RDP Archives - CISO MAG | Cyber Security Magazine
Beyond Cyber Security
Tue, 16 Nov 2021 09:10:09 +0000

COVID-19 and the Current Cyberthreat Landscape in India
https://staging-cisomagcom.kinsta.cloud/covid-19-and-the-current-cyberthreat-landscape-in-india/
Wed, 14 Apr 2021 12:30:34 +0000

The post COVID-19 and the Current Cyberthreat Landscape in India appeared first on CISO MAG | Cyber Security Magazine.

It’s been over a year since the first COVID-19 death was reported in the state of Karnataka, India, in March 2020. With concerns of high mortality rates from the global pandemic, the government of India announced strict lockdowns to implement isolation, social distancing, and contact tracing. In November 2020, the country saw COVID cases plummeting, with patients showing mild to moderate symptoms compared to other countries. And while India was heaving a sigh of relief in the new year, the deadly disease made its way back in February, putting the health care sector in shambles. As of today, April 14, 2021, the COVID figure in India has skyrocketed to approximately 180,000 cases. The state of Maharashtra — with over 50,000 cases per day — has announced strict curfew-like restrictions on the movement of people, once again making India a soft target for cybercriminals.

By Pooja Tikekar, Sub Editor, CISO MAG

A CoWin Decoy?

India has been aggressive with its vaccination drive since its launch in January 2021, with health care and frontline workers first in line. The second phase of the vaccination program, for the general public, kickstarted on March 1, 2021. The two vaccines being administered are “Covishield” from the Serum Institute of India and “Covaxin” from Bharat Biotech. Technology plays a critical role in planning, deploying, and monitoring vaccination programs, so citizens are urged to register via Aarogya Setu or on the CoWIN website. However, hackers are testing the country’s digital architecture, and are allegedly impersonating the legitimate CoWIN website to coax citizens into registering on a fake portal that exfiltrates their personal information.

RDP Attacks Skyrocket

Remote work continues to top the business continuity operations in India. According to a cybersecurity report from Kaspersky, India witnessed 9.04 million brute-force attacks against remote desktop protocol (RDP) in February 2021, compared to 1.3 million in February 2020 and 3.3 million in March 2020. Working in decentralized environments has become the new normal, and brute-forcing RDP is now the most common technique cybercriminals use to gain access to Windows systems and execute malware.

“Remote work isn’t going anywhere. Even as companies begin considering re-opening their workplaces, many have stated that they will continue to include remote work in their operating model or pursue a hybrid format,” said Dmitry Galov, security expert at Kaspersky. “That means it’s likely these types of attacks against remote desktop protocols will continue to occur at a rather high rate. 2020 made it clear that companies need to update their security infrastructure, and a good place to start is providing stronger protection for their RDP access.”

The New-age Oil Leaks Copiously

The data breach landscape in India, pre-COVID, was simple. Adversaries launched ransomware attacks by encrypting the data on vulnerable systems and demanding a ransom in exchange for a decryption key. Cybercriminals were complacent about inventing new attack vectors. But as the adage goes, change is the only constant. Today, ransomware groups are re-inventing their modus operandi to attack not just the data, “the new-age oil,” but the brand image of a business. With improved infrastructure, India is opening its doors to global market players. Threat actors are leveraging this opportunity to attack the brand image of a business or enterprise by dropping malware payloads on the targeted system and exporting its data, in turn damaging intellectual property and national security.

The recent MobiKwik data leak exposed the data of 3.5 million users, with 6TB of KYC details and 350 GB of compressed MySQL dump. To add to the list, the personal information of 533 million Facebook users from 106 countries was leaked for free on an underground hacking forum – with 6.1 million users from India alone. And if this was not enough, India’s second-largest stockbroker, Upstox, was reportedly the latest victim of a breach, allegedly leaking data of 2.5 million users.

Souring India-China Relations

Ever since the pandemic broke out, India’s relationship with China has turned sour. This was evident in the Mumbai power outage in October 2020, which crippled the financial capital with chaos. An investigation by the Maharashtra cyber department revealed a malware attack with unaccounted data transfer from a foreign server to the Maharashtra State Electricity Board (MSEB) server. Evidence from Recorded Future underlined the geopolitical tensions and border clashes between the two Asian neighbors: it claimed that the Chinese state-sponsored group “RedEcho” targeted India’s power grid. It did not stop here. CERT-In averted a hacking attempt on the Telangana state power utilities, TS Transco and TS Genco, by a Chinese cybercriminal hacking group.

In the past, the Indian government has accused Chinese threat actors of attacks on the National Informatics Centre (NIC), the National Security Council (NSC), and the Ministry of External Affairs (MEA). The transformative role of technology has impacted Indian cyberspace and the information sector. Another report stated that India was named one of the most cyber-targeted countries globally in 2019, with over 50,000 cyberattacks from China alone. The IBM Security report titled “2021 X-Force Threat Intelligence Index” revealed that India was the second most cyberattacked country in APAC.

Chief of Defense Staff, General Bipin Rawat says…

Where do we go from here?

Apart from vaccine disruptions, RDP attacks, and foreign intrusion, team CISO MAG continues to observe common attack trends such as phishing and business email compromise directed at Indian government bodies and enterprises. Armies in countries like the U.S. have a cybersecurity unit (U.S. Cyber Command) that is responsible for countering cyberwarfare. India has cyber cells attached to its state police forces, and in a similar vein, the Indian government needs to seriously consider a cyberwarfare unit within the armed forces and scale up its cyber maturity.

Cyberwarfare is here to stay, and threat actors are eyeing every chance to sabotage the country’s defense mechanisms. Despite the many efforts of its security agencies, India’s agility in incident response has been inadequate. And with the soaring second COVID-19 wave, it will be interesting to watch how India combats the vicious nature of existing and new cyberthreats.



About the Author

Pooja Tikekar is the Sub Editor at CISO MAG, primarily responsible for quality control. She also presents C-suite interviews and writes news features on cybersecurity trends.


What is an RDP attack?
https://staging-cisomagcom.kinsta.cloud/what-is-an-rdp-attack/
Thu, 14 Jan 2021 05:30:14 +0000

Remote Desktop Protocol (RDP) attacks are becoming a nightmare for CISOs, CIOs, CTOs, and network administrators. They are an attack vector into enterprise networks. The year 2020 saw the biggest increase in RDP attacks, targeting U.S. companies. According to Cyware, RDP brute force attack attempts increased from 200,000 a day in January 2020 to 1.4 million a day by April 2020. Kaspersky Labs revealed that RDP attacks grew a massive 242%, reaching 3.3 billion in 2020 compared to 2019. Blame the increase in RDP attacks on the Coronavirus and escalating cybercrime. As employees moved workstations from their offices to their homes in a short span of time, there wasn’t much time to reconfigure home networks and endpoints to establish the multi-level security that is inherent in enterprise networks. Knowing this, hackers took advantage and attacked remote endpoints to get into enterprise networks. According to Avast, ransomware attacks via RDP are increasing and are often targeted at small and medium businesses.

What RDP attacks occurred in the past?

LabCorp (Laboratory Corp. of America) was hit by ransomware through an RDP attack in 2018. The ransomware infected thousands of PCs and almost 2,000 servers of this major medical testing facility. According to the Wall Street Journal report, the company was hit with a strain of ransomware known as SamSam. The hackers demanded $6,000 in bitcoin for each machine or $52,500 to unlock all encrypted devices, according to the alert from the National Health Information Sharing and Analysis Center, which coordinates health-industry responses to cyberattacks.

And earlier in the year, the Hartsfield-Jackson Atlanta International Airport, regarded as the world’s busiest by passenger traffic, was also hit by an attack involving SamSam.

In 2018, the Internet Crime Complaint Center (IC3) along with the U.S. Department of Homeland Security released an alert stating, “Remote administration tools, such as Remote Desktop Protocol (RDP), as an attack vector has been on the rise since mid-late 2016 with the rise of dark markets selling RDP Access.”

How do RDP attacks happen?

Microsoft software is used in over 90% of the world’s computers, and naturally, these have been widely targeted by hackers. We saw that with Internet Explorer, the Windows operating systems released over the years, Windows Server software – and these days with Microsoft 365.

Microsoft introduced the Remote Desktop Protocol in 1996. Every Windows system since Windows XP uses RDP for remote connection. As employees became mobile and worked from different locations, there was a need to access corporate servers and workstations from remote locations. Two technologies emerged: VPN and RDP. But RDP is the more popular choice among users as it is built into Windows and offers more control of the host. An RDP client running on the user’s laptop or desktop (client) communicates with the RDP component on the server (host). And the communication between the two is encrypted (see illustration).

How does an RDP attack happen?

Ever since RDP was introduced, cybercriminals have been trying to hack into machines via this protocol – effectively launching a Windows RDP attack. RDP attacks continue to impact organizations worldwide to this day. Today, hackers are using RDP attacks to deploy ransomware and to lock up systems, severely crippling businesses – as in the LabCorp incident. These types of RDP attacks are becoming more common since they are lucrative.

RDP attacks occur through open RDP ports.

What is an RDP port?

A computer has hardware and software ports for communicating with other devices and services. Hardware ports are easier to understand as they are physical. Look at the sides of your laptop and you will see different hardware ports for connecting devices – USB ports, HDMI ports, the legacy VGA and Firewire (Apple), Ethernet (network) port, display port, lightning connector (Apple), Thunderbolt (Apple), the power port, etc.

Software ports are logical channels to services on networks. For instance, websites are accessed through port 8080 (http), file transfer uses port 20 or 21, and sending email uses port 25 (SMTP). These are defined by communication protocols that are followed by the industry – http, FTP, TCP/IP, and SMTP are protocols.

Here is an analogy. Cable TV offers hundreds of channels coming down to us on a single wire. But all these channels have separate communication paths in that wire. Those are like ports. Think of ports as communication channels.

There are thousands of services to access on networks – printing, FTP/file transfer, file sharing, remote access, etc. A port (with a unique port number) is designated for each service.

You have ports for Remote Access as well, and often, these ports are unsecured and open for anyone to use. Hackers scan connected devices for open ports, and once they find these, they can access the endpoints. The endpoints are connected to the corporate network via TCP/IP and other protocols. So once the hacker gets into your connected endpoint (laptop, tablet, phone) – they can easily get into the corresponding network and deploy malware like ransomware.

Why use Remote Access?

The most common example of remote access today is your IT engineer logging into your laptop from a remote location to fix an issue. They would use remote connectivity software like AnyDesk or TeamViewer to do that. This is through RDP.

Another example is a traveling employee who may want to access some files stored on his office computer, which is thousands of miles away. The employee could use either VPN or RDP to do that.

How do you block an RDP attack?

Ports have default numbers. If you keep the RDP port to 3389 (default), then it is a security threat, since hackers know about this port. So, if you plan to open up RDP ports for Internet access, the first thing to do is change the default port number from 3389 to a number above 10000. Or, if you want to keep using port 3389, make sure the port is closed down after a remote access session.

Hackers use port scanning software to determine which ports are open on the targeted system. You can use the same kind of software to see all the open ports on your system — and close those ports. But the first thing to do is to change the default port number for RDP.

Change the default port number

Follow these steps to change the RDP port:

  1. In Windows, go to Run –> Type: regedit to open the Registry Editor.
  2. Locate the following key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\

  3. In the right-hand pane, double-click on PortNumber.
  4. Change the value to Decimal and specify the new port number, between 1001 and 254535.
  5. Click OK.
  6. Close the Registry Editor and restart your computer.

Warning: Do not try this if you are unfamiliar with the Windows Registry and registry editing. Get your system administrator to do this for you.

Check if port 3389 is open and listening

You may open port 3389 to connect to a computer remotely and may forget to close it after the session. Or another user may have done this on a shared device.

Here’s how you can check if the port is open and listening:

  1. Open PowerShell by going to Run –> powershell
  2. Run the following command: tnc 192.168.1.2 -port 3389
  3. In this command, replace the IP address 192.168.1.2 with your computer’s IP. Replace it with your router’s public IP if you have allowed public access to your computer through the router. The resulting value of TcpTestSucceeded should be True.

You can also check the port using the command prompt or CLI (command line interface), but we will not discuss this here, as it is beyond the scope of this article.

Alternately, use a port scanning or vulnerability scanning tool like CurrPorts (NirSoft) that will scan all ports and list which ones are open.

Close port 3389 (if open)

This can be done either through the command line or through a utility like CurrPorts (NirSoft).
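The three steps above (move RDP off 3389 in the registry, check whether 3389 still answers with tnc, and close 3389) as one PowerShell script; this is an added example, not code from the article. It assumes an elevated PowerShell on Windows 10/11 or Server 2016+, where the RDP-Tcp registry key and the Get-NetTCPConnection, Test-NetConnection and New-NetFirewallRule cmdlets exist; the port 13389 and the firewall rule names are constructed values, and the inbound allow rule and service restart go beyond the article's own steps.

```powershell
# Added example, not code from the CISO MAG article: moves the RDP listener off
# TCP 3389 (the regedit steps), checks whether 3389 is still open (the tnc step),
# and blocks 3389 at the host firewall (the "close the port" step).
# Assumptions: elevated PowerShell on Windows 10/11 or Server 2016+, where the
# RDP-Tcp registry key, Get-NetTCPConnection, Test-NetConnection and
# New-NetFirewallRule exist. 13389 and the rule names are constructed values.

$RdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$NewPort = 13389

function Get-RdpPort {
    # Reads the same PortNumber value the article has you edit in regedit.
    (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
}

function Test-RdpPortChoice {
    param([Parameter(Mandatory)] [int] $Port)
    # A TCP port is always in 1-65535; the article recommends going above 10000.
    if ($Port -lt 1 -or $Port -gt 65535) { throw "Port $Port is outside the valid range 1-65535" }
    if ($Port -eq 3389) { throw "3389 is the default RDP port, which is exactly what scanners probe for" }
    if ($Port -le 10000) { Write-Warning "Port $Port is not above 10000 as the article recommends" }
    # Refuse a port some other service is already bound to.
    if (Get-NetTCPConnection -LocalPort $Port -ErrorAction SilentlyContinue) {
        throw "Port $Port is already in use on this host"
    }
}

function Set-RdpPort {
    param([Parameter(Mandatory)] [int] $Port)
    Test-RdpPortChoice -Port $Port
    $old = Get-RdpPort
    # Steps 3-5 of the regedit procedure: PortNumber is a DWORD holding the decimal port.
    Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $Port -Type DWord
    # Without an inbound allow rule for the new port, the next RDP session is locked out.
    New-NetFirewallRule -DisplayName "Remote Desktop (TCP $Port)" -Direction Inbound `
        -Protocol TCP -LocalPort $Port -Action Allow -Profile Domain, Private | Out-Null
    # The listener moves only after Remote Desktop Services restarts (the article reboots
    # instead); an RDP session running this script is disconnected at this point.
    Restart-Service -Name TermService -Force
    "RDP PortNumber changed from $old to $Port"
}

function Get-RdpListenerStatus {
    param([string] $ComputerName = 'localhost', [int] $Port = 3389)
    # Local view: is any process bound to the port?  Remote view: the article's
    # "tnc <ip> -port 3389" check, which should end up False for 3389.
    $local  = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    $remote = Test-NetConnection -ComputerName $ComputerName -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Port             = $Port
        ListeningLocally = [bool] $local
        TcpTestSucceeded = $remote.TcpTestSucceeded
    }
}

function Block-RdpDefaultPort {
    # "Close port 3389": an explicit inbound block rule wins over any remaining allow rule.
    New-NetFirewallRule -DisplayName 'Block default RDP port 3389' -Direction Inbound `
        -Protocol TCP -LocalPort 3389 -Action Block -Profile Any | Out-Null
}

# Audit first, change the port, then confirm 3389 no longer answers and the new port does.
Get-RdpListenerStatus -Port 3389
Set-RdpPort -Port $NewPort
Block-RdpDefaultPort
Get-RdpListenerStatus -Port 3389
Get-RdpListenerStatus -Port $NewPort
```

Run it from a local console rather than over RDP, since the TermService restart drops the session that started it.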

Exploiting RDP ports to deploy ransomware

If a hacker compromises your system via an open RDP port 3389 to deploy malware or ransomware, they could do the following:

  • Install a process that starts encrypting all docs, pdf, jpg, and several other file formats into a secure RAR archive form, then delete the originals.
  • Install a Group Policy script that enables the Guest account, sets an unknown password on it, and gives it complete access to all administrative functions, including RDP. The script can be set to run on any user’s login (all profiles), so disabling the Guest account would only hold until the next session when the admin logs in.
  • Lock the login screen for all users on the server with a ransomware scare-tactic screen claiming to be from an authority like the FBI. The ransom fee, an email address, and the mode of payment will be shown on that screen.
  • Uninstall anti-virus and other security products.
  • Delete all backups online or on the system.
  • Disable the F8 startup key to prevent booting into safe mode.
  • Turn off Shadow Copies on all shares – and delete the historical stored revisions of files.
  • Change other system configuration settings to make the system more vulnerable to attacks.

Well, this might shake one up, if they did not already know this! So, what are you waiting for? Close your open RDP port now!

Security policies & Best Practices

We also suggest a few more things to secure your systems:

  1. Use a secure VPN connection instead of RDP to access desktops remotely.
  2. Enforce the use of strong passwords and password change every 60 – 90 days.
  3. Set a threshold for password tries – the system should lock out the user after three failed login attempts (failed passwords).
  4. Change the default name of your Administrator account.
  5. Check your Group Policies frequently.
  6. Install all server patches and pay attention to Microsoft Patch Tuesday (Update Tuesday) announcements (and similar advisories).
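Detection logic for the RDP brute-force attempts the first article describes, using the three-failed-attempts lockout of best practice 3 above as the alert threshold; this is an added example, not code from the article. It assumes failed RDP logons appear in the Windows Security log as Event ID 4625 with LogonType 10 (RemoteInteractive), and the event records it runs over are constructed so the script works offline on any PowerShell 5.1 or 7 host.

```powershell
# Added example, not code from the CISO MAG article: flags RDP brute-force
# attempts from failed-logon records, alerting once a single source IP reaches
# the lockout threshold (three failures) inside a short window.
# Assumptions: failed RDP logons are Security Event ID 4625 with LogonType 10;
# the sample records at the bottom are constructed, so this runs offline.

function Find-RdpBruteForce {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # TimeCreated, IpAddress, LogonType, TargetUserName
        [int] $Threshold = 3,                         # best practice 3: lock out after three failed attempts
        [int] $WindowMinutes = 10
    )
    $hits = @()
    # Only RemoteInteractive (10) failures are RDP; type 3 (network) covers SMB and the like.
    $rdpFailures = $Events | Where-Object { $_.LogonType -eq 10 } | Sort-Object TimeCreated
    foreach ($group in ($rdpFailures | Group-Object IpAddress)) {
        $times = @($group.Group | ForEach-Object { $_.TimeCreated })
        # Sliding window: for each failure, count failures from the same IP in the
        # preceding $WindowMinutes and alert at the first crossing of the threshold.
        for ($i = 0; $i -lt $times.Count; $i++) {
            $start    = $times[$i].AddMinutes(-$WindowMinutes)
            $inWindow = @($times | Where-Object { $_ -ge $start -and $_ -le $times[$i] })
            if ($inWindow.Count -ge $Threshold) {
                $hits += [pscustomobject]@{
                    SourceIp  = $group.Name
                    Failures  = $inWindow.Count
                    Users     = ($group.Group.TargetUserName | Sort-Object -Unique) -join ','
                    FirstSeen = $inWindow[0]
                    LastSeen  = $times[$i]
                }
                break   # one alert per source IP
            }
        }
    }
    return $hits
}

function ConvertFrom-FailedLogonEvent {
    # Turns a real 4625 record from Get-WinEvent into the shape Find-RdpBruteForce expects.
    param([Parameter(Mandatory)] [System.Diagnostics.Eventing.Reader.EventLogRecord] $Record)
    $xml  = [xml] $Record.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated    = $Record.TimeCreated
        IpAddress      = $data['IpAddress']
        LogonType      = [int] $data['LogonType']
        TargetUserName = $data['TargetUserName']
    }
}

# Constructed sample: one source hammering admin-style accounts over RDP, one user
# who mistyped a password once, and an SMB (type 3) failure that must be ignored.
$t0 = Get-Date '2021-02-14T02:00:00'
$sample = @(
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds(0);  IpAddress = '198.51.100.7'; LogonType = 10; TargetUserName = 'Administrator' }
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds(4);  IpAddress = '198.51.100.7'; LogonType = 10; TargetUserName = 'admin' }
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds(9);  IpAddress = '198.51.100.7'; LogonType = 10; TargetUserName = 'Administrator' }
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds(15); IpAddress = '198.51.100.7'; LogonType = 10; TargetUserName = 'sysadmin' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(3);  IpAddress = '192.168.1.20'; LogonType = 10; TargetUserName = 'pooja' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(5);  IpAddress = '192.168.1.20'; LogonType = 3;  TargetUserName = 'pooja' }
)

# Offline run over the constructed records: only 198.51.100.7 should be reported.
Find-RdpBruteForce -Events $sample | Format-Table -AutoSize

# On a real host (elevated), feed the last day of 4625 events instead:
# $recent = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) } |
#     ForEach-Object { ConvertFrom-FailedLogonEvent -Record $_ }
# Find-RdpBruteForce -Events $recent
```

The report lists which account names were tried, which is also how you notice that a renamed Administrator account (best practice 4) is still being guessed by its default name.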

About the Author

Brian Pereira is the Editor-in-Chief of CISO MAG. He has been writing on business technology concepts for the past 26 years and has achieved basic certifications in cloud computing (IBM) and cybersecurity (EC-Council).

“Attackers are looking to break into your organization either by a broken VPN or RDP protocols”
https://staging-cisomagcom.kinsta.cloud/interview-yotam-gutman-sentinelone/
Wed, 09 Sep 2020 03:30:25 +0000

It’s not every day that one gets to meet an influential person from the world of cybersecurity. CISO MAG caught up with Yotam Gutman, Marketing Director at SentinelOne. He once served as Lt. Commander in the Israel Navy. He was chosen as one of the top 5 Security Influencers to Follow on LinkedIn.

A retired Lt. Commander in the Israel Navy, Gutman has held several operational, technical, and business positions at defense, HLS, intelligence, and cybersecurity companies, and has provided consulting services for numerous others. He joined SentinelOne 8 months ago to oversee local marketing activities in Israel and contribute to the global content marketing team. Gutman founded and manages the Cybersecurity Marketing Professionals Community, which includes over 300 marketing professionals from more than 170 cyber companies.

In a Zoom call with Brian Pereira, Principal Editor, CISO MAG, Gutman tells us about his journey from the Israeli Navy to Homeland Security and then to a cybersecurity startup ecosystem in Israel, finally becoming the Marketing Director at SentinelOne. He also discusses how SentinelOne grew from a startup to a global organization in less than a decade.

Edited excerpts from the interview follow:


You served the Israeli Navy but how did you get into cybersecurity? What are your core interests in this field?

My route into cybersecurity was a peculiar one. Like most Israelis, I served in the armed forces, specifically in the Israeli Navy, where I was an officer for six and a half years, starting with serving on missile ships. Later, I served as an instructor at the naval academy. On completion of service, I started working with Israeli defense companies, which worked extensively with India. After that, I moved to Homeland Security, and you will recall the terrorist attacks in Mumbai, around 2008. Israeli companies work with governments and organizations all over the world to improve their internal security, smart cities, and border security. Four years later, I saw that that form of terrorism was starting to decline and that there was an emerging field called cybersecurity.

In 2010, there was a cyberattack on Iran’s nuclear facility (Stuxnet), and that incident highlighted the need to secure not just the IT infrastructure and the data that resides within but also the physical infrastructure.

Pursuing the current opportunities, I have worked with Israeli startups–there are 350 cybersecurity startups in Israel that are divided into roughly 150 cybersecurity product categories, collectively. My niche within that was to take my previous experience, product skills, pre-sale skills, marketing skills, and help those companies with their product offerings. And for the past six years, I moved between companies until I found my current position.

During this time, I met hundreds of local marketers and professionals and there was much sharing in communities, and we also established a community of like-minded professionals to share information about cybersecurity and marketing. Currently, this community has 350 members from all the major cybersecurity companies in Israel.

Can you tell us the story of SentinelOne and how it scaled up so quickly? How did you land up at SentinelOne? What are you involved in these days?

SentinelOne was established more than seven years ago and it was just like any other startup. People (in the company) knew one another from the military service and they came up with an idea to improve endpoint security. SentinelOne grew very rapidly and most of the company is now located overseas. The HQ is in the U.S. and they now have a large presence in the EU. We just established the first Asia Pacific HQ in Singapore. So, it has grown very quickly, and we now have 500 employees and many customers.

I got into it through one of the people in the community, who is also an ex-Israeli Navy. He suggested that I help them boost their marketing efforts on the local front. SentinelOne has been investing in brand awareness and brand recognition globally, especially in the North American market. And in the local market, it never got sufficient attention. But when it got to a point where we needed to recruit about 100 people each year, the lack of public awareness became a challenge.

I joined about a year ago. I began as a consultant and then I saw it as a good fit, and later joined full time, last January.

On the local front, I am helping with recruitment marketing, and we look for the top talent in cybersecurity and technology, in general. I’m also part of the global marketing team made up of content marketers, product marketers, people who are tech-savvy — and we create content that generates leads. We publish that content in many channels.

As an outsider, I was impressed with SentinelOne as it achieved something very few companies in the world, especially here in Israel, are able to do on that scale. Last year we did a business of $100 mn globally and this year we hope to increase that.

Even the pandemic has not made a dent in our sales. So, I am envisioning great things for this company.

How did you help customers when the pandemic was announced in March?

When this happened, we were among the first to inform customers about the risks of working from home. We conducted a webinar in early March to inform them. We also reached out to our existing customers and offered to extend the number of licenses. Since they were sending workers home, they would be looking to buy new licenses. That’s not something they were expecting. That’s not something that was budgeted. We offered that to them for a period of 90 days and this was also available to new customers.

We then started monitoring the threat intelligence landscape, and we have a blog with COVID-related threats. We advise people about IOCs (Indicators of Compromise) and compromised IP addresses. We also beefed up our support and conducted surveys to measure their level of satisfaction.

How has the SentinelOne product evolved to help remote workers in a decentralized environment? Can it stop ransomware?

The product was initially built as an on-prem solution. We observe that people who work from remote locations connect and then they disconnect and go to a coffee shop and continue working. So, our product can work even in a non-connected environment when you are not connected to the cloud, or where there is no Wi-Fi connection. Our product will still secure you in a robust manner.

We invest in the autonomy of the product. We also invest in the ability to perform a roll-back, specifically for ransomware attacks. Sometimes our systems are able to stop these attacks. So, this is behavioral-based. If it is not a known threat, we will pick it up, but sometimes we could be late by a few seconds. That’s why we make sure that the product allows one to roll back and decrypt some of the files. We were also able to detect new forms of ransomware, create a decryptor, and publish it online for anyone to access.

To counter this, we identify a new device on the network and fingerprint it, and we compare it to other devices in the network. Let’s say it is a security camera. If it starts behaving differently from other cameras, we can then block it through the firewall and prevent it from accessing the external world. So, we can restrict its behavior in a cyberattack.

This is an ongoing battle. We have to keep learning what the attackers are doing and keep training our algorithm to respond to the threat.


Read a longer version of this interview in the October 2020 issue of CISO MAG. Subscribe here.

Securing the Hybrid Workforce Begins with Three Crucial Steps
https://staging-cisomagcom.kinsta.cloud/hybrid-workforce/
Tue, 04 Aug 2020 04:30:44 +0000

The post Securing the Hybrid Workforce Begins with Three Crucial Steps appeared first on CISO MAG | Cyber Security Magazine.

]]>
The global shift to a remote workforce has redefined the way organizations structure their business models. As executives reestablish work policies to accommodate remote employees well beyond the initially anticipated duration, a new era of work will emerge: the hybrid workforce, one more largely split between office and remote environments. While this transition brings a wave of opportunity for organizations and employees, it also opens new doors for bad actors to capitalize on strained IT departments who have taken on additional responsibility to ensure sensitive data remains secure, whether on or off the corporate network.

By Rick Vanover, Senior Director of Product Strategy for Veeam Software

While threats to company data vary in attack method, ransomware continues to be the most prominent risk known to organizations worldwide, with a 41% increase in 2019 alone. It is important that companies acknowledge this threat and deploy strategies to prepare for, defend against and repair incidents before adapting to a hybrid workforce model. This preparation keeps organizations out of the position where data loss or ransom payment are the only unfortunate options. To win the war on ransomware, organizations should give their IT teams a plan that ensures they have the resilience needed to overcome any attack. Let’s explore three crucial steps for ransomware resilience in more detail.

1. Focus on education first, avoid reactive approaches to threats later

Education – beginning once the threat actors are identified – should be the first step taken on the path towards resilience. To avoid being caught in a reactive position should a ransomware incident arise, it is important to understand the three main mechanisms for entry: internet-connected RDP or other remote access, phishing attacks and software vulnerabilities. Once organizations know where the threats lie, they can approach training tactically, with strategies to refine IT and user security and additional preparation tactics in place. Identifying these top three mechanisms helps IT administration isolate RDP servers that host backup components, integrate tools that assess phishing attempts so users can spot and respond to them correctly, and keep users informed about recurring updates to critical categories of IT assets, such as operating systems, applications, databases and device firmware.

Additionally, practising with the ransomware recovery tools already in place will help IT organizations familiarize themselves with different restore scenarios. Whether it is a secure restore process that aborts when malware is detected, or software that detects ransomware before a system is restored, the ability to exercise different restore scenarios will become invaluable. When an attack does happen, staff will recognize, understand and have confidence in the recovery process. By taking the education aspect of these steps seriously, organizations can decrease the risks, costs and pressure of dealing with a ransomware incident unprepared.

2. Implement backup solutions that maintain business continuity

An important part of ransomware resiliency is backup infrastructure that creates and maintains strong business continuity. Organizations need a reliable system in place that protects their servers and keeps them from ever having to pay to get their data back. Consider keeping the backup server isolated from the internet and limiting shared accounts that grant access to all users. Instead, assign users only the specific tasks within the server that are relevant to them, and require two-factor authentication for remote desktop access. Additionally, backups with an air-gapped, offline or immutable copy of the data, paired with the 3-2-1 rule, provide one of the most critical defenses against ransomware, insider threats and accidental deletion.
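As an added example (not code from the article or from Veeam), the following Python script audits an inventory of backup copies against the 3-2-1 rule (three copies, two media types, one offsite) together with the air-gapped, offline or immutable copy recommended above. The `BackupCopy` fields, the two inventories and the finding strings are constructed for illustration; the script assumes every entry is a backup copy that counts toward the three.

```python
"""Audit backup copies against the 3-2-1 rule plus an immutable/offline copy.

Added example with constructed data; not the article's or any vendor's code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str       # storage medium, e.g. "disk", "tape", "object-storage"
    offsite: bool    # held at a different site or region than production
    immutable: bool  # WORM / object-lock: cannot be altered or deleted during retention
    online: bool     # reachable from the production network (False = offline / air-gapped)


def audit_backups(copies):
    """Return the list of failed criteria; an empty list means the set passes."""
    findings = []
    # "3": at least three copies of the data
    if len(copies) < 3:
        findings.append(f"fewer than 3 copies ({len(copies)})")
    # "2": on at least two different media types
    media = {c.media for c in copies}
    if len(media) < 2:
        findings.append(f"fewer than 2 media types ({', '.join(sorted(media)) or 'none'})")
    # "1": at least one copy offsite
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy")
    # Ransomware-specific: at least one copy an attacker on the production
    # network cannot encrypt or delete (immutable, or not reachable at all)
    if not any(c.immutable or not c.online for c in copies):
        findings.append("no immutable or offline copy")
    return findings


# Constructed inventories used for the demonstration
RESILIENT = (
    BackupCopy("primary-repo", "disk", offsite=False, immutable=False, online=True),
    BackupCopy("object-lock-copy", "object-storage", offsite=True, immutable=True, online=True),
    BackupCopy("tape-vault", "tape", offsite=True, immutable=False, online=False),
)

WEAK = (
    BackupCopy("primary-repo", "disk", offsite=False, immutable=False, online=True),
    BackupCopy("nas-mirror", "disk", offsite=False, immutable=False, online=True),
)


if __name__ == "__main__":
    for label, inventory in (("resilient", RESILIENT), ("weak", WEAK)):
        print(label, audit_backups(inventory) or ["passes"])
```

The "weak" inventory fails every check: two online disk copies on the same network are exactly what a ransomware operator with domain credentials can encrypt alongside production. Adding either an object-locked cloud copy or an offline tape set clears the last finding without touching the other copies.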

Furthermore, detecting a ransomware threat as early as possible gives IT organizations a significant advantage, which requires tools in place to flag possible threat activity. For endpoint devices that are now remote, backup repositories set up to identify risks give IT insight into a very large surface area that can be analyzed for signs of a threat being introduced. If these implementations do not prevent an attack, another viable option is to encrypt backups wherever possible for an additional layer of protection – threat actors who charge ransom to prevent leaking data do not want to have to decrypt it first. When it comes to a ransomware incident there is no single way to recover, and organizations have many options beyond these. The important thing to remember is that resiliency will be predicated on how backup solutions are implemented, the behavior of the threat and the course of remediation. Take time to research the options available and ensure that solutions are implemented to protect your company.

3. Prepare to remediate an incident in advance

Even with education and implementation techniques in place to combat ransomware before an attack hits, organizations should still be prepared to remediate a threat once it is introduced. Layers of defense against attacks are invaluable, but organizations also need to map out specifically what to do when a threat is discovered. Should a ransomware incident happen, organizations need support in place to guide the restore process so that backups are not put at risk. Communication is key: having a list of security, incident response and identity management contacts ready – inside the organization or externally – will ease the path towards remediation.

Next, have a pre-approved chain of decision makers in place. When it comes time to make decisions, such as whether to restore or to fail over company data in the event of an attack, organizations should know who holds decision authority. If conditions are right to restore, IT should be familiar with the recovery options that fit the ransomware situation. Implement additional safety checks before putting systems back on the network – such as an antivirus scan before restoration completes – and ensure the right process is underway. Once the process is complete, implement a sweeping forced change of passwords to reduce the chance of the threat resurfacing.

The threat that ransomware poses to organizations both large and small is real. While no one can predict when or how an attack will happen, IT organizations that have a strong, multi-layered defense and strategy in place have a greater chance for recovery. With the right preparation, the steps outlined here can increase any organization’s resiliency – whether in office, remote or a combination of the two – against a ransomware incident and avoid data loss, financial loss, business reputation damage or more.

About the Author

Rick Vanover (Cisco Champion, VMware vExpert) is a Senior Director of Product Strategy for Veeam Software based in Columbus, Ohio. Vanover’s experience includes system administration and IT management, with virtualization, cloud and storage technologies being the central theme of his career recently.

Disclaimer

CISO MAG did not evaluate/test the products mentioned in this article, nor does it endorse any of the claims made by the writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same. CISO MAG does not guarantee the satisfactory performance of the products mentioned in this article.

Safeguarding Your Networks and Applications from the Risks of Remote Work with VPNs and RDP https://staging-cisomagcom.kinsta.cloud/remote-work-with-vpn-and-rdp/ Tue, 09 Jun 2020 16:30:19 +0000

With so many employees sheltering in place due to Coronavirus, enterprises with Windows are depending on VPNs and Microsoft’s Remote Desktop Protocol (RDP). However, while this allows employees to access company apps and files, using VPN and RDP surfaces creates other, longer-lasting problems.

By Gil Azrielant, CTO and Co-founder, Axis Security

VPNs are notoriously problematic to begin with, especially when paired with RDP’s security flaws. RDP has numerous known vulnerabilities (CVEs) registered against it. And even with patches, new vulnerabilities continue to emerge.

For an organization to thrive in this environment, it will need to adopt security measures when deploying Microsoft RDP-enabled access widely — ideally without having to constantly upgrade its servers. This is difficult when it has to provide remote access quickly, without the luxury of upgrading software.

How vulnerable is your RDP environment?

For remote workers to do their jobs, they often need to connect to remote workstations, servers or applications within the company. That’s why so many organizations with Windows computers rely on both VPNs to get on the network and Microsoft’s Remote Desktop Protocol (RDP) via the Remote Desktop Connection application to get to a particular machine.

VPN enablement can be painful for both IT and end users, and VPNs can aggravate RDP’s security flaws. While patches are available for many of those flaws, some servers cannot receive upgrades, leaving untold numbers of vulnerable legacy servers in place. And even with those patches applied, new RDP vulnerabilities continue to emerge.

Common vulnerabilities and exposures (CVEs) of RDP include BlueKeep, which allows cybercriminals to remotely take over a connected PC. We have listed relevant CVEs at the end of this post. Further, hackers continually use brute force attacks to try to obtain user credentials that have remote desktop access.

We recommend that, when using Microsoft’s RDP, organizations adopt additional security measures. Some are simply procedural. But whatever form they take, they are necessary to keep enterprise data safe.

How to alleviate RDP’s vulnerabilities?

Providing large scale urgent access while keeping users safe is not easy. But new access and security technologies make it possible without fiddling with VPNs or directly upgrading servers. A modern solution that is equipped to handle RDP’s vulnerabilities will provide a layer of security over all managed RDP servers. These solutions will analyze all user requests before they are securely forwarded to the RDP server. This protects the RDP host and its data by acting something like an RDP request broker.

This process of preventing remote users from touching the applications directly effectively mitigates all of the RDP-related CVEs listed below, reducing the application attack surface and minimizing risk.

The most important thing to remember regarding RDP is to never put your RDP servers on the public Internet. Within minutes of a public-facing RDP server going online it will be scanned, and from then on numerous connection requests and exploitation attempts will arrive every hour. It is unrealistic to expect such legacy protocols to be secure on the Internet.

Other important steps that can be taken to protect against RDP vulnerabilities include:

  • Enable network level authentication (NLA)
  • Eliminate direct network access to the machine
  • Enforce MFA for every login
  • Focus on system patching, with virtual patching being the ideal technique for this
  • Choose and enforce a strict policy
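The scanning and brute-force activity described above, and the brute-force credential attacks mentioned earlier in the post, leave a recognizable trace in the Windows Security log: bursts of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, sometimes followed by a successful logon (Event ID 4624) from that same address. The following Python detector is an added example, not code from the article or from Axis Security. The pipe-separated event lines are a constructed, simplified rendering of those events (a real pipeline would read them from the event log or a SIEM), and the threshold and window values are assumptions to tune for your environment.

```python
"""Detect RDP brute-force bursts and a success following a burst.

Added example over constructed sample data; not the article's or any vendor's code.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a simplified "timestamp|event_id|account|source_ip|logon_type"
# form. 4625 = failed logon, 4624 = successful logon; logon type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = """\
2020-06-09T10:00:01|4625|administrator|198.51.100.23|10
2020-06-09T10:00:02|4625|admin|198.51.100.23|10
2020-06-09T10:00:03|4625|root|198.51.100.23|10
2020-06-09T10:00:04|4625|backup|198.51.100.23|10
2020-06-09T10:00:05|4625|jsmith|198.51.100.23|10
2020-06-09T10:00:06|4625|jsmith|198.51.100.23|10
2020-06-09T10:00:09|4624|jsmith|198.51.100.23|10
2020-06-09T10:05:00|4625|mjones|10.0.0.15|10
2020-06-09T10:05:30|4624|mjones|10.0.0.15|10
2020-06-09T10:30:00|4625|svc_sql|203.0.113.7|3
"""


def parse_events(text):
    """Turn the pipe-separated lines into event dicts with real timestamps."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, event_id, account, src, logon_type = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "account": account,
            "src": src,
            "logon_type": int(logon_type),
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return alerts for sources with >= threshold RDP failures inside the
    sliding window, and for any RDP success from a source after its burst.
    threshold and window are assumed tuning values, not published guidance."""
    events = sorted(events, key=lambda e: e["ts"])
    failures = defaultdict(deque)   # src -> deque of (timestamp, account) within window
    burst_sources = {}              # src -> time the burst alert fired (one alert per source)
    alerts = []
    for e in events:
        if e["logon_type"] != 10:   # only RemoteInteractive (RDP) logons
            continue
        src = e["src"]
        if e["event_id"] == 4625:
            q = failures[src]
            q.append((e["ts"], e["account"]))
            while q and e["ts"] - q[0][0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and src not in burst_sources:
                burst_sources[src] = e["ts"]
                alerts.append({
                    "type": "rdp_bruteforce",
                    "src": src,
                    "failures": len(q),
                    "accounts": sorted({account for _, account in q}),
                    "ts": e["ts"],
                })
        elif e["event_id"] == 4624 and src in burst_sources:
            # A success from a source that was just guessing is the high-priority case
            alerts.append({
                "type": "rdp_success_after_bruteforce",
                "src": src,
                "account": e["account"],
                "ts": e["ts"],
                "burst_started": burst_sources[src],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the sample data the detector fires once for 198.51.100.23 (five failures across five account names within seconds, the signature of guessing rather than a user mistyping) and then again when `jsmith` logs in successfully from that address; the single failure from 10.0.0.15 and the non-RDP failure from 203.0.113.7 produce nothing. The second alert type is the one worth paging on, because it means the hardening steps above (NLA, MFA, no direct network access) did not stop the guess from succeeding.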

No VPN required: giving your access and security a boost

The risks of enabling remote access are legitimate concerns for any enterprise. Traditional mitigation techniques, such as upgrading the server operating system, can take time and have cascading consequences. But new technologies are stepping up to improve access security and minimize complexity when it comes to VPNs and server software upgrades.

Here’s a partial list of CVEs related to RDP, which can be mitigated with the right steps taken and the support of the right technologies:

CVE-2019-0708 (BlueKeep) – Exploitation requires the client to bind to a specific virtual channel. Axis Security maintains a whitelist of allowed channels, and the MS_T120 channel is blacklisted.

CVE-2020-0660 – Caused by insufficient validation of requests, which allows a crafted, malformed request to be sent and crash the system. Malformed packets will never be sent from the Application Access Cloud to your servers, as it validates and disarms every request and response before forwarding it.

RDP as implemented in versions of Windows including Server 2008/12 R2, 7, 8.1 and 10 is known to be vulnerable to the exploits described below:

CVE-2020-0609 – This vulnerability lies in Windows RD Gateway. We isolate your RD gateway from the internet, so no one can send malicious requests to it. Malformed packets will never be sent from the Application Access Cloud to your servers, as it validates and disarms every request and response before sending it over.

CVE-2020-0610 – This is very similar to the last one. This vulnerability lies in Windows RD Gateway. We isolate your RD gateway from the internet, so no one can send malicious requests to it. Malformed packets will never be sent from the Application Access Cloud to your servers, as it validates and disarms every request and response before sending it over.

CVE-2019-1181 – This vulnerability affects unpatched versions of Windows Server 2008-2019 and Windows 7-10. Our RDP service is not affected by this vulnerability.

CVE-2019-1182 – This vulnerability affects unpatched versions of Windows Server 2008-2019 and Windows 7-10. Our RDP service is not affected by this vulnerability.

CVE-2019-1222 – This vulnerability affects unpatched versions of Windows Server 2016-2019 and Windows 10. Our RDP service is not affected by this vulnerability.

CVE-2019-1226 – This vulnerability affects unpatched versions of Windows Server 2016-2019 and Windows 10. Our RDP service is not affected by this vulnerability.

About the Author

Gil Azrielant is the Co-founder and CTO of Axis Security. He is responsible for technology strategy and the development of the company’s cloud-based zero-trust application access platform. Gil’s cybersecurity career began in the elite Unit 8200 of the Israeli Army Intelligence Corps, where he worked on advanced cybersecurity and code decryption. He served five years inside this elite unit, working as a researcher and team leader.

5 Threat Predictions for 2020: Are You Prepared? https://staging-cisomagcom.kinsta.cloud/threat-predictions-for-2020/ Mon, 13 Jan 2020 04:15:39 +0000

With 2019’s headlines of ransomware, malware, and RDP attacks almost behind us, we shift our focus to the cybercrime threats ahead in 2020. Cybercriminals are increasing the complexity and volume of their attacks and campaigns, always looking for ways to stay one step ahead of cybersecurity practices – and using the world’s evolving technology against us.

By Raj Samani, Chief Scientist and McAfee Fellow, Advanced Threat Research

Continuing advancements in artificial intelligence and machine learning have led to invaluable technological gains, but threat actors are also learning to leverage AI and ML in increasingly sinister ways. AI technology has extended the capabilities of producing convincing deepfake video to a less-skilled class of threat actors attempting to manipulate individual and public opinion. Deepfake content is so realistic that it is difficult for humans to discern real from fake. Deepfakes are used for the spread of misinformation and employ Generative Adversarial Networks (GANs), a recent analytic technology, that can create fake but incredibly realistic images, text, and videos. Enhanced computers can rapidly process the biometrics of a face, and mathematically build or classify human features, among many other applications. While the technical benefits are impressive, the underlying flaws inherent in all types of models represent a rapidly growing threat, which cybercriminals will look to exploit.

Other trends our researchers noted in 2019 include:

  • With more enterprises adopting cloud services to accelerate their business and promote collaboration, the need for cloud security is greater than ever. As a result, the number of organizations prioritizing the adoption of container technologies will likely continue to increase in 2020.
  • Our researchers also foresee more threat actors targeting corporate networks to exfiltrate corporate information in two-stage ransomware campaigns.
  • The increased adoption of automation, and the growing importance of securing the system accounts used for automation, raises security concerns about Application Programming Interfaces (APIs) and the personal data they can contain.

The threat landscape (threatscape) of 2020 and beyond promises to be interesting for the cybersecurity community. With these trends in mind, here are five predictions that are most likely to shape the threatscape in 2020:

1. Broader Deepfake Capabilities for Less-skilled Threat Actors

Deepfake video or text can be weaponized to enhance information warfare. Freely available videos of public comments can be used to train a machine-learning model that can develop a deepfake video that depicts a person doing or saying something that they never did or said. Attackers can now create automated, targeted content to increase the probability that an individual or a group of people fall for a campaign. In this way, AI and machine learning can be combined to create massive chaos.

In general, adversaries are going to use the best technology to accomplish their goals, so if the goal of nation-state actors is to manipulate an election, using deepfake video to manipulate voters is an excellent strategy. With deepfake technology, a cybercriminal can have a CEO make what appears to be a compelling statement that a company missed its earnings targets, or that there’s a fatal flaw in a product that’s going to require a massive recall. Such a video can be distributed to manipulate a stock price or to enable other financial crimes.

As deepfakes technology improves, the expertise required to use it will continue to fall, leading to an increase in the quantity of misinformation.

2. Adversaries to Generate Deepfakes to Bypass Facial Recognition

As technologies are adopted over the coming years, a very viable threat vector will emerge, and we predict adversaries will begin to generate deepfakes to bypass facial recognition. It will be critical for businesses to understand the security risks presented by facial recognition and other biometric systems and invest in educating themselves of the risks as well as hardening critical systems.

3. Ransomware Attacks to Morph into Two-Stage Extortion Campaigns

Based on what McAfee Advanced Threat Research (ATR) is seeing in the underground, we expect criminals to exploit their extortion victims via targeted ransomware. This means there will be an increased demand for compromised corporate networks that will be met by criminals who specialize in penetrating networks and then selling complete network access.

For 2020, we predict the targeted penetration of corporate networks will continue to grow and ultimately give way to two-stage extortion attacks. In the first stage, cybercriminals will deliver a crippling ransomware attack, extorting victims to get their files back. In the second stage, criminals will target the recovering ransomware victims again with another extortion attack, this time threatening to disclose the sensitive data stolen before the ransomware attack.

4. DevSecOps Will Rise to Prominence as Growth in Containerized Workloads Causes Security Controls to “Shift Left”

Container-based cloud deployments are growing in popularity due to the ease with which DevOps teams can continuously roll out micro-services and interact, reusing components as applications. As a result, the number of organizations prioritizing the adoption of container technologies will continue to increase in 2020.

Threats to containerized applications can be introduced by IaC (Infrastructure as Code) misconfigurations or application vulnerabilities. But they can also be introduced through abused network privileges, which allow lateral movement in an attack.

Organizations are increasingly turning to cloud-native security tools explicitly developed for container environments to address these threats. Cloud Access Security Brokers (CASB) are used to conduct configuration and vulnerability scanning, while Cloud Workload Protection Platforms (CWPP) work as traffic enforcers for network micro-segmentation based on the identity of the application, regardless of its IP. This approach to application identity-based enforcement will push organizations away from the five-tuple approach to network security, which is increasingly irrelevant in the context of ephemeral container deployments.

5. Application Programming Interfaces (API) Will Be Exposed as The Weakest Link Leading to Cloud-Native Threats

Threat actors will continue to target API-enabled apps because APIs remain an easy and vulnerable way to access sensitive data. Despite the fallout of large-scale breaches and ongoing threats, APIs often reside outside of the application security infrastructure and are ignored by security processes and teams. Vulnerabilities will continue to include broken authorization and authentication functions, excessive data exposure, and a failure to focus on rate-limiting and resource-limiting attacks. Insecure consumption-based APIs without strict rate limits are among the most vulnerable.

Headlines reporting API-based breaches will continue into 2020, affecting high-profile apps in social media, peer-to-peer messaging, financial processes and others, adding to the hundreds of millions of transactions and user profiles that have been stolen in the past two years. The increase in API adoption for applications in 2020 will expose API security as the weakest link, putting user privacy and data at risk until security strategies mature.

About the Author

Raj Samani is a computer security expert working as the Chief Scientist and McAfee Fellow for cybersecurity firm McAfee. Raj has assisted multiple law enforcement agencies in cybercrime cases and is a special advisor to the European Cybercrime Centre (EC3) in The Hague.

He has been recognized for his contribution to the computer security industry through numerous awards, including the Infosecurity Europe Hall of Fame, the Peter Szor Award and the Intel Achievement Award, among others. Raj is also the co-author of the books ‘Applied Cyber Security and the Smart Grid’ and ‘CSA Guide to Cloud Computing’, as well as technical editor for numerous other publications.

Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same. 
