Monthly Archives: February 2018

Zero-Day Attacks Major Concern in Hybrid Cloud

Hybrid cloud environments are particularly vulnerable to zero-day exploits, according to a new study.

Securing cloud-based and legacy systems is a balancing act, and businesses have a tough time staying upright. As the race to the cloud picks up speed, many are struggling to fully protect their hybrid environments from zero-day attacks.

Researchers at Enterprise Strategy Group (ESG) polled 450 IT and security pros in North America and Western Europe on hybrid cloud environments and containers. The results demonstrate concern around zero-day attacks and increased container adoption.

“The thesis for the study was the multidimensionality of hybrid clouds is shifting cybersecurity priorities,” explains Doug Cahill, senior analyst covering cybersecurity for ESG and leader of this research, which was commissioned by Capsule8.

Hybrid infrastructures have become the major architecture in enterprise environments, a shift that has come with “major headaches and concerns,” says Bogdan “Bob” Botezatu, senior e-threat analyst at Bitdefender.

“The move to hybrid happened because increasingly more organizations want to enjoy the benefit of public cloud – scalability, pay-as-you-go rates and flexibility – but also maintain control over the key infrastructure,” he explains. The hybrid approach is a necessary step toward public cloud adoption, especially for companies hesitant about cloud security.

Complexity in the Cloud

“Hybrid clouds are comprised of disparate environments,” Cahill says, adding that more than 80% of organizations using infrastructure-as-a-service (IaaS) consume services from multiple providers. “This tells us more workloads are moving to public cloud platforms,” he adds.

More than half (56%) of respondents have already deployed containerized production applications; 80% report they will have containers in production within the next 12 to 24 months.

The adoption of new technology is a gradual, phased process, and many companies are in the middle of migrating old applications to the cloud. Three-quarters (73%) of organizations use, or will use, containers for both new applications and preexisting legacy applications, Cahill says.

Despite their growing reliance on containers, many businesses will continue to at least partially rely on legacy systems for years to come, he continues. Security becomes a challenge when multiple users access multiple environments from multiple locations.

The biggest hybrid cloud security challenge is maintaining strong, consistent security across the enterprise data center and multiple cloud environments, says Cahill. Businesses want consistency; they want to be able to centralize policy and security controls across both.

Security teams also struggle to keep pace with the cloud, an increasingly difficult challenge as cloud adoption continues to accelerate. It used to be that cloud adoption was slowed by security, Cahill points out. Now, containers are driven by the app development team. Security has to keep up.

“One of the things we know about cloud computing in general, and about DevOps, is it’s all about moving fast,” he points out. “They need to keep pace with the rapid rate of change.”

Compliance is a major concern for companies using hybrid cloud, adds Botezatu, who says Bitdefender polled CISOs about their biggest fears related to hybrid cloud in late 2016.

“Lack of visibility into what is happening in the big hybrid datacenter, the increased attack surface, security of backups and snapshots and security of data (either at rest or in transit) were the top five answers,” he says.

More Complexity = Larger Attack Surface

The complexity of hybrid cloud environments puts organizations at risk for several types of attack. Forty-two percent of businesses reported an attack on their cloud environment in the past year; 28% said a zero-day exploit had been the attack origin.

“Part of [the reason] is the elastic nature of these environments,” says Cahill of the critical zero-day threat. “Servers are so rapidly deployed and sometimes they’re put into production without going through assessments and vulnerability scanning.”

Common threats include taking advantage of known flaws in unpatched applications (27%), misuse of privileged accounts by inside employees (26%), exploits taking advantage of known flaws in unpatched operating systems (21%), misuse of privileged account via stolen credentials (19%), and misconfigured cloud services, workloads, or network security controls (20%).

“The security in many hybrid cloud environments is focused on the perimeter, while totally missing in-depth defenses,” says Ofri Ziv, vice president of research and head of GuardiCore Labs. “This leads to environments with weak network segmentation, which is heaven for attackers and worms.”

John Viega, cofounder and CEO of Capsule8, says zero-days will always be a real and unpredictable threat. “This is particularly true in production due to the impact of open source,” he adds. A zero-day that appears in production from open-source software will affect a huge number of companies.

Move to Unify Security

Part of the reason security is difficult with hybrid cloud is that the majority (70%) of companies currently use separate controls for public cloud-based resources and on-premise virtual machines and servers. Only 30% use unified controls, Cahill explains.

“It’s very siloed today,” he says. “There are different tools for different environments managed by different people … but that’s not sustainable over time. It doesn’t afford the consistency of security policies across disparate environments.”

This is poised to dramatically change within the next two years. By that time, 70% of respondents claim they will focus on unified controls for all server workload types across public cloud(s) and on-premise resources.

“One of the most important things a company can do is be disciplined about keeping applications on-premise or in a data center and not moving it until it is absolutely mature enough to be seamlessly deployed in either environment,” adds Viega. One way to control this is to focus on containerization in the software development process.

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance & Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

from Dark Reading – All Stories

New Android Malware Family Highlights Evolving Mobile Threat Capabilities

RedDrop can steal data, record audio, and rack up SMS charges for victims, says Wandera.

RedDrop, a new family of malicious software found lurking in dozens of seemingly benign Android applications, is the latest indication of the increasingly dangerous capabilities that threat actors have begun integrating into modern mobile malware.

Security vendor Wandera recently discovered RedDrop hidden in 53 working Android applications, such as image editors, calculators, language learning apps, space exploration apps, and other educational, recreational, and practical tools. Each application functions as the user would expect, while executing malicious actions in the background.

Once an infected app is installed on an Android device, it downloads at least seven more Android Application Packages (APKs), each with its own malicious functionality and from a different command and control server. The APKs are stored in the system’s memory, giving attackers a way to execute them without having to embed the functionality in the original malware sample, Wandera said.

Data the malware is capable of stealing includes all locally saved files, including photos, contacts, and images; live recordings of the device’s surroundings; device and subscriber identifiers; application data; and SIM data.

When users interact with a RedDrop-infected app, it also secretly sends a cost-incurring SMS message to a premium service and then instantly deletes the message to avoid detection by the user. All data stolen from infected systems is uploaded to remote file storage systems controlled by the attackers for potential use in future extortion schemes or to launch further attacks, according to Wandera.

RedDrop apps are being distributed from a network of over 4,000 domains, all registered to a single group that appears to be operating out of China. Eldar Tuvey, Wandera’s co-founder and CEO, says that several infection vectors are being used to distribute the RedDrop family of malware.

The one with the broadest reach is through a Chinese search giant, but users could also visit Sky-mobi, which happens to run one of the largest Android app stores in the world, he says. “We also believe advertising networks are being exploited by criminals in order to entice users towards the downloads.”

As with most Android malware tools — and indeed most mobile malware — RedDrop poses a threat mainly to users who voluntarily download apps from third-party sources and websites, something that security researchers have long warned against. People who download their apps only from Google’s official Play store or from properly vetted enterprise app stores are safe from the threat for the moment. Also for the moment, RedDrop appears to be primarily aiming at Android users in China, though many of the infected apps also target European and American users.

But underestimating mobile threats like RedDrop for such reasons might be a mistake. “Our data shows that around 20.6% of Android users have their configurations set to allow third-party installations,” Tuvey says. Despite warnings, many users are still willing to take the risks that come with installations through unofficial app stores, he says.

“In order to protect themselves from these types of threats, individuals and organizations with vulnerable devices should disable downloads from third-party app stores, unless absolutely necessary for business functionality,” Tuvey says.

Criminals have also begun ramping up threat activity targeted at mobile devices. In a report earlier this week, Trend Micro noted a sharp increase in the volume of mobile ransomware, banking Trojans, and other malware over the past year. Many of the threats are directed at Android devices, though Apple’s iOS is not immune either, according to Trend Micro.

Ominously, threat actors have become increasingly better at uploading malware-laden apps to Google’s Play store, according to the Trend Micro report. As a result, users downloading their apps from there cannot be absolutely certain about their security either. Unsurprisingly, given the rapidly evolving threat landscape, four out of 10 enterprises see mobile devices posing a significant risk to their security.

“Android has an above-average amount of known security vulnerabilities, and hackers know this,” says Paul Bischoff, privacy advocate at Comparitech. Organizations that provide Android devices for work should consider setting up a guest account on each device, he says. “Guest accounts in Android cannot install apps from third-party sources due to a lower level of privileges. The main admin account should be password-protected.”

If employees are allowed to use their own Android devices, clear guidelines need to be laid out about what work-related activities are allowed on their phones and what security measures need to be in place, Bischoff says. Security administrators need to instruct employees not to change the “allow apps from unknown sources” setting on any personal phones used for work.

Organizations should also update their Android devices to Android Oreo, the latest version of the operating system, Tuvey says. Oreo includes controls that make it easier for users to detect and block apps with invasive permissions. Unfortunately, almost half of all installed Android devices are running versions of the operating system that predate the previous Marshmallow version and can be easily bypassed by RedDrop, Bischoff says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

from Dark Reading – All Stories

Misconfigured Memcached Servers Abused to Amplify DDoS Attacks

Cybercriminals behind distributed denial of service attacks have added a new and highly effective technique to their arsenal to amplify attacks by as much as 51,200x by using misconfigured memcached servers accessible via the public internet.

The technique was reported by Akamai, Arbor Networks and Cloudflare on Tuesday. All said they have observed an uptick in DDoS attacks using User Datagram Protocol (UDP) packets amplified by memcached servers over the past two days. Memcached servers are in-memory caching systems used to improve the responsiveness of database-driven websites.

“Unfortunately, there are many memcached deployments worldwide which have been deployed using the default insecure configuration,” wrote Marek Majkowski, a Cloudflare engineer, in a technical description of the DDoS attacks posted on Tuesday.

Reflection attacks happen when an attacker forges the victim’s IP address as the source of requests sent to a massive number of machines. Those machines then send an overwhelming flood of responses back to the victim’s network, ultimately crashing it. These types of DDoS attacks differ from amplification attacks, where publicly accessible open DNS servers are used to flood victims with DNS responses.

In the amplification attacks identified by Akamai, Arbor Networks and Cloudflare, attackers sent a UDP request of only a few bytes to a memcached server (on port 11211). The packets were spoofed to appear as if they came from the intended target of the DDoS attack, so the memcached server delivered its massively disproportionate response to that spoofed target.

“Fifteen bytes of request triggered 134KB of response. This is an amplification factor of 10,000x! In practice we’ve seen a 15 byte request result in a 750kB response (that’s a 51,200x amplification),” Majkowski said.

The implications of an attack that requires so few resources yet has such a massive impact are far reaching, not only for intended targets but also for critical network infrastructure, researchers said.

“It is difficult to determine the exact amplification factor of memcached, but the attacks Akamai saw generated nearly 1 Gbps per reflector. Other organizations have reported attacks in excess of 500 Gbps using memcached reflection,” according to an Akamai SIRT Alert posted Tuesday.

By comparison, in 2016 security journalist Brian Krebs’ Krebs on Security website suffered a massive DDoS attack, peaking at more than 620 Gbps of sustained traffic aimed at his site. That attack, of course, leveraged resource-intensive botnets of IoT devices infected with Mirai malware.

According to estimates, there are over 88,000 misconfigured open memcached servers vulnerable to abuse. Vulnerable memcached servers have been identified globally, with the highest concentration in North America and Europe, Cloudflare said.

Making matters worse, memcached servers support UDP, an alternative to the Transmission Control Protocol that is also considered ripe for abuse in amplification attacks.

“The (UDP) protocol specification shows that it’s one of the best protocols to use for amplification ever! There are absolutely zero checks, and the data WILL be delivered to the client, with blazing speed! Furthermore, the request can be tiny and the response huge,” Cloudflare researchers noted.

Mitigation includes configuring memcached servers to operate behind a firewall and turning off support for UDP.

“Similar to most reflection and amplification attacks before it, the primary solution to memcached attacks is to not have the reflectors exposed to the Internet. However, relying on remote systems administrators to remove their servers from the Internet is not a solution likely to see immediate results. In the meantime, organizations need to be prepared for more multigigabit attacks using this protocol and should plan accordingly,” Akamai said.
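As an added detection-side example (not code from the Threatpost article or from Akamai, Arbor Networks or Cloudflare), the following Python flags reflected memcached traffic in flow records using the two properties described above: UDP replies from port 11211 that are many times larger than the request that triggered them. The key=value flow format, the sample flows and the 100x threshold are all constructed assumptions for this example.

```python
"""Flag memcached UDP reflection in bidirectional flow records (detection side)."""
import re
from collections import defaultdict

MEMCACHED_PORT = 11211
# Legitimate clients never reach memcached across the public internet, so any
# external UDP flow to 11211 deserves a look; the ratio threshold (an assumed
# value for this example) separates real amplification from stray probes.
MIN_RATIO = 100.0

# Constructed key=value flow format (assumption); Zeek conn.log and IPFIX carry
# the same fields under other names.
FLOW_RE = re.compile(
    r"proto=(?P<proto>\w+)\s+"
    r"orig=(?P<orig_h>[\d.]+):(?P<orig_p>\d+)\s+"
    r"resp=(?P<resp_h>[\d.]+):(?P<resp_p>\d+)\s+"
    r"orig_bytes=(?P<orig_bytes>\d+)\s+resp_bytes=(?P<resp_bytes>\d+)"
)

def parse_flow(line):
    """Parse one flow line into a dict with integer ports and sizes, or None."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    for key in ("orig_p", "resp_p", "orig_bytes", "resp_bytes"):
        f[key] = int(f[key])
    return f

def amplification_factor(request_bytes, response_bytes):
    """Bytes returned per byte sent: the figure Cloudflare quoted as 51,200x."""
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    return response_bytes / request_bytes

def find_reflection(lines, min_ratio=MIN_RATIO):
    """Return {victim_ip: [(reflector_ip, factor), ...]} for suspicious flows.
    In a reflection attack the 'originator' address is the victim's: the
    attacker forged it, so the reflector's oversized reply lands on the victim.
    """
    hits = defaultdict(list)
    for line in lines:
        f = parse_flow(line)
        if f is None or f["proto"].lower() != "udp" or f["resp_p"] != MEMCACHED_PORT:
            continue
        if f["orig_bytes"] == 0:
            continue  # one-sided record, no ratio to compute
        factor = amplification_factor(f["orig_bytes"], f["resp_bytes"])
        if factor >= min_ratio:
            hits[f["orig_h"]].append((f["resp_h"], factor))
    return dict(hits)

# Constructed sample using RFC 5737 documentation addresses, not real hosts.
SAMPLE_FLOWS = [
    # 15-byte request answered with 750 KiB: the 51,200x case from the article
    "proto=udp orig=198.51.100.7:40000 resp=203.0.113.10:11211 orig_bytes=15 resp_bytes=768000",
    # same victim, second reflector, roughly the 134 KB / 10,000x case
    "proto=udp orig=198.51.100.7:40000 resp=203.0.113.11:11211 orig_bytes=15 resp_bytes=150000",
    # ordinary TCP memcached traffic inside the data centre: ignored
    "proto=tcp orig=10.0.0.5:51234 resp=10.0.0.9:11211 orig_bytes=40 resp_bytes=120",
    # UDP probe that drew a tiny reply: below the ratio, ignored
    "proto=udp orig=198.51.100.9:40001 resp=203.0.113.10:11211 orig_bytes=15 resp_bytes=60",
    "malformed line that does not parse",
]
```

On the server side, memcached’s `-U 0` option disables its UDP listener and `-l 127.0.0.1` keeps it off public interfaces, which removes the reflector rather than merely detecting it.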

from Threatpost – English – Global – thr…

FTC Settles with Venmo on Security Allegations

Proposed settlement addresses complaints that Venmo misrepresented its security and privacy features.

The Federal Trade Commission has reached a settlement with Venmo, a PayPal company, regarding allegations that the company misrepresented the way it handled and made available funds as well as the level of security of its financial platform.

The charges, originally filed in 2015, alleged that some Venmo customers suffered “real harm” when the company either didn’t make funds available in the advertised time or withdrew funds after their initial deposit.

Venmo advertised “bank-grade security” and transaction privacy for its customers; the FTC found that the company had delivered neither. In the proposed settlement, Venmo admits to no wrongdoing, but does admit to the facts of the allegations.

Under the agreement, approved by a 2-0 vote of the commission, Venmo is required to stop misrepresenting the level of security available for transactions and to be more transparent with customers about both the security and privacy of their transactions. In addition, because of the GLB component of the complaint and settlement, Venmo will have to submit to twice-annual audits of its compliance for 10 years.

The proposed agreement will be published to the Federal Register and become subject to public comment for 30 days. After that time, the commission will vote on whether or not the settlement will become final.

from Dark Reading – All Stories

Hacking on TV: 8 Binge-Worthy and Cringe-Worthy Examples

From the psycho-drama Mr. Robot to portraying the outright dangers of ransomware taking down a hospital in Grey’s Anatomy, hacking themes now run deep in today’s TV shows.


Image Source: Shutterstock via stock_photo_world

Hackers and inside stories about hacking have made their way into popular culture in a big way.

There’s still nothing that quite tops USA Network’s Mr. Robot for its sheer ability to drill down into the details of how hackers think and operate. The series’ protagonist and anti-hero, Elliot Alderson, played by Rami Malek, is a self-described hacker and computer tech, complete with a drug problem, social anxiety, and chronic depression. While Malek’s character is clearly a bit of a stereotype, some viewers are forgiving.

“By far, Mr. Robot is the most accurate in the way it portrays the methods of hackers,” says Jason Haddix, vice president of trust and security at Bugcrowd. “In most shows, the longest time to exploit you’ll see is about 30 seconds. It’s never that simple. Our work can take hours and days to do enough reconnaissance to find a flaw.”

Stu Sjouwerman, founder and CEO of KnowBe4, says shows such as NCIS and its spin-offs NCIS Los Angeles and NCIS New Orleans tend to be “quick and dirty” and don’t really give viewers a sense of how hacking is quite tedious.

“Hacking is a methodical and tedious exercise, but once you get there it’s like, ‘whoa,'” Sjouwerman says.

The sense of excitement and danger that surrounds hacking makes for good television. Hackers took over Grey Sloan Memorial Hospital earlier this year during multiple episodes of ABC’s Grey’s Anatomy. Despite all the subplots, which included domestic abuse themes and a transgender hacker who saves the day, the episode gave a reasonable depiction of how disruptive and dangerous it would be for a hospital to be held up for a $20 million ransom.

Other TV shows this year, from Bull on CBS to Showtime’s Homeland, offered up hacker plots and subplots. And HBO plans to launch Hackerville this fall, a new series based in Europe.

In putting together this slideshow, we drew on today’s popular shows as well as many popular techie shows of the past, like Person of Interest, CSI Cyber and Numb3rs. If you haven’t seen some of these shows, click on the links to trailers and episode clips to catch up and do some binge watching of your own.


Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

from Dark Reading – All Stories