zscaler Archives - IT Security Guru

Overcoming hurdles: Businesses need to up their game if they are to maintain productivity this August

The Gurus — Fri, 29 Jul 2016 08:34:07 +0000

As the biggest sporting event of the summer begins, IT and security leaders need to make sure they refocus their cyber security efforts, to assess the risks associated, and their ability to respond if needed. Vigilance should be at the forefront for business leaders globally. Cybercriminals are aware that users will be looking for convenient ways to keep up-to-date with the sporting action. This is forcing organisations to roll out revised policies that ensure the security of users watching, searching for and downloading sporting coverage.
Considering the business exposure to phishing and malware attempts, exploitation of mobile applications and how this will impact business continuity is critical for organisations. In fact, at previous Games, ThreatLabZ research found that 80 per cent of “Olympic” web domains were found to be scams and spam.
Experience tells us that cybercriminals will use similar tactics to lure unsuspecting users to click on spam emails and visit scam websites that mirror legitimate sites, in order to exploit them to download malicious files.
In considering their ‘risk profile’, businesses need to be ‘enterprise ready’ across three key areas – productivity, cyber treats and approved applications – when preparing for the sporting season.
Enabling business productivity
As businesses shift to the cloud, cyber security and prioritisation of web traffic is hugely important. Online streaming of events runs the risk of diverting employee attention and saturating network bandwidth that is required for access to business applications.
While it may seem easier to simply blanket ban any live coverage during working hours, this will only leave employees feeling demotivated and encourage them to look for other means of viewing events. In turn, this could result in an increase in absence from the office and leave employees open to social engineering attacks, as their vigilance is lowered as they look for alternative means to stream events. Organisations need to take a proactive approach when it comes to preserving bandwidth such as conducting a survey to understand which events are likely to be the most popular will ensure staff levels can be maintained and bandwidth appropriately provisioned.
Threats: Phishing and malware
Phishing can take multiple forms – from spam email messages, social media, Typo Squatting and over the phone social engineering – yet, all have the same end-goal to make money by harvesting usernames and passwords, personally-identifiable information and/or payment card information.
Criminals use international events to capitalise on customer excitement and demand, often creating bogus ticket purchasing sites, offering discounted tickets or even tickets to sold out events. Falling for one of these scams not only leaves customers disappointed when tickets fail to arrive, but they have also left their personal information exposed, as these sites are rarely protected with at-rest and in-flight encryption technology.
Directing user traffic to bogus domains allows cybercriminals to leverage readily available exploit kits which look for vulnerabilities to load arbitrary malware onto, whilst also allowing criminals to offer seemingly free streaming of events. When the site owners have malicious intentions, there is often some form of browser plugin or executable download associated with the viewing. These files generally contain malware. If something looks too good to be true, it generally is.
We have already found cases of exploit kit traffic coming from “Olympics”-related content and predict that more attacks will target users with emails and attachments around further “Olympics”-related content, discounts and schedules.
Organisations need to ensure that they can identify phishing sites and detect scripts which are running in webpages that could be malicious. Relying on URL Filtering is no longer an appropriate cyber security defence framework. Streaming sites should be enabled on a whitelist-only approach: if the site has not been explicitly approved by your IT team, it should be blocked.
Mobile apps and app stores
We are already seeing examples of malware disguising itself by mirroring a similar login screen to the original app so that it can steal user credentials when the victim tried to authenticate. While Trojan malware that uses mobile applications as a delivery mechanism is not new, during major sporting events, cybercriminals will be looking to exploit the fact that millions of users will be looking for convenient methods of keeping up-to-date with the sporting action and will write mobile-applications that mirror their official equivalents.
The best defense against mobile malware is for organisations to block access to third-party app stores. Allow only access to the Play Store and Apple App Store (for Android and IoS respectively). Whilst there are isolated instances of rouge applications finding their way to approved stores, the risk is significantly lower. Organisations should also consider sandboxing technologies to detonate and inspect unknown Android APK files being downloaded to corporate devices.
While the business and security implications around the Games should not be taken lightly, many of the tactics cybercriminals will be using to target unsuspecting users are unlikely to be anything new. Defence in depth is of the upmost importance and businesses need to be extra vigilant when it comes to advanced security threats this August.

The post Overcoming hurdles: Businesses need to up their game if they are to maintain productivity this August appeared first on IT Security Guru.

Porno Flash Player Taking Android Users for a Long March

The Gurus — Fri, 11 Mar 2016 11:43:17 +0000

Zscaler has uncovered new instances of the Android Marcher Trojan being hidden as a flash player for watching pornography on Android devices – by prompting users to update their flash player through the Google Play Store an deceiving users into filling in their payment details, the proprietors are exploiting goodness knows how many hapless porn-watchers.
The e-mail attachment that contains the malicious Adobe flash file is where the story starts. The X-VIDEO app that users are then told to download has been downloaded over 100,000 times acccording to the Play Store, but when users click to download, the Marcher Trojan steps in and displays a flase payment screen, which users enter payment information into. Of course in reality, they’ve just handed their details to the hackers and received a dodgy app that never ends up loading.
The Marcher Trojan has been around since 2013, when it was seeking to scam users for credit card information by deploying the falso Google Play Store payment apge. It’s also been spotted working with banking applications and like to steal credentials.

Technical analysis

The infection cycle starts with the mobile user receiving a malicious URL via e-mail or SMS. Once the user opens this URL, the site will prompt the user to download and install the Adobe Flash Player.
The file that gets downloaded as a result of this action is aptly named – AdobeFlashPlayer.apk. Upon installation, malware asks for administrative access in order to perform its functions.
Once installed, Marcher connects to a predetermined Command & Control (C&C) server and sends information about all the installed applications on the infected device.
During our analysis, we also observed a unique approach where the C&C server will send a response generating a MMS notification on the infected device saying “You have received MMS” and instructs the user to visit “mms-service[.]info/mms” to see the content of the MMS.
As part of the infection cycle, Marcher will then display a fake Google Play payment screen asking for payment information to complete the account setup.This site redirects the user to the X-VIDEO app on official Google Play store. According to several reviews of this app, the users are claiming it to be a fake app that simply crashes after installation. We were able to verify the same crash behavior when installed on the latest Android OS Marshmallow 6.0.1. We haven’t analysed this app in any further detail but have been in touch with Google’s Android team to review these findings. The app in question has been downloaded more than 100,000 times and some of these downloads may have happened from infected devices. (UPDATE: This app has been verified as clean by Google’s Android team but they are monitoring it further.)
If the user falls for this screen then the credit card information is logged and relayed to the C&C server as seen below:
Newer variants of the Android marcher will also present a fake online banking login page based on information collected about already installed banking apps on victims device. Here is a sample fake login page that the user will see if the infected device has Commonwealth Bank of Australia mobile app installed.
The user banking credential information is relayed back to the C&C server in plain text.
BankSA – Bank of South AustraliaFollowing are some of the financial institution mobile apps that are targeted by Marcher:

Commerzbank
Commonwealth Bank of Australia – NetBank app
Deutsche Postbank
DKB – Deutsche Kreditbank
DZ Bank
Deutsche Bank
Fiducia & GAD IT
ING Direct
La Banque Postale
Mendons
NAB – National Australia Bank
PayPal
Santander Bank
Westpac
WellStar billpay app

The post Porno Flash Player Taking Android Users for a Long March appeared first on IT Security Guru.

Zscaler launch anti APT suite

The Gurus — Tue, 21 Oct 2014 16:45:52 +0000

Zscaler has entered the advanced persistent threat (APT) market with the launch of Fall 2014.

Combining robust internet security, APT protection, data loss prevention, SSL decryption, traffic shaping, policy management, security assessment and threat intelligence, the company said that the technology comes with a capability to monitor and manage a deployment via a mobile device.

Daniel Druker, chief marketing officer at Zscaler. “As a cloud-based system deployed at massive global scale, we at Zscaler leverage trillions of transactions to prevent, detect and remediate the most sophisticated zero-day attacks and APTs, providing far better security than appliances, coupled with unmatched ease of administration and superior economics.”

The APT Protection includes automatic Secure Sockets Layer (SSL) decryption, so it can inspect encrypted traffic, and incorporates multiple layers of security for defence in depth including automated behavioural analysis, sandboxing, detonation, forensics and analysis of suspected zero-day and advanced threats.

Asked if this could decrypt HTTPS traffic, Druker told IT Security Guru that it has to as decrypt this traffic, as around 35 per cent of overall traffic uses SSL, but more than 55 per cent of advanced threats are using SSL to hide.

He said: “To address employee privacy concerns, which are absolutely valid, Zscaler’s SSL decryption is governed by policy, so you can control what traffic is decrypted and what is not. Most of our clients put liberal white–listing policies in place, so for example, they won’t decrypt traffic going to consumer banks or healthcare companies that their employees are using – and they make it easy for employees to ask for additional sites to be white listed.

“The discussion with employees is about the balance between privacy, the protection of intellectual property, and compliance with Government regulations.”

The release also includes the ability to do administration, policy management, reporting, analytics and forensics from a single device. It said that the web-based, next generation graphical administrative and reporting tools can be managed via an internet connection and a Mac, PC or an iPad.

Druker said: “First – in most organisations, mobile devices and tablets are absolutely going unprotected by current security infrastructure. How is a security appliance in the corporate data center going to protect your iPad that is connected to the internet over 4G? Zscaler is unique in that we are ‘inside the internet connection’ so we can always protect mobile devices and ‘things’, regardless of where they are or how they are connected to the internet.

“Secondly, in Fall 2014 we introduced a new graphical administrative and reporting tools that work great on iPad. While I do not expect large enterprises to use an iPad to set up and manage their global security infrastructure, I do expect people to use our dashboards, reporting and analysis on their iPad.”

Also offered is a Security Preview option which offers an instant risk assessment to see how effective a company’s current security systems are at stopping threats, complying with regulations and safeguarding intellectual property.

The post Zscaler launch anti APT suite appeared first on IT Security Guru.

Shellshock-related attacks detected

The Gurus — Fri, 26 Sep 2014 13:10:55 +0000

Within hours of the Shellshock/Bash vulnerability being disclosed, attacks targeting it in the wild to download additional malware were detected.

According to Zscaler’s ThreatLabZ research team, upon successful exploitation of the CVE-2014-6271 vulnerability, an attacker is able to download and install a malicious ELF binary on the target Linux system. The malware connects to a predetermined Command and Control server on a specific port and awaits further instructions from the attacker.

Other reports of attacks were spotted by other threat labs. According to AlienVault’s Jaime Blasco, it began running a new module in its honeypots upon notification of the flaw, and it observed “several hits” in the last 24 hours.

He said: “Most of them are systems trying to detect if the system is vulnerable and they simply send a ping command back to the attacker’s machine.” He also said that the honeypot received another interesting attack from a file with a PERL script that seems to be a repurposed IRC bot that connects to an IRC server and waits for commands.

Blasco said: “As soon as the infected machine connects to the IRC server (185.31.209.84) on port 443, it joins a channel on the IRC server. It seems there are 715 users (probably victims) connected to the server right now. As soon as new victims join the server, the attackers are executing the command “uname -a” to determine the operating system that is running on the victim as well as “id” to check the current username. Since our honeypot joined the server, more than 20 new victims have become part of the botnet.”

Wolfgang Kandek, CTO of Qualys, said: “Our Web Application Firewall has the signatures needed to detect and block Shellshock attacks against websites. The detection is very reliable and is activated by default in the “normal” and “aggressive” settings on the WAF configuration page.

“Qualys scanners are considered not exploitable via the BASH vulnerability. Although Qualys scanners have a version of Bash vulnerable to CVE-2014-6271 installed, the scanner exposes no listening interfaces and services to the network, closing the common attack vectors discussed in the release of CVE-2014-6271. Further Bash is not used in any of the communication mechanisms that the scanner uses: scan dispatching, software updates and monitoring. We will update Bash on the scanner in the next system update cycle.”

Check Point said in an update that it had released an IPS signature to protect customer environments. It said: “The signature enables organisations to add a layer of protection to their network during the time they need to update their systems with vendor provided patches. This protection will detect and block attempts to exploit this vulnerability.”

The post Shellshock-related attacks detected appeared first on IT Security Guru.

Heartbleed affecting more than half of the Forbes Global 2000

The Gurus — Wed, 27 Aug 2014 15:48:13 +0000

According to Venafi, more than half of the companies on the Forbes Global 2000 list are still vulnerable to the Heartbleed flaw. This follows the recent data breach at Community Health System which exposed over 4.5 million patients’ personal details, which was reportedly down to the OpenSSL flaw.
Richard Cassidy, senior security architect, Alert Logic explained why Heartbleed is still an issue 6 months on. “We know from our own research at Alert Logic that many threats exist across customer networks long before they are detected or more importantly, remediated. Heartbleed technically has been exploitable since OpenSSL 1.0.1 was widely adopted back in March of 2012 and if we look at many other threats including the recent theory that BlockPOS malware that’s wreaked havoc across ePOS networks, we know that these exploits were long “exploitable” before the industry was even made aware them.”
TK Keanini, CTO Lancope, explained that the onus is on the vendors to fix this problem – not the user. “The vulnerable version of the OpenSSL library has been widely used in all types of applications – some of which may be embedded systems (like the Internet of Things) and the discovery and remediation can only take place by the vendor as the end user has no access to source code or the means to replace the library themselves. These vendors are not performing security related testing, and thus it will take a long time before they are made aware of the flaw and it will be at the expense of many exploited system.”
Amichai Shulman, CTO, Imperva however, questioned the severity of the Heartbleed vulnerability, suggesting this might just be a media hype. “While I do not necessarily want to belittle the importance of the “Heartbleed” vulnerability, it does seem odd to me that the only incident directly related to this vulnerability is the recent Community Health breach. This is especially intriguing given the claim by Venafy (below) that so many “Internet devices” remain vulnerable. It just does not add up. I’ve said it in the past with respect to Heartbleed and I’ll say it again now – we have seen vulnerabilities who received far less media attention than Heartbleed being successfully and massively exploited in the wild.”
However Michal Sutton, VP security research at Zscaler, warned that this will not be the last we hear of Heartbleed. “With an impact the size of Heartbleed, we can be sure that vulnerable machines will be discovered for years to come.”

The post Heartbleed affecting more than half of the Forbes Global 2000 appeared first on IT Security Guru.

Scams Taking Advantage of Malaysia Airlines 370 Disappearance

The Gurus — Mon, 24 Mar 2014 11:04:20 +0000

Michael Sutton, VP of security research at Zscaler has spent some time looking for sites that are taking advantage of the disappearance of Malaysia Airlines flight 370 (MH370) to profit from the tragedy. Unsurprisingly, it was all too easy to find examples of this as it is almost a given that scammers will attempt to profit from any breaking news story, especially those where the public is desperate for the latest tidbit of news – regardless of where it may be coming from.
Advertising Scam
The first example is an advertising scam. The scam begins with the infection of a legitimate site, in this case debiworley[dot]com, a personal website for a photographer. A subdomain has been added to the site, which hosts different scams, all leveraging the same approach. In the case of the MH370 scam, an alleged video has been posted to alert[dot]debiworley[dot]com/news/?mh370. At that page you’ll see an image, which purports to show a Malaysian Airlines plane crashed in the jungle. The page includes the fake video and also includes comments formatted to appear as though they’re from Facebook. Despite the look of the page, everything is simply an image. Clicking anywhere on the video doesn’t actually play the video, but instead prompts the user to share the video on Facebook by presenting the following popup, before it can be played. If the user chooses to share the video, it does not ever play, but instead simply shares the scam with their Facebook friends. What the victim is promoting is a quickly hacked together site hosted at vinreox[dot]com, a simple website that acts as a front end for various YouTube videos and the owner profits from advertisements on the site.
Pay-Per-Click Scam
This time around, the scam appears to be hosted at a site controlled by the attacker. There are various URLs on the domain that ultimately link to the same content, but one in particular (rentadp[dot]com/malaysia/) appears to be piggybacking on the MH370 disappearance. When visiting that URL, the victim is redirected to a completely fake Facebook page. Once again, most of the page is nothing more than an image and the only links either refresh the page or prompt the user to share the scam on their real Facebook profile before they can view the video. It would appear that the scammers were a bit lazy this time as despite the URL referencing ‘Malaysia’, they’ve clearly used a picture of US Airways Flight 1549, which crash landed on the Hudson river in 2009. Should users choose to share the scam, they won’t ever see the video, but instead will be redirected to a pay-per-click scam which requires yet another task, this time around the victim must fill out one of three surveys before they can proceed. This is where the the scammers make money. They’re paid a few cents for every survey completed.
Sutton says: “Unfortunate that anyone would seek to profit from a tragedy, but unfortunately, this has now become the norm.”

The post Scams Taking Advantage of Malaysia Airlines 370 Disappearance appeared first on IT Security Guru.

Samsung and Zscaler Announce Enterprise-Ready Mobile Security Solution

The Gurus — Mon, 24 Feb 2014 10:57:48 +0000

Zscaler, the global security cloud for the mobile enterprise, today announced a strategic partnership with Samsung Electronics Co., Ltd., to provide the industry’s first enterprise-ready mobile security solution. The deep integration of the Zscaler security cloud with Samsung KNOX, a secure Android platform for enterprise mobility, provides a streamlined, enterprise-ready solution for both Samsung and Zscaler customers.
This enterprise-grade mobile security solution from Zscaler and Samsung is made possible by extending the security and compliance policies from the Zscaler security cloud to Samsung KNOX. The Zscaler security cloud is centrally-managed and administers granular policy enforcement on a per-user/per-device basis anywhere in the world. Zscaler provides advanced security and real-time visibility for its users by meeting them en route to the Web services they consume and scanning all inbound and outbound Internet transactions. Samsung KNOX provides a container to separate work and personal environments to protect enterprise data and employee privacy. Together, these technologies give enterprises the additional security they need without compromising the user experience.
“We continue to evolve Samsung KNOX and our partner ecosystem to give enterprise customers the best solutions for secure enterprise mobility,” said Injong Rhee, Senior Vice President and Head of KNOX Business Group, IT & Mobile Communications Division at Samsung Electronics. “With more than twelve million users on the Zscaler cloud, we wanted to make our customer lives easier by strengthening our partnership with Zscaler and going to market together with a fully integrated, enterprise-ready solution.”
According to IDC, mobile malware is a top security concern among 68 percent of IT-controlled enterprises.[i] Zscaler research shows that browser and mobile applications present considerable risks for security and privacy. Whether an organisation implements a Bring Your Own Device (BYOD) scenario or provides company owned devices, the purpose-built integration provides truly secure and efficient work and play environments on one mobile device. Together, Zscaler and Samsung can go-to-market with an integrated solution that safely enables true enterprise mobility.
“We are excited to partner with Samsung on our shared vision of Enterprise-Ready Mobile Security”, said Jay Chaudhry, founder and CEO, Zscaler. “The deep integration between Samsung KNOX and the Zscaler security cloud enables users to have the same policy and protection on a mobile device and a PC. The collaboration, which is the result of ten months of joint development, will help accelerate the adoption of mobile devices in the Enterprise. The joint solution will be a game changer in the Industry”
[i] Source: IDC, “U.S. Mobile Security Survey, 2013,” Doc # 240598, April 2013

The post Samsung and Zscaler Announce Enterprise-Ready Mobile Security Solution appeared first on IT Security Guru.

Zscaler SHIFT Advances Internet Security with Intelligent Routing

The Gurus — Thu, 20 Feb 2014 11:01:35 +0000

Zscaler, the Global Security Cloud for the mobile enterprise, today announced Zscaler SHIFT, a new easy-to-use cloud service that extends its scalable security architecture to a broader market. Zscaler SHIFT introduces intelligent routing, which automatically applies threat intelligence from the behavioral analysis of 12 billion daily Web transactions from 4,500 global enterprises to enable ubiquitous protection against dynamic Internet threats.
“In a world of ubiquitous network connectivity, companies are looking for ways to provide uniform protection whilst reducing the cost per node when providing security for point products,” said Martin Brown, Chief Security Portfolio Architect at BT Security Enterprise, a world leader in Managed Security Services. “The leading solutions to this challenge will execute the vision of delivering security through the network, making protection as uniform as connectivity. Zscaler SHIFT is one of the capabilities poised to do just that.”
Zscaler SHIFT is configured in minutes, enabling instant policy enforcement, security and visibility for corporate headquarters, branch offices, and guest access networks – without the need for complex and expensive on-premise security appliances.
Zscaler SHIFT offers the streamlined benefits of:

Ubiquitous Security – Transparently enforce security and corporate policies from a single pane of glass without impacting end user experience. Protect against malware, botnets and advanced threats. Limit liability by filtering salacious sites.
Comprehensive Visibility – An intuitive dashboard provides instant insight into security posture, malicious activity and internet browsing trends, consolidating and correlating this information across the entire organization in real-time.
Granular Policy Management – Select one of four risk tolerance settings to instantly enforce common policies with the click of a button or select specific Internet browsing categories to create a custom policy. Granular control of Web browsing is enabled through specific block/allow lists.

“Organizations large and small struggle to safely enable users to do business beyond the corporate network,” said Patrick Foxhoven, VP & CTO of Emerging Technology. “Zscaler SHIFT extends the advanced security benefits of our Global Security Cloud with intelligent routing to enable all businesses, regardless of their size, to connect to the Internet with confidence.
For more information about Zscaler SHIFT please visit: www.zscalershift.com

The post Zscaler SHIFT Advances Internet Security with Intelligent Routing appeared first on IT Security Guru.