The global scale of the recent Exchange server attacks deserves the designation “saga.” The fallout, resulting in data theft and further malware deployment, has likely led to intensive changes in security protocols at thousands of institutions, and will surely be felt for a long time.
In an update to ESET’s original research piece detailing the global impact of the attacks, ESET’s telemetry picked up almost 27,000 attack attempts via web shells against around 5,500 unique servers:
Along with our well-received research into advanced persistent threat groups leveraging the Exchange vulnerabilities, ESET has set out to provide proactive advice via its Knowledgebase and a Customer Advisory. As the saga moves forward and we continue to compile and analyze data from the networks we protect, we would like to share how our cloud sandbox technology, ESET Dynamic Threat Defense (EDTD), and our endpoint detection and response solution, ESET Enterprise Inspector (EEI), offer protection to our clients.
With respect to malicious files, EDTD not only handles executables (as is the case with ESET LiveGrid®) but also documents, scripts, installers and other file types commonly used to deliver threats. As such, the technology gives greater visibility into, and protection against, various threat types. Leveraging EDTD in combination with endpoint security—both of which are backed by our core detection technologies—brings a multilayered approach to the table that significantly increases the likelihood an attack is automatically detected.
Looking closely at the samples related to the exploitation of Exchange servers, ESET has seen that some of the post-compromise attack components, for example, the loaders for the PlugX RAT (also known as Korplug), are being detected by EDTD when the most sensitive detection threshold – Suspicious – is applied. The same applies to the CobaltStrike-related components.
These kinds of detections also trigger alerts in the ESET Lab, where our researchers are actively monitoring EDTD detection data. The knowledge gained from malware analysis of these samples can then be applied further as we investigate possible intrusion vectors and remediation. With respect to post-compromise investigation and monitoring of servers, security operations center teams can use ESET Enterprise Inspector to address what amounts to a global challenge.
From the point of view of EEI’s rule set, the current modus operandi of the attackers can be fairly generic, meaning that creating a rule that detects such generic activity—even though possibly malicious—might cause a high number of false positives. For example, it is quite normal for w3wp.exe, the IIS worker process, to execute cmd.exe and powershell.exe, meaning that a rule monitoring this event would flood EEI’s dashboard with false positives.
However, ESET security teams have investigated how EEI faces up against malicious activity following the exploitation of Exchange. Our findings suggest that EEI deployed on exploited servers can cut investigation time by at least 80%.
EEI can not only shorten the time for investigation, but also show the path of attack. Critically, the security admin at EEI’s dashboard would have data at hand to see what was happening, when and where, which is a significant help in identifying and cleaning up malware, as well as providing for the overall security of compromised email servers.
Please follow our blog where ESET will share additional information to help customers return to normal operations following the extensive global exploitation of Exchange.
Partnership Will Drive Increased Adoption of Portnox’s Cutting-Edge NAC Solution Purpose-Built for Large Distributed Organizations in the Region
LONDON — Portnox, which supplies network access control (NAC), visibility and device risk management to organizations of all sizes, today announced that it has partnered with Distology for the sole distribution and resell of its cloud-delivered NAC-as-a-Service solution in the United Kingdom and Ireland.
We chose to partner with Distology because of their successful history of IT security solution distribution in the UK and Irish markets, said Portnox CEO, Ofer Amitai. Were confident this collaboration will yield tremendous growth for both parties, as Portnox has a unique value proposition and Distology has the market enablement expertise to effectively evangelize our network security offering.
We have a long-established relationship with Portnox and it speaks volumes that the team have decided to choose Distology as their sole UK&I distributor. The technology Portnox brings to the market is incredibly exciting and complements our existing vendor stack effortlessly, said Stephen Rowlands, Head of Sales for Distology. Were especially looking forward to representing and promoting Portnox Clear to our growing partner base, as this brand-new cloud-based technology has potential to completely disrupt the market and we foresee masses of growth potential in this innovative product.
Portnox introduced its cloud-delivered NAC-as-a-Service solution to the UK & Irish markets less than two years go. As the first to bring NAC to the cloud, Portnox has quickly gained a foothold in the region, particularly among large distributed enterprises in the retail, construction and utilities industries.
The adoption of our NAC-as-a-Service product in the UK has been very strong to date, said VP of Products, Tomer Shemer. This is a testament to the fact that the UK is one of the markets leading the trend of cloud security adoption. We expect to see continued growth in the coming years in this area of Europe.
Portnox is set to exhibit at this week’s RSA 2020 Conference (booth #4234) in San Francisco, February 24-28. Additionally, Portnox (booth #G108) and Distology (booth #C40) will both be exhibiting at InfoSec Europe 2020, Europes largest event for information and cyber security, in London, June 2-4.
About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About Portnox
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.。
About Distology
Distology is a Market Enabler and offers true value for the distribution of disruptive IT Security solutions. The vendors we work with represent innovative and exciting technology that continues to excite and inspire their reseller network. Our ethos is based on trust, relationships, energy and drive and offers end to end support in the full sales cycle providing vendor quality technical and commercial resource.
BRATISLAVA, MONTREAL – ESET researchers have recently discovered websites distributing trojanized cryptocurrency trading applications for Mac computers. These were legitimate apps wrapped with GMERA malware, whose operators used them to steal information, such as browser cookies, cryptocurrency wallets and screen captures. In this campaign, the legitimate Kattana trading application was rebranded – including setting up copycat websites – and the malware was bundled into its installer. ESET researchers saw four names used for the trojanized app in this campaign: Cointrazer, Cupatrade, Licatrade and Trezarus.
“As in previous campaigns, the malware reports to a Command & Control server over HTTP and connects remote terminal sessions to another C&C server using a hardcoded IP address,” says ESET researcher Marc-Etienne M.Léveillé, who led the investigation into GMERA.
ESET researchers have not yet been able to find exactly where these trojanized applications are promoted. However, in March 2020, the legitimate Kattana site posted a warning suggesting that victims are approached individually to lure them to download a trojanized app, thus pointing to social engineering. Copycat websites are set up to make the bogus application download look legitimate. The download button on the bogus sites is a link to a ZIP archive containing the trojanized application bundle.
In addition to the analysis of the malware code, ESET researchers have also set up honeypots (research computers) and lured GMERA malware operators to remotely control the honeypots. The researchers’ aim was to reveal the motivations behind this group of criminals. “Based on the activity we have witnessed, we can confirm that the attackers have been collecting browser information, such as cookies and browsing history, cryptocurrency wallets and screen captures,” concludes M.Léveillé.
For more technical details on the latest GMERA malicious campaign, read the full blogpost, “Mac cryptocurrency trading application rebranded, bundled with malware,” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.
About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.
