The current reality has pushed users, applications, and data to the edge of the network, where traditional perimeter security solutions have historically fallen short. Threat actors know this, of course, and have spent the past nine months targeting the weakest link in the security stack: the user.
Email and web browsing continue to be popular attack vectors. Security vendors have beefed up web and email security, but issues with legacy architectures are letting some attacks slip through. Information and context derived from advanced threat intelligence remain the most powerful weapons in a security team’s arsenal. Advanced technologies such as artificial intelligence and machine learning can help scan, detect, and warn at scale, but they’re not bulletproof. Increasingly sophisticated threat actors, powered by AI and ML, are finding ways to evade threat detection.
Security professionals interested in learning more about the current state of advanced threat inspection, threat intelligence, and the emerging technologies that power these capabilities should check out the following sessions:
Artificial intelligence and machine learning are powerful, indeed essential, components of security Continue reading
Office documents, such as Word and Excel files, can be password-protected using symmetric encryption: a single password serves as the key to both encrypt and decrypt the file. Malware writers use this encryption as an additional evasion technique to hide malicious code from anti-virus (AV) scanning engines. The problem is that encrypting a file introduces the disadvantage of requiring a potential victim to enter a password (which is normally included in the phishing or spam email containing the encrypted attachment). This makes the email and the attachment very suspicious, thus greatly reducing the chance that the intended victim will open the encrypted malicious attachment.
The good news (for the attackers) is that Microsoft Excel can automatically decrypt a given encrypted spreadsheet without asking for a password if the password for encryption happens to be VelvetSweatshop. This is a default key stored in Microsoft Excel program code for decryption. It’s a neat trick that attackers can leverage to encrypt malicious Excel files in order to evade static-analysis-based detection systems, while eliminating the need for a potential victim to enter a password.
The embedded VelvetSweatshop key in Excel is not a secret. It has been widely reported for many Continue reading
In the last few weeks, VMware NSX threat telemetry revealed the submission of a Windows executable ransomware sample, written in Go, which is related to the Snake ransomware family.
This ransomware specifically targeted the Honda network, and was found to be quite sophisticated. The ransomware appears primarily to be targeting servers, as it has logic to check for the type of host it is infecting, and it attempts to stop many server-specific services/processes. Hard-coded strings are encrypted, source code is obfuscated, and the ransomware attempts to stop anti-virus, endpoint security, and server log monitoring and correlation components. This ransomware family has ties to Iran and has historically been observed targeting critical infrastructure such as SCADA and ICS systems. More recently, the malware has been observed targeting healthcare organizations. Most interestingly, and unlike other variants, the malware analyzed in this threat report does not drop any ransom note to desktop machines.
To learn more, read our Targeted Snake Ransomware Report.
The post Threat Intelligence Report: Targeted Snake Ransomware appeared first on Network and Security Virtualization.
The network is a critical component of any IT environment. When it works, it’s “normal” and few notice it. But the smallest glitch can have devastating business impacts. For over a decade, networking has been adapting to become more programmable, closer to applications, and easier to use. At the same time, the number of devices has increased drastically and the number of applications exponentially. More than ever, there is a need to adapt the network to the new paradigm of multi-cloud environments, and to make it on-demand, easy to use, and simple. The network should be transparent to applications and users, yet allow the most complex environments to communicate reliably.
Let’s dig into the three pillars of a Modern Network framework.
User experience is paramount in today’s world. Applications and data are increasingly distributed across multiple on-premises data centers and public, private, and multi-cloud environments. At the same time, users and devices (including IoT) are spreading out from a centralized corporate headquarters to branch offices, remote worksites, and, increasingly, home offices. This new reality means that, more and more, machines are talking to machines and applications are talking to applications, creating network complexity that can only be mitigated by Continue reading
The modern application is dynamic and highly adaptive to changes in demand. It lives across multiple clusters and clouds. And it is highly distributed, with hundreds of microservices servicing the requirements of rapid feature releases, high resiliency, and on-demand scalability. In such a world, we simply cannot afford to continue to rely solely on the network architectures of the last decade.
Modern applications need a Modern Network—one that simplifies operations, reduces IT overhead and prioritizes user needs—such that organizations can empower users with fast, reliable and secure application access wherever and whenever they do business, regardless of the underlying infrastructure or connectivity. This requires adopting the public cloud—or even multiple public clouds—as an extension of on-premises infrastructure. What enterprises need is a common, multi-dimensional framework that provides availability, resiliency, and security for modern applications, with the ability to abstract connectivity, identity, and policy via declarative intents. These dimensions of control are paramount for modern applications – improving the visibility and control of assets that are ephemeral in nature and not directly under the Continue reading
Digital transformation has changed the way applications are deployed and consumed. The end-user to application journey has become increasingly complex and is a key objective for the Modern Network. End-users are more distributed, and applications run on heterogeneous infrastructure often delivered from on-prem data centers, IaaS, SaaS, and public cloud locations. On average, enterprises use hundreds of applications. The number of end-user and IoT devices has also increased exponentially. They range from infusion pumps in hospitals to point-of-sale systems in retail. These devices access applications from the manufacturing floor, carpeted offices, and homes, or while users are on the move. As more devices and applications are enabled, the network increases in both complexity and value to the enterprise.
What has become increasingly clear is the need for advanced self-healing solutions that compensate for this complexity by helping IT teams shift to a proactive mode of operating a network. Several tools exist that provide domain or service-specific insights, but it is left to the IT teams to make sense of the volumes of data generated by these fragmented solutions to detect issues and perform root cause analysis. The dynamic nature of the network, device density, and the volume of data and Continue reading
Enterprises are growing increasingly dependent on modern distributed applications to innovate and respond quickly to new market challenges. As applications grow in significance, the end-user experience of the application has become a key differentiator for most businesses. Understanding what kind of application performance the end-users experience, optimizing the infrastructure, and quickly identifying the source of any issues has become critical.
The Modern Network framework puts the end-user experience at the forefront. It helps our customers provide the public cloud experience on-premises with an on-demand network that enforces secure connectivity and service objectives across on-premises and cloud environments. As applications become more distributed, the increased application resiliency and efficiency often comes at the cost of increased contention for shared resources. The dynamic nature of the network, device density, and the volume of data and transactions generated make this even more challenging. Managing network complexity and simplifying network operations in such environments requires a well-architected network with support for modern cloud concepts such as availability zones that provide fault tolerance. Similarly, effective network-level fault isolation requires the ability to create self-contained fault domains that facilitate network resiliency, disaster recovery and avoidance, and end-to-end root cause analysis throughout the Continue reading
The network has never been more vulnerable. Covid-19 has flung users out from the data center to home offices—where they are accessing critical systems, applications, and other users from unsecured devices and WiFi connections. As a result, it’s all hands on deck for IT, with network engineers deputized as IT support staff in a mad rush to give remote users fast and reliable, yet secure, access to the tools and information they need.
But what of the regular duties of these engineers? They are being pushed back in favor of new priorities—stretching network engineering resources, already spread thin, to the breaking point.
Enter network automation. VMware NSX-T allows organizations to automate and simplify operations in the age of Covid. Tasks that were once performed manually through the UI or CLI can now be automated with the NSX API—creating the foundation for dynamic, flexible and responsive network architectures that can support a world where users, devices, applications and data connect across private, public and hybrid cloud environments.
Networking professionals who want to learn more about how to automate operations should check out the following on-demand sessions from VMworld:
Applications are going through a major transformation – they are becoming more dynamic, complex, and distributed. They are often built on cloud-native principles and run on-premises and in the cloud. As we speak with our customers and industry analysts, we consistently hear about the need to rethink how the network supports this transformation and why it is so important for the business.
VMware is hosting a global online event – The Modern Network for a Future Ready Business. VMware executives will join industry analysts, customers, and partners to create an event that will be memorable and worthwhile, whether you are a business leader, an architect, a developer, or part of enterprise IT.
In this virtual event, we will take a look at the traditional networking model, carefully identify its shortcomings when it comes to servicing the application and the end user and make the case for a new framework – the Modern Network. Traditional networking takes a bottom up approach – focusing on connecting boxes in the campus, branch and data center with little attention paid to the apps running on top of the infrastructure. In contrast, the Modern Network keeps the end user application experience front Continue reading
It has been over three months since our last report on COVID-19-themed attacks. During this period, the tragedy of the COVID-19 pandemic has continued to dominate our daily lives. On the digital virus side, since that report [1] we have been closely tracking the cyberthreat landscape that leverages COVID-19 themes. In the last report, we discovered that the majority of the attacks involved infostealers. In observations from the past two months, similar infostealers to those reported in [1] again played a key role. In the meanwhile, we also detected other threats that we hadn’t seen earlier, such as the Emotet campaign and remote access Trojan (RAT) attacks.
In this blog post, we first present our most recent telemetry data, as reported by some VMware customers, in order to highlight the diversity and magnitude of the attacks. Next, we investigate the Emotet campaign, as it is the most dominant wave seen in this period. More specifically, we analyze one of the samples from the campaign to reveal the tactics, techniques, and procedures (TTPs) used in the attack, and discuss how the Emotet payload variant is different from the one we reported recently [2].
Cybersecurity consumes an ever-increasing amount of our time and budgets, yet gaps remain and are inevitably exploited by bad actors. One of the biggest gaps is unpatched vulnerabilities: a recent survey found that 60% of cyberattacks in 2019 were associated with vulnerabilities for which patches were available [i].
Most companies have a patch schedule that is barely able to keep up with applying the most important patches to the most critical vulnerabilities. Yet new ones crop up all the time: approximately 15,000 new vulnerabilities are discovered every year, which translates to one every 30 minutes [ii]. They impact all types of workloads, from multiple vendors, as well as open source projects.
It’s a constant race to try to find and fix the most dangerous vulnerabilities before the bad actors can exploit them. But ignoring them is not an option.
Why not just patch everything or fix flaws in the code? Because it’s operationally challenging – and almost impossible.
First, patching is an expensive and largely manual process. Second, applications may rely Continue reading
The security community has enjoyed a few months of silence from Emotet, an advanced and evasive malware threat, since February of this year. But the silence was broken in July as the VMware Threat Analysis Unit (TAU) observed a major new Emotet campaign and, since then, fresh attacks have continued to surface. What caught the attention of VMware TAU is that the security community still lacks the capacity to effectively detect and prevent Emotet, even though it first appeared in 2014. As an example of this, Figure 1 shows the detection status on VirusTotal for one of the weaponized documents from a recent Emotet attack. Only about 25% of antivirus engines blocked the file, even though the key techniques — such as a base64-encoded PowerShell script used to download the Emotet payload from one of five URLs — are nothing new. (These results were checked five days after they were first submitted to VirusTotal.)
In this blog post, we’ll investigate the first stage of the recent Emotet attacks by analyzing one of the samples from the recent campaign to reveal the tactics, techniques, and procedures (TTPs) used. This will help Continue reading
A recent report from the Cybersecurity and Infrastructure Security Agency (CISA) has alerted the public about possible forthcoming ransomware attacks that target the health industry.
This report has raised concerns especially because of the current pandemic, which has strained the resources of hospitals and care centers. As a consequence, a ransomware attack, in addition to crippling a healthcare provider’s infrastructure, might actually put at risk the lives of patients.
The advisory describes in detail the tactics, techniques, and procedures (TTPs) followed by the malicious actors who, at the moment, seem to be associated with Russian crime groups.
The attack uses a number of malware components, such as TrickBot, BazarLoader, Ryuk, and Cobalt Strike, in order to compromise networks, create bridgeheads, and then move laterally so that, eventually, a ransomware attack can be successfully carried out.
In the rest of this report, we present the characteristics of the various components of the attacks. We look at both the actual malware components (i.e., the code that performs the malicious actions), as well as the network evidence associated with their actions. Even though a number of these components (as well as similar ones) have been covered previously Continue reading
Continuing our commitment to helping organizations around the world deliver a public cloud experience in the data center through VMware’s Virtual Cloud Network, we’re excited to announce the general availability of VMware NSX-T™ 3.1. This latest release of our full-stack Layer 2-7 networking and security platform delivers capabilities that allow you to build modern networks at cloud scale while simplifying operations and strengthening security for east-west traffic inside the data center.
As we continue to adapt to new realities, organizations need to build modern networks that can deliver any application, to any user, anywhere at any time, over any infrastructure — all while ensuring performance and connectivity objectives are met. And they need to do this at public cloud scale. NSX-T 3.1 gives organizations a way to simplify modern networks and replace legacy appliances that congest data center traffic. The Virtual Cloud Network powered by NSX-T enables you to achieve a stronger security posture and run virtual and containerized workloads anywhere.
The evolution of the Excel 4.0 (XL4) macro malware proceeds apace, with new variations and techniques regularly introduced. To understand the threat landscape, the VMware NSBU Threat Analysis Unit extended its previous research on XL4 macro malware (see the previous blog) to analyze new trends and techniques.
The new samples use some novel techniques to evade analysis engines, and they carry out their attacks more reliably. These variants were observed in June and July. Figure 1 depicts the Excel 4.0 macro malware wave.
Broadly, the samples can be categorized into three clusters. Based on the variation of the samples in these three clusters, the weaponized documents can be grouped into multiple variants.
The samples in this cluster appeared in the month of June. They use FORMULA.FILL for obfuscation and to move the payload around the sheet. The formula uses relative references to access values stored in the sheet. There are variations in this category; Continue reading
It’s no secret that traditional firewalls are ill-suited to securing east-west traffic. They’re static, inflexible, and require hair-pinning traffic around the data center. Traditional firewalls have no understanding of application context, resulting in rigid, static policies, and they don’t scale—so they’re unable to handle the massive workloads that make up modern data center traffic. As a result, many enterprises are forced to selectively secure workloads in the data center, creating gaps and blind spots in an organization’s security posture.
A software-based approach to securing east-west traffic changes the dynamic. Instead of hair-pinning traffic, VMware NSX Service-defined Firewall (SDFW) applies security policies to all workloads inside the data center, regardless of the underlying infrastructure. This provides deep context into every single workload.
Anyone interested in learning how the Service-defined Firewall can help them implement micro-segmentation and network segmentation, replace legacy physical hardware, or meet growing compliance needs and stop the lateral spread of threats, should check out the following sessions:
Compliance is more than a necessary evil. Sure, it’s complex, expensive, and largely driven by manual processes, but it’s also a business enabler. Without the ability to prove compliance, you wouldn’t be able to sell your products in certain markets or industries. But meeting compliance requirements can’t be cost-prohibitive: if the barriers are too high, it may not make business sense to target certain markets.
The goal, of course, is to meet and prove compliance requirements in the data center in a simple, cost-effective way. With the intent to provide safety and maintain the privacy of customers, new government and industry regulations are becoming more robust, and many require organizations to implement East-West security through micro-segmentation or network segmentation inside the data center. Of course, this is easier said than done. Bandwidth and latency issues caused by hair-pinning traffic between physical appliances inhibit network segmentation and micro-segmentation at scale.
VMware NSX applies a software-based approach to firewalling that delivers the simplicity and scalability necessary to secure East-West traffic. It does this with no blind spots or gaps in coverage— Continue reading
The other guys will have you believe that more is better. You have a problem, just buy a solution and patch the hole. Security operations too siloed? Just cobble together some integrations and hope that everything works together.
VMware thinks differently. We believe that “integrated” is just another word for “complexity.” And clearly, complexity is the enemy of security.
Integrated security is bolted-on security. An example would be taking a hardware firewall and making it a blade in a data center switch. That’s what the other guys do. It makes it more convenient to deploy, but it doesn’t actually improve security.
Security always performs better—and is easier to operate—when it’s designed-in as opposed to bolted-on. At VMware, we call this intrinsic security. When we think about security, being able to build it in means you can leverage the intrinsic attributes of the infrastructure. We are not trying to take existing security solutions and integrate them. We are re-imagining how security could work.
Enterprises that want to learn how we’ve built security directly into Continue reading
Micro-segmentation is a critical component of Zero Trust. But, historically, micro-segmentation has been fraught with operational challenges and limited by platform capabilities.
VMware NSX enables a new framework and firewall policy model that allows applications to define access down to the workload level. NSX does this by understanding application topologies and applying appropriate policy per workload. Creating zones in the data center where you can separate traffic by application simultaneously helps stop the spread of lateral threats, create separate development, test, and production environments, and meet certain compliance requirements.
VMworld attendees who want to learn more about how to set up micro-segmentation in their data centers should consider the following sessions:
Micro-segmentation is something that is certainly easier said than done. Although micro-segmentation allows applications to define access down to the component level, the operation of such an environment can be daunting without structure and guidance. In this session, you’ll learn how to develop a Continue reading
As you migrate and expand your deployments on VMware Cloud on AWS, your network connectivity provides the foundational infrastructure for all workloads in your SDDCs. When you then scale across multiple SDDCs — which also need to network with several data centers and tens or even hundreds of VPCs — scaling network connectivity becomes a critical challenge.
In this context, we’re excited to announce a number of new networking and security capabilities on VMware Cloud on AWS.
Together, these new features enable seamless connectivity to your SDDCs from on-prem data centers and AWS VPCs while unlocking the capacity you need to efficiently drive your workloads in the cloud.
Let’s take a closer look at each one.
SDDC Groups enable customers to manage multiple SDDCs as a single logical entity. This simplifies operations while maintaining the flexibility that customers rely on. SDDCs in a Group can be interconnected with VMware Transit Connect, and Continue reading