Data Center Threats: Turning Remote Access into Money
Data centers are an appealing target for cybercriminals. Even though they may be more difficult to compromise than the home computer of a kid playing Fortnite or the laptop of a sales representative connecting to a random wireless network, they can bring very large rewards: databases with millions of records containing financial and personal information, substantial computational resources that can be used to mine cryptocurrencies, and access to key assets that can be held for ransom.
In this blog post, we analyze the main pathways that cybercriminals leverage to gain access to data centers, how they take advantage of that access, and what security administrators can do to reduce and manage the associated risks.
Getting into the Data Center
The obvious first goal of an attacker is to gain access to the targeted data center. This can be achieved in several ways — including social engineering [1], physical access [2], and occasionally by deer [3]— but anecdotal evidence suggests that the two main avenues are remote exploitation (also known as remote-to-local attacks [4]), and stolen credentials [5].
Remote-to-local Attacks
In a remote-to-local attack, an attacker targets a remotely accessible service provided by one of the workloads running in the data Continue reading
VMware Wins 2021 Global InfoSec Award as Market Leader in Firewall
Today at RSA Conference 2021, we’re excited to announce that VMware is a winner of the CyberDefense Magazine 2021 Global InfoSec Award as Market Leader in Firewall. One of VMware’s core beliefs is that we need structural and architectural changes to how organizations approach security. This means taking a fresh look at how we approach issues such as internal data center security. This is exactly what led us to deliver the VMware NSX Service-defined Firewall.
The NSX Service-defined Firewall is one of the foundations of VMware Security. This solution is a unique distributed, scale-out internal firewall that protects all east-west traffic across all workloads without network changes. This radically simplifies the security deployment model. It includes a distributed firewall, advanced threat protection, and network traffic analytics. With the VMware NSX Service-defined Firewall, security teams can protect their organizations from cyberattacks that make it past the traditional network perimeter and attempt to move laterally. Its key differentiating capabilities include:
- Distributed, granular enforcement: The NSX Service-defined Firewall provides distributed and granular enforcement of security policies to deliver protection down to the workload level, eliminating the need for network changes.
- Scalability and throughput: Because it is distributed, the Service-defined Firewall is elastic, Continue reading
Threat Landscape Report – Threats Evading Perimeter Defenses
Today’s reality is that security breaches are a given. Sophisticated attackers are too numerous and too determined to get caught by perimeter defenses. A new VMware Threat Analysis Unit report bears this out. In North-by-South-West: See What Evaded Perimeter Defenses, the findings are clear: despite a cadre of perimeter defenses being deployed, malicious actors are actively operating in the network. The research presents a clear picture of how attackers evade perimeter detection, infect systems, and then attempt to spread laterally across the network to execute their objective.
Watch Chad Skipper, Global Security Technologist, provide an overview of the findings.
Key insights include:
- The best offense is to evade defense: Threat actors’ first order of business is to evade detection. Evasion of defense systems is the most encountered MITRE ATT&CK ® tactic used by malware, followed by execution and discovery.
- Email attacks lead the pack: Email continues to be used as the most common attack vector to gain initial access with more than four percent of all business emails analyzed contained a malicious component
- ZIP-ing through defenses: More than half of all malicious artifacts analyzed were delivered by a Zip archive. Attackers have massively scaled up operations Continue reading
Multi-Cloud Connectivity and Security Needs of Kubernetes Applications
Application initiatives are driving better business outcomes, an elevated customer experience, innovative digital services, and the anywhere workforce. Organizations surveyed by VMware report that 90% of app initiatives are focused on modernization(1). Using a container-based microservices architecture and Kubernetes, app modernization enables rapid feature releases, higher resiliency, and on-demand scalability. This approach can break apps into thousands of microservices deployed across a heterogeneous and often distributed environment. VMware research also shows 80% of surveyed customers today deploy applications in a distributed model across data center, cloud, and edge(2).
Enterprises are deploying their applications across multiple clusters in the data center and across multiple public or private clouds (as an extension of on-premises infrastructure) to support disaster avoidance, cost reduction, regulatory compliance, and more.
Fig 1: Drivers for Multi-Cloud Transformation
The Challenges in Transitioning to Modern Apps
While app teams can quickly develop and validate Kubernetes applications in dev environments, a very different set of security, connectivity, and operational considerations awaits networking and operations teams deploying applications to production environments. These teams face new challenges as they transition to production with existing applications — even more so when applications are distributed across multiple infrastructures, clusters, and clouds. Continue reading
It Should Be Easy to Upgrade Your Load Balancer —And it Can Be
Applications have never been more important in business than they are today. And where there are applications, there’s a load balancer, working behind the scenes to ensure your applications can be used comfortably and safely at all times. When operating a load balancer, the most troublesome issue is upgrade work. Let’s examine the problems of traditional load balancer upgrades and take a look at VMware’s automated, streamlined solution: NSX Advanced Load Balancer.
Why do you need to upgrade your load balancer in the first place?
The main reasons to upgrade a load balancer are to patch vulnerabilities and bugs, to enable new features, and for EoSL support. A load balancer, located between users and applications, must above all be stable; we particularly want to avoid service disruptions due to defects in the load balancer software. For this reason, load balancer upgrades are inevitable. And for IT, the trick is to make them, as transparent and painless as possible..
For illustration, let’s take a look at a recent international case involving load balancers. To address software glitches, a project was running to upgrade hundreds of load balancers. The upgrade work was carried out little by little over several months, with operations personnel setting Continue reading
Achieving Application Resiliency via VMware Tanzu Service Mesh and AWS Route 53
Service Mesh is quickly becoming a fact of life for modern apps, and many companies are choosing this method for their distributed micro-services communications. While most examples of service mesh focus only on the east-west aspect of app services communications and security, Tanzu Service Mesh aims at including the entire application transaction which includes both east-west as well as north-south communications in the mesh.
In previous blogs and articles (here and here ), we dug into the core construct of the system, called Global Namespace (GNS). GNS is the instantiation of application connectivity patterns and services. In the case we are describing here, one of these services consists of “northbound” access to the application in a resilient configuration through integration with a Global Server Load Balancing (GSLB) solution. In the current version of the service, we support the following integrations:
- VMware NSX-ALB (aka avi networks) – VMware’s own complete software load balancing solution.
- AWS Route 53 – AWS DNS service providing GSLB services for resiliency. This is useful for customers who do not own NSX-ALB.
In this first blog, we’ll describe how the solution works with AWS Route 53 and how to configure it. In a later post, we’ll Continue reading
How to Implement Network Segmentation with Zero Changes to Your Network
Across industries, network segmentation is quickly becoming a critical capability for enterprises of all sizes. Why? First, network segmentation prevents the lateral spread of threats inside the network. Second, it separates dev, test, and production environments. And lastly, it meets increasingly complex compliance requirements while enabling a Zero Trust security strategy.
However, historically network segmentation has been fraught with operational challenges and limited by platform capabilities, leading to the perception that setting up and configuring segmentation policies requires massive changes to the physical network as well as a complex, bloated, and costly deployment of physical firewall appliances.
Not anymore. VMware takes a distributed, software-based approach to segmentation, eliminating the need to redesign your network in order to deploy security. Instead, segmentation policies are applied at the workload level through NSX Firewall, which is deployed on top of your existing VSphere 7 environments. This allows you to easily create zones in the data center where you can separate traffic by application or environment — providing the quickest and easiest way to achieve your data center segmentation Continue reading
How to Publish AVS Workloads on the Internet
Azure VMware Solution (AVS) is a VMware–validated private cloud solution, managed and maintained by Azure. It runs on dedicated, bare-metal Azure infrastructure. AVS allows customers to manage and secure applications across both VMware environments and Microsoft Azure resources with a consistent operating framework. It supports workload migration, VM deployment, and Azure service consumption.
As AVS private cloud runs on an isolated Azure environment, by default it is not accessible from Azure or the Internet. Users can use either ExpressRoute Global Reach (i.e., from on-prem) or a jump box (i.e., on an Azure VNet) to access AVS private cloud. This means AVS workload VMs are confined within AVS private cloud and not accessible from the Internet. If customers want to make AVS Private Cloud resources, such as web servers, accessible from the Internet, Public IP needs to be deployed. There are a couple of ways to do this: (1) Destination NAT or DNAT via Azure Virtual WAN/Azure Firewall; and (2) Azure Application Gateway. This article focuses on DNAT with Azure Virtual WAN/Azure Firewall.
Security Power Block Series: Secure Your Data Center with NSX Firewall
We get it. The world of network security is changing, and it’s hard to keep up. Between your regular duties, pressure to adapt to changing realities, and pandemic stress on both your work and home life, it’s a challenge to find the time to build new skills.
Understanding that your time is precious, we’ve created a series of succinct, 30-minute, security-focused webinars that take a deep dive into the topics, strategies, and techniques you need to know. The four sessions in our Security Power Block Series will explore the new security landscape, how our unique architecture is ideal for protecting East-West traffic from modern security threats, and real-world use cases you can use to operationalize your data center security at scale.
You can register for one, two, three, or all sessions at once and you’ll automatically receive invitations with session links that you can add directly to your calendar. Staying informed — and learning new skills — couldn’t be easier.
Network Segmentation Made Easy
April 14, 2021
10:00 a.m. PT
Zoning or segmenting data center networks into manageable chunks Continue reading
4 Data Center Security Issues That Will Make You Rethink Firewalling
Recall what was happening a decade ago? While 2011 doesn’t seem that long ago (you remember, the Royal Wedding, Kim Kardashian’s divorce, and of course Charlie Sheen’s infamous meltdown), a lot has changed in 10 years. Back then, most data centers were just starting to experiment with virtualization. Remember when it was considered safe for only a handful of non-essential workloads to go virtual? Well, today about half of the servers globally have become virtualized, and we’ve moved well beyond just virtualization. Nearly every enterprise data center has become a hybrid environment, with a mix of physical and virtual storage and compute resources. Containerization and the technologies supporting it are starting to take hold. And of course, cloud computing has become pervasive in all aspects of enterprise computing.
Now, the business benefits of today’s software-defined data center are many, especially in terms of resource efficiency and cost savings. But there’s no denying that complexity has also increased, because all the same resources are still needed—compute, storage, switching, routing—but now any number of these resources may be on-prem or in the Continue reading
Dridex Reloaded: Analysis of a New Dridex Campaign
Dridex is a banking Trojan. After almost a decade since it was first discovered, the threat is still active. According to a report published by Check Point [1], Dridex was one of the most prevalent malware in 2020. The recent Dridex campaign detected by VMware demonstrates that this ongoing threat constantly evolves with new tactics, techniques, and procedures (TTPs), which exhibit great differences with respect to the variants we’ve collected from campaigns since April 2020 (as discussed in the section Comparison with old Dridex samples).
In this blog post, we first examine the recent Dridex attack by looking into some of VMware’s NSX Advanced Threat Prevention telemetry, which showcases the magnitude of the campaign. We then present the analysis for the most distinctive aspects of the attack, from the techniques leveraged by the XLSM downloader to the main functionality of the DLL payloads. Finally, we provide a comparison to some other Dridex variants seen in the past, which leads to the conclusion that the Dridex variant from the January 2021 campaign is very different from previous variants.
The Dridex Campaign
The chart below shows Continue reading
Memory Forensics for Virtualized Hosts
Detecting In-Memory Malware Threats
Memory analysis plays a key role in identifying sophisticated malware in both user space and kernel space, as modern threats are often file-less, operating without creating a file system artifact.
The most effective approach to the detection of these sophisticated malware components is to install on the protected operating system an agent that continuously monitors the OS memory for signs of compromise. However, this approach has a number of drawbacks. First, the agent introduces a constant overhead in the monitored OS — caused by both the resources used by the agent process (e.g., CPU, memory) and the instrumentation used to capture relevant events (e.g., API hooking). Second, a malware sample can detect the presence of an agent and attempt to either disable the agent or evade detection. Third, depending on how it is deployed, the agent not have access to specific portions of the user-space and kernel-space memory, and, as a consequence, may miss important evidence of a compromise. Finally, deploying, maintaining, and updating agents on every endpoint can be challenging, especially in heterogeneous deployments where multiple versions of different operating systems and architectures coexist.
A complementary approach to the detection of Continue reading
Witness VMware Disrupt Enterprise Data Center Security at XFD5
The security industry needs to wake up. Today’s attackers are too numerous and too determined to get caught by simple perimeter defenses. It’s no longer a matter of if an attack will be successful, it’s a matter of when. Security pros need to recognize this reality, stop using archaic detect and respond approaches to secure the enterprise, and start focusing on blocking the spread of attacks once they make that initial breach.
Changing the industry won’t be easy. It will require a bold step — one that we believe we’ve taken at VMware with our distributed, software-defined approach to enterprise security. This approach gives us the ability to operationalize east-west security at scale, simplify the implementation of segmentation in just a few steps, and insert advanced threat prevention inside the data center.
We’ll showcase these latest security advances on Thursday, March 25, starting at at 2:00 pm PST. Broadcasting live around the world during Security Field Day 5, NSX security experts will run through simple, practical steps that security teams can take to meet Continue reading
VMware to Help Customers Make Modern Apps More Secure with Acquisition of Mesh7
By Tom Gillis, SVP/GM, Networking and Security Business Unit, VMware
EDITORIAL UPDATE: On March 31, 2021 VMware officially closed its acquisition of Mesh7. The blog post originally appeared on March 18, 2021 below and has been amended to reflect that announcement.
With the VMware Virtual Cloud Network, we are delivering a modern network that understands the needs of applications and programmatically delivers connectivity and security services to meet those requirements. The ultimate result is a better experience for both users and applications. We are furthering our efforts to make modern applications more secure with our acquisition of Mesh7, which closed today. The Mesh7 technology will enable VMware to bring visibility, discovery, and better security to APIs.
So why is this important?
Customers are driving app modernization to shed the legacy of monolithic applications, to free IT and developers from single, rigid environments, and to make every service, every team, and every business more agile. Modern applications require reliable connectivity, dynamic service discovery, and the ability to automate changes quickly without disruption as they extend across multi-cloud environments. Security teams and operators need better visibility into application behavior and overall security posture, and the developer experience needs to lead to Continue reading
Deconstructing Defray777 Ransomware
Contributors: Sebastiano Mariani • Stefano Ortolani • Baibhav Singh • Giovanni Vigna • Jason Zhang • Brian Baskin • George Allen • Scott Knight
Recently, reports surfaced describing ransomware attacks targeting VMware ESXi servers. While many of these attacks were initially based upon credential theft, the goal was to unleash one of a series of ransomware families, including Defray777 and Darkside, to encrypt the files associated with virtualized hosts.
These families of ransomware are related to examples that the VMware Threat Research teams had seen previously in the wild. Specifically, based upon their ransom notes and file extensions, they appeared to be variants of the RansomEXX ransomware family. In the second half of 2020 these variants of ransomware, including Defray777, have been witnessed targeting both Windows and Linux systems.
These attacks also leveraged several ancillary tools such as downloaders, RATs, and exploitation tools to obtain initial access to a system and spread within the target network.
In the following, we provide a technical description of the Defray777 ransomware and a brief discussion of the other components that have been observed in combination with this malware sample.
What is Defray777?
The version of Defray777 analyzed here is a Linux-based, command-line driven ransomware attack that employs Continue reading
Phishing Detection Using Perceptual Hashes
What are phishing attacks?
Phishing attacks have become more prominent and prevalent in recent years. In particular, our research into the cyber threat landscape over the last few months has shown a dramatic increase in the volume of phishing campaigns observed by our customers.
The most basic way to detect phishing is by using blacklists of phishing URLs. However, our research showed that, in many cases, the lifetime of phishing URLs is less than 24 hours, which renders the blacklist approach largely ineffective.
At VMware, we use multiple approaches to detect phishing attacks. The one we’ve found to be the most promising uses visual representation of the website to recognize phishing. In this blog post, we’ll discuss how this approach works in greater detail. If you need an overview of the more general idea behind phishing detection using image similarity, visit our previous blog post.
Not every hash function is a cryptographic hash function
As one part of VMware’s phishing detection, we store information about the visual representation of every analyzed URL: that is, we calculate perceptual hashes of the screenshots Continue reading
Attend Future:NET 2021 – A Premier Networking Event
What is Future:NET?
Sponsored by VMware, Future:NET 2021 is the premier thought leadership event on networking of the year. Scheduled for March 23 in AMER and March 24 in EMEA and APJ, the event will be simulcast live around the world—showcasing authentic, in-depth discussions led by the who’s-who of networking leaders. Come prepared to hear open, honest, and sometimes lively conversations about the future direction of networking.
How is Future:NET 2021 Different from Previous Years?
Future:NET has always been an invite-only, in-person event held during VMworld U.S. This year, we are taking it to the next level with a virtual format that will be broadcast live to a global audience on a new, interactive online platform. This will preserve the intimate, authentic feel of past events while allowing participants to share valuable insights with change agents around the world.
Why Attend Future:NET?
Future:NET is a different kind of industry event. While other networking conferences have been reduced to vendor showcases, Future:NET disallows product pitches in favor of open debates that foster in-depth conversation among professionals across the industry. This will not be a VMware showcase or a think tank. Future:NET is a vendor-agnostic industry event led by those who have forecasted, created, or disseminated change and who are lured by new technology and its ability to transform the world. Hear from luminaries such as Albert Greenberg from Azure, Bikash Koley from Google Cloud, Nick McKeown of Stanford University, Pere Monclus from VMware, and Vijoy Pandey from Continue reading
Introducing HCX 4.0: Migration Event Details and Estimation, In-Service Upgrades, and more
VMware HCX is indeed a swiss army knife — a mobility platform with several options to streamline and optimize workload migrations between on-premises and VMC-based environments. HCX delivers secure, seamless app mobility and infrastructure hybridity across vSphere 6.0 and later versions, both on-premises and in the cloud. Thousands of customers worldwide use HCX for faster, safer, and large-scale migrations, cost-savings, and efficient operations.
Today, we are excited to announce an important milestone in this journey — HCX 4.0, a major release that introduces new functionality and enhancements. This release focuses on providing enhanced visibility, reducing service downtime during upgrades, and simplifying the reconfiguration of NSX security policies post-migration.
Let’s take a look at some of the new capabilities in HCX 4.0:
New Release Versioning and Lifecycle Policies
Starting with the HCX 4.0.0 release, HCX is switching its naming convention from ‘R’ releases to Major.Minor.Maintenance semantic versioning to align with VMware convention. VMware HCX will now use X.Y.Z.P where:
- X is a major version.
- Y is a minor version.
- Z is a maintenance version.
- P is a patch version. This is a unique bit that uses the build number.
Please also note that the VMware N-2 Lifecycle Policy will be applicable with the new convention, providing extended support and additional flexibility to customers.
Each Major or Minor release will have a minimum support duration of 12 months (*).
Refer Continue reading
Death of Emotet
Cybercrime campaigns can last days or months, but the malicious actors behind them can be active for years.
As it’s often difficult to have first-hand information about the evolution of specific gangs (e.g., changes in membership and leadership, or motivations behind actions), the threat intelligence community generally resorts to tracking the most observable aspects of these criminal enterprises: the malware that is delivered to the victims and the infrastructure that is used to control compromised systems and collect sensitive information.
Malware campaigns are almost always trans-national in terms of both targets and infrastructure, covering multiple countries and sometimes spanning multiple continents. Therefore, it’s difficult to carry out coordinated law enforcement efforts (especially given that many law enforcement agencies are already stretched thin), and the defenses against these threats are primarily localized to specific countries or organizations.
However, sometimes the cyber threats are so egregious that they trigger the attention of a large group of people, resulting in major takedown operations such as 2011’s “Operation Ghost Click” or the Microsoft-led takedown of the TrickBot infrastructure in October 2020.
It was one of these efforts, and a historical one in this case, that brought down Emotet at the end of January 2021 — a feat that many considered impossible.
“Operation Ladybird” saw the law enforcement agencies of multiple countries (including the US, the UK, Canada, Germany, France, the Netherlands, Ukraine, and Lithuania) cooperate to eradicate the Emotet infrastructure (see Figure 1).
Emotet, introduced in 2014 as a banking Trojan, has been Continue reading