In a recent ad on a closed Telegram channel, a known threat actor has announced it’s recruiting AI and ML experts for the development of... Read ›
WANTED: Brilliant AI Experts Needed for Cyber Criminal Ring In a recent ad on a closed Telegram channel, a known threat actor has announced it’s recruiting AI and ML experts for the development of it’s own LLM product.
Threat actors and cybercriminals have always been early adapters of new technology: from cryptocurrencies to anonymization tools to using the Internet itself. While cybercriminals were initially very excited about the prospect of using LLMs (Large Language Models) to support and enhance their operations, reality set in very quickly – these systems have a lot of problems and are not a “know it all, solve it all” solution. This was covered in one of our previous blogs, where we reported a discussion about this topic in a Russian underground forum, where the conclusion was that LLMs are years away from being practically used for attacks.
The media has been reporting in recent months on different ChatGPT-like tools that threat actors have developed and are being used by attackers, but once again, the reality was quite different. One such example is the wide reporting about WormGPT, a tool that was described as malicious AI tool that can be used for anything from disinformation to actual attacks. Buyers of this tool were not impressed with it, seeing it was just a ChatGPT bot with the same restrictions and hallucinations they were familiar with. Feedback about this tool soon followed:
[boxlink link="https://www.catonetworks.com/resources/cato-networks-sase-threat-research-report/"] Cato Networks SASE Threat Research Report H2/2022 | Download the Report [/boxlink]
With an urge to utilize AI, a known Russian threat actor has now advertised a recruitment message in a closed Telegram channel, looking for a developer to develop their own AI tool, dubbed xGPT. Why is this significant? First, this is a known threat actor that has already sold credentials and access to US government entities, banks, mobile networks, and other victims. Second, it looks like they are not trying to just connect to an existing LLM but rather develop a solution of their own. In this ad, the threat actor explicitly details they are looking to,” push the boundaries of what’s possible in our field” and are looking for individuals who ”have a strong background in machine learning, artificial intelligence, or related fields.”
Developing, training, and deploying an LLM is not a small task. How can threat actors hope to perform this task, when enterprises need years to develop and deploy these products? The answer may lie in the recently announced GPTs, the customized ChatGPT agent product announced by OpenAI. Threat actors may create ChatGPT instances (and offer them for sale), that differ from ChatGPT in multiple ways. These differences may include a customized rule set that ignores the restrictions imposed by OpenAI on creating malicious content. Another difference may be a customized knowledge base that may include the data needed to develop malicious tools, evade detection, and more. In a recent blog, Cato Networks threat intelligence researcher Vitaly Simonovich explored the introduction and the possible ways of hacking GPTs.
It remains to be seen how this new product will be developed and sold, as well as how well it performs when compared to the disappointing (to the cybercriminals end) introduction of WormGPT and the like. However, we should keep in mind this threat actor is not one to be dismissed and overlooked.
Six months ago, the question, “Which is your preferred AI?” would have sounded ridiculous. Today, a day doesn’t go by without hearing about “ChatGPT” or... Read ›
Bard or ChatGPT: Cybercriminals Give Their Perspectives Six months ago, the question, “Which is your preferred AI?” would have sounded ridiculous. Today, a day doesn’t go by without hearing about “ChatGPT” or “Bard.” LLMs (Large Language Models) have been the main topic of discussions ever since the introduction of ChatGPT. So, which is the best LLM?
The answer may be found in a surprising source – the dark web. Threat actors have been debating and arguing as to which LLM best fits their specific needs.
Hallucinations: Are They Only Found on ChatGPT?
In our ChatGPT Masterclass we discussed the good, the bad, and the ugly of ChatGPT, looking into how both threat actors and security researchers can use it, but also at what are some of the issues that arise while using ChatGPT.
[boxlink link="https://catonetworks.easywebinar.live/registration-offensive-and-defensive-chatgpt"] Offensive and Defensive AI: Let’s chat(GPT) About It | Watch the Webinar [/boxlink]
Users of LLMs have quickly found out about “AI hallucinations” where the model will come up with wrong or made-up answers, sometimes for relatively simple questions. While the model answers very quickly and appears very confident in its answer, a simple search (or knowledge of the topic) will prove the model wrong.
What was initially perceived as the ultimate problem-solving wizard now faces skepticism in some of its applications, and threat actors have been talking about it as well. In a recent discussion in a Russian underground forum, a participant asked about the community’s preference when it comes to choosing between ChatGPT and Bard.
Good day, Gentlemen. I've become interested in hearing about Bard from someone who has done relatively deep testing on both of the most popular AI chatbot solutions - ChatGPT and Bard. Regarding ChatGPT, I have encountered its "blunders" and shortcomings myself more than once, but it would be very interesting to hear how Bard behaves in the sphere of coding, conversational training, text generation, whether it makes up answers, whether it really has an up-to-date database and other bonuses or negatives noticed during product testing.
The first reply claimed that Bard is better but has similar issues to ChatGPT:
Bard truly codes better than ChatGPT, even more complex things. However, it doesn't understand Russian. Bard also occasionally makes things up. Or it refuses to answer, saying, "I can't do this, after all, I'm a chatbot," but then when you restart it, it works fine. The bot is still partly raw.
The next participant in this discussion (let’s call him ‘W’), however, had a lot to say about the current capabilities of LLMs and their practical use.
All these artificial intelligences are still raw. I think in about 5 years it will be perfect to use them. As a de-facto standard. Bard also sometimes generates made-up nonsense and loses the essence of the conversation. I haven't observed such behavior with ChatGPT. But if I had to choose between Bard and GPT, I'd choose Bard. First of all, you can ask it questions non-stop, while ChatGPT has limits. Although maybe there are versions somewhere without limits. I don't know. I've interacted with ChatGPT version 3. I haven't tried version 4 yet. And the company seems to have canceled the fifth version. The advantages of Bard are that it gives, so to speak, what ChatGPT refuses to give, citing the law. I want to test the Chinese counterpart but I haven’t had the opportunity yet.
The member who provided the first reply in this conversation chimed in to make fun of some of the current views on ChatGPT:
The topic of coding on neural networks and the specifics of neural networks (as the theory and practice of AI and their creation and training) is extremely relevant now. You read some analysts and sometimes you're amazed at the nonsense they write about it all. I remember one wrote about how ChatGPT will replace Google and, supposedly, the neural network knows everything and it can be used as a Wikipedia. These theses are easily debunked by simply asking the bot a question, like who is this expert, and then the neural network either invents nonsense or refuses to answer this question citing ethics, and that's very funny.
This comment brought back ‘W’ to the discussion.
Partially true. In fact, Google itself plans to get rid of links in search results. There will be a page with a bot. This is a new type of information search, but they will not completely get rid of links, there will be a page where there will only be 10 links. I don't know if this is good or bad. Probably bad, if there will only be 10 of them in that search result. That is, there won't be the usual deep search.
For example, it's no longer interesting to use Google in its pure form. Bing has a cool search - a must-have. But sometimes I forget about it and use good old Google. Probably I would use Bing if it wasn't tied to an account, Windows, and the Edge browser. After all, I'm not always on Windows, it would be hell to adapt this to Linux.
+++ I have already encountered the fact that the neural network itself starts to make up nonsense.
Another member summarized it as he sees thing, in English:
Bard to search the web. ChatGPT to generate content. Both are very limited to write code from scratch. But, as wXXXX said, we must to wait some years to use it in our daily life.
In our next masterclass session Diana Kelley and I will dive into the different aspects of AI, how and why these “AI hallucinations” happen, what buyers of this technology need to ask vendors who claim to use LLMs as well the concerns raised in this discussion by cybercriminals.
Supply chain attacks are one of the top concerns for any organization as they exploit (no pun intended) the inherited trust between organizations. Recent examples... Read ›
The 3CX Supply Chain Attack – Exploiting an Ancient Vulnerability Supply chain attacks are one of the top concerns for any organization as they exploit (no pun intended) the inherited trust between organizations. Recent examples of similar attacks include SolarWinds and Kaseya. On March 29th, a new supply chain attack was identified targeting 3CX, a VoIP IPXS developer, with North Korean nation-state actors as the likely perpetrators.
What makes the 3CX attack so devastating is the exploitation of a 10-year-old Microsoft vulnerability (CVE-2013-3900) that makes executables appear to be legitimately signed by Microsoft while, in fact, they are being used to distribute malware. This is not the first time this vulnerability has been exploited; earlier this year, the same tactic was used in the Zloader infection campaign. In the 3CX case, the two “signed” malicious DLLs were used to connect to a C&C (Command and Control) server and ultimately connect to a GitHub repository and download an information stealing malware that targets sensitive data users type into their browser.
[boxlink link="https://www.catonetworks.com/resources/cato-networks-sase-threat-research-report/"] Cato Networks SASE Threat Research Report H2/2022 | Download the Report [/boxlink]
The Cato Networks security group responded to this threat immediately. Customers whose systems were communicating with the second-stage payload server were contacted and informed of which devices were compromised. All domains and IPs associated with the campaign were blocked to limit any exposure to this threat.
Cato’s approach to such threats is one of multiple choke points, ensuring the threat is detected, mitigated, and prevented along its entire attack path. This can only be done by leveraging the private cloud backbone in which each PoP has the entire security stack sharing and contextualizing data for each network flow. Cato’s mitigation of the 3CX threat includes:
Malicious domains are tagged as such and are blocked. The firewall rule for blocking malicious domains is enabled by default.
IPS (Intrusion Prevention System) – Payload servers were added to the domain blocklist, this is complimentary to the firewall rules and is not dependent on them being enabled.
Anti-malware – All 3CX associated trojans are blocked
MDR (Managed Detection and Response) – the MDR team continues to monitor customer systems for any suspicious activities.
Cato Networks security group will continue to monitor this threat as it develops. For a detailed technical analysis of the attack see Cyble’s blog.
We recently issued the Cato Networks SASE Threat Research Report, which highlights cyber threats and trends based on more than 1.3 trillion flows that passed... Read ›
Cato Analyzes the Dominant Sources of Threats in 2H2022 Research Report We recently issued the Cato Networks SASE Threat Research Report, which highlights cyber threats and trends based on more than 1.3 trillion flows that passed through the Cato SASE Cloud network during the second half of 2022. The report highlights the most popular vulnerabilities that threat actors attempted to exploit, and the growing use of consumer applications that may present a risk to the enterprise.
Cato Scans a Vast Trove of Data to Hunt for Threats
One of the first observations in the report was the sheer scale of our data repository. Cato’s convergence of networking and security provides unique visibility on a global scale into both legitimate enterprise network usage and the malicious activity aimed at enterprise networks. This includes hostile network scans, exploitation attempts, and malware communication to C&C servers.
Like many security vendors, we collect information from threat intelligence feeds and other security resources. But as a networking provider, we’re also able enrich our understanding of security events with network flow data often unavailable to security professionals. During 2022, Cato’s data repository was fed by more than 2.1 trillion network flows traversing or our global private backbone or about a 20% growth in flows each quarter.
Security events, threats, and incidents also grew in proportion to the number of network flows. In the second half of 2022, the Cato Threat Hunting System (CTHS) detected 87 billion security events across the entire Cato Cloud. A security event is any network flow that triggers one of Cato’s many security controls.
[boxlink link="https://www.catonetworks.com/resources/eliminate-threat-intelligence-false-positives-with-sase/"] Eliminate Threat Intelligence False Positives with SASE | Download the eBook [/boxlink]
CTHS is a natural extension of Cato Cloud security services. It is comprised of a set of algorithms and procedures developed by Cato Research Labs that dramatically reduces the time to detect threats across enterprise networks. CTHS is not only incredibly accurate but also requires no additional infrastructure on a customer’s network.
CTHS concluded there were 600,000 threats, or high-risk flows, based on machine learning and data correlation. Of these, 71,000 were actual incidents, or verified security threats.
Cato Identifies the Top Threats and Exploit Attempts on the Network
Over the years, Cato has been tracking the top threats on the network and the trends haven’t changed much. The top five threat types in the current research report are (1) Network Scan, at 31.2 billion events, (2) Reputation, at 4.7 billion events, (3) Policy Violation, at 1.3 billion events, (4) Web Application Attack, at 623 million events, and (5) Vulnerability Scan, with 482 million events.
Other types of threats worth noting include Remote Code Execution (92 million), Crypto Mining (56 million), and Malware (55 million). Remote Code Execution events and Malware events both increased over the previous reporting period, but Crypto Mining events decreased. This latter fact may be due to the recent decline in the cryptocurrency business itself following the collapse of the FTX exchange.
The most-used cloud apps in the reporting period were from Microsoft, Google, Apple, Amazon (AWS), and Meta (Facebook). Many consumer-oriented applications were also in use, including YouTube, TikTok, Spotify, Tor, Mega, and BitTorrent. The latter three apps are known to be used frequently for malicious activities and pose a potential risk to enterprise networks.
The Log4j vulnerability (CVE-2022-44228) is a relatively recent discovery that is estimated to have affected nearly a third of all web servers in the world. Thus, it’s no surprise that it continues to dominate exploitation attempts with 65 million events across the Cato Cloud network. What is surprising is that two older vulnerabilities continue to make the top five list for exploit attempts. One is CVE-2017-9841, a remote code execution bug from 2017, and the other is CVE-2009-2445, a 14-year old vulnerability affecting certain popular web servers.
Cato also tracks network flows associated with MITRE ATT&CK techniques. Network based scanning and remote system discovery lead the list with 22.6 billion flows and 17 billion flows, respectively. The top five most-used techniques targeting enterprises are Phishing, Phishing for Information, Scanning, Remote System Discovery, and Exploit Public-facing Application. Knowing which attack techniques are most often seen on the network can help organizations tighten their defenses where it is most needed.
For more detailed information, read the Cato Networks SASE Threat Research Report for the second half of 2022.
Industry 4.0 is revolutionizing the manufacturing industry as we are witnessing numerous innovative technologies such as AI, IoT, and Robotic Process Automation (RPA) helping manufacturers... Read ›
SASE in Manufacturing: Overcoming Security and Connectivity Challenges Industry 4.0 is revolutionizing the manufacturing industry as we are witnessing numerous innovative technologies such as AI, IoT, and Robotic Process Automation (RPA) helping manufacturers enhance their supply chain, logistics and production lines. While we see these operations evolving into smart factories, the industry still faces challenges that could adversely impact its ability to realize the full potential of Industry 4.0.
Manufacturing Digital Transformation Challenges
Digital Transformation introduces a number of challenges to the manufacturing industry. These include:
Cybersecurity vulnerabilities - The manufacturing industry is especially vulnerable to cyberattacks. Legacy manufacturing systems were not designed to defend against modern-day cyber attacks. Their legacy architecture makes it difficult to remain current on software patches and fixes, and this exposes them to increased risk of security breaches. Additionally, lacking proper visibility and control of all traffic flows makes it virtually impossible to have a rapid response and remediation of threats to the environment.
Lack of flexible, scalable and reliable architectures - Manufacturers require a flexible, scalable and reliable architecture that can easily and cost-effectively scale as the business grows. This is something that MPLS does not provide because it cannot support the cloud evolution that the manufacturing industry is experiencing. Additionally, global expansion is a major challenge due to the cost and complexity of turning up new sites, especially in locations where MPLS is not easy for carriers to offer and support. And while some may deploy SD-WAN to overcome this, it is not suitable for global use cases, something the industry demands.
Cloud Performance - MPLS makes connecting directly to 3rd party SaaS applications impossible for 2 key reasons: MPLS is a point-to-point technology, whereas SaaS traffic flows between cloud providers, so it is not feasible for cloud use; and, SaaS apps like Microsoft 365, FactoryTalk, SAP and others, require high-performance internet access, and this is something MPLS does not provide.
Complicated tool management - Maintaining and monitoring multiple MPLS connections, telecom vendors, and legacy tools is extremely complicated, frustrating and prone to errors. This becomes even more challenging when integrating technology from acquisitions.
Global disconnect - Most manufacturers have global operations, with their HQ, production, engineering, suppliers and sales dispersed across the globe. All these users need secure, high-performance local, remote and global access to enable the business to run, which is hard to deliver over MPLS.
[boxlink link="https://www.catonetworks.com/resources/firsthand-perspectives-from-5-manufacturing-it-leaders-about-their-sase-experience/"] Firsthand Perspectives from 5 Manufacturing IT Leaders about their SASE Experience | Download the eBook [/boxlink]
The Solution to Manufacturing Challenges: SASE
SASE (Secure Access Service Edge) is an innovative approach to networking and security that converges these technologies into a single, global, cloud-native service that enables enhanced security, consistent policy enforcement, and faster threat response times. With SASE, manufacturers can overcome the above mentioned challenges that plagues many factories during their digital transformation journey.
To support this journey, manufacturers need a new solution: SASE. With SASE, enterprise networking and security technologies are converged into a single cloud-native software stack and delivered over a global backbone where all capabilities operate in unison. SASE allows manufacturers to reduce the risk of cybersecurity breaches while delivering reliable, low latency, global access to applications and systems. The following capabilities are crucial for SASE to deliver on its promise:
A Single Network Architecture
SASE, having its own global backbone, enables authorized users, locations, clouds and applications to reliably and consistently connect at anytime and from anywhere in the world.
High Performance
The SASE cloud enables IT teams to instantly scale, optimize and enhance the network according to business requirements, and this ensures reliable and predictable performance for applications and a rich experience for all users.
Cloud Data Architecture
SASE optimizes traffic and routes it along the best path to its destinateion based on WAN optimization and dynamic routing policies. This ensures low latency cloud access for all users.
Baked-in Security
SASE strengthens the security posture by providing all required security capabilities including Zero Trust Network Access (ZTNA), firewall-as-a-service (FWaaS), cloud-access security broker (CASB), DLP and secure web gateway (SWG).
Holistic Protection
ZTNA in SASE ensures only authenticated and authorized users and devices gain access to critical enterprise business applications. To further extend security protection and coverage, Managed Detection and Response (MDR) is also available.
Consistent Access for Mobile Users and Suppliers
All authorized users receive consistent access, performance, and security no matter where they are.
What’s Next for Manufacturers?
SASE allows manufacturers to focus their time and resources on key business initiatives such as global expansion and enhancing factory operations instead of worrying about IT and security. This allows them to do what they do best, while maintaining peace of mind that their network and security needs are covered.
To learn more about SASE and manufacturing, listen to the podcast episode “How to implement SASE in manufacturing: A discussion with PlayPower”.
A new vulnerability underscores the need for virtual patching. The vulnerability, found in FortiOS, would allow a Remote Code Execution (RCE) attack on multiple firewall... Read ›
New Critical Vulnerability Underscores the Need for Virtual Patching A new vulnerability underscores the need for virtual patching. The vulnerability, found in FortiOS, would allow a Remote Code Execution (RCE) attack on multiple firewall products as well as FortiGate SSL VPN. The vulnerability has reportedly already been exploited by threat actors. Fortinet has issued a patch for this vulnerability.
The vulnerability, which was initially reported on December 9th, received a score of 9.3 (Critical) and Fortinet has confirmed at least one instance of it being exploited.
Any vulnerability in a system is a potential entry point for a threat actor and must be immediately patched, especially critical vulnerabilities like this one. Threat actors have been known to quickly utilize such vulnerabilities and exploit unpatched systems, while in many cases systems remain unpatched for a very long time giving even the slower-paced adversaries opportunities to exploit them. Vulnerabilities such as Log4j, which coincidently is “celebrating” its one-year birthday, are still being used by different adversaries to target unpatched systems to gain access into networks. Why? Because patching is so hard.
[boxlink link="https://www.catonetworks.com/rapid-cve-mitigation/?utm_medium=blog_top_cta&utm_campaign=rapid_cve_mitigation"] Rapid CVE Mitigation | Cato Security Research [/boxlink]
The Need for Virtual Patching
Having to identify, connect (or physically go to), patch, and test multiple boxes in multiple locations every time a new vulnerability is discovered is no small feat. Organizations need to perform this process very quickly whenever a new vulnerability is discovered as threat actors move quickly on such opportunities.
In addition, adversaries do not shy away from utilizing old vulnerabilities that still work. Log4j is one example but not the only. CISA addressed this in their “Top Routinely Exploited Vulnerabilities” alert, writing, “CISA, ACSC, the NCSC, and FBI assess that public and private organizations worldwide remain vulnerable to compromise from the exploitation of these CVEs. Malicious cyber actors will most likely continue to use older known vulnerabilities, such as CVE-2017-11882 affecting Microsoft Office, as long as they remain effective and systems remain unpatched. Adversaries’ use of known vulnerabilities complicates attribution, reduces costs, and minimizes risk because they are not investing in developing a zero-day exploit for their exclusive use, which they risk losing if it becomes known.“
The solution to this problem is a cloud-based security architecture that allows for virtual patching. Virtual patching is defined by OWASP as “A security policy enforcement layer which prevents the exploitation of a known vulnerability. The virtual patch works since the security enforcement layer analyzes transactions and intercepts attacks in transit, so malicious traffic never reaches the web application. The resulting impact of a virtual patch is that, while the actual source code of the application itself has not been modified, the exploitation attempt does not succeed.”
Only a cloud-based security solution eliminates the need to patch box-by-box and effectively enables a “mitigate-once-protect-everywhere" patching strategy.
Log4j is a Java-based, ubiquitous logging tool that is said to be used by nearly 13 billion devices world-wide. Late last year, in December 2021,... Read ›
Spring4Shell Might Grab Headlines, But Log4j Exploits Swamped Enterprises, Finds Cato Threat Report Log4j is a Java-based, ubiquitous logging tool that is said to be used by nearly 13 billion devices world-wide. Late last year, in December 2021, the Apache Software Foundation announced the discovery of a software vulnerability (CVE-2021-44228 a.k.a. Log4Shell) that allows unauthenticated users to remotely execute or update software code on multiple applications via web requests. As soon as the vulnerability was announced, researchers at Cato Networks noted over 3 million attempts (in Q4 2021) aimed at exploiting this vulnerability.
Fast forward to Q1 2022 and the number of attempts to exploit this vulnerability have increased to a whopping 24 million. According to the Cato Networks SASE Threat Research Report, Log4j vulnerabilities were leveraged all across the world, including cyber-attacks on Ukrainian organizations.
Interestingly, number two on the list of the top five CVE exploit attempts was a Java vulnerability (CVE-2009-2445) that has been around for more than a decade. Threat actors made almost 900,000 attempts (double than previous quarter) to exploit this vulnerability for initial access. Above research highlights the fact that while certain zero-day vulnerabilities (like Spring4Shell or CVE-2022-22965) grabbed news headlines, it is the legacy vulnerabilities that put enterprises at the most risk.
[boxlink link="https://www.catonetworks.com/cybersecurity-masterclass/?utm_source=blog&utm_medium=top_cta&utm_campaign=masterclass"] Join one of our Cyber Security Masterclasses | Go now [/boxlink]
Majority of Exploitation Events Originated in the U.S.
Understanding where attacks originate from or who (or where) the malware communicates to is a critical part of any organization's threat response strategy. Attackers are aware of the fact that traffic to or from certain countries may be blocked, inspected or investigated and that’s the reason why a majority of them ensure that their command and control (C&C) infrastructure is hosted in a country that is labeled as “safe”. While the U.S. is the most favored destination (hosts 17.3 billion C&C servers), China comes second (with 2 billion C&C servers), followed by Germany (1.66 billion), UK (1.29 billion) and Japan (1 billion).
Reputation-based Threats, Brute Force and Remote Code Execution Attacks Skyrocket
After analyzing 26 billion security events across 350 billion network flows, Cato researchers noted a 33% decline in attackers attempting to perform network scans. That being said, network scans still reign as the number one threat type (10 billion plus attempts), followed by reputation-based threats (1.5 billion attempts) or security events that are triggered by inbound or outbound communications to known malicious destinations.
Reputation-based threats grew more than 100% over the previous quarter. In addition to this, the Cato Threat Hunting System also observed that crypto-mining numbers continue to climb, while brute force attacks and remote code execution attacks have nearly tripled in comparison to the previous quarter.
Attackers Are Frequently Scanning Network Hardware and Software For Initial Access
Cato carried out an analysis based on the MITRE ATT&CK framework and concluded that network-based scanning is the most frequently used attack vector to gain initial access in an enterprise environment. Active Scanning (T1595 - 6.9 billion flows), Network Discovery (T1046 - 4.1 billion flows) and Remote System Discovery (T1018 - 2.7 billion flows) are the top three techniques employed by attackers. That’s not all, once adversaries have initial access they actively search data from local systems (T1005 - 9.5 million incidents), look for valid accounts (T1078 - 6.9 million incidents) and try to brute force access if credentials are not accessible (T1110 - 6.9 million incidents).
Risks Are Also Originating from Popular Consumer Apps Like Telegram and TikTok
While many governments have raised privacy concerns around the use of TikTok and even attempted to censor its use, Cato research finds that most enterprises still continue to allow TikTok flows. In fact, use of this short form video-haring app grew by 10% over the previous quarter. In addition to this, use of the instant-messaging app Telegram more than tripled, probably due to the Ukraine-Russia crisis, and YouTube grew by 25%. Growth in such non-business, consumer apps operating on enterprise networks significantly widens the attack surface, exposing organizations and people to greater risk of being targeted with phishing and other social engineering schemes.
What Can Organizations Do To Protect Themselves?
While security isn’t one-size-fits-all, below are some general recommendations and best practices that can help:
Execute a detailed audit of every website, system and application on a regular basis. Prioritize critical risks and plug those loopholes proactively.Patch all applications regularly and ensure they are running the most up-to-date software.Replace security point solutions and legacy network services with a solution that is more converged (or holistic) like SASE. A convergence of networking and security provides unique visibility into network usage, hostile network scans, exploitation attempts and malware communication to C&C servers.When organizations encounter zero-day vulnerabilities like Log4j, they must immediately implement virtual patching so that security teams can neutralize the threat and buy additional time till they are able to apply necessary and permanent fixes.Train staff regularly so they do not fall prey to phishing and social engineering scams.Try and restrict use of consumer applications (e.g., TikTok, Telegram) in enterprise environments as this can significantly minimize risk and lower possibility of infectious lateral movement.Be vigilant, have reporting and monitoring processes in place and be on guard for any changes in the attack surface.
Follow the link to get the full Q122 Cato Networks SASE Threat Research Report.
Network data from hundreds of Cato customers suggests malware communication persists despite the use of legacy security controls, services, and detection methods Cato Research Labs... Read ›
Threat Intelligence Feeds and Endpoint Protection Systems Fail to Detect 24 Malicious Chrome Extensions Network data from hundreds of Cato customers suggests malware communication persists despite the use of legacy security controls, services, and detection methods
Cato Research Labs released new findings today identifying 24 malicious Chrome extensions and 40 malicious domains, all previously thought to be benign. Some extensions simply introduced adware, but others stole user credentials and may allow attackers to exfiltrate data or manipulate search results to lure users into downloading malware. None of the extensions or the domains had been reported as malicious by endpoint protection systems (EPPs) or threat intelligence (TI).
The fact these malicious extensions and domains went undetected underscores the limitations of legacy protection systems. Attackers can employ a wide range of techniques to avoid detection by EPPs and TI. As such, enterprises cannot assume updated defenses will protect them. Putting into place the security measures to detect the C&C server communications of a malicious Chrome extension, or any malware for that matter, will fill this gap.
Browsers: Today's Security Frontier
Everyone uses browsers, and it's this popularity that makes them particularly enticing targets for adversaries. Browser extensions provide fertile ground for attackers to access resources on client computers, often with the same permissions as the browser itself.
Many researchers consider malicious extensions as simply PuPs (Potentially unwanted Programs) or Adware, but malicious extensions can be far riskier than just showing ads. From manipulating search results to luring users to download malware to exfiltrating clipboard data or screenshots, malicious Chrome extensions pose a huge and growing risk for every enterprise. We saw this last fall with the Razy malware outbreak that also involved a Chrome extension.
How Malicious Chrome Extensions Make Their Way Into Your Browser
Google does a good job identifying and blocking malicious Chrome extensions. The process of uploading a new extension to Google's Chrome Web Store typically takes several weeks while the extension code and activity are reviewed automatically and manually by Google. Using the Chrome browser's standard security settings will block the installation of extensions from outside Google's Chrome Web Store. However, users can change this setting in the browser configuration.
Google also reviews abuse notifications from users and removes extensions identified as malicious from the Chrome Web Store. In those cases, the Chrome browser will mark the extension as malware; users are expected to remove the extension.
[caption id="attachment_14066" align="aligncenter" width="411"] Figure 1: The Great Suspender is flagged as an extension that contains malware.[/caption]
Endpoint Protection and Threat Intelligence Research Alone Do Not Detect Malicious Chrome Extensions
With those security controls in place and companies already investing heavily in endpoint protection, you might think that users would be safe from malicious extensions. However, our research shows this is not the case.
Overall, we discovered 85 malicious Chrome extensions on our customer networks. Some had never appeared in the Google Chrome Web Store, while others had been removed by Google. Nevertheless, they were still found operating on customer networks.
How can users continue to run malicious extensions despite the many security controls? During our research, we identified four approaches attackers use to introduce malicious extensions into user browsers:
Browser Configuration and Third-Party Sites: Some extensions enter browsers due to poor browser configuration and downloading CRX (Chrome extension installation file) from malicious sites, i.e., not Google's official web store. One malicious site we identified that distributes malicious CRXs is https://extore[.]space/inspire. Some of the extensions are real and benign, while others might be fake with malicious code.
Malicious Code Injection During Update: In other cases, Google might have approved the extensions, but attackers later injected malicious code in one of the extension's updates after the extension becomes popular.
Extension Rights Acquisition: Other ways are by adversaries purchasing a popular extension's rights from the developer and then injecting malicious code. Taking over the key (which generates the extension ID) and credentials from the developer might also be a way to get plugged into a popular extension.
Independent Code Downloads: We've also identified other Malwares/PUPs or malicious extensions that would download and install additional (other) malicious extensions.
Network-Based Discovery Is Critical for Spotting Malicious Extensions
Cato made these discoveries by analyzing five days of data from hundreds of Cato customers' networks. Rather than hunting for specific malware signatures, Cato uses a network-based approach that identifies the network traffic patterns indicative of all malware. As such, this methodology is not only useful for identifying these specific extensions but for continuously hunting for any malware communicating with a C&C server.
The research had two phases. First, we automatically correlated network traffic with extension behavior and then preliminarily classified extensions as malicious or benign. The result: 97 of 551 unique extensions from our data were identified as likely being malicious. The second phase was to manually inspect each extension, definitively classifying them as malicious or benign. The final result was 85 malicious extensions, representing an 87% success rate for our initial automated phase.
We achieved this remarkably successful approach by analyzing and correlating networking and security information across multiple dimensions, including looking for:
Traffic to Parked or Malicious Domains. Identifying traffic generated by extensions to parked domains or malicious domains typically yielded known malicious extensions. What's more, by checking the network behavior and other traffic data, such as the URL and other HTTP parameters, we were able to identify other malicious extensions that were using the same behavior and communicating with domains previously not classified as malicious.
[caption id="attachment_14072" align="aligncenter" width="660"] Figure 2: Parked domain used as a C&C server[/caption]
Identical Extensions Communicating with Different Domains: Attackers have identical extensions (as defined by their unique extension ID) communicating with many different domains. They'll target a particular area (creating PDFs was particularly popular), labeling each extension differently and having them communicate with a different domain, mimicking a benign extension's behavior. Using the same approach, we analyzed different extensions that communicate to the same domain. This behavior was suspicious, and after analyzing the specific extensions, they were identified as malicious.
Unencrypted Extension IDs: Having the extension ID in clear-text or encoded to base64 in the URL, headers or payload is also suspicious. It may be evidence of the adversaries trying to understand the traffic origin (as sometimes they share the same domain across many extensions). It might also be used as an access-control function on the server-side to allow traffic only from the extension and not from security researchers or automatic web-classification algorithms trying to investigate and classify the domain.
Fake Postman Extension Leads to Credential Theft
While our approach identified many extensions that were believed to be benign, of particular note was one extension that disguised itself as the popular Postman application.
Postman allows developers to test and use APIs, typically using their credentials in the process. The fake Postman extension enables attackers to exploit those credentials to access the company's application. To make matters worse, the malicious extension closely mimics the real Postman extension, even using the same icon and offering the same capabilities.
[caption id="attachment_14074" align="aligncenter" width="452"] Figure 3: Fake Postman extension download[/caption]
We validated that the extension was malicious by analyzing the extension's code. Some of the code (JavaScript) was obfuscated, hiding its C&C targets, a common trick used by attackers.
[caption id="attachment_14076" align="aligncenter" width="192"] Figure 4: Obfuscated JS code in the Postman copycat extension. The variable p returns https://secure.browser-status[.]com/__utm.gif, which is a tracking pixel.[/caption]
Recommendations for Organizations
Cato recommends taking several actions to protect your users from these and other malicious extensions:
Define and maintain a whitelist policy of extensions ID allowed in your organization. Ensure whitelisted extensions are from Google's Chrome Web Store only.
Assess the permissions granted by the extension. Permissions to use cookies, manipulate network traffic or access all tabs and sites require more in-depth investigation.
Monitor for browsers with poor security settings (lower than "Standard").
Monitor network traffic to identify periodic communication with C&C servers.
Conclusions
Despite their investment in EPP and TI, enterprises continue to be infected by malicious Chrome extensions. Attackers introduce the extensions through a range of techniques bypassing legacy protection approaches. However, rather than hunting for a specific malicious extension, enterprises can best protect themselves by identifying the unique network patterns indicative of all malware.
IoCs
Extension ID:
djdcfiocijfjponepmbbdmbeblofhfff (Fake Postman)mfdcjdgkcepgfcfgbadbekokbnlifbko (Fake Postman)dfehheanbnmfndkffgmdaeindpjnicpimgkmlkgpnffmhhfallpoknfmmkdkfejp (QuickNewsWorld Promos)ijbcfkkcifjgnikfcmbdfbddcgjdmggalamaflkhfcmnjcfkcolgmmlpajfholjaiogkcdbmgbhoelodlobknifhlkljiepmflhahaabnnkoccijodlhobjfchcchgjdloiloamappomjnanlieaipcmlpmmolkgpdlfbopkggkgdmgkejgjgnbdbmfcnfjn (EZPackageTracking Promos)epcdjnnpcbidnlehlklebmdijbjleefclepjcehmlpfdgholbejebidnnkkannpl (DOCtoPDF)njmjfnbhppmkpbbcfloagfmfokbokjgo (pdfconverterds)ljnppgaebjnbbahgmjajfbcoabdpopfb (Search Manager)llfdfhfdkdpkphlddncfjmajiciboanfpdfakgkkbagclonnhakillpkhoalfeefndhhhgoicnabjcgnamebnbdgkpobbljmcpdngajmgfolfjhnccalanfegdiebmbm (PBlock+)ciiobgcookficfhfccnjfcdmhekiadje (ViewPDF)nofdiclilfkicekdajkiaieafeciemlh (Your Docs To PDF)fichcldcnidefpllcpcpmnjipcdafjjl (pdfconverterds)cflijgpldfbmdijnkeoadcjpfgokoeck (pdfconverterds)fkacpajnbmglejpdaaeafjafjeleacnj (pdfconverterds)hadebekepjnjbcmpiphpecnibbfgonni (ViewPDF)
Domains:
gojoroh[.]combekprty[.]combkpqdm[.]comyetwp[.]comqalus[.]commucac[.]comsanaju[.]comexploremethod[.]compupahaqo[.]comruboja[.]comjurokotu[.]comkuqotaj[.]comlufacam[.]comwunab[.]comqojonoko[.]combunafo[.]combunupoj[.]comcajato[.]comcusupuh[.]comkohaguk[.]comnaqodur[.]compocakaqu[.]comqunadap[.]comqurajoca[.]comqusonujo[.]comwomohu[.]comwuqah[.]comdagaju[.]comkogarowa[.]comqufobuh[.]combosojojo[.]comdubocoso[.]comfupoj[.]comjagufu[.]comnopuwa[.]comqotun[.]comtafasajo[.]comtudoq[.]comkuratar[.]comsecure.browser-status[.]com
