LockBit Attack on MCNA Leaves Millions Compromised

Managed Care of North America (MCNA), a prominent healthcare provider, recently disclosed a major data breach, revealing that the personal data of almost 9 million patients, including patients, parents, and guardians, had been compromised.

The threat actors behind this attack are the notorious LockBit Ransomware gang, one of the world’s most active and successful cybercrime organizations. With this single attack, the LockBit gang demonstrated their ability to compromise millions of individuals’ security and privacy.

MCNA stated they became aware of unauthorized access to their computer systems on March 6th, 2023, with their investigation revealing that the LockBit ransomware gang first gained access to MCNA’s network on February 26th, 2023.

During the period of unauthorized access, the LockBit gang stole identifying information, such as names and addresses, Social Security numbers, and government-issued ID numbers. Health insurance information, dental care records, associated billing, and insurance claims were also compromised.

On March 7th, 2023, the LockBit gang first published the stolen data samples on their website. Following this, they threatened to release a massive 700GB of sensitive patient data unless MCNA paid a ransom of $10 million.

When the ransom was not paid, LockBit published all the stolen data on its website, pushing the information into the public domain. This exposed the victims to increased risks, including identity theft and other fraudulent activities.

In response to the breach, MCNA contacted law enforcement authorities to help prevent the misuse of the stolen data. They also have taken steps to strengthen the security of their systems to prevent similar incidents from happening in the future.

Acreto Solution

Acreto offers a comprehensive approach to addressing the threats posed by ransomware. By leveraging the power of Ecosystems:

• Ecosystems Acreto’s Ecosystem approach allows an organization to build a dedicated security infrastructure for each application, use case, project, or third-party. This inherently limits access to only the users, devices, systems, and applications that need to interoperate together. By creating this contained environment, Acreto helps prevent unauthorized access and reduces the attack surface, which would be crucial in fending off attacks like LockBit’s.

• Elimination of Attack Surfaces Acreto’s solution aims to eliminate both Internet and internal attack surfaces. It achieves this by employing micro-segmentation and nano-segmentation to isolate individual or groups of systems on a shared network, preventing the lateral movement of attackers, which is a common tactic used in ransomware attacks.

• Encrypted Secure Scan Acreto’s Encrypted Secure Scan decrypts, scans, and re-encrypts communications inline and in real-time. Any malicious content embedded in the encrypted payload is blocked. This helps in preventing the initial intrusion of ransomware into the network.

• Access Control Acreto utilizes multi-factor authentication (MFA) and unique device identities to control access to its Ecosystems. This stringent control can help prevent unauthorized access, which was the initial entry point of the LockBit gang in MCNA’s case.

• Content and Threat Prevention Acreto’s solution controls communication-based on content categories, and has capabilities for data leak prevention, and threat prevention. It can identify and mitigate known exploits, malware, botnets, and ransomware and also has a zero-day behavioral analysis feature to detect new, unknown threats.

• Policy and Change Management Since Ecosystems operate independently, the impact of any change management is limited to the members of a specific Ecosystem. This simplified approach reduces the risk of a widespread attack and facilitates efficient policy management.

Contact Acreto today for more information or to evaluate Ecosystem security for your organization.

Ecosystem Security Isolation

Ecosystems deliver a dedicated security infrastructure that can be deployed per application, use-case, project or third-party. An Ecosystem inherently limits access only to users, devices, systems and applications that need to interoperate together.

Ecosystems support any technology, on any network, anywhere in the world. These include computers, mobile devices, IoTs, Offices, Clouds, SaaS and Data Centers.

Ecosystems can be configured as:

Eliminate the Internet Attack Surface

Eliminates any and all access from the Internet while Ecosystem members can interoperate with authorized systems and applications.

Eliminate the Internal Attack Surface

Ecosystems can easily isolate individual or groups of systems on a shared network or entire networks, to limit access only to systems that need to interoperate together. This is done with

• Micro-Segmentation Segmenting groups of systems on any shared network, including hostile networks or the entire network.

• Nano-Segmentation Isolating an individual system, device or application to limit access only to other authorized Ecosystem members.

Isolated Data Flows

Isolated data flows can be defined between two Ecosystem members to limit access to specified sources and destinations, network protocols and ports, application protocols as well as application programs.

Encrypted Secure Scan

Secure Scan addresses a key weakness in many security tools today. 90%+ of all communications is encrypted, yet only 10% of organizations have the means to secure these communications. Encrypted Secure Scan decrypts, scans, and re-encrypts communications inline and in real-time.

Any malicious content embedded in the encrypted payload is blocked, otherwise the clean and validated communication is delivered to its final destination.

Controls

• User Authorizes access to the Ecosystem by a user’s identity, including MFA, as authenticated by the organizations’ Directory Services such as Active Directory or LDAP, as well as third-party Identity Service Providers such as Okta, Ping, Duo, and CloudJump among others.

• Device Specifies a unique identity to each device to validate that a specified device that does not rely on a user to operate – such as an autonomous application or IoT, is allowed to join the Ecosystem.

• Credit Cards Upload / Download Controls

• Social Security Number Upload / Download Controls

• RegEx Pattern Upload / Download Controls

Threat Prevention

After verification of network protocol, port, application protocol and application program, a deep inspection is performed on all communications. The effectiveness of this method is amplified by inline Encrypted Secure Scan. Threat prevention capabilities utilize two key methods:

Simplicity

Acreto Ecosystems are very easy to provision and deploy. There are no hardware dependencies or associated logistics.

Provisioning an Ecosystem takes 3-5 minutes. Simply provide a unique name to the Ecosystem then choose the bandwidth desired and within a few minutes your Ecosystem providing a dedicated security infrastructure is ready.

Depending on your connection options for Ecosystem members, deployment can take between 10 minutes to a few hours.

Sustainability

Acreto Ecosystems utilize a sustainable model without any dependency on products and their associated logistics. There are no more updates, upgrades or technology refreshes.

Change Management

Different Ecosystems operate completely independently from one-another. Therefore, change management impacts only members of a specified Ecosystem, not the entire organization. This simplifies the traditionally complex change management process.

Policy Management

Policy management also benefits from Ecosystems. Because Ecosystems are specific to a customer scenario such as an application, use-case, project or third-party, all policies apply to the scenario. Moreover, when its time for policy cleanup, when an application or use-case is retired, disabling or deleting the Ecosystem automatically prunes the policies. This has traditionally been a complex task that is at best inaccurate.

About Acreto

Acreto delivers full-stack cybersecurity without products, logistics or significant security expertise. It creates and consolidates the best of cybersecurity into a single plug-and-play platform with automated updates to stay ahead of threats. Acreto activates enterprise-grade security instantly, so organizations can run safely, easily, and without interruption.

Blacktail Ransomware Targets Windows, Linux & VMware

A ransomware operation named ‘Buhti’ is targeting Windows, Linux and VMware systems using the leaked code of the LockBit and Babuk ransomware. The threat actors behind the operation are being tracked under the name ‘Blacktail.’

For Blacktail’s Windows-based attacks, they use a modified LockBit 3.0 variant named “LockBit Black,” a tool leaked on Twitter by a disgruntled developer in September 2022. Once the variant infiltrates a system, it encrypts files, making them inaccessible to the user leaving a note demanding a ransom for release. Further specifics of the modified variant are yet to be learned.

For Linux attacks, Blacktail leverages a payload based on the Babuk source code that was posted on a Russian-speaking hacking forum in September 2021. Babuk’s proven ability to compromise VMware ESXi and Linux systems makes it attractive to several ransomware groups.

Blacktail also has its own custom exfiltration tool used to blackmail victims, employing a tactic known as “double extortion.” This tool is a Go-based stealer that can receive command-line arguments that specify the targeted directories in the filesystem. The tool targets various different file types, then copies them into a ZIP archive to be exfiltrated to Blacktail’s servers.

The emergence of Blacktail and its ransomware operation, Buhti, showcases how swiftly threat actors can become operational using readily available ransomware tools.

Acreto Solution

Acreto’s robust solutions can be leveraged to address and counteract the threats posed by Blacktail. Here’s how:

• By creating dedicated security infrastructure per application or use-case, Acreto’s ecosystems effectively isolate systems targeted by Blacktail, reducing the risk of wider network compromise. The ability to limit access to only those users, devices, systems, and applications that need to interoperate could provide an additional layer of security, making it harder for Blacktail to move laterally across networks.

• By eliminating all access from the internet while allowing interoperation among authorized systems, Acreto’s ecosystems minimize the attack surface available to Blacktail. Micro-segmentation and nano-segmentation could further restrict access and isolate data flows, making it difficult for Blacktail to infiltrate and exfiltrate data.

• Encrypted Secure Scan: This feature would be valuable in detecting and blocking any malicious content embedded in encrypted payloads used by Blacktail. By decrypting, scanning, and re-encrypting communications in real-time, Acreto could effectively catch Blacktail in its tracks.

• Acreto’s range of control features would allow fine-grained monitoring and restriction of network protocol, application protocol, application program, and content, potentially detecting and blocking Blacktail’s activities. The data leak prevention feature could further limit the ability of Blacktail to exfiltrate sensitive data.

• Acreto’s threat prevention capabilities, encompassing both known threats and zero-day behavioral analysis, help detect and block Blacktail’s ransomware activities, preventing them from causing harm.

Contact Acreto today for more information or to evaluate Ecosystem security for your organization.

Ecosystem Security Isolation

Ecosystems deliver a dedicated security infrastructure that can be deployed per application, use-case, project or third-party. An Ecosystem inherently limits access only to users, devices, systems and applications that need to interoperate together.

Ecosystems support any technology, on any network, anywhere in the world. These include computers, mobile devices, IoTs, Offices, Clouds, SaaS and Data Centers.

Ecosystems can be configured as:

Eliminate the Internet Attack Surface

Eliminates any and all access from the Internet while Ecosystem members can interoperate with authorized systems and applications.

Eliminate the Internal Attack Surface

Ecosystems can easily isolate individual or groups of systems on a shared network or entire networks, to limit access only to systems that need to interoperate together. This is done with

• Micro-Segmentation Segmenting groups of systems on any shared network, including hostile networks or the entire network.

• Nano-Segmentation Isolating an individual system, device or application to limit access only to other authorized Ecosystem members.

Isolated Data Flows

Isolated data flows can be defined between two Ecosystem members to limit access to specified sources and destinations, network protocols and ports, application protocols as well as application programs.

Encrypted Secure Scan

Secure Scan addresses a key weakness in many security tools today. 90%+ of all communications is encrypted, yet only 10% of organizations have the means to secure these communications. Encrypted Secure Scan decrypts, scans, and re-encrypts communications inline and in real-time.

Any malicious content embedded in the encrypted payload is blocked, otherwise the clean and validated communication is delivered to its final destination.

Controls

• User Authorizes access to the Ecosystem by a user’s identity, including MFA, as authenticated by the organizations’ Directory Services such as Active Directory or LDAP, as well as third-party Identity Service Providers such as Okta, Ping, Duo, and CloudJump among others.

• Device Specifies a unique identity to each device to validate that a specified device that does not rely on a user to operate – such as an autonomous application or IoT, is allowed to join the Ecosystem.

• Credit Cards Upload / Download Controls

• Social Security Number Upload / Download Controls

• RegEx Pattern Upload / Download Controls

Threat Prevention

After verification of network protocol, port, application protocol and application program, a deep inspection is performed on all communications. The effectiveness of this method is amplified by inline Encrypted Secure Scan. Threat prevention capabilities utilize two key methods:

Simplicity

Acreto Ecosystems are very easy to provision and deploy. There are no hardware dependencies or associated logistics.

Provisioning an Ecosystem takes 3-5 minutes. Simply provide a unique name to the Ecosystem then choose the bandwidth desired and within a few minutes your Ecosystem providing a dedicated security infrastructure is ready.

Depending on your connection options for Ecosystem members, deployment can take between 10 minutes to a few hours.

Sustainability

Acreto Ecosystems utilize a sustainable model without any dependency on products and their associated logistics. There are no more updates, upgrades or technology refreshes.

Change Management

Different Ecosystems operate completely independently from one-another. Therefore, change management impacts only members of a specified Ecosystem, not the entire organization. This simplifies the traditionally complex change management process.

Policy Management

Policy management also benefits from Ecosystems. Because Ecosystems are specific to a customer scenario such as an application, use-case, project or third-party, all policies apply to the scenario. Moreover, when its time for policy cleanup, when an application or use-case is retired, disabling or deleting the Ecosystem automatically prunes the policies. This has traditionally been a complex task that is at best inaccurate.

Mechanism of Attack

• Leaked Ransomware Code Usage Blacktail uses the leaked code of the LockBit and Babuk ransomware families to target Windows and Linux systems, respectively.

• Double-Extortion Tactic The group has created a custom data exfiltration utility that they use to blackmail victims, a tactic known as “double-extortion.”

  • When attacks are successful, the wallpaper of compromised computers is altered to display a ransom note, and all encrypted files receive the “.buthi” extension.

• LockBit Black Creation For attacks on Windows, Blacktail uses a slightly modified LockBit 3.0 variant codenamed “LockBit Black.”

• File Encryption and Warning Successful attacks change the wallpaper of the breached computers to tell victims to open the ransom note while all encrypted files receive the “.buthi” extension.

• Babuk Payload for Linux Attacks For Linux attacks, Blacktail uses a payload based on the Babuk source code.

• Exploitation of Vulnerabilities The group exploits vulnerabilities like CVE-2023-27350 and CVE-2022-47986 to install Cobalt Strike, Meterpreter, Sliver, AnyDesk, and ConnectWise on target computers, using them to steal credentials and move laterally into compromised networks, steal files, launch additional payloads, and more.

• Use of Custom Exfiltration Tool Blacktail uses its own custom exfiltration tool, a Go-based stealer that can receive command-line arguments that specify the targeted directories in the filesystem.

• File Type Targeting The exfiltration tool targets a wide array of file types for theft, which are then copied into a ZIP archive and later exfiltrated to Blacktail’s servers. These file types include:

  • pdf, php, png, ppt, psd, rar, raw, rtf, sql, svg, swf, tar, txt, wav, wma, wmv, xls, xml, yml, zip, aiff, aspx, docx, epub, json, mpeg, pptx, xlsx, and yaml.

 

About Acreto

Acreto delivers full-stack cybersecurity without products, logistics or significant security expertise. It creates and consolidates the best of cybersecurity into a single plug-and-play platform with automated updates to stay ahead of threats. Acreto activates enterprise-grade security instantly, so organizations can run safely, easily, and without interruption.

GoldenJackal Harnesses .NET Malware for Espionage

GoldenJackal is an Advanced Persistent Threat (APT) group that has silently operated for years. Since 2019, this covert group has strategically focused on stealth, maintaining a low profile, and being selective with their targets to reduce the chances of detection.

GoldenJackal’s primary motivations center around espionage, as indicated by their use of data exfiltration and credential dumping tools. Their methods of attack include spear-phishing campaigns involving malicious documents and trojanized ‘Skype for Business’ installers.

A defining trait of GoldenJackal is their use of .NET malware – malicious software constructed with the .NET framework. Their .NET-based toolset includes ‘JackalControl,’ ‘JackalSteal,’ ‘JackalWorm,’ ‘JacklPerInfo,’ and ‘JackalScreenWatcher.’ Each component serves a different purpose, ranging from gaining control over infected systems, stealing sensitive data, and moving laterally across networks to capture screenshots and spread malware via USB drives.

Any powerful tool, even a software framework developed for legitimate purposes like .NET, can be repurposed for malicious intent. GoldenJackal’s tactics underline this, using a mainstream framework to create a covert arsenal of digital weapons.

Acreto Solution

Acreto’s robust solutions can be leveraged to address and counteract the threats posed by the Advanced Persistent Threat (APT) group, GoldenJackal. Here’s how:

Firstly, GoldenJackal has been methodically targeting government and diplomatic entities across Asia favoring stealth and a low profile. This matches perfectly with Acreto’s Ecosystems solution:

• Ecosystems can be set up to provide a dedicated security infrastructure per application, use-case, or even a particular third-party, inherently limiting access only to those necessary, thereby drastically reducing the chances of unwanted intrusions. With its global functionality, the Ecosystems solution could safeguard the targeted entities regardless of their geographical location.

• The primary tactics used by GoldenJackal include spear-phishing campaigns, malicious documents, and trojanized ‘Skype for Business’ installers. This highlights the need for secure communication channels. Acreto’s Ecosystems can eliminate the Internet Attack Surface, blocking all access from the Internet while ensuring secure communication between authorized systems.

• Acreto provides Micro-Segmentation and Nano-Segmentation to isolate individual or groups of systems on a shared network, preventing lateral movement of threats.

• To combat GoldenJackal’s ‘.NET’ malware toolset, the ‘Jackal’ series. Acreto’s Encrypted Secure Scan can decrypt, scan, and re-encrypt communications in real-time. If any malicious content is detected in the encrypted payload, it is blocked, neutralizing threats like the ‘Jackal’ series before they can inflict damage.

• With Access Control, Acreto can provide an additional layer of security. For instance, the Identity with MFA control can ensure only authorized users gain access to the Ecosystem, significantly lowering the chances of credential dumping, a method often used by GoldenJackal.

• GoldenJackal’s modus operandi also includes controlling infected systems. Acreto’s solutions can counteract this by isolating data flows between Ecosystem members, limiting access only to specified sources and destinations, which would help keep the systems secure.

• Acreto’s Event Tracking & Management and Threat Prevention capabilities can provide constant vigilance against the stealthy operations of GoldenJackal. By identifying and mitigating known threats and performing Zero-Day Behavioral Analysis, Acreto can help ensure that any unusual activity is promptly detected and addressed.

Contact Acreto today for more information or to evaluate Ecosystem security for your organization.

Ecosystem Security Isolation

Ecosystems deliver a dedicated security infrastructure that can be deployed per application, use-case, project or third-party. An Ecosystem inherently limits access only to users, devices, systems and applications that need to interoperate together.

Ecosystems support any technology, on any network, anywhere in the world. These include computers, mobile devices, IoTs, Offices, Clouds, SaaS and Data Centers.

Ecosystems can be configured as:

Eliminate the Internet Attack Surface

Eliminates any and all access from the Internet while Ecosystem members can interoperate with authorized systems and applications.

Eliminate the Internal Attack Surface

Ecosystems can easily isolate individual or groups of systems on a shared network or entire networks, to limit access only to systems that need to interoperate together. This is done with

• Micro-Segmentation Segmenting groups of systems on any shared network, including hostile networks or the entire network.

• Nano-Segmentation Isolating an individual system, device or application to limit access only to other authorized Ecosystem members.

Isolated Data Flows

Isolated data flows can be defined between two Ecosystem members to limit access to specified sources and destinations, network protocols and ports, application protocols as well as application programs.

Encrypted Secure Scan

Secure Scan addresses a key weakness in many security tools today. 90%+ of all communications is encrypted, yet only 10% of organizations have the means to secure these communications. Encrypted Secure Scan decrypts, scans, and re-encrypts communications inline and in real-time.

Any malicious content embedded in the encrypted payload is blocked, otherwise the clean and validated communication is delivered to its final destination.

Controls

• User Authorizes access to the Ecosystem by a user’s identity, including MFA, as authenticated by the organizations’ Directory Services such as Active Directory or LDAP, as well as third-party Identity Service Providers such as Okta, Ping, Duo, and CloudJump among others.

• Device Specifies a unique identity to each device to validate that a specified device that does not rely on a user to operate – such as an autonomous application or IoT, is allowed to join the Ecosystem.

• Credit Cards Upload / Download Controls

• Social Security Number Upload / Download Controls

• RegEx Pattern Upload / Download Controls

Threat Prevention

After verification of network protocol, port, application protocol and application program, a deep inspection is performed on all communications. The effectiveness of this method is amplified by inline Encrypted Secure Scan. Threat prevention capabilities utilize two key methods:

Simplicity

Acreto Ecosystems are very easy to provision and deploy. There are no hardware dependencies or associated logistics.

Provisioning an Ecosystem takes 3-5 minutes. Simply provide a unique name to the Ecosystem then choose the bandwidth desired and within a few minutes your Ecosystem providing a dedicated security infrastructure is ready.

Depending on your connection options for Ecosystem members, deployment can take between 10 minutes to a few hours.

Sustainability

Acreto Ecosystems utilize a sustainable model without any dependency on products and their associated logistics. There are no more updates, upgrades or technology refreshes.

Change Management

Different Ecosystems operate completely independently from one-another. Therefore, change management impacts only members of a specified Ecosystem, not the entire organization. This simplifies the traditionally complex change management process.

Policy Management

Policy management also benefits from Ecosystems. Because Ecosystems are specific to a customer scenario such as an application, use-case, project or third-party, all policies apply to the scenario. Moreover, when its time for policy cleanup, when an application or use-case is retired, disabling or deleting the Ecosystem automatically prunes the policies. This has traditionally been a complex task that is at best inaccurate.

Mechanisms of Attack

• The main feature of this group is a specific toolset of .NET malware, JackalControl, JackalWorm, JackalSteal, JackalPerInfo and JackalScreenWatcher intended to:

  • Control victim machines

  • Spread across systems using removable drives

  • Exfiltrate certain files from the infected system

  • Steal credentials

  • Collect information about the local system

  • Collect information about users’ web activities

  • Take screen captures of the desktop

• JackalControl

  • This is a Trojan that allows the attackers to remotely control the target machine through a set of predefined and supported commands. These are received via an HTTPS communication channel facilitated between the malware and the C2 servers, and can instruct the implant to conduct any of the following operations:

    • Execute an arbitrary program with provided arguments

    • Download arbitrary files to the local file system

    • Upload arbitrary files from the local file system

• JackalSteal

  • This tool can be used to monitor removable USB drives, remote shares, and all logical drives in the targeted system. The malware can work as a standard process or as a service. It cannot maintain persistence, so it must be installed by another component.

• JackalWorm

  • This worm was developed to spread and infect systems using removable USB drives. The program was designed as a flexible tool that can be used to infect systems with any malware.

• JackalPerInfo

  • This malware was developed to collect information about the compromised system, as well as a specific set of files that could potentially be used to retrieve stored credentials and the user’s web activities. The attacker named it “perinfo”, a contraction of the program’s main class name PersonalInfoContainer.

• JackalScreenWatcher

  • This tool is used to collect screenshots of the victim’s desktop and sends the pictures to a remote, hard-coded C2 server:

About Acreto

Acreto delivers full-stack cybersecurity without products, logistics or significant security expertise. It creates and consolidates the best of cybersecurity into a single plug-and-play platform with automated updates to stay ahead of threats. Acreto activates enterprise-grade security instantly, so organizations can run safely, easily, and without interruption.

Notorious Fin7 Group Shifts to Ransomware

Google’s New .zip & .mov Domains Create New Risks

In an at-best questionable move, the “Don’t Be Evil” company, Google, has done something evil. Google has created new security risks by releasing eight new top-level domains (TLDs) including, .zip and .mov. Security experts are rebuking Google for introducing new attack vectors that scammers are actively exploiting.

TLDs are the final segment in a URL (such as .com, .org, .net, etc.), and they were initially designed to classify the purpose or geographic region of a given domain.

The .zip extension is commonly used in archive files that employ the zip compression format. Similarly, the .mov format appears at the end of video files, particularly those created in Apple’s QuickTime format. The concern arises from the automatic conversion of these TLDs into clickable links when displayed in emails, on social media, or elsewhere.

Security experts warn that these new TLDs cause confusion when displayed in emails or on social media, as many sites and software automatically convert strings into clickable URLs. Scammers will exploit this to trick people into clicking on malicious links.

A scam could involve the scammer registering a domain such as photos.zip and setting up a website to serve malicious content. Unsuspecting users might click on the link, thinking they are accessing a photo archive from a trusted source, only to be redirected to a scammer’s website.

This has already been illustrated when a .zip TLD was used to create a malicious URL that closely mimics a legitimate one. Spacing is added to deactivate the link.

h t t p s : // github . com ∕ kubernetes∕kubernetes∕archive∕refs∕tags∕@v1271.zip

and

h t t p s : // github . com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip

Everything between “https://” and the @ symbol in a domain name is treated as user information, while everything after the @ symbol is treated as the hostname.

Scammers are sure to exploit these new TLDs to deliver malicious content leading to successful phishing, system breaches, and unauthorized access to sensitive data. The release of .zip and .mov TLDs is creating yet another attack vector that will confuse already vulnerable users.

Acreto Solution

• Through precise file type upload and download controls, Acreto can effectively block the transfer of files that could be potential vehicles for cyber threats. By doing so, it minimizes the chance of malicious files reaching your systems in the first place. This is particularly relevant in the context of the .zip and .mov TLDs, where scammers could exploit these file types to deliver harmful content.

• By blocking potentially harmful file transfers, Acreto ensures that your digital environment remains secure, without impeding your legitimate business operations. This safety measure, combined with Acreto’s comprehensive suite of security solutions, presents a formidable shield against the potential threats posed by the evolving TLD landscape.

Contact Acreto today for more information or to evaluate Ecosystem security for your organization.

Ecosystem Security Isolation

Ecosystems deliver a dedicated security infrastructure that can be deployed per application, use-case, project or third-party. An Ecosystem inherently limits access only to users, devices, systems and applications that need to interoperate together.

Ecosystems support any technology, on any network, anywhere in the world. These include computers, mobile devices, IoTs, Offices, Clouds, SaaS and Data Centers.

Ecosystems can be configured as:

Eliminate the Internet Attack Surface

Eliminates any and all access from the Internet while Ecosystem members can interoperate with authorized systems and applications.

Eliminate the Internal Attack Surface

Ecosystems can easily isolate individual or groups of systems on a shared network or entire networks, to limit access only to systems that need to interoperate together. This is done with

• Micro-Segmentation Segmenting groups of systems on any shared network, including hostile networks or the entire network.

• Nano-Segmentation Isolating an individual system, device or application to limit access only to other authorized Ecosystem members.

Isolated Data Flows

Isolated data flows can be defined between two Ecosystem members to limit access to specified sources and destinations, network protocols and ports, application protocols as well as application programs.

Encrypted Secure Scan

Secure Scan addresses a key weakness in many security tools today. 90%+ of all communications is encrypted, yet only 10% of organizations have the means to secure these communications. Encrypted Secure Scan decrypts, scans, and re-encrypts communications inline and in real-time.

Any malicious content embedded in the encrypted payload is blocked, otherwise the clean and validated communication is delivered to its final destination.

Controls

• User Authorizes access to the Ecosystem by a user’s identity, including MFA, as authenticated by the organizations’ Directory Services such as Active Directory or LDAP, as well as third-party Identity Service Providers such as Okta, Ping, Duo, and CloudJump among others.

• Device Specifies a unique identity to each device to validate that a specified device that does not rely on a user to operate – such as an autonomous application or IoT, is allowed to join the Ecosystem.

• Credit Cards Upload / Download Controls

• Social Security Number Upload / Download Controls

• RegEx Pattern Upload / Download Controls

Threat Prevention

After verification of network protocol, port, application protocol and application program, a deep inspection is performed on all communications. The effectiveness of this method is amplified by inline Encrypted Secure Scan. Threat prevention capabilities utilize two key methods:

Simplicity

Acreto Ecosystems are very easy to provision and deploy. There are no hardware dependencies or associated logistics.

Provisioning an Ecosystem takes 3-5 minutes. Simply provide a unique name to the Ecosystem then choose the bandwidth desired and within a few minutes your Ecosystem providing a dedicated security infrastructure is ready.

Depending on your connection options for Ecosystem members, deployment can take between 10 minutes to a few hours.

Sustainability

Acreto Ecosystems utilize a sustainable model without any dependency on products and their associated logistics. There are no more updates, upgrades or technology refreshes.

Change Management

Different Ecosystems operate completely independently from one-another. Therefore, change management impacts only members of a specified Ecosystem, not the entire organization. This simplifies the traditionally complex change management process.

Policy Management

Policy management also benefits from Ecosystems. Because Ecosystems are specific to a customer scenario such as an application, use-case, project or third-party, all policies apply to the scenario. Moreover, when it’s time for policy cleanup, when an application or use-case is retired, disabling or deleting the Ecosystem automatically prunes the policies. This has traditionally been a complex task that is at best inaccurate.

Mechanism of Attack

• Google has introduced new TLDs, including .zip and .mov.

  • These extensions are problematic because they are commonly associated with specific file types (.zip for compressed files, .mov for QuickTime video files), which could lead to confusion.

  • Many software automatically converts strings into clickable URLs when displayed in emails or social media.

  • Scammers can use this feature to trick users into clicking malicious links disguised as regular file downloads.

  • Attacker could register a domain like ‘photos.zip’ and host malicious content there. Users might think they’re clicking on a compressed photo file when they’re actually being redirected to a dangerous website.

• Technical Aspects of Exploitation

  • The exploitation relies on the automated transformation of strings with new TLDs into clickable links by many email or social media platforms.

  • The attack vector is based on the confusion between file types and these new TLDs.

  • The malicious process could involve a multi-step attack, from registering the scam domain to crafting a deceptive email or post, to hosting and serving malicious content.

  • The scammer could also use the @ operator and Unicode characters that resemble slashes in URLs to make malicious URLs appear more legitimate.

About Acreto

Acreto delivers full-stack cybersecurity without products, logistics or significant security expertise. It creates and consolidates the best of cybersecurity into a single plug-and-play platform with automated updates to stay ahead of threats. Acreto activates enterprise-grade security instantly, so organizations can run safely, easily, and without interruption.

Severe Vulnerabilities in Cisco — Some Unpatchable

There are severe new vulnerabilities in CISCO switches that enable remote code execution on the affected devices.

These vulnerabilities have been given extremely high severity ratings with CVSS base scores of 9.8/10. Successful exploitation enables unauthenticated attackers to execute arbitrary code with root privileges on compromised devices.

The vulnerabilities (CVE-2023-20159, CVE-2023-20160, CVE-2023-20161, and CVE-2023-20189) are caused by improper validation of requests sent to the targeted switches’ web interfaces. Attackers can exploit these vulnerabilities by sending specially crafted requests through the devices’ web-based user interfaces.

Cisco has released patches for some software versions, but not all devices can be patched. End-of-life devices remain vulnerable. The following end-of-life series of switches DO NOT have patches and remain vulnerable:

• Small Business 200 Series Smart Switches

• Small Business 300 Series Managed Switches

• Small Business 500 Series Stackable Managed Switches

The availability of proof-of-concept exploit code for these vulnerabilities significantly raises the concern of motivated threat actors developing their own exploits to target vulnerable devices.

Acreto Solution

Even if the CISCO switches have entered the end-of-life process and are no longer receiving patches from the manufacturer, Acreto’s security measures can still be applied to protect CISCO devices.

• By isolating the vulnerable devices’ management interface within an Ecosystem, Acreto effectively limits access to only those systems that need to interoperate, preventing unauthorized access and reducing the risk of exploitation.

• The micro-segmentation and nano-segmentation capabilities offered by Acreto enable the isolation of individual devices or groups of devices on shared networks, further enhancing security. With isolated data flows, organizations can define specific communication paths and access controls, ensuring that interactions with vulnerable devices are restricted to authorized sources and destinations.

• Acreto’s Encrypted Secure Scan provides inline decryption, scanning, and re-encryption of communications, even for encrypted traffic. This ensures that any malicious content embedded in the encrypted payload is blocked, safeguarding vulnerable devices against potential attacks.

• By implementing access controls based on user identity, device identity, network protocols, ports, and application protocols, Acreto enables organizations to maintain granular control over communication flows involving the end-of-life CISCO switches. This helps to prevent unauthorized code execution and unauthorized access to these devices.

Acreto’s comprehensive security solution through Ecosystems can provide robust protection for both patched and unpatched CISCO devices, allowing organizations to mitigate the risks associated with vulnerabilities in CISCO Series Switches that have reached the end-of-life processes.

Contact Acreto today for more information or to evaluate Ecosystem security for your organization.

Ecosystem Security Isolation

Ecosystems deliver a dedicated security infrastructure that can be deployed per application, use-case, project or third-party. An Ecosystem inherently limits access only to users, devices, systems and applications that need to interoperate together.

Ecosystems support any technology, on any network, anywhere in the world. These include computers, mobile devices, IoTs, Offices, Clouds, SaaS and Data Centers.

Ecosystems can be configured as:

Eliminate the Internet Attack Surface

Eliminates any and all access from the Internet while Ecosystem members can interoperate with authorized systems and applications.

Eliminate the Internal Attack Surface

Ecosystems can easily isolate individual or groups of systems on a shared network or entire networks, to limit access only to systems that need to interoperate together. This is done with

• Micro-Segmentation Segmenting groups of systems on any shared network, including hostile networks or the entire network.

• Nano-Segmentation Isolating an individual system, device or application to limit access only to other authorized Ecosystem members.

Isolated Data Flows

Isolated data flows can be defined between two Ecosystem members to limit access to specified sources and destinations, network protocols and ports, application protocols as well as application programs.

Encrypted Secure Scan

Secure Scan addresses a key weakness in many security tools today. 90%+ of all communications is encrypted, yet only 10% of organizations have the means to secure these communications. Encrypted Secure Scan decrypts, scans, and re-encrypts communications inline and in real-time.

Any malicious content embedded in the encrypted payload is blocked, otherwise the clean and validated communication is delivered to its final destination.

Controls

• User Authorizes access to the Ecosystem by a user’s identity, including MFA, as authenticated by the organizations’ Directory Services such as Active Directory or LDAP, as well as third-party Identity Service Providers such as Okta, Ping, Duo, and CloudJump among others.

• Device Specifies a unique identity to each device to validate that a specified device that does not rely on a user to operate – such as an autonomous application or IoT, is allowed to join the Ecosystem.

• Credit Cards Upload / Download Controls

• Social Security Number Upload / Download Controls

• RegEx Pattern Upload / Download Controls

Threat Prevention

After verification of network protocol, port, application protocol and application program, a deep inspection is performed on all communications. The effectiveness of this method is amplified by inline Encrypted Secure Scan. Threat prevention capabilities utilize two key methods:

Simplicity

Acreto Ecosystems are very easy to provision and deploy. There are no hardware dependencies or associated logistics.

Provisioning an Ecosystem takes 3-5 minutes. Simply provide a unique name to the Ecosystem then choose the bandwidth desired and within a few minutes your Ecosystem providing a dedicated security infrastructure is ready.

Depending on your connection options for Ecosystem members, deployment can take between 10 minutes to a few hours.

Sustainability

Acreto Ecosystems utilize a sustainable model without any dependency on products and their associated logistics. There are no more updates, upgrades or technology refreshes.

Change Management

Different Ecosystems operate completely independently from one-another. Therefore, change management impacts only members of a specified Ecosystem, not the entire organization. This simplifies the traditionally complex change management process.

Policy Management

Policy management also benefits from Ecosystems. Because Ecosystems are specific to a customer scenario such as an application, use-case, project or third-party, all policies apply to the scenario. Moreover, when its time for policy cleanup, when an application or use-case is retired, disabling or deleting the Ecosystem automatically prunes the policies. This has traditionally been a complex task that is at best inaccurate.

About Acreto

Acreto delivers full-stack cybersecurity without products, logistics or significant security expertise. It creates and consolidates the best of cybersecurity into a single plug-and-play platform with automated updates to stay ahead of threats. Acreto activates enterprise-grade security instantly, so organizations can run safely, easily, and without interruption.

New Linux Vulnerabilities Actively Exploited

Cybersecurity researchers have uncovered new vulnerabilities in widely used Linux components, posing a significant risk to critical infrastructure and sensitive data. These vulnerabilities have been identified as frequent targets for malicious cyber actors and have been active since as far back as 2010.

One of the vulnerabilities affects Red Hat Polkit, an essential toolkit responsible for managing the policy between privileged and unprivileged processes. This vulnerability enables attackers to bypass credential checks, leading to privilege escalation. With this exploit, unauthorized individuals can gain higher privileges, potentially compromising system security and accessing sensitive information.

Another vulnerability has been discovered within the Linux Kernel itself. This vulnerability introduces a race condition, making the behavior of the program susceptible to manipulation by attackers. By altering the timing or order of operations, malicious actors can launch denial-of-service attacks, corrupt data, or even escalate their privileges within the system.

The Reliable Datagram Sockets (RDS) protocol implementation in the Linux Kernel is also affected by a vulnerability. Exploiting improper input validation, local users can exploit this flaw to gain elevated privileges. This means that unauthorized users within the system can potentially acquire higher privileges than intended, compromising the security and confidentiality of sensitive data.

Acreto Solution

Acreto can effectively address these Linux-related vulnerabilities.

• CVE-2021-3560: Acreto’s Ecosystems can address this vulnerability by providing micro-segmentation and nano-segmentation capabilities. Ecosystems can easily isolate individuals or groups of systems, limiting access only to systems that need to interoperate together. By segmenting the Linux systems and implementing access controls based on the principle of least privilege, Acreto can help prevent unauthorized bypassing of credential checks and mitigate privilege escalation.

• CVE-2014-0196: To address this vulnerability in the Linux Kernel, Acreto’s Ecosystems provide isolated data flows between systems. By defining isolated data flows between vulnerable systems and other authorized Ecosystem members, Acreto can limit access to specific sources, destinations, network protocols, ports, and application protocols. This can help prevent local users from exploiting the race condition vulnerability and gaining elevated privileges.

• CVE-2010-3904: For the vulnerability in the Linux Kernel’s RDS protocol implementation, by segmenting the Linux systems and defining isolated data flows, Acreto can limit access to the RDS protocol and prevent local users from exploiting the improper input validation vulnerability, thus mitigating the risk of elevated privileges.

Ecosystem Security Isolation

Ecosystems deliver a dedicated security infrastructure that can be deployed per application, use-case, project or third-party. An Ecosystem inherently limits access only to users, devices, systems and applications that need to interoperate together.

Ecosystems support any technology, on any network, anywhere in the world. These include computers, mobile devices, IoTs, Offices, Clouds, SaaS and Data Centers.

Ecosystems can be configured as:

Eliminate the Internet Attack Surface

Eliminates any and all access from the Internet while Ecosystem members can interoperate with authorized systems and applications.

Eliminate the Internal Attack Surface

Ecosystems can easily isolate individual or groups of systems on a shared network or entire networks, to limit access only to systems that need to interoperate together. This is done with

• Micro-Segmentation Segmenting groups of systems on any shared network, including hostile networks or the entire network.

• Nano-Segmentation Isolating an individual system, device or application to limit access only to other authorized Ecosystem members.

Isolated Data Flows

Isolated data flows can be defined between two Ecosystem members to limit access to specified sources and destinations, network protocols and ports, application protocols as well as application programs.

Encrypted Secure Scan

Secure Scan addresses a key weakness in many security tools today. 90%+ of all communications is encrypted, yet only 10% of organizations have the means to secure these communications. Encrypted Secure Scan decrypts, scans, and re-encrypts communications inline and in real-time.

Any malicious content embedded in the encrypted payload is blocked, while the clean and validated communication is delivered to its final destination.

Controls

• User Authorizes access to the Ecosystem by a user’s identity, including MFA, as authenticated by the organizations’ Directory Services such as Active Directory or LDAP, as well as third-party Identity Service Providers such as Okta, Ping, Duo, and CloudJump among others.

• Device Specifies a unique identity to each device to validate that a specified device that does not rely on a user to operate – such as an autonomous application or IoT, is allowed to join the Ecosystem.

• Credit Cards Upload / Download Controls

• Social Security Number Upload / Download Controls

• RegEx Pattern Upload / Download Controls

Threat Prevention

After verification of network protocol, port, application protocol and application program, a deep inspection is performed on all communications. The effectiveness of this method is amplified by inline Encrypted Secure Scan. Threat prevention capabilities utilize two key methods:

Simplicity

Acreto Ecosystems are very easy to provision and deploy. There are no hardware dependencies or associated logistics.

Provisioning an Ecosystem takes 3-5 minutes. Simply provide a unique name to the Ecosystem then choose the bandwidth desired and within a few minutes your Ecosystem providing a dedicated security infrastructure is ready.

Depending on your connection options for Ecosystem members, deployment can take between 10 minutes to a few hours.

Sustainability

Acreto Ecosystems utilize a sustainable model without any dependency on products and their associated logistics. There are no more updates, upgrades or technology refreshes.

Change Management

Different Ecosystems operate completely independently from one another. Therefore, change management impacts only members of a specified Ecosystem, not the entire organization. This simplifies the traditionally complex change management process.

Policy Management

Policy management also benefits from Ecosystems. Because Ecosystems are specific to a customer scenario such as an application, use-case, project or third-party, all policies apply to the scenario. Moreover, when its time for policy cleanup, when an application or use-case is retired, disabling or deleting the Ecosystem automatically prunes the policies. This has traditionally been a complex task that is at best inaccurate.

Mechanism of Attack

• CVE-2021-3560 – Red Hat Polkit: Red Hat Polkit, an application-level toolkit for managing the policy between privileged and unprivileged processes, has an incorrect authorization vulnerability. Attackers can bypass credential checks for D-Bus requests, leading to privilege escalation.

• CVE-2014-0196 – Linux Kernel: The Linux Kernel is susceptible to a race condition vulnerability within the n_tty_write function. Local users can exploit this flaw to cause denial-of-service or gain elevated privileges through read and write operations involving long strings.

• CVE-2010-3904 – Linux Kernel: The Linux Kernel’s Reliable Datagram Sockets (RDS) protocol implementation contains an improper input validation vulnerability. Local users can exploit this flaw by crafting the sendmsg and recvmsg system calls, gaining elevated privileges.

For more details on CVEs, visit: CVE – CVE (mitre.org)

About Acreto

Acreto delivers full-stack cybersecurity without products, logistics or significant security expertise. It creates and consolidates the best of cybersecurity into a single plug-and-play platform with automated updates to stay ahead of threats. Acreto activates enterprise-grade security instantly, so organizations can run safely, easily, and without interruption.