Managed Care of North America (MCNA), a prominent healthcare provider, recently disclosed a major data breach, revealing that the personal data of almost 9 million individuals, including patients, parents, and guardians, had been compromised.
The threat actors behind this attack are the notorious LockBit Ransomware gang, one of the world’s most active and successful cybercrime organizations. With this single attack, the LockBit gang demonstrated their ability to compromise millions of individuals’ security and privacy.
MCNA stated they became aware of unauthorized access to their computer systems on March 6th, 2023, with their investigation revealing that the LockBit ransomware gang first gained access to MCNA’s network on February 26th, 2023.
During the period of unauthorized access, the LockBit gang stole identifying information, such as names and addresses, Social Security numbers, and government-issued ID numbers. Health insurance information, dental care records, associated billing, and insurance claims were also compromised.
On March 7th, 2023, the LockBit gang first published samples of the stolen data on their website. Following this, they threatened to release a massive 700GB of sensitive patient data unless MCNA paid a ransom of $10 million.
When the ransom was not paid, LockBit published all the stolen data on its website, pushing the information into the public domain. This exposed the victims to increased risks, including identity theft and other fraudulent activities.
In response to the breach, MCNA contacted law enforcement authorities to help prevent the misuse of the stolen data. They also have taken steps to strengthen the security of their systems to prevent similar incidents from happening in the future.
Acreto offers a comprehensive approach to addressing the threats posed by ransomware by leveraging the power of Ecosystems:
Ecosystems
Acreto’s Ecosystem approach allows an organization to build a dedicated security infrastructure for each application, use case, project, or third-party. This inherently limits access to only the users, devices, systems, and applications that need to interoperate together. By creating this contained environment, Acreto helps prevent unauthorized access and reduces the attack surface, which would be crucial in fending off attacks like LockBit’s.
Elimination of Attack Surfaces
Acreto’s solution aims to eliminate both Internet and internal attack surfaces. It achieves this by employing micro-segmentation and nano-segmentation to isolate individual systems or groups of systems on a shared network, preventing the lateral movement of attackers, a common tactic in ransomware attacks.
Encrypted Secure Scan
Acreto’s Encrypted Secure Scan decrypts, scans, and re-encrypts communications inline and in real-time. Any malicious content embedded in the encrypted payload is blocked. This helps prevent the initial intrusion of ransomware into the network.
Access Control
Acreto utilizes multi-factor authentication (MFA) and unique device identities to control access to its Ecosystems. This stringent control can help prevent unauthorized access, which was the initial entry point of the LockBit gang in MCNA’s case.
Content and Threat Prevention
Acreto’s solution controls communication based on content categories and provides data leak prevention and threat prevention. It can identify and mitigate known exploits, malware, botnets, and ransomware, and its zero-day behavioral analysis feature detects new, unknown threats.
Policy and Change Management
Since Ecosystems operate independently, the impact of any change is limited to the members of a specific Ecosystem. This simplified approach reduces the risk of a widespread attack and facilitates efficient policy management.
Contact Acreto today for more information or to evaluate Ecosystem security for your organization.
Ecosystems deliver a dedicated security infrastructure that can be deployed per application, use-case, project or third-party. An Ecosystem inherently limits access only to users, devices, systems and applications that need to interoperate together.
Ecosystems support any technology, on any network, anywhere in the world. These include computers, mobile devices, IoTs, Offices, Clouds, SaaS and Data Centers.
Ecosystems can be configured as:
Open → With inbound or outbound access from or to the Internet or a third-party
Closed → Fully contained with access limited to Ecosystem members
Hybrid → Where some systems have inbound or outbound Internet access while others operate fully contained.
Eliminate the Internet Attack Surface
Eliminates any and all access from the Internet while Ecosystem members can interoperate with authorized systems and applications.
Eliminate the Internal Attack Surface
Ecosystems can easily isolate individual or groups of systems on a shared network or entire networks, to limit access only to systems that need to interoperate together. This is done with:
Micro-Segmentation
Segmenting groups of systems on any shared network, including hostile networks or the entire network.
Nano-Segmentation
Isolating an individual system, device or application to limit access only to other authorized Ecosystem members.
Isolated Data Flows
Isolated data flows can be defined between two Ecosystem members to limit access to specified sources and destinations, network protocols and ports, application protocols as well as application programs.
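The Ecosystem modes (Open, Closed, Hybrid), the segmentation controls and the isolated data flows described above can be modelled as a default-deny policy check. The following is an added Python example written for this page, not Acreto’s code; the Ecosystem name, member names, ports and application protocols are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import FrozenSet, List, Tuple

INTERNET = "internet"  # pseudo-endpoint for any non-member Internet resource


class Mode(Enum):
    OPEN = "open"      # members may have inbound/outbound Internet flows
    CLOSED = "closed"  # fully contained: no Internet flows at all
    HYBRID = "hybrid"  # only listed members may reach/be reached from the Internet


@dataclass(frozen=True)
class Flow:
    src: str          # member identity (user, device or IP) or INTERNET
    dst: str
    proto: str        # network protocol: TCP, UDP, ICMP
    port: int         # 1-65535
    app_proto: str    # application protocol: HTTPS, DNS, SMB, ...
    app: str = "*"    # application program, e.g. MS-Exchange


@dataclass(frozen=True)
class FlowRule:
    """One isolated data flow: a specific source, destination, protocol, port set and app."""
    src: str
    dst: str
    proto: str
    ports: FrozenSet[int]
    app_proto: str
    app: str = "*"

    def matches(self, f: Flow) -> bool:
        return (self.src == f.src and self.dst == f.dst
                and self.proto == f.proto and f.port in self.ports
                and self.app_proto == f.app_proto
                and self.app in ("*", f.app))


@dataclass
class Ecosystem:
    name: str
    mode: Mode
    members: FrozenSet[str]
    rules: List[FlowRule]
    internet_members: FrozenSet[str] = field(default_factory=frozenset)  # Hybrid only

    def evaluate(self, f: Flow) -> Tuple[bool, str]:
        """Return (allowed, reason). Anything not explicitly permitted is denied."""
        src_in, dst_in = f.src in self.members, f.dst in self.members
        if not src_in and not dst_in:
            return False, "neither endpoint is an Ecosystem member"
        if INTERNET in (f.src, f.dst):
            member = f.dst if f.src == INTERNET else f.src
            if self.mode is Mode.CLOSED:
                return False, "closed Ecosystem: Internet attack surface eliminated"
            if self.mode is Mode.HYBRID and member not in self.internet_members:
                return False, f"{member} has no Internet access in hybrid mode"
        elif not (src_in and dst_in):
            return False, "endpoint outside the Ecosystem (nano-segmentation)"
        for r in self.rules:  # default deny: an explicit isolated data flow must match
            if r.matches(f):
                return True, f"allowed by {r.src}->{r.dst} {r.app_proto}/{r.proto}:{f.port}"
        return False, "no isolated data flow permits this traffic (default deny)"


# Constructed example: a hybrid Ecosystem for a claims application.
ECOSYSTEM = Ecosystem(
    name="dental-claims",
    mode=Mode.HYBRID,
    members=frozenset({"claims-app", "claims-db", "clerk-laptop"}),
    internet_members=frozenset({"claims-app"}),
    rules=[
        FlowRule("clerk-laptop", "claims-app", "TCP", frozenset({443}), "HTTPS"),
        FlowRule("claims-app", "claims-db", "TCP", frozenset({5432}), "PostgreSQL"),
        FlowRule("claims-app", INTERNET, "TCP", frozenset({443}), "HTTPS"),
    ],
)

if __name__ == "__main__":
    for flow in (
        Flow("clerk-laptop", "claims-app", "TCP", 443, "HTTPS"),
        Flow("clerk-laptop", "claims-db", "TCP", 445, "SMB"),      # lateral movement attempt
        Flow(INTERNET, "claims-db", "TCP", 5432, "PostgreSQL"),    # inbound to a contained member
    ):
        print(flow, ECOSYSTEM.evaluate(flow))
```

Note that the clerk’s SMB attempt toward the database is denied not because SMB is blocked globally, but because no isolated data flow between those two members exists.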
Secure Scan addresses a key weakness in many security tools today. 90%+ of all communications are encrypted, yet only 10% of organizations have the means to secure these communications. Encrypted Secure Scan decrypts, scans, and re-encrypts communications inline and in real-time.
Any malicious content embedded in the encrypted payload is blocked, otherwise the clean and validated communication is delivered to its final destination.
Identity with MFA
User
Authorizes access to the Ecosystem by a user’s identity, including MFA, as authenticated by the organization’s Directory Services such as Active Directory or LDAP, as well as third-party Identity Service Providers such as Okta, Ping, Duo, and CloudJump among others.
Device
Assigns a unique identity to each device to validate that a device which does not rely on a user to operate, such as an autonomous application or IoT device, is allowed to join the Ecosystem.
Network Protocol / Port
Control the network protocol (TCP, UDP, ICMP) and Port (1-65535) any Ecosystem member can use to communicate with any other Ecosystem member or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.
Application Protocol
Control the application protocol (HTTP, DNS, SMTP, SMB, etc…) any Ecosystem member can use to communicate with any other Ecosystem members or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.
Application Program
Control the application program (MS-Exchange, Oracle, Facebook, GMail, etc…) any Ecosystem member can use to communicate with any other Ecosystem members or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.
Content Category
Control communication based on content categories such as Adult, Gambling, Politics, Malware sites among 90+ category options.
File Type Upload / Download Controls
Control upload / download of files by type such as .EXE, PDF, XLS, DOC, SCR, and MSI among hundreds of options.
Data Leak Prevention
Prevent data leaks by identifying and mitigating the upload or download of sensitive data such as:
Credit Cards Upload / Download Controls
Social Security Number Upload / Download Controls
RegEx Pattern Upload / Download Controls
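The three data leak prevention controls listed above (credit cards, Social Security numbers, RegEx patterns) come down to pattern matching with validity checks that keep false positives down. The following is an added Python example written for this page, not Acreto’s implementation; the sample upload text and the custom pattern are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Card numbers: 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in the common AAA-GG-SSSS form.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


@dataclass(frozen=True)
class Finding:
    kind: str
    value: str
    offset: int


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_structurally_valid(area: str, group: str, serial: str) -> bool:
    """The SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def scan(payload: str, custom_patterns: Optional[Dict[str, str]] = None) -> List[Finding]:
    """Return every sensitive-data match in the payload, ordered by position."""
    findings: List[Finding] = []
    for m in CARD_RE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append(Finding("credit_card", m.group(0), m.start()))
    for m in SSN_RE.finditer(payload):
        if ssn_structurally_valid(*m.groups()):
            findings.append(Finding("ssn", m.group(0), m.start()))
    for name, pattern in (custom_patterns or {}).items():  # RegEx pattern controls
        for m in re.finditer(pattern, payload):
            findings.append(Finding(name, m.group(0), m.start()))
    return sorted(findings, key=lambda f: f.offset)


def decide(payload: str, custom_patterns: Optional[Dict[str, str]] = None) -> str:
    """Upload/download verdict: block as soon as any sensitive pattern is found."""
    return "BLOCK" if scan(payload, custom_patterns) else "ALLOW"


# Constructed sample payloads. 4111 1111 1111 1111 is a well-known Luhn-valid test number;
# the "invoice" number in the clean payload differs in its last digit and fails Luhn.
SAMPLE_UPLOAD = "Patient 123-45-6789 paid with card 4111 1111 1111 1111; ref ACME-004512"
CLEAN_UPLOAD = "Invoice 4111 1111 1111 1112, call 555-123-4567 with questions"
CUSTOM_PATTERNS = {"acme_ref": r"\bACME-\d{6}\b"}  # hypothetical internal reference format

if __name__ == "__main__":
    for text in (SAMPLE_UPLOAD, CLEAN_UPLOAD):
        print(decide(text, CUSTOM_PATTERNS), scan(text, CUSTOM_PATTERNS))
```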
After verification of network protocol, port, application protocol and application program, a deep inspection is performed on all communications. The effectiveness of this method is amplified by inline Encrypted Secure Scan. Threat prevention capabilities utilize two key methods:
Threat Signature
Identifies and mitigates known bad exploits, malware, botnets and ransomware.
Zero-Day Behavioral Analysis
Looks for behavioral indication of threats based on how system functions react to the payload, immediately and over time.
Acreto Ecosystems are very easy to provision and deploy. There are no hardware dependencies or associated logistics.
Provisioning an Ecosystem takes 3-5 minutes. Simply give the Ecosystem a unique name, choose the desired bandwidth, and within a few minutes your Ecosystem is ready to provide a dedicated security infrastructure.
Depending on your connection options for Ecosystem members, deployment can take between 10 minutes and a few hours.
Acreto Ecosystems utilize a sustainable model without any dependency on products and their associated logistics. There are no more updates, upgrades or technology refreshes.
Change Management
Different Ecosystems operate completely independently from one another. Therefore, change management impacts only members of a specified Ecosystem, not the entire organization. This simplifies the traditionally complex change management process.
Policy Management
Policy management also benefits from Ecosystems. Because Ecosystems are specific to a customer scenario such as an application, use-case, project or third-party, all policies apply to that scenario. Moreover, when it’s time for policy cleanup because an application or use-case is retired, disabling or deleting the Ecosystem automatically prunes its policies. This has traditionally been a complex task that is at best inaccurate.
About Acreto
Acreto delivers full-stack cybersecurity without products, logistics or significant security expertise. It creates and consolidates the best of cybersecurity into a single plug-and-play platform with automated updates to stay ahead of threats. Acreto activates enterprise-grade security instantly, so organizations can run safely, easily, and without interruption.
A ransomware operation named ‘Buhti’ is targeting Windows, Linux and VMware systems using the leaked code of the LockBit and Babuk ransomware. The threat actors behind the operation are being tracked under the name ‘Blacktail.’
For Blacktail’s Windows-based attacks, they use a modified LockBit 3.0 variant named “LockBit Black,” a tool leaked on Twitter by a disgruntled developer in September 2022. Once the variant infiltrates a system, it encrypts files, making them inaccessible to the user, and leaves a note demanding a ransom for their release. Further specifics of the modified variant are yet to be learned.
For Linux attacks, Blacktail leverages a payload based on the Babuk source code that was posted on a Russian-speaking hacking forum in September 2021. Babuk’s proven ability to compromise VMware ESXi and Linux systems makes it attractive to several ransomware groups.
Blacktail also has its own custom exfiltration tool used to blackmail victims, employing a tactic known as “double extortion.” This tool is a Go-based stealer that can receive command-line arguments specifying the targeted directories in the filesystem. The tool targets a range of file types, then copies them into a ZIP archive to be exfiltrated to Blacktail’s servers.
The emergence of Blacktail and its ransomware operation, Buhti, showcases how swiftly threat actors can become operational using readily available ransomware tools.
Acreto’s robust solutions can be leveraged to address and counteract the threats posed by Blacktail. Here’s how:
By creating dedicated security infrastructure per application or use-case, Acreto’s ecosystems effectively isolate systems targeted by Blacktail, reducing the risk of wider network compromise. The ability to limit access to only those users, devices, systems, and applications that need to interoperate could provide an additional layer of security, making it harder for Blacktail to move laterally across networks.
By eliminating all access from the internet while allowing interoperation among authorized systems, Acreto’s ecosystems minimize the attack surface available to Blacktail. Micro-segmentation and nano-segmentation could further restrict access and isolate data flows, making it difficult for Blacktail to infiltrate and exfiltrate data.
Acreto’s Encrypted Secure Scan would be valuable in detecting and blocking any malicious content embedded in encrypted payloads used by Blacktail. By decrypting, scanning, and re-encrypting communications in real-time, Acreto could effectively catch Blacktail in its tracks.
Acreto’s range of control features would allow fine-grained monitoring and restriction of network protocol, application protocol, application program, and content, potentially detecting and blocking Blacktail’s activities. The data leak prevention feature could further limit the ability of Blacktail to exfiltrate sensitive data.
Acreto’s threat prevention capabilities, encompassing both known threats and zero-day behavioral analysis, help detect and block Blacktail’s ransomware activities, preventing them from causing harm.
Leaked Ransomware Code Usage
Blacktail uses the leaked code of the LockBit and Babuk ransomware families to target Windows and Linux systems, respectively.
Double-Extortion Tactic
The group has created a custom data exfiltration utility that it uses to blackmail victims, a tactic known as “double extortion.”
LockBit Black Creation
For attacks on Windows, Blacktail uses a slightly modified LockBit 3.0 variant codenamed “LockBit Black.”
File Encryption and Warning
When attacks are successful, the wallpaper of compromised computers is altered to tell victims to open the ransom note, and all encrypted files receive the “.buthi” extension.
Babuk Payload for Linux Attacks
For Linux attacks, Blacktail uses a payload based on the Babuk source code.
Exploitation of Vulnerabilities
The group exploits vulnerabilities like CVE-2023-27350 and CVE-2022-47986 to install Cobalt Strike, Meterpreter, Sliver, AnyDesk, and ConnectWise on target computers, using them to steal credentials, move laterally within compromised networks, steal files, launch additional payloads, and more.
Use of Custom Exfiltration Tool
Blacktail uses its own custom exfiltration tool, a Go-based stealer that can receive command-line arguments specifying the targeted directories in the filesystem.
File Type Targeting
The exfiltration tool targets a wide array of file types for theft, which are copied into a ZIP archive and later exfiltrated to Blacktail’s servers. These file types include:
pdf, php, png, ppt, psd, rar, raw, rtf, sql, svg, swf, tar, txt, wav, wma, wmv, xls, xml, yml, zip, aiff, aspx, docx, epub, json, mpeg, pptx, xlsx, and yaml.
GoldenJackal is an Advanced Persistent Threat (APT) group that has silently operated for years. Since 2019, this covert group has strategically focused on stealth, maintaining a low profile, and being selective with their targets to reduce the chances of detection.
GoldenJackal’s primary motivations center around espionage, as indicated by their use of data exfiltration and credential dumping tools. Their methods of attack include spear-phishing campaigns involving malicious documents and trojanized ‘Skype for Business’ installers.
A defining trait of GoldenJackal is their use of .NET malware, malicious software constructed with the .NET framework. Their .NET-based toolset includes ‘JackalControl,’ ‘JackalSteal,’ ‘JackalWorm,’ ‘JacklPerInfo,’ and ‘JackalScreenWatcher.’ Each component serves a different purpose: gaining control over infected systems, stealing sensitive data, moving laterally across networks, capturing screenshots, and spreading malware via USB drives.
Any powerful tool, even a software framework developed for legitimate purposes like .NET, can be repurposed for malicious intent. GoldenJackal’s tactics underline this, using a mainstream framework to create a covert arsenal of digital weapons.
Acreto’s robust solutions can be leveraged to address and counteract the threats posed by the Advanced Persistent Threat (APT) group, GoldenJackal. Here’s how:
Firstly, GoldenJackal has been methodically targeting government and diplomatic entities across Asia favoring stealth and a low profile. This matches perfectly with Acreto’s Ecosystems solution:
Ecosystems can be set up to provide a dedicated security infrastructure per application, use-case, or even a particular third-party, inherently limiting access only to those necessary, thereby drastically reducing the chances of unwanted intrusions. With its global functionality, the Ecosystems solution could safeguard the targeted entities regardless of their geographical location.
The primary tactics used by GoldenJackal include spear-phishing campaigns, malicious documents, and trojanized ‘Skype for Business’ installers. This highlights the need for secure communication channels. Acreto’s Ecosystems can eliminate the Internet Attack Surface, blocking all access from the Internet while ensuring secure communication between authorized systems.
Acreto provides Micro-Segmentation and Nano-Segmentation to isolate individual or groups of systems on a shared network, preventing lateral movement of threats.
To combat GoldenJackal’s .NET malware toolset, the ‘Jackal’ series, Acreto’s Encrypted Secure Scan can decrypt, scan, and re-encrypt communications in real-time. If any malicious content is detected in the encrypted payload, it is blocked, neutralizing threats like the ‘Jackal’ series before they can inflict damage.
With Access Control, Acreto can provide an additional layer of security. For instance, the Identity with MFA control can ensure only authorized users gain access to the Ecosystem, significantly lowering the chances of credential dumping, a method often used by GoldenJackal.
GoldenJackal’s modus operandi also includes controlling infected systems. Acreto’s solutions can counteract this by isolating data flows between Ecosystem members, limiting access only to specified sources and destinations, which would help keep the systems secure.
Acreto’s Event Tracking & Management and Threat Prevention capabilities can provide constant vigilance against the stealthy operations of GoldenJackal. By identifying and mitigating known threats and performing Zero-Day Behavioral Analysis, Acreto can help ensure that any unusual activity is promptly detected and addressed.
The main feature of this group is a specific toolset of .NET malware, JackalControl, JackalWorm, JackalSteal, JackalPerInfo and JackalScreenWatcher intended to:
Control victim machines
Spread across systems using removable drives
Exfiltrate certain files from the infected system
Steal credentials
Collect information about the local system
Collect information about users’ web activities
Take screen captures of the desktop
JackalControl
This is a Trojan that allows the attackers to remotely control the target machine through a set of predefined and supported commands. These are received via an HTTPS communication channel facilitated between the malware and the C2 servers, and can instruct the implant to conduct any of the following operations:
Execute an arbitrary program with provided arguments
Download arbitrary files to the local file system
Upload arbitrary files from the local file system
JackalSteal
This tool can be used to monitor removable USB drives, remote shares, and all logical drives in the targeted system. The malware can work as a standard process or as a service. It cannot maintain persistence, so it must be installed by another component.
JackalWorm
This worm was developed to spread and infect systems using removable USB drives. The program was designed as a flexible tool that can be used to infect systems with any malware.
JackalPerInfo
This malware was developed to collect information about the compromised system, as well as a specific set of files that could potentially be used to retrieve stored credentials and the user’s web activities. The attacker named it “perinfo”, a contraction of the program’s main class name PersonalInfoContainer.
JackalScreenWatcher
This tool is used to collect screenshots of the victim’s desktop and send the pictures to a remote, hard-coded C2 server:
hxxps://tahaherbal[.]ir/wp-includes/class-wp-http-iwr-client.php
This specific webpage was also used as a C2 for the JackalSteal component, indicating that the tools are probably part of a unique framework.
About Acreto
Acreto delivers full-stack cybersecurity without products, logistics or significant security expertise. It creates and consolidates the best of cybersecurity into a single plug-and-play platform with automated updates to stay ahead of threats. Acreto activates enterprise-grade security instantly, so organizations can run safely, easily, and without interruption.
Resurfacing again in the world of cybercrime, the notorious FIN7 group has grabbed attention by shifting tactics. Previously focused on stealing payment card data, the group’s recent switch to ransomware deployment presents a new strategy: extortion. A constant player in the cybercrime arena since 2012, the group has now started deploying Cl0p ransomware, marking a new era of attacks.
Their tactics may have changed; however, their motive remains the same – financial gain. They are exclusively targeting businesses and organizations.
The Cl0p ransomware functions by first stealing, then encrypting the victim’s files, rendering them inaccessible. The attackers then demand a ransom in exchange for the decryption key necessary to regain access to the files.
A few victims who did not pay found their information posted on the CL0P^_- LEAKS data leak site, hosted on the dark web.
Tracked under the label ‘Sangria Tempest’ by Microsoft’s Threat Intelligence team, FIN7 has been targeting a broad spectrum of organizations. These span technology, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, and utilities.
In the latest series of attacks, FIN7 has leveraged the POWERTRASH PowerShell script to deploy the Lizar post-exploitation tool. This tactic has allowed them to establish a foothold within target networks. They then use OpenSSH and Impacket to move laterally and deploy the Cl0p ransomware.
FIN7’s recent activities suggest an escalation raising the stakes to a more destructive path forward.
Acreto offers a comprehensive approach to addressing the threats posed by ransomware groups like FIN7.
Micro-Segmentation and Nano-Segmentation
These processes isolate individual or groups of systems on a shared network, limiting access only to systems that need to interoperate together. This directly counters the lateral movement tactics used by FIN7, as unauthorized systems won’t have access to the network, thereby limiting the potential spread of ransomware.
Isolated Data Flows
Isolated data flows limit access to specified sources and destinations, network protocols, and application programs. This mechanism prevents threat actors from communicating with their command and control servers, a necessary step in most ransomware attacks.
Encrypted Secure Scan
The Encrypted Secure Scan decrypts, scans, and re-encrypts communications in real-time, protecting encrypted communications often exploited by attackers. This function can potentially detect and block the transmission of ransomware before it infiltrates the system.
Identity with MFA (Multi-Factor Authentication)
This security measure ensures only authorized users can gain access, reducing the likelihood of unauthorized access through stolen credentials – a common initial step in ransomware attacks.
Application Protocol and Application Program Control
These controls can restrict the use of certain software or tools within the network, such as those used by threat actors to deploy ransomware.
Threat Prevention Mechanisms
Threat Signature and Zero-Day Behavioral Analysis, both integral to Acreto’s platform, help detect and mitigate known threats, as well as identify new or unknown threats based on behavioral indications. This would include detecting ransomware based on its behavior and blocking it before it can execute.
Acreto ensures that systems interact only with what they need to and that malicious agents can’t easily propagate through the network. This, combined with real-time encrypted scanning and robust threat detection, offers a comprehensive solution against ransomware attacks.
Contact Acreto today for more information or to evaluate Ecosystem security for your organization.
Ecosystems deliver a dedicated security infrastructure that can be deployed per application, use-case, project or third-party. An Ecosystem inherently limits access only to users, devices, systems and applications that need to interoperate together.
Ecosystems support any technology, on any network, anywhere in the world. These include computers, mobile devices, IoTs, Offices, Clouds, SaaS and Data Centers.
Ecosystems can be configured as:
Open → With inbound or outbound access from or to the Internet or a third-party
Closed → Fully contained with access limited to Ecosystem members
Hybrid → Where some systems have inbound or outbound Internet access while others operate fully contained.
Eliminate the Internet Attack Surface
Eliminates any and all access from the Internet while Ecosystem members can interoperate with authorized systems and applications.
Eliminate the Internal Attack Surface
Ecosystems can easily isolate individual or groups of systems on a shared network or entire networks, to limit access only to systems that need to interoperate together. This is done with:
Micro-Segmentation
Segmenting groups of systems on any shared network, including hostile networks or the entire network.
Nano-Segmentation
Isolating an individual system, device or application to limit access only to other authorized Ecosystem members.
Isolated Data Flows
Isolated data flows can be defined between two Ecosystem members to limit access to specified sources and destinations, network protocols and ports, application protocols as well as application programs.
Secure Scan addresses a key weakness in many security tools today. 90%+ of all communications are encrypted, yet only 10% of organizations have the means to secure these communications. Encrypted Secure Scan decrypts, scans, and re-encrypts communications inline and in real-time.
Any malicious content embedded in the encrypted payload is blocked, otherwise the clean and validated communication is delivered to its final destination.
Identity with MFA
User
Authorizes access to the Ecosystem by a user’s identity, including MFA, as authenticated by the organization’s Directory Services such as Active Directory or LDAP, as well as third-party Identity Service Providers such as Okta, Ping, Duo, and CloudJump among others.
Device
Assigns a unique identity to each device, so that a device that does not rely on a user to operate, such as an autonomous application or IoT device, can be validated as allowed to join the Ecosystem.
Network Protocol / Port
Control the network protocol (TCP, UDP, ICMP) and Port (1-65535) any Ecosystem member can use to communicate with any other Ecosystem member or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.
Application Protocol
Control the application protocol (HTTP, DNS, SMTP, SMB, etc…) any Ecosystem member can use to communicate with any other Ecosystem members or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.
Application Program
Control the application program (MS-Exchange, Oracle, Facebook, GMail, etc…) any Ecosystem member can use to communicate with any other Ecosystem members or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.
Content Category
Control communication based on content categories such as Adult, Gambling, Politics, Malware sites among 90+ category options.
File Type Upload / Download Controls
Control upload / download of files by type such as .EXE, PDF, XLS, DOC, SCR, and MSI among hundreds of options.
Data Leak Prevention
Prevent data leaks by identifying and mitigating the upload or download of sensitive data such as:
Credit Cards Upload / Download Controls
Social Security Number Upload / Download Controls
RegEx Pattern Upload / Download Controls
After verification of network protocol, port, application protocol and application program, a deep inspection is performed on all communications. The effectiveness of this method is amplified by inline Encrypted Secure Scan. Threat prevention capabilities utilize two key methods:
Threat Signature
Identifies and mitigates known bad exploits, malware, botnets and ransomware.
Zero-Day Behavioral Analysis
Looks for behavioral indication of threats based on how system functions react to the payload, immediately and over time.
Acreto Ecosystems are very easy to provision and deploy. There are no hardware dependencies or associated logistics.
Provisioning an Ecosystem takes 3-5 minutes. Simply give the Ecosystem a unique name, choose the desired bandwidth, and within a few minutes your Ecosystem, providing a dedicated security infrastructure, is ready.
Depending on your connection options for Ecosystem members, deployment can take between 10 minutes and a few hours.
Acreto Ecosystems utilize a sustainable model without any dependency on products and their associated logistics. There are no more updates, upgrades or technology refreshes.
Change Management
Different Ecosystems operate completely independently from one-another. Therefore, change management impacts only members of a specified Ecosystem, not the entire organization. This simplifies the traditionally complex change management process.
Policy Management
Policy management also benefits from Ecosystems. Because Ecosystems are specific to a customer scenario such as an application, use-case, project or third-party, all policies apply to the scenario. Moreover, when it’s time for policy cleanup, when an application or use-case is retired, disabling or deleting the Ecosystem automatically prunes the policies. This has traditionally been a complex task that is at best inaccurate.
Utilization of Cl0p Ransomware
Cl0p (aka Clop) is a type of ransomware used by the FIN7 group. It is malware that encrypts files on a computer system, rendering them inaccessible until a ransom is paid.
Use of the PowerShell Script POWERTRASH
POWERTRASH is a PowerShell script used by the group to load the Lizar post-exploitation tool. This allows the group to gain a foothold in the target network.
Loading of Lizar Post-Exploitation Tool
After the POWERTRASH script is used, the Lizar post-exploitation tool is loaded. This tool gives the group greater access to the compromised system.
Lateral Movement with OpenSSH and Impacket
Once inside the network, the group uses OpenSSH and Impacket to move laterally, spreading their reach within the network to access other systems or segments.
Deployment of Cl0p Ransomware
Once the desired systems are accessed, the group deploys Cl0p ransomware. This encrypts the data on the systems, making it inaccessible until a ransom is paid.
Use of Various Ransomware Families
Aside from Cl0p, FIN7 has been linked to other ransomware families such as Black Basta, DarkSide, REvil, LockBit, Maze, and Ryuk.
Exploitation of Software Vulnerabilities
The group has also been reported to exploit software vulnerabilities to gain initial access to systems. One example is the high-severity flaw in Veeam Backup & Replication software (CVE-2023-27532) that they exploited.
Pivot from Data Theft to Extortion
Historically known for stealing payment card data, FIN7 has shifted its strategy towards extortion, specifically via ransomware attacks.
Creation of Fake Security Companies
As part of their tactics, the group sets up fake security companies, such as Combi Security and Bastion Secure, to recruit employees for conducting ransomware attacks and other operations.
In an at-best questionable move, the “Don’t Be Evil” company, Google, has done something evil. Google has created new security risks by releasing eight new top-level domains (TLDs), including .zip and .mov. Security experts are rebuking Google for introducing new attack vectors that scammers are actively exploiting.
TLDs are the final segment in a URL (such as .com, .org, .net, etc.), and they were initially designed to classify the purpose or geographic region of a given domain.
The .zip extension is commonly used in archive files that employ the zip compression format. Similarly, the .mov format appears at the end of video files, particularly those created in Apple’s QuickTime format. The concern arises from the automatic conversion of these TLDs into clickable links when displayed in emails, on social media, or elsewhere.
Security experts warn that these new TLDs cause confusion when displayed in emails or on social media, as many sites and software automatically convert strings into clickable URLs. Scammers will exploit this to trick people into clicking on malicious links.
A scam could involve the scammer registering a domain such as photos.zip and setting up a website to serve malicious content. Unsuspecting users might click on the link, thinking they are accessing a photo archive from a trusted source, only to be redirected to a scammer’s website.
This has already been illustrated when a .zip TLD was used to create a malicious URL that closely mimics a legitimate one. Spacing is added to deactivate the link.
h t t p s : // github . com ∕ kubernetes∕kubernetes∕archive∕refs∕tags∕@v1271.zip
and
h t t p s : // github . com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip
Everything between “https://” and the @ symbol in a domain name is treated as user information, while everything after the @ symbol is treated as the hostname.
Scammers are sure to exploit these new TLDs to deliver malicious content leading to successful phishing, system breaches, and unauthorized access to sensitive data. The release of .zip and .mov TLDs is creating yet another attack vector that will confuse already vulnerable users.
Through precise file type upload and download controls, Acreto can effectively block the transfer of files that could be potential vehicles for cyber threats. By doing so, it minimizes the chance of malicious files reaching your systems in the first place. This is particularly relevant in the context of the .zip and .mov TLDs, where scammers could exploit these file types to deliver harmful content.
By blocking potentially harmful file transfers, Acreto ensures that your digital environment remains secure, without impeding your legitimate business operations. This safety measure, combined with Acreto’s comprehensive suite of security solutions, presents a formidable shield against the potential threats posed by the evolving TLD landscape.
Google has introduced new TLDs, including .zip and .mov.
These extensions are problematic because they are commonly associated with specific file types (.zip for compressed files, .mov for QuickTime video files), which could lead to confusion.
Much software automatically converts strings into clickable URLs when they are displayed in emails or on social media.
Scammers can use this feature to trick users into clicking malicious links disguised as regular file downloads.
An attacker could register a domain like ‘photos.zip’ and host malicious content there. Users might think they’re clicking on a compressed photo file when they’re actually being redirected to a dangerous website.
Technical Aspects of Exploitation
The exploitation relies on the automated transformation of strings with new TLDs into clickable links by many email or social media platforms.
The attack vector is based on the confusion between file types and these new TLDs.
The malicious process could involve a multi-step attack, from registering the scam domain to crafting a deceptive email or post, to hosting and serving malicious content.
The scammer could also use the @ operator and Unicode characters that resemble slashes in URLs to make malicious URLs appear more legitimate.
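The following Python script is an added example, not code from the original post or from Acreto: it applies the rule from the github.com comparison above (everything before the last @ is userinfo, the real host follows it) together with the @ operator and slash look-alike point just listed, and flags any auto-linkable string whose effective host ends in .zip or .mov. The sample message, the look-alike character table and the naive auto-linker regex are constructed assumptions for illustration.

```python
"""Defensive link triage for the .zip/.mov TLD confusion and the userinfo ('@')
trick.  Added example, not code from the original post.  For each string that a
mail client or social platform would auto-link, it reports the host a browser
would actually connect to, whether a userinfo component is present, whether slash
look-alike characters are used, and whether the effective host ends in a TLD that
doubles as a file extension."""
import re
from dataclasses import dataclass, field

# TLDs that collide with common file extensions; .zip and .mov are the two named in the post.
FILE_EXTENSION_TLDS = {"zip", "mov"}

# Characters that render like "/" but are not "/" to a URL parser (assumed table).
SLASH_LOOKALIKES = {
    "\u2215": "DIVISION SLASH",
    "\u2044": "FRACTION SLASH",
    "\u29f8": "BIG SOLIDUS",
    "\uff0f": "FULLWIDTH SOLIDUS",
}

# Constructed sample message (not from the post): one bare file-like name and one
# deceptive link built the same way as the post's github.com example.
SAMPLE_MESSAGE = (
    "Hi team, the vacation pictures are in photos.zip and the release is at "
    "https://github.com\u2215kubernetes\u2215kubernetes\u2215archive\u2215refs\u2215tags\u2215@v1271.zip"
)


@dataclass
class LinkVerdict:
    raw: str
    effective_host: str
    has_userinfo: bool
    lookalike_slashes: list = field(default_factory=list)
    file_extension_tld: bool = False
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def _authority(url: str) -> str:
    """Return the authority part of a URL.  Only ASCII '/', '?' and '#' terminate
    it, which is why a U+2215 look-alike keeps 'github.com' inside the authority."""
    i = url.find("://")
    rest = url[i + 3:] if i != -1 else url
    end = len(rest)
    for terminator in "/?#":
        j = rest.find(terminator)
        if j != -1:
            end = min(end, j)
    return rest[:end]


def analyze_link(text: str) -> LinkVerdict:
    """Classify one auto-linkable string.  IPv6 literals are out of scope here."""
    url = text.strip()
    authority = _authority(url)
    # RFC 3986: userinfo is everything before the LAST '@'; the host follows it.
    userinfo, at, hostport = authority.rpartition("@")
    host = hostport.split(":", 1)[0].lower().rstrip(".")
    verdict = LinkVerdict(raw=text, effective_host=host, has_userinfo=bool(at))
    if at:
        verdict.reasons.append(f"userinfo '{userinfo}' precedes the real host '{host}'")
    for ch in url:
        name = SLASH_LOOKALIKES.get(ch)
        if name and name not in verdict.lookalike_slashes:
            verdict.lookalike_slashes.append(name)
    if verdict.lookalike_slashes:
        verdict.reasons.append("slash look-alikes: " + ", ".join(verdict.lookalike_slashes))
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    if tld in FILE_EXTENSION_TLDS:
        verdict.file_extension_tld = True
        verdict.reasons.append(f"host ends in file-extension TLD .{tld}")
    return verdict


# Mimics a naive auto-linker: anything with an explicit scheme, or a bare name
# ending in .zip/.mov that a reader would take for a filename.
_LINK_RE = re.compile(
    r"https?://[^\s<>\"']+"
    r"|(?<![\w./@-])[\w-]+(?:\.[\w-]+)*\.(?:zip|mov)\b",
    re.IGNORECASE,
)


def find_link_candidates(text: str) -> list:
    """Return the substrings an auto-linker would turn into clickable links."""
    return [m.group(0).rstrip(".,;:)") for m in _LINK_RE.finditer(text)]


def triage(text: str) -> list:
    """Analyze every link candidate in a message and return only the suspicious ones."""
    return [v for v in (analyze_link(c) for c in find_link_candidates(text)) if v.suspicious]


if __name__ == "__main__":
    for v in triage(SAMPLE_MESSAGE):
        print(f"{v.raw!r}\n  -> connects to {v.effective_host!r}; " + "; ".join(v.reasons))
```

Note that the legitimate release URL ending in v1.27.1.zip is not flagged, because the check is on the effective host rather than on the last characters of the string.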
There are severe new vulnerabilities in CISCO switches that enable remote code execution on the affected devices.
These vulnerabilities have been given extremely high severity ratings with CVSS base scores of 9.8/10. Successful exploitation enables unauthenticated attackers to execute arbitrary code with root privileges on compromised devices.
The vulnerabilities (CVE-2023-20159, CVE-2023-20160, CVE-2023-20161, and CVE-2023-20189) are caused by improper validation of requests sent to the targeted switches’ web interfaces. Attackers can exploit these vulnerabilities by sending specially crafted requests through the devices’ web-based user interfaces.
Cisco has released patches for some software versions, but not all devices can be patched. End-of-life devices remain vulnerable. The following end-of-life series of switches DO NOT have patches and remain vulnerable:
Small Business 200 Series Smart Switches
Small Business 300 Series Managed Switches
Small Business 500 Series Stackable Managed Switches
The availability of proof-of-concept exploit code for these vulnerabilities significantly raises the concern of motivated threat actors developing their own exploits to target vulnerable devices.
Even if the CISCO switches have entered the end-of-life process and are no longer receiving patches from the manufacturer, Acreto’s security measures can still be applied to protect CISCO devices.
By isolating the vulnerable devices’ management interface within an Ecosystem, Acreto effectively limits access to only those systems that need to interoperate, preventing unauthorized access and reducing the risk of exploitation.
The micro-segmentation and nano-segmentation capabilities offered by Acreto enable the isolation of individual devices or groups of devices on shared networks, further enhancing security. With isolated data flows, organizations can define specific communication paths and access controls, ensuring that interactions with vulnerable devices are restricted to authorized sources and destinations.
Acreto’s Encrypted Secure Scan provides inline decryption, scanning, and re-encryption of communications, even for encrypted traffic. This ensures that any malicious content embedded in the encrypted payload is blocked, safeguarding vulnerable devices against potential attacks.
By implementing access controls based on user identity, device identity, network protocols, ports, and application protocols, Acreto enables organizations to maintain granular control over communication flows involving the end-of-life CISCO switches. This helps to prevent unauthorized code execution and unauthorized access to these devices.
Acreto’s comprehensive security solution through Ecosystems can provide robust protection for both patched and unpatched CISCO devices, allowing organizations to mitigate the risks associated with vulnerabilities in CISCO Series Switches that have reached the end-of-life processes.
Cybersecurity researchers have uncovered new vulnerabilities in widely used Linux components, posing a significant risk to critical infrastructure and sensitive data. These vulnerabilities have been identified as frequent targets for malicious cyber actors and have been active since as far back as 2010.
One of the vulnerabilities affects Red Hat Polkit, an essential toolkit responsible for managing the policy between privileged and unprivileged processes. This vulnerability enables attackers to bypass credential checks, leading to privilege escalation. With this exploit, unauthorized individuals can gain higher privileges, potentially compromising system security and accessing sensitive information.
Another vulnerability has been discovered within the Linux Kernel itself. This vulnerability introduces a race condition, making the behavior of the program susceptible to manipulation by attackers. By altering the timing or order of operations, malicious actors can launch denial-of-service attacks, corrupt data, or even escalate their privileges within the system.
The Reliable Datagram Sockets (RDS) protocol implementation in the Linux Kernel is also affected by a vulnerability. Because of improper input validation, local users can exploit this flaw to gain elevated privileges. This means that unauthorized users within the system can potentially acquire higher privileges than intended, compromising the security and confidentiality of sensitive data.
Acreto can effectively address these Linux-related vulnerabilities.
CVE-2021-3560: Acreto’s Ecosystems can address this vulnerability by providing micro-segmentation and nano-segmentation capabilities. Ecosystems can easily isolate individuals or groups of systems, limiting access only to systems that need to interoperate together. By segmenting the Linux systems and implementing access controls based on the principle of least privilege, Acreto can help prevent unauthorized bypassing of credential checks and mitigate privilege escalation.
CVE-2014-0196: To address this vulnerability in the Linux Kernel, Acreto’s Ecosystems provide isolated data flows between systems. By defining isolated data flows between vulnerable systems and other authorized Ecosystem members, Acreto can limit access to specific sources, destinations, network protocols, ports, and application protocols. This can help prevent local users from exploiting the race condition vulnerability and gaining elevated privileges.
CVE-2010-3904: For the vulnerability in the Linux Kernel’s RDS protocol implementation, by segmenting the Linux systems and defining isolated data flows, Acreto can limit access to the RDS protocol and prevent local users from exploiting the improper input validation vulnerability, thus mitigating the risk of elevated privileges.
Ecosystems deliver a dedicated security infrastructure that can be deployed per application, use-case, project or third-party. An Ecosystem inherently limits access only to users, devices, systems and applications that need to interoperate together.
Ecosystems support any technology, on any network, anywhere in the world. These include computers, mobile devices, IoTs, Offices, Clouds, SaaS and Data Centers.
Ecosystems can be configured as:
Open → With inbound or outbound access from or to the Internet or a third-party
Closed → Fully contained with access limited to Ecosystem members
Hybrid → Where some systems have inbound or outbound Internet access while others operate fully contained.
Eliminate the Internet Attack Surface
Eliminates any and all access from the Internet while Ecosystem members can interoperate with authorized systems and applications.
Eliminate the Internal Attack Surface
Ecosystems can easily isolate individual systems, groups of systems on a shared network, or entire networks, to limit access only to systems that need to interoperate together. This is done with:
Micro-Segmentation
Segmenting groups of systems on any shared network, including hostile networks, or the entire network.
Nano-Segmentation
Isolating an individual system, device or application to limit access only to other authorized Ecosystem members.
Isolated Data Flows
Isolated data flows can be defined between two Ecosystem members to limit access to specified sources and destinations, network protocols and ports, application protocols as well as application programs.
Secure Scan addresses a key weakness in many security tools today. 90%+ of all communications are encrypted, yet only 10% of organizations have the means to secure these communications. Encrypted Secure Scan decrypts, scans, and re-encrypts communications inline and in real-time.
Any malicious content embedded in the encrypted payload is blocked, while the clean and validated communication is delivered to its final destination.
Identity with MFA
User
Authorizes access to the Ecosystem by a user's identity, including MFA, as authenticated by the organization's Directory Services such as Active Directory or LDAP, as well as third-party Identity Service Providers such as Okta, Ping, Duo, and CloudJump among others.
Device
Assigns a unique identity to each device, so that a device that does not rely on a user to operate, such as an autonomous application or IoT device, can be validated before it is allowed to join the Ecosystem.
Network Protocol / Port
Control the network protocol (TCP, UDP, ICMP) and Port (1-65535) any Ecosystem member can use to communicate with any other Ecosystem member or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.
Application Protocol
Control the application protocol (HTTP, DNS, SMTP, SMB, etc…) any Ecosystem member can use to communicate with any other Ecosystem member or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.
Application Program
Control the application program (MS-Exchange, Oracle, Facebook, GMail, etc…) any Ecosystem member can use to communicate with any other Ecosystem member or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.
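The layered verification described above under Isolated Data Flows and the per-layer controls (and the threat-signature inspection that only runs after every layer has passed) can be modelled as a default-deny policy check. The following is an added example, not Acreto's code: the Ecosystem, Flow and DataFlow classes, the member names and the EICAR-based signature table are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:  # one observed connection attempt (constructed model)
    src: str         # user, device or IP identity of the initiator
    dst: str
    proto: str       # network protocol: TCP / UDP / ICMP
    port: int        # 1-65535
    app_proto: str   # application protocol: HTTP, DNS, SMB, ...
    app: str         # application program: MS-Exchange, Oracle, ...
    payload: bytes = b""

@dataclass(frozen=True)
class DataFlow:  # an isolated data flow permitted between two members
    src: str
    dst: str
    proto: str
    ports: frozenset
    app_proto: str
    app: str

# Constructed stand-in for the Threat Signature engine: the harmless EICAR test marker.
SIGNATURES = {b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE": "eicar-test"}
class Ecosystem:
    def __init__(self, members, flows, closed=True):
        self.members, self.flows, self.closed = set(members), list(flows), closed
    def evaluate(self, f):
        """Return (allowed, reason). Anything not explicitly permitted is denied."""
        if f.src not in self.members:
            return False, "deny: source is not an Ecosystem member"
        if self.closed and f.dst not in self.members:
            return False, "deny: closed Ecosystem, destination is not a member"
        for r in self.flows:
            if (r.src, r.dst) != (f.src, f.dst):
                continue
            # Layered verification in the order the page lists it.
            checks = (("network protocol", r.proto == f.proto),
                      ("port", f.port in r.ports),
                      ("application protocol", r.app_proto == f.app_proto),
                      ("application program", r.app == f.app))
            for layer, ok in checks:
                if not ok:
                    return False, f"deny: {layer} not permitted for this data flow"
            # Deep inspection runs only after every layer has been verified.
            for sig, name in SIGNATURES.items():
                if sig in f.payload:
                    return False, f"deny: threat signature {name}"
            return True, "allow"
        return False, "deny: no isolated data flow between these members"
```

A closed Ecosystem refuses any destination outside its membership before the flow rules are even consulted; an open one still permits only the flows that were explicitly defined.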
Content Category
Control communication based on content categories such as Adult, Gambling, Politics, Malware sites among 90+ category options.
File Type Upload / Download Controls
Control upload/download of files by type, such as .EXE, PDF, XLS, DOC, SCR, and MSI, among hundreds of options.
Data Leak Prevention
Prevent data leaks by identifying and mitigating the upload or download of sensitive data such as:
Credit Cards Upload / Download Controls
Social Security Number Upload / Download Controls
RegEx Pattern Upload / Download Controls
CVE-2021-3560 – Red Hat Polkit: Red Hat Polkit, an application-level toolkit for managing the policy between privileged and unprivileged processes, has an incorrect authorization vulnerability. Attackers can bypass credential checks for D-Bus requests, leading to privilege escalation.
CVE-2014-0196 – Linux Kernel: The Linux Kernel is susceptible to a race condition vulnerability within the n_tty_write function. Local users can exploit this flaw to cause denial-of-service or gain elevated privileges through read and write operations involving long strings.
CVE-2010-3904 – Linux Kernel: The Linux Kernel’s Reliable Datagram Sockets (RDS) protocol implementation contains an improper input validation vulnerability. Local users can exploit this flaw by crafting the sendmsg and recvmsg system calls, gaining elevated privileges.
For more details on these CVEs, visit the MITRE CVE list (mitre.org).