Aug 31, 2018

Alternative Download For HP Proliant SPP

Is it just me or should hardware manufacturers make their drivers easy to download regardless of support contracts? I've been a loyal HP server user for years, but just recently something really chapped my ass! I went to download the latest Service Pack for Proliant (SPP) so I could install drivers on an older Proliant system and couldn't! Why? Because I didn't have a current support contract with HP!

I've also been a loyal Lenovo user for years. Guess what? I can download their System Update tool fine! No need to have some bullshit login for it! In the past I could always download HP's SmartStart CDs without a login. Why now all of a sudden is there a change?

Now you're probably just saying, why not buy a support contract? Well, I already have full hardware support from our aftermarket reseller Curvature at a fraction of the cost of HP's support. I don't feel the need to pay extra for roughly the same level of support. The only drawback, at least for HP, is that I can't get tools like SPP!

Well, I found a good Samaritan that is making the downloads for the SPP available for free! At the time of this writing the March and June 2018 versions of SPP are available here.

Hurry up and grab them before they are gone!

Aug 28, 2018

End of an Era: Coleman University is Out of Business



This is a real shame. I myself am a Coleman alumnus. I just heard the news while interviewing someone for my company's open Systems Administrator position in San Diego.

Via Fox 5:
Coleman University -- a private college that's operated in San Diego since 1963 -- is closing at the end of the current term, school leadership announced Thursday.
"To all our very fine students, staff, and faculty, I am personally sorry that we have to close Coleman University," President & CEO Norbert J. Kubilus said.
In a letter to students, faculty and staff obtained by FOX 5, Kubilus said that Coleman learned in late June that they had lost a bid for accreditation from the Western Association of Colleges and Universities Senior College and University Commission, putting the school in a financial bind.


Aug 27, 2018

Shadow Admins: What Are They and How Can You Defeat Them?

Managing something you don’t even know exists in your network is always a challenge. This is why the problem of stealthy or shadow admins needs to be acknowledged by security officers. After all, it only takes compromising a single account with elevated privileges to put the security of an entire company in jeopardy.

So, who are these shadow admins and what strategies may help you combat the threats they pose? Keep on reading to find answers to these questions.

Shadow admins: what are they?

When we talk about shadow or stealthy admins, we mean accounts that have been delegated admin-level privileges in Active Directory, usually through a direct permission assignment. This is why these shadow admins can also be called delegated admins.

In general, there are four main groups of privileged accounts:

  • Domain admins
  • Local admins
  • Application/services admins
  • Business privileged accounts

Any of these categories may contain both legitimate and shadow administrative accounts. However, while legitimate privileged accounts are easy to identify, stealthy admins are not members of any of the default administrative groups in Active Directory and therefore can’t be found so easily. As a result, many organizations simply don’t take delegated admins into account when looking for privileged users in Active Directory.

Ignoring delegated admins is not an option, though. These accounts can have unrestricted control over legitimate Active Directory admin accounts and may be able to:

  • change passwords for privileged accounts
  • change permissions on the existing admin groups or accounts
  • add new accounts to the existing administrative groups
  • create new admin groups in Active Directory, and so on.

Therefore, a successful attack on just one delegated admin account can have consequences just as devastating as the compromise of a legitimate privileged account.

Let’s take a closer look at the main risks posed by shadow admins.

Top risks posed by unmanaged admin accounts


The presence of stealthy administrators in your network creates a variety of problems, including:

  • Cybersecurity risks
  • Financial risks

Unmanaged privileged accounts are like a Christmas gift for attackers. Since they are often not covered by an organization’s cybersecurity policy, they can be easier to compromise while still giving attackers unrestricted access to your company’s critical data.

With the increased risk of data leakage, the presence of shadow admins in the network creates additional financial risks for the company, not to mention that news about the loss of valuable, sensitive data can cause severe damage to the company’s reputation.

In April 2017, for instance, Oracle’s Solaris operating platform was targeted by hackers using shadow admins to get into the system. In particular, there were two malicious programs discovered (EXTREMEPARR and EBBISLAND) that were able to elevate the rights of existing users to the administrative level. Thus, they turned regular users into shadow admins with remote root access to platform networks.

The only way to mitigate risks posed by such accounts is by identifying all shadow admins within your network and managing them effectively. In the next section, we talk about the ways you can find and manage all administrative accounts in your company’s network.

Best practices for detecting and managing shadow admins

As of today, there are two ways you can detect delegated admins in your network and mitigate the risks they pose:

  • By analyzing Access Control Lists (ACLs) on Active Directory
  • By building an effective privileged access management strategy

ACL analysis. When trying to identify all of the privileged accounts present in your company’s network, look for tools that scan ACLs and analyze effective permissions rather than an account’s presence in a particular Active Directory group. That way you can find even the accounts that were delegated additional privileges without being added to any of the admin groups in Active Directory.

Once they are identified, make sure that only legitimate administrators (such as members of the Domain Admins group) are granted such critical privileges as Replicating Directory Changes All, Reset Password, or Full Control.
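The following script is an added example, not code from the original post or from any product it mentions. It does the ACL check described above by hand: it reads the ACL of an Active Directory object with the RSAT ActiveDirectory module and lists every principal that holds one of the rights named in the post (Replicating Directory Changes / Changes All, Reset Password, Full Control) or a right that trivially leads to Full Control (WriteDacl, WriteOwner) without being on an allowlist of expected holders. The extended-right GUIDs are the schema-defined values that are the same in every forest; the allowlist, the account names and the objects to scan are assumptions for your environment.

```powershell
# Added example (not from the original post): list ACEs on an AD object that grant
# critical rights to principals outside the expected admin groups.
# Requires the RSAT ActiveDirectory module on a domain-joined host.
Import-Module ActiveDirectory

# Well-known extended-right GUIDs (schema-defined, identical in every forest)
$SensitiveExtendedRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'
}

# Principals expected to hold these rights (assumed list; add entries only after
# you have reviewed why a group needs the right, e.g. a backup service group)
$ExpectedHolders = @('Domain Admins', 'Enterprise Admins', 'Administrators',
                     'Enterprise Domain Controllers', 'SYSTEM', 'SELF')

$R = [System.DirectoryServices.ActiveDirectoryRights]

function Test-Flag([System.DirectoryServices.ActiveDirectoryRights]$Rights,
                   [System.DirectoryServices.ActiveDirectoryRights]$Flag) {
    # True only when every bit of $Flag is set (GenericAll is a multi-bit mask,
    # so a plain -band test would misreport partial rights as Full Control)
    return (($Rights -band $Flag) -eq $Flag)
}

function Get-ShadowAdminAce {
    param(
        # Domain naming context by default. Run it as well against
        # "CN=AdminSDHolder,CN=System,<domain DN>" and any OU holding admin accounts.
        [string]$DistinguishedName = (Get-ADDomain).DistinguishedName
    )
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $principal = $ace.IdentityReference.Value        # e.g. CORP\helpdesk-l2
        $shortName = $principal.Split('\')[-1]
        if ($ExpectedHolders -contains $shortName) { continue }

        $rights = $ace.ActiveDirectoryRights
        $guid   = $ace.ObjectType.ToString()
        $found  = @()
        if (Test-Flag $rights $R::GenericAll) {
            $found += 'Full Control'
        } else {
            if (Test-Flag $rights $R::WriteDacl)  { $found += 'WriteDacl (can grant itself Full Control)' }
            if (Test-Flag $rights $R::WriteOwner) { $found += 'WriteOwner (can take ownership)' }
            if (Test-Flag $rights $R::ExtendedRight) {
                if ($guid -eq [guid]::Empty.ToString()) { $found += 'All extended rights' }
                elseif ($SensitiveExtendedRights.ContainsKey($guid)) { $found += $SensitiveExtendedRights[$guid] }
            }
        }
        if ($found.Count -gt 0) {
            [PSCustomObject]@{
                Object    = $DistinguishedName
                Principal = $principal
                Rights    = ($found -join ', ')
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Every row is a principal outside the expected list that holds a critical right;
# each one is a delegated admin to review, reduce or remove.
Get-ShadowAdminAce | Format-Table -AutoSize
```

Two caveats when reading the output: a right granted to a group applies to every nested member, so resolve group membership (Get-ADGroupMember -Recursive) before deciding whether a row is benign, and this check covers only the rights the post names; write access to individual attributes (for example the member attribute of an admin group) is a separate class of delegation that a full ACL scanner also reports.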

Privileged access management. Building a well-thought-out privileged access management strategy can also help you solve the problem of stealthy admins. Your cybersecurity strategy should include two measures:

  • Continuous monitoring and audit of the network
  • Effective management of privileged access to critical data and assets


Audit and monitoring are important for several reasons. First and foremost, they give you better visibility into the network: you learn who can access what. Secondly, all information gathered at this stage is essential for investigating security incidents, should any take place in your organization.

When monitoring your network, pay special attention to the following factors:

  • What accounts have elevated privileges and can access your company’s critical assets (who can access particular servers or domains, who can work with your company’s sensitive information)
  • What privileged accounts and elevated permissions were added just recently (to identify a possible attack in progress)
  • Whether there are any suspicious activities (a sudden use of a “dead” privileged account, an admin logging in from an unusual IP address, and so on)
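As an added example (not from the original post), the script below turns the three monitoring points above into a check you can run over domain controller Security events: a recent addition to a privileged group, a privileged account that has been silent for longer than a dormancy threshold suddenly logging on, and a privileged logon from outside the addresses admins normally use. The events, the last-seen baseline, the group list and the 10.10.50.0 jump-host subnet are constructed sample data so the script runs offline; on a real domain controller you would build the event list from Get-WinEvent and the baseline from Get-ADUser as noted in the comments.

```powershell
# Added example (not from the original post). Sample data below is constructed.
# On a real DC: $Events from
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4728,4732,4756,4624}
# (4728/4732/4756 = member added to a security group, 4624 = logon) and
# $LastSeen from Get-ADUser -Properties LastLogonDate for the privileged accounts.

$PrivilegedGroups     = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins')
$KnownAdminNetworks   = @('10.10.50.')   # assumed jump-host subnet; anything else is unusual
$DormantThresholdDays = 90
$Now = Get-Date '2018-08-27 09:00'       # fixed clock so the sample run is reproducible

# Baseline: last logon seen per privileged account (constructed)
$LastSeen = @{
    'CORP\jsmith'     = (Get-Date '2018-08-25 17:10')
    'CORP\svc_backup' = (Get-Date '2018-03-01 02:00')   # silent for about six months
}

# Constructed events; fields mirror the 4728-family (Actor added Account to Group)
# and 4624 (Account logged on from IpAddress)
$Events = @(
    [PSCustomObject]@{ Id=4728; Time=(Get-Date '2018-08-27 08:42'); Actor='CORP\jsmith'; Account='CORP\tmp-helpdesk'; Group='Domain Admins'; IpAddress=$null }
    [PSCustomObject]@{ Id=4624; Time=(Get-Date '2018-08-27 08:45'); Actor=$null; Account='CORP\tmp-helpdesk'; Group=$null; IpAddress='10.10.50.21' }
    [PSCustomObject]@{ Id=4624; Time=(Get-Date '2018-08-27 08:50'); Actor=$null; Account='CORP\svc_backup';   Group=$null; IpAddress='203.0.113.7' }
    [PSCustomObject]@{ Id=4624; Time=(Get-Date '2018-08-27 08:55'); Actor=$null; Account='CORP\jsmith';       Group=$null; IpAddress='10.10.50.12' }
    [PSCustomObject]@{ Id=4624; Time=(Get-Date '2018-08-27 08:57'); Actor=$null; Account='CORP\alice';        Group=$null; IpAddress='198.51.100.9' }  # not privileged, ignored
)

function Find-PrivilegedAccountAnomaly {
    param([object[]]$Events, [int]$RecentHours = 24)
    $findings = @()
    $newlyPrivileged = @{}   # accounts that gained admin rights inside the window
    foreach ($e in ($Events | Sort-Object Time)) {
        if ($e.Id -in 4728, 4732, 4756) {
            if ($PrivilegedGroups -contains $e.Group -and ($Now - $e.Time).TotalHours -le $RecentHours) {
                $newlyPrivileged[$e.Account] = $e.Time
                $findings += [PSCustomObject]@{ Severity='High'; Account=$e.Account; Time=$e.Time
                    Reason="added to '$($e.Group)' by $($e.Actor) within the last $RecentHours h" }
            }
        }
        elseif ($e.Id -eq 4624) {
            # Only privileged accounts are in scope: known baseline or newly added above
            if (-not ($LastSeen.ContainsKey($e.Account) -or $newlyPrivileged.ContainsKey($e.Account))) { continue }

            if ($LastSeen.ContainsKey($e.Account)) {
                $idleDays = ($e.Time - $LastSeen[$e.Account]).TotalDays
                if ($idleDays -gt $DormantThresholdDays) {
                    $findings += [PSCustomObject]@{ Severity='High'; Account=$e.Account; Time=$e.Time
                        Reason="dormant privileged account active again after $([int]$idleDays) days" }
                }
            }
            $fromKnown = $false
            foreach ($prefix in $KnownAdminNetworks) { if ($e.IpAddress -like "$prefix*") { $fromKnown = $true } }
            if (-not $fromKnown) {
                $findings += [PSCustomObject]@{ Severity='Medium'; Account=$e.Account; Time=$e.Time
                    Reason="privileged logon from unusual address $($e.IpAddress)" }
            }
            $LastSeen[$e.Account] = $e.Time   # advance the baseline as events are processed
        }
    }
    return $findings
}

Find-PrivilegedAccountAnomaly -Events $Events | Sort-Object Time | Format-Table -AutoSize
```

With the constructed data the run produces three findings: tmp-helpdesk being added to Domain Admins, and two for svc_backup (dormant account active, logon from 203.0.113.7). The tmp-helpdesk logon itself is not flagged because it came from the known admin subnet, which is exactly why the group-change finding matters: the logon alone would look normal.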


Ensuring an appropriate level of privileged access management is the second step in building an efficient cybersecurity strategy and combating shadow admins. Once you know who can access your company’s valuable data, you can take the necessary measures to either secure or remove these accounts. Consider implementing the least-privilege approach for all privileged accounts and assigning any elevated permissions only on an “as needed” basis.

When looking for an efficient solution to these problems, turn your attention to Ekran System. It’s a universal platform for monitoring, auditing, and managing both regular and privileged users. The platform gives you full visibility into your network and lets you take proactive measures to prevent privilege misuse at any level.

Conclusion

Delegated or shadow administrative accounts can pose a serious threat to an organization’s cybersecurity while they remain undiscovered. However, identifying stealthy admins isn’t enough: you need to manage them effectively to mitigate the cybersecurity and financial risks they pose. While ACL scanning works well for discovering accounts with elevated permissions, the only way to effectively manage and secure these accounts is by implementing an appropriate level of Privileged Access Management.

Aug 24, 2018

Sandbox-Evading Malware Are Coming: 7 Most Recent Attacks

Nowadays, anti-malware applications widely use sandbox technology to detect and block viruses. Unfortunately, criminals are developing new malware that can evade this technology: if such malware detects signs of a VM environment, it remains inactive until it is outside the sandbox. Experts predicted that in 2018 we would see an increasing number of cyber attacks performed with sandbox-evading malware. However, the epidemic actually started two years ago. Let's look at the most recent attacks that succeeded because modern security solutions weren't able to detect sandbox-evading malware.

1. Grobios

Since early March 2018, there have been cases of attacks performed with the RIG Exploit Kit that infect victims with a backdoor trojan called Grobios. This malware is packed with PECompact 2.xx, which allows it to evade static detection. Though the unpacked file has no functions, it uses hashing to obfuscate the names of the API functions it invokes, and it parses the PE header of DLL files to match a function name to its hash. In addition, the trojan performs a series of checks to become aware of its environment. In particular, it looks for virtual machine software like Hyper-V or VMware and for a username containing the words "malware", "sandbox", or "maltest", and it compares driver names against its blacklist of VM drivers.

2. GootKit

This banking trojan has attacked users, mainly in Europe, through spam sent via MailChimp since 2017. It steals bank customers' credentials and manipulates their online sessions. Before installation, the malware uses a dropper to become aware of its environment: the dropper looks for specific names in the Windows Registry and for virtual machine resources on disk. It also checks the device’s BIOS to discover whether a virtual machine client is installed and examines the machine’s MAC address. If the dropper doesn't find any signs of a sandbox, the payload is executed and the GootKit trojan carries out additional checks, such as looking for hard drives and CPU names that confirm a physical machine, and for virtual machine values.

3. ZeuS Panda

This is another banking trojan that uses environment-aware techniques to skip the sandbox. Its main goal is stealing users’ banking credentials and account numbers with a man-in-the-browser attack. To infect a targeted computer, it changes the browser’s security settings and warnings. After loading, the trojan checks for indicators of a sandbox environment, such as the presence of Sandboxie, ProcMon, the SoftICE debugger, and other tools. In 2018, ZeuS Panda targeted banks in Japan, Latin America, and the United States, as well as popular websites like YouTube, Facebook, and Amazon.

4. Heodo

Heodo is a banking trojan that was first detected in 2016 and was subsequently used in a 2017 attack against US bank clients. This malware infects victims through invoice emails from a known contact that contain an attached PDF file. After a user clicks on the attachment, the trojan is loaded. It uses a technology known as a crypter, which allows the malware to hide from the sandbox environment. Heodo embeds itself within software already installed on the infected computer and makes mutated copies of itself on the infected system.

5. QakBot Trojan

A massive attack with the QakBot trojan was detected in 2017, when the malware locked Active Directory users out of their company's domain by stealing user credentials. This malware infects victims with a dropper that uses delayed execution to evade the sandbox: it loads onto the targeted computer and waits 10 to 15 minutes before executing. Because antivirus sandboxes analyze newly loaded files only for a short period of time, the dropper remains undetected.

6. Kovter

This trojan was initially developed as police ransomware, but in 2017 it was detected as fileless malware that can easily bypass sandbox detection. It infects victims via a malspam email with an attachment that contains macros for Microsoft Office files or a .zip attachment that contains infected JavaScript files. By using the Windows registry, Kovter leaves the sandbox undetected. Victims are asked to pay a $1,500 ransom in Bitcoin.

7. Locky

Locky is a classic example of environment-aware malware; it was released in 2016. It was spread in an email campaign that contained an infected Microsoft Word document. The document held a malicious macro that saved and ran a binary file, which in turn downloaded the encryption trojan. This malware easily bypasses the sandbox because execution begins with a user interaction, such as starting the macro, and the VM environment doesn't perform any interactions with the infected document.

How to withstand sandbox-evading malware

As you can see, hackers apply different sandbox evasion techniques to make their viruses undetectable in the sandbox. After infecting the victimized computer, this malware tries to understand its environment by doing the following:

  • looking for signs of virtual machine (ZeuS Panda)
  • detecting system files (GootKit)
  • waiting for user interactions (Locky, Kovter, Heodo)
  • beginning its execution in a specified time (QakBot Trojan)
  • obfuscating the system data (Grobios)

Sandbox technology alone cannot detect environment-aware viruses and lets them through to harm your computer. Developers of security software should therefore turn to more advanced approaches to malware detection, based on customized sandbox environments, behavior analysis, machine learning, and others.

Conclusion

Sandbox-evading viruses are a new type of modern malware that can't be detected by traditional antivirus solutions. Computer users are now at high risk of becoming victims of cyber criminals as this malware spreads rapidly across the Web. While users should follow cybersecurity best practices, software developers should move quickly to implement the latest technologies to improve their anti-malware solutions.
