WebProNews

Tag: palo alto networks

  • Companies Race to Fix Critical Zero-Day Vulnerability


    Companies around the world are racing to patch a critical zero-day vulnerability that security researchers rank among the worst ever found.

    Cybersecurity experts and government officials began warning on Friday of a critical bug in Log4j, the Apache Software Foundation’s widely used Java logging library; the flaw is tracked as CVE-2021-44228 and has been nicknamed Log4Shell. As news of the vulnerability spread, the list of affected companies grew to include some of the largest in the world.

    Palo Alto Networks reported that iCloud, Twitter, Amazon, Baidu and Minecraft were among those affected, to name just a few. Worse, the vulnerability is already being exploited in the wild, putting many companies at immediate risk.

    The director of the Cybersecurity & Infrastructure Security Agency (CISA) issued a statement outlining the seriousness of the vulnerability.

    “We are taking urgent action to drive mitigation of this vulnerability and detect any associated threat activity. We have added this vulnerability to our catalog of known exploited vulnerabilities, which compels federal civilian agencies — and signals to non-federal partners — to urgently patch or remediate this vulnerability. We are proactively reaching out to entities whose networks may be vulnerable and are leveraging our scanning and intrusion detection tools to help government and industry partners identify exposure to or exploitation of the vulnerability. 

    To be clear, this vulnerability poses a severe risk. We will only minimize potential impacts through collaborative efforts between government and the private sector. We urge all organizations to join us in this essential effort and take action.” 

    Cybersecurity experts are echoing CISA’s assessment of the danger, calling the vulnerability a major issue for the tech and cybersecurity community.

    Dr. Richard Ford, CTO of cybersecurity research firm Praetorian, told WebProNews that the Log4j vulnerability is even worse than other widely reported vulnerabilities.

    “Praetorian researchers weaponized the vulnerability within hours and have a fully working exploit that we can use in the field,” said Dr. Richard Ford. “As background, Praetorian is an Austin-based cybersecurity solutions company that helps solve complex cybersecurity problems across critical enterprise assets and product portfolios. Their combination of software and security expertise puts them at the forefront of vulnerabilities such as this. Earlier this year, Praetorian was at the forefront of another critical vulnerability, ProxyLogon. The company says, as critical as ProxyLogon was to resolve, it had a much smaller potential impact than Log4j.

    “The company’s engineers and researchers have been working since last night in a war room to scan its customers and are finding vulnerabilities in the field. Worse yet, we’re also inadvertently discovering the vulnerability in third parties who are on adjacent or integrated systems. Naturally, we are following responsible disclosure policies so cannot call out these systems by name, but it is one of the largest exposures we have seen at Internet scale. All vulnerabilities are typically scored by how dangerous they are: this vulnerability has practically the highest score possible, and it seems likely that even some professionals are unaware of its potential impact. The situation is rapidly evolving, and we are learning a great deal about the scope and impact of this vulnerability as we quickly work with customers to help mitigate the risk in the short term while they work on a long term solution, which will require patching all instances of the vulnerable code – a process which could take months.”

    Because of Log4j’s widespread use, experts expect companies to keep coming under attack in the coming days even as mitigation efforts get under way.

    “This vulnerability feels similar to Shellshock, first identified in 2014, and still observed by GreyNoise,” Andrew Morris, Founder and CEO of cybersecurity firm GreyNoise, told WebProNews. “Due to ease of exploitation and prevalence of Log4j, GreyNoise researchers believe that this activity will continue to increase over the next few days.”
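    Praetorian’s point that the long-term fix means patching every instance of the vulnerable code implies a first practical step: an inventory of log4j-core archives. The scanner below is an added example written for this page, not tooling from Praetorian, Palo Alto Networks or the article. It walks a directory tree, reads the version from each jar’s embedded Maven metadata (falling back to the file name), looks one level inside WAR/EAR files where application servers bundle libraries, and classifies each copy. The version threshold (2.15.0) and the JndiLookup.class stop-gap are taken from Apache’s advisory for CVE-2021-44228, not from this article; the fixture jars it scans are constructed in a temporary directory.

```python
"""Find log4j-core JARs on disk and classify each against CVE-2021-44228.
Added example; not code from the article, Praetorian or Palo Alto Networks."""
import io
import os
import re
import shutil
import tempfile
import zipfile
from pathlib import Path

# Facts from the Apache Log4j advisory, not from the article: 2.15.0 was the
# first release that fixed CVE-2021-44228, and the documented stop-gap for
# older 2.x builds was deleting JndiLookup.class from the jar.
FIRST_FIXED = (2, 15, 0)
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = {".jar", ".war", ".ear"}


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); pre-release suffixes such as 2.0-beta9 are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(g or 0) for g in m.groups()) if m else None


def core_version(jar, label):
    """Prefer the Maven metadata the build embeds; fall back to the file name."""
    try:
        props = jar.read(POM_PROPS).decode("utf-8", "replace")
        m = re.search(r"^version=(.+)$", props, re.M)
        if m:
            return parse_version(m.group(1).strip())
    except KeyError:  # no pom.properties in this jar
        pass
    m = re.search(r"log4j-core-(\d[\w.-]*)\.jar$", label)
    return parse_version(m.group(1)) if m else None


def assess(jar, label):
    """Classify one open archive; None if it is not log4j-core at all."""
    names = set(jar.namelist())
    if POM_PROPS not in names and "log4j-core" not in os.path.basename(label):
        return None
    version, has_jndi = core_version(jar, label), JNDI_CLASS in names
    if version is None:
        verdict = "unknown-version"
    elif version[0] != 2:
        verdict = "not-log4j2"            # 1.x is end-of-life, tracked separately
    elif version >= FIRST_FIXED:
        verdict = "patched"
    elif has_jndi:
        verdict = "VULNERABLE"
    else:
        verdict = "mitigated-jndilookup-removed"
    return {"path": label, "version": version, "jndi_lookup": has_jndi, "verdict": verdict}


def scan(root):
    """Walk a tree; also look one level inside WAR/EAR/fat jars, where app
    servers and shaded builds usually hide log4j-core."""
    findings = []
    for p in Path(root).rglob("*"):
        if not (p.is_file() and p.suffix.lower() in ARCHIVES):
            continue
        with zipfile.ZipFile(p) as outer:
            hit = assess(outer, str(p))
            if hit:
                findings.append(hit)
            for name in outer.namelist():
                if name.endswith(".jar") and "log4j-core" in name:
                    with zipfile.ZipFile(io.BytesIO(outer.read(name))) as inner:
                        hit = assess(inner, f"{p}!{name}")
                        if hit:
                            findings.append(hit)
    return findings


def make_jar(version, with_jndi, dest=None):
    """Constructed fixture: a minimal jar carrying log4j-core's Maven metadata."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    if dest is not None:
        Path(dest).write_bytes(buf.getvalue())
    return buf.getvalue()


def demo():
    """Build four constructed jars in a temp dir, scan, return {name: verdict}."""
    tmp = Path(tempfile.mkdtemp())
    try:
        (tmp / "lib").mkdir()
        make_jar("2.14.1", True, tmp / "lib" / "log4j-core-2.14.1.jar")
        make_jar("2.17.1", True, tmp / "lib" / "log4j-core-2.17.1.jar")
        make_jar("2.10.0", False, tmp / "lib" / "log4j-core-2.10.0.jar")  # class stripped
        with zipfile.ZipFile(tmp / "app.war", "w") as war:
            war.writestr("WEB-INF/lib/log4j-core-2.13.3.jar", make_jar("2.13.3", True))
        return {os.path.basename(f["path"]): f["verdict"] for f in scan(tmp)}
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{verdict:34} {name}")
```

    Run as a script it prints one verdict per archive found. The "patched" threshold is deliberately the first fix; raising FIRST_FIXED to (2, 17, 1) also catches the follow-on Log4j CVEs Apache fixed in 2.16.0, 2.17.0 and 2.17.1. Shaded or renamed jars that drop the Maven metadata and the log4j-core file name will not be recognised, so a clean result is a starting point for the inventory, not a clearance.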

  • 96% of Third-Party Cloud Container Apps Have Known Vulnerabilities


    A whopping 96% of third-party cloud container apps have known vulnerabilities, highlighting ongoing cloud security challenges.

    Cloud computing is often touted as more secure than traditional options. Unfortunately, this is only true if all parties involved make security a prime objective.

    According to Palo Alto Networks’ Unit 42 team, some 96% of third-party container apps have known vulnerabilities. In addition, 63% of third-party code templates contain insecure configurations.

    The news is especially concerning given the rise of supply chain attacks. Attackers are increasingly targeting widely used third-party software, services, containers and plugins: compromising a single vendor whose product is used by thousands of customers can have a far greater impact than compromising any one of those customers directly.

    Unit 42 highlights the danger of supply chain cloud attacks:

    In most supply chain attacks, an attacker compromises a vendor and inserts malicious code in software used by customers. Cloud infrastructure can fall prey to a similar approach in which unvetted third-party code could introduce security flaws and give attackers access to sensitive data in the cloud environment. Additionally, unless organizations verify sources, third-party code can come from anyone, including an Advanced Persistent Threat (APT).

    Organizations that want to stay secure must start making DevOps security a priority:

    Teams continue to neglect DevOps security, due in part to lack of attention to supply chain threats. Cloud native applications have a long chain of dependencies, and those dependencies have dependencies of their own. DevOps and security teams need to gain visibility into the bill of materials in every cloud workload in order to evaluate risk at every stage of the dependency chain and establish guardrails.
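    Unit 42’s recommendation to trace the bill of materials through every stage of the dependency chain is straightforward to mechanize once an SBOM exists. The script below is an added example for this page, not Unit 42’s code: it walks a constructed CycloneDX-shaped SBOM from the workload’s root component, reports every chain that ends in a component matched by an advisory, and lists components that carry no hash and therefore cannot be checked against a vendor release (the “verify sources” point above). The SBOM, its dependency edges, the EXAMPLE-0001 advisory and the placeholder digests are invented for illustration; the log4j-core entry uses the real CVE-2021-44228 fix version.

```python
"""Walk a dependency graph from an SBOM and report every chain that ends in a
component with a known advisory, plus components whose provenance cannot be
verified.  Added example; the SBOM and the advisory list are constructed."""
import re
from collections import deque

SHA = "0" * 64  # constructed placeholder digest

# Constructed SBOM in the shape of CycloneDX JSON (bom-ref/purl, components,
# dependencies adjacency).  logging-shim deliberately carries no hash.
SBOM = {
    "metadata": {"component": {"bom-ref": "pkg:oci/payments-api@1.4.0"}},
    "components": [
        {"bom-ref": "pkg:oci/payments-api@1.4.0", "name": "payments-api",
         "version": "1.4.0", "hashes": [{"alg": "SHA-256", "content": SHA}]},
        {"bom-ref": "pkg:maven/org.example/web-framework@3.2.0", "name": "web-framework",
         "version": "3.2.0", "hashes": [{"alg": "SHA-256", "content": SHA}]},
        {"bom-ref": "pkg:maven/org.example/logging-shim@1.1.0", "name": "logging-shim",
         "version": "1.1.0"},
        {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
         "name": "log4j-core", "version": "2.14.1",
         "hashes": [{"alg": "SHA-256", "content": SHA}]},
        {"bom-ref": "pkg:deb/debian/openssl@1.1.1k-1", "name": "openssl",
         "version": "1.1.1k-1", "hashes": [{"alg": "SHA-256", "content": SHA}]},
    ],
    "dependencies": [
        {"ref": "pkg:oci/payments-api@1.4.0",
         "dependsOn": ["pkg:maven/org.example/web-framework@3.2.0",
                       "pkg:deb/debian/openssl@1.1.1k-1"]},
        {"ref": "pkg:maven/org.example/web-framework@3.2.0",
         "dependsOn": ["pkg:maven/org.example/logging-shim@1.1.0"]},
        {"ref": "pkg:maven/org.example/logging-shim@1.1.0",
         "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"]},
    ],
}

# Advisory feed.  The log4j-core entry is the real CVE-2021-44228 fix version;
# EXAMPLE-0001 is invented for illustration.
ADVISORIES = [
    {"id": "CVE-2021-44228", "name": "log4j-core", "fixed_in": "2.15.0"},
    {"id": "EXAMPLE-0001", "name": "web-framework", "fixed_in": "3.3.0"},
]


def parse_version(text):
    """Numeric-tuple comparison: enough for the example, not a full
    semver or Debian version implementation."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def matching_advisories(component, advisories):
    """Advisory ids whose fixed_in version is newer than this component."""
    v = parse_version(component["version"])
    return [a["id"] for a in advisories
            if a["name"] == component["name"] and v < parse_version(a["fixed_in"])]


def vulnerable_chains(sbom, advisories):
    """Breadth-first walk from the root component.  Returns a list of
    (chain-of-names, advisory-ids); a library reachable two ways is reported
    once per chain, since each is a separate thing to pin or exclude."""
    comps = {c["bom-ref"]: c for c in sbom["components"]}
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom["dependencies"]}
    root = sbom["metadata"]["component"]["bom-ref"]
    out = []
    queue = deque([[root]])
    while queue:
        chain = queue.popleft()
        hits = matching_advisories(comps[chain[-1]], advisories)
        if hits:
            out.append(([comps[r]["name"] for r in chain], hits))
        for child in graph.get(chain[-1], []):
            if child not in chain:        # cycle guard
                queue.append(chain + [child])
    return out


def unverified_components(sbom):
    """Components with no hash cannot be matched against the vendor's release
    artifact, so their source is effectively unvetted."""
    return [c["name"] for c in sbom["components"] if not c.get("hashes")]


def summary(sbom=SBOM, advisories=ADVISORIES):
    """{component name: (depth from root, [advisory ids])}."""
    return {chain[-1]: (len(chain) - 1, hits)
            for chain, hits in vulnerable_chains(sbom, advisories)}


if __name__ == "__main__":
    for chain, hits in vulnerable_chains(SBOM, ADVISORIES):
        print(" -> ".join(chain), ":", ", ".join(hits))
    print("unverified:", unverified_components(SBOM))
```

    Depth matters operationally: a hit at depth 1 is a direct dependency the team can bump in its own manifest, while the depth-3 log4j-core hit arrives through a shim inside a framework, which is the transitive case Unit 42 describes and usually means pinning or excluding the version until the upstream ships a release.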

  • Microsoft Warns Customers of Major Azure Security Issue


    Microsoft is warning affected customers of a flaw in Azure Container Instances (ACI) that could have allowed one customer to access other customers’ information.

    It’s been a bad few weeks for Microsoft on the security front. Research firm Wiz recently disclosed a flaw in Azure’s Cosmos DB, dubbed ChaosDB, that could allow an attacker to access other users’ databases.

    Now Palo Alto Networks has reported a second flaw, this one allowing a malicious user to gain access to other customers’ information in the ACI service, according to Microsoft. The company says it has already fixed the vulnerability and has notified affected customers. In its notice, Microsoft wrote:

    There is no indication any customer data was accessed due to this vulnerability. Out of an abundance of caution, notifications were sent to customers potentially affected by the researcher activities, advising them to revoke any privileged credentials that were deployed to the platform before August 31, 2021.

    If you did not receive a Service Health Notification, no action is required. The vulnerability is fixed and our investigation surfaced no unauthorized access in other clusters. If you are unsure whether your subscription or organization has received a notification, please contact Azure Support. If you have any concerns, rotating privileged credentials is a good periodic security practice and would be an effective precautionary measure.

    As the second-largest cloud provider, Microsoft had better get a handle on its security issues before it starts losing customer confidence.

  • AWS Network Firewall Unveiled to Help Protect VPCs


    AWS has unveiled the AWS Network Firewall in an effort to help customers protect their cloud-based virtual networks.

    AWS is currently the top cloud platform, with 31% of the cloud computing market. One of AWS’ biggest strengths is the breadth and depth of services the platform offers.

    The company is building on that with its latest announcement, AWS Network Firewall, “a high availability, managed network firewall service” for virtual private clouds (VPC). The new service complements the other firewall capabilities AWS currently provides, such as “Security Groups to protect Amazon Elastic Compute Cloud (EC2) instances, Network ACLs to protect Amazon Virtual Private Cloud (VPC) subnets, AWS Web Application Firewall (WAF) to protect web applications running on Amazon CloudFront, Application Load Balancer (ALB) or Amazon API Gateway, and AWS Shield to protect against Distributed Denial of Service (DDoS) attacks.”

    AWS Network Firewall can be set up with just a few clicks, and the company touts its ability to scale as needed, eliminating the need to manage additional firewall infrastructure.

    “With AWS Network Firewall, you can implement customized rules to prevent your VPCs from accessing unauthorized domains, to block thousands of known-bad IP addresses, or identify malicious activity using signature-based detection,” writes Channy Yun, Principal Developer Advocate at AWS. “AWS Network Firewall makes firewall activity visible in real-time via CloudWatch metrics and offers increased visibility of network traffic by sending logs to S3, CloudWatch and Kinesis Firehose. Network Firewall is integrated with AWS Firewall Manager, giving customers who use AWS Organizations a single place to enable and monitor firewall activity across all your VPCs and AWS accounts. Network Firewall is interoperable with your existing security ecosystem, including AWS partners such as CrowdStrike, Palo Alto Networks, and Splunk. You can also import existing rules from community maintained Suricata rulesets.”

    The service is a welcome addition to AWS’ security offerings and gives customers another layer of control over traffic entering and leaving their VPCs.

  • Google Cloud Releases New Security Tools


    Google used RSA Conference to announce new security tools aimed at helping secure customers’ data and cloud services.

    The first new feature is related to Chronicle, the Alphabet-backed cybersecurity company that has since been folded into Google Cloud. Chronicle’s security analytics software helped “change the way any business could quickly, efficiently, and affordably investigate alerts and threats in their organization.” Google says the new feature is designed to help companies “detect threats using YARA-L, a new rules language built specifically for modern threats and behaviors, including types described in MITRE ATT&CK. This advanced threat detection provides massively scalable, real-time and retroactive rule execution.”

    Google is also “introducing Chronicle’s intelligent data fusion, a combination of a new data model and the ability to automatically link multiple events into a single timeline. Palo Alto Networks, with Cortex XSOAR, is our first partner to integrate with this new data structure to enable even more powerful threat response.”

    The company has also announced the general availability of its reCAPTCHA Enterprise and Web Risk tools. reCAPTCHA Enterprise helps protect websites from unauthorized scraping, automated account creation and more, while the Web Risk API lets companies check URLs against Google’s list of malicious sites.

    The announcement comes as Google is working hard to build its cloud business, trying to make headway against rivals Microsoft and Amazon, and will likely help the company as it works to attract new enterprise clients.

  • Modified Malware Hijacking WiFi Routers, Killing Competing Malware


    Another day, another malware attack. ZDNet is reporting that a modified version of Gafgyt is targeting WiFi routers in a rather aggressive fashion.

    The malware in question has a long history of targeting known vulnerabilities in popular home and small-office routers. Once compromised, the routers become part of a botnet used in distributed denial of service (DDoS) attacks-for-hire. The latest version has been updated to target three router families: the Huawei HG532, devices based on the Realtek RTL81xx chipset, and the Zyxel P660HN-T1A.

    Because Gafgyt’s purpose is to build a botnet powerful enough to generate income through paid attacks, the malware’s creators have programmed it to seek and destroy competing malware on any devices it infects.

    Researchers at Palo Alto Networks have been studying the malware and provided ZDNet with more information about how it works.

    “The authors of this malware want to make sure their strain is the only one controlling a compromised device and maximizing the device’s resources when launching attacks,” said Asher Davila, security researcher at the Palo Alto Networks Unit 42 research division.

    “As a result, it is programmed to kill other botnet malware it finds, like JenX, on a given device so that it has the device’s full resources dedicated to its attack.”

    Because most of the vulnerable routers are relatively old by technology standards, most trouble can be avoided by upgrading to a newer model or, at the very least, updating the router’s firmware.

    “In general, users can stay safe against botnets by getting in the habit of updating their routers, installing the latest patches and implementing strong, unguessable passwords,” Davila explained.

    “The more frequent the better, but perhaps for simplicity, consider timing router updates around daylight saving time, so at least you’re updating twice a year.”

  • How Palo Alto Networks Blocks 30,000 New Pieces of Malware Daily Via AI, Machine Learning, and Big Data


    “The platform we have uses big data analytics and machine learning in the cloud to process and find all of the unknown malware, make it known and be able to block it,” says Scott Stevens, SVP, Global Systems Engineering at Palo Alto Networks. “We find 20-30 thousand brand new pieces of malware every day. We’re analyzing millions and millions of files every day to figure out which ones are malicious. Once we know, within five minutes we’re updating the security posture for all of our connected security devices globally.”

    Scott Stevens, SVP, Global Systems Engineering at Palo Alto Networks, discusses how the company uses AI, machine learning, and big data to find and block malware for its customers in an interview with Jeff Frick of theCUBE, which is covering RSA Conference 2019 in San Francisco:

    We Find 20-30 Thousand New Pieces of Malware Every Day

    There are two ways to think about artificial intelligence, machine learning, and big data analytics. The first is if we’re looking at how are we dealing with malware and finding unknown malware and blocking it, we’ve been doing that for years. The platform we have uses big data analytics and machine learning in the cloud to process and find all of the unknown malware, make it known and be able to block it.

    We find 20-30 thousand brand new pieces of malware every day. We’re analyzing millions and millions of files every day to figure out which ones are malicious. Once we know, within five minutes we’re updating the security posture for all of our connected security devices globally.

    Whether it’s endpoint software or it’s our inline next gen firewalls, we’re updating all of our signatures so that the unknown is now known and the known can be blocked. That’s whether we’re watching to block the malware coming in or the command-and-control that it’s using via DNS and URL to communicate and start whatever it’s going to do. You mentioned crypto lockers and there are all kinds of things that can happen. That’s one vector of using AI and ML to prevent the ability for these attacks to succeed.

    Machine Learning Uses Data Lake to Discover Malware

    The other side of it is how do we then take some of the knowledge and the lessons we’ve learned for what we’ve been doing now for many years in discovering malware and apply that same AI and ML locally to that customer so that they can detect very creative and evasive attacks, or that insider threat, the employee who’s behaving inappropriately but quietly.

    We’ve announced over the last week what we call the Cortex XDR set of offerings. That involves allowing the customer to build an aggregated data lake which uses the Zero Trust framework, which tells us how to segment and also puts sensors in all the places of the network. This includes both network sensors and endpoint sensors, as we look at security on the endpoint as well as the network links. Using those together we’re able to stitch those logs together in a data lake that machine learning can now be applied to on a customer-by-customer basis.

    Maybe somebody was able to evade because they’re very creative or that insider threat again who isn’t breaking security rules but they’re being evasive. We can now find them through machine learning. The cool thing about Zero Trust is the prevention architecture that we needed for Zero Trust becomes the sensor architecture for this machine learning engine. You get dual purpose use out of the architecture of Zero Trust to solve both the in-line prevention and the response architecture that you need.


    >> Read a companion piece to this article here:

    Zero Trust Focuses On the Data That’s Key to Your Business

  • Zero Trust Focuses On the Data That’s Key to Your Business


    “The fundamental way you look at Zero Trust is it’s an architectural approach to how do you secure your network focused on what’s most important,” says Scott Stevens, SVP, Global Systems Engineering at Palo Alto Networks. “You focus on the data that’s key to your business. You build your security framework from the data out.”

    Scott Stevens, SVP, Global Systems Engineering at Palo Alto Networks, discusses Zero Trust in an interview with Jeff Frick of theCUBE, which is covering RSA Conference 2019 in San Francisco:

    Zero Trust Focuses On the Data That’s Key to Your Business

    We’ve been working with Forrester for about six years now looking at Zero Trust architecture. The fundamental way you look at Zero Trust is it’s an architectural approach to how do you secure your network focused on what’s most important. You focus on the data that’s key to your business. You build your security framework from the data out. There are all kinds of buzzword bingo we can play about what Zero Trust means, but what it allows us to do is to create the right segmentation strategy starting in the data center or the cloud and moving back towards those accessing the data and how you segment and control that traffic.

    Fundamentally what we’re dealing with in security are two big problems that we have. First are credential based attacks. Do we have somebody with stolen credentials in the network stealing our data? Or do we have an insider who has credentials but they’re malicious, where they’re actually stealing content from the company? The second big problem is software based attacks: malware, exploits, scripts. How do we segment the network where we can enforce user behavior and we can watch for malicious software so we can prevent both of those occurrences through one architectural framework? I think Zero Trust gives us that template building block on how we build out those networks because everybody’s enterprise network is a little bit different.

    You Need To Start With What’s Most Important.

    We have to build those things together. On the Palo Alto Networks side what we do is Layer 7 enforcement based on identity. Based on who the user is and what their rights are we are able to control what they are allowed access to or what they’re not allowed access to. Of course, if you’ve got a malicious insider or somebody that’s logged in with stolen credentials we can prevent them from doing what they’re not allowed to do. Working here with Forescout, we’ve done a lot of really good integration with them on that identity mapping construct. They help us understand all the identities and all the devices in the network so we can then map that to that user posture and control at Layer 7 what they’re allowed to do or not allowed to do.

    You need to start with what’s most important. Clouds and data centers as a starting point are generally the same. How we segment is actually the same. Sometimes we think that clouds are more difficult to secure than data centers, but they are basically the same. We’ve got north-south traffic, we have east-west traffic. How do we inspect and how do we segment that? How do we focus on what’s the most important critical data to their business? If we stratify their data sets and their applications that access that data and then move down, we may have 50 percent of the applications in their cloud or data center that we don’t micro segment at all because they’re not critical to the business. They’re useful to the employees, but if something goes wrong it’s no big deal and there’s no impact to the business.

    Micro segmentation isn’t just a conversation of where we have to do things but it’s a conversation contextually in terms of what’s relevant and where is it important to do that and then where do you do a much less robust job? You always have to have inspection and visibility, but there are parts of your network where you’re going to be somewhat passive about it and there are parts of your network that you are going to be very aggressive. These include multi-factor authentication, tight user identity mapping, how do we watch for malware, how do we watch for exploits, all of the different aspects.


    >> Read a companion piece to this article here:

    How Palo Alto Networks Blocks 30,000 New Pieces of Malware Daily Via AI, Machine Learning, and Big Data

  • Facebook Accounts For 80% Social Media Traffic World-wide

    What type of social media site dominates a culture can say a lot about the site, about the people who use it, or both. Without drawing any sweeping conclusions from its data, Palo Alto Networks has looked at traffic it collected at the end of last year to see who is using which social media site, and where.

    Palo Alto has already shown that social media use at work is rising sharply, but what’s intriguing is that despite 54% of businesses saying they don’t allow access to social networking sites at work, the bandwidth businesses use for web mail and social networking has increased 500% since 2010. It seems that businesses either have flexible definitions of what counts as work-related social networking, or they just don’t want to set a precedent that outright states, “Hey, you can work here but feel free to use Facebook all you want.”

    Breaking down the social media traffic for countries around the world, Palo Alto found some telling statistics in its data. One that sticks out, perhaps for its obviousness, is that Asian markets such as Korea and China “have more usage of other social networking apps in the enterprise than Facebook.”

    Another fun take-away from Palo Alto’s report: French people use social networking games and plug-ins 50% more heavily than the global average. I guess that preoccupation explains why they couldn’t participate in Wikipedia’s SOPA protest earlier this month.

    For a full visualization of the findings from Palo Alto about how social media was used in the workplace this past year, check out the video below:

  • Twitter Activity At Work Up 700% In Past 14 Months

    Take one guess what your coworker next to you is doing right now. If you guessed that they’re putzing around on Twitter, you’re probably right.

    New research conducted by Palo Alto Networks, the network security company, reveals tremendous growth in use of social networks on corporate networks (i.e., at work) over the past year and a half. In fact, there has been a 300% increase in active social networking (this includes posting updates, app use, etc.) compared with the activity during the same period of time back in the latter half of 2010.

    While overall use of social networks might have increased threefold, here’s why you can probably assume your coworker is using Twitter instead of working: Twitter browsing at work alone grew by more than 700% in the past fourteen months. Palo Alto reports that since October 2010, out of the entire percentage of bandwidth consumed by social media activity at work, the portion of bandwidth consumed by Twitter increased from 3% to 21% (as of December 2011). The report goes on to explain the boom:

    One explanation is the changes Twitter made to the application itself, allowing users to attach files and pictures to their 140 character missives. Another more meaningful reason, outside of its use as a social networking application for individuals, is that businesses are using it as a public relations, recruiting, and marketing tool.

    But it’s not like people aren’t working while they’re Twittering. Palo Alto continues:

    Another reason is that Twitter has become a powerful tool that enables organizations, grass-roots or otherwise, to deliver their message to the masses quickly, effectively and repeatedly. There were examples where Twitter and other social networking applications significantly influenced the volume of news about, and visibility of, a particular world-news event.

    And in case any of you bosses out there are worried about what percent of total bandwidth consumption is taken up by the use of social networks, the combined bandwidth used by the 71 applications included in this study only consumed 1% of total bandwidth.

    So don’t worry, bosses – we’re still working.

    Palo Alto included the following infographic to illustrate some of the other findings from their study.