NEWS 5

Cradlepoint acquires Ericom Software for SASE capabilities


Ericsson (ticker ERIC) subsidiary Cradlepoint has acquired Ericom Software and its enterprise cloud security platform for an undisclosed amount. The acquisition is expected to strengthen Cradlepoint’s Secure Access Service Edge (SASE) framework and zero-trust offerings for hybrid 5G and wireline environments. Ericom’s agentless architecture delivers SASE capabilities for both users and devices, complementing Cradlepoint NetCloud Exchange with zero trust-based access for each.

Traditional security solutions generally rely on agents installed on the devices they protect. That approach does not cover IoT/IIoT devices or unmanaged devices connected to 5G/cellular networks, which cannot run an agent. A SASE and zero-trust policy is vital for the secure and reliable operation of IoT devices, whose rapidly growing number has made them a favorite target of bad actors.

“Enterprise adoption of 5G requires an innovative network security approach that minimizes the attack surface caused by IoT and IIoT device proliferation. In addition, it provides agentless identity-based secure access from ever-growing IoT/IIoT devices and users to private and SaaS applications,” said Cradlepoint SVP Manish Tiwari.

 


 

Cradlepoint Consultation

Having established many LTE networks worldwide, Ericsson is the world’s largest supplier of LTE technology. User demand for coverage, speed, and quality has grown manifold since the advent of the smartphone market and the subsequent use of mobile broadband. Additionally, network tuning and optimization are continuously needed to maintain superior performance as traffic grows. As a result, there is high demand among operators for Ericsson’s network coverage expansion and network upgrades for higher speeds and capacities.

5G system development is the company’s main focus. Digitizing industries and broadband will be possible only with the standardization of 5G. In conjunction with 5G deployment, technologies such as network slicing are expected to gain traction in IoT devices. Currently, Ericsson has 145 5G networks active across 63 countries.

 

Cradlepoint’s NetCloud Exchange

While Cradlepoint’s Netcloud Exchange platform focuses on private cellular networks and WAN security, the Ericom acquisition allows Cradlepoint to provide converged networking and security software. 

With the Ericom acquisition, Cradlepoint will be able to offer cellular-focused enterprise customers a converged networking and security stack. As a result, users and devices can be mobile across cellular networks and WANs with a unified platform offering asset visibility and segmentation.

Through Cradlepoint NetCloud Exchange (NCX), organizations can combine 5G performance, SD-WAN efficiency, Zero Trust Network Access (ZTNA), and VPNs into one WWAN solution.

Through integrating 5G, SD-WAN, and security, NetCloud Exchange on the Cradlepoint NetCloud platform facilitates growth and performance across the wide area network. What are the benefits of NetCloud Exchange for organizations?

 

  • 5G comes first

The NCX platform is designed to help organizations transform their business into a 5G enterprise. With this technology, vehicles, IoT devices, remote workers, and users at fixed and temporary locations can benefit from improved performance, lower latency, and network slicing capabilities.

  • Optimized QoE

The SD-WAN services offered by NCX are designed to optimize the flow of cellular and wired traffic for the highest quality of experience (QoE). To achieve high quality of service, traffic is optimized over both dual cellular connections and hybrid WAN connections.

  • A zero-trust foundation

ZTNA uses identity- and context-based parameters to restrict users from moving from one network to another. Simple security policies and authentication requirements keep bad actors out of the system, thereby reducing the attack surface.

  • Built for scale

The NCX architecture is designed for cellular scale through a “pay as you grow” model: whether an organization is onboarding a small fleet or expanding to tens of thousands of vehicles, sites, or things, WAN growth can be accommodated easily.

  • Simplified management

The combination of name-based routing, adaptive traffic management, and built-in traffic orchestration simplifies setup, monitoring, and troubleshooting for lean IT teams.

  • Unified WAN architecture

In contrast to multi-vendor solutions, NCX combines 5G, SD-WAN, and security into one WAN architecture that shares standard components, policies, and streamlined processes across all its supported services to offer a complete solution.

By acquiring Ericom, Cradlepoint is further extending the Netcloud Exchange architecture, making it possible to offer a unified 5G enterprise security stack with a secure private cellular network, secure wide area network, and secure web application to protect both devices and users, providing consistent policies regardless of whether they are connected to a 5G WAN or a private cellular network.

With the ZTEdge security service edge (SSE) platform, Ericom will provide Cradlepoint customers with security capabilities such as remote browser isolation (RBI), secure web gateway (SWG), cloud access security broker (CASB), virtual meeting isolation (VMI), web app isolation (WAI), and zero trust network access (ZTNA).

 

Ericom Global Cloud platform

Ericom solutions are delivered via the Ericom Global Cloud platform, which protects users, data, and applications so that remote and home-based workers and globally distributed teams can access the resources they need without added latency. A simple as-a-service model allows Cradlepoint to deliver these security capabilities through Ericom Global Cloud, which provides highly available, elastic cloud infrastructure that scales to demand.

In addition to being hosted by Tier 1 IaaS providers, it leverages multi-cloud infrastructure-as-code technologies. A geolocation service routes users to the closest cloud access point to minimize latency. As a result of auto-scaling and load balancing, high performance is ensured regardless of demand. New PoPs can be deployed in several days and are centrally managed and monitored.

Cradlepoint is now working on integrating Ericom capabilities with NetCloud Exchange to provide a 5G SASE stack as soon as possible.

 

new4

Fortinet’s new FortiOS 7.4 enhances SASE

 

FortiOS 7.4 release

A new FortiOS operating system update has been unveiled by Fortinet at Accelerate 2023, enhancing automation and internal integration across all its security products. In addition, by unifying management and analytics across Fortinet’s secure networking portfolio, the updated version reinforces Fortinet’s networking and security convergence vision.

 

FortiOS: Operating System

FortiOS is an operating system developed by Fortinet, a leading provider of network security solutions. 

  1. It is designed to provide comprehensive protection for your network by providing an integrated set of security technologies, such as a firewall, intrusion prevention, antivirus, antispam, and web filtering. 
  2. FortiOS offers a range of features to help secure your organization’s network. It provides a secure gateway to the internet, allowing only authorized traffic to pass through. 
  3. It also offers advanced firewall capabilities like application control, content filtering, and VPN. 
  4. In addition, it includes intrusion prevention, which detects malicious traffic and blocks it from entering the network. FortiOS also offers advanced malware protection and antispam capabilities to help keep your network safe from malicious code and spam.

The FortiOS security platform is part of Fortinet’s Security Fabric, which encompasses over 50 products across networks, endpoints, and clouds and pairs its software with Fortinet’s custom ASICs. Fortinet CMO and EVP of Product John Maddison claims the new FortiOS 7.4 offers better platform integration than version 7.2. It “enables more of this kind of come together work, so that the SD-WAN works with the SASE that works with the firewalls that work with zero trust, and it’s all working on our FortiOS platform.”

 


 

Back to Basics: SASE (Secure Access Service Edge)

Secure Access Service Edge (SASE) is a cloud-based security platform that provides organizations with secure, cloud-enabled access to corporate applications, data, and resources from any device, anytime, from any location.

SASE delivers a single platform that enables organizations to unify network and security services, including user authentication and authorization, data encryption, security policies, and threat protection, into a single, cloud-based service. With SASE, organizations can ensure users have secure access to corporate applications, data, and resources while maintaining compliance with security policies.

SASE utilizes a web proxy between the user’s device and the cloud-based applications and resources. This web proxy provides authentication, authorization, and encryption services to ensure only authorized users can access the applications and resources. It also allows organizations to enforce security policies and protect against threats. Additionally, SASE provides real-time analytics, enabling organizations to monitor user activity and detect threats.

Diagram: SASE explained (source: Fortinet).

 

What’s New in FortiOS 7.4

As part of FortiOS 7.4, new features enhance the Fabric’s ability to deliver unprecedented visibility and enforcement across hybrid environments. Additionally, AI-driven prevention, automation, and real-time response accelerate security operations.

FortiOS 7.4 enhances the Fortinet Security Fabric and provides:

  • Better prevention and early detection.
  • Real-time response.
  • Risk reduction for cyber-physical and industrial control systems.

As a result of FortiOS 7.4 and enhancements across our secure networking portfolio, which includes hybrid mesh firewalls, secure SD-WAN, SASE, Universal ZTNA, and secure LAN/WLAN solutions, IT leaders can unify management and leverage analytics across their entire hybrid network.

Through the Security Fabric, security teams can optimize security operations, automate response, and improve time to resolution against advanced persistent threats (APTs) such as weaponized AI attacks, ransomware, and targeted attacks. In addition, AI-powered threat intelligence, endpoint security, SOC automation, identity and access, and application security have all been enhanced.

With Fortinet’s Security Fabric for OT, IT and security teams gain new capabilities. Using the OT dashboard aligned with MITRE ATT&CK for ICS, teams can correlate and map security events to the Purdue model and use OT-specific threat analysis and playbooks to address threats proactively.

 

Key FortiOS 7.4 Enhancements

Secure Networking and Management

The innovations in Fortinet’s Secure Networking portfolio span FortiManager, the hybrid mesh firewall, secure SD-WAN, single-vendor SASE, Universal ZTNA, and secure WLAN/LAN.

Unified Management and Analytics Across Hybrid Networks:

With FortiManager, IT leaders get unified visibility and control over hybrid mesh firewalls, single-vendor SASE, Universal ZTNA, secure SD-WAN, and secure WLAN.

Hybrid Mesh Firewall for Data Center and Cloud:

Through ASIC technology and AI/ML-powered advanced security, FortiGate 7080F delivers higher performance than current next-generation firewalls (NGFWs). 

Secure SD-WAN for Branch Offices:

In addition to providing consistent security and a superior user experience for business-critical applications, Fortinet Secure SD-WAN supports a seamless transition to single-vendor SASE. Overlay orchestration has been automated to accelerate site deployments, and the monitoring map view has been redesigned to show WAN status globally.

Single-Vendor SASE for Remote Users and Branch Offices:

By combining cloud-based security and networking, FortiSASE simplifies hybrid network operations. In addition, the FortiManager integration with FortiSASE allows for unified policy management across SD-WAN, SASE, and remote users and unparalleled visibility. 

Diagram: FortiSASE (source: Fortinet).

 

Universal ZTNA for Remote Users and Campus Locations:

Fortinet Universal ZTNA provides unparalleled zero-trust application access control in the industry. In addition to continuous monitoring of application access, Universal ZTNA now offers user-based risk scoring.

WLAN/LAN for Branch Offices and Campus Locations:

FortiAP secure WLAN access points are now integrated with FortiSASE, marking the industry’s first AP integration with SASE. As a result, secure micro-branches can be deployed using an AP to send traffic to a FortiSASE solution, ensuring comprehensive security for all devices.

 

Security Automation and Real-time response

With Fortinet’s new real-time response and automation capabilities, SOC teams can protect against and reduce time to resolution for sophisticated attacks such as weaponized AI attacks, targeted ransomware, and criminal-sponsored APTs.

Endpoint Security and Early Response:

With FortiEDR and FortiXDR, customers can visualize incident data with enriched contextual information based on multiple threat intelligence feeds to simplify and expedite investigations.

Combined with pragmatic analysis and breach protection technology, FortiNDR Cloud has robust artificial intelligence. As part of the solution, network data is retained for 365 days, playbooks are built-in, and threat-hunting capabilities are available to detect abnormal or malicious behavior on the network. 

FortiGuard Labs offers a guided SaaS offering maintained by advanced threat experts or a self-contained, on-premises deployment powered by the Fortinet Virtual Security Analyst.

With the support of threat experts from FortiGuard Labs, FortiRecon now delivers enhanced proactive threat intelligence into the critical risks associated with supply chain vendors and partners, including externally exposed assets, leaked data, and ransomware attacks.

Vulnerability outbreak defense is now available in FortiDeceptor. As soon as FortiGuard Labs reports a vulnerability, it is automatically pushed as a feed to the outbreak decoy to redirect attackers to fake assets and quarantine the attack early in the kill chain. Moreover, a SOAR playbook can automatically create deception assets and strategically place them to gather granular intel and stop suspicious activity. In addition, FortiDeceptor offers a new attack exchange program, enabling users to exchange intel anonymously on current attacks and prevent breaches.

SOC Automation and Augmentation 

A new intuitive rules editor that can be mapped to MITRE ATT&CK use cases enhances FortiAnalyzer’s event correlation capabilities across multiple log sources.

With FortiSOAR, you can now subscribe to a turnkey service that includes machine learning-driven inline playbook recommendations, extensive OT security features and playbooks, and the ability to create playbooks without writing a line of code.

FortiSIEM’s new link graph technology lets you easily visualize the relationships between users, devices, and incidents. Additionally, the solution can detect anomalies and outliers that traditional methods may miss, thanks to an advanced machine learning framework.

FortiGuard SOC-as-a-Service now offers AI-assisted incident triage and enhanced SOC operations readiness and compromise assessment services from FortiGuard Labs.

Diagram: FortiSOAR (source: Fortinet).

 

AI-Powered Threat Intelligence

Using global threat intelligence, zero-day research, and CVE query services, FortiGuard Industrial Security Service significantly reduces the time to protection.

The FortiGuard IoT Service enhances granular OT security at the industry level with the convergence of IIoT and IoMT devices.

OT-specific playbooks for threat remediation are now integrated into FortiSIEM’s unified security analytics dashboards, and the ICS MITRE ATT&CK matrix is used to analyze OT threats.

Identity and Access

FortiPAM provides remote access to IT and OT networks. It includes zero-trust network access (ZTNA) controls to secure access to critical assets. With ZTNA tags, device posture can be checked continuously for vulnerabilities, up-to-date antivirus signatures, location, and machine grouping.

Application Security

In addition to software development security testing, FortiDevSec also provides runtime application security testing. The solution includes SAST, DAST, and SCA for detecting early vulnerabilities and misconfigurations.

 


Comcast SD-WAN Expansion to SMBs


Comcast Business will expand its SD-WAN portfolio for small and midsize businesses (SMBs) with a single location or multiple standalone locations that need to connect to cloud or software-as-a-service (SaaS) applications but do not need site-to-site networking. The expansion follows recognition from Frost & Sullivan.

In its 2022 Managed SD-WAN Services in North America report, Frost & Sullivan ranked Comcast as the second-largest SD-WAN provider in North America at the time, noting that the provider is “especially successful among enterprise customers with 250 or more sites.”

Using a centralized intelligent SDN console, Comcast Business SD-WAN brings software-defined networking to businesses. As a result, network management is simplified. SD-WAN is an over-the-top (OTT) service provided through universal customer premises equipment (uCPE) that combines Comcast-provided and customer-supplied underlay. As a result, a single location can access cloud-based applications, or multiple sites can participate in virtual networking.

 


 

Stephen Thomas, Senior Industry Director, Network Services, Frost & Sullivan, said:

“Comcast Business continues to establish itself as a leader in managed SD-WAN and, with its white-glove service and customer focus, translates well into the larger enterprise market,” he said. In addition, he continued, “Its acquisition and integration of Masergy have also proven helpful overall given Masergy’s solid reputation, industry-leading SLAs, and leadership in customer self-portal technologies.”

Frost Radar™ ranks Comcast Business as a Leader among the top twelve North American managed SD-WAN providers. Comcast Business’ key differentiators are its position as the second-largest SD-WAN provider in North America, its reputation for success among enterprise customers with 250 or more sites, and its acquisition of global SD-WAN leader Masergy, which has enabled the company to enhance its portfolio and expand its partner ecosystem.

 

Back to basics with SD-WAN

SD-WAN, or Software-Defined Wide Area Network, is a networking technology that allows organizations to manage their wide area network (WAN) more efficiently and securely. With SD-WAN, businesses can use technologies like MPLS, broadband, and LTE to connect their branch offices, data centers, and cloud applications securely.

The main benefit of SD-WAN is that it provides a centralized management platform that enables IT teams to control their network traffic, monitor performance, and apply security policies across all their branch locations from a single dashboard. This can reduce the complexity of managing an extensive WAN infrastructure and improve network uptime and performance.

Another advantage of SD-WAN is that it can help organizations reduce their WAN costs. By leveraging multiple types of connectivity, businesses can choose the most cost-effective option for each location and optimize their bandwidth usage. SD-WAN can also enable businesses to prioritize critical applications over less important traffic, ensuring their network resources are used efficiently.


Comcast SD-WAN supports the following core features:

Standalone site support

  • Get scalable, resilient Internet connectivity for one or multiple locations.
  • Optimize availability and performance for cloud applications. 

Centralized network policy management

  • With a single click, you can change multiple sites.
  • Create templates for sites sharing routing policies so that changes can be made remotely simultaneously.
  • Run the network and applications locally.
  • Use a voice-activated device or your desktop to check network performance. 

Network flexibility

  • A maximum of four underlays may be used.
  • Ensure your network is always up and running with 4G LTE backup.

Application-aware traffic steering

  • Organize applications according to priority.  
  • Create dynamic policies to direct traffic on the optimal path.
  • Enable automatic failover. 

Cost-efficient connectivity

  • Connect via low-cost megabit broadband.
  • Aggregate bandwidth.

Open-system flexibility

  • The service is delivered via universal CPEs.
  • Enable multi-vendor technologies integration to scale new applications.

Integrated security

  • Integrate Advanced Security for on-premises or cloud-based security.
  • SD-WAN offers both. 

Reporting and analytics

  • With detailed reporting, you will understand your network.
  • Utilize application intelligence and predictive analytics to empower IT teams.

 

Advanced security includes:

Cybersecurity and virtual network functions for on-premises businesses.

  • Multifaceted solutions and expert support
  • Advanced firewall protection
  • Simple visibility into security logs
  • Site-to-site traffic inspection
  • Secure Remote Access protects remote workers and systems

 

Together, Comcast Business and Masergy provide a full range of fiber, broadband, and software-defined network solutions alongside security offerings and managed services. In addition, Comcast has SD-WAN experts to help identify the SD-WAN solution best suited to an organization’s locations, applications, and teams.

  • Get support for multiple network access options, including single or multiple hybrid Internet connections. Or connect directly to secure private networks.
  • Establish secure virtual connections through our many vendor-agnostic solutions.
  • Secure Access to third-party services and applications you already use.
  • Help protect your environment with advanced security, SASE options, and managed security.
  • Control it all via our advanced digital experience with managed services know-how.

According to a company statement, the updated capabilities are designed for companies without IT budgets or corporate networks that nonetheless need to support single locations with cloud connectivity over public Internet services. Several providers have noticed small businesses’ networking challenges and are expanding their portfolios accordingly; Comcast is just one of them. Aryaka, for example, recently announced enhanced SD-WAN and SASE products for SMEs with a new entry price of under $150 per site.

NEWS 4

Rise in Ransomware Attacks

 

Ransomware is costing companies. The core functionality of ransomware is two-fold: to encrypt data and to deliver the ransom message. According to Barracuda Networks’ recently released global 2023 Ransomware Insights Report, 85% of critical infrastructure organizations encountered a ransomware attack in 2022.

The 2023 Ransomware report discusses the prevalence and impact of ransomware attacks worldwide. In addition, their international survey explored the experience of ransomware attacks on organizations over the last 12 months.

Depending on the complexity of the malware and its mechanism for gaining access, the encryption can be basic or maddeningly complex, and it may affect only a single device or an entire network. So, in my experience, especially with quick partial encryption, once the bad actor has set off the ransomware binaries, it’s game over. Therefore, it’s better to discover ransomware at the detection stage than once the encryption process has started. The kill chain is about five days.

 


 

Olesia Klevchuk, product marketing director at Barracuda, said, “Critical infrastructure is an appealing target for cybercriminals because of the impact a successful attack can cause — the bigger the impact, the more chances of a big payout.”

The survey interviewed 1,350 IT specialists from frontline to senior roles at companies across different industries. An overview of the findings is as follows:

  1. 73% of respondents reported being hit with at least one successful ransomware attack in 2022, and 38% were hit twice or more.
  2. 85% of energy, oil/gas, and utility organizations had at least one ransomware attack.
  3. The energy, oil/gas, and utility industries were the most likely, at 53%, to report two or more successful ransomware attacks.
  4. In I.T., technology, and telecoms, 31% reported one attack and 25% experienced two attacks.
  5. Alarmingly, up to 42% of those hit three times or more paid to restore their data, compared to 31% of victims of a single attack.

 

How are bad actors getting in? Ransomware entry points

The bad actors somehow need to get the ransomware binaries past your perimeter and layers of defense to a valuable target, more than likely files to encrypt. They rarely land directly on the critical assets, so they need to pivot and move laterally in search of valuable assets.

This lateral movement is often done with privileged credentials, which makes it harder to detect. How do you know if a bad actor is using PsExec to move from machine to machine, or whether it is an I.T. admin carrying out their daily tasks? And how do you think bad actors are getting in? Email is still the most exploited entry method for bad actors.
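As an added defensive example (not from the article or Barracuda’s report), the script below runs a simple detection over constructed Windows service-install events to separate change-managed admin use of PsExec from the pattern the paragraph describes: one account installing the PsExec helper service on many hosts in a short time, or outside approved hours. The approved-account list, maintenance window, thresholds and all sample events are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): Windows System log Event ID 7045
# ("A service was installed in the system") as a SIEM might normalise them.
# PsExec installs its helper service on the *target* host, so "host" is where the
# actor landed and "account" is the credential that was used to get there.
SAMPLE_EVENTS = [
    {"time": "2023-05-02T09:15:00", "host": "FS01", "account": "CORP\\jdoe-adm",
     "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"time": "2023-05-02T09:40:00", "host": "FS02", "account": "CORP\\jdoe-adm",
     "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"time": "2023-05-03T02:05:00", "host": "WS17", "account": "CORP\\svc_backup",
     "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"time": "2023-05-03T02:06:00", "host": "WS18", "account": "CORP\\svc_backup",
     "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"time": "2023-05-03T02:07:00", "host": "WS19", "account": "CORP\\svc_backup",
     "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"time": "2023-05-03T10:00:00", "host": "APP01", "account": "CORP\\jdoe-adm",
     "service": "BackupAgent", "image": "C:\\Program Files\\Acme\\agent.exe"},
    {"time": "2023-05-03T22:30:00", "host": "DB01", "account": "CORP\\jdoe-adm",
     "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
]

APPROVED_ADMIN_ACCOUNTS = {"CORP\\jdoe-adm"}   # assumption: change-managed admin accounts
MAINTENANCE_HOURS = (8, 18)                     # assumption: admin work expected 08:00-18:00
FANOUT_THRESHOLD = 3                            # distinct targets before "fan-out" fires
FANOUT_WINDOW = timedelta(minutes=30)           # sliding window for counting targets


def is_psexec_install(event):
    """True when a 7045 event looks like the PsExec helper service.

    Caveat: matching the default service name is a heuristic, so the image
    path is checked as well; pair this with other lateral-movement telemetry.
    """
    return (event["service"].upper() == "PSEXESVC"
            or event["image"].upper().endswith("PSEXESVC.EXE"))


def detect_psexec_lateral_movement(events, approved=APPROVED_ADMIN_ACCOUNTS,
                                   hours=MAINTENANCE_HOURS,
                                   threshold=FANOUT_THRESHOLD,
                                   window=FANOUT_WINDOW):
    """Return a list of alert dicts; an empty list means nothing suspicious."""
    alerts = []
    recent = defaultdict(list)   # account -> [(time, host)] of PsExec installs
    flagged_fanout = set()
    psexec = sorted((e for e in events if is_psexec_install(e)),
                    key=lambda e: e["time"])
    for ev in psexec:
        t = datetime.fromisoformat(ev["time"])
        base = {"account": ev["account"], "host": ev["host"], "time": ev["time"]}
        # Rule 1: PsExec from an account that is not an approved admin.
        if ev["account"] not in approved:
            alerts.append({**base, "reason": "psexec-unapproved-account"})
        # Rule 2: approved admin, but outside the maintenance window.
        elif not hours[0] <= t.hour < hours[1]:
            alerts.append({**base, "reason": "psexec-outside-maintenance-window"})
        # Rule 3: fan-out, i.e. one account reaching many hosts in a short time.
        # This applies to approved admins too; it is the behavioural signal.
        recent[ev["account"]] = [(ts, h) for ts, h in recent[ev["account"]]
                                 if t - ts <= window]
        recent[ev["account"]].append((t, ev["host"]))
        targets = {h for _, h in recent[ev["account"]]}
        if len(targets) >= threshold and ev["account"] not in flagged_fanout:
            flagged_fanout.add(ev["account"])
            alerts.append({**base, "reason": "psexec-fan-out",
                           "targets": sorted(targets)})
    return alerts


def summarise(alerts):
    """Count alerts per reason, handy for a quick triage view."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["reason"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in detect_psexec_lateral_movement(SAMPLE_EVENTS):
        print(alert)
```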

 

A summary of the findings is as follows:

  1. Up to 69% of surveyed organizations were hit with Ransomware with email as the primary entry method.
  2. In I.T., tech, and telecom industries, there were 69% of ransomware attacks via email. Then we had 56% by web traffic or web applications and 39% by network traffic. 
  3. In the energy, oil/gas, and utilities industry, 78% of ransomware attacks started with email, 54% by web traffic or web applications, and 60% by network traffic.

“There is a lot of pressure on these industries to be up and running as soon as possible, and paying cybercriminals is one of the routes they may take,” said Klevchuk. “This makes it very appealing to hackers as they can ask for large ransoms.”

The 2021 Colonial Pipeline attack is the best recent example of an attack on critical infrastructure, Klevchuk added. The company paid $4 million, and the entire U.S. East Coast was impacted.

Ransomware’s main problem is that the victim, an organization being penetrated via email, has no access to a key to decrypt the data once the Ransomware binaries have encrypted it. Depending on the strength of the encryption algorithm, the data is essentially unrecoverable. 

While some older algorithms can be broken given enough time and are still occasionally used in business either because the infrastructure is outdated or there’s a perceived benefit to having more straightforward encryption, there’s no need for a ransomware attacker to use this – they don’t want the data to be readily accessible. So for all practical purposes: if Ransomware hits you, your data is lost unless you get the key or can recover it from somewhere that hasn’t been affected.

 

Ransomware: The way forward.

As I mentioned, you need to focus on the detect stage, as once the binaries have been activated, it’s game over. And as email is noted as the primary entry method, your defense layers are bypassed. So, you must adopt a Zero Trust Model and assume a breach.  

Splunk has good UEBA and detection mechanisms for ransomware; these products assume there has already been a breach. An additional security layer would be prevention rather than detection, but this is challenging: it is hard to detect ransomware in email.

So it would help if you had best-in-class email security. Mimecast’s email ransomware protection relies on sophisticated, multi-layered detection engines to identify threats and halt them before they execute. With central control and unsurpassed API integration, you can act fast wherever Ransomware emerges.

 

news3

New Variants of IcedID Malware Loader

 

New variants of IcedID malware loader

Security researchers have cautioned against new variants of the IcedID malware loader. IcedID, also known as BokBot, is a strain of malware first discovered in 2017. It is classified as a banking trojan and remote access trojan (RAT).

A banker Trojan is malware that endeavors to steal credentials from a financial institution’s clients or gain access to other types of financial information. A remote access trojan (RAT) is malware enabling a bad actor to remotely control an infected computer. Once the RAT is running, unknowingly to the user, the bad actor can send commands and receive data back in response.

The IcedID malware loader is considered to have abilities comparable to other sophisticated banking Trojans such as Zeus, Gozi, and Dridex. Its capabilities can be alarming. As a banking trojan, IcedID collects login credentials for finance user accounts. IcedID is also capable of dropping malware. While Emotet, a botnet malware, commonly distributes IcedID, it is not the only delivery vector for IcedID.

As a side note, Emotet is a highly sophisticated, self-propagating Trojan. Emotet started its damage as a banking trojan; however, its modular design has allowed it to evolve into a distributor for other types of malware. Emotet is frequently spread through phishing spam emails.

 


 

Security researchers from Proofpoint said in a new report:

“A cluster of threat actors is likely using modified variants to pivot the malware away from typical banking Trojan and banking fraud activity to focus on payload delivery, which likely includes prioritizing ransomware delivery.”

Proofpoint’s research team has identified multiple IcedID campaigns from 2022 through 2023. Additionally, at least five threat actors have been observed distributing the malware in campaigns since 2022. These five threat actors are TA578, TA551, TA577, TA544, and TA581, highlighted below. Most threat actors and unattributed threat activity clusters use the Standard IcedID variant.

  • Standard IcedID Variant – The variant most often observed in the threat landscape and used by most threat actors.
  • Lite IcedID Variant – A new variant observed as a follow-on payload in November Emotet infections. It does not exfiltrate host data in the loader check-in and delivers a bot with minimal functionality.
  • Forked IcedID Variant – A new variant observed by Proofpoint researchers in February 2023 and used by a few threat actors; it again delivers a bot with minimal functionality.

At this point, Proofpoint researchers consider most of these bad actors to be initial access brokers facilitating infections leading to ransomware.

  • Threat Actor: TA578

TA578 has been using IcedID since around June 2020. Its email-based malware distribution campaigns commonly use lures such as “stolen images” or “copyright violations.” The group uses what Proofpoint considers the Standard variant of IcedID. However, it has also been seen delivering Bumblebee, another malware loader favored by initial access brokers.

  • Threat Actor: TA551

TA551 is another group that uses the Standard IcedID variant and has been operating since 2018. This group uses email thread hijacking techniques to distribute malicious Word documents, PDFs, and, more recently, OneNote documents. In addition to IcedID, TA551 payloads include the SVCReady and Ursnif malware families.

  • Threat Actor: TA577

TA577 has used IcedID in limited campaigns since February 2021. This threat actor uses thread hijacking to deliver malware, with Qbot being TA577’s preferred payload. However, Proofpoint has observed IcedID delivered by TA577 in six campaigns since 2022. TA577 uses the Standard IcedID variant.

  • Threat Actor: TA544

TA544 used IcedID in limited campaigns throughout 2022. This actor targets organizations in Italy and Japan and typically delivers Ursnif malware. TA544 uses the Standard IcedID variant.

  • Threat Actor: TA581

TA581 is a newly classified threat actor that Proofpoint has tracked as an unattributed activity cluster since mid-2022. This actor uses business-relevant themes such as payroll, customer information, invoices, and order receipts to deliver a variety of file types or URLs. TA581 typically delivers IcedID but has also been observed using Bumblebee malware and telephone-oriented attack delivery (TOAD) payloads. TA581 uses the Forked IcedID variant. The Forked IcedID campaigns, in particular, used Microsoft OneNote attachments and unusual attachments with the .URL extension.
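A defender-side triage example, added here and not part of Proofpoint’s report or tooling: it parses MIME messages and flags the delivery traits described for TA551 and TA581 above, namely OneNote and .URL attachments and reply-looking subjects that carry no threading headers (a crude thread-hijacking indicator). All addresses, subjects and filenames in the samples are constructed placeholders.

```python
"""Mail triage heuristics for the IcedID delivery traits described above.

Added example, not Proofpoint's code. Flags (1) OneNote (.one) and .URL
attachments, as seen in the Forked IcedID campaigns, and (2) messages whose
subject looks like a reply but that lack In-Reply-To/References headers,
a simple indicator of thread hijacking. Sample messages are constructed.
"""
import email
from email import policy
from email.message import EmailMessage

SUSPECT_EXTENSIONS = {".one", ".url"}  # file types called out in the report


def attachment_names(msg: EmailMessage) -> list[str]:
    """Return the filenames of all attachment parts in the message."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and return the triage flags it raises."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []
    for name in attachment_names(msg):
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in SUSPECT_EXTENSIONS:
            flags.append(f"suspect-attachment:{name}")
    subject = str(msg["Subject"] or "").strip().lower()
    looks_like_reply = subject.startswith(("re:", "fw:", "fwd:"))
    if looks_like_reply and not (msg["In-Reply-To"] or msg["References"]):
        flags.append("reply-without-threading-headers")
    return {"subject": str(msg["Subject"]), "flags": flags}


def build_sample(subject: str, filename: str, threaded: bool) -> bytes:
    """Construct a placeholder message with one attachment (constructed data)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "payroll@example.invalid"
    msg["Subject"] = subject
    if threaded:
        msg["In-Reply-To"] = "<orig-123@example.invalid>"
    msg.set_content("Please see the attached order receipt.")
    msg.add_attachment(b"constructed placeholder bytes", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


SAMPLES = {
    "onenote_hijack": build_sample("RE: invoice 4471", "invoice.one", False),
    "url_shortcut": build_sample("Order receipt", "receipt.url", True),
    "benign_reply": build_sample("RE: invoice 4471", "invoice.pdf", True),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, triage(raw))
```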

  • A final note: What the future holds

Cybercriminals are dedicating significant effort to IcedID and the malware’s codebase. Although IcedID was initially used as a banking trojan, bad actors are now more inclined than ever to remove the malware’s banking functionality. As a result, bad actors are moving away from using IcedID as banking malware and looking at new avenues to use it as a loader for ransomware and other malicious activities.

Meanwhile, Proofpoint expects many threat actors to continue using the Standard IcedID variant. At the same time, the Lite and Forked IcedID variants will likely continue to be used in malware attacks.


Carriers Based on Open Ethernet with SONiC

At a recent Nvidia GPU Technology Conference (GTC) session, specialists from Nvidia and Comcast summarized how and where the open-source NOS fits in to support 400 gigabit Ethernet deployments. In this session, Comcast discusses leveraging NVIDIA’s open Ethernet networking technologies for its Cloud Fabric services deployment.

Comcast uses the open Ethernet approach to build its data centers and carrier-neutral facilities. These deployments consist of SONiC-enabled Nvidia SN4700 networking switches that support 32 ports of 400G.

One can consider this type of network transformation as moving from a static and conservative mindset that results in cost overrun and inefficiencies to a dynamic routed environment. Now we can build more stable data centers based on an underlay and overlay technology with the stability of Layer 3 routing. 


The NVIDIA® Spectrum®-3 based SN4000 is an open Ethernet switch supporting all speeds ranging from 1GbE through 400GbE. This switch is the perfect building block for building large layer-2, layer-3, and virtualized network fabrics in greenfield and brownfield environments.

Core technical highlights include:

  1. Max port speed: 400Gb/s
  2. Max flow counters: 512K entries
  3. Max Access-Control Lists (ACLs): 512K entries
  4. Network Address Translation (NAT): 100K+ entries
  5. Max IPv4 routes: 512K entries

Additional networking capabilities:

  • Visibility: NVIDIA Spectrum SN4000 switches support detailed and contextual telemetry with NVIDIA What Just Happened® (WJH). Spectrum switches implement hardware-accelerated histograms to track and summarize queue depths at sub-microsecond granularity. Hardware-accelerated histograms avoid the false alerts common to simple watermark and threshold-based methods.

  • Performance: NVIDIA Spectrum SN4000 switches feature a fully shared packet and monolithic buffer architecture. This unique buffer architecture delivers a fair, predictable, high-performance data path essential for scaling out software-defined storage and modern multi-tenant cloud deployments. Spectrum switches have a robust high-bandwidth, low-latency data path for remote direct memory access over converged Ethernet (RoCE) and machine learning applications that leverage GPUDirect®.

  • Scale: NVIDIA Spectrum SN4000 switches support best-in-class Virtual Extensible LAN (VXLAN) with support for 10X more tunnels and tunnel endpoints. Its 512K shared forwarding entries can be flexibly used across access-control lists (ACL), longest prefix match (LPM) routes, host routes, MAC tables, and equal-cost multi-path (ECMP) and tunnel applications.

These features allow network and data center managers to design and implement a cost-effective switch fabric based on the “pay-as-you-grow” principle. Therefore, a fabric consisting of a few servers can gradually grow to include hundreds or thousands of servers. The Spectrum Ethernet switch family is powered by the Spectrum application-specific integrated circuit (ASIC). As a result, Spectrum switches feature dynamic, flexible shared buffers and predictable wire-speed performance.

The SN2000, SN3000, and SN4000 series are available in three versions:

  1. Pre-installed with NVIDIA Cumulus® Linux, NVIDIA’s flagship network operating system, which takes the Linux user experience from servers to switches and provides rich routing and automation functionality for large-scale applications
  2. Bare-metal switches, including an Open Network Install Environment (ONIE) image, ready to be installed with SONiC or another ONIE-compatible operating system
  3. Pre-installed with NVIDIA Onyx™, a home-grown operating system with an industry-standard command-line interface (CLI)

One significant advantage is that leaf and spine architectures can quickly scale up to 10K+ nodes in two tiers.

SONiC: Open-Source Network Operating System

SONiC is an open-source network operating system based on Linux that works on switches from multiple vendors and ASICs. In addition, SONiC offers a full suite of network functionality, such as Border Gateway Protocol (BGP).

SONiC core features:

  1. Decouples hardware and software: SONiC is built on the Switch Abstraction Interface (SAI), which helps accelerate hardware innovation.
  2. Accelerates software evolution: The first solution to break monolithic switch software into multiple containerized components, which accelerates software evolution.
  3. Rapidly growing ecosystem: SONiC has gained broad industry support over the last year, including from major network chip vendors.

SONiC System Architecture

The SONiC system architecture comprises various modules that interact with each other through a centralized and scalable infrastructure. This infrastructure relies on a Redis database engine: a key-value database that provides a language-independent interface, a method for data persistence, replication, and multi-process communication among all SONiC subsystems.

By relying on the publisher/subscriber messaging paradigm offered by the Redis-based infrastructure, applications can subscribe only to the data views they require and avoid implementation details irrelevant to their functionality. SONiC places each module in an independent Docker container to maintain cohesion among semantically related components while reducing coupling between unrelated ones. Each component is written to be independent of the platform-specific details required to interact with lower-layer abstractions.

“SONiC is the leading open-source community network operating system for cloud data centers,” said David Iles, senior director of Ethernet Switching at Nvidia. “It’s modular, containerized, and built from the ground up to be scalable for large network deployments.”

  • A key point: Final comments on SONiC

SONiC was initially built by Microsoft and formally became an open-source project in 2015 when it joined the Open Compute Project (OCP). In 2022, the project moved to its current home at the Linux Foundation.

F5 New Distributed Cloud with Multi-Cloud Services

Organizations use dispersed application deployments that span traditional and modern architectures and multiple hosting environments. However, these distributed deployments add operational complexity, creating gaps in visibility that increase the attack surface available to bad actors.

Bad actors will get in eventually, and you want to minimize the attack surface as much as possible. F5 covers this with a platform-based approach offering distributed cloud services for networking and security. Specifically, F5 has recently introduced Distributed Cloud App Connect and Distributed Cloud Network Connect, allowing a variety of multi-cloud networking use cases.


Distributed Cloud App Connect:

You can connect and secure modern applications and Application Programming Interfaces (APIs) across cloud locations and types. This service provides app-to-app connectivity and orchestration for workloads distributed across multiple cloud regions, providers, and edge sites. Now we can ensure secure application-layer networking between clouds with granular service and request-level controls for DevOps.

In summary, with Distributed Cloud App Connect, wherever an application is running, and regardless of whether it needs access to resources hosted in some other domain, everything from networking to visibility to security is managed from the control console provided by F5.

Some of the core capabilities include:

  1. Application networking: Load balancing for TCP, UDP, and HTTP/S requests
  2. Application segmentation: Granular policies to secure endpoint access
  3. End-to-end encryption: Native TLS encryption from workload to workload
  4. Application security integration: Same Distributed Cloud Console for app and API security
  5. Service discovery: Cross-cluster service discovery
  6. Observability: App-level dashboards and metrics
  7. Ingress and egress: Route-based policy enforcement for HTTP and HTTPS traffic

Distributed Cloud Network Connect:

Distributed Cloud Network Connect lets you quickly and securely network across public clouds, hybrid clouds, and edge sites via an agile SaaS-based service. It provides cloud networking across regions and providers, allowing you to rapidly connect instances deployed across multiple cloud regions and providers. Distributed Cloud Network Connect operates at the network level, combining connectivity services from cloud providers and edge environments under a single organizational roof.

Some of the core capabilities include:

  1. Automated provisioning: One-click provisioning for connectivity and security
  2. Integrated services stack: Common routing, segmentation, and access everywhere
  3. Service insertion: Seamless insertion of services like firewalls
  4. Network segmentation: Network isolation across clouds, on-premises, and within the F5 Global Network
  5. End-to-end observability: Full network visibility across clouds and on-premises
  6. SaaS-based: As-a-service for simplified operations and scaling
  7. Private connectivity: Private links and backbone via the F5 Global Network
  8. Application networking integration: Application networking via Distributed Cloud App Connect

Distributed Cloud App Connect and Distributed Cloud Network Connect are now available for any F5 subscription plan under the F5 Distributed Cloud Mesh platform capability.  

F5’s Distributed Cloud Service

F5’s Distributed Cloud Service is a SaaS-based solution that extends applications, along with a range of security and networking services, across one or more public clouds. It also supports a range of hybrid deployments, native Kubernetes environments, and edge sites, covering the most common use cases.

The F5 Distributed Cloud Services are delivered via software as a service (SaaS), allowing you to sign up for a free trial or a monthly plan with a credit card; the service(s) are immediately available.

There are four main tiers. The first is free; then we have individuals, teams, and finally, organizations. The tier you choose enables different network and security services, with the organization tier offering advanced API support and fast health checks across all locations in under 1 second.

You can also extend your design to create combinations based on your imagination, for example, deploying SD-WAN across two locations and building network and security policies across these locations and to the public Internet.

The following are the main pillars F5 offers:

Security:

  • DDoS Mitigation: Mitigate application-based and volumetric distributed denial of service (DDoS) attacks.
  • API Security: Discover API endpoints, allow legitimate transactions, and monitor for anomalous behaviors

Fraud and Risk

  • Account Protection: Powerful artificial intelligence for fraud protection.
  • Authentication Intelligence: Increase topline digital revenue and improve customer experience by eliminating login friction for legitimate returning consumers.

Multi-Cloud Networking

  • Network Connect: Easily network across cloud locations and providers with simplified provisioning and end-to-end security
  • App Connect: Securely connect distributed workloads across cloud and edge locations with integrated app security

Performance and Reliability

  • DNS: Get a primary or secondary DNS and boost apps’ global performance and resilience across multiple clouds and availability zones.
  • DNS Load Balancer: Simplify cloud-based DNS management and load balancing and get disaster recovery to ease the burden on operations and development teams
  • CDN: Enables rich digital experiences with a high-performing, multi-cloud, and edge-focused CDN that integrates with app security services.
