ShadowPad has become the RAT of choice for several state-sponsored Chinese APTs

Read Time:38 Second

The ShadowPad malware came into the spotlight in 2017 when it was used in two software supply-chain attacks by a suspected Chinese state-sponsored hacker group. Since then it has become the tool of choice for several cyberespionage groups that are believed to be associated with China’s Ministry of State Security (MSS) and the People’s Liberation Army (PLA).

“The malware was likely developed by threat actors affiliated with Bronze Atlas and then shared with MSS and PLA threat groups around 2019,” researchers from security firm Secureworks said in a new report. “Given the range of groups leveraging ShadowPad, all organizations that are likely targets for Chinese threat groups should monitor for TTPs associated with this malware.”

To read this article in full, please click here

Read More

Trousseau bolsters its Kubernetes security capabilities with support for HashiCorp Vault

Read Time:34 Second

The project managers of an open-source plug-in for Kubernetes that allows the orchestration software to better use encryption to protect its secrets has announced support for its first key management provider. The move is a step forward for Trousseau, the plug-in that creates a universal way to protect secrets in Kubernetes.

Without Trousseau, managing secrets to protect sensitive data in Kubernetes can be complicated. Many components need to be created to support the process, which can be a headache for security teams. With Trousseau, secrets management can be added easily to Kubernetes along with support for any key management encryption providers.

To read this article in full, please click here

Read More

Log4Shell: A Tale of Two Detection Techniques

Read Time:2 Minute, 45 Second

Endpoint detection and response (EDR) can only take you so far in identifying Log4j exploit attempts. Here’s why dynamic checks are needed to uncover vulnerable versions of Log4j.

When the Log4j vulnerability was disclosed at the tail end of 2021, it caused many IT teams to put down their well earned eggnog and cast a concerned look at their environment. Unfortunately, understanding what was vulnerable to this newly disclosed flaw was far more difficult than simply pulling an accurate inventory of Log4j instances, with the troublesome library often harder to track down than a Playstation 5.

Using an endpoint agent, for example endpoint detection and response (EDR), or a credentialed scan to identify Log4j instances will only get you so far. Like many Java libraries, Log4j is often bundled into “Fat Jars” (Jar files that include all external dependencies) or inserted directly into the source code as a way of shading the library versions to lessen the probability of conflicts. Simply asking “Do you have Log4j installed?” isn’t going to give you a very clear understanding of where you’re vulnerable.

But “EDR will block attempts to exploit Log4j!” I hear you all cry out in delight. Not so fast. An attacker could easily stay within the Java Virtual Machine (JVM), away from the prying eyes of the EDR process monitors; blocking outbound calls from a server is going to end badly. The idea of hiding nefarious activity within the Java virtual machine isn’t new, but all the top EDR vendors have been slow to address this rather large chink in their armor. EDR can stop breaches (as long as they’re not Java based).

In order to deal with the Log4j detection issue, Tenable released a whole new approach to assessment within hours of the legendary flaw being announced. Put simply, our dynamic checks fired a Java Naming and Directory Interface (JNDI) query into targets that instructed any systems vulnerable to Log4j to send a unique token to a Tenable hosted system that the scanner could look up to see if a message had been received. This approach ensured we’d be able to more easily uncover vulnerable versions of Log4j across a multitude of ports and protocols, because the only tokens being sent would be from those systems that had the flawed library somewhere within the stack or application code.

And we saw a lot of those unique tokens being sent to Tenable. Days after disclosure, we were seeing over 1,400 new tokens … EVERY SECOND and one in 10 assets assessed by Tenable were vulnerable.

In the case of Log4j, a false negative could mean a system is left vulnerable due to a poor assessment. Relying on endpoint detection to block exploitation is nowhere near enough of a defense, leading to a surefire foothold for any enterprising attacker. Tenable is investing significant effort in ensuring we continue to lead the market in detecting Log4Shell across the ever growing list of applications and protocols that are vulnerable.

Learn more

Read the technical whitepaper for more information on the new approach to identifying Log4j via the dynamic plugins
VIsit our landing page to keep up to date with all the log4j news
Read the blog, Assess Log4Shell Like an Attacker with Tenable’s Dynamic Detections

Read More

F5 integrates application, cloud security in a unified SaaS platform

Read Time:30 Second

Aiming at enterprises that are managing increasingly complex IT infrastructure, F5 is releasing a new SaaS-based security, multicloud networking, and edge computing platform, F5 Distributed Cloud Services, as an expansion to its application delivery and security product portfolio.

As part of the announcement, made at its annual Agility conference Tuesday, the company also unveiled the first new service on the platform, F5 Distributed Cloud WAAP (Web application and API protection), which integrates the existing security capabilities from across F5 applications into a unified SaaS (software-as-a-service) based offering.

To read this article in full, please click here

Read More

How to secure microservices in a Zero-Trust environment

Read Time:5 Minute, 37 Second

This blog was written by an independent guest blogger.

Microservices architecture is a convenient way to silo different software services compared to traditional software architecture and design. However, with multiple microservices communicating amongst each other – the attack surface of the network is greatly increased.

The security of such a system depends on the security of all the services. Any deviation in the system’s security ultimately undermines the integrity of the entire network. The number of vulnerabilities in a network based on microservices architecture can quickly grow from several to thousands of individual links depending on the number of services and how they communicate together.

This article will examine edge security in the context of microservices deployments and how APIs and API gateways set up at the edge can be used to secure service-to-service communications in a zero-trust environment.

A quick rundown on microservices

There is no single definition for what qualifies as a microservice. However, over time developers and industry standards have accepted a few key ideas. Microservices function similarly to how WordPress plugins provide a variety of siloed services on a website.

First, services in a microservice architecture typically communicate amongst one another on a network using protocols like HTTP. One advantage to utilizing a microservices architecture is that it greatly enhances the speed of your entire network. These services are then organized based on their function and developed independently of one another (and are also independently deployable). 

Why microservices security is vital

Ensuring that your microservices architecture is secure is essential. Hackers can use phishing scams to steal credentials and break into your network. So, if you build a network that has only a single point of security, you may find that a single breach can give hackers access to any number of services within your entire network.

Outdated software can easily lead to network vulnerabilities. By establishing a system to secure each microservice you can prevent hackers from spreading their reach if they manage to crack into a single service.

Defining a Zero-Trust environment

A zero-trust environment in a cybersecurity context means the elimination of trust between individual parts of a digital system, which would otherwise expose those parts to security vulnerabilities. Although some connections are obvious, cybersecurity consultation can help you assess how vulnerable your network is. 

Essentially, by siloing a network’s set of services and then eliminating their ability to trust one another we can increase security. If you find that you are unable to remove trust in your microservices architecture, the least you can do is minimize trust between services. Often businesses that have had their internal security breached, have had to seek reputation management services to protect their brand.

Another way to think of it is like this: your network represents a house that is full of rooms and each room is a service. Eliminating trust means locking all the doors to each room and then requiring a key every time a user wants to open that door.

Establishing security in service-to-service communications

How do we go about creating this security? Typically, when a microservices architecture is used, HTTP or gRPC are used to communicate in real-time. Apache Kafka and RabbitMQ are also examples of other communication protocols for applications. In order to secure these messages, we need to make sure that requests from a client application not only pass through security at the edge, but also internally.

How to build reliable authentication and authorization using mTLS

One way to make sure that access between services is secure is to implement authentication between services using Mutual Transport Layer Security (mTLS). However, in order to increase security, requests must be validated at the edge of the microservice and not just the edge of the network.

Each microservice then validates the certificate of the calling microservice and determines whether the certificate itself and the certificate’s issuer are trusted. Once the microservice has identified the caller, the microservice performs an authorization based only on the authentication credentials provided. This will check whether the caller is even able to do what it is requesting.

One way to enhance open source security and increase authentication and authorization speed is to utilize a proxy component that is deployed alongside the microservices. The proxy then intercepts all the calls that are placed to and from the microservice and prevents them from accessing the microservice directly.

Cryptographically safe methods for passing user context among microservices

The next step is to ensure that user context is passed securely between microservices. It’s important to ensure your network is secure, but also to ensure that communications intra-network are also secure.

The most common way this system works is by placing an API gateway at the edge of the microservices architecture deployment. The API gateway checks and validates user context corresponding to the application that made the call. Typically, the calling application can run the API just by itself, or for another user.

In either case, the API gateway acts like a sluice to regulate the flow of user context calls. When carrying these calls, the best way to cryptographically carry them is by using a JSON Web Token (JWT).

At the edge of the microservice, the JWT will be validated to make sure that it comes from a trusted issuer. Then, when one microservice communicates to another, the calling microservice can either feed the validated JWT to the new service or exchange it for a new JWT by communicating with another security token service that the recipient microservice trusts.

This way, one microservice could have an independent security token service separate from another verification service. This double-redundancy further strengthens the security of your services.

Once the end-microservice has verified the JWT, it can authorize the calling user based on the credentials that the JWT carries. Like with authentication and authorization, a proxy component intercepts these requests that come in and out of the microservice.

A functioning microservices security framework

Your entire network is only as secure as its weakest link. Every day businesses leave their data unprotected and vulnerable to hackers. Securing your microservices through multiple layers of security is one way to minimize these attack vectors. However, even if you take all of these steps it’s still important to consider threat detection and monitoring services.

Upgrade the security of your microservices architecture and consider where your vulnerabilities are in order to prevent unauthorized access to one microservice bleeding through to your other services. When you develop microservices as silos remember to utilize proxies and silo the security of the services by using JWT and mTLS. Your end goal should be to minimize trust, or if possible, establish a zero-trust environment.

Read More