Juniper Networks simplifies path to a secure and automated multicloud

Juniper Networks has expanded its campus portfolio, including extending EVPN-VXLAN fabric to the campus, enabling a common architecture for campus and data center fabrics by unifying disparate architectures.

Through this unification, Juniper Networks is providing the building blocks for an enterprise-wide fabric, a key component in building a simple, secure and automated multicloud.

Juniper also announced enhancements to its branch portfolio with new capabilities in its Contrail SD-WAN solution, utilizing NFX Series, SRX Series and vSRX Series WAN Edge devices combined with Contrail Service Orchestration.

Most enterprises have separate campus and data center networks, leveraging entirely different architectures to provide connectivity across the two domains. This leads to divergent operations, which inhibits enterprises’ attempts to unify their infrastructure under a common operational umbrella. With Juniper’s new EVPN-VXLAN campus architecture, enterprises can build campus networks using the same protocols that are popular in the most stable and efficient data centers that exist today.

To make it easier for customers to deploy an entire campus, Juniper has also expanded its campus portfolio through a resell agreement with Aerohive Networks, a global Wi-Fi vendor, and today announced an expansion of that strategic partnership to provide a cloud-managed wired, wireless and WAN solution.

Juniper Sky Enterprise integrates with Aerohive’s Cloud Services APIs and Aerohive’s HiveManager Network Management System to provide a single pane of glass for monitoring the entire wired and wireless campus network. The solution offers customers choice of deployment models – including public cloud, private cloud or on-premises.

Recognising that the branch is also an integral part of the customer’s journey to multicloud, Juniper is enhancing its Contrail SD-WAN capabilities with support for fine-grained Application Quality of Experience (AppQoE) and, as an industry first, active-active clustering for Juniper’s NFX and SRX Series branch devices.

Juniper is also expanding its 5-step multicloud migration framework to include evolution paths for campus and branch networks. The 5-step multicloud migration provides enterprises with a set of best practices, natural technology insertions and recommended products and services to more easily complete the journey to a secure and automated multicloud.

“Since implementing Juniper Networks’ switching products, James Cook University now has the foundation for secure and automated multicloud, giving the university flexibility to accelerate our use of private and public cloud resources,” said Swain Kirk, Head of ICT Infrastructure Services at James Cook University.

“Our network now has a consistent design for the core, data center and campus networks using Juniper’s QFX and EX Series switches, which deliver significant operational simplicity. Our IT team can consistently apply policies and operations across multiple campuses, clouds and other locations. Previously, if one switch went offline, it could take down seven floors or three buildings. But now with a highly resilient, redundant network design, we can lose a piece of equipment in the chain without impacting the user experience.”

Researchers Uncover New Attacks Against LTE Network Protocol

If your mobile carrier offers LTE, also known as 4G, be aware that an attacker with radio equipment within range of your phone can tamper with your network traffic.

A team of researchers has discovered critical weaknesses in the ubiquitous LTE mobile standard that could allow sophisticated attackers to spy on users’ traffic, modify the contents of their communications, and even re-route them to malicious or phishing websites.

LTE, or Long Term Evolution, is the current mobile telephony standard used by billions of people. It was designed to bring many security improvements over its predecessor, the Global System for Mobile (GSM) communications standard.

However, multiple security flaws have been discovered over the past few years that allow attackers to intercept users’ communications, spy on phone calls and text messages, send fake emergency alerts, spoof a device’s location, and knock devices entirely offline.

4G LTE Network Vulnerabilities

Now, security researchers from Ruhr-Universität Bochum and New York University Abu Dhabi have developed three novel attacks against LTE that let them map user identities, fingerprint the websites users visit, and redirect users to malicious websites by tampering with DNS lookups.

All three attacks, documented by the researchers on a dedicated website, target the data link layer, also known as Layer Two, of the LTE network.

The data link layer sits above the physical layer, which carries the radio signal between the phone and the network. Layer Two organises how multiple users share the radio resources, corrects transmission errors, and encrypts user data.

Two of the three, identity mapping and website fingerprinting, are passive attacks: the attacker only listens to the radio traffic passing between the base station and the target’s phone and draws conclusions from it.

The third, a DNS spoofing attack the team dubbed “aLTEr,” is an active attack: the attacker sits between the phone and the network as a relay, alters traffic in transit, and redirects the victim to a malicious website by spoofing DNS.

What is aLTEr Attack?

Because the LTE data link layer encrypts user data with AES-CTR but adds no integrity check, an attacker who flips a bit in the ciphertext flips the same bit in the decrypted plaintext. The attacker never learns the key; the tampered packet simply decrypts to a related, attacker-chosen plaintext.

“The aLTEr attack exploits the fact that LTE user data is encrypted in counter mode (AES-CTR) but not integrity protected, which allows us to modify the message payload: the encryption algorithm is malleable, and an adversary can modify a ciphertext into another ciphertext which later decrypts to a related plaintext,” the researchers said in their paper.

In the aLTEr attack, the attacker runs a relay: towards the victim it pretends to be a legitimate cell tower, towards the real network it pretends to be the victim, and it forwards, and modifies, the traffic flowing between the two.

As a proof-of-concept demonstration, the team showed how an active attacker could redirect DNS (domain name system) requests and then perform a DNS spoofing attack, causing the victim mobile device to use a malicious DNS server that eventually redirects the victim to a malicious site masquerading as Hotmail.

The researchers performed the aLTEr attack against a commercial network with a commercial phone inside their lab. To prevent unintended interference with the real network, the team used a shielding box to stabilise the radio layer.

They also set up two servers of their own, a DNS server and an HTTP server, to show where the redirected connections end up. The researchers published a video demonstration of the attack in action.

The attack is dangerous but hard to pull off outside a lab. It requires software-defined radio equipment (a USRP, roughly $4,000 worth), comparable to what IMSI catchers such as Stingray or DRTbox use, and it only works while the victim is within radio range of the attacker’s relay, typically about a mile.

Forthcoming 5G networks may inherit the weakness. Although 5G supports authenticated encryption for user data, the specification makes it optional, so whether a given network is protected depends on each carrier’s configuration.

“The use of authenticated encryption would prevent the aLTEr attack, which can be achieved through the addition of message authentication codes to user plane packets,” the researchers said.

“However, the current 5G specification does not require this security feature as mandatory, but leaves it as an optional configuration parameter.”

What’s Worse? LTE Network Flaws Can’t be Patched Straightaway

Because the attacks exploit a design decision in the LTE specification itself rather than a bug in one vendor’s implementation, there is no quick patch: closing the hole means changing the protocol and every device that implements it.

As part of their responsible disclosure, the team of four researchers—David Rupprecht, Katharina Kohls, Thorsten Holz, and Christina Pöpper—notified the GSM Association and the 3GPP (3rd Generation Partnership Project), along with telephone companies, before going public with their findings.

In response, 3GPP, which develops the standards for the telecommunications industry, said that changing the 5G specification might be complicated because carriers such as Verizon and AT&T have already begun deploying 5G.

How Can You Protect Against LTE Network Attacks?

The simplest thing a user can do is check that sites load over HTTPS with the expected domain in the address bar. A spoofed DNS answer can send the browser to the attacker’s server, but that server cannot present a valid certificate for the real domain, so the redirect only pays off if the victim ends up on a plain-HTTP look-alike.

The team suggests two exemplary countermeasures for all carriers:

1.) Update the specification: The 3GPP specification should require authenticated encryption for user-plane data, using an AEAD mode such as AES-GCM or ChaCha20-Poly1305, so that a modified packet is rejected instead of being decrypted into an attacker-chosen plaintext.

However, the researchers consider this unlikely in practice: every device and base station would have to change, a high financial and organisational effort that carriers have little incentive to undertake.

2.) Correct HTTPS configuration: Websites can deploy HTTP Strict Transport Security (HSTS). Once a browser has seen the HSTS header for a domain, it refuses to fetch that domain over plain HTTP, so even a spoofed DNS answer cannot land the user on an attacker’s HTTP server impersonating the site; the TLS handshake with the impostor fails instead.
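The malleability described above, and the authenticated-encryption fix from countermeasure 1, as an added Go example; this is illustration code, not the researchers’ tooling. It assumes a simplified packet (a bare IPv4 header with the destination address at its standard offset 16 and no checksum) ciphered with AES-CTR under a key the attacker does not have, and uses addresses from the RFC 5737 documentation ranges. The attacker only needs to know the address of the resolver the victim already uses, which in practice is the carrier’s:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
	"net"
)

// Offset of the destination address in an IPv4 header (RFC 791). The attacker must know
// where the bytes it wants to change sit; in LTE the IP header position inside the
// ciphered PDCP payload is fixed, which is what makes the real attack practical.
const dstOffset = 16

// buildPacket returns a constructed 20-byte IPv4 header plus payload. Only the fields the
// demo needs are filled in; no checksum is computed (a live attack must also compensate
// for the header checksum that covers the changed address bytes).
func buildPacket(src, dst net.IP, payload []byte) []byte {
	hdr := make([]byte, 20)
	hdr[0] = 0x45 // version 4, header length 5 words
	binary.BigEndian.PutUint16(hdr[2:], uint16(20+len(payload)))
	hdr[8] = 64 // TTL
	hdr[9] = 17 // protocol: UDP, as for a DNS query
	copy(hdr[12:16], src.To4())
	copy(hdr[dstOffset:dstOffset+4], dst.To4())
	return append(hdr, payload...)
}

// ctrXOR applies AES-CTR; because CTR is ct = pt XOR keystream, the same call both
// encrypts and decrypts.
func ctrXOR(key, iv, in []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// retargetDNS is the relay's step. It never learns the key: XORing the ciphertext bytes
// that cover the destination address with (knownDst XOR attackerDst) makes them decrypt
// to attackerDst while every other byte of the packet is untouched.
func retargetDNS(ct []byte, knownDst, attackerDst net.IP) []byte {
	forged := append([]byte(nil), ct...)
	k, a := knownDst.To4(), attackerDst.To4()
	for i := 0; i < 4; i++ {
		forged[dstOffset+i] ^= k[i] ^ a[i]
	}
	return forged
}

// DemoCTR runs phone -> relay -> network under plain AES-CTR and returns the destination
// the network sees after decryption plus whether the DNS payload survived intact.
func DemoCTR(key, iv []byte, victimDNS, attackerDNS net.IP, query []byte) (string, bool) {
	pkt := buildPacket(net.IPv4(10, 1, 2, 3), victimDNS, query)
	overTheAir := ctrXOR(key, iv, pkt)                          // what the phone transmits
	tampered := retargetDNS(overTheAir, victimDNS, attackerDNS) // modified in flight
	pt := ctrXOR(key, iv, tampered)                             // decrypted on the network side
	return net.IP(pt[dstOffset : dstOffset+4]).String(), bytes.Equal(pt[20:], query)
}

// DemoGCM repeats the identical bit flip against AES-GCM, the authenticated mode the
// researchers propose. Returns true when the tampered packet is rejected on decryption.
func DemoGCM(key, nonce []byte, victimDNS, attackerDNS net.IP, query []byte) bool {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	pkt := buildPacket(net.IPv4(10, 1, 2, 3), victimDNS, query)
	sealed := gcm.Seal(nil, nonce, pkt, nil)
	tampered := retargetDNS(sealed, victimDNS, attackerDNS) // the flip now invalidates the tag
	_, err = gcm.Open(nil, nonce, tampered, nil)
	return err != nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 16)    // constructed 128-bit key; the attacker never has it
	iv := bytes.Repeat([]byte{0x01}, 16)     // constructed CTR IV (the PDCP count in real LTE)
	nonce := bytes.Repeat([]byte{0x02}, 12)  // constructed GCM nonce
	victimDNS := net.IPv4(203, 0, 113, 53)   // the carrier's resolver (documentation range)
	attackerDNS := net.IPv4(198, 51, 100, 9) // the attacker's resolver (documentation range)
	query := []byte("constructed DNS query for hotmail.com")

	dst, intact := DemoCTR(key, iv, victimDNS, attackerDNS, query)
	fmt.Printf("AES-CTR: network delivers the query to %s, payload intact: %v\n", dst, intact)
	fmt.Printf("AES-GCM: same modification rejected: %v\n", DemoGCM(key, nonce, victimDNS, attackerDNS, query))
}
```

Run it and the CTR path reports the query arriving at the attacker’s resolver with the DNS payload untouched, while the GCM path reports the identical modification rejected. In real LTE the ciphering is applied to PDCP PDUs with the PDCP count as the counter input, but the XOR structure, and therefore the attack, is the same.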

New Malware Family Uses Custom UDP Protocol for C&C Communications

Security researchers have uncovered a new highly-targeted cyber espionage campaign, which is believed to be associated with a hacking group behind KHRAT backdoor Trojan and has been targeting organizations in South East Asia.

According to researchers at Palo Alto Networks, the group, which they dubbed RANCOR, has been using two new malware families, PLAINTEE and DDKONG, to target political entities primarily in Singapore and Cambodia.

In previous years, the threat actors behind the KHRAT Trojan were linked to DragonOK, a Chinese cyber espionage group.

While monitoring the C&C infrastructure associated with KHRAT trojan, researchers identified multiple variants of these two malware families, where PLAINTEE appears to be the latest weapon in the group’s arsenal that uses a custom UDP protocol to communicate with its remote command-and-control server.

To deliver PLAINTEE and DDKONG, the attackers send spear-phishing messages using several infection vectors: malicious macros in Microsoft Excel files, an HTA loader, and a DLL loader that ships with decoy documents.

“These decoys contain details from public news articles focused primarily on political news and events,” researchers explain. “Additionally, these decoy documents are hosted on legitimate websites including a government website belonging to the Cambodia Government and in at least one case, Facebook.”

Moreover, PLAINTEE downloads and installs additional plugins from its C&C server using the same custom UDP protocol that transmits data in encoded form.

“These families made use of custom network communication to load and execute various plugins hosted by the attackers,” researchers say. “Notably the PLAINTEE malware’s use of a custom UDP protocol is rare and worth considering when building heuristics detections for unknown malware.”
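The researchers’ observation that custom UDP is rare enough to drive a heuristic, turned into a worked detection in Go. This is an added example, not Palo Alto Networks’ code, and it knows nothing about PLAINTEE’s actual wire format (the article does not give it): it flags outbound UDP from internal hosts to external addresses on ports outside an allowlist when the flows recur on a regular cadence, which is how a beaconing implant looks in flow logs. The flow records, the port allowlist and the 10.0.0.0/8 internal range are constructed assumptions:

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Flow is a constructed, minimal flow record of the kind NetFlow or a Zeek conn.log
// provides; the field names are this example's own.
type Flow struct {
	TS      time.Time
	SrcIP   string
	DstIP   string
	DstPort int
	Proto   string
}

// Finding is one (source, destination, port) tuple flagged as a possible custom-UDP beacon.
type Finding struct {
	SrcIP, DstIP string
	DstPort      int
	Count        int
	MedianGap    time.Duration
}

// expectedUDP lists the UDP services that legitimately dominate outbound UDP from a
// workstation segment (DNS, NTP, QUIC, IPsec, STUN). This set is an assumption; tune it.
var expectedUDP = map[int]bool{53: true, 123: true, 443: true, 500: true, 4500: true, 3478: true}

// IsInternalNet is the example's notion of "internal": 10.0.0.0/8 only (an assumption).
func IsInternalNet(ip string) bool { return strings.HasPrefix(ip, "10.") }

func absDur(d time.Duration) time.Duration {
	if d < 0 {
		return -d
	}
	return d
}

// SuspectUDPBeacons groups outbound UDP flows to unexpected ports by tuple and flags
// tuples with at least minCount flows whose inter-arrival gaps all lie within
// jitter*median of the median gap, the regular cadence of a C2 check-in.
func SuspectUDPBeacons(flows []Flow, isInternal func(string) bool, minCount int, jitter float64) []Finding {
	type tuple struct {
		s, d string
		p    int
	}
	seen := map[tuple][]time.Time{}
	for _, f := range flows {
		if f.Proto != "udp" || !isInternal(f.SrcIP) || isInternal(f.DstIP) || expectedUDP[f.DstPort] {
			continue
		}
		k := tuple{f.SrcIP, f.DstIP, f.DstPort}
		seen[k] = append(seen[k], f.TS)
	}
	var out []Finding
	for k, ts := range seen {
		if len(ts) < minCount {
			continue
		}
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		gaps := make([]time.Duration, 0, len(ts)-1)
		for i := 1; i < len(ts); i++ {
			gaps = append(gaps, ts[i].Sub(ts[i-1]))
		}
		sorted := append([]time.Duration(nil), gaps...)
		sort.Slice(sorted, func(i, j int) bool { return sorted[i] < sorted[j] })
		median := sorted[len(sorted)/2]
		regular := true
		for _, g := range gaps {
			if float64(absDur(g-median)) > jitter*float64(median) {
				regular = false // one long silence or burst breaks the cadence
				break
			}
		}
		if regular {
			out = append(out, Finding{k.s, k.d, k.p, len(ts), median})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Count > out[j].Count })
	return out
}

// SampleFlows returns constructed records: one host checking in to an external UDP port
// about every minute (the pattern we want), plus DNS, NTP, an irregular session and a
// TCP flow that the UDP heuristic must ignore.
func SampleFlows() []Flow {
	base := time.Date(2018, 6, 28, 9, 0, 0, 0, time.UTC)
	var flows []Flow
	for i, skew := range []int{0, 2, -1, 3, 0, 1} { // seconds of jitter around a 60 s beat
		flows = append(flows, Flow{base.Add(time.Duration(i*60+skew) * time.Second), "10.0.0.5", "203.0.113.7", 9008, "udp"})
	}
	flows = append(flows,
		Flow{base.Add(5 * time.Second), "10.0.0.5", "10.0.0.2", 53, "udp"},         // internal DNS
		Flow{base.Add(7 * time.Second), "10.0.0.9", "198.51.100.1", 123, "udp"},   // NTP, expected port
		Flow{base.Add(10 * time.Second), "10.0.0.9", "198.51.100.3", 7777, "udp"}, // irregular VoIP-like session
		Flow{base.Add(25 * time.Second), "10.0.0.9", "198.51.100.3", 7777, "udp"},
		Flow{base.Add(400 * time.Second), "10.0.0.9", "198.51.100.3", 7777, "udp"},
		Flow{base.Add(410 * time.Second), "10.0.0.9", "198.51.100.3", 7777, "udp"},
		Flow{base.Add(12 * time.Second), "10.0.0.5", "203.0.113.7", 9008, "tcp"}, // not UDP, out of scope
	)
	return flows
}

func main() {
	for _, f := range SuspectUDPBeacons(SampleFlows(), IsInternalNet, 4, 0.25) {
		fmt.Printf("suspect UDP beacon %s -> %s:%d, %d flows, median gap %s\n", f.SrcIP, f.DstIP, f.DstPort, f.Count, f.MedianGap)
	}
}
```

The regularity test is deliberately strict (every gap within 25% of the median); real implants add random sleep, so in production you would widen the tolerance, look at longer windows, and combine this with rarity of the destination port across the whole estate rather than treating any single hit as an alert.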

DDKONG, which the group has used since February 2017, has no custom communication protocol of its own, and it is unclear whether this actor is its only user.

According to the researchers, the final payloads of both families point to cyber espionage against political targets rather than financial theft.

Since RANCOR targets people who are not necessarily technically savvy, the usual advice applies: treat unsolicited documents arriving by email with suspicion, do not enable macros or follow links inside them, and verify the sender through another channel before opening anything.

Pair that with behaviour-based endpoint protection that can flag malware by what it does rather than by signature alone, and keep it and other software up to date.

Think unconventionally to mitigate cybersecurity risks

Taking a conventional approach to security is typically about “keeping the bad stuff out” of your network, whether it be spam, viruses, malware, DDoS attacks, or any number of other common threats. But in today’s constantly evolving threat landscape, conventional is not enough.

Proactively assessing your security posture and mitigating risk on a continuous basis is crucial. It lowers the probability of a successful attack, and it lets you remediate and recover the business quickly when something does get through.

So, how should organisations take this approach?

1. Mitigate the risk posed by targeted email attacks

Spear phishing and business email compromise (BEC) attacks are highly targeted and researched attacks where criminals typically attempt to defraud individuals and lead them to transfer money or share credentials. Criminals engage in casual conversation with victims through email in an attempt to gain their trust before actually doing anything malicious. In many cases, criminals gather background information on victims through social media, which helps make their efforts more convincing.

The success criminals are experiencing makes targeted threats one of the highest risk vectors for organisations. Based on the Global State of Information Security Survey 2018 by PwC, 31% of respondents cited that BEC compromised their businesses in Singapore. This is among the top five cybersecurity incidents that has impacted businesses. The FBI also estimates that more than US$5 billion has been lost to BEC in recent years. The real challenge for security is that traditional solutions, such as email security gateways and anti-virus solutions, fail to detect these attempts because the messages don’t contain malicious links or attachments. To mitigate the risk of targeted email attacks, an entirely new approach needs to be taken leveraging less traditional methods.

Artificial intelligence (AI) is increasingly being used to analyse message content and sender behaviour and determine, with a high degree of accuracy, whether an email is part of a spear-phishing attack. Domain fraud protection using DMARC (Domain-based Message Authentication, Reporting & Conformance) lets a domain owner tell receivers how to handle mail that fails SPF and DKIM alignment, and delivers reports that distinguish legitimate from fraudulent use of the domain. Another approach is fraud simulation training for high-risk individuals, periodically and automatically testing security awareness with simulated attacks.
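DMARC is a DNS TXT record, and whether it actually protects the domain comes down to a handful of tag values. The Go parser and assessment below is an added example, not code from the article or from any DMARC product; the two records are constructed, example.com is a placeholder, and the assessment rules encode common hardening advice rather than anything RFC 7489 mandates beyond the v= and p= requirements:

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// DMARCPolicy holds the tags from a _dmarc TXT record that matter for an assessment.
type DMARCPolicy struct {
	Policy           string   // p=  : none | quarantine | reject
	SubdomainPolicy  string   // sp= : defaults to p
	DKIMAlign        string   // adkim= : r (relaxed, default) | s (strict)
	SPFAlign         string   // aspf=  : r | s
	Pct              string   // pct= : percentage of failing mail the policy applies to
	AggregateReports []string // rua= : where aggregate reports are sent
}

// ParseDMARC parses a DMARC record (RFC 7489 tag=value list). v=DMARC1 must be the
// first tag and p= is mandatory; unknown tags are ignored, as the RFC requires.
func ParseDMARC(txt string) (DMARCPolicy, error) {
	pol := DMARCPolicy{DKIMAlign: "r", SPFAlign: "r", Pct: "100"} // RFC defaults
	tags := map[string]string{}
	var order []string
	for _, part := range strings.Split(txt, ";") {
		part = strings.TrimSpace(part)
		if part == "" {
			continue
		}
		kv := strings.SplitN(part, "=", 2)
		if len(kv) != 2 {
			return pol, fmt.Errorf("malformed tag %q", part)
		}
		k := strings.ToLower(strings.TrimSpace(kv[0]))
		tags[k] = strings.TrimSpace(kv[1])
		order = append(order, k)
	}
	if len(order) == 0 || order[0] != "v" || tags["v"] != "DMARC1" {
		return pol, errors.New("record must start with v=DMARC1")
	}
	p, ok := tags["p"]
	if !ok {
		return pol, errors.New("mandatory p= tag missing")
	}
	pol.Policy, pol.SubdomainPolicy = p, p
	if sp, ok := tags["sp"]; ok {
		pol.SubdomainPolicy = sp
	}
	if v, ok := tags["adkim"]; ok {
		pol.DKIMAlign = v
	}
	if v, ok := tags["aspf"]; ok {
		pol.SPFAlign = v
	}
	if v, ok := tags["pct"]; ok {
		pol.Pct = v
	}
	if v, ok := tags["rua"]; ok {
		for _, u := range strings.Split(v, ",") {
			pol.AggregateReports = append(pol.AggregateReports, strings.TrimSpace(u))
		}
	}
	return pol, nil
}

// Assess returns the weaknesses a defender would want fixed before relying on DMARC
// to stop mail spoofing this domain. An empty result means the record is enforcing.
func Assess(txt string) ([]string, error) {
	pol, err := ParseDMARC(txt)
	if err != nil {
		return nil, err
	}
	var findings []string
	switch pol.Policy {
	case "none":
		findings = append(findings, "p=none: receivers deliver spoofed mail; only reports are generated")
	case "quarantine":
		findings = append(findings, "p=quarantine: spoofed mail lands in spam instead of being rejected")
	case "reject":
	default:
		findings = append(findings, "unknown p= value "+pol.Policy)
	}
	if pol.SubdomainPolicy != "reject" {
		findings = append(findings, "sp="+pol.SubdomainPolicy+": subdomains can still be spoofed")
	}
	if pol.Pct != "100" {
		findings = append(findings, "pct="+pol.Pct+": policy applies to only that share of failing mail")
	}
	if pol.DKIMAlign == "r" || pol.SPFAlign == "r" {
		findings = append(findings, "relaxed alignment: any subdomain of the org domain passes; use adkim=s/aspf=s if no subdomain sends mail")
	}
	if len(pol.AggregateReports) == 0 {
		findings = append(findings, "no rua= address: no visibility into who is sending as this domain")
	}
	return findings, nil
}

func main() {
	// Constructed records: a monitoring-only deployment next to an enforcing one.
	for _, rec := range []string{
		"v=DMARC1; p=none; rua=mailto:dmarc@example.com",
		"v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; rua=mailto:dmarc@example.com",
	} {
		findings, err := Assess(rec)
		fmt.Printf("%s\n  err=%v findings=%q\n", rec, err, findings)
	}
}
```

Rolling out p=none first and reading the aggregate reports is the right way to start (it tells you which legitimate senders are not yet aligned), but a domain that stays at p=none indefinitely has deployed monitoring, not protection.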

2. Mitigate the risk posed by careless or untrained users

Human error is the Achilles’ heel of cybersecurity systems. In the same Global State of Information Security Survey 2018, 38% of Singapore companies cited employees as the likely source of cyber incidents, since they are on the front line of ever-increasing email-based threats such as phishing, ransomware and malware. As attackers become more sophisticated and prevalent, users need to be aware of the threats and able to recognise malicious emails. Email security is not just the responsibility of IT; it is the responsibility of every employee in your organisation.

Part of mitigating the risk means having the ability to provide regular security training to test employees and increase security awareness of various targeted attacks. Simulated targeted attack training is the most effective form of training. Focus on training high-risk individuals, not just senior executives. Turn your users from part of the attack surface to part of the solution.

3. Mitigate the risk posed by rapid application development

Identifying and remediating application vulnerabilities while maintaining development agility is sometimes challenging. This is particularly true when adopting cloud platforms like AWS and Azure that enable rapid application deployments.

Unfortunately, your applications can act as a significant vector for today’s advanced threats. A single unpatched vulnerability can let an attacker penetrate your network, steal or compromise your (and your customers’) data, and profoundly disrupt your operations. Vulnerabilities in your websites and other public-facing applications can lead to costly data breaches and infiltration. Proactively check for vulnerabilities regularly in your sites and applications.

4. Mitigate the risk of data loss

Sometimes you can do everything right in your approach to security and still have something ugly happen — like have your data lost or held for ransom. That’s why there’s one important step you should take to mitigate the risk of data loss. Protect it. Implement a data protection strategy that not only includes a backup plan, but one that allows for easy recovery as well.

If criminals encrypt your files with ransomware, you can remove the malware, delete the encrypted files and restore them from a recent clean backup. That only works if the backup itself was out of the attacker’s reach: keep at least one copy offline or immutable and test restores regularly, or the ransomware simply encrypts the backups too. With those in place the recovery can take as little as an hour, letting you get back to business and leaving the criminals empty-handed.

By taking these proactive steps to mitigate the security risks in your organisation, you’ll greatly reduce the attack probability, and have the ability to remediate and quickly recover in the event of exposure. Being truly secure requires a lot more than just focusing on keeping the bad stuff out. Instead learn how to mitigate the potential risks before they ever come your way.


Cyberoam Hardware Firewall


Buy a Cyberoam UTM hardware firewall appliance at the best price from an authorized dealer, partner and reseller, with remote and on-site installation support in India.

We provide our firewall, antivirus and antispam solutions across India, including Mumbai, Thane, Navi Mumbai, Vasai, Virar, Panvel, Kharghar, Bhiwandi, Kalyan, Gujarat, Kolkata, Delhi, Chennai and Tamil Nadu. Contact us to buy our firewall service.

Cyberoam 15i NG

Hardware UTM Appliances for Small & Branch Offices

Cyberoam UTM appliances let small offices move from a plain firewall to comprehensive UTM protection at low cost, guarding the network against malware, spam, trojans, DoS and DDoS, phishing, pharming and intrusions. Large organizations can apply uniform security and gain visibility into remote and branch offices through centralized management and Layer 8 identity-based security.

Key Features
  • Stateful Inspection Firewall
  • VPN (SSL VPN & IPSec)
  • Intrusion Prevention System
  • Anti-Virus & Anti-Spyware
  • Anti-Spam
  • Outbound Spam Protection
  • Web Filtering
  • Bandwidth Management
  • Application Visibility & Control
  • Web Application Firewall
  • 3G / 4G / WiMAX Connectivity
  •  IM Archiving & Controls
  • Multiple Link Management
  • On-Appliance Reporting
  • IPv6 Ready
  •  Wi-Fi Appliances
Key Features
Layer 8 Identity-based policies
  • Role-based access at remote locations Visibility into who is doing what
Comprehensive UTM Security
  • Stateful Inspection Firewall
  • Intrusion Prevention System
  • Anti-Virus & Anti-Spyware
  • Anti-Spam
  • Web Filtering
  • Application Visibility & Control
  • On-appliance Reporting
  • Web Application Firewall
  • Outbound Spam Protection
Secure Remote Access
  • IPSec VPN
  • L2TP
  • PPTP
  • SSL VPN
WAN Connectivity & Availability            
  • Bandwidth Management
  • Multiple Link Management
  • 3G / 4G / WiMAX Support
Advanced Networking
  • Multi-core Processing
  • Extensible Security Architecture
  • Active-Active High Availability
  • IPv6 Ready Gold Certified
Wi-Fi Security  
  • Wireless Standards IEEE 802.11a/b/g/n (WEP, WPA, WPA2, 802.11i, TKIP, AES, PSK). WEP and TKIP are supported for legacy clients only; both are cryptographically broken and should stay disabled in favour of WPA2 with AES.
  • Up to 8 BSSID access points
Centralized Security Management         
  • CCC Appliances
  • Cyberoam iView Open Source Solution – Logging & Reporting
  • Cyberoam iView Appliances – Logging & Reporting

We deal in the full range of Cyberoam firewalls for home and office use. To know more about the Cyberoam Next Generation (NG) series and the Cyberoam ia series, contact us.

Cyberoam Firewall Price

All prices include the appliance and a 1-year licence.

Model                 Licensed users   Price
Cyberoam CR 10iNG     20               Rs. 28,078
Cyberoam CR 15iNG     30               Rs. 42,237.65
Cyberoam CR 25iNG     50               Rs. 68,914.30
Cyberoam CR 35iNG     70               Rs. 98,508.00
Cyberoam CR 50iNG     100              Rs. 159,432.00
Cyberoam CR 100iNG    200              Rs. 289,432.00

For more details just call or email us on
Phone:+91 9582907788 Email: sales@itmonteur.net

Fortinet – FortiGate Firewalls

FortiGate® Network Security Platform

Fortinet Consolidated Security Platform delivers unmatched performance and protection while simplifying your network. Fortinet’s Network Security Appliances offer models to satisfy any deployment requirement from the FortiGate-20 series for Small Offices to the FortiGate-5000 series for very Large Enterprises, Service Providers and Carriers. FortiGate platforms integrate the FortiOS operating system with FortiASIC processors and the latest-generation CPUs to provide comprehensive.

Buy a FortiGate UTM hardware firewall appliance from an India-based authorized dealer, partner, supplier and reseller, with remote and on-site installation support in India at the best price.

We provide our firewall, antivirus and antispam solutions across India, including Mumbai, Thane, Navi Mumbai, Vasai, Virar, Panvel, Kharghar, Bhiwandi, Kalyan, Gujarat, Kolkata, Delhi, Chennai and Tamil Nadu. Contact us to buy our firewall service.


IT Monteur understands the increasing threats faced by the SME community, and can offer the right solutions tailored to your company’s needs.

Small office technology needs are increasing

To support employee mobility, many small offices are adding wireless and enabling BYOD – technologies that have traditionally been confined to larger enterprises. These new technologies add new data security and compliance requirements.

Small businesses are a target

Small businesses have historically lacked security capabilities often found at larger enterprises, primarily due to cost and complexity. For this reason, data breaches are increasingly hitting smaller organisations, either for their data or access to the larger businesses they may serve.

According to the Verizon Data Breach Investigations Report, breaches were more common at small organisations than at large ones (25% vs 20%, with the remaining 50% of breached organisations of unknown size).

Why choose Fortinet?

Fortinet’s commitment to quantified, independent third party validation of security effectiveness is unmatched in the industry. Security technologies deployed from network edge to individual endpoints have all earned top marks in real-world testing by NSS Labs, Virus Bulletin, AV Comparatives and more.

Single vendor, comprehensive portfolio

Fortinet is the only UTM vendor able to offer the broad range of security and networking capabilities to dramatically simplify IT infrastructure and security.

Because all products are built in-house they will integrate more tightly and reduce your administration. Your life becomes even easier by working with a single vendor, single procurement process, single administrative experience across products, single support group and single volume licensing program.

FortiGate unified threat management

  • Get up and running in 20 minutes or less with Plug and Play install.
  • Stop attacks before they enter the network.
  • Quickly resolve issues with one-click drill down and actions.
  • Select from the widest variety of performance, port, Wi-Fi and PoE combinations
  • Manage all networking and security from a single console.

FortiAP secure wireless access points

  • Expand wireless coverage with dedicated indoor, outdoor and remote access points
  • Extend security to the very edge with integrated security of Smart APs
  • Simplify remote telework with wireless APs that include wired ports
  • Optimise traffic flow with application prioritisation and other features.

FortiSwitch secure access switches

  • Expand network connectivity and/or physical segmentation with Layer 2 and 3 switching
  • Manage from the established FortiGate console
  • Choose among a wide range of port speeds (1G and 10G), density (8, 24, 32, 48 or 64* ports) and PoE/PoE+ combinations.

Fortinet – FortiGate Firewall Price in India

All prices are for the hardware plus 1 year of 8x5 FortiCare and the FortiGuard UTM Bundle.

Model            Users       Price
FortiGate-30E    1 to 15     Rs. 53,395
FortiGate-60D    1 to 40     Rs. 82,331
FortiGate-70E    1 to 40     Rs. 109,902
FortiGate-90E    15 to 60    Rs. 137,438
FortiGate-100E   15 to 100   Rs. 274,757


Yahoo Hacker linked to Russian Intelligence Gets 5 Years in U.S. Prison

A 23-year-old Canadian man, who pleaded guilty last year for his role in helping Russian government spies hack into email accounts of Yahoo users and other services, has been sentenced to five years in prison.

Karim Baratov (a.k.a Karim Taloverov, a.k.a Karim Akehmet Tokbergenov), a Kazakhstan-born Canadian citizen, was also ordered on Tuesday by United States Judge Vince Chhabria to pay a fine of $250,000.

Baratov had previously admitted his role in the 2014 Yahoo data breach that compromised about 500 million Yahoo user accounts. His role was to “hack webmail accounts of individuals of interest to the FSB,” Russia’s spy agency.

In November, Baratov pleaded guilty to a total of nine counts, including one count of conspiring to violate the Computer Fraud and Abuse Act, and eight counts of aggravated identity theft.

According to the US Justice Department, Baratov and his co-defendant hacker Alexsey Belan worked for two agents—Dmitry Dokuchaev and Igor Sushchin—from the FSB (Federal Security Service) to compromise the accounts.

The Justice Department announced charges for all of the four people in March last year, which resulted in the arrest of Baratov in Toronto at his Ancaster home and then his extradition to the United States.

However, Belan, who was already on the FBI’s Most Wanted Hackers list, and both FSB officers remain in Russia, so they are unlikely to face consequences for their involvement.

Baratov ran an illegal, no-questions-asked hacking service from 2010 until his arrest in March 2017, charging customers around $100 to obtain a victim’s webmail password by tricking the victim into entering their credentials on a fake password-reset page.

According to the court documents, Baratov broke into more than 11,000 email accounts in both Russia and the United States before the Toronto Police Department caught him.

As part of his plea, Baratov admitted to hacking thousands of webmail accounts over seven years and sending those accounts’ passwords to FSB officer Dokuchaev in exchange for money.

The targeted attack allowed the four to gain direct access to Yahoo’s internal networks, and once in, co-defendant hacker Belan started poking around the network.

According to the FBI, Belan discovered two key assets:

  • Yahoo’s User Database (UDB) – a database containing personal information about all Yahoo users.
  • The Account Management Tool – an administrative tool used to make alterations to the targeted accounts, including their passwords.

Belan then used the file transfer protocol (FTP) to download Yahoo’s UDB, which included password-recovery email addresses and a cryptographic value (nonce) unique to each Yahoo account. With the nonce and access to the Account Management Tool, Belan could mint forged session cookies for a target account and log in without its password, which is how he and Baratov reached the specific accounts the FSB officers wanted.

Researchers Defeat AMD’s SEV Virtual Machine Encryption

German security researchers claim to have found a new practical attack against virtual machines (VMs) protected using AMD’s Secure Encrypted Virtualization (SEV) technology that could allow attackers to recover plaintext memory data from guest VMs.

AMD’s Secure Encrypted Virtualization (SEV), available on its EPYC processors, is a hardware feature that encrypts each VM’s memory with a key held by the platform, so that only that guest can read its own data; the aim is to protect it from other VMs and containers and even from an untrusted hypervisor.

Discovered by researchers at the Fraunhofer Institute for Applied and Integrated Security (AISEC) in Munich, the attack, dubbed SEVered, exploits the absence of integrity protection in SEV’s page-wise memory encryption: the hypervisor cannot read the encrypted pages, but it still controls where each guest page is mapped, and that is enough for a malicious hypervisor to extract the full contents of an SEV-protected VM’s memory in plaintext.

Here’s the outline of the SEVered attack, as briefed in the paper:

“While the VM’s Guest Virtual Address (GVA) to Guest Physical Address (GPA) translation is controlled by the VM itself and opaque to the HV, the HV remains responsible for the Second Level Address Translation (SLAT), meaning that it maintains the VM’s GPA to Host Physical Address (HPA) mapping in main memory.

“This enables us to change the memory layout of the VM in the HV. We use this capability to trick a service in the VM, such as a web server, into returning arbitrary pages of the VM in plaintext upon the request of a resource from outside.”

“We first identify the encrypted pages in memory corresponding to the resource, which the service returns as a response to a specific request. By repeatedly sending requests for the same resource to the service while re-mapping the identified memory pages, we extract all the VM’s memory in plaintext.”

During their tests, the team was able to extract a test server’s entire 2GB memory data, which also included data from another guest VM.

In their experimental setup, the researchers used a Linux system on an AMD EPYC 7251 processor with SEV enabled, running the Apache and Nginx web servers and an OpenSSH server in separate VMs.

As the malicious hypervisor, the researchers used the system’s Kernel-based Virtual Machine (KVM), modified to track which physical pages software inside a guest accessed.

Against Apache and Nginx the extraction ran at 79.4 KB/s; OpenSSH’s slower response time brought it down to 41.6 KB/s.

“Our evaluation shows that SEVered is feasible in practice and that it can be used to extract the entire memory from an SEV-protected VM within a reasonable time,” the researchers said. “The results specifically show that critical aspects, such as noise during the identification and the resource stickiness are managed well by SEVered.”

The researchers also recommended a few steps AMD could take to protect the Guest Physical Address (GPA) to Host Physical Address (HPA) mapping from manipulation by the host, which would mitigate the SEVered attack.

The best solution is to provide “a full-featured integrity and freshness protection of guest-pages additional to the encryption, as realized in Intel SGX. However, this likely comes with a high silicon cost to protect full VMs compared to SGX enclaves.”

Alternatively, securely combining a hash of the page’s content with the guest-assigned GPA could be a low-cost, efficient solution, which ensures that “pages cannot easily be swapped by changing the GPA to HPA mapping.”
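To make the two quoted steps and the proposed mitigation concrete, here is an added Python model; it is not code from the SEVered paper, from AMD, or from this article. It assumes a toy machine: 32-byte pages, a keyed XOR stream tweaked with the host physical address standing in for SEV’s address-tweaked AES, a dictionary standing in for the nested page table, and a “web server” whose only job is to return the page behind a URL. The identification step is modelled as the HV watching which guest page a request touches, a simplification of the paper’s access tracking. The `bind_gpa` switch adds the suggested mitigation: an integrity tag that covers the guest-assigned GPA, so a frame written under one GPA cannot be served through another.

```python
"""Toy model of the SEVered attack and the GPA-bound integrity mitigation.

Added example: none of this is code from the SEVered paper or from AMD.
The hardware, hypervisor and guest service classes are simplified stand-ins.
"""
import hashlib
import hmac
import os

PAGE = 32  # toy page size in bytes (real pages are 4 KiB)


class SevHardware:
    """Memory controller: encrypts with a key the hypervisor never sees."""

    def __init__(self, bind_gpa):
        self._key = os.urandom(32)
        self.frames = {}          # hpa -> (ciphertext, integrity tag)
        self.accessed = []        # GPAs the guest touched (an HV sees these via NPT faults)
        self.bind_gpa = bind_gpa  # mitigation switch: tag covers the guest-assigned GPA

    def _keystream(self, hpa):
        # The tweak is the *host* physical address, so a frame decrypts
        # correctly no matter which GPA the guest reaches it through.
        return hashlib.sha256(self._key + hpa.to_bytes(8, "big")).digest()[:PAGE]

    def _tag(self, gpa, plaintext):
        return hmac.new(self._key, gpa.to_bytes(8, "big") + plaintext, "sha256").digest()

    def write(self, gpa, hpa, plaintext):
        pt = plaintext.ljust(PAGE, b"\0")[:PAGE]
        ct = bytes(a ^ b for a, b in zip(pt, self._keystream(hpa)))
        self.frames[hpa] = (ct, self._tag(gpa, pt))

    def read(self, gpa, hpa):
        self.accessed.append(gpa)
        ct, tag = self.frames[hpa]
        pt = bytes(a ^ b for a, b in zip(ct, self._keystream(hpa)))
        if self.bind_gpa and not hmac.compare_digest(tag, self._tag(gpa, pt)):
            raise PermissionError(f"integrity fault: GPA {gpa:#x} served from HPA {hpa:#x}")
        return pt


class Hypervisor:
    """Malicious HV: owns the SLAT (GPA -> HPA) but holds no key."""

    def __init__(self, hw):
        self.hw = hw
        self.slat = {}

    def remap(self, gpa, hpa):
        self.slat[gpa] = hpa


class GuestWebServer:
    """Service inside the VM: GVA -> GPA is its own, GPA -> HPA belongs to the HV."""

    def __init__(self, hv, resources):
        self.hv = hv
        self.resources = resources  # URL path -> GPA of the page holding it

    def handle(self, path):
        gpa = self.resources[path]
        return self.hv.hw.read(gpa, self.hv.slat[gpa])


def build_vm(bind_gpa):
    """One VM with a public page the server returns and two private pages (constructed data)."""
    hw = SevHardware(bind_gpa)
    hv = Hypervisor(hw)
    pages = {0x1000: b"<html>public</html>", 0x2000: b"db_pw=hunter2", 0x3000: b"ssh-key-bytes"}
    for gpa, content in pages.items():
        hpa = 0x10000 + gpa  # frames the HV handed out when the VM booted
        hv.remap(gpa, hpa)
        hw.write(gpa, hpa, content)
    return hv, GuestWebServer(hv, {"/index.html": 0x1000})


def identify_resource_gpa(hv, server, path):
    """Step 1 of SEVered: observe which guest page a request for `path` touches."""
    hv.hw.accessed.clear()
    server.handle(path)
    return hv.hw.accessed[-1]


def severed_extract(hv, server, path):
    """Step 2: point the resource's GPA at every frame in turn and keep requesting it."""
    gpa = identify_resource_gpa(hv, server, path)
    original = hv.slat[gpa]
    leaked = {}
    for hpa in sorted(hv.hw.frames):
        hv.remap(gpa, hpa)
        try:
            leaked[hpa] = server.handle(path).rstrip(b"\0")
        except PermissionError:
            leaked[hpa] = None  # the GPA-bound tag caught the swap
    hv.remap(gpa, original)
    return leaked


if __name__ == "__main__":
    for bind in (False, True):
        hv, server = build_vm(bind_gpa=bind)
        print(f"GPA-bound tags: {bind}")
        for hpa, data in sorted(severed_extract(hv, server, "/index.html").items()):
            print(f"  HPA {hpa:#x}: {data!r}")
```

Without the tag, every frame, including the other pages’ secrets, comes back in plaintext through the public URL, because decryption depends only on the host address the frame sits at. With the tag bound to the GPA, only the frame that was actually written for `/index.html` decrypts cleanly; every swapped frame faults. The model deliberately leaves out the noise handling and “resource stickiness” the paper evaluates, and it does not model the integrity-plus-freshness option the authors compare with SGX.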

Researchers unearth a huge botnet army of 500,000 hacked routers

More than half a million routers and storage devices in dozens of countries have been infected with a highly sophisticated piece of IoT botnet malware, likely designed by a Russia-backed state-sponsored group.

Cisco’s Talos cyber intelligence unit has discovered an advanced piece of IoT botnet malware, dubbed VPNFilter, that has been designed with versatile capabilities to gather intelligence, interfere with internet communications, and conduct destructive cyber attack operations.

The malware has already infected at least 500,000 devices in at least 54 countries, most of them small office and home office routers from Linksys, MikroTik, NETGEAR, and TP-Link. Some network-attached storage (NAS) devices are known to have been targeted as well.

VPNFilter is a multi-stage, modular malware that can steal website credentials and monitor industrial control or SCADA systems, such as those used in electric grids, other infrastructure and factories.

The malware communicates over the Tor anonymizing network and even contains a kill command for routers, with which the malware deliberately renders the infected device unusable.

Unlike most other malware that targets internet-of-things (IoT) devices, the first stage of VPNFilter persists through a reboot, gaining a persistent foothold on the infected device and enabling the deployment of the second stage malware.

VPNFilter is named after a directory (/var/run/vpnfilterw) the malware creates to hide its files on an infected device.

Since the research is still ongoing, Talos researchers “do not have definitive proof on how the threat actor is exploiting the affected devices,” but they strongly believe that VPNFilter does not exploit any zero-day vulnerability to infect its victims.

Instead, the malware targets devices that are still exposed to well-known, public vulnerabilities or that have default credentials, making compromise relatively straightforward.

Talos researchers have high confidence that the Russian government is behind VPNFilter because the malware’s code overlaps with versions of BlackEnergy, the malware responsible for multiple large-scale attacks targeting devices in Ukraine that the U.S. government has attributed to Russia.

Although devices infected with VPNFilter have been found across 54 countries, researchers believe the hackers are specifically targeting Ukraine, following a surge in infections in the country on May 8.

“The malware has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide,” Talos researcher William Largent said in a blog post.

The researchers said they released their findings before completing their research, out of concern over a potential upcoming attack against Ukraine, which has repeatedly been the victim of Russian cyber attacks, including large-scale power outages and NotPetya.

If your device is already infected with the malware, reset your router to factory defaults to remove the potentially destructive malware, and update the device’s firmware as soon as possible.

You need to be more vigilant about the security of your smart IoT devices. To protect against such malware attacks, change the default credentials on your devices.

If your router is vulnerable out of the box and cannot be updated, throw it away and buy a new one; it is that simple. Your security and privacy are worth more than the price of a router.

Moreover, always put your routers behind a firewall, and turn off remote administration unless you really need it.

Hackers are exploiting a new zero-day flaw in GPON routers

If, despite the various active cyber attacks against GPON Wi-Fi routers, you still haven’t taken them off the Internet, be careful: a new botnet has joined the GPON party, and it is exploiting an undisclosed zero-day vulnerability in the wild.

Security researchers from Qihoo 360 Netlab have warned of at least one botnet operator exploiting a new zero-day vulnerability in Gigabit-capable Passive Optical Network (GPON) routers manufactured by South Korea-based DASAN Zhone Solutions.

The botnet, dubbed TheMoon, was first seen in 2014 and has added at least six IoT device exploits to its successive versions since 2017; it now exploits a new, undisclosed zero-day flaw in Dasan GPON routers.

Netlab researchers successfully tested the new attack payload on two different versions of GPON home router, though they didn’t disclose details of the payload or release any further details of the new zero-day vulnerability to prevent more attacks.

TheMoon botnet made headlines in 2015 and 2016 after it was found spreading to a large number of ASUS and Linksys router models using remote code execution (RCE) vulnerabilities.

Earlier this month, at least five different botnets were found exploiting two critical vulnerabilities in GPON home routers, disclosed last month, that together allow remote attackers to take full control of the device.

As detailed in our previous post, the five botnet families, Mettle, Muhstik, Mirai, Hajime, and Satori, have been found exploiting an authentication bypass flaw (CVE-2018-10561) and a root RCE flaw (CVE-2018-10562) in GPON routers.

Shortly after the details of the vulnerabilities went public, a working proof-of-concept (PoC) exploit for the GPON router vulnerabilities was made available to the public, making exploitation easy even for unskilled hackers.

In separate research, Trend Micro researchers spotted Mirai-like scanning activity in Mexico, targeting GPON routers that use default usernames and passwords.

“Unlike the previous activity, the targets for this new scanning procedure are distributed,” Trend Micro researchers said. “However, based on the username and password combinations we found in our data, we concluded that the target devices still consist of home routers or IP cameras that use default passwords.”


How to Protect Your Wi-Fi Router From Hacking

The two previously disclosed GPON vulnerabilities had already been reported to DASAN, but the company hasn’t yet released any fix, leaving millions of its customers open to these botnet operators.

So, until the router manufacturer releases an official patch, users can protect their devices by disabling remote administration and using a firewall to block access from the public Internet.

Making these changes to a vulnerable router restricts access to the local network, within range of your Wi-Fi, which removes the remote attack surface; note that the flaws themselves remain unpatched and can still be exploited by anyone who gets onto the local network.

We will update this article with new details, as soon as they are available. Stay Tuned!