If the practical simplicity of Chrome OS is what made you choose a Chromebook, chances are you’d prefer something along the same lines for your presentation needs. With Zoho Show for Chromebook, we’re proud to offer a better, simpler presentation experience for users worldwide.
Create informative presentations with ease
If you are planning to present a complex topic to a large audience, it might be tedious to fit in all the information on the slides and still make it engaging for viewers. On top of that, it can be a frustrating experience if the presentation tool UI is complicated.
With Show’s clutter-free interface, you can create visually engaging slideshows with ease. The tool is packed with a number of useful features and resources. You can add custom charts to showcase your data in an easy-to-grasp format and choose free images from Unsplash to catch the attention of the audience. You can also throw in a GIF to lighten the mood with our Giphy integration. If you wish to give the audience variety, Show makes it easy to add a video as well.
Collaborate and Deliver your ideas
If you are working in a team for your school or college project, effective collaboration is key and it’s important to ensure that there is no communication gap between team members. Forget about different versions and emailing files to each other: Show lets you work with all your teammates at once. Make comments, review changes on slides and work together without any hassle.
Simplify presenting with Remote View
Have you ever accidentally switched to the next slide while giving a presentation or dropped your notecards and lost your place? You can now make use of the Remote View option to ensure that both you and your audience have the best possible experience. Show gives the presenter easy access to notes with this view, while your audience remains focused on the current slide only.
Enhance classroom learning
Educators are often on the forefront of using innovative tools to impart knowledge. Chromebooks are easy-to-use and according to Google, almost 30 million students and educators use Chromebooks to enhance their learning experience. With the increasing use of Chromebooks for educational purposes, it’s important that educators have the necessary tools to make learning enjoyable for the students.
With Show’s abundant list of features, conveying complex information through slides has never been simpler. Creating engaging, visually interesting presentations that students will appreciate and never forget can be the difference between a memorable class and a class students just want to get over with.
By using Zoho Show for Chromebook, you can simplify your slide creation process and create engaging and innovative stories for your audience.
As we described last week in this KBA, Sophos and its customers were the victims of a coordinated attack by an unknown adversary. This attack revealed a previously unknown SQL injection vulnerability that led to remote code execution on some of our firewall products. As described in the KBA, the vulnerability has since been remediated.
This post is the result of many hours of research and reverse-engineering by SophosLabs and Sophos internal security teams, working in conjunction with product management to coordinate a hotfix and global response within two days of discovering this attack. In the spirit of transparency, we want to describe the nature of the attack and a detailed analysis of the malware based on our investigation and current understanding.
There was significant orchestration involved in the execution of the attack, using a chain of Linux shell scripts that eventually downloaded ELF binary executable malware compiled for a firewall operating system. This attack targeted Sophos products and apparently was intended to steal sensitive information from the firewall.
How the attack began
The infection process started when an attacker discovered, and exploited, a zero-day SQL injection remote code execution vulnerability. The exploit of this vulnerability resulted in the attacker being able to insert a one-line command into a database table.
This initial injected command triggered an affected device to download a Linux shell script named Install.sh from a remote server on the malicious domain sophosfirewallupdate[.]com. The command also wrote this shell script to the /tmp directory on the device, used the chmod program to designate the file as executable, and executed it.
The script (written to the appliance as x.sh) ran a series of SQL commands and dropped additional files into the virtual file system to lay the groundwork for the rest of the attack.
The Install.sh script, initially, ran a number of Postgres SQL commands to modify or zero out the values of certain tables in the database, one of which normally displays the administrative IP address of the device itself. It appears that this was an attempt to conceal the attack, but it backfired: On some appliances, the shell script’s activity resulted in the attacker’s own injected SQL command line being displayed on the user interface of the firewall’s administrative panel. In place of what should have been an address, it showed a line of shell commands.
This script also dropped at least two other shell scripts into the /tmp directory, and modified at least one shell script that is part of the firewall’s operating system to add a set of commands to the end of the script. This last script, in particular, is relevant because the malware modified services to ensure it ran every time the firewall boots up; it served as a roundabout persistence mechanism for the malware.
The three shell ELF game
The installer script, x.sh, dropped two completely new shell scripts, and modified an existing script that’s part of the operating system.
One of the dropped shell scripts was named .lp.sh and its primary function was to connect to the malicious sophosfirewallupdate site, and download a Linux ELF executable file compiled to run on the firewall operating system named lp. The script wrote that downloaded file to /tmp with a filename of just b.
The b program, when run, deleted itself from the filesystem of the device, so it was only present in memory. It appeared in the process list as a program whose name, cssconf.bin, is one character off from a legitimate process that normally runs on a firewall, cscconf.bin. The highlighted process list below shows the malicious program as it would have appeared running on an infected firewall. It is also notable that it listed its parent process ID as 1, which the legitimate cscconf.bin would never have done.
While b was in memory, it repeated a series of tasks every 3 to 6 hours — a delay interval chosen at random the first time it ran, and reused thereafter.
First, b checks to see if it can make a connection to a machine with the IP address of 43.229.55.44. If the ELF cannot make a connection to that IP address, it attempted to resolve the IP address for the malicious domain sophosproductupdate[.]com.
If it resolved the IP for that domain, and DNS did not return a value of 127.0.0.1 as a result, then it downloaded another Linux ELF executable called sophos.dat, which we’ll discuss in the next section.
Shell script number two dropped by the Install.sh/x.sh script is written to the /tmp directory with a filename of .pg.sh. Its main purpose was to download a second, different ELF executable, which was called bk on the webserver and gets written to the filesystem with the name .post_MI.
Earlier we mentioned that Install.sh, the first stage dropper, ran a number of Postgres SQL commands. One of these commands modified a specific service value entry so that .post_MI executed whenever that service executed; this provided persistence by starting the malware at every reboot.
This executable had limited functionality: It checked to see whether a file named .a.PGSQL (more on this in a minute) has been written to the /tmp directory, and if it didn’t find it, it attempted to download a shell script from the web server hosted at ragnarokfromasgard.com, called patch.sh. At the time we performed the analysis of the attack, this server wasn’t responding.
The third shell script is a modification of a shell script that is already part of the firewall’s internal operating system, named generate_curl_ca_bundle.sh. The Install.sh/x.sh script makes a backup copy of the original (prepending a dot to the filename, .generate_curl_ca_bundle.sh) before it modified the original script to append code to the file. That code writes out and drops yet another shell script, /tmp/I (just a capital letter i).
The I script has two primary functions. First, it performs a “touch” of the /tmp/.a.PGSQL file (an act that, if the file does not exist, creates it in the /tmp directory). The previously-mentioned .post_MI ELF executable checks to see if .a.PGSQL exists as part of its execution.
I then retrieves a shell script file named lc from the sophosfirewallupdate domain, and writes that to the /tmp directory as .n.sh and executes it. This script replicated the same behavior as the .lp.sh script (mentioned above), and attempts to download and execute the b ELF executable from the malicious sophosfirewallupdate website. This download of b is the persistence mechanism, given that the b process deletes itself off disk as one of its first actions.
Data exfiltration process
Note: This section describes our understanding of the data exfiltration capabilities of the malware at the time of publication of this article, but we have not discovered any evidence that the data collected have been successfully exfiltrated.
The steps involving the shell scripts and ELF binary executables apparently were done in order to bring the attack to the point where the malware downloaded and executed a file that had been named Sophos.dat on the remote server, saved to the filesystem as 2own.
This malware’s primary task appears to be data theft, which it can perform by retrieving the contents of various database tables stored in the firewall, as well as by running some operating system commands. At each step, the malware collects information and then concatenates it to a file it stores temporarily on the firewall with the name Info.xg.
First, the binary attempts to retrieve the public-facing IP address where the firewall is installed. It does this first by querying the website ifconfig.me, and if that site is not reachable for some reason, it tries to do the same by contacting checkip.dyndns.org.
Next, it queries a number of data storage areas on the firewall to retrieve information about the firewall and its users.
This diagram below shows the capability of the malware to exfiltrate data. As of the date of publication, we have not discovered any evidence that the data collected have been successfully exfiltrated.
The malware shows the capability to retrieve only firewall resident information, which may include:
The firewall’s license and serial number
A list of the email addresses of user accounts that are stored on the device, followed by the primary email belonging to the firewall’s administrator account
Firewall users’ names, usernames, the encrypted form of the passwords, and the salted SHA256 hash of the administrator account’s password. Passwords were not stored in plain text.
A list of the user IDs permitted to use the firewall for SSL VPN and accounts that are permitted to use a “clientless” VPN connection.
The malware then queried an internal database of the firewall to retrieve a list of the IP address allocation permissions for the users of the firewall, as well as information about the appliance itself: What version of the operating system is running, what type of CPU and amount of memory is present on the device; how long has it been operational since the last reboot (the ‘uptime’); and the output of the ifconfig and ARP tables.
Once the malware wrote all this information to Info.xg, it then compressed it using the tar compression tool, and then used OpenSSL to encrypt the archive file. The attackers used the Triple-DES algorithm to encrypt the file, and for a pass phrase, the word “GUCCI” in all capital letters. The malware is then intended to attempt to upload this encrypted file to a machine at the IP address 38.27.99.69, and then cleans up its tracks by deleting the files temporarily created while it collected the information.
Remediation and response
Files associated with this attack have been added to the definition Linux/Agnt-G and domains and IP addresses have been flagged as malicious in the SophosXL domain reputation service.
A hotfix update has already been released to Sophos customers to plug the hole used by the attackers to access the firewalls. If you don’t have automatic updates enabled in the firewall, please follow these instructions to enable them.
While the best source of information for sysadmins will be the Sophos knowledge base entry on this issue, there are a few steps Sophos customers can take immediately to prevent this from happening to firewall appliances.
Since the attack was discovered, Sophos has taken a number of steps, which we can summarize as follows: SophosLabs blocked domains found in initial forensic analysis of the attack, and later identified and blocked additional domains and IP addresses associated with the attack. We notified customers about mitigation steps. We issued a telemetry update to firewalls; and we designed, developed, and tested a hotfix to mitigate the SQL injection and this attack, and then pushed the hotfix to supported devices. Sophos also has submitted a request for a CVE and will add the CVE number to the knowledge base article once available. We have also taken additional actions that fall outside the scope of this article.
This issue has manifested itself on systems that have exposed the HTTPS admin service or the User Portal on the WAN interface. Community manager Marco Ginoccio writes: ” To prevent this issue, choose the Administration link on the left-hand navigation panel of the management console, then click the Device Access page illustrated below. Customers must ensure that both Admin services and User Portal are deactivated on the WAN interface as highlighted:”
/tmp/ip (result of http://checkip.dyndns.org/ip_dyn)
/tmp/ip_dyn (result of https://ifconfig.me/ip)
Net Universe offers all Sophos Devices and subscritpions also consultant services with worldwide Delivery Services. Send us an email to [email protected] for more information or visit https://www.netuniversecorp.com/sophos.
A popular solution for organizations looking to enable employees to work remotely, virtual desktops have come a long way from the clunky VPN sessions you may be used to. Services such as Windows Virtual Desktop delivered on Azure provide users with access to all the applications and services that they require for their day-to-day work.
Deploying Windows Virtual Desktop
When run on a virtual machine hosted with a cloud provider such as Azure, a large part of the virtual desktop solution is managed by the cloud provider. While this lightens the admin load, you still need to secure the service against cyber threats, and ensure compliance with your organization’s web browsing and data loss prevention policies.
To help you get started, we’ve created two demo videos to help you get setup quickly. The first guides you through deploying Windows Virtual Desktop in an Azure Subnet from Azure marketplace and securing it with Sophos Intercept X. The second walks you through configuring Windows Virtual Desktop to route traffic to your XG Firewall.
VDI or RDS – which virtual desktop deployment is right for you?
During deployment of your virtual desktop environment you’ll be asked to decide between two options, each with cloud provider cost implications.
RDS (Remote Desktop Session) – also known as ‘Pooled’ or ‘Multi Session’. RDS utilizes the Windows Server operating system (Windows 10 multi-session) to support multiple user sessions on the same virtual machine, sharing the same resources (pool). This is the most cost-effective solution as one virtual machine is used by multiple users.
VDI (Virtual Desktop Infrastructure) – also known as ‘Personal’. VDI utilizes the Windows client operating system (Windows 10 Enterprise) to provides a single user with a dedicated workstation experience. This means the solution will also use a single virtual machine for each user which can become costly but may be required for resource hungry users.
Securing Virtual Desktops with Sophos Intercept X
Virtual desktops are susceptible to the same threats as physical laptops and desktops such as malware and exploits. You can protect them with Sophos Intercept X for Server or Sophos Intercept X for Endpoint: which license you need will depend on whether you choose RDS or VDI.
Protecting RDS environments
In RDS environments you need to secure the session host i.e. the virtual machine used to run virtual desktops sessions for your user. As a result the Windows Virtual Desktop is detected as Windows Server in Sophos Central, our security management platform, and is protected with Sophos Intercept X for Server. Simply apply one server license for each virtual machine (VM).
The table below shows the default number of VMs provisioned based on usage profile and number of users:
Users
Usage
VMs / Sophos licenses
Usage
VMs / Sophos licenses
Usage
VMs / Sophos licenses
100
Light
5
Medium
11
Heavy
21
250
Light
11
Medium
16
Heavy
32
500
Light
21
Medium
32
Heavy
63
Protecting VDI environments
VDI is a little different, as here we’re securing an individual user. Therefore, to secure VDI environments you need Sophos Intercept X for Endpoint – one licence per user.
Applying Sophos protection to Virtual Desktop for Azure
In our setup video, we selected Pooled (or RDS) as this is the most common scenario. After the initial setup of Virtual Desktop for Azure, the next step is to download the Intercept X for Server agent to protect your multi-session environment.
The second half of the demo video covers downloading the Sophos Intercept X for Server installer from Sophos Central, running the installer on the session host, and configuring your policy to protect users.
Securing the network with XG Firewall
Once your host session is secure, you now need to secure traffic going out to the internet, or to other networks. Sophos XG Firewall will secure the inbound and outbound traffic to your virtual desktop environments and enable your teams to enforce compliance on a network level.
Watch the second demo video to see how to configure Windows Virtual Desktop to route traffic to your XG Firewall and get best practices for configuring the XG Firewall to protect the Windows Virtual Desktop environment.
Helpful Resources:
Net Universe offers all Sophos Devices and subscritpions also consultant services with worldwide Delivery Services. Send us an email to [email protected] for more information or visit https://www.netuniversecorp.com/sophos.
Ransomware operators are always on the lookout for a way to take their ransomware to the next level. That’s particularly true of the gang behind LockBit. Following the lead of the Maze and REvil ransomware crime rings, LockBit’s operators are now threatening to leak the data of their victims in order to extort payment. And the ransomware itself also includes a number of technical improvements that show LockBit’s developers are climbing the ransomware learning curve—and have developed an interesting technique to circumvent Windows’ User Account Control (UAC).
Because of recent dynamics in the ransomware world, we suspect that this privilege-escalation technique will pop up in other ransomware families in the future. We’ve seen a surge in “imposter” ransomware that are essentially rebranded variants of already-existing ransomware. Not a single day goes by where a new brand of ransomware does not come out. It has become surprisingly easy to clone ransomware and release it, with small modifications, under a different umbrella.
The Ransomware Learning Curve
Before we jump into the synopsis of LockBit, let’s take a moment to look at how ransomware is developed, in general. Many families follow a common timeline when it comes to the techniques and procedures ransomware developers implement at each stage. This appears to stem from the learning curve involved in creating ransomware, and the iteration of the malware as the developer builds his or her related knowledge of the malware craft.
Each ransomware seems to have an “infancy phase,” where the developer implements TTPs hastily just so the “product” can come out and start gaining its reputation. In this phase, the simplest ideas are implemented first, strings are usually plain text, the encryption is implemented in a way that only a single-thread is used, and LanguageID checks are in place to avoid encrypting computers in CIS countries. and avoid attracting unwanted attention from CIS law enforcement agencies.
After about 2 months into the ransomware operation, the developer starts implementing more sophisticated elements. They may introduce multi-threading, establish a presence in underground forums, obfuscate or encrypt strings in the binary, and there is usually a skip list/kill list for services and processes.
Around 4 months into the ransomware’s life, we start seeing things get more serious. The business model may now switch to Ransomware as a Service (RaaS), putting an Affiliate program in place. Oftentimes, binaries are cryptographically signed with valid, stolen certificates. There is a possibility that the ransomware developer starts implementing UAC bypasses at this stage. This appears to be the stage the LockBit group is entering.
Advertising the goods
As with most ransomware, LockBit maintains a forum topic on a well-known underground web board to promote their product. Ransomware operators maintain a forum presence mainly to advertise the ransomware, discuss customer inquiries and bugs, and to advertise an affiliate program through which other criminals can lease components of the ransomware code to build their own ransomware and infrastructure.
In January, LockBit’s operators created a new thread in the web board’s marketplace forum, announcing the “LockBit Cryptolocker Affiliate Program” and advertising the capabilities of their malware. The post claims that the new version had been in development since September of 2019, and emphasizes the performance of the encryptor and its lower use of system resources to prevent its detection.
A forum post announcing LockBit’s affiliate program.
LockBit’s post indicates that “we do not work in the CIS,” meaning that the ransomware will not target victims in Russia and other Commonwealth of Independent States countries. This comes as no surprise—as we have seen previously, CIS authorities don’t bother investigating these groups unless they are operating against targets in their area of jurisdiction.
That does not mean that the LockBit group won’t do business with other CIS-based gangs. In fact, they won’t work with English-speaking developers without a Russian-speaking “guarantor” to vouch for them.
Escalating the extortion
In this most recent evolution of LockBit, the malware now drops a ransom note that threatens to leak data the malware has stolen from victims: “!!! We also download huge amount of your private data, including finance information, clients personal info, network diagrams, passwords and so on. Don’t forget about GDPR.”
LockBit ransom note
If the threat were to be carried out, it might result in real-world sanctions against the ransomware victims from regulators or privacy authorities—for example, for violating the European Union’s General Data Privacy Rules (GDPR) that make companies responsible for securing sensitive customer data in their possession.
An increasing number of ransomware gangs use extortion that threatens the release of private data, which might include sensitive customer information, trade secrets, or embarrassing correspondence to incentivize victims to pay the ransom, even if they have backups that prevented data loss. The data leak threat has become a signature of the REvil and Maze ransomware gangs; the Maze group has gone as far as to publicly publish chunks of data from victims who fail to pay by the deadline, taking down the dumps when they are finally paid.
Picking through LockBit’s code
From a first glance at the recent LockBit sample with a reverse-engineering tool, we can tell that the program was written primarily in C++ with some additions made using Assembler. For example, a few anti-debug techniques employ the fs:30h function call to manually check the PEB (Process Environment Block) for the BeingDebugged flag, instead of using IsDebuggerPresent().
The first thing the ransomware does at execution is to check whether the sample was executed with any parameters added from the command line. Usually, this is done to check for whether the sample is being executed in a sandbox environment. Contemporary malware often requires that the command to run the malware use specific parameters to prevent the malware from being analyzed by an automated sandbox, which often execute samples without parameters. But the LockBit sample we examined doesn’t do that—it won’t execute if there is any parameter entered from the command line. If there are no arguments in the command that executes it, Lockbit hides its console output, where the malware prints debug messages, and proceeds to do its job.
The command-line parameter checker in LockBit halts the ransomware if there’s any parameter passed.
This could be intended to detect if the sample was executed in a sandbox environment. But it’s possible that either the malware author made a mistake in the implementation of the check (and wanted to check the other way around), or that this behavior is just a placeholder, and future versions will introduce different logic.
Hiding strings
LockBit’s author also used several techniques to make it more difficult to reconstruct the code behind it. The Portable Executable (PE) binary shows signs of being heavily optimized, as well as some efforts by the group to cover their coding tracks—or at least get rid of some of the low-hanging fruit that reverse engineering tools look for, such as unencrypted text strings.
Those heavy optimizations also increase LockBit’s performance. The binary makes heavy use of Intel’s SSE instruction set and architecture-specific features to boost its performance. That includes the use of multiple XMM registers used to store and decrypt the service names, process names and other strings used to interact with the operating system that are unique to the ransomware.
Xmmword registers store encrypted LockBit strings
These string variables get decrypted on the fly with a 1-byte XOR key unique to each string: the first hex byte of every variable.
Almost all the functions contain a small routine that loops around and is in charge of decrypting hidden strings. In this case, we can see that how the original MSSQLServerADHelper100 service name gets de-obfuscated: the malware leverages a one-byte “0A” XOR key to decrypt the plaintext service name.
Deobfuscating service names in the source
Check your privilege
To ensure that it can do the most damage possible, LockBit has a procedure to check whether its process has Administrator privileges. And if it doesn’t, it uses a technique that is growing in popularity among malware developers: a Windows User Account Control (UAC) bypass.
Leveraging OpenProcessToken, it queries the current process via a TOKEN_QUERY access mask. After that, it calls CreateWellKnownSid to create a user security identifier (SID) that matches the administrator group (WinBuiltinAdministratorsSid), so now the malware has a reference it can use for comparisons. Finally, it checks whether the current process privileges are sufficient for Administrator rights, with a call to CheckTokenMembership.
Checking Administrator SID against the current process’ SID
If the current process does not have Admin privileges, the ransomware tries to sidestep Windows UAC with a bypass. In order for that to succeed, a Windows COM object needs to auto-elevate to Admin-level access first.
To make this possible, LockBit calls a procedure called supMasqueradeProcess upon process initialization. Using supMasqueradeProcess allows LockBit to conceal its process’ information by injecting into a process running in a trusted directory. And what better target is there for that than explorer.exe?
The source code for the masquerade procedure can be found in a Github repository.
LockBit “masquerades” as explorer.exe
With the use of IDA Pro’s COM helper tool, we see two CLSIDs—globally unique identifiers that identify COM class object—that LockBit’s code references. CLSIDs, represented as 128-bit hexadecimal numbers within a pair of curly braces, are stored in the Registry path HKEY_LOCAL_MACHINESoftwareClassesCLSID.
CLSIDs recognized by IDA.
Looking up these reveals that the two CSLIDS belong to IColorDataProxy and ICMLuaUtil—both undocumented COM interfaces that are prone to UAC bypass.
Name
CLSID
DLL
CMSTPLUA
{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
..system32cmstplua.dll
Color Management
{D2E7041B-2927-42fb-8E9F-7CE93B6DC937}
..system32colorui.dll
Masquerading as explorer.exe, LockBit calls CoInitializeEx to initialize the COM library, with COINIT_MULTITHREADED and COINIT_DISABLE_OLE1DDE flags to set the concurrency model. The hex values here (CLSIDs) are then moved and aligned into the stack segment register, and the next function call (lockbit.413980) will further use them.
UAC bypass step 1
UAC bypass step 2
Lockbit.413980 hosts the COM elevation moniker, which allows applications that are running under user account control (UAC) to activate COM classes (via the following format: Elevation:Administrator!new:{guid} ) with elevated privileges.
The malware adds the 2 previously seen CLSIDs to the moniker and executes them.
The COM Elevation Moniker in use.
Now, the privilege has been successfully elevated with the UAC bypass and the control flow is passed back to the ransomware. We also notice two events and a registry key change during the execution:
LockBit enumerates the currently running processes and started services via the API calls CreateToolhelp32Snapshot, Process32First, Process32Next and finally OpenProcess, and compares the names against an internal service and process list. If one process matches with one on the list, LockBit will attempt to terminate it via TerminateProcess.
The procedure to kill a service is a bit different. The malware will first connect to the Service Control Manager via OpenSCManagerA. It then attempts to check whether a service from the list exists via OpenServiceA. If the targeted service is present, it then tries to determine its state by calling to QueryServiceStatusEx. Based on the status returned, it will call ControlService with the parameter SERVICE_CONTROL_STOP (0x00000001) on the specific service to stop it. But before that, another function (0x40F310) will cycle through all dependent services in conjunction with the target service, so dependencies are stopped too. The malware will initiate calls to EnumDependentServicesA to achieve this.
Hardcoded service names being checked against running services
The services that the malware tries to stop include anti-virus software (to avoid detection) and backup solution services. (Sophos is not affected by this attempt.) Other services are stopped because they might lock files on the disk, and might make it more difficult for the ransomware to easily acquire handles to files—stopping them improves LockBit’s effectiveness.
Some of the services of note that the ransomware attempts to stop, in the order they are coded into the ransomware, are:
DefWatch
Symantec Defwatch
ccEvtMgr
Norton AntiVirus Event Manager Service
ccSetMgr
Symantec Common Client Settings Manager Service
SavRoam
Symantec AntiVirus suite
RTVscan
Symantec AntiVirus
QBFCService
QuickBooks is an accounting software
QBIDPService
QuickBooks for Windows by Intuit, Inc..
Intuit.QuickBooks.FCS
QuickBooks for Windows by Intuit, Inc..
QBCFMonitorService
QuickBooks for Windows by Intuit, Inc..
YooBackup
Wooxo Backup
YooIT
Wooxo Backup
zhudongfangyu
360 by Qihoo 360 Deep Scan
sophos
Sophos
stc_raw_agent
STC Raw Backup Agent
VSNAPVSS
StorageCraft Volume Snapshot VSS Provider
VeeamTransportSvc
Veeam Backup Transport Service
VeeamDeploymentService
Veeam Deployment Service
VeeamNFSSvc
Veeam Backup and Replication Service
veeam
Veeam
PDVFSService
Veritas Backup Exec PureDisk Filesystem
BackupExecVSSProvider
Veritas Backup Exec VSS Provider
BackupExecAgentAccelerator
Veritas Backup Exec Agent Accelerator
BackupExecAgentBrowser
Veritas Backup Exec Agent Browser
BackupExecDiveciMediaService
Veritas Backup Exec Media Service
BackupExecJobEngine
Veritas Backup Exec Job Engine
BackupExecManagementService
Veritas Backup Exec Management Service
BackupExecRPCService
Veritas Backup Exec RPC Service
AcrSch2Svc
Acronis Scheduler Service
AcronisAgent
Acronis Agent
CASAD2DWebSvc
Arcserve UDP Agent service
CAARCUpdateSvc
Arcserve UDP Update service
In addition to the list of services to kill, LockBit also carries a list of things not to encrypt, including certain folders, specific files and files with certain extensions that are important to the operating system—since disabling the operating system would make it difficult for the victim to receive and act upon the ransom note. These are stored in obfuscated lists within the code (shown below), A function within LockBit uses the FindFirstFileExW and FindNextFileW API calls to read through the file names and folder names on the targeted disk, and then a simple lstrcmpiW function is called to compare the hardcoded list with those names.
This slideshow requires JavaScript.
Accelerating file encryption
Recently, we have seen ransomware groups taking more advanced concepts and applying it to their craft. One of these advanced concepts applied in LockBit is the use of Input/Output Completion Ports (IOCPs).
IOCPs are a model for creating a queue to efficient threads to process multiple asynchronous I/O requests. They allow processes to handle many concurrent asynchronous I/O more quickly and efficiently without having to create new threads each time they get an I/O request.
That capability makes them well-suited to ransomware. The sole purpose of ransomware is to encrypt as many delicate files as possible, rendering the user’s data useless. REvil (Sodinokibi) ransomware also uses IOCPs to achieve higher encryption performance.
LockBit’s aim was to be much faster than any other multi-threaded locker. The group behind the ransomware claims to have used the following methods to boost the performance of their file encryption:
Open files with the FILE_FLAG_NO_BUFFERING flag, write by sector size
Transfer work with files to Native API
Use asynchronous file I/O
Use I/O port completion
Pass control to the kernel yourself, google KiFastSystemCall
Once a file is marked for encryption—meaning, it did not match entries on the skip-list—a LockBit routine checks whether the file already has a .lockbit extension. If it does not, it encrypts the file and appends the .lockbit extension to the end of the filename.
Lockbit relies on LoadLibraryA and GetProcAddress to load bcrypt.dll and import the BCryptGenRandom function. If the malware successfully imports that DLL, it uses BCRYPT_USE_SYSTEM_PREFERRED_RNG which means use the system-preferred random number generator algorithm. If the malware was unsuccessful calling bcrypt.dll, it invokes CryptAcquireContextW and CryptGenRandom to invoke the Microsoft Base Cryptographic Provider v1.0 and generates 32 bytes of random data to use as a seed.
BCryptGenRandom in use
Also, at this stage, the hardcoded ransom note, Restore-My-Files.txt, gets de-obfuscated and the ransomware drops the .txt file in every directory that contains at least one encrypted file.
Victim ID
LockBit creates 2 registry keys with key blobs as values under the following registry hive: HKEY_CURRENT_USERSoftwareLockBit
The two registry keys are:
LockBitfull LockBitPublic
These registry keys correlate with the Victim ID, file markers, and the unique TOR URL ID that LockBit builds for each system it takes down.
Let’s take the unique TOR URL from the ransom note:
LockBit ransom note
In this example, the 16 byte long unique ID is at the end of the URL, http://lockbitks2tvnmwk[.]onion/?A0C155001DD0CB01AE0692717A2DB14A :
The file marker (0x10 long) is divided into 2 sections:
A0C155001DD0CB01
The first 8 bytes of the file marker and the first 8 bytes of the TOR unique URL ID.
D4EA7A79A0835006
The second 8 bytes are same for all encrypted files in a given run
Also, the value of the full registry key (0x500 long, starting as 1A443C7179498278B40DC082FCF8DE26… in this example) is also present in every encrypted file, just before the file marker.
LockBit registry keys (full and Public) that are related to the victim machine.
Share enumeration
For a successful ransomware hit and run, the goal is to encrypt as many files as possible. So naturally, LockBit scans for network shares and other attached drives with the help of the following API calls.
First, the malware enumerates the available drive letters with a call to GetLogicalDrives, then it cycles through the found drives and uses a call to GetDriveTypeW to determine whether the drive letters it finds are network shares by comparing the result with 0x4 (DRIVE_REMOTE).
Once it finds a networked drive, it calls WNetGetConnectionW to get the name of the share, then recursively enumerates all the folders and files on the share using the WNetOpenEnumW, WNetEnumResourceW API calls.
The ransomware can also enter network shares that might require user credentials. LockBit uses the WNetAddConnection2W API call with parameters lpUserName = 0 and lpPassword = 0, which (counterintuitively) transmits the username and password of the current, logged in user to connect to the given share. Then it can enumerate the share using the NetShareEnum API call.
Enumeration of attached, remote drives
Don’t quit just yet
I an attempt to ensure that LockBit would not be kept from finishing its job by a system shutdown, the developers of this ransomware implemented a small routine that uses a call to ShutdownBlockReasonCreate.
The developers didn’t try to conceal the ransomware as the cause of the shutdown block: the ransomware sets the message for blocking shutdown as LockBit Ransom. Computer users would also see the message LockBit Ransom under the process’ name.
SetProcessShutdownParameters is also called to set the shutdown order level of the ransomware’s process to 0, the lowest level, so that the ransomware’s parent process will be active as long as it can, before a shutdown terminates the process.
If the system is shut down, the malware also has capability to persist after a reboot. LockBit creates a registry key to restart itself under HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun, called XO1XADpO01.
Placing a persistence Run key in registry
Stop me if you’ve heard this before
LockBit prevents multiple ransomware instances on a single system by way of a hardcoded mutex: Global{BEF590BE-11A6-442A-A85B-656C1081E04C}. Before LockBit starts encrypting, the ransomware checks that the mutex does not already exist by calling OpenMutexA, and calls ExitProcess if it does.
As soon as the ransomware is mapped into memory and the encryption process finishes, the sample will execute the following command to maintain a stealthy operation:
exe /C ping 1.1.1.1 -n 22 > Nul & ”%s”(earlier version of LockBit)
exe /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”(recent version of LockBit)
The ping command at the front is used because the sample can’t delete itself, due to the fact that it is locked. Once ping terminates, the command can delete the executable.
We clearly see an evolution to the applied technique here: in the earlier versions, the sample was missing a Del procedure at the end, so the ransomware would not delete itself.
In the recent version, the crooks had decided to use fsutil to basically zero out the initial binary to perhaps throw off forensic analysis efforts. After the file is zeroed out, the now null-file is deleted also, making double-sure the malware is not forensically recoverable.
Language matters
As we noted earlier, LockBit’s developers wanted to avoid having their ransomware hit victims in Commonwealth of Independent States (CIS) countries. The mechanism used by the ransomware to achieve this calls GetUserDefaultLangID and looks for specific language identifier constants in the region format setting for the current user. If the current user’s language setting matches any of the values below, the ransomware exits and does not start the encryption routine.
If your computer’s UserDefaultLangId is set to one of these values, LockBit does no damage
Changing the wallpaper
To get the affected user’s attention, the malware (as is typical) creates and displays a ransom note wallpaper. A set of API calls are involved in this process, listed below.
The created wallpaper gets stored under %APPDATA%LocalTempA7D8.tmp.bmp.
In the meantime, the malware also sets a few registry keys so that the wallpaper is not tiled, and the image is stretched out to fill the screen:
HKEY_CURRENT_USERControl PanelDesktop
TileWallpaper=0 – (No tile)
WallpaperStyle=2 – (Stretch and fill)
Wallpaper used by a previous version of LockBitWallpaper set by a recent version of LockBit
Stack Exchange for crooks
LockBit leverages a very similar service-list to MedusaLocker ransomware. It comes as no surprise that crooks copy these lists, so they don’t have to reinvent the wheel.
The unique Registry run key and ransom note filename that was written by LockBit—XO1XADpO01 and Restore-My-Files.txt — were also seen being used by Phobos, and by a Phobos imposter ransomware. This would suggest that there is a connection between these families, but without further evidence that is hard to justify.
The future for LockBit
A recent Twitter post demonstrates what the future looks like for LockBit. In a recent LockBit attack, the MBR was overwritten with roughly 2000 bytes; The infected machine would not boot up unless a password is supplied. The hash of this sample is currently not known.
The e-mail used for extortion [email protected] was also seen with STOP ransomware—an uncanny connection. The group behind might be related.
There is also speculation that application Diskcryptor was combined with the ransomware to add this extra lockdown layer. The MAMBA ransomware was also using this technique, leveraging Diskcryptor to lock the victim machine. DiskCryptor is currently being detected as AppC/DCrpt-Gen by Sophos Anti-Virus.
A list of the indicators of compromise (IoCs) for this post have been published to the SophosLabs Github.
Acknowledgments
The author would like to acknowledge the public contributions of @demonslay335 and @hfiref0x.
Net Universe offers all Sophos Devices and subscritpions also consultant services with worldwide Delivery Services. Send us an email to [email protected] for more information or visit https://www.netuniversecorp.com/sophos.
Emily McGuire is the owner and Chief Email Marketer at Flourish & Grit, an email marketing and automation studio based in the US. She helps businesses uncover hidden revenue in their email lists by using data to better understand what moves customers to convert.
Gaurav Sharma is the founder of Attrock, an Indian digital marketing agency that offers services like influencer marketing, content marketing, SEO, online PR, mobile app marketing, conversion, and sales funnel optimization.
Expert Diaries from Zoho Campaigns connects avid email marketers to the experts in this space, and help them learn some best practices and tips. Our aim is to connect email geeks and form a community that learns email marketing from one another. Check out our amazing line-up of Season 1.
The COVID-19 pandemic and the lockdown that followed has changed the way marketing is being done.
Traditional methods will not necessarily work, as the way marketing is done digitally has changed drastically.
Digital marketers around the world are tweaking their plans of action in terms of strategy, content and intent. These changes are likely to continue in the long run, even after the lockdown is over. This will bring about a change in many social norms, including the way we communicate and interact.
We have two email marketing experts from two different parts of the world – Emily McGuire and Gaurav Sharma to help us understand how email marketing can be useful in times like these.
These two experts have shared their ideas and perspectives on email marketing during these unprecedented times.
When going digital is the only option
Emily: We’re lucky enough to live during a time when digital communication is widely adopted and easier to access. We are avoiding in-person interactions to avoid the spread of this virus. If you are ignoring digital media right now, you’re missing the opportunity to have conversations with your ideal customers and current customers.
This situation could lead to new opportunities. That means we can also get creative with our events by moving them online or finding other ways to create a community in a digital space. It means we can shift our focus to how we project our brand digitally if it hasn’t been a priority previously.
Gaurav: Given the situation we are in, digital media is the only way to stay connected with your audience. Brands need to invest more time, money and efforts on leveraging digital media channels to engage their audiences and encourage sales.
I recommend that brands and marketers take the time to streamline their marketing strategies for social media, SEO, email marketing, affiliate campaigns, and so on.
Why email marketing?
Gaurav: Email marketing is one reliable way for brands to stay connected with their audiences. You should spend time creating engaging drip email sequences and use advanced level marketing automation to keep your audience updated.
Emily: We are more digitally connected than ever as people turn to the internet for their news updates. That also means people will be spending a substantial amount of time in their inboxes.This also means you have a lot of opportunities to get in front of those people as they’re checking their emails multiple times throughout the day.
How to overhaul your marketing strategy
Gaurav: It is definitely crucial for brands to communicate with their audiences (both paying customers and subscribers) either via social media or other digital channels. Some of the most popular mediums are emails, blog posts, and press releases published on a news site or on an authoritative website in your niche.
Afterall, communication is the key to building strong relationships. And brands need to understand this well in order to overcome the current situation and win more customers.
Emily: It is always important to communicate regularly, but it is equally important to ensure that communication makes sense for where people are at with your brand and within the context of the current cultural climate.
Also, if your primary audience is disproportionately impacted by COVID-19 (for example the healthcare industry), and you’re trying to launch a new product to them, you might want to consider postponing (unless that product helps with treating COVID-19). They are already overwhelmed with responding to what’s going on and preparing for what’s to come.
Sending out an email that feels totally out of sync with what’s happening in the world right now can turn off your prospects and customers.
Additionally, if you haven’t emailed your subscribers in a while, and you want to send out an update on how coronavirus is impacting the way you serve your clients or customers, then consider sending it to ONLY active customers and hot leads. These are the people who have the most vested interest in their relationship with your brand and how it is going to impact their level of service.
Sending a coronavirus email update to people who haven’t done business with you in years, can, again, seem tone-deaf.
What kind of content works?
Emily: Definitely send out an update on how COVID-19 is impacting how you serve your customers (to current customers). Always lead with empathy. Put yourself in your subscribers’ shoes.
Is there a way you can better serve them through digital communication?
Can they expect any delay or disruption in their service?
Are you offering new ways for them to engage with your brand virtually?
Make sure to do this in a way that starts with the customer at the center. Wait to promote any services or products that might help your customers in a follow-up email.
Sending your email as a letter from the executive leadership of your brand can make your message feel more human.
If it’s particularly relevant for your business, for example, if you are hosting events in the next month or two, you might want to let your attendees know what happens if you have to cancel, and any other plans you might have to take your events online.
If you’re a service-based business, talk about measures you are taking to comply with guidelines from the CDC or your local health department.
And most of all, and I can’t stress this enough, send this content to the subscribers for whom this matters the most. That is, your current clients and any warm or hot leads.
Your inactive contacts do not need to know about how a service or product they aren’t using, is handling the COVID-19.
You can also consider adding a banner message at the top of your homepage that links to your updates on the COVID-19.
Gaurav: To run effective email marketing campaigns, brands should leverage multiple types of content. Some of the most popular types of content that can help boost your campaign ROI include:
Relevant tutorials and tips
Your brand’s story in relation to the current crisis
Discount offers (with emotional copy to show empathy)
Collaboration emails (working with another brand or influencer to co-create great content)
Automated lead generation emails
It is important for you as a brand or marketer to decide what your campaign objectives are. Once you’ve finalized your goals, you can plan the type of content to use accordingly to hit the sweet spot of your audience.
Empathy is the key
Emily: All marketing requires empathy. If you don’t consider where your audience is coming from, or where they are in your customer lifecycle, then you risk sending messaging that’s way off base, which can damage your brand more than it helps.
When thinking about your content, make sure it is relevant to your subscribers RIGHT NOW. Meaning, again, if they are an active customer or are in a warm or hot phase of being a prospect, then yes, make sure they know how stopping the spread of COVID-19can affect the service they might receive.
And if you’re in doubt about whether or not to send an email about COVID-19, wait a few days. People are being inundated with these emails right now. You don’t want to add to already packed inboxes. Your message will irrelevant and lost.
Monitor how people are talking about the COVID-19with social media listening, and see if and how it relates to your brand. If something sticks out to you on how your business can help, then consider sending out a message.
Anxiety is high right now. We don’t want to overwhelm the already overwhelmed. Ask yourself if your email campaign is helping your customers genuinely. If it’s not, then consider waiting for the right moment and message to be relevant.
You don’t want to overreach here. You don’t want to send out an email that sounds disingenuous and self-serving as we all collectively come together to keep each other safe.
Gaurav: As responsible marketers, it is important for you to understand the sensitivity of the situation and act accordingly.
I believe that marketers should focus on creating educational posts to help their consumers stay safe. In fact, you can also make your consumers feel better by sending them free giveaways or special discount codes for their favorite products.
If you show empathy to consumers who are suffering because of this pandemic disease, there are higher chances that you’ll get returns in multiple folds. That’s because of the Principle Reciprocity by Dr. Robert Cialdini that states, “human beings are wired to return favors and pay back debts – to treat others as they’ve treated us.”
How the experts did it themselves
Emily: I have many clients across a wide range of industries.
One client is launching a new product that targets HR professionals. We are revisiting our messaging and timeline. HR professionals are most likely overwhelmed with trying to coordinate communications to their employees and handle the transition of office workers to remote teams.
This product launch campaign could easily get lost in the inbox due to the attention that COVID-19 needs right now. We are currently game planning on how to best address that.
I have another client who’s had to cancel some events, so we are segmenting and sending messages to the multiple types of attendees with tailored messaging to all of them.
And then one more client who is a small brick and mortar store who has a light and fun brand voice. Crafting email copy that reflects that voice and also understands the levity of this situation is delicate. But we came at it from a place of helping and concern for health and safety.
All email communication is acknowledging this unprecedented event while also still serving customers from a place of offering value. That might be content that gives access to resources to get through challenges people are facing. That might highlight products or services that can lighten the mood.
Whatever it is, we can’t ignore COVID-19. We have to work within it and around it in our offers and marketing.
We came up with a strategy to educate our subscribers and clients about what they need to do to overcome the COVID-19 situation.
We sent this email, which received a 26.7% open rate and a lot of positive (overwhelming) responses from our 11K subscribers. Also, we are giving heavy discounts to our customers to help their businesses grow during these difficult times.
In the end, it is all about understanding the needs of your customers.
In the mean time, stay home, stay safe and communicate.
If there is one thing that analysts and pundits can predict to a great degree of certainty, it is that cyberattacks will continue to rise, becoming a major global threat to businesses. Given that what’s at stake is not just critical customer data, but also the enterprise’s revenue and brand reputation – not to mention hefty penalties stemming from regulators should their networks be compromised – it is imperative that enterprises use every bit of security technology available to prevent the possibility of a network breach.
The challenge is that implementing an effective and consistent security strategy is increasingly difficult to achieve and maintain. The erosion of traditional perimeter boundaries, the expansion of cloud adoption, and the growth of mobile and IoT devices has led to increasingly complex network architectures where traditional tools like dedicated IPS devices are falling short on delivering security value.
The Pitfalls of Dedicated IPS Solutions
Traditional IPS solutions were designed for a single purpose: deep packet inspection of traffic to proactively identify and block malicious content. That myopic focus led to IPS systems becoming a point solution with very little integration and few automation capabilities beyond their traditional use case. With limited innovation, IPS systems have failed to evolve fast enough to address the challenges being posed by today’s evolving threats and network landscape. Compounding the challenges facing dedicated IPS solutions even further, digital transformation around security tool consolidation has caught IPS products unprepared to adapt. Enterprises that want visibility, flexibility and scalability also want to manage their portfolio through a single pane of glass for ease of use and to simplify deployments, and this function is missing in single point IPS products.
IPS has long relied on the presumption that other technologies would not be able to deliver the same capabilities with similar performance. As a result, very little development in the standalone IPS space has taken place for some time. This vacuum of innovation has led ancillary products, like Next-Generation Firewalls, to offer integrated IPS capabilities in addition to their core functions as an add-on.
This led to a decline in the market for dedicated IPS appliances, since enterprises could simplify deployment and management by simply enabling IPS functionality within their existing or upgraded network firewalls. They could manage their entire security policy – from adding application awareness and control to their firewall functionality, to deploying and managing things like IPS and VPN, all through a single network appliance. This was a great solution for enterprise security teams starved of resources and struggling with a shortage of skilled staff.
It’s Not a Battle of Equals Among NGFWs Providing an IPS Solution
What most organizations, and vendors, forgot was that one of the things that dedicated IPS appliances did fairly well was provide deep inspection of encrypted traffic. Of course, that functionality came at a pretty steep cost. But by moving IPS functions to an integrated NGFW system, that functionality has been all but lost.
That’s because most traditional NGFW vendors rely on a generic intel-based compute architecture that was simply never designed to meet the performance requirements of inspecting encrypted data. But today, as more and more network traffic is encrypted – according to the Google Transparency Report, between 87% and 97% of internet traffic is now encrypted, while the volume of malware using encryption is also increasing at a breakneck pace – the limited performance capacity of NGFW devices running IPS as an add-on comes at a significant cost of performance vs security. In fact, performance numbers are so low that most security vendors refuse to even publish them.
Even worse, turning on more IPS signatures to inspect the growing volume of encrypted traffic also results in the serious deterioration of the performance of the firewall, along with other functions critical to the network firewall. As a result, organizations are faced with the devil’s choice of not inspecting encrypted traffic, or turning off SSL and passing critical data through the firewall unencrypted. As a result, enterprises are struggling with how to balance security with performance, and whether the high expense of a dedicated IPS or a slow NGFW that includes IPS is a better fit.
Why Fortinet’s FortiGate Offers the Best of Breed IPS Solution
Fortunately, those aren’t the only choices available to organizations. Fortinet enables organizations to achieve a security-driven network with the highest-performing firewalls, innovative product portfolio, and deep integration with the Security Fabric and trusted partners to reduce complexity and protect the entire network from sophisticated threats. This includes the highest performing IPS solution of any NGFW in the industry – in fact, 20X faster than the industry average.
The FortiGate security platform, with its purpose-built hardware, leverages the superior performance provided by its dedicated security processors and network processors to deliver high IPS performance without impacting the flow of network traffic. Because FortiGate products deliver very high IPS inspection with very low latency, they have a unique advantage over other NGFW vendors who struggle with performance once their IPS functions are turned on. FortiGate products not only offer better protection per Mbps of inspection than traditional dedicated IPS, but also offer additional capabilities which are missing in other IPS products available in the market.
FortiGate NGFWs, with their unique hardware design and architecture, have a proven track record of being successfully deployed as dedicated IPS solutions. Enterprises can realize the dual benefits of managing both their FortiGate network firewall and FortiGate IPS through a single pane of glass to leverage consistent security and policy management across their entire infrastructure, whether deployed in the data center, core network, branch office, or in a public or private cloud environment.
The other critical component that differentiates Fortinet over dedicated IPS vendors as well as other NGFWs vendors competing in this space is our unmatched threat intelligence delivered by FortiGuard Labs. FortiGuard Labs collects, correlates, and delivers real-time intelligence on the threat landscape, providing comprehensive and actionable security updates across the full range of threats. This enables enterprises to prevent, detect, and mitigate advanced attacks automatically with the integrated, AI-driven breach prevention and advanced threat protection services from FortiGuard Labs. With over 14,000+ IPS signatures and real-time updates, Fortinet’s IPS solution enables enterprises to respond to the latest threats faster, while offering complete protection for known, unknown, and zero-day threats.
For more details on how the FortiGate IPS offers a replacement strategy for existing dedicated IPS download a copy of our whitepaper.
Engage in our Fortinet user community (Fuse). Share ideas and feedback, learn more about our products and technology, or connect with peers.
Businesses, particularly SMBs, need help. Now more than ever, and our hearts go out to each one of you. In our continued effort to best support you during this challenging time and help you ensure business continuity, we want to let you know about some generous relief offerings from our Marketplace partner community.
To all our customers, thank you for the deep trust you put in us. We are here for you—now and in the future. In this spirit, we encourage you to explore these offers.
Aircall is a flexible cloud phone solution to connect remote teams.
Offer: One month free subscription and tech support to help you make a smooth transition.
Redeem Offer >
CircleLoop is a cloud-based phone system for businesses.
Offer: Free business telephony for the next three months to any UK school, healthcare provider, or charity who need to facilitate remote, mobile, or flexible work on short notice.
Redeem Offer >
Formstack is an online form builder and data collection tool for registrations, surveys, payments, leads, and more.
Offer: Free Formstack HIPAA compliant forms to all qualified US-based healthcare, government, and nonprofit organizations to help them collect data from patients, employees, and volunteers.
Redeem Offer >
Intermedia offers video conferencing and webinar service with its AnyMeeting tool.
Offer: No cost through December 31, 2020 for AnyMeeting. This includes,
Free Intermedia AnyMeeting Video Conferencing Pro licenses for Intermedia’s customers and partners, with no restriction on meeting length
One free Webinar Pro license per account to enable companies to hold larger live broadcast events for up to 200 people
Redeem Offer >
JotForm is an online form builder for businesses.
Offer: Free, unlimited, HIPAA-compliant JotForm accounts to eligible first responders, healthcare workers, and government and nonprofit organizations that want to help their communities.
Redeem Offer >
PayU is a payment gateway that enables Indian businesses to accept online payments with all payment modes including credit card, debit card, net banking, UPI, wallets, and EMI.
Offer
Zero transaction fees for Indian NGOs and charities collecting relief donations for COVID-19
100% TDR waiver for SMBs on the first INR 50,000 worth of business done via PayU
PayU is helping small to medium businesses (SMBs) build free websites with zero transaction fees on the first ₹50,000 worth of business.
Redeem Offer >
Payway is an integrated payment gateway and merchant services solution designed to make credit card payment processing easier for businesses.
Offer: New customers who need support during the global COVID-19 crisis get free gateway service for six months.
Redeem Offer >
RingCentral is a cloud communications and collaboration solutions provider that empowers mobile workforces to communicate, collaborate, and connect.
Offer: Free access to RingCentral Office for all healthcare providers, schools (K-12), community colleges, news and media, public sector, and non-profit organizations who are new customers and impacted by COVID-19.
Redeem Offer >
Vonage Business Communications services enable flexible communication and collaboration via business phone systems, video conferencing, and team messaging.
Offer
3 free months of Vonage Business Communications (VBC) for new business accounts in the US using up to 250 softphones
3 months free of Vonage Business Communications services for education, healthcare, and non-profit companies based in the US, UK, and Australia
Vonage’s video conferencing service is free to use for everyone who unexpectedly needs to work remotely
We’re adding three features in new Google Sites (sites.google.com/new):
Site templates – Quickly and easily create high-quality sites optimized for common uses.
Announcement banners – Highlight important information to make sure site visitors see time-sensitive updates.
Access for Family Link accounts – Enable users with Google Accounts managed by Family Link to view and edit sites.
See more details below, or see our Cloud Blog to post to see how Sites can support remote work and learning.
Who’s impacted
Templates and announcement banners: All site owners and editors.
Access for Family Link accounts: Site editors and viewers with Family Link accounts.
Why it matters
We hope these new features make it easier to create and use sites, especially as our customers deal with the impact of COVID-19. For example, announcement banners can help businesses quickly communicate important information to customers. Using templates to create high-quality sites without requiring design or coding skills can help educational institutions and businesses enable remote learning and workings. Overall, we hope the enhancements make Sites a more useful tool to share information across dispersed audiences.
See our Cloud Blog to post to learn more about how Sites can support remote work and learning.
Additional details
Site templates
For this launch, we’ve built 10 templates for common site uses, available in 16 languages. With one click, you can start a site suited for a specific purpose with a professional look and feel. Then, you can customize the site to make it your own. Examples of sites that templates will make it easier to create include:
Help centers: Help users learn how to use new tools and resources, for example tools to enable a remote workforce or remote learning for students.
Project sites: Help colleagues or classmates collaborate on a project remotely.
Class or team sites: Have a centralized place for team resources and information.
Club sites: Enable students to continue club activities while remote learning.
Small business sites: Keep customers informed about your business, like your restaurant or design services, while they’re social distancing.
We’re building more templates and working to make templates available in more languages. You’ll see more templates for common business sites added to the available options in the next several weeks. Use our Help Center to find more information about using templates in Google Sites. Announcement banners
Created based on customer feedback, announcement banners help site owners communicate timely, important messages to visitors. They display information in a banner at the top of the site, grabbing viewers’ attention when they land on the page. Ways that customers can use banners include:
A business administrator at a large company can add a banner to an employee resource site to highlight newly added pages and information in the larger site.
A small business owner can add a banner to alert customers of changing operating hours or business practices.
A teacher can add a banner to a class site to notify students that a new assignment has been posted.
Use the Help Center to learn more about how to add an announcement banner to a site.
Access for accounts managed with Family Link
Until now, users with personal Google Accounts managed with Family Link have not been able to view or edit sites. To help increase access to valuable resources, we’ve made it possible for Google Accounts managed with Family Link to view public sites, and view and edit sites that are shared with them.
While personal Google accounts managed by Family Link can now access Sites, students with G Suite for Education accounts should continue to use their school accounts to log in and complete schoolwork in Sites and other G Suite services.
Important note: This only applies to sites created with new Sites. Personal accounts managed by Family Link will still not be able to view or edit sites managed with classic Sites. Use our Help Center to learn more about using Google Sites with Accounts managed with Family Link.
Getting started
Admins: These features will be ON by default. There are no admin controls for them.
End users: These features will be ON by default. Visit the Help Center to learn more about how to create a website from a template or add an announcement banner to a site. Note that parents can use Family Link to restrict websites or permissions if their child is using Chrome on an Android device or a Chromebook, and may have to allow their child to see your site.
Did you know that the Yubico Authenticator app is available for desktops as well as mobile devices? Today, we are excited to announce the support of the Yubico Authenticator desktop versions on their respective platform stores (Mac App Store, Microsoft and Snapcraft).
Achieving strong protection with authenticator apps
Authentication mechanisms today need to be highly secure, usable and portable, and these are the exact same principles we used to build Yubico Authenticator. Similar to other authenticator apps, Yubico Authenticator generates a one-time code used to verify your identity as you’re logging into various services. However, unlike other authenticator apps, the secrets are stored in the YubiKey rather than in the app itself, making it necessary for a user’s YubiKey to be physically present to receive the time-based codes.
Because secrets are stored on your YubiKey, if you change phones or laptops, there is no porting or re-registering of accounts required, regardless of operating system. Furthermore, the secrets cannot be stolen from the hardware key.
Yubico Authenticator advantages for desktop users
With recent availability of Yubico Authenticator on the Mac, Windows, and Linux app stores, we are able to seamlessly deliver the same security, portability and usability benefits of the product to desktop users. Besides simplifying and accelerating the authentication experience across many services and platforms, Yubico Authenticator for desktop carries specific advantages. It enables two-factor authentication (2FA) across unique environments including:
Desktop VPN authentication
Yubico Authenticator for desktop enables seamless VPN integrations by generating one-time codes with desktop VPN clients such as Cisco Anyconnect, Pulse Secure, or AuthLite. With the recent influx of remote workers, this is particularly useful in helping to secure employees who are working from home.
Mobile-restricted environments
Not all corporate setups allow for the use of mobile devices, making it impossible to use mobile-based authentication methods such as SMS or authenticator apps.SinceYubico Authenticator stores secrets on the YubiKey, users are able to replicate the same time-based codes that would be on a mobile device, on the desktop. This is particularly advantageous for corporate setups where mobile devices are restricted, such as call centers or doctor’s shared devices.
Multi-device sign in
In a recent survey from Ponemon Institute, individuals use an average of 5 devices to access online accounts. With a YubiKey and Yubico Authenticator, the same secrets are accessible on desktop computers as well as mobile devices. This makes it easy to authenticate without needing to re-register every service with the authenticator app on different platforms.
Setting up Yubico Authenticator for desktop
Simply download the app for Windows, macOS, or Linux depending on the machine you’re using. Open the app, insert your YubiKey, and begin adding the accounts you wish to protect by scanning the QR code provided by each service. Yubico Authenticator is also available for download on iOS (iPhones and iPads) and Android operating systems.
Now you’re all set! Start using the Yubico Authenticator app and your YubiKey to securely login as a second factor to your services.
For added convenience, head over to the Yubico store to pick up a YubiKey 5Ci for seamless authentication across desktop and mobile devices!
Almost overnight, teleworking has become mainstream. And from all indications, it might stay that way for weeks or even months. And for many organizations, this may signal a new normal, where many workers may continue to work remotely. But regardless of the outcome, organizations need to ensure that their business continuity/disaster recovery (BCDR) plans are updated so they are ready to quickly ‘flip the switch’ to teleworking in the future – whether due to the next pandemic, a major weather event, or some other unforeseen event.
To do this, organizations need to architect access to their critical applications so they can remain resilient in the face of unexpected change, while maintaining the right security posture to protect valuable data, guard against threats, and adhere to compliance obligations. To achieve this, the following top three considerations are important for every organization, large or small, across every market segment. And they are steps that organizations can immediately put into action today:
1. Protect Your Critical Collaboration & SaaS Apps
Most customers today are fairly advanced in their adoption and transition to the cloud and SaaS apps. Even when an enterprise hasn’t yet directly embracing SaaS, users are self-selecting cloud-based applications – or what’s commonly called shadow IT – to get their jobs done. With the shift to teleworking, the reliance on SaaS and its universal access will only grow. For example, it’s easy to appreciate the value that file sharing and cloud storage applications like Sharepoint, G-Drive, or Box deliver. Even if the corporate network and local folders are unavailable, cloud applications make it easy to upload and share files. And this can easily be extended beyond employees, to partners or suppliers, or even end customers.
The challenge is to how to manage the security of these cloud solutions. Deep visibility and control mechanisms must be put in place to address potential SaaS challenges, such as the unauthorized downloading of files or creation of shadow IT resources. A Cloud Access Security Broker (CASB) provide critical technology designed to secure these cloud-based applications and assests, something that analysts call out as an ‘essential element of any cloud security strategy.’ CASB allows customers to understand their SaaS traffic, protect valuable data, guard against threats, and ensure that compliance objectives are met. And depending on the deployment, CASB can even provide visibility on unsanctioned application traffic, enabling policies can be put in place to shore up potential risk points.
Fortinet has taken a unique, 100% API-driven approach in its FortiCASB solution. Especially today, in this new age of teleworking, these APIs provide critical insights into application usage without the need for intercepting traffic through a proxy or by installing endpoint agents. These APIs provide a wealth of intelligence designed to uncover SaaS activity, ranging from who the top users are, to what’s being uploaded, to where it’ going and whether there any risks or risky activities going on. These APIs can also be used for remediation steps like changing permissions so, for example, a sensitive file is not visible to the public from Sharepoint, or by using FortiCASB’s built-in threat scanning technologies to identify malware ahead of costly damages or broad propagation from a Box folder. For full shadow IT visibility, FortiCASB can also be deployed in conjunction with FortiGate NGFW and leverage the FortiGate as powerful control point in the network.
But as with email, you need to protect who can gain access to these resources beyond just simple login-password combinations. That leads to the next point that is applicable to both email and an organization’s critical SaaS apps.
2. Enable Multi-Factor Authentication
At the RSA Security Conference this past March, Microsoft engineers shared that “99.9% of the compromised accounts they track every month don’t use multi-factor authentication.” To put this data in context, Microsoft monitors more than 30 billion logins per day and more than a billion users. And on average, Microsoft sees roughly 1.2 million accounts that have been compromised each month. So it’s no surprise that across all of the enterprise accounts they monitor, only 11% had MFA solution enabled.
Many of today’s most damaging security breaches are due to compromised user accounts and passwords. Whether bad actors collect login credentials via sophisticated phishing email scams or brute force attacks, without multifactor authentication in place they can use those credentials to easily gain unfettered access to the network and to move laterally across network and application resources to wreak havoc.
To address this, the adoption of additional authentication methods has accelerated. Two-factor or multifactor authentication (MFA) – achieved through physical hardware or mobile application tokens – increases the certainty of the identity of users as they enter the network, because even if a criminal knows a user’s name and password, they still cannot login under that stolen identity without also having that user’s unique identity token.
Fortinet’s FortiToken solution enables businesses of all sizes to manage their MFA token implementations for users connecting from anywhere, as long as there is an Internet connection. With the addition of FortiAuthenticator, customers can augment existing solutions like Active Directory and enable things like single sign-on (SSO) to improve user experience. FortiToken, with or without the addition of FortiAuthenticator, secures access to a wide range of enterprise applications, whether on-premise, hosted in private or public clouds, or for SaaS applications.
Multifactor authentication technology is widely available, but organizations need to enable it and make it mandatory for their employees. And as with the recommendations for email and SaaS applications, MFA provides a key complementary technology that can significantly bolster the security across these critical environments with minimal investment.
3. Lock Down Your Inbox
Email is the primary communication tool for doing business. It connects us to our peers, our partners and suppliers, even our customers. It needs to be reliable and accessible, but also protected. Many customers have come to rely on native security functions built into their email security solutions, but they don’t always measure up. A recently published report from third-party testing firm SE Labs sheds light on how different solutions perform. It includes results and ratings for popular email cloud providers like Exchange Online, Office 365, and G-Suite. In addition, FortiMail was submitted as part of the SE Labs testing as Fortinet believes strongly that truly effective security should hold up under the vetting of third-party, independent tests and benchmarks. SE Labs responded to our entry with the following:
“We congratulate Fortinet for its outstanding performance in this extremely challenging test. In our latest tests, Fortinet earned a AAA rating with a 90% total accuracy, which put it in high standing compared to other offerings in the market. For customers, this should provide additional assurance that FortiMail offers the appropriate, robust security protections needed for securing email traffic.”
The deluge of email-based threats has already begun to spike during this period, with the FortiGuard Labs team identifying upwards of 600 new phishing campaigns a day. Clearly, the bad actors are trying to take advantage of the confusion of such a rapid transition and novice remote users through their social engineering tricks and other exploits. Whether defending against phishing attacks, business email compromise, or the latest ransomware, Information Technology and Security leaders need to protect their users’ inboxes now more than ever.
Special consideration is also needed as users are more likely to connect to corporate resources not only from company-managed devices, but also from personal or unmanaged devices, including laptops, smartphones, and tablets. As a result, stopping email threats on the mail server or in the cloud, before it gets delivered to the user, is imperative. To do this, taking smart steps to avoid credential theft will be key. The same goes for protecting valuable data before it potentially leaves the organization.
Conclusion
With the industry quickly pivoting to teleworking, now is the time for organizations to move quickly and take these important steps – securing their critical email traffic, putting the right protections in place for their SaaS applications, and enabling the critical lynchpin technology of multifactor authentication to tied it all together. By implementing the right IT and Security strategy, customers will not only have a more secure environment today, but it also sets them up well for the future, enabling productivity and business agility gains even during extreme circumstances, without dangerous concessions to the overall security posture of the business.
Learn more about how to maintain business continuity through broad, integrated, and automated Fortinet Teleworker Solutions.
Learn how Fortinet’s dynamic cloud security solutions provide increased visibility and control across cloud infrastructures, enabling secure applications and connectivity from data center to cloud.
Read these customer case studies to see how Cuebiq and Steelcase implement Fortinet’s dynamic cloud security solutions for secure connectivity from data center to the cloud.
Engage in our Fortinet user community (Fuse). Share ideas and feedback, learn more about our products and technology, or connect with peers.
This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Cookie settingsACCEPT
Privacy & Cookies Policy
Privacy Overview
This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
