
WWCD: Defending Against Browser App Mode Abuse

Bill Toulas at Bleeping Computer recently highlighted a new phishing technique in the wild that is designed to abuse users’ increased likelihood of trusting applications that appear to be desktop applications over those that appear inside a web browser. As with many other types of attacks in the wild, these are designed to take advantage of the fact that experience – and most security training – primes users to expect phishing and other malicious sites to look and behave a certain way.

In the attack Toulas describes, threat actors utilize a little-used feature in Chromium-based browsers to launch web pages in “application mode”. In application mode, the website loads in a clean browser window that hides all the tell-tale signs that the user is on a website. There are no tabs, no URL bar, no toolbars, nor anything else that normally distinguishes a web application from a desktop one. Since users aren’t primed to suspect phishing pages to load in this type of environment, their guard may be down.

So, What Would Conceal Do (#WWCD)?

We have some good news: Conceal would stop this attack. Since ConcealBrowse protects users by scanning URLs and blocking or isolating them as appropriate, the user’s trust – or lack thereof – is irrelevant.

Let’s take a look at how the attack works, and how ConcealBrowse stops it.

  1. An attacker sends a user a Windows shortcut that launches a web page in Chromium application mode when clicked.
  2. When the user clicks on the icon, the malicious page is loaded in a window that mimics a desktop application but is actually a Chromium window without any of the usual UI elements.
  3. Despite appearances, the page is still a normal web page, and ConcealBrowse scans its URL as well as any other URLs it might call or load.
  4. Because Conceal’s decision engine has flagged the URL as malicious, the page is loaded in a virtual environment in the cloud instead of on the user’s computer.
  5. When the page tries to download a malicious file to the user’s computer, the file is scanned and stopped by ConcealBrowse.
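The attack chain above starts with a shortcut that launches a Chromium browser in application mode, which on the command line is the documented `--app=<url>` switch. A defender who collects process-creation telemetry can therefore spot step 1 and 2 directly, independent of what the window looks like to the user. The script below is an added example written for this post, not Conceal’s code or ConcealBrowse logic: it parses a few constructed process-creation records, picks out Chromium-family browsers started with `--app=` pointing at an http(s) URL, and reports any whose host is not on an allowlist of web apps the organisation deliberately runs in app mode. The record layout, browser list and allowlist are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Chromium-based browser executables whose "--app=<url>" command-line switch
# opens the page in application mode (no tabs, URL bar or toolbars). The switch
# is a documented Chromium flag; this list of binaries is an assumption.
CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}

# Hosts the organisation deliberately runs in app mode (constructed allowlist).
ALLOWED_APP_HOSTS = {"intranet.example.com"}

# --app=<url>, with or without surrounding double quotes.
APP_SWITCH = re.compile(r'--app=(?:"([^"]+)"|(\S+))')


def parse_event(line):
    """Split one constructed 'Key: value|Key: value' process-creation record into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def app_mode_url(command_line):
    """Return the URL passed to --app=, or None when the switch is absent."""
    match = APP_SWITCH.search(command_line)
    if not match:
        return None
    return match.group(1) or match.group(2)


def classify(event):
    """Return a finding dict for a Chromium app-mode launch, or None otherwise."""
    image = event.get("Image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    if image not in CHROMIUM_BROWSERS:
        return None
    url = app_mode_url(event.get("CommandLine", ""))
    if url is None:
        return None
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return None  # chrome-extension:// or file:// app windows are out of scope here
    host = (parsed.hostname or "").lower()
    return {
        "image": image,
        "url": url,
        "host": host,
        "parent": event.get("ParentImage", ""),
        "verdict": "allowed" if host in ALLOWED_APP_HOSTS else "suspicious",
    }


def scan(lines):
    """Return only the suspicious app-mode launches found in the given records."""
    findings = []
    for line in lines:
        finding = classify(parse_event(line))
        if finding and finding["verdict"] == "suspicious":
            findings.append(finding)
    return findings


# Constructed sample records in a simplified Sysmon-like layout (not real telemetry).
SAMPLE_EVENTS = [
    # Steps 1-2 of the attack: a shortcut clicked in Explorer launches Chrome in
    # app mode against an external host that is not on the allowlist.
    r'Image: C:\Program Files\Google\Chrome\Application\chrome.exe'
    r'|CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --app=https://login-portal.example.net/ --start-maximized'
    r'|ParentImage: C:\Windows\explorer.exe',
    # Legitimate: an internal web app the organisation pins to the taskbar in app mode.
    r'Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
    r'|CommandLine: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --app="https://intranet.example.com/timesheets"'
    r'|ParentImage: C:\Windows\explorer.exe',
    # Ordinary browsing: a URL opened in a normal tabbed window, no --app switch.
    r'Image: C:\Program Files\Google\Chrome\Application\chrome.exe'
    r'|CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://login-portal.example.net/'
    r'|ParentImage: C:\Windows\explorer.exe',
    # Unrelated process.
    r'Image: C:\Windows\System32\notepad.exe|CommandLine: notepad.exe notes.txt|ParentImage: C:\Windows\explorer.exe',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding['verdict']}: {finding['image']} opened {finding['url']} "
              f"in app mode (parent {finding['parent']})")
```

Run stand-alone, the script reports one suspicious launch (the external login portal) and stays quiet about the allowlisted intranet app and the ordinary tabbed-window launch. The same check works on real endpoint telemetry once `parse_event` is swapped for the collector’s own field parser; the allowlist is what keeps the rule from firing on web apps users are meant to run in app mode.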

ConcealBrowse protects users and organizations from the types of trust abuse that are commonly responsible for successful malware and phishing attacks like this one, regardless of how creative the technique. Want to learn more? Contact us for a demo today!


Conceal and Spire Solutions Sign International Partnership Agreement for Zero Trust Security

DUBAI, United Arab Emirates–(BUSINESS WIRE)–(GITEX GLOBAL) – Conceal, the leader in Zero Trust isolation and ransomware prevention technology, and Spire Solutions, a leading value-added distributor, signed a strategic partnership agreement today at GITEX 2022 for Spire to serve as the distributor for Conceal’s platform and ConcealBrowse solution in the Middle East and Africa regions.

According to Gartner, increasing cyberattacks, threats to cyber-physical infrastructures, and the malicious nature of ransomware are expected to increase end-user spending on security and risk management in the Middle East and North Africa to total $2.6 billion in 2022, an increase of 11.2% from 2021.

“Globally, we are at a critical inflection point as Zero Trust becomes validated as the most effective approach for securing enterprise IT environments and online services delivery,” said Sanjeev Walia, Founder & President at Spire Solutions. “Conceal’s patented zero trust solutions are proven in their deployment with the Fortune 100 and some of the world’s largest government agencies. We are honored to partner with Conceal to make these solutions accessible in the Middle East & African regions too.”

ConcealBrowse was recently introduced and performs pre- and post-processing of code on a computer to protect against browser-borne attacks including RATs, Trojans, Worms, Ransomware, Browser Hijacking, and more. It leverages an intelligence engine that works at machine speed with near-zero latency to dynamically and transparently pre-process and analyze code and move suspicious, unknown, and risky code to a cloud-based isolation environment. This unique, patented approach ensures that malicious code or files never enter enterprise devices and cannot infiltrate the network. ConcealBrowse works with existing browsers, supports all popular operating systems, and integrates with Microsoft Active Directory, single sign-on authentication, and other identity management systems.

“The proven success of our platform is enabling Conceal to embark on an aggressive global growth strategy,” said Gordon Lawson, CEO of Conceal. “The Middle East and Africa are experiencing significantly increasing demand for zero trust solutions and are a natural next step for Conceal. The Spire team has proven their leadership in these regions and we look forward to a mutually beneficial partnership.”

While at GITEX, you can meet Conceal in the Spire Stand H2-B1 in Hall 2 of the Dubai World Trade Center.

About Spire Solutions
Spire Solutions is the Middle East & Africa’s leading value-added distributor (VAD), with exclusive distribution rights for some of the world’s best-known cybersecurity vendors (OEMs). With a key focus on solving problems without creating new ones, Spire has built a reputation of being the preferred security partner to CISOs of several government organizations and enterprises in the region. www.spiresolutions.com

About Conceal
Conceal enables organizations to protect users from malware and ransomware at the edge. The Conceal Platform uses Zero Trust isolation technology to defend against sophisticated cyber threats. Conceal is used by Fortune 500 and government organizations globally to ensure their users and IT operations remain secure, anonymous and isolated from attacks. For more information, visit https://conceal.io/.

WWCD: How can ConcealBrowse stop abuse of trust?

VirusTotal recently analyzed its trove of malware and associated metadata to identify ways attackers abuse users’ trust of big digital brands. Specifically, attackers focus on co-opting trusted domains and branding materials like official logos and icons to trick users into downloading and installing malware.

Current “state of the art” in avoiding these types of attacks relies on training end users to identify non-obvious signs that trusted brands are being used maliciously, and by scanning files on the endpoint after a user has already downloaded them. We all know from experience that, regardless of how much training users receive, they far too often let down their guard when they believe they are interacting with a trusted party. Fortunately, Conceal takes over the task of distrusting everything and isolating malicious activity regardless of the user’s perception of safety. So, What Would Conceal Do to subvert these types of attacks?

Check Everything

As the VirusTotal report points out, many of these types of attacks rely not only on humans’ propensity to trust certain brands, but also on defensive systems’ propensity to trust certain domains. Fortunately, ConcealBrowse checks every URI accessed by users or loaded in the background by web apps. Even if most resources accessed via squarespace.com are trustworthy, Conceal’s decision engine identifies the specific URIs that aren’t and isolates them from the user’s machine.

When a URI is flagged as suspicious, it is opened in a container in the cloud where it can’t cause harm to the user’s system. Additionally, any files downloaded from isolated sites are first scanned in the cloud so that they can be blocked before they are ever sent to a user’s device. In these cases, even if a user or a security system trusts a domain, ConcealBrowse doesn’t.

Trust No One

While the VirusTotal report specifically discusses the use of trusted branding in file icons, we’ve also all seen phishing sites that display a trusted logo to lull victims into thinking they can safely enter their credentials. Again, where a user might be tricked into trusting the attacker, Conceal distrusts the attacker for them.

Using computer vision technology, ConcealBrowse can identify when trusted logos and branding are being misused by attackers and can block phishing sites before the user ever has the chance to compromise their information.

What Would Conceal Do (#WWCD)?

Long ago, attackers figured out how to take advantage of peoples’ trust biases to bypass defenses designed to protect us from the untrustworthy. Fortunately, as more and more zero trust technologies – like ConcealBrowse – provide the necessary distrust, these types of attacks will become less and less successful.



Conceal Partners with Barrier Networks to Increase Cyber Resiliency of UK Businesses and Critical Infrastructure Sector

ConcealBrowse to Help Barrier Customers Avoid Ransomware on Devices and the Network through Patented Browser Isolation and Zero Trust Technologies

AUGUSTA, Ga.–(BUSINESS WIRE)–Conceal, the leader in Zero Trust isolation and ransomware prevention technology, today announced a strategic partnership with Barrier Networks, a UK-based security solutions reseller and managed service provider with clients spanning the financial, legal, HMG/MoD and public critical infrastructure sectors.

“Barrier Networks provides assurance to customers that their systems are resilient to cyber attacks,” said Ian McGowan, Managing Director of Barrier Networks. “Conceal will help our customers avoid ransomware attacks at the earliest point of entry, the browser. ConcealBrowse is a highly effective, new way of transparently isolating malware away from devices, keeping attackers away from devices and networks, while preserving the user experience.”

“For years, Conceal has supported U.S. government agencies and Fortune 100 clients with our patented zero trust technologies,” said Gordon Lawson, CEO of Conceal. “We are excited to work with Barrier Networks, a seasoned managed cyber security service provider serving high profile businesses and the public sector across the UK.”

ConcealBrowse leverages an intelligence engine that works at machine speed with near-zero latency to dynamically and transparently pre-process and analyze code and move suspicious, unknown and risky code to a cloud-based isolation environment. This unique, patented approach ensures that malicious code or files never enter enterprise devices and cannot infiltrate the network. ConcealBrowse works with existing browsers, supports all popular operating systems, and integrates with Microsoft Active Directory, single sign-on authentication and other identity management systems.

Availability
The Conceal Platform is available immediately from Barrier Networks.

About Conceal
Conceal enables organizations to protect users from malware and ransomware at the edge. The Conceal Platform uses Zero Trust isolation technology to defend against sophisticated cyber threats. Conceal is used by Fortune 500 and government organizations globally to ensure their users and IT operations remain secure, anonymous and isolated from attacks. For more information, visit https://conceal.io/.

Source: https://www.businesswire.com/news/home/20221004005330/en/Conceal-Partners-with-Barrier-Networks-to-Increase-Cyber-Resiliency-of-UK-Businesses-and-Critical-Infrastructure-Sector

Welcome to National Cybersecurity Awareness Month!

We are thrilled to announce that we are an official champion of National Cybersecurity Awareness Month (NCSAM)!  What is NCSAM you ask?  It’s only the best month of the year for the cybersecurity community!  NCSAM started 19 years ago as a partnership between the National Cybersecurity Alliance (NCA) and the U.S. Department of Homeland Security (DHS).  The campaign gives our industry the opportunity to collaborate between government and the private sector so that the importance of online security can be addressed.  Each year, a new theme is strategized and shared with the public. This year the theme is…

See Yourself In Cyber

While most cybersecurity news articles are about massive data breaches and hackers, which can be overwhelming and leave you feeling powerless, Cybersecurity Awareness Month is a great reminder that there are all kinds of ways to keep your data protected, and that even the most basic cybersecurity measures can make a huge difference. Each week we will release a series of content on how you can instill one of the four healthy habits that the NCA and DHS have outlined to encourage individuals to take control of their online lives:

  1. Enable Multi-Factor Authentication
  2. Use Strong Passwords and a Password Manager
  3. Update Your Software
  4. Recognize and Report Phishing

Each behavior will be the star of the show for a week in October.  This week we are starting with Multi-Factor Authentication (MFA).  Foreshadowing the details to come regarding MFA, NCA found that nearly half (48%) of US/UK respondents say they have “never heard of MFA.”  As an important aspect of any identity and access management (IAM) strategy, this reality highlights the need to have a conversation surrounding IAM.  The following three weeks recognize security behaviors with similar statistics.

We love the concept of NCAM.  The tools and tactics discussed throughout the month are helpful to not just educate yourself but also useful for employees, customers, families and friends.  Every weekday this month, Conceal will be providing content relevant and in line to what NCA and DHS are featuring.

We are excited to empower every individual to protect their personal data from cybercrime throughout this cybersecurity education campaign.  Stay in the loop on all the great content we will be releasing by bookmarking our NCAM landing page.


Browser Security Case Study: Security Red Teams

Overview

Cybersecurity Red Teams play the role of attacker/adversary in cybersecurity wargames. They play the bad guys to help sharpen the skills and toolset of the good guys (the Blue Team). Some companies will maintain an in-house Red Team, and some will contract that role out to consultants. In order to simulate attacks on the friendly target company, the red team has to maintain much of the same attack infrastructure as threat actors. This includes:

  • A Command and Control (C2) environment that serves as the home base for the attackers’ key systems.
  • A group of distributed attack systems scattered in different networks, acting at the point of attack against the adversary while communicating back to the Command and Control networks.
  • A set of reconnaissance and penetration tools to perform their function.
  • Tradecraft which helps them gather information to discover weaknesses in the target’s defenses while allowing them to remain undetected.

Unlike true attackers, Red Teams have the additional challenge of remaining a fresh challenge while attacking the same company over and over again. The defensive blue teams can learn the patterns of the Red Teams and develop an unfair advantage if the attack approaches remain the same.

Challenges to Current Practices

Today, most Red Team practitioners build their toolset in company owned and registered cloud environments and use VPN connections to spoof their real network location while performing their network scans. Due to time and resource constraints, they often must reuse the same attack vectors. Internet service providers will often detect the activity on these nodes as an active threat and blacklist their traffic. This often forces Red Teams to use internal trusted networks or dedicated infrastructure to simulate attacks, presenting recognizable patterns to their Blue Team adversaries.

How Conceal.io Helps Red Teams

Conceal offers several benefits to the activities of a red team.

  1. Location Aware Scanning – Some networks and sites act differently depending on where they think a connection is originating. You may need to test a site from different egress regions to see how it really works. Red teams can use the Conceal Privacy Fabric to quickly change the egress location of the system running scanning and discovery tools, to test for differences in the target network’s response.
  2. Rotate Network Infrastructure – Most public VPN sites or personal sandbox environments used for red team hacking will eventually get tagged and marked as risky by ISPs and threat intelligence services. The ability to change egress nodes, combined with the regular rotation of network nodes on the Conceal Privacy Fabric, allows the red team to change the vector of attack with no additional investment in infrastructure.
  3. Securing the C2 Environment – Keeping C2 environments safe and free from discovery and counter-penetration by blue teams is important so that they don’t constantly have to be rebuilt. Keeping your C2 environments behind the Conceal network helps protect this critical infrastructure. In the case of a true discovery of the C2 environment’s obfuscated network location, the Red Team can drop that Conceal network egress tunnel and create a new one.


WWCD: Could Conceal Have Stopped Lapsus$?


Several multinational companies have been in the news in recent months thanks to being victims of the prolific data extortion group known as Lapsus$. The most recent victims are Uber and Grand Theft Auto videogame producer Rockstar Games. However, Lapsus$ has been in the news for a majority of 2022 with successful attacks on Okta, Microsoft, Samsung, and others.

One of the group’s earliest high-profile attacks was against authentication management firm Okta, which is used by many companies to control access to all the software used by employees. Its role in the security chain meant that Okta’s security reputation is paramount to keeping the trust of its customers. Although Okta claimed it was able to contain the breach quickly, the high-profile attack meant that the company’s reputation suffered permanent damage.

Modus Operandi

So how does Lapsus$ operate? The group relies heavily on a combination of stolen credentials and social engineering to gain access to privileged accounts within a company. They then use that access to obtain sensitive data and demand a ransom to prevent the data’s release. The ransom demand is usually accompanied by a release of a sample of the data on publicly accessible channels, like Telegram, to put added pressure on the company to pay up.

The initial targets of the attacks are typically peripheral employees or contractors who may be less knowledgeable about social engineering or less inclined to stringently follow security protocols. If the group can access sufficiently valuable data from this initial access, that could be the end of the attack. Otherwise, they use this initial access as a foothold to gather targeting information for further social engineering attacks against better-placed individuals in the target company.

Could these attacks have been prevented?

Lapsus$ expertly leverages the fact that people are not perfect. Regardless of training, they can be tricked into clicking malicious links, opening malicious files, or providing multi-factor authentication tokens to third parties. The interactions between attacker and victim can happen on several channels, some of which are controlled by an organization and others that are not. There are several techniques that can be employed to prevent access escalation and limit what can be accessed once an attacker is in your network. But, ten times out of ten, it’s better to keep them from ever getting access in the first place.

How could Conceal have helped?

No single product is a cyber security panacea, but ConcealBrowse could have blocked some of Lapsus$’s credential-stealing techniques before they started. One of Lapsus$’s techniques is to steal credentials to gain their initial access, including getting users to click on malicious links that download the credential theft software to the user’s computer. The group also buys credentials from the dark web, and many times the groups selling those credentials have used the same technique.

The most common methods to prevent these attacks include training users to identify the links and not click on them. As we’ve seen, this method relies on teaching 100% of users to make the correct decision 100% of the time. ConcealBrowse eliminates this need. ConcealBrowse is the eyes, ears, and brain that protects users regardless of where they click, isolating questionable websites in a remote browser in the cloud, where any software downloads or zero-day exploits can’t affect a user’s device.

Regardless of what decision they make, ConcealBrowse keeps them safe. #WWCD