
HEAT Bypasses Traditional Security Defenses

Menlo Security has observed an increase in a class of cyber threats it defines as Highly Evasive Adaptive Threats (HEAT), which bypass traditional security defenses.

HEAT attacks are a class of cyberattack designed to evade detection by several layers of today’s security stack, including firewalls, Secure Web Gateways, sandbox analysis, URL reputation and phishing detection. They are used to deliver malware or to harvest credentials, and in many cases lead to ransomware.

After analyzing more than 500,000 malicious domains, the research team concluded that 69% of them used HEAT techniques to deliver malware. By adapting to the target environment, these attacks let threat actors get malicious content onto the endpoint. HEAT attacks have increased by 224% since July 2021.

Menlo Security CEO Amir Ben-Efraim said, “With the abrupt move to remote working in 2020, every organization had to pivot to a work-from-anywhere model and accelerate their migration to cloud-based applications. An industry report found that 75% of the working day is spent in a web browser, which has quickly become the primary attack surface for threat actors, ransomware, and other attacks. The industry has seen an explosion in the number and sophistication of these highly evasive attacks and most businesses are unprepared and lack the resources to prevent them. Cyber threats are a mainstream problem and a boardroom issue that should be on everyone’s agenda. The threat landscape is constantly evolving, ransomware is more persistent than ever before, and HEAT attacks have rendered traditional security solutions ineffective.”

ESG Senior Analyst John Grady said, “Highly Evasive Adaptive Threat (HEAT) attacks evade existing security defenses by understanding all the technology integrated into the existing security stack and building delivery mechanisms to evade detection. Organizations should focus on three key tenets to limit their susceptibility to these types of attacks: shifting from detection to a prevention mindset, stopping threats before they hit the endpoint, and incorporating advanced anti-phishing and isolation capabilities.”

AdaptiveMobile Security announced the first unified 5G network security solution to secure mobile networks

AdaptiveMobile Security, the global leader in mobile network security, announced a trio of interlinked 5G security platforms that enable carriers to protect their 5G infrastructure from both internal and external threats. The company describes it as the first unified 5G network security solution, combining a range of cybersecurity capabilities to secure 5G networks, vertical APIs, network slices and subscribers.

5G networks are likely to be the target of increasingly sophisticated cyberattacks. Securing a 5G network is an order of magnitude harder than securing earlier mobile generations: the attack surface has grown, telecom and internet technologies are converging, and attacker tooling is more freely available. To prevent nation-state adversaries and criminal groups from using other, supposedly “trusted” networks as a springboard against an operator’s 5G infrastructure, 5G networks must be secured at their interconnects with other networks and systems. Internally, networks must be protected against threat actors compromising network slices, and the new application APIs exposed by 5G networks must be secured so that they do not become new attack vectors.

“As it currently stands, we do not appear to have learned the security lessons from 3G and 4G. Security in 5G networks is not built-in as promised and major vulnerabilities have been exposed even before the technology has been deployed. 5G network core technologies will be fundamentally insecure, and operators face having to protect their networks from both existing and emerging threats. Attackers already have access to the tools and techniques that are known to be effective, exploiting the IT protocols on which 5G architectures are built. Trust is not a security or a business strategy – governments, regulators, mobile operators, and network equipment vendors must all step up and secure the critical infrastructure of 5G networks. Nation-states and cyber-criminal adversaries will take advantage of any security gaps in mobile networks with catastrophic consequences for nations, networks, enterprises and subscribers,” said Brian Collins, CEO, AdaptiveMobile Security.

AdaptiveMobile Security’s solution lets governments, regulators and mobile operators understand the nature of new threats, pinpoint the global threat actors attacking their networks, and prevent internal attacks on network slices by identifying and correlating the sources of external and internal attacks on 5G networks and subscribers. With it, mobile operators can analyze, forecast and defend against attackers’ methods, intentions, infrastructure and evolution, and proactively maintain defences against known sources of signalling attacks.

“5G is driving the mobile industry into adopting the technology and techniques of the IT world to increase efficiency and improve functionality. However, while laudable, there needs to be a wider mind-set change. When it comes to securing 5G, the telecoms industry needs to fully embrace a holistic and collaborative approach to secure networks across standards bodies, working groups, operators, and vendors. This new unified approach to 5G network security will be critical in protecting operators’ networks, enterprise customers and subscribers from new and emerging cybersecurity threats,” said Dr. Silke Holtmanns, Head of 5G Security Research, AdaptiveMobile Security.

REvil Ransomware Attack on Kaseya Ltd, the Year’s Biggest Cyberattack: FBI, CISA Offer Guidance

The REvil cybergang claimed responsibility for the large ransomware attack on managed service provider Kaseya Limited. The attack is massive and is considered the single largest global ransomware attack of the year, affecting financial services, travel and leisure, retail and public-sector computer systems across many countries. The attackers claim to have infected one million Kaseya-connected computers and are demanding $70 million in bitcoin for a universal decryptor. Federal authorities estimate the number of affected enterprises to be in the thousands.

The infamous cybergang REvil claimed responsibility for the attack in a post on a hacker forum on Sunday. The message read as follows:

“On Friday (02.07.2021) we launched an attack on MSP providers. More than a million systems were infected. If anyone wants to negotiate about universal decryptor – our price is 70 000 000$ in BTC and we will publish publicly decryptor that decrypts files of all victims, so everyone will be able to recover from attack in less than an hour. If you are interested in such deal – contact us using victims “readme” file instructions.” – REvil.

The gang (also known as the Sodinokibi ransomware group) has been operating since April 2019, when the GandCrab cybergang split up, according to a detailed investigation of the REvil attack by Kaspersky. “REvil ransomware has been advertised on underground forums for three years and it is one of the most prolific Ransomware as a Service (RaaS) operations,” researchers wrote.

Later, Deputy National Security Advisor Anne Neuberger issued a statement stating that US President Joe Biden had “directed the full resources of the government to investigate this incident” and urging anyone who believes they have been hacked to contact the FBI.

In related news, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) of the United States offered support to those affected by the massive cyberattack.

“We encourage all who might be affected to employ the recommended mitigations and for users to follow Kaseya’s guidance to shut down VSA servers immediately. As always, we stand ready to assist any impacted entities,” according to a security alert.

“If you feel your systems have been compromised as a result of the Kaseya ransomware incident, we encourage you to employ all recommended mitigations, follow guidance from Kaseya and the Cybersecurity and Infrastructure Security Agency (CISA) to shut down your VSA servers immediately and report your compromise to the FBI.”

The Kaseya helpdesk stated:

“On Friday, July 2nd, Kaseya received reports from customers and others suggesting unusual behavior occurring on endpoints managed by the Kaseya VSA on-premises product. Shortly thereafter, customer reports indicated that ransomware was being executed on endpoints. In light of these reports, the executive team convened and made the decision to take two steps to try to prevent the spread of any malware: we sent notifications to on-premises customers to shut off their VSA servers and we shut down our VSA SaaS infrastructure.

The attackers were able to exploit zero-day vulnerabilities in the VSA product to bypass authentication and run arbitrary command execution. This allowed the attackers to leverage the standard VSA product functionality to deploy ransomware to endpoints. There is no evidence that Kaseya’s VSA codebase has been maliciously modified.

Mandiant was quickly engaged to investigate the incident. We have been actively engaged with Mandiant to assess the manner and impact of the attack. We are also cooperating with federal law enforcement to ensure that they have the information they need to investigate this attack. Below, we provide some of the technical details that we have been able to confirm in the course of the investigation.

To date, we are aware of fewer than 60 Kaseya customers, all of which were using the VSA on-premises product, who were directly compromised by this attack. While many of these customers provide IT services to multiple other companies, we understand the total impact thus far has been to fewer than 1,500 downstream businesses. We have not found any evidence that any of our SaaS customers were compromised.

We have begun our restoration process and are developing and readying for deployment to our VSA customers a fix for this issue. On July 3rd, Kaseya released a Compromise Detection Tool to customers. This tool analyzes the user’s system (either VSA server or managed endpoint) and determines whether any indicators of compromise (IOC) are present. To date, over 2,000 customers have downloaded the tool. Updates on this are being posted at the following link: https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689. We are working to bring our SaaS environment up safely and provide an update for on-premises customers.

We know there is a lot of information circulating about this incident. Some of it is accurate, much of it is not. We will continue our efforts to keep you updated as we have solid, actionable information to share.”