Cynet 360: The Next Generation of EDR

Many organisations regard Endpoint Detection and Response (EDR) as their main protection against breaches. EDR, as a category, emerged in 2012 and was rapidly acknowledged as the best answer to the numerous threats that legacy AV unsuccessfully struggled to overcome – exploits, zero-day malware and fileless attacks are prominent examples.

While there is no dispute about EDR’s effectiveness against a significant portion of today’s advanced threats, a new breed of “next-generation EDR” solutions is now available which, on top of featuring all EDR capabilities, goes beyond them to protect against prominent attack vectors that EDR does not cover, such as those involving users and networks.

“Many people unknowingly mix two different things – endpoint protection and breach protection,” explained Eyal Gruner, co-founder of Cynet (a next-generation EDR solution).

“It’s perfectly true that many attacks start at the endpoint and involve malicious files and processes, making EDR a perfect solution for the endpoint. However, the actual attack surface is much broader than this, and at the end of the day, it’s not the endpoints you want to protect – it’s your organization.”

Gruner, a former white-hat hacker (starting when he was 15 years old), also founded BugSec, Israel’s largest cybersecurity consulting company. Today, he is a world-recognized expert on attacker tools, techniques, and practices.

“Think of it like this: by definition, each attacker’s activity generates some kind of anomaly. It only makes sense, because what we consider to be ‘normal behaviour’ doesn’t include compromising resources and stealing data. These anomalies are the anchor that enable security products – or threat analysts for that matter – to identify that something bad is happening and block it.”

Gruner said that these anomalies could manifest in three core places – process execution, network traffic, or user activity. For example, ransomware generates a process execution anomaly since there is a process that attempts to interact with a large number of files.

Many types of lateral movement, on the other hand, include a network traffic anomaly in the form of unusually high SMB traffic. In a similar manner, when an attacker logs in to a critical server with compromised user account credentials, the only anomaly is in the user behavior. In both cases, it’s impossible to unveil the attack through monitoring processes alone.

“EDR is a great tool for the attacks that can be identified through process anomalies,” said Gruner. “It sits on the endpoint and monitors process behaviour, so you’re fairly covered against this group of threats. But what about all the rest? There are many mainstream vectors that operate on the network traffic and user behaviour without triggering the slightest process anomaly and EDR is practically blind to these threats.”

images from Hacker News

Russian APT Map Reveals 22,000 Connections Between 2000 Malware Samples

Though Russia still has an undiversified and stagnant economy, it was one of the early countries in the world to realize the value of remotely conducted cyber intrusions.

In recent years, many Russian hacking groups have emerged as some of the most sophisticated nation-state actors in cyberspace, producing highly specialized hacking techniques and toolkits for cyber espionage.

Over the past three decades, many high-profile hacking incidents—like hacking the US presidential elections, targeting a country with NotPetya ransomware, causing a blackout in the Ukrainian capital Kiev, and the Pentagon breach—have been attributed to Russian hacking groups, including Fancy Bear (Sofacy), Turla, Cozy Bear, Sandworm Team and Berserk Bear.


1-Click iPhone and Android Exploits Target Tibetan Users via WhatsApp

A team of Canadian cybersecurity researchers has uncovered a sophisticated and targeted mobile hacking campaign that is targeting high-profile members of various Tibetan groups with one-click exploits for iOS and Android devices.

Dubbed Poison Carp by University of Toronto’s Citizen Lab, the hacking group behind this campaign sent tailored malicious web links to its targets over WhatsApp, which, when opened, exploited web browser and privilege escalation vulnerabilities to install spyware on iOS and Android devices stealthily.

“Between November 2018 and May 2019, senior members of Tibetan groups received malicious links in individually tailored WhatsApp text exchanges with operators posing as NGO workers, journalists, and other fake personas,” the researchers say.

What’s more, the researchers said they found “technical overlaps” between Poison Carp and two recently discovered campaigns against the Uyghur community in China—the iPhone hacking campaign reported by experts at Google and the Evil Eye campaign published by Volexity last month.


[Unpatched] Critical 0-Day RCE Exploit for vBulletin Forum Disclosed Publicly

An anonymous hacker today publicly revealed details and proof-of-concept exploit code for an unpatched, critical zero-day remote code execution vulnerability in vBulletin—one of the most widely used internet forum software packages, The Hacker News has learned.

The vulnerability should be viewed as a severe issue not just because it is remotely exploitable, but also because exploiting it does not require authentication.

Written in PHP, vBulletin is a widely used proprietary Internet forum software package that powers more than 100,000 websites on the Internet, including the websites and forums of Fortune 500 and Alexa Top 1 Million companies.

According to details published on the Full Disclosure mailing list, the hacker claims to have found a remote code execution vulnerability that appears to affect vBulletin versions 5.0.0 through the latest 5.5.4.


iOS 13 Bug Lets 3rd-Party Keyboards Gain ‘Full Access’ — Even When You Deny

Following the release of iOS 13 and iPadOS earlier this week, Apple has issued an advisory warning iPhone and iPad users of an unpatched security bug impacting third-party keyboard apps.

On iOS, third-party keyboard extensions can run entirely standalone without access to external services and are thus forbidden from storing what you type unless you grant “full access” permissions, which enable some additional features through network access.
