
ESET participates in joint efforts to strengthen cyber-resilience with NATO's Locked Shields exercise

BRATISLAVA — May 5, 2022 — From April 19 to April 22, 2022, Locked Shields, the biggest international live-fire cyber defense exercise, took place in Tallinn, Estonia. Since 2010, the NATO Cooperative Cyber Defense Centre of Excellence (CCDCOE) has been organizing this annual event, putting the cyber capability of NATO member countries to the test. This exercise took more than six months to prepare to ensure its success. It aims to strengthen the collective digital defense across the Alliance and test the skills of Allies. The participants had a unique opportunity to prove their ability to protect national civilian and military IT systems and critical infrastructure.

The Locked Shields 2022 exercise subjected around 5,500 virtualized systems to more than 8,000 live-fire attacks. However, the exercise is not as significant in its size as in its complexity. The involved teams had not only to prove their ability to protect entrusted critical infrastructure of an imaginary country, but also their effectiveness in reporting details about the situation on the digital battlefield, executing strategic decisions and solving forensic, legal and information operations challenges. For the first time, in 2022, the technical exercise also included the simulation of reserve management and financial messaging systems of a central bank. The main focus of the exercise was on the interdependencies of international IT systems.

This year, more than 2000 participants from 32 nations were involved. Twenty-four were NATO member nations, including the Slovak Republic, which has taken part in the exercise every year and was joined in 2022 by cybersecurity experts from the Czech Republic. Because many nations were interested, several joined forces to form combined teams such as the Slovak-Czech, Lithuanian-Polish and Estonian-Georgian ones.

The Slovak-Czech team was formed from experts in the armed forces, government organizations, and the private sector, including ESET. Twenty-nine of ESET's security experts participated in the exercise, helping the SK-CZ team to fifth place overall, and the top position in two subcategories: forensics and reporting.

ESET is glad to have had the opportunity to join Slovakia in this exercise once more and thus prove itself as a valuable member and partner to the country.

“Once again, the team from ESET demonstrated its technical expertise at Locked Shields 2022 and helped the Slovak-Czech blue team achieve a very good ranking. ESET’s products had high incident detection efficiency and enabled us to proactively respond to emerging threats in a short period of time. A thank you to everyone involved for their participation and high level of professionalism,” says the Director of the Cyber Defence Center of the Slovak Republic.

The need for digital security and locking shields is increasingly evident given current events such as the invasion of Ukraine and the COVID-19 pandemic. As the global community becomes increasingly dependent on technology, malicious cyber actors are stepping up their efforts to attack both the public and private sectors. In response, the Locked Shields exercise uses the latest technologies to train national teams within an exercise environment based on realistic scenarios.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.


Threat Awareness: The Spectre of Ransomware

An extract from GDR The Guide to Data as a Critical Asset – Edition 1. The whole publication is available at https://globaldatareview.com/guide/the-guide-data-critical-asset/edition-1

Introduction[1]

Twenty-first-century businesses rely on data to run their operations; data is their life-blood and any interference can be deadly – a risk identified by criminals.

The task of defending information technology (IT) networks, therefore, is all about the data moving across them; inactive data is, at worst, a potential risk. The challenge with data in motion is knowing what it is doing.

Ideally, a company would want to know what happens to every piece of data in transit on its network and to set rules about its use. However, such a solution is technically challenging and inflexible, and it requires significant amounts of data storage.

Furthermore, such a system would present serious problems for the move to home working popularised by the COVID-19 pandemic, because each device would need to authenticate over insecure, public networks to reach the corporate network. The virtual private network (VPN) method that most companies currently use for this is designed for flexibility, which means that it is open to all internet protocol addresses apart from those that are blacklisted.

The freedom this gives employees comes with corresponding risks to data from a potential attacker. Data can be stolen, put out of reach or destroyed. Each organisation must therefore decide several security questions: the perceived value of its data, its capability to track the data's movement, and the balance to strike between employees’ freedom and the threats to that data.

There are a number of cybercrime threats to data, ranging from data breaches that focus on the theft of passwords, usernames and financial information to threats to networks, such as distributed denial of service attacks (DDoS), which attempt to overload a network or computer (in most cases, a web server hosting a website) with automated junk traffic to make it unavailable for its intended users for a certain period.

The most reported form of attack is ransomware, which has refined most other cybercrime techniques and has become the most effective method of making money from modern developments in technology. Ransomware relies on an attacker gaining access to a company network, encrypting the data on it and denying the company access to either the data or its devices unless a ransom is paid.

Although not a new threat – in the 1990s there were several cases of disgruntled employees encrypting data and demanding ransoms for access – the advent of cryptocurrencies and the internet has generated a huge increase in the activity. In the 20th century, the ransom had to be collected either in cash or by bank transfer, which left the extortioner very vulnerable to arrest. That risk no longer exists.

As a result, the sheer scale of the attacks is forcing businesses to factor a response to a ransomware attack into their business models, which could expose a business to legal issues over whether to pay.

What is even more problematic is that, often, even if a ransom is paid, a company may not regain access to all its data.

Another factor is that the payment of a ransom not only confirms to the criminals that their crime pays, it also has reputational issues: first, regarding the business’s cybersecurity and second, regarding the future integrity of the business’s data.

A final factor is the legality of payment as cybercriminals are often either sanctioned or operating from sanctioned states.

This issue received stark emphasis in November 2021 from the US Department of the Treasury’s Office of Foreign Assets Control (OFAC), which updated its sanctions list with a number of cryptocurrency wallets belonging to individuals associated with cybercrime, the alleged perpetrators of ransomware attacks. The update also included, for the second time, a cryptocurrency exchange – Chatex – which is suspected of facilitating financial transactions for hackers.

The regulatory landscape has also changed. The US Federal Deposit Insurance Corporation, a US regulator of the financial industry, announced on 18 November 2021[2] that banking organisations will be required, from 1 April 2022, to report computer security incidents within 36 hours. The new regulations, which other industry sectors are likely to adopt, mean that organisations will find it more difficult to hide an incident.

The Ransomware Disclosure Act proposed by Senators Elizabeth Warren and Deborah Ross[3] is likely to make payment even more problematic. The Act, if passed, will require companies that are the victims of ransomware attacks to report ransom payment information to the Department of Homeland Security, which will provide the US government with critical data on cybercrime activity. It may also have the effect of reducing a company’s or its insurer’s willingness to pay, knowing that they may face government scrutiny when they disclose the payment, which is likely to include how payment was made, how much was paid and to whom. Similar legislation is being proposed in other parts of the world, such as Australia.[4]

So, perhaps a business’s first step in developing a response should be to seek legal advice regarding a ransomware insurance policy.

Ransomware is big business

Although no exact figures exist for the annual criminal proceeds of ransomware, the activities of law enforcement in arresting gang members and recovering stolen funds do give an indication of the scale of the activity. This policing activity has led to seizures of millions of dollars in cash and expensive assets, as well as the freezing of criminal cryptocurrency accounts.

To gain an insight into the scale of the issue, in one notable event on 14 January 2022, Russian Federal Security Service (FSB) agents arrested 14 members of one of the most notorious ransomware gangs – Sodinokibi (aka REvil)[5] – and confiscated US$6.6 million worth of cash assets, 20 luxury cars and a parcel of cryptocurrency wallets used to run its affiliate business.

Before the Russian raid, law enforcement agencies had already arrested seven affiliates of the gang, and even recovered US$6.1 million from another affiliate still at large.

In a business model often used in computer crime, the Sodinokibi gang runs ransomware-as-a-service (RaaS) affiliate operations, and takes a cut of 30 to 40 per cent from ransom payouts made to their affiliates around the world.

According to the US Department of Justice[6] in November 2021, the Sodinokibi ransomware operation had collected more than US$200 million in ransom payouts and encrypted no fewer than 175,000 computers.

The impact of ransomware on global business and its data has been severe. This trend has been reflected in media headlines, most notably the 2021 attack on the US company Colonial Pipeline.[7] This incident resulted in petrol shortages because of panic buying of fuel and a US$4.4 million ransom demand.

An idea of the scale of the problem can be gauged from analysis carried out by the European Union’s cybersecurity agency ENISA, which in 2019 put the cost of ransomware payouts at €10 billion, and the US Financial Crimes Enforcement Network, which, in the first part of 2021, estimated bitcoin payments it associated with ransomware to be in the region of US$5.2 billion.

These figures also mask one other often overlooked factor, which is that the success of ransomware is only possible because of the criticality of data to run modern businesses. Lose access to your data and you lose your business.

The psychological pressure ransomware generates for critical data

Ransomware generates huge psychological pressure because organisations are conscious of potential reputational damage, service outages and legal and financial penalties, to which is added the obvious knowledge of losing control of core data. It is a mark of the importance of critical data that the ransomware trend has reached such levels, as its specific purpose is to take advantage of how dependent businesses are on their computer networks.

In November 2019, the Maze ransomware gang started a trend called doxing (taking valuable or sensitive data from victims’ systems before encrypting it). The gang then threatens to either publicly release the data or sell it to other malicious actors unless they are paid an additional fee on top of the ransom – a type of double extortion.

To increase the pressure still further on their victims, some ransomware operators take the step of directly contacting business partners or customers of victim organisations that have not paid a ransom demand. They will imply that sensitive data has been accessed in the attack and suggest that the business partners or customers also put pressure on the victim organisation to pay the ransom, or even demand payment directly from the business partners or customers.[8]

What is also particularly interesting about the crime trend is the acute awareness that criminals have developed regarding the value and use of information in the internet age.

In a final brazen twist, they have begun to offer insider information to short the stock of publicly traded companies in tandem with a public announcement of a ransomware attack. The DarkSide ransomware gang used this technique in April 2021[9] when it released a notice on its dark web portal offering information about companies listed on NASDAQ and other stock exchanges that had fallen victim to the gang. The group’s ruse was that the combination of bad publicity, a dip in stock prices and the sale of insider information might put pressure on some companies to pay the ransom.

Gangs have homed in on market pressure in the wake of Verizon’s 2017 acquisition of Yahoo. Following news of two data breaches, Verizon reduced its original offer for Yahoo by US$350 million, which was noted by the cyber gangs. This was a development the US Federal Bureau of Investigation (FBI) highlighted in November 2021[10] when it released a private industry notification warning that ransomware actors now coordinate their attacks with current mergers and acquisitions to maximise extortion bids.

Acutely conscious of the value of the data it is denying to the company, the gangs’ modus operandi is usually to keep ratcheting up the pressure with a range of other attacks. Furthermore, if victims refuse to pay, ransomware gangs will often threaten multiple follow-up disruptions. These range from DDoS attacks on victims’ websites[11] to personal threats against company executives[12] using data found on their devices.

Sometimes, the criminals advertise their presence on a network using shock tactics such as print bombing, in which multiple printers on a network are commanded to print a ransom note – threatening management’s ability to control internal and external communication about an incident.[13] Some gangs have also taken to cold calling executives using data on companies’ databases to further increase the sense of being under siege.

In a 2020 attack, the Ragnar Locker ransomware gang even used funds from a US man’s hacked Facebook account to run a Facebook Ads campaign[14] against Campari, in a bid to coerce it to pay for a ransomware attack. The campaign failed when Facebook detected the advertisements and quickly capped the campaign spend at US$35.

Preamble to a ransomware attack and other threats to data

A corporate ransomware attack is typically preceded by a two-stage preparation process that begins with initial access and is followed by reconnaissance, possibly accompanied by the theft of data. 

Typically, ransomware operators rely on access brokers who specialise in gaining initial access to a network. To gain entry, these attackers probe networks for insecure system configurations, especially in remote access software tools such as remote desktop protocol (RDP, a tool that allows a device to be accessed via a network), or look for vulnerable software to exploit. Other lines of attack involve spearphishing (i.e., targeting individuals with an email they are likely to reply to because it appears to come from someone they trust) or bulk phishing emails. Both types of email contain malicious attachments or links that aim to trick unwary recipients into unwittingly giving up their credentials or allowing malware to be downloaded and installed.

For these access brokers, often hired via the dark net, the coronavirus pandemic was a godsend because of the number of office employees forced to work from home who suddenly became dependent on remote access tools. As a result, RDP became an essential requirement for people working from home. It works both ways, also enabling support staff to remotely manage employees’ machines.

Unfortunately, RDP can be a significant risk, and to expose it to the internet – especially at scale – is a decision that should not be taken without some thought.[15]

Although gaining access from the internet to devices running RDP may require more effort than ransomware delivered via other channels, such as email, RDP does offer attackers significant benefits, such as misuse of legitimate access, the potential to evade protections and the ability to compromise multiple systems, or whole networks within a single organisation, especially if attackers successfully elevate their privileges to ‘admin’ or compromise an administrator’s machine. Since RDP is a legitimate service – unlike malware – attacks via RDP can also fly under the radar of many detection methods, meaning fewer records and less threat awareness.

Full-on search for vulnerabilities

The quest for vulnerable companies by access brokers is relentless. Once one avenue has been exhausted, they switch to another, taking advantage of unpatched vulnerabilities in legitimate system software both to gain initial access and, once inside, to extend access to additional connected systems. It is a process like that used in the animal world by predators on herds – they search for weaknesses and the target is pursued because of its weakness. It is only afterwards, once identified, that it is examined for its potential exploitation value.

Another method of attack used as part of this pattern of victim identification is the use of ‘zero days’. A vulnerability is a mistake in the coding of some software that a cybercriminal can take advantage of to conduct an attack. A zero-day vulnerability is one for which there is not yet a patch in place to mitigate it, there having been ‘zero days’ since a patch was made available to the public. Discovering zero-day vulnerabilities can be an expensive process that generally involves well-funded and sophisticated threat actors such as advanced persistent threat (APT) groups and nation state-sponsored actors.

In one example in March 2021, a spate of attacks occurred when Microsoft rushed out emergency updates to address a chain of four ‘zero-day’ flaws – subsequently named ProxyLogon[16] – that affected versions of Microsoft Exchange, a server software used by organisations to deliver email via Outlook.

The speed and scale of the attack on Exchange servers around the world by more than 10 APT groups was striking. Companies that were too slow to patch or had not protected their systems sufficiently saw threat actors accessing their Exchange servers and attempting to steal email, download data and compromise machines with stealth malware to obtain long-term access to their networks.[17]

When coupled with ransomware, the automated exploitation of a vulnerability can become devastating. One of the best examples of this was WannaCry ransomware,[18] one of whose victims was the United Kingdom National Health Service in 2017. That attack came about because of the misuse of a high-severity vulnerability in Microsoft’s Server Message Block (SMB) protocol, which is used for file and printer sharing in large company networks. Despite patches having been available for two months before the WannaCry outbreak on 12 May 2017, attackers still found and encrypted more than 200,000 vulnerable machines.[19]

That ransomware gangs do their homework is obvious, as is their attention to detail: they are aware that some companies have managed to avoid paying them by backing up their data. It is therefore not surprising that the network-attached storage (NAS) devices commonly used to share files and make backups have also attracted their attention. This was confirmed in 2021, when the NAS appliance maker QNAP alerted its customers that ransomware called eCh0raix was attacking its NAS devices, most successfully those with weak passwords.[20]

In January 2022, the DeadBolt group kicked off a ransomware campaign targeting internet-connected QNAP NAS devices. The attackers claimed to be exploiting a zero-day vulnerability that they would disclose to QNAP in return for US$1.85 million.

If such a device is connected to the internet and vulnerable, the best advice is to disconnect it right away. Considering that NAS devices are commonly used to store backups that can help organisations recover from a ransomware attack, this can be a particularly damaging type of attack.

As mentioned earlier, many criminals still use email attachments to deliver the malign code that installs ransomware. The attachments will either deliver downloaders that install malware on the email recipient’s machine or establish a foothold on a machine within an organisation’s network.

Email is one of the primary routes for botnets (such as Trickbot, Qbot and Dridex), one of the blights of the internet. Botnets are software programs that link a huge number of infected computers to form a usually automated ‘robot network’ – hence ‘botnet’, one of the core criminal internet entities. They are available for hire on a metered basis (often for as little as 15 minutes) to take down websites and online computer systems by sending a stream of automated requests for information that overloads the computers and forces them to crash. They provide the essential delivery mechanism for junk email campaigns, the DDoS attacks discussed earlier, and for ransomware.

The criminals scan the internet looking for vulnerable computers to infest while simultaneously sending out junk email to catch the unwary. Once installed, the software harvests and sends data about the victims’ machines to the attackers’ server. The attackers then take control of the machine and link it with others they have infected to form a botnet, a network of computers that can be used in large-scale attacks, such as malicious email campaigns, DDoS attacks on websites and ransomware. For the owner of the computer, the only sign of the infection may be that it begins to run slowly.

Botnets such as Trickbot commonly attach Microsoft Office documents tainted with malicious code in email campaigns for initial intrusion that can later lead to ransomware as the final payload. In these cases, the botnet operators usually act as initial access brokers who sell or rent their access to compromised networks to the ransomware operators. It is because of this that there are often direct links between botnet and ransomware software.[21]

Criminals have also managed to pollute the legitimate software supply chain. People commonly acquire software by downloading it from websites and then, over the lifetime of using that software, receiving updates directly from the update servers of the software company. These servers routinely push updates that include bug fixes, security patches and new features.

In 2017, for example, it was found that an accounting software suite named M.E.Doc was being used by criminals to push the DiskCoder.C (aka NotPetya) malware as part of its cyberwar against Ukraine,[22] where M.E.Doc is widely used. The attackers penetrated the software company’s update servers and added their own code to legitimate application update files. When users of the accounting software clicked to install program updates, they were also installing a malware backdoor, opening the way for what became the most devastating cyberattack in history.[23]

Kaseya VSA became another target of a supply-chain attack in July 2021. Kaseya is an IT management software provider whose main clients are managed service providers (MSPs). Its VSA product delivers automated software patching, remote monitoring and other capabilities so that MSPs can manage their customers’ IT infrastructure.

The attackers compromised scores of MSPs using VSA and sent a fake update to the MSPs’ customers that contained Sodinokibi ransomware.

Definitive proof that crime gangs were attempting to suborn employees to obtain access to their employers’ networks came in July 2020 when the FBI arrested a Russian who tried to recruit a Tesla employee into a ransom scheme against the company. The employee was offered US$1 million in return for details about Tesla’s network that would be used to develop custom malware to steal the company’s data, which the employee would install during a diversionary DDoS attack.

The risk of insider threats is a continuing problem. According to a survey of IT firms in the United States conducted in December 2021, 65 per cent of employees revealed that hackers had offered them bribes to hand over access to their corporate networks. These campaigns used email, social media and even phone calls to reach out to employees.

Once inside a network, attackers will move on to the second stage and begin to explore, often with the aim of increasing their level of access. Modern operating systems typically assign a set of privileges to specific processes and users, which allows them to perform certain actions. This increases the security of a system because attackers that compromise systems as low-level users are limited in what they can do – having the highest level of privilege would allow attackers to do almost anything they want on the computer. So the attackers’ first task is to check whether the operating system or any installed applications allow them to elevate their privilege level, ideally to that of administrator. The second objective is to maintain access for future intrusions.

This task becomes easier if the attackers are on a computer storing information about the people using the network, as one option is to look for people who have not used their accounts in a long time and to assume their identities. This is a very good reason for network administrators to disable and remove the accounts of former employees, lest a ghost of them should reappear in the network. Although an attacker could create a new user account, this would likely be noticed by the IT administrator. This is why maintaining an inventory of internet-facing assets, users and software is a basic step in preventing attacks.

Another approach used by attackers to achieve future access is to introduce ‘backdoor’ software into a system that allows them to come and go at will, but ideally, an attacker will try to introduce as little malicious code as possible to minimise the chances of detection. This is a strategy known as ‘living off the land’ because it uses legitimate software, often used by the system’s actual administrators, and standard tools installed with the base operating system, to extend network penetration. There are valid reasons for these programs to be executed and so detecting abuse by an attacker can be difficult, although not impossible.
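To show that such misuse is detectable rather than invisible, here is an added example (not code from the article, ESET or any product) that runs a few plain rules over constructed process-creation events: an Office application spawning a script host, encoded or hidden-window PowerShell, built-in admin tools run by an account outside an assumed set of known administrators, and the reactivation of a dormant account. The event layout, the account names and the EXPECTED_ADMINS set are assumptions made for the demonstration.

```python
"""Flag suspicious use of legitimate, built-in tools ('living off the land')
in process-creation events.

Added example, not code from the article or from any product. The event
layout (JSON lines with ts/user/parent/image/cmd) and the account names are
constructed for the demonstration; real telemetry would come from EDR or
Sysmon/4688-style process auditing.
"""
import json
import re

# Constructed sample telemetry: one process-creation event per line.
SAMPLE_EVENTS = """\
{"ts": "2022-05-05T09:01:10", "user": "jsmith", "parent": "explorer.exe", "image": "winword.exe", "cmd": "winword.exe invoice.docx"}
{"ts": "2022-05-05T09:01:14", "user": "jsmith", "parent": "winword.exe", "image": "powershell.exe", "cmd": "powershell.exe -w hidden -enc BASE64PLACEHOLDER"}
{"ts": "2022-05-05T09:30:00", "user": "svc-backup", "parent": "services.exe", "image": "powershell.exe", "cmd": "powershell.exe -File C:/scripts/backup.ps1"}
{"ts": "2022-05-05T10:05:22", "user": "jsmith", "parent": "cmd.exe", "image": "net.exe", "cmd": "net user ghost_acct /active:yes"}
{"ts": "2022-05-05T10:40:00", "user": "itadmin", "parent": "cmd.exe", "image": "net.exe", "cmd": "net user jdoe /active:no"}
"""

# Document-handling applications that have no business launching shells.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Interpreters and script hosts that ship with the operating system.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Built-in administration tools that attackers reuse because they are already present.
ADMIN_TOOLS = {"net.exe", "net1.exe", "sc.exe", "reg.exe", "schtasks.exe", "wmic.exe"}
# Assumption: the accounts expected to run admin tools in this (fictional) organisation.
EXPECTED_ADMINS = {"itadmin", "svc-backup"}

ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s")
HIDDEN_FLAG = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
REACTIVATE = re.compile(r"(?i)/active:yes")


def detect(event):
    """Return the rule names an event triggers; an empty list means nothing to flag."""
    image = event["image"].lower()
    parent = event["parent"].lower()
    user = event["user"].lower()
    cmd = event["cmd"]
    hits = []
    # 1. An Office document spawning a script host is the classic malicious-attachment pattern.
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    # 2. Encoded or hidden-window PowerShell hides what the operator is doing from casual review.
    if image == "powershell.exe" and (ENCODED_FLAG.search(cmd) or HIDDEN_FLAG.search(cmd)):
        hits.append("obfuscated_powershell")
    # 3. Admin tooling run by an account that is not one of the known administrators.
    if image in ADMIN_TOOLS and user not in EXPECTED_ADMINS:
        hits.append("admin_tool_by_non_admin")
    # 4. Re-enabling a user account: the dormant-account trick described in the text.
    if image in {"net.exe", "net1.exe"} and REACTIVATE.search(cmd):
        hits.append("account_reactivated")
    return hits


def scan(jsonl_text):
    """Run every event through the rules and return only those that triggered something."""
    findings = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        rules = detect(event)
        if rules:
            findings.append({"ts": event["ts"], "user": event["user"],
                             "image": event["image"], "rules": rules})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['user']:<12} {f['image']:<16} {', '.join(f['rules'])}")
```

The legitimate backup script and the administrator disabling a leaver's account pass through untouched; the Office-spawned PowerShell and the non-admin reactivating a dormant account are the two events that surface, which is the point: the tools are legitimate, the context is not.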

If endpoint protection is installed on the system and it can be turned off by a user with administrator privileges, the attacker will want to turn it off; therefore checking that all security solutions are protected with strong, unique passwords should be the first item in a security software audit.

How to protect your critical data

A basic step in defending against RDP attacks is to make an inventory of internet-facing accounts, listing those that have remote access enabled and deciding whether that access is necessary. Those accounts should have long and unique passwords – or passphrases, which are easier to remember.

Knowing you are under attack is useful. Some security products have brute-force attack protection that detects groups of failed external login attempts and blocks further attempts. In a brute-force attack, typically an attacker uses automated software tools to attempt to log in with standard administrator account names, such as ‘admin’, and lists of default or leaked passwords, sometimes making millions of attempts.

This can also be stopped by setting an account login threshold. For example, after three invalid login attempts, further attempts could be blocked for a set period, or they could still be allowed but only after progressively longer intervals, with each failed login flagged.
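The threshold and progressive-delay idea, as an added example (not code from the article or any product): it replays constructed login records, locks a source address out after three failures inside a ten-minute window, doubles the lockout on each repeat, and reports which sources were locked out and which usernames they tried. The log format, the addresses and the timing parameters are assumptions.

```python
"""Detect brute-force login bursts and enforce a lockout threshold with
progressive delays.

Added example, not code from the article or from any product. The log format
(timestamp, FAIL/OK, user=, src=) and the addresses are constructed; a real
deployment would read RDP or VPN authentication events instead.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a burst of attempts against standard admin names
# from one address, and one legitimate user who mistypes a password once.
SAMPLE_LOG = """\
2022-05-05T08:00:01 FAIL user=admin src=203.0.113.7
2022-05-05T08:00:02 FAIL user=admin src=203.0.113.7
2022-05-05T08:00:03 FAIL user=administrator src=203.0.113.7
2022-05-05T08:00:04 FAIL user=root src=203.0.113.7
2022-05-05T08:02:00 FAIL user=admin src=203.0.113.7
2022-05-05T08:02:01 FAIL user=admin src=203.0.113.7
2022-05-05T08:02:02 FAIL user=admin src=203.0.113.7
2022-05-05T08:09:30 OK   user=jsmith src=198.51.100.20
2022-05-05T08:15:00 FAIL user=jsmith src=198.51.100.20
2022-05-05T08:15:40 OK   user=jsmith src=198.51.100.20
"""

THRESHOLD = 3                        # failures before a lockout ("after three invalid attempts")
WINDOW = timedelta(minutes=10)       # failures older than this are no longer counted
BASE_LOCKOUT = timedelta(minutes=1)  # first lockout length; doubles on each repeat


def parse_line(line):
    ts, result, user, src = line.split()
    return {"ts": datetime.fromisoformat(ts), "ok": result == "OK",
            "user": user.split("=", 1)[1], "src": src.split("=", 1)[1]}


class LoginPolicy:
    """Per-source state. Keyed by source address rather than by account so that an
    attacker spraying many usernames cannot lock legitimate users out of their own accounts."""

    def __init__(self):
        self.failures = defaultdict(list)   # src -> timestamps of recent failures
        self.usernames = defaultdict(set)   # src -> account names tried
        self.locked_until = {}              # src -> end of the current lockout
        self.lockouts = defaultdict(int)    # src -> lockouts issued so far

    def evaluate(self, ev):
        """Return ALLOWED, FAILED, LOCKED (threshold just crossed) or BLOCKED (inside a lockout)."""
        src, now = ev["src"], ev["ts"]
        if src in self.locked_until and now < self.locked_until[src]:
            self.usernames[src].add(ev["user"])
            return "BLOCKED"            # rejected before credentials are even checked
        if ev["ok"]:
            self.failures[src].clear()
            return "ALLOWED"
        self.usernames[src].add(ev["user"])
        recent = [t for t in self.failures[src] if now - t <= WINDOW]
        recent.append(now)
        if len(recent) < THRESHOLD:
            self.failures[src] = recent
            return "FAILED"
        # Threshold reached: lock the source out, doubling the delay on every repeat.
        self.lockouts[src] += 1
        self.locked_until[src] = now + BASE_LOCKOUT * (2 ** (self.lockouts[src] - 1))
        self.failures[src].clear()
        return "LOCKED"


def analyse(log_text):
    """Replay a log through the policy; return per-event decisions and the final state."""
    policy = LoginPolicy()
    decisions = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        decisions.append((ev["ts"].isoformat(), ev["src"], ev["user"], policy.evaluate(ev)))
    return decisions, policy


def suspicious_sources(policy):
    """Sources that were locked out at least once, with the usernames they tried."""
    return {src: {"lockouts": n, "usernames": sorted(policy.usernames[src])}
            for src, n in policy.lockouts.items() if n > 0}


if __name__ == "__main__":
    decisions, policy = analyse(SAMPLE_LOG)
    for ts, src, user, decision in decisions:
        print(f"{ts} {src:<15} {user:<14} {decision}")
    print(suspicious_sources(policy))
```

The first burst trips a one-minute lockout after three failures, the repeat two minutes later trips a two-minute one, while the legitimate user's single mistake is simply counted and then cleared by the successful login.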

Even better than relying on passwords is to use multi-factor authentication, which requires another piece of information in addition to the usual username and password.

Hardening and patching should be performed for all remotely accessible devices. All non-essential services and components should be removed or disabled and all system settings configured for maximum security.

Companies should adopt an email strategy. Many already have basic spam filtering and phishing detection in place but they can go further and block unused attachment types.

Organisations should protect all their endpoints and servers with endpoint protection software that stops employees going to web pages blacklisted by the software for hosting malware or deemed inappropriate for work use. The software also allows central management and updating and can control access to external devices, such as removable USB sticks, that are connected to a system.

Providing cybersecurity training for employees that reflects the latest trends significantly reduces cybersecurity incidents. Employees should report suspicious messages and attachments to the help desk or security team immediately.

Organisations should also have a comprehensive, properly managed and well thought out backup program. For example, when backup storage is ‘always on’, it can be compromised by ransomware in exactly the same way as local and other network-connected storage. This risk can be prevented by:

• ensuring that backups are not routinely and permanently online;
• protecting backed-up data from automatic and silent modification or overwriting by malware whenever online;
• protecting earlier generations of backed-up data from compromise, to provide a fallback;
• examining the organisation’s legal liability to its customers; and
• carrying out regular testing, validation of readiness and optimisation of the backup process.

Conclusion: To pay or not to pay?

The threat of cybercrime has raised the costs of the internet-enabled computer systems that are essential to modern businesses and forces three choices on organisations: invest in cybersecurity, pay for cyber insurance or foot the cost of an attack – sometimes a combination of the three.

From a technical viewpoint, there are several potential points where a ransom payment made in the hope of receiving a decryption key can go wrong:

• some of the data might have been corrupted in the encryption process and is not recoverable;
• the process for delivering the decryption key fails;
• the decryption tool might be bundled with other malware, might not work properly, or is much slower than backup recovery; or
• if the ransomware has been removed, the encrypted data may no longer be recoverable even with the cooperation of the criminals, because the decryption mechanism is often part of the malware.

Paying a ransom also has its risks: the criminals may not keep their word, although this is not ‘good’ business. It is also an acknowledgement of weakness. According to a survey carried out in 2021, almost half of the organisations that paid ransoms were attacked a second time, apparently by the same gang.

Cyber insurers now play an important part in protecting companies from cyber incidents but the increase in attacks is driving up premiums. Potentially large payments also encourage the growth of ransomware – there have already been cases of gangs digging through an attacked company’s files to discover whether it has a cybersecurity policy and how much it is covered for, suggesting the role of cyber insurers may need to change to providing insurance against the cost of recovery, rather than paying a ransom.

Regulatory attention is also beginning to be focused on ransomware gangs. This has led to a requirement in some jurisdictions to disclose incidents, and to add groups and individuals known to be associated with them to sanctions lists. A pushback is also occurring against the practice of ransom payment. It is possible governments may insist on mandatory disclosure before paying and limit the circumstances in which it can occur. As the FBI makes clear: ‘Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity.’24

However, taking the moral high ground by not paying is not always the cheaper option. When WannaCryptor hit the UK’s National Health Service, experts estimated the cost of rebuilding at £92 million.

When critical services such as healthcare are hit, some point out the potential harm to human life by not paying the ransom. There have already been two cases,25 in 2019 and 2020, in which a ransomware attack was named as one of the possible contributory causes of the death of a patient.

Paying ransoms also masks another issue, which is that perhaps companies should legally be obliged to protect their systems, particularly in certain industries.

In fact, the long-term costs of taking the easy path of paying now seem to be sparking new impetus among insurers to push organisations right back to the basic cybersecurity practices and tools in which they should have been investing all along.

 

Endnotes

1 René Holt is a security writer at ESET. The author acknowledges that the main source of the information in this chapter is a white paper, updated by ESET Security Awareness Specialist Ondrej Kubovič in August 2021, that includes contributions by Stephen Cobb, former senior security researcher at ESET, and current ESET colleagues Research Fellow Bruce P Burrell and Chief Security Evangelist Tony Anscombe. See https://www.welivesecurity.com/wp-content/uploads/2021/08/ransomware_paper.pdf (last accessed 10 Mar. 2022).

2 https://www.fdic.gov/news/financial-institution-letters/2021/fil21074.html (last accessed 8 Mar. 2022).

3 https://www.warren.senate.gov/newsroom/press-releases/warren-and-ross-introduce-bill-to-require-disclosures-of-ransomware-payments (last accessed 8 Mar. 2022).

4 ‘New Australian bill would force companies to disclose ransomware payments’, The Record (21 Jun. 2021), https://therecord.media/new-australian-bill-would-force-companies-to-disclose-ransomware-payments/ (last accessed 8 Mar. 2022).

5 ‘Russia arrests REvil ransomware gang members, seize $6.6 million’, Bleeping Computer (14 Jan. 2022), https://www.bleepingcomputer.com/news/security/russia-arrests-revil-ransomware-gang-members-seize-66-million/ (last accessed 8 Mar. 2022).

6 ‘DOJ charges 2 men allegedly behind REvil ransomware attacks’, ABC News (8 Nov. 2021), https://abcnews.go.com/Politics/doj-charges-men-men-allegedly-revil-ransomware-attacks/story?id=81037690 (last accessed 8 Mar. 2022).

7 https://en.wikipedia.org/wiki/Colonial_Pipeline_ransomware_attack (last accessed 8 Mar. 2022).

8 ‘Ransomware gang urges victims’ customers to demand a ransom payment’, Bleeping Computer (26 Mar. 2022), https://www.bleepingcomputer.com/news/security/ransomware-gang-urges-victims-customers-to-demand-a-ransom-payment/ (last accessed 8 Mar. 2022).

9 ‘Ransomware gang wants to short the stock price of their victims’, The Record (22 Apr. 2022), https://therecord.media/ransomware-gang-wants-to-short-the-stock-price-of-their-victims/ (last accessed 8 Mar. 2022).

10 ‘Ransomware Actors Use Significant Financial Events and Stock Valuation to Facilitate Targeting and Extortion of Victims’, Federal Bureau of Investigation (1 Nov. 2021), https://www.ic3.gov/Media/News/2021/211101.pdf (last accessed 8 Mar. 2022).

11 ‘Another ransomware now uses DDoS attacks to force victims to pay’, Bleeping Computer (24 Jan. 2021), https://www.bleepingcomputer.com/news/security/another-ransomware-now-uses-ddos-attacks-to-force-victims-to-pay/ (last accessed 8 Mar. 2022).

12 ‘Some ransomware gangs are going after top execs to pressure companies into paying’, ZDNet (9 Jan. 2021), https://www.zdnet.com/article/some-ransomware-gangs-are-going-after-top-execs-to-pressure-companies-into-paying/ (last accessed 8 Mar. 2022).

13 This is highlighted by ESET in its 2020 Q4 Threat Report, at https://www.welivesecurity.com/wp-content/uploads/2021/02/ESET_Threat_Report_Q42020.pdf (last accessed 8 Mar. 2022).

14 ‘Ransomware Group Turns to Facebook Ads’, Krebs on Security (10 Nov. 2020), https://krebsonsecurity.com/2020/11/ransomware-group-turns-to-facebook-ads/ (last accessed 8 Mar. 2022).

15 Data collected by ESET security products deployed around the world shows that attackers have been making billions of attempts to brute force RDP logins by guessing passwords and usernames. The data revealed 29 billion malicious password guesses in 2020 alone. This number exploded in 2021, closing the year with 288 billion attacks, an almost tenfold increase in absolute numbers (897 per cent increase year-on-year).

16 ‘Exchange servers under siege from at least 10 APT groups’, We Live Security (10 Mar. 2021), https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/ (last accessed 8 Mar. 2022).

17 ESET’s detection data for 2021 showed the ProxyLogon vulnerability chain to be the second most frequently used attack avenue, at 14 per cent, beaten only by password guessing at 47 per cent.

18 ‘WannaCryptor remains a global threat three years on’, We Live Security (12 May 2020), https://www.welivesecurity.com/2020/05/12/wannacryptor-remains-global-threat-three-years-on/ (last accessed 8 Mar. 2022).

19 ‘Microsoft Exchange exploits – step one in ransomware chain’, ESET (29 Mar. 2021), https://www.eset.com/blog/enterprise/microsoft-exchange-exploits-step-one-in-ransomware-chain/ (last accessed 8 Mar. 2022).

20 ESET research from Q4 2020 showed that eCh0raix was the most prominent ransomware targeting NAS devices.

21 Some of the many known relationships between botnet and ransomware families include Emotet with Qbot, and Trickbot and Ryuk.

22 ‘TeleBots are back: Supply-chain attacks against Ukraine’, We Live Security (30 Jun. 2017), https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/ (last accessed 8 Mar. 2022).

23 ‘New TeleBots backdoor: First evidence linking Industroyer to NotPetya’, We Live Security (11 Oct. 2018), https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/ (last accessed 8 Mar. 2022).

24 FBI Cyber Division Assistant Director James Trainor quoted in ‘Incidents of Ransomware on the Rise – Protect Yourself and Your Organization’, FBI News (29 Apr. 2016), https://www.fbi.gov/news/stories/incidents-of-ransomware-on-the-rise (last accessed 8 Mar. 2022).

25 The first was in connection with a baby’s death (30 Sep. 2021), https://www.wsj.com/articles/ransomware-hackers-hospital-first-alleged-death-11633008116; the second with a woman’s death (17 Sep. 2020), https://www.zdnet.com/article/first-death-reported-following-a-ransomware-attack-on-a-german-hospital/; and a third clarifying the impact of ransomware (12 Nov. 2020), https://www.technologyreview.com/2020/11/12/1012015/ransomware-did-not-kill-a-german-hospital-patient/ (web pages last accessed 8 Mar. 2022).

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

Supply Chain Attacks: What You Need to Know to Protect Against Them

Before 2020, only logistics nerds ever talked about supply chains. Then came the blatantly disruptive supply chain crunch, courtesy of the COVID-19 pandemic. West Coast ports began to choke, and Chicago railyards swelled with traffic impeding the timely shipments of goods. This led to political finger-pointing, heavy corporate profits and losses, and disgruntled consumers nationwide.

In 2020, we began hearing much more about supply chains and the issues facing them – but bogged down ports, crowded railways, and delayed shipping times were not the primary issues making headlines. Before all of this, most had never heard of a supply chain attack in the cyber sense until reports of the SolarWinds breach came out that year.

Prior to this expansive cyberattack, asking most folks what a supply chain attack was might have conjured images of a Somali pirate heist on a container ship, plotting to resell stolen consumer goods on the black market. From a technological standpoint, however, a supply chain attack involves software rather than ships, and is merely analogous to an actual chain of supplies.

A Supply Chain Attack, Defined

The heart of a supply chain attack involves corrupting a trusted application, allowing the attacker to leverage that trust and gain access to any or all users of the corrupted application. The “supply chain” reference derives from the fact that modern software applications are built from a mixture of third-party components, completely new code, and code connecting all the pieces together to solve some problem for the users of the software.

Software developers integrate the various components of the application and build or deploy the software for use. In this type of attack, malware or a “back door” gets inserted into the software itself, either through one of the third-party components, or by getting malware built in as its own component, compromising the application itself.

As an example, if an attacker were able to insert malicious code into a web browser, then everyone who downloaded the browser would be downloading malware as well. In the case of SolarWinds, the attackers penetrated the corporate network, and after many months of quiet effort, gained access to the software build system of the company’s most popular product.

After that compromised SolarWinds product was installed, the inserted malware notified the attackers that it was inside a corporate network. The attackers could then use the malware to gain access to that network. From their new perch, they could deploy any number of other malware tools to exploit the corporate network.

Now what if you aren’t a software company? Can you simply ignore supply chain attacks? Probably not. Most companies write software—whether for internal use, for partners, or for their customers—even if it’s only their corporate website. Any software or website can be infiltrated and used to deliver malware to its ultimate users. Consequently, most companies have some inherent vulnerability to supply chain attacks.

Keeping Supply Chain Attacks at Bay

So what should you do to prevent supply chain attacks? The most important factor is to limit access to critical assets that are part of the software development lifecycle. This means first identifying which assets are critical to software creation.

The first line of defense is to ensure that attackers can’t get to your assets in the first place. If these critical assets are in your data center, you should implement network access control (NAC) to ensure that only authorized users on authorized devices have access to your network. For cloud assets, zero-trust network access (ZTNA) serves a similar access control function. Both NAC and ZTNA allow for micro-segmentation of network access so that users can access only the assets they require; limiting lateral movement in this way can dramatically decrease the impact of any breach.

Additionally, critical assets should be protected by privileged access management (PAM), a tool that acts as a proxy between users and assets. The user logs into the PAM—preferably with multi-factor authentication—and the PAM logs into the asset itself, often auditing all user actions while the user is logged in.

For network devices, TACACS+ is a similar kind of proxy used for accessing network devices, which are also critical assets in any supply chain. Along the same lines, implementing the principle of least privilege limits what any given account can do in the event of a compromise.

Key Takeaways

A robust vulnerability management program strongly complements access control because it reduces the likelihood that an attacker could leverage an unpatched vulnerability in any of your software to slip past layers of access control. Controlling access, limiting lateral movement, and reducing risk from software vulnerabilities provide considerable protection against the risk of a supply chain attack.


About Portnox
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.

How to secure remote access in education in 2022

Remote learning and remote teaching are indispensable concepts in higher education around the world. Since the shift to remote working and online learning, the sector is facing more and more cybersecurity challenges. Whereas most school operations previously stayed within the school’s own environment, there is now an increased use of technology in a remote environment. That means that there are also more potentially vulnerable access points for attackers. But how can you let staff and students securely access a desktop or application without putting the school network at risk?

IT admins of universities and colleges are thus looking for secure remote access solutions in education, as security is one of the primary worries in an increasingly digital world. We’re talking about enormous user groups (dozens of teachers and often thousands of students) that use many different devices to access applications and files with a lot of personal and sensitive data.

Remote learning is a standard part of the curriculum, but it comes with its own cybersecurity challenges

In this blog, we will be looking at the top 4 remote access solutions used in education. Those are TeamViewer, VPN, RDP and secure unified workspaces. Needless to say, all these solutions are valid options to enable remote access in education – but they’re not always equally secure. Nevertheless, it’s important to keep the specific problems you want to solve in mind. Define how you want to enable remote access, and which remote access solution fits your needs. That way, it will be clear that some solutions offer more advantages, often in terms of security, than others.

Why have remote access for staff and students?

In their courses, students often have to use very class-specific applications and software, which are installed on computers in university PC rooms. In times where (partially) remote learning is the norm rather than the exception, it is usually not possible to provide this software to students individually, as it is very expensive for the university and/or cannot be installed on arbitrary hardware. One way to solve this is to give students remote access to the school computers from their own device (Chromebook, tablet, …). Depending on what type of access you provide for these forms of remote learning, they can easily access the software – even if it’s legacy software (that needs to be installed on the device) – from outside the university or college.

Another often-heard use-case is that of network-restricted third-party services. Educational institutions often have memberships for services like JSTOR that they offer to their students and academic personnel. Often, access to those services is limited to the network of the university or college. If a researcher or student can get access to these services from anywhere, this would greatly benefit the institution’s (and their personal) academic prowess.

However, enabling remote access is not only a necessity for the students. There are also many administrative staff members working in universities and colleges who would like the option of working remotely. For example, they may need access to personnel files or work with accounting applications from home. For those people, universities and colleges should be looking for a secure and simple solution, because administrative staff often work with personal data of staff and students. There must be absolutely no risk of data loss, so security is very important. Furthermore, the IT team should not be burdened by the fact that these employees want to work at home, so a school should look for a simple solution that requires little support (few tickets). Of course, this is also the case for teachers who want to be able to access the files and applications they need for lessons remotely.

Remote access solutions in education in 2022

There are many remote access solutions for education on the market. However, some of them are complex to use or to manage, and others pose a risk to the educational organization’s critical cybersecurity. Let’s take a look at the top 4 remote access solutions in education in 2022:

TeamViewer

TeamViewer is remote-control software that allows you to maintain computers and other devices. In an educational context, it is sometimes used by IT teams to give remote support to students or teachers when one of those parties is not present at school. With the software, users can share their screens, application windows and even an entire remote desktop.

This solution is especially useful for sharing a remote desktop view between users in order to collaborate or give support. However, it is less ideal for teachers and students connecting to lab computers in the school.

Disadvantages of TeamViewer

TeamViewer is used to remotely control a computer. It’s simple, but comes with a set of security issues.

  • It is free for home/personal use, but it cannot be used for free in commercial settings. Prices are steep: $130/mo for 3 concurrent sessions – at that rate, giving entire classes remote access quickly becomes a costly affair.
  • TeamViewer offers built-in MFA, but there is as yet no way to enforce its use. This is a long-outstanding request from the TeamViewer community.
  • Because AD integration and MFA are not mandatory, you risk leaked credentials. Students log in with a username and password, and they’re in. It is unwise to share thousands of credentials with users who can access your network and who don’t necessarily adhere to the privacy protocols you have put in place.
  • In past years, researchers (and hackers) have discovered multiple 0-day exploits in the TeamViewer software, such as CVE-2018-16550 (brute-force vulnerability) and CVE-2020-13699 (allowing malicious websites to launch the host device’s TeamViewer application).
  • Depending on your license, you can miss out on mass deployment. If you’re configuring (and maintaining) accounts for the entire school, this can become a very time-consuming effort. Furthermore, users report that its AD integration is cumbersome and requires many steps (an additional software download (the TeamViewer AD connector), API key generation, etc.).
  • TeamViewer cannot use full screen with high-resolution screens.
  • A student or teacher needs a fast and continuous internet connection to use TeamViewer.
  • Students and staff are not able to share large files in an easy way.
  • Every system needs to have TeamViewer installed, and the same version of it, for it to work, which is not efficient when students work remotely on an unmanaged device.


About Awingu
Awingu produces a browser-based Unified Workspace solution. It allows users to work and collaborate from virtually anywhere using any device compatible with HTML5 browsers. As a turnkey solution, Awingu offers businesses the ease and convenience of platform-independent mobility and offers everything you need to stay productive: legacy and cloud applications, documents and data. Awingu requires zero configuration and zero client software installation, making IT administration extremely simple.

Nmap Advanced Uses Pt.4: NSE

Intro

Now that we have covered some of the more important features of Nmap, we would like to talk about one of the most, if not the most, important features: NSE, short for Nmap Scripting Engine. First, note that the set of NSE scripts is quite diverse and constantly growing. NSE was designed to be flexible, specifically for network discovery, more sophisticated version detection, backdoor detection, vulnerability detection and exploitation.

NSE Scripts

NSE scripts are written in the Lua programming language. They are invoked with the -sC option (the default scripts option) or with --script when we want to specify an exact set of scripts. Note that there are two types of scripts that are supported – host and service scripts.

Service scripts pertain to some service (open port) that’s running on our target host. All results are shown next to the port in the Nmap output. Host scripts run only once for every target IP.
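The service/host distinction just described shows up directly in Nmap's XML output (-oX): service script results sit under the `<port>` element they belong to, host script results under a separate `<hostscript>` element. The parser below is an added example written for this article, not part of Nmap; it flattens both kinds into one list so script findings for a scan of your own estate can be fed into a ticketing or inventory system. The XML is a constructed sample in that layout, not real scan output, and the hostnames, ports and script outputs in it are invented.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of Nmap's -oX output; not a real scan.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sC -oX out.xml 192.0.2.10">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh"/>
        <script id="ssh-hostkey" output="2048 aa:bb:cc:dd (RSA)"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http"/>
        <script id="http-title" output="Intranet portal"/>
      </port>
    </ports>
    <hostscript>
      <script id="smb-os-discovery" output="OS: Windows Server 2019"/>
    </hostscript>
  </host>
</nmaprun>
"""


def parse_script_results(xml_text):
    """Flatten every script result into a dict, tagging each as a service script
    (attached to a port) or a host script (attached to the host as a whole)."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        for port in host.findall("./ports/port"):
            port_label = f"{port.get('portid')}/{port.get('protocol')}"
            for s in port.findall("script"):
                results.append({"host": addr, "kind": "service", "port": port_label,
                                "script": s.get("id"), "output": s.get("output", "")})
        for s in host.findall("./hostscript/script"):
            results.append({"host": addr, "kind": "host", "port": None,
                            "script": s.get("id"), "output": s.get("output", "")})
    return results


def group_by_host(results):
    """Regroup for reporting:
    {host: {"service": [(port, script, output)], "host": [(script, output)]}}."""
    grouped = {}
    for r in results:
        entry = grouped.setdefault(r["host"], {"service": [], "host": []})
        if r["kind"] == "service":
            entry["service"].append((r["port"], r["script"], r["output"]))
        else:
            entry["host"].append((r["script"], r["output"]))
    return grouped
```

Because a host script runs once per target while a service script runs once per matching open port, the same script id can legitimately appear several times for one host in the service list but never in the host list; grouping this way makes that visible when diffing two scans of the same network.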

Before delving further into usage of NSE scripts, and some examples, we would like to provide a bit more context on what spurred the genesis of NSE and what was the original intention for them.

From the Nmap Network Scanning book:

Network discovery – “Examples include looking up whois data based on the target domain, querying ARIN, RIPE, or APNIC for the target IP to determine ownership, performing identd lookups on open ports, SNMP queries, and listing available NFS/SMB/RPC shares and services.”

More sophisticated version detection – “The Nmap version detection system is able to recognize thousands of different services through its probe and regular expression signature based matching system… Nmap could also recognize more SNMP services if it tried a few hundred different community names by brute force. Neither of these tasks are well suited to traditional Nmap version detection, but both are easily accomplished with NSE…”

Vulnerability detection – “When a new vulnerability is discovered, you often want to scan your networks quickly to identify vulnerable systems before the bad guys do. While Nmap isn’t a comprehensive vulnerability scanner, NSE is powerful enough to handle even demanding vulnerability checks. Many vulnerability detection scripts are already available and we plan to distribute more as they are written.”

Backdoor detection – Many attackers and some automated worms leave backdoors to enable later reentry. Some of these can be detected by Nmap’s regular expression based version detection. For example, within hours of the MyDoom worm hitting the Internet, Jay Moran posted an Nmap version detection probe and signature so that others could quickly scan their networks for MyDoom infections. NSE is needed to reliably detect more complex worms and backdoors.

NSE – Usage

As mentioned above, to use the most common scripts, specify -sC. With --script, we can use a specific script we need, but we can also further customize our scripts by providing them with arguments. For example, we can pass --script-args (for arguments), or use --script-trace and --script-updatedb if we want to debug our scripts.

NSE scripts are defined by categories, and current categories are:

  • auth
  • default
  • discovery
  • external
  • intrusive
  • malware
  • safe
  • version
  • vuln

auth

As the name implies, these scripts try to determine the authentication credentials for the target machine. Some examples are: snmp-brute, ftp-anon.

default

These are run when we use the -A or -sC options. But we can also explicitly specify them with the --script option. Some factors to consider when trying to decide if you should be running a script by default:

  • Speed
  • Verbosity
  • Usefulness
  • Reliability
  • Intrusiveness
  • Privacy

Of course, these are mostly subjective and subject to your discretion, as the limitations in their usage will vary depending on your use case. Thus, you should ponder which ones you would like to promote to the default category.

discovery

These look for information about our target network, mostly by querying SNMP-enabled devices, public registries, etc. Some examples would be: smb-enum-shares, html-title (fetches the title of the page at a website’s root path).

external

External scripts may, at times, send data to a database owned by a third party (whois, for example), meaning that if that service is logging activity (which is very likely), they might see and record all that you’ve sent, which will most likely include your IP address. Note that most scripts send traffic strictly between the target (scanned machine) and the scanning machine. Those that don’t send traffic that way are placed in the external category.

intrusive

Scripts that do not end up in the safe category, because the risks are too high (they use a lot of resources – CPU, bandwidth, etc.) and/or they are considered to be malicious, end up within the intrusive category. Some examples are: snmp-brute, http-open-proxy.

malware

Scripts in this category check to see if the target is infected with malware. Some examples are: smtp-strangeport, auth-spoof. smtp-strangeport looks for SMTP servers that are running on unorthodox ports. auth-spoof looks for spoofing daemons that return fake answers even before being queried. These are all signs of malware-infected behavior.

safe

As the name implies, these scripts are designed specifically not to crash anything that’s running, hence they’re categorized as safe. However, they can still anger an administrator! Still, most perform routine actions and are thus not considered to be a particular threat, or overly aggressive in behavior. Examples: ssh-hostkey, html-title.

version

These scripts basically extend version detection, but cannot be specified explicitly. They’re covered under the -sV option. Examples include: skypev2-version, pptp-version, iax2-version.

vuln

Vuln scripts check against a specific known vulnerability. They only report results if the vulns are found. Examples would be: realvnc-auth-bypass, xampp-default-auth.

Mainly, there are five options when it comes to script scanning.

  • -sC – the default set of scripts, equivalent to --script=default
  • --script <script-categories> | <directory> | <filename> | all

Please note that Nmap scripts are stored in the scripts directory of Nmap. Specifying all would execute every script in the Nmap script database. Similarly, if we were to specify a directory, Nmap would load (and run) all the scripts inside it – more precisely, all the files with the .nse extension. Also note that these scripts can harm your system, since they are not run in a sandbox. Verify first. Always.

  • --script-args – with this, we can give arguments to our scripts
  • --script-trace – this option is akin to --packet-trace, but with one main difference: it runs at the application layer.
  • --script-updatedb – only used if you’ve removed or added some scripts in the default scripts directory, or if some of the categories have been changed. It is run with the following command: nmap --script-updatedb
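The categories described earlier and the script database that --script-updatedb regenerates come together in the "verify first" advice above. The script below is an added example written for this article, not part of Nmap: it parses the `Entry { filename = "...", categories = { ... } }` lines of Nmap's script.db into a name-to-categories map, resolves a category selection the way a --script expression such as "default and not intrusive" would, and pre-flights an explicit script list so that intrusive or external scripts (and typos) are spotted before a scan of your own network starts. The database excerpt is constructed; its category tags follow this article's own examples rather than any particular Nmap release, so run it against the script.db of your installation.

```python
import re

# Constructed excerpt in the layout of Nmap's script.db (the file --script-updatedb
# regenerates); category tags here follow this article's examples, not a real install.
SAMPLE_SCRIPT_DB = """\
Entry { filename = "ftp-anon.nse", categories = { "auth", "default", "safe", } }
Entry { filename = "html-title.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "http-open-proxy.nse", categories = { "discovery", "intrusive", } }
Entry { filename = "smb-enum-shares.nse", categories = { "discovery", "intrusive", } }
Entry { filename = "snmp-brute.nse", categories = { "auth", "intrusive", } }
Entry { filename = "ssh-hostkey.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "whois-ip.nse", categories = { "discovery", "external", "safe", } }
"""

ENTRY_RE = re.compile(
    r'Entry\s*\{\s*filename\s*=\s*"([^"]+)"\s*,\s*categories\s*=\s*\{([^}]*)\}\s*\}')


def parse_script_db(text):
    """Map script name (without the .nse suffix) -> set of category names."""
    db = {}
    for m in ENTRY_RE.finditer(text):
        name = m.group(1)
        if name.endswith(".nse"):
            name = name[:-4]
        db[name] = set(re.findall(r'"([^"]+)"', m.group(2)))
    return db


def scripts_matching(db, required, excluded=()):
    """Scripts carrying every category in `required` and none in `excluded`,
    i.e. what a --script "A and B and not C" style selection resolves to."""
    req, exc = set(required), set(excluded)
    return sorted(name for name, cats in db.items() if req <= cats and not (exc & cats))


def review_selection(db, selection):
    """Pre-flight an explicit --script list: report names the db does not know
    (a typo, or a file/directory outside the db) and names tagged intrusive or
    external, so the operator can confirm them before the scan runs."""
    report = {"unknown": [], "intrusive": [], "external": []}
    for name in selection:
        cats = db.get(name)
        if cats is None:
            report["unknown"].append(name)
            continue
        for flag in ("intrusive", "external"):
            if flag in cats:
                report[flag].append(name)
    return report
```

Reading script.db rather than the .nse files themselves is what Nmap does too, which is why the article tells you to rerun --script-updatedb after adding scripts or changing their categories: until then, a category selection will silently miss the new script, and this pre-flight would report it as unknown.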

Conclusion

The Nmap Scripting Engine, or NSE for short, is a big and important part of Nmap. We hope that by covering the basics in this article, you’re now at least a bit more familiar with some of the ways in which it works.

Remember that anyone can contribute to this project, too. So, if you have some special use cases that you would like to automate, or tweak further, this might be an option for you. There are also many great resources on the Internet about NSE, so you can see some of its uses. For example, in the aftermath of the whole Log4j debacle, someone made an NSE script that will check against log4shell or LogJam vulns (CVE-2021-44228). You can check out the Github repo here.

Just typing Nmap in Github search gave us 4,577 hits!

And there you have it! Boosted with your knowledge of NSE, you can further improve on your Nmap mastery, and if you’re interested in writing your own NSE scripts, go and check out this link for an NSE script writing tutorial. There is also a simple example script on Nmap’s official website, called finger, that might be a good starting point for you!

Resources

Below are some interesting links on the topic of NSE, but we greatly encourage you to go out and search them yourselves.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Topia
TOPIA is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.

Shields up!

If you’re a sci-fi fan, especially if you’re 40 or over, you have heard “shields up” so many times in your reading and viewing career that you might see shields, deflectors, and force fields as lame carryovers from the early days of sci-fi film and TV. While perhaps Buck Rogers’ or Flash Gordon’s ships didn’t have shields, there aren’t too many space adventurers that have gone boldly into the cosmos without them.

Since most of us now stream our sci-fi addictions, perhaps you too simultaneously watch and research strange bits of geekdom and trivia. If that’s the case, while exploring the web for space and sci-fi geekery, let’s not strike out too boldly into the internet galaxy. Why? Because just like our heroes, we too can have chance encounters with hostile alien forces. When that does happen, our anxiety triggers the call to raise shields. The feeling is nearly universal.

Again, just like our heroes, we are also equipped with sophisticated tech. While we may not pilot the Starship Enterprise or the fabled Millennium Falcon, we still need to be observant and assess the risks that may hinder us from keeping our cyberspace vessels in good shape. Of course, many PC users secure their cyberspace ships with digital security solutions, but have you ever wondered about the built-in settings that your “shields” have and how these can meet your needs in different conditions?

Familiar terms
“General quarters, general quarters! All hands man your battle stations!” In US Navy lingo, this announcement is used to alert the crew to prepare the vessel for potential combat. Fandom’s Military Wiki site characterizes general quarters as follows: “Off-duty or sleeping crew members report to their stations and prepare for action, watertight doors and fireproof doors between bulkheads are shut and security is increased around sensitive areas, such as the bridge and engineering rooms.” For IT users armed with digital security products, we can identify the default “balanced” settings as equivalent to general quarters.

The “balanced” settings for ESET’s consumer security products are ideal for practically every scenario; however, they can be modulated to “aggressive.” The differences between these might be comparable to placing a 21st century warship side by side with a 20th century one. In the last century, warships were designed for aggressive protection and could feature hardened steel armor plate upwards of 30 cm thick to repel projectiles. Today, warships are designed with a more balanced approach, relying less on armored plates and more on electronic sensors to be lightweight and fast, and to detect and neutralize missile threats before they strike. This comparison provides a simple analog: balanced protection brings speed, adaptability, and intelligence vs. aggressive protection, which uses hardened protective armor as a shield to withstand attacks head-on.

<image 1. Detection Settings, Aggressive, Balanced, Cautious, Off>

 

Is cyberwar sci-fi? Although long anticipated, the potential emergence of cyberwar is now palpable. Misinformation, cyberespionage, surveillance, and the hacking of critical infrastructure are now on the table. Under such conditions home users might upgrade their digital security solutions, moving from a popular, but basic, product like ESET NOD32 Antivirus to ESET Smart Security Premium. Businesses may feel less flexibility to protect their business continuity as they’ve likely already committed to a particular course of action. Home users faced a similar dilemma with the move to remote work at the height of the COVID-19 pandemic.

But imagine you are in an acutely risky situation. Perhaps you are literally in a war zone or in a digital relationship with a business or individual that is likely to be targeted. What options do you have to beef up your protection?

Suppose you have assessed your risks and come up with the following:
– I work at an organization that holds sensitive data or provides critical services.
– One or more digital relationships I hold have experienced digital disruption and security impacts.
– There is a failure in diplomatic relations with a powerful country.
– There have already been multiple cyberattacks and there is a high likelihood of more to come.

Now, if you were on one of sci-fi’s storied spacecraft, it would be easy: just raise shields to the aggressive setting, buy yourself some time, and think through the problem. But how is that done in cyberspace with your PC?

<image 2. Detection Settings for Firewall, Web and Email, and More>


“General quarters!” “Battle stations!” Or maybe not

There is a reason why you’ve likely never toyed with the advanced settings of your security software: I could screw it up! This is a distinct possibility. Luckily, in the case of ESET products, you can return to the default settings with a few clicks. To lessen any risks when experimenting with your settings, let’s compare the default “balanced” setting to the “aggressive” setting.

The balanced mode allows your PC to engage with the internet without raising overly suspicious alarms that might burden the user experience. The aggressive setting will set off multiple, paranoia-inducing alerts, appearing as:

– A blocked URL
– A warning about an untrustworthy URL
– A parental control warning about forbidden content

You will certainly encounter these alerts if you try to access mature or explicit content, or illegal download or streaming sites. However, in “aggressive” mode, even mundane websites may get flagged.

But back to sci-fi and shields. Clearly, having your shields up has a cost. That cost, among other things, would likely be the deterioration of usability. The right settings – the ability to modulate the shield’s protection – depend on what the shield is trying to block. The comparison with digital security holds up well here. Using the aggressive setting could yield a higher number of suspicious URLs blocked, but some useful resources could also be flagged and blocked too. The involved detections are largely based on longitudinal threat data held by ESET on the behavior of malicious websites and IP addresses, on malware samples, and on potentially unwanted applications, meaning ESET security products adjust in real-time to encountered threats.

Takeaway
Imagine that as an intergalactic explorer, large amounts of your attention and your ship’s energy supply is diverted to security and defensive shields. Logically, this slows down your efforts to discover new quadrants of the universe. Well, the internet is a universe too, and your exploration of it is also affected by how much attention and energy is diverted to your security.

This says a lot about why security software, malware research, and security awareness are all critical to our digital lives. We depend on each of these elements working in concert, and on each other as digital participants, for collective security.

After all, each machine running security software is part of an active sensor network feeding samples to be processed as clean, suspicious, or outright malicious. Once categorized, each machine in this network is updated with new detections and tuned or “modulated” in its defensive capability. Luckily, this journey into the “what if we used…?” aggressive settings was hypothetical. If we were really forced into an “aggressive” defensive posture on the internet, much of the fun and utility would be gone. In that scenario, we lose considerable benefit from digitalization and, instead of sci-fi fun, our user experience would become more akin to a zombie apocalypse.


About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

What is remote network monitoring?

Remote network monitoring is a technical specialty that was born almost at the same time as networks themselves. Since then, many strategies have emerged when it comes to monitoring network elements.

In this article we will talk about the current techniques based on SNMP polling and network statistics collection through Netflow, and we will also mention outdated systems such as RMON.

Most techniques are built for one specific purpose, which is what makes them useful. Some more modern tools combine several techniques to offer greater control and a fuller picture of the network.

What advantages does each one of them offer?

What is remote network monitoring?

Remote network monitoring consists of detecting and knowing the status of any device connected to the network.

It can be network-specific hardware (such as a router, server, printer) or a specialized device (such as a probe or IoT element).

Simple, right?

Then let’s talk about the different techniques you have to monitor a network remotely.

Basic Remote Network Monitoring Techniques

Often this monitoring takes place through basic techniques.

By basic techniques we mean something as well known as pinging: checking whether a computer responds on the network.

What is pinging? It is a communication mechanism that allows you to find out whether a computer is connected and responds when you “knock” on its door.

To use it you just have to know its IP address.

Other basic techniques include measuring latency (network lag) or packet loss.

Advanced Remote Network Monitoring Tool – Netflow

The most common and much more network-specific techniques use the SNMP protocol (Simple Network Management Protocol), which makes it possible to obtain specific information from devices connected to the network: number of connections, incoming traffic through a network interface, firmware version, CPU temperature, etc.

In technical terms, this is known as SNMP polling.

Other tools use protocols from the Netflow family (JFlow, SFlow, Netflow) to obtain statistical information about network usage.

This statistical information is incredibly useful to be able to analyze the use of the network, detect bottlenecks and, above all, to have a clear vision of what the communication flows between the different elements of a network are.

Advanced Network Remote Monitoring Techniques – RMON

There is an almost obsolete protocol called RMON. However, it is worth mentioning, because we can still find it in some installations.

This protocol used a network monitoring technology that listened on the wire and exposed statistical information through a specific SNMP agent, somewhat like what Netflow does.

Advanced Remote Network Monitoring Tools – SNMP Traps

On the other hand, most devices still use SNMP traps to report incidents asynchronously.

Although it is a very old method, it is still used today as a monitoring method on almost all network devices.

Not to be mistaken with the SNMP Polling that we discussed at the beginning!

Benefits of Network Monitoring

The most important and simple benefit is to find out the status of the network:

  • Whether it is active
  • Whether it is overloaded
  • Which devices have the most traffic
  • What kind of traffic is circulating over the network
  • Bottlenecks
  • Jams

An example of a traffic flow diagram captured with Pandora FMS could be the following:

Remote network monitoring tools

Most network management and monitoring systems automatically detect connected systems and draw a network map representing the network.

The most advanced tools allow you to update that map in real time and see even the physical connections between interfaces (known as a link-level topology or Layer 2).

For example, like this automatic network map generated with Pandora FMS:

Remote monitoring in network management

Some systems incorporate what is known as IPAM (IP Address Management) and, at the same time, monitor the network status, allowing IP addressing to be mapped and controlled so that you know which networks are free and how they are used.

How does a remote network monitoring service work?

Generally, a tool like this has a central server that detects systems and launches network tests (ping/ICMP, SNMP) to find out the status of each device.

To know the network in detail through its traffic flows in real time, you will need to configure the network routers and switches to export Netflow and send that information to a Netflow collector, although only professional mid-range and high-end network equipment supports Netflow.

If you use an advanced monitoring tool, it will have its own Netflow collector.
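The following added Python example (not code from the original article or from Pandora FMS) shows what a Netflow collector does with the datagrams the routers export: it parses a NetFlow v5 export, which is a fixed 24-byte header followed by 48-byte flow records, rejects truncated or wrong-version datagrams, and ranks source/destination pairs by bytes, which is the data behind the "which devices have the most traffic" question above. The export datagram and its addresses are constructed inline; a real collector would read it from a UDP socket.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire layout (all fields big-endian): a 24-byte header announcing how
# many 48-byte flow records follow it in the same UDP datagram.
HEADER_FMT = ">HHIIIIBBH"
RECORD_FMT = ">4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48

def parse_netflow_v5(datagram: bytes) -> list:
    """Return one dict per flow record, rejecting anything malformed."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count = struct.unpack(HEADER_FMT, datagram[:HEADER_LEN])[:2]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("truncated datagram: fewer records than the header announces")
    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        r = struct.unpack(RECORD_FMT, datagram[off:off + RECORD_LEN])
        flows.append({"src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
                      "packets": r[5], "bytes": r[6],
                      "sport": r[9], "dport": r[10], "proto": r[13]})
    return flows

def top_talkers(flows: list, n: int = 3) -> list:
    """Rank (src, dst) pairs by total bytes, the data behind a traffic flow diagram."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["src"], f["dst"])] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]

def rejects(datagram: bytes) -> bool:
    """True if the parser refuses the datagram instead of silently misreading it."""
    try:
        parse_netflow_v5(datagram)
        return False
    except ValueError:
        return True

def _record(src, dst, packets, octets, sport, dport, proto) -> bytes:
    # Constructed record: next hop zeroed, interfaces 1->2, uptime stamps 1000-2000 ms.
    return struct.pack(RECORD_FMT, socket.inet_aton(src), socket.inet_aton(dst),
                       b"\0" * 4, 1, 2, packets, octets, 1000, 2000, sport, dport,
                       0, 0x18, proto, 0, 0, 0, 24, 24, 0)

# Constructed export with three flows; addresses are private-range sample values.
SAMPLE_EXPORT = (struct.pack(HEADER_FMT, 5, 3, 123456, 1650000000, 0, 1, 0, 0, 0)
                 + _record("10.0.0.5", "10.0.0.1", 40, 60000, 51514, 443, 6)
                 + _record("10.0.0.7", "10.0.0.1", 5, 800, 53000, 53, 17)
                 + _record("10.0.0.5", "10.0.0.9", 10, 15000, 51520, 22, 6))

if __name__ == "__main__":
    for (src, dst), total in top_talkers(parse_netflow_v5(SAMPLE_EXPORT)):
        print(f"{src} -> {dst}: {total} bytes")
```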

Sometimes it is necessary to monitor devices that are in inaccessible networks, so intermediate polling servers, called proxies or satellites, are used.

These secondary servers perform network scans and monitoring on the devices nearby, and then send the collected data to a central system.

But what do we do with all this numerical data?

It is essential that the monitoring tool you use has graphs, reports and visual screens to display that data.

If we’re already talking about the top-of-the-range tools, those visual network maps will allow you to manually correct and add the details you need to manage those networks.

What is the best remote network monitoring software?

The professional tools that cover SNMP, Netflow, network maps and IPAM that work best today are:

  • SolarWinds
  • Whatsup Gold
  • Pandora FMS

Although they differ from each other in several respects, you may cover all your monitoring needs with any of them.

Would you like to know more about remote network monitoring tools? Then this will no doubt interest you:

Best network monitoring systems

Not all market tools cover these areas.

Some only support basic SNMP, but do not support Netflow. Others do not have good discovery or map editing capabilities and most of them do not have IPAM features. 

The basic things a good network monitoring tool should have are:

  • SNMP v1, v2 and v3 capabilities
  • To be able to use proxy servers
  • SNMP Trap Collection
  • Device Discovery
  • Map drawing


About PandoraFMS
Pandora FMS is a flexible monitoring system, capable of monitoring devices, infrastructures, applications, services and business processes.
Of course, one of the things that Pandora FMS can control is the hard disks of your computers.