Wednesday, April 10, 2019

Kaspersky Lab discovers TajMahal, a spying platform with distinctive functionality and no known links to current threat actors

Kaspersky Lab researchers have uncovered a technically sophisticated cyberespionage framework, TajMahal, which has been active since at least 2013 and appears to be unconnected to any known threat actors. It features around 80 malicious modules and includes functionality never before seen in an advanced persistent threat (APT), such as the ability to steal information from printer queues and grab previously seen files from a USB device.

Kaspersky Lab researchers discovered TajMahal late last year. It is a technically sophisticated APT framework designed for extensive cyberespionage. Malware analysis shows that the platform has been developed and used for at least the last five years, with the earliest sample dated April 2013 and the most recent August 2018. The name TajMahal comes from the name of the file used to exfiltrate the stolen data.

The TajMahal framework is believed to include two main packages, self-named as ‘Tokyo’ and ‘Yokohama’. Tokyo is the smaller of the two, with around three modules. It contains the main backdoor functionality, and periodically connects with the command and control servers. Tokyo leverages PowerShell and remains in the network even after the intrusion has moved to stage two.

Stage two is the Yokohama package: a fully armed spying framework. Yokohama includes a Virtual File System (VFS) with all plugins, open source and proprietary third-party libraries, and configuration files. There are nearly 80 modules in all, and they include loaders, orchestrators, command and control communicators, audio recorders, keyloggers, screen and webcam grabbers, and document and cryptography key stealers.

TajMahal is also able to grab browser cookies, gather the backup list for Apple mobile devices, steal data from a CD burnt by a victim as well as documents in a printer queue. It can also request the theft of a particular file from a previously seen USB stick, and the file will be stolen the next time the USB is connected to the computer.

The targeted systems found by Kaspersky Lab were infected with both Tokyo and Yokohama. This suggests that Tokyo was used as the first-stage infection, deploying the fully functional Yokohama package on victims of interest, and was then left in place as a backup.

So far, only one victim has been observed: a foreign-based Central Asian diplomatic entity, infected by 2014. The distribution and infection vectors for TajMahal are currently unknown.

“The TajMahal framework is a very interesting and intriguing finding. The technical sophistication is beyond doubt and it features functionality we have not seen before in advanced threat actors. A number of questions remain. For example, it seems highly unlikely that such a huge investment would be undertaken for only one victim,” said Alexey Shulmin, lead malware analyst at Kaspersky Lab. “This suggests that there are either further victims not yet identified, or additional versions of this malware in the wild, or possibly both. The distribution and infection vectors for the threat also remain unknown. Somehow, it has stayed under the radar for over five years. Whether this is due to relative inactivity or something else is another intriguing question. There are no attribution clues nor any links we can find to known threat groups.”

All Kaspersky Lab products detect and block this threat.

To avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky Lab researchers recommend using advanced security tools such as the Kaspersky Anti Targeted Attack Platform (KATA), making sure the security team has access to the most recent cyber threat intelligence, and updating all software used in the organization on a regular basis, particularly whenever a new security patch is released. Security products with Vulnerability Assessment and Patch Management capabilities can help automate these processes.

The security company also recommended choosing a proven security solution such as Kaspersky Endpoint Security that is equipped with behavior-based detection capabilities for effective protection against known and unknown threats, including exploits, and ensuring that staff understand basic cybersecurity hygiene, as many targeted attacks start with phishing or other social engineering techniques.

OpenStack Stein boosts bare metal and network management, while launching Kubernetes clusters

The OpenStack community released Stein, the 19th version of open source cloud infrastructure software, which powers over 75 public cloud data centers and thousands of private clouds at a scale of more than 10 million compute cores.

OpenStack is the one infrastructure platform uniquely suited to deployments of diverse architectures—bare metal, virtual machines (VMs), graphics processing units (GPUs) and containers.

Kubernetes is a key container orchestration framework running on OpenStack, with 61 percent of OpenStack deployments indicating they integrate the two platforms, according to the 2018 OpenStack User Survey.

In Stein, OpenStack continues to deliver the core infrastructure management features delivering the bare metal and network functionality that containers need. OpenStack Magnum, a Certified Kubernetes installer, improved Kubernetes cluster launch time significantly—down from 10-12 minutes per node to five minutes regardless of the number of nodes.

With the OpenStack cloud provider, users can now launch a fully integrated Kubernetes cluster with support from the Manila, Cinder and Keystone services to take full advantage of the OpenStack cloud it’s created on.

Neutron, OpenStack’s networking service, has faster bulk port creation, targeting container use cases where ports are created in groups. Ironic, the bare metal provisioning service, continues to improve deployment templates, letting standalone users request allocations of bare metal nodes and submit configuration data rather than pre-formed configuration drives.

Within Neutron, Network Segment Range Management enables cloud administrators to manage segment type ranges dynamically via a new API extension, as opposed to the previous approach of editing configuration files. This feature benefits StarlingX and edge use cases, where ease of management is critical.

For network-heavy applications, it is crucial to have a minimum amount of network bandwidth available. Work began during the Rocky cycle to provide scheduling based on minimum bandwidth requirements, and the feature was delivered in Stein. As part of the enhancements, Neutron treats bandwidth as a resource and works with the OpenStack Nova compute service to schedule the instance to a host where the requested amount is available.

API improvements boost flexibility, adding support for aliases to Quality of Service (QoS) policy rules that enable callers to execute the requests to delete, show and update QoS rules more efficiently.

Blazar, the resource reservation service, introduced a new Resource Allocation API allowing operators to query the reserved state of their cloud resources.

Placement is a new project introduced in the Stein release. Extracted from the Nova project, Placement offers the ability to target a candidate resource provider, easing the task of specifying a host for workload migration. This increases API performance by 50% for common scheduling operations. The internal Placement service in Nova will be removed by the Train release. At that point Nova installations should make use of the separate Placement service.

Sahara, a project for provisioning Hadoop clusters, has been refactored into a core+plugins architecture, making it easier to take advantage of this functionality.

“OpenStack has become a powerful platform for managing Kubernetes clusters in private and multi-cloud deployments,” said Jonathan Bryce, executive director of the OpenStack Foundation. “With Stein, operators gain new capabilities for bare metal management and networking, running high-performance workloads with GPUs, operating NFV deployments, and for a diversity of enterprise application use cases. Stein’s arrival is a tribute to the community’s hard work in delivering open infrastructure services that solve real, pressing problems for operators and users.”

Tuesday, April 9, 2019

Intel, Google Cloud partner to accelerate hybrid cloud; develop Anthos reference design to simplify deployment

Intel and Google Cloud announced on Tuesday a partnership aimed at helping enterprise customers seamlessly deploy applications across on-premise and cloud environments. The reference design will be delivered by the middle of this year, with expected solution delivery from OEMs and solutions integrators in market later this year.

The two companies will collaborate on Anthos, a new reference design based on the 2nd-Generation Intel Xeon scalable processor and an optimized Kubernetes software stack that will deliver increased workload portability to customers who want to take advantage of hybrid cloud environments. Intel will publish the production design as an Intel Select Solution, as well as a developer platform.

While organizations are embracing multi-cloud solutions to fuel their businesses, many companies remain challenged to find the right hybrid cloud solutions that enable seamless workload migration across clouds. The Anthos reference design will address this challenge by delivering a stack optimized for workload portability, enabling deployment of applications across on-premise data centers and public cloud provider services.

This collaboration is an extension of a technology alliance between the two companies that already spans many infrastructure optimizations, collaboration on high-growth workloads like artificial intelligence, and integration of new technologies into the Google Cloud Platform, such as the 2nd-Generation Intel Xeon Scalable processors and Intel Optane DC Persistent Memory.

“Our collaboration with Google in delivering the infrastructure and software optimizations required to advance their hybrid and multi-cloud solution is a natural fit with Intel’s vision for data-centric computing,” said Navin Shenoy, executive vice president and general manager of the Data Center Group at Intel. “We’re delivering an Intel technology foundation for customers to take advantage of their data, and that requires delivery of architectures that can span across various operating environments. This collaboration will give customers a choice of optimized solutions that can be utilized both in the on-prem as well as cloud environments.”

StackRox brings container and Kubernetes security for Stratus Medicine on Google Cloud Platform

StackRox, a provider of container and Kubernetes security, announced on Tuesday that Stratus Medicine has deployed the StackRox Kubernetes Security Platform to secure healthcare data and achieve Health Insurance Portability and Accountability Act (HIPAA) compliance.

Stratus Medicine provides a platform-as-a-service for healthcare providers and technology suppliers to collaborate on innovative applications. Using the Stratus Platform running in Google Cloud Platform, these healthcare entities can test and validate new technologies while keeping patient and other sensitive data protected by Stratus. Stratus Medicine relies on StackRox to secure and protect critical customer and healthcare data running in its multi-tenant platform.

StackRox finds and secures all deployments and pods across namespaces and clusters, allowing Stratus to run at the speed and scale of DevOps while protecting applications and development infrastructure. It also streamlines vulnerability management for Stratus’ Kubernetes environments by integrating with the CI/CD pipeline to prevent known vulnerabilities from ever getting deployed.

StackRox automates checks for HIPAA compliance, identifies gaps or non-compliance with controls, provides clear and detailed remediation information, and exports evidence of compliance ahead of audits. It also provides a dynamic, multi-factor risk assessment that enables Stratus to immediately prioritize and triage the highest-risk deployments in the environment at all times, and leverages a combination of rules, whitelists, and behavioral modeling to automatically detect threats and leverage built-in controls in Kubernetes for response.

“Containers and Kubernetes enable us to deploy new applications rapidly while maintaining isolation, decreasing the risk of data breach,” said Chris Mutzel, principal architect for Stratus Medicine. “StackRox enables us to protect patient data, ensure HIPAA compliance, and protect our systems from vulnerabilities in the applications that our customers upload. The StackRox platform continuously hardens our container and Kubernetes environments, and it automatically detects and prevents threats. As we evaluated vendors, we found that StackRox was the only solution that was both container-centric and Kubernetes-centric, which provides both deeper context for risk prioritization and Kubernetes-native policy enforcement.”

“Stratus Medicine is providing critical infrastructure that is much needed in improving health outcomes and reducing costs,” said Kamal Shah, CEO of StackRox. “StackRox helps Stratus Medicine to realize all the benefits of containers and Kubernetes and address their various security and compliance requirements. Furthermore, StackRox was seamless to deploy within their environment, enabling security to be automated and part of their DevOps workflow.”

The StackRox Kubernetes Security Platform supports all Kubernetes deployments, including self-managed clusters; managed services such as Amazon EKS, Azure AKS, and Google GKE; and Kubernetes distributions such as Red Hat OpenShift and Docker Enterprise Edition. The latest StackRox update includes capabilities to enable organizations to verify and provide evidence for compliance with NIST SP 800-190, PCI DSS 3.2, and HIPAA standards.

Actifio unveils Actifio GO backup-as-a-service offering on Google Cloud

Actifio announced Tuesday at Google Cloud Next '19 the availability of Actifio GO Backup-as-a-Service on the Google Cloud Platform (GCP) Marketplace, extending the software that enables organizations everywhere for faster and simpler backup and restore, the acceleration of DevOps and analytics initiatives, as well as compliance with regulatory requirements without the need for additional on-premises licensing or infrastructure.

As a Google Cloud Technology Partner, Actifio has already helped numerous enterprises accelerate access to their mission-critical databases and other workloads on Google Cloud.

Actifio GO on GCP addresses not only the need to contain copy data sprawl and reduce storage costs, but also enables enterprises to meet today's scale, speed and data transformation requirements while delivering the low-friction cloud experience.

Actifio GO accelerates customers' time to go-live by up to 17x, by eliminating the need to deploy and manage copy data management software, by requiring no on-premises storage, and with a no-risk free trial, pay-per-use model and no lock-in -- not even to Actifio GO.

"Enterprises are modernizing and optimizing their IT infrastructure by utilizing the security and reliability of Google Cloud," said Rich Sanzi, VP of Engineering, Google Cloud. "Backup-as-a-Service solutions from technology partners like Actifio enable organizations with an easy way to protect their cloud workloads as an extension of their business continuity strategy with Google Cloud."

"Applications and data are increasingly distributed across multi-cloud environments and need to be seamlessly protected, managed, moved and accessed anywhere,” said Ash Ashutosh, co-founder and CEO of Actifio. “We have worked closely with Google Cloud to integrate pioneering multi-cloud operational automation technologies with our battle-tested data virtualization and data pipelining technologies. Actifio GO for Google Cloud will deliver an outstanding user experience and proven business value at cloud scale, cloud speed and cloud agility."

Kaspersky Lab exposes Genesis underground e-shop with large number of digital doppelgangers for sale to bypass financial anti-fraud solutions

Kaspersky Lab has published on Tuesday the results of an investigation into Genesis, an e-shop that is trading over 60,000 stolen and legitimate digital identities, making successful credit card fraud that much easier to conduct. The marketplace, like other malicious tools, is built around abusing ‘digital masks’, the machine-learning-based anti-fraud approach in which each customer is represented by a unique, trusted profile based on known device and behavior characteristics.

Every time someone enters financial, payment and personal information in an online transaction, advanced machine learning anti-fraud solutions match that person against something called a digital mask. These masks are unique to each user and combine the fingerprints of the devices and browsers commonly used to make payments or bank online (e.g. screen and OS information, and a range of browser data such as headers, time zone, installed plugins and window size) with advanced analytics and machine learning over the individual user’s cookies, online and computer behavior, and similar signals.

That way, the financial organizations’ anti-fraud teams can determine whether it is truly that person entering their credentials, or a malicious carder trying to buy goods using a stolen card, and either approve or deny the transaction, or send it on for further analysis.

However, the digital mask can be copied or created from scratch, and Kaspersky Lab’s investigation has found that cybercriminals are actively using such digital doppelgangers to bypass advanced anti-fraud measures.
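The matching described above can be illustrated with a small scoring routine. This is an added example, not code from the Kaspersky Lab report or from any anti-fraud vendor: the attribute names, the decision thresholds and the four sample sessions are assumptions constructed for the illustration, and real systems use far richer behavioral models. It hashes the device and browser attributes into a fingerprint, counts how many components of the stored mask an incoming session fails to match, and maps that count to approve, review, or a step-up to a second factor. The final case shows the limit the text describes: a mask copied in full and replayed with matching network and amount is indistinguishable from the real customer by attribute matching alone.

```python
import hashlib
import json

# Constructed sample data, not taken from the Kaspersky Lab report: the stored
# "digital mask" for one customer. Attribute names are an assumption made for
# this illustration; the ASNs are from the documentation range (RFC 5398).
STORED_MASK = {
    "device": {
        "os": "Windows 10",
        "screen": "1920x1080",
        "timezone": "UTC+03:00",
        "accept_language": "ru-RU",
        "plugins": ["pdf-viewer", "widevine"],
    },
    "session_cookie_id": "constructed-cookie-7f3a",  # long-lived cookie seen before
    "typical_amount_max": 250.0,                      # largest routine payment seen
    "known_networks": {"AS64496"},                    # networks the customer has used
}


def device_fingerprint(device):
    """Hash the device/browser attributes into one comparable fingerprint string."""
    canonical = json.dumps(device, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def mask_mismatches(stored, session):
    """List the components of the stored mask that the observed session fails to match."""
    mismatches = []
    if device_fingerprint(stored["device"]) != device_fingerprint(session.get("device", {})):
        mismatches.append("device")
    if session.get("session_cookie_id") != stored["session_cookie_id"]:
        mismatches.append("cookie")
    if session.get("network_asn") not in stored["known_networks"]:
        mismatches.append("network")
    if session.get("amount", 0.0) > stored["typical_amount_max"]:
        mismatches.append("amount")
    return mismatches


def decide(stored, session):
    """Map the mismatch count to an outcome: approve, send for review, or require MFA."""
    mismatches = mask_mismatches(stored, session)
    if not mismatches:
        return "approve"
    if len(mismatches) == 1:
        return "review"
    return "step-up"  # the mask alone no longer suffices; ask for a second factor


def evaluate_sessions():
    """Run four constructed sessions against the stored mask and return the decisions."""
    genuine_device = dict(STORED_MASK["device"])
    cookie = STORED_MASK["session_cookie_id"]
    sessions = {
        # The real customer on the usual device, cookie and network.
        "legitimate": {"device": genuine_device, "session_cookie_id": cookie,
                       "network_asn": "AS64496", "amount": 40.0},
        # Same device and cookie, but a network never seen before: one mismatch.
        "new_network": {"device": genuine_device, "session_cookie_id": cookie,
                        "network_asn": "AS64500", "amount": 40.0},
        # A copied mask replayed through a proxy together with an unusually large payment.
        "replayed_mask": {"device": genuine_device, "session_cookie_id": cookie,
                          "network_asn": "AS64501", "amount": 900.0},
        # A copied mask whose network and amount also blend in: attribute matching
        # alone cannot separate it from the real customer, which is why a second
        # authentication factor is needed on top of the mask.
        "replayed_mask_blended": {"device": genuine_device, "session_cookie_id": cookie,
                                  "network_asn": "AS64496", "amount": 40.0},
    }
    return {name: decide(STORED_MASK, s) for name, s in sessions.items()}


if __name__ == "__main__":
    for name, outcome in evaluate_sessions().items():
        print(f"{name:22s} -> {outcome}")
```

The decision table is deliberately simple: one mismatch is routine (a customer on a new network), two or more trigger a step-up. What the last session shows is that no threshold on copied attributes helps once the whole mask has been stolen; the check has to be paired with something the mask does not carry, such as a second factor.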

In February, Kaspersky Lab research uncovered the Genesis Darknet marketplace – an online shop selling stolen digital masks and user accounts at prices ranging from $5 to $200 each. Its customers simply buy previously stolen digital masks together with stolen logins and passwords to online shops and payment services, and then launch them through a browser and proxy connection to mimic real user activity. If they have the legitimate user’s account credentials, the attacker can then access their online accounts or make new, trusted transactions in their name.

“We see a clear trend of carding fraud increasing around the world,” said Sergey Lozhkin, security researcher, Kaspersky Lab. “While the industry invests heavily in anti-fraud measures, digital doppelgangers are hard to catch. An alternative way to prevent the spread of this malicious activity is to shut down the fraudsters’ infrastructure. That is why we urge law enforcement agencies across the world to pay extra attention to this issue and join the fight.”

Other tools enable attackers to create from scratch their own unique digital masks that won’t trigger anti-fraud solutions. Kaspersky Lab researchers have investigated one such tool, a special Tenebris browser with an embedded configuration generator to develop unique fingerprints. Once created, the carder can simply launch the mask through a browser and proxy connection and conduct any operations online.

In order to enhance security, Kaspersky Lab recommends that businesses enable multi-factor authentication at every stage of user validation processes; consider introducing new methods of additional verification, such as biometrics; harness advanced analytics for user behavior; and integrate Threat Intelligence feeds into SIEM and other security controls in order to get access to the most relevant and up-to-date threat data and to prepare for possible future attacks.

WatchGuard Cloud Platform meets MSPs’ demand for simplified, scalable security deployments, management and reporting

WatchGuard Technologies unveiled on Tuesday the WatchGuard Cloud platform, which centralizes security management and reporting from a single cloud-based interface. Built from the ground up to support and enable managed service providers (MSPs), WatchGuard Cloud reduces infrastructure costs, accelerates customer acquisition, and minimizes time spent on reporting and operational tasks.

The WatchGuard Cloud platform is the management platform of the future for MSPs because it simplifies how they protect their customers while enabling rapid, efficient and profitable growth. It delivers true multi-tier, multi-tenant capabilities, scaling automatically to allow MSPs to create and manage an unlimited number of customer accounts, deploy new WatchGuard appliances, manage and deploy WatchGuard applications, and gain valuable insights into a customer’s network.

WatchGuard Cloud is built on a multi-tier, multi-tenant architecture, allowing service providers to create and onboard any number and type of customer accounts, while ensuring separation of data between tenants and role-based access to information. The platform responds immediately and automatically to changing compute and storage requirements, allowing the platform to maintain high performance, running reports in seconds across terabytes of data while providing summarized insights.

WatchGuard Cloud’s inventory management features let service providers view and track licensing across all customers. They can also allocate and deallocate services to those customers on terms that fit their service models. Additionally, WatchGuard Cloud provides tenants with the ability to delegate access to another tenant, including control over duration and permissions.

As a centralized management interface, the WatchGuard Cloud platform allows users to quickly and easily configure alerts and notifications across all security applications, including visibility of Firebox UTM and AuthPoint multi-factor authentication events. MSSPs can access notifications on anything from customer licenses, usage or expirations to security and performance updates.

WatchGuard Cloud offers a variety of data retention options — including 30 days with the WatchGuard Total Security Suite — removing the need to configure, deploy, maintain and scale servers and appliances for logging and reporting. As a cloud-hosted service, the platform has no hardware requirements for service providers to deploy, resulting in reduced cost and time spent deploying and maintaining servers either locally or in data centers.  

Building upon the Dimension solution, WatchGuard Cloud comes equipped with more than 100 dashboards and reports that identify key network security threats, issues and trends, while accelerating users’ ability to set and enforce meaningful security policies. Security of the centrally managed, cloud-hosted platform itself is a top priority for WatchGuard.

User logins are protected by multi-factor authentication, and WatchGuard Cloud provides built-in security for data in transit and at rest, supports role-based access control, and enforces logical separation of data between tenants as well as partitions between subscriber accounts.

“MSPs need a modern, cloud-hosted security solution that’s capable of providing powerful security insights, unlimited scalability and easy deployment processes,” said Andrew Young, SVP of product management at WatchGuard. “WatchGuard’s mission is to make cyber security simple, and this applies not just to end users, but also to the partners who deploy, configure, and manage our products and services. Simplicity is in our DNA, so we are extending that to our partners with the launch of WatchGuard Cloud.”

“WatchGuard Cloud’s easy deployment, granular insight and cost-effectiveness has been a game-changer for our business,” said Carl Mazzanti, president of eMazzanti Technologies. “In the retail industry, delays, downtime and breaches can be impossible to come back from. Our customers have unrivaled peace of mind knowing that through the intuitive WatchGuard Cloud interface we can spin up new stores that are highly secure and compliant, manage and monitor each location from anywhere, and always access in-depth insight into performance and security anomalies in real time.”

The WatchGuard Cloud platform provides centralized management of security applications and strengthens MSPs’ ability to deliver differentiated, profitable services to their customers.

Friday, April 5, 2019

CentralSquare debuts cloud-based software for mid-tier government; delivers security, lowers costs

CentralSquare announced that Tehama County, California, has begun its migration to Public Administration Finance Professional, CentralSquare’s cloud-hosted finance suite, to manage the county’s accounting, payroll and treasury functions.

CentralSquare Finance Pro provides numerous benefits, including more secure and resilient environments as a result of greater emphasis on disaster recovery and backup, ongoing and automated updates for leveraging the latest functionality and lower total cost of ownership, making it the most compelling software suite for local governments nationwide.

In the digitally connected world, emerging technologies have the potential to transform public service operations. Yet government agencies are challenged by increased demands on limited resources and cumbersome IT systems, even as they recognize the need to rethink their use and adoption of technology.

CentralSquare Public Administration Suite Pro answers this challenge by delivering a unified, end-to-end enterprise suite for finance, asset management, community development, human capital management, municipal services, utilities and citizen engagement.

Among its advancements, Public Administration Suite Pro helps improve government operations and citizen satisfaction by offering workspaces that enable easy access to finance, utility billing, community development and analytics software from a single, intuitive user interface. It also delivers a single sign-on and user-management launch point that simplifies the login process and eliminates the hassle of remembering multiple passwords.

The offering also delivers a workflow engine that turns paper forms into digital workflows and automates land-use planning, permitting and inspection processes for community development, and a citizen engagement portal that lets citizens apply online for building permits, business licenses, code compliance and utilities without having to call or visit the municipality.

By taking advantage of the benefits of the cloud, public sector agencies maximize limited resources, increase IT flexibility and improve service. Shared infrastructure and economies of scale leverage scarce budget dollars by enabling agencies to scale their usage to match requirements, pay for only the IT resources they use and centralize IT services and data elements on a secure network.

Additionally, Public Administration Pro’s embedded analytics and automation unify business processes spanning multiple applications and datasets through a single user interface. As a result, governments realign organizational thinking by shifting their focus away from managing data to providing services, which creates a significant and measurable impact for citizens.

“We no longer have to maintain servers onsite, so there’s an extra level of security and reliability,” said Krista Peterson, Assistant Auditor for Tehama County. “That’s especially important right now with several neighboring counties experiencing massive fires recently, so having our data storage securely maintained by CentralSquare offsite is a big plus for us.”

She adds, “It has been difficult to find the budget for upgrades and additional IT services for our onsite system. Now, anytime there’s an update, we’ll have the latest and greatest without the need to contract out for IT assistance to help with basic needs like W-2 or 1099 updates.”

Masimo secures FDA clearance for neonatal RD SET Pulse Oximetry sensors with improved accuracy specifications

Masimo announced that RD SET sensors with Masimo Measure-through Motion and Low Perfusion SET pulse oximetry have received FDA clearance ...