Houdini Malware Returns and Amazon’s Sidewalk Enters Corporate Networks

A secure access service edge (SASE) platform, by its nature, sees a very large number of internet data flows, and the larger the platform, the more flows there are to analyze. Cato Networks' analysis of more than 250 billion network flows during Q2 2021 shows rising threat levels, a new use for an old piece of malware, and a growing number of consumer devices appearing inside corporate networks.

Houdini is back

Cato Networks' SASE Threat Research Report (PDF) describes a new version of the old Houdini malware that is now used to steal device information in order to subvert access rules that check the device as well as the user. As device identification has become a standard component of strong user authentication, spoofing device IDs has become a priority for attackers, and the tooling for it has evolved from simple point solutions into cloud-based services.

Houdini now collects data about its victim's system. That data is used to build virtual machines that are offered on dark web forums in what Cato describes as 'spoofing as a service'. Paired with matching user credentials (either already available on the dark web or freshly phished), such a VM provides access to a target that defeats both the user-ID and the device-ID checks. Because the attacker operates from the cloned VM for the whole session, periodic re-checks of the device see the same spoofed identity and are defeated as well. The weakness being exploited is that a fingerprint assembled from readable attributes is only as secret as the attributes themselves, and malware on the host can read them all. It is a way of defeating nascent zero-trust policies.
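The following is an added example, not code from the Cato report or from the article, that shows the two sides of the point above. A device ID derived from readable attributes (hostname, OS build, CPU ID, MAC, disk serial) is reproduced exactly by a VM configured with the same stolen values, so the attribute check passes for the clone. A check bound to a secret that never leaves the device (in a real deployment a key held in a TPM or secure element; here simulated as an in-memory HMAC key) cannot be cloned by copying attributes, so the same VM fails the initial and every periodic challenge. All attribute values, the key material and the class names are constructed for the demonstration; the HMAC enrollment is a stand-in for the public-key attestation a production design would use.

```python
"""Added example (not from the Cato report or the article): an attribute-based
device fingerprint is clonable into a VM; a key-bound device check is not.
All device attributes and keys below are constructed sample values."""
import hashlib
import hmac
import os
import secrets

# Attributes a fingerprinting agent typically reads (constructed sample values,
# not real hardware data). Anything the agent can read, host malware can read.
VICTIM_ATTRS = {
    "hostname": "LT-ACCOUNTING-07",
    "os_version": "10.0.19043",
    "cpu_id": "BFEBFBFF000906EA",
    "mac": "3c:52:82:aa:bb:cc",
    "disk_serial": "S4EVNF0M123456",
}


def attribute_fingerprint(attrs: dict) -> str:
    """Weak 'device ID': a hash over attribute values. Stable for the real
    device, but equally stable for any VM set up with the same values."""
    canonical = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canonical.encode()).hexdigest()


class EnrolledDevice:
    """Key-bound device. The key is generated on the device and, in a real
    design, never exportable (TPM / secure element). Simulated in memory here."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)
        self.public_attrs = dict(VICTIM_ATTRS)

    def enrollment_secret(self) -> bytes:
        # Shared once with the verifier at enrollment. A public-key design
        # would hand over only the public half; HMAC keeps the demo stdlib-only.
        return self._key

    def sign_challenge(self, nonce: bytes) -> str:
        return hmac.new(self._key, nonce, hashlib.sha256).hexdigest()


class ClonedVM:
    """Attacker VM built from exfiltrated attributes: it has every readable
    attribute of the victim but not the enrolled key."""

    def __init__(self, stolen_attrs: dict) -> None:
        self.public_attrs = dict(stolen_attrs)

    def sign_challenge(self, nonce: bytes) -> str:
        # Without the real key the best it can do is answer with a guessed key.
        return hmac.new(b"guess", nonce, hashlib.sha256).hexdigest()


class KeyBoundVerifier:
    """Access broker that challenges the device with a fresh nonce on every
    check, initial or periodic, so an old answer cannot be replayed."""

    def __init__(self, enrolled_secret: bytes) -> None:
        self._secret = enrolled_secret

    def check(self, device) -> bool:
        nonce = os.urandom(16)
        expected = hmac.new(self._secret, nonce, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, device.sign_challenge(nonce))


def attribute_check_passes_for_clone() -> bool:
    """True: the attribute-derived ID of the clone equals the victim's."""
    real = EnrolledDevice()
    clone = ClonedVM(real.public_attrs)          # what Houdini-style theft yields
    return attribute_fingerprint(clone.public_attrs) == attribute_fingerprint(real.public_attrs)


def key_bound_check_results() -> tuple:
    """(real device passes, cloned VM passes) under the key-bound check."""
    real = EnrolledDevice()
    verifier = KeyBoundVerifier(real.enrollment_secret())
    clone = ClonedVM(real.public_attrs)
    real_ok = all(verifier.check(real) for _ in range(3))    # periodic re-checks
    clone_ok = any(verifier.check(clone) for _ in range(3))
    return real_ok, clone_ok


if __name__ == "__main__":
    print("attribute fingerprint matches for clone:", attribute_check_passes_for_clone())
    print("(real passes, clone passes) with key-bound check:", key_bound_check_results())
```

The design point is that the verifier never trusts anything the device merely reports; it trusts only a response that requires the enrolled key, and it re-issues a fresh nonce on each periodic check. Copying attributes into a VM moves none of that, so 'spoofing as a service' built on attribute theft does not translate to a key-bound scheme unless the key itself is extracted.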

“A hard-to-come-by solution is now more widely available,” comments Etay Maor, Cato’s senior director of security strategy. “The bar for launching attacks against organizations is lower — enabling and motivating newcomers in the cybercrime field.”

Rising threat levels

During Q2, Cato detected 9.5 billion network scans across its platform. Maor is confident that the company's combination of AI-based threat detection and human review ensures that these are 'malicious' scans rather than scans by researchers.


Cato also detected almost 817 million security events triggered by malware, and more than 475 million events triggered by inbound or outbound communication with domains of known bad reputation.

There were almost 400 million events that violated either Cato's security policy or common best practices for network security, and 241 million vulnerability scans from scanners such as OpenVAS, Nessus and others.

Also worth noting, says the report, were 108 million remote code execution (RCE) events and 1.3 million privilege escalation events.

By far the most frequent exploit attempt (7,957,186 attempts) targeted CVE-2020-29047, a vulnerability in the WordPress wp-hotel-booking plugin. The next three most common targeted Microsoft vulnerabilities disclosed this year: CVE-2021-28482 (741,004 attempts), CVE-2021-28442 (669,614) and CVE-2021-28324 (611,995).

Consumer devices at work

"What used to be called 'bring your own device' has almost become 'bring all your devices'," commented Maor. The issue is the growing interconnection of smart home devices through developments such as Amazon's Sidewalk. A controversial feature, Sidewalk builds a shared low-bandwidth network between Amazon devices such as Echo speakers, Ring security cameras and outdoor lights, using a small slice of the owning household's internet connection and extending to nearby devices that do not belong to that household.

"Cato Research Labs has identified hundreds of thousands of Sidewalk enterprise networks, with some enterprises having hundreds of such devices," says the report. For the moment there is little or no indication that attackers are trying to exploit these consumer devices to reach corporate devices, but it remains a possibility.

Maor doubts that many companies would be happy hosting on-site networks that incorporate an array of home devices, and possibly even devices belonging to the neighbors of staff that Sidewalk signed in automatically. Just as concerning, he said, "How many companies are even aware that home devices have been brought into the corporate network and are sharing the corporate infrastructure? With lines blurring between the home office and the corporate network," he continued, "more devices and applications find their way to the organization's network but not necessarily to the organization's risk assessment."

Tel Aviv, Israel-based Cato Networks was founded by Gur Shatz (president and COO), and Shlomo Kramer (CEO) in 2015. In November 2020, it raised $130 million in a Series E funding round led by Lightspeed Venture Partners, bringing the total raised to date to $332 million. A series D funding round in April 2020 raised $77 million.


Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
