The nature of a secure access service edge (SASE) platform provides visibility into a large number of internet data flows – and the larger the platform, the more dataflows can be analyzed. An analysis of more than 250 billion network flows during Q2 2021 shows increasing threats, a new use of an old malware, and the growing incidence of consumer devices in the workplace.
Houdini is back
Cato Networks SASE Threat Research Report (PDF) has discovered a new version of the old Houdini malware now being used to steal device information to subvert access rules that check on the device as well as the user. Spoofing device IDs has been a top priority for attackers, evolving from simple point solutions to cloud-based services. As such, device identification verification has become crucial for strong user authentication.
Houdini now collects data about its victim system. This data is used to create virtual machines that are offered on dark web forums in what Cato describes as ‘spoofing as a service’. Matching user credentials (obtained either from those already available on the dark web, or from new phishing attacks) provides access to targets that defeats both user ID and device ID access solutions. Since the attacker is using a virtual machine throughout the process, periodic device checks are also defeated. It is a way of defeating nascent zero-trust policies.
“A hard-to-come-by solution is now more widely available,” comments Etay Maor, Cato’s senior director of security strategy. “The bar for launching attacks against organizations is lower — enabling and motivating newcomers in the cybercrime field.”
Rising threat levels
During Q2, Cato detected 9.5 billion network scans across its platforms. Maor is confident that the company’s combination of AI-based threat detection with human support ensures that these are ‘malicious’ scans rather than researcher scans.
Cato also detected almost 817 million security events triggered by malware, and more than 475 million events triggered by either inbound or outbound communication with domains with a known bad reputation.
There were almost 400 million policy violations that violated either Cato’s security policy or common best practices for network security; and 241 million vulnerability scans from scanners such as OpenVAS, Nessus and others.
Also worth noting, says the report, was the detection of 108 million remote code execution (RCE) events, and 1.3 million privilege escalation events.
By far the most frequent exploit attempt (7,957,186 attempts) was against the CVE-2020-29047 vulnerability – a WordPress wp-hotel-booking vulnerability. The next three most common attempts were against new Microsoft vulnerabilities disclosed this year: CVE-2021-28482 (741,004), CVE-2021-28442 (669,614), and CVE-2021-28324 (611,995).
Consumer devices at work
“What used to be called ‘bring your own device’ has almost become ‘bring all your devices’,” commented Maor. The issue is the growing interconnection of smart home devices through developments such as Amazon’s Sidewalk. A controversial feature, Sidewalk constructs a shared network between other smart devices including Echo, Ring Security Cams, outdoor lights and more.
“Cato Research Labs has identified hundreds of thousands of Sidewalk enterprise networks, with some enterprises having hundreds of such devices,” says the report. For the moment, there is little or no indication of attackers yet trying to exploit these consumer devices to gain access to corporate devices – but it remains a possibility.
Maor doubts that many companies would be happy with hosting on-site networks that incorporate an array of home devices, and possibly even devices automatically signed in by Sidewalk belonging to the neighbors of staff. Just as concerning, he said, “How many companies are even aware that home devices have been brought into the corporate network and are sharing the corporate infrastructure. With lines blurring between the home office and the corporate network,” he continued, “more devices and applications find their way to the organization’s network but not necessarily to the organization’s risk assessment.”
Tel Aviv, Israel-based Cato Networks was founded by Gur Shatz (president and COO), and Shlomo Kramer (CEO) in 2015. In November 2020, it raised $130 million in a Series E funding round led by Lightspeed Venture Partners, bringing the total raised to date to $332 million. A series D funding round in April 2020 raised $77 million.
Related: Getting SASE, Without the Hyperbole