Tag Archives: DatAlert

🚨 Massive Ransomware Outbreak: What You Need To Know

Remember those NSA exploits that got leaked a few months back? A new variant of ransomware using those exploits is spreading quickly across the world – affecting everyone from the NHS to telecom companies to FedEx.

Here’s What We Know So Far

Ransomware appears to be getting in via social engineering and phishing attacks, though vulnerable systems may also be at risk if TCP port 445 is accessible. Unlike most ransomware, which encrypts any accessible file from a single infected node, this ransomware also moves laterally via exploit (i.e., EternalBlue) to vulnerable unpatched workstations and servers, and then continues the attack. Unpatched Windows hosts (Vista, 7, 8, 10, Server 2008, 2008 R2, 2012, 2012 R2, and 2016) running SMBv1 are all vulnerable.

Infected hosts are running strains of ransomware such as Wanna Decrypt0r (more below), which encrypt files and change their extensions to:

  • .WRNY
  • .WCRY (+ .WCRYT for temp files)
  • .WNCRY (+ .WNCRYT for temp files)

The ransomware also leaves a note in files named @Please_Read_Me@.txt or !Please_Read_Me!.txt, and displays an on-screen warning.

Here’s What You Can Do

MS17-010, released in March, closes a number of holes in Windows SMB Server. These exploits were all exposed in the recent NSA hacking tools leak. Exploit tools such as EternalBlue, EternalChampion, EternalSynergy and EternalRomance (all part of the Fuzzbunch exploit platform) drop DoublePulsar onto compromised hosts. DoublePulsar was created by the NSA and is basically a malware downloader, used as an intermediary for downloading more potent malware executables onto infected hosts.

If you’re an existing DatAlert customer, you can set up office hours with your assigned engineer to review your threat models and alerts. Don’t have DatAlert yet?  Get a demo of our data security platform and see how to detect zero-day attacks.

DatAlert Customers

If you’re a DatAlert Analytics customer, the threat model “Immediate Pattern Detected: user actions resemble ransomware” was designed to detect this and other zero-day variants of ransomware; however, we also strongly recommend that you update the dictionaries used by DatAlert signature-based rules. Instructions for updating your dictionaries are here: https://connect.varonis.com/docs/DOC-2749

If for some reason you can’t access the Connect community, here is how to update your dictionaries to include the new extensions for this variant:

  • Open the DatAdvantage UI > Tools > Dictionaries > Crypto files (Predefined)
  • Open the DatAdvantage UI > Tools > Dictionaries > Encrypted files (Predefined)
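The two detection layers this post relies on, a dictionary match on known crypto extensions and ransom-note names, and a behavioural rule that fires on a burst of write activity by one user, can be sketched in a few lines. The following is an added example, not Varonis code and not part of the original post: the log format (`ISO-time|user|operation|path`), the burst threshold and window, and every event in the sample log are constructed assumptions. The extension list is the one given above; the `.locked` variant used by "carol" is a made-up extension to show why the behavioural layer matters for variants the dictionary does not know yet.

```python
"""Two-layer ransomware detection over file-activity events (added example)."""
import os
from collections import defaultdict
from datetime import datetime, timedelta

# Signature layer: the extensions named in the post (plus temp-file variants)
# and the ransom-note file names. Matching is case-insensitive.
CRYPTO_EXTENSIONS = {".wrny", ".wcry", ".wcryt", ".wncry", ".wncryt"}
RANSOM_NOTES = {"@please_read_me@.txt", "!please_read_me!.txt"}

# Behavioural layer: this many write-type events by one user inside the window
# is treated as "user actions resemble ransomware". Threshold and window are
# assumptions for the example, not DatAlert's own tuning.
WRITE_OPS = {"create", "modify", "rename", "delete"}
BURST_THRESHOLD = 10
BURST_WINDOW = timedelta(seconds=60)


def constructed_log():
    """Build constructed sample events in the assumed 'ISO-time|user|operation|path' format."""
    base = datetime(2017, 5, 12, 9, 1, 0)
    lines = []
    for i in range(12):  # alice: known WannaCry extension, one rename every 2 s
        t = base + timedelta(seconds=2 * i)
        lines.append(f"{t.isoformat()}|alice|rename|\\\\fs01\\finance\\report{i}.docx.WNCRY")
    lines.append(f"{(base + timedelta(seconds=25)).isoformat()}|alice|create|\\\\fs01\\finance\\@Please_Read_Me@.txt")
    for i in range(12):  # carol: made-up extension (hypothetical new variant), 1 s apart
        t = base + timedelta(minutes=10, seconds=i)
        lines.append(f"{t.isoformat()}|carol|rename|\\\\fs01\\hr\\cv{i}.pdf.locked")
    for i in range(3):  # bob: ordinary editing spread over an hour
        t = base + timedelta(minutes=20 * i)
        lines.append(f"{t.isoformat()}|bob|modify|\\\\fs01\\hr\\notes{i}.docx")
    return "\n".join(lines)


def parse_events(text):
    """Parse log lines into (timestamp, user, operation, file name) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, op, path = line.split("|", 3)
        name = path.replace("\\", "/").rsplit("/", 1)[-1]  # basename, Windows or POSIX path
        events.append((datetime.fromisoformat(ts), user, op.lower(), name))
    return events


def signature_hits(events):
    """Dictionary matches: known crypto extensions or ransom-note names."""
    hits = []
    for _ts, user, _op, name in events:
        ext = os.path.splitext(name)[1].lower()
        if name.lower() in RANSOM_NOTES:
            hits.append((user, name, "ransom note"))
        elif ext in CRYPTO_EXTENSIONS:
            hits.append((user, name, f"extension {ext}"))
    return hits


def burst_hits(events, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Users with at least `threshold` write-type events inside any sliding window."""
    per_user = defaultdict(list)
    for ts, user, op, _name in events:
        if op in WRITE_OPS:
            per_user[user].append(ts)
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = times[start]  # when the burst began
                break
    return flagged


def detect(text):
    """Run both layers and return the users each one flags."""
    events = parse_events(text)
    return {
        "signature": sorted({user for user, _, _ in signature_hits(events)}),
        "pattern": sorted(burst_hits(events)),
    }


if __name__ == "__main__":
    for layer, users in detect(constructed_log()).items():
        print(f"{layer:>9}: {users}")
```

In the sample, "alice" is caught by both layers, "carol" only by the burst rule, and "bob" by neither; that is the reason the post recommends keeping the dictionary current even though the behavioural threat model exists.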

Details

Vulnerabilities

The malware exploits multiple Windows SMBv1 remote code execution vulnerabilities:

Windows Vista, 7, 8, 10, Server 2008, 2008 R2, 2012, 2012 R2 and 2016 are all vulnerable if not patched and the SMBv1 Windows feature is enabled.

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Ransomware strains

WCry / WannaCry / WannaCrypt0r / WannaCrypt / Wana Decrypt0r

This outbreak is version 2.0 of the WCry ransomware, which first appeared in March. Until this outbreak, this ransomware family was barely heard of. Although it is likely spread via phishing and social engineering attacks, if TCP port 445 is exposed on vulnerable Windows machines, those machines can also be exploited directly using the Fuzzbunch exploit platform.

Other helpful links

Introducing the Automation Engine, DatAlert Analytics Rewind, and more

Put Least Privilege on Autopilot

Getting to least privilege can be a nightmare. The first steps – tracking down inconsistent ACLs and remediating global access groups – can turn even the most basic file share clean-up project into a huge to-do.

And so we’re thrilled to announce the upcoming availability of the Automation Engine, which will take the headache out of least privilege by discovering undetected security threats and fixing hidden vulnerabilities without all the manual legwork.

The Varonis Automation Engine automatically repairs and maintains file systems so that you’re less vulnerable to attacks, more compliant, and consistently enforcing a least privilege model.

  • Fix hidden security vulnerabilities like inconsistent ACLs and global access.
  • Revoke unnecessary access that users no longer need or use, reducing your risk profile.
  • Accelerate and automate least privilege.

Interested?  Get a demo now and be the first in line to try it.

What’s past is prologue

One of our earliest patents was our simulation capability in DatAdvantage – which our customers now use consistently to test access control changes against past access activity, highlighting users that would be disrupted or applications that might break if they had made those changes in the past.

We’re extending our simulation capabilities with Analytics Rewind.

DatAlert Analytics Rewind allows customers with three or more months of data to analyze past user and data activity with DatAlert threat models, and identify alerts that they would have gotten in the past. You can not only pre-emptively tune out false positives, but also look back at your data activity history to identify breaches that may have already occurred.

New Threat Models for Exchange and DS

You asked, we listened. We’re adding more threat models to DatAlert Analytics to detect and prevent impersonation, exploitation, and account hijacking. The latest set keeps you aware of suspicious mailbox and Exchange behaviors, password resets and unusual activity from personal devices.

Email security and Exchange: New threat models flag an abnormal number of emails sent to accounts outside the organization, unusual mailbox activity from service accounts, and automated forwarding that might indicate an attacker trying to redirect and exfiltrate data.

Directory Services:  New threat models detect suspicious password resets that may indicate attempts to hijack a user account, unusual access to personal devices, suspicious attempts to access an unusual amount of resources, and unusual login activity that may indicate a credential stuffing attack.

Want to see them in action? Get a demo of our data security platform and see how you can stop data breaches.

Varonis + Splunk: Epic Threat Detection and Investigations

We’re bringing our powerful DatAlert functionality to Splunk® Enterprise to give you comprehensive visibility into data security with our new Varonis App for Splunk – now available for download on splunkbase!

DatAlert can now send alerts to the Varonis App for Splunk, providing Splunk additional context into anomalous file system, email, and Active Directory behavior. Users of the App can view Varonis alerts directly from Splunk Enterprise, and drill into DatAlert for additional insight into what’s going on and accelerate security investigations, reducing mean time to resolution.

At-a-glance Dashboards

Our at-a-glance dashboards set SysAdmins and Security Analysts up for success – correlating Varonis alerts with Splunk events, and providing additional insight and context into potential security threats.

Want to learn more?

You can take a closer look at selected entities in the drill-down dashboard – access a complete list of all alerts on a specific entity (user, asset, threat model, device) within the selected timeframe.

Streamline your investigation with the DatAlert Web UI – and determine whether suspicious activity is malicious or a misconfiguration.

Want to try out the Varonis for Splunk app? Download it directly from splunkbase to get started.

Not yet a Varonis customer? What are you waiting for! Check out a demo of our data security platform today and get a personalized walkthrough of the Varonis App for Splunk while you’re at it.

Detecting Malware Payloads in Office Document Metadata

Office Documents with Malicious Metadata

Ever consider document properties like “Company,” “Title,” and “Comments” a vehicle for a malicious payload? Check out this nifty PowerShell payload in the Company metadata:

Here’s the full VirusTotal entry. The target opens the Office document and, with macros enabled, the payload stored within the document’s own metadata executes and does its work. No extra files written to disk or network requests made.

The question about whether DatAlert can detect stuff like this came up in the Twitter thread, so I decided to write up a quick how-to.

Finding Malicious Metadata with Varonis

What you’ll need: DatAdvantage, Data Classification Framework, DatAlert

Step 1: Add Extended File Properties to be scanned by Data Classification Framework.

  • Open up the Varonis Management Console
  • Click on Configuration → Extended File properties
  • Add a new property for whichever field you’d like to scan (e.g., “Company”)

Varonis Management Console

(Note: prior to version 6.3, extended properties are created in DatAdvantage under Tools → DCF and DW → Configuration → Advanced)

Step 2: Define a malicious metadata classification rule

  • In the main menu of DatAdvantage select Tools → DCF and DW → Configuration
  • Create a new rule
  • Create a new filter
  • Select File properties → Company (or whichever property you’re scanning)
  • Select “like” to search for a substring
  • Add the malicious value you’d like to look for (e.g., .exe or .bat)

Varonis DCF New Classification Rule

Step 3: Create an alert in DatAlert to notify you whenever a file with malicious metadata is discovered

  • In the main menu of DatAdvantage select Tools → DatAlert
  • Click the green “+” button to create a new rule
  • Click on the “Where (Affected Object)” sub menu on the left
  • Add a new filter → Classification Results
  • Select your rule name (e.g., “Malicious Metadata”)
  • Select “Files with hits” and “Hit count (on selected rules)” greater than 0

DatAlert Rule for Malicious Document Metadata

You can fill out the rest of the details of your alert rule – like which systems to scan, how you want to get your alerts, etc.

As an extra precaution, you could also create a Data Transport Engine rule based on the same classification result that will automatically quarantine files that are found to have malicious metadata.

That’s it! You can update your “Malicious Metadata” over time as you see reports from malware researchers of new and stealthier ways to encode malicious bits within document metadata.
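To make concrete what the classification rule in Step 2 is actually looking at, here is an added Python example, not Varonis code and not part of the original post. It opens a .docx as the ZIP container it is, reads the Title, Company and other properties from docProps/core.xml and docProps/app.xml, and applies a small rule set of “like” substrings (.exe, .bat, powershell and similar) plus a length check, returning a hit count in the spirit of “Hit count (on selected rules) greater than 0”. The rule list, the length limit and the minimal in-memory documents it is tested with are all constructed assumptions.

```python
"""Scan Office Open XML document properties for suspicious values (added example)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Where Office stores the properties the post mentions: Title/Subject/Description
# (Comments) live in docProps/core.xml, Company in docProps/app.xml.
PROPERTY_PARTS = ("docProps/core.xml", "docProps/app.xml")

# Substrings a classification rule might search for ("like" in the post), plus
# two generic shapes; the rule set is an assumption for the example.
SUSPICIOUS_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (
        r"\.exe\b", r"\.bat\b", r"\.vbs\b", r"\.ps1\b",
        r"\bpowershell\b", r"\bcmd(\.exe)?\s*/c\b",
        r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}",  # long encoded argument
    )
]
MAX_REASONABLE_LEN = 200  # assumed: legitimate Company/Title values are short


def read_properties(docx_bytes):
    """Return {property_name: text} from the OOXML property parts."""
    props = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in PROPERTY_PARTS:
            if part not in z.namelist():
                continue
            root = ET.fromstring(z.read(part))
            for el in root.iter():
                name = el.tag.rsplit("}", 1)[-1]  # strip namespace: '{uri}Company' -> 'Company'
                if el.text and el.text.strip():
                    props[name] = el.text.strip()
    return props


def classify(props):
    """Return (property, reason) hits, analogous to a DCF classification result."""
    hits = []
    for name, value in props.items():
        for pat in SUSPICIOUS_PATTERNS:
            if pat.search(value):
                hits.append((name, f"matches {pat.pattern}"))
                break
        else:  # no substring rule fired; fall back to the length rule
            if len(value) > MAX_REASONABLE_LEN:
                hits.append((name, f"unusually long ({len(value)} chars)"))
    return hits


def scan_docx(docx_bytes):
    """Hit count and hits for one document, the value an alert rule would test > 0."""
    hits = classify(read_properties(docx_bytes))
    return {"hit_count": len(hits), "hits": hits}


def build_docx(company, title="Q2 report"):
    """Construct a minimal .docx in memory (constructed test input, not a real file)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
        'xmlns:dc="http://purl.org/dc/elements/1.1/">'
        f'<dc:title>{escape(title)}</dc:title></cp:coreProperties>'
    )
    app = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">'
        f'<Application>Microsoft Office Word</Application><Company>{escape(company)}</Company></Properties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")  # placeholder; the scanner never reads it
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()


if __name__ == "__main__":
    for company in ("Contoso Ltd", "cmd.exe /c stager.bat", "x" * 300):
        print(repr(company[:30]), scan_docx(build_docx(company)))
```

Running the block on the three constructed documents gives no hits for a plain company name, one Company hit for the `.exe` substring, and one length hit for the oversized value; the same scanner run over a file share is the offline equivalent of the DCF rule, and its output is the kind of evidence you would want before quarantining with a Data Transport Engine rule.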

If you’re an existing Varonis customer, you can set up office hours with your assigned engineer to review your classification rules and alerts. Not yet a Varonis customer? What are you waiting for? Get a demo of our data security platform today.

Introducing a new security dashboard, enhanced behavioral analysis, and more

Every day we hear new stories about how our customers are using DatAlert to stop cyberattacks: detecting and disabling ransomware infections, discovering misconfigurations and vulnerabilities, and setting up automatic responses to malware infections.

And so, we’ve updated DatAlert to be more intuitive, powerful, and insightful than ever: 6.3.150 includes major updates to DatAlert, additional platform support, and performance enhancements.

New Security Dashboard: DatAlert is easier than ever to use as a starting point for investigating suspicious behavior, spotting unusual activity on file servers, and finding security vulnerabilities. We’re introducing a configurable dashboard where you can easily identify and prioritize at-risk areas like global access, stale data, and overexposed sensitive information.

Alert investigation page: A new alert page enables quick triage on individual alerts – drill down on suspicious activity that might indicate that an attack is under way and triage for further investigation. The alert investigation page offers additional security insights about users, data, time, and affected devices.

Enhanced behaviors and analysis:

  • Behavioral Peers: DatAlert can compare file and email touches of one user – along with other activity – to that of her peers. Behavioral peer comparisons are available directly within the alerts page to streamline investigation and help identify the severity of alerted behavior.
  • Device Insight: Review device context cards, and get insight through the DatAlert UI to see alerts triggered on specific devices. Insights into devices also help highlight abnormal device usage per user account to pinpoint a computer that’s been compromised for insider activities.
  • Normal Working Hours: Varonis determines normal working hours for each individual based on email & file activity – and compares activity against their peers, to catch suspicious activity more quickly than ever.
  • Flags & Watch list: Customers can now flag suspicious users, putting them on a watch-list for tracking – making it easier to keep an eye on suspicious users and devices. Users can be highlighted based on past alerts or based on information from legal, HR, or other departments.
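The "Normal Working Hours" and "Behavioral Peers" items above describe a baseline-and-compare approach; the following added example (not Varonis code, and not how DatAlert computes it) shows one simple way to do it: build a per-user histogram of active hours, treat hours that carry a minimum share of the user's activity as normal, union those across a peer group, and grade a new event as normal, medium (off-hours for the user but normal for peers) or high (off-hours for everyone). The peer grouping, the 2% share threshold and the twenty days of activity are constructed assumptions.

```python
"""Per-user working-hours baseline with peer comparison (added example)."""
from collections import defaultdict
from datetime import datetime

# Assumed peer grouping (e.g. department from the directory); constructed.
GROUPS = {"alice": "finance", "bob": "finance"}


def history():
    """Constructed activity history as (user, timestamp) for 20 days:
    alice is active 08:00-17:00, bob works a late shift 13:00-22:00."""
    events = []
    for day in range(1, 21):
        for user, start, end in (("alice", 8, 17), ("bob", 13, 22)):
            for hour in range(start, end + 1):
                events.append((user, datetime(2017, 5, day, hour, 15)))
    return events


def new_events():
    """Constructed events to score against the baseline."""
    return [
        ("alice", datetime(2017, 6, 1, 3, 0)),   # off-hours for alice and her peers
        ("alice", datetime(2017, 6, 1, 20, 0)),  # off-hours for alice, normal for bob
        ("bob", datetime(2017, 6, 1, 21, 0)),    # inside bob's own baseline
    ]


def baseline(events, min_share=0.02):
    """Hours of the day in which a user produced at least min_share of their activity."""
    counts = defaultdict(lambda: defaultdict(int))
    for user, ts in events:
        counts[user][ts.hour] += 1
    normal = {}
    for user, hist in counts.items():
        total = sum(hist.values())
        normal[user] = {h for h, c in hist.items() if c >= min_share * total}
    return normal


def peer_hours(normal, groups):
    """Union of normal hours across each peer group."""
    merged = defaultdict(set)
    for user, hours in normal.items():
        merged[groups[user]] |= hours
    return dict(merged)


def score(user, ts, normal, groups, peers):
    """'normal' inside the user's own hours; 'medium' if only peers work then; 'high' otherwise."""
    if ts.hour in normal.get(user, set()):
        return "normal"
    if ts.hour in peers.get(groups.get(user), set()):
        return "medium"
    return "high"


def assess(events, hist, groups):
    """Score each (user, timestamp) event; returns (user, ISO time, severity) triples."""
    normal = baseline(hist)
    peers = peer_hours(normal, groups)
    return [(u, ts.isoformat(), score(u, ts, normal, groups, peers)) for u, ts in events]


if __name__ == "__main__":
    for user, when, severity in assess(new_events(), history(), GROUPS):
        print(f"{user:6} {when}  {severity}")
```

The 2% share threshold keeps the odd late login from widening a user's baseline; the interesting tuning question in practice is how many days of history the baseline needs, which is why features like "Analytics Rewind" that replay historical activity are useful for it.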

Want to see DatAlert in action? Schedule a free demo and see how it works in your environment.

Visualize your risk with the DatAlert dashboard

Last week, we introduced over 20 new threat models to help defend your data against insider threats, ransomware attacks and threats to your most sensitive data.

But with all this analysis – and all these threat models – how do you interpret and prioritize what to do next?

Enterprises have been using our UBA threat models to stop insider attacks and catch ransomware before their data gets compromised: and with so much attention to data security and heightened risk of data breaches, they need a better way to interpret and prioritize their investigations.

So we’ve created a new dashboard and web interface for DatAlert: an intuitive interface where you can quickly recognize whether your data is under attack, prioritize your investigation, drill down, and take action.

The new UI gives you a clean visualization of your data, designed to show a clear state of the system.


Context cards give you all the information you need on one screen with detailed analysis of alerts and activity, in order to simplify security processes and take next steps.


DatAlert’s web UI makes it easy to spot threats to your data: who’s behaving suspiciously, which data assets are threatened, and identify ransomware before it’s too late.

Curious to see how DatAlert looks with your data? Get a free demo and find out.

Varonis Keeps Union Bank’s Data Safe from Insider Threats and External Attacks

Today we’re excited to share another interesting customer success story out of the UK. Union Bank UK PLC needed better visibility into the different types of sensitive data its employees were storing and accessing across its file systems. Regulatory requirements necessitated that the bank’s IT department regularly audit and report on who was accessing sensitive data, when and where, but they had no way of doing so efficiently. Also, with malware and ransomware on the rise, the bank needed a solution that could quickly alert the IT staff to unusual file access behavior such as rapid encryption of files stored on its servers.

The search led Union Bank’s IT team to our DatAdvantage and DatAlert solutions. Union Bank’s IT team is now alerted in real-time to any breach of its file systems, and they’re able to put control over file access in the hands of data owners, eliminating much of the burden previously placed on their team. They are also able to keep an eye on access privileges and ensure that no one is getting access to data that they do not need.

  • DatAdvantage makes it easy to see and report on who can access, and who does access data in the bank’s Windows, Exchange, and Active Directory environments by tracking and monitoring file activity.
  • Union Bank can intelligently identify who owns which data, and can alert on unusual activity through DatAlert, which uses user behavior analytics to spot insider threats like abusive administrators, ransomware, compromised accounts, and rogue employees.
  • Keeping files secure when employees leave the company was another important capability identified by Union Bank. Varonis allows the bank to monitor and baseline employees’ access profiles and detect if files are unusually accessed prior to their departure.

David Pennant, an IT Manager at Union Bank told us, “Before Varonis we had no real view of what was happening on the file servers or changes happening on a day-to-day basis. We can’t afford to spend a large amount of time sifting through logs – we need to stay focused on day-to-day tasks and therefore needed a more efficient approach. It was obvious straight away that Varonis could give us the automated, efficient approach we were looking for. Thanks to Varonis, IT now has better insight into the bank’s data, and that of course reduces security risk, which is something which you can’t always put a price on.”

Varonis Risk Assessments quickly show you where your most vulnerable data is stored, who is accessing it, and what needs to be done to secure it.  Learn more here.

Here’s Why Most Companies Are Easy Prey for Cyberattackers

Today we announced the results of anonymous data that our DatAdvantage and Data Classification Framework solutions collected throughout 2015 during risk assessments conducted for potential customers on a limited subset of their file systems. The results show a staggering level of exposure in corporate file systems, including an average of 9.9 million files per assessment that were accessible by every employee in the company.

Varonis DatAdvantage provides full visibility into who can and does access file systems and unstructured data. Varonis Data Classification Framework identifies sensitive and regulated content, like credit card numbers and health records, and maps them to exposures in their host file systems. Even while assessment and remediation projects are in progress, Varonis DatAlert can detect and stop insider threats, unwanted privilege escalations and abuse, and ransomware like Cryptolocker.

Of the insights gleaned from dozens of customer risk assessments conducted in mid-to-large enterprises prior to remediation, Varonis found the average company had, in a subset of its file systems:


  • 35.3 million files, stored in 4 million folders
  • 1 million folders, or an average of 28% of all folders, with “everyone” group permission enabled – open to all network users
  • 9 million files that were accessible by every employee in the company regardless of their roles
  • 8 million folders, or 70% of all folders, contained stale data — untouched for the past six months
  • 25,000 user accounts, with 7,700 of them or 31% “stale” – having not logged in for the past 60 days, suggesting former employees, or consultants and contractors whose engagements have ended

The ‘everyone’ group is a common convenience for permissions when originally set up. That mass access also makes it astonishingly easy for hackers to steal company data.

Some individual companies’ lowlights that were gleaned from the Varonis risk assessments:

  • In one company, every employee had access to 82% of the 6.1 million total folders.

  • Another company had more than 2 million files containing sensitive data (credit card, social security or account numbers) that everyone in the company could access.

  • 50% of another company’s folders had “everyone” group permission, and more than 14,000 files in those folders were found to contain sensitive data.

  • A single company had more than 146,000 stale users – accounts whose users had not logged in for the past 60 days. That’s nearly three times more users than the average FORTUNE 500 company has employees.

Although this data presents a bleak look at the average enterprise’s corporate file system environment, the organizations running these risk assessments are taking these challenges seriously. Most of them have since implemented Varonis, embracing a more holistic view of the data on their file and email systems and closing these gaping, often unseen security holes before the next major breach causes heavy damage. Our software is able to provide a granular look at where sensitive data lives, where it is over-exposed within an organization, who is accessing that data, and how to lock it down. While that remediation process is running, our ability to detect and stop many types of insider threats has been a major revelation for our customers.

***

Our Risk Assessments quickly show you where your most vulnerable data is stored, who is accessing it, and what needs to be done to secure it.

To request a Risk Assessment from the Varonis Professional Services Team, visit: https://info.varonis.com/assessment

DatAlert Analytics and the Varonis Behavior Research Laboratory

Last November, we introduced Varonis UBA threat models to automatically analyze behavior and detect insider threats throughout the lifecycle of a breach.  Our UBA threat models, which are major enhancements to Varonis DatAlert and are in beta availability, have been helping our customers protect their data – from spotting signs of ransomware activity to catching unusual activity on sensitive data.

But with news of more data breaches rolling out every day and brand new variants of ransomware popping up all the time, how can you keep up?

We’ve established a professional behavior research laboratory for just that reason.

Security experts and data scientists from Varonis now continually introduce new behavior-based threat models as part of DatAlert Analytics, keeping you up-to-date with the latest in security issues, APTs, and insider threats. This dedicated team is focused exclusively on creating new threat models to better protect your data, including privileged and service account detection and integration with all up-to-date malware and crypto repositories.

As insider threats become more sophisticated, so do our security tactics.  Some of the things our experts will focus on in the coming months include:

  • Account detection and auto-profiling, so you can automatically detect executive accounts and see unauthorized attempts to gain access to c-level data.
  • Threat models designed to alert on new variants of CryptoLocker so you can spot ransomware attacks before they get out of hand.
  • Threat models that detect mass deletes and lockout activity so you can find out when somebody’s attempting to damage or destroy data before it’s gone.

DatAlert Analytics is like having your very own behavior research laboratory to stay on top of the latest in security attacks and develop more ways to fight back against insider threats. Want to see DatAlert Analytics in action? Get in touch.

Varonis DatAdvantage and DatAlert Are Now Interoperable with LogRhythm’s Security Intelligence Platform

Today we’re happy to announce the interoperability of our DatAdvantage and DatAlert solutions with the LogRhythm Security Intelligence Platform.

With the new interoperability, customers can combine critical security insight from LogRhythm with Varonis intelligence about file systems and unstructured data – the type of data they typically have the most of and know the least about. Varonis and LogRhythm can help organizations proactively spot signs of insider threats before they end up in the news because of a data breach.

How does it work?

Varonis can automatically send alerts from Varonis DatAdvantage and DatAlert into LogRhythm Security Intelligence Platform and thereby increase the speed and accuracy with which customers are able to identify, prioritize and investigate unusual user behavior surrounding unstructured data. Anomalous activity spotted by Varonis analytics includes unusual access to sensitive and stale data, mass deletions and modifications, malware and ransomware infections like CryptoLocker and Cryptowall, privilege escalations, unusual access to PII, multiple failed login attempts, and many more potential warning signs. Installation of Varonis DatAdvantage and DatAlert can take as little as an hour, and integration with LogRhythm is as simple as configuring an IP address.

Click here to learn more.

Varonis DatAdvantage and DatAlert Are Now Interoperable with HP ArcSight

Today we are pleased to announce that we’ve teamed up with HP to integrate our DatAdvantage and DatAlert solutions with ArcSight, HP’s leading Security Information and Event Management (SIEM) platform. This new technology alliance is designed to help our customers gain unprecedented intelligence about their vast stores of unstructured data (the type of data they typically have the most of and know the least about), as well as bring together threat intelligence from many sources. From initial reconnaissance through data exfiltration and attack obfuscation, Varonis and HP ArcSight can help organizations spot the warning signs before they end up in the news because of a data breach.

Immediate Detection Capabilities

Through a single interface, users will now be able to easily send alerts from Varonis DatAdvantage and DatAlert into HP ArcSight, and begin identifying statistically unusual user behavior, mass deletions and modifications, malware and ransomware infections like CryptoLocker and Cryptowall, privilege escalations, unusual access to PII, multiple failed login attempts, and many more potential warning signs. Installation of Varonis DatAdvantage and DatAlert can take as little as an hour, and connection to HP ArcSight is as simple as configuring an IP address.

Why is Unstructured Data Important?

Organizations store massive quantities of unstructured data – files, emails, spreadsheets, presentations – comprising some of their most valuable and sensitive information assets. These assets are frequently stolen in high-profile breaches, either by insiders who abuse their access or by outsiders who compromise insiders’ credentials. Varonis has helped thousands of customers protect their unstructured data, through analyzing user activity with files and emails, permissions and file system metadata, as well as file content.

If you happen to be at HP Protect this week in National Harbor, MD, be sure to swing by our booth (#401) and check out the new interoperable solutions.