Sean Michael Kerner, Author at eWEEK
https://www.eweek.com/author/sean-michael-kerner/

How Breach & Attack Simulation Can Improve Your Security Strategy
https://www.eweek.com/security/how-breach-attack-simulation-can-improve-your-security-strategy/
Mon, 16 Dec 2019 19:10:00 +0000

Breach and attack simulation (BAS) helps businesses automate and scale how they test their cybersecurity defenses. Unlike traditional penetration testing, which offers a point-in-time view of defenses, BAS can assess risk in real time, even as IT environments and networks change and increase in complexity.

Join technology journalist Sean Michael Kerner and Gus Evangelakos of XM Cyber as they discuss how businesses can use breach and attack simulation to improve security, help meet compliance requirements, and secure cloud and hybrid environments.

Red Hat Enterprise Linux 8 Delivers New Server Management Features
https://www.eweek.com/enterprise-apps/red-hat-enterprise-linux-8-delivers-new-server-management-features/
Tue, 07 May 2019 18:31:54 +0000

Red Hat is kicking off its annual Red Hat Summit customer event on May 7, announcing the release of Red Hat Enterprise Linux 8.

Red Hat Enterprise Linux 8 adds multiple new features including a web console, application streams, improved security and updated configuration capabilities. Red Hat Enterprise Linux is Red Hat’s flagship platform, serving as a foundational component for application, container and cloud infrastructure delivery.

The impact of Red Hat Enterprise Linux is non-trivial, with a Red Hat sponsored IDC study reporting that the enterprise Linux platform has a $10 trillion impact on global business revenues.

The Red Hat Enterprise Linux 8 update is the first major version upgrade since Red Hat Enterprise Linux 7 launched in June 2014. The first public beta of Red Hat Enterprise Linux 8 was released in November 2018, providing an early look at the new features.

Interest in the beta was high according to Ron Pacheco, director, Product Management for Red Hat Enterprise Linux. Pacheco told eWEEK that there were more than 10,000 downloads of Red Hat Enterprise Linux 8 beta. In contrast, for the version 7 beta, he said that Red Hat only had approximately 2,000 downloads.

Web Console

Among the features that beta users were particularly interested in was the new Web Console feature.

“We received a lot of interest in the Red Hat Enterprise Linux Web Console, even though we have a lot of command line heroes in our installed base,” Pacheco said.

The Web Console is based on the open-source Cockpit project that first appeared in Red Hat’s community Fedora 25 Linux distribution in 2016. Pacheco said that the Red Hat Enterprise Linux web console is based on the Cockpit project, scaled and hardened to support the production role of Red Hat Enterprise Linux 8. He explained that the web console is intended to do specific, system-level monitoring and maintenance, like managing virtual machines and assessing system.

“It’s there to give sysadmins tool a way to abstract the complexities of dealing with increasingly heterogeneous operating system footprints,” Pacheco said.

Red Hat users have long had multiple options for system management, with the other primary tool being Satellite. Pacheco said that Satellite is intended to manage at scale.

“The web console works well with Satellite, but one is intended for systems-level management while the other is at scale,” Pacheco said.

Application Streams

In the past with Red Hat Enterprise Linux, each major release was closely associated with a specific set of version numbers for programming languages and core application software stacks. With Red Hat Enterprise Linux 8, organizations will no longer be tethered to specific version numbers of software, thanks to the Application Streams feature.

With Application Streams, an organization can choose different version numbers of supported software stacks that can run on Red Hat Enterprise Linux 8. A primary reason why Red Hat has long associated specific version numbers with a given enterprise platform release has been to provide certifiable software that won’t break other software running on a system. The concept of compatibility and stability will still carry forward with Application Streams as well.

“Red Hat Enterprise Linux continues to publish an Application Compatibility Guide, which clearly defines the application binary interfaces (ABIs) that we will preserve and for how long,” Pacheco said. “The vast majority of the user space will continue to have a 10 year ABI that we will preserve, so this will continue to support certifications and application stability.”

Universal Base Image

As part of the new platform rollout, Red Hat is also announcing its new Universal Base Image (UBI) effort. 

“The Universal Base Image is derived from Red Hat Enterprise Linux – so it brings two of the key characteristics of Red Hat Enterprise Linux, security and stability, into a base layer image that’s freely available and redistributable,” Pacheco said. “This provides a level of stability and curation to cloud-native applications built with the base image, even if the developer isn’t necessarily a Red Hat Enterprise Linux subscriber.”

At the core of Red Hat Enterprise Linux is a Linux 4.18 kernel, which is a kernel that was first released by Linus Torvalds in August 2018. Pacheco noted that the Red Hat kernel benefits from extensive backports.

“This means that we have established a kernel ABI that we will preserve for the life of RHEL 8 and backports are measured against,” he said.

Red Hat Enterprise Linux 7 Continues

The availability of Red Hat Enterprise Linux 8 doesn’t mean that it’s the end of the line for existing Red Hat Enterprise Linux 7 or even version 6 customers.

“Red Hat Enterprise Linux 7 provides a stable, mature platform for production workloads and continues to be supported as part of the 10-year Red Hat Enterprise Linux lifecycle,” Pacheco said. “All Red Hat Enterprise Linux subscriptions have the opportunity to upgrade to newer versions of the platform at any time; with RHEL 8, we provide several tools to make this process easier, including enhancements to in-place upgrades to improve the overall process.”

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Linux 5.1 Advances Performance and Security With New Features
https://www.eweek.com/development/linux-5-1-advances-performance-and-security-with-new-features/
Mon, 06 May 2019 18:52:53 +0000

Linus Torvalds released the Linux 5.1 kernel update on May 5, providing users of the open-source operating system with new features that will help to improve performance, stability and security.

The Linux kernel is at the core of any Linux-based operating system, providing drivers, CPU, storage, networking and memory enablement. In Linux 5.1, performance is enhanced via a new asynchronous I/O interface, as well as the ability to better use persistent memory as RAM. Security gets a boost in Linux 5.1 with the SafeSetID Linux Security Module (LSM). 

“On the whole, 5.1 looks very normal with just over 13k commits (plus another 1k+ if you count merges, which is pretty much our normal size these days,” Torvalds wrote in his 5.1 kernel release announcement. “No way to boil that down to a sane shortlog, with work all over.”

The 5.1 kernel is the second major Linux kernel release of 2019 and follows the release of the Linux 5.0 kernel that became available on March 3.

Security

Among the many different security capabilities that are integrated into Linux is the concept of the Linux Security Module (LSM). Two of the most well-known LSMs are SELinux, which is commonly found in Red Hat-based systems, and AppArmor, which is used by Ubuntu and its derivatives.

In Linux 5.1, the SafeSetID LSM module is being added, providing yet another option for Linux administrators to provide security and policy controls.

“SafeSetID gates the setid family of syscalls to restrict UID/GID transitions from a given UID/GID to only those approved by a system-wide whitelist,” Linux developer Micah Morton wrote in his kernel commit message. “These restrictions also prohibit the given UIDs/GIDs from obtaining auxiliary privileges associated with CAP_SET{U/G}ID, such as allowing a user to set up user namespace UID mappings.”

User ID (UID) and Group ID (GID) are ways to identify users and groups within a Linux system and are the basic units of identification and control used for SafeSetID.

Persistent Memory

Linux has long enabled regular storage devices, including hard drives, to be used for limited forms of memory usage, including swap space. With Linux 5.1, administrators will now be able to more fully use storage, and specifically a class of storage now often referred to as “persistent memory,” as regular system memory.

“This is intended for use with NVDIMMs that are physically persistent (physically like flash) so that they can be used as a cost-effective RAM replacement,” Linux developer Dave Hansen wrote in his kernel commit message. “Intel Optane DC persistent memory is one implementation of this kind of NVDIMM.”

Live Patching Improvements

Linux has integrated live patching capabilities since the Linux 4.0 release in April 2015. Live patching enables a running system to be patched without the need for a full system reboot. With Linux 5.1, a new capability called Atomic Replace is being added to live patching.

“It (Atomic Replace) allows creation of so called “Cumulative Patches”,” the Linux kernel documentation on the new feature states. “They include all wanted changes from all older livepatches and completely replace them in one transition.”

Docker Responds to Data Breach and Outlines the Container Future
https://www.eweek.com/security/docker-responds-to-data-breach-and-outlines-the-container-future/
Thu, 02 May 2019 01:58:05 +0000

SAN FRANCISCO – The elephant, or rather the whale, in the room at DockerCon this week was the data breach of the Docker Hub, first disclosed on April 26.

During a keynote address and in a private press session at DockerCon on May 1, Docker executives provided a formal response to the data breach, which impacted 190,000 accounts. The data breach response wasn’t the only thing announced by Docker Inc on day two of DockerCon, as the company behind the eponymous container technology also announced new technology efforts including service mesh integration.

“There are bad actors in the world and we had a security incident and we have resolved that issue,” Docker CEO Steven Singh said during the media session.

Docker Inc. is the lead commercial sponsor behind the open-source Docker container technology that enables developers to build, package and deploy applications as containers. The Docker Hub is a popular repository for Docker users to find freely available Docker application images to run.

During his keynote, Docker CTO Kal De gave the assembled Docker community at DockerCon his commitment to security and to reinforcing a security-by-design approach for Docker technologies.

“I will simply share with you that we will continue to do the best we possibly can,” De said. “We must as a company, and we will, take security very, very seriously and stay laser focussed on it.”

Breach Details

Docker is currently providing public updates on the data breach incident via a dedicated support page. There are still some things that aren’t publicly known, such as how long the attackers may have been in the system and the root cause of the breach.

In a response to a question from eWEEK, Singh noted that Docker has engaged in a rigorous forensics and incident response activity to fully understand the Docker Hub data breach.

“One of the things we have at Docker is a standard incident response function, so that includes bringing in external resources to really do a deep forensic analysis,” Singh said. “It’s a standard professional model for response.”

Overall Singh sees the breach as an opportunity for his company to improve its processes and help both itself and customers stay secure.

Service Mesh Support

Beyond addressing the data breach, Docker announced new capabilities that will be available in tech preview as part of the company’s Docker Enterprise 3.0 release. Among the new features that were announced on the DockerCon keynote stage was support for the open-source Istio service mesh.

Istio is an emerging technology that has already garnered the backing of big-name IT vendors including IBM, AWS, Cisco and Google, among others. The Istio service mesh enables a more efficient type of container-to-container, or microservice-to-service, communications and networking model by offloading the connectivity to a sidecar proxy.

ContainerD Support

At the core of Docker’s engine is the open-source ContainerD container runtime project, which is an effort that is hosted by the Cloud Native Computing Foundation (CNCF). To date, Docker had only provided support for Containerd as an integrated part of the Docker Enterprise Platform.

Moving forward, Docker announced that it will also provide commercial support for just the containerd component, for those organizations that only want or need support for that piece and don’t require the full Docker Enterprise platform. With Docker Enterprise as the flagship platform and containerd support as the granular level of support, there is the potential for Docker to introduce a mid-tier offering, specifically aimed at small and medium-sized businesses (SMBs). Singh said that it is likely that Docker will introduce something in the future that might be a focussed offering for SMBs.

“I couldn’t be happier, this company is not just hitting its stride, we’re really solving problems with a deep commitment to our customers and that’s the only way to build a great business,” Singh said.

Docker Enterprise 3.0 Advances Container Development
https://www.eweek.com/enterprise-apps/docker-enterprise-3-0-advances-container-development/
Tue, 30 Apr 2019 21:12:00 +0000

SAN FRANCISCO – Docker CEO Steve Singh kicked off his company’s DockerCon 19 event with the assertion that container technology is the engine for innovation in the modern digital economy.

DockerCon runs from April 29 – May 2 with approximately 5,000 attendees gathered to learn and discuss the container technology that Docker created. DockerCon also served as the venue for the company’s new Docker Enterprise 3.0 release announcement, bringing together new desktop, application, Kubernetes and cloud innovation to market, in an effort to help fuel the next stage of the digital economy.

“In a world of cognitive computing, containers are that basic unit or the standard upon which all transformation will occur,” Singh said. “In fact, by next year, more than 50% of global organizations are going to be running containers in production.”

“Container platforms are now the mainstream for how you build applications, how you share them, and frankly how you manage them,” Singh added.

Docker Enterprise 3.0

Docker Enterprise is Docker’s flagship commercial offering providing a complete container developer, deployment and lifecycle management platform.

Docker Enterprise 3.0 is the first major version change since the 2.0 release in April 2018, which was the first to integrate the Kubernetes container orchestration system. Prior to Docker Enterprise 2.0, Docker only supported its own Swarm orchestration system. Docker’s last milestone release of Enterprise Edition was version 2.1, which was announced in November 2018.

With Docker Enterprise 3.0, Docker is delivering on several technologies that it first announced during its DockerCon EU 2018 event in December 2018. Among them is the Docker Enterprise Desktop, which is now generally available and integrated into the Docker Enterprise 3.0 platform.

“What we often find in enterprises is a small cadre of Docker experts, but then there are also hundreds, if not thousands, of developers who want to use Docker, who are not yet experts,” Scott Johnston, EVP & GM, Enterprise, Docker, told eWEEK. “So Docker desktop enterprise, is the way that we’re going to onboard them and make them productive with Docker quickly, without them having to become experts first.”

CNAB

Another effort first announced at DockerCon EU that is now coming to productized fruition is the Cloud Native Application Bundle (CNAB), a joint effort with Microsoft. Now at DockerCon 2019, CNAB is making its way into Docker Enterprise 3.0 as a product offering known as Docker Applications.

“Docker Applications is a way to package a container of containers, including packages and the application descriptors,” Johnston explained.

The goal with CNAB and Docker Applications is to simplify how developers and operations can build, share and run multi-container applications. Johnston said that CNAB as a specification is still being enhanced by Docker, Microsoft and their partners, with a direction to turn CNAB over to some form of open governance body in the future.

For existing Docker users, Johnston said that embracing Docker Applications will be an easy step, since it uses existing constructs that developers have already been using, including the Docker Compose tool.

“If the customer is using Docker Compose today, the Docker apps tooling just automatically ingests that into the Docker app format,” Johnston explained. “So that’s the beauty of the Docker app is it lets you consume any sort of app descriptor format and make it productive in the DevOps pipeline.”

Docker Kubernetes Service and Docker Swarm

The Docker Enterprise 3.0 update also integrates an enhanced Kubernetes container orchestration integration that is now being dubbed as the Docker Kubernetes Service (DKS).

With DKS, Johnston said the goal is to align the version of Kubernetes that a developer is using on the desktop for development with the target Kubernetes cloud deployment, to reduce any potential version conflict friction.

While Docker is advancing its Kubernetes effort, it is still working on its own Docker Swarm container orchestration system, which has been enhanced in the 3.0 update. Johnston said that among the new Swarm capabilities are improved Microsoft Windows authentication and automation capabilities.

Docker Enterprise as a Service

To date, Docker has offered its commercial products on a subscription model, with organizations running the platform on their own. There has also been a consumption service model, with Docker Enterprise available on Amazon Web Services (AWS). At DockerCon, Docker is expanding with the announcement of Docker Enterprise as a Service, which provides a managed service for Docker Enterprise. The service manages deployment and operations for users.

“Our goal is to simplify the complexity of technology, whether it’s the complexity of creating containers or managing a current set of Kubernetes clusters, across multiple clouds,” Singh said.

Shuttleworth Tells OpenStack to Keep Its Focus on the Cloud
https://www.eweek.com/cloud/shuttleworth-tells-openstack-to-keep-its-focus-on-the-cloud/
Tue, 30 Apr 2019 17:48:00 +0000

Few if any figures in the OpenStack community are as well-known, or as outspoken, as Canonical CEO and Ubuntu Linux founder Mark Shuttleworth.

At the Open Infrastructure Summit in Denver on April 29, Shuttleworth delivered a keynote where he took issue with the direction the OpenStack Foundation is headed, by extending its focus beyond the core OpenStack cloud platform. Shuttleworth also said that for his part he was “doubling-down” on OpenStack as a cloud platform, on which his company is seeing solid success. That said, Shuttleworth is also a realist and he sees organizations using all manner of infrastructure technologies, which is why he announced the new Ubuntu Advantage program for Infrastructure, providing a supported service to help organizations with open infrastructure.

“We’re no longer the rebel outsiders; we are in a sense becoming the Empire, and it’s really important for us to think about how we want to lead,” Shuttleworth said. “I know for a fact that nobody asked to replace dueling vendors with dueling foundations.”

Although Shuttleworth did not specifically call out the “dueling foundations,” his remark is a not-so-subtle reference to tensions between the OpenStack Foundation and the Cloud Native Computing Foundation (CNCF), which is home to the Kubernetes container orchestration platform, among other efforts.

The OpenStack Foundation has embarked on an effort to add new projects that enable open infrastructure, including the Kata Containers, Zuul continuous integration/continuous deployment, StarlingX edge and Airship lifecycle management projects.

Ubuntu OpenStack Momentum

While Shuttleworth wasn’t shy about criticizing the OpenStack Foundation, he emphasized that OpenStack is an important part of his company’s business. He said that today more than half of the 20 largest financial institutions in the world are building open infrastructure on Ubuntu.

“This week alone, Canonical’s delivering 27 brand-new OpenStack clouds to companies around the world,” he said. “OpenStack is clearly critical and clearly part of the solution, but many use cases don’t require all of that complexity.”

Shuttleworth emphasized that the best solutions come from multiple areas, including other open-source projects and even proprietary solutions from organizations such as VMware and Microsoft.

“It is really important for us to find and celebrate the best ideas,” Shuttleworth said. “What’s the difference between a vendor that only promotes the ideas that are in its own interests and a foundation that does the same?”

Ubuntu Infrastructure Advantage

One of the cornerstones of Canonical’s commercial efforts is the Advantage program, which provides support for enterprises for different components. Previously, Canonical had provided separate support programs for Kubernetes and OpenStack, but now it is merging efforts with a unified support offering called Ubuntu Infrastructure Advantage.

“We’ve always supported multiple different kinds of open-source infrastructure,” Shuttleworth said. “Starting today we will consolidate and unify the contracts and the commitments that we make to open infrastructure for multiple different projects.”

The overall goal of Ubuntu Infrastructure Advantage is to remove friction for organizations trying to deploy infrastructure and enable them to make decisions based on outcomes, not specific technologies. While OpenStack is the right solution for many things, it isn’t the right solution for everything in Shuttleworth’s view.

Fundamentally, Shuttleworth really just wants the OpenStack Foundation to focus on OpenStack.

“I’m here for this project, for OpenStack. I believe it’s the best game in town for complex multi-tenant and virtualization infrastructure,” he said. “For it to stay that way, we have to retain our focus. Yes, we’re a mature project, but that’s no excuse to have a midlife crisis. We don’t need to flail around and go find something new and shiny to drive.”

OpenStack Looks to Help Define the Future of Open Infrastructure
https://www.eweek.com/cloud/openstack-looks-to-help-define-the-future-of-open-infrastructure/
Mon, 29 Apr 2019 19:00:00 +0000

The OpenStack Foundation is continuing to grow its open-source efforts, including confirming new top-level projects and expanding its Ironic bare metal program, as part of the kickoff for the Open Infrastructure Summit.

The Kata Containers secure container effort and the Zuul Continuous Integration/Continuous Deployment (CI/CD) projects have now been confirmed as top-level projects at the OpenStack Foundation, joining the group’s namesake OpenStack cloud. While not yet a top-level project, the Airship lifecycle management project is also celebrating a major milestone with its 1.0 release.

Additionally, the OpenStack Foundation is promoting its Ironic bare metal program as a way for organizations to deploy cloud resources on physical hardware.

The Open Infrastructure Summit runs April 29-May 1 in Denver and is the first OpenStack event to officially carry that name, as an evolution of the former OpenStack Summit.

“In a modern cloud, you have more than OpenStack almost every time,” Mark Collier, chief operating officer of the OpenStack Foundation, told eWEEK. “If the point is to run your infrastructure as open-source, and we want to have an event about it, then the event really should probably have a name that is a little bit broader. So that’s why we renamed it.”

At the final OpenStack Summit event, which was held in Berlin, Germany, in November 2018, the open-source organization discussed its intentions to rename its flagship event as part of a broader focus on open infrastructure and not just the core OpenStack cloud platform. 

The core OpenStack platform was created in 2011 as a joint effort between Rackspace and NASA and has steadily grown in the years since. The Open Infrastructure Summit follows the OpenStack Stein release that became generally available on April 10.

OpenStack Ironic

OpenStack as a cloud platform comprises multiple projects that help to enable a complete open-source cloud deployment. 

When OpenStack first started, deployment and management of virtualized compute resources, via the Nova project, was the primary use case. In the intervening years, a strong use case has emerged for organizations that want and need to directly manage and deploy cloud resources onto bare metal hardware, which is where the OpenStack Ironic project fits in. Ironic debuted alongside the OpenStack Kilo platform release in April 2015.

Now in 2019, the OpenStack Foundation is promoting Ironic as part of an effort to boost adoption. During the Open Infrastructure Summit, there will be multiple demonstrations of bare metal deployments.

Project Confirmations

Ironic is just one of many projects that fit under the OpenStack platform’s umbrella. As part of the effort to broaden its focus, the OpenStack Foundation also has top-level projects that are positioned on the same tier as OpenStack itself.

Among the projects that are part of the OpenStack Foundation, beyond just the OpenStack platform itself, are Airship lifecycle management, Kata Containers, StarlingX edge computing and Zuul CI/CD. At the Open Infrastructure Summit, the Foundation is announcing that Kata Containers and Zuul have now both been officially identified as “confirmed” projects.

Collier explained that projects join the OpenStack Foundation as pilot projects and then are considered for Confirmation status after they have demonstrated an open governance model and have delivered at least one stable release.

Airship 1.0

One of the projects that has not yet been confirmed is Airship, which is announcing its 1.0 release at the Open Infrastructure Summit. Airship is an effort that was originally developed by AT&T, which is using the open-source technology to help with its 5G wireless deployment effort.

Collier added that Airship is also useful for those organizations that are using the combination of OpenStack and Kubernetes for cloud-native application deployments.

“The Airship 1.0 release has 17 companies contributing, and it’s already much broader than just an AT&T thing,” Collier said. “Airship is really about enabling in a very repeatable way, a secure way to automate infrastructure and continuously upgrade what’s running all the way out to the edge in a way that doesn’t require human intervention.”

OpenStack Train

While the Open Infrastructure Summit is about the broader world of cloud development, the core OpenStack platform itself will still be a topic of discussion. The next major release of the core OpenStack cloud platform is code-named Train and is set for general availability in October.

At this early stage in the development of OpenStack Train, Collier identified a few key trends that he expects to see.

“I think that we’re going to continue to see the focus on automated operations and further efforts for container integration,” he said. “We’ll also be working hard to make sure that the way OpenStack Train is developed doesn’t break other projects, and vice versa.”

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Docker Hub Breach & Impact https://www.eweek.com/security/docker-hub-breached-impacting-190-000-accounts/ https://www.eweek.com/security/docker-hub-breached-impacting-190-000-accounts/#respond Mon, 29 Apr 2019 15:06:00 +0000 https://www.eweek.com/uncategorized/docker-hub-breach-impact/ Docker is warning of a data breach that impacts some 190,000 users of its Docker Hub repository for container images. The breach was first reported by Docker late on April 26 in an email sent to Docker Hub users, revealing a data breach that was detected the day before, on April 25. Docker Inc. is the […]

The post Docker Hub Breach & Impact appeared first on eWEEK.

Docker is warning of a data breach that impacts some 190,000 users of its Docker Hub repository for container images.

The breach was first reported by Docker late on April 26 in an email sent to Docker Hub users, revealing a data breach that was detected the day before, on April 25. Docker Inc. is the lead commercial sponsor behind the open-source Docker container technology that enables developers to build, package and deploy applications as containers. The Docker Hub is a popular repository for Docker users to find freely available Docker application images to run.

“During a brief period of unauthorized access to a Docker Hub database, sensitive data from approximately 190,000 accounts may have been exposed (less than 5% of Hub users),” Kent Lamb, director of Docker Support, wrote in an email sent to Docker Hub users. “Data includes usernames and hashed passwords for a small percentage of these users, as well as GitHub and Bitbucket tokens for Docker autobuilds.”

Docker Hub was launched in June 2014 by Docker Inc. alongside the company’s Docker 1.0 release. The new data breach disclosure comes at a particularly inopportune time for Docker, as its DockerCon conference begins on April 30 in San Francisco.

Breach Impact 

According to Docker, the data breach involved unauthorized access to a single Docker Hub database that was only storing a subset of nonfinancial user data. At this time, it is not clear how the breach happened or how long attackers may have had unauthorized access.

Docker Hub contains many different types of application images and is used by a wide variety of users. Docker emphasized in an FAQ about the incident that no official application images were compromised. Official images are those developed by Docker and its partners that benefit from additional authenticity and scrutiny.

“We have additional security measures in place for our Official Images including GPG signatures on git commits as well as Notary signing to ensure the integrity of each image,” Docker stated.

Notary is a code signing technology that makes use of the open-source project The Update Framework (TUF), which provides multiple layers of verification and checking to help maintain the security and authenticity of application images and their updates.

The breach is more relevant for developers than for regular users of Docker Hub.

“For all Docker Hub users, there is no action required to preserve your security,” Docker stated. “A password reset link has been sent to any users who potentially had their password hash exposed.”

Docker is widely used as part of a DevOps tool chain in which code developed on GitHub and Bitbucket is automatically built at periodic intervals, with container images automatically deployed to Docker Hub as part of the build process.

“Users who have autobuilds who have had their GitHub or Bitbucket repositories unlinked will need to relink those repositories,” Docker stated.

Analysis

“There could be quite a broad impact from this attack—but it’s too early to know at this point,” John Morello, CTO at Twistlock, wrote in a blog post. “Access to a Hub account means read/write access to repos that anyone on the internet can easily reuse with a simple docker pull myrepo/myimage.”

Morello added that any Docker Hub user who has connected their account to GitHub should review access to identify any potential anomalies.

Overall, Docker recommends that impacted users:

  • Change their Docker Hub account passwords.
  • Review GitHub activity.
  • Unlink and then relink GitHub access.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Cyber-security Is Improving, Though Risk Continues to Grow https://www.eweek.com/security/cyber-security-is-improving-though-risk-continues-to-grow/ https://www.eweek.com/security/cyber-security-is-improving-though-risk-continues-to-grow/#respond Fri, 26 Apr 2019 20:17:00 +0000 https://www.eweek.com/uncategorized/cyber-security-is-improving-though-risk-continues-to-grow/ There is never a shortage of bad news when it comes to cyber-security, thanks to a seemingly endless stream of vulnerabilities and exploits. The 2019 Trustwave Global Security Report, released on April 25, has its fair share of bad news as it has found that multiple types of attacks have grown and attackers have continued […]

The post Cyber-security Is Improving, Though Risk Continues to Grow appeared first on eWEEK.

There is never a shortage of bad news when it comes to cyber-security, thanks to a seemingly endless stream of vulnerabilities and exploits.

The 2019 Trustwave Global Security Report, released on April 25, has its fair share of bad news as it has found that multiple types of attacks have grown and attackers have continued to increase levels of sophistication. However, the 76-page report also provides insight into some positive trends—how organizations are actually doing the right things to improve cyber-security. For example, Trustwave found that threat response time has improved, with the time from intrusion to detection falling from 67 days in 2017 to 27 days in 2018.

In this eWEEK Data Points article, we look at some of the key highlights of the 2019 Trustwave Global Security Report.

Data Point No. 1: Cryptojacking is not dead.

Unauthorized cryptocurrency mining, commonly referred to as cryptojacking, grew exponentially in 2018. In 2017, Trustwave reported that only 0.2 percent of malware was coin-mining related, but that number grew to 3.0 percent in 2018.

“The most surprising story for me was the massive increase of coin-mining malware in 2018 compared to 2017,” Karl Sigler, threat intelligence manager at Trustwave SpiderLabs, told eWEEK. “While the rising trend of cryptojacking web scripts was expected, after the crash of the Bitcoin market toward the end of 2018, I was surprised to see that attackers were still interested in placing coin-mining malware on compromised systems.”

Data Point No. 2: All web applications are vulnerable.

Among the most startling findings in the report is that 100% of web applications tested by Trustwave had at least one vulnerability.

  • The median number of vulnerabilities in web applications tested by Trustwave grew to 15, up from 11 in 2017. 
  • 80% of the vulnerabilities discovered by Trustwave penetration testers were classified as low risk, with the remaining 20% rated medium to critical. 

Data Point No. 3: Social engineering is the top method of compromise.

While vulnerabilities are a risk, the top method by which attackers got into organizations in 2018 was tricking users, an attack commonly referred to as social engineering.

  • For point-of-sale and cloud environments, 60% of breach investigations conducted by Trustwave could be attributed to social engineering as the initial point of entry. 
  • In corporate environments, social engineering was the root cause of 46% of breaches.

Data Point No. 4: Cyber-criminals look for payment card data.

  • 36% of breaches observed by Trustwave involved payment card data.
  • Online payment card data, also known as card not present, is increasingly being targeted, at 25% in 2018, up from 7% in 2017.
  • In contrast, magnetic stripe data from payment cards represented 11% of breaches.

Data Point No. 5: Hiding malware is becoming more common.

  • An increasing amount of malware is using data obfuscation techniques to stay hidden from defenders.
  • 67% of malware analyzed by Trustwave in 2018 used some form of obfuscation, up from only 30% in 2017.

Data Point No. 6: Defenders are getting better.

  • Median time duration from threat intrusion to containment was 27 days in 2018, down from 67 days in 2017. 
  • Median time between intrusion and detection for externally detected compromises fell to 55 days, down from 83 days in 2017.

“I think organizations are developing a more mature security posture both through implementing basic best practices and educating their users,” Sigler said. “In 2018, this definitely forced attackers to forgo many of the typical wide net/lowest hanging fruit type attacks and launch smaller, more targeted attacks. I expect this to continue through this year as well.”

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Beapy Cryptojacking Campaign Uses EternalBlue to Exploit Enterprises https://www.eweek.com/security/beapy-cryptojacking-campaign-uses-eternalblue-to-exploit-enterprises/ https://www.eweek.com/security/beapy-cryptojacking-campaign-uses-eternalblue-to-exploit-enterprises/#respond Thu, 25 Apr 2019 19:07:00 +0000 https://www.eweek.com/uncategorized/beapy-cryptojacking-campaign-uses-eternalblue-to-exploit-enterprises/ Symantec reported on April 25 that an unknown group of attackers is making use of the same EternalBlue vulnerability that enabled the WannaCry ransomware attack to conduct cryptojacking attacks on enterprises. The attack has been dubbed “Beapy” by Symantec and apparently has been ongoing since January 2019. According to Symantec’s report, Beapy is a cryptojacking […]

The post Beapy Cryptojacking Campaign Uses EternalBlue to Exploit Enterprises appeared first on eWEEK.

Symantec reported on April 25 that an unknown group of attackers is making use of the same EternalBlue vulnerability that enabled the WannaCry ransomware attack to conduct cryptojacking attacks on enterprises.

The attack has been dubbed “Beapy” by Symantec and apparently has been ongoing since January 2019. According to Symantec’s report, Beapy is a cryptojacking worm that initially infects systems via a phishing attack. If the attacked system has not been patched for the EternalBlue vulnerability, Beapy is then able to spread across an enterprise’s network, infecting other systems and using them to mine cryptocurrency.

“Multiple nefarious groups have leveraged EternalBlue since it was leaked in April 2017 and have incorporated them into a myriad of threats,” Alan Neville, threat intelligence analyst for Symantec, told eWEEK.

The EternalBlue vulnerability is a flaw in Windows that was patched by Microsoft with its MS17-010 advisory in March 2017. A month later in April 2017, working code for an EternalBlue exploit was publicly revealed by a group known as the Shadow Brokers. EternalBlue is also the flaw that enabled the WannaCry ransomware attack in May 2017 to spread rapidly.

Although the EternalBlue flaw was patched by Microsoft in 2017, there are still plenty of systems that apparently have not deployed the patch. The Beapy attack makes use of EternalBlue to get a foothold in a network, but rather than deploy ransomware like WannaCry, Beapy deploys a cryptocurrency mining tool. The activity of conducting unauthorized cryptocurrency mining on a system is commonly known as cryptojacking.

Cryptojacking in 2019

The Beapy campaign comes at a time when cryptojacking is in a state of decline.

The value of cryptocurrencies has fallen precipitously in recent months and along with that has followed an overall decline in cryptojacking. Symantec reported in its Internet Security Threat Report (ISTR) released on Feb. 19 that there was a 52% drop in the overall number of cryptojacking events between January and December 2018 as the value of the Monero cryptocurrency declined by 90%.

Beapy makes use of a file-based miner, which is an executable program that conducts the mining directly on the system.

“The use of file-based coinminers allows the cyber-criminals to mine cryptocurrency faster, and thus make money faster, which is appealing now that cryptocurrency values are significantly lower than where they were at their peak,” Neville said. “While we have not expanded the investigation to determine the potential amount attackers have made through Beapy alone, a 30-day file-based mining generates an average profit per machine of 25 cents.”

Neville added that with a botnet comprising 100,000 machines, a file-based mining operation could generate up to $750,000 in profit. 

How Beapy Works

Beapy is mining the Monero cryptocurrency and, according to Symantec, it is making use of the open-source XMRig mining code. The Beapy attack is also not entirely random, with 98% of Beapy’s victims identified by Symantec as being enterprises, rather than individual consumers.

Cryptocurrency mining is a very CPU-intensive process and often benefits from the use of GPU acceleration, though that’s not something Beapy is specifically targeting. Neville commented that nothing specific was identified during analysis related to code that directs Beapy to look for systems with GPUs in order to mine cryptocurrency faster.

For Beapy to work effectively, the target system needs to be unpatched for EternalBlue, though Neville noted that it might still be able to propagate across a network where systems have in fact been patched.

“If the system has been patched, EternalBlue won’t be an effective means to gain access to a system on the network,” he said. “However, Beapy also makes use of embedded credential modules such as Mimikatz in order to dump network credentials and use these to spread across networks.”

Defending Against Beapy

For organizations, there are a few basic hygiene steps that Neville recommends to help defend against Beapy and other similar risks:

  • Deploy the appropriate patches from Microsoft to stop EternalBlue.
  • Ensure that all employees have appropriate training to recognize and report phishing attacks that are used to deliver malicious files such as Beapy. 

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
