Maq Verma, Author at Admiration Tech News

Ashok – A OSINT Recon Tool, A.K.A Swiss Army Knife

Posted on July 31, 2024 - July 31, 2024 by Maq Verma

Reconnaissance is the first phase of penetration testing which means gathering information before any real attacks are planned So Ashok is an Incredible fast recon tool for penetration tester which is specially designed for Reconnaissance” title=”Reconnaissance”>Reconnaissance phase. And in Ashok-v1.1 you can find the advanced google dorker and wayback crawling machine.

Main Features

- Wayback Crawler Machine
- Google Dorking without limits
- Github Information Grabbing
- Subdomain Identifier 
- Cms/Technology Detector With Custom Headers

Installation

~> git clone https://github.com/ankitdobhal/Ashok
~> cd Ashok
~> python3.7 -m pip3 install -r requirements.txt

How to use Ashok?

A detailed usage guide is available on Usage section of the Wiki.

But Some index of options is given below:

Docker

Ashok can be launched using a lightweight Python3.8-Alpine Docker image.

$ docker pull powerexploit/ashok-v1.2
$ docker container run -it powerexploit/ashok-v1.2  --help

Credits

hackertarget

Download Ashok

CrowdStrike Warns of New Phishing Scam Targeting German Customers

Posted on July 31, 2024 - July 31, 2024 by Maq Verma

CrowdStrike is alerting about an unfamiliar threat actor attempting to capitalize on the Falcon Sensor update fiasco to distribute dubious installers targeting German customers as part of a highly targeted campaign.

The cybersecurity company said it identified what it described as an unattributed spear-phishing attempt on July 24, 2024, distributing an inauthentic CrowdStrike Crash Reporter installer via a website impersonating an unnamed German entity.

The imposter website is said to have been created on July 20, a day after the botched update crashed nearly 9 million Windows devices, causing extensive IT disruptions across the world.

“After the user clicks the Download button, the website leverages JavaScript (JS) that masquerades as JQuery v3.7.1 to download and deobfuscate the installer,” CrowdStrike’s Counter Adversary Operations team said.

“The installer contains CrowdStrike branding, German localization, and a password [is] required to continue installing the malware.”

Specifically, the spear-phishing page featured a download link to a ZIP archive file containing a malicious InnoSetup installer, with the malicious code serving the executable injected into a JavaScript file named “jquery-3.7.1.min.js” in an apparent effort to evade detection.

Users who end up launching the bogus installer are then prompted to enter a “Backend-Server” to proceed further. CrowdStrike said it was unable to recover the final payload deployed via the installer.

The campaign is assessed to be highly targeted owing to the fact that the installer is password-protected and requires input that’s likely only known to the targeted entities. Furthermore, the presence of the German language suggests that the activity is geared towards German-speaking CrowdStrike customers.

“The threat actor appears to be highly aware of operations security (OPSEC) practices, as they have focused on anti-forensic techniques during this campaign,” CrowdStrike said.

“For example, the actor registered a subdomain under the it[.]com domain, preventing historical analysis of the domain-registration details. Additionally, encrypting the installer contents and preventing further activity from occurring without a password precludes further analysis and attribution.”

The development comes amid a wave of phishing attacks taking advantage of the CrowdStrike update issue to propagate stealer and wiper malware malware –

A phishing domain crowdstrike-office365[.]com that hosts rogue archive files containing a Microsoft Installer (MSI) loader that ultimately executes a commodity information stealer called Lumma.

A ZIP file (“CrowdStrike Falcon.zip”) that contains a Python-based information stealer tracked as Connecio that collects system information, external IP address, and data from various web browsers, and exfiltrates them to SMTP accounts listed on a Pastebin dead-drop URL.
An email phishing campaign orchestrated by the Handala Hacking Team targeting Israeli entities that tricks recipients into downloading an “outage fix,” which launches an installer responsible for unpacking and executing an AutoIt script to launch a data wiper and exfiltrate system information via Telegram’s API.

Web infrastructure and security company Akamai said it uncovered no less than 180 newly created counterfeit typosquat domains purporting to assist with navigating the incident, whether it be technical support, quick fixes, or legal support, in an attempt to introduce malware or steal sensitive information.

On Thursday, CrowdStrike’s CEO George Kurtz said 97% of the Windows devices that went offline during the global IT outage are now operational.

“At CrowdStrike, our mission is to earn your trust by safeguarding your operations. I am deeply sorry for the disruption this outage has caused and personally apologize to everyone impacted,” Kurtz said. “While I can’t promise perfection, I can promise a response that is focused, effective, and with a sense of urgency.”

Previously, the company’s chief security officer Shawn Henry apologized for failing to “protect good people from bad things,” and that it “let down the very people we committed to protect.”

“The confidence we built in drips over the years was lost in buckets within hours, and it was a gut punch,” Henry acknowledged. “We are committed to re-earning your trust by delivering the protection you need to disrupt the adversaries targeting you. Despite this setback, the mission endures.”

Meanwhile, Bitsight’s analysis of traffic patterns exhibited by CrowdStrike machines across organizations globally has revealed two “interesting” data points that it said warrants additional investigation.

“Firstly, on July 16 at around 22:00 there was a huge traffic spike, followed by a clear and significant drop off in egress traffic from organizations to CrowdStrike,” security researcher Pedro Umbelino said. “Second, there was a significant drop, between 15% and 20%, in the number of unique IPs and organizations connected to CrowdStrike Falcon servers, after the dawn of the 19th.”

“While we can not infer what the root cause of the change in traffic patterns on the 16th can be attributed to, it does warrant the foundational question of ‘Is there any correlation between the observations on the 16th and the outage on the 19th?'”

Update#

While the full impact of the IT outage remains to be tallied, cloud insurance services firm Parametrix Solutions estimates that the event impacted nearly a quarter of the Fortune 500 companies, resulting in a direct financial loss of $5.4 billion (excluding Microsoft), including $1.94 billion in losses for healthcare, $1.15 billion for banking, and $0.86 billion for the airlines sector.

John Cable, Microsoft’s vice president of program management for Windows servicing and delivery, said the incident “underscores the need for mission-critical resiliency within every organization.”

“These improvements must go hand in hand with ongoing improvements in security and be in close cooperation with our many partners, who also care deeply about the security of the Windows ecosystem,” Cable said, urging enterprises to have a major incident response plan (MIRP) in place, periodically take data backups, utilize deployment rings, and enable Windows security baselines.

With endpoint detection and response (EDR) software requiring kernel-level access to detect threats in Windows, the disruptive event appears to have also had the desired effect of Microsoft rethinking the entire approach.

Redmond said alternative features like virtualization-based security (VBS) enclaves, which it introduced back in May, could be used by third-party developers to create an “isolated compute environment that does not require kernel mode drivers to be tamper resistant.” Azure Attestation, another security solution, enables remote verification of the “trustworthiness of a platform and integrity of the binaries running inside it.”

Microsoft further described the issue as arising due to a “read-out-of-bounds memory safety error in the CrowdStrike developed CSagent.sys driver,” and that such kernel drivers are leveraged for tamper resistance and performance improvements, not to mention for gaining system wide visibility into security related events.

“Windows provides several user mode protection approaches for anti-tampering, like Virtualization-based security (VBS) Enclaves and Protected Processes that vendors can use to protect their key security processes,” David Weston, vice President of enterprise and OS security at Microsoft said.

“Windows also provides ETW events and user-mode interfaces like Antimalware Scan Interface for event visibility. These robust mechanisms can be used to reduce the amount of kernel code needed to create a security solution, which balances security and robustness.”

(The story was updated after publication to include Microsoft’s analysis of Windows crash reports stemming from the CrowdStrike programming error.)

Exit Scam: BlackCat Ransomware Group Vanishes After $22 Million Payout

Posted on July 31, 2024 - July 31, 2024 by Maq Verma

The threat actors behind the BlackCat ransomware have shut down their darknet website and likely pulled an exit scam after uploading a bogus law enforcement seizure banner.

“ALPHV/BlackCat did not get seized. They are exit scamming their affiliates,” security researcher Fabian Wosar said. “It is blatantly obvious when you check the source code of the new takedown notice.”

“There is absolutely zero reason why law enforcement would just put a saved version of the takedown notice up during a seizure instead of the original takedown notice.”

The U.K.’s National Crime Agency (NCA) told Reuters that it had no connection to any disruptions to the BlackCat infrastructure.

Recorded Future security researcher Dmitry Smilyanets posted screenshots on the social media platform X in which the BlackCat actors claimed that the “feds screwed us over” and that they intended to sell the ransomware’s source code for $5 million.

The disappearing act comes after it allegedly received a $22 million ransom payment from UnitedHealth’s Change Healthcare unit (Optum) and refused to share the proceeds with an affiliate that had carried out the attack.

The company has not commented on the alleged ransom payment, instead stating it’s only focused on investigation and recovery aspects of the incident.

According to DataBreaches, the disgruntled affiliate – who had their account suspended by the administrative staff – made the allegations on the RAMP cybercrime forum. “They emptied the wallet and took all the money,” they said.

This has raised speculations that BlackCat has staged an exit scam to evade scrutiny and resurface in the future under a new brand. “A re-branding is pending,” a now-former admin of the ransomware group was quoted as saying.

Menlo Security, citing HUMINT sources with direct contact to the affiliate, described them as likely associated with Chinese nation-state groups. The affiliate, who goes by the name Notchy, is said to have engaged on ransomware-related topics in the RAMP forum as early as 2021.

BlackCat had its infrastructure seized by law enforcement in December 2023, but the e-crime gang managed to wrest control of their servers and restart its operations without any major consequences. The group previously operated under the monikers DarkSide and BlackMatter.

“Internally, BlackCat may be worried about moles within their group, and closing up shop preemptively could stop a takedown before it occurs,” Malachi Walker, a security advisor with DomainTools, said.

“On the other hand, this exit scam might simply be an opportunity for BlackCat to take the cash and run. Since crypto is once again at an all-time high, the gang can get away with selling their product ‘high.’ In the cybercrime world, reputation is everything, and BlackCat seems to be burning bridges with its affiliates with these actions.”

The group’s apparent demise and the abandonment of its infrastructure come as malware research group VX-Underground reported that the LockBit ransomware operation no longer supports Lockbit Red (aka Lockbit 2.0) and StealBit, a custom tool used by the threat actor for data exfiltration.

LockBit has also tried to save face by moving some of its activities to a new dark web portal after a coordinated law enforcement operation took down its infrastructure last month following a months-long investigation.

It also comes as Trend Micro revealed that the ransomware family known as RA World (formerly RA Group) has successfully infiltrated healthcare, finance, and insurance companies in the U.S., Germany, India, Taiwan, and other countries since emerging in April 2023.

Attacks mounted by the group “involve multi-stage components designed to ensure maximum impact and success in the group’s operations,” the cybersecurity firm noted.

Android Reverse Engineering Tools List

Posted on July 30, 2024 - July 30, 2024 by Maq Verma

A list of top most popular Android Reverse Engineering Tools to decode, re-encode and signing apk

1: APK EDITOR STUDIO – Free, Open source & Cross-platform APK editor
Supported OS: Windows, Mac, Linux
Interface: GUI
Info: APK Editor Studio is a powerful yet easy to use APK reverse-engineering tool. Extract, edit or replace APK resources, images and icons; add translations, create your own APK mod or learn its internal structure. Multiple handy tools will help you to easily change application icon, application title, automatically sign APK and install it on your device.

2: jadx – Dex to Java decompiler
Supported OS: Windows, Mac, Linux
Interface: Command line, GUI
Info: Produce Java source code from Android Dex and Apk files

3: Apktool – Decode & Rebuild Apk
Supported OS: Windows, Mac, Linux
Interface: Command line
Info: Decode resources to nearly original form and rebuild them after making some modifications. It also makes working with an app easier because of the project like file structure and automation of some repetitive tasks like building apk, etc.

4: Uber Apk Signer – Signing and zip aligning Apk
Supported OS: Windows, Mac, Linux
Interface: Command line
Info: A tool that helps signing, zip aligning and verifying multiple Android application packages (APKs) with either debug or provided release certificates (or multiple). It supports v1, v2 and v3 Android signing scheme. Easy and convenient debug signing with embedded debug keystore. Automatically verifies signature and zipalign after every signing.

5: dex2jar – Tools to work with android .dex and java .class files
Supported OS: Windows, Mac, Linux
Interface: Command line
Info: Read/write the Dalvik Executable (.dex) file, Convert .dex file to .class files, disassemble dex to smali files and assemble dex from smali files

6: GDA – Android Reversing Tool
Supported OS: Windows
Interface: GUI
Info: GDA is a new decompiler written entirely in c++, so it does not rely on the Java platform, which is succinct, portable and fast, and supports APK, DEX, ODEX, oat.

7: JD-GUI – Displays Java sources from CLASS files
Supported OS: Windows, Mac, Linux
Interface: GUI
Info: JD-GUI is a standalone graphical utility that displays Java source codes of ‘.class’ files. You can browse the reconstructed source code with the JD-GUI for instant access to methods and fields.

8: Dexplorer – Explore apk from Android Device
Supported OS: Android
Interface: GUI
Info: Explore the Dex/Apk files of all your installed apps and downloaded apk’s. A simple decompiler is included, but is not able to show method bodies.

Hope this list of android reverse engineering tools will help you to explore more inside of android apk

VMware ESXi Flaw Exploited by Ransomware Groups for Admin Access

Posted on July 30, 2024 - July 30, 2024 by Maq Verma

A recently patched security flaw impacting VMware ESXi hypervisors has been actively exploited by “several” ransomware groups to gain elevated permissions and deploy file-encrypting malware.

The attacks involve the exploitation of CVE-2024-37085 (CVSS score: 6.8), an Active Directory integration authentication bypass that allows an attacker to obtain administrative access to the host.

“A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group (‘ESXi Admins’ by default) after it was deleted from AD,” Broadcom-owned VMware noted in an advisory released in late June 2024.

In other words, escalating privileges on ESXi to the administrator was as simple as creating a new AD group named “ESX Admins” and adding any user to it, or renaming any group in the domain to “ESX Admins” and adding a user to the group or using an existing group member.

Microsoft, in a new analysis published on July 29, said it observed ransomware operators like Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest leveraging the post-compromise technique to deploy Akira and Black Basta.

“VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named ‘ESX Admins’ to have full administrative access by default,” researchers Danielle Kuznets Nohi, Edan Zwick, Meitar Pinto, Charles-Edouard Bettan, and Vaibhav Deshmukh said.

“This group is not a built-in group in Active Directory and does not exist by default. ESXi hypervisors do not validate that such a group exists when the server is joined to a domain and still treats any members of a group with this name with full administrative access, even if the group did not originally exist.”

In one attack staged by Storm-0506 against an unnamed engineering firm in North America, the threat actor weaponized the vulnerability to gain elevated permissions to the ESXi hypervisors after having obtained an initial foothold using a QakBot infection and exploiting another flaw in the Windows Common Log File System (CLFS) Driver (CVE-2023-28252, CVSS score: 7.8) for privilege escalation.

Subsequently, phases entailed the deployment of Cobalt Strike and Pypykatz, a Python version of Mimikatz, to steal domain administrator credentials and move laterally across the network, followed by dropping the SystemBC implant for persistence and abusing the ESXi admin access to deploy Black Basta.

“The actor was also observed attempting to brute force Remote Desktop Protocol (RDP) connections to multiple devices as another method for lateral movement, and then again installing Cobalt Strike and SystemBC,” the researchers said. “The threat actor then tried to tamper with Microsoft Defender Antivirus using various tools to avoid detection.”

The development comes as Google-owned Mandiant revealed that a financially motivated threat cluster called UNC4393 is using initial access obtained via a C/C++ backdoor codenamed ZLoader (aka DELoader, Terdot, or Silent Night) to deliver Black Basta, moving away from QakBot and DarkGate.

“UNC4393 has demonstrated a willingness to cooperate with multiple distribution clusters to complete its actions on objectives,” the threat intelligence firm said. “This most recent surge of Silent Night activity, beginning earlier this year, has been primarily delivered via malvertising. This marked a notable shift away from phishing as UNC4393’s only known means of initial access.”

The attack sequence involves making use of the initial access to drop Cobalt Strike Beacon and a combination of custom and readily-available tools to conduct reconnaissance, not to mention relying on RDP and Server Message Block (SMB) for lateral movement. Persistence is achieved by means of SystemBC.

ZLoader, which resurfaced after a long gap late last year, has been under active development, with new variants of the malware being propagated via a PowerShell backdoor referred to as PowerDash, per recent findings from Walmart’s cyber intelligence team.

Over the past few years, ransomware actors have demonstrated an appetite for latching onto novel techniques to maximize impact and evade detection, increasingly targeting ESXi hypervisors and taking advantage of newly disclosed security flaws in internet-facing servers to breach targets of interest.

Qilin (aka Agenda), for instance, was originally developed in the Go programming language, but has since been redeveloped using Rust, indicating a shift towards constructing malware using memory-safe languages. Recent attacks involving ransomware have been found to leverage known weaknesses in Fortinet and Veeam Backup & Replication software for initial access.

“The Qilin ransomware is capable of self-propagation across a local network,” Group-IB said in a recent analysis, adding it’s also equipped to “carry out self-distribution using VMware vCenter.”

Another notable malware employed in Qilin ransomware attacks is a tool dubbed Killer Ultra that’s designed to disable popular endpoint detection and response (EDR) software running on the infected host as well as clear all Windows event logs to remove all indicators of compromise.

Organizations are recommended to install the latest software updates, practice credential hygiene, enforce two-factor authentication, and take steps to safeguard critical assets using appropriate monitoring procedures and backup and recovery plans.

New SideWinder Cyber Attacks Target Maritime Facilities in Multiple Countries

Posted on July 30, 2024 - July 30, 2024 by Maq Verma

The nation-state threat actor known as SideWinder has been attributed to a new cyber espionage campaign targeting ports and maritime facilities in the Indian Ocean and Mediterranean Sea.

The BlackBerry Research and Intelligence Team, which discovered the activity, said targets of the spear-phishing campaign include countries like Pakistan, Egypt, Sri Lanka, Bangladesh, Myanmar, Nepal, and the Maldives.

SideWinder, which is also known by the names APT-C-17, Baby Elephant, Hardcore Nationalist, Rattlesnake, and Razor Tiger, is assessed to be affiliated with India. It has been operational since 2012, often making use of spear-phishing as a vector to deliver malicious payloads that trigger the attack chains.

“SideWinder makes use of email spear-phishing, document exploitation and DLL side-loading techniques in an attempt to avoid detection and deliver targeted implants,” the Canadian cybersecurity company said in an analysis published last week.

The latest set of attacks employ lures related to sexual harassment, employee termination, and salary cuts in order to negatively impact the recipients’ emotional state and trick them into opening booby-trapped Microsoft Word documents.

Once the decoy file is opened, it leverages a known security flaw (CVE-2017-0199) to establish contact with a malicious domain that masquerades as Pakistan’s Directorate General Ports and Shipping (“reports.dgps-govtpk[.]com”) to retrieve an RTF file.

The RTF document, in turn, downloads a document that exploits CVE-2017-11882, another years-old security vulnerability in the Microsoft Office Equation Editor, with the goal of executing shellcode that’s responsible for launching JavaScript code, but only after ensuring that the compromised system is legitimate and is of interest to the threat actor.

It’s currently not known what’s delivered by means of the JavaScript malware, although the end goal is likely to be intelligence gathering based on prior campaigns mounted by SideWinder.

“The SideWinder threat actor continues to improve its infrastructure for targeting victims in new regions,” BlackBerry said. “The steady evolution of its network infrastructure and delivery payloads suggests that SideWinder will continue its attacks in the foreseeable future.”

‘Stargazer Goblin’ Creates 3,000 Fake GitHub Accounts for Malware Spread

Posted on July 29, 2024 - July 29, 2024 by Maq Verma

A threat actor known as Stargazer Goblin has set up a network of inauthentic GitHub accounts to fuel a Distribution-as-a-Service (DaaS) that propagates a variety of information-stealing malware and netting them $100,000 in illicit profits over the past year.

The network, which comprises over 3,000 accounts on the cloud-based code hosting platform, spans thousands of repositories that are used to share malicious links or malware, per Check Point, which has dubbed it “Stargazers Ghost Network.”

Some of the malware families propagated using this method include Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer, and RedLine, with the bogus accounts also engaged in starring, forking, watching, and subscribing to malicious repositories to give them a veneer of legitimacy.

The network is believed to have been active since August 2022 in some preliminary form, although an advertisement for the DaaS wasn’t spotted in the dark until early July 2023.

“Threat actors now operate a network of ‘Ghost’ accounts that distribute malware via malicious links on their repositories and encrypted archives as releases,” security researcher Antonis Terefos explained in an analysis published last week.

“This network not only distributes malware but also provides various other activities that make these ‘Ghost’ accounts appear as normal users, lending fake legitimacy to their actions and the associated repositories.”

Different categories of GitHub accounts are responsible for distinct aspects of the scheme in an attempt to make their infrastructure more resilient to takedown efforts by GitHub when malicious payloads are flagged on the platform.

These include accounts that serve the phishing repository template, accounts providing the image for the phishing template, and accounts that push malware to the repositories in the form of a password-protected archive masquerading as cracked software and game cheats.

Should the third set of accounts be detected and banned by GitHub, Stargazer Goblin moves to update the first account’s phishing repository with a new link to a new active malicious release, thereby allowing the operators to move forward with minimal disruption.

Besides liking new releases from multiple repositories and committing changes to the README.md files to modify the download links, there is evidence to suggest that some accounts part of the network have been previously compromised, with the credentials likely obtained via stealer malware.

“Most of the time, we observe that Repository and Stargazer accounts remain unaffected by bans and repository takedowns, whereas Commit and Release accounts are typically banned once their malicious repositories are detected,” Terefos said.

“It’s common to find Link-Repositories containing links to banned Release-Repositories. When this occurs, the Commit account associated with the Link-Repository updates the malicious link with a new one.”

One of the campaigns discovered by Check Point involves the use of a malicious link to a GitHub repository that, in turn, points to a PHP script hosted on a WordPress site and delivers an HTML Application (HTA) file to ultimately execute Atlantida Stealer by means of a PowerShell script.

Other malware families propagated via the DaaS are Lumma Stealer, RedLine Stealer, Rhadamanthys, and RisePro. Check Point further noted that the GitHub accounts are part of a larger DaaS solution that operates similar ghost accounts on other platforms such as Discord, Facebook, Instagram, X, and YouTube.

“Stargazer Goblin created an extremely sophisticated malware distribution operation that avoids detection as GitHub is considered a legitimate website, bypasses suspicions of malicious activities, and minimizes and recovers any damage when GitHub disrupts their network,” Terefos said.

“Utilizing multiple accounts and profiles performing different activities from starring to hosting the repository, committing the phishing template, and hosting malicious releases, enables the Stargazers Ghost Network to minimize their losses when GitHub performs any actions to disturb their operations as usually only one part of the whole operation is disrupted instead of all the involved accounts.”

The development comes as unknown threat actors are targeting GitHub repositories, wiping their contents, and asking the victims to reach out to a user named Gitloker on Telegram as part of a new extortion operation that has been ongoing since February 2024.

The social engineering attack targets developers with phishing emails sent from “notifications@github.com,” aiming to trick them into clicking on bogus links under the guise of a job opportunity at GitHub, following which they are prompted to authorize a new OAuth app that erases all the repositories and demands a payment in exchange for restoring access.

It also follows an advisory from Truffle Security that it’s possible to access sensitive data from deleted forks, deleted repositories, and even private repositories on GitHub, urging organizations to take steps to secure against what it’s calling a Cross Fork Object Reference (CFOR) vulnerability.

“A CFOR vulnerability occurs when one repository fork can access sensitive data from another fork (including data from private and deleted forks),” Joe Leon said. “Similar to an Insecure Direct Object Reference, in CFOR users supply commit hashes to directly access commit data that otherwise would not be visible to them.”

In other words, a piece of code committed to a public repository may be accessible forever as long as there exists at least one fork of that repository. On top of that, it could also be used to access code committed between the time an internal fork is created and the repository is made public.

It’s however worth noting that these are intentional design decisions taken by GitHub, as noted by the company in its own documentation –

Commits to any repository in a fork network can be accessed from any repository in the same fork network, including the upstream repository
When you change a private repository to public, all the commits in that repository, including any commits made in the repositories it was forked into, will be visible to everyone.

“The average user views the separation of private and public repositories as a security boundary, and understandably believes that any data located in a private repository cannot be accessed by public users,” Leon said.

“Unfortunately, […] that is not always true. What’s more, the act of deletion implies the destruction of data. As we saw above, deleting a repository or fork does not mean your commit data is actually deleted.”

How Searchable Encryption Changes the Data Security Game

Posted on July 29, 2024 - July 29, 2024 by Maq Verma

Searchable Encryption has long been a mystery. An oxymoron. An unattainable dream of cybersecurity professionals everywhere.

Organizations know they must encrypt their most valuable, sensitive data to prevent data theft and breaches. They also understand that organizational data exists to be used. To be searched, viewed, and modified to keep businesses running. Unfortunately, our Network and Data Security Engineers were taught for decades that you just can’t search or edit data while in an encrypted state.

The best they could do was to wrap that plaintext, unencrypted data within a cocoon of complex hardware, software, policies, controls, and governance. And how has that worked to date? Just look at the T-Mobile breach, the United Healthcare breach, Uber, Verizon, Kaiser Foundation Health Plan, Bank of America, Prudential… and the list goes on. All the data that was stolen in those breaches remained unencrypted to support day-to-day operations.

It’s safe to conclude that the way we’re securing that data just isn’t working. It’s critical that we evolve our thought and approach. It’s time to encrypt all data at rest, in transit, and also IN USE. So, how do we effectively encrypt data that needs to be used?

The Encryption Challenge#

As stated, it’s well established that most data is not being encrypted. Just look at the well documented, ongoing growth rate of cybercrime activity. In short, all data breaches and data ransom cases have one glaring common thread— every target maintains millions of private, sensitive, and confidential records in an unencrypted state. Stores of data, fully indexed, structured and unencrypted as easy to read plaintext simply to support operational use cases. This challenge falls under the auspices of “Acceptable Risk”.

It’s often viewed that if an organization has good cyber hygiene, that organization is encrypting data at rest (in storage, archived, or backed up) and in transit or motion (i.e. email encryption, or sending data from one point to another point). And many may think that’s enough—or that is the best they can do. After all, encryption at rest and in motion is the only encryption focus of current compliance and governance bodies, where they address database encryption.

In truth, most compliance lacks any real definition of what would be considered strong database encryption. Unfortunately, the mindset for many is still ‘if compliance doesn’t address it, it must not be that important, right?’

Let’s unpack this a little. Why don’t we encrypt data? Encryption has a reputation for being complex, expensive, and difficult to manage.

Just looking at traditional encryption of data at rest (archives and static data), these encryption solutions commonly involve a complete “lift and shift” of the database to the encryption at rest solution. This exercise often requires a network architect, database administrator, detailed mapping, and time.

Once encrypted, and assuming that long-string encryption such as AES 256 is utilized, the data is only secure right up to the point that it is needed. The data will eventually be needed to support a business function, such as customer service, sales, billing, financial service, healthcare, audit, and/or general update operations. At that point, the entire required dataset (whether the full database or a segment) needs to be decrypted and moved to a datastore as vulnerable plaintext.

This brings another layer of complexity—the expertise of a DBA or database expert, time to decrypt, the build out of a security enclave of complex solutions designed to monitor and “secure” the plaintext datastore. Now this enclave of complex solutions requires a specialized team of experts with knowledge of how each of those security tools function. Add in the need to patch and refresh each of those security tools just to maintain their effectiveness, and we now understand why so much data is compromised daily.

Of course, once the data set has been utilized, it’s supposed to be moved back to its encrypted state. So, the cycle of complexity (and expense) begins again.

Because of this cycle of complexity, in many situations, this sensitive data remains in a completely unencrypted, vulnerable state, so it is always readily available. 100% of threat actors agree that unencrypted data is the best kind of data for them to easily access.

This example focuses on encryption of data at rest, but it’s important to note that data encrypted in transit goes through much of the same process—it’s only encrypted in transit but needs to be decrypted for use on both ends of the transaction.

There is a much better approach. One that goes beyond baseline encryption. A modern, more complete database encryption strategy must account for encryption of critical database data in three states: at rest, in motion, and now IN USE. Searchable Encryption, also called Encryption-in-Use, keeps that data fully encrypted while it’s still usable. Removing the complexity and expense related to supporting an archaic encrypt, decrypt, use, re-encrypt process.

Merging Technologies for Better Encryption#

So why, now, is Searchable Encryption suddenly becoming a gold standard in critical private, sensitive, and controlled data security?

According to Gartner, “The need to protect data confidentiality and maintain data utility is a top concern for data analytics and privacy teams working with large amounts of data. The ability to encrypt data, and still process it securely is considered the holy grail of data protection.”

Previously, the possibility of data-in-use encryption revolved around the promise of Homomorphic Encryption (HE), which has notoriously slow performance, is really expensive, and requires an obscene amount of processing power. However, with the use of Searchable Symmetric Encryption technology, we can process “data in use” while it remains encrypted and maintain near real-time, millisecond query performance.

IDC Analyst Jennifer Glenn said, “Digital transformation has made data more portable and usable by every part of the business, while also leaving it more exposed. Searchable encryption offers a powerful way to keep data secure and private while unlocking its value.”

“Technologies like searchable encryption are rapidly becoming a staple for organizations to keep data usable, while ensuring its integrity and security,” Glenn said.

A 30+ year old data management company, Paperclip, has created a solution to achieve what was once referred to as the ‘holy grail of data protection’, encryption of data in use. By leveraging patented shredding technology used for data storage and Searchable Symmetric Encryption, a solution was born that removes the complexity, latency and risk inherent with legacy data security and encryption strategies.

The SAFE Encryption Solution#

Understanding that necessity is the mother of all inventions, Paperclip, founded in 1991 as a content supply-chain innovator, realized they themselves needed to do more to secure the cadre of sensitive data their client’s trusted them with. When analyzing the growing number of data breaches and data ransom attacks, one reality became abundantly clear: threat actors aren’t compromising or stealing encrypted data.

They are laser focused on the vast amounts of unencrypted, plaintext data being used to support key operational activities. That’s where they can do the most damage. That’s the best data to hold hostage. It was this critical data that needed to be addressed. It was time to evolve the way we encrypted our most active data, at the database layer.

This was the genesis of SAFE, first as a solution then to bring it to the commercial market.

Of course, identifying the challenge was easy. All organizations have sensitive data to protect, and all organizations have sensitive data they rely on to run their core operations. The next stage was to build a practical solution.

Paperclip SAFE is a SaaS solution that makes fully encrypted, searchable data encryption a practical reality. The entire process of encrypting, decrypting, using, re-encrypting—and the resources needed to accomplish those tasks— is no longer required. More importantly, SAFE removes the excuse related to why millions of records are left fully exposed to data theft and ransom attacks right now.

SAFE Searchable Encryption is commonly referred to as a Privacy Enhancing Technology (PET) Platform. As a PET, SAFE evolves the way data is secured at the core database layer. SAFE is unique to all other encryption solutions because it provides the following features:

Full, AES 256 encryption supporting data owner and data holder key vaults – A threat actor must compromise both disparate keys. Even then they don’t get access to the data.
Patented Paperclip Shredded Data Storage (SDS) – Even before any data is encrypted with AES 256, complex encryption, the data is shredded into pieces, salted and hashed. This breaks all context and creates entropy. Imagine a threat actor compromises both encryption keys. What they end up with is like taking a micro cross-cut shredder, running one million documents through it, throwing out a third of the shredded pieces, replacing that third with shredded old encyclopedias, shaking it up and throwing it on the floor like some sick, demented jigsaw puzzle. Based on current technology it will take about 6,000 years to reassemble all those pieces.
Always Encrypted dataset supporting full create, read, update, delete (CRUD) functionality. – Inherently, when the data isn’t in use, it’s at rest, still fully encrypted. No more encrypted, unencrypted… It’s always encrypted.
Fast encrypted compound searching (<100 milliseconds over a standard SQL query). End users won’t even realize that SAFE is running in the background.
Continuous Machine Learning and AI Threat Detection and Response (TDR) – SAFE is based on Zero Trust so the solution will monitory and learn user trends. Any out-of-band activity will be blocked and will require administrative action. The solution is also monitoring for SQL injections, data fuzzing, and other threat actor actions. As part of the solution, SAFE produces a lot of telemetry that can feed a Client’s SOC monitoring service.
Simple JSON API integration. There is some development involved, but the result is no disruption to the end user and a dataset of always available, always encrypted data.
Implementation Flexibility – SAFE is a SaaS solution, but it was also designed to be implemented as a lightweight on-premises solution. In addition, SAFE can be integrated within a third-party application where that third-party is maintaining sensitive data on behalf of the Client (outsourced application like human resources, payroll, banking platforms, healthcare EMR & PHR, etc.). If you outsource your sensitive data to a third-party vendor, it’s time to ask how they’re encrypting that data. What happens if that vendor is breached? Is your data encrypted?

We’re in a race, one that the threat actors seem to be winning. It’s time to build a better encryption engine. It’s time for SAFE.

In today’s cyber-centric business landscape, the need for searchable encryption spans many industries and use cases such as Financial Services, Healthcare, Banking, Manufacturing, Government, Education, Critical Infrastructure, Retail, and Research to name a few. There isn’t an area where data doesn’t need to be more SAFE.

SAFE as a SaaS solution can be implemented in less than 30-days with no disruption to end users or network architecture. To learn more about SAFE searchable encryption, visit paperclip.com/safe.

Note: This article is expertly written and contributed by Chad F. Walter, Chief Revenue Officer at Paperclip since June 2022, leading Sales and Marketing initiatives, with over 20 years of experience in cybersecurity and technology.