Ads 468x60px

Featured Posts

17 June 2019

What’s new in FortiOS 6.2

You already know that I like reading and testing new features. I wrote about What’s new in FortiOS 5.6, What’s new in FortiOS 6.0 as well as What’s new in BIG-IP version 14.0. Therefore, I’m going to write about What’s new in FortiOS 6.2 where there are lots of new features and interesting enhancements for security engineers. Right now, I usually install FortiOS 6.0 for production firewalls but I think it’s good to know the new features and enhancements because, maybe, we’ll require these new features in the future.

Security Fabrics are increasingly useful when we have more than one Fortinet appliance. For example, FortiOS 6.0 was already able to integrate the firewall with many Fortinet appliances. Consequently, we can see interesting information from FortiView. However, FortiOS 6.2 is also able to integrate the firewall with more Fortinet appliances such as FortiMail and FortiWeb. In addition, there are more FabricConnectors available such as connectors for IP Addresses, Malware hashes and Multi-Cloud.

Security Fabric

SD-WAN is another feature which is getting better. We can already configure an IPsec VPN tunnel with more than one WAN interface against another FortiGate to make an Overlay Tunnel. Therefore VPN bandwidth can be increased easily with multiple Internet links. Traffic Shaping is also improved where we can configure shaping profiles with network requirements for applications such as maximum bandwidth or priority.

SD-WAN - Per Packet WAN Path Steering
There are another feature I really like. We can configure only one inspection mode in FortiOS 6.0. we have to choose between Flow-based mode or Proxy-based mode. However, if we want to enable the Web Application Firewall, we’ll need to enable the Proxy-based mode but if we want to configure firewall policies by applications, we’ll need to enable the Flow-based mode. Therefore, we can not have both features, WAF and firewall policies by applications at the same time. FortiOS 6.2 supports both inspection modes at the same time.

Inspection Mode
Wireless and Switching improvements have been included in FortiOS 6.2. This new version supports WPA3 and WIFI 6 (802.11ax). For instance, we’ll be able to configure the Transition WPA3 mode which will be useful for wireless networks where there mobile devices that support WPA2 but not WPA3. What’s more, security enhancements have been included to FortiSwitch such as maximum bandwidth and priorities for quarantine VLANs.

Twenty-year timeline of 802.11 standards
FortiOS 6.2 have lots of new security features and enhancements which will be very interesting for most companies and security engineers. Today, most FortiGate firewalls run with FortiOS 6.0 but they will run FortiOS 6.2 in the near future.

Regards my friends. Have a nice day ;-)

10 June 2019

Operation Sharpshooter

I would like to learn more and more about how latest malware work. In fact, from time to time, I read about what are the techniques they are using to exploit operating systems and get the information they are looking for. I like this kind of information because I think it’s useful for my job. Firstly, it’s useful because we are updated about the latest vulnerabilities and this is a best practice. Secondly, it’s useful because we can protect services better when we know how attacks work. Finally, it’s funny and rewarding to know how malware work.

Today, I’m going to write about the Operation Sharpshooter which is one of the latest malware campaign. This operation uses the malware Rising Sun against critical infrastructures, government and finance such as nuclear power stations, banking, electrical companies and the army. This malware is similar to the backdoor Duuzer because both decode and exfiltrate the information in the same way. Security researchers think the Operation Sharpshooter come from the Lazarus Group.

How this operation work? Firstly, they get lots of information about people who work in the company they want to attack. Secondly, they send a malicious document to victims about a new and better job. Thirdly, victims open the malicious document which execute a shellcode. This shellcode download the malware Rising Sun and a decoy document. Finally, the malware get lots of information, such as operating system, computer name, IP address, and send this information encrypted to the control server.

Infection flow of the Rising Sun implant, which eventually
sends data to the attacker’s control servers

Actually, I’ve seen many operations like this where social engineering and spear phishing are the ways of inserting malware in the organization. However, this kind of operations are increasingly persistent and directed to some companies. Therefore, it’s more difficult to detect these campaign. For instance, we already know about this operation, against some critical infrastructures, but we don’t know yet what is the goal of getting and exfiltrate this information.

Thanks for reading my blog!! If you know books about malware, write it down in the comments!
Related Posts Plugin for WordPress, Blogger...

Entradas populares