Video: [APRIL] Technical Update for Sophos Partners | Duration: 1812s | Summary: [APRIL] Technical Update for Sophos Partners | Chapters: Welcome and Introduction (6.24s), Blackbusta Ransomware Operation (95.925s), Security Measures Implementation (590.625s), Product Updates Overview (675.895s), MDR Service Enhancements (1060.7201s), Network Security Updates (1214.13s), Software Central Notifications (1461.22s), NDR vs Firewall (1613.815s), Concluding Ransomware Discussion (1719.22s)
Transcript for "[APRIL] Technical Update for Sophos Partners": Hello. Welcome to this month's technical update. We are in April 2025. And since we started our new fiscal year at Sophos in April, we wanted to change the format of this webinar a little bit. So in this monthly technical update, we will proceed a little differently than we did until now. We basically split the webinar into three sessions. The first session will cover new things in the threat landscape that our teams in the NDR, in incident response and in the X-Ops teams have seen. So we will discuss these topics a little bit, and you will receive every month a new topic on specific threat actors, on reports that we publish, or similar things. The second part will be, like always, updates on products. So news that we have for specific releases, upcoming releases, and all this product-related stuff. And in the end, we will also have an ask-me-anything session. So please feel free to enter your questions in the Q&A panel. In the background, we also have chat support, so my colleagues will answer your questions, and we will also pick some questions which I will answer live towards the end of the session. So, yeah, let's get started.

The first thing I want to talk about is the topic of the threat landscape, like I already said. And we will focus not really on a threat actor, but more or less on a ransomware-as-a-service operation that we have seen in the past, probably around about three years. This ransomware-as-a-service operation is called Black Basta. So what did they do? They basically emerged in the beginning of 2022 as a ransomware-as-a-service operation. So you see that we constantly see the trend that specific threat actors or criminal organizations are specializing in specific fields.
So Black Basta really specialized in ransomware as a service, so encryption services, but also services for payment of the ransom and similar stuff. So they were not focusing on hacking organizations themselves. They were providing ransomware as a service to other criminals. And they were pretty successful. Last year we saw a report by CISA and the FBI where we saw that the affiliates of this ransomware-as-a-service organization breached over 500 organizations between April 2022 and May 2024. And they were also successful in the past months. But why we want to talk about them is because we have seen very interesting attacks taking place from threat actors who are leveraging the Black Basta ransomware as a service. And another thing that we also saw in February was the Black Basta leak. Some of you might remember there was a leak in 2022 when the war between Russia and Ukraine had just started. Then we had the leak from the group which was called Conti back then. So internal chat logs, everything was revealed, because this group was made up of Russians and Ukrainians. Of course, because of the war, they basically split up the organization, and some guys released all the internal information there. This was very interesting for us because we could, of course, gain some insights into how professionally these organizations are currently working and performing. And something similar applies to Black Basta. So why did someone leak information from Black Basta now? Quite interesting. Black Basta is, or at least we think, or most experts think, that Black Basta is operated by Russians, so Russian threat actors. Now there is of course one unwritten law in Russia: when you are performing offensive cybersecurity operations or hacking other organizations, then it is fine if you are attacking organizations outside of Russia. But if you attack an organization within Russia, that is a very bad idea.
And this seems to be the reason that there was a leak of Black Basta. It seems that Black Basta, or affiliates using their ransomware-as-a-service operation, were attacking a bank in Russia. This was, like I said, a no-go. So some guys came forward and basically published their internal Matrix chats. And again, we have seen internal information including phishing templates, chat conversations, emails, cryptocurrency addresses, data drops, victims' credentials, so everything that is basically valuable is within this chat. For us, it is a great opportunity to gain some more insights, of course, into how Black Basta is operating, which things they are using, or how they are basically also working with their affiliates and everything. So very useful information in this leak. We also saw within this leak that they really have a hard time with Sophos. So Sophos is one of the vendors who were mentioned the most, because they couldn't get through our defenses because of our adaptive attack protection and all the other features that we have in our product. So a nice proof coming from an unexpected side, but still, it gives us really good insights into how they are operating.

And just a few weeks before this Black Basta leak, we saw some threat actors who are basically using the services from Black Basta running a new attack scheme on victims. What those guys did was, they were using email bombing, but not to deliver spam messages or phishing messages or whatever. They were just producing huge amounts of spam so that basically the poor victim gets overwhelmed by all those spam messages that he is receiving. And they sent as many as 3,000 email messages in less than an hour. Now the fun thing begins. They bombed the victim with thousands of emails, and then the victim gets contacted by IT support. So someone was basically contacting the victims via Teams voice or video calls, or chat messages, and was telling them: hey,
I'm from IT. I heard that you are currently experiencing a problem with spam messages. Let me help you. I'm very trustworthy. I'm from IT. And then, basically, when a victim reacted, they established remote access to the machine, either via the Quick Assist utility or also via Teams screen sharing, and they gained access to this device. They were executing scripts on this device so that they established a foothold in this organization. After they basically took over the first machine with the poor victim who got the email bombing, they also spread laterally. And again, they used the tools that we always see. They used RDP. They used WinRM to spread over the network. In some cases, they even used the domain credentials that they collected from their victims and used them to log in from outside via the VPN gateway of the organization. And, yeah, they stole data. And in the end, this threat actor, in some cases, also tried to execute the Black Basta ransomware, so basically to start the ransom process there. So a pretty interesting attack, I think. It is really social engineering at its best. So I am targeting someone with high volumes of spam so that he is overwhelmed. Then I am trying to, or at least pretending to, help him because I am the good guy from IT. Let me fix it for you. Just let me connect to your computer. And that is the way they basically broke into these organizations.

How did we react? Of course, we created detections that are capable of basically detecting all those malware components that were used during this specific campaign. So we have not only the proactive protection in place that also stops the Black Basta ransomware, but we also added some more detections there, so that you can basically stop it immediately when we see something popping up. And very important also for the organization: what are the recommendations? So how to prevent these kinds of attacks?
First of all, organizations should really ensure that the Microsoft 365 service provisioning restricts Teams calls from outside the organization, or at least restricts that capability to trusted business partners. Because if this were in place as protection, the attackers wouldn't have a chance, because they couldn't use Teams, a trusted platform for every employee, to get in contact with their victim. Also, applications such as Quick Assist should be restricted by policy unless they are specifically used by your organization's technical support team. You can do this with our endpoint application control. And we also strongly recommend that the Microsoft 365 integration with the security environment for monitoring is turned on. So if you are running XDR, if you are running MDR, please activate the Microsoft 365 integration, because this gives you additional insight to see what is really happening. And organizations should also raise their awareness for these kinds of attacks, because this is not the typical topic covered in anti-phishing training. Like you all know, you as Sophos partners should also invest to basically educate your customers that this is currently a problem, that this is a current attack technique that those guys are using. And in my opinion, it is pretty mean, of course. So, not really something where you can do a lot. You really need to handle your platform properly. You have to disallow the remote tools that you are not using, and you have to inform your employees, of course. This is our small take on the threat landscape. We will, of course, have another interesting topic next month.

Let's talk a little bit about the product updates, or stuff that we just released or stuff that will be available shortly. First, we want to cover some changes in the XDR product. We added, or we enhanced, the detection suppression that we have in XDR.
I mean, every organization has specific things always popping up again in XDR which are basically not relevant, because they are either accepted or this is some alert that is probably misleading. So of course, we want to exclude those detections from popping up. And therefore, we have the detection suppression capability, and this was now enhanced. We have additional attributes now available for Windows and Linux devices, including users, devices, IP addresses, or specific files. And each attribute that we are using to define these rules also comes with its own conditions for more precise control, as you can see in the screenshot here. The new attributes are also, of course, available within the existing detection rule workflow. So you can basically just go there in your rules and apply the changes that you want, so that you can reduce the noise that is being created by the XDR solution. I guess this also helps to lower the risk of alert fatigue, because you are just reducing the noise and you are just seeing the signals that are relevant for you as a security analyst, for example.

Another thing that is quite important and that was asked for by a few customers was the topic of case activities: they wanted to have them also in the Sophos Central audit logs. Now we are basically tracking all the XDR case activity in the audit log, so we have better visibility into what is happening within this customer account, meaning that we are now reporting when a case is created, updated or deleted, with all the information that is relevant: which user performed the action, when did it occur, and which case does it relate to. So you can see here in the screenshot, we have the date, for example, February. Janet did the modification, and she created a case initially, she updated a case and then she deleted a case. So, pretty straightforward, and this is now fully logged in XDR as well.
Another big change that is coming for the Linux platform is the ransomware detections that we now have. Most of them are in beta. You can also see it in the UI that this is at the moment visible here. We basically have added those runtime detections, very important. These are just detections to help us detect ransomware activities on Linux machines as well. This includes basically four kinds of detection. One detection is the ransomware activity detection. We are detecting programs that are overwriting regular files where the data appears to be encrypted. So we are basically checking the file, checking how it regularly looks and how it looked after the write operation. If we deem that this is being encrypted, then this raises a detection. Then we have one quite interesting thing, and that is the extensions written detection. Of course, ransomware is created in a way that it always leaves a ransom note, where should I transfer the money to and all these things. And this is covered also here. So we are detecting if we see some regularly dropped ransom notes on a Linux machine. The third detection is obfuscated file modification. This detects attempts where we see that an attacker is potentially trying to hide the file modification activity. The last detection that we have here is covering process encryption. We are detecting here file encryption activity that is basically performed by using methods that we commonly see associated with ransomware.

And, yeah, last but not least, one more topic regarding the macOS client. If you are using Mac, I must say I am a Windows user and I like Windows more than Mac, but I know that Mac out there is pretty popular.
For all of those who are Apple or Mac lovers, you might have noticed that Apple changed a lot regarding the security of the macOS operating system, which is good because it hardens the operating system, but which of course presents challenges to an endpoint protection that is installed on a Mac machine. So therefore we have the issue that, to gain full disk access, for example, we would basically need the approval of a local administrator on this machine, or you could use a mobile device management or unified endpoint management solution that approves this request for full disk access. If we don't have full access to the operating system, we cannot properly protect it. And for this, we are of course informing the end user, but we are now also informing the administrators within Sophos Central, so they can see, like in this example, that we are basically lacking specific requirements to properly operate on a macOS device. And therefore, in this case, we need to enable the network extension so that we can properly protect the Mac. So this is now giving you a heads-up if there is some misconfiguration on the macOS operating system. This will be handy for all those administrators out there.

The next thing I want to talk about is the managed services. We introduced a new MDR Event Pipeline widget, as you can see here on the screenshot. This visualizes a little bit the life cycle of all those signals that we are receiving in the Sophos Central platform. It also demonstrates, I think pretty nicely, how we are reducing the noise that is coming in. For example, in this little account, we have like 93k events popping up, or detections popping up. We are reducing this to round about 5k suspicious detections. Then we are generating cases for the interesting ones. These cases are examined by the MDR analyst.
And in the end, you have a really small number coming out where we really need to take action. This also displays, as you can see in the screenshot, a breakdown of the events. So you can see, okay, how many events are coming from the endpoint, from email, network, firewall, all those integrations that we have here. This widget is available now. It is directly on the MDR dashboard, and you can also use it, of course, for your own custom dashboards that you might have within Sophos Central. Another nice addition for those currently running MDR is that we have the new threat timeline visualization. This is also available for XDR customers if they join the early access program. With this threat timeline visualization, which is also called lineage, you can basically trace how a threat unfolded within your corporate environment. You will see the impacted processes, the lineage, their surrounding activities. You will see the time between specific actions. And you will also see relevant information there which is part of this whole threat. So you will see if there were some DNS queries, if they were using specific command-line prompts, if they were using specific MITRE techniques, URLs, IP addresses. It is basically a different, time-based view of the attack that was happening in a corporate environment. This extends the capabilities of the platform and gives analysts a better view into this.

Coming to the network security segment. One big piece of news, of course, is that we made life a little bit easier for all those running virtual or software appliances of our Sophos Firewall operating system. Until recently, we had the situation that we were limited by CPU cores and by RAM. We lifted this restriction, so now we just limit by core count only, and you can basically use as much RAM as you want to have, and the appliance will automatically allocate all the RAM that is available.
So I think that is a really nice change, making things a little bit easier. And what we also have here is that we will stick with the old SKUs. So don't be irritated, please. We are just counting the cores now; ignore the RAM amount, which is the second part of the SKU. We just need the correct number of cores, and that's it. It should make everything easier. Another addition that we also have is that for DNS Protection, we have now expanded the management regions. Besides the traditional EU and US capabilities of having DNS Protection in those data center regions, we have now also added Canada, Brazil, India, Japan, and Australia as well.

Coming to Sophos Firewall, we recently released MR1 for Sophos Firewall OS v21. The initial release was on February 29, but we saw some minor issues. So we re-released the maintenance release on March 12. That is build number 272. We fixed those issues. Typically, it was anyway a soft release, so you had to download it manually and then install it. So for most of your customers, of course, they will now get the re-release, so those things will already be fixed for them, making things easier. And then, big news: just a few moments ago, we also had a situation that we released our early access program, so EAP 1 for Sophos Firewall 21.5. Just two hours ago, we also launched it in the community. In this release, we will do a few big things. We will take some of the algorithms, or some of the engines, that we also have in NDR to the Sophos Firewall. We call it NDR Essentials, and this is available with the Xstream Protection license. We are integrating the encrypted payload analysis, where we are capable of detecting command and control server traffic even in encrypted traffic. So without breaking the encrypted connection, we can just use it. We are using AI to detect if we find some traffic that is highly likely to be part of, for example, a Cobalt Strike beacon or something similar.
So this will be part of the NDR Essentials on the Sophos Firewall, as well as the domain generation algorithm detection, which is capable of detecting automatically generated domains which attackers are frequently using when attacking organizations. This will be part of the Xstream Protection license and will be part of 21.5. A few other things that will be coming: we will have better scalability. We doubled the size of the route-based VPN tunnels, now 3,000 tunnels. We also improved the number of SD-RED devices which are supported, up to 850 devices there. So, 650. Sorry. These changes are now available via the early access program. And if everything works out well, we will shortly also have the full release of this version.

So, last topic in the products: we are talking about Sophos Central. One thing that should basically help to raise awareness of expiring licenses is our new UI that we will have here with the notifications. When customer licenses are near expiration or already expired, we will now display a reminder directly in Sophos Central to renew them. We will, of course, still send renewal emails or notifications that something is about to expire to the customer and to partners as well. But we will also now have a pop-up, which will be displayed at sign-in starting from thirty days before renewal. We will advise that products and services will basically be restricted if not renewed before the expiry date. And thirty-one days after all licenses expire, we will have a final warning message which can't be dismissed, and the customer can then only view and renew licenses or sign out of Sophos Central. And this is effective now. This will be active for licenses expiring from 04/02/2025 and later. This won't apply to free trials or previously expired licenses, of course.

The last thing about products is the topic of Intelix.
You know that we are using Intelix in the background for our network protection, for our web protection, email protection, firewall, for Sophos Email Advanced. So this is our sandboxing solution, but much, much more. And here we also have static analysis, which is basically leveraging AI to analyze specific files. And we extended the capabilities there. We have the new threat analysis tab in the static analysis reports, which will give you hundreds of new feature rules for Office documents, PDFs, RTFs, stuff like this. We are going to see that something is looking suspicious where we have VBA code being executed, where we have dynamic data exchange commands within specific documents, or where we have content that looks highly suspicious, like social engineering, like the "click here to view" button and similar stuff. So this is now extended and available as well. So far for the product updates.

I'll just take a few seconds, and we have two to two and a half minutes left for the questions that we have. The first question that we have is regarding NDR Essentials and the Sophos Firewall. I think the question is: what is the difference between the Sophos Firewall NDR Essentials and Sophos NDR? We only have two engines on the Sophos Firewall which we are bringing to the Sophos Firewall from NDR: that is the encrypted payload analytics, and this is also the topic of the domain generation algorithms. On a firewall, they will also be detect-only at the moment. Of course, we can only see the traffic that is passing through the firewall. So while NDR is basically sitting on a SPAN port on the switch, this device can also see all the internal traffic flows, so all the east-west traffic, while a firewall can only see the typical north-south traffic that is passing through the environment.
So still, in most cases, it makes total sense to have a firewall as well as a network detection and response solution, because the firewall is concentrating, or working as a gatekeeper, while NDR is taking care of the rest and is basically inspecting all the network traffic flows, also between specific endpoints which might sit in a specific segment. So this is the thing and the big difference. It is a nice add-on, like I said, already available in the Xstream license once we launch 20.5, but it is not a replacement for NDR, of course.

The second question that we had is also regarding the ransomware detection that we now have on Linux. Don't call it CryptoGuard for short, I would say. It is not the same technology that we have on Windows. On Windows, we have real blocking functionality, where we are blocking the process, where we are blocking the remote access if someone from another box wants to encrypt my file share on my local computer. This is an active blocking protection, and we also have the capability of recovering files on the Windows operating system. On Linux machines, it is different. We just have detections, and we also have no rollback capability. The operating system is, of course, different, as we all know. So we couldn't translate CryptoGuard one to one to Linux, but we wanted to add more functionality here so that we are capable of protecting the machines better. But at the moment, it is detections. Like I said, beta at the moment, but please give it a try. It is available under the detections for Linux in the policy. So you can basically activate them and see if it will work properly in your environment. And since we are running out of time, thank you for joining, and I'm happy to see you next time. See you. Bye bye.