Cato Networks announced the results of its analysis of 263 billion enterprise network flows between April and June 2021. Researchers showed a novel use of Houdini malware to promote the spoofing of a device.
The report also documents how Amazon Sidewalk and other consumer applications operate on many enterprise networks, undermining effective risk assessment.
“Cybersecurity risk assessment is based on visibility to threats as much as visibility to what is happening in the organization’s network,” says Etay Maor, senior director of security strategy at Cato Networks.
“With lines blurring between the home office and the corporate network – more devices and applications find their way to the organization’s network but not necessarily to the organization’s risk assessment.”
Houdini malware returns to exfiltrate data within the user agent field
For years, enterprises have relied on device identity to authenticate users. More recently, the development of ZTNA and SASE architectures called for using device ID (in addition to user identity and location) to decide user access rights to corporate resources.
Spoofing device IDs has been a top priority for attackers, evolving from simple point solutions to cloud-based services. As such, device identification verification became crucial for strong user authentication.
The research suggests that device identity spoofing threatens to become far more prevalent. Houdini is a well-known remote access trojan (RAT), but the research shows this particular use is novel. Houdini exfiltrated data within the user agent field, an approach often undetected by legacy security systems. Researchers only identified such threats by cross-correlating security and network information.
Spoofing-as-a-Service offerings, where cybercrime forums provide virtual or physical machines based on specified requirements for attackers to launch an attack. “With cybercriminals offering, a hard-to-come-by solution is now more widely available,” says Maor. “The bar for launching attacks against organizations is lower – enabling and motivating newcomers in the cybercrime field.”
Amazon Sidewalk, consumer applications undermine enterprise risk assessment
In addition, the report found that the rapid move to work-from-home and adoption of bring-your-own-device have blurred the lines between professional and personal networks.
Researchers found hundreds of thousands of Sidewalk flows, with some enterprises having hundreds of such devices. “How can you possibly assess company risk when there is no visibility to what devices and applications truly reside on the network?” asks Maor.