Hornetsecurity Cyber Threat Report

Introduction and Chapter 1

Hornetsecurity recently published their Cyber Threat Report Edition 2021/22. This post will examine why cybersecurity, and the Cyber Threat Report, are relevant in today’s digital world.

Cybercrime ranks amongst the highest of threats worldwide. In the UK, we have experienced cyberattacks on public services such as healthcare and local authorities. Just looking up cyberattacks in the news confirms recent attacks on a wide range of industries, such as retail providers, snack companies, news corporations, research centres, political parties, and airlines.

The impact of these attacks is far and wide reaching. Individuals can be impacted by data breaches, fraud, and loss of products and services. On a national scale, society can be impacted by the loss of critical national infrastructure, underpinning things like financial services and emergency response services.

Chapter 1 of the Cyber Threat Report starts by examining the monetary cost of cybercrime on a global scale, which has increased by 345 billion US dollars in just 2 years. The author moves on to more thought provoking subjects: world affairs like a pandemic, global espionage, and even war, can all be accelerated by cyberattacks.

Public sector and private sector industries of all kinds have multiple attack vectors in common. The report makes the case that email is typically one such example. This can be as an ingress point for ransomware attacks, or as a means of hijacking business or official email addresses. The news search I mentioned earlier highlights the breach of an official email address within one of the world’s largest intelligence and security services. Clearly anything we use in day-to-day life with a digital footprint carries a risk of being compromised, and that’s why this report is so important.

Chapter 2

The second chapter starts to lift the lid on the risk of email; starting out by stating that around 300 billion emails are sent every day. This number is expected to rise by a further 61.6 billion over the next 2 years, leading to an exponential rise in threats.

By analysing the email traffic of the first half of 2021, the Hornetsecurity Security Lab concluded that 40% of emails sent were classified as undesired emails. That’s potentially 120 billion unsolicited emails sent every day.

Most of these emails will already be blocked in advance, using known spam filters, known bad sender’s lists, and identifying common traits. It’s obvious that executables will be rejected, and individuals are now savvier to opening links or Excel files from unknown senders. However, as education and cybersecurity protection improves, attackers themselves are becoming more sophisticated.

Embedding web pages, downloads, and links in HTML files or PDFs is now a common attack format. The Cyber Threat Report goes into the detail behind the most-used file types in malicious emails, really showing the wide range of tools attackers have adopted.

This same trend is echoed when it comes to both the industries affected, and the type of attacks carried out by cybercriminals. Examples include phishing, spearphishing, malicious attachments, blackmail, ransom leaks, and brand impersonation.

The global covid-19 pandemic accelerated a shift towards online services, for public services like healthcare, as well as private services like shopping and banking. Although digital enablement is a good thing, it does have potential to increase the attack surface. Brand impersonation is a great example, and it’s good to see the report call out the impact of the pandemic on this type of attack vector. As expected, impersonation of brands like Amazon, DHL, and Fedex are commonly used with malicious URLs.

The final section of the second chapter talks to the rise of as-a-service offerings on the dark web, which is something I was hoping would be called out. There is a growing market for Ransomware-as-a-Service, as well as for attackers to penetrate networks or systems, and then sell that access to the highest bidder. There are several use cases for this type of transaction, it could be selling secrets to competitors, opposing governments or nation states, for criminal or monetary extortion, and so on.

Chapter 3

The third chapter in the Cyber Threat Report breaks down Malware-as-a-Service (MaaS) further, with a compelling example. Emotet evolved from a banking trojan to a widely distributed MaaS operation, forming a network of cybercriminals. Before being disabled in early 2021, Emotet could infect a system and hijack email conversations, spreading amongst email contacts and mailbox recipients.

Emotet was eventually taken down by an international operation of law enforcement. In the aftermath, many other botnets have emerged, but none yet have the same scale. That said, the landscape is ever changing and as the report highlights, the existing customer base of Emotet’s MaaS operation still exists.

The final note for the ‘threat-highlights’ of 2021 is the Microsoft Exchange hack. Microsoft Exchange is perhaps one of the worlds widest used technologies, and an estimated 250,000 email servers were hit by attacks in March 2021.

The vulnerabilities were made up of 4 separate types, impacting multiple versions of Microsoft Exchange Server. Although an unscheduled security update was released, breaches were widespread before the patch could be fully rolled out.

It is believed the attack was carried out by a Chines state-sponsored hacker group, and in the clean-up that followed even the FBI were involved in removing traces from corporate networks to take out the risk of further attacks.

Chapter 4 and Summary

The report closes by highlighting the increase in digitalisation, as well as the number of devices and accounts, all providing opportunities for cybercrime to continue across borders and continents. As predicted, a huge increase in ransomware attacks is already starting to materialise. We’ve read throughout the report of the many and evolving attack options for cybercriminals, and the role in which email plays.

Microsoft 365 is an Office 365 suite with over 258 million active users, it provides Microsoft Exchange and other Microsoft products as Software-as-a-Service (SaaS). Whilst SaaS in general can help reduce the manual overhead of securing IT infrastructure, it doesn’t in any way rule out cyberattacks.

According to Hornetsecurity, every fourth business that uses Microsoft 365 has been affected by an email security vulnerability. Reading the Cyber Threat Report is really an eye opener for both individuals and business as to the risks we encounter, and often don’t even see, every time we carry out any form of digital interaction.

The Cyber Threat Report Edition 2021/22 from Hornetsecurity is available to download and read now.

April 2022 VMware Multi-Cloud Briefing

The VMware Multi-Cloud Briefing is an online quarterly series, in its fifth iteration, that brings vision, technology, and customer stories to the table. The briefing series has evolved through cloud platform, operations, and application development since its introduction in the summer of 2020. Both cloud technology and cloud adoption is advancing at a fast pace, and this April briefing provides an opportunity to see what’s new directly from VMware engineering, independent industry experts, and customers.

The latest session is opened with Joel Neeb, VP Execution and Transformation, VMware, and former F-15 pilot. Joel will talk through the history of aviation and the advancements in the cockpit, from having limited technology to running over 300 different instruments. With so many new features and capabilities, there comes a tipping point where it cannot be practically managed by a single operator, or it takes more time than it offers value. These instruments are now streamlined into a handful of features, displayed on screens instead of through switches and dials, with the computer systems surfacing what’s important to the operator at a given time.

We can learn from this approach, and apply similar models to be able to abstract and simplify multi-cloud complexity across different environments and locations. VMware Cross-Cloud Services can remove complexity, whilst enabling the agility of different cloud providers and the freedom to choose the right target environment for each application. Offering standardisation and consistency at the infrastructure layer allows scale and flexibility. Then, as requirements change and new use cases are uncovered, IT teams and developers can move quickly to accelerate overall business transformation.

VMware Cross-Cloud Services

The session continues with quick fire customer stories around streamlining operations with VMware technology, and a customer interview with S&P Global covering their approach to solving multi-cloud complexity. Later, we’ll also hear a partner perspective from DXC Technology, on how they work with customers to deliver multi-cloud outcomes, and what trends they are seeing across the market.

Next is a technology deep dive, starting out with examining how we’ve arrived at the complexity of running environments across public cloud, private cloud, and the edge. You can then expect to see:

  • How easy it is to add a new VMware environment to a hyperscaler, using vRealize Automation. In this demo we’ll start with an on-premises hosted environment, and scale out by spinning up new environments in the cloud, with the same management tooling and policies.
  • How to manage multiple cloud environments from a single tool, using vRealize Operations. In this demo we’ll look at a consistent way of managing and optimising resources, performance, capacity, and costs, with a unified troubleshooting interface.
  • How to add Kubernetes clusters in different hyperscalers to a common management plane, using Tanzu Mission Control. In this demo we’ll see how you can standardise the management of Kubernetes services, which will likely compliment your existing virtual machine infrastructure. Furthermore, we’ll find out how Tanzu Service Mesh can secure the communication of micro-services between environments and across clouds. Tanazu Service Mesh is able to bring micro-services under the same security umbrella, and automate features like mutual TLS encryption across all services.

The final segment is an industry interview with IDC and VMware, talking about what it means for customers to standardise their infrastructure and cloud platforms. There are multiple layers of abstraction and standardisation, covering the likes of management, optimisation, and security. IDC will detail where you can start, and what they see as good first steps.

The April 2022 VMware Multi-Cloud Briefing, and associated launch blog, is now live and available on YouTube. The video is embedded below. You can watch the current and previous briefings on the VMware Multi-Cloud Briefing page, each video is between 30-40 minutes long.

VMware Multi-Cloud Briefing April 2022

VMware Skyline Advisor Pro Overview


Skyline Advisor Pro is a cloud-based, pro-active, support technology that helps VMware customers avoid issues before they occur. It automates the capture and analysis of configurations, support bundles, and trend telemetry, and provides granular visibility throughout the global environment with predictive and prescriptive recommendations.

As well as proactive avoidance of downtime, Skyline also monitors and provides remediation guidance for security risks across the VMware estate. IT staff can spend less time fixing issues or manually searching through security vulnerabilities, and more time improving services and aligning to strategic initiatives. If an issue does occur; Skyline also helps speed up the support request resolution, since VMware Global Support Services (GSS) already have visibility into the VMware logs through the Log Assist feature.

How Does Skyline Advisor Pro Work?

Skyline Advisor Pro is setup in the VMware Cloud Services portal. You need a Cloud Services Organisation to activate Skyline, and any other VMware Cloud services. You can create a new org or use an existing one to group your VMware Cloud services together. The Cloud Services Organisation acts as a logical container where you will manage features like identity and access management, subscriptions, billing, and support. Skyline Advisor Pro is included at no extra cost for VMware customers with production and premier support, or vRealize Cloud Universal and Customer Success 360 consumers.

The Skyline Advisor Pro intelligence and user interface is all provided and hosted as a cloud service, known as Software-as-a-Service (SaaS). The Skyline Collector is a small virtual appliance, it is deployed in the customers VMware environment and facilitates the secure connection back to the SaaS control plane. The collector appliance is a standard OVA deployment, and will allocate 2 vCPU, 8 GB RAM, and 1.1 GB thin provisioned disk (or 87.1 GB thick provisioned).

Once the collector is deployed, endpoints for vCenter and other products can be added. Skyline Advisor Pro is able to provide proactive intelligence for vSphere, vSAN, NSX, VMware Cloud Foundation, Horizon, vRealize Automation, and vRealize Operations. After registering endpoints, the Skyline collector automatically and securely collates product usage data. Skyline then analyses the data to identify patterns, events, trends, design-compliance, and cross-product interaction.

Data collected is encrypted both at-rest and in-transit (transmitted back to the Skyline platform using the TLS 1.2 encryption protocol). Access is limited to VMware employees in customer support roles that have undergone full training. Although object names and IP addresses are included in the product usage data, there is no personally identifiable information collected. Skyline is GDPR compliant and certified in SOC2, Cyber Essentials Plus, and others. You can find out more in the VMware Cloud Trust Centre and VMware Skyline Frequently Asked Questions, see also VMware Skyline Data Collection Examples.

Proactive findings and recommendations are presented back to users through the Skyline portal in the VMware Cloud console, or through the vRealize Operations Cloud integration. The availability of the Skyline collector is critical in ensuring visibility into the environment from the Skyline portal. Depending on the size and scale of the environment, you may have multiple collector appliances. You can learn more about the high level architecture in the Skyline Architecture Documentation.

Skyline Advisor Pro Components

What’s New in Skyline Advisor Pro?

Just before VMworld 2021, VMware announced Skyline Advisor Pro. This latest iteration provides a major step forward in user experience from its predecessor, and it’s not just dark mode either. Both functional and operational improvements have been made to the product.

Skyline Advisor Pro significantly accelerates data processing and insights; now surfacing issues and inventory changes within 4 hours. With Skyline, this process was previously taking 48 hours. Further environment insights have been added to Skyline Advisor Pro, such as end of life notifications and historical insights. The Skyline Advisor Pro API now allows users to interrogate findings data with other tools, or trigger events to be sent to collaboration tools or ticketing systems. You can read more about these features in the VMware Skyline Advisor Pro is here blog.

Getting Started With Skyline Advisor Pro

The easiest way to enable Skyline Pro is to follow the Get Started link on the VMware Skyline product page. This will direct you to log into the VMware Cloud Services portal, use your corporate/work account that has an active support subscription aligned. Once logged in you will be invited to create or select a Cloud Services Organisation and activate Skyline, the Skyline administrator role is assigned to your account as part of the process.

The onscreen instructions will allow you to download and link the collector appliance. You can also download the VMware Skyline Collector from the Customer Connect downloads site. When you deploy the OVA to your environment you will be prompted for configuration such as network settings and endpoint registration. For more detailed information see the Skyline Planning and Deployment section of the VMware Skyline Documentation.

After setup is complete the Skyline Advisor Pro panel is added to your available services in the VMware Cloud Services portal:

Skyline Advisor Pro Dashboard

Within the Findings and Recommendations tab you’ll be able to see findings with affected objects, risk, recommendations, and historical data. You can click into each finding for more information, context, and fixes or links to KB articles if applicable.

Another thing to note is that Skyline integrates with vRealize Operations (vROps), either using the management pack for on-premises vROps, or directly for vROps Cloud. To see which features and findings can be pulled into vROps see the Extending Skyline’s Integration with vRealize Operations Cloud via the Skyline Management Pack blog post.

Skyline Advisor Pro Active Findings