Month: December 2022

Tis Tech and Wazuh sign a partnership agreement

San Jose, California, December 2022. We are glad to announce that Tis Tech has signed a partnership agreement with Wazuh. Tis Tech's core business is focused on the Information and Communication Technologies (ICT) sector, and its main objective is to deliver solutions for its customers' businesses.

Among the business consulting services offered by Tis Tech, we can mention the following: Project Management, BPM, Process Integrity, Systems and Information Security, Application Development, ERP and CRM, Change Management, Training, and Infrastructure.

Tis Tech works for companies worldwide, and its main clients are public sector institutions, oil & gas industries, financial institutions, private organizations, telecoms, and utility companies.

“We have chosen to work with Wazuh because they are one of the best in their field. They developed a great open-source software, which captivated a large crowd to follow the brand and cultivated a wonderful support community. The software is easy to use and customizable, requires no changes to the infrastructure, and is cloud-based, which means it can be deployed to all our office branches without additional equipment cost. Above all, Wazuh provides excellent technical assistance and has been extremely helpful throughout this partnership. We are excited to be working with Wazuh and foresee a great future together,” commented Ivo Domingos, Systems Analyst at Tis Tech.

As a multicultural organization, Tis Tech has an international presence, with modern and functional facilities at their Angolan headquarters and their global representation points located in Brazil, Argentina, India, Portugal, China, and Mozambique.

“We at Wazuh are delighted that Tis Tech has chosen to work with Wazuh and that they appreciate the benefits of our open-source platform. Tis Tech has told us that they are satisfied with our technical support and have found it very helpful since the beginning of our partnership,” states Alberto Gonzalez, COO at Wazuh.

If you want to learn more about Tis Tech, please visit its official website. For more information on Wazuh Partnerships, please visit our partners’ page.

The post Tis Tech and Wazuh sign a partnership agreement appeared first on Wazuh.

Updated experience for exporting your organization’s data

What’s changing

We’re introducing new capabilities for exporting your organization’s data, giving our customers greater flexibility over managing their organization’s data export needs. These changes include the option to:

  • Export user generated content by organizational unit
  • Export user generated content by group

This update is available for Google Workspace Enterprise Plus, Education Standard, and Education Plus customers.

Who’s impacted

Admins

Why it’s important

Historically, data export has been limited to a customer’s full set of user generated content. However, we know our customers sometimes need a more frictionless experience for managing their data exports, especially as their business and compliance needs continue to evolve. By providing more granular and flexible export tools, our customers can retrieve the specific data they need, when they need it.

Getting started

Rollout pace

Availability

  • Available to Google Workspace Enterprise Plus, Education Standard, and Education Plus customers
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Education Fundamentals, Frontline, and Nonprofits, as well as legacy G Suite Basic and Business customers

Resources

AWS Week in Review – December 19, 2022

We are halfway between the re:Invent conference and the end-of-year holidays, and I did expect the cadence of releases and news to slow down a bit, but nothing could be further from reality. Our teams continue to listen to your feedback and release new capabilities and incremental improvements.

This week, many items caught my attention. Here is my summary.

The AWS Pricing Calculator for Amazon EC2 is getting a redesign to provide you with a simplified, consistent, and efficient calculator to estimate costs. It also added a way to bulk estimate costs for EC2 instances, EC2 Dedicated Hosts, and Amazon EBS services. Try it for yourself today.

AWS Pricing Calculator

Amazon CloudWatch Metrics Insights alarms now enables you to trigger alarms on entire fleets of dynamically changing resources (such as automatically scaling EC2 instances) with a single alarm using standard SQL queries. For example, you can now write a query like this to collect data about CPU utilization over your entire dynamic fleet of EC2 instances.

SELECT AVG(CPUUtilization) FROM SCHEMA("AWS/EC2", InstanceId)

AWS Amplify is a command line tool and a set of libraries to help you to build web and mobile applications connected to a cloud backend. We released Amplify Library for Android 2.0, with improvements and simplifications for user authentication. The team also released Amplify JavaScript library version 5, with improvements for React and React Native developers, such as a new notifications channel, also known as in-app messaging, that developers can use to display contextual messages to their users based on their behavior. The Amplify JavaScript library has also received improvements to reduce the overall bundle size and installation size.

Amazon Connect added granular access control based on resource tags for routing profiles, security profiles, users, and queues. It also adds bulk import for user hierarchy tags. This allows you to use attribute-based access control policies for Amazon Connect resources.

Amazon RDS Proxy now supports PostgreSQL major version 14. RDS Proxy is a fully managed, highly available database proxy for Amazon Relational Database Service (Amazon RDS) that makes applications more scalable, more resilient to database failures, and more secure. It is typically used by serverless applications that can have a large number of open connections to the database server and may open and close database connections at a high rate, exhausting database memory and compute resources.

AWS Gateway Load Balancer endpoints now support IPv6 addresses. You can now send IPv6 traffic through Gateway Load Balancers and their endpoints to distribute traffic flows to dual-stack appliance targets.

Amazon Location Service now provides Open Data Maps, in addition to ESRI and Here maps. I also noticed that Amazon is a core member of the new Overture Maps Foundation, officially hosted by the Linux Foundation. The mission of the Overture Maps Foundation is to power new map products through openly available datasets that can be used and reused across applications and businesses. The program is driven by Amazon Web Services (AWS), Facebook’s parent company Meta, Microsoft, and Dutch mapping company TomTom.

AWS Mainframe Modernization is a set of managed tools providing infrastructure and software for migrating, modernizing, and running mainframe applications. It is now available in three additional AWS Regions and supports AWS CloudFormation, AWS PrivateLink, and AWS Key Management Service.

X in Y. Jeff started this section a while ago to list the expansion of new services and capabilities to additional Regions. I noticed 11 Regional expansions this week:

Other AWS News
This week, I also noticed these AWS news items:

Amazon SageMaker turned 5 years old 🎉🎂. You can read the initial blog post we published at the time. To celebrate the event, Amazon Science published this article where AWS’s Vice President Bratin Saha reflects on the past and future of AWS’s machine learning tools and AI services.

The security blog published a great post about the Cedar policy language. It explains how Amazon Verified Permissions provides a pre-built, flexible permissions system that you can use to build permissions based on both ABAC and RBAC in your applications. Cedar policy language is also at the heart of Amazon Verified Access I blogged about during re:Invent.

And just like every week, my most excellent colleague Ricardo published the open source newsletter.

Upcoming AWS Events
Check your calendars and sign up for these AWS events:

AWS re:Invent recaps in your area. During the re:Invent week, we had lots of new announcements, and in the next weeks, you can find in your area a recap of all these launches. All the events will be posted on this site, so check it regularly to find an event nearby.

AWS re:Invent keynotes, leadership sessions, and breakout sessions are available on demand. I recommend that you check the playlists and find the talks about your favorite topics in one collection.

AWS Summits season will restart in Q2 2023. The dates and locations will be announced here.

Stay Informed
That is my selection for this week! Heads up – the Week in Review will be taking a short break for the end of the year, but we’ll be back with regular updates starting on January 9, 2023. To better keep up with all of this news, do not forget to check out the following resources:

— seb
This post is part of our Week in Review series. Check back each week for a quick roundup of interesting news and announcements from AWS!

Chaos malware: Detecting using Wazuh

Chaos is a fast-spreading malware written in Go. It infects Windows and Linux systems across multiple architectures, including ARM, Intel i386, MIPS, and PowerPC. The malware can enumerate the infected endpoint, run remote shell commands, load additional modules, and launch DDoS attacks against entities across the gaming, financial services, media, and entertainment industries. Chaos malware spreads itself by exploiting unpatched vulnerabilities on endpoints.

This blog post analyzes the Indicators of Compromise (IOCs) of Chaos malware and mitigates the infection using Wazuh.

Chaos malware behavior

Below are some actions performed by Chaos malware when it is executed on the victim endpoint:

  • File creation: As soon as Chaos malware is executed, the Windows variant creates a copy of itself in the C:\ProgramData\Microsoft directory under the name of a legitimate Windows process, csrss.exe. The Linux variant creates a copy of itself as /etc/id.services.conf in the Linux system configuration directory. The Linux variant also creates a reverse shell module, /etc/profile.d/bash_config.sh, that allows the malware actor to run arbitrary commands on an infected endpoint.
  • Persistence: The Windows variant of the malware maintains persistence by creating a value under the registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. This value is C:\ProgramData\Microsoft\csrss.exe, ensuring the malware is executed after reboot. To maintain persistence, the Linux variant of the malware creates a bash script at /etc/32678. The script references the dropped copy of the malware, /etc/id.services.conf. Below is the content of the script:
#!/bin/sh
while [ 1 ]; do
sleep 60
/etc/id.services.conf
done
  • DNS query to rogue hosts: The malware attempts to establish a connection with a C2 by querying the host yusheng.j0a.cn. Every successful ping to the C2 returns a QueryStatus of 0.

Detection with Wazuh

In this blog post, we use VirusTotal, Sysmon, and Auditd with Wazuh to detect Chaos malware behavior on the victim endpoint.

Infrastructure

  1. A pre-built ready-to-use Wazuh OVA 4.3.10. Follow this guide to download the virtual machine.
  2. A Windows 10 victim endpoint with Wazuh agent installed.
  3. An Ubuntu 22.04 victim endpoint with Wazuh agent installed.

Using VirusTotal integration

VirusTotal is an online IT security platform that analyzes suspicious files, URLs, domains, and IP addresses to detect threats. Wazuh provides an out-of-the-box VirusTotal integration which, when combined with the Wazuh File integrity monitoring (FIM) module, detects malicious file hashes on an endpoint.

We configure the VirusTotal integration on the Wazuh server and FIM on the Windows and Linux endpoints to monitor the Downloads directory using this guide. Alerts are generated on the Wazuh dashboard whenever the malicious Chaos malware file is added to the Downloads directory.

The image below shows FIM and VirusTotal alerts on the Wazuh dashboard:

Using detection rules

We detect Chaos malware by matching the Auditd and Sysmon logs collected from the Linux and Windows endpoints against a custom ruleset.

Windows endpoint

We can detect Chaos malware activities by enriching the Windows Wazuh agent logs with Sysmon.

Configure the Wazuh agent as described below to collect Sysmon logs and transfer them to the Wazuh server for analysis:

  1. Download Sysmon from the Microsoft Sysinternals page.
  2. Download the Sysmon configuration file.
  3. Launch PowerShell as an administrator and install Sysmon using the command below:
.\Sysmon64.exe -accepteula -i sysmonconfig.xml
  4. Edit the Wazuh agent configuration file C:\Program Files (x86)\ossec-agent\ossec.conf and include the following settings within the <ossec_config> block.
<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>
  5. Restart the Wazuh agent to apply the changes:
Restart-Service -Name WazuhSvc

Linux endpoint

In this section, we use Auditd rules to detect when Chaos malware creates malicious files on the Linux victim endpoint. Auditd is a Linux utility for monitoring system calls and file access and creation.

To configure the Wazuh agent to capture Auditd logs on the Linux endpoint, we install Auditd and configure custom rules.

  1. Install Auditd on the endpoint:
# apt -y install auditd
  2. Add the following custom rules to the Auditd rules file /etc/audit/rules.d/audit.rules:
-w /boot/System.img.config -p wa -k possible_chaos_malware_infection
-w /etc/32678 -p wa -k possible_chaos_malware_infection
-w /etc/init.d/linux_kill -p wa -k possible_chaos_malware_infection
-w /etc/id.services.conf -p wa -k possible_chaos_malware_infection
-w /etc/profile.d/bash_config.sh -p wa -k possible_chaos_malware_infection
  3. Reload the Auditd rules to apply the changes and verify the applied configuration:
# auditctl -R /etc/audit/rules.d/audit.rules
# auditctl -l
  4. Next, edit the Wazuh agent configuration file /var/ossec/etc/ossec.conf and add the following settings within the <ossec_config> block.
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/audit/audit.log</location>
</localfile>
  5. Restart the Wazuh agent to apply the changes:
# systemctl restart wazuh-agent

Wazuh server

In this section, we create rules to detect Chaos malware using the techniques, tactics, and procedures (TTPs) identified. We add the rules below to the /var/ossec/etc/rules/local_rules.xml file on the Wazuh server:

<group name="chaos_malware_windows,">

  <!-- Rogue file creation -->  
  <rule id="100112" level="15">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)(\\Users\\.+\\)</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)\\ProgramData\\Microsoft\\csrss.exe</field>
    <description>Malicious activity detected. csrss.exe created at $(win.eventdata.targetFilename)</description>
    <mitre>
      <id>T1574.005</id>
    </mitre>
  </rule>

  <!-- Registry key creation for persistence -->
  <rule id="100113" level="15">
    <if_sid>92300</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)[c-z]:(\\Users\\.+\\)</field>
    <field name="win.eventdata.details" type="pcre2">(?i)[c-z]:(\\ProgramData\\Microsoft\\csrss.exe)</field>
    <description>Possible Chaos malware activity: $(win.eventdata.details) added itself to the Registry as a startup program to establish persistence</description>
    <mitre>
      <id>T1547.001</id>
    </mitre>
  </rule>

  <!-- DNS query to rogue hosts -->
  <rule id="100114" level="5" ignore="600">
    <if_sid>61600</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)(\\Users\\.+\\)</field>
    <field name="win.eventdata.queryName" type="pcre2">(?i)yusheng\.j0a\.cn</field>
    <description>Possible Chaos malware activity: DNS query to rogue host</description>
    <mitre>
      <id>T1071.004</id>
    </mitre>
  </rule>

</group>

<!-- Rule to detect Chaos malware on Linux -->
<group name="chaos_malware_linux">
  <rule id="100120" level="15">
    <if_sid>80700</if_sid>
    <field name="audit.key">possible_chaos_malware_infection</field>
    <description>Possible Chaos malware infection - Auditd</description>
    <mitre>
      <id>T1204.002</id>
    </mitre>
  </rule>
</group>

Where:

  • Rule id 100112 detects when Chaos malware creates a copy of itself, csrss.exe, in the ProgramData directory.
  • Rule id 100113 detects when the malware sets the malicious copy csrss.exe as a Run key in the Registry.
  • Rule id 100114 detects when the malware makes a DNS request to the rogue host yusheng.j0a.cn.
  • Rule id 100120 detects when the Auditd rules added above are triggered.

Note

Due to the large volume of DNS requests from the malware, rule 100114 can cause agent event queue flooding. Therefore, this detection rule is optional.

Once the rules have been added, restart the Wazuh manager to apply the changes using the command below:

# systemctl restart wazuh-manager

Below is the screenshot of the alerts generated on the Wazuh dashboard when the Chaos malware is executed on the Windows victim endpoint:

Also, the screenshot below shows the alerts generated on the Wazuh dashboard when Chaos malware is executed on the Ubuntu victim endpoint:
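To see how the rules above chain on if_sid, require every field pattern to match, and use ignore="600" to damp the DNS flood mentioned in the note, here is an added Python example (not Wazuh's or the post's code) that runs the same patterns over constructed Sysmon events and audit.log lines. The parent rule ids 61613, 92300 and 61600 are taken as given from the rules; the dropper path, the benign svchost.exe event and the audit lines are constructed samples.

```python
"""Offline walk-through of this post's Chaos detection rules (added example, not
Wazuh code). Python's re stands in for Wazuh's pcre2; the patterns are those of
rules 100112-100114 with the C2 host's dots escaped. All inputs are constructed."""
import re

# Per custom rule: the parent rule it chains from (if_sid), the <field> patterns
# that must all be found, and the ignore window in seconds (rule 100114 only).
WINDOWS_RULES = {
    100112: {"if_sid": 61613, "ignore": 0, "fields": {            # file creation
        "image": r"(?i)(\\Users\\.+\\)",
        "targetFilename": r"(?i)\\ProgramData\\Microsoft\\csrss\.exe"}},
    100113: {"if_sid": 92300, "ignore": 0, "fields": {            # Run key
        "image": r"(?i)[c-z]:(\\Users\\.+\\)",
        "details": r"(?i)[c-z]:(\\ProgramData\\Microsoft\\csrss\.exe)"}},
    100114: {"if_sid": 61600, "ignore": 600, "fields": {          # DNS query
        "image": r"(?i)(\\Users\\.+\\)",
        "queryName": r"(?i)yusheng\.j0a\.cn"}},
}
CHAOS_AUDIT_KEY = "possible_chaos_malware_infection"  # -k value in the auditd rules


def match_windows(event):
    """Rule ids whose if_sid is the event's parent rule and whose every field
    pattern is found in the corresponding win.eventdata field."""
    data = event["eventdata"]
    return [rid for rid, rule in WINDOWS_RULES.items()
            if event["parent_sid"] == rule["if_sid"]
            and all(re.search(pat, data.get(name, ""))
                    for name, pat in rule["fields"].items())]


class Alerter:
    """Models ignore="600" on rule 100114 (simplified to one timer per rule id):
    after a rule fires, matches inside the window are dropped, which is how the
    post keeps the malware's constant DNS queries from flooding the queue."""
    def __init__(self):
        self.last_fired = {}

    def process(self, ts, event):
        fired = []
        for rid in match_windows(event):
            prev = self.last_fired.get(rid)
            if prev is not None and ts - prev < WINDOWS_RULES[rid]["ignore"]:
                continue
            self.last_fired[rid] = ts
            fired.append(rid)
        return fired


def match_auditd(line):
    """Rule 100120: fires on the SYSCALL record carrying the key the -w rules
    attach; the PATH record names the file but carries no key."""
    m = re.search(r'\bkey="([^"]+)"', line)
    return [100120] if m and m.group(1) == CHAOS_AUDIT_KEY else []


# Constructed Sysmon events in Wazuh's win.eventdata shape; ts is seconds.
DROPPER = r"C:\Users\victim\Downloads\sample.exe"  # hypothetical dropper path
C2 = {"image": DROPPER, "queryName": "yusheng.j0a.cn"}
SYSMON_EVENTS = [
    (0, {"parent_sid": 61613, "eventdata": {"image": DROPPER,
         "targetFilename": r"C:\ProgramData\Microsoft\csrss.exe"}}),
    (5, {"parent_sid": 92300, "eventdata": {"image": DROPPER,
         "details": r"C:\ProgramData\Microsoft\csrss.exe"}}),
    (10, {"parent_sid": 61600, "eventdata": C2}),
    (70, {"parent_sid": 61600, "eventdata": C2}),    # inside the 600 s window
    (700, {"parent_sid": 61600, "eventdata": C2}),   # window expired, fires again
    # Same target path, but the writer is not under \Users\, so 100112 stays quiet.
    (800, {"parent_sid": 61613, "eventdata": {"image": r"C:\Windows\System32\svchost.exe",
           "targetFilename": r"C:\ProgramData\Microsoft\csrss.exe"}}),
]
# Constructed audit.log lines: the tagged SYSCALL, its PATH record, an unrelated open.
AUDIT_LINES = [
    'type=SYSCALL msg=audit(1671400000.101:301): syscall=257 success=yes exe="/usr/bin/dash" key="possible_chaos_malware_infection"',
    'type=PATH msg=audit(1671400000.101:301): item=1 name="/etc/id.services.conf" nametype=CREATE',
    'type=SYSCALL msg=audit(1671400001.202:302): syscall=257 success=yes exe="/usr/bin/cat" key=(null)',
]


def run_samples():
    """Alerts per Sysmon event, then per audit line, in input order."""
    alerter = Alerter()
    return ([alerter.process(ts, ev) for ts, ev in SYSMON_EVENTS],
            [match_auditd(line) for line in AUDIT_LINES])
```

Running run_samples() shows the second DNS query suppressed by the ignore window and the svchost.exe write ignored because the image pattern is not met.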

Conclusion

In this blog post, we demonstrated how to detect Chaos malware using Wazuh. We showed how to use the Wazuh integrations with VirusTotal, Sysmon, and Auditd to detect Chaos malware and its malicious activities.

References

The post Chaos malware: Detecting using Wazuh appeared first on Wazuh.

Google Workspace Updates Weekly Recap – December 16, 2022

New updates

Unless otherwise indicated, the features below are fully launched or in the process of rolling out (rollouts should take no more than 15 business days to complete), launching to both Rapid and Scheduled Release at the same time (if not, each stage of rollout should take no more than 15 business days to complete), and available to all Google Workspace and G Suite customers.

Drive approvals available on Android and iOS apps

Google Drive users have had the ability to send an item for approval on the web since 2021. These approvers can comment, approve, or reject a request on a file. Starting this week, Drive approvals are now available on the Drive Android and iOS apps. | Available to Google Workspace Essentials, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, Enterprise Plus, Education Plus, and legacy G Suite Business customers only. | Learn more.

New keyboard shortcuts for Google Sheets on Android

In continuing our mission to provide a top-class user experience on large screen devices, we’re releasing new and updated keyboard shortcut options on Android that better align with the Google Sheets web experience. | View the full list of shortcuts and learn more here. 

Additional functionality for storage management

Adding shared drive storage limits and shared drives IDs are now available as part of the new set of tools for managing storage. Please refer to our original announcement for more information. | Learn more.

Previous announcements

The announcements below were published on the Workspace Updates blog earlier this week. Please refer to the original blog posts for complete details.

Facet Enhancements for Cloud Search

It’s now easier to configure and use Cloud Search search filters and facets with multiple enhancements to our existing functionalities. With this launch, you can use the Cloud Search Query API to configure new additional capabilities. | Available to Google Cloud Search Customers. | Learn more. 

Easily format and display code in Google Docs

We’ve added a new smart canvas feature that makes this process much easier by enabling you to format and display code in Docs with code blocks. | Available to Google Workspace Business Standard, Business Plus, Enterprise Standard, Enterprise Plus, Education Standard, Education Plus customers and Nonprofits only. | Learn more. 

Email notifications from Google now available in the Alert Center

Admins routinely receive notifications from Google to inform them about important Google Workspace updates. Now when admins receive these notifications, they’ll also be captured in the Alert Center in the admin console. This will help make it easier for admins to stay on top of important communications from Google. | Learn more. 

Enjoy improved call performance with intelligent network switching in Google Voice

To ensure the best call experience, Google Voice now automatically switches ongoing calls between cellular data service and Wi-Fi when it determines that one network type will lead to better call quality. | Learn more.

Expanded language support for captions and translated captions in Google Meet

We’ve expanded language support for standard captions and translated captions in Google Meet. | Standard captions are available for all users. Translated captions are available for meetings organized by Google Workspace Business Standard, Business Plus, Enterprise Starter, Enterprise Standard, Enterprise Plus, Education Plus, and the Teaching and Learning Upgrade customers. | Learn more.

Client-side encryption for Gmail available in beta

We’re expanding customer access to client-side encryption in Gmail on the web. Google Workspace Enterprise Plus, Education Plus, and Education Standard customers are eligible to apply for the beta until January 20th, 2022. | Learn more.

Completed feature rollouts

The features below have finished rolling out to Rapid Release domains, Scheduled Release domains, or both. Please refer to the original blog posts for additional details.

Rapid Release Domains:

Rapid and Scheduled Release Domains:

For a recap of announcements in the past six months, check out What’s new in Google Workspace (recent releases).

Client-side encryption for Gmail available in beta

What’s changing

We’re expanding customer access to client-side encryption in Gmail on the web. Google Workspace Enterprise Plus, Education Plus, and Education Standard customers are eligible to apply for the beta until January 20th, 2023.

Using client-side encryption in Gmail ensures sensitive data in the email body and attachments are indecipherable to Google servers. Customers retain control over encryption keys and the identity service to access those keys.

Who’s impacted

Admins and end users

Why it’s important

Google Workspace already uses the latest cryptographic standards to encrypt all data at rest and in transit between our facilities. Client-side encryption helps strengthen the confidentiality of your data while helping to address a broad range of data sovereignty and compliance needs.

Client-side encryption is already available for Google Drive, Google Docs, Sheets, and Slides, Google Meet, and Google Calendar (beta).

Getting started

  • Admins: 
    • Eligible Workspace customers can apply for the beta after completing a few steps to prepare your account.
    • This feature will be OFF by default and can be enabled at the domain, OU, and Group levels (Admin console > Security > Access and data control > Client-side encryption). Visit the Help Center to learn more about client-side encryption.
  • End users: To add client-side encryption to any message, click the lock icon and select additional encryption, and compose your message and add attachments as normal. Visit the Help Center to learn more about using Client-side encryption for Gmail.

Rollout

We will be accepting beta applications and allowlisting customers over the next several weeks.

Availability

  • Available to Google Workspace Enterprise Plus, Education Plus, and Education Standard customers
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Education Fundamentals, Frontline, and Nonprofits, as well as legacy G Suite Basic and Business customers
  • Not available to users with personal Google Accounts

Resources

Expanded language support for captions and translated captions in Google Meet

What’s changing

In January 2022, we announced the general availability of translated captions in Google Meet. Translated captions provide real-time translations of the speaker's language, helping to make meetings more inclusive and collaborative for meeting participants.

We’re expanding on this feature and beginning today, you can:
  • Translate English calls into Japanese, Mandarin (simplified), and Swedish
  • Translate French, German, Portuguese, and Spanish calls into English

Additionally, standard captions are now available in Japanese, Russian, Italian, Korean, Dutch, Portuguese, and Mandarin (traditional). Visit the Help Center for a complete list of available languages.

Some languages will include a “Beta” tag as we continue to optimize performance and introduce additional languages over time. We will continue to provide updates on the Workspace Updates blog as more languages become available.

Getting started

  • Admins: There is no admin control for this feature. 
  • End users: This feature will be available by default. Visit the Help Center to learn more about captions and translated captions in Google Meet.
  • Meeting participants: 
    • You can use live translated captions if the meeting is organized by a user with an eligible Google Workspace edition. 
    • Captions are available for all users.

Rollout pace

Availability

Translated captions
  • Available for meetings organized by Google Workspace Business Standard, Business Plus, Enterprise Starter, Enterprise Standard, Enterprise Plus, Education Plus, and the Teaching and Learning Upgrade
Captions
  • Available to all Google Workspace customers, as well as legacy G Suite Basic and Business customers

Resources

Enjoy improved call performance with intelligent network switching in Google Voice

What’s changing 

To ensure the best call experience, Google Voice now automatically switches ongoing calls between cellular data service and Wi-Fi when it determines that one network type will lead to better call quality. Previously, Voice identified the ideal network only at the time the call was placed and did not make any corrections for changes in network performance that might occur during the call. 

Getting started 

  • Admins: There is no admin control for this feature. 
  • End users: There is no end user setting for this feature. 

Rollout pace 

  • This feature is available now for all users. 

Availability 

  • Available to all Google Voice customers