Attacks on SCADA facilities are not always attacks on SCADA systems. But don’t relax yet

When SonicWall published its 2015 Annual Threat Report, a standout statistic was the jump in attacks on SCADA (supervisory control and data acquisition) facilities. Telemetry data showed attacks increasing from 91,000+ in January 2012 to 675,000+ in January 2014. I’ve been asked whether these are always attacks on the control systems themselves. The answer is no. In fact, most often the attacks are indirect rather than direct. The reason is that SCADA systems are not directly accessible from the Internet. Thank goodness for that. Think of the damage that could be done daily if these systems were part of an easily attacked threat surface. Think of the extortion opportunities. Think of the financial motives. Think of all the havoc that could be wrought given what these systems actually control.

First, what is SCADA? SCADA refers to a type of industrial control system (ICS). Wikipedia™ defines Industrial Control Systems as “computer-based systems that monitor and control industrial processes that exist over the physical world. SCADA systems historically distinguish themselves from other ICS systems by being large-scale processes that can include multiple sites and large distances. These processes include industrial, infrastructure, and facility-based processes . . .” OK, think refineries, clean water plants, power plants, and . . . gulp . . . nuclear power plants. So, yes, these are really important systems. As you would expect, there is a lot of concern when you see data on SCADA facility attacks. After all, the list of possible nightmares is long and dramatic.

But, are any of these dangers real? The answer is kind of yes, and kind of no.

The reality is that “most” of the access to SCADA systems is off the grid. At least, off the Internet. So, Joe Hacker is usually not in a position to poke and prod along and launch an attack. In fact, Joe Hacker is usually not very acquainted with the underlying systems, rendering Joe Hacker somewhat ineffective even if he had direct access.

OK, so should we relax? No. Here’s why. Hundreds of thousands of times every month, the infrastructure that houses SCADA systems is attacked. The point of the attacks is often to gather information about the networks and their points of vulnerability, i.e. reconnaissance. Repeating from above, SCADA systems historically distinguish themselves from other ICS systems by being large-scale processes that can include multiple sites and large distances. If these are large-scale systems that require communications over great distances, might a schematic of the entire infrastructure be valuable? Would information on the control points that give access to the wired or wireless network be useful? What about data on the physical locations of multiple wireless access or control points? Would service log information about where service was performed be of value to an attacker? How about delivery schedules, hardware purchases, requisition information, deployment information, upgrade cycles, etc.? If you were going to attack a system that is not on the Internet, yet whose networks use much of the same equipment used on the Internet (servers, wired networks, closed wireless networks, etc.), could you get the information you need to attack the network?

The answer is most likely yes. And clearly, there are a lot of people who agree, especially bad people. Hence the huge jump in SCADA attacks reported in the threat report. Consider this: a power company has many locations from which it controls remote equipment. That equipment, for example, controls the pressure in pipelines. If those systems use closed wireless, proximity still offers an opportunity to attempt an intrusion into a vulnerable system. Today’s Industrial Control Systems are distributed: they are automated and they communicate over distances. This creates a threat surface.

These systems also face cost and productivity demands. As facilities continue to depend on more traditional Internet “type” equipment, they are increasingly vulnerable to attack. The more wireless used, the greater the chance proximity can become a vector of attack.

Lastly, we certainly know that some attacks have been successful. There is, of course, the famous case of the nuclear centrifuges that were attacked and severely damaged. That was a proof point. Some considered it unlikely to be repeated because it was a state-sponsored attack. Yet if you simply realize that bad guys come in all shapes and sizes, and consider what is at stake, then yes, we all should wake up and realize that even systems not on the public Internet can expose enough data to create risk at a terrifying scale. Common sense security is not enough. Common sense paranoia is a good place to start.

For more information on our research on SCADA attacks, read the 2015 SonicWall Security Annual Threat Report.

Why Dual-Radio Wireless Makes Sense

You’ve decided to make the move to high-speed wireless. Maybe you’re upgrading to 802.11ac or you’re building a new wireless network from scratch. Either way, you’ve got to decide whether the access points you’re going to purchase will have a single radio or dual radios. If price is an issue, choosing an access point with only one radio will save you a little money. However, is that the best decision for your wireless networking needs? Here’s why purchasing dual-radio access points makes financial and practical sense.

Dual-radio access points offer several advantages over those with a single radio.

  1. Extend your investment in 802.11x standards – An access point with two radios allows you to dedicate one radio to 802.11ac clients (laptops, tablets and smartphones) and the other to legacy 802.11b/g/n clients. If you still have a significant investment in devices supporting older wireless standards, a dual-radio access point helps you extend that investment until you’re ready to upgrade.
  2. Use bandwidth-intensive services – Similarly, dual-radio access points allow you to dedicate one radio to services such as Voice over IP, streaming video and others that take up large amounts of bandwidth while your clients connect to the other radio without being negatively impacted by the services.
  3. Enhance wireless security – Having multiple radios enables you to enhance the security of your wireless network in two ways. First, you can use one radio for employees and provide them with access to internal resources while everyone else (guests, partners, etc.) connects to the second radio which offers internet-only access. Second, having a second radio allows you to use one for wireless intrusion detection and prevention scanning including scanning for rogue access points while the other is used to provide client access. Having only one radio would require all users to disconnect in order to perform the scan and then reconnect again later.
  4. Achieve better signal quality – The 802.11ac wireless standard operates in the less-crowded 5 GHz frequency band, providing better signal quality. Dedicating one radio to 5 GHz and the other to 2.4 GHz enables you to take advantage of the higher signal quality 802.11ac offers while still supporting legacy 802.11b/g/n clients over 2.4 GHz thanks to backward compatibility.
  5. Realize higher client capacities – Very simply, an access point with two radios allows you to have more WiFi-enabled devices connected at the same time without experiencing signal interference.

Secure, high-speed wireless

If you have access points with multiple radios then you’re in a position to realize the advantages listed above. If you’re looking at purchasing new access points, consider the benefits dual-radio solutions provide over those with a single radio. SonicWall offers several dual-radio access points as part of its SonicPoint Series. The SonicWall SonicPoint ACe and SonicPoint ACi feature two radios, one dedicated to 802.11ac and the other to 802.11n, while the SonicPoint N2 includes two 802.11n radios. Read more about the SonicPoint Series and how these secure, high-speed access points can help your organization.

SonicWall Security and SonicWall Channel Partners: A Two-Way Street to Greater Security

As part of the SonicWall Network Security Group, we strive to expand the reach of SonicWall Security solutions across the globe using many tools of communication. Our mission is to get our top rated, most effective security solutions into every large, medium and small network across the planet. Part of our strategy to do that is working with excellent security VARs. VARs are absolutely key to customers deploying great security. VARs are often the trusted security advisors for companies of all sizes. We are honored to partner with as many top quality trusted security advisors, like Jason Hill of Exertis VAD Solutions pictured below, to protect as many customers as possible.

To transfer crucial knowledge, and to gain knowledge in return, we run Peak Performance events (our Partner Security Conference). SonicWall Security EMEA Peak Performance in Berlin just finished, and I had the opportunity to present and hear from our partners. To state the obvious, security changes FAST. Way, way too fast to assume everyone can keep up with it easily. And it is too complex to assume all information can be communicated in short emails, marketing blurbs, or webinars. Sometimes, information has to be transferred eyeball to eyeball. Don’t get me wrong. All those other forms of content are REQUIRED but sometimes, there is an extra effort needed.

That extra effort is face-to-face communications. And to my subtle point above (“. . . and to gain crucial knowledge”), we run SonicWall Security Peak Performance not just to give information, but to GET it. Security is far too complex to assume we know everything. Our VARs protect so many customers and are experts in their field. This gives them unique perspectives on what is working and what is not. So knowledge transfer is a two-way street at Peak Performance. We provide tremendous amounts of knowledge coming from the experts representing everything from engineering to business. We covered the technical bits and bytes and the strategy. We communicate about the things we see affecting customers and we predict what will be the new vectors of attack going forward. And our VARs communicate what successes and pains their customers are experiencing. They educate us on the state of reality, not the state of marketing messaging. They are feet on the street and ears to the ground. Our VARs have essential insights that we need and that we consume.

Patrick Sweeney on stage speaking at SonicWall Security EMEA Peak Performance 2015 in Berlin

SonicWall Security Peak Performance therefore is not something that can be done as a webinar. Webinars are one-way streets for the most part. Peak Performances are two-way streets. They are essential for both the SonicWall Network Security Group and to the VARs that protect customers. All have to come ready to learn. All have to be ready to educate. And in that spirit, I want to say, “Thank You.” Thank you to all the VARs that came, those that listened, those that spoke, those that learned, and those that educated. I cannot tell you how much it motivates me and my entire team to get those three days with you. Sometimes the difference between good and great is hard to define. But sometimes it is easy to identify one thing that does have a material impact. Getting together at Peak has a material impact on making the world just a little bit safer for our customers. Thank you!

We invite you to check out SonicWall Security Peak Performance for North America, Aug. 30 to Sept. 2 in Las Vegas.

Microsoft Security Bulletin Coverage (May 12, 2015)

Dell SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of May, 2015. A list of the issues reported, along with Dell SonicWALL coverage information, follows:

MS15-043 Cumulative Security Update for Internet Explorer (3049563)

  • CVE-2015-1658 Internet Explorer Memory Corruption Vulnerability
    IPS: 10927 Internet Explorer Memory Corruption Vulnerability (MS15-043) 3
  • CVE-2015-1684 VBScript ASLR Bypass
    There are no known exploits in the wild.
  • CVE-2015-1685 Internet Explorer ASLR Bypass
    This is a local vulnerability.
  • CVE-2015-1686 VBScript and JScript ASLR Bypass
    IPS: 10926 Internet Explorer ASLR Bypass Vulnerability (MS15-053)
  • CVE-2015-1688 Internet Explorer Elevation of Privilege Vulnerability
    This is a local vulnerability.
  • CVE-2015-1689 Internet Explorer Memory Corruption Vulnerability
    IPS: 10929 Internet Explorer Memory Corruption Vulnerability (MS15-043) 4
  • CVE-2015-1691 Internet Explorer Memory Corruption Vulnerability
    IPS: 10930 Internet Explorer Memory Corruption Vulnerability (MS15-043) 5
  • CVE-2015-1692 Internet Explorer Clipboard Information Disclosure Vulnerability
    IPS: 10931 Internet Explorer Clipboard Information Disclosure Vulnerability (MS15-043) 1
  • CVE-2015-1694 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-1703 Internet Explorer Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-1704 Internet Explorer Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-1705 Internet Explorer Memory Corruption Vulnerability
    IPS: 10932 Internet Explorer Memory Corruption Vulnerability (MS15-043) 6
  • CVE-2015-1706 Internet Explorer Memory Corruption Vulnerability
    IPS: 10933 Internet Explorer Memory Corruption Vulnerability (MS15-043) 10
  • CVE-2015-1708 Internet Explorer Memory Corruption Vulnerability
    IPS: 10934 Internet Explorer Memory Corruption Vulnerability (MS15-043) 8
  • CVE-2015-1709 Internet Explorer Memory Corruption Vulnerability
    IPS: 10937 Internet Explorer Memory Corruption Vulnerability (MS15-043) 10
  • CVE-2015-1710 Internet Explorer Memory Corruption Vulnerability
    IPS: 10935 Internet Explorer Memory Corruption Vulnerability (MS15-043) 12
  • CVE-2015-1711 Internet Explorer Memory Corruption Vulnerability
    IPS: 2121 Internet Explorer Memory Corruption Vulnerability (MS15-043) 1
  • CVE-2015-1712 Internet Explorer Memory Corruption Vulnerability
    IPS: 2122 Internet Explorer Memory Corruption Vulnerability (MS15-043) 2
  • CVE-2015-1713 Internet Explorer Memory Corruption Vulnerability
    This is a local vulnerability.
  • CVE-2015-1714 Internet Explorer Memory Corruption Vulnerability
    IPS: 2123 Internet Explorer Memory Corruption Vulnerability (MS15-043) 7
  • CVE-2015-1717 Internet Explorer Memory Corruption Vulnerability
    IPS: 2125 Internet Explorer Memory Corruption Vulnerability (MS15-043) 11
  • CVE-2015-1718 Internet Explorer Memory Corruption Vulnerability
    IPS: 2143 Internet Explorer Memory Corruption Vulnerability (MS15-043) 13

MS15-044 Vulnerabilities in Microsoft Font Drivers Could Allow Remote Code Execution (3057110)

  • CVE-2015-1670 OpenType Font Parsing Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-1671 TrueType Font Parsing Vulnerability
    There are no known exploits in the wild.

MS15-045 Vulnerability in Windows Journal Could Allow Remote Code Execution (3046002)

  • CVE-2015-1675 Windows Journal Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-1695 Windows Journal Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-1696 Windows Journal Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-1697 Windows Journal Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-1698 Windows Journal Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-1699 Windows Journal Remote Code Execution Vulnerability
    There are no known exploits in the wild.

MS15-046 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3057181)

  • CVE-2015-1682 Microsoft Office Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-1683 Microsoft Office Memory Corruption Vulnerability
    There are no known exploits in the wild.

MS15-047 Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (3058083)

  • CVE-2015-1700 Microsoft SharePoint Page Content Vulnerabilities
    There are no known exploits in the wild.

MS15-048 Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (3057134)

  • CVE-2015-1672 .NET XML Decryption Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-1673 Windows Forms Elevation of Privilege Vulnerability
    There are no known exploits in the wild.

MS15-049 Vulnerability in Silverlight Could Allow Elevation of Privilege (3058985)

  • CVE-2015-1715 Microsoft Silverlight Out of Browser Application Vulnerability
    There are no known exploits in the wild.

MS15-050 Vulnerability in Service Control Manager Could Allow Elevation of Privilege (3055642)

  • CVE-2015-1702 Service Control Manager Elevation of Privilege Vulnerability
    There are no known exploits in the wild.

MS15-051 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191)

  • CVE-2015-1776 Microsoft Windows Kernel Memory Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-1777 Microsoft Windows Kernel Memory Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-1778 Microsoft Windows Kernel Memory Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-1779 Microsoft Windows Kernel Memory Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-1780 Microsoft Windows Kernel Memory Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-1701 Win32k Elevation of Privilege Vulnerability
    There are no known exploits in the wild.

MS15-052 Vulnerability in Windows Kernel Could Allow Security Feature Bypass (3050514)

  • CVE-2015-1774 Windows Kernel Security Feature Bypass Vulnerability
    There are no known exploits in the wild.

MS15-053 Vulnerabilities in JScript and VBScript Scripting Engines Could Allow Security Feature Bypass (3057263)

  • CVE-2015-1784 VBScript ASLR Bypass
    There are no known exploits in the wild.
  • CVE-2015-1786 VBScript and JScript ASLR Bypass
    IPS: 10926 Internet Explorer ASLR Bypass Vulnerability (MS15-053)

MS15-054 Vulnerability in Microsoft Management Console File Format Could Allow Denial of Service (3051768)

  • CVE-2015-1781 Microsoft Management Console File Format Denial of Service Vulnerability
    SPY: 4880 Malformed-File msc.MP.1

MS15-055 Vulnerability in Schannel Could Allow Information Disclosure (3061518)

  • CVE-2015-1716 Schannel Information Disclosure Vulnerability
    There are no known exploits in the wild.

Tips for Deploying Wireless in Your Small Business

As a product manager in the security industry I have the opportunity to travel all over the world. On my trips it’s been very rare that I’ll find a location that does not provide some sort of wireless access. Even the most remote locations that may have a small coffee shop, eating establishment or small gathering area offer WiFi. Today it should be a no-brainer for businesses of all kinds to provide wireless access to employees and maybe even extend this to their guests.

Most employees use mobile devices such as laptops, smartphones and tablets. Looking at the latest laptop models online most, if not all, come standard with an 802.11ac wireless adapter and you would be hard pressed to find a smaller laptop that has a LAN network interface which does not require an additional dongle or add-on cable.

Now let’s look at what it will take to roll out a wireless deployment for a small business properly and securely.

To begin with, initiate a site survey for the building. This will help you figure out how many access points you will need to provide awesome wireless coverage throughout the structure. It will also enable you to determine whether there are any issues with walls, microwaves or anything else that may interfere with the wireless signal.

Next, decide if you want to provide guest access. If you do, you will need to understand the wireless security requirements you’ll need to enforce, such as setting up a virtual access point, enforcing the use of encryption or leaving the guest access open, but requiring authentication to a captive portal, similar to what airports may use before guests are able to access the internet.

For employee wireless security you can require standards-based WPA2 encryption and decide whether you will use PSK or EAP, the latter of which requires an authentication server. For an additional level of security, you can mandate the use of SSL VPN to access company resources over the wireless network.
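As an added illustration (not from the original post), here is how WPA2-Personal turns a passphrase into the pre-shared key, using the PBKDF2-HMAC-SHA1 derivation defined in IEEE 802.11i, together with a few defender-side checks on a planned PSK deployment. The test vector (“password” on SSID “IEEE”) comes from the standard; the COMMON_DEFAULT_SSIDS list, the min_len threshold and the client names are assumptions made for the demo.

```python
import hashlib

# Added example (not from the article): how a WPA2-Personal passphrase becomes
# the 256-bit PSK shared by every client of an SSID. IEEE 802.11i specifies
# PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 256-bit output.

# Constructed list of very common default SSID names used by the policy check
# (an assumption for the demo, not a standard list).
COMMON_DEFAULT_SSIDS = {"linksys", "netgear", "default", "dlink", "wireless", "home"}


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 32-byte PSK (used as the PMK) from an 8..63 character passphrase."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases must be 8 to 63 characters long")
    if not passphrase.isascii() or not passphrase.isprintable():
        raise ValueError("passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def psk_policy_findings(passphrase: str, ssid: str, min_len: int = 20) -> list[str]:
    """Defender-side checks on a planned PSK deployment (heuristics, not a standard)."""
    findings = []
    if len(passphrase) < min_len:
        findings.append(f"passphrase shorter than {min_len} characters")
    if passphrase.isdigit() or (passphrase.isalpha() and passphrase.islower()):
        findings.append("passphrase drawn from a single character class")
    if ssid.lower() in COMMON_DEFAULT_SSIDS:
        # The SSID is the PBKDF2 salt, so a common name means the same passphrase
        # derives the same key on every network that uses that name.
        findings.append("default SSID name: the same passphrase derives the same "
                        "PSK on every network with this name")
    return findings


def per_client_keys(passphrase: str, ssid: str, clients: list[str]) -> dict[str, str]:
    """Show why PSK does not scale to many users: every client ends up holding
    the identical secret, so off-boarding one user means re-keying all of them.
    WPA2-Enterprise (EAP) instead gives each user their own credential."""
    psk = wpa2_psk(passphrase, ssid).hex()
    return {client: psk for client in clients}


if __name__ == "__main__":
    print(wpa2_psk("password", "IEEE").hex())  # IEEE 802.11i Annex H test vector
    print(psk_policy_findings("password", "linksys"))
    print(per_client_keys("password", "IEEE", ["laptop", "phone"]))
```

The per_client_keys function makes the trade-off concrete: every device on a PSK network holds the same 32-byte secret, so removing one user means re-keying all of them, while EAP binds each session to an individual credential checked by the authentication server the post mentions.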

With this new wireless network you will also need to take into consideration the security of the traffic going into and out of the wireless network for both employees and guests. This may include adding content/web filtering as a way to limit access to sites that could contain malware, and scanning all traffic through a deep packet inspection engine to look for potential intrusions and malware-based attacks that could impact employee or guest devices.

Additionally, you will want to enforce application-level bandwidth controls on the wireless network to ensure employees and guests don’t consume all the Internet bandwidth watching HD movies or downloading content.

Now that you’ve read through some of the basic requirements for deploying a wireless network, it might be a good time to get in contact with your local reseller or partner who can help with the planning, deployment and ongoing management of your wireless network.

UC Browser: Web Browsing Incognito (Dell SonicWALL Application Control)

UC Browser on Android

UC Browser (UCWeb Inc.) is a mobile web browser with a large market share in China and India. It has versions for most popular mobile devices; as of 2015, UCWeb claims to support over 3,000 models of cell phone. The browser tunnels your web traffic via UCWeb servers located in China. They claim that their compression of web data improves download speeds and reduces data usage charges for customers. The Incognito mode allows user web surfing to evade firewall filtering. This article analyses UC Browser Incognito mode traffic to their UCloud from an Android smartphone and from the stand-alone PC version. The company is affiliated with TaoBao, and the parent company is Alibaba.

Install the App from the Google Play Store

Beware of the Terms of Agreement

Many mobile apps request access to your pictures and other media on the phone, the camera and microphone, device ID and call information, identity, and more.

Enable Encrypt with UCloud

Go to the options menu, and choose “Encrypt with UCloud”.

Enter a URL

Here I am browsing to www.craigslist.com.

Network Packet Traces

Here you can see a few representative samples of traffic collected from the application.


The application is collecting data and sending it back to a UCWeb domain.

Proxy Servers hosted by MileWeb

Most of the application traffic passes through proxy servers hosted by a company called MileWeb (www.mileweb.com). The traffic to the server appears to be encrypted. The traffic coming from the server is HTTP chunked (transfer) encoded. I was not able to decode the encrypted traffic in either direction. After de-chunking the server’s traffic, it appears to be using a compression format called TTComp archive data. However, it did not decode as such, so it may be a proprietary compression format.
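To make the de-chunking step concrete, here is an added Python example (not part of the original analysis) that undoes HTTP chunked transfer coding, fingerprints the decoded bytes against common compression headers, and tries the deflate-family decoders. The chunked bodies are constructed for the demo, not captured UC Browser traffic; the opaque sample merely stands in for a payload that, like the TTComp-looking data above, does not decode.

```python
import gzip
import zlib

# Added example (not from the article): the analysis step the write-up describes
# for the MileWeb proxy responses, i.e. undo HTTP chunked transfer coding, then
# look at the decoded bytes for a known compression header and try to inflate.
# The chunked samples below are constructed for the demo, not captured traffic.


def dechunk(body: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked body (RFC 7230 section 4.1).
    Each chunk is: hex-size[;extensions] CRLF, data, CRLF. A zero-size chunk ends
    the body; any trailer fields after it are ignored here."""
    out = bytearray()
    pos = 0
    while True:
        nl = body.find(b"\r\n", pos)
        if nl < 0:
            raise ValueError("truncated chunk-size line")
        size = int(body[pos:nl].split(b";", 1)[0].strip(), 16)
        pos = nl + 2
        if size == 0:
            return bytes(out)          # last-chunk reached
        end = pos + size
        if body[end:end + 2] != b"\r\n":
            raise ValueError("chunk data truncated or missing CRLF")
        out += body[pos:end]
        pos = end + 2


# Magic numbers of compression containers commonly seen in proxied responses.
MAGIC = [
    (b"\x1f\x8b", "gzip"),
    (b"PK\x03\x04", "zip"),
    (b"BZh", "bzip2"),
    (b"\xfd7zXZ\x00", "xz"),
    (b"\x28\xb5\x2f\xfd", "zstd"),
]


def identify(payload: bytes) -> str:
    """Name the container by its header, or 'unknown' (as with the proprietary UCWeb data)."""
    for sig, name in MAGIC:
        if payload.startswith(sig):
            return name
    # zlib: CMF=0x78 (deflate, 32 KiB window) and CMF*256+FLG divisible by 31.
    if len(payload) >= 2 and payload[0] == 0x78 and (payload[0] * 256 + payload[1]) % 31 == 0:
        return "zlib"
    return "unknown"


def try_inflate(payload: bytes):
    """Attempt the deflate-family decoders; return (codec, data) or None."""
    attempts = (("gzip", gzip.decompress),
                ("zlib", zlib.decompress),
                ("raw-deflate", lambda b: zlib.decompress(b, -15)))
    for name, fn in attempts:
        try:
            return name, fn(payload)
        except (OSError, EOFError, zlib.error):
            continue
    return None


def analyse_response(chunked_body: bytes) -> dict:
    """Full pipeline: de-chunk, fingerprint, try to inflate."""
    decoded = dechunk(chunked_body)
    inflated = try_inflate(decoded)
    return {
        "decoded_len": len(decoded),
        "magic": identify(decoded),
        "codec": inflated[0] if inflated else None,
        "plaintext": inflated[1] if inflated else None,
    }


def chunked(data: bytes, size: int = 7) -> bytes:
    """Helper that builds a chunked body, used only to construct the samples."""
    pieces = [data[i:i + size] for i in range(0, len(data), size)]
    return b"".join(b"%x\r\n%s\r\n" % (len(p), p) for p in pieces) + b"0\r\n\r\n"


# Constructed samples: one gzip-compressed page, one opaque blob standing in for
# the undecodable proxy payload (first byte 0x07 is not a valid gzip/zlib/deflate start).
OPAQUE_UNIT = b"\x07\x00UC-OPAQUE-SAMPLE\x00\xff\x10\x42"
SAMPLE_GZIP = chunked(gzip.compress(b"<html><body>constructed page</body></html>"))
SAMPLE_OPAQUE = chunked(OPAQUE_UNIT * 3)

if __name__ == "__main__":
    for label, body in (("gzip", SAMPLE_GZIP), ("opaque", SAMPLE_OPAQUE)):
        r = analyse_response(body)
        print(label, r["decoded_len"], r["magic"], r["codec"])
```

When a real capture reaches the "unknown / None" outcome, the next steps are byte-level (entropy, repeated structure across responses), which is exactly the point at which the analysis above stopped.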

Blocking this traffic with Dell SonicWALL Application Control

To block this traffic, enable the following Dell SonicWALL Application signatures:

  • 10913 UC Browser — HTTP Activity 1
  • 10914 UC Browser — HTTP Activity 2
  • 10915 UC Browser — HTTP Activity 3
  • 10921 UC Browser — HTTP Activity 4
  • 10922 UC Browser — HTTP Activity 5

To block unknown encrypted traffic communications from your network, enable the following:

  • 5 Encrypted Key Exchange — Random Encryption (Skype,UltraSurf,Emule)
  • 7 Encrypted Key Exchange — UDP Random Encryption(UltraSurf)

SonicWall Security Named Grand Trophy Winner

On April 20, 2015, Info Security Products Guide, the industry’s leading information security research and advisory guide, announced the winners for its 11th Annual Info Security 2015 Global Excellence Awards. These prestigious global awards recognize security and IT solutions that have a profound impact on the Security industry. More than 50 industry leaders including CISOs, executives, and industry analysts and experts from around the world participated in the selection of the winners for 72 security and IT product and service categories.

Today, we are thrilled to announce that Info Security Product Guide has honored SonicWall as the Grand Trophy Winner as well as the winner of 12 additional awards outlined in the table below. These recognitions validate the feedback we get from our customers.

 Info Security Products Guide 2015 Global Excellence Grand

For nearly two decades, SonicWall Security has created innovative products that have set and reset the standard for security. Our technologies have continued to lead the way with an advanced patented security architecture in addition to a best-in-class security research team enabling our customers to be future-ready. SonicWall’s industry experience, innovative technologies and technical excellence to solve security and compliance challenges have made us the vendor of choice for many leading Fortune 500 organizations across all sectors. Receiving these honors affirms our deep commitment to investing in ongoing research and development as well as our unique dedication to helping our customers experience a more secured future.

| Category | Award |
| --- | --- |
| Grand Trophy Winners | SonicWall (2,500+ employees) |
| Firewalls | Gold Winner: SonicWall SuperMassive 9800 |
| New Products & Services | Silver Winner (2,500+ employees): SonicWall SuperMassive 9800 |
| Integrated Security & Unified Threat Management (UTM) | Bronze Winner: SonicWall TZ Series |
| IPSec/SSL/VPN | Bronze Winner: SonicWall Secure Mobile Access (SMA) |
| Network Security & Management | Silver Winner: SonicWall Global Management System (GMS) |
| Email Security & Management | Bronze Winner: SonicWall Hosted Email Security |
| Auditing | Silver Winner: SonicWall ChangeAuditor |
| Best Security Software (New or Updated) | Bronze Winner: SonicWall One Identity-as-a-Service |
| Cloud Security | Bronze Winner: SonicWall Cloud Access Manager |
| Compliance | Bronze Winner: SonicWall ChangeAuditor |
| Identity Management | Bronze Winner: SonicWall One Identity Manager |
| Endpoint Security | Bronze Winner: SonicWall KACE K1000 |

If you are an IT leader responsible for your organization’s information and network security, defining the company’s security defense program and vetting security technologies can be a trying experience, especially when available choices are often equivocal. In these circumstances, how often do you find yourself looking for credible third-party endorsements such as the Info Security Product Guide Global Excellence Awards for guidance and validation prior to making critical purchase decisions? Before buying additional security technologies, here are some key recommendations to consider.

  1. Develop an information and user risk profile and determine the security controls that will be needed to protect the business from internal and external threats.
  2. Perform a comprehensive threat and vulnerability analysis and identify all possible ways users and systems can be exploited by cyber criminals.
  3. Explicitly call out security requirements that can best remediate identified threats, risks and liabilities that require immediate attention.
  4. Accurately map the award-winning SonicWall products listed above to the appropriate use cases identified in steps 1 through 3.
  5. Last but not least, begin layering multiple security technologies together so that you have more than one way of preventing and responding to various attack methods that a hacker may use to harm the organization.

Angler.EK1: a drive by download exploit kit targets Adobe Flash Player

The Dell SonicWALL Threats Research team analyzed a drive-by download exploit kit targeting the Adobe Flash Player family, detected as GAV: Angler.EK1, which leads to the download of additional malware on the target system after a successful exploit run. The Angler exploit kit is known for its use of various Adobe Flash Player exploits; this time the attackers used exploits such as CVE-2015-0313.

Infection Cycle:

MD5s:

  • GAV: Angler.EKSWF1 – SWF Flash Exploit

    • ae4e271b1923c17ef589acba603f2b8a

  • GAV: Angler.EKSWF2 – SWF Flash Exploit

    • 4334efd4612b1f095b3919485dc66ecd

  • GAV: Angler.EK1 – Executable Dropper

    • a29acacfc2b5e44cdbfb769ce9cf9ccf

    • 2e297279f7d919e4e67464af91fb6516

  • GAV: Angler.EK2 – Executable Dropper

    • 37cd5cb1ebabcb921fe20341c2a63fc4

  • GAV: Angler.EK3 – Executable Dropper

    • f15e26ce666d26ef664c196d7ef3e0ed

The malware adds the following files to the system:

  • Angler.EK1

    • %Userprofile%\raxgyxjo.exe

    • %Userprofile%\Local Settings\Temp\6238.bat

  • Angler.EK2, 3

    • %Userprofile%\Local Settings\Temp\mmc32E964E3.xml [mmc + 8 random characters].xml

    • %Userprofile%\Local Settings\Application Data\kmqglxwyvq.png

The malware adds the following value to the Windows registry to ensure persistence upon reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    • "MSConfig"="%Userprofile%\raxgyxjo.exe"

The file raxgyxjo.exe is registered for auto-start in the Windows registry. After the next restart, the malware uses an injected svchost.exe to collect information about the target computer and to send spam emails to new targets.
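Added example (not from the research write-up): a small triage script for Run-key autostart entries that flags the traits described above, a value named after a Windows tool (MSConfig) whose image sits directly in %Userprofile%. The input is constructed text in the layout of `reg query` output; the SYSTEM_LOOKALIKES set and the other heuristics are assumptions for the demo, not Dell SonicWALL signatures, and the entry names and paths other than the Angler one are invented.

```python
import re
from pathlib import PureWindowsPath

# Added example (not from the write-up): triage of Run-key autostart entries,
# using the traits reported above (a value named like a Windows tool, MSConfig,
# whose image lives directly in %Userprofile%). SAMPLE_REG_QUERY is constructed
# text in the layout of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`.

SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Adobe Updater    REG_SZ    "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /quiet
    MSConfig    REG_SZ    %Userprofile%\raxgyxjo.exe
    Sticky Notes    REG_EXPAND_SZ    %windir%\system32\StikyNot.exe
    Updater    REG_SZ    C:\Users\alice\AppData\Local\Temp\svchost.exe -k
"""

# Names of Windows components that malware likes to borrow (assumed list for the demo).
SYSTEM_LOOKALIKES = {"msconfig", "svchost", "explorer", "winlogon", "lsass",
                     "csrss", "services", "rundll32", "taskhost"}
USER_WRITABLE_PREFIXES = ("%userprofile%", "%appdata%", "%localappdata%", "%temp%", "%tmp%")
ENTRY_RE = re.compile(r"^\s+(.+?)\s{2,}(REG_\w+)\s{2,}(.*)$")
IMAGE_RE = re.compile(r'^"([^"]+)"|^(\S+?\.(?:exe|bat|cmd|vbs|js|ps1|dll|scr))(?:\s|$)', re.I)
PROFILE_ROOT_RE = re.compile(r"[a-z]:\\users\\[^\\]+")


def parse_entries(text: str) -> list[dict]:
    """Turn `reg query` style lines into name/type/data records."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"name": m.group(1), "type": m.group(2), "data": m.group(3)})
    return entries


def image_path(data: str) -> str:
    """Pull the executable path out of the value data, dropping arguments."""
    m = IMAGE_RE.match(data.strip())
    return (m.group(1) or m.group(2)) if m else data.strip()


def triage_entry(entry: dict) -> list[str]:
    """Return the reasons an autostart entry deserves a look (empty list = nothing odd)."""
    path = image_path(entry["data"])
    low = path.lower()
    win_path = PureWindowsPath(path)
    parent = str(win_path.parent).lower()
    in_windows_dir = low.startswith(("%windir%", "%systemroot%")) or "\\windows\\" in low
    findings = []
    if low.startswith(USER_WRITABLE_PREFIXES) or "\\appdata\\" in low or "\\temp\\" in low:
        findings.append("image in user-writable location")
    if "\\temp\\" in low or low.startswith(("%temp%", "%tmp%")):
        findings.append("image under a Temp directory")
    if parent == "%userprofile%" or PROFILE_ROOT_RE.fullmatch(parent):
        findings.append("image directly in profile root")
    for candidate in (entry["name"].lower(), win_path.stem.lower()):
        if candidate in SYSTEM_LOOKALIKES and not in_windows_dir:
            findings.append(f"name '{candidate}' mimics a Windows component outside the Windows directory")
            break
    return findings


def triage_run_keys(text: str) -> list[dict]:
    """Only entries with findings, each with its parsed image path and reasons."""
    results = []
    for entry in parse_entries(text):
        findings = triage_entry(entry)
        if findings:
            results.append({"name": entry["name"], "path": image_path(entry["data"]),
                            "findings": findings})
    return results


if __name__ == "__main__":
    for r in triage_run_keys(SAMPLE_REG_QUERY):
        print(r["name"], "->", r["path"])
        for f in r["findings"]:
            print("   ", f)
```

Each finding on its own is a weak signal (per-user installers do live in AppData); the combination seen here, a system-tool name plus an image in the profile root, is what makes the Angler entry stand out.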

Once the computer is compromised, the malware runs the following commands on the system:

Next, the malware generates a unique ID from your system and saves it into a PNG file at %Userprofile%\Local Settings\Application Data\kmqglxwyvq.png.

This UID is saved to be sent to the C&C server; here is an example:

After a while the malware tries to spread itself via spam to new targets; the injected svchost.exe is responsible for that. Here is an example:

Command and Control (C&C) Traffic

Angler.EK1 performs C&C communication over ports 25, 80 and 4101. The malware sends the UID of your system to its C&C server in the following HTTP format; here are some examples:

The malware retrieves random email addresses from its C&C server and starts sending spam to those addresses; here is an example:

Here is some information about the C&C server:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Angler.EKSWF1

  • GAV: Angler.EKSWF2

  • GAV: Angler.EK1

  • GAV: Angler.EK2

  • GAV: Angler.EK3

Why Digital Currencies Like Bitcoin Should Be on Your (security) Radar

What’s the equivalent of cash on the Internet? PayPal? Western Union? Bank transfers? No, no and no, along with many other obvious choices. Each of these online payment methods first requires some sort of identity verification, whether through government issued ID cards, ties to existing bank accounts or to other resources that are directly linked to your identity. The closest equivalent to cash on the Internet is a collection of decentralized, peer-to-peer digital crypto currencies such as Bitcoin, Litecoin and other derivatives. These currencies allow instant online transactions that are completely anonymous, which is exactly what turns them into cash-equivalent payment instruments online. Digital currencies have become increasingly popular over the past several years, with established companies starting to accept them as payments. For example, SonicWall became the largest company in the world to accept Bitcoin as payments with its announcement in 2014. Just a few days ago, Michael Dell (@MichaelDell) tweeted that SonicWall received an 85 bitcoin order for servers, which is roughly $50K USD.

Bitcoins and other digital currencies are called “crypto” currencies because they are built on cryptography: ownership of coins is proven with digital signatures, and new coins are issued through “mining”, a process in which banks of computers or specialized processors race to find a block whose cryptographic hash falls below a target set by the network, which takes enormous numbers of hash computations. The difficulty is not fixed. The network re-targets it (in Bitcoin, every 2016 blocks, roughly two weeks) so that blocks keep arriving at a steady rate however much computing power joins, so as more miners compete the work behind each coin rises, while the number of new coins issued per block halves on a fixed schedule. For those who wish to bypass the mining, bitcoins can also be purchased through online exchanges. The value of bitcoins and other digital currencies is not set through any central authority, but is rather a reflection of several variables such as the number of bitcoins in circulation, the popularity of a particular currency and, very importantly, just as with real cash, trust in the system and people’s expectations of the future value of a single unit of currency. Therefore, the decision to accept payments in bitcoin and other digital currencies carries an additional risk due to the volatility of the bitcoin value. On the day of publication of this blog, the value of a single bitcoin hovers around $228 USD, although it was as high as $979 USD a little over a year ago. Interestingly, anyone can create their own crypto currency if they can get others to use it, so the value of a currency can also fall should a competing currency become more popular or be perceived as more secure.
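To make the mining mechanism concrete, here is an added toy example in Python (not from the original post and not Bitcoin’s actual code): it searches for a nonce that makes the double-SHA-256 of a simplified block header fall below a target, verifies a solution with a single hash, and re-computes the target from the observed block time so that difficulty rises when more hashing power joins. The header layout, the payload and the 16-bit difficulty are constructed simplifications; the 2016-block, 10-minute window and the factor-of-four clamp on each adjustment are Bitcoin’s real parameters.

```python
import hashlib
import struct

# Added toy example, not Bitcoin's implementation. A real header carries more
# fields (version, merkle root, timestamp, bits); here a block is simply
# prev_hash || payload || nonce.
EXPECTED_INTERVAL = 2016 * 600  # Bitcoin's retarget window: 2016 blocks at 10 minutes


def block_hash(prev_hash, payload, nonce):
    """Double SHA-256 of the simplified header, the way Bitcoin hashes its headers."""
    header = prev_hash + payload + struct.pack("<I", nonce)
    return hashlib.sha256(hashlib.sha256(header).digest()).digest()


def target_for_bits(leading_zero_bits):
    """A target that requires the hash to begin with this many zero bits.
    Each extra bit doubles the expected number of hashes needed."""
    return 1 << (256 - leading_zero_bits)


def mine(prev_hash, payload, target, max_nonce=2**32):
    """Try nonces until the hash, read as a 256-bit integer, is below target.
    Returns (nonce, hash, attempts). This brute-force loop is the 'work'."""
    for nonce in range(max_nonce):
        h = block_hash(prev_hash, payload, nonce)
        if int.from_bytes(h, "big") < target:
            return nonce, h, nonce + 1
    raise RuntimeError("nonce space exhausted; change the payload and retry")


def verify(prev_hash, payload, nonce, target):
    """Checking a solution costs one hash while finding it cost thousands;
    that asymmetry is what lets every node validate blocks cheaply."""
    return int.from_bytes(block_hash(prev_hash, payload, nonce), "big") < target


def retarget(old_target, actual_seconds, expected_seconds=EXPECTED_INTERVAL):
    """Bitcoin-style adjustment: if the last window finished early (more hash
    power), shrink the target so the next window is harder, and vice versa.
    The change is clamped to a factor of four in either direction."""
    clamped = max(expected_seconds // 4, min(expected_seconds * 4, actual_seconds))
    return old_target * clamped // expected_seconds


if __name__ == "__main__":
    prev = bytes(32)  # constructed all-zero previous hash, genesis style
    payload = b"constructed block contents"
    target = target_for_bits(16)
    nonce, h, attempts = mine(prev, payload, target)
    print(f"nonce={nonce} attempts={attempts} hash={h.hex()}")
    print("valid:", verify(prev, payload, nonce, target))
    # the window came in at half the expected time -> target halves, difficulty doubles
    print("next target / old target =", retarget(target, EXPECTED_INTERVAL // 2) / target)
```

At 16 leading zero bits the search takes tens of thousands of hashes on a laptop; Bitcoin’s real targets demand on the order of 2^60 or more, which is why mining moved to specialized hardware and why a botnet quietly running this loop on thousands of PCs is worth money to its operator.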

The pseudonymity inherent in crypto currencies also makes digital currency “wallets” into extremely lucrative targets for hackers. These wallets can exist on personal computers or in the cloud on wallet hosting providers’ websites. A wallet is really just a set of private keys: whoever holds the keys can spend the coins, and once they are spent there is no issuer to reverse the transaction and no registered owner to return them to, just like real-world cash. Over the past few years, there have been several types of attacks on crypto currency users. Attacks that steal bitcoins range from indirect and invisible to blatant and direct break-ins that steal the equivalent of the bank vault. The invisible and indirect attacks use botnets to harness victims’ computer power to mine currency for the botnet operator, effectively stealing electricity from thousands of individuals in amounts that may not be noticeable. More direct attacks steal individuals’ unencrypted wallet files, and with them the private keys, from their PCs. The most brazen attacks target online exchanges, the bank equivalents, with poorly implemented security. Our recently published 2015 SonicWall Security Annual Threat Report outlines some attacks on online Bitcoin exchanges that put a few of those exchanges out of business or seriously dented their operations.

As crypto currencies continue to become increasingly accepted by the general public, businesses and retailers will have to adapt and start accepting digital currencies alongside credit cards, PayPal and other online payment methods. This will save some money for these businesses through not having to pay credit card processing fees. However, digital currencies are no free ride. Such businesses must ensure that they carefully manage both the economic and technical risks of such currencies. The economic risks lie in managing the volatility of the value of the digital currencies, while the technical risks are all about security. Losing online “cash” is the same as losing physical cash: it becomes nearly impossible to prove what’s yours once it’s in circulation.

To read more about attacks on digital currencies and other security trends tracked by our threat research team, download the 2015 SonicWall Security Annual Threat Report.

Six Steps to Securing WiFi in a Small Business

In my job at SonicWall, I talk to a lot of people about IT security. One thing I hear a lot of the time from small business owners is something along the lines of “Why would anybody target me? I am just a small company. They would much rather go after big companies.” While this is very true for highly targeted attacks, in which a highly motivated and well-funded attacker goes after a well-known entity, it is simply not true for the majority of attacks, which are much more opportunistic in nature.

Let me give you an example. Let’s say you own a local insurance agency in a retail complex. You rely heavily on your computer system to connect to the insurance company and share information about the policies that you need to write. In the business, we call that “private customer information” and it is what you need to protect. Now, let’s assume you have a broadband connection and a consultant who has helped install and maintain your network including the security component. So far, so good.

Next, you decide you would like to add WiFi to your network so you and your clients can connect more easily. You go down to the local box store, purchase an off-the-shelf consumer-class wireless access point and connect it to an open port in your office. You skip quickly through the setup menu, choose “quick start” and are up and running in a few minutes. Great, right? Not so fast. Most likely some of the steps you skipped over had to do with securing the wireless traffic, but that is difficult and requires some thought, so you decided to do it later, which never happened.

At this point, you have a very secure wired network and an unsecured wireless network. Now, next door is a fast food restaurant with a lot of teenage kids who rotate in and out based on the season. One of them happens to be a wanna-be hacker, who notices a wide open wireless network and decides to investigate. She finds that she can connect to the wireless network and not only get Internet access, but also see the files on your computer, because you allow file sharing and the open access point has put her on the same network as your PCs! And worse, she can see the private customer information that is so important not only to your local agency but also to the nationwide company. And in a fit of teenage rebellion or altruism, she decides to download the customer data and then sends it to the nationwide agency to show them that one of their agents is not being responsible with their customers’ data. Call that white-hat hacking if you like; she is arguably doing your insurance company a favor, although copying the data without permission is still unauthorized access, whatever the motive. Imagine if a neighbor with less noble intentions had been able to extract the data.

This is just an example, illustrating why wireless security is so important. Here are some tips to help you keep this fictional scenario from becoming a reality.

  1. Utilize a firewall with integrated wireless security that simplifies the implementation of wireless network security.
  2. Leverage deep packet inspection on the firewall to scan all traffic to and from the wireless users’ computers for viruses, malware and intrusions that may have been brought in from the outside.
  3. Since many websites now use SSL/TLS encryption to protect user data, make sure that your wireless network security solution can decrypt and scan that encrypted traffic.
  4. Look for wireless network security solutions with wireless intrusion detection and prevention to block rogue access points and minimize the disruption from denial of service attacks.
  5. Apply application control to block unauthorized applications from being used on the wireless network.
  6. Set up a separate, encrypted guest wireless network, isolated from your office network, if you want to allow your customers to use WiFi in the lobby or conference rooms.

This is just one hypothetical example of what can happen if you don’t take security seriously. To learn more about wireless security, here is a quick and easy infographic with more information on this important topic.
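As an added example, not part of the original post, here is a small Python audit of an access point’s configuration that shows the open “quick start” state from the scenario next to a hardened guest-network configuration of the kind step 6 asks for. The three configs are constructed hostapd-style key=value files (hostapd is an assumption; the post names no product), and the 12-character passphrase minimum is an assumed policy rather than a hostapd requirement.

```python
# Added example: audit an access point config for the mistakes in the scenario.
# The three configs are constructed, hostapd-style key=value files.
OPEN_CONFIG = """\
# what a "quick start" wizard leaves behind: an SSID and nothing else
interface=wlan0
ssid=AgencyWiFi
hw_mode=g
channel=6
"""

WEAK_CONFIG = """\
# encrypted, but with legacy WPA/TKIP allowed and a guessable passphrase
interface=wlan0
ssid=AgencyWiFi
hw_mode=g
channel=6
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=TKIP CCMP
wpa_passphrase=password
"""

HARDENED_CONFIG = """\
# step 6 from the list: WPA2/AES guest network, clients kept apart from each other
interface=wlan0
ssid=AgencyWiFi-Guest
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=lobby-guest-access-spring-2015
ap_isolate=1
"""

MIN_PASSPHRASE_LEN = 12  # assumed policy; hostapd itself only requires 8


def parse_hostapd(text):
    """Parse key=value lines into a dict; comments and blank lines are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def audit(cfg):
    """Return finding codes, in a fixed order, for one parsed config."""
    findings = []
    wpa = int(cfg.get("wpa", "0"))  # hostapd bitfield: 1 = WPA, 2 = WPA2 (RSN)
    if wpa == 0:
        findings.append("NO_ENCRYPTION")  # the scenario's wide-open network
    else:
        if wpa & 1:
            findings.append("WPA1_ALLOWED")
        ciphers = (cfg.get("wpa_pairwise", "") + " " + cfg.get("rsn_pairwise", "")).split()
        if "TKIP" in ciphers:
            findings.append("TKIP_ALLOWED")
        if "WPA-PSK" in cfg.get("wpa_key_mgmt", "WPA-PSK").split():
            if len(cfg.get("wpa_passphrase", "")) < MIN_PASSPHRASE_LEN:
                findings.append("WEAK_PASSPHRASE")
    if cfg.get("ap_isolate", "0") != "1":
        # without isolation a guest sits on the same LAN as the office PCs
        findings.append("NO_CLIENT_ISOLATION")
    return findings


if __name__ == "__main__":
    for name, text in [("open", OPEN_CONFIG), ("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)]:
        print(name, audit(parse_hostapd(text)) or "OK")
```

Client isolation alone does not replace putting the guest SSID on its own network segment behind the firewall, which is what keeps the file shares in the scenario out of reach; the check here only catches the configuration left behind by a default setup.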

Follow me on Twitter: @johngord