Looking Ahead to Black Friday: Fortify Your Network Security

One of my first customers in IT was a large retailer, with more than a thousand stores. This was at a time when e-commerce was just beginning, at least for large, traditional retailers. Giving their customers the ability to purchase on the web was still a year or two away.

This retailer made about 90 percent of its annual revenue between Thanksgiving and New Year’s Day. That was “Season”, and the entire year’s IT schedule was built around getting ready for Season. Any and all hardware upgrades, OS changes, and software updates were to be completed and locked in by mid October. Change control during Season was very simple: No changes unless something broken absolutely had to be fixed, you were able to make a 100% solid case for the change, and not doing the change would impact revenue. Otherwise, hold off until January.

Retail’s a lot more complex these days, and brick-and-mortar is only one of the revenue-generating retail channels. Still, Season remains Season. And it all begins with Black Friday. Estimates of 2015’s revenue for the first two days of Season, including Black Friday, top $4 billion in the U.S., with about a third of that coming from online sales. More than 150 million shoppers purchased online during the 2015 Thanksgiving holiday weekend.

Clearly, this is not a time to have security issues with your infrastructure, and especially so with your payment systems, whether online or POS systems in your stores.

The relevant compliance standard is PCI DSS (Payment Card Industry Data Security Standard). Version 3.1 takes effect on June 30 and includes a number of changes from the previous version (3.0). These include, with some exceptions, the removal of SSL and early TLS (versions 1.0 and 1.1) as acceptable security protocols, along with additional clarifications of existing requirements, a number of which are common sense (for example, don’t send unencrypted account numbers in a text message. You think?).

Complying with PCI DSS is a good way to reduce your business’s risk of cyber attack, but it’s really only a waypoint toward better security, not an end in and of itself. That’s a point SonicWall Security’s Tim Brown, our CTO and a SonicWall Fellow, makes in an on-demand webcast highlighting the changes to PCI DSS in version 3.1, so that you can be best prepared for Black Friday. We offer SonicWall network security solutions to help you stay PCI compliant and improve security well beyond the PCI basics. Staying in line with 3.1 will put you in better shape for a more secure, successful Black Friday, Cyber Monday, and holiday Season. It will also prepare you for PCI DSS 3.2, which includes additional clarifications and new requirements, particularly around multifactor authentication for anyone with access to cardholder data. While 3.2 succeeds 3.1 as the standard for assessments as of this October, its new requirements will not be mandated until February 2018; until then, they’ll just be considered best practices.

Learn more about the changes in PCI DSS 3.1, and how they can help your business prepare for Black Friday. View Focusing on security to meet compliance: responding to changes in PCI DSS 3.1.

Apache Struts Dynamic Method Invocation Remote Code Execution (CVE-2016-3081)

A remotely exploitable, unauthenticated vulnerability exists in Apache Struts. It allows an attacker to execute arbitrary code on the server with the privileges of the user running the Java web container process (e.g. Tomcat or JBoss). CVE-2016-3081 has been assigned to this vulnerability.

Apache Struts is an MVC (model-view-controller) framework for building Java web applications. It is built on the Java Servlet API and exposes a single front controller; every client request reaches that controller as an ‘action’. Actions are declared as a mapping in a configuration file, and the corresponding action method is invoked accordingly. The ActionMapper interface provides the mapping between a request and its action; the default implementation is the DefaultActionMapper class.

A remote code execution vulnerability exists in the Apache Struts 2 framework because of insufficient sanitization in the request-parameter prefix handling that DefaultActionMapper registers in its constructor. When Dynamic Method Invocation (DMI) is enabled, the method name an attacker supplies through the ‘method:’ parameter prefix is not properly validated before the framework evaluates it as an OGNL expression. A remote attacker can therefore craft a single malicious request that causes the vulnerable server to execute arbitrary code.

The following versions of Apache Struts are vulnerable when Dynamic Method Invocation is enabled:

  • Apache Struts 2.3.20 through 2.3.28 (except 2.3.20.3 and 2.3.24.3); the issue is fixed in 2.3.28.1

The Dell SonicWall team has written the following signatures to help protect our customers from this attack:

  • 11631:Apache Struts Dynamic Method Invocation Remote Code Execution 1
  • 11632:Apache Struts Dynamic Method Invocation Remote Code Execution 2
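The signatures above look for the same thing a network sensor or WAF rule would: requests that carry the Struts ‘method:’ parameter prefix, or that use DMI at all. The Python below is an added example (it is not SonicWall’s signature logic and not Struts project code) that runs that check over constructed request lines. It parses the request target, keeps percent-encoded characters inside the parameter name where Struts would see them, and separates a plain ‘method:save’ (DMI in use) from a ‘method:’ name that contains OGNL metacharacters. The request lines, the marker list and the finding names are assumptions; the OGNL-shaped sample is inert and is not an exploit.

```python
"""Flag requests that carry the Struts 'method:' parameter prefix, the
vector behind CVE-2016-3081 (S2-032), or that use DMI bang syntax.
Added example, not SonicWall's signature logic; the request lines below
are constructed and the OGNL-looking sample is inert."""
from urllib.parse import parse_qsl, urlsplit

# Characters that never belong in a plain action-method name; their presence
# after "method:" means an expression, not a method name, is being passed.
OGNL_MARKERS = ("#", "@", "(", ")", "%{", "=", ",", "'", '"', "[")

# Constructed sample request lines (not captured traffic).
SAMPLE_REQUESTS = [
    "GET /app/list.action?page=2 HTTP/1.1",                          # benign
    "GET /app/user!save.action?id=7 HTTP/1.1",                       # DMI bang syntax
    "POST /app/user.action?method:save=1 HTTP/1.1",                  # DMI method: prefix
    "GET /app/user.action?method:%23foo%3d%40bar%40baz() HTTP/1.1",  # OGNL-shaped name
]


def parse_request_line(line):
    """Split 'VERB /path?query HTTP/x' into (verb, path, [(name, value), ...])."""
    verb, target, _version = line.split(" ", 2)
    parts = urlsplit(target)
    # parse_qsl splits on '&' and '=' before percent-decoding, so an encoded
    # '%3d' inside a parameter name stays part of the name, as Struts sees it.
    params = parse_qsl(parts.query, keep_blank_values=True)
    return verb, parts.path, params


def classify(line):
    """Return the findings for one request line, in order of discovery."""
    _verb, path, params = parse_request_line(line)
    findings = []
    if "!" in path.rsplit("/", 1)[-1]:
        findings.append("dmi-bang-syntax")
    for name, _value in params:
        if name.startswith("method:"):
            target = name[len("method:"):]
            if any(marker in target for marker in OGNL_MARKERS):
                findings.append("method-prefix-ognl")
            else:
                findings.append("method-prefix")
    return findings


def scan(lines):
    """Map each request line to its findings, dropping clean lines."""
    return {line: hits for line in lines if (hits := classify(line))}


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_REQUESTS).items():
        print(f"{', '.join(hits):22} {line}")
```

Treat ‘method-prefix-ognl’ as an alert; ‘method-prefix’ and ‘dmi-bang-syntax’ are evidence that DMI is enabled on the application, which is the precondition for this CVE. The same check belongs on POST bodies, which this example does not read. On the application side, upgrade to Struts 2.3.28.1 or set the constant struts.enable.DynamicMethodInvocation to false in struts.xml; disabling DMI was the workaround recommended in the project’s S2-032 advisory.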

DMA Locker 4.0, yet another ransomware (June 2nd, 2016)

The Dell SonicWall Threats Research team has observed yet another ransomware in the wild, called DMA Locker. Ransomware remains a very lucrative business for its operators. Assuming no backup is available, the only way of recovering files is to pay the ransom. With this ransomware we can measure some level of success by observing the bitcoin transactions associated with the given address:

Infection Cycle:

The Trojan uses the following PDF icon:

The Trojan drops the following files to the filesystem:

  • %ALLUSERSPROFILE%\cryptinfo.txt (encrypted file)
  • %ALLUSERSPROFILE%\select.bat (encrypted file)
  • %ALLUSERSPROFILE%\svchosd.exe [Detected as GAV: DMALocker.D (Trojan)]
  • %USERPROFILE%\Start Menu\Programs\Startup\x.vbs (encrypted file)

The Trojan adds the following keys to the registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Firewall “%ALLUSERSPROFILE%\svchosd.exe”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Update “%ALLUSERSPROFILE%\select.bat”

The Trojan can be seen running in the process list:

The Trojan uses four “action” commands when communicating with the C&C server:

  • “action=0” : request for unique ID
  • “action=1” : request for RSA Public Key
  • “action=2” : status information from C&C
  • “action=3” : ransom data

The Trojan obtains a unique bot ID from a remote C&C server (“action=0”):

It then uses this bot ID to request an RSA public key from the server (“action=1”):

The bot ID and RSA Public Key are stored in the registry:

  • HKEY_CURRENT_USER\Software dma_id “111E7723E0A34AD3815C0D8A85327F54”
  • HKEY_CURRENT_USER\Software dma_public_key hex:2d,2d,2d,2d,2d,42,45,47,49,4e,20,50,55,42,4c,49,43….
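The registry artifacts listed above (the two Run-key entries and the dma_id / dma_public_key values) can be pulled from a regedit export of the infected profile and checked offline. The Python below is an added example, not SonicWall’s tooling, and makes no Windows API calls: it parses a constructed .reg export, re-joins the backslash-wrapped lines regedit uses for long hex values, turns the REG_BINARY dma_public_key blob back into its PEM text, and reports which of the named persistence entries are present. The export, the value layout (values directly under HKEY_CURRENT_USER\Software, as the listing above shows) and the placeholder key body are assumptions; the key bytes are not a real RSA key.

```python
"""Decode DMA Locker's registry artifacts from a regedit (.reg) export.
Added example, not SonicWall's tooling: the export below is constructed,
the value layout follows the listing in the write-up, and the key body
is a placeholder, not a real RSA public key."""
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
DMA_KEY = r"HKEY_CURRENT_USER\Software"
# Run-key value names the write-up attributes to DMA Locker and the file each points at.
DMA_RUN_ENTRIES = {"Windows Firewall": "svchosd.exe", "Windows Update": "select.bat"}

# Placeholder PEM (assumption) standing in for the real dma_public_key blob.
PLACEHOLDER_PEM = "-----BEGIN PUBLIC KEY-----\nPLACEHOLDER\n-----END PUBLIC KEY-----\n"
_hex = ",".join(f"{b:02x}" for b in PLACEHOLDER_PEM.encode())
# regedit wraps long hex values with a trailing backslash; reproduce that on purpose.
_hex_wrapped = _hex[:59] + ",\\\n  " + _hex[60:]

# Constructed .reg export; paths carry the doubled backslashes regedit writes.
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\n\n"
    f"[{RUN_KEY}]\n"
    '"Windows Firewall"="%ALLUSERSPROFILE%\\\\svchosd.exe"\n'
    '"Windows Update"="%ALLUSERSPROFILE%\\\\select.bat"\n'
    '"OneDrive"="C:\\\\Users\\\\me\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe"\n'
    "\n"
    f"[{DMA_KEY}]\n"
    '"dma_id"="111E7723E0A34AD3815C0D8A85327F54"\n'
    f'"dma_public_key"=hex:{_hex_wrapped}\n'
)


def parse_reg(text):
    """Parse a minimal .reg export into {key: {value_name: value}}.

    REG_SZ values come back as str with regedit's backslash escaping undone;
    'hex:' (REG_BINARY) values come back as bytes.
    """
    text = re.sub(r"\\\r?\n\s*", "", text)  # re-join backslash-continued lines
    result, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            result.setdefault(key, {})
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if key is None or not m:
            continue  # header, blank or unsupported line
        name, raw = m.groups()
        if raw.startswith("hex:"):
            value = bytes.fromhex(raw[4:].replace(",", ""))
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            value = raw[1:-1].replace("\\\\", "\\")
        else:
            value = raw
        result[key][name] = value
    return result


def find_dma_locker(reg):
    """Report the DMA Locker indicators present in a parsed export."""
    run = reg.get(RUN_KEY, {})
    persistence = sorted(
        name for name, target in run.items()
        if name in DMA_RUN_ENTRIES and target.lower().endswith(DMA_RUN_ENTRIES[name])
    )
    sw = reg.get(DMA_KEY, {})
    key_blob = sw.get("dma_public_key")
    pem = key_blob.decode("ascii", "replace") if isinstance(key_blob, bytes) else ""
    return {
        "persistence": persistence,
        "bot_id": sw.get("dma_id"),
        "public_key_pem": pem if pem.startswith("-----BEGIN PUBLIC KEY-----") else None,
    }


if __name__ == "__main__":
    report = find_dma_locker(parse_reg(SAMPLE_REG))
    print("Run-key persistence:", report["persistence"])
    print("bot ID:", report["bot_id"])
    print(report["public_key_pem"])
```

Matching on both the value name and the file it launches keeps a legitimate “Windows Update” Run entry from being flagged. The bot ID is worth recording per host: the C&C issues it before the RSA key is fetched, so hosts that share one are likely to have been keyed from the same server session.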

The Trojan requests the ransom information that is to be displayed to the user (“action=3”):

The following ransom information is displayed on the screen of the infected machine:

A quick lookup of the bitcoin address using the blockchain.info website shows that the same bitcoin address is being used for multiple infections. The campaign has been successful and 6.0001 BTC (totaling $3,150 USD at the time of writing this alert) has been paid by victims so far:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: DMALocker.D (Trojan)