Malicious Android banker targeting Sberbank (February 24, 2017)

The SonicWall Threats Research team observed reports of another Android banker that targets a single bank; this time the target is Sberbank, a Russian bank.

Infection Cycle

Once the APK is installed and opened, an overlay covers the entire screen and asks for device administrator access; the text is in Russian. The user has no way to dismiss the overlay and is effectively forced to grant the privilege. After it receives administrator access the app displays an error message (shown in the images below) and closes its user interface. This gives the impression that the app has stopped working, but it keeps running in the background. Because the app now holds device administrator rights, it cannot be uninstalled through the normal application manager until those rights are revoked.

The app opens a WebSocket connection to the attacker's server and uses it for all further communication:

The app transmits sensitive data stored on the device to the attacker:

  • Device identifiers:
    • IMEI
    • Operator name
    • Phone number
    • Country
  • The user's contact list:

During our analysis the app attempted to send an SMS to Sberbank, a Russian banking and financial services company. As seen in the image below, the app sends the message "balance" to the short code 900, a facility Sberbank provides to its customers for checking their account balance. The reply tells the attacker whether the device owner is a Sberbank customer and how much money is in the account:

The app's code is obfuscated to make it harder for automated tools and analysts to determine its real purpose:

The app carries an image of the Sberbank logo in its resources folder:

We installed the official Sberbank app on the device but did not see any activity that used this image. In the past we have seen apps that show a custom overlay image when a particular targeted app is opened on an infected device, but that was not the case here. The unused logo suggests that an overlay attack may be added in a future version of this app.

Overall this is yet another targeted Android banker that harvests sensitive user information and sends SMS messages on the victim's behalf.

MD5 of the sample (package name com.jfaxw.azatbtvf):

  • a52d34bc0271b5668b42346fec9df662

SonicWALL provides protection against this threat via the following signature:

  • GAV: AndroidOS.Banker.SB (Trojan)

The sample communicated with the following domain and IP address:

  • jkj13kfhk2j42fo17h2deh3lk3hkl4gk.com
  • 185.110.132.96

Microsoft Security Bulletin Coverage (Feb 23, 2017)

Although Microsoft delayed the February Patch Tuesday, this week it released a security update resolving vulnerabilities in Adobe Flash Player. The update replaces the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11 and Microsoft Edge.

SonicWall has analyzed and addressed Microsoft’s security advisory for the month of February 2017. A list of issues reported, along with SonicWall coverage information are as follows:

MS17-005 Security Update for Adobe Flash Player

  • CVE-2017-2982 Adobe Flash Player Vulnerability
    ASPY:1387 "Malformed-File swf.MP.535"
  • CVE-2017-2984 Adobe Flash Player Vulnerability
    ASPY:1388 "Malformed-File mp4.MP.0"
  • CVE-2017-2985 Adobe Flash Player Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-2986 Adobe Flash Player Vulnerability
    ASPY:1390 "Malformed-File flv.MP.0"
  • CVE-2017-2987 Adobe Flash Player Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-2988 Adobe Flash Player Vulnerability
    ASPY:1391 "Malformed-File swf.MP.536"
  • CVE-2017-2990 Adobe Flash Player Vulnerability
    ASPY:1392 "Malformed-File mp4.MP.1"
  • CVE-2017-2991 Adobe Flash Player Vulnerability
    ASPY:1396 "Malformed-File swf.MP.537"
  • CVE-2017-2992 Adobe Flash Player Vulnerability
    ASPY:1397 "Malformed-File swf.MP.538"
  • CVE-2017-2993 Adobe Flash Player Vulnerability
    ASPY:1398 "Malformed-File swf.MP.539"
  • CVE-2017-2994 Adobe Flash Player Vulnerability
    ASPY:1399 "Malformed-File swf.MP.540"
  • CVE-2017-2995 Adobe Flash Player Vulnerability
    ASPY:1400 "Malformed-File swf.MP.541"
  • CVE-2017-2996 Adobe Flash Player Vulnerability
    ASPY:2061 "Malformed-File swf.MP.542"

New variants of Sage ransomware spotted in the wild (Feb 17, 2017)

The SonicWall Threats Research team observed reports of new variants of the Sage ransomware family [GAV: Suspicious#polycrypt.1_2 and Sage.B] actively spreading in the wild.

Sage 2.0 encrypts the victim's files with a strong encryption algorithm and holds them until the victim pays a fee to get them back.

Infection Cycle:

The Malware uses the following icon:

The malware adds the following file to the system:

  • Malware.exe (the original sample) is copied to:

    • %Userprofile%\Application Data\W3UoRbov.exe

The Trojan adds the following entry to the Startup folder to ensure it runs again after a reboot:

  • %Userprofile%\Start Menu\Programs\Startup\6OICFYbI

    • "%Userprofile%\Application Data\W3UoRbov.exe"

The Trojan adds the following keys to the Windows registry:

Once the computer is compromised, the malware copies its executable into the %Userprofile%\Application Data folder and deletes the original file it was launched from.
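An added example, not code from the original post: a small scorer for Startup-folder entries that flags the persistence pattern described above (an extension-less Startup entry launching a randomly named executable under Application Data). The Sage paths are the ones listed above; the benign entries, the scoring weights and the threshold are assumptions for the demo.

```python
# Added example, not code from the original post: score Startup-folder entries
# for the persistence pattern Sage 2.0 uses (an executable with a random name
# under Application Data, launched by an extension-less Startup entry).
import re
from pathlib import PureWindowsPath

APPDATA_MARKERS = ("\\application data\\", "\\appdata\\")
ALNUM_STEM = re.compile(r"[A-Za-z0-9]{6,}")


def looks_random(stem: str) -> bool:
    """Heuristic: an alphanumeric name mixing digits, lower- and upper-case
    letters (W3UoRbov, 6OICFYbI); ordinary product names rarely do this."""
    return bool(ALNUM_STEM.fullmatch(stem)
                and re.search(r"\d", stem)
                and re.search(r"[a-z]", stem)
                and re.search(r"[A-Z]", stem))


def score_entry(entry: str, target: str):
    """Return (score, reasons) for one Startup entry and the file it launches.
    Weights are an assumption for the demo, not a published rule set."""
    e, t = PureWindowsPath(entry), PureWindowsPath(target)
    score, reasons = 0, []
    if t.suffix.lower() == ".exe" and any(m in str(t).lower() for m in APPDATA_MARKERS):
        score += 2
        reasons.append("executable launched from the user's Application Data")
    if e.suffix == "":
        score += 1
        reasons.append("Startup entry has no file extension")
    if looks_random(t.stem):
        score += 1
        reasons.append(f"random-looking target name {t.stem}")
    if looks_random(e.stem):
        score += 1
        reasons.append(f"random-looking entry name {e.stem}")
    return score, reasons


def triage_startup(entries, threshold: int = 3):
    """entries: (startup_path, launched_target) pairs; return hits at/above threshold."""
    flagged = []
    for entry, target in entries:
        score, reasons = score_entry(entry, target)
        if score >= threshold:
            flagged.append({"entry": entry, "target": target,
                            "score": score, "reasons": reasons})
    return flagged


# Constructed entries: one modelled on the Sage paths above, two benign ones.
SAMPLE_ENTRIES = [
    (r"C:\Documents and Settings\alice\Start Menu\Programs\Startup\6OICFYbI",
     r"C:\Documents and Settings\alice\Application Data\W3UoRbov.exe"),
    (r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk",
     r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    (r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk",
     r"C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE"),
]

if __name__ == "__main__":
    for hit in triage_startup(SAMPLE_ENTRIES):
        print(hit)
```

On a live system the target of each .lnk has to be resolved first (a shortcut parser, or `WScript.Shell` from PowerShell), and a known-good allowlist of vendor paths under AppData (OneDrive, Teams and the like) keeps the score from firing on legitimate updaters; the score is a triage aid, not a verdict.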

After encrypting the victim's personal documents and files, the malware shows the following webpage:

It demands that victims pay using Bitcoin in order to receive the decryption key that allows them to recover their files.

Command and Control (C&C) Traffic

The malware performs C&C communication over both TCP and UDP. It sends the system's unique ID to its C&C server in the following format; here are some examples:

We have been monitoring varying hits over the past few days for the signature that blocks this threat:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Suspicious#polycrypt.1_2 (Trojan)

  • GAV: Sage.B (Trojan)

SonicWall is on a Winning Streak in the Cyber Arms Race at RSA 2017

As we wrap up a “winning” week at the 2017 RSA conference in San Francisco, attended by more than 45,000, I am excited to highlight incredible momentum from our Threat Report, recent industry awards, and most importantly the conversations with our loyal customers and partners. We are excited to hear the overwhelming enthusiasm for the 2017 Annual Threat Report, the launch of Email Security 9.0 with Capture, the technical preview of SonicOS 6.2.7 and our SecureFirst Partner Program. In the kiosks in our booth, we demoed solutions to prevent breaches, stop phishing attacks, block ransomware, uncover SSL encrypted threats and identify compromised IoT devices.

All of the innovation we are delivering to the marketplace to get ahead of the cyber arms race has resulted in four awards. Just yesterday, SonicWall won the prestigious SC Magazine Trust Award for Best UTM Security Solution for the SonicWall TZ Firewall Series. The TZ is one of the most secure, sophisticated and widely deployed small-business firewall platforms on the market today. The TZ Series offers a range of Unified Threat Management solutions for SMBs and distributed enterprises across retail, government, remote sites and branch offices. SonicWall also won in three categories from Info Security Products Guide's Global Excellence Awards:

New Products and Services

Bring Your Own Device (BYOD) Security

  • SILVER for SonicWall Secure Mobile Access 1000 Series (version OS 12.0)
    Info Security Products Guide 2017 - Global Excellence Silver Award

Advanced Persistent Threat Detection and Response

The conference was also an opportunity to showcase our ground breaking 2017 SonicWall Annual Threat Report. We continue to build on the momentum of the unique threat data presented in the report. Among the findings discussed were:

  • The volume of unique malware samples declined to 60 million, a 6.25 percent decrease.
  • Point-of-sale malware creation declined by 93 percent since 2014.
  • Secure Sockets Layer/Transport Layer Security encrypted traffic increased by 34 percent year-over-year.
  • Cyber criminals shifted their focus to new threats, including ransomware attacks, which grew 167x year-over-year. Internet of Things devices created a new attack vector, opening the door for large-scale distributed denial-of-service attacks.

RSA 2017 Awards

Because email is a constant target for attacks, we had a kiosk presenting our new SonicWall Email Security 9.0 with Capture ATP. The cloud sandboxing allows you to deploy a next-gen solution for protecting email files, stop phishing and block zero-day attacks and ransomware.

We are also celebrating the launch of our SonicWall Secure First Partner Program. As a 100% channel company, SecureFirst is the way our channel partners access the entire SonicWall portfolio of technology and solutions. With the different levels of commitment to the program come various levels of rewards and benefits. Central to the new program is Reward for Value, SonicWall’s partner profitability framework that rewards partners for the value they bring to selling, implementing, and supporting SonicWall solutions. And SecureFirst is off to a really fast start. In the first 90 days:

  • SecureFirst program registrations reached 8,563 across 90 countries
  • SecureFirst registrations in North America exceeded 5,400
  • SecureFirst New Partner Registrations more than 1,500
  • SecureFirst partner deal registrations spike 66% since divestiture

At SonicWall, we are committed to helping our customers and partners fight the attacks to get ahead of the cyber arms race with the intelligence of our GRID Network, next-gen firewalls, extending our award-winning Capture capabilities with our Email Security solutions, and IoT security to protect the enterprise and drive business productivity. Our goal is to have our award-winning breach prevention, IoT device security and encrypted threat solutions reinforce each other and defend independently to ensure we are setting the highest level of protection for value for our customers and partners.

Microsoft Postpones February Security Updates to March

SonicWall works closely with Microsoft to provide real-time protection to our customers. Microsoft recently announced that the February patches will be delayed "due to a last minute issue that could impact some customers". Microsoft has presumably weighed all options and chosen the safest approach.

Back in November 2016, Microsoft announced an overhaul of Patch Tuesday. The new system was scheduled to go online this month, and it is unclear whether the two events are related. We hope Microsoft fixes the root problem quickly so that future security releases are not affected.

Practical Defense for Cyber Attacks and Lessons from 2017 SonicWall Annual Threat Report

The 2017 SonicWall Annual Threat Report, published last week, covers the evolution of the cybersecurity landscape through 2016. Based on the data from the SonicWall Capture Labs Threat network, the report highlights the advances of the criminal and the defense sides of the global cyber security landscape.

For example, law enforcement apprehended the writers of the popular Angler exploit kit, and POS malware dropped significantly as the industry adopted better security practices and technology. This prompted a wholly expected move from the malware writers as they shifted their efforts into new opportunities ripe for profit, such as ransomware, which emerged as the attack of choice for 2016. Read SonicWall President and CEO Bill Conner's Annual Threat Report blog from last week for a great overview.

We can track much of this evolution in the cybersecurity landscape with the mantra “follow the [easy] money.” In other words, the majority of attacks will move to where the attackers can make the most money with the least amount of effort. A good method of defensive security thinking, therefore, is “How can I make it significantly more difficult for someone to make money off me and my network than from someone else on the Internet?” This may remind some readers about the joke where you have to outrun the other person, not the bear, in order to survive.

So how do you stay ahead?

Go through the following checklist and evaluate whether you are an easy target:

  1. Cover the known attacks: This is foundational. Prevent previously seen malware from being deployed against your users by the lazy attackers who are just looking for an easy opportunity. Protect *all* networks in your organization including small branch offices and remote workers. You must treat those as you would treat your primary corporate site; otherwise, you have a soft side in your defense with a direct route back to your network. Top-notch gateway anti-malware, intrusion prevention and botnet traffic filtering will help you cover these previously-seen threats.
  2. Cover the unknown attacks: Now you are looking for advanced malware. This is the cutting edge. Network sandboxing technology analyzes suspicious files to detect malware that has not yet been observed, studied and classified. For example, if network sandboxing observes bad behavior from a suspicious file, such as encrypting everything in sight or an MS Word document that opens a network connection, it can rule with a high degree of confidence that the file is malicious.
    A few critical points about network sandboxing:
    • a. Invest in evasion-resistant sandboxing technologies. By combining multiple sandboxing technologies you make evasion far harder, because a sample has to defeat every engine at once. This is analogous to running an MRI, a CAT scan and an X-ray simultaneously. Attackers know that sandboxing is starting to be widely deployed, so they look to evade low-tech "checklist" type sandboxes.
    • b. Invest in sandboxing that does not just ring the alarm, but also blocks the threat. Otherwise, you just receive a notification that an advanced piece of malware got through two minutes ago and "Good Luck!" Technology must work for you: sandboxing must hold the unknown file until it reaches a verdict.
    • c. Deploy everywhere, network and email: Our Threat Report found that the most popular payload for malicious email campaigns in 2016 was ransomware (Locky, delivered by the Nemucod downloader). You must look for known and unknown malware in both your network and your email/messaging traffic to cover all your bases.
  3. Cover known and unknown attacks inside encrypted traffic: How much of your traffic is SSL/TLS or SSH? 20%? 50%? 70%? Whichever percentage is correct for you, that is the amount of network traffic that you’re letting in un-inspected if you do not actively intercept that traffic. Malware writers know that this is emerging as the soft spot in many networks. Cover all your bases by looking for known and unknown malware inside of encrypted channels.
  4. Establish a ring of trust by segmenting off your IoT devices: A camera is a computer that can record and send video. A thermostat is a computer that controls temperature. A phone is a computer that can make phone calls. A “smart” refrigerator is a… you get the point. You cannot escape the proliferation of IoT devices in your network, and while the IoT vendors are wrapping their heads around security, you can control your IoT risk by segmenting those devices from the rest of your real network. Grant access on an as-needed basis.

Ransomware Attack Attempts

After reading the full 2017 SonicWall Annual Threat Report, evaluate whether your current network, email and mobile defenses cover the points above and keep you ahead of the attackers. Can they make easy money off you and your users?

SonicWall has technologies that can make you a significantly more difficult target by automating advanced protection and by turning breach detection into breach prevention.

SonicWall Next-Generation and UTM firewalls help to look for known and unknown threats on the network, on both unencrypted and on SSL/TLS encrypted traffic. SonicWall’s line of Access Security solutions can secure mobile users and facilitate proper network and IoT device segmentation.

SonicWall Capture ATP is an award-winning network sandboxing service that runs on SonicWall firewalls and Email Security 9.0 products. Capture utilizes multiple analysis engines with block-until-verdict capability, ensuring that unknown malware does not get through and impact your business. Due to the cloud nature of the service, the intelligence collected from the SonicWall Email Security product line strengthens the protection for firewall users and vice versa – it is a self-reinforcing, learning network.

OpenSSL Multiple Vulnerabilities (Feb 10, 2017)

OpenSSL is a widely-used software library in applications that need to secure communications over computer networks against eavesdropping or need to ascertain the identity of the party at the other end. It contains an open-source implementation of the SSL and TLS protocols. OpenSSL is available for most Unix and Unix-like operating systems (including Solaris, Linux, macOS, QNX, and the various open-source BSD operating systems), OpenVMS and Microsoft Windows.

Multiple vulnerabilities have been discovered in the OpenSSL library; the vendor advisory is available here. CVE-2017-3731 is an integer underflow in the ChaCha20-Poly1305 (1.1.0) and RC4-MD5 (1.0.2) cipher suites: a truncated packet causes an out-of-bounds read, usually resulting in a crash, so it is a remote denial of service against either side of a connection negotiating those suites. CVE-2017-3730 is a NULL pointer dereference in 1.1.0 clients: a malicious server can supply bad parameters for a DHE or ECDHE key exchange and crash the client.

The vendor has patched the vulnerabilities. OpenSSL 1.1.0 users should upgrade to 1.1.0d, and OpenSSL 1.0.2 users to 1.0.2k.
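An added example, not from the original post or the OpenSSL project: given the banner that `openssl version` prints, decide whether the build predates the fixed releases above and which of the two CVEs apply. The branch-to-CVE mapping follows the OpenSSL advisory (CVE-2017-3730 affects only 1.1.0; CVE-2017-3731 affects both 1.1.0 and 1.0.2); the sample banners are constructed.

```python
# Added example, not code from the original post or the OpenSSL project:
# classify an "openssl version" banner against the fixed releases named above.
import re
import subprocess

# Fixed releases from the post; CVE-to-branch mapping from the OpenSSL advisory
# (CVE-2017-3730 affects only the 1.1.0 branch, CVE-2017-3731 both branches).
FIXED_LETTER = {"1.1.0": "d", "1.0.2": "k"}
CVES_BY_BRANCH = {
    "1.1.0": ["CVE-2017-3730", "CVE-2017-3731"],
    "1.0.2": ["CVE-2017-3731"],
}
BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_banner(banner: str):
    """'OpenSSL 1.0.2j  26 Sep 2016' -> ('1.0.2', 'j')."""
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    return f"{m[1]}.{m[2]}.{m[3]}", m[4]


def letter_rank(letters: str) -> int:
    """Order OpenSSL patch letters: '' < 'a' < ... < 'z' < 'za' < 'zb'."""
    rank = 0
    for ch in letters:
        rank = rank * 26 + (ord(ch) - ord("a") + 1)
    return rank


def affected_cves(banner: str):
    """CVEs from the post that still apply to this build.

    Returns [] when the build is at or past the fixed letter, and None when the
    branch is not covered by the post's fix table (an older, unsupported branch
    or a newer one), so that an uncovered branch is not mistaken for 'patched'.
    """
    branch, letters = parse_banner(banner)
    if branch not in FIXED_LETTER:
        return None
    if letter_rank(letters) >= letter_rank(FIXED_LETTER[branch]):
        return []
    return list(CVES_BY_BRANCH[branch])


def check_local() -> dict:
    """Run the local openssl binary and classify its banner."""
    out = subprocess.run(["openssl", "version"], capture_output=True,
                         text=True, check=True).stdout
    return {"banner": out.strip(), "affected": affected_cves(out)}


# Constructed banners in the format "openssl version" prints.
SAMPLE_BANNERS = [
    "OpenSSL 1.0.2j  26 Sep 2016",
    "OpenSSL 1.0.2k  26 Jan 2017",
    "OpenSSL 1.1.0c  10 Nov 2016",
    "OpenSSL 1.1.0d  26 Jan 2017",
    "OpenSSL 1.0.1u  22 Sep 2016",
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(b, "->", affected_cves(b))
```

Caveat: distribution packages (Debian, Red Hat and others) routinely backport these fixes without changing the letter suffix, and applications may bundle their own statically linked OpenSSL, so treat the banner as a first-pass signal and confirm against the package changelog or the vendor's advisory rather than the version string alone.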

SonicWall's threat team has researched these vulnerabilities and released the following IPS signatures to protect customers:

  • IPS:12606 OpenSSL ChaCha20-Poly1305 and RC4-MD5 Integer Underflow 1
  • IPS:12607 OpenSSL ChaCha20-Poly1305 and RC4-MD5 Integer Underflow 2
  • IPS:12608 OpenSSL DHE and ECDHE Parameters NULL Pointer Dereference 1
  • IPS:12609 OpenSSL DHE and ECDHE Parameters NULL Pointer Dereference 2

Cancer Ransomware forgets how to ransomware (Feb 10, 2017)

With Locky ransomware activity at an all-time low, smaller players in this scam continue to appear in the wild. This week the SonicWALL Threats Research team received reports of yet another variant that appears to be in its early stages. This Trojan behaves like ransomware, but during our analysis it never showed a warning or instructions on how to regain the files and send payment, the most common sign of a ransomware infection. It ended up being more of an annoyance than a Trojan trying to defraud its victim.

Infection Cycle:

This Trojan arrives as a fake VirusTotal-related file. It uses the following icon and file properties:

Upon execution, it tries to send an ID to a remote server presumably to “register” the infection.

It creates a copy of itself in the AppData directory and also drops the following files:

  • %APPDATA%\Local\~~42340900CANCER~~.dat
  • %APPDATA%\Local\ewwwwww~cancer.png

The PNG file appears to be the image used to change the victim's desktop background after a successful infection:

The .dat file contains nothing but a few unused strings; it may be a placeholder for a file that is later used to log infection data.

During infection, an image of a face will start floating on the desktop like a screensaver.

At this point the victim's files are not encrypted; they are overwritten.

File names and extensions stay the same, but the files no longer work. File associations are also modified, so any overwritten file now shows the fake VirusTotal icon and launches the Trojan when opened.

The following registry changes were also made:

When opened with a text editor, the victim’s files will now just bear the string “_cancer” and nothing else.

At this point the machine became so unstable that it blue-screened. No ransom note or file with payment instructions was observed during the analysis. The victim will also be unable to reboot the machine, since operating-system boot files are overwritten as well, which renders the machine useless.
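An added example, not part of the original post: a scanner that finds files the Trojan has overwritten with the "_cancer" marker and, going beyond what the post describes, files whose header no longer matches their extension (which catches an executable hiding behind a document extension, the kind of substitution the icon and file-association changes above are designed to disguise). The directory it scans is constructed for the demo.

```python
# Added example, not code from the original post: detect files overwritten with
# the "_cancer" marker, plus files whose content no longer matches their extension.
import tempfile
from pathlib import Path

MARKER = b"_cancer"   # the only content left in an overwritten file, per the post

# Leading bytes expected for a few common extensions (magic numbers).
MAGIC = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".docx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
}


def classify(path: Path) -> str:
    """'intact', 'overwritten: ...' or 'type mismatch: ...' for one file."""
    data = path.read_bytes()
    if data == MARKER:
        return "overwritten: marker only"
    expected = MAGIC.get(path.suffix.lower())
    if expected is not None and not data.startswith(expected):
        kind = "PE executable" if data.startswith(b"MZ") else "unknown content"
        return f"type mismatch: {kind} behind a {path.suffix} extension"
    return "intact"


def scan_tree(root) -> dict:
    """Map each file's path (relative, POSIX style) to its classification."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): classify(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def build_sample_tree() -> str:
    """Constructed victim directory: two intact files, two overwritten ones,
    and a PE executable disguised as a PDF. Returns the temp directory path."""
    root = Path(tempfile.mkdtemp(prefix="cancer_demo_"))
    (root / "docs").mkdir()
    (root / "pics").mkdir()
    (root / "docs" / "report.pdf").write_bytes(b"%PDF-1.4\n% constructed demo content\n")
    (root / "pics" / "cat.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    (root / "docs" / "notes.txt").write_bytes(MARKER)
    (root / "pics" / "photo.png").write_bytes(MARKER)
    (root / "docs" / "invoice.pdf").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)
    return str(root)


if __name__ == "__main__":
    for rel, verdict in scan_tree(build_sample_tree()).items():
        print(f"{verdict:45s} {rel}")
```

A scan like this only tells you which files are gone; since the content is replaced rather than encrypted, there is nothing to decrypt, and the only recovery path is a backup that the Trojan could not reach.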

Because of the prevalence of these types of malware attacks, we urge users to back up their files regularly and to keep at least one copy offline, where a Trojan running on the endpoint cannot overwrite it.

SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: Cancer.KOI (Trojan)

Announcing New and Enhanced SonicWall Email Security 9.0 with Capture ATP to Detect Zero-Day

Ransomware attacks in 2016 grew 167x year-over-year to 638 million. As today's malware and ransomware pose ever-evolving zero-day threats, organizations need to defend their networks beyond the perimeter. SonicWall introduces a powerful defense: the new SonicWall Email Security 9.0 integrates with our award-winning Capture Advanced Threat Protection (ATP) Service. This combination delivers a cloud-based, multi-engine sandbox that not only inspects email traffic for suspicious code, but also blocks ransomware, zero-day and other malicious files from entering the network until a verdict is reached. This release is available on new SonicWALL hardware appliances, virtual appliances and the Hosted Email Security service.

In his blog highlighting SonicWall's 2017 Annual Threat Report, our President and CEO Bill Conner points out that email is a highly vulnerable attack vector for cyber criminals. Employees fall victim all too often to ransomware, phishing and unknown threats. The enhanced SonicWall Email Security 9.0 with Capture cloud-based sandboxing technology detects these advanced threats. It scans a range of email attachment types, analyzes them in a multi-engine sandbox, blocks them until reviewed by an administrator, and rapidly deploys remediation signatures. Signatures for newly discovered malware are quickly generated and automatically distributed across the SonicWall GRID Threat Network, preventing further infiltration by that malware. We offer organizations a choice of administrative options ranging from removing an offending email attachment to blocking an entire message. The result is higher security effectiveness and faster response times.

Innovative features of SonicWall Email Security 9.0 include:

  • Advanced Threat Protection: Integrates Capture cloud-based sandboxing technology for detection of zero-day threats such as ransomware, for fine-grained inspection of SMTP traffic
  • Next-generation Email Protection: Incorporates anti-spam, anti-virus and anti-spoofing functionalities to not only detect and prevent spam and other unwanted email, but also scan email messages and attachments for ransomware, Trojan horses, worms and other types of malicious content.
  • Improved Office 365 Support: Enhances security for multi-tenant environments by providing a method for ensured, mapped delivery of emails for SonicWall Hosted Email Security environments
  • Updated Line of Appliances: Refreshes SonicWall’s line of Email Security hardware appliances, helping customers to better face threats delivered by email.
  • Encryption Protection: In addition to SMTP authentication, the encryption service automatically encrypts, routes for approval or archives any email containing protected data.
  • Policy and Compliance Management: Enables an administrator to enact policies that filter messages and their contents as they enter or exit the organization. This allows organizations to meet regulatory requirements based on government legislation, industry standards or corporate governance activities.

“As a loyal SonicWall channel partner, we at Napa Valley Networks were thrilled to see SonicWall resume operations as a standalone cybersecurity company and go back to its roots of driving a deeper focus on technological innovation,” said Julie Neely, founding partner of Napa Valley Networks. “SonicWall Email Security 9.0 with Capture Advanced Threat Protection Service is a clear demonstration of the company’s continued commitment to better serving its channel partners.”

“With the continued onslaught of ransomware, malware and other cyber-attacks, our customers are looking to us to provide them with solutions that allow them to spend more time conducting day-to-day business while staying abreast of the threat landscape. SonicWall allows our engineers, and most importantly our customers, to sleep at night! At Sterling Computers, our mission is to help government and education customers get the most out of their tech infrastructure,” said Steve Van Ginkel, Sterling Computers’ vice president of Business Development & Partner Alliances.

“KHIPU Networks Limited have been using the SonicWALL Email Security software/appliance for over 10 years,” said Andrew Brimson, Managing Director, KHIPU Networks Ltd. “Email Security has been instrumental in protecting our business interests from threats and attacks as well as protection against data leakage. We have found the SonicWALL Email Security software easy to configure, good for reporting and tailorable to our changing requirements.”

Learn more and download the SonicWall Email Security 9.0 data sheet and see all of the enhancements.

SonicWall Annual Threat Report Reveals the State of the Cybersecurity Arms Race

In the war against cyber crime, no one gets to avoid battle. That’s why it’s crucial that each of us is proactive in understanding the innovation and advancements being made on both sides of the cybersecurity arms race. To that end, today we introduced the 2017 SonicWall Annual Threat Report, offering clients, businesses, cybersecurity peers and industry media and analysts a detailed overview of the state of the cybersecurity landscape.

To map out the cybersecurity battlefield, we studied data gathered by the SonicWall Global Response Intelligence Defense (GRID) Threat Network throughout the year. Our findings supported what we already knew to be true – that 2016 was a highly innovative and successful year for both security teams and cyber criminals.

Security Industry Advances

Security teams claimed a solid share of victories in 2016. For the first time in years, our SonicWall GRID Threat Network detected a decline in the volume of unique malware samples and the number of malware attack attempts.  Unique samples collected in 2016 fell to 60 million compared with 64 million in 2015, whereas total attack attempts dropped to 7.87 billion from 8.19 billion in 2015. This is a strong indication that many security industry initiatives are helping protect companies from malicious breaches.  Below are some of the other areas where progress is clearly being made.

Decline of POS Malware Variants

Cybersecurity teams leveraged new technology and procedural improvements to gain important ground throughout the year. If you were one of the unlucky victims of the point-of-sale (POS) system attack crisis that shook the retail industry in 2014, you’ll be happy to learn that POS malware has waned enormously as a result of heightened security measures. The SonicWall GRID Threat Network saw the number of new POS malware variants decrease by 88 percent since 2015 and 93 percent since 2014. The primary difference between today’s security procedures and those that were common in 2014 is the addition of chip-and-PIN and chip-and-signature technology particularly in the United States, which undoubtedly played a big role in the positive shift.

Growth of SSL/TLS-Encrypted Traffic

The SonicWall GRID Threat Network observed that 62 percent of web traffic was Secure Sockets Layer/Transport Layer Security (SSL/TLS) encrypted in 2016, making consumers and businesses safer in terms of data privacy and integrity while on the web. This is a trend we expect to continue in 2017, based on Google’s announcement that it has a long-term plan to begin marking HTTP traffic in its Chrome browser as “not secure.” NSS Labs estimates that 75 percent of web interactions will be HTTPS by 2019.

Decline of Dominant Exploit Kits

We also saw the disappearance of major exploit kits Angler, Nuclear and Neutrino after cybersecurity investigations exposed the likely authors, leading to a series of arrests by local and international law enforcement agencies. The SonicWall GRID Threat Network observed some smaller exploit kits trying to rise to fill the void. By the third quarter of 2016, runner-up Rig had evolved into three versions employing a variety of obfuscation techniques. The blow that dominant exploit kit families experienced earlier in 2016 is a significant win for the security industry.

Cyber Criminal Advances

As with any arms race, advances made by the good guys are often offset by advances made by the bad guys. This is why it’s critical for companies to not become complacent and remain alert to new threats and learn how to counterattack. Below are some of the areas where cyber criminals showed their ability to innovate and exploit new ways to launch attacks.

Explosive Growth in Ransomware

Perhaps the area where cyber criminals advanced the most was in the deployment of ransomware. According to the SonicWall GRID Threat Network, ransomware attacks grew 167-fold since 2015, from 3.8 million in 2015 to 638 million in 2016. The reason for this increase was likely a perfect storm of factors, including the rise of ransomware-as-a-service (RaaS) and mainstream access to Bitcoin. Another reason might simply be that as cybersecurity teams made it difficult for cyber criminals to make money in other ways, they had to look for a new paycheck.

Exploited Vulnerabilities in SSL/TLS Encryption

While the growth of SSL/TLS encryption is overall a positive trend, we can’t forget that it also offers criminals a prime way to sneak malware through company firewalls, a vulnerability that was exploited 72 percent more often in 2016 than in 2015, according to NSS Labs. The reason this security measure can become an attack vector is that most companies still do not have the right infrastructure in place to perform deep packet inspection (DPI) in order to detect malware hidden inside of SSL/TLS-encrypted web sessions. Companies must protect their networks against this hidden threat by upgrading to next-generation firewalls (NGFWs) that can inspect SSL/TLS traffic without creating performance issues.

IoT Became a New Threat Network

Many people who enjoy using Reddit, Netflix, Twitter or Spotify experienced another of our top threat trends firsthand. In October 2016, cyber criminals turned a massive number of compromised IoT devices into a botnet called Mirai that they then leveraged to mount multiple record-setting distributed denial-of-service (DDoS) attacks. The SonicWall GRID Threat Network found that at the height of the Mirai botnet usage in November 2016, the United States was by far the most targeted, with 70 percent of DDoS attacks aimed at the region, followed by Brazil (14 percent) and India (10 percent). The root cause leading to the Mirai attacks was unquestionably the lax security standards rampant in IoT device manufacturing today. Specifically, these devices do not prompt their owners to change their passwords, which makes them uncommonly vulnerable.

Combatting the New Cyber Threats

It’s worth noting that the technology already exists today to solve many of the new challenges cyber criminals threw at victims in 2016.  SSL/TLS traffic can be inspected for encrypted malware by NGFWs with high-performance SSL/TLS DPI capabilities.  For any type of new advanced threat like ransomware, it’s important to understand that traditional sandboxing solutions will only detect potential threats, but not prevent them. In order to prevent potential breaches, any network sandbox should block traffic until it reaches a verdict before it passes potential malware through to its intended target.  SonicWall’s family of NGFWs with SSL/DPI inspection coupled with the SonicWall Capture multi-engine cloud sandbox service is one approach to provide real-time breach prevention for new threats that emerge in the cybersecurity arms race.

If you’re reading this blog, you’re already taking an important first step toward prevention, as knowledge has always been one of the greatest weapons in the cybersecurity arms race. Take that knowledge and share it by training every team member in your organization on security best practices for email and online usage. Implement the technology you need to protect your network. And most importantly, stay up-to-date on the latest threats and cybersecurity innovations shaping the landscape. If you know where your enemy has been, you have a much better shot of guessing where he’s going.