DPI-SSL: What Keeps You Up at Night? Protect More. Fear Less.

If you have been in this industry for more than a few years, you have probably heard the sales pitch, “What keeps you up at night?” It’s a typical sales tactic to elicit an emotional response to threats that seem to be out of your control. It’s designed to draw you out, start a conversation, and ultimately, prey on your fears.

We have enough security issues to concentrate on without having to prey on fears.  That is one of the reasons I never liked this sales pitch. I have always felt it is better to address the challenges facing network security and do what we can to face those threats.

Growing up in Santa Cruz, California, I learned to swim in the ocean with some pretty scary waves. If you did not see a wave coming, you would get swamped by it. But if you faced the wave and dove under it, the threat was mitigated. If we do not see the threats in network security, we too can be swamped. For this same reason, we must look into encrypted packets to mitigate those threats. We cannot face what we do not see.

The SonicWall 2017 Annual Threat Report shows that over half the mechanisms delivering malware utilized encryption to mask the threats. The threat actors who create malware know that if they encrypt their payload, the odds of infecting the end system are very high while the odds of intrusion detection are low. The extra effort to create an encrypted session, compared with a standard plain-text session, is minimal. So, there is little extra work to create encrypted payloads while the reward is large.

In the last few months, well-respected web browser vendors have published tests and made the claim that security devices doing Deep Packet Inspection (DPI) of encrypted packets weaken security. Their testing showed that many security products that use "man in the middle" tactics to decrypt and re-encrypt packets for inspection re-encrypted them with a lower quality of encryption. This effectively did weaken security, and from that they drew the conclusion that security devices performing DPI-SSL weaken your protection.

This position is understandable; however, SonicWall takes this opportunity to actually increase security by hardening HTTPS encryption when weaker ciphers or invalid certificates are presented.

Workstations and end systems do a very good job of updating browsers, checking for revoked certificates and supporting strong encryption methods. But we often find the same is not true for hosted sites that contain many servers but have limited IT resources. Encryption methods get deprecated, but these servers often do not get updated, and during the server's negotiation of a Transport Layer Security (TLS) session, older and outdated methods still exist today. Secure Sockets Layer 1, 2 and 3 protocols are no longer recommended for sensitive data and should not be used.

The SonicWall next-generation firewall can detect when a server is presenting these weak encryption methods and block session initiation. Of course, there are times when this is not desirable. In that case, we also have the ability to let these connections establish. When I am confronted with incidents where TLS is not supported from a host that contains sensitive data, I have been successful in reaching out to that organization and letting them know they are not complying with Transport Layer best practices.
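As an added example (not SonicWall's code), the block-or-allow decision described in these two paragraphs applied to a parsed ServerHello: the negotiated protocol version and cipher suite are extracted and checked against a policy. The "deprecated" set (which adds TLS 1.0/1.1 to the SSL versions the post rules out) and the short weak-suite list are this example's own policy choices, and all three server records are constructed.

```python
"""Decide whether a server's TLS handshake should be allowed, based on the protocol version and
cipher suite it negotiates. Parses a ServerHello record; all sample records are constructed."""
import struct

HANDSHAKE_RECORD = 0x16
SERVER_HELLO = 0x02
SUPPORTED_VERSIONS_EXT = 0x002B

VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
# The post rules out SSL; treating TLS 1.0/1.1 as deprecated too (RFC 8996) is this example's policy.
DEPRECATED_VERSIONS = {0x0300, 0x0301, 0x0302}
# Illustrative weak suites (NULL, export, RC4, 3DES); a real policy would carry a fuller list.
WEAK_SUITES = {
    0x0000: "TLS_NULL_WITH_NULL_NULL",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}


def parse_server_hello(record: bytes) -> dict:
    """Return the negotiated version and cipher suite from one TLS record carrying a ServerHello."""
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    msg = record[5:5 + rec_len]
    if len(msg) < 4 or msg[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hello = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                      # skip server_random
    pos += 1 + hello[pos]             # skip session_id (length-prefixed)
    cipher = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 3                          # cipher_suite + compression_method
    # TLS 1.3 leaves 0x0303 in the legacy field; the real version is in supported_versions.
    if pos + 2 <= len(hello):
        ext_end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            if ext_type == SUPPORTED_VERSIONS_EXT and ext_len == 2:
                version = struct.unpack("!H", hello[pos:pos + 2])[0]
            pos += ext_len
    return {"version": version, "cipher": cipher}


def evaluate(record: bytes) -> dict:
    """Block the session when the server offers a deprecated protocol or a weak cipher suite."""
    info = parse_server_hello(record)
    reasons = []
    if info["version"] < 0x0300 or info["version"] in DEPRECATED_VERSIONS:
        name = VERSION_NAMES.get(info["version"], hex(info["version"]))
        reasons.append(f"deprecated protocol {name}")
    if info["cipher"] in WEAK_SUITES:
        reasons.append(f"weak cipher suite {WEAK_SUITES[info['cipher']]}")
    return {**info, "verdict": "block" if reasons else "allow", "reasons": reasons}


def build_server_hello(legacy_version, cipher, selected_version=None) -> bytes:
    """Construct a minimal ServerHello record for testing (sample data, not a packet capture)."""
    body = struct.pack("!H", legacy_version) + bytes(32) + b"\x00" + struct.pack("!H", cipher) + b"\x00"
    if selected_version is not None:
        ext = struct.pack("!HHH", SUPPORTED_VERSIONS_EXT, 2, selected_version)
        body += struct.pack("!H", len(ext)) + ext
    msg = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE_RECORD]) + struct.pack("!H", legacy_version) + struct.pack("!H", len(msg)) + msg


# Three constructed servers: an unmaintained host, a current one, and a TLS 1.3 one.
SAMPLES = {
    "legacy_host": build_server_hello(0x0300, 0x0005),
    "modern_host": build_server_hello(0x0303, 0xC02F),         # ECDHE-RSA-AES128-GCM-SHA256
    "tls13_host": build_server_hello(0x0303, 0x1301, 0x0304),  # TLS_AES_128_GCM_SHA256
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(name, evaluate(record))
```

The legacy host is blocked for both its SSLv3 version and its RC4 suite, while the TLS 1.3 host is reported as 1.3 only because the supported_versions extension is honoured over the legacy version field.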

When networks are breached, sometimes the only time you find out is when the compromised devices "phone home." In doing so they will use encryption. Trojans, malware, and botnets leverage command and control centers for updates and orders. They use non-standard ports and are not typically web connections. SonicWall is not dependent on port numbers or browsers; it inspects all ports. Every packet in each direction is inspected, securing your network.

The next time someone comes into your office and asks you, "What keeps you up at night," don't fall into this fear trap. With SonicWall, sleep soundly. Protect More and Fear Less.

WannaCry Ransomware Attack – It’s a Tragedy: What’s Next for Your Network?

"It's a tragedy." At least that is what we are told. Time and time again, when bad things happen, we hear the same things replayed over and over again: "what could we have done to prevent this," or "we didn't know." In life, this can be an honest reaction to certain things. Some things are left to powers way beyond our mortal control, but that doesn't apply to the cyber world in this digital age. Exploits are a daily thing; this is not new. There are more than forty new viruses created every sixty seconds, of every minute, of every hour, of every day. The "I didn't know" defense can only play out so long.

This was never truer than just this past week with the incredibly dynamic ransomware attack, the WannaCry exploit, in the UK and Spain. Here is what we know: some exploit kits that were allegedly created by certain government agencies were, again allegedly, stolen and leaked online to the masses. Some elements of these exploit kits were then leveraged in a new, extremely aggressive form of ransomware that launches a worm-like attack against connected network machines through various read/write functions of the Windows operating system. This latest ransomware variant was then set loose on the world, infected more than 200,000 systems in more than 100 countries, including several healthcare institutions in the United Kingdom, and even a couple of telecommunications companies in Spain. Guess what? It is certainly not the first exploit to leverage this form of attack, and it certainly will not be the last.

For far too long, companies and institutions have continued to treat cyber security like it is still the 1990s. Back then, it was typical for network admins to simply deploy this new technology called a "firewall" behind their router, and then let it sit for months, even years, without so much as logging into the unit. They had no need to. If the unit was up, that was all that mattered. Perhaps they would log in to add a new Access Rule or a VPN Policy, but for the masses that was it. It was a terrible practice then; today it is a death sentence for the network, and maybe even the career.

Network admins need to alert their senior management, including those C-Level employees, and let them know that security is no longer a back-office job that is performed only when needed. Security has evolved. It is a front office task that demands daily attention. And guess what else? Sometimes that means that there is some heavy lifting involved.

Here is the basic truth: proper security procedures, training, and architecture prevent breaches. This starts with ensuring that all traffic is being inspected, including that pesky encrypted traffic. This cannot be a half-baked solution that only inspects partial traffic flows, or has to rely on multiple endpoint clients to alert before identifying threats. Crossing one's fingers and wishing for the best simply will not do. Only implementing an aggressively secure countermeasure to stop aggressive advanced persistent threats will protect networks from malicious exploits.

Install a solution that delivers automated security updates, is fully application aware, and has built-in intrusion prevention and anti-virus scanning, including encrypted traffic inspection. All of these features, including the fully integrated SonicWall Capture Threat Prevention, a multi-engine cloud-based sandbox for zero-day malware attacks, are included on the SonicWall UTM Appliance and next-generation firewalls. SonicWall customers and partners were protected on April 20, when the SonicWall Capture Labs Threat Network issued a signature for the WannaCry exploit.

Recently, I had the pleasure of sitting down with a business owner of a company that had been breached. It was a typical story. A user's credentials had been compromised, and unauthorized access through an unprotected RDP session led to devastating consequences. When asked why a VPN front end to the RDP session was not deployed, the response was that it was too many extra configurations to maintain. When asked about enabling a two-factor authentication solution to send a text message to users' phones, the response was that it was too complex. What if they forget their phone that day? Then when I am asked why there was a breach, I just WannaCry.

For more information, please read SonicWall’s Ransomware Review and Defeating the Encrypted Threat.
Protect More Fear Less

SonicWall Protects Customers from the Latest Massive WannaCry Ransomware Attack

Note: This blog was updated on Monday, May 15.

First, if you are a SonicWall customer and you are using our Gateway Anti-Virus, Intrusion Prevention service, and Capture Advanced Threat Protection, then your SonicWall firewall has been protecting your network from WannaCry ransomware and the worm that spreads it since 17 April, 2017. Since the release of the first version of the code, we have identified several new variants and have released additional countermeasures. We will continue to update this blog as our Capture Labs research team uncovers more information and as additional protection is automatically rolled out to our customers' firewalls.

Here’s more:

The Attack

This massive ransomware attack became infamous by shutting down a number of hospitals in the UK's National Health Service (NHS) system and thus preventing patients from receiving critical care. The attack hit over 100 countries across the world with an untold number of victims. WannaCry is a combination of a Trojan/ransomware and a worm that leverages an SMB file sharing protocol exploit named EternalBlue. The Shadow Brokers leaked EternalBlue in April 2017 as part of a bigger dump of NSA-developed exploits. This exploit affects various versions of Microsoft Windows operating systems, including a number of versions that are in end-of-life status. Although Microsoft released a large number of patches on March 14 to address this vulnerability, the attack remains dangerous as many organizations have not applied the patch.

The first version of the worm/ransomware package had a kill switch that was accidentally used to disable the worm feature, which slowed its advance on Friday, 12 May 2017. However, new variants are appearing in the wild without this weakness. While the first version of the worm code can no longer spread the ransomware code, systems encrypted by WannaCry 1.0 will remain encrypted. Unfortunately, there is no known decryption method to recover files affected by WannaCry without paying cyber criminals (which is not advised).

Since Friday, 12 May 2017, SonicWall’s Capture Labs released six new signatures to block all known versions of WannaCry.  It is also worth noting that SonicWall security services on the firewall have built-in protections against the many components of this code, ranging from blocking contact with WannaCry Command and Control (C&C) servers to blocking attempts at exploitation of any unpatched SMB Microsoft vulnerabilities (such as EternalBlue).

WannaCry Ransomware

The Protection

SonicWall Capture Labs analyzed the EternalBlue attack in mid-April immediately after the Shadow Brokers file dump and rolled out protection for all SonicWall firewall customers well in advance of the first public attack.  All known versions of this exploit can be blocked from SonicWall protected networks via active next-generation firewall security services.

As a SonicWall customer, ensure that your next-generation firewall has an active Gateway Security subscription to receive automatic real-time protection from known ransomware attacks such as WannaCry. Gateway Security includes Gateway Anti-virus (GAV), Intrusion Prevention (IPS), Botnet Filtering, and Application Control. This set of technology has signatures against WannaCry (part of GAV), protections against vulnerabilities outlined in Microsoft’s security bulletin MS17-010 (part of IPS), and it blocks communication with the C&C servers where WannaCry’s payload comes from (part of botnet filtering).

Since SonicWall Email Security uses the same signatures/definitions as Gateway Security, we can effectively block the emails that deliver the initial route to infection. Ensure all email security services are also up to date to block malicious emails. Since 65% of all ransomware attacks happen through phishing emails, this needs to be a major focus when giving security awareness training. Additionally, customers with SonicWall Content Filtering Service should activate it to block communication with malicious URLs and domains, which works similarly to the way Botnet Filtering disrupts C&C communication.

As a best practice always deploy Deep Packet Inspection of all SSL/TLS (DPI-SSL) traffic since more than 50% of malware is encrypted. This will enable your SonicWall security services to identify and block all known ransomware attacks. Enabling DPI-SSL also allows the firewall to examine and send unknown files to SonicWall Capture Advanced Threat Protection for multi-engine processing to discover and stop unknown ransomware variants.

View our webpage to learn more on how SonicWall protects against ransomware.

WannaCrypt Signatures

The most recent list of GAV/IPS signatures against EternalBlue and WannaCrypt as of 14 May 2017 at 11:45 AM PST

What’s Next

The party behind this attack has already released several variations of this attack for which we have established protections in place (see above). To ensure you are safe from newly developed updates and similar copycat attacks, first apply the Windows patch provided by Microsoft listed in the resources section.  Second, apply Capture Advanced Threat Protection (Capture ATP), SonicWall’s multi-engine network sandbox, to examine suspicious files coming into your network to discover and stop the latest threats just as we did with Cerber ransomware. Enable the service’s block until verdict feature to analyze all files at the gateway to eliminate malware before it can enter your network. Additionally, Capture Labs will continue to email customers Sonic Alerts on new threats.

Finally, phishing emails are the most common delivery mechanism for ransomware. It is possible that future variants of this ransomware will be delivered via emails. SonicWall’s email security solution uses Advanced Reputation Management (ARM) to inspect not only the sender IP but also the message content, embedded URLs and attachments. In addition, make sure you enable SPF, DKIM and DMARC advanced email authentication to identify and block spoofed emails and protect from spam and phishing attacks. For the best possible protection against such attacks, deploy SonicWall’s email security solution with Capture ATP service to inspect every email attachment in a multi-engine sandbox environment.

Apart from the SonicWall security protections in place (listed above), as a best practice we recommend disallowing or blocking inbound SMB traffic (TCP 445, UDP ports 137-138, and TCP 139) and RDP traffic coming from the internet on edge-facing firewalls. If such access is required, implement secure remote access solutions like IPsec or SSL-VPN with proper authentication mechanisms in place.

Apply vulnerability patches on servers and PCs as recommended in the Microsoft MS17-010 bulletin (listed above and below), disable SMBv1 communication (limit access to SMBv2/v3), and monitor for any suspicious activity on TCP 445.
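As an added example (not SonicWall's tooling), two checks that follow the guidance in the last two paragraphs, run over constructed firewall flow records: internet-sourced connections to the SMB and RDP ports named above, and an internal host contacting an unusual number of distinct peers on TCP 445, which is how this worm spreads. The internal network ranges, the fan-out threshold and every flow line are assumptions made for this example.

```python
"""Two checks for the SMB/RDP guidance above, run over constructed firewall flow records:
edge exposure of SMB/RDP ports and worm-like TCP 445 fan-out inside the network."""
import ipaddress
from collections import defaultdict

# Internal (trusted zone) networks assumed for this example; everything else is treated as internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Protocol/port pairs the post says should not be reachable from the internet on an edge firewall.
BLOCKED_INBOUND = {("tcp", 445), ("tcp", 139), ("udp", 137), ("udp", 138), ("tcp", 3389)}
# Distinct TCP 445 peers one internal host may contact before we flag it (threshold chosen here).
FANOUT_THRESHOLD = 10

# Constructed flow records, "proto src_ip src_port dst_ip dst_port"; not a real capture.
SAMPLE_FLOWS = (
    "tcp 203.0.113.7 51000 192.168.1.10 445\n"    # internet -> SMB
    "tcp 203.0.113.7 51001 192.168.1.10 3389\n"   # internet -> RDP
    "udp 198.51.100.3 137 192.168.1.10 137\n"     # internet -> NetBIOS name service
    "tcp 203.0.113.9 40000 192.168.1.10 443\n"    # internet -> HTTPS, not in scope
    "tcp 10.0.0.6 49200 10.0.0.8 445\n"           # one normal internal file-share connection
    # one internal host touching a dozen neighbours on TCP 445, the way the worm spreads
    + "".join(f"tcp 10.0.0.5 {49152 + i} 10.0.0.{20 + i} 445\n" for i in range(12))
)


def parse_flows(text):
    """Turn the whitespace-separated records into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, src, sport, dst, dport = line.split()
        flows.append({"proto": proto, "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport)})
    return flows


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_exposed_inbound(flows):
    """Flows from the internet to an internal host on a port the post says to block at the edge."""
    return [f for f in flows
            if not is_internal(f["src"]) and is_internal(f["dst"])
            and (f["proto"], f["dport"]) in BLOCKED_INBOUND]


def find_smb_fanout(flows, threshold=FANOUT_THRESHOLD):
    """Internal hosts that reach an unusual number of distinct peers on TCP 445."""
    peers = defaultdict(set)
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] == 445 and is_internal(f["src"]):
            peers[f["src"]].add(f["dst"])
    return sorted(src for src, dsts in peers.items() if len(dsts) >= threshold)


def report(text):
    """Summarise both checks for one batch of flow records."""
    flows = parse_flows(text)
    return {"exposed_inbound": [(f["src"], f["proto"], f["dport"]) for f in find_exposed_inbound(flows)],
            "smb_fanout_hosts": find_smb_fanout(flows)}


if __name__ == "__main__":
    print(report(SAMPLE_FLOWS))
```

The HTTPS flow and the single internal file-share connection are left alone; only the three edge exposures and the sweeping host 10.0.0.5 are reported.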

Resources

Type Confusion Vulnerability in Microsoft Security Products CVE-2017-0290

A few days ago, Google Security Research published a POC detailing a vulnerability in Microsoft’s Malware Protection service’s MsMpEng engine.

The main component is called mpengine.dll. This is responsible for scanning and analyzing various files. It contains various interpreters and emulators for analyzing various file formats, compression and encryption algorithms.

Scanning the provided POC using Windows 7’s Windows Defender, we get the following crash notification:

After restarting, and checking the running processes from the task manager, we concluded that MsMpEng was not present for this setup. We then checked the services tab of task manager and found the following:

Searching the PID 3420 in the process list, we see that the service is attached to svchost.exe:

We then attached the debugger to this instance of svchost and attempted to scan the POC.

As it turns out, the vulnerable function is found in mpengine.dll’s MPContainerWrite.

The SonicWALL Threat Research Team has researched this vulnerability and has the following signature in place to protect customers:

  • SPY 1468: Malformed-File js.MP.3

The Problem with Breach Detection

According to ITC (http://www.idtheftcenter.org) data breaches in the US increased 40% in 2016, and through the first four months of 2017 are up an additional 42% over the same period last year.  Just over half of all breaches are caused by cyber attacks, defined by ITC as hacking, credit card skimming and phishing.  And the breaches are distributed across most if not all industries, hitting education, government, health and financial organizations alike. So, this is a big problem in 2017 that is threatening to explode into a huge problem.  You need to be aware that if you hold sensitive customer data, there is a very real possibility that you will be targeted.

What are your options for protecting yourself from data breaches?

In the past, organizations have focused the majority of efforts on breach detection and remediation.  In effect, they had given up on trying to prevent an attack and focused instead on cleanup.  Historically, this was more of a necessity since dedicated breach detection systems (BDS) from vendors like FireEye were the only type of solution available for detecting zero-day attacks that often are used in successful breaches.

The challenges with this approach are many:

  1. The standalone products used to detect breaches are expensive and take a sophisticated dedicated security team to manage.
  2. According to SonicWall GRID Threat Network, in 2016 over half of internet traffic was encrypted using SSL/TLS, so traditional breach detection systems can’t even see the threats coming into the organization. This is an issue because most modern malware is being created with the ability to download to unsuspecting victims using the same encryption technology.  SSL/TLS is being used to cloak or hide zero-day malware, making it very difficult for traditional breach detection solutions to be effective.
  3. Finally, most organizations just don’t have the cyber security skills to deal effectively with remediation.  It is estimated that, at the end of 2016, there was a one million person gap between the number of cyber security professionals available and the number the industry needs to effectively fight cyber crime.

What is breach prevention?

Fortunately, the security community now has more options at their disposal.  The best next-generation firewalls have integrated either on-board or cloud-based network sandboxes that are designed to detect zero-days much like the dedicated breach detection solutions available in the past.  And because a firewall sits at the Internet gateway, it is possible to block zero-day attacks before they ever make it into the network.  Here are five keys to finding the best breach prevention solution:

  1. The first requirement for breach prevention is decrypting the large component of your internet traffic that is using SSL/TLS.  Your next-generation firewall needs to be able to do this without impacting the network performance, so look for a scalable high performance solution.
  2. Look for a firewall that has high security effectiveness to ensure that the maximum number of “known” threats are detected and blocked before they get into your organization.
  3. For unknown threats, make sure the firewall can not only detect zero-day threats but automatically block them in near real-time.  This element is key to a breach prevention strategy.
  4. We recommend multiple sandbox engines running in parallel, which makes it much more difficult for an attacker to execute an evasion designed to target a specific vendor or engine type.
  5. Make sure the TCO of the solution fits within your budget, not only the upfront capital but also the resources needed to manage the solution and the ability to effectively scale capacity in the future to accommodate growth.

Microsoft Security Bulletin Coverage

SonicWall has analyzed and addressed Microsoft’s security advisories for the month of May, 2017. A list of issues reported, along with SonicWall coverage information are as follows:

Microsoft Coverage

  • CVE-2017-0064 Internet Explorer Security Feature Bypass Vulnerability
    IPS:12779 Internet Explorer Security Feature Bypass Vulnerability (May 17)
  • CVE-2017-0077 Win32k Information Disclosure Vulnerability
    SPY:1462 Malformed-File exe.MP.32
  • CVE-2017-0171 Windows DNS Server Denial of Service Vulnerability
    IPS:12777 Windows DNS Server Denial of Service Vulnerability (May 17)
  • CVE-2017-0175 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0190 Windows GDI Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0212 Windows Hyper-V vSMB Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0213 Windows COM Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0214 Windows COM Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0220 Windows COM Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0221 Microsoft Edge Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0222 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0224 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0226 Microsoft Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0227 Microsoft Edge Memory Corruption Vulnerability
    IPS:12778 Microsoft Edge Memory Corruption Vulnerability (MAY 17) 1
  • CVE-2017-0228 Scripting Engine Memory Corruption Vulnerability
    IPS:12780 Scripting Engine Memory Corruption Vulnerability (MAY 17) 1
  • CVE-2017-0229 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0230 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0231 Microsoft Browser Spoofing Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0233 Microsoft Edge Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0234 Scripting Engine Memory Corruption Vulnerability
    IPS:12782 Scripting Engine Memory Corruption Vulnerability (MAY 17) 2
  • CVE-2017-0235 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0236 Scripting Engine Memory Corruption Vulnerability
    IPS:12783 Scripting Engine Memory Corruption Vulnerability (MAY 17) 3
  • CVE-2017-0238 Scripting Engine Memory Corruption Vulnerability
    IPS:12784 Scripting Engine Memory Corruption Vulnerability (MAY 17) 4
  • CVE-2017-0240 Microsoft Edge Memory Corruption Vulnerability
    IPS:12785 Microsoft Edge Memory Corruption Vulnerability (MAY 17) 2
  • CVE-2017-0241 Microsoft Edge Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0242 Microsoft ActiveX Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0243 Office Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0244 Windows Kernel Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0245 Win32k Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0246 Win32k Elevation of Privilege Vulnerability
    SPY:1466 Malformed-File exe.MP.33
  • CVE-2017-0248 .Net Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0254 Microsoft Office Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0255 Microsoft SharePoint XSS Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0258 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0259 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0261 Microsoft Office Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0262 Microsoft Office Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0263 Win32k Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0264 Microsoft Office Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0265 Microsoft Office Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0266 Microsoft Edge Remote Code Execution Vulnerability
    IPS:12781 Microsoft Edge Remote Code Execution Vulnerability (May 17) 1
  • CVE-2017-0267 Windows SMB Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0268 Windows SMB Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0269 Windows SMB Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0270 Windows SMB Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0271 Windows SMB Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0272 Windows SMB Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0273 Windows SMB Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0274 Windows SMB Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0275 Windows SMB Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0276 Windows SMB Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0277 Windows SMB Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0278 Windows SMB Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0279 Windows SMB Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0280 Windows SMB Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0281 Microsoft Office Remote Code Execution Vulnerability
    There are no known exploits in the wild.

Adobe Coverage

APSB17-15 Security updates for Adobe Flash Player:

  • CVE-2017-3071 Adobe Flash Player Use After Free Vulnerability
    Spy:1471 Malformed-File swf.MP.558
  • CVE-2017-3068 Adobe Flash Player Memory Corruption Vulnerability
    Spy:1475 Malformed-File flv.MP.1
  • CVE-2017-3069 Adobe Flash Player Memory Corruption Vulnerability
    Spy:1469 Malformed-File swf.MP.556
  • CVE-2017-3070 Adobe Flash Player Memory Corruption Vulnerability
    Spy:1470 Malformed-File swf.MP.557
  • CVE-2017-3072 Adobe Flash Player Memory Corruption Vulnerability
    Spy:1472 Malformed-File swf.MP.559
  • CVE-2017-3073 Adobe Flash Player Memory Corruption Vulnerability
    Spy:1473 Malformed-File swf.MP.560
  • CVE-2017-3074 Adobe Flash Player Memory Corruption Vulnerability
    Spy:1474 Malformed-File swf.MP.561

Internet Explorer Memory Corruption Vulnerability CVE-2017-0202

A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user, a.k.a. "Internet Explorer Memory Corruption Vulnerability."

When the PoC is run in Internet Explorer, it crashes IE. As seen in the image, the crash happens at MSHTML!CStyleSheetArray::BuildListOfProbableRules when the script tries to set an attribute to an invalid value. This attribute was already set in the StyleSheet.

An attacker could host a malicious website to exploit this vulnerability (CVE-2017-0202), and lure the victim into visiting the website. The vulnerability could corrupt memory in such a way that the attacker could execute arbitrary code on the victim's machine.

The call stack shows that the crash happens after "ApplyStyleSheets", suggesting a type confusion about the style sheet element, as seen in the code.

The disassembly looks like this:

The SonicWALL Threat Research Team has researched this vulnerability and released the following signature to protect customers.

  • IPS 12709: Internet Explorer Memory Corruption Vulnerability (APR 17) 1

Android botnet spreads via game guides

Android malware writers constantly come up with new ways to communicate with malware once it infects a victim's mobile device. The SonicWall Threats Research Team received reports of a malware campaign, spreading under the guise of game guides, that uses a new way to send messages to a victim's device post-infection. Most of the apps belonging to this campaign are spreading as game guide apps, which give walkthroughs of the tasks/goals to be accomplished in a game. This campaign is thus being referred to as FalseGuide.

Infection Cycle

Most of the samples belonging to this campaign request a number of permissions, but a few key permissions of interest to this campaign are as follows:

  • receive boot completed
  • com.google.android.c2dm.permission.receive
  • c2d message
  • receive adm message

Upon installation the malware asks for device admin privileges. This should be a red flag to a user: in most cases the app proclaims to be a guide for a specific game, and a guide like that should not need administrator privileges. By receiving admin privileges, the app makes it difficult for the user to uninstall it. On opening the app we do see some relevant content in it, but in the background the app registers and starts a number of services and broadcast receivers that listen for messages received via Firebase Cloud Messaging (FCM) events:


Messaging via Firebase

Firebase Cloud Messaging is a service that handles sending messages between server applications and a mobile client app. A mobile client app is essentially an FCM-enabled app that runs on a device (the infected device in our case). FCM was developed to help increase engagement between app developers and users: developers can easily push notifications and messages to a set of users of their apps. For instance, a developer can send messages to all the users of his app that have made an in-app purchase, giving them a special offer; this adds to a more personalized user experience. Apart from that, FCM is a powerful way to get analytical data that can be further used to improve the app.

Most of the samples we observed bundle Firebase as a component, thereby making the infected devices FCM clients:

FCM allows developers to send messages to multiple devices that have subscribed to a particular topic (more information here). We see the same behavior in the apps belonging to this campaign, as each one subscribes to a topic named after the app, as seen below:

The apps monitor for any messages coming from FCM via background services:

We have a scenario where each infected device subscribes to a topic, by the app name, with the server. The developer can now send messages to all the devices infected by a particular app, thereby creating a botnet of infected devices that can be communicated with via the subscribed FCM topic. The attacker has the ability to send malicious modules transforming this app which already has device administrator privileges into something dangerous.
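The combination the post describes, a device-admin receiver plus an FCM listener and boot persistence, can be checked for in a decoded manifest. The following triage script is an added example, not code from the original post or from SonicWall; the manifest it parses is constructed for illustration and the package name is a placeholder.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Indicators discussed above: boot persistence, the FCM push channel,
# and a device-admin receiver that makes the app hard to uninstall.
BOOT_PERM = "android.permission.RECEIVE_BOOT_COMPLETED"
FCM_PERM = "com.google.android.c2dm.permission.RECEIVE"
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"
ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"

# Constructed sample manifest (placeholder package, not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="guide.example.placeholder">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <service android:name=".PushListener">
      <intent-filter>
        <action android:name="com.google.firebase.MESSAGING_EVENT"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Return the set of indicator names found in a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    found = set()
    if BOOT_PERM in perms:
        found.add("boot_persistence")
    if FCM_PERM in perms:
        found.add("fcm_permission")
    # A service whose intent filter takes MESSAGING_EVENT receives FCM pushes.
    for action in root.iter("action"):
        if action.get(ANDROID_NS + "name") == FCM_ACTION:
            found.add("fcm_listener")
    # A receiver guarded by BIND_DEVICE_ADMIN is a device-admin component.
    for rcv in root.iter("receiver"):
        if rcv.get(ANDROID_NS + "permission") == ADMIN_PERM:
            found.add("device_admin")
    return found


def is_suspicious(found):
    """Device admin plus a remote push channel is the pairing the post warns about."""
    return "device_admin" in found and ("fcm_listener" in found or "fcm_permission" in found)
```

Run `triage_manifest` over manifests extracted with a decoder such as apktool; a game guide that trips `is_suspicious` deserves a closer look.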

Additional notes:

  • Some apps use the UrbanAirship platform, which also provides the ability to send push notifications to multiple devices
  • Most of the apps in this campaign are spreading under the guise of game guides; a few are listed below:
    • Asphalt
    • Drift Zone
    • Injustice Gods
    • FIFA Mobile
    • LEGO Nexo Knights
    • LEGO City My City
    • Pokemon GO
    • Rolling sky
    • Subway Surfers
    • Terraria
    • World of Tanks

  • During our analysis we did not receive any FCM push notifications; we will update the blog if we receive such messages in the future
  • Since these apps do not carry malicious content themselves, they were able to evade Google’s automated malware scanners on the Google Play store
  • Reports indicate many apps from this campaign were downloaded from the Play store by unsuspecting users

Overall this campaign creates a botnet of devices that subscribe to a particular topic via Firebase Cloud Messaging. The fact that users have already downloaded samples belonging to this campaign shows that it has succeeded in reaching a number of devices by hiding behind game guides. If you recently downloaded a game guide that requested device administrator privileges, we urge you to consider removing that app from your device. More generally, always think twice before granting administrator privileges to an app.

SonicWall provides protection against multiple variants of this threat via the signatures below:

  • GAV: AndroidOS.FalseGuide.MS (Trojan)
  • GAV: AndroidOS.FalseGuide.AD (Trojan)

Below are a few apps containing the Firebase component:

  • 91df87ab4b0e170db3431cd8b8ce7944 – free.guidegame.slitherfree
  • 90a5cb2c5b7fbd43bc11a87eeec17941 – guide.tipscadillacs.infopro
  • 9d8888f3e8a3ce16108827333af3447c – guide.tipsfnaftwo.infopro

Below are a few apps containing the UrbanAirship component:

  • 10b174832cd65a518a98a857d27198d2 – free.guidegame.shadowfightfree
  • e2d996f2cf1570c366bd53a0201f1f07 – free.guidegame.mortalkombatxfree
  • 8adc23a56b77d56748811721725ee7c3 – free.guidegame.fifafree*

Below are a few more apps from this campaign:

  • abbbb10fe5eb67a81b9ea06ec9cb4da2 – mobi.guide.dream.league.soccer.pro
  • 6fcbc296ffe9c893581310a9bb02c7ee – free.guidegame.hungrysharkfree

SonicWall at Dell EMC World 2017: Secure More. Fear Less.

SonicWall is thrilled to be a silver sponsor at Dell EMC World (May 8 – 11 in Las Vegas) in booth #1515. While we are now a separate organization from Dell, we continue our close longtime partnership.

This year’s event theme is “Realize your Digital Future.” Organizations today are looking to transform their business to drive IT innovation, enhance workforce mobility and reduce risk. However, digital transformation can increase exposure to risks that can directly impact your customer data, your reputation, and your organizations’ credibility.  The partnership and solutions from SonicWall and Dell EMC provide the perfect combination to stay ahead of cybercriminals in the continually evolving cyber arms race.

At Dell EMC World, SonicWall experts will show you how our solutions can empower you to prevent breaches, stop phishing attacks, block ransomware, uncover SSL encrypted threats and identify compromised IoT devices.  Visit our booth to:

  • Discover recent advances made by both cybercriminals and cybersecurity, as outlined in our 2017 Annual Threat Report.
  • Watch a demo of our award-winning multi-engine sandbox, SonicWall Capture ATP, which can scan and block unknown files until it reaches a verdict in order to prevent zero-day and advanced threats.
  • Learn how our next-gen firewalls can help you prevent breaches caused by encrypted malware. Over 60% of today’s web traffic now uses SSL encryption, which can lead to under-the-radar hacks and expose your network to breaches. Most modern firewalls claim to decrypt and scan encrypted traffic, but not all perform well in the real world.
  • Find out how to stop ransomware in your email. Ransomware attacks have grown at a tremendous rate, with email as one of the main attack vectors. See a demo of SonicWall Email Security with Capture, a next-generation solution to protect email files, stop phishing and block ransomware. Talk to our experts in the booth and learn how to block spoofed email and attacks.
  • Explore our latest Secure Mobile Access solutions, which let you define granular access policies, enforce multi-factor authentication and monitor all activities for compliance. With an ever-growing number of devices connecting mobile workers and vendors, you need to rethink IoT security. SonicWall’s access security and network segmentation delivers the right level of access to your mobile workers and reduces the threat surface.
  • Learn how to integrate Dell EMC X-Series switches with SonicWall to extend your network infrastructure securely and centrally manage switching, firewalling, and wireless. Talk to our product experts and see how this integration can help to reduce complexity, cost, and potential misconfiguration.

Our goal is to help you stay protected and ahead of today’s ever-changing cyber-attacks. Start your Dell EMC World journey at booth #1515 on Monday night, and experience first-hand how SonicWall next-gen firewalls, access security, and email security offer the power to secure more and fear less. SonicWall’s booth theatre and World Chat presentations, demos and experts at the conference will empower you and your organization to overcome the many crimes targeting weak spots in your network.

Be sure to also tune in via Twitter #DellEMCWorld and follow @SonicWall. If you want a head start, you can get an online demonstration of our security solutions by visiting our Live Demo site.

SonicWall Cloud GMS Launches for Managed Service Providers: Protect More. Fear Less.

On May 1, 1969, Joni Mitchell released her album, Clouds. In Both Sides Now, she penned these lyrics about the enigmatic nature of clouds:

I’ve looked at clouds from both sides now
From up and down and still somehow
It’s cloud’s illusions I recall
I really don’t know clouds at all

Exactly forty-eight years later, on May 1, 2017, SonicWall proudly launches Cloud GMS, the Global Management System for its next-generation firewalls. Then as now, the cloud is enigmatic: how do you know whether cloud management is right for your business? The good news is that SonicWall gives you freedom of choice by offering both cloud and on-prem versions of GMS. Keep reading and we will look at the cloud from both sides now.

First, cloud’s usage-based subscription model has financial advantages because of its zero upfront capital expense, which eliminates the barrier to entry for capital-constrained budgets.  Secondly, cloud’s pay-as-you-grow model enables businesses to scale painlessly because growth occurs by cloud-driven increases in cash flow with no outlays for more infrastructure.  Lastly, cloud equals simplicity, with no updates and fewer maintenance headaches for limited IT staff.

But cloud is not a clear-cut alternative to on-prem IT infrastructure for every business. There are many factors that should be considered. First, cloud services are often geographically dispersed, whereas data privacy restrictions such as the European Union’s General Data Protection Regulation (GDPR) require local access to data for security and compliance reasons. Second, cloud services share resources with other businesses, and that may cause sleepless nights for IT managers who prefer direct control of their infrastructure. Lastly, cloud services are remote and susceptible to latency- or bandwidth-related issues.

The real value of technology is to make the business work in ways that maximize its growth and profitability. This means enabling the business to move in new directions to capture more customers, or to keep up with the market by out-competing the competition. Whether you choose cloud or on-prem, GMS makes your business work better by enabling resellers to transform into managed service providers, or, for managed service providers who don’t yet have GMS, by increasing operational efficiency. In both cases, businesses can increase their top line while improving their bottom line. We invite you to learn more about the MSP practice in A Lucrative Opportunity in Managed Security Services and about Cloud GMS in Integrating Global Management of Network Security. If you are a SonicWall Partner, start a free trial of Cloud GMS now by logging in to and clicking the Try button for Cloud GMS.