SonicWall Expands Scalability of its Next-Generation Firewall Platforms and DPI SSL to Address Encrypted Threats

Day after day, the number of users is growing on the web, and so is the number of connections. At the same time, so is the number of cyberattacks hidden by encryption. SonicWall continues to tackle the encrypted threat problem by expanding the number of SSL/TLS connections that it can inspect for ransomware.

Today, a typical web browser keeps 3-5 connections open per tab, even if the window is not the active browser tab. The number of connections can easily increase to 15 or 20 if the tab runs an online app like Microsoft SharePoint, Office web apps, or Google Docs. In addition, actions such as loading or refreshing the browser page may temporarily spike another 10-50 connections to retrieve various parts of the page. A good example of this scenario is an advertisement-heavy webpage, which can really add connections if the user has not installed an ad blocker plugin. Also keep in mind that many ad banners in web pages embed code to auto-refresh every few seconds, even if the current tab is inactive or minimized. That said, it makes a lot of difference how many browser tabs your users typically keep open continuously during the day and how refresh-intensive those pages are.

We can make some assumptions about the average number of connections for different types of users. For example, light web users may use an average of 30-50 connections, with a peak connection count of 120-250. On the other hand, heavy consumers may use twice that, for up to 500 simultaneous connections.

If a client is using BitTorrent on a regular basis, that alone will allocate at least 500 connections for that user (with the possibility of consuming 2,000+ connections). For a mainstream organization it is safe to assume that on average 80 percent of the users are light consumers, whereas the remaining 20 percent are heavy consumers. The above numbers give a ballpark of a few hundred thousand connections for a company of 1,000 employees – 3 to 5 times higher than the number of connections for the same organization a decade ago.

With all the changes in browser content delivery and presentation, as well as users’ advanced manipulation of the web and its content, SonicWall needs to address the ever-increasing demand for connections to satisfy customer needs and provide a better user experience. In the recently released SonicOS 6.2.9 for SonicWall next-gen firewalls, our engineering team has increased the number of stateful packet inspection (SPI) and deep packet inspection (DPI) connections to better serve this need.

Below is the new connection count for Stateful Packet Inspection connections on SonicWall Gen6 Network Security Appliance (NSA) and SuperMassive Series firewalls in the new SonicOS 6.2.9, compared to the same count in the previous 6.2.7.1:

SPI Connection Chart

In addition, the number of DPI connections has increased up to 150 percent on some platforms. Below is a comparison of the new connection count in SonicOS 6.2.9 against SonicOS 6.2.7.1.
DPI Connection Chart

Finally, for security-savvy network administrators we have provided a lever to increase the maximum number of DPI-SSL connections by forgoing a number of DPI connections. Below is a comparison of the default and maximum number of DPI-SSL connections when taking advantage of this lever.

Increase Max DPI SSL Connections Chart

We also enhanced our award-winning Capture ATP cloud sandbox service by improving the user experience of the “Block Until Verdict” feature, which prevents suspicious files from entering the network until the sandboxing technology finishes its evaluation.

In addition, SonicOS 6.2.9 enables Active/Active clustering (on NSA 3600 and NSA 4600 firewalls), as well as enhanced HTTP/HTTPS redirection.

Whether your organization is a startup of 50 users or an enterprise of a few thousand employees, SonicWall is always considering its customers’ needs and strives to serve you better by constantly improving our feature set and offerings.

For all of the feature updates in SonicOS 6.2.9, please see the latest SonicOS 6.2.9 data sheet(s). Upgrade today.

Hackers Attack Websites with Ransomware – August 2017

SonicWALL Threat Research Labs recently received reports of attackers targeting websites with ransomware. Attackers are uploading malicious PHP files onto the websites. These PHP files allow the attacker to encrypt the website’s files and then extort money from the site’s owner.

Once uploaded, the attacker then connects to the ransomware via a web browser, as follows:

The attacker can then submit a complex encryption key to encrypt the site’s content, with the following result:

The malware overwrites the .htaccess file with the following contents:

#Bug7sec Team
DirectoryIndex shor7cut.php
ErrorDocument 404 /shor7cut.php

This redirects the website to the file shor7cut.php.

In addition, the ransomware traverses the directory tree searching for files to encrypt. Each file’s contents are encrypted using PHP’s mcrypt function, and the file is then renamed with the .shor7cut extension.
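A defender-side check for the two indicators described above, added here as an example and not part of the original write-up: it walks a web root, flags any .htaccess whose DirectoryIndex or ErrorDocument directive points at shor7cut.php, and counts files carrying the .shor7cut extension. The sample web root is constructed in a temporary directory for the demonstration.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the write-up: the ransomware rewrites .htaccess to route
# every request (and every 404) to shor7cut.php, and renames each encrypted
# file with the .shor7cut extension.
ROGUE_HANDLER = "shor7cut.php"
ENCRYPTED_EXT = ".shor7cut"

# Apache directives that can redirect a whole site to one script.
DIRECTIVE_RE = re.compile(r"^\s*(DirectoryIndex|ErrorDocument)\s+(.*)$", re.IGNORECASE)


def htaccess_indicators(text):
    """Return the directive lines of an .htaccess body that point at the rogue handler."""
    hits = []
    for line in text.splitlines():
        m = DIRECTIVE_RE.match(line)
        if m and ROGUE_HANDLER in m.group(2):
            hits.append(line.strip())
    return hits


def scan_webroot(root):
    """Walk a web root and report tampered .htaccess files and encrypted files."""
    root = Path(root)
    report = {"tampered_htaccess": [], "encrypted_files": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name == ".htaccess":
                try:
                    body = path.read_text(errors="replace")
                except OSError:
                    continue
                hits = htaccess_indicators(body)
                if hits:
                    report["tampered_htaccess"].append((str(path.relative_to(root)), hits))
            elif name.endswith(ENCRYPTED_EXT):
                report["encrypted_files"].append(str(path.relative_to(root)))
    return report


def build_sample_webroot():
    """Construct a throwaway web root reproducing the write-up's indicators (sample data)."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / ".htaccess").write_text(
        "#Bug7sec Team\nDirectoryIndex shor7cut.php\nErrorDocument 404 /shor7cut.php\n"
    )
    (root / "index.php.shor7cut").write_bytes(b"\x00ciphertext placeholder\x00")
    sub = root / "wp-content"
    sub.mkdir()
    (sub / "config.php.shor7cut").write_bytes(b"\x00ciphertext placeholder\x00")
    # A clean .htaccess that must not be flagged.
    (sub / ".htaccess").write_text("DirectoryIndex index.php\n")
    return root


if __name__ == "__main__":
    result = scan_webroot(build_sample_webroot())
    for path, hits in result["tampered_htaccess"]:
        print(f"[!] {path}: {'; '.join(hits)}")
    print(f"[!] {len(result['encrypted_files'])} file(s) with the {ENCRYPTED_EXT} extension")
```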

Once the malware is done encrypting, it sends an email to the attacker containing the encryption key used:

Once the site owner pays the ransom, the attacker goes back to the ransomware PHP page and chooses the “DeInfection” option:

Once the appropriate key is entered, the ransomware restores the files:

The SonicWALL Threat Research Team has the following signatures to protect customers from this type of attack:

  • GAV 17970: Ronggolawe.RSM
  • WAF 1669: Ronggolawe.RSM

SyncCrypt Ransomware hides behind an image file

This week, the SonicWall Capture Labs Threat Research team received reports of yet another ransomware family being distributed via spam. The email purports to be an urgent, important message with a document attached, but the attachment is in fact a Windows Script file (.wsf) inside a zip archive. Once executed, it downloads a seemingly non-malicious image file and then installs a ransomware called SyncCrypt.

Infection Cycle:

Upon execution, it downloads a jpg file, as seen in the snippet of the JavaScript code below:

Trying to download the jpg file from the sources above yields this innocuous-looking file:

But upon careful examination, this jpg file appears to be an archive containing the ransomware components.

These files are then unpacked and saved in the following location:

  • %temp%/BackupClient/sync.exe [Detected as GAV: SyncCrypt.RSM (Trojan) ]
  • %temp%/BackupClient/readme.html
  • %temp%/BackupClient/readme.png
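The image-that-is-really-an-archive trick above, as an added example that is not part of the original write-up: a triage check that a file served as a JPEG does not also carry a ZIP archive. Python’s zipfile locates the central directory by scanning back from the end of the file, so it reads the archive even when image bytes precede it. The JPEG header and archive contents are constructed here; the member names follow the file list in the write-up.

```python
import io
import zipfile

JPEG_MAGIC = b"\xff\xd8\xff"
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def build_sample_polyglot():
    """Construct a stand-in for the downloaded 'image': JPEG-looking bytes followed by a ZIP.
    The archive members mirror the write-up's file list; their contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("BackupClient/sync.exe", b"MZ placeholder, not a real binary")
        zf.writestr("BackupClient/readme.html", b"<html>placeholder ransom note</html>")
        zf.writestr("BackupClient/readme.png", b"\x89PNG placeholder")
    # A minimal JPEG SOI + APP0/JFIF marker so the blob passes a naive 'is it a JPEG?' check.
    fake_jpeg = JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return fake_jpeg + buf.getvalue()


def looks_like_jpeg(data):
    return data[:3] == JPEG_MAGIC


def embedded_zip_members(data):
    """Return the member names of any ZIP archive hidden in the blob, or [] if none.
    zipfile finds the end-of-central-directory record by scanning backwards, so leading
    image bytes do not stop it from parsing the archive."""
    if ZIP_LOCAL_HEADER not in data:
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [info.filename for info in zf.infolist()]
    except zipfile.BadZipFile:
        return []


def triage_image(data):
    """Classify a blob that arrived as an image: 'jpeg', 'jpeg+zip' (polyglot), 'zip' or 'other'."""
    members = embedded_zip_members(data)
    if looks_like_jpeg(data):
        return ("jpeg+zip", members) if members else ("jpeg", [])
    return ("zip", members) if members else ("other", [])


if __name__ == "__main__":
    verdict, members = triage_image(build_sample_polyglot())
    print(verdict)
    for name in members:
        flag = "  <-- executable inside an 'image'" if name.lower().endswith(".exe") else ""
        print(f"  {name}{flag}")
```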

It then tries to confuse the victim by displaying this error message after the script runs.

Meanwhile the ransomware encrypts the victim’s files as usual and appends .KK to all encrypted files. The ransom note with payment instructions is then displayed, as shown in the figure below:

Because of the prevalence of these types of malware attacks, we urge our users to back up their files regularly.

SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: SyncCrypt.RSM (Trojan)
  • GAV: WScript.SyncCrypt.RSM (Trojan)

SonicWall and Dell EMC: A Strategic Partnership Providing Network Security Solutions to Stay Ahead of the Cyber Arms Race

I am pleased to announce that Dell EMC is now shipping the OEM version of the SonicWall next-generation cyber security firewall solutions in the United States and Canada. Continuing our long-time partnership and resale relationship, Dell EMC will offer the powerful combination of SonicWall’s innovative threat protection technology and Dell EMC’s broad set of solutions from the data center all the way to endpoint devices.

Organizations today are looking to transform their business to drive IT innovation, enhance workforce mobility and reduce risk. However, digital transformation can increase exposure to risks that can directly impact an organization’s data, reputation, and credibility.

Addressing customers’ security needs as they move to the cloud, extend their network and storage solutions, and migrate to more mobile and IoT environments is critical in today’s threat landscape. The combination of Dell EMC solutions and SonicWall is a great value add for Dell EMC customers and the partner community.

Here are some key points on the OEM:

SonicWall next-generation firewalls provide effective threat prevention through a layered approach on top of our multi-engine cloud-based SonicWall Capture Advanced Threat Protection Service. This solution protects organizations from today’s most insidious threats including ransomware, encrypted malware, mobile threats and email-borne attacks.

The SonicWall OEM security solution is a critical affirmation of how important the Dell EMC – SonicWall partnership is for their large customer base and their Dell EMC Partner Program members.

For additional information, please see the following press release – https://www.sonicwall.com/en-us/about-sonicwall/news/press-releases/pr-articles/sonicwall-and-dell-emc-announce-oem-launch-of-next

Connecting and Protecting the Remote Islands of Corporate IT – BYOD and Mobility

How Dell and SonicWall’s SMA and Next-Generation Firewall solution builds secure virtual bridges for today’s fragmented environments

As employees are no longer restricted to the physical structures of their company headquarters, what and how they connect to their corporate network presents a multitude of challenges. Corporate IT environments consist of a seemingly uncontrollable combination of devices, operating systems, and geographic locations. Securely connecting all of these is one of the most crucial IT initiatives companies are faced with as Gartner reports that 70% of mobile professionals will conduct their work on personal smart devices by 2018.

As we are all well aware, all endpoints pose significant threats to network security. Specifically, BYOD consumer devices are usually the most difficult to manage and secure. Data loss or leakage and unauthorized access or transmission are a constant concern. Mobile devices can also retain sensitive or proprietary data while wirelessly connected to the corporate network. White-listing apps for distribution on iOS and Android platforms helps lock down mobile devices, but unmanaged laptops require greater endpoint control via the VPN.

What can you do to protect it all?

Dell and SonicWall’s VPN and Next-Generation Firewall solution delivers a layered defense strategy to ensure employees have the access they need while providing the security the company requires.

Components of a VPN and Next-Generation Firewall Solution:

  • Secure Mobile Access (SMA) Appliances – Provide mobility and secure access for up to 20,000 concurrent users from a single, powerful, and granular access control engine.
  • Next-Generation Firewalls – Network security, control, and visibility through sandboxing, SSL inspection, intrusion prevention, anti-malware, application identification, and content filtering.
  • Remote Access Management & Reporting – Powerful, web-based remote IT management platform to streamline appliance management and provide extensive reporting.
  • VPN Clients/Mobile Connect – Simple, policy-enforced secure access to mission-critical applications and data for iOS, OS X, Android, Chrome OS, Kindle Fire, and Windows mobile devices.

Deploying a SonicWall VPN and Next-Generation Firewall solution provides multi-layered protection that can authorize, decrypt, and remove threats from SSL VPN traffic before it enters the network environment. The dual protection of a SonicWall SMA and Next-Generation Firewall is critical to ensuring the security of both VPN access and traffic. SonicWall’s remote access management and reporting also allows organizations to view, define, and enforce how application and bandwidth assets are used.

Securely connecting your workforce, partners, and customers has never been more important. Reach out today to your Dell and SonicWall contacts to learn what implementing a SonicWall VPN and Next-Generation Firewall solution can mean for the future of your company.

The evolution of Android RAT SpyNote continues

Code for the Android Remote Administration Tool (RAT) SpyNote was being distributed in underground forums in mid-2016. Since then, multiple variants have surfaced with slight modifications, but all preserve the core functionality of SpyNote intact: spying on its victims.

Yet again a new variant has been spotted, and according to a few reports some samples belonging to this new variant were available on Google Play and may have been installed by a few users.

An overview of SpyNote

SpyNote is an Android Remote Administration Tool (RAT) that aims at capturing sensitive data on the victim’s device and sending it to the attacker. It is usually found advertised on underground forums as shown below. Based on the descriptions on one such forum, SpyNote is currently at version 4 (as per the post below from 4/30/2017):

A new variant

We received reports of a new campaign that has been spreading for a while and is heavily based on SpyNote. This variant carries most of the features of SpyNote, some of which are listed below:

  • Read call logs
  • Call a number
  • Extract contact details from the device
  • List files present in different folders on the device
  • Record Audio
  • Delete an app from the device

Spying on the user is not the only objective of this app; it also makes the device vulnerable to further attacks. One of the commands initiates a download from a URL, which can be used to download additional malicious apps and further infect the device, or to use the device as a conduit for spreading other malicious campaigns:

  • Initiate a download via URL

A major addition in the new variant is how the attacker communicates with the malware post-infection. Commands sent by the attacker follow the code A[number], like A0, A1 and so on. For every such code there is a case that determines what the malware should do:

The output is displayed to the attacker using the format B[number], like B3, B4, followed by the data:

The code contains as many as 72 hardcoded commands.

Some similarities between earlier versions of SpyNote and the current malware that strongly suggest ties between the two are:

  • The code structure and class names are similar
  • The focus is on extracting sensitive user information
  • All of the different versions contain the string screamHacker

Android malware constantly evolves with modifications and additions; we have seen this with a number of malware families. It is the same with SpyNote: similar to the current changes, we can expect more modifications from this malware family that improve the potency of this campaign.

SonicWall Capture Labs Threat Research team provides protection against this threat via the following signatures:

  • GAV: AndroidOS.SpyNote.SH (Trojan)
  • GAV: AndroidOS.SpyNote.BN (Trojan)

Static Analysis of Malicious PDFs

PDF documents are made of objects and streams. Attackers sometimes use PDF documents to embed malicious scripts.
When such documents are opened, they execute the scripts, which in turn try to connect to the attacker’s webserver to download malicious executables.

Below is such an example. Let’s analyze this PDF statically:

Observe that this PDF has embedded JavaScript and OpenAction objects, which makes it suspicious.

The JavaScript is obfuscated.

Beautifying it makes it easier to read.

Looking at the JavaScript closely, notice the presence of the unescape and eval functions.
These indicate that the attacker is trying to exploit some vulnerability and is probably spraying memory with shellcode.
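A static triage pass of the kind walked through above, added here as an example and not part of the original post: it counts the PDF’s objects and streams, looks for the /JavaScript and /OpenAction names (including the #xx hex-escaped spellings used to hide them from naive string searches, plus the related /JS, /AA, /Launch and /EmbeddedFile names), and checks any script body it finds for unescape and eval. The PDF bytes are constructed inline to mirror the write-up.

```python
import re

# Names whose presence makes a PDF worth a closer look. /JS and /AA are the
# abbreviated and "additional actions" forms that appear alongside the two the
# write-up mentions.
SUSPICIOUS_NAMES = ["/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile"]

# Inside a name token PDF allows any byte to be written as #xx, so /J#61vaScript
# is the same name as /JavaScript. Normalise before matching.
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
OBJ_RE = re.compile(rb"\b(\d+)\s+(\d+)\s+obj\b")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
JS_LITERAL_RE = re.compile(rb"/JS\s*\((.*?)\)\s*>>", re.DOTALL)
JS_MARKERS = [b"unescape(", b"eval("]


def unescape_names(data):
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data):
    """Return a dict of static indicators for a PDF blob without rendering it."""
    norm = unescape_names(data)
    report = {
        "objects": len(OBJ_RE.findall(norm)),
        "streams": len(STREAM_RE.findall(norm)),
        "names": {n: len(re.findall(re.escape(n.encode()) + rb"\b", norm)) for n in SUSPICIOUS_NAMES},
        "js_markers": [],
    }
    # Look inside stream bodies and inline /JS (...) literals for the spray-style markers.
    for body in STREAM_RE.findall(norm) + JS_LITERAL_RE.findall(norm):
        for marker in JS_MARKERS:
            if marker in body and marker.decode() not in report["js_markers"]:
                report["js_markers"].append(marker.decode())
    return report


def verdict(report):
    """Heuristic: JavaScript plus an automatic trigger, with or without unescape/eval."""
    has_js = report["names"]["/JavaScript"] or report["names"]["/JS"]
    auto_trigger = report["names"]["/OpenAction"] or report["names"]["/AA"]
    if has_js and auto_trigger and report["js_markers"]:
        return "suspicious: auto-run JavaScript with unescape/eval"
    if has_js and auto_trigger:
        return "suspicious: auto-run JavaScript"
    return "no static indicators"


# Constructed sample: a tiny PDF whose /OpenAction points at a JavaScript action
# whose stream calls unescape and eval. /J#61vaScript is the hex-escaped spelling.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /J#61vaScript /JS 4 0 R >> endobj
4 0 obj << /Length 33 >>
stream
var s=unescape("%u9090");eval(s);
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    rep = triage_pdf(SAMPLE_PDF)
    print(rep)
    print(verdict(rep))
```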

The SonicWall Capture Labs Threat Research team has researched these PDFs and released the following signatures to protect customers.

  • SPY: Malformed-File pdf
  • GAV: Pdfka.AK

NSS Labs Affirms SonicWall Excellence in Security Value Map

On June 6, 2017, NSS Labs published its annual 2017 Next-Generation Firewall (NGFW) Test Report and Security Value Map™ (SVM). For the first time in five years, NSS Labs did not place SonicWall in its “Recommended” quadrant of the SVM. In response, SonicWall immediately resolved the identified issues, automatically updated our firewalls worldwide, and was then publicly retested by NSS Labs to place in its upper right quadrant.

The results of this public retest mean that SonicWall has once again excelled in the industry’s most comprehensive, real-world testing of NGFWs. With its updated 2017 findings, NSS Labs verifies that the SonicWall NSA 6600:

  • Blocked 99.76% of real-time, real-world live exploits
  • Tested 100 percent effective in countering all advanced HTTP evasion, obfuscation and fragmentation techniques
  • Earned 100 percent in stability and reliability, firewall, application control and identity awareness tests

Rapid response

It is perfectly normal in these types of cyber war games to uncover security gaps. It took NSS Labs five years and seven iterations of its test methodology to introduce a new evasion technique that uncovered a security gap in the SonicWall device. In the initial tests, the SonicWall NSA 6600 running SonicOS version 6.2 failed a number of HTTP evasion test cases. After analyzing the evidence provided by NSS Labs, SonicWall immediately mitigated the identified issues with an automatic worldwide update to our security services on our installed base of next-generation firewalls.

Affirmation from NSS Labs

Only one vendor has been able to maintain the NSS Labs Recommended rating for all five years since the NGFW report was first published. In fact, for four years straight, SonicWall was one of only two vendors to be recommended each year, and in last year’s test, we earned a 100% score in the evasions category.

With SonicWall’s updates, NSS Labs retested the NSA 6600 using the same HTTP evasion techniques with a modified exploit. NSS Labs verified that SonicWall was no longer susceptible to the previously cited HTTP evasion techniques. The NSA 6600 now consistently blocks tested HTTP evasion techniques. NSS Labs noted this in both its SVM and its individual SonicWall SVM test report.

As the graph below shows, the SonicWall NSA 6600 is now strongly positioned in the upper right quadrant. The blue dot (Figure 1) shows the new SonicWall positioning and demonstrates that the SonicWall NSA 6600 is one of the highest-rated, best-value NGFWs in the industry, with scores of 97.8% Security Effectiveness and a low TCO of $10 per Protected Mbps. Another critical data point is that in this retest, the SonicWall NSA 6600 scored 100 percent in the HTTP evasion test (Figure 2).

NSS Labs

SonicWall recognizes and values NSS Labs’ long-standing reputation as an unbiased third-party product test and validation organization. We endorse NSS Labs’ test methodology and trust its results. NSS Labs tests have produced extremely useful test results that challenge security vendors to be continuously vigilant. The value of this type of service is maximized when the tests uncover security gaps in security devices before real adversaries do.

Flexible, automated, self-healing security

More importantly, the flexibility of our solution allowed us to automatically provide protections for the evasions NSS Labs discovered to all of our worldwide firewalls, with no need for firmware updates. This flexibility is unique in the market, and a core strength of SonicWall’s automated real-time breach detection and prevention solution, consisting of our next-generation firewalls, intrusion prevention, gateway anti-malware, Capture Advanced Threat Protection, email security and secure remote access products.

In fact, our Capture Labs team provided remediation for the newly discovered NSS issues within 24 hours! This means our customers don’t need to wait for days or even months until new, fully tested firmware is available. Remember, in cases like this, any network is vulnerable until the solution patch is applied.

Staying ahead of the pack

It is important to note that in this year’s NSS Labs SVM, eight of the ten vendors were actually susceptible to the new HTTP evasion test cases. Of the eight, only SonicWall and one other vendor were able to remediate the evasions in an automated fashion.  Tellingly, several vendors placed in the “Recommended” quadrant had still not provided remediation at all. This is why an automated, self-healing solution is absolutely required in today’s extremely fast-paced and complicated cyber threat landscape.

We encourage you to read the full NSS Labs SonicWall Secure Value Map report to learn more.

NewShell ransomware spotted in the wild

The SonicWall Threats Research team observed reports of a new variant of the NewShell ransomware family [GAV: NewShell.RSM] actively spreading in the wild.

NewShell encrypts the victim’s files with a strong encryption algorithm and holds them until the victim pays a fee to get them back.

Infection Cycle:

The Trojan adds the following keys to the Windows registry startup:

Once the computer is compromised, the malware copies its own executable file to the C:\tmp folder and runs the following commands:

The malware downloads the following image from its own server and sets it as the desktop wallpaper.

After encrypting all personal documents and files, the malware shows the following webpage:

It demands that victims pay using Bitcoin in order to receive the decryption key that allows them to recover their files.

The malware adds the ‘.enc’ extension to all target files.

Command and Control (C&C) Traffic

NewShell performs C&C communication over HTTP.

The malware sends HTTP requests to its own C&C server in the following format; here is an example:

SonicWall Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: NewShell.RSM (Trojan)

Microsoft Security Updates Coverage

SonicWall has analyzed and addressed the August 2017 Microsoft Security Updates. A list of the issues reported, along with SonicWall coverage information, is as follows:

  • CVE-2017-0174 Windows NetBIOS Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0250 Microsoft JET Database Engine Remote Code Execution Vulnerability
    Anti-Spyware:1541 Malformed-File mdb.MP.1
  • CVE-2017-0293 Windows PDF Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8503 Microsoft Edge Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8516 Microsoft SQL Server Analysis Services Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8591 Windows IME Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8593 Win32k Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8620 Windows Search Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8622 Windows Subsystem for Linux Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8623 Windows Hyper-V Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8624 Windows CLFS Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8625 Internet Explorer Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8627 Windows Subsystem for Linux Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8633 Windows Error Reporting Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8634 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8635 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8636 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8637 Scripting Engine Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8638 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8639 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8640 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8641 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8642 Microsoft Edge Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8644 Microsoft Edge Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8645 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8646 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8647 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8650 Microsoft Edge Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8651 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8652 Microsoft Edge Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8653 Microsoft Browser Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8654 Microsoft Office SharePoint XSS Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8655 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8656 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8657 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8659 Scripting Engine Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8661 Microsoft Edge Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8662 Microsoft Edge Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8664 Windows Hyper-V Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8666 Win32k Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8668 Volume Manager Extension Driver Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8669 Microsoft Browser Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8670 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8671 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8672 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8673 Windows Remote Desktop Protocol Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8674 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8691 Express Compressed Fonts Remote Code Execution Vulnerability
    There are no known exploits in the wild.