Samba LDAP Server Privilege Escalation

Samba is a free software re-implementation of the SMB/CIFS networking protocol, providing file and print services for various Microsoft Windows clients and can integrate with a Microsoft Windows Server domain, either as a Domain Controller (DC) or as a domain member. As of version 4, it supports Active Directory and Microsoft Windows NT domains.The Active Directory it supports, is a directory service used by Microsoft systems on Windows domain networks, in which Samba will provide user authentication services as the Active Directory Domain Controller (AC DC). To store the user privilege information, a object called nTSecurityDescriptor will be used.A vulnerability exists in Samba. As Samba has mistakenly allowed a nTSecurityDescriptor object with dangerous privilege, change Password extended right, to be assigned to the group “everyone” (SID S-1-1-0), which includs all authenticated users:

 aces: struct security_ace // Security Access Control Element (DACL)
 flags : 0x00 (0)
 size : 0x0028 (40)
 access_mask : 0x00000100 (256)
 object : union security_ace_object_ctr(case 5)
 object: struct security_ace_object
 flags : 0x00000001 (1)
 type : union security_ace_object_type(case 1)
 type : ab721a53-1e2f-11d0-9819-00aa0040529b // GUID for Change Password Extended Right
 inherited_type : union security_ace_object_inherited_type(case 0)
 trustee : S-1-1-0 // SID = "Everyone", causing the vulnerability

An authenticated user could reset the password for arbitrary users, causing a remote privilege escalation. Because changing the password requires the old password, this vulnerability cannot be exploited by a unauthenticated user.

SonicWall Capture Labs Threat Research team has developed the following signature to identify and stop the attacks:

  • IPS 13274: Samba LDAP Server Privilege Escalation



Sonicwall RTDMI engine discovers malicious MS Office file containing Java RAT in the wild

Sonicwall RTDMI engine as part of Sonicwall Capture ATP service identified a new malicious Microsoft Office Document file embedded with a Java malware RAT (Remote Access Trojan) in real time. Among many of its previously announced detection capabilities, SonicWall RTDMI engine can also look inside multiple layers of packaging and obfuscation to find well entrenched malware components in real-time and provide unparalleled detection capabilities. The non-existence of this malicious file on popular malware search portals (VirusTotal or Reversing Labs) indicates how fresh the malware sample is in the wild and the effectiveness of RTDMI. The figure below was taken when we started analysis of this threat and found no results on Virustotal:

Fig-1 : Virustotal results for the malicious file

On opening the office document, it advises the victim to open the embedded olepackage to view the fake invoice. This fake invoice is actually a malicious Jar (Java-Archive) file:

Fig-2 : Microsoft Office file

Upon further analysis, Sonicwall Capture Labs threat researchers determined that the malicious jar file belongs to a notorious Java JRat family called Adwind. If the system has Java runtime installed, then upon opening this Jar file, it’s malicious behaviour is exhibited. On execution, it drops a copy of itself into %temp% folder, drops a vbscript file and further downloads password recovery and other spying tools from internet into %temp% folder and executes them. It then proceeds to modify windows system registry to disable different antivirus and security software which are installed. It also disables System Restore from registry.

Few of the registry modifications are mentioned below:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
    • “DisableConfig”=dword:00000001
    • “DisableSR”=dword:00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe
    • “debugger”=”svchost.exe”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FProtTray.exe
    • “debugger”=”svchost.exe”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FortiClient.exe
    • “debugger”=”svchost.exe”


Indicators of Compromise:

  • e8a3e9178d871b89db608615f663f7b09d6bad78421c3e1ce95c6776ed4df239 : Malicious Document File
  • f1d0a8c11e4eed1165e9434c1dff914cf9c7baf5be1f528d026ee0f683f1ce26 : Malicious Java JRat File

Evidence of the detection by RTDMI engine can be seen below in the Capture ATP report for this file:

How to Use Threat Intelligence to Stop Cyber Attacks

To proactively protect networks and data in today’s fast-moving cyber arms race, organizations must be able to collect, analyze and apply threat intelligence to make smart and agile security decisions.

For some organizations, this is part of everyday life — even if it’s still increasingly difficult. For others, it’s just not possible based on company size, expertise, budget or any number of challenging factors.

SonicWall wants each and every organization to know what they’re up against. We’ve discussed the enhanced SonicWall Security Center, but it’s important for organizations to realize that it includes real-time Threat Meters that provide actionable cyber threat intelligence that may be leveraged to better protect their business.

The SonicWall Threat Meters offer a graphical view of the worldwide attacks over the last 24 hours, countries being attacked and geographic attack origins. This complimentary tool helps accurately illustrate the pace and speed of the cyber arms race.

Within the SonicWall Security Center, the highly interactive threat meters provide real-time threat intelligence about today’s most critical attack trends. This includes attacks data about:

Knowing the cyber threats — in real time

But identifying the attacks isn’t the only value here. Understanding what’s at risk and what is being mitigated is unmistakably valuable for organizations of all types. For example, did you know that in February 2018 alone, the average SonicWall customer faced the following:

  • 2,510 malware attacks, a month-over-month increase of 138 percent
  • 45 ransomware attacks, a month-over-month increase of 122 percent
  • 169 encrypted cyber attacks, a month-over-month increase of 125 percent
  • 715 new attack variants per business day, a month-over-month increase of 43 percent
  • 11 phishing attacks per day

Security Center Malware Map

How to stop cyber attacks

Organizations should leverage this threat intelligence to implement a security strategy that delivers automated, real-time breach detection and protection. This can be achieved via an integrated suite of cyber security controls that include next-generation firewalls, cloud sandbox, email security, remote access solutions, SSL and TLS deep packet inspection, and security management and reporting capabilities.

SonicWall is ready to help you design and deploy a security strategy that matches the business objectives, size and budgets of your organization. Connect with a SonicWall security expert, or an authorized SonicWall partner, to get started.

See Real-Time Threat Intelligence

Did you know you can improve your security posture by knowing what attacks are most likely to target your organization? Visit the SonicWall Security Center to see the latest attack trends, types and volume across the world.

UselessDisk: A fake ransomware bootlocker

DescriptionThe SonicWall Capture Labs Threat Research Team have come across a fake ransomware Trojan that functions as a bootlocker. It is named Uselessdisk because of the debugging symbols and project name strings that the developer has left in the executable file. Its aim is simple: render the system unbootable and pretend that files on the system have been encrypted. Ask for $300 USD in bitcoin for file recovery.

Infection Cycle:

Upon running the malware, it quickly reboots the machine and displays the following message:

Usually the process of encrypting files takes at least a few seconds so we were suspicious when this malware claimed to achieve this so quickly. We were doubtful as to whether any encryption was actually taking place at all. Running the malware through a debugger and analysing its behavior confirmed this doubt.

The Trojan is quite simply, a boot locker. Its first step is to acquire direct access to the physical drive by using the CreateFileA API to open “\\.PHYSICALDRIVE0”. It also attempts to lock the volume for exclusive access to the drive by using the IO control code FSCTL_UNLOCK_VOLUME with the DeviceIOControl API call:

These functions only return successful if the Trojan is run in administrator mode. If the above calls return successfully the Trojan then calls WriteFile to overwrite the MBR (Master Boot Record):

This causes the above message to be shown on the screen at boot time and renders the operating system unbootable.

Once the MBR has been overwritten, the Trojan unlocks the volume then uses WinExec to run the shutdown command with arguments to reboot the system immediately:

There are no other file or encryption API functions present in the malware executable.

The Trojan is unlikely to be lucrative. The bitcoin address (1GZCw453MzQr8V2VAgJpRmKBYRDUJ8kzco) has received no transactions yet at the time of writing this alert:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: UselessDisk.RSM (Trojan)



Phishing Emails: The Spear of the Cyber Attack

As we know, email is the most popular attack vector used by threat actors to carry out targeted cyber attacks. In fact, more than 90 percent of cyber attacks start with a phishing email campaign. It is the easiest way for a cyber criminal to enter a network and execute tactics to accomplish an objective — be it data exfiltration, delivering a malicious payload or phishing for credentials.

Using social engineering, the tactics of accomplishing these objectives are highly sophisticated and targeted. Email is a primary collaborative tool to share documents, such as PDFs and Microsoft Word files, and URLs that could be weaponized with malware. Logically, phishing has evolved with this user behavior.

How email attachments are weaponized

File attachments, such as Microsoft Word documents and Adobe PDFs, have the ability to include embedded URLs, macros and scripts. This makes it possible for these files to work as executable malware. These malicious file attachments are used as delivery vehicles for ransomware and other zero-day threats. Here are some of the most popular methods files can be weaponized:

Embedded macros and scripts that hide malicious payloads
First, attackers embed a macro that obfuscates malicious payloads in the document. They then use personal information gathered through social engineering to mislead the user into enabling the macro content to run and infect the victim’s computer. These exploits take advantage of software vulnerabilities and then launch the intended payload to infect the computer.

Embedded macros and scripts that download malware from external sites
Documents can also be embedded with scripts that call external Command & Control (C&C) servers or websites to download malware inconspicuously. Often, these downloaded payloads take the form of ransomware, trojans, infostealers or botnets that make your system part of the malicious networks that carry out attacks on behalf of cyber criminals.

Fake attachments and embedded links
In some cases, attackers send documents or fake attachments, such as a PDF or a Word file, with embedded URLs. After clicking on the URL, the victim is redirected to a sign-in page that looks and feels authentic. These sign-in pages are well crafted and designed to deceive even educated users. Unsuspecting victims often fall prey by entering their credentials into the sign-in page.

High-profile phishing attacks

Google, January 2017
This phishing scam targeting Google users was clever and deceiving. Victims received an email that seemed to come from a familiar contact. The email included a legitimate file attachment that looked like a PDF or Word document. But the attachment was, in fact, an image with an embedded URL. Victims who clicked the attachment for a preview were redirected to a well-designed Google sign-in page that looked authentic. The fake page prompted the victim to enter credentials that enabled the cyber criminals to compromise the user’s Google account.

DocuSign, May 2017
A company that provides digital document-signature services, DocuSign, was the victim of a targeted phishing campaign. Users received an email that appeared to come from DocuSign and included a “Review Document” link. Once the link was clicked, a weaponized Word document with embedded malicious macro was downloaded. When the user enabled the content, the macro called a C&C server to download malware payload stealthily onto the victim’s computer.

Netflix, November 2017
Toward the end of last year, Netflix made the headlines for all the wrong reasons. A successful and sophisticated phishing campaign targeted the streaming service’s subscribers. This attack did not include any file attachments. Instead, attackers crafted a personalized email informing them that their account was suspended. They were asked to take an action by clicking on a fake link that redirected the then to a well-designed web page to collect credentials and credit card information.

Pyeongchang Olympics, January 2018
The 2018 Winter Olympics in Pyeongchang, South Korea, was one of the first victims of 2018 via a deadly, targeted spear-phishing attack. Appearing to be sent by National Counter-Terrorism Center (NCTC), the email included an attachment — a malicious Microsoft Word document with the original file name 농식품부, 평창 동계올림픽 대비 축산악취 방지대책 관련기관 회의 개최.doc (“Organized by Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics”). This spear-phishing campaign’s objective was to establish back doors into the networks once the victim opened the Microsoft Word document attachment.

How to stop phishing and other email attacks

Email security is no longer just about blocking mass spam and phishing campaigns. The above incidents indicate the evolution of how cyber criminals use email as a threat vector, and how they use the versatility of PDFs and Microsoft documents to their advantage.

These are advanced email threats that are carefully planned and highly targeted attacks. Traditional anti-spam and signature-based anti-malware simply cannot stop these attacks.

A multi-layered security approach provides the best defense against these email threats. The layers should include advanced threat protection features, such as sandbox analysis for email file attachments and embedded URLs, and email authentication technologies such as SPF, DKIM and DMARC.

It is also true that not all sandboxes offer equal protection. The cloud-based SonicWall Capture Advanced Threat Protection (ATP) service blocks the most evasive malware with its multi-engine approach.

Capture ATP now includes the recently announced, patent-pending Real-Time Deep Memory Inspection (RTDMITM) technology. RTDMI blocks malware that does not exhibit any malicious behavior or hides its weaponry via encryption.

By forcing malware to reveal its weaponry in memory, the RTDMI engine proactively blocks mass-market, zero-day threats and unknown malware utilizing real-time memory-based inspection techniques. This means, by design, RTDMI can sniff out malware obfuscated within PDF files and Microsoft Office documents by threat actors.

With high performance, fast scan times and block-until-verdict capability, Capture ATP offers comprehensive protection against advanced cyber threats.

To learn more about our analysis of the cyber arms race, and what you can expect in 2018, download a complimentary copy of the 2018 SonicWall Cyber Threat Report.

Download the 2018 SonicWall Cyber Threat Report

The cyber arms race is a challenge we face together. And it’s the core reason we’re committed to passing our findings, intelligence, analysis and research to the global public via the SonicWall 2018 Cyber Threat Report.

NTP Daemon decodearr Function Buffer Overflow


Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks. In operation since before 1985, NTP is one of the oldest Internet protocols in current use. NTP’s has a native application implementation, ntpq, which can be accessed from command line.

A stack overflow vulnerability is reported in ntpq. Because the request parse function decodearr() failed to validate the size of request parameters, an attacker could overwrite the stack content with controllable content. A successful attack could lead to an arbitrary code execution on the target server with the privilege of the service application.

The format of the NTP message data has been specified in rfc1305:

Leap Indicator: 2 bits
Version Number: 3 bits
Mode: 3 bits Message Mode
Response Bit: 1 Bit (0x0/0x01 for requests/responses)
Error Bit: 1 Bit
More Bit: 1 Bit
Operation Code: 5 bits
Sequence: 16 bits
Status: 16 bits
Association ID: 16 bits
Offset: 16 bits
Count: 16 bits
Data: key-value format data

The data section is represented in the following format:

key = value1 value2 .... valueN (array of values)

When handling the request’s data section, the function decodearr() used a 80 bytes fixed length buffer, which is a local variable allocated in stack. If the request is longer than 79 bytes (as shown in the figure below), a typical stack overflow will occur.

SonicWall Capture Labs Threat Research team has developed the following signature to identify and stop the attacks:

  • IPS 13276: NTP Daemon decodearr Function Buffer Overflow

UDPoS malware spotted in the wild


The SonicWall Capture Labs Threat Research Team observed a new POS malware Called UDPOS [UDPOS.A].

UDPOS is a newly-discovered malware that preys upon credit card payment systems. UDPoS uses DNS tunneling to exfiltrate the data from the system.

Infection Cycle:

The Malware adds the following files to the system:

  • Malware.exe
    • C:\WINDOWS\system32\LogMeInUpdService\hdwid.dat [Machine ID]
    • C:\WINDOWS\system32\LogMeInUpdService\sinf.dat [Process Name Logs ]
    • C:\WINDOWS\system32\LogMeInUpdService\[Rndom Number].dat [ Track Data ]
    • C:\WINDOWS\system32\LogMeInUpdService\infobat.bat [ Net Commands ]
    • %Userprofile%\Local Settings\Temp\7ZSfx000.cmd [ Wipe Commands ]

Once the computer is compromised, the malware creates a new system service to maintain persistence and then launches a component to monitor for sensitive payment card data.

The malware adds the following keys to the Windows registry to ensure persistence upon reboot:

The malware uses a basic encryption and encoding method to obfuscate various strings such as the C&C server, filenames, and process names to evade detection.

The malware terminates itself if it detects the presence of antivirus software or if debugger is presents on the infected system.

The Malware retrieves a list of running processes; the malware is responsible for scraping the memory of current processes on the infected machine for credit card information periodically. The malware tries to Enumerate Credit Card Data from POS Software with following API functions:

The malware logs POS process name into sinf.dat file:

The malware generates random identifier for the target machine and saves into hdwid.dat file:

Once it locates payment card data, the Malware makes one HTTP request to determine the infected system’s external IP address.

Once the public IP is acquired, the malware tries to verify Credit Cards numbers and then sends track 1 and track 2 credit card data in encrypted format to one of the given C&C Servers based on DNS Traffic format such as following example:

Sonicwall Capture Labs provides protection against this threat via the following signature:

  • GAV: UDPOS.A (Trojan)

Top 7 Wireless Best Practices for Better Wi-Fi Coverage & User Experiences

Many of us face slow Wi-Fi and connectivity issues on wireless networks. Just the other day, I was in a café having coffee and browsing the internet. Suddenly, my connectivity dropped. I tried to reconnect, but the signal strength was too low. In the end, I gave up.

I am sure you have faced the same issue. Usually, at this point, you might blame the wireless network and question the capability of the access point (AP). But did you know often this is not the case? Mostly, the AP is not to blame. Connectivity problems arise due to improper designing and planning of the wireless network. Below are some of the best practices that you can follow to provide the best user experience from your wireless network.

  • Perform a site survey before installing access points

Before deploying your AP, it is critical you understand your environment and the type of deployment you require. Would you prefer coverage over density, or vice versa? To ensure the café scenario doesn’t happen, plan your network based on density. This ensures you are prepared for data traffic during peak hours on your wireless network.

Performing a site survey before deploying your wireless network can help with determining how many access points are required, and what type of coverage you can expect with your APs. Advanced site survey tools, such as SonicWall’s Wi-Fi Planner, will be able to predict the coverage automatically. This tool also lets you choose the coverage zones, and identifies what type of obstacles and areas are present in your location.

Wifi Planner

SonicWall’s Wi-Fi Planner uses heat maps to help you accurately design a dense, secure and reliable wireless environment.

  • Before plugging in your AP, check if it requires 802.3af or 802.3at

It is essential to check the power compliance of your AP before connecting it to your network. The maximum power from an 802.3af source is 15.4W, whereas 802.3at is 50W. If you are plugging an 802.3af-complaint AP into an 802.3at power source, make sure that your power supply is backward compatible with 802.3af devices. If not, your AP could be fried.

  • Max AP power does not mean max performance

Blasting your AP at full power does not ensure maximum performance. While it would showcase more coverage, the user experience may be impacted.

Think about two people in a room. They are in close proximity to each other, trying to have a conversation, and both of them are screaming at the top of their voices at the same time. Neither of the two would be able to understand each other and carry out a meaningful conversation. Similarly, based on your environment, it is essential to tweak the transmit power of the AP.

  • AP mounting is critical for ubiquitous coverage

APs are built to work in certain use cases or environments. For instance, an indoor, integrated-antenna AP is designed to work as a ceiling-mount AP in spaces like indoor office environments. This is because the APs with integrated, omni-directional antennas have a 360 degree radiation pattern. Much like the sun radiating rays, the omni-directional access points radiate RF signals. Barriers like walls, concrete and metal partitions can cause RF blockage.

  • Use 20 MHz or 40 MHz channels for high-density deployments

For high-density deployments, it is essential to choose lower channel widths, such as 20 MHz and 40 MHz. With 80MHz channels, there are just five non-overlapping channels, while for 160 MHz, there are only two non-overlapping channels. This makes it hard to deploy the higher channel widths without causing co-channel interference. Higher channel widths are ideal for low-density, high-performance requirements.

  • Deploy indoor APs every 60 feet for high-density deployments

APs should be deployed based upon your coverage or density requirements. For high-density, high-bandwidth requirements, deploy your APs every 60 feet. Make sure your Received Signal Strength Indicator (RSSI) stays above -65 dBm. Up to -65 dBm is recommended for VOIP and streaming.

  • Disable lower data rates

Based on your coverage design, it is advisable to turn off lower data rates below 24 Mbps. This ensures that the AP and client do not communicate at, say, 6 Mbps, which could result in low performance and lead to a poor user experience.

To learn more about wireless networking best practices, read our solution brief, “Best Practices for Wired, Wireless and Mobile Security.”

A New Cyber Security Certification: SonicWall Network Security Administrator Course

SonicWall has spent the last 12 months deeply focused on training and enablement for our partners, customers and employees. Based on student feedback and market requirements, the company’s Education Services Organization is introducing the SonicWall Network Security Administrator (SNSA) course; a completely new training course and certification exam that will replace the Network Security Basic Administration (NSBA) class.

The SNSA training curriculum is designed to teach students specific SonicWall network security technology. The course will provide students with the skills to successfully implement and configure SonicWall firewall appliances and security services.

Improvements included with SNSA:

  • Two days of instructor-led classroom training, with 80 percent hands-on labs and 20 percent lecture
  • Six hours of online learning modules, which may be completed before or after the classroom portion
  • Based on the recently released SonicOS 6.5 firmware
  • Generic network security theory is removed and provided in supplemental training material

Consistent SonicWall training across the globe

To support the launch of the SNSA course, SonicWall Education Services is also launching a new Authorized Training Partner (ATP) strategy to enhance consistency in the delivery of training content and guidance. This new strategy encompasses:

  • Coverage provided by three global strategic training partners, augmented by key regional partners
  • Global fulfillment of materials and virtual labs via a single strategic training partner
  • Price adaptation to fit local-market currencies and demand
  • SonicWall global ATP managers to ensure content, delivery and lab experience are consistent worldwide
  • Proctoring service to ensure certification authenticity for both students and sponsoring partners

What happened to Network Security Basic Administration (NSBA)?

For the last 10 years, SonicWall offered a series of technical certification courses to its partners, customers and employees. The core certification training was focused on foundational understanding of network security, particularly basic administration found in the SonicWall Network Security Basic Administration (NSBA) course.

With a focus on training network security administrators, NSBA provided students with a broad overview of network security technology and the skills needed to configure and administer a basic SonicWall firewall appliance.

While this course satisfied initial learning objectives, student feedback indicated the content was not sufficient to meet the needs of deeper skillsets (e.g., installation, management and troubleshooting). Students left the course feeling they needed additional in-depth technical training and expertise.

In addition, due to a widespread number of ATPs around the world, student experience varied by geography and instructor. The changes to the course and the improvement of the ATP strategy ensure SonicWall will deliver best-in-class technical training to its partners and customers.

For individuals who completed the NSBA exam and hold a current CSSA certification, SonicWall will continue to acknowledge these important certifications through March 2020. Students wishing to re-certify an expiring CSSA certification will, however, be required to complete the new SNSA course and certification.

To enroll in the new SNSA program, students may access the newly launched external SonicWall University site.

SonicWall Security Certification Courses

SonicWall offers other training and certification courses to support the needs of our partners, customers and employees. These include:

Network Security Advanced Administration (NSAA) Course

Designed to further enhance an individual’s network security technical skills, the NSAA course is available to students who have achieved either the CSSA or the SNSA certification.

This two-day, instructor-led course provides students with the latest information on application control, bandwidth management, troubleshooting and advanced networking. Completion of this course prepares students to complete the Certified SonicWall Security Professional (CSSP) certification exam.

Secure Mobile Access Basic Administration (SMABA) Course

The SMABA course provides students with the technical skills necessary to administer and manage SonicWall Secure Mobile Access (SMA) appliances.

The SMABA course covers the use of Appliance Management Control to provide secure access — to any application from any network — based on secure authentication and authorization policies. Completion of this course prepares students for the Certified SonicWall Security Administration (CSSA-SMABA) certification exam.

Secure Mobile Access Advanced Administration (SMAAA) Course

Recommended for engineers or administrators of SonicWall SMA devices installed in larger networks, the SMAAA course provides students with in-depth technical training covering deployment options, authentication and authorization policies and troubleshooting.

Completion of this course prepares students for the Certified SonicWall Security Professional (CSSP-SMAAA) certification exam.

Encrypted Cyber Attacks: Real Data Unveils Hidden Danger within SSL, TLS Traffic

Since the shocking announcement of serious Meltdown and Spectre vulnerabilities in early 2018, we have yet to hear of a mega-breach that would signal the start of another vicious hacking year.

Has it been luck? Are our network security defenses stronger? Or are current hacks hiding their efforts? Whatever the situation, the expectations from lessons learned in historical security events are that hacking tools will evolve and new threat vectors will emerge — year after year.

To help organizations gain confidence to make informed decisions and take calculated security actions against the latest cyber attacks, SonicWall shares its threat findings in the recently published 2018 Cyber Threat Report.

The report focuses on the ongoing battle of innovations and advancements between cybercriminals and security industries. The detailed threat information was gathered, recorded, researched and analyzed by the SonicWall Capture Labs research team so you can easily follow what’s happening in the threat landscape.

Today, we’ll underscore our observations on the good and bad of SSL/TLS-encrypted web traffic and respective encrypted threats.

The cyber battle inside encrypted traffic

For five straight years of monitoring and reporting on encrypted traffic trends, SonicWall continues to record strong growth in SSL/TLS-encrypted web connections, with a 24 percent increase over 2016. This increase accounted for 68 percent of overall web connections in 2017.

We believe the rise was attributed to the growing use of secured cloud applications and websites. Again, use of SSL/TLS encryption continues to be trending in the right direction. Companies securing websites and cloud services, to create safer web interactions, is a win for internet users and security teams.

SSL/TLS Use Increased

Despite the security advantages provided by SSL/TLS encryption, SonicWall collected real-world empirical evidence on cyber attacks executed inside of SSL/TLS-encrypted web sessions.

Using full-year data samples from a subset of SonicWall firewalls with active Deep Packet Inspection of SSL (DPI-SSL) service in 2017, we observed that an average of nearly 5 percent of all file-based malware propagation attempts used SSL/TLS encryption to avoid detection.

SonicWall Capture Labs also found, on average, 60 file-based malware propagation attempts per SonicWall firewall each day. Without the ability to inspect encrypted traffic, the typical organization would have missed over 900 file-based attacks per year hidden by SSL/TLS encryption. Remember, it takes only a single miss to create severe damage to an organization.

How to stop encrypted cyber attacks

Organizations can easily block attacks within SSL/TLS web connections. However, many have not activated existing security features — like DPI-SSL — to do so.

If you choose not to inspect encrypted traffic — or if your firewall is limited in its ability to do so — you are truly missing a critical value of your firewall.

It is possible for organizations to enjoy the security benefits of SSL/TLS encryption without providing a hidden tunnel for attackers. Here are some helpful guidelines:

  1. Understand what’s at risk. If you haven’t conducted a security audit recently, complete a comprehensive analysis to identify your risks and needs.
  2. Build a defense. Upgrade to a capable, extensible next-generation firewall (NGFW) with integrated IPS security services and DPI-SSL design that can scale performance to support future growth.
  3. Evaluate and improve. Update your security policies to defend against a broader array of threat vectors and establish multiple security defense methods to respond to both HTTP and HTTPS attacks.
  4. Create awareness. Train your staff continually to be aware of the dangers of social media, social engineering and suspicious websites and downloads, as well as various spam and phishing scams in personal and business email accounts. Start with this Phishing IQ test.
  5. Inspect digital certificates. Inform users never to accept a self-signed, non-valid certificate from unknown applications.
  6. Keep it current. Make sure all your software is up to date. This will help protect your organization from older SSL exploits that have already been neutralized.

The growth of SSL/TLS encryption can and will be a positive security trend for the global community, but it will remain a channel for malicious activity until companies recognize and address the risks.

By investing in updated solutions, and enabling SSL/TLS inspection capabilities, organizations can have the best of security and performance at the same time.

Download the 2018 SonicWall Cyber Threat Report

The cyber arms race is a challenge we face together. And it’s the core reason we’re committed to passing our findings, intelligence, analysis and research to the global public via the SonicWall 2018 Cyber Threat Report.