Frequently Asked Questions: The E-rate Program

While we’ve explained the ins and outs of the E-rate program during the five-part SonicWall E-rate Fear Less series, we wanted to use the final episode to explore the common questions about the E-rate program itself and how SonicWall cyber security solutions may be funded via the program.

Episode Five: E-rate Fear Less Series Q&A

Holly Davis interviews SonicWall software business development director John Mullen.

The final video in our five-part series explores these common E-rate program questions:

  • Why SonicWall for the K12 Environment?
  • What is SonicWall Capture ATP?
  • Why would SonicWall Capture ATP sandboxing be necessary for K12?
  • What is SonicWall SECaaS?
  • Does E-rate fund firewalls in their entirety?
  • Is Capture ATP funded by the E-rate program?
  • Is SECaaS funded by the E-rate program?
  • How do I get started with the E-rate program?
  • Where can we find additional resources about the E-rate program?

What technology is eligible for funding through the E-rate program?

To help offset funding and staffing shortages, the U.S. Department of Education and the FCC launched the E-rate program, which helps make telecommunications and information services more affordable for schools, campuses, districts and libraries.

The E-rate program is operated by Universal Service Administration Company (USAC), which has a core focus of providing underfunded verticals with access to affordable technology and security services. This includes schools, libraries, rural healthcare organizations and more.

USAC provides a yearly Eligible Services List (ESL), which outlines which types of products and services can be procured via E-rate program discounts.

SonicWall and E-rate

With the most comprehensive channel program in the industry, combined with additional E-rate discounts, SonicWall and our partners are best positioned to meet the needs of K12 customers and help them take full advantage of the funding E-rate provides for securing their networks.

Through its global channel of more than 24,000 technology partners, SonicWall is actively involved in helping K12 education organizations cost-effectively obtain and deploy network security solutions. SonicWall provides a broad array of E-rate-eligible products and services, including firewalls and turnkey Security-as-a-Service solutions.

If you are an eligible K12 organization, please contact your preferred SonicWall reseller for information on E-rate benefits and discounts, or visit the SonicWall E-rate page for information, tools and guidance.

New Cyber Threat Intelligence Shows Growing Malware Volume, Encrypted Attacks

The latest cyberattack data from SonicWall shows increases across the board for global malware, ransomware, TLS/SSL encrypted attacks and intrusion attempts.

Highlighting these new findings, the SonicWall Capture Advanced Threat Protection sandbox, with Real-Time Deep Memory Inspection (RTDMI™), discovered 1,099 new malware variants each day in April.

This cyber threat intelligence, which is available in the SonicWall Security Center, maps the behavior of cybercriminals and the tactics they employ to breach the networks of businesses and organizations across the world.

Globally, the SonicWall Capture Threat Network, which includes more than 1 million sensors across the world, recorded the following 2018 year-to-date attack data:

  • 4,050,797,027 malware attacks (152 percent increase from 2017)
  • 1,233,667,979,688 intrusion attempts (67 percent increase)
  • 132,266,265 ransomware attacks (426 percent increase)
  • 914,975 instances of malware using SSL/TLS encryption (351 percent increase)

Breaking this down to the customer level, in April 2018 alone, the average SonicWall customer faced:

  • 2,254 malware attacks (95 percent increase from April 2017)
  • 78 ransomware attacks (343 percent increase)
  • 73 encrypted threats
  • 10 phishing attacks each day

1,099 new malware variants discovered by Capture ATP each day

Stop cyberattacks in memory

Included with Capture ATP, SonicWall’s patent-pending RTDMI technology catches more malware than behavior-based sandboxing methods, with a lower false positive rate. In 2018, RTDMI has discovered more than 5,000 never-before-seen malware variants — attacks likely missed by competing signature-based offerings.

First announced in February 2018, RTDMI technology is used by the SonicWall Capture Cloud Platform to identify and mitigate even the most insidious cyber threats, including memory-based attacks. RTDMI proactively detects and blocks unknown mass-market malware — including malicious PDFs and attacks leveraging Microsoft Office documents — via deep memory inspection in real time.

The 2018 SonicWall Cyber Threat Report advises that cybercriminals will continue to leverage users’ trust in PDFs and Microsoft Office applications (which represented five of the top 10 attacked applications of 2017). Because of obfuscation techniques, many legacy firewalls and anti-virus solutions are unable to effectively identify and mitigate PDFs or Microsoft Office file types that contain malicious content.

 

Exploit for PDF vulnerability CVE-2018-4990 exists in the wild

An out-of-bounds read vulnerability was recently reported in the JPEG2000 component of Adobe Acrobat Reader. The vulnerability is due to a lack of validation while processing a JPEG2000 image embedded in a PDF document. The JPEG image can be manipulated to cause an out-of-bounds read and eventually an arbitrary free, because the addresses that are read get freed by the caller. The JavaScript embedded in the PDF uses the JPEG image object to cause the arbitrary free and later uses heap spray techniques to read from and write to memory.

Let’s look at the PDF that exploits the above-mentioned vulnerability.

Using pdf-parser, we see an embedded JPEG image object inside of the field button Button1.

 

 

The PDF also carries embedded JavaScript that runs when the document is opened. Let’s decompress and extract the JavaScript for further analysis.

 

 

The JavaScript below allocates and frees large array buffers so that it keeps references to the freed address space. It then triggers the out-of-bounds read bug by calling into the Button1 object, which allocates into the previously freed slot and eventually frees the pointers the attacker needs to carry out the attack. A heap spray technique is then used to read from and write to memory.

 

 

The stack trace below was retrieved by enabling page heap and user-mode stack traces with gflags.exe. The crash occurred due to an access violation, as JP2KLib.dll (the JPEG2000 component) tries to free memory that doesn’t belong to it.

 

The exploit locates the base address of the DLL, builds the ROP chain with the given offsets, and sprays it into the heap to redirect the execution flow to arbitrary code in the heap.

 

A remote attacker could exploit this vulnerability by enticing a user to open a PDF document with a crafted JPEG image & an embedded JavaScript that allows arbitrary code execution in the context of the application.

This can be mitigated by upgrading to the latest non-vulnerable version of the software or by disabling JavaScript in the Adobe Acrobat Reader.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • CVE-2018-4990
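
A static triage pass for the document structure described above, as an added example that is not SonicWall's code or part of the original analysis: it counts the PDF names for script, auto-run and JPEG2000 (/JPXDecode) objects after decoding #xx name escapes, and flags files that combine all three. The triage function and both sample byte strings are constructed for illustration and carry no exploit content.

```python
import re
import zlib

# PDF names relevant to this advisory: script carriers, auto-run triggers,
# form fields, and the JPEG2000 stream filter.
KEYS = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/AcroForm", "/JPXDecode")

_NAME = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def _names(data: bytes):
    """Yield (decoded_name, raw_token); /J#61vaScript decodes to /JavaScript."""
    for m in _NAME.finditer(data):
        raw = m.group(0)
        decoded = _HEX.sub(lambda h: bytes([int(h.group(1), 16)]), raw)
        yield decoded.decode("latin-1"), raw


def triage(pdf: bytes) -> dict:
    counts = {k: 0 for k in KEYS}
    obfuscated = set()
    # Scan the raw file plus every stream that inflates cleanly, because
    # objects can sit inside Flate-compressed object streams.
    views = [pdf]
    for m in _STREAM.finditer(pdf):
        try:
            views.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate (for example the JPEG2000 data itself) or corrupt
    for view in views:
        for name, raw in _names(view):
            if name in counts:
                counts[name] += 1
                if b"#" in raw:
                    obfuscated.add(name)  # escaped spelling of a sensitive name
    script = counts["/JavaScript"] + counts["/JS"] > 0
    autorun = counts["/OpenAction"] + counts["/AA"] > 0
    jpx = counts["/JPXDecode"] > 0
    return {
        "counts": counts,
        "obfuscated_names": sorted(obfuscated),
        "suspicious": script and autorun and jpx,
    }


# Constructed sample mirroring the layout described in the write-up: a button
# field holding a JPEG2000 image, plus JavaScript run on open.
SAMPLE = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /OpenAction 4 0 R"
    b" /AcroForm << /Fields [2 0 R] >> >> endobj\n"
    b"2 0 obj << /FT /Btn /T (Button1) /MK << /I 3 0 R >> >> endobj\n"
    b"3 0 obj << /Subtype /Image /Filter /JPXDecode /Length 4 >>\n"
    b"stream\n\x00\x00\x00\x0c\nendstream endobj\n"
    b"4 0 obj << /S /J#61vaScript /JS 5 0 R >> endobj\n"
    b"5 0 obj << /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(b"/* script body */")
    + b"\nendstream endobj\n"
)

# Constructed benign counterpart: a JPEG2000 image with no script at all.
BENIGN = (
    b"%PDF-1.4\n1 0 obj << /Subtype /Image /Filter /JPXDecode >>\n"
    b"stream\n\x00\x00\nendstream endobj\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
    print(triage(BENIGN))
```

A hit only means the file has the same shape as the sample analysed here and deserves sandboxing or manual review; it does not prove the JPEG2000 data is malformed.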

Sigrun 1.0 Ransomware spotted (May 25 2018)

The SonicWall Capture Labs Threat Research Team have observed reports of ransomware named Sigrun, after the Norse mythological figure.  As expected, this Trojan encrypts files and demands a ransom for recovery.  To lighten the mood it attempts to play Vivaldi’s The Four Seasons in the background.

 

Infection Cycle:

Upon infection, the Trojan immediately encrypts files on the system.  Encrypted files are given a .sigrun extension.  The following files are dropped into all directories containing encrypted files:

    • RESTORE-SIGRUN.html
    • RESTORE-SIGRUN.txt

RESTORE-SIGRUN.html is displayed and contains the following ransom note:

 

The HTML page also contains code to play Vivaldi’s The Four Seasons in the background:

 

RESTORE-SIGRUN.txt contains the following message:


 

We reached out to sigrun_decryptor@protonmail.ch and received the following message:

 

However, the $500 ransom quickly grew to 1 BTC ($7550 at the time of writing) in an email received the following day.  Additionally, a threat is made to increase the ransom to 2 BTC if not paid within 24 hours:

 

It seems that the operators may have been successful.  The transaction history of the supplied bitcoin address 1XPYJt98eZDcPfLd57ysaGbc7Lp7pBnFr shows 18 transactions totaling 3.56 BTC so far.  The history also suggests that some form of the malware may have been in effect as early as March 2018:

 

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Sigrun.RSM (Trojan)

Cyber Security News & Trends

Each week, SonicWall collects the cyber security industry’s most compelling, trending and important interviews, media and news stories — just for you.


SonicWall Spotlight

Real-Time Cyber Threat Intelligence Is More Critical Than Ever Forbes

  • SonicWall CEO Bill Conner discusses the importance of organizations utilizing real-time cyber threat intelligence as the cybersecurity landscape grows increasingly dangerous.

SonicWall Splits from Quest, Surpasses Financial Objectives Dark Reading

  • Dark Reading breaks down SonicWall’s recent momentum announcement, touching on the company’s newfound financial and operational independence, as well as innovations on the partner and customer front.

SonicWall Boasts 60% YOY Partner Deal-Registration Increase Channel Partners

  • Due to SonicWall’s recent announcement, the company is featured for its success in the channel with the SecureFirst program which enabled partner deal registrations to hit a year-over-year increase of 60 percent.

Cyber Security News

VPNFilter Malware With Bricking Capabilities Poses Major Threat After Infecting 500,000+ Networking Devices SC Magazine

  • A potentially highly-destructive malware is estimated to have infected at least 500,000 networking devices in at least 54 countries since as far back as 2016, in what could be the prelude to a massive attack potentially capable of cutting off the internet from hundreds of thousands around the world.

U.S. Launches Criminal Probe into Bitcoin Price Manipulation Bloomberg

  • The Justice Department has opened a criminal probe into whether traders are manipulating the price of Bitcoin and other digital currencies, dramatically ratcheting up U.S. scrutiny of red-hot markets that critics say are rife with misconduct, according to four people familiar with the matter.

UK Threatens to Name and Shame State Backers of Cyber-attacks The Guardian

  • In a speech referring to Russian and North Korean “campaigns of intrusion”, Jeremy Wright QC called for international sanctions to be applied against countries that exploit cyberspace for illegal purposes.

Cyber Amendments to Watch in the House’s Defense Authorization Bill Nextgov

  • The House Rules Committee is considering more than a dozen cyber-focused amendments to the National Defense Authorization Act, a must-pass policy bill.

Intel Responds to Spectre-Like Flaw in CPUs Threat Post

  • Intel acknowledged that its processors are vulnerable to another dangerous speculative execution side channel flaw that could give attackers unauthorized read access to memory.



Upcoming Webinars & Events

May 30
Webinar
11 a.m. PDT
Identify and Stop Malware in the Quickest and Most Accurate Way Possible

June 4
Webinar
1 a.m. PDT
Technical Deep Dive – Securing Office 365 with SonicWall Email Security

SonicWall RTDMI engine identifies malicious VBA macro laced MS Office Document in real-time (May 22, 2018)

The SonicWall RTDMI engine identified a new malware campaign using malicious Microsoft Office document files. The document file contains VBA macro code, which is triggered once the document is opened. Upon execution, the macro decrypts a URL hidden inside an embedded form in the document and downloads the payload. SonicWall RTDMI engine technology can look inside multiple layers of packaging and obfuscation to find well-entrenched malware components in real time and provide unparalleled detection capabilities. The absence of this malicious file from popular malware search portals (VirusTotal or Reversing Labs) indicates the effectiveness of the RTDMI engine.

On opening the Office document, VBA code is executed to decrypt the URL. The malware uses XOR-based encryption, and the key is stored as a custom variable in the document itself:

Encrypted URL is stored inside a form as shown below:

The downloaded payload belongs to a ransomware family called GANDCRAB, which we blogged about recently. The RTDMI engine also detects the ransomware payload as it is downloaded.

On execution, the ransomware drops a copy of itself into %appdata%/Microsoft/<random_name.exe> folder, and starts encrypting the files on the hard drive. It modifies the desktop background with a ransom alert. It also drops a text file named ‘CRAB-Decrypt.txt’ with ransom notes as shown below:

Indicators of Compromise:

  • e549dcafa0c389662bb1e2a82515b4ec0f0f11d374c0ed03f67ffe0020689560 : Malicious Document File
  • 52b4f795ace71a37c133fa8c36f8502103f0ae4dcbe3bc4210f0f95557ec66ac : GandCrab Ransomware
  • hxxp://209.141.49.93/upxxxe.fud
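
For analysts who have already extracted the form strings and document variables from a sample like this one, the decoding step described above can be automated. This is an added example, not the malware's code or SonicWall's: the hex encoding of the form string, the names find_urls and defang, and all sample values are assumptions constructed for illustration.

```python
import re
from itertools import cycle

# A decoded candidate counts as a hit only if it is a printable http(s) URL.
URL_RE = re.compile(r"^https?://[\x21-\x7e]+$")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def defang(url: str) -> str:
    """Write the scheme as hxxp/hxxps so the URL is not clickable in a report."""
    return "hxxp" + url[4:]


def find_urls(form_strings: dict, doc_variables: dict) -> list:
    """Try every document-variable value as an XOR key against every
    hex-looking form string. Returns (control, variable, defanged_url)."""
    hits = []
    for control, text in form_strings.items():
        try:
            blob = bytes.fromhex(text.strip())
        except ValueError:
            continue  # ordinary caption text, not an encoded blob
        for var, value in doc_variables.items():
            key = value.encode("latin-1", "ignore")
            if not key:
                continue  # an empty variable cannot be a key
            plain = xor_bytes(blob, key).decode("latin-1")
            if URL_RE.match(plain):
                hits.append((control, var, defang(plain)))
    return hits


# Constructed sample, not taken from the real document: one variable holds
# the key and one form control holds the XOR-encoded URL as hex (assumed).
_KEY = "k3y-2018"
SAMPLE_VARIABLES = {"Author": "Finance", "cfg": _KEY}
SAMPLE_FORM = {
    "Label1": "Enable content to view",
    "TextBox1": xor_bytes(
        b"http://malware.example/payload.bin", _KEY.encode()
    ).hex(),
}

if __name__ == "__main__":
    for control, var, url in find_urls(SAMPLE_FORM, SAMPLE_VARIABLES):
        print(f"{control} decodes with variable {var!r}: {url}")
```

The recovered URL goes straight into proxy and DNS log searches and blocklists without the macro ever being run.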

Capture ATP Report:

 

 

 

Cyber Security News & Trends



SonicWall Spotlight

New DHS National Cybersecurity Framework Sets Goals, Milestones — MSSP Alert

  • As a result of the recent elimination of the White House cybersecurity coordinator role, SonicWall CEO Bill Conner is featured for his perspective and insight into what the move implies for the future of cybersecurity policy.

SonicWall Pushes Capture Cloud Platform with Endpoint Security — Chinabyte.com

  • SonicWall’s recent updates including the company’s new Capture Cloud Platform, enhanced RTDMI technology and more are featured in this article.

Cybersecurity Sourcebook 2018 Looks at Evolving Data Threat Landscape — Database Trends & Applications

  • This article explains the serious need to safeguard data using key SonicWall threat data. Specifically, they’ve included stats sharing that cyberattacks are becoming the number-one risk to businesses, brands, operations, and financials, and that there were 9.32 billion malware attacks in total in 2017, representing an 18.4% increase over 2016.

Cyber Security News

Brutal Cryptocurrency Malware Crashes Your PC When Discovered — ZDNet

  • The malware, dubbed WinstarNssmMiner by 360 Total Security researchers, has been used in half a million attempted attacks leveraged at PCs in only three days.

What Makes ZTE a Cybersecurity Threat? Congress Wants to Know — CNET

  • Congress wants a detailed explanation on what cybersecurity threats the Chinese phone company poses.

Mexico Central Bank Says Hackers Siphoned $15 Million from Five Companies — Reuters

  • Mexico’s central bank said on Wednesday that a cyber attack had sucked around 300 million pesos ($15.33 million) in fraudulent transfers from five companies, but it was unclear how much thieves had managed to pull out in cash.

Former CIA Software Engineer ID’ed as Suspect in Vault 7 Leaks — SC Magazine

  • The former CIA software engineer believed to have leaked the CIA’s Vault 7 hacking tools is already behind bars at the Metropolitan Correctional Center in New York City, after being indicted for possessing child pornography.

DHS Issues More Medical Device Cybersecurity Alerts — GovInfo Security

  • The Department of Homeland Security has yet again issued a warning about cybersecurity vulnerabilities in medical devices. These warnings have come after independent researchers, or the companies themselves, have reported the problems.

Cybersecurity Whistleblowers are Growing Corporate Challenge — The Wall Street Journal

  • Signals from the U.S. Securities and Exchange Commission over how seriously it takes cybersecurity, combined with a Supreme Court ruling on whistleblower protections, are putting pressure on companies to be more careful about how they deal with potential tipsters, lawyers say.



 

 

Rig Exploit Kit remains active delivering malicious payloads

RIG EK has been the most popular exploit kit, delivering many different malicious payloads. Compromised domains are injected with malicious iframes that redirect users visiting those domains to the Rig EK landing page. Rig EK can then exploit JavaScript, VBScript or Flash vulnerabilities. After a successful exploit, it drops further malicious payloads, from Trojans to ransomware, to execute in the victim’s environment.


Gandcrab Ransomware actively spreading in the wild

The SonicWall Capture Labs Threat Research Team observed reports of a new variant family of Gandcrab Ransomware [Gandcrab.RSM] actively spreading in the wild.

Gandcrab Ransomware encrypts the victim’s files with a strong encryption algorithm until the victim pays a fee to get them back.

An example of a Script file that leads to the Gandcrab ransomware.

 

Infection Cycle:

The Malware adds the following files to the system:

  • Malware.JS
    • %Userprofile%\Local Settings\Temp\[Random Numbers].exe
      • Executable dropper File
    • %Userprofile%\Desktop\CRAB-DECRYPT.txt
      • Instruction for recovery

Once the computer is compromised, the ransomware downloads its own executable file from its C&C server, copies it into the %Temp% folder and runs the following commands:

As the ransomware encrypts files, it appends the .CRAB extension to each encrypted file’s name.

After the ransomware has encrypted all personal documents and files, it shows the following webpage, which contains a message reporting that the computer has been encrypted and instructing the victim to contact its developer for unlock instructions.

Command and Control (C&C) Traffic

Gandcrab performs C&C communication over the HTTP protocol.

The malware sends HTTP requests to its C&C server in the following format; here is an example:

We have been monitoring varying hits over the past few days for the signature that blocks this threat:

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Gandcrab.RSM (Trojan)
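
The file artifacts listed for GandCrab here and for Sigrun earlier on this page (ransom-note names and appended extensions) are enough for a quick sweep of a host or file share. This is an added example, not SonicWall tooling: the sweep function and its report layout are assumptions, and only the file names and extensions come from the write-ups.

```python
import os
import sys

# Ransom-note names and appended extensions from the write-ups, lower-cased
# because the notes appear with different capitalisation across samples.
FAMILIES = {
    "Sigrun": {
        "notes": {"restore-sigrun.html", "restore-sigrun.txt"},
        "ext": ".sigrun",
    },
    "GandCrab": {"notes": {"crab-decrypt.txt"}, "ext": ".crab"},
}


def sweep(root: str) -> dict:
    """Walk root and summarise ransomware artifacts per family.

    confirmed is True only when a ransom note and at least one renamed file
    share a directory; an extension match alone can be an unrelated file.
    earliest is the oldest mtime among renamed files, a lower bound for when
    encryption started.
    """
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        lowered = [f.lower() for f in files]
        for family, sig in FAMILIES.items():
            note = any(low in sig["notes"] for low in lowered)
            enc = [f for f, low in zip(files, lowered)
                   if low.endswith(sig["ext"])]
            if not (note or enc):
                continue
            entry = report.setdefault(family, {
                "note_dirs": [], "encrypted": 0,
                "earliest": None, "confirmed": False,
            })
            if note:
                entry["note_dirs"].append(dirpath)
            entry["encrypted"] += len(enc)
            entry["confirmed"] |= note and bool(enc)
            for name in enc:
                try:
                    mtime = os.path.getmtime(os.path.join(dirpath, name))
                except OSError:
                    continue  # file vanished or unreadable; keep sweeping
                if entry["earliest"] is None or mtime < entry["earliest"]:
                    entry["earliest"] = mtime
    return report


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for family, info in sweep(target).items():
        print(family, info)
```

Run it against a mounted share or a forensic image rather than a live infected host, so the scan does not change access times on evidence.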

The E-rate ‘Fear Less’ Technology Infrastructure

Before you begin the RFP process, it’s important to explore the technology infrastructure (specifically what’s eligible in Category Two) as defined within the E-rate program by Universal Service Administration Company (USAC) and how each relates to the E-rate funding process.

Episode 4: The E-rate Fear Less Technology Infrastructure

On the fourth episode of the E-rate Fear Less series, Holly Davis dives further into the program and reviews other options school districts have in building a secure, future-proof network with the E-rate program.

At a high level, E-rate Category Two technology falls into three primary pillars. Category Two components are those that relate to cyber security solutions, hardware, software and other services. For more details about E-rate categories, please review the 2019 Eligible Services List (PDF).

Technology: Function
  • Broadband Internal Connections (IC): On-premise solution internally managed; equipment may be owned or leased.
  • Managed Internal Broadband Services (MIBS): Managed service solution owned, leased or hosted in the cloud.
  • Basic Maintenance of Broadband Internal Connections: Support for the IC solution.

Source: 2019 Eligible Services List (PDF)

E-rate Category 2 technology funding with SonicWall

School and campus networks range in size and manage different types of sensitive data. Mitigating potential weak points in the network — and the data that can be targeted — is no easy task for standard IT teams that haven’t undergone extensive cyber security training. SonicWall network and cyber security solutions meet the needs of school districts at the highest efficacy — all at price points that fit within K-12 budgets.

If you are utilizing E-rate funding to assist you in buying your networking and cyber security solutions, SonicWall can help. Our team of E-rate funding experts ensure your SonicWall solution aligns with the rules and regulations of the E-rate program.

SonicWall Security as a Service (SECaaS) is an alternative solution for schools that do not have a large capital outlay to invest in a future-proof security solution or a dedicated IT team trained to manage cyber security.

“Security-as-a-Service provides more flexibility,” said Jenna Burros, Director of Business Services, at the Calistoga Joint Unified School District in California. “It is such an improvement to be able to have enough control to differentiate various levels of accessibility.”

Under Burros’ guidance, the California school district upgraded the flexibility and granularity of its existing content-filtering solution, while also keeping costs at minimum — a key obstacle for K-12 organizations regardless of E-rate eligibility.

With the most comprehensive channel program in the industry, combined with additional E-rate discounts, SonicWall and its partners are best positioned to meet the needs of K-12 customers and help them take full advantage of the funding E-rate provides for securing their networks.

If you are an eligible K-12 organization, please contact your preferred SonicWall reseller for information on E-rate benefits and discounts, or visit the SonicWall E-rate page for information, tools and guidance.

E-rate Episode Video Series for K-12 School Districts

What is E-rate?

To help offset funding and staffing shortages, the U.S. Department of Education and the FCC launched the E-rate program, which helps make telecommunications and information services more affordable for schools, campuses, districts and libraries.

The E-rate program is operated by Universal Service Administration Company (USAC), which has a core focus of providing underfunded organizations access to affordable technology and security services. This includes schools, libraries and rural healthcare organizations.

USAC provides a yearly Eligible Services List (ESL), which outlines which types of products and services can be procured via E-rate program discounts.

Applicant Steps & Resources

Prep: Before You Begin
Step 1: Competitive Bidding
Step 2: Selecting Service Providers
Step 3: Applying for Discounts
Step 4: Application Review
Step 5: Starting Services
Step 6: Invoicing

Resources provided by USAC