PowerShell script in a PDF launch action command dropping trojans

SonicWall Threat Research Lab is observing a fresh wave of PDFs with a launch action command that runs a PowerShell script to download a remote payload and execute it on the targeted device. The remote servers are still active and delivering payloads.

Dynamic Data Exchange (DDE) is one of the methods Windows provides for transferring data between Office applications. Users are prompted before DDE commands execute, but that does not stop a malicious payload from reaching the machine if an unaware user clicks ‘Allow’. Attackers have leveraged DDE to execute malicious code on a targeted device without requiring macros to be enabled, and they have had great success using DDE attacks in Office documents to drop exploits, trojans and other malware. As part of a Patch Tuesday security update, Microsoft shipped an Office update that disables the DDE feature in Word. Similar to DDE, PDF has a /Launch action that can launch an application or run a command.

Infection cycle:

In an email phishing campaign, an attacker can send the crafted PDF document to the targeted user as an attachment. The file must be convincing enough for the user to disable Protected Mode and click through the additional prompts that allow the command to execute. Once it runs, it downloads the malicious payload from the remote server and executes it.

SHA256 hashes:

Below are the SHA256 hashes of the PDF exploits we have seen in the past few days. All of them carry a PDF ‘OpenAction’ instruction that is performed when the document is opened, and within ‘OpenAction’ a ‘Launch’ action that runs cmd.exe or PowerShell.exe. PowerShell can be executed directly or passed as an argument to cmd.exe, and it can also be used to run commands that are Base64-encoded.

  • 72dc3d631e4b831f231aaa503fcbe3b197822f8cb09d8fbd4d1d653d8d94765c
  • caedcc3365e786e991c3d01abcdfd3e75f68cc866c545b6c3903fd7882dd3736
  • 518630ec59c1c41ef486c6f89d3a531f4580628f34a99bcfc18884a85bd7117c

In this file, PowerShell.exe is written in mixed case and the script is base64-encoded to evade static detection. The decoded PowerShell command is shown below:

  • 81d0ef59803776b054a1fd220dfb19db31a4c50c633bb79371d8602b0cfe2ce2
  • 5614bd2d19c948c883d0fbef8f6af1953872244b5c892c21e1f58a43050b4fd9
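Added example (not code from the SonicWall write-up): a Python triage script that performs the checks described above on a raw PDF. It folds PDF name escapes, finds every /Launch action, pulls the Windows command line out of it, flags cmd.exe or PowerShell in any letter case, and decodes a base64 -EncodedCommand argument (PowerShell encodes it as UTF-16LE text). The PDF in the block is constructed for the example, its encoded command is a harmless Write-Output, and the regexes and helper names are this example's own.

```python
import base64
import re
from typing import Dict, List, Optional

# ---- Constructed sample (not a real captured file) -------------------------
# The /Catalog's /OpenAction points at a /Launch action that runs cmd.exe, which
# in turn starts a mixed-case PowerShell.exe with a base64 -EncodedCommand.
# The encoded command is a harmless Write-Output used only for this example.
ENCODED = base64.b64encode(
    "Write-Output 'constructed sample'".encode("utf-16-le")).decode()

SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /Launch
  /Win << /F (cmd.exe) /P (/c PoWeRsHeLl.exe -EncodedCommand """ + ENCODED.encode() + b""") >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# PDF names may spell any byte as #xx (so /L#61unch is the same name as /Launch);
# fold those escapes before matching. Names are case-sensitive in PDF, so
# /Launch is matched exactly; the command-line text is matched case-insensitively.
NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
LAUNCH = re.compile(rb"/S\s*/Launch\b")
PDF_STRING = {
    "file": re.compile(rb"/F\s*\(([^)]*)\)"),    # /F: application to launch
    "params": re.compile(rb"/P\s*\(([^)]*)\)"),  # /P: its parameters
}
SHELL = re.compile(r"\b(powershell|pwsh|cmd)(\.exe)?\b", re.IGNORECASE)
# -EncodedCommand and its documented abbreviations (-e, -ec, -enc, ...)
ENC_ARG = re.compile(r"-e(?:c|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})",
                     re.IGNORECASE)


def normalise_names(data: bytes) -> bytes:
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def extract_launch_actions(pdf: bytes) -> List[Dict[str, object]]:
    """Return every /Launch action found in the raw file.

    Only uncompressed objects are visible this way: an action placed inside a
    Flate-compressed object stream must be inflated before it can be matched.
    """
    data = normalise_names(pdf)
    has_open_action = b"/OpenAction" in data
    actions = []
    for m in LAUNCH.finditer(data):
        # bound the enclosing indirect object: back to its "obj", forward to "endobj"
        start = data.rfind(b"obj", 0, m.start())
        end = data.find(b"endobj", m.end())
        body = data[max(start, 0):end if end != -1 else len(data)]
        action: Dict[str, object] = {"open_action": has_open_action}
        for key, pattern in PDF_STRING.items():
            found = pattern.search(body)
            action[key] = found.group(1).decode("latin-1") if found else ""
        actions.append(action)
    return actions


def decode_encoded_command(b64: str) -> Optional[str]:
    """PowerShell's -EncodedCommand is base64 over UTF-16LE text."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def triage_pdf(pdf: bytes) -> Dict[str, object]:
    """Summarise launch behaviour: the command lines, whether a shell is
    involved, and what any encoded PowerShell argument decodes to."""
    commands = []
    for action in extract_launch_actions(pdf):
        cmdline = f"{action['file']} {action['params']}".strip()
        enc = ENC_ARG.search(cmdline)
        commands.append({
            "open_action": action["open_action"],
            "cmdline": cmdline,
            "shell": bool(SHELL.search(cmdline)),
            "decoded": decode_encoded_command(enc.group(1)) if enc else None,
        })
    return {
        "launch_actions": len(commands),
        "suspicious": any(c["shell"] for c in commands),
        "commands": commands,
    }


if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_PDF), ("clean", CLEAN_PDF)):
        print(name, triage_pdf(blob))
```

Run it directly to print the verdict for the constructed sample and for a clean PDF. Because it works on raw bytes, it only sees uncompressed objects; inflate object streams first when triaging a file that keeps its actions inside them.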
Payload Servers:

Below are some of the payload URLs we have seen. The attacker appears to be taking advantage of compromised WordPress websites to host the malicious payloads.

  • hxxp://operationships.com/wp-content/themes/twentyfourteen/car/SERVER1.exe
  • hxxp://www.mozambiquecomputers.com/css/fbet.exe
  • hxxp://operationships.com/wp-content/themes/twentyfourteen/move/bin.exe
  • hxxp://kaigo-taxi.tokyo/wp-content/themes/spacious/moon/PO.exe
  • hxxp://funrunfunclimb.com/wp-content/themes/gaukingo/coo/server.exe

Figure: launching the PDF in Foxit Reader triggers the launch command.
Figure: the PowerShell script fetches the malicious payload over an HTTP request.

Trend Graph:

The trend line below shows how this attack is being used today:

SonicWALL Capture ATP (Advanced Threat Protection), a cloud-based multi-engine dynamic sandbox analysis service, provides protection against this attack.

SonicWALL Threat Research Lab provides protection against this threat via the following signature:

SPY: 2177 PDF-POS

Adware with a cryptocurrency stealing functionality spotted in the wild

Cybercriminals have devised ingenious ways to steal cryptocurrency. Cryptojacking has become a conventional money maker for tech-savvy website owners and has also been the method of choice for hackers of vulnerable websites. Serving ads has long been one of the most conventional ways to make money from a website, but “borrowing” the CPU power of unaware website visitors is becoming commonplace. This week, the SonicWall Capture Labs Threat Research team observed an adware dubbed Pbot Adware, as most of its components are written in Python. This version, however, has the added functionality of stealing cryptocurrency from its victims.

Infection Cycle:

This adware arrives as a Nullsoft (NSIS) installer. It installs itself in the %APPDATA% directory, drops a copy of the Python interpreter and then executes its components sequentially.

  • %APPDATA%\*Random*\ml.py – runs launchall.py
  • %APPDATA%\*Random*\launchall.py – main browser/website tracking, URL parsing and analytics-gathering module
  • %APPDATA%\*Random*\update.py – update module of the adware
  • %APPDATA%\*Random*\httpfilter.py – implements rules.ini and settings.ini
  • %APPDATA%\*Random*\rules.ini – URL redirect settings; implements the JavaScript modules
  • %APPDATA%\*Random*\settings.ini – list of processes to look out for, which includes all common browsers (firefox, chrome, iexplore, opera) and even skype.exe
  • %APPDATA%\*Random*\js\fingerprint2.js – browser fingerprinting module
  • %APPDATA%\*Random*\js\c.js – cryptocurrency stealing module

The figure below shows the list of processes that this Adware is interested in.

The figure below shows the content of the rules.ini file:

PBot adware not only serves ads and redirects browser sessions, which are common adware behaviors; it also looks for cues that the victim may be executing cryptocurrency transactions online. Once it identifies the website the victim is on, it overlays a GIF image on the page.

This GIF is base64-encoded in the JavaScript, as shown in the figure above, and decodes to the image below, which makes it look like the website is still loading its content.

But in the background the adware attempts to steal the victim's virtual currency and send it to hardcoded addresses. This version appears to target Bitcoin (BTC), Bitcoin Cash (BCH) and Ethereum (ETH), as seen in the code below.

We checked these hardcoded wallet addresses, and we can speculate that whoever is behind this adware has been successfully stealing cryptocurrency from unwilling victims.
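Added triage example (not code from the SonicWall analysis, and not the adware's own): the Python below scans a JavaScript file for the two artefacts described above, a base64-embedded GIF overlay and hard-coded wallet addresses for BTC, BCH and ETH. The sample script text, the 1x1 GIF and the three addresses are constructed for the example; the address patterns are format checks only (legacy base58 for BTC, CashAddr for BCH, 0x plus 40 hex digits for ETH), not checksum validation, so a hit is a triage lead rather than proof.

```python
import base64
import re
import struct
from typing import Dict, List, Optional

# ---- Constructed sample resembling a c.js-style component ------------------
# A base64 "loading" GIF overlay plus a table of hard-coded destination wallets.
# Every value here is synthetic: the GIF is a 1x1 placeholder and the addresses
# are format-valid strings made up for this example, not the adware's.
TINY_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
            b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00"
            b"\x02\x02D\x01\x00;")
FAKE_BTC = "1CNSTRUCTEDSAMPLEADDR9x9x9x9x9x9x9"
FAKE_BCH = "bitcoincash:q" + "pzry9x8gf2tvdw0s3jn54khce6mua7l" + "qpzry9x8gf"
FAKE_ETH = "0x" + "CAFEBABE" + "0" * 28 + "CAFE"

SAMPLE_JS = (
    "var overlay = 'data:image/gif;base64," + base64.b64encode(TINY_GIF).decode() + "';\n"
    "var wallets = {btc: '" + FAKE_BTC + "', bch: '" + FAKE_BCH + "', eth: '" + FAKE_ETH + "'};\n"
    "document.body.insertAdjacentHTML('beforeend', '<img src=\"' + overlay + '\">');\n"
)

# Format checks only (alphabet and length), not checksum validation.
WALLET_PATTERNS = {
    "BTC": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),  # legacy base58
    "BCH": re.compile(r"\bbitcoincash:[qp][a-z0-9]{41}\b"),      # CashAddr
    "ETH": re.compile(r"\b0x[a-fA-F0-9]{40}\b"),
}
# long runs of base64 alphabet, the usual shape of an inlined image
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{48,}={0,2}")


def find_embedded_gifs(js: str) -> List[Dict[str, int]]:
    """Locate base64 runs that decode to a GIF and report their dimensions."""
    hits = []
    for m in B64_BLOB.finditer(js):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:            # binascii.Error is a ValueError subclass
            continue
        if raw[:6] in (b"GIF87a", b"GIF89a") and len(raw) >= 10:
            width, height = struct.unpack("<HH", raw[6:10])  # logical screen size
            hits.append({"start": m.start(), "end": m.end(),
                         "bytes": len(raw), "width": width, "height": height})
    return hits


def find_wallets(js: str, blank: Optional[List[Dict[str, int]]] = None) -> Dict[str, List[str]]:
    """Match wallet-shaped strings after blanking spans already identified as
    image data, so base64 noise cannot masquerade as an address."""
    text = js
    for span in sorted(blank or [], key=lambda s: s["start"], reverse=True):
        text = text[:span["start"]] + " " * (span["end"] - span["start"]) + text[span["end"]:]
    found = {coin: sorted(set(p.findall(text))) for coin, p in WALLET_PATTERNS.items()}
    return {coin: addrs for coin, addrs in found.items() if addrs}


def triage_js(js: str) -> Dict[str, object]:
    """Flag a script that carries both an inlined image and hard-coded wallets."""
    gifs = find_embedded_gifs(js)
    wallets = find_wallets(js, gifs)
    return {"embedded_gifs": gifs, "wallets": wallets,
            "suspicious": bool(gifs) and bool(wallets)}


if __name__ == "__main__":
    print(triage_js(SAMPLE_JS))
```

Point it at the dropped js\*.js files to get a quick list of candidate wallet strings and any inlined images; the addresses it reports are what an analyst would then look up on a block explorer, as the write-up describes doing.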

Sonicwall Capture Labs provides protection against this threat via the following signatures:

  • GAV: PBot.A_9 (Adware)
  • GAV: PBot.A_10 (Adware)
  • GAV: PBot.A_11 (Adware)
  • GAV: Pbot.PY (Trojan)
  • GAV: Cryptostealer.D (Trojan)

Cyber Security News & Trends – 06-29-18

Each week, SonicWall collects the cyber security industry’s most compelling, trending and important interviews, media and news stories — just for you.


SonicWall Spotlight

SonicWall Targets Mid-Tier Enterprises with New Network Security Software and Appliances SiliconANGLE

  • Following the release of SonicWall’s latest product news, SiliconANGLE unpacks updates to the SonicWall Capture Security Center. This article also touches on the company’s six new firewall appliances.

Cyber Security News

Despite Caution Over Cryptocurrency, Investors are Bullish The New York Times

  • Initial coin offerings are raising billions for cryptocurrency start-ups, like the Russian messaging service Telegram, which raised nearly $2 billion.

Marketing Firm Exactis Leaked a Personal Info Database With 340 Million Records Wired

  • Earlier this month, security researcher Vinny Troia discovered that Exactis, a data broker based in Palm Coast, Florida, had exposed a database that contained close to 340 million individual records on a publicly accessible server. The haul comprises close to 2 terabytes of data that appears to include personal information on hundreds of millions of American adults, as well as millions of businesses.

Reality Winner, N.S.A. Contractor Accused in Leak Pleads Guilty The New York Times

  • Reality Winner, the former government contractor charged with leaking classified information, pleaded guilty in federal court Tuesday as part of a plea agreement reached with federal prosecutors.

Hotels, Airlines and Travel Sites Battle Bot Attacks ZDNet

  • Attackers in certain countries appear to have a particular focus on breaching organizations operating in the travel sector.

60,000 Android Devices Hit With Ad-Clicking Bot Ransomware SC Magazine

  • A new malicious Android app has infected at least 60,000 devices gaining the ability to extract some important information from each device along with installing some ad click malware.

New Fears Over Chinese Espionage Grip Washington The Hill

  • Lawmakers are scrutinizing the Pentagon over its efforts to keep military secrets safe from hackers, after Chinese actors allegedly breached a Navy contractor’s computer and collected data on submarine technology.

In Case You Missed It

Manage Shadow IT, Ensure Safe Adoption of SaaS Applications

Small- and mid-sized organizations are increasingly moving their business applications and IT infrastructure to the cloud. According to IDC, adoption rose from 20 to 70 percent for small companies (up to 100 employees), and to 90 percent for midsize organizations (up to 999 employees).

It’s no secret that businesses adopt cloud and SaaS applications to enhance agility and productivity to stay ahead of competition. But the same can be said for individuals within the business, who can deploy and on-board SaaS applications (e.g., Jira, Dropbox, Slack) with just a few clicks. Business unit heads or even project managers just submit their credit card information and voila, the team has access to an instance of a new collaboration tool.

This is great for productivity. But what about security?

Typically, when individual teams set up an instance of a SaaS application, it is outside the control or knowledge of the IT department. IT administrators do not have the visibility into which users are using these applications and what data is being consumed. In addition, employees use free accounts on public cloud services, such as Dropbox and Gmail, to collaborate. This is shadow IT.

According to Gartner, by 2020 one-third of security breaches will be because of shadow IT. In this new world, CSOs and IT struggle with the following problems:

  • Losing control over sensitive corporate data traversing through public or hybrid clouds and data centers, giving rise to risks such as unauthorized access, malware propagation, data leakage and non-compliance
  • Balancing security budgets, shadow IT practices and employee productivity.

IT administrators need a tool that provides visibility with the context of risk to understand the overall risk posture of the organization and a tool to assess all the shadow IT applications being used on the network.

For SMBs and mid-tier enterprises, this means a cost-effective offering that delivers functionality like a Cloud Access Security Broker (CASB) solution, which provides discovery, visibility and control over the usage of all the cloud applications and corporate data being accessed.

Introducing SonicWall Cloud App Security

SonicWall Cloud App Security is a cloud-based security service that enables organizations to secure SaaS application usage and reduce risk of shadow IT.

Delivered through SonicWall Capture Security Center (CSC), Cloud App Security is available as part of the SonicWall Capture Security Center Analytics subscription bundle. The solution seamlessly integrates with your existing SonicWall infrastructure and leverages next-generation firewall (NGFW) logs to provide CASB-like functionality by delivering discovery, visibility and control of cloud application usage.

Cloud App Security analyzes log files from SonicWall NGFWs against an in-house registry of 9000-plus SaaS applications, and reveals:

  • Applications in use and by which users
  • Data volumes uploaded to and downloaded from the cloud
  • Risk and category of each cloud service.

In effect, SonicWall Cloud App Security makes your existing infrastructure cloud-aware.

Automated cloud application discovery with SonicWall next-generation firewalls

Real-Time Dashboard

The SonicWall Cloud App Security real-time dashboard enables administrators to quickly assess the overall risk posture.

The dashboard displays risk assessment for real-time and trending views of:

  • Number and type of cloud applications being used
  • Number of users accessing cloud applications
  • Amount of data being used by cloud applications

Administrators can also monitor the top users and applications by usage, and the locations from which applications are being used.

Discovery & Control

In the Discovery view, IT administrators can classify applications based on the risk score and other organizational factors as Sanctioned or Unsanctioned IT applications for use. Through the SonicWall Capture Security Center, the solution empowers administrators to set block/unblock policies and control Sanctioned and Unsanctioned IT applications on the network.

With employees increasingly using cloud applications for work, Cloud App Security enables administrators to detect gaps in security posture, classify cloud applications into sanctioned and un-sanctioned IT applications, and enforce access policies to block risky applications. The solution ensures safe adoption of cloud applications without impacting employee productivity at a low total cost of ownership.

SonicWall Cloud App Security is available with the SonicWall Capture Security Center Analytics bundle.

Capture Client Endpoint Protection: What’s New in Version 1.5

In April 2018, SonicWall released Capture Client 1.0 featuring a next-generation, behavior-based antivirus (AV) engine, reporting and management, trusted certificate management, and endpoint enforcement on modern SonicWall firewalls. Despite landing with great enthusiasm as a superior upgrade over previous SonicWall AV clients, this was just the beginning.

In September 2018 we will release Capture Client 1.5, a next-generation endpoint antivirus solution. This blog will cover the five core missions of the release:

  • Expanded visibility and control
  • Better white/blacklisting
  • Automated malware analysis and response
  • Enriched threat intelligence
  • General enhancements

Expanded Visibility and Control

Capture Client will support Microsoft Windows servers. Furthermore, the cloud-based management console now allows persistent visibility and control of managed servers, whether they are on premises or in a hosted private/public cloud.

Better White/Blacklisting

With a full application inventory, administrators will be able to easily — with one-click action — whitelist known good applications to minimize any false positives and proactively ensure a good user experience when deploying Capture Client.

No longer will there be a need to remember the path, executable name or even the hash value of the file. Just select the application to whitelist (even a specific version) and off you go. In a similar fashion, administrators will be able to leverage blacklisting capabilities to disallow the running of unauthorized applications in the environment.

Automated Malware Analysis and Response

Capture Client Advanced will integrate with SonicWall Capture Advanced Threat Protection (ATP), the network sandbox featuring RTDMI, which examines the behavior of suspicious files to discover new malware.

If you are paying attention, you’re thinking, “But doesn’t Capture Client continuously monitor the system for suspicious behavior?”

Yes, but a network sandbox can manipulate code and do things with files that an endpoint antivirus is not supposed to do, like strip apart sequences in memory or fast-forward malware into the future. This is designed to find malware, such as Trojans, before it executes, and to save the time otherwise spent on remediation, such as rolling the endpoint back to a state before the malware was downloaded and/or activated (e.g., malware with timing delays).

Enriched Cyber Threat Intelligence

Every business day, Capture ATP receives over 1.5 million requests to analyze suspicious files. To analyze that volume of files, the following process is followed:

  1. In order to make it as efficient as possible, every file is given a hash (unique identifier).
  2. Next, it checks to see if there is a verdict for the same hash.
  3. Then it completes a community check of over 60 virus scanners to better understand if the research community knows anything about the file.
  4. Only after that investigation is the file funneled automatically into the behavior-based engines of Capture ATP for processing.

Since 45 percent of all requests are unique, the third and fourth processes eventually create hundreds of thousands of new verdicts every business day that we instantly apply in the second step listed above.

This growing database is then leveraged by Capture Client administrators to conduct manual checks of suspicious files on computers with Capture Client without the need to manually upload the file for analysis. This will return a near-instant verdict (for previously evaluated files) and will help mitigate any compliance issues for potentially sensitive files.

General Enhancements

Beyond the delivery of more features without a change to price, multiple stability and user-experience enhancements will be added to Capture Client 1.5, including:

  • Attack Execution Visualization – For threats that are detected during execution, the Capture Client console will show an advanced visualization of all the indicators of attack associated with the threat and how it progressed through its lifecycle.
  • Advanced Network Visualization – A unique network map will show admins the status of endpoints behind SonicWall firewalls that are enforcing the clients and allowing for drill down into device status, threat events and response actions.
  • Alerting and Notifications – Addition of email-based alerting for threat events as a foundation for admin notifications, reducing the need for “eyes-on-glass” monitoring.
  • Threat Analysis UX Improvements – Multiple enhancements will be made to the user experience of the threats page, providing more information about the threats, its lifecycle stage, indicators of attack and easy-to-understand threat response actions.
  • Client Improvements – Improved install/uninstall/upgrade experience for Capture Client and its modules.

Capture Client Endpoint Protection

To learn more about SonicWall Capture Client endpoint protection, download the in-depth data sheet. It explores the solution’s key capabilities, including advanced malware protection, continuous behavioral monitoring, workflow automation, cloud-based management and more.

Capture Security Center: Knowledge, Visibility & Control of Your Cyber Security Ecosystem

For many organizations, the fear of being targeted by cybercriminals runs deep, especially as news of the latest high-profile cyberattacks dominate the headlines. Managing security and responding to cyber risks and events are major issues organizations face on a daily basis.

In May 2018 alone, the average SonicWall customer faced 2,302 malware attacks — a 56 percent year-over-year increase. Of those, on average, 62 were ransomware attacks, which are well known for forcing entire organizations to cease operations.

Insufficient visibility and knowledge of these risks within the network fabric compounds the problem. This makes it nearly impossible for security teams to detect and uncover unsafe network and user activities, and calibrate security policies at the speed and accuracy they need to maintain a robust security posture.

Making matters worse, organizations are burdened with managing and operating complex and fragmented security silos. Administrations are often cumbersome and labor-intensive.

Tasks and processes are generally uncorroborated and non-compliant. This level of technology fragmentation and operation disarray has businesses demanding for an integrated approach for security, management and reporting, analytics and real-time threat intelligence.

Unified Security Governance, Compliance & Risk Management

To help organizations in that effort, SonicWall is expanding the capabilities of the Capture Security Center to deliver the foundation for a unified security governance, compliance and risk management strategy.

Capture Security Center offers the ultimate in visibility, agility and capacity to govern entire SonicWall security operations and services with greater clarity, precision and speed — all from one simple, common cloud interface that can be accessed from any location and any web-enabled device.

The integration-friendly nature of the Capture Security Center is ideal for a variety of organizations and use cases, including distributed enterprises and service providers that are adopting cloud computing for cost efficiencies.

Now, these organizations can easily manage their complete security ecosystem with single-sign-on access to license, provision and manage their network, endpoint and cloud security services. This includes:

New Enhancements to Capture Security Center

Capture Security Center simplifies and automates various tasks to promote tighter security coordination while reducing the complexity, time and expense of performing security operations and administrations. Key Capture Security Center updates include:

  • Integrated Threat Intelligence — Improve security outcomes from the firewall to the endpoint with integrated threat intelligence between the SonicWall Capture Advanced Threat Protection (ATP) sandbox service, Capture Client endpoint protection and SentinelOne threat databases.
  • Workflow Automation — Conform to customary firewall policy change management and auditing requirements of various regulatory mandates, such as PCI, HIPAA and GDPR.
  • Zero-Touch Deployment — Reduce time, cost and complexity associated with the installation, configuration and provisioning of firewalls at remote and branch office locations.
  • Flexible Reporting — Leverage more than 140 pre-defined report templates to gain awareness of network events, user activities, threats, operational and performance issues, security efficacy, risks and security gaps, compliance readiness and post-mortem analysis.
  • Intelligence-Driven Analytics — Use aggregation, normalization, correlation and contextualization of security data to empower security teams, analysts, auditors, boards, C-suites and stakeholders to discover, interpret, prioritize and implement intelligence-driven decisions.
  • Scalable Cloud Architecture — Scale Capture Security Center on demand to support thousands of SonicWall security devices under its management, regardless of location.

Predictable, Cost-Effective Security Management

With Capture Security Center, there is no upfront cost and no on-premise equipment. It is offered as a cloud-hosted solution with yearly subscription license options. With software updates and support included in an active subscription service, access to the latest innovations and enhancements is immediate.

This gives organizations and managed service providers (MSP) a unified security management, analytic and reporting platform without the financial risks or technical challenges of supporting a solely owned infrastructure.

Visit the Capture Security Center to access additional information and learn how it enables security teams to take smarter security policy and control actions toward a sharper, safer and compliant network environment.

Next-Generation Firewalls Designed for Mid-Tier Enterprises & Service Providers

Mid-tier enterprises, data centers and large service providers have security, performance and high-availability demands much greater than those of the average organization.

These organizations must support an exploding number of smartphones, computers and IoT devices. Each generates a huge number of web connections. Just take a look at your browser and count the number of tabs you have open. Each is a connection that likely goes through the firewall.

More devices means more web sessions a firewall has to support. Now, imagine how many connections mid-tier enterprises and services providers must support, manage and secure.

What’s more, it’s likely that the website is using encryption to protect the transmission of data. As reported in the 2018 SonicWall Cyber Threat Report, almost 70 percent of web traffic now uses the HTTPS protocol to secure the session.

Core to an expanding focus to serve mid-tier enterprises and larger service providers — and to better empower organizations to decrypt, inspect and mitigate cyberattacks in encrypted traffic — SonicWall is introducing six new next-generation firewalls.

New NSa Next-Generation Firewalls

The Network Security appliance (NSa) series 6650, 9250, 9450 and 9650 scale high security efficacy and extensive feature sets to larger mid-tier enterprises, including distributed enterprises, school districts and data centers.

These new NSa models offer a high availability (HA) solution that pairs a second, similar firewall with the primary. In the event the primary fails, the secondary HA unit takes over until the primary is up and running again. The two can also share the deep packet inspection (DPI) load.

Many competitors require a full-price purchase of the failover unit, as well as full subscription services after the first year. In comparison, SonicWall is ensuring network security is available via bundles designed with the requirements of mid-tier enterprises in mind.

Features & Performance

  • Enterprise-grade 10-GbE and 2.5-GbE firewalls
  • Available in HA bundle
  • Up to 1.5 times higher performance than predecessors
  • Up to 10 times more encrypted connections than predecessors
  • Real-time TLS/SSL decryption and inspection
  • Redundant power supplies and fans
  • Built-in modular storage
  • Powered by new SonicOS 6.5.2

“This new range of NSa firewalls delivers the performance, value and security our mid-tier enterprise customers can’t get from traditional security vendors,” said Boris Wetzel, CEO choin! GmbH, a SecureFirst partner and NSa beta customer. “Coupled with SonicWall’s cost-effective HA offering, the new NSa series will help disrupt a segment of the market that has been forced into antiquated pricing structures for far too long.”

The NSa 6650, 9250, 9450 and 9650 include 10-GbE and 2.5-GbE interfaces to enable more devices to connect directly to the firewall without requiring a switch.

The new NSa firewalls also support more connections than their predecessors, including nearly five times the number of stateful packet inspection (SPI) connections and 25 times the number of SSL/TLS deep packet inspection (DPI) connections.

New NSsp Next-Generation Firewalls

Complementing the new NSa series, we are also launching our new Network Security services platform (NSsp) 12000 series, which includes new NSsp 12400 and NSsp 12800 firewalls.

Built specifically for large, distributed enterprises, data centers, universities and service providers, these scalable, 4U next-generation firewalls build upon our extensive NSa feature set and are capable of scanning millions of connections for the latest cyberattacks.

Features & Performance

  • High port density featuring 40-GbE and 10-GbE interfaces
  • Cloud-based and on-box threat prevention
  • Real-time TLS/SSL decryption and inspection
  • Built-in modular storage
  • Redundant power supplies and fans
  • 4U rackmount chassis
  • Built-in redundancy features
  • Powered by new SonicOS 6.5.2

“The volume and sophistication of today’s cyberattacks continues to grow and we require reliable, high-performance security solutions that can keep pace,” said Antonio Cisternino CIO University of Pisa, a SonicWall NSsp beta customer. “Because of the number of end users we service in a highly complex and dynamic environment, we depend on networking capabilities that can simultaneously support millions of connections and mitigate cyberattacks hiding within encrypted traffic without compromising the research needs.

“The new SonicWall NSsp 12000 series firewalls combine the best of both worlds: high security efficacy and high performance.”

With multiple 40-GbE interfaces, the NSsp series enables the high-speed throughput large organizations need in today’s fast-paced networked environment.


To learn more about SonicWall’s new NSa and NSsp next-generation firewalls, please visit sonicwall.com.

12 New Products Usher in SonicWall’s Expansion into Mid-Tier Enterprise Market

It’s been just 20 months.

And in that short time as an independent company, SonicWall employees, customers and partners have accomplished so much together. Our short-term mission was to rebuild the SonicWall brand, launch new and advanced cyber security solutions and services in the SMB space, and bring our global partner community back home.

SonicWall, it’s good to have you back.

Now that our heart, soul and technology are deeply rooted in protecting organizations in the SMB space, we feel it’s time to focus on another segment we serve: the mid-tier enterprise market, where we are the No. 5 player, according to Gartner.

That’s why today we announced a focused technology, security and partner mission to deliver network security solutions that align with the performance, security efficacy and high availability required by the modern mid-tier enterprise.

But we’re also focusing on disrupting the market with our Capture Cloud Platform, which brings together network, endpoint and application security with management, reporting, analytics and visual cyber threat intelligence.

This will usher in a new cost structure with an assertive total cost of ownership (TCO) offering via our Capture Security Center, Capture Client endpoint protection and our new NSa series high availability (HA) offerings.

In fact, most of our competitors still require a full-price purchase of the failover firewall unit, as well as full subscription services after the first year. We don’t think that’s right. And it certainly doesn’t make much business sense.

So, SonicWall wants to ensure two things:

  • Network security is available via bundles designed with the requirements of mid-tier enterprises in mind.
  • It’s easy for mid-tier enterprises to do business with our SecureFirst partners.

What’s New from SonicWall

All told, this platform announcement includes 12 new products, updates or enhancements. And we couldn’t be more excited to share this innovation with you. Please explore each in detail. We will have detailed blogs on many of the new and updated products in the coming days.

  • Capture Cloud Platform — Expanded for mid-tier enterprises and now delivers integrated cloud-scale management and true end-to-end security that protects networks, email, endpoints, mobile and remote users. This all-in-one approach enables our complete portfolio of high-performance hardware, virtual appliances and clients to harness the power, agility and scalability of the cloud.
  • Capture Security Center — Fully enhanced to deliver a unified security governance, compliance and risk management strategy. Improve security outcomes from the firewall to the endpoint with integrated threat intelligence between the SonicWall Capture Advanced Threat Protection (ATP) sandbox service, Capture Client endpoint protection and SentinelOne threat databases.
  • Capture Client 1.5 — Now integrated with the SonicWall Capture ATP sandbox service. Suspicious files that Capture Client gives a moderate threat score (but not high enough to merit an alert) may be automatically uploaded for analysis.
  • New NSa Next-Generation Firewalls — Replacing the SuperMassive 9200, 9400 and 9600 models, our new NSa 6650, 9250, 9450 and 9650 series deliver elite levels of performance, security efficacy and high availability for mid-tier enterprises — all with industry-low TCO.
  • New NSsp 12000 Next-Generation Firewalls — A brand new product line, the new NSsp 12400 and 12800 series next-generation firewalls align with advanced requirements of service providers and data centers and are capable of scanning millions of connections for the latest cyber threats.
  • Cloud App Security — Cloud-based security service that enables organizations to secure SaaS application usage and reduce risk of shadow IT. The solution provides functionality similar to Cloud Access Security Broker (CASB) offerings to deliver real-time visibility and control of applications being used by employees.
  • Analytics — Available in cloud-hosted or on-premise options, SonicWall Analytics provides network analysts, security operations engineers and incident responders deeper visibility into network traffic, threat information and cross-product insights to perform network forensics, security analysis and threat hunting for businesses, organizations and managed service providers (MSP) of all sizes.
  • SonicOS 6.5.2 — Adds 40 new security features to better secure wired, wireless and mobile network environments. It offers more dynamic defenses against modern zero-day threats, including attacks hidden within encrypted traffic, absolute control of application traffic without compromising performance and availability, and optimal wireless user experiences regardless of location.
  • Secure Mobile Access (SMA) 1000 Series 12.2 — Delivers consolidated access management and eliminates bad password habits with federated SSO to cloud and on-premise applications. Adds Always-On VPN for Windows devices for seamless and secure access from any location.
  • SMA 100 Series 9.0 — Integrates with Capture ATP to block malicious file uploads from remote users. Adds Always-On VPN for Windows devices for seamless and secure access from any location.
  • Email Security 9.2 — Blocks and quarantines messages with malicious URLs before they reach the inbox. Integrates with Google’s G Suite to provide advanced threat protection, strong data loss prevention and compliance engine, and email continuity.
  • Global Management System (GMS) 8.6 — Upgrades authentication measures with strict enforcement of password complexity and account lockout policies before granting access to its management platform. This protects against automated brute-force attacks (e.g., password spray campaigns). Update also adds management and provisioning support for the new NSa series firewalls running the latest SonicOS 6.5.2 and the “Firewall Sandwich” solution.

Enhancing our Go-to-Market Strategy

Fundamental to the release of these new enterprise-focused products and services is the strengthening of SonicWall’s go-to-market focus and resources. SonicWall will engage with organizations in key verticals, including retail, K12 and higher education, and state, local and federal government. SonicWall will also continue to focus on its partnership with Dell while building and expanding relationships with MSSPs.

To our existing customers, vendors and partners, thank you for making SonicWall what it is today. We can’t wait to see what we do next together.

To our future customers, trust us to protect what’s most important to you: your business, data and livelihood. Contact one of our cybersecurity experts to learn how our automated, real-time breach detection and prevention platform can protect your organization from both known and unknown cyberattacks in the fast-moving cyber arms race.

Capture Cloud Platform: A Security Ecosystem that Harnesses the Power of the Cloud

We have fantastic advancements in technologies right now. With software-defined everything (SDx) and cloud becoming more accessible and affordable, both large and small organizations can effectively execute their digital business strategies with greater ease and speed.

As new applications, systems and SDx architecture are deployed to advance the digital business, many organizations also find themselves retooling their cyber security model to maintain the health and defense of their networks and services.

Organizations now must have complete knowledge, visibility and control of the security ecosystem, and the capacity to manage and remove cyber risks that can be disruptive and disastrous to the business.

To help make the cloud journey powerful, agile and safe, SonicWall developed its Capture Cloud Platform to address CISOs’ top three cyber security priorities:

  1. Give actionable cyber threat intelligence to help better understand security risks and quickly respond to them
  2. Reduce security silos by consolidating and integrating security technologies
  3. Manage cyber risk with greater visibility and control

Integrated Security, Management & Analytics

The core value of the Capture Cloud Platform is the integration of several key capabilities with our cloud-based centralized management, reporting and analytics services, including the Capture Advanced Threat Protection (ATP) sandbox, which includes Real-Time Deep Memory Inspection (RTDMI™) technologies, and Capture Labs and Capture Threat Network threat intelligence services.

This all-in-one approach enables our complete portfolio of high-performance hardware, virtual appliances and clients to harness the power, agility and scalability of the cloud and allows organizations to:

  • Drive end-to-end visibility and share intelligence across a unified security framework
  • Proactively protect against known and unknown cyberattacks (e.g., zero days)
  • Gain contextual awareness to detect and respond to security risks with greater speed and accuracy
  • Make informed security policy decisions based on real-time and consolidated threat information

The SonicWall Capture Cloud Platform service-oriented architecture tightly unifies the current and future SonicWall security and management services organizations need to run an efficient security operations center (SOC). It eases and, in most cases, automates the governance of their network, endpoint and cloud security services with a single-pane-of-glass (SPOG) experience.

10 Components of the Capture Cloud Platform

Organizations are empowered by the Capture Cloud Platform to make the shift from the old on-premises world of IT into the new hybrid cloud-as-a-service world by coalescing SonicWall security solutions with simple, common management tools that not only help achieve desired security and operational goals but also deliver real business value.

Currently, Capture Cloud Platform is comprised of 10 key SonicWall security and service components:

  1. Capture Security Center
  2. Real-Time Cyber Threat Intelligence
  3. Capture Client
  4. Capture ATP
  5. Cloud App Security
  6. Management & Analytics
  7. NSv Series virtual firewalls
  8. NSa Series hardware firewalls
  9. Web Application Firewall (WAF)
  10. MySonicWall & Licensing (credentials required)

The combination of these services delivers mission-critical layered cyber defense, threat intelligence, analysis and collaboration, and common management, reporting and analytics that work together synchronously.

This helps organizations stay on top of the cyber threat landscape, protect sensitive information, meet compliance requirements, and maintain normal service operations while moving the company’s digital transformation forward safely.

Visit our Capture Cloud Platform to get detailed information on each of the solution values and learn how the platform can securely accelerate your cloud journey.

RTF exploits in the wild

SonicWall Threat Research Lab is seeing a huge volume of RTF exploits with embedded OLE objects exploiting two Microsoft vulnerabilities (CVE-2017-11882 and CVE-2017-0199). CVE-2017-11882 is caused by incorrect handling of embedded Equation Editor OLE objects in Office documents, and CVE-2017-0199 by incorrect parsing of embedded OLE2Link objects. Successful exploitation of either can lead to arbitrary code execution in the context of the host.

Infection cycle:

The attack starts with a phishing campaign that sends the target user either an attachment or a link to a compromised website hosting the malicious document. The malicious document can be either a Word document or a PDF with an embedded Rich Text Format (.rtf) file. When the main document is opened, the embedded .rtf file, which actually exploits the vulnerabilities mentioned above, is extracted and executed. Once the .rtf file has finished exploiting, control returns to the attacker-specified address where the shellcode is located. When the shellcode runs, it downloads the payload from the remote server and executes it on the compromised machine. We see many variants of the final payload delivered through these exploits; upon execution they create a reverse shell and give the attacker control over the host.
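A defender-side triage check for the indicators described above, added here as an example and not code from the original post: it scans raw RTF bytes for embedded OLE objects and flags the Equation Editor and OLE2Link class names and auto-updating links. The RTF fragments, the class-name list and the risk tiers are constructed for this example.

```python
import re

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE compound file header signature

# Constructed sample RTF fragments for this example; none is a real sample.
BENIGN_RTF = rb"{\rtf1\ansi{\fonttbl{\f0 Arial;}}\f0 Quarterly report text.\par}"
# Embedded object whose class is the Equation Editor component (CVE-2017-11882).
EQNEDT_RTF = (rb"{\rtf1{\object\objemb{\*\objclass Equation.3}"
              rb"{\*\objdata d0cf11e0a1b11ae10000000000000000}}}")
# Auto-linked, auto-updating OLE2Link object (the CVE-2017-0199 pattern).
OLE2LINK_RTF = (rb"{\rtf1{\object\objautlink\objupdate{\*\objclass OLE2Link}"
                rb"{\*\objdata d0cf11e0a1b11ae1ffffffff}}}")
# Ordinary embedded spreadsheet: an OLE object, but no known-bad indicator.
PLAIN_OBJ_RTF = (rb"{\rtf1{\object\objemb{\*\objclass Excel.Sheet.8}"
                 rb"{\*\objdata d0cf11e0a1b11ae100}}}")

SUSPICIOUS_CLASSES = ("equation", "ole2link")  # assumed watch-list for this example


def rtf_ole_indicators(data: bytes) -> dict:
    """Collect embedded-OLE indicators from raw RTF bytes (plain text scan)."""
    classes = [m.group(1).decode("latin-1").strip()
               for m in re.finditer(rb"\\objclass\s+([^}]+)", data)]
    # \objdata carries the object as hex; check whether it is an OLE compound file
    ole_payload = False
    for m in re.finditer(rb"\\objdata\s*([0-9a-fA-F\s]+)", data):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        hexstr = hexstr[: len(hexstr) // 2 * 2]  # drop a dangling nibble
        if bytes.fromhex(hexstr.decode("ascii")).startswith(OLE_MAGIC):
            ole_payload = True
    return {
        "objects": len(re.findall(rb"\\object\b", data)),
        "classes": classes,
        "autolink": b"\\objautlink" in data,
        "objupdate": b"\\objupdate" in data,
        "ole_payload": ole_payload,
    }


def rtf_risk(data: bytes) -> str:
    """Map the indicators to a triage verdict: 'high', 'medium' or 'low'."""
    ind = rtf_ole_indicators(data)
    if ind["objects"] == 0:
        return "low"
    known_bad = any(c.lower().startswith(SUSPICIOUS_CLASSES) for c in ind["classes"])
    if known_bad or (ind["autolink"] and ind["objupdate"]):
        return "high"
    return "medium" if ind["ole_payload"] else "low"
```

Real samples often split or obfuscate control words, so treat a "low" verdict from this plain-text scan as inconclusive and hand the file to a proper RTF/OLE parser or sandbox.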


Trend Graph:

The trend line below shows how this attack is being used in the wild today:


Prevalence Map:

This can be mitigated by keeping software up to date with all security patches. Enable Protected View for Office documents and do not allow editing of RTF files. Review carefully before editing or doing anything that requires Protected View to be disabled.

SonicWall Threat Research Lab provides protection against this threat via the following signatures:

  • GAV: 23807 CVE2017-11882.BJ_2
  • SPY: 5164 Malformed-File pdf.MP.316