Retail POS Fraud: The Rising Challenge

I have a confession: I. Love. Shopping.

Recently, I had to return a few items that I ordered online from one of America’s premium designer stores. I expected this to be a pain-free and smooth experience, but I had to wait half an hour for the sales rep to complete the process.

While I was waiting impatiently — thinking of what to do next — I heard the sales rep complaining about the speed and age of their systems. Coming from a cyber security background, this made me think about how easy it would be for threat actors to breach old, outdated systems.

If your systems are not updated and maintained correctly and consistently, you will be an easy target for cybercriminals. Not only will you compromise your data, you could put your customers’ information at risk, too. If you are relying on outdated systems, time’s up. Let go of all the old infrastructure and focus on building a network with security in mind.

Cyberattacks Against the Retail Industry

It does not matter if you are a small retail chain or a global corporation: hackers will target your data. According to a 2017 study conducted by the Ponemon Institute, SMBs are a huge target for hackers. Our most recent infographic shows that SMBs spent, on average, $1.2 million as a result of disruption to normal activities, and some 61 percent of SMBs experienced a cyberattack in the last 12 months.

I can’t stress this enough: in this day and age, it is critical to secure your data as well as your customers’. You have a duty to protect their data and privacy, so incidents like the Facebook data leak do not happen to your organization or store.

How Retailers Can Protect Customer Data

So, how do you ensure that your data, and your customers’, is secure?

Installing next-generation firewalls and enabling DPI-SSL to inspect your encrypted traffic (which requires distributing the firewall’s re-signing certificate to your endpoints) will help eliminate the majority of cyberattacks. But hackers are re-tooling and finding new ways and means of attacking your infrastructure.

One example is a memory-based attack, such as an exploit for the Meltdown CPU vulnerability. Exploits of this kind do their work in memory rather than dropping a recognizable file on disk, and old, unpatched point-of-sale (POS) systems are easy targets for them. Until recently, few solutions could detect memory-based attacks at all.

SonicWall took on this challenge and invented Real-Time Deep Memory Inspection (RTDMI™). SonicWall’s patent-pending RTDMI technology detects and blocks malware that does not exhibit any malicious behavior or that hides its weaponry via encryption. RTDMI is part of SonicWall Capture Advanced Threat Protection (ATP), a cloud-based, multi-engine sandbox designed to discover and stop unknown, zero-day attacks, such as ransomware, at the gateway with automated remediation.

Why RTDMI Is Critical

To discover packed malware code that has been compressed or encrypted to avoid detection, the RTDMI engine lets the malware reveal itself by unpacking its code in memory inside a secure sandbox environment. It then examines the code sequences found in that memory image and compares them against what it has already seen.

Identifying malicious code in memory is more precise than trying to differentiate between malware system behavior and clean program system behavior, which is an approach used by some other analysis techniques.

Besides being highly accurate, RTDMI also improves sample analysis time. Since it can detect malicious code or data in memory in real time during execution, no malicious system behavior is necessary for detection. The presence of malicious code can be identified prior to any malicious behavior taking place, thereby rendering a quicker verdict.

Upon detailed analysis, SonicWall Capture Labs threat researchers discovered that RTDMI had the ability to stop new forms of malware trying to exploit the Meltdown vulnerability. The RTDMI engine’s CPU-level intrusion detection granularity (unlike typical behavior-based systems, which have only API/system-call-level granularity) is what allows RTDMI to detect malware variants that contain exploit code targeting the Meltdown vulnerability.

By forcing malware to reveal its weaponry in memory, where weaponry is exposed for less than 100 nanoseconds, the RTDMI engine proactively detects and blocks mass-market, zero-day threats and unknown malware with a very low false positive rate.
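The point of the two preceding sections is that a packed sample contains no recognizable code until it unpacks itself in memory. The following is an added illustration of that gap, not SonicWall's RTDMI code: a signature scan over the file as it sits on disk finds nothing, while the same scan over the unpacked memory image does. The "known-bad" byte sequence, the toy one-byte XOR packer (with its hypothetical `PK1` header) and the sample are all constructed for this example.

```python
"""Added example, not SonicWall's code: why a signature that is invisible in a
packed file on disk shows up once the sample has unpacked itself in memory.
The signature bytes, the toy XOR packer and the sample are all constructed."""

# Constructed "known-bad" byte sequence we pretend is a shellcode stub.
KNOWN_BAD = {
    "demo.payload.A": b"\x31\xc0\x50\x68\x2f\x2f\x73\x68",
}

PACK_MAGIC = b"PK1"   # hypothetical header of the toy packer


def static_scan(blob: bytes) -> list:
    """Match signatures against the bytes exactly as they sit on disk."""
    return [name for name, sig in KNOWN_BAD.items() if sig in blob]


def toy_pack(payload: bytes, key: int) -> bytes:
    """One-byte XOR 'packer': header + key byte + XORed payload. Real packers
    are far more involved, but the effect is the same: the original code
    sequence no longer exists anywhere in the file."""
    if not 1 <= key <= 0xFF:
        raise ValueError("key must be a non-zero byte")
    return PACK_MAGIC + bytes([key]) + bytes(b ^ key for b in payload)


def emulate_unpack(blob: bytes) -> bytes:
    """Stand-in for running the sample in a sandbox until its unpacking stub
    has rebuilt the real code in memory: reverse the toy packer and return the
    image as it would appear in the process's memory."""
    if not blob.startswith(PACK_MAGIC):
        return blob                      # not packed: memory image == file image
    key = blob[len(PACK_MAGIC)]
    return bytes(b ^ key for b in blob[len(PACK_MAGIC) + 1:])


def memory_scan(blob: bytes) -> list:
    """Scan the unpacked in-memory image instead of the packed file."""
    return static_scan(emulate_unpack(blob))


def compare(blob: bytes) -> dict:
    """Both verdicts side by side for one sample."""
    return {"static": static_scan(blob), "memory": memory_scan(blob)}


if __name__ == "__main__":
    sample = toy_pack(KNOWN_BAD["demo.payload.A"] + b"\x90" * 8, key=0x5A)
    print(compare(sample))   # static scan finds nothing; memory scan flags demo.payload.A
```

The file-level scan is blind to the payload because every byte of it has been transformed; only after the unpacking step has run does the original sequence exist anywhere to be matched. A real memory-inspection engine has to capture that image at the right moment during execution, which is the timing problem the text above refers to.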

Capture ATP & Retail

With Capture ATP and RTDMI, you should see a significant improvement in detection rates when analyzing files on a larger scale. Best part? This technology is available within Capture ATP at no added cost to you.

This solution is definitely a big win for the security industry. Leverage technologies like the Capture ATP sandbox with RTDMI to protect your retail stores from advanced threats, so that you can focus more on your business and fear less about security.

To learn more, explore SonicWall’s retail security solutions.

 

Cyber Security News & Trends – 07-13-18

Each week, SonicWall collects the cyber security industry’s most compelling, trending and important interviews, media and news stories — just for you.


SonicWall Spotlight

As Malware, Ransomware Surge in 2018, SonicWall Raises Alarm on Encrypted Threats and Chip-Based Attacks

  • SonicWall publishes a mid-year update of 2018 SonicWall Cyber Threat Report, finds more than 5.99 billion total malware attacks, up 102 percent, in the first six months of 2018.

Ghostbusters 2: how to deal with Spectre, the sequel – SC Magazine (UK)

  • Lawrence Pingree, SonicWall’s VP of Product Management, discusses the possibilities of future exploits built on the Spectre vulnerability.

Big Enterprise or Small Business, It Doesn’t Matter: Hackers Are Coming for You, Right Now – Joseph Steinberg

  • Quotes from a 2017 interview between Bill Conner and Joe Steinberg are resurfaced to explain that about half of all cyber-attacks are on small businesses.

Cyber Security News

Now Pushing Malware: NPM package dev logins slurped by hacked tool popular with coders – The Register

  • An unfortunate chain reaction was averted today after miscreants tampered with a widely used JavaScript programming tool to steal other developers’ NPM login tokens.

Hackers are selling backdoors into PCs for just $10 – ZDNet

  • Cyber criminals are offering remote access to IT systems for just $10 via a dark web hacking store — potentially enabling attackers to steal information, disrupt systems, deploy ransomware and more.

Senators press federal election officials on state cybersecurity – The Hill

  • Senators on Wednesday pressed top officials from the U.S. Election Assistance Commission (EAC) about their efforts to boost the cybersecurity of state election systems, with a focus on whether each state should have a mechanism in place to audit its results.

Cryptocurrency service Bancor robbed of billions; MyEtherWallet users targeted via malicious VPN Chrome extension – SC Magazine

  • Cryptocurrency token conversion service Bancor disclosed yesterday that hackers stole millions in funds from one of its online wallets, while Ethereum crypto wallet service MyEtherWallet warned that hackers may have compromised anyone who accessed its service while using the free VPN service Hola and its Chrome extension.

Breach department: Unauthorized party accesses Macys.com and Bloomingdales.com customer accounts – SC Magazine

  • For nearly two months, an unauthorized party reportedly used stolen usernames and passwords to log into the online accounts of certain Macys.com and Bloomingdales.com customers.

In Case You Missed It

5 Cyberattack Vectors for MSSP to Mitigate in Healthcare

It’s no secret that healthcare continues to be one of the most targeted industries for cybercriminals. Healthcare providers store and maintain some of the most valuable data and the appetite for fraudulent claims or fake prescription medications is insatiable.

Despite all of the regulations, there are still relatively few watchdogs overseeing healthcare. For many providers, cyber security hasn’t been a priority until very recently.

With more and more organizations reaching out to cyber security experts for assistance, it’s more important than ever that managed security services providers (MSSPs) understand the healthcare industry so that they can tailor solutions aimed at improving the security posture of healthcare providers.

Inside Users Present the Greatest Threat

According to a 2018 survey of cyber security professionals conducted by HIMSS, over 60 percent of threat actors are internal users within a healthcare organization. Email phishing and spear-phishing attempts are aimed at tricking users into providing credentials or access to information for cybercriminals. Negligent insiders, who have access to trusted information, can facilitate data breaches or cyber incidents while trying to be helpful.

In addition to systematically monitoring and protecting infrastructure components, MSSPs need to consider a multi-faceted campaign that creates a cyber security awareness culture within healthcare organizations. This campaign should include template policies and procedures for organizations to adopt, regular and routine training efforts, and social-engineering penetration testing of staff.

From a systems perspective, it’s important to have tools that do everything possible to mitigate cyberattacks: next-generation email security to block phishing and spear-phishing attempts; endpoint security solutions that monitor behavior through heuristic-based techniques; and routing of internal network traffic through a next-generation firewall to perform deep packet inspection (DPI) on any traffic traversing the network, especially if it’s encrypted.

Mobile Devices Open Large Attack Surfaces

Mobile devices have changed the way that we do just about everything. And the same is true for the manner in which healthcare conducts business.

To enable mobility and on-demand access, many electronic health record (EHR) applications have specific apps that create avenues for mobile devices to access portions of the EHR software. The widespread adoption of mobile devices and BYOD trends are pushing healthcare to adopt new business models and workflows. Cyber risk mitigation must be a priority as momentum continues to build.

MSSPs need to pay very careful attention to the access that mobile devices have to the EHR application, whether hosted on-premise or in the cloud. For more protection, implement a mobile device management (MDM) solution if the organization doesn’t already have one.

IoT Leaves Many Healthcare Providers at Risk

The Internet of Things (IoT) is bringing connectivity and statistical information to providers in near real-time while offering incredible convenience to the patient. Even wearable devices have immense capabilities to monitor chronic illnesses, such as heart disease, diabetes and hypertension. With these devices comes an incredible opportunity for hackers and an immense threat to healthcare providers.

IoT devices tend to have weaker protections than typical computers. Many IoT devices do not receive software or firmware updates on any regular cadence, even though all of them are connected to the internet. There are so many manufacturers of IoT devices, and they are distributed through so many channels, that there are no common standards or controls regarding passwords, encryption or chain-of-custody tracking to see who has handled a device before it arrives.

If it’s feasible for the organization, totally isolate any IoT-connected devices on a secure internal network not connected to the internet (i.e., air-gapped). Where a device genuinely needs a cloud service to function, the fallback is its own network segment with egress restricted to the specific endpoints it requires, rather than a place on the general LAN.

Encryption for Data at Rest Is Critical

For healthcare providers, it’s equally important to have strong encryption for both data at rest and data in transit. Encryption for data at rest includes ensuring the software managing PHI doesn’t rely on a single key that could unlock everyone’s PHI. If at all possible, records should be encrypted with unique keys so that one exposed key doesn’t open the door to everyone’s information.
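One way to get the "unique key per record" property described above is envelope encryption: each record is sealed under its own random data-encryption key (DEK), and only that small DEK is wrapped under a key-encryption key (KEK) that never leaves an HSM or cloud KMS. The block below is an added example and not code from the original post or any vendor; its `RecordStore` class, `seal`/`open_` functions and the sample patient records are constructed here. The cipher is an HMAC-SHA256 keystream in counter mode with an HMAC tag (encrypt-then-MAC) so that the example runs on the Python standard library alone; in production you would use AES-GCM or ChaCha20-Poly1305 from a vetted library such as `cryptography` in its place.

```python
"""Added example (not from the original post): per-record envelope encryption,
so that exposing one record's key does not unlock every patient's PHI.

The cipher below (HMAC-SHA256 keystream + HMAC tag) exists only so the example
runs with the standard library. Use AES-GCM from a vetted library in production.
"""
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC subkeys from one 32-byte key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Return nonce || ciphertext || tag. `aad` is authenticated, not encrypted."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag first, then decrypt. Raises ValueError on a wrong key or tampering."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def can_open(key: bytes, blob: bytes, aad: bytes = b"") -> bool:
    """True if `key` authenticates and decrypts `blob`; False otherwise."""
    try:
        open_(key, blob, aad)
        return True
    except ValueError:
        return False


class RecordStore:
    """PHI store in which every record is encrypted under its own DEK.
    The KEK is held in memory here only for the demonstration; in production
    the wrap/unwrap calls go to an HSM or KMS and the KEK is never exported."""

    def __init__(self, kek: bytes):
        self._kek = kek
        self._rows = {}  # record_id -> (wrapped_dek, sealed_record)

    def put(self, record_id: str, phi: bytes) -> None:
        dek = os.urandom(32)          # fresh random key for this record only
        rid = record_id.encode()      # bind both blobs to the record id via AAD
        self._rows[record_id] = (seal(self._kek, dek, aad=rid), seal(dek, phi, aad=rid))

    def get(self, record_id: str) -> bytes:
        wrapped_dek, sealed = self._rows[record_id]
        rid = record_id.encode()
        return open_(open_(self._kek, wrapped_dek, aad=rid), sealed, aad=rid)

    def ciphertext(self, record_id: str) -> bytes:
        """What an attacker who dumps the database sees for one record."""
        return self._rows[record_id][1]

    def unwrap_dek(self, record_id: str) -> bytes:
        """Only here to simulate a leaked per-record key and show its blast radius."""
        return open_(self._kek, self._rows[record_id][0], aad=record_id.encode())
```

Binding the wrapped DEK and the sealed record to the record id through the AAD also stops an attacker with write access from swapping one patient's ciphertext into another patient's row. The blast radius of a leaked DEK is exactly one record; the KEK is the only key that unlocks everything, which is why it belongs in an HSM or KMS with an audited API rather than in application configuration.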

Attacks Are Hiding within Encrypted Traffic

MSSPs serving healthcare organizations need to realize that there is not one layer of defense that they should rely on. That said, perhaps the most important layer is the firewall.

A next-generation firewall with DPI capabilities is a critical component in securing a healthcare network. Even internal traffic traversing the network should be routed through the firewall, both to prevent malicious traffic from spreading across the entire LAN and to log transactions.

As much as possible, isolate medical devices and software applications that host PHI inside a secure network zone and protect that zone with an internal DPI-capable firewall that will only allow access to authorized services and IP addresses.


About ProviNET

ProviNET is a SonicWall SecureFirst Gold Partner. For nearly three decades, ProviNET has delivered trusted technology solutions for healthcare organizations. Whether it’s a single project or full-time onsite work, ProviNET designs and implements customized solutions so healthcare organizations can focus on core services.

ProviNET’s tight-knit group of experienced, industry-certified personnel are focused on customer satisfaction. They are a reputable organization, fulfilling immediate IT needs and helping plan for tomorrow. They are ready to put their extensive knowledge to work for healthcare, developing strategies and solving challenges with the latest technology.

To learn more about ProviNET, please visit www.provinet.com.

Microsoft Security Bulletin Coverage for July 2018

SonicWall Capture Labs Threats Research Team has analyzed and addressed Microsoft’s security advisories for the month of July 2018. A list of the issues reported, along with SonicWall coverage information, is as follows:

CVE-2018-0949 Internet Explorer Security Feature Bypass Vulnerability
IPS : 13412 Internet Explorer Security Feature Bypass Vulnerability (JUL 18)
CVE-2018-8125 Chakra Scripting Engine Memory Corruption Vulnerability
IPS : 13418 Chakra Scripting Engine Memory Corruption Vulnerability (JUL 18)
CVE-2018-8171 ASP.NET Core Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2018-8172 Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8202 .NET Framework Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8206 Windows FTP Server Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2018-8222 Device Guard Code Integrity Policy Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2018-8232 Microsoft Macro Assembler Tampering Vulnerability
There are no known exploits in the wild.
CVE-2018-8238 Skype for Business and Lync Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2018-8242 Scripting Engine Memory Corruption Vulnerability
IPS : 13414 Scripting Engine Memory Corruption Vulnerability (JUL 18) 4
CVE-2018-8260 .NET Framework Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8262 Microsoft Edge Memory Corruption Vulnerability
IPS : 13415 Microsoft Edge Memory Corruption Vulnerability (JUL 18) 1
CVE-2018-8274 Microsoft Edge Memory Corruption Vulnerability
IPS : 13417 Microsoft Edge Memory Corruption Vulnerability (JUL 18) 2
CVE-2018-8275 Scripting Engine Memory Corruption Vulnerability
IPS : 13416 Scripting Engine Memory Corruption Vulnerability (JUL 18) 5
CVE-2018-8276 Scripting Engine Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2018-8278 Microsoft Edge Spoofing Vulnerability
IPS : 13419 Microsoft Edge Spoofing Vulnerability (JUL 18)
CVE-2018-8279 Scripting Engine Memory Corruption Vulnerability
IPS : 13420 Microsoft Edge Memory Corruption Vulnerability (JUL 18) 3
CVE-2018-8280 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2018-8281 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8282 Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8283 Scripting Engine Memory Corruption Vulnerability
IPS : 13421 Scripting Engine Memory Corruption Vulnerability (JUL 18) 6
CVE-2018-8284 .NET Framework Remote Code Injection Vulnerability
There are no known exploits in the wild.
CVE-2018-8286 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2018-8287 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2018-8288 Scripting Engine Memory Corruption Vulnerability
IPS : 13422 Scripting Engine Memory Corruption Vulnerability (JUL 18) 7
CVE-2018-8289 Microsoft Edge Information Disclosure Vulnerability
IPS : 13423 Microsoft Edge Information Disclosure Vulnerability (JUL 18) 3
CVE-2018-8290 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2018-8291 Scripting Engine Memory Corruption Vulnerability
IPS : 13407 Scripting Engine Memory Corruption Vulnerability (JUL 18) 1
CVE-2018-8294 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2018-8296 Scripting Engine Memory Corruption Vulnerability
IPS : 13410 Scripting Engine Memory Corruption Vulnerability (JUL 18) 3
CVE-2018-8297 Microsoft Edge Information Disclosure Vulnerability
IPS : 13408 Microsoft Edge Information Disclosure Vulnerability (JUL 18) 1
CVE-2018-8298 Scripting Engine Memory Corruption Vulnerability
IPS : 13409 Scripting Engine Memory Corruption Vulnerability (JUL 18) 2
CVE-2018-8299 Microsoft SharePoint Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8300 Microsoft SharePoint Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8301 Microsoft Edge Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2018-8304 Windows DNSAPI Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2018-8305 Windows Mail Client Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8306 Microsoft Wireless Display Adapter Command Injection Vulnerability
There are no known exploits in the wild.
CVE-2018-8307 WordPad Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2018-8308 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8309 Windows Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2018-8310 Microsoft Office Tampering Vulnerability
There are no known exploits in the wild.
CVE-2018-8311 Remote Code Execution Vulnerability in Skype For Business and Lync
There are no known exploits in the wild.
CVE-2018-8312 Microsoft Access Remote Code Execution Use After Free Vulnerability
There are no known exploits in the wild.
CVE-2018-8313 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8314 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8319 MSR JavaScript Cryptography Library Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2018-8323 Microsoft SharePoint Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8324 Microsoft Edge Information Disclosure Vulnerability
IPS : 13411 Microsoft Edge Information Disclosure Vulnerability (JUL 18) 2
CVE-2018-8325 Microsoft Edge Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8326 Open Source Customization for Active Directory Federation Services XSS Vulnerability
There are no known exploits in the wild.
CVE-2018-8327 PowerShell Editor Services Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8356 .NET Framework Security Feature Bypass Vulnerability
There are no known exploits in the wild.

Adobe Flash (APSB18-24) and Adobe Reader (APSB18-21) Coverage:

CVE-2018-5007 Arbitrary Code Execution
ASPY : 5192 Malformed-File swf.MP.595
CVE-2018-5008 Information Disclosure
ASPY : 5189 Malformed-File swf.MP.594

CVE-2018-5028 Heap Overflow
ASPY : 5188 Malformed-File xps.MP.5
CVE-2018-5040 Heap Overflow
ASPY : 5184 Malformed-File pdf.MP.317
CVE-2018-5052 Heap Overflow
ASPY : 5185 Malformed-File pdf.MP.318
CVE-2018-5061 Out-of-bounds read
ASPY : 5186 Malformed-File emf.MP.63
CVE-2018-12789 Out-of-bounds read
ASPY : 5187 Malformed-File emf.MP.64
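When a coverage list like the one above arrives every Patch Tuesday, the practical question is which CVEs have a signature and which have to be covered by patching alone. The block below is an added example, not SonicWall's own tooling: a small parser for this plain-text format that records the signature engine (IPS or ASPY) and id for each CVE and lists the CVEs with no coverage line. The sample text embedded in it is copied from a handful of the entries above, including the one variant where the id is run together with the signature name.

```python
"""Added example (not SonicWall's code): parse the plain-text coverage list
into (CVE, title, engine, signature id) records and report what is uncovered."""
import re
from dataclasses import dataclass
from typing import Optional

CVE_RE = re.compile(r"^(CVE-\d{4}-\d{4,})\s+(.+?)\s*$")
SIG_RE = re.compile(r"^(IPS|ASPY)\s*:?\s*(\d+)\s*(.*?)\s*$")
FUSED_RE = re.compile(r"^(\d{4,})\s*(.*?)\s*$")   # "13414Scripting Engine ..." style
NONE_MARK = "There are no known exploits in the wild."


@dataclass
class Entry:
    cve: str
    title: str
    engine: Optional[str] = None   # "IPS", "ASPY", or None when the tag was missing
    sig_id: Optional[int] = None
    sig_name: str = ""

    @property
    def covered(self) -> bool:
        return self.sig_id is not None


def parse_coverage(text: str) -> list:
    """Walk the list line by line; a CVE line opens an entry and the next
    signature line (if any) attaches to it."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CVE_RE.match(line)
        if m:
            current = Entry(m.group(1), m.group(2))
            entries.append(current)
            continue
        if current is None or line == NONE_MARK:
            continue
        m = SIG_RE.match(line)
        if m:
            current.engine, current.sig_id, current.sig_name = m.group(1), int(m.group(2)), m.group(3)
            continue
        m = FUSED_RE.match(line)
        if m:   # id present but the engine tag was lost in the listing
            current.sig_id, current.sig_name = int(m.group(1)), m.group(2)
    return entries


def uncovered(entries) -> list:
    return [e.cve for e in entries if not e.covered]


def summary(entries) -> dict:
    n_cov = sum(1 for e in entries if e.covered)
    return {"total": len(entries), "covered": n_cov, "uncovered": len(entries) - n_cov}


# Sample constructed from lines of the bulletin above.
SAMPLE_BULLETIN = """\
CVE-2018-0949 Internet Explorer Security Feature Bypass Vulnerability
IPS : 13412 Internet Explorer Security Feature Bypass Vulnerability (JUL 18)
CVE-2018-8171 ASP.NET Core Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2018-8172 Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8242 Scripting Engine Memory Corruption Vulnerability
13414Scripting Engine Memory Corruption Vulnerability (JUL 18) 4
CVE-2018-8278 Microsoft Edge Spoofing Vulnerability
IPS : 13419Microsoft Edge Spoofing Vulnerability (JUL 18)

Adobe Flash (APSB18-24) and Adobe Reader (APSB18-21) Coverage:

CVE-2018-5007 Arbitrary Code Execution
ASPY: 5192 Malformed-File swf.MP.595
"""

if __name__ == "__main__":
    parsed = parse_coverage(SAMPLE_BULLETIN)
    print(summary(parsed))
    print("patch-only:", uncovered(parsed))
```

Feeding the whole bulletin through `parse_coverage` gives a machine-readable list that can be joined against your patch inventory: a CVE in `uncovered()` has no network-side mitigation, so its patch priority should not be lowered on the assumption that the firewall will catch an exploit.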

Ransomware Surges, Encrypted Threats Reach Record Highs in First Half of 2018

To ensure organizations are aware of the latest cybercriminal attack behavior, today SonicWall published a mid-year update to the 2018 SonicWall Cyber Threat Report.

“The cyber arms race is moving faster than ever with bigger consequences for enterprises, government agencies, educational and financial institutions, and organizations in targeted verticals,” said SonicWall CEO Bill Conner in the official announcement.

Cyber threat intelligence is a key weapon in organizations’ fight against criminal organizations within the fast-moving cyber arms race. The mid-year update outlines key cyberattack trends and real-world threat data, including:

Data for the annual SonicWall Cyber Threat Report is gathered by the SonicWall Capture Threat Network, which sources information from global devices and resources including more than 1 million security sensors in nearly 200 countries and territories.

“SonicWall has been using machine learning to collect, analyze and leverage cyber threat data since the ‘90s,” said Conner. “This commitment to innovation and emerging technology is part of the foundation that helps deliver actionable threat intelligence, security efficacy and automated real-time breach detection and prevention to our global partners and customers.”

Get the Mid-Year Update

Dive into the latest cybersecurity trends and threat intelligence from SonicWall Capture Labs. The mid-year update to the 2018 SonicWall Cyber Threat Report explores how quickly the cyber threat landscape has evolved in just a few months.

GET THE UPDATE

6 Reasons to Switch to SonicWall Capture Client from Sophos Intercept X

While Sophos claims to be a leading next-generation antivirus solution, are they really able to protect your organization’s endpoints — not to mention the rest of your network ­— in today’s threat landscape?

SonicWall Capture Client, powered by SentinelOne, was designed to deliver stronger security with better functionality against ransomware and other advanced cyberattacks. Explore these six key reasons to switch to SonicWall Capture Client:

  1. Certified for business.
    Although Sophos Intercept X is recommended by NSS Labs, it is not certified by OPSWAT or AV-Test. SentinelOne, the core engine within Capture Client, is also recommended by NSS Labs and holds OPSWAT certification and AV-Test certification for corporate use. Capture Client is also compliant with HIPAA and PCI mandates.
  2. True machine learning.
    Sophos only leverages machine learning as code executes on a system. In contrast, Capture Client applies machine learning before, during and after execution to reduce the risk of compromise to your endpoints, thereby better protecting your business.
  3. Real remediation.
    Sophos Intercept X relies on the Sophos Cleaner to restore potentially encrypted files. Not only can it be bypassed, but it is limited to using 60 MB of cache to save up to 70 “business” file types. Capture Client creates shadow copies of your data, which does not discriminate on size or file type. Capture Client rollback capabilities revert the impact of a malware attack, leaving the device clean and allowing the user to continue working — all without any risk of further damage.
  4. Firewall synergies.
    Although Sophos Endpoint Protection is closely linked to their next-generation firewall, this integration is lacking on Intercept X. Capture Client goes beyond the endpoint and has built-in synergies with SonicWall next-generation firewalls (NGFW). Although not required, when combined with a SonicWall next-generation firewall, it can enforce use of the client and redirect non-Capture Client users to a download page to update the endpoint.
  5. Easy digital certificate management.
    With more than 5 percent of malware using SSL/TLS encryption today, the inspection of encrypted traffic is vital. Sophos firewalls have limited SSL/TLS decryption capabilities and do not offer automated distribution of the re-signing certificate. Capture Client makes it easy to install and manage the re-signing digital certificates required for SSL/TLS decryption, inspection and re-encryption.
  6. Better roadmap.
    In September 2018, SonicWall will add network sandboxing. Capture Client will be able to route suspicious files to the award-winning, multi-engine Capture Advanced Threat Protection (ATP) cloud sandbox service to examine code in ways an endpoint can’t (e.g., fast-forwarding malware into the future). Administrators will be able to query known verdicts for the hashes of their suspicious files without having to upload them for analysis.

If you’d like to see for yourself the difference Capture Client makes over a limited and aging endpoint solution, contact us or ask your SonicWall partner representative for a one-month trial. Existing customers can log in to MySonicWall to begin the trial today.

 

Ready to ditch Sophos?

Strengthen your security posture today. Switch now and receive up to 30 percent* off of SonicWall Capture Client endpoint protection. It’s the smart, cost-effective approach for extending security to endpoints that exist outside of the network.

Fake Fortnite apps target Android gamers

The popularity of the free-to-play shooter game Fortnite has been nothing less than a phenomenon. The number of Fortnite players as of June 2018 is recorded at a staggering 125 million. Fortnite is available on popular platforms – Windows, Mac, PlayStation, Xbox and mobile devices. But when we say mobile devices, in this case, we mean Apple devices. Yes, Fortnite is currently not available for Android, as shown on both the Google Play Store and the official Epic website below:

However, according to uploaders on YouTube, Fortnite can be installed on Android devices just fine:

SonicWall Threats Research Team observed a number of fake Fortnite apps that claim to be Fortnite for Android but end up fooling the victims into installing third party apps for the benefit of the scammers.

We highlight a few popular scams in circulation right now that use Fortnite as their cash cow:

Scam I: Get verified

This scam is probably the most popular one right now and involves YouTube. There has been a flurry of videos that claim to show instructions to install and run Fortnite on Android. The scam works as follows:

  • Step I: YouTubers create videos showing how they can download, install and play Fortnite on Android devices. They add a link in their videos from where the fake Fortnite apps can be downloaded:


  • Step II: After installing the app and running it the victim is greeted with logos, images and videos which are copied straight from the official game. This is very critical as it cements the victim’s belief that this app may actually be real:
  • Step III: The victim is informed that some sort of mobile verification is needed before the game can be played:
  • Step IV: On clicking “OK” a link opens where the victim is asked to install an app. The link and app change from scam to scam, but it is always a legitimate, clean app (usually one available on Google Play) that the victim is asked to install. The victim installs this app believing that after this step he will be able to play Fortnite.
  • Step V: When the victim returns to the fake app, all he gets is an empty screen and is left wondering if he did something wrong. Many victims will try the previous step once more to “rectify” what they did wrong, or try a different YouTube video, thereby propagating the scam.

Scam II: App update

The initial step of this scam is the same as Step I described above. The difference is what happens once the fake app runs on the device.

  • Step II: Once the app runs it displays a screen stating that an update is needed; questionable terms are listed at the bottom, where the user has to scroll down to see them.
  • Step III: Both update and skip buttons move us forward and we begin seeing advertisements, also an update gets downloaded in the background:
  • Step IV: Just like the previous scam, a legitimate app gets installed on the device:

In our case the fake Fortnite app claimed to be installing “Fortnite Battle Death” but in reality installed a legitimate game called Battle Death Combat:

But where is Fortnite ?? Anywhere but here…

Scam III: V-Bucks

V-Bucks are the virtual in-game currency used to purchase customizations for a player character. They can be purchased online from legitimate sources, but scammers saw V-Bucks as an avenue for spreading their schemes. The Play Store is littered with apps that promise free V-Bucks but are just another scam:

One such app entices the user to do something for the author/creator in exchange for V-Bucks, for instance follow a certain Twitch channel. But after the user does so, it just displays a congratulatory message:

Another V-Bucks app has a little more depth. It asks for the user’s Fortnite username and puts on a show in which fake V-Bucks are “calculated”:

The next screen asks the user to rate the current app and then claim the V-Bucks. When the user tries to claim the reward, he is simply redirected to either a survey scam or a website that tries to phish for email addresses or phone numbers. Either way, this part of the scam is after the user’s data:

Although not malicious (as of now), these apps certainly trick users and siphon sensitive data from them.

Scam IV – Droidjack

These are straight-up malicious apps disguised as Fortnite apps. They make no pretense whatsoever and contain malicious code that infects the device. Currently, we observed apps carrying DroidJack, which has been covered earlier in our blogs.

We can expect other malicious apps to trojanize themselves as Fortnite in the near future.

Notable mention – Fortnite guides and tips

These are apps that contain few pages of tips and tricks for Fortnite, they may contain ads but are generally not malicious. Their sole purpose is to get installs from the users:

Why Fortnite?

The main reason for using Fortnite is its popularity: scammers and malware writers constantly use trending apps as cover for spreading malicious apps. Another reason is that Fortnite is not available on Android at the moment but is available for Apple devices. This creates a void for Android users, which leads some eager gamers to try alternative routes and make the mistake of installing apps from untrustworthy sources.

What do they gain from these scams?

Different scams serve different purpose, here are a few insights:

  • Verification-related scams – These scams require the victims to install specific legitimate apps; when these apps are downloaded, the referrers (the scammers in this case) earn money. It’s a win-win for both scammers and app developers.
  • The role of Youtubers – A lot of these scams are spreading via download links mentioned in YouTube video descriptions. App developers or companies offer Youtubers monetary benefits to promote their apps. A popular Youtuber can easily reach their audience with videos as YouTube is easily accessible these days
  • V-Bucks scams – These apps usually demand the victims to rate the apps as one of the steps in earning V-Bucks. As a result these apps have been rated highly by a large number of users:

However as time passes and the realization of the scam sets in, many users have given it a negative rating:

  • DroidJack is one example where the app is completely malicious by nature without showing any pretense. We can expect more malicious apps that use the Fortnite logo, name and images

Who are the likely targets?

  • In the case of the current Fortnite scams, the prime targets are Android gamers, as Fortnite is available on other platforms, leaving Android gamers waiting for the official app. The long wait causes some people to take desperate measures and search for alternate ways to install Fortnite
  • Some of the scams require the victims to perform a certain task – that may be installing other apps or running a particular app for a specified time – in exchange for virtual currency. This needs sufficient time and the motivation to earn virtual currency, and younger gamers fit this description in most cases. Mobile phones are very accessible these days; younger users may not have the money to buy virtual currency themselves and may not be too eager to research these apps, so the need for instant gratification takes over and they fall victim to such scams

Scammers and malware writers will continue to use popular and trending topics as cover to hide their apps. It is best to stay informed and practice safe browsing habits to stay away from such scams. We urge our users to install official apps only from the Google Play store and to be informed about which apps are available for which platforms.

Sonicwall Capture Labs provides protection against this threat with the following signatures:

  • AndroidOS.Fortnite.AN
  • AndroidOS.DroidJack.MA_2

Appendix

The following are a few websites which host fake Fortnite APKs. These are commonly present in the descriptions of YouTube videos:

  • Domain – hxxps://fortnitemobile.club/
  • App link – hxxps://fortnitemobile.club/img/Fortnite%20Android.apk
  • Domain – hxxp://fortniteapk.fun
  • App link – hxxps://fortniteapk.fun/Fortnite.v4.0.Patch.Android.apk

The following are a few Fortnite apps containing the “get verified” scam:

  • 1f85475a71a1f0c08719fa76ac022307
  • 7a49c43612e09c7603b83ae5deedf618

The following are a few Fortnite apps with DroidJack component:

  • 62accd897ce6408ad8fb14eda9d21d0b
  • c11552a4b5d4caa8eef6662393b8938a

The following are a few Fortnite apps with “V-Bucks” scam:

  • 93f21cb14377e384b81beac6697fe380
  • 84a7042d86680e6c66cfd7472636eb86

The following are a few Fortnite guide/maps apps:

  • 91375ac120845b1ecb0f729fed1523dc
  • ca60539ef3c629036708b7aa5c05b486

Few interesting observations:

  • There are a large number of apps with the package name com.anizz14; a number of these apps are set up to masquerade as other popular apps:

  • The DroidJack component has been added to a number of apps that masquerade as other popular apps; we have already covered an instance where this component was added to an app meant to look like Super Mario for Android:

CVE-2018-1111 Network Manager command injection vulnerability

SonicWall Threat Research Lab is seeing attempts to exploit the CVE-2018-1111 vulnerability, an OS command injection flaw in the Red Hat NetworkManager integration script included in its DHCP package. The flaw stems from improper validation of DHCP responses by NetworkManager. NetworkManager as shipped by default with Red Hat Enterprise Linux 6 and 7, and Fedora 28 and earlier, is vulnerable. A remote attacker could exploit this vulnerability by sending a malicious DHCP response to a vulnerable target.

The Dynamic Host Configuration Protocol (DHCP) is a network management protocol in which a client issues DHCP requests to obtain network configuration such as its IP address, gateway, DNS servers and more. DHCP uses two UDP port numbers (67 and 68): port 67 is the destination port of the server and port 68 is used by the client. A single DHCP transaction consists of several DHCP messages exchanged between the DHCP client and the DHCP server.

When NetworkManager receives a DHCP response containing option records, the DHCP client package that Red Hat provides for the NetworkManager component reads the option data of each record through a shell script and evaluates it to set the corresponding environment variables. Because the option data is not properly sanitized, an option value that carries shell syntax results in arbitrary command execution. Hence an attacker running a malicious DHCP server, or spoofing DHCP responses to vulnerable DHCP clients, can execute arbitrary shell commands with root privileges.
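The weak point described above is that option values are trusted as shell text, so one defensive check is to parse the DHCP options field and flag any value that contains shell metacharacters before it reaches such a script. The following is an added example, not code from SonicWall or Red Hat; the packet bytes are constructed inline and the option codes used (12 hostname, 15 domain name, 53 message type, 252 WPAD) are standard DHCP options.

```python
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of DHCP options in a BOOTP message

# Characters that a hostname, domain or WPAD URL should never contain; their presence
# indicates a value crafted to break out of a shell-evaluated assignment.
SHELL_META = set("'\"`$;&|<>()\n")


def parse_dhcp_options(payload: bytes) -> dict:
    """Parse the options field of a DHCP message (the bytes after the 236-byte
    fixed BOOTP header). Returns {option_code: raw_value}; PAD (0) is skipped
    and END (255) terminates parsing. Truncated options raise ValueError."""
    if payload[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    i, opts = 4, {}
    while i < len(payload):
        code = payload[i]
        if code == 255:          # END
            break
        if code == 0:            # PAD, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def suspicious_options(opts: dict) -> list:
    """Return (code, text) pairs whose value contains shell metacharacters."""
    hits = []
    for code, raw in opts.items():
        text = raw.decode("latin-1")  # never fails; keeps every byte visible
        if any(ch in SHELL_META for ch in text):
            hits.append((code, text))
    return hits


def build_options(items) -> bytes:
    """Encode (code, value) pairs as a DHCP options field; used to construct samples."""
    out = bytearray(MAGIC_COOKIE)
    for code, value in items:
        out += bytes([code, len(value)]) + value
    out.append(255)
    return bytes(out)


# Constructed samples: a normal DHCPOFFER and one carrying a quote-breaking WPAD value.
BENIGN_OFFER = build_options([(53, b"\x02"), (12, b"lab-host"), (15, b"corp.example")])
CRAFTED_OFFER = build_options([(53, b"\x02"), (12, b"lab-host"), (252, b"x'; echo injected #")])
```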

Trend Graph:

The trend line below shows how this vulnerability is being exploited today.

SonicWALL Threat Research Lab provides protection against this exploit via the following signatures:

IPS 13354: Suspicious DHCP Traffic 6
IPS 13355: UDP Application Shellcode Exploit 5

Cyber Security News & Trends – 07-06-18

Each week, SonicWall collects the cyber security industry’s most compelling, trending and important interviews, media and news stories — just for you.


SonicWall Spotlight

Breaking down SonicWall’s 12 new features for mid-tier enterprises — TechRepublic

  • Following the release of SonicWall’s latest product news, TechRepublic provides an overview of the features released. This article concludes that the new mid-tier offerings make SonicWall an option for companies of any sector and size.

Review: SonicWall TZ400 Provides Local Governments with Deep, Frontline Protection – StateTech

  • SonicWall’s firewall appliance is a strong choice for state and local governments watching the bottom line.

Cyber Security News

Sophos shares tank as revenues slow – UK Investor Magazine

  • Shares in cyber security group Sophos fall by a fifth as growth slows. The company’s shares fell by more than 20% as it said billings growth – an indicator of future revenues – in the three months to the end of June had slowed to just 6pc, or 2pc when adjusted for foreign currency changes.

New Virus Decides If Your Computer Good for Mining or Ransomware — The Hacker News

  • Researchers at Kaspersky Labs have discovered a new variant of Rakhni ransomware family, which has now been upgraded to include cryptocurrency mining capability as well.

Macro-based malware campaign replaces desktop and Quick Launch shortcuts to install backdoor — SC Magazine

  • Researchers have uncovered an unusual malicious macro-based malware campaign that effectively modifies infected users’ shortcut files so that they secretly download a backdoor program.

Trump nominates former Energy official to lead Homeland Security tech research arm — The Hill

  • President Trump announces that he is tapping William Bryan, an Army veteran and former Department of Energy official, to lead the Department of Homeland Security’s technology research and development arm.

Adidas Reports Data Breach — The Wall Street Journal

  • Adidas warned late on Thursday that hackers may have lifted customer data from its US website.

In Case You Missed It

SonicWall Wins 7 New Awards, Bringing 2018 Total to Over 30

SonicWall is proud to announce it has garnered seven awards, including three from the Network Products Guide IT World Awards, two from the Globee Awards, and one each from the PR World Awards and the CEO World Awards.

With these seven new accolades, SonicWall has earned more than 30 awards so far in 2018.

First from the Network Products Guide IT World Awards is a gold award in the ‘Firewalls’ category for the SonicWall NSa 2650 firewall. The SonicWall NSa 2650 is a next-generation firewall that delivers high-speed threat prevention over thousands of encrypted and unencrypted connections to mid-sized organizations and distributed enterprises.


SonicWall also won silver in the ‘Managed Security Services’ category for the SonicWall Global Cloud Management System, or Cloud GMS. Cloud GMS is a web-based management and reporting application that provides centralized management and high-performance reporting for the SonicWall family of firewalls.


Rounding out the three from Network Products Guide, SonicWall earned silver in the ‘Email, Security and Management’ category for SonicWall Email Security 9.1. SonicWall Email Security is a multi-layer solution dedicated to combating emerging threats. It protects organizations from outside attacks with effective virus, zombie, phishing and spam blockers, leveraging multiple threat-detection techniques.


In addition to the awards from Network Products Guide, SonicWall also garnered a silver award in the ‘PR Achievement of the Year’ category from the PR World Awards for the launch of the 2018 SonicWall Cyber Threat Report. The annual report is the go-to source for cyber threat intelligence, industry analysis and cyber security guidance for the global cyber arms race.

The launch of the 2018 SonicWall Cyber Threat Report also took home gold in the ‘Public Relations Achievement of the Year’ from the Globee Awards. The team also earned a silver in the Globee Awards in the ‘Product Management/Development Team of the Year’ for the team led by SonicWall COO Atul Dhablania.

Finally, SonicWall CEO Bill Conner won silver in the ‘CEO Excellence of the Year’ award for organizations with 500-2,499 employees.