Cyber Security News & Trends – 08-31-18

/0 Comments/in /by

Each week, SonicWall collects the cyber security industry’s most compelling, trending and important interviews, media and news stories — just for you.

SonicWall Spotlight

Air Canada Presses Reset After App Security Snafu – Infosecurity Magazine

  • SonicWall CEO Bill Conner talks to Infosecurity Magazine about the wider implications of the Air Canada app data breach.

T-Mobile, Sprint both hit by Security Breaches ahead of Merger – MSSP Alert

  • In an article detailing the recent T-Mobile and Sprint security breaches ahead of the announced mega-merger, SonicWall’s Bill Conner is featured as a security expert providing perspective on the significance of these security breaches for companies.

Fortnite app for Android let hackers hijack players’ phones, Google warn – The Independent (UK)

  • SonicWall’s VP of Product Management Lawrence Pingree is featured providing commentary to the recent Fortnite vulnerability and the risk organizations face as Fortnite continues to grow.

Cyber Security News

The Untold Story of NotPetya, the Most Devastating Cyberattack in History – Wired

  • In 2017 there was a massive cyberattack that caused billions of dollars of damage worldwide, including almost completely wiping out the systems of a one of the biggest international shipping firms. This is the full story of NotPetya.

Artificial Intelligence Is Now a Pentagon Priority. Will Silicon Valley Help – New York Times

  • The Pentagon and Silicon Valley eye each other up and try and find a common ethical middle ground so they can work together.

ThreatList: Ransomware Attacks Down, Fileless Malware Up in 2018 – Threat Post

  • Cybercrime changes but never goes away.

Give yourselves a pat on the back, top million websites, half of you now use HTTPS – The Register

  • 51.8 percent of the top million websites ranked by Alexa are now using HTTPS, with a little help from Google Chrome and a shaming website.

How Mindfulness Can Help Prevent Hacks, and Four More Cybersecurity Tips – University of Virginia Today

  • This blog might be what you need if all this cybercrime news is getting you down.

In Case You Missed It

A long running Android spyware which targets social apps is still active

/in /by

There are a number of commercial spyware products for Android devices which advertise themselves as “monitoring” apps for children or spouse. Such products have always been in the grey area as they perform questionable activities but at least they are advertise themselves for being what they really are, there is no pretense about their purpose.

The problem arises when a malware starts using similar features and infect a victim’s device tearing it open for an attacker to spy and siphon sensitive data from it. SonicWall Capture Labs Threat Research team observed malware apps with powerful spying capabilities actively spreading in the wild.

INSTALLATION AND INITIAL OBSERVATIONS
The malware uses the old logo of Google Play, this is the first sign that something might be amiss. Further the malware gives a prompt with an input box for email field,  this should be a clear warning sign for a user that something is wrong with this app as the official Google Play app does not show such a prompt:

Upon execution the malware does something that was very unexpected. It runs a series of tests, we have not encountered something like this in recent times:

The email entered by the user is used as an identifier for the infected device and is reported to the attacker:


MAKE ME A SYSTEM APP
The malware then tries to make itself a system application by transferring the apk onto /system/app folder. The benefit of being a system app is that a user cannot remove a system application. This is a good defense mechanism for a malware that allows it to stay on the device even if the victim understands and tries to remove it by conventional means:


INITIATING SPY MODE
During our analysis, the malware started its spy operation by attempting to steal sensitive information from the infected device. We have listed some of the functions based on different categories:

Device related data:

The malware has a component – named MessageSenderTask#work – that steals device related information and sends it to the attacker:

Browser History:

This component – named BrowserHistoryReader#sendBrowserHistory – steals and sends browser history. The collected data is first saved locally in a csv file which is sent at a later stage:

Databases of well known apps:

The malware looks for databases of well known apps, we have listed some of them based on their categories –

Chat/messenger apps – Blackberry BBM, WhatsApp, Line messenger, Skype, Viber

Email clients – Gmail, Hotmail, Outlook

Social media – Twitter, Facebook


WEAK SECURITY
A good coding practice with respect to security that should be followed by a developer – whenever sensitive information is being saved on a device, it should be well protected as someone might misuse this locally saved data. This guideline should be followed by any app developer, fortunately for us the malware author did not follow this.

As stated earlier, the malware registers the infected device with the server using the email we entered. The malware also generates a password for the device and saves it locally. This data can be used to access the dashboard for each infected device, we were able to login using data pertaining to our registered device:

All the spy related functions are present on the left side in the panel, results are shown on the right side:

Panel showing installed apps on our infected device:

It is also important to check if sensitive information is given out by an error message on our web application. When we entered wrong credentials an error message gave out an email address, this can potentially be the admin email address which is used to overlook all the infected devices via the panel:

 

DIGGING FURTHER
The malware we analyzed was communicating with pages on the domain movi333.com. We tried to find more information about this domain and during our search we stumbled across few resources being hosted on this domain:

Premium.pdf

This is essentially an advertisement this spyware, it highlights the different features and how to use each feature after a device is infected:

Steps on how to access the panel and description about all the spy functionalities:

They advice on installing all the apps whose databases are targeted by the spyware, these apps are even hosted on their website if a user wishes to circumvent Google Play:

root.pdf

This document talks about rooting Android devices and points to few tools which can achieve root on a device:

 

Mail system of the domain:

One of the links on this domain led us to its mail system:

This is setup most likely for the users/customers for this spyware.

 

Advertisements, a good and easy to use UI for monitoring the infected devices and a mail system are all indications that this is a well setup operation. Some of the malicious apk’s associated with this campaign are a little old (from 2014) but we found a number of apk’s that are as new as July 2018, coupled with the fact that the domain is still operational indicate that this spyware is most likely still in business.

The best way to stay protected against such spyware is to be vigilant about the apps installed on our devices.

 

SonicWall Capture Labs provides protection against this threat via the following signatures:

GAV: Tarambuka.SPY (Trojan)
GAV: Tarambuka.SPY_2 (Trojan)

 

APPENDIX

MD5 for the indicators of compromise (IOC):

  • 5e24febce239b795d8b65aec28c65616
  • 5607d106f33cd70de1cea968fcf642b4
  • 062afaa5ad37aa3b1da8b85939c05a66
  • 6203348069f7bbb23bdf98596bdd1edf
  • 1aa69ffb952a4a9044332dda432c9d06

The malware creates the following database table on the device – sms_logs –  and saves the following data

  • sms sender
  • sms recipient
  • sms body
  • sms type
  • time when the sms was sent/recieved

We observed the following hardcoded commands in the malware we analyzed:

  • PULLREQUEST_skypelog
  • PULLREQUEST_twitterlog
  • PULLREQUEST_vibermsg
  • PULLREQUEST_whatsapplog
  • PULLREQUEST_gmaillog
  • PULLREQUEST_hotmaillog
  • PULLREQUEST_linemessenger
  • PULLREQUEST_fblog
  • PULLREQUEST_fbmessenger
  • PULLREQUEST_bbmessenger
  • ACAPON/ACAPOFF
  • ACAPDAILYON/ACAPDAILYOFF
  • GPSNOW
  • APPSETTINGS

 

 

Cryptocurrency stealing malware hijacks the windows clipboard

/in /by

Over a billion worth of cryptocurrencies have been reportedly stolen this year so far and we continue to see reports of crypto theft daily. Every time a huge cyberheist is reported cryptocurrency prices slump but they remain attractive to cybercriminals looking to capitalize on its growth potential.

This week, the SonicWall Capture Labs Threat Research Team has come across a crypto-stealing malware which monitors the victim’s clipboard to watch out for cryptocurrency wallet addresses. Once detected, they will change the clipboard data with their own address. Unless the user is vigilant and carefully examines the address after they paste it, the transaction that happens after, will go to the cybercriminal’s address instead of the intended recipient.

Infection Cycle:

This malware purports to be an important document and uses the following filenames:

  • DOC_[*random numbers*].pdf
  • SCN_[*random numbers*].pdf
  • PDF_[*random numbers*].pdf

For more savvy users, looking at the file properties reveal that it pretends to be a text to speech application with an internal name of texttowav.exe.

It copies itself as drpbx.exe in the %APPDATA% directory. It also adds the following registry key to ensure persistence:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run drpbx %APPDATA%\drpbx\drpbx.exe

This malware was developed with Microsoft .NET framework and its assembly description shows it pretending to be a legitimate firefox file but misspelled “Mozzilla.”

To mislead the victim even more, upon execution it throws off a fake error.

During analysis, we noticed that this sample is packed using ConfuserEX and the main module is named “Bitcoinstealer” which establishes the real purpose of this malware.

Within its resource section is a subsection named “VanityAddresses.” This listed 10,000 different digital currency wallet addresses.

This malware’s method of stealing cryptocurrency is to monitor the clipboard data and match the contents using regex to identify whether a cryptocurrency wallet address has been copied, it then swaps that data with one from the 10,000 hardcoded addresses.

To demonstrate this functionality, we took some known WannaCry bitcoin addresses and tried to copy it over to notepad and found that a slightly different address was copied over as seen in the video below.

Clipboard hijacking demo

Sonicwall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Kazy.B_203  (Trojan)

Cyber Security News & Trends – 08-24-18

/0 Comments/in /by

Each week, SonicWall collects the cyber security industry’s most compelling, trending and important interviews, media and news stories — just for you.

SonicWall Spotlight

SonicWall Email Security Wins Coveted 2018 CRN Annual Report Card (ARC) Award  — Ganesh Umapathy

  • SonicWall Email Security solution has been named the overall winner at the CRN Annual Report Card, this is the third award it’s won this year so far.

Industry Reactions to Foreshadow Flaws: Feedback Friday — SecurityWeek

  • SonicWall’s Bill Conner was featured amongst industry professionals for his insight on the Foreshadow flaw.

Cyber Security News

US airports’ new facial recognition tech spots first imposter — Engadget

  • Facial Recognition has only been used for 3 days in Dulles airport and has already caught an imposter.

After the Bitcoin Boom: Hard Lessons for Cryptocurrency Investors — New York Times

  • The current digital currency bust could be a sign that the always volatile virtual currency market is on a permanently downward trend.

Super-mugs: Hackers claim to have snatched 20k customer records from Brit biz Superdrug — The Register

  • British Cosmetics firm Superdrug argue with hackers over whether or not they were hacked and whether or not the hack affected 20,000 or 386 customers.

Hackers steal more than $1M from global economy in a single minute: analysis — The Hill

  • A new report has worked out that $1 million is stolen every minute through cybercrime and is pushing to make “Evil Internet Minute” happen.

In Case You Missed It

Exploit in the wild for Apache HTTP vulnerability

/in /by

The Apache HTTP Server, also called Apache or httpd is a free and open-source HTTP server. Apache is the most popular web server on the Internet for over two decades. Apache’s core functionality is to process HTTP request/response and dispatch data to threads and processes using it’s Multi Processing Module (MPM). A wide range of modules (mods) available to extend the core functionality.

Apache module mod_md is used to manage domains across virtual hosts, automate SSL certificate provisioning using the ACME protocol.

A null pointer dereference vulnerbility has been reported in the mod_md module of Apache (CVE-2018-8011). This is due to insufficient validation of input requests. A remote unauthenticated attacker could exploit this vulnerability by sending a crafted HTTP request to a vulnerable Apache. Successful exploitation of this vulnerability can lead to denial of service.

CVE-2018-8011 : 

Apache httpd can be configured to load the module mod_md. if Apache running with mod_md, module functions md_http_challenge() or md_require_https_maybe() get called subsequently. These functions deference the pointer to PATH string without checking for NULL. This leads to segmentation fault or access violation.

Standard URI: <scheme>://<host>:<port>/<path1>/<path2>?<quername>=<queryvalue>#<fragment>

If Request-URI is sent with no path component in the HTTP request as follows:

GET <scheme>:// HTTP/1.1
Host: <host>

md_http_challenge() gets called with r->parsed_uri.path as NULL. String comparison dereferences the NULL pointer leading to access violation.


Fig:1 code snippet from mod_md.c

A remote attacker with no authentication can send a crafted HTTP request to a vulnerable Apache servers leading to Denial of Service (DOS).

Trend Graph:

SonicWall has observed attackers actively leveraging this vector as you can see below the total no of unique hosts hit by this on just a day.

Patch:
Apache Software Foundation httpd 2.4.30 to 2.4.33 are affected by this vulnerbaility.
This is patched in httpd 2.4.34

Shodan search engine tells us that >1% of Apache servers on the internet (~300,000) are vulnerable to this, if they are configured to use the module mod_md.

SonicWall strongly recommends customers using Apache to update to the latest version.
If you continue to use the affected version, configure firewall access rules to block unauthenticated access.

Sonicwall Threat Research Lab provides protection against this exploit with the following signature:

  • IPS: Suspicious Request URI 26
  • IPS: Suspicious Request URI 27
  • WAF: Protected. No new signature required.

Advancing Beyond Hygiene to Next-Gen Email Protection Services

/0 Comments/in /by

This story originally appeared on MSSP Alert and was republished with permission.

Most of us have a love-hate relationship with email. It’s been around for what seems like forever and while new channels of communication like Slack are making inroads, email is still the primary means of communicating in most organizations.

Since it is so ubiquitous, we know it will be a primary target of malicious attackers. Because of the attack surface area, attackers have been targeting email as a point of entry into organizations for over a decade. Most companies have responded with some form of email security solution. However, there seems to be a disconnect in outcomes versus goals in the industry.

For instance, 90 percent of current attacks against organizations use spear phishing as the primary means of breaching those organizations, yet most people would say they have email security in place.

Preventing Spam is Only the First Step

The major problem we are having as a security industry is that most people believe they have “security” for their email systems, but what they really have is hygiene. Email hygiene can be defined as “the process of keeping the inbox clean by keeping spam and unwanted advertisements away.”

It’s easy to think that hygiene is security because when email was new, spam was the major source of annoyance and security breaches — we’ve all dealt with Nigerian prince scams.

According to a recent FBI Public Service Announcement, business email compromise is a $12 billion problem today. Anti-malware and anti-spam are hygiene tools provided for free by cloud service providers, such as O365 and G Suite, as part of their mailbox functionality, but these tools do not stop evolving, sophisticated attacks.

Unfortunately, security industry nomenclature to customers hasn’t changed. The consequence has been continual breaches in organizations that believe they have security in place, but the reality is the hygiene solutions they have in place aren’t up to the task of stopping advanced email penetration techniques.

We need to move our language more toward discussing hygiene solutions and advanced email security solutions. What customers need isn’t email security (aka hygiene) but next-generation email security focused on identifying advanced threats. A next-gen email security solution should include:

  • Targeted phishing and email fraud protection
  • Unknown threat detection capabilities beyond just a “sandbox”
  • Compatibility beyond on-premises email server to O365, Gmail, etc.
  • Outbound protection to minimize potential data leakage
  • Hygiene capabilities as needed

Next-Gen Email Security Opportunity

While education is required, customers are starting to realize the need to supplement the native security functionalities with dedicated advanced threat protection (ATP) capabilities.

Gartner says over 50 percent of customers will look for dedicated security tools. MSSPs should look to provide a next-gen email security solution to their customers. This not only solves a real customer problem, but can also:

  • Increase your monthly recurring revenue with a next-gen email security solution as an additional value-added service for your customer
  • Lower analyst workload by blocking threats proactively
  • Enable better translation to real business impact – email addresses are associated with real people in the business rather than just an IP address
  • Reduce risk of liability – if customers are better protected, the chance of a significant breach is lower
  • Ride on the Microsoft Office 365 wave

The transition to Microsoft Office 365 (O365) is interesting as it both presents an opportunity and creates additional fear, uncertainty and doubt in the market. Businesses realize the benefits of moving their IT to the cloud (lower total cost of ownership, easier management, etc.) and email Exchange server was one of the first to move to the cloud.

However, O365 customers are often unsure of the level of security they get. An SMB customer typically evaluates the two Exchange Online Protect plans (EOP 1 and EOP 2). Let’s see what the customer is paying for:

  • In EOP 1, for $4/user/month, customers get the mailbox functionality and known malware protection included with anti-spam and anti-virus. Customer must upgrade to EOP 2 plan at $8/user/month for the addition of DLP functionality.
  • What’s not included is the ATP sandbox. If a customer wants that protection against today’s advanced threats, he needs to pay an additional $2/user/month for the add-on service.

Powering Your Advanced Email Protection Service with SonicWall

This opportunity is ripe, so it’s important that you not only find an effective technology, but a partner that will help you enable your service quickly. To protect against today’s advanced threats, SonicWall’s award-winning solution provides a multi-layered defense mechanism:

  • A multi-engine sandbox to catch the most evasive of malware. Our sandbox supports and scans extensive file attachment types and can scan over 70 percent of the files in under five seconds.
  • To stop spoofing attacks, business email compromise and email fraud, powerful email authentication, including SPF, DKIM and DMARC, is automatically included.
  • In-house anti-phishing, anti-spam and multiple anti-virus technologies protect against known threats.
  • Real-time threat intelligence feeds powered by Capture Labs that include signatures of newly found threats and IP based reputation for URL filtering.

Purpose-Built for MSSPs

The SonicWall secure email platform is built with MSSPs in mind to not only reduce the cost of management, but to ensure your brand is at the forefront:

  • Multi-tenant platform with flexible deployment options – hardware, software, virtual and cloud
  • Customizable branded experience
  • Integration with restful APIs and syslog alerting
  • Built-in O365 integration

The SonicWall SecureFirst MSSP program will help you implement the email security solution quickly, reduce time to market and take advantage of this great market opportunity. Some of what the MSSP program includes:

  • Service description templates
  • MSS pricing option
  • MSS specific setup and operation guides

MSSPs have a major opportunity here to educate their market on the differences between hygiene and security. And SonicWall’s MSSPs are doing exactly that.

A case in point: According to Erich Berger of Secure Designs Inc., a SonicWall SecureFirst MSSP Partner: “Within an hour of being installed it saved one particular customer from an Emotet infostealer malware variant.”

New NIST Cybersecurity Policy Provides Guidance, Opportunities for SMBs

/0 Comments/in , /by

Small- and medium-sized business (SMB) are often one of the segments most targeted by cybercriminals. Now, SMBs are backed by legislation signed by U.S. President Trump and unanimously supported by Congress.

On Aug. 14, President Trump signed into law the new NIST Small Business Cybersecurity Act. The new policy “requires the Commerce Department’s National Institute of Standards and Technology (NIST) to develop and disseminate resources for small businesses to help reduce their cybersecurity risks.”

The legislation was proposed by U.S. Senators Brian Schatz (D-Hawai‘i) and James Risch (R-Idaho). This new policy is a follow-on effort to the Cybersecurity Enhancement Act of 2014, which was the catalyst for the NIST Cybersecurity Framework.

“As businesses rely more and more on the internet to run efficiently and reach more customers, they will continue to be vulnerable to cyberattacks. But while big businesses have the resources to protect themselves, small businesses do not, and that’s exactly what makes them an easy target for hackers,” said Senator Schatz, lead Democrat on the Commerce Subcommittee on Communications, Technology, Innovation, and the Internet, in an official statement. “With this bill set to become law, small businesses will now have the tools to firm up their cybersecurity infrastructure and fight online attacks.”

Per the NIST Small Business Cybersecurity Act (S. 770), within the next year the acting director of NIST, collaborating with the leaders of appropriate federal agencies, must provide cybersecurity “guidelines, tools, best practices, standards, and methodologies” to SMBs that are:

  • Technology-neutral
  • Based on international standards to the extent possible
  • Able to vary with the nature and size of the implementing small business and the sensitivity of the data collected or stored on the information systems
  • Consistent with the national cybersecurity awareness and education program under the Cybersecurity Enhancement Act of 2014
  • Deployed in practical applications and proven via real-world use cases

The law follows the structure presented by U.S. Rep. Dan Webster (R-Florida) and passed by the House of Representatives. He originally presented the bill to the U.S. House Science, Space, and Technology Committee in March 2017.

SonicWall President and CEO Bill Conner also was instrumental in helping form the groundwork for U.S. cybersecurity laws. In 2009, Conner worked with U.S. Senator Jay Rockefeller (D-West Virginia) and other security-conscious leaders on the Cybersecurity Act of 2010 (S.773). And while the proposal was not enacted by Congress in March 2010, it served as a critical framework to today’s modern policies. Rockefeller was eventually the sponsor of the aforementioned Cybersecurity Enhancement Act of 2014 (S.1353), which became law in December 2014.

SMBs Highly Targeted by Cybercriminals, Threat Actors

According to a recent SMB study by ESG, 46 percent of SMB decision-makers said security incidents resulted in lost productivity in their small- or medium-sized business. Some 37 percent were affected by disruption of a business process or processes.

“Criminals target SMBs to extort money or steal valuable data, while nation states use small businesses as a beachhead for attacking connected partners,” wrote ESG senior principal analyst Jon Oltsik for CSO.

In fact, in July 2018 alone, the average SonicWall customer faced escalated volumes of ransomware attacks, encrypted threats and new malware variants.

  • 2,164 malware attacks (28 percent increase from July 2017)
  • 81 ransomware attacks (43 percent increase)
  • 143 encrypted threats
  • 13 phishing attacks each day
  • 1,413 new malware variants discovered by Capture Advanced Threat Protection (ATP) service with RTDMI each day

“Criminals target SMBs to extort money or steal valuable data, while nation states use small businesses as a beachhead for attacking connected partners,” wrote ESG senior principal analyst Jon Oltsik for CSO.

Leverage NIST Policy, Frameworks

While SMBs await guidance from the new NIST Small Business Cybersecurity Act, they can leverage best practices from the NIST Cybersecurity Framework, which helps organizations of all sizes leverage best practices to better safeguard their networks, data and applications from cyberattacks.

At a high level, the framework is broken down into three components — Implementation Tiers, Framework Core and Profiles — that each include additional subcategories and objectives. Use these key NIST resources to familiarize your organization to the framework:

Applying Cybersecurity Designed for SMBs

The NIST framework provides a solid foundation to improve an SMB’s security posture. But the technology behind it is critically important to achieving a safe outcome. SonicWall, for instance, is the No. 2 cybersecurity vendor in the SMB space, according to Gartner’s Market Share: Unified Threat Management (SMB Multifunction Firewalls), Worldwide, 2017 report.

With more than 26 years of defending SMBs from cyberattacks, SonicWall has polished and refined cost-effective, end-to-end cybersecurity solutions. These solutions are tailored specifically for small- and medium-sized businesses and can be further customized to meet the needs of specific security or business objectives. A sound, end-to-end SMB cybersecurity should include:

For example, the SonicWall TZ series of NGFWs is the perfect balance of performance, value and security efficacy for SMBs, and delivers access to the SonicWall Capture ATP sandbox services and Real-Time Deep Memory Inspection.TM This integrated combo protects your organization from zero-day attacks, malicious PDFs and Microsoft Office files, and even chip-based Spectre, Foreshadow and Meltdown exploits.

For organizations that want to take it a step further, the SonicWall NSa series of firewall appliances were given a ‘Recommended’ rating by NSS Labs in a 2018 group test. SonicWall topped offerings from Barracuda Networks, Check Point, Cisco, Forcepoint, Palo Alto Networks, Sophos and WatchGuard in both security efficacy and total cost of ownership.

Contact SonicWall to build or enhance your cybersecurity posture for true end-to-end protection from today’s most malicious cyberattacks, online threats and even the latest Foreshadow exploits.

SonicWall solutions are available to SMBs through our vast channel of local security solution providers, many of which are SMBs themselves. In fact, many SonicWall SecureFirst Partners even provide security-as-a-service (SECaaS) offerings to ensure it’s easy and cost-effective for SMBs to protect their business from advanced cyberattacks.

 

Upgrade Your Firewall for Free

Are you a SonicWall customer who needs to stop the latest attacks? Take advantage of our ‘3 & Free’ program to get the latest in SonicWall next-generation firewall technology — for free. To upgrade, contact your dedicated SecureFirst Partner or begin your upgrade process via the button below.

BEGIN UPGRADE

Report: Business Email Compromise (BEC) Now A $12.5 Billion Scam

/0 Comments/in /by

Email continues to be the top vector used by cybercriminals, and business email compromise (BEC) is gaining traction as one of the preferred types of email attacks.

BEC attacks do not contain any malware and can easily bypass traditional email security solutions. For cybercriminals, there is no need to invest in highly sophisticated and evasive malware. Instead, they engage in extensive social engineering activities to gain information on their potential targets and craft personalized messages.

What makes these attacks dangerous is that the email usernames and passwords of corporate executives are easily available to cybercriminals on the dark web, presumably due to data breaches of third-party websites or applications.

“Through 2023, business compromise attacks will be persistent and evasive, leading to large financial fraud losses for enterprises and data breaches for healthcare and government organizations,” says Gartner in their recent report, Fighting Phishing – 2020 Foresight 2020.

What is Business Email Compromise?

BEC attacks spoof trusted domains, imitate brands and/or mimic corporate identities. In many cases, the emails appear from a legitimate or trusted sender, or from the company CEO typically asking for wire transfers.

According to the FBI, BEC is defined as a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. This is a very real and growing issue. The FBI has put up a public service announcement saying that BEC is a $12.5 billion scam.

Types of BEC or Email Fraud

Email has been around since the 1960s and the current internet standard for email communication —  Simple Mail Transfer Protocol (SMTP) — was not designed to authenticate senders and verify the integrity of received messages. Therefore, it’s easy to fake or “spoof” the source of an email. This weak sender identification will continue to present opportunities for creative attacks.

For example, here is a screenshot of a recent spoofing email that I encountered. The messaging seemingly originated from my colleague. The displayed sender’s name invokes an immediate recognition for the recipient. But a closer examination of the sender’s domain reveals the suspicious nature of the email.

Now, let’s look at the different types of spoofing techniques a threat actor might use to initiate an attack:

Display Name Spoofing
This is the most common form of BEC attack. In this case, a cybercriminal tries to impersonate a legitimate employee, typically an executive, in order to trick the recipient into taking an action. The domain used could be from a free email service such as Gmail.

Domain Name Spoofing
This includes either spoofing the sender’s “Mail From” to match that of the recipient’s domain in the message envelope, or using a legitimate domain in the “Mail From” value but using a fraudulent “Reply-To” domain in the message header.

Cousin Domain or Lookalike Domain Spoofing
This type of attack relies on creating visual confusion for the recipient. This typically involves using sister domains such as “.ORG” or “.NET” instead of “.COM,” or swapping out characters, such as the numeral “0” for the letter “O,” an uppercase “I” for a lowercase “L.” This is also sometimes referred to as typosquatting.

Compromised Email Account or Account Take Over (ATO)
This is carried out by compromising legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds or data theft.

Best Practices for Stopping BEC Attacks

Concerned your organization could fall prey to business email compromise? Here are some email security best practices that you can implement to protect against sophisticated BEC attacks.

  1. Block fraudulent emails by deploying Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM) and Domain-Based Message Authentication, Reporting and Conformance (DMARC) capabilities.
  2. Enable multi-factor authentication and require regular password changes to stop attacks from compromised accounts.
  3. Establish approval processes for wire transfers.
  4. Deliver periodic user-awareness training for a people-centric approach to combat email attacks.

How to Stop Email Spoofing

Whether it’s CEO fraud, forged emails, business email compromise (BEC), impostor emails or impersonation attacks, all email spoofing attacks present a dangerous risk to organizations. Review the solution brief to gain four key best practices to help mitigate the email spoofing attacks that impact your business.

GET THE BRIEF

SonicWall Email Security Wins Coveted 2018 CRN Annual Report Card (ARC) Award

/0 Comments/in /by

Once again, SonicWall Email Security has been recognized at the top of its class for protecting the No. 1 threat vector: email. The solution was named the overall winner by sweeping the 2018 CRN Annual Report Card (ARC) email security category.

The solution has won three prestigious security awards to date in 2018. This is a testament toward the innovation and effort the SonicWall team has invested the last 18 months in key focus areas: advanced threat protection, administrative ease, product support and channel enablement.

“An ARC award is one of the industry’s most prestigious honors. It symbolizes a vendor’s dedication to delivering high quality and innovative product and program offerings to their channel partners,” said Bob Skelley, CEO, The Channel Company. “CRN’s Annual Report Card provides solution providers with the rare opportunity to offer their invaluable insight on vendors’ products and services, as well as their partner programs. As a result, the technology suppliers are equipped with actionable feedback to bolster their efforts to remain the best-of-the-best.”

The Annual Report Card summarizes results from a comprehensive survey that details solution provider satisfaction across product innovation, support and partnership for hardware, services and software vendors. The vendors with the highest ratings are named to the prestigious Annual Report Card list of winners and celebrated as best-in-class by their partners.

The results also provide the IT vendor community with valuable feedback — directly from their solution providers — that can be used to refine product offerings, enhance support and improve communication with partners.

This year’s group of honorees was selected from the results of an in-depth, invitation-only survey by The Channel Company’s research team. More than 3,000 solution providers were asked to evaluate their satisfaction with more than 65 vendor partners in 24 major product categories.

SonicWall Email Security is a multi-layer solution that protects organizations against advanced email threats such as targeted phishing attacks, ransomware and business email compromise. The key capabilities include:

  • Real-time threat intelligence feeds from over 1 million security sensors deployed globally and delivered through the SonicWall Capture Cloud Platform.
  • Dynamic scanning of suspicious email attachments and embedded URLs using the award-winning, multi-engine SonicWall Capture Advanced Threat Protection (ATP) sandbox service with Real-Time Deep Memory Inspection (RTDMITM).
  • Anti-phishing technology uses a combination of methodologies such as machine learning, heuristics, reputation and content analysis.
  • Powerful antispam and antivirus engines to protect against known malware and spam.

The solution can be deployed as hardened physical appliances, robust virtual appliances or a resilient cloud email security service. And whether an organization uses on-premises email servers or cloud services, such as Microsoft Office 365 or Google G Suite, SonicWall’s solution delivers best-in-class threat protection through seamless and simple integrations.

Given that email continues to be a top attack vector in the cyber arms race, SonicWall is committed to enhancing the solution to better protect its users from advanced email threats.

The 2018 Annual Report Card results can be viewed online at www.crn.com/arc.

Ramnit delivers XMRig Monero Miner

/in /by

The SonicWall Capture Labs Threat Research Team have come across a variant of the Ramnit trojan dropping a Monero Cryptocurrency miner onto the infected system.   As cryptocurrency prices continue to drop (at the current time of writing), malware authors are still betting on its future success as they steal CPU resources in order to generate long term profits.

Infection Cycle:

The Trojan drops the following files on the infected system:

  • explores.exe [Detected as: GAV: XMRig.XMR_3 (Trojan)]
  • cresc.log
  • can.log
  • AutoRunApp.vbs
  • <originalfilename>Srv.exe [Detected as: GAV: Ramnit.XMR (Trojan)]

explores.exe and the original Ramnit trojan executable file contain the following metadata:

   

 

AutoRunApp.vbs contains the following autorun script:

 

can.log and cresc.log both contain the following log data.  This file is populated with mining job info and stats when mining is in progress:

 

explores.exe can be seen using considerable cpu power whilst mining is in progress:

 

Mining transaction data can be seen between the miner (explores.exe) and the mining pool at mine.ppxxmr.com:

Sonicwall Capture Labs provides protection against this threat via the following signatures:

  • GAV: XMRig.XMR_3 (Trojan)
  • GAV: CoinMiner.MN_3 (Trojan)
  • GAV: CoinMiner.MON (Trojan)
  • GAV: Ramnit.Z (Trojan)
  • GAV: Ramnit.MN (Trojan)