Microsoft SharePoint server flaw CVE-2019-0604 actively being exploited in the wild

This week, the SonicWall Capture Labs Threat Research team observed a huge spike in hits targeting the Microsoft SharePoint server flaw. These HTTP requests are sent to command and control hosts that have already been infected through exploitation of CVE-2019-0604. Hits were seen in almost 100 countries, but most were observed in the United States.

CVE-2019-0604 | Microsoft SharePoint Remote Code Execution Vulnerability:

A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package. An attacker can exploit these vulnerabilities by sending malicious crafted requests to a vulnerable SharePoint server or enticing a SharePoint user to upload a specially crafted SharePoint application package to a vulnerable server. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.

Exploit:

Earlier this month, the Canadian Centre for Cyber Security and the Saudi National Cyber Security Center reported evidence of active exploitation of the Microsoft SharePoint Remote Code Execution Vulnerability (CVE-2019-0604). The threat actors exploited this vulnerability to deploy the China Chopper web shell. After establishing an initial foothold, they used the web shell to run PowerShell scripts that downloaded further malicious files, including a backdoor. They then installed an HTTP backdoor that handles any request to “hxxp://localhost:80/TEMPORARY_LISTEN_ADDRESSES/WSMAN” or to other paths such as WSMAN3 and SMSSERVICE. Through these HTTP requests the malware receives AES-encrypted commands. The malware on an infected host can execute commands and download and upload files; the result is encoded and sent back to the C&C server.


The majority of requests come from the IP address 188.166.64.99 and attempt to command and control SharePoint servers that have already been exploited. The scan is so massive that around 30,000 SonicWall firewalls have observed these malicious HTTP requests and blocked them successfully.


We have observed the following malicious HTTP requests:
  • hxxp://188.166.64.99/TEMPORARY_LISTEN_ADDRESSES/WSMAN
  • hxxp://188.166.64.99/TEMPORARY_LISTEN_ADDRESSES/WSMAN3
  • hxxp://188.166.64.99/TEMPORARY_LISTEN_ADDRESSES/SMSSERVICE
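A simple way to hunt for this activity in your own web server logs, as an added example that is not SonicWall's code: the script below flags requests to the three listener paths named above and distinguishes a probe from the known scanner address (a 404) from a request the host actually answered (a 2xx), which on a clean SharePoint server should never happen for these paths. The log layout (a simplified IIS W3C field order) and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Listener paths named in the post: a backdoored SharePoint host answers on
# these http.sys paths, and the scanner at 188.166.64.99 requests them.
BACKDOOR_PATHS = {
    "/TEMPORARY_LISTEN_ADDRESSES/WSMAN",
    "/TEMPORARY_LISTEN_ADDRESSES/WSMAN3",
    "/TEMPORARY_LISTEN_ADDRESSES/SMSSERVICE",
}
SCANNER_IP = "188.166.64.99"  # source address reported in the post

# Simplified IIS W3C layout assumed for this example:
# date time c-ip cs-method cs-uri-stem sc-status
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<uri>\S+) (?P<status>\d{3})$"
)

def classify(line):
    """Return a finding for a request to a backdoor path, or None for benign lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    # http.sys prefixes are case-insensitive, so normalise before comparing
    path = urlsplit(m.group("uri")).path.rstrip("/").upper()
    if path not in BACKDOOR_PATHS:
        return None
    status = int(m.group("status"))
    return {
        "when": m.group("date") + " " + m.group("time"),
        "source": m.group("ip"),
        "path": path,
        "known_scanner": m.group("ip") == SCANNER_IP,
        # 2xx means something on the host accepted the request on that path:
        # the listener the post describes, which a clean server does not have.
        "listener_answered": 200 <= status < 300,
    }

def scan(lines):
    """Run classify() over an iterable of log lines and return the findings."""
    return [f for f in (classify(l) for l in lines) if f]

# Constructed sample lines for demonstration; not real telemetry.
SAMPLE_LOG = """\
2019-05-30 10:12:03 188.166.64.99 POST /TEMPORARY_LISTEN_ADDRESSES/WSMAN 200
2019-05-30 10:12:04 203.0.113.7 GET /sites/hr/default.aspx 200
2019-05-30 10:13:10 198.51.100.23 POST /TEMPORARY_LISTEN_ADDRESSES/SMSSERVICE 404
2019-05-30 10:14:00 188.166.64.99 POST /temporary_listen_addresses/wsman3 404
""".splitlines()

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A 404 from the scanner only tells you the server was probed; a 2xx on any of these paths, from any source, is the signal to treat the host as compromised and move to the web shell and PowerShell artifacts described above.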

Trend Chart

The trend line below shows how this vulnerability in recent days has been actively exploited. 

Heat Map:

The heat map is based on the number of unique firewalls, by geography, hit by this attack.

Fix:

Microsoft has released a patch that fixes the vulnerability. Please find the vendor advisory regarding this vulnerability: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604

The affected software versions are:
  • Microsoft SharePoint Foundation 2010 Service Pack 2
  • Microsoft SharePoint Foundation 2013 Service Pack 1
  • Microsoft SharePoint Server 2010 Service Pack 2
  • Microsoft SharePoint Server 2013 Service Pack 1
  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft SharePoint Server 2019

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

IPS 14201 Microsoft SharePoint Remote Code Execution 4
IPS 14216 WSMAN Inbound Access
IPS 14217 SMSSERVICE Inbound Access
IPS 14218 Microsoft SharePoint Remote Code Execution 5
IPS 14219 Microsoft SharePoint Remote Code Execution 6
IPS 14231 Microsoft SharePoint ActionRedirect.aspx Access
IPS 14232 Microsoft SharePoint downloadexternaldata.aspx Access
IPS 14233 Microsoft SharePoint profileredirect.aspx Access
WAF 1711 Microsoft Sharepoint Picker.aspx Remote Code Vulnerability

Cyber Security News & Trends – 05-31-19

This week, Baltimore battles ransomware, IoT attacks are increasing, and the potential vulnerabilities in a driverless car are investigated.


SonicWall Spotlight

5 Steps to Robust Network Security – Business World (India)

  • IT security teams around the world are dealing with an ever-increasing level of complexity in the threat landscape. SonicWall’s Debasish Mukherjee argues that the best way to overcome these challenges is with a comprehensive approach to cybersecurity, and he recommends five steps to take in order to get there.

How to Mitigate the IoT Attacks That Are Increasing at 217.5% – IoT Agenda

  • Internet of Things (IoT) devices are expected to increase in number to 75.44 billion worldwide by 2025. Using the 2019 SonicWall Cyber Threat Report, IoT Agenda explains why preventative measures need to be developed sooner rather than later.

Cyber Security News

Baltimore Ransomware Attack: NSA Faces Questions – BBC

  • After a ransomware attack currently estimated to cost at least $18M, Baltimore officials are questioning why the hacking vulnerability known as EternalBlue was not disclosed when discovered by the NSA years ago. The NSA is declining to comment on the issue.

New Zealand Budget Leak: ‘Hackers’ Had Simply Searched Treasury Website – The Guardian

  • After the embargoed New Zealand budget was leaked to the opposition National Party days before it was due to be released, officials were quick to call it a hack. However, it has now been found that the documents were searchable on the New Zealand treasury website.

HawkEye Malware Campaign Upticks on Business Users – SC Magazine

  • HawkEye, a keylogger that has been around for six years, has seen a major increase in a campaign targeting business users worldwide.

Startups: Embrace Cybersecurity Priorities From Day One – Forbes

  • Forbes argues that cybersecurity in startups should not be considered an add-on or a luxury product and provides four cybersecurity priorities that a startup needs to think about from day one.

Emotet Made up 61% of Malicious Payloads in Q1 – Dark Reading

  • A new study has found that 61% of all malware payloads in the first quarter of 2019 contained the Emotet botnet.

Security Expert: Here’s How Driverless Cars Could Be Hacked – Yahoo! Finance

  • As cars modernize and driverless cars become a reality, it is fair to say that they are becoming more and more like a series of interconnected computers. Yahoo! Finance looks at where the security weak points in these computers might be found, how they could be targeted by hackers, and how the car industry is struggling to keep up with security requirements.

Nation-State Security: Private Sector Necessity – SecurityWeek

  • Attackers with the funding and technical support of nation-states are now targeting commercial entities and the obvious split between commercial and political cyberattacks is disappearing. SecurityWeek examine the current threat landscape, including the increasing number of organizations embracing “Zero Trust” security models where all environments are considered untrusted until proven otherwise. They then offer some advice on how to ensure your organization is ready for cyberattacks.

Microsoft Issues Second Warning About Patching BlueKeep as PoC Code Goes Public – ZDNet

  • Microsoft again warned users to ensure their patches are up to date to protect against the Bluekeep vulnerability – described as similar to the EternalBlue exploit – after a proof-of-concept attack appeared online. SonicWall provides protection against this threat.

In Case You Missed It

Robbinhood Ransomware left city government crippled for weeks

The City of Baltimore remains paralyzed after ransomware hit 10,000s of the city government’s computers, holding their data hostage for the past couple of weeks now. The ransomware, dubbed Robbinhood, also attacked the City of Greenville in North Carolina just a month ago. Baltimore’s information technology office has said that the city was using computers that were out of date and had no backup, calling them “a natural target for hackers and a path for more attacks in the system.”

Infection Cycle:

It is unclear how this ransomware arrives on a victim’s machine, but upon execution it spawns a number of cmd.exe instances to execute a plethora of commands, mostly to disable system services: antivirus, automatic updates, networking services, email services, backup and replication services, and removal of mapped drives, just to name a few.

cmd.exe /c sc.exe stop AVP /y
cmd.exe /c sc.exe stop MMS /y
cmd.exe /c sc.exe stop ARSM /y
cmd.exe /c sc.exe stop SNAC /y
cmd.exe /c sc.exe stop ekrn /y
cmd.exe /c net use * /DELETE /Y
cmd.exe /c sc.exe stop KAVFS /y
cmd.exe /c sc.exe stop RESvc /y
cmd.exe /c sc.exe stop SamSs /y
cmd.exe /c sc.exe stop W3Svc /y
cmd.exe /c sc.exe stop WRSVC /y
cmd.exe /c sc.exe stop bedbg /y
cmd.exe /c sc.exe stop masvc /y
cmd.exe /c sc.exe stop SDRSVC /y
cmd.exe /c sc.exe stop TmCCSF /y
cmd.exe /c sc.exe stop mfemms /y
cmd.exe /c sc.exe stop mfevtp /y
cmd.exe /c sc.exe stop sacsvr /y
cmd.exe /c sc.exe stop DCAgent /y
cmd.exe /c sc.exe stop ESHASRV /y
cmd.exe /c sc.exe stop KAVFSGT /y
cmd.exe /c sc.exe stop MySQL80 /y
cmd.exe /c sc.exe stop POP3Svc /y
cmd.exe /c sc.exe stop SMTPSvc /y
cmd.exe /c sc.exe stop Smcinst /y
cmd.exe /c sc.exe stop SstpSvc /y
cmd.exe /c sc.exe stop TrueKey /y
cmd.exe /c sc.exe stop mfefire /y
cmd.exe /c sc.exe stop EhttpSrv /y
cmd.exe /c sc.exe stop IISAdmin /y
cmd.exe /c sc.exe stop IMAP4Svc /y
cmd.exe /c sc.exe stop McShield /y
cmd.exe /c sc.exe stop MySQL57 /y
cmd.exe /c sc.exe stop kavfsslp /y
cmd.exe /c sc.exe stop klnagent /y
cmd.exe /c sc.exe stop macmnsvc /y
cmd.exe /c sc.exe stop ntrtscan /y
cmd.exe /c sc.exe stop tmlisten /y
cmd.exe /c sc.exe stop wbengine /y
cmd.exe /c sc.exe stop Antivirus /y
cmd.exe /c sc.exe stop MSSQL$TPS /y
cmd.exe /c sc.exe stop SQLWriter /y
cmd.exe /c sc.exe stop ShMonitor /y
cmd.exe /c sc.exe stop UI0Detect /y
cmd.exe /c sc.exe stop sophossps /y
cmd.exe /c sc.exe stop MSOLAP$TPS /y
cmd.exe /c sc.exe stop MSSQL$PROD /y
cmd.exe /c sc.exe stop SAVService /y
cmd.exe /c sc.exe stop SQLBrowser /y
cmd.exe /c sc.exe stop SmcService /y
cmd.exe /c sc.exe stop swi_filter /y
cmd.exe /c sc.exe stop swi_update /y
cmd.exe /c sc.exe stop MSExchangeMGMT /y
cmd.exe /c sc.exe stop MSSQL$BKUPEXEC /y
cmd.exe /c sc.exe stop MSSQL$SQL_2008 /y
cmd.exe /c sc.exe stop MsDtsServer100 /y
cmd.exe /c sc.exe stop MsDtsServer110 /y
cmd.exe /c sc.exe stop SQLSERVERAGENT /y
cmd.exe /c sc.exe stop VeeamBackupSvc /y
cmd.exe /c sc.exe stop VeeamBrokerSvc /y
cmd.exe /c sc.exe stop VeeamDeploySvc /y
cmd.exe /c sc.exe stop "Sophos Agent" /y
cmd.exe /c sc.exe stop svcGenericHost /y
cmd.exe /c sc.exe stop EPUpdateService /y
cmd.exe /c sc.exe stop MBEndpointAgent /y
cmd.exe /c sc.exe stop MSOLAP$SQL_2008 /y
cmd.exe /c sc.exe stop MSSQLFDLauncher /y
cmd.exe /c sc.exe stop McAfeeFramework /y
cmd.exe /c sc.exe stop SAVAdminService /y
cmd.exe /c sc.exe stop SQLAgent$ECWDB2 /y
cmd.exe /c sc.exe stop SQLAgent$SOPHOS /y
cmd.exe /c sc.exe stop SQLAgent$TPSAMA /y
cmd.exe /c sc.exe stop VeeamCatalogSvc /y
cmd.exe /c sc.exe stop BackupExecAgentBrowser /y
cmd.exe /c sc.exe stop MSSQLFDLauncher$TPSAMA /y
cmd.exe /c sc.exe stop MSSQLServerADHelper100 /y
cmd.exe /c sc.exe stop MSSQLServerOLAPService /y
cmd.exe /c sc.exe stop SQLAgent$SBSMONITORING /y
cmd.exe /c sc.exe stop VeeamDeploymentService /y
cmd.exe /c sc.exe stop VeeamHvIntegrationSvc /y
cmd.exe /c sc.exe stop "Acronis VSS Provider" /y
cmd.exe /c sc.exe stop "Sophos Clean Service" /y
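The behaviour above is easy to spot from process-creation telemetry: a single host stopping dozens of security, database and backup services inside a minute, plus a `net use * /DELETE` to drop mapped drives, is not how administrators work. The following is an added example, not SonicWall's code, of that detection logic over constructed sample events; the event tuple layout (ISO timestamp, host name, command line) is an assumption about whatever EDR or Sysmon feed you would really read.

```python
import re
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

SC_STOP_RE = re.compile(r"\bsc(?:\.exe)?\s+stop\s+", re.IGNORECASE)
NET_USE_DELETE_RE = re.compile(r"\bnet(?:\.exe)?\s+use\s+\*\s+/DELETE\b", re.IGNORECASE)

def stopped_service(cmdline):
    """Return the service name from an 'sc.exe stop <name> /y' command line, else None."""
    m = SC_STOP_RE.search(cmdline)
    if not m:
        return None
    rest = cmdline[m.end():]
    try:
        tokens = shlex.split(rest)  # handles quoted names such as "Sophos Agent"
    except ValueError:
        tokens = rest.split()
    return tokens[0] if tokens else None

def find_bursts(events, window=timedelta(seconds=60), threshold=10):
    """events: iterable of (iso_timestamp, host, command_line).
    Returns {host: details} for hosts with >= threshold service stops inside `window`."""
    stops = defaultdict(list)
    drive_unmap = set()
    for ts, host, cmd in events:
        if NET_USE_DELETE_RE.search(cmd):
            drive_unmap.add(host)
        svc = stopped_service(cmd)
        if svc:
            stops[host].append((datetime.fromisoformat(ts), svc))
    findings = {}
    for host, items in stops.items():
        items.sort()
        j = 0
        for i in range(len(items)):
            # advance j to the first stop outside the window starting at items[i]
            while j < len(items) and items[j][0] - items[i][0] <= window:
                j += 1
            if j - i >= threshold:
                findings[host] = {
                    "count": j - i,
                    "services": sorted({s for _, s in items[i:j]}),
                    "mapped_drives_removed": host in drive_unmap,
                }
                break
    return findings

# Constructed sample events: one host replaying a slice of the command list
# above within seconds, and one host where an admin restarts IIS twice.
_BURST_SERVICES = ["AVP", "MMS", "ARSM", "SNAC", "ekrn", "KAVFS", "SamSs",
                   "W3Svc", "VeeamBackupSvc", '"Sophos Agent"', "MSSQL$PROD", "wbengine"]
SAMPLE_EVENTS = [
    ("2019-05-10T09:00:%02d" % i, "FILESRV01", "cmd.exe /c sc.exe stop %s /y" % s)
    for i, s in enumerate(_BURST_SERVICES)
] + [
    ("2019-05-10T09:00:13", "FILESRV01", "cmd.exe /c net use * /DELETE /Y"),
    ("2019-05-10T11:00:00", "WS22", "sc.exe stop W3Svc"),
    ("2019-05-10T11:09:30", "WS22", "sc.exe stop W3Svc"),
]

if __name__ == "__main__":
    for host, info in find_bursts(SAMPLE_EVENTS).items():
        print(host, info)
```

The threshold and window are the tunable parts; the value of the rule is that it fires on the pattern rather than on any one service name, so it survives the next variant's edited list.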

The ransomware drops a ransom note on the %Desktop% detailing how to pay and to reach out to the ransomware authors through the Onion Tor website.

With the recent price surge of Bitcoin, the attackers are asking for a steep ransom of 3 BTC per infected computer or 7 BTC for all computers, which can amount to over $57,000.

This ransomware is written in the Go programming language (Golang), with some references to its source repositories or workspace structures visible in its strings.

SonicWALL Capture Labs provides protection against this threat via the following signatures:

  • GAV: Robinhood.RSM (Trojan)
  • GAV: Robinhood.RSM_2 (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Inside the Modern Phishing Campaigns of 2019

The world of cybersecurity is dominated by headlines of malware, ransomware, data breaches, app vulnerabilities, IoT threats and botnet attacks. But phishing has been a serious threat since the early 2000s and is widely regarded as the most common attack vector for cybercriminals.

Today, phishing is not about volume. These email threats are now tuned to successfully trick a high-value target into taking a desired action: clicking on a malicious link, opening a malware-laden file, providing a password or authorizing financial transactions.

In the current cyber arms race, threat actors are constantly trying to get around security systems. In the context of email as a threat vector, phishing has evolved into spear-phishing, impersonation and Business Email Compromise (BEC) types of attacks. These messages are highly targeted with extensive social engineering efforts to carefully select and study the victim.

Global phishing volume down, attacks more targeted

Published in the 2019 SonicWall Cyber Threat Report, our Capture Labs threat researchers recorded 26 million phishing attacks worldwide, a 4.1 percent drop from 2017. During that time, the average SonicWall customer faced 5,488 phishing attacks.

2018 Global Phishing Volume

As businesses get better at blocking email attacks and ensuring employees can spot and delete suspicious emails, attackers are shifting tactics. New data suggests they’re reducing overall attack volume and launching more highly targeted phishing attacks (e.g., Black Friday and Cyber Monday attacks).

Explore the five common tactics phishers are using to steal credentials, deploy malware, infiltrate networks and damage brands.

  1. Malicious URLs and fake or spoofed websites
    With improvements in secure email solutions that mitigate phishing, cybercriminals are resorting to innovative methods to execute targeted attacks, such as using weaponized URLs in email to deliver malicious payloads or creating phishing websites with fake login pages to harvest user login credentials. In late 2017, it was reported that nearly 1.5 million phishing sites are created each month. And the detection of phishing sites has become harder because phishers are obfuscating phishing URLs with multiple redirections and URL shorteners.

    In addition, about half of these phishing sites are using HTTPS and SSL certificates, which make it easier for cybercriminals to deceive their victims.

    Source: “PhishPoint: New SharePoint Phishing Attack Affects an Estimated 10% of Office 365 Users,” Avanan, August 2018.

    According to Microsoft’s security intelligence report, “attackers increasingly use popular document sharing and collaboration sites and services to distribute malicious payloads and fake login forms that are used to steal user credentials.”

  2. Phishing targeting Office 365 applications, users
    SaaS and webmail services are increasingly targeted by phishing campaigns. According to the Anti-Phishing Working Group (APWG), phishing that targeted SaaS and webmail services doubled in the fourth quarter of 2018. As Office 365 gains adoption as the most popular choice of cloud email platform across organizations of all sizes and verticals, it comes as no surprise that Microsoft is the most impersonated brand.

    “As Microsoft’s SEG market share increases, smart attackers will specifically target Microsoft’s defenses,” reports Gartner.

    This is not inconceivable, because an Office 365 subscription is available to anyone with a credit card, making its security features very accessible to cybercriminals. This theoretically enables criminal groups to design phishing campaigns that can evade Microsoft’s native defenses. In fact, in another report, researchers found 25% of phishing emails bypass Office 365 security.

  3. Compromised credentials
    In January 2019, security researcher Troy Hunt discovered “Collection 1,” a trove of 773 million email addresses and 21 million passwords available for sale on a hacker forum. These compromised user IDs and password combinations are used to carry out attacks from the inside. A common attack is account takeover, in which threat actors compromise employee corporate credentials either by launching a credential phishing campaign against an organization or by buying credentials on the Darkweb that leaked through third-party breaches. The threat actor can then use the stolen credentials to gain additional access or escalate privileges. Compromised credentials may remain undiscovered for months or years.
  4. Impersonation, CEO fraud and Business Email Compromise (BEC)
    According to the FBI, Business Email Compromise, or BEC, is a scam targeting businesses working with foreign suppliers and/or businesses regularly performing wire transfer payments. These sophisticated scams are carried out by fraudsters compromising email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds. These types of attacks are hard to stop because they contain no malicious links or attachments, only a message to the victim, seemingly from a trusted sender, requesting a transfer of funds.

    The FBI Internet Complaint Center (IC3) reported last summer that from October 2013 to May 2018, total losses worldwide for known BEC scams hit $12.5 billion.

  5. Malicious PDF files and Office doc attachments
    Email attachments are a popular delivery mechanism for malicious payloads, such as ransomware and never-before-seen malware. SonicWall Capture Labs threat researchers recently found a substantial increase in malicious or fraudulent PDF files. These fraud campaigns take advantage of recipients’ trust in PDF files as a “safe” file format that is widely used and relied upon for business operations. I recommend reading “New PDF Fraud Campaign Spotlights Shifting Cybercriminal Phishing Tactics,” written by Dmitriy Ayrapetov, Executive Director of Product Management, to learn more about these types of phishing campaigns and how you can stop them.

The E-rate ‘Fear Less’ Technology Infrastructure

Before you begin the RFP process, it’s important to explore the technology infrastructure (specifically what’s eligible in Category Two) as defined within the E-rate program by the Universal Service Administrative Company (USAC) and how each relates to the E-rate funding process.

Episode 4: The E-rate Fear Less Technology Infrastructure

On the fourth episode of the E-rate Fear Less series, Holly Davis dives further into the program and reviews other options school districts have in building a secure, future-proof network with the E-rate program.

At a high level, E-rate Category Two technology falls into three primary pillars. Category Two components are those that relate to cyber security solutions, hardware, software and other services. For more details about E-rate categories, please review the 2019 Eligible Services List (PDF).

Technology and its function:
  • Broadband Internal Connections (IC): On-premise solution internally managed; equipment may be owned or leased.
  • Managed Internal Broadband Services (MIBS): Managed service solution owned, leased or hosted in the cloud.
  • Basic Maintenance of Broadband Internal Connections: Support for the IC solution.

Source: 2019 Eligible Services List (PDF)

E-rate Category 2 technology funding with SonicWall

School and campus networks range in size and manage different types of sensitive data. Mitigating potential weak points in the network — and the data that can be targeted — is no easy task for standard IT teams that haven’t undergone extensive cyber security training. SonicWall network and cyber security solutions meet the needs of school districts at the highest efficacy — all at price points that fit within K-12 budgets.

If you are utilizing E-rate funding to assist you in buying your networking and cyber security solutions, SonicWall can help. Our team of E-rate funding experts ensures your SonicWall solution aligns with the rules and regulations of the E-rate program.

SonicWall Security as a Service (SECaaS) is an alternative solution for schools that do not have a large capital outlay to invest in a future-proof security solution or a dedicated IT team trained to manage cyber security.

“Security-as-a-Service provides more flexibility,” said Jenna Burros, Director of Business Services, at the Calistoga Joint Unified School District in California. “It is such an improvement to be able to have enough control to differentiate various levels of accessibility.”

Under Burros’ guidance, the California school district upgraded the flexibility and granularity of its existing content-filtering solution, while also keeping costs at minimum — a key obstacle for K-12 organizations regardless of E-rate eligibility.

With the most comprehensive channel program in the industry, combined with additional E-rate discounts, SonicWall and its partners are best positioned to meet the needs of K-12 customers and help them take full advantage of the funding E-rate provides for securing their networks.

If you are an eligible K-12 organization, please contact your preferred SonicWall reseller for information on E-rate benefits and discounts, or visit the SonicWall E-rate page for information, tools and guidance.

E-rate Episode Video Series for K-12 School Districts

What is E-rate?

To help offset funding and staffing shortages, the U.S. Department of Education and the FCC launched the E-rate program, which helps make telecommunications and information services more affordable for schools, campuses, districts and libraries.

The E-rate program is operated by the Universal Service Administrative Company (USAC), which has a core focus of providing underfunded organizations access to affordable technology and security services. This includes schools, libraries and rural healthcare organizations.

USAC provides a yearly Eligible Services List (ESL), which outlines which types of products and services can be procured via E-rate program discounts.

Applicant Steps & Resources

Prep: Before You Begin
Step 1: Competitive Bidding
Step 2: Selecting Service Providers
Step 3: Applying for Discounts
Step 4: Application Review
Step 5: Starting Services
Step 6:  Invoicing 

Resources provided by USAC

Sodinokibi ransomware uses Oracle WebLogic exploit to infect servers

The SonicWall Capture Labs Threat Research Team have observed reports of Sodinokibi, ransomware that exploits a deserialization vulnerability in Oracle WebLogic servers (CVE-2019-2725) as its primary infection vector. The exploit has also been used by other attackers to install crypto miners, info stealers and botnets. The attackers charge $1500 USD in Bitcoin for file decryption if the ransom is paid within 7 days. If the ransom is not paid within this period it doubles to $3000 USD.

Infection Cycle:

The trojan uses the following icon:

Upon infection, the following text and background is displayed on the desktop:

It makes the following DNS query:

  • breathebettertolivebetter.com

It creates the following files:

  • 0vhra-readme.txt (copied to every directory containing encrypted files)
  • 2cb12ec9.lock (0 bytes; copied to every directory containing encrypted files)

It adds the following keys to the registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\recfg rnd_ext “.2cb12ec9”
  • HKEY_LOCAL_MACHINE\SOFTWARE\recfg pk_key (encryption key related hex values)
  • HKEY_LOCAL_MACHINE\SOFTWARE\recfg sk_key (encryption key related hex values)
  • HKEY_LOCAL_MACHINE\SOFTWARE\recfg 0_key (encryption key related hex values)
  • HKEY_LOCAL_MACHINE\SOFTWARE\recfg stat (encryption key related hex values)

It executes the following command to disable startup repair and remove Windows shadow copies:

It encrypts files on the system and gives each file an extension consisting of a random alphanumeric string, in this case “2cb12ec9”.
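The three on-disk artifacts described above (a zero-byte `<ext>.lock` marker, a `<random>-readme.txt` note, and files renamed with the same random extension) make a usable post-incident sweep. The following is an added example, not SonicWall's code: it walks a directory tree and reports every directory that carries all three together, and it builds a constructed sample tree (no real malware) to run against. The name-length bounds in the regular expressions are assumptions, since the post shows one sample.

```python
import os
import re
import tempfile

# Name patterns taken from the post: a zero-byte "<ext>.lock" marker and a
# "<random>-readme.txt" note are dropped in every directory that was encrypted,
# and each encrypted file gains ".<ext>" where <ext> is the random string.
LOCK_RE = re.compile(r"^(?P<ext>[0-9a-z]{4,12})\.lock$")
NOTE_RE = re.compile(r"^[0-9a-z]{4,12}-readme\.txt$")

def sweep(root):
    """Walk `root` and report directories carrying the three markers together."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        notes = [f for f in files if NOTE_RE.match(f)]
        for f in files:
            m = LOCK_RE.match(f)
            if not m or os.path.getsize(os.path.join(dirpath, f)) != 0:
                continue  # not a lock marker, or not the zero-byte file the post describes
            ext = m.group("ext")
            encrypted = [x for x in files if x.endswith("." + ext)]
            if notes and encrypted:
                hits.append({
                    "dir": os.path.relpath(dirpath, root),
                    "ext": ext,
                    "note": notes[0],
                    "encrypted": len(encrypted),
                })
    return hits

def build_sample_tree():
    """Create a constructed directory tree mimicking the post's artifacts (no real malware)."""
    root = tempfile.mkdtemp(prefix="sodin-sweep-")
    docs = os.path.join(root, "docs")
    clean = os.path.join(root, "clean")
    os.makedirs(docs)
    os.makedirs(clean)
    for name in ("report.docx.2cb12ec9", "budget.xlsx.2cb12ec9"):
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(b"\x00constructed-ciphertext")
    open(os.path.join(docs, "2cb12ec9.lock"), "wb").close()  # zero bytes, as on the page
    with open(os.path.join(docs, "0vhra-readme.txt"), "w") as fh:
        fh.write("constructed stand-in for the ransom note\n")
    with open(os.path.join(clean, "notes.txt"), "w") as fh:
        fh.write("untouched file\n")
    return root

if __name__ == "__main__":
    for hit in sweep(build_sample_tree()):
        print(hit)
```

Requiring all three markers keeps the sweep quiet on ordinary `.lock` files left by editors or package managers; the count of renamed files per directory is what tells you how far encryption got before the process was stopped.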

0vhra-readme.txt contains the following message:

The following link is provided in the message:

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B3EC8BB678B73C19


It is a webpage located on the Tor network:

Pressing “SUBMIT” or opening the second link (http://decryptor.top/B3EC8BB678B73C19) leads to the following page:

SonicWALL Capture Labs provides protection against this threat via the following signatures:

  • GAV: Sodinokibi.RSM_4 (Trojan)
  • GAV: Sodinokibi.RSM_3 (Trojan)
  • GAV: Sodinokibi.RSM_2 (Trojan)
  • GAV: Sodinokibi.RSM (Trojan)
  • GAV: Sodinokibi.FN (Trojan)
  • IPS: 14180 Oracle Weblogic 10.3.6.0.0/12.1.3.0.0 Remote Code Execution 1
  • IPS: 14181 Oracle Weblogic 10.3.6.0.0/12.1.3.0.0 Remote Code Execution 2
  • IPS: 14186 Oracle WebLogic Server Insecure Deserialization 9
  • IPS: 14187 Oracle WebLogic Server Insecure Deserialization 8
  • WAF: 1706 Oracle Weblogic 10.3.6.0.0/12.1.3.0.0 Remote Code Execution

Also, this threat is detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

The E-rate ‘Fear Less’ Solution

The E-rate program is critical for K-12 organizations that lack the funding to procure appropriate technology, such as networking and cyber security solutions (e.g., firewalls, wireless network security, etc.). But understanding the program — as well as confirming your E-rate eligibility — can be daunting.

Episode 3: The E-rate Fear Less Solution

On the third episode of the E-rate Fear Less series, Komplement CEO Holly Davis discusses school eligibility, discounts levels and the competitive bidding process.

E-rate discounts are based on the category of service requested, level of poverty, urban/rural status of the population served and the level of participation of students in the National School Lunch Program (NSLP).

  • School districts derive their discount, for purposes of determining their level of poverty, from the total percentage of students eligible for the NSLP in the school district.
  • Libraries derive their discount, for purposes of determining their level of poverty, from the NSLP eligibility percentage of the public-school district in which the main branch of the library is located.
  • Rural discount eligibility is determined at the school district or library system level. If more than 50 percent of the schools in a school district or libraries in a library system are considered rural, the district or system is eligible for the rural discount. Note: Non-instructional facilities (NIFs) are not included in this percentage calculation.

Once eligibility is confirmed, it is very important to understand that the government requires a fair and competitive bidding process. Please contact a SonicWall E-rate expert to help guide your organization through the rules and guidelines of the E-rate process.

E-rate technology discounts with SonicWall


SonicWall network and cyber security solutions meet the needs of school districts at the highest efficacy — all at price points that fit within K12 budgets.

If you are utilizing E-rate funding to assist you in buying your networking and cyber security solutions, SonicWall can help. Our team of E-rate funding experts ensures your SonicWall solution aligns with the rules and regulations of the E-rate program. SonicWall provides services in the following areas:

  • Managed Internal Broadband Services
  • Internal Connections
  • Basic Maintenance for Internal Connections

With the most comprehensive channel program in the industry, combined with additional E-rate discounts, SonicWall and its partners are best positioned to meet the needs of K12 customers and help them take full advantage of the funding E-rate provides for securing their networks.

If you are an eligible K12 organization, please contact your preferred SonicWall reseller for information on E-rate benefits and discounts, or visit the SonicWall E-rate page for information, tools and guidance.

Know the E-rate Terminology

The E-rate program is replete with acronyms, form numbers and other unique nomenclature. Learn the key terms to successfully guide your K12 organization through the E-rate process.

What is E-rate?

To help offset funding and staffing shortages, the U.S. Department of Education and the FCC launched the E-rate program, which helps make telecommunications and information services more affordable for schools, campuses, districts and libraries.

The E-rate program is operated by the Universal Service Administrative Company (USAC), which has a core focus of providing underfunded verticals access to affordable technology and security services. This includes schools, libraries, rural healthcare organizations and more.

USAC provides a yearly Eligible Services List (ESL), which outlines which types of products and services can be procured via E-rate program discounts.

Emotet malware delivered through spam emails

The SonicWall Capture Labs Threat Research team has observed a spam email campaign sending fake remittance advice emails that spread Emotet malware through malicious Word document attachments. The message claims that a recent payment has been made to the victim, luring them to open the attached Word document.

Infection Cycle:

When opened, the attached document looks like a warning prompting the victim to enable content. The document contains hidden macros.

Enabling the ‘active content’ launches a PowerShell command, which downloads the Emotet malware onto the victim’s computer.

789.exe is the Emotet malware.
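Because the chain starts with a macro-enabled Word attachment, a mail gateway or sandbox can triage attachments before any user sees the "enable content" prompt. The following is an added example, not SonicWall's code: it checks an Office attachment for the OOXML macro markers (a `vbaProject.bin` part or a `macroEnabled` content type), flags legacy OLE binary documents that need a deeper parser, and compares the SHA-256 against the document hashes listed in this post's IoC section. The sample documents are constructed in memory and are not the real Emotet lures.

```python
import hashlib
import io
import zipfile

# SHA-256 values of three of the malicious Word documents listed under IoC below.
KNOWN_BAD_DOCS = {
    "e9e9f78904bfff3c083ac80f14b6b67eb9548de76c70c074436c5c3be0fcd6e6",
    "a82a5bb9f568bf1c2dbb0cfa775f6d86a71cfca1e783dd790434c7691d3c573d",
    "241a37ec6cb4c435bcea7e4f9c74edec59a3d8bd803e271a32f2a0e8e1f88549",
}

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc (OLE2/CFB) header
MACRO_CONTENT_TYPE = b"macroEnabled"  # appears in [Content_Types].xml of .docm/.xlsm

def inspect_attachment(data):
    """Return a triage record for one attachment's raw bytes."""
    digest = hashlib.sha256(data).hexdigest()
    result = {"sha256": digest, "container": "unknown",
              "has_macro": False, "known_bad": digest in KNOWN_BAD_DOCS}
    if data.startswith(OLE_MAGIC):
        # legacy .doc: macros live in a VBA storage inside the compound file,
        # which needs an OLE parser; flag it for deeper inspection
        result["container"] = "ole"
        return result
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
                result["container"] = "ooxml"
                has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
                ct = zf.read("[Content_Types].xml") if "[Content_Types].xml" in names else b""
                result["has_macro"] = has_vba or MACRO_CONTENT_TYPE in ct
        except zipfile.BadZipFile:
            pass
    return result

def _ooxml(parts):
    """Build a minimal OOXML-style zip from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()

def build_macro_sample():
    # constructed stand-in for a macro-enabled .docm, not the real lure
    return _ooxml({
        "[Content_Types].xml": b'<Types><Override PartName="/word/document.xml" '
                               b'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/></Types>',
        "word/document.xml": b"<w:document/>",
        "word/vbaProject.bin": b"\x00constructed-vba-blob",
    })

def build_clean_sample():
    # constructed plain .docx with no VBA part and a non-macro content type
    return _ooxml({
        "[Content_Types].xml": b'<Types><Override PartName="/word/document.xml" '
                               b'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>',
        "word/document.xml": b"<w:document/>",
    })

def build_ole_sample():
    # constructed header-only stand-in for a legacy binary .doc
    return OLE_MAGIC + b"\x00" * 64

if __name__ == "__main__":
    for label, sample in (("macro", build_macro_sample()),
                          ("clean", build_clean_sample()),
                          ("ole", build_ole_sample())):
        print(label, inspect_attachment(sample))
```

Hash matching catches only the documents already seen, which is why the macro check comes first: a remittance-themed attachment that carries VBA is worth detonating regardless of whether its hash is on any list.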

The SonicWall Capture Labs Threat Research team provides protection against this threat with the following signatures:

GAV: Downloader.CQC_9 (Trojan)

GAV: Emotet (Trojan)

SonicWall Capture Advanced Threat Protection (ATP) with RTDMI provides protection against this threat.

Threat Graph:

IoCs:

Doc:

e9e9f78904bfff3c083ac80f14b6b67eb9548de76c70c074436c5c3be0fcd6e6

a82a5bb9f568bf1c2dbb0cfa775f6d86a71cfca1e783dd790434c7691d3c573d

241a37ec6cb4c435bcea7e4f9c74edec59a3d8bd803e271a32f2a0e8e1f88549

9f36d3b724b46fa352ca56e371fd3322f7fea335fe59a71c36a046fb29c034cc

2030bb87b7253368bd608882d2c4d2b365aeccd41e40679148d171a1fd96f9c7

24b50a35f37950ea20fd32c7a206e7e75a16304fc5740a12e78a5b051354cae3

16b073a56a77d960ee2a7c6426a4da145ca030e2fe9212df4ca41108ee86435b

ce0de64b9421a663165e5edad87c2d77e530a1c55c8c7323d13caa898d5d0699

Malware:

48ebd06305d102461a3f3028734536b8b631b88685ac819509b17036520ab378

Email:

bb6bbe6839749ea9dfd1ce64fdb691d6d10985820ffb7f03d8f7cd1f411b6ac2


Navigating the E-rate Program: Forms, Filing Cycles & Rules

Participating in your first E-rate season can be overwhelming. It is important to understand eligibility requirements of the program since the forms and terminology can become confusing. To better understand the ins and outs of the E-rate program, watch Episode 2 of the SonicWall E-rate video series below.

Episode 2: Navigating the E-rate Program

On the second episode of the E-rate Fear Less series, Komplement CEO Holly Davis highlights key elements of the E-rate program to help you navigate the process. You will learn about the filing cycle, ESL, 470 and 471 forms, and rules of the program.

Before you get started, it’s important to remember some key dates. First, the E-rate program operates on a fiscal year (FY) calendar. This year, FY2020 is July 1, 2019, to June 30, 2020. From here, there are two primary dates to remember:

  • 470 Filing: July 1, 2019 (RFP Posting)
  • 471 Filing: January 11, 2020-March 22, 2020

Applicant Steps & Resources

Prep: Before You Begin
Step 1: Competitive Bidding
Step 2: Selecting Service Providers
Step 3: Applying for Discounts
Step 4: Application Review
Step 5: Starting Services
Step 6: Invoicing 

Resources provided by USAC

Each year, before the FCC Form 471 application filing window opens, the FCC releases the Eligible Services List (ESL) for the upcoming funding year (it is typically released between September and November).

The ESL contains a description of the products and services that will be eligible for discounts, along with additional helpful information such as eligibility conditions for each category of service for each specified funding year.

Be sure to review the list before you post a form 470 request for services to properly align your products and service needs.

SonicWall and E-rate

Through its global channel of more than 23,000 technology partners, SonicWall is actively involved in helping K-12 education organizations cost-effectively obtain and deploy network security solutions. SonicWall provides a broad array of E-rate-eligible products and services, including firewalls and turnkey Security-as-a-Service solutions.

SonicWall can discuss its products and services prior to the posting of a school/library Form 470, which begins the competitive bidding process. Once Form 470 is filed, SonicWall and its partners are restricted to rules and regulations of the program and are respondents to the bidding.

If you are utilizing E-rate funding to assist you in buying your networking and cyber security solutions, SonicWall can help. Our team of E-rate funding experts ensure your SonicWall solution aligns with the rules and regulations of the E-rate program. SonicWall provides services in the following areas:

  • Managed Internal Broadband Services
  • Internal Connections
  • Basic Maintenance for Internal Connections

SonicWall integrated solutions meet the needs of school districts at the highest efficacy and at price points that fit within K-12 budget constraints. SonicWall helps reduce the total cost of ownership (TCO) for these under-funded organizations.

If you are an eligible K-12 organization, please contact your preferred SonicWall reseller for information on E-rate benefits and discounts, or visit the SonicWall E-rate page for information, tools and guidance.

What is E-rate?

To help offset funding and staffing shortages, the U.S. Department of Education and the FCC launched the E-rate program, which helps make telecommunications and information services more affordable for schools, campuses, districts and libraries.

“Eligible schools and libraries may receive discounts on telecommunications, telecommunications services and internet access, as well as internal connections, managed internal broadband services and basic maintenance of internal connections,” explains the FCC website. “Discounts range from 20 to 90 percent, with higher discounts for higher poverty and rural schools and libraries. Recipients must pay some portion of the service costs.”

The E-rate program is operated by the Universal Service Administrative Company (USAC), which has a core focus of providing underfunded verticals with access to affordable technology and security services. This includes schools, libraries, rural healthcare organizations and more.

USAC provides a yearly Eligible Services List (ESL), which outlines which types of products and services can be procured via E-rate program discounts.

E-rate Episode Video Series for K-12 School Districts

RDP Vulnerability CVE-2019-0708

Overview:

The Microsoft Security Response Center (MSRC) stated on Microsoft’s Patch Tuesday that a remote code execution vulnerability exists in Remote Desktop Services (formerly known as Terminal Services) when an unauthenticated attacker connects to the target system using RDP and sends a specially crafted Protocol Data Unit (PDU), i.e. a packet request, to the Terminal Server. The server component of RDS is the Terminal Server driver (termdd.sys), which listens on TCP port 3389. Another component involved is the rdpwd.sys driver, which is where the Multipoint Communication Service (MCS) stack is located. The heap (pool) allocation is made in rdpwd.sys, and that heap is corrupted in termdd.sys when the MS_T120 reference channel is processed within the context of a channel other than 31, as described below. Let’s see where the vulnerability is located:

Finding (termdd.sys) inside the Windows Update:

When you download a Windows update from the MSRC, you will end up with one of the following file types:

  • .exe – XP, Windows 2000, 2003 server.
  • .msu – Windows 7/8/10 and Server 2008/2012/2016.

Our testing was executed on Windows 7, so we are going to pay attention to the (.msu) update file. When we expand the file we see the following:

Looking at the (.cab) file, we will also expand this file next. We now have the following:

The 1,573 files are the updated files. This is what Microsoft calls a Cumulative Update, which patches a variety of areas of the operating system. We know the component we are looking for is called termdd.sys, so we can do a simple search. Sure enough, the file has been updated. The next part is to locate what has changed.

termdd.sys File Updates:

Using your favorite binary diffing tool (such as BinDiff), we can locate the functions that have changed.

The two functions that have been updated are _IcaBindVirtualChannels and _IcaRebindVirtualChannels.

Let’s have a closer look at the changes. The patched versions are on the left side of the images, and the unpatched versions are on the right side of the image. You can open the images below in a new tab, by right clicking. This will make the code more readable.

_IcaBindVirtualChannels:

_IcaRebindVirtualChannels:

From the images above, Microsoft has patched both functions by adding a string comparison against the channel name “MS_T120” in the client connection request and ensuring that this name is bound to channel 31 only.

Vulnerability Sequence:

To recap, the “MS_T120” virtual channel is bound as a reference channel to number “31” during the PDU request to the server called “MCS Connect Initial PDU with GCC Conference Create Request”. This is labeled in the picture below as the “Basic Settings Exchange”. During this exchange the client supplies the channel names, and the server does not whitelist them, meaning the attacker can set up another channel named “MS_T120” on a channel number other than 31. It is this use of “MS_T120” on a channel other than 31 that leads to the heap memory corruption and Remote Code Execution (RCE).

Vulnerable Operating Systems:

  • Windows 2003
  • Windows XP
  • Windows 7
  • Windows Server 2008
  • Windows Server 2008 R2

Summary & Recommendations:

  • SonicWall can confirm that a patched system stops the Remote Code Execution (RCE) exploit.
  • Disable RDP access from outside your network and limit the use of RDP internally.
  • RDP client requests with “MS_T120” on any channel other than 31 during GCC Conference initialization should be blocked.
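The check that the patch adds to _IcaBindVirtualChannels and the blocking rule in the last recommendation above, as an added Python example that is not SonicWall’s or Microsoft’s code: it parses the client’s TS_UD_CS_NET channel list from the Connect Initial request and reports any client-supplied “MS_T120” that a patched server would refuse to bind. The TS_UD_CS_NET layout and the 31-channel cap come from MS-RDPBCGR; the sample blocks are constructed, and binding client channel i at index i is an illustrative assumption.

```python
import struct

CS_NET_TYPE = 0xC003      # TS_UD_CS_NET header type (MS-RDPBCGR 2.2.1.3.4)
MS_T120_INDEX = 31        # internal channel number reserved for MS_T120
MAX_CHANNELS = 31         # channelCount upper limit from MS-RDPBCGR

def build_cs_net(names):
    """Constructed sample data: encode a TS_UD_CS_NET block for the given
    static virtual channel names (CHANNEL_DEF = 8-byte name + 4-byte options)."""
    body = struct.pack("<I", len(names))
    for name in names:
        body += name.encode("ascii").ljust(8, b"\x00") + struct.pack("<I", 0x80800000)
    return struct.pack("<HH", CS_NET_TYPE, 4 + len(body)) + body

def parse_cs_net(block):
    """Return the channel names the client asks for, with bounds checks so a
    malformed block is rejected instead of being read past its end."""
    if len(block) < 8:
        raise ValueError("TS_UD_CS_NET block too short")
    htype, hlen, count = struct.unpack_from("<HHI", block, 0)
    if htype != CS_NET_TYPE or hlen > len(block):
        raise ValueError("not a well-formed TS_UD_CS_NET block")
    if count > MAX_CHANNELS or 8 + 12 * count > hlen:
        raise ValueError("channelCount out of range")
    names = []
    for i in range(count):
        raw = block[8 + 12 * i:16 + 12 * i]
        names.append(raw.split(b"\x00", 1)[0].decode("ascii", "replace"))
    return names

def bind_allowed(name, index):
    """Mirror of the check the patch adds: a channel named MS_T120 may only be
    bound at index 31 (exact, case-sensitive match assumed, as the page states)."""
    return name != "MS_T120" or index == MS_T120_INDEX

def audit_connect_initial(block):
    """Names a patched server would refuse to bind. Assumption for illustration:
    client-requested channel i lands at index i, which can never be 31 because
    channelCount is capped at 31, so any client-supplied MS_T120 is rejected."""
    names = parse_cs_net(block)
    return [n for i, n in enumerate(names) if not bind_allowed(n, i)]

if __name__ == "__main__":
    benign = build_cs_net(["rdpdr", "rdpsnd", "cliprdr"])    # constructed
    suspect = build_cs_net(["rdpdr", "MS_T120", "cliprdr"])  # constructed
    print("benign:", audit_connect_initial(benign))     # []
    print("suspect:", audit_connect_initial(suspect))   # ['MS_T120']
```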

SonicWall provides protection against this threat:

  • IPS:14225 “Windows Remote Desktop Services Remote Code Execution (MAY 19)”