An Explanation of E-rate: How to Cost-Effectively Protect K12 Networks

Network security is often focused on traditional business environments. But there are more than 100,000 K12 campuses in the U.S. alone. Each has security challenges similar to those of the standard enterprise, but its users (most commonly students) require more careful and dedicated protection.

Video 1: An Explanation of E-Rate

To help K12 organizations and technology partners better understand opportunities provided by the E-rate program, SonicWall E-rate and cyber security experts explain the history of the program, its importance to K12 organizations, discount levels, and eligible technologies and solutions.

K12 At A Glance

  • 104,000 public K12 schools in the U.S.
  • 55 million public K12 student enrollment
  • Education is the No. 1 target for ransomware attacks
  • Ransomware has hit over 23 percent of educational institutions
  • U.S. K12 spends over $230 million annually on cyber security
  • Maintaining a secure network is one of the top challenges faced by K12 school districts

What is E-rate?

To help offset funding and staffing shortages, the FCC established the E-rate program, which helps make telecommunications and information services more affordable for schools, campuses, districts and libraries.

“Eligible schools and libraries may receive discounts on telecommunications, telecommunications services and internet access, as well as internal connections, managed internal broadband services and basic maintenance of internal connections,” explains the FCC website. “Discounts range from 20 to 90 percent, with higher discounts for higher poverty and rural schools and libraries. Recipients must pay some portion of the service costs.”

The E-rate program is administered by the Universal Service Administrative Company (USAC), whose core focus is giving underfunded verticals access to affordable technology and security services. This includes schools, libraries, rural healthcare organizations and more.

USAC provides a yearly Eligible Services List (ESL), which outlines which types of products and services can be procured via E-rate program discounts.

SonicWall and E-rate

Through its global channel of more than 21,000 technology partners, SonicWall is actively involved in helping K12 education organizations cost-effectively obtain and deploy network security solutions. SonicWall provides a broad array of E-rate-eligible products and services, including firewalls and turnkey Security-as-a-Service solutions.

SonicWall integrated solutions meet the needs of school districts at the highest efficacy and at price points that fit within K12 budget constraints. SonicWall helps reduce the total cost of ownership (TCO) for these under-funded organizations.

With the most comprehensive channel program in the industry, combined with additional E-rate discounts, SonicWall and our partners are best positioned to meet the needs of K12 customers and help them take full advantage of the funding E-rate provides for securing their networks.

If you are an eligible K12 organization, please contact your preferred SonicWall reseller for information on E-rate benefits and discounts, or visit the SonicWall E-rate page for information, tools and guidance.

TinyPOS a new multi-component POS family actively spreading in the wild.

The SonicWall Capture Labs Threat Research Team observed reports of a new multi-component POS malware family named TinyPOS (detected as GAV: TinyPOS.A) actively spreading in the wild.

Contents of TinyPOS Malware

 

Infection Cycle:

TinyPOS is a multi-component malware family that has been very active in the wild. Multi-component malware is harder to detect than a monolithic sample because no single component is obviously malicious on its own; the malicious behavior only emerges when the components work together.

TinyPOS contains the following components:

  • Loaders: the downloader component. Its core job is to establish communication with the C&C servers and fetch the other components.
  • Mappers: responsible only for collecting information about the infected machine (system and process reconnaissance).
  • Scrapers: scan process memory to retrieve Track 1 and Track 2 payment card data.
  • Cleaners: wipe evidence of the malware, such as running processes, registry keys and files, once the operation is finished.

 

Once the computer is compromised, the malware creates a new process to maintain persistence and then launches a component that monitors for sensitive payment card data.

The malware enumerates running processes through Windows API calls in order to find POS software. It retrieves the list of running processes and periodically scrapes their memory for card data.

TinyPOS carries a hardcoded exclusion list of system processes to skip; it gathers track data by scanning the memory of every other running process.

Once it locates payment card data, TinyPOS makes a single HTTP request to determine the infected system's external IP address.

Once the public IP is acquired, TinyPOS validates the harvested card numbers with the Luhn check-digit algorithm, discards numbers that fail, encrypts the remaining Track 1 and Track 2 data and sends it to one of its C&C servers.

The Track data it harvests follows the magnetic-stripe layout (ISO/IEC 7813): Track 1 starts with %B, followed by the PAN, ^, the cardholder name, ^, the expiry date (YYMM), the service code and discretionary data, and ends with ?; Track 2 starts with ;, followed by the PAN, =, the expiry date, the service code and discretionary data, and ends with ?.
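The scraper logic described above, as an added example that is not TinyPOS code and not from the original report: it runs the Track 1 / Track 2 patterns over a constructed memory buffer, applies the Luhn check the malware uses to discard false positives, and masks the PAN the way a defender would when logging a hit. The buffer and the card numbers in it are constructed (standard test PANs), and the regexes are a simplified reading of the ISO/IEC 7813 layouts, not the malware's own patterns.

```python
import re

# Simplified ISO/IEC 7813 track layouts. POS software holds swipes as ASCII,
# which is why a memory scraper can find them with a plain byte regex.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z0-9 /.\-]{2,26})\^(\d{4})(\d{3})([^?]{0,40})\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([^?]{0,40})\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation: double every second digit from the right."""
    total = 0
    parity = len(pan) % 2
    for i, ch in enumerate(pan):
        d = int(ch)
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN (first 6) and last 4 so a finding can be logged without the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrape_tracks(buf: bytes):
    """Return (track, pan, expiry YYMM) for every Luhn-valid track record in buf."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(("track1", pan, m.group(3).decode()))
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(("track2", pan, m.group(2).decode()))
    return hits


# Constructed process-memory excerpt (not a real capture): two valid records,
# one Track 2 record with a bad check digit that the Luhn filter must drop.
SAMPLE_MEMORY = (
    b"\x00\x00POS.EXE heap junk\x00"
    b"%B4111111111111111^DOE/JOHN^2512101000000000000?\x00\x00"
    b"receipt #4471 total 12.99\x00"
    b";5500000000000004=25121010000000000?\x00"
    b";4111111111111112=25121010000000000?\x00"
    b"\xff\xff"
)


if __name__ == "__main__":
    for track, pan, expiry in scrape_tracks(SAMPLE_MEMORY):
        print(f"{track}: pan={mask_pan(pan)} expiry={expiry}")
```

The same regexes and Luhn filter work in the other direction: a DLP or IR script can sweep a suspect process dump for track data to confirm what a scraper could have harvested.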

Command and Control (C&C) Traffic

TinyPOS performs C&C communication over a variety of ports. Requests are made on a regular basis to statically defined IP:port pairs such as the following:

  • 43.147.209:40071
  • 174.102.20:17771
  • 183.160.137:6317
  • 183.160.137:8181
  • 248.100.188:7454
  • 126.77.137:4119
  • 126.77.137:4357
  • 126.77.137:4358
  • 126.77.137:443
  • 126.77.137:6317
  • 126.77.137:8181
  • 126.77.137:9090
  • 142.30.201:1192
  • 142.30.201:1193
  • 142.30.201:17771
  • 142.30.201:17799
  • 142.30.201:9290
  • 28.179.200:10012
  • 28.179.200:27117
  • 165.16.165:1444
  • 165.16.165:1445
  • 165.16.165:17771
  • 165.16.165:19991
  • 165.16.165:22143
  • 165.16.165:22144
  • 165.16.165:7450
  • 165.16.165:7451
  • 165.16.165:7453
  • 165.16.165:8181
  • 165.16.165:8289
  • 165.16.165:9090
  • 165.16.166:17771
  • 165.16.166:443
  • 165.16.166:444
  • 165.16.199:17771
  • 165.16.165:17799
  • 228.232.92:1192
  • 228.232.92:1195
  • 228.232.92:1196
  • 184.234.108:10011
  • 184.234.108:10012
  • 161.40.145:1192
  • 161.40.145:1193
  • 161.40.145:1195
  • 161.40.145:1196
  • 161.40.145:1393
  • 161.40.145:17771
  • 161.40.145:4356
  • 161.40.145:4357
  • 161.40.145:4358
  • 161.40.145:4360
  • 161.40.145:443
  • 161.40.145:444
  • 161.40.145:8181
  • 161.40.145:9290
  • 8.18.222:1191
  • 8.18.222:1192
  • 8.18.222:17771
  • 210.36.112:27117
  • 210.36.112:3341
  • 72.84.115:17771
  • 93.20.42:1191
  • 93.20.42:1192
  • 93.5.136:50011
  • 197.232.26:17771
  • 197.232.26:9090
  • 154.199.104:27117

We have been monitoring varying hits over the past few days for the signature that blocks this threat.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: TinyPOS.A (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

 

4 Ways the WhatsApp Exploit Could Use Employees to Infiltrate Your Network

The recent WhatsApp breach was very sophisticated and clever in the manner it was delivered. And that should be expected considering who was reported as being behind the zero-day attack against the popular messaging application.

But the attack against WhatsApp is not just a concern for its millions of global users. There’s a very real and imminent threat to businesses and enterprises, too.

For example, let’s assume one of your employees has WhatsApp installed on their device and it is subsequently compromised via the latest WhatsApp exploit. In many situations, this employee will, at some point, connect their device to the corporate network.

This legitimate access could be via VPN, cloud applications (e.g., Office 365, Dropbox, etc.), corporate Wi-Fi or, my personal “favorite,” plugging the device into the USB port of a corporate laptop so the phone can charge. Understanding how and where users connect to the corporate network is critical.

In most cases, organizations can’t prevent personal BYOD phones from being compromised — particularly when outside the network perimeter. They can, however, protect the network from exploits delivered via the compromised phone. Here are the four most common ways the WhatsApp vulnerability could be leveraged to infiltrate a corporate network and, more importantly, how SonicWall can prevent it:

  1. Via VPN. If an employee connects to corporate over VPN, a SonicWall appliance, for example, would be the endpoint where they establish the VPN. Threat prevention (e.g., firewalls, Capture ATP) and access control (e.g., Secure Mobile Access) would prevent the WhatsApp breach from spreading any further than the compromised phone.
  2. Via Wi-Fi. In this scenario, next-generation firewalls and secure wireless access points should be in place to inspect all internal traffic and prevent the exploit from going further than the phone.
  3. Via compromised credentials. Because the WhatsApp exploit enabled attackers to steal credentials to cloud services and apps, organizations with Cloud Access Security Broker (CASB) solutions, like SonicWall Cloud App Security, would mitigate account takeovers (ATO), unauthorized access and any related data leakage.
  4. Via USB port. Users often forget that a powered USB port on their laptop is an entry point for attackers — even when doing something as innocent as charging a phone. A sound endpoint protection solution (see diagram), such as Capture Client, would monitor the connection to the laptop and inspect any malicious activity attempting to leverage the USB port to deliver malware payloads.

Cyber Security News & Trends

This week, the ZombieLoad vulnerability leads to a patching frenzy, a global cybercrime gang is shut down, and a GDPR update.


SonicWall Spotlight

Intel MDS ‘Zombieload’ Vulnerability Software Patch List for MSSPs – MSSPAlert

  • “ZombieLoad” is a recently discovered vulnerability open to side-channel attacks that affects all Intel processors manufactured since 2011. MSSPAlert quotes SonicWall CEO Bill Conner on how it could be used to “pick locks” in highly secure data centers. SonicWall RTDMI technology can discover and block side channel attacks in real-time.

Creating a Culture of Resilience – New Statesman (UK)

  • The New Statesman uses the 2019 SonicWall Cyber Threat Report to review the threat landscape and, noting how cybersecurity is often “bolted onto products as an afterthought,” explains how and why a culture of cyber resilience will have to be built.

Cyber Security News

Russian Government Sites Leak Passport and Personal Data for 2.25 Million Users – ZDNet

  • An investigation into Russian government websites and user portals has found that over 2.25 million Russian citizens had their personal information, including insurance and passport details, left easily accessible online.

GDPR: Europe Counts 65,000 Data Breach Notifications so Far – BankInfoSecurity

  • European privacy authorities have received nearly 65,000 data breach notifications since the EU’s new privacy law went into full effect, with over $63 million in fines issued so far.

Rattled by Cyberattacks, Hospitals Push Device Makers to Improve Security – Wall Street Journal

  • Nervous U.S. hospitals are pressing medical-device makers to improve the cyberdefenses of internet-connected infusion pumps, biopsy imaging tables and other health-care products after being rattled by a rise in cyberattack reports in other hospitals.

Bluetooth Harvester Signals Hacking Group’s Growing Interest in Mobile – Ars Technica

  • ScarCruft, a Korean-speaking advanced persistent threat group, has launched a malware that steals Bluetooth-device information. It is likely that the malware is targeting intelligence and diplomatic agencies for political purposes.

Microsoft Warns Wormable Windows Bug Could Lead to Another WannaCry – Ars Technica

  • Microsoft is warning that the internet could see another exploit of the magnitude of WannaCry unless a high-severity vulnerability is patched. Such is the level of fear that patches for the no-longer supported Windows 2003 and XP have been issued. The vulnerability has not yet been exploited but, due to its low complexity, once the details are known an attack will likely be developed and launched very quickly.

Global Hackers Are Thwarted by FBI, Europe in $100 Million Heist – Bloomberg

  • U.S. and European law enforcement officials have dismantled a “highly specialized and international criminal network” in an operation that has been ongoing since 2016. The members of the group pooled their technical skills together online to craft and circulate malware that attempted to steal around $100 million from thousands of businesses.

Microsoft Office 365: Change These Settings or Risk Getting Hacked, Warns US Govt – ZDNet

  • The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has posted its advice for organizations using Microsoft Office 365. Its major request is that administrators at organizations turn on the many security features, like multi-factor authentication, that are not automatically enabled by default.

In Case You Missed It

Non-Standard Ports Are Under Cyberattack

If you like watching superhero movies, at some point you’ll hear characters talk about protecting their identities through anonymity. With the exception of Iron Man, hiding their true identities provides superheroes with a form of protection. Network security is similar in this respect.

‘Security through obscurity’ is a phrase that’s received both praise and criticism. If you drive your car on side streets instead of the freeway to avoid potential accidents, does that make you safer? Can you get to where you need to go as efficiently? It’s possible, but it doesn’t mean you can evade bad things forever.

Difference between standard and non-standard ports

TCP and UDP port numbers are assigned by the Internet Assigned Numbers Authority (IANA) to specific purposes or services.

While there are over 40,000 registered ports, only a handful are commonly used. They are the ‘standard’ ports. For example, HTTP (web pages) uses port 80, HTTPS (websites that use encryption) uses port 443 and SMTP (email) uses port 25.

Firewalls configured to allow traffic on these ports will receive it. Cybercriminals know this too, so most of their attacks target the commonly used ports. Of course, companies typically fortify these ports against threats.

In response to the barrage of attacks aimed at standard ports, some organizations have turned to using ‘non-standard’ ports for their services. A non-standard port is one that is used for a purpose other than its default assignment. Using port 8080 instead of port 80 for web traffic is one example.

This is the ‘security through obscurity’ strategy. While it may keep cybercriminals confused for a while, it’s not a long-term security solution. It also makes connecting to your web server harder for users: browsers assume port 80 for HTTP and 443 for HTTPS, so a non-standard port has to be spelled out in the URL.

Attacks on non-standard ports

Data in the 2019 SonicWall Cyber Threat Report indicates that the number of attacks directed at non-standard ports has grown. In 2017, SonicWall found that over 17.7% of malware attacks came over non-standard ports.

In comparison, that number was 19.2% in 2018, an increase of 8.7 percent in relative terms (1.5 percentage points). December 2018 alone hit an even higher number at 23%.

How do I protect non-standard ports?

The best defense against cyberattacks targeting services across both standard and non-standard ports is to have a layered security strategy.

Using ‘security through obscurity’ is just one layer. Relying on it too heavily, however, won’t provide the level of security you need. It may deter automated scanners that only probe default ports, but it won’t stop a full port scan or a more focused attack.

You’ll also want to take some other actions, such as changing passwords frequently, using two-factor authentication, and applying patches and updates. And you’ll want a firewall that inspects traffic on every port and identifies the protocol from the payload itself, rather than a proxy-based approach that only understands the handful of standard ports it was built for.
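What "inspect every port" means in practice, as an added example that is not from the original post or a SonicWall product: a small protocol identifier that classifies a flow from its first client bytes (HTTP request line, TLS ClientHello record header, SSH banner) instead of trusting the destination port, then flags any flow whose identified protocol is running somewhere other than its IANA-assigned port. The flow records are constructed for the example; the `Flow`/`Finding` records, `STANDARD_PORTS` table and `identify_protocol` signatures are this example's own.

```python
from collections import namedtuple

# Constructed sample flows (not real captures): destination port plus the
# first bytes the client sent. Three of them run a known protocol on a
# non-standard port, which is exactly what port-based inspection misses.
Flow = namedtuple("Flow", "src dst_port payload")

SAMPLE_FLOWS = [
    Flow("10.0.0.5", 80,   b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Flow("10.0.0.5", 8080, b"POST /api HTTP/1.1\r\nHost: app.example.com\r\n\r\n"),
    Flow("10.0.0.7", 443,  b"\x16\x03\x01\x00\xf1\x01\x00\x00\xed\x03\x03"),
    Flow("10.0.0.7", 4444, b"\x16\x03\x01\x00\xf1\x01\x00\x00\xed\x03\x03"),
    Flow("10.0.0.9", 22,   b"SSH-2.0-OpenSSH_8.9\r\n"),
    Flow("10.0.0.9", 2222, b"SSH-2.0-libssh_0.9.6\r\n"),
    Flow("10.0.0.9", 53,   b"\x12\x34\x01\x00\x00\x01"),
]

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ", b"PATCH ")

# IANA-assigned ports for the protocols this identifier recognizes
STANDARD_PORTS = {"http": {80}, "tls": {443}, "ssh": {22}}


def identify_protocol(payload: bytes):
    """Classify the application protocol from the first client bytes, ignoring the port."""
    if payload.startswith(HTTP_METHODS):
        return "http"
    # TLS record header: content type 0x16 (handshake), major version 0x03,
    # 2-byte length, then handshake type 0x01 (ClientHello) at offset 5.
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    if payload.startswith(b"SSH-"):
        return "ssh"
    return None


Finding = namedtuple("Finding", "src dst_port proto")


def audit_flows(flows):
    """Return a Finding for every flow whose protocol is not on its standard port."""
    findings = []
    for f in flows:
        proto = identify_protocol(f.payload)
        if proto is None:
            continue  # unknown protocol: nothing to compare the port against
        if f.dst_port not in STANDARD_PORTS[proto]:
            findings.append(Finding(f.src, f.dst_port, proto))
    return findings


if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(f"{finding.src} -> port {finding.dst_port}: {finding.proto} on a non-standard port")
```

The point of the check is the ordering: classify first, then compare to the port. A rule that starts from the port (443 means TLS, so inspect as TLS) never sees the TLS session on 4444 at all.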

Microsoft Security Bulletin Coverage for May 2019

SonicWall Capture Labs Threat Research Team has analyzed and addressed Microsoft’s security advisories for the month of May 2019. A list of the issues reported, along with SonicWall coverage information, is as follows:
CVE-2019-0707 Windows NDIS Elevation of Privilege Vulnerability
ASPY5495:Malformed-File exe.MP.72
CVE-2019-0708 Remote Desktop Services Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0725 Windows DHCP Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0727 Diagnostic Hub Standard Collector, Visual Studio Standard Collector Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-0733 Windows Defender Application Control Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2019-0734 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-0758 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-0819 Microsoft SQL Server Analysis Services Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-0820 .NET Framework and .NET Core Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2019-0863 Windows Error Reporting Elevation of Privilege Vulnerability
ASPY5496:Malformed-File exe.MP.73
CVE-2019-0864 .NET Framework Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2019-0872 Azure DevOps Server and Team Foundation Server Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2019-0881 Windows Kernel Elevation of Privilege Vulnerability
ASPY5497:Malformed-File exe.MP.74
CVE-2019-0882 Windows GDI Information Disclosure Vulnerability
ASPY1114:Malformed-File emf.TL.10
CVE-2019-0884 Scripting Engine Memory Corruption Vulnerability
IPS14210:Scripting Engine Memory Corruption Vulnerability (MAY 19) 3
CVE-2019-0885 Windows OLE Remote Code Execution Vulnerability
ASPY5493:Malformed-File bmp.MP.3
CVE-2019-0886 Windows Hyper-V Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-0889 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0890 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0891 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0892 Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-0893 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0894 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0895 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0896 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0897 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0898 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0899 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0900 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0901 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0902 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0903 GDI+ Remote Code Execution Vulnerability
ASPY5494:Malformed-File ttf.MP.26
CVE-2019-0911 Scripting Engine Memory Corruption Vulnerability
IPS14206:Scripting Engine Memory Corruption Vulnerability (May 19) 1
CVE-2019-0912 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2019-0913 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2019-0914 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2019-0915 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2019-0916 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2019-0917 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2019-0918 Scripting Engine Memory Corruption Vulnerability
IPS14207:Scripting Engine Memory Corruption Vulnerability (May 19) 2
CVE-2019-0921 Internet Explorer Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2019-0922 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2019-0923 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2019-0924 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2019-0925 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2019-0926 Microsoft Edge Memory Corruption Vulnerability
IPS14208:Microsoft Edge Memory Corruption Vulnerability (May 19) 2
CVE-2019-0927 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2019-0929 Internet Explorer Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2019-0930 Internet Explorer Information Disclosure Vulnerability
IPS14209:Internet Explorer Information Disclosure Vulnerability (May 19) 1
CVE-2019-0931 Windows Storage Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-0932 Skype for Android Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-0933 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2019-0936 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-0937 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2019-0938 Microsoft Edge Elevation of Privilege Vulnerability
IPS14203:Microsoft Edge Elevation of Privilege (May 19) 1
CVE-2019-0940 Microsoft Browser Memory Corruption Vulnerability
IPS14202:Microsoft Edge Memory Corruption Vulnerability (May 19) 1
CVE-2019-0942 Unified Write Filter Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-0945 Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0946 Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0947 Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0949 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2019-0950 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2019-0951 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2019-0952 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0953 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0956 Microsoft SharePoint Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-0957 Microsoft SharePoint Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-0958 Microsoft SharePoint Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-0961 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-0963 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2019-0971 Azure DevOps Server and Team Foundation Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-0976 NuGet Package Manager Tampering Vulnerability
There are no known exploits in the wild.
CVE-2019-0979 Azure DevOps Server and Team Foundation Server Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2019-0980 .NET Framework and .NET Core Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2019-0981 .Net Framework and .Net Core Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2019-0982 ASP.NET Core Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2019-0995 Internet Explorer Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2019-1000 Microsoft Azure AD Connect Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-1008 Microsoft Dynamics On-Premise Security Feature Bypass
There are no known exploits in the wild.

Cyber Security News & Trends

This week, SonicWall CEO Bill Conner is interviewed by SC Magazine, a zero-day vulnerability travelled around the world without ever being disclosed publicly, and Facebook is working to prevent election meddling in Europe.


SonicWall Spotlight

In Focus: SonicWall CEO Bill Conner – SC Magazine

  • SonicWall CEO Bill Conner joins Illena Armstrong of SC Magazine in an exclusive video interview. They discuss what companies are missing in the global cyber arms race, the non-traditional points of entry where the threats are emerging and what steps an organization can take to secure its infrastructure.

Cyber Security News

The Strange Journey of an NSA Zero-Day into Multiple Enemies’ Hands – Wired

  • Wired tells the story of an NSA-discovered zero-day vulnerability that made its way around the globe over several years: first intercepted by China, then stolen by hackers before being picked up by North Korea and Russia, all without being publicly disclosed.

Facebook Opens a Command Post to Thwart Election Meddling in Europe – New York Times

  • After the harsh criticism it faced following the 2016 U.S. election, Facebook has opened a “command post” in Ireland charged with preventing any meddling in the upcoming European election.

Hackers Steal Over $40 Million Worth of Bitcoin From One of the World’s Largest Cryptocurrency Exchanges – CNBC

  • Over $40 million worth of bitcoin has been stolen from Binance, one of the world’s largest cryptocurrency exchanges, in a “large scale security breach.” The well-organized attack managed to bypass the security checks and withdrew over 7,000 bitcoin, about 2% of total holdings.

Cybersecurity Jobs Abound. No Experience Required. – Wall Street Journal

  • Large tech companies are scrambling to hire hundreds of thousands of corporate hackers to defend their networks and data, pursuing workers without traditional four-year degrees or formal experience.

How to Close the Critical Cybersecurity Talent Gap – Dark Reading

  • “If we don’t change our ways, the gap will keep getting worse.” Dark Reading commentator Thomas Weithman calls for “outside-the-box thinking” to bridge the cybersecurity talent gap, suggesting introducing cybersecurity curriculum in K-12 courses and setting up programs to allow people in a similar industry to retrain.

Russian Cyberspies Are Using One Hell of a Clever Microsoft Exchange Backdoor – ZDNet

  • An email backdoor named LightNeuron that integrates directly with Microsoft Exchange is being called “one of the most complex backdoors ever spotted.” Despite being in use since 2014 it has avoided detection until very recently.

Amazon Hit by Extensive Fraud With Hackers Siphoning Merchant Funds – Bloomberg

  • A court filing has revealed that Amazon believes it was the victim of a “serious” online attack between May and October 2018. Hackers accessed around 100 seller accounts and funneled cash from loans or sales into their own bank accounts.

TRON Critical Security Flaw Could Break the Entire Blockchain – ZDNet

  • A critical vulnerability with a “high” severity rating has been found in the TRON network’s TRX cryptocurrency. If exploited, the vulnerability could render the entire network unusable.

Without Strong Cybersecurity, Backdoors Will Remain Open – Silicon Republic

  • Former Europol Executive Director John O’Mahony is warning that not enough companies and individuals have “even adequate cybersecurity” in place to prevent bad actors exploiting backdoors in their networks.

In Case You Missed It

GandCrab Ransomware Windows PE

Overview:

SonicWall Capture Labs Threat Research Team recently found a new sample and fresh activity in May for GandCrab ransomware. GandCrab has been well known across 2018 and 2019 as ransomware-as-a-service (RaaS); the RaaS model lets affiliates attack victims with minimal effort. GandCrab encrypts critical data files, demands ransom payments and raises the price if the victim delays payment. Once the victim pays, the data is decrypted with a secret key handed over after the payment completes. This sample is a 32-bit PE file whose resources are encrypted. The resource is decrypted, dropped to disk and executed through ShellExecuteExW. Once running, the infection spreads across well-known file types and network shares, encrypting everything it can get access to.

Distribution Methods:

GandCrab has used many distribution methods in the past, such as JavaScript and document downloaders attached to emails, along with drive-by downloads using exploit kits such as GrandSoft, RIG and Magnitude. An exploit kit is the easier route for an attacker: it needs only a browser and a link passed to the victim, who simply has to click it to get infected. But exploit kits are usually written for specific operating system versions, so the operating system has to be vulnerable for that easy method to work. This is why current GandCrab campaigns rely on email-borne JavaScript and document downloaders. More recent campaigns have been seen using encrypted, password-protected documents, with the password needed to open the document supplied to the victim.

Sample Static Information:

Sample Overview:

SHA-256 Hash: bbbb28aaa1050337356d9931a03533a522cd911e17aac2ac5003915419b126d7

Packer Information:

This sample uses aPLib compression and has an entropy of 7.31.

Unpacking The Sample:

The sample is not packed, only compressed with aPLib, which makes it easier to research inside IDA Pro.

We can also see that the malware has about 787 functions available to research.
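The entropy figure above is the usual first hint that a binary carries compressed or encrypted material. As an added example (not the sample's code and not a SonicWall tool), this computes Shannon entropy over a buffer and walks it in fixed windows to locate the high-entropy region, which on a dropper like this one is where the aPLib-compressed resource sits. The "image" it scans is constructed inline (a DOS-stub text repeated, a SHA-256-chained pseudo-random block standing in for the compressed resource, and zero padding); the window size and the 7.0 threshold are this example's choices, not values from the analysis.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(buf: bytes, window: int = 512, threshold: float = 7.0):
    """Scan buf in fixed windows; return merged (start, end) spans at or above threshold."""
    regions = []
    for off in range(0, len(buf), window):
        chunk = buf[off:off + window]
        if shannon_entropy(chunk) >= threshold:
            if regions and regions[-1][1] == off:
                # extend the previous span when the flagged windows are adjacent
                regions[-1] = (regions[-1][0], off + len(chunk))
            else:
                regions.append((off, off + len(chunk)))
    return regions


def _pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler: a SHA-256 hash chain (stand-in for compressed data)."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed sample image (not the GandCrab binary): 2048 bytes of low-entropy
# stub text, 4096 bytes standing in for the compressed resource, 1024 zero bytes.
SAMPLE_IMAGE = (
    (b"This program cannot be run in DOS mode.\r\n" * 64)[:2048]
    + _pseudo_random(4096)
    + b"\x00" * 1024
)


if __name__ == "__main__":
    print(f"whole image: {shannon_entropy(SAMPLE_IMAGE):.2f} bits/byte")
    for start, end in high_entropy_regions(SAMPLE_IMAGE):
        print(f"high-entropy region at 0x{start:x}-0x{end:x} "
              f"({shannon_entropy(SAMPLE_IMAGE[start:end]):.2f} bits/byte)")
```

Whole-file entropy (the 7.31 above) only says that something is compressed or encrypted; the windowed scan says where, which is the offset to carve out and hand to an aPLib decompressor.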

HTTP Network Objects:

The domain the sample connects to is “carder.bit”; another associated IP is “4.7.93.154”.

The ransom id is also sent through the network.

Closing Processes:

The sample contains a list of hardcoded process names that are terminated before encryption starts. This avoids the open-handle conflicts that would otherwise stop it from encrypting files those processes hold open.

List of User-Mode Anti-Virus Detections:

It compares running processes against hardcoded antivirus executable names.

List of Kernel-Mode Anti-Virus Detections:

  • Kaspersky
  • F-Secure
  • Symantec




Ransom Strings:

This sample uses fairly complex encryption and decryption routines, mostly for anti-analysis. The ransom strings were recovered after a few rounds of decryption.

Debugging System:

The sample was tested and debugged on (x86) – 32 Bit, Windows 7 Professional.

Summary:

GandCrab ransomware is a well-known malware family distributed through multiple exploit kits, e-mail spam and the Dark Web. GandCrab is Russian in origin and in 2019 targets many different countries, such as the US, Australia, Sweden and Canada. GandCrab currently has many active affiliates on the web and thousands of samples scattered across the wild in 2019. It is estimated that ransom payouts in 2018 reached millions of dollars.

Hit Graph & Statistics:

SonicWall Gateway Anti-Virus (GAV) provides protection against this threat:

  • GAV: GandCrab.C_2

Oracle WebLogic Vulnerability actively being exploited in the wild

An insecure deserialization vulnerability has been reported in Oracle WebLogic server. This vulnerability is due to insufficient validation of XML data within the body of HTTP POST requests. A remote attacker can exploit this vulnerability without authentication. Successful exploitation can result in arbitrary code execution under the context of the affected server.

Oracle WebLogic is one of the most widely used Java application servers. It helps build and deploy distributed enterprise Java EE applications.

Serialization is the process of translating application data such as objects into a binary format that can be stored and reused by the same application or transmitted over the network to be used by another application.

Deserialization is the reverse of that process: it takes data structured in some format and rebuilds it into an object. By running deserialization, we should be able to fully reconstruct the serialized object.

Insecure deserialization is a vulnerability that occurs when user-supplied data is not sanitized or validated properly before being deserialized. This untrusted data can be used to abuse the logic of an application, inflict a denial of service (DoS), or even achieve remote code execution once it is deserialized. Attackers therefore craft the serialized data, and the impact of the attack depends on what the application code does with that data.

CVE-2019-2725:

An insecure deserialization vulnerability has been reported in Oracle WebLogic Server. User input is validated by blacklisting tags that result in arbitrary method and constructor calls, but the <class> tag is not correctly blacklisted. This allows an attacker to instantiate any class with arbitrary constructor arguments. Attackers leverage this to achieve arbitrary code execution by instantiating a class object that accepts a byte array as a constructor argument; upon initialization, the crafted malicious serialized byte array is deserialized, causing remote code execution.

Exploit:

The POST request below to the Oracle WebLogic server carries shell code that downloads and executes a malicious payload on the vulnerable server.

POST /_async/AsyncResponseService HTTP/1.1
Host: x.x.x.x:7001
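As an added defender-side example (not code from the original post or from Oracle), the following Python checker flags HTTP POSTs to the async endpoint whose XML body carries the <class> tag described above; the /_async/ prefix match, the regex fallback for malformed XML and the sample requests are constructed assumptions, not captured traffic.

```python
import re
import xml.etree.ElementTree as ET

# Endpoint named in the post; matching on the path prefix is an assumption.
ASYNC_PATH_PREFIX = "/_async/"
# Fallback for bodies ElementTree rejects (e.g. an undeclared prefix such as
# <x:class>), so a deliberately malformed envelope cannot slip past the parser.
CLASS_TAG_RE = re.compile(rb"<\s*(?:[\w.-]+:)?class(?=[\s/>])")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.decode("latin-1").split("\r\n", 1)[0]
    method, path, _version = request_line.split(" ", 2)
    return method, path, body


def is_cve_2019_2725_pattern(raw):
    """True when a POST to the async endpoint carries a <class> element."""
    method, path, body = parse_request(raw)
    if method != "POST" or not path.startswith(ASYNC_PATH_PREFIX):
        return False
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return CLASS_TAG_RE.search(body) is not None
    # ElementTree renders namespaced tags as '{uri}name'; compare the local name.
    return any(el.tag.rsplit("}", 1)[-1] == "class" for el in root.iter())


# Constructed sample traffic, not captured from a real exploit.
HEAD = (b"POST /_async/AsyncResponseService HTTP/1.1\r\n"
        b"Host: x.x.x.x:7001\r\nContent-Type: text/xml\r\n\r\n")
ENV = b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
BENIGN = HEAD + ENV + (b"<soapenv:Header/><soapenv:Body><status/>"
                       b"</soapenv:Body></soapenv:Envelope>")
SUSPECT = HEAD + ENV + (b"<soapenv:Header><class><string>placeholder</string>"
                        b"</class></soapenv:Header><soapenv:Body/></soapenv:Envelope>")
SUSPECT_BAD_NS = HEAD + b"<x:class>placeholder</x:class>"  # unbound prefix
OTHER_PATH = SUSPECT.replace(b"/_async/", b"/console/", 1)

if __name__ == "__main__":
    for name in ("BENIGN", "SUSPECT", "SUSPECT_BAD_NS", "OTHER_PATH"):
        print(name, is_cve_2019_2725_pattern(globals()[name]))
```

The path check keeps the rule narrow; a broader deployment would also log unparseable XML to this endpoint rather than silently pass it.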

Fix:

Oracle has released an out-of-band patch that fixes the vulnerability. Please find the vendor advisory regarding this vulnerability: https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

IPS: 14180 Oracle Weblogic 10.3.6.0.0/12.1.3.0.0 Remote Code Execution 1
IPS: 14181 Oracle Weblogic 10.3.6.0.0/12.1.3.0.0 Remote Code Execution 2
IPS: 14186 Oracle WebLogic Server Insecure Deserialization 9
IPS: 14187 Oracle WebLogic Server Insecure Deserialization 8
WAF: 1706 Oracle Weblogic 10.3.6.0.0/12.1.3.0.0 Remote Code Execution

Threat Graph:


Cyber Security News & Trends

This week, SonicWall CEO Bill Conner is interviewed on Federal Tech Talk, the potential of a 5G future is considered, and more details emerge about the Citrix data breach.


SonicWall Spotlight

‘Federal Tech Talk’ Hosts SonicWall CEO Bill Conner to Examine Cybercriminal Strategies that Threaten Federal Agencies – SonicWall Blog

  • SonicWall CEO Bill Conner joins John Gilroy on Federal Tech Talk, a radio show and podcast on the Federal News Network. They discuss emerging cyber threats including attacks over non-standard ports, encrypted threats and malicious PDFs and Office files.

SonicWall Reports Dramatic Rise in Fraudulent PDF Files in Q1 2019 – Tech Observer (India)

  • With SonicWall Capture Labs researchers releasing details on the growth of fraudulent PDFs and Office files, SonicWall’s Debasish Mukherjee talks to Tech Observer about how Real-Time Deep Memory Inspection (RTDMI) can detect new malware almost instantly.

Cyber Security News

Cybersecurity: The Key Lessons of the Triton Malware Cyberattack You Need to Learn – ZDNet

  • The Triton malware attack of 2017 was unsuccessful but still managed to shut down industrial operations at a critical infrastructure firm in the Middle East. ZDNet explores how real-world physical security problems intersected with cyber security problems and allowed a cyberattack to go very far before being caught.

P2P Weakness Exposes Millions of IoT Devices – Krebs on Security

  • Peer-to-peer communications software iLnkP2P includes several critical security flaws that leave millions of webcams, baby monitors and more open to a cyberattack.

The Terrifying Potential of the 5G Network – The New Yorker

  • While some claim 5G technology will usher in a fourth industrial revolution, there’s a worry that such a huge change could have disastrous effects and policymakers may not be taking the cyber security concerns seriously enough.

“Denial of Service” Attack Caused Grid Cyber Disruption: DOE – E&E News

  • A “cyber event” interrupted power grid operations in the western United States on March 5 of this year. Initially, details on what happened were scarce, but it has now been confirmed that a denial-of-service (DDoS) attack occurred against an unnamed energy company.

Putin Signs Law to Isolate Russian Internet – Financial Times

  • Russian president Vladimir Putin signed a law that will allow the Kremlin to disconnect Russia from the global internet. Critics are casting it as an attempt to curb free speech or internal dissent within Russia, but the Kremlin says the law is a cyber security safeguard that would allow the Russian internet to continue running in the event of a hostile cyberattack on its infrastructure.

DC Metro Vulnerable to Cybersecurity Attacks, Says Inspector General – The Hill

  • The Washington D.C. Metro has vowed to hire experts to help with cyber security vulnerabilities present in its current systems.

Hackers Lurked in Citrix Systems for Six Months – ZDNet

  • The FBI has become involved in an ongoing investigation into an “intermittent” but long-lasting data breach at Citrix. Information on what data was accessed by hackers is not yet known but it is possible that the data stolen includes names, Social Security numbers, and financial information.

Financial Data for Multiple Companies Dumped Online in Failed Extortion Bid – Dark Reading

  • 516 GB of potentially sensitive stolen data was dumped online after German digital infrastructure service provider Citycomp refused to pay in an attempted cyber-extortion. The data dump has not been verified or fully examined yet, but the would-be extortionists claim it includes “financial and private information on all clients include VAG, Ericsson, Leica, MAN, Toshiba, UniCredit, and British Telecom (BT).”

Docker Hub Breach Hits 190,000 Accounts – SecurityWeek

  • Docker Hub, the world’s largest library and community for container images, suffered a data breach with 5% of users affected. Usernames and hashed passwords were accessible. Docker says the company breach has now been sealed and that they are working to ensure it cannot happen again.

In Case You Missed It