Cyber Security News & Trends

/0 Comments/in /by

This week, SonicWall is looking for Beta Testers for the SonicWall Community, Ransomware-as-a-Service is put under the spotlight, and Disney+ accounts are hacked only hours after going live.

SonicWall Spotlight

SonicWall Leads Series a Round Funding in Zero-Trust Security Provider Perimeter 81 – SonicWall Press Release

  • SonicWall has signed a commercial agreement for the development of joint solutions with Perimeter 81. This agreement means that we are able to provide a wide range of businesses, from SMBs to Fortune 500s and governments, with SonicWall’s award-winning Capture Cloud Platform and real-time breach detection and prevention solutions, while also allowing them to adopt a zero-trust security architecture that delivers tremendous efficacy in securing the modern organization.

Call for Beta Testers – The SonicWall Community

  • SonicWall is delighted to announce that it will be launching the SonicWall Community in 2020. The community will be a place where our customers, partners and product experts can collaborate to share knowledge, experiences, resources and opinions. Do register your interest if you are want to be a beta tester for our pilot community.

The CyberWire Daily Podcast – The Cyberwire

  • The CyberWire Daily Podcast rounds up the cybersecurity news each day and SonicWall CEO Bill Conner makes an appearance on Thursday 21st of November, discussing the Q3 threat intelligence data from SonicWall Capture Labs.

Ransomware-as-a-Service: SaaS for Cyber Criminals – SC Magazine (UK)

  • Ransomware’s simplicity and lucrativeness as a form of cyberattack has led to a growth in what is known as Ransomware-as-a-Service – a user-friendly version of ransomware that can easily be deployed with minimal technical knowledge. SonicWall CEO Bill Conner explains how it works, why it is so popular, and how to fight it in SC Magazine.

Cybersecurity News

1.2 Billion Records Found Exposed Online in a Single Server – Wired

  • A researcher has found a database containing over a billion records on an easily accessed, unsecured server. The data does not contain passwords or financial information, but does contain phone numbers, social profiles, and work histories of the huge number of those affected.

Thousands of Hacked Disney+ Accounts Are Already for Sale on Hacking Forums – ZDNet

  • Hackers hijacked Disney+ accounts and put them up for sale within hours of the service launching this week. Prices for the details of account vary from $3 to $11 on online forums, in comparison to a legitimate subscription that costs a user $7 a month.

WhatsApp Remote Code Execution Triggered by Videos – Threat Post

  • A newly discovered vulnerability in WhatsApp was discovered and quietly patched this week. The flaw would allow an attacker to target a user simply by sending them an MP4 file by WhatsApp. There is no evidence that the vulnerability had been exploited in the wild before the patch was sent out.

Attacks on Healthcare Jump 60% in 2019 – so Far – Dark Reading

  • A new report has named the healthcare system as the seventh-most targeted industry by malware, but also an industry that is still dragging its heels when it comes to preparedness, with a large number of legacy hardware and software systems still in use.

Financial Advisors Need to Put Cybersecurity Plans to the Test – CNBC

  • The U.S. Securities and Exchange Commission has released cybersecurity guidance for financial advisory firms. The simple message of this notice is that no firm is too small to have cybersecurity protections in place, and no firm should be so confident in their systems that they do not regularly test them.
And Finally

Influencer Marketing Comes to Cybersecurity – Axios

  • Perhaps it was only a matter of time, but the popular culture world of influencers has finally caught up with the usually more scientific world of cybersecurity. Eagle-eyed watchers of social-media have noticed an uptick in follower-rich cybersecurity Twitter accounts running individualized adverts. Other popular accounts have since come out and denounced accepting payments for adverts as unethical in the world of cybersecurity.

In Case You Missed It

Cyber Security News & Trends

/0 Comments/in /by

This week, SonicWall meets a Russian ransomware cell, the first 2020 cyber-predictions are coming in, and cybersecurity has a color.

SonicWall Spotlight

Mindhunter: Meeting a Russian Ransomware Cell – SonicWall Webinar

  • On November 19, SonicWall will proudly present Mindhunter: my two-week conversation with a ransomware cell. Join SonicWall security expert Brook Chelmo as he gives you an inside look into the human-side of a modern ransomware cell, their advice on how to stop them from infiltrating your organization, encrypting your endpoints, and spreading to other drives and segments of your network.

Retail’s Weakness Is Cyber Crime’s Opportunity – Retail Technology Review

  • The festive shopping season is about to kick off with Black Friday 2019. Writing in Retail Technology Review, SonicWall CEO Bill Conner details the size and scale of cyberattacks over the same period last year and offers advice on to retailers on how to best protect themselves.

Attack on Labour Shows Need for DDoS Defence but Should Alarm Few – Computer Weekly (UK)

  • The UK Labour party’s website suffered a DDoS attack this week. While Cloudflare successfully prevented any major damage from occurring, the attack acts as a reminder that modern election campaigns need to ensure that their cybersecurity is prepared for anything. SonicWall’s Terry Greer-King provides commentary.

Cybersecurity News

Predictions 2020: This Time, Cyberattacks Get Personal – ZDNet

  • The first cyber predictions for 2020 have started rolling in. Initial contenders include the weaponizing of mergers and acquisitions data, deepfake scams, and the closing off of AI and Machine Learning data from outsiders.

Breach Affecting 1 Million Was Caught Only After Hacker Maxed out Target’s Storage – Ars Technica

  • A hacker breached an IT provider in May 2014, stealing data and creating a data archive on their server that went unnoticed for almost two years. The hack was only noticed in 2016 when the hackers archive grew so big the server ran out of disk space. The company have now been fined for failing to detect the breach.

Cybersecurity: Why More Needs to Be Done to Help Older People Stay Safe Online – ZDNet

  • Internet users are no longer just the young or most technologically up-to date. ZDNet argues that not enough is being done to protect less tech-savvy elderly people online.

As 5G Rolls out, Troubling New Security Flaws Emerge – Wired

  • 5G is entering use in major urban domains worldwide, and its uptake is likely only to increase rapidly. Despite this, major security vulnerabilities continue to be found, including 11 design flaws in a single recent study.

Cybersecurity Is an Asset, Not a Nuisance – Forbes

  • Forbes argues that a good way to think about cybersecurity is not as a nuisance but like the braking system on a race car. Without it, the potential top speed of the car would be considered reckless.

The Time to Tackle Cybersecurity in Self-Driving Cars is Now – Newsweek

  • Upcoming self-driving cars contain a myriad of computers connected both to each other and to many external networks. With cyberattacks a constant threat to systems worldwide, Newsweek argues that cybersecurity should be integral to the very design of cars from the ground up, not as an add-on at a later point.
And Finally

What Color Is Cybersecurity? – Forbes

  • A new large-scale study into how cybersecurity is talked about and advertised online has found the color code #235594 to be dominant in imagery.

In Case You Missed It

Meeting a Russian Ransomware Cell

/0 Comments/in , /by

Ransomware is one of the most notorious and effective types of cyberattacks in the last decade. And I had the opportunity to go inside the minds that operate a real-world ransomware cell.

It starts with the young leader — nicknamed “Twig” — of a Russian ransomware cell. After two weeks of chatting through a secure channel, what I found was very interesting.

On social media, some cybersecurity firms like to portray him in black hoodies with leather gloves and a backdrop of matrix-style digits. They namedrop buzzwords like advanced-generation V attacks and other trumped up terms, which could be more fitting for nation-state attacks, but this isn’t the case with most hacking groups.

Carrying out successful ransomware attacks typically only requires a mixture of scripts, common vulnerabilities, brute-force efforts, bad IT policies at target organizations, and generations of frustration between eastern and western politics.

MINDHUNTER

On-Demand Webinar: My Two-Week Conversation with a Ransomware Cell

Join SonicWall security expert Brook Chelmo as he gives you an inside look into the human-side of a modern ransomware cell, their advice on how to stop them from infiltrating your organization, encrypting your endpoints, and spreading to other drives and segments of your network.

WATCH NOW

How does a ransomware attack work?

The number of organizations and verticals targeted each week, including the demands they make on the compromised device(s), are all private. Twig, however, is open to saying that their attack style is generally through spear-fishing and port-scanning for common vulnerabilities.

Twig’s favorite ports are “5900 and 5901 which are open and unpassworded.” Together, these two ports rank as the 19th most scanned port. These ports are used by virtual network computing (VNC) for desktop-sharing and remote-control application for Linux and Windows machines.

Over the years, several vulnerabilities related to these ports have allowed attackers to bypass authentication and gain access to the system. If Twig can get in, then your participation isn’t even required to activate the ransomware script (e.g., enable macros on a malicious Word document received in email). In fact, SonicWall research shows that anywhere between 17% and 20% of all malware attacks come through non-standard ports.

While Twigs scripts are pinging a range of IP addresses for vulnerabilities, he runs a PHP script alongside unnamed services that spam targets to gain remote access to their systems.

HILDACRYPT, for example, uses file extensions that are not normally scanned, such as .vbox, to evade inspection and detection by firewalls or email security services. Once access has been granted, he will log in after-hours and run a batch file through PsExec throughout the entire network to make it “go boom.”

Or, in less dramatic words, to “make Hilda run on the entire network.” It’s the same headache caused by the likes of WannaCry, NotPetya and SamSam ransomware strands, the infamous attack wave from three years ago. Since admins tend to have access to multiple drives — and sometimes read/write ability on endpoints via access manager roles — exploiting them is critical to mission success.

“If Twig can get in, then your participation isn’t even required to activate the ransomware script.”

Once systems are compromised, they don’t exfiltrate the files and sell the data like some do. They just set the demand and wait.

Initially, they asked victims to watch the Hilda series on Netflix (yes, really), join their Discord server for support, then pay the stated ransom amount in bitcoin (a popular way to couch the demand).

What can you do to stop ransomware attacks?

First of all, Twig says to “use proper passwords” for ransomware protection. He said many passwords are either written by the ‘crazy or the lazy.’ Most of them are too simple and are often guessed by his scripts. His favorite story was when he found a password to be two quotation marks. I guess the administrator thought it was too simple to guess. Well, he was wrong and had to pay for it.

Second, he said “write your programs in a real programing language.” He said that real programmers write in C or C++, and that Java or PHP is for the lazy and stupid (an opinion not shared by all professional programmers).

When he sees programs written in Java, he feels he is dealing with a non-qualified individual and, therefore, an easy target. It is also worth noting that some security professionals advise not to program in C when it comes to security.

Third, he casts shade on Americans and tech workers over the age of 35 either because of his belief in their lack of modern skills or energy to do the job properly. He says organizations should hire qualified people who can both code and understand security. If he was in charge of hiring at your company, and didn’t discriminate by age or nationality, he would hire people who hold qualifications in C or C++ and have the energy to follow security best practices.

Misconfigured firewalls leave doors open for ransomware attacks

Finally, Twig points out that misconfigured firewalls are his best friend. In fact, he has strong opinions for some firewall makers that enable him “to uninstall [the firewall] from the computer.” In the case of network firewalls, misconfigurations are easily done and can be one’s downfall. It happens more than you think.

In the case of endpoint firewalls, end-users should be under the principle of least privilege (POLP), which means they will have just enough rights to do their job and without the ability to modify their endpoints. In 2016, Microsoft reported that 94% of critical vulnerabilities can be mitigated by removing administrative rights from users.

Four ways SonicWall stops ransomware attacks

Stopping ransomware attacks isn’t always easy. A conversation with Twig makes that apparent. But he also highlights that if you follow best practices and implement security across different layers, ransomware attacks won’t be nearly as successful. Leverage the four key ways SonicWall helps organizations block ransomware attacks — automatically and in real time.

  • Deploy a firewall and keep security services active. Firewall vendors like SonicWall are now security platform providers that protect the traffic to and from branches (SD-WAN), and examine traffic through the firewall with gateway antivirus to stop known versions of malware. It’s also smart to leverage Intrusion Prevention Services (IPS) to identify known communication patterns within malware and stop what it wants to do, like travel laterally to other drives or networks. The combination of gateway security and IPS was critical in stopping WannaCry ransomware attacks for SonicWall customers on Day 1.
  • Block unknown ransomware with a sandbox. However, all of the updated versions of the strain that came after Version 1 were blocked automatically by the Capture Advanced Threat Protection (ATP) sandbox (if the other ransomware variants were found by a customer before SonicWall could create a definition/signature to block it on firewalls and email security).
  • Protect your inbox. To make it even more difficult to attack your network or users, use secure email solutions to block spoofed emails and examine attachments within all email to look for malware. Email is still highly effective at getting malware exploits onto your network.
  • Secure your endpoints. Finally, protect your endpoints with a next-generation anti-virus (NGAV) For example, Capture Client will help stop intrusions and ransomware attacks from initiating. Even if a ransomware strain did execute, Capture Client would give the administrator the ability to roll back the damage to a previously known clean state.

For the full story on my chats with Twig, I urge you to attend my upcoming webinar, “Mindhunter: My Two-Week Conversation with a Ransomware Cell.”

Cyber Security News & Trends

/0 Comments/in /by

This week, ransomware in Spain, a doomsday cybersecurity exercise, and why rebooting your computer won’t rid it of malware.

SonicWall Spotlight

Spanish Ryuk Ransomware Attack Hints at New WannaCry – IT Pro (UK)

  • With several institutions and businesses in Spain currently under attack by a strain of the Ryuk ransomware, there is a fear that a problem of the scale of WannaCry is at risk of being unleashed. SonicWall CEO Bill Conner talks to IT Pro on the similarities between the two ransomwares, and how to best protect your business from them.

How Healthy Is Your Web of Connected Devices? – Security Boulevard

  • There are over 25 billion Internet of Things (IoT) connected devices currently in the world, and this number is rising. Security Boulevard uses SonicWall Cyber Threat Intelligence to demonstrate the dangers of, and from, these devices if they are not shielded from cyberthreats.

Cybersecurity News

The Financial Industry Just Finished Its Annual ‘Doomsday’ Cybersecurity Exercise — Here’s What They Imagined Would Happen – CNBC

  • The Securities Industry and Financial Markets Association recently held a worst-case scenario cybersecurity simulation dubbed Quantum Dawn. The fictional event centered around a financial giant being attacked by malicious ransomware.

Ransomware Is Crippling Schools. What Can They Do About It? – EdSurge

  • Tech and education website EdSurge takes a look at the recent rise in ransomware attacks on educational institutions. It explains how ransomware works, why education is being attacked, and how to protect against cyberattacks.

Cybersecurity Risk Is Growing, and We Are Not Ready – Infosecurity Magazine

  • In a new survey of over 4 thousand people in 140 countries, cybersecurity is named as the biggest worry to companies. Between a skills shortage and a general lack of understanding of the threats, many companies are simply unprepared for cyberattacks.

Specially Crafted ZIP Files Used to Bypass Secure Email Gateways – Bleeping Computer

  • A new malware campaign has been discovered by researchers that hides the payload in a complex system of compressed files and archive restructuring. It appears to have been specifically designed by bypass secure email scanners, although at the cost of not always extracting correctly.

Feds Warn Against Hidden Cobra’s Hoplight Malware – SC Magazine

  • US federal agencies released a notification about Hoplight, a new sophisticated data collecting malware being used by North Korean cyberattack group Hidden Cobra.
And Finally

Experts: Don’t Reboot Your Computer After You’ve Been Infected With Ransomware – ZDNet

In a turnaround from the traditional “have you tried turning it off and on again” line, cybersecurity experts are not recommending rebooting your computer if caught by ransomware. The line of thinking is that if something has gone wrong with the ransomware, rebooting a computer might allow it try again, successfully this time.

In Case You Missed It

Cyber Security News & Trends

/0 Comments/in /by

This week, the financial cost in a worst-case scenario cyberattack, a nuclear power plant is targeted, and SonicWall figures are used to look at the Internet of Things.

SonicWall Spotlight

Intelligent Living: The Smart Home and IoT – Silicon (UK)

  • Silicon investigate the future of smart homes and rise of Internet of Things (IoT). When looking at the security risks they defer to SonicWall CEO Bill Conner and SonicWall research.

A Sneaky Online Security Threat: Encrypted Malware in SSL – Security Boulevard

  • Security Boulevard tackles the double-edged sword of encryption, used by both cybersecurity experts and cybercriminals alike. They refer to the 2019 SonicWall Cyber Threat Report for details on the rising number of cyberattacks coming in on encrypted channels.

Cybersecurity News

One Cyber Attack Can Cost Major APAC Ports $110B – ZDNet

  • A new study has laid out a possible “extreme” scenario where a single software virus infecting 15 ports across five Asian markets can result in losses totaling $110 billion. 92% of these costs are currently uninsured.

Indian Nuke Plant’s Network Reportedly Hit by Malware Tied to N. Korea Arstechnica

  • A cyberattack on India’s Kudankulam Nuclear Power Plant that took place in September of 2019 has been linked, through the use of the “Dtrack” malware, to a known North Korean government hacking group. Officials at the plant have stated that there was never any risk of losing control of the plant as the control systems are neither connected to the administrative network or any other networks in general.

ICS Attackers Set to Inflict More Damage With Evolving Tactics – ThreatPost

  • New research claims that future attacks on industrial control system (ICS) networks, such as the power grid, may inflict even more damage in the long run as attackers will learn from previous cyberattacks. Analysts expect attacks to evolve from immediate, direct impact to stealthy attacks with multiple infection stages.

Muhstik Ransomware: A Hack-Back Story – Security Boulevard

  • While ransomware is making headlines for the large targets, like government and multinational industries, there are still small scale ransomware attacks being launched. Security Boulevard report on one victim who, caught by Muhstik Ransomware, decided to hack back and took down the entire ransomware network, releasing a complete set of decryption keys in the process.

21 Million Stolen Fortune 500 Credentials for Sale on Dark Web – SecurityWeek

  • A new study on leaked data used deep-learning techniques to sift through millions of leaked credentials on the darkweb. After removing duplicates, anomalies and default passwords it still found around 21 million different credentials belonging to the Fortune 500 companies; more than 16 million of which were compromised during the last 12 months. All the results were cleartext passwords, either because they were never encrypted, or hackers had decrypted them already.

Ohio Establishes ‘Cyber Reserve’ to Combat Ransomware – NextGov

  • Ohio has become the first state to set up a “Cyber Reserve” force; five volunteer teams of 10 people apiece who are ready to be called into service in a cybersecurity emergency.

Why the EU Is About to Seize the Global Lead on Cybersecurity – Forbes

  • The European Commission has made cybersecurity a “high priority” and proposed that the cybersecurity budget for 2021-27 include €2 billion to fund “safeguarding the EU’s digital economy, society and democracies through polling expertise, boosting EU’s cybersecurity industry, financing state-of-the-art cybersecurity equipment and infrastructure.” Forbes argues that similar US legislation and programs have been left in a segmented and fragmentary state with little national or international cohesion to them.

In Case You Missed It