File-less execution and use of steganography by IcedId Bot

The SonicWall Capture Labs Threat Research team has found an MS Word document that is being used as the initial infection vector for the IcedId bot. The malicious Word file is being circulated as an email attachment.

The document carries a malicious macro whose execution is kicked off by the “AutoOpen” method. The document also contains an image that carries a message urging the user to enable content, as shown below:

Execution Flow

Upon execution, the macro creates three folders as listed below:

  • C:\PrideTxT\
  • C:\GroupLogs\
  • C:\LogDsktop\

One of the three folders, “C:\LogDsktop\” is used to drop batch scripts named “Light.cmd” and “Dark.cmd” whose malicious content is present in UserForm.

It drops another file named “blue.cmd” in the “C:\GroupLogs\” folder which contains junk data.

  • C:\LogDsktop\Light.cmd
  • C:\LogDsktop\Dark.cmd
  • C:\GroupLogs\blue.cmd

The Dark.cmd batch script contains obfuscated VBScript code interleaved with junk data to hide the script’s purpose, which is to download putty.exe from “hxxps://the.earth.li/~sgtatham/putty/latest/w32/putty.exe”. The downloaded executable is saved on disk as “c:\GroupLogs\BrainGos.exe”.

Like other dropped batch scripts, Light.cmd file also starts with junk data after which the malicious PowerShell code begins. The code is present in Base64 encoded form and is taken from the UserForm “UserForm2” as shown below:

(Image: Obfuscated Light.cmd)

The purpose of the encoded script is to download another PowerShell script and execute it, as shown below:

(Image: De-Obfuscated Light.cmd)

The downloaded PowerShell script is highly obfuscated. After ten levels of de-obfuscation, the PowerShell script becomes quite readable and easy to understand.

(Image: Obfuscated PowerShell Script)

(Image: De-obfuscated PowerShell Script)

The de-obfuscated script first loads a PNG file named “photo.png” from the %LOCALAPPDATA% folder. If the file is not found on disk, it tries to download the file from a list of URLs which are hardcoded in the script.

(Image: Download PNG file)

After a successful download, the script copies itself into the Windows registry. This helps it evade security products that do not scan the registry. For persistence, a Windows scheduled task is created which loads the PowerShell script from the registry at user logon and executes it.

 

(Image: Registry Entry)

(Image: PowerShell code and Task Scheduler)

After ensuring persistence, the malware performs the following checks to confirm that the file on disk is the same PNG file it received from the remote server:

  • The size of the file is less than 65535 bytes, and
  • the byte at offset 0x57 is 0x49 (ASCII ‘I’), the first byte of the IDAT chunk identifier.

Shellcode extraction from the PNG file:

  1. The bytes from offset 0x5B to 0x62 are the RC4 decryption key.
  2. The bytes from offset 0x63 to the end of the file are the RC4-encrypted data.
  3. The eight-byte key is used to recover the shellcode from the PNG file by RC4 decryption.

 

After extracting the shellcode, the malware determines the entry point within it by checking the processor architecture. If the processor architecture is ‘AMD64’, the DWORD value at the twelfth byte of the shellcode is the execution point; otherwise the DWORD value at the eighth byte is used.

(Image: entry point identification)

The malware then allocates memory with Read/Write/Execute permissions equal in size to the shellcode, copies the shellcode into the allocated memory and transfers execution to it by creating a thread whose start address is the previously computed entry point.

(Image: memory allocation & thread creation)

Purpose of shellcode

The shellcode first launches an svchost process in suspended mode, injects the IcedId bot payload (the shellcode itself) into it and resumes execution at the entry point of the injected code. From that point the IcedId bot runs inside svchost, and svchost communicates with the server.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: IcedId.A (Trojan)

This threat is also detected by SonicWall Capture ATP with RTDMI.


E-rate Funding 2020: Use It or Lose It?

The new FCC Report & Order on the U.S. government’s E-rate rules of engagement for 2020 and beyond is here, and it includes some critical E-rate funding changes that could impact current K-12 budgets.

First, this highly anticipated order permanently locks in Category Two (CAT2) funding for the E-rate program. Many rumors were flying around that E-rate program funding for infrastructure was going away. Well, we have our answer: it is here to stay!

Another critical change of the E-rate program concerns budgets. E-rate budgets begin a new cycle that will be in subsequent five-year periods starting in 2021.

What does that mean for schools and libraries participating in the program? Essentially, if a school or library is sitting on a bucket of CAT2 monies from the 2015-2020 season, it must spend them now, in E-rate 2020, or lose that funding (the exact date is to be released in January). This means there are millions of dollars sitting idle that schools and libraries must take advantage of during this funding period.

Don’t lose E-rate 2020 funding

Now is the time for schools to act. There will undoubtedly be a tidal wave of applications to surge in the coming weeks. This E-rate season has been slow for Form 470 postings compared to past years and the delay in the Order has created a ‘watch-and-wait-to-post’ environment.

This delay created a short window for schools and libraries to act upon their funding requests. But when will the Universal Service Administration Company (USAC) start the clock on Form 471 posting season? Usually this would happen mid-January. With the rules of engagement posting so late in the year, will the E-rate 2020 season extend beyond March? We should know more soon.

What is E-rate?

To help offset funding and staffing shortages, the U.S. Department of Education and the FCC launched the E-rate program, which helps make telecommunications and information services more affordable for schools, campuses, districts and libraries.

The E-rate program is operated by the USAC, which has a core focus of providing underfunded verticals the access to affordable technology and security services. This includes schools, libraries, rural healthcare organizations and more. USAC provides a yearly Eligible Services List (ESL), which outlines which types of products and services can be procured via E-rate program discounts.

SonicWall and E-rate

Through its global channel of more than 21,000 technology partners, SonicWall is actively involved in helping K-12 education organizations cost-effectively obtain and deploy network security solutions. SonicWall provides a broad array of E-rate-eligible products and services, including firewalls and turnkey Security-as-a-Service solutions.

SonicWall integrated solutions meet the needs of school districts at the highest efficacy and at price points that fit within K-12 budget constraints. SonicWall helps reduce the total cost of ownership (TCO) for these under-funded organizations.

With the most comprehensive channel program in the industry, combined with additional E-rate discounts, SonicWall and our partners are best positioned to meet the needs of K-12 customers and help them take full advantage of the funding E-rate provides for securing their networks.

If you are an eligible K-12 organization, please contact your preferred SonicWall reseller for information on E-rate benefits and discounts, or visit the SonicWall E-rate page for information, tools and guidance.

For more information on applying for E-rate funding, watch SonicWall’s step-by-step video series. Or, you can submit a request to talk to a SonicWall E-rate expert now.

Navigating the E-rate Program

Microsoft Security Bulletin Coverage for December 2019

SonicWall Capture Labs Threat Research Team has analyzed and addressed Microsoft’s security advisories for the month of December 2019. The list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2019-1332 Microsoft SQL Server Reporting Services XSS Vulnerability
There are no known exploits in the wild.
CVE-2019-1349 Git for Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-1350 Git for Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-1351 Git for Visual Studio Tampering Vulnerability
There are no known exploits in the wild.
CVE-2019-1352 Git for Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-1354 Git for Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-1387 Git for Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-1400 Microsoft Access Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-1453 Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2019-1458 Win32k Elevation of Privilege Vulnerability
ASPY 5854:Malformed-File exe.MP.114
CVE-2019-1461 Microsoft Word Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2019-1462 Microsoft PowerPoint Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-1463 Microsoft Access Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-1464 Microsoft Excel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-1465 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-1466 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-1467 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-1468 Win32k Graphics Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-1469 Win32k Information Disclosure Vulnerability
ASPY 5855:Malformed-File exe.MP.115
CVE-2019-1470 Windows Hyper-V Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-1471 Windows Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-1472 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-1474 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-1476 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-1477 Windows Printer Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-1478 Windows COM Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-1480 Windows Media Player Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-1481 Windows Media Player Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-1483 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-1484 Windows OLE Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-1485 VBScript Remote Code Execution Vulnerability
ASPY 14631:VBScript Remote Code Execution Vulnerability (DEC 19) 1
CVE-2019-1486 Visual Studio Live Share Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2019-1487 Microsoft Authentication Library for Android Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-1488 Microsoft Defender Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2019-1489 Remote Desktop Protocol Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-1490 Skype for Business and Lync Spoofing Vulnerability
There are no known exploits in the wild.

Black Friday Cyberattacks: Businesses Face Surge of Malware, Ransomware on U.S. Shopping Holiday

Cyber Monday and Black Friday are the proverbial holiday shopping seasons for cybercriminals and their strategic cyberattacks, including malware, ransomware and phishing attacks. Eager online shoppers are hurried to fill holiday dreams — often at the detriment of cybersecurity best practices and common sense.

According to Adobe Analytics, consumers spent $7.4 billion online during this year’s Black Friday event, up $1.2 billion over 2018. Those numbers jumped for Cyber Monday, where retailers collected $9.4 billion in online sales on the frantic shopping holiday.

That kind of volume — in terms of both people and dollars — makes for a lucrative target for the modern cybercriminal. In 2018, SonicWall Capture Labs threat researchers discovered a spike in ransomware attacks during the Black Friday and Cyber Monday shopping events, as well as a 45% jump in phishing attacks.

Black Friday and Cyber Monday in 2019 resulted in much of the same. SonicWall Capture Labs threat researchers recorded* a double-digit malware spike (63%) in the U.S. during the eight-day holiday shopping window from Nov. 25 to Dec. 2.

  • 129.3 million malware attacks (63% increase over 2018)
  • 639,355 ransomware attacks (14% decrease over 2018)
  • 51% increase in phishing attacks on Black Friday (compared to the average day in 2019)

Cyber Monday attacks dip, Black Friday takes the hit

Cybercriminals weren’t waiting until Cyber Monday to launch their campaigns, either. In the U.S., both malware (130%) and ransomware attacks (69%) were up on Black Friday compared to 2018. This trend continued on Cyber Sunday with increases in malware (107%) and ransomware (9%).

Interestingly, ransomware attacks were down on Cyber Monday (-41%) and Small Business Saturday (-55%), resulting in an overall 14% decrease in U.S. ransomware attacks during the eight-day shopping window.

Malicious Android apps spotted during Black Friday

It’s no secret that much of holiday shopping is done on mobile apps. Busy online shoppers often leverage mobile apps that keep track of deals, provide discount coupons and offer the convenience of skipping long lines at shopping malls.

To diversify their attack strategies, cybercriminals and malware writers use this opportunity to spread malware under the guise of shopping and deal-related apps — particularly during this eight-day Thanksgiving holiday shopping window.

In the past few weeks alone, SonicWall Capture Labs threat researchers observed a number of malicious Android apps that use the shopping theme to trick users into downloading and installing these apps.

One of the more notable malicious apps is this Amazon Shopping Hack, which is tied to a range of survey scams that attempt to steal user data and sensitive information.

Name: Amazon Shopping Hack
Package: com.amazon.mShop.android.shopping.hack
SHA: fa87b95eead4d43b2ca4b6d8c945db082b4886b395b3c3731dee9b7c19344bfa

After execution, this app shows a human verification page to continue using this app. This “verification” essentially leads to survey-related scams that attempt to extract sensitive user information, such as email address, credit card details, address, etc.

One of the domains contacted by this app during execution is mobverify.com. A quick search about this domain revealed a number of other survey related pages:

The mobverify.com domain is associated with a number of malevolent apps, survey scam links and malicious executables. During analysis, we observed a GET request to mobverify.com, which downloads a json file containing a list of different survey scams:

For additional examples of malicious Android apps, please review the in-depth findings of the Capture Labs threat team: Malicious Android Apps Observed During Thanksgiving Season 2019.

Intelligence for this report was sourced from real-world data gathered by the SonicWall Capture Threat Network, which securely monitors and collects information from global devices and resources including more than 1 million security sensors in nearly 215 countries and territories.


* As a best practice, SonicWall routinely optimizes its methodologies for data collection, analysis and reporting. This includes improvements to data cleansing, changes in data sources and consolidation of threat feeds. Figures published in previous reports may have been adjusted across different time periods, regions or industries.

3LOSH RAT is using GitHub available njRAT C# Stub by NYAN CAT

Malware authors keep looking for ways to evade detection by security vendors. They study the behavior and detection capabilities of security products and modify their code and infection chains accordingly. The 3LOSH RAT (Remote Access Trojan) uses Living Off The Land tactics and changes its infection chain depending on whether Avast Antivirus is present on the victim’s machine. The SonicWall RTDMI™ engine has recently detected the initial vector for 3LOSH RAT, a VBScript file inside an archive which is delivered to the victim’s machine as an email attachment:

 

The VBScript loads the PowerShell code from Pastebin (text storage site) and invokes “BasharBachir” function using powershell.exe:

 

The PowerShell code downloads “C:\Users\Public\Nod.ps1” and “%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\avastt.vbs” from GitHub (a Microsoft subsidiary that provides hosting for software development). If “C:\Program Files\AVAST Software\Avast\AvastUI.exe” is not present on the victim’s machine, the PowerShell code also downloads “C:\Users\Public\avastt.ps1”. The PowerShell code then executes avastt.vbs:

 

The avastt.vbs VBScript executes Nod.ps1 PowerShell script file:

 

The Nod.ps1 PowerShell script contains the 3LOSH RAT executable and a Dynamic Link Library (DLL). If AvastUI.exe is not present on the victim’s machine, the script loads the DLL and invokes its “FUN” module, passing “C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe” and the 3LOSH RAT executable bytes as arguments. The DLL performs process hollowing to load the 3LOSH RAT executable into RegAsm.exe and then resumes the thread. The malware exhibits this process hollowing behavior only if Avast Antivirus is not installed on the victim’s machine:

 

If Avast executable is present on the victim’s machine the PowerShell script executes another PowerShell script from “C:\Users\Public\avastt.ps1”. The avastt.ps1 PowerShell script reads content from Pastebin, reverses the content and performs Base64 decoding to get the 3LOSH RAT executable file. The PowerShell script loads the 3LOSH RAT executable and invokes its EP (Entry Point):

 

3LOSH RAT:

The 3LOSH RAT is built on the njRAT C# Stub by NYAN CAT, available on GitHub. The author has modified the stub code; the resulting RAT is capable of:

  • Steal system information
  • Download and execute another malware
  • Control Windows registry entries
  • Execute plugin
  • Capture victim’s screen
  • Update RAT executable

 

The malware delays execution by 40 seconds using the Sleep Application Programming Interface (API), then sets the registry value “HKEY_CURRENT_USER\di” to “!”. The malware ensures that only one instance runs at a time by creating the mutex “165d6ed988ac1dbec1627a1ca9899d84”; if the mutex already exists, it terminates the process immediately:

 

The malware invokes the “install” module, which executes the command “netsh firewall add allowedprogram [RAT path] [RAT executable name] ENABLE” in a shell and sets the environment variable “SEE_MASK_NOZONECHECKS” to “1”:

 

The malware creates a thread which communicates with Command and Control (C&C) server. The main thread executes in a loop which keeps flushing reserved memory of the malware and keeps sending foreground window title to the C&C:

 

C&C Communication:

The malware connects to the “h[t][t]p://daqexploitfree.duckdns.org/” (C&C server). The malware gathers victim’s system information like computer name, username and Operating System (OS) etc. The Malware sends the stolen information to its C&C server and waits for the reply:

 

The data the malware receives from the C&C server contains a command, an optional sub-command and any values the command needs, separated by the delimiter “3losh@rat”.

Received data format:

command [delimiter] sub-command (optional) [delimiter] value1 (optional) [delimiter] value2 (optional) [delimiter] value3 (optional)

 

The RAT supports various commands from the C&C server:

  • ll (Connection State): The malware sets the connection state to “disconnected”.
  • kl (Idle): Does nothing.
  • prof (Registry Access):
    Sub-command ~: The malware sets the registry value HKEY_CURRENT_USER\Software\165d6ed988ac1dbec1627a1ca9899d84\value1 to value2.
    Sub-command !: The malware sets the registry value HKEY_CURRENT_USER\Software\165d6ed988ac1dbec1627a1ca9899d84\value1 to value2, reads the registry value HKEY_CURRENT_USER\Software\165d6ed988ac1dbec1627a1ca9899d84\! and sends “getvaue[delimiter]![delimiter][registry value]”.
    Sub-command @: The malware deletes the registry value HKEY_CURRENT_USER\Software\165d6ed988ac1dbec1627a1ca9899d84\value1.
  • rn (Run Executable): If the first byte of value2 is 0x1F, the malware treats value2 as a gzip-compressed PE file, decompresses it and writes the decompressed bytes into [TempFileName].[value1]. If the first byte is not 0x1F, the malware downloads a PE executable from the URL (Uniform Resource Locator) in value2 and writes the downloaded bytes into [TempFileName].[value1]. The malware then executes [TempFileName].[value1] and sends “bla” and “MSG[delimiter]Executed As [dropped file name]”. If decompression fails, the malware sends “MSG[delimiter]Execute ERROR” and “bla”; if the download fails, it sends the same two messages.
  • inv (Invoke Plugin): The malware reads the registry value HKEY_CURRENT_USER\Software\165d6ed988ac1dbec1627a1ca9899d84\value1. If the registry data length is 0 and value3 is shorter than 10 bytes, the malware sends “pl[delimiter]value1[delimiter]1”. If value3 is longer than 10 bytes, the malware gzip-decompresses value3, writes the decompressed binary into the registry value HKEY_CURRENT_USER\Software\165d6ed988ac1dbec1627a1ca9899d84\value1, sends “pl[delimiter]value1[delimiter]0” and executes the decompressed plugin.
  • ret (Return Plugin Output): The malware reads the registry value HKEY_CURRENT_USER\Software\165d6ed988ac1dbec1627a1ca9899d84\value1. If the registry data length is 0 and value2 is shorter than 10 bytes, the malware sends “pl[delimiter]value1[delimiter]1”. If value2 is longer than 10 bytes, the malware gzip-decompresses value2, writes the decompressed binary into the registry value HKEY_CURRENT_USER\Software\165d6ed988ac1dbec1627a1ca9899d84\value1, sends “pl[delimiter]value1[delimiter]0” and executes the decompressed plugin. The malware then sends “ret[delimiter]value1[delimiter][plugin output]”.
  • CAP (Capture Screen): The malware captures the victim’s screen, saves its MD5 as “LastCapturedImage” and sends “CAP[delimiter][captured image bytes]”.
  • un (Uninstall RAT):
    Sub-command ~: Uninstalls the malware.
    Sub-command !: Terminates the malware process.
    Sub-command !: Restarts the malware process.
  • up (Update RAT): If the first byte of value1 is 0x1F, the malware treats value1 as a gzip-compressed PE file, decompresses it and writes the decompressed bytes into [TempFileName].exe. If the first byte is not 0x1F, the malware downloads a PE executable from the URL in value1 and writes the downloaded bytes into [TempFileName].exe. The malware executes [TempFileName].exe, sends “bla” and “MSG[delimiter]Updating To[dropped file name]”, and uninstalls the current malware. If decompression or download fails, the malware sends “MSG[delimiter]Update ERROR” and “bla”.
  • Ex (Execute Current Plugin): If the current plugin value is NULL, the malware sends “PLG” and executes the current plugin.
  • PLG (Set Current Plugin): The malware decompresses the bytes in value1, stores the decompressed bytes as the current plugin and executes the plugin.
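The tasking format and the command table above, together with the reverse-then-Base64 stage encoding used by avastt.ps1, are enough to write a decoder for captured server-to-bot traffic. The following is an added example written for this page, not the RAT’s own code or anything from the SonicWall write-up: it splits a message on the delimiter “3losh@rat”, labels the command using the table, applies the 0x1F check the rn and up handlers use to tell an embedded gzip-compressed PE from a download URL, and undoes the avastt.ps1 encoding. Every sample message is constructed here; the URL uses the reserved .invalid top-level domain.

```python
"""Decoder for the 3LOSH RAT tasking format described above.

Added example for analysts, not the RAT's code and not from the write-up.
All messages below are constructed samples.
"""
import base64
import gzip
from dataclasses import dataclass
from typing import List, Optional, Tuple

DELIM = b"3losh@rat"

# Command -> purpose, as listed in the write-up's command table.
COMMANDS = {
    b"ll": "connection state", b"kl": "idle", b"prof": "registry access",
    b"rn": "run executable", b"inv": "invoke plugin",
    b"ret": "return plugin output", b"CAP": "capture screen",
    b"un": "uninstall RAT", b"up": "update RAT",
    b"Ex": "execute current plugin", b"PLG": "set current plugin",
}
GZIP_MAGIC = 0x1F   # first byte the RAT checks before treating a value as gzip data


@dataclass
class Task:
    command: bytes
    purpose: str
    fields: List[bytes]   # sub-command and/or value1..value3, positionally


def parse_task(raw: bytes) -> Task:
    """Split one message on the delimiter. A binary value that happens to
    contain the delimiter bytes is mis-split here exactly as the RAT would
    mis-split it; the format has no escaping."""
    parts = raw.split(DELIM)
    return Task(parts[0], COMMANDS.get(parts[0], "unknown"), parts[1:])


def payload_source(value: bytes) -> Tuple[str, bytes]:
    """rn/up semantics: a 0x1F-leading value is an embedded gzip-compressed PE,
    anything else is a URL to fetch. Returns ("embedded", decompressed) or ("url", value)."""
    if value and value[0] == GZIP_MAGIC:
        return "embedded", gzip.decompress(value)
    return "url", value


def describe_run(task: Task) -> Optional[str]:
    """Summarise rn (value1 = extension, value2 = payload) and up (value1 = payload)."""
    if task.command == b"rn" and len(task.fields) >= 2:
        kind, data = payload_source(task.fields[1])
        return "rn: write %s payload as [TempFileName].%s (%d bytes)" % (
            kind, task.fields[0].decode(errors="replace"), len(data))
    if task.command == b"up" and len(task.fields) >= 1:
        kind, data = payload_source(task.fields[0])
        return "up: replace RAT with %s payload (%d bytes)" % (kind, len(data))
    return None


def decode_avastt_stage(text: str) -> bytes:
    """avastt.ps1: the Pastebin content is reversed, then Base64-decoded, giving the PE."""
    return base64.b64decode(text[::-1])


# Constructed samples: a fake 16-byte "PE", gzip-wrapped as the RAT expects.
FAKE_PE = b"MZ" + b"\x00" * 14
SAMPLE_RN_EMBEDDED = DELIM.join([b"rn", b"exe", gzip.compress(FAKE_PE)])
SAMPLE_RN_URL = DELIM.join([b"rn", b"exe", b"http://c2.example.invalid/stage.exe"])
SAMPLE_PROF = DELIM.join([b"prof", b"~", b"value1", b"value2"])


if __name__ == "__main__":
    for msg in (SAMPLE_RN_EMBEDDED, SAMPLE_RN_URL, SAMPLE_PROF, b"kl"):
        t = parse_task(msg)
        print(t.command, "->", t.purpose, "| fields:", len(t.fields), "|", describe_run(t))
```

Fed a decrypted C&C session, the decoder turns each message into a labelled command plus its raw values, which is what a detection engineer needs to write signatures on the delimiter, the 0x1F branch and the fixed reply strings (“bla”, “MSG…”, “pl…”) rather than on any one sample.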

 

Programming Deficiency:

After analyzing the malware code, we found that it contains code which is never executed. Diving deeper into the unexecuted code, we found that it contains errors: the malware author used extra double quotes while declaring string values. The author could not fix these errors but still managed to build a working RAT executable by disabling some features.

Disabled Features:

  • Copy and execute malware from %TEMP%\microsoft.exe and terminate the current process.
  • Registry entry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • Registry entry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Copy malware into startup folder.
  • Base64 decoding for victim’s name (NYAN CAT)

 

Unavailability of the archive file in any of the popular threat intelligence sharing portals like the VirusTotal and the ReversingLabs at the time of writing this blog indicates its uniqueness and limited distribution:

 

Evidence of the detection by RTDMI(tm) engine can be seen below in the Capture ATP report for this file:

 

Clop Ransomware

Overview:

SonicWall Capture Labs Threat Research Team recently found a new sample and activity for the “Clop” ransomware. The notable aspects of this sample are its use of asymmetric encryption and of the Mersenne Twister pseudo-random number generator. The sample encrypts only files created in 2019. Before going into the final stages of the ransomware, the sample checks for installed anti-virus software such as Malwarebytes.

The sample will also do the following:

  • Deletes the shadow volumes with vssadmin (“vssadmin Delete Shadows /all /quite”).
  • Resizes the shadow storage for the devices C through H so that the shadow volumes cannot be recreated.
  • Uses bcdedit to disable the recovery options in the boot configuration and to ignore any boot failures.
  • Creates the service “WdiSystemSHost”.
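The four actions listed above are the recovery-tampering steps that precede encryption, and they are visible in process-creation telemetry before any file is touched. The following is an added example written for this page, not code from the SonicWall write-up: it runs a small rule set over constructed process-creation log lines and flags shadow-copy deletion, shadow-storage resizing, bcdedit recovery changes and installation of the “WdiSystemSHost” service. The specific bcdedit switches (recoveryenabled, bootstatuspolicy) are assumed from the write-up’s description rather than quoted from it, and the log line format is invented for the example.

```python
"""Detection logic for the recovery-tampering steps listed above.

Added example, not from the SonicWall write-up. The log format and every
sample line are constructed; the bcdedit switches are an assumption.
"""
import re
from typing import Dict, List, Tuple

# (rule name, pattern over the full command line). Case-insensitive so that
# "Delete Shadows" and "delete shadows" both match.
RULES = [
    ("shadow_copy_deleted",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("shadow_storage_resized",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
    ("boot_recovery_disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no"
                r"|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("clop_service_installed",
     re.compile(r"\bsc(?:\.exe)?\b.*\bcreate\b.*\bWdiSystemSHost\b", re.I)),
]

# Invented line format: "<timestamp> host=<name> pid=<n> cmd=<command line>"
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) cmd=(?P<cmd>.*)$")

Hit = Tuple[str, str, str]   # (timestamp, rule name, command line)


def parse_line(line: str) -> Dict[str, str]:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised log line: %r" % line)
    return m.groupdict()


def match_rules(cmd: str) -> List[str]:
    """Names of every rule whose pattern matches the command line."""
    return [name for name, pat in RULES if pat.search(cmd)]


def analyze(lines: List[str]) -> Dict[str, List[Hit]]:
    """Group rule hits per host."""
    hits: Dict[str, List[Hit]] = {}
    for line in lines:
        ev = parse_line(line)
        for rule in match_rules(ev["cmd"]):
            hits.setdefault(ev["host"], []).append((ev["ts"], rule, ev["cmd"]))
    return hits


def ransomware_like(hits: List[Hit], min_rules: int = 2) -> bool:
    """One vssadmin call can be legitimate admin work; two or more distinct
    recovery-tampering behaviours on the same host is the pattern to page on."""
    return len({rule for _, rule, _ in hits}) >= min_rules


# Constructed sample log (not real telemetry). The first line repeats the
# vssadmin command string exactly as the write-up quotes it.
SAMPLE_LOG = [
    '2019-12-05T10:00:01Z host=ws01 pid=4120 cmd=vssadmin Delete Shadows /all /quite',
    '2019-12-05T10:00:02Z host=ws01 pid=4124 cmd=vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB',
    '2019-12-05T10:00:02Z host=ws01 pid=4125 cmd=vssadmin resize shadowstorage /for=D: /on=D: /maxsize=401MB',
    '2019-12-05T10:00:03Z host=ws01 pid=4130 cmd=bcdedit /set {default} recoveryenabled No',
    '2019-12-05T10:00:03Z host=ws01 pid=4131 cmd=bcdedit /set {default} bootstatuspolicy ignoreallfailures',
    '2019-12-05T10:00:05Z host=ws01 pid=4140 cmd=sc create WdiSystemSHost binPath= "C:\\Users\\Public\\svc.exe"',
    '2019-12-05T10:01:00Z host=fs02 pid=7001 cmd=vssadmin list shadows',
    '2019-12-05T10:02:00Z host=fs02 pid=7002 cmd=notepad.exe C:\\Users\\admin\\notes.txt',
]


if __name__ == "__main__":
    for host, host_hits in analyze(SAMPLE_LOG).items():
        verdict = "ransomware-like" if ransomware_like(host_hits) else "single indicator"
        print(host, verdict, sorted({r for _, r, _ in host_hits}))
```

The service rule only catches the command-line form of service creation; a sample that registers its service through the Service Control Manager API instead would show up in the Service Control Manager’s own event log (event ID 7045 on Windows), so a production rule should watch both sources.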

Sample Static Information:

Unpacking The Sample:

Let’s look at the starting routine of the first stage:

First stage buffer or code cave:

After the buffer is created it will decrypt and copy code into the code cave:

Calling the decrypted code cave:

The code cave will have the second stage compressed:

After decompression, the PE in memory:

Dumping Second Stage:

Second Stage Static Information:

Unpacked Starting Routine:

Asymmetric Public Key:

Mersenne Twister Indicators:

First call to MT; byte_419000 is the character array on which the Mersenne Twister engine operates:

Range of engine:

GetTickCount is used with the engine:

Seeding:

Twisting:

Anti-Virus Checks:

Shell Execute Commands:


Service Activity:

The service name is: “WdiSystemSHost”

Service procedure and controls:

SonicWall Gateway Anti-Virus (GAV) provides protection against this threat:

  • GAV: Clop.RSM_2 (Trojan)

Cyber Security News & Trends – 12-06-19

This week, SonicWall strengthens MSSP security offerings, cyberthreats to the upcoming census, and the end of decade lists begin.


SonicWall Spotlight

SonicWall Strengthens MSSP Security Offerings, Simplifies Account Management, Product Registration, Licensing Control. – SonicWall Press Release

553: Opening a Spin-off’s Liberated Growth Chapter – CFO Thought Leader podcast

  • How do you take a business unit, extract it, and set it up to be a running company on its own, all within one year? SonicWall CFO Ravi Chopra sits down with the CFO Thought Leader podcast and explains exactly how he did it with SonicWall. He also discusses his career path, his experiences in the dot com crash, and how he learns from his mentors.

Cybersecurity Should Be the Core Pillar of Any Modern Digital Hospital: Dmitriy Ayrapetov – The Economic Times of India

  • SonicWall’s Dmitriy Ayrapetov is interviewed about the impact of cyberattacks on the health industry. With ransomware attacks growing, and the rise of the Cloud and Internet of Things devices potentially opening many new entry points for cybercriminals, he stresses the need for greater cybersecurity awareness.

Cybersecurity News

Black Friday UK: Just One in 20 Discounts Are Genuine, Research Finds – The Guardian (UK)

  • Research by consumer group Which? has found that the majority of Black Friday deals are sold at the same price or cheaper throughout the year. SonicWall figures on ransomware are also referred to, highlighting the increase in cyberattacks around the Black Friday period.

Special Report: 2020 U.S. Census Plagued by Hacking Threats, Cost Overruns – Reuters

  • An in-depth investigation into the upcoming 2020 US census has found that despite a major technology overhaul, fears of hacking attempts are running high and a lack of adequate training and understanding of cybersecurity risks internally is not helping.

Report Highlights Nation-State Cyberthreats Facing SMBs in 2020 – Tech Republic

  • A new survey of over 1000 cybersecurity officials working at SMBs has found that more than 60% of respondents intend to increase their cybersecurity budgets next year due to growing fears of cyberattacks from both at home and abroad, especially during the upcoming elections.

India Plans Security Audit of WhatsApp After Hacking Attempt – Reuters

  • The Indian government is pushing for a security audit of WhatsApp after revelations emerged last month that spyware inserted by surveillance groups allowed access to the phones of roughly 1400 users.

44 Million Microsoft Users Reused Passwords in the First Three Months of 2019 – ZDNet

  • Microsoft has completed an audit of their accounts and found that 44 million people are still using usernames and passwords that were leaked online in 2019. A forced password reset has been enacted to help solve the problem.

FBI Issues Smart TV Cybersecurity Warning – Infosecurity Magazine

  • The Federal Bureau of Investigation has issued a warning to holiday shoppers over the cyber-risks an unsecured smart TV might pose to a household. Default passwords should be changed, and a familiarization of all connection options is recommended at a bare minimum.

And Finally

A Decade of Malware: Top Botnets of the 2010s – ZDNet

  • It’s the end of a decade, and with it come the lists! ZDNet rounds up some of the biggest botnets, in both size and infamy, that hit throughout the 2010s, including those old favorites Emotet, Trickbot and Dridex.

In Case You Missed It

Using some photo editing apps on Android might infect you with Adware

SonicWall Threats Research Team found a few photo editor applications distributed via the Google Play Store. Upon analysis, these apps were found to be adware. They are no longer available in the Google Play Store, having been removed after we reported them to the relevant team.

Reported malicious apps are shown below:

 

All the applications have similar functionality, though the developer names differ. The download counts of these apps indicate that many users might be affected.

The malicious files are not available on popular threat intelligence portals such as VirusTotal, which indicates the uniqueness of the samples:

 

INFECTION CYCLE:

Some of the permissions requested by these apps which could give access to user’s sensitive data are listed below:

  • INTERNET
  • READ SETTINGS
  • ACCESS FINE LOCATION
  • READ PHONE STATE
  • READ EXTERNAL STORAGE
  • WRITE EXTERNAL STORAGE
  • WAKE LOCK

Upon installation, the app appears on the app drawer as shown below:

 

Upon launch, the application presents an alluring screen to make it appear to be a genuine photo editing application. Later, it starts showing full-screen ads with no close button, as shown below:

 

NETWORK COMMUNICATION:

While Ads are displayed to the user, the app requests a resource from a malicious web server. The response data contains a list of Ad-serving URLs in encrypted form, as shown below:

(Code Snippet)

(Request & Response)

UNVEILING RESPONSE DATA:

The key used to decrypt the encrypted response data is present in the code itself. The decrypted data contains a list of Ad-serving URLs and parameters which are used to compute the Ad display time:

 

The ‘egt’ parameter, with value 10, gives the Ad display time in milliseconds when multiplied by 1000. The ‘al2’ and ‘cts’ parameters, which contain lists of URLs, are loaded in the browser:

(code snippet for URL loading)
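An analyst-side parser for the decrypted response described above, added here as an example; it is not the app's code and not SonicWall's. The page does not describe the cipher or the wire format, so this starts from already-decrypted text and assumes JSON with the three parameter names the analysis mentions (‘egt’, ‘al2’, ‘cts’); the response content is constructed, and the hostnames are reserved `.invalid` names rather than real indicators. It computes the display interval the same way the app does and collects the URL lists into a deduplicated set of hosts suitable for a blocklist or a proxy log search.

```python
import json
from urllib.parse import urlsplit

# Constructed stand-in for a decrypted response (not from the samples).
# JSON with these three keys is an assumption of this example.
SAMPLE_DECRYPTED = json.dumps({
    "egt": 10,
    "al2": ["http://ads.example.invalid/a?c=1", "http://ads.example.invalid/b"],
    "cts": ["http://promo.example.invalid/x", "http://ads.example.invalid/a?c=1"],
    "other": "ignored by the app for display purposes",
})


def ad_display_time_ms(config):
    """'egt' is multiplied by 1000, so it is a display time in seconds."""
    return int(config["egt"]) * 1000


def ad_urls(config):
    """Union of the 'al2' and 'cts' URL lists, deduplicated, order preserved."""
    seen, out = set(), []
    for key in ("al2", "cts"):
        for url in config.get(key, []):
            if url not in seen:
                seen.add(url)
                out.append(url)
    return out


def analyse(decrypted_text):
    """Summarise a decrypted response: display interval, URLs and their hosts.

    Raises ValueError on a response that lacks the expected parameters so a
    changed C2 format is noticed rather than silently reported as empty.
    """
    config = json.loads(decrypted_text)
    if "egt" not in config or not any(k in config for k in ("al2", "cts")):
        raise ValueError("response does not carry the expected parameters")
    urls = ad_urls(config)
    hosts = sorted({urlsplit(u).hostname for u in urls if urlsplit(u).hostname})
    return {
        "display_time_ms": ad_display_time_ms(config),
        "urls": urls,
        "hosts": hosts,
    }


if __name__ == "__main__":
    summary = analyse(SAMPLE_DECRYPTED)
    print("display every %d ms" % summary["display_time_ms"])
    for host in summary["hosts"]:
        print("block/search:", host)
```

The ValueError path is deliberate: when the server changes its parameter names, a parser that returns an empty host list would look like a clean result in a pipeline, while an exception gets the new format looked at.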

Ads keep popping up in new tabs whenever the web browser is launched, as shown in the following image:

 

The app hides its icon from the device which makes it difficult for the user to identify the app responsible for the activity:

 

The user’s device location is traced to display geo-location specific Ads:

 

Like any other Adware application, it not only annoys the user by showing Ads at regular intervals, but also drains the battery and consumes bandwidth and other resources:

(Code snippet: battery and bandwidth consumption by the app)

 

Currently, these apps are no longer present on the Play Store. However, if these apps were installed before they were removed from the Play Store, we advise users to uninstall them from their devices.

SonicWall Capture Labs provides protection against this threat with the following signature:

  • AndroidOS.HiddenAds.D (Adware)

Indicators of Compromise (IOCs):

  • 822ae1937a2b9bec931ebfd8da639f05fb308b90c03d5f2cadf66fce7e72b138
  • bbe60005d5104d917f4ce56b1cd145537e84509e9bb7807b7597bddd3a4308a8
  • 4d15fee618798efba7b6cda5575236e761fcde5a58168877b7e7e02bfb9f6439
  • 7f8faa0fff45fa40668cd935c1da632d2707756e7563f0648842dfb4dc76505f
  • 0d6ea8a13bbb87482fee12fc88db958a8b103c952dc05896afc8a552625dcec2

My Workspace: Streamlining Asset Management for MSSPs

Managed security services providers (MSSP) are being trusted more and more to help small- and medium-sized business (SMB), as well as distributed enterprises, remove the costs and complexity (i.e., headaches) of managing and protecting their digital assets and users.

There is a constant need for easing customer and asset lifecycle management for MSSPs. This includes everything from onboarding new tenants, managing and accounting for assets used by customers (dedicated or shared, leased or co-managed) to granting visibility and control to employees and customers.

For over 15 years, SonicWall partners and customers have used the MySonicWall portal to manage their assets, including registering products and licensing services.

To cater to the changing dynamics of security operations, SonicWall introduces My Workspace to easily manage customers, assets and access control.

Gain ‘snapshot’ view of all tenants, assets

As the new home for MySonicWall users, My Workspace functions as a dashboard offering a snapshot view of all tenants and assets registered to an MSSP with actionable intelligence.

Quick alerts for calls to action, including licenses that may be expiring or new software updates for hardware/software products, guide administrators to where they should prioritize their time for the day. My Workspace is also a shortcut to customer lifecycle management workflows, including tenant management, product management and user management.

Organize customers by ‘Tenants’

Tenants are the new way to segregate assets used by different customers — especially when using cloud services like Capture Security Center, Capture Client, Cloud App Security and WiFi Cloud Manager.

MSSPs can easily onboard new customers by launching the ‘Create Tenant’ wizard to assign a name and instantly provision role-based access control to user groups. User groups are assigned roles to manage and operate assets. Roles are assigned to operate every managed product, including MySonicWall operations as well.

Every tenant can have multiple user groups with access to MySonicWall (e.g., administrators and service line managers within the MSSP teams who need full admin or read-only access, or customer teams that may need varying degrees of privileges depending on their services requirements.)

Simplified product registration, management

Even product registration and product management workflows have been simplified. Registration is as easy as 1-2-3:

  1. Choose a tenant
  2. Enter serial number, auth-code or activation key
  3. Configure management options

Product views are faster and common workflows — like transfers across tenants, updating zero-touch settings for firewalls and activating additional services — are accessible via quick-action buttons. Bulk registrations have been simplified to allow the onboarding of multiple assets for one or more customers at the same time.

Simple learning processes for both end-users and MSSPs

While the user experience and interface are improved, the need for learning or “unlearning” existing practices is little to none. With contextual help available in each workflow, as well as the launch of a newly designed quick-start guide, both new and existing users will easily understand how to make the best of the new workflows to streamline daily operations.

My Workspace is open to all users and not limited only to MSSPs. Even SonicWall end-customers can take advantage of these features to streamline how they manage their own assets. Large enterprises may segregate their operations into multiple tenants based on their IT operating models.

Ready to see My Workspace? Customers and partners can log in to www.mysonicwall.com with their active credentials and take it for a spin!

SonicWall Simplifies Day-to-Day Operations for MSSPs

For nearly three decades, SonicWall’s been a 100% channel company. Our global family of SonicWall SecureFirst partners, including MSSPs, are the lifeblood of our business.

To ensure their success — and to help protect more than 500,000 customers worldwide — SonicWall is always innovating with our partner community in mind. Today, we announce important ways SonicWall empowers MSSPs to simplify business, operations, security and customer management.

  • SonicWall unifies MSSP security offerings via the SonicWall Capture Cloud platform, which delivers integrated, end-to-end security.
  • SonicWall helps eliminate complexities of day-to-day MSSP operations by simplifying oversight, visibility and management of cybersecurity ecosystems.
  • SonicWall enables new, emerging or fast-growing MSSPs simple, time-saving methods to manage accounts, register products and control licensing.
  • SonicWall empowers MSSPs with real-time, per-customer analytics for smarter, faster and better decision-making capabilities.

The complete Capture Cloud Platform includes SonicWall’s full product portfolio —  firewalls, email security, wireless security, endpoint protection, cloud application security, etc. — to strengthen and unify security across cloud, web, network, wireless, mobile and endpoints. And a handful of new and enhanced offerings make this even easier.

Eliminate complexities of day-to-day MSSP operations

Leading this MSSP-focused announcement is the introduction of My Workspace, an intuitive new user interface and experience within the SonicWall Capture Security Center (CSC). My Workspace makes running a complex managed security service business simpler and more effective. 

Available to MSSPs, partners and end-users alike, My Workspace provides an intelligent, fluid workstream to easily and quickly on-board new customers, set up and manage multiple tenants, and provision role-based access control to manage and operate different customer environments.

My Workspace also provides valuable self-service capabilities that allow MSSPs to engage, collaborate and communicate with customers, and facilitate, track and resolve issues and support cases, as needed.

Available within SonicWall Global Management System (GMS) 9.2, SonicWall Zero-Touch Deployment helps MSSPs simplify and accelerate the provisioning process for SonicWall firewalls at remote and branch office locations — even those without on-site IT staff. Admins also can centrally push custom configurations to all zero-touch appliances at multiple sites across the globe.

SonicWall Workflow Automation, also available via GMS 9.2, offers rigorous configuration processes that review, compare, validate and approve firewall policies prior to deployment. Approval groups are user-configurable to enforce customer security policies and/or meet regulatory requirements.

Easily manage accounts, register products and control licensing

SonicWall My Workspace even provides a snapshot of all products that have been registered by the account across multiple tenants, including those managed by the current account (e.g., fully managed customers) and/or shared by other accounts (e.g., co-managed customers).

The intuitive My Workspace dashboard gives MSSPs instant visibility and awareness of products that have expiring licenses or require software/firmware updates. MSSPs can easily perform bulk product registrations, activate licenses and recommend trials.

With the tenants workflow, MSSPs and large distributed enterprises can quickly onboard new tenants and register products to individual tenants for separation of data and policies. Tenant workflows also provide instant access to security operations teams across organizations, including granular, role-based access control to all products managed by Capture Security Center.

Make smarter, faster and better decisions

Updates to SonicWall Analytics (2.5) provide MSSPs an eagle-eye view into everything that is happening within their customers’ SonicWall security environments — all through a single pane of glass.

With real-time threat intelligence, MSSPs can focus time and effort on taking decisive defense actions and orchestrating rapid responses to risks identified against their customers, with greater visibility, accuracy and speed.

MSSPs can also gain complete authority, agility and flexibility to perform deep drill-down investigative analysis of network traffic, users’ activities, access, connectivity, applications and utilization, the state of security assets, security events, threat profiles and other firewall-related data.

To better understand customer security postures, MSSPs can now view customer-specific risk levels directly on the My Workspace dashboard. Integrated SonicWall Risk Meters deliver real-time indicators of customer security postures in relation to active security controls, including third-party services. Categorize attacker actions, underscore current security gaps and implement responses to neutralize incoming attacks.

New user-based analytics help MSSPs understand users, content behaviors and bandwidth consumption to maintain reliability and security.

Finally, MSSPs can track, measure and run compliant and effective customer networks and security operations with powerful, pre-defined and custom reports. GMS automatically creates and delivers over 140 pre-defined reports and offers the flexibility to create custom or brandable reports using any combination of auditable data for various use cases.

How MSSPs can embrace the power of the Capture Cloud Platform

By leveraging the Capture Cloud Platform, MSSPs can ease customer fears by solving their top pain points, including ransomware attacks, application vulnerabilities, encrypted threats, intrusions, account takeover (ATO), business email compromise (BEC), wireless security, data loss prevention, mobile security, phishing, endpoint protection, security management, shadow IT and more.

MSSPs also can eliminate security silos with an intelligence-driven ecosystem, which applies SonicWall’s entire suite of interconnected and interdependent security and management solutions across entire cloud or on-prem customer environments.

These innovative new and enhanced capabilities within SonicWall Capture Security Center and Global Management System empower MSSPs with greater views into customer environments to simplify management, automate account processes, speed decision-making, improve support and correct security gaps.