Hackers are actively trying to exploit vulnerable Microsoft Exchange Servers

SonicWall Capture Labs Threat Research team observes attackers actively probing for vulnerable Microsoft Exchange servers.

Vulnerability | CVE-2020-0688:

A remote code execution vulnerability has been reported in Microsoft Exchange Server. The weakness is due to the server failing to create unique cryptographic keys at installation time. Rather than randomly generating a key for each installation, every installation of Microsoft Exchange Server includes the same validationKey and decryptionKey values in web.config. Because the validationKey is what ASP.NET uses to MAC-protect ViewState, knowledge of the static key allows any authenticated attacker with a mailbox to forge a validly signed ViewState and trick the server into deserializing maliciously crafted data.

Exploitation:

  • Exchange User Account Takeover:

This is a crucial step in leveraging this vulnerability: exploitation requires an authenticated mailbox, so compromising any Exchange user account is enough to take over the vulnerable Microsoft Exchange Server. Attackers therefore locate exposed Outlook Web App (OWA) endpoints using search engines such as Shodan and then try to authenticate through credential stuffing, taking sets of credentials leaked through data breaches or other means and attempting to use them to log in to an Exchange account.

  • Retrieve Session Information:  

External users who connect to Outlook on the web (OWA) also have access to the Exchange Control Panel (ECP), the web-based management console in Exchange Server, in order to reach their own options page. After an Exchange user account has been taken over, the attackers log in to the ECP at "https://<ServerFQDN>/ecp" and retrieve the ViewStateGenerator and ViewStateUserKey values from the authenticated session (the __VIEWSTATEGENERATOR hidden field in the page and the ASP.NET_SessionId cookie value, respectively).

The validationKey is already known to attackers, since vulnerable versions of Exchange Server all use the same static key "CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF" as the validationKey and SHA1 as the validation algorithm.

  1. ViewStateGenerator – retrieved from the authenticated session.
  2. ViewStateUserKey – retrieved from the authenticated session.
  3. ValidationKey – static for vulnerable servers.
  4. ValidationAlg – known for vulnerable servers.

  • Generate ViewState Payload:

The next step is to create a ViewState payload. Many ASP.NET websites use ViewState to carry the state of the controls on a page between the client and the server and so achieve statefulness. ViewState is a base64-encoded serialized blob that the client posts back to the server in the body of the page through a hidden parameter called __VIEWSTATE; the server deserializes it to recover the data. Because the MAC over that blob is computed with the validationKey, using the ViewStateGenerator and ViewStateUserKey as modifiers, an attacker who holds all four values can sign arbitrary serialized data. With the retrieved information, attackers create a ViewState payload using .NET exploit tools, as shown below.

ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "<malicious code>" --validationalg="SHA1" --validationkey="<ValidationKey>" --generator="<ViewStateGenerator>" --viewstateuserkey="<ViewStateUserKey>" --isdebug --islegacy

  • Remote Code Execution:

After successfully generating the ViewState payload, attackers perform remote code execution by submitting the following URL to the vulnerable Exchange server.

https://<ServerFQDN>/ecp/default.aspx?__VIEWSTATEGENERATOR=<ViewStateGenerator>&__VIEWSTATE=<CraftedViewStatePayload>
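As an added example that is not part of the SonicWall post or any Microsoft tooling, the following Python script turns the steps above into two defender-side checks: it audits an ECP web.config for the static validationKey quoted above, and it hunts IIS W3C logs for the request shape the exploitation URL produces, an authenticated GET to /ecp/default.aspx with __VIEWSTATE and __VIEWSTATEGENERATOR in the query string. The web.config path, the sample configs and the log lines are constructed assumptions.

```python
r"""
Added example (not from the SonicWall post or any Microsoft tooling): two
defender-side checks for CVE-2020-0688 derived from the exploitation flow
described above.

  audit_machine_key()  parses an ECP web.config and reports whether the
                       static validationKey quoted in the post is present.
  scan_iis_log()       hunts IIS W3C logs for the request shape used for
                       code execution: an authenticated GET to
                       /ecp/default.aspx with __VIEWSTATE and
                       __VIEWSTATEGENERATOR in the query string.

All inputs below are constructed for the demo; the web.config location
(<ExchangeInstallPath>\ClientAccess\ecp\web.config) is an assumption.
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Static validationKey shipped by unpatched Exchange installations (from the post).
STATIC_VALIDATION_KEY = "CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF"


def audit_machine_key(web_config_xml: str) -> dict:
    """Report the <machineKey> state; static_key=True means the pre-patch key is in use."""
    root = ET.fromstring(web_config_xml)
    # <machineKey> normally lives under <system.web>; search the whole tree so
    # the check does not depend on exact nesting.
    mk = root.find(".//machineKey")
    if mk is None:
        return {"present": False, "validation": None, "static_key": False}
    return {
        "present": True,
        "validation": mk.get("validation"),
        "static_key": mk.get("validationKey", "").upper() == STATIC_VALIDATION_KEY,
    }


def parse_w3c(log_text: str):
    """Yield one dict per IIS W3C log entry, keyed by the names in the #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            values = line.split()  # IIS replaces spaces inside fields with '+'
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def scan_iis_log(log_text: str) -> list:
    """Return entries matching the CVE-2020-0688 exploitation request shape.

    Normal ECP use posts __VIEWSTATE in the request body, so a GET carrying it
    in the query string is anomalous. cs-username identifies the mailbox whose
    credentials were used and should be reset.
    """
    hits = []
    for entry in parse_w3c(log_text):
        if entry.get("cs-method") != "GET":
            continue
        if not entry.get("cs-uri-stem", "").lower().endswith("/ecp/default.aspx"):
            continue
        query = entry.get("cs-uri-query", "-")
        if query == "-":
            continue  # IIS logs '-' for an empty query string
        params = {k.lower() for k in parse_qs(query, keep_blank_values=True)}
        if {"__viewstate", "__viewstategenerator"} <= params:
            hits.append({
                "time": f"{entry.get('date')} {entry.get('time')}",
                "user": entry.get("cs-username"),
                "src_ip": entry.get("c-ip"),
                "status": entry.get("sc-status"),
            })
    return hits


# Constructed samples. The hex keys in the patched config are made-up values
# standing in for a per-install random key.
WEB_CONFIG_VULNERABLE = """<configuration><system.web>
<machineKey validationKey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF"
            decryptionKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
            validation="SHA1" decryption="3DES"/>
</system.web></configuration>"""

WEB_CONFIG_PATCHED = WEB_CONFIG_VULNERABLE.replace(
    STATIC_VALIDATION_KEY, "5E1A4C2B9F0D7E3A6B8C1D2E3F4A5B6C7D8E9F0A1B2C3D4E")

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-02-26 10:01:02 10.0.0.5 GET /owa/ - 443 CONTOSO\\jdoe 203.0.113.7 Mozilla/5.0 200
2020-02-26 10:01:09 10.0.0.5 POST /ecp/default.aspx - 443 CONTOSO\\jdoe 203.0.113.7 Mozilla/5.0 200
2020-02-26 10:02:41 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=12345678&__VIEWSTATE=%2FwEAAAAA 443 CONTOSO\\jdoe 203.0.113.7 python-requests/2.22 500
"""

if __name__ == "__main__":
    print("vulnerable config:", audit_machine_key(WEB_CONFIG_VULNERABLE))
    print("patched config:   ", audit_machine_key(WEB_CONFIG_PATCHED))
    for hit in scan_iis_log(SAMPLE_LOG):
        print("possible CVE-2020-0688 attempt:", hit)
```

Two practitioner caveats. The exploitation request is authenticated, so every hit names a mailbox whose password was successfully stuffed; reset that credential and review its other activity, not just the server. And do not treat an HTTP 500 on the flagged request as a failed attempt: the payload runs during ViewState deserialization, before the page would have rendered.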

Patch:

Find the vendor advisory here

Microsoft patched this vulnerability in February 2020 by randomizing the cryptographic keys at install time.

SonicWALL Capture Labs Threat Research team provides protection against this threat with the following signatures:

IPS: 14826 Microsoft Exchange Server Remote Code Execution (CVE-2020-0688)

IPS: 14825 /ecp/default.aspx Access (INFO)

IOC’s (Indicators of Compromise):

Below are some of the source IP addresses that SonicWall firewalls blocked:

13.57.228.15
54.185.160.4
138.68.14.1
12.251.232.10
134.209.89.216
138.197.128.133
139.162.189.189
157.245.238.238
159.203.19.15
159.203.47.213
172.105.64.188
172.105.90.222
173.255.200.120
178.79.185.139
192.241.180.240
192.241.181.54
45.33.69.57
45.33.70.185
45.33.81.143
45.79.49.174
45.79.57.25
46.101.117.27
46.101.245.165
46.101.98.23
66.175.201.230
69.164.221.241
97.107.135.129

Cyber Security News & Trends – 02-28-20

This week, SonicWall firewalls win an award and the company is named one of the coolest Network Security Companies of 2020.


SonicWall Spotlight

SonicWall Wins Best UTM Security Solution at SC Awards 2020 – SonicWall Blog

  • SC Media honors SonicWall and the NSa 2650 Firewall with its Best UTM Security Solution at the 2020 SC Awards Gala. Marrying Capture Advanced Threat Protection (ATP) and Real-Time Deep Memory Inspection (RTDMI) the NSa 2650 firewall proactively blocks mass-market, zero-day threats and unknown malware, and examines every byte of every packet.

The 20 Coolest Network Security Companies Of 2020: The Security 100 – CRN

  • As part of CRN’s 2020 Security 100 list, SonicWall is named as one of the 20 companies that have “raised their game to meet continued network security needs.” SonicWall’s My WorkSpace interface and improvements in Capture Client and Cloud App Security are cited as the reasons SonicWall is included on the list.

Life Lessons: Look at Business as a Game of Chess – IoT NOW

  • SonicWall EMEA VP Terry Greer-King is interviewed by IoT Now. He talks about his career so far, some of the worst bosses he has worked under, and what’s firing up his imagination in 2020 when it comes to the Internet of Things.

Cybersecurity News

To Secure Satellites, Bolster Cybersecurity Standards in Space – Undark

  • With SpaceX planning to launch tens of thousands of satellites over the next decade, the reality of cyberattacks on such a system needs to be dealt with sooner rather than later. Despite some movement by the US government to address these issues, there are currently no cybersecurity standards for satellites and no governing body to regulate and ensure their cybersecurity.

Cybersecurity: Do These Ten Things to Keep Your Networks Secure from Hackers – ZDNet

  • In the wake of continued cyberattacks on the health sector, the European cybersecurity agency, ENISA, has issued cybersecurity recommendations to hospitals and medical institutions in the form of ten good practices to help resilience against cyberattacks.

How Personality Influences Cybersecurity Behavior – Security Boulevard

  • The Myers-Briggs Company has released preliminary findings of a study investigating how personality types can influence cybersecurity behaviors, breaking down the results into their famous personality types. From this, a list of guidelines and tips on how to best structure security awareness solutions for the different personality types has been developed.

Australian Banks Targeted by DDoS Extortionists – ZDNet

  • A criminal gang has been attempting to extort banks and other financial institutions in Australia, threatening DDoS attacks on their websites unless a ransom is paid. Based on current evidence, the attackers have not followed through on any of their threats.

One in Four Americans Won’t do Business with Data-Breached Companies – ZDNet

  • A new survey of over 1,000 people in the USA has found that over 20% of them are willing to hand over financial information to a company that has suffered a data breach. Almost all respondents agree that businesses are financially liable to their customers after a breach.

Cybersecurity Threats for 2020 – Security Boulevard

  • Deepfakes, ransomware… and how to protect yourself from them. Security Boulevard looks at the biggest cybersecurity threats of 2020.

In Case You Missed It

Coronavirus themed Android RAT on the prowl

Malware writers have already started misusing the recent Coronavirus scare as a means to propagate their malicious creations as highlighted in one of our earlier blogs. SonicWall Capture Labs Threats Research team recently observed this tactic being used in the Android ecosystem as well in the form of a Remote Access Trojan (RAT).

An Android APK that simply goes by the name Coronavirus has been spotted. Based on the upload dates on VirusTotal and Koodous (early February 2020), this sample appears to be fairly new.

Initial Observations

After installation and execution, this sample asks the victim to re-enter the device PIN/pattern and steals it, while repeatedly requesting Accessibility Service capabilities:

Mysterious Classes and Encrypted Code

On viewing the code structure it becomes apparent that some form of packing/encoding is used in this sample. The class names appear random but have a structure of their own: most are of similar length and equally random. On inspecting the Manifest.xml file, most of the activities listed are absent from the decompiled code, which indicates that the 'real' class files are decrypted at runtime. This mechanism makes it difficult for automated tools to analyze the code and give a verdict.

The /data/ folder where the app is installed on the device contains a couple of interesting files:

ZE.json is in reality a .dex file; renaming it and opening it in a dex class viewer finally shows the class files missing from the Manifest.xml:

This .dex file contains a lot of garbage classes (classes that contain no useful code), but we found a few class files with legible code. However, we faced another challenge: a number of strings in these classes are encoded and do not make sense:

Using the decryption logic present in the code (highlighted below) we were able to decrypt these strings and understand the real functionalities of this malware:

Abilities and Functionalities

This malware listens for the following commands issued by the attacker and executes corresponding functions:

  • rat_cmd
  • rat_disconnect
  • open_folder
  • upload_file
  • get_apps
  • connect_teamviewer
  • open_teamviewer
  • device_unlock

 

We observed additional capabilities based on traces present in the code:

  • grabbing_pass_gmail
  • grabbing_lockpattern
  • logs_keylogger
  • logs_contacts
  • logs_saved_sms
  • package_name_defultsmsmenager
  • check_protect
  • run_disable_protect
  • time_run_bypass_protect
  • remove_app
  • time_run_injects
  • time_run_cc
  • admin

Using some of these commands the attacker can control the device remotely making this malware a RAT (Remote Access Trojan).

Network Communication

During our analysis we observed the malware communicating with hxxp://otispride.site and hxxp://kryll.ug, as shown below:

Based on the parameters used in the above network packets – info_device – we can determine that information regarding the infected device is being transmitted. We found more such parameters in the code as listed below:

  • d_attacker_two
  • d_attacker
  • is_attacker
  • info_device
  • new_device
  • saved_data_attacker
  • saved_data_device
  • pause_attacker
  • saved_accessibility_events
  • upgrade_patch
  • connecting
  • saved_all_sms
  • saved_contacts
  • saved_applications
  • rat_connect
  • rat_cmd

Persistence

This malware achieves persistence on the device in a number of ways.

Android's battery optimization feature puts an app into a suspended state to conserve battery, but since this malware is a RAT it works best when it is constantly listening for incoming commands from the attacker. Upon installation this malware asks the user to ignore battery optimization for the app, thereby preventing it from going into a low-power/sleep state. Later, when we tried revoking this permission from the app, it pulled a basic trick: it pressed the back button just before we could revoke the permission:

The same trick is used when we tried to revoke Accessibility Services rights:

This trick is used when we tried to uninstall the app from the device:

We could see traces in the code where this trick was employed to block removal of the TeamViewer app from the device. However, this component did not work for us and we could remove TeamViewer in the usual way.

Part of a bigger campaign

We came across a post recently where similar traits in an Android malware were highlighted. Inspection of the sample mentioned in the post – SHA cce3f896a0143deea326d803d27cda0faed292a3 – revealed that this sample and the Coronavirus sample that we analyzed both belong to the same family.

 

SonicWall Capture Labs provides protection against these threats with the following signatures:

  • AndroidOS.CoronaVirus.Spy (Trojan)

Indicators Of Compromise:

  • b8328a55e1c340c1b4c7ca622ad79649
  • ba6f86b43c9d0a34cfaac67f933146d6

Update – March 23,2020

We have consolidated the detection into a single signature instead of the two signatures listed earlier. The new signature is GAV: AndroidOS.CoronaVirus.Spy.

SonicWall Wins Best UTM Security Solution at SC Awards 2020

What is the best firewall solution? According to SC Media, that honor now belongs to SonicWall and the NSa 2650 firewall.

The NSa firewall was honored as the Best UTM Security Solution during the 2020 SC Awards gala at the InterContinental Hotel in San Francisco on Feb. 25, highlighting SonicWall’s tremendous showing at RSA Conference 2020.

SC Awards honors the achievements of the cybersecurity brands and professionals striving to safeguard businesses, their customers and critical data in North America. Product and solution entries are reviewed and scored by two panels of jurors made up of cybersecurity industry luminaries, ranging from current and former CISOs to vendor-neutral consultants and educators from academic institutions.

“After averages for each category are tallied, finalists and winners are decided. Results are completely independent. Financial/advertising considerations play no part in the results. That is, no one can ‘buy’ a win by advertising, partnering or working with SC and its various team members,” states SC Media.

More than just a sentry standing between an organization’s most valuable assets and the threats that lie beyond, the SonicWall NSa 2650 firewall provides high-speed threat prevention over thousands of encrypted and unencrypted connections, delivering high security effectiveness to mid-sized networks, branch offices and distributed enterprises — all without diminishing network performance.

“The SonicWall NSa firewalls deployed at our locations have instilled confidence that these front lines of defense devices are protecting our digital assets with industry-leading security, scalability and manageability,” said SonicWall customer Scott Pratt, Chief Information Officer of a North American financial services company.

Marrying two advanced security technologies — the multi-engine Capture Advanced Threat Protection (ATP) sandbox service enhanced by Real-Time Deep Memory Inspection (RTDMI) technology and the company’s Reassembly-Free Deep Packet Inspection — the NSa 2650 firewall proactively blocks mass-market, zero-day threats and unknown malware and examines every byte of every packet.


Catapult the Wi-Fi User Experience: Fast, Secure & Easy to Manage

We all face Wi-Fi issues at some point — either once in a while or on a daily basis. Heck, I have been there and it can be quite frustrating! In a world where everything is connected, this could lead to a ripple effect.

Not only do you have to keep your users happy, but you also have to serve the medical devices, lighting, wearables, smart devices and even refrigerators that require Wi-Fi access. To ensure seamless and always-on connectivity, we need to make sure Wi-Fi can keep pace with changing network trends.

SonicWall ensures this by bringing you new features and enhancements across its Wi-Fi products. Our Wi-Fi portfolio now includes 802.11ac Wave 2 SonicWave access points and a cloud-based management dashboard.

SonicWall WiFi Cloud Manager (WCM) is a scalable, centralized Wi-Fi network management system, simplifying wireless access, control and troubleshooting capabilities across networks of any size or region. Accessible through SonicWall Capture Security Center, WCM unifies multiple tenants, locations and zones while simultaneously supporting tens of thousands of SonicWave wireless access points (APs).

So what are some of the new features and enhancements added to WCM?

Although the new WCM release packs a punch by delivering many features and enhancements, in this blog we will discuss the top five of these features and their benefits. These enhancements are significantly beneficial to the higher education, government, retail and hospitality markets.

Amplify guest experiences with Captive Portal

Have you ever walked into a hotel, connected to its Wi-Fi network and been prompted to log in using your room number and some personal information? That is exactly what a captive portal enables.

A captive portal is a web page (also called a splash screen) displayed before the user can access the internet using a desktop or mobile device. With SonicWall Captive Portal support, businesses can amplify brand awareness and customer satisfaction by providing customizable screens for Wi-Fi access.

This portal also provides customized access to guest users through its splash page. Also, the login data can be collected and repurposed for marketing purposes. Captive Portal controls data usage on the network and provides legal protection as users may be required to agree to terms and conditions set by the business.

Boost wireless performance

A school is an example of a high-density use case. Students are congregated in classrooms, hallways and auditoriums, and yet still expect uninterrupted Wi-Fi connectivity and superior experience. How do you ensure seamless coverage and high performance in these spaces?

Radio Frequency (RF) enhancements provide superior Wi-Fi performance. Features such as Global Dynamic Channel Selection (DCS) and Radio Resource Management (RRM) drive maximum performance by always letting wireless access points choose the best channels and by boosting connectivity in multi-AP environments. They further minimize interference from neighboring channels through automatic channel and power assignment, so APs are always using the best channels and power levels. This feature uses the third radio on SonicWave access points for analysis, so it does not affect performance on the client-serving radios.

Enhance Wi-Fi security

According to the 2020 SonicWall Cyber Threat Report, SonicWall Capture Labs threat researchers recorded 9.9 billion malware attacks in 2019. Serious data breaches and exposures also continued, such as the one that hit Canva, leaving 139 million credentials exposed.

Cybercriminals are finding new ways to attack. Focused ransomware and phishing attack targets include educational institutions, hospitals and government institutions.

It is becoming increasingly critical to ensure maximum security for end users regardless of how they are connected, wired or wireless. To ensure the best protection over Wi-Fi, SonicWall offers advanced security services on its access points. These security services include the multi-engine Capture Advanced Threat Protection (ATP) sandbox, Content Filtering Service and more.

In this release, the advanced security services get an upgrade. We have added multi-engine Cloud-AV support to provide increased security and efficiency. This acts as a ‘pre-check’ to Capture ATP sandboxing. It is an additional security layer to filter data that passes through the Wi-Fi network. It improves efficiency by caching known signatures, thereby reducing the number of files that are sent to the cloud for analysis.

Control bandwidth and prioritize traffic

This feature allows admins to control data usage on the network. Based on the network usage and needs, data can be allocated or throttled. While using Wi-Fi during an event, you may notice that the performance degrades as the load on the network increases. Most likely, the network admin would have enforced bandwidth restrictions.

With Wireless Bandwidth Management Control (BWM), organizations can enforce bandwidth restrictions on their Wi-Fi networks. It allows admins to set bandwidth values and prioritize traffic in the network.

Analyze RF spectrum

Wi-Fi radio channels are limited and often crowded, which leads to interference. When interference increases, Wi-Fi performance decreases. RF interference can be better analyzed through spectrum analysis. This feature provides visualization of the RF spectrum and gives you a deep understanding of the RF environment so that you can spot anomalies quickly and mitigate them.

Fake website serves fake vpn to steal cryptocurrency

The SonicWall Capture Labs Threat Research team has analyzed a malware sample purporting to be an installer for a popular VPN product. This is not the first time malware has posed as a VPN installer, as we have previously reported here. This time, it mimicked the website of ProtonVPN. Software downloaded from the fake website installs a Trojan once executed.

The fake website looks very similar to the legitimate website.


The Trojan installer which can be downloaded from the now defunct website uses the same icon as the legitimate software and uses the following filename:

Upon execution it searches through the user's system to collect information.

Cookies, browsing history and saved login data from commonly used browsers, such as Firefox, Google Chrome, Yandex Browser, Comodo IceDragon, Kometa, QIP Surf, CentBrowser, 7Star, Rafotech Mustang and Epic Privacy Browser, among many others, are just some of the data this Trojan collects.

It also tries to steal locally stored cryptocurrency information by searching for commonly used cryptocurrency apps and wallets like Bitcoin ABC, Bitcoin Gold, Exodus, MultibitHD, Electrum and Jaxx.


Encrypted data are then sent out to a remote server.


We urge our users to always be vigilant and cautious when installing software programs particularly if you are not certain of the source.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • Dropper.A_3050 (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Scripting Engine Memory Corruption Vulnerability CVE-2020-0674

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka ‘Scripting Engine Memory Corruption Vulnerability’. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

In the exploit code, the comparator parameter passed to the sort function is not tracked by the garbage collector, so it can be freed and then used again later (a use-after-free) to achieve arbitrary code execution.

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.

The exploit connects to the following malicious domains:

Internet Explorer crashes, and the crash points to the vulnerable DLL:

SonicWall Capture Labs Threat Research team provides protection against this vulnerability with the following signature:

  • IPS 14744 Scripting Engine Memory Corruption Vulnerability (CVE-2020-0674)

Microsoft has issued a patch for this vulnerability.

IoCs:
.122.128.28

Cyber Security News & Trends – 02-21-20

This week, a SonicWall firewall achieves a perfect score in a real-world conditions laboratory test, and airports are getting ahead of the game when it comes to cybersecurity readiness.


SonicWall Spotlight

Tip of the Spear – Ping Podcast Episode 13 – Firewalls.com

  • SonicWall’s Matt Brennan talks on the latest episode of Ping, Firewalls.com’s podcast. He explains the risks of spearphishing and business email compromise for Office 365 users, and talks about the worst hands-on cybersecurity situation he has ever seen.

SonicWall Firewall Achieves Perfect Effectiveness Score, Tested in Real-World Conditions via NetSecOPEN Laboratory – SonicWall Press Release

  • This week SonicWall announced that it is one of the first security vendors to receive firewall certification in the 2020 NetSecOPEN Test Report. The SonicWall NSa 4650 firewall achieved 100% security effectiveness against all private CVEs used in the test.

Facilities Firm ISS World Crippled by Ransomware Attack – ComputerWeekly

  • Denmark-based facilities management firm ISS World disconnected from the internet after suffering a suspected ransomware attack that has left hundreds of thousands of employees without access to their systems or email. SonicWall CEO Bill Conner is quoted talking about changing ransomware tactics, as recently reported in the 2020 SonicWall Cyber Threat Report.

Cybersecurity News

Anxiety, Depression and PTSD: The Hidden Epidemic of Data Breaches and Cyber Crimes – USA Today

  • USA Today explores the psychological effects of cyberattacks, arguing that they can rival those of terrorism. According to a recent survey 86% of victims of identity theft reported feeling worried, angry and frustrated, nearly 70% felt they could not trust others and they felt unsafe, and more than two-thirds reported feelings of powerlessness or helplessness.

Oil Industry Boosts Spending on Cybersecurity Five-Fold Since 2017 – Security Boulevard

  • The oil and gas sector has been investing heavily in cyber-defenses over the past three years. In a just-published global survey of the industry, cybersecurity was cited as the biggest current investment.

US Defense Agency Says Personal Data ‘Compromised’ in 2019 Data Breach – Tech Crunch

  • The Defense Information Systems Agency (DISA), charged with providing information technology and communications support to the U.S. government, including the president and other senior officials, says its network may have been compromised between May and July 2019. Full details on the attack or what was accessed have not been released.

Phishing on Instagram Baits Russians With Free Money Promise – Bleeping Computer

  • A large-scale phishing campaign has been discovered running on Instagram to bait Russians with a fake presidential decree that promises a lump-sum payment for a citizen to start their own business.

Hacking Brain-Computer Interfaces – ZDNet

  • Brain-computer interfaces are still new tech, but it has already been proven that current models can be hacked.

Cybersecurity Check-in: How Airports are Innovating Against Cyberattacks, Security Breaches and Failing Tech Systems – ItProPortal

  • Airports are always under the microscope when it comes to security breaches, whether physical or digital. ItProPortal investigates the current cybersecurity innovations taking place at airports and by airlines in general.

In Case You Missed It

SonicWall Firewall Certified via NetSecOPEN Laboratory Testing, Earns Perfect Security Effectiveness Score Against Private CVE Attacks

Security-conscious customers face tough choices when evaluating security vendors and their next-generation firewall offerings.

To simplify this process and improve transparency in the cybersecurity market, NetSecOPEN announces SonicWall is one of only four security vendors to be certified in its 2020 NetSecOPEN Test Report.

Tested with 465 combined Public and Private Common Vulnerability and Exposure (CVE) vulnerabilities at the InterOperability Laboratory of the University of New Hampshire, the SonicWall NSa 4650 firewall achieved 100% security effectiveness against all private CVEs used in the test — CVEs unknown to NGFW vendors. Overall, SonicWall rated 99% when factoring in the results of the public CVE test.

“This apples-to-apples comparison provides security buyers with validation of real-world performance and security effectiveness of next-generation firewalls when fully configured for realistic conditions,” said Atul Dhablania, Senior Vice President and Chief Operating Officer, SonicWall, in the official announcement.

Testing firewalls in real-world conditions

The NetSecOPEN open standard is designed to simulate various permutations of real-world test conditions, specifically to address the challenges faced by security professionals when measuring and determining if the tested firewall is performing the way vendors had promised. The value of this service is maximized when test findings help you make clear and conclusive product decisions based on incontrovertible evidence.

SonicWall is among the first to excel in one of the industry's most comprehensive and rigorous benchmark tests ever created for NGFWs. In summary, the NetSecOPEN Test Report reveals that the SonicWall NSa 4650 NGFW:

  • Demonstrated one of the highest security effectiveness ratings in the industry
  • Blocked 100% of attacks against all private vulnerabilities used in the test
  • Blocked 99% of all attacks overall, private and public
  • Proved fast performance measured by NetSecOPEN at 3.5 Gbps of threat protection and up to 1.95 Gbps SSL decryption and inspection throughput
  • Affirmed its extremely high-performing and scalable enterprise security platform can meet the security and massive data and capacity demands of the largest data centers

Firewall testing methodologies, metrics

Key performance indicators (KPIs), such as throughput, latency and the other metrics listed below, are important in determining a product's acceptability. These KPIs were recorded during NetSecOPEN testing using standard recommended firewall configurations and the security features typically enabled in real-world use.

KPI definitions used in the report:

CPS (TCP Connections Per Second): the average number of TCP connections established per second during the sustaining period. In the "TCP/HTTP(S) Connections Per Second" benchmark scenario, the KPI is the average number of TCP connections established and terminated per second simultaneously.

TPUT (Throughput): the average Layer 2 throughput during the sustaining period, together with the average packets per second over the same period. Throughput is expressed in Kbit/s.

TPS (Application Transactions Per Second): the average number of successfully completed application transactions per second during the sustaining period.

TTFB (Time to First Byte): the minimum, maximum and average time to first byte. TTFB is the elapsed time between the client sending the SYN packet and receiving the first byte of application data from the DUT/SUT, expressed in milliseconds.

TTLB (Time to Last Byte): the minimum, maximum and average per-URL response time during the sustaining period. The latency is measured at the client as the time between sending a GET request and receiving the complete response from the server.

CC (Concurrent TCP Connections): the average number of concurrently open TCP connections during the sustaining period.

Importance of transparent testing of cybersecurity products

Before making a business-critical purchase decision that is central to the cyber-defense of an organization, decision-makers typically spend countless days on due diligence. This may include conducting extensive vendor research, catching up on analyst opinions and insights, going through various online forums and communities, seeking peer recommendations and, more importantly, finding that one trustworthy third-party review that can help guide the purchase decision.

Unfortunately, locating such reviews can be a bewildering exercise, as most third-party testing vendors neither publish well-defined methodologies nor follow established open standards and criteria for testing and benchmarking NGFW performance.

Recognizing that customers often rely on third-party reviews to validate vendors' claims, SonicWall joined NetSecOPEN in December 2018 as one of its founding members. NetSecOPEN is the first industry organization focused on the creation of open, transparent network security performance testing standards adopted by the Internet Engineering Task Force (IETF).

SonicWall recognizes NetSecOPEN for its reputation as an independent and unbiased product test and validation organization. We endorse its IETF initiative, open standards and benchmarking methodology for network security device performance.

As a contributing member, SonicWall actively works with NetSecOPEN and other members to help define, refine and establish repeatable and consistent testing procedures, parameters, configurations, measurements and KPIs to produce what NetSecOPEN declares as a fair and reasonable comparison across all network security functions. This should give organizations total transparency about cybersecurity vendors and their products’ performance.

Seven Layers of Protection from Hacked Websites

In January 2015, celebrity chef Jamie Oliver announced that his website, which attracts 10 million visitors per month, had been compromised. This followed an announcement by Forbes that a month earlier, in December 2014, its highly visible "Thought of the Day" Flash widget had been compromised as well. In both cases, the hacked website was simply the first step in a complex process carefully engineered to make money off unsuspecting internet users.

Most people are surprised to learn that the Hollywood-perpetuated stereotype of the cyber-criminal is a myth. We imagine an evil genius sitting in a dark room, typing feverishly to hack into the good guys' networks in real time, guessing passwords and avoiding law enforcement through well-timed keystroke sequences as he goes. The reality is much less intriguing. The tools used for these exploits are often generic off-the-shelf software developed by third-party developers and then sold on the black market. The sale of criminal tools (exploit kits, malware droppers, the malware itself and more) has become a big business in itself. In fact, according to researchers, in the case of the Jamie Oliver website a popular and widely available hacking tool named Fiesta was used to scan visitors' computers for vulnerabilities that could be exploited to deliver the malware. Our own SonicWall threat research shows that Angler was the most commonly used exploit kit in 2014, accounting for over 60 percent of the exploits we saw last year.

To add to the problem, NSS Labs estimates that 75 percent of the world's computers and 85 percent of the computers in North America are poorly protected against these exploits. Even worse, the anti-virus (AV) software typically used to protect computers provides only adequate security at best.

How do websites get compromised?

Attackers generally target websites with vulnerabilities that allow them to modify the HTML on the web page. A prime target for cybercriminals is a highly trusted, high-volume website like Forbes.com. In many cases, attackers will look to compromise ad servers, which generate a huge number of views. After a webpage with a vulnerability is identified, users can be tricked into clicking links to a separate landing page on a rogue web server that hosts the exploit kit. In the more disturbing case of a so-called drive-by download, the compromised page loads content from the malware server automatically, with zero end-user interaction required.

The exploit kit then scans the user's computer looking for vulnerabilities in common applications. We know that most people ignore OS patches, and even more people ignore browser, Java and Flash patches. A sophisticated attacker may independently find a vulnerability, but more likely he or she will use published vulnerabilities. The level of sophistication of these exploit kits varies, but some will even check IP addresses to ensure that the target computer matches the desired profile, for example a residential PC.

Once a vulnerable application is discovered, the exploit is launched and, if successful, the chosen malware payload is finally downloaded to the victim's computer. One common payload is malware that takes control of the victim's computer (the infected machine is called a bot, as in robot, or a zombie); other malware can be used to steal data, log keystrokes, or launch distributed denial-of-service (DDoS) attacks on other websites. Another common payload is called ransomware because it encrypts all data on the victim's computer and holds it hostage until the data owner provides a valid credit card number and pays to unlock the data. The reality with these attacks is that anybody and everybody is a target: the mom-and-pop business owner, gas station attendant, grandma and grandpa, business executive or school teacher. Everyone is a potential victim.

No single tool or technique is guaranteed to stop these attacks, but there are a variety of tactics that can be utilized to minimize the chance of a successful exploit.

  1. Gateway malware protection. Modern firewalls, also known as next-generation firewalls, provide much more intensive packet scanning than legacy firewalls. Deep packet inspection is used to inspect not only the header portion of the packet but also the payload, searching for viruses, Trojans and intrusion attempts. This level of inspection will often block the download of the malware payload.
  2. Patch management. Since most of the known exploits take advantage of vulnerable versions of applications, it is critical that you continuously apply the latest versions of software to all of your servers, PCs, Macs, Chromebooks, smartphones, tablets, printers, networking gear and other connected non-computing devices. Whew! Systems management solutions automate this patching for larger organizations.
  3. Automatically updated desktop AV clients. Standard desktop anti-virus clients provide a level of protection from the malware payloads that are used in these attacks, but it is critical that the desktop client is kept up-to-date. Ideally, if you are in charge of security, you would have a way to enforce the use of the clients because users love to turn off AV when they perceive that it slows down their computer. And unfortunately, in some cases malware disables AV or uses advanced methods to avoid detection so this is just one layer in the overall security strategy.
  4. Internet/web content filtering. There are a wide variety of solutions on the market that allow an organization to filter the URLs that can be accessed by users inside the network. Filtering in many cases will block the redirect to the malware server, and is a standard feature on most next-generation firewalls.
  5. Botnet filtering. Deep packet inspection also provides the ability to determine if connections are being made to or from botnet command and control servers. Many next-generation firewalls have continuously updated lists of these servers. Botnet filtering is a layer of security that will block communications to and from already compromised computers participating in botnets from behind the firewall.
  6. GeoIP filtering. Another feature of next-generation firewalls that can be useful in preventing bots from communicating with their command and control server is to restrict communications based on geography. GeoIP data includes the country, city, area code and much more. This is useful if an organization can exclude geographies that are known cyber-security risks such as Russia or China.
  7. Outbound email protection. Attackers will often use the computers that they are able to exploit as spambots to send spam mail as part of a larger spam campaign. These computers are often called zombies because they are remotely controlled by another person, in this case the spam botmaster. Email security solutions can scan outbound mail for signals that a system has been compromised, such as a workstation suddenly sending large volumes of mail.
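As an added illustration of layers 4 through 7 working together (example code, not SonicWall's product logic or the original post's content), the following evaluates outbound connection attempts from inside the network against a URL blocklist, a botnet command-and-control blocklist, a GeoIP country policy and a simple outbound-SMTP heuristic. All policy data is constructed for the example: the IP ranges are documentation address space (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), the country codes are placeholders, and the hostnames use the reserved `.example` TLD; a real deployment would draw these from a maintained threat feed and a GeoIP database.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed policy data (placeholders, not real threat intelligence).
C2_BLOCKLIST = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("198.51.100.77/32")]
URL_BLOCKLIST = {"malware-lander.example", "rogue-ads.example"}  # matched with subdomains
GEOIP = {  # prefix -> placeholder country code; stands in for a GeoIP database
    ipaddress.ip_network("192.0.2.0/24"): "AA",
    ipaddress.ip_network("198.51.100.0/24"): "XX",
    ipaddress.ip_network("203.0.113.0/24"): "AA",
}
BLOCKED_COUNTRIES = {"XX"}        # geographies the organization chooses to exclude
MAIL_SERVERS = {"10.0.0.25"}      # internal hosts that legitimately relay mail outbound


@dataclass(frozen=True)
class Attempt:
    src_ip: str
    dst_ip: str
    dst_port: int
    url: Optional[str] = None  # set when the request is HTTP(S) and the URL is visible


def in_any(ip: str, networks) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def country_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    for net, code in GEOIP.items():
        if addr in net:
            return code
    return None


def url_blocked(url: str) -> bool:
    """Block the listed domain and its subdomains, but not look-alike suffixes."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in URL_BLOCKLIST)


def evaluate(a: Attempt) -> Tuple[str, str]:
    """Return (verdict, layer). Layers are checked in order of confidence:
    a known C2 address is the strongest signal, then the URL blocklist,
    then the coarse GeoIP policy, then the outbound-mail heuristic."""
    if in_any(a.dst_ip, C2_BLOCKLIST):
        return "block", "botnet-filter"
    if a.url and url_blocked(a.url):
        return "block", "content-filter"
    if country_of(a.dst_ip) in BLOCKED_COUNTRIES:
        return "block", "geoip-filter"
    if a.dst_port == 25 and a.src_ip not in MAIL_SERVERS:
        # A workstation speaking SMTP directly to the internet is a classic spambot signal.
        return "review", "outbound-email"
    return "allow", "none"


# Constructed sample traffic, as a firewall or proxy might log it.
SAMPLE_ATTEMPTS = [
    Attempt("10.0.0.5", "192.0.2.10", 443, "https://www.example.com/"),
    Attempt("10.0.0.5", "203.0.113.9", 8080),
    Attempt("10.0.0.5", "192.0.2.20", 80, "http://cdn.malware-lander.example/kit.html"),
    Attempt("10.0.0.5", "198.51.100.5", 443),
    Attempt("10.0.0.5", "192.0.2.30", 25),
    Attempt("10.0.0.25", "192.0.2.30", 25),
]


def run(attempts=SAMPLE_ATTEMPTS):
    return [(a.src_ip, a.dst_ip, a.dst_port) + evaluate(a) for a in attempts]


if __name__ == "__main__":
    for row in run():
        print(row)
```

The ordering in `evaluate` matters: the C2 list is checked before GeoIP so that a known bad host in an otherwise allowed country is still blocked, and the suffix test in `url_blocked` is anchored on a dot so that `malware-lander.example.evil` does not match the `malware-lander.example` entry.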

Security professionals realize the complexity of the risks posed by compromised websites. Unfortunately, there is no magic bullet to preventing exploits, but a layered approach to security can minimize the risk to your organization.