Ako ransomware demands $3000. Operators hide behind Tor.

The SonicWall Capture Labs Threat Research Team has recently come across a new variant of Ako ransomware. The malware spreads via spam email and shares similarities with MedusaLocker, which has led many to believe that it is a variant of MedusaReborn. However, the operators have reportedly denied this claim and state that Ako is their own creation. The malware demands $3000 USD in Bitcoin for file retrieval, and the operators run a website hosted behind Tor to facilitate file decryption for their victims.

Infection Cycle:

Upon infection, the malware encrypts files and appends a random six-character extension (<.random{6}>) to their filenames, e.g. finance.docx.C564Ec

The following files are dropped into directories where files were encrypted:

  • ako-readme.txt
  • id.key

ako-readme.txt contains the following text:

id.key contains the public key used to encrypt files.

During the encryption process, the following file types are ignored:

.exe, .dll, .sys, .ini, .lnk, .key, .rdp

Folders containing the following strings are also skipped:

  • Appdata
  • Program files
  • Program Files (x86)
  • Appdata
  • boot
  • Perflogs
  • Programdata
  • Google
  • Intel
  • Microsoft
  • Application data
  • Tor browser
  • Windows

Each encrypted file is given the following infection marker (CECAEFBE):

The following keys are added to the registry:

  • HKEY_CURRENT_USER\Software\akocfg aid “.<random{6}>”
  • HKEY_USERS\S-1-5-21-3032013890-123666948-3153623785-1001\Software\akocfg aid “.<random{6}>”

The following commands are executed to delete shadow copies of files and to disable any possibility of system recovery and repair:

vssadmin.exe Delete Shadows /All /Quiet
bcdedit.exe /set {default} recoveryenabled No
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
wbadmin DELETE SYSTEMSTATEBACKUP
wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
wmic.exe SHADOWCOPY /nointeractive
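As an added detection example (not code from the SonicWall write-up), the script below correlates the host artefacts described above (the recovery-inhibition command lines, the dropped ako-readme.txt and id.key, the random six-character extension, and the akocfg registry value) across constructed endpoint telemetry and scores each host. The event format, host names and scoring weights are assumptions chosen for the illustration.

```python
"""Added example, not code from the SonicWall write-up: correlate the Ako
host artefacts described above (recovery-inhibition commands, ako-readme.txt
and id.key, the random six-character extension, the akocfg registry value)
across constructed endpoint telemetry and score each host."""
import ntpath
import re
from collections import defaultdict

# Recovery-inhibition command lines from the write-up. Patterns tolerate case,
# extra whitespace and an optional ".exe"; the "list" forms of these tools are
# deliberately not matched.
RECOVERY_INHIBITION = {
    "vssadmin_delete_shadows": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "bcdedit_recovery_disabled": re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I),
    "bcdedit_ignore_failures": re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I),
    "wbadmin_delete_systemstate": re.compile(
        r"wbadmin(\.exe)?\s+delete\s+systemstatebackup\b", re.I),
    "wmic_shadowcopy": re.compile(r"wmic(\.exe)?\s+shadowcopy\b", re.I),
}
RANSOM_NOTE = "ako-readme.txt"
KEY_FILE = "id.key"
# e.g. finance.docx.C564Ec: six trailing alphanumerics. Too noisy on its own
# (".sqlite" also has six), so it only counts beside a ransom note.
RANDOM_EXT = re.compile(r"^.+\.[A-Za-z0-9]{6}$")
AKOCFG_KEY = re.compile(r"\\software\\akocfg$", re.I)


def match_command(cmd):
    """Names of every recovery-inhibition pattern the command line hits."""
    return [name for name, pat in RECOVERY_INHIBITION.items() if pat.search(cmd)]


def analyze(events):
    """Group events by host and score them.

    Each event is a dict with 'host' and 'type' in {'process', 'file',
    'registry'} plus 'cmd', 'path' or 'key'/'value' respectively.
    """
    hosts = defaultdict(lambda: {"commands": set(), "note_dirs": set(),
                                 "key_dirs": set(), "akocfg": False, "ext_hits": []})
    for ev in events:
        h = hosts[ev["host"]]
        if ev["type"] == "process":
            h["commands"].update(match_command(ev["cmd"]))
        elif ev["type"] == "file":
            folder, name = ntpath.split(ev["path"])
            if name.lower() == RANSOM_NOTE:
                h["note_dirs"].add(folder.lower())
            elif name.lower() == KEY_FILE:
                h["key_dirs"].add(folder.lower())
            elif RANDOM_EXT.match(name):
                h["ext_hits"].append(ev["path"])
        elif ev["type"] == "registry":
            if AKOCFG_KEY.search(ev["key"]) and ev.get("value", "").lower() == "aid":
                h["akocfg"] = True

    results = {}
    for host, h in hosts.items():
        # Renamed files only count when a ransom note sits in the same folder.
        encrypted = [p for p in h["ext_hits"]
                     if ntpath.dirname(p).lower() in h["note_dirs"]]
        score = 2 * len(h["commands"])             # each distinct command is strong
        score += 3 if h["note_dirs"] else 0        # ransom note is near-conclusive
        score += 2 if h["akocfg"] else 0           # akocfg\aid stores the extension
        score += 1 if h["key_dirs"] & h["note_dirs"] else 0  # id.key beside the note
        score += 1 if encrypted else 0
        verdict = ("likely Ako ransomware" if score >= 5
                   else "suspicious" if score >= 2 else "clean")
        results[host] = {"commands": sorted(h["commands"]),
                         "ransom_note_dirs": sorted(h["note_dirs"]),
                         "akocfg": h["akocfg"],
                         "encrypted_candidates": encrypted,
                         "score": score, "verdict": verdict}
    return results


# Constructed telemetry: ws01 shows the full Ako chain, ws02 is benign
# (vssadmin list + a legitimate six-letter extension), ws03 has one command.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process", "cmd": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "ws01", "type": "process", "cmd": "bcdedit.exe /set {default} recoveryenabled No"},
    {"host": "ws01", "type": "process",
     "cmd": "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"},
    {"host": "ws01", "type": "process", "cmd": "wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest"},
    {"host": "ws01", "type": "process", "cmd": "wmic.exe SHADOWCOPY /nointeractive"},
    {"host": "ws01", "type": "file", "path": r"C:\Users\bob\Documents\ako-readme.txt"},
    {"host": "ws01", "type": "file", "path": r"C:\Users\bob\Documents\id.key"},
    {"host": "ws01", "type": "file", "path": r"C:\Users\bob\Documents\finance.docx.C564Ec"},
    {"host": "ws01", "type": "registry", "key": r"HKEY_CURRENT_USER\Software\akocfg",
     "value": "aid", "data": ".C564Ec"},
    {"host": "ws02", "type": "process", "cmd": "vssadmin.exe list shadows"},
    {"host": "ws02", "type": "file", "path": r"C:\Users\alice\notes.sqlite"},
    {"host": "ws03", "type": "process", "cmd": "wbadmin delete systemstatebackup"},
]

if __name__ == "__main__":
    for host, r in analyze(SAMPLE_EVENTS).items():
        print(host, r["score"], r["verdict"], r["commands"])
```

A single bcdedit or wbadmin line is worth a ticket on its own, which is why ws03 lands on "suspicious" rather than "clean".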

The ransom note contains the following Tor address:

http://kwvhrdibgmmpkhkidrby4mccwqpds5za6uo2thcw5gz75qncv7rbhyad.onion/U0T9NR3RCU3PNABN

The address leads to the following site hosted on the Tor network:

After entering the unique key from the ransom note, the following page is presented which states that 0.2932 BTC (approx $3000 USD at this time) is required to restore files:

Activity recorded for the supplied BTC address (1Ag76nHNv1mPUf3Qki1EnoHgV4Cbt6dLft) suggests that the operators may have been successful in their endeavours:

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Ako.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Cyber Security News & Trends – 02-14-20

This week, SonicWall partners with Perimeter 81, Puerto Rico loses millions from a phishing attack, and new figures show how cryptocurrency losses boomed in 2019.


SonicWall Spotlight

2020 SonicWall Cyber Threat Report: Threat Actors Pivot Toward More Targeted Attacks, Evasive Exploits – SonicWall Press Release

  • This week saw the release of the always anticipated yearly SonicWall Cyber Threat Report! Key takeaways include a drop in malware and ransomware attack volumes but an increase in more targeted attacks, a continued rise in encrypted attacks, and a massive fall in cryptojacking.

Inside Cybercriminal Inc.: SonicWall Exposes New Cyberattack Data, Threat Actor Behaviors in Latest Report – Geoff Blaine

  • SonicWall Vice President of Marketing Geoff Blaine digs into the 2020 Cyber Threat Report, laying out and analyzing the data SonicWall’s Cyber Threat Team have found over the past year.

The CyberWire Daily Briefing – Cyberwire

Vulnerability in Linear eMerge Access Controllers Exploited in the Wild – SecurityWeek

  • SecurityWeek picks up on SonicWall’s recent SonicAlert about a known vulnerability in Nortek Security & Control’s Linear Emerge E3 Access Controller actively being exploited. Despite this vulnerability being raised a year ago and considered critical, no fix has yet been implemented.

Cybersecurity News

Kobe Bryant Wallpaper Shows how Hackers Exploit Mourning Fans for Cryptocurrency Mining – The Independent (UK)

  • Cybercriminals have been detected attempting to profit from the death of Kobe Bryant by hiding malware within downloadable wallpapers of the basketball star.

Internet of Things: Smart Cities Pick Up the Pace – Financial Times

  • As 5G and the Internet of Things go from a future development to a reality, so do smart cities. The Financial Times investigates where smart cities are right now, how deep 5G and IoT penetration currently goes and what they are likely to look like in the future, including the prediction that up to 30% of smart city programs will be abandoned by 2023.

Magecart Group Jumps from Olympic Ticket Website to new Wave of E-Commerce Shops – ZDNet

  • Despite recent arrests of a major magecart group, a new wave of the malware has been detected spreading across a Russian hosting provider using a Chinese domain registrar, who suspended the domain when the malware was reported.

Watch Out for Coronavirus Phishing Scams – Wired

  • A number of phishing scams have been detected where attackers disseminate malicious links and PDFs that claim to contain information on how to protect yourself from the spread of the Coronavirus. SonicWall’s Cyber Threat team have also detected malicious executables being spread using fears of the virus as bait.

Feds are Lining up More Indictments Related to Chinese Cyber-Activity, Officials say – Cyberscoop

  • U.S. prosecutors are preparing to issue new charges against Chinese nationals related to alleged hacking and insider threats at U.S. organizations. U.S. officials have repeatedly accused China of breaking a 2015 agreement not to conduct “cyber-enabled” intellectual property theft and have ramped up pressure by announcing criminal charges against Chinese nationals. Strain over Huawei and the nascent 5G network may bring the whole thing to a head.

In Case You Missed It

SonicWall Secures 3 Spots on Annual CRN Channel Chief List

As a 100% channel-based company, SonicWall strives to provide its over 20,000 partners around the world with one of the industry’s strongest partner programs. With that work comes the tireless effort of the SonicWall channel team and its leaders, two of which were recently named to the prestigious CRN 2020 Channel Chief list, with one also taking their place among the top 50.

SonicWall Vice President, Worldwide Channel Sales, HoJim Kim returns to the outlet's Channel Chief list, and along with him SonicWall Vice President Channel Sales, North America David Bankemper.

CRN’s 2020 Channel Chiefs list honors the distinguished leaders who have most influenced the IT channel with cutting-edge strategies and partnerships. The 2020 Channel Chiefs have shown outstanding commitment, an ability to lead, and a passion for progress within the channel through their partner programs.

As a result of introducing SonicWall Security-as-a-Service, the two have been focused on the addition of MSP/MSSP partners and, in November 2019, introduced a monthly billing engine to 10 beta partners. Working around the clock, SonicWall announced the updates globally in December 2019 in a coordinated launch, a massive effort completed within seven months.

Kim takes his place within ‘The Top 50 Most Influential Channel Chiefs’ listed, individuals that were chosen by the CRN editorial staff that stand at the very top of the already select group of Channel Chief honorees. These top executives have cultivated the greatest professional and channel achievements, and their leadership will greatly impact the future IT community, driving growth and innovation.

“The nature of the IT channel is fast growth and constant challenges to overcome,” said Bob Skelley, CEO of The Channel Company. “CRN’s Channel Chiefs work tirelessly, leading the industry forward through superior partner programs and strategies. Our team here at The Channel Company congratulates these outstanding individuals for their dedication to the channel.”

SonicWall offers the SecureFirst Partner Program that accelerates partners’ ability to be thought-leaders and game-changers by providing them with best-in-class tools, such as a partner portal, SonicWall University as well as opportunities to expand their training and earn certificates.

SonicWall University is a sophisticated online, role-based platform that provides web training for sales, sales engineering and post-sales support. Partners that complete training have achieved a point-of-sale increase over the same quarter one year prior.

Microsoft Security Bulletin Coverage for Feb 2020

SonicWall Capture Labs Threat Research Team has analyzed and addressed Microsoft's security advisories for the month of February 2020. A list of the issues reported, along with SonicWall coverage information, is as follows:
CVE-2020-0618 Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-0655 Remote Desktop Services Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-0657 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 5885:Malformed-File exe.MP.118
CVE-2020-0658 Windows Common Log File System Driver Information Disclosure Vulnerability
ASPY 5885:Malformed-File exe.MP.118
CVE-2020-0659 Windows Data Sharing Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0660 Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-0661 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-0662 Windows Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-0663 Microsoft Edge Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0665 Active Directory Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0666 Windows Search Indexer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0667 Windows Search Indexer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0668 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0669 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0670 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0671 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0672 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0673 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-0674 Scripting Engine Memory Corruption Vulnerability
ASPY 14745:HTTP Client Shellcode Exploit 114
CVE-2020-0675 Windows Key Isolation Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0676 Windows Key Isolation Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0677 Windows Key Isolation Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0678 Windows Error Reporting Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0679 Windows Function Discovery Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0680 Windows Function Discovery Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0681 Remote Desktop Client Remote Code Execution Vulnerability
IPS 14793:Remote Desktop Client Remote Code Execution Vulnerability (CVE-2020-0681)
CVE-2020-0682 Windows Function Discovery Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0683 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0685 Windows COM Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0686 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0688 Microsoft Exchange Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-0689 Microsoft Secure Boot Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2020-0691 Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0692 Microsoft Exchange Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0693 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-0694 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-0695 Microsoft Office Online Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-0696 Microsoft Outlook Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2020-0697 Microsoft Office Tampering Vulnerability
There are no known exploits in the wild.
CVE-2020-0698 Windows Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0701 Windows Client License Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0702 Surface Hub Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2020-0703 Windows Backup Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0704 Windows Wireless Network Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0705 Windows Network Driver Interface Specification (NDIS) Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0706 Microsoft Browser Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0707 Windows IME Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0708 Windows Imaging Library Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-0709 DirectX Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0710 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-0711 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-0712 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-0713 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-0714 DirectX Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0715 Windows Graphics Component Elevation of Privilege Vulnerability
ASPY 5889:Malformed-File exe.MP.122
CVE-2020-0716 Win32k Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0717 Win32k Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0719 Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0720 Win32k Elevation of Privilege Vulnerability
ASPY 5890:Malformed-File exe.MP.123
CVE-2020-0721 Win32k Elevation of Privilege Vulnerability
ASPY 5891:Malformed-File exe.MP.124
CVE-2020-0722 Win32k Elevation of Privilege Vulnerability
ASPY 5892:Malformed-File exe.MP.125
CVE-2020-0723 Win32k Elevation of Privilege Vulnerability
ASPY 5893:Malformed-File exe.MP.126
CVE-2020-0724 Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0725 Win32k Elevation of Privilege Vulnerability
ASPY 5888:Malformed-File exe.MP.121
CVE-2020-0726 Win32k Elevation of Privilege Vulnerability
ASPY 5888:Malformed-File exe.MP.121
CVE-2020-0727 Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0728 Windows Modules Installer Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0729 LNK Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-0730 Windows User Profile Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0731 Win32k Elevation of Privilege Vulnerability
ASPY 5887:Malformed-File exe.MP.120
CVE-2020-0732 DirectX Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0733 Windows Malicious Software Removal Tool Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0734 Remote Desktop Client Remote Code Execution Vulnerability
ASPY 5884:Malformed-File exe.MP.117
CVE-2020-0735 Windows Search Indexer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0736 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0737 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0738 Media Foundation Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-0739 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0740 Connected Devices Platform Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0741 Connected Devices Platform Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0742 Connected Devices Platform Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0743 Connected Devices Platform Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0744 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0745 Windows Graphics Component Elevation of Privilege Vulnerability
ASPY 5886:Malformed-File exe.MP.119
CVE-2020-0746 Microsoft Graphics Components Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0747 Windows Data Sharing Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0748 Windows Key Isolation Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0749 Connected Devices Platform Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0750 Connected Devices Platform Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0751 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-0752 Windows Search Indexer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0753 Windows Error Reporting Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0754 Windows Error Reporting Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0755 Windows Key Isolation Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0756 Windows Key Isolation Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0757 Windows SSH Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0759 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-0767 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-0792 Windows Graphics Component Elevation of Privilege Vulnerability
There are no known exploits in the wild.

7 Factors to Consider When Evaluating Endpoint Protection Solutions

The threat landscape is evolving. Attackers are getting craftier with infiltrating secure environments. Is your endpoint protection able to keep up? In many cases, organizations just aren’t sure.

The increase in the number of cyberattacks targeting endpoints — and attackers using craftier methods to gain access to user machines — has led to a highly competitive endpoint protection market. There's plenty of confusion surrounding what differentiates one endpoint protection solution from another, let alone which product will meet your unique business needs.

Among the claims and counter-claims about which solution is best, the reality is that the right solution for your organization is not necessarily the one with the loudest voice in the marketplace.

Instead, consider whether your approach to endpoint protection matches that of the providers you evaluate. With rapid changes in the way malware and threat actors are compromising victims, which security solutions are keeping up?

Let’s take a look at seven basic checks that can help enhance endpoint compliance and lead to better protection against cyberattacks.

  1. Don’t underestimate the risks of mobility

    The traditional approach that legacy AV software is just there to protect your devices from malware and data loss creates a blind spot in defensive thinking. The task is to protect your network from both internal and external threats, and that includes the potential threat from end-user behavior when they’re mobile and off-network.

    Today, users who log in from airports and cafés using public and open access points pose a greater threat to the corporate network.

    Modern, integrated security thinking understands that this means more than just anti-malware or AV coverage on the device. Off-network content filtering and media control are necessary adjuncts to protect your entire network, regardless of where the threat may come from.

    And if the agent's verdict lacks confidence, a second layer of defense via a cloud-based malware analysis engine helps handle it in real time.

  2. Avoid drowning in the noise of alerts

    Even today, some endpoint vendors still believe that the quantity — rather than the quality — of alerts is what should differentiate a superior product from the rest. But alerts that go unnoticed because they are swimming in a sea of hundreds of other alerts clamoring for attention are as good as no alerts at all.

    The Target Corporation learned this lesson at a great cost. False positives (i.e., the boy who cried wolf) condition weary admins and SOC specialists to “tune out” things that may be the next big threat because they simply cannot cope with the quantity of work.

    Rather than a security solution that provides hundreds of single alerts for each command with little or no context, choose one that provides a single alert with the telemetry and details of all the related commands — whether that be one or 100 — automatically mapped into the context of an entire attack storyline.

  3. Secure the endpoint locally

    We live in the age of the cloud, but malicious software acts locally on devices, and that’s where your endpoint detection needs to be, too.

    If your security solution needs to contact a server before it can act (e.g., get instructions or check files against a remote database), you’re already one step behind the attackers.

    Make sure that your endpoint protection solution can secure the endpoint locally, taking behavioral changes into consideration and identifying malicious processes without cloud dependency.

    And when using a cloud-based second layer, make sure the suspected threat is contained to eliminate impact while a verdict is made.

  4. Keep it simple, silly

    There’s power in simplicity, but today’s threat landscape is increasingly sophisticated. While some vendors think the number of tools they offer is a competitive advantage, it just increases the workload on your staff and locks knowledge into specialized employees who may one day take themselves — and that knowledge — elsewhere.

    You want to be able to eliminate threats fast and close the gaps without needing a large or dedicated SOC team. Look for endpoint protection that takes a holistic approach, builds all the features you need into a unified client and is managed by a user-friendly console that doesn’t require specialized training.

  5. Build for the worst-case scenario

    Let’s face it, ANY protection layer can fail. It’s the nature of the game that attackers will adapt to defenders. If you can’t see what your endpoints are doing, how can you be sure that one of them hasn’t been compromised?

    Has a remote worker clicked a phishing link and allowed an attacker access to your network? Is a vulnerability in a third-party application allowing cybercriminals to move around inside your environment undetected? Have you factored for attackers who have now embraced encrypted threats (e.g., HTTPS vectors) and acquired their own SSL certificates?

    The modern cyber threat landscape requires a defense-in-depth posture, which includes SSL/TLS decryption capabilities to help organizations proactively use deep packet inspection of SSL (DPI-TLS/SSL) to block encrypted attacks. DPI-SSL technology provides additional security, application control, and data leakage prevention for analyzing encrypted HTTPS and other SSL-based traffic.

    In addition, drive visibility into application vulnerability risk and control over web content access to reduce the attack surface.

  6. Drive compliance across all endpoints

    It's the quiet ones at the back you have to look out for. If your enterprise is 95% harnessed to one platform, it doesn't mean you can write off the business risk presented by the other 5% as negligible.

    Attackers are able to exploit vulnerabilities in one device and jump to another, regardless of what operating system the device itself may be running. To avoid the risk of vulnerable endpoints connecting to your corporate network, integrate endpoint security with your firewall infrastructure and restrict network access for endpoints that don’t have endpoint protection installed on the machine.

    Remember, you’re only as strong as your weakest link.

  7. Don’t trust blindly

    Blocking untrusted processes and whitelisting the known “good guys” is a traditional technique of legacy AV security solutions that attackers have moved well beyond, and businesses need to think smarter than that, too.

    With techniques like process-hollowing and embedded PowerShell scripts, malware authors are well-equipped to exploit AV solutions that trust once and allow forevermore. Endpoint protection needs to look beyond trust and inspect the behavior of processes executing on the device. Is that “trusted” process doing what it’s supposed to be doing or is it exhibiting suspicious behavior?

Endpoint protection integrated across your environment

SonicWall Capture Client is a unified endpoint offering with multiple protection capabilities. With a next-generation malware protection engine powered by SentinelOne, Capture Client applies advanced threat protection techniques, such as machine learning, network sandbox integration and system rollback.

The solution uses automated intelligence to adapt and detect new strains of malware through advanced behavior analytics. It provides multi-layered defense against advanced threats, like fileless malware and side-channel attacks, using SentinelOne's AI-driven behavioral analysis and SonicWall Real-Time Deep Memory Inspection™ (RTDMI) engine with the Capture Advanced Threat Protection (ATP) sandbox service.

The solution also delivers granular visibility into threat behavior, helping identify potential impact and remediation actions. A sound endpoint protection solution also should be paired with a defense-in-depth security strategy across all the key layers of transport, including email, network and cloud.

RSA 2020: SonicWall Returns with Stories from the Cyber Battlefront

Nothing reminds you that you're not quite clear of winter like a spirited return to San Francisco for the industry-favorite RSA Conference.

SonicWall at RSA 2020
Booth 5559
North Expo Hall
Moscone Center
Feb. 24-27

This year, RSA Conference 2020 promises to unite the technology that drives cybersecurity and the human element.

“With all the new technologies, strategies and artificial intelligence being employed by both security pros and threat actors, one thing remains constant: us. We are the Human Element within cybersecurity,” proclaims the conference’s website. “The goal of RSA Conference is to help the industry mature while preparing individuals to grow into their roles as defenders of the world.”

And it’s for this reason SonicWall makes it a priority to attend the annual North American event.

Each day at Booth 5559 in the North Hall, SonicWall cybersecurity experts will host dialogs on emerging threat trends, explore innovative new security technologies and field questions on how best to enhance your security posture.

Our in-booth theatre will be packed with fresh content throughout the week, covering tomorrow’s hottest cybersecurity topics, including:

Free RSA Conference 2020 expo pass

Want to be sure you don’t miss the latest cybersecurity trends and technology innovation while in San Francisco? SonicWall has you covered.

Gain free access to the RSA 2020 expo hall at the Moscone Center using the code “XS0USONIC” — compliments of SonicWall. While on the show floor, head over to Booth 5559 in the North Hall to connect with SonicWall’s full team of cybersecurity experts.

SonicWall will be health-conscious at RSA

News of the coronavirus outbreak has the global health community focused on prevention and education. So much so, RSA is encouraging attendees and exhibitors to follow the guidance of the CDC for everyday preventive actions to help prevent the spread of viruses and outbreaks, including coronavirus. CDC best practices include:

  • Wash hands often with soap and water for at least 20 seconds, especially after going to the bathroom; before eating; and after blowing your nose, coughing, or sneezing.
  • If soap and water are not readily available, use an alcohol-based hand sanitizer with at least 60% alcohol. Always wash hands with soap and water if hands are visibly dirty.
  • Avoid touching eyes, nose, and mouth with unwashed hands.
  • Avoid close contact with people who are sick.
  • Stay home when sick.
  • Cover a cough or sneeze with a tissue, then throw the tissue in the trash.
  • Clean and disinfect frequently touched objects and surfaces using a regular household cleaning spray or wipe.

SonicWall is taking this guidance to heart. The SonicWall booth will feature signage about healthy best practices, but also friendly reminders that booth staff may be exercising extreme caution with regards to physical contact (e.g., handshakes, etc.). Let’s stay healthy. Together.

RSA Conference 2020 promises to be as exciting as ever. Don’t miss SonicWall at Booth 5559 in the North Hall. We’ll be available all week. We can’t wait to connect.

Project "Androm" Backdoor Trojan

Overview:

SonicWall Capture Labs Threat Research Team analyzed a new sample, found in February 2020, belonging to a project named "Androm", a backdoor Trojan. Trojans appear to contain benign or useful functionality, but also contain code paths, hidden from normal operation, that violate the intended security policies of the user or system administrator. These code paths may include embedded, non-replicating and/or replicating code snippets. The technical impact is the execution of unauthorized code or commands on the victim's machine.

Sample Static Information:

As we look through the PE file format, we are searching for corrupted data; corruption from a memory dump would be highlighted in red. The GIF below shows no red, which tells us we have a complete sample for analysis. This should make analysis easier, depending on whether the sample is packed, protected, encrypted or armed. One thing we know for certain is that we will not have to rebuild a memory-dumped file, which is great news:

Metadata:

A Look Into The Samples Starting Routine:

Windows GUI applications need to register a window class before creating a graphical window. This is done with the RegisterClassExA Windows API, which takes a structure called WNDCLASSEXA. Of the twelve members of WNDCLASSEXA, one is ultra important: the member (WNDPROC lpfnWndProc) is the heart of any Windows GUI application. The window procedure processes the messages sent to a window. Here we can see the code path of the window procedure:

As we open the sample for the first time in IDA Pro, we clearly see normal operation of the application, such as LoadIconA, RegisterClassExA, CreateWindowExA and a reference to “PlanetCpp – RichEdit example strings”:

The hardest part of analyzing any Trojan is finding the hidden call or pointer to the malware code. We can see this call here (sub_911090). Looking up at the window procedure picture above, we can see the location of this call within the WNDPROC code path, in white, on the left of the picture:

Encryption & Decryption Routines:

After stepping through the application and setting your favorite breakpoints, you will arrive at an encrypted code cave:

The code cave’s instructions will cycle through the decryption loop; it is only one while loop, but it is nested deep inside the sample:

The largest section of the decryption logic applies many xor and shift operations to the encrypted code cave to decode the encrypted buffer’s data:

Once the data has been decrypted, you will see the following decoded code cave:

Malware Logic:

Stepping into the code cave’s buffer and following the logic, you will see the following instructions:

The instructions above show the starting area of the malware architect’s logic. We can see the whole payload here:

The first few calls will find each Windows API by Hash:

API Hashes:

There are currently 104 Windows API hashes that are needed to understand the malware’s logic above:

HASH DESCRIPTION
——————————————–
0x7BB4C07F WinExec
0x3867269F Wow64DisableWow64FsRedirection
0x7DD9B6D8 Wow64RevertWow64FsRedirection
0x13398F97 IsWow64Process
0x887753C1 GetCurrentProcess
0x18AE55D2 GlobalAlloc
0x8B8A0B81 GlobalReAlloc
0xC962E0DD GlobalFree
0x533FF50C GetFileAttributesA
0x3B9403BF MultiByteToWideChar
0x88AAD5AC CreateFileA
0x7DA426FD ReadFile
0x54B43706 WriteFile
0x2C265D94 GetFileSize
0x1CA655F1 CloseHandle
0x61FB2970 GetModuleFileNameA
0x231CBE70 CreateProcessA
0x540559D3 ReadProcessMemory
0xD485A88C WriteProcessMemory
0x7C03517B VirtualAllocEx
0x9E5A8833 VirtualAlloc
0x4FAEF192 VirtualFree
0x659005B0 GetThreadContext
0xE59005B2 SetThreadContext
0xAAF2FD77 ResumeThread
0x8590BA7 Sleep
0x759DF562 TerminateProcess
0xFD0B55A7 OpenProcess
0xF88DDF46 CreateToolHelp32SnapShot
0x3F347695 Process32First
0x93E12339 Process32Next
0x810B9665 ExitProcess
0x243CB902 GetTickCount
0xD6D48E5A CreateThread
0xB430264A GetCurrentDirectoryA
0x850A2076 VirtualAllocExNuma
0xA0568251 IsDebuggerPresent
0x44155EB6 OutputDebugStringA
0x44155ECC OutputDebugStringW
0x3467D7DA CheckRemoteDebuggerPresent
0xE5360DD3 GetCurrentThread
0x659005B0 GetThreadContext
0xD3C98A82 GetVersionExA
0xCFAA6E2C DeleteFileA
0xCFAA6E42 DeleteFileW
0xC6984765 CopyFileA
0x9016C35B GetUserDefaultUiLanguage
0xDD3D54EE GetSystemInfo
0x4A6A0E7 GlobalMemoryStatus
0xF63D4C20 GetDriveTypeA
0x112A6907 GetLogicalDrives
0x485D688D GetDiskFreeSpaceA
0xC34F9FC1 FileTimeToLocalFileTime
0x6C9A05ED FileTimeToSystemTime
0x89EEB6C5 SystemTimeToFileTime
0xC6DFD663 CompareFileTime
0x263546AE GetLocalTime
0x2DBE5D94 GetFileTime
0x930E608E GetComputerNameA
0xCA8E9498 WaitForSingleObject
0x6F45D8C8 CreateRemoteThread
0xB52EB4C0 GetSystemDirectoryA
0xB52EB4D6 GetSystemDirectoryW
0xED5616E8 GetWindowsDirectoryA
0x88358832 GetTempPathA
0x95CB7306 GetBinaryTypeA
0x83259FD6 GetStartupInfoA
0x5B8D5E53 CreateMutexA
0xC964A8DD LocalFree
0xA284D745 GetLastError
0x46218786 NtUnmapViewOfSection
0xE110E5ED NtQueryIntoProcess
0xCC926BD FindWindowA
0x9E8D13D2 CharUpperA
0x292291D0 WsPrintfA
0x7D9D5BE1 GetWindowThreadProcessId
0x6794D2F0 RegOpenKeyExA
0xF56B5F2C RegCloseKey
0xAC03010A RegQueryValueExA
0xCD6872F4 RegCreateKeyA
0xEC658443 RegSetValueExA
0x659084F0 RegEnumKeyExA
0x6457C825 RegDeleteValueA
0x3BDD8993 GetUserNameA
0x8A9044D OpenProcessToken
0x8B03CAA1 GetTokenInfo
0xFC759D60 ConvertStringSecurityDescriptorToSecurityDescriptorA
0x807EAEF7 SHGetSpecialFolderPathA
0x6F024DA9 ShellExecuteExA
0x3CBE3BD0 SHCreateItemFromParsingName
0x7C88F586 SHCreateDirectoryExA
0x5923AEC4 CoInitialize
0x3ADA792E CoCreateInstance
0x4CE5ED53 CoGetObject
0x3AC7B3B4 CoUninitialize
0xD0488B42 GetAdaptersAddresses
0xE3C6DAB4 InternetOpenA
0x9A280099 InternetConnectA
0x73FA8F2B HttpOpenRequestA
0x2C244C89 InternetCloseHandle
0x81716702 InternetCrackUrlA
0x1BBF63F7 InternetReadFile
0xAA02D728 HttpSendRequestA
0x870EDA86 HttpQueryInfoA
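The write-up does not say which hashing algorithm the resolver uses, and recovering it is the first step toward reading the resolver statically. As an added example (not code from the Androm sample or from SonicWall), the script below runs the checks an analyst performs on a table like the one above: it parses the HASH/NAME rows, measures the hash difference between each ANSI/Unicode pair (FooA versus FooW, which differ only in their last character), and tests a handful of candidate algorithms against the entries. The candidate algorithms are assumptions to be tested, not a claim about what the sample uses; the table excerpt is copied from the rows above.

```python
"""Added example, not code from the Androm sample or from SonicWall: the checks an
analyst runs over the API-hash table above before trying to identify the hashing
algorithm. The write-up does not name that algorithm, so every candidate below is an
assumption to be tested against the table, not a claim about what the sample uses."""
import zlib
from typing import Callable, Dict, List

MASK = 0xFFFFFFFF

# Excerpt of the table from the write-up, chosen to include the ANSI/Unicode pairs.
# An analyst would paste all 104 rows here; the format is identical.
HASH_TABLE = """
0x7BB4C07F WinExec
0x659005B0 GetThreadContext
0xE59005B2 SetThreadContext
0xA0568251 IsDebuggerPresent
0x44155EB6 OutputDebugStringA
0x44155ECC OutputDebugStringW
0xCFAA6E2C DeleteFileA
0xCFAA6E42 DeleteFileW
0xB52EB4C0 GetSystemDirectoryA
0xB52EB4D6 GetSystemDirectoryW
"""


def parse_table(text: str) -> Dict[str, int]:
    """Parse 'HASH NAME' rows into {api_name: hash_value}."""
    table: Dict[str, int] = {}
    for line in text.strip().splitlines():
        value, name = line.split()
        table[name] = int(value, 16)
    return table


def aw_pair_deltas(table: Dict[str, int]) -> Dict[str, int]:
    """For each FooA/FooW pair, return hash(FooW) - hash(FooA) mod 2**32.

    The two names differ only in the final character, so if every delta equals
    ord('W') - ord('A') == 0x16, the last byte is folded in unrotated and
    unmultiplied (the shape of rotate-then-add or rotate-then-xor hashes). A delta
    that varies between pairs would rule that whole family out.
    """
    deltas: Dict[str, int] = {}
    for name, value in table.items():
        if name.endswith("A") and name[:-1] + "W" in table:
            deltas[name[:-1]] = (table[name[:-1] + "W"] - value) & MASK
    return deltas


def _ror(value: int, bits: int) -> int:
    """32-bit rotate right."""
    return ((value >> bits) | (value << (32 - bits))) & MASK


def make_rotate_hash(bits: int, use_xor: bool) -> Callable[[str], int]:
    """Build a rotate-then-combine hash: h = ror(h, bits), then h += byte or h ^= byte."""
    def hasher(name: str) -> int:
        h = 0
        for b in name.encode("ascii"):
            h = _ror(h, bits)
            h = (h ^ b) if use_xor else ((h + b) & MASK)
        return h
    return hasher


def djb2(name: str) -> int:
    """Multiplicative string hash (h * 33 + byte)."""
    h = 5381
    for b in name.encode("ascii"):
        h = (h * 33 + b) & MASK
    return h


def crc32(name: str) -> int:
    return zlib.crc32(name.encode("ascii")) & MASK


# Candidate algorithms to test (assumptions; none is confirmed by the write-up).
CANDIDATES: Dict[str, Callable[[str], int]] = {
    "ror13_add": make_rotate_hash(13, use_xor=False),
    "ror13_xor": make_rotate_hash(13, use_xor=True),
    "ror7_add": make_rotate_hash(7, use_xor=False),
    "djb2": djb2,
    "crc32": crc32,
}


def matching_algorithms(table: Dict[str, int]) -> Dict[str, List[str]]:
    """For each candidate, list the API names whose table hash it reproduces.
    A candidate that matches every entry is the algorithm; all-empty lists mean
    the analyst has to recover it from the resolver's own code instead."""
    return {
        label: [name for name, value in table.items() if func(name) == value]
        for label, func in CANDIDATES.items()
    }


if __name__ == "__main__":
    table = parse_table(HASH_TABLE)
    print("A/W deltas:", {k: hex(v) for k, v in aw_pair_deltas(table).items()})
    print("candidate matches:", matching_algorithms(table))
```

For the three A/W pairs in the table above the delta is 0x16 in every case, which is exactly ord('W') - ord('A'); that is consistent with the rotate-and-combine family and inconsistent with a plain multiplicative hash, but it does not by itself identify the rotation count or whether a module-name hash is mixed in, so an empty result from `matching_algorithms` is still a normal outcome. Note also that the table above lists GetThreadContext twice with the same hash; `parse_table` collapses the duplicate.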

Files Executed:

RT5380 exe and SS exe


Systems Supported By This Trojan:

Summary:

Let’s turn back to the APIs listed above, pick out a few to talk about, and see if we can summarize what this sample is doing:

WinExec, CreateFileA, CreateProcessA, DeleteFileA, DeleteFileW, CopyFileA, GetDriveTypeA, GetLogicalDrives, GetComputerNameA, RegCreateKeyA, GetUserNameA, ShellExecuteExA,
SHCreateDirectoryExA, InternetConnectA, HttpSendRequestA

The sample can execute pre-programmed commands (WinExec and ShellExecuteExA), create new processes (CreateProcessA), create and read files (CreateFileA), delete files, copy files, get hard-drive information, the computer name and the user name, create and delete directories, add and edit registry keys, and send and receive requests and responses over the wire.

The processes it drops and executes provide the malware’s components, which are modular in design, such as the key-logging and remote-viewing capabilities.

SonicWall Gateway Anti-Virus (GAV) provides protection against this threat:

  • GAV: Androm.H_2 (Trojan)

Appendix

Sample Hash: 1ea6b3e99bbb67719c56ad07f5a12501855068a4a866f92db8dcdefaffa48a39

ENC Ransomware actively spreading in the wild

The SonicWall Capture Labs Threat Research Team observed reports of a new variant of the ENC ransomware family [ENC.RSM] actively spreading in the wild.

The ENC ransomware encrypts the victim’s files with a strong encryption algorithm until the victim pays a fee to get them back.

Infection Cycle:

The ransomware adds the following files to the system:

  • Malware.exe
    • %App.path%\HOW TO RECOVER ENCRYPTED FILES.txt
      • Instructions for recovery
    • %App.path%\[Name].<cryptopatronum@protonmail.com.enc>

Once the computer is compromised, the ransomware runs the following commands (actual source code):

When ENC is started, it creates and assigns a unique 16-digit hexadecimal number to the victim, then scans all local drives for data files to encrypt.

When encrypting files, it uses the AES encryption algorithm and only encrypts files that match the following extensions:

 

The ransomware encrypts all the files and appends the [cryptopatronum@protonmail.com.enc] extension onto each encrypted file’s filename.

After encrypting all personal documents, the ransomware shows the following text file, containing a message reporting that the computer has been encrypted and instructing the victim to contact its developer for unlock instructions.

 

We have been monitoring varying hits over the past few days for the signature that blocks this threat:

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Filecoder.RSM_60 (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Cyber Security News & Trends – 02-07-20

This week, the release of the 2020 SonicWall Cyber Threat Report!


SonicWall Spotlight

2020 SonicWall Cyber Threat Report: Threat Actors Pivot Toward More Targeted Attacks, Evasive Exploits – SonicWall Press Release

  • This week saw the release of the always anticipated yearly SonicWall Cyber Threat Report! Key takeaways include a drop in malware and ransomware attack volumes but an increase in more targeted attacks, a continued rise in encrypted attacks, and a massive fall in cryptojacking.

Inside Cybercriminal Inc.: SonicWall Exposes New Cyberattack Data, Threat Actor Behaviors in Latest Report – Geoff Blaine

  • SonicWall Vice President of Marketing Geoff Blaine digs into the 2020 Cyber Threat Report, laying out and analyzing the data SonicWall’s Cyber Threat Team has found over the past year.

The CyberWire Daily Briefing – Cyberwire

Vulnerability in Linear eMerge Access Controllers Exploited in the Wild – SecurityWeek

  • SecurityWeek picks up on SonicWall’s recent SonicAlert about a known vulnerability in Nortek Security & Control’s Linear Emerge E3 Access Controller actively being exploited. Despite this vulnerability being raised a year ago and considered critical, no fix has yet been implemented.

Cybersecurity News

Kobe Bryant Wallpaper Shows how Hackers Exploit Mourning Fans for Cryptocurrency Mining – The Independent (UK)

  • Cybercriminals have been detected attempting to profit from the death of Kobe Bryant by hiding malware within downloadable wallpapers of the basketball star.

Internet of Things: Smart Cities Pick Up the Pace – Financial Times

  • As 5G and the Internet of Things go from a future development to a reality, so do smart cities. The Financial Times investigates where smart cities are right now, how deep 5G and IoT penetration currently goes and what they are likely to look like in the future, including the prediction that up to 30% of smart city programs will be abandoned by 2023.

Magecart Group Jumps from Olympic Ticket Website to new Wave of E-Commerce Shops – ZDNet

  • Despite recent arrests of a major Magecart group, a new wave of the malware has been detected spreading across a Russian hosting provider using a Chinese domain registrar, which suspended the domain when the malware was reported.

Watch Out for Coronavirus Phishing Scams – Wired

  • A number of phishing scams have been detected where attackers disseminate malicious links and PDFs that claim to contain information on how to protect yourself from the spread of the Coronavirus. SonicWall’s Cyber Threat team has also detected malicious executables being spread using fears of the virus as bait.

Feds are Lining up More Indictments Related to Chinese Cyber-Activity, Officials say – Cyberscoop

  • U.S. prosecutors are preparing to issue new charges against Chinese nationals related to alleged hacking and insider threats at U.S. organizations. U.S. officials have repeatedly accused China of breaking a 2015 agreement not to conduct “cyber-enabled” intellectual property theft and have ramped up pressure by announcing criminal charges against Chinese nationals. Strain over Huawei and the nascent 5G network may bring the whole thing to a head.

In Case You Missed It

VBScript is being used to deliver DanaBot

For the last two weeks, the SonicWall RTDMI™ engine has been detecting archive files which are delivered to the victim’s machine as an email attachment. The archive file contains a VBScript file which executes DanaBot malware as the final payload. The malware was first detected on January 21, 2020 by the SonicWall RTDMI™ engine and has been continuously monitored by the SonicWall threat research team since then.

On execution, the VBScript file saves the current time into a variable, then displays an error message “User <username> The PDF file is corrupted and cannot be opened. Error: (0x20031)” with the caption “Adobe Acrobat Reader Error”. The file is not actually corrupt; rather, this message is intentionally displayed by the malware to mislead the user. Once the user clicks the “ok” button, the malware again gets the current time and compares it with the time saved before showing the error message. If the time difference is less than two seconds, the malware executes a method named “dzkwNtVr”. This method does not contain any code, but our hypothesis is that it can be used to terminate execution on suspicion of running in a controlled environment (where the message box is dismissed automatically):

 

The malware gets the %TEMP% folder path by calling the GetSpecialFolder method with the folderspec argument “2”. It ensures that it executes only once on the victim’s machine by checking for the presence of the file “%TEMP%\gnikGGjID”. If the file is already present, the malware terminates; otherwise it creates the file and writes the text “uhhHQOBx” into it:

 

The malware uses a fairly interesting decryption logic: it keeps 256 constant values in variables, which are used to build thousands of arrays. The decryption routine takes each array as an argument and iterates over its values, subtracting the key value “15937430” from each to get the decrypted character. The decrypted characters are combined and written into “%TEMP%\Ddzp.txt”, which is an archive file:
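The decryption loop described above is simple enough to reproduce, which is what an analyst does to get at the embedded archive without running the script. The following is an added example, not the dropper’s VBScript or SonicWall’s code: it decodes arrays of the form described (each entry minus the key 15937430 gives one output byte; that each result is a single byte is an assumption), checks that the result is a ZIP archive as the write-up states, and lists the archive’s members without extracting or executing anything. The arrays and the payload inside them are constructed here for the demonstration.

```python
"""Added example, not the dropper's VBScript or SonicWall's code: a decoder for the
array-subtraction scheme described above, run against a constructed sample.
The key 15937430 and the fact that the decoded output is an archive come from the
write-up; the arrays and the payload inside them are constructed here, and each
(value - key) result is assumed to be one byte of output."""
import io
import zipfile
from typing import Iterable, List

KEY = 15937430  # subtraction key named in the write-up


def encode_arrays(data: bytes, chunk: int = 64) -> List[List[int]]:
    """Constructed inverse of the observed scheme, used only to build test input:
    split the blob into arrays whose entries are byte + KEY."""
    return [[b + KEY for b in data[i:i + chunk]] for i in range(0, len(data), chunk)]


def decode_arrays(arrays: Iterable[Iterable[int]]) -> bytes:
    """Mirror the dropper's decryption loop: every array entry minus KEY is one byte.
    A result outside 0..255 means the key (or the extracted arrays) is wrong."""
    out = bytearray()
    for array in arrays:
        for value in array:
            byte = value - KEY
            if not 0 <= byte <= 255:
                raise ValueError(f"{value} - KEY = {byte} is not a byte; wrong key or array?")
            out.append(byte)
    return bytes(out)


def archive_members(blob: bytes) -> List[str]:
    """Static triage of the decoded buffer: confirm it is a ZIP (the dropper renames
    Ddzp.txt to .zip before extracting) and list its members without running anything."""
    if not blob.startswith(b"PK\x03\x04"):
        raise ValueError("decoded buffer does not start with a ZIP local file header")
    with zipfile.ZipFile(io.BytesIO(blob)) as archive:
        return archive.namelist()


def build_sample_archive() -> bytes:
    """Constructed stand-in for the embedded archive: a ZIP whose only member is a
    harmless text file carrying the name the write-up reports for the extracted DLL."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("QFgY.exe", b"placeholder text, not a DLL")
    return buffer.getvalue()


def demo() -> List[str]:
    """Encode a constructed archive, decode it the way the dropper does, list members."""
    payload = build_sample_archive()
    decoded = decode_arrays(encode_arrays(payload))
    if decoded != payload:
        raise AssertionError("round trip failed")
    return archive_members(decoded)


if __name__ == "__main__":
    print(demo())
```

Against a real sample the arrays would be pulled out of the script text (for instance with a regular expression over the array literals) and fed to `decode_arrays` in script order; the range check is what catches a mis-extracted array or a wrong key before any bytes are written to disk.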

 

“%TEMP%\Ddzp.txt” is renamed to “%TEMP%\Ddzp.txt.zip”, and a Dynamic Link Library (DLL) file is extracted from it to “%TEMP%\QFgY.exe”. The DLL is then executed by creating a rundll32.exe process with the argument “%TEMP%\QFgY.exe,DllRegitserServer”, which further downloads and executes the various component files of DanaBot on the victim’s machine:
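The execution step just described leaves a distinctive process-creation trace: rundll32.exe loading a module with an .exe extension out of the user’s Temp directory, started by the script host running the VBScript. The following is an added example, not SonicWall’s or DanaBot’s code, of detection logic for that trace run over constructed process-creation events. The pipe-separated key=value event layout and the wscript.exe parent are assumptions; the rundll32.exe %TEMP%\QFgY.exe,<export> pattern is from the write-up. The export name is deliberately not matched on, so a renamed or misspelled export does not evade the rule.

```python
"""Added example, not SonicWall's or DanaBot's code: detection logic for the
execution step described above, run over constructed process-creation events.
The pipe-separated key=value event layout and the wscript.exe parent are
assumptions; the rundll32.exe %TEMP%\\QFgY.exe,<export> pattern is from the
write-up. The export name is deliberately not matched on."""
import re
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # assumed hosts for the .vbs stage

# Constructed sample events: a benign rundll32 use, the chain from the write-up,
# and an edge case (a real .dll extension, but loaded out of Temp).
EVENTS = [
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\rundll32.exe"
    "|CommandLine=rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL",
    "ParentImage=C:\\Windows\\System32\\wscript.exe|Image=C:\\Windows\\System32\\rundll32.exe"
    "|CommandLine=rundll32.exe C:\\Users\\victim\\AppData\\Local\\Temp\\QFgY.exe,DllRegisterServer",
    "ParentImage=C:\\Windows\\System32\\cmd.exe|Image=C:\\Windows\\System32\\rundll32.exe"
    "|CommandLine=\"rundll32.exe\" \"C:\\Users\\victim\\AppData\\Local\\Temp\\x.dll\",Start",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split 'k=v|k=v' into a dict (values may contain '=' but not '|')."""
    return dict(field.split("=", 1) for field in line.split("|"))


def module_from_cmdline(cmdline: str) -> str:
    """Return the module rundll32 was asked to load: the first argument after the
    image, up to the comma that separates it from the export name, quotes removed."""
    rest = cmdline.strip()
    head = re.match(r'^"?[^" ]*rundll32\.exe"?\s+', rest, re.IGNORECASE)
    if head:
        rest = rest[head.end():]
    return rest.split(",", 1)[0].strip().strip('"')


def rundll32_findings(event: Dict[str, str]) -> List[str]:
    """Return the suspicious traits of one rundll32 process-creation event."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image != "rundll32.exe":
        return []
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    module = module_from_cmdline(event.get("CommandLine", ""))
    ext = module.rsplit(".", 1)[-1].lower() if "." in module else ""
    findings: List[str] = []
    if ext != "dll":
        findings.append(f"module has non-DLL extension '.{ext}': {module}")
    if "\\temp\\" in module.lower():
        findings.append(f"module loaded from a Temp directory: {module}")
    if parent in SCRIPT_HOSTS:
        findings.append(f"rundll32 spawned by script host {parent}")
    return findings


def scan(lines: List[str]) -> Dict[int, List[str]]:
    """Map event index -> findings, omitting events with nothing to report."""
    results: Dict[int, List[str]] = {}
    for index, line in enumerate(lines):
        found = rundll32_findings(parse_event(line))
        if found:
            results[index] = found
    return results


if __name__ == "__main__":
    for index, found in scan(EVENTS).items():
        print(index, found)
```

The three traits are scored independently so that a single one (a DLL loaded from Temp, as in the third constructed event) surfaces for triage, while the DanaBot chain trips all three; in a production rule the script-host parent check is the lowest-noise of the three, because legitimate software rarely launches rundll32 from a .vbs.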

 

The archive files’ absence from threat intelligence sharing portals such as VirusTotal and ReversingLabs at the time of writing indicates their ability to keep a low profile:

 

Evidence of the detection of the first variant and the recent variant by the RTDMI™ engine can be seen below in the Capture ATP report: