Cyber Security News & Trends – 03-13-20

This week, vote for SonicWall in this year’s CRN Channel Madness!


SonicWall Spotlight

2020 CRN Channel Madness – CRN

  • This year’s CRN Channel Madness has SonicWall’s HoJin Kim up for best channel leader in the security category. Vote early, vote often, vote today!

8 Million UK Shopping Records Exposed – Information Security Buzz

  • SonicWall’s Terry Greer-King is reached for comment after researchers uncovered a leak of personal data from third-party apps used by Amazon UK. Greer-King explains the value of personal information on the Dark Web and the importance of a good cybersecurity plan.

7 Factors to Consider When Evaluating Endpoint Protection Solutions – MSSPAlert

  • SonicWall’s Vishnu Chandra Pandey lists 7 basic checks to help enhance endpoint compliance and better protect from cyberattacks.

Cybersecurity News

State-Sponsored Hackers are now Using Coronavirus Lures to Infect their Targets – ZDNet

  • Government-backed hacking groups worldwide have been detected using coronavirus-based phishing lures as part of their efforts to spread malware. ZDNet investigates campaigns that have taken place over the past month.

Election Commission Hires Cybersecurity Expert to Help States With 2020 Infrastructure – CyberScoop

  • The Election Assistance Commission has hired Joshua Franklin, who spent six years as an engineer at the National Institute of Standards and Technology, to act as top cybersecurity expert helping oversee the technology that will be involved in the 2020 US Presidential Election.

Commission to Propose Sweeping National Cybersecurity Strategy – Axios

  • An upcoming report on cybersecurity will, over the course of 75 recommendations, propose “a very ambitious reorganizing of the federal government, perhaps the most ambitious since the 9/11 Commission,” to combat cybersecurity threats.

Australia Sues Facebook over Cambridge Analytica Data Breach – The Hill

  • The Australian information commissioner has sued Facebook for sharing the personal data of more than 300,000 Australians as part of the Cambridge Analytica controversy. The Australian government says that it is actively seeking an order that Facebook pay a monetary penalty.

European Power Grid Organization says its IT Network was Hacked – CyberScoop

  • The European Network of Transmission System Operators for Electricity (ENTSO-E) this week confirmed that its IT network was successfully compromised by hackers. It stresses that the network was not connected to any critical control systems that would have allowed the hackers access to any power infrastructure.

Hackers Get $1.6 Million for Card Data from Breached Online Shops – Bleeping Computer

  • A known Magecart hacking group has collected $1.6 million from selling more than 239,000 payment card records on the dark web.

In Case You Missed It

Windows SMBv3 Remote Code Execution Vulnerability CVE-2020-0796

A remote code execution vulnerability (CVE-2020-0796) exists in the way the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, specifically compressed messages. An attacker who successfully exploits the vulnerability could execute code on the target server or client. To exploit it against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server; to exploit it against a client, an attacker would need to stand up a malicious SMBv3 server and convince a user to connect to it.

Microsoft has released an out-of-band (OOB) update for this vulnerability.

The following Windows versions are vulnerable:
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows Server, version 1903 (Server Core installation)
Windows Server, version 1909 (Server Core installation)

SonicWall Capture Labs Threat Research team provides protection against this vulnerability with the following signatures:

  • IPS 14854: Windows SMBv3 Remote Code Execution Vulnerability (CVE-2020-0796) 1
  • IPS 14857: Windows SMBv3 Remote Code Execution (CVE-2020-0796) 2
  • IPS 14858: Windows SMBv3 Remote Code Execution (CVE-2020-0796) 3
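What a practitioner usually wants alongside the signature list is a way to find hosts on which the vulnerable code path is still reachable. The script below is an added example written for this page, not SonicWall's or Microsoft's code: it sends a single SMB2 NEGOTIATE offering dialect 3.1.1 together with an SMB2_COMPRESSION_CAPABILITIES context, then reports whether the server answers with 3.1.1 and a compression algorithm other than NONE. Two caveats. A server carrying Microsoft's out-of-band fix (KB4551762) still advertises compression, so a positive result means the feature is enabled, not that the host is unpatched; and a negative result on an otherwise vulnerable build is what you get after Microsoft's interim workaround of setting DisableCompression=1 under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters. The `build_sample_response` function builds constructed responses (not captures) so the parser can be exercised offline; `probe` needs network access to TCP/445 and should only be pointed at hosts you are authorized to test.

```python
"""Probe whether an SMB server will negotiate SMB 3.1.1 compression, the feature that
CVE-2020-0796 lives in.  Added example for this write-up; not SonicWall or Microsoft code."""
import os
import socket
import struct
import uuid

SMB2_NEGOTIATE = 0x0000
DIALECT_311 = 0x0311
CTX_PREAUTH_INTEGRITY = 0x0001   # SMB2_PREAUTH_INTEGRITY_CAPABILITIES
CTX_COMPRESSION = 0x0003         # SMB2_COMPRESSION_CAPABILITIES
SHA512 = 0x0001
LZNT1, LZ77, LZ77_HUFFMAN = 0x0001, 0x0002, 0x0003

def _smb2_header(command, flags=0):
    # 64-byte SMB2 header: ProtocolId, StructureSize, CreditCharge, Status, Command,
    # Credits, Flags, NextCommand, MessageId, Reserved, TreeId, SessionId, Signature
    return struct.pack("<4sHHIHHIIQIIQ16s", b"\xfeSMB", 64, 0, 0, command, 1,
                       flags, 0, 0, 0, 0, 0, b"\x00" * 16)

def _context(ctx_type, data):
    # SMB2_NEGOTIATE_CONTEXT: ContextType, DataLength, Reserved, Data
    return struct.pack("<HHI", ctx_type, len(data), 0) + data

def _pack_contexts(ctxs):
    # contexts are 8-byte aligned relative to the SMB2 header; no padding after the last one
    return b"".join(c + b"\x00" * (-len(c) % 8 * (i < len(ctxs) - 1)) for i, c in enumerate(ctxs))

def _frame(payload):
    # NetBIOS session service header: zero byte followed by a 3-byte big-endian length
    return b"\x00" + len(payload).to_bytes(3, "big") + payload

def build_negotiate_request():
    """SMB2 NEGOTIATE offering 3.1.1 with a compression context (LZNT1, LZ77, LZ77+Huffman)."""
    dialects = [0x0202, 0x0210, 0x0300, 0x0302, DIALECT_311]
    ctx_offset = 64 + 36 + 2 * len(dialects)          # measured from the start of the SMB2 header
    pad = -ctx_offset % 8
    preauth = struct.pack("<HHH", 1, 32, SHA512) + os.urandom(32)
    compression = struct.pack("<HHI", 3, 0, 0) + struct.pack("<3H", LZNT1, LZ77, LZ77_HUFFMAN)
    ctxs = [_context(CTX_PREAUTH_INTEGRITY, preauth), _context(CTX_COMPRESSION, compression)]
    body = struct.pack("<HHHHI16sIHH", 36, len(dialects), 1, 0, 0, uuid.uuid4().bytes,
                       ctx_offset + pad, len(ctxs), 0)
    body += struct.pack("<%dH" % len(dialects), *dialects) + b"\x00" * pad + _pack_contexts(ctxs)
    return _frame(_smb2_header(SMB2_NEGOTIATE) + body)

def server_offers_compression(response):
    """True if a NEGOTIATE response (NetBIOS header included) selects 3.1.1 and lists a
    compression algorithm other than NONE, i.e. the compression code path is reachable."""
    smb = response[4:]
    if smb[:4] != b"\xfeSMB" or len(smb) < 128 or struct.unpack_from("<I", smb, 8)[0] != 0:
        return False                                   # not SMB2, truncated, or an NT error status
    _, _, dialect, ctx_count = struct.unpack_from("<HHHH", smb, 64)
    if dialect != DIALECT_311:
        return False
    pos = struct.unpack_from("<I", smb, 64 + 60)[0]    # NegotiateContextOffset
    for _ in range(ctx_count):
        if pos + 8 > len(smb):
            break
        ctx_type, data_len = struct.unpack_from("<HH", smb, pos)
        data = smb[pos + 8:pos + 8 + data_len]
        if ctx_type == CTX_COMPRESSION and data_len >= 8:
            count = min(struct.unpack_from("<H", data, 0)[0], (data_len - 8) // 2)
            if any(alg != 0 for alg in struct.unpack_from("<%dH" % count, data, 8)):
                return True
        pos += 8 + data_len
        pos += -pos % 8
    return False

def build_sample_response(dialect, compression_algs=None):
    """Constructed NEGOTIATE response (not a capture) so the parser can be exercised offline."""
    ctxs = []
    if dialect == DIALECT_311:
        ctxs.append(_context(CTX_PREAUTH_INTEGRITY, struct.pack("<HHH", 1, 32, SHA512) + b"\x11" * 32))
        if compression_algs is not None:
            algs = list(compression_algs)
            ctxs.append(_context(CTX_COMPRESSION, struct.pack("<HHI", len(algs), 0, 0)
                                 + struct.pack("<%dH" % len(algs), *algs)))
    sec_blob = b"\x60\x28"                             # stands in for the SPNEGO token
    ctx_offset = 64 + 64 + len(sec_blob)
    pad = -ctx_offset % 8
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, 1, dialect, len(ctxs), b"\x22" * 16, 0,
                       0x800000, 0x800000, 0x800000, 0, 0, 128, len(sec_blob),
                       ctx_offset + pad if ctxs else 0)
    body += sec_blob + b"\x00" * pad + _pack_contexts(ctxs)
    return _frame(_smb2_header(SMB2_NEGOTIATE, flags=0x1) + body)   # flag 0x1 = server-to-redir

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return buf

def probe(host, port=445, timeout=5.0):
    """Send one NEGOTIATE to host:port and report whether 3.1.1 compression is negotiable."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_negotiate_request())
        hdr = _recv_exact(sock, 4)
        return server_offers_compression(hdr + _recv_exact(sock, int.from_bytes(hdr[1:], "big")))
```

`probe("10.0.0.5")` returns True when the host selects 3.1.1 and advertises a real compression algorithm; pair a True result with a patch-level check (the OOB update) before calling the host remediated, since the probe only tells you whether the compressed-message path is exposed. The parser deliberately stops at the first non-NONE algorithm and tolerates a short or malformed context list rather than trusting the server's counts.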

Microsoft Security Bulletin Coverage for March 2020

SonicWall Capture Labs Threat Research Team has analyzed and addressed Microsoft’s security advisories for the month of March 2020. A list of issues reported, along with SonicWall coverage information are as follows:

CVE-2020-0645 Microsoft IIS Server Tampering Vulnerability
There are no known exploits in the wild.
CVE-2020-0684 LNK Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-0690 DirectX Elevation of Privilege Vulnerability
ASPY 5907: Malformed-File exe.MP.131
CVE-2020-0700 Azure DevOps Server Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2020-0758 Azure DevOps Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0762 Windows Defender Security Center Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0763 Windows Defender Security Center Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0765 Remote Desktop Connection Manager Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0768 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-0769 Windows CSC Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0770 Windows ActiveX Installer Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0771 Windows CSC Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0772 Windows Error Reporting Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0773 Windows ActiveX Installer Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0774 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0775 Windows Error Reporting Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0776 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0777 Windows Work Folder Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0778 Windows Network Connections Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0779 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0780 Windows Network List Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0781 Windows UPnP Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0783 Windows UPnP Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0785 Windows User Profile Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0786 Windows Tile Object Service Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-0787 Windows Background Intelligent Transfer Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0788 Win32k Elevation of Privilege Vulnerability
ASPY 5844: Malformed-File exe.MP.113
CVE-2020-0789 Visual Studio Extension Installer Service Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-0791 Windows Graphics Component Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0793 Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0795 Microsoft SharePoint Reflective XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-0796 Windows SMBv3 Client/Server Remote Code Execution Vulnerability
IPS 14854: Windows SMBv3 Remote Code Execution Vulnerability (CVE-2020-0796) 1
IPS 14857: Windows SMBv3 Remote Code Execution (CVE-2020-0796) 2
IPS 14858: Windows SMBv3 Remote Code Execution (CVE-2020-0796) 3
CVE-2020-0797 Windows Work Folder Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0798 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0799 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0800 Windows Work Folder Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0801 Media Foundation Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-0802 Windows Network Connections Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0803 Windows Network Connections Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0804 Windows Network Connections Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0806 Windows Error Reporting Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0807 Media Foundation Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-0808 Provisioning Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0809 Media Foundation Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-0810 Diagnostic Hub Standard Collector Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0811 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-0812 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-0813 Scripting Engine Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0814 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0815 Azure DevOps Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0816 Microsoft Edge Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-0819 Windows Device Setup Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0820 Media Foundation Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0822 Windows Language Pack Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0823 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-0824 Internet Explorer Memory Corruption Vulnerability
IPS 14850: Internet Explorer Memory Corruption Vulnerability (CVE-2020-0824)
CVE-2020-0825 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-0826 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-0827 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-0828 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-0829 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-0830 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-0831 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-0832 Scripting Engine Memory Corruption Vulnerability
IPS 14847: Scripting Engine Memory Corruption Vulnerability (CVE-2020-0832)
CVE-2020-0833 Scripting Engine Memory Corruption Vulnerability
IPS 14848: Scripting Engine Memory Corruption Vulnerability (CVE-2020-0833)
CVE-2020-0834 Windows ALPC Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0840 Windows Hard Link Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0841 Windows Hard Link Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0842 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0843 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0844 Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0845 Windows Network Connections Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0847 VBScript Remote Code Execution Vulnerability
IPS 14849: Scripting Engine Memory Corruption Vulnerability (CVE-2020-0847)
CVE-2020-0848 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-0849 Windows Hard Link Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0850 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-0851 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-0852 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-0853 Windows Imaging Component Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0854 Windows Mobile Device Management Diagnostics Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0855 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-0857 Windows Search Indexer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0858 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0859 Windows Modules Installer Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0860 Windows ActiveX Installer Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0861 Windows Network Driver Interface Specification (NDIS) Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0863 Connected User Experiences and Telemetry Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0864 Windows Work Folder Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0865 Windows Work Folder Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0866 Windows Work Folder Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0867 Windows Update Orchestrator Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0868 Windows Update Orchestrator Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0869 Media Foundation Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-0871 Windows Network Connections Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0872 Remote Code Execution Vulnerability in Application Inspector
There are no known exploits in the wild.
CVE-2020-0874 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0876 Win32k Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0877 Win32k Elevation of Privilege Vulnerability
ASPY 5904: Malformed-File exe.MP.128
CVE-2020-0879 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0880 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0881 GDI+ Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-0882 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0883 GDI+ Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-0884 Microsoft Visual Studio Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-0885 Windows Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0887 Win32k Elevation of Privilege Vulnerability
ASPY 5905: Malformed-File exe.MP.129
CVE-2020-0891 Microsoft SharePoint Reflective XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-0892 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-0893 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-0894 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-0896 Windows Hard Link Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0897 Windows Work Folder Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0898 Windows Graphics Component Elevation of Privilege Vulnerability
ASPY 5906: Malformed-File exe.MP.130
CVE-2020-0902 Service Fabric Elevation of Privilege
There are no known exploits in the wild.
CVE-2020-0903 Microsoft Exchange Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-0905 Dynamics Business Central Remote Code Execution Vulnerability
There are no known exploits in the wild.

Strength in Numbers: SonicWall Named New Member of Cyber Threat Alliance

As the Dark Web evolves and cybercrime heist payouts climb, criminals have realized it’s more lucrative to work together rather than go it alone. Together, they take bigger risks and take aim at larger targets. This collective effort is now being duplicated by governments and nation states that are building their own ecosystems of trained cyber teams in preparation for cyberwarfare.

But that’s not the only team that is coming together.

For years it’s been an initiative across the IT security industry to break down the walls between agencies, vendors and sectors. Through hard work and determination to stay ahead of the forces that seek to harm or monetarily profit from an organization’s demise, alliances have formed to gather and leverage collected threat research to protect customers, critical infrastructure and defend online networks that connect more by the day.

One such organization is the Cyber Threat Alliance (CTA), which has been working over the last three years to prevent, identify and disrupt malicious activity by sharing actionable intelligence based on data from its participating members. CTA is the industry’s first formally organized group of cybersecurity practitioners that work together in good faith to share threat information and improve global defenses against advanced cyber adversaries, and we’re excited to share that SonicWall now joins the ranks.

“Today’s threat landscape mandates a real-time view of threat activity and rapid response to effectively stop even the most elusive of cyberattacks,” says SonicWall Chief Operating Officer Atul Dhablania. “We look forward to collaborating with the Cyber Threat Alliance, combining years of security experience and leveraging resources to effectively tackle today’s cyber challenges.”

Members are required to share a minimum amount of threat intelligence with CTA, which attributes all intelligence to the submitting member. Its dedicated staff ensures members have the resources and technology platform needed to share advanced threat data as timely, actionable, contextualized and campaign-based intelligence.

“We’re very excited to have SonicWall join CTA. They will bring another perspective to our shared intelligence and bolster our efforts to raise the level of cybersecurity across the digital ecosystem,” said Michael Daniel, President and Chief Executive Officer (CEO) of CTA. “It’s heartening to see more and more companies realizing that joining an organization like CTA makes you even more competitive in today’s environment.”

As the alliance grows, so does the trove of threat data and combined years of researcher experience, creating a much-needed unified arsenal of defense.

GigaCLR Trojan – Quad Layer GigaRun Custom Loader

Overview:

SonicWall Capture Labs Threat Research Team recently found a new sample and activity in March for the GigaCLR Trojan binary. It starts out as a self-extracting native executable that drops two binaries: a .NET sample and a native Win32 .dll library. The .NET binary, called DEO, calls an exported function in the library named “GigaRun”. GigaRun is part of the “GigaCLR” custom loader, which allows injection of .NET binaries into any native process. Once the payload is injected into the process, it decrypts a picture resource and runs the malware on the operating system. This sample has four layers before you reach the core of the malware.

Samples: 1st Layer, Static Information:

Looking at the first layer in CFF Explorer, checking for corruption. The first layer is a Native Win32 binary.

Command line static information:

Main starting routine:

Resources

At this point, we can tell from the resources that this is a self-extracting installation binary. So, we can go forward with our research by unzipping the sample. Once decompression is complete you will see the following files:

Samples: 2nd Layer, Static Information:

Looking at the second layer in CFF Explorer, checking for corruption. The second layer is a .NET binary.

Command line static information:

Main starting routine inside Ida Pro:

Main starting routine inside .NET Reflector:

Samples: 3rd Layer, Injection Static Information:

Looking at the third layer in CFF Explorer, once again checking for corruption. The third layer is a .dll native Win32 binary.

Command line static information:

Main starting routine inside the .dll library:

GigaCLR Custom Loader:

GigaCLR Custom Loader posted on forum:

GigaCLR Parameters:

GigaRun Library Call Disassembled:

We can trap the call and look at the parameters of this special function:

Here we see the buffer with the newly created file. The 4th file and its size are on the stack, so we can now dump the payload. Its size is 0x1600 bytes.

Samples: 4th Binary, The Payload:

Here we can see the payload used in parameter 1 of the GigaRun routine:

Payload Main inside .NET Reflector:

As you can see, the 4th binary leads into another decryption of the resource picture to finally reach the main malware.

Supported Systems:

  • All Windows Operating Systems…

Summary:

The GigaCLR Trojan allows injection into any process. There are pieces of forensic data, such as the .dll’s export of the GigaRun function, which performs the injection; its first parameter holds the malware payload. Using this technique, the malware author can inject any payload into any process. SonicWall has captured the following forensic artifacts within the signature below.

SonicWall, (GAV) Gateway Anti-Virus, provides protection against this threat:

  • GAV: GigaCLR.NT
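The summary points to the GigaRun export as the forensic handle on the loader. The following is an added example written for this page (not SonicWall's tooling) that walks the PE export directory using only the Python standard library, so a triage box without pefile can still answer “does this dropped .dll export GigaRun?”. It handles PE32 and PE32+ images but does not resolve forwarded or ordinal-only exports. `build_sample_dll` constructs a minimal synthetic DLL (not the real sample, whose hash appears in the appendix) purely so the parser can be run offline.

```python
"""List the named exports of a PE file with the standard library only, to check a
dropped DLL for the GigaRun export.  Added example; not SonicWall tooling."""
import struct
import sys

def _rva_to_offset(sections, rva):
    # map a relative virtual address to a file offset via the section table
    for va, size, raw in sections:
        if va <= rva < va + size:
            return raw + (rva - va)
    raise ValueError(f"RVA 0x{rva:x} is not backed by any section")

def list_exports(data):
    """Return the export names of a PE32 or PE32+ image held in `data`."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    n_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_off = opt + (96 if magic == 0x10B else 112)     # data directories: PE32 vs PE32+
    export_rva = struct.unpack_from("<I", data, dir_off)[0]
    if export_rva == 0:
        return []
    sections = []
    for i in range(n_sections):
        vsize, va, rsize, raw = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rsize), raw))
    exp = _rva_to_offset(sections, export_rva)
    n_names = struct.unpack_from("<I", data, exp + 24)[0]      # NumberOfNames
    names_off = _rva_to_offset(sections, struct.unpack_from("<I", data, exp + 32)[0])
    out = []
    for i in range(n_names):
        start = _rva_to_offset(sections, struct.unpack_from("<I", data, names_off + 4 * i)[0])
        out.append(data[start:data.index(b"\0", start)].decode("ascii", "replace"))
    return out

def has_export(data, name):
    return name in list_exports(data)

def build_sample_dll(export_names):
    """Constructed minimal PE32 DLL (not a real sample) with one section that holds an
    export directory; used here only so the parser can be run offline."""
    sec_rva, sec_raw, n = 0x1000, 0x200, len(export_names)
    funcs_rva = sec_rva + 40
    names_rva = funcs_rva + 4 * n
    ords_rva = names_rva + 4 * n
    name_rvas, cur = [], ords_rva + 2 * n
    for s in export_names:
        name_rvas.append(cur)
        cur += len(s) + 1
    section = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, n, n, funcs_rva, names_rva, ords_rva)
    section += struct.pack("<%dI" % n, *([sec_rva + 0x100] * n))   # dummy function RVAs
    section += struct.pack("<%dI" % n, *name_rvas) + struct.pack("<%dH" % n, *range(n))
    section += b"".join(s.encode() + b"\0" for s in export_names)
    section += b"\0" * (-len(section) % 0x200)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 94 + struct.pack("<II", sec_rva, 40) + b"\0" * 120
    sect = struct.pack("<8sIIIIIIHHI", b".edata\0\0", len(section), sec_rva, len(section),
                       sec_raw, 0, 0, 0, 0, 0x40000040)
    headers = dos + coff + opt + sect
    return headers + b"\0" * (sec_raw - len(headers)) + section

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        image = f.read()
    print("GigaRun export present" if has_export(image, "GigaRun") else "no GigaRun export")
```

Run it against the dropped library; a hit on GigaRun is a strong triage signal, but absence is not a clean bill of health, since a repacked loader can export under another name or strip names and export by ordinal only.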

Appendix

Sample Hash: f87bcda31a5e53ebac41f3c994883bcdf3f92f2579c82a33100d11d696160b34

Cyber Security News & Trends – 03-06-20

This week, find out what’s coming down the line in the world of channel, a 5G bill is passed by the senate, and ransomware attackers are going after your cloud backups.


SonicWall Spotlight

CEO Outlook 2020 Details – CRN

  • SonicWall CEO Bill Conner is interviewed by CRN on the future of channel sales, where technology investment is going, and where cybersecurity is going in general.

Network Rail and C3UK Suffer Massive Data Exposure Affecting Thousands – Teiss

  • After an exposed database was discovered on one of the UK’s biggest public Wi-Fi providers for the rail network, SonicWall’s Terry Greer-King gives his thoughts on the needs and capabilities of protecting consumer data.

Security Vendors Eye MSSPs as Key Route to Landing MSPs – Channel Pro Network

  • Over the next few years managed security spending is predicted to rise fast, outstripping other security spending. SonicWall CEO Bill Conner talks to the Channel Pro Network about why forging alliances with the very best Managed Security Service Providers (MSSPs) can be a more efficient way to construct a managed security channel than building thousands of MSP relationships individually.

Cybersecurity News

UK Cybersecurity Defense Standards Slip, Calls Made for Improvement – Infosecurity Magazine

  • New research into cybersecurity performance in the UK vs. the rest of Europe has found that UK businesses need to further strengthen their defenses against cyberattacks after the UK slipped in Europe-wide ratings.

What to Know About Cyberattacks Targeting Energy Pipelines – The Hill

  • The Cybersecurity and Infrastructure Security Agency (CISA) discloses a disruptive cyberattack on a U.S. energy facility, confirming reports that critical infrastructure in the US is increasingly coming under cyberattack from abroad.

Senate Passes Bill Requiring 5G Security Review – Wall Street Journal

  • The U.S. Senate passes legislation that would require the administration to identify security threats and possible fixes within the equipment and software that support 5G wireless networks.

FBI Working to ‘Burn Down’ Cybercriminals’ Infrastructure – Washington Times

  • FBI Director Christopher Wray says that law enforcement agents are working to “burn down” the infrastructure of cybercriminals. With huge increases in ransomware attacks, much of it due to the relative ease for criminals to launch them, law enforcement agencies are targeting the host websites and toolmakers of the crimes, rather than “one bad guy at a time.”

Ethical Hackers Submitted More Bugs to the Pentagon than Ever Last Year – Cyberscoop

  • The Defense Department’s Cyber Crime Center has released its annual report, finding that white hat hackers are submitting more bugs than ever, with a 21.7% increase in submitted reports over the past year when compared to 2017.

Cathay Pacific Fined £500k by UK’s ICO over Data Breach disclosed in 2018 – TechCrunch

  • Cathay Pacific has been issued a £500,000 penalty by the UK’s data watchdog for a 2018 data breach which exposed the personal details of 9.4 million customers globally — 111,578 of whom were from the UK.

Ransomware Attackers Use Your Cloud Backups Against You – Bleeping Computer

  • Ransomware operators are accessing cloud backups of potential victims in order to prevent them from restoring data. The cybercriminals are also using the backups to launch the cyberattacks themselves and to just plain steal personal data.

In Case You Missed It

MarraCrypt Ransomware actively spreading in the wild

The SonicWall Capture Labs Threat Research Team observed reports of a new variant family of MARRACRYPT ransomware [MARRACRYPT.RSM] actively spreading in the wild.

The MARRACRYPT ransomware encrypts the victim’s files with a strong encryption algorithm until the victim pays a fee to get them back.

Infection Cycle:

The ransomware adds the following files to the system:

  • Malware.exe
    • %App.path%\MARRACRYPT_INFORMATION.HTML
      • Instructions for recovery
    • %App.path%\[Name].<MARRA>

Once the computer is compromised, the ransomware runs the following commands:

The ransomware encrypts all the files and appends the [MARRA] extension onto each encrypted file’s filename.

After encrypting all personal documents, the ransomware shows the following HTML file containing a message reporting that the computer has been encrypted and to contact its developer for unlock instructions.


We have been monitoring varying hits over the past few days for the signature that blocks this threat:

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: MARRACRYPT.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.