10 Reasons to Upgrade to the Latest SonicWall TZ Firewall

Some people prefer not to upgrade their products till the bitter end. In some cases, this is fine — you may be able to live with the fact that the laptop you got for college graduation a decade ago won’t run “Hitman 2” or “Metro Exodus,” as long as it’ll connect to the internet and give you a place to store all your MP3s.

But the risks of running an aging firewall extend far beyond fear of missing out: Firewalls must be updated regularly to stop advanced cyberattacks, as well as keep up with the speed, performance and productivity needs demanded by today’s workplace. Here are the top ten reasons why you should consider updating your legacy firewall to the latest SonicWall TZ Series next-generation firewall:


Stop the Most Advanced Threats

Advanced cyber threats are on the rise and affect all businesses and organizations. The cloud-based, multi-engine SonicWall Capture Advanced Threat Protection (ATP) sandbox service provides high security effectiveness against advanced persistent threats and new attacks, including ‘never-before-seen’ ransomware, malware and side-channel attacks. Capture ATP subscribers discover and stop over 1,000 new attacks each business day.

Why upgrade: SonicWall Capture ATP is only available for SOHO 250, TZ350, TZ400 and above firewalls, as well as the NSa and NSsp line. This service is not available for legacy firewalls, including TZ105, TZ205 and TZ215 firewalls.


Inspect More Encrypted Traffic without Slowing Performance

Never be forced to choose between performance and security. With the increased network bandwidth requirements from today’s SaaS apps, video streaming and social media, firewalls with faster deep packet inspection (DPI) offer better network security without performance degradation.

During the first half of 2020, 1 in 12 SonicWall customers with DPI-SSL activated saw malware on encrypted traffic. And the numbers are on the rise: In June, SonicWall recorded 378,736 of these attacks—more than at any other point in 2020 or the last half of 2019.

Simply put, faster DPI performance provides organizations with a greater capacity to utilize higher internet speeds and support more concurrent users — all without sacrificing security.

Why upgrade: SonicWall TZ350 and TZ400 firewalls offer significantly faster DPI performance than the TZ 105 (up to 24x), TZ 205 (up to 15x) and TZ 215 (up to 10x).


Inspect Encrypted Traffic without Increasing Costs

The vast majority of web traffic is now encrypted. And without the proper security controls in place, traffic encrypted by TLS/SSL standards provides cybercriminals a backdoor to your network.

That’s why deep packet inspection of encrypted traffic (DPI for TLS/SSL) is mandatory for businesses of all sizes. Unfortunately, some firewall vendors upcharge you for proper TLS/SSL inspection capabilities (or don’t offer it at all).

Why upgrade: SonicWall TZ350 and TZ400 firewalls include the DPI-SSL license (by default) to inspect encrypted traffic at no additional cost, thereby reducing capital expense. Unfortunately, the TZ105, TZ205 and TZ215 do not support inspection of encrypted traffic.


Upgrade Your TZ Firewall

Ready to upgrade to the newest SonicWall TZ firewall? Take advantage of the SonicWall Secure Upgrade Plus program to save money when you replace your existing SonicWall firewall or other eligible security appliance.


Secure Growing Remote Workforce

With today’s remote workforce far larger than ever before, companies need the ability to provide employees with secure access to data — anytime and anywhere. A larger number of secure VPN connections is essential to support the increasing number of remote users. But based on the firewall(s) you have deployed, you may have a limit on how many remote employees you can protect at a single time.

Why upgrade: The latest SonicWall TZ400 firewall supports 10 times the number of SSL-VPN clients as the TZ 205 and TZ 215 (100 vs. 10). The TZ350 firewall enables 7.5 times as many SSL-VPN clients as the TZ 205 and TZ 215 (75 vs. 10).


Support Faster Wi-Fi Speeds

The world is wireless. Wi-Fi speeds — and users’ appetite for connectivity — are increasing exponentially. The 802.11ac wireless standard delivers the performance, range and reliability of high-speed wireless technology for an enhanced user experience. But in a properly secured environment, 802.11ac access points must be paired with a firewall that supports the 802.11ac wireless standard.

Why upgrade: The SonicWall TZ350 and TZ400 firewalls support the 802.11ac wireless standard as well as SonicWave 802.11ac Wave 2 access points for high-speed wireless networking. Unfortunately, the legacy TZ105, TZ205 and TZ215 firewalls only support the slower legacy 802.11n wireless standard, and do not work with the latest SonicWave wireless access points.


Reduce Support Costs

Single sign-on (SSO) technology helps improve employee productivity and reduce IT support costs by enabling users to safely gain access to connected systems with a single ID and password. Simply put, the more systems users can reach with a single ID, the fewer support calls, IT tickets and complaints are generated. This equals real savings to your organization.

Why upgrade: The SonicWall TZ350 and TZ400 firewalls enable twice the population of users (500 vs. 250) to benefit from single sign-on.


Protect More Concurrent Users

There should rarely be a limit on how many users you are able to protect. A higher number of concurrent connections provides greater scalability by enabling more simultaneous user sessions to be active and protected by the firewall.

Why upgrade: The newest SonicWall TZ350 and TZ400 firewalls support a much larger number of concurrent connections, and of new connections per second, than the TZ105, TZ205 and TZ215, and they add deep packet inspection of TLS/SSL-encrypted connections, which the legacy models do not offer.


Increase Speed to Keep Pace with Threat Processing

Modern cybersecurity requires firewalls that can manage network traffic more quickly to deliver the high performance needed for modern-day threat processing. Legacy firewalls can’t process as much traffic volume, sometimes hindering performance and efficiency. This can result in businesses being unable to achieve their promised internet speeds.

Why upgrade: The SonicWall TZ400 firewall, for example, has double the number of security processors as the TZ205 and TZ215 (4 vs. 2). In addition, TZ350 and TZ400 have higher speed processors (1.2 GHz and 800 MHz, respectively), compared with 400/500 MHz processors in the previous TZ205 and TZ215 firewalls. These speed boosts keep your business humming and safe from modern threats.


Boost Memory for Added Users, Logs & Policies

The number of users who require security on your network grows by the day. Unfortunately, the on-board memory of legacy firewalls can only support a finite footprint of users on the network. Advanced firewalls offer more onboard memory to allow for more rules and policies, users, and log messages to be stored on the firewall, making reporting easily accessible.

Why upgrade: The SonicWall TZ350 and TZ400 firewalls have up to four times the onboard memory of the TZ205 and TZ215 (1 GB vs. 256 MB/512 MB). This increased capacity empowers organizations to use a single TZ firewall to protect a larger userbase with deeper and more robust rules and policies.


Boost Performance, Security with Additional VLANs

Creating a greater number of virtual local area networks (VLAN) enables organizations to segment users and devices into additional groups, improving performance and security while reducing hardware costs. The ability to scale these VLANs depends on a number of factors, most notably how many may be protected by a firewall.

Why upgrade: The SonicWall TZ400 firewall provides the ability to create up to five times the number of VLANs as the TZ 205 and TZ 215 (50 vs. 10/20). The TZ350 firewall enables the creation of 2.5 times more VLANs than the TZ 205 (25 vs. 10).


About SonicWall TZ Next-Generation Firewalls

Get high-speed threat prevention in a flexible, integrated security solution with the SonicWall TZ Series. Designed for small networks and distributed enterprises with remote and branch locations, SonicWall TZ next-generation firewalls offer five different models that can be tuned to meet your specific needs.

Feature                            TZ105/W        TZ205/W        TZ215/W        TZ300/W           TZ400/W
Memory (RAM)                       32/256 MB      32/256 MB      32/512 MB      1 GB              1 GB
DPI performance                    25 Mbps        40 Mbps        60 Mbps        100 Mbps          300 Mbps
Max. connections per second        1,000/sec      1,500/sec      1,800/sec      5,000/sec         6,000/sec
Max. connections (SPI)             8,000          12,000         48,000         50,000            100,000
Max. connections (DPI)             8,000          12,000         32,000         50,000            90,000
Max. connections (DPI SSL)         n/a            n/a            n/a            500               500
SSL VPN licenses, included (max.)  1 (10)         1 (15)         2 (10)         1 (50)            (100)
Wireless standards                 802.11n        802.11a/b/g/n  802.11a/b/g/n  802.11a/b/g/n/ac  802.11a/b/g/n/ac
SSO users                          150            250            250            500               500
VLAN interfaces                    5              10             20             25                50
DPI SSL license included           No             No             No             Yes               Yes
Capture ATP sandbox service        No             No             No             Yes               Yes

Advanced networking and management features, such as Secure SD-WAN and Zero-Touch Deployment, make it easy to bring up new sites as you need. Adding optional capabilities, such as PoE/PoE+ support and 802.11ac Wi-Fi, helps create a unified security solution that protects your network and data from the latest threats over wired and wireless connections.


10 Reasons to Upgrade to the Latest SonicWall NSa Firewall

There are some things that are with you for life: Leather workboots on their fifth resole, your grandpa’s fishing vest, a thermos from scout camp that’s still going strong decades later. But when it comes to protection, staying current matters.

If you wouldn’t trust a 15-year-old tube of sunscreen to protect your skin, and you wouldn’t put your child in the carseat your mother saved from when you were a kid, why would you trust a legacy firewall to protect your network?

If you’re still running an older SonicWall NSA or E Series model, here are 10 reasons you should consider upgrading to the latest mid-range SonicWall NSa next-generation firewall.

Stop the Most Advanced Threats

Advanced persistent threats move with great speed and tenacity, and are designed to target and infiltrate all businesses and organizations.

However, a cloud-based, multi-engine sandbox, such as the SonicWall Capture Advanced Threat Protection (ATP) service, provides real-time security against advanced cyberattacks, including ‘never-before-seen’ ransomware, malware and side-channel attacks. Capture ATP subscribers discover and stop more than 1,000 new attacks each business day.

Why upgrade: SonicWall Capture ATP is only available for the NSA/NSa 2600 and newer next-generation firewalls, as well as the current TZ and NSsp product lines (sixth generation or newer). This service is not available for legacy SonicWall firewalls, including some NSA and E Series models (usually silver in color with the old blue SonicWall logo).


Inspect Traffic without Slowing Performance

You should never be put into a position to choose between security and performance. With bandwidth-hungry apps woven into our everyday lives — SaaS apps, video streaming and social media — firewalls with faster deep packet inspection (DPI) are better at securing networks without greatly affecting performance.

During the first half of 2020, 1 in 12 SonicWall customers with DPI-SSL turned on saw malware on encrypted traffic. And the numbers are on the rise: In June, SonicWall recorded 378,736 of these attacks—more than at any other point in 2020 or the last half of 2019.

Faster DPI performance gives businesses greater capacity to utilize higher internet speeds and support more concurrent users without ever sacrificing security.

Why upgrade: For example, NSa 2650 delivers a 25% DPI-SSL performance improvement over the NSA 2600. SonicWall NSa 2650 and newer firewalls (e.g., 2650-9650) offer significantly faster DPI performance than their predecessors, the NSA 2600-9600 range, E Series models and other older appliances.


Inspect TLS/SSL Traffic without Increasing Costs

The majority of web traffic is encrypted today. Without proper security controls in place, TLS/SSL encryption standards provide cybercriminals easy access to your network.

That’s why deep packet inspection of encrypted traffic (DPI for TLS/SSL) is mandatory. Some firewall vendors, unfortunately, upcharge for proper TLS/SSL inspection capabilities or simply don’t offer the capability at all. Inspecting TLS/SSL traffic also takes compute power, so organizations need a firewall that can process TLS-encrypted traffic without hurting performance.

Why upgrade: The latest SonicWall NSa firewalls include the DPI-SSL license (by default) to inspect encrypted traffic at no additional cost, thereby reducing capital expense. Unfortunately, older-generation NSA firewalls (usually silver in color with our old logo) do not support inspection of encrypted traffic.

Upgrade Your NSa Firewall

Ready to upgrade to the newest SonicWall NSa firewall? Take advantage of the SonicWall Secure Upgrade Plus program to save money when you replace your existing SonicWall firewall or other eligible security appliance.


Expand Remote Branch/Site Security

For organizations with remote and branch locations, such as retail POS businesses, schools, banks and more, the ability to create a larger number of site-to-site VPN tunnels to connect distributed networks together and securely share data is essential. But not all firewalls have the capacity or capability to make this happen.

Why upgrade: By moving to the latest NSa Series firewall, your organization can secure more remote branches, services and devices. This is particularly powerful for distributed enterprises, retail organizations, etc. The NSa 2650, for example, enables the creation of 4x more site-to-site VPN tunnels than the NSA 2600 (1,000 vs. 250).


Support More High-Speed Wi-Fi Connections

Fast and secure Wi-Fi is a requirement in today’s hyper-connected world. Today’s wireless standard, 802.11ac, delivers the performance, range and reliability of high-speed wireless technology for a safe and fast user experience.

In a properly secured environment, wireless access points must be paired with a firewall that can support 802.11ac wireless standards.

Why upgrade: Newer firewalls can support more connections. The option to connect a larger number of wireless access points to a single firewall enables organizations to extend their wireless network farther without purchasing additional hardware.

Combine the latest NSa Series next-generation firewall with a SonicWall SonicWave 802.11ac Wave 2 wireless access point to create a high-speed wireless network security solution.

NSa Series firewalls and SonicWave 400 Series wireless access points both feature 2.5 gigabit Ethernet ports that can support multi-gigabit wireless throughput, which is available in the 802.11ac Wave 2 wireless standard. In addition, you can connect more wireless access points to the latest NSa firewall. The NSa 2650, for example, supports 1.5x the number of connected SonicWave wireless access points as the NSA 2600 (48 vs. 32).

Unfortunately, legacy NSA and older firewalls (as well as those on SonicOS 5.x or older firmware) do not offer multi-gigabit ports to accommodate the faster throughput supported by Wave 2 wireless standard.


Decrease Support Costs

Single sign-on (SSO) technology helps secure your environment, lets employees be more productive, and helps shrink IT support costs (e.g., tickets, calls, etc.) by enabling users to safely gain access to connected systems with a single ID and password.

Simply, the more users who can access a system with a single ID, the fewer support calls, IT tickets and complaints that will be generated. This self-service approach means real savings to your business or enterprise.

Why upgrade: The NSa 2650, for example, allows a larger population of users (40,000 vs. 30,000) to benefit from the use of SSO compared to the legacy NSA 2600. This disparity widens the further you go up the product line.


Increase Network Capacity

With increased network bandwidth requirements from apps, video streaming and social media, faster DPI and DPI-SSL performance provides a secure network without performance degradation.

Faster DPI performance also provides organizations with a greater capacity to utilize higher internet speeds and support more concurrent users. A higher number of concurrent connections provides greater scalability by enabling more simultaneous user sessions to be active and protected by the firewall.

Why upgrade: The NSa 2650 enables 500,000 deep packet inspection (DPI) connections and up to 100,000 deep packet inspection of TLS/SSL-encrypted (DPI-SSL) connections compared to the 250,000 for DPI and 1,000 for DPI-SSL on the NSA 2600 and older models, such as the NSA 220 (32,000 for DPI).


Boost Memory for Added Users, Logs & Policies

The number of users who require security on your network grows by the day. Unfortunately, the on-board memory of legacy firewalls can only support a finite footprint of users on the network.

Advanced NSa firewalls offer more onboard memory to allow for more rules and policies, users, and log messages to be stored on the firewall, making reporting easily accessible.

Why upgrade: The NSa 2650 has twice the onboard memory of the NSA 2600 (4 GB vs. 2 GB) and eight times the memory of the NSA 220 (4 GB vs. 512MB). This increased capacity empowers organizations to use a single NSa firewall to protect a larger userbase with deeper and more robust rules and policies.


Many Ports in a Storm

It’s time to clean up your server room or IT area. Having a greater number of ports allows organizations to connect more SonicWall devices directly to the firewall without needing to purchase a switch. In addition, organizations that require increased throughput to support bandwidth-intensive applications and data transfer need multi-gigabit ports.

Why upgrade: Newer NSa firewalls offer many more ports than their predecessors. For example, the NSa 2650 has 2.5x the number of ports as the NSA 2600 (20 vs. 8). The NSa 2650 also features eight 2.5 GbE ports while the NSA 2600 has none.


Improve Business Continuity

Many enterprises and larger organizations build business continuity and disaster recovery plans into their processes. Part of this planning is ensuring there’s a contingency for as many scenarios as possible, not the least of which is power. Many legacy firewalls offer only a single power supply. Newer models offer a second power supply to ensure business continuity if one fails.

Why upgrade: While the current NSa line and last-generation NSa Series both include a single power supply, the NSa 2650-9650 have an additional slot to add an optional second power supply for critical redundancy.


About SonicWall NSa Next-Generation Firewalls

The SonicWall Network Security appliance (NSa) Series mid-range firewalls consolidate automated advanced threat prevention technologies in a mid-range next-generation firewall platform.

Built on a multi-core hardware architecture featuring 10-GbE and 2.5-GbE interfaces, the NSa Series scales to meet the performance demands of mid-size networks, branch offices and distributed enterprises. NSa Series firewalls feature cloud-based and on-box capabilities such as TLS/SSL decryption and inspection, application intelligence and control, Secure SD-WAN, real-time visualization and WLAN management.

For a closer look at the NSa range of firewalls, explore the specifications table below or download the complete SonicWall NSa data sheet.


SonicWall’s Jason Carter Recognized as One of CRN’s ‘100 People You Don’t Know But Should’

As COVID-related issues plagued 2020, some individuals rose to meet these new challenges head-on, helping channel partners eager to address customer needs in what would become the ‘new business norm.’

One of them — SonicWall Vice President, Global Inside Sales and Installed Base Programs Jason Carter — has been named one of CRN’s 100 People You Don’t Know But Should for 2020.

“This year has certainly had its hurdles, but it’s been amazing to be part of a concerted industry effort that provides the security solutions newly distributed networks desperately need,” said Carter. “I look forward to collaborating with existing partners, new recruits and distributors to solve new challenges as organizations face unprecedented, pervasive attacks.”

Based on feedback from leading solution providers and industry executives, the CRN editorial team uses the 100 People You Don’t Know But Should list to draw attention to those outstanding channel players who may not be household names, but still work tirelessly to keep their partners thriving and the IT channel growing.

“Managing a successful channel partner program today calls for a small army of people, but only a few Channel Chiefs tend to enjoy widespread recognition,” said Blaine Raddon, CEO of The Channel Company. “With the 100 People You Don’t Know But Should, we are delighted to shine a spotlight on an exceptional group of unsung team members, giving them some of the acclaim they deserve for their indispensable contributions to channel success.”

Jason works as part of the SonicWall SecureFirst partner program, which consists of over 20,000 channel partners worldwide. The program provides real-time cyber-threat intelligence; education on current and emerging threats and the SonicWall solutions designed to address them; and an accreditation and certification capability that significantly accelerates partners’ effectiveness and success. Since its inception, the program has administered 668,303 successful exams and more than 334,152 hours of training.

Cybersecurity News & Trends

This week, foreign hackers made headlines for targeting everything from COVID-19 research, to NASA, to the U.S. presidential election.


SonicWall in the News

Top 5 CyberSecurity Innovations and Why They’re Drawing In The Money — TechGenix

  • SonicWall’s product with Perimeter 81 was included in the article as an innovation in the zero-trust sector.

ChannelPro Weekly Podcast: Episode #157 – The New M&A (Mongrels & Animals) — ChannelPro Weekly

  • In its weekly news podcast, ChannelPro Network discussed SonicWall’s 7th generation of security products.

Coronavirus Puts Security At The Heart Of The Agenda — MicroScope

  • Terry Greer-King, vice-president for EMEA at SonicWall, says the “mass shift” from working within the corporate perimeter to working from home has made everyone inherently less secure, ushering in an era of “boundless cyber security.”

Making Work-From-Home Security Work — ChannelPro Network

  • In an article about how to successfully and securely work from home, SonicWall’s data on the increase in ransomware from the midyear update to the 2020 Cyber Threat Report is included to showcase the dangers of ransomware attacks.

Industry News

U.S. warns ‘foreign actors’ aim to sow doubts over mail-in voting — Reuters

  • U.S. federal law enforcement and cybersecurity agencies on Tuesday warned that “foreign actors” will likely try to discredit the November presidential election by taking advantage of the slow counting of mail-in ballots.

UK Govt Advisor Warns: Universities the Latest Frontier for Cybercriminals — IT Supply Chain

  • Students’ return to universities has coincided with a spate of attacks against academic institutions across the North of England, prompting the National Cyber Security Centre to issue a warning: Prepare for disruption as the term starts.

FBI Opens China-Related Counterintelligence Case Every 10 Hours — SC Media

  • FBI Director Christopher Wray offered the House Homeland Security Committee some sobering news about China: the FBI opens a new China-related counterintelligence case roughly every 10 hours.

Ransomware gang targets Russian businesses in rare coordinated attacks — ZDNet

  • Group breaks an unofficial rule in the cybercrime underground not to target the former Soviet space.

Lessons from the ransomware death: Prioritize cyber emergency preparedness — SC Magazine

  • The death of a woman, at least in part due to a ransomware attack, has placed security teams on high alert.

“LokiBot,” the malware that steals your most sensitive data, is on the rise — Ars Technica

  • Officials are seeing a big uptick in infections coming from LokiBot, an open-source DIY malware package that’s openly sold or traded in underground forums. It steals passwords and cryptocurrency wallets, and can also download and install new malware.

The dark web won’t hide you anymore, police warn crooks — ZDNet

  • ‘Operation Disruptor’ involved agencies from nine countries and resulted in the seizure of over $6.5m in cash and cryptocurrencies, as criminals are warned law enforcement will track them down.

Healthcare lags behind in critical vulnerability management, banks hold their ground — ZDNet

  • New research sheds light on which industries are performing well when it comes to patching high-risk bugs.

Officials say NASA facing increased targeting by foreign and domestic hackers — The Hill

  • Top officials at NASA say the agency is facing increasing attempts by foreign hackers to target sensitive information as it works to improve its IT security during the COVID-19 pandemic.

FBI sounds alarm on rampant personal-data theft by China-backed hackers — The Washington Times

  • China is engaged in massive data mining in the U.S. and likely has stolen personal information on nearly half of the entire U.S. population, FBI Director Christopher Wray revealed.

Chinese and Russian hackers pose ‘very, very real threat’ to COVID-19 research: FBI Director Wray — The Washington Times

  • Foreign hackers searching for ways to steal coronavirus research remain a “very, very real cyber threat,” FBI Director Christopher A. Wray told the House Homeland Security Committee.

U.K. warns of surge in ransomware threats against education sector — Bleeping Computer

  • The U.K. National Cyber Security Centre has issued an alert about a surge in ransomware targeting educational institutions, urging them to follow new recommendations for mitigating attacks.

In Case You Missed It

Advanced Threats: Am I At Risk?

In “The Art of War,” Sun Tzu said, “If you know the enemy and know yourself, you need not fear the result of a hundred battles … if you know neither the enemy nor yourself, you will succumb in every battle.”

While he couldn’t have foreseen the digital salvos of two thousand years hence, his words ring as true for today’s cybersecurity arms race as they did for ancient Chinese military strategy. And now that the COVID-19 pandemic has ushered in a future where everyone is remote, everyone is mobile and everyone is less secure, cybercriminals are redoubling their efforts and specifically targeting remote workers — making it more important than ever to know what you’re up against.

Unfortunately, when it comes to cybercrime, it’s often much harder to know who your enemy is, where they’re located, or what weaponry they’re bringing to bear. Worse, in some cases you may not know until much later that you’ve even been attacked at all. We’ve seen cyberthreats evolve from basic computer viruses to widespread and devastating attacks such as Stuxnet, WannaCry, NotPetya, Spectra and more. But exactly how advanced and prevalent are today’s attacks?

According to the midyear update to the 2020 SonicWall Cyber Threat Report, while the quantity of malware deployed overall is dropping, the malware that is going out is both more advanced and more targeted than ever before. The degree of sophistication displayed in some phishing and social engineering strategies proves that even if you don’t know your adversary, they certainly know you — and if they’re successful in fooling you, their weapons of choice are often capable of completely circumventing legacy cybersecurity solutions.

These sorts of threats will often obfuscate in front of security solutions, only to execute later when in memory — or worse, in the CPU and hardware where you are a tenant, perhaps in a service you have in the cloud where the hardware itself executes the code and steals your information.

And if you’re thinking only a handful of cybercriminals have access to this level of sophistication, think again.

So far in 2020, every month has seen a significant year-over-year increase in the number of malware variants found by SonicWall Capture ATP (Advanced Threat Protection) and RTDMI (Real-time Deep Memory Inspection) — combined, they represent a full 62 percent increase over 2019’s first-half totals. In the first six months of 2020, Capture ATP and RTDMI found 315,395 new malware variants, including threats that do not exhibit any malicious behavior and hide their weaponry via encryption.

During this time, there has also been a whopping 176 percent increase in the number of malicious Office files, including some that can evade signature-based anti-malware engines and hinder sandbox debugging and analysis. These files look just like any other file you may receive through the course of your workday, but can lead to data exfiltration, ransomware infections and more.

With the time between an attack’s proof of concept and threat researchers spotting the attack in the wild narrowing to just hours — and with attackers developing ways to create hundreds of variations on an attack faster than they can be identified and patched — it’s tempting to concede defeat.

Fortunately, however, it’s still possible to thwart a majority of cyberthreats, if you deploy the correct countermeasures. Join SonicWall cybersecurity expert Simon Wikberg as he explores today’s biggest threats and why they succeed in our upcoming webinar, “A Step Ahead: Future-proofing Against Tomorrow’s Attacks.”

He’ll tackle the “know yourself” side of the equation by offering ways to determine your risk and profile your existing cybersecurity strategy.

And by sharing data from the SonicWall 2020 Mid-Year Cyber Threat Report, he’ll also help you become better acquainted with your adversaries, by revealing the places cybercriminals are targeting, spotlighting the techniques they’re using, and offering clues as to what they may be doing next.

By learning their tactics, you’ll be better able to create a plan, deploy proper countermeasures, and significantly decrease your risk of compromise in the next hundred battles — and beyond.

SiteCloak Page Obfuscation Techniques Leading to Greater Number of Missed Phishing Attacks

Ever since COVID-19 began closing offices and largely restricting people to their homes, cyber adversaries have been having a field day using the pandemic as a launchpad for phishing attacks. Organizations and individuals must be aware of the detective, preventive and protective measures required to safeguard their information assets against these attacks. We have seen a rise in the number of phishing attacks that bypass Microsoft 365 email filtering because the attackers obfuscate the credential-harvesting website.

These SiteCloak methods bypass Microsoft’s real-time URL-filtering scanners by obfuscating the credential-harvesting page. This behavior is widespread, using a variety of techniques from multiple threat actors.

Attack Summary Overview:

Platform: Microsoft 365 Email

Email Security: Exchange Online Protection and Microsoft Advanced Threat Protection

Targets: All organizations, all sizes

Payload: Malicious Link

Technique: Obfuscation of Credential Harvesting Page

What is a SiteCloak attack?

To identify a malicious URL within an email, Microsoft will follow a link to scan the target page for potential malware or phishing behavior. To combat this, attackers are hiding the intent of the target page by using a variety of obfuscation techniques. This behavior is widespread and utilizes a variety of methods, some more sophisticated than others, borrowed from multiple threat actors. Most of these methods are capable of fooling Microsoft’s scanners.

In most cases, the target page turns out to be a credential harvesting site, but because these techniques are now in widespread use by several threat groups, they are independent of the purpose of the page. If the user is not vigilant and provides their credentials, the user account is compromised.

Why are SiteCloak methods effective?

  • Concealed Page Intent: Microsoft URL filters are unable to determine the intent of an obfuscated page, so a malicious email is allowed to reach the user inbox.
  • Multiple Vulnerabilities: While categorized as a single method, attackers use a variety of obfuscation techniques, so there is no single gap for the scanner to close. Even simple techniques succeed today; these are eventually caught, but more advanced methods continue to work.
  • Multiple Actors: Page obfuscation is now in use by multiple actors. The techniques are typical of email obfuscation, and many of them are old, so there is no direct link between a threat actor and their methodology.

What can you do?

  • Use a Password Manager: The best defense against most credential harvesting attacks is a password manager. Most offer a free tier, and because autofill is tied to the domain the credential was saved for, the manager will not offer your password on a lookalike site, no matter how authentic the page appears. Ideally you never type, or even know, the password yourself.
  • Enable Multi-factor Authentication: With MFA, a harvested username/password pair alone is not enough to log in. Prefer phishing-resistant methods (FIDO2/WebAuthn security keys) where you can; one-time codes can still be relayed by a phishing page that proxies the real login in real time.

Attack examples

These techniques are in use by a large number of threat organizations, so their methods vary widely.

  • Basic SiteCloak Obfuscation: ZeroFont
    In the simplest version of the attack, the credential harvesting page uses the same ZeroFont technique (text inserted in a zero-point font, invisible to the user but read by a scanner) that was once a popular way to bypass Microsoft’s email scanners. Even old techniques can successfully fool the website scanner.
  • Advanced SiteCloak Obfuscation: JavaScript Encoding
    In more advanced methods, the webpage is encoded using multiple layers of JavaScript obfuscation. The JavaScript unescape() function is then used to decode the ‘html_encoder_data’ string and render the malicious web page.

    The rendered page is fairly advanced in that it does not ask the user to enter their email address, as it is encoded in the URL. It also asks for the password twice before redirecting the user to a real outlook.com page. Not only does this error-check the password for the attackers, but it also leaves the user with no hint that they entered their password on a fake site.
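The two techniques above are easy to reproduce offline. The following is an added example, not SonicWall’s or Microsoft’s code: it peels the unescape() layers off a captured page, strips ZeroFont text, and then checks whether a password form is left over. The sample page is constructed in the script itself; the variable name html_encoder_data is taken from the post, the regexes and thresholds are the example’s own assumptions.

```python
"""Added example (not SonicWall's or Microsoft's code): peel the JavaScript
obfuscation layers off a captured phishing page and scan the result the way a
URL filter would have to, covering the two SiteCloak techniques in the post:
ZeroFont hidden text and multi-layer unescape() encoding.  The sample page is
constructed below; the variable name html_encoder_data comes from the post."""
import re
from urllib.parse import unquote

# var NAME = '...';   (string constants that unescape() may be called on)
STRING_VAR = re.compile(r"\bvar\s+(\w+)\s*=\s*(['\"])(.*?)\2\s*;", re.DOTALL)
# unescape('literal') or unescape(identifier)
UNESCAPE_CALL = re.compile(r"unescape\(\s*(?:(['\"])(.*?)\1|(\w+))\s*\)", re.DOTALL)
# Elements styled font-size:0 -- text the scanner sees but the victim never does
ZERO_FONT = re.compile(
    r"<(\w+)[^>]*font-size\s*:\s*0(?:px|pt|em|%)?\s*[;\"'][^>]*>(.*?)</\1>",
    re.DOTALL | re.IGNORECASE)
PASSWORD_INPUT = re.compile(r"<input[^>]*type\s*=\s*[\"']?password", re.IGNORECASE)


def js_unescape(s: str) -> str:
    """Decode like JavaScript's legacy unescape(): %uXXXX then %XX (Latin-1)."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s, encoding="latin-1")


def js_escape(s: str) -> str:
    """Inverse of js_unescape(); used only to build the constructed sample."""
    out = []
    for ch in s:
        o = ord(ch)
        if ch.isascii() and (ch.isalnum() or ch in "@*_+-./"):
            out.append(ch)
        elif o < 256:
            out.append("%%%02X" % o)
        else:
            out.append("%%u%04X" % o)
    return "".join(out)


def peel_one_layer(html: str):
    """Replace every unescape(...) call with its decoded argument."""
    consts = {name: val for name, _q, val in STRING_VAR.findall(html)}
    changed = False

    def repl(m):
        nonlocal changed
        literal, ident = m.group(2), m.group(3)
        if ident is not None:
            if ident not in consts:
                return m.group(0)       # unknown variable: leave it alone
            literal = consts[ident]
        changed = True
        return js_unescape(literal)

    return UNESCAPE_CALL.sub(repl, html), changed


def deobfuscate(html: str, max_layers: int = 10):
    """Peel layers until no unescape() call remains; returns (html, layers)."""
    layers = 0
    while layers < max_layers:
        html, changed = peel_one_layer(html)
        if not changed:
            break
        layers += 1
    return html, layers


def scan(html: str) -> dict:
    """Look at the page as the victim's browser would render it."""
    decoded, layers = deobfuscate(html)
    hidden = [m.group(2).strip() for m in ZERO_FONT.finditer(decoded)]
    visible = ZERO_FONT.sub("", decoded)
    password_field = PASSWORD_INPUT.search(visible) is not None
    return {
        "layers_peeled": layers,
        "hidden_text": hidden,
        "password_field": password_field,
        # A login form that only appears after decoding, or that pads itself
        # with invisible text, is the SiteCloak pattern.
        "suspicious": password_field and (layers > 0 or bool(hidden)),
    }


# --- constructed sample: the harvesting page wrapped in two unescape() layers
INNER_PAGE = """<html><body>
<span style="font-size:0">quarterly newsletter archive policy update</span>
<form method="post" action="/collect.php">
<input type="hidden" name="email" value="victim@example.com">
<input type="password" name="pwd">
</form></body></html>"""


def build_sample_page() -> str:
    layer2 = ("var html_encoder_data = '" + js_escape(INNER_PAGE) + "';\n"
              "document.write(unescape(html_encoder_data));")
    return ("<script>document.write(unescape('" + js_escape(layer2) +
            "'));</script>")


if __name__ == "__main__":
    print(scan(build_sample_page()))
```

Note that the raw page contains no `<input` tag at all; only after both layers are decoded does the password field appear, which is exactly why a scanner that inspects the fetched HTML without executing it sees nothing. A real filter would render the page in a browser engine rather than pattern-match unescape() calls, but the check at the end (does a credential form exist after rendering, and did it only appear after decoding or hide padding text) is the same.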

How SonicWall Can Help

SonicWall Cloud App Security can identify SiteCloak-obfuscated websites, because the web-rendering and scanning engines utilize the same indicators of attack discovered by the email-rendering and scanning filters. With CAS Protection enabled, the attacks are prevented from ever reaching your inbox, making email more secure and reliable.

To learn more about SonicWall Cloud App Security, click here.

Cybersecurity News & Trends

Between legislation to protect government IoT devices, developments in the TikTok saga and Supreme Court arguments, what’s happening at the federal level this week could have far-reaching implications for cybersecurity.


SonicWall in the News

Politics in the Technology World Order — Verdict Magazine
SonicWall President and CEO Bill Conner weighs in on the future of the U.S. data privacy landscape.

Perimeter 81 Looks To Take Firewall Appliances Out — Security Boulevard
SonicWall, an investor in Perimeter 81’s recent funding round, has partnered with the firm on its firewall-as-a-service software.

Sectigo to Be Acquired by GI Partners — Sectigo Press Release
In a comment about the acquisition, SonicWall President, CEO and Sectigo Board Chairman Bill Conner said, “The future is bright for Sectigo as the company builds on its impressive position as a digital identity and web security solutions leader.”


Industry News

This security awareness training email is actually a phishing scam — Bleeping Computer
A creative phishing campaign spoofs a well-known security company in an email pretending to be a reminder to complete security awareness training.

Oracle-TikTok Deal to Undergo U.S. Security Review — The Wall Street Journal
The Treasury Department said it would review an agreement for Oracle and others to revamp TikTok’s U.S. operations, with the aim of avoiding a ban of the popular video-sharing app.

House approves bill to secure internet-connected federal devices against cyber threats — The Hill
The Internet of Things (IoT) Cybersecurity Improvement Act, passed unanimously by the House, would require all internet-connected devices purchased by the federal government to comply with minimum security recommendations.

Hackers are getting more hands-on with their attacks. That’s not a good sign — ZDNet
Both nation-state-backed hackers and cybercriminals are trying to take advantage of the rise in remote working — and getting more sophisticated in their approach.

LockBit ransomware launches data leak site to double-extort victims — Bleeping Computer
The LockBit ransomware gang has launched a new data leak site to be used as part of their double extortion strategy to scare victims into paying a ransom.

Zerologon attack lets hackers take over enterprise networks — ZDNet
If you’re managing enterprise Windows servers, don’t skip on the August 2020 Patch.

Security researchers slam Voatz brief to the Supreme Court on anti-hacking law — Cyberscoop
The Supreme Court is about to take up a case with major implications for computer research — and a group of high-profile cybersecurity specialists doesn’t want mobile voting firm Voatz to have the last word.

Don’t pay the ransom, mate. Don’t even fix a price, say Australia’s cyber security bods — The Register
Over the past 12 months, the Australian Cyber Security Centre has observed real-world impacts of ransomware incidents, which have typically originated from a user executing a file received as part of a spearphishing campaign.

Russian Intelligence Hackers Are Back, Microsoft Warns, Aiming at Officials of Both Parties — The New York Times
China is also growing more adept at targeting campaign workers, with Beijing mostly aiming at Biden campaign officials.

Iran Says US Vote Hack Allegation ‘Absurd’ — Security Week
Tehran on Friday hit back at allegations by Microsoft that Iran-based hackers had targeted the U.S. presidential campaigns.

Treasury Dept. sanctions Russian, Ukrainian individuals for election interference — The Hill
The Treasury Department has added four Russian and Ukrainian individuals to its specially designated nationals list, citing attempts by the individuals to interfere in U.S. elections.



Cybersecurity News & Trends

This week, students are going back to school, cybersecurity is going into outer space, and Emotet is going through the roof.


SonicWall Spotlight

Cybersecurity for the post-COVID new normal of work — Managing the Future of Work podcast

  • SonicWall CEO Bill Conner discusses how COVID-19 and the 2020 election are creating unprecedented infrastructure challenges in cybersecurity, and how forces such as the cybersecurity business gap and the need for secure remote access will shape the cybersecurity landscape going forward.

Tackle the Growing Number of IoT Ransomware Threats — TechTarget – IoT Agenda

  • Ransomware attacks have increased 20% worldwide in the first half of the year and 105% in the U.S., according to SonicWall’s latest cyberthreat report.

Cybersecurity News

FBI: Thousands of orgs targeted by RDoS extortion campaign — Bleeping Computer

  • The FBI has warned U.S. companies that thousands of organizations around the world, from various industry sectors, have been threatened with DDoS attacks within six days unless they pay a Bitcoin ransom.

Inter: a ‘low bar’ kit for Magecart credit card skimmer attacks on e-commerce websites — ZDNet

  • Researchers say that any attacker with “a little cash to burn” can join the attack trend.

Website Crashes and Cyberattacks Welcome Students Back to School — The New York Times

  • With many districts across the country opting for online learning, a range of technical issues marred the first day of classes.

Phishing adds overlay on official company page to steal logins — Bleeping Computer

  • A phishing campaign deployed recently at various businesses uses the company’s home page to disguise the attack and trick potential victims into providing login credentials.

Money from bank hacks rarely gets laundered through cryptocurrencies — ZDNet

  • Despite being considered a cybercrime haven, cryptocurrencies play a very small role in laundering funds obtained from bank hacks, the SWIFT financial organization said.

White House issues cybersecurity space policy — SpaceNews

  • Space Policy Directive 5 is the first comprehensive government policy on cybersecurity for satellites and related systems, and outlines best practices to protect space systems from hacking and other cyber threats.

U.S. Department of Defense discloses critical and high severity bugs — Bleeping Computer

  • The U.S. Department of Defense has disclosed details about four security vulnerabilities on its infrastructure. Two of them have a high severity rating, while the other two received a critical score.

France, Japan, New Zealand warn of sudden spike in Emotet attacks — ZDNet

  • Emotet activity has ramped up to new levels in September 2020, alarming some cybersecurity agencies.


Overcoming Advanced Evasion of Malware Detection

Malware evasion tactics are now fully present in the arsenal of threat actors. It’s essential that any threat detection technology remain hidden from malware to be able to effectively detect advanced attacks. Equally important, the technology must be able to detect malicious objects that don’t have signatures and to identify malicious capabilities — even if the malicious code hasn’t yet executed. SonicWall Capture Advanced Threat Protection (ATP) with Real-Time Deep Memory Inspection™ (RTDMI) technology offers an advanced layered defense to stay ahead of advanced evasive threats.

It’s this technology stack that SonicWall security services, clients and devices plug into for advanced malware detection and protection. From Next-Generation Firewall (NGFW), to Email Security, to Capture Client and more, Capture ATP is exposed to the latest evasive threats from around the globe, all day, every day.

Overview of SonicWall Capture ATP

To protect customers against the increasing dangers of zero-day threats, the SonicWall Capture ATP service detects advanced threats and, on select devices and services, can hold them at the gateway until a verdict is reached. It was the industry’s first advanced threat-detection offering to combine multilayer sandboxing, including full system emulation and virtualization techniques, to analyze suspicious code behavior and block until verdict.

Because of the increased focus on developing evasion tactics for malware, it’s important to apply a multi-engine approach to analyzing suspicious code, especially to find and stop ransomware and credential theft.

SonicWall’s award-winning multi-engine sandbox platform efficiently discovers what code wants to do — from the application, to the OS, to the software that resides on the hardware. This approach includes the ability to analyze code within the memory of a system using RTDMI.

RTDMI was specifically designed to provide complete visibility into malware behavior that other technologies miss, while remaining hidden from the malware itself. Combined with the rest of the Capture ATP technology stack, it offers a uniquely isolated inspection environment that simulates an entire host, including the CPU, system memory and all input/output devices.

This approach to advanced malware detection allows SonicWall to observe all the malicious actions engineered into a piece of malware, without being visible to the malware. Detecting evasive tactics is essential and complements our ability to detect malicious network, memory, settings, and other malware actions and changes.

Common malware evasion tactics

One of the key characteristics of advanced malware is its stealth: its ability to evade detection. Beyond defeating signature-based products and behavior-based detection tools, advanced malware draws on dozens of evasion techniques. The table below lists the basic categories of these tactics.

Evasion tactic, how it works, and why a conventional sandbox misses it:

  • Stalling Delays
    Tactic: The sample remains idle to defeat timer-based recognition.
    Result: Most legacy sandboxes can detect a call to the OS sleep function, but they can’t spot the evasion if the malware performs the delay internally without calling the OS.
  • Action-Required Delays
    Tactic: Malicious activity is deferred until a specific user action occurs (e.g., a mouse click, or opening or closing a file or app).
    Result: A conventional sandbox will not detect malware that is waiting on user action.
  • Intelligent Delays
    Tactic: The sample discovers the sandbox and suspends all malicious activity.
    Result: The malware waits until it has completed penetration of the host before injecting, modifying or downloading code; decrypting files; moving laterally across the network; or connecting to C2 servers.
  • Fragmentation
    Tactic: The malware is split into fragments, which only execute when reassembled by the targeted system.
    Result: As legacy sandboxes typically evaluate fragments separately, each fragment appears harmless, thus evading detection.
  • Return-Oriented Programming (ROP) Evasion
    Tactic: The sample modifies the stack (the memory addresses of code to be executed next), thus injecting functionality without altering its own code.
    Result: ROP evasion delegates the execution of its malicious logic to code already present in other programs, instead of the malware program itself, thereby hiding it from conventional detection.
  • Rootkits
    Tactic: A rootkit is an application (or set of applications) that hides malicious code in the lower OS layers.
    Result: A conventional sandbox does not monitor what the OS does with calls from applications, so the malicious actions performed by a rootkit will generally go undetected.
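The first two rows of the table describe behaviour that is visible in a sandbox’s own API-call trace even when nothing malicious ever executes. The following is an added example, not SonicWall code, of heuristics an analyst could run over such a trace to flag a stalling delay performed without Sleep(), a sleep-timing probe, and an action-required delay. The API names are the Windows ones a sandbox would typically log; the trace, the call sets and the thresholds are the example’s own constructed assumptions.

```python
"""Added example (constructed trace, not SonicWall code): heuristics that flag
three tactics from the table above in a sandbox API-call trace.  The API names
are Windows ones a sandbox would log; the thresholds are illustrative."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Call:
    t_ms: int   # sandbox timestamp, milliseconds since process start
    api: str    # API name as the sandbox logs it


TIME_QUERIES = {"GetTickCount", "GetTickCount64", "QueryPerformanceCounter",
                "timeGetTime", "rdtsc"}
SLEEP_APIS = {"Sleep", "SleepEx", "NtDelayExecution"}
INPUT_POLLS = {"GetCursorPos", "GetAsyncKeyState", "GetLastInputInfo",
               "GetForegroundWindow"}
# Calls that count as the sample actually doing something observable.
ACTIVITY = {"CreateFileW", "WriteFile", "CreateProcessW", "connect",
            "InternetOpenUrlA", "VirtualAllocEx", "WriteProcessMemory",
            "RegSetValueExW"}


def find_internal_stalling(trace, min_calls=50, min_span_ms=2000):
    """Stalling delay done without the OS sleep function: a long run of clock
    reads with no other API in between means the sample is spinning on the
    clock, which hooking Sleep() cannot accelerate."""
    findings, run = [], []

    def flush():
        if len(run) >= min_calls and run[-1].t_ms - run[0].t_ms >= min_span_ms:
            findings.append({"tactic": "stalling_delay", "start_ms": run[0].t_ms,
                             "span_ms": run[-1].t_ms - run[0].t_ms,
                             "calls": len(run)})
        run.clear()

    for c in trace:
        if c.api in TIME_QUERIES:
            run.append(c)
        else:
            flush()
    flush()
    return findings


def find_sleep_timing_check(trace, window=2):
    """A sleep bracketed by clock reads: the sample is measuring whether the
    sleep really took as long as requested, i.e. probing for a sandbox that
    fast-forwards timers."""
    findings = []
    for i, c in enumerate(trace):
        if c.api not in SLEEP_APIS:
            continue
        before = any(x.api in TIME_QUERIES for x in trace[max(0, i - window):i])
        after = any(x.api in TIME_QUERIES for x in trace[i + 1:i + 1 + window])
        if before and after:
            findings.append({"tactic": "sleep_timing_check", "at_ms": c.t_ms})
    return findings


def find_action_required(trace, min_polls=10):
    """Action-required delay: the sample polls for user input and never does
    anything observable, because an unattended sandbox never supplies it."""
    polls = sum(1 for c in trace if c.api in INPUT_POLLS)
    acted = any(c.api in ACTIVITY for c in trace)
    if polls >= min_polls and not acted:
        return [{"tactic": "action_required_delay", "polls": polls}]
    return []


def analyze(trace):
    """All findings, sorted by tactic name."""
    findings = (find_internal_stalling(trace) + find_sleep_timing_check(trace)
                + find_action_required(trace))
    return sorted(findings, key=lambda f: f["tactic"])


# --- constructed traces (not real sandbox output) ---
def evasive_trace():
    trace = [Call(0, "GetModuleHandleW")]
    # ~5 s spent reading the clock every 25 ms, with no Sleep() call at all
    trace += [Call(10 + 25 * i, "GetTickCount") for i in range(200)]
    # then a Sleep(5000) measured with QueryPerformanceCounter on both sides
    trace += [Call(5020, "QueryPerformanceCounter"), Call(5021, "Sleep"),
              Call(10021, "QueryPerformanceCounter")]
    # then waits for mouse movement that never arrives
    trace += [Call(10100 + 100 * i, "GetCursorPos") for i in range(30)]
    return trace


def benign_trace():
    return [Call(0, "GetModuleHandleW"), Call(5, "GetTickCount"),
            Call(12, "CreateFileW"), Call(20, "WriteFile"),
            Call(30, "GetTickCount"), Call(31, "Sleep"), Call(80, "CreateFileW")]


if __name__ == "__main__":
    for f in analyze(evasive_trace()):
        print(f)
```

The point of the example is the caveat in the table: a sandbox that only watches for Sleep() sees nothing wrong with the first 5 seconds of the evasive trace, because the sample never calls it. Thresholds such as 50 clock reads over 2 seconds will need tuning against real traces, where installers and legitimately polling software also read the clock.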

Espionage, ransomware and other advanced threats are growing ever more sophisticated. Defeating this class of malware requires tools designed specifically to detect known evasion techniques, adapt easily to new ones and work alongside your existing security stack. SonicWall Capture ATP with RTDMI builds on your existing investment in security systems so that you are ready to defeat today’s sophisticated threats. Click here to learn more.

Cybersecurity News & Trends

This week, teenage hackers and nation-state attackers made trouble worldwide.


SonicWall Spotlight

SonicWall TZ 600 POE — SC Magazine

  • SC Media takes a close look at the TZ 600 POE and awards it top marks.

Why Small Businesses Must Deal With Emerging Cybersecurity Threats — Entrepreneur

  • Cybercriminals are counting on small businesses to be less protected — and they’re often right.

Surging CMS attacks keep SQL Injections On The Radar During The Next Normal — Help Net Security

  • Cyberattacks have risen during the pandemic, leaving businesses to wonder whether things will settle down when COVID-19 begins to wane, or if the increase in attacks is here to stay.

Cybersecurity News

Teenager arrested in cyberattacks on Miami-Dade schools — The Washington Times

  • A 16-year-old student has been arrested for orchestrating a series of network outages and cyberattacks during the first week of school in Florida’s largest district.

Microsoft Defender can ironically be used to download malware — Bleeping Computer

  • A recent update to Windows 10’s Microsoft Defender antivirus solution ironically allows it to download malware and other files to a Windows computer.

Twitter Hack May Have Had Another Mastermind: A 16-Year-Old — The New York Times

  • A Massachusetts teenager appears to have played a significant role in the July 15 Twitter attack, investigators and fellow hackers said.

Chinese Hackers Targeted European Officials in Phishing Campaign — Bloomberg

  • Chinese nation-state hackers launched a phishing campaign against European government officials, diplomats, non-profits and other organizations to gather intelligence about global economies reeling from the pandemic.

Minister: New Zealand Enduring Wave of Cyberattacks — Security Week

  • According to the Associated Press, tracking down the perpetrators will be extremely difficult, as the distributed denial of service attacks are being routed through thousands of computers.

Federal agencies deny seeing attacks on voting infrastructure — The Hill

  • The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have denied seeing any reports of attacks on voting infrastructure, following the publication of a report on potential Russian election interference.

The FBI Botched Its DNC Hack Warning in 2016—but Says It Won’t Next Time — Wired

  • Facing looming election threats and a ransomware epidemic, the bureau says it has revamped its process for warning hacking victims.

The accidental notary: Apple approves notorious malware to run on Macs — Ars Technica

  • Newfangled malware protection gives users a false sense of security, critics say, making it potentially worse than nothing at all.

Attackers abuse Google DNS over HTTPS to download malware — Bleeping Computer

  • More details have emerged on a malware sample that uses Google DNS over HTTPS to retrieve the stage 2 malicious payload.

‘UltraRank’ Gang Sells Card Data It Steals — Bank Info Security

  • A cybercriminal gang that has spent five years planting malicious JavaScript code in order to steal payment card data from hundreds of e-commerce websites also takes the unusual step of selling the data on its own.

Hackers Attack Norway’s Parliament — Security Week

  • Norway’s parliament said Tuesday it had been the target of a “vast” cyberattack that allowed hackers to access some lawmakers’ emails.
