Nibiru ransomware actively spreading in the wild

The SonicWall Capture Labs Threat Research Team observed reports of a new ransomware family, NIBIRU [NIBIRU.RSM], actively spreading in the wild.

The NIBIRU ransomware encrypts the victim’s files with a strong encryption algorithm and demands a fee for their return.

Infection Cycle:

The ransomware adds the following files to the system:

  • Malware.exe
    • %App.path%\[Name].NIBIRU

Once the computer is compromised, the ransomware runs the following commands: (Actual Source code)

When NIBIRU starts, it creates and assigns a unique ID number to the victim and then scans all local drives for data files to encrypt.

It uses the AES encryption algorithm and only encrypts files that match the following extensions:

The ransomware encrypts the matching files and appends the [NIBIRU] extension to each encrypted file’s name.

After encrypting the personal documents, the ransomware displays the following image, a message stating that the computer’s files have been encrypted and instructing the victim to contact the developer for unlock instructions.
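The behaviour above (encrypt matching files, append an extension) suggests a simple triage step during response: enumerate files carrying the appended extension and confirm by byte entropy that they are actually ciphertext rather than, say, dropped ransom notes carrying the same suffix. The following is an added example written for this page, not SonicWall’s code and not the malware’s; the exact extension string ".NIBIRU", the 7.0 bits-per-byte threshold and the sample files it builds are assumptions.

```python
"""Triage helper: locate files carrying a ransomware-appended extension and
confirm they look encrypted.  Added example, not SonicWall's code; the
extension ".NIBIRU", the entropy threshold and the demo files are assumptions."""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_EXT = ".NIBIRU"        # assumed form of the appended extension
ENTROPY_THRESHOLD = 7.0       # assumed: AES ciphertext is close to 8 bits/byte


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def find_encrypted_files(root, ext=RANSOM_EXT, threshold=ENTROPY_THRESHOLD):
    """Walk `root`; return (hits, suspicious).  `hits` are files whose name
    ends with `ext` and whose first 64 KiB has entropy above `threshold`.
    Files with the extension but low entropy go into `suspicious` so an
    analyst can inspect them: they may be ransom notes, or a partial or
    failed encryption worth preserving for decryption attempts."""
    hits, suspicious = [], []
    for path in Path(root).rglob("*"):
        if not path.is_file() or not path.name.endswith(ext):
            continue
        with open(path, "rb") as fh:
            sample = fh.read(65536)
        if shannon_entropy(sample) >= threshold:
            hits.append(str(path))
        else:
            suspicious.append(str(path))
    return sorted(hits), sorted(suspicious)


def original_name(path: str, ext=RANSOM_EXT) -> str:
    """Strip the appended extension to recover the pre-encryption filename."""
    return path[:-len(ext)] if path.endswith(ext) else path


def build_demo_tree():
    """Create a temporary tree of constructed sample files (not real victim
    data): one high-entropy '.NIBIRU' file standing in for AES output, one
    plaintext '.NIBIRU' file simulating a ransom note, and one untouched
    document.  Returns the directory as a Path."""
    root = Path(tempfile.mkdtemp(prefix="nibiru_demo_"))
    rng = random.Random(1)
    (root / "report.docx.NIBIRU").write_bytes(
        bytes(rng.getrandbits(8) for _ in range(4096)))
    (root / "README.NIBIRU").write_text(
        "Your files are encrypted. Contact the developer.\n" * 20)
    (root / "notes.txt").write_text("quarterly numbers\n" * 50)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    hits, suspicious = find_encrypted_files(demo)
    for h in hits:
        print("encrypted:", h, "->", original_name(h))
    for s in suspicious:
        print("has extension but low entropy, inspect:", s)
```

The entropy check matters in practice: a plain extension match also sweeps up ransom notes and files the malware failed to finish, and those are exactly the ones worth keeping unmodified for a later decryptor.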

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: NIBIRU.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Another Reason to Not Pay the Ransom: Trouble with Uncle Sam

It’s an idea so ingrained in our culture that it’s been repeated by action movie stars, debated at length by political scholars, and cited in literature from young-adult fiction to parenting advice books: Do not negotiate with terrorists.

The rationale, according to Peter R. Neumann, director of the Center for Defense Studies at King’s College, London, is simple: “Democracies must never give in to violence, and terrorists must never be rewarded for using it. Negotiations give legitimacy to terrorists … undercut international efforts to outlaw terrorism, and set a dangerous precedent.”

If you’re an everyday civilian, it’s hard to imagine any practical application for this knowledge aside from the occasional action movie daydream. But there is, in fact, a situation in which everyday people are routinely given the choice of whether to negotiate with criminals: Ransomware.

Ransomware is a growing problem, and the COVID-19 pandemic seems to have accelerated this growth. According to the mid-year update to the SonicWall Cyber Threat Report, ransomware overall rose 20% during the first half of 2020. While some areas, such as the U.K., saw a year-over-year decline, the spike in ransomware in North America more than made up for it. The U.S., in particular, saw a staggering 109% increase in ransomware during the first half of 2020.

Last year, the monthly ransomware totals followed a neat, sine-wave-like pattern. In 2020, the numbers have been much more erratic. The late summer trough of 2019 never materialized this year — instead, numbers reversed course in July and have been skyrocketing since. The data from September, the most recent data we have, shows a staggering 34,112,981 ransomware attacks — more than double the total for September of last year. It’s too soon to see what the totals for October will be, but if the trends from last year hold, that number could climb even higher.

Worse still, the percentage of overall attacks focused on SMBs, education, local governments, public administration agencies, and even hospitals has been increasing as well. Because these organizations are usually smaller, and are working within tighter budgets, they often lack the security of larger companies — meaning ransomware attempts are more likely to succeed.

Should you pay a ransomware ransom?

Modern companies are built on, depend on and, in some cases, owe their existence to data. Faced with the prospect of starting over from square one, enduring major operational disruption and facing damage to customer relationships and reputation, some ransomware victims are tempted to pay the ransom just to make the problem go away.

But this isn’t advisable, for several reasons. For one, the criminals could simply abscond with your money — while ransomware operators tend to uphold their end of the bargain based on a very twisted concept of honor, not all do. Even dealing with an “ethical” ransomware operator gives no guarantees — it isn’t at all rare for the decryption key to be granted, only for the victim to find it didn’t decrypt the data entirely … or at all. According to a recent survey by research and marketing firm CyberEdge Group, nearly 1 in 5 ransomware victims surveyed paid the ransom and still lost all their data for good.

There’s also the matter of reinforcement: If you pay the ransom, your experience becomes a case study in why ransomware works and is a profitable and worthwhile undertaking. The more successful ransomware appears to be, the more attractive it becomes to those wishing to make a quick buck — potentially for the purpose of funding even more unsavory activities.

But if all of this isn’t enough of a deterrent — and obviously for some companies it isn’t, or we wouldn’t still be seeing ransomware — there’s also the chance that paying the ransom could get you in trouble with Uncle Sam.

On Oct. 1, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory stating that in some cases, paying ransoms could be illegal. Any organization that does so — regardless of whether it is the victim company or a third party that facilitated the ransom payment — could be violating OFAC regulations and thus be subject to enforcement action and hefty fines.

At issue here isn’t the payment of the ransom itself — it’s who the ransom is going to. The U.S. Department of the Treasury administers sanctions against countries and regimes, terrorists, and others recognized as threats to national security or the U.S. economy, based on U.S. foreign policy and national security goals. These individuals, groups and entities are recorded in the OFAC Sanctions List, which includes “numerous malicious cyber actors under its cyber-related sanctions program and other sanctions programs, including perpetrators of ransomware attacks and those who facilitate ransomware transactions,” according to the advisory.

In short, if the ransomware you’re infected with has been associated with an individual or group deemed to be a threat to the United States, paying could expose you to penalties.

Among the groups and individuals mentioned by name are some of the most well-known and prolific cybercriminals: Evgeniy Mikhailovich Bogachev (developer of Cryptolocker), individuals associated with the SamSam ransomware, the Lazarus Group and two subgroups (linked to WannaCry), and Evil Corp (cited for its involvement with Dridex malware, but also recently connected with WastedLocker). Note, however, that these were listed as examples, and not an all-inclusive list: There are other cybercriminals on the list, and more could be added at any time.

While the advisory does state that “a company’s self-initiated, timely and complete report of a ransomware attack to law enforcement” could be considered a significant mitigating factor in evaluating possible enforcement, remember that even in a best-case scenario — one that results in no federal fines or penalties whatsoever — you’re still left between ransomware’s proverbial rock and a hard place. In other words, by the time you’re impacted by ransomware, there are no good options left. Your opportunity for a “good” outcome to a ransomware attack depends entirely on the actions you take before the fact.

Fortunately, there are many things you can do to nip ransomware in the bud, including regular patching, creating and maintaining quality backups, implementing employee education initiatives and more.

In the meantime, follow the latest trends in ransomware, such as where and how ransomware operators are attacking, by checking out the mid-year update of the SonicWall 2020 Cyber Threat Report.

Cybersecurity News & Trends

This week: ransomware groups are operating more and more like businesses, and the ransomware they deploy is growing more sophisticated.


SonicWall in the News

Sonicwall Trusted By U.S. Federal Agencies, Driving Thought-Leadership With Live Webinar Event — SonicWall Press Release

  • Thursday, Oct. 15, 1 p.m. EDT, SonicWall will host a live webinar event, ‘Securing Federal Agencies in Unprecedented Times’, exploring the effects of COVID-19 on federal networks and employees, changes in the federal space in 2020, and SonicWall’s certified federal solutions.

How The Enterprise Can Shut Down Cyber Criminals and Protect A Remote Staff — TechRepublic

  • Hackers accidentally let into company software by security-noncompliant employees cost businesses millions annually. Experts weigh in on best safety practices.

5 Campaign Cybersecurity Lessons Learned from Enterprise — SDxCentral

  • Campaigns can — and should — take a page from enterprise security best practices to harden their defenses and hunt for threats in their environments.

SonicWall Unveils Boundless 2020, Company’s Largest Ever Global Virtual Partner Event — CRN India

  • On the heels of a record-setting year that has included the introduction of the Boundless Cybersecurity platform and numerous new products, services and programs, SonicWall is hosting a three-day virtual partner event, Boundless 2020, from Nov 17-19.

The Best Firewalls For Small Business In 2020 — Digital Trends

  • In a roundup of the top firewalls for small businesses, SonicWall’s firewalls are ranked first in the category of data-dependent small businesses. *Syndicated on Yahoo Finance

Cybersecurity Experts React on Hackney Council Cyber Attack — Information Security Buzz

  • Media outlets are reporting that Hackney Council in London has been the target of a serious cyberattack, which is affecting many of its services and IT systems.

Industry News

Study: Half of battleground states facing cybersecurity challenges ahead of election — The Hill

  • Around half of battleground states are facing cybersecurity challenges that put them at increased risk of a cybersecurity breach, a study found.

BazarLoader used to deploy Ryuk ransomware on high-value targets — Bleeping Computer

  • The TrickBot gang operators are increasingly targeting high-value targets with the new stealthy BazarLoader trojan before deploying the Ryuk ransomware.

Android Ransomware Has Picked Up Some Ominous New Tricks — Wired

  • Though ransomware has been around for years, it poses an ever-increasing threat to hospitals, municipal governments, and basically any institution that can’t tolerate downtime.

Apple pays $288,000 to white-hat hackers who had run of company’s network — Ars Technica

  • The company has so far processed about half of the vulnerabilities reported and committed to paying $288,500 for them. Once Apple processes the remainder, the total payout might surpass $500,000.

US Cyber Command: Patch Windows ‘Bad Neighbor’ TCP/IP bug now — Bleeping Computer

  • U.S. Cyber Command warns Microsoft customers to patch their systems immediately against the critical and remotely exploitable CVE-2020-16898 vulnerability addressed during this month’s Patch Tuesday.

Amid an Embarrassment of Riches, Ransom Gangs Increasingly Outsource Their Work — Krebs on Security

  • Judging from the proliferation of help-wanted ads for offensive pentesters in the cybercrime underground, today’s attackers have exactly zero trouble gaining that initial intrusion: The real challenge seems to be hiring enough people to help everyone profit from the access already gained.

Hackers Eye Their Next Targets, From Schools to Cars — The Wall Street Journal

  • Hackers will tell you that just about anything with software and an internet connection can get hacked. The next decade will test how much that is true, and the challenge it poses to everyday life.

Ransomware Attackers Buy Network Access in Cyberattack Shortcut — Threatpost

  • Network access to various industries is being offered in underground forums at as little as $300 a pop – and researchers warn that ransomware groups like Maze and NetWalker could be buying in.

Court orders seizure of ransomware botnet controls as U.S. election nears — Reuters

  • Microsoft said Monday it had used a court order to take control of computers that were installing ransomware and other malicious software on local government networks and threatening to disrupt the November election.

The Man Who Speaks Softly—and Commands a Big Cyber Army — Wired

  • Meet General Paul Nakasone. He reined in chaos at the NSA and taught the U.S. military how to launch pervasive cyberattacks. And he did it all without you noticing.

Canva design platform actively abused in credentials phishing — Bleeping Computer

  • Free graphics design website Canva is being abused by threat actors to create and host intricate phishing landing pages.

In Case You Missed It

A potent keylogger on Github

The SonicWall Threats Research team came across an interesting tweet mentioning a repository on GitHub. The repository is named Hakistan and boasts a set of hacking-related tools. One of them is a keylogger named Hakistan keylogger, which does not appear to have been created for malicious purposes.

Application details

Interestingly, the application label for this app is “Google Service” and it carries a matching icon. Clearly this keylogger application is trying to masquerade as a legitimate application, thereby violating Google Play policies.

Some of the services and receivers in this app are declared with permissions that signal high-risk capabilities (notification listener, device administrator, accessibility service):

  • BIND_NOTIFICATION_LISTENER_SERVICE
  • BIND_DEVICE_ADMIN
  • BIND_ACCESSIBILITY_SERVICE
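A practitioner triaging an APK like this one would pull these indicators from the decoded manifest before ever running the sample. The following is an added example, not code from SonicWall or from the Hakistan repository: it parses a constructed AndroidManifest.xml modelled on the findings above (the package name, component names and icon resource are invented) and flags components bound with the three permissions listed, an application label that mimics a Google component, and SMS-related permissions.

```python
"""Static triage of a decoded AndroidManifest.xml.  Added example, not
SonicWall's or the tool author's code; SAMPLE_MANIFEST is constructed to
mirror the findings described above and is not the real manifest."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS          # ElementTree's Clark notation for android:*

# A service/receiver declared with one of these permissions is, in effect,
# a notification listener, a device-admin receiver or an accessibility
# service: each hands the app a channel to keystrokes or screen content.
HIGH_RISK_BIND = {
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
    "android.permission.BIND_DEVICE_ADMIN",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
}
# Labels a non-Google package has no business using (assumed heuristic list).
IMPERSONATED_LABELS = {"google service", "google services", "google play services"}

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.hakistan.keylogger">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Google Service" android:icon="@drawable/ic_google">
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <receiver android:name=".SmsReceiver"/>
  </application>
</manifest>"""


def triage_manifest(xml_text: str) -> dict:
    """Return the indicators an analyst wants from a decoded manifest."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    app = root.find("application")
    label = (app.get(A + "label") or "") if app is not None else ""

    risky = []   # (component kind, component name, short permission name)
    for comp in root.iter():
        if comp.tag not in ("service", "receiver"):
            continue
        perm = comp.get(A + "permission")
        if perm in HIGH_RISK_BIND:
            risky.append((comp.tag, comp.get(A + "name"), perm.rsplit(".", 1)[-1]))

    impersonates = (label.strip().lower() in IMPERSONATED_LABELS
                    and not pkg.startswith("com.google."))

    sms = sorted(p.get(A + "name").rsplit(".", 1)[-1]
                 for p in root.findall("uses-permission")
                 if p.get(A + "name", "").endswith(("READ_SMS", "RECEIVE_SMS", "SEND_SMS")))

    return {"package": pkg, "label": label, "impersonates_google": impersonates,
            "risky_components": risky, "sms_permissions": sms}


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print(result["package"], "label:", result["label"],
          "impersonates Google:", result["impersonates_google"])
    for kind, name, perm in result["risky_components"]:
        print(f"  {kind} {name}: {perm}")
    print("  SMS permissions:", ", ".join(result["sms_permissions"]))
```

The manifest must already be decoded (for example with apktool); a binary AXML file will not parse with ElementTree. The impersonation check is only a heuristic: a label match plus a non-Google package name is a strong hint, not proof.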

Keylogging

Once execution begins, the application, as expected, asks the victim to grant several permissions and access rights:

Once the required permissions are granted, the keylogger keeps running in the background and monitors the victim’s keystrokes. The keystrokes are stored in a local file, as shown:

Additional Features

This keylogger logs more than just keystrokes. Additional data stolen by this keylogger includes the following:

  • Captures SMS on the device
  • Monitors incoming SMS
  • Forwards SMS present on the device
  • Captures system information

Clients receive data about victims via email messages in which the ‘from’ address is keylogger@hakistan.org:

In the current sample the ‘to’ address is base64-encoded; it decodes to dashdashpass7@gmail.com.

These findings are in line with what is advertised about this keylogger:

Research-related tools on GitHub are a dime a dozen, and most of those genuinely meant for research carry a disclaimer stating their purpose. In this case, the fact that the application presents itself as “Google Services” with a believable icon makes it look suspicious.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: AndroidOSHakis.KLG (Trojan)

Securing Devices at Home and at Work

2020 has seen sweeping changes in everything from where we work, to how we shop, to how we secure our networks. Never before have we seen such concerted attacks on home networks — and never has the security of home networks been so tied to the security of corporate networks. According to Security Boulevard, more than half of SMBs and nearly two-thirds of large enterprises feel that remote work increases their vulnerability to cyberattacks. And with good reason: the FBI has noted a 400% increase in the number of cyberattack reports compared with before the pandemic, and 71% of cybersecurity professionals have seen a rise in cyberattacks since the COVID-19 outbreak began.

During National Cybersecurity Awareness Month (NCSAM), we’re taking a closer look at the reality of securing devices at home and at work today. SonicWall President and CEO Bill Conner was recently invited to offer his cybersecurity expertise on this subject to the listeners of Harvard Business School’s “Managing the Future of Work” podcast. This week, we’re sharing some of his insights with you.

According to Conner, businesses are recognizing the increased risks associated with working from home and have begun responding accordingly. “It’s no longer about just getting access to the corporate network and applications. It’s about getting that access globally for all your employees and making it secure,” he explained.

In the meantime, however, cybercriminals are using this disruption to their advantage. According to a June 16 U.S. House meeting on cybercrime, Rep. Emanuel Cleaver stated, “We are seeing a 75% spike in daily cybercrimes reported by the FBI since the start of the pandemic.”

And many of these attacks are directly leveraging fear surrounding the pandemic. As reported in the mid-year update to the 2020 SonicWall Cyber Threat Report, a full 7% of all phishing attempts dealt with topics surrounding COVID-19.

While attacks on remote workers have risen sharply, many criminals see them less as a target and more as a means to an end. Many people, because they lack the knowledge or simply feel they’re unlikely to be targeted, don’t adequately secure devices such as gaming consoles, smart TVs or security cameras. But as employees connect to the corporate network from home, these home devices can be used as a back door into their employer’s network. “With the post-COVID environment, where everyone works remote and mobile, it’s obviously a whole new world in terms of how you can attack homes, how you can attack businesses and how you can attack governments,” Conner said.

When attackers are targeting organizations directly, they’re often going after those focused on addressing the global pandemic. “We’re seeing hospitals that are getting hit with ransomware. Criminals want money, and with hospitals being overrun in their emergency rooms and intensive care, that’s a great opportunity,” Conner said.

There’s also been an uptick in attacks on scientists and researchers. “Research institutions, either on the government side or an agency side, are seeing an influx of threats, particularly phishing and intellectual property hunting, attempting to get their research—both by country states and others,” Conner explained.

With the “new normal” no longer new, companies are shifting from a reactive posture to a forward-looking one and are considering the IT implications of a potential new work reality, Conner said. “I think that what’s changing right now is people are having to rearchitect their business, and therefore they’re having to rearchitect their networks.”

According to PwC’s US Remote Work Survey, most office workers wish to work remotely at least one day a week, and roughly a third say they’d like to continue working at home full time indefinitely. Conner believes that a third, more nomadic group will emerge, splitting their time between travel, home and the corporate office. “As the IT managers and business managers plan for reopening … they’ve got to plan for the workflows and business and security to happen in all three of those settings seamlessly,” Conner said.

As a result, there’s likely to be an increased focus on endpoints going forward. “What we’re going to learn out of COVID is now it’s not just the enterprise structure — the building’s castles, if you will — that you’ve got to protect. Those endpoints are now your users, your employees, your CEO, your CFO, your researchers. Now we’re learning how we’re going to have to bring that protection to the home.”

Unfortunately, many companies were already struggling to keep up with their cybersecurity needs before, and COVID-19 has only made matters worse. According to the ISACA State of Enterprise Risk Management 2020, 59% of organizations said they had too few security personnel, and 39% reported inadequate security budget — and this was based on data collected before COVID-19.

“The points of exposure for business networks are escalating — almost asymptotically — certainly exponentially. Your headcount required to protect that need to follow that same high growth rate, and so does your budget, in a traditional model. The reality is, though, we don’t have enough people,” Conner explained. “No company has enough capital to do everything they need to lock down digitally and protect themselves using traditional methods.”

As Champions of National Cyber Security Awareness Month, SonicWall is committed to helping businesses solve the cybersecurity business gap. To learn more, listen to the podcast here, and check back next week as we continue to explore the role each of us plays in securing our online spaces in the new work reality.

Microsoft Security Bulletin Coverage for October 2020

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of October 2020. A list of the issues reported, along with SonicWall coverage information, is as follows:

CVE-2020-16896 Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability
IPS 15203:Windows Remote Desktop Protocol Information Disclosure (CVE-2020-16896)

CVE-2020-16898 Windows TCP/IP Remote Code Execution Vulnerability
IPS 2416:Windows TCP/IP Remote Code Execution (CVE-2020-16898)

CVE-2020-16899 Windows TCP/IP Denial of Service Vulnerability
IPS 2427:Windows TCP/IP DoS (CVE-2020-16899)

CVE-2020-16907 Win32k Elevation of Privilege Vulnerability
ASPY 108:Malformed-File exe.MP.158

CVE-2020-16913 Win32k Elevation of Privilege Vulnerability
ASPY 5998:Malformed-File exe.MP.159

CVE-2020-16915 Media Foundation Memory Corruption Vulnerability
IPS 15202:Windows Media Foundation Memory Corruption Vulnerability (CVE-2020-16915)

CVE-2020-16922 Windows Spoofing Vulnerability
ASPY 5999:Malformed-File cat.MP.1

The following vulnerabilities have no known exploits in the wild:
CVE-2020-0764 Windows Storage Services Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1047 Windows Hyper-V Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1080 Windows Hyper-V Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1167 Microsoft Graphics Components Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1243 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-16863 Windows Remote Desktop Service Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-16876 Windows Application Compatibility Client Library Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16877 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16885 Windows Storage VSP Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16886 PowerShellGet Module WDAC Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2020-16887 Windows Network Connections Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16889 Windows KernelStream Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-16890 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16891 Windows Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-16892 Windows Image Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16894 Windows NAT Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-16895 Windows Error Reporting Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16897 NetBT Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-16900 Windows Event System Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16901 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-16902 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16904 Azure Functions Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16905 Windows Error Reporting Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16908 Windows Setup Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16909 Windows Error Reporting Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16910 Windows Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2020-16911 GDI+ Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-16912 Windows Backup Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16914 Windows GDI+ Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-16916 Windows COM Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16918 Base3D Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-16919 Windows Enterprise App Management Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-16920 Windows Application Compatibility Client Library Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16921 Windows Text Services Framework Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-16923 Microsoft Graphics Components Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-16924 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-16927 Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-16928 Microsoft Office Click-to-Run Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16929 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-16930 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-16931 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-16932 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-16933 Microsoft Word Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2020-16934 Microsoft Office Click-to-Run Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16935 Windows COM Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16936 Windows Backup Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16937 .NET Framework Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-16938 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-16939 Group Policy Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16940 Windows – User Profile Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16941 Microsoft SharePoint Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-16942 Microsoft SharePoint Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-16943 Dynamics 365 Commerce Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16944 Microsoft SharePoint Reflective XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-16945 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-16946 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-16947 Microsoft Outlook Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-16948 Microsoft SharePoint Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-16949 Microsoft Outlook Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-16950 Microsoft SharePoint Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-16951 Microsoft SharePoint Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-16952 Microsoft SharePoint Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-16953 Microsoft SharePoint Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-16954 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-16955 Microsoft Office Click-to-Run Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16956 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2020-16957 Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-16967 Windows Camera Codec Pack Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-16968 Windows Camera Codec Pack Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-16969 Microsoft Exchange Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-16972 Windows Backup Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16973 Windows Backup Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16974 Windows Backup Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16975 Windows Backup Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16976 Windows Backup Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16977 Visual Studio Code Python Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-16978 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2020-16980 Windows iSCSI Target Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16995 Network Watcher Agent Virtual Machine Extension for Linux Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17003 Base3D Remote Code Execution Vulnerability
There are no known exploits in the wild.

Modular Emotet Variant

Overview:

SonicWall Capture Labs Threat Research Team recently found a new sample and activity for Emotet. Emotet is an advanced, self-propagating modular malware. Historically, Emotet was an advanced banking trojan with botnet capabilities and indicators. Emotet has a variety of install sequences for many different content delivery mechanisms. It is spread mostly through phishing spam emails carrying attachments. The command and control, payloads, and delivery mechanisms change over time. Emotet first emerged in June of 2014.

Sample, Static Information:

Checking for valid values within the PE File:

Command-line Static Information:

Capabilities, Privilege Escalation and Keylogging stand out here:

Dynamic Information:

WinMain:

Processes created: svchost, calc, mspaint, and itself twice:

Pipes are used to transfer data:

Network Artifacts:

Injection into mspaint.exe, IP Address: 212.83.168.196

IP Information:

Graph:

Other EXEs that align with this sample:

Supported Systems:

  • Windows 10
  • Windows 8.1
  • Windows 8.0
  • Windows 7
  • Windows Vista

SonicWall Gateway Anti-Virus (GAV) provides protection against this threat:

  • GAV: Emotet.N (Trojan)

Appendix:

Sample SHA256 Hash: 5c5267ba9105ed1ebd26d50db8886030a601ffcda46fdbedf85b9a0bdc46e431

Cybersecurity News & Trends

This week, cybercriminals deployed attacks on both U.S. political parties, the shipping industry, and COVID-19 researchers.
SonicWall in the News

SonicWall Unveils Boundless 2020, Company’s Largest Ever Global Virtual Partner Event — SonicWall Press Release

  • SonicWall unveils Boundless 2020, a three-day virtual partner event hosted online Nov. 17-19.

Marina Pharmacy Secures Its Branches With SonicWall Next-Gen Firewalls — Intelligent CIO

  • How UAE-based Marina Pharmacy’s SonicWall implementation has improved the group’s security posture and secured network connectivity across its 40 retail stores.

Surge In Ransomware Attacks Threatens Student Data — TechTarget

  • SonicWall CEO Bill Conner explains why K-12 schools are an increasingly attractive target, and why they shouldn’t give in to ransom demands.

Rethinking Cloud Security Amidst Pandemic and Mounting Threats — Digital TechMedia

  • A closer look at how the pandemic has affected cybersecurity in India and around the globe.

Industry News

Cyber Pirates Hit Global Shipping Industry Nearing Peak Season — Bloomberg

  • Two key players in the global shipping industry are trying to restore computer networks and assess the damage from separate cyberattacks just ahead of peak season.

Hackers are using DNC volunteer pitch to deliver malware, researchers warn — The Washington Times

  • Democratic National Committee messaging has been repurposed and weaponized as part of a hacking campaign spotted by cybersecurity researchers following the debate.

Ransomware: Gangs are shifting targets and upping their ransom demands — ZDNet

  • Ransomware gangs are getting smarter, factoring in companies’ revenues when determining the ransom they try to collect.

‘Mercenary’ hacker group runs rampant in Middle East, cybersecurity research shows — Reuters

  • Saudi diplomats, Sikh separatists and Indian business executives have been among those targeted by a group of hired hackers.

Phishing emails lure victims with inside info on Trump’s health — Bleeping Computer

  • A phishing campaign pushing a network-compromising backdoor pretends to have the inside scoop on President Trump’s health after being infected with COVID-19.

US warns: Big surge in Emotet malware campaigns makes it one of today’s top threats — ZDNet

  • CISA’s intrusion detection system has recorded 16,000 Emotet threats to government networks since July.

Will We Have Cyberwar or Cyber Peace? — The Wall Street Journal

  • The Wall Street Journal’s Richard Clark takes a look at what cyber warfare could look like in 2030.

Ransomware: Surge in attacks as hackers take advantage of organisations under pressure — ZDNet

  • Cyber criminals are doubling down on ransomware attacks, deploying more sophisticated campaigns at a time when remote working is already creating additional security challenges for businesses.

US brokerage firms warned of widespread survey phishing attacks — Bleeping Computer

  • The U.S. Financial Industry Regulatory Authority (FINRA) has issued a notice warning member brokerage firms of widespread phishing attacks using surveys to harvest information.

COVID-19 Clinical Trials Slowed After Ransomware Attack — Threatpost

  • The attack on eResearchTechnology potentially slowed down coronavirus research worldwide, and researchers suggest a nation-state actor could be behind the incident.

In Case You Missed It

The Scope of Application Vulnerabilities

The use of business applications has grown 68% over the past four years — which has created headaches for IT, who are responsible for managing and for cleaning up any messes. To help you understand the scope, the average company today uses 129 applications. In the largest 10% of companies, that number is well over 200. If you’re a small business manager reading this, you’re not off the hook: You have, on average, 73 applications in use today. Despite the spending dip seen across IT this past year, we are on pace to see over $450B USD spent on enterprise software by year’s end.

In 2019 alone, CNAs assigned 9.0+ critical CVSS scores to over 16 thousand vulnerabilities. Android was the worst offender (414), followed by Debian Linux (360), Windows Server 2016 (357), Windows 10 (357), Windows Server 2019 (351), Acrobat Reader DC & Reader (342) and Cpanel (321).

In my experience, ranging from communicating with ransomware attackers in Russia to a few Anonymous operators this past year, the main vulnerabilities are often used when trying to penetrate companies using spray-and-pray techniques. However, when the attack is more targeted towards specific business roles, I found that many critical vulnerabilities for applications that are less well-known (e.g. Vbox) are used in the attack. Since some static defenses may not be even looking to block attacks using these applications, they feel the target is more easily breached.

To supplement this anecdotal experience, SonicWall’s 2020 Mid-Year Threat Report shows a shift toward more targeted attacks, as indicated by a drop in overall malware attacks and a rise in unique variants found by our RTDMI technology. The data also shows shifts in the top applications attacked — but this is not news to those that have to defend against these attacks.

So how is SonicWall helping our friends in IT solve the sprawling ecosystem of applications and their vulnerabilities?

In June 2019, we released a unique feature within Capture Client (our next-generation endpoint security platform) called Application Vulnerability Intelligence. This feature, first of all, helps our CISOs and friends in IT catalog every application within the organization. Secondly, the management console displays the number of critical vulnerabilities within your apps on the dashboard, so one can quickly see and react. Thirdly, and more importantly, one can drill down and see what specific applications are vulnerable, what the severity rating for a particular application is, and the justification for that rating.

This knowledge helps IT prioritize patching, either by uninstalling the application from the administration console or by notifying the end user to patch. This ultimately reduces the attack surface and thereby breaches and other IT headaches. If you would like to see this in action, please view this video.

For a more in-depth look at how to fit endpoint protection into your organization’s security posture, please see our Solution Brief: A Unified-Client Platform for Enterprise-Grade Endpoint Security.

SonicWall Unveils Boundless 2020, Company’s Largest Ever Global Virtual Experience

The cybersecurity and technology landscapes have never changed so quickly — and without warning — as they did in 2020.

During the COVID-19 pandemic, SonicWall and its global partner community of more than 20,000 strong pivoted, innovated and protected more than 500,000 customers across the world. While it was business as usual, it was anything but.

We learned together. Persevered together. Worked together.

But now we look toward 2021 to take on new challenges and opportunities to better protect, connect and secure our customers. To unify us in this mission, SonicWall introduces Boundless 2020, a worldwide virtual event, Nov. 17-19, connecting SonicWall partners with our elite innovators, experts, leaders and special guests.

Boundless 2020: Three-Day, Multi-Language Virtual Experience

Exclusively for SonicWall partners, Boundless 2020 will feature more than 20 hours of exclusive content and more than 30 speakers and presenters. The event will include:

  • Engaging Keynotes
  • Special Celebrity Guests
  • Roadmap Previews
  • Key Go-To-Market Sessions
  • Product Breakouts
  • Industry Roundtables & Panels
  • Insights from Regional Sales Experts
  • Infinite Networking Opportunities

Tailored to the needs of SonicWall’s diversified global team, Boundless 2020 will also offer regional breakouts in local languages, including English, German, French, Italian, Spanish and Portuguese.

“While challenging, this year has prompted companies to be more creative when bolstering solidarity amongst channel teams that are more dispersed than ever,” said The Channel Company CEO Blaine Raddon. “It’s inspiring to see the effort companies like SonicWall are putting forth to ensure the success of their partners, distributors and customers. This type of team investment is critical for end-of-year efforts by all, which will accelerate the business into and through the next few years.”

Supporting the event and SonicWall’s mission to deliver Boundless Cybersecurity that mitigates risk for enterprises, SMBs, higher education and government agencies are Boundless 2020 Diamond Sponsors ADT Cybersecurity, Ingram Micro and Infinigate, as well as Gold Sponsors The Channel Company, Exertis, Tech Data and ADN. SonicWall partners can boost brand awareness with remaining Gold or Silver sponsorship packages.

Featuring Celebrity Keynote Speaker Col. Chris Hadfield, Industry Experts

Referred to as “the most famous astronaut since Neil Armstrong,” Col. Chris Hadfield is a worldwide sensation whose video of David Bowie’s “Space Oddity” — seen by over 75 million people — was called “possibly the most poignant version of the song ever created,” by Bowie himself.

Acclaimed for making outer space accessible to millions, and for infusing a sense of wonder into our collective consciousness not felt since humanity first walked on the Moon, Hadfield continues to bring the marvels of science and space travel to everyone he encounters.

An international bestselling author, Hadfield has written three books: ‘An Astronaut’s Guide to Life on Earth,’ ‘You Are Here’ and his children’s book, ‘The Darkest Dark.’ In addition, Hadfield released his musical album, ‘Space Sessions: Songs from a Tin Can,’ in 2015. He is also featured on Ted.com for his talk, ‘What I Learned from Going Blind in Space.’

The event will also feature a deep bench of industry icons, including Bruce Schneier, Keren Elazari and John Sileo.

Bruce Schneier

American cryptographer and computer security professional Bruce Schneier will lead a session on how technology is a key initiative to the greater public interest. Called a ‘security guru’ by The Economist, Schneier is the author of over a dozen books, including his latest, ‘Click Here to Kill Everybody,’ as well as hundreds of articles, essays, and academic papers.

Schneier has testified before Congress, is a frequent guest on television and radio, has served on several government committees, and is regularly quoted in the press. Schneier is a fellow at the Berkman Klein Center for Internet & Society at Harvard University; a Lecturer in Public Policy at the Harvard Kennedy School; a board member of the Electronic Frontier Foundation, AccessNow, and the Tor Project; and an Advisory Board Member of the Electronic Privacy Information Center and VerifiedVoting.org.

Keren Elazari

Keren Elazari is an internationally recognized security analyst, researcher, author and speaker, working with leading security firms, government organizations and Fortune 500 companies.

Elazari is the first Israeli woman to give a TED talk at the official TED Conference, and her TED talk about hackers has been viewed by millions, translated into 30 languages and is one of TED’s most watched talks on the topic of cybersecurity.

John Sileo

Boundless 2020 will also feature cybersecurity industry speaker John Sileo, who is a fun, high-energy expert who molds his first-hand experiences into successes as an award-winning author, 60 Minutes guest and keynote speaker to the Pentagon, Schwab and thousands of audiences ready to take concrete action on cybersecurity, digital privacy and tech/life balance.

Sileo is a Harvard graduate and author of four books, including ‘Stolen Lives: Identity Theft Prevention Made Simple.’