Cybersecurity News & Trends

This week, attacks by cybercriminals in Russia and China made headlines — and the U.S. government is mobilizing to fight back.


SonicWall in the News

‘A Perfect Score’: SonicWall Capture ATP Aces Latest ICSA Lab Test, Finds More ‘Never-Before-Seen’ Malware Than Ever — Company Press Release

  • SonicWall Capture Advanced Threat Protection (ATP) sandbox service with Real-Time Deep Memory Inspection™ (RTDMI) received a perfect score in the latest ICSA Labs Advanced Threat Defense test for Q1 2021.

Industry News

Here’s what Russia’s SVR spy agency does when it breaks into your network, says U.S. CISA infosec agency — The Register

  • Following attribution of the SolarWinds supply chain attack to Russia’s APT29/Cozy Bear, the U.S. CISA infosec agency has published a list of the spies’ known tactics.

Ransomware crooks threaten to ID informants if cops don’t pay up — Ars Technica

  • Ransomware operators have delivered a stunning ultimatum to Washington, D.C.’s Metropolitan Police Department: pay them $50 million, or they’ll leak the identities of confidential informants to street gangs.

Navy SEALs to Shift From Counterterrorism to Global Threats — Security Week

  • U.S. Navy SEALs are undergoing a major transition to improve leadership and expand their commando capabilities to battle threats from global powers like China and Russia.

Cyberspies target military organizations with new Nebulae backdoor — Bleeping Computer

  • A Chinese-speaking threat actor has deployed a new backdoor in multiple cyber-espionage operations, spanning roughly two years and targeting military organizations from Southeast Asia.

Suspected Chinese hackers are breaking into nearby military targets — Cyberscoop

  • The suspected PLA hackers are back in action.

Microsoft Weighs Revamping Flaw Disclosures After Suspected Leak — Bloomberg

  • Microsoft Corp. may revise a program that shares coding flaws in its products with other companies after a sprawling cyberattack against thousands of Microsoft Exchange email clients.

U.S. warns of Russian state hackers still targeting U.S., foreign orgs — Bleeping Computer

  • The FBI, the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency warned of continued attacks by Russian-backed APT 29 hacking group against U.S. and foreign organizations.

Law enforcement delivers final blow to Emotet — Cyberscoop

  • Law-enforcement officials are sending a specially crafted file to infected machines.

Selling of Mobile Phone Data Presents Security Risk for U.S. Armed Forces — The Wall Street Journal

  • Apps show troop movements buried in data available for purchase: a “major risk to national security.”

Ransomware’s perfect target: Why one industry needs to improve cybersecurity, before it’s too late — ZDNet

  • Dependencies on just-in-time supply chains and sometimes out-of-date technology make shipping and logistics an ever-more-tempting target for cybercriminals.

Apple’s ransomware mess is the future of online extortion — Ars Technica

  • Hackers want $50 million in exchange for not releasing schematics they stole from an Apple supplier.

China could ‘control the global operating system’ of tech, warns UK spy chief — ZDNet

  • The head of the UK’s intelligence service warns that the West must be prepared to face a world where technology is developed and controlled by states with “illiberal values.”

New cryptomining malware builds an army of Windows, Linux bots — Bleeping Computer

  • A recently discovered cryptomining botnet is actively scanning for vulnerable Windows and Linux enterprise servers and infecting them with Monero (XMRig) miner and self-spreader malware payloads.

ToxicEye: Trojan abuses Telegram platform to steal your data — ZDNet

  • This recently discovered RAT is using bots to propagate across Telegram channels.

In Case You Missed It

SonicWall Capture ATP Receives Perfect Score in ICSA Labs ATD Certification

In 2020, the pandemic forced businesses to find new ways to conduct their operations. But it also revealed that cybercriminals can adapt to new workplace realities as quickly as corporations. When your adversaries are as nimble as you are, third-party validation of your advanced security solutions is more important than ever.

That’s why we’re proud to announce that SonicWall Capture ATP (Advanced Threat Protection) has received a perfect score from ICSA Labs. Capture ATP uses patented RTDMI™ (Real-Time Deep Memory Inspection) technology to catch more malware faster than traditional behavior-based sandboxing methods, with a lower false positive rate. This fact can be seen in the test results, as Capture ATP detected 100% of previously unknown threats with no false positives. This marks the fifth consecutive ICSA certification for SonicWall Capture ATP.

During the 35-day test cycle, ICSA conducted a total of 1,471 tests against Capture ATP, with a mixture of 580 new and little-known malicious samples and 891 innocuous applications. Capture ATP correctly identified all malicious samples while allowing all clean samples through, proving the effectiveness of the solution against unknown threats.

According to the report, “SonicWall Capture ATP did remarkably well during this test cycle — detecting 100% of previously unknown threats while having zero false positives.”

The full report can be downloaded here.

What is ICSA Advanced Threat Defense?

Standard ICSA Labs Advanced Threat Defense (ATD) testing is aimed at vendor solutions designed to detect new threats that traditional security products miss. The test cycles evaluate how effectively vendor ATD solutions detect these unknown and little-known threats while minimizing false positives.

Cybersecurity News & Trends

This week hackers ramped up attacks on office workers, with malicious emails impersonating Slack, BaseCamp and Bloomberg Industry Group.


SonicWall in the News

The 8 Best Wireless Routers for Business in 2021 — Solutions Review

  • SonicWall SOHO 250 was included on Solutions Review’s (alphabetically organized) list of the top wireless routers of 2021.

Higher the Factors, Stronger the Security — Security MEA

  • Mohamed Abdallah, SonicWall regional director for MEA, explores the importance of multi-factor authentication.

Saudi GDP Can Spike Automation — Khaleej Times

  • Mohamed Abdallah, SonicWall regional director for MEA, discusses digital transformation initiatives in Saudi Arabia and the need for intelligent automation deployments.

Industry News

Apple Targeted in $50 Million Ransomware Hack of Supplier Quanta — Bloomberg

  • The REvil ransomware group is threatening Apple after one of its key MacBook suppliers, Quanta, allegedly refused to pay a $50 million ransom.

Hackers pose as Bloomberg employees in email scam — Cyberscoop

  • The ruse seeks to capitalize on the influence of Bloomberg Industry Group, whose analysis major corporations use to track markets.

Japan says Chinese military likely behind cyberattacks — The Washington Times

  • Tokyo police are investigating cyberattacks on about 200 Japanese companies and research organizations, including the country’s space agency, by a hacking group believed to be linked to the Chinese military.

US takes steps to protect electric system from cyberattacks — The Washington Times

  • The initiative encourages power plants and electric utilities to improve their ability to identify cyber threats, including implementing technologies to spot and respond to intrusions in real time.

Fake Microsoft Store, Spotify sites spread info-stealing malware — Bleeping Computer

  • Sites that impersonate the Microsoft Store, Spotify, and an online document converter are using malware to steal credit cards and passwords saved in web browsers.

Millions of web surfers are being targeted by a single malvertising group — Ars Technica

  • Hackers have compromised more than 120 ad servers over the past year in an ongoing campaign that displays malicious advertisements on sites that seem completely benign.

Discord Nitro gift codes now demanded as ransomware payments — Bleeping Computer

  • A new ransomware calling itself “NitroRansomware” encrypts victims’ files and then demands a Discord Nitro gift code in exchange for decryption.

Ryuk ransomware operation updates hacking techniques — Bleeping Computer

  • Recent attacks from Ryuk ransomware operators show that the actors have a new preference when it comes to gaining initial access to the victim network.

BazarLoader Malware Abuses Slack, BaseCamp Cloud — Threat Post

  • The BazarLoader malware’s email messages leverage worker trust in collaboration tools like Slack and BaseCamp to get them to click links containing malware payloads.

Did Someone at the Commerce Dept. Find a SolarWinds Backdoor in Aug. 2020? — Krebs on Security

  • On Aug. 13, 2020, someone uploaded a suspected malicious file to VirusTotal, a service that scans submitted files against more than five dozen antivirus and security products. Last month, Microsoft and FireEye identified that file as a newly discovered fourth malware backdoor used in the sprawling SolarWinds supply-chain hack.

Cyberattack on UK university knocks out online learning, Teams and Zoom — ZDNet

  • The attack cancelled all live online teaching for the rest of the week.

How the Kremlin Provides a Safe Harbor for Ransomware — Security Week

  • Ransomware is crippling local governments, hospitals, school districts and businesses by scrambling their data files until they pay up — and law enforcement has been largely powerless to stop it.

Swinburne University confirms over 5,000 individuals affected in data breach — ZDNet

  • The university confirmed the personal information included in the breach contained names, email addresses and phone numbers of staff, students and external parties.

HackBoss malware poses as hacker tools on Telegram to steal digital coins — Bleeping Computer

  • The authors of a cryptocurrency-stealing malware are distributing it over Telegram to aspiring cybercriminals under the guise of free malicious applications.

In Case You Missed It

A Look Back: SonicWall Reflects on its 42nd CRN Award

For many, the number 42 holds an elevated degree of significance. Sports fans will recognize it as MLB great Jackie Robinson’s jersey number. Comic book fans will associate it with the spider that bit Miles Morales, creating the next Spider-Man. And science-fiction fans will remember it as “the answer to the ultimate question of life, the universe, and everything,” as revealed by supercomputer Deep Thought in Douglas Adams’ 1979 novel, The Hitchhiker’s Guide to the Galaxy.

It has added significance for SonicWall, as well: It’s the number of CRN awards that SonicWall, its team and its partner program have received since 2016.

President and CEO Bill Conner has been a key driver behind the numerous awards bestowed upon the company and its team members, products and partner program since taking the helm at SonicWall. During his tenure, the company’s channel leaders have consistently earned spots on CRN’s lists of ‘Channel Chiefs’ and ‘Most Influential’ — including this year’s honorees, Bob VanKirk, HoJin Kim and Dave Bankemper. A testament to the diversity of its expansive, global channel team, several SonicWall channel drivers have also been recognized as ‘CRN Women of Channel.’

“After arriving at SonicWall, I was blown away by the company’s portfolio, team and partner program,” Conner said. “I wanted all of those who had been working hard to feel appreciated and recognized for a job well done. Looking back at the tally of CRN awards is satisfying, and also a reflection of where we have taken this company as a team.”

SonicWall itself has been the recipient of numerous awards, and has been honored on lists such as ‘Coolest Network Security Vendors’, ‘The 25 Hottest Edge Security Companies’ and ‘Security 100’, which provides a look at 100 vendors across five market segments to help solution providers determine which security technologies and vendors they can place their bets on in a crowded market.

SonicWall’s products have earned their share of accolades as well, including ‘2021 Tech Innovator’ for the SonicWall TZ 570, 670 and NSsp 15700; ‘2018 Products of the Year’ for SonicWall Capture Cloud Platform; and SonicWall Email Security, which received top marks in the ‘2018 Annual Report Card’ based on performance in 24 product categories, including product innovation, support and partnership.

“We’re proud of our work here at SonicWall, our offerings, and our partner program but, most importantly, we’re proud of the loyal and dedicated support we get from our amazing partners around the world,” said SonicWall VP, Worldwide Channel Sales HoJin Kim.

For additional details regarding SonicWall accolades, please visit https://www.sonicwall.com/about-sonicwall/awards.

Cybercrime on Campus: How Education Became Attackers’ Biggest Target

At the core of educational philosophy is the idea that no two schools (or students) are alike. But regardless of differences in location, revenue or grade level, educational institutions are increasingly facing a common problem: They’re all being targeted by cybercriminals and an arsenal of malware, ransomware and other sophisticated cyberattacks.

In just the past month or so, more than half a dozen K-12 and primary schools, colleges and universities have been hit with ransomware attacks, including two colleges in Dublin, Ireland; a K-12 school district in Fort Lauderdale, Fla., that serves nearly 300,000 students; and a small school system in Basking Ridge, N.J.

But while this wave of attacks is alarming, it’s nothing new. Cyberattacks on schools have been happening for years, but 2020 pushed the number of these attacks to new heights, making 2020 a “record-breaking” year for cyberattacks on American schools.

According to an alert issued by the FBI, in August and September 2020 the percentage of ransomware incidents involving K-12 schools jumped from 28% to 57%. What’s even more concerning is that this figure doesn’t even include colleges and universities, many of which have been at the center of high-profile attacks.

But this isn’t a uniquely American problem. In a statement issued in March, Britain’s National Cyber Security Centre (NCSC) noted spikes in cyberattacks among educational institutions in the UK in August and September 2020, along with another wave of attacks as students were preparing to return to class this past February.

“In recent incidents affecting the education sector, ransomware has led to the loss of student coursework, school financial records, as well as data relating to COVID-19 testing,” the statement read. “It is therefore vital that organizations have up-to-date and tested online backups.”

SonicWall Capture Labs threat researchers recorded similar trends in the recently released 2021 SonicWall Cyber Threat Report. In 2020, ransomware rose 62% globally, bolstered by disruption from the COVID-19 pandemic, the large-scale shift to remote work and an all-time high in the price of Bitcoin.

Broken down by industry below, our data shows that education is being increasingly targeted. The number of ransomware attempts per education customer remained comparatively low in the first part of 2020. However, in October it skyrocketed. And in December, the number of ransomware attempts per customer in education was higher than in any other industry in any other month.

While non-ransomware cyberattacks don’t tend to make as many headlines, they can also be highly disruptive and costly. Unfortunately, the education industry didn’t fare any better when it came to most other attack vectors.

Education customers were more likely to see cryptojacking and IoT malware attempts, with the latter being particularly concerning. The number of IoT malware attempts per customer in education was higher than for any other industry. Moreover, a significantly higher percentage of education customers was targeted by IoT malware than for any other industry — a trend which held for the entire year.

Unfortunately, with many workers still remote, schools struggling to operate on hybrid models as reopening progresses, and Bitcoin now trading at more than double the record it set at the end of last year, attacks have continued to rise. And cybercriminals, emboldened by prior successes, are getting greedier.

In early March 2021, the Broward County School District in Fort Lauderdale, Fla., found itself on the receiving end of a $40 million ransom demand — the second-highest ever. The average ransom demand now stands at $447,000, an amount that doesn’t even account for remediation or any of the other costs associated with an attack.

But those who opt not to pay the ransom — or who are targeted by another type of malware — may still take a huge financial hit. According to Ponemon Institute, in 2020 the average cost of a data breach in education was $3.9 million. The cost and frequency of these incidents has grown to the point that, in late March 2021, the credit rating agency Moody’s Corp. warned that a continued worsening of attacks could impact the credit ratings of higher-ed institutions, which could compound the difficulties these institutions have had mounting an effective cybercrime defense in the first place.

There may be hope on the horizon, however. With the signing of the American Rescue Plan Act of 2021 (ARP) in March, the existing E-rate program — which provides a source of funding for U.S. public and private K-12 schools and libraries — received a $7.1 billion infusion in the form of the Emergency Connectivity Fund. Unlike with traditional E-rate funds, this additional funding can be used for cybersecurity needs both on and off campus.

The ARP also included a $40 billion increase in the Higher Education Emergency Relief Fund (HEERF), on top of the $14 billion originally approved as part of the CARES Act in March 2020. While some of this money is earmarked for student assistance, the institutional portion can be used to improve campus cybersecurity.

This funding will provide a much-needed boost to cybersecurity efforts in the education sector, but unfortunately it won’t be available immediately. In the meantime, schools should continue following guidance issued by bodies such as CISA and the UK’s National Cyber Security Centre, as well as established best practices.

To learn more about how cyberattacks on education compare to those in other industries, such as healthcare, retail and government, download the 2021 SonicWall Cyber Threat Report.

Cybersecurity News & Trends

This week utilities were under attack, as an Iran nuclear plant and a Kansas water facility both faced sabotage attempts.


SonicWall in the News

Internet of Things Malware Attacks Increase by 152% in North America in 2020, Other Continents also Witness a Significant Spike — Digital Information World

  • This article features data from SonicWall’s recent 2021 Cyber Threat Report, with a focus on the increase in IoT and malware attacks.

Video: 10 Minute IT Jams – SonicWall VP on the cybersecurity lessons learned from the last 12 months — Security Brief Asia

  • SonicWall’s vice president of regional sales – APAC, Debasish Mukherjee, discusses cybersecurity lessons learned from the pandemic.

Why some jobseekers have turned to cyber crime during the pandemic — ComputerWeekly

  • ComputerWeekly spoke with SonicWall EMEA Vice-President Terry Greer-King about cybercriminal activity during the pandemic.

‘Boundless Cybersecurity’: How SonicWall is helping to uncover unknown threats — Intelligent CISO

  • Intelligent CISO interviewed Osca St. Marthe, SonicWall’s executive director of sales engineering for EMEA, about the company’s boundless security model.

Remote Work Sparking Rise in Cybersecurity Threats, HTSA Told — Consumer Electronics Daily

  • SonicWall Solutions Architect Rick Meder was quoted in reference to the 2021 Cyber Threat Report.

Industry News

U.S. House committee approves blueprint for Big Tech crackdown — Reuters

  • The U.S. House of Representatives Judiciary Committee has formally approved a report accusing Big Tech companies of buying or crushing smaller firms, Rep. David Cicilline’s (D-R.I.) office said in a statement Thursday.

NSA, FBI, DHS expose Russian intelligence hacking tradecraft — Cyberscoop

  • The U.S. government warned the private sector that Russian government hackers are actively exploiting vulnerabilities to target U.S. companies and the defense industrial base.

NBA’s Houston Rockets Face Cyber-Attack by Ransomware Group — Bloomberg

  • The NBA’s Houston Rockets are investigating a cyberattack against their networks from a relatively new ransomware group claiming to have stolen internal business data.

IBM Uncovers More Attacks Against COVID-19 Vaccine Supply Chain — Bloomberg

  • A hacking campaign detected by IBM last year targeting organizations involved in the manufacturing, transportation and storage of COVID-19 vaccines is now thought to have targeted more than 40 companies in 14 countries.

Iran nuclear attack: Mystery surrounds nuclear sabotage at Natanz — BBC

  • Within hours of Iran proudly announcing the launch of its latest centrifuges at its site in Natanz, a power blackout damaged some of the machines.

Bitcoin hits record before landmark Coinbase listing on Nasdaq — Reuters

  • Bitcoin hit a record of $62,741 on Tuesday, extending its 2021 rally to new heights a day before the listing of Coinbase shares in the U.S.

100M More IoT Devices Are Exposed—and They Won’t Be the Last — Wired

  • The “Name: Wreck” flaws in TCP/IP are the latest in a series of vulnerabilities with global implications.

QBot malware is back replacing IcedID in malspam campaigns — Bleeping Computer

  • Malware distributors are rotating payloads once again, switching between trojans that in many cases serve as an intermediary stage in a longer infection chain.

Cybersecurity: Victims are spotting cyberattacks much more quickly – but there’s a catch — ZDNet

  • Cybercriminals are spending less time inside networks before they’re discovered. But that’s partly because when hackers deploy ransomware, they don’t stay hidden for long.

Small Kansas water utility system hacking highlights risks — The Washington Times

  • A former Kansas utility worker has been charged with remotely tampering with a public water system’s cleaning procedures, highlighting the difficulty smaller utilities face in protecting against hackers.

Biden budget request calls for major investments in cybersecurity, emerging technologies — The Hill

  • President Biden called for over $1.3 billion in cybersecurity funds, along with major investments in emerging technologies such as quantum computing and artificial intelligence, as part of his proposed budget request sent to Congress.

Financial industry preps for proposal that would require 36-hour breach notification — Cyberscoop

  • A proposal would mandate that financial firms report more kinds of cyber incidents to regulators within 36 hours.

Joker malware infects over 500,000 Huawei Android devices — Bleeping Computer

  • More than 500,000 Huawei users have downloaded from the company’s official Android store applications infected with Joker malware that subscribes to premium mobile services.

In Case You Missed It

Understanding the Difference Between Azure Firewall Services and SonicWall NSv

The firewall market has always been full of options, with a number of vendors each offering a variety of models. This is truer today than ever, with cybersecurity companies now developing firewalls for the cloud — for example, the Microsoft Azure Firewall and the SonicWall NSv.

If you’re curious about the differences between the two, you’re not alone. To help shed some light, we’ve put together a short guide on which product is best in which situation, and why you’d pick one over the other.

Microsoft Azure Firewall

Before Azure Firewall, there were Azure Network Security Groups (NSGs). NSGs are often auto-generated when deploying a new compute resource. They serve the same purpose as access lists on routers and switches, but are applied directly in front of the critical resources they protect. Unlike old-style access lists, NSGs are stateful filters: for convenience, rules only have to be written in the client-to-server direction, and return traffic for an established connection is allowed automatically. NSGs offer features similar to those of late-1990s firewalls, sufficient for basic packet filtering.

The Azure Firewall itself is primarily a stateful packet filter. Packet filters, whether stateful or stateless, have no visibility into the actual data stream transported over the network. They have become much less effective, as virtually everything on the Internet uses port 80 (HTTP) or 443 (HTTPS) today. They also lack application identification and decoding.

With the introduction of Azure Firewall, Microsoft appeared to monetize NSGs while adding only a small amount of new functionality — for example, rudimentary application-layer rules and Network Address Translation (NAT). Application-layer rules in Azure Firewall can ONLY filter web traffic by URL name, by looking into the application layer’s HTTP header and, for encrypted traffic, by doing a reverse name lookup.

This is, by firewall standards, less than a percent of what an NGFW like the SonicWall NSv can do. Deep packet inspection is one of the core requirements for gaining visibility into encrypted data. TLS 1.3 is partially supported on Azure Firewall: the TLS tunnel from the client to the firewall is based on TLS 1.2.

The user can enable intrusion prevention services, but Microsoft provides few details on this service: it reveals neither the number of signatures supported nor how often those signatures are updated. There is no sandbox or in-memory analysis of zero-day threats.

Moreover, Network Address Translation normally allows any part of the source/destination IP and source/destination ports to be mapped. Azure natively supports one-to-one mapping of private IPs to public IPs. Beyond that, Azure Firewall only adds the mapping of destination ports, which has very limited use in practice because most services run over ports 80 and 443 and do not accept different ports. Other NAT combinations, which are often needed to merge the networks of trading partners or of acquired companies, are not supported.

Management and reporting tend to be problematic in Azure Firewall. NSGs can generate traffic logs, but you need a third-party tool to review them, which is mostly useful for debugging. Azure Firewall has a monitoring resource, but it only gives you an overview — meaning it’s not useful for audits or troubleshooting.

Managing Azure Firewall is very similar to managing NSGs and must be done via the usual Azure settings management. Once you set it, you cannot change it.

You may be used to the quirks of the Azure user interface, but imagine using it to manage a large rulebase with groups and nested objects, and needing to periodically clean it up as it grows — for example, by renaming objects. This is close to impossible with Azure Firewall. Plus, Azure Policy does not offer any structured policy elements, such as object-based rule creation or nested objects.

SonicWall NSv Series Virtual Firewall

SonicWall’s NSv Series virtual firewall provides all the security advantages of a physical firewall with the operational and economic benefits of virtualization — including system scalability and agility, speed of system provisioning, simple management and cost reduction.

Modern firewalls such as the NSv Series, also known as next-generation firewalls (NGFWs), offer application-layer filtering on top of stateful socket filtering. Instead of just filtering out some traffic going to TCP ports 80 or 443 — the two ports utilized by almost all internet traffic — you can filter on the actual traffic flowing over these ports and distinguish between legitimate traffic and malware.

NSv delivers full-featured security tools to shield all critical components of the private/public cloud environments from resource misuse attacks, cross-virtual-machine attacks, side-channel attacks, and common network-based exploits and threats. With infrastructure support for reliable distributed clustering and scaling, the SonicWall NSv Series ensures system resiliency, operational uptime, service delivery and availability, and conformance to regulatory requirements.

NSv is available for VMware ESXi (and, for lab use, VMware Workstation and VMware Fusion), Hyper-V, KVM, AWS and Azure. You will find the same features on the virtual and cloud versions as you find on the appliances, including Deep Packet Inspection (DPI) and Gateway Anti-Virus (GAV), with real-time cloud support and our award-winning, patented RTDMI™ in-memory scanner, which captures dormant malware and zero-day threats. NSv is rated by the independent NetSecOPEN as one of the most effective next-generation firewalls on the market.

General Features                          NSv                       Azure NSG       Azure FW
Stateful packet filtering                 X                         X               X
Zone based security                       X
Protection of multiple networks           X                                         X
Socket based security                     X                         X               X
CIDR and port range definitions           X                         X               X
Custom Protocol ID                        X
Address groups                            X                                         X
Service groups                            X
Object Nesting                            X
FQDN                                      X                                         preview
Deny vs Discard                           X
Scalability                               X                                         X
Flow logs                                 IPFIX, Syslog, Inside VM  Azure storage   Azure storage, Event Hub

Network Address Translation               NSv                       Azure NSG       Azure FW
Basic Static NAT                          X                         X               X
Port Address Translation                  X                                         X
Basic Dynamic Address Translation         X                         X               X
Surgical NAT combination                  X

Next-generation security services         NSv                       Azure NSG       Azure FW
App Control                               X
Gateway Anti Virus (GAV)                  X
Intrusion Detection and Prevention (IPS)  X                                         X (basic)
Anti Spyware                              X
Anti Spam                                 X
Content Filtering                         X
URL filtering                             X                                         X
Botnet                                    X
Malicious URLs                            X
Geo Fencing                               X
Inspection of encrypted traffic           X (SSL and SSH)
SSL Server offloading                     X
Sandboxing                                X
RTDMI and 0-day threats                   X

Networking Features                       NSv                       Azure NSG       Azure FW
VPN                                       X
OSPF and BGP                              X
SD-WAN                                    X

Reporting                                 NSv                       Azure NSG       Azure FW
Log Analytics                             NSv NSM                   Third party     Azure Monitor
Bandwidth logging                         IPFIX, Syslog, Inside VM                  Azure storage

In addition, the SonicWall NSv Series offers three major features that take NGFWs into the 21st century. SonicWall NSv can intercept, decode, inspect and re-encode encrypted traffic so that an intruder cannot evade the firewall altogether (DPI-SSL). It can not only classify known traffic as good or malicious, but also detonate and test unknown traffic in real time in a safe sandbox environment (Capture ATP). Finally, with RTDMI, it can analyze malicious software that lies undetected and dormant until some trigger activates it.

These three features cover a large percentage of today’s malware — malware for which traditional signature-based filters such as the Azure Firewall are not effective.
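To make the three filtering tiers contrasted above concrete, here is an added Python example (not SonicWall’s or Microsoft’s code) that models a stateful port filter with an NSG-style connection table, an application rule that can see only the destination name, and signature inspection of the decrypted stream as DPI-SSL would expose it to an NGFW. It assumes the name rule reads the HTTP Host header for plaintext and the TLS SNI extension for HTTPS; the hostnames, addresses and the signature are constructed.

```python
import struct
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""  # first client-to-server bytes, as the firewall sees them

class StatefulPortFilter:
    """Tier 1 (NSG / Azure Firewall network rule): rules are written only in the
    client-to-server direction; replies are matched against a connection table."""

    def __init__(self, allowed_dports):
        self.allowed_dports = set(allowed_dports)
        self.table = set()  # 4-tuples of connections already permitted

    def permit(self, pkt: Packet) -> bool:
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:
            return True  # reply to an established flow: no reverse rule needed
        if pkt.dport in self.allowed_dports:
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return False

def host_from_http(payload: bytes):
    """Hostname from a plaintext HTTP request's Host header (None if absent)."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").lower()
    return None

def sni_from_client_hello(payload: bytes):
    """Hostname from the server_name extension of a TLS ClientHello (RFC 6066)."""
    if len(payload) < 44 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    p = 43  # record header 5 + handshake header 4 + version 2 + random 32
    p += 1 + payload[p]  # session_id
    p += 2 + int.from_bytes(payload[p:p + 2], "big")  # cipher_suites
    p += 1 + payload[p]  # compression_methods
    end = p + 2 + int.from_bytes(payload[p:p + 2], "big")
    p += 2
    while p + 4 <= min(end, len(payload)):
        etype, elen = struct.unpack("!HH", payload[p:p + 4])
        body = payload[p + 4:p + 4 + elen]
        if etype == 0 and len(body) >= 5 and body[2] == 0:  # server_name / host_name
            nlen = int.from_bytes(body[3:5], "big")
            return body[5:5 + nlen].decode("ascii", "replace").lower()
        p += 4 + elen
    return None

def fqdn_rule_permits(pkt: Packet, allowed_fqdns) -> bool:
    """Tier 2 (application rule): matches only the destination name, never the body."""
    host = host_from_http(pkt.payload) if pkt.dport == 80 else sni_from_client_hello(pkt.payload)
    return host is not None and host in allowed_fqdns

def dpi_permits(plaintext: bytes, signatures) -> bool:
    """Tier 3 (NGFW with DPI-SSL): scans the decrypted stream for known signatures."""
    return not any(sig in plaintext for sig in signatures)

def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello carrying only an SNI extension."""
    name = server_name.encode("ascii")
    sni_list = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32)  # version + all-zero random (constructed)
            + b"\x00"  # empty session_id
            + b"\x00\x02\xc0\x2f"  # one cipher suite
            + b"\x01\x00"  # null compression only
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed sample data: one permitted update host and a stand-in signature.
ALLOWED_FQDNS = {"updates.example.com"}
SIGNATURES = [b"CONSTRUCTED-MALWARE-MARKER"]
BENIGN_BODY = b"HTTP/1.1 200 OK\r\n\r\nhello world"
MALICIOUS_BODY = b"HTTP/1.1 200 OK\r\n\r\n" + SIGNATURES[0] + b" dropper"

def verdicts(pkt: Packet, plaintext: bytes) -> dict:
    """Allow (True) or deny (False) from each tier for one flow."""
    return {
        "port_filter": StatefulPortFilter([80, 443]).permit(pkt),
        "fqdn_rule": fqdn_rule_permits(pkt, ALLOWED_FQDNS),
        "dpi": dpi_permits(plaintext, SIGNATURES),
    }

if __name__ == "__main__":
    pkt = Packet("10.0.0.4", 51000, "203.0.113.10", 443, build_client_hello("updates.example.com"))
    print("benign body   :", verdicts(pkt, BENIGN_BODY))
    print("malicious body:", verdicts(pkt, MALICIOUS_BODY))  # only the DPI tier denies
```

A payload carrying the signature to a permitted host passes both the port filter and the name rule; only the tier that sees the decrypted stream denies it.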

NSv can also terminate VPN tunnels, either to a physical office, vendor or work-from-home employee, or within the cloud. In addition, NSv is a fully functional security router. Besides standard dynamic routing protocols, it also offers smart routing according to traffic content and congestion.

As far as reporting and analytics go, NSv is the clear winner. In addition to a clean, easy-to-operate web UI, SonicWall NSv offers highly scalable rule management, monitoring and analytics via cloud-based SonicWall NSM, which can manage hundreds or thousands of instances.

In short, Azure Firewall offers the sort of functionality you can find on a $100, big-box-purchased broadband router. It offers none of the many features that you find on an enterprise firewall — and for that matter, not a lot of valuable functionality over free NSGs.

Do yourself a favor: Save your organization some money and look at an actual cloud-based firewall. If you are familiar with managing enterprise firewalls, the SonicWall NSv is an instinctive choice for a cloud firewall.

Clear and Present Danger: Why Cybersecurity is More Critical than Ever

As the world began battling a once-in-a-century pandemic in 2020, global companies were caught grossly underprepared for what followed. With remote working and digital tech becoming the default, companies scrambled to adjust, which exposed severe technological vulnerabilities that threatened business continuity.

Cybersecurity has become one of the biggest challenges facing businesses around the world today. The pandemic has set into motion a wave of cybersecurity incidents, the ripples of which are still being felt a year into this so-called “new normal.” As outlined in the 2021 SonicWall Cyber Threat Report:

  • By March 2020, cyberattacks across the world doubled.
  • In June, mobile phishing increased by 37%.
  • During the same month, an unidentified European bank became the target of an 809 million packet-per-second DDoS attack, the largest publicly reported at the time.
  • In July, the Twitter accounts of several high-profile individuals, including Joe Biden, Barack Obama, Bill Gates and Elon Musk, were hacked to scam Bitcoin from followers.
  • In September, cybercriminals threatened thousands of global organizations across a variety of industries with DDoS attacks unless they paid a ransom within six days.
  • December 2020 saw the infamous SolarWinds intrusion, which industry pundits say had the most significant impact of any cyberattack in American history.

The SonicWall Cyber Threat Report for 2021 also highlights key cybersecurity trends from 2020: While malware attacks went down by 43% (perhaps due to limited visibility as the global workforce worked remotely), this drop coincided with record or near-record highs in other forms of attack. For instance, ransomware increased by a staggering 63% over 2019, intrusion attempts increased by 20% compared to 2019 (year-over-year attacks in Europe quadrupled), and IoT malware skyrocketed by a whopping 66%.

Research by Bain & Company near the end of 2019 found that executives at several corporations overrate their cybersecurity effectiveness and lack the strategic capabilities essential for a robust posture, with only 25% of companies following cybersecurity best practices. Given these findings, the exponential increase in cyberattacks once COVID-19 hit should come as little surprise.

Asia, a Fertile Ground for Cybersecurity Breaches

Even before the novel coronavirus disrupted businesses, only a handful of organizations, particularly in Asia and India, had the robust cybersecurity capabilities required to combat growing attacks. The pandemic has multiplied that risk, given the shift in work patterns and operating models. The region is ripe for cybercriminals to exploit (some reports suggest that Asia is 80% more likely to be targeted by hackers) due to poor cybersecurity awareness, growing cross-border data transfers, weak regulations and low cybersecurity investment.

Yet another report suggests that India witnessed the second-highest number of cyberattacks in Asia-Pacific in 2020 (second only to Japan), and accounted for 7% of all cyberattacks seen in the region.

And the data from the 2021 Cyber Threat Report supports these findings. For example, while Europe saw an average of 21% more encrypted attacks in 2020, in Asia, year-over-year totals increased by a mammoth 151%. Ransomware, too, saw a mind-boggling 455% spike in Asia.

Besides the lack of IT security-related awareness and limited budgets, the skill gap in the cybersecurity domain is another impediment faced by businesses in the region. And this gap continues to widen, with many cybersecurity experts constrained by the lack of career development and training offered to them and little strategic planning by organizations when it comes to cybersecurity.

The Road Ahead

Building a robust, viable cybersecurity system takes more than technology. It also demands long-term commitment and developing an array of strategic capabilities. While companies rolled out remote working security measures that included VPNs, endpoint protection and advanced authentication, they could not fully mitigate the inherent weaknesses in WFH models.

It is vital to continue ongoing measures such as continuously evaluating and adjusting technology standards, providing security awareness training to employees, and maintaining a security baseline for WFH. It is also essential for businesses to reassess and stay on top of their security capabilities as they modify operations for the post-pandemic world.

Over time, the cybersecurity gap will continue to grow, threats will become harder to see coming, and skilled staff will be increasingly difficult to find. It is vital for businesses to bridge the gap now, lest they fall victim to a cyberattack. Knowledge and business insights drawn from research and trend data can alert you to the threats out there, but to become a truly robust and secure organization, cybersecurity should be a central pillar of your IT strategy, supported by solutions that can identify and prevent sophisticated threats.

Emotet and Trickbot: The Battle of the Botnets

Emotet began as a banking trojan in 2014 — but from this inauspicious start, it grew to become “the world’s most dangerous malware” according to Europol, and one of the Cybersecurity and Infrastructure Security Agency’s “most prevalent ongoing threats.”

The botnet earned its reputation in a number of ways.

  • It was strikingly common. By 2021, Emotet was involved in one-third of malware attacks.
  • It was resilient. The botnet was capable of spreading laterally once it had gained access to just a small number of devices in a network.
  • It was targeted. One Emotet module collected a portion of each email in a victim’s inbox, enabling highly targeted phishing that replied to and quoted legitimate email threads, so the lure arrived inside a conversation the recipient was already having.
  • It was automated. Once it gained control of a device, it mailed itself to the user’s contacts and attempted to brute-force its way onto any other devices reachable on the same network.

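The thread-hijacking technique in the third bullet above leaves a detectable pattern: a reply that quotes a real participant's earlier mail, reuses that participant's display name, but is sent from an unrelated mailbox and carries a macro-capable attachment. The following is an added example of a mail-gateway heuristic for that pattern, written for this page; it is not SonicWall's code or Emotet's, and the three messages, addresses, filenames and score weights are constructed placeholders.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment types Emotet typically dropped into hijacked threads
# (macro-enabled Office files, sometimes zipped). Extend as needed.
RISKY_EXTS = (".doc", ".docm", ".xls", ".xlsm", ".zip")
REPLY_SUBJECT = re.compile(r"^\s*(re|fw|fwd)\s*:", re.IGNORECASE)
# A 'From:' line inside quoted ('>') text, i.e. a participant of the original thread.
QUOTED_FROM = re.compile(r"^\s*(?:>\s*)+From:\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def quoted_senders(body: str) -> list:
    """(display name, address) pairs for every quoted 'From:' line in the body."""
    return [parseaddr(m.group(1)) for m in QUOTED_FROM.finditer(body)]


def analyze(msg: EmailMessage) -> dict:
    """Score one message for Emotet-style reply-chain hijacking."""
    subject = str(msg.get("Subject", ""))
    is_reply = bool(msg.get("In-Reply-To") or msg.get("References")) or bool(REPLY_SUBJECT.match(subject))

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    sender_name, sender_addr = parseaddr(str(msg.get("From", "")))

    # Emotet reused a real participant's display name but sent from an unrelated mailbox.
    name_reused = any(
        qname.strip().lower() == sender_name.strip().lower()
        and domain_of(qaddr) != domain_of(sender_addr)
        for qname, qaddr in quoted_senders(body)
        if qname
    )
    risky = [
        (part.get_filename() or "")
        for part in msg.iter_attachments()
        if (part.get_filename() or "").lower().endswith(RISKY_EXTS)
    ]

    score = 0
    if is_reply and name_reused:
        score += 3
    if risky:
        score += 2
    if is_reply and risky:
        score += 1  # a lure attached to an existing conversation is the Emotet signature
    return {
        "is_reply": is_reply,
        "sender_name_reused": name_reused,
        "risky_attachments": risky,
        "score": score,
        "verdict": "suspicious" if score >= 4 else "clean",
    }


# Constructed sample thread (placeholder addresses; not real captured mail).
QUOTED_THREAD = (
    "\n> From: Bob Partner <bob@partner.example>\n"
    "> Subject: Q3 invoice\n"
    ">\n"
    "> Please find the invoice attached.\n"
)


def build_sample(sender: str, body: str, attachment: str = None) -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "Accounts Payable <ap@corp.example>"
    msg["Subject"] = "RE: Q3 invoice"
    msg["In-Reply-To"] = "<111@partner.example>"
    msg.set_content(body)
    if attachment:
        # Placeholder bytes standing in for a macro-enabled document.
        msg.add_attachment(b"placeholder", maintype="application", subtype="msword", filename=attachment)
    return msg


SAMPLES = {
    # Alice answering Bob: quoted sender is a different person, no attachment.
    "legit_reply": build_sample("Alice Example <alice@corp.example>", "Thanks Bob, approved." + QUOTED_THREAD),
    # Bob following up on his own mail from his real mailbox: same name, same domain.
    "self_followup": build_sample("Bob Partner <bob@partner.example>", "Any update?" + QUOTED_THREAD),
    # Hijacked thread: Bob's name, unrelated sending domain, macro-capable attachment.
    "hijacked": build_sample(
        "Bob Partner <bob@freemail-example.test>",
        "Please see the updated invoice attached." + QUOTED_THREAD,
        "Q3_invoice.doc",
    ),
}

if __name__ == "__main__":
    for label, message in SAMPLES.items():
        print(label, analyze(message))
```

The display-name check deliberately compares domains rather than full addresses, so a participant who follows up from their own mailbox is not flagged while a lookalike or free-mail sender reusing the name is. In production the quoted-participant list would be cross-checked against the gateway's own log of the thread's earlier messages rather than trusted from the body, since the attacker controls the quoted text.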
And in many cases, it was just the beginning. In the SonicWall 2021 Cyber Threat Report, we detailed the meteoric rise of Ryuk ransomware. While Ryuk is certainly formidable in its own right (see rapid growth in graph below), a key to its swift success was the leg up it received from Emotet. Emotet access was offered for hire to Ryuk operators, who used the foothold Emotet had already established to deploy the ransomware on the networks of victims deemed valuable targets.

To compare it to crime in the physical space, consider a group of burglars with plans to rob a bank. What would be easier: finding a way to break in themselves, or hiring someone on the inside to simply leave a door open?

The End of Emotet

But in the end, it was Emotet’s success and versatility that led to its downfall. In response to the rampant proliferation of the botnet, law-enforcement agencies from at least eight different countries formed a multinational organization with the goal of disrupting it and taking it down.

In January 2021, law enforcement and judicial authorities succeeded in gaining control of the servers used by Emotet. Then, they replaced the Emotet malware on these servers with a harmless file created by law enforcement. By preventing new devices from downloading the malware, the spread of Emotet to additional targets was halted.

While this disruption will likely prevent a number of infections — some costing more than a million dollars to mitigate — in the short term, the long-term impact remains much less clear.

As Fernando Ruiz, Europol’s European Cybercrime Centre head of operations, told ZDNet, “We expect it will have an impact because we’re removing one of the main droppers in the market. For sure there will be a gap that other criminals will try to fill, but for a bit of time, this will have a positive impact on cybersecurity.”

History Repeating

It’s possible that, in a best-case scenario, this disruption will eliminate Emotet for good, and have a long-term positive effect on the amount of malware going forward.

For an idea of how a worst-case scenario might play out, however, we only have to look back about six months — to none other than the rumored Emotet heir apparent, Trickbot.

Since its development in late 2016, the operators of Trickbot have successfully infected over a million devices globally. As with Emotet, a variety of factors make Trickbot an outsized threat, including its ever-evolving modular capabilities, its ability to infect IoT devices and its proficiency at stealing information.

But it was Trickbot’s potential to deploy ransomware or DDoS attacks in advance of the 2020 U.S. presidential election that presented the most pressing danger.

Hoping to prevent a large-scale disturbance in the democratic process, Microsoft obtained a court order allowing it to shut down Trickbot’s operations. In a joint effort with global telecommunications companies, Microsoft was able to disable Trickbot’s infrastructure, taking down new servers that Trickbot was attempting to use as replacements almost as soon as they went online. The actual operation itself took less than a week, and by October 18, 2020, the vast majority of Trickbot’s critical infrastructure had been disabled.

While the takedown was a success in terms of preventing election tampering, this respite wasn’t long-lived: By the time the U.S. Electoral College held its confirmation vote in December, Trickbot was already showing signs of a resurgence. A new version was spotted that included upgraded means of evading detection, along with other features. And in January, ZDNet reported a malware campaign that “has the hallmarks of previous Trickbot activity.”

Will Emotet take a similar path and come roaring back to life? We don’t know yet, but with so much money to be made, it certainly isn’t out of the realm of possibility.

In the meantime, the takedown of Emotet in early 2021 seems to be fueling the ongoing resurgence in Trickbot, which is rising to fill the void left behind.

Until both are gone for good, the best protection against botnets like Emotet and Trickbot is a sound and proven security posture, frequent software and firmware updates, and comprehensive cybersecurity awareness. The latter includes everyday vigilance and adherence to best practices, along with staying up to date on current trends in cybercrime.

For more on Ryuk, Emotet and other malware, download the 2021 SonicWall Cyber Threat Report.

Cybersecurity News & Trends

This week, educational institutions around the world found themselves the target of malware, as lawmakers faced pressure to increase protection for schools and universities.


SonicWall in the News

Keeping Tabs on IoT Security — Enterprise IT News

  • SonicWall Vice President of Regional Sales (APAC) Debasish Mukherjee was interviewed on the recent 2021 Cyber Threat Report.

Logically Buys MSSP Company, Sets Sights on $100M — TechTarget: SearchITChannel

  • This article mentions SonicWall’s strategic alliance with MSSP company Cerdant.

Industry News

European Institutions Were Targeted in a Cyberattack Last Week — Bloomberg

  • A spokesperson for the commission said that a number of EU bodies “experienced an IT security incident in their IT infrastructure.”

China Creates Its Own Digital Currency, a First for Major Economy — The Wall Street Journal

  • A cyber yuan stands to give Beijing power to track spending in real time. It also could soften the bite of U.S. sanctions.

US DoD Launches Vuln Disclosure Program for Contractor Networks — Security Week

  • The U.S. Department of Defense announced the launch of a new vulnerability disclosure program to identify vulnerabilities in Defense Industrial Base contractor networks.

Ransomware Hits TU Dublin and National College of Ireland — Bleeping Computer

  • The National College of Ireland is working on restoring IT services after being hit by a ransomware attack that forced the college to take IT systems offline.

FBI, CISA Warn Fortinet FortiOS Vulnerabilities Are Being Actively Exploited — ZDNet

  • APT groups are suspected of harnessing three bugs, two critical, for data exfiltration purposes.

University of California Victim of Ransomware Attack — The Hill

  • The university said in a statement that it — along with several other government agencies, private companies and other schools — has been involved in an attack involving Accellion, a secure file transfer company.

Malicious Cheats for Call of Duty: Warzone Are Circulating Online — Ars Technica

  • Activision said that a popular cheating site was circulating a fake cheat for “Call of Duty: Warzone” that contained a dropper, a type of backdoor that installs specific pieces of malware.

Malware Attack is Preventing Car Inspections in Eight U.S. States — Bleeping Computer

  • A malware attack on emissions testing company Applus Technologies is preventing vehicle inspections in Connecticut, Georgia, Idaho, Illinois, Massachusetts, Utah and Wisconsin.

As Ransomware Stalks the Manufacturing Sector, Victims Are Still Keeping Quiet — Cyberscoop

  • While competition from companies with cheap labor has long been an economic concern for U.S. manufacturers, cyberattacks have crept gradually into the equation.

Lawmakers Urge Education Department to Take Action to Defend Schools from Cyber Threats — The Washington Times

  • Representatives urged the Department of Education to prioritize protecting K-12 institutions from cyberattacks, which have shot up in the past year as classes moved increasingly online.

Feds Say Man Broke Into Public Water System and Shut Down Safety Processes — Ars Technica

  • The indictment underscores the potential for remote intrusions to have fatal consequences.

Ransomware Gang Wanted $40 Million in Florida Schools Cyberattack — Bleeping Computer

  • Fueled by large payments from victims, ransomware gangs have started to demand ridiculous ransoms from organizations that cannot afford them.

U.S. DOJ: Phishing Attacks Use Vaccine Surveys to Steal Personal Info — Bleeping Computer

  • The U.S. Department of Justice warned of phishing attacks using fake post-vaccine surveys to steal money or trick people into handing over their personal information.

In Case You Missed It