SonicWall Continues to Rack Up Awards, CRN Recognizes Another Rising Channel Star

/0 Comments/in /by

SonicWall continues its collection of industry-recognized awards. The company’s director of solutions engineers, Wayne Wilkening, added to CRN’s 100 People You Don’t Know But Should for 2021. Every year, this CRN list honors the people working tirelessly behind the scenes to support not only their partners, but the broader channel ecosystem, as well.

“I’ve long since had a passion for security and networking fields, and SonicWall has given me the opportunity to immerse myself in both,” said Wilkening. “Taking this journey with our customers and loyal partners has allowed me to solve new problems every day while building lasting relationships across North America. It’s great to be recognized for what I love to do.”

Wilkening is a SonicWall staple, having been at the company for almost two decades. He plays a vital role in helping enable, manage and mentor his team of pre-sales channel and territory engineers across the United States and Canada.

“There are truly talented folks who make game-changing, creative and strategic decisions every day behind the scenes,” said Blaine Raddon, CEO of The Channel Company. “With the 100 People You Don’t Know But Should, we are excited to shine a light on this exceptional group and honor them for their remarkably important work on behalf of their partners and their contributions to the IT channel at large.”

The CRN editorial team compiles the list each year to bring well-deserved attention to the best and brightest who may not be as visible or well-known as some channel executives, but whose roles are just as important. The selections are based on feedback from leading solution providers and industry executives.

SonicWall, founder of the award-winning SecureFirst partner program and SonicWall University, is celebrating its 30-year anniversary in 2021. The company has grown to include more than 17,000 channel partners worldwide and provides them with more training, tools and rewards than ever before.

Cybersecurity News & Trends – 09-24-21

/0 Comments/in /by

SonicWall is in the news in Europe this week, with announcements about a support center in Romania and SonicWall’s country manager, Sergio Martinez, participating in regional discussions about cybersecurity. The FBI reportedly held onto a vital encryption key for three weeks before handing it to victims tops our industry news list. Plus, recent research reveals that multi-party breaches cause 26-times more damage than single-party breaches, SUEX is sanctioned, Biden and hackers debate “critical,” seven countries are being spoofed, and TinyTurla weighs in for big damage. 

SonicWall in the News

SonicWall to open customer support centre in Romania

  • Telecompaper (NL): US cyber-security specialist SonicWall is in the process of opening a technical support centre in Romania, writes local paper Ziarul Financiar citing SonicWall sales director for Southeast Europe, Cosmin Vilcu. According to the news outlet, the operation has already recruited staff and begun regional marketing activities.

European recovery funds: a good way to improve corporate cybersecurity

  • Dealer World (Spain): Sergio Martínez, our country manager, participated in a special issue about the European recovery funds: “The rain comes, the European rain in the form of millions. Millions that will allow many companies to improve deficit aspects to be more competitive. Will cybersecurity be one of them?

SonicWall continues to expand its offering to combat cyberattacks

  • Director TIC.es (Spain): In an interview with Sergio Martínez, SonicWall’s country manager, the publication discusses the layered security promoted by SonicWall based on a comprehensive portfolio of solutions. Martinez explains the latest developments in SonicWall’s offer, including its new generation of firewalls and solutions for secure access and protecting credentials.

IBM Launches New Lto-9 Tape Drives with More Density, Performance And Resiliency

  • TiBahia (Portugal): IBM is launching tape drives that give systems more resilience to cyberattack. Additionally, the company has repeatedly cited the Mid-Year Update to the 2021 SonicWall Cyber Threat Report as an example of the marketplace’s need for such products. In this release, they cite the Threat Report, noting ransomware is one of the costlier types of breaches, with an average cost of $4.62M per breach and one of the most common.

Industry News

FBI Held Back Ransomware Decryption Key from Businesses to Run Operation Targeting Hackers

  • Washington Post: After a devastating ransomware attack this summer, the FBI’s investigations uncovered the digital key needed to unlock maliciously encrypted computer systems. However, the FBI held onto the digital key for almost three weeks, knowing that the attack hobbled the computers of hundreds of businesses and institutions. According to the report, investigators discovered the digital key through access to servers operated by the Russia-based cybercrime gang behind the attack. Deploying the digital key immediately could have helped the victims, including schools and hospitals, avoid what analysts estimate was millions of dollars in recovery costs.

Multi-party breaches cause 26-times the financial damage of the worst single-party breach

  • ZDNet: The researchers found that when a ripple event triggers a loss of income, it can lead to losses of $36 million per event. RiskRecon, a Mastercard company, and the Cyentia Institute released a study on Tuesday showing that some multi-party data breaches cause 26-times the financial damage of the worst single-party breach. The researchers used Advisen Cyber Loss Database to investigate cybersecurity incidents since 2008. They report that nearly 900 multi-party breach incidents have been recorded in the database, with 147 newly uncovered “ripple incidents” across the entire data set, with 108 occurring within the last three years.

US Sanctions Crypto Exchange Accused of Catering to Ransomware Criminals

  • Wall Street Journal: The Biden administration blacklisted a Russian-owned cryptocurrency exchange – SUEX OTC – for allegedly helping launder ransomware payments. This is a genuinely unprecedented action meant to deter future cyber-extortion attacks by disrupting their primary means of profit. By targeting a digital currency platform, the Treasury Department is also renewing its warning to the private sector that businesses risk high penalties and fines for paying ransoms and – more importantly – that the Department is watching.

Biden Cybersecurity Leaders Back Incident Reporting Legislation As ‘Absolutely Critical’

  • Senior Biden administration officials are backing congressional efforts to enact new cyber incident reporting requirements for critical infrastructure operators and other companies, as well as other measures to entrench further the Cybersecurity and Infrastructure Security Agency (CISA) at the center of the civilian executive branch’s digital security apparatus. CISA Director Jen Easterly said that incident reporting is “absolutely critical” and called CISA’s “superpower” its ability to share cyberthreat information across agencies and critical infrastructure sectors.

After Biden Warning, Hackers Define ‘Critical’ as They See Fit

  • Bloomberg: After a furious run of ransomware attacks in the first half of the year, President Joe Biden in July warned his Russian counterpart, Vladimir Putin, that Russia-based hacking groups should steer clear of 16 critical sectors of the US economy. But if a recent attack on a grain cooperative in Iowa is any indication, apparently hackers will define what should be considered “critical.”

Alaskan health department still struggling to recover after ‘nation-state sponsored’ cyberattack

  • CNN: Alaska is still dealing with the fallout of a hack. Many of their systems are offline after foreign government-backed hackers breached the department in May, a spokesperson told CNN on Monday. As the department continued to warn Alaskans that hackers might have stolen their personal data, the department’s spokesperson declined to comment on which foreign government was behind the intrusions or their motives. However, Alaskan officials now say that hackers exploited a vulnerability in the health department’s website to access department data. The hackers may have accessed Alaskans’ Social Security numbers and health and financial information.

Republican Governors Association email server breached by state hackers

  •  Bleeping Computer: The Republican Governors Association (RGA) revealed in data breach notification letters sent last week that its servers were breached during an extensive Microsoft Exchange hacking campaign that hit organizations worldwide in March 2021. This attack follows a breach on Synnex back in July, a network management contractor for the Republican National Committee (RNC).

BlackMatter Ransomware Has Infected Marketron’s Marketing Services

  • Cyber Intel: The BlackMatter ransomware group targeted Marketron, a cloud-based revenue and traffic management tools supplier. The company has a customer base of over 6,000 and reportedly manages about $5 billion in advertising revenue per year. This was the second ransomware attack by BlackMatter in so many days. Another one involved a ransom of $5.9 million when this group attacked the NEW Cooperative United States Farmers organization.

Epik data breach impacts 15 million users, including non-customers

  • Ars Technica: Epik has now confirmed that an “unauthorized intrusion” did, in fact, occur into its systems. The announcement follows last week’s incident of hacktivist collective Anonymous leaking 180 GB of data stolen from online service provider Epik. To mock the company’s initial response to the data breach claims, Anonymous had altered Epik’s official knowledge base, as reported by Ars.

TinyTurla: New Malware by Russian Turla

  • Cyware: According to Cisco Talos, TinyTurla is a previously unknown malware backdoor from the Turla APT group, in use since at least 2020. The malware got the attention of researchers when it targeted Afghanistan before the Taliban’s recent takeover of the government. Now, it is suspected in recent attacks against the U.S., Germany, and other countries.

Ongoing Phishing Campaign Targets APAC, EMEA Governments

  •  Security Week: Government departments in at least seven countries in the Asia-Pacific (APAC) and Europe, the Middle East and Africa (EMEA) regions have been targeted in a phishing campaign that has been ongoing since spring 2020. The attacks appear to be focused on credential harvesting. During the first half of 2020, operators transferred the phishing domains used as part of the campaign to their current host. In addition, investigators have found at least 15 active “spoofing” pages, posing as various ministries within the targeted country’s governments, including energy, finance, and foreign affairs departments. The spoofed pages target Belarus, Georgia, Kyrgyzstan, Pakistan, Turkmenistan, Ukraine, and Uzbekistan. Other pages posed as the Pakistan Navy, the Main Intelligence Directorate of Ukraine, and the Mail.ru email service.

In Case You Missed It

Buffalo routers path traversal vulnerability

/in /by

SonicWall Capture Labs threat research team observed attacks exploiting vulnerability in Buffalo routers.

Buffalo company builds quality storage, networking, and other technology-related solutions. Their network attached storage (NAS) devices, many with scale-as-you-go options, are installed with pre-tested hard drives that eliminate the hassle of sourcing and testing drives, saving you time and money. Buffalo also builds Wireless Router which is a high speed, open source dual band solution, and is ideal for creating a high speed 11ac wireless home network. A path traversal vulnerability exists in web interface of certain firmware versions of these routers.

Vulnerability | CVE-2021-20090

A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder by manipulating variables that reference files with dot-dot-slash sequences. A path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote attackers to bypass authentication. Successful exploitation of this vulnerability could allow an attacker to access pages that would otherwise require authentication. An unauthenticated attacker could gain access to sensitive information, including valid request tokens, which could be used to make requests to alter router settings.

The vulnerability exists due to a list of folders which fall under a “bypass list” for authentication. One such folder is images . The exploit looks like this

The attacker is able to bypass authentication through path traversal. The attacker uses POST request to access and modify the configuration of the attacked device. The attacker then downloads and executes malicious script from attacker controlled server .

Following versions are vulnerable:

  • WSR-2533DHPL2 firmware version <= 1.02
  • WSR-2533DHP3 firmware version <= 1.24

The Vendor advisory is here.

SonicWall Capture Labs provides protection against this threat via following signatures:

      • IPS 15659:Buffalo Routers Configuration File Injection
      • GAV: Shell.LOL

Threat Graph

IoCs
212.192.241.87
054320be2622f7d62eb6d1b19ba119d0a81cb9336018d49d9f0647706442ae8f

Living in the Wild West of the IoT

/0 Comments/in /by

What started as a siloed technology called IoT (Internet of Things) has now evolved into a complete ecosystem for automation to make our everyday life simpler and more productive. The signs are everywhere as the adoption skyrockets. All industries are rushing headlong with smart “things” – smart cities, smart homes, smart cars, smart drones, and smart appliances.

By 2025, Statista forecasts that there will be more than 75 billion Internet of Things (IoT) connected IoT devices in use. This would be a nearly threefold increase from the IoT installed base in 2019. The original estimate from 2018 was 23 billion and 31 billion in 2020. See what I mean by “the trajectory goes up like a rocket?”.

IoT and its associated automation bring a very compelling value once you had tried it. My own experience is with the smart home side of things. However, the industrial and enterprise side of IoT are even more pervasive, and innovative. Thanks to the Artificial Intelligence technology that are often tightly coupled.

Let me give you an example of how home automation has simplified my life. I started with a smart thermostat that monitors peak usage cost, and a smart irrigation system that can auto-dial water usage based on the weather. But the most compelling value comes from the humblest smart switches that turn legacy home devices on and off based on preprogrammed parameters.

The race has driven the cost to $4 a pop. Who wouldn’t find it compelling?

Before long, I have a gang of 20 smart switches invaded my home. Is IoT really a blessing?

Well, it is indeed as long as you put safety precautions around it. Otherwise, it can be a curse. According to the SonicWall Threat Report, it is the second most common attack after ransomware.

What makes the IoT devices so vulnerable is the fact the lack of security foundation. Let’s take a look at the smart switch vendors. At $4 a pop, they must rely on open source and unhardened firmware. Once released, it will never patch even when a vulnerability is discovered. Bringing these IoT devices into your environment is like putting a Trojan horse!

The security issue is so dire and the specter of IoT attacks continuing to explode exponentially, many legislative bodies opted to consider legislation strengthening cybersecurity on these IoT devices during the first half of 2021, including UK, US, Australia.

Governments are now involved. Yes, these are not private entities that usually coax the adoption of security measures through standards or best practices. IoT is indeed the new Wild West.

Shouldn’t you also be prepared?

How to secure IoT devices connecting to my network?

So, what steps can you take to make sure all your IoT devices can connect securely to your organization’s network? Here are three questions you should address:

  1. Can my firewall decrypt and scan encrypted traffic for threats?
    The use of encryption is growing both for good and malicious purposes. More and more, we’re seeing cybercriminals hiding their malware and ransomware attacks in encrypted sessions, so you need to make sure your firewall can apply deep packet inspection (DPI) to HTTPS connections, such as DPI-SSL.
  2. Can my firewall support deep packet inspection across all my connected devices?
    Now think of all the encrypted web sessions each IoT device might have. You need to make sure your firewall can support all of them while securing each from advanced cyberattacks. Having only a high number of stateful packet inspection connections doesn’t cut it anymore. Today, it’s about supporting more deep packet inspection connections.
  3. Can my firewall enable secure high-speed wireless?
    OK, this one sounds simple. Everyone says they provide high-speed wireless. But are you sure? The latest wireless standard is 802.11ac Wave 2, which promises multi-gigabit Wi-Fi to support bandwidth-intensive apps. Access points with a physical connection to the firewall should have a port capable of supporting these faster speeds. So should the firewall. Using a 1-GbE port creates a bottleneck on the firewall, while 5-GbE and 10-GbE ports are overkill. Having a 2.5-GbE port makes for a good fit.

So, What’s Next?

VIEW ON-DEMAND WEBCAST

Cybersecurity News & Trends – 09-17-21

/0 Comments/in /by

While the Mid-Year Update to the 2021 SonicWall Cyber Threat Report continues to be recognized as an authoritative source of statistics, the company was also noted in an education piece and a product review for the SonicWall SWS12 switch. In industry news, discussions on launching security for commercial maritime, employees bypassing “inconvenient” security measures, the Nigerian aviation industry is grounded, cyberattackers hit with crypto-sanctions, and OMIGOD is getting more guidance.

SonicWall in the News

The weak points where hackers could hijack the supply chain — The Grocer (U.K.)

  • Like many businesses, the food system runs online – and, increasingly, many operations are from the homes of its workers. Consequently, the industry faces an increasing risk of cyberattack. This vertical market news outlet references the Mid-Year Update to the 2021 SonicWall Cyber Threat Report and SonicWall’s V.P. of Platform Architecture, Dmitriy Ayrapetov, to analyze increasing attacks on the U.K. food supply chain.

IT security for schools: New requirements. Limited resources. Unused funding — All About Security (DACH)

  • Schools have adopted more network mobility, but now they face greater cyberthreats. This report explores SonicWall solutions for schools. It outlines the challenges schools are confronted with in everyday life and how SonicWall can help.

Between blackboard and tablet: IT security in schools — All About Security (DACH)

  • To deliver safe classroom and distance learning experiences, schools need to secure wireless networks, cloud apps, and endpoints while stretching budgets through grants. This report also includes an invitation for readers to participate in an upcoming webinar for educators.

Why open source isn’t free: Support as a best practice — IBM (U.S.)

IoT: An Internet of Threats? — Maddyness (U.K.)

How Nonprofits Can Defend Against Ransomware Attacks — BizTech (U.S.)

Hybrid working: six steps to managing cybersecurity and data privacy risks — Raconteur (U.K.)

  • As pandemic restrictions are eased and staff head back to the office, many will want to continue working from home for part of the week, raising cybersecurity concerns for employers. According to the Mid-Year Update to the 2021 SonicWall Cyber Threat Report, there was a 65% year-on-year increase globally in ransomware attacks.

Using Power over Ethernet to Support Connected Devices — Ed Tech

  • The SonicWall SWS12 switch is mentioned to “handles [PoE management] by adding deep power management to the suite of standard networking configuration options.” This is a good thing. The switch can provide up to 130 watts of power spread across ten ports, and each port can supply up to 30 watts of power.

IBM ships new LTO 9 Tape Drives with greater density, performance, and resiliency — IBM (U.S.)

  • IBM is launching tape drives that give systems more resilience to cyberattack. Additionally, the company has repeatedly cited the Mid-Year Update to the 2021 SonicWall Cyber Threat Report as an example of the marketplace’s need for such products. In this release, they cite the Threat Report, noting ransomware is one of the costlier types of breaches, with an average cost of $4.62M per breach and one of the most common.

Industry News

We Cannot Afford to Wait to Bolster Maritime Cybersecurity — Nextgov

  • This article summarizes the reality of cloud-connected businesses and industries and the cyberthreats they face. With the increased dependence of offshore activities on cyber-enabled systems, the author points out that maritime operations need more secure cybersecurity infrastructure at sea.

New Cybersecurity Challenges as Workers Commonly Bypass Inconvenient Measures — CPO Magazine

  • Working from home blurs lines between personal spaces and corporate security. And this may be why, in a recent survey conducted by Hewlett-Packard’s Wolf Security Division, a surprising 30% of remote workers under the age of 24 who claim that they circumvent or ignore certain corporate security policies when they get in the way of getting work done.

How cyber resilience will reshape cybersecurity – TechRadar

  • Businesses are operating in a world with myriad cybersecurity risks, but many are caught underprepared because they have not developed cyber resilience despite the headlines. The question, therefore, is how do businesses recognize resilience in cybersecurity?

Cryptocurrency launchpad hit by $3 million supply chain attack – Ars Technica

  • SushiSwap’s chief technology officer says a software supply chain attack has hit the company’s MISO platform. The report goes on to point out that an “anonymous contractor” with the GitHub handle AristoK3 and access to the project’s code repository had pushed a malicious code commit that was distributed on the platform’s front end.

Cyberattacks against the aviation industry linked to Nigerian threat actor – ZDNet

  • The investigation began after a Microsoft tweet concerning AsyncRAT. Researchers revealed a lengthy campaign against the aviation sector, starting with an analysis of a Trojan by Microsoft. The operator of the campaign reportedly used email spoofing to pretend to be legitimate organizations in these industries.

U.S. to Target Crypto-Ransomware Payments With Sanctions – The Wall Street Journal

  • The Biden administration hopes to disrupt the digital finance infrastructure that facilitates ransomware cyberattacks, a national security threat traced to Russia. According to people familiar with the matter, sanctions are among an array of actions, making it harder for hackers to use digital currency to profit from ransomware attacks.

FTC warns health apps to notify consumers impacted by data breaches – The Hill

  • The Federal Trade Commission (FTC) voted 3-2 Wednesday that a decade-old rule on health data breaches applies to apps that handle sensitive health information, warning these companies to comply. In addition, the FTC’s new policy statement will clarify the agency’s 2009 Health Breach Notification Rule.

FBI and CISA warn of state hackers exploiting critical Zoho bug – Bleeping Computer

  • TODAY, the FBI, CISA, and the Coast Guard Cyber Command (CGCYBER) warned that state-backed advanced persistent threat (APT) groups are actively exploiting a critical flaw in a Zoho single sign-on and password management solution since early August 2021. Zoho’s customer list includes “three out of five Fortune 500 companies,” including Apple, Intel, Nike, PayPal, HBO, etc.

Mirai Botnet Starts Exploiting OMIGOD Flaw as Microsoft Issues More Guidance – Security Week

  • Microsoft on Thursday published additional guidance on addressing recently disclosed vulnerabilities in the Open Management Infrastructure (OMI) framework, along with new protections to resolve the bugs within affected Azure Virtual Machine (V.M.) management extensions.

Ransomware attackers targeted app developers with malicious Office docs, says Microsoft – ZDNet

  • Hackers linked to ransomware deployments used a recently discovered flaw to target application developers. Microsoft reports how it recently saw hackers exploiting a dangerous remote code execution vulnerability in Internet Explorer through rigged Office documents and targeted developers.

Customer Care Giant TTEC Hit By Ransomware – Krebs on Security

  • TTEC, a company used by some of the world’s largest brands to help manage customer support and sales online and over the phone, is dealing with disruptions from a network security incident resulting from a ransomware attack by Ragnar Locker an aggressive ransomware group.

Free REvil ransomware master decrypter released for past victims – Bleeping Computer

  • A free master decryptor for the REvil ransomware operation has been released, allowing all victims encrypted before the gang disappeared to recover their files for free. Bitdefender created the REvil master decryptor in collaboration with a law enforcement partner.

Email scammers posed as DOT officials in phishing messages focused on $1 trillion bill – Cyberscoop

  • Shortly after Congress took action on a $1 trillion infrastructure bill, hackers posing as U.S. Researchers say that Transportation Department officials offered fake project bid opportunities to seduce companies into handing over Microsoft credentials.

Ransomware encrypts South Africa’s entire Dept of Justice network – Bleeping Computer

  • The justice ministry of the South African government is working on restoring its operations after a recent ransomware attack encrypted all its systems, making all electronic services unavailable both internally and to the public.

In Case You Missed It

Microsoft Security Bulletin Coverage for September 2021

/in /by

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of September 2021. A list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2021-36963 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 214:Malformed-File exe.MP_199

CVE-2021-36955 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 221:Malformed-File exe.MP_203

CVE-2021-36975 Win32k Elevation of Privilege Vulnerability
ASPY 219:Malformed-File exe.MP_202

CVE-2021-38633 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 215:Malformed-File exe.MP_200

CVE-2021-38639 Win32k Elevation of Privilege Vulnerability
ASPY 216:Malformed-File exe.MP_201

CVE-2021-40444 Microsoft MSHTML Remote Code Execution Vulnerability
GAV 25418:CVE-2021-40444_7
GAV 25417:CVE-2021-40444_6
GAV 25414:CVE-2021-40444_5
GAV 25413:CVE-2021-40444_4
GAV 25412:CVE-2021-40444_3
GAV 25390:CVE-2021-40444_2
GAV 25389:CVE-2021-40444_1
GAV 25387:CVE-2021-40444
GAV 25379:CVE-2021-40444.X
GAV 25378:CVE-2021-40444.AB
GAV 25377:CVE-2021-40444.C

Adobe Coverage:
CVE-2021-39836 Acrobat Reader Use After Free Vulnerability
ASPY 217:Malforned-File pdf.MP.490

CVE-2021-39843Acrobat Reader Out-of-bounds Write Vulnerability
ASPY 218:Malforned-File pdf.MP.491

The following vulnerabilities do not have exploits in the wild :
CVE-2021-26434 Visual Studio Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26435 Windows Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2021-26436 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26437 Visual Studio Code Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-26439 Microsoft Edge for Android Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-36930 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-36952 Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-36954 Windows Bind Filter Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-36956 Azure Sphere Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-36959 Windows Authenticode Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-36960 Windows SMB Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-36961 Windows Installer Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-36962 Windows Installer Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-36964 Windows Event Tracing Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-36965 Windows WLAN AutoConfig Service Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-36966 Windows Subsystem for Linux Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-36967 Windows WLAN AutoConfig Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-36968 Windows DNS Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-36969 Windows Redirected Drive Buffering SubSystem Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-36972 Windows SMB Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-36973 Windows Redirected Drive Buffering System Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-36974 Windows SMB Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-38624 Windows Key Storage Provider Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-38625 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-38626 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-38628 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-38629 Windows Ancillary Function Driver for WinSock Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-38630 Windows Event Tracing Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-38632 BitLocker Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-38634 Microsoft Windows Update Client Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-38635 Windows Redirected Drive Buffering SubSystem Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-38636 Windows Redirected Drive Buffering SubSystem Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-38637 Windows Storage Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-38638 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-38641 Microsoft Edge for Android Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-38642 Microsoft Edge for iOS Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-38644 Microsoft MPEG-2 Video Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-38645 Open Management Infrastructure Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-38646 Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-38647 Open Management Infrastructure Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-38648 Open Management Infrastructure Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-38649 Open Management Infrastructure Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-38650 Microsoft Office Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-38651 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-38652 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-38653 Microsoft Office Visio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-38654 Microsoft Office Visio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-38655 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-38656 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-38657 Microsoft Office Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-38658 Microsoft Office Graphics Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-38659 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-38660 Microsoft Office Graphics Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-38661 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-38667 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-38669 Microsoft Edge (Chromium-based) Tampering Vulnerability
There are no known exploits in the wild.
CVE-2021-38671 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-40440 Microsoft Dynamics Business Central Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2021-40447 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-40448 Microsoft Accessibility Insights for Android Information Disclosure Vulnerability
There are no known exploits in the wild.

Atlassian Confluence and Data Center OGNL Injection Vulnerability

/in /by

Overview:

  Atlassian Confluence is a collaboration platform written in Java. Users can create content using spaces, pages, and blogs which other users can comment on and edit. It is written primarily in Java and runs on a bundled Apache Tomcat application server.

  An OGNL injection has been reported in the Webwork module of Atlassian Confluence Server and Data Center. The vulnerability is due to insufficient input validation leading to OGNL evaluation of user-supplied input.

  A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted request to the target server. Successful exploitation can result in arbitrary code execution under the security context of the affected server.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-26084.

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C).

  Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 9.3 (E:F/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is functional.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  Confluence uses the Webwork web application framework to map URLs to Java classes, creating what is known as an “action”. Action URLs end with the “.action” suffix and are defined in the xwork.xml file inside confluence “version”.jar (where “version” is the confluence version number) and in the atlassian-plugin.xml file within the JAR files of the included plugins. Each action entry contains at least a name attribute, defining the action name, a class attribute, defining the Java class implementing the action, and at least one result element which decides the Velocity template to render after the action is invoked based on the result of the action. Common return values from actions are “error”, “input”, and “success”, but any value may be used as long as there is a matching result element in the associated XWork XML. Action entries can contain a method attribute, which allows invocation of a specific method of the specified Java class. When no command is specified, the doDefault() method of the action class is called. The following is a sample action entry for the doenterpagevariables action:

  In the above example, the doEnter() method of the “com.atlassian.confluence.pages.actions.PageVariablesAction” class handles requests to “doenterpagevariables.action” and will return values such as “success”, “input”, or “error”, resulting in the appropriate velocity template being rendered.

  Confluence supports the use of Object Graph Navigational Language (OGNL) expressions to dynamically generate web page content from Velocity templates using the Webwork library. OGNL is a dynamic Expression Language (EL) with terse syntax for getting and setting properties of Java objects, list projections, and expressions. OGNL expressions contain strings combined together to form a navigation chain. The strings can be property names, method calls, array indices and so on. OGNL expressions are evaluated against the initial, or root context object supplied to the evaluator in the form of OGNL Context.

  The container object “com.opensymphony.webwork.views.jsp.ui.template.TemplateRenderingContext” is used to store objects needed to execute an Action. These objects include session identifiers, request parameters, spaceKey etc. TemplateRenderingContext also contains a com.opensymphony.xwork.util.OgnlValueStack object used to push and store objects against which dynamic Expression Languages (EL) are evaluated. When the EL compiler needs to resolve an expression, it searches down the stack starting with the latest object pushed into it. OGNL is the EL used by the Webwork library to render Velocity templates defined in Confluence, allowing access to Confluence objects exposed via the current context. For example, the $action variable returns the current Webwork action object.

  OGNL expressions in Velocity templates are parsed using the ognl.OgnlParser.expression() method. The expression is parsed into a series of tokens based on the input string. The ognl.JavaCharStream.readChar() method, called by the OGNL parser, evaluates Unicode escape characters in the form of “\uXXXX” where “XXXX” is the hexadecimal code of the Unicode character represented. Therefore, if an expression includes the character “\u0027”, the character is evaluated as a closing quote character (‘), escaping the context of evaluation as a string literal, allowing to append an arbitrary OGNL expression. If an OGNL expression is parsed in a Velocity template within single quotes and the expression’s value is obtained from user input without any sanitization, an arbitrary OGNL expression can be injected.

  An OGNL injection vulnerability exists in Atlassian Confluence. The vulnerability is due to insufficient validation of user input used to set variables evaluated in Velocity templates within single quotes. By including the “\u0027” character in user input, an attacker can escape the string literal and append an arbitrary OGNL expression.

  Before OGNL expressions are evaluated by Webwork, they are compared against a list of unsafe node types, and variables names in the “com.opensymphony.webwork.util.SafeExpressionUtil.containsUnsafeExpression()” method. However, arbitrary Java objects can be instantiated without using any of the unsafe elements listed. For example, the following expression, executing an OS command, would be accepted as a safe expression by this method:

  A remote attacker can exploit this vulnerability by sending a crafted HTTP request containing a malicious parameter to a vulnerable server. Successful exploitation can result in the execution of arbitrary code with the privileges of the server.

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The attacker must have network connectivity to the affected ports.

Triggering Conditions:

  An attacker connects to a target server and submits an HTTP request containing a malicious parameter to a vulnerable XWork action. The vulnerability is triggered when the target server processes the XWork action, resulting in the processing of the malicious request parameter.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP, over port 8090/TCP

SonicWall’s, (IPS) Intrusion Prevention System, provides protection against this threat:

  • IPS: 15673 Atlassian Confluence Server Webwork OGNL injection 1

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Upgrading the product to a non-vulnerable version.
    • Filtering attack traffic using the signature above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

Cybersecurity News & Trends – 09-10-21

/0 Comments/in /by

Global news outlets and bloggers continue to reference the Mid-Year Update to the 2021 SonicWall Cyber Threat Report and celebrate our 30th anniversary. Meanwhile, in industry news, the perfect ransomware victim, the biggest DDoS attack in history, phishing attacks are more numerous than we thought, the “FudCo” empire expands, hackers use our brains against us, and REvil has reappeared.

SonicWall in the News

What makes the perfect ransomware victim? — FinTech Global (U.K.)

  • Report about Kela, a cybersecurity company in the U.K. that studied profiles of victims of significant ransomware attacks. The report named the Mid-Year Update to the 2021 SonicWall Cyber Threat Report as it noted how the number of ransomware attacks in 2021 outperformed the entire year of 2020.

The Rise in Ransomware: HAUSER Insurance Wants You to Know the Risks — American Reporter

  • This report asks, “Are we actually seeing an increase in ransomware attacks, or are they just becoming more high-profile? According to experts, the answer is both. The Mid-Year Update to the 2021 SonicWall Cyber Threat Report shows that ransomware attacks rose by 62% worldwide and 158% in North America alone between 2019 and 2020.

Tips for SMEs: What to do in the event of a ransomware attack — ITUser (Spain)

  • According to Excem, small and medium-sized companies are particularly vulnerable to ransomware attacks as they do not have sufficient human, technological and financial resources to protect themselves.

The Rise of Ransomware and How the Education Sector Can Protect Itself — FENews (U.K.)

SonicWall turns 30 — Computing Es (Spain)

  • The cybersecurity veteran reflects on the vision, people, technology, customers, and partners that have shaped the company over three decades. In addition, the report mentions SonicWall’s celebrated legacy of product innovation, channel-based DNA, and cybersecurity innovations.

SonicWall celebrates three decades of innovation as a 100% channel company — ITReseller (Spain)

  • The report quotes Bill Conner, president and SEO of SonicWall: SonicWall has demonstrated over three decades that its mission is to ensure the long-term success of its customers, partners and employees.

SonicWall, three decades of cybersecurity innovation — Newsbook

  • SonicWall just celebrated 30 years in the cybersecurity market. Three decades dedicated to security innovation to tackle digital criminals.

Cybersecurity pioneer celebrates three decades of innovation — CyberSecurity

  • Cybersecurity veteran reflects on the vision, people, technology, customers and partners that have shaped the company over three decades.

Stellar Cyber: Partners with SonicWall for Advanced Prevention, Response — MarketScreener (U.S.)

  • Partnership delivers seamless integration between advanced prevention technology from SonicWall and AI-powered detection and automated response technology from Stellar Cyber.

SonicWall has been an attractive partner for the channel for 30 years — Infopoint Security (DACH)

  • The article reports on the development of the SonicWall Partner Programme, the SonicWall University, and the SonicWall MSSP Programme.

Industry News

Russia’s Yandex says it repelled biggest DDoS attack in history — Reuters

  • Russian tech giant Yandex reported “the largest known distributed denial-of-service (DDoS) attack in the history of the Internet.” The attack began in August and peaked on Sept 5, with more than 22 million requests per second sent to the company’s servers.

South African Justice Department Is Hit by Ransomware Attack — Bloomberg

  • South Africa’s Justice Department said its systems were attacked by a ransomware campaign earlier this week. All of the department’s information systems were encrypted and unavailable.

Russian cybercrime continues as government-backed attacks on companies dwindle, CrowdStrike says — Cyberscoop

  • The Russian approach to hacking shifted considerably over the past year, with state-sponsored attacks on commercial organizations dropping off even as the local cybercrime scene dominated the field, CrowdStrike said in a report Wednesday.

Ukrainian extradited to U.S. for allegedly selling computer credentials: DOJ — The Hill

  • The Department of Justice (DOJ) announced Wednesday that a Ukrainian hacker was extradited to the U.S. for allegedly selling computer passwords on the dark web. If convicted, Ivanov-Tolpintsev faces up to 17 years in federal prison.

U.S. Gov Seeks Public Feedback on Draft Federal Zero Trust Strategy — Security Week

  • THIS WEEK, the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) and the Office of Management and Budget (OMB) announced they are seeking public feedback on draft zero-trust strategic and technical documentation.

SideWalk Backdoor Linked to China-linked Spy Group’ Grayfly’ — Threat Post

  • Grayfly campaigns have launched the novel malware against businesses in Taiwan, Vietnam, the U.S. and Mexico and target Exchange and MySQL servers. The attack revealed a “novel backdoor technique” that security experts dubbed “SideWalk.”

Microsoft: Attackers Exploiting Windows Zero-Day Flaw — Krebs on Security

  • Microsoft warned that attackers are exploiting a previously unknown vulnerability in Windows 10 and several Windows Server versions. The attack seizes control over P.C.s when users open a malicious document or visit a booby-trapped website.

Phishing attacks: One in three suspect emails reported by employees really are malicious — ZDNet

  • Up to a third of emails that were flagged as suspicious by employees were actually a threat, according to a new report released by F-Secure, an I.T. security company based in Finland. The analysis involved more than 200,000 emails during the first half of 2021.

Ransomware gang threatens to leak data if victim contacts FBI, police — Bleeping Computer

  • The Ragnar ransomware group is warning that they will leak stolen data from victims that contact law enforcement authorities. Ragnar previously hit prominent companies with ransomware attacks, demanding millions of dollars in ransom payment.

CISA Issues Guidelines on Choosing a Managed Service Provider — Security Week

  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued new guidelines for government and private organizations to consider when looking to outsource services to a Managed Service Provider (MSP).

Dallas school district admits SSNs and more of all employees and students since 2010 accessed during security incident — ZDNet

  • If you were a student, employee or contractor of The Dallas Independent School District between 2010 and the present, your personal data was likely downloaded by an “unauthorized third party.”

Tech Industry Seeks Bigger Role in Defense. Not Everyone Is on Board — The Wall Street Journal

  • Tech-industry leaders are pushing the Pentagon to adopt commercially developed technologies on a grand scale to counter the rise of China. This initiative could transform the military and the multibillion-dollar defense-contracting business.

“FudCo” Spam Empire Tied to Pakistani Software Firm — Krebs on Security

  • In May 2015, KrebsOnSecurity briefly profiled “The Manipulators,” the name chosen by a prolific cybercrime group based in Pakistan that was very publicly selling spam tools and a range of services for crafting hosting and deploying malicious email. Six years later, a review of the social media postings from this group shows they are prospering. Brian Krebs reports.

Howard University shuts down network after ransomware attack — Cyberscoop

  • In Washington, the private Howard University disclosed that it suffered a ransomware attack late last week and is currently working to restore affected systems.

New Zealand banks, post office hit by outages in apparent cyberattack — Reuters

  • Websites of several financial institutions in New Zealand and its national postal service were briefly down on Wednesday, with officials saying they were battling a cyberattack.

How Hackers Use Our Brains Against Us — The Wall Street Journal

  • Cybercriminals take advantage of the unconscious processes that we all use to make decision-making more efficient. Blame it on our “lizard brains.”

Notorious Russian Ransomware Group ‘REvil’ Has Reappeared — Bloomberg

  • After vanishing this summer, the infamous criminal ransomware group behind the JBS SA cyberattack has returned to the dark web.

Juniper Breach Mystery Starts to Clear With New Details on Hackers and U.S. Role — Bloomberg

  • Tech company installed a flawed NSA algorithm that became a perfect example of the danger of government backdoors.’

Guntrader breach perp: I don’t think it’s a crime to dump 111k people’s details online in Google Earth format — The Register

  • A “pseudonymous person” reformatted Guntrader hack data as a Google Earth-compatible CSV and said they are prepared to go to prison, denying their actions are a criminal offense.

In Case You Missed It

IoT Devices: If You Connect It, Protect It

/0 Comments/in /by

7 “Smart” Steps to secure and protect your Home Network

A refrigerator that tells you there was a power outage — and whether it lasted long enough to spoil your food. Doorbells show you who’s at the door and allow you to communicate with them from across the country. Home medical devices that can collect data and transmit it directly to your doctor.

Present in countless applications, smart devices have revolutionized the way we live and work. Smart devices are a subset of a larger group of internet-connected products known as IoT (Internet of Things) devices. These devices can be controlled remotely, usually through a smartphone app or webpage, and send and receive data without human intervention.

In the 20 years since the term got wide usage, the number and scope of IoT devices have grown tremendously. According to Security Today, from 2018 through 2020, IoT devices jumped from 7 billion to 31 billion, with 127 new IoT devices coming online each second.

By 2020, IoT technology is expected to be present in the designs of 95% of new electronics products. And over the next five years, the number of connected devices is forecasted to climb to 41.6 billion and generate a mind-boggling 79.4 ZB of data (for reference, the entirety of the World Wide Web, as it existed in 2009, was estimated to be less than a half a ZB.)

Smart devices introduce conveniences unthinkable a decade ago. But unfortunately, they also bring a new set of risks that could endanger your privacy and your data, your other devices, and even other connected networks.

For starters, there’s currently no standard for securing IoT devices — companies are free to put as much or as little security in their products as they want. Even when vulnerabilities are discovered, many devices are not updated because their cost is too low, or there is no way to update them. When are updates are available, they’re never pushed out, or customers never hear about them. In all, IoT devices are open to wide exploitation.

However, there are several other risks related to the way people use these devices. Many users believe they don’t have the time or expertise to secure their IoT devices adequately — and that, because they’re not a large business or high-profile individual, they’re unlikely to be targeted.

But work statistics since COVID-19 has changed all that. According to Global Workplace Analytics, 25-30% of the American workforce now works from home. That means cybercriminals increasingly see remote employees’ home networks — especially poorly secured IoT devices that connect to them — as a back door to compromise corporate networks with lower chances of detection.

According to the mid-year update to the SonicWall 2021 Cyber Threat Report, cybercriminals have taken advantage of the increasingly distributed data landscapes. Not only have they increased the frequency of their attacks, but they’ve also expanded how they attack. As a result, ransomware attacks sharply rose to 304.6 million in 2020, up 62% over 2019. And the attacks increased to 226.3 million through May of 2021 — up 116% year-to-date over 2020.

While you can’t necessarily avoid being targeted, you can significantly decrease your odds of compromise by taking these 7 “smart” steps for better cybersecurity:

  1. Safeguard Your Router. By default, Routers are accessible with a simple password like “admin” — or no password — and are easily accessible to cybercriminals. Another risk flag is when users do not change the default Wi-Fi network name (or SSID), thus revealing the brand of the router. All a would-be hacker has to do is search default settings. Ditching the default settings go a long way toward increasing security.
  2. Stay Up to Date. Many devices offer the option to receive updates for firmware, vulnerability/bug fixes and more automatically. If this option is not enabled by default, turn it on. In cases where you must perform updates manually, make a note on your calendar to remind you to check for them regularly.
  3. Buy from the Best. Stick with companies known for prioritizing security in their offerings. These established brands are also more likely to push updates and patch vulnerabilities.
  4. Be Password Savvy. Password protection is significantly less effective when you use the same email and password combo for multiple accounts. If any of these accounts are breached, you’ve put your entire online existence at risk — and in the case of IoT devices connected to corporate networks, your company’s existence is at risk as well. With the advent of password managers, which assign a different password for each account and remember them for you, there’s no excuse to be lazy with credential hygiene.
  5. Leverage Two-Factor Authentication. With two-factor authentication (2FA), you’re offered the security of the traditional credential-based sign-in, plus an added layer of protection in the form of a code that is sent to a separate device and must be entered into the original app. With 2FA, even if the login credentials are compromised, the account won’t be accessible unless the attacker also has access to the secondary device.
  6. Divide and Conquer. Many popular routers provide a feature to create a secondary guest Wi-Fi access to your router. The guest Wi-Fi feature allows internet access without granting access to the full home network (and your computers, hard drives, etc.). Use Guest settings to isolate less-secure Wi-Fi connected smart home devices (and the malware that might infect them).
  7. Do I Need This? No matter how secure a smart device is, it can never match the safety and privacy of a non-internet-enabled device. Before purchasing a new smart device, ask yourself if the increased risk is worth adding convenience and features. If you’re likely to use the smart features only occasionally or not at all, opt for the non-smart device.

The network of connections created by the Internet of Things creates opportunities and challenges for individuals and businesses. SonicWall encourages everyone to be smart about smart devices and assume the responsibility of maintaining the health of their home network. Cybersecurity is everyone’s business. By being diligent, we can ensure the security of our home networks and anywhere else our connections may take us.

The Halfway Point: How Cybercrime Has Impacted Government in 2021

/0 Comments/in , /by

In August, the bipartisan U.S. Senate Committee on Homeland Security and Government Affairs released an update on the state of cybersecurity among federal agencies. The report, “Federal Cybersecurity: America’s Data Still at Risk,” noted that, even two years after a similar 2019 report revealed glaring cybersecurity shortcomings, there were still countless areas of concern.

Cybercriminals have always had an incentive to launch cyberattacks on the federal government, such as obtaining national secrets, disrupting a country’s operations at the highest possible level, and influencing politics. But now that they’ve been put on notice — twice — that launching a successful cyberattack might be far easier than they imagined, it’s no wonder we’ve seen attacks on federal, state and local governments rise at a pace far exceeding other industries.

Ransomware

As reported in the mid-year update to the 2021 SonicWall Cyber Threat Report, ransomware for the first half of 2021 increased an unprecedented 151% overall. But the increase in attacks for federal, state and local governments was actually much higher.

In the first half of 2020, there were 4.4 million attacks against government customers. During the same period in 2021, that number had risen to 44.6 million — a staggering 917% increase, the largest jump of any industry examined by SonicWall. 

As if having government data encrypted wasn’t bad enough, many of these attacks employed a tactic known as double extortion in order to increase the likelihood the targets would pay. In such attacks, cybercriminals exfiltrate large quantities of data before encrypting files and issuing a ransom demand. Then, they use the threat of releasing this sensitive data as a sort of “insurance policy” in case the target has followed best practices such as keeping up-to-date backups, etc.

One such incident, in April 2021, targeted the Washington, D.C., police department. In this attack, the ransomware group threatened to share data about informants and other such sensitive information with local gangs if the department failed to pay the ransom demand.

A similar attack targeted the Illinois Attorney General’s Office. In February 2021, a state audit had warned the office that it lacked adequate cybersecurity protections. But the department failed to heed the recommendations, and two months later a ransomware group launched a double extortion attack, with some of the stolen data eventually posted online.

Cybercriminals have since evolved the malicious tactic to triple extortion, where payment is demanded from customers, partners and other third parties.

The number of ransomware attempts per customer remained far higher for government than for any other industry.

Cryptojacking

Very few cryptojacking incidents made the headlines in 2021. This is unsurprising for a couple of reasons: first of all, anyone targeting the federal government is likely to find much more profit in demanding ransom or stealing data than in mining cryptocurrency. Secondly, illegal mining’s impact on the government in 2021 hasn’t been nearly as newsworthy as government’s impact on mining. (In fact, bans on mining in China, Iran and elsewhere are largely cited as one of the reasons cryptocurrency prices fell from their record highs in April.)

Still, the numbers don’t lie, and according to SonicWall’s threat data for the first six months of 2021, the volume of attacks on federal, state and local governments isn’t just up — it’s way up.

Across all industries, the number of cryptojacking attacks in the first half of 2021 rose 23% year to date. But for government customers, cryptojacking attack volume rose a whopping 329%.

IoT Attacks

In August, CISA issued an advisory about a public report detailing vulnerabilities in multiple real-time operating systems (RTOS). Known as “BadAlloc,” the report details a number of vulnerabilities in IoT devices that affect “a variety of sectors for every aerospace, robotics [and] rail industrial control system,” according to Vincent Sritapan, Cyber Quality Service Management Office Chief at CISA.

Unfortunately, attacks on similar systems have already been occurring. In February, an attacker took control of the Oldsmar, Fla., water supply, increasing the amount of sodium hydroxide, or lye, in the water to 110 times normal levels.

SonicWall threat research data indicates that IoT attacks on federal, state and local governments are rising — but the good news is that they seem to be rising more slowly than attacks as a whole. While the number of IoT attacks recorded overall in the first half of 2021 rose 59% year over year, for government customers, attack volume rose only 17% — not good news, per se, but better than it could be considering this attack type’s potential for disruption.

While it’s too early to say what the second half of 2021 will hold for government customers, a lot of it will depend on how federal, state and local governments and agencies respond to warnings like the one issued in August. If we see renewed efforts among these organizations to adhere to cybersecurity best practices, some of these trends may begin to slow or even reverse.

Otherwise, we’re likely to see an increase in the sorts of attacks that have dominated headlines recently, as cybercriminals increasingly shift to targeting the biggest game of all.

In the meantime, you can access all of SonicWall’s first-half threat data — including location-specific information and data on other industries and threat types — by downloading the mid-year update to the 2021 SonicWall Cyber Threat Report.