Cybersecurity News & Trends

News outlets continue quoting the Mid-Year Update to the 2021 SonicWall Cyber Threat Report.  Meanwhile, SonicWall’s The Year of Ransomware report catches attention with third-quarter data: a 148% surge in global ransomware attacks making 2021 the worst year ever recorded. In industry news, hackers launch SEO poisoning, Microsoft launches a cybersecurity job campaign, U.S. cyber teams take down REvil, and Russian hackers hide behind American home Wi-Fi networks.


SonicWall in the News

‘The Year of Ransomware’ Continues with Unprecedented Late-Summer Surge

AIThority: Citing SonicWall’s “The Year of Ransomware” report, there was a 148% surge in global ransomware attacks (495 million) year to date. The third-quarter surge makes 2021 the worst year SonicWall has ever recorded.

The World Is Now Facing a Spate of Coordinated Cyber Attacks

Telecom TV: Ransomware incursions have reached “pandemic levels” while old-fashioned DDoS attacks still pack a punch. Meanwhile, “never-before-seen” malware variants are emerging every day, according to a recent cyber threat report from SonicWall. The author goes on to name SonicWall “the world’s most quoted expert on ransomware.”

Unprecedented and Coordinated Cyber Attacks

National Security News: An “unprecedented” and “coordinated” spate of cyberattacks is hitting many U.K. VoIP services. So says the Comms Council in the U.K. There have been 495 million known ransomware attacks perpetrated so far this year, according to a recent threat report from SonicWall titled “The Year of Ransomware.”

Thwarting Phishing Threats with Simulations

Security Boulevard: Social engineering schemes continue to flourish, making their way into company inboxes with the intent to mislead employees into downloading malicious software. How likely is this to happen to your company? According to SonicWall, there was a record-high 304.7 million ransomware attacks in the first half of 2021. So the short answer is, it’s very likely.

How Safe is the U.K. From Cybercrime?

TechMonitor: The U.K. comes fifth in a new global ranking that combines five cybersecurity and anti-money laundering protections indices. The author notes the growing importance of countering phishing and ransomware attacks, significantly as the latter has increased by 151% in the first half of 2021, from the same period in 2020, according to the mid-year update on SonicWall’s Cyber Threat Report.

The Invisible War

Handelsblatt (Germany): An outstanding article in one of Germany’s most important daily newspapers mentions SonicWall as an expert in cybersecurity and quotes the 2021 Cyber Threat Report Mid-Year Update. The authors cite several vital stats from the report to explain the rise of various threats that have weakened cybersecurity throughout the world. The article appeared online and in the print issue of the publication.

How to Create a Relevant Cybersecurity Strategy

Accounting Web (U.S.): Using SonicWall’s Mid-Year Update on the 2021 Cyber Threat Report, the author illustrates the sharp rise in cybersecurity attacks. The article is mostly about how CPAs and other accounting professionals play a crucial role in protecting financial data. However, the author also provides an overview of the most common cyberattacks, such as malware and phishing, and offers tips on making sure your organization has the proper protections in place.

‘Clumsy’ BlackByte Malware Reuses Crypto Keys, Worms into Networks

Dark Reading (U.S.): A unique malware named “BlackByte” was discovered during a recent incident response engagement. The malware reportedly avoids Russian computers and uses a single symmetric key for encrypting every compromised system. Additionally, the report cites SonicWall’s “Cyber Threat Report: Mid-Year Update” and notes that the number of ransomware attacks in the first half of the year rose 150% to almost 305 million.


Industry News

Ransomware Gangs Use SEO Poisoning to Infect Visitors

Bleeping Computer: SEO poisoning, also known as “search poisoning,” is an attack method that relies on optimizing websites using ‘black hat’ SEO techniques to rank higher in Google search results. Due to their high ranking, victims who land on these sites believe they are legitimate, and actors enjoy a heavy influx of visitors who look for specific keywords. According to this story, two campaigns have surfaced recently. One is linked to Gootloader and the other to the SolarMarker backdoor. Most campaigns deploy SEO poisoning payloads via PDFs that drop the malware into the victim’s device. Additionally, threat actors use redirects to prevent their sites from being removed from search results. Adding to the problem, threat actors also hacked the Formidable Forms plugin found on many WordPress websites.

Microsoft Launches Campaign to Fill 250,000 Cybersecurity Jobs

Axios: Microsoft announced Thursday that it’s launching a national campaign to help fill 250,000 cybersecurity jobs in the U.S. by 2025, including providing a free curriculum to every public community college. The company’s president Brad Smith warned that the current workforce shortage is at crisis levels and threatens to undermine the country’s ability to protect itself against cyber and ransomware attacks.

U.S. to Create Diplomatic Bureau to Lead Cybersecurity Policy

Dark Reading: Plans are underway to revitalize the State Department and make cybersecurity a core priority with the addition of 500 new civil service positions, a 50% increase in its information technology budget, and the creation of the Bureau of Cyberspace and Digital Policy, officials have announced.

Ransomware Hackers Freeze Millions in Aid for Papua New Guinea

Bloomberg: The government’s payment system was locked by attackers last week. Hackers demanded payment from the nation hard hit by Covid-19. While government officials restored the system, they claimed they did not pay a ransom.

Martin County Tax Collector’s Possibly Hit by Ransomware Attack

WPTV News: A possible ransomware attack may have caused a lengthy closure of the Martin County Tax Collector’s offices for nearly two weeks. The Florida county office has been sending residents to a nearby county for help with processing payments. WPTV news investigated the incident when county officials did not explain the lengthy “network problems” they were experiencing.

Avista Warns Customers of Ransomware Attack

KXLY News: Avista, the chief energy provider for the Pacific Northwest, announced that one of its energy efficiency vendors was the target of a ransomware attack earlier this month. The company said it doesn’t believe any of its customers’ sensitive information was compromised. However, the company also noted that hackers got access to customers’ email addresses, utility numbers, service addresses and energy usage.

Feds Take Down Top Ransomware Hacker Group REvil

The Verge: The government has successfully hacked the hacking group REvil, the entity behind the ransomware that’s been linked to leaked Apple leaks, attacks on enterprise software vendors, and more, according to a report from Reuters. The outlet’s sources tell it that the FBI, Secret Service, Cyber Command, and organizations from other countries have worked together to take the group’s operations offline this month. In addition, the group’s dark web blog, which exposed information gleaned from its targets, is also reportedly offline.

Russian Hackers Reportedly Hid Behind Americans’ Home Networks to Mask Their Activities

Gizmodo: In case you missed it, the “SolarWinds” hackers are back. A recent report from Microsoft researchers shows that certain cyber-spies—believed to be members of Russia’s Foreign Intelligence Service—have been targeting droves of American tech firms with a new hacking campaign. According to Microsoft and other sources, Russian military hackers used weaknesses in home WiFi networks to wage hacking campaigns against high-level American targets.


In Case You Missed It

Apache Httpd Traversal Vulnerability

Overview:

  The Apache HTTP server is the most popular web server used on the Internet. The server is capable of being utilized with many different options and configurations. A wide variety of runtime loadable plug-in modules can be used to extend its functionality.

  A directory traversal vulnerability exists in Apache httpd. The vulnerability is due to improper normalization of paths in the request URI.

  A remote attacker could exploit the vulnerability by sending a crafted HTTP request to the target server. Successful exploitation would result in disclosure of the content of files outside the expected document root, or in the worst case, execution of arbitrary code under the security context of the server process.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-41773.

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C).

  Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 9.3 (E:F/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is functional.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  When httpd receives an HTTP request, it is handled by the ap_process_async_request() function. The request data is processed by the ap_process_request_internal() function. This function normalizes the path submitted in the request URI by calling the ap_normalize_path() function. This function normalizes the path submitted by decoding URL-encoded characters, collapsing multiple slash (‘/’) characters, and interpreting “../” by traversing to the parent directory in the path.

  After the normalization function, the ap_run_translate_name() function is called, which calls translate_alias_redir(). This function calls try_alias_list(), which looks up any ScriptAlias entries in the httpd server configuration file that match the request URI. If a match is found, apr_filepath_merge() is called, which merges the server root path with the normalized path. The merged path is later saved to the filename field of the request_rec structure. Next, access permissions are checked by calling ap_run_access_checker_ex(), which looks up the appropriate Require entries in the httpd server configuration.

  If access is allowed, the appropriate handler is invoked for processing the request. If the request URI path begins with “/cgi-bin/”, and the mod_cgi module is enabled in the server configuration, the cgi_handler() function is called to handle the request. This function uses the filename field of the request_rec structure to build an OS command and runs the command in a child process. Then, the HTTP POST request data submitted is sent to the created process as input.

  A directory traversal vulnerability exists in Apache httpd. The vulnerability is due to a flaw in the normalization of the path submitted in the URI of HTTP requests. The ap_normalize_path() function attempts to resolve “../” sequences in the path by traversing to the parent directory. However, if the second dot character (‘.’) in a “../” sequence is URL-encoded (i.e. “.%2e/”), the “../” sequence will not be interpreted and the sequence will remain in the normalized path. When this path is later merged with the server root path using the apr_filepath_merge() function, the resulting path saved to the filename field of the request_rec structure could traverse beyond the server root path. If access is granted to the server’s root directory and the mod_cgi module is enabled, an arbitrary executable on the server can be called, leading to arbitrary code execution.

  A remote attacker could exploit this vulnerability by sending a request with a crafted URI to the target service. Successful exploitation could lead to exposure of the contents of arbitrary files on the server. If the mod_cgi module is enabled, exploitation could lead to execution of arbitrary code on the target server.

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The attacker must have network connectivity to the affected ports.
  • Permissions must be granted to the server’s root directory in the httpd.conf configuration file.
  • Arbitrary code on the target server, the mod_cgi module must be enabled in the httpd.conf configuration file.

Triggering Conditions:

  The attacker sends an HTTP request with a maliciously crafted URI path. The vulnerability is triggered when the server attempts to process the HTTP request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP, over port 80/TCP
    • HTTPS, over port 443/TCP

  Http Request:

  

  Http Request In Text:

  

  Password File:

  

SonicWall’s, (IPS) Intrusion Prevention System, provides protection against this threat:

  • IPS: 2140 Web Application Directory Traversal 48

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Applying the vendor-supplied patch to eliminate this vulnerability.
    • Filtering traffic based on the signature above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

PowerShell script that steals email addresses from Outlook

SonicWall Threats Research team has observed an obfuscated batch(BAT) file inside an archive which is delivered to the victim’s machine as an email attachment. The BAT file executes a PowerShell script which steals and sends email addresses from Outlook contacts:

 

BATCH SCRIPT:

The batch script contains a PowerShell cmdlet which communicates over HTTPS to execute remote PowerShell script:

 

PowerShell SCRIPT:

The PowerShell script is responsible for stealing and sending Outlook contacts email addresses to the remote machine.

The PowerShell script checks for the presence of file ‘$env:APPDATA\Microsoft\.Outlook’ , to ensure its single execution for a machine. If the file is already present then this script does not execute:

 

The PowerShell script enumerates outlook contacts and retrieves their email addresses to add them in a global list. However the code won’t work as it needed correction in the variable name and a property field as highlighted in the below snippet:

 

 

The stolen email addresses are sent to the remote machine at “https://puwq9m8p.educabrasil.live/gravadados.php?lista=”:

 

Unavailability of the archive file in any of the popular threat intelligence sharing portals like the VirusTotal and the ReversingLabs indicates its uniqueness and limited distribution:

 

Evidence of detection by RTDMI ™ engine can be seen below in the Capture ATP report for this file:

Cyber Threat Alert: Ransomware Breaks Another Record

As the ‘Year of Ransomware’ roars on, SonicWall observes 3rd Quarter with another unprecedented, record-breaking surge in attacks.

In July 2021, SonicWall released its widely quoted Mid-Year Update to the 2021 SonicWall Cyber Threat Report with alarming news of the sharp rise in ransomware and other malicious attacks. We’re back again with more data and a message: ransomware’s rise has not slowed.

This year was already proving to be the most active year for cyberattacks on record. After posting a groundbreaking 188.9 million ransomware attacks in the second quarter of 2021, SonicWall Capture Labs threat researchers have found that ransomware attacks broke another record of 190.4 million in the third quarter. The total 495.1 million ransomware attacks represent a 148% year-to-date increase over 2020, making 2021 the most costly and dangerous year on record.

A Nearly Unimaginable Upward Trend

The 190.4 million ransomware attacks in the third quarter is the highest ever recorded by SonicWall. Additionally, the statistic nearly eclipses the 195.7 million total ransomware attacks recorded during the first three quarters of 2020.

“As we see it, ransomware is on a nearly unimaginable upward trend, which poses a major risk to businesses, service providers, governments and everyday citizens,” SonicWall President and CEO Bill Conner said in the official release.

Despite movements to secure cyber infrastructures from respective national governments, the U.K. has seen a 233% surge in the number of ransomware attacks, and the U.S. has witnessed a 127% year-to-date increase.

Cyberattacks: A Severe Global Crisis

The sheer volume of attacks illicit words like “global crisis,” “ruthless,” and “a significant national security threat.” Yet, many people appear to be determined to restore a sense of normalcy while this severe global crisis roils on.

“Cybercriminals have never let up, driving ransomware campaigns to record numbers through the first three quarters of 2021,” said Conner. “These criminal organizations will continue to launch highly sophisticated cyberattacks that are designed to target organizations and business with weak or lax security controls.”

A summary of SonicWall Q3 2021 findings:

  • 148% surge in global ransomware attacks in 2021, the worst year SonicWall has ever recorded
  • 714 million ransomware attacks predicted by the close of 2021
  • 1,748 ransomware attempts per customer through the third quarter
  • 33% rise in IoT malware globally; upticks in North America and Europe
  • 21% increase in cryptojacking with massive 461% growth across Europe

Another Growing Concern: Increases in Unique Malware Variants

Amid the stats, there is another reason for concern: SonicWall Real-Time Deep Memory InspectionTM discovered 307,516 never-before-seen malware variants during the first three quarters of 2021 — a 73% year-to-date increase. That’s an average of 1,126 new malware variants discovered each day in 2021.

The rise in variants points to maturation in cybercriminals ability to rapidly diversify the tactics they use to attack organizations, their networks and their users. Coupled with a constant flood of cyberattacks, businesses and individuals will find it increasingly difficult to protect themselves with old or expired cybersecurity technology.

Patented RTDMI™ technology is part of the cloud-based Capture Advanced Threat Protection (ATP) sandbox service. Among several patented innovations, RTDMI leverages memory inspection and CPU instruction-tracking with machine-learning capabilities. As a result, the system efficiently recognizes and mitigates cyberattacks, including threats that do not initially show malicious behavior.

The Grace Period Has Come to an End

All told, SonicWall logged 1,748 ransomware attempts per customer through the third quarter. From another perspective, this is the equivalent of 9.7 ransomware attempts per customer per business day. With the increased ability to diversify their means of attack, criminals have a growth business on their hands.

“The real-world damage caused by these attacks is beyond anecdotal at this point. It’s a serious national and global problem that has already taken a toll on businesses and governments everywhere,” said Conner.

With a predicted 714 million ransomware attacks by the end of the year, the grace period for companies and individuals to increase their protections and change their behavior has come to an abrupt end.

“The techniques deployed by ransomware actors have evolved well beyond the smash-and-grab attacks from just a few years ago,” said SonicWall Vice President of Platform Architecture Dmitriy Ayrapetov. “Today’s cybercriminals demonstrate deliberate reconnaissance, planning and execution to surgically deploy toolchains targeting enterprise and government infrastructure. This results in larger victims and leads to higher ransoms.”

Squid Game themed Android malware hides SpyNote spyware

The series Squid Game has been a global phenomenon in the last few weeks and malware writers are using this popularity as a means to spread their malicious creations. We have started seeing numerous malicious Android apps use the name and icons of Squid Game. One of the highlights was SpyNote that has been masquerading as popular Android apps.

We have reported previously about the android spyware SpyNote that masquerades itself as popular applications. It uses the popularity of these apps to spread the infection and in this case its using the popularity of Squid Game to do the same.

 

  • Application Name: Squid Game Fake Call 1
  • Package Name: cmf0.c3b5bm90zq.patch
  • MD5: 785a9475c1088a798512ca6ab6d8b0f1

The app requests for a large number of suspicious permissions for a application that does ‘Fake Call’:

 

SpyNote requests for accessibility services and device admin privileges once installed and executed:

Spynote can install a legitimate apk present in the resources – res/raw/google.apk. It uses this to list a legitimate accessibility services entry when executed.

 

Upon execution the icon disappears from the app drawer but in the background the malware starts performing malicious actions. Few functionalities are listed below:

  • The app checks the applications installed on the device:

 

  • It uses hardcoded server address and port number and later communicates using sockets:

 

  • We identified multiple malicious apk’s that are linked to this campaign as they communicate with the same server, below VirusTotal graph highlights this:

 

  • It captures details about the device which can be used by the perpetrators to identify the victim and gather additional details. Following was identified:
    • Device manufacturer
    • Device model
    • OS version
    • SIM
    • Wifi
    • Bluetooth
    • Location

 

  • It has access to call logs and can make calls from the infected device:

 

SpyNote has been known to masquerade as popular Android apps. It is good at selecting trending topics and modifying the malware look and feel to mimic on such topics. We anticipate more malware writers to follow this trend and use the popularity of Squid Game to spread malware.

 

Sonicwall Capture Labs provides protection against multiple threats associated with this campaign using the signatures listed below:

  • AndroidOS.SpyNote.GN
  • AndroidOS.SpyNote.PT
  • AndroidOS.SpyNote.SP
  • AndroidOS.SpyNote.SC

Why Cybersecurity Must be First

If you think that cybersecurity is something that only people who manage data centers need to worry about, you’d better think again.

The reasons why cybersecurity first should resonate with everyone is all over the news. Ransomware attacks rose to 304.6 million during the first six months in 2020, up 62% over 2019, according to our own widely quoted Mid-Year Update on the 2021 SonicWall Cyber Threat Report.

And ransomware volume continues to break records. Through the first three quarters of 2021, SonicWall Capture Labs recorded another historical 148% spike for the year-to-date. Through September 2021, we’ve seen more than 495 million ransomware attempts globally.

Again, much of this rise is credited to the highly distributed workforces caused by the pandemic. However, these stats point to an underlying weakness in cybersecurity, and it’s all about OUR behavior.

Skipping Security, Raising Risk

Working from home blurs the lines between personal space and corporate security. A recent story in CPO Magazine revealed that a shocking 30% of remote workers who consider themselves IT professionals say that they circumvent or ignore corporate security policies when they get in the way of getting work done.

Another surprise: 91% of survey participants agreed that they felt pressure to compromise security for productivity, with 76% saying that sometimes security had to take a backseat to business needs. But then, 83% of the respondents admitted that these attitudes had created a “ticking time bomb” for a breach. And these are people who should know the risks very well.

Why does it matter?

Times have changed. The criminals are out there in droves. They are motivated by profit, and they want your data and, ideally, your money too. Unfortunately, our primary means of communication – text, email, instant messaging – make everyone accessible targets. Those of us who don’t know the basics of security, or worse yet, ignore security measures, are the ones who are putting everyone else at risk.

Bottom line, if you’re not making security a priority today, a hacker will come along – eventually – and help change your mind. The new generation of hackers are bold, and they know that people are the weakest link and they’re ready to attack.

Cybersecurity is everyone’s business.

There’s an expectation in polite society for people to think about good manners and hygiene. This is because such rules make it easier for everyone to feel comfortable in social situations. So when we follow social hygiene rules – like washing hands and covering our mouths when we cough or sneeze – we convey expectations on social quality.

Odd then that we don’t think about good manners and hygiene when it comes to using computers and our digital devices. Think about people who do things like let their antivirus software expire or insist on using old tech that we know is hackable. What about folks who cavalierly use passwords like ‘12345678’? What do these behaviors say to everyone who is in our sphere of communication?

Stop thinking about technology and hackers for a moment and look at this as a holistic problem. If the survey about IT professionals is remotely accurate, and if the threats are as real as the data says, it means our attitude toward security needs serious adjustment.

Establish a #CybersecurityFirst Mindset

How do we get to a level of care that avoids security risks? We start by making sure that everyone is aware and able to make themselves more resilient to hacking. It sounds complex but comes down to knowing the difference between what’s considered poor and good behavior.

For instance, poor behavior may cause people to assume that computers and digital devices are safe and that nobody cares about the single user plugging away at an accounting spreadsheet in a coffee shop. Good behavior takes personal responsibility and recognizes that being online has definite and inherent risks. Some risks are far more severe than others, but above all poor behavior (like denying there’s a risk) raises not only your chances of getting hacked but also raises risks for everyone who connects with you.

Prevention is a Full-Time Job

Even experts who take the best precautions can’t always prevent hacks and virus infections. So, along with accepting personal responsibility, we make it harder for hackers by creating layers of security:

  • Use and maintain antivirus software and a firewall. Contrary to some myths, people who use PCs, Macs, phones and pads are equally exposed and should have active antivirus programs, firewalls, malware sniffers, and VPN. Install patches (automatic updates) and keep your firewalls up-to-date. Hackers scan for people with old or expired software. And, if you don’t have either, you’re just a sitting duck.
  • Establish your own personal online usage guidelines. You can start with the rules and guidelines from your company. The rules are usually simple enough. Many are simple common sense: don’t share passwords, use good passwords, think before clicking (any link) and always be cautious about installing unknown or untested software and IoT devices.
  • Double-check email attachments. When it comes to phishing and ransomware, you can never be sure about an unexpected text message, email, or phone call. Hackers are very clever and adept at making email look like it comes from someone you know or a company you trust. Before opening attachments or clicking links, verify the identity of the sender.
  • Trust your instincts. Attackers are constantly releasing new viruses. So, scan documents and attachments with antivirus software before opening them. If an email or text message looks suspicious, delete it. Suppose it’s really important, someone will try to contact you again. Always remember technology can only help so much, so trust your instincts!

Be Cyber-Resilient

The entire Cybersecurity Awareness Campaign create by the CISA is intended to raise our awareness about the risks WE ALL FACE. For example, when we share #CybersecurityFirst we encourage everyone around us to be more watchful and vigilant about our security. But the effort goes far beyond hashtags and slogans.

When we educate ourselves and help stakeholders, we’re taking a firm stand about where we are in the long-term journey to safety. Read SonicWall’s Ultimate Enterprise Ransomware Guide and see where we are in developing systems that are secure and resilient to ransomware and other threats.

But remember, there’s no quick fix, no “set-and-forget” software, no universal rules for cyber-resilience. Good cybersecurity technology like virtual firewall platforms, physical firewalls, and other security services help, but good behavior is where the real work begins.

Cybersecurity News & Trends

The news outlets are back to quoting the Mid-Year Update to the 2021 SonicWall Cyber Threat Report, with a big hit in Germany in Handelsblatt, a major news outlet. In industry news, analysts debate the significance of “killware,” hackers are stealing telecom records, hosting admins sentenced with RICO charges, Dark Web goes darker, Macs are still safer, and beware of YouTube trojans.


SonicWall in the News

The invisible war – how global hacker gangs threaten our security and prosperity

Handelsblatt (Germany): An outstanding article in one of Germany’s most important daily newspapers mentions SonicWall as an expert in cybersecurity and quotes the 2021 Cyber Threat Report Mid-Year Update. The authors cite several vital stats from the report to explain the rise of various threats that have weakened cybersecurity throughout the world. The article appeared online and in the print issue of the publication.

SonicWall’ Returns Choice’ To Customers by Securing Different Network Environments

Security Brief (Asia): SonicWall has declared that organizations should no longer change how they operate to secure their networks, devices and people, prompting the company to bring ‘customer choice’ back into its range of cybersecurity solutions.

Protect any network combination

LANline (Germany): This article picked up SonicWall’s media alert on protecting virtual, hybrid, cloud-based and local systems with SonicWall.

SonicWall Webinar: Can small companies and branches survive the crisis?

Infopoint Security (Germany): This article promotes a SonicWall webinar that shows how small businesses can best protect themselves during the “crisis” of increased cyberattacks.

Could your company recover from a ransomware attack?

BizJournals (U.S.): Citing SonicWall’s mid-year update on the 2021 Cyber Threat Report, the author notes the sharp rise in ransomware attacks in North America as a reason for companies to create contingency plans.

How to Create a Relevant Cybersecurity Strategy

Accounting Web (U.S.): Using SonicWall’s Mid-Year Update on the 2021 Cyber Threat Report, the author illustrates the sharp rise in cybersecurity attacks. The article is mostly about how CPAs and other accounting professionals play a crucial role in protecting financial data. However, the author also provides an overview of the most common cyberattacks, such as malware and phishing, and offers tips on making sure your organization has the proper protections in place.

‘Clumsy’ BlackByte Malware Reuses Crypto Keys, Worms into Networks

Dark Reading (U.S.): A unique malware named “BlackByte” was discovered during a recent incident response engagement. The malware reportedly avoids Russian computers and uses a single symmetric key for encrypting every compromised system. Additionally, the report cites SonicWall’s “Cyber Threat Report: Mid-Year Update” and notes that the number of ransomware attacks in the first half of the year rose 150% to almost 305 million.

The Ransom Disclosure Act Proposed — Gives 48 Hours to Report Ransom Payments

LinkedIn Pulse: Citing Ransom Disclosure Act legislation proposed in the U.S. Senate, the author offers “hard-numbers perspective” of data from the Mid-Year Update on the 2021 SonicWall Cyber Threat Report, ransomware attacks surged a staggering 304.7 million attempted ransomware attacks within SonicWall Capture Labs’ Capture Threat Network, which monitors and collects information from global devices.


Industry News

DHS Secretary: “Killware” Malware Designed to Do Real-World Harm

CPO Magazine: This article opens with comments made by U.S. Department of Homeland Security Alejandro Mayorkas where he asserts that “killware is poised to be world’s next breakout cybersecurity threat.” The reference is on recent attacks on water treatment plants and hospitals where hackers could – in theory – trigger events that may harm or kill people. Mayorkas’ claim appears to be backed up by research from Gartner that projects that threat actors will be weaponizing operational environments to harm and kill people within the next four years. While the danger is real, other analysts believe that the “hype is bigger than the threat, for now.” While the attacks on SolarWinds and the Colonial Pipeline are very worrisome, and the recent attempted attack on a water treatment plant in Florida is alarming to the extreme, they are not necessarily harbingers of imminent danger. Since nearly all cybercrime is motivated by profit, we need to define… “exactly when a given cyberattack moves from being a purely criminal matter to a national security threat,” said one analyst. “If cyberattacks, especially those perpetrated across international boundaries, regularly cause bodily harm or loss of life, they will receive treatment as a threat to national security.”

Cybercrime Group Hacking Telecoms to Steal Phone Records

Gizmodo: A new report shows that a particular hacker group, believed to be based in China, has been targeting telecommunication companies all over the world. The report, which goes into a significant amount of detail, shows that the hackers behind the campaign have managed to infiltrate 13 different global telecoms in the span of just two years. Reuters reports that this has included exfiltrating “calling records and text messages” directly from carriers.

Hosting Administrators Sentenced for Helping Cybercrime Gangs

Bleeping Computer: Two Eastern European men were sentenced to prison on Racketeer Influenced Corrupt Organization (RICO) charges for bulletproof hosting services used by multiple cybercrime operations to target U.S. organizations. They provided cybercrime-affiliated clients with the infrastructure needed to host exploit kits and run malicious campaigns distributing spam emails and malware for roughly seven years, between 2008 and 2015.

The Dark Web Goes Darker and Busier

TechSpot News: Cybercrime services cost less than $500, and stolen data now spreads 11 times faster than it did six years ago, according to a recent study by BitGlass. Why this matters: The dark web is not only alive and kicking, and it’s growing more dangerous than ever.

Cybersecurity Offers Jobs, High Wages — If Enough People Can Be Trained

Argus Leader: As people consider careers or new options in work, high-paying jobs in traditional fields like health may come to mind, but one industry is prospering from protecting the data of others. Cybersecurity, the protection of computer systems and networks, is emerging as a promising industry with more than enough jobs. The issue? There aren’t enough faculty to train people to fill that work.

Macs Still Targeted Mostly with Adware, Less with Malware

Dark Reading: For people who rely on Macs, the news is a little better. An ongoing study of vulnerabilities, the top 10 categories of digital threats on macOS are all adware programs, with only a sliver of the share of victims affected by actual malware. Apple Macs are not immune to malicious attacks. Still, outside of some significant nation-state efforts, new research shows that bad actors continue to use adware as the method of choice to make money from infecting the macOS operating system.

Massive Campaign Uses YouTube to Push Password-Stealing Malware

Tech Times: Widespread malware campaigns are creating YouTube videos to distribute password-stealing trojans to unsuspecting viewers. Initially reported by Bleeping Computer, video descriptions may contain links that lead to password-stealing trojan malware. These infections quietly run on a computer while stealing passwords, screenshots of active windows, cookies, credit cards stored in browsers, FTP credentials, and arbitrary files decided by the threat actors. When installed, the malware will communicate with a Command & Control server, where it waits for commands to execute by the attacker, which could entail the running of additional malware. According to this report, the best way to avoid the attack is not to click links in the video description.


In Case You Missed It

 

Free game download links spread via Facebook come with free Infostealer

Even back in the day, cybercriminals have been masking malware within pictures, screensavers or games that can be downloaded for free. But now, since the Internet has grown immensely into a huge form of entertainment for everyone especially with the popularity of social media, the threat from free downloads has greatly multiplied. This week we have come across free game download being distributed on Facebook which installs malware.

Infection cycle:

The sample we observed purportedly installs a free Nintendo Super Mario game. The main installer uses the following icon:

Upon execution it displays a fake splash screen that appears to install the game.

But instead it drops a Trojan along with a few legitimate libraries and python packages which it uses for a robust set of functionalities including data gathering and reconnaissance, downloading additional software, messaging functionality, receive commands from a remote server and more.

No game is installed but upon successful installation, the Trojan, janma.exe, runs in the background and begins gathering information about the victim machine like querying system security settings, browser settings, etc.

It intermittently sends and receives data from a remote server.

To maintain persistence it adds 5 scheduled jobs named “UpdateCore0x” to run a copy of the Trojan upon logon and every 10 minutes.

During further analysis, we observed that this Trojan gathers a lot of Facebook account information that might be available on the victim’s machine.

It gathers login information that might have been saved in the internet browsers.

It has the ability to add friends and confirm pending requests. In case the victim uses Facebook ad account, it has the ability to look at ad spent, retrieve ad ids, ad status and disable notifications, and therefore the victim will not be notified if there are any changes made on their ad account.

It also has the functionality to change Facebook security settings, check if the user uses two-factor authentication and to retrieve recovery codes.

This extensive amount of account information gathered can presumably be used to further this malicious campaign and spread via Facebook.

As always we urge our users to be vigilant and to be cautious of any free software download specially if you are not certain of the source.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: FBSpam.FB (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

 

 

 

WordPress WooCommerce Plugin SQL Injection

WooCommerce Blocks offers a range of Gutenberg blocks you can use to build and customize your site. Designed to work with the new Block Editor introduced with WordPress 5.0, WooCommerce Blocks offers a range of blocks you can use to build and customize your site. A SQL injection vulnerability exists in the WooCommerce Blocks feature WordPress plugin.

Sql Injection
SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands. A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data and execute administration operations on the database.

WordPress WooCommerce Plugin SQL Injection vulnerability | CVE-2021-32789
All WooCommerce sites running the WooCommerce Blocks feature plugin between version 2.5.0 and prior to version 2.5.16 are vulnerable to sql injection.This vulnerability could be exploited via a carefully crafted URL exploit against the   endpoint. A successful attack could lead to sensitive information disclosure. No authentication is needed to execute this attack.

Typical attack looks like this


This query will pull all the table schema information from the database.


This query will return admin users.


The query will return associated database fields with hashed passwords.

This vulnerability is patched.

SonicWall Capture Labs provides protection against this threat via following signatures:

  • IPS 15661: WordPress WooCommerce Plugin SQL Injection

Threat Graph

How to Protect Multi-Cloud Environments with a NSv Virtual Firewall.

Secure the virtual workforce in multi-cloud environments.

The drive for virtualization places enormous pressures on modern data centers to accommodate multi-cloud networking that often features a mix of private, public and hybrid cloud computing environments.

IDC’s latest forecast predicts that “whole cloud” spending is poised for annual growth of nearly 17% and will reach more than $1.3 trillion by 2025. The forecast includes worldwide spending on cloud services, the hardware and software components to keep the cloud supply chain moving, plus professional and managed services.

As more organizations embrace the technology and multi-cloud migration expands, organizations embrace technologies, such as containers, network virtualization must develop to adequately secure highly dynamic environments ranging from public clouds to private clouds to data centers. Otherwise, organizations face the risks of visibility blind spots and control challenges. To circumvent the blind spots, IT managers are reaching out for cloud security solutions that operate well together and are easily managed.

The benefits of cloud computing are well-known and significant. However, so are the security challenges, exemplified by the many recent high-profile data breaches. Whether stored in a physical data center or a public, private or hybrid cloud, your data is the hacker’s goal.

Securing the cloud introduces a range of challenges, including a lack of network traffic visibility, unpredictable security functionality and the struggle to keep pace with the rate of change commonly found in cloud computing environments. To be efficacious, organizations need a cloud security solution that:

  • Identifies and controls network traffic within the cloud-based on identity, not the ports and protocols they may use.
  • Stops malware from gaining access to and moving laterally within the cloud.
  • Determines who should be allowed to use the applications and grants access based on need and credentials.
  • Streamlines deployment and gets a new instance up and running with a click. You do not want to configure each virtual firewall since that is time-consuming. Ideally, you have a pre-defined configuration pushed to the device, and it is up and running.
  • Cost-effectively replaces expensive WAN connection technologies, such as MPLS, with secure SD-WAN.
  • Simplifies administration and minimizes the security policy delay as virtual machines (VM) are added, removed or moved within the cloud environment.

Securing the cloud with SonicWall NSv virtual firewalls

Recently, SonicWall announced a new firmware, SonicOSX 7.0.1, on its virtual firewall platforms to provide feature parity with its hardware firewall platform running SonicOS7.

SonicWall Network Security virtual (NSv) firewalls support secure SD-WAN, Zero-Touch Deployment, DNS security, Restful API and many more features that help solve the earlier problems. The new firmware also allows users to operate the firewall in the traditional classic mode or policy mode. SonicOSX is the new SonicWall firewall firmware that lets granular control and enforcement of dynamic Layer 7 applications within the security policy. SonicOSX combines Layer 3 to Layer 7 rules into a single rule called Security Policy. Hence, the user will no longer need to configure any rules in separate tabs, as in the case of global mode. It also includes multiple improvements around user experience with rule exporting, cloning of a rule, shadowing alerts, bulk editing, and many more.

SonicWall NSv firewalls help security teams reduce different security risks and vulnerabilities, which can cause severe disruption to business-critical services and operations. With full-featured security tools and services, including reassembly-free deep packet inspection (RFDPI), security controls and networking services equivalent to what a SonicWall physical firewall provides, NSv effectively shields all critical components of your private/public cloud environments.

NSv is easily deployed and provisioned in a multi-tenant virtual environment, typically between virtual networks (VN). This allows it to capture communications and data exchanges between VMs for automated breach prevention while establishing stringent access control measures for data confidentiality and VM safety and integrity.

Security threats (such as cross-virtual-machine or side-channel attacks and common network-based intrusions and application and protocol vulnerabilities) are neutralized successfully through SonicWall’s comprehensive suite of security services.

All VM traffic is subjected to multiple threat analysis engines, including intrusion prevention, gateway anti-virus and anti-spyware, cloud anti-virus, botnet filtering, application control and the Capture Advanced Threat Protection (ATP) multi-engine sandbox.

Clearly, the push for virtualization will continue and may even intensify. To learn more about SonicWall cloud solutions, please visit SonicWall.com/cloud.