Cybersecurity is Infrastructure

With the Infrastructure Investment and Jobs Act’s passing, state and local governments move to secure themselves against rampant cyberattacks.

When President Joe Biden signed the $1.2 trillion Infrastructure Investment and Jobs Act into law in November 2021, we saw a celebration of bipartisanship that emphasized the importance of the legislation. The bill’s journey to passage drew on support from both Democrats and Republicans to create jobs across the country by dispersing billions of dollars to state and local governments to help amend decades of neglect.

The bill specifically targets the country’s crumbling bridges, tunnels, roads and railways. In addition, it expands broadband internet access to millions of Americans, and it gives state and local governments the means to enhance and expand local cybersecurity.

Why worry about cybersecurity?

Although cybersecurity has always been a part of all-things-internet, the recent massive rise in malware and other threats has forced the whole world to sharpen its attention on cybersecurity in ways we never thought necessary.

In the first half of 2020, there were 4.4 million attacks against government customers. However, as reported in the mid-year update to the 2021 SonicWall Cyber Threat Report, during the same period in 2021, that number rose to 44.6 million — a staggering 917% increase and the most significant jump of any industry examined by SonicWall. 

In SonicWall’s follow-up report, The Year of Ransomware, the attacks showed no sign of slowing. After posting a groundbreaking high in June, the third quarter saw 190.4 million ransomware attempts, the highest ever recorded in a single quarter by SonicWall. In contrast, there were 195.7 million total ransomware attempts logged during the first three quarters of 2020.

What does the infrastructure bill do for cybersecurity?

The $1.2 trillion Infrastructure Investment and Jobs Act allocates about $2 billion for cybersecurity. About half of that amount is set aside for the State, Local, Tribal and Territorial (SLTT) Cyber Grant Program and distributed over four years.

The Department of Homeland Security (DHS) will administer the funding. To access it, SLTTs will need to present comprehensive plans that fully and accurately describe new resource procurement, implementation and management. As written, the bill provides $200 million in 2022, $400 million in 2023, $300 million in 2024, and $100 million in 2025.

How does the infrastructure bill specify what qualifies as cybersecurity?

The Infrastructure Investment and Jobs Act’s language offers a much-needed definition for state and local governments of the types of investments they are expected to make. But, more than likely, DHS will add compliance requirements and rules as a condition of funding.

Specifically, the bill identifies firewalls (on-prem and virtual), secure mobile access (on-prem and virtual) and advanced software that provides endpoint threat detection and response. That means funding rules will probably focus on technology that offers operational capability or services, including computer hardware, software and related assets that enhance operators’ ability to protect themselves against threats.

What kind of broadband spending does it offer?

The legislation identifies $42.45 billion for an initiative called “Broadband Equity, Access, and Deployment.” This portion expands the grants available to underserved communities. The Assistant Secretary of Commerce for Communications and Information will soon announce funding details.

Still, this funding is expected to touch on local cybersecurity considerations as expansion will likely involve wireless communication and participation from local utilities (e.g., mobile, broadband).

How SonicWall Fits into the Plan

While the Infrastructure Investment and Jobs Act identifies security technology like firewalls, secure mobile access and endpoint threat protection software, it doesn’t specify performance metrics to help state and local governments target their plans more precisely. Additionally, we won’t have funding specifics from managing agencies until early next year.

In the meantime, state and local governments are already forming their procurement teams. Some are preparing themselves by establishing early partnerships with the cybersecurity industry to identify technology and best practices for managing local networks.

Among the many considerations:

  • Recognize and address the increased cybersecurity risks from all aspects of your network. SonicWall helps you uncover hidden dangers with high-level analytics and reporting.
  • Create and maintain robust data policies and procedures. Network management and policy management tools are built into SonicWall Network Security Manager. NSM gives IT teams the power to govern centrally, meet compliance rules and regulations, and manage risks as they emerge.
  • Look for automated real-time breach detection and prevention. SonicWall offers automated TLS inspection, patented Real-Time Deep Memory Inspection (RTDMI), Reassembly-Free Deep Packet Inspection (RFDPI) and Capture ATP cloud-based multi-engine sandboxing. Networks gain added security and resilience with Capture Security Appliance (CSA) on-premises advanced threat detection and Cloud App Security for Office 365 and G Suite applications.
  • Seek out proven efficacy and innovation. Technological efficiency will be a significant consideration for funding since the kinds and variations of threats are constantly changing. SonicWall’s latest threat data included a report of a 73% increase in unique malware variants. The company’s patented technology uncovered this significant data point.
  • Plan a layered approach to cybersecurity. For example, SonicWall solutions offer ‘end-to-end’ layers of protection, detection and inspection. Our portfolio provides firewalls, switches, secure mobile access, Wi-Fi, email security, cloud application security, endpoint security and control — all orchestrated within a consolidated Network Security Manager through a single pane of glass.
  • Build organizational consensus and ownership. The best cybersecurity implementation starts with total buy-in from everyone in the organization. Your network security is strengthened when everyone complies with security measures you’ve chosen to help keep your network and digital assets safe from hackers.
  • Demand the correct certifications from your vendors. SonicWall meets federal governmental certification and interoperability requirements (e.g., NIST, FIPS 140-2, CSfC, Common Criteria, DoDIN APL, USGv6 and NSA CNSA Suite B).

Cybersecurity News & Trends

SonicWall’s widely quoted threat reports (The Year of Ransomware and Mid-Year Update to the 2021 Cyber Threat Report) are still attracting US and European journalists and editors. This week, SonicWall scored another big hit with a report from Wall Street Journal. In industry news, the previously mentioned article in Wall Street Journal reports on the possible extradition of a Russian entrepreneur to the US. Meanwhile, US Government cybersecurity initiatives lean hard on partnerships with corporations and academia, banking regulators push hard on banks to report breaches quickly, the US House approves an additional $500 million for cybersecurity funding, and insurance companies run away.


SonicWall in the News

US Accuses Russian of Money Laundering for Ryuk Ransomware Gang

Wall Street Journal (US): A Moscow entrepreneur was detained during a vacation abroad this month and is now facing extradition to the US on charges that he helped a notorious Russian ransomware group launder payments. Denis Dubnikov, a Russian citizen, was expelled from Mexico and placed on a plane to Amsterdam, where Dutch police arrested him on Nov. 2 on a US charge of conspiracy to commit money laundering, according to his lawyer Arkady Bukh. Dubnikov, 29 years old, is being sought to stand trial as part of a Federal Bureau of Investigation investigation of Ryuk, which was linked to one-third of all US ransomware attacks in 2020, according to cybersecurity firm SonicWall.

Cryptojacking – A Poison For Latin America’s Digital Economy

Intelligent CIO (Brazil): Arley Brogiato, Sales Director, SonicWall Latin America, explains the risk of cryptojacking in the region. Like a pest that silently gnaws at corporate IT, cryptojacking does unnoticed, unconfronted and unresolved damage. This expression comes from the word ‘crypto,’ from cryptocurrencies and ‘jacking,’ which refers to something used illegally.

Sonicwall: ‘Largest Platform Evolution In Company History’ Unifies Cloud, Virtual & Hardware Portfolio

Scoop Sci-Tec (Singapore): SonicWall today announced the latest additions of its Generation 7 cybersecurity evolution, the largest in the company’s 30-year history. Driven by this innovation, SonicWall unifies cloud, virtual and hardware offerings across a single and fully integrated cloud-powered platform.

Toronto Transit Commission Still Recovering from Ransomware Attack

IT World (Canada): IT staff at the Toronto Transit Commission (TTC) are still dealing with the effects of a ransomware attack that was detected just as the weekend started. In a report released Friday, SonicWall said that it had logged 495 million ransomware attempts this year to date. At that rate, it said, 2021 will be the most costly and dangerous year on record.

Ransomware: How to Mitigate Attacks

ARN-IDG (US): Ransomware is a form of malicious software that encrypts a user’s sensitive data when deployed on a device. The victim is asked to pay a ransom to the attacker, usually in Bitcoin, to secure a decryption key or initiate a decryption process. Posted by Jeff Marshall, Country Manager & Regional Director.

Mitiga Releases Cloud Incident Readiness and Response Solution for Ransomware Attacks

CISION (US): Ransomware attacks are on the rise worldwide, increasing in complexity as cyberattackers adapt to defensive strategies. Recent research by SonicWall shows that ransomware attacks reached 304.7 million in the first half of 2021, exceeding the 304.6 million attacks logged in all of 2020.

Be Cyber Smart and Lock It Down

ELE Times: According to the widely quoted Mid-Year Update for the 2021 SonicWall Cyber Threat Report, ransomware attacks rose to 304.6 million in 2020, up 62% over 2019. The increase occurred as more of the US workforce started working from home due to the pandemic. There were also 226.3 million ransomware attacks through May of this year, up 116% year to date over last year. Author: Debasish Mukherjee: Vice President, Regional Sales APAC at SonicWall.


Industry News

NSA Director: Evolving Cyber Threats Require Deeper Public-Private Partnerships

Nextgov: The government has long leaned on partnerships with companies and academia to advance technology, but according to one top cybersecurity leader, the complexities of the modern conflict landscape warrant cross-sector collaboration that goes deeper than any before. “I do think that there is a realization that we can’t do this alone,” Gen. Paul Nakasone said Tuesday night at an Intelligence and National Security Alliance-hosted dinner in Virginia. “So, this partnership has to exist—and it’s got to get even more powerful.”

Banks Ordered to Promptly Flag Cybersecurity Incidents Under New US Rule

Reuters: US banking regulators on Thursday finalized a rule that directs banks to report any significant cybersecurity incidents to the government within 36 hours of discovery. Separately, the banking industry said it had completed a massive cross-industry cyber security drill that aims to ensure Wall Street knows how to respond in the event of a ransomware attack that threatens to disrupt a range of financial services.

More Than $500M For Cybersecurity Included in Sweeping House-Passed Package

The Hill: The House approved more than $500 million in cybersecurity funding on Friday as part of its version of President Biden’s roughly $2 trillion Build Back Better package. The social and climate spending bill, passed by a narrow vote of 220-213, would primarily funnel those funds to the Cybersecurity and Infrastructure Security Agency (CISA) to help address issues including cybersecurity workforce training and state and local government cybersecurity.

Beware the Chinese Ransomware Attack with No Ransom

Bloomberg: A breach by Chinese hackers of almost a dozen targets in Taiwan looked, on the surface, like just another ransomware attack: infiltrate a network, encrypt a ton of files, lock the owners out of their systems, and wait to be paid. But this one was different for what it didn’t contain and portends a type of threat that could hinder attempts by corporate and government leaders to make their computer systems more secure. Companies like the semiconductor maker Powertech Technology Inc., communications provider Chunghwa Telecom Co., plastics conglomerate Formosa Petrochemical Corp. and state-run petroleum company CPC Corp. were among those hit in May 2020 by the Chinese Winnti group. Last year, seven members were indicted by the US for a series of attacks that allegedly affected more than 100 high-tech and online gaming companies globally.

North Korean Hacking Group Targets Diplomats, Forgoes Malware

Dark Reading: A North Korean cyber-operations group has increased its focus on cyber espionage and targeting diplomats and regional experts, using captured user credentials to fuel phishing attacks and only rarely using malware to persist in targeted organizations. A new report found that the North Korean group mainly targets individuals in the United States, Russia, and China, and usually attempts to quietly harvest credentials, siphon off information, and — like many attacks attributed to North Korea — turn compromises into financial gain.

Iran-Backed Hackers Exploited Microsoft, Pose Major Cyber Threat

Fox News: Law enforcement agencies in the U.S., Britain, and Australia have issued a joint statement labeling an Iran-sponsored group as a serious threat to cyber security. The Cybersecurity and Infrastructure Security Agency (CISA), FBI, Australian Cyber Security Center (ACSC), and British National Cyber Security Center (NCSC) released a joint cybersecurity advisory Wednesday that linked a group of hackers to the Iranian government.

Hackers Deploy Linux Malware, Web Skimmer on E-Commerce Servers

Bleeping Computer: Security researchers discovered that attackers are also deploying a Linux backdoor on compromised e-commerce servers after injecting a credit card skimmer into online shops’ websites. The PHP-coded web skimmer (a script designed to steal and exfiltrate customers’ payment and personal info) is added to common folders and camouflaged as JPG image files. The attackers use this script to download and inject fake payment forms on checkout pages displayed to customers by the hacked online shop.

Businesses Worried About Cyberattacks During the Holidays

CBS News: After a year of headline-grabbing ransomware attacks, businesses say they’re worried about the possibility they’ll face cyber intrusions this holiday season, a time when many of their cybersecurity operations rely on skeleton staffing. A whopping 89% of the respondents from the US, UK, France, Germany, Italy, Singapore, Spain, South Africa, and UAE indicated that they were concerned about a repeat cyber intrusion ahead of the holiday season. However, 36% said they had no “specific contingency plan in place to mount a response.”

Insurers Run from Ransomware Cover as Losses Mount

Reuters: Insurers have halved the amount of cyber cover they provide to customers after the pandemic and the shift toward work-at-home drove a surge in ransomware attacks that left them smarting from hefty payouts. Major European and US insurers and syndicates operating in the Lloyd’s of London market face increased demand. They have been able to charge higher premium rates to cover ransoms, repair hacked networks, business interruption losses, and even PR fees to mend reputational damage.


In Case You Missed It

Cryptojackers target servers running Alibaba Cloud

This week the Sonicwall Capture Labs Research team analyzed malware samples that appear to be targeting one of the popular cloud computing platforms, Alibaba Cloud (Aliyun). Alibaba Cloud might not be the first name that comes to mind when you think of cloud computing service providers. However, it is the 4th largest cloud provider globally behind Amazon Web Services, Microsoft Azure and Google Cloud, thus a very appealing target to cybercriminals. The end goal of this malware is to use the victim machine for mining cryptocurrencies.

Infection cycle:

The malware arrives as a bash script. Upon execution it disables the Alibaba Cloud monitoring agents and the Cloud Assistant service. These services allow the owner to monitor resources and applications and to set alarms for different scenarios. Disabling them lets the malware execute without the owner of the victim machine being notified when certain metrics or rules are triggered.

It then proceeds to kill other processes and cryptomining services that would compete for CPU resources. These commands are within a function named “kill_miner_proc().”

TeamTNT and Kinsing are two of the top threat groups dominating the cryptojacking arena by infiltrating vulnerable servers for the purpose of running cryptominers. This malware has a special function named “fuckyou()” that specifically targets processes and other files known to be used by the aforementioned cybercriminal groups, effectively disabling them if present on the infected system. This establishes a clean slate for when this malware finally runs its cryptominer.

It then downloads the XMRig miner and executes it.

To maintain persistence it deletes the current crontab and adds the miner process and a copy of itself to cron.

And the entire infection cycle continues.

It is unlikely that the owner of a compromised server will notice the issue right away. Unlike with ransomware, where the victim is made aware of the infection so the cybercriminal can collect its dues, attacks such as this can quietly run in the background, silently profit without demanding a ransom and persist for a long period of time.

Sonicwall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Coinminer.AIY (Trojan)
  • GAV: XMRig.XMR_13 (Trojan)

This threat is also detected by Sonicwall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Command Injection Vulnerability in Hikvision products

Hikvision provides top-of-the-line IoT solutions and video security systems for a broad range of verticals.

Command Injection Vulnerability

The goal of a command injection attack is the execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.

CVE-2021-36260

A command injection vulnerability exists in the web server of some Hikvision products. Due to insufficient input validation, an attacker can exploit the vulnerability to launch a command injection attack by sending messages containing malicious commands.

As seen in the example, the attacker sends a command to reboot the affected device. The attack will succeed if the attacker has access to the device’s network or the device is directly exposed to the internet.

The device firmware is affected by this vulnerability (CVE-2021-36260) if its version is dated earlier than 210628. Hikvision has patched this vulnerability.
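The root cause described above, user input reaching a system shell, is shown below in an added example that is not Hikvision’s code: a constructed “ping this host” handler of the kind found in device web UIs, in its injectable form beside a hardened one, plus a helper that applies the build-date cutoff given above (assumed to be a YYMMDD string, which is a labelled assumption).

```python
import re
import subprocess

# Added example, not Hikvision's code. The handler below is constructed to show
# the injectable pattern described in the text and a hardened replacement.

# Strict hostname syntax: labels of letters, digits and hyphens, no leading or
# trailing hyphen, dot-separated. Shell metacharacters and spaces cannot match.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def command_string_unsafe(host: str) -> str:
    """Vulnerable pattern: user input concatenated into a shell command line.

    Returned instead of executed so the effect of untrusted input on the
    command line can be inspected. Anything the shell treats specially in
    `host` (separators, substitutions, redirects) becomes part of the command.
    """
    return f"ping -c 1 {host}"


def argv_safe(host: str) -> list[str]:
    """Hardened form: validate with an allow-list, then pass the value as one
    argv element. No shell is involved, so metacharacters carry no meaning
    even if validation were ever bypassed. A leading '-' is also rejected by
    the regex, which prevents option injection into ping itself.
    """
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected target: {host!r}")
    return ["ping", "-c", "1", host]


def is_accepted(host: str) -> bool:
    """True if the hardened handler would run a ping for this input."""
    try:
        argv_safe(host)
        return True
    except ValueError:
        return False


def run_ping(host: str) -> int:
    """Execute the validated command without a shell; returns the exit code."""
    result = subprocess.run(argv_safe(host), shell=False, timeout=10,
                            capture_output=True)
    return result.returncode


# Build-date cutoff from the advisory summary above. Assumption for this
# example: the firmware build date is compared as a six-digit YYMMDD string.
PATCH_BUILD_DATE = "210628"


def firmware_is_affected(build_date: str) -> bool:
    """True if the build date is earlier than the patched build."""
    if not re.fullmatch(r"\d{6}", build_date):
        raise ValueError("build date must be YYMMDD")
    return build_date < PATCH_BUILD_DATE


if __name__ == "__main__":
    tainted = "192.0.2.1; echo injected"
    print("unsafe command line:", command_string_unsafe(tainted))
    print("hardened handler accepts it:", is_accepted(tainted))
    print("hardened argv for a valid host:", argv_safe("camera-01.example.net"))
```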

SonicWall Capture Labs provides protection against this threat via following signatures:

    • IPS 15701: Hikvision IP Camera Command Injection

Threat Graph

Frost & Sullivan Commend SonicWall for Security Excellence

In its most recent analysis of the global network firewall market, Frost & Sullivan awarded SonicWall its 2021 Global Competitive Strategy Leadership Award. Frost & Sullivan applies a rigorous analytical process to evaluate multiple nominees for each award category before determining the final award recipient.

“We appreciate the recognition of SonicWall’s cybersecurity prowess as we charge forward in our mission to deliver partners and customers with proven protection for organizations that have become borderless,” said SonicWall President and CEO Bill Conner in an official release. “Our commitment to providing world-class security solutions for businesses of any size, coupled with our frequent product innovations, reinforce the company’s position as a leading cybersecurity innovator well into the future.”


SonicWall has been at the forefront of providing advanced cybersecurity solutions for service providers, data centers, large distributed enterprises, as well as state, local and federal government agencies, for over three decades.

When evaluating SonicWall and its products, Maksym Beznosiuk, Best Practices Research Analyst at Frost & Sullivan said, “SonicWall frequently redefines its roadmap to deliver the best network security and cybersecurity solutions to organizations across industry verticals, ensuring higher efficiency, security and reliability.”

The award process involves a detailed evaluation of best-practices criteria across two dimensions for each nominated company. SonicWall excelled across the criteria in the network firewall space.

“SonicWall leads the way in the network firewall market by frequently redefining its roadmap to deliver the best network security and cybersecurity solutions to organizations across industry verticals, ensuring higher efficiency, security and reliability,” said Beznosiuk. “SonicWall positions itself strategically by broadening its portfolio with on-premise, hybrid, or virtual firewalls while also ensuring flexible price ranges.”

If you want to learn more about SonicWall and Frost & Sullivan’s 2021 Global Competitive Strategy Leadership Award, please visit here.

Cybersecurity News & Trends

SonicWall’s The Year of Ransomware and Mid-Year Update to the 2021 Cyber Threat Report are still circulating in US and European news outlets. Meanwhile, trade news is tracking SonicWall’s penetration into regional markets. In industry news, the FBI warns about Iranian hackers, the Robinhood hack took from customers and gave to the hackers, the BlackMatter ransomware had a coding flaw that lost millions, and the world of Superman and Batman was ransomed.


SonicWall in the News

How the Cloud Enables Fast, Easy Recovery from Ransomware and Disasters

CPO Magazine (US): Ransomware attacks are skyrocketing, fueled by the rise in remote work during the pandemic. There were more than 300 million ransomware attacks during the first half of this year — up 151% over 2020 — according to the 2021 Cyber Threat Report from security firm SonicWall.

Back to Basics: Hardware Security as the Ultimate Defense Against Ransomware Attacks

Techspective (US): Ransomware has been a growing threat for a while. But it seems 2021 is the year that evolving attacks have exploded worldwide — citing SonicWall’s “The Year of Ransomware” cyber threat update.

IT Paves the Way to Return To Village

Newsbook (Spain): SonicWall’s participation in a unique article about how IT helps companies return to rural Spain: The transfer of the usual areas of residence caused by remote work during the covid-19 pandemic has revealed the urgency of closing the digital divide between the different territories.

Education, One of The Main Targets of Cybercriminals

ComputerWorld /CSO (Spain): SonicWall byline article about the education sector. Written by Luis Fisas, SonicWall’s Southern Europe director.

Act Now To Protect Yourself Against Cybercrime

Bristol Post (UK): Cybercrime is a fast-growing threat to every organization online. According to the 2021 SonicWall Cyber Threat Report, in the first half of this year, there were 304.7 million ransomware threats – a rise of more than 150% on the same time last year.

Safe-T Group Boosts iShield with Advanced Ransomware Protection Capabilities

Yahoo Finance (New Zealand): Over just the past year, more than 495 million ransomware attacks have been logged by SonicWall, a leading publisher of ransomware threat intelligence, making 2021 the most costly and dangerous year on record.

Safe-T Group Announces Boost To iShield Consumer Cybersecurity Product

Proactive Investors (UK): Safe-T noted that over just the past year, more than 495 million ransomware attacks had been logged by SonicWall, a leading publisher of ransomware threat intelligence, making 2021 the most costly and dangerous year on record.

Can Small Companies and Branches Survive the Crisis?

Security Insider (Germany): This article reviews a SonicWall webinar about the global ransomware crisis.

SonicWall Merges Sales Regions

Channel Observer (Germany): This article discusses the news alert about SonicWall expanding the central Europe sales account.

Cyberattacks Cost the Education Sector An Average Of 2.34 Million Euros

El Economista (Spain): SonicWall Cyber Threat Report mentioned in an article about cybersecurity in the Education Sector.

SonicWall Reports Nearly ‘Unimaginable Upward Trend’ In Ransomware

Intelligent CISO (UK): SonicWall has recorded a 148% increase in global ransomware attacks through the third quarter of 2021.

10 Minute IT Jams – SonicWall VP Discusses SASE and Zero Trust

Techday Network (New Zealand): Virtual Interview with Vice President of Products Jayant Thakre. They discussed SASE and Zero Trust among other topics.

Types of Malware: How to Detect and Prevent Them

Security Boulevard (US): Cyberattacks are rampant, wreaking havoc on organizations of all sizes. SonicWall recorded 304.7 million global ransomware attacks during the first half of 2021, a 151% year-to-date increase.

A Record 714 million Ransomware Attacks Are Forecast By 2021

IT Reseller (Spain): Press release, the year of ransomware: There has been a 148% increase in global ransomware attacks so far this year, as well as a 33% increase in IoT malware globally, with spikes in the United States and Europe. Cryptojacking has also emerged, with a massive growth rate of 461% across Europe.


Industry News

FBI Warns US Companies About Iranian Hackers

CNN: Iranian hackers have searched cybercriminal websites for sensitive data stolen from American and foreign organizations that could be useful in future efforts to hack those organizations, the FBI said in an advisory sent to US companies. In addition, Iranian hackers are interested in dark-web forums, where scammers leak information on their victims, such as stolen emails and network configurations.

Daily Crunch: Malicious hackers gain access to 7 million Robinhood customer names, emails

TechCrunch: A social-engineering hack led to Robinhood’s internal tools being accessed by an external party. According to the report, hackers took a database of more than 5 million customer email addresses and 2 million customer names. Also taken was a much smaller set of more specific customer data. For a company that recently posted somewhat lackluster earnings, it’s not a great look.

Travel Site Booking.com reportedly hacked by a US intel agency; customers never informed

ARS Technica: According to a book published on Thursday, a hacker working for a US intelligence agency breached the servers of Booking.com in 2016 and stole user data related to the Middle East. The book also says the online travel agency opted to keep the incident secret. The Amsterdam-based company decided that it didn’t need to notify customers or the Dutch Data Protection Authority because it wasn’t legally required to do so, as the hack didn’t reveal sensitive or financial information.

Ransomware Criminals Lost Millions When Researchers Secretly Uncover Errors

ZDNet: A significant ransomware operation was blocked from collecting millions of dollars when a cybersecurity research group discovered a flaw in their code. Researchers found an error in the encryption that allowed files to be recovered without paying the ransom. The group, housed at Emsisoft, detailed the encryption error behind BlackMatter ransomware. They reportedly saved several victims from paying the ransom. The group kept the flaw secret until more people could be helped. Eventually, however, researchers disclosed the flaw and how they could undermine BlackMatter and provide decryption keys to victims of their attacks.

US Targets Darkside Ransomware And Its Rebrands With $10 Million Reward

Bleeping Computer: The US government targeted the DarkSide ransomware group and various rebrands with a $10 million reward for information leading to the identification or arrest of members of the operation. In addition, rewards of $5 million are also offered for information leading to the arrest of participants in a Darkside attack.

The US Joins International Cybersecurity Partnership Previously Ignored

CNN: The United States has joined an 80-country agreement, which the Trump administration had declined to join, that condemns reckless behavior in cyberspace and seeks to mobilize resources to secure the software supply chain. Vice President Kamala Harris announced the agreement on Wednesday following a meeting with French President Emmanuel Macron.

Hackers Face Up To 100 Years in Prison If Prosecuted in the US

FoxNews: Suspected hackers connected to the cyber ransom group ‘REvil’ have been arrested and charged by the Department of Justice. The group attacked JBS Beef, the world’s largest meat supplier in the US, and tech company Kaseya. Officials also recovered $6 million in ransom payments extorted by the hackers. Cybersecurity expert and attorney Leeza Garber joined The National Desk Thursday to provide more information on these hackers.

Electronics Retailer MediaMarkt Hit by Ransomware Demand for $50M Bitcoin Payment

CoinDesk: MediaMarkt, Europe’s largest electronics retailer, has reportedly been hit by a Hive ransomware attack with demands to pay $50 million in bitcoin. The attack by the Hive ransomware group encrypted MediaMarkt’s servers, causing the retailer to shut down its IT systems to prevent further problems. That caused many stores, mainly in the Netherlands, to be unable to accept credit and debit card payments. Germany-based MediaMarkt has more than 1,000 stores across the continent.

Ukrainian Hackers Indicted in Texas After $6.1 Million Ransomware Attack

SanAngelo Live: The US Justice Department has taken action against two foreign nationals charged with deploying Sodinokibi/REvil ransomware to attack businesses and government entities in the United States. An indictment unsealed on Nov. 8 charges Yaroslav Vasinskyi, 22, a Ukrainian national, with conducting ransomware attacks against multiple victims, including the July 2021 attack against Kaseya, a multi-national information technology software company. The department also announced today the seizure of $6.1 million in funds linked to the attacks.

Major Comics Distributor Regains Access to Its Website Following A Ransomware Attack

GamesRadar: The comic book world of Superman and Batman was attacked by ransomware earlier this week. The attack affected one of the largest distributors of print comic books, Diamond Comic Distributors. Diamond Comics updated the report, saying that it has regained access to some of the systems initially taken down as part of what the company confirmed was a third-party ransomware attack that began on Nov. 5. On Nov. 11, Diamond reported that it had regained access to its main website (www.DiamondComics.com), which is now functioning for public usage.


In Case You Missed It

An Android crypto wallet stealer

With the rise in the popularity of, and investment in, cryptocurrency, there has been a rise in crypto-related scams as well. The SonicWall Threats Research team identified a malicious Android application that steals crypto wallets.

Initial Activity

Upon installation and execution, the app asks the user to grant it Accessibility Services access:

The app needs these services so that it can perform clicks in the background on behalf of the user. This is the modus operandi the app uses to steal crypto wallets from the targeted wallet app – com.wallet.crypto.trustapp.

Accessibility Services

In order to gain the user’s trust and convince the user to grant Accessibility Services access, the malware shows the user an explanation:

The malware creates a service – com.test.accessibility.MyAccessibilityService – that contains a number of interesting elements:

  • Hardcoded server URL – http://159.69.139.252:999

  • Elements of communication using a Telegram bot

  • A number of app elements related to the target wallet app – com.wallet.crypto – which correspond to the different components of the legitimate crypto wallet app

  • performAction(16) can be seen in several places in the code. This action performs a ‘click’ or ‘touch’ on a mobile device, so these calls are intended to click a button. Accessibility Services allow an application to perform such clicks in the background without the user’s knowledge.

Overall this malware is a crypto wallet stealer with a single target app that is quite popular on the Google Play store. With the rise in crypto investments we expect more such malicious apps and scams to surface in the near future.
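As an added triage example (not SonicWall’s code and not taken from the sample), the following Python scores a decoded app on the traits described above: an accessibility-bound service, a hardcoded IP-and-port URL, Telegram bot API strings, references to the targeted wallet package and performAction(16) calls. The manifest fragment and the decompiled-string list are constructed, and the IP address is a documentation placeholder rather than the sample’s server.

```python
# Added example (not SonicWall's code): static triage heuristic scoring a decoded
# Android app for the traits the analysis above describes. The manifest fragment
# and the decompiled strings below are constructed for this example.
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Wallet package named in the analysis; a real checklist would carry many more.
WATCHED_PACKAGES = {"com.wallet.crypto.trustapp"}
# Plain-IP URL with optional port, like the hardcoded server URL described above.
RAW_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?")
TELEGRAM_BOT = re.compile(r"api\.telegram\.org/bot")
# 16 is AccessibilityNodeInfo.ACTION_CLICK, the value passed to performAction().
PERFORM_CLICK = re.compile(r"performAction\(\s*16\s*\)")

def accessibility_services(manifest_xml):
    """Names of <service> elements bound with the accessibility permission."""
    root = ET.fromstring(manifest_xml)
    return [svc.get(ANDROID_NS + "name") for svc in root.iter("service")
            if svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERM]

def triage(manifest_xml, code_strings):
    """Return (score, findings); a higher score means more worth an analyst's time."""
    findings = []
    services = accessibility_services(manifest_xml)
    if services:
        findings.append(("accessibility_service", services))
    urls = sorted({m.group(0) for s in code_strings for m in RAW_IP_URL.finditer(s)})
    if urls:
        findings.append(("raw_ip_url", urls))
    if any(TELEGRAM_BOT.search(s) for s in code_strings):
        findings.append(("telegram_bot_api", True))
    targets = sorted(p for p in WATCHED_PACKAGES if any(p in s for s in code_strings))
    if targets:
        findings.append(("references_wallet_app", targets))
    if any(PERFORM_CLICK.search(s) for s in code_strings):
        findings.append(("background_click", True))
    # An accessibility-bound service that also names a wallet app is the pairing
    # that characterises this family; the other traits add weight on their own.
    score = len(findings) + (2 if services and targets else 0)
    return score, findings

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.test.accessibility">
  <application>
    <service android:name="com.test.accessibility.MyAccessibilityService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed decompiler-style strings; the IP is a TEST-NET-3 documentation placeholder.
SAMPLE_STRINGS = [
    'String host = "http://203.0.113.10:999/";',
    'String pkg = "com.wallet.crypto.trustapp";',
    'node.performAction(16);',
    'https://api.telegram.org/bot<TOKEN>/sendMessage',
]

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_STRINGS))
```

A benign screen reader that binds the accessibility permission but never names a wallet package scores only 1 here, so the pairing, not the permission alone, drives the score.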

SonicWall Capture Labs provides protection against this threat using the signature listed below:

  • AndroidOS.CryptoStealer.HT

SonicWall Answers the Call with New NGFWs

Filling an urgent need for greater cybersecurity, SonicWall completes a line-up of 17 new Gen-7 firewalls in less than 18 months.

If we’ve learned anything during this year’s unprecedented surge of malware and ransomware, with 70% of full-time workers working from home in hybrid multi-cloud environments, it is that we’re more vulnerable than ever.

According to a new report we published titled The Year of Ransomware, there have been 495 million known ransomware attacks so far this year, a stunning 148% increase year-over-year. That puts 2021 on track to be the worst year for cybersecurity we’ve ever recorded and leads us to predict that the pace of attacks will grow worse.

Not only are there more attacks, but the variants of malware used to attack our networks have also increased. For example, in the third quarter of this year, SonicWall customers experienced 1,748 ransomware attempts. That means there were 9.7 ransomware attempts per customer for each business day. Worse yet, there were 307,516 “never-before-seen” malware variants – a 73% increase over previous years.

More variants together with a greater number of hits mean higher consequences for all of us. Obviously, any grace period we may have enjoyed from enforcing stricter cybersecurity and better technology has come to an abrupt end.

What is needed today is a rapid evolution of the way we conduct cybersecurity. Not only will we have to change our behavior with better personal security practices, but we must also deploy more innovative technology that has the capacity and durability to meet the urgent call for better protection.

SonicWall Answers the Call

We’re not talking about re-embracing next-generation firewalls (NGFW). Instead, we’re looking to launch the power and flexibility of 7th generation advancements that bring enterprises to a level where they can stop attacks from many vectors. Our vision for cybersecurity is to protect organizations from the broadest spectrum of intrusions, pre-emptively reduce cyber risk, and achieve greater protection across devices, new perimeters and network segments more efficiently while lowering the total cost of ownership.

The big news is that we launched 17 new Gen-7 NGFWs in less than 18 months. So, whether you’re a small business or a large enterprise in your home or the cloud, you’ll benefit from our relentless dedication to bring you NGFWs that offer the security, control, and visibility you need to maintain an effective cybersecurity posture.

The new NSa 5700 and NSsp 10700/11700 models, designed for enterprises, governments and MSSPs, quadruple performance.

The SonicWall Network Security Appliance (NSa) 5700 and Network Security Services Platform (NSsp) 10700/11700 complete the introduction of our Gen-7 NGFWs. They run on the new SonicOS 7 and include advanced networking features such as high availability, SD-WAN and dynamic routing. These firewalls were built to meet the current high-demand cybersecurity landscape, combining validated security effectiveness with best-in-class price performance in a single rack unit appliance.

Our Gen-7 NGFWs protect all types of business no matter the size with comprehensive, integrated security services, such as malware analysis, encrypted traffic inspection, cloud application security and URL filtering. In addition, the entire line of 17 NGFWs is ready to be quickly managed by SonicWall’s cloud-native Network Security Manager (NSM), which gives distributed enterprises a single, easy-to-use cloud interface for streamlined management, analytics and reporting.

Gen-7 pushes security and performance thresholds to protect the educational institutions, financial industry, health care providers, service providers, government agencies and MSSPs. The following NGFW line-up is designed for small, medium, and the largest enterprises to protect their assets in data centers, virtual environments, and the cloud.

Entry-level NGFWs: SonicWall TZ firewalls protect small business or branch locations from intrusion, malware and ransomware with an easy-to-use, integrated security solution designed specifically for your needs. The TZ series includes five models (270, 370, 470, 570 and 670), delivering enterprise-grade protection without cost or complexity.

Mid-range NGFWs: Our Gen-7 Network Security Appliance (NSa) offers medium- to large-sized enterprises industry-leading performance at the lowest total cost of ownership in their class. The NSa series consists of five models (2700, 3700, 4700, 5700 and 6700) and includes comprehensive security features such as intrusion prevention, VPN, application control, malware analysis, URL filtering, DNS Security, Geo-IP and botnet services.

High-end NGFWs: The Gen-7 Network Security Services Platform (NSsp) high-end firewall series delivers the advanced threat protection, fast speeds and budget-friendly price that large enterprises, data centers and service providers demand. The NSsp series consists of four models, 10700, 11700 and 13700, with high port density and 100 GbE interfaces, and can process several million connections while inspecting for zero-day and advanced threats.

Virtual Firewalls: The Gen-7 NSv Series virtual firewall is built to secure cloud and virtual environments with all the security advantages of a physical firewall, including system scalability and agility, speed of system provisioning and simple management, in addition to cost reduction. The NSv series consists of three models (270, 470 and 870), securing virtualized compute resources and hypervisors to protect public cloud and private cloud workloads on VMware ESXi, Microsoft Hyper-V, Nutanix and KVM.

Powered by the new SonicOS/OSX 7

SonicWall Gen-7 NGFWs run on SonicOS/OSX 7, the latest version of our new SonicOS operating system. This OS was built from the ground up to deliver a modern user interface, intuitive workflows and user-first design principles. In addition, it provides multiple features designed to facilitate enterprise-level workflows, easy configuration, and simplified and flexible management — all of which allow enterprises to improve security and operational efficiency.

SonicOS/OSX 7 features:

Read more details about the new SonicOS/OSX 7.

Overall Solution Value

SonicWall’s award-winning hardware and advanced technology are built into each Gen-7 NGFW to give every business the edge on evolving threats. With solutions designed for networks of all sizes, SonicWall firewalls are designed to meet your specific security and usability needs, all at a cost that will protect your budget while securing your network.

To learn more about the SonicWall Gen-7 NGFW, click here.

Illuminating Cybersecurity with Unified Insights

SonicWall delivers cross-product security visibility and greater efficiency with a single pane of glass.

Gone are the days when cybersecurity managers had to rely on individual product monitors to determine the security status of their networks. Instead, the increase in threats and attack vectors, the rise in the cost of operations and the shortage of skilled IT candidates make it necessary to leverage a unified workspace that delivers clarity and actionable insights all in one interface. In addition, managers now want the means to give their security teams the ability to drill through analysis quickly and springboard into their investigations more efficiently.

But what is it that will truly drive value for administrators and analysts? What is it that makes up such a unified workspace? Our customer research has shown us that it comes down to:

  1. A Unified Workspace – where the entire team can work together under a single pane of glass with complete insights from the network, endpoints, and cloud security controls.
  2. Customizable Insights – administrators and analysts need actionable insights, but what is actionable tends to vary; customization is required for each environment.
  3. Context-aware Investigations – insights are helpful, but they only give us the tip of the iceberg. Security administrators often need to dig deep to identify the root cause and review other additional indicators through context-aware investigative workflows.

Introducing Capture Security Center (CSC) Unified Insights

When we launched Capture Security Center (CSC), our vision was to create a platform that delivers standardized and unified experiences. CSC’s design offers the proper foundation for managing all aspects of the network ecosystem. The introduction of Unified Insights adds a streamlined cross-platform experience for everyone, including CISOs, SOC administrators, security analysts, auditors, compliance managers and more.

Unified Insights is designed as a unified workspace for security teams of all sizes – from the small-medium businesses to enterprises to MSSPs – that delivers actionable insights in a single pane of glass across SonicWall’s Firewall, Endpoint, Wireless and Switch lines of products. In this first version, Unified Insights delivers unified dashboards with data from supported cloud-based platforms – currently, this includes Network Security Manager (SaaS), Capture Client, and Wireless Network Manager.

With Unified Insights, administrators gain a default dashboard configured with recommended charts based on what subscriptions are active in their tenant. Team members can customize their dashboard to a layout of their choice with graphs of their preference based on their tenants’ entitlements. The rich library of charts for each product area will continuously expand as the SonicWall portfolio evolves. Members of the same organization can also view dashboard layouts created by their colleagues to inspire more productive workspaces.

Every graph is clickable and supports drill-down investigations into the individual products that generated the data. For example, if a team member sees something that catches their attention, they can click a graph, icon or list to see the cumulative data they need to make an analysis. In addition, administrators can create a portable snapshot of the dashboard to be sent to business stakeholders or customers as part of a periodic “State of Security” report.

A Free Beta Test for all NSM SaaS Subscribers

CSC Unified Insights is currently in beta and automatically activated at no additional cost for all subscribers of NSM SaaS to manage their firewalls, Capture Client, or Wireless Network Manager to manage their SonicWall access points and switches. So, take it for a spin and participate in our Beta community, where you can ask questions or provide feedback and help drive the future of the product.

We’re at the beginning of this new development for Unified Insights. Our vision is to provide security and management teams with the best single workspace they need for reporting, analytics and incident management. With Unified Insights, we continue to drive the Boundless cybersecurity model for our customers, and we invite you to be a part of that evolution!

For more information, read the datasheet.

Microsoft Security Bulletin Coverage for November 2021

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of November 2021. A list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2021-38666 Remote Desktop Client Remote Code Execution Vulnerability
ASPY 254: Malformed-File exe.MP_220

CVE-2021-42292 Microsoft Excel Security Feature Bypass Vulnerability
ASPY 253: Malformed-File xls.MP_74

CVE-2021-42298 Microsoft Defender Remote Code Execution Vulnerability
ASPY 252: Malformed-File html.MP_111

The following vulnerabilities do not have exploits in the wild:
CVE-2021-26443 Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-26444 Azure RTOS Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-36957 Windows Desktop Bridge Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-3711 OpenSSL: CVE-2021-3711 SM2 Decryption Buffer Overflow
There are no known exploits in the wild.
CVE-2021-38631 Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-38665 Remote Desktop Protocol Client Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-40442 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-41349 Microsoft Exchange Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-41351 Microsoft Edge (Chrome based) Spoofing on IE Mode
There are no known exploits in the wild.
CVE-2021-41356 Windows Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-41366 Credential Security Support Provider Protocol (CredSSP) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-41367 NTFS Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-41368 Microsoft Access Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-41370 NTFS Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-41371 Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-41372 Power BI Report Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-41373 FSLogix Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-41374 Azure Sphere Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-41375 Azure Sphere Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-41376 Azure Sphere Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-41377 Windows Fast FAT File System Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-41378 Windows NTFS Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-41379 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42274 Windows Hyper-V Discrete Device Assignment (DDA) Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-42275 Microsoft COM for Windows Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-42276 Microsoft Windows Media Foundation Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-42277 Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42278 Active Directory Domain Services Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42279 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2021-42280 Windows Feedback Hub Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42282 Active Directory Domain Services Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42283 NTFS Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42284 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-42285 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42286 Windows Core Shell SI Host Extension Framework for Composable Shell Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42287 Active Directory Domain Services Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42288 Windows Hello Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-42291 Active Directory Domain Services Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42296 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-42300 Azure Sphere Tampering Vulnerability
There are no known exploits in the wild.
CVE-2021-42301 Azure RTOS Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-42302 Azure RTOS Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42303 Azure RTOS Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42304 Azure RTOS Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42305 Microsoft Exchange Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-42316 Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-42319 Visual Studio Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42321 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-42322 Visual Studio Code Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42323 Azure RTOS Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-43208 3D Viewer Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-43209 3D Viewer Remote Code Execution Vulnerability
There are no known exploits in the wild.