Cybersecurity News & Trends – 02-25-22

As predicted, cyber-attacks are rising just as the Ukrainian crisis heats up. As a result, news organizations worldwide are quoting the 2022 SonicWall Cyber Threat Report, giving it the best first-day launch in the report’s history. The report found itself in the pages of notable publications like The Seattle Times, The Register, The Telegraph, ZDNet, and The Express. In industry news, turmoil in Ukraine highlights a new round of “wiper” attacks. Ukraine also took the unusual step of asking the hacker underground to help protect its infrastructure. Also, as it turns out, cybersecurity burnout is a real thing now, Iranian hackers are stealing passwords, and a cyber firm in Beijing says a US hacker group is targeting research organizations in India, Russia, and China.


SonicWall News

Ukraine Hit by DDOS Attacks, Russia Deploys Malware

The Register: Bill Conner, CEO of firewall firm SonicWall, told The Register: “Cyberattacks can be leveraged to cause financial loss, create disruption and misdirection, and in extreme cases take down critical infrastructure. Those are key ingredients for causing unrest in any situation, regardless of the parties involved.”

Boris Johnson Announces Extra Defensive Weapons Are Being Sent To Ukraine

The Telegraph (UK): Cyberattacks could be used as a “key ingredient” to prompt unrest amid the current diplomatic crisis around the escalating situation in Ukraine, a former adviser to GCHQ has said. Bill Conner, the SonicWall chief executive and former advisor to GCHQ, said such activity can be leveraged to “cause financial loss, create disruption and misdirection, and in extreme cases take down critical infrastructure.”

SonicWall Cyber Threat Report Highlights That Ransomware Attacks Doubled In 2021

Continuity Central: SonicWall has released its 2022 Cyber Threat Report. This details a sustained surge in ransomware with 623.3 million attacks globally. Additionally, nearly all monitored threats, cyber-attacks and malicious digital assaults rose in 2021, including ransomware, encrypted threats, IoT malware, and cryptojacking.

SonicWall: Ransomware Attacks Increased 105% In 2021

Tech Target: Cybercriminals are becoming bolder and more prolific in developing and deploying ransomware attacks, according to researchers at SonicWall, whose annual threat report says that ransomware attacks over the last year grew by an eye-watering 105%, with 20 attacks attempted every second.

SonicWall Threat Intelligence Confirms 981% Increase of Ransomware Attacks in India

Ele Times (India): SonicWall, the publisher of the world’s most quoted ransomware threat intelligence, today released the 2022 SonicWall Cyber Threat Report. The bi-annual report details a sustained meteoric rise in ransomware with 623.3 million attacks globally. Nearly all monitored threats, cyberattacks and malicious digital assaults rose in 2021, including ransomware, encrypted threats, IoT malware and cryptojacking.

Report: Ransomware, Attacks on Networks Soared In 2021

DC Velocity: Business leaders are worried about the growing volume of malicious attacks on IT networks, and are especially concerned about supply chain vulnerability in 2022, according to a report from cybersecurity firm SonicWall, released this month. The company’s 2022 Cyber Threat Report tracked a 232% increase in ransomware globally since 2019 and a 105% increase from 2020 to 2021. Ransomware is malware that uses encryption to hold a person or organization’s data captive, so they cannot access files, databases, or applications. According to the report, such attacks in the US were up 98% last year and up 227% in the UK.

Security Spend to Reach $1 Billion In Brazil In 2022

ZDNet: With over 33 million intrusion attempts in 2021, Brazil is only behind the US, Germany and the UK in terms of ransomware attacks, according to a cyber threats report released by SonicWall. In 2020, Brazil ranked ninth in the same ranking, with 3.8 million ransomware attacks. According to the SonicWall report, Brazil stands out regarding the number of malware attacks. In this category, attacks in Brazil increased over 61% in 2021, with 210 million attacks in 2021, compared to approximately 130 million seen in the prior year.

Companies Prepare as Threat of Russian Cyberattacks Increases

Seattle Times: According to an annual report from internet security company SonicWall, ransomware volume increased 232% in the last two years. It reported there were more than 623 million ransomware attacks in 2021. SonicWall found that new types of malware detected also increased 65% year over year.

Washington Companies Prepare as Threat of Russian Cyberattacks Increases

The Chronicle: As major American businesses prepare for possible Russian-led cyberattacks, some Northwest information security experts raise the alarm while others argue many companies are already prepared. According to a new report from SonicWall, ransomware volume increased 232% in the last two years. The annual report also reported more than 623 million ransomware attacks in 2021. In addition, new types of malware detected also increased 65% year over year.

Weekly Threat Report 18th February 2022

National Cyber Security Center (UK): Ransomware attacks more than doubled in 2021. According to an analysis by researchers at SonicWall, the volume of ransomware attacks rose by 105% in the last year. A total of 623.3 million attempted incidents were recorded in 2021.

22 Very Bad Stats on The Growth Of Phishing, Ransomware

Venture Beat: The report comes after several major cybersecurity firms had released data on just how bad things got last year when it came to cyberattacks. For instance, SonicWall reported that the total number of ransomware attacks more than doubled in 2021 — jumping 105% during the year compared to 2020. CrowdStrike, meanwhile, disclosed that data leaks related to ransomware surged 82% in 2021, while the average ransom demand grew 36% to $6.1 million.

Britons Hit By Terrifying Crypto Crime Surge – Attacks Up More Than 500 Percent

Daily Express (UK): A new form of cybercrime, which sees hackers hijack online devices to steal and mine crypto, has become increasingly common worldwide. According to SonicWall, global crypto-jacking crimes rose by almost one-fifth to 91.7 million cases. In the UK, attacks have skyrocketed by 564 percent, rising from less than 66,000 in 2020 to over 436,000 in 2021.

Industry News

New Destructive Malware Used in Cyber Attacks on Ukraine

Security Intelligence: IBM’s Security X-Force reported a wiper malware — a destructive family of malware designed to permanently destroy data on the target — executing on systems belonging to Ukrainian organizations. Analysts obtained a sample of the wiper, named HermeticWiper. It uses a benign partition manager driver (a copy of epmntdrv.sys) to perform its wiping, corrupting every available physical drive’s Master Boot Record (MBR), partition table, and file system (FAT or NTFS). This is not the first wiper malware targeting Ukrainian organizations that X-Force has analyzed: in January 2022, X-Force analyzed the WhisperGate malware and did not identify any code overlaps between WhisperGate and HermeticWiper. Several other outlets also reported and expanded on this story, including The Guardian, Help Net Security, BBC, and ZDNet.

Ukraine Asks For S Korea Cybersecurity Aid Amid Russia Invasion

Reuters: A top Ukrainian security official in the Republic of Korea (South Korea) said on Friday that his country is requesting Seoul’s assistance in boosting its cybersecurity capability to defend against Russian attacks. As missiles pounded the Ukrainian capital and Russian forces pressed their advance after launching attacks on Thursday, Kyiv asked for more help from the international community. Dmytro Ponomarenko, Ukraine’s ambassador-designate to South Korea, said the websites of the country’s governmental institutions were suffering from Russian attacks. A global cybersecurity firm has also noted that a newly discovered piece of destructive software circulating in Ukraine has hit hundreds of computers, part of what was deemed an intensifying wave of hacks aimed at the country. Reuters also reports that Ukraine has asked the hacker underground community for help protecting critical infrastructure and conducting cyber spying missions against Russian troops, according to two people involved in the project.

Hacker Collective Anonymous Declares ‘Cyber War’ Against Russia, Disables State News Website

ABC News (Australia): Hacker collective Anonymous has disabled several Russian government websites, including the state-controlled Russia Today news service. The group launched cyber operations that briefly took down Russia Today (RT.com) and the websites of the Kremlin, the Russian government, and the Russian defense ministry. Russia Today confirmed the attack, saying it slowed some websites down while taking others offline for “extended periods of time.” According to the news outlet, Russia Today’s coverage of the situation in Ukraine has been overwhelmingly from a pro-Russian perspective, showing fireworks and cheerful celebrations in the newly occupied territories.

Cybersecurity Burnout Is Real and It’s Going to Be A Problem For All Of Us

ZDNet: Employers are already facing something of a dilemma when it comes to cybersecurity in 2022. Not only is the number of attempted cyberattacks escalating worldwide, but employers face the added pressure of a tightening hiring market and record levels of resignations that are also affecting the tech industry. The talent battle has already hit cybersecurity particularly hard. According to a survey of more than 500 IT decision-makers by threat intelligence company ThreatConnect, 50% of private sector businesses already have gaps in their company’s fundamental, technical IT security skills. What’s more, 32% of IT managers and 25% of IT directors are considering quitting their jobs in the next six months – leaving employers open to a cacophony of issues across hiring, management, and IT security. And as ZDNet observes, cybersecurity is challenging work, so beware of staff burnout.

Cyberattacks Could Soon Strike the West

Fortune Magazine: Russia is home to some of the world’s most infamous criminal hackers, some of them state-sponsored, so are broader and stronger cyberattacks coming? And could they hit the West? “I think the risk right now is high and rising,” said Derek Vadala, chief risk officer at the US cyber risk rating firm BitSight. He warned that Western companies should ensure their systems are patched against known vulnerabilities. The UK’s National Cyber Security Centre, a division of the GCHQ spy agency, advised Tuesday that British organizations should “bolster their online defenses” as “there has been a historical pattern of cyberattacks on Ukraine with international consequences.” This week, the US Department of Homeland Security also launched a “shields up” drive for critical infrastructure against possible Russian actions. They also warned that all US companies are at risk.

Iranian Hackers “Tools” Steal Passwords and Deliver Ransomware

ZDNet: Hackers linked to the Iranian Ministry of Intelligence and Security are exploiting a range of vulnerabilities to conduct cyber espionage and other malicious attacks against organizations worldwide, a joint alert by US and UK authorities has warned. The advisory issued by the FBI, CISA, the US Cyber Command Cyber National Mission Force (CNMF), and the United Kingdom’s National Cyber Security Centre (NCSC) says an Iranian government-sponsored advanced hacking operation known as MuddyWater is going after a wide range of targets.

US Group Hacked Top Research Institutes in India, Russia And China, Says Beijing Cyber Firm

The Hindu (India): A new report from a Beijing-based cybersecurity firm said hackers linked with the US National Security Agency (NSA) were found to have inserted “covert backdoors” that may have given them access to sensitive information in dozens of countries, including India, Russia, China and Japan. Among the reportedly compromised websites listed in the report were those linked to one of India’s top microbial research labs — the Institute of Microbial Technology (IMTech) under the Council of Scientific & Industrial Research — as well as the Indian Academy of Sciences in Bengaluru. In addition, websites linked to the Banaras Hindu University were also hacked into. The Beijing-based cybersecurity firm Pangu Lab released a technical report explaining how it had found the backdoors and linked them to “unique identifiers in the operating manuals of the NSA” that had come to light in the 2013 leak of NSA files by insiders.


In Case You Missed It

H2 Database JDBC URL Arbitrary Code Execution

Overview:

  The H2 console application allows a user to access a SQL database using a browser interface.

  H2 is an open-source Java SQL database that is accessed through JDBC (Java Database Connectivity), a Java API that can access any kind of tabular data, especially data stored in a relational database. JDBC lets you write Java applications that:
    • Connect to a data source, such as a database
    • Send queries and update statements to the database
    • Retrieve and process the results the database returns for your query

  A remote code execution vulnerability has been reported in the H2 Database console. The vulnerability is due to improper input validation when handling a specific JDBC URL. A remote, unauthenticated attacker could exploit it by sending a crafted request to the target server. Successful exploitation could result, in the worst case, in arbitrary code execution.

  H2 Homepage
  JDBC Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-23221.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C).

  Base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.8 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  When accessing a JDBC database, the H2 console asks the user for the location of the database. A user can open an existing database or create a new one if it does not exist and the connection option FORBID_CREATION is not set. The JDBC URL is stored in the variable databaseUrl and passed into the function getConnection(). databaseUrl is trimmed of whitespace and checked to see whether it starts with the string “jdbc:h2:”. If so, the current user key, in the variable userKey, is compared to the default key, in the variable key. userKey is null for new users and key defaults to null for non-privileged connections. Since both keys are equal, the string “;FORBID_CREATION=TRUE” is appended to databaseUrl.

  The resulting URL is passed into the function JdbcUtils.getConnection(), which in turn constructs a ConnectionInfo object. Its constructor checks the settings in the JDBC URL by calling readSettingsFromURL(), which parses the settings embedded in the URL. An exception is thrown if any unknown setting is present and the IGNORE_UNKNOWN_SETTINGS setting is not set. After the URL has been checked, the connection information is eventually passed into the function openSession() through the ConnectionInfo variable ci. ci is then parsed for settings inside the current URL, which are stored in the boolean variables ifExists, forbidCreation, and ignoreUnknownSetting.

  A remote code execution vulnerability exists in H2 Database. A remote, unauthenticated attacker could exploit it by submitting a database name value with the IGNORE_UNKNOWN_SETTINGS setting set and a backslash at the end of the string. The backslash causes the added semicolon delimiter to be escaped and interpreted as part of the appended FORBID_CREATION option, causing the option to be ignored. Without FORBID_CREATION, a new database can be created with full administrator privileges. An SQL TRIGGER statement can then be used to run either JavaScript or Ruby code. Successful exploitation could lead to remote code execution under the security context of the H2 process.
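  To make the delimiter-escaping behaviour concrete, the following is an added Python model of the parsing just described. It is not H2’s own code (which is Java): it reproduces only the behaviour the advisory relies on, namely that a backslash makes the next “;” literal so the appended FORBID_CREATION option is never parsed as a setting, and contrasts it with a defensive pattern that sets the option on the parsed settings instead of on the string. The KNOWN_SETTINGS set and the hardened function are assumptions of this model, not the vendor’s fix.

```python
from typing import Dict, List, Tuple

# Settings this model knows about. H2 has many more; these are the ones the
# advisory text discusses plus a common one, so unknown-setting handling can be shown.
KNOWN_SETTINGS = {"FORBID_CREATION", "IFEXISTS", "IGNORE_UNKNOWN_SETTINGS", "MODE"}

# What the console appended to the user-supplied URL, per the advisory.
FORBID_CREATION_SUFFIX = ";FORBID_CREATION=TRUE"


def split_settings(settings: str) -> List[str]:
    """Split the text after the first ';' on ';' while honouring backslash escapes.

    A backslash makes the following character literal, so '\\;' is a literal ';'
    rather than a setting delimiter. This mirrors the behaviour the advisory describes.
    """
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(settings):
        c = settings[i]
        if c == ";":
            parts.append("".join(buf))
            buf = []
        elif c == "\\" and i < len(settings) - 1:
            i += 1
            buf.append(settings[i])  # escaped character, delimiter included
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf))
    return parts


def parse_jdbc_url(url: str) -> Tuple[str, Dict[str, str]]:
    """Return (base_url, settings) the way readSettingsFromURL() would see them.

    An unknown setting raises unless IGNORE_UNKNOWN_SETTINGS=TRUE was parsed.
    """
    idx = url.find(";")
    if idx < 0:
        return url, {}
    base, rest = url[:idx], url[idx + 1:]
    props: Dict[str, str] = {}
    unknown = None
    for setting in split_settings(rest):
        if not setting:
            continue
        if "=" not in setting:
            raise ValueError("malformed setting: " + setting)
        key, value = setting.split("=", 1)
        key = key.upper()
        if key not in KNOWN_SETTINGS:
            unknown = key  # remembered; decided after the loop
            continue
        props[key] = value
    if unknown is not None and props.get("IGNORE_UNKNOWN_SETTINGS", "").upper() != "TRUE":
        raise ValueError("unsupported setting: " + unknown)
    return base, props


def vulnerable_console_url(user_url: str) -> str:
    """Pre-fix pattern: enforce a security option by string concatenation."""
    return user_url.strip() + FORBID_CREATION_SUFFIX


def creation_forbidden(url: str) -> bool:
    """Does the parsed URL actually carry FORBID_CREATION=TRUE?"""
    _, props = parse_jdbc_url(url)
    return props.get("FORBID_CREATION", "").upper() == "TRUE"


def hardened_connection_settings(user_url: str) -> Tuple[str, Dict[str, str]]:
    """Defensive pattern (an illustration, not the vendor's fix): parse the
    user-supplied URL first, then set the option on the parsed settings.
    Nothing is re-serialised, so there is no delimiter left to escape."""
    base, props = parse_jdbc_url(user_url.strip())
    props["FORBID_CREATION"] = "TRUE"
    return base, props


if __name__ == "__main__":
    benign = "jdbc:h2:mem:test"
    # Constructed input in the shape the advisory describes: the
    # IGNORE_UNKNOWN_SETTINGS option followed by a trailing backslash.
    trailing_backslash = "jdbc:h2:mem:test;IGNORE_UNKNOWN_SETTINGS=TRUE\\"
    for name, u in (("benign", benign), ("trailing backslash", trailing_backslash)):
        url = vulnerable_console_url(u)
        print(f"{name:18s} -> {url!r}")
        print(f"{'':18s}    FORBID_CREATION honoured: {creation_forbidden(url)}")
    _, props = hardened_connection_settings(trailing_backslash)
    print("hardened settings:", props)
```

  Running it shows the concatenated URL for the benign input parsing to FORBID_CREATION=TRUE, while the trailing-backslash input swallows the appended option into the previous value, which is exactly the check a console should make before trusting the string.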

Triggering the Problem:

  • The target must be running a vulnerable version of the software.
  • The attacker must have network connectivity to the vulnerable server.
  • The target must have network connectivity to the attacker controlled server.

Triggering Conditions:

  The attacker sends three maliciously crafted requests to the target server. The vulnerability is triggered after the target server receives a malicious .sql file and executes the file’s code.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 2496 H2 Database JDBC URL RCE

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Applying the vendor-supplied patch to eliminate this vulnerability.
    • Filtering traffic based on the signature above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

Shields Up: Preparing for Cyberattacks During Ukraine Crisis

SonicWall provides real-time protection against HermeticWiper malware and Conti ransomware expected during escalating conflict in Ukraine.

With the recent escalation of events in Ukraine and the resulting sanctions imposed by various Western administrations, there is a dramatically heightened risk of cyberattacks on organizations in the United States, Europe and elsewhere.

State-sponsored threat actors and other cybercriminals will be actively targeting the U.S. and other businesses in an attempt to interfere with their operations, steal or destroy data, and damage infrastructure.

Your organization needs to have a heightened sense of awareness and security during this crisis.

In January 2022, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Alert (AA22-011A): Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure. CISA also began urging U.S. organizations to prepare for data-wiping malware attacks (more below).

At that time, the “Ukraine Cyber Police say they are investigating the use of Log4j vulnerabilities and stolen credentials as another means of access to the networks and servers,” according to Bleeping Computer.

On Feb. 18, CISA shared that the New Zealand National Cyber Security Centre (NCSC-NZ) released a General Security Advisory (GSA) on preparing for cyber threats relating to tensions between Russia and Ukraine.

CISA: Time to ‘Shield Up’

It is critical that you take preemptive measures in anticipation of a surge in cyberattacks targeting your business or organization. CISA has published “Shields Up,” helpful guidance for organizations of all sizes and their leaders. Some of the steps detailed by CISA include:

  • Reduce the likelihood of a damaging cyber intrusion.
  • Take steps to detect a potential intrusion quickly.
  • Ensure your organization is prepared to respond if an intrusion occurs.
  • Maximize your organization’s resilience to a destructive cyber incident.

Other important steps can make a big difference in deterring and/or detecting attacks, such as setting robust inbound policies on your network perimeter (e.g., preemptively blocking connections or sign-ins originating from Russia or other risky nations) and otherwise taking a highly cautious approach to all inbound traffic, even if it means trading off some performance for security.

SonicWall strongly urges that your organization be in touch with your internal and external cybersecurity professionals and resources to ensure that you are as prepared as you can be for the inevitable increase in cyberattacks.

SonicWall also stresses the importance of layered defenses, like IPS, email security, two-factor authentication and real-time sandboxing, such as Capture ATP with RTDMI. With a defense-in-depth strategy in place, your organization will be better prepared to detect the impact of a zero-day attack or other targeted threats.

SonicWall Protections Against Notable Cyberattacks

Zero-day attacks are becoming a common threat. While they may exploit previously unknown weaknesses, defenders have the advantage of being able to detect anomalous activity in real time, and to contain and recover before destructive zero-days disrupt your business or organization.

SonicWall actively protects organizations from cyberattack types known or feared to be used during the Ukraine-Russia conflict.

HermeticWiper Malware

SonicWall helps organizations proactively defend against emerging threats like HermeticWiper. For instance, SonicWall Capture ATP, with RTDMI, detected HermeticWiper as documented in our SonicAlert, “HermeticWiper Data-Wiping Malware Targeting Ukrainian Organizations.”

HermeticWiper Malware Signature Protection

  • GAV: HermeticWiper.A (Trojan)
  • GAV: HermeticWiper.A_1 (Trojan)

Conti Ransomware

The Conti ransomware gang publicly announced that it would attack any organization that launched a cyberattack against Russian infrastructure. As such, it’s important that organizations have protection against Conti ransomware. Both SonicWall Capture ATP with RTDMI and active SonicWall firewalls with current signatures protect against Conti ransomware.

Conti Ransomware Signature Protection

  • GAV: Conti.RSM (Trojan)
  • GAV: Conti.RSM_2 (Trojan)
  • GAV: Conti.RSM_3 (Trojan)
  • GAV: Conti.RSM_4 (Trojan)
  • GAV: Conti.RSM_5 (Trojan)
  • GAV: Conti.RSM_6 (Trojan)

PartyTicket Ransomware

SonicWall Capture Labs analyzed the PartyTicket ransomware, believed to be deployed in conjunction with the HermeticWiper data-wiping malware described above, in the SonicAlert “A Look at PartyTicket Ransomware Targeting Ukrainian Systems.” The ransomware arrives as a Windows executable but overall appears to be unsophisticated ransomware created quickly to take advantage of the current climate.

SonicWall customers are protected from the PartyTicket ransomware variant via the below signature, as well as by real-time Capture ATP with RTDMI and Capture Client endpoint protection.

PartyTicket Ransomware Signature Protection

  • GAV: PartyTicket.RSM (Trojan)

For additional information, please visit sonicwall.com/support or the SonicWall Capture Labs Portal. You may also join discussions on the SonicWall Community.

BitPyLock ransomware leaves decryption key visible in decompiled code

The SonicWall threat research team has recently observed a new variant of BitPyLock ransomware. This family of ransomware surfaced in early 2020. It encrypts files and also threatens extortion by claiming to have sent files to the attacker’s server. This claim, however, is not true. In addition, the decryption key can be easily obtained through basic reverse engineering.

Infection Cycle:

Upon infection, files on the system are encrypted. Unlike most ransomware, the filenames remain unchanged.

The following message is displayed on the desktop:

The note claims that files have been transferred to the attacker’s server. However, this is not the case: no network traffic was observed during the infection cycle.

The following keys are added to the registry:

  • HKEY_CURRENT_USER\Software\Rnz  ID  “1”
  • HKEY_USERS\S-1-5-21-4236731928-1562650142-1211730654-1001\Software\Rnz  ID  “1”

The following file is added to the filesystem:

  • %APPDATA%\Roaming\rnz.bin

rnz.bin contains the following data (list of encrypted files):

Each encrypted file has the string “root” prepended to its contents:

The malware is written in C# and is trivial to decompile. The encryption and decryption functions can be easily seen in the code:

A registry key is added to mark infection:

The decryption key and file type targets can be clearly seen in the code:

The following file types are targeted for encryption:

"1ng", "1scp", "1v1", "31k", "3dm", "3ds", "3fr", "3g2", "3gp", "3pr", "72e", "7s", "7sp", "7tt", "7z", "ARC", "PAQ", "ab4", "accdb", "accde", "accdr", "accdt", "ach", "acr", "act", "adb", "ads", "aes", "agdl", "ai", "aimi", "ait", "al", "alf", "apj", "apk", "ari", "arw", "asc", "asf", "asm", "asmx", "asp", "aspx", "asset", "asx", "avi", "awg", "back", "backup", "backupdb", "bak", "bank", "bas", "bat", "bay", "bdb", "bgt", "big", "bik", "bikey", "bin", "bkf", "bkp", "blend", "bmp", "bpw", "brd", "bsa", "bz2", "c", "cab", "cad", "capx", "cd", "cdf", "cdr", "cdr3", "cdr4", "cdr5", "cdr6", "cdrw", "cdx", "ce1", "ce2", "cer", "cfm", "cfp", "cgi", "cgm", "cib", "class", "cls", "cmd", "cmt", "cfg", "conf", "config", "cos", "cpi", "cpp", "cr2", "craw", "crt", "crw", "cs", "csh", "csl", "csproj", "csr", "csv", "cxi", "dac", "dat", "db", "db3", "dbf", "dbx", "dc2", "dch", "dcr", "dcs", "ddd", "ddoc", "ddrw", "dds", "ddv", "deb", "der", "des", "design", "dgc", "dif", "difz", "dip", "djvu", "dng", "doc", "docb", "docm", "docx", "dot", "dotm", "dots", "dotx", "drf", "drw", "dtd", "dwg", "dxb", "dxf", "dxg", "edb", "eip", "eml", "epk", "eps", "erbsql", "erf", "exf", "fdb", "ff", "ffd", "fff", "fh", "fhd", "fla", "flac", "flv", "fmb", "forge", "fpx", "frm", "fxg", "g8z", "gblorb", "gif", "go", "gpg", "gpx", "gray", "grey", "gry", "gz", "h", "hbk", "hpp", "htm", "html", "hwp", "ibank", "ibd", "ibz", "idx", "iif", "iiq", "img", "incpas", "indd", "iso", "j6i", "jar", "java", "jpe", "jpeg", "jpg", "js", "json", "jsp", "k25", "kbx", "kc2", "kdbx", "kdc", "key", "kml", "kmz", "kpdx", "lay", "lay6", "lbf", "ldf", "litemod", "log", "ltd", "ltx", "lua", "m", "m2ts", "m3u", "m4a", "m4u", "m4v", "max", "md", "mdb", "mdc", "mdf", "mdl", "mef", "mfw", "mid", "mkv", "mlv", "mml", "mmw", "moneywell", "mos", "mov", "mp3", "mp4", "mpeg", "mpeg4", "mpg", "mpk", "mpq", "mrw", "msg", "myd", "myi", "nd", "ndd", "nef", "nk2", "nop", "nrg", "nrw", "ns2", "ns3", "ns4", "nsd", "nsf", "nsg", "nsh", 
"nwb", "nx2", "nxl", "nyf", "oab", "obj", "odb", "odc", "odf", "odg", "odm", "odp", "ods", "odt", "ogg", "oil", "old", "onetoc2", "orf", "ost", "otg", "oth", "otp", "ots", "ott", "p12", "p7b", "p7c", "pab", "pages", "pak", "papa", "pas", "pat", "patch", "pbl", "pcd", "pck", "pct", "pdb", "pdd", "pdf", "pef", "pem", "pfx", "php", "php5", "phtml", "pkg", "pl", "plc", "png", "pot", "potm", "pots", "potx", "ppam", "pps", "ppsm", "ppsx", "ppt", "pptm", "pptx", "prf", "ps", "ps1", "psafe3", "psark", "psd", "pspimage", "pst", "psw", "pta", "ptx", "py", "pyc", "qba", "qbb", "qbm", "qbr", "qbw", "qbx", "qby", "qst", "r33", "r3d", "raf", "rar", "rat", "raw", "rb", "rdb", "rem", "rgss3a", "rm", "rofl", "rtf", "rw2", "rwl", "rwz", "rx3", "s3db", "sas7bdat", "sav", "say", "sch", "sd0", "sda", "sdc", "sdd", "sdf", "sdp", "sdw", "sgl", "sh", "sldm", "sldx", "slk", "sln", "snt", "spx1", "sql", "sqlite", "sqlite3", "sqlitedb", "sr2", "srf", "srt", "srw", "st4", "st5", "st6", "st7", "st8", "stc", "std", "sti", "stw", "stx", "suo", "sv2i", "svg", "swf", "swift", "sxc", "sxd", "sxg", "sxi", "sxm", "sxw", "t3", "tar", "targz", "tbk", "tc", "tex", "tga", "tgz", "thm", "tib", "tif", "tiff", "tiger", "tlg", "ttarch", "txt", "uasset", "uax", "unicy3d", "uof", "uop", "uot", "upk", "vb", "vbproj", "vbs", "vcd", "vcf", "vdi", "vef", "vib", "vmdk", "vmx", "vob", "vor", "vsd", "vsdx", "wallet", "war", "wav", "wb2", "wk1", "wkl", "wks", "wma", "wmf", "wmv", "wpd", "wpl", "wps", "wsf", "wtf", "x11", "x3f", "xex", "xhtml", "xis", "xla", "xlam", "xlc", "xlk", "xlm", "xlr", "xls", "xlsb", "xlsm", "xlsx", "xlt", "xltm", "xltx", "xlw", "xml", "xtbl", "ycbcra", "ydk", "yrp", "yuv", "ze4", "zip"
Upon entering the decryption key “Gt4vJ04kZ9bAe36A” into the ransomware interface, all files are decrypted back to their original form:

We reached out to ranzon@protonmail.com but did not receive a reply.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: BitPyLock.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

HermeticWiper data wiping malware targeting Ukrainian organizations

The SonicWall Capture Labs Threat Research team has analyzed a sample which is widely believed to be targeting Ukrainian organizations.

The malware sample is digitally signed with a certificate issued under the company name ‘Hermetica Digital Ltd’. It is possible that the attacker used a shell company to obtain this digital certificate.

At the start of execution, and again as it runs, the malware requests the following privileges:

  • SeShutdownPrivilege
  • SeBackupPrivilege
  • SeLoadDriverPrivilege

The malware sample then identifies the operating system architecture and depending upon that loads the relevant driver.

If the malware is running on a 64-bit system, it uses the Wow64DisableWow64FsRedirection Windows API to disable file system redirection so that the sample can copy the driver file into the %system32%\Drivers folder.

This malware’s resource section contains EaseUS Partition Manager drivers. These are legitimate drivers belonging to the EaseUS Partition Master application, a free partitioning tool. The driver files are compressed with the Lempel-Ziv algorithm.

The malware accesses the registry key SYSTEM\CurrentControlSet\Control\CrashControl and sets the value of CrashDumpEnabled from 2 (the default) to 0 so that Windows does not record any information in a memory dump file.

The malware drops the driver file in the %System%\Drivers folder and using SeLoadDriverPrivilege loads the driver.

It then uses CreateServiceW and StartServiceW to load the driver as a service.

The malware connects to the service control manager using the OpenSCManager API and, using OpenServiceW and ChangeServiceConfigW, disables the VSS service (Volume Shadow Copy Service), which is used to back up application data.

The malware enumerates physical drives numbered 0 through 100 and, for each physical drive, opens the \\.\EPMNTDRV\ device with that device number.

The EaseUS partition manager driver epmntdrv.sys is then used to access physical drives directly as well as getting partition information through specific IOCTLs.

The malware corrupts the first 512 bytes, the Master Boot Record (MBR), of every physical drive. It then waits for all sleeping threads to complete before initiating a reboot. Once the system is rebooted, a missing operating system prompt is displayed, leaving the system unusable.
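As an added host-check example (not SonicWall’s code), the following Python script looks for the artifacts described above: CrashDumpEnabled forced to 0, the VSS service disabled (Start=4 in its Services key), epmntdrv.sys present in %System%\Drivers, and a service whose ImagePath references it. Collection uses winreg and therefore runs only on Windows; evaluation is a pure function, demonstrated here on a constructed snapshot. The service name “epmntdrv” in the constructed data is an assumption, and epmntdrv.sys alone is not proof of compromise because EaseUS Partition Master installs it legitimately.

```python
import os
from typing import Dict, List

# Registry locations the analysis above describes the wiper tampering with.
CRASHCONTROL_KEY = r"SYSTEM\CurrentControlSet\Control\CrashControl"
VSS_SERVICE_KEY = r"SYSTEM\CurrentControlSet\Services\VSS"
SERVICES_KEY = r"SYSTEM\CurrentControlSet\Services"
DEFAULT_CRASH_DUMP_ENABLED = 2  # default per the analysis; 0 means no dump is written
SERVICE_DISABLED = 4            # 'Start' REG_DWORD value meaning SERVICE_DISABLED
DRIVER_NAME = "epmntdrv.sys"    # EaseUS partition driver the wiper drops and loads


def collect_snapshot() -> Dict[str, object]:
    """Windows only: gather the artifacts that evaluate() inspects."""
    import winreg  # imported here so evaluate() stays importable on any platform

    def read_value(subkey: str, name: str):
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            return winreg.QueryValueEx(key, name)[0]

    snap: Dict[str, object] = {
        "crash_dump_enabled": read_value(CRASHCONTROL_KEY, "CrashDumpEnabled"),
        "vss_start": read_value(VSS_SERVICE_KEY, "Start"),
    }
    drivers_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32", "Drivers")
    snap["driver_files"] = [f.lower() for f in os.listdir(drivers_dir)]
    image_paths: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SERVICES_KEY) as services:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(services, index)
            except OSError:
                break  # no more service subkeys
            index += 1
            try:
                image_paths[name] = str(read_value(SERVICES_KEY + "\\" + name, "ImagePath"))
            except OSError:
                continue  # service without an ImagePath value
    snap["service_image_paths"] = image_paths
    return snap


def evaluate(snap: Dict[str, object]) -> List[str]:
    """Pure function: turn a snapshot into a list of findings (empty means clean)."""
    findings: List[str] = []
    if snap.get("crash_dump_enabled") == 0:
        findings.append("CrashDumpEnabled is 0 (default %d); crash dumps suppressed"
                        % DEFAULT_CRASH_DUMP_ENABLED)
    if snap.get("vss_start") == SERVICE_DISABLED:
        findings.append("VSS service Start=4 (SERVICE_DISABLED); shadow copies unavailable")
    if DRIVER_NAME in snap.get("driver_files", []):
        # Legitimate when EaseUS Partition Master is installed; weigh with the other findings.
        findings.append(f"{DRIVER_NAME} present in System32\\Drivers")
    for name, path in snap.get("service_image_paths", {}).items():
        if "epmntdrv" in path.lower():
            findings.append(f"service '{name}' loads {path}")
    return findings


# Constructed snapshot mirroring the post-infection state described above
# (service name 'epmntdrv' is assumed, not taken from the sample).
CONSTRUCTED_INFECTED = {
    "crash_dump_enabled": 0,
    "vss_start": SERVICE_DISABLED,
    "driver_files": ["acpi.sys", "epmntdrv.sys", "ntfs.sys"],
    "service_image_paths": {
        "VSS": r"%systemroot%\system32\vssvc.exe",
        "epmntdrv": r"\SystemRoot\System32\Drivers\epmntdrv.sys",
    },
}

# Constructed snapshot of an untouched host: default dump setting, VSS on manual start.
CONSTRUCTED_CLEAN = {
    "crash_dump_enabled": DEFAULT_CRASH_DUMP_ENABLED,
    "vss_start": 3,  # SERVICE_DEMAND_START, the normal setting for VSS
    "driver_files": ["acpi.sys", "ntfs.sys"],
    "service_image_paths": {"VSS": r"%systemroot%\system32\vssvc.exe"},
}

if __name__ == "__main__":
    snap = collect_snapshot() if os.name == "nt" else CONSTRUCTED_INFECTED
    for finding in evaluate(snap) or ["no HermeticWiper-style artifacts found"]:
        print("-", finding)
```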

SonicWall RTDMI engine – part of Capture ATP – provides proactive zero-day protection against this malware.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: HermeticWiper.A (Trojan)
  • GAV: HermeticWiper.A_1 (Trojan)

Capture Client 3.7: Rapid Threat Hunting with Deep Visibility and Storylines

As a threat hunter, your main mission is to understand the behavior of your endpoints and to catch abnormal behavior with rapid mitigation actions. You need to be able to search your fleet, with a single click, for indicators such as those mapped to the MITRE ATT&CK framework. You also need to be able to automate threat hunts for known attacks according to your own criteria.

With SonicWall Capture Client’s new Storylines capability, you can do all this and more, faster than ever before. Let’s take a look.

What is a Storyline?

Capture Client’s Deep Visibility offers rapid threat hunting capabilities thanks to SentinelOne’s patented Storylines technology. Each autonomous agent builds a model of its endpoint infrastructure and real-time running behavior.

The Storyline ID is an ID given to a group of related events in this model. When you find an abnormal event that seems relevant, use the Storyline ID to quickly find all related processes, files, threads, events and other data with a single query.

With Storylines, Deep Visibility returns full, contextualized data — including context, relationships and activities — allowing you to swiftly understand the root cause behind a threat with one search.

Image describing a query

The Storylines are continuously updated in real time as new telemetry data is ingested, providing a full picture of activity on an endpoint over time. This allows greater visibility, enables easy threat hunting and saves time.

Deep Visibility Comes with Ease of Use

Threat hunting in the Management console’s graphical user interface is powerful and intuitive. The Deep Visibility query language is based on a user-friendly SQL subset common to many other tools.

The interface assists in building the correct syntax by providing completion suggestions and a one-click command palette. This saves time and spares threat hunters — even those unfamiliar with the syntax — the pain of remembering how to construct queries.

A visual indicator shows whether the syntax is valid or not, eliminating time spent waiting for a bad query to return an error.

For example, users can search for a common “Living off the Land” technique by running a query across a 12-month period that returns every process that added an account with the net user command:

Image describing common technique

(We also provide a great cheatsheet to rapidly power up your team’s threat hunting capabilities here.)

Use Case: Responding to Incidents

Suppose you’ve seen a report of a new Indicator of Compromise (IOC) in your threat intel feeds. Has your organization been exposed to it? With Storylines, you can quickly find out with a simple query across your environment. Here’s how:

In the Console’s Forensics view, copy the hash of the detection. In the Visibility view, begin typing in the query search field and select the appropriate hash algorithm from the command palette. Select or type =, then paste the hash to complete the query.

Image describing visibility view

The results show every endpoint on which that file has ever been seen. Constructing powerful threat hunting queries is that simple, even for members of your team with little or no experience with SQL-style syntax.
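
The hash lookup described above starts with two checks that are easy to get wrong under pressure: that the string from the intel feed really is a hex digest, and that the query names the field for the right algorithm. The following added example (not code from the original article, SonicWall or SentinelOne) validates IOC hashes, picks the algorithm from the digest length, builds the query string, and runs the same match offline over constructed file contents. The field names Md5, Sha1 and Sha256 are assumptions; take the real ones from the console’s command palette.

```python
"""Validate IOC hashes, build a hash query, and sweep files offline (added example)."""
import hashlib
import re
from typing import Dict, Iterable, List, Tuple

HEX_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}
# Assumed Deep Visibility field names; confirm them in the command palette.
ALGO_TO_FIELD = {"md5": "Md5", "sha1": "Sha1", "sha256": "Sha256"}


def hash_algorithm(ioc: str) -> str:
    """Return md5/sha1/sha256 from the digest length, or raise for anything else."""
    digest = ioc.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", digest) or len(digest) not in HEX_LEN_TO_ALGO:
        raise ValueError(f"not an MD5/SHA-1/SHA-256 hex digest: {ioc!r}")
    return HEX_LEN_TO_ALGO[len(digest)]


def build_query(ioc: str) -> str:
    """One fleet-wide query per IOC, e.g. Sha256 = "<digest>" (field name assumed)."""
    digest = ioc.strip().lower()
    return f'{ALGO_TO_FIELD[hash_algorithm(ioc)]} = "{digest}"'


def sweep(files: Dict[str, bytes], iocs: Iterable[str]) -> List[Tuple[str, str]]:
    """Offline equivalent of the console query: (path, ioc) for every file whose digest matches."""
    wanted = {i.strip().lower(): hash_algorithm(i) for i in iocs}
    algos = set(wanted.values())
    hits = []
    for path, data in files.items():
        digests = {a: hashlib.new(a, data).hexdigest() for a in algos}
        for ioc, algo in wanted.items():
            if digests[algo] == ioc:
                hits.append((path, ioc))
    return hits


# Constructed sample input: two file contents and a feed IOC derived from one of them.
SAMPLE_FILES = {
    r"C:\Users\alice\Downloads\invoice.exe": b"constructed sample: dropper",
    r"C:\Program Files\Vendor\tool.exe": b"constructed sample: benign tool",
}
SAMPLE_IOC = hashlib.sha256(SAMPLE_FILES[r"C:\Users\alice\Downloads\invoice.exe"]).hexdigest()

if __name__ == "__main__":
    print(build_query(SAMPLE_IOC))
    print(sweep(SAMPLE_FILES, [SAMPLE_IOC]))
```

Digests are normalized to lowercase before comparison because feeds mix cases, and the whole feed is hashed in one pass per file rather than once per IOC.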

Deep Visibility = Fast Results

Forget about using query time to grab a cup of coffee: Deep Visibility returns results lightning fast. And thanks to its Streaming mode, you can preview the results of subqueries before the complete query is done.

Deep Visibility query results show detailed information from all your endpoints, displaying attributes like path, Process ID, True Context ID and much more.

With Deep Visibility, you can consume the data earlier, filter the data more easily, pivot for new drill-down queries, and understand the overall story much more quickly than with other EDR products.

Quicker Query of MITRE Behavioral Indicators

Deep Visibility makes hunting for MITRE ATT&CK TTPs fast and painless. It’s as easy as entering the MITRE ID.

For example, you could search your entire fleet for any process or event with behavioral characteristics of process injection with one simple query:

IndicatorDescription Contains “T1055”

There’s no need to form separate queries for different platforms. With Deep Visibility, a single query will return results from all your endpoints regardless of whether they are running Windows, Linux or macOS.

Image describing all results

Stay Ahead with Automated Hunts

Deep Visibility is designed to lighten the load on your team in every way, including giving you tools such as Watchlist, which allows you to set up and run custom threat hunting searches on your own schedule.

Creating a Watchlist is simplicity itself. In the Visibility view of the Management console, run your query. Then, click “Save new set,” choose a name for the Watchlist, and choose who should be notified. That’s it. The threat hunt will run across your environment at the specified timing interval and the recipients will receive alerts of all results.

With Storyline Automated Response (STAR) Custom Rules, you can save Deep Visibility queries or define new ones, let the queries run periodically and get notifications when a query returns results. This helps ensure your organization is secure regardless of whether you or your team are on duty.

Deep Insight at Every Level

Deep Visibility is built for granularity, allowing you to drill down on any piece of information from a query result.

Each column shows an alphabetical, filterable list of the matching items. Expanding the cell displays details; for most of these details, you can open a submenu and drill down even further. Or just use the selected details to run a new query.

Conclusion

As detailed in the 2022 SonicWall Cyber Threat Report, attacks of all types are on the rise. So it’s never been more important to proactively hunt for threats and find suspicious behaviors in their early stages, or to ensure your SOC has the tools to be as agile and efficient as possible.

SentinelOne’s Deep Visibility capabilities are available with Capture Client Premier. Click here for a free trial of Capture Client to see how Deep Visibility’s ease of use, speed and context can greatly improve your mean-time-to-detection and free up your analysts’ time.

Cybersecurity News & Trends – 02-18-22

Lots of big news today. SonicWall’s upcoming Boundless 2022 global virtual event continues to rack up record registrations. See the video here and visit this page to register. Then there’s the release of the 2022 SonicWall Cyber Threat Report, which had the best first-day launch in its history. Attention garnered by the annual report topped all previous company records. In industry news, turmoil in Ukraine ratchets up cyber threat fears, Iranians are targeting VMware, hackers are targeting US defense contractors and breaking into Microsoft Teams, and much more.


SonicWall News

There’s A Huge Surge In Hackers Holding Data For Ransom

Fortune Magazine: Governments worldwide saw a 1,885% increase in ransomware attacks, and the health care industry faced a 755% increase in those attacks in 2021, according to the 2022 Cyber Threat Report released Thursday by SonicWall, an internet cybersecurity company. According to the report, ransomware also rose 104% in North America, just under the 105% average increase worldwide.

Britain Should Never Seek A ‘Special Relationship’ With The EU, Says Lord Frost

The Telegraph (UK): UK ransomware climbed by 227 percent last year, the just-published SonicWall Threat Report also shows, while attempted cyberattacks also reached a record high.

SonicWall CEO On Ransomware: Every Good Vendor Was Hit In Past 2 Years

The Register: Public and private sectors are under attack as malware evolution accelerates. SonicWall’s annual cyber-threat report shows ransomware-spreading miscreants are making hay and getting quicker at doing so.

Why The Cloud Is A No-Brainer For Startups

Maddyness (UK): The global spike in ransomware due to the pandemic is alarming; according to the SonicWall Cyber Threat Report, there has been a 62% increase in ransomware globally.

Report Finds IoT Malware Attacks Targeting Routers On The Rise

CEPro: Research by SonicWall finds that ransomware attacks more than doubled last year, but IoT malware threats and cybersecurity attacks also continued to climb, hitting 60.1 million such attacks in 2021, the highest number ever recorded by the company in a single year.

Ransomware Attacks Surged 2X In 2021, SonicWall Reports

Venture Beat: new data released today by cybersecurity vendor SonicWall reveals that the total number of ransomware attacks more than doubled in 2021 — jumping 105% during the year compared to 2020.

SonicWall: Ransomware Attacks Increased 105% In 2021

TechTarget: Researchers at SonicWall said in the company’s annual threat report that ransomware attacks have grown by an eye-watering 105% over the last year, with 20 attacks being attempted every second.

Cybercriminals Target Retail With 264% Surge in Attacks

Charged Retail Tech News (UK): Cybercriminals have targeted the retail sector over the past 12 months, with a 264% surge in ransomware attacks on eCommerce and online retail businesses.

Over 620 million Ransomware Attacks Detected in 2021

InfoSecurity: According to SonicWall, corporate IT teams were faced with a triple-digit (105%) growth in ransomware attacks last year to over 623 million.

Threat Actor Adds New Marlin Backdoor to Its Arsenal

InfoRisk (UK): The massive amount of malware strains that cybercriminals can leverage today enables them to “concoct new cocktails capable of thwarting both past and present security systems,” Bill Conner, CEO and president of cybersecurity firm SonicWall, says.

Crypto Crime: UK ‘Crypto Jacking’ Attacks Jump 564 Percent in One Year

City AM (UK): Global ransomware attacks doubled to 623m incidents in 2021, with some 91.7m crypto-jacking incidents taking place, up by almost a fifth compared to the previous year, according to a new report from cyber security company SonicWall.

Ransomware Attacks More Than Doubled Last Year

ZDNet: According to an analysis by cybersecurity researchers at SonicWall, the volume of attempted ransomware attacks targeting their customers rose by 105% in 2021 to a total of 623.3 million attempted incidents throughout the year.

Ransomware Data Leaks Saw Major Surge In 2021

ITProPortal: A separate report from SonicWall said that, for the first three quarters of 2021, attempted ransomware attacks grew 148 percent, year-on-year. At the same time, the average ransom demand rose 36 percent to $6.1 million.

Report: Pretty Much Every Type Of Cyberattack Increased In 2021

Planet Storyline: SonicWall’s 2022 Cyber Threat Report has come to some alarming, but likely unsurprising, conclusions: Pretty much every category of cyberattack increased in volume throughout 2021.

Ransomware Attacks Surged 2X In 2021, SonicWall Reports

TECHIO: In the latest indicator of just how severe the ransomware problem became last year, new data released today by cybersecurity vendor SonicWall reveals that the total number of ransomware attacks more than doubled in 2021 – jumping 105% during the year compared to 2020.

Cyberattacks Increased In 2021

TechRepublic: The only category to decrease was malware attacks, but SonicWall said in its report that even that number was deceptive.

Ransomware Attacks Increase 105% In 2021, SonicWall Report Finds

TechDecisions: SonicWall’s Cyber Threat Report reveals that ransomware volume has exploded over the last two years, rising 232% since 2019.

Breaking Comments On Red Cross Cyber Attack

Information Security Buzz: It’s been confirmed the Red Cross cyber attack was the work of nation-state actors. SonicWall’s latest report, released today, confirms this is not a standalone development, revealing a +1885% and +755% of ransomware attacks on the global government and healthcare sectors, respectively.

Ransomware Attacks Are Rising at An Unprecedented Rate

HotHardware: The ransomware threat is rising at an alarming rate, and a new report by SonicWall fleshes out the picture. 2020 alone saw 304 million ransomware attacks. As if that wasn’t enough, the doubling of ransomware attacks in 2021 over 2020 amounts to a total of 623 million ransomware attacks globally in 2021. Together, these two years represent a 232% rise in the volume of ransomware attacks since 2019.

SonicWall Research: Hackers Attempted 623M Ransomware Attacks in 2021

MSSP Alert: Nearly all monitored threats, cyberattacks and malicious digital assaults increased in 2021, according to the 2022 SonicWall Cyber Threat Report.

Healthcare Sector Saw The Largest Increase In IoT Malware Attacks In 2021

SCMagazine: The healthcare sector saw the largest increase in target IoT malware attacks in 2021, according to the latest annual SonicWall Cyber Threat Report. Compiled from data collected from 1.1 million global sources, researchers saw a 71% increase in IoT malware against healthcare clients.

105% Increase Seen in Global Ransomware Attacks, Reports SonicWall

ReadITQuik: The 2022 SonicWall Cyber Threat Report is now out, announced SonicWall. The report identified a 167% year-over-year increase in encrypted threats, a 6% volume rise in IoT malware, totaling 60.1 million hits by year’s end, as well as a ransomware volume rise of 232% since 2019.

SonicWall Releases New Cyber Threat Report 2022

Infopoint Security (De): SonicWall today released their annual Cyber ​​Threat Report for 2022. As the bi-annual report shows, ransomware attacks have increased significantly, with 623.3 million attacks worldwide.

Alarming Rise in Ransomware And Malicious Cyberattacks, With Threats Doubling In 2021

AAS (De): Over 623 million ransomware attacks worldwide – a whopping 105% increase + ransomware attacks up 232% since 2019 + ransomware up a whopping 98% in US and UK respectively.

Industry News

US Companies Warned to Prepare for Russian Cyber Attacks

Defense One: US companies, particularly in the defense industry, should be prepared for an increase in cyberattacks aimed at stealing data or disrupting operations due to new aggressive Russian activity aimed at Ukraine, a top Department of Justice official said on Thursday. The remarks come one day after a recent alert from the FBI, National Security Agency, and the Cybersecurity and Infrastructure Security Agency, or CISA, warning that Russian hackers had hit defense contractors and were likely to continue their attempts.

Ukraine Cyberattack Is Largest of Its Kind In Country’s History, Says Official

CNN: A high-volume cyberattack that temporarily blocked access to the websites of Ukrainian defense agencies and banks on Tuesday was “the largest [such attack] in the history of Ukraine,” according to a government minister. Speaking at a press conference Wednesday, Ukrainian Minister of Digital Transformation of Ukraine Mykhailo Fedorov added that it is too early to tell who was responsible for the attack. However, officials said the distributed denial of service (DDoS) attack — which bombarded Ukrainian websites with phony traffic — was coordinated and well planned.

Iranian Hackers Targeting VMware Horizon Log4j Flaws to Deploy Ransomware

The Hacker News: A “potentially destructive actor” aligned with the government of Iran is actively exploiting the well-known Log4j vulnerability to infect unpatched VMware Horizon servers with ransomware. Cybersecurity firm SentinelOne dubbed the group “TunnelVision” owing to their heavy reliance on tunneling tools, with overlaps in tactics observed to that of a broader group tracked under the moniker Phosphorus as well as Charming Kitten and Nemesis Kitten.

Russian Hackers Have Targeted Defense Contractors to Steal Sensitive Data

Gizmodo: US Intelligence authorities say that a multi-year hacking campaign has resulted in sensitive IT information being stolen from Pentagon-linked defense contractors and subcontractors. According to the report, the goal is to steal sensitive data and information using spear phishing, brute force attacks, credential harvesting, and other typical intrusion techniques. The purpose of the hacking campaigns appears to have been to acquire “sensitive information” about things like US weapons and missile development, intelligence, surveillance, and reconnaissance capabilities, vehicle and aircraft design, and command, control, and communications systems, officials said.

Hackers Circulate Malware by Breaking Into Microsoft Teams Meetings

PC Magazine: Hackers have been spotted infiltrating Microsoft Teams meetings to circulate malware to unsuspecting users. Last month, email security provider Avanan noticed the attacks, which involve hackers dropping malicious executable files on Microsoft Teams through in-session chats. “Avanan has seen thousands of these attacks per month,” the company warned in a Thursday report. The hackers are likely infiltrating Microsoft Teams after first compromising an email account belonging to an employee. The email account can then be used to access Teams meetings at their company. Also reported by Bleeping Computer, if you are one of the 270 million people who use Microsoft Teams every day, it may be time to make sure your account is locked down. Part of the onus here does fall on Microsoft, too. Teams isn’t precisely feature-rich when it comes to security and scanning files for malicious content. The ability for guests and other temporary users to share files also poses a security risk, though that isn’t necessarily how the hackers spread this particular malware.


In Case You Missed It

Functionality rich Android malware identified in the wild

SonicWall Threats Research Team received reports of an Android malware in the wild that was hosted on an active domain. The sample appears to be a Remote Access Trojan with a number of capabilities.

Application Specifics

App Execution

After installation, the app’s icon is visible but carries no application name:

The AndroidManifest.xml file can be used to identify how the application starts its execution flow. In this application the main activity is listed as com.depart.buddy.lz. However, this class does not appear anywhere in the list of classes in the APK’s code:

This indicates that a new dex file is most likely dropped during execution and that this file contains the class declared as the main activity. Once the app runs, a file named kreaslX.json is dropped in the folder below:

Renaming the .json file to .zip and opening it in a disassembler reveals the missing class files:

The shared preferences file settings.xml can be viewed as the configuration file for this application. A number of the malware’s capabilities are listed in this file:

Notable capabilities include:

  • Log SMS messages on the device
  • Log applications installed on the device
  • Log contacts
  • Request for Admin privileges
  • Lock device
  • Start TeamViewer application
  • Switch the sound off
  • Kill an application
  • Keylogger functionality
  • Turn PlayProtect off
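
The analysis steps above (a main activity missing from the static class list, a .json file that is really a zip holding the missing dex, and a shared-preferences file acting as the configuration) reduce to a small triage script. The following added example is not code from the original write-up: it identifies a dropped blob by its magic bytes instead of its extension, lists any dex members when the blob is a zip, and parses an Android SharedPreferences XML document for switched-on capabilities. The sample zip and preferences document are constructed inline, and the preference key names (log_sms, keylogger, play_protect_off, admin_panel) are hypothetical; the real sample’s keys must be read from its settings.xml.

```python
"""Triage a dropped payload and its shared-preferences config (added example)."""
import io
import xml.etree.ElementTree as ET
import zipfile
from typing import Dict, List

DEX_MAGIC = b"dex\n"      # "dex\n035\0" etc.; the file need not carry a .dex extension
ZIP_MAGIC = b"PK\x03\x04"


def identify_blob(data: bytes) -> str:
    """Classify by magic bytes, ignoring the (misleading) file extension."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(DEX_MAGIC):
        return "dex"
    return "unknown"


def dex_members(data: bytes) -> List[str]:
    """The 'rename .json to .zip' step: members of a zip blob that are dex files."""
    if identify_blob(data) != "zip":
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if zf.read(n).startswith(DEX_MAGIC)]


def missing_main_activity(manifest_main: str, classes: List[str]) -> bool:
    """True when the manifest's main activity is absent from the static class list."""
    return manifest_main not in classes


def parse_shared_prefs(xml_text: str) -> Dict[str, str]:
    """Android SharedPreferences: a <map> of <boolean name= value=/>, <string name=>text</string>, ..."""
    out = {}
    for el in ET.fromstring(xml_text):
        name = el.get("name")
        if name is None:
            continue
        out[name] = el.get("value") if "value" in el.attrib else (el.text or "").strip()
    return out


def enabled_capabilities(prefs: Dict[str, str]) -> List[str]:
    """Keys whose value reads as switched on."""
    return sorted(k for k, v in prefs.items() if v.lower() in ("true", "1"))


def _build_sample_zip() -> bytes:
    """Constructed stand-in for the dropped kreaslX.json: a zip holding one dex stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


SAMPLE_DROPPED_JSON = _build_sample_zip()

# Constructed settings.xml with hypothetical keys mirroring the listed capabilities.
SAMPLE_PREFS = """<map>
  <boolean name="log_sms" value="true" />
  <boolean name="keylogger" value="true" />
  <boolean name="lock_device" value="false" />
  <boolean name="play_protect_off" value="true" />
  <string name="admin_panel">http://admin-panel.invalid</string>
</map>"""

if __name__ == "__main__":
    print(identify_blob(SAMPLE_DROPPED_JSON), dex_members(SAMPLE_DROPPED_JSON))
    prefs = parse_shared_prefs(SAMPLE_PREFS)
    print(enabled_capabilities(prefs), prefs["admin_panel"])
```

Checking magic bytes rather than extensions is the point of the first two functions: the dropper relies on the .json name to look like data, and the dex header is visible as soon as the member is read.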

Network Investigation

The application is hosted at hxxps://www.kisa.link/PMmG. The VirusTotal graph shows multiple malicious indicators connected with this domain:

A hardcoded admin panel address was identified in the shared_preferences.xml file: hxxp://helalolsundayiogli.co.vu. The VirusTotal graph for this domain shows multiple APK files connected to it:

Overall, this application appears to be part of a larger campaign propagated via the links mentioned above. It behaves as a Remote Access Trojan: it accepts commands from the admin panel and executes the built-in functionality listed above.

SonicWall Capture Labs provides protection against this threat using the signature listed below:

  • AndroidOS.Spy.SM

Indicators of Compromise (MD5):

  • bfdd4663a096b21a1d2b7c993bb0aecd
  • 2dc70002c841181ee1e832381f8429ab

Realtek Jungle SDK remote code execution

Realtek manufactures and sells a variety of microchips globally, and Realtek chipsets are found in many embedded devices in the IoT space. Realtek offers complete HomeKit solutions with Ameba (RTL8711 series) and iCOM (RTL8196/8188 series) that can be implemented in various IoT platform designs, e.g. smart plugs, smart home appliances, home security systems, and smart sensor/lighting devices. RTL8xxx SoCs provide wireless capabilities, and the vendor SDK exposes services over the network.

CVE-2021-35395
Realtek Jungle SDK versions v2.x up to v3.4.14B provide an HTTP web server that exposes a management interface used to configure the access point. There are two versions of this management interface: one based on GoAhead, named webs, and another based on Boa, named boa. Arbitrary command execution exists in the formSysCmd handler via the sysCmd parameter, whose value is executed without validation. Successful exploitation of this vulnerability allows remote attackers to gain arbitrary code execution on the device.

The HTTP web server boa is also vulnerable to multiple buffer overflows caused by unsafe copies of overly long parameters submitted in a form, including:

  • unsafe copy of the ‘submit-url’ parameter in formRebootCheck, formWsc and formWlanMultipleAP
  • unsafe copy of the ‘peerPin’ parameter in formWsc
  • unsafe copy of the ‘ifname’ parameter in formWlSiteSurvey
  • unsafe copy of the ‘hostname’ parameter in formStaticDHCP

The root cause of these vulnerabilities is insufficient validation of the destination buffer size combined with unsafe calls to sprintf/strcpy. An attacker can trigger them by crafting the arguments in a single request; successful exploitation leads at least to a server crash and denial of service.
Realtek has patched these vulnerabilities.
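
Both bug classes above are visible in the HTTP request itself, which makes them straightforward to detect at a firewall or reverse proxy in front of an affected device. The following added example (not code from the advisory, SonicWall or Realtek) parses constructed HTTP requests and flags any submission to formSysCmd that carries a sysCmd parameter, and any of the forms listed above that receives an oversized value in one of the named parameters. The /boafrm/ and /goform/ path prefixes and the 64-byte length threshold are assumptions; tune the threshold to the buffer sizes in the firmware you are protecting.

```python
"""Flag Realtek Jungle SDK management-form abuse in HTTP requests (added example)."""
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Form handlers live under these prefixes (assumption: /boafrm/ for Boa builds,
# /goform/ for GoAhead builds).
FORM_PREFIXES = ("/boafrm/", "/goform/")

# Forms and parameters named in the advisory for the unsafe-copy overflows.
OVERFLOW_PARAMS = {
    "formRebootCheck": ("submit-url",),
    "formWsc": ("submit-url", "peerPin"),
    "formWlanMultipleAP": ("submit-url",),
    "formWlSiteSurvey": ("ifname",),
    "formStaticDHCP": ("hostname",),
}
MAX_PARAM_LEN = 64  # assumed: legitimate values are short; the stack buffers are fixed-size


def parse_request(raw: str) -> Tuple[str, str, Dict[str, List[str]]]:
    """Split a raw HTTP/1.x request into (method, path, merged query+body params)."""
    head, _, body = raw.partition("\r\n\r\n")
    method, target, _ = head.split("\r\n", 1)[0].split(" ", 2)
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    if method == "POST":
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return method, parts.path, params


def form_name(path: str) -> Optional[str]:
    """Handler name when the path points at a management form, else None."""
    for prefix in FORM_PREFIXES:
        if path.startswith(prefix):
            return path[len(prefix):]
    return None


def inspect(raw: str) -> List[str]:
    """Return one finding per matched rule; an empty list means the request looks benign."""
    _, path, params = parse_request(raw)
    form = form_name(path)
    findings: List[str] = []
    if form is None:
        return findings
    # CVE-2021-35395: any sysCmd value reaching formSysCmd is executed by the device.
    if form == "formSysCmd" and "sysCmd" in params:
        findings.append(f"command injection attempt via formSysCmd sysCmd={params['sysCmd'][0][:40]!r}")
    for param in OVERFLOW_PARAMS.get(form, ()):
        for value in params.get(param, []):
            if len(value) > MAX_PARAM_LEN:
                findings.append(f"oversized {param} ({len(value)} bytes) sent to {form}")
    return findings


def _post(form: str, body: str) -> str:
    """Build a constructed request to a form handler."""
    return (f"POST /boafrm/{form} HTTP/1.1\r\nHost: 192.0.2.1\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")


# Constructed sample traffic (not captured from a real device).
SAMPLE_REQUESTS = {
    "syscmd": _post("formSysCmd", "sysCmd=id&apply=Apply&submit-url=%2Fsyscmd.asp"),
    "overflow": _post("formWsc", "peerPin=" + "A" * 300 + "&submit-url=%2Fwsc.asp"),
    "benign": _post("formStaticDHCP", "hostname=printer01&ipaddr=192.0.2.50&submit-url=%2Fdhcp.asp"),
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(name, inspect(req))
```

The command-injection rule deliberately matches on the presence of the parameter rather than on its content: the handler is not meant to be reachable from an untrusted network at all, and filtering for specific shell syntax would only invite evasion. Query-string and body parameters are merged because the form handlers do not distinguish between the two.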

SonicWall Capture Labs provides protection against this threat via the following IPS signatures:

  • 18642 Realtek Jungle SDK HTTP Server Buffer Overflow
  • 18643 Realtek Jungle SDK HTTP Server Buffer Overflow 2
  • 18644 Realtek Jungle SDK HTTP Server Command Injection
  • 18645 Realtek Jungle SDK Remote Code Execution 1
  • 18646 Realtek Jungle SDK Remote Code Execution 2
  • 18647 Realtek Jungle SDK HTTP Server Buffer Overflow 3
  • 18648 Realtek Jungle SDK HTTP Server Buffer Overflow 4
  • 18649 Realtek Jungle SDK HTTP Server Buffer Overflow 5

Threat Graph

2021 Threat Intelligence Shows Attacks Rising Across the Board

While the world continued to grapple with the challenges of 2020 — such as the ongoing COVID-19 pandemic and the shift to remote work — cybercriminals were building on what they learned that year to become more adaptable and formidable in 2021.

But as cybercriminals followed the moves of an ever-changing world, SonicWall Capture Labs threat researchers followed the movement of cybercriminals, recording where they attacked, who they targeted and what sorts of new techniques they developed. By compiling these findings into the 2022 SonicWall Cyber Threat Report, we’re offering organizations the actionable threat intelligence they need to combat the rising tide of cybercrime.

“It’s imperative to understand the skill set of bad actors to ultimately thwart their increasingly sophisticated and targeted attacks,” SonicWall President and CEO Bill Conner said. “The 2022 SonicWall Cyber Threat Report shines a spotlight on the growing plague of ransomware and other attempts of digital extortion.”

Here are a few of the key findings from the report:

Ransomware

In 2021, SonicWall Capture Labs threat researchers recorded 623.3 million ransomware attempts globally, an increase of 105% year over year. This increase was fueled by large volumes of Ryuk, SamSam and Cerber attacks, which together made up 62% of the total ransomware volume.

While the growth in ransomware was unusually aggressive, so were many of the techniques ransomware gangs used to separate legitimate organizations from their money. Double extortion continued to grow in 2021, and terrifying new triple extortion techniques began taking hold as well. Supply-chain attacks and attacks on vital infrastructure also increased, putting pressure on lawmaking bodies around the world to unify against ransomware’s growing threats.

Malware

As attacks of nearly every type have grown over the past couple of years, we’ve been able to count on one silver lining: “Well, at least malware volume is down.” A look at the data for 2021, however, shows signs that this sustained fall may soon be coming to an end.

While malware was still down 4% year-over-year, this is the smallest percentage drop we’ve seen in some time, with a rebound in the second half almost completely erasing the 22% drop recorded for the first half. Moreover, malware didn’t fall everywhere: the UK and India saw increases of 48% and 41% respectively.

Log4j Exploits

From Dec. 11, 2021, through Jan. 31, 2022, SonicWall Capture Labs Threat Researchers logged 142.2 million Log4j exploit attempts — an average of 2.7 million attempts each day. The data shows threat actors pivoting to attack these vulnerabilities at an alarming rate, with large numbers of attempts continuing to this day.

(As a reminder, SonicWall has released a number of signatures to help protect customers against Log4j exploit attempts — if you haven’t yet patched your organization’s internal systems against these vulnerabilities, we strongly urge you to do so.)

Capture ATP and RTDMI

In 2021, SonicWall Capture Advanced Threat Protection (ATP) with Real-Time Deep Memory Inspection (RTDMI)™ became the only solution in ICSA Labs Advanced Threat Defense (ATD) certification history to earn four straight perfect scores, all without a single false positive.

SonicWall’s data on the evolution of Capture ATP and RTDMI shed some light on how we accomplished this feat. In 2021, RTDMI identified 442,151 never-before-seen malware variants, an increase of 65% year over year and an average of 1,221 per day.

Cryptojacking

Given 2021’s record-high cryptocurrency prices, not even mining crackdowns and increased federal scrutiny were enough to keep cryptojacking down. SonicWall Capture Labs threat researchers recorded a 19% year-over-year increase in cryptojacking, amounting to an average of 338 attempts per customer network.