Cybersecurity News & Trends

This week, SonicWall is on a winning streak with another strong showing in general news and industry press. There were continued mentions of the 2022 SonicWall Cyber Threat Report, new product reviews, and partner news. In industry news, the Tenet healthcare network suffered a cyberattack that disrupted operations at two hospitals in Palm Beach, FL. While cyberattacks rage in Ukraine, US intelligence warns of fresh attacks on US targets by state-sponsored cyber gangs from China, Russia, and North Korea. Krebs is following a developing situation in which hackers use fake Emergency Data Requests (EDRs) to extract data under the guise of law enforcement, a tactic that can compromise companies and agencies. Meanwhile, JPMorgan is getting sued over a hack, the US State Department antes up $10M for information about Russian hackers, the malware loader Bumblebee is loose, and experts examine predictive analytics for cybersecurity.

SonicWall News

Cyberwar Zone: Biden, Experts Warn Business Attacks are Coming

Virginia Business, News: But many cybercrimes go unreported, and private sector numbers paint a far worse picture. Cybersecurity firm SonicWall reports that its researchers recorded 623.3 million ransomware attacks worldwide in 2021 — a 105% increase from 2020.

What Should You Do If Your Brand is the Target of a Data Breach?

TFL, Threat Report Mention: The same is true in the U.S., with ransomware attacks alone rising by almost 100 percent in 2021, according to SonicWall’s 2022 Cyber Threat Report.

SonicWall Virtual Firewall Tested and Certified in AWS Public Cloud – Ideal for Distributed Networks

Markets Insider, News: SonicWall today announced a new report by The Tolly Group, which detailed the testing and analysis of the performance of the SonicWall NSv 470 virtual firewall. Using Keysight’s CyPerf cloud-native testing solution to provide the test infrastructure for standardized, repeatable performance tests, Tolly benchmarked the throughput and connection performance of the virtual firewall in Amazon Web Services (AWS).

For Over 30 Years, Jeff Dann Has Had the People, Process, And Technology To Ensure Their Customers Are Protected

MSP Success, Threat Report Mention: SonicWall reports there were 304.7 million ransomware attacks, 51.1 million crypto-jacking attacks, and 32.2 million IoT malware attacks in 2021. The report states that attackers targeted web applications with financial and personal information for a big payday.

The Industry Takes Stock of Cyberattacks In Hawaii

Pacific Inno, News: Each year, the SonicWall Cyber Threat Report uncovers insights extracted from global cyberthreat data collected and analyzed by expert researchers. SonicWall calls its report “the world’s most quoted ransomware threat intelligence,” and it is an annual snapshot of the threat landscape, helping business and government leaders make informed decisions about cybersecurity.

Learn how NLP Can Help to Understand the Cyber-Exposure And The Silent Cyber

Intelligent Insurer, Threat Report Mention: Corporate IT teams handled 623 million ransomware attacks in 2021, up 105% year on year, according to security vendor SonicWall. The firm reports a 1,885 percent increase in attacks on government targets, with healthcare (755 percent), education (152 percent) and retail (21 percent) also up.

Cyber Threats to Media Companies Are on The Rise

E&P, Threat Report Mention: Reporter Amiah Taylor explained ransomware research by SonicWall, an internet cybersecurity company, and its 2022 Cyber Threat Report, which offers some alarming statistics about ransomware attacks: governments worldwide saw a 1,885% increase in ransomware attacks, and the health care industry faced a 755% increase in those attacks, in 2021.

How To Choose the Best VPN For Security and Privacy

CSO Magazine, Product Mention: For example, SonicWall’s Mobile Connect supports Ping, Okta and OneLogin identity providers.

Privacy Coin Monero’s Use in Ransomware Fuels Growing Security Concerns

PYMNTS.com, Threat Report Mention: That comes as ransomware is exploding, with attacks up 105% last year, according to the 2022 Cyber Threat Report released in February by cybersecurity company SonicWall.

Industry News

Tenet Says, ‘Cybersecurity Incident’ Disrupted Hospital Operations

Healthcare Dive: Tenet is one of the largest US for-profit health systems. It reported that it suffered a cybersecurity incident last week, which disrupted some acute care operations. According to the statement issued Tuesday by the Texas-based operator, most critical functions have been restored, and affected facilities are beginning normal operations. Tenet did not disclose the nature or extent of the incident or the affected facilities. It also didn’t say whether hackers accessed any patient data.

SC Media and CBSNews affiliate WEPC offered additional details on the incident, reporting that the attack forced caregivers to chart patient care using paper because the network’s phone and computer systems were down. As a result, the company’s “acute care operations” at Good Samaritan Hospital in West Palm Beach and St. Mary’s Medical Center were temporarily interrupted.

Cyberattacks Rage in Ukraine, Support Military Operations

Threat Post: At most, five advanced persistent threats (APTs) are believed to be behind attacks tied to ground campaigns aimed at harming Ukraine’s digital infrastructure. The five state-sponsored APT groups behind the attacks on Ukraine, which began in February, used them strategically to support the ground campaign. Microsoft published research on Wednesday attributing the APTs in the campaign to Russian state sponsorship.

Separate reports this week shed light on cyberattacks against Ukrainian digital assets carried out by APTs linked to Russia. Microsoft researchers have found that six distinct Russia-aligned threat agents carried out 237 cyber operations, resulting in threats to civilian welfare. They also attempted to launch dozens of cyber espionage attempts against Ukrainian targets.

US Intel, Google Warn of Cyberattacks from China, Russia, North Korea

Newsweek: In the past month, intelligence agencies, President Joe Biden and large companies such as Google all issued the same warning, sounding alarms about the growing threat of cyberattacks coming from foreign governments. Christopher Wray, Director of the Federal Bureau of Investigation, stated that the People’s Republic of China and the Chinese Communist Party are the biggest threats to the country’s counterintelligence. He said they target our innovation, trade secrets, and intellectual property at a scale never before seen in history. According to Google’s Threat Analysis Group (TAG), Iran, North Korea and Russia are the top sources of cyberattacks on the US.

Fighting Fake EDRs with ‘Credit Ratings’ for Police

Krebs On Security: The Krebs security team recently examined how cybercriminals used hacked email accounts of police departments worldwide to obtain warrantless Emergency Data Requests from technology providers and social media companies. Many security experts called it an insurmountable problem. Matt Donahue is a former FBI agent who recently left the agency to found a startup that helps tech companies screen out fraudulent law enforcement data requests. This includes assigning credit-rating-style trustworthiness scores to law enforcement agencies worldwide.

Manufacturer Sues JPMorgan After Cybercriminals Stole $272m

Computer Weekly: Essilor Manufacturing sued JP Morgan, alleging that the bank failed to report suspicious activity, leading cybercriminals to steal $272 million. According to reports, the French manufacturer of Ray-Ban sunglasses claimed that the bank failed to notify it of suspicious activity in New York. In papers filed in Manhattan federal court, the manufacturer said that activity included an increase in money transactions and money sent to offshore companies in high-risk countries.

State Dept Offering $10 Million For Information on Russian Cybercriminals

The Hill: The State Department has announced it is offering a reward of up to $10 million for information on a group of Russian cybercriminals. The department released a press release on Tuesday stating that its Rewards for Justice program (RFJ) is looking for information about six people who are allegedly involved in a criminal conspiracy involving malicious hacking activities that affect the critical infrastructure of the United States. According to the State Department, these individuals were part of a criminal conspiracy that infected computers with destructive malware in June 2017. The malware was called NotPetya.

Cybercriminals Using New Malware Loader ‘Bumblebee’ in the Wild

Hacker News: The cybercriminals who were previously seen delivering IcedID and BazaLoader as part of their malware campaigns may have switched to a new loader called Bumblebee, which is currently actively being deployed. Researchers report that Bumblebee may be the new multifunctional tool of choice for spreading malware based on cybercriminals’ timing and early proliferation of the loader. The new loader was distributed in March 2022. There are overlaps between malicious activity and Conti ransomware deployments.

Predictive Analytics could be the Future of Cybersecurity

Analytics Insight: While it might not be possible to prevent every data breach, it is possible to minimize the risk. Even the most skilled cyber professionals admit that it is impossible to control all data breaches. It is impossible to stop determined hackers from getting into systems. This is not because they are too sophisticated; even the most experienced security professionals fall prey to human error. Nevertheless, it is possible to minimize the risk, which is good news. Organizational leaders must accept this fact as soon as possible. It is best to assume that data breaches will happen and set up cyber defenses to reduce the damage. A crisis checklist can help prepare for the worst.

In Case You Missed It

Five Times Flawless: SonicWall Earns Its Fifth Perfect Score from ICSA Labs – Amber Wolff

NSv Virtual Firewall: Tested and Certified in AWS Public Cloud – Ajay Uggirala

How SonicWall’s Supply-Chain Strategies Are Slicing Wait Times – Amber Wolff

SonicWall SMA 1000 Series Earns Best-Of Enterprise VPNs Award from Expert Insights – Bret Fitzgerald

World Backup Day: Because Real Life Can Have Save Points Too – Amber Wolff

CRN Honors SonicWall With 5-Star Rating in 2022 Partner Program Guide – Bret Fitzgerald

Cyberattacks on Government Skyrocketed in 2021 – Amber Wolff

Meeting the Cybersecurity Needs of the Hybrid Workforce – Ray Wyman

Third-Party ICSA Testing – Perfect Score Number 4 – Kayvon Sadeghi

Ransomware is Everywhere – Amber Wolff

Shields Up: Preparing for Cyberattacks During Ukraine Crisis – Aria Eslambolchizadeh

Capture Client 3.7: Rapid Threat Hunting with Deep Visibility and Storylines – Suroop Chandran

2021 Threat Intelligence Shows Attacks Rising Across the Board – Amber Wolff

Break Free with SonicWall Boundless 2022 – Terri O’Leary

SonicWall’s Bob VanKirk, HoJin Kim & David Bankemper Earn 2022 CRN Channel Chief Recognition – Bret Fitzgerald

Don’t Let Global Supply Chain Issues Impact Your Security – Kayvon Sadeghi

Unpacking the U.S. Cybersecurity Executive Order – Kayvon Sadeghi

Everything Old Is New Again: Remote Access Comes Full Circle – James Whewell

WSO2 API Manager RCE Vulnerability

Overview:

  WSO2 offers a platform of middleware products for agile integration, application programming interface (API) management, identity and access management, and smart analytics.

  A directory traversal vulnerability has been reported in WSO2 API Manager. The vulnerability is due to improper validation of file names.

  A remote attacker can exploit this vulnerability by sending a crafted POST request to the target server containing a crafted “filename” and/or “name” parameter. Successful exploitation of this vulnerability could result in a remote shell being written to an arbitrary location, leading to remote code execution under the security context of the user running the vulnerable application.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-29464.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C).

  Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 9.3 (E:F/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is functional.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  When an HTTP request is made to the “/fileupload” endpoint, the execute() method of CarbonXmlFileUploadExecHandler is triggered, which iterates over the actions defined in the XML configuration. If a match is found, the executeGeneric() method of the associated executor class is triggered. In the case of ToolsAnyFileUploadExecutor, the implementation inherited from the parent class, AbstractFileUploadExecutor, is called. This method parses the parameters in the request by calling parseRequest(), and then uploads the file by calling execute(). parseRequest() reads the names and values of the files included in the request body using the multipart/form-data encoding. execute() then iterates over the parsed files and, for each one, constructs a File object from the service upload directory and the name of the file parameter.

  However, the code fails to sanitize directory traversal sequences from the parameter name. This allows files to be created or written outside of the service upload directory, which can lead to arbitrary file write and arbitrary code execution. For example, an attacker can upload an arbitrary JSP file to the webapps directory of the Tomcat server that implements the web-based interface. That JSP file can then be accessed via the web-based interface, which leads to arbitrary Java code execution.
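  The flaw described above is the classic "join the upload directory with an untrusted file name" pattern. The following is an added example (not WSO2's code, and not taken from the advisory) that puts that flawed pattern beside a hardened version: the hardened function keeps only the final path component, applies an assumed extension allowlist, and then confirms that the resolved path still lies inside the upload directory. The upload directory, the sample parameter names and the allowlist are all constructed for this illustration; the vulnerable variant only computes the path it would have written to, it writes nothing.

```python
import os
import tempfile

# Constructed sample parameter names as they might arrive in a multipart
# request. None of these values come from the advisory.
SAMPLE_NAMES = [
    "report.pdf",                 # benign
    "../../report.pdf",           # traversal prefix on an allowed type
    "../../webapps/ROOT/x.jsp",   # traversal-style name (constructed)
    "..\\..\\x.jsp",              # Windows-style separators (constructed)
    "",                           # empty name
    ".htaccess",                  # hidden file
]

# Assumed policy for this example; a real service would set its own list.
ALLOWED_EXTENSIONS = frozenset({".pdf", ".png", ".txt"})


def vulnerable_target_path(upload_dir: str, param_name: str) -> str:
    """Mirrors the flawed pattern in the advisory: the upload directory is
    joined with the raw multipart parameter name and no traversal check is
    made. Only the resulting path is computed; nothing is written."""
    return os.path.normpath(os.path.join(upload_dir, param_name))


def safe_target_path(upload_dir: str, param_name: str,
                     allowed: frozenset = ALLOWED_EXTENSIONS) -> str:
    """Hardened form: keep only the final path component, reject empty,
    dot-prefixed or unexpected-extension names, then confirm the resolved
    path still lies inside the upload directory (defence in depth against
    symlinks and normalisation surprises)."""
    base = os.path.basename(param_name.replace("\\", "/"))
    if not base or base.startswith("."):
        raise ValueError(f"rejected file name {param_name!r}")
    ext = os.path.splitext(base)[1].lower()
    if ext not in allowed:
        raise ValueError(f"extension {ext!r} not permitted for {param_name!r}")
    root = os.path.realpath(upload_dir)
    candidate = os.path.realpath(os.path.join(root, base))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"path escapes upload directory: {param_name!r}")
    return candidate


def compare(upload_dir: str, names=SAMPLE_NAMES) -> dict:
    """Run both variants over the sample names. Returns a mapping of
    name -> (path the vulnerable code would use, hardened verdict)."""
    out = {}
    for name in names:
        try:
            verdict = "accepted " + safe_target_path(upload_dir, name)
        except ValueError as exc:
            verdict = "rejected: " + str(exc)
        out[name] = (vulnerable_target_path(upload_dir, name), verdict)
    return out


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, (vuln, safe) in compare(tmp).items():
            print(f"{name!r:30} vulnerable -> {vuln}")
            print(f"{'':30} hardened   -> {safe}")
```

  Running it shows the vulnerable variant resolving `../../webapps/ROOT/x.jsp` to a path two levels above the upload directory, while the hardened variant either strips the traversal prefix (so `../../report.pdf` lands on the same file as `report.pdf`) or rejects the name outright. The realpath/commonpath check is what the IPS signatures listed below cannot do for you: it is the server-side control.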

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The attacker must have network connectivity to the affected ports.

Triggering Conditions:

  The attacker sends an HTTP request containing maliciously crafted parameters to the target server. The vulnerability is triggered when the server processes the request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 9837 Web Application Suspicious File Upload 2

  • IPS: 15759 WSO2 Products Unrestricted File Upload

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Updating to a non-vulnerable version or by applying the vendor supplied patch.
    • Filtering traffic based on the signatures above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

Five Times Flawless: SonicWall Earns Its Fifth Perfect Score from ICSA Labs

It’s exactly one week after National High Five Day, and exactly one week before Cinco de Mayo. But this year, SonicWall has its own reason to celebrate the number five: SonicWall Capture Advanced Threat Protection (ATP) with patented Real-Time Deep Memory Inspection (RTDMI)™ just earned its fifth consecutive perfect score in independent ICSA testing.

Starting in Q1 2021, SonicWall Capture ATP has found 100% of malicious threats in quarterly test rounds without issuing a single false positive. This means that for 160 days of continuous testing, consisting of 6,719 total test runs, SonicWall Capture ATP found all 3,131 malicious samples — the majority of which were four hours old or less. And it did so without misidentifying a single one of the 3,588 innocuous apps scattered throughout.

“SonicWall has now received an amazing five consecutive perfect scores when tested against some of the most unknown and rigorous threats — an unprecedented achievement among tested vendors,” said SonicWall President and CEO Bill Conner. “These third-party, real-world tests validate SonicWall as a clear leader in the cybersecurity space and play a significant role in our efforts to deliver quality-driven security products.”

As the latest in a streak of perfect scores, SonicWall’s Q1 2022 test results reflect not only excellence, but also consistency. From Jan. 19 through Feb. 19, 2022, a SonicWall NSa 3600 next-generation firewall equipped with Capture ATP and patented RTDMI™ technology was once again put through its paces. And once again, it correctly identified all 553 of the malicious samples (100% detection rate) without alerting on any of the 578 innocuous apps (0% false positive rate).

ICSA Advanced Threat Defense: Real-World Results

Standard ICSA Labs Advanced Threat Defense (ATD) testing evaluates vendor solutions designed to detect new threats that traditional security products miss.

Eligible security vendors are tested quarterly for a minimum of three weeks. During that time, ICSA Labs subjects the vendors’ advanced threat solutions to hundreds of test runs consisting of a mixture of innocuous applications, new threats and little-known threats. These threats are delivered via the primary vectors that lead to enterprise breaches, according to Verizon’s Data Breach Investigations Report. The test cycles evaluate how good vendor ATD solutions are at detecting unknown and little-known threats — and whether they can do so while minimizing false positives.

100% Efficacy. One Solution.

The continued success of SonicWall Capture ATP with RTDMI is due to two main factors: the solution’s ability to identify even the most sophisticated and obfuscated threats, and its ability to use what it learns doing so to improve itself over time.

SonicWall Capture ATP is a multi-layer sandbox service designed to mitigate new forms of malware capable of circumventing traditional network defenses.

Included as part of Capture ATP, RTDMI™ leverages proprietary memory inspection, CPU instruction tracking and machine-learning capabilities to become increasingly efficient at recognizing and mitigating never-before-seen cyberattacks — including threats that traditional sandboxes will most likely miss.

And since RTDMI can detect malicious code or data in memory and in real time during execution, no malicious system behavior is necessary for detection. In other words, the presence of malicious code can be identified prior to any malicious behavior taking place, allowing for a quicker verdict.

Best of all, because it incorporates AI and machine learning technologies, RTDMI™ is continuously becoming more efficient and effective.

In 2021, the technology identified a total of 442,151 never-before-seen malware variants, a 65% increase over 2020’s count. And while 2022 numbers have not yet been tallied, in 14 of the last 16 quarters through the end of 2021, the number of new malware variants identified has exceeded that found in the previous quarter.

“In today’s fast-moving and unpredictable threat landscape, it is really hard to earn consistent third-party validation,” said SonicWall Vice President of Software Engineering & Threat Research Alex Dubrovsky. “Our five consecutive perfect scores are a confirmation of our vision and a significant milestone to the SonicWall team’s dedication to providing organizations with the very best threat intelligence technology.”

Cybersecurity News & Trends

This week, SonicWall generated an excellent balance of press ink for the 2022 SonicWall Cyber Threat Report, product mentions, Bill Conner, and two articles that feature the company and its products. Very well done! In industry news, we see that Microsoft is taking the hacks of its MSO line of products very seriously and showing some success. Hackers claim to have hacked several Russian institutions with a “barrage” of cyberattacks. Meanwhile, hackers “DeFi” cryptocurrency security measures with new attacks. And among the top state-sponsored cyber hackers, North Korea earns recognition as the truly weirdest.

SonicWall News

How To Choose the Best VPN For Security and Privacy

CSO Magazine, Product Mention: For example, SonicWall’s Mobile Connect supports Ping, Okta and OneLogin identity providers.

Privacy Coin Monero’s Use in Ransomware Fuels Growing Security Concerns

PYMNTS.com, Threat Report Mention: That comes as ransomware is exploding, with attacks up 105% last year, according to the 2022 Cyber Threat Report released in February by cybersecurity company SonicWall.

Ransomware Is on the Way and Backups Are Your Best Defense

The New Stack, SonicWall Threat Report Mentioned: You may ask, “Is ransomware really that bad?” It is. Last year, network security vendor SonicWall called 2021 The Year Of Ransomware thanks to an average of 1,748 ransomware attempts per customer by the end of September. Altogether SonicWall reported spotting a crazy 495 million ransomware attempts by the end of September.

Work to Secure Hawaii’s Digital Future

Honolulu Daily Advertiser, SonicWall Threat Report Mentioned: SonicWall’s 2022 Cyber Threat Report revealed that Hawaii is one of the top 10 riskiest states for malware.

The Funky Pigeon Pauses All Orders After ‘Security Incident’

The Register, SonicWall’s Bill Conner Quoted: Another example of how relentless cybercriminals are in their search for profit. Holding victim organizations’ business hostage uniquely impacts retailers and other organizations that provide daily, direct services to their customers. Such attacks directly affect the victim’s revenue generation and thus provide additional leverage to the attackers.

Ransomware Prevention for State & Local Governments

Tech Register, 2022 Threat Report Mention: According to the 2022 Cyber Threat Report from SonicWall, two industries saw large spikes in malware in 2021: healthcare (121 percent) and government (94 percent). In North America, ransomware rose 104 percent in 2021, according to the report, just under the 105 percent average increase worldwide.

Today’s Firewall is More Important in a Multi-Perimeter World; New Cornerstone for Enterprise Security

SME Channels, SonicWall feature: With increasing numbers of devices and remote workers, enterprises are facing even more daunting challenges in protecting the business. Many enterprises, educational institutions, and government agencies have deployed several stand-alone appliances and disjointed defenses, which include traditional firewalls.

Manage and Secure Access to SonicWall NSv with JumpCloud

Security Boulevard, Blog Featuring SonicWall NSv: SonicWall firewalls are widely used by managed service providers (MSPs) to provide affordable and effective perimeter security. The NSv is a next-generation firewall that runs in the cloud, or as a virtualized device in your data center, thereby reducing the costs of buying an appliance. JumpCloud reduces the management overhead for your IT department.

Ransomware Response: 5 Steps to Protect Your Business

Security Boulevard, SonicWall Cyber Threat Report Mention: Last year was the most costly and dangerous year on record for businesses dealing with ransomware attacks. That’s according to network security experts, SonicWall, who by Q3 2021 were reporting an almost 150% year-on-year increase in ransomware attacks worldwide.

Industry News

Microsoft Is on the Hunt for Cyber Criminals

Tech-Co: In a story also reported by Microsoft and Hacker News, big moves against hackers have at least disrupted their activities for now. Microsoft’s Digital Crimes Unit obtained a court order from the United States District Court for the Northern District of Georgia allowing it to take control of 65 domains the ZLoader gang used to control, grow and communicate with their botnet. These domains have been directed to a Microsoft sinkhole, where they are no longer available to the criminal botnet operators. In addition, ZLoader embeds a domain generation algorithm (DGA) in the malware, which lets it create additional domains for use as a backup or fallback communication channel. The court order also allows Microsoft to take control of 319 other DGA domains.

During the group’s investigation, they discovered that Denis Malikov, from Simferopol, Crimea, was one of the criminals responsible for creating a component in the ZLoader botnet used to distribute ransomware. The group notes that the legal action was the culmination of months of investigations that began before the conflict in the region.

Microsoft claimed that the operation was carried out in partnership with ESET, Lumen’s Black Lotus Labs, Palo Alto Networks Unit 42 and Avast.

WIRED Magazine cautions that while actions like these are heartening, this is no time to be complacent. According to SonicWall’s 2022 Cyber Threat Report, attacks in the United States and all over the globe reached a fever pitch by 2021. Private companies and governments have made the most comprehensive promises yet to stop such attacks and eliminate the cybercriminal community, and these efforts have been highlighted by a flurry of activity over the past weeks. Nevertheless, cybercrime remains at an all-time high, and researchers warn that there is no one solution.

Hackers Claim to Target Russian Institutions in Barrage of Cyberattacks and Leaks

New York Times: Hackers claim that they have hacked into Russian institutions dozens of times in the last two months. This includes the Kremlin’s internet censor and one of its primary intelligence services. In an extraordinary hack-and-leak campaign, they also leaked internal documents and emails to the public.

The leaked information includes names of Russian soldiers that operated in Bucha, where there was a massacre of civilians and agents of FSB (a principal Russian intelligence agency), along with other identifying information such as dates of birth and passport numbers.

Much of the data is difficult to verify by nature. The FSB is an intelligence agency and would not confirm the identity of its officers. Even the organizations that distributed the data warned that files taken from Russian institutions might contain malware, manipulated or faked information, and other tripwires.

Researchers say that some data could also be recycled from prior leaks and presented as new to artificially boost the hackers’ credibility. The data could also be propaganda, which is not unusual in Russia and Ukraine’s ongoing cyberconflict.

Hackers’ DeFi’ Threat Risk Expectations with New Attack Vectors In Crypto

SC Media: In recent years, decentralized finance (DeFi) platforms have seen much popularity. They have attracted much attention from the bad guys, too.

According to research by Chainalysis, cryptocurrency transfers from illegal digital wallets to DeFi platforms rose nearly 2,000% between 2020 and 2021. Although malfeasance is decreasing, cryptocurrency and DeFi networks are booming. Chainalysis found that 2021 was the third year in a row in which cryptocurrency exchanges didn’t process more than half their transactions for bad actors. Chainalysis also discovered $8.6 billion worth of cryptocurrency transferred from illegal wallets to services between 2021 and 2021.

This is a growing problem for crypto finance as a whole. Nearly $3.2 billion has been stolen from DeFi systems, $1.3 billion of it during the first quarter. Two years ago, DeFi accounted for less than 30% of all stolen digital assets. According to Chainalysis research, hackers took 97% of the cryptocurrency stolen this year from DeFi platforms.

Among Top Hacking Nations, North Korea’s The Weirdest

Washington Post: North Korea is a standout among the global pantheon of government-backed hackers. Not only is it highly active; its weirdness also makes it stand out in the hacker world. Its hackers are more likely than others to steal cryptocurrency, and most of the money is used to finance the nation’s nuclear program and other government operations.

The Lazarus Group, Pyongyang’s most prominent hacking gang, has recently been in the news for its brazen theft of more than $600 million in cryptocurrency via the Axie Infinity video game. This is just the latest in a series of significant cryptocurrency thefts.

But things get more bizarre, especially when contrasted with other state hacks, which usually target US and European government offices. For example, North Korea’s 2014 hack of a movie theater — Sony Pictures Entertainment — was to settle a dispute over a negative portrayal of its dictator Kim Jong Un.

Reuters reported further that the UN monitors of North Korean sanctions enforcement found cybercrime to be vital to Pyongyang’s ability to finance banned weapons programs. The UN body stated that cyber activity was essential for North Korea to evade UN sanctions and raise money for its missile and nuclear programs. However, the biannual reports of the experts’ panel did not reflect this because member states were reluctant to report breaches.

In Case You Missed It

NSv Virtual Firewall: Tested and Certified in AWS Public Cloud – Ajay Uggirala

How SonicWall’s Supply-Chain Strategies Are Slicing Wait Times – Amber Wolff

SonicWall SMA 1000 Series Earns Best-Of Enterprise VPNs Award from Expert Insights – Bret Fitzgerald

World Backup Day: Because Real Life Can Have Save Points Too – Amber Wolff

CRN Honors SonicWall With 5-Star Rating in 2022 Partner Program Guide – Bret Fitzgerald

Cyberattacks on Government Skyrocketed in 2021 – Amber Wolff

Meeting the Cybersecurity Needs of the Hybrid Workforce – Ray Wyman

Third-Party ICSA Testing – Perfect Score Number 4 – Kayvon Sadeghi

Ransomware is Everywhere – Amber Wolff

Shields Up: Preparing for Cyberattacks During Ukraine Crisis – Aria Eslambolchizadeh

Capture Client 3.7: Rapid Threat Hunting with Deep Visibility and Storylines – Suroop Chandran

2021 Threat Intelligence Shows Attacks Rising Across the Board – Amber Wolff

Break Free with SonicWall Boundless 2022 – Terri O’Leary

SonicWall’s Bob VanKirk, HoJin Kim & David Bankemper Earn 2022 CRN Channel Chief Recognition – Bret Fitzgerald

Don’t Let Global Supply Chain Issues Impact Your Security – Kayvon Sadeghi

Unpacking the U.S. Cybersecurity Executive Order – Kayvon Sadeghi

Everything Old Is New Again: Remote Access Comes Full Circle – James Whewell

How SonicWall ZTNA protects against Log4j (Log4Shell) – Rishabh Parmar

VMware Workspace ONE Access & Identity Manager (vIDM) RCE Vulnerability

Overview:

  VMware’s Workspace ONE Access, VMware Identity Manager (vIDM), vRealize Lifecycle Manager, vRealize Automation and VMware Cloud Foundation products contain a remote code execution vulnerability due to server-side template injection. A remote, unauthenticated attacker can exploit this vulnerability by sending crafted requests to the server. A successful injection results in remote code execution (RCE), which could lead to information disclosure, addition or modification of data, or denial-of-service conditions. VMware has confirmed that exploitation of CVE-2022-22954 has occurred in the wild.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-22954.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

  Base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 9.8 (E:X/RL:X/RC:X), based on the following metrics:
    • The exploit code maturity level of this vulnerability is not defined.
    • The remediation level of this vulnerability is not defined.
    • The report confidence level of this vulnerability is not defined.

  CVSS Calculator Metrics

Technical Overview:

  SSTI (server-side template injection) attacks can occur whenever user input is concatenated directly into a template rather than being passed in as data, because the template engine then evaluates any template directives the input contains. Attackers exploit this by injecting arbitrary template directives.

  An attacker can execute commands and reverse shell payloads that could result in remote code execution, granting complete control of the server.

  The URL-encoded string passed in the “deviceUdid” parameter is:

Triggering the Problem:

  • The target must be running a vulnerable version of the software.
  • The attacker must have network connectivity to the vulnerable server.
  • The target must have network connectivity to the attacker controlled server.

Triggering Conditions:

  Using the maliciously crafted request, the vulnerability is triggered after the target receives the request below.

  Vulnerable Versions:
    VMware Workspace ONE Access Appliance – 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0
    VMware Identity Manager Appliance – 3.3.6, 3.3.5, 3.3.4, 3.3.3

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP,
    • SSL/TLS

  Client GET Request Below:

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 2642 VMware Workspace ONE Access Server Side Template Injection 1
  • IPS: 2649 VMware Workspace ONE Access Server Side Template Injection 2
  • IPS: 2651 VMware Workspace ONE Access Server Side Template Injection 3

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Applying the vendor supplied patch.
    • Detecting and blocking malicious traffic using the signatures above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory
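  The Technical Overview above notes that the injected directives arrive URL-encoded in a request parameter, and the remediation list pairs patching with detection of malicious traffic. The following Python is an added example of that detection idea, not SonicWall's IPS signature logic: it parses the query string of an HTTP request line, percent-decodes each value (repeatedly, to cope with double encoding) and flags values that carry template directive openers. The parameter name “deviceUdid” is the one named in the advisory; the request lines, the path /example/verify and the function names are constructed for this example.

```python
"""Request-side detection of server-side template injection probes.

Added example (not the advisory's or SonicWall's code). It URL-decodes the
query parameters of an HTTP request line and flags values containing the
opener syntax of common server-side template engines, which is what an
attacker relies on to have the value evaluated instead of treated as data.
"""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Directive openers used by common template engines: "${" (FreeMarker,
# Velocity, Spring EL), "#{" (Thymeleaf, Ruby-style), "{{"/"{%" (Jinja, Twig)
# and "<%" (ERB/JSP style). Matching the opener is enough to flag a value
# for review; the engines' grammars are not reproduced here.
TEMPLATE_MARKERS = re.compile(r"\$\{|#\{|\{\{|\{%|<%")

MAX_DECODE_ROUNDS = 3  # tolerate double/triple URL encoding, but stop eventually


def fully_decode(value):
    """Percent-decode until the value stops changing (bounded rounds)."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request_line(request_line):
    """Return [(param, decoded_value), ...] for parameters that look like SSTI."""
    try:
        _method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return []  # not a well-formed request line; nothing to inspect
    query = urlsplit(target).query
    findings = []
    # parse_qsl performs one round of percent-decoding; fully_decode
    # handles values that were encoded more than once.
    for name, raw in parse_qsl(query, keep_blank_values=True):
        decoded = fully_decode(raw)
        if TEMPLATE_MARKERS.search(decoded):
            findings.append((name, decoded))
    return findings


def scan_requests(lines):
    """Return [(line_index, findings), ...] for every request line that is flagged."""
    flagged = []
    for index, line in enumerate(lines):
        findings = inspect_request_line(line)
        if findings:
            flagged.append((index, findings))
    return flagged


# Constructed sample request lines (not captured traffic).
SAMPLE_REQUESTS = [
    # benign: an ordinary device identifier
    "GET /example/verify?deviceUdid=ab12cd34&error=none HTTP/1.1",
    # single URL encoding of "${constructed}"
    "GET /example/verify?deviceUdid=%24%7Bconstructed%7D HTTP/1.1",
    # double URL encoding of the same value
    "GET /example/verify?deviceUdid=%2524%257Bconstructed%257D HTTP/1.1",
    # a different engine's opener in another parameter
    "GET /example/search?q=%7B%7Bconstructed%7D%7D HTTP/1.1",
]

if __name__ == "__main__":
    for index, findings in scan_requests(SAMPLE_REQUESTS):
        print(index, findings)
```

  The bounded decode loop is the important edge case: a single-pass decoder misses the double-encoded request while an unbounded one can be made to spin on adversarial input. A check like this only complements the vendor patch, since it inspects a single request and cannot see the server-side evaluation itself.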

NSv Virtual Firewall: Tested and Certified in AWS Public Cloud

More than 90% of enterprises use the cloud in some way, with 69% of those considered hybrid cloud users (utilizing both private and public clouds). Along with widespread remote work adoption, this shift is driving the need for scaled-out, distributed infrastructure.

Within this new cloud landscape, security has become more complex as the number of perimeters and integrations grow, and cybercriminals increasingly focus on security gaps and vulnerabilities in cloud implementations. It’s often easier for threat actors to exploit these vulnerabilities than it is to breach hardened components of the cloud deployment.

A next-generation firewall deployed in the cloud can protect critical data stored in the cloud. But it’s important to make sure this firewall provides the same level of security and performance as an on-premises firewall.

Recently, Tolly Group used Keysight Technologies’ brand-new native cloud testing solution — CyPerf — to measure the performance of SonicWall NSv 470 virtual firewall in Amazon Web Services (AWS). AWS is the major public cloud vendor, with a projected 49% market share in enterprise cloud adoption for 2022. AWS recommends a shared responsibility model, meaning AWS is responsible for the security of the cloud, and the customer is responsible for security in the cloud.

What is SonicWall NSv virtual firewall?

SonicWall’s NSv Series virtual firewalls provide all the security advantages of a physical firewall, plus all the operational and economic benefits of the cloud — including system scalability and agility, speed of system provisioning, simple management and cost reduction. NSv delivers full-featured security tools including VPN, IPS, application control and URL filtering. These capabilities shield all critical components of the private/public cloud environments from resource misuse attacks, cross-virtual-machine attacks, side-channel attacks, and common network-based exploits and threats.

What is Keysight Technologies CyPerf?

Keysight CyPerf is the industry’s first cloud-native software solution that recreates every aspect of a realistic workload across a variety of physical and cloud environments. CyPerf deployed across a variety of heterogeneous cloud environments realistically models dynamic application traffic, user behavior and threat vectors at scale. It validates hybrid cloud networks, security devices and services for more confident rollouts.

Putting SonicWall NSv to the Test

Keysight Technologies and Tolly Group engineers tested a SonicWall NSv 470 virtual firewall running SonicOSX version 7. The AWS instance for the NSv 470 under test was AWS C5.2xlarge. The engineers deployed CyPerf agents on AWS C5.n2xlarge instances to be certain that the agents would have sufficient resources to stress the firewall under test. Each of two agent instances was provisioned with 8 vCPUs, 21GB memory and 25GbE network interfaces.

Product Image

Test methodology and results

The engineers used three different traffic profiles to collect results — unencrypted HTTP traffic, encrypted (HTTPS/TLS) traffic, and Tolly’s productivity traffic mix, which includes five applications: JIRA, Office 365, Skype, AWS S3 and Salesforce. Engineers used CyPerf application mix tests to create the Tolly productivity mix and generate stateful, simulated application traffic.

The tests were run against three different security profiles:

1) Firewall: Basic firewall functions with no policy set

2) IPS: Firewall with the intrusion prevention system feature enabled

3) Threat Prevention: Firewall with IPS, antivirus, anti-spyware and application control features enabled

The results observed in the AWS public cloud environment are similar to the results observed in a virtual environment.

Test                  Unencrypted HTTP Traffic   Encrypted HTTPS/TLS Traffic
Firewall Throughput   7.70 Gbps                  3.10 Gbps
IPS Throughput        7.60 Gbps                  3.05 Gbps
Threat Prevention     7.40 Gbps                  3.04 Gbps

Table 1: Test measurements for NSv 470 in AWS Cloud

Note: The table above highlights just a few of the test results. For complete results and test parameters, please download the report.

Conclusion

Most enterprises are moving their datacenters away from traditional on-premises deployments and to the cloud. It is imperative that security teams provide the same level of security for cloud server instances as they have been doing for on-premises physical servers. A next-generation firewall with advanced security services like IPS and application control is the first step to securing cloud instances against cyber threats.

In addition to security features, it is also important to choose a firewall that provides the right level of performance needed for a given cloud workload. The SonicWall NSv series offers a variety of models with performance levels suited to any size of cloud deployment, with all the necessary security features enabled. To learn more about how the SonicWall NSv Series excels in AWS environments, click here.

"TargetCompany" ransomware directed at Carone & Company Inc.

The SonicWall Capture Labs threat research team has observed reports of ransomware which, in the antivirus community, goes by the name TargetCompany. The malware surfaced in June 2021. The current variant that we have obtained is aimed at infecting a construction management company called Carone & Company. Ransom payment and negotiation are initiated via a Tor site that is run by the attackers.

Infection Cycle:

Upon execution, files on the system are encrypted. Each encrypted file is given a “.carone” file extension.

The following command-line prompt appears during the file encryption process:

A file named “How to decrypt files.txt” is dropped into each directory containing encrypted files.

“How to decrypt files.txt” contains the following message:

The malware executable is not packed. It is written in C and is easy to decompile. Decompilation reveals that the following file types are targeted for encryption:

The following registry entries are deleted if they are present:

After encryption of files in the local file system, files on any attached storage shares are targeted:
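The renamed “.carone” files, the dropped “How to decrypt files.txt” note and the spread to attached shares are host-side indicators an incident responder can sweep for. The following Python is an added triage example, not SonicWall's signature or sandbox logic: it walks a directory tree (a mounted share can be passed as the root) and reports every directory holding encrypted-extension files or the note. The sample tree, its directory names and the function names (build_sample_tree, scan_tree, totals, demo) are constructed for this example.

```python
"""Filesystem triage for the TargetCompany indicators described above.

Added example (not SonicWall's detection logic). Walks a tree and reports
directories that show the two host-side indicators from the analysis:
files with the ".carone" extension and the ransom note
"How to decrypt files.txt". The demo tree is constructed in a temporary
directory and removed afterwards.
"""
import os
import shutil
import tempfile

ENCRYPTED_EXT = ".carone"                 # extension given to encrypted files
RANSOM_NOTE = "How to decrypt files.txt"  # note dropped in each affected directory


def scan_tree(root):
    """Return {relative_dir: {"encrypted": count, "note": bool}} for affected dirs."""
    affected = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        encrypted = sum(1 for f in filenames if f.lower().endswith(ENCRYPTED_EXT))
        note = RANSOM_NOTE in filenames
        if encrypted or note:
            affected[os.path.relpath(dirpath, root)] = {"encrypted": encrypted, "note": note}
    return affected


def totals(report):
    """Summarise a scan_tree() report as (affected_dirs, encrypted_files, notes)."""
    dirs = len(report)
    encrypted = sum(entry["encrypted"] for entry in report.values())
    notes = sum(1 for entry in report.values() if entry["note"])
    return dirs, encrypted, notes


def build_sample_tree(root):
    """Create a constructed sample layout: one clean directory, one fully hit
    directory, and one share directory holding only the note."""
    layout = {
        "clean": ["report.docx", "budget.xlsx"],
        "projects": ["plan.docx.carone", "drawings.dwg.carone", RANSOM_NOTE],
        "share": [RANSOM_NOTE],
    }
    for directory, files in layout.items():
        os.makedirs(os.path.join(root, directory), exist_ok=True)
        for name in files:
            with open(os.path.join(root, directory, name), "w") as fh:
                fh.write("constructed sample content\n")


def demo():
    """Build the sample tree in a temp dir, scan it, clean up, return the report."""
    root = tempfile.mkdtemp(prefix="targetcompany-demo-")
    try:
        build_sample_tree(root)
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    report = demo()
    for directory, entry in sorted(report.items()):
        print(directory, entry)
    print("dirs, encrypted files, notes:", totals(report))
```

A directory that holds the note but no renamed files (the "share" case in the sample) is still worth reporting: on a network share it can mean the encryption was interrupted or that the note was written before the file rename completed, and it anchors the timeline when correlated with file modification times.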

The Tor link from the ransom message leads to the following page:

After filling out the form with the ID and email address, we were contacted via email:

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: TargetCompany.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Cybersecurity News & Trends

SonicWall continues to generate a steady flow of hits from various industry and trade publications and bloggers. In general cybersecurity news, some folks in the cybersecurity community are uncomfortable with a loophole found in the Cybersecurity Act of 2022. Another news item raises more concern about a rapidly developing threat to US energy companies. Meanwhile, the feds shut down a hacker’s marketplace; a UK government office apologized for an email breach; there is more malware grief for Microsoft Windows; and the hacker group NB65 claims it used Russian malware tools to hack the Russian space agency.


SonicWall News

Ransomware Response: 5 steps to Protect Your Business

Security Boulevard: Last year was the most costly and dangerous year on record for businesses dealing with ransomware attacks. That’s according to network security experts, SonicWall, who by Q3 2021 were reporting an almost 150% year-on-year increase in ransomware attacks worldwide.

Russia-Ukraine Conflict: The Time for Cyber Security Is Now

Seeking Alpha: “According to security provider SonicWall, ransomware attacks climbed an unprecedented 105% year-over-year in 2021 to a total of 623.3M attacks. Encrypted threats increased 167% year-over-year to 10.1 million, almost as many as 2018, 2019, and 2020 combined.”

Panasonic Canadian Operations Suffer Data Breach

Security Magazine: According to SonicWall’s 2022 Cyber Threat Report, governments worldwide saw a 1,885% increase in ransomware attacks, and the health care industry faced a 755% increase in those attacks in 2021.

Clumio Protect releases turnkey ransomware protection solution for Amazon DynamoDB

VentureBeat: The announcement comes as ransomware attacks are on the rise, with SonicWall researchers recording 623.2 million ransomware attempts in 2021, an increase of 105% from the year before.

Cyber Threats And Ransomware Attacks Surge As The Government And Private Industry Try To Keep Up

Wisconsin Public Radio: According to the SonicWall Cyber Threat Report, ransomware attack volume increased 105% in the last year and is up 232% since 2019. We hear from a cybersecurity expert about what’s being done by the government and the private sector to push back against the flood of digital and online threats.

Enterprise Infrastructure VPN: Which solution is best?

IDG Connect: In a review of SonicWall Netextender, the author says that SonicWall “enforces granular access policies and extends network access through native clients. It also enhances firewall encryption and security by redirecting all client traffic through VPN.”

Rise of RaaS

Professional Security Magazine: In fact, the number of ransomware attacks has been so frequent that SonicWall’s 2022 Cyber Threat Report revealed governments worldwide saw a 1,885 per cent increase in 2021.

Industry News

Cybersecurity Act of 2022: A Step in the Right Direction with a Significant Loophole

Dark Reading: Recently, the Strengthening American Cybersecurity Act 2022 passed without any partisan debate, such are the cyberthreats facing the United States and the rest of the world. Most cybersecurity communities were pleased to see Congress quickly act on this critical issue. However, some were alarmed by a loophole in the legislation that may hinder a basic tenet of the bill to share cyber security information across all platforms to increase cybersecurity. This loophole includes a complete exclusion of DNS services from reporting requirements and other obligations required of all other companies and entities. This article explains what appears to be an astonishing and deliberate omission in detail. MeriTalk posted a related story. The CISA will roll out a new protected Domain Name System technology (DNS) in 2022 under the Trusted Internet Connections program. Although the new DNS technology will strengthen protections, there are no provisions to share WHOIS or other DNS operations or make cyber security incidents easier to report and track.

US Warns Energy Firms of A Rapidly Advancing Hacking Threat

EnergyWire/E&E News: US intelligence services and the Department of Energy reported that “custom-made malware” was discovered targeting electricity and natural gas infrastructure systems. The FBI and CISA issued a joint alert urging energy companies to strengthen their cybersecurity defenses against a possible attack that could gain “full system access.” This news comes after the Ukrainian government announced Tuesday that it had stopped an attack by the “Sandworm,” an elite Russian hacking group, to disrupt industrial control systems (ICS) that run high-voltage substations. It is possible that the attack would have caused temporary power outages to 2 million people if it had been successful (MIT Technology Review). ARS Technica reports that the FBI and CISA have discovered a “Swiss Army Knife” that can hack industrial control systems. The hack tool, dubbed “Pipedream”, is a versatile malware toolkit designed explicitly for refineries and power grids. This report follows a CISA “shields-up” alert regarding cybersecurity awareness that Forbes reported in February.

Feds Shut Down RaidForums Hacking Marketplace

ThreatPost: US law enforcement shut down the largest cybercriminal online forum in the world and announced federal charges against 21-year-old Portuguese citizen Diogo Santos Coelho on six criminal counts, including conspiracy, access device fraud and aggravated identity theft. Security professionals pointed out that hackers will still be able to buy and sell data stolen in cyber-attacks, so this takedown is unlikely to cause a lasting disruption. On Tuesday, the Department of Justice (DoJ) announced that it had seized three domains to shut down RaidForums, an English-language online marketplace used by cybercriminals to purchase and sell databases taken from companies through ransomware or other cyber-attacks. According to a Tuesday press release, the domains that federal agents seized after they obtained judicial authorization were “raidforums.com,” “Rf.ws” and “Raid.lol”.

Home Office’s Visa Service Apologizes for Email Address Data Breach

The Guardian: The UK’s Home Office’s Visa Service has apologized for a data breach that saw the email addresses of over 170 people accidentally copied into an email sent last week. On 7 April 2022, a message was sent to more than 170 addresses about the need to change the location of a visa appointment with the UK Visa and Citizenship Application Service. Private contractor Sopra Steria manages the UKVCAS on behalf of the Home Office. Some email addresses looked like personal Gmail accounts, while others were associated with lawyers from various firms.

Investigation Into A Computer Breach Involves City Officials And Employees

Fox News (Cleveland): An investigation is ongoing into a computer security breach in the City of Cleveland. Multiple sources claimed it occurred on Saturday. A message was sent to officials and employees of the city, stating that it had been reported. The message said, “We have identified an account compromised on our network trying to harvest log-in passwords.”

Advisory: Hackers Are Using a Simple Trick To Hide Their Windows Malware

ZDNet: Microsoft exposed Tarrask as malware likely to have been created by a state-sponsored hacking organization in China. The program targets Windows computers and makes invisible software updates. The malware was attributed to Hafnium by the Windows maker, the same hacking group that the US and UK blamed for the Exchange Server hacks last year. Tarrask malware causes Windows to run unscheduled tasks and can be installed on Windows machines and remain there undetected after a reboot. The malware uses the Windows Task Scheduler, which admins can use to automate tasks like software updates for browsers or other apps. However, in this instance, the attackers are the ones using it.

Anonymous-Affiliated Hacking Group Used Russia’s Own Ransomware Against Russian Space Agency

Daily Mail (UK): Last month, Anonymous-affiliated Network Battalion 65 claimed it had stolen files from Russia’s space agency Roscosmos. It claimed it also had taken down Roscosmos satellites. Dmitry Rogozin, the head of the agency, denied that it had lost control over its systems and called out the group’s claims as a scam. However, according to a wide swath of cybersecurity experts and Russia-watchers, and as verified by several news outlets, the ransomware ‘Conti’ was indeed used by the NB65 group in a successful hack of Roscosmos. This brings us to the last bit of irony: Conti originates from a Russian cyber-crime organization of the same name.


In Case You Missed It

Microsoft Security Bulletin Coverage for April 2022

The SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of April 2022. A list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2022-24474 Windows Win32k Elevation of Privilege Vulnerability
ASPY 315: Malformed-File exe.MP_249

CVE-2022-24481 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 316: Malformed-File exe.MP_250

CVE-2022-24491 Windows Network File System Remote Code Execution Vulnerability
IPS 81080: Malformed RPC Portmapper Request 2

CVE-2022-24497 Windows Network File System Remote Code Execution Vulnerability
IPS 81090: Malformed RPC Portmapper Request 3

CVE-2022-24521 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 310: Malformed-File exe.MP_244

CVE-2022-24542 Windows Win32k Elevation of Privilege Vulnerability
ASPY 317: Malformed-File exe.MP_251

CVE-2022-24546 Windows DWM Core Library Elevation of Privilege Vulnerability
ASPY 313: Malformed-File exe.MP_247

CVE-2022-24547 Windows Digital Media Receiver Elevation of Privilege Vulnerability
ASPY 312: Malformed-File exe.MP_246

CVE-2022-26809 Remote Procedure Call Runtime Remote Code Execution Vulnerability
IPS 15757: RPC Microsoft RPC Runtime Remote Code Execution (CVE-2022-26809)

CVE-2022-26904 Windows User Profile Service Elevation of Privilege Vulnerability
ASPY 314: Malformed-File exe.MP_248

CVE-2022-26914 Win32k Elevation of Privilege Vulnerability
ASPY 311: Malformed-File exe.MP_245

Adobe Coverage:
CVE-2022-28244 Acrobat Reader Arbitrary code execution
ASPY 318: Malformed-File pdf.MP_523
CVE-2022-27799 Acrobat Reader Arbitrary code execution
ASPY 319: Malformed-File pdf.MP_524
CVE-2022-24102 Acrobat Reader Arbitrary code execution
ASPY 320: Malformed-File pdf.MP_525

The following vulnerabilities do not have exploits in the wild:
CVE-2022-21983 Win32 Stream Enumeration Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-22008 Windows Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-22009 Windows Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-23257 Windows Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-23259 Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-23268 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-23292 Microsoft Power BI Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2022-24472 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2022-24473 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-24475 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-24479 Connected User Experiences and Telemetry Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-24482 Windows ALPC Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-24483 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-24484 Windows Cluster Shared Volume (CSV) Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-24485 Win32 File Enumeration Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-24486 Windows Kerberos Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-24487 Windows Local Security Authority (LSA) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-24488 Windows Desktop Bridge Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-24489 Cluster Client Failover (CCF) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-24490 Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-24492 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-24493 Microsoft Local Security Authority (LSA) Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-24494 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-24495 Windows Direct Show – Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-24496 Local Security Authority (LSA) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-24498 Windows iSCSI Target Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-24499 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-24500 Windows SMB Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-24513 Visual Studio Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-24523 Microsoft Edge (Chromium-based) Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2022-24527 Windows Endpoint Configuration Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-24528 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-24530 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-24532 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-24533 Remote Desktop Protocol Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-24534 Win32 Stream Enumeration Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-24536 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-24537 Windows Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-24538 Windows Cluster Shared Volume (CSV) Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-24539 Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-24540 Windows ALPC Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-24541 Windows Server Service Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-24543 Windows Upgrade Assistant Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-24544 Windows Kerberos Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-24545 Windows Kerberos Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-24548 Microsoft Defender Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-24549 Windows AppX Package Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-24550 Windows Telephony Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-24765 GitHub: Uncontrolled search for the Git directory in Git for Windows
There are no known exploits in the wild.
CVE-2022-24767 GitHub: Git for Windows’ uninstaller vulnerable to DLL hijacking when run under the SYSTEM user account
There are no known exploits in the wild.
CVE-2022-26783 Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-26784 Windows Cluster Shared Volume (CSV) Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-26785 Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-26786 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26787 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26788 PowerShell Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26789 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26790 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26791 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26792 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26793 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26794 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26795 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26796 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26797 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26798 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26801 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26802 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26803 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26807 Windows Work Folder Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26808 Windows File Explorer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26810 Windows File Server Resource Management Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26811 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26812 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26813 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26814 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26815 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26816 Windows DNS Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-26817 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26818 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26819 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26820 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26821 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26822 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26823 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26824 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26825 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26826 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26827 Windows File Server Resource Management Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26828 Windows Bluetooth Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26829 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26830 DiskUsage.exe Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26831 Windows LDAP Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-26832 .NET Framework Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-26891 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26894 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26895 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26896 Azure Site Recovery Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26897 Azure Site Recovery Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26898 Azure Site Recovery Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26900 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26901 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26903 Windows Graphics Component Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26907 Azure SDK for .NET Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-26908 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26909 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26910 Skype for Business and Lync Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2022-26911 Skype for Business Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-26912 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26915 Windows Secure Channel Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-26916 Windows Fax Compose Form Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26917 Windows Fax Compose Form Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26918 Windows Fax Compose Form Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26919 Windows LDAP Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26920 Windows Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-26921 Visual Studio Code Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26924 YARP Denial of Service Vulnerability
There are no known exploits in the wild.

Cybersecurity News & Trends

SonicWall keeps up the pressure in global trade news with more ink for the 2022 SonicWall Cyber Threat Report and general mentions from online magazines that cater to cybersecurity vendors. In cybersecurity news, several topics received strong coverage: analysis of the vulnerabilities found in data centers and an inside perspective on the US-China cyberwar. In other news, a breakdown of three major SaaS attacks, Block (formerly Square) reports a massive breach of customer data, Russian state media is hacked by an Anonymous affiliate, and the FBI says it stopped a Russian botnet attack.


SonicWall News

Cyber Threats Surge as Government And Private Industry Try To Keep Up

NPR-Wisconsin Public Radio: According to the SonicWall Cyber Threat Report, ransomware attack volume increased 105% in the last year and has been up 232% since 2019. We hear from cybersecurity experts on what’s being done by the government and the private sector to push back against the flood of digital and online threats.

How can Healthcare Prepare for a “WannaCry 2”?

Healthcare Innovations: Governments worldwide saw a 1,885% increase in ransomware attacks in 2021, and the healthcare industry faced a 755% increase in those attacks, according to the SonicWall 2022 Cyber Threat Report. Of the victims, the United States came out on top. Most of these attacks have been found to have originated in Russia.

Russia-Ukraine Conflict: The Time for Cybersecurity Is Now

Seeking Alpha: Cybersecurity has always been a concern for individuals, corporations, and governments. However, the current conflict exacerbates the broader trend of attacks as they continue to increase in size, volume, and sophistication. This poses significant financial, reputational, and legal risks for the agencies targeted. For example, according to security provider SonicWall, ransomware attacks climbed an unprecedented 105% year-over-year in 2021 to 623.3M attacks. In addition, encrypted threats increased 167% year-over-year to 10.1 million, almost as many as 2018, 2019, and 2020 combined.

Buncombe County IT Requests Extra Funding to Bolster Cybersecurity

ABC 13 News (North Carolina): Buncombe County’s IT department wants to enhance its cyberdefense. County commissioners will consider a request from Buncombe County IT for $225,197 to augment and strengthen the county’s cybersecurity program. Governments worldwide saw a 1,885% increase in ransomware attacks, according to the 2022 Cyber Threat Report released by SonicWall, an internet cybersecurity company.

Mafia Moves: How to Combat Ransomware Extortion

Security Magazine (Event Announcement): Ransomware is big business, and no company is immune. In fact, ransomware attacks doubled last year, jumping 105% compared to 2020 (SonicWall). A ransomware attack can devastate a company by encrypting all its data and offering only one viable path to recovery: money. In this session, we will walk you through the anatomy of a ransomware attack, where you will learn step by step what to expect.

Ransomware Response: 5 Steps to Protect Your Business

Techspective: Last year was the most costly and dangerous year for businesses dealing with ransomware attacks. According to network security experts, by Q3 2021, SonicWall was reporting an almost 150% increase in ransomware attacks worldwide.

SonicWall: Security That Can be Licensed

CRN (Poland): SonicWall celebrated its 30th anniversary last year. Over that time, the company developed solutions that make up an integrated security environment, one that has gained the recognition of industry experts and millions of satisfied customers worldwide.

SonicWall’s Next-Generation Wi-Fi Solution for Small And Medium-Sized Enterprises

BCN (Japan): With the push for workstyle reforms and the coronavirus pandemic, even small and medium-sized enterprises are becoming more mobile within the company. However, the security measures of the Wi-Fi products they deploy are often weak, and there are conspicuous cases where they are exposed to unauthorized access and malware from outside. SonicWall Japan’s enterprise Wi-Fi solution offers advanced security functions that provide real-time protection from known and unknown threats, along with management features that reduce the person-hours needed at deployment and significantly cut the administrator’s ongoing time and effort.

Industry News

Physical Infrastructure Cybersecurity: A Growing Problem for Data Centers

Facility managers have more control than ever over modern data center infrastructure management (DCIM) platforms and other tools. As a result, managing data centers is now more efficient, scalable, faster and more effective than ever before. And, as it turns out, their physical infrastructure is now more vulnerable to cyberattacks than ever before. According to DataCenterKnowledge, research revealed that thousands of data center management systems were exposed to the Internet. Any attacker with access to an infrastructure management platform may be able to manipulate cooling systems, which can cause servers to overheat and damage critical components. They could also upload malicious backup files or disrupt backup processes. In addition, The Hacker News reported that attackers can remotely hack and disable uninterruptible power supply (UPS) systems whose dashboards are accessible via the Internet. Dark Reading noted that the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy (DoE) distributed a joint alert last week warning that threat actors are hacking Internet-connected UPS devices, typically via default username and password combinations.

Russian-Backed Hackers Spreading Disinformation on Facebook

The Hill: A new Facebook report found that government-affiliated hackers from Russia and Belarus attempted to use the social media platform for cyber espionage and disinformation campaigns targeting Ukrainians. The hackers attacked the Ukrainian telecom industry and the defense and energy sectors. They also targeted tech platforms, journalists, and activists. Facebook claimed it had stopped a disinformation campaign associated with the Belarusian KGB; the campaign posted that Ukrainian troops were surrendering and that leaders had fled the country after Russia invaded. The tech company claimed it had disabled the account and ended the campaign the same day. In a related report, CNN reported that Ukrainian soldiers found their Facebook accounts targeted by hackers, some posing as journalists and independent news outlets online to push Russian talking points and running coordinated campaigns to get posts by critics of Russia removed from social media. And The Verge reported that hackers also planted false reports of a Ukrainian surrender into on-screen messages during live broadcast news. Though such statements are quickly disproved, experts have suggested that their purpose is to erode Ukrainians’ trust in media.

Hacked: Inside the US-China Cyberwar

AlJazeera: The United States has a long history of cyberespionage. However, cyberespionage has also been a long-standing problem for the government and private businesses in the United States. The Chinese government has been building up its technological, economic and military capabilities to become a global leader in cyberwarfare since the late 1990s. Experts claim that China now welcomes its citizen hacker groups as a resource to counter aggressive actions by US-based attackers. Once dismissed as patriotic internet nerds, Chinese hackers are emerging in the mainstream as China and the US fight in cyberspace, and there are many allegations that these hackers are state-sponsored. In a separate report, Bloomberg says suspected state-sponsored Chinese hackers recently targeted India’s power generation sector as part of an apparent ongoing cyber-espionage campaign.

Breaking Down 3 SaaS App Cyber Attacks in 2022

The Hacker News: Three major tech companies, among them Okta and HubSpot, reported data breaches last week. The first two were carried out by DEV-0537 (also known as LAPSUS$), a highly skilled group that uses state-of-the-art attack vectors with great success. The identity of the HubSpot attackers was not revealed. This article is on our recommended reading list: it provides a solid forensic examination of the evidence behind the three breaches, based on publicly available information, together with best practices that could help other companies reduce the chance of similar attacks.

Block Confirms Cash App Breach After Former Employee Accessed US Customer Data

TechCrunch: Block has confirmed a data breach involving a former employee who downloaded reports from Cash App that contained some US customer information. In a filing with the Securities and Exchange Commission (SEC) on April 4, Block — formerly known as Square — said that the reports were accessed by the insider on December 10. Mashable reported separately that the company notified 8.2 million US customers of the data breach, noting that the compromised data included their customers’ full names and brokerage portfolio values.

Anonymous Affiliate NB65 Breached State-Run Russian Broadcaster

HackRead: NB65 (Network Battalion 65) is a hacker group linked with the Anonymous hacktivist collective. The group claims to have breached the servers of the Russian state-run television and radio broadcaster, the “All-Russia State Television and Radio Broadcasting Company” (VGTRK). The data leak reportedly contains 4,000 files and more than 900,000 emails from VGTRK.

FBI Says It Disrupted Russian Hackers

Reuters: The FBI says that its cyber defense unit wrested control of thousands of routers and firewall appliances away from Russian military hackers by hijacking the same infrastructure Moscow’s spies were using to communicate with the devices, US officials said on Wednesday. An unsealed, redacted affidavit described the unusual operation as a pre-emptive move to stop Russian hackers from mobilizing the compromised devices into a “botnet,” a network of hacked computers that can bombard other servers with rogue traffic. FoxNews reports that the operation involved thousands of infected network hardware devices under the control of a threat actor known as Sandworm, which the US government previously attributed to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (the GRU). The Daily Mail (UK) added that by hijacking Moscow’s own command infrastructure, the FBI stopped the botnet in its tracks before the compromised devices could be put to use.


In Case You Missed It