Cybersecurity News & Trends

Curated stories about cybersecurity news and trends from major news outlets, trade pubs and infosec bloggers.

SonicWall finishes an intense week with news articles citing the 2022 Cyber Threat Report, a quote from Bill Conner, and articles written by our frontline cybersecurity experts. From industry news, we have three big reads. One is about the day the Internet died a few hours earlier in the week, compiled from posts by ComputerWorld, Bleeping Computer and ZDNet. From Bleeping Computer, we learned that Conti was busy with the ARMattack campaign, ransoming 40 organizations in only one month. Finally, from Dark Reading and CSO Online, according to researchers, there are 56 vulnerabilities in operational technology products used in everything from factories to hospitals. Is our technology insecure by design?

Remember, cybersecurity is everyone’s business. Be safe out there!

SonicWall News

Best Practices for Protecting Against Phishing, Ransomware and Email Fraud

CXOtoday (India), SonicWall Byline: Security teams and the organizations they support live in difficult times: they increasingly are the targets of sophisticated threats developed by a shadowy and very well financed cybercrime industry that has demonstrated it can often outsmart even the most robust security defenses.

Dicker Data, Hitech Support, Next Telecom, Datacom score SonicWall Honors

CRN (Australia), SonicWall News: “SonicWall has awarded Australian partners Dicker Data, Hitech Support, Next Telecom, Datacom System and Dell Australia for their work at its Asia-Pacific Partner Awards for the 2022 financial year.”

What is a Cyberattack? Types and Defenses

eSecurity Planet, SonicWall Threat Report Mention: Driven by the global pandemic, the increase in remote and hybrid work, and unprepared network defenses, cyberattacks have been rising exponentially. The 2022 SonicWall Cyber Threat Report found that all types of cyberattacks increased in 2021. Encrypted threats spiked 167%, ransomware increased 105%, and 5.4 billion malware attacks were identified by the report.

Ransomware, the Cyberattack that Set Off Alarms in Latin America

Forbes Colombia, SonicWall Threat Report Mention: The Cyber Threat Report 2022 of the US firm SonicWall, shows a rebound of 105% in data hijacking last year, surpassing 623 million attacks worldwide – almost twenty attempts per second – with the United States in the lead (421 million or 67.5% of the total).

Buy Access to a Company’s Data on the Dark Web for Less Than The Cost of a MacBook

Tech Radar Pro, Bill Conner Quote: “Ransomware attacks have simply exploded last year. Recent figures from SonicWall recorded more than 600 million ransomware attacks took place across the world in 2021, representing an increase of 105% compared to the year before. Compared to 2019, the figures are even worse, showing a rise of 232%. Cyberattacks become more attractive and potentially more disastrous as dependence on information technology increases,” said SonicWall President and CEO Bill Conner.

Russia’s Invasion of Ukraine Elevates Cybersecurity Concerns for Emerging Markets

Oxford Business Group, Threat Report Mention: According to security vendor SonicWall, ransomware attacks were up 105% in 2021, including a 1885% increase in attacks on government agencies, 755% in the health care sector, 152% in education and 21% in retail.

Fortinet vs. SonicWall: Enterprise Wireless LAN Comparison

Enterprise Networking Planet, Product Comparison: Fortinet and SonicWall are both well regarded enterprise wireless LAN vendors. This article will help you decide which solution is best for your business.

Detecting the Silent Cryptojacking Parasite to Remain Disease-free

Teiss, Published Byline: Immanuel Chavoya at SonicWall describes the dangers of cryptojacking, a damaging and parasitical use of an organization’s computer resources.

Digital Infrastructure Becomes Pivotal for Businesses and Personal Lives

Markers (APAC), SonicWall Executive Interview: Digital transformation is disrupting businesses across the globe as digital infrastructure becomes pivotal for success and survival post-Covid-19. Over the years since the pandemic hit, we have witnessed a huge surge in digital platforms and tools used in business operations, which in turn has increased the risk of cyberattacks. At this juncture, next-gen cybersecurity solution providers play a significant role. Here is an interview with Debasish Mukherjee, Vice President, Regional Sales, APJ at SonicWall, sharing his views on the cybersecurity market post-pandemic, threats to businesses, key cybersecurity recommendations, and how SonicWall can help organizations overcome these challenges.

Industry News

Half of the Internet died earlier this week

Compiled from Multiple Sources: An outage on Cloudflare’s servers led to many websites and services going down. The resulting blackout affected significant services like Google, AWS and Twitter. Although the online security company quickly identified and fixed the problem (the service was down for a few minutes), it created a flurry of worry and spun up rumors about the cause.

Initially, we were all left in the dark about the nature of the blackout, which was even more worrisome as ComputerWorld reported major disruptions to large areas. Customers trying to access Cloudflare-supported websites experienced ‘500 errors’ (Internal server errors) for approximately two hours before the service was restored around 9 am GMT.

Bleeping Computer reported that the event was reminiscent of another outage when Cloudflare stopped a 26 million request-per-second DDoS attack, which was the most severe ever recorded. The record-breaking attack, which occurred last week, targeted one of Cloudflare’s customers using the Free plan. Experts speculated that the threat actor behind the attack used stolen servers and virtual machines, as it originated from Cloud Service Providers rather than weaker IoT devices from compromised Residential Internet Service Providers.

ZDNet updated the story with a Cloudflare apology that blamed the outage THIS week on a configuration error during a “routine” network upgrade.

Conti Ransomware Hacking Spree Breaches Over 40 Orgs in a Month

Bleeping Computer: Conti is a cybercrime syndicate that runs one of the most aggressive ransomware campaigns. It has become highly organized to the point where affiliates were able to hack more than 40 primarily US-based businesses in just over a month.

Security researchers identified the hacking campaign as “ARMattack” and said it was one of the group’s most productive and effective. ARMattack was also very fast, considering how quickly the group compromised the networks. The ransom amounts demanded are unknown, as is whether any victims paid.

Bleeping Computer also claims Conti is currently the third most frequent ransomware gang in terms of attack frequency.

The number of victims who have not paid Conti ransoms increased to 859; however, this count is based only on publicly available data on the group’s leak site, so the real number is probably higher.

This number shows that Conti has published data from at least 35 organizations that did not pay ransom each month.

Insecure By Design: 56 Vulnerabilities Discovered in OT Products

Dark Reading: A new analysis of data from multiple sources has uncovered 56 vulnerabilities in Operational Technology (OT) products from 10 vendors, including notable ones such as Honeywell, Siemens, and Emerson.

These security issues are collectively called OT:ICEFALL. They stem from insecure or weak cryptographic implementations, weak authentication schemes, insecure firmware update mechanisms and improperly protected native functionality that attackers can abuse for remote code execution. CSO Online reports that 14% of the vulnerabilities could lead to remote code execution, and 21% could allow firmware manipulation.

The problem stems from device vendors not including basic security features such as encryption and authentication. These vulnerable devices are also often older products that their owners continue to use, even though better options exist. Adding to this is an element of false confidence: many of the vulnerable products have been audited and certified as safe for OT networks.

Researchers compared their findings with those from Project Basecamp, conducted ten years ago. Then as now, they focused on insecure-by-design problems in remote terminal units (RTUs), programmable logic controllers (PLCs) and other controllers in SCADA (Supervisory Control and Data Acquisition) systems used in industrial installations.

The bottom line: the vulnerabilities are still present.

In Case You Missed It

Enhance Security and Control Access to Critical Assets with Network Segmentation – Ajay Uggirala

Office Documents are Still Not Safe for Cybersecurity – Ray Wyman

Three Keys to Modern Cyberdefense: Affordability, Availability, Efficacy – Amber Wolff

BEC Attacks: Can You Stop the Imposters in Your Inbox? – Ken Dang

SonicWall CEO Bill Conner Selected as SC Media Excellence Award Finalist – Bret Fitzgerald

Cybersecurity in the Fifth Industrial Revolution – Ray Wyman

What is Cryptojacking, and how does it affect your Cybersecurity? – Ray Wyman

Why Healthcare Must Do More (and Do Better) to Ensure Patient Safety – Ken Dang

SonicWall Recognizes Partners, Distributors for Outstanding Performance in 2021 – Terry Greer-King

Anti-Ransomware Day: What Can We Do to Prevent the Next WannaCry? – Amber Wolff

CRN Recognizes Three SonicWall Employees on 2022 Women of the Channel List – Bret Fitzgerald

Enjoy the Speed and Safety of TLS 1.3 Support – Amber Wolff

Four Cybersecurity Actions to Lock it All Down – Ray Wyman

Understanding the MITRE ATT&CK Framework and Evaluations – Part 2 – Suroop Chandran

Five Times Flawless: SonicWall Earns Its Fifth Perfect Score from ICSA Labs – Amber Wolff

NSv Virtual Firewall: Tested and Certified in AWS Public Cloud – Ajay Uggirala

How SonicWall’s Supply-Chain Strategies Are Slicing Wait Times – Amber Wolff

SonicWall SMA 1000 Series Earns Best-Of Enterprise VPNs Award from Expert Insights – Bret Fitzgerald

World Backup Day: Because Real Life Can Have Save Points Too – Amber Wolff

CRN Honors SonicWall With 5-Star Rating in 2022 Partner Program Guide – Bret Fitzgerald

Cyberattacks on Government Skyrocketed in 2021 – Amber Wolff

Meeting the Cybersecurity Needs of the Hybrid Workforce – Ray Wyman

Third-Party ICSA Testing – Perfect Score Number 4 – Kayvon Sadeghi

Ransomware is Everywhere – Amber Wolff

Shields Up: Preparing for Cyberattacks During Ukraine Crisis – Aria Eslambolchizadeh

Enhance Security and Control Access to Critical Assets with Network Segmentation

Before COVID-19, most corporate employees worked in offices, using computers connected to the internal network. Once users connected to these internal networks, they typically had access to all the data and applications without many restrictions. Network architects designed flat internal networks where the devices in the network connected with each other directly or through a router or a switch.

But while flat networks are fast to implement and have fewer bottlenecks, they’re extremely vulnerable — once compromised, attackers are free to move laterally across the internal network.

Designing flat networks at a time when all the trusted users were on the internal networks might have been simpler and more efficient. But times have changed: Today, 55% of those surveyed say they work more hours remotely than at the physical office. Due to the rapid evolution of the way we work, corporations must now contend with:

  • Multiple network perimeters at headquarters, in remote offices and in the cloud
  • Applications and data scattered across different cloud platforms and data centers
  • Users who expect the same level of access to internal networks while working remotely

While this is a complex set of issues, there is a solution. Network segmentation, when implemented properly, can unflatten the network, allowing security admins to compartmentalize internal networks and provide granular user access.

What is network segmentation?

The National Institute of Standards and Technology (NIST) offers the following definition for network segmentation: “Splitting a network into sub-networks; for example, by creating separate areas on the network which are protected by firewalls configured to reject unnecessary traffic. Network segmentation minimizes the harm of malware and other threats by isolating it to a limited part of the network.”

The main principle of segmentation is making sure that each segment is protected from the other, so that if a breach does occur, it is limited to only a portion of the network. Segmentation should be applied to all entities in the IT environment, including users, workloads, physical servers, virtual machines, containers, network devices and endpoints.

Connections between these entities should be allowed only after their identities have been verified and proper access rights have been established. The approach of segmenting with granular and dynamic access is also known as Zero Trust Network Access (ZTNA).

As shown in Figure 1, instead of a network with a single perimeter, inside which entities across the network are freely accessible, a segmented network environment features smaller network zones with firewalls separating them.

Achieving network segmentation

Implementing segmentation may seem complex, and figuring out the right place to start might seem intimidating. But by following these steps, it can be achieved rather painlessly.

1. Understand and Visualize

Network admins need to map all the subnets and virtual local area networks (VLANs) on the corporate networks. Visualizing the current environment provides a lot of value right away in understanding both how to and what to segment.

At this step, network and security teams also need to work together to see where security devices such as firewalls, IPS and network access controls are deployed in the corporate network. An accurate map of the network and a complete inventory of security systems will help tremendously in creating efficient segments.

2. Segment and Create Policies

The next step in the process is to create the segments themselves: Large subnets or zones should be segmented, monitored and protected with granular access policies. Segments can be configured based on a variety of categories, including geo-location, corporate departments, server farms, data centers and cloud platforms.

After defining segments, create security policies and access-control rules between those segments. These policies can be created and managed using firewalls, VLANs or secure mobile access devices. In most cases, security admins can simply use existing firewalls or secure mobile access solutions to segment and create granular policies. It’s best for administrators to ensure that segments and policies are aligned with business processes.

3. Monitor and Enforce Policies

After creating segments and policies, take some time to monitor the traffic patterns between those segments. The first time the security policies are enforced, it may cause disruption to regular business functions. So it’s best to apply policies in non-blocking or alert mode and monitor for false positives or other network errors.

Next, it’s time to enforce policies. Once the individual policies are pushed, each segment is protected from cyber attackers’ lateral movements and from internal users trying to reach resources they are not authorized to use. It’s a good idea to continuously monitor and apply new policies as needed whenever there are changes to networks, applications or user roles.
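To make the three steps concrete, here is an added example (not SonicWall’s code and not any product’s API) that walks through them in Python: a constructed subnet inventory is mapped into segments (step 1), explicit allow rules are defined between segments with everything else denied (step 2), and a constructed flow log is evaluated first in alert mode and then in enforce mode (step 3). Segment names, addresses, rules and flows are all assumptions made for illustration.

```python
"""Policy-based segmentation walkthrough (added example; not SonicWall code).

Step 1 maps subnets to named segments, step 2 defines least-privilege rules
between segments, step 3 evaluates observed flows first in alert mode (log
violations, block nothing) and then in enforce mode. Addresses, rules and
flows are constructed for this example.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

ANY = "*"

# Step 1: inventory of subnets/VLANs, grouped into segments (constructed).
SEGMENTS = {
    "corp_users": [ipaddress.ip_network("10.10.0.0/16")],
    "finance_servers": [ipaddress.ip_network("10.20.5.0/24")],
    "guest_wifi": [ipaddress.ip_network("192.168.50.0/24")],
    "vpn_remote": [ipaddress.ip_network("172.16.0.0/20")],
}


@dataclass(frozen=True)
class Rule:
    src: str          # source segment name, or ANY
    dst: str          # destination segment name, or ANY
    ports: frozenset  # allowed destination TCP ports, or frozenset({ANY})


# Step 2: explicit allow rules between segments; any flow not matched is denied.
POLICY = [
    Rule("corp_users", "finance_servers", frozenset({443})),   # users reach the finance web app only
    Rule("vpn_remote", "finance_servers", frozenset({443})),   # same for remote users over VPN
    Rule("corp_users", "corp_users", frozenset({ANY})),        # unrestricted inside the user segment
]


def segment_of(ip: str) -> str:
    """Return the segment an address belongs to, or 'unmapped' if none matches."""
    addr = ipaddress.ip_address(ip)
    for name, nets in SEGMENTS.items():
        if any(addr in net for net in nets):
            return name
    return "unmapped"


def is_allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Default-deny lookup: True only if some rule covers the segment pair and port."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    for rule in POLICY:
        if rule.src in (src, ANY) and rule.dst in (dst, ANY):
            if ANY in rule.ports or dst_port in rule.ports:
                return True
    return False


def evaluate(flows, mode: str = "alert") -> list:
    """Step 3: return (src_seg, dst_seg, port, action) for each flow.

    mode='alert' reports violations without blocking (the tuning phase);
    mode='enforce' blocks them.
    """
    if mode not in ("alert", "enforce"):
        raise ValueError("mode must be 'alert' or 'enforce'")
    deny_action = "alert" if mode == "alert" else "block"
    out = []
    for src_ip, dst_ip, port in flows:
        action = "allow" if is_allowed(src_ip, dst_ip, port) else deny_action
        out.append((segment_of(src_ip), segment_of(dst_ip), port, action))
    return out


def violation_summary(results) -> Counter:
    """Aggregate non-allowed flows by (src_seg, dst_seg, port) for admin review."""
    return Counter((s, d, p) for s, d, p, a in results if a != "allow")


# Constructed flow log: (src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = [
    ("10.10.4.7", "10.20.5.10", 443),      # user -> finance web app: allowed
    ("10.10.4.7", "10.20.5.10", 445),      # user -> finance SMB: a lateral-movement path
    ("192.168.50.23", "10.20.5.10", 443),  # guest wifi -> finance: never allowed
    ("172.16.3.9", "10.20.5.10", 443),     # VPN user -> finance web app: allowed
    ("10.10.4.7", "10.10.9.1", 3389),      # user -> user within the same segment: allowed
    ("10.10.4.7", "10.20.5.10", 22),       # admin SSH not yet in policy: candidate false positive
]

if __name__ == "__main__":
    tuned = evaluate(SAMPLE_FLOWS, mode="alert")
    print("alert-mode review:", dict(violation_summary(tuned)))
    for row in evaluate(SAMPLE_FLOWS, mode="enforce"):
        print(row)
```

The alert-mode summary is what an admin reviews before switching to enforce: the SSH flow from the user segment is the kind of legitimate but unlisted traffic that surfaces as a false positive and gets its own rule, while the guest-to-finance and SMB flows are exactly the lateral paths segmentation is meant to close.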

Policy-based segmentation: A way forward for distributed networks

What today’s enterprises require is a way to deliver granular policy enforcement to multiple segments within the network. Through segmentation, companies can protect critical digital assets against any lateral attacks and provide secure access to remote workforces.

The good news is that, with the power and flexibility of a next-generation firewall (NGFW) and with other technologies such as secure mobile access and ZTNA solutions, enterprises can safeguard today’s distributed networks by enforcing policy-based segmentation.

SonicWall’s award-winning hardware and advanced technologies include NGFWs, Secure Mobile Access and Cloud Edge Secure Access. These solutions are designed to allow any network — from small businesses to large enterprises, from the datacenter to the cloud — to segment and achieve greater protection with SonicWall.

Learn more about how segmenting your network can help you enhance security and control access to your organization’s critical assets.

Office Documents are Still Not Safe for Cybersecurity

Emotet is back. Word, Excel and other Office 365 files are still a critical cyberthreat vector. How do we stop it?

Although it was almost a week late, Tom finally received the pricing proposal from Tetome Supply.

He was excited to begin reviewing it. However, he knew from the quarterly cybersecurity courses that he should be cautious. So he carefully studied the email address and name of the sender and made sure that the attachment was a Word document and not a .exe file. He was further reassured by the email’s text, in which the sender thanked him for being patient and inquired about his new puppy.

Tom was sipping his morning coffee as he scanned the headlines from the day on his smartphone. A message appeared on the monitor informing Tom that the .doc had been created in iOS and that he must enable editing and content. Finally, he could see the contents of his document, but it also set off a chain reaction.

As far as Tom knew, the document only contained the pricing information. Nothing indicated that Emotet had been downloaded from a compromised website by a PowerShell command, or that Trickbot had been used to back up Emotet.

It was too late. When Tom opened his laptop a few days later, a note informed him that all his files were encrypted and that the hackers would not unlock them until Tom paid $150,000 in bitcoin. The note was signed by Ryuk.

No time for a sigh of relief.

For the first half of 2019, malicious PDFs showed an edge over malicious Office 365 files, outpacing them 36,488 to 25,461. Then in 2020, the number of PDFs dipped 8% over the same period in 2019 while the number of malicious Microsoft Office files skyrocketed to 70,184 — a 176% increase.

Wired Magazine once labeled Emotet the most dangerous malware in the entire world. So no surprise that back in January 2021, law enforcement from every major country launched a massive effort to disrupt Emotet’s infrastructure found embedded in servers and computers in more than 90 countries. The effort resulted in the arrest of criminals and confiscation of equipment, cash, and even rows of gold bars accumulated by the gangs.

Indeed, utilization of Microsoft Office files in attacks fell. According to the 2022 SonicWall Cyber Threat Report, PDFs returned as the preferred attack vector with a 52% increase in malicious utilization and malicious Microsoft Office files decreased by 64%. This trend was a marked reversal and yet, there was no time for even a sigh of relief.

A graph showing the rise of never-seen-before malware variants.

Emotet attacks are back.

According to recent reports by Bleeping Computer, Threatpost and the SANS Technology Institute, within 10 months of the high-profile January 2021 takedown, Emotet is back with a vengeance. Threat actors are actively distributing infected Microsoft Office documents, ZIP archives and other files laden with Emotet code.

While it is still too early to see a data trend, anecdotally we see significant changes, such as encryption of malware assets and a new strategy of targeted phishing built on reply-chain emails, shipping notices, tax documents, accounting reports or even holiday party invites.

In less than 10 months, previous eradication efforts were erased and now we’re back to square one.

How to protect from malicious Office 365 files.

Even with serious threats in play, there are several simple things you can do to protect yourself and others on your network. You can start by changing your Office 365 settings to disable scripts and macros, and by keeping your endpoints and operating system up to date with the latest patches for Windows.

You can set a business policy not to transfer documents and other files via email. You can also keep up with Microsoft’s regular distribution of patches and updates. We all get busy, but when we let our updates lapse, we are allowing attacks that target these vulnerabilities to succeed.
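As an added example (not SonicWall’s code and not a description of Capture ATP), the Python below shows the kind of attachment triage a mail gateway or a scheduled script can perform to back up the “disable macros” advice: it looks at what the bytes actually are rather than trusting the filename, flags an OOXML document that carries a VBA project (even when renamed to a macro-free .docx), treats legacy OLE2 binaries as needing sandboxing because their macros cannot be enumerated without a real OLE parser, and quarantines files whose extension does not match their content. All sample files are constructed in memory, and the risk levels and gateway actions are assumed policy.

```python
"""Attachment triage for Office files (added example; not SonicWall's code).

Inspects what an attachment really is before it reaches a user. The
constructed samples at the bottom cover a clean .docx, a macro-enabled
.docm, the same .docm renamed to .docx, a legacy OLE2 header and an
executable wearing a .docx name.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx/.docm/...) container
OFFICE_EXTS = (".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm", ".ppt", ".pptx", ".pptm")
MACRO_FREE_EXTS = (".docx", ".xlsx", ".pptx")


def classify_attachment(name: str, data: bytes) -> dict:
    """Return container type, VBA presence, a risk level and the reasons behind it."""
    lname = name.lower()
    result = {"name": name, "container": "other", "has_vba": False, "risk": "low", "reasons": []}

    if data.startswith(ZIP_MAGIC):
        result["container"] = "ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                parts = zf.namelist()
                content_types = zf.read("[Content_Types].xml") if "[Content_Types].xml" in parts else b""
        except zipfile.BadZipFile:
            result["risk"] = "high"
            result["reasons"].append("zip header but unreadable archive")
            return result
        # A VBA project is stored as vbaProject.bin; macro-enabled documents also
        # declare a macroEnabled content type for their main part.
        if any(p.lower().endswith("vbaproject.bin") for p in parts) or b"macroEnabled" in content_types:
            result["has_vba"] = True
            result["risk"] = "high"
            result["reasons"].append("contains VBA project")
            if lname.endswith(MACRO_FREE_EXTS):
                result["reasons"].append("macro payload behind a macro-free extension")
    elif data.startswith(OLE_MAGIC):
        # Legacy binary format: macros live in OLE streams and need a proper OLE
        # parser to enumerate, so hand these to sandboxing rather than trust them.
        result["container"] = "ole2"
        result["risk"] = "medium"
        result["reasons"].append("legacy OLE2 document; may embed VBA")
    elif lname.endswith(OFFICE_EXTS):
        # Claims to be an Office file but the bytes say otherwise.
        result["risk"] = "high"
        result["reasons"].append("extension does not match file content")
    return result


def gateway_action(result: dict) -> str:
    """Map risk to a mail-gateway decision (constructed policy)."""
    return {"low": "deliver", "medium": "sandbox", "high": "quarantine"}[result["risk"]]


def make_ooxml(parts: dict) -> bytes:
    """Build a minimal OOXML-style zip from part name -> bytes (test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for part_name, content in parts.items():
            zf.writestr(part_name, content)
    return buf.getvalue()


_DOCX_TYPES = (b'<Types><Override PartName="/word/document.xml" '
               b'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>')
_DOCM_TYPES = (b'<Types><Override PartName="/word/document.xml" '
               b'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
               b'<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>')

# Constructed samples (not real malware; the VBA blob is a placeholder string).
CLEAN_DOCX = make_ooxml({"[Content_Types].xml": _DOCX_TYPES, "word/document.xml": b"<w:document/>"})
MACRO_DOCM = make_ooxml({"[Content_Types].xml": _DOCM_TYPES, "word/document.xml": b"<w:document/>",
                         "word/vbaProject.bin": b"\x00constructed-vba-blob"})
OLE_DOC = OLE_MAGIC + b"\x00" * 504
FAKE_DOCX = b"MZ\x90\x00" + b"\x00" * 60

SAMPLES = [
    ("proposal.docx", CLEAN_DOCX),
    ("proposal.docm", MACRO_DOCM),
    ("proposal.docx", MACRO_DOCM),   # renamed to look macro-free
    ("invoice.doc", OLE_DOC),
    ("pricing.docx", FAKE_DOCX),
]


def triage(samples=SAMPLES) -> list:
    """Classify each sample and return (name, risk, action) tuples."""
    rows = []
    for name, data in samples:
        verdict = classify_attachment(name, data)
        rows.append((name, verdict["risk"], gateway_action(verdict)))
    return rows


if __name__ == "__main__":
    for name, risk, action in triage():
        print(f"{name:16} risk={risk:7} -> {action}")
```

The point of the renamed sample is that a filename check alone would have passed it: only the container contents reveal the VBA project, which is why the check reads the archive rather than the extension.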

We can also take stronger steps to strengthen our resistance to attack. 2021 was another banner year for SonicWall’s patented Real-Time Deep Memory Inspection™ (RTDMI) technology which detected 442,151 total never-before-seen malware variants in 2021, a 65% increase over 2020’s count and an average of 1,211 per day.

A graph showing new malicious file type detections in 2021.

Capture ATP, 100% Captures, and 0% False Positives.

The best part about RTDMI is that it is integrated with SonicWall’s Capture Advanced Threat Protection (ATP). And in quarterly third-party testing by ICSA Labs, RTDMI identified 100% malicious threats without posting a single false positive for five quarters in a row.

Capture ATP with RTDMI leverages proprietary memory inspection, CPU instruction tracking and machine learning capabilities to recognize and mitigate never-before-seen cyberattacks, including threats that do not exhibit any malicious behavior and hide their weaponry via encryption — attacks that traditional sandboxes will likely miss.

This is particularly important in cases such as Tom’s, as Trickbot and Emotet both use encryption to hide their misdeeds. Emotet can also determine whether it’s running inside a virtual machine (VM) and will remain dormant if it detects a sandbox environment.

Three Keys to Modern Cyberdefense: Affordability, Availability, Efficacy

(Our previous supply-chain updates can be found here and here.)

If you’ve ever been to a small-town mechanic, chances are you’ve seen the sign: “We offer three types of service here — Good, Fast and Cheap. Pick any two!”

In cybersecurity, this can be framed as “Affordability, Availability and Efficacy,” but the idea is the same — when making your choice, something’s got to give.

The effects of this mentality are sending ripples across the cybersecurity industry. At the 2022 RSA Conference, Joe Hubback of cyber risk management firm ISTARI explained that based on his survey, a full 90% of CISOs, CIOs, government organizations and more reported they aren’t getting the efficacy promised by vendors.

Several reasons for this were discussed, but most came back to this idea of compromise — buyers want products now, and they’re facing budget constraints. So, they often believe the vendors’ claims (which tend to be exaggerated). With little actual evidence or confirmation for these claims available, and little time to evaluate these solutions for themselves, customers are left disappointed.

To make the buying process more transparent and objective, Hubback says, vendor solutions should be evaluated in terms of Capability, Practicality, Quality and Provenance. While his presentation didn’t reference the Affordability-Availability-Efficacy trifecta directly, these ideas are interconnected — and regardless of whether you use either metric or both, SonicWall comes out ahead.

Availability: Supply-Chain Constraints and Lack of Inventory

Order and install times have always been a consideration. But the current climate has led to a paradox in modern cybersecurity: With cyberattack surfaces widening and cybercrime rising, you really ought to have upgraded yesterday. But in many cases, the components you need won’t be in stock for several months.

While many customers are being locked into high-dollar contracts and then being forced to wait for inventory, this isn’t true for SonicWall customers: Our supply chain is fully operational and ready to safeguard your organization.

SonicWall is currently fulfilling 95% of orders within three days.

Procurement Planning & Forecasting

“We’re hearing more often than not that our competitors don’t have the product on the shelf, but we’ve been managing this for over two years,” SonicWall Executive Vice President of Operations Yew-Joo Hoe said.

In autumn of 2020, as lead times began to creep up, SonicWall’s operations department immediately began altering internal processes, changing the way it works with suppliers and ships goods, and even re-engineering some products to deliver the same performance with more readily available components.

So now, even amid remarkable growth — 2021 saw a 33% increase in new customer growth, along with a 45% rise in new customer sales — SonicWall is currently fulfilling 95% of orders within three days.

But even as we’ve zeroed in on supply-chain continuity, our dedication to the Provenance of our supply chain has been unwavering. We aim to secure, connect and mobilize organizations operating within approved or authorized regions, territories and countries by ensuring the integrity of our supply chain from start to finish.

SonicWall products are also compliant with the Trade Agreements Act in the U.S., and our practices help ensure SonicWall products aren’t compromised by third parties during the manufacturing process.

Affordability: The Two Facets of TCO

SonicWall’s goal is to deliver industry-leading TCO. But this is more than a marketing message for us — we put it to the test.

SonicWall recently commissioned the Tolly Group to evaluate the SonicWall NSsp 13700, the NSsp 15700, the NSa 2700 and more against equivalent competitor products. Each time, the SonicWall product was named the better value, saving customers thousands, tens of thousands and even hundreds of thousands while delivering superior threat protection.

But we also recognize that the measure of a product’s affordability extends beyond the number on an order sheet, to how much labor that solution requires. Hubback summarized the idea of Practicality as “Is this actually something I can use in my company without needing some kind of Top Gun pilot to fly it and make it work?” With cybersecurity professionals getting harder to find, and their experience becoming more expensive every day, the ideas of Practicality and Affordability have never been so intertwined.

Fortunately, SonicWall has long recognized this association, and we’ve built our products to reduce both the amount of human intervention and the required skill level needed to run our solutions.

Innovations such as Zero-Touch Deployment, cloud-based management, single-pane-of-glass interfaces, simplified policy creation and management, and one-click rollback in the event of a breach have brought increased simplicity to our portfolio without sacrificing performance or flexibility.

Efficacy: How It’s Built and How It Performs

Hubback’s final two criteria, Quality and Capability, describe how well a solution is built, and how well it can do what it promises. Taken together, these form the core of what we think of as Efficacy.

While Quality is the most enigmatic of Hubback’s criteria, it can be reasonably ascertained based on a handful of factors, such as longevity, customer satisfaction and growth.

With over 30 years of experience, SonicWall is a veteran cybersecurity leader trusted by SMBs, enterprises and government agencies around the globe. In the crowded cybersecurity market, this sort of longevity isn’t possible without quality offerings — and our quantity of repeat purchasers and scores of customer case studies attest to the high standards we maintain for every solution we build.

In contrast, Capability can be very easy to judge — if a vendor chooses to put its products to the test. Independent, third-party evaluation is the gold standard for determining whether products live up to their promises. And based on this metric, SonicWall comes out on top.

To provide customers objective information about its performance, SonicWall Capture ATP with RTDMI has been evaluated by third-party testing firm ICSA Labs, an independent division of Verizon. For the past seven consecutive quarters, the solution has found 100% of the threats while issuing only a single false positive. SonicWall has now earned more perfect scores — and more back-to-back perfect scores — than any other active vendor.

Today, thousands of organizations will shop for new or upgraded cybersecurity solutions. While they may differ in size, industry, use case and more, at the end of the day, they’re all looking for basically the same thing: A reliable solution that performs as advertised, at a price that fits within their budget, that can be up and running as soon as possible.

There will always be those who tell you that you can’t have everything; that the center of this Venn diagram will always be empty. But at SonicWall, we refuse to compromise — and we think you should, too.

Cybersecurity News & Trends

Stories about cybersecurity news and trends curated from major news outlets, trade pubs and infosec bloggers.

SonicWall news finishes a strong week with more mentions from the 2022 SonicWall Cyber Threat Report, bylines by our cybersecurity leaders, and quotes. And of course, Industry News was very busy. From DarkReading, we learn about the retiring Internet Explorer and how it (and the associated cyber risk) will linger for years. KrebsOnSecurity and SC Media report on ransomware attackers launching a searchable public database of their victims. SiliconValley News reports on the 9-year jail sentence earned by the infamous hacker who stole millions of private images from iCloud. From Reuters, hackers managed to crash the Russian Davos event and (temporarily) stop President Vladimir Putin from speaking. In the New Zealand Herald, the story about how a spelling error saved a man from Perth $6M. And finally, our big read for the week on the successful dismantling of a huge Russian botnet, compiled from the US Department of Justice, Bloomberg Law, Politico and Forbes.

Remember, cybersecurity is everyone’s business. Be safe out there!

SonicWall News

Contractors Beset by Ransomware Threats Have Too Few Options

Bloomberg Law, Bill Conner Quote: The contracting community is aware of the confusion. Chester Wisniewski at Sophos, Carolyn Crandall at SentinelOne, and Bill Conner at SonicWall all outlined suggestions to Bloomberg Government in a series of interviews. Conner, SonicWall’s president and CEO, said he wants the government to install so-called “cyber czars” at each federal agency to better streamline communication.

SonicWall Recognizes APAC Partners and Distributors at FY2022 Partner Awards

Channel Life (Australia), SonicWall News: SonicWall has recognized its distributors and partners for their efforts in producing the company’s most successful year to date. The recent SonicWall FY2022 Partner Awards recognized companies for their commitment to demonstrating excellence, innovation and leadership in cybersecurity during the fiscal year. They are also thanked for continuing to drive digital transformation for businesses that leverage SonicWall solutions.

The Powerful Cyberattack That Has America on Alert

Swiss Info (Deutsch), SonicWall Threat Report Mention: The Cyber Threat Report 2022 of the US firm SonicWall, shows a rebound of 105% in data hijacking last year, surpassing 623 million attacks worldwide – almost twenty attempts per second – with the United States in the lead (421 million or 67.5% of the total).

SonicWall Awards Top Partners for FY22

ARN (Australia), SonicWall News: Cyber security vendor SonicWall has awarded its top-performing partners for its 2022 fiscal year ending 31 January.

The Cybersecurity Challenges of Remote Working and How a Brand Can Eliminate Them

E Business (UK), SonicWall Mention: SonicWall provides trusted solutions delivering wireless, switches, firewalls, and CCTV that can keep businesses safe from an attack and avoid downtime.

Ransomware, the Cyberattack That Set Off Alarms in Latin America

Forbes Colombia, SonicWall Threat Report Mention: The Cyber Threat Report 2022 of the US firm SonicWall shows a rebound of 105% in data hijacking last year, surpassing 623 million attacks worldwide – almost twenty attempts per second – with the United States in the lead (421 million or 67.5% of the total).

Industry News

Internet Explorer Is Now Retired but Remains an Attack Target

DarkReading: Microsoft’s June 15th official end-of-support for Internet Explorer 11 desktop software has left behind a browser that has been around for almost 27 years. Even so, IE will likely remain a lucrative target for attackers.

Despite Microsoft’s long-standing plans to discontinue Internet Explorer (IE), some organizations continue to use it. Microsoft will keep the MSHTML (aka Trident) IE browser engine in Windows 11 through 2029, which lets organizations keep using IE mode in Microsoft Edge while they transition. So IE is not dead yet.

Although IE is now a minor player in the global browser market (0.52%), many companies use it internally or have legacy applications tied to it. This week, Nikkei Asia and the Japan Times cited a Keyman’s Net survey showing that almost 49% of the 350 Japanese companies surveyed use IE daily. Likewise, South Korea’s MBN reported that many large organizations still use IE and will likely continue to do so for the foreseeable future.

Ransomware Group Launches Searchable Victim Data

KrebsOnSecurity: Cybercriminals who steal corporate data and demand ransoms to keep it from being published have tried many methods to shame victims into paying. The ALPHV ransomware group, also known as “BlackCat,” has made the gambit harder and harder to avoid.

They previously tried publishing victim data in repositories on the Dark Web. Now they have gone further, with a new public website that posts the stolen data of individual victims and invites the public to search it.

ALPHV announced on its new victim-shaming website that it had hacked a luxury resort and spa in the western United States. The database of shame includes the personal data of more than 1,500 resort employees and 2,500 resort residents. At the top of the page are two “Check Yourself” buttons, one for employees and the other for guests.

SC Media also reported that a security expert described the site as “kinda like a bad guy’s version of HaveIBeenPwned,” the main difference being that data on HaveIBeenPwned is anonymized. ALPHV displays everything, including full names, dates, expenditures, email addresses, birthdays, and social security numbers.

SC Media and KrebsOnSecurity chose not to reveal the hotel’s name to protect the people whose data was exposed. The whole point of the ALPHV website is to pressure the hotel into paying.

Hacker Sentenced to 9 Years for Hacking Apple iCloud and Stealing Private Images

SiliconValley: A Californian man accused of hacking Apple iCloud and stealing private images and videos of young women, some nude and some engaged in personal activities, has been sentenced to nine years in federal prison.

According to court records, Hao Kuo Chi, 41, of La Puente, California, was sentenced Wednesday at a federal court in Tampa, Florida. He pleaded guilty last October to three counts of computer fraud and one count of conspiracy to commit computer crime.

Chi also ran the notorious website Anon-IB for many years, where users posted images labeled as “revenge porn.” Officials claim that Chi hacked into victims’ Apple iCloud accounts to steal their private photos and videos, and that he shared and traded the images with other users on Anon-IB.

Chi’s email accounts contained the iCloud credentials of approximately 4,700 victims, and he had collected enough media to fill 3.5 terabytes of iCloud and physical storage.

Court testimony reveals that he shared stolen content with conspirators over 300 times. While some conspirators publicly released the images, he kept for himself images connected to 500 victims.

Hackers Crash “Russian Davos” and Stop Putin’s Speech

Reuters: Hackers disrupted President Putin’s speech at Russia’s top economic forum last Friday, as Russia worked to adjust to its “new reality.” The meeting was already struggling from a lack of Western participation. Nevertheless, the 25th St Petersburg International Economic Forum was attended by many state companies, with stalls featuring floor-to-ceiling display screens and glamorous attendants.

Dmitry Peskov, a spokesperson for the Kremlin, stated that a denial-of-service attack (flooding servers with fake traffic) had hampered the forum’s admission and accreditation systems. Although he did not attribute the incident to the ongoing war in Ukraine, reporters noted that this was unofficially suspected.

Spelling Mistake Stops Perth Man’s $6m Fortune from Being Stolen by BEC Hackers

NZ Herald: This story illustrates how cybersecurity is everyone’s business. A Perth businessman almost lost $6 million to hackers, but one misspelled word saved him from watching his fortune fall into the wrong hands.

He was at the end of a multimillion-dollar property settlement with a trusted buyer. Unfortunately, the other party’s business email account had been compromised by cybercriminals, who intercepted the emails and changed the bank account details to their own accounts.

An entry-level employee noticed that the word “group” was misspelled as “gruop.” After her timely alert, an inspection revealed that the business email account was compromised, and the bankers stopped the transaction just in time.

Also see “BEC – Business Email Compromise.”

US and Global Law Enforcement Partners Dismantle Russian Botnet

Multiple Sources: According to the US Department of Justice, US cybersecurity agents worked with law enforcement partners from the UK, the Netherlands and Germany to dismantle the infrastructure of a Russian botnet called RSOCKS that had hacked into millions of computers around the globe.

A botnet is a group of internet-connected devices that have been hacked and are controlled by attackers, often to commit malicious acts. Each device connected to the internet has an Internet Protocol (IP) address.

Bloomberg Law adds that the botnet targeted IoT devices such as clocks, routers and streaming devices. The hackers used the compromised devices as proxy servers, letting paying customers route traffic through the devices’ IP addresses and launch attacks from them. According to Bloomberg, the group’s Twitter account claimed access to more than eight million residential IPs and more than a million mobile IPs.

Politico reported that proxy services, which aren’t inherently illegal, provide IP addresses to their clients for a fee; the service is also used to bypass censorship and access content geo-blocked to a specific region. Prosecutors claim that RSOCKS hacked into millions of devices using brute-force attacks.

Customers could visit a web-based storefront to rent proxies for a specified period. The customer could then download a list of IP addresses and ports associated with the botnet’s backend server and route malicious internet traffic through the compromised devices while hiding its source.

A related story by Forbes states that the botnet was home to a darknet market called Hydra Market. The marketplace’s closure is linked to subsequent seizures, including a superyacht owned by Viktor Vekselberg and $5.4M in cash from Konstantin Malofeyev. The US DOJ identified Malofeyev as a Russian oligarch who attempted to use the botnet’s services to circumvent sanctions.

In Case You Missed It

BEC Attacks: Can You Stop the Imposters in Your Inbox? – Ken Dang

SonicWall CEO Bill Conner Selected as SC Media Excellence Award Finalist – Bret Fitzgerald

Cybersecurity in the Fifth Industrial Revolution – Ray Wyman

What is Cryptojacking, and how does it affect your Cybersecurity? – Ray Wyman

Why Healthcare Must Do More (and Do Better) to Ensure Patient Safety – Ken Dang

SonicWall Recognizes Partners, Distributors for Outstanding Performance in 2021 – Terry Greer-King

Anti-Ransomware Day: What Can We Do to Prevent the Next WannaCry? – Amber Wolff

CRN Recognizes Three SonicWall Employees on 2022 Women of the Channel List – Bret Fitzgerald

Enjoy the Speed and Safety of TLS 1.3 Support – Amber Wolff

Four Cybersecurity Actions to Lock it All Down – Ray Wyman

Understanding the MITRE ATT&CK Framework and Evaluations – Part 2 – Suroop Chandran

Five Times Flawless: SonicWall Earns Its Fifth Perfect Score from ICSA Labs – Amber Wolff

NSv Virtual Firewall: Tested and Certified in AWS Public Cloud – Ajay Uggirala

How SonicWall’s Supply-Chain Strategies Are Slicing Wait Times – Amber Wolff

SonicWall SMA 1000 Series Earns Best-Of Enterprise VPNs Award from Expert Insights – Bret Fitzgerald

World Backup Day: Because Real Life Can Have Save Points Too – Amber Wolff

CRN Honors SonicWall With 5-Star Rating in 2022 Partner Program Guide – Bret Fitzgerald

Cyberattacks on Government Skyrocketed in 2021 – Amber Wolff

Meeting the Cybersecurity Needs of the Hybrid Workforce – Ray Wyman

Third-Party ICSA Testing – Perfect Score Number 4 – Kayvon Sadeghi

Ransomware is Everywhere – Amber Wolff

Shields Up: Preparing for Cyberattacks During Ukraine Crisis – Aria Eslambolchizadeh

BEC Attacks: Can You Stop the Imposters in Your Inbox?

If asked which of the threat types tracked by the FBI causes the most financial damage, most people would say ransomware.

They’d be wrong.

In 2021, the FBI’s Internet Crime Complaint Center (IC3) received 19,954 Business Email Compromise (BEC) reports, with adjusted losses totaling almost $2.4 billion. That’s an average of more than $120,270 per incident, compared with just under $13,200 per incident for ransomware attacks.

Since the FBI began tracking these threats in 2013, tens of billions in financial losses have been recorded, resulting from nearly 170,000 incidents in 178 countries.

So why hasn’t this threat risen to the notoriety of ransomware?

During many ransomware attacks, business operations grind to a halt. When a company loses access to customer information, payment systems and mission-critical applications, it often becomes clear in short order that something is wrong.

But BEC attacks are comparatively silent. Even when these attacks have a huge impact on an organization’s bottom line, operations can generally continue as usual. As a result, businesses frequently opt to keep these attacks out of the public eye to avoid risking reputation damage and loss of trust.

But although ransomware still dominates security news, the growing frequency, volume and cost of BEC attacks have begun attracting more attention.

As a result, BEC attacks have become a top threat concern for many organizations today, according to a recent SonicWall-sponsored white paper by Osterman Research. “How to Deal with Business Email Compromise” reports primary research data from an in-depth customer survey of 119 respondents, each of whom has direct knowledge of how their organization is addressing or planning to address the risk of BEC.

The results from this study offer a look at how security influencers and decision-makers are taking BEC into account when formulating their spending plans for the next 12 months. For example, while just 46% of organizations said they considered protecting against BEC attacks “important” or “extremely important” 12 months ago, 76% said they considered it important or extremely important today.

[Infographic] 80%: organizations indicating that protecting against BEC attacks in 2023 is of high importance.

The data also shows that three-fifths of organizations in the study view protecting against BEC attacks as one of their top five security priorities.

[Infographic] 62%: organizations ranking protecting against BEC attacks as one of their top five priorities.

How BEC Attacks Fly Under the Radar

But what makes BEC attacks so dangerous when compared with other forms of cyberattacks? And why are they harder to stop?

BEC is a specialized type of phishing attack that relies on social engineering. These attacks often use a proven pretexting technique to engineer a quick introduction and establish a believable scenario in order to manipulate the victim into taking a specific action.

While these attacks can target employees at any level of an organization, they generally start with an attacker impersonating a person with authority, such as a CEO or CFO, a manager, or a supplier. The attacker uses the authority figure’s identity to start a chain of plausible (but fake) requests to gain monetary payment. This typically involves instructing someone in accounts payable, someone in HR or even someone with a company credit card to pay a fake invoice, transfer funds, send gift cards or make payroll payouts. The urgent tone of these messages encourages the victim to respond or act quickly, bypassing any checks and balances that may be in place.

Compared with other forms of cyberattacks, BEC attacks are among the hardest to detect because the threat signals are far less obvious. Relying on trickery and impersonation, the approach is very subtle, and the actual delivery generally doesn’t use weaponized URLs or malicious attachments, which are easily detected.

In addition, the email content and the delivery mechanism are usually of higher quality and often tailored to target a specific person or persons. With little to no apparent sign of a threat, these messages can bypass most email security filters to reach the inbox — and the absence of any sort of alert, such as a contextual warning advising them to exercise caution, leaves the victim more vulnerable to falling for the scam.

Because so many of these scams are successful, their use has grown dramatically — today, roughly 80% of companies are targeted by BEC attacks each year. While there isn’t much you can do to avoid being targeted, there’s plenty you can do to safeguard your organization’s finances. To learn more about BEC attacks and how to stop them, check out our webinar, “Can You Stop the Imposters in Your Inbox?”

Cybersecurity News & Trends

Curated stories about cybersecurity news and trends from major news outlets, trade pubs and infosec bloggers.

A fresh batch of articles for SonicWall News surfaced this week from nearly every business sector, plus quotes from SonicWall CEO and President, Bill Conner, and General Director of SonicWall in Iberia, Sergio Martínez. Our biggest problem this week for Industry News was deciding what to leave out. From Forbes, a guide on how to inspire your employees to care about cybersecurity. From Bleeping Computer, ransomware gang Black Basta attacks VMware ESXi servers. Then from the BlackBerry Threat Vector blog, a new Linux malware called “Symbiote” that’s almost impossible to detect. Next, from Dark Reading, the Emotet banking trojan resurfaces—and skates past email security. And finally, a compiled reading from CNN, MIT Technology Review, and PC Magazine on Chinese hackers breaking into “major” telecom firms.

As always, click through to the links in the headlines to see the full stories from our sources. And remember, cybersecurity is everyone’s business. Be safe!

SonicWall News

An Update from SonicWall on ICSA Certification

Security Brief (Asia), SonicWall in the News: Ken joins us today to discuss SonicWall’s recent ICSA certification and also current threat detection research that is currently taking place.

How Can Small Businesses Protect Themselves from Cyber Threats?

Insurance Business America, Threat Report Mention: Separate data gathered by cybersecurity firm SonicWall has shown that there were almost 421.5 million ransomware attempts against US businesses in 2021 – a figure that dwarfed that of second-placer Germany, which registered about 34.3 million hits.

Why is Ransomware Getting the Better of Us?

Security Boulevard, Threat Report Mention: The ransom crisis is particularly bad in the UK. A SonicWall report found that UK-based organizations faced the second-highest number of ransomware attacks in the world in the first half of 2021. According to SonicWall, ransomware attacks increased by 234% across Europe in that time, while CyberEdge’s 2022 Cyberthreat Defense Report found that 80% of UK organizations had been successfully targeted in the past year.

Special Cloud Security

ComputerWorld CSO (Spain), SonicWall Quote: Sergio Martínez, general director for Iberia at SonicWall, gives his vision, in the gallery “Ensuring the availability of information, the pillar of the contingency plan,” on new security strategies in a context in which more and more devices are connected to business networks.

Ransomware Losses, Frequency Increase Rates: Howden

Business Insurance, Threat Report Mention: London-based Howden Broking Group Ltd. said in its report that the annualized number of globalized ransomware incidents was up 235% in 2021 compared with 2019, and average U.S. ransom payments increased by 370% over the same period. It was citing data from San Jose, California-based cybersecurity company SonicWall Inc. and ransomware incident response company Westport, Connecticut-based Coveware Inc.

Industry News

Inspire Your Employees to Care About Cybersecurity

Forbes: We spend a lot of time talking about how humans are the weak link in cybersecurity. First, let’s recognize that a company’s employees are a significant vulnerability given the increasing complexity of the threat landscape. With more than 15 billion devices in circulation, including computers, servers and mobile phones operating worldwide, digital fluency and literacy remain challenges in the transforming cybersecurity landscape.

Many functions are performed by devices without our knowledge, including tracking and storing location information, saving passwords, sharing information with apps, and listening to our conversations. Today, organizations have a greater responsibility for cybersecurity to protect their own interests and those of their employees.

It is essential to communicate basic cybersecurity expectations to raise awareness. For example, employees need to be familiar with complex password requirements, multi-factor authentication (2FA/MFA), screen locks, and the importance of keeping current with software updates. Understanding cybersecurity requires knowing the basics.

If your team is not working in person, create attention-grabbing graphics that include slogans and statistics about the company’s cybersecurity policies, then share the policies by every available channel throughout the workforce. Growing threats mean educating employees about cyber threats while taking steps to protect their data.

Black Basta Ransomware Attacks VMware ESXi Servers

Bleeping Computer: Black Basta is the latest ransomware gang to add support for encrypting VMware ESXi virtual machines (VMs) on enterprise Linux servers. Ransomware groups have been focusing their attacks on ESXi VMs because the strategy aligns with their enterprise targets: they can encrypt multiple servers faster with a single command. Encrypting VMs makes sense, as many companies have recently moved to virtual machines. From a purely business perspective, the hackers now enjoy the dual benefits of simpler device management and more efficient resource use.

Linux ransomware encryptors are not new. BleepingComputer has reported similar encryptors from numerous other gangs, including LockBit, HelloKitty, BlackMatter, REvil, AvosLocker and RansomEXX.

However, Black Basta’s ransomware searches for /vmfs/volumes, where the virtual machines are stored on a compromised ESXi server, and exits if no such folder is present. The encryptor also has no command-line arguments for targeting other paths, indicating that it is designed only for ESXi servers.

The ransomware uses the ChaCha20 algorithm to encrypt files and multithreading to speed up encryption across multiple processors.

The ransomware renames encrypted files by appending the .basta extension and drops ransom notes named readme.txt in each folder. The notes include a link to a chat support panel and a unique ID that victims can use to communicate directly with the attackers.

Symbiote — The New Linux Malware That’s Almost Impossible To Detect

BlackBerry ThreatVector Blog: As if Linux’s malware problems couldn’t get any worse, recent reports have revealed Symbiote, a new type of Linux malware that’s “almost impossible to detect.”

The research team, with lead members from Intezer and BlackBerry, named the rootkit-level threat Symbiote. It is a shared object (SO) library that is parasitically loaded into every process via the LD_PRELOAD mechanism, which is why it is so dangerous.

Researchers say the shared object library “parasitically compromises” a target machine. Once its claws are embedded deep in the system, the malware gives attackers rootkit functionality.

Researchers discovered the first sample in November 2021; it appears to have been created to attack Latin American financial institutions. Because the malware is still new, researchers aren’t sure whether Symbiote has been used in broad or targeted attacks. Symbiote is nonetheless full of interesting features. It uses Berkeley Packet Filter (BPF) hooking to hide its malicious traffic on infected machines, a technique also seen in malware from the Equation Group. BPF bytecode injected into the kernel determines which packets a capture sees, so when an administrator starts packet-capture software on an infected machine, Symbiote adds its own bytecode to the kernel filter to screen out any network traffic it does not want the capture program to see.

Symbiote can facilitate everything from data scrapes to backdoors. Attackers can use it to stealthily harvest credentials from compromised Linux devices by hooking the libc read function, an important capability for targeting Linux servers in high-value networks: stolen administrator credentials give them unimpeded lateral movement and unlimited access. Symbiote also gives its operators remote SSH access via the PAM service and lets the threat actor gain root privileges.

Many IT and cybersecurity bloggers have reported on this story. Keep an eye out for new developments.
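Because Symbiote rides on LD_PRELOAD, the two places a defender can look for that loading mechanism on a host are the system-wide /etc/ld.so.preload file and the LD_PRELOAD variable in each process's environment under /proc. The Python below is an added example for this page, not code from BlackBerry, Intezer or SonicWall, and it makes no claim about Symbiote's actual file names. The list of standard library directories and the sample file contents are constructed; the heuristics (library outside the standard directories, hidden path component, world-writable temporary location) are ordinary triage rules, not signatures.

```python
"""Triage LD_PRELOAD hooks of the kind the Symbiote write-up describes.

Added example, not code from the researchers or SonicWall. TRUSTED_LIB_DIRS,
SAMPLE_PRELOAD and SAMPLE_ENVIRONS are constructed for illustration.
"""
import glob
import posixpath

# Assumption: on this host, legitimate preload libraries live only here.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")

# Constructed /etc/ld.so.preload: one benign packaging-tool entry, one planted one.
SAMPLE_PRELOAD = (
    "# constructed sample\n"
    "/usr/lib/x86_64-linux-gnu/libfakeroot.so\n"
    "/dev/shm/.x/libsym.so\n"
)

# Constructed /proc/<pid>/environ blobs (NUL-separated KEY=VALUE), keyed by pid.
SAMPLE_ENVIRONS = {
    "4242": b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.hidden.so\0HOME=/root\0",
    "1": b"PATH=/usr/bin\0",
}


def parse_ld_so_preload(text: str) -> list:
    """/etc/ld.so.preload lists libraries separated by whitespace or newlines;
    blank lines and '#' comments are ignored by the loader."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.extend(line.split())
    return entries


def parse_environ(blob: bytes) -> dict:
    """/proc/<pid>/environ is a NUL-separated list of KEY=VALUE pairs."""
    env = {}
    for item in blob.split(b"\0"):
        if b"=" in item:
            key, _, value = item.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def judge_preload(path: str) -> list:
    """Reasons a preloaded library deserves a closer look; empty list means nothing odd."""
    reasons = []
    norm = posixpath.normpath(path)
    if not norm.startswith(TRUSTED_LIB_DIRS):
        reasons.append("outside standard library directories")
    if any(part.startswith(".") for part in norm.split("/") if part):
        reasons.append("hidden path component")
    if norm.startswith(("/tmp/", "/dev/shm/", "/var/tmp/")):
        reasons.append("world-writable temporary location")
    return reasons


def findings_from_sources(preload_text: str, environs: dict) -> list:
    """Combine the system-wide preload file and per-process LD_PRELOAD values.
    Returns (source, library, reason) tuples."""
    findings = []
    for lib in parse_ld_so_preload(preload_text):
        for reason in judge_preload(lib):
            findings.append(("/etc/ld.so.preload", lib, reason))
    for pid, blob in environs.items():
        env = parse_environ(blob)
        for lib in env.get("LD_PRELOAD", "").replace(":", " ").split():
            for reason in judge_preload(lib):
                findings.append((f"pid {pid} LD_PRELOAD", lib, reason))
    return findings


def scan_live() -> list:
    """Read the real files on a Linux host; root is needed to read every process's environ."""
    try:
        with open("/etc/ld.so.preload") as fh:
            preload_text = fh.read()
    except OSError:
        preload_text = ""  # absent on a clean host
    environs = {}
    for path in glob.glob("/proc/[0-9]*/environ"):
        try:
            with open(path, "rb") as fh:
                environs[path.split("/")[2]] = fh.read()
        except OSError:
            continue  # permission denied, or the process exited
    return findings_from_sources(preload_text, environs)


if __name__ == "__main__":
    live = scan_live()
    for source, lib, reason in live:
        print(f"{source}: {lib} ({reason})")
    if not live:
        print("no suspicious preloads found (or the reads themselves were hooked)")
```

The caveat is the one the article itself implies: a library that hooks libc read inside every process can lie to this script about the contents of /etc/ld.so.preload, because the script reads those files through the same hooked libc. Treat an empty result from a suspect host as weak evidence, and repeat the check from a statically linked tool, from a rescue boot, or by comparing against a known-good image of the file.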

Emotet Banking Trojan Resurfaces, Skates Past Email Security

Dark Reading: After being taken down by a joint international task force in January 2020, the Emotet malware botnet is back in an advanced form. Emotet was a prolific threat during the pandemic. It originated as a banking trojan in 2014, and its creators were the first to offer malware-as-a-service (MaaS) to criminal organizations.

Although it still uses many of the same attack methods as before, Emotet has become much better at collecting and using stolen credentials. According to the report, the attackers use these stolen credentials to distribute malware binaries, and they hijack existing email threads, using the compromised accounts as a launch pad to trick victims into enabling macros in attached malicious Office documents.

Emotet also uses 64-bit shellcode, advanced PowerShell and more advanced active scripts. Nearly a fifth of malicious samples exploit the 2017 Microsoft vulnerability CVE-2018-11882.

The attacks were mainly focused on victims in Japan, but since March the focus has shifted to targets in the United States and Italy.

Chinese Hackers Breach “Major” Telecom Firms

Compiled Reading: This report is compiled from multiple sources, each offering a slightly different perspective: CNN, MIT Technology Review, and PCMagazine.

First, CNN’s headline: Chinese government-backed hackers have breached major telecommunications companies, among other targets, the US CISA warned this week. The attackers exploited network devices that cyber defenders often overlook as they struggle to keep up with routine patching of Internet services and endpoint devices. CISA, the FBI and the NSA did not identify the hackers; the advisory appears to focus on getting organizations aligned on security measures and updating their software and equipment. CNN named devices manufactured by Cisco, Fortinet and other vendors.

MIT Technology Review also named Netgear and Citrix. All the vulnerabilities were publicly known, including a five-year-old critical flaw in Netgear equipment that allows attackers to bypass authentication checks and execute any code they want, taking over the entire device and gaining unrestricted access to the victim’s network. MIT says the campaign’s success shows how dangerous software flaws can be even after they are made public. Zero-day attacks—hacks exploiting previously unknown weaknesses—pack a punch and demand our full attention, but known flaws remain dangerous because it can be hard to update and secure networks and devices with limited resources, personnel and money.

PCMagazine stated that the vulnerabilities allowed the actors to access victim accounts using publicly available exploit code against VPN services and public-facing applications, without any unique or identifying malware.

Cybersecurity News & Trends

Read a curated collection of stories about cybersecurity news and trends from major outlets, trade journals, and infosec bloggers.

We found another crop of articles for SonicWall news, with one from Financial Times that reasons the best defense can be identifying vulnerabilities and “blocking digital assault pathways.” And in another article, Insurance Business America wonders how small businesses can protect themselves from cyber threats. Both use SonicWall’s 2022 Cyber Threat Report and are good reads for anyone tracking solid ideas and solutions. It was another week of dizzying details from Industry News, starting with a story from Politico about why politicians’ phones are getting hacked. Next is from Krebs on Security with additional information from Dark Reading about the pawn game between Costa Rica, Hive, Conti, and US sanctions. Next is a story from CNN detailing a confession from US Cyber Command: yes, they have been hacking Russian assets. And another story is about Chinese hackers exploiting new Microsoft vulnerabilities reported by The Verge and Tech Crunch. Finally, from Bleeping Computer, a story about a ransomware group that’s added a new twist: they’re going public by putting the ransom note on your website.

As always, click through to the links in the headlines to see the full stories from our sources. And remember, cybersecurity is everyone’s business. Be safe!

SonicWall News

SonicWall Honors Its Partners and Distributors Who Achieved Outstanding Performance In 2021

IT Reseller (Deutsch), SonicWall in the News: Cybersecurity specialist SonicWall has honored its most important partners and distributors of 2021. The SonicWall FY2022 Security Awards are given to one partner per region and, according to the manufacturer, are based on factors such as annual sales, portfolio distribution, online activities, project success rate, certification level, degree of commitment and feedback from their team.

GCHQ Advisor: It’s A Cyberarms Race as Ransomware Builder Emerges

IT Supply Chain (UK), Bill Conner quote: It’s an arms race, because as good as we’ve gotten, the bad guys have gotten even better and more efficient in their threat – actually moving at a faster pace than we can defend right now. The bad guys have gotten more sophisticated tools that enable smarter ways to store stock – for example in the cloud and around the world in multiple places.

SonicWall Celebrates Multiple Award Wins, Amidst Outstanding Business Performance in Asia-Pacific

CXOToday, Threat Report Mention: SonicWall today announced that the company has been awarded several prestigious awards on top of its growing list of accolades. SonicWall’s consistent track record and recognition by cybersecurity industry experts over the last few years is a testament to the vision, commitment and innovative spirit of its employees, leaders and partners to continuously deliver value to customers by way of optimizing business efficiencies and enhancing security.

Cyber Attackers: If You Can’t Stop Them, Disrupt Them

Financial Times, Threat Report Mention: Companies in all industries have been targeted. Data from SonicWall show a 105 per cent rise in ransomware attacks in 2021.

How To Ensure the Security of Company Data?

RCN Radio (Colombia), Threat Report mention: According to SonicWall’s 2022 Cyber Threat Report, in 2021 there were more than 623 million ransomware attacks worldwide. And Colombia, with more than 11 million threats detected in that year, is in the top 10 of the most attacked countries worldwide.

Meteoric Rise: Triangle Cybersecurity Startup JupiterOne Reaches ‘Unicorn’ Status With $70M Cash Injection

WRAL.com, Threat Report Mention: Governments worldwide saw a 1,885% increase in ransomware attacks in 2021, according to the 2022 Cyber Threat Report recently released by SonicWall, an internet cybersecurity company. Ransomware also rose 104% in North America, just under the 105% average increase worldwide, according to the report.

An Update from SonicWall on ICSA Certification

Security Brief (Asia), SonicWall in the News: Ken joins us today to discuss SonicWall’s recent ICSA certification and the threat detection research currently under way.

How Can Small Businesses Protect Themselves from Cyber Threats?

Insurance Business America, Threat Report Mention: Separate data gathered by cybersecurity firm SonicWall has shown that there were almost 421.5 million ransomware attempts against US businesses in 2021 – a figure that dwarfed that of second-placer Germany, which registered about 34.3 million hits.

Industry News

Why We Expect More Hacking on Politicians’ Phones – HINT: It’s Politics

Politico: Government officials all over the globe are facing a hard truth: They will have to accept spyware infecting their devices because they don’t want to ban the technology.

Numerous government officials have had their phones hacked over the past few years. These include Spanish Prime Minister Pedro Sanchez and French President Emmanuel Macron, as well as staffers for British Prime Minister Boris Johnson and the EU’s justice commissioner, and at least nine US diplomats.

Here’s the truth: many governments use the same spyware that is used against them. The tool of choice is Pegasus, software made by the Israeli company NSO Group. Pegasus has proven effective in pursuing terrorists planning attacks and pedophiles. Investigators have used tools like Pegasus to catch highly sought criminals such as Joaquin “El Chapo” Guzman, the well-known drug lord.

Pegasus can infect the target’s device and allow government agencies or organizations to access personal information, including (but not limited to) turning on microphones and cameras. As a result, anti-spyware activists have asked governments to ban spyware companies or at the very least regulate them. The United Nations Human Rights Office also called for governments to regulate the sale and use of spyware technology last year.

There are no international agreements restricting spyware. Even governments that ban Pegasus face the problem of other, less visible and more regulated spyware companies. As a result, officials are forced to use low-tech methods of protection with varying degrees of effectiveness.

And on it goes.

Costa Rica Pawned by Conti Ransomware Group’s bid to Rebrand and Evade Sanctions

Krebs on Security: The Russian ransomware group Hive hacked Costa Rica’s national healthcare system earlier this week. This intrusion occurred just weeks after Rodrigo Chaves, the Costa Rican president, declared a state of emergency to address a ransomware attack by Conti. Cybersecurity experts say there are good reasons to believe that the same cybercriminals are behind both attacks. Apparently, Hive helped Conti rebrand and avoid international sanctions designed to target ransomware payments to Russian hacker gangs.

Local media reported that the Costa Rican Social Security Fund (CCSS) was taken offline on May 31. However, the extent of the breach is still unknown. The CCSS oversees Costa Rica’s public healthcare sector, and worker and employer contributions to it are required by law.

The Dark Reading newsletter reports that ransomware hackers sanctioned in the United States have learned how to rebrand their software and avoid the sanctions. This is a strategy to make more victims pay. Example: The Evil Corp gang was already subject to sanctions when the Department announced that it was responsible in part for a ransomware strain called WastedLocker. Evil Corp quickly stopped using the WastedLocker software and created variants with different names and graphics. These ransomware variants were among the most popular in the last two years. However, it was not always clear if Evil Corp was behind them.

Microsoft Disallows Iran-Linked Hacker Groups Targeting Israeli Companies

The Jerusalem Post: Microsoft’s Threat Intelligence Center (MSTIC) detected that an Iran-linked hacking group was using its OneDrive cloud storage platform for command-and-control (C2) purposes. The hacking group was identified as “Polonium” and found to be targeting more than 20 Israeli companies and one intergovernmental organization with operations in Lebanon.

MSTIC assessed the group’s location and observed them creating and using legitimate OneDrive accounts, then utilizing those accounts to execute part of their attack operation.

Microsoft noted that the activity does not represent a vulnerability or cybersecurity issue on the OneDrive platform. However, Microsoft added that it has deployed security intelligence updates that will “quarantine” tools developed by Polonium operators. The story goes on to report that as part of their enforcement process, MSTIC suspended more than 20 malicious OneDrive applications.

US Confirms That Military Hackers Conducted Cyber Operations to Support Ukraine

CNN: The US Cyber Command made a rare public acknowledgment about hacking operations often shrouded in mystery. The hacking unit of the US military conducted cyber operations to support Ukraine in its defense against Russia’s invasion. Cyber Command admitted that they had conducted operations across all facets of the spectrum, including offensive, defensive and information operations.

This disclosure highlights how crucial projecting cyber power – to support Ukraine’s defenses and possibly deter Russia from conducting cyberattacks on US infrastructure – is to the Biden administration. This admission suggests that the Biden administration is comfortable in cyberspace and can counter Russia without fear of escalation. So long as the US and its allies don’t attack Russia, President Joe Biden has promised not to engage with Russia militarily in the Ukraine war.

This is the fullest example of foreign relations brinksmanship.

Chinese Company That Accused NSA of Hacking Has Global Ambitions

Washington Post: The US government and American cybersecurity firms have long claimed that China is responsible for brazen hacks that made off with troves of sensitive documents. Chinese officials denied the allegations and repeatedly accused the US of cyber-espionage without providing any evidence. In February, a well-connected Chinese cybersecurity company made public what it claimed to be a US National Security Agency campaign targeting computers in 45 countries and areas, including China. At the time, US officials did not respond to inquiries for comment.

This disclosure suggests that China takes a firmer stance against foreign hacking attempts. It also revealed the increasing influence of Qi An Xin Technology Group Inc., a Chinese technology company established in 2014 with ambitions to become a global cybersecurity leader.

The company’s headquarters are located a 10-minute drive from the Forbidden City. It has been part of a three-year plan to grow China’s cybersecurity sector to more than 250 billion yuan ($39.3B) by 2023. This plan involves increasing investment in the industry and simplifying regulation.

China-Linked Hackers Exploit a New Vulnerability Within Microsoft Office

The Verge: According to threat analysis research by security firm Proofpoint, hackers are already exploiting a newly discovered Microsoft Office vulnerability.

TechCrunch also shared details about how a hacker group called TA413 used the “Follina” vulnerability to create malicious Word documents that purportedly were sent from the Central Tibetan Administration, the Tibetan government in exile in Dharamsala, India. The TA413 APT (advanced persistent threat) actor is believed to be connected to the Chinese government. It has previously targeted the Tibetan exile community.

On May 27, Nao Sec, a security research group, first highlighted the Microsoft Word vulnerability. They took to Twitter to share a sample they had submitted to the online malware scanner VirusTotal. Nao Sec reported that hackers delivered the malicious code via Microsoft Word documents. The files then executed PowerShell commands; PowerShell is a powerful tool for Windows system administration.

Chinese hackers have used security holes in the software to target Tibetans over the years. Citizen Lab published a report in 2019 that documented widespread targeting of Tibetan politicians with spyware. This included Android browser exploits as well as malicious links sent via WhatsApp. Proofpoint analysis has shown that browser extensions also spy on Tibetan activists.

Ransomware Gang Now Hacks Corporate Websites to Show Ransom Notes

Bleeping Computer: Ransomware gangs are taking extortion to new heights by hacking corporate websites and publicly displaying ransom notes.

Reporters identify Industrial Spy as the extortion gang behind this new strategy. The group follows the usual process of breaching networks, stealing data, and deploying ransomware on devices. The threat actors then threaten to sell the stolen data on their Tor marketplace if a ransom is not paid. In one case, the group is now selling data it claims was stolen from a French company called SATT Sud-Est for US$500,000.

The new twist is that the group found a way to hack into the company’s website and defaced the home page with a message warning that 200GB of data had been stolen. Of course, if the victim doesn’t pay the ransom, the attackers are ready to sell the data. And then there’s the public disclosure for added measure.

In Case You Missed It

SonicWall CEO Bill Conner Selected as SC Media Excellence Award Finalist – Bret Fitzgerald

Cybersecurity in the Fifth Industrial Revolution – Ray Wyman

What is Cryptojacking, and how does it affect your Cybersecurity? – Ray Wyman

Why Healthcare Must Do More (and Do Better) to Ensure Patient Safety – Ken Dang

SonicWall Recognizes Partners, Distributors for Outstanding Performance in 2021 – Terry Greer-King

Anti-Ransomware Day: What Can We Do to Prevent the Next WannaCry? – Amber Wolff

CRN Recognizes Three SonicWall Employees on 2022 Women of the Channel List – Bret Fitzgerald

Enjoy the Speed and Safety of TLS 1.3 Support – Amber Wolff

Four Cybersecurity Actions to Lock it All Down – Ray Wyman

Understanding the MITRE ATT&CK Framework and Evaluations – Part 2 – Suroop Chandran

Five Times Flawless: SonicWall Earns Its Fifth Perfect Score from ICSA Labs – Amber Wolff

NSv Virtual Firewall: Tested and Certified in AWS Public Cloud – Ajay Uggirala

How SonicWall’s Supply-Chain Strategies Are Slicing Wait Times – Amber Wolff

SonicWall SMA 1000 Series Earns Best-Of Enterprise VPNs Award from Expert Insights – Bret Fitzgerald

World Backup Day: Because Real Life Can Have Save Points Too – Amber Wolff

CRN Honors SonicWall With 5-Star Rating in 2022 Partner Program Guide – Bret Fitzgerald

Cyberattacks on Government Skyrocketed in 2021 – Amber Wolff

Meeting the Cybersecurity Needs of the Hybrid Workforce – Ray Wyman

Third-Party ICSA Testing – Perfect Score Number 4 – Kayvon Sadeghi

Ransomware is Everywhere – Amber Wolff

Shields Up: Preparing for Cyberattacks During Ukraine Crisis – Aria Eslambolchizadeh