Security Platform Vendors vs. Best-of-Breed Approach to Security Architecture

In the debate over adopting an all-in-one cybersecurity platform versus assembling best-of-breed solutions, there’s only one answer: It depends. The questions are: How many tools can you afford, and is the software in your stack designed for security? Do you have skilled resources to manage? Does this approach make sense now that we have a greater number of users outside the organization, and most of the services we use are in the cloud?

Traditionally, a best-of-breed approach means buying multiple security programs, each a separate tool that is the best at the individual problem it solves, given your particular use case. For example, you might use SonicWall for next-gen firewall, but another vendor for next-gen endpoint, yet another vendor for log correlation, etc.

Business challenges

Hybrid and remote work have changed the IT landscape forever, as users are working from anywhere and at any time. With as many as 70% of employees embracing remote work today, protecting endpoints has never been a more critical component of securing your perimeter.

Alongside this shift, the COVID-19 pandemic has accelerated digital transformation, resulting in more customers moving to cloud and SaaS applications.

It’s past time for organizations to take another look at their security architecture.

Advantages and Disadvantages of Best-of-Breed Security Technology Vendors

First, let’s look at the advantages:

  • Security products are more specifically focused, leading to better fit and functionality.
  • Provides best-in-class capabilities for security operations to manage and monitor security risks.
  • Security technologies are easier to switch out for something else if necessary, making you more agile in responding to business needs.
  • Less risk of vendor lock-in, as you can replace any security product in your architecture with that of another vendor.
  • Less stakeholders involved in the decision and management of a point solution.

But there are also some significant drawbacks to the best-of-breed approach:

  • Implementing best-of-breed security technology at every layer becomes cumbersome. When integrating multiple vendor security technologies in the detection and response layer, interoperability becomes challenging.
  • Today’s security architecture is shifting from a preventative approach to a detection and response approach with “assume compromise” design. Adding best-of-breed security technology at every problem increases cost and makes management challenging.
  • The security skill shortage is another big challenge in the cybersecurity industry, and this is exacerbated by a best-of-breed approach. This patchwork of products increases complexity and increases the trained resources required to manage security operations.
  • If best-of-breed solutions aren’t well managed, the cost of ownership can be significant — especially for SMBs. Not to mention, managing security vendors and vendor relationships may require a substantial time investment.

Advantages and Disadvantages of Security Platform Vendors

Here are some advantages of the security platform approach:

  • One of the biggest advantages of security platform vendors is intermesh operation: endpoint, network, and cloud security technologies work together to address both known and unknown threats.
  • Enabling artificial intelligence and automation can be easier when there’s just a single interface to manage, and they work in security mesh.
  • With an assume-compromise approach to security architecture, security platform vendors lower your TCO by providing EDR/XDR capabilities into their platform. Customers can use these vendor tools to detect and respond to threats and implement artificial intelligence to detect advanced threats.
  • Security platform vendors are offering disruptive technologies such as SASE, CASB and XDR, which are cloud-native security solutions that work together to address risk from advanced threats.

But there are also disadvantages:

  • Vendor lock-in can become a concern.
  • Security functionality of certain features can be compromised for ease of use when you compare that feature to a specialized security product, e.g., dedicated XDR solutions, SIEM solutions or SOAR solutions.
  • Security platform vendors might not offer all the security solutions that an organization is looking for. (You might still have to use a hybrid best-of-breed/security platform vendor approach to mitigate risk.)
  • For security platform vendor selection, broader stakeholder and management involvement may be required.

In the past, you might have heard more CIOs tell you that vendor lock-in was a concern — but these days, you hear this much less frequently.

That’s because the advantages of vendor security platforms are overriding the negatives. This represents a tremendous change in the industry from three or four years ago: the hybrid movement has significantly narrowed the gap between these two approaches.

Security technology convergence is accelerating across multiple disciplines. Security vendor consolidation is occurring on the heels of a large architectural shift, which in turn is due to the hybrid shift among today’s workforce.

The consolidated security platform approach is the future, driven by the need to reduce complexity, leverage commonalities and minimize management overhead. Technology consolidation is not limited to one technology area or even to a closely related set of technologies; these consolidations are happening in parallel across many security areas.

There may still be some customers — such as those with full-blown Security Operation Centers and Incident Response teams, who still have many applications hosted in physical data centers — for whom a best-of-breed approach may be the way to go. (However, even in this case, security assessment and ROI need to be considered to lower the TCO.)

But for many customers, particularly those with distributed enterprises covering multiple branches and those with many cloud-native applications, a single-platform vendor that offers SASE, CASB, NGFW and endpoint protection solutions makes much more sense.

Over the past four years, SonicWall has introduced countless new security products and innovations. Our product portfolio now includes offerings that scale to businesses of all sizes and provide industry-leading performance at a lower TCO.

SonicWall’s solutions are well suited to either a best-of-breed approach or a single-vendor strategy. For more details on SonicWall’s security platform, please visit our website: https://www.sonicwall.com/capture-cloud-platform/.

Cybersecurity News & Trends

Here’s your summary of curated cybersecurity news and trends from leading media and IT security bloggers.

The mid-year update to the 2022 SonicWall Cyber Threat Report continues to garner press hits while other SonicWall news (delivery of Wi-Fi 6 Wireless Access Points) rises to the top of the cycle. Industry News was shaken up with the discovery that Microsoft’s multi-factor authentication was hacked by a Russian group called Nobelium. The MFA hack is our Big Read for the week with sources from Microsoft, ZDNet, TechRadar, and Bleeping Computer. In other news, from Hacker News, SMS-based phishing attacks against employees at Twilio, Cloudflare and other companies were part of an extensive smartphone attack campaign. From TechMonitor, the LockBit ransomware group was targeted with a DDoS attack after they released hacked Entrust data. And according to Bleeping Computer, hackers use a zero-day bug to steal more crypto from Bitcoin ATMs.

Remember that cybersecurity is everyone’s business. Be safe out there!

SonicWall News

SonicWall Ships Wi-Fi 6 Wireless Access Points

Channel Pro Network, SonicWall News: SonicWall has introduced a pair of remotely manageable Wi-Fi 6 access points designed to secure wireless traffic while boosting performance and simplifying connectivity. The SonicWave 641 and SonicWave 681, part of the vendor’s new SonicWave 600 series, are based on the 802.11ax standard, which according to SonicWall can increase overall wireless throughput by up to 400% compared to Wi-Fi 5 technology and reduce latency by up to 75%.

10 States Most at Risk for Malware Attacks

Digital Journal, SonicWall News: Malware attacks—when an intruder tries to install harmful software on the victim’s computer without their knowledge—are a huge problem around the world. Beyond Identity collected data from the 2022 SonicWall Cyber Threat Report to rank the top 10 US states that are the most at risk for malware attacks.

Managing Risk: Cloud Security Today

Silicon UK, Bill Conner Quoted: GCHQ advisor and cybersecurity veteran at SonicWall, Bill Conner, commented on the rise in attacks: “We are dealing with an escalating arms race. At the same time, threat actors have gotten better and more efficient in their attacks. They are now leveraging readily available cloud tools to reduce costs and expand their scope in targeting additional attack vectors. The good news is, that the cybersecurity industry has gotten more sophisticated in identifying and stopping new ransomware strains and protecting organizations.”

Norway’s Oil Fund Warns Cybersecurity is Top Concern

The Financial Times, Bill Conner Quoted: Perpetrators can range from private criminal groups to state-backed hackers. Russia, China, Iran and North Korea are the most active state backers of cyber aggression, according to Bill Conner, executive chairman at SonicWall. “As sanctions go up, the need for money goes up as well,” he said. A cyber security expert who advises a different sovereign wealth fund said the “threat landscape” for such groups was “massive.” “When it comes to ransomware, about half of network intrusions are phishing attempts and the other half are remote access attacks using stolen credentials. You’ve also got insider threats [involving] someone with a USB drive, and sometimes people with access are just bribed,” he added.

How to be Ransomware Ready in Four Steps

Security Boulevard, SonicWall Threat Report Mention: 2021 was a breakout year for ransomware, growing 105% and exceeding 623.3 million attacks, according to SonicWall’s 2022 Cyber Threat Report.

SonicWall’s New CEO on M&A, Channel Commitment and the Biggest Cyber Threats

CRN, SonicWall Mention: Bob VanKirk took command of the platform security vendor on Aug. 1, six years after the company’s spin-off from Dell Technologies.

New SonicWall CEO Bob VanKirk on XDR, SASE & Going Upmarket

Information Security Media Group, SonicWall Mention: New CEO Bob VanKirk wants to capitalize on SonicWall’s distributed network technology and strength in the education and state and local government sectors to expand beyond the company’s traditional strength with small and mid-sized businesses and into larger enterprises. VanKirk says the company’s new high-end firewalls and security management capabilities should be a natural fit for larger customers.

Basingstoke’s Racing Reverend ready for Silverstone Classic

Basingstoke Gazette, SonicWall Mention: Simons Le Mans Cup program is supported by a number of companies including Asset Advantage, SonicWall and The Escape.

Is the drop in ransomware numbers an illusion?

The Washington Post, SonicWall Threat Report Mention: Also in July, SonicWall, NCC Group and GuidePoint Security pointed to decreases across the board, although the companies covered various time periods.

SonicWall Capture ATP Receives 100% ICSA Rating for Threat Detection Again

InfoPointSecurity (Germany), SonicWall News: SonicWall Capture Advanced Threat Protection (ATP) has once again achieved 100% threat detection at ICSA Labs Advanced Threat Defense certification for the second quarter of 2022 – for the sixth time in a row.

How will the crypto crash affect ransomware attacks and payments?

SC Magazine, Threat Report: Ransomware attacks dropped 23% globally from January to June, according to U.S. cybersecurity firm SonicWall’s 2022 mid-year cyber threat report. Though this time period overlaps with crypto’s bear market, many experts emphasize that the political conflict between Russia and Ukraine is the biggest factor in ransomware’s decline.

Industry News

Big Read: Attackers are Circumventing Microsoft’s Multi-Factor Authentication

Various Source: According to ZDNet, TechRadar, Bleeping Computer, Microsoft recently discovered that a Russian-based threat group called Nobelium could gain access to systems and bypass multifactor authentication. Microsoft is asking Windows administrators limit and restrict access to Active Directory servers.

The attackers can gain administrative rights to Active Directory Federated Services servers using a tool called MagicWeb. They replace a legitimate DLL file with one of theirs. This tool allows Active Directory authentication tokens to be modified, which allows hackers to log in as any user to bypass multifactor authentication. Hackers have long sought administrative access to servers and domain controllers like Active Directory. These must be isolated and accessible only to designated admin accounts. They also need to be regularly monitored for changes. It is important to keep servers updated with the most recent security updates and take steps to prevent attackers from lateral movement.

According to Bleeping Computer, the campaign started June 2022 when analysts noticed a spike in phishing attempts against specific business sectors (ex: credit unions) and users of Microsoft email services.

TechRadar adds that the source of the vulnerability is still Log4Shell, which was one of the largest and potentially most devastating vulnerabilities to ever be discovered. The flaw is still being leveraged by threat actors more than half a year after it was first observed and patched. Attackers used the flaw on SysAid applications, which is a relatively novel approach according to analysts, noting that while other hacks use Log4j 2 exploits with vulnerable VMware apps, using SysAid apps as a vector for initial access is new.

ZDNet reports that if there’s no additional verification around the MFA enrollment process, anyone who knows the username and password of an account can apply multi-factor authentication to it, so long as they are the first person to do so – and hackers are using this to gain access to accounts. In one instance, attackers attributed to APT29 gained access to a list of undisclosed mailboxes they obtained through unknown means and successfully managed to guess the password of an account that had been set up, but never used.

Twilio Suffers Cybersecurity Breach After Employees Fall Victim to SMS Phishing Attack

Hacker News: Customer engagement platform Twilio on Monday disclosed that a “sophisticated” threat actor gained “unauthorized access” using an SMS-based phishing campaign aimed at its staff to gain information on a “limited number” of accounts.

The SMS phishing attacks were also directed against employees at Cloudflare, and other companies were part of an extensive smartphone attack campaign. Reports say that almost 10,000 people have fallen into the scheme to steal their credentials. They were mainly in the United States. Three of the targeted companies were in Canada. Most organizations use Okta’s access and identity management software. They received texts containing links to fake websites that mimicked Okta’s authentication page. The hackers obtained their usernames, passwords, and login credentials when they logged into the system. It is still not clear how the hackers got a list with targets and mobile phone numbers. Two critical lessons from this incident: One is that administrators must continually remind users/employees about the dangers of logging in from links in emails and text messages, and two is that companies must recognize the risk of continual use of SMS-based multifactor authentication.

The social-engineering attack was bent on stealing employee credentials, the company said, calling the as-yet-unidentified adversary “well-organized” and “methodical in their actions.” The incident came to light on August 4.

LockBit Ransomware Group Targeted with DDoS Attack After Entrust Data Leak

TechMonitor: Ransomware gang LockBit says it has been hit with a distributed denial of service (DDoS) attack, which appears to have knocked its leak site offline. The attack comes after the gang claimed responsibility for a hack on security giant Entrust earlier this year. The DDoS attack on LockBit’s darkweb server, which hosts leaks from companies the gang has attacked, began yesterday, and according to analysts, the gang has been receiving 400 requests a second from over 1,000 servers.

Hackers Steal Crypto from Bitcoin ATMs by Exploiting Zero-Day Bug

Bleeping Computer: Hackers have exploited a zero-day vulnerability in General Bytes Bitcoin ATM servers to steal cryptocurrency from customers. When customers would deposit or purchase cryptocurrency via the ATM, the funds would instead be siphoned off by the hackers. General Bytes is the manufacturer of Bitcoin ATMs that, depending on the product, allow people to purchase or sell over 40 different cryptocurrencies. The Bitcoin ATMs are controlled by a remote Crypto Application Server (CAS), which manages the ATM’s operation, what cryptocurrencies are supported, and executes the purchases and sales of cryptocurrency on exchanges.

In Case You Missed It

Why Organizations Should Adopt Wi-Fi 6 Now – David Stansfield

Vote for SonicWall in Computing Security Awards 2022 – Bret Fitzgerald

SonicWall Earns 2022 CRN Annual Report Card (ARC) Honor – Bret Fitzgerald

SonicWall Capture ATP Earns 100% ICSA Threat Detection Rating for Sixth Straight Quarter – Amber Wolff

Ten Cybersecurity Books for Your Late Summer Reading List – Amber Wolff

CoinDesk TV Covers Cryptojacking with Bill Conner – Bret Fitzgerald

First-Half 2022 Threat Intelligence: Geopolitical Forces Rapidly Reshaping Cyber Frontlines – Amber Wolff

2022 CRN Rising Female Star – Bret Fitzgerald

Enhance Security and Control Access to Critical Assets with Network Segmentation – Ajay Uggirala

Three Keys to Modern Cyberdefense: Affordability, Availability, Efficacy – Amber Wolff

BEC Attacks: Can You Stop the Imposters in Your Inbox? – Ken Dang

SonicWall CEO Bill Conner Selected as SC Media Excellence Award Finalist – Bret Fitzgerald

Cybersecurity in the Fifth Industrial Revolution – Ray Wyman

What is Cryptojacking, and how does it affect your Cybersecurity? – Ray Wyman

Why Healthcare Must Do More (and Do Better) to Ensure Patient Safety – Ken Dang

SonicWall Recognizes Partners, Distributors for Outstanding Performance in 2021 – Terry Greer-King

Anti-Ransomware Day: What Can We Do to Prevent the Next WannaCry? – Amber Wolff

CRN Recognizes Three SonicWall Employees on 2022 Women of the Channel List – Bret Fitzgerald

Enjoy the Speed and Safety of TLS 1.3 Support – Amber Wolff

Four Cybersecurity Actions to Lock it All Down – Ray Wyman

Understanding the MITRE ATT&CK Framework and Evaluations – Part 2 – Suroop Chandran

TightVNC Heap Buffer Overflow Vulnerability

Overview:

  TightVNC is a remote desktop software application. It lets you connect to another computer and display its live remote desktop or control the remote computer with your mouse and keyboard, just as you would sitting in front of that computer. Since it is designed to work out of a box, TightVNC can be very handy not only for system administrators and support service, but for all users who want to benefit from TightVNC. Like other VNC systems, it consists of two parts: the Server, which shares the screen of the machine it’s running on, and the Viewer, which shows the remote screen received from the server.

  A heap buffer overflow vulnerability has been reported in TightVNC vncviewer. This vulnerability is due to missing integer value validation in InitialiseRFBConnection in rfbproto.c.

  A remote attacker could exploit this vulnerability by sending a maliciously crafted message to a target user using TightVNC vncviewer.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-23967.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C).

  Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 9.4 (E:P/RL:U/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is unavailable.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  VNC uses the Remote Framebuffer (RFB) protocol; a simple protocol for remote access to graphical user interfaces that allows a client to view and control a window system on another computer.

  A heap buffer overflow exists in TightVNC. The problem occurs while collecting the desktop name from a ServerInit message in InitialiseRFBConnection(). The function calls ReadFromRFBServer() to read the ServerInit message fields excluding the variable sized name-string field. It calls malloc() using the name-length field, stored in si.nameLength, adding an additional byte to include the null termination. When a name-length value of the maximum 32 bit value (0xFFFFFFFF) is sent, an unsigned integer overflow occurs, causing malloc() to be called with a size of 0. The zero size buffer is then used to copy up to 0xFFFFFFFF bytes into the heap.

  A remote attacker could exploit this vulnerability by sending a maliciously crafted message to a target user using TightVNC vncviewer. Successful exploitation could lead to remote code execution under the security context of the client process, while an unsuccessful attack could lead to a denial-of-service condition.

  View RFB Protocol

Triggering the Problem:

  • The target system must have the vulnerable product installed.
  • The target must have network connectivity to the attacker port.

Triggering Conditions:

  The target connects to the attacker server, performs the protocol and security handshakes, sends the ClientInit message, and receives the malicious ServerInit message. The vulnerability is triggered when the affected product processes the ServerInit message.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • RFB

SonicWall’s, (IPS) Intrusion Prevention System, provides protection against this threat:

  • IPS: 18698 TightVNC Client Heap Buffer Overflow 2

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Filtering attack traffic using the signature above.
    • Blocking VNC connections traffic to untrusted hosts.
    • Avoid using the TightVNC client on Linux systems.
  At the time of writing, the vendor has not released a patch for this vulnerability.
  Bug Report

Why Organizations Should Adopt Wi-Fi 6 Now

Organizations are evolving — some more quickly, others more reluctantly. But over the past three years, the pace of change for everyone has accelerated to hyperspeed.

In early 2020, very few people could have foreseen the changes that were about to be unleashed on the world. And even fewer could have successfully predicted the long-term impact that COVID-19 would have on the way the world’s eight billion people live and work.

Prior to the pandemic, only about 2% of employees worked remotely. By May 2020, that number had risen to 70%, according to the Society for Human Resource Management. This pivot was possible because organizations were able to adjust their infrastructure to meet new working demands — and wireless technology played an important part in this solution.

The importance of wireless technology goes far beyond simply enabling employees to work remotely.  According to a study, 87% of organizations believe that adopting advanced wireless capabilities can be a competitive advantage, because it allows them to innovate and increase agility. And 86% of networking executives believe advanced wireless will soon transform their organization.

But wireless technology impacts more than just how we work: It has changed the way we shop, watch movies, listen to music, navigate in our cars, or spend time with family and friends (some of whom may be a half a world away). And every one of us expects a good experience every single time we use wireless. That’s a tall order, especially given the sheer number of existing devices and the ever-growing amount of bandwidth being consumed.

The need for high-performing, secure wireless technology has never been greater — and Wi-Fi 6 is a massive next step toward this reality. SonicWall’s SonicWave 641 and SonicWave 681 access points provide the combination of performance and security that we all demand.

What is Wi-Fi 6?

Wi-Fi 6, also known as 802.11ax, is the successor to 802.11ac Wave 2, or Wi-Fi 5. While the primary goal of Wi-Fi 6 is to enhance throughput in complex environments, there are additional benefits:

  • OFDMA’s multi-user support can make Wi-Fi 6 access points more efficient than Wi-Fi 5’s single-user OFDM. This results in lower latency.
  • Wi-Fi 6 utilizes WPA3, which provides advanced security features to enable more robust authentication.
  • BSS coloring marks traffic on a shared frequency to determine if it can be used. The result is less interference and more consistent service in complex environments.
  • Target Wake Time (TWT) allows devices to determine how often to wake to send or receive data, improving battery life.
  • Wi-Fi 6’s multi-user, multiple input, multiple output (or MU-MIMO) supports multiple users within a single network environment. This allows multiple users to upload and download data at the same time, resulting in less wait time and faster network speed.

Some of these features are designed to improve performance, while some are designed to improve security. Any one of them can make a positive difference in an organization’s wireless network.  Combined, however, the feature improvements provided by Wi-Fi 6 can create a significant wireless network advancement for any organization.

SonicWave 641 and SonicWave 681

SonicWall’s SonicWave 641 and SonicWave 681 are Wi-Fi 6 access points that deliver wireless performance and security that are superior to the 802.11ac standard.

But there are additional benefits available with the SonicWave 641 and SonicWave 681, such as SonicWall Capture Security Center, a scalable cloud security management system that helps you control assets and defend your entire network against cyberattacks.

SonicWave 600 series APs also integrate with Wireless Network Manager, an intuitive centralized network management system that leverages the cloud to make it easy to manage complex wireless and security environments with a single-pane-of-glass management portal.

WiFi Planner is a site-survey tool that allows you to optimally design and deploy a wireless network to get maximum coverage with the fewest number of APs, resulting in a lower TCO.

And the SonicExpress mobile app allows you to easily register and use the Wireless Network Manager to set up, manage and monitor SonicWall wireless appliances.

A strong wireless network is not a “nice to have” — it’s a necessity. What today’s organizations require is the high performance and security of the SonicWave 641 and SonicWave 681 access points.

To learn more about the SonicWave 641 and SonicWave 681 access points, as well as SonicWall’s entire wireless portfolio, visit www.sonicwall.com/wireless.

Vote for SonicWall in Computing Security Awards 2022

SonicWall is excited to announce that the company has been selected as a finalist in several categories for the Computing Security Awards 2022. We are privileged to be included alongside other admired companies — a testament to the loyalty of our customers and the dedication of our more than 17,000 global partners.

SonicWall was included in the finals of four categories:

  • Remote Monitoring Security Solution of the Year: SonicWall Capture Security Center
  • Security Hardware Solution of the Year: SonicWall NSa Firewall Series
  • New Security Hardware Product of the Year: SonicWall NSa Firewall Series
  • Web Application Firewall of the Year: SonicWall Web Application Firewall (WAF)

Voting is now open and ends Sept. 30, 2022. Please vote for SonicWall in each of the categories in which we are finalists. To access the Computing Security Awards 2022 portal, click here.

After entering your information in the predefined sections, you can vote for your favorite solution in each of the mentioned categories. Don’t forget to click the ‘Submit’ button. Only then will your answers be recorded. Please note that votes from personal email accounts, such as Hotmail, Gmail, Yahoo, etc., will not be counted.

Thank you in advance for voting for SonicWall.

Java based remote access trojan is being distributed via spam

Java based malware are not seen often, as they need Java Runtime Environment (JRE) to execute on a victim’s machine. Java based malware has an advantage of low detection rate than usual file type like Portable Executable (PE). The SonicWall Capture Labs Threat Research team has observed a JavaScript file inside an archive that is being delivered to the victim’s machine as an email attachment which further downloads Java based Remote Access Trojan (RAT) known as “STRRAT” to the victim’s machine.

First Layer JavaScript

The first layer JavaScript contains a pretty simple code which performs base64 decoding after replacing some characters in a string to get the second layer JavaScript:

Second Layer JavaScript

The second layer JavaScript is responsible for preparing environment and executing STRRAT on the victim’s machine. The malware contains a base64 encoded string which is decoded and dropped in to %APPDATA% folder. The dropped script is executed which only makes a comment “// Coded by v_B01 | Sliemerez -> Twitter : Sliemerez“:

The malware now decodes and drops the STRRAT into %APPDATA% directory with <random>.txt:

 

The malware retrieves the Java installation directory using registry entry, to prepare the path for java application executor (javaw.exe). The malware contains a code to make the persistence entry which is commented in this variant. The malware executes the STRRAT using java application executor:

 

If Java Runtime Environment (JRE) is not pre installed on to the victim’s machine, the malware downloads and installs the JRE from the web. Now the malware also makes the persistence entry and executes STRRAT:

 

STRRAT

The malware is obfuscated using “Allatori obfuscator v7.3 DEMO” version which on deobfuscator reveals the actual strings used by the malware. The malware retrieves the execution path of itself and if the malware fails in retrieving the path, the malware says “This PC is not supported” and terminates the execution. The malware creates a lock file to prevent multiple instances execution at a time. The malware looks for the dependency files into “%APPDATA%\lib” and “%USERPROFILE%\lib”, if they are already present:

 

If the dependency files are not present, the malware downloads them from web into “%USERPROFILE%\lib” and copies them to %APPDATA%\lib. The malware also copies itself into %USERPROFILE% and executes from there. The malware contains encrypted config.txt file but the file is not referenced in this variant of malware:

 

Persistence Entries

The malware makes persistence by creating schedule task, making run registry entry and copying itself into startup folder:

 

C&C Communication

The malware supports below commands from its C&C server:

  • reboot
  • shutdown
  • uninstall
  • disconnect
  • down-n-exec
  • update
  • up-n-exec
  • remote-cmd
  • power-shell
  • file-manager
  • keylogger
  • o-keylogger (Offline keylogger)
  • processes
  • h-browser
  • startup-list
  • remote-screen
  • rev-proxy
  • hrdp-new
  • hrdp-res
  • chrome-pass
  • foxmail-pass
  • outlook-pass
  • fox-pass
  • tb-pass (Thunderbird-pass)
  • ie-pass
  • all-pass
  • chk-priv
  • req-priv
  • rw-encrypt
  • rw-decrypt
  • show-msg (crimson_info.txt)
  • screen-on

Unavailability of the archive file in any of the popular threat intelligence sharing portals like the VirusTotal and the ReversingLabs indicates its uniqueness and limited distribution:

 

Evidence of detection by RTDMI ™ engine can be seen below in the Capture ATP report for this file:

SonicWall Earns 2022 CRN Annual Report Card (ARC) Honor

SonicWall is thrilled to share that CRN has named the company as one of the winners in the Enterprise Network Security category of the 2022 CRN Annual Report Card (ARC) Awards. This award honors the industry’s top technology vendors for success in providing high levels of satisfaction for channel partners through innovative products, services and partner programs — and SonicWall was rated as the top-performing channel provider for enterprise network security.

“As a 100% channel company, we remain completely committed to delivering our partners and customers with the absolute best products and support to face today’s increasingly complicated security challenges,” said SonicWall President and CEO Bob VanKirk. “We’re excited to be recognized by CRN, especially knowing that they celebrate best-in-class vendors that are committed to driving partner growth and demonstrating outstanding channel performance. SonicWall is uniquely positioned to help partners, including MSSPs, evolve and help facilitate their growth.”

The ARC Awards are based on an invitation-only research survey conducted by The Channel Company. Responses from 3,000 solution providers across North America were evaluated in this year’s survey, rating 82 vendor partners across four criteria: product innovation, support, partnership, and managed cloud services. Scores were awarded in 25 major product categories in technology areas that are critical to channel partner success.

SonicWall’s SecureFirst Partner Program and its industry-leading security products help partners and MSSPs exceed customer demands. More than 17,000 active SonicWall partners help protect our customers every day, and because of them SonicWall is one of the unquestioned leaders in the cybersecurity space.

“It’s our pleasure to honor vendors that consistently deliver top-performing products and services to establish and foster successful channel partner relationships,” said Blaine Raddon, CEO, The Channel Company. “In addition to highlighting our winners, CRN’s Annual Report Card Awards provide vendors with actionable feedback and insight into their current standing with partners that can be incorporated into their channel strategies in the future.”

Winners will be featured throughout The Channel Company’s XChange 2022 conference, taking place Aug. 21-23 in Denver, Colorado. Coverage of the CRN 2022 ARC results can be found online at www.CRN.com/ARC and will be featured in the October 2022 issue of CRN Magazine.

 

Cybersecurity News & Trends

A summary of curated cybersecurity news and trends from leading media and security bloggers in the IT industry.

The mid-year update to the 2022 SonicWall Cyber Threat Report was quoted in dozens of news publications, namely the Washington Post and the Financial Times, plus several other professional journals serving a wide range of industries. From Industry News, we focused on big stories from Washington Post on the drop in ransomware this year. But cybersecurity professionals are extremely cautious against calling this a victory. A story from Bleeping Computer reports a shocking discovery of Android malware apps with more than two million installs. Wall Street Journal and Radio Free Europe reported that a Russian accused of money laundering for the Ryuk ransomware gang was extradited to the US. And finally, this week’s Big Read: DDoS attacks are on the rise, with contributions from Al JazeeraCyberwireBleeping Computer and Hacker News.

Remember that cybersecurity is everyone’s business. Be safe out there!

SonicWall News

Is the drop in ransomware numbers an illusion?

The Washington Post, SonicWall Threat Report Mention: Also in July, SonicWall, NCC Group and GuidePoint Security pointed to decreases across the board, although the companies covered various time periods. See additional comments in “Industry News.”

SonicWall Capture ATP Receives 100% ICSA Rating for Threat Detection Again

InfoPointSecurity (Germany), SonicWall News: SonicWall Capture Advanced Threat Protection (ATP) has once again achieved 100% threat detection at ICSA Labs Advanced Threat Defense certification for the second quarter of 2022 – for the sixth time in a row.

How will the crypto crash affect ransomware attacks and payments?

SC Magazine, Threat Report: Ransomware attacks dropped 23% globally from January to June, according to U.S. cybersecurity firm SonicWall’s 2022 mid-year cyber threat report. Though this time period overlaps with crypto’s bear market, many experts emphasize that the political conflict between Russia and Ukraine is the biggest factor in ransomware’s decline.

Dutch Authorities Arrest Suspected Developer of Crypto Mixer Tornado Cash

The Financial Times, Bill Conner Quote: “If you look at this mixing capability . . . all [the government] is doing is inserting itself in the crypto supply chain to say, look, it can be used for good, for privacy, correct, but it can also be used for bad, which is what is alarming,” said Bill Conner, executive chair of SonicWall, a US cyber security group.

The Importance of Tech in Safeguarding Patient Health Information

CIO & Leader (India), SonicWall Byline: Patient care is shifting from treating acute medical problems to a new model: fostering ongoing wellness and quality of life. This transition is significantly transforming healthcare operational norms: today, there are many digital health innovations helping make patient-provider engagements more interactive, personalized and flexible throughout the patient-care continuum.

Cybersecurity: “Potentially real life or death situations”

Unleashed, Bill Conner Q&A: One of the report’s most shocking statistics was that there has been a 775% increase in global ransomware attacks in the health sector. Conner warns that this number of incidents is likely to go up again in the next 12 months before adding context into what is happening: ”COVID-19 challenged the resilience of the health care information systems – and bad actors were aware of this fact.”

ICYMI: Our Chanel News Roundup

ChannelProNetwork, Threat Report Feature: The midyear update to the 2022 SonicWall Cyber Threat Report charts the rise of global malware, including a 77% spike in IoT attacks, and a 132% rise in encrypted threats. The report found that cybercriminal activity increased at least partly in response to geopolitical strife. That meant a 63% increase in ransomware attacks in Europe with a focus on financial sector companies, despite a 23% reduction in attack volume worldwide.

SonicWall Threat Report Highlights Significant Changes in The Threat Landscape

Continuity Central, Threat Report: SonicWall has released a mid-year update to its 2022 SonicWall Cyber Threat Report. This shows an 11 percent increase in global malware, a 77 percent spike in IoT malware, a 132 percent rise in encrypted threats and a geographically-driven shift in ransomware volume as geopolitical strife impacts cybercriminal activity.

Ransomware Attacks Drop by 23% Globally but Increase by 328% in Healthcare

HIPAA Journal, Threat Report: SonicWall has released a mid-year update to its 2022 Cyber Threat Report, which highlights the global cyberattack trends in H1 2022. The data for the report was collected from more than 1.1 million global sensors in 215 countries and shows a global fall in ransomware attacks, with notable increases in malware attacks for the first time in 3 years.

Financial Firms See Huge Rise in Cryptojacking

Payments, Threat Report Feature: Cybersecurity firm SonicWall has released new data that shows that hackers are increasingly targeting financial firms such as banks and trading houses with cryptojacking attacks designed to use their computer systems to mine cryptocurrencies.

Reports Show Hackers Turning to Cryptojacking and DeFi to Siphon Crypto

Crypto News BTC, Threat Report Feature: In accordance with a current report issued by cybersecurity agency SonicWall, international incidents of cryptojacking hit document highs earlier this 12 months. Cryptojacking refers to a cyberattack during which hackers implant malware on a pc system after which surreptitiously commandeer that system to mine cryptocurrency for the good thing about the hackers.

How Deep Instinct Uses Deep-Learning to Advance Malware Prevention

VentureBeat, Threat Report Feature: According to SonicWall, there were 5.4 billion malware attacks in 2021. At the heart of the challenge is the fact that by the time a human analyst detects malicious activity in the environment, it’s already too late.

Industry News

Is the drop in ransomware numbers an illusion?

The Washington Post: Ransomware has been a major problem in cyberspace for years. Ripping off from victims billions of dollars is widely reported, but it can also cause panics about food, fuel, and possibly even the death of a child. However, ransomware has been showing signs of decline over the past few months. So, what’s behind these diminishing figures? As mentioned earlier, Washington Post notes SonicWall, among other companies, as sources for their story. While the story doesn’t quote the Mid-Year Update to the 2022 SonicWall Cyber Threat Report, it echoes a few key points from the report.

First, the changing geopolitical landscape have undoubtedly complicated cybercriminal activity, along with volatile cryptocurrency prices, and increased pressure from international law enforcement. However, while a decrease in ransomware volume is unquestionably good news, keeping this drop in perspective is essential. The amount of ransomware we’ve seen in the first half of 2022 has already eclipsed the full-year totals for each of the years 2017, 2018 and 2019, meaning we’re still far above pre-pandemic levels. The bottom line: ransomware may be down, but it certainly isn’t out.

Android malware apps with 2 million installs found on Google Play

Bleeping Computer: A new batch of thirty-five malware Android apps that display unwanted advertisements was found on the Google Play Store, with the apps installed over 2 million times on victims’ mobile devices. The apps were found by security researchers at Bitdefender, who employed a real-time behavior-based analysis method to discover the potentially malicious applications. Following standard tactics, the apps lure users into installing them by pretending to offer some specialized functionality but change their name and icon immediately after installation, making them difficult to find and uninstall.

Russian Accused of Money-Laundering Tied to Ryuk Ransomware Gang is Extradited to the US

Wall Street Journal: A Russian national who was extradited from the Netherlands to Portland, Ore., this week pleaded not guilty to charges of allegedly laundering cryptocurrency proceeds from ransomware attacks in the U.S. and abroad, the Justice Department said. Denis Dubnikov, a 29-year-old Russian, was arraigned in federal court in Portland, Ore., where he was arraigned and pleaded not guilty. If he is convicted, Dubnikov faces a maximum sentence of 20 years in federal prison; three years supervised release and a fine of $500,000. He and his co-conspirators laundered the proceeds of ransomware attacks on individuals and organizations throughout the U.S. and abroad.

According to Radio Free Europe/Radio Liberty, Dubnikov owns small crypto exchanges in Russia. In November, he was detained in the Netherlands after being denied entry to Mexico and put on a plane back to the EU country. The arrest has been one of U.S. law enforcement’s first potential blows to the Ryuk ransomware gang, which is suspected of being behind a rash of cyberattacks on U.S. healthcare organizations.

BIG READ: DDoS Are on the Rise

Various Sources: It’s not your imagination; distributed denial-of-service (DDoS) attacks are growing in frequency and in size.

Google Cloud just reported one attack that clocked 46 million requests per second (rps) which is the largest Layer 7 DDoS reported to date – more than 76% larger than the largest reported by Cloudflare earlier this year.

Not only do threat actors use infected routers, servers, and computers to launch a flood of requests to a website in denial-of-service attacks, they use the attacks to harass and divert the attention of IT security teams from cyber-attacks elsewhere on the network. For example, this attack on Google was carried out by a threat actor who assembled a botnet of more than 5,000 devices distributed across 132 countries.

Al Jazeera reported that Estonia repelled a wave of cyberattacks shortly after its government opted to remove Soviet monuments in a region with an ethnic Russian majority. According to government sources, the attack was the most extensive the country has faced in more than ten years and targeted both public and private organizations but was stopped, and hackers did not disrupt services.

Cyberwire reported a DDoS attack against Energoatom, the Ukrainian state operator of the country’s four nuclear power plants. Energoatom described the incident, which took place this week, as “powerful,” and that it was mounted from “the territory of the Russian Federation” and carried out by the Russian group Narodnaya Kiberarmya, the “popular cyber army,” a hacktivist front organization. Energoatom said the attack used 7.25 million bots and lasted about three hours.

According to Bleeping Computer, in September 2021, the Mēris botnet hammered Russian internet giant Yandex with an attack peaking at 21.8 million requests per second. Previously, the same botnet pushed 17.2 million RPS against a Cloudflare customer. And last November, Microsoft’s Azure DDoS protection platform mitigated a massive 3.47 terabits per second attack with a packet rate of 340 million packets per second.

To top it off, Hacker News reports that a new service called ‘Dark Utilities’ has already attracted 3,000 users for its ability to provide command-and-control (C2) services to commandeer compromised systems. The service offers remote access, command execution, distributed denial-of-service (DDoS) attacks and cryptocurrency mining operations on infected systems. Hacker News also reports that Dark Utilities emerged earlier this year, advertised as a “C2-as-a-Service” (C2aaS), offering access to infrastructure hosted on the clearnet and the TOR network and associated payloads with support for Windows, Linux, and Python-based implementations for a mere €9.99 or $10USD.

In Case You Missed It

SonicWall Capture ATP Earns 100% ICSA Threat Detection Rating for Sixth Straight Quarter – Amber Wolff

Ten Cybersecurity Books for Your Late Summer Reading List – Amber Wolff

CoinDesk TV Covers Cryptojacking with Bill Conner – Bret Fitzgerald

First-Half 2022 Threat Intelligence: Geopolitical Forces Rapidly Reshaping Cyber Frontlines – Amber Wolff

2022 CRN Rising Female Star – Bret Fitzgerald

Enhance Security and Control Access to Critical Assets with Network Segmentation – Ajay Uggirala

Three Keys to Modern Cyberdefense: Affordability, Availability, Efficacy – Amber Wolff

BEC Attacks: Can You Stop the Imposters in Your Inbox? – Ken Dang

SonicWall CEO Bill Conner Selected as SC Media Excellence Award Finalist – Bret Fitzgerald

Cybersecurity in the Fifth Industrial Revolution – Ray Wyman

What is Cryptojacking, and how does it affect your Cybersecurity? – Ray Wyman

Why Healthcare Must Do More (and Do Better) to Ensure Patient Safety – Ken Dang

SonicWall Recognizes Partners, Distributors for Outstanding Performance in 2021 – Terry Greer-King

Anti-Ransomware Day: What Can We Do to Prevent the Next WannaCry? – Amber Wolff

CRN Recognizes Three SonicWall Employees on 2022 Women of the Channel List – Bret Fitzgerald

Enjoy the Speed and Safety of TLS 1.3 Support – Amber Wolff

Four Cybersecurity Actions to Lock it All Down – Ray Wyman

Understanding the MITRE ATT&CK Framework and Evaluations – Part 2 – Suroop Chandran

Five Times Flawless: SonicWall Earns Its Fifth Perfect Score from ICSA Labs – Amber Wolff

NSv Virtual Firewall: Tested and Certified in AWS Public Cloud – Ajay Uggirala

How SonicWall’s Supply-Chain Strategies Are Slicing Wait Times – Amber Wolff

Cisco ASA and FTD Directory Traversal Vulnerability

Cisco ASA is a security device that combines firewall, antivirus, intrusion prevention, and virtual private network (VPN) capabilities. Cisco Adaptive Security Appliance (ASA) software is the core operating system for the Cisco ASA family.

Directory Traversal Vulnerability
A directory traversal attack aims to access files and directories that are stored outside the web root folder. It does this by manipulating variables that reference files with dot-dot-slash sequences. A directory traversal vulnerability exists in Cisco’s Adaptive Security Appliance software and Firepower Threat Defense software web services. The vulnerability is due to improper validation of user input.

Cisco ASA and FTD Directory Traversal Vulnerability |CVE-2020-3452
The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by a vulnerable device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device.
Some examples of exploits:

A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. An attacker could impersonate another VPN user and establish a Clientless SSL VPN or AnyConnect VPN session to the device as that user. The attacker can view files within the web services file system.

SonicWall Capture Labs provides protection against this threat via following signatures:

  • IPS 15716:Cisco ASA and FTD Directory Traversal 1
  • IPS 15717:Cisco ASA and FTD Directory Traversal 2

This vulnerability is patched.
Threat Graph

Android Adware reappears on third party after being taken down from the Google play store

SonicWall Capture Labs Threat Research team has been observing Android adware that were available on the Google play store, they are now removed from the play store but are still being distributed via third-party platforms. Hidden Adware continuously shows advertisements, some of which contain download links and lead to false clicks, and users end up with unwanted applications.

Fig1:Application removed from  Google Play Store

 

Fig2: Malicious applications available on third-party store

 

Infection Cycle:

After installation, the application changes its icon to a blank icon without a name, making it difficult for the user to identify which application is showing advertisements.

Fig3: Application icon change

 

Here <activity-alias> is used to change to a blank icon from the original icon and then launch the same application to perform Adware activities as shown in the below code snippet.

Fig4: Use of activity alias tag

 

After installation, multiple advertisements start showing with a long waiting time to close and this is a recurring action.

Fig5: Multiple Advertisement

 

This adware pretends to be protecting from harmful applications and shows a constant message in the status bar to get the benefit of doubt and remains unidentified source of advertisement.

Fig6: Message in the status bar

 

Similarly to persuade as an optimizer application Adware shows a notification after every new application installation.

Fig7: Pop up after new application installation

 

Sensitive device information(IMEI number, location etc) accessed by adware is shown in below code snippet.

Fig8: Access device information

 

To check the resource utilization, we tested after the device factory reset and the battery usage as compared to other applications was very high due to a huge number of advertisements.

 

Fig9: Battery usage

 

The problem caused by Adware:

  • Difficult to identify and uninstall the application.
  • Due to intensive resource usage device speed goes down and applications start crashing.
  • The battery starts draining quickly.
  • Leads to high internet usage.

 

SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.

Indicators of Compromise (IOC):

87fb25e1087b14c5da692667000f04615d90525277fcdc316ef7c6f0326c1bcf

b97b648b29f824a2abd3f84484249807ec00acb50d7aa914a059b34f6590a657

f68ca1129a5e57bdad18301100ee7a3f2ee3864362a9d939e78db09d8c10e6a2

87267d97fa3aa3eb55465021ad615ccf28b9f595053980f31ad804df49b2223c