SonicWall Recognizes Bill Conner for Transition of Business, Impact on Cybersecurity Industry

Led by former President and CEO Bill Conner, SonicWall experienced more than six years of record growth and profitability. Conner, whose tenure as Executive Director of SonicWall’s Board of Directors concluded at the close of January 2023, has dedicated years of his career to cybersecurity — with many more likely to come — and laid out the path for the company’s future growth.

“I am passionate about security and the positive impact that security has protecting people, data, information, governments and economies,” Conner once told Authority Magazine.

And the impact of that passion is clear. Conner’s leadership helped reshape SonicWall at a pivotal time. It included:

  • Relaunching the SonicWall brand in 2016
  • Rebuilding the global channel ecosystem
  • Innovating critical virtual and cloud capabilities, including a 15% increase in cloud revenue and key subscription services
  • Introducing the progressive Boundless Cybersecurity model
  • Releasing SonicWall’s market-leading RTDMI™ technology, which discovers hundreds of thousands of never-before-seen malware variants each year
  • Successfully delivering a full suite of Generation 7 cybersecurity products and solutions

“During my time with SonicWall, I was fortunate to lead an incredible team that delivered unprecedented financial performance, including more than eight consecutive quarters of double-digit top-line and bottom-line growth,” said Conner. “I couldn’t be happier with what was built at SonicWall while I was here, and the path that is now set for the company’s customers and partners for many years ahead.”

With a career spanning more than 30 years across high-tech industries, Conner is a seasoned global leader in cybersecurity, data protection and network infrastructure. He has re-engineered product lines, built world-class service organizations, re-aligned global sales organizations, and created industry-leading marketing campaigns.

“The SonicWall team is grateful for Bill’s tenacity, leadership and vision,” said SonicWall President and CEO Bob VanKirk. “Personally, I can’t thank Bill enough for his dedication to the company, but also sharing his experience with me for over 20 years working together.”

A staunch supporter of public-private cybersecurity partnerships, Conner regularly shares expertise with global leaders at major financial institutions, enterprises and governments. Conner has been quoted or featured in major global publications and television programs including The Financial Times, BBC News, Forbes, The Register, VentureBeat, The Hill and the Dallas Morning News.

Key Milestones:

  • November 2016: SonicWall formally spun out of Dell Software and acquired by Francisco Partners and Elliott Management. Conner announced by Francisco Partners as the company’s new President and CEO.
  • March 2017: SonicWall introduced the SecureFirst Partner Program. Within its first 150 days as an independent company under new CEO Conner, SonicWall saw unprecedented growth in partner engagement with over 10,000 registered SonicWall partners.
  • June 2017: SonicWall announced that it surpassed aggressive financial and operational metrics shipping its three millionth firewall. SonicWall earned 19 industry awards for its strategy, portfolio and leadership.
  • September 2017: SonicWall named Cybersecurity Company of the Year by CyberSecurity Breakthrough. There were more than 2,000 nominations from over 12 different countries throughout the world, and all nominations were evaluated by an independent panel of experts within the information security industry.
  • January 2018: SonicWall drove record numbers during its inaugural year of its SecureFirst Partner Program. The program, which launched in November 2016, grew 500% with more than 21,000 registered partners, 7,700 of which were new to SonicWall at the time.
  • May 2018: SonicWall continued to surpass the expectations set, which facilitated a recap accelerated by aggressive growth of the SonicWall Capture Advanced Threat Protection (ATP) service. Year-over-year, the multi-engine cloud sandbox service saw 188% revenue growth and a 150% increase in attachment rates.
  • January 2019: SonicWall announced plans to expand its global sales team and increase its marketing investment as the company continued to generate significant business momentum. SonicWall continued its launch of a range of new products and service enhancements.
  • April 2020: Already in position to help organizations remain operational during the COVID-19 pandemic, Conner introduced SonicWall’s Boundless Cybersecurity model designed to secure organizations that are increasingly remote, mobile, and less secure, and empower organizations and businesses to close the growing cybersecurity business and skills gaps.
  • November 2021: Filling an urgent need for greater cybersecurity, SonicWall launched SonicOS 7 and 17 new firewalls in less than 18 months.
  • April 2022: The SonicWall Capture ATP service earned its fifth consecutive perfect score in independent ICSA Labs Advanced Threat Defense (ATD) certification testing across the last five quarters. At the time, no other participating vendor had ever achieved two consecutive perfect scores.
  • May 2022: Bill Conner was nominated by SC Awards as a Security Executive of the Year Finalist. Executives recognized in this category were influential in the cybersecurity development community, with a history of leadership in companies that have their pulse on the needs of users and a proven track record of delivering products and services that meet the requirements of businesses large and small.
  • July 2022: Leaning into the next phase of the company’s growth, Bill Conner takes on the strategic role of Executive Chairman of SonicWall’s Board of Directors.

Conner also earned many accolades during his six-year tenure, including:

SonicWall has been extremely fortunate to have Conner’s leadership for over six years as he navigated the challenges and opportunities of SonicWall’s divestiture from Dell and Quest, and the reestablishment and growth of its brand and business.

Conner’s passion for delivering high-quality and world-class cybersecurity solutions that are accessible to organizations of all sizes will be part of his lasting legacy. This vision ensures SonicWall is positioned to accelerate the business — and empower its global partner base — for future growth.

SonicWall’s Jason Carter and Matt Brennan Earn 2023 CRN Channel Chief Recognition

SonicWall Chief Revenue Officer (CRO) Jason Carter and Vice President Americas Channel Sales Matt Brennan have been named to CRN’s 2023 Channel Chiefs list. Every year, CRN honors the IT channel executives who drive channel success and evangelize the importance of channel partnerships within the IT industry.

“As we monitor and adjust to the economy and business dynamics, we recognize that we must consider those impacts on our partners, and how we can collectively address them together,” said SonicWall President and CEO Bob VanKirk. “To counter challenges with the economy, we’ve rolled out programs to our partners which deliver key cost-savings based upon our industry leading TCO. SonicWall is proud to be a 100% channel company and we’re grateful to CRN for recognizing our executive sales team, who tirelessly work to ensure our partners are successful today and into the future.”

The 2023 CRN Channel Chiefs were selected by the editorial staff based on their record of business innovation and dedication to the partner community. The 2023 accolade represents the top IT executives responsible for building a robust channel ecosystem.

“Once again, this year’s list gives well-deserved recognition to the IT Channel Chiefs who are dedicated to driving the channel agenda and advocating for the development of strong channel partnerships,” said Blaine Raddon, CEO of The Channel Company. “Under their exceptional leadership, influence and innovation, the IT channel vendor community continues to deliver solutions and services that meet the rapidly evolving needs of their solution provider partners and their customers.”

As CRO for SonicWall, Jason Carter is responsible for driving top-line sales across SonicWall’s global distribution network and oversees the teams, strategy and execution related to SonicWall’s global partner success.

Brennan drives the development of SonicWall’s NOAM channel efforts. He leads the implementation of the company’s modern channel strategy to build a sustainable competitive advantage for SonicWall’s partners.

CRN’s 2023 Channel Chiefs list will be featured in the February 2023 issue of CRN Magazine and online at www.CRN.com/ChannelChiefs.

Berbew Backdoor Spotted In The Wild

This week, the SonicWall Capture Labs Research team analyzed a sample of Berbew, a trojan that has been seen in use alongside Download.Ject and FormBook to steal user passwords for banking and other financial institutions. Berbew acts as both an infostealer and a proxy, allowing command and control (C2) activity or the routing of additional malware.

Analysis

Berbew has previously been reported as a second-stage payload, delivered once a first stage has infiltrated a target by way of an exploit: Download.Ject targeted Microsoft IIS services, while FormBook is transmitted via phishing email attachments. Static analysis shows that the file is 56kb in size with a timestamp set in the year 2036.

Figure 1: Future creation date

There are several additional red flags in the file’s sections, each of which is named with a random alphanumeric string. Two of these sections are also self-modifying, a method malware can use to change its own code at runtime. The second section (.E9Mdns0) also contains virtualized code, a protective measure against analysis, but it is empty before runtime, meaning that its data is inserted during execution. The last item to note is that the entry point is set within the section ‘.neYm’; this is atypical because the entry point is generally in the first section of a program.

Figure 2: Items to note, 1) section names, 2) self-modifying sections, 3) virtualized code, 4) entry-point address

The strings give additional context as to what the program can do. WININET.DLL is a networking library, which here appears to be used to read from URL entries. The program has the ability to read, write and search registry entries, as shown by the ‘Reg’ values among the strings, as well as to obtain security settings on the system.

Figure 3: Berbew program strings

At runtime, the executable drops 934 files within ‘C:\Windows\SYSWOW64’ and executes between 23 and 25 of them in sequence. Of the files dropped, 467 are duplicates of the main executable, with the other half being DLL files. They follow a naming scheme of either six alphabetic characters followed by ‘32.exe’, or eight alphabetic characters (this applies to both the .EXE and .DLL files). A hook is set up for capturing data using ‘DirectDrawCreateEx’, which allows for saving keyboard, mouse, clipboard, and screen activity.

Figure 4: Runtime sequence of dropped executables

In addition, there are also registry keys written for persistence:
– HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Web Event Logger
– HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
– HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

These will be triggered on restart to load one of the dropped DLL files and restart the program. The dropped DLL files are all identical to each other and only 7kb in size.
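The dropper behaviour and the ShellServiceObjectDelayLoad persistence described above can be turned into a host triage check. The following is an added example, not code from the SonicWall analysis: it scans a directory listing for the dropped-file naming scheme, clusters scheme-matching files by hash (the hundreds of identical copies are the real signal, since legitimate files such as kernel32.dll also fit the name pattern), and then checks ShellServiceObjectDelayLoad values against the CLSID quoted above. The listing, the registry values and the second CLSID are constructed sample data.

```python
import re
from collections import defaultdict

# Naming scheme of the dropped files as described in the analysis: six letters
# followed by "32", or eight letters, with an .exe or .dll extension.
NAME_RE = re.compile(r"^(?:[A-Za-z]{6}32|[A-Za-z]{8})\.(?:exe|dll)$")

# Persistence key and CLSID quoted in the analysis above.
SSODL_KEY = r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
BERBEW_CLSID = "{79FEACFF-FFCE-815E-A900-316290B5B738}"


def matches_naming_scheme(filename):
    """True if the name fits the dropper's scheme. Legitimate files such as
    kernel32.dll and advapi32.dll fit it too, so this alone is not a verdict."""
    return NAME_RE.match(filename) is not None


def find_drop_clusters(entries, min_cluster=20):
    """entries: iterable of (filename, sha256) from a SysWOW64 listing.
    Groups scheme-matching files by hash and returns {sha256: [names]} for
    each hash shared by at least min_cluster files. Hundreds of identical
    copies under random names is the behaviour described above; distinct
    legitimate *32.dll files never form such a cluster."""
    by_hash = defaultdict(list)
    for name, digest in entries:
        if matches_naming_scheme(name):
            by_hash[digest.lower()].append(name)
    return {h: sorted(n) for h, n in by_hash.items() if len(n) >= min_cluster}


def check_ssodl(ssodl_values, inproc_servers, clusters):
    """ssodl_values: {value_name: clsid} read from SSODL_KEY.
    inproc_servers: {clsid: InProcServer32 default value} from the Classes hive.
    clusters: output of find_drop_clusters.
    Returns (value_name, clsid, reason) for every entry that either uses the
    known CLSID or loads a DLL belonging to a dropped-file cluster."""
    dropped = {n.lower() for names in clusters.values() for n in names}
    findings = []
    for value_name, clsid in ssodl_values.items():
        clsid = clsid.upper()
        server = inproc_servers.get(clsid, "")
        dll = server.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if clsid == BERBEW_CLSID:
            findings.append((value_name, clsid, "CLSID matches the Berbew persistence entry"))
        elif dll in dropped:
            findings.append((value_name, clsid, f"InProcServer32 loads dropped file {dll}"))
    return findings


def _constructed_name(i, letters, suffix):
    # Deterministic letters for the constructed sample listing below.
    return "".join(chr(ord("a") + (i * 7 + k * 11) % 26) for k in range(letters)) + suffix


# Constructed sample data: three genuine system DLL names with distinct hashes,
# 25 copies of the main executable sharing one hash, 25 copies of the dropped
# DLL sharing another. The "WebCheck" CLSID below is a placeholder, not a real one.
SAMPLE_LISTING = (
    [("kernel32.dll", "1111"), ("advapi32.dll", "2222"), ("ntdll.dll", "3333")]
    + [(_constructed_name(i, 6, "32.exe"), "AAAA") for i in range(25)]
    + [(_constructed_name(i, 8, ".dll"), "BBBB") for i in range(25)]
)
SAMPLE_SSODL = {
    "WebCheck": "{00000000-0000-0000-0000-000000000001}",
    "Web Event Logger": BERBEW_CLSID,
}
SAMPLE_INPROC = {
    "{00000000-0000-0000-0000-000000000001}": "C:\\Windows\\SysWOW64\\webcheck.dll",
    BERBEW_CLSID: "C:\\Windows\\SysWOW64\\" + _constructed_name(3, 8, ".dll"),
}


def triage(entries, ssodl_values, inproc_servers):
    """Run both checks and return (clusters, findings)."""
    clusters = find_drop_clusters(entries)
    return clusters, check_ssodl(ssodl_values, inproc_servers, clusters)


if __name__ == "__main__":
    clusters, findings = triage(SAMPLE_LISTING, SAMPLE_SSODL, SAMPLE_INPROC)
    for h, names in clusters.items():
        print(f"{len(names)} scheme-matching files share hash {h}: {names[:3]} ...")
    for value_name, clsid, reason in findings:
        print(f"{SSODL_KEY}\\{value_name} -> {clsid}: {reason}")
```

On a live host the listing would come from hashing the contents of C:\Windows\SysWOW64 and the two dictionaries from reading the registry keys listed above.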

Figure 5: Detection of dropped DLL


When a financial website is visited, or during regular use, the system displays prompts to change passwords. This information is then relayed to one of the URLs held in memory; however, no connections are made until data has been collected.

SonicWall Capture Labs provides protection against this threat via the following signature:

GAV: Berbew.F (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.


IOCs

Sample 1
MD5: 7350C5C9F3020FB201AD2184453DBBAC
SHA1: C68E9514A58D803C65647191153F35BD742A7463
SHA256: BCC12EEF62B196293032ECB05804510474A276B9A12DD70248F55EFFD405474C
Size: 56kb

Sample 2
MD5: FE1AE2707A3D86E7EF8B921A77D571EB
SHA1: 01F484BA1B4B28555FD8DD959A428C94A652443D
SHA256: 73AE10E87168EA0F543C0CFE23B1BA71726AC597E52F06075432EFE30FDED843
Size: 7kb


Zoho ManageEngine SAML Response RCE Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  ManageEngine is a subsidiary of Zoho Corporation that provides IT management software for businesses. The company offers a range of products for network, systems, applications, security, and service desk management. ManageEngine’s solutions aim to help organizations simplify and automate their IT operations, allowing them to focus on their core business objectives.

  Apache Santuario is an open-source implementation of the XML Security specifications. It provides a library for securing XML documents, including signing and encryption, and offers a secure and stable XML security solution. Santuario is used by various software projects, including the Apache Axis2 Web services engine, to secure their XML communications. It is part of the Apache Software Foundation and is governed by its open-source community.

  A remote code execution vulnerability has been reported in multiple Zoho ManageEngine products. The vulnerability is due to an outdated version of Apache Santuario in the impacted products allowing an attacker to execute XSLT in SAML response messages.

  A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted request to the target server. Successful exploitation could result in arbitrary code execution under the security context of SYSTEM.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-47966.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C).

  Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 9.3 (E:F/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is functional.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  Before understanding this vulnerability it’s important to research the key technologies below:

    1. SAML SSO (Security Assertion Markup Language Single Sign-On)
    2. SAML 2.0
    3. XSLT (eXtensible Stylesheet Language Transformations)
    4. Apache Xalan

  SAML SSO is a protocol that allows users to authenticate to multiple web applications using a single set of credentials. This technology provides a secure and convenient way for users to access multiple web applications with a single login, which is managed by a central identity provider. SAML SSO eliminates the need for users to remember and manage multiple sets of login credentials, which can improve the user experience and reduce the risk of password-related security breaches.

  SAML 2.0 is the latest version of the SAML standard and includes a number of improvements over SAML 1.1, making it the dominant standard for SSO. SAML 2.0 provides greater security, improved encryption and signing, and a more flexible data format, making it well-suited to a wide range of use cases. This technology is widely adopted by organizations of all sizes and is supported by a large number of identity providers and service providers.

  XSLT is a language used to transform XML (eXtensible Markup Language) documents into other formats. XSLT is used to define a set of rules for transforming the structure and content of an XML document into a different format that can be more easily displayed or processed. This technology is commonly used in conjunction with XML to create dynamic, data-driven websites, generate reports, and transform XML data into other formats for data exchange between systems. XSLT provides a powerful way to manipulate and display XML data, making it an essential tool for many XML-based applications.

  Apache Xalan is an open-source implementation of the XSLT and XML Path Language (XPath) standards. It provides a library for transforming XML documents into other formats, such as HTML, plain text, or XML with a different structure. Apache Xalan is written in Java and is part of the Apache XML Project, which is maintained by the Apache Software Foundation. This technology is widely used in a variety of applications for transforming and processing XML data, including for generating reports, transforming data for data exchange between systems, and creating dynamic, data-driven websites. Apache Xalan provides a high-performance, flexible, and easy-to-use solution for transforming XML data.

  The vulnerability is due to the server processing user-supplied XSLT transformations received in SAML responses. When an identity provider authenticates a user through SAML SSO on Key Manager Plus, it will send a request to the endpoint “/saml2” on the server, which is processed by the function service().

  Before a transformation is executed, the function checkSecureValidation() is called. This function checks whether secureValidation in the Transform object is set to “true” and whether the “Algorithm” attribute of the “Transform” XML element is set to “http://www.w3.org/TR/1999/REC-xslt-19991116”, which corresponds to an XSLT transformation. If both are true, the function throws an exception, as XSLT transformations are forbidden when secureValidation is enabled. If checkSecureValidation() does not throw an exception, the functions t.performTransform() and transformSpi.enginePerformTransform() are called to execute the transform.

  The function enginePerformTransform() is called to execute the XSLT transformation. It calls selectNode() to find the stylesheet XML element containing the transformation. TransformerFactory.newInstance() is then called to create a TransformerFactory object, and setFeature() is called on that object with the parameters “http://javax.xml.XMLConstants/feature/secure-processing” and “Boolean.TRUE” to enable secure processing in Apache Xalan, where the XSLT will be executed. Finally, transform() is called to execute the XSLT in the Transform element. However, the version of Apache Xalan included in the impacted version of Key Manager Plus is vulnerable to CVE-2014-0107. This vulnerability allows an attacker to bypass some of the restrictions imposed by secure processing on a TransformerFactory object by using certain attributes, such as “content-handler”, that can load arbitrary classes, possibly leading to arbitrary code execution.

  As secureValidation in the included version of Apache Santuario is set to false by default, and secure processing can be bypassed in the included version of Apache Xalan, an attacker can send a crafted SAML response to the target containing an XML “Transform” element that carries an arbitrary XSLT transformation.
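The rule that checkSecureValidation() applies when secureValidation is on (reject a ds:Transform whose Algorithm is the XSLT URI) can also be enforced before a SAML response ever reaches the signature library. The following is an added example, not code from ManageEngine or Apache Santuario: it decodes a POSTed SAMLResponse parameter, walks every ds:Transform, and rejects XSLT transforms, algorithms outside an allowlist, and embedded xsl:* content, failing closed on malformed input. Both SAML responses are constructed samples (the XSLT one carries only an inert template), and the allowlist of transform algorithms is an assumption about what a signed SAML 2.0 response legitimately needs; upgrading to a fixed version and enabling secureValidation in the library remain the actual remediation.

```python
import base64
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
XSL_NS = "http://www.w3.org/1999/XSL/Transform"
# Algorithm URI that checkSecureValidation() rejects, as quoted in the write-up.
XSLT_ALG = "http://www.w3.org/TR/1999/REC-xslt-19991116"

# Assumed allowlist: the transforms a signed SAML 2.0 response legitimately uses.
ALLOWED_TRANSFORMS = {
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/2001/10/xml-exc-c14n#WithComments",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
}


def audit_transforms(xml_bytes):
    """Return a list of problems found in ds:Transform elements (empty = clean).
    ElementTree only parses; it never evaluates XSLT, so inspecting the
    document here is safe regardless of what the transform contains."""
    root = ET.fromstring(xml_bytes)
    problems = []
    for i, t in enumerate(root.iter(f"{{{DS_NS}}}Transform")):
        alg = t.get("Algorithm", "")
        if alg == XSLT_ALG:
            problems.append(f"Transform {i}: XSLT algorithm {alg}")
        elif alg not in ALLOWED_TRANSFORMS:
            problems.append(f"Transform {i}: algorithm not on allowlist: {alg!r}")
        # A stylesheet nested inside the transform is an XSLT attempt even if
        # the Algorithm attribute was changed to look harmless.
        if any(el.tag.startswith(f"{{{XSL_NS}}}") for el in t.iter() if el is not t):
            problems.append(f"Transform {i}: embedded xsl:* content")
    return problems


def encode_for_post(xml_bytes):
    """Base64-encode a response the way it travels in the SAMLResponse parameter."""
    return base64.b64encode(xml_bytes).decode("ascii")


def is_safe_saml_response(saml_response_param):
    """Gate for the SAMLResponse form parameter: True only if it decodes,
    parses, and contains no suspicious transforms. Fails closed."""
    try:
        xml_bytes = base64.b64decode(saml_response_param, validate=True)
        return audit_transforms(xml_bytes) == []
    except (ValueError, ET.ParseError):
        return False


# Constructed sample: a normally signed response (enveloped-signature + exc-c14n).
BENIGN = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
  <ds:Signature><ds:SignedInfo>
    <ds:Reference URI="#_r1"><ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </ds:Transforms></ds:Reference>
  </ds:SignedInfo></ds:Signature>
</samlp:Response>"""

# Constructed sample: the shape of the problem, with an inert stylesheet in
# place of any payload. ElementTree never runs it.
XSLT_SAMPLE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r2">
  <ds:Signature><ds:SignedInfo>
    <ds:Reference URI="#_r2"><ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116">
        <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
          <xsl:template match="/"><xsl:text>inert</xsl:text></xsl:template>
        </xsl:stylesheet>
      </ds:Transform>
    </ds:Transforms></ds:Reference>
  </ds:SignedInfo></ds:Signature>
</samlp:Response>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("xslt", XSLT_SAMPLE)):
        print(label, is_safe_saml_response(encode_for_post(doc)), audit_transforms(doc))
```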

Triggering the Problem:

  • The attacker must have network access to the target server.
  • The target must be running a vulnerable version of the software.
  • The target server must have SAML SSO enabled.

Triggering Conditions:

  The attacker sends a crafted SAML response to the target server. The vulnerability is triggered when the server validates the response and executes XSLT in a transformation in the XML.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTPS
    • HTTP

  Attacker Transform Payload, Executes Calc.:

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 3481 ManageEngine products xmlsec Remote Code Execution 1
  • IPS: 3491 ManageEngine products xmlsec Remote Code Execution 2
  • IPS: 18881 ManageEngine products xmlsec Remote Code Execution 3

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Upgrading the product to a non-vulnerable version.
    • Filtering traffic based on the signatures above.
    • Disabling SAML SSO if not needed.
    • Blocking the affected ports from external network access if they’re not required.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

Cybersecurity News & Trends – 02-03-2023

Curated cybersecurity news and trends from the industry’s leading bloggers and news outlets, for you from SonicWall.

It’s the first week of February, and SonicWall has continued to draw interest in the news for excellent products and relevant research. Ask by Geek calls the TZ400 one of the best firewalls for small businesses. Charged Retail cites SonicWall’s data to contextualize a breach in the retail sector. Networking+ discusses rising ransomware numbers using data from our threat report.

It’s been another busy week for the cybersecurity world. Bleeping Computer has the lowdown on a recent attack from Russia’s Sandworm hacking group. Dark Reading warns of the return of North Korea’s state-backed hacker organization known as Lazarus. Google Fi lost customer data in a breach reported on by TechCrunch. Info Security breaks down how threat actors have been impersonating DocuSign in an elaborate phishing scheme. Hacker News unravels a Realtek vulnerability that is wreaking havoc on IoT devices.

Keep your passwords close and your eyes peeled — cybersecurity is everyone’s responsibility.

SonicWall News

Challenges For Startups in The IoT Sector

TechToday, SonicWall News: According to a report by SonicWall, 2.8 billion malware attacks were registered, up 11% in the first half of 2022, marking the first increase in global malware volume in over three years.

JD Sports Cyber Attack: Why Online Retail Is Vulnerable and What Can Be Done?

Charged Retail, SonicWall News: The JD Sports incident is yet another example of the rise in cyberattack incidents, with the retail industry experiencing a 90% increase in ransomware attacks last year, according to a report from SonicWall.

The Best Hardware Firewalls for Small Businesses

Ask by Geeks, SonicWall News: One of the best small business firewalls is the SonicWall TZ400 Security Firewall. The SonicWall TZ400 NGFW Premium is considered a little more expensive than other firewall options, but its security, reliability, ease of use and unique features justify its price.

10 million Customers Exposed in JD Sports Cyber Attack

ITPro, SonicWall News: A study last year by SonicWall found that the retail sector saw a 264% surge in ransomware attacks between February 2021 and 2022. The widespread consumer shift to online shopping during the pandemic prompted hackers to escalate attacks against online retailers.

Three Ways Governments Can Better Protect Public Data

Networking+, SonicWall News: The chances of being hit by a ransomware attack are more significant than ever. Last year, global ransomware volume skyrocketed by 105% year over year, according to the 2022 SonicWall Cyber Threat Report. While no industry was spared, the numbers were particularly gruesome for governments. Ransomware attempts on government entities rose a staggering 1,885%. That’s more than double the increase reported by healthcare (755%), education (152%), and retail (21%) combined.

2023 Predictions: Emerging Tech & Global Conflict Bring New Cyber Threats

CyberSecurityInsiders, SonicWall News: 2022 saw a shifting cybersecurity landscape as rising geopolitical conflicts brought new tactics, targets, and goals for cybercrime. According to recent threat intelligence from SonicWall, global ransomware attempts declined 31% YoY as cybercriminals and nation-state actors opted for never-before-seen malware variants, IoT malware, and cryptojacking in attacks motivated by financial gain and state-sponsored hacktivism.

Cybersecurity ‘More Critical Than Ever’ In Era of Connected Care: BD

MedTechDive, SonicWall News: Ransomware attacks in which cybercriminals attempt to extort money declined by 23% overall during the first half of 2022 but increased 328% in healthcare, according to data from cybersecurity company SonicWall.

IT Services Industry Looks to Cyber, Cloud Consulting for Growth

TechTarget, SonicWall News: Logically’s MSSP offerings include extended detection and response, endpoint detection and response, and MDR; enterprise-level managed firewall services; and cybersecurity assessments, according to Skeens. The company runs a SOC. The company’s IT security technology partners include SonicWall.

The Sonicwall NSsp 15700 Brings Serious Network Protection Super Powers

iTWire, SonicWall News: iTWire really could go on and on; the list of features is almost endless. There is a database of applications for intelligent packet analysis, support for IoT devices, DNS protection and more. However, the best thing right now is to take it for a spin yourself. You can demo the SonicWall NSsp series firewalls online without any installation or commitment and see all the features and benefits in action.

Royal Mail ‘Cyber Incident’ Causes Widespread Disruption

Strategic Risk, SonicWall News: There were 623 million ransomware attacks globally in 2021 according to SonicWall, representing a 105% year on year increase. The UK saw a 228% surge and a 65% increase in never-seen-before malware.

8 Safety Solutions to Keep Your Business Secure

Business Info, SonicWall News: Network security devices are essential for any business. They establish a firewall that will protect internal networks from external threats, such as attacks from the internet. The SonicWall TZ270 uses Real-Time Deep Memory Inspection to prevent cyber-attacks.

Safe Homes: Security Tech for Remote Workers

Silicon, SonicWall News: Speaking to Silicon UK, Rick Meder, VP of Strategic Partnerships and Platform Architecture at SonicWall, commented: “With most employees no longer within the protected perimeter of a traditional corporate network, the basic secure access tools in place for remote access workers have become quickly inadequate. The potential attack surface expands exponentially, oversight by security staff is met with extreme challenges, and policy complexity reaches levels like never before. Efforts to uphold an adequate security posture while maintaining workforce productivity quickly become overwhelming.”

Industry News

Realtek Vulnerability is Real Problem for IoT Devices

A now-patched vulnerability in Realtek’s Jungle SDK has resulted in over 134 million hack attempts on IoT devices since August 2022. Threat actors have been abusing the vulnerability to try and infect devices across the globe. The exploit makes some devices manufactured by D-Link, ASUS, LG, Belkin and NETGEAR vulnerable. Hacker News warned users of the importance of updating devices regularly to protect them from exposure to attacks like this.

North Korean Lazarus Group Targeting Medical Research and Energy Intel

The North Korean hacker group known as Lazarus has made another appearance, this time targeting intel in medical research and the energy sector. The discovery was made by threat intelligence analysts at WithSecure. WithSecure was able to assert with high confidence that the attack came from Lazarus after discovering that the attacker made an operational security error. The actions carried out by Lazarus point to this being an intelligence-gathering attack. Per Dark Reading, Lazarus never lays low for long. They are a long-running group that is thought to be run by North Korea’s Foreign Intelligence and Reconnaissance Bureau. Lazarus first appeared on the scene in 2009 and has made numerous appearances since then with minimal time spent in the dark. Last year, Lazarus targeted Apple’s M1 chip in an attack. The group is a large source of income for the North Korean regime, so their attacks are usually both finance- and intel-based.

Sandworm Hacker Group Using Active Directory to Wipe Critical Files

A new malware capable of wiping critical files and data has been discovered following a cyberattack on a target in Ukraine. The malware, which the researchers who discovered it are calling ‘SwiftSlicer,’ uses Windows’ Active Directory Group Policy. The malware variant is being attributed to Russia’s Sandworm hacking group. According to Bleeping Computer, the target’s name has not been released. Sandworm recently attacked Ukrinform, which is Ukraine’s national news agency. A Tweet from ESET Research says, “Once executed, it deletes shadow copies; recursively overwrites files located in %CSIDL_SYSTEM%\drivers.” Bleeping Computer notes that by targeting that specific folder, the malware hopes to bring down entire Windows domains alongside wiping critical files. While the malware was only added to the Virus Total database on January 26, more than half of the antiviruses on the platform are currently detecting it.

Google Fi Loses Customer Data in Breach

Google’s cell phone service, Google Fi, lost customer data in a recent breach. The folks at TechCrunch believe it may be related to the recent T-Mobile breach that resulted in 37 million customers’ data being stolen. Google stated that information such as the content of calls and texts, payment card data, passwords, and customer personal information were not stolen in the breach. The attackers accessed limited customer information such as phone numbers, SIM card serial numbers and information on the type of plan customers were enrolled in. As of now, it’s unclear how many Google Fi customers were affected in the breach. Google has not made the total number of Google Fi customers public, so it is difficult to speculate how many people could be affected. Google notified customers in an email that they are attempting to secure the data and notify all customers whose data was taken.

Threat Actors Impersonate DocuSign to Target 10,000 People in Phishing Attack

A phishing attack from a group impersonating DocuSign targeted 10,000 users across multiple organizations. Attackers sent emails that managed to bypass security and reach the inbox of the targets. Cybersecurity researchers at Armorblox discovered the ploy and have issued guidance on how to avoid similar attacks. According to Info Security, victims were redirected to a fake DocuSign landing page after clicking the link provided in the email. The emails were sent from a valid domain to make it past security.

SonicWall Blog

Can You Catch All the Phish? Take Our New Phishing IQ Quiz and Find Out! – Ken Dang

Celebrating 2023 With Expanded “3 & Free” – Matt Brennan

‘3 & Free’ Promotion: How to Upgrade to a New SonicWall TZ Series NGFW for Free – Matt Brennan

The Art of Cyber War: Sun Tzu and Cybersecurity – Ray Wyman

Talking Boundless Cybersecurity at the Schoolscape IT 2022 Conference – Mohamed Abdallah

3 & Free: 1 Amazing Deal, 2 Exceptional Firewalls, 3 Years of Superior Threat Protection – Matt Brennan

SonicWall Wins CRN’s 2022 Tech Innovator Award in Enterprise Network Security – Bret Fitzgerald

SonicWall Included on the Acclaimed CRN Edge Computing 100 List for 2022 – Bret Fitzgerald

A New Era of Partnering to Win – Robert (Bob) VanKirk

Multiply Your Security with Multifactor Authentication – Amber Wolff

10 Reasons to Upgrade to the Latest SonicWall Gen 7 TZ Firewall – Sarah Choi