Cybersecurity News & Trends – 09-14-2023

Fall is in the air, and the leaves will soon be changing colors, which is fitting because today is National Coloring Day. SonicWall may not have any crayons, but we’ve been adding some color to the media this week with SonicWall EMEA Vice President Spencer Starkey talking to SC Media about threat geomigration and Security Boulevard citing data from our Mid-Year Cyber Threat Report.

In industry news, Bleeping Computer had the lowdown on the latest Lazarus gang cryptojacking attack as well as the massive cyberattack at MGM Resorts. Tech Crunch covered the near-parallel attack at Caesars Entertainment. Dark Reading reported on a brand-new malware variant with a late-night theme.

Remember to keep your passwords close and your eyes peeled – cybersecurity is everyone’s responsibility.

SonicWall News

How to promote online student safety

Security Boulevard, SonicWall News: Worse yet, cybercriminals are upping the ante with a host of sophisticated new attack vectors. SonicWall identified over 270,000 never-before-seen malware variants in just the first half of 2022 — a 45% year-over-year increase. For perspective, that’s the equivalent of 1,500 new malware strains daily.

UK military data possibly compromised in LockBit attack against third party

SC Media, SonicWall News: “Such an attack shows the persistent risk of cyberattacks faced by governments amid threat geomigration,” according to SonicWall Vice President of EMEA Spencer Starkey. “These cyberattacks raise concerns about a country’s own national security, critical national infrastructure as well as the safety of sensitive information,” Starkey added.

Stealthier Means of Malicious Cyber-Attacks and What It Means for IT Departments

Nasdaq, SonicWall News: Bob VanKirk, CEO, SonicWall, joins Jill Malandrino on Nasdaq TradeTalks to discuss stealthier means of malicious cyber-attacks and what it means for IT departments.

SonicWall: ‘Complacency is the enemy in the cybersecurity game’

Unleash, SonicWall News: SonicWall’s VP of EMEA Spencer Starkey’s topline message to organizations is: “Don’t let the overall data fool you.” Yes, the first quarter of 2023 saw the lowest number of attacks since the fourth quarter of 2019 (51.2 million). However, the second quarter of this year saw the number of attacks rocket to 74% higher than Q1 at 88.9 million. Indeed, SonicWall predicts that ransomware attacks are “poised for a rebound” later this year.

Liongard Expands SonicWall Relationship to Enhance Configuration Change Detection and Response with Capture Client Platform to Mitigate Cybersecurity Risk

Business Wire, SonicWall News: “Extending Liongard’s relationship with SonicWall gives us the ability to inspect and assess across the SonicWall solution portfolio,” said Michelle Accardi, CEO of Liongard. “Our integrated solution will proactively monitor SonicWall Capture Client policy configurations, guarding against human errors and changes, both on and off network. With this comprehensive protection in place, our partners gain effective threat protection, increased visibility and protection, and centralized management.”

SonicWall Promotes Michelle Ragusa-McBain To Global Channel Chief

CRN, SonicWall News: SonicWall has promoted Michelle Ragusa-McBain to head its sizable global partner organization, just months after hiring the channel veteran as its North America channel chief. Looking ahead, SonicWall is planning to roll out a “soft launch” of its revamped SecureFirst Partner Program in September, with a full global launch of the new program planned for February 2024, Ragusa-McBain told CRN.

SonicWall Promotes Cisco Vet to Global Channel Leader

Channel Futures, SonicWall News: SonicWall has promoted Michelle Ragusa-McBain to vice president and global channel leader. She joined SonicWall as vice president and North America channel leader in May. A key theme for SonicWall’s channel strategy is embracing an outside-in approach to crafting its strategy and executing with partners. What that means is we’re listening to our partners and customers more than ever before, rather than operating in a vacuum and telling you what you need.

Ransomware Attacks Skyrocket in Q2 2023

Infosecurity Magazine, SonicWall News: “Ransomware attacks surged by 74% in Q2 2023 compared to the first three months of the year, a new report has found.

The 2023 SonicWall Mid-Year Cyber Threat Report observed two “very unbalanced quarters” regarding the volume of ransomware attacks so far this year. SonicWall Capture Labs Threat Researchers recorded 51.2 million attacks in Q1 2023, representing the smallest number of attacks since Q4 2019.”

How Bitcoin Swings Helped Drive an Almost Nine-fold Surge in Cryptojacking attacks in Europe

DL News, SonicWall News: Cryptojacking attacks skyrocketed when Bitcoin prices fell, and could be the overture to something worse, according to SonicWall researchers. These attacks turn victims’ computers into unknowing crypto mining rigs. Bitcoin reached a $68,000 high in November 2021 before crashing down to as low as just above $16,000 in 2022. It currently hovers around $30,000.

Cryptojacking attacks surge 399% globally as threat actors diversify tactics

ITPro, SonicWall News: Security experts have issued a warning over a significant increase in cryptojacking attacks as threat actors seek to ‘diversify’ their tactics. The volume of cryptojacking attacks surged by 788% in Europe during the first half of the year, with attacks in North America also rising by 345%.

SonicWall: Ransomware Declines Further As Attackers ‘Pivot’ Their Tactics

CRN, SonicWall News: Ransomware continued to lose favor among malicious actors during the first half of 2023, but overall intrusions increased as some attackers switched focus to other types of threats, according to newly released SonicWall data. In the cybersecurity vendor’s report on the first six months of the year, ransomware attack volume dropped 41 percent from the same period a year earlier, the report released Wednesday shows.

Industry News

MGM Resorts Cyberattack Causes IT Shutdown

The main website, online reservation system, and some in-casino services of MGM Resorts International were shut down following a cyberattack this week. As of Thursday, systems have now been down for four full days. The company stated that it began an immediate investigation as soon as it noticed a cyberattack was underway. The systems appear to have been shut down by MGM Resorts itself as a protection measure – not shut down by the hackers. According to a local news outlet, some guests at the resort even reported that their room keys were no longer working. While it appears many systems have been affected, the type of cyber incident that led to this has not been released publicly. A hacking group known as ‘Scattered Spider’ has taken credit for the attack. Scattered Spider is believed to be made up of young adults and teenagers from the United States and United Kingdom. They’ve claimed the attack on MGM but denied involvement with a similar attack on Caesars Entertainment. Dark Reading believes they are responsible for both. This string of attacks on casinos has certainly shaken things up in Las Vegas. It’s unclear when MGM’s systems may come back online at this time. This isn’t MGM Resorts’ first rodeo with cybersecurity incidents. In 2019, hackers stole more than 10 million customer records from the company. Further information should become available as time goes on.

Caesars Entertainment Suffers Massive Data Breach

MGM isn’t the only casino getting hit with cyberattacks this week. On Thursday, Caesars Entertainment reported that hackers had stolen a significant amount of customer data in a cyberattack. The hackers allegedly stole a complete copy of Caesars’ customer loyalty database. The stolen data has loads of sensitive information including Social Security numbers, driver’s license numbers and more. The report from Caesars indicated that they may have paid a ransom to the hackers, stating, “We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result.” Some reports claimed Caesars had paid around $15 million to the hackers to stop the leak of its data. The attack was apparently the result of a social engineering attack on a third-party IT company that works with Caesars. Representatives of Caesars Entertainment haven’t responded to any requests for comments but have confirmed that they’ve reached out to relevant law enforcement agencies concerning the breach. The hacking group that has now taken credit for the attack on MGM, Scattered Spider, denies any involvement in the attack on Caesars, but Dark Reading states otherwise.

Hackers Unveil Never-before-seen ‘3AM’ Malware After LockBit Fails

Threat actors attacking a construction company using LockBit ransomware had a surprise trick up their sleeve. When the LockBit ransomware failed to infiltrate the network, they pulled out a never-before-seen malware variant called ‘3AM.’ According to Dark Reading, the new malware is nothing to write home about other than its cutesy name, but it did sneak through one computer on the system making the attack successful. After deploying 3AM, a thematic note appeared saying, “Hello, ‘3 am’ The time of mysticism, isn’t it? All your files are mysteriously encrypted, and the systems ‘show no signs of life’, the backups disappeared. But we can correct this very quickly and return all your files and operation of the systems to [sic] original state.” While the note reads like a bad attempt at creative writing, the ransomware was indeed successful. Researchers noted that organizations should expect hackers to have more than one method of attack. An attacker using multiple malware families isn’t unheard of. The best thing any organization can do is have robust cybersecurity capable of thwarting multiple malware variants in place.

CoinEx Loses $53 Million of Cryptocurrency in Cryptojacking Attack

CoinEx, a global cryptocurrency exchange platform, announced this week that cyber attackers had stolen more than $50 million worth of cryptocurrency from them. The stolen cryptocurrencies include Ethereum, Tron and Polygon. CoinEx did state that cryptocurrencies held by its users were not affected by this attack, and if it’s discovered that any have been, the affected parties will receive full compensation from CoinEx. According to Bleeping Computer, a blockchain investigator has linked the attack to North Korea’s Lazarus gang. Lazarus has been responsible for many high-profile cryptojacking attacks this year including attacks on Atomic Wallet, Alphapo and CoinsPaid. At this point, one would almost assume that any high-profile cryptojacking will be linked to Lazarus. Crypto exchanges seem to be the favorite target of the group as of late.

SonicWall Blog

Why Firewall Throughput Numbers Don’t Tell the Whole Story – Tiju Cherian

Elevate Your Network with The Ultimate 3 & Free Promotion – Michelle Ragusa-McBain

Why Education is the New Cybercrime Epicenter – Amber Wolff

How SonicWall Offers High Availability at the Lowest Price – Tiju Cherian

Cryptojacking Continues Crushing Records – Amber Wolff

Why Should You Choose SonicWall’s NSsp Firewalls? – Tiju Cherian

Utilize APIs to Scale Your MySonicWall Operation – Chandan Kumar Singh

First-Half 2023 Threat Intelligence: Tracking Cybercriminals Into the Shadows – Amber Wolff

If It’s Easy, It’s TZ – Tiju Cherian

Sonic Boom: Getting to Know the New SonicWall – Michelle Ragusa-McBain

SonicWall’s Traci McCulley Orr Honored as a Talent100 Leader – Bret Fitzgerald

3 & Free Promotion: How to Upgrade to a Gen 7 NSsp Firewall for Free – Michelle Ragusa-McBain

Monthly Firewall Services Option for Simplicity and Scalability – Sorosh Faqiri

Microsoft Security Bulletin Coverage for September 2023

The SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of September 2023. A list of the issues reported, along with SonicWall coverage information, is as follows:

CVE-2023-36802 Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability
ASPY 476: Exploit-exe exe.MP_338

CVE-2023-38142 Windows Kernel Elevation of Privilege Vulnerability
ASPY 479: Exploit-py py.MP_3

CVE-2023-38143 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 477: Exploit-exe exe.MP_339

CVE-2023-38144 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 478: Exploit-exe exe.MP_340

CVE-2023-38148 Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
IPS 4033: Windows ICS Remote Code Execution (CVE-2023-38148)

CVE-2023-38152 DHCP Server Service Information Disclosure Vulnerability
IPS 4032: Windows DHCP Server Information Disclosure (CVE-2023-38152)

The following vulnerabilities are under investigation:
CVE-2023-36761 Microsoft Word Information Disclosure Vulnerability
There are exploits in the wild; SonicWall is investigating this CVE.

The following vulnerabilities do not have exploits in the wild:
CVE-2023-29332 Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-33136 Azure DevOps Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35355 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-36736 Microsoft Identity Linux Broker Arbitrary Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36739 3D Viewer Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36740 3D Viewer Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36742 Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36744 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36745 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36756 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36757 Microsoft Exchange Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-36758 Visual Studio Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-36759 Visual Studio Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-36760 3D Viewer Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36762 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36763 Microsoft Outlook Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-36764 Microsoft SharePoint Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-36765 Microsoft Office Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-36766 Microsoft Excel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-36767 Microsoft Office Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-36770 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36771 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36772 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36773 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36777 Microsoft Exchange Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-36788 .NET Framework Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36792 Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36793 Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36794 Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36796 Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36799 .NET Core and Visual Studio Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-36800 Dynamics Finance and Operations Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2023-36801 DHCP Server Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-36803 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-36804 Windows GDI Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-36805 Windows MSHTML Platform Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-36886 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2023-38139 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-38140 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-38141 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-38146 Windows Themes Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-38147 Windows Miracast Wireless Display Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-38149 Windows TCP/IP Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-38150 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-38155 Azure DevOps Server and Team Foundation Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-38156 Azure HDInsight Apache Ambari Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-38160 Windows TCP/IP Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-38161 Windows GDI Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-38162 DHCP Server Service Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-38163 Windows Defender Attack Surface Reduction Security Feature Bypass
There are no known exploits in the wild.
CVE-2023-38164 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2023-41764 Microsoft Office Spoofing Vulnerability
There are no known exploits in the wild.

RZML ransomware exfiltrates files, cookies and clipboard data

The SonicWall Capture Labs threats research team has been tracking a recent family of ransomware called RZML. This ransomware appeared in the wild over the last 7 days and appears to be a variant of the STOP/Djvu family. The sample we analyzed is a dropper that downloads multiple modules. In addition to encrypting files, which is standard practice for ransomware, it also steals files, clipboard and browser cookie data from the infected system. File decryption costs $490 USD in bitcoin after a “50% discount”. However, as we have seen with most ransomware today, exfiltrated files can be used later to apply additional pressure to pay up.

Infection Cycle:

Upon execution, the malware reports the infection to a C&C server, which replies with a public key used for file encryption.

It also requests data on what file types to target for exfiltration.

It proceeds to download the ransomware module and names it build2.exe.

It downloads a clipboard grabber component and names it build3.exe.

It also downloads htdocs.zip, which contains some utility DLLs including an SQLite database module.

Files on the system are encrypted and given a .rzml extension.

The following files are added to the filesystem:

  • %USERPROFILE%\AppData\Roaming\Microsoft\Network\mstsca.exe [Detected as: GAV: ClipBanker.RSM (Trojan)]
  • %USERPROFILE%\AppData\Local\2bbb528e-26aa-4e54-82c0-428df9bab7e7\build2.exe [Detected as: GAV: StopCrypt.RSM (Trojan)]
  • %USERPROFILE%\AppData\Local\2bbb528e-26aa-4e54-82c0-428df9bab7e7\build3.exe (copy of mstsca.exe) [Detected as: GAV: ClipBanker.RSM (Trojan)]
  • C:\SystemID\PersonalID.txt
  • %USERPROFILE%\AppData\Local\bowsakkdestx.txt
  • C:\ProgramData\55054064606124780548020057 (sqlite database)
  • _readme.txt (written to all directories with encrypted files)

The following registry entries are made:

  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysHelper
  • HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store {malware file}

PersonalID.txt contains the following data:

M5o7GW95xOUM45FRYk7SEflLRpNXVqiExQDcPCGh

bowsakkdestx.txt contains the public key that was downloaded earlier.

_readme.txt contains the ransom note message.

When build3.exe is run, it uses the CreateMutex API function with “M5/610HP/STAGE2” as the parameter to check if it has been run previously.

If this mutex is not present, it proceeds to grab clipboard data.

The malware also steals browser cookies. It stores this data in an SQLite database; the screenshot in the original write-up shows the database structure.

We visited chase.com and bankofamerica.com and can see that the cookies are stored in the database.

Targeted files, clipboard data and cookies stored in the SQLite database are uploaded to a remote server.

We reached out to the operator email addresses (support@freshmail.top, datarestorehelp@airmail.cc) stated in the ransom note and received a reply.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: ClipBanker.RSM (Trojan)
  • GAV: StopCrypt.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.
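The artifacts listed above are enough to build a simple host-triage check. The script below is an added example, not SonicWall's code: it walks a filesystem tree for the on-disk indicators named in the write-up (.rzml files, _readme.txt beside them, PersonalID.txt, bowsakkdestx.txt, build2.exe/build3.exe under a GUID-named folder, mstsca.exe) and checks exported Run-key rows for the SysHelper value. It assumes the GUID folder name varies per infection (hence a pattern match), and the sample tree and registry rows are constructed inside demo() so it runs offline.

```python
"""Host triage for the RZML (STOP/Djvu variant) artifacts described above.
Added example, not SonicWall's code; sample data is constructed in demo()."""
import os
import re
import shutil
import tempfile

ENCRYPTED_EXT = ".rzml"
RANSOM_NOTE = "_readme.txt"
# File names the analysis lists as dropped by the sample (matched case-insensitively).
DROPPED_NAMES = {"build2.exe", "build3.exe", "mstsca.exe",
                 "personalid.txt", "bowsakkdestx.txt"}
# build2.exe/build3.exe are staged under a GUID-named folder in %LOCALAPPDATA%;
# the exact GUID is assumed to vary per infection, so match the shape only.
GUID_DIR = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
# Run-key persistence value named in the write-up (compared lower-case).
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
RUN_VALUE = "syshelper"


def scan_tree(root):
    """Walk root and collect RZML indicators into a dict of lists:
    encrypted_dirs (dirs holding .rzml files, with a flag for the note),
    notes_without_payload (_readme.txt where nothing is encrypted),
    dropped_files (known dropped names) and guid_stage_dirs."""
    findings = {"encrypted_dirs": [], "notes_without_payload": [],
                "dropped_files": [], "guid_stage_dirs": []}
    for dirpath, _dirs, filenames in os.walk(root):
        by_lower = {f.lower(): f for f in filenames}
        encrypted = [f for f in filenames if f.lower().endswith(ENCRYPTED_EXT)]
        has_note = RANSOM_NOTE in by_lower
        if encrypted:
            findings["encrypted_dirs"].append(
                {"dir": dirpath, "encrypted": len(encrypted), "note": has_note})
        elif has_note:
            findings["notes_without_payload"].append(dirpath)
        for lower_name in sorted(by_lower.keys() & DROPPED_NAMES):
            findings["dropped_files"].append(
                {"dir": dirpath, "name": by_lower[lower_name]})
        if GUID_DIR.match(os.path.basename(dirpath)) and \
                by_lower.keys() & {"build2.exe", "build3.exe"}:
            findings["guid_stage_dirs"].append(dirpath)
    return findings


def check_run_entries(entries):
    """entries: iterable of (key_path, value_name, data) tuples, e.g. from an
    autoruns or registry export. Returns the rows matching the SysHelper value."""
    hits = []
    for key, value, data in entries:
        if key.lower().rstrip("\\") == RUN_KEY and value.lower() == RUN_VALUE:
            hits.append((key, value, data))
    return hits


def demo():
    """Build a constructed victim-like tree, scan it and return (tree, reg)."""
    base = tempfile.mkdtemp(prefix="rzml_demo_")
    try:
        docs = os.path.join(base, "Users", "victim", "Documents")
        stage = os.path.join(base, "Users", "victim", "AppData", "Local",
                             "2bbb528e-26aa-4e54-82c0-428df9bab7e7")
        sysid = os.path.join(base, "SystemID")
        for d in (docs, stage, sysid):
            os.makedirs(d)
        # Two "encrypted" documents plus the ransom note beside them (constructed).
        for name in ("report.docx.rzml", "budget.xlsx.rzml", RANSOM_NOTE):
            with open(os.path.join(docs, name), "w") as fh:
                fh.write("constructed sample\n")
        for name in ("build2.exe", "build3.exe"):
            with open(os.path.join(stage, name), "w") as fh:
                fh.write("constructed placeholder, not a binary\n")
        with open(os.path.join(sysid, "PersonalID.txt"), "w") as fh:
            fh.write("M5o7GW95xOUM45FRYk7SEflLRpNXVqiExQDcPCGh\n")
        tree = scan_tree(base)
        # Constructed Run-key export: one malicious row, one benign row.
        run = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        reg = check_run_entries([
            (run, "SysHelper",
             r"C:\Users\victim\AppData\Local\2bbb528e-26aa-4e54-82c0-428df9bab7e7\build2.exe"),
            (run, "OneDrive", r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
        ])
        return tree, reg
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    tree, reg = demo()
    print("encrypted dirs:", tree["encrypted_dirs"])
    print("dropped files:", tree["dropped_files"])
    print("stage dirs:", tree["guid_stage_dirs"])
    print("Run-key hits:", reg)
```

On a real host, point scan_tree at the mounted image and feed check_run_entries the rows of a registry or autoruns export; a _readme.txt with no .rzml files next to it is still worth reviewing, since the note is dropped into every directory the encryptor visited.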

Cybersecurity News & Trends – 09-08-2023

Fall is fast approaching, and with the new season comes SonicWall’s season of sales – check out our promotion page to find deals on firewalls, endpoint protection and more. This week, SonicWall CEO Bob VanKirk went on Nasdaq TradeTalks to discuss how IT departments can fend off stealthier cyberattacks. Be sure to check out the Mid-Year Update to the 2023 Cyber Threat Report to see more of what to watch out for.

In industry news, Dark Reading detailed Microsoft’s discovery of a Russian misinformation campaign in Africa and a brand-new cloud attack vector that should have DevOps on notice. Bleeping Computer covered Okta’s warning of IT help desk attacks in the United States. Tech Crunch had the lowdown on Flipper Zero’s latest disruptive ability.

Remember to keep your passwords close and your eyes peeled – cybersecurity is everyone’s responsibility.

SonicWall News

Stealthier Means of Malicious Cyber-Attacks and What It Means for IT Departments

Nasdaq, SonicWall News: Bob VanKirk, CEO, SonicWall, joins Jill Malandrino on Nasdaq TradeTalks to discuss stealthier means of malicious cyber-attacks and what it means for IT departments.

SonicWall Promotes Michelle Ragusa-McBain To Global Channel Chief

CRN, SonicWall News: SonicWall has promoted Michelle Ragusa-McBain to head its sizable global partner organization, just months after hiring the channel veteran as its North America channel chief. Looking ahead, SonicWall is planning to roll out a “soft launch” of its revamped SecureFirst Partner Program in September, with a full global launch of the new program planned for February 2024, Ragusa-McBain told CRN.

SonicWall Promotes Cisco Vet to Global Channel Leader

Channel Futures, SonicWall News: SonicWall has promoted Michelle Ragusa-McBain to vice president and global channel leader. She joined SonicWall as vice president and North America channel leader in May. A key theme for SonicWall’s channel strategy is embracing an outside-in approach to crafting its strategy and executing with partners. What that means is we’re listening to our partners and customers more than ever before, rather than operating in a vacuum and telling you what you need.

Ransomware Attacks Skyrocket in Q2 2023

Infosecurity Magazine, SonicWall News: “Ransomware attacks surged by 74% in Q2 2023 compared to the first three months of the year, a new report has found.

The 2023 SonicWall Mid-Year Cyber Threat Report observed two “very unbalanced quarters” regarding the volume of ransomware attacks so far this year. SonicWall Capture Labs Threat Researchers recorded 51.2 million attacks in Q1 2023, representing the smallest number of attacks since Q4 2019.”

How Bitcoin Swings Helped Drive an Almost Nine-fold Surge in Cryptojacking attacks in Europe

DL News, SonicWall News: Cryptojacking attacks skyrocketed when Bitcoin prices fell, and could be the overture to something worse, according to SonicWall researchers. These attacks turn victims’ computers into unknowing crypto mining rigs. Bitcoin reached a $68,000 high in November 2021 before crashing down to as low as just above $16,000 in 2022. It currently hovers around $30,000.

Cryptojacking attacks surge 399% globally as threat actors diversify tactics

ITPro, SonicWall News: Security experts have issued a warning over a significant increase in cryptojacking attacks as threat actors seek to ‘diversify’ their tactics. The volume of cryptojacking attacks surged by 788% in Europe during the first half of the year, with attacks in North America also rising by 345%.

SonicWall: Ransomware Declines Further As Attackers ‘Pivot’ Their Tactics

CRN, SonicWall News: Ransomware continued to lose favor among malicious actors during the first half of 2023, but overall intrusions increased as some attackers switched focus to other types of threats, according to newly released SonicWall data. In the cybersecurity vendor’s report on the first six months of the year, ransomware attack volume dropped 41 percent from the same period a year earlier, the report released Wednesday shows.

Evolving Threats – Evolved Strategy

ITVoice, SonicWall News: The ever-evolving cybersecurity landscape is rapidly changing, and businesses must change with it. The massively expanding, distributed IT reality is creating an unprecedented explosion of exposure points for sophisticated cybercriminals and threat actors to exploit.

Britain’s Biggest Hospital Held To Ransom

Cyber Security Intelligence, SonicWall News: SonicWall expert Spencer Starkey said “The healthcare sector continues to be a prime target for malicious actors as evidenced by the recent attack on Barts Health NHS Trust. Not only does this attack risk the potential for exposed patient data, but any significant IT issue that halts patient care poses an immediate threat to life.”

Hackers claim breach is the ‘biggest ever’ in NHS history

Silicon Republic, SonicWall News: Spencer Starkey, vice-president of EMEA at cybersecurity company SonicWall, said that the healthcare sector continues to be a “prime target” for hackers globally. “Not only does this attack risk the potential for exposed patient data, but any significant IT issue that halts patient care poses an immediate threat to life,” said Starkey, referring to the Barts Health cyberattack. The ramifications of an attack on the healthcare sector can be disastrous and it’s important to place the utmost amount of time, money and efforts on securing it.

How to Reach Compliance with HIPAA

TrendMicro, SonicWall News: According to the 2022 SonicWall Cyber Threat Report, healthcare continued a large spike in malware in 2021, at 121%. While the largest jump in IoT malware attacks belonged to healthcare, which saw a 71% year-over-year increase. To shed light on the significance malware can carry, it’s important to look at how recent breaches could’ve been circumvented by abiding by the HIPAA rules and safeguards.

Industry News

Russia Begins Misinformation Campaign in Africa

An investigation by Microsoft has revealed Russia’s nefarious actions in some African countries. According to the investigation, Russia has launched fake media outlets that sympathize with Russia and express anti-French sentiments. According to Dark Reading, they’ve also created fake civil society organizations in less stable African nations. Russia is capitalizing on already-present instability in countries like Mali, Niger, Gabon, Burkina Faso and Guinea. Some of these countries have ongoing coups, and Russia’s operations in these countries have praised coup leaders and stoked anger at France. Apparently, some of these operations were being run by Russia’s notorious Wagner Group, so the group’s presence on the African continent is now up in the air following the death of its leader, Yevgeny Prigozhin. The misinformation campaign has been conducted largely through social media and fake news outlets. It has been successful enough that French diplomats have been recalled from some nations due to rising tensions. This is all going on in the background of Russia’s war against Ukraine, so only time will tell how long they can continue these operations with pressure boiling at home.

Brand New Attack Vector Should Have DevOps on Watch

A first-of-its-kind cloud attack should have DevOps keeping their eyes peeled. Attackers have found a way to take full control over systems using MinIO, which is a distributed object storage system. MinIO is compatible with Amazon S3 cloud storage, which is used by many companies. Security researchers discovered the new attack vector when cybercriminals recently tricked a DevOps engineer into updating MinIO with the attackers’ own corrupt “update.” The update included a built-in command shell function that allowed the attackers to remotely execute code and take over the system. The GitHub repository for the fake update is literally named “Evil_MinIO,” which is quite on the nose, even for cybercriminals. The researchers warned that companies using MinIO should be on watch, DevOps in particular. Make sure any and all updates are coming directly from MinIO and not a third party.

Flipper Zero Can Spam Nearby iPhones Via Bluetooth

The list of troublesome attacks that the Flipper Zero hacking device can perform continues to grow. It’s already been responsible for car theft and more, but it can now also spam iPhone users from thousands of feet away. A security researcher demonstrated the attack, comparing it to a denial-of-service attack. Essentially, any person with a Flipper Zero device can tweak the firmware to send out Bluetooth Advertisements to nearby iPhones. The attack renders the device useless due to the constant flurry of popups. Tech Crunch tested the attack and was able to successfully interfere with an iPhone 8 and an iPhone 14 Pro. While most of these attacks would have a far more limited range, the researcher who sounded the alarm on the attack noted that an attacker could use a simple amplifying board to increase the device’s range to thousands of feet or more. That would allow an attacker in a busy area to attack potentially hundreds of iPhones at once. The researcher, who only goes by Anthony, stated that Apple could defend against the attacks by ensuring that the Bluetooth devices attempting to connect to iPhones are legitimate.

Okta Warns of Attacks on IT Service Desks

The identity and access management business Okta warned of attacks on IT help desks in the United States this week. The attackers have been attempting to gain access to Okta Super Administrator accounts which would give them full access to the organizations they’re infiltrating. Okta stated that the attackers typically already have passwords for the high-access accounts before beginning their attack. Once they’ve gained control, they elevate privileges for other accounts and remove multi-factor authentication (MFA) for some accounts as well. Okta recommends that users take multiple steps to prevent an attack on their organization including enforcing phishing-resistant authentication using Okta FastPass, requiring re-authentication for privileged app access and more. Organizations using Okta should carefully review the steps Okta has listed to provide optimal protection for their networks.

SonicWall Blog

Why Firewall Throughput Numbers Don’t Tell the Whole Story – Tiju Cherian

Elevate Your Network with The Ultimate 3 & Free Promotion – Michelle Ragusa-McBain

Why Education is the New Cybercrime Epicenter – Amber Wolff

How SonicWall Offers High Availability at the Lowest Price – Tiju Cherian

Cryptojacking Continues Crushing Records – Amber Wolff

Why Should You Choose SonicWall’s NSsp Firewalls? – Tiju Cherian

Utilize APIs to Scale Your MySonicWall Operation – Chandan Kumar Singh

First-Half 2023 Threat Intelligence: Tracking Cybercriminals Into the Shadows – Amber Wolff

If It’s Easy, It’s TZ – Tiju Cherian

Sonic Boom: Getting to Know the New SonicWall – Michelle Ragusa-McBain

SonicWall’s Traci McCulley Orr Honored as a Talent100 Leader – Bret Fitzgerald

3 & Free Promotion: How to Upgrade to a Gen 7 NSsp Firewall for Free – Michelle Ragusa-McBain

Monthly Firewall Services Option for Simplicity and Scalability – Sorosh Faqiri

Linux Kernel KSMBD NULL Pointer Dereference Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  KSMBD is an integral server component within the Linux kernel. Its primary function is to implement the SMBv3 protocol, which is essential for sharing files over a network. Operating in kernel space ensures that KSMBD offers efficient and seamless file sharing capabilities to users of the Linux operating system.

  Recently, a significant vulnerability has been identified in ksmbd. This vulnerability stems from a NULL pointer dereference issue, a critical flaw in the system’s architecture. The root cause of this vulnerability is the system’s inability to validate user-supplied data adequately, especially when processing compounded requests. Given the importance of ksmbd in the Linux Kernel, this vulnerability raises substantial security concerns.

  The vulnerability gives remote attackers an avenue to compromise the system: by sending specially crafted packets to a vulnerable target, an attacker can trigger the flaw. A successful attempt results in a denial of service, rendering the targeted system inoperable and potentially causing significant downtime.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-3866.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C).

  Base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is none.
    • Impact of this vulnerability on data integrity is none.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 6.5 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  A NULL pointer dereference vulnerability has been identified in the ksmbd kernel module when it processes compounded SMB2 requests. This issue arises because certain pointer validations can be overlooked during the processing of combined SMB2_NEGOTIATE, SMB2_SESSION_SETUP, or SMB2_ECHO requests.

  The internal function, __handle_ksmbd_work, manages these incoming SMB messages. This function invokes smb2_check_user_session() to ensure the SMB2 message contains a valid session ID for the intended operation, and smb2_get_ksmbd_tcon() to check if the SMB2 message has a valid tree ID. Notably, these validations always pass for the aforementioned SMB2 requests since they haven’t established a session.

  The vulnerability emerges when the function doesn’t account for these SMB2 requests being part of compounded requests. If the NextCommand field in any such SMB2 message isn’t set to zero, subsequent SMB2 requests sidestep the validation, potentially leading to a NULL pointer being used in session or tree dereferences.
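  As an added example, written for this page rather than taken from the advisory or the ksmbd source, here is a C routine a network monitor could use to flag the compound pattern described above: it walks the SMB2 headers of a request and reports any NEGOTIATE, SESSION_SETUP or ECHO header whose NextCommand field is non-zero. Header offsets follow the public SMB2 header layout; the sample chains are constructed test data, and the function names are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* SMB2 request header (64 bytes, little-endian), public MS-SMB2 layout:
 *  off 0  ProtocolId 0xFE 'S' 'M' 'B'   off 4  StructureSize (always 64)
 *  off 12 Command                         off 20 NextCommand (offset of next header)
 *  off 40 SessionId (8 bytes)                                                 */
#define SMB2_HDR_LEN        64
#define SMB2_NEGOTIATE      0x0000
#define SMB2_SESSION_SETUP  0x0001
#define SMB2_TREE_CONNECT   0x0003
#define SMB2_CREATE         0x0005
#define SMB2_ECHO           0x000D

static const uint8_t SMB2_MAGIC[4] = { 0xFE, 'S', 'M', 'B' };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* The three commands the advisory says pass ksmbd's session/tree checks
 * unconditionally, because no session exists yet when they are sent. */
static int is_sessionless_cmd(uint16_t cmd)
{
    return cmd == SMB2_NEGOTIATE || cmd == SMB2_SESSION_SETUP || cmd == SMB2_ECHO;
}

/* Walk the compound chain in buf.  Returns
 *   1  a NEGOTIATE/SESSION_SETUP/ECHO header carries a non-zero NextCommand
 *      (the pattern described in the advisory; worth alerting on),
 *   0  chain is well-formed and clean,
 *  -1  chain is malformed (bad magic, bad StructureSize, bad or truncated NextCommand). */
int smb2_check_compound(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    while (off + SMB2_HDR_LEN <= len) {
        const uint8_t *hdr = buf + off;
        if (memcmp(hdr, SMB2_MAGIC, 4) != 0 || rd16(hdr + 4) != SMB2_HDR_LEN)
            return -1;
        uint16_t cmd  = rd16(hdr + 12);
        uint32_t next = rd32(hdr + 20);
        if (is_sessionless_cmd(cmd) && next != 0)
            return 1;
        if (next == 0)
            return 0;                 /* last message of the chain */
        /* NextCommand must be 8-byte aligned and at least one header forward. */
        if ((next & 7) != 0 || next < SMB2_HDR_LEN)
            return -1;
        off += next;                  /* a jump past len fails the loop test */
    }
    return -1;                        /* ran out of bytes mid-chain */
}

/* Build one bare 64-byte request header: constructed test data, no body. */
static void build_hdr(uint8_t *out, uint16_t cmd, uint32_t next_cmd, uint64_t session_id)
{
    memset(out, 0, SMB2_HDR_LEN);
    memcpy(out, SMB2_MAGIC, 4);
    wr16(out + 4, SMB2_HDR_LEN);
    wr16(out + 12, cmd);
    wr32(out + 20, next_cmd);
    wr32(out + 40, (uint32_t)session_id);
    wr32(out + 44, (uint32_t)(session_id >> 32));
}

/* Ordinary compound: TREE_CONNECT then CREATE on an established session. */
int demo_benign_chain(void)
{
    uint8_t buf[2 * SMB2_HDR_LEN];
    build_hdr(buf, SMB2_TREE_CONNECT, SMB2_HDR_LEN, 0x1122334455667788ULL);
    build_hdr(buf + SMB2_HDR_LEN, SMB2_CREATE, 0, 0x1122334455667788ULL);
    return smb2_check_compound(buf, sizeof buf);
}

/* Suspicious: a sessionless NEGOTIATE chained to a TREE_CONNECT. */
int demo_compounded_negotiate(void)
{
    uint8_t buf[2 * SMB2_HDR_LEN];
    build_hdr(buf, SMB2_NEGOTIATE, SMB2_HDR_LEN, 0);
    build_hdr(buf + SMB2_HDR_LEN, SMB2_TREE_CONNECT, 0, 0);
    return smb2_check_compound(buf, sizeof buf);
}

/* A lone NEGOTIATE (NextCommand = 0) is normal connection setup. */
int demo_lone_negotiate(void)
{
    uint8_t buf[SMB2_HDR_LEN];
    build_hdr(buf, SMB2_NEGOTIATE, 0, 0);
    return smb2_check_compound(buf, sizeof buf);
}

/* NextCommand pointing past the captured bytes: malformed, not clean. */
int demo_truncated_chain(void)
{
    uint8_t buf[SMB2_HDR_LEN];
    build_hdr(buf, SMB2_TREE_CONNECT, SMB2_HDR_LEN, 1);
    return smb2_check_compound(buf, sizeof buf);
}
```

  The check is deliberately header-only, so it can run on the first 64-byte window of each SMB2 message in a stream without reassembling bodies.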

Triggering the Problem:

  • The vulnerable system must be listening on the SMB port and accept incoming connections.
  • The attacker must have connectivity to the target system.

Triggering Conditions:

  The attacker establishes a connection with the targeted ksmbd server. Once this connection is in place, the server becomes susceptible to the aforementioned threat. The vulnerability is activated when the attacker transmits a compounded request loaded with malicious content to the server in question. It’s essential for server administrators to be aware of such vulnerabilities to ensure their systems are adequately protected and to monitor for any unusual connection requests.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • SMB/CIFS
  

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 4022 Linux Kernel ksmbd NULL Pointer Dereference 1
  • IPS: 19332 Linux Kernel ksmbd NULL Pointer Dereference 2
  • IPS: 19333 Linux Kernel ksmbd NULL Pointer Dereference 3

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Configuring the vulnerable product to allow access to trusted clients only.
    • Updating to a non-vulnerable version of the product.
    • Filtering attack traffic using the signatures above.
  The vendor has released the following commit regarding this vulnerability:
  Vendor Advisory

Why Firewall Throughput Numbers Don’t Tell the Whole Story

When choosing a new vehicle, most people consider fuel economy as one of their criteria. Now imagine a new car manufacturer began running ads stating their large SUV achieved 60 mpg (or 25.5 km/l, if you prefer).

That sounds pretty impressive, right? If you found out that the estimate was achieved in a lab with no simulated wind resistance or road friction, using an engine bolted to a bare chassis — no seats, no upholstery, steering wheel, lights, etc. — you’d probably be much less excited, and rightly so!

Unlike with vehicles and the EPA, however, when it comes to firewalls, there is no one set standard for evaluation. Vendors use a variety of deployments and conditions to collect metrics, with one of the most frequently used in NGFW evaluations being “firewall throughput.”

Firewall Throughput vs. Threat Prevention Throughput

A next-generation firewall (NGFW) is a security device that protects an organization from external as well as internal threats, both known and zero-day. When choosing a firewall for an organization, it is essential to consider the expected network traffic volume and the required security features, ensuring that the selected firewall can handle the network’s current and future demands effectively.

For this reason, an NGFW’s “stats” are often a crucial factor when choosing an NGFW vendor. But some are more useful to the decision-making process than others, as we see when we compare “firewall throughput” and “threat prevention throughput.”

Firewall throughput is the rate at which a stateful packet inspection (SPI) firewall can process and inspect network traffic while maintaining the stateful connection tracking information. SPI is a firewall technology that keeps track of the state of network connections and allows or denies traffic based on the context of those connections.

On the other hand, threat prevention throughput is the packet rate measured with all the security services like Intrusion Prevention (IPS), Anti-Virus, Anti-Spyware and Application Control turned ON.

(For best results, it is essential to measure threat inspection throughput yourself rather than relying on the vendor’s stated firewall throughput or threat inspection throughput numbers. Load testing and performance evaluations should also be performed to verify that the firewall’s throughput meets your organization’s requirements.)

How SonicWall Measures Up to Other Vendors Under Real-World Conditions

In situations in which other vendors’ threat prevention throughput numbers drop dramatically, SonicWall maintains its threat prevention throughput at a healthy number.

For instance, Vendor A’s threat prevention numbers dropped by 88% on their “Model B,” compared to a drop of 63% on the SonicWall TZ270. Please see below table for more info:

Comparison chart showing SonicWall's superior threat prevention performance.

*Based on data publicly published by Vendor A, current as of 9/1/2023

Similarly, Vendor B’s threat prevention numbers dropped by 96% on their “Model A,” compared to a drop of 63% on a TZ270, as outlined in the table below:

Firewall throughput graph illustrating SonicWall's consistent performance.

*Based on data publicly published by Vendor B, current as of 9/1/2023

How SonicWall Helps Solve Threat Inspection Requirements

In contrast to other vendors’ proxy-based firewalls, every SonicWall physical and virtual firewall, including the TZ, NSa, NSv and NSsp Series, is built on the SonicOS architecture.

SonicOS leverages its patented, single-pass, low-latency, Reassembly-Free Deep Packet Inspection (RFDPI) and Real-Time Deep Memory Inspection (RTDMI™) technologies to deliver industry-validated high security effectiveness, SD-WAN, real-time visualization, high-speed virtual private networking (VPN) and other robust security features.

How Does Reassembly-Free Deep Packet Inspection® (RFDPI) Work?

Reassembly-Free Deep Packet Inspection (RFDPI) is a high-performance, proprietary inspection engine that performs stream-based, bi-directional traffic analysis. Best of all, it does so without proxying or buffering, to uncover intrusion attempts and malware and to identify application traffic regardless of port. This architecture includes:

  • Bi-directional inspection:
    Scans for threats in both inbound and outbound traffic simultaneously to ensure that the network is not being used to distribute malware. It also ensures that the network does not become a launch platform for attacks in case an infected machine is brought inside.
  • Stream-based inspection:
    Proxy-less and non-buffering inspection technology provides ultra-low latency performance for deep-packet inspection of millions of simultaneous network streams without introducing file and stream size limitations. It can be applied on common protocols as well as raw TCP streams.
  • Highly parallel and scalable single-pass inspection:
    The unique design of the RFDPI engine works with the multi-core architecture to provide high DPI throughput and extremely high new session establishment rates to deal with traffic spikes in demanding networks. A single-pass DPI architecture simultaneously scans for malware, intrusions and application identification, drastically reducing DPI latency and ensuring that all threat information is correlated in a single architecture.

How a Packet Passes Through a Competing NGFW with Proxy-Based Architecture vs. a SonicWall NGFW

The file limitations on other NGFWs can create dangers, because in some cases not all files are being scanned (see Fig. 1).

Stream-based inspection diagram explaining SonicWall's RFDPI technology.

Fig.1

SonicWall’s technology is designed to ensure files are scanned regardless of size (See Fig. 2).

Another stream-based inspection diagram explaining SonicWall's RFDPI technology.

Fig.2

Read the tech brief on RFDPI to learn more about this stream-based inspection technology.

Conclusion

When evaluating firewall vendors, keep in mind the importance of evaluating threat performance with all the security services turned ON. Threat prevention for firewalls is essential to maintain continuous network protection and reduce the risks of potential security incidents. With SonicWall’s NGFWs, threat prevention is enabled and threat prevention throughput numbers are maintained without the huge drops seen with other vendors.

Rockwell Automation Integer Overflow Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  Rockwell Automation’s ThinManager is designed for managing thin clients, mobile devices, cameras, and industrial devices. It comprises both client and server components: the client facilitates device configuration, while the server handles data transfer and client requests. To maintain data consistency across the system, ThinManager servers synchronize using messages sent via port TCP/2031. These messages, based on a proprietary protocol, begin with a Type value; Type 13 messages are the ones of interest here.

  A significant vulnerability, specifically an integer overflow, has been identified in the Rockwell Automation ThinManager ThinServer. The root of this vulnerability is tied to the improper validation of input, particularly when processing Type 13 synchronization messages.

  This vulnerability is not merely a theoretical concern. In practical terms, a remote attacker, even without authentication, could harness this flaw. By dispatching a specially crafted request to the targeted server, they could exploit this vulnerability. If successful, the outcome could be severe, leading to a potential denial of service for the affected system.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-2914.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 7.7 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C).

  Base score is 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is none.
    • Impact of this vulnerability on data integrity is none.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 7.7 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  The vulnerability arises due to the unchecked value in the “Length of data” field. Specifically, this value is added to the current position pointer, which is set at 12 (0xC), without any prior verification.

  A problem emerges when a value exceeding 2,147,483,635 (0x7FFFFFF3) is supplied in the “Length of data” field. Adding the current position pointer to it overflows, turning the resulting signed 4-byte “calcLength” value negative. Being negative, “calcLength” then passes the check that it is less than or equal to “remainLength”.

  This oversight is critical. As the aforementioned condition is met, the memcpy() function is subsequently invoked with an excessively large “Size” parameter. This can potentially trigger an out-of-bounds read error, culminating in the abrupt termination of the server.
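  As an added illustration, not Rockwell’s code, the length check described above written two ways in C: the weak form, in which the signed 4-byte calcLength wraps negative and satisfies the “calcLength <= remainLength” test, and a hardened form that rejects the overflow before adding. The position pointer value 12 (0xC) and the 0x7FFFFFF3 boundary are from the advisory; the function names and the 1024-byte remainLength are mine.

```c
#include <stdint.h>
#include <stdio.h>

/* Current position pointer after the fixed part of a Type 13 message: 12 (0xC),
 * as given in the advisory. */
#define CUR_POS 12u

/* Boundary from the advisory: 0x7FFFFFF3 + 12 = 0x7FFFFFFF (INT32_MAX) still
 * fits; one more and the sum wraps to INT32_MIN. */
#define LENGTH_AT_LIMIT   0x7FFFFFF3u
#define LENGTH_PAST_LIMIT 0x7FFFFFF4u

/* 32-bit addition that wraps the way the server's signed arithmetic does.
 * Done through uint32_t so the wrap itself is well-defined C (overflowing a
 * signed int directly is undefined behaviour); the final uint32->int32
 * conversion is two's complement on every mainstream compiler. */
static int32_t add_wrap32(uint32_t a, uint32_t b)
{
    return (int32_t)(a + b);
}

/* Weak form, mirroring the advisory: calcLength = pos + "Length of data",
 * then "calcLength <= remainLength" decides whether memcpy() proceeds.
 * Returns 1 when the copy would be allowed, 0 when it is rejected. */
int vulnerable_length_check(uint32_t length_of_data, int32_t remain_length)
{
    int32_t calc_length = add_wrap32(CUR_POS, length_of_data);
    /* Once calc_length has wrapped negative this comparison always succeeds,
     * and memcpy() would run with the huge unsigned length as its size. */
    return calc_length <= remain_length;
}

/* Hardened form: unsigned arithmetic, overflow ruled out before the addition,
 * and the result compared against the bytes actually remaining. */
int hardened_length_check(uint32_t length_of_data, uint32_t remain_length)
{
    if (length_of_data > UINT32_MAX - CUR_POS)   /* pos + length would wrap */
        return 0;
    uint32_t calc_length = CUR_POS + length_of_data;
    return calc_length <= remain_length;
}

int main(void)
{
    int32_t remain = 1024;   /* constructed: 1 KiB of message left to parse */
    printf("weak:     len=0x%08X calc=%d accepted=%d\n", LENGTH_AT_LIMIT,
           add_wrap32(CUR_POS, LENGTH_AT_LIMIT), vulnerable_length_check(LENGTH_AT_LIMIT, remain));
    printf("weak:     len=0x%08X calc=%d accepted=%d\n", LENGTH_PAST_LIMIT,
           add_wrap32(CUR_POS, LENGTH_PAST_LIMIT), vulnerable_length_check(LENGTH_PAST_LIMIT, remain));
    printf("hardened: len=0x%08X accepted=%d\n", LENGTH_PAST_LIMIT,
           hardened_length_check(LENGTH_PAST_LIMIT, (uint32_t)remain));
    printf("hardened: len=%u accepted=%d\n", 500u, hardened_length_check(500u, (uint32_t)remain));
    return 0;
}
```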

Triggering the Problem:

  • The target must be running a vulnerable version of the software.
  • The attacker must have network access to the vulnerable software.

Triggering Conditions:

  The process begins when the attacker issues a request to establish a connection with the server. Once the server responds affirmatively to this request, a vulnerability is exposed. It is at this point that the attacker exploits the flaw by dispatching a Type 13 message containing an unusually expansive “Length of data” field. This action triggers the vulnerability, potentially compromising the system.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • Rockwell Automation ThinManager ThinServer Synchronization Protocol

  Attack Packet:
  

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 4020 Rockwell Automation ThinServer Integer Overflow

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Applying the vendor-supplied patch to eliminate this vulnerability.
    • Filtering traffic based on the signature above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

Cybersecurity News & Trends – 09-01-2023

September is here, which means the great pumpkin spice drought has finally come to an end. Unfortunately, there’s been no such drought in cybercrime. Be sure to read our Mid-Year Update to the 2023 Cyber Threat Report for the latest trends and details on all things concerning cyber threats.

In industry news, PC Magazine covered the FBI’s huge takedown of the Qakbot botnet. Bleeping Computer had the lowdown on the cyber incident at the University of Michigan. Tech Crunch provided details on the massive data breach at Forever 21. Dark Reading broke down a major vulnerability in Openfire’s enterprise messaging application.

Remember to keep your passwords close and your eyes peeled – cybersecurity is everyone’s responsibility.

SonicWall News

SonicWall Promotes Michelle Ragusa-McBain To Global Channel Chief

CRN, SonicWall News: SonicWall has promoted Michelle Ragusa-McBain to head its sizable global partner organization, just months after hiring the channel veteran as its North America channel chief. Looking ahead, SonicWall is planning to roll out a “soft launch” of its revamped SecureFirst Partner Program in September, with a full global launch of the new program planned for February 2024, Ragusa-McBain told CRN.

SonicWall Promotes Cisco Vet to Global Channel Leader

Channel Futures, SonicWall News: SonicWall has promoted Michelle Ragusa-McBain to vice president and global channel leader. She joined SonicWall as vice president and North America channel leader in May. A key theme for SonicWall’s channel strategy is embracing an outside-in approach to crafting its strategy and executing with partners. What that means is we’re listening to our partners and customers more than ever before, rather than operating in a vacuum and telling you what you need.

Ransomware Attacks Skyrocket in Q2 2023

Infosecurity Magazine, SonicWall News: “Ransomware attacks surged by 74% in Q2 2023 compared to the first three months of the year, a new report has found.

The 2023 SonicWall Mid-Year Cyber Threat Report observed two “very unbalanced quarters” regarding the volume of ransomware attacks so far this year. SonicWall Capture Labs Threat Researchers recorded 51.2 million attacks in Q1 2023, representing the smallest number of attacks since Q4 2019.”

How Bitcoin Swings Helped Drive an Almost Nine-fold Surge in Cryptojacking Attacks in Europe

DL News, SonicWall News: Cryptojacking attacks skyrocketed when Bitcoin prices fell, and could be the overture to something worse, according to SonicWall researchers. These attacks turn victims’ computers into unknowing crypto mining rigs. Bitcoin reached a $68,000 high in November 2021 before crashing down to as low as just above $16,000 in 2022. It currently hovers around $30,000.

Cryptojacking attacks surge 399% globally as threat actors diversify tactics

ITPro, SonicWall News: Security experts have issued a warning over a significant increase in cryptojacking attacks as threat actors seek to ‘diversify’ their tactics. The volume of cryptojacking attacks surged by 788% in Europe during the first half of the year, with attacks in North America also rising by 345%.

SonicWall: Ransomware Declines Further As Attackers ‘Pivot’ Their Tactics

CRN, SonicWall News: Ransomware continued to lose favor among malicious actors during the first half of 2023, but overall intrusions increased as some attackers switched focus to other types of threats, according to newly released SonicWall data. In the cybersecurity vendor’s report on the first six months of the year, ransomware attack volume dropped 41 percent from the same period a year earlier, the report released Wednesday shows.

Evolving Threats – Evolved Strategy

ITVoice, SonicWall News: The ever-evolving cybersecurity landscape is rapidly changing, and businesses must change with it. The massively expanding, distributed IT reality is creating an unprecedented explosion of exposure points for sophisticated cybercriminals and threat actors to exploit.

Britain’s Biggest Hospital Held To Ransom

Cyber Security Intelligence, SonicWall News: SonicWall expert Spencer Starkey said “The healthcare sector continues to be a prime target for malicious actors as evidenced by the recent attack on Barts Health NHS Trust. Not only does this attack risk the potential for exposed patient data, but any significant IT issue that halts patient care poses an immediate threat to life.”

Hackers claim breach is the ‘biggest ever’ in NHS history

Silicon Republic, SonicWall News: Spencer Starkey, vice-president of EMEA at cybersecurity company SonicWall, said that the healthcare sector continues to be a “prime target” for hackers globally. “Not only does this attack risk the potential for exposed patient data, but any significant IT issue that halts patient care poses an immediate threat to life,” said Starkey, referring to the Barts Health cyberattack. The ramifications of an attack on the healthcare sector can be disastrous and it’s important to place the utmost amount of time, money and efforts on securing it.

How to Reach Compliance with HIPAA

TrendMicro, SonicWall News: According to the 2022 SonicWall Cyber Threat Report, healthcare continued a large spike in malware in 2021, at 121%, while the largest jump in IoT malware attacks belonged to healthcare, which saw a 71% year-over-year increase. To shed light on the significance malware can carry, it’s important to look at how recent breaches could’ve been circumvented by abiding by the HIPAA rules and safeguards.

Why Attackers Love to Target IoT Devices

VentureBeat, SonicWall News: Malicious objects were blocked on more than 40% of OT systems. SonicWall Capture Labs threat researchers recorded 112.3 million instances of IoT malware in 2022, an 87% increase over 2021.

Industry News

FBI Circulates Uninstaller to Dismantle Qakbot Botnet

Qakbot, a Trojan built to steal bank account information, has been in circulation since 2008. This week, the United States Justice Department and the FBI announced the success of an operation in which they seized control of the Qakbot servers and forced the botnet to send out an uninstaller that removed the program from infected computers. Agents involved in the investigation said the botnet was controlling some 700,000 computers, 200,000 of which were in the U.S. Because Qakbot was so widespread and had been around for so long, this is a major blow to cybercrime, even if it probably isn’t the absolute end of the malware. Beyond stealing bank account information, Qakbot also operated as a botnet: its creators sold access to the infected computers to other cybercriminal groups. In a YouTube video announcing the operation’s success, FBI director Christopher Wray stated, “The FBI neutralized this far-reaching, criminal supply chain, cutting it off at the knees.” Qakbot has been linked to some of the most notorious ransomware gangs in the world, such as LockBit, Conti, Black Basta, Royal, REvil and more. The losses suffered by victims of Qakbot are thought to be in the hundreds of millions of dollars. The fight against cybercrime is never-ending, but this is a victory worth celebrating.

Cyberattack Forces University of Michigan to Shut Down Network

The University of Michigan, home to some 30,000 staff and 51,000 students, was forced to shut down all of its network services this week to deal with a cybersecurity incident. The incident took place the day before classes were set to start back for the fall semester. The university had to shut down multiple services including Google, Canvas, Wolverine Access and email services. Since disconnecting, many services have now been restored, including Zoom, Adobe Cloud, Dropbox, Slack, Google and Canvas. The U of M is working with law enforcement and external cybersecurity experts to get to the bottom of the incident, but so far, more information hasn’t become available.

539,000 Customers Affected by Forever 21 Data Breach

Mall-staple Forever 21 suffered a data breach earlier this year that’s affected more than half a million customers. The hacking began in January 2023 and lasted for over three months. The threat actors obtained sensitive information such as data on current and former employees. The stolen data included the names, dates of birth, bank account info, Social Security numbers and healthcare information of the employees. Forever 21 released a statement saying, “Forever 21 has taken steps to help assure that the unauthorized third party no longer has access to the data.” Folks at Tech Crunch speculated that this could imply Forever 21 paid the hacker in exchange for the deletion of the stolen data. If that were the case, there’s no way to trust that the cybercriminals actually deleted the data. This is the second major breach at Forever 21, the first coming in 2017 with a massive theft of credit card numbers. Only time will tell the true ramifications for the employees whose data was stolen.

Kinsing Threat Group Targets Openfire Cloud Servers

A vulnerability in Openfire’s enterprise messaging application is being exploited by the Kinsing hacker gang. The vulnerability, tracked as CVE-2023-32315, is being used by the gang to create fake admin users in Openfire cloud servers that are then used by the group to take full control of the instance. Once they have access, they upload malware and a cryptominer to the servers. Security researchers have tallied over 1,000 attacks utilizing this vulnerability in the past two months. The researchers actually created an Openfire server intended to be used as a honeypot in July. It was attacked almost immediately, and they were able to track 91% of the attacks back to the Kinsing hacker gang. Dark Reading ran a Shodan search that showed over 6,000 internet-connected Openfire servers and found that 984 of those were vulnerable to the flaw. The researchers are asking any organization using Openfire servers to check their systems for vulnerabilities and patch them accordingly.

SonicWall Blog

Elevate Your Network with The Ultimate 3 & Free Promotion – Michelle Ragusa-McBain

Why Education is the New Cybercrime Epicenter – Amber Wolff

How SonicWall Offers High Availability at the Lowest Price – Tiju Cherian

Cryptojacking Continues Crushing Records – Amber Wolff

Why Should You Choose SonicWall’s NSsp Firewalls? – Tiju Cherian

Utilize APIs to Scale Your MySonicWall Operation – Chandan Kumar Singh

First-Half 2023 Threat Intelligence: Tracking Cybercriminals Into the Shadows – Amber Wolff

If It’s Easy, It’s TZ – Tiju Cherian

Sonic Boom: Getting to Know the New SonicWall – Michelle Ragusa-McBain

SonicWall’s Traci McCulley Orr Honored as a Talent100 Leader – Bret Fitzgerald

3 & Free Promotion: How to Upgrade to a Gen 7 NSsp Firewall for Free – Michelle Ragusa-McBain

Monthly Firewall Services Option for Simplicity and Scalability – Sorosh Faqiri

Monitoring and Controlling Internet Usage with Productivity Reports – Ashutosh Maheshwari

Elevate Your Network with The Ultimate 3 & Free Promotion

As businesses of all sizes navigate the complexities of the modern cybersecurity landscape, finding the right firewall solution at the right price is critical to a successful IT strategy. Malware is a serious threat with serious consequences to your organization and its reputation — especially with ransomware gangs and other cybercriminals lying in wait for an opportunity to attack your network, steal your data and sow chaos within your organization.

You need a firewall appliance that can quickly detect and stop malware in real time, before it causes any damage.

Why ‘3 & Free’ is the Ultimate in Savings

The limited-time SonicWall 3 & Free NGFW promotion is a cost-efficient and painless way for new or existing customers to upgrade to the latest NGFW while getting an incredible service package at an unbeatable price.

In-line image that shows why ‘3 & Free’ provides the ultimate in savings for our customers.

Don’t miss out on this jaw-dropping offer: From now until December 31, 2023, you can get a free SonicWall NGFW when you buy our 3-Year Essential Protection Service Suite (EPSS) and upgrade or trade in your current competitor device or SonicWall legacy appliance.

With a new SonicWall NGFW equipped with our Essential Protection Service Suite (EPSS), you’ll have the industry-leading protection your organization needs to stay safe in the constantly evolving threat environment, including defense against advanced malware, ransomware, encrypted threats, viruses, spyware, zero-day exploits and so much more. You can rest assured that your data, devices and users are secure.

What Sets This Deal Apart

This promotion is right-sized for every business, providing not only the best opportunity to get a free next-gen firewall appliance, but also to get the absolute best service and technology. And the savings continue even after you’ve deployed your new solution: Third-party testing by the Tolly Group compared SonicWall to Fortinet and found that the SonicWall solution has significantly lower 3-year TCO.

Our comprehensive EPSS package includes:

  • Capture Advanced Threat Protection (ATP) with our patented RTDMI™
  • Gateway Anti-Virus
  • Anti-Spyware
  • Comprehensive Anti-Spam
  • Content Filtering Service (CFS)
  • Application Control
  • Intrusion Prevention Services
  • 24×7 support including firmware

SonicWall’s Capture ATP is our award-winning cloud-based sandbox that uses multiple engines to scan and block the most advanced threats before they can infect your network. It offers industry-leading threat protection and simplified management.

One of the key features of Capture ATP is our patented Real-Time Deep Memory Inspection (RTDMI™) technology, which is a powerful tool that can detect and stop known and unknown threats in real-time. RTDMI utilizes a combination of memory inspection, CPU instruction tracking and machine learning to analyze the characteristics and behaviors of suspicious files and processes. Unlike traditional sandboxes, RTDMI can catch threats that don’t exhibit any malicious behavior or that use encryption techniques to conceal their malicious code.

With Capture ATP, you also gain the superior performance of our most advanced and user-friendly operating system ever — SonicOS7. SonicOS7 has been redesigned from scratch to be more agile, flexible and intuitive than any of its predecessors. It offers enhanced security, visibility and control over your network.

Cybersecurity News & Trends – 08-25-2023

We’re heading into the final week of August, and it’s been an exciting month here at SonicWall. If you haven’t already given it a read, be sure to check out our Mid-Year Update to the 2023 Cyber Threat Report.

In industry news, Dark Reading covered increasing ransomware numbers and a lawsuit that could have far-reaching implications for software makers. Bleeping Computer had the lowdown on North Korea’s Lazarus gang preparing to offload over $40 million in crypto assets. Tech Crunch provided new details on the data breach at Tesla.

Remember to keep your passwords close and your eyes peeled – cybersecurity is everyone’s responsibility.

SonicWall News

SonicWall Promotes Michelle Ragusa-McBain To Global Channel Chief

CRN, SonicWall News: SonicWall has promoted Michelle Ragusa-McBain to head its sizable global partner organization, just months after hiring the channel veteran as its North America channel chief. Looking ahead, SonicWall is planning to roll out a “soft launch” of its revamped SecureFirst Partner Program in September, with a full global launch of the new program planned for February 2024, Ragusa-McBain told CRN.

SonicWall Promotes Cisco Vet to Global Channel Leader

Channel Futures, SonicWall News: SonicWall has promoted Michelle Ragusa-McBain to vice president and global channel leader. She joined SonicWall as vice president and North America channel leader in May. A key theme for SonicWall’s channel strategy is embracing an outside-in approach to crafting its strategy and executing with partners. What that means is we’re listening to our partners and customers more than ever before, rather than operating in a vacuum and telling you what you need.

Ransomware Attacks Skyrocket in Q2 2023

Infosecurity Magazine, SonicWall News: “Ransomware attacks surged by 74% in Q2 2023 compared to the first three months of the year, a new report has found.

The 2023 SonicWall Mid-Year Cyber Threat Report observed two “very unbalanced quarters” regarding the volume of ransomware attacks so far this year. SonicWall Capture Labs Threat Researchers recorded 51.2 million attacks in Q1 2023, representing the smallest number of attacks since Q4 2019.”

How Bitcoin Swings Helped Drive an Almost Nine-fold Surge in Cryptojacking Attacks in Europe

DL News, SonicWall News: Cryptojacking attacks skyrocketed when Bitcoin prices fell, and could be the overture to something worse, according to SonicWall researchers. These attacks turn victims’ computers into unknowing crypto mining rigs. Bitcoin reached a $68,000 high in November 2021 before crashing down to as low as just above $16,000 in 2022. It currently hovers around $30,000.

Cryptojacking attacks surge 399% globally as threat actors diversify tactics

ITPro, SonicWall News: Security experts have issued a warning over a significant increase in cryptojacking attacks as threat actors seek to ‘diversify’ their tactics. The volume of cryptojacking attacks surged by 788% in Europe during the first half of the year, with attacks in North America also rising by 345%.

SonicWall: Ransomware Declines Further As Attackers ‘Pivot’ Their Tactics

CRN, SonicWall News: Ransomware continued to lose favor among malicious actors during the first half of 2023, but overall intrusions increased as some attackers switched focus to other types of threats, according to newly released SonicWall data. In the cybersecurity vendor’s report on the first six months of the year, ransomware attack volume dropped 41 percent from the same period a year earlier, the report released Wednesday shows.

Evolving Threats – Evolved Strategy

ITVoice, SonicWall News: The ever-evolving cybersecurity landscape is rapidly changing, and businesses must change with it. The massively expanding, distributed IT reality is creating an unprecedented explosion of exposure points for sophisticated cybercriminals and threat actors to exploit.

Britain’s Biggest Hospital Held To Ransom

Cyber Security Intelligence, SonicWall News: SonicWall expert Spencer Starkey said “The healthcare sector continues to be a prime target for malicious actors as evidenced by the recent attack on Barts Health NHS Trust. Not only does this attack risk the potential for exposed patient data, but any significant IT issue that halts patient care poses an immediate threat to life.”

Hackers claim breach is the ‘biggest ever’ in NHS history

Silicon Republic, SonicWall News: Spencer Starkey, vice-president of EMEA at cybersecurity company SonicWall, said that the healthcare sector continues to be a “prime target” for hackers globally. “Not only does this attack risk the potential for exposed patient data, but any significant IT issue that halts patient care poses an immediate threat to life,” said Starkey, referring to the Barts Health cyberattack. The ramifications of an attack on the healthcare sector can be disastrous and it’s important to place the utmost amount of time, money and efforts on securing it.

How to Reach Compliance with HIPAA

TrendMicro, SonicWall News: According to the 2022 SonicWall Cyber Threat Report, healthcare continued a large spike in malware in 2021, at 121%, while the largest jump in IoT malware attacks also belonged to healthcare, which saw a 71% year-over-year increase. To shed light on the significance malware can carry, it’s important to look at how recent breaches could’ve been circumvented by abiding by the HIPAA rules and safeguards.

Why Attackers Love to Target IoT Devices

VentureBeat, SonicWall News: Malicious objects were blocked on more than 40% of OT systems. SonicWall Capture Labs threat researchers recorded 112.3 million instances of IoT malware in 2022, an 87% increase over 2021.

Industry News

Ransomware on the Rise

A security consulting group sounded the alarm about a ransomware resurgence happening right now. In July, the group found that data from 502 breaches was posted to various leak sites, a 150% increase from July 2022. Many factors have led to this increase, but the group noted that it has a lot to do with the rise of more easily exploited vulnerabilities, such as the one behind the breach of MOVEit’s file transfer tool. On top of that, the average time a ransomware group waits to strike once it has infiltrated a company has shrunk by nearly 50% since 2022, from nine days down to five. The group found that a majority of these new attacks are targeting the industrial sector, which as a whole has been spending less on cybersecurity over the past few years. Much of the increase can be attributed to the Cl0p ransomware gang, which has been responsible for three times as many data leaks as the second most successful group, Lockbit 3.0. Our recently released Mid-Year Update to the 2023 Cyber Threat Report indicated a ransomware rebound may be in the works, and this data seems to support that. Only time will tell if the trend continues into the remainder of the year.

Lawsuit Calls for More Accountability for Software Makers Amid MOVEit Breaches

Progress Software, the maker of the MOVEit file transfer tool, is the subject of a class-action lawsuit following the massive MOVEit breaches that began earlier this year. The lawsuit claims Progress Software breached its contracts and was negligent. The attacks have affected small organizations and billion-dollar organizations like Shell and British Airways alike. The lawsuit alleges Progress didn’t “properly secure and safeguard personally identifiable information” and has exposed plaintiffs to an ongoing risk of identity theft, not to mention financial costs and losses of time and productivity. If the lawsuit goes in favor of the plaintiffs, it could set a precedent for holding software developers accountable for the security of their applications in the event of major supply-chain breaches such as this one. A spokesperson from MOVEit relayed that Progress will not comment on the pending litigation.

Tesla Data Breach Revealed to be Inside Job

Tesla has released a statement saying two former employees are responsible for a data breach that affected over 75,000 Tesla employees. Tesla’s data privacy officer, Steven Elentukh, said that the former employees violated Tesla’s IT security and data protection policies by sharing the data. The data contains a large amount of information on the 75,000 employees, including names, addresses, phone numbers, Social Security numbers and employment records. The two employees in question handed the data over to a German newspaper, but the newspaper assured Tesla that it would not publish or misuse the data. The information was 100 gigabytes in total and included customer bank details, production secrets and customer complaints alongside the employee data. The German newspaper said Tesla owner Elon Musk’s Social Security number was also included in the leak. Tesla has filed lawsuits against the former employees, and their electronic devices have been seized.

Lazarus Gang Preparing to Offload $41 Million in Stolen Crypto

The FBI has been tracking the movement of bitcoin stolen by the North Korean Lazarus gang and has narrowed it down to six cryptocurrency wallets. In total, it appears the group has moved 1,580 bitcoins to the six wallets. A recent report found that North Korean state hacker groups have been responsible for the theft of more than $2 billion in crypto over the past five years. More recently, the notorious Lazarus gang has been linked to a breach of Axie Infinity that holds the crown for the largest crypto heist of all time, in which the hackers made off with a whopping $620 million worth of Ethereum. On Tuesday, the FBI released a statement saying, “The FBI will continue to expose and combat the DPRK’s use of illicit activities—including cybercrime and virtual currency theft—to generate revenue for the regime.” It also urged anyone with information on the state-backed hacking groups to contact their local FBI field office.

SonicWall Blog

Why Education is the New Cybercrime Epicenter – Amber Wolff

How SonicWall Offers High Availability at the Lowest Price – Tiju Cherian

Cryptojacking Continues Crushing Records – Amber Wolff

Why Should You Choose SonicWall’s NSsp Firewalls? – Tiju Cherian

Utilize APIs to Scale Your MySonicWall Operation – Chandan Kumar Singh

First-Half 2023 Threat Intelligence: Tracking Cybercriminals Into the Shadows – Amber Wolff

If It’s Easy, It’s TZ – Tiju Cherian

Sonic Boom: Getting to Know the New SonicWall – Michelle Ragusa-McBain

SonicWall’s Traci McCulley Orr Honored as a Talent100 Leader – Bret Fitzgerald

3 & Free Promotion: How to Upgrade to a Gen 7 NSsp Firewall for Free – Michelle Ragusa-McBain

Monthly Firewall Services Option for Simplicity and Scalability – Sorosh Faqiri

Monitoring and Controlling Internet Usage with Productivity Reports – Ashutosh Maheshwari

SonicWall NSM 2.3.5 Brings Enhanced Alerting Capabilities – Suriti Singh