ECCENTRIC BANDWAGON, DPRK

Overview:

SonicWall Capture Labs Threat Research Team recently found a new sample and activity for:
ECCENTRIC BANDWAGON, DPRK.

The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. North Korea, officially the Democratic People’s Republic of Korea (DPRK), is a country in East Asia constituting the northern part of the Korean Peninsula. North Korean group definitions are known to have significant overlap, and the name Lazarus Group is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea.

ECCENTRIC BANDWAGON is one of the new Remote Access Trojans (RATs) created by HIDDEN COBRA.

These remote access tools are believed to be used in highly targeted attacks against financial, engineering, government and non-governmental organisations.

All ECCENTRIC BANDWAGON variants consist of a primary DLL file that, when executed, uses three separate files for screenshots, system logs and keystroke logs. Some variants encrypt these files using RC4, while others include basic clean-up functionality that attempts to remove the log files once ECCENTRIC BANDWAGON has finished executing.

Sample, Static Information:

Dynamic Information:

Key-logging Artifacts:

Clipboard Capture:

Directory Removal and Clean-up:

Strings Set 01:

Strings Set 02:

Supported Systems:

  • Windows 10
  • Windows 8.1
  • Windows 8.0
  • Windows 7
  • Windows Vista

SonicWall Gateway Anti-Virus (GAV) provides protection against this threat:

  • GAV: EccentricBandwagon.N (Trojan)

Appendix:

Sample SHA256 Hash: c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec

Cybersecurity News & Trends – 09-04-20

This week, teenage hackers and nation-state attackers made trouble worldwide.


SonicWall Spotlight

SonicWall TZ 600 POE — SC Magazine

  • SC Media takes a close look at the TZ 600 POE and awards it top marks.

Why Small Businesses Must Deal With Emerging Cybersecurity Threats — Entrepreneur

  • Cybercriminals are counting on small businesses to be less protected — and they’re often right.

Surging CMS attacks keep SQL Injections On The Radar During The Next Normal — Help Net Security

  • Cyberattacks have risen during the pandemic, leaving businesses to wonder whether things will settle down when COVID-19 begins to wane, or if the increase in attacks is here to stay.

Cybersecurity News

Teenager arrested in cyberattacks on Miami-Dade schools — The Washington Times

  • A 16-year-old student has been arrested for orchestrating a series of network outages and cyberattacks during the first week of school in Florida’s largest district.

Microsoft Defender can ironically be used to download malware — Bleeping Computer

  • A recent update to Windows 10’s Microsoft Defender antivirus solution ironically allows it to download malware and other files to a Windows computer.

Twitter Hack May Have Had Another Mastermind: A 16-Year-Old — The New York Times

  • A Massachusetts teenager appears to have played a significant role in the July 15 Twitter attack, investigators and fellow hackers said.

Chinese Hackers Targeted European Officials in Phishing Campaign — Bloomberg

  • Chinese nation-state hackers launched a phishing campaign against European government officials, diplomats, non-profits and other organizations to gather intelligence about global economies reeling from the pandemic.

Minister: New Zealand Enduring Wave of Cyberattacks — Security Week

  • According to the Associated Press, tracking down the perpetrators will be extremely difficult, as the distributed denial of service attacks are being routed through thousands of computers.

Federal agencies deny seeing attacks on voting infrastructure — The Hill

  • The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have denied seeing any reports of attacks on voting infrastructure, following the publication of a report on potential Russian election interference.

The FBI Botched Its DNC Hack Warning in 2016—but Says It Won’t Next Time — Wired

  • Facing looming election threats and a ransomware epidemic, the bureau says it has revamped its process for warning hacking victims.

The accidental notary: Apple approves notorious malware to run on Macs — Ars Technica

  • Newfangled malware protection gives users a false sense of security, critics say, making it potentially worse than nothing at all.

Attackers abuse Google DNS over HTTPS to download malware — Bleeping Computer

  • More details have emerged on a malware sample that uses Google DNS over HTTPS to retrieve the stage 2 malicious payload.

‘UltraRank’ Gang Sells Card Data It Steals — Bank Info Security

  • A cybercriminal gang that has spent five years planting malicious JavaScript code in order to steal payment card data from hundreds of e-commerce websites also takes the unusual step of selling the data on its own.

Hackers Attack Norway’s Parliament — Security Week

  • Norway’s parliament said Tuesday it had been the target of a “vast” cyberattack that allowed hackers to access some lawmakers’ emails.

In Case You Missed It

New SonicWall Solutions: Engineered for the New Normal

Over the past three-and-a-half years since SonicWall separated from Dell, it has been our mission to radically change how SonicWall does business, supports its customers and develops solutions for the workplace of the future. We logged thousands of hours interviewing customers of all sizes, from all over the world. We also conducted hundreds of security reviews within several key business models, such as distributed enterprises, universities, primary educational institutions and retail, as well as federal, state/provincial, and local government agencies.

Our solution roadmap over the past three years was built around a future where a mostly mobile workforce used a variety of internal and cloud-native applications. But even we could not anticipate the speed at which this transition was going to happen. When shelter-in-place orders were mandated across the world and employees began working from home 100% of the time, we knew we had the right solutions in development for our customers. These solutions furthered our commitment to Boundless Cybersecurity: Launched earlier this year, the Boundless Cybersecurity model offers our customers ways to know the unknown and gain unified visibility and control, all while delivering disruptive economics to help reconcile IT sprawl with fixed budgets and headcount. These needs have only increased since the start of the pandemic.

With this in mind, we launched a series of new products in August that was focused on large and distributed enterprises. Let me share some details on what we announced:

  • New Generation Seven SonicOS Operating System — Built from the ground up as a completely new operating system, SonicOS 7 offers a cleaner UI to make management training quicker and easier. Underpinning this improved interface is the new x86 Linux-based architecture, which strengthens security and allows us to develop a platform faster to adjust to changing customer demands. Although SonicWall Next-Generation Firewalls (NGFWs) are the most secure (as judged by numbers of vulnerabilities), this change will strengthen our customers’ confidence in choosing a security partner.
  • The Generation Seven SonicOSX Operating System — Like SonicOS (without the “X”), this platform is built on a new X86 Linux-based architecture — the difference is that SonicOSX was designed for our high-end NGFWs such as the NSsp. This new OS enables the NGFW to support a true multi-instance architecture, allowing customers to provide tenants with dedicated resources to enable supporting unique configurations and software versions. It also features Unified Policy, which combines Layer Three through Seven rules into a single rule base for an easier and more intuitive configuration.
  • New Generation Seven TZ 570 & 670 NGFW — The TZ 570 and 670 are the first firewalls in desktop form factor to offer multi-gigabit (5/10G) interfaces with threat prevention speeds of up to 2.5 Gbps. Built on SonicOS 7, these new TZ Series firewalls are designed for integration with the new SonicWall Switches, while also offering Zero-Touch Deployment, TLS 1.3 and 5G support. With higher VPN capacity, our customers can better serve remote employees who connect to smaller offices.
  • New NSsp 15700 NGFW — Designed for MSSPs and large enterprises, this firewall is powered by SonicOSX 7 and offers an improved UI, Unified Policy, multi-instance architecture and more to make life easier for IT admins. With its 82 Gbps threat prevention throughput, it’s designed to be extremely fast compared to similarly priced firewalls on the market. Despite offering high-end features — such as greater throughput and true multi-instance capabilities that eliminate problems associated with traditional multitenancy architecture — the NSsp 15700 doesn’t sacrifice SonicWall’s commitment to helping our customers bridge the budget gap. The NSsp 15700 doesn’t charge for multiple instances or for threat protection software on the second device in an HA pair setting — a configuration which represents 90% of all seen deployments. This makes the NSsp 15700 at least 45% less expensive over a five-year period than the second least-expensive NGFW in its class.
  • SonicWall Network Security Manager (NSM) 2.0 SaaS — As NGFW deployments grew in size and scope, our customers began asking for better firewall management across the largest distributed enterprises. The SonicWall NSM 2.0 SaaS was designed to better control, manage, and monitor tens of thousands of network security devices — including firewalls, managed switches and secure wireless access points — from anywhere via a simple cloud interface. As the SonicWall universe of solutions grows, so must the manageability of this ecosystem. NSM 2.0 does just that.
  • Capture Security appliance (CSa) 1000 — Since we launched Capture Advanced Threat Protection (Capture ATP) in 2016 and Real-Time Deep Memory Inspection (RTDMI) in 2019, we have built up our largest customer base for advanced threat protection. Despite its success as a cloud-based malware detection and prevention platform, Capture ATP cannot be used by some customers for regional and internal compliance reasons. We built CSa 1000 using the memory-based RTDMI engine and a new UI to help our compliance-restricted customers and those who have latency concerns to accurately and quickly detect, stop and report on new threats.

Both my team and I strongly believe these latest releases will help you better secure your network and make managing it a lot easier. I encourage you to read and review our website for more information on these solutions. Moving forward through the second half of 2020, we have many exciting new offerings for you, including our first release of Zero-Trust Network Access (ZTNA) solution that gives SonicWall customers the ability to comply with the Secure Access Service Edge (SASE) architecture. Stay tuned for more groundbreaking solutions from SonicWall.

Kind Regards,

Atul

Jackpot ransomware actively spreading in the wild

The SonicWall Capture Labs threat research team observed reports of a new variant family of Jackpot ransomware [Jackpot.RSM] actively spreading in the wild.

The Jackpot ransomware encrypts the victim’s files with a strong encryption algorithm until the victim pays a fee to get them back.

Infection Cycle:

The ransomware adds the following files to the system:

  • Malware.exe
    • %App.path%\[Name].Coin (encrypted file)
    • %App.path%\payment request.txt (recovery instructions)

Once the computer is compromised, the ransomware runs the following commands:

The ransomware encrypts all the files and appends the Coin extension onto each encrypted file’s filename.

After encrypting all personal documents, the ransomware shows the following picture containing a message reporting that the computer has been encrypted and to contact its developer for unlock instructions.

SonicWall Capture Labs threat research team provides protection against this threat via the following signature:

  • GAV: JACKPOT.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Your Email DLP Just Got Better and More Secure

These days, all types of business communications are done via email — so employees cannot sacrifice the mobility, reliability and economy of their inboxes. From contract information to the latest sales reports, it is imperative that email data remain confidential. A single wrong click can give away top-secret company information, broadcast private financial statements or expose sensitive negotiations.

CAS Data Loss Prevention (DLP) policies for Office 365 Email now include an automated workflow that allows emails violating an enabled CAS DLP policy to be encrypted before being sent, using the existing Microsoft Office 365 Encryption service included in several of the Microsoft 365 and Office 365 Enterprise bundles.

What is email encryption, and how does Microsoft 365 use it?

Encryption is the process by which information is encoded so that only an authorized recipient can decode and consume the information. Microsoft/Office 365 uses encryption in two ways: in the service, and as a customer control. Encryption is used in the Microsoft 365 service by default; you don’t have to configure anything. For example, Microsoft 365 uses Transport Layer Security (TLS) to encrypt the connection, or session, between two servers.

There are different ways to embed customer control in a workflow; below is one example.

Here’s how email encryption typically works:

  • If the encryption process is not automatic, the user selects the “Encrypt” option in Outlook.
  • The message is encrypted, or transformed from plain text into unreadable ciphertext, either on the sender’s machine or by a central server while the message is in transit.
  • The message remains in ciphertext while it’s in transit in order to protect it from being read if it is intercepted.
  • Once the message reaches its destination, the message is transformed back into readable plain text in one of two ways:
    • The recipient’s machine uses a key to decrypt the message, or
    • A central server decrypts the message on behalf of the recipient, after validating the recipient’s identity.

How does SonicWall Cloud App Security help?

When you have a Microsoft 365/Office 365 bundle that includes Office 365 Message Encryption (OME) and the CAS Advanced package, CAS can automatically encrypt emails that violate configured DLP policies. When you configure your CAS Office 365 Email DLP policy workflow to use the “Encrypted by Microsoft” action, an appropriate Exchange Online mail flow rule is created automatically. Using CAS’s “Protect (inline)” mode, emails are intercepted and evaluated against the selected DLP policy rules. When an outgoing email matches a DLP rule, SonicWall Cloud App Security automatically encrypts the email before it is allowed to be sent externally. With the embedded workflow, the admin can manage the DLP content in a much more efficient manner without any extra overhead — once the CAS policy is triggered, the mail is encrypted and delivered to the recipient.

End-user email if a DLP workflow is invoked (Below)

Always stay updated

Once you’ve enabled the DLP workflow, outgoing emails that have been encrypted by the policy can be easily located under the Events pane. Selecting the event itself allows you to drill down into the Security Event details with the History visibly stating, “Encrypted by Microsoft.” There are various filters available to examine the available events more closely in case suspicious activity needs to be investigated.

Many cloud providers encrypt their servers to defend against outside threats, but don’t follow the information once it’s been shared or sent externally. That information can be copied, emailed and opened by anyone once it leaves your environment. With the introduction of this new workflow in SonicWall Cloud App Security, sensitive emails and file attachments can be automatically encrypted, preventing unauthorized access to your sensitive information outside of your environment.

Cloud App Security’s DLP workflow leverages your existing Office 365 Message Encryption (OME) services. This protects your sensitive emails, reducing the need for multiple encryption services and providers, and helps you manage costs by using services you’ve already paid for. Protecting sensitive information and saving money? Sounds like a total win to me!

Darkside ransomware targets large corporations. Charges up to $2M.

The SonicWall Capture Labs threat research team has observed a new family of ransomware called Darkside. The operators of this ransomware primarily target large corporations. Recently, a Canadian land developer and home builder, Brookfield Residential, was hit with Darkside ransomware. In this case, the operators not only encrypted data but also stole it and threatened to publish the company’s data online if it does not pay up. Darkside has been around since early August and its operators have been launching multiple customized attacks towards known high-revenue companies. The operators charge between $200,000 and $2M for file decryption. It has been reported that the operators have already obtained over $1M since the start of their campaign.

Infection Cycle:

When running the malware, the following User Account Control dialog is shown:

Files on the system are encrypted and given a “ehre.eb2e8d90” extension. A file named README.eb2e8d90.TXT is copied into all directories containing encrypted files.

README.eb2e8d90.TXT contains the following message:

As the malware is aimed at large corporations, the message states that over 100GB of data has been uploaded to the operators. However, we did not observe any data being uploaded during our analysis.

The link provided in the ransom message leads to the following page hosted on a server on Tor:

Upon entering the key provided in the message, the following page is displayed:

$2 million in cryptocurrency is demanded for file decryption. It is interesting to note that, in addition to Bitcoin, Monero is offered as a valid payment method. Compared to Bitcoin, Monero is used significantly less by ransomware operators. However, one of Monero’s key features is its untraceability. We expect to see an increase in malware operators using cryptocurrencies of this nature.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Darkside.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Cybersecurity News & Trends

This week, SonicWall experts are featured on three podcasts discussing Boundless Cybersecurity, the Mid-Year Update to the 2020 SonicWall Cyber Threat Report, and the future of work in the age of Covid-19.


SonicWall Spotlight

Podcast: Cybersecurity for the Post-Covid New Normal of Work – Harvard Business School

  • Harvard Business School Professor Joe Fuller talks with SonicWall CEO Bill Conner as part of their Managing the Future of Work project. Bill and Joe discuss how 2020 has changed the cybersecurity landscape, with Covid-19 forcing much of the workforce to work from home.

Tech Chat Episode 72: Boundless Cybersecurity and Ease of Use – Enterprise Management 360

  • SonicWall’s Terry Greer-King makes the case for Boundless Cybersecurity on the Tech Chat podcast.

Cyber Threats in the Time of Corona – Ping Podcast – Episode 27 – Firewalls.com

  • SonicWall’s Brook Chelmo guests on the latest episode of Firewalls.com’s Ping podcast, discussing the Mid-Year Update to the 2020 SonicWall Cyber Threat Report.

SonicWall Wins ChannelPro Reader’s Choice Award – SonicWall blog

  • SonicWall has been named the Bronze Winner in the “Best Security Hardware Vendor” category of the 2020 ChannelPro Readers’ Choice Awards. This is the fourth year running that SonicWall has placed in the top three for this category.

Batelco Partners with SonicWall to Launch Integrated Security Solutions for SMEs – ITP.net


Cybersecurity News

University of Utah Pays $450K to Stop Cyberattack on Servers – Washington Times

  • Following a ransomware attack on its computer servers, the University of Utah paid extortionists almost half a million dollars. The University states that it paid the ransom “as a proactive and preventive step” to prevent the data being leaked rather than to access the data.

Three Charged With Leaking Movies as Part of Global Piracy Ring – New York Times

  • Three men are facing federal charges of involvement in an international piracy ring known as the Sparks Group, a global-spanning movie and television show pirate group.

Group of Unskilled Iranian Hackers Behind Recent Attacks With Dharma Ransomware – ZDNet

  • A group of Iranian cyberattackers described as “newbie hackers” has been targeting companies located in Russia, Japan, China and India.

Cyber Attack Halts New Zealand Stock Market for Third Straight Day – SecurityWeek

  • The New Zealand exchange (NZX) had to halt trading as a result of DDoS cyberattacks three days in a row. A spokesman for the NZX said they would not be commenting on the origins of the attacks, “given the nature of the issues”.

Federal Cyber Agency Releases Strategy to Secure 5G Networks – The Hill

  • The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has released a strategy to defend U.S. 5G networks against cyberthreats. The five “strategic initiatives” to secure the buildout of 5G systems include development standards and supply chain threat awareness.

In Case You Missed It

Advantech WebAccess NMS Arbitrary File Upload Vulnerability is being exploited

Advantech WebAccess/NMS is a web browser-based software package for network management systems (NMS). It is designed around the SNMP and ICMP communication standards for managing all Ethernet-enabled Advantech products and third-party devices. NMS gives users an easy-to-use platform to monitor and manage networks remotely. The Advantech WebAccess/NMS platform runs on top of the Apache web server.

Vulnerability | CVE-2020-10621

One of the services provided by Advantech WebAccess NMS enables users to upload a config file to the server and then instructs devices to restore their configuration with this uploaded config file. The service is requested via an HTTP request which places the uploaded file and several parameters in the format of multipart/form-data. The request is handled in the class ConfigRestoreAction via the following Request-URI:

/SCMS/web/access/ConfigRestoreAction.action

An arbitrary file upload vulnerability exists in Advantech WebAccess NMS. This is due to the lack of sanitization of the “cfgfile” parameter in the ConfigRestoreAction class. When a request submitted to the “ConfigRestoreAction.action” endpoint is received, the execute() method of the ConfigRestoreAction class is called to handle it. The input parameter “cfgfile” is not sanitized before it is used to build the destination file path under the application installation directory. Because of this, the destination file path can point to any location on the NMS server, which leads to an arbitrary file upload condition.

In the below request, the attacker posts an HTTP request with a malicious file and crafted parameters to the vulnerable server.

POST /SCMS/web/access/ConfigRestoreAction.action?cfgfile=<crafted input> HTTP/1.1

A remote, unauthenticated attacker can exploit this vulnerability by submitting a crafted request to the target server. Successful exploitation could lead to arbitrary file upload and, in the worst case, code execution condition under the security context of the system.
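The following is an added illustration, not Advantech’s code: it models the unsafe destination-path construction described above beside a hardened version, and adds a check over access-log lines that flags ConfigRestoreAction requests whose cfgfile value would land outside the configuration directory. The directory layout, the file-name policy and the sample log lines are constructed for the example.

```python
"""Added example (not Advantech's code): the unsafe destination-path
construction described for CVE-2020-10621 next to a hardened version, and a
check over access-log lines that flags ConfigRestoreAction requests whose
cfgfile value would land outside the configuration directory. The directory
layout, the hardening rule and the sample log lines are constructed."""
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

INSTALL_DIR = "/opt/webaccess-nms"          # hypothetical install directory
CONFIG_DIR = posixpath.join(INSTALL_DIR, "config")
ENDPOINT = "/SCMS/web/access/ConfigRestoreAction.action"
# Conservative file-name policy for the hardened version: no separators,
# no leading dot, bounded length.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def unsafe_destination(cfgfile: str) -> str:
    """Mirrors the flaw: the parameter is joined onto the install path as-is,
    so '..' segments or an absolute path move the file anywhere on the host."""
    return posixpath.normpath(posixpath.join(CONFIG_DIR, cfgfile))


def safe_destination(cfgfile: str) -> str:
    """Hardened version: accept only a bare, conservative file name and then
    confirm the normalized result is still a direct child of CONFIG_DIR."""
    name = unquote(cfgfile)
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected cfgfile value: {cfgfile!r}")
    dest = posixpath.normpath(posixpath.join(CONFIG_DIR, name))
    if posixpath.dirname(dest) != CONFIG_DIR:      # defence in depth
        raise ValueError(f"destination escapes config dir: {dest}")
    return dest


def escapes_config_dir(cfgfile: str) -> bool:
    """True when the value, after a second round of percent-decoding and with
    backslashes treated as separators, would resolve outside CONFIG_DIR."""
    value = unquote(unquote(cfgfile)).replace("\\", "/")
    if value.startswith("/") or re.match(r"[A-Za-z]:", value):
        return True                                 # absolute POSIX or drive path
    dest = posixpath.normpath(posixpath.join(CONFIG_DIR, value))
    return not dest.startswith(CONFIG_DIR + "/")


def flag_requests(log_lines) -> list:
    """Return (line_number, decoded_cfgfile) for every ConfigRestoreAction
    request in the log whose cfgfile parameter escapes the config directory."""
    flagged = []
    for number, line in enumerate(log_lines, 1):
        parts = line.split()
        if len(parts) < 2 or parts[0] != "POST":
            continue
        url = urlsplit(parts[1])
        if url.path != ENDPOINT:
            continue
        for value in parse_qs(url.query).get("cfgfile", []):
            if escapes_config_dir(value):
                flagged.append((number, unquote(unquote(value))))
    return flagged


# Constructed sample log lines: a normal restore, an unrelated request, a
# traversal attempt, and the same attempt double-encoded.
SAMPLE_LOG = [
    "POST /SCMS/web/access/ConfigRestoreAction.action?cfgfile=switch01.cfg HTTP/1.1",
    "GET /SCMS/web/index.jsp HTTP/1.1",
    "POST /SCMS/web/access/ConfigRestoreAction.action?cfgfile=..%2F..%2Fother.cfg HTTP/1.1",
    "POST /SCMS/web/access/ConfigRestoreAction.action?cfgfile=%252e%252e%2Fother.cfg HTTP/1.1",
]

if __name__ == "__main__":
    print("unsafe:", unsafe_destination("../../etc/other.cfg"))
    print("safe:", safe_destination("switch01.cfg"))
    print("flagged:", flag_requests(SAMPLE_LOG))
```

The double-decoding in escapes_config_dir matters because a web server decodes the query string once before the application sees it, so a second encoding layer can slip past a check that only inspects the raw value.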

Trend Chart:

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

IPS: 15119 Advantech WebAccess ConfigRestoreAction Arbitrary File Upload

Affected Products:

Advantech WebAccess/NMS versions prior to 3.0.2 are affected by this vulnerability.


All it Takes is One Click!

Have you ever found yourself wondering whether you should click a URL you received in an email? Thinking, “Where does the URL really go? Is it safe for me to access, or is there malware or a fake login page on the other end?”

You don’t have to wonder anymore — SonicWall is excited to announce that Cloud App Security now provides even more URL protection straight out of the box. In addition to pre-delivery email URL analysis, Cloud App Security now includes Click-Time Protection to block URL access to sites that were initially benign but are now malicious.

Attacks evolve with each passing day, and differentiating a legitimate link from a malicious link is a constant challenge. Attackers attempt to evade detection by using compromised servers that appear benign until after the message has been delivered. But with Click-Time Protection, you get an additional layer of safety. Each and every time a user clicks on a URL received in email, it is analyzed, and access is blocked if that website is found to be malicious.

Secure Mail in Transit

“You can’t be what you can’t see” is a simple way to explain how SonicWall Cloud App Security helps you secure your inbox. Virtual inline protection analyzes URLs contained in emails before they’re delivered to the user’s mailbox. URLs found to be malicious are blocked and never reach the user. URLs that are benign at delivery are now replaced with a SonicWall URL. When anyone clicks that link, SonicWall tests the site before redirecting the user to it.

SonicWall Cloud App Security provides Pre-Inbox and Post-Delivery solutions and protects against ever-increasing zero-day malware and malicious sites. Then it goes one step further, scanning emails across the company and retracting any other email that might be affected by the same threat.

Behind the Scenes: How We Protect Users

Regardless of whether you’re securing a few users or a few thousand users, the configuration options are simple and easy to manage. SonicWall Cloud App Security’s Click-Time Protection offers the flexibility to configure policy for all users, specific users, or a group, and provides three actions to choose from:

  1. Do nothing: Trust the user’s judgment and allow access to the site.
  2. Block: Prevent the user from visiting the site when the URL is found to be malicious.
  3. Warn: Notify if malicious, but allow the user to choose to proceed to the site.

Once Click-Time Protection has been enabled and policies are set, all links contained in incoming emails are replaced with SonicWall links. When the user clicks on a link, it triggers an immediate scan of the target site. If the site is determined to be benign, the user continues without interruption. If it is determined to be malicious, the user is sent to a warning page. Depending on the policy and the group the admin has assigned the user to, the warning page may still offer a link to the malicious page.
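As an added illustration of the flow just described (example code, not SonicWall’s own), the model below rewrites each link in a delivered email to a redirector URL carrying an HMAC-signed copy of the original, then re-scans the original at click time and applies the chosen policy action. The redirector host, signing key, scan verdicts and sample email are all constructed placeholders.

```python
"""Added example (not SonicWall's code): a model of the Click-Time Protection
flow described above. Links in a delivered email are replaced with a redirector
URL carrying an HMAC-signed copy of the original, and at click time the original
is re-scanned and the policy action (do nothing / block / warn) applied.
The redirector host, key, scan verdicts and sample email are constructed."""
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlsplit

REWRITE_BASE = "https://clicktime.example.invalid/r"   # placeholder redirector
SIGNING_KEY = b"constructed-demo-key-not-for-production"
HREF_RE = re.compile(r'href="(https?://[^"]+)"')
ACTIONS = ("do_nothing", "block", "warn")           # the three policy choices


def _sign(url: str) -> str:
    """Bind the original URL to the redirector link so it cannot be altered."""
    return hmac.new(SIGNING_KEY, url.encode(), hashlib.sha256).hexdigest()


def rewrite_links(html: str) -> str:
    """Pre-inbox step: every http(s) href is replaced with a signed redirector
    link; the original URL travels in the 'u' parameter, its MAC in 's'."""
    def repl(m):
        url = m.group(1)
        return f'href="{REWRITE_BASE}?u={quote(url, safe="")}&s={_sign(url)}"'
    return HREF_RE.sub(repl, html)


def resolve_click(link: str, action: str, scan):
    """Click-time step. Returns (decision, original_url, audit_record) where
    decision is 'redirect', 'block' or 'warn' and scan(url) is the live
    scanner ('clean' or 'malicious' in this model)."""
    if action not in ACTIONS:
        raise ValueError(f"unknown policy action {action!r}")
    q = parse_qs(urlsplit(link).query)
    url, sig = q.get("u", [""])[0], q.get("s", [""])[0]
    if not url or not hmac.compare_digest(sig, _sign(url)):
        # forged or altered redirector link: never pass it through
        return "block", None, {"event": "signature_invalid", "link": link}
    verdict = scan(url)                 # time-of-click scan, not delivery-time
    record = {"event": "click_scan", "url": url, "verdict": verdict,
              "policy": action}        # every step is recorded for auditing
    if verdict != "malicious" or action == "do_nothing":
        return "redirect", url, record  # benign now, or policy trusts the user
    return ("block" if action == "block" else "warn"), url, record


# Constructed sample: one link that is still clean at click time, one whose
# host turned malicious after delivery.
SAMPLE_EMAIL = ('<p>Invoice: <a href="https://docs.example.com/inv/42">view</a> '
                '<a href="http://login.example.net/verify">confirm</a></p>')
VERDICTS = {"https://docs.example.com/inv/42": "clean",
            "http://login.example.net/verify": "malicious"}


def demo_scan(url: str) -> str:
    """Stand-in for the live scanner; constructed verdict table above."""
    return VERDICTS.get(url, "clean")


def rewritten_links(html: str) -> list:
    """The redirector hrefs present after rewriting, in document order."""
    return HREF_RE.findall(rewrite_links(html))


if __name__ == "__main__":
    for link in rewritten_links(SAMPLE_EMAIL):
        for action in ACTIONS:
            print(action, resolve_click(link, action, demo_scan)[:2])
```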

Enhanced Visibility — Analysis and investigation

Encountering a threat and obtaining forensic details of that threat are two separate actions that SonicWall’s Cloud App Security seamlessly stitches together without losing the essence or any details in translation. Each stage of the Click-Time Protection process is recorded for investigation and auditing purposes, from the original URL substitution event to the result of the time-of-click scan. Each step is logged and can be readily accessed based on the threat type. The events are grouped together so the activity can be easily understood.

Completing the Security Loop

The addition of Click-Time Protection to SonicWall Cloud App Security bolsters post-delivery protection, making our advanced anti-phishing technology even more robust. SonicWall Cloud App Security delivers next-gen security for SaaS applications, protecting email, data and user credentials from advanced threats while ensuring compliance in the cloud. SonicWall Cloud App Security also provides API-based security for software as a service (SaaS), delivering visibility, data security, advanced threat protection and compliance — all with low TCO, minimal deployment overhead and a seamless user experience.

To learn more about SonicWall Cloud App Security, click here.

SonicWall Wins ChannelPro Reader’s Choice Award

SonicWall has been named the Bronze Winner in the “Best Security Hardware Vendor” category of the 2020 ChannelPro Readers’ Choice Awards.

The ChannelPro Network provides targeted business and technology information for IT channel partners who serve small and midsize businesses. Winners were chosen by a self-selected panel of ChannelPro Network online visitors and magazine readers, who participated by casting their votes for the most SMB- and partner-friendly products, technologies, services, programs, and professional organizations in the IT channel today.

More than 1,500 votes were collected between March 3 and May 8, with the winners announced earlier this month. This marks the fourth consecutive year that SonicWall has placed in the top three for this category, and we’d like to thank ChannelPro voters for their continued loyalty and support.