Cyber Security News & Trends – 08-23-19

This week, smart cities are exposed, side-channel attacks are explained, and Texas reels from coordinated ransomware attacks.


SonicWall Spotlight

Side-Channel Attacks: Cyber Warfare’s New Battleground – Security Boulevard

  • SonicWall CEO Bill Conner pens a piece for Security Boulevard discussing the current, complex state of the cybersecurity landscape. He examines how side-channel attacks and malware cocktails have emerged as some of the most potent threats and recommends layered cyberdefenses along with emergent AI-based solutions.

Podcast: Cloud Application Security Is Your Gateway to Cloud Confidence – RedZone Podcast

  • Shannon Emmons, Senior Product Manager at SonicWall, is interviewed on the RedZone podcast discussing why a holistic approach to cloud application security solutions must be followed to tackle modern cloud cyberthreats.

Hackers Breach 20 Texas Government Agencies in Ransomware Cyber Attack – Dallas News

  • At least 20 government agencies in Texas were affected by a coordinated ransomware attack late last week and Dallas News quotes SonicWall CEO Bill Conner on the issue. SonicWall also digs deep into the ransomware figures and this story on our blog.

SonicWall Evolves as a Company Offering a Full Suite of Integrated Security Solutions – VARIndia

  • SonicWall Country Director Debasish Mukherjee is interviewed by VARIndia. He talks about the newest SonicWall tech updates, where the company is headed in the Indian market, and the SonicWall SecureFirst Partner Program.

Cybersecurity News

Into the Breach: Why We’re Seeing a Sharp Rise in GDPR Violations – ITProPortal

  • It’s a year since GDPR was made law and reported violations are going up rather than down. IT Pro Portal argues that this is to be expected as we are currently in a transitional time as companies get used to the legislation.

Cybersecurity Challenges for Smart Cities: Key Issues and Top Threats – HelpNetSecurity

  • Smart city development projects include an array of interconnected, interdependent digital infrastructure networks. A recent report by ABI Research has found that the current cybersecurity spending on these networks is way below what would be required to keep them safe and this is an ever-growing risk to smart city development if the issue is not addressed.

Data Breaches Expose 4.1 Billion Records in First Six Months of 2019 – Forbes

  • Just eight breaches have been responsible for 3.2 billion of the 4.1 billion records exposed so far in 2019. While the majority of breaches have scored very low on severity scales, the sheer number of people affected by them is adding up fast.

The Year-Long Rash of Supply Chain Attacks Against Open Source Is Getting Worse – Ars Technica

  • The surge in supply chain attacks hitting open source software over the past year shows few signs of abating. Open source software is seen as low-hanging fruit by cyberattackers, in part because many don’t enforce good authentication methods like multi-factor authentication, and also because the potential of having a backdoored app on a huge number of systems is too big a payoff to resist.

Open Source-Based Ransomware Targets Fortnite Players – SecurityWeek

  • A new ransomware that specifically targets Fortnite players has been discovered by security researchers who have dubbed it “Syrk.” The basis for this ransomware is the well-known Hidden-Cry open-source malware.

And Finally

Employees Connect Nuclear Plant to the Internet so They Can Mine Cryptocurrency – ZDNet

  • The Ukrainian Secret Service is investigating an incident where nuclear power plant employees near Yuzhnoukrainsk connected the internal network of their power station to the internet in order to mine for cryptocurrency.

In Case You Missed It

Ransomware Infects 23 Texas Government Agencies

The Texas Department of Information Resources (DIR) announced that 20-plus state agencies have been infected by ransomware.

In an Aug. 17 update, DIR stated that “the evidence gathered indicates the attacks came from one single threat actor” and “investigations into the origin of this attack are ongoing; however, response and recovery are the priority at this time.”

“Ransomware is not going to subside anytime soon,” said SonicWall President and CEO Bill Conner. “It’s too easy to demand and receive ransom payment without the risks associated with traditional data exfiltration. Until organizations are serious about ransomware protection, these types of wide-reaching ransomware attacks will, unfortunately, continue.”

According to ZDnet, the “infection is blamed on strain of ransomware known only as the .JSE ransomware.”

Texas is hardly the first state to be the victim of coordinated attacks against municipalities. The last 12 months have seen ransomware attacks bring city services to a halt, including those in Arizona, Florida, Georgia, Indiana, Maryland, Nevada, New York and more.

Ransomware escalates again

Ransomware continues to be one of the most lucrative cyberattack options for criminals. According to the mid-year update of the 2019 SonicWall Cyber Threat Report, ransomware volume raced to 110.9 million in the first half of 2019 — a 15% year-to-date increase over 2018.

Exclusive SonicWall data highlights an escalation in ransomware-as-a-service (RaaS) and open-source malware kits in the first half of 2019. As more RaaS and open-source options are available, the volume and ferocity of ransomware attacks will only increase.

RaaS is no different than any legitimate cloud-hosted service used by businesses every day. Instead of buying software, criminals subscribe to a service delivery model to reduce CapEx, always have the latest ransomware offerings, gain predictable pricing and receive support. While there are only so many bona fide malware authors creating new ransomware, these services will ensure cybercriminals have plenty of variants to purchase or obtain freely on the Dark Web.

Podcast: Cloud Application Security Is Your Gateway to Cloud Confidence

The number of attack vectors cybercriminals can abuse to infiltrate your network grows by the day. The challenge is exacerbated when you introduce approved third-party cloud applications, not to mention the untold number of shadow IT apps being used inside an organization.

It’s a fast-evolving vulnerability gap that requires proven cloud application security solutions. To expand on the subject, SonicWall senior product manager Shannon Emmons joined Bill Murphy on his latest RedZone Podcast, “Cloud Application Security Is Your Gateway to Cloud Confidence.”

Murphy and Emmons address why default SaaS application security controls are simply not enough, how to regain visibility and control of your SaaS email and apps while taking a holistic approach, how to protect against account takeovers from insider threats and compromised credentials, and more.

“As customers make their migration to cloud, security is often an afterthought,” said Emmons. “Particularly when you look at things like Box, Dropbox or some ad hoc ‘app of the day’, somebody needed it at that point of time and now they’ve used it. Your IT staff may know, or they may not know, and you now may have company data out there you don’t know about that’s now at risk of breach or data exfiltration.”

LISTEN TO THE PODCAST

Cloud Application Security Is Your Gateway to Cloud Confidence

CIOs are challenged to choose a SaaS platform or service that secures Office 365, OneDrive, Box, Dropbox, G-suite, Salesforce and more in order to properly protect data leaving their organization and stored within the cloud.

“If you’re using multiple SaaS apps — something like the Office 365 suite, Box or Dropbox and eventually Slack and Salesforce — in most cases organizations are managing those policies, that data and threat space differently,” she said. “Some people assume that the cloud service providers are responsible for protecting them from threats, but they’re not and they’ll call it out in their contracts. It’s never in big, red print.”

Murphy is a world-renowned IT security expert dedicated to your success as an IT business leader. A prolific thinker and communicator, Murphy publishes educational articles, podcasts and innovative ideas regularly in the RedZone Technologies blog, and hosts the long-running CIO Innovation Forum Community, which helps IT executives share expertise with peers, build professional relationships, learn about new developments and expand leadership skills.

About Shannon Emmons

Shannon Emmons is a senior product manager at SonicWall. She focuses on protecting SaaS email with data compiled from more than 1 million sensors around the globe to defend against today’s most sophisticated cyber threats.

A 16-year cybersecurity veteran, Shannon is a customer-focused product leader who has been CISSP-certified for 13 years.

Education institution website unknowingly serving new variant of Phobos

The SonicWall Capture Labs Threat Research Team observed reports of a new variant of the Phobos ransomware trojan being served via a blog on a major education institution. A publicly accessible listing of one of the blog’s subdirectories shows that the Phobos malware executable file had been recently uploaded. Phobos, a combination of both the CrySiS and Dharma ransomware families, has been in operation since mid-December 2018. We have chosen to keep the identity of the website anonymous.

The issue was reported on Twitter:

The directory listing for the website shows the presence of the malware:

The malware was publicly accessible on the website for just over 2 weeks.  It is now inaccessible.

Infection Cycle:

The trojan uses the following icon:

Upon initial infection, the malware can be seen running in the process list and using considerable CPU resources as it encrypts files in the background:

It encrypts files on the system and appends “.id[{file id value}].[2172998725@qq.com].banjo” to their filenames, e.g. mynotes.txt.id[78B73C19-2288].[2172998725@qq.com].banjo. The previous variant uses a .Phobos extension.

It drops the following files onto the system:

  • info.txt (to desktop and shared drives)
  • info.hta (to desktop and shared drives)
  • %PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup\mur187.exe

info.txt contains the following message:

info.hta contains the following page.  Multiple instances of the page are displayed on the desktop after the initial encryption phase.  Any subsequent new files that are created on the system are also instantly encrypted.  This page is almost identical to that of Dharma and CrySiS ransomware:

Unlike the previous variant, there is no Phobos branding on the help page. The email address has also changed. We speculate that this variant has been created by the same group propagating CrySiS and Dharma ransomware.

We reached out to 2172998725@qq.com to ask how to retrieve files but received no reply.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Phobos.BN (Trojan)
  • GAV: Phobos.RSM_2 (Trojan)
  • GAV: Phobos.RSM_3 (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Wormable vulnerabilities in Windows Remote Desktop Services

Microsoft patched new wormable vulnerabilities in Windows Remote Desktop Services on August 13th. Following is the description and coverage:

CVE-2019-1181
A remote code execution vulnerability exists in Remote Desktop Services, formerly known as Terminal Services, when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka ‘Remote Desktop Services Remote Code Execution Vulnerability’.

CVE-2019-1182
A remote code execution vulnerability exists in Remote Desktop Services, formerly known as Terminal Services, when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka ‘Remote Desktop Services Remote Code Execution Vulnerability’.

CVE-2019-1224 and CVE-2019-1225
An information disclosure vulnerability exists when the Windows RDP server improperly discloses the contents of its memory, aka ‘Remote Desktop Protocol Server Information Disclosure Vulnerability’.

SonicWall Capture Labs Threat Research Team has analyzed and addressed these vulnerabilities with the following signatures:

  • IPS 14356: Windows Remote Desktop Services Remote Code Execution (AUG 19) 1
  • IPS 14357: Windows Remote Desktop Services Remote Code Execution (AUG 19) 2
  • IPS 14354: Remote Desktop Protocol Server Information Disclosure Vulnerability (AUG 19) 1

Cyber Security News & Trends – 08-16-19

This week, vote for SonicWall in the computer security awards, an update on the Capital One data breach suspect, and GDPR is an identity thief’s dream.


SonicWall Spotlight

2019 Computing Security Awards – Vote for SonicWall

  • SonicWall is nominated in the following categories:
    • Anti-Malware Solution of the Year – SonicWall Capture Client
    • New Hardware Solution of the Year – SonicWall TZ Series
    • SME Security Solution of the Year – SonicWall TZ Series

Vote today!

The Top 25 Enterprise IT Innovators of 2019 – CRN

  • SonicWall CEO Bill Conner is named as one of CRN’s top 25 Enterprise IT innovators of 2019, with SonicWall Cloud App Security 2.0 named as one of the reasons behind the recognition.

Forget Panic Rooms and Alarms, State-of-the-Art Security Is Now Insanely High-Tech—and Nearly Invisible – Robb Report

  • Luxury lifestyle magazine Robb Report takes a look at the most up to date home and business security systems that money can buy, from residential surveillance systems installed by private security firms to the best business firewalls like those offered by SonicWall.

Best Security Hardware – Gold Medal – ChannelPro Network


Cybersecurity News

Virtually All Polled Enterprises Say They’ll Use SD-WAN in Next Two Years. Do You Know What It Is? Let Us Fill You In – The Register

  • With IDC’s Software-Defined WAN Survey published in April this year estimating that 95 per cent of enterprises expect to use SD-WAN technology within the next two years, and almost half already using it in one form or another, The Register takes a look at the key SD-WAN considerations in 2019.

The Capital One Breach Suspect May Have Stolen Data From at Least 30 Other Companies and Schools – Business Insider

  • Prosecutors of the Capital One data breach allege the suspect stole data on more than 30 entities, including private companies and schools, as well as 100 million Capital One customers.

Security Warning for Software Developers: You Are Now Prime Targets for Phishing Attacks – ZDNet

  • A new study has found that cybercriminals are increasingly targeting software developers in the hopes of landing administrator privileges on a network. With professional networks like LinkedIn providing would-be hackers with personal information they can easily harvest, they are able to craft convincing-looking phishing emails that may fool even the technology savvy.

Crossrider Adware Still Causing Unwanted Mac Browser Redirects – Security Boulevard

  • Addressing the myth that Macs cannot get a virus, Security Boulevard investigates a new variant of the Crossrider malware currently infecting Apple systems. The risk isn’t just an infection from annoying but relatively benign adware, but that it may morph into something more dangerous.

‘It Is Absurd.’ Data Breaches Show It’s Time to Rethink How We Use Social Security Numbers, Experts Say – Time

  • Unchanging Social Security numbers that were never intended to be used as identification are described as an ‘absurd’ idea in a world where data is regularly being stolen and released online. ID cards that use blockchain technology are one of several solutions proposed to deal with identity theft in the modern age.

And Finally

Talk About Unintended Consequences: GDPR Is an Identity Thief’s Dream Ticket to Europeans’ Data – The Register

  • A student attending Black Hat 2019 explains how he gamed GDPR privacy laws to allow him access to a huge amount of personal data, the very kind of data the laws are designed to protect.

In Case You Missed It

Webinar: Prep Your Business to Face 2019’s Most Advanced Cyber Threats

Cyber threat intelligence is a must-have component for any security-conscious organization. And for those who couldn’t get enough of the mid-year update to the 2019 SonicWall Cyber Threat Report, SonicWall security experts hosted an exclusive webinar to go inside the exclusive threat data, ask questions about the threat landscape and offer best practices for improving your security posture.

This edition, “Prep Your Business to Face 2019’s Most Advanced Cyber Threats,” was hosted by Brook Chelmo, a charismatic storyteller who will help you make sense of the numbers. Watch the exclusive on-demand webinar to gain a better understanding of what’s at stake. You’ll explore:

About Brook Chelmo

Brook handles all product marketing responsibilities for SonicWall security services and serves as SonicWall’s ransomware tsar.

Fascinated by the growth of the consumer internet, Brook dabbled in grey-hat hacking in the mid to late ‘90s while also working and volunteering in many non-profit organizations. After spending the better part of a decade adventuring and supporting organizations around the globe, he ventured into the evolving world of storage and security. He serves humanity by teaching security best practices, promoting and developing technology.


Microsoft Security Bulletin Coverage for August 2019

SonicWall Capture Labs Threat Research Team has analyzed and addressed Microsoft’s security advisories for the month of August 2019. A list of the issues reported, along with SonicWall coverage information, is as follows:

CVE-2019-0714 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.

CVE-2019-0715 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.

CVE-2019-0716 Windows Denial of Service Vulnerability
There are no known exploits in the wild.

CVE-2019-0717 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.

CVE-2019-0718 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.

CVE-2019-0720 Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-0723 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.

CVE-2019-0736 Windows DHCP Client Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-0965 Windows Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1030 Microsoft Edge Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2019-1057 MS XML Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1078 Microsoft Graphics Component Information Disclosure Vulnerability
ASPY 5601:Malformed-File exe.MP.91

CVE-2019-1131 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.

CVE-2019-1133 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.

CVE-2019-1139 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 14344:Chakra Scripting Engine Memory Corruption Vulnerability (AUG 19) 3

CVE-2019-1140 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 14345:Chakra Scripting Engine Memory Corruption Vulnerability (AUG 19) 4

CVE-2019-1141 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 14346:Chakra Scripting Engine Memory Corruption Vulnerability (AUG 19) 5

CVE-2019-1143 Windows Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2019-1144 Microsoft Graphics Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1145 Microsoft Graphics Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1146 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1147 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1148 Microsoft Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2019-1149 Microsoft Graphics Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1150 Microsoft Graphics Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1151 Microsoft Graphics Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1152 Microsoft Graphics Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1153 Microsoft Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2019-1154 Windows Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2019-1155 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1156 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1157 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1158 Windows Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2019-1159 Windows Kernel Elevation of Privilege Vulnerability
ASPY 5608:Malformed-File exe.MP.97

CVE-2019-1160 Azure DevOps Server Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2019-1161 Microsoft Defender Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1162 Windows ALPC Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1163 Windows File Signature Security Feature Bypass Vulnerability
There are no known exploits in the wild.

CVE-2019-1164 Windows Kernel Elevation of Privilege Vulnerability
ASPY 5602:Malformed-File exe.MP.92

CVE-2019-1168 Microsoft Windows p2pimsvc Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1169 Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1170 Windows NTFS Elevation of Privilege Vulnerability
ASPY 5603:Malformed-File exe.MP.93

CVE-2019-1171 SymCrypt Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2019-1172 Windows Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2019-1173 Windows Elevation of Privilege Vulnerability
ASPY 5604:Malformed-File exe.MP.94

CVE-2019-1174 Windows Elevation of Privilege Vulnerability
ASPY 5605:Malformed-File exe.MP.95

CVE-2019-1175 Windows Elevation of Privilege Vulnerability
ASPY 5606:Malformed-File exe.MP.96

CVE-2019-1176 DirectX Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1177 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1178 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1179 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1180 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1181 Remote Desktop Services Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1182 Remote Desktop Services Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1183 Windows VBScript Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1184 Windows Elevation of Privilege Vulnerability
ASPY 5607:Malformed-File dll.MP.5

CVE-2019-1185 Windows Subsystem for Linux Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1186 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1187 XmlLite Runtime Denial of Service Vulnerability
There are no known exploits in the wild.

CVE-2019-1188 LNK Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1190 Windows Image Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1192 Microsoft Browsers Security Feature Bypass Vulnerability
There are no known exploits in the wild.

CVE-2019-1193 Microsoft Browser Memory Corruption Vulnerability
There are no known exploits in the wild.

CVE-2019-1194 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.

CVE-2019-1195 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 14340:Chakra Scripting Engine Memory Corruption Vulnerability (AUG 19) 1

CVE-2019-1196 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 14341:Chakra Scripting Engine Memory Corruption Vulnerability (AUG 19) 2

CVE-2019-1197 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 14340:Chakra Scripting Engine Memory Corruption Vulnerability (AUG 19) 1

CVE-2019-1198 Microsoft Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1199 Microsoft Outlook Memory Corruption Vulnerability
IPS 14342:Microsoft Outlook Memory Corruption Vulnerability (AUG 19) 1

CVE-2019-1200 Microsoft Outlook Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1201 Microsoft Word Remote Code Execution Vulnerability
ASPY 5600:Malformed-File doc.MP.47

CVE-2019-1202 Microsoft SharePoint Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2019-1203 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.

CVE-2019-1204 Microsoft Outlook Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1205 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1206 Windows DHCP Server Denial of Service Vulnerability
There are no known exploits in the wild.

CVE-2019-1211 Git for Visual Studio Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1212 Windows DHCP Server Denial of Service Vulnerability
There are no known exploits in the wild.

CVE-2019-1213 Windows DHCP Server Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1218 Outlook iOS Spoofing Vulnerability
There are no known exploits in the wild.

CVE-2019-1222 Remote Desktop Services Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1223 Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability
There are no known exploits in the wild.

CVE-2019-1224 Remote Desktop Protocol Server Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2019-1225 Remote Desktop Protocol Server Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2019-1226 Remote Desktop Services Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1227 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2019-1228 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2019-1229 Dynamics On-Premise Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-9506 Encryption Key Negotiation of Bluetooth Vulnerability
There are no known exploits in the wild.

CVE-2019-9511 HTTP/2 Server Denial of Service Vulnerability
There are no known exploits in the wild.

CVE-2019-9512 HTTP/2 Server Denial of Service Vulnerability
There are no known exploits in the wild.

CVE-2019-9513 HTTP/2 Server Denial of Service Vulnerability
There are no known exploits in the wild.

CVE-2019-9514 HTTP/2 Server Denial of Service Vulnerability
There are no known exploits in the wild.

CVE-2019-9518 HTTP/2 Server Denial of Service Vulnerability
There are no known exploits in the wild.

Ferrlock Ransomware actively spreading in the wild

The SonicWall Capture Labs Threat Research Team observed reports of a new variant family of Ferrlock ransomware [Ferrlock.RSM] actively spreading in the wild.

The FERRLOCK ransomware encrypts the victim’s files with a strong encryption algorithm until the victim pays a fee to get them back.

Infection Cycle:

The ransomware adds the following files to the system:

  • Malware.exe
    • %App.path%\!=How_recovery_files=!.txt
      • Instruction for recovery
    • %App.path%\[Name].yoba

Once the computer is compromised, the ransomware runs the following commands:

The ransomware encrypts all the files and appends the [.yoba] extension onto each encrypted file’s filename.

After encrypting all personal documents, the ransomware shows the following text file containing a message reporting that the computer has been encrypted and to contact its developer for unlock instructions.
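The filename and dropped-file indicators given in the Phobos write-up earlier on this page (the “.id[<id>].[<email>].banjo” rename, the info.txt and info.hta notes, and the executable dropped into the all-users Startup folder) and in this Ferrlock write-up (the “.yoba” rename and the “!=How_recovery_files=!.txt” note) can be turned into a simple file-system triage scanner. The Python below is an added example, not SonicWall Capture Labs code and not anything taken from the malware: it walks a directory tree, classifies each path against those indicators, and reports per-family counts plus the contact addresses embedded in renamed files (which, as the Phobos write-up notes, change between variants). The victim tree it builds is constructed sample data; the “previous-variant@example.com” address, the “other.exe” name used in the test and the clean documents are placeholders, and matching on names alone is a triage aid, not a replacement for the signatures listed below.

```python
"""Triage scanner for the Phobos and Ferrlock file-system artifacts described on this page.
Added example, not SonicWall code; the sample tree it builds is constructed data."""
import os
import re
import tempfile
from collections import Counter

# Phobos / Dharma / CrySiS naming: "<original>.id[<victim id>].[<contact email>].<ext>"
PHOBOS_RE = re.compile(
    r"^(?P<orig>.+)\.id\[(?P<victim_id>[^\]]+)\]\.\[(?P<email>[^\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)
# Ferrlock simply appends ".yoba" to the original name
FERRLOCK_RE = re.compile(r"^(?P<orig>.+)\.yoba$", re.IGNORECASE)

# Ransom notes each family drops (matched case-insensitively on the file name)
RANSOM_NOTES = {
    "info.txt": "Phobos",
    "info.hta": "Phobos",
    "!=how_recovery_files=!.txt": "Ferrlock",
}
# Phobos persists via %PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup\mur187.exe
STARTUP_FRAGMENT = "microsoft/windows/start menu/programs/startup"
PHOBOS_STARTUP_EXE = "mur187.exe"


def classify(path):
    """Return a finding dict for one path, or None when nothing matches."""
    norm = path.replace("\\", "/")          # accept Windows or POSIX separators
    parent, _, name = norm.rpartition("/")
    m = PHOBOS_RE.match(name)
    if m:
        return {"family": "Phobos", "kind": "encrypted", "path": path,
                "original": m.group("orig"), "victim_id": m.group("victim_id"),
                "email": m.group("email"), "ext": m.group("ext")}
    m = FERRLOCK_RE.match(name)
    if m:
        return {"family": "Ferrlock", "kind": "encrypted", "path": path,
                "original": m.group("orig")}
    family = RANSOM_NOTES.get(name.lower())
    if family:
        return {"family": family, "kind": "ransom_note", "path": path}
    # Any executable in the Startup folder is worth a look; only mur187.exe is attributed
    if name.lower().endswith(".exe") and STARTUP_FRAGMENT in parent.lower():
        family = "Phobos" if name.lower() == PHOBOS_STARTUP_EXE else "unattributed"
        return {"family": family, "kind": "startup_exe", "path": path}
    return None


def scan(root):
    """Walk a directory tree and collect every finding."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            finding = classify(os.path.join(dirpath, fn))
            if finding:
                findings.append(finding)
    return findings


def summarize(findings):
    """Count findings per (family, kind) so a responder sees the scope at a glance."""
    return Counter((f["family"], f["kind"]) for f in findings)


def contact_emails(findings):
    """Attacker contact addresses embedded in renamed files."""
    return {f["email"] for f in findings if "email" in f}


def build_sample_tree():
    """Create a constructed victim file system in a temp dir (sample data, not a real infection)."""
    root = tempfile.mkdtemp(prefix="ransom_scan_")
    sample_files = [
        # Phobos-style renames; the first is the example quoted in the write-up,
        # the second uses the older .Phobos extension with a placeholder address
        "Users/victim/Documents/mynotes.txt.id[78B73C19-2288].[2172998725@qq.com].banjo",
        "Users/victim/Documents/budget.xlsx.id[78B73C19-2288].[previous-variant@example.com].Phobos",
        "Users/victim/Desktop/info.txt",
        "Users/victim/Desktop/info.hta",
        "ProgramData/Microsoft/Windows/Start Menu/Programs/Startup/mur187.exe",
        # Ferrlock artifacts
        "Users/victim/Pictures/holiday.jpg.yoba",
        "Users/victim/Pictures/!=How_recovery_files=!.txt",
        # untouched files that must not be flagged
        "Users/victim/Documents/report.docx",
        "Users/victim/Documents/readme.txt",
    ]
    for rel in sample_files:
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("constructed sample content\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    findings = scan(root)
    for (family, kind), n in sorted(summarize(findings).items()):
        print(f"{family:<13} {kind:<12} {n}")
    print("contact addresses:", ", ".join(sorted(contact_emails(findings))))
    for f in findings:
        print(f"  [{f['family']}/{f['kind']}] {os.path.relpath(f['path'], root)}")
```

Point scan() at a mounted image or a file share to get a quick count of renamed files and notes per family; the per-family counts and the set of contact addresses are the two numbers a responder typically wants first when deciding how far an infection spread and which variant is involved.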

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Ferrlock.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

 

Ransomware-as-a-Service, Open-Source Malware Fueling Attack Spikes in 2019

Ransomware is too lucrative to fade away. Its brilliance is in its simplicity. And shifting trends make it easier than ever to leverage in cybercriminal activity.

As each passing day presents us with a new ransomware victim, we can clearly see that ransomware is here to stay — and businesses and organizations should invest now to protect their brand, networks, data and customers.

According to the mid-year update of the 2019 SonicWall Cyber Threat Report, ransomware volume raced to 110.9 million in the first half of 2019 — a 15% year-to-date increase over 2018.

The most alarming ransomware data was sourced from the U.K. After enjoying a 59% decline in ransomware in 2018, the region saw ransomware volume jump 195% year-to-date for the first half of the year.

RaaS, open-source malware on the rise

But it’s not just about volume. Globally, cybercriminals continue to pivot toward new tactics. Exclusive SonicWall data highlights an escalation in ransomware-as-a-service (RaaS) and open-source malware kits in the first half of 2019.

Cerber has long been one of the most powerful and damaging ransomware families in use. This is primarily because it is available as a service offering for low monthly prices.

Other ransomware — like HiddenTear and Cryptojoker — are available via open-source kits. This means that criminals with very basic coding skills can grab an open-source malware and customize it to meet their objectives. In many cases, this changes the core of the malware and helps it evade signature-only security controls (e.g., antivirus, unsupported firewalls).

In June 2019 alone, SonicWall Capture Labs threat researchers logged more than 3 million hits by the Cerber.G_5 RaaS signature alone.

FY 2018
Family         Volume          Type
Cerber         101.6 Million   RaaS
BadRabbit      7.8 Million     Custom
Dharma         7.3 Million     Custom
LockyCrypt     6.1 Million     Custom
CryptoJoker    5.6 Million     Open Source
Locky          2.4 Million     Custom
Petya          1.9 Million     Custom

1H 2019
Family         Volume          Type
Cerber         39.5 Million    RaaS
Gandcrab       4.0 Million     RaaS
HiddenTear     4.0 Million     Open Source
CryptoJoker    2.4 Million     Open Source
Locky          1.8 Million     Custom
Dharma         1.5 Million     Custom

As more RaaS and open-source options are available, the volume and ferocity of ransomware attacks will only increase. While there are only so many bona fide malware authors creating new ransomware, these services will ensure cybercriminals have plenty of variants to purchase or obtain freely on the Dark Web.

What is ransomware as a service (RaaS)?

Ransomware as a service, or RaaS, is no different than any legitimate cloud-hosted service used by businesses every day. Instead of buying software, you subscribe to a service delivery model to reduce CapEx, always have the latest offerings, gain predictable pricing and receive support.

Legitimate or not, business models always have to tackle the method of distribution. Will they sell directly to end users, through a channel of distributors or a mix of both?

The same holds true with ransomware developers. Many are electing to take their successful code and sell it as a kit, which eliminates many risks and the hard work of distribution — all the while collecting a cut of the prize.

BleepingComputer offered an informative breakdown on how a typical payment model would work.

“Unlike most ransomware-as-a-service offerings, in order to become an affiliate a would-be criminal has to pay to join a particular membership package,” BleepingComputer wrote. “These packages range from $90 USD, where the affiliate earns 85% of the ransom payments, to $300 and $600 packages where the affiliates keep all of the revenue and gets extra perks such as Salsa20 encryption, different ransomware variants, and different payment cryptocurrency options.”