Cyber Security News & Trends – 05-03-19

This week, SonicWall CEO Bill Conner is interviewed on Federal Tech Talk, the potential of a 5G future is considered, and more details emerge about the Citrix data breach.


SonicWall Spotlight

‘Federal Tech Talk’ Hosts SonicWall CEO Bill Conner to Examine Cybercriminal Strategies that Threaten Federal Agencies – SonicWall Blog

  • SonicWall CEO Bill Conner joins John Gilroy on Federal Tech Talk, a radio show and podcast on the Federal News Network. They discuss emerging cyber threats including attacks over non-standard ports, encrypted threats and malicious PDFs and Office files.

SonicWall Reports Dramatic Rise in Fraudulent PDF Files in Q1 2019 – Tech Observer (India)

  • With SonicWall Capture Labs researchers releasing details on the growth of fraudulent PDFs and Office files, SonicWall’s Debasish Mukherjee talks to Tech Observer about how Real-Time Deep Memory Inspection (RTDMI) can detect new malware almost instantly.

Cyber Security News

Cybersecurity: The Key Lessons of the Triton Malware Cyberattack You Need to Learn – ZDNet

  • The Triton malware attack of 2017 did not achieve its full objective but still shut down industrial operations at a critical-infrastructure firm in the Middle East. ZDNet explores how gaps in physical security intersected with cyber security weaknesses and allowed the attack to progress a long way before it was caught.

P2P Weakness Exposes Millions of IoT Devices – Krebs on Security

  • The peer-to-peer communications software iLnkP2P contains several critical security flaws that leave millions of webcams, baby monitors and other IoT devices open to attack.

The Terrifying Potential of the 5G Network – The New Yorker

  • While some claim 5G technology will usher in a fourth industrial revolution, there is a worry that so large a change could have disastrous effects and that policymakers are not taking the cyber security concerns seriously enough.

“Denial of Service” Attack Caused Grid Cyber Disruption: DOE – E&E News

  • A “cyber event” interrupted power grid operations in the western United States on March 5 of this year. Details were initially scarce, but it has now been confirmed that a denial-of-service (DoS) attack was carried out against an unnamed energy company.

Putin Signs Law to Isolate Russian Internet – Financial Times

  • Russian president Vladimir Putin signed a law that will allow the Kremlin to disconnect Russia from the global internet. Critics are casting it as an attempt to curb free speech or internal dissent within Russia, but the Kremlin says the law is a cyber security safeguard that would allow the Russian internet to continue running in the event of a hostile cyberattack on its infrastructure.

DC Metro Vulnerable to Cybersecurity Attacks, Says Inspector General – The Hill

  • The Washington D.C. Metro has vowed to hire experts to help with cyber security vulnerabilities present in its current systems.

Hackers Lurked in Citrix Systems for Six Months – ZDNet

  • The FBI has become involved in an ongoing investigation into an “intermittent” but long-lasting data breach at Citrix. It is not yet known what data the hackers accessed, but it may include names, Social Security numbers and financial information.

Financial Data for Multiple Companies Dumped Online in Failed Extortion Bid – Dark Reading

  • 516GB of potentially sensitive stolen data was dumped online after German digital infrastructure service provider Citycomp refused to pay up in an attempted cyber-extortion. The dump has not yet been verified or fully examined, but the would-be extortionists claim it includes “financial and private information on all clients include VAG, Ericsson, Leica, MAN, Toshiba, UniCredit, and British Telecom (BT).”

Docker Hub Breach Hits 190,000 Accounts – SecurityWeek

  • Docker Hub, the world’s largest library and community for container images, suffered a data breach affecting about 5% of its users. Usernames and hashed passwords were accessible. Docker says the breach has now been contained and that it is working to ensure it cannot happen again.

In Case You Missed It

Beginning of a new malicious campaign through fake apps targeting Indian Android users

The SonicWall Capture Labs Threat Research Team identified a few fake apps that have a worm-like spreading capability via WhatsApp messages. These applications were not found on the Play Store; based on our analysis they spread via WhatsApp messages or through third-party app stores.

Initial Observations

During installation, these fake apps request the following permissions:

  • ACCESS_COARSE_LOCATION
  • INTERNET
  • READ_CONTACTS
  • READ_PHONE_STATE
  • READ_SMS
  • SEND_SMS
  • WRITE_EXTERNAL_STORAGE
  • ACCESS_NETWORK_STATE
  • ACCESS_WIFI_STATE
  • READ_EXTERNAL_STORAGE

These applications use the icons, images and initial functionality of popular Indian Android applications, namely Jio and Paytm, and lure users with attractive promotional offers. These factors indicate that the campaign is mainly targeting users of applications popular in the Indian market.

The images below show the applications after installation on the device:

As can be seen below, the navigation buttons in the top left corner of these apps are disabled (not clickable).

Functionality

Once installed, the app shows the user offers in the form of a popup. To avail of the promotional offer, the user needs to provide a 10-digit mobile number. Legitimate applications usually validate the mobile number via an OTP or some other mechanism; these applications do not validate it at all. The app accepts any number and directs the user through the steps to claim the offer.

In the background, the app sends the user’s device information, such as location, IMEI number, service provider and device manufacturer, to a remote server (hxxp://global.appnext.com). This data is later used to serve advertisements.

Spreading capability

To increase distribution, the app asks the user to share the download link over WhatsApp with at least 10 of their contacts.

On clicking the “SHARE ON WHATSAPP” button, the message below is sent to the contacts chosen by the user. It contains the download link for the fake app (Jio or Paytm offer).

Even when WhatsApp is not installed on the device, the share counter can be driven down to zero simply by clicking the “SHARE ON WHATSAPP” button, as shown below:

Once the count reaches zero, the user is shown a congratulatory message and informed about the steps remaining to avail of the offer.

The offer now turns out to be a distant dream, as the user is asked to click on advertisements. To monetize the installation, random advertisements are displayed in the web browser and keep changing at regular intervals.

The back navigation button is rendered non-functional. The user has to either kill the app or press the home button to get out of it.

A few indicators to identify these fake apps

  • The look and feel of the app is similar to the actual Jio and Paytm applications, but none of the controls in the application work (the navigation bar in the top left corner is disabled).
  • Lack of user input validation (the mobile number is never verified).
  • Inappropriate use of messaging apps like WhatsApp to push a download link to the user’s contacts.
  • The app has to be installed from outside the Play Store, so the Unknown Sources setting must be enabled.

SonicWall Capture Labs provides protection against this threat via the following signature(s):

  • AndroidOS.FakeAd

Indicators of compromise (package name – SHA-256):

op.voiice.a4g.anew.new4gvoicev – 7091d3b58d9680ab257ba328048d1e4142bbbade4e424062a1ed6af26b92005b

bhadva.chromva.jio4goffers – 7fb502ce2f6c8edcd4a801eeee4393c2b27d4988a7e1261df98facc7c72868ed

op.voiice.a4g.anew.new4gvoicev – 8c393609732d6f8cf2e10a75aebed11f3a869791461469a9a9927f8a77be94ed

bab.navi.newnavi – 9c574a77979532eb36c602b73cab9c627c79af38f9331736beba59a82d984d81

bhadva.chromva.jio4goffers – 991b4ded04820306eb59e3086c967e7473b5f547b0a0c1003ca3347a84b4bef6

bhadva.chromva.jio4goffers – d3d8a1505549d876dbf95df8b00f623cd3074873231b3374a7dd7812de8ecc06

sdffn.bobl.offerva.myjio_offers – daa7b780e7a2be97378f16376e89e9adc34e7cebb3a1d1e95f82e654a88bd83a
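The indicators above translate directly into a triage check. The following Python script is an added example (not Capture Labs tooling): it parses a decoded AndroidManifest.xml, as produced by apktool, flags the permission combination this campaign depends on (contacts plus SMS read/send for spreading, phone state plus location for the ad back end), and matches the package name and APK SHA-256 against the IoCs listed above. The manifests embedded in the script are constructed from the permission list in this write-up, not extracted from a sample.

```python
"""Manifest triage for the fake Jio/Paytm apps described above.

Added example, not Capture Labs tooling. It parses a decoded AndroidManifest.xml
(as produced by apktool), flags the permission combination the campaign depends on,
and matches the package name and APK SHA-256 against the published IoCs. The sample
manifests are constructed from the permission list in the write-up.
"""
import hashlib
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Contacts plus SMS read/send is what gives the app its worm-like spreading capability.
SPREADING = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
# Device identifiers plus location are what the app ships to the ad back end.
PROFILING = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_COARSE_LOCATION",
}

# SHA-256 -> package name, from the indicators of compromise in the write-up.
IOC_SHA256 = {
    "7091d3b58d9680ab257ba328048d1e4142bbbade4e424062a1ed6af26b92005b": "op.voiice.a4g.anew.new4gvoicev",
    "7fb502ce2f6c8edcd4a801eeee4393c2b27d4988a7e1261df98facc7c72868ed": "bhadva.chromva.jio4goffers",
    "9c574a77979532eb36c602b73cab9c627c79af38f9331736beba59a82d984d81": "bab.navi.newnavi",
    "daa7b780e7a2be97378f16376e89e9adc34e7cebb3a1d1e95f82e654a88bd83a": "sdffn.bobl.offerva.myjio_offers",
}
IOC_PACKAGES = set(IOC_SHA256.values())


def declared_permissions(manifest_xml: str) -> set:
    """Set of android:name values from every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def triage(manifest_xml: str, apk_bytes: bytes = b"") -> dict:
    """Return the package name, its permissions and a list of triage findings."""
    package = ET.fromstring(manifest_xml).get("package", "")
    perms = declared_permissions(manifest_xml)
    findings = []
    if SPREADING <= perms:
        findings.append("contacts + SMS read/send: worm-like spreading capability")
    if PROFILING <= perms:
        findings.append("phone state + coarse location: device profiling for the ad back end")
    if package in IOC_PACKAGES:
        findings.append(f"package name {package} is a known fake-app IoC")
    if apk_bytes:
        digest = hashlib.sha256(apk_bytes).hexdigest()
        if digest in IOC_SHA256:
            findings.append(f"SHA-256 {digest} matches a published IoC")
    return {"package": package, "permissions": sorted(perms),
            "findings": findings, "suspicious": bool(findings)}


# Constructed manifest reproducing the permission list from the write-up.
FAKE_APP_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="bhadva.chromva.jio4goffers">
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application/>
</manifest>"""

# Constructed manifest for an ordinary online app, for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <application/>
</manifest>"""

if __name__ == "__main__":
    for report in (triage(FAKE_APP_MANIFEST), triage(BENIGN_MANIFEST)):
        verdict = "suspicious" if report["suspicious"] else "clean"
        print(report["package"], verdict, report["findings"])
```

Treat the permission findings as a triage signal rather than a verdict: legitimate Indian payment apps also request READ_SMS for OTP auto-fill, so the combination with READ_CONTACTS and SEND_SMS, the disabled controls and the off-store distribution together are what make these samples stand out.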

Dragonblood Vulnerability: Is your WiFi secure?

It’s Game of Thrones season! And anything to do with dragons reminds me of GoT. The Dragonblood vulnerability recently exposed weaknesses in the WPA3 standard. It was not long ago that KRACK exposed weaknesses in the WPA2 standard, and in response the Wi-Fi Alliance announced a stronger successor to WPA2: WPA3.

But was it really the strong successor it was perceived to be? Apparently not.

WPA3 incorporates the Simultaneous Authentication of Equals (SAE) handshake, a huge improvement over WPA2’s pre-shared key handshake because it resists offline dictionary attacks. SAE is a variant of the Dragonfly family of password-authenticated key exchanges. The researchers found that this handshake is susceptible to password-partitioning attacks, which resemble dictionary attacks and leverage side-channel leaks to recover the network password.

According to the researchers Vanhoef and Ronen, who published the paper on this vulnerability, WPA3 is affected by serious design flaws that could have been avoided with feedback from industry experts on secure Wi-Fi. Among their criticisms is that WPA3 does not introduce any new protocols; it only specifies which existing protocols must be supported.

WPA3 background

WPA3 made enhancements over WPA2 by using the latest security methods, disallowing outdated legacy protocols and requiring Protected Management Frames (PMF). It was designed with two types of networks in mind: WPA3-Personal for home networks and WPA3-Enterprise for enterprise networks.

WPA3-Personal provides stronger password-based protection, while WPA3-Enterprise provides higher-strength security protocols for enterprise networks. In WPA3-Personal networks, the SAE handshake replaces the Pre-Shared Key (PSK) handshake of WPA2-Personal. WPA3 allows natural password selection, is easy to use and provides forward secrecy.

What is the Dragonfly handshake?

WPA3-Personal mandates support for the SAE handshake, a balanced Password Authenticated Key Exchange (PAKE) in which both endpoints (two APs in a mesh network, or an AP and a client) store the password in clear text. The input to the SAE handshake is the pre-shared secret and the output is a high-entropy Pairwise Master Key. After this exchange, a four-way handshake takes place to generate the Pairwise Transient Key.

6 ways Dragonblood affects your wireless network

  1. Denial of Service (DoS) attack. WPA3’s anti-clogging mechanism, which is supposed to prevent DoS attacks, does not actually prevent them, so an attacker can bring down access points and disrupt your network.
  2. Downgrade attack. WPA3’s transition mode is susceptible to dictionary attacks. In this mode a WPA3-capable access point accepts connections from both WPA2 and WPA3 client devices. An attacker in a man-in-the-middle position modifies the beacons of a WPA3-capable access point to fool the client into thinking it is a WPA2-only access point. During the four-way WPA2 handshake the client detects the downgrade and aborts, but enough handshake frames have already been exchanged for the attacker to run an offline dictionary attack. In addition, the researchers discovered “implementation-specific downgrade attacks when a client improperly auto-connects to a previously used WPA3-only network.”
  3. SAE group negotiation attack. Client devices can prioritize the groups used in the SAE handshake according to the 802.11 specifications. With SAE, when a client connects to an access point it includes its preferred group in the commit frame, and the negotiation continues from there. “Unfortunately, there is no mechanism that detects if someone interfered with this process. This makes it trivial to force the client into using a different group: simply forge a commit frame that indicates the AP does not support the currently selected group.” The result is a downgrade to a weaker group; the same method can also be used to perform upgrade attacks.
  4. Timing-based side-channel attacks. The SAE handshake is susceptible to timing attacks that leak password information, which can later be used in password-partitioning attacks to recover the victim’s password.
  5. Cache-based side-channel attacks. SAE implementations are further susceptible to cache-based attacks on the code that derives the password element, which can likewise be leveraged in password-partitioning attacks to recover the victim’s password.
  6. EAP-pwd. EAP-pwd is an Extensible Authentication Protocol (EAP) method that is also built on the Dragonfly handshake and is supported by WPA and WPA2 enterprise networks, so it is affected by the same weaknesses. The researchers also “discovered serious bugs in most products that implement EAP-pwd. These allow an adversary to impersonate any user, and thereby access the Wi-Fi network, without knowing the user’s password.”
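The timing leak in item 4 and the password-partitioning attack it feeds are easiest to see in code. The following Python script is an added example, not code from the paper or from hostapd/wpa_supplicant: it models the Dragonfly “hunting and pecking” loop for a MODP (finite-field) group using a toy 16-bit safe prime and a single HMAC-SHA256 in place of the 802.11 KDF, shows that the number of loop iterations depends on the password and on both MAC addresses, and then uses leaked iteration counts (which an attacker obtains by spoofing client MAC addresses and timing the AP’s response to each commit frame) to prune a candidate dictionary. The password, MAC addresses and dictionary are all constructed.

```python
"""Toy model of the Dragonfly (SAE) hunting-and-pecking loop for a MODP group.

Added illustration, not hostapd/wpa_supplicant code and not the exact 802.11 KDF:
the group is a toy 16-bit safe prime and the KDF is one HMAC-SHA256 truncated to the
prime's bit length. The shape of the loop is what matters: for finite-field groups
it stops as soon as a valid element is found, so its running time depends on the
password and on both MAC addresses, which is the leak behind password partitioning.
"""
import hashlib
import hmac


def _is_prime(n: int) -> bool:
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def toy_safe_prime(start: int) -> int:
    """Smallest safe prime p = 2q + 1 with p >= start (toy group parameters)."""
    p = start | 1
    while not (_is_prime(p) and _is_prime((p - 1) // 2)):
        p += 2
    return p


# p sits well below 2**16, so a 16-bit candidate exceeds p roughly 39% of the time
# and the loop frequently needs more than one iteration.
P = toy_safe_prime(40000)
Q = (P - 1) // 2
BITS = P.bit_length()


def hunt_and_peck(password: bytes, mac_a: bytes, mac_b: bytes):
    """Return (password_element, iterations) for one password and MAC pair."""
    key = max(mac_a, mac_b) + min(mac_a, mac_b)  # symmetric in the two addresses
    counter = 1
    while True:
        pwd_seed = hmac.new(key, password + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        kdf_out = hmac.new(pwd_seed, b"Dragonfly Hunting And Pecking", hashlib.sha256).digest()
        pwd_value = int.from_bytes(kdf_out[:(BITS + 7) // 8], "big") & ((1 << BITS) - 1)
        if pwd_value < P:
            pwe = pow(pwd_value, (P - 1) // Q, P)  # project into the order-q subgroup
            if pwe > 1:
                return pwe, counter
        counter += 1


def partition_dictionary(candidates, observations):
    """Keep only candidates whose iteration count matches every leaked observation.

    Each observation is (client_mac, ap_mac, iterations): the attacker spoofs a client
    MAC, times how long the AP takes to answer its commit frame, and infers the count."""
    survivors = list(candidates)
    for client_mac, ap_mac, leaked in observations:
        survivors = [pw for pw in survivors if hunt_and_peck(pw, client_mac, ap_mac)[1] == leaked]
    return survivors


TRUE_PASSWORD = b"correct horse battery"      # constructed network password
AP_MAC = bytes.fromhex("02a1b2c3d4e5")         # constructed AP address
DICTIONARY = [f"password{i:03d}".encode() for i in range(200)] + [TRUE_PASSWORD]


def demo(num_spoofed_macs: int = 12):
    """Simulate the attacker's measurements and return the pruned dictionary."""
    observations = []
    for i in range(num_spoofed_macs):
        client_mac = bytes([0x02, 0x00, 0x00, 0x00, 0x00, i])        # spoofed client MAC
        _, iterations = hunt_and_peck(TRUE_PASSWORD, client_mac, AP_MAC)  # what timing reveals
        observations.append((client_mac, AP_MAC, iterations))
    return partition_dictionary(DICTIONARY, observations)


if __name__ == "__main__":
    print(f"toy group p={P}, q={Q}")
    print(f"{len(DICTIONARY)} candidates -> {len(demo())} after 12 timing observations")
```

Each observation only keeps candidates whose iteration count happens to match, so a dozen spoofed addresses are enough to shrink a dictionary to a handful of passwords; in a real attack the measurements are noisier and must be repeated and averaged, which is why the paper treats this as a side channel rather than a direct read-out. The fix is to make the derivation constant-time: run a fixed number of iterations regardless of when a valid element is found, or use the hash-to-element method later added to SAE, so the loop no longer depends on the password.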

How to protect against Dragonblood

The Dragonblood vulnerabilities can be fixed with software patches. While the Wi-Fi Alliance is communicating guidelines to vendors, make sure your network is always patched with the latest security updates from your wireless device manufacturers. In combination, use strong passwords on your networks: a partitioning attack still has to find the password in its candidate dictionary.

Does the Dragonblood vulnerability affect SonicWave wireless access points?

No. This vulnerability does not affect SonicWall wireless access points. The SonicWave access points provide superior wireless security and a dedicated third radio for security scanning. Advanced security services like the Capture Advanced Threat Protection (ATP) sandbox and Content Filtering Service (CFS) can be performed by the APs, even when they are untethered from the firewalls. It gives you the ultimate flexibility to manage wireless from the cloud or via the firewalls — without compromising security.

NanoCore RAT delivered through phishing campaigns

The SonicWall Capture Labs Threat Research team has observed a large phishing campaign that spreads the NanoCore Remote Access Trojan (RAT) through malicious attachments.

As with many other attacks, this campaign starts with a phishing email that carries the malicious ISO file as an attachment. The ISO file is named to look like an image file; the contents of the email messages vary, but they are spoofed to look as if they come from one of the target’s vendors and encourage the user to open the attached file.

ISO:

An ISO file (also referred to as an ISO image) is an archive file that contains all the information that would be written to an optical disc. ISO files are commonly used to create a backup of a CD or DVD. They are also very useful for distributing large programs over the internet, since an ISO image can conveniently contain all of a program’s files in a single file.

ISO files are used in this attack because many email gateway scanners do not scan ISO attachments properly, possibly because ISOs tend to be large. In the past, third-party software was required to open an ISO file, but modern versions of Windows (Windows 8 and later) include a native ISO mounting tool, so opening an ISO is now as simple as double-clicking the file. This increases the chances of the target opening it. All the ISO files observed in this campaign are 1-2 MB in size.

EXE:

The executable file “SKMBT#2019-04.exe” embedded within the ISO is shown below.

AutoIt:

The malicious payload, presented as a single exe file, is actually the AutoIt interpreter with a compiled AutoIt script embedded in it as a resource. Analyzing the file with PEStudio identifies it as an AutoIt compiled script.

Using the Exe2Aut tool, we retrieved the AutoIt source code from the compiled script, but it is heavily obfuscated. A snippet of the AutoIt source code is shown below.

NanoCore RAT:

The string “NanoCore.ClientPluginHost”, which belongs to the NanoCore RAT, is found in memory.

NanoCore is one of the most sophisticated RATs (Remote Access Trojans) in circulation. This malicious program uses NanoCore’s plugins to take control of the victim’s machine.

Behavior:

Upon execution, it exhibits the following behavior.

  • Anti-debugging:

It exits with an error dialog if a debugger is present.

  • DNS Lookup

It performs a DNS lookup for “billionscome1.duckdns.org” and establishes a connection with the server 191.101.150.90. Most of the similar malicious programs used in the campaign perform DNS queries to *.duckdns.org.

  • Files Written:

It creates a copy of itself and drops it into the AppData directory along with a malicious VBS script.

Later, it creates an entry in the Windows Startup directory for persistence; files in the Startup directory execute automatically after every boot. “ghsdgfsdghfsfsd.url” is written into the Startup directory. It is actually a shortcut file that links to the executable “dfgdjfhdjhfdhdjf.exe” created in the previous step.

  • Schedule Tasks:

Then it schedules a task, called “NAT Monitor”, using the following command:

"schtasks.exe" /create /f /tn "NAT Monitor" /xml "C:\Users\gaya3\AppData\Local\Temp\tmpB400.tmp"

The NAT Monitor task is made to run “Regasm.exe”, not “natmon.exe” as its name suggests.

  • Process Hollowing:

Regasm is a Windows command-line utility used to register .NET assemblies as Component Object Model (COM) components. It is digitally signed by Microsoft. Adversaries use Regasm.exe to proxy execution of code through a trusted Windows utility in order to bypass process whitelisting and evade detection.

The malware starts the Regasm.exe process in a suspended state with CreateProcessA (process creation flag 0x4, CREATE_SUSPENDED). It retrieves the path to itself and passes it as an argument to the process hollowing function, which replaces the contents of the Regasm process with the malicious executable and resumes execution. The malicious code now runs masked as a legitimate process, since the image path points to the legitimate “C:\Windows\Microsoft.Net\Framework\v2.0.50727\RegAsm.exe”.

Once hollowed, RegAsm.exe is used to establish the connection to the C2 server, install the keylogger/mouselogger and other components to steal user credentials, and perform financial transactions from the victim’s own computer.

  • Keystroke Logging :

It captures all of the user’s keystrokes and writes them into an encrypted file called “KB_28549343.dat”.

It also contains functionality to simulate key presses, so it may perform financial transactions with the stolen credentials from the same computer.
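The two persistence artifacts described above, a scheduled task whose action is a bare RegAsm.exe and a Startup-folder .url shortcut pointing at a dropped executable, are easy to hunt for once exported from a host. The following Python script is an added example, not Capture Labs code: review_task() reads Task Scheduler XML (the format `schtasks /query /tn <name> /xml` exports) and review_startup_url() reads a .url file from the Startup folder. The task XML and .url contents embedded in it are constructed to match the behaviour described here, not recovered from the sample; the victim username and the AppData subfolder in the shortcut are assumptions.

```python
"""Hunt for the two NanoCore persistence artifacts described above.

Added example, not Capture Labs tooling. review_task() reads Task Scheduler XML (the
format `schtasks /query /tn <name> /xml` exports) and flags tasks whose action is a
trusted .NET host such as RegAsm.exe launched with no arguments, which only makes
sense as a process-hollowing host. review_startup_url() reads a Startup-folder .url
shortcut and flags file: targets that launch executables from user-writable paths.
"""
import configparser
import ntpath
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlparse

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
# Signed Microsoft binaries commonly abused to host or proxy malicious code.
HOST_BINARIES = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe",
                 "mshta.exe", "regsvr32.exe", "rundll32.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
EXEC_EXTENSIONS = (".exe", ".vbs", ".js", ".bat", ".cmd", ".ps1", ".scr")


def review_task(task_xml: str) -> list:
    """Findings for one exported scheduled task (empty list means nothing suspicious)."""
    root = ET.fromstring(task_xml)
    name = root.findtext(f"./{TASK_NS}RegistrationInfo/{TASK_NS}URI") or "<unnamed>"
    findings = []
    for action in root.iter(TASK_NS + "Exec"):
        command = (action.findtext(TASK_NS + "Command") or "").strip().strip('"')
        args = (action.findtext(TASK_NS + "Arguments") or "").strip()
        base = ntpath.basename(command).lower()
        if base in HOST_BINARIES and not args:
            findings.append(f"{name}: runs {base} with no arguments "
                            "(legitimate use always names an assembly or script)")
        if any(seg in command.lower() for seg in USER_WRITABLE):
            findings.append(f"{name}: action binary lives in a user-writable directory: {command}")
    return findings


def review_startup_url(url_file: str) -> list:
    """Findings for one .url shortcut found in a Startup folder."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(url_file)
    target = cp.get("InternetShortcut", "URL", fallback="")
    parsed = urlparse(target)
    if parsed.scheme.lower() != "file":
        return []  # a web bookmark in Startup is odd but not what this hunt is for
    path = unquote(parsed.path).lstrip("/").replace("/", "\\")
    lowered = path.lower()
    findings = []
    if lowered.endswith(EXEC_EXTENSIONS):
        findings.append(f"Startup shortcut launches an executable: {path}")
    if any(seg in lowered for seg in USER_WRITABLE):
        findings.append(f"Startup shortcut target is in a user-writable directory: {path}")
    return findings


# Constructed: mirrors the "NAT Monitor" task the sample registers (command from the write-up).
NAT_MONITOR_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\NAT Monitor</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Windows\Microsoft.Net\Framework\v2.0.50727\RegAsm.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed: a legitimate RegAsm invocation always names the assembly to register.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Vendor\Register Component</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe</Command>
      <Arguments>"C:\Program Files\Vendor\Component.dll" /codebase</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed: the Startup .url described in the write-up; username and subfolder are assumed.
STARTUP_URL = """[InternetShortcut]
URL=file:///C:/Users/victim/AppData/Roaming/dfgdjfhdjhfdhdjf.exe
"""

if __name__ == "__main__":
    for label, result in (("NAT Monitor task", review_task(NAT_MONITOR_TASK)),
                          ("vendor task", review_task(BENIGN_TASK)),
                          ("startup .url", review_startup_url(STARTUP_URL))):
        print(label, "->", result or "clean")
```

The “no arguments” rule is the one that catches this sample: RegAsm.exe exists to register an assembly, so a task that launches it bare has nothing legitimate to do and is almost certainly a host for hollowing. Pair the review with a process-level check that the running RegAsm.exe still has the on-disk image mapped; the hollowed copy will not.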

VT Graph:

The VirusTotal threat intelligence graph of this campaign is shown below. Thousands of similar malicious files with different hashes have been observed in this campaign.

Threat Graph:

The SonicWall Capture Labs Threat Research team provides protection against this threat with the following signatures:

GAV: 19486 Autoit.OLS
GAV: 2376 NanoBot.DN

SonicWall Capture Advanced Threat Protection (ATP) with RTDMI provides protection against this threat.

Hashes:

Email:
5b1fbbc99e01b8df2de401992bc463b35dcec53432145577fe71c0df5c757c6a
7194eb641b50af49885bb412a08f182ed3b6cde9b43a424db4654937564c38e2

ISO:
2d8fb4fb3d92f7f3fe6d599939afe8efcdf2ce5c045118d35ff016f27a1b16a4
1fb34c5ded3432f601680795e3942673ac55a0c89513a31f45e238ed773ab8e4

Exe:
49c2fe6ba8646341b6ecd869daf6fd8dfa0b522d20996f2321006d8a74d30ab6
4d76a57be034e6bae437b5c06c216cf7131d8db1e69ff6cfa881c38aabdb2818

C2:
*.duckdns.org

‘Federal Tech Talk’ Hosts SonicWall CEO Bill Conner to Examine Cybercriminal Strategies that Threaten Federal Agencies

During a recent trip to Washington D.C., SonicWall CEO Bill Conner stopped by Federal News Network’s studios to join John Gilroy on Federal Tech Talk.

The pair took to the airwaves (and podcast) to focus on emerging cyber threats that impact enterprises, SMBs and federal agencies alike. Atop the list were attacks over non-standard ports, encrypted threats and malicious PDFs and Office files.

“What’s alarming on this one, these new techniques are evading traditional security sandboxes,” Conner told Gilroy on the show.

In mid-April, SonicWall announced new threat data that highlights the growing volume of PDF fraud campaigns. In all of 2018, the SonicWall Capture Advanced Threat Protection (ATP) sandbox discovered more than 47,000 new attack variants in PDF files. In March 2019 alone, the sandbox found more than 73,000 PDF-based attacks.

“It’s incredibly aggressive in terms of the volume. It’s also very evasive,” said Conner on the broadcast. “If you click on that PDF, it might not hit you immediately. It might be delayed before it activates itself. The alarming piece in this city (Washington, D.C.) — for the Feds — is that it is emanating out of Russia.”

The compelling 40-minute segment, which is available via podcast, also explored the growing volume of IoT attacks, fileless malware and other evolving exploits.

“It’s a cyber arms race,” said Conner. “As many good guys as we have coding to block it and stop it, you’ve got an equal number of bad guys on the other side looking for architecture or feature holes trying to get around [security controls].”

About Federal Tech Talk

Federal Tech Talk looks at the world of high technology in the federal government. Host John Gilroy of The Oakmont Group speaks the language of federal CISOs, CIOs and CTOs, and gets into the specifics for government IT systems integrators. John covers the latest government initiatives and technology news for the federal IT manager and government contractor.

SadComputer ransomware gives victims only 5 minutes to pay up

The SonicWall Capture Labs Threat Research Team has received reports of ransomware, called SadComputer, that appears to be in early development. Although the malware gives its victim only 5 minutes to pay, it also provides a way to recover the files without paying the ransom. We speculate that this variant is an early development release, since the attackers appear to have provided a Bitcoin address that they do not control. The malware does, however, permanently delete files after the time expires.

Infection Cycle:

Upon running the executable file, the following dialogs are displayed:

The following text is displayed in the top left of the screen:

The trojan encrypts files on the system and appends “.sad” to their filenames. After the 5-minute timer expires, the encrypted files are permanently deleted.

The trojan adds the following files to the system:

  • %USERPROFILE%\Desktop\sadcomputer_note.txt
  • %USERPROFILE%\Documents\sadcomputer_note.txt
  • %USERPROFILE%\Music\sadcomputer_note.txt
  • %USERPROFILE%\Pictures\sadcomputer_note.txt
  • %USERPROFILE%\Pictures\Camera Roll\sadcomputer_note.txt
  • %USERPROFILE%\Pictures\Saved Pictures\sadcomputer_note.txt
  • %USERPROFILE%\Videos\sadcomputer_note.txt
  • %APPDATA%\SadComputer\SadComputer\1.0.0.0\recover (empty file)
  • %APPDATA%\SadComputer\SadComputer\1.0.0.0\time

The trojan adds the following key to the registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <machine name> “<original run path>”

sadcomputer_note.txt contains the following text:

Q: What Happend to my computer?
A: Your Files Have Been Encrypted.

Q: How Do i restore the files?
A: You need to use bitcoin to restore the files.

Q: Can i use other methods?
A: Yes. You can use Paypal.

Q: How can i trust?
A: We dont cheat users. We restore the files.

Pressing “Enter Code” or “Check” in the dialog shown above produces the following dialog:

Providing any random email address for the “E-Mail Address:” field brings up the following dialog:

Using the code provided results in the files being recovered.

The ransom note says that the victim must pay in Bitcoin for file recovery but does not specify an amount. The Bitcoin address (1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2) is taken from the donation page of Tails, a project that provides an anonymity- and privacy-focused operating system:

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Sadcomputer.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP with RTDMI and the Capture Client endpoint solution.

Cyber Security News & Trends – 04-26-19

This week, SonicWall’s recent PDF and Office cyberattack findings back up investigative reporting, a “secure” WhatsApp replacement is anything but, and vulnerabilities in the Internet of Things continue to create headlines.


SonicWall Spotlight

The Growing Partnership Between Russia’s Government and Cybercriminals – 60 Minutes

  • In a new investigative report, CBS examines evidence of increasingly blurred lines between Russian intelligence agencies and the criminal exploits of notorious cybercriminals like Evgeniy Bogachev, better known as the hacker “slavik” and “lucky12345”. The report further supports SonicWall’s recent findings of escalating PDF and Office document-based attacks likely originating from Russia.

Cyber Threat Report: Over 10 Billion Attacks of Various Types Recorded in 2018 – Business Review

  • Business Review reflects on the figures from the 2019 SonicWall Cyber Threat Report and the recently revealed data on the rise of malicious PDF files.

PDF: The Vehicle of Choice for Malware and Fraud – HelpNet Security


Cyber Security News

How Nest, Designed to Keep Intruders out of People’s Homes, Effectively Allowed Hackers to Get In – Washington Post

  • Internet-connected devices, like Google’s Nest family, struggle to strike the right balance between being very secure and being easy to use. If too much friction is put in place for security reasons, brands risk turning potential users off.

FBI: Cybercriminals Set New Record in 2018 by Causing More Than $2.7 Billion in Reported Losses – Washington Times

  • The FBI’s Internet Crime Complaint Center has released its annual report, which details an almost doubling of financial losses caused by cybercrime in 2018.

Bug in French Government’s WhatsApp Replacement Let Anyone Join Élysée Chats – Ars Technica

  • A “secure” messaging app launched by the French government was hacked almost immediately upon release.

An Inside Look at How Credential Stuffing Operations Work – ZDNet

  • ZDNet digs deep into the world of cybercrime to explain how credential stuffing works, detailing the tools and methods used as well as its place in the criminal economy.

Unauthorized Party Muscles Its Way Into Bodybuilding.Com’s Systems – SC Magazine

  • Bodybuilding.com revealed that it suffered a data breach in February 2019 that exposed a trove of data, including real names, email addresses, physical addresses and phone numbers. Stored financial information beyond partial card numbers was not exposed.

Hacker Finds He Can Remotely Kill Car Engines After Breaking Into GPS Tracking Apps – Motherboard

  • A hacker broke into the accounts of thousands of GPS trackers and claims that “with one touch, I can stop these vehicles engines.” He says that he has carried out this hack to raise awareness of the poor security on the GPS apps.

Cybersecurity: UK Could Build an Automatic National Defence System, Says GCHQ Chief – ZDNet

  • Following a recent UK cybersecurity survey in which only 15% of people said they know how to protect themselves online, the head of GCHQ has called for responsibility for cybersecurity to be shared by governments, ISPs and businesses rather than resting on individuals.

In Case You Missed It

What to Look for in a CASB Solution

Virtually every organization across major verticals — K-12 and higher education, financial services, retail and hospitality, and government — is undertaking digital transformation endeavors. And this includes migrating applications and data to the cloud.

When organizations choose to adopt cloud technologies, software-as-a-service (SaaS) is the most popular choice, according to a Gartner forecast for public cloud adoption. This is evident in the number of SaaS applications a typical organization uses. According to IDG’s 2018 Cloud Computing Survey, 73% of organizations have at least one application in the cloud and another 17% plan to do so in the next 12 months.

The adoption of SaaS applications brings about new security challenges for IT teams and increases attack surfaces for cybercriminals. The main use case for SaaS security is data protection. How do you protect your corporate data when you no longer have full control of the infrastructure or lack visibility into who can access that data and from which device/location?

The need to address this challenge created a new market segment in 2011 called Cloud Access Security Brokers (CASBs) or Cloud Security Gateways (CSGs). The CASB market segment is one of the fastest growing in information security with Gartner estimating a growth rate of 46% CAGR from 2017 to 2022.

Today, cloud security is not just about limiting or securing access to cloud applications. Cloud security is a shared responsibility where the organization that consumes cloud services is responsible for protecting sensitive data within their SaaS tenants. In fact, according to Gartner, “Through 2022, at least 95% of cloud security failures will be the customer’s fault.”

What is CASB?

At a high level, CASB solutions typically deliver the following four functionalities:

  1. Visibility. Enable cloud discovery to shed light on cloud application usage and shadow IT activities.
  2. Data security. Secure the corporate data uploaded or hosted in the cloud by enabling data loss prevention (DLP) and monitor user activity.
  3. Threat protection. Identify anomalous user behavior and provide anti-malware and sandboxing capabilities to protect against threats in the cloud.
  4. Compliance. Empower organizations with auditing and reporting tools to demonstrate compliance, especially in regulated industries.

CASB: The evolution of cloud security

The early CASB solutions were geared toward large enterprises that were early adopters of cloud services. These solutions required sophisticated on-premise deployments that proxied all traffic (either forward or reverse proxy) to enforce inline policies for cloud usage.

This proxy-mode CASB approach is known to introduce latency and/or break application functionality, creating a bad user experience. In fact, this is why Microsoft recommends against using proxy-based solutions when securing Office 365.

The next generation of CASB solutions take advantage of the API-based architecture that SaaS platforms are built on. API-mode CASB is the only way to provide complete visibility into SaaS environments.

API-based CASBs are easy to deploy and provide the most coverage for SaaS security use cases across sanctioned IT, shadow IT, managed devices and unmanaged devices (BYOD).

On-Demand Webinar with Guest Michael Osterman

Need more security and control for your cloud applications? View this joint on-demand webinar, “Securing Your SaaS Landscape,” with Osterman Research principal analyst Michael Osterman, to explore the major concerns and issues organizations have with SaaS adoption, what to look for in a CASB solution and an overview of SonicWall Cloud App Security.

CASB protects Office 365 deployments

According to the Cybersecurity Insiders 2018 Cloud Security Report, the most popular SaaS app used by organizations of all sizes is Microsoft Office 365.

Many associate Office 365 with email because it is the most used app within the Office 365 suite. So, when CISOs and IT directors begin migrating on-premise mailboxes to Exchange Online, the default response is to extend the incumbent Secure Email Gateway (SEG) or Mail Transfer Agent (MTA). This approach to securing cloud email creates two significant blind spots:

  1. Causing security gaps. Does not protect other apps within Office 365, so it becomes a point solution that is focused on securing only email.
  2. Missing internal threats. Does not scan internal Office 365 emails, which is becoming increasingly relevant in the current threat landscape with credential compromises and account takeovers.

To address these blind spots, you need to buy an add-on service (to scan internal email) from your email security provider (if they offer one) and deploy a CASB to protect the data residing in OneDrive and SharePoint Online. That’s one more point solution that IT directors need to add to their budget, and IT administrators need to deploy, get trained and manage.

Full-featured CASB solution: SonicWall Cloud App Security

When you view cloud email as a SaaS app, it makes sense that a CASB solution should protect data and provide visibility even if that data is in the form of email messages.

That’s why SonicWall Cloud App Security leverages APIs to directly integrate to SaaS platforms and combine both data security and email security to provide complete protection for SaaS in a single solution. The CASB solution can be implemented in minutes without the need for any on-premise appliances or software installations.

Mongo-Lock Ransomware

Overview:

The SonicWall Capture Labs Threat Research Team recently found a new form of MongoLock ransomware. MongoLock tries to remove files and format drives using special commands issued through “cmd”, and it targets databases with weak security settings. MongoLock drops a ransom note in the form of a “warning.txt” file opened with Notepad, or as an entry inside any database it finds on the system. This variant is actively being used in the wild today with a global reach. The ransom note asks for 0.1 BTC to be sent to a specified Bitcoin wallet. A picture of the ransom note is below:

Sample Static Information:

Unpacked Hash Information:

Entropy and Packer Information:

Now that we know the packer and protector information, we can start to unpack the sample below.

Unpacking The Sample:

Unpacking this sample is trivial because CFF Explorer allows us to click just a single button to unpack it.

Once you unpack the sample with CFF Explorer press “Save As” to save the unpacked sample. The new hash information now looks like the following:

RDG tells us that the unpacked sample has traces from aPLib compression and it’s using IsDebuggerPresent().

The following crypto signatures were found: Base64, CryptCreateHash, CryptEncrypt, CryptGenRandom and CryptHashData.

Ransom Note:

A long static ransom string is checked, then written to a warning file.

A glimpse into how they write the warning:

Directory List:

SHGetFolderPathW is a deprecated API that returns the path of a folder identified by a CSIDL value.

Removal of Directories and Files:

Formatting:

The string “: /fs:ntfs /q /y” is prefixed with “format” and a drive letter, and “cmd” is then called to execute the formatting of your drives.
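The formatting behaviour described above leaves a clear trace in process-creation telemetry: a child of cmd.exe whose command line is “format <drive>: /fs:ntfs /q /y”, where /q requests a quick format and /y suppresses the confirmation prompt. The following detection logic is an added example, not part of the SonicWall write-up; it assumes process-creation events (for instance Sysmon Event ID 1 or Windows 4688) have already been reduced to dicts with “image”, “parent_image” and “cmdline” keys, and the sample events are constructed for illustration.

```python
"""Flag unattended drive formats in process-creation events.

Added example (not SonicWall code). Event dicts and the image names in
SAMPLE_EVENTS are constructed; the "format <drive>: /fs:ntfs /q /y"
pattern is the one described in the MongoLock write-up.
"""
import re
from typing import Dict, List, Optional

# Matches "format D: /fs:ntfs /q /y" (also "format.com D: ...") anywhere in a
# command line and captures the drive letter and the trailing switches.
FORMAT_RE = re.compile(
    r"\bformat(?:\.com)?\s+(?P<drive>[A-Za-z]):\s*(?P<flags>(?:/\S+\s*)*)",
    re.IGNORECASE,
)


def parse_format_command(cmdline: str) -> Optional[Dict[str, object]]:
    """Return {'drive': 'D', 'flags': {...}} if cmdline runs format, else None."""
    m = FORMAT_RE.search(cmdline)
    if not m:
        return None
    flags = {f.lower() for f in m.group("flags").split()}
    return {"drive": m.group("drive").upper(), "flags": flags}


def is_unattended_format(cmdline: str) -> bool:
    """True when the format would run quickly (/q) and without a prompt (/y).

    A human admin typing "format E: /fs:ntfs" still gets a confirmation
    prompt; malware needs both switches so the format proceeds unattended.
    """
    parsed = parse_format_command(cmdline)
    if parsed is None:
        return False
    return "/q" in parsed["flags"] and "/y" in parsed["flags"]


def find_suspicious(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one hit per event that performs an unattended drive format."""
    hits = []
    for ev in events:
        cmd = ev.get("cmdline", "")
        if is_unattended_format(cmd):
            parsed = parse_format_command(cmd)
            hits.append({
                "image": ev.get("image"),
                "parent_image": ev.get("parent_image"),
                "drive": parsed["drive"],
                "flags": sorted(parsed["flags"]),
            })
    return hits


# Constructed sample telemetry: one benign process, one admin-driven format
# that would still prompt, one file named "format.txt", and one unattended
# format launched through cmd.exe by a hypothetical dropped sample.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\explorer.exe", "parent_image": r"C:\Windows\System32\userinit.exe",
     "cmdline": "explorer.exe"},
    {"image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "cmd.exe /c format E: /fs:ntfs"},
    {"image": r"C:\Windows\System32\notepad.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"notepad.exe C:\Users\bob\format.txt"},
    {"image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Users\bob\sample.exe",
     "cmdline": "cmd.exe /c format D: /fs:ntfs /q /y"},
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(hit)
```

Running the block prints a single hit for the cmd.exe launched from sample.exe; the admin-driven “format E: /fs:ntfs” is parsed but not flagged because it lacks /q and /y, and “format.txt” never matches because the pattern requires a drive letter and colon after the word.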

Supported Systems:

The sample was tested and debugged on (x86) – 32 Bit, Windows 7 Professional.

SonicWall Gateway Anti-Virus (GAV) provides protection against this threat:

  • GAV: MongoLock.A

Phobos Ransomware actively spreading in the wild

The SonicWall Capture Labs Threat Research Team observed reports of a new variant family of Phobos ransomware [Phobos.RSM] actively spreading in the wild.

The Phobos ransomware encrypts the victim’s files with a strong encryption algorithm until the victim pays a fee to get them back.

Contents of the Phobos ransomware

Infection Cycle:

The ransomware adds the following files to the system:

  • Malware.exe
    • %App.path%\ info.hta
    • %Userprofile\Desktop %\ info.txt
      • Instruction for recovery
    • %App.path%\ [File Name]. Phobos

Once the computer is compromised, the ransomware runs the following commands:

The ransomware encrypts all the files and appends the [.Phobos] extension to each encrypted file’s filename.

After encrypting all personal documents, the ransomware shows the following htm file containing a message reporting that the computer has been encrypted and telling the victim to contact its developer for unlock instructions.
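The file-system behaviour described in the infection cycle, a burst of files renamed with the [.Phobos] extension followed by the drop of info.hta / info.txt, is what an endpoint or file-server monitor can key on. The following is an added example (not SonicWall code) of that detection logic run over constructed file-event lines; the line format (“timestamp CREATE path” or “timestamp RENAME old -> new”), the burst threshold and the 30-second window are assumptions, while the note names and extension are those reported in the write-up.

```python
"""Detect ransomware-style rename bursts and ransom-note drops.

Added example (not SonicWall code). The event line format and thresholds
are assumptions; the note names and the .Phobos extension come from the
Phobos write-up. SAMPLE_LINES is constructed for illustration.
"""
import re
from collections import deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from typing import Iterable, List, Tuple

NOTE_NAMES = {"info.hta", "info.txt"}   # ransom notes reported on the page
ENC_EXT = ".phobos"                      # appended to each encrypted file

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<op>CREATE|RENAME)\s+(?P<path>.+?)\s*$")


def parse_event(line: str) -> Tuple[datetime, str, str]:
    """Split an event line into (timestamp, operation, resulting path)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event line: {line!r}")
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
    path = m.group("path")
    # For renames the new name is what we classify, so drop the old one.
    if m.group("op") == "RENAME" and " -> " in path:
        path = path.split(" -> ", 1)[1]
    return ts, m.group("op"), path


def classify(path: str) -> str:
    """Label a path as 'note', 'encrypted' or 'other'."""
    p = PureWindowsPath(path)
    if p.name.lower() in NOTE_NAMES:
        return "note"
    if p.suffix.lower() == ENC_EXT:
        return "encrypted"
    return "other"


def detect(lines: Iterable[str], burst: int = 5,
           window: timedelta = timedelta(seconds=30)) -> List[Tuple[str, str]]:
    """Return alerts for note drops and for >= `burst` encrypted files in `window`."""
    alerts: List[Tuple[str, str]] = []
    recent: deque = deque()          # timestamps of recent encrypted-file events
    burst_reported = False
    for line in lines:
        ts, _op, path = parse_event(line)
        kind = classify(path)
        if kind == "note":
            alerts.append(("ransom_note", path))
        elif kind == "encrypted":
            recent.append(ts)
            # Slide the window: forget events older than `window`.
            while recent and ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= burst and not burst_reported:
                alerts.append(("encryption_burst",
                               f"{len(recent)} files in {int(window.total_seconds())}s"))
                burst_reported = True
    return alerts


# Constructed sample: one benign write, six renames in six seconds, then the
# ransom note appearing on the desktop.
SAMPLE_LINES = [
    r"2019-05-03T10:00:00 CREATE C:\Users\bob\Documents\budget.xlsx",
    r"2019-05-03T10:00:01 RENAME C:\Users\bob\Documents\a.docx -> C:\Users\bob\Documents\a.docx.Phobos",
    r"2019-05-03T10:00:02 RENAME C:\Users\bob\Documents\b.docx -> C:\Users\bob\Documents\b.docx.Phobos",
    r"2019-05-03T10:00:03 RENAME C:\Users\bob\Documents\c.pdf -> C:\Users\bob\Documents\c.pdf.Phobos",
    r"2019-05-03T10:00:04 RENAME C:\Users\bob\Pictures\d.jpg -> C:\Users\bob\Pictures\d.jpg.Phobos",
    r"2019-05-03T10:00:05 RENAME C:\Users\bob\Documents\e.txt -> C:\Users\bob\Documents\e.txt.Phobos",
    r"2019-05-03T10:00:06 RENAME C:\Users\bob\Documents\f.pptx -> C:\Users\bob\Documents\f.pptx.Phobos",
    r"2019-05-03T10:00:07 CREATE C:\Users\bob\Desktop\info.txt",
]

if __name__ == "__main__":
    for kind, detail in detect(SAMPLE_LINES):
        print(kind, detail)
```

The burst alert fires on the fifth rename rather than waiting for the note, which matters because the note is written after encryption is already done; the sliding window keeps a single slow rename per minute from tripping the rule.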


SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Phobos.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.