New PDF Fraud Campaign Spotlights Shifting Cybercriminal Phishing Tactics

PDF cyberattacks are nothing new. They are, however, growing in volume, deception, sophistication and are now used as vehicles to modernize phishing campaigns.

SonicWall Capture Labs Threat Researchers announced a substantial increase of malicious or fraudulent PDF files. These fraud campaigns take advantage of recipients’ trust in PDF files as a “safe” file format that is widely used and relied upon for business operations.

In March 2019 alone, SonicWall Real-Time Deep Memory Inspection (RTDMI™) discovered more than 73,000 new PDF-based attacks. In comparison, we found 47,000 new attack variants in PDF files in all of 2018.

“Increasingly, email, Office documents and PDFs are the vehicle of choice for malware and fraud in the cyber landscape,” said SonicWall President and CEO Bill Conner in the official announcement. “SonicWall Capture ATP with its RTDMI technology is at the forefront of catching new cyberattacks that elude traditional security sandbox technology.”

Last year, RTDMI identified over 74,000 never-before-seen cyberattacks, a number that has already been surpassed in the first quarter of 2019 with more than 173,000 new variants detected.

In March, the patent-pending technology identified over 83,000 unique, never-before-seen malicious events, of which over 67,000 were PDFs linked to scammers and more than 5,500 were PDFs with direct links to other malware.

Since 2017, Capture ATP with RTDMI has discovered increasing volumes of new threats leveraging PDFs and Office files.

Most traditional security controls cannot identify and mitigate malware hidden in PDF file types, greatly increasing the success of the payload. This increase implies a growing, widespread and effective strategy against small- and medium-sized businesses, enterprises and government agencies.

That’s where SonicWall RTDMI is unique. The technology analyzes documents dynamically via proprietary exploit detection technology, along with static inspection, to detect many malicious document categories, including PDFs, Office files, and a wide range of scripts and executables.

PDF malware attacks: A technical autopsy

SonicWall Capture Labs threat researchers dissected the specific paths these fraudulent PDF campaigns lead victims down in order to infect them with malware.

In one example (see image below), Capture Labs cross-referenced a malicious file, at the time of detection, with popular collaboration tools from VirusTotal and ReversingLabs. No results were found, indicating the effectiveness of the RTDMI engine.

Targets of the scam email campaigns receive malicious documents from businesses luring victims with PDF files that are made to look deceivingly realistic with misleading links to fraudulent pages. The proposed “business offer” within the PDF is enticing to recipients, often promising free and profitable opportunities with just the click of a link.

Pictured below, the victim is sent to a fraudulent landing page masquerading as a legitimate money-making offer.

SonicWall hypothesizes that by using PDFs as delivery vehicles within their phishing campaigns, attackers are attempting to circumvent email security spam filters and next-generation firewalls — a core reason RTDMI is finding so many new malicious PDFs.

What does this PDF fraud campaign mean?

PDFs are becoming a very attractive tool for cybercriminals. Whether or not these are new attacks — or we are just developing the ability to detect them with RTDMI — the volume indicates that they are a serious problem for SMBs, enterprises, governments and organizations across a wide range of industries.

What’s the motive?

While SonicWall data doesn’t help us understand motivation, it does show that the amount of malicious, PDF-related activity is on the rise. We believe that this is happening for a variety of reasons, including:

  • Better awareness. Users have learned that executables sent to them are potentially dangerous and could contain viruses, so they are more hesitant to click .exe files, forcing attackers to try new techniques.
  • Deprecation of Flash. Adobe Flash was a key attack vector in the past, but has been deprecated and will be completely end of life in 2020. So, attackers’ ability to use Flash exploits has been greatly reduced, forcing them to change tactics.
  • Must-trust files. Businesses move fast. Users are under constant pressure and don’t have the time, experience or know-how to vet every file type that hits their inbox. As such, users make assumptions that trusted file types (e.g., PDFs, Office files) used daily are, for the most part, safe. So, users are more likely to read and click links within them without considering the source or ramifications.

What is the impact of the PDF fraud campaigns?

This is very difficult to determine. In the 2019 SonicWall Cyber Threat Report, Capture Labs reported that 34% of the new attack variants found by Capture ATP were either PDF or Office files, up from 13% in the second half of 2017. This data implies that this attack vector is growing, is widespread and is an effective strategy.

Who is behind this?

While attribution is difficult, SonicWall believes the latest spike in malicious PDF activity is Russian-based because of the use of many .ru top-level domains leveraged across analyzed campaigns.

How to stop cyberattacks that use PDF and Office files

  • Force attacks to reveal intentions. SonicWall RTDMI operates in parallel with the SonicWall Capture ATP sandbox service to quickly get a verdict on any suspicious piece of code as it operates in memory, including malicious PDFs and Office files.
  • Protect the most common attack vectors. Another important layer of defense against malicious PDFs is email security. SonicWall offers cloud-hosted and on-premises email security solutions. SonicWall leverages advanced security controls to examine files, senders, domains and URLs to look for malicious activity.
  • Make training a policy. Improve awareness by implementing employee training protocols to ensure users know how to examine PDF and Office file attachments carefully before opening or clicking unknown links.
  • Use endpoint protection. SonicWall recommends using advanced endpoint security, such as Capture Client powered by SentinelOne, to constantly monitor the behavior of a system to scout for malicious behavior, including PDF attacks.

Stopping PDF Attacks: 5 Ways Users & Organizations Can Work Together

Leveraging malicious PDFs is a great tactic for threat actors because the file format and file readers have a long history of exposed and, later, patched flaws.

Because of the useful, dynamic features included in the document format, it’s reasonable to assume further flaws will be exposed and exploited by adversaries; these attacks may not go away for some time. Furthermore, there’s no way for the average user to diagnose a benign or malicious PDF as it opens.

Since the average SonicWall customer will see nearly 5,500 phishing and social engineering attacks targeting their users each year, it’s vital to remain vigilant about the dangers of PDFs and deploy advanced security to prevent attacks.

Why are malicious PDFs being used in cyberattacks?

In many kinds of malicious PDF attacks, the PDF reader itself contains a vulnerability or flaw that allows a file to execute malicious code. Remember, PDF readers aren’t just applications like Adobe Reader and Adobe Acrobat. Most web browsers contain a built-in PDF reader engine that can also be targeted.

In other cases, attackers might leverage AcroForms or XFA Forms, which are scripting technologies used in PDF creation that were intended to add useful, interactive features to a standard PDF document. To the average person, a malicious PDF looks like another innocent document and they have no idea that it is executing code. According to Adobe, “One of the easiest and most powerful ways to customize PDF files is by using JavaScript.”

If you are a threat actor reading this, you are well versed in the above. And your victims are not. If you are an administrator responsible for keeping threats out and their damage to a minimum, it’s time to take some necessary precautions.

Stop PDF attacks with user-side prevention

First, there are a couple of things users can do to help reduce exposure to PDF-based attacks. Most readers and browsers will have some form of JavaScript control that will require adjustment.

  • Change your preferences. In Adobe Acrobat Reader DC, for example, you can disable Acrobat JavaScript in the preferences to help manage access to URLs.
  • Customize controls. Similarly, with a bit of effort, users can also customize how Windows handles NTLM authentication.

While these mitigations are “nice to have” and certainly worth considering, these features were added, just like Microsoft Office Macros, to improve usability and productivity. Therefore, be sure that you’re not disabling functionality that is an important part of your own or your organization’s workflow.
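
As an added illustration of the active-content features described above (this is not SonicWall's code or RTDMI's method), the following Python script performs a static triage of a PDF for the JavaScript, auto-run, form and link names it may contain, decoding the hex-escaped names that malicious files use to hide those keywords; the two sample PDF byte strings inside it are constructed fixtures.

```python
"""Static triage of a PDF for the active-content features named above.

Scans the raw bytes for the name objects that give a PDF scripting or
auto-execution capability and decodes the #xx hex escapes that the PDF
syntax allows inside names, which malicious files use to hide keywords
such as /JavaScript from naive keyword scanners. Compressed object
streams are not inflated, so a clean result means "nothing visible",
not "safe".
"""
import re
import sys
from collections import Counter

# Name objects worth a second look, with why each matters.
ACTIVE_CONTENT_NAMES = {
    "JavaScript": "Acrobat JavaScript action or name tree",
    "JS": "inline JavaScript code",
    "OpenAction": "action run automatically when the document opens",
    "AA": "additional actions (page open, form-field events)",
    "XFA": "XML Forms Architecture form (scriptable)",
    "AcroForm": "interactive form dictionary",
    "Launch": "launch an external application or file",
    "EmbeddedFile": "file attachment that can be dropped to disk",
    "URI": "external link, the lure used by the campaigns above",
}
# Features that execute or auto-run; forms and links alone only need review.
SCRIPT_OR_AUTORUN = {"JavaScript", "JS", "OpenAction", "AA", "XFA", "Launch", "EmbeddedFile"}

# A PDF name: '/' followed by regular characters or #xx escapes, ending at
# whitespace or a delimiter character.
_NAME_RE = re.compile(rb"/((?:[^\s/\[\]<>(){}%]|#[0-9A-Fa-f]{2})+)")


def decode_pdf_name(raw: bytes) -> str:
    """Resolve #xx escapes, e.g. b'J#61vaScript' -> 'JavaScript'."""
    unescaped = re.sub(rb"#([0-9A-Fa-f]{2})",
                       lambda m: bytes([int(m.group(1), 16)]), raw)
    return unescaped.decode("latin-1")


def scan_pdf_bytes(data: bytes) -> dict:
    """Return {feature: count} for every active-content name found in data."""
    counts = Counter()
    for m in _NAME_RE.finditer(data):
        name = decode_pdf_name(m.group(1))
        if name in ACTIVE_CONTENT_NAMES:
            counts[name] += 1
    return dict(counts)


def triage(data: bytes) -> tuple:
    """Return (verdict, reasons): 'suspicious', 'review' or 'no active content seen'."""
    found = scan_pdf_bytes(data)
    reasons = [f"/{n} x{c}: {ACTIVE_CONTENT_NAMES[n]}" for n, c in sorted(found.items())]
    if found.keys() & SCRIPT_OR_AUTORUN:
        return "suspicious", reasons
    if found:
        return "review", reasons
    return "no active content seen", reasons


# Constructed fixtures (not real samples): a minimal skeleton with an
# auto-run JavaScript action whose /JavaScript name is hex-escaped, and a
# plain one-page document. The xref table is omitted, so they are scanner
# inputs rather than viewable files.
SAMPLE_MALICIOUS = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /J#61vaScript /JS (app.alert\\(1\\)) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
SAMPLE_BENIGN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    # With file paths on the command line, scan those; otherwise the fixtures.
    inputs = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [
        ("SAMPLE_MALICIOUS", SAMPLE_MALICIOUS), ("SAMPLE_BENIGN", SAMPLE_BENIGN)]
    for label, data in inputs:
        verdict, reasons = triage(data)
        print(f"{label}: {verdict}")
        for r in reasons:
            print("  " + r)
```

A hit on /AcroForm or /URI alone is only a prompt to look closer, since legitimate business forms use both; a hex-escaped /JavaScript next to an /OpenAction is the pattern worth quarantining.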

Stop PDF attacks with company-wide protections

Thankfully, SonicWall technology can quickly decode PDFs to see what the malware wants to really do, such as contact malicious domains or steal credentials. Here are three key ways organizations can limit exposure to PDF-based attacks.

  • Implement advanced email security. The first line of defense against malicious PDFs is email security. SonicWall offers cloud, hosted and on-premises email security solutions. SonicWall leverages advanced security controls to examine files, senders, domains and URLs to look for malicious activity.
  • Use endpoint protection. SonicWall recommends using advanced endpoint security, such as Capture Client powered by SentinelOne, to constantly monitor the behavior of a system to scout for malicious behavior. Capture Client stops threats before they execute, and its EDR capabilities can stop them as they execute, show where they came from, and provide remediation steps such as rollback in case they fully execute.
  • Identify new threats. One thing that separates SonicWall from the rest is our patent-pending Real-Time Deep Memory Inspection™ (RTDMI). RTDMI operates in parallel with the SonicWall Capture Advanced Threat Protection (ATP) sandbox service. This is just one of our parallel engines in the sandboxing environment that gives us the ability to quickly get a verdict on any suspicious piece of code as it operates in memory, including malicious PDFs and Office files.

Malicious PDFs will be around for the foreseeable future, but through advanced security and good end-user awareness, your company will be better suited to prevent attacks.

For a more technical view on this, I recommend reading Philip Stokes’ blog from SentinelOne that inspired and supplied part of the content for this story. I also recommend watching our on-demand webinar, “Best Practices for Protecting Against Phishing, Ransomware and Email Fraud.”

‘Chase & Capture’: The Chertoff Group Hosts SonicWall CEO Bill Conner on Latest Podcast

You’ve hopefully read the 2019 SonicWall Cyber Threat Report from cover to cover. Now you can hear the insights directly from SonicWall President and CEO Bill Conner.

The Chertoff Group hosted Conner on Insights & Intelligence, the D.C.-based firm’s podcast that encourages dialogue about security, technology and policy.

Conner was joined by Chertoff Group Principal Katie Montgomery as they explored the fast-moving cyber arms race in the newest episode, “Chase & Capture: Inside the Tactical Advances between Cybercriminals and the Security Industry.” The episode provides key context about the cyber intelligence published in the 2019 SonicWall Cyber Threat Report.

“This report is a foundation for seeing what’s happening in the cyber arms race,” said Conner. “We learned how to fight by air, land and sea, but the new digital frontier is where the next threats are.”

During the 25-minute podcast, the pair discussed a number of emerging and critical cybersecurity trends and topics, including the:

  • Ebb and flow of cybercriminal strategy
  • Impact of IoT on cybersecurity
  • Machine learning and artificial intelligence
  • Never-before-seen cyber threats
  • Drop in ransomware volume in the U.K.
  • Growing importance of federal policy
  • Lurking repercussions of processor threats
  • Use of PDF and Office files to circumvent traditional security controls

The Insights & Intelligence podcast is available via Google Play, Spotify, Apple and at www.chertoffgroup.com/podcasts.

About the ‘Intelligence & Insights’ Podcast

Listen to the best and brightest in security share their unique insights and perspectives around the changing nature of risk by downloading episodes of Insights & Intelligence, a Chertoff Group podcast. Hosted by Katy Montgomery, Insights & Intelligence explores the impact of security, technology and policy on today’s risk management decisions and how to create more resilient environments for today’s constantly changing world.

Mar-a-Lago Malware Event: A Study in What NOT to do With Unknown USB Keys

It’s troubling when the world of politics and IT security share headlines.

But on March 30, a Chinese national named Yujing Zhang walked into President Trump’s private resort, Mar-a-Lago, with a suspicious USB key and other electronic gear.

To everyone’s surprise (because you should never do this), a Secret Service member plugged the USB drive into his work computer and noticed visible changes on the screen, confirming the strong possibility of malware. Zhang was arrested by the Secret Service. Upon a search of the trespasser’s hotel room, nine more USB keys were found along with other gear.

Hacking 101: The “Lost” USB key

Dropping USB keys in sensitive locations is a valid attack method, and the accused trespasser may just have been trying to do this. This story falls in line with similar attacks on engineers and executives traveling in China.

It has been considered a best practice when in China on business to bring a “burner” laptop that is returned to IT to be reformatted. In many noted cases, unattended laptops in conference or hotel rooms have been infected via USB keys while awaiting return to the home network.

When I worked for a well-known company in Mountain View, California, it was common to hear of people throwing USB keys at our lobby doors from the street; some of these I personally found. Every time I go to a retail checkout stand and see an exposed point-of-sale (POS) monitor, I look for exposed USB ports and think of that experience.

In the absence of a publicly released statement from the accused about her intentions with the keys at Mar-a-Lago, IT researchers expect she would try to insert them in a network-connected PC or drop in an employee-only part of the compound to minimize exposure.

According to a study with Google and the universities of Illinois and Michigan, 45% of people who found nearly 300 USB keys plugged them into their personal devices to either “find the owner” or were just curious.

In another study, 60% of dropped keys found their way into U.S. Government computers. Additionally, eight out of 15 Western Australian government agencies “fell victim” to a similar test. Reasons aside, people insert and inspect these devices at the risk to personal devices or corporate networks.

How do you stop USB attacks?

The first step is education. Do something physical to make an impact. Put a garbage can in the lobby with a sign that says, “Place Found USBs Here.” But, please, take a picture and tag me (@BRChelmo) if you do.

The second step is the use of device control capabilities within an endpoint security solution that stops unknown USB keys from connecting to the endpoint.

With SonicWall Capture Client, for example, administrators can create customized policies for known and unknown USB devices. For instance, they could allow all mice and keyboards, but block unknown USB keys while allowing approved or registered ones.

If you do not have this option, you need to ensure your endpoint solution can stop malware based on behavior, not signatures. The malware found on USB sticks will often not be categorized by your vendor or VirusTotal.

This is why behavior-based anti-malware defense is important. According to the 2019 SonicWall Threat Report, 45 million new forms of malware were identified and blocked. A good part of this number was found via customer submissions to our sandboxing service called Capture ATP, which blocks suspicious code and files until a verdict is found.

In the case of Capture Client, the AI engine is always scouting for malicious behavior. As for the Secret Service member who activated the drive, Capture Client would have either stopped it before or during its execution. If the code on the key had created system changes, the remediation capabilities would allow the agency to roll back that PC to its last-known good state. The administrator would have been notified of the event via an alert to quickly take action. This level of control is an absolutely critical layer of a sound security posture.

If you’d like to learn more about stopping advanced attacks that hit the endpoint, please watch this recent webcast, “Can You Stop These Two Endpoint Threat Vectors?”

Cyber Security News & Trends – 04-12-19

This week, SonicWall named one of the 10 coolest IoT security vendors, Health Care has a huge cybersecurity problem, and LockerGoga is spreading fast.


SonicWall Spotlight

2019 Internet of Things 50: 10 Coolest IoT Security Vendors – CRN

  • CRN names SonicWall as one of the 10 coolest IoT security vendors of 2019.

A Closer Look at LockerGoga, the Ransomware Crippling Industrial Giants – Verdict (UK)

How K–12 Schools Can Use Next-Generation Content Filtering to Keep Students Safe – EdTech Magazine

  • EdTech Magazine looks at the evolving content filtering services available for K-12 schools. With older services no longer supplying adequate security and often over-blocking content, they recommend modern granular tools like SonicWall’s Content Filtering Services (CFS), which allows multiple, customized policies and categories.

Cyber Security News

Health Care’s Huge Cybersecurity Problem – The Verge

  • With health care increasingly relying on internet-connected devices, many hospitals simply do not have adequate cybersecurity plans in place. The Verge investigates the risks to the healthcare system posed by cyberattacks, including already successful implementations of WannaCry and NotPetya.

Yahoo Strikes $117.5 Million Data Breach Settlement After Earlier Accord Rejected – Reuters

  • Yahoo strikes a revised settlement with millions of people whose email addresses and other personal information were stolen in the largest data breach in history. The new settlement includes at least $55 million for victims’ out-of-pocket expenses and other costs, $24 million for two years of credit monitoring, up to $30 million for legal fees, and up to $8.5 million for other expenses.

Cybersecurity Testing Exercise for EU Elections – Government Europa

  • The European Parliament has deployed a series of cybersecurity tests in anticipation of the European elections in May aiming to test the efficacy of crisis response protocols and explore new ways of detecting and preventing online cyberattacks.

Largest Leak in History: Email Data Breach Exposes Over Two Billion Personal Records – CPO Magazine

  • Estimates for the volume of records exposed in the recent Verifications.io data breach have climbed from initial reports of 763 million records to a little over two billion records, setting a new world record.

Norsk Hydro Repairs Systems and Investigates After Ransomware Attack – Wall Street Journal

  • Norwegian aluminum and energy company Norsk Hydro confirmed a LockerGoga ransomware attack in March crippled the company’s global operations.

Dragonblood Vulnerabilities Disclosed in WiFi WPA3 Standard – ZDNet

  • The security researchers who previously disclosed the 2017 KRACK attack on the WiFi WPA2 standard have now released details on a group of vulnerabilities on WiFi WPA3, dubbing them “Dragonblood”.

In Case You Missed It

Protected: RTDMI DETECTS A MASSIVE PDF CAMPAIGN SPREADING IN RUSSIAN LANGUAGE

Analyzing Gretel A7 Android device for pre-installed malware – Part II

SonicWall Capture Labs Threats Research Team investigated the sample mentioned in the story that came up on Reddit. We blogged about it recently and to investigate further we ordered a Gretel A7 device and analyzed it to verify the presence of pre-installed malware.

A brief about /system/

Pre-installed apps on Android devices are present in the /system/app/ or /system/priv-app/ folders and are usually referred to as ‘system apps’. Apps present in these folders cannot be removed by the user, as the user does not have write access to these folders. This is also why apps installed by device manufacturers, typically referred to as ‘bloatware’, are usually found in one of these folders.

Pre-installed malware is also found in these folders thereby hiding their presence from the user and making it extremely difficult to remove them using conventional means.

Analysis on the actual Gretel Device

We extracted a list of all the apps present on the device, a total of 117 (including system apps). The malicious adware discussed in our previous blog on Gretel devices was not present in the list of installed apps for our device. Based on our analysis, we conclude that the adware mentioned in the previous blog was not a case of pre-installed malware.

However, we wanted to verify whether there were any other pre-installed malicious apps on our device. We paid close attention to apps present in the system folders, as this is usually a good place to hide pre-installed malware. After a preliminary analysis of the apps in the system folder, the apps below showed some malicious indicators, which prompted us to analyze them further:

  • com.android.service stored as /system/priv-app/com.android.service-9002_0711/com.android.service-9002_0711.apk
  • com.ibingo.launcher3 stored as /system/priv-app/Launcher3_G_yisheng_A47_201705191558/Launcher3_G_yisheng_A47_201705191558.apk

Suspicious Network Activity

We kept an eye on the network activity on our device for a few days without installing any new apps; this helped us understand whether the device exhibits any suspicious signs without interference from the user’s side (in terms of newly installed apps). The following network activities stood out during an observation period of 7 days:

The device brand and model number were sent in the packet above, along with the package name responsible for this network activity: com.ibingo.launcher3.

We observed network communication to the host alter.sbingo.net.cn as shown above; in one case the IMEI number, which is sensitive data for a device, was leaked. VirusTotal investigation of this domain showed that it is connected with a number of apks with malicious detections on VT.

VirusTotal gave us a number of related sub-domains for sbingo.net.cn, and the ones listed below have connected apks with malicious detections on VT:

  1. uistorefee.sbingo.net.cn
  2. download.sbingo.net.cn
  3. 1906.sbingo.net.cn
  4. alter.sbingo.net.cn
  5. uistorebtz.sbingo.net.cn
  6. app.sbingo.net.cn
  7. cdnuistore2.sbingo.net.cn

After observing these packets we analyzed the installed app com.ibingo.launcher3, which is essentially the launcher used in Gretel A7 devices. Upon analyzing and running this app on a different device we observed the same network activity as shown above. We feel there are some suspicious indicators for this app, and it leaks the IMEI of the device on which it is installed.

statistics.flurrydata.com was contacted regularly during our analysis with packets similar to the one listed above. VirusTotal investigation gave us three related sub-domains for flurrydata.com:

  1. statistics.flurrydata.com
  2. developer.flurrydata.com
  3. analyze.flurrydata.com

VirusTotal Relations showed statistics.flurrydata.com connected to a number of malicious apk files.

Also, we observed this domain was listed under a Mobile Ad Tracker tool on GitHub.

We saw another communication with a domain where the IMEI of our test device was leaked, as shown above.
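
As an added example of the kind of check behind the IMEI observations above (this is not the Capture Labs tooling), the following Python script checks captured HTTP requests for the test device’s IMEI, in clear text or as a common hash, and for any other Luhn-valid 15-digit identifier that could be a device IMEI we were not told about; the captures, the IMEI value and the tracker.example host are constructed, while alter.sbingo.net.cn and iwtiger.com are the hosts named in the analysis.

```python
"""Spot device-identifier leakage in captured HTTP requests.

Given the IMEI of the device under test, each request is checked for
(1) the IMEI in clear text, (2) its MD5/SHA-1/SHA-256 hex digests, which
apps often send as a thin 'anonymisation', and (3) any other 15-digit
Luhn-valid number, i.e. a candidate IMEI we were not told about. Hits are
reported per destination host with the Android package named in the request.
"""
import hashlib
import re


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test used by IMEI (and payment card) numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def imei_fingerprints(imei: str) -> dict:
    """Every representation of the IMEI an app might put on the wire."""
    fps = {imei: "clear text"}
    for algo in ("md5", "sha1", "sha256"):
        fps[hashlib.new(algo, imei.encode()).hexdigest()] = f"{algo} hash"
    return fps


_HOST_RE = re.compile(r"^Host:\s*(\S+)", re.M | re.I)
_DIGITS15 = re.compile(r"(?<!\d)\d{15}(?!\d)")
_PKG_RE = re.compile(r"(?:pkg|package)=([\w.]+)")  # constructed field names


def check_request(raw: str, imei: str):
    """Return a finding dict for one raw HTTP request, or None if it is clean."""
    host_m = _HOST_RE.search(raw)
    host = host_m.group(1) if host_m else "?"
    low = raw.lower()
    findings = [f"known IMEI as {label}"
                for token, label in imei_fingerprints(imei).items() if token.lower() in low]
    for m in _DIGITS15.finditer(raw):
        if m.group(0) != imei and luhn_ok(m.group(0)):
            findings.append(f"other Luhn-valid 15-digit id {m.group(0)}")
    if not findings:
        return None
    pkg_m = _PKG_RE.search(raw)
    return {"host": host, "package": pkg_m.group(1) if pkg_m else None, "findings": findings}


def scan_capture(requests, imei: str) -> list:
    """Run check_request over a capture; returns only the requests that leak an id."""
    return [hit for hit in (check_request(r, imei) for r in requests) if hit]


DEVICE_IMEI = "356938035643809"  # constructed, Luhn-valid test value, not a real device

# Constructed captures (not the analysis team's packet captures). alter.sbingo.net.cn
# and iwtiger.com are the hosts named in the analysis; tracker.example is a
# placeholder; all field names and values are made up.
CAPTURED_REQUESTS = [
    "POST /alter HTTP/1.1\r\nHost: alter.sbingo.net.cn\r\n\r\n"
    "brand=Gretel&model=A7&pkg=com.ibingo.launcher3&imei=356938035643809",
    "GET /stat?pkg=com.ibingo.launcher3&did="
    + hashlib.md5(b"356938035643809").hexdigest() + " HTTP/1.1\r\nHost: tracker.example\r\n\r\n",
    "POST /report HTTP/1.1\r\nHost: iwtiger.com\r\n\r\npid=Gretel%20A7&ts=2019-04-10T09:00:00",
]

if __name__ == "__main__":
    for hit in scan_capture(CAPTURED_REQUESTS, DEVICE_IMEI):
        print(f"{hit['host']}  package={hit['package']}  {'; '.join(hit['findings'])}")
```

The third constructed request carries only the model and a timestamp, so it produces no finding, which mirrors the iwtiger.com report described in the app analysis below.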

App analysis – com.android.service

We analysed the app com.android.service mentioned earlier; the following permissions are used by this app:

  • Access network state
  • Receive boot completed
  • Wake lock
  • Read external storage
  • Write external storage
  • Internet
  • Read phone state
  • Access wifi state
  • System alert window
  • Package usage stats
  • Install packages
  • Delete packages
  • Access fine location
  • Get tasks

A few of the permissions used by this app are dangerous and can have major implications for the device if misused:

  • Install and Delete packages – the app can secretly download and install apps on the device, and delete other apps as well
  • System alert window – this can be used to show content on top of other apps; bankers and adware use this permission heavily

On execution the app reported to the domain iwtiger.com with the date and time of execution and the device model, which is stored in a variable interestingly named pid:

Then it downloaded an apk from static.iwtiger whose package name is com.iwtiger.plugin.activity17 into its app_dex folder.

The apk com.android.service contains code similar to code present in a GitHub repository about dynamic loading of an apk:

Play Protect to the rescue

During our analysis we saw the Google Play Protect notification about com.android.service being dangerous. Even though our Gretel device shipped with pre-installed malware, this threat was cleaned by Play Protect. When we tried to install this threat on a test Nexus device it was protected there as well:

Researching before buying a device

During our research we saw multiple stories where users have posted about their concerns regarding presence of malicious apps in Gretel devices:

This highlights the importance of taking time to research about a device before purchasing it. The Android ecosystem is very dynamic, malicious apps and domains are often cleaned and the current state may be different from what was observed in the past.

Closing Thoughts

Overall, during our analysis period of almost a week we saw suspicious network communication from our test device; IMEI data was also leaked in a few instances, which is a cause for concern. One of the system applications has the dangerous permissions to install and delete packages, and we saw it use these permissions: an apk file gets downloaded and executed via a dynamic loading technique.

We did not see the adware that we analyzed in our previous blog on our Gretel A7 device, however we did see a number of suspicious pre-installed applications and suspicious network activity during our time analyzing this device. One such app was marked as malicious by Google Play Protect.

In some reported cases advertisements were seen a number of days after purchasing the device. We did not see any advertisements, but our analysis period was considerably short, so we will keep an eye on our Gretel A7 device for any suspicious activity over the next few days and update our blog accordingly.

SonicWALL Capture Labs provides protection against this threat via the following signatures:

  • AndroidOS.Gretel.SRV
  • AndroidOS.Gretel.DYN

Indicators of compromise:

  • com.android.service – 8a8a2f1c13d0d57186bc343af96abe87
  • com.ibingo.launcher3 – 7dda8481973cec79416c9aa94d2176bc

Microsoft Security Bulletin Coverage for April 2019

SonicWall Capture Labs Threat Research Team has analyzed and addressed Microsoft’s security advisories for the month of April 2019. A list of issues reported, along with SonicWall coverage information are as follows:

CVE-2019-0685 Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-0688 Windows TCP/IP Information Disclosure Vulnerability
ASPY 5456:Malformed-File exe.MP.66
CVE-2019-0730 Windows Elevation of Privilege Vulnerability
ASPY 5457:Malformed-File exe.MP.67
CVE-2019-0731 Windows Elevation of Privilege Vulnerability
ASPY 5458:Malformed-File exe.MP.68
CVE-2019-0732 Windows Security Feature Bypass Vulnerability
ASPY 5459:Malformed-File exe.MP.69
CVE-2019-0735 Windows CSRSS Elevation of Privilege Vulnerability
ASPY 5460:Malformed-File exe.MP.70
CVE-2019-0739 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2019-0752 Scripting Engine Memory Corruption Vulnerability
IPS 14132:Scripting Engine Memory Corruption Vulnerability (APR 19) 1
CVE-2019-0753 Scripting Engine Memory Corruption Vulnerability
IPS 14133:Scripting Engine Memory Corruption Vulnerability (APR 19) 2
CVE-2019-0764 Microsoft Browsers Tampering Vulnerability
There are no known exploits in the wild.
CVE-2019-0786 SMB Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-0790 MS XML Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0791 MS XML Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0792 MS XML Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0793 MS XML Remote Code Execution Vulnerability
IPS 14134:MS XML Remote Code Execution Vulnerability (APR 19)
CVE-2019-0794 OLE Automation Remote Code Execution Vulnerability
ASPY 5462:Malformed-File vbs.MP.1
CVE-2019-0795 MS XML Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0796 Windows Elevation of Privilege Vulnerability
ASPY 5461:Malformed-File exe.MP.71
CVE-2019-0801 Office Remote Code Execution Vulnerability
IPS 14124:Microsoft Office Remote Code Execution (APR 19) 1
CVE-2019-0802 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-0803 Win32k Elevation of Privilege Vulnerability
ASPY 5453:Malformed-File dll.MP.4
CVE-2019-0805 Windows Elevation of Privilege Vulnerability
ASPY 5454:Malformed-File exe.MP.65
CVE-2019-0806 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 14136:Chakra Scripting Engine Memory Corruption Vulnerability (APR 19) 3
CVE-2019-0810 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 14137:Chakra Scripting Engine Memory Corruption Vulnerability (APR 19) 4
CVE-2019-0812 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2019-0813 Windows Admin Center Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-0814 Win32k Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-0815 ASP.NET Core Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2019-0817 Microsoft Exchange Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2019-0822 Microsoft Graphics Components Remote Code Execution Vulnerability
ASPY 5455:Malformed-File ppt.MP.9
CVE-2019-0823 Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0824 Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0825 Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0826 Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0827 Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0828 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0829 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2019-0830 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2019-0831 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2019-0833 Microsoft Edge Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-0835 Microsoft Scripting Engine Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-0836 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-0837 DirectX Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-0838 Windows Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-0839 Windows Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-0840 Windows Kernel Information Disclosure Vulnerability
ASPY 5451:Malformed-File exe.MP.63
CVE-2019-0841 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-0842 Windows VBScript Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0844 Windows Kernel Information Disclosure Vulnerability
ASPY 5451:Malformed-File exe.MP.63
CVE-2019-0845 Windows IOleCvt Interface Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0846 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0847 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0848 Win32k Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-0849 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-0851 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0853 GDI+ Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0856 Windows Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0857 Team Foundation Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2019-0858 Microsoft Exchange Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2019-0859 Win32k Elevation of Privilege Vulnerability
ASPY 5452:Malformed-File exe.MP.64
CVE-2019-0860 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 14128:Chakra Scripting Engine Memory Corruption Vulnerability (APR 19) 1
CVE-2019-0861 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 14129:Chakra Scripting Engine Memory Corruption Vulnerability (APR 19) 2
CVE-2019-0862 Windows VBScript Engine Remote Code Execution Vulnerability
IPS 14130:VBScript Engine Remote Code Execution Vulnerability (APR 19) 1
CVE-2019-0866 Team Foundation Server Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2019-0867 Team Foundation Server Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2019-0868 Team Foundation Server Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2019-0869 Team Foundation Server HTML Injection Vulnerability
There are no known exploits in the wild.
CVE-2019-0870 Team Foundation Server Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2019-0871 Team Foundation Server Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2019-0874 Team Foundation Server Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2019-0875 Azure DevOps Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-0876 Open Enclave SDK Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-0877 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0879 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.

Protected: RTDMI detects a massive PDF campaign spreading in Russian language


RTDMI Evolving with Machine Learning to Stop ‘Never-Before-Seen’ Cyberattacks

If I asked you, “How many new forms of malware did SonicWall discover last year?” what would be your response?

When I pose this question to audiences around the world, the most common guess is 8,000. People are often shocked when they hear that SonicWall discovered 45 million new malware variants in 2018, as reported in the 2019 SonicWall Cyber Threat Report.

The SonicWall Capture Labs threat research team was established in the mid-’90s to catalog and build defenses for the massive volume of malware it would find each year. Because our threat researchers process more than 100,000 malware samples a day, they have to work smart, not hard. This is why SonicWall Capture Labs developed technology that uses machine learning to discover and identify new malware. And it continues to evolve each day.

How Automation, Machine Learning Stops New Malware

Released to the public in 2016, the SonicWall Capture Advanced Threat Protection (ATP) sandbox service was designed to mitigate millions of new forms of malware that attempt to circumvent traditional network defenses via evasion tactics. It was built as a multi-engine architecture in order to present the malicious code with different environments in which to detonate. In 2018, this technology found nearly 400,000 brand new forms of malware, much of which came from customer submissions.

In order to make determinations faster and with better accuracy, the team developed Real-Time Deep Memory Inspection™ (RTDMI), a patent-pending technology that lets malware go straight to memory and extracts the payload within the 100-nanosecond window in which it is exposed. The 2019 SonicWall Cyber Threat Report also mapped how the engine discovered nearly 75,000 ‘never-before-seen’ threats in 2018 alone, despite being released (at no additional cost to Capture ATP customers) only in February 2018.

‘Never-Before-Seen’ Attacks Discovered by RTDMI in 2018

Image source: 2019 SonicWall Cyber Threat Report

Using proprietary machine learning capabilities, RTDMI has become increasingly efficient at identifying and mitigating cyberattacks never before seen by anyone in the cybersecurity industry. Since July 2018, the technology’s machine learning capabilities have caught more of these otherwise undetectable cyberattacks than in the preceding month, in every month except one. In January 2019, this figure eclipsed 17,000 and continues to rise in 2019.

Year of the Processor Vulnerability

Much as Heartbleed and other vulnerabilities in cryptographic libraries introduced researchers and attackers to a new battleground in 2014, the numerous announcements of vulnerabilities affecting processors did the same in 2018.

Since these (currently theoretical) attacks operate in memory, RTDMI is well positioned to discover and stop them. By feeding the machine learning engine information on how a theoretical attack would work, RTDMI was able to identify a Spectre attack within 30 days. Shortly thereafter, it was hardened against Meltdown. With each new processor vulnerability discovered (e.g., Foreshadow, PortSmash), RTDMI took less and less time to harden against the attack.

Then, in March 2019, while much of the security world was at RSA Conference 2019 in San Francisco, the Spoiler vulnerability was announced. With the maturity found within RTDMI, it took the engine literally no time at all to identify whether the vulnerability was being exploited.

Although we have yet to see these side-channel attacks in the wild, RTDMI is primed for the fight. Even if a new vulnerability is announced tomorrow, along with the ability to weaponize it, this layer of defense is ready to identify and block side-channel attacks against processor vulnerabilities.

Image source: 2019 SonicWall Cyber Threat Report

Scouting for New Technology

Now, if you are not yet a SonicWall customer and are evaluating solutions to stop unknown and ‘never-before-seen’ attacks (i.e., zero-day threats), ask your prospective vendors how they do against these types of attacks. Ask how they did on Day 1 of the WannaCry crisis. As for the volume of attacks their solutions are finding, ask for evidence that the solution works in a real-world situation, not just as a proof of concept (POC) in a lab.

If you are a customer, Capture ATP, which includes RTDMI, is available as an add-on purchase within many of our offerings from the firewall, to email, to the wireless access point. You read that correctly: right on the access point.

We believe in the technology so much that we place it in everything to protect your networks and endpoints, such as laptops and IoT devices. This is why large enterprises, school districts, SMBs, retail giants, carrier networks and service providers, and government offices and agencies trust this technology to safeguard their networks, data and users every day.