Emotet Malware spreading via IRS theme based spam email

The SonicWall RTDMI engine detected a spam email, appearing to come from the IRS, carrying an archive attachment that contains malicious Word documents. Similar spam was observed in July of this year, but at that time the attachment was the malicious Word document itself, whereas this time the attachment is an archive with the malicious Word document inside it. At the time of analysis, no information about these fresh attacks was available on popular threat intelligence sharing portals such as VirusTotal and ReversingLabs.


Fig-1: Virustotal results of the malicious file

The email attachment is named as one of the following:

  • Tax Return Transcript.doc.zip
  • Wage and Income Transcript.doc.zip
  • Verification of Non-filing Letter.doc.zip

Upon extracting the archive, one can observe two Microsoft Word documents which are identical but carry different names. One file is named in the format IRS_[8-10 random digits]_[mmddyyyy].doc and the other has the same name as the archive, as shown in the image below.


Fig-2: Archive contents

On opening the document, the user is asked to click Enable Editing and Enable Content, which runs the macro code; the macro downloads the payload by launching a PowerShell command.


Fig-3: Word document

At the time of analysis, the payload being delivered belonged to the Emotet family.
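As an added example (not part of the SonicWall advisory), the following Python triage function checks a mail attachment for the lure traits described above: the .doc.zip double extension, an inner document named IRS_<digits>_<mmddyyyy>.doc, a second copy carrying the archive's own name, and two members with identical content. The OLE2 header check and the constructed sample archive are assumptions for illustration.

```python
import hashlib
import io
import re
import zipfile

# Naming patterns described in the advisory: the attachment is "<name>.doc.zip"
# and the inner documents are "IRS_<8-10 digits>_<mmddyyyy>.doc" plus a copy
# carrying the archive's own name.
DOUBLE_EXT_RE = re.compile(r"\.doc\.zip$", re.IGNORECASE)
IRS_NAME_RE = re.compile(r"^IRS_\d{8,10}_(\d{2})(\d{2})(\d{4})\.doc$", re.IGNORECASE)
# OLE2 Compound File header that legacy, macro-capable .doc files start with
# (assumption for illustration; the advisory does not state the file format).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def _plausible_mmddyyyy(mm, dd, yyyy):
    """Return True if the three fields look like a real mmddyyyy date."""
    return 1 <= int(mm) <= 12 and 1 <= int(dd) <= 31 and 2000 <= int(yyyy) <= 2099


def triage_attachment(attachment_name, attachment_bytes):
    """Score a mail attachment against the IRS/Emotet lure traits.

    Returns a sorted list of findings; an empty list means none of the traits
    from the advisory were seen.
    """
    findings = set()
    if DOUBLE_EXT_RE.search(attachment_name):
        findings.add("attachment uses a .doc.zip double extension")
    try:
        archive = zipfile.ZipFile(io.BytesIO(attachment_bytes))
    except zipfile.BadZipFile:
        return sorted(findings | {"attachment is not a valid zip archive"})

    archive_stem = re.sub(r"\.zip$", "", attachment_name, flags=re.IGNORECASE)
    seen = {}  # sha256 -> member names, to spot identical documents
    for member in archive.infolist():
        if member.is_dir():
            continue
        data = archive.read(member)
        seen.setdefault(hashlib.sha256(data).hexdigest(), []).append(member.filename)

        m = IRS_NAME_RE.match(member.filename)
        if m and _plausible_mmddyyyy(*m.groups()):
            findings.add("member named IRS_<digits>_<mmddyyyy>.doc")
        if member.filename.lower() == archive_stem.lower():
            findings.add("member carries the archive's own name")
        if member.filename.lower().endswith(".doc") and data.startswith(OLE_MAGIC):
            findings.add("member is an OLE2 .doc (macro-capable)")

    for names in seen.values():
        if len(names) > 1:
            findings.add("identical documents under different names: " + ", ".join(sorted(names)))
    return sorted(findings)


def build_sample_archive(members):
    """Constructed test input: build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample mimicking the lure: two identical OLE2 documents.
    fake_doc = OLE_MAGIC + b"\x00" * 64
    lure = build_sample_archive({
        "IRS_1234567890_10152018.doc": fake_doc,
        "Tax Return Transcript.doc": fake_doc,
    })
    for finding in triage_attachment("Tax Return Transcript.doc.zip", lure):
        print("-", finding)
```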

Indicators of Compromise (IOC):

  • fbed00352b18a633f6da8a6fc255905bdccee62d1b3731206bf73bf01c2388a2 : Archive
  • 149da2a8074796bc5f3c9dcfe139082df1b60d5ac5e18095a10d5b5359664157 : Word document
  • hxxp://albuthi.com/RUBhR7
  • hxxp://abbasiwelfaretrust.org/1yTfF
  • hxxp://aadityainc.com/jadEM
  • hxxp://www.firststpauls.org/rU4L9
  • hxxp://www.galaxyla.com/pXXRHEQK
  • 23974dc955970ae56fd21b938ed1937fe52790313eee12ed8d30203e8d9efb58 : Emotet Malware

Hashes of similar malicious attachments:

  • 2b572ea00fced178b6c8c516e4569725cb4eea95f6d1128f22266d1552e66440
  • 76b252a5a5416aedcbacd81f2b4a93ba7be4d2ce1c2f3cdfeb556cd37dd47823
  • 8bb0262c39e986298e5be134e3b0ebf1b4044b21002f844bb05b7dbe4d93b8f7
  • f6dab997b23045242e2f28fbc076efbd48ed2c778b13a7d7cf3c9a15f2b4721b

Capture ATP report for this file:

Top 7 Cybersecurity Tips Anyone Can Use at Home

Cybersecurity is not just a topic for enterprises, businesses and government agencies. Home users are just as vulnerable to malicious cyberattacks. As October is National Cyber Security Awareness Month (NCSAM), it’s important that home users are routinely educated about online safety. To help, we’ve compiled a list of our top seven cybersecurity tips that anybody can apply in their home.

  1. Password Use

    Passwords are your first line of defense online and yet it is the first area where many of us fail. Who hasn’t written a password down on a Post-it note at some point? Here are the basic dos and don’ts of password usage:

    • Do not use the same password across multiple accounts. (We know you do this. Stop it. Now.)
    • Do use strong passwords. Password123 is not a good password. Neither is monkey. Or your cat’s name. In fact, don’t use any of these Top 100 Passwords.
    • Do not share your passwords.
    • Do use a password manager.
    • Do change default passwords. Many smart devices that connect to your network, such as baby monitors, printers or thermostats, may have default passwords.

  2. Safe Online Shopping
    Who doesn’t love to shop from the comfort of their own home? In a couple of clicks you can compare products and prices from multiple retailers, have products delivered to your home in a matter of hours, and you can do all this while wearing your pajamas. Here’s how you can stay safe while shopping online:

    • Look for the padlock or https: Reputable websites use technologies such as SSL (Secure Sockets Layer) that encrypt data during transmission. Look for the little padlock in the address bar or a URL that starts with “https” instead of “http,” as the “s” stands for “secure.”
    • When shopping on online marketplaces like eBay, be sure to check seller reviews and reputation level before deciding to buy a product. New accounts or accounts with comments accusing the seller of being a scammer or posting fraudulent listings should be red flags.
    • Avoid shopping while using public computers or public Wi-Fi.
    • Use a credit card or payment option with online fraud protection.

  3. Recognizing Phishing Emails
    Phishing emails look like legitimate company emails and are designed to steal your information. They usually contain a link to a website that will ask for your login credentials, personal information or financial details. These websites are clever fakes designed to take your information and pass it back to the cybercrooks behind the scam.

    In general, if you are not expecting an email from that company, you should be suspicious. Other tell-tale signs of phishing emails are as follows:

    • The email is not addressed to your full name. It will use generic terms like “Dear Customer.”
    • The email contains grammatical or spelling errors.
    • The email asks for personal information.
    • The email contains urgent or threatening language.

    If you think you have received a phishing email, do not click on any links or open any attachments. To be sure, log directly into your relevant account to check for updates or messages or contact the company directly through their website.

    Take our Phishing Quiz to see if you are able to identify phishing emails.

  4. Check Your Financial Statements
    Be sure to monitor your bank accounts and credit card statements for suspicious activity on a weekly basis. If you spot something unfamiliar or see transactions that you are not aware of, it could be a sign that you are compromised.

    Report potential fraud to your bank as soon as possible by calling your bank directly and asking to be connected to the fraud department.

  5. Ransomware 101
    Do you have files on your computer that you care about? Maybe your photos from the last five years? An extensive music library? Copies of resumes, address books, course work or other documentation?

    Do you have a backup of all of that data? You should.

    Ransomware is a type of malware that infects your computer, locking files or restricting your access to the infected systems. Ransomware attacks attempt to extort money by displaying an alert to victims, typically demanding that a ransom be paid in order to restore access to your system or files.

    It’s not just businesses that are targeted by ransomware creators. In fact, home users are often an easier target as most have no data backups, a lack of awareness and little to no cyber security education.

    It all happens in a matter of seconds. You click a link in an email or download a malicious document, and within seconds all your data is encrypted and you have just a few days to pay hundreds of dollars to get it back. Unless you have a backup.

    So, how can you protect yourself against ransomware attacks? Here are our top 5 tips:

    • Don’t store important data only on your PC.
    • Have one or two different backups of your data. Use an external hard drive or a cloud offering.
    • Keep your operating system, virus protection and software up to date, including the latest security updates.
    • Don’t open attachments or click on links in suspicious emails. Even if you know the sender, if it doesn’t feel right, delete it.
    • Consider using an ad-blocker to avoid the threat of malicious ads.

  6. Wi-Fi Usage
    Stay safe on public Wi-Fi. In general, don’t interact with websites that require your financial or personal details while you are using public Wi-Fi. Those activities are best kept on secure home networks.

    If you are using public Wi-Fi, avoid unsecured Wi-Fi signals and, where possible, connect using a virtual private network (VPN).

  7. Stop Clicking (or Recognizing Common Scams)
    Did you receive an email from your bank asking you to log in and provide your Social Security number or date of birth in order to resolve an issue on your account? Don’t click it.

    PayPal emailed you warning that your account was suspended temporarily and provided you a link to update your account details? Don’t click it.

    Yay! Someone sent you a gift card out of the blue! Just log in to redeem it! Don’t click it.

    There are a lot of scams out there. But you don’t need to live in fear online as many of them follow a similar pattern and can be avoided with a few safe practices. In general, if someone is offering you something for free, you should approach with suspicion and caution. For your financial or commercial accounts, do not click on links in emails, instead go to the official website and log in directly to your account to check for updates.

    And check out the FBI’s list of Common Fraud Schemes.

About Cybersecurity Awareness Month

The 15th annual National Cybersecurity Awareness Month (NCSAM) highlights user awareness among consumers, students/academia and business. NCSAM 2018 addresses specific challenges and identifies opportunities for behavioral change. It aims to remind everyone that protecting the internet is “Our Shared Responsibility.”

In addition, NCSAM 2018 will shine a spotlight on the critical need to build a strong, cyber secure workforce to help ensure families, communities, businesses and the country’s infrastructure are better protected through four key themes:

  • Oct 1-5: Make Your Home a Haven for Online Safety
  • Oct 8-12: Millions of Rewarding Jobs: Educating for a Career in Cybersecurity
  • Oct 15-19: It’s Everyone’s Job to Ensure Online Safety at Work
  • Oct 22-26: Safeguarding the Nation’s Critical Infrastructure

Learn more at StaySafeOnline.org.

Protecting What’s Important: How to Keep Your Family Safe from Online Threats

Online threats come in many forms. Depending on what’s most important to you dictates your online behavior and your diligence for practicing online safety.

For families, protecting the identities and well-being of children is a top priority. A single person may be more concerned about social engineering or account takeover. An older couple may be worried about ransomware locking sensitive or valuable information.

Like businesses, individuals and families should use a layered approach of security controls and technology management to defend against online threats. Implement the below best practices to help protect what’s most important.

Safeguarding Children Online

First and foremost, the safety of children is top of mind for any parent. While you may trust your child, far too many people lurk online waiting to compromise children or their identities.

On social media alone, almost one out of four 8- to 11-year-olds and three out of four 12- to 15-year-olds have a profile. By age 15, 83 percent of children have their own smartphone. By that same age, nearly 99 percent are online at least 21 hours each week. That’s a lot of surface area to protect. And an almost impossible task without the child being taught to continually exercise online awareness.

“Many of today’s parents didn’t grow up in the age of hyper-connectivity, so they aren’t always quite sure how to properly educate their children about cyberawareness without invading too much of their privacy,” said Dr. Chase Cunningham, a cybersecurity industry analyst and co-founder of The Cynja, a cybersecurity education and awareness organization that designs technology and graphic novels to illustrate the importance of online safety to children.


Cunningham, a retired U.S. Navy chief with more than 19 years’ experience in cyberforensic and cyberanalytic operations, has made protecting children online a personal priority.

“It’s important to connect with kids in ways that are comfortable, engaging and effective,” said Cunningham. “While that’s certainly a daunting task, I feel the use of different media and technology — apps, characters, stories — is the smart complement to sound parental oversight. Parents should strike the right balance that works for their family and the specific behavior of their children.”

To get started, many government, non-profit organizations and tech companies provide valuable tools and resources to help empower parents to educate their children on various online threats, including sexual predators, cyberbullying, identity theft, malware prevention and more. Explore these quick-start resources:

Parental Controls and Oversight

While third-party technologies are powerful tools, parental management is still key to safeguarding children from cyber threats. Parents need access to all applications, contacts and websites their children use to communicate with large communities or unknown users — no matter how innocent or benign they appear.

Unfortunately, predators lurk everywhere kids spend time, so a certain level of strict oversight is necessary until children gain better awareness. For example, popular console games like Fortnite are being infiltrated by adults posing as children to maliciously connect with minors. The UK Child Exploitation and Online Protection (CEOP) organization even issued a warning to parents about this type of threat.

The concern spans all apps and sites. Cases involving apps like Snapchat, Instagram and WhatsApp are rampant. While the list evolves by the week, parents should routinely monitor the apps — particularly what’s new or trending — kids use to communicate online. This includes:

  • Snapchat
  • Facebook
  • Twitch
  • Instagram
  • Twitter
  • Mixer
  • Yubo
  • Telegram
  • Musical.ly
  • Bumble
  • WhatsApp
  • TikTok
  • YouTube
  • Sarahah
  • Reddit
  • Kik
  • Whisper
  • Tumblr

While policy-makers and app developers alike are doing more to control and protect underage users, data and privacy, parents should still be the primary line of defense for protecting their kids. Use this general guidance from the FBI to help safeguard children online.

  • Monitor your children’s use of the internet (and connected mobile apps)
  • Remind kids to only add people they know in real life
  • Tell your kids why it’s so important not to disclose personal information online
  • Encourage kids to choose appropriate usernames
  • Check your kids’ profiles and what they post online
  • Talk to your kids about creating strong passwords
  • Explain to your kids that once images are posted online they lose control of them and can never get them back
  • Ask your kids about the people they are communicating with online
  • Restrict your kids from posting photos or personally identifying information (PII) without first gaining your consent
  • Make it a rule with your kids that they can never give out personal information or meet anyone in person without your prior knowledge and consent
  • Instruct your kids to use privacy settings to restrict access to profiles
  • Educate yourself on the websites, software and apps that your child uses; start with the list above

‘Never Stop Patching’

Inside the home, it’s best to assign a primary manager of laptops, mobile phones and IoT devices (e.g., streaming boxes, consoles, security cameras, appliances) to ensure they are routinely updated and patched. Memorize it like a movie quote: “Never stop patching.”

Consistent patching — particularly on computers and mobile devices — is one of the most proven methods of mitigating cyberattacks. It’s for this reason that zero-day threats (i.e., not previously seen before) are the most dangerous to individuals and organizations alike. Real-time solutions, such as the multi-engine Capture Advanced Threat Protection sandbox service can identify and block known and unknown cyberattacks.

While patching hardware like routers, web cams and wireless access points isn’t always so straightforward, manufacturers and developers like Google, Microsoft and Apple have made patching a fairly common, easy-to-do practice. It’s so common, in fact, that Microsoft’s monthly patch update is unofficially named “Patch Tuesday.” The pseudo tradition has been in practice since 2003.

In many cases, operating systems have an “automatic update” option to further simplify the process. It is particularly important to protect your consumer devices and sensitive data from malware and ransomware.

Globally, the SonicWall Capture Threat Network, which includes more than 1 million sensors across the world, recorded 7.8 billion malware attacks (70 percent increase from 2017) and 238.9 million ransomware attacks (108 percent increase) year to date in 2018.

Proactive Password Management

If patching is the No. 1 best practice, proper password creation and management is No. 1B. Two-factor authentication has helped offset the use of weak passwords, but far too many people still reuse passwords across sites, services and applications. Even where the passwords themselves are strong, reusing them leaves users vulnerable to attack.

Many free and paid password management solutions include options specifically for families. The best-known include Dashlane, 1Password and LastPass. While each offers basic encrypted password creation and management, many also feature tools for safely sharing passwords between authorized family members.

“Cybercriminals take advantage of people with poor password health to gain access to sensitive personal and payment information,” said Dashlane’s Eitan Katz in ‘Your Password Health Is the Key to Protecting Your Digital Identity.’ “The best way to prevent these online attacks and ensure that only you have access to your private data is to create complex, unique passwords for each account, and to change passwords that are compromised in a breach or hack immediately.”

More proactive password management services will analyze password health, suggest passwords that should be replaced, and even alert users to breached sites where they may hold an account.

Be Suspicious of Unknown Email

Even though learning how to stop phishing attacks is getting easier, email remains the No. 1 threat vector for cybercriminals. It’s the easiest and most successful approach for cybercriminals to deliver their payload to unsuspecting users or organizations.

Families may not often invest in business-grade secure email solutions, but they should practice consistent awareness about phishing email threats and email hygiene. Is your family aware of the latest email attacks? Take the SonicWall Phishing IQ Test to find out.

Be Smarter on Wi-Fi

There’s nothing more comforting than connecting to Wi-Fi when you’re on the go. It’s an addicting and predictable behavior that cybercriminals feast upon. When remote (e.g., airport, mall, coffee shop), always think three times before connecting to unknown wireless networks. Follow these best practices for ensuring safe connectivity when mobile:

  • Turn off “auto connect” features in your phone’s settings
  • Avoid free or unsecured Wi-Fi signals altogether
  • Look for spoofed Wi-Fi names similar to the location you’re visiting
  • If you must connect, use a virtual private network (VPN)

Most of this guidance has been focused on user behavior, but deploying wireless security at home — even if it’s right out of the box from your ISP — is also recommended. Users comfortable with advanced controls can also take additional steps:

  • Change SSID (Wi-Fi) name and default password
  • Create a separate secure wireless network for friends and guests
  • Hide network(s) altogether
  • Limit the power and range of the wireless signal
  • Monitor connected devices through the router’s management dashboard; revoke access to unknown or suspicious devices
  • Limit the types of devices connected to your network; does your dog’s water dish really need access to the internet?


Cyber Security News & Trends – 09-28-18

Each week, SonicWall collects the cyber security industry’s most compelling, trending and important interviews, media and news stories — just for you.


SonicWall Spotlight

SonicWall Firewalls Named A 2018 Gartner Peer Insights Customers’ Choice – SonicWall Blog

  • With 122 reviews and a 4.3 rating, SonicWall is recognized as a 2018 Gartner Peer Insights Customers’ Choice for Unified Threat Management, reflecting commitment to partners and customers in providing top-tier cyber security solutions, along with an exceptional customer experience to support it.

SonicWall NSa Series Wins Cybersecurity Breakthrough Award as Best Firewall Solution – SonicWall Blog

  • This recognition brings SonicWall to a total of 42 industry honors so far in 2018.

SonicWall CEO Bill Conner On Cybersecurity Trends CEOs Should Know – Chief Executive Magazine

  • SonicWall CEO Bill Conner talks about the cybersecurity trends that CEOs should be paying attention to in this profile by Chief Executive Magazine.

ChannelPro Weekly Podcast: Episode #089 – Mimeographs Are Extinct. Are You? – Channelpro Podcast

  • SonicWall TZ500 Wireless-AC Gen 6 Firewall is the tech pick of the week.

Cyber Security News

Uber Settles Data Breach Investigation for $148 Million – NYTimes

  • In 2016, not wanting to expose a leak, Uber paid big money to a hacker who had gained access to 600,000 drivers’ names and license numbers.

Pennsylvania Senate Democrats paid $700,000 to recover from ransomware attack – ZDNet

  • After falling victim to a ransomware attack, Pennsylvania Senate Democrats refused to pay the $30,000 ransomware demand, opting instead to pay over $700,000 to Microsoft to rebuild its IT infrastructure.

President Trump Unveils America’s First Cybersecurity Strategy in 15 Years – The White House

  • The White House has announced a new National Cyber Strategy that they are calling the first Cybersecurity Strategy in 15 years.

Some Credential-Stuffing Botnets Don’t Care About Being Noticed Any More – The Register (UK)

  • The “low and slow” covert method of malicious logins previously employed has been replaced by some bots with pure volume; one US credit union saw almost 9 thousand attempts per hour.

Qualcomm Accuses Apple of Stealing Its Secrets to Help Intel – Reuters

  • It’s a long-running patent drama, but Qualcomm has filed papers against Apple alleging it used Qualcomm software and log files without permission to “improve the sub-par performance of Intel’s chipsets.”

In Case You Missed It

Most exploited vulnerabilities in this month

SonicWall Threat Research Lab has observed the following vulnerabilities being actively exploited since the beginning of this month. Below is the list of vulnerabilities, vendor advisory information and the SonicWall signatures that protect against these exploits.

CVE-2017-11882 | Microsoft Office EQNEDT32 Stack Buffer Overflow

This is a stack buffer overflow vulnerability in Microsoft Office. The vulnerability is due to incorrect handling of embedded Equation Editor OLE objects in Office documents. A remote attacker could exploit this vulnerability by enticing a user to open a specially crafted file. Successful exploitation could lead to arbitrary code execution under the context of the currently logged on user.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882

GAV: 21982  Malformed.doc.MP.10
GAV: 4094 JScript.Doc_229

CVE-2017-0147 | Microsoft Windows SMB Server SMBv1 CVE-2017-0147 Information Disclosure

This is an information disclosure vulnerability in the SMBv1 component of Microsoft Windows SMB server. The vulnerability is due to improper handling of SMBv1 requests. A remote, unauthenticated attacker could exploit this vulnerability by sending crafted SMB messages to a target server. Successful exploitation could result in the disclosure of sensitive information from the target server.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0147

GAV Cloud ID: 55251134 WannaCrypt

CVE-2010-2568 | Microsoft Windows LNK File Code Execution

This vulnerability exists in Microsoft Windows and may allow execution of arbitrary code on the target machine. It is due to a design weakness in Windows Shell, which parses shortcuts incorrectly in such a way that malicious code may be executed when the crafted file is opened, either manually or automatically, with Windows Explorer. It is most likely to be exploited through removable drives containing malicious LNK files, especially on systems that have AutoPlay enabled.

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-046

IPS: 13508 LNK File HTTP Download 2

CVE-2017-8570 | Microsoft Office Remote Code Execution Vulnerability

This is a remote code execution vulnerability in Microsoft Office. The vulnerability is due to incorrect handling of embedded OLE objects in Office documents. A remote attacker could exploit this vulnerability by enticing a user to open a specially crafted file. Successful exploitation could lead to arbitrary code execution under the context of the currently logged on user. 

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8570

GAV: 32260 JScript.RTF_4

CVE-2013-3346 | Adobe Acrobat Reader ToolButton Use After Free

A use after free vulnerability exists in Adobe Acrobat and Reader. The vulnerability is due to an error in the handling of callback functions associated with ToolButton objects. A remote attacker can exploit this vulnerability by enticing the user to open a specially crafted file. Successful exploitation could result in arbitrary code execution in the context of the currently affected user.

http://www.adobe.com/support/security/bulletins/apsb13-15.html

IPS: 6207 HTTP Client Shellcode Exploit 42

CVE-2010-2883 | Adobe Acrobat and Reader CoolType.dll Stack Buffer Overflow

A code execution vulnerability exists in Adobe Acrobat and Reader. The vulnerability is due to a stack-based buffer overflow error within the CoolType.dll module when handling PDF files containing TTF fonts. Remote attackers could exploit this vulnerability by enticing target users to open a malicious PDF document. Successful exploitation would result in arbitrary code execution in the context of the logged on user.

http://www.adobe.com/support/security/advisories/apsa10-02.html

GAV: 43643 Malformed.pdf.MT.2

CVE-2015-1641 | Microsoft Office Component CVE-2015-1641 Use After Free

This is a remote code execution vulnerability in Microsoft Office. The vulnerability is due to improper manipulation of objects in memory while parsing specially crafted Office files. A remote attacker can exploit this vulnerability by enticing a user to open a maliciously crafted Office file. Successful exploitation could result in code execution in the context of the affected user.

https://technet.microsoft.com/en-us/library/security/ms15-033.aspx

GAV: 43643 Malformed.pdf.MT.2

CVE-2018-8174 | Microsoft Windows VBScript Engine CVE-2018-8174 Use After Free

A memory corruption vulnerability exists in the Microsoft Windows VBScript engine. The vulnerability is due to the way that the VBScript engine handles certain objects in memory.
A remote attacker can exploit this vulnerability by enticing a user to open a crafted web page using Internet Explorer or a crafted Microsoft Office document.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8174

IPS: 4604 HTTP Client Shellcode Exploit 1

CVE-2018-8120 | Win32k Elevation of Privilege Vulnerability

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. This affects Win32k, Windows, Windows Kernel, Windows Common Log File System Driver, DirectX Graphics Kernel and Windows Image. A local, authenticated attacker could exploit these vulnerabilities by running a maliciously crafted application on the target system. Successful exploitation allows the attacker to elevate their privileges to an administrative level on the target.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8120

GAV Cloud Id: 66194921 Btrojan Exploit

The risk posed by these vulnerabilities can be mitigated by upgrading to the latest non-vulnerable version.

LockBkdr ransomware spotted in the wild.

The SonicWall Capture Labs Threat Research Team observed reports of a new variant family of LockBkdr [LockCrypt.BKR] actively spreading in the wild.

LockBkdr encrypts the victim’s files with a strong encryption algorithm and holds them until the victim pays a fee to get them back.

Contents of the LockBkdr ransomware

Infection Cycle:

The Ransomware adds the following files to the system:

  • Malware.exe
    • %App.path%\[File Name].BDKR
    • C:\Windows\searchfiles.exe [copy of the malware]
    • %Userprofile%\Desktop\How To Restore Files.txt
      • Instructions for recovery

The Ransomware adds the following keys to the Windows registry to ensure persistence upon reboot:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Searchfiles
    • C:\Windows\searchfiles.exe

Once the computer is compromised, the Ransomware copies its own executable into the %Systemroot% folder and runs the following commands:

LockBkdr retrieves the list of running processes and terminates every process other than certain system processes, such as those in the following list:

The Ransomware encrypts all the files and appends the .BDKR extension onto each encrypted file’s filename.

After encrypting all personal documents, the Ransomware shows the following webpage, containing a message reporting that the computer has been encrypted and instructing the victim to contact its developer for unlock instructions.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: LockCrypt.BKR (Trojan)

SonicWall Firewalls Honored, Named A 2018 Gartner Peer Insights Customers’ Choice for Unified Threat Management (UTM), Worldwide

The SonicWall mission — defending organizations in a fast-moving cyber arms race — is only possible because of the commitment and loyalty of our partners and customers.

For what we believe is that reason, SonicWall is pleased to have been recognized as a 2018 Gartner Peer Insights Customers’ Choice for Unified Threat Management (UTM), Worldwide.

“The Gartner Peer Insights Customers’ Choice is a recognition of vendors in this market by verified end-user professionals, taking into account both the number of reviews and the overall user ratings,” Gartner said in the official announcement.

To ensure fair evaluation, Gartner maintains rigorous criteria for recognizing vendors with a high customer satisfaction rate. For this distinction, a vendor must have a minimum of 50 published reviews with an average overall rating of 4.2 stars or higher. SonicWall received 122 reviews and a 4.3 rating for Unified Threat Management firewalls as of September 24, 2018. Here are a few snippets from SonicWall reviews provided by real-world customers that contributed to the distinction:

  • “Predominantly, the system is fantastic for our business model and has fantastic capabilities to address site level security.” — Network & Security Manager, Finance
  • “Excellent firewall for a small to medium size business.” — System Administrator
  • “SonicWall is our go-to for security hardware products.” — Project Manager, Services Industry
  • “The ease of use is where the SonicWall OS stands out. As long as you’re familiar with firewall concepts, you’ll be up and running in no time with the TZ [firewall] series. Support is strong and knowledgeable. I felt very comfortable having them hands-on in our production firewall.” — Sr. Network Engineer, Services Industry

Peer Insights is an online platform of ratings and reviews of IT software and services that are written and read by IT professionals and technology decision-makers. The goal is to help IT leaders make more insightful purchase decisions and help technology providers improve their products by receiving objective, unbiased feedback from their customers. Gartner Peer Insights includes more than 70,000 verified reviews in more than 200 markets.

SonicWall Named ‘Challenger’ in Gartner Magic Quadrant for Unified Threat Management

Complementing the Peer Insights Customers’ Choice selection, SonicWall was also named a ‘Challenger’ in the 2018 Gartner Magic Quadrant for Unified Threat Management (SMB Multifunction Firewalls).

Supported by new products and capabilities, including Capture Security Center, Capture Client endpoint protection and SonicWall NSv virtual firewalls, SonicWall continues a consistent trajectory to the upper right. Gartner highlighted the SonicWall Capture Advanced Threat Protection (ATP) sandbox service, along with the innovative Real-Time Deep Memory Inspection™ technology, as a key market differentiator.

In support of the Peer Insights Customers’ Choice selection, the Gartner MQ found that “channel partners and surveyed customers demonstrate high satisfaction with hardware throughput, quality and ease of configuration.”

The Gartner Peer Insights Customers’ Choice logo is a trademark and service mark of Gartner, Inc., and/or its affiliates, and is used herein with permission. All rights reserved. Gartner Peer Insights Customers’ Choice constitute the subjective opinions of individual end-user reviews, ratings, and data applied against a documented methodology; they neither represent the views of, nor constitute an endorsement by, Gartner or its affiliates.

The Evolution of Next-Generation Antivirus for Stronger Malware Defense

Threat detection has evolved from static analysis to dynamic behavioral analysis that detects threatening behavior. Comprehensive layers of defense, properly placed within the network and on the endpoint, provide the best and most efficient detection and response capabilities to match today’s evolving threats.

For years, SonicWall offered endpoint protection utilizing traditional antivirus (AV) capabilities. It relied on what is known as static analysis. The word “static” is just like it sounds. Traditional antivirus used static lists of hashes, signatures, behavioral rules and heuristics to discover viruses, malware and potentially unwanted programs (PUPs). It scanned these static artifacts across the entire operating system and mounted filesystems for retroactive detection of malicious artifacts through scheduled scanning.

Traditional antivirus focuses on pre-execution prevention. That is, all the scanning mechanisms are primarily designed to prevent the execution of malicious binaries. If we go back 20 years, this approach was very effective at blocking the majority of malware, and many antivirus companies capitalized on their execution prevention approaches.

As that technology waned, the provider we had for traditional antivirus discontinued their legacy antivirus solution and SonicWall sought new and more effective alternatives.

Traditional Defenses Fail to Match the Threat

In the past, attackers, determined to beat antivirus engines, focused much of their attention on hiding their activities. At first, the goal of the attacker was to package their executables into archive formats.

Some threat actors utilized multi-layer packaging (for example, placing an executable into a zip then placing the zip into another compression archive such as arj or rar formats). Traditional antivirus engines responded to this by leveraging file analysis and unpacking functions to scan binaries included within them.

Threat actors then figured out ways to leverage documents and spreadsheets, especially Microsoft Word or Excel, which allowed embedded macros which gave way to the “macro virus.”

Antivirus vendors had to become document macro experts, and Microsoft got wise and disabled macros by default in their documents (requiring user enablement). But cybercriminals didn’t stop there. They continued to evolve the way they used content to infect systems.

Fast forward to today. Threat actors now use so many techniques to hide from static analysis engines that the sandbox detection engine became popular.

I often use an analogy to explain a malware sandbox. It’s akin to a petri dish in biology where a lab technician or doctor examines a germ in a dish and watches its growth and behavior using a microscope.

Behavioral Sandbox Analysis

Sandbox technologies allow for detection by monitoring malware behavior within virtual or emulated operating systems. The sandboxes run the malware and record its behavior within these monitored operating systems to investigate its motives. As sandboxing became more prevalent, threat actors redesigned their malware to hide through sandbox evasion techniques.

This led SonicWall to develop advanced real-time memory monitoring to detect malware designed to evade sandbox technology. Today, SonicWall uses a multitude of capabilities — coupled with patent-pending Real-Time Deep Memory Inspection (RTDMI™) — to identify and mitigate malware more effectively than competing solutions.

SonicWall Automated Real-Time Breach Prevention & Detection

The Endpoint Evolves, Shares Intelligence

Next comes the endpoint. As we know, most enterprises and small businesses are mobile today. Therefore, a comprehensive defense against malware, and a comprehensive compliance posture, must protect remote users and devices as they move beyond an organization’s safe perimeter. This places an emphasis on combining network security and endpoint security.

Years ago, I wrote research at Gartner about the gaps in the market. There was a critical need to bridge network, endpoint and other adjacent devices together into a shared intelligence and orchestrated fabric. I called it “Intelligence Aware Security Controls (IASC).”

The core concept of IASC is that an orchestration fabric must exist between different security technology controls. This ensures that each control is aware of a detection event and other shared telemetry so that every security control can take that information and automatically respond to threats that emerge across the fabric.

So, for example, a botnet threat detection at the edge of the network can inform firewalls that are deployed deeper in the datacenter to adjust policies according to the threat emerging in the environment.

As Tomer Weingarten, CEO of SentinelOne said, “Legacy antivirus is simply no match for today’s sophisticated file-based malware, which proliferates much faster than new signatures can be created.”

Limitations of Legacy Antivirus (AV) Technology

To better understand the difference between legacy antivirus (AV) and next-generation antivirus (NGAV), we should know the advantages and unique features of NGAV over legacy signature-based AV solutions. Below are four primary limitations of legacy offerings.

  • Frequent updates. Traditional AV solutions require frequent (i.e., daily or weekly) updates of their signature databases to protect against the latest threats. This approach doesn’t scale well. In 2017 alone, SonicWall collected more than 56 million unique malware samples.
  • Invasive disk scans. Traditional AV solutions recommend recurring disk scans to ensure threats did not get in. These recurring scans are a big source of frustration for end users, as productivity is impacted during lengthy scans.
  • Cloud dependency. Traditional AV solutions are reliant on cloud connectivity for best protection. Signature databases have grown so large that it is no longer possible to push the entire database to the device. So, they keep the vast majority of signatures in the cloud and only push the most prevalent signatures to the agent.
  • Remote risk. In cases where end-users work in cafés, airports, hotels and other commercial facilities, the Wi-Fi provider is supported by ad revenue and encourages users to download the host’s tools (i.e., adware) for free connectivity. These tools or the Wi-Fi access point can easily block access to the AV cloud, which poses a huge security risk.

Switching to Real-time, Behavior-focused Endpoint Protection

Considering these limitations, there is a need for viable replacement of legacy AV solutions. For this reason, SonicWall partnered with SentinelOne to deliver a best-in-class NGAV and malware protection solution: SonicWall Capture Client.

SonicWall Capture Client is a unified endpoint offering with multiple protection capabilities. With a next-generation malware protection engine powered by SentinelOne, Capture Client applies advanced threat protection techniques, such as machine learning, network sandbox integration and system rollback. Capture Client uses automated intelligence to adapt and detect new strains of malware through advanced behavior analytics.

SonicWall Capture Client was a direct response to multiple market trends.

  • First, there has been a detection and response focus, which is why SentinelOne offers our customers the ability to detect and then select the response in workflows (along with a malware storyline).
  • Second, devices going mobile and outside the perimeter meant that backhauling traffic to a network device was not satisfying customers who wanted low latency network traffic for their mobile users (and, frankly, the extra bandwidth costs that go along with it).
  • Third, because of all the evasion techniques that attackers use, a real-time behavioral engine is preferred over a static analysis engine to detect advanced attacks.
  • Fourth, the Capture Client SentinelOne threat detection module’s deep file inspection engine sometimes detects low confidence or “suspicious” files or activities. In these low confidence scenarios, Capture Client engages the advanced sandbox analysis of RTDMI to deliver a much deeper analysis and verdict about the suspicious file/activity.

One crucial feature of the latest Capture Client solution is the ability to record all the behaviors of an attack and the processes involved on an endpoint into an attack storyline — essential for security operations detection, triage and response efforts.

By listening to the market and focusing on the four key points above, SonicWall delivered best-in-class protection for endpoints, and another important milestone in SonicWall’s mission to provide automated, real-time breach detection and prevention.

SonicWall Capture Client combines multiple technologies to provide the most efficient and effective defense against threat actors. The solution should be paired with a defense-in-depth security strategy across all the key layers of transport, including email, network and endpoints.

SonicWall NSa Series Wins Cybersecurity Breakthrough Award as Best Firewall Solution

The CyberSecurity Breakthrough Awards named the SonicWall NSa the best next-generation firewall solution of 2018. The CyberSecurity Breakthrough Awards is an independent organization that recognizes the top companies, technologies and products in the global information security market. SonicWall has won 42 industry honors so far in 2018.

This year alone, SonicWall introduced seven new next-generation NSa firewall models: NSa 3650, 4650, 5650, 6650, 9250, 9450 and 9650. The NSa series works in conjunction with the SonicWall Capture Cloud Platform as part of an end-to-end security solution that delivers integrated cloud-scale management to protect networks, email, endpoints, mobile and remote users.

CyberSecurity Breakthrough judges are experienced senior-level cybersecurity professionals who have personally worked within the information security space, including journalists, analysts and technology executives with experience in a range of information security positions and perspectives. From successful technology startups to veteran industry leaders, the panel of judges brings a balanced perspective of evaluation for the award nominations.

The judges have earned a reputation for fairness and credibility, and are committed to determining the breakthrough nominations for each award category, which includes:

In 2017, SonicWall was named the Cybersecurity Breakthrough Overall Cybersecurity Company of the Year. More than 2,000 nominations from over 12 different countries throughout the world competed for the honor.

How MSSPs & Artificial Intelligence Can Mitigate Zero-Day Threats

So, here’s the problem: unknown zero-day threats are just that — unknown. You have no way (besides historical experience) to predict the next vulnerability avenue that will be exploited. You, therefore, don’t know what will need patching or what extra security layer needs injecting. This ultimately leads to a forecast-costing dilemma, as you cannot predict the man-hours involved.

The other quandary faced when tackling complex targeted zero days is the skills gap. Staffing a security operations center (SOC) with highly skilled cybersecurity professionals comes at a cost and only becomes profitable with economies of scale that a large customer base brings.

Coupled with the shortage of skilled cybersecurity professionals in the open market, how can you get your SOC off the ground? Could artificial intelligence (AI) level the playing field?

Machine Learning Reality Check

Machine learning and behavioral analytics continue to grow and become synonymous with zero-day threat protection. Is this all hype or is it the new reality? The truth is, it is both.

There is a lot of hype, but for good reason: AI works. Big data is needed to see the behaviors and therein the anomalies or outright nefarious activities that human oversight would mostly fail to catch. Delivered as a layered security approach, AI is the only way to truly protect against modern cyber warfare, but not all AI is deterministic and herein lies the hidden cost to your bottom line.

AI-based analysis tools that provide forensics are very powerful, but the horse has bolted by the time they are used. This approach is akin to intrusion detection systems (IDS) versus intrusion prevention systems (IPS). The former are great for retrospective audits, but what is the cleanup cost? This usage of behavioral analysis AI solely for detection is not MSSP-friendly. What you need is automated, real-time breach detection and prevention. Prevention is key.

So, how do you create an effective prevention technology? You need security layers that filter the malware noise, so each can be more efficient at its detection and prevention function than the last. That means signature-based solutions are still necessary. In fact, they are as important as ever as one of the first layers of defense in your arsenal (content filtering comes in at the top spot).

By SonicWall metrics, the ever-growing bombardment of attacks the average network faces stands at 1,200-plus per day (check out the mid-year update to the 2018 SonicWall Cyber Threat Report for more details).

When you do the math, it’s easy to see that with millions of active firewalls, it’s not practical to perform deep analysis on every payload. For the best results, you must efficiently fingerprint and filter everything that has gone before.

Aren’t All Sandboxes Basically the Same?

Only by understanding the behavior of the application and watching what it’s attempting to do, can you uncover malicious intent and criminal action. The best environment to do this is a sandbox, but no SOC manpower in the world could accomplish this with humans at scale. In order to be effective, you must turn to AI.

AI understands the big data coming from behavioral analysis. It can adapt the discovery approach to uncover threats that try to hide and, once determined as malicious, can fingerprint the payload via signature, turning a zero day into a known threat. It is the speed of propagation of this new, known signature to the protection appliances participating in the mesh protection network that drives the efficiencies to discover more threats.
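The two ideas in the paragraphs above, a cheap signature layer that filters out everything already seen so that only genuinely unknown payloads reach expensive behavioral analysis, and a feedback loop that turns each sandbox verdict into a signature shared with every other sensor, can be shown with a small simulation. The following is an added example and not SonicWall code: the "sandbox" is a stand-in heuristic over constructed payloads that declare their actions as text, the hashing layer is a plain SHA-256 lookup, and the propagation step is a dictionary merge between two pipeline instances. It counts how many deep analyses a stream of six payloads costs, and how many a peer that received the learned signatures needs.

```python
"""Added example (not SonicWall code): a two-layer verdict pipeline with
signature feedback and peer propagation. Payloads and the behaviour heuristic
are constructed stand-ins for real samples and a real sandbox."""
import hashlib
from dataclasses import dataclass, field

# Constructed stand-in for sandbox observations: payloads declare their actions as
# semicolon-separated words, and any of these actions is treated as malicious.
MALICIOUS_ACTIONS = {"encrypt_user_files", "kill_processes", "drop_persistence"}


def simulated_behaviour(payload: bytes) -> bool:
    """Stand-in for behavioural analysis: True if the payload performs a malicious action."""
    actions = payload.decode(errors="replace").split(";")
    return any(a.strip() in MALICIOUS_ACTIONS for a in actions)


@dataclass
class Pipeline:
    """Layer 1 is a hash lookup against learned signatures; layer 2 is the
    expensive analysis, whose verdict is written back as a new signature."""
    signatures: dict = field(default_factory=dict)   # sha256 hex digest -> verdict
    deep_analyses: int = 0                           # cost counter for layer 2

    def classify(self, payload: bytes) -> str:
        digest = hashlib.sha256(payload).hexdigest()
        if digest in self.signatures:                # layer 1: known good or known bad
            return self.signatures[digest]
        verdict = self.deep_analysis(payload)        # layer 2: only for unknowns
        self.signatures[digest] = verdict            # feedback: zero-day becomes known
        return verdict

    def deep_analysis(self, payload: bytes) -> str:
        self.deep_analyses += 1
        return "malicious" if simulated_behaviour(payload) else "benign"


def propagate(source: Pipeline, peer: Pipeline) -> int:
    """Mesh propagation: share every learned signature with a peer sensor.
    Returns how many signatures the peer did not already have."""
    new = {d: v for d, v in source.signatures.items() if d not in peer.signatures}
    peer.signatures.update(new)
    return len(new)


# Constructed traffic: six payloads, only three of them distinct.
SAMPLE_STREAM = [
    b"open_document;render",
    b"encrypt_user_files;kill_processes",
    b"open_document;render",
    b"encrypt_user_files;kill_processes",
    b"encrypt_user_files;kill_processes",
    b"update_check;render",
]


def run_demo(stream):
    """Classify a stream on a fresh sensor; return (verdicts, deep analyses, signatures learned)."""
    sensor = Pipeline()
    verdicts = [sensor.classify(p) for p in stream]
    return verdicts, sensor.deep_analyses, len(sensor.signatures)


def peer_demo(stream):
    """A peer that received the first sensor's signatures sees the same stream;
    return how many deep analyses it still had to run."""
    first, peer = Pipeline(), Pipeline()
    for p in stream:
        first.classify(p)
    propagate(first, peer)
    for p in stream:
        peer.classify(p)
    return peer.deep_analyses


if __name__ == "__main__":
    verdicts, cost, learned = run_demo(SAMPLE_STREAM)
    print(verdicts)
    print(f"deep analyses on first sensor: {cost}, signatures learned: {learned}")
    print(f"deep analyses on a peer after propagation: {peer_demo(SAMPLE_STREAM)}")
```

The numbers are the point: six payloads cost three deep analyses on the first sensor and none on a peer that received the learned signatures, which is the efficiency the paragraph above attributes to fast propagation across a large mesh. A real deployment would also expire or re-check signatures, since an exact-hash match is defeated by trivially repacking the payload, which is why the behavioral layer stays in the loop rather than being replaced by the cache.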

Also, it’s the size of the mesh network catchment area that gives you the largest overall service area of attacks, which helps your AI quickly learn from the largest sample data set.

Luckily, SonicWall has you covered on all these fronts. With more than 1 million sensors deployed across 215 territories and countries, SonicWall has one of the largest global footprints of active firewalls. Plus, the cloud-based, multi-engine SonicWall Capture Advanced Threat Protection (ATP) sandbox service discovers and stops unknown, zero-day attacks, such as ransomware, at the gateway with automated remediation.

Our recent introduction of the patent-pending Real-Time Deep Memory Inspection (RTDMI™) technology, which inspects memory in real time, can detect and prevent chip vulnerability attacks such as Spectre, Meltdown and Foreshadow. It’s included with every Capture ATP activation.

At SonicWall, the mantra of automated, real-time breach detection and prevention is fundamental to our security portfolio. It is how our partners drive predictable operational expenditures in the most challenging security environments. Only via connected solutions, utilizing shared intelligence, can you protect against all cyber threat vectors.


A version of this story originally appeared on MSSP Alert and was republished with permission.