New NIST Cybersecurity Policy Provides Guidance, Opportunities for SMBs

Small- and medium-sized businesses (SMBs) are among the segments most heavily targeted by cybercriminals. Now, SMBs are backed by legislation signed by U.S. President Trump and unanimously supported by Congress.

On Aug. 14, President Trump signed into law the new NIST Small Business Cybersecurity Act. The new policy “requires the Commerce Department’s National Institute of Standards and Technology (NIST) to develop and disseminate resources for small businesses to help reduce their cybersecurity risks.”

The legislation was proposed by U.S. Senators Brian Schatz (D-Hawai‘i) and James Risch (R-Idaho). This new policy is a follow-on effort to the Cybersecurity Enhancement Act of 2014, which was the catalyst for the NIST Cybersecurity Framework.

“As businesses rely more and more on the internet to run efficiently and reach more customers, they will continue to be vulnerable to cyberattacks. But while big businesses have the resources to protect themselves, small businesses do not, and that’s exactly what makes them an easy target for hackers,” said Senator Schatz, lead Democrat on the Commerce Subcommittee on Communications, Technology, Innovation, and the Internet, in an official statement. “With this bill set to become law, small businesses will now have the tools to firm up their cybersecurity infrastructure and fight online attacks.”

Per the NIST Small Business Cybersecurity Act (S. 770), within the next year the acting director of NIST, collaborating with the leaders of appropriate federal agencies, must provide cybersecurity “guidelines, tools, best practices, standards, and methodologies” to SMBs that are:

  • Technology-neutral
  • Based on international standards to the extent possible
  • Able to vary with the nature and size of the implementing small business and the sensitivity of the data collected or stored on the information systems
  • Consistent with the national cybersecurity awareness and education program under the Cybersecurity Enhancement Act of 2014
  • Deployed in practical applications and proven via real-world use cases

The law follows the structure presented by U.S. Rep. Dan Webster (R-Florida) and passed by the House of Representatives. He originally presented the bill to the U.S. House Science, Space, and Technology Committee in March 2017.

SonicWall President and CEO Bill Conner also was instrumental in helping form the groundwork for U.S. cybersecurity laws. In 2009, Conner worked with U.S. Senator Jay Rockefeller (D-West Virginia) and other security-conscious leaders on the Cybersecurity Act of 2010 (S.773). And while the proposal was not enacted by Congress in March 2010, it served as a critical framework to today’s modern policies. Rockefeller was eventually the sponsor of the aforementioned Cybersecurity Enhancement Act of 2014 (S.1353), which became law in December 2014.

SMBs Highly Targeted by Cybercriminals, Threat Actors

According to a recent SMB study by ESG, 46 percent of SMB decision-makers said security incidents resulted in lost productivity in their small- or medium-sized business. Some 37 percent were affected by disruption of a business process or processes.

“Criminals target SMBs to extort money or steal valuable data, while nation states use small businesses as a beachhead for attacking connected partners,” wrote ESG senior principal analyst Jon Oltsik for CSO.

In fact, in July 2018 alone, the average SonicWall customer faced escalated volumes of ransomware attacks, encrypted threats and new malware variants.

  • 2,164 malware attacks (28 percent increase from July 2017)
  • 81 ransomware attacks (43 percent increase)
  • 143 encrypted threats
  • 13 phishing attacks each day
  • 1,413 new malware variants discovered by Capture Advanced Threat Protection (ATP) service with RTDMI each day


Leverage NIST Policy, Frameworks

While SMBs await guidance from the new NIST Small Business Cybersecurity Act, they can draw on the NIST Cybersecurity Framework, which helps organizations of all sizes apply best practices to better safeguard their networks, data and applications from cyberattacks.

At a high level, the framework is broken down into three components — Implementation Tiers, Framework Core and Profiles — that each include additional subcategories and objectives. Use these key NIST resources to familiarize your organization with the framework:

Applying Cybersecurity Designed for SMBs

The NIST framework provides a solid foundation to improve an SMB’s security posture. But the technology behind it is critically important to achieving a safe outcome. SonicWall, for instance, is the No. 2 cybersecurity vendor in the SMB space, according to Gartner’s Market Share: Unified Threat Management (SMB Multifunction Firewalls), Worldwide, 2017 report.

With more than 26 years of defending SMBs from cyberattacks, SonicWall has polished and refined cost-effective, end-to-end cybersecurity solutions. These solutions are tailored specifically for small- and medium-sized businesses and can be further customized to meet specific security or business objectives. A sound, end-to-end SMB cybersecurity solution should include:

For example, the SonicWall TZ series of NGFWs is the perfect balance of performance, value and security efficacy for SMBs, and delivers access to the SonicWall Capture ATP sandbox services and Real-Time Deep Memory Inspection™. This integrated combo protects your organization from zero-day attacks, malicious PDFs and Microsoft Office files, and even chip-based Spectre, Foreshadow and Meltdown exploits.

For organizations that want to take it a step further, the SonicWall NSa series of firewall appliances was given a ‘Recommended’ rating by NSS Labs in a 2018 group test. SonicWall topped offerings from Barracuda Networks, Check Point, Cisco, Forcepoint, Palo Alto Networks, Sophos and WatchGuard in both security efficacy and total cost of ownership.

Contact SonicWall to build or enhance your cybersecurity posture for true end-to-end protection from today’s most malicious cyberattacks, online threats and even the latest Foreshadow exploits.

SonicWall solutions are available to SMBs through our vast channel of local security solution providers, many of which are SMBs themselves. In fact, many SonicWall SecureFirst Partners even provide security-as-a-service (SECaaS) offerings to ensure it’s easy and cost-effective for SMBs to protect their business from advanced cyberattacks.


Upgrade Your Firewall for Free

Are you a SonicWall customer who needs to stop the latest attacks? Take advantage of our ‘3 & Free’ program to get the latest in SonicWall next-generation firewall technology — for free. To upgrade, contact your dedicated SecureFirst Partner or begin your upgrade process via the button below.

Report: Business Email Compromise (BEC) Now A $12.5 Billion Scam

Email continues to be the top vector used by cybercriminals, and business email compromise (BEC) is gaining traction as one of the preferred types of email attacks.

BEC attacks do not contain any malware and can easily bypass traditional email security solutions. For cybercriminals, there is no need to invest in highly sophisticated and evasive malware. Instead, they engage in extensive social engineering activities to gain information on their potential targets and craft personalized messages.

What makes these attacks dangerous is that the email usernames and passwords of corporate executives are easily available to cybercriminals on the dark web, presumably due to data breaches of third-party websites or applications.

“Through 2023, business compromise attacks will be persistent and evasive, leading to large financial fraud losses for enterprises and data breaches for healthcare and government organizations,” says Gartner in its recent report, Fighting Phishing – 2020 Foresight 2020.

What is Business Email Compromise?

BEC attacks spoof trusted domains, imitate brands and/or mimic corporate identities. In many cases, the emails appear to come from a legitimate or trusted sender, or from the company CEO, typically asking for wire transfers.

According to the FBI, BEC is defined as a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. This is a very real and growing issue. The FBI has put up a public service announcement saying that BEC is a $12.5 billion scam.

Types of BEC or Email Fraud

Email has been around since the 1960s and the current internet standard for email communication —  Simple Mail Transfer Protocol (SMTP) — was not designed to authenticate senders and verify the integrity of received messages. Therefore, it’s easy to fake or “spoof” the source of an email. This weak sender identification will continue to present opportunities for creative attacks.

For example, here is a screenshot of a recent spoofing email that I encountered. The messaging seemingly originated from my colleague. The displayed sender’s name invokes an immediate recognition for the recipient. But a closer examination of the sender’s domain reveals the suspicious nature of the email.

Now, let’s look at the different types of spoofing techniques a threat actor might use to initiate an attack:

Display Name Spoofing
This is the most common form of BEC attack. In this case, a cybercriminal tries to impersonate a legitimate employee, typically an executive, in order to trick the recipient into taking an action. The domain used could be from a free email service such as Gmail.

Domain Name Spoofing
This includes either spoofing the sender’s “Mail From” to match that of the recipient’s domain in the message envelope, or using a legitimate domain in the “Mail From” value but using a fraudulent “Reply-To” domain in the message header.

Cousin Domain or Lookalike Domain Spoofing
This type of attack relies on creating visual confusion for the recipient. This typically involves using sister domains such as “.ORG” or “.NET” instead of “.COM,” or swapping out characters, such as the numeral “0” for the letter “O,” an uppercase “I” for a lowercase “L.” This is also sometimes referred to as typosquatting.

Compromised Email Account or Account Take Over (ATO)
This is carried out by compromising legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds or data theft.
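The four spoofing patterns above can be checked mechanically at the mail gateway before a person ever sees the message. The following added example (not code from the post or from SonicWall) parses a message's From, Reply-To and Return-Path headers and flags each pattern; the protected domain example.com, the executive roster and the sample messages are all constructed for illustration.

```python
"""Heuristic header checks for the BEC spoofing patterns described above (added example)."""
import email
from email import policy
from email.utils import parseaddr

# Assumptions, constructed for this example: the protected organisation's domain and a
# roster of executives whose display names an attacker is likely to imitate.
OUR_DOMAIN = "example.com"
EXECUTIVES = {"alice smith": "alice.smith@example.com"}

# Character substitutions the post mentions (0 for O, I for l) plus a few common ones.
# Both sides of a comparison go through this table so lookalike domains collapse together.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "i": "l", "5": "s", "3": "e"})


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def skeleton(domain):
    """Collapse confusable characters so 'examp1e.com' compares equal to 'example.com'."""
    return domain.lower().translate(CONFUSABLES)


def second_level(domain):
    """Label left of the TLD (assumes a single-label TLD such as .com/.org/.net)."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else domain


def classify(raw):
    """Return (tag, detail) findings for one RFC 5322 message given as bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    display, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(from_addr)
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    reply_dom = domain_of(reply_addr)
    # Return-Path is the envelope sender as recorded by the receiving MTA (assumption).
    _, envelope = parseaddr(str(msg.get("Return-Path", "")))
    env_dom = domain_of(envelope)

    # Display name spoofing: an executive's name on an address that is not theirs.
    name = " ".join(display.split()).lower()
    if name in EXECUTIVES and from_addr.lower() != EXECUTIVES[name]:
        findings.append(("display-name-spoofing", f"'{display}' via {from_addr}"))

    # Domain name spoofing: From claims our domain while the envelope sender does not
    # (SPF/DKIM/DMARC are the authoritative checks; this is the header-level symptom),
    # or a Reply-To quietly redirects replies to another domain.
    if from_dom == OUR_DOMAIN and env_dom and env_dom != OUR_DOMAIN:
        findings.append(("envelope-mismatch", f"From {from_dom} but Return-Path {env_dom}"))
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply-to-mismatch", f"From {from_dom} but Reply-To {reply_dom}"))

    # Cousin / lookalike domains: same name under another TLD, or confusable characters.
    if from_dom and from_dom != OUR_DOMAIN:
        if second_level(from_dom) == second_level(OUR_DOMAIN):
            findings.append(("cousin-domain", f"{from_dom} resembles {OUR_DOMAIN}"))
        elif skeleton(from_dom) == skeleton(OUR_DOMAIN):
            findings.append(("lookalike-domain", f"{from_dom} resembles {OUR_DOMAIN}"))
    return findings


def tags(raw):
    """Only the finding tags, sorted, for quick comparison."""
    return sorted(tag for tag, _ in classify(raw))


# Constructed sample messages, one per pattern in the post (not real mail).
SAMPLES = {
    "display_name": (b"From: Alice Smith <alice.smith.ceo@gmail.com>\nTo: bob@example.com\n"
                     b"Subject: Urgent wire transfer\n\nBob, please wire the invoice today.\n"),
    "domain_spoof": (b"From: Alice Smith <alice.smith@example.com>\n"
                     b"Reply-To: alice.smith@accounts-desk.invalid\n"
                     b"Return-Path: <bounce@relay.invalid>\nTo: bob@example.com\n"
                     b"Subject: Invoice\n\nReply with the account details.\n"),
    "lookalike": (b"From: Accounts Payable <ap@examp1e.com>\nTo: bob@example.com\n"
                  b"Subject: Updated bank details\n\nSee attached.\n"),
    "cousin": (b"From: Alice Smith <alice.smith@example.org>\nTo: bob@example.com\n"
               b"Subject: Quick favour\n\nAre you at your desk?\n"),
    "clean": (b"From: Alice Smith <alice.smith@example.com>\n"
              b"Return-Path: <alice.smith@example.com>\nTo: bob@example.com\n"
              b"Subject: Lunch\n\nNoon?\n"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, classify(raw))
```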

Best Practices for Stopping BEC Attacks

Concerned your organization could fall prey to business email compromise? Here are some email security best practices that you can implement to protect against sophisticated BEC attacks.

  1. Block fraudulent emails by deploying Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) capabilities.
  2. Enable multi-factor authentication and require regular password changes to stop attacks from compromised accounts.
  3. Establish approval processes for wire transfers.
  4. Deliver periodic user-awareness training for a people-centric approach to combat email attacks.

How to Stop Email Spoofing

Whether it’s CEO fraud, forged emails, business email compromise (BEC), impostor emails or impersonation attacks, all email spoofing attacks present a dangerous risk to organizations. Review the solution brief to gain four key best practices to help mitigate the email spoofing attacks that impact your business.

SonicWall Email Security Wins Coveted 2018 CRN Annual Report Card (ARC) Award

Once again, SonicWall Email Security has been recognized at the top of its class for protecting the No. 1 threat vector: email. The solution was named the overall winner by sweeping the 2018 CRN Annual Report Card (ARC) email security category.

The solution has won three prestigious security awards to date in 2018. This is a testament to the innovation and effort the SonicWall team has invested over the last 18 months in key focus areas: advanced threat protection, administrative ease, product support and channel enablement.

“An ARC award is one of the industry’s most prestigious honors. It symbolizes a vendor’s dedication to delivering high quality and innovative product and program offerings to their channel partners,” said Bob Skelley, CEO, The Channel Company. “CRN’s Annual Report Card provides solution providers with the rare opportunity to offer their invaluable insight on vendors’ products and services, as well as their partner programs. As a result, the technology suppliers are equipped with actionable feedback to bolster their efforts to remain the best-of-the-best.”

The Annual Report Card summarizes results from a comprehensive survey that details solution provider satisfaction across product innovation, support and partnership for hardware, services and software vendors. The vendors with the highest ratings are named to the prestigious Annual Report Card list of winners and celebrated as best-in-class by their partners.

The results also provide the IT vendor community with valuable feedback — directly from their solution providers — that can be used to refine product offerings, enhance support and improve communication with partners.

This year’s group of honorees was selected from the results of an in-depth, invitation-only survey by The Channel Company’s research team. More than 3,000 solution providers were asked to evaluate their satisfaction with more than 65 vendor partners in 24 major product categories.

SonicWall Email Security is a multi-layer solution that protects organizations against advanced email threats such as targeted phishing attacks, ransomware and business email compromise. The key capabilities include:

  • Real-time threat intelligence feeds from over 1 million security sensors deployed globally and delivered through the SonicWall Capture Cloud Platform.
  • Dynamic scanning of suspicious email attachments and embedded URLs using the award-winning, multi-engine SonicWall Capture Advanced Threat Protection (ATP) sandbox service with Real-Time Deep Memory Inspection (RTDMI™).
  • Anti-phishing technology uses a combination of methodologies such as machine learning, heuristics, reputation and content analysis.
  • Powerful antispam and antivirus engines to protect against known malware and spam.

The solution can be deployed as hardened physical appliances, robust virtual appliances or a resilient cloud email security service. And whether an organization uses on-premises email servers or cloud services, such as Microsoft Office 365 or Google G Suite, SonicWall’s solution delivers best-in-class threat protection through seamless and simple integrations.

Given that email continues to be a top attack vector in the cyber arms race, SonicWall is committed to enhancing the solution to better protect its users from advanced email threats.

The 2018 Annual Report Card results can be viewed online at www.crn.com/arc.

Ramnit delivers XMRig Monero Miner

The SonicWall Capture Labs Threat Research Team has come across a variant of the Ramnit trojan dropping a Monero cryptocurrency miner onto the infected system. As cryptocurrency prices continue to drop (at the time of writing), malware authors are still betting on its future success as they steal CPU resources in order to generate long-term profits.

Infection Cycle:

The Trojan drops the following files on the infected system:

  • explores.exe [Detected as: GAV: XMRig.XMR_3 (Trojan)]
  • cresc.log
  • can.log
  • AutoRunApp.vbs
  • <originalfilename>Srv.exe [Detected as: GAV: Ramnit.XMR (Trojan)]

explores.exe and the original Ramnit trojan executable file contain the following metadata:

AutoRunApp.vbs contains the following autorun script:

can.log and cresc.log both contain the following log data. This file is populated with mining job info and stats while mining is in progress:

explores.exe can be seen using considerable CPU power whilst mining is in progress:

Mining transaction data can be seen between the miner (explores.exe) and the mining pool at mine.ppxxmr.com:

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: XMRig.XMR_3 (Trojan)
  • GAV: CoinMiner.MN_3 (Trojan)
  • GAV: CoinMiner.MON (Trojan)
  • GAV: Ramnit.Z (Trojan)
  • GAV: Ramnit.MN (Trojan)

Cyber Security News & Trends – 08-17-18

Each week, SonicWall collects the cyber security industry’s most compelling, trending and important interviews, media and news stories — just for you.


SonicWall Spotlight

New post for PNC’s former CCO – Pittsburgh Biz Journals (US)

  • SonicWall CMO David Chamberlin is featured for his recent appointment to the company following his position as PNC’s former CCO in Pittsburgh, Penn.

Foreshadow Vulnerability (L1TF) Introduces New Risks to Intel Processors – SonicWall Blog

  • Foreshadow, the latest vulnerability to hit microprocessors, comes from the same family as Spectre. SonicWall customers with Capture Advanced Threat Protection (ATP) sandbox service activated are protected.

Cyber Security News

NIST Small Business Cybersecurity Act Becomes Law – Security Week

  • U.S. President Donald Trump signed the NIST Small Business Cybersecurity Act into law on Tuesday (August 14, 2018). It requires NIST to “disseminate clear and concise resources to help small business concerns identify, assess, manage, and reduce their cybersecurity risks.”

Foreshadow and Intel SGX software attestation: ‘The whole trust model collapses’ – The Register

  • In the wake of yet another collection of Intel bugs, The Register had the chance to speak to Foreshadow co-discoverer and University of Adelaide and Data61 researcher Dr Yuval Yarom about its impact.

The state of cybersecurity at small organizations – CSO Online

  • A research survey of 400 cybersecurity professionals in small organizations found that SMBs are being compromised due to human error, ignorance and apathy.

U.S. investor sues AT&T for $224 million over loss of cryptocurrency – Reuters

  • U.S. entrepreneur and cryptocurrency investor Michael Terpin filed a $224 million lawsuit on Wednesday against telecommunications company AT&T, accusing it of fraud and gross negligence in connection with the theft of digital currency tokens from his personal account.

Cryptojacking attacks: One in three organizations say they’ve been hit with mining malware – ZDNet

  • Almost a third of organizations say they’ve been hit by cryptojacking attacks in the last month, as cyber criminals continue their attempts to push malware designed to secretly use processing power to generate cryptocurrency.

Hundreds of Netflix, HBO, DirecTV and Hulu credentials for sale on dark web – SC Magazine

  • Hundreds of stolen Netflix, HBO, DirecTV and Hulu accounts were found for sale at an average price of $8.81, less than the cost of a monthly subscription for most of the services, which range from $7.99 per month for Hulu’s lowest-tier plan to $15 per month for HBO Go.

FBI Warns of Cyber Extortion Scam – Dark Reading

  • Extortion is a very old crime that’s being given new life in the cyber world. A recent public service announcement from the FBI warns computer users to be on the lookout for threats that use stolen information to tailor extortion demands to specific email addresses.

In Case You Missed It

Foreshadow Vulnerability (L1TF) Introduces New Risks to Intel Processors

A group of 10 threat researchers have disclosed a trio of new Spectre-based vulnerabilities that affect Intel chipsets. Named Foreshadow, the threats leverage a CPU design feature called speculative execution to defeat the security controls provided by Intel SGX (Software Guard eXtensions).

“At its core, Foreshadow abuses a speculative execution bug in modern Intel processors, on top of which we develop a novel exploitation methodology to reliably leak plaintext enclave secrets from the CPU cache,” the research team published in its 18-page report Aug. 14.

The vulnerabilities are categorized as L1 Terminal Faults (L1TF). Intel published an overview, impact and mitigation guidance, and issued CVEs for each attack:

The research team found that Foreshadow abuses the same processor vulnerability as the Meltdown exploit, in which an attacker can leverage results of unauthorized memory accesses in transient out-of-order instructions before they are rolled back.

Conversely, Foreshadow uses a different attack model. Its goal is to “compromise state-of-the-art intra-address space enclave protection domains that are not covered by recently deployed kernel page table isolation defenses.”

“Once again, relentless researchers are demonstrating that cybercriminals can use the very architecture of processor chips to gain access to sensitive and often highly valued information,” said SonicWall President and CEO Bill Conner. “Like its predecessors Meltdown and Spectre, Foreshadow is attacking processor, memory and cache functions to extract sought after information. Once gained, side-channels can then be used to ‘pick locks’ within highly secured personal computers or even third-party clouds undetected.”


Does SonicWall protect customers from Foreshadow?

Yes. If a customer has the Capture Advanced Threat Protection (ATP) sandbox service activated, they are protected from current and future file-based Foreshadow exploits, as well as other chip-based exploits, via SonicWall’s patent-pending Real-Time Deep Memory Inspection (RTDMI™) technology.

“Fortunately, prior to Meltdown and Spectre being made public in January 2018, the SonicWall team was already developing Real-Time Deep Memory Inspection (RTDMI™) technology, which proactively protects customers against these very types of processor-based exploits, as well as PDF and Office exploits never before seen,” said Conner.

RTDMI is capable of detecting Foreshadow because RTDMI detection operates at the CPU instruction level and has full visibility into the code as the attack is taking place. This allows RTDMI to detect specific instruction permutations that lead to an attack.

“The guessed-at branch can cause data to be loaded into the cache, for example (or, conversely, it can push other data out of the cache),” explained Ars Technica technology editor Peter Bright. “These microarchitectural disturbances can be detected and measured — loading data from memory is quicker if it’s already in the cache.”

To be successful, cache timing must be “measured” by the attack or it can’t know what is or is not cached. This required measurement is detected by RTDMI and the attack is mitigated.

In addition, RTDMI can also detect this attack via its “Meltdown-style” exploit detection logic, since the user-level process will try to access privileged address space while the attack executes.

Notice

SonicWall customers with the Capture Advanced Threat Protection (ATP) sandbox service activated are NOT vulnerable to file-based Foreshadow processor exploits.

How does Foreshadow impact my business, data or applications?

According to Intel’s official L1TF guidance, each variety of L1TF could potentially allow unauthorized disclosure of information residing in the SGX enclaves, areas of memory protected by the processor.

While no current real-world exploits are known, it’s imperative that organizations running virtual or cloud infrastructure, as well as those with sensitive workloads, apply microcode updates released by Intel (linked below) immediately. Meanwhile, SonicWall Capture Labs will continue to monitor the malware landscape in case these proofs of concept are weaponized.

“This class of attack is something that will not dissipate,” said Conner. “Instead, attackers will only seek to benefit from the plethora of malware strains available to them that they can formulate like malware cocktails to divert outdated technologies, security standards and tactics. SonicWall will continue to innovate and develop our threat detection and prevention arsenal so our customers can mitigate even the most historical of threats.”

What is speculative execution?

Speculative execution takes place when processors execute specific instructions ahead of time (as an optimization technique) before it is known that these instructions actually need to be executed. In conjunction with various branch-prediction algorithms, speculative execution enables significant improvement in processor performance.

What is L1 Terminal Fault?

Intel refers to the specific flaw that enables this class of speculative execution side-channel vulnerabilities as “L1 Terminal Fault” (L1TF). The flaw lies in permission-checking logic terminating too soon when certain parts of memory are (maliciously) marked in a certain manner. For more information, please see Intel’s official definition and explanation of the L1TF vulnerability.

Are chips from other vendors at risk?

According to the research team, only Intel chips are affected by Foreshadow at this time.

What is Real-Time Deep Memory Inspection (RTDMI)?

RTDMI technology identifies and mitigates the most insidious cyber threats, including memory-based attacks. RTDMI proactively detects and blocks unknown mass-market malware — including malicious PDFs and attacks leveraging Microsoft Office documents — via deep memory inspection in real time.

“Our Capture Labs team has performed malware reverse-engineering and utilized machine learning for more than 20 years,” said Conner. “This research led to the development of RTDMI, which arms organizations to eliminate some of the biggest security challenges of all magnitudes, which now includes Foreshadow, as well as Meltdown and Spectre.”

RTDMI is a core multi-technology detection capability included in the SonicWall Capture ATP sandbox service. RTDMI identifies and blocks malware that may not exhibit any detectable malicious behavior or hides its weaponry via encryption.

To learn more, download the complimentary RTDMI solution brief.

How do I protect against Foreshadow vulnerability?

Please consult Intel’s official guidance and FAQ. To defend your organization against future processor-based attacks, including Foreshadow, Spectre and Meltdown, deploy a SonicWall next-generation firewall with an active Capture ATP sandbox license.
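On Linux hosts, whether the microcode and kernel mitigations Intel’s guidance calls for are actually in effect can be read from sysfs. The following added example (not SonicWall’s or Intel’s code) parses the status files under /sys/devices/system/cpu/vulnerabilities, paying particular attention to the L1TF line’s “VMX:” part, which the kernel reports separately for hypervisor hosts; the sample status lines are constructed in the kernel’s own wording.

```python
"""Read the Linux kernel's speculative-execution status files and flag what still needs action."""
from pathlib import Path

# Kernel-exposed status files for the issues discussed in the post (names as used by Linux).
VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
OF_INTEREST = ("l1tf", "meltdown", "spectre_v1", "spectre_v2")

# States that should stop a host from being considered patched.
ACTIONABLE = {"vulnerable", "mitigated-host-only", "unknown"}


def parse_status(name, text):
    """Map one status line to (name, state, raw_text).

    The kernel writes 'Not affected', 'Vulnerable[...]' or 'Mitigation: ...'. For l1tf the
    hypervisor side follows 'VMX:'; 'SMT vulnerable' there means a guest on a sibling
    hyperthread could still read the L1 data cache, so a host running VMs is not finished
    until SMT is disabled or the kernel's l1tf=full option is used.
    """
    text = text.strip()
    if text == "Not affected":
        state = "not-affected"
    elif text.startswith("Mitigation:"):
        state = "mitigated"
    elif text.startswith("Vulnerable"):
        state = "vulnerable"
    else:
        state = "unknown"
    if name == "l1tf" and state == "mitigated" and "SMT vulnerable" in text:
        state = "mitigated-host-only"
    return (name, state, text)


def assess(statuses):
    """Parse a {name: text} mapping, as produced by read_sysfs() or a constructed sample."""
    return [parse_status(name, text) for name, text in statuses.items()]


def needs_action(results):
    """Entries an administrator still has to deal with (missing microcode, SMT exposure, ...)."""
    return [r for r in results if r[1] in ACTIONABLE]


def read_sysfs(directory=VULN_DIR):
    """Collect the status files present on this host (a missing file means an older kernel)."""
    found = {}
    for name in OF_INTEREST:
        path = directory / name
        if path.is_file():
            found[name] = path.read_text()
    return found


# Constructed sample: a host patched for Meltdown and Spectre v1, with PTE inversion active
# for L1TF but SMT still enabled under VMX, and Spectre v2 left unmitigated.
SAMPLE_HOST = {
    "l1tf": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable\n",
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable\n",
}

if __name__ == "__main__":
    statuses = read_sysfs() or SAMPLE_HOST  # fall back to the sample when not on Linux
    results = assess(statuses)
    for name, state, raw in results:
        print(f"{name:10s} {state:20s} {raw}")
    for name, state, _ in needs_action(results):
        print(f"action needed: {name} ({state})")
```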

For small- and medium-sized businesses (SMB), also follow upcoming guidance provided via the new NIST Small Business Cybersecurity Act, which was signed into law on Aug. 14. The new policy “requires the Commerce Department’s National Institute of Standards and Technology to develop and disseminate resources for small businesses to help reduce their cybersecurity risks.”

NIST also offers a cybersecurity framework to help organizations of all sizes leverage best practices to better safeguard their networks, data and applications from cyberattacks.

Stop Memory-Based Attacks with Capture ATP

To mitigate file-based processor vulnerabilities like Meltdown, Spectre and Foreshadow, activate the Capture Advanced Threat Protection service with RTDMI. The multi-engine cloud sandbox proactively detects and blocks unknown mass-market malware and memory-based exploits like Foreshadow.

July 2018 Cyber Threat Intelligence: Malware, Ransomware Attack Volume Still Climbing

Just a month removed from the mid-year update to the 2018 SonicWall Cyber Threat Report, the cyber threat landscape continues its volatile pace.

Analyzing the team’s most recent data, SonicWall Capture Labs threat researchers are recording year-to-date increases for global malware, ransomware, TLS/SSL encrypted attacks and intrusion attempts.

In addition, the SonicWall Capture Advanced Threat Protection sandbox, with Real-Time Deep Memory Inspection (RTDMI™), discovered an average of 1,413 new malware variants per day in July.

Globally, the SonicWall Capture Threat Network, which includes more than 1 million sensors across the world, recorded the following 2018 year-to-date attack data through July 2018:

  • 6,904,296,364 malware attacks (88 percent increase from 2017)
  • 2,216,944,063,598 intrusion attempts (59 percent increase)
  • 215,722,623 ransomware attacks (187 percent increase)
  • 1,730,987 encrypted threats (80 percent increase)

In July 2018 alone, the average SonicWall customer faced:

  • 2,164 malware attacks (28 percent increase from July 2017)
  • 81 ransomware attacks (43 percent increase)
  • 143 encrypted threats
  • 13 phishing attacks each day
  • 1,413 new malware variants discovered by Capture ATP with RTDMI each day

The SonicWall Capture Security Center displays a 70 percent year-over-year increase in ransomware attacks.

SonicWall cyber threat intelligence is available in the SonicWall Security Center, which provides a graphical view of the worldwide attacks over the last 24 hours, countries being attacked and geographic attack origins. This view illustrates the pace and speed of the cyber arms race.

The resource provides actionable cyber threat intelligence to help organizations identify the types of attacks they need to be concerned about, so they can design and test their security posture to ensure their networks, data, applications and customers are properly protected.


Get the Mid-Year Update

Dive into the latest cybersecurity trends and threat intelligence from SonicWall Capture Labs. The mid-year update to the 2018 SonicWall Cyber Threat Report explores how quickly the cyber threat landscape has evolved in just a few months.

Upgrade Your SonicWall Next-Generation Firewall with ‘3 & Free’ Program

Some good things should never end.

One of the most successful promotions in company history, SonicWall’s ‘3 & Free’ incentive is now a permanent component of our Customer Loyalty program.

In an escalated cyber threat landscape, it’s more important than ever to ensure your organization’s networks, data and applications are protected against today’s most malicious cyberattacks, including the most recent Foreshadow processor exploits. In fact, in July 2018 alone, the average SonicWall customer faced:

  • 2,164 malware attacks (28 percent increase from July 2017)
  • 81 ransomware attacks (43 percent increase)
  • 143 encrypted threats
  • 13 phishing attacks each day
  • 1,413 new malware variants discovered each day by SonicWall Capture Advanced Threat Protection (ATP) sandbox with Real-Time Deep Memory Inspection™

When you upgrade your SonicWall hardware you gain the latest in next-generation firewall (NGFW) technology and access to the SonicWall Capture Advanced Threat Protection (ATP) service. It’s a cloud-based, multi-engine sandbox that stops both known and unknown cyberattacks from critically impacting your business.

What is the SonicWall ‘3 & Free’ Program?


Once a limited-time promotion, the SonicWall ‘3 & Free’ is now a mainstay offering to loyal SonicWall customers. It’s an easy, cost-effective way for customers to upgrade to the very latest SonicWall next-generation firewall appliance for free.

Eligible customers may receive a complimentary NGFW appliance by purchasing a bundle that includes a three-year subscription of the SonicWall Advanced Gateway Security Suite from their authorized SonicWall SecureFirst partner.

This security suite includes everything you need to stay protected against today’s modern attacks, including ransomware, encrypted threats, zero-day attacks and processor-based exploits. It offers:

  • Capture Advanced Threat Protection (ATP) sandbox
  • Gateway Anti-Virus and Anti-Spyware
  • Intrusion Prevention Service
  • Application Control
  • Content Filtering Service
  • 24×7 Support

SonicWall’s exclusive security subscription service also includes SonicWall Real-Time Deep Memory Inspection (RTDMI). A patent-pending technology, RTDMI™ enables Capture ATP to detect and block malware that does not exhibit any malicious behavior or hides weaponry via encryption. This protects your organization from zero-day attacks, malicious PDFs and Microsoft Office files, and even chip-based Spectre, Foreshadow and Meltdown exploits.

Upgrade Your SonicWall Firewall

Ready to upgrade? Take advantage of our ‘3 & Free’ program to get the latest in SonicWall next-generation firewall technology — for free. To upgrade, contact your dedicated SecureFirst Partner or begin your upgrade process via the button below.

Microsoft Security Update August 2018

Zero-day CVEs in the wild:

Find below the two zero-day CVEs for which SonicWall has provided protection with the specified signatures.

CVE-2018-8414 Windows Shell Remote Code Execution Vulnerability

This is publicly known and being exploited in the wild. File formats that Windows treats as safe have been abused by attackers to run malicious shell commands. Remote code execution can be achieved with minimal to no user interaction.

GAV: 15756 DeepLink.B_3

CVE-2018-8373 Internet Explorer Memory Corruption Vulnerability

A memory corruption vulnerability exists in the Microsoft Windows VBScript engine due to incorrect handling of a dynamic Array variable. A remote attacker can exploit this vulnerability by enticing a user to open a crafted web page using Internet Explorer or a crafted Microsoft Office document.

IPS: 13465 Scripting Engine Memory Corruption Vulnerability (AUG 18) 3

Critical & Important vulnerabilities:

Find below the other critical & important vulnerabilities for which SonicWall has provided protection with the specified signatures:

CVE-2018-8266 Chakra Scripting Engine Memory Corruption Vulnerability
IPS: 13463 Chakra Scripting Engine Memory Corruption Vulnerability (AUG 18) 1
CVE-2018-8344 Microsoft Graphics Remote Code Execution Vulnerability
IPS: 13464 Microsoft Graphics Remote Code Execution Vulnerability (AUG 18)
CVE-2018-8345 LNK Remote Code Execution Vulnerability
SPY: 5225 Malformed-File lnk.MP.3
CVE-2018-8353 Scripting Engine Memory Corruption Vulnerability
IPS: 13458 Scripting Engine Memory Corruption Vulnerability (AUG 18) 1
CVE-2018-8355 Chakra Scripting Engine Memory Corruption Vulnerability
IPS: 13454 Scripting Engine Memory Corruption Vulnerability (AUG 18) 2
CVE-2018-8371 Internet Explorer Memory Corruption Vulnerability
IPS: 11663 Scripting Engine Memory Corruption Vulnerability 1
CVE-2018-8372 Chakra Scripting Engine Memory Corruption Vulnerability
IPS: 13454 Scripting Engine Memory Corruption Vulnerability (AUG 18) 1
CVE-2018-8376 Microsoft PowerPoint Remote Code Execution Vulnerability
SPY: 5221 Malformed-File pps.MP.2
CVE-2018-8379 Microsoft Excel Remote Code Execution Vulnerability
IPS: 13456 Microsoft Excel Remote Code Execution (AUG 18)
CVE-2018-8383 Microsoft Edge Spoofing Vulnerability
IPS: 13455 Microsoft Edge Spoofing Vulnerability (AUG 18)
CVE-2018-8384 Chakra Scripting Engine Memory Corruption Vulnerability
IPS: 13459 Chakra Scripting Engine Memory Corruption Vulnerability (AUG 18) 3
CVE-2018-8387 Microsoft Edge Memory Corruption Vulnerability
IPS: 13460 Microsoft Edge Memory Corruption Vulnerability (AUG 18)
CVE-2018-8389 Internet Explorer Memory Corruption Vulnerability
IPS: 13461 Internet Explorer Memory Corruption Vulnerability (AUG 18)
CVE-2018-8403 Microsoft Browser Memory Corruption Vulnerability
IPS: 13462 Microsoft Browser Memory Corruption Vulnerability (AUG 18)
CVE-2018-8401 DirectX Graphics Kernel Elevation of Privilege Vulnerability
GAV: CVE-2018-8401 (Exploit)
CVE-2018-8404 Win32k Elevation of Privilege Vulnerability
GAV: CVE-2018-8404 (Exploit)
CVE-2018-8405 DirectX Graphics Kernel Elevation of Privilege Vulnerability
GAV: CVE-2018-8405 (Exploit)
CVE-2018-8406 DirectX Graphics Kernel Elevation of Privilege Vulnerability
GAV: CVE-2018-8406 (Exploit)

Find below the additional vulnerabilities that are not active or publicly known. SonicWall may release signatures as vulnerability information becomes available:

CVE-2018-0952 Diagnostic Hub Standard Collector Elevation Of Privilege Vulnerability
CVE-2018-8200 Device Guard Code Integrity Policy Security Feature Bypass Vulnerability
CVE-2018-8204 Device Guard Code Integrity Policy Security Feature Bypass Vulnerability
CVE-2018-8253 Cortana Elevation of Privilege Vulnerability
CVE-2018-8273 Microsoft SQL Server Remote Code Execution Vulnerability
CVE-2018-8302 Microsoft Exchange Memory Corruption Vulnerability
CVE-2018-8316 Internet Explorer Remote Code Execution Vulnerability
CVE-2018-8338 Windows DHCP Server Remote Code Execution Vulnerability
CVE-2018-8339 Windows Installer Elevation of Privilege Vulnerability
CVE-2018-8340 ADFS Security Feature Bypass Vulnerability
CVE-2018-8341 Windows Kernel Information Disclosure Vulnerability
CVE-2018-8342 Windows NDIS Elevation of Privilege Vulnerability
CVE-2018-8343 Windows NDIS Elevation of Privilege Vulnerability
CVE-2018-8346 LNK Remote Code Execution Vulnerability
CVE-2018-8347 Windows Kernel Elevation of Privilege Vulnerability
CVE-2018-8348 Windows Kernel Information Disclosure Vulnerability
CVE-2018-8349 Microsoft COM for Windows Remote Code Execution Vulnerability
CVE-2018-8350 Windows PDF Remote Code Execution Vulnerability
CVE-2018-8351 Microsoft Edge Information Disclosure Vulnerability
CVE-2018-8357 Internet Explorer Elevation of Privilege Vulnerability
CVE-2018-8358 Microsoft Edge Information Disclosure Vulnerability
CVE-2018-8359 Scripting Engine Information Disclosure Vulnerability
CVE-2018-8360 .NET Framework Information Disclosure Vulnerability
CVE-2018-8370 Microsoft Edge Information Disclosure Vulnerability
CVE-2018-8374 Microsoft Exchange Elevation of Privilege Vulnerability
CVE-2018-8377 Microsoft Edge Memory Corruption Vulnerability
CVE-2018-8378 Microsoft Office Information Disclosure Vulnerability
CVE-2018-8380 Chakra Scripting Engine Memory Corruption Vulnerability
CVE-2018-8381 Chakra Scripting Engine Memory Corruption Vulnerability
CVE-2018-8382 Microsoft Excel Information Disclosure Vulnerability
CVE-2018-8385 Scripting Engine Memory Corruption Vulnerability
CVE-2018-8388 Microsoft Edge Elevation of Privilege Vulnerability
CVE-2018-8390 Scripting Engine Memory Corruption Vulnerability
CVE-2018-8394 Windows GDI Information Disclosure Vulnerability
CVE-2018-8395 Microsoft Edge Spoofing Vulnerability
CVE-2018-8396 Windows GDI Information Disclosure Vulnerability
CVE-2018-8397 GDI+ Remote Code Execution Vulnerability
CVE-2018-8398 Windows GDI Information Disclosure Vulnerability
CVE-2018-8399 Win32k Elevation of Privilege Vulnerability
CVE-2018-8400 DirectX Graphics Kernel Elevation of Privilege Vulnerability
CVE-2018-8412 Microsoft (MAU) Office Elevation of Privilege Vulnerability

Adobe Flash Security Bulletin APSB18-25

CVE-2018-12824  Out-of-bounds read
SPY: 5219 Malformed-File swf.MP.223
CVE-2018-12825  Security bypass
SPY: 5223 Malformed-File swf.MP.225
CVE-2018-12826  Out-of-bounds read
SPY: 5222 Malformed-File swf.MP.224
CVE-2018-12827  Out-of-bounds read
SPY: 5224 Malformed-File swf.MP.226
CVE-2018-12828 Use of a component with a known vulnerability

Adobe Reader Security Bulletin APSB18-29

CVE-2018-12799 Untrusted pointer dereference
SPY: 5220 Malformed-File pdf.MP.319
CVE-2018-12808 Out-of-bounds write

Jenkins CI Server at Risk: High-Risk Vulnerability

Jenkins is an open-source build automation tool written in Java. It is the most widely used tool for Continuous Integration (CI) and Continuous Delivery (CD). It offers hundreds of plugins to support software build, deployment and test automation. The Jenkins CI server runs on servlet containers such as Apache Tomcat. It supports various version control systems such as Subversion, Git, CVS and Perforce.

A serious policy bypass vulnerability has been reported in the Jenkins CI server (CVE-2018-1999001). It is caused by insufficient validation of login requests by the Jenkins instance. A remote attacker could exploit this vulnerability by sending a crafted HTTP request to a vulnerable Jenkins CI server. Successful exploitation causes Jenkins to revert to default settings, granting administrator access to anonymous users.

CVE-2018-1999001:

Unauthenticated users could provide maliciously crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. This configuration file contains basic configuration of Jenkins, including the selected security realm and authorization strategy. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users.

Root configuration file: JENKINS_HOME\config.xml

[ This contains basic configuration of the Jenkins instance. ]

User Configuration file: JENKINS_HOME\users\<username>\config.xml

[This contains user information such as the user's password and role.]

When a user attempts to log in to the Jenkins web interface, the following HTTP POST request is sent to the Jenkins instance:

Upon receiving the login request, the Jenkins instance calls the getOrCreate() function. getOrCreate() checks whether the current path to the user's config.xml file contains any unsanitized directory traversal characters. If such characters are found, the config.xml file is moved to a different file path; this move was introduced to fix another vulnerability.

Fig:1 code snippet from User.java in Jenkins

If a user attempts to log in with the username “..”, the config file path becomes JENKINS_HOME\users\..\config.xml, i.e. JENKINS_HOME\config.xml. The ‘if’ statement (unsanitizedLegacyConfigFile exists and contains bad characters) therefore passes. As a result, the Jenkins instance moves config.xml to a different path, JENKINS_HOME/$002e$002e/config.xml. When Jenkins is restarted without config.xml in the home directory, it reverts to default settings, allowing administrator access to anonymous users.
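To make the traversal concrete from the defender's side, here is an added Python example (not Jenkins code, and not from the SonicWall post). It reproduces the path resolution described above for a username of “..”, shows a hardened variant that canonicalises the user's config path and refuses anything that leaves the users directory, and audits a JENKINS_HOME layout for the two symptoms the write-up names: a missing root config.xml and a relocated $002e$002e directory. The function names, the username allow-list and the throwaway directory layout are assumptions made for the example; the audit looks for the relocated directory under both JENKINS_HOME and JENKINS_HOME/users, which goes slightly beyond the single path quoted above.

```python
"""Path-traversal check and post-incident audit for the config.xml
relocation described above (CVE-2018-1999001).

Added illustration for this write-up, not Jenkins code.  Function names,
the username allow-list and the sample JENKINS_HOME layout are
assumptions; the paths themselves follow the ones given in the text."""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Assumed allow-list for usernames (not a Jenkins rule): letters, digits
# and a few punctuation marks.  Path separators are rejected outright;
# "." and ".." are handled explicitly below because the dot is allowed.
SAFE_USERNAME = re.compile(r"[A-Za-z0-9_.@-]+")


def naive_user_config_path(jenkins_home: str, username: str) -> Path:
    """Join the username into the path without validation.  A username of
    ".." climbs out of users/ and resolves to the root config.xml."""
    raw = Path(jenkins_home) / "users" / username / "config.xml"
    return Path(os.path.realpath(raw))


def safe_user_config_path(jenkins_home: str, username: str) -> Path:
    """Hardened variant: allow-list the name, then canonicalise the result
    and require it to remain below the users directory."""
    if username in (".", "..") or not SAFE_USERNAME.fullmatch(username):
        raise ValueError(f"rejected username {username!r}")
    users_dir = Path(os.path.realpath(Path(jenkins_home) / "users"))
    target = Path(os.path.realpath(users_dir / username / "config.xml"))
    if users_dir not in target.parents:
        raise ValueError(f"username {username!r} escapes {users_dir}")
    return target


def audit_jenkins_home(jenkins_home: str) -> List[str]:
    """Defender check for the symptoms named in the write-up: a missing
    root config.xml (a restart would then grant anonymous users admin)
    and any relocated directory whose name carries the escaped dots
    ("$002e").  Returns findings; an empty list means nothing was seen."""
    home = Path(jenkins_home)
    findings: List[str] = []
    if not (home / "config.xml").is_file():
        findings.append("root config.xml missing: a restart would grant anonymous admin")
    for base in (home, home / "users"):
        if not base.is_dir():
            continue
        for entry in base.iterdir():
            if entry.is_dir() and "$002e" in entry.name:
                findings.append(f"relocated config directory: {entry}")
    return findings


def build_sample_home(root: str, compromised: bool) -> str:
    """Construct a throwaway JENKINS_HOME (sample data for this example).
    With compromised=True it mimics the state after the malicious login:
    the root config.xml has been moved under $002e$002e/."""
    home = Path(root) / "jenkins_home"
    (home / "users" / "alice").mkdir(parents=True)
    (home / "users" / "alice" / "config.xml").write_text("<user/>")
    if compromised:
        (home / "$002e$002e").mkdir()
        (home / "$002e$002e" / "config.xml").write_text("<hudson/>")
    else:
        (home / "config.xml").write_text("<hudson/>")
    return str(home)


def run_demo() -> Dict[str, object]:
    """Exercise every function on both sample layouts and return the
    results so they can be checked rather than only printed."""
    out: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as tmp:
        home = build_sample_home(tmp, compromised=False)
        root_cfg = Path(os.path.realpath(Path(home) / "config.xml"))
        out["naive_dotdot_hits_root"] = naive_user_config_path(home, "..") == root_cfg
        out["safe_alice_ok"] = safe_user_config_path(home, "alice").name == "config.xml"
        rejected = []
        for name in ("..", ".", "../../etc", "a/b"):
            try:
                safe_user_config_path(home, name)
            except ValueError:
                rejected.append(name)
        out["rejected"] = rejected
        out["healthy_findings"] = audit_jenkins_home(home)
    with tempfile.TemporaryDirectory() as tmp:
        home = build_sample_home(tmp, compromised=True)
        out["compromised_findings"] = audit_jenkins_home(home)
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The canonical-path comparison is the check that matters: an allow-list alone is easy to get wrong (note that the assumed pattern still admits “..”, which is why it is rejected by name as well), whereas resolving the path and insisting it stays below the users directory catches any spelling of a traversal. On a live server, the audit function is the quick triage step: a missing root config.xml or a directory with “$002e” in its name is reason to restore the configuration from backup and review who has logged in since.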

Patch:
SonicWall has observed attackers leveraging this vector. We strongly recommend that all customers update Jenkins to version 2.133.
Find below the security advisory from Jenkins:

https://jenkins.io/security/advisory/2018-07-18/#SECURITY-897

SonicWall Threat Research Lab provides protection against this exploit with the following signature:

  • IPS: Jenkins CI Server Authentication Bypass