5 Cyberattack Vectors for MSSP to Mitigate in Healthcare

It’s no secret that healthcare continues to be one of the most targeted industries for cybercriminals. Healthcare providers store and maintain some of the most valuable data and the appetite for fraudulent claims or fake prescription medications is insatiable.

Despite all of the regulations, there are still fewer watchdogs overseeing healthcare. For many providers, cyber security hasn’t been a priority until very recently.

With more and more organizations reaching out to cyber security experts for assistance, it’s more important than ever that managed security services providers (MSSPs) understand the healthcare industry so that they can tailor solutions aimed at improving the security posture of healthcare providers.

Inside Users Present the Greatest Threat

According to a 2018 survey of cyber security professionals conducted by HIMSS, over 60 percent of threat actors are internal users within a healthcare organization. Email phishing and spear-phishing attempts are aimed at tricking users into providing credentials or access to information for cybercriminals. Negligent insiders, who have access to trusted information, can facilitate data breaches or cyber incidents while trying to be helpful.

In addition to systematically monitoring and protecting infrastructure components, MSSPs need to consider a multi-faceted campaign that creates a cyber security awareness culture within healthcare organizations. This campaign should include template policies and procedures for organizations to adopt, regular and routine training efforts, and human (social-engineering) penetration testing.

From a systems perspective, it's important to have tools that do everything possible to mitigate cyberattacks. Useful tools include next-generation email security to block phishing and spear-phishing attempts, endpoint security that monitors behavior with heuristic techniques, and routing of internal traffic through a next-generation firewall that performs deep packet inspection (DPI) on everything traversing the network, especially encrypted traffic.

Mobile Devices Open Large Attack Surfaces

Mobile devices have changed the way that we do just about everything. And the same is true for the manner in which healthcare conducts business.

To enable mobility and on-demand access, many electronic health record (EHR) applications have dedicated apps that give mobile devices access to portions of the EHR software. The widespread adoption of mobile devices and BYOD trends are pushing healthcare to adopt new business models and workflows. Cyber risk mitigation must be a priority as that momentum continues to build.

MSSPs need to pay very careful attention to the access that mobile devices have to the EHR application, whether it is hosted on-premises or in the cloud. For more protection, implement a mobile device management (MDM) solution if the organization doesn't already have one.

IoT Leaves Many Healthcare Providers at Risk

The Internet of Things (IoT) is bringing connectivity and statistical information to providers in near real-time while offering incredible convenience to the patient. Even wearable devices have immense capabilities to monitor chronic illnesses such as heart disease, diabetes and hypertension. With these devices comes an incredible opportunity for hackers and an immense threat for healthcare providers.

IoT devices tend to have weaker protections than typical computers. Many IoT devices do not receive software or firmware updates on any regular cadence even though all of them are connected to the internet. There are many manufacturers of IoT devices, and they are distributed through many channels. There are no standards or controls regarding passwords, encryption, or chain-of-custody tracking to see who has handled a device.

If it’s feasible for the organization, totally isolate any IoT-connected devices to a secure inside network not connected to the internet (i.e., air gapped).

Encryption for Data at Rest Is Critical

For healthcare providers, it's equally important to have strong encryption for both data at rest and data in transit. Encryption for data at rest includes ensuring the software managing PHI doesn't rely on a single weak key that could unlock everyone's PHI. If at all possible, records should be encrypted with unique keys so that one exposed key doesn't open the door to everyone's information.

Attacks Are Hiding within Encrypted Traffic

MSSPs serving healthcare organizations need to realize that there is no single layer of defense they can rely on. That said, perhaps the most important layer is the firewall.

A next-generation firewall with DPI capabilities is a critical component of securing a healthcare network. Even internal traffic traversing the network should be routed through the firewall to prevent any malicious traffic from spreading across the entire LAN and to log transactions.

As much as possible, isolate medical devices and software applications that host PHI inside a secure network zone and protect that zone with an internal DPI-capable firewall that will only allow access to authorized services and IP addresses.


About ProviNET

ProviNET is a SonicWall SecureFirst Gold Partner. For nearly three decades, ProviNET has delivered trusted technology solutions for healthcare organizations. Whether it’s a single project or full-time onsite work, ProviNET designs and implements customized solutions so healthcare organizations can focus on core services.

ProviNET’s tight-knit group of experienced, industry-certified personnel are focused on customer satisfaction. They are a reputable organization, fulfilling immediate IT needs and helping plan for tomorrow. They are ready to put their extensive knowledge to work for healthcare, developing strategies and solving challenges with the latest technology.

To learn more about ProviNET, please visit www.provinet.com.

Microsoft Security Bulletin Coverage for July 2018

SonicWall Capture Labs Threats Research Team has analyzed and addressed Microsoft's security advisories for the month of July 2018. A list of the issues reported, along with SonicWall coverage information, is as follows:

CVE-2018-0949 Internet Explorer Security Feature Bypass Vulnerability
IPS : 13412 Internet Explorer Security Feature Bypass Vulnerability (JUL 18)
CVE-2018-8125 Chakra Scripting Engine Memory Corruption Vulnerability
IPS : 13418 Chakra Scripting Engine Memory Corruption Vulnerability (JUL 18)
CVE-2018-8171 ASP.NET Core Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2018-8172 Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8202 .NET Framework Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8206 Windows FTP Server Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2018-8222 Device Guard Code Integrity Policy Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2018-8232 Microsoft Macro Assembler Tampering Vulnerability
There are no known exploits in the wild.
CVE-2018-8238 Skype for Business and Lync Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2018-8242 Scripting Engine Memory Corruption Vulnerability
IPS : 13414 Scripting Engine Memory Corruption Vulnerability (JUL 18) 4
CVE-2018-8260 .NET Framework Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8262 Microsoft Edge Memory Corruption Vulnerability
IPS : 13415 Microsoft Edge Memory Corruption Vulnerability (JUL 18) 1
CVE-2018-8274 Microsoft Edge Memory Corruption Vulnerability
IPS : 13417 Microsoft Edge Memory Corruption Vulnerability (JUL 18) 2
CVE-2018-8275 Scripting Engine Memory Corruption Vulnerability
IPS : 13416 Scripting Engine Memory Corruption Vulnerability (JUL 18) 5
CVE-2018-8276 Scripting Engine Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2018-8278 Microsoft Edge Spoofing Vulnerability
IPS : 13419 Microsoft Edge Spoofing Vulnerability (JUL 18)
CVE-2018-8279 Scripting Engine Memory Corruption Vulnerability
IPS : 13420 Microsoft Edge Memory Corruption Vulnerability (JUL 18) 3
CVE-2018-8280 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2018-8281 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8282 Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8283 Scripting Engine Memory Corruption Vulnerability
IPS : 13421 Scripting Engine Memory Corruption Vulnerability (JUL 18) 6
CVE-2018-8284 .NET Framework Remote Code Injection Vulnerability
There are no known exploits in the wild.
CVE-2018-8286 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2018-8287 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2018-8288 Scripting Engine Memory Corruption Vulnerability
IPS : 13422 Scripting Engine Memory Corruption Vulnerability (JUL 18) 7
CVE-2018-8289 Microsoft Edge Information Disclosure Vulnerability
IPS : 13423 Microsoft Edge Information Disclosure Vulnerability (JUL 18) 3
CVE-2018-8290 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2018-8291 Scripting Engine Memory Corruption Vulnerability
IPS : 13407 Scripting Engine Memory Corruption Vulnerability (JUL 18) 1
CVE-2018-8294 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2018-8296 Scripting Engine Memory Corruption Vulnerability
IPS : 13410 Scripting Engine Memory Corruption Vulnerability (JUL 18) 3
CVE-2018-8297 Microsoft Edge Information Disclosure Vulnerability
IPS : 13408 Microsoft Edge Information Disclosure Vulnerability (JUL 18) 1
CVE-2018-8298 Scripting Engine Memory Corruption Vulnerability
IPS : 13409 Scripting Engine Memory Corruption Vulnerability (JUL 18) 2
CVE-2018-8299 Microsoft SharePoint Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8300 Microsoft SharePoint Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8301 Microsoft Edge Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2018-8304 Windows DNSAPI Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2018-8305 Windows Mail Client Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8306 Microsoft Wireless Display Adapter Command Injection Vulnerability
There are no known exploits in the wild.
CVE-2018-8307 WordPad Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2018-8308 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8309 Windows Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2018-8310 Microsoft Office Tampering Vulnerability
There are no known exploits in the wild.
CVE-2018-8311 Remote Code Execution Vulnerability in Skype For Business and Lync
There are no known exploits in the wild.
CVE-2018-8312 Microsoft Access Remote Code Execution Use After Free Vulnerability
There are no known exploits in the wild.
CVE-2018-8313 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8314 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8319 MSR JavaScript Cryptography Library Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2018-8323 Microsoft SharePoint Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8324 Microsoft Edge Information Disclosure Vulnerability
IPS : 13411 Microsoft Edge Information Disclosure Vulnerability (JUL 18) 2
CVE-2018-8325 Microsoft Edge Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8326 Open Source Customization for Active Directory Federation Services XSS Vulnerability
There are no known exploits in the wild.
CVE-2018-8327 PowerShell Editor Services Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8356 .NET Framework Security Feature Bypass Vulnerability
There are no known exploits in the wild.

Adobe Flash (APSB18-24) and Adobe Reader (APSB18-21) Coverage:

CVE-2018-5007 Arbitrary Code Execution
ASPY: 5192 Malformed-File swf.MP.595
CVE-2018-5008 Information Disclosure
ASPY: 5189 Malformed-File swf.MP.594

CVE-2018-5028 Heap Overflow
ASPY: 5188 Malformed-File xps.MP.5
CVE-2018-5040 Heap Overflow
ASPY: 5184 Malformed-File pdf.MP.317
CVE-2018-5052 Heap Overflow
ASPY: 5185 Malformed-File pdf.MP.318
CVE-2018-5061 Out-of-bounds read
ASPY: 5186 Malformed-File emf.MP.63
CVE-2018-12789 Out-of-bounds read
ASPY: 5187 Malformed-File emf.MP.64

Ransomware Surges, Encrypted Threats Reach Record Highs in First Half of 2018

To ensure organizations are aware of the latest cybercriminal attack behavior, today SonicWall published a mid-year update to the 2018 SonicWall Cyber Threat Report.

“The cyber arms race is moving faster than ever with bigger consequences for enterprises, government agencies, educational and financial institutions, and organizations in targeted verticals,” said SonicWall CEO Bill Conner in the official announcement.

Cyber threat intelligence is a key weapon in organizations’ fight against criminal organizations within the fast-moving cyber arms race. The mid-year update outlines key cyberattack trends and real-world threat data, including:

Data for the annual SonicWall Cyber Threat Report is gathered by the SonicWall Capture Threat Network, which sources information from global devices and resources including more than 1 million security sensors in nearly 200 countries and territories.

“SonicWall has been using machine learning to collect, analyze and leverage cyber threat data since the ‘90s,” said Conner. “This commitment to innovation and emerging technology is part of the foundation that helps deliver actionable threat intelligence, security efficacy and automated real-time breach detection and prevention to our global partners and customers.”

Get the Mid-Year Update

Dive into the latest cybersecurity trends and threat intelligence from SonicWall Capture Labs. The mid-year update to the 2018 SonicWall Cyber Threat Report explores how quickly the cyber threat landscape has evolved in just a few months.


6 Reasons to Switch to SonicWall Capture Client from Sophos Intercept X

While Sophos claims to be a leading next-generation antivirus solution, are they really able to protect your organization’s endpoints — not to mention the rest of your network — in today’s threat landscape?

SonicWall Capture Client, powered by SentinelOne, was designed to deliver stronger security with better functionality against ransomware and other advanced cyberattacks. Explore these six key reasons to switch to SonicWall Capture Client:

  1. Certified for business.
    Although Sophos Intercept X is recommended by NSS Labs, it is not certified by OPSWAT or AV-Test. SentinelOne, the core engine within Capture Client, is also recommended by NSS Labs and holds OPSWAT certification and AV-Test certification for corporate use. Capture Client is also compliant with HIPAA and PCI mandates.
  2. True machine learning.
    Sophos only leverages machine learning as code executes on a system. In contrast, Capture Client applies machine learning before, during and after execution to reduce the risk of compromise to your endpoints, thereby better protecting your business.
  3. Real remediation.
    Sophos Intercept X relies on the Sophos Cleaner to restore potentially encrypted files. Not only can it be bypassed, but it is limited to using 60 MB of cache to save up to 70 “business” file types. Capture Client creates shadow copies of your data, which do not discriminate on size or file type. Capture Client rollback capabilities revert the impact of a malware attack, leaving the device clean and allowing the user to continue working — all without any risk of further damage.
  4. Firewall synergies.
    Although Sophos Endpoint Protection is closely linked to their next-generation firewall, this integration is lacking on Intercept X. Capture Client goes beyond the endpoint and has built-in synergies with SonicWall next-generation firewalls (NGFW). Although not required, when combined with a SonicWall next-generation firewall, it can enforce use of the client and redirect non-Capture Client users to a download page to update the endpoint.
  5. Easy digital certificate management.
    With more than 5 percent of malware using SSL/TLS encryption today, the inspection of encrypted traffic is vital. Sophos firewalls have limited SSL/TLS decryption capabilities and do not offer automated distribution of re-signing certificates. Capture Client makes it easy to install and manage the re-signing digital certificates required for SSL/TLS decryption, inspection and re-encryption.
  6. Better roadmap.
    In September 2018, SonicWall will add network sandboxing. Capture Client will be able to route suspicious files to the award-winning, multi-engine Capture Advanced Threat Protection (ATP) cloud sandbox service to examine code more thoroughly, in ways an endpoint can’t (e.g., fast-forwarding malware into the future). Administrators will be able to query known verdicts for the hashes of their suspicious files without having to upload them for analysis.

If you’d like to see for yourself the difference Capture Client makes over a limited and aging endpoint solution, contact us or ask your SonicWall partner representative for a one-month trial. Existing customers can log in to MySonicWall to begin the trial today.


Ready to ditch Sophos?

Strengthen your security posture today. Switch now and receive up to 30 percent* off of SonicWall Capture Client endpoint protection. It’s the smart, cost-effective approach for extending security to endpoints that exist outside of the network.

Fake Fortnite apps target Android gamers

The popularity of the free-to-play shooter game Fortnite has been nothing less than a phenomenon. The number of Fortnite players as of June 2018 is recorded at a staggering 125 million. Fortnite is available on popular platforms – Windows, Mac, PlayStation, Xbox and mobile devices. But when we say mobile devices, in this case we mean Apple devices. Yes, Fortnite is currently not available for Android, as shown on both the Google Play Store and the official Epic website below:

However, according to uploaders on YouTube, Fortnite can be installed on Android devices just fine:

SonicWall Threats Research Team observed a number of fake Fortnite apps that claim to be Fortnite for Android but end up fooling victims into installing third-party apps for the benefit of the scammers.

We highlight a few popular scams in circulation right now that use Fortnite as their cash cow:

Scam I: Get verified

This scam is probably the most popular one right now and involves YouTube. There has been a flurry of videos that claim to show instructions to install and run Fortnite on Android. The scam works as follows:

  • Step I: YouTubers create videos showing how they can download, install and play Fortnite on Android devices. They add a link in their videos from which the fake Fortnite apps can be downloaded:

  • Step II: After installing and running the app, the victim is greeted with logos, images and videos copied straight from the official game. This is critical, as it cements the victim’s belief that the app may actually be real:
  • Step III: The victim is informed that some sort of mobile verification is needed before the game can be played:
  • Step IV: On clicking “OK” a link opens where the victim is asked to install an app. The link and app change from scam to scam, but the victim is always asked to install a legitimate, clean app (usually one available on Google Play). The victim installs this app believing that after this step he will be able to play Fortnite.
  • Step V: When the victim returns to the fake app, all he gets is an empty screen and is left wondering if he did something wrong. Many victims will retry the previous step to “rectify” what they did wrong, or try a different YouTube video, thereby propagating the scam.

Scam II: App update

The initial step of this scam is the same as Step I described above. The difference is what happens once the fake app runs on the device.

  • Step II: Once the app runs it displays a screen stating that an update is needed; however, questionable terms are listed at the bottom, visible only after the user scrolls down.
  • Step III: Both the update and skip buttons move forward; advertisements begin to appear and an “update” downloads in the background:
  • Step IV: Just like the previous scam, a legitimate app gets installed on the device:

In our case the fake Fortnite app claimed to install Fortnite Battle Death, but what it actually installed was a legitimate game called Battle Death Combat:

But where is Fortnite ?? Anywhere but here…

Scam III: V-Bucks

V-Bucks are the virtual in-game currency that can be used to purchase customizations for a player character. They can be bought online from legitimate sources, but scammers saw in V-Bucks an avenue for spreading their schemes. The Play Store is littered with apps that promise free V-Bucks but are just another scam:

One such app entices the user to do something for the author/creator in exchange for V-Bucks, for instance following a certain Twitch channel, but after the user does so it merely displays a congratulatory message:

Another V-Bucks app has a little more depth. It asks for the user’s Fortnite username and puts on a show in which fake V-Bucks are “calculated”:

The next screen asks the user to rate the current app and then claim the V-Bucks. When the user tries to claim the reward he is simply redirected to either a survey scam or a website that fishes for emails or phone numbers. Either way, this part of the scam is after the user’s data:

Although not malicious (as of now), these apps certainly trick users and siphon sensitive data from them.

Scam IV: DroidJack

These are straight-up malicious apps disguised as Fortnite apps. They make no pretense whatsoever and contain malicious code that infects the device. So far we have observed DroidJack-infested apps; DroidJack has been covered earlier in our blogs.

We can expect other malicious apps to trojanize themselves as Fortnite in the near future.

Notable mention – Fortnite guides and tips

These are apps that contain a few pages of tips and tricks for Fortnite. They may contain ads but are generally not malicious; their sole purpose is to get installs from users:

Why Fortnite?

The main reason for using Fortnite is its popularity: scammers and malware writers constantly use trending apps as cover for spreading malicious apps. Another reason is that Fortnite is not available on Android at the moment but is available for Apple devices. This creates a void for Android users that leads some eager gamers to try alternative routes, making the mistake of installing apps from untrustworthy sources.

What do they gain from these scams?

Different scams serve different purposes; here are a few insights:

  • Verification related scams – These scams require victims to install specific legitimate apps; when these apps are downloaded the referrers (the scammers in this case) earn money. It’s a win-win for both scammers and app developers
  • The role of YouTubers – A lot of these scams spread via download links in YouTube video descriptions. App developers or companies offer YouTubers monetary benefits to promote their apps, and a popular YouTuber can easily reach a large audience since YouTube is so accessible these days
  • V-Bucks scams – These apps usually require victims to rate the app as one of the steps in earning V-Bucks. As a result these apps have been rated highly by a large number of users:

However as time passes and the realization of the scam sets in, many users have given it a negative rating:

  • DroidJack is one example where the app is completely malicious by nature without showing any pretense. We can expect more malicious apps that use Fortnite logo, name and images

Who are the likely targets?

  • In the case of the current Fortnite scams the prime targets are Android gamers, since Fortnite is available on other platforms while Android gamers are left waiting for the official app. The long wait leads some people to take desperate measures and search for alternate ways to install Fortnite
  • Some of the scams require victims to perform a certain task, such as installing other apps or running a particular app for a specified time, in exchange for virtual currency. This takes time and the motivation to earn virtual currency, and younger gamers fit this description in most cases. Mobile phones are very accessible these days; younger users may not have the money to buy virtual currency themselves and may not be eager to research these apps, so the need for instant gratification takes over and they fall victim to such scams

Scammers and malware writers will continue to use popular and trending topics as cover for their apps. It is best to stay informed and practice safe browsing habits to avoid such scams. We urge our users to install official apps only from the Google Play Store and to be informed about which apps are available for which platforms.

SonicWall Capture Labs provides protection against this threat with the following signatures:

  • AndroidOS.Fortnite.AN
  • AndroidOS.DroidJack.MA_2

Appendix

The following are a few websites that host fake Fortnite APKs. These are commonly present in the descriptions of YouTube videos:

  • Domain – hxxps://fortnitemobile.club/
  • App link – hxxps://fortnitemobile.club/img/Fortnite%20Android.apk
  • Domain – hxxp://fortniteapk.fun
  • App link – hxxps://fortniteapk.fun/Fortnite.v4.0.Patch.Android.apk

The following are a few Fortnite apps containing the “get verified” scam:

  • 1f85475a71a1f0c08719fa76ac022307
  • 7a49c43612e09c7603b83ae5deedf618

The following are a few Fortnite apps with DroidJack component:

  • 62accd897ce6408ad8fb14eda9d21d0b
  • c11552a4b5d4caa8eef6662393b8938a

The following are a few Fortnite apps with “V-Bucks” scam:

  • 93f21cb14377e384b81beac6697fe380
  • 84a7042d86680e6c66cfd7472636eb86

The following are a few Fortnite guide/maps apps:

  • 91375ac120845b1ecb0f729fed1523dc
  • ca60539ef3c629036708b7aa5c05b486

A few interesting observations:

  • There are a large number of apps with the package name com.anizz14, and a number of these apps are set up to masquerade as other popular apps:

  • The DroidJack component has been added to a number of apps that masquerade as other popular apps; we have already covered an instance where this component was added to an app meant to look like Super Mario for Android:

CVE-2018-1111 Network Manager command injection vulnerability

SonicWall Threat Research Lab is seeing attempts to exploit CVE-2018-1111, an OS command injection flaw in the Red Hat NetworkManager integration script included in its DHCP client package. The flaw stems from improper validation of DHCP responses by NetworkManager. The NetworkManager shipped by default with Red Hat Enterprise Linux 6 and 7, Fedora 28, and earlier releases is vulnerable to this flaw. A remote attacker could exploit it by sending a malicious DHCP response to a vulnerable target.

The Dynamic Host Configuration Protocol (DHCP) is a network management protocol in which a client issues DHCP requests to obtain network configuration such as its IP address, gateway, DNS servers and more. DHCP uses two UDP ports (67 and 68): port 67 is the server’s port and port 68 is the client’s. A single DHCP transaction consists of several DHCP messages exchanged between the DHCP client and the DHCP server.

When NetworkManager receives a DHCP response containing option records, the DHCP client package that Red Hat provides for the NetworkManager component reads the option data for each record through the integration script and evaluates it to set the necessary environment variables. Because the option data is not properly sanitized, option values that carry shell commands result in arbitrary command execution. An attacker operating a malicious DHCP server can therefore send spoofed DHCP responses to vulnerable DHCP clients and execute arbitrary shell commands with root privileges.
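To make the unsanitized option data concrete, here is an added Python example (not SonicWall's signature logic and not the NetworkManager script itself) that builds two constructed DHCP replies, parses their option field using the RFC 2132 TLV layout, and flags any option value containing shell metacharacters, which is exactly the kind of data a client should never hand to a shell `eval`. Option code 252 and every packet value are constructed for the sample.

```python
"""Flag DHCP option values carrying shell syntax (added defensive example)."""
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2132 option-field marker
SHELL_META = set("'\"`$;|&(){}<>\n")        # characters that alter shell parsing


def build_dhcp_reply(xid, yiaddr, options):
    """Build a minimal BOOTREPLY message from a list of (code, bytes) options.

    Fixed-size header fields follow RFC 2131; the options field starts at
    byte 236 with the magic cookie and is terminated by option code 255.
    """
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s",
        2, 1, 6, 0,                 # op=BOOTREPLY, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0,                  # transaction id, secs, flags
        b"\0" * 4,                  # ciaddr
        socket.inet_aton(yiaddr),   # yiaddr: address offered to the client
        b"\0" * 4, b"\0" * 4,       # siaddr, giaddr
    )
    fixed += b"\0" * 16 + b"\0" * 64 + b"\0" * 128   # chaddr, sname, file
    body = bytearray(MAGIC_COOKIE)
    for code, value in options:
        body += bytes([code, len(value)]) + value
    body.append(255)
    return fixed + bytes(body)


def parse_dhcp_options(payload):
    """Return {option_code: [value, ...]} from a raw DHCP message.

    Rejects input without the magic cookie and refuses to read past the end
    of a truncated option, so malformed packets fail closed instead of
    yielding partial values.
    """
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: bad length or magic cookie")
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:               # pad octet, carries no length byte
            i += 1
            continue
        if code == 255:             # end marker
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        options.setdefault(code, []).append(value)
        i += 2 + length
    return options


def suspicious_options(options):
    """Return [(code, value), ...] for values containing shell metacharacters.

    A client that exports option text into shell variables and evals it would
    execute such a value; a legitimate DHCP server has no reason to send one.
    """
    hits = []
    for code, values in options.items():
        for value in values:
            text = value.decode("latin-1")   # never fails, preserves every byte
            if any(ch in SHELL_META for ch in text):
                hits.append((code, value))
    return hits


def scan(payload):
    """Parse a DHCP message and flag risky option values in one step."""
    return suspicious_options(parse_dhcp_options(payload))


# Constructed samples, not captured traffic. Option 252 is an arbitrary choice
# here; any option whose text reaches the shell would be equally dangerous.
BENIGN_REPLY = build_dhcp_reply(0x1234, "192.0.2.10", [
    (53, b"\x02"),                            # DHCPOFFER
    (1, socket.inet_aton("255.255.255.0")),   # subnet mask
    (15, b"example.test"),                    # domain name
])
TAMPERED_REPLY = build_dhcp_reply(0x1234, "192.0.2.10", [
    (53, b"\x02"),
    (15, b"example.test"),
    (252, b"x'; echo CONSTRUCTED_SAMPLE; '"),   # shell syntax inside option data
])

if __name__ == "__main__":
    for name, packet in (("benign", BENIGN_REPLY), ("tampered", TAMPERED_REPLY)):
        print(name, scan(packet))
```

Run against a real capture, the parser is the same; only the samples above are synthetic.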

Trend Graph:

The trend line below shows how this vulnerability is being exploited today.

SonicWall Threat Research Lab provides protection against this exploit via the following signatures:

IPS 13354: Suspicious DHCP Traffic 6
IPS 13355: UDP Application Shellcode Exploit 5

Cyber Security News & Trends – 07-06-18

Each week, SonicWall collects the cyber security industry’s most compelling, trending and important interviews, media and news stories — just for you.


SonicWall Spotlight

Breaking down SonicWall’s 12 new features for mid-tier enterprises — TechRepublic

  • Following the release of SonicWall’s latest product news, TechRepublic provides an overview of the features released. This article concludes that the new mid-tier offerings make SonicWall an option for companies of any sector and size.

Review: SonicWall TZ400 Provides Local Governments with Deep, Frontline Protection – StateTech

  • SonicWall’s firewall appliance is a strong choice for state and local governments watching the bottom line.

Cyber Security News

Sophos shares tank as revenues slow – UK Investor Magazine

  • Shares in cyber security group Sophos fall by a fifth as growth slows. The company’s shares fell by more than 20% as it said billings growth – an indicator of future revenues – in the three months to the end of June had slowed to just 6pc, or 2pc when adjusted for foreign currency changes.

New Virus Decides If Your Computer Good for Mining or Ransomware — The Hacker News

  • Researchers at Kaspersky Labs have discovered a new variant of the Rakhni ransomware family, which has now been upgraded to include cryptocurrency mining capability as well.

Macro-based malware campaign replaces desktop and Quick Launch shortcuts to install backdoor — SC Magazine

  • Researchers have uncovered an unusual malicious macro-based malware campaign that effectively modifies infected users’ shortcut files so that they secretly download a backdoor program.

Trump nominates former Energy official to lead Homeland Security tech research arm — The Hill

  • President Trump announces that he is tapping William Bryan, an Army veteran and former Department of Energy official, to lead the Department of Homeland Security’s technology research and development arm.

Adidas Reports Data Breach — The Wall Street Journal

  • Adidas warned late on Thursday that hackers may have lifted customer data from its US website.

In Case You Missed It

SonicWall Wins 7 New Awards, Bringing 2018 Total to Over 30

SonicWall is proud to announce it has garnered seven awards, including three from the Network Products Guide IT World Awards, two from the Globee Awards, and one each from the PR World Awards and the CEO World Awards.

With these seven new accolades, SonicWall has earned more than 30 awards so far in 2018.

First from the Network Products Guide IT World Awards is a gold award in the ‘Firewalls’ category for the SonicWall NSa 2650 firewall. The SonicWall NSa 2650 is a next-generation firewall that delivers high-speed threat prevention over thousands of encrypted and unencrypted connections to mid-sized organizations and distributed enterprises.

SonicWall also won silver in the ‘Managed Security Services’ category for the SonicWall Global Cloud Management System, or Cloud GMS. Cloud GMS is a web-based management and reporting application that provides centralized management and high-performance reporting for the SonicWall family of firewalls.

Rounding out the three from Network Products Guide, SonicWall earned silver in the ‘Email, Security and Management’ category for SonicWall Email Security 9.1. SonicWall Email Security is a multi-layer solution dedicated to combating emerging threats. It protects organizations from outside attacks with effective virus, zombie, phishing and spam blockers, leveraging multiple threat-detection techniques.

In addition to the awards from Network Products Guide, SonicWall also garnered a silver award in the ‘PR Achievement of the Year’ category from the PR World Awards for the launch of the 2018 SonicWall Cyber Threat Report. The annual report is the go-to source for cyber threat intelligence, industry analysis and cyber security guidance for the global cyber arms race.

The launch of the 2018 SonicWall Cyber Threat Report also took home gold in the ‘Public Relations Achievement of the Year’ from the Globee Awards. The team also earned a silver in the Globee Awards in the ‘Product Management/Development Team of the Year’ for the team led by SonicWall COO Atul Dhablania.

Finally, SonicWall CEO Bill Conner won silver in the ‘CEO Excellence of the Year’ award for organizations with 500-2,499 employees.

Inside the Cloud Sandbox: How Capture Advanced Threat Protection (ATP) Works

Last year, SonicWall discovered and created protections for more than 56 million new forms of malware. Because it takes time to create and roll out hundreds of thousands of protections each day, something must be done to discover and stop unknown malware, namely zero-day attacks.

The answer is Capture Advanced Threat Protection (ATP), a cloud sandbox and a core part of the SonicWall Capture Cloud Platform. In order to stop new cyberattacks, this isolated environment — independent from your network — runs suspicious files to understand their objectives.

Because of its effectiveness, SonicWall makes it available on our firewalls, email security solutions, Secure Mobile Access (SMA) and Capture Client Advanced endpoint protection solutions. Each of these uses Capture ATP in a different way:

  • For firewalls: In the case of the firewall, a broad range of file types are sent over if they are greylisted, which means 1) they have not been convicted by Gateway Antivirus (blacklisted) and 2) were not previously seen by the firewall in question (whitelisted).
  • For email security: Similarly, email security will automatically send unknown files arriving via email to Capture ATP for analysis before sending them along to inboxes.
  • For mobile access: If someone tries to upload a file to a shared drive (a common malicious attack vector), SMA will test the file to ensure it is clean before being accessible by others in the organization.
  • For endpoint protection: Last, Capture Client is an antivirus solution that continuously monitors the behavior of a system. Since it is common for malware to utilize evasion techniques (such as timing delays), sending suspicious files to Capture ATP is an intelligent way of eliminating malware before it executes.

Now that we have covered a bit of context, we’ll explain how it works once one of these solution sets has automatically sent a suspicious file to Capture ATP, or an administrator has manually submitted a file for analysis.

Step One: Verdict Check

At the time of writing, the Capture ATP sandbox service receives over 1.5 million requests to test suspicious files each business day.

The first stop for these files is a verdict check. SonicWall reduces each file it sees (submitted over an encrypted channel) to a hash, retains a verdict for that hash indefinitely and does not store the file itself. By keeping a verdict for each hash (that is, for each file), we are able to send a conviction or acquittal back to the submitting solution or administrator within milliseconds. Of the millions of submissions SonicWall sees each week, only around 45 percent are unique, so this step is vital.

Step Two: Community Check

If we have never seen a file before, it doesn’t mean someone else hasn’t. We check for convictions of the file’s hash against a pool of over 60 virus scanners to see if any of them found this file to be malicious.

Note: SonicWall doesn’t send your files to anyone for analysis.

Step Three: Dynamic Processing

If we haven’t seen it before (verdict check) and no one else has seen it before (community check), we run it through multiple engines simultaneously. This is where the fun begins, because we can do so many unique things with the code that a firewall or an endpoint can’t, such as fast-forward it to look for timing delays or break it apart in memory and examine the sequences.

Capture ATP was designed to be a multi-engine environment because malware so commonly uses evasion tactics. Academically, the concept of a sandbox is easy to grasp, but once you understand a sandbox’s inner workings you can design code to slip past what it checks for, or code that does not activate if it senses it is not running on a normal system.

Getting past one sandbox is moderately difficult. Evading multiple engines, which in turn have multiple ways to find malware, should be nearly impossible.

In order to find the most evasive malware, Capture ATP runs code with hypervisor-level analysis, full-system emulation, virtualization and with SonicWall’s patent-pending Real-Time Deep Memory Inspection (RTDMI™). This is done to see what code wants to do from the application, to the OS, and down to the firmware.

In an ideal world, every piece of malware we find would be detected by all technologies in use, but that is not always the case. Just remember my old adage, “Security doesn’t exist, only speed bumps.” Just as the Great Wall of China was eventually bypassed by the Mongol horde, so are digital defenses by digital threats.

The Results

It is after this three-step process that we help deliver clean traffic to endpoints, inboxes, shared drives and servers and ensure endpoints stay secure by eliminating threats before they activate. By applying signature-based defenses in front of behavior-based defenses, we are able to protect the world against an onslaught of cyberattacks.

A good real-world example was the initial set of WannaCry attacks. The ransomware attack became famous for taking out 16 NHS hospitals in the UK (secured by a competitor).

However, the NHS sites protected by SonicWall were running without disruption from the attack. We stopped this attack three weeks in advance because our Capture Labs research team created protections against the SMB vulnerability and the WannaCry variant they found in the wild.

So, when the attacks started, they were stopped by internal defenses (e.g., firewalls). But what about Versions 2, 3, 16 or 18, etc.? These were discovered and stopped by Capture ATP.

To better understand how Capture ATP is protecting organizations against attacks like Meltdown, please read our solution brief on Real-Time Deep Memory Inspection.

PowerShell script in a PDF launch action command dropping trojans

SonicWall Threat Research Lab is observing a fresh wave of PDFs with a launch action command that runs a PowerShell script to download a remote payload and execute it on the targeted device. The remote servers are still actively delivering payloads.


Dynamic Data Exchange (DDE) is one of the methods that Windows provides for transferring data between Office applications. Users are notified through prompts before DDE commands execute; however, that doesn’t stop malicious payloads from getting onto the machine if unaware users click ‘Allow’. DDE has been leveraged by attackers to execute malicious code on the targeted device without requiring macros to be enabled, and they have had great success carrying out DDE attacks in Office documents to drop exploits, trojans and malware. As part of its Patch Tuesday security update, Microsoft shipped an Office update that disables the DDE feature in Word. Similar to DDE, PDF has a /Launch action option to launch an application or a command that runs an executable.


Infection cycle:

In an email phishing campaign, an attacker can send the crafted PDF document as an email attachment to the targeted user. The file must be convincing enough for the user to disable protected mode and click through additional prompts that allow the commands to execute. Once executed, it downloads the malicious payload from the remote server and runs it.


Sha256 hashes:

Below are the SHA256 hashes of the PDF exploits that we have seen in the past few days.
All of them carry the PDF ‘OpenAction’ instruction, which is performed when the document is viewed, and within ‘OpenAction’ a ‘Launch’ action that runs cmd.exe or PowerShell.exe. PowerShell can be executed directly or passed as an argument to cmd.exe, and it can also be used to run commands that are Base64-encoded.


  • 72dc3d631e4b831f231aaa503fcbe3b197822f8cb09d8fbd4d1d653d8d94765c
  • caedcc3365e786e991c3d01abcdfd3e75f68cc866c545b6c3903fd7882dd3736
  • 518630ec59c1c41ef486c6f89d3a531f4580628f34a99bcfc18884a85bd7117c


In this file, PowerShell.exe is written in mixed case, and the script has been obfuscated with Base64 encoding to evade static detection.
The decoded PowerShell command is shown below:

  • 81d0ef59803776b054a1fd220dfb19db31a4c50c633bb79371d8602b0cfe2ce2
  • 5614bd2d19c948c883d0fbef8f6af1953872244b5c892c21e1f58a43050b4fd9
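As an added example (not SonicWall’s code or the logic behind its signature), the following Python scans raw PDF bytes for the ‘OpenAction’ plus ‘Launch’ structure described above, matches cmd.exe and PowerShell case-insensitively so that mixed-case spellings are caught, and decodes a Base64 -EncodedCommand argument. The sample PDF fragment and its harmless Write-Host command are constructed here and are not taken from the observed files.

```python
import base64
import re

# Constructed test fixture (not a sample from the page): the catalog and action objects
# of a PDF whose /OpenAction points at a /Launch action that runs cmd.exe, which in turn
# starts a mixed-case powershell.exe with a base64 (UTF-16LE) -EncodedCommand, the same
# shape the write-up describes. The encoded script is a harmless Write-Host.
_BENIGN = base64.b64encode("Write-Host 'sample'".encode("utf-16le"))
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /Type /Action /S /Launch /F (cmd.exe)\n"
    b"   /P (/c pOwErShElL.exe -nop -w hidden -EncodedCommand " + _BENIGN + b") >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

LAUNCH_RE = re.compile(rb"/S\s*/Launch(.*?)>>", re.DOTALL)            # one /Launch action body
STRING_RE = re.compile(rb"/(F|P)\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)  # /F and /P literal strings
ENC_RE = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)  # -e, -enc, -EncodedCommand


def analyze_pdf(data: bytes) -> dict:
    """Scan raw PDF bytes for /Launch actions and report what each would execute.

    Only uncompressed objects are inspected; objects inside /FlateDecode streams
    would have to be inflated first, a limitation of this added example.
    """
    findings = []
    for m in LAUNCH_RE.finditer(data):
        fields = {k.decode(): v.decode("latin-1") for k, v in STRING_RE.findall(m.group(1))}
        text = " ".join(fields.values())
        finding = {
            "fields": fields,
            # case-insensitive so that spellings such as pOwErShElL.exe still match
            "interpreters": [i for i in ("powershell", "cmd.exe") if i in text.lower()],
            "decoded_command": None,
        }
        enc = ENC_RE.search(text)
        if enc:  # PowerShell's -EncodedCommand is base64 over UTF-16LE text
            try:
                finding["decoded_command"] = base64.b64decode(enc.group(1)).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                finding["decoded_command"] = "<undecodable>"
        findings.append(finding)
    return {
        "open_action": b"/OpenAction" in data,   # action fires when the document is opened
        "launch_actions": findings,
        "suspicious": any(f["interpreters"] for f in findings),
    }


if __name__ == "__main__":
    print(analyze_pdf(SAMPLE_PDF))
```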


Payload Servers:

Below are some of the payload URLs that we see. It looks like the attacker is taking advantage of compromised WordPress websites to host the malicious payloads.


  • hxxp://operationships.com/wp-content/themes/twentyfourteen/car/SERVER1.exe
  • hxxp://www.mozambiquecomputers.com/css/fbet.exe
  • hxxp://operationships.com/wp-content/themes/twentyfourteen/move/bin.exe
  • hxxp://kaigo-taxi.tokyo/wp-content/themes/spacious/moon/PO.exe
  • hxxp://funrunfunclimb.com/wp-content/themes/gaukingo/coo/server.exe


[Figure: launching the PDF in Foxit Reader triggers the launch command]
[Figure: the PowerShell script fetches the malicious payload through an HTTP request]

Trend Graph:

The trend line below shows how this attack is being used today:



SonicWALL Capture ATP (Advanced Threat Protection), a cloud-based multi-engine dynamic sandbox analysis service, provides protection against this attack.



SonicWALL Threat Research Lab provides protection against this threat via the following signature:

SPY: 2177 PDF-POS