Cybersecurity News & Trends – 06-08-18

Each week, SonicWall collects the cyber security industry’s most compelling, trending and important interviews, media and news stories — just for you.


SonicWall Spotlight

Galix Becomes SonicWall’s First Ever Platinum Partner in Africa IT News Africa

  • Galix, an IT services, infrastructure management and compliance company, has become the first ever African partner to receive SonicWall’s Platinum Partner status.

SonicWall Looks Beyond Firewalls to Bolster Cyber-Security eWeek

  • eWeek sits down with SonicWall CEO Bill Conner at RSA to discuss the company’s progress toward becoming a financially and operationally independent company in a written article and accompanying video interview.

Cyber Security News

US-North Korea Summit News Used as Lure in New Malware Campaign Dark Reading

  • North Korea’s Group 123, an advanced persistent threat actor responsible for several major malicious campaigns in recent years, is believed to be behind new malware activity targeting users in South Korea.

Researcher Finds Login Info for 92 Million MyHeritage Users on Private Server SC Magazine

  • A file named myheritage discovered on an outside private server contained the email addresses and hashed passwords of more than 92 million MyHeritage customers, the genealogy and DNA testing company’s CISO said.

Here’s a Transaction Transamerica Regrets: Transgressors Swipe Retirees’ Personal Info The Register

  • Financial house Transamerica has admitted hackers swiped some of its customers’ sensitive personal information, including social security numbers.

Ukraine Says Prevented Cyber Attack on NATO Country Embassy Reuters

  • Ukraine’s state security service (SBU) prevented a cyber attack on the embassy of a NATO country in Kiev, it said in a statement on Tuesday, without specifying which one.

Mich. County Official Falls for Phishing Scam, Quits The Detroit News

  • An official in a small Michigan county has resigned after being tricked into wiring $50,000 to an overseas bank account.

In Case You Missed It

Sudden spike in Slempo samples observed for Android (June 7, 2018)

The code leak of a popular malware family can be both a good and a bad thing. The positive side of a code leak is that security researchers get to learn more about the malware and come up with better protections against it. The negative side is that malicious actors do the same, and modify the code to create more strains of the malware. This pattern is often observed in the Android malware space, where the source of a new malware can be traced to the leaked code of a popular family from the recent or distant past.

The SonicWall Capture Labs Threat Research Team observed a sudden surge in a particular malware family that goes by several names – Slempo, Acecard, GM Bot, SlemBunk. The source of this malware can be traced back to GM Bot, whose source code was leaked in December 2015. The source code has since been hosted for research purposes and can be found easily by both researchers and malware writers.

The spike

Over the past few days we observed a rise in samples belonging to the Slempo campaign. Even though the numbers are not very high, it's worth noting that new samples circulated for a few days, after which the numbers fell again:

The graph shows a classic wave pattern, where samples spread in high numbers for a small period of time and then die out slowly.

Revisiting Slempo

The earliest Slempo sample can be traced back to late 2014, and over the years the samples have not shown a big change in functionality. The main objectives of this threat remain the same:

  • Steal sensitive device related data from the infected device
  • Target certain apps and steal their credentials
  • Accept and execute commands from the attacker via SMS messages
  • Steal the victim's credit card number

Samples belonging to the Slempo campaign are essentially tasked with stealing login credentials from the infected device. The targets are hardcoded in the APK:

Upon infecting the victim's device, the app requests device admin privileges. This gives the app access to sensitive data on the device and also makes it difficult to remove the app if the user suspects anything malicious:

Sensitive information pertaining to the device is sent to the attacker, including the names of most used apps:

When the victim opens a targeted app, they see a fake login page; once the details are entered, the credentials are sent to the attacker. Below is an instance where we opened Facebook on an infected device: a fake overlay was drawn on top of the Facebook app requesting the credentials:

If the victim does not suspect anything and enters the credentials, they are sent to the attacker:
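The traits described above (a lure app name, a request for device admin rights, overlay and SMS permissions, and a hardcoded list of target apps) can be checked mechanically on a decoded APK. The following triage script is an added example and is not SonicWall's code or any Slempo detection logic; it works on a constructed, decoded AndroidManifest.xml and a constructed dex string table rather than a real sample. The package IDs used for Facebook, Twitter and the Play Store are the well-known ones; the use of GET_TASKS to learn which apps are in use is my assumption, not something the analysis states.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample of a decoded AndroidManifest.xml (not from a real Slempo
# sample). It combines the traits described above: a "Flash Player" lure label,
# a device-admin receiver, overlay and SMS permissions.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashplayer">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <application android:label="Flash Player">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign manifest for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>
"""

# Constructed string table, as one would dump from classes.dex with `strings`.
SAMPLE_STRINGS = [
    "com.facebook.katana",
    "com.twitter.android",
    "com.android.vending",
    "Please confirm your credit card",
]

# Lure app names listed in the analysis above.
LURE_LABELS = {"MX Codec Pack", "Adobe Flash Player", "Flash Player"}

# Well-known package IDs for Facebook, Twitter and the Google Play Store.
# Banking app package IDs would be added to this set by the analyst.
TARGET_PACKAGES = {"com.facebook.katana", "com.twitter.android", "com.android.vending"}

SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}


def manifest_indicators(manifest_xml: str) -> dict:
    """Extract the manifest traits that matter for an overlay/device-admin trojan."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    perm_attr = "{%s}permission" % ANDROID_NS
    label_attr = "{%s}label" % ANDROID_NS
    perms = {el.get(name_attr) for el in root.iter("uses-permission")}
    app = root.find("application")
    return {
        "package": root.get("package"),
        "label": app.get(label_attr, "") if app is not None else "",
        # A receiver guarded by BIND_DEVICE_ADMIN is how an app asks to become device admin.
        "device_admin": any(r.get(perm_attr) == "android.permission.BIND_DEVICE_ADMIN"
                            for r in root.iter("receiver")),
        # SYSTEM_ALERT_WINDOW lets an app draw a fake login page over another app.
        "overlay": "android.permission.SYSTEM_ALERT_WINDOW" in perms,
        # SMS access supports the SMS-based command channel described above.
        "sms": bool(perms & SMS_PERMS),
        # Assumption: GET_TASKS is one way to learn which apps the victim uses most.
        "task_enum": "android.permission.GET_TASKS" in perms,
    }


def hardcoded_targets(strings, targets=TARGET_PACKAGES):
    """Return target package names that appear verbatim in the dex string table."""
    return sorted(s for s in strings if s in targets)


def score_sample(manifest_xml: str, strings) -> dict:
    """Combine the indicators into a simple triage score (0-5) and a verdict."""
    ind = manifest_indicators(manifest_xml)
    ind["targets"] = hardcoded_targets(strings)
    ind["lure_label"] = ind["label"] in LURE_LABELS
    ind["score"] = sum([ind["device_admin"], ind["overlay"], ind["sms"],
                        bool(ind["targets"]), ind["lure_label"]])
    ind["verdict"] = "suspicious" if ind["score"] >= 3 else "benign-looking"
    return ind


if __name__ == "__main__":
    print("sample:", score_sample(SAMPLE_MANIFEST, SAMPLE_STRINGS))
    print("benign:", score_sample(BENIGN_MANIFEST, ["hello"]))
```

The score is deliberately coarse: a legitimate SMS app or an accessibility tool can hold one or two of these permissions, so the threshold of three is what separates "look closer" from "probably fine". The hardcoded target list is the most specific indicator; the permission combination is what generalizes to other overlay trojans built from the same leaked code.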

A look back in time

We compared the new Slempo samples with a few samples from 2014 and 2015. Here are a few observations:

  • The developer names are the same – 123 and Android
  • The code structure is the same:

  • Majority of Slempo samples spread using the same set of package names:
    • MX Codec Pack
    • Adobe Flash Player
    • Flash Player
  • Most of the hardcoded target apps still remain the same:
    • Westpack
    • Commbank
    • Facebook
    • Twitter
    • StGeorge
  • We saw a component that shows an overlay for credit card information in the majority of the new samples spreading over the past few days. This component did not appear as frequently in the older samples. A likely reason is that a large number of malware families presently target victims' credit card numbers, and the Slempo writers may want a piece of this pie as well. Once the victim opens the Google Play Store app, the credit card overlay shows up. Without entering this information the victim won't be able to use the Play Store:

The reason behind the sudden spike of Slempo samples is not clear at the moment. It is possible that new additions to the feature set of Slempo might be on the way.

SonicWALL Capture Labs provides protection against this threat via the following signature:

  • GAV: AndroidOS.Slempo.SPY (Trojan)

eWeek Goes 1-on-1 with SonicWall CEO Bill Conner

Bill Conner has a plan for SonicWall. And he’s already ahead of it.

In a recent interview with eWeek, the SonicWall CEO provided high-level perspective on not only where SonicWall is and how it got here, but also where it’s going in the future. It was a candid, one-on-one conversation that really lets the industry get to know SonicWall as a company.

“Everything comes through some kind of a network … where we think the market is going is really going to be about automated, real-time breach detection and prevention,” said Conner.

Announced in May 2018, SonicWall financially separated from Quest with oversubscribed investment interest and unprecedented growth in the last six quarters. This success is less than two years removed from Francisco Partners’ purchase of SonicWall from Dell.

“We still have Dell as a partner, and as an OEM, and still do a great deal of business with them,” Conner told eWeek. “We also have business that has nothing to do with Dell.”

Conner walked eWeek through the last 10 months of fast-moving growth for SonicWall, which included 12 new products that featured updates to trusted firewalls, introduced new virtual firewall offerings and unveiled the SonicWall Capture Cloud Platform.

Conner stressed that all of the development into defending endpoints, email and other areas of vulnerability does not mean that SonicWall is diverging from its true nature, which is primarily that of a network security company. SonicWall is simply expanding the breadth of its cyber security portfolio to deliver more cost-effective, real-time protection to customers and partners.

“One of the big questions when I came in was, ‘Is the brand going to be alive?’” said Conner. “Then there were questions about our roadmap and ability to deliver … Now our vision, that I started talking about six quarters ago, is starting to be real.”

This fiscal year SonicWall also added over 24,000 SecureFirst partner organizations, a 60 percent year-over-year increase, while closing $530 million in partner deal registrations. Since the start of 2018, SonicWall has collected 27 cybersecurity industry accolades, most recently being named the Editor’s Choice Security Company of the Year by Cyber Defense Magazine.

Report: Low Confidence in Stopping Business Email Compromise (BEC), CEO Fraud

Email is the primary tool for business communications and it’s used across the globe by organizations of all sizes. So, it’s no surprise that email is also today’s No. 1 threat vector for cyberattacks.

The cyber threat landscape has evolved to a great extent. Today, email attacks are highly targeted and cybercriminals engage in extensive social engineering activities to learn information about their targets in order to craft personalized emails.

Such targeted and sophisticated phishing attacks have a higher success rate than mass campaigns. Users implicitly trust a familiar name or an email containing personal information. These emails may contain malicious attachments, weaponized URLs to deliver malicious payloads, phishing websites with fake login pages to steal login credentials, or malware-less email that seeks confidential information or a wire transfer.

With the changing threat landscape, coupled with the lack of human and financial resources to keep pace, organizations find themselves as susceptible targets for email-based attacks, such as spear-phishing and CEO fraud/business email compromise (BEC).

To that end, SonicWall recently worked with Osterman Research and surveyed organizations to understand:

  • What are the top concerns for IT security decision-makers?
  • Why are cyberattacks succeeding?
  • How do you evaluate your current security posture?

Some of the key survey findings include:

  • Cyber threats are becoming more sophisticated as well-financed cybercriminal gangs develop improved variants of malware and social-engineering attacks. The perceived effectiveness of current security solutions is not improving – or is actually getting worse – for many organizations.
  • Most decision-makers have little confidence that their security infrastructure can adequately address infections on mobile devices, CEO fraud/BEC, and the risk of users' personal devices introducing malware into the corporate network.
  • To address the worsening threat landscape, security spending at mid-sized and large organizations will increase by an average of seven percent in 2018 compared to 2017.

The white paper also discusses the level of confidence that security professionals have in defending against these advanced threats. For example, 58 percent of those surveyed believe that their current solutions to eliminate malware before it reaches end users are either “very good” or “excellent,” and 55 percent believe that their ability to protect users from ransomware is this effective.

Unfortunately, things get worse from there: fewer than half of respondents believe their ability to block phishing attempts from end-users, eliminate account takeover attempts before they reach senior executives, and protect sensitive data is either “very good” or “excellent.”

Finally, some best practices that decision-makers must consider to protect against these advanced threats are:

  • Deploy a multi-layer approach for email security
  • View security holistically from cloud services to endpoint, with end-to-end monitoring
  • Train all users, including senior executives
  • Use adequate threat intelligence
  • Establish detailed and thorough policies

Get the In-Depth Osterman Report

Download the exclusive Osterman white paper, “Best Practices for Protection Against Phishing, Ransomware and Email Fraud,” compliments of SonicWall. The paper explores issues that security professionals face, how to evaluate your current security posture and best practices to consider implementing for sound email security.

Ramnit keeps coming back

SonicWall has been observing a new variant of Ramnit lately. Ramnit, a persistent VBScript worm that first appeared around 2010, is known for spreading aggressively by self-replicating and injecting into other processes, executables, DLL and HTML files. Historically, Ramnit used compromised websites to host malicious VBScript that infected users visiting those pages. The Ramnit botnet infrastructure attracted a lot of attention and was taken down in a major operation.

Infection Cycle:

The payload file can be delivered to users through social engineering attacks or a phishing email campaign. Upon launching the file, it executes VBScript and drops the malicious executable “svchost.exe”, which replicates and injects itself into system files and processes. It later opens a back door and connects to a C&C server to steal information from the compromised computer.

Although the file extension is .html, its header and format have been crafted to look like a PDF in order to evade detection. A static PDF analyzer would fail to parse the VBScript stream content, and dynamic analysis would not help either, as PDF does not support VBScript. As shown below, the malicious VBScript is appended after the PDF content.

The infection then proceeds as follows:

  • Upon launching the file in IE, an ActiveX warning pops up in newer versions of IE.
  • The VBScript in the HTML page is executed once ActiveX is allowed. It creates svchost.exe, drops it into the user's %Temp% directory and finally runs it from that path.
  • svchost.exe creates more executable files, “Desktoplayer.exe” and “DesktoplayerSrv.exe”.
  • It then looks for HTML files on the system and infects them by appending the malicious VBScript to them.
  • svchost.exe, running from the %Temp% location, changes system registry entries, spawns the process “chrome.exe” and later injects itself into it, so the malicious svchost.exe code runs under the spawned “chrome.exe” process.
  • Once the system is compromised, it connects to the C&C server fget-career.com, which has previously been involved in Ramnit campaigns.

The activity of Ramnit is shown below in PDF format.
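The evasion described above rests on a mismatch: an .html file whose bytes begin with a PDF header, with the VBScript appended after the PDF content, and, once the worm is running, ordinary HTML files that gain a VBScript block appended after their closing tag. Both are cheap to check for at a mail gateway or in a file-share sweep. The script below is an added example, not SonicWall's signature or any Ramnit code; the four sample files are constructed inline with placeholder comments instead of any script body.

```python
import re

PDF_MAGIC = b"%PDF-"
PDF_EOF_RE = re.compile(rb"%%EOF")
VBSCRIPT_TAG = re.compile(rb"<script[^>]*language\s*=\s*[\"']?vbscript", re.I)
HTML_CLOSE_RE = re.compile(rb"</html\s*>", re.I)

# Constructed samples (no real payload, only the structure described above).
# 1. The lure: a PDF header and body, then VBScript appended after %%EOF,
#    delivered under an .html file name.
LURE_HTML = (b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\ntrailer<</Root 1 0 R>>\n"
             b"%%EOF\n<html><script language=\"VBScript\">\n"
             b"' constructed placeholder, no real code\n</script></html>\n")
# 2. A clean page that the worm later infected by appending VBScript after </html>.
INFECTED_HTML = (b"<html><body>Hello</body></html>\n"
                 b"<script language=VBScript>\n' constructed placeholder\n</script>\n")
CLEAN_HTML = b"<html><body>Hello</body></html>\n"
CLEAN_PDF = b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\ntrailer<</Root 1 0 R>>\n%%EOF\n"


def _tail_after_last(data: bytes, marker_re) -> bytes:
    """Bytes that follow the last occurrence of a marker (empty if absent)."""
    last = None
    for last in marker_re.finditer(data):
        pass
    return data[last.end():] if last else b""


def classify(filename: str, data: bytes) -> dict:
    """Flag extension/header mismatches and VBScript appended past the document's end."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    has_pdf_header = data.startswith(PDF_MAGIC)
    findings = []
    # The lure: PDF bytes behind an HTML name. Neither a PDF parser nor a browser
    # sees the whole picture, which is exactly why the combination is suspicious.
    if has_pdf_header and ext in ("html", "htm", "hta"):
        findings.append("PDF header under an HTML file name")
    if has_pdf_header and VBSCRIPT_TAG.search(_tail_after_last(data, PDF_EOF_RE)):
        findings.append("VBScript appended after the PDF %%EOF marker")
    # Secondary infection: a script block that sits after the page has ended.
    if (not has_pdf_header and ext in ("html", "htm")
            and VBSCRIPT_TAG.search(_tail_after_last(data, HTML_CLOSE_RE))):
        findings.append("VBScript appended after the closing </html> tag")
    return {"file": filename, "pdf_header": has_pdf_header,
            "vbscript": bool(VBSCRIPT_TAG.search(data)),
            "findings": findings, "suspicious": bool(findings)}


def scan(samples) -> list:
    """Return the names of all (name, bytes) samples with at least one finding."""
    return [name for name, blob in samples if classify(name, blob)["suspicious"]]


if __name__ == "__main__":
    for name, blob in [("invoice.html", LURE_HTML), ("index.html", INFECTED_HTML),
                       ("clean.html", CLEAN_HTML), ("report.pdf", CLEAN_PDF)]:
        print(classify(name, blob))
```

The check on the appended script is anchored to the last %%EOF or the last </html> rather than to any VBScript at all, because legacy intranet pages may legitimately carry VBScript inside the document; what a worm leaves behind is a script block after the document has already ended.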

SonicWALL Threat Lab provides protection against this threat via the following signature:

  • Ramnit.VBS.Dropper

Ransomware possibly being used to teach "Ethical" hacking

Ransomware has been so rampant that we receive multiple different variants daily. The SonicWall Capture Labs Threat Research Team recently received a sample of the Jigsaw ransomware which, at first glance, is no different from any other ransomware. We have been tracking and analyzing this ransomware since we first spotted it in 2016. This newer sample, however, appears to have added functionality to communicate with a remote command and control server. We also noticed that this build may have been used as a school project, which one might find odd considering how ransomware continues to be a lucrative, albeit unethical, business. Are we teaching how to create your own ransomware in school nowadays?

Infection Cycle:

This ransomware arrives in the system pretending to be a PDF file using the following icon:

Upon execution, it copies itself to the following directories as firefox.exe and drpbx.exe:

  • %Appdata%/Frfx/firefox.exe
  • %Appdata%/Drpbx/drpbx.exe

It then sends information such as username and computer name to a remote server:

It then proceeds to encrypt files in the victim’s machine and appends a “.fun” file extension to all encrypted files.

It also creates a file named EncrypteFileList.txt in the root directory that lists all the files that have been encrypted.

It then displays an image of the fictional character, Jigsaw, reminiscent of the horror movie Saw with the warning and instructions on how to pay the ransom.

It also adds a Run key in the registry to ensure persistence in the event of a system reboot:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run  firefox.exe %Appdata%\Frfx\firefox.exe
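The persistence entry and the file artifacts above are what an incident responder would sweep for across a fleet: a Run value pointing at a browser-named executable under %Appdata%, files renamed with a .fun extension, and the EncrypteFileList.txt listing. The following triage helper is an added example, not SonicWall's signature or any Jigsaw code. It works on a constructed Run-key listing and a constructed directory listing instead of reading the live registry or disk, so it runs anywhere; on a real host the same functions would be fed the output of the registry and file-system queries.

```python
import ntpath
import re

# Locations a standard user can write to; an autorun from here deserves a look.
USER_WRITABLE = ("%appdata%", "%localappdata%", "%temp%", "%tmp%",
                 "\\appdata\\", "\\temp\\")
# Names of legitimate binaries that malware borrows. firefox.exe and drpbx.exe
# come from the Jigsaw analysis above; svchost.exe and chrome.exe from the
# Ramnit write-up on this page.
IMPERSONATED = {"firefox.exe", "drpbx.exe", "svchost.exe", "chrome.exe", "explorer.exe"}
EXE_PATH = re.compile(r'"?([^"]*?\.exe)"?', re.I)

# Constructed Run-key listing: (value name, value data).
SAMPLE_RUN_ENTRIES = [
    ("firefox.exe", r"%Appdata%\Frfx\firefox.exe"),  # the entry listed above
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
]
# Constructed directory listing of a victim profile.
SAMPLE_FILES = [
    r"C:\Users\alice\Documents\report.docx.fun",
    r"C:\Users\alice\Pictures\holiday.jpg.fun",
    r"C:\EncrypteFileList.txt",
    r"C:\Users\alice\Documents\notes.txt",
]


def triage_run_entry(value_name: str, command: str) -> dict:
    """Rate one autorun entry by where its executable lives and what it is called."""
    m = EXE_PATH.search(command)
    path = (m.group(1) if m else command).lower()
    base = ntpath.basename(path)  # handles backslashes on any host OS
    user_dir = any(tok in path for tok in USER_WRITABLE)
    if user_dir and base in IMPERSONATED:
        severity = "high"
        reason = "%s impersonates a system/browser binary from a user-writable path" % base
    elif user_dir:
        severity = "medium"
        reason = "autorun from a user-writable path (verify the publisher)"
    else:
        severity, reason = "none", ""
    return {"name": value_name, "path": path, "severity": severity, "reason": reason}


def encrypted_artifacts(paths, ext=".fun", list_name="EncrypteFileList.txt") -> dict:
    """Collect the on-disk traces this variant leaves: renamed files and the file list."""
    encrypted = [p for p in paths if p.lower().endswith(ext)]
    list_present = any(ntpath.basename(p) == list_name for p in paths)
    return {"encrypted": encrypted, "list_present": list_present}


def triage_host(run_entries, file_listing) -> dict:
    """Combine persistence and artifact checks into one per-host verdict."""
    persistence = [triage_run_entry(n, c) for n, c in run_entries]
    artifacts = encrypted_artifacts(file_listing)
    high = [p for p in persistence if p["severity"] == "high"]
    likely = bool(high) and (bool(artifacts["encrypted"]) or artifacts["list_present"])
    return {"persistence": persistence, "artifacts": artifacts, "likely_jigsaw": likely}


if __name__ == "__main__":
    print(triage_host(SAMPLE_RUN_ENTRIES, SAMPLE_FILES))
```

The OneDrive entry shows the limit of the location heuristic: plenty of legitimate software updates itself from %LocalAppData%, so a user-writable path alone only earns "medium" and a publisher check. The combination of an impersonated binary name, a user-writable path and the .fun renames is what lifts the verdict.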

Upon further analysis, we also noted references to compiler debugging information in its strings which suggests that this ransomware might have been used as a project for the 6th semester of “Ethical Hacking.”

We are split on the “ethics” of this program's use. Does promoting its use support this kind of behavior and ultimately make it even more of a threat for everyone?

Because of the prevalence of these types of malware attacks, we urge our users to back up their files regularly.

SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: Jigsaw.RSM_16 (Trojan)

Cybersecurity News & Trends – 06-01-18

Each week, SonicWall collects the cyber security industry’s most compelling, trending and important interviews, media and news stories — just for you.


SonicWall Spotlight

Cybersecurity 500 List, 2018 Edition Cybersecurity Ventures

  • SonicWall is announced as #36 on Cybersecurity Ventures Cybersecurity 500: 2018 Edition List which includes the world’s hottest and most innovative cybersecurity companies to watch in 2018.

British Businesses Facing Cyber Ransom Demands of up to £200,000 The Daily Telegraph

  • Cyber criminals are arming themselves with “malware cocktails”, expertly blended using old variants of malicious computer code. The new viruses are more potent than their predecessors because they have adapted to companies’ cyber defenses, like a digital version of antibiotic-resistant superbugs.

Securing Your Journey to Success With Innovation and Security: SonicWall Silicon Review

  • Recently announced as one of the 10 Best Security Companies in 2018, SonicWall is featured in an editorial highlighting the company’s history and success with CEO Bill Conner at the forefront.

10 Best Security Companies in 2018 Silicon Review

  • SonicWall is announced as one of the 10 Best Security Companies in 2018.

Cyber Security News

Cybercriminals on Average Have Seven-Day Window of Opportunity to Attack SC Magazine

  • Once a vulnerability is announced, the average attacker has a seven-day window of opportunity to exploit the flaw before a defender is even aware they are vulnerable, according to a report from Tenable.

Deadly Attacks Feared as Hackers Target Industrial Sites The Hill

  • The hacking threat to critical infrastructure in the United States and beyond is growing larger, with nation states and other malicious actors looking to gain a foothold in sensitive technologies to conduct espionage and potentially stage disruptive or destructive attacks.

U.S. Judge Dismisses Kaspersky Suits to Overturn Government Ban Reuters

  • A U.S. federal judge on Wednesday dismissed two lawsuits by Moscow-based Kaspersky Lab that sought to overturn bans on the use of the security software maker’s products in U.S. government networks.

BackSwap Banking Malware Bypasses Browser Protections With Clever Technique SC Magazine

  • A new banking malware called BackSwap has replaced tricky conventional browser injections with a simpler browser manipulation technique.

Over 5K Gas Station Tank Gauges Sit Exposed on the Public Net Dark Reading

  • It’s been three years since researchers first discovered automated tank gauges (ATGs) at some 5,000 US gas stations exposed on the public Internet without password protection, and a recent scan found 5,635 locations were vulnerable to the same issue.

In Case You Missed It


Upcoming Webinars & Events

June 4
Webinar
1 a.m. PDT
Technical Deep Dive – Securing Office 365 with SonicWall Email Security

Frequently Asked Questions: The E-rate Program

While we’ve explained the ins and outs of the E-rate program during the five-part SonicWall E-rate Fear Less series, we wanted to use the final episode to explore the common questions about the E-rate program itself and how SonicWall cyber security solutions may be funded via the program.

Episode Five: E-rate Fear Less Series Q&A

Holly Davis interviews SonicWall software business development director John Mullen.

The final video in our five-part series explores these common E-rate program questions:

  • Why SonicWall for the K12 Environment?
  • What is SonicWall Capture ATP?
  • Why would SonicWall Capture ATP sandboxing be necessary for K12?
  • What is SonicWall SECaaS?
  • Does E-rate fund firewalls in their entirety?
  • Is Capture ATP funded by the E-rate program?
  • Is SECaaS funded by the E-rate program?
  • How do I get started with the E-rate program?
  • Where can we find additional resources about the E-rate program?

What technology is eligible for funding under the E-rate program?

To help offset funding and staffing shortages, the U.S. Department of Education and the FCC launched the E-rate program, which helps make telecommunications and information services more affordable for schools, campuses, districts and libraries.

The E-rate program is operated by the Universal Service Administrative Company (USAC), which has a core focus of providing underfunded verticals access to affordable technology and security services. This includes schools, libraries, rural healthcare organizations and more.

USAC provides a yearly Eligible Services List (ESL), which outlines which types of products and services can be procured via E-rate program discounts.

SonicWall and E-rate

With the most comprehensive channel program in the industry, combined with additional E-rate discounts, SonicWall and our partners are best positioned to meet the needs of K12 customers and help them take full advantage of the funding E-rate provides for securing their networks.

Through its global channel of more than 24,000 technology partners, SonicWall is actively involved in helping K12 education organizations cost-effectively obtain and deploy network security solutions. SonicWall provides a broad array of E-rate-eligible products and services, including firewalls and turnkey Security-as-a-Service solutions.

If you are an eligible K12 organization, please contact your preferred SonicWall reseller for information on E-rate benefits and discounts, or visit the SonicWall E-rate page for information, tools and guidance.

New Cyber Threat Intelligence Shows Growing Malware Volume, Encrypted Attacks

The latest cyberattack data from SonicWall shows increases across the board for global malware, ransomware, TLS/SSL encrypted attacks and intrusion attempts.

Highlighting these new findings, the SonicWall Capture Advanced Threat Protection sandbox, with Real-Time Deep Memory Inspection (RTDMI™), discovered 1,099 new malware variants each day in April.

This cyber threat intelligence, which is available in the SonicWall Security Center, maps the behavior of cybercriminals and the tactics they employ to breach the networks of businesses and organizations across the world.

Globally, the SonicWall Capture Threat Network, which includes more than 1 million sensors across the world, recorded the following 2018 year-to-date attack data:

  • 4,050,797,027 malware attacks (152 percent increase from 2017)
  • 1,233,667,979,688 intrusion attempts (67 percent increase)
  • 132,266,265 ransomware attacks (426 percent increase)
  • 914,975 instances of malware using SSL/TLS encryption (351 percent increase)

Breaking this down to the customer level, in April 2018 alone, the average SonicWall customer faced:

  • 2,254 malware attacks (95 percent increase from April 2017)
  • 78 ransomware attacks (343 percent increase)
  • 73 encrypted threats
  • 10 phishing attacks each day

1,099 new malware variants discovered by Capture ATP each day

Stop cyberattacks in memory

Included with Capture ATP, SonicWall’s patent-pending RTDMI technology catches more malware than behavior-based sandboxing methods, with a lower false positive rate. In 2018, RTDMI has discovered more than 5,000 never-before-seen malware variants — attacks likely missed by competing signature-based offerings.

First announced in February 2018, RTDMI technology is used by the SonicWall Capture Cloud Platform to identify and mitigate even the most insidious cyber threats, including memory-based attacks. RTDMI proactively detects and blocks unknown mass-market malware — including malicious PDFs and attacks leveraging Microsoft Office documents — via deep memory inspection in real time.

The 2018 SonicWall Cyber Threat Report advises that cybercriminals will continue to leverage users’ trust in PDFs and Microsoft Office applications (which represented five of the top 10 attacked applications of 2017). Because of obfuscation techniques, many legacy firewalls and anti-virus solutions are unable to effectively identify and mitigate PDFs or Microsoft Office file types that contain malicious content.

Exploit for PDF vulnerability CVE-2018-4990 exists in the wild

An out-of-bounds read vulnerability has recently been reported in the JPEG2000 component of Adobe Acrobat Reader. The vulnerability is due to a lack of validation while processing a JPEG2000 image embedded in a PDF document. The JPEG image can be manipulated to cause an out-of-bounds read and eventually an arbitrary free, as the out-of-bounds addresses are freed by the caller. JavaScript embedded in the PDF uses the JPEG image object to trigger the arbitrary free and then uses heap spray techniques to read and write memory.

Let's look at the PDF that exploits the vulnerability mentioned above.

Using pdf-parser, we see an embedded JPEG image object inside of the field button Button1.

There is also embedded JavaScript that runs as soon as the PDF document is opened. Let's decompress and extract the JavaScript for further analysis.

The JavaScript below allocates and frees large array buffers so that it holds references to the freed address space. It then triggers the out-of-bounds read bug by calling into the Button1 object, which allocates into the previously freed slot and eventually frees the pointers the attacker needs to carry out the attack. A heap spray technique is then used to read and write memory.

The stack trace below was retrieved by enabling page heap and user-mode stack traces with gflags.exe. The crash occurred due to an access violation, as JP2KLib.dll (the JPEG2000 component) attempts to free memory that does not belong to it.

The script then locates the base address of the DLL, builds a ROP chain from the given offsets and sprays it into the heap to redirect the execution flow to arbitrary code on the heap.

A remote attacker could exploit this vulnerability by enticing a user to open a PDF document with a crafted JPEG image & an embedded JavaScript that allows arbitrary code execution in the context of the application.

This can be mitigated by upgrading to the latest non-vulnerable version of the software or by disabling JavaScript in the Adobe Acrobat Reader.
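The document described above combines three things a PDF normally does not need together: JavaScript, an action that fires on open, and a JPEG2000 (JPXDecode) image reachable from a form button. That combination is a useful review trigger for mail or web gateways independently of any one CVE. The following script is an added example, not SonicWall's signature and not derived from the exploit; the rule is my own heuristic. It scans for the standard PDF name tokens (/JavaScript, /JS, /OpenAction, /AA, /JPXDecode, /FT /Btn) in the raw bytes and inside Flate-compressed streams, since PDF writers routinely hide the object dictionaries in compressed object streams. The three PDFs it runs on are constructed inline with placeholder script bodies.

```python
import re
import zlib

# Standard PDF name tokens; the combination rule further down is a triage
# heuristic of mine, not a vendor signature.
NAME_PATTERNS = {
    "javascript": re.compile(rb"/(JavaScript|JS)\b"),
    "auto_action": re.compile(rb"/(OpenAction|AA)\b"),   # script that runs on open
    "jpx_image": re.compile(rb"/JPXDecode\b"),           # JPEG2000-encoded image
    "button_field": re.compile(rb"/FT\s*/Btn\b"),        # form button, like Button1 above
}
# Stream bodies; matched on "\nendstream" so constructed LF data is taken exactly.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.S)

# Constructed sample 1: uncompressed PDF that runs JavaScript on open and
# carries a JPXDecode image and a button field. Image bytes and script are placeholders.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj<</Type/Catalog/Pages 2 0 R/OpenAction 5 0 R/AcroForm<</Fields[6 0 R]>>>>endobj\n"
    b"2 0 obj<</Type/Pages/Kids[3 0 R]/Count 1>>endobj\n"
    b"3 0 obj<</Type/Page/Parent 2 0 R/Resources<</XObject<</Im0 4 0 R>>>>>>endobj\n"
    b"4 0 obj<</Type/XObject/Subtype/Image/Width 1/Height 1/Filter/JPXDecode/Length 4>>"
    b"stream\nXXXX\nendstream\nendobj\n"
    b"5 0 obj<</S/JavaScript/JS(app.alert\\(\"constructed placeholder\"\\);)>>endobj\n"
    b"6 0 obj<</FT/Btn/T(Button1)/Subtype/Widget>>endobj\n"
    b"trailer<</Root 1 0 R>>\n%%EOF\n"
)


def _flate_object_stream(inner: bytes) -> bytes:
    """Wrap `inner` in a FlateDecode object stream, as PDF writers commonly do."""
    comp = zlib.compress(inner)
    header = (b"%PDF-1.7\n7 0 obj<</Type/ObjStm/N 1/First 0/Filter/FlateDecode/Length "
              + str(len(comp)).encode() + b">>stream\n")
    return header + comp + b"\nendstream\nendobj\ntrailer<</Root 1 0 R>>\n%%EOF\n"


# Constructed sample 2: the JavaScript and OpenAction names exist only inside a
# compressed object stream, so a grep over the raw file would miss them.
HIDDEN_JS_PDF = _flate_object_stream(
    b"1 0 obj<</Type/Catalog/OpenAction 5 0 R>>endobj\n"
    b"5 0 obj<</S/JavaScript/JS(app.alert\\(1\\);)>>endobj\n")

CLEAN_PDF = b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\ntrailer<</Root 1 0 R>>\n%%EOF\n"


def visible_content(data: bytes) -> bytes:
    """Raw bytes plus the inflated body of every Flate-compressed stream."""
    parts = [data]
    for m in STREAM_RE.finditer(data):
        try:
            parts.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # image data or a different filter; nothing to inflate
    return b"\n".join(parts)


def triage_pdf(data: bytes) -> dict:
    """Rate a PDF by which risky name tokens occur together."""
    content = visible_content(data)
    hits = {key: pat.search(content) is not None for key, pat in NAME_PATTERNS.items()}
    if hits["javascript"] and hits["jpx_image"]:
        risk = "high"     # script plus a JPEG2000 image it can drive: the pattern above
    elif hits["javascript"] and (hits["auto_action"] or hits["button_field"]):
        risk = "medium"   # script wired to open-time or to a form field
    elif hits["javascript"]:
        risk = "low"
    else:
        risk = "none"
    return {"hits": hits, "risk": risk}


if __name__ == "__main__":
    for name, blob in [("sample", SAMPLE_PDF), ("hidden", HIDDEN_JS_PDF), ("clean", CLEAN_PDF)]:
        print(name, triage_pdf(blob))
```

Two caveats for anyone deploying a check like this: it only sees Flate-compressed streams, so an encrypted PDF or one using other stream filters needs a full parser (the pdf-parser tool mentioned above is the usual choice), and a "high" here is a reason to detonate or quarantine the file, not a verdict on its own. The mitigation the write-up recommends, disabling JavaScript in the reader, removes the trigger for every document this heuristic would rate high.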

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • CVE-2018-4990