eWeek Goes 1-on-1 with SonicWall CEO Bill Conner

Bill Conner has a plan for SonicWall. And he’s already ahead of it.

In a recent interview with eWeek, the SonicWall CEO provided high-level perspective on not only where SonicWall is and how it got here, but also where it’s going in the future. It was a candid, one-on-one conversation that really lets the industry get to know SonicWall as a company.

“Everything comes through some kind of a network … where we think the market is going is really going to be about automated, real-time breach detection and prevention,” said Conner.

Announced in May 2018, SonicWall financially separated from Quest with oversubscribed investment interest and unprecedented growth in the last six quarters. This success is less than two years removed from Francisco Partners' purchase of SonicWall from Dell.

“We still have Dell as a partner, and as an OEM, and still do a great deal of business with them,” Conner told eWeek. “We also have business that has nothing to do with Dell.”

Conner walked eWeek through the last 10 months of fast-moving growth for SonicWall, which included 12 new products that featured updates to trusted firewalls, introduced new virtual firewall offerings and unveiled the SonicWall Capture Cloud Platform.

Conner stressed that all of the development into defending endpoints, email and other areas of vulnerability does not mean that SonicWall is diverging from its true nature, which is primarily that of a network security company. SonicWall is simply expanding the breadth of its cyber security portfolio to deliver more cost-effective, real-time protection to customers and partners.

“One of the big questions when I came in was, ‘Is the brand going to be alive?’” said Conner. “Then there were questions about our roadmap and ability to deliver … Now our vision, that I started talking about six quarters ago, is starting to be real.”

This fiscal year SonicWall also added over 24,000 SecureFirst partner organizations, a 60 percent year-over-year increase, while closing $530 million in partner deal registrations. Since the start of 2018, SonicWall has collected 27 cybersecurity industry accolades, most recently being named the Editor’s Choice Security Company of the Year by Cyber Defense Magazine.

Report: Low Confidence in Stopping Business Email Compromise (BEC), CEO Fraud

Email is the primary tool for business communications and it’s used across the globe by organizations of all sizes. So, it’s no surprise that email is also today’s No. 1 threat vector for cyberattacks.

The cyber threat landscape has evolved to a great extent. Today, email attacks are highly targeted and cybercriminals engage in extensive social engineering activities to learn information about their targets in order to craft personalized emails.

Such targeted and sophisticated phishing attacks have a higher success rate than mass campaigns. Users implicitly trust a familiar name or an email that contains personal information. These emails may contain malicious attachments, weaponized URLs that deliver malicious payloads, phishing websites with fake login pages to steal login credentials, or malware-less email that seeks confidential information or a wire transfer.

With the changing threat landscape, coupled with the lack of human and financial resources to keep pace, organizations find themselves as susceptible targets for email-based attacks, such as spear-phishing and CEO fraud/business email compromise (BEC).

To that end, SonicWall recently worked with Osterman Research and surveyed organizations to understand:

  • What are the top concerns for IT security decision-makers?
  • Why are cyberattacks succeeding?
  • How do you evaluate your current security posture?

Some of the key survey findings include:

  • Cyber threats are becoming more sophisticated as well-financed cybercriminal gangs develop improved variants of malware and social-engineering attacks. The perceived effectiveness of current security solutions is not improving – or is actually getting worse – for many organizations.
  • Most decision-makers have little confidence that their security infrastructure can adequately address infections on mobile devices, CEO fraud/BEC, or users' personal devices introducing malware into the corporate network.
  • To address the worsening threat landscape, security spending at mid-sized and large organizations will increase by an average of seven percent in 2018 compared to 2017.

The white paper also discusses the level of confidence that security professionals have in defending against these advanced threats. For example, 58 percent of those surveyed believe that their current solutions to eliminate malware before it reaches end users are either “very good” or “excellent,” and 55 percent believe that their ability to protect users from ransomware is this effective.

Unfortunately, things get worse from there: fewer than half of respondents believe their ability to block phishing attempts from end-users, eliminate account takeover attempts before they reach senior executives, and protect sensitive data is either “very good” or “excellent.”

Finally, some best practices that decision-makers must consider to protect against these advanced threats are:

  • Deploy a multi-layer approach for email security
  • View security holistically from cloud services to endpoint, with end-to-end monitoring
  • Train all users, including senior executives
  • Use adequate threat intelligence
  • Establish detailed and thorough policies

Get the In-Depth Osterman Report

Download the exclusive Osterman white paper, “Best Practices for Protection Against Phishing, Ransomware and Email Fraud,” compliments of SonicWall. The paper explores issues that security professionals face, how to evaluate your current security posture and best practices to consider implementing for sound email security.

Ramnit keeps coming back

SonicWall has been observing a new variant of Ramnit lately. Ramnit, a persistent VBScript worm that first appeared around 2010, is known for spreading aggressively by self-replicating and injecting into other processes, executables, DLL and HTML files. Historically, Ramnit used compromised websites to host malicious VBScript that infected users visiting those pages. The Ramnit botnet infrastructure attracted a great deal of attention and was taken down in a major operation.

 

Infection Cycle:

The payload file is delivered to users through social engineering or phishing email campaigns. When the file is opened, it executes VBScript and drops the malicious executable "svchost.exe", which replicates and injects itself into system files and processes. It then opens a back door and connects to a C&C server to steal information from the compromised computer.

 

Although the file extension is .html, its header and format have been crafted to look like a PDF to evade detection. A PDF static analyzer would fail to parse the VBScript stream content, and dynamic analysis would not help either, as PDF does not support VBScript. As shown below, the malicious VBScript is appended after the PDF content.

The infection then proceeds as follows:

  • When the file is opened in Internet Explorer, an ActiveX warning pops up in newer versions of IE.
  • Once ActiveX is allowed, the VBScript in the HTML page executes. It creates svchost.exe, drops it into the user's %Temp% directory and runs it from that path.
  • svchost.exe creates further executables, "Desktoplayer.exe" and "DesktoplayerSrv.exe".
  • It then searches the system for HTML files and infects them by appending the malicious VBScript to each one.
  • svchost.exe, running from the %Temp% location, changes system registry entries, spawns a "chrome.exe" process and injects itself into it, so the malicious svchost.exe code ends up running under the spawned "chrome.exe".
  • Once the system is compromised, it connects to the C2 server fget-career.com, which has previously been involved in Ramnit campaigns.

The activity of Ramnit against the PDF-formatted file is shown below.

SonicWALL Threat Lab provides protection against this threat via the following signature:

  • Ramnit.VBS.Dropper
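As an added example (not SonicWall's code), a small Python triage scanner for the two file-level artifacts this write-up describes: .html files disguised with a PDF header, and pages on disk that have had a VBScript block appended after their closing tag. The sample files it scans are constructed inline.

```python
"""Triage scanner for Ramnit-style HTML infection (added example, not SonicWall's code).

Two heuristics taken from the write-up:
  1. An .html file whose bytes start with a PDF header ("%PDF-") yet contain a
     VBScript block: a dropper page disguised to confuse PDF-based analysis.
  2. An HTML page with a VBScript <script> block sitting after its closing
     </html> tag: the footprint the worm leaves when it appends itself to pages
     already on disk.
The sample files are constructed here so the script runs offline.
"""
import re
import tempfile
from pathlib import Path

# <script language="VBScript"> or <script type="text/vbscript">, any case or quoting
VBSCRIPT_TAG = re.compile(
    rb"<script[^>]*(?:language|type)\s*=\s*['\"]?(?:text/)?vbscript", re.IGNORECASE)
HTML_CLOSE = re.compile(rb"</html\s*>", re.IGNORECASE)


def classify(data: bytes) -> list:
    """Return the list of Ramnit indicators found in one file's bytes."""
    findings = []
    if data.lstrip().startswith(b"%PDF-") and VBSCRIPT_TAG.search(data):
        findings.append("pdf-disguised-vbscript-dropper")
    close = HTML_CLOSE.search(data)
    # A script placed *after* the first </html> was not written by the page author.
    if close and VBSCRIPT_TAG.search(data, close.end()):
        findings.append("vbscript-appended-after-html")
    return findings


def scan_tree(root: Path) -> dict:
    """Map each suspicious .htm/.html file name under root to its indicators."""
    hits = {}
    for path in root.rglob("*"):
        if path.suffix.lower() in (".htm", ".html") and path.is_file():
            found = classify(path.read_bytes())
            if found:
                hits[path.name] = found
    return hits


# Constructed samples: a clean page, an infected page and a disguised dropper.
CLEAN_PAGE = b"<html><body><p>Quarterly report</p></body></html>\n"
APPENDED_VBS = (b"<SCRIPT Language=VBScript>\n"
                b"' placeholder standing in for the worm's dropper code\n"
                b"</SCRIPT>")
INFECTED_PAGE = CLEAN_PAGE + APPENDED_VBS
DISGUISED_DROPPER = (b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj << /Type /Catalog >> endobj\n"
                     b"<html><body>" + APPENDED_VBS + b"</body></html>")


def demo() -> dict:
    """Write the samples to a scratch directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_bytes(CLEAN_PAGE)
        (root / "sub").mkdir()
        (root / "sub" / "news.html").write_bytes(INFECTED_PAGE)
        (root / "invoice.html").write_bytes(DISGUISED_DROPPER)
        return scan_tree(root)


if __name__ == "__main__":
    for name, indicators in demo().items():
        print(f"{name}: {', '.join(indicators)}")
```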

Ransomware possibly being used to teach "Ethical" hacking

Ransomware has been so rampant that we receive multiple different variants daily. The SonicWall Capture Labs Threat Research Team recently received a sample of the Jigsaw ransomware which, at first glance, is no different from any other ransomware. We have been tracking and analyzing this ransomware since we first spotted it in 2016. This newer sample, however, appears to have added functionality to communicate with a remote command and control server. We also noticed that this build could possibly have been used as a school project, which one might find odd considering that ransomware continues to be a lucrative, albeit unethical, business. Are we teaching how to create your own ransomware in school nowadays?

Infection Cycle:

This ransomware arrives in the system pretending to be a PDF file using the following icon:

Upon execution, it copies itself to the following directories as firefox.exe and drpbx.exe:

  • %Appdata%/Frfx/firefox.exe
  • %Appdata%/Drpbx/drpbx.exe

It then sends information such as username and computer name to a remote server:

It then proceeds to encrypt files in the victim’s machine and appends a “.fun” file extension to all encrypted files.

It also creates a file named EncrypteFileList.txt in the root directory that lists all files that have been encrypted.

It then displays an image of the fictional character, Jigsaw, reminiscent of the horror movie Saw with the warning and instructions on how to pay the ransom.

It also adds a run key in the registry to ensure persistence in an event of a system reboot.

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run: firefox.exe = %Appdata%\Frfx\firefox.exe

Upon further analysis, we also noted references to compiler debugging information in its strings which suggests that this ransomware might have been used as a project for the 6th semester of “Ethical Hacking.”

We are split on the "ethics" of this program's use. Does promoting its use support this kind of behavior and ultimately make it even more of a threat for everyone?

Because of the prevalence of these types of malware attacks, we urge our users to back up their files regularly.

SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: Jigsaw.RSM_16 (Trojan)

Cybersecurity News & Trends – 06-01-18

Each week, SonicWall collects the cyber security industry’s most compelling, trending and important interviews, media and news stories — just for you.


SonicWall Spotlight

Cybersecurity 500 List, 2018 Edition Cybersecurity Ventures

  • SonicWall is announced as #36 on Cybersecurity Ventures Cybersecurity 500: 2018 Edition List which includes the world’s hottest and most innovative cybersecurity companies to watch in 2018.

British Businesses Facing Cyber Ransom Demands of up to £200,000 The Daily Telegraph

  • Cyber criminals are arming themselves with “malware cocktails”, expertly blended using old variants of malicious computer code. The new viruses are more potent than their predecessors because they have adapted to companies’ cyber defenses, like a digital version of antibiotic-resistant superbugs.

Securing Your Journey to Success With Innovation and Security: SonicWall Silicon Review

  • Recently announced as one of the 10 Best Security Companies in 2018, SonicWall is featured in an editorial highlighting the company’s history and success with CEO Bill Conner at the forefront.

10 Best Security Companies in 2018 Silicon Review

  • SonicWall is announced as one of the 10 Best Security Companies in 2018.

Cyber Security News

Cybercriminals on Average Have Seven-Day Window of Opportunity to Attack SC Magazine

  • Once a vulnerability is announced, the average attacker has a seven-day window of opportunity to exploit the flaw before a defender is even aware they are vulnerable, according to report from Tenable.

Deadly Attacks Feared as Hackers Target Industrial Sites The Hill

  • The hacking threat to critical infrastructure in the United States and beyond is growing larger, with nation states and other malicious actors looking to gain a foothold in sensitive technologies to conduct espionage and potentially stage disruptive or destructive attacks.

U.S. Judge Dismisses Kaspersky Suits to Overturn Government Ban Reuters

  • A U.S. federal judge on Wednesday dismissed two lawsuits by Moscow-based Kaspersky Lab that sought to overturn bans on the use of the security software maker’s products in U.S. government networks.

BackSwap Banking Malware Bypasses Browser Protections With Clever Technique SC Magazine

  • A new banking malware called BackSwap has replaced tricky conventional browser injections with a simpler browser manipulation technique.

Over 5K Gas Station Tank Gauges Sit Exposed on the Public Net Dark Reading

  • It’s been three years since researchers first discovered automated tank gauges (ATGs) at some 5,000 US gas stations exposed on the public Internet without password protection, and a recent scan found 5,635 locations were vulnerable to the same issue.

In Case You Missed It


Upcoming Webinars & Events

June 4
Webinar
1 a.m. PDT
Technical Deep Dive – Securing Office 365 with SonicWall Email Security
> Register Now

Frequently Asked Questions: The E-rate Program

While we’ve explained the ins and outs of the E-rate program during the five-part SonicWall E-rate Fear Less series, we wanted to use the final episode to explore the common questions about the E-rate program itself and how SonicWall cyber security solutions may be funded via the program.

Episode Five: E-rate Fear Less Series Q&A

Holly Davis interviews SonicWall software business development director John Mullen.

The final video in our five-part series explores these common E-rate program questions:

  • Why SonicWall for the K12 Environment?
  • What is SonicWall Capture ATP?
  • Why would SonicWall Capture ATP sandboxing be necessary for K12?
  • What is SonicWall SECaaS?
  • Does E-rate fund firewalls in their entirety?
  • Is Capture ATP funded by the E-rate program?
  • Is SECaaS funded by the E-rate program?
  • How do I get started with the E-rate program?
  • Where can we find additional resources about the E-rate program?

What technology is eligible for funding the E-rate program?

To help offset funding and staffing shortages, the U.S. Department of Education and the FCC launched the E-rate program, which helps make telecommunications and information services more affordable for schools, campuses, districts and libraries.

The E-rate program is operated by the Universal Service Administrative Company (USAC), whose core focus is providing underfunded verticals with access to affordable technology and security services. This includes schools, libraries, rural healthcare organizations and more.

USAC provides a yearly Eligible Services List (ESL), which outlines which types of products and services can be procured via E-rate program discounts.

SonicWall and E-rate

With the most comprehensive channel program in the industry, combined with additional E-rate discounts, SonicWall and our partners are best positioned to meet the needs of K12 customers and help them take full advantage of the funding E-rate provides for securing their networks.

Through its global channel of more than 24,000 technology partners, SonicWall is actively involved in helping K12 education organizations cost-effectively obtain and deploy network security solutions. SonicWall provides a broad array of E-rate-eligible products and services, including firewalls and turnkey Security-as-a-Service solutions.

If you are an eligible K12 organization, please contact your preferred SonicWall reseller for information on E-rate benefits and discounts, or visit the SonicWall E-rate page for information, tools and guidance.

New Cyber Threat Intelligence Shows Growing Malware Volume, Encrypted Attacks

The latest cyberattack data from SonicWall shows increases across the board for global malware, ransomware, TLS/SSL encrypted attacks and intrusion attempts.

Highlighting these new findings, the SonicWall Capture Advanced Threat Protection sandbox, with Real-Time Deep Memory Inspection (RTDMI™), discovered 1,099 new malware variants each day in April.

This cyber threat intelligence, which is available in the SonicWall Security Center, maps the behavior of cybercriminals and the tactics they employ to breach the networks of businesses and organizations across the world.

Globally, the SonicWall Capture Threat Network, which includes more than 1 million sensors across the world, recorded the following 2018 year-to-date attack data:

  • 4,050,797,027 malware attacks (152 percent increase from 2017)
  • 1,233,667,979,688 intrusion attempts (67 percent increase)
  • 132,266,265 ransomware attacks (426 percent increase)
  • 914,975 instances of malware using SSL/TLS encryption (351 percent increase)

Breaking this down to the customer level, in April 2018 alone, the average SonicWall customer faced:

  • 2,254 malware attacks (95 percent increase from April 2017)
  • 78 ransomware attacks (343 percent increase)
  • 73 encrypted threats
  • 10 phishing attacks each day

1,099 new malware variants discovered by Capture ATP each day

Stop cyberattacks in memory

Included with Capture ATP, SonicWall’s patent-pending RTDMI technology catches more malware than behavior-based sandboxing methods, with a lower false positive rate. In 2018, RTDMI has discovered more than 5,000 never-before-seen malware variants — attacks likely missed by competing signature-based offerings.

First announced in February 2018, RTDMI technology is used by the SonicWall Capture Cloud Platform to identify and mitigate even the most insidious cyber threats, including memory-based attacks. RTDMI proactively detects and blocks unknown mass-market malware — including malicious PDFs and attacks leveraging Microsoft Office documents — via deep memory inspection in real time.

The 2018 SonicWall Cyber Threat Report advises that cybercriminals will continue to leverage users’ trust in PDFs and Microsoft Office applications (which represented five of the top 10 attacked applications of 2017). Because of obfuscation techniques, many legacy firewalls and anti-virus solutions are unable to effectively identify and mitigate PDFs or Microsoft Office file types that contain malicious content.

 

Exploit for PDF vulnerability CVE-2018-4990 exists in the wild

An out-of-bounds read vulnerability has recently been reported in the JPEG2000 component of Adobe Acrobat Reader. This vulnerability is due to a lack of validation while processing an embedded JPEG2000 image in a PDF document. The embedded JPEG image can be manipulated to cause an out-of-bounds read and, eventually, an arbitrary free, as the resulting addresses are freed by the caller. The JavaScript embedded in the PDF uses the JPEG image object to cause the arbitrary free and later employs heap spray techniques to read from and write to memory.

Let's look into a PDF that exploits the above-mentioned vulnerability.

Using pdf-parser, we see an embedded JPEG image object inside the form field button Button1.

 

 

There is also embedded JavaScript that springs into action when the PDF document is opened. Let's decompress and extract the JavaScript for further analysis.

 

 

The JavaScript below allocates and frees large array buffers so that it retains references to the freed address space. It then triggers the out-of-bounds read bug by calling into the Button1 object, which allocates into the previously freed slot and eventually frees the pointers the attacker needs to carry out the attack. Heap spraying is then used to read from and write to memory.

 

 

The stack trace below was retrieved by enabling gflags.exe with Page Heap and user-mode stack traces. The crash occurred due to an access violation, as JP2KLib.dll (the JPEG2000 component) tried to free memory that did not belong to it.

 

It locates the base address of the DLL, builds the ROP chain with the given offsets and sprays it into the heap to redirect execution flow to the arbitrary code placed in the heap.

 

A remote attacker could exploit this vulnerability by enticing a user to open a PDF document containing a crafted JPEG image and embedded JavaScript, allowing arbitrary code execution in the context of the application.

This can be mitigated by upgrading to the latest non-vulnerable version of the software or by disabling JavaScript in the Adobe Acrobat Reader.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • CVE-2018-4990
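The two ingredients the analysis above identifies, a JPEG2000 image and embedded JavaScript, can be flagged statically before a document ever reaches a reader. The following Python scanner is an added example, not SonicWall's code nor the sample from this write-up; it inspects a constructed PDF (its object layout, including a Button1 widget, is assumed) and rates the document by which ingredients are present.

```python
"""Static triage for the exploit ingredients described above (added example: not
SonicWall's code and not the sample from the write-up). The chain needs both a
JPEG2000 image (/JPXDecode, decoded by JP2KLib.dll) and JavaScript. This scanner
lists every object carrying either, inflates FlateDecode streams so dictionaries
hidden inside object streams (/ObjStm) are seen too, and rates the file HIGH when
both ingredients are present. Assumes /Length is a direct integer."""
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.DOTALL)
MARKERS = {  # PDF name -> indicator label
    b"/JPXDecode": "jpeg2000-image",
    b"/JavaScript": "javascript",
    b"/JS": "javascript",
    b"/OpenAction": "auto-action",
    b"/AA": "auto-action",
}


def _stream_bytes(body: bytes) -> bytes:
    """Slice the raw stream out of an object body using its /Length entry."""
    length = re.search(rb"/Length\s+(\d+)", body)
    start = re.search(rb"stream\r?\n", body)
    if not length or not start:
        return b""
    return body[start.end():start.end() + int(length.group(1))]


def _inflate(body: bytes) -> bytes:
    """Decoded stream content for FlateDecode objects, empty otherwise."""
    if b"/FlateDecode" not in body:
        return b""
    try:
        return zlib.decompress(_stream_bytes(body))
    except zlib.error:
        return b""


def scan_pdf(data: bytes) -> dict:
    """Map object number -> sorted indicator labels for every flagged object."""
    findings = {}
    for num, _gen, body in OBJ_RE.findall(data):
        text = body + _inflate(body)
        labels = set()
        for name, label in MARKERS.items():
            # A non-letter must follow the name so /JS does not match /JSX etc.
            if re.search(re.escape(name) + rb"(?![A-Za-z])", text):
                labels.add(label)
        if labels:
            findings[int(num)] = sorted(labels)
    return findings


def rate(findings: dict) -> str:
    labels = {lab for labs in findings.values() for lab in labs}
    if {"jpeg2000-image", "javascript"} <= labels:
        return "HIGH"  # both ingredients of the CVE-2018-4990 chain present
    if "javascript" in labels:
        return "MEDIUM"
    return "LOW"


def build_sample_pdf() -> bytes:
    """Constructed document: a Button1 widget whose icon is a JPX image, plus
    JavaScript tucked inside a compressed object stream."""
    hidden = b"5 0 << /S /JavaScript /JS (app.alert('constructed sample')) >>"
    packed = zlib.compress(hidden)
    objects = [
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R "
        b"/AcroForm << /Fields [6 0 R] >> >>\nendobj",
        b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj",
        b"3 0 obj\n<< /Type /XObject /Subtype /Image /Width 1 /Height 1 "
        b"/Filter /JPXDecode /Length 4 >>\nstream\nXXXX\nendstream\nendobj",
        b"4 0 obj\n<< /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
        + str(len(packed)).encode() + b" >>\nstream\n" + packed + b"\nendstream\nendobj",
        b"6 0 obj\n<< /Type /Annot /Subtype /Widget /FT /Btn /T (Button1) "
        b"/MK << /I 3 0 R >> >>\nendobj",
    ]
    return b"%PDF-1.7\n" + b"\n".join(objects) + b"\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
```

Running `rate(scan_pdf(build_sample_pdf()))` returns "HIGH" because objects 3 and 4 together carry a JPX image and JavaScript; on a real document, replace the constructed bytes with the file's contents.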

Sigrun 1.0 Ransomware spotted (May 25 2018)

The SonicWall Capture Labs Threat Research Team has observed reports of ransomware named Sigrun, after the Norse mythological figure. As expected, this Trojan encrypts files and demands a ransom for recovery. To lighten the mood, it attempts to play Vivaldi's The Four Seasons in the background.

 

Infection Cycle:

Upon infection, the Trojan immediately encrypts files on the system.  Encrypted files are given a .sigrun extension.  The following files are dropped into all directories containing encrypted files:

  • RESTORE-SIGRUN.html
  • RESTORE-SIGRUN.txt

RESTORE-SIGRUN.html is displayed and contains the following ransom note:

 

The HTML page also contains code to play Vivaldi’s The Four Seasons in the background:

 

RESTORE-SIGRUN.txt contains the following message:


 

We reached out to sigrun_decryptor@protonmail.ch and received the following message:

 

However, the $500 ransom quickly grew to 1 BTC ($7,550 at the time of writing) in an email received the following day. Additionally, a threat is made to increase the ransom to 2 BTC if it is not paid within 24 hours:

 

It seems that the operators may have been successful. The transaction history of the supplied bitcoin address 1XPYJt98eZDcPfLd57ysaGbc7Lp7pBnFr shows 18 transactions totaling 3.56 BTC so far. The history also suggests that some form of the malware may have been active as early as March 2018:

 

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Sigrun.RSM (Trojan)
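Both the Jigsaw analysis earlier on this page and the Sigrun analysis above describe the same kind of on-disk evidence: a renamed-file extension plus a dropped note or file list. As an added example (not SonicWall's code), this Python sweep counts those artifacts per family and extracts the contact and payment details from any note it finds; the directory tree and note text are constructed inline, reusing only the values quoted in the write-ups.

```python
"""Triage sweep for the Jigsaw and Sigrun artifacts described above (added example, not
SonicWall's code). It counts files carrying each family's extension, finds the dropped
file list or ransom notes, and pulls contact e-mails and bitcoin addresses out of any
note so they can be recorded as indicators. The directory tree is constructed inline."""
import re
import tempfile
from pathlib import Path

FAMILIES = {  # encrypted-file extension and the marker files each family drops
    "Jigsaw": {"ext": ".fun", "notes": {"encryptefilelist.txt"}},
    "Sigrun": {"ext": ".sigrun", "notes": {"restore-sigrun.html", "restore-sigrun.txt"}},
}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Legacy base58 bitcoin address: leading 1 or 3, 26-35 characters, no 0/O/I/l.
BTC_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def extract_iocs(text: str) -> dict:
    """Contact addresses and payment addresses quoted in a ransom note."""
    return {"emails": sorted(set(EMAIL_RE.findall(text))),
            "btc_addresses": sorted(set(BTC_RE.findall(text)))}


def sweep(root: Path) -> dict:
    """Per family: encrypted-file count, note paths relative to root, note IOCs."""
    report = {name: {"encrypted": 0, "notes": [], "iocs": {"emails": [], "btc_addresses": []}}
              for name in FAMILIES}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        for name, sig in FAMILIES.items():
            entry = report[name]
            if path.suffix.lower() == sig["ext"]:
                entry["encrypted"] += 1
            elif path.name.lower() in sig["notes"]:
                entry["notes"].append(path.relative_to(root).as_posix())
                found = extract_iocs(path.read_text(errors="replace"))
                for key, values in found.items():
                    entry["iocs"][key] = sorted(set(entry["iocs"][key]) | set(values))
    for entry in report.values():
        entry["notes"].sort()
        # Confirm a family only when both its extension and its marker file are present;
        # a lone renamed file is not enough to attribute the activity.
        entry["confirmed"] = entry["encrypted"] > 0 and bool(entry["notes"])
    return report


# Constructed note text reusing the contact and payment details quoted in the write-up.
SIGRUN_NOTE = ("Your files were encrypted and renamed to .sigrun\n"
               "Write to sigrun_decryptor@protonmail.ch for a price\n"
               "Bitcoin address: 1XPYJt98eZDcPfLd57ysaGbc7Lp7pBnFr\n")


def demo() -> dict:
    """Build a scratch tree with Sigrun activity and one stray Jigsaw-style file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        docs = root / "docs"
        docs.mkdir()
        (docs / "budget.xlsx.sigrun").write_bytes(b"\x00" * 16)
        (docs / "memo.docx.sigrun").write_bytes(b"\x00" * 16)
        (docs / "RESTORE-SIGRUN.txt").write_text(SIGRUN_NOTE)
        (root / "photo.jpg.fun").write_bytes(b"\x00" * 16)
        return sweep(root)


if __name__ == "__main__":
    for family, entry in demo().items():
        print(family, entry)
```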

Cyber Security News & Trends – 05-25-18

Each week, SonicWall collects the cyber security industry’s most compelling, trending and important interviews, media and news stories — just for you.


SonicWall Spotlight

Real-Time Cyber Threat Intelligence Is More Critical Than Ever Forbes

  • SonicWall CEO Bill Conner discusses the importance of organizations utilizing real-time cyber threat intelligence as the cybersecurity landscape grows increasingly dangerous.

SonicWall Splits from Quest, Surpasses Financial Objectives Dark Reading

  • Dark Reading breaks down SonicWall's recent momentum announcement, touching on the company's newfound financial and operational independence, as well as innovations on the partner and customer front.

SonicWall Boasts 60% YOY Partner Deal-Registration Increase Channel Partners

  • Due to SonicWall’s recent announcement, the company is featured for its success in the channel with the SecureFirst program which enabled partner deal registrations to hit a year-over-year increase of 60 percent.

Cyber Security News

VPNFilter Malware With Bricking Capabilities Poses Major Threat After Infecting 500,000+ Networking Devices SC Magazine

  • A potentially highly-destructive malware is estimated to have infected at least 500,000 networking devices in at least 54 countries since as far back as 2016, in what could be the prelude to a massive attack potentially capable of cutting off the internet from hundreds of thousands around the world.

U.S. Launches Criminal Probe into Bitcoin Price Manipulation Bloomberg

  • The Justice Department has opened a criminal probe into whether traders are manipulating the price of Bitcoin and other digital currencies, dramatically ratcheting up U.S. scrutiny of red-hot markets that critics say are rife with misconduct, according to four people familiar with the matter.

UK Threatens to Name and Shame State Backers of Cyber-attacks The Guardian

  • In a speech referring to Russian and North Korean “campaigns of intrusion”, Jeremy Wright QC called for international sanctions to be applied against countries that exploit cyberspace for illegal purposes.

Cyber Amendments to Watch in the House’s Defense Authorization Bill Nextgov

  • The House Rules Committee is considering more than a dozen cyber-focused amendments to the National Defense Authorization Act, a must-pass policy bill.

Intel Responds to Spectre-Like Flaw in CPUs Threat Post

  • Intel acknowledged that its processors are vulnerable to another dangerous speculative execution side channel flaw that could give attackers unauthorized read access to memory.

In Case You Missed It


Upcoming Webinars & Events

May 30
Webinar
11 a.m. PDT
Identify and Stop Malware in the Quickest and Most Accurate Way Possible
> Register Now

June 4
Webinar
1 a.m. PDT
Technical Deep Dive – Securing Office 365 with SonicWall Email Security
> Register Now