How to Stop Fileless Malware

/0 Comments/in /by

In 2017, SonicWall Capture Labs discovered 56 million new forms of malware from across the globe. Threat actors are constantly creating updates to known versions of malware to get past defenses that rely on identifying malware (i.e., signatures). The forms of security that stop malware and ransomware based on signatures are only effective if they can identify the strain.

Since malware authors don’t want to continually update their code and have attacks in flight fail, they often resort to creating fileless malware as a highly effective alternative.

What is fileless malware?

Fileless malware has been around for some time, but has dramatically increased in popularity the last few years. These malware leverage on-system tools such as PowerShell, macros (like in Microsoft Word and Excel), Windows Management Instrumentation or other on-system scripting functionality to propagate, execute and perform whatever tasks it was developed to perform.

The problem for the business

One of the reasons fileless malware is so powerful is that security products cannot just block the systems or software that these are utilizing. For example, if a security admin blocked PowerShell, many IT maintenance tasks would be terminated. This makes it impossible for signature-based security solutions to detect or prevent it because the low footprint and the absence of files to scan.

How can SonicWall stop fileless malware?

The key is not to look at the file but, instead, look at how it behaves when it runs on the endpoint. This is effective because although there is a large and increasing number of malware variants, they operate in very similar ways. This is similar to how we educate our children to avoid people based on behavior instead of showing them a list of mug shots every time they leave home.

SonicWall Capture Client, powered by SentinelOne, is a next-generation antivirus endpoint protection platform that uses multiple engines, including static and behavioral AI, to stop malware before, during and even after execution. It also offers the ability to roll back an endpoint to a state before the malware got on to or activated on the system.

In the face of fileless malware, the full behavioral monitoring approach is amazing at detecting and preventing this type of attack because it is agnostic to the attack vector.

How does it work?

SonicWall actively monitors all activities on the agent side at the kernel level to differentiate between malicious and benign activities. Once Capture Client detects malicious activity, it can effectively mitigate an attack and, if needed, roll back any damage, allowing the user to work on a clean device.

Conclusion

Ultimately, adversaries will always take the shortest path to compromise endpoints to ensure the highest return with the least amount of effort. Fileless malware is quickly becoming one of the most popular ways to do so. It is not enough to just block essential operations like PowerShell.

You need anti-virus software that fully monitors the behavior of a system to prevent attacks utilizing exploits, macro documents, exploit kits, PowerShell, PowerSploit and zero-days vulnerabilities locally and without dependence to network connectivity.

To learn more, download the in-depth data sheet, “SonicWall Capture Client powered by SentinelOne.”

Webinar: Stop Fileless Malware with SonicWall Capture Client

Join SonicWall and SentinelOne cyber security experts to learn how to stay safe from advanced cyber threats like fileless malware.

WATCH NOW

Cyber Security News & Trends – 04-13-18

/0 Comments/in /by

Each week, SonicWall collects the cyber security industry’s most compelling, trending and important interviews, media and news stories — just for you.

SonicWall Spotlight

Ransomware Tops Malicious Attack Charts  BBC

  • SonicWall President and CEO Bill Conner talks about the growing concern of ransomware attacks as numbers indicate a growing number of attacks on the UK’s SMBs.

EXCLUSIVE: Britain Facing Cyber War as Online Attacks Soar by 300%  Daily Express

  • In an exclusive interview with The Daily Express’ John Ingham, SonicWall President and CEO Bill Conner discusses the 300 percent increase in UK cyber attacks, compared to a 151 percent increase worldwide.

Cyber Security News

Imagine You’re Having a CT Scan and Malware Alters the Radiation Levels  The Register

  • As memories of last May’s WannaCry cyber attack fade, the healthcare sector and Britain’s NHS are still deep in learning.

Privacy Imported: US Weighs EU-Style Regulations to Protect Your Data    CNET

  • Congressional hearings with Facebook’s Mark Zuckerberg get lawmakers talking about regulations for internet companies’ collection and use of consumer data.

Company Insiders Behind 1 in 4 Data Breaches – Study    The Register

  • From The Register’s report on the annual Verizon Threat Report.

Researchers Unearth New Malware Designed to Make ATMs Spew Out Cash  Gizmodo

  • Researchers have recently discovered a new kind of “jackpotting” malware — the sole purpose of which is forcing ATMs to spit out huge volumes of cash.

In Case You Missed It

Upcoming Events & Webinars

April 16-20
RSA Conference
San Francisco
Moscone Center
Booth 4115, North Hall

April 25
Webinar
11 a.m. PDT
Stop Fileless Malware with SonicWall Capture Client
> Register Now

Is Your Firewall Ready for the IoT Era? The 3 Tough Questions to Ask

/0 Comments/in /by

My wife was out of the country recently, so I took the opportunity to nudge our house a little further into the 21st century by installing a Nest thermostat. It won’t solve my family’s disagreements about the temperature, but it’s a cool gadget that makes me feel like I’m modernizing a house that was built well into the last century.

The thermostat is just one of many smart devices on the market that connects to the internet and your local network — whether that’s at home, the office or your business. In this case, it’s connecting via Wi-Fi to my home firewall, so I know it’s secure.

But is that the case for all the Internet of Things (IoT) devices out there? The number of connected “things” that need to be secured continues to grow — cars, TVs, watches, wearables, refrigerators, security cameras. And these are just a few examples.

By the end of 2018, statistics research company Statista expects the installed base of IoT devices to exceed 23 billion, increasing to almost 31 billion in 2020. That’s a whole lot things that can connect to your organization’s network, and it doesn’t include all the PCs, laptops and phones we use daily. Some connect to a firewall or router through an Ethernet cable, while others connect over wireless. Whether they’re tethered or not, more connected devices means more risk.

To help secure the flow of traffic across networks, organizations have increasingly been turning to the use of Transport Layer Security and Secure Sockets Layer (TLS/SSL) encryption.

In fact, SonicWall recently noted in its 2018 Cyber Threat Report that almost 70 percent of connections are now encrypted. Like sales of IoT devices, the number of HTTP sessions continues to climb. While this is generally a good thing, cyber criminals are also using encryption to hide their attacks.

How to secure IoT devices connecting to my network

So, what steps can you take to make sure all your devices can connect securely to your organization’s network? Here are three questions you should address:

  1. Can my firewall decrypt and scan encrypted traffic for threats?
    As I mentioned earlier, the use of encryption is growing both for good and malicious purposes. More and more, we’re seeing cyber criminals hiding their malware and ransomware attacks in encrypted sessions, so you need to make sure your firewall can apply deep packet inspection (DPI) to HTTPS connections, such as DPI-SSL.
  2. Can my firewall support deep packet inspection across all my connected devices?
    Someone told me the other day that very soon each person will have an average of 13 connected devices. That’s a lot of potential devices connecting to your network. Now think of all the encrypted web sessions each device might have. You need to make sure your firewall can support all of them while securing each from advanced cyber attacks. Having only a high number of stateful packet inspection connections doesn’t cut it any more. Today, it’s about supporting more deep packet inspection connections.
  3. Can my firewall enable secure high-speed wireless?
    OK, this one sounds simple. Everyone says they provide high-speed wireless. But are you sure? The latest wireless standard is 802.11ac Wave 2, which promises multi-gigabit Wi-Fi to support bandwidth-intensive apps. Access points with a physical connection to the firewall should have a port capable of supporting these faster speeds. So should the firewall. Using a 1-GbE port creates a bottleneck on the firewall, while 5-GbE and 10-GbE ports are overkill. Having a 2.5-GbE port makes for a good fit.

SonicWall NSa next-generation firewalls

If you’re not sure you can answer “Yes” to these three questions about your current firewall it may be time to revisit your security strategy. One solution you should look at is the SonicWall NSa series.

We’ve recently introduced several new models for mid-sized networks and distributed enterprises with remote and branch sites. The new NSa 3650, NSa 4650 and NSa 5650 join the NSa 2650, which SonicWall released last September. All four models deliver the automated real-time breach detection and prevention today’s organizations need.

NSa Series

SonicWall NSa next-generation firewalls now include NSa 3650, 4650 and 5650 offerings.

Here are a few of the key features the NSa series offers:

  • Cloud-based, on-box threat protection – Staying ahead of sophisticated attacks requires a more modern approach that heavily leverages security intelligence in the cloud. NSa series next-generation firewalls integrate two advanced security technologies — our patent-pending Real-Time Deep Memory InspectionTM and patented Reassembly-Free Deep Packet Inspection‚ which deliver cloud-based, on-box threat protection.
  • High connection count – The NSa series enables a very high number of deep packet inspection (DPI) and deep packet inspection of TLS/SSL-encrypted (DPI-SSL) connections.
  • High port density – The NSa series provides high port density, ranging from 20 physical ports on the NSa 2650 up to 28 on the NSa This high port density enables more devices to connect directly to the firewall without the need for a switch.
  • 5-GbE ports – NSa series firewalls include multiple 2.5-GbE interfaces, an industry first for firewalls. The 2.5-GbE interfaces enable faster wired throughput speeds while also supporting the requirements for 802.11ac Wave 2 wireless access points including the SonicWall SonicWave series of 802.11ac Wave 2 indoor and outdoor access points.
  • 10-GbE ports – NSa series firewalls (except NSa 2650) also include multiple 10-GbE interfaces to support faster data rates for the delivery of bandwidth-intensive applications over longer distances.
  • Onboard storage – Each NSa series firewall includes a pre-populated storage module ranging from 16 GB on the NSa 2650 up to 64 GB on the NSa The storage enables support for various features including logging, reporting, last signature update, backup and restore and more.

Even if you answered “Yes” to some or all of the questions, it’s still a good idea to see if you’re getting the most from your firewall. Learn more about the SonicWall NSa series, and how you can get high-speed wired and wireless security across all your connections, encrypted and unencrypted.

Microsoft Security Bulletin Coverage for April 2018

/in /by

Description

SonicWall has analyzed and addressed Microsoft’s security advisories for the month of April 2018. A list of issues reported, along with SonicWall coverage information are as follows:

Microsoft Coverages:

  • CVE-2018-0870 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0887 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0890 Active Directory Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0892 Microsoft Edge Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0920 Microsoft Excel Remote Code Execution Vulnerability
    SPY:5124 Malformed-File xls.MP.60
  • CVE-2018-0950 Microsoft Office Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0956 HTTP.sys Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0957 Hyper-V Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0959 Hyper-V Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0960 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0963 Windows Kernel Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0964 Hyper-V Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0966 Device Guard Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0967 Windows SNMP Service Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0968 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0969 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0970 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0971 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0972 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0973 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0974 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0975 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0976 Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0979 Chakra Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0980 Chakra Scripting Engine Memory Corruption Vulnerability
    IPS:13282 Chakra Scripting Engine Memory Corruption Vulnerability (APR 18) 1
  • CVE-2018-0981 Scripting Engine Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0986 Microsoft Malware Protection Engine Remote Code Execution Vulnerability
    SPY:5123 Malformed-File rar.MP
  • CVE-2018-0987 Scripting Engine Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0988 Scripting Engine Memory Corruption Vulnerability
    IPS:13283 Scripting Engine Memory Corruption Vulnerability (APR 18) 1
  • CVE-2018-0989 Scripting Engine Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0990 Chakra Scripting Engine Memory Corruption Vulnerability
    SPY:5125 Malformed-File html.MP.74
  • CVE-2018-0991 Internet Explorer Memory Corruption Vulnerability
    SPY:5125 Malformed-File html.MP.74
  • CVE-2018-0993 Chakra Scripting Engine Memory Corruption Vulnerability
    IPS:13284 Chakra Scripting Engine Memory Corruption Vulnerability (APR 18) 2
  • CVE-2018-0994 Chakra Scripting Engine Memory Corruption Vulnerability
    SPY:3894 Malformed-File html.MP.73
  • CVE-2018-0995 Chakra Scripting Engine Memory Corruption Vulnerability
    IPS:13281 Internet Explorer Memory Corruption Vulnerability (APR 18) 1
  • CVE-2018-0996 Scripting Engine Memory Corruption Vulnerability
    IPS:7645 HTTP Client Shellcode Exploit 88
  • CVE-2018-0997 Internet Explorer Memory Corruption Vulnerability
    SPY:3894 Malformed-File html.MP.73
  • CVE-2018-0998 Microsoft Edge Information Disclosure Vulnerability
    SPY:4699 Malformed-File pdf.MP.304
  • CVE-2018-1000 Scripting Engine Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-1001 Scripting Engine Memory Corruption Vulnerability
    IPS:7645 HTTP Client Shellcode Exploit 88
  • CVE-2018-1003 Microsoft JET Database Engine Remote Code Execution Vulnerability
    SPY:1745 Malformed-File xls.MP.58
  • CVE-2018-1004 Windows VBScript Engine Remote Code Execution Vulnerability
    IPS:11663 Scripting Engine Memory Corruption Vulnerability (MS16-063) 1
  • CVE-2018-1005 Microsoft SharePoint Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-1008 OpenType Font Driver Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-1009 Microsoft DirectX Graphics Kernel Subsystem Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-1010 Microsoft Graphics Remote Code Execution Vulnerability
    SPY:1754 Malformed-File ttf.MP.20
  • CVE-2018-1011 Microsoft Excel Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-1012 Microsoft Graphics Remote Code Execution Vulnerability
    SPY:1755 Malformed-File ttf.MP.21
  • CVE-2018-1013 Microsoft Graphics Remote Code Execution Vulnerability
    SPY:5121 Malformed-File ttf.MP.24
  • CVE-2018-1014 Microsoft SharePoint Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-1015 Microsoft Graphics Remote Code Execution Vulnerability
    SPY:5122 Malformed-File ttf.MP.25
  • CVE-2018-1016 Microsoft Graphics Remote Code Execution Vulnerability
    SPY:4792 Malformed-File ttf.MP.23
  • CVE-2018-1018 Internet Explorer Memory Corruption Vulnerability
    IPS:13281 Internet Explorer Memory Corruption Vulnerability (APR 18) 1
  • CVE-2018-1019 Chakra Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-1020 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-1023 Microsoft Browser Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-1026 Microsoft Office Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-1027 Microsoft Excel Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-1028 Microsoft Office Graphics Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-1029 Microsoft Excel Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-1030 Microsoft Office Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-1032 Microsoft SharePoint Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-1034 Microsoft SharePoint Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-1037 Microsoft Visual Studio Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-8116 Microsoft Graphics Component Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-8117 Microsoft Wireless Keyboard 850 Security Feature Bypass Vulnerability
    There are no known exploits in the wild.

Adobe Coverages:

APSB18-08:

  • CVE-2018-4932
    Spy:1765 Malformed-File swf.MP.583
  • CVE-2018-4933
    Spy:1776 Malformed-File html.MP.75
  • CVE-2018-4934
    Spy:1787 Malformed-File swf.MP.584
  • CVE-2018-4935
    Spy:2145 Malformed-File swf.MP.585
  • CVE-2018-4936
    Spy:2146 Malformed-File swf.MP.586
  • CVE-2018-4937
    Spy:2147 Malformed-File swf.MP.587

Protect Web Applications Running Private, Public or Hybrid Cloud Environments

/0 Comments/in /by

With the number of attempted web attacks ranging up to millions over the course a year, you need to ensure web application security. You need a solution that protects both your public and internal web properties.

Why you need a web application firewall

Today’s businesses strive to provide the highest possible service experience and engagement through different types of interactive web applications and user-friendly mobile applications. Over half of the world population uses the internet. Ninety three percent of them now go online, and perhaps stay online longer, using their mobile devices as opposed to their computers.

With the addition of the Internet-of-Things (IoT), we have now added tens of billions of devices already connected, communicating and exchanging data through web and mobile applications today — from TVs, digital wearables, cars, gaming consoles and vending units, to all sorts of smart appliances. This makes web applications more critical now than ever before. You need keep them all online and safe.

What makes a good web application firewall?

An ideal   solution requires a comprehensive foundation for application security, data leak prevention, performance and management. With most web servers vulnerable to a wide spectrum of web-based exploits, you need a dynamic web application firewall to provide continuous real-time protection for web properties, whether they are hosted on-premises or in the public cloud. A best-practices WAF solution requires feature-rich web security tools and services to keep web properties safe, undisrupted and in peak performance every single day.

SonicWall Web Application Firewall

Our award-winning solutions give you a defense-in-depth strategy to protect your web applications running in private, public or hybrid cloud environments. It offers you a complete, out-of-box compliance solution for application-centric security that is easy to manage and deploy.

The SonicWall WAF series arms you with advanced web security tools and services to protect your data and web properties against modern, web-based threats. It applies deep packet inspection of Layer 7 web traffic against a regularly updated database of known signatures, denies access upon detecting web application threats and redirects users to an explanatory error page.

In addition, the SonicWall WAF baselines regular web application usage and behavior, and identifies anomalies that may be indicative of attempts to compromise the application, steal data and/or cause a denial of service (DoS).

SonicWall WAF employs a combination of signature-based and application profiling deep-packet inspection, and high-performance, real-time intrusion scanning engine, to dynamically defend against evolving threats, as outlined by the Open Web Application Security Project (OWASP), as well as more advanced web application threats like denial-of-service (DoS) attacks and context-aware exploits.  Moreover, it learns, interrogates and baselines regular web application usage behaviors and identifies anomalies that may indicate attempts to compromise the application, steal data and/or cause a denial of service.

The WAF series gives you economy-of-scale benefits of virtualization. You can deploy it as a virtual appliance in private clouds based on VMWare or Microsoft Hyper-V; or in AWS or Microsoft Azure public cloud environments. This gives you all the security advantages of a physical WAF with the operational and economic benefits of virtualization, including system scalability and agility, speed of system provisioning, simple management and cost reduction.

Acceleration features include load balancing, content caching, compression and connection multiplexing to improve performance of protected websites, and significantly reduce transactional costs. A robust dashboard gives you an easy-to-use, web-based management interface featuring status page overview of all monitoring and blocking activities, such as signature database status information and threats detected and prevented since boot-up.

The is available in four models that represent their inspection capacities and can be deployed on a broad range of public cloud, private cloud and virtualized deployment use cases.

To learn more about protecting web applications, explore our latest solution brief, “Best Practices for Web Application Firewall.”

New Virtual Firewalls: SonicWall NSv Provides Robust Security for Public, Private or Hybrid Cloud Environments

/0 Comments/in /by

To keep pace with innovations and modernize data center operations and services, businesses are embracing today’s application-centric, virtualized world. Virtualization and cloud can cut costs and increase efficiency and operational agility.

Four common pitfalls of modern virtual environments

However, advantages in savings and efficiency must be weighed against applying constrained budgets to prevent potential damages due to growing threats and common pitfalls. Vulnerabilities within virtual environments are well-documented. New ones are discovered regularly that yield serious security implications and challenges. Common IT challenges in securing virtualized environments include:

  1. Monitoring and securing traffic between virtual machines
  2. Managing policy change across virtual environments
  3. Tracking and controlling the sprawl of virtual machines
  4. Protecting virtualized assets in public cloud environments

What you need in a next-generation virtual firewall

To best capitalize on virtualization trends, you should operationalize the complete virtualization of computing, networking, storage and security in a systematic way. Implement a new approach for selecting an appropriate and effective next-generation virtual firewall solution. You should explore new virtual security solutions that go beyond legacy approaches and technologies. Plus, solution components must be tightly integrated to deliver application services safely, efficiently and in a scalable manner.

A next-generation virtual firewall must offer all the security advantages of your physical firewall, along with the operational and economic benefits of virtualization. These include system scalability and agility, speed of system provisioning, simple management and cost reduction.

Introducing the SonicWall NSv virtual firewall series

The new SonicWall NSv virtual firewall series offers you all the security advantages of a physical firewall with the operational and economic benefits of virtualization. With full-featured security tools and services including Reassembly-Free Deep Packet Inspection (RFDPI), security controls and networking services equivalent to what a SonicWall physical firewall provides, NSv effectively shields all critical components of your private and public cloud environments.

NSv is easily deployed and provisioned in a multi-tenant virtual environment, typically between virtual networks (VN). This allows it to capture communications and data exchanges between virtual machines (VM) for automated breach prevention, while establishing stringent access control measures for data confidentiality and VMs safety and integrity.

The NSv Series also includes infrastructure support for high availability and scaling to fulfill any Software-Defined Data Center (SDDC) scalability and availability requirements. NSv virtual firewalls help ensure:

  • System resiliency
  • Operational uptime
  • Service delivery and availability
  • Conformance to regulatory requirements

Security threats, such as cross-virtual-machine or side-channel attacks and common network-based intrusions and application and protocol vulnerabilities, are neutralized successfully through SonicWall’s comprehensive suite of security inspection services.

All VM traffic is subjected to multiple threat analysis engines, including intrusion prevention, gateway anti-virus and anti-spyware, cloud anti-virus, botnet filtering, application control and Capture Advanced Threat Protection multi-engine sandboxing.

The NSv Series is available in multiple virtual flavors carefully packaged for broad range of virtualized and cloud deployment use cases. Delivering multi-gigabit threat prevention and encrypted traffic inspection performance, the NSv Series can adapt to capacity-level increases and ensure VN safety and application workloads and data assets are available as well as secure.

Segmentation security

With NSv segment-based security capabilities, NSv can apply an integrated set of dynamic, enforceable barriers to advanced threats. By applying security policies to the inside of the VN, segmentation can be configured to organize network resources into different segments, and allow or restrict traffic between those segments. This way, access to critical internal resources can be strictly controlled.

NSv can then automatically enforce segmentation restrictions based upon dynamic criteria, such as user identity credentials, geo-IP location and the security stature of mobile endpoints.

For extended security, NSv is also capable of integrating multi-gigabit network switching into its security segment policy and enforcement. It directs segment policy to traffic at switching points throughout the network, and globally manages segment security enforcement from a single pane of glass.

Since segments are only as effective as the security that can be enforced between them, NSv applies intrusion prevention service (IPS) to scan incoming and outgoing traffic on the VLAN segment to enhance security for internal network traffic. For each segment, it enforces a full range of security services on multiple interfaces based on enforceable policy.

Governs centrally

NSv deployments are centrally managed using both on premise with SonicWall GMS, and with SonicWall Capture Security Center, an open, scalable cloud security management, monitoring, reporting and analytics software that is delivered as a cost-effective service offering.

The SonicWall Capture Security Center gives the ultimate in visibility, agility and capacity to govern the entire SonicWall virtual and physical firewall ecosystem with greater clarity, precision, and speed — all from a single-pane-of-glass.

For more information, visit our NSv web page, and watch the video below.

RSA Conference 2018: Songs for the Way

/0 Comments/in /by

RSA Conference 2018 is fast approaching and we are pulling out all the stops to prepare. Our SonicWall team is looking forward to joining the attendees, thought leaders and keynotes in San Francisco for five days of sharing new approaches to cyber security, discussing the latest technology, and interacting with top security leaders and pioneers. Ready to take advantage of all the opportunities available at RSA, including the hands-on sessions, keynotes, and informal gatherings to tap into a smart, forward-thinking global community? We have just the way to get started.

Cyber security is always priority No. 1. But, with our automated, real-time breach detection and prevention platform watching over us, we do sometimes find unconventional ways to have fun — like creating a Spotify playlist.

Here’s a collection of tunes to get you in the zone and ready to experience all RSA Conference 2018 has to offer.

Mood: We selected a playlist that’s eclectic, unexpected and quirky, with thematic influence from technology, security, new media and California vibes. Each track is curated to get your gears turning and ready for full immersion at #RSAC.

Standout favorites:

“Technologic” – Daft Punk

No RSA Conference playlist would be complete without an appearance by French duo Daft Punk. This track’s heavy dance beat with electronically transposed voice chants is an iconic dance anthem that brings upbeat high energy to our picks.

“Somebody’s Watching Me” – Rockwell

This classic 1980’s chart-topper is another favorite of the SonicWall team. The world of firewalls and network security is wrought with constant online threats, and nobody knows how to identify and stop these threats better than SonicWall. Somebody is always watching you. There is no privacy. And it’s not a dream.

“Pocket Calculator” – Kraftwerk

Kraftwerk’s entire Computer World album could have made this list, but we decided to keep only the best tracks for our list. The album deals with the themes of the rise of computers within society, but the song’s addictively cheerful beat and looping vocals has the SonicWall team particularly enchanted.

“Robots” – Flight of the Conchords

The charming quirk of Flight of the Conchords is often overlooked and underrated. This eccentric track from the Kiwi folk duo is not only one of the favorite references in our office, it also presents some comical commentary on the world of new technology. We especially love the binary code breakdown in the middle of the track.

Are you now in the proper frame of mind? Visit our RSA preview to get a glimpse of what you can expect from SonicWall at the event. We’ll see you at the Moscone Center.

This Android Monero miner demands admin privileges

/in /by

Description

Crypto miners have been rampant on Android devices for the last few months. Compared to ransomwares, crypto miners are believed to be more lucrative in terms of the quick revenue they generate. Sonicwall Capture Labs Threats Research Team observed yet another malicious crypto Monero miner threat for Android devices that mines Monero coins in the background without the victim’s knowledge.

Infection Cycle:

The app uses the following permissions:

  • Internet
  • Read phone state
  • Access network state
  • Receive boot completed
  • Wake lock
  • Write external storage

The app does not show an icon in the app drawer upon installation. Once the app starts it requests for device administrator privileges:

If the privileges are not granted, the malware repeatedly pops the screen requesting admin access until they are granted:

Upon getting the desired privileges the app starts mining Monero coins in the background. No indications of this activity are shown to the victim, meanwhile CPU usage almost reaches 100% utilization:

The miner components can be seen in the lib folder:

Smartphones typically heat up if CPU intensive tasks are continuously performed for a longer duration. One such CPU intensive task is mining, recently we observed a number of Android malware that use the processing power of the infected device for mining cryptocurrency. We have covered miner malware for Android in our blogs in the recent past:

This malware is difficult to get rid of if administrator rights are granted to it upon infection:

We found the below hardcoded mining addresses in the samples we analyzed:

  • 49Bq2bFsvJFAe11SgAZQZjZRn6rE2CXHz4tkoomgx4pZhkJVSUmUHT4ixRWdGX8z2cgJeftiyTEK1U1DW7mEZS8E4dF5hkn
  • 43QGgipcHvNLBX3nunZLwVQpF6VbobmGcQKzXzQ5xMfJgzfRBzfXcJHX1tUHcKPm9bcjubrzKqTm69JbQSL4B3f6E3mNCbU

More details for the above wallets can be seen on supportxmr.com, few snippets are as below:

    • 49Bq2bFsvJFAe11SgAZQZjZRn6rE2CXHz4tkoomgx4pZhkJVSUmUHT4ixRWdGX8z2cgJeftiyTEK1U1DW7mEZS8E4dF5hkn

 

  • 43QGgipcHvNLBX3nunZLwVQpF6VbobmGcQKzXzQ5xMfJgzfRBzfXcJHX1tUHcKPm9bcjubrzKqTm69JbQSL4B3f6E3mNCbU

Currently Monero (XMR) trades for $167.05 per XMR as of April 10, 2018.

Any kind of malware on a mobile device is dangerous but miners are more so than others for a simple reason – they can break the device. Smartphones in today’s age compact a lot of technology in a small package, this does not leave enough room for it to cool down under heavy load. Crypto miners are dangerous for the same reason, they put a huge processing load on the device. Crypto miners with device admin privileges can potentially lock-out the user while mining coins until the phone breaks. We urge our readers to be vigilant while installing apps on their devices.


Sonicwall Capture Labs provides protection against this threat with the following signature:

  • GAV: AndroidOS.Monerominer.MNR_2 (Trojan)

Following are MD5’s few samples from this threat:

  • 1efa8e98f208a44a6f310c790e112b7e
  • 5177d220030ddf813b5bb05928c86585
  • 73415fbf16952894e0620b40766d9e2f
  • ef161923c7a6f99d134467ca21e34410
  • 530bd6c95c3a79c04f49880a44c348db
  • a765d2829b80d812b321c663d8d8320e
  • 642bef4824d549ac56520657a1868913
  • a13126ed31b3a7982133ff57e6f9676d
  • e24a0d6b17a9dbf0456bbf4bb93adb25
  • a0f776e61cf4ddc55c28051583fbb28e
  • ef161923c7a6f99d134467ca21e34410
  • c18f39c4b09e542926d728195b88e418
  • 659909c20269c630372eac4878e679ca
  • fffb8d51838af6bb742e84b8b16239bb

 

SonicWall Capture Cloud Platform Ushers in New Era of Threat Intelligence, Connectivity and Automation

/0 Comments/in , , /by

SonicWall’s mission is to help organizations protect themselves from the growing number of cyber attacks in the fast-moving threat landscape.

There are many schools of thought on how this is best accomplished. And much of this depends on the wares of a particular vendor. But I’ve made it a priority that SonicWall helps defend networks and data in a manner that is automated, layered, intelligent, easy to use and cost-effective.

Today marks a monumental milestone in that focused effort.

This morning we proudly introduced the SonicWall Capture Cloud Platform, which tightly integrates security, management, analytics and real-time threat intelligence across our full portfolio of network, email, mobile and cloud security products. This launch includes:

  • New SonicWall Network Security Virtual (NSv) Firewalls
  • New SonicWall Web Application Firewall (WAF)
  • New SonicWall Capture Client Endpoint Protection
  • Updated SonicWall Network Security Appliance (NSa) Firewalls
  • Updated SonicOS 6.5.1

The significance of the unified and connected Capture Cloud Platform is highlighted by the escalating threat landscape. In the first quarter of 2018 alone, the average SonicWall customer faced 7,739 malware attacks, a year-over-year increase of 151 percent; 335 of these attacks were hidden using SSL/TLS encryption.

The SonicWall Capture Cloud Platform also identified more than 49,800 new attack variants in the first quarter, with the new SonicWall Real-Time Deep Memory InspectionTM (RTDMI) identifying 3,500 never-before-seen variants.Capture Cloud PlatformThe numbers are alarming. The threats continue to grow. And it’s the reason I promise that SonicWall teams around the world are dedicated to ensure our customers are protected from today’s most malicious cyber threats — both known and unknown.

Here’s a helpful rundown of the new products we are proud to announce today under the SonicWall Capture Cloud Platform:

New NSv Virtual Firewalls

SonicWall Network Security virtual (NSv) firewalls protect all critical components of private and public cloud environments. SonicWall NSv virtual firewalls deliver the security advantages of a physical firewall with the operational and economic benefits of virtualization, including system scalability and agility, speed of system provisioning, simple management and cost reduction.

> Go to NSv Virtual Firewalls

New Web Application Firewalls

The new SonicWall Web Application Firewall (WAF) delivers defense-in-depth capabilities to protect web applications running in private, public or hybrid cloud environments.

The SonicWall WAF behavior-based detection engine learns, interrogates and baselines regular web application usage behaviors and identifies anomalies that may be indicative of attempts to compromise the application, steal data and/or cause a denial-of-service.

> Go to SonicWall WAFs

New SonicWall Capture Client

The new SonicWall Capture Client extends an organization’s ability to defend endpoint devices that connect and interact with its networks, applications and data.

Capture Client is a unified client platform that delivers multiple endpoint protection capabilities, including next-generation malware protection and support for visibility into encrypted traffic. It leverages layered protection technologies, comprehensive reporting and enforcement for endpoint protection, and also offers critical ‘rollback’ capabilities via SentinelOne integration.

> Go to Capture Client

New SonicWall NSa Firewalls

The new SonicWall NSa 3650, 4650 and 5650 next-generation firewalls continue the evolution of SonicWall’s vision for a deeper level of network security without a performance penalty.

Built on a multi-core hardware architecture featuring 10-GbE and 2.5-GbE interfaces, the NSa series scales to meet the performance demands of mid-sized networks, branch offices and distributed enterprises.

> Go to NSa Firewalls

Each day this week we’ll do an in-depth review of the above and how each can be leveraged to better protection your organization, networks, data and customers.

RTDMI Expanded to Protect Organizations from Malicious PDFs, Office Files

Complementing the major Capture Cloud Platform announcement, we also announced new Real-Time Deep Memory InspectionTM capabilities that protect businesses and users from memory-based attacks and zero-day malware, including malicious PDFs and Microsoft Office documents.

Since January 1, 2018, RTDMITM has identified more than 3,500 never-before-seen attack variants. First announced in February 2018, RTDMI technology is used by the SonicWall Capture Cloud Platform to identify and mitigate even the most insidious cyber threats, including memory-based attacks.

RTDMI is already operational for SonicWall customers with active subscriptions to SonicWall Capture ATP sandbox service and SonicWall Email Security solutions.

> Read the Press Release

ee Real-Time Threat Intelligence

Did you know you can improve your security posture by knowing what attacks are most likely to target your organization? Visit the SonicWall Security Center to see the latest attack trends, types and volume across the world.

VISIT THE SECURITY CENTER

SonicWall Named 85th Common Vulnerabilities and Exposures (CVE) Numbering Authority (CNA)

/0 Comments/in /by

SonicWall has recently been named the 85th Common Vulnerabilities and Exposures (CVE) Numbering Authority (CNA) by the MITRE Corporation, an international not-for-profit security institute.

What does this mean for SonicWall and the cyber security world at large? SonicWall has a new way to contribute to cyber security education and defense. The purpose of the CVE program is to provide a method and consortium for identifying vulnerabilities in a standardized manner.

SonicWall now has the authority to identify unique vulnerabilities within its products by issuing CVE IDs, publicly disclose vulnerabilities that have been newly identified, assign an ID, release vulnerability information without pre-publishing, and notify customers of other product vulnerabilities within the CNA’s program.

“This program takes us one step closer to reaching the transparency security administrators need in order to make swift and educated decisions when it comes to threat protection,” said SonicWall Chief Operating Officer Atul Dhablania in an official announcement. “SonicWall looks forward to working with MITRE in a collaborative effort to expand the arsenal of information needed to properly equip those who are being targeted or looking to strengthen their security posture.”

On a larger scale, the program is effective because an entire network of certified organizations works together, with the backing of numerous researchers and support personnel, to identify and stay ahead of emerging threats.

CVE Numbering Authorities (CNAs) are organizations that operate under the auspices of the CVE program to assign new CVE IDs to emerging vulnerabilities that affect devices and products within their scope.

The program is voluntary but the benefits are substantial, among them the opportunity to disclose a vulnerability with an already assigned CVE ID, the ability to control disclosure of vulnerability info without pre-publishing, and the notification of vulnerabilities for products within a CNAs scope by researchers who request a CVE ID from the CNA.

Becoming a part of the CVE program is a chance to not only connect to a vast network of organizations working to identify cyber threats, but also to contribute to the effort as a whole.