NTP Daemon decodearr Function Buffer Overflow

/in /by

Description

Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks. In operation since before 1985, NTP is one of the oldest Internet protocols in current use. NTP’s has a native application implementation, ntpq, which can be accessed from command line.

A stack overflow vulnerability is reported in ntpq. Because the request parse function decodearr() failed to validate the size of request parameters, an attacker could overwrite the stack content with controllable content. A successful attack could lead to an arbitrary code execution on the target server with the privilege of the service application.

The format of the NTP message data has been specified in rfc1305:

Leap Indicator: 2 bits
Version Number: 3 bits
Mode: 3 bits Message Mode
Response Bit: 1 Bit (0x0/0x01 for requests/responses)
Error Bit: 1 Bit
More Bit: 1 Bit
Operation Code: 5 bits
Sequence: 16 bits
Status: 16 bits
Association ID: 16 bits
Offset: 16 bits
Count: 16 bits
Data: key-value format data

The data section is represented in the following format:

key = value1 value2 .... valueN (array of values)

When handling the request’s data section, the function decodearr() used a 80 bytes fixed length buffer, which is a local variable allocated in stack. If the request is longer than 79 bytes (as shown in the figure below), a typical stack overflow will occur.

SonicWall Capture Labs Threat Research team has developed the following signature to identify and stop the attacks:

  • IPS 13276: NTP Daemon decodearr Function Buffer Overflow

UDPoS malware spotted in the wild

/in /by

Description

The SonicWall Capture Labs Threat Research Team observed a new POS malware Called UDPOS [UDPOS.A].

UDPOS is a newly-discovered malware that preys upon credit card payment systems. UDPoS uses DNS tunneling to exfiltrate the data from the system.

Infection Cycle:

The Malware adds the following files to the system:

  • Malware.exe
    • C:\WINDOWS\system32\LogMeInUpdService\hdwid.dat [Machine ID]
    • C:\WINDOWS\system32\LogMeInUpdService\sinf.dat [Process Name Logs ]
    • C:\WINDOWS\system32\LogMeInUpdService\[Rndom Number].dat [ Track Data ]
    • C:\WINDOWS\system32\LogMeInUpdService\infobat.bat [ Net Commands ]
    • %Userprofile%\Local Settings\Temp\7ZSfx000.cmd [ Wipe Commands ]

Once the computer is compromised, the malware creates a new system service to maintain persistence and then launches a component to monitor for sensitive payment card data.

The malware adds the following keys to the Windows registry to ensure persistence upon reboot:

The malware uses a basic encryption and encoding method to obfuscate various strings such as the C&C server, filenames, and process names to evade detection.

The malware terminates itself if it detects the presence of antivirus software or if debugger is presents on the infected system.

The Malware retrieves a list of running processes; the malware is responsible for scraping the memory of current processes on the infected machine for credit card information periodically. The malware tries to Enumerate Credit Card Data from POS Software with following API functions:

The malware logs POS process name into sinf.dat file:

The malware generates random identifier for the target machine and saves into hdwid.dat file:

Once it locates payment card data, the Malware makes one HTTP request to determine the infected system’s external IP address.

Once the public IP is acquired, the malware tries to verify Credit Cards numbers and then sends track 1 and track 2 credit card data in encrypted format to one of the given C&C Servers based on DNS Traffic format such as following example:

Sonicwall Capture Labs provides protection against this threat via the following signature:

  • GAV: UDPOS.A (Trojan)

Top 7 Wireless Best Practices for Better Wi-Fi Coverage & User Experiences

/0 Comments/in /by

Many of us face slow Wi-Fi and connectivity issues on wireless networks. Just the other day, I was in a café having coffee and browsing the internet. Suddenly, my connectivity dropped. I tried to reconnect, but the signal strength was too low. In the end, I gave up.

I am sure you have faced the same issue. Usually, at this point, you might blame the wireless network and question the capability of the access point (AP). But did you know often this is not the case? Mostly, the AP is not to blame. Connectivity problems arise due to improper designing and planning of the wireless network. Below are some of the best practices that you can follow to provide the best user experience from your wireless network.

  • Perform a site survey before installing access points

Before deploying your AP, it is critical you understand your environment and the type of deployment you require. Would you prefer coverage over density, or vice versa? To ensure the café scenario doesn’t happen, plan your network based on density. This ensures you are prepared for data traffic during peak hours on your wireless network.

Performing a site survey before deploying your wireless network can help with determining how many access points are required, and what type of coverage you can expect with your APs. Advanced site survey tools, such as SonicWall’s Wi-Fi Planner, will be able to predict the coverage automatically. This tool also lets you choose the coverage zones, and identifies what type of obstacles and areas are present in your location.

Wifi Planner

SonicWall’s Wi-Fi Planner uses heat maps to help you accurately design a dense, secure and reliable wireless environment.

  • Before plugging in your AP, check if it requires 802.3af or 802.3at

It is essential to check the power compliance of your AP before connecting it to your network. The maximum power from an 802.3af source is 15.4W, whereas 802.3at is 50W. If you are plugging an 802.3af-complaint AP into an 802.3at power source, make sure that your power supply is backward compatible with 802.3af devices. If not, your AP could be fried.

  • Max AP power does not mean max performance

Blasting your AP at full power does not ensure maximum performance. While it would showcase more coverage, the user experience may be impacted.

Think about two people in a room. They are in close proximity to each other, trying to have a conversation, and both of them are screaming at the top of their voices at the same time. Neither of the two would be able to understand each other and carry out a meaningful conversation. Similarly, based on your environment, it is essential to tweak the transmit power of the AP.

  • AP mounting is critical for ubiquitous coverage

APs are built to work in certain use cases or environments. For instance, an indoor, integrated-antenna AP is designed to work as a ceiling-mount AP in spaces like indoor office environments. This is because the APs with integrated, omni-directional antennas have a 360 degree radiation pattern. Much like the sun radiating rays, the omni-directional access points radiate RF signals. Barriers like walls, concrete and metal partitions can cause RF blockage.

  • Use 20 MHz or 40 MHz channels for high-density deployments

For high-density deployments, it is essential to choose lower channel widths, such as 20 MHz and 40 MHz. With 80MHz channels, there are just five non-overlapping channels, while for 160 MHz, there are only two non-overlapping channels. This makes it hard to deploy the higher channel widths without causing co-channel interference. Higher channel widths are ideal for low-density, high-performance requirements.

  • Deploy indoor APs every 60 feet for high-density deployments

APs should be deployed based upon your coverage or density requirements. For high-density, high-bandwidth requirements, deploy your APs every 60 feet. Make sure your Received Signal Strength Indicator (RSSI) stays above -65 dBm. Up to -65 dBm is recommended for VOIP and streaming.

  • Disable lower data rates

Based on your coverage design, it is advisable to turn off lower data rates below 24 Mbps. This ensures that the AP and client do not communicate at, say, 6 Mbps, which could result in low performance and lead to a poor user experience.

To learn more about wireless networking best practices, read our solution brief, “Best Practices for Wired, Wireless and Mobile Security.”

Read Solution Brief

A New Cyber Security Certification: SonicWall Network Security Administrator Course

/0 Comments/in /by

SonicWall has spent the last 12 months deeply focused on training and enablement for our partners, customers and employees. Based on student feedback and market requirements, the company’s Education Services Organization is introducing the SonicWall Network Security Administrator (SNSA) course; a completely new training course and certification exam that will replace the Network Security Basic Administration (NSBA) class.

The SNSA training curriculum is designed to teach students specific SonicWall network security technology. The course will provide students with the skills to successfully implement and configure SonicWall firewall appliances and security services.

Improvements included with SNSA:

  • Two days of instructor-led classroom training, with 80 percent hands-on labs and 20 percent lecture
  • Six hours of online learning modules, which may be completed before or after the classroom portion
  • Based on the recently released SonicOS 6.5 firmware
  • Generic network security theory is removed and provided in supplemental training material

Consistent SonicWall training across the globe

To support the launch of the SNSA course, SonicWall Education Services is also launching a new Authorized Training Partner (ATP) strategy to enhance consistency in the delivery of training content and guidance. This new strategy encompasses:

  • Coverage provided by three global strategic training partners, augmented by key regional partners
  • Global fulfillment of materials and virtual labs via a single strategic training partner
  • Price adaptation to fit local-market currencies and demand
  • SonicWall global ATP managers to ensure content, delivery and lab experience are consistent worldwide
  • Proctoring service to ensure certification authenticity for both students and sponsoring partners

What happened to Network Security Basic Administration (NSBA)?

For the last 10 years, SonicWall offered a series of technical certification courses to its partners, customers and employees. The core certification training was focused on foundational understanding of network security, particularly basic administration found in the SonicWall Network Security Basic Administration (NSBA) course.

With a focus on training network security administrators, NSBA provided students with a broad overview of network security technology and the skills needed to configure and administer a basic SonicWall firewall appliance.

While this course satisfied initial learning objectives, student feedback indicated the content was not sufficient to meet the needs of deeper skillsets (e.g., installation, management and troubleshooting). Students left the course feeling they needed additional in-depth technical training and expertise.

In addition, due to a widespread number of ATPs around the world, student experience varied by geography and instructor. The changes to the course and the improvement of the ATP strategy ensure SonicWall will deliver best-in-class technical training to its partners and customers.

For individuals who completed the NSBA exam and hold a current CSSA certification, SonicWall will continue to acknowledge these important certifications through March 2020. Students wishing to re-certify an expiring CSSA certification will, however, be required to complete the new SNSA course and certification.

To enroll in the new SNSA program, students may access the newly launched external SonicWall University site.

SonicWall Security Certification Courses

SonicWall offers other training and certification courses to support the needs of our partners, customers and employees. These include:

Network Security Advanced Administration (NSAA) Course

Designed to further enhance an individual’s network security technical skills, the NSAA course is available to students who have achieved either the CSSA or the SNSA certification.

This two-day, instructor-led course provides students with the latest information on application control, bandwidth management, troubleshooting and advanced networking. Completion of this course prepares students to complete the Certified SonicWall Security Professional (CSSP) certification exam.

Secure Mobile Access Basic Administration (SMABA) Course

The SMABA course provides students with the technical skills necessary to administer and manage SonicWall Secure Mobile Access (SMA) appliances.

The SMABA course covers the use of Appliance Management Control to provide secure access — to any application from any network — based on secure authentication and authorization policies. Completion of this course prepares students for the Certified SonicWall Security Administration (CSSA-SMABA) certification exam.

Secure Mobile Access Advanced Administration (SMAAA) Course

Recommended for engineers or administrators of SonicWall SMA devices installed in larger networks, the SMAAA course provides students with in-depth technical training covering deployment options, authentication and authorization policies and troubleshooting.

Completion of this course prepares students for the Certified SonicWall Security Professional (CSSP-SMAAA) certification exam.

Encrypted Cyber Attacks: Real Data Unveils Hidden Danger within SSL, TLS Traffic

/0 Comments/in /by

Since the shocking announcement of serious Meltdown and Spectre vulnerabilities in early 2018, we have yet to hear of a mega-breach that would signal the start of another vicious hacking year.

Has it been luck? Are our network security defenses stronger? Or are current hacks hiding their efforts? Whatever the situation, the expectations from lessons learned in historical security events are that hacking tools will evolve and new threat vectors will emerge — year after year.

To help organizations gain confidence to make informed decisions and take calculated security actions against the latest cyber attacks, SonicWall shares its threat findings in the recently published 2018 Cyber Threat Report.

The report focuses on the ongoing battle of innovations and advancements between cybercriminals and security industries. The detailed threat information was gathered, recorded, researched and analyzed by the SonicWall Capture Labs research team so you can easily follow what’s happening in the threat landscape.

Today, we’ll underscore our observations on the good and bad of SSL/TLS-encrypted web traffic and respective encrypted threats.

The cyber battle inside encrypted traffic

For five straight years of monitoring and reporting on encrypted traffic trends, SonicWall continues to record strong growth in SSL/TLS-encrypted web connections, with a 24 percent increase over 2016. This increase accounted for 68 percent of overall web connections in 2017.

We believe the rise was attributed to the growing use of secured cloud applications and websites. Again, use of SSL/TLS encryption continues to be trending in the right direction. Companies securing websites and cloud services, to create safer web interactions, is a win for internet users and security teams.

SSL/TLS Use Increased

Despite the security advantages provided by SSL/TLS encryption, SonicWall collected real-world empirical evidence on cyber attacks executed inside of SSL/TLS-encrypted web sessions.

Using full-year data samples from a subset of SonicWall firewalls with active Deep Packet Inspection of SSL (DPI-SSL) service in 2017, we observed that an average of nearly 5 percent of all file-based malware propagation attempts used SSL/TLS encryption to avoid detection.

SonicWall Capture Labs also found, on average, 60 file-based malware propagation attempts per SonicWall firewall each day. Without the ability to inspect encrypted traffic, the typical organization would have missed over 900 file-based attacks per year hidden by SSL/TLS encryption. Remember, it takes only a single miss to create severe damage to an organization.

How to stop encrypted cyber attacks

Organizations can easily block attacks within SSL/TLS web connections. However, many have not activated existing security features — like DPI-SSL — to do so.

If you choose not to inspect encrypted traffic — or if your firewall is limited in its ability to do so — you are truly missing a critical value of your firewall.

It is possible for organizations to enjoy the security benefits of SSL/TLS encryption without providing a hidden tunnel for attackers. Here are some helpful guidelines:

  1. Understand what’s at risk. If you haven’t conducted a security audit recently, complete a comprehensive analysis to identify your risks and needs.
  2. Build a defense. Upgrade to a capable, extensible next-generation firewall (NGFW) with integrated IPS security services and DPI-SSL design that can scale performance to support future growth.
  3. Evaluate and improve. Update your security policies to defend against a broader array of threat vectors and establish multiple security defense methods to respond to both HTTP and HTTPS attacks.
  4. Create awareness. Train your staff continually to be aware of the dangers of social media, social engineering and suspicious websites and downloads, as well as various spam and phishing scams in personal and business email accounts. Start with this Phishing IQ test.
  5. Inspect digital certificates. Inform users never to accept a self-signed, non-valid certificate from unknown applications.
  6. Keep it current. Make sure all your software is up to date. This will help protect your organization from older SSL exploits that have already been neutralized.

The growth of SSL/TLS encryption can and will be a positive security trend for the global community, but it will remain a channel for malicious activity until companies recognize and address the risks.

By investing in updated solutions, and enabling SSL/TLS inspection capabilities, organizations can have the best of security and performance at the same time.

Download the 2018 SonicWall Cyber Threat Report

The cyber arms race is a challenge we face together. And it’s the core reason we’re committed to passing our findings, intelligence, analysis and research to the global public via the SonicWall 2018 Cyber Threat Report.

READ THE FULL REPORT

Linux Cryptominer Trojan Hiding Within an Image File

/in /by

Description

Because of the cryptocurrency market’s significant growth in the past couple of years, everyone wants a piece of that pie. Ransomare is still the most popular way for cybercriminals to generate that cryptocurrency income, but these days it seems that everything from personal computers to mobile devices and servers are all being targeted as possible hosts for secretly mining cryptocurrency. This week the SonicWall Capture Labs Threat Research Team has received reports of a malware purporting to be an image file but drops a cryptominer for Linux.

Infection cycle:

At first look, this file appears to be harmless. It displays this image when executed:

And also has a standard header for a PNG file:

Upon more thorough inspection, towards the end of that PNG format we find a standard file format for an executable file – ELF.

Extracting this executable file we find that it is a XMRig Monero cryptocurrency miner.

Its main function is to mine Monero from crypto-pool.fr using this address as shown below.

This type of attack is so prevalent that we have seen a steady increase in detection with this specific Gateway Antivirus signature in the past 40 days.

Sonicwall Capture Labs provide protection against this threat with the following signature:

  • GAV: CoinMiner.AEO (Trojan)

 

2018 CRN Channel Madness Tournament Is Here: Vote Steve Pataky!

/0 Comments/in /by

Updated: 3/22/2018

Steve Pataky

It’s that time of the year again when we start to eagerly peruse the bracket for the CRN Channel Madness Tournament of Chiefs. You can vote for 32 excellent candidates, each with unique qualities that make them worthy of Channel Madness greatness. The competitors have been picked from four different camps: Infrastructure, Cloud, Hardware, and Security.

Representing SonicWall in the Security division is Steve Pataky, SVP and Chief Revenue Officer. A relative veteran of Channel Madness — he was part of last year’s Tournament of Chiefs bracket as well — Steve is poised to be a favorite in this year’s competition. Keep this page open on an available browser tab to follow the round-by-round coverage.

Round 1: Pataky takes down Palo Alto Networks

A deep, genuine thank you to everyone who participated in the 2018 CRN Channel Madness Tournament. With your consistent and loyal support, we’re thrilled to announce that Pataky was victorious in Round 1, toppling Palo Alto Networks’ Ron Myers with 76 percent of the vote.

Round 2: Pataky to face McAfee channel veteran

The bracket only gets tougher from here. In Round 2, Pataky is matched against a long-time security veteran, McAfee’s Ken McCray. Round 2 voting will remain open until Tuesday, March 27, at 12 p.m. EDT. There is no limit on the number of votes you may submit, so please continue your gracious support.

 

Vote Now

Why Vote for Steve Pataky?

Steve brings vast experience in the channel field and great results from his stellar leadership. Under his watch partner growth numbers have quintupled and over 7,700 new technology and services providers have joined the SonicWall SecureFirst partner program. He oversaw the launch of the Partner Enabled Services Program which effectively equips partners to deliver specialized security services. In addition, Steve was instrumental in the design and launch of SonicWall University, a revolutionary educational platform that is designed to keep partners at the forefront of today’s cybersecurity threats and solutions.

About the CRN Channel Madness Tournament

CRN’s Channel Madness Tournament of Chiefs is a chance to pit some of the industries finest against each other in a bracket-style competition to see who will emerge victorious. The Tournament kicks off on March 15th but before that take the chance to submit your own prediction bracket for a chance to join the action early.

SonicWall Sweeps 8 Honors at 2018 Info Security Products Guide Global Excellence Awards

/0 Comments/in /by

SonicWall announced today that Info Security Products Guide, the industry’s leading information security research and advisory guide, named the company Grand Trophy winners in their 2018 Info Security Product Guide Global Excellence Awards. SonicWall received a total of eight awards for ISPG’s 2018 awards program, including Gold in the CEO of the Year and Security Marketing Team of the Year categories.  

These prestigious global awards recognize cyber security and information technology vendors with advanced, ground-breaking products, solutions and services that help set the bar higher for others in all areas of security. We are proud that more than 40 judges, from a global spectrum of industry voices, recognized SonicWall and awarded honors in every category in which it was considered.

Here’s the full list of SonicWall’s 2018 ISPG Global Excellence Awards:

  • Grand Trophy Winners: SonicWall
  • CEO of the Year (500-2,499 Employees): Gold Winner, Bill Conner
  • Security Marketing Team of the Year: Gold Winner, SonicWall, Bob VanKirk and Team
  • Customer Service Department of the Year: Bronze Winner, SonicWall, Keith Trottier
  • BYOD Security: Silver Winner, SonicWall Secure Mobile Access
  • Email Security and Management: Silver Winner, SonicWall Email Security
  • Firewalls: Silver Winner, SonicWall NSA 2650
  • Network Security and Management: Bronze Winner, SonicWall Cloud Global Management

About Info Security Product Guide’s Global Excellence Awards

Info Security Products Guide sponsors the Global Excellence Awards and plays a vital role in keeping end-users informed of the choices they can make when it comes to protecting their digital resources and assets.

View the complete list of Info Security Products Guide Global Excellence Awards winners, and follow us on Twitter or Facebook to be the first to know about all of SonicWall’s big announcements and exciting honors.

Cyber Threat Map: SonicWall Security Center Delivers Real-Time Cyber Attack Data

/1 Comment/in /by

Cyber security professionals exist in an increasingly complex world. As the cyber threat landscape evolves, a new cyber arms race has emerged that places organizations and their security solutions in the crosshairs of a growing global criminal industry.

Cyber criminals are increasingly turning to highly effective advanced cyber weapons, such as ransomware, infostealers, IoT exploits and TLS/SSL encrypted attacks, to target organizations of all sizes around the world.

To help organizations protect their networks and sensitive data from advanced cyber attacks, SonicWall developed a next-generation Automated Real-Time Breach Detection and Prevention Platform. Over a decade ago, SonicWall Capture Labs threat researchers pioneered the use of machine learning for threat research and cyber protection.

Complementing the platform, SonicWall is unlocking the power of the SonicWall Capture Labs Threat Network data for our customers, partners and the greater industry via the modern SonicWall Security Center.

What is the SonicWall Security Center?

The SonicWall Security Center provides a graphical view of the worldwide attacks over the last 24 hours, countries being attacked and geographic attack origins. This view illustrates the pace and speed of the cyber arms race. Even more important is the actionable data found on the Capture Labs Threat Metrics pages.

Sonicwall Security Center Worldwide Attacks

On these interactive pages, cyber threat meters show telemetry data that empower you to take action to better protect your organization. For example, the dashboard below shows that worldwide malware attack attempts are up 139 percent in February 2018 over February 2017.

Sonicwall Security Center Worldwide Attacks

In this example, SonicWall Security Center threat metrics state that the number of malware attacks increased from 0.42 billion to 1.0 billion, and that the attacks are largely coming from IP addresses in the United States, followed by China. The Security Center includes regional drilldowns for North America, Europe and Asia to give deeper insight for organizations around the globe.

This level of detail is available not only for malware attacks, but also for intrusion attempts, ransomware, encrypted traffic, https encrypted malware, new threats discovered by Capture Advanced Threat Protection and spam/phishing activity.

With this tool, we aim to provide actionable cyber threat intelligence to help you identify the types of attacks you need to be concerned about so you can design and test your security posture to make sure that your organization is properly protected.

Cyber security news, trends and analysis

The final section on the SonicWall Security Center is Security News. On this page, the Capture Labs team publishes research and analysis on the latest security threats, attacks, vulnerabilities and more — as it’s happening. When the next big cyber attack occurs, this will be the go-to source for information not only for the SonicWall community, but for the greater cyber security industry as well.

Sonicwall Security Center Worldwide Attacks

SonicWall threat intelligence and cyber attack data

SonicWall uses deep-learning algorithms to analyze data, classify attacks and block known malware before it can infect a network. Unknown files are sent to Capture Advanced Threat Protection service for automated analysis using a variety of techniques, including hypervisor analysis, emulation, virtualization and our patent-pending Real-Time Deep Memory Inspection.TM

The information we obtain on unknown threats is then combined with the billions of telemetry data points that Capture Labs gathers from the million-plus firewalls, email security appliances and endpoint clients used by our customers.

 

Red Hat JBoss Data Grid Insecure Deserialization Vulnerability

/in /by

Red Hat JBoss Data Grid is an in-memory datastore solution. The client application of this software has integrated the Infinispan Hot Rod client library.

A deserialization vulnerability exists in the Red Hat JBoss Data Grid. As the Hot Rod client library failed to add proper filtering before deserializing an arbitrary class, an arbitrary object could be serialized by this library. An attacker could inject a malicious serialized object via the cache, and execute arbitrary code with the privilege of the client application.

Object serialization is a feature supported by Java, which allows an object to be loaded via a binary stream, making them portable. This feature also causes security risks as hackers may load malicious object via a controllable object in deserialization. A common practice is enabling a whitelist before the application retrieve the object.

In the Hot Rod client library, however, in the version 7.1.0, the code lacks of necessary whitelisting of the object class. And in 7.1.1, the filtering could still be bypassed by using the River Marshalling Protocol:

In class org.infinispan.client.hotrod.marshall.MarshallerUtil:

In class org.infinispan.commons.marshall.jboss.AbstractJBossMarshaller:

The patch 7.1.2 for Red Hat JBoss Data Grid version is already available here. Also SonicWall Capture Labs Threat Research team has developed the following signature to identify and stop the attacks:

  • IPS 13248: Red Hat JBoss Data Grid Insecure Deserialization

Reference:

  1. Infinispan open sourced library : http://grepcode.com/file/repo1.maven.org/maven2/org.infinispan/infinispan-client-hotrod/
  1. Red Hat JBoss Data Grid 7.1.2 security update : https://dl.packetstormsecurity.net/1802-advisories/RHSA-2018-0294-01.txt