Red Hat JBoss Application Server insecure deserialization vulnerability

The JBoss Enterprise Application Platform is a subscription-based/open-source Java EE-based application server runtime platform used for building, deploying, and hosting highly-transactional Java applications and services.

Written in Java, EAP supports a feature called serialization, which packs a Java object into a byte stream that another Java application (such as an applet) can deserialize. The writeObject()/writeExternal() and readObject()/readExternal() methods of the Serializable interface are used for serializing and deserializing.

An insecure deserialization vulnerability exists in Red Hat JBoss Application Server. When a URI starts with “/invoker/readonly”, the request is handled by the ReadOnlyAccessFilter class inside http-invoker.sar, specifically by its doFilter() method. However, the deserialization performs no validation of the incoming object. An attacker can therefore include malicious data that reaches an exploitable library on the code path, triggering a remote code execution vulnerability. A successful attack leads to arbitrary code execution in the security context of the root/system user.

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        Principal user = httpRequest.getUserPrincipal();
        if ((user == null) && (this.readOnlyContext != null)) {
            ServletInputStream sis = request.getInputStream();
            ObjectInputStream ois = new ObjectInputStream(sis);
            MarshalledInvocation mi = null;
            try {
                // Deserialization without filtering
                mi = (MarshalledInvocation) ois.readObject();
            } catch (ClassNotFoundException e) {
                throw new ServletException("Failed to read MarshalledInvocation", e);
            }
            request.setAttribute("MarshalledInvocation", mi);
            // ... (rest of the method not shown in the excerpt)
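As an added example (not code from the advisory or from JBoss), the following Python rule implements the defender's side of this bug: it recognizes the exact condition doFilter() deserializes unchecked, an unauthenticated POST to /invoker/readonly whose body is a Java serialized stream, and names the top-level class for triage. The sample stream bytes are constructed here, and the class-name parser handles only the plain object layout.

```python
import struct

# Java serialization stream constants (Java Object Serialization Stream
# Protocol): STREAM_MAGIC 0xACED followed by STREAM_VERSION 5.
STREAM_MAGIC = b"\xac\xed\x00\x05"
TC_CLASSDESC = 0x72
TC_OBJECT = 0x73
TC_ARRAY = 0x75

# Path prefix that ReadOnlyAccessFilter handles (from the advisory text).
INVOKER_PREFIX = "/invoker/readonly"


def top_level_class(stream: bytes):
    """Return the class name of the first object in a Java serialized
    stream, or None if the bytes are not a serialized object.

    Only TC_OBJECT/TC_ARRAY followed by an inline TC_CLASSDESC is handled;
    that is enough to name what the client asks the server to instantiate."""
    if not stream.startswith(STREAM_MAGIC) or len(stream) < 8:
        return None
    pos = len(STREAM_MAGIC)
    if stream[pos] not in (TC_OBJECT, TC_ARRAY) or stream[pos + 1] != TC_CLASSDESC:
        return None
    pos += 2
    (name_len,) = struct.unpack(">H", stream[pos:pos + 2])   # UTF length prefix
    pos += 2
    if pos + name_len > len(stream):
        return None
    return stream[pos:pos + name_len].decode("utf-8", errors="replace")


def assess_request(method: str, path: str, authenticated: bool, body: bytes) -> dict:
    """Classify one HTTP request the way a gateway rule for this bug would.

    The vulnerable branch runs only when getUserPrincipal() is null, so an
    unauthenticated serialized object sent to the invoker is blocked; an
    authenticated one is logged, since deserializing it is still risky."""
    cls = top_level_class(body)
    if method.upper() != "POST" or not path.startswith(INVOKER_PREFIX) or cls is None:
        return {"action": "allow", "reason": "not a serialized object sent to the invoker"}
    if authenticated:
        return {"action": "log", "reason": f"authenticated serialized object {cls}"}
    return {"action": "block", "reason": f"unauthenticated serialized object {cls} to {path}"}


def make_serialized_prefix(class_name: str) -> bytes:
    """Constructed test data: stream header plus the start of a class
    descriptor. It is not a complete serialized object; it only exercises
    the parser above."""
    name = class_name.encode("utf-8")
    return (STREAM_MAGIC + bytes([TC_OBJECT, TC_CLASSDESC])
            + struct.pack(">H", len(name)) + name)


if __name__ == "__main__":
    sample = make_serialized_prefix("java.util.HashMap")
    print(assess_request("POST", "/invoker/readonly", False, sample))
    print(assess_request("POST", "/invoker/readonly", False, b"<xml/>"))
```

The in-process fix is a deserialization filter (ObjectInputFilter, available since JDK 9 and backported to 8u121) that rejects any class not on an allowlist before readObject() instantiates it.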

SonicWall Capture Labs Threat Research team has developed the following signature to identify and stop the attacks:

  • IPS 13104: Red Hat JBoss Application Server Insecure Deserialization

Why GDPR Makes it Urgent to Scan Encrypted Traffic for Data Loss

“Inspect every packet, every time.”

This has been my advice to any network admin or business owner for many years.  This is equally important in regards to encrypted traffic.  Much of the Internet has become encrypted, meaning that it can only be perused and accessed over HTTPS.  While this rightly includes traffic such as online banking and financial sites, it also now includes webmail, social media, online streaming video, music and even search engines.

While encryption of the Internet enables online privacy, it has also opened a new threat vector for hackers and criminals to hide malicious content.  If you encrypt the whole Internet, you encrypt all the threats traversing it.

The painful truth is that the vast majority of networks (including government, international enterprise, educational, medical and consumer networks) have yet to implement a security solution capable of inspecting encrypted traffic. If you cannot inspect it, you cannot protect it. With over 80 percent of Internet traffic now encrypted, this has become an open pipeline for attacks. More than 67 percent of all malware attacks are still delivered via email. Guess what? That email is most often encrypted via HTTPS.

Inspecting encrypted traffic is paramount in preventing threats such as viruses, exploits, spyware and ransomware. Numerous articles, findings, testimonials and forensic analyses of recent breaches (such as at the IRS, OPM, JPMorgan Chase, Home Depot, Target and Equifax) focused on threat prevention. They reported that varying degrees of security had not been deployed or utilized, alerts were missed, traffic went uninspected, or updates and patches were not applied.  In some breaches, there were financial penalties for failing to protect end-user data, such as providing credit monitoring services for consumers, refunds for past services, or government-levied fines.

However, another critical reason to inspect encrypted traffic was rarely discussed. Yet, in six months, that reason will have incredible legal and financial implications that many are underestimating.  That reason is data loss.  And while organizations have sought to increase their threat prevention, only minor attention has been applied to data loss prevention (DLP).  Well, that is about to change drastically.

On May 25, 2018, the European Union General Data Protection Regulation (GDPR) goes into effect.  While this is an EU regulation, it will play a tremendous role in the ways data protection is controlled worldwide.  The following is an excerpt from the GDPR:

Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most serious infringements e.g. […] violating the core of Privacy by Design concepts[….] It is important to note that these rules apply to both controllers and processors — meaning ‘clouds’ will not be exempt from GDPR enforcement.

Pay close attention to that last line, especially if you are a cloud provider or consumer. Any organization that hosts or processes data for citizens of an EU member country will be held accountable to this regulation. Make no mistake, countries outside of the EU, including the USA, are in the process of enacting similar legislation.

While threat prevention should always be a cornerstone of any network security architecture, data loss prevention will now be one as well. For example, one may have a decent anti-malware client and other solutions for threat prevention, but what is in place to prevent a staff member unwittingly or willingly executing an application that uploads confidential end-user data such as credit card numbers, addresses, phone numbers, or other personally identifiable information? What is in place today to stop someone from accidentally or willingly “dragging and dropping” a PDF containing personally identifiable information (PII) to a public FTP server, or uploading it to their personal webmail? Remember: all of these connections are now encrypted.

Fortunately, you can easily apply data loss prevention rules on all SonicWall firewalls to inspect encrypted traffic and prevent data loss. By leveraging Deep Packet Inspection of SSL/TLS Encrypted Traffic (DPI-SSL) and applying keywords or phrases defined using Regular Expressions (RegEx), SonicWall firewalls are able to inspect all encrypted communications for PII in real time. Should an application, system, or employee attempt to upload PII, the SonicWall firewall can detect it, block the upload, and provide incident reporting of the event. That is how you inspect every packet, every time. That is how you prevent the breach.
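An added Python example (not SonicWall configuration) of the RegEx side of such a rule, applied to a payload after DPI-SSL has decrypted it: a naive sixteen-digit pattern beside a pattern that tolerates spacing and validates the Luhn check digit, run over constructed sample text in which 4111111111111111 is a standard test card number.

```python
import re

# Naive rule: any run of exactly 16 digits. It misses spaced or dashed
# card numbers and fires on order IDs, tracking numbers and the like.
NAIVE_PAN_RE = re.compile(r"\b\d{16}\b")

# Candidate PAN: 13-19 digits, each optionally followed by one space or
# dash, bounded by \b so a longer digit run (a hash, a long ID) is skipped.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample of decrypted upload content. 4111111111111111 is a
# standard test card number; the other two 16-digit runs are not cards.
SAMPLE = ("Order 1234567890123456 shipped; tracking 9988776655443322.\n"
          "Card on file: 4111 1111 1111 1111 exp 12/29 for Jane Doe.\n")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid card numbers found in text, digits only."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits for the incident report."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def evaluate(text: str) -> dict:
    """Compare both rules on one payload: how often the naive pattern
    fires versus the validated, masked findings that justify a block."""
    validated = find_pans(text)
    return {
        "naive_hits": len(NAIVE_PAN_RE.findall(text)),
        "validated": [mask_pan(p) for p in validated],
        "action": "block" if validated else "allow",
    }


if __name__ == "__main__":
    print(evaluate(SAMPLE))
```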

Download our “Best Practices for Stopping Encrypted Threats” to help you prevent that breach.

HPE Intelligent Management Center arbitrary file upload vulnerability

HPE Intelligent Management Center (IMC) is a popular management system designed to integrate the management of devices, services and users. It provides features and functions designed for comprehensive management of the network infrastructure. An arbitrary file upload vulnerability exists in HPE Intelligent Management Center. The server application that handles file uploads fails to filter the file extension when handling certain HTTP requests, causing an arbitrary file upload vulnerability. An attacker could send a crafted HTTP POST request to the server URL, upload malicious scripts and execute them with the privileges of the server process.

HPE IMC’s server side is based on Java servlets. These include one called FileUploadServlet, which supports the upload of XML files. It is mapped to the following URL:

https://:8443/imc/flexFileUpload

This servlet’s doPost() method handles the HTTP parameters and executes the file upload logic. The POST parameter “name” determines the filename on the server side. However, the code does not check the file extension carried in this parameter. An attacker could send a malicious request to the server application that renames the file to a server-side executable format, such as jsp or jspx, and obtain a webshell.

    String fileName = s + "/" + URLDecoder.decode(item.getFieldName(), "UTF-8");
    log.debug("flex UploadFileName:" + fileName);
    // Rename the uploaded file without any filtering
    File file = new File(fileName);
    if (log.isDebugEnabled()) {
        log.debug("FileItem :" + item.getName() + "size:" + item.getSize() + "isInMemory:" + item.isInMemory());
        log.debug("FileInfo:uploadFileName:" + file.getAbsolutePath());
    }
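The check the servlet is missing, as an added Python example (not HPE’s code): the client-supplied name is decoded once, refused if it carries any path component, restricted to a safe character set, and restricted to the .xml extension the servlet exists to accept. The upload directory is a hypothetical placeholder standing in for the servlet’s variable s.

```python
import re
from urllib.parse import unquote

# The servlet exists to accept XML uploads, so that is the whole allowlist.
ALLOWED_EXTENSIONS = {".xml"}
# First character alphanumeric (so ".." and dot-files are out), then
# letters, digits, dot, underscore or dash; no separators, no control bytes.
SAFE_NAME_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,99}")

# Hypothetical upload directory standing in for the servlet's variable s.
UPLOAD_DIR = "/opt/imc/upload"


def check_upload_name(raw_name: str, upload_dir: str = UPLOAD_DIR) -> dict:
    """Validate a client-supplied upload name and return either the
    server-side path to use or the reason the upload was refused.

    Decoding happens exactly once, as in the servlet, and the decoded
    value is what gets checked, so encoded separators or NUL bytes cannot
    slip past the checks."""
    name = unquote(raw_name)
    # Any directory component is a traversal attempt; both separators
    # matter because java.io.File accepts either on Windows.
    if "/" in name or "\\" in name:
        return {"ok": False, "reason": "path separator in filename"}
    if not SAFE_NAME_RE.fullmatch(name):
        return {"ok": False, "reason": "disallowed characters in filename"}
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if ext not in ALLOWED_EXTENSIONS:
        return {"ok": False, "reason": f"extension {ext or '(none)'} not permitted"}
    return {"ok": True, "path": f"{upload_dir}/{name}"}


if __name__ == "__main__":
    for candidate in ["report.xml", "upload.jsp", "..%2F..%2Fconfig.xml", "x.xml%00.jsp"]:
        print(candidate, "->", check_upload_name(candidate))
```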

SonicWall Capture Labs Threat Research team has developed the following signature to identify and stop the attacks:

  • IPS 13056: HPE Intelligent Management Center Arbitrary File Upload

Catch the Latest Malware with Capture Advanced Threat Protection

Now that Halloween is over and your coworkers are bringing in the extra candy they don’t want, let’s look back at the last quarter’s results from SonicWall Capture Advanced Threat Protection (ATP) network sandbox service. Grab the candy corn and let’s crunch some data. Note: terms in italics below are defined in the glossary at the bottom to help newbies.

63,432 new threats were discovered using the network sandbox over the course of three months on customer networks.

30.6% of threats were found through static filtering. Translation: less than a third of these threats were new to us, but not to someone among the 50+ scanners we compare against.

69.4% of threats were found through dynamic filtering. Translation: there is nearly a 70% chance SonicWall will find new malware and develop protections against it faster than anyone else.

0.16% of all files sent to the sandbox were malicious. Translation: SonicWall can find the needle in the haystack.

72% of files were processed in under 5 seconds. Translation: Capture ATP is fast!

60% increase in the number of Capture ATP customers that sent files for analysis over the past quarter. Translation: more people supplying potential threat data gives us a wider net to catch the latest threats, making it easier to protect you. Double translation: the community helps to protect the community.

20% of all new malware was found in documents (.docx and .pdf specifically) on many days throughout the quarter. Translation: attackers are putting more effort into getting you to open malicious documents. Double translation: educate your employees not to open suspicious attachments in email or found online.

I hope this helps you understand the importance of using a network sandbox, namely Capture ATP, the winner of CRN’s Network Security Product of the Year 2016 by customer demand. To learn more please review our Tech Brief: SonicWall Capture Threat Assessment or contact us with more information.

PS – I wrote a simple glossary of sandboxing terms for you to reference in case you are new to this. If you want more terms added to this, find me on Twitter and send me a note.

Glossary of terms:

Network Sandbox: An isolated environment where suspicious code can be run to completion to see what it wants to do. If your firewall doesn’t know the file, it will be sent to the sandbox for analysis.

Block until Verdict: A feature of the Capture ATP sandboxing service that holds a file until analysis produces a verdict. If it’s malware, the file is dropped and can’t enter the network. If it’s good, a verdict for the hash of the file is stored and, if anyone tries to upload the file to our service, that verdict will be supplied within milliseconds to the user.

Hash (AKA: cryptographic hash): A fixed-length value that identifies a file (e.g., malware) across the community of researchers. Instead of storing malware and comparing new files against samples, the file is converted to a hash and compared against a database of known good and bad hashes. For example, the phrase “SonicWall Capture ATP stops ransomware” translates into “13d55c187dbd760e8aef8d25754d8aacadc60d8b”.

Once a new file is encountered, hashed, and doesn’t match a known hash, it is sent to the sandbox for analysis.

Static Filtering: A way of screening a file before taking it to time-consuming dynamic analysis. SonicWall static filtering compares new files against a database of shared malware hashes from over 50 anti-virus scanners.

Dynamic Filtering: The method of processing a file to see what it wants to do. SonicWall’s dynamic processing features three engines in parallel to find the most evasive malware. We use virtualized sandboxing, hypervisor-level analysis, and full-system analysis to uncover the most difficult forms of malware, including Cerber.

Letgo Infostealer actively spreading in the wild

The SonicWall Capture Labs Threat Research Team observed reports of a new variant of the Letgo malware family [Letgo.A] actively spreading in the wild.

The malware gathers confidential information from the computer, such as login details, passwords and financial information, and sends it to its own C&C server.

Infection Cycle:

The malware adds the following files to the system:

  • Malware.exe
    • %systemroot%\Fonts\22.bat [ Batch File ]
    • %systemroot%\Fonts\6.vbs [ VB Script File ]
    • %systemroot%\Fonts\Exit.exe
      • Responsible for running commands on the target machine.
    • %systemroot%\Fonts\LetGo.exe [Service ServiceTshcwt]
      • Installs a service on the target machine.
    • %systemroot%\Fonts\Faker.exe [Service ServicetyfdYEw]
    • %systemroot%\Fonts\restart.reg [ Registry file ]
    • %systemroot%\Fonts\Soul.exe
      • Responsible for sending data to the C&C server.

The malware adds the following keys to the Windows registry to ensure persistence upon reboot:

Once the computer is compromised, the malware copies its own executable file to the Systemroot folder and runs the following commands:

A user’s data can be very valuable to an attacker, so more data translates to more profit. The main goal of this malware is to get as much user data as possible.

The malware performs user-land hooks for the following functions:

Command and Control (C&C) Traffic

Letgo.A performs C&C communication over port 443. The malware sends the victim’s system information to its own C&C server in the following format; here are some examples:

SonicWall Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Letgo.A (Trojan)

  • GAV (Cloud Id: 59515096): UWtrojan (Trojan)

Spam campaign roundup: Thanksgiving weekend edition

Everyone is gearing up for the Thanksgiving weekend. While consumers take advantage of retailers’ pre-Black Friday deals which have started earlier and earlier in recent years, cybercriminals are also trying to get an early leg-up on the holiday shopping.

The SonicWall Capture Labs Threat Research Team has observed that this year is no different. Cybercriminals are shopping for your personal data as more consumers turn to online shopping. The statistics we have gathered for this year indicate that the number of users who shop on Amazon online has more than doubled compared to last year.

The spam emails we have seen share a common theme: luring consumers to click on links and provide their personal information in exchange for early access to doorbuster deals or a chance to redeem rewards for cash and gift cards from popular retailers.

The following are some of the common email subjects:

  • Amazon Early Black Friday Giveaway
  • Check out Walgreens Early Black Friday Bonus.
  • BLACK FRIDAY PRE-SALE Now! Get FREE DELIVERY Up To 80% Off On All UGG Order
  • Your Sams Club black friday member points: Get yours
  • Get your black friday Sams Club member reward #58246103

These emails are pretending to come from popular retailers like Amazon, promising cash rewards. The link referenced on the email will often take you to a website different from the actual retailer’s website. The consumer will then be asked to enter their personal information and to participate in a number of “offers” often costing money in fees or subscriptions without the guarantee of ever receiving the products and services or the free cash reward at the end of the process.

Some emails are more blatant about asking for your bank account information in exchange for instant “holiday cash”, like the example below:

We have seen scammers attack other platforms as well to capitalize on the Black Friday/Thanksgiving shopping season. We reported recently in a blog about an Android app that uses the name Amazon but hides the remote access tool DroidJack under its hood. Since many shoppers download and use apps related to shopping and deals this season, malware writers are trying all avenues to spread their malicious creations and target unsuspecting shoppers.

We urge our users to always be vigilant and cautious with any unsolicited email and to avoid providing any personal information, particularly if you are not certain of the source.

SonicWall Capture Labs and Email Security services constantly monitor and provide protection against such malicious spam and phishing threats.

Strategic Re-routing with Equal-Cost Multi-Path (ECMP) – New in SonicOS 6.5 for Firewalls

As intranet networks grow and evolve over time, duplicate, or even multiple, paths to a destination are often created. As these paths evolve and get more complex, links can fail. Interior Gateway Protocols provide fast re-routing around these failed links using link-state algorithms, such as Open Shortest Path First (OSPF) and Intermediate System to Intermediate System (IS-IS). Enterprise networks deploy OSPF much more often. However, I have seen carrier networks that prefer IS-IS, especially when acquiring other networks’ addresses.

Link-state algorithms do an excellent job of fast re-routing inside their areas due to their detection of link failure, and due to each Layer 3 device having a topology of their intra-area network.  (Outside of that intra-area, the networks require more of a distance vector routing protocol. But that is for another blog).  Link-state algorithms also give us the ability to take into consideration speed of links or costing when determining the best path.  This comes in handy when doing prefix evaluation, but it also can give us the ability to have multiple equal-cost paths to a destination.

Equal-Cost Multi-Path (ECMP), which is supported in SonicOS 6.5 for SonicWall’s next-gen firewalls, is an egress routing method used when you have multiple interfaces pointing to a destination. Equal-cost routes are added to the connection cache for session setup. As sessions are created, SonicWall hashes the packet 5-tuple in the TCP header to decide which path the session will egress to the next hop. A 5-tuple is comprised of the source IP address, source port number, destination IP address, destination port number and the TCP protocol. Do not confuse this with per-packet load balancing. That was tried many years ago and caused out-of-sequence packets: large packets followed by smaller packets would egress faster and break applications, despite this being within the TCP specification. This is why you want sessions to stay on one interface, as opposed to multiplexing packets over the interfaces you have configured with ECMP.

So, what do you want to look out for when designing a network with ECMP?

First off, who are your downstream neighbors, and how are they configured? I mentioned that ECMP is an egress routing method. Typically, you would use ECMP when you are not connecting multiple interfaces to the same device. The connections are not 1:1 from Device A to Device B, but rather Device A to Device B/C/D, etc. For the 1:1 case you would use some type of link aggregation instead.

If your downstream device is a session-aware device, such as a firewall, it may see the source prefix and report that it has detected IP Spoofing. This is due to the arrival of a packet from a source that is not consistent with the routing table. For example, if the firewall expects 1.1.1.1 should come from X4, but instead sees it on X3, it would report IP Spoofing.

Two other scenarios could also trigger an IP Spoofing message in the firewall log that drops the session. One is if you have a router that performs Reverse Path Forwarding checks to create a loop-free multicast network. Another is if you are truly looking for malicious spoofed-source IP addresses.

Another possible scenario I’ve seen before is where, after the 5-tuple has been hashed, the balance of sessions puts them all on one interface. It’s the result of another ECMP hash that was performed on the same 5-tuple before those sessions arrived. Since the hash calculation has already been performed, and the device has been given one set of sessions derived from that hash value, when we hash again they all produce the same value and hence land on the same interface. A quick fix is to have the upstream device reduce the 5-tuple to four fields. This gives the downstream device a different value to hash from the TCP header.
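To make the rehashing problem above concrete, here is an added Python simulation (not SonicWall code): two devices in series each pick an egress path by hashing header fields, and the sessions the first device sent down one link all collapse onto one path at the second device when it hashes the same fields; dropping one field at one device, as the post suggests, spreads them again. SHA-256 stands in for the vendor hash and the flows are constructed.

```python
import hashlib
import random
from collections import Counter

# Header fields each device feeds into its path-selection hash.
FIVE_TUPLE = ("src_ip", "src_port", "dst_ip", "dst_port", "proto")
FOUR_TUPLE = ("src_ip", "dst_ip", "dst_port", "proto")   # source port left out


def ecmp_index(flow: dict, fields, n_paths: int) -> int:
    """Choose an egress path for a session by hashing the chosen fields.
    SHA-256 stands in for the vendor's hash; the effect shown only needs
    both devices to apply the same function to the same fields."""
    key = "|".join(str(flow[f]) for f in fields).encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % n_paths


def make_flows(count: int, seed: int = 7) -> list:
    """Constructed TCP/443 sessions from random internal clients to one server."""
    rng = random.Random(seed)
    return [{"src_ip": f"10.0.{rng.randrange(256)}.{rng.randrange(1, 255)}",
             "src_port": rng.randrange(1024, 65536),
             "dst_ip": "192.0.2.10", "dst_port": 443, "proto": 6}
            for _ in range(count)]


def downstream_spread(flows, upstream_paths, arriving_link, fields, downstream_paths):
    """Take the sessions the upstream device hashed onto `arriving_link`,
    let the next device hash them again using `fields`, and count how many
    land on each of its paths."""
    arriving = [f for f in flows
                if ecmp_index(f, FIVE_TUPLE, upstream_paths) == arriving_link]
    return Counter(ecmp_index(f, fields, downstream_paths) for f in arriving)


if __name__ == "__main__":
    flows = make_flows(400)
    # Same fields on both devices: every arriving session hashes to the same
    # value again, so a single downstream interface carries all of them.
    print("5-tuple again:", dict(downstream_spread(flows, 2, 0, FIVE_TUPLE, 2)))
    # One device hashing a different field set breaks the correlation.
    print("4-tuple      :", dict(downstream_spread(flows, 2, 0, FOUR_TUPLE, 2)))
```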

Ultimately, if you account for these potential issues, ECMP offers a great way to utilize multiple paths in a dynamic network and maximize investment in your infrastructure.

This is just one of the 60 new features in SonicOS 6.5 for all of SonicWall next-gen firewalls. Want to learn more? Check out a new video on SonicOS 6.5.

Take Steps to Minimize the Impact Black Friday and Cyber Monday Online Shopping Poses to Your Network

Now that Halloween has passed and Thanksgiving is on the near-term horizon, the holiday shopping season is kicking in. Almost as soon as the trick-or-treating ended, the Black Friday ads started pouring into my inbox. This season some of the major retailers are announcing their Black Friday deals early even though they won’t be available for purchase until Thanksgiving. Of course most of us can’t resist peeking to see what we can get for less. According to a survey by the National Retail Federation (NRF), over half of holiday shoppers start their research in October or earlier. More than one-third will make a purchase in November, most likely during the period between Black Friday and Cyber Monday.

Shopping for gifts is typically a fun experience whether we do it in stores or online. The latter continues to grow in popularity as we become more confident making our purchasing decisions on mobile devices. In a PwC survey, 84 percent of respondents said they would spend at least some of their shopping time online. That’s a pretty high number. We can expect this trend to continue, which has implications for every organization.

Online shopping in the workplace poses potential risks for organizations, especially around the holidays. Cyber criminals know that we’ll be spending time shopping online so they’re more aggressive when it comes to launching spam and phishing attacks. Have you been receiving more emails lately about special offers such as a big sale or a new credit card? If you did make a purchase and you’re having the item delivered you’ll get an email on the delivery status. You may also be receiving holiday e-cards. Are you certain the email or e-card is legitimate? How about the website that you’re directed to? Open any of these, click on a link to go to a website where you’re asked to provide login credentials or financial information and you could be exposing your organization and yourself to potential threats such as ransomware. It doesn’t matter if your employees are connected over a wired, wireless or mobile network.

Securing your organization’s network and the data that travels across it from threats is a big concern. It’s not the only one, however. We know that during the holiday season employees will be spending work time researching and purchasing gifts online, which means their productivity will take a hit. In addition, these activities can consume large amounts of network bandwidth that would otherwise be used for business-critical applications. So do other holiday-related activities such as streaming promotional videos and holiday music. With the growing use of personal devices in the workplace the line between our professional and home lives has blurred. Employees often feel that if they’re using their own device, engaging in online shopping and other activities at the office isn’t an issue. The problem is, the device is often connected to the corporate network which introduces risk.

Look, no one wants to ruin the holiday spirit, so completely eliminating online shopping, watching videos and listening to music at work probably isn’t realistic. However, there are steps you can take to minimize the impact these activities have on your organization. For example:

  • Warn employees to be wary of emails from sources they don’t recognize
  • If they do open an email, think twice about clicking on links
  • Establish a policy for strong passwords and consider 2-factor authentication
  • Utilize security technologies such as intrusion prevention and anti-malware to create multiple layers of protection
  • Make sure you have a next-generation firewall that can decrypt and inspect TLS/SSL-encrypted traffic

Why is this last point important? Increasingly cyber criminals are using encryption to hide their attacks and legacy firewalls aren’t able to decrypt HTTPS traffic and scan it for threats. In our 2017 Annual Threat Report we found that over 60% of web traffic is now encrypted. Firewalls that can’t inspect encrypted traffic leave organizations susceptible to ransomware attacks and other threats.

If you’re unsure whether your current firewall can detect threats hidden in encrypted traffic, SonicWall can help. Our next-generation firewalls provide protection from threats hidden in encrypted traffic. Visit our website to learn more about comprehensive threat prevention at multi-gigabit speeds.

Microsoft Security Bulletin Coverage for November 2017

SonicWall Capture Labs Threat Research team has analyzed and addressed Microsoft’s security advisories for the month of November 2017. A list of the issues reported, along with SonicWall coverage information, follows:

Microsoft Coverages

  • CVE-2017-11768 Windows Media Player Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11770 .NET CORE Denial Of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11788 Windows Search Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11791 Scripting Engine Information Disclosure Vulnerability
    IPS:13065 Scripting Engine Memory Corruption Vulnerability (Nov 17) 9

  • CVE-2017-11803 Microsoft Edge Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11827 Microsoft Browser Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11830 Device Guard Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11831 Windows Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11832 Windows EOT Font Engine Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11833 Microsoft Edge Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11834 Scripting Engine Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11835 Windows EOT Font Engine Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11836 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11837 Scripting Engine Memory Corruption Vulnerability
    IPS:13066 Scripting Engine Memory Corruption Vulnerability (Nov 17) 5

  • CVE-2017-11838 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11839 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11840 Scripting Engine Memory Corruption Vulnerability
    IPS:13067 Scripting Engine Memory Corruption Vulnerability (Nov 17) 6

  • CVE-2017-11841 Scripting Engine Memory Corruption Vulnerability
    IPS:13068 Scripting Engine Memory Corruption Vulnerability (Nov 17) 7

  • CVE-2017-11842 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11843 Scripting Engine Memory Corruption Vulnerability
    IPS:13069 Scripting Engine Memory Corruption Vulnerability (Nov 17) 8

  • CVE-2017-11844 Microsoft Edge Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11845 Microsoft Edge Memory Corruption Vulnerability
    SPY:1616 Malformed-File html.MP.66

  • CVE-2017-11846 Scripting Engine Memory Corruption Vulnerability
    IPS:12784 Scripting Engine Memory Corruption Vulnerability (MAY 17) 4

  • CVE-2017-11847 Windows Kernel Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11848 Internet Explorer Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11849 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11850 Microsoft Graphics Component Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11851 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11852 Windows GDI Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11853 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11854 Microsoft Word Memory Corruption Vulnerability
    SPY:1614 Malformed-File rtf.MP.21

  • CVE-2017-11855 Internet Explorer Memory Corruption Vulnerability
    IPS:13071 Internet Explorer Memory Corruption Vulnerability (NOV 17) 1

  • CVE-2017-11856 Internet Explorer Memory Corruption Vulnerability
    IPS:13072 Internet Explorer Memory Corruption Vulnerability (NOV 17) 2

  • CVE-2017-11858 Scripting Engine Memory Corruption Vulnerability
    IPS:13059 Scripting Engine Memory Corruption Vulnerability (Nov 17) 1

  • CVE-2017-11861 Scripting Engine Memory Corruption Vulnerability
    IPS:13060 Scripting Engine Memory Corruption Vulnerability (Nov 17) 2

  • CVE-2017-11862 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11863 Microsoft Edge Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11866 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11869 Scripting Engine Memory Corruption Vulnerability
    IPS:13062 Scripting Engine Memory Corruption Vulnerability (Nov 17) 3

  • CVE-2017-11870 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11871 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11872 Microsoft Edge Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11873 Scripting Engine Memory Corruption Vulnerability
    IPS:13063 Scripting Engine Memory Corruption Vulnerability (Nov 17) 4

  • CVE-2017-11874 Microsoft Edge Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11876 Microsoft Project Server Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11877 Microsoft Excel Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11878 Microsoft Excel Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11879 ASP.NET Core Elevation Of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11880 Windows Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11882 Microsoft Office Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11884 Microsoft Office Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8700 ASP.NET Core Information Disclosure Vulnerability
    There are no known exploits in the wild.

Phishing Threats – How to Identify and Avoid Targeted Email Attacks

Phishing threats have been around for years. By now anyone can easily detect a fake email, right?

Wrong. How confident are you that you wouldn’t divulge your password, credit card info or online identity? Here is a quick refresher on phishing threats and what you can do to protect yourself.

What is Phishing?

As you may already know, phishing threats involve malicious emails that attempt to get you to disclose your personally identifiable information (PII) in order to compromise your personal identity or corporate data.

Hackers create emails that look like official communications from familiar companies. These are sent to millions of unsuspecting addresses in hopes that someone will follow the links and share sensitive information that the hackers can exploit. These phishing emails employ a variety of techniques.

How to Spot Phishing Attacks

The best way to protect yourself from phishing threats is to recognize and avoid these common phishing tactics:

  • Generic greetings: The opening lines of phishing emails are often very vague and general in nature.
  • Typos or Poor Grammar: A poorly written email is less likely to have come from a legitimate company. In addition, do not be tricked if the email happens to include a legitimate-looking logo.
  • Urgency: Phishing emails often sound alarmist, trying to scare you into taking action (and sharing your information) immediately.
  • Fake Links: Phishing emails routinely obscure the URL addresses, and instead take you to an unsecured site where your sensitive data is solicited. To see exactly where a link will take you, simply hover over it. If in doubt, don’t click it. Instead, open a new browser session and manually enter the address (i.e., don’t copy and paste) you want to visit.
  • Attachments: Malware delivered via email attachments, once executed (i.e., the attachment is opened), allows a hacker to exploit vulnerabilities on your computer. Never open an attachment unless you are sure it is legitimate, safe and expected. Be cautious with any unexpected invoices from companies you’re not familiar with, as attachments might contain malware that installs upon opening.
  • Spoofed Sender: A forged sender address makes it easier for a hacker to impersonate someone you’d normally trust (e.g., coworker, bank, government agency).

Take the Phishing IQ Test

Interested in seeing how good you are at telling the difference between a legitimate website and a phishing attempt? Take the SonicWall Phishing IQ Test to find out.