Meet the New SonicWall NSA 2650 Next-Gen Firewall – Where Faster Meets More Secure

Today I am excited to share the new addition to SonicWall’s NSA product family of Next-Generation Firewalls, the NSA 2650. Three key trends form the design drivers for the new NSA 2650:

  1. Wireless Devices Explosion – The demand for increased bandwidth from wireless networks is constantly on the rise with the growing number of wireless devices used per person. The wireless industry is going through waves of transformation (pun intended) to support the requirement for more bandwidth. With the latest 802.11ac Wave 2 wireless standards opening the door for multi-gig Wi-Fi performance, there is a strong need for switches and firewalls that connect to wireless access points to support these faster speeds without increasing the cost of the network infrastructure.
  2. Multi-gig Campus Requirements – Campus/branch networks require technology trend adoption without adding significant costs to the network infrastructure. For example, switches and firewalls supporting wireless access points must be able to do so with the existing Cat5e/Cat6 cabling infrastructure.
  3. Encrypted Traffic Surge – The trend towards Secure Sockets Layer/Transport Layer Security (SSL/TLS) encryption has been on the rise for several years. Articles on the use of SSL/TLS encryption typically indicate that a little over 50% of all web traffic is now encrypted and that percentage is expected to continue growing. At SonicWall, data gathered by our Capture Labs Threat Research team shows the percentage to be a little higher, around 62%. We found that as web traffic grew throughout 2016, so did SSL/TLS encryption, from 5.3 trillion web connections in 2015 to 7.3 trillion in 2016. As vendors such as Google, Facebook, Twitter and others continue to move to HTTPS, we expect the use of HTTPS to increase. So, organizations now require a secure platform to protect their network from the sophisticated encrypted threats that evade the traditional security mechanisms. 

The NSA 2650 firewall is aimed at campus and branch networks that must secure their environments against the growing number of threats looking for new ways to burrow into networks. The new NSA 2650 firewall is the first branch and campus firewall to deliver automated real-time breach detection and prevention, as well as TLS/SSL decryption and inspection, over multi-gigabit wired and 802.11ac Wave 2 wireless networks. The SonicWall NSA 2650 represents the continuing evolution of SonicWall’s vision for a deeper level of network security without a performance penalty. More than simply a replacement for its predecessor, the NSA 2600, the NSA 2650 addresses the growing trends in web encryption and mobility by delivering a solution that meets the need for high-speed threat prevention.

The NSA 2650 is a 1U device powered by four cores that provide the processing power necessary to support compute-intensive deep packet inspection services such as:

  • Intrusion Prevention
  • Anti-Virus
  • Anti-Spyware
  • TLS/SSL inspection and decryption
  • Application Visualization
  • Application Control, Botnet detection
  • Geo-IP identification
  • Anti-Spam
  • User Identification and Advanced Threat Protection

Real-Time Inspection of SSL and TLS Attacks:

Unlike competing firewalls that perform well only with unencrypted connections, the NSA 2650 is built to support the need for more TLS/SSL inspection connections. The NSA 2650 supports an unmatched number of encrypted web connections, up to 12,000, and performs deep packet inspection on each connection after first decrypting the traffic.

To protect against more advanced threats such as unknown and zero-day attacks that are concealed in encrypted web traffic, the NSA 2650 utilizes Capture, SonicWall’s cloud-based multi-engine sandboxing service that runs on the firewall. Suspicious files are sent to the award-winning SonicWall Capture service for analysis before rendering a verdict.

The NSA 2650 is a high-port-density firewall that features 4×2.5-GbE SFP, 4×2.5-GbE, and 12×1-GbE interfaces with a dedicated management port. In addition to the multi-gigabit ports, high-speed processors and robust onboard memory, the NSA 2650 includes additional hardware enhancements that make it the ideal NGFW for mid-sized organizations and distributed enterprises. An optional second power supply is available for added redundancy in case of failure. To help with scalability, the NSA 2650 includes two expansion slots. One is pre-populated with a 16 GB storage module to support features including logging, reporting, last signature update, backup and restore, and more. The second slot provides flexibility to add future feature and physical capability expansion. Expandable in the future with additional modules, this versatile, high-port-density firewall platform has the capacity to evolve through firmware updates to keep ahead of threats such as ransomware and intrusions.

With the NSA 2650, SonicWall yet again adds a ground-breaking security product to its portfolio. Combined with new 802.11ac Wave 2 SonicWave wireless access points, SonicWall creates a high-speed wireless network security solution that provides wireless users with an enhanced mobile experience.

Our latest firmware release, SonicOS 6.5, has more than 60 new features and provides support for the NSA 2650 hardware platform, where faster meets more secure without any compromise on performance for all traffic, including encrypted traffic.

Test drive the new NSA 2650 on SonicWall live demo: https://livedemo.sonicwall.com

Microsoft .NET Framework Remote Code Execution

Microsoft .NET Framework is prone to a critical remote code execution vulnerability. When the WSDL parser handles data from a certain crafted document file, the IsValidUrl function improperly performs its check and allows malicious URLs to pass validation, which eventually results in a code injection vulnerability. By exploiting this vulnerability, a remote attacker could execute arbitrary code as the administrator.

This vulnerability is triggered in wsdlparser.cs in the System.Runtime.Remoting package (http://referencesource.microsoft.com/#System.Runtime.Remoting/metadata/wsdlparser.cs). IsValidUrl is called to validate the user-provided URL. After detecting the first URL, this function automatically appends the string “//base.ConfigureProxy(this.GetType(),” to nullify the later part of the URL.


Figure 1: The vulnerable function

However, if the data contains a CRLF, the later part of the URL is not commented out. If the method System.Diagnostics.Process.Start is in the injected code, the code is compiled by the .NET Framework and eventually ends up in the resulting DLL and executable.


Figure 2: The exploit code
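The CRLF condition described above can be checked for before a WSDL document ever reaches a .NET client. The following scanner is an added example (not SonicWall's signature logic and not Microsoft's code): it pulls every location attribute out of a WSDL document, decodes numeric character references so an encoded line break is seen as well as a literal one, and flags values that could terminate a generated C# string literal or a // line comment. The sample WSDL and the allowed URL character set are constructed assumptions.

```python
"""Scan a WSDL document for location attributes that could break out of
generated source code (the CRLF trait described for the .NET WSDL parser).
Added example; not the parser's own validation nor any vendor signature."""
import html
import re

# Every location="..." / location='...' value in the raw WSDL text.  Scanning
# the raw text (rather than a parsed DOM) keeps literal newlines visible, and
# html.unescape() below decodes &#13;&#10; style references too.
LOCATION_RE = re.compile(r"""\blocation\s*=\s*(["'])(.*?)\1""", re.DOTALL)

# Anything that can end a C# string literal or a // line comment when the
# URL is pasted into generated source: CR, LF, double quote, backslash.
BREAKOUT_RE = re.compile(r'[\r\n"\\]')

# Characters a URL may legitimately contain (RFC 3986 set; an assumption of
# this example, tighten to your own allow-list if needed).
URL_CHARS_RE = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+$")


def is_safe_location(value):
    """Strict allow-list check: True only for a plain, single-line URL."""
    return (BREAKOUT_RE.search(value) is None
            and URL_CHARS_RE.match(value) is not None)


def find_suspicious_locations(wsdl_text):
    """Return [(raw_value, reason), ...] for every location attribute whose
    decoded value could escape a generated string literal or line comment."""
    findings = []
    for match in LOCATION_RE.finditer(wsdl_text):
        raw = match.group(2)
        decoded = html.unescape(raw)          # &#13;&#10; -> "\r\n"
        if BREAKOUT_RE.search(decoded):
            findings.append((raw, "line break or quote in location"))
        elif not is_safe_location(decoded):
            findings.append((raw, "non-URL characters in location"))
    return findings


# Constructed sample: one clean port and one whose location carries an
# encoded CRLF followed by a harmless marker line and a trailing comment.
SAMPLE_WSDL = (
    '<?xml version="1.0"?>\n'
    '<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"\n'
    '             xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/">\n'
    '  <service name="Svc">\n'
    '    <port name="GoodPort" binding="tns:SvcBinding">\n'
    '      <soap:address location="http://example.invalid/svc"/>\n'
    '    </port>\n'
    '    <port name="BadPort" binding="tns:SvcBinding">\n'
    '      <soap:address location="http://example.invalid/svc'
    '&#13;&#10;INJECTED_MARKER_LINE //"/>\n'
    '    </port>\n'
    '  </service>\n'
    '</definitions>\n'
)

if __name__ == "__main__":
    for raw_value, reason in find_suspicious_locations(SAMPLE_WSDL):
        print(f"SUSPICIOUS ({reason}): {raw_value!r}")
```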

An exploit for this vulnerability is already in the wild. The SonicWall IPS team has developed the following signatures to identify and stop the attacks:

  • IPS 12980: Microsoft .NET Framework Remote Code Execution (SEP 17) 1
  • IPS 12982: Microsoft .NET Framework Remote Code Execution (SEP 17) 2
  • IPS 12983: Microsoft .NET Framework Remote Code Execution (SEP 17) 3

SonicWall Delivers More Speed, Security Across Entire Portfolio

New SonicWall NSA 2650 Firewall, and SonicWave Access Points Take Security, Speed and Analytics to Elite Levels

Defending your business is job No. 1. But with so many vectors and end points, it’s an arduous challenge to identify and mitigate known and unknown threats across multiple locations, networks and endpoints — particularly as the need for wireless and mobile access scales to untold heights.

It’s this amalgamation of technology that makes SonicWall’s latest announcement so intriguing. It’s not another product. It’s not just a new service. It’s not only a refined dashboard and interface.

The innovation here is keenly focused on integrating each of these advanced “ingredients” into a powerful platform that helps businesses automate real-time breach detection and prevention while exceeding speed and performance expectations.

An ‘Absolutely Superb’ Firewall

If you missed the announcement, “SonicWall Turbocharges Innovation with Unprecedented Delivery of New Wireless, Mobile and Wired Network Security Products,” this platform approach is central to how SonicWall proactively defends its end customers.

In fact, we allowed customers to beta test the new products in real-world situations. The feedback was resounding, particularly for the new SonicWall NSA 2650 firewall and our range of new SonicWall SonicWave access points, which deliver elite speeds via the 802.11ac Wave 2 standard.

“The new NSA 2650 is an absolutely superb product,” said Dr. Michael Breen, Dean of Arts at Mary Immaculate College. “In my opinion, the speed and level of security is unparalleled in its class. It gives us the throughput to conduct deep packet inspection (DPI) of encrypted traffic without costing us any loss of performance.”

The NSA 2650 firewall enables threat prevention over 2.5 gigabit Ethernet wired and 802.11ac Wave 2 wireless networks, supports twice the number of DPI connections and offers 12,000 DPI SSL connections, an increase of 12X.

“Protecting sensitive information and preventing security breaches is paramount,” said Breen. “Our network contains highly private student information and we must conform to EU GDPR (European Union General Data Protection Regulation) protocols. We see over a thousand suspect probes at our gateway every week from eastern Europe. We need to lock down access to only authorized users. We’re also concerned with threats hidden in an increasingly high proportion of encrypted traffic.”

SonicOS Goes Modern

There’s nothing like a fresh UI. Our teams have worked tirelessly to re-envision everything about our popular operating system, SonicOS. Featuring more than 50 improvements and enhancements — not to mention a modern look and feel — SonicOS 6.5 is the biggest customer-driven release in company history.

“SonicWall products have always been very good, but the new SonicOS 6.5 is a giant step forward,” said Greg Thomas, owner of ComLogic, a SonicWall partner. “SonicWall is clearly visionary, not just in protection, but in analytics and usability as well. The new UI is fresh, relevant and easy to use.”

The most apparent change you’ll notice is the slimmed navigation, which now places emphasis on three of the most important functionalities: Monitor, Investigate and Manage.

“The biggest thing you’ll notice is that we’ve moved the navigation around,” said SonicWall senior UX and product design lead Tara Kelly. “We’ve done this to separate all the tasks that you need to do in three macro categories. This takes what used to be a giant menu on the left-hand side and breaks them down into smaller, bite-sized tasks.”

SonicOS offers all the standard features and capabilities you’d expect in easy, convenient locations. This includes everything from logs, reports and tools to upgrades, connectivity breakouts, systems setups and security configurations.

We will have more on SonicOS 6.5 in the future, including detailed overviews and walkthroughs.

Real-Time Analytics for Firewalls & Access Points

Each and every administrator, architect, analyst and cyber security pro wants to make better decisions faster. We want to be confident, smarter and decisive. Unfortunately, we don’t always have actionable data when we need it. In many cases, we have too much data that’s unorganized and unusable.

The new SonicWall Cloud Analytics application will help solve this everyday challenge. The intelligence-driven engine features real-time data presented in a structured, meaningful, actionable and easily consumable manner. You’ll be able to monitor, record, analyze and report security data for deep forensic analysis across multiple SonicWall firewalls and SonicWave wireless access points.

Our goal is to truly empower security teams, analysts, auditors, boards, C-suites and stakeholders to discover, interpret, prioritize and take appropriate defensive actions against both known and unknown cyberattacks or threats. Smarter decisions faster.

An extension of the recently introduced SonicWall Cloud Global Management System (GMS), SonicWall Cloud Analytics provides extensive drill-down investigative and forensic capabilities for deep security data analysis, including traffic, applications, threats, and user behavior and activities.

SonicWall SonicWave Is New Standard for Wireless Speed

As the number of applications and data-heavy services grow, so do speed demands. Based on the high-performance Wave 2 802.11ac standard, the new SonicWave access points couple speed, reliability, range, consistency and security into a single, cost-effective appliance.

Wave 2 represents the evolution from the Wave 1 802.11ac standard, which is fairly common in both enterprise and consumer environments. It operates on the 5 GHz band and can deliver speeds up to 1.3 Gbps.

In contrast, Wave 2 supports multiple users, multiple inputs and multiple outputs (MU-MIMO) and is able to deliver speeds that exceed 3 Gbps. For this reason, the new SonicWave access points feature 4×4 MU-MIMO technology for best-in-class Wi-Fi performance, range and reliability.

“The new SonicWave access points blew me away,” says Spencomp Solutions security specialist Dominic Valois. “The new SonicWave line presents us with a great offering for our customers. With Wave 2 support and 2.5 GbE ports, we can provide larger business sites and campuses with better streaming and bandwidth for hundreds of wireless devices.”

The sentiment from Valois was echoed by Greg Thomas, the owner of ComLogic, a SonicWall partner based in Denver, Colo.

“The 2.5 GbE ports on both the NSA 2650 and SonicWave access points can handle the increasing congestion,” said Thomas. “You can easily position the SonicWave access points for best cellular reception, either for failover or percentage of use.”

Protecting the Mobile Workforce

When employees are on the road, they require secure access to the same systems and applications they trust when on Wi-Fi or wired networks in the office. Not only must access be available anywhere, anytime and on any device, speed and security cannot be compromised.

This truth was the impetus behind the new SonicWall Secure Mobile Access (SMA) 12.1, which helps enable access to business-critical internal and external apps for employees and partners.

For remote users, vendors and third-party contractors, SMA 12.1 provides policy-enforced secure access to email, file servers and corporate applications using federated single sign-on (SSO) to both cloud and on-premise resources from authenticated devices.

In addition to SSL encryption of sensitive user sessions, SMA provides an additional layer of security by scanning all remote file uploads with the SonicWall Capture Advanced Threat Protection (ATP) service. This helps ensure remote users have the same level of protection from zero-day threats when they are on the road as they have in the office.

Go Faster, Go Safer

If you’d like to learn more about the new security products and services that deliver unprecedented speed and security, please explore the dedicated product pages and resources:

Ready to make the jump to one of the new products or services? SonicWall is ready to help. If you don’t have a SonicWall partner, or are unsure, please contact SonicWall directly. We always welcome new members to the SonicWall family.

Ransomware asking for nudes instead of bitcoins

The SonicWall Capture Labs Threat Research team receives reports of ransomware daily, and new strains seem to pop up every day. This week we analyzed a piece of malware called NRansom. Unlike most of the ransomware we have seen in the past, NRansom asks its victim to send nude pictures instead of demanding payment in cryptocurrency.

Infection Cycle:

Upon execution, it drops the following files in the temp directory:

  • %temp%/***.tmp/nransom.exe [Detected as GAV: NRansom.RSM (Trojan) ]
  • %temp%/***.tmp/Interop.WMPLib.dll (non-malicious file: Windows Media Player control library)
  • %temp%/***.tmp/AxInterop.WMPLib.dl (non-malicious file: Windows Media Player control library)
  • %temp%/***.tmp/Tools/your-mom-gay.mp3 (non malicious audio file)

It then spawns cmd.exe to execute the nransom.exe file:

What is unique about this ransomware is that it demands that the victim send at least 10 nude pictures in exchange for an unlock code.

We found that it plays the audio file it created in the temp directory in a loop. The track is “Frolic” by the artist Luciano Michelini.

During our analysis, this malware did not actually encrypt any files on the machine, so it appears to be a hoax.

Nevertheless, because of the prevalence of these types of malware attacks, we still strongly urge our users to back up their files regularly.

SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: NRansom.RSM (Trojan)

"OptionBleed" memory disclosure vulnerability in Apache

A memory disclosure vulnerability, “Optionsbleed”, was reported in the Apache HTTP Server. This vulnerability is caused by a use-after-free bug in the httpd application. A remote attacker can send a crafted HTTP OPTIONS request and reveal small chunks of server memory, causing sensitive information leakage.

The cause of this vulnerability lies in the .htaccess configuration file. When a Limit directive is set for a user for an HTTP method that is not globally registered in the server, a memory corruption vulnerability is triggered. According to Hanno Böck, the discoverer of this vulnerability, below is one example of the memory leak:

  Allow: ,GET,,,POST,OPTIONS,HEAD,,
  Allow: POST,OPTIONS,,HEAD,:09:44 GMT
  Allow: GET,HEAD,OPTIONS,,HEAD,,HEAD,,HEAD,, HEAD,,HEAD,,HEAD,,HEAD,POST,,HEAD,, HEAD,!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"
  Allow: GET,HEAD,OPTIONS,=write HTTP/1.0,HEAD,,HEAD,POST,,HEAD,TRACE

The leaked data looks quite similar to that of the critical “Heartbleed” vulnerability in the OpenSSL library from April 2014, although the data chunk is much smaller than Heartbleed’s 64 KB. Also, because there is no way to distinguish normal traffic from attack traffic, this attack is hard to detect.

A mass scan of the Alexa top 1 million websites showed that 466 servers had misconfigured .htaccess files and sent back odd responses with an Allow header containing what appeared to be corrupted data.

Apache has officially released patches for this vulnerability:

  • https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch
  • https://blog.fuzzing-project.org/uploads/apache-2.2-optionsbleed-backport.patch

With the patch applied, the Apache server now rejects new methods that appear in the .htaccess file.

We recommend that Apache users upgrade their server with the latest patch as soon as possible, and also check the <Limit> sections in their .htaccess files to prevent the vulnerability. SonicWall has also developed the following signature to identify and stop the attacks:

  • App Control 12986: “HTTP Protocol — OPTIONS”

Instructions on configuring the SonicWall App Control feature: https://www.sonicwall.com/en-us/support/knowledge-base/170505381440321
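Two defender-side checks for the conditions described above (the <Limit> misconfiguration that triggers the bug, and the corrupted Allow headers a leaking server sends back), added here as an example rather than taken from Apache's patch or SonicWall's signature; the set of methods treated as registered by httpd is this example's assumption, as are the sample .htaccess and the constructed health check.

```python
"""Audit .htaccess <Limit> blocks for unregistered HTTP methods and sanity-check
Allow header values for the corruption pattern shown above.  Added example."""
import re

# Methods Apache httpd registers on its own (core and standard modules).
# This set is the example's assumption; a <Limit> naming anything else is the
# misconfiguration the text describes.
APACHE_REGISTERED_METHODS = {
    "GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE",
    "PATCH", "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK",
    "UNLOCK", "VERSION-CONTROL", "CHECKOUT", "UNCHECKOUT", "CHECKIN",
    "UPDATE", "LABEL", "REPORT", "MKWORKSPACE", "MKACTIVITY",
    "BASELINE-CONTROL", "MERGE",
}

# Opening tag of a <Limit ...> or <LimitExcept ...> block and its method list.
LIMIT_OPEN_RE = re.compile(r"<\s*(Limit|LimitExcept)\s+([^>]*)>", re.IGNORECASE)
# RFC 7230 "tchar": the only characters a method token in Allow may contain.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def audit_htaccess(text):
    """Return [(directive, method), ...] for every method named in a <Limit>
    or <LimitExcept> block that httpd does not register itself."""
    findings = []
    for match in LIMIT_OPEN_RE.finditer(text):
        directive = match.group(1)
        for method in match.group(2).split():
            if method.strip('"').upper() not in APACHE_REGISTERED_METHODS:
                findings.append((directive, method))
    return findings


def check_allow_header(value):
    """Return a list of problems with one Allow header value.  An empty list
    means a clean comma-separated list of method tokens; empty entries or
    entries with non-token bytes are the symptom shown in the leak above."""
    problems = []
    for pos, item in enumerate(value.split(",")):
        token = item.strip()
        if token == "":
            problems.append(f"empty entry at position {pos}")
        elif not TOKEN_RE.match(token):
            problems.append(f"non-token entry {token!r} at position {pos}")
    return problems


# Constructed sample .htaccess: the second block names a method httpd does
# not know about, which is exactly what the audit should report.
SAMPLE_HTACCESS = """\
<Limit GET POST>
    Require valid-user
</Limit>
<Limit FOOBAR>
    Require all denied
</Limit>
"""

# Allow values: a healthy one, and the first corrupted line quoted above.
HEALTHY_ALLOW = "GET,HEAD,OPTIONS"
CORRUPT_ALLOW = ",GET,,,POST,OPTIONS,HEAD,,"

if __name__ == "__main__":
    for directive, method in audit_htaccess(SAMPLE_HTACCESS):
        print(f"<{directive}> names unregistered method {method!r}")
    for label, value in (("healthy", HEALTHY_ALLOW), ("corrupt", CORRUPT_ALLOW)):
        print(label, check_allow_header(value) or "ok")
```

Run the audit over every .htaccess under the document root, and the header check against the Allow value of an OPTIONS response from your own server repeated a few times, since the leak shows up as a varying, malformed list.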

References:

  1. Optionsbleed – HTTP OPTIONS method can leak Apache’s server memory, https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html

SonicWall Announces Channel Partner Award Winners at APJ Partner Summit 2017

Last week, SonicWall hosted over fifty enthusiastic partners across 14 countries at our Asia Pacific and Japan Partner Summit. Phuket with its lush and leafy surroundings and dramatic beach sunsets proved a popular location for our APJ Partner conference. Our purpose was to clearly articulate the vision for SonicWall as we build our solutions and capabilities to fight in an era of unprecedented cyber security challenges. And we cannot do this alone, it’s the combined effort of our products and our partners’ services that allow for our customers to be protected.

When we say we are a 100 percent channel company, it’s not a claim we take lightly. We are reliant on our partners and their commitment to work with us and be the trusted advisors for their customers. Keeping up with cyber threats is difficult, but especially so for small and mid-enterprise businesses, where there is a limit on the level of investment and the ability to source dedicated IT security and networking resources. Partners are key to imparting their knowledge, expertise and experience to help these organizations adopt the most effective security practices and solutions, so that the distractions and disruptions to business caused by very prevalent threats such as ransomware and other cyber-attack vectors can be prevented in real time.

We enlisted some of our key SonicWall executives to brief our partners on what we have been working on to deliver on our vision; including the focus and investment in enabling, educating and incentivizing our partners through the SecureFirst Partner Program. Our SVP of Global Sales and Chief Revenue Officer, Steve Pataky detailed some of the results we’ve seen to date since the launch of SecureFirst, including the number of newly signed partners, the uptake and utilization of SonicWall University’s role-based courses, and increase in adoption of Capture Advanced Threat Protection (ATP) Services to provide a stronger level of protection to customers.

Dmitriy Ayrapetov, Executive Director of Global Product Management, detailed our product and solutions roadmap for the next two quarters – giving the partners a sneak preview of what is going to be launched into the market over the coming quarters to strengthen our existing portfolio. Gary Staff, Director of Global Services, brought fresh insight into partner service opportunities that will be available to our partners to deliver even more value to their customers. And Keith Trottier, Vice President of Global Client Services and Support, described the steps SonicWall has taken to improve our customer and technical support, and how we are working to further refine and extend our capabilities.

To me, one of the best parts of the APJ Partner Summit was the Partner Advisory Break-Out sessions run to garner feedback on several key topics to ensure we are listening to the partners and what they are experiencing on the front line. This keeps us in sync with their needs, brings fresh ideas to the table and makes us accountable to ensure that working with SonicWall is helping them solve their customer problems and be impactful to their own success.

Our APJ Partner Summit concluded with an awards evening to recognize those partners who exemplify commitment to the SonicWall SecureFirst program and achieved substantial sales growth over the last year leveraging our full solutions portfolio. The awards highlighted partner excellence for Distribution, Channel Partners, and Emerging Partners.

I’d like to extend congratulations to the following winners:

Country/Region Awards Winners:

APJ Award Winners:

Events such as these are always a great reminder of the mutual success we share with our security partners, and that together we are working to protect our mutual customers from known and unknown adversaries.

The feedback we received from our partners reaffirmed that there is a clear need to allow IT to move away from being an obstacle to the business to becoming an enabler, with technologies that protect from threats, but still provide easy access for all workers, especially those who are mobile or remote.

A huge thank you to all our partners who participated – we have listened, and we will strive to continue building stronger partnerships.

Network Sandboxing Takes On Malware, More than 26,000 New Strands Identified in August

Malware never sleeps. Threat actors and criminal organizations are relentless in testing, optimizing and deploying exploit kits that target businesses and organizations across the globe. August 2017 was no different.

In fact, the month presented SonicWall’s network sandbox, Capture Advanced Threat Protection (ATP), with a few milestones.

First, the Capture ATP service celebrated its first anniversary protecting customer systems across the globe. Second, according to some sources, it surpassed install base figures of some of our competitors. Finally, the service also broke its own record for the number of new forms of malware it discovered and stopped on our customer networks.

How many? 26,438 to be exact!

This means that nearly 26,500 forms of malware — ranging from ransomware, to other Trojans, to Malvertising — were never seen by SonicWall before this month. Out of this, a little more than 7,100 were identified by one of the numerous anti-virus sources we work with. But over 19,300 were never seen by anyone and this includes a strong list of over 50 vendors including some very large names.

On top of this, last year we cataloged 60 million new forms of malware in order to prevent a patient-zero situation among the customer base. But despite our round-the-clock vigilance, there will always be a customer out there who will find something before we do.

To better eliminate this type of rare event, we created the industry’s first multi-engine network sandbox that can block until verdict, which means a customer can elect to have all unknown files blocked at the gateway until SonicWall can vet the code.

By combining the power of hypervisor-level analysis, full-system emulation and virtualized sandboxing, we have been very successful at finding some of the most evasive forms of ransomware in history, such as Cerber.

By combining the research from SonicWall’s Capture Labs, which place their signatures in SonicWall’s Gateway Security (and other places like Email Security for example) and Capture ATP, customers can stop known and unknown forms of malware. It is the latter group that causes the most fits for security professionals and gives end users with good technology something to brag about.

Since February we’ve seen a large increase in the new malware Capture ATP catches. This momentum stems from an ever-expanding customer base, but also a large rise in the percentage of malicious files that are out there. Here are some key facts:

  • Since February 2017, we’ve seen an increase of 524 percent in the new forms of malware discovered
  • In August 2017, the percentage of malicious files found was 0.22 percent, which is up from 0.14 percent
  • We made improvements in our performance and saw that 71.5 percent of all files were processed with a verdict in under 5 seconds

Is network sandboxing right for you? Based on our data, the average Capture ATP customer is on pace to detect and stop 30 new forms of malware within a year.

To learn more about the power of network sandboxing, I encourage you to read this executive brief: Why Network Sandboxing is Required to Stop Ransomware.

Android Mazarbot spreads via phishing pages for Raiffeisen Bank

The SonicWall Capture Labs Threat Research team observed yet another Android malware campaign that targets a bank, this time Raiffeisen Bank. This campaign uses the Android banking trojan MazarBot – which first made its appearance in 2016 – to infect the victim’s device. This malware is capable of executing a number of hard-coded commands that are focused on stealing the victim’s personal information.

Infection Cycle – Stage I

The victim receives a spam email asking them to enter their Raiffeisen banking login credentials. If the user is not careful enough and trusts the fake webpage to be authentic, the credentials are stolen and sent to the attacker. The next page asks the victim to install an Android security app related to Raiffeisen, which is essentially MazarBot in disguise. The app was hosted at the following URL, which has now been taken down:

hxxp://banking.raiffeisen.at.updateid0891203.pw/download.php

Infection Cycle – Stage II

The malware app requests the following permissions during installation:

  • change network state
  • uses policy force lock
  • bluetooth
  • internet
  • access fine location
  • send sms
  • write sms
  • access network state
  • write external storage
  • get package size
  • read external storage
  • receive boot completed
  • vibrate
  • call phone
  • write settings
  • read phone state
  • read sms
  • battery stats
  • access wifi state
  • wake lock
  • change wifi state
  • receive sms
  • read contacts
  • use sip

Upon execution, the malware requests Device Administrator privileges:

We analyzed a couple of malicious samples belonging to this campaign; the code in each of them follows a different format. However, every sample shares a common trait: the code is confusing to follow because of jumbled class and variable names:

There are a number of hardcoded commands in these samples. In one such sample the malware disguises these commands in the code by appending **83Y**:

De-obfuscating this part of the code reveals a number of hardcoded commands, indicating that this malware follows a bot structure. Some of the interesting findings are as follows:

  • aT = a(“Bot is not able to run that command”);

Grab device-related information:

  • bc = a(“get_packages”);
  • bd = a(“get_device_model”);
  • be = a(“get_os_ver”);
  • bf = a(“get_number”);
  • bg = a(“get_operator”);
  • bh = a(“get_imei”);
  • bi = a(“get_country”);
  • bj = a(“get_contacts”);
  • bk = a(“get_language”);
  • dj = a(“imei”);
  • dl = a(“getSimOperatorName”);
  • dm = a(“getNetworkOperatorName”);

Capture credit card-related information:

  • bn = a(“mastercard”);
  • bo = a(“visa”);
  • bp = a(“amex”);
  • bq = a(“Incorrect credit card number”);
  • cf = a(“send_card_number”);
  • cg = a(“number”);
  • ch = a(“month”);
  • ci = a(“year”);
  • cj = a(“cvc”);

Monitor specific apps:

  • ck = a(“com.paypal.android.p2pmobile”); – PayPal
  • cl = a(“com.android.vending”); – Google Play

Commands related to capturing SMS messages:

  • cV = a(“base_sms_intercept”);
  • cW = a(“createFromPdu”);
  • cX = a(“processIncomingMessages”);
  • dk = a(“getMessageBody”);

Tamper with contact details:

  • cS = a(“UploadContactsRequest”);
  • cT = a(“inject_id”);
  • cU = a(“body”);

Check whether the malware is being run in a virtual environment or under a debugger:

  • es = a(“isDeb”);
  • et = a(“generic”);
  • eu = a(“unknown”);
  • ev = a(“google_sdk”);
  • ew = a(“Emulator”);
  • ex = a(“Android SDK built for x86”);
  • ey = a(“Genymotion”);
  • ez = a(“sdk”);
  • eA = a(“sdk_x86”);
  • eB = a(“vbox86p”);
  • eC = a(“golfdish”);
  • eD = a(“ranchu”);
  • eE = a(“android|emergency calls only|fakecarrier”);
  • eF = a(“Debug”);
  • eG = a(“ugger”);
  • bB = a(“screen_lock”);

Overall, this campaign uses phishing pages for Raiffeisen Bank to spread its infection. It focuses on stealing sensitive user-related information stored on the infected device. It is likely that this campaign also spreads via phishing webpages impersonating other banks and establishments.

SonicWall Capture Labs Threat Research team provides protection against this threat via the following signatures:

  • GAV: AndroidOS.Banker.RF (Trojan)
  • GAV: AndroidOS.Banker.TN (Trojan)

Microsoft Security Bulletin Coverage for September 2017

SonicWall has analyzed and addressed Microsoft’s security advisories for the month of September 2017. A list of the issues reported, along with SonicWall coverage information, is as follows:

Microsoft Coverage

  • CVE-2017-0161 NetBIOS Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11761 Microsoft Exchange Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11764 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11766 Microsoft Edge Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8567 Microsoft Office Remote Code Execution
    There are no known exploits in the wild.
  • CVE-2017-8597 Microsoft Edge Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8628 Microsoft Bluetooth Driver Spoofing Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8629 Microsoft SharePoint XSS Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8630 Microsoft Office Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8631 Microsoft Office Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8632 Microsoft Office Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8643 Microsoft Edge Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8648 Microsoft Edge Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8649 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8660 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8675 Win32k Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8676 Windows GDI+ Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8677 Win32k Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8678 Win32k Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8679 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8680 Win32k Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8681 Win32k Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8682 Win32k Graphics Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8683 Win32k Graphics Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8684 Windows GDI+ Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8685 Windows GDI+ Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8686 Windows DHCP Server Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8687 Win32k Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8688 Windows GDI+ Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8692 Uniscribe Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8695 Graphics Component Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8696 Microsoft Graphics Component Remote Code Execution
    There are no known exploits in the wild.
  • CVE-2017-8699 Windows Shell Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8702 Windows Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8704 Hyper-V Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8706 Hyper-V Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8707 Hyper-V Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8708 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8709 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8710 Windows Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8711 Hyper-V Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8712 Hyper-V Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8713 Hyper-V Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8714 Remote Desktop Virtual Host Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8716 Windows Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8719 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8720 Win32k Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8723 Microsoft Edge Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8724 Microsoft Edge Spoofing Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8725 Microsoft Office Publisher Remote Code Execution
    There are no known exploits in the wild.
  • CVE-2017-8728 Microsoft PDF Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8729 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8731 Microsoft Edge Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8733 Internet Explorer Spoofing Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8734 Microsoft Edge Memory Corruption Vulnerability
    ips:12977 Microsoft Edge Memory Corruption Vulnerability (SEP 17) 1

  • CVE-2017-8735 Microsoft Edge Spoofing Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8736 Microsoft Browser Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8737 Microsoft PDF Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8738 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8739 Scripting Engine Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8740 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8741 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8742 PowerPoint Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8743 PowerPoint Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8744 Microsoft Office Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8745 Microsoft SharePoint Cross Site Scripting Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8746 Device Guard Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8747 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8748 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8749 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8750 Microsoft Browser Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8751 Microsoft Edge Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8752 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8753 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8754 Microsoft Edge Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8755 Microsoft Edge Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8756 Microsoft Edge Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8757 Microsoft Edge Remote Code Execution Vulnerability
    ips:12978 Microsoft Edge Remote Code Execution Vulnerability (SEP 17) 1

  • CVE-2017-8758 Microsoft Exchange Cross-Site Scripting Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8759 .NET Framework Remote Code Execution Vulnerability
    ips:12980 .NET Framework Remote Code Execution Vulnerability (Sep 17)

  • CVE-2017-9417 Broadcom BCM43xx Remote Code Execution Vulnerability
    There are no known exploits in the wild.

Adobe Coverage

  • CVE-2017-11281 Adobe Flash Player Memory Corruption Vulnerability 
    spy:1572 Malformed-File mp4.MP.2

  • CVE-2017-11281 Adobe Flash Player Memory Corruption Vulnerability 
    spy:1573 Malformed-File mp4.MP.3

  • CVE-2017-11282 Adobe Flash Player Memory Corruption Vulnerability 
    spy:1574 Malformed-File swf.MP.573

7 Email Security Best Practices for Office 365 in the Cloud

Cloud applications are not quickly approaching — they’re here. As organizations strive to manage costs and resources, solutions that are affordable, scalable and functionally robust are most appealing. Cloud applications promise to deliver this and more. For these reasons, adoption is accelerating.

Microsoft is at the forefront of the cloud application wave. Their Office 365 service enables workplace collaboration with not only a core email application, but also many popular Microsoft Office apps. However, Office 365’s potential for open exchange of information also makes it a prime target for hackers.

Migrating To Cloud Services While Ensuring Security

Well-informed organizations are keenly aware that modern emerging threats exploit email as the primary mechanism for delivering their payload, and thus are evaluating more leading-edge security solutions. Targeted, coordinated attacks, data leaks and email-borne threats (including ransomware, phishing and spam attacks) all threaten cloud-based email services, such as Office 365.

Although Office 365 does include some security measures, prudent organizations recognize the need to reinforce these elementary security controls. According to Gartner, “By 2018, 40% of Office 365 deployments will rely on third-party tools to fill gaps in security and compliance, which is a major increase from less than 10% in 2015.”

Furthermore, leading industry analysts, including Gartner and IDC, recommend reinforcing Office 365 by integrating third-party email security solutions that, at a minimum, provide the following essential components:

  1. Advanced threat protection: Most anti-virus solutions are signature-based, and therefore ineffective against advanced threats such as ransomware. A sandbox environment is required to detect and prevent ransomware and zero-day attacks before they even reach your network.
  2. Known threat protection: For effective security against attacks leveraging known malware, we recommend using multiple virus detection engines to scan email messages and attachments for viruses, Trojans, worms and other types of malicious content.
  3. Phishing protection: Phishing campaigns have emerged as the method of choice for delivering ransomware. Proper mitigation requires an email security solution that incorporates advanced analysis of an email’s subject, body and attachment by leveraging a sandbox environment.
  4. Fraud protection: Hackers utilize advanced tactics such as spear phishing, whaling and CEO fraud to solicit personally identifiable information (PII), or to carry out fraud by impersonating emails from within the organization. Granular configuration of email authentication settings, including SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting and Conformance), can help prevent illegitimate messages from entering your organization.
  5. Spam protection: To ensure spam does not clog inboxes and network resources, your organization needs an email security solution that leverages multiple methods of detecting spam and other unwanted email, including using specific allowed and blocked lists of people, domains and mailing lists; and the ability to enable third-party blocked lists.
  6. Advanced Reputation Management (ARM): A collaboration of multiple, cross-verified SonicWall Capture Threat Network sources, including SonicWall Advanced Content Management (ACM), provides dynamic, up-to-date analysis of email component reputations.
  7. Data loss prevention: An organization’s most sensitive communications require the utmost protection. The best measure is to encrypt sensitive emails and attachments using a service that works in tandem with email security.
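Item 4 above depends on the SPF and DMARC records a domain actually publishes, and a permissive record gives no protection. As an added example (not from the original article), the following Python script checks constructed records for a hypothetical Office 365 tenant domain (example.com) for the weak settings that let spoofed mail through, with the corrected record beside each weak one; spf.protection.outlook.com is the include Office 365 publishes for its outbound senders, and a real check would fetch the records via DNS rather than use the constructed strings.

```python
# Constructed records for a hypothetical Office 365 tenant domain (example.com);
# spf.protection.outlook.com is the include Office 365 publishes for its senders.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ?all"
FIXED_SPF = "v=spf1 include:spf.protection.outlook.com -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
FIXED_DMARC = ("v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; "
               "adkim=s; aspf=s")


def parse_dmarc(record):
    """Split 'v=DMARC1; p=none; ...' into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record):
    """Return the weaknesses in a DMARC record that let spoofed mail be delivered."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    if tags.get("p", "none") == "none":
        findings.append("p=none: failing mail is only reported, never blocked")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy applies to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua=: aggregate reports that reveal spoofing are not collected")
    return findings


def spf_findings(record):
    """Return the weaknesses in an SPF record (the final 'all' qualifier sets the default)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    last = terms[-1].lower()
    if last in ("all", "+all", "?all"):
        return [f"{last}: any host passes SPF for this domain"]
    if last == "~all":
        return ["~all: softfail only; rely on DMARC p=reject to enforce"]
    return []


if __name__ == "__main__":
    for name, record, check in [("weak SPF", WEAK_SPF, spf_findings),
                                ("fixed SPF", FIXED_SPF, spf_findings),
                                ("weak DMARC", WEAK_DMARC, dmarc_findings),
                                ("fixed DMARC", FIXED_DMARC, dmarc_findings)]:
        print(name, "->", check(record) or ["ok"])
```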

How SonicWall Hosted Email Security For Office 365 Can Assist

SonicWall Hosted Email Security (HES) is a multi-layer defense service that integrates with SonicWall Capture Advanced Threat Protection (ATP), delivering fine-grained, user-transparent inspection of SMTP-based traffic to block zero-day threats.

SonicWall HES also includes advanced compliance scanning, management and optional email encryption, to prevent confidential data leaks, regulatory violations and to ensure the secure exchange of sensitive data.

With SonicWall HES, no additional client software is necessary. In addition, the service includes DMARC, a powerful email authentication method that helps identify spoofed mail, reducing advanced phishing attacks.

SonicWall HES enhances Office 365 using a multi-layer defense approach for industry-leading protection against advanced threats delivered via email. It also delivers superior anti-phishing, anti-spoofing, anti-spam, multi-engine AV and data loss prevention (DLP) for comprehensive protection.

Embrace The Cloud

Don’t let threat actors, criminals and nefarious organizations ruin the benefits your organization receives from workplace collaboration. Once integrated into Microsoft Office 365, SonicWall HES provides unparalleled breach prevention capabilities that defend against advanced threats originating from emails.

To learn more about how SonicWall HES protects your organization and enhances Microsoft Office 365, read the Tech Brief.