Microsoft Security Bulletin Coverage for July 2017

SonicWall has analyzed and addressed Microsoft’s security advisories for the month of July 2017. The issues reported, along with SonicWall coverage information, are listed below:

Microsoft Coverage

  • CVE-2017-0170 Windows Performance Monitor Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0243 Microsoft Office Remote Code Execution Vulnerability
    spy:1522 Malformed-File doc.MP.45

  • CVE-2017-8463 Windows Explorer Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8467 Win32k Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8486 Win32k Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8495 Kerberos SNAME Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8501 Microsoft Office Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8502 Microsoft Office Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8556 Microsoft Graphics Component Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8557 Windows System Information Console Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8559 Microsoft Exchange Cross-Site Scripting Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8560 Microsoft Exchange Cross-Site Scripting Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8561 Windows Kernel Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8562 Windows ALPC Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8563 Windows Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8564 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8565 Windows PowerShell Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8566 Windows IME Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8569 SharePoint Server XSS Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8570 Office Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8571 Office Outlook Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8572 Office Outlook Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8573 Microsoft Graphics Component Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8574 Microsoft Graphics Component Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8577 Win32k Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8578 Win32k Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8580 Win32k Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8581 Win32k Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8582 Asp.Net Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8584 Hololens Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8585 .NET Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8587 Windows Explorer Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8588 WordPad Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8589 Windows Search Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8590 Windows CLFS Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8592 Microsoft Browser Security Feature Bypass
    ips:12885 Microsoft Browser Security Feature Bypass (JUL 17)

  • CVE-2017-8594 Internet Explorer Memory Corruption Vulnerability
    ips:12886 Internet Explorer Memory Corruption Vulnerability (JUL 17)

  • CVE-2017-8595 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8596 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8598 Scripting Engine Memory Corruption Vulnerability
    ips:12887 Scripting Engine Memory Corruption Vulnerability (JUL 17) 1

  • CVE-2017-8599 Microsoft Edge Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8601 Scripting Engine Memory Corruption Vulnerability
    ips:12888 Scripting Engine Memory Corruption Vulnerability (JUL 17) 2

  • CVE-2017-8602 Microsoft Browser Spoofing Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8603 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8604 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8605 Scripting Engine Memory Corruption Vulnerability
    ips:12889 Scripting Engine Memory Corruption Vulnerability (JUL 17) 3

  • CVE-2017-8606 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8607 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8608 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8609 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8610 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8611 Microsoft Edge Spoofing Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8617 Microsoft Edge Remote Code Execution Vulnerability
    ips:12890 Microsoft Edge Remote Code Execution Vulnerability (JUL 17) 1

  • CVE-2017-8618 Internet Explorer Remote Code Execution Vulnerability
    ips:12892 Internet Explorer Remote Code Execution Vulnerability (JUL 17) 1

  • CVE-2017-8619 Microsoft Edge Remote Code Execution Vulnerability
    ips:12891 Microsoft Edge Remote Code Execution Vulnerability (JUL 17) 2

  • CVE-2017-8621 Microsoft Exchange Open Redirect Vulnerability
    There are no known exploits in the wild.

Adobe Coverage

APSB17-21 Security updates for Adobe Flash Player:

  • CVE-2017-3080 
    spy:1526 Malformed-File dll.MP.1

  • CVE-2017-3099 
    spy:1527 Malformed-File swf.MP.570

  • CVE-2017-3100 
    spy:1528 Malformed-File swf.MP.571

Petya 2.0? Or PetWrap? Or NotPetya? Is This the New Normal in Cyber Security?

Updated July 6, 2017, 11:51 AM PT

When the latest massive global cyber attack first hit on June 27, the security community observed that the payload behavior closely matched Petya ransomware, which emerged back in 2016, so we initially called this a variant. However, SonicWall Capture Labs researchers have confirmed that this is definitely not Petya ransomware. It masquerades as ransomware, but there is no boot sector decryption capability, so in reality this is a wiper-like attack of the kind generally used as a cyber weapon for targeted system destruction. At this point the malware is being referred to as NotPetya, ExPetr, Nyetya, PetWrap or GoldenEye.

Like WannaCry, this latest attack propagates using EternalBlue, one of the exploits that was leaked from the NSA back in April, which has led to comparisons between the two. The origins are still in dispute, but our position is that regardless of whether it is a cyber crime or a state sanctioned attack, the capacity to inflict not only financial but also brand and operational damage to organizations around the world is enormous.

What we see is that the cyber arms race continues to evolve. If I were to boil this down to its essence, cyber criminals are combining exploits and attacks in creative ways that are not necessarily brand new, but can be tweaked and combined in new ways to create very effective attacks. Like mixing cocktails, the ingredients are all well known, but the exact mix is completely new.

SonicWall Capture Labs confirmed in a SonicAlert issued on June 27 that customers had been protected from this cyber attack through both our intrusion prevention service as well as the SonicWall Capture network sandbox prior to the attack. Gateway AV signatures were also added after we analyzed the payload to detect and protect against the modified ransomware. Stay tuned for more updates from SonicWall as this situation unfolds.

What the attack looks like:

Petya Lock Screen

Petya Payment Screen

Information for SonicWall customers

SonicWall provides protection from this latest attack in a variety of ways for customers with both next-generation firewalls and email security solutions. Here is a breakdown of the protection details.

SonicWall Intrusion Prevention Service – prevents propagation of known malware

  • Existing protection against the NSA EternalBlue exploit of the SMB1 protocol, originally deployed to our firewalls in April 2017, continues to be effective at blocking the malware propagation.
  • No new signatures necessary.

SonicWall Gateway Anti-Virus Service blocks known malware at the gateway

  • We released new signatures to cover the modified payload on June 27. The following have been pushed to all firewalls.
    • GAV: GoldenEye.A_5 (Trojan)
    • GAV: WisdomEyes.A_2 (Trojan)
    • GAV: GoldenEye.A_4 (Trojan)
    • GAV: Petya.A_8 (Trojan)
    • GAV: Petya.AA (Trojan)

SonicWall Capture ATP Network Sandbox Service

  • Detects unknown zero-day malware
  • Capture customers had protection at time zero since the multi-engine sandbox detected the modified Petya payload.
  • Customers using our Block Until Verdict feature were also protected in the case that the attack came in through a method other than EternalBlue.

SonicWall Email Security

The best defense against modern malware attacks includes:

  • SonicWall next-generation firewalls with gateway anti-virus and intrusion prevention services
  • SonicWall Capture ATP, our multi-engine cloud sandbox that is designed to address the 1% of new attacks that have not been seen before
  • SonicWall’s Deep Learning Algorithm, which learns from over 1,000,000 sensors deployed around the globe, with the ability to push out real-time updates within minutes. Deep learning is helping us with the speed of detection and identification as well as the ability to create protection and push to the Capture Threat Network.
  • Because more than 50% of malware is encrypted, as a best practice, always deploy SonicWall Deep Packet Inspection of all SSL/TLS (DPI SSL) traffic. This will enable your SonicWall security services to identify and block all known ransomware attacks.
  • SonicWall Email Security which uses malware signatures to block email-borne threats that are often used to deliver malware. It is estimated that 65% of all ransomware attacks happen through phishing emails, so this also needs to be a major focus when giving security awareness training.
  • Customers should activate SonicWall Content Filtering Service to block communication with malicious URLs and domains, which work similar to the way botnet filtering disrupts C&C communication.
  • Apply the latest Windows patches provided by Microsoft, especially the MS17-010 patch.
  • Block incoming requests to ports 135, 139, and 445 on your Windows firewall. Also disable SMBv1 on Windows machines.
  • Train your users to shut off their computer if they suspect a malware infection.
  • And it is always a good idea to maintain current backups of all critical data to allow recovery in the event of a ransomware event.

Wannacry copycat rampant on Android ecosystem

Ransomware has been the buzzword of recent times, and the subject has exploded over the last few weeks since we saw the WannaCry ransomware epidemic. It is little surprise that many are trying to capitalize on WannaCry’s popularity. The SonicWall Threats Research team received reports of one such copycat ransomware for Android.

Infection Cycle

The app requests the following permissions during installation:

  • Read external storage
  • Internet
  • Get tasks
  • com.android.launcher.permission.READ_SETTINGS
  • Read logs
  • Access wifi state
  • Wake lock
  • Set wallpaper
  • Access network state
  • Read phone state
  • Modify audio settings
  • Mount unmount filesystems
  • Change configuration
  • Write external storage

Upon installation the app disappears from the app drawer, but a new icon is visible with the name lycorisradiata (Lycoris radiata is the red spider lily). This is not a new app; it is the same malicious app with a different icon.

The malicious app changes the wallpaper of the device; below are a few of the wallpapers that we saw. They do not seem to be connected in any particular way:

The malware starts attaching an extension at the end of files, like other popular ransomwares for Windows machines. During our analysis it attached the following string:

Below we can see the code calculating the string to be attached:

The ransomware shows a warning message if we open a different app, i.e. push the ransomware into the background. The message warns the user that the files will be removed if the application is quit; this is a fear tactic the malware uses to coax the victim into paying the ransom.

The ransomware begins encrypting files on the system using AES and is careful to avoid system files. Ultimately we see the same full-screen layout that WannaCry used.

As a ransom, the apps in this campaign ask for either 20 or 40 RMB (1 RMB is approximately 0.15 USD). They accept the following payment methods:

  • QQ chat
  • Alipay
  • WeChat


This is clearly an effort to utilize the popularity of Wannacry to scare the victims into paying the ransom.

Interesting points

  • The malware requests for ransom in RMB
  • The malware opens a connection to biaozhunshijian.51240.com which essentially shows the current time in Beijing
  • The malware accepts payments in the form of QQ, Alipay and WeChat – all these three apps are highly popular in China
  • The above points hint at this campaign’s target and the possible source from where these malicious apps arise
  • There is a function deleteDirWihtFile which has checks in place to avoid files and directories with the following names:
    • android
    • com.
    • miad
    • baidunetdisk
    • download
    • dcim

Overall this ransomware is trying to use the popularity of WannaCry for its own goals. It tries to scare victims into paying a ransom by using the well-known WannaCry lock screen. By accepting payment through non-cryptocurrency channels, the authors risk being tracked down. Coupled with the fact that the ransom demanded is not very high, it looks like the authors are trying to make a quick buck.

Can Wannacry infect Android devices ?
In the current state – NO. WannaCry used a specific Windows exploit that can affect only Windows systems. However, people are still recovering from the effects of WannaCry, so scare tactics like the one used in this malware are to be expected.

SonicWALL provides protection against multiple versions of this threat via the following signature:

  • GAV: AndroidOS.Wannaclone.PK (Trojan)

Locky, Then WannaCry, Now Petya. Is This The New Normal in Cyber Security?

Updated June 28, 2017

As I type this, news reports continue to roll in about yet the latest massive global ransomware attack. This time, the payload appears to be a ransomware called Petya. SonicWall Capture Labs identified the original Petya variants in 2016. However, this time it appears to be delivered by Eternal Blue, one of the exploits that was leaked from the NSA back in April. This is the same exploit that was used in the WannaCry attack.

Infected systems will initially display a flashing skull, followed by a lock screen:

Once again, the cyber arms race continues to evolve. If I were to boil this down to its essence, what we are now seeing is that cyber criminals are combining exploits and attacks in creative ways that are not necessarily new, but still quite effective. Like mixing cocktails, the ingredients are all well known, but the exact mix can be completely new.

Attack details: SonicWall customers are protected

Today, June 27, SonicWall Capture Labs began tracking a high number of Petya ransomware attacks against SonicWall customers. Petya as a malware payload is not new. In fact, we reported in the 2017 Annual SonicWall Threat Report that it was second only to Locky in the number of infections we noted last year. The good news for SonicWall customers that are using our security services is that we have had signatures for certain variants of Petya since March 2016. Then, in April 2017 Capture Labs analyzed and released protection for the Eternal Blue exploit that Shadow Brokers leaked from the NSA. Also, on June 27, the Capture Labs Threat Research Team issued a new alert with multiple signatures protecting customers from the new Petya Ransomware Family.

Recommendations for SonicWall customers

As a SonicWall customer, ensure that your next-generation firewall has a current active Gateway Security subscription, in order to receive automatic real-time protection from known ransomware attacks such as Petya. Gateway Security includes Gateway Anti-virus (GAV), Intrusion Prevention (IPS), Botnet Filtering, and Application Control. This set of technology:

  • Includes signatures against Petya (part of GAV)
  • Protects against vulnerabilities outlined in Microsoft’s security bulletin MS17-010 (part of IPS)

Since SonicWall Email Security uses the same signatures and definitions as Gateway Security, we can block the emails that deliver the initial route to infection. To block malicious emails, ensure all Email Security services are up to date. Since 65% of all ransomware attacks happen through phishing emails, this also needs to be a major focus when giving security awareness training. Additionally, customers with SonicWall Content Filtering Service should activate it to block communication with malicious URLs and domains, which work similar to the way botnet filtering disrupts C&C communication.

Because more than 50% of malware is encrypted, as a best practice, always deploy SonicWall Deep Packet Inspection of all SSL/TLS (DPI SSL) traffic. This will enable your SonicWall security services to identify and block all known ransomware attacks. Enabling DPI SSL also allows the firewall to examine and send unknown files to the SonicWall Capture Advanced Threat Protection (ATP) service for multi-engine sandbox analysis. We recommend that you deploy Capture ATP in order to discover and stop unknown ransomware variants. Because of the rapid proliferation of malware variants, SonicWall leverages deep learning algorithms to provide automated protection against both known and zero-day threats. The combination of the SonicWall Capture Threat Network and SonicWall Capture ATP sandboxing provides the best defense against newly emerging hybrid attacks such as Petya. As always, we strongly recommend that you also apply the Windows patch provided by Microsoft to protect against the Shadow Brokers leaked exploits as well.  And it is always a good idea to maintain current backups of all critical data to allow recovery in the event of a ransomware event.

The Not Petya Ransomware Spreading Worldwide

A new ransomware family, being called Not Petya, has been observed in the wild. It was originally identified as part of the Petya family because both replace the boot drive’s Master Boot Record (MBR) with a malicious loader. However, there are several novelties in Not Petya compared to Petya, such as the use of the NSA EternalBlue exploit in the same way as the earlier WannaCry ransomware.

Infection Cycle

1. Upon execution, the malware first schedules a system shutdown and the related tasks:

2. Then, it goes through the local network looking for targets:

3. Every live IP address found is checked for the SMB service and infected if possible.

3.5 The following code shows the SMB requests, with the path \\<IP>\ADMIN$, that are sent to each detected local computer:

4. After the set time, the MBR is replaced and the system is rebooted. Below is the fake system repair message, which is similar to the one shown by the previous Petya version:

5. The victim is required to pay for the decryption:

5.5 The bitcoin address is found to be hardcoded into the malware:

6. According to the code, the Windows Management Instrumentation Command-line (WMIC) interface is also used:

A bitcoin address accepting the payments has been identified in the malware. A total of 34 transactions, worth more than 8,600 USD, had been seen at the time this SonicAlert was released. The exact transactions can be found here. However, it has been reported that the email address was blocked around noon today, which means that paying may not help to decrypt the victim’s infected computers.

With further analysis, we found that the malware wipes the sectors at the beginning of the hard drive, other than the MBR, without saving them anywhere, which renders the machine unbootable and unrecoverable. The files on the system are encrypted rather than wiped and are in principle recoverable, but only by a knowledgeable professional holding the decryption key.

Full Code Walkthrough

The first thing it does is grant itself the necessary privileges. It then walks the running processes and computes a key from each process name (using an XOR-based algorithm); if the key matches certain values, some later actions are skipped. In other words, it looks for particular process names and, if it finds them, holds back part of its behaviour. Next it checks whether its DLL is already present in the Windows folder; if so, the sample does nothing further. Otherwise it proceeds to infect the raw disk.

Disk infection:

It first overwrites 0x200 bytes starting one sector after the first sector of logical drive C:. This is where the Volume Boot Record (VBR) lives, and the VBR is more than one sector long, so the second sector of the VBR is destroyed and the volume cannot be recovered. Then, depending on the result of the process check above, it proceeds to infect the MBR. It creates a buffer of 60 random bytes using the crypto APIs and uses each byte as an index into a hard-coded list of characters to generate the personal installation key displayed on the boot screen by the infected MBR. Because this algorithm generates a completely random installation key, there is no way the attacker could derive a decryption key from that information.

Next it reads the MBR and XORs it with 0x07; it later writes this XORed MBR to sector 34. It also attempts to check whether any partition’s LBA (its start location on disk) is less than 40 (0x28), to find out whether there is enough space to write its own MBR code. However, this check is faulty and ends up testing only the last partition. It then overwrites sectors 0-24, 32, 33 and 34: sectors 0-24 hold its MBR code, sector 32 holds the bitcoin address and the random personal installation key, sector 33 is filled with 0x07 bytes, and sector 34 holds the XORed original MBR. If the MBR infection fails, it attempts to write junk over the MBR instead.
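The on-disk layout just described can be fingerprinted and partly reversed from a raw disk image. The following Python script is an added example written for this page, not SonicWall's analysis code and not the malware's: it constructs an in-memory 64-sector image laid out as the walkthrough describes (loader in sectors 0-24, key material in sector 32, 0x07 fill in sector 33, the XOR-0x07 original MBR in sector 34), detects that layout, recovers the original MBR from sector 34, and performs the partition-start check the sample gets wrong, over every entry rather than only the last. Every sector's contents, the partition table entries and the placeholder strings are constructed for the example.

```python
# Added example for this page (not SonicWall's or the malware's code): rebuild the
# infected-disk layout the walkthrough describes in memory, detect it, and recover
# the original MBR from sector 34. All sector contents below are constructed.
import struct

SECTOR = 512
XOR_KEY = 0x07                  # walkthrough: original MBR is XORed with 0x7 ...
SAVED_MBR_SECTOR = 34           # ... and written to sector 34
MARKER_SECTOR = 33              # sector 33 is filled with 0x07 bytes
KEY_SECTOR = 32                 # sector 32: bitcoin address + personal installation key
LOADER_SECTORS = range(0, 25)   # sectors 0-24: the malicious MBR/loader code
MIN_PARTITION_LBA = 40          # the sample's "is start LBA < 0x28" space check
IMAGE_SECTORS = 64              # size of the constructed image


def sector(image: bytes, n: int) -> bytes:
    """Return sector n of a raw image."""
    return image[n * SECTOR:(n + 1) * SECTOR]


def partition_start_lbas(mbr: bytes) -> list:
    """Start LBA of every non-empty entry in the MBR partition table (offset 0x1BE)."""
    lbas = []
    for i in range(4):
        entry = mbr[0x1BE + 16 * i:0x1BE + 16 * (i + 1)]
        if entry[4] != 0:                       # byte 4 of an entry is the partition type
            lbas.append(struct.unpack_from("<I", entry, 8)[0])
    return lbas


def has_room_for_loader(mbr: bytes) -> bool:
    """The check the malware meant to make: every partition starts at or beyond LBA 40.
    The walkthrough notes the real code only tests the last entry."""
    return all(lba >= MIN_PARTITION_LBA for lba in partition_start_lbas(mbr))


def build_clean_mbr(partition_starts) -> bytes:
    """Constructed sample MBR: dummy boot code, a partition table, 0x55AA signature."""
    mbr = bytearray(SECTOR)
    mbr[0:8] = b"BOOTCODE"                      # stand-in for real boot code
    for i, start in enumerate(partition_starts):
        entry = bytearray(16)
        entry[4] = 0x07                         # NTFS type byte (constructed)
        struct.pack_into("<I", entry, 8, start)       # start LBA
        struct.pack_into("<I", entry, 12, 0x100000)   # sector count (constructed)
        mbr[0x1BE + 16 * i:0x1BE + 16 * (i + 1)] = entry
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


def build_infected_image(original_mbr: bytes) -> bytes:
    """Constructed image mirroring the sector layout in the walkthrough."""
    sectors = [bytes(SECTOR) for _ in range(IMAGE_SECTORS)]
    for n in LOADER_SECTORS:
        sectors[n] = b"\xEB\xFE" + bytes(SECTOR - 2)   # 'jmp $' as a stand-in loader
    sectors[KEY_SECTOR] = b"BTC-ADDRESS-PLACEHOLDER\x00KEY-PLACEHOLDER".ljust(SECTOR, b"\x00")
    sectors[MARKER_SECTOR] = bytes([XOR_KEY]) * SECTOR
    sectors[SAVED_MBR_SECTOR] = bytes(b ^ XOR_KEY for b in original_mbr)
    return b"".join(sectors)


def recover_original_mbr(image: bytes):
    """Undo the XOR on sector 34; accept the result only if it ends in the 0x55AA signature."""
    candidate = bytes(b ^ XOR_KEY for b in sector(image, SAVED_MBR_SECTOR))
    return candidate if candidate[510:512] == b"\x55\xAA" else None


def looks_like_notpetya_layout(image: bytes) -> bool:
    """Both fingerprints from the walkthrough: 0x07-filled sector 33 and a valid XORed MBR in 34."""
    marker_ok = sector(image, MARKER_SECTOR) == bytes([XOR_KEY]) * SECTOR
    return marker_ok and recover_original_mbr(image) is not None


if __name__ == "__main__":
    clean = build_clean_mbr([2048])
    image = build_infected_image(clean)
    print("layout matches:", looks_like_notpetya_layout(image))
    print("MBR recovered :", recover_original_mbr(image) == clean)
    print("room check    :", has_room_for_loader(clean))
```

Recovering the MBR this way only restores the partition table and boot code. As the walkthrough notes, the second VBR sector is overwritten without being saved anywhere, so the C: volume still needs repair, and the encrypted files still need the key.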

Mimikatz: Next it retrieves Mimikatz from its own embedded resource and drops it as a temporary file in the temp directory. It creates a named pipe from a GUID and passes the pipe name as a parameter to the Mimikatz process it then creates.

Mimikatz provides all the username/password combinations it can find like this:

Here the username and password found in our test environment, Sagar and SonicWall, are separated by ‘:’. After receiving this through the named pipe, it splits on the ‘:’ separator and records all the usernames and passwords. It later uses both PsExec and WMI with these credentials to infect other systems over the network. It then nulls out the Mimikatz file in the temp directory.

Next it would drop the embedded PSExec as ‘dllhost.dat’ in the windows directory.

Use of PSExec and WMI: For lateral propagation it enumerates all the ip addresses on the local network and attempts to access the admin$ share on that remote system using the username, password found by mimikatz.

If it can access the share it would drop a copy of itself on the remote machine windows directory. Then it would first try to run the copy.

First it attempts PsExec, with a command line like the following (placeholders in angle brackets stand for the target host, the harvested credentials and the DLL it dropped; -s runs the payload as SYSTEM, -d returns without waiting, and #1 calls the DLL’s first export by ordinal):

C:\windows\dllhost.dat \\<target> -accepteula -s -d C:\Windows\System32\rundll32.exe "C:\Windows\<dropped DLL>",#1

If this does not succeed, it attempts WMIC with the harvested credentials, with a command line like:

C:\windows\wbem\wmic.exe /node:"<target>" /user:"<username>" /password:"<password>" process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\<dropped DLL>\" #1"
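The two command lines above are distinctive enough to hunt for in process-creation telemetry (the CommandLine field of Sysmon Event ID 1 or Windows Security event 4688). The following Python is an added example for this page, not SonicWall detection content: it runs three regex rules over a handful of constructed events (the IP addresses, the dropped-DLL name and the benign decoys are all invented) and flags the renamed-PsExec launch, the remote WMIC process creation, and the local rundll32 call that loads a DLL from the Windows root by ordinal #1.

```python
# Added example for this page (not SonicWall's detection content): hunt for the
# NotPetya lateral-movement command lines in process-creation telemetry. The events
# below are constructed (hosts, credentials and the dropped-DLL name are invented).
import re

SAMPLE_EVENTS = [
    # renamed PsExec (dllhost.dat) pushing rundll32 to a peer as SYSTEM, export #1
    {"Image": r"C:\Windows\dllhost.dat",
     "CommandLine": r'C:\windows\dllhost.dat \\10.0.0.7 -accepteula -s -d '
                    r'C:\Windows\System32\rundll32.exe "C:\Windows\dropped.dll",#1'},
    # WMIC fallback using credentials harvested by Mimikatz
    {"Image": r"C:\Windows\System32\wbem\wmic.exe",
     "CommandLine": r'C:\windows\wbem\wmic.exe /node:"10.0.0.8" /user:"CORP\sagar" '
                    r'/password:"SonicWall" process call create '
                    r'"C:\Windows\System32\rundll32.exe C:\Windows\dropped.dll #1"'},
    # what the victim side sees: rundll32 loading a DLL from the Windows root by ordinal
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Windows\dropped.dll",#1'},
    # decoys that should not fire: legitimate PsExec use and a normal rundll32 call
    {"Image": r"C:\Tools\PsExec.exe",
     "CommandLine": r'PsExec.exe \\fileserver -accepteula cmd /c dir'},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe shell32.dll,Control_RunDLL'},
]

RULES = [
    # PsExec renamed to dllhost.dat, targeting \\host, -s (SYSTEM) -d (no wait), launching rundll32
    ("psexec_dllhost_dat",
     re.compile(r"dllhost\.dat\s+\\\\\S+.*-accepteula\b.*-s\b.*-d\b.*rundll32\.exe", re.I)),
    # wmic /node /user /password process call create ... rundll32 ... #1
    ("wmic_remote_rundll32",
     re.compile(r"wmic\.exe\s+/node:.*\s/user:.*\s/password:.*process\s+call\s+create"
                r".*rundll32\.exe.*#1", re.I)),
    # rundll32 invoking ordinal #1 of a DLL sitting directly in the Windows directory
    ("rundll32_windows_dir_ordinal",
     re.compile(r"rundll32\.exe\s+\"?[A-Z]:\\Windows\\[^\\\"]+\"?\s*,\s*#1\s*$", re.I)),
]


def scan(events):
    """Return one hit per (event, rule) pair whose CommandLine matches the rule."""
    hits = []
    for ev in events:
        for name, pattern in RULES:
            if pattern.search(ev["CommandLine"]):
                hits.append({"rule": name, "Image": ev["Image"]})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit['rule']:30} {hit['Image']}")
```

The third rule is the broadest: it fires on any rundll32 call that loads a DLL from the root of the Windows directory by ordinal #1, which is assumed here to be rare enough in normal operation to be worth an alert; tune the path prefix to whatever your environment considers a legitimate DLL location.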

From the above code analysis, the code in these samples does not resemble the code of the original Petya ransomware. The only similarity is the MBR infection behavior. We therefore conclude that this is likely the work of someone other than the people associated with the Petya family of ransomware.

Prevention

To proactively prevent from being attacked by this malware or mitigate the damage, please:

  1. Keep your computer up to date with the latest patches, and in particular apply Microsoft Windows security update MS17-010.
  2. Enable the Windows Firewall and block incoming requests to ports 135, 139, and 445.
  3. Disable SMBv1 in Windows: https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and-windows.
  4. Segment your network into multiple sections, especially in a company network environment.
  5. Switch off your computer when you see the fake CHKDSK screen, to mitigate the damage.
  6. Do not pay the ransom. Firstly, the email address has been blocked by the email provider Posteo, so your payment message will not be delivered. Secondly, according to our further analysis, the malware’s code cannot recover your computer.

SonicWall Detection

The SonicWall threat research team has analyzed the new Not Petya malware and developed the following GAV signatures:

  • GAV: GoldenEye.A_5 (Trojan)
  • GAV: WisdomEyes.A_2 (Trojan)
  • GAV: GoldenEye.A_4 (Trojan)
  • GAV: Petya.A_8 (Trojan)
  • GAV: Petya.AA (Trojan)

The SonicWall threat research team also deployed multiple IPS signatures in April/May 2017 detecting EternalBlue / MS17-010 exploitation, which proactively block the new Not Petya ransomware:

  • 12700 Windows SMB Remote Code Execution (MS17-010) 1
  • 12792 Windows SMB Remote Code Execution (MS17-010) 2
  • 12794 Windows SMB Remote Code Execution (MS17-010) 3
  • 12800 Windows SMB Remote Code Execution (MS17-010) 4
  • 12814 Windows SMB Remote Code Execution (MS17-010) 5
  • 12849 Windows SMB Remote Code Execution (MS17-010) 6

SonicWall Capture ATP service also detects the malware binaries associated with this threat.

The above signatures show a large recent spike in exploitation of the MS17-010 vulnerabilities, which includes the SMB traffic that the new Not Petya ransomware generates:

Last updated on June 29, 2017

Is Your K-12 Network Ready to Innovate More? Learn How SonicWall Blocks Ransomware and Encrypted Threats at ISTE 2017

Every day our children, teachers and administrators log into the network at school. How can you ensure the data travelling across that network is secure from hidden threats and attacks such as ransomware? With SonicWall next-gen firewalls and DPI SSL inspection technology, IT administrators can find threats hidden in encrypted web traffic that cybercriminals don’t want you to discover across your K-12 network. This week at ISTE 2017, SonicWall will highlight its automated real-time breach prevention solution, how to leverage our SonicWall Security as-a-Service option, and showcase the advantages eRate offers for upgrading network security. Visit us in booth 2357 from June 26-28 at The Henry B. Gonzalez Convention Center. Your K-12 school district’s security solution needs to perform with x-ray vision by inspecting encrypted traffic to block and detect ransomware attacks with SonicWall Capture ATP. Over 25 years, SonicWall has been protecting school networks around the world. St. Dominic’s School for Girls is one that has been able to innovate more with SonicWall next-gen firewalls.

“SonicWall NGFW has lived up to its promises. We feel very well protected and have not experienced any security breaches or content filtering issues.” – Harry van der Burgt, IT Manager St Dominic’s School for Girls

Let’s take a look at securing your school’s network traffic.

Over time, HTTPS has replaced HTTP as the means to secure web traffic. Along the way there have been some inflection points that have spurred on this transition such as when Google announced it would enable HTTPS search for all logged-in users who visit google.com. More recently, Google began using HTTPS as a ranking signal. Other vendors including YouTube, Twitter and Facebook have also made the switch. If you read articles on the use of Secure Sockets Layer/Transport Layer Security (SSL/TLS) encryption the latest numbers typically indicate that a little over 50% of all web traffic is now encrypted and that percentage is expected to continue growing. At SonicWall, data gathered by our Capture Threat Network shows the percentage to be a little higher, around 62%. We found that as web traffic grew throughout 2016, so did SSL/TLS encryption, from 5.3 trillion web connections in 2015 to 7.3 trillion in 2016. Like others, we also expect the use of HTTPS to increase.

Given the growing trend toward HTTPS and its use by hackers to steal information, it makes sense to have a security solution in place that can decrypt and scan SSL/TLS-encrypted traffic for threats. Not every school does, however, especially smaller ones. According to Gartner’s Magic Quadrant for Unified Threat Management (UTM) from August 2016, the research and advisory company estimates that “Less than 10% of SMB organizations decrypt HTTPS on their UTM firewall. This means that 90% of the SMB organizations relying on UTM for web security are blind to the more advanced threats that use HTTPS for transport.”

In his blog titled, “DPI-SSL: What Keeps You Up at Night?” my colleague Paul Leets states, “We must look into encrypted packets to mitigate those threats.” And he’s right. We need to be able to “see” into encrypted traffic in order to identify threats and eliminate them before they get into the network. And it needs to be done in real time. We call this automated breach prevention and it’s what our lineup of next-generation firewalls delivers. To learn more about automated breach prevention and how SonicWall next-generation firewalls decrypt SSL/TLS-encrypted traffic and scan for and eliminate threats without latency, visit the “Encrypted Threats” page on our website.

In addition to uncovering encrypted threats, K-12 schools are at risk of ransomware attacks. To help protect school networks against the increasing dangers of advanced persistent threats (APTs), SonicWall Capture will be available to demo at ISTE 2017. This cloud-based sandboxing service – available on both firewalls and email security solutions – scans potentially malicious unknown files until a verdict can be reached. This solution is built on multi-layered sandboxing technologies that use both system emulation and virtualization techniques to detect more threats than competitors’ single-engine solutions. Customers immediately benefit from fast response times, high security effectiveness and reduced total cost of ownership.

With the volume of cyber attacks increasing in intensity and sophistication, many of our education customers have taken advantage of SonicWall Security-as-a-Service. Our expertly trained partners deliver SonicWall next-gen firewalls to you, so your school network can benefit from the following:

  • Outsourced network security to an experienced security provider
  • Expert configuration of your Security-as-a-Service solution by SonicWall-certified engineers
  • Predictable monthly service fee with no upfront costs
  • Next-gen firewall, gateway anti-malware, intrusion prevention, content filtering and Capture

SonicWall solutions for education deliver real-time breach prevention along with secure remote access, enabling your school district to realize the promise of technologically advanced learning environments. Join the team onsite at booth 2357, along with our partner Securematics. Do more and Fear Less.

Master Ransomware nets $168K so far!

The SonicWall Threats Research team has been monitoring a ransomware threat known as Master Ransomware. This ransomware is a variant of BTCWare. Its operation is very simple and follows the classic extortion tactic: encrypt files and demand a ransom to get them back. The important thing to note, however, is that there is now a rising trend for ransomware to charge even more money for file decryption. In this case, 1 BTC (currently $2701 USD) is required for file decryption.

Infection Cycle:

Upon infection, the Trojan displays the following text on the desktop background:

It also displays the following text file:

The Trojan adds the following key to the registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run  DECRYPTINFO  %AppData%\Roaming\#_RESTORE_FILES_#!.inf

The Trojan traverses all directories on the system and encrypts files in those directories. It leaves #_RESTORE_FILES_#!.inf in each directory and renames each encrypted file to {original filename}.master. This directory traversal includes any attached network drives and attached external media storage.

It also drops #_RESTORE_FILES_#!.inf onto the desktop:

#_RESTORE_FILES_#!.inf contains a unique ID and instructs the user to send an email with this ID to crypthelp@qq.com in order to receive instructions to decrypt files.
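The host-side artifacts described above (the DECRYPTINFO Run value, the .master extension and the note dropped in every traversed directory) are enough for a quick triage sweep. The script below is an added example, not SonicWall's code; registry data is passed in as a plain dict so the matching logic runs on any OS, and the sample profile it builds is constructed, not a real capture.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the write-up above
NOTE_NAME = "#_RESTORE_FILES_#!.inf"   # ransom note dropped in every traversed directory
ENCRYPTED_SUFFIX = ".master"            # appended to each encrypted file
RUN_VALUE_NAME = "DECRYPTINFO"          # HKCU\...\CurrentVersion\Run value name

def check_run_key(run_values):
    """run_values: {value_name: data} read from the HKCU Run key.
    Returns the entries that match the Trojan's persistence value, either by
    name or because the data points at the ransom note."""
    return [(name, data) for name, data in run_values.items()
            if name == RUN_VALUE_NAME or NOTE_NAME.lower() in str(data).lower()]

def sweep_tree(root):
    """Walk root as the Trojan does; collect .master files and note drops."""
    hits = {"encrypted": [], "notes": []}
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f == NOTE_NAME:
                hits["notes"].append(os.path.join(dirpath, f))
            elif f.lower().endswith(ENCRYPTED_SUFFIX):
                hits["encrypted"].append(os.path.join(dirpath, f))
    return hits

def read_hkcu_run():
    """Windows only (stdlib winreg): dump the Run key for check_run_key()."""
    import winreg
    values, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, i)
            except OSError:          # EnumValue raises once the values run out
                return values
            values[name] = data
            i += 1

def build_sample_tree():
    """Constructed sample profile after infection (not a real capture)."""
    root = tempfile.mkdtemp()
    for sub in ("Documents", os.path.join("Documents", "2017"), "Pictures"):
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        Path(root, sub, NOTE_NAME).write_text("ransom note placeholder")
    Path(root, "Documents", "budget.xlsx.master").write_bytes(b"\x00" * 16)
    Path(root, "Documents", "2017", "notes.docx.master").write_bytes(b"\x00" * 16)
    Path(root, "Pictures", "clean.jpg").write_bytes(b"\xff\xd8")
    return root
```

On a live Windows host, `check_run_key(read_hkcu_run())` and `sweep_tree` over the user profile and any mapped drives give the same two signals the write-up describes.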

We followed these instructions and received the following email:

The email instructs the user to send 1 BTC ($2701 USD at the time of writing) to 1HAvKnunqW8xPjEwRYJjMeYnA5sPCyBvAB.

Although this ransomware is very simple, its operators have been very successful and have netted 62.2 BTC so far. This amounts to $168,000 at the time of writing this alert:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Master.RSM (Trojan)
  • GAV: Master.RSM_2 (Trojan)

Live exploits intercepted for CVE-2017-0143

The SonicWall threat research team has intercepted a number of live exploit attempts against CVE-2017-0143 (MS17-010) in the past few weeks. These exploits trigger a vulnerability in the Windows SMB service, which improperly handles the Trans command. A successful attack could expose the target host’s kernel memory and eventually lead to arbitrary code execution.

In general, the exploits send an SMB transaction command, which is used to communicate with mailslots (one-way inter-process communication) and named pipes, followed by a TRANS_PEEK_NMPIPE subcommand to trigger the kernel memory disclosure vulnerability.

The attack network flow can be described as follows:

  1. The attacker sends a Tree Connect request to the server’s IPC$ share.
  2. After the server approves it, the attacker requests to open the “lsarpc” file.
  3. The server responds with the FID of the “lsarpc” file.
  4. The attacker binds to the file’s interface and sends a large request to trigger the vulnerability, followed by a TRANS_PEEK_NMPIPE subcommand.
  5. The vulnerability is triggered and the server responds with kernel memory contents.
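The five-step flow above maps directly onto a per-client state machine a network sensor can run. The detector below is an added example, not SonicWall's IPS signature: it consumes already-parsed SMB events (the field names `client`, `cmd`, `path`, `name`, `fid`, `subcmd` and `data_len` are this example's assumptions, as is the 4096-byte threshold for the "large request"), and the sample session it scans is constructed, not a real capture.

```python
from collections import defaultdict

TRANS_PEEK_NMPIPE = 0x0023        # SMB_COM_TRANSACTION subcommand code (MS-CIFS)
TRANS_TRANSACT_NMPIPE = 0x0026    # ordinary named-pipe I/O, used for the RPC bind
LARGE_REQUEST = 4096              # assumed threshold for the "large request" in step 4

class Ms17010Tracker:
    """Per-client state machine over parsed SMB events (field names assumed)."""

    def __init__(self):
        self.state = defaultdict(lambda: {"step": 0, "fid": None})

    def feed(self, ev):
        """Advance one client's state; return an alert when the sequence completes."""
        s, cmd = self.state[ev["client"]], ev["cmd"]
        same_fid = ev.get("fid") == s["fid"]
        if cmd == "TreeConnectAndX" and ev.get("path", "").upper().endswith("IPC$"):
            s.update(step=1, fid=None)                       # step 1: IPC$ tree connect
        elif s["step"] == 1 and cmd == "NTCreateAndX" and ev.get("name", "").lower() == "lsarpc":
            s.update(step=2, fid=ev.get("fid"))              # steps 2-3: lsarpc opened, FID known
        elif s["step"] == 2 and cmd == "Transaction" and same_fid \
                and ev.get("data_len", 0) >= LARGE_REQUEST:
            s["step"] = 3                                    # step 4a: large request on the pipe
        elif s["step"] == 3 and cmd == "Transaction" and same_fid \
                and ev.get("subcmd") == TRANS_PEEK_NMPIPE:
            s["step"] = 0                                    # step 4b: peek -> raise alert
            return (f"MS17-010 exploit pattern from {ev['client']}: IPC$ -> lsarpc "
                    f"(FID {s['fid']:#x}) -> large Trans -> TRANS_PEEK_NMPIPE")
        return None

def scan(events):
    """Run every event through one tracker and return the alerts raised."""
    tracker = Ms17010Tracker()
    return [alert for alert in map(tracker.feed, events) if alert]

# Constructed sample (not a real capture): client .10 performs the full sequence;
# client .20 opens lsarpc and does a normal RPC bind only, as legitimate hosts do.
SAMPLE_EVENTS = [
    {"client": "192.0.2.10", "cmd": "TreeConnectAndX", "path": r"\\192.0.2.5\IPC$"},
    {"client": "192.0.2.10", "cmd": "NTCreateAndX", "name": "lsarpc", "fid": 0x4000},
    {"client": "192.0.2.10", "cmd": "Transaction", "fid": 0x4000,
     "subcmd": TRANS_TRANSACT_NMPIPE, "data_len": 72},
    {"client": "192.0.2.10", "cmd": "Transaction", "fid": 0x4000,
     "subcmd": TRANS_TRANSACT_NMPIPE, "data_len": 8192},
    {"client": "192.0.2.10", "cmd": "Transaction", "fid": 0x4000,
     "subcmd": TRANS_PEEK_NMPIPE, "data_len": 0},
    {"client": "192.0.2.20", "cmd": "TreeConnectAndX", "path": r"\\192.0.2.5\IPC$"},
    {"client": "192.0.2.20", "cmd": "NTCreateAndX", "name": "lsarpc", "fid": 0x4001},
    {"client": "192.0.2.20", "cmd": "Transaction", "fid": 0x4001,
     "subcmd": TRANS_TRANSACT_NMPIPE, "data_len": 72},
]
```

`scan(SAMPLE_EVENTS)` raises exactly one alert, for 192.0.2.10; the second client never passes step 2 because an ordinary bind is neither large nor a peek.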

The SonicWall threat research team has developed the following signature to protect our customers from this vulnerability:

  • IPS 12849: Windows SMB Remote Code Execution (MS17-010) 6

Enemy at the Corporate Gate: Why Email Security is More Crucial Than Ever with Dell and SonicWall

Note: This is a guest blog post by Bryan Chester, Vice President of North America Partner Software and Imaging Sales at Dell.

Email has long been acknowledged as a business critical application. However, it can expose your organization to devastating sabotage by offering hackers an easily accessible vehicle to exploit vulnerabilities in your organization’s network security.

There are a multitude of repercussions if email-based threats such as ransomware, phishing, or viruses make it into your email servers and users’ inboxes. Given today’s complex threats, it is crucial that organizations deploy a multi-layered security solution that includes dedicated, leading edge email protection.

Even with the knowledge of that threat, it is becoming increasingly difficult to accurately detect all of the bad emails without creating a bottleneck and dampening your employee productivity. This is especially true for emails containing attachments.

So what can you do to protect your environment at an email level while not slowing down your critical business processes? Dell and SonicWall can help you answer that question.

SonicWall Email Security leverages multiple patented SonicWall threat detection techniques and a unique worldwide attack identification and monitoring network. This next-generation SonicWall Email Security solution protects your organization from today’s most advanced email threats.

SonicWall Email Security includes the cloud-based Capture ATP (Advanced Threat Protection) service that can scan a broad range of email attachment types, analyze them in a multi-engine sandbox, and block dangerous files or emails before they reach your network. Email Security with Capture ATP gives you a highly effective and responsive defense against email threats, all at a low TCO.

SonicWall Email Security features include:

  • Advanced Threat Protection: Integrates Capture cloud-based sandboxing technology for detection of zero-day threats such as ransomware, with fine-grained inspection of SMTP traffic.
  • Next-generation Email Protection: Incorporates anti-spam, anti-virus and anti-spoofing functionality to not only detect and prevent spam and other unwanted email, but also scan email messages and attachments for ransomware, Trojan horses, worms and other types of malicious content.
  • Improved Office 365 Support: Enhances security for multi-tenant environments by providing a method for ensured, mapped delivery of emails for SonicWall Hosted Email Security environments.
  • Updated Line of Appliances: Refreshes SonicWall’s line of Email Security Appliances (hardware and virtual options), helping customers to better face threats delivered by email.
  • Encryption Protection: Supports SMTP Authentication, and the encryption service feature enables any email containing protected data to be automatically encrypted, routed for approval or archived.
  • Policy and Compliance Management: Enables an administrator to enact policies that filter messages and their contents as they enter or exit the organization. This allows organizations to meet regulatory requirements based on government legislation, industry standards or corporate governance activities.

To learn more, download the SonicWall Email Security 9.0 data sheet or view a live demo of the SonicWall Email Security Solution to see all of the latest enhancements.

Reach out to your Dell and SonicWall contacts today to learn more about how SonicWall Email Security can protect your organization by scanning all inbound and outbound email content and attachments for sensitive data, all while delivering real-time protection from spam, phishing, viruses, malicious URLs, spoofing, Denial of Service (DoS), and a myriad of other unknown and sometimes unimaginable attacks.

Attackers use EternalBlue exploit to enroll Adylkuzz mining botnet

The SonicWall Threats Research team observed reports of a new variant of the Adylkuzz cryptocurrency miner family [GAV: Adylkuzz.A and Adylkuzz.B] actively spreading in the wild.

At the time of this article, the malware does not have the capability to exploit the MS17-010 vulnerability and propagate on its own. Instead, attackers exploit the vulnerability separately, scanning target IPs and ports with third-party tools and then installing the Adylkuzz malware on the compromised system.

Infection Cycle:

The malware adds the following files to the system:

  • Malware.exe

    • %windir%\Fonts\wuauser.exe

The Trojan adds the following service to Windows to ensure persistence after reboot:

Once the computer is compromised, the malware copies its own executable file to the %windir%\Fonts folder and downloads the Adylkuzz miner.

Upon successful exploitation, the malware runs the following commands on the target machine to stop SMB communication, preventing further infection by similar threats such as WannaCry ransomware:

The malware runs the following commands to kill certain applications on the target system:

The malware injects an API table as shown below:

The malware installs the cryptocurrency miner Adylkuzz on the target machine as shown below:

Command and Control (C&C) Traffic

The malware performs C&C communication over TCP and UDP ports. It sends the system’s UID to its C&C server in the following format; here are some examples:

We have been monitoring varying hits over the past few days for the signature that blocks this threat:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Adylkuzz.A (Trojan)
  • GAV: Adylkuzz.B (Trojan)
  • GAV: Adylkuzz.B_2 (Trojan)
  • GAV: Adylkuzz.B_3 (Trojan)
  • GAV: Adylkuzz.B_4 (Trojan)
  • GAV: Adylkuzz.B_5 (Trojan)
  • GAV: Adylkuzz.B_6 (Trojan)
  • GAV: Adylkuzz.B_7 (Trojan)