Do You Trust Endpoints That Go Shopping?

We are midway through the shopping season this year and already online retail shopping is having record sales. According to Adobe, final numbers indicate that Black Friday surpassed estimates, with $3.34 billion – 21.6 percent growth, year-over-year. Mobile accounted for $1.2 billion, a 33 percent increase from the year before.

Gartner predicts that 70 percent of mobile employees will use their personal smart devices to conduct work by 2018.

These are two seemingly disparate trends but what do they mean for organizations and their cyber security posture?

In another blog, my colleague Scott Grebe explored the security risks that arise when employees are shopping online at work within the corporate network. In this blog, we’ll explore the security risks that arise when employees shop online outside the corporate network.

Organizations are increasingly embracing BYOD for its obvious advantages, but this gives rise to a key gap in the security posture: How do you secure smartphones, tablets and laptops when they leave the confines of your corporate cyber security infrastructure? CSOs must make sure that the right security solutions and policies are implemented to close this gap.

Recent high-profile data breaches have put cyber security under the spotlight, and organizations have invested in best-of-breed solutions and deployed defense-in-depth strategies to mitigate today’s advanced threats. Solutions such as next-generation firewalls, Intrusion Prevention Systems (IPS), sandboxing and email security are in place to protect against zero-day malware and ransomware, making it significantly more difficult for the majority of hackers to penetrate. No points for guessing where these threat actors will target next: smartphones, tablets, laptops or even home computers that employees use for remote work. According to the McAfee Labs 2016 Threats Predictions report: “If attackers really want to get at your data, but find themselves blocked at every attempt against the corporate data center, then the relatively insecure home systems of the employees become the next logical target.”

Employees are spending more time shopping online using a work-supplied or personal device. The next time an employee connects to a public Wi-Fi network to do a price check on a deal, or just uses his/her relatively insecure home network to shop, it could expose the organization’s network. Just last week, it was revealed that 1 million Google accounts were compromised by Android malware. Hundreds of counterfeit retail apps were discovered in Apple’s App Store. A seemingly innocuous app or even a rogue SMS text would suffice to compromise the device and, just like the Trojan horse, the device would be given entry into the corporate network.

It is difficult to control the shopping mania that infects everyone around this time of the year, but organizations can leverage the security solutions that are already deployed to better protect the endpoints even when they are remote. SonicWall’s Secure Mobile Access (SMA) solution provides access security to complement your network security, by delivering secure access to users from anywhere and from any device. With SMA, organizations can protect their corporate network every time employees go online by following certain best practices:

  • For trusted laptops and desktops, use the redirect-all mode on the SSL-VPN solution to drive all traffic through the corporate security infrastructure.
  • For untrusted BYO devices, educate employees to use features such as browser-based clientless access to remote desktops for secure browsing.
  • For mobile devices, configure policies to allow access only to whitelisted apps.

Further, when these endpoints re-enter the corporate network, SMA interrogates the device and performs health checks to permit access or to quarantine it for remediation. By implementing these best practices, organizations can leverage their corporate infrastructure, such as a next-gen firewall with SonicWall Capture sandboxing technology, bringing security anywhere employees’ devices go. Ready or not, mobile workers and BYOD are here to stay.

To learn more on how SMA can protect the corporate networks from “trusted” and “untrusted” endpoints, download and read our executive brief.

Memcached integer overflow CVE-2016-8704 (Dec 9, 2016)

Memcached is a free, open-source, high-performance, distributed memory object caching system.

An integer overflow flaw, leading to a heap-based buffer overflow, was found in the memcached binary protocol (CVE-2016-8704). An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code. An integer overflow can be triggered by issuing a command that appends or prepends data to an existing key-value pair.
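The following C is an added illustration, not memcached's own code: it decodes the 24-byte binary-protocol request header (the layout and the append/prepend opcode values are from the documented binary protocol) and contrasts an unchecked value-length computation, which wraps when the declared key length exceeds the body length, with a bounds-checked one that rejects such a request. The exact arithmetic inside memcached's handler is not given on this page, so the unchecked form stands for the bug class only.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Memcached binary protocol request header (24 bytes, big-endian fields). */
#define MC_HDR_LEN      24
#define MC_MAGIC_REQ    0x80
#define MC_OP_APPEND    0x0e
#define MC_OP_PREPEND   0x0f
#define MC_OP_APPENDQ   0x19
#define MC_OP_PREPENDQ  0x1a

typedef struct {
    uint8_t  opcode;   /* byte 1 */
    uint16_t keylen;   /* bytes 2-3 */
    uint8_t  extlen;   /* byte 4 */
    uint32_t bodylen;  /* bytes 8-11: extras + key + value */
} mc_req_hdr;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Decode a request header; returns 0 on success, -1 if short or not a request. */
int mc_parse_hdr(const uint8_t *buf, size_t len, mc_req_hdr *h) {
    if (len < MC_HDR_LEN || buf[0] != MC_MAGIC_REQ) return -1;
    h->opcode  = buf[1];
    h->keylen  = rd16(buf + 2);
    h->extlen  = buf[4];
    h->bodylen = rd32(buf + 8);
    return 0;
}

int mc_is_append_prepend(uint8_t op) {
    return op == MC_OP_APPEND || op == MC_OP_PREPEND ||
           op == MC_OP_APPENDQ || op == MC_OP_PREPENDQ;
}

/* Naive value length: the unsigned subtraction wraps when keylen + extlen
 * exceeds bodylen, and the cast turns the wrapped value into a negative int.
 * Shown only to make the failure visible; never use this form. */
int mc_vlen_unchecked(const mc_req_hdr *h) {
    return (int)(h->bodylen - h->keylen - h->extlen);
}

/* Checked value length: -1 rejects any header whose lengths are inconsistent
 * or whose value would not fit a signed int with room for the "\r\n" tail. */
long mc_vlen_checked(const mc_req_hdr *h) {
    uint32_t fixed = (uint32_t)h->keylen + h->extlen;
    if (h->keylen == 0) return -1;                   /* append/prepend need a key */
    if (h->bodylen < fixed) return -1;               /* would wrap below zero */
    uint32_t vlen = h->bodylen - fixed;
    if (vlen > (uint32_t)(INT_MAX - 2)) return -1;   /* vlen + 2 must stay in int range */
    return (long)vlen;
}

/* Build a header for the demo (constructed input, not captured traffic). */
void mc_build_hdr(uint8_t out[MC_HDR_LEN], uint8_t op, uint16_t keylen,
                  uint8_t extlen, uint32_t bodylen) {
    memset(out, 0, MC_HDR_LEN);
    out[0] = MC_MAGIC_REQ; out[1] = op;
    out[2] = (uint8_t)(keylen >> 8); out[3] = (uint8_t)keylen;
    out[4] = extlen;
    out[8]  = (uint8_t)(bodylen >> 24); out[9]  = (uint8_t)(bodylen >> 16);
    out[10] = (uint8_t)(bodylen >> 8);  out[11] = (uint8_t)bodylen;
}

/* Parse and validate in one call; returns the value length or -1 to reject. */
long mc_append_value_len(const uint8_t *buf, size_t len) {
    mc_req_hdr h;
    if (mc_parse_hdr(buf, len, &h) != 0 || !mc_is_append_prepend(h.opcode)) return -1;
    return mc_vlen_checked(&h);
}

int main(void) {
    uint8_t hdr[MC_HDR_LEN];
    mc_req_hdr h;
    mc_build_hdr(hdr, MC_OP_APPEND, 5, 0, 10);   /* 5-byte key + 5 value bytes */
    printf("well-formed: value length %ld\n", mc_append_value_len(hdr, sizeof hdr));
    mc_build_hdr(hdr, MC_OP_PREPEND, 5, 0, 3);   /* key longer than the whole body */
    mc_parse_hdr(hdr, sizeof hdr, &h);
    printf("inconsistent: unchecked=%d checked=%ld\n",
           mc_vlen_unchecked(&h), mc_vlen_checked(&h));
    return 0;
}
```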

SonicWALL Threat Research Team has researched this vulnerability and released the following signature to protect their customers.

  • IPS 12508: Memcached process_bin_append_prepend Integer Overflow

Persian Lockscreen Android malware borrows heavily from online tutorials (December 8, 2016)

Online tutorials are extremely helpful when it comes to understanding something specific, be it changing the oil in a car or figuring out why the network for a Linux server is not working. But at times an online tutorial can be used for nefarious purposes as described in this blog entry.

SonicWall Threats Research Team came across an Android Lockscreen malware with an adware component. The simplistic code gave the impression that this might be a test malware or something created as part of a learning experience. The reason for this simplistic code became clear after a few Google searches of the code, but first let’s explore the malware’s behavior.

Infection Cycle

The malware requests the following permissions:

  • Receive boot completed
  • System alert window
  • Vibrate
  • Internet
  • Access coarse location

This malware has the app name @erfanandroid and the package name virus.mobile.com; clearly subtlety is not this author’s strong suit.

Upon running this app the entire screen is enveloped by a lockscreen with an image that is associated with Anonymous, the international network of activist and hacktivist entities. The victim is locked out from using the phone, as pressing the navigation buttons does not help; nothing apart from the lockscreen shown below is visible:

In the background this malware runs a service called VirusService which ensures that the malware is constantly running.

One of the basic instincts of a victim post infection is to restart the device and to uninstall the malware. To ensure that the malware runs automatically whenever the phone starts, there is a receiver that listens to boot_completed broadcast signal. This receiver in turn activates the VirusService mentioned above thereby activating the malware as soon as the phone starts and locks out the user.

Adware component

The malware contains an additional adware component, Adad, a mobile advertisement network which operates in Persian-speaking countries. Adad is advertised as the preferred advertising platform for Cafebazaar apps. Cafebazaar in turn is a popular Iranian Android app store.

We did not see any ads displayed on Bazaar or while using other apps; the adware component does not appear to be fully implemented.

Coming back to the part about online tutorials, we did some online search with regards to this malware and we reached an unexpected place. We landed on a blog post which described how to create an Android lockscreen malware.

The simplistic code of this lockscreen malware can be explained by the fact that most of it was copied from the source material, this git repository. As we can see, the code is more or less the same. The only differences are in places where Persian text is inserted and the additional adware component that is part of this malware.

Based on these two factors we can say this malware is targeted to affect a specific region.

Knowledge itself is not evil; it can be used for good. But in the wrong hands it can be used in a very immoral way. The blog author most likely created the tutorial with good intentions, but it was sadly used in a wrong way.

SonicWALL provides protection against this threat via the following signatures:

  • AndroidOS.PersianLockscreen.VA (Trojan)
  • AndroidOS.PersianLockscreen.JV (Trojan)

SonicWall’s Capture Advanced Threat Protection Wins 2016 CRN Products of the Year Award

There’s no question companies are being more proactive in their network security approach than ever before. We’ve made substantial gains as an industry, in terms of cybersecurity education and adoption rates across businesses of all sizes. But when major technology companies with multi-layered security programs are still falling victim to breaches year after year, it points to a different problem altogether – that even accepted security best practices can sometimes leave gaps.

It’s this simple and unavoidable truth that drives SonicWall to continue innovating to stay one step ahead of cyber attackers. And there isn’t a better example of this innovation than our cloud-based Capture Advanced Threat Protection Service.

In recent years, many companies have begun incorporating threat detection systems to protect against network attacks. These systems typically rely on a single-engine sandbox, which each vendor sets up to detect threats in a specified way, for example by scanning memory or cache. As you can imagine, this approach leaves security blind spots – cybercriminals only need to know which type of detection is being used to evade it. Even technology analysts have been at a loss for a simple solution, often suggesting customers leverage advanced threat protection from multiple vendors at once in the hopes of covering their bases.

Our team of product engineers recognized that for an advanced threat protection solution to truly stop unknown and zero-day attacks, it would need to address two weaknesses inherent in existing products: First, it would need to use a multi-engine, cloud-based sandboxing approach. Second, to take protection to the next level, the product would need to provide simple, automated remediation. This year, that innovative idea came to fruition as Capture, which was eagerly embraced by our enterprise users and has since become the hallmark of SonicWall’s offering.

Today, we are thrilled to announce that Capture has been recognized as the winner of the 2016 CRN Products of the Year Award for Customer Demand in the Security Network category.

CRN Products of the Year Award

CRN is a key IT industry publication for value-added resellers and technology solution providers. The publication hosts an annual call for entries to recognize companies that introduced the year’s most innovative and groundbreaking tech solutions. To win top honors in its category, Capture was evaluated on its ability to transform the tech industry by:

  • reducing production costs
  • increasing worker productivity
  • improving ease of use and money saved for both providers and consumers

Capture not only takes an innovative approach to solving these challenges, it’s proved supremely effective at protecting our customers’ networks against the ever-evolving and intensifying threat landscape. In 2015, our threat research team observed a 73% increase in unique malware samples collected over the previous year. Most of these threats were targeted, evasive and zero-day attacks found across computing systems and devices. Capture was able to detect and halt even advanced, layered attacks by combining the different protection approaches single-sandbox vendors use into one, multi-engine service. So far, the results have been remarkable:

  • stopped 7,300 newly developed malware infections in the past three months
  • stopped 1,400 zero-day attacks
  • provided a two-second mean processing time for files, with 82.8 percent of all files being processed in under five seconds
  • exceeded expected adoption rate on firewalls, including double the expected adoption rate on higher-end firewalls

Now we are honored to receive the CRN 2016 Products of the Year Award, as it is a gratifying reflection on the hard work and innovative thinking of countless SonicWall team members. And as we head into 2017 as a standalone brand, we remain just as dedicated as ever to continue this innovation to create a more secure world for our clients.

What started as a problem that no one in the industry knew how to solve has now become a market-leading, award-winning threat protection solution, keeping businesses safer around the globe. In a few short months, Capture has become a shining example of the opportunity that motivates us as innovators and industry leaders every day – when we put our knowledge and resources to work, we can play a meaningful role in enabling businesses to worry less and achieve more.

To learn more, visit the SonicWall Capture Advanced Threat Protection Service.

Network Time Protocol Daemon (NTPD) DoS Vulnerability (Dec 2, 2016)

The Network Time Protocol daemon (NTPD) is prone to a DoS vulnerability, CVE-2016-7434. A remote, authenticated attacker can exploit this vulnerability by sending a crafted packet to the target service. A successful attack could cause the NTPD service to crash.

The NTP protocol is designed to synchronize the clocks of computers over a network. It is maintained by ntp.org, and widely used in server operating systems, routers and infrastructure devices.

To perform routine NTP control and monitoring functions in comprehensive network-management environments, the NTP control message was introduced. The NTP control message header has the following format:

  • Version Number: 3-bit integer indicating the NTP version number, currently 3.
  • Mode: 3-bit integer indicating the mode. It must have the value 6, indicating an NTP control message.
  • Response Bit: set to zero for commands, one for responses.
  • Error Bit: set to zero for a normal response, one for an error response.
  • More Bit: set to zero for the last fragment, one for all others.
  • Operation Code: 5-bit integer specifying the command function.
  • Sequence: 16-bit sequence number of the command or response.
  • Status: 16-bit status of the system.
  • Association ID: 16-bit ID of a valid association.
  • Offset: 16-bit offset of the first byte in the Data field (must be 0x0 for requests).
  • Count: 16-bit length of the Data field (N).
  • Data: message data for the command or response.
  • Padding: zero padding.
  • Authenticator: optional authenticator information.

The OP code is represented by a 5-bit integer. Specifically, the values are:

0 = reserved
1 = read status command/response
2 = read variables command/response
3 = write variables command/response
4 = read clock variables command/response
5 = write clock variables command/response
6 = set trap address/port command/response
7 = trap response
8-31 = reserved

The vulnerability can be triggered by a certain type of message, the “MRU List” request. When the OPCode is set to 0x0A, the Data section should be in a key-value format containing the information for the request.

When handling this kind of request, the function read_mru_list() is called to parse the key-value formatted Data section. Within this function, a subfunction ctl_getitem() is called to get the value for the corresponding key. If the key has no value, this function returns NULL.

However, in the read_mru_list() function, the return value is assigned to a char* pointer and then passed to other functions as a parameter. A NULL pointer dereference then occurs, crashing the service.

A PoC exploit is already in the wild at http://dumpco.re/cve-2016-7434/. The official patch is included in the ntp-4.2.8p9 update.
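As an added example (not ntpd's code), the following C decodes the control-message header laid out above and then parses the key-value Data field of an MRU-list request, rejecting any key that has no value instead of passing a NULL value pointer onward, which is the failure the alert describes. The bit positions follow the field list above, and the key names and values used for the sample request are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* NTP control message (mode 6) header: 12 bytes, big-endian 16-bit fields. */
#define NTP_CTL_HDR_LEN  12
#define NTP_CTL_VERSION  3      /* version number the alert lists as current */
#define NTP_MODE_CONTROL 6
#define NTP_OP_READ_MRU  0x0a   /* "MRU List" request opcode from the alert */
#define NTP_MAX_KV       16

typedef struct {
    uint8_t  version, mode, response, error, more, opcode;
    uint16_t sequence, status, assoc_id, offset, count;
    const uint8_t *data;        /* points into the packet, count bytes long */
} ntp_ctl_msg;

typedef struct { char key[32]; char val[64]; } ntp_kv;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Decode and sanity-check the header. 0 = ok, negative = malformed. */
int ntp_ctl_parse(const uint8_t *buf, size_t len, ntp_ctl_msg *m) {
    if (len < NTP_CTL_HDR_LEN) return -1;
    m->version  = (buf[0] >> 3) & 0x07;
    m->mode     = buf[0] & 0x07;
    m->response = (buf[1] >> 7) & 0x01;
    m->error    = (buf[1] >> 6) & 0x01;
    m->more     = (buf[1] >> 5) & 0x01;
    m->opcode   = buf[1] & 0x1f;
    m->sequence = rd16(buf + 2);
    m->status   = rd16(buf + 4);
    m->assoc_id = rd16(buf + 6);
    m->offset   = rd16(buf + 8);
    m->count    = rd16(buf + 10);
    if (m->mode != NTP_MODE_CONTROL) return -2;
    if (!m->response && m->offset != 0) return -3;           /* requests carry offset 0 */
    if ((size_t)m->count > len - NTP_CTL_HDR_LEN) return -4; /* Count overruns packet */
    m->data = buf + NTP_CTL_HDR_LEN;
    return 0;
}

/* Split the Data field ("key=value, key=value") of an MRU-list request.
 * Returns the number of pairs, or -1 if any key has no value: the case the
 * alert describes, where ntpd's key lookup yields NULL and the caller must
 * not hand that pointer on. Rejecting the request here is the safe choice. */
int ntp_mru_parse_kv(const uint8_t *data, uint16_t count, ntp_kv *out, int max) {
    const char *p = (const char *)data, *end = p + count;
    int n = 0;
    while (p < end) {
        while (p < end && *p == ' ') p++;
        if (p == end) break;
        const char *tok_end = memchr(p, ',', (size_t)(end - p));
        if (!tok_end) tok_end = end;
        const char *eq = memchr(p, '=', (size_t)(tok_end - p));
        if (!eq || eq + 1 == tok_end) return -1;              /* key without a value */
        size_t klen = (size_t)(eq - p), vlen = (size_t)(tok_end - eq - 1);
        if (klen == 0 || n >= max) return -1;
        if (klen >= sizeof out[n].key || vlen >= sizeof out[n].val) return -1;
        memcpy(out[n].key, p, klen);      out[n].key[klen] = '\0';
        memcpy(out[n].val, eq + 1, vlen); out[n].val[vlen] = '\0';
        n++;
        p = (tok_end < end) ? tok_end + 1 : end;
    }
    return n;
}

/* Validate one packet as an MRU-list request: 0 = accept, 1 = some other
 * control opcode (not examined here), negative = reject. */
int ntp_check_mru_request(const uint8_t *pkt, size_t len) {
    ntp_ctl_msg m;
    ntp_kv kv[NTP_MAX_KV];
    int rc = ntp_ctl_parse(pkt, len, &m);
    if (rc != 0) return rc;
    if (m.opcode != NTP_OP_READ_MRU) return 1;
    return ntp_mru_parse_kv(m.data, m.count, kv, NTP_MAX_KV) < 0 ? -5 : 0;
}

/* Assemble a request for the demo (constructed packet, not captured traffic). */
size_t ntp_build_mru(uint8_t *out, size_t cap, const char *data) {
    size_t n = strlen(data);
    if (n > 0xffff || cap < NTP_CTL_HDR_LEN + n) return 0;
    memset(out, 0, NTP_CTL_HDR_LEN);
    out[0]  = (uint8_t)((NTP_CTL_VERSION << 3) | NTP_MODE_CONTROL);
    out[1]  = NTP_OP_READ_MRU;              /* R, E, M bits clear: a request */
    out[3]  = 1;                            /* Sequence = 1 */
    out[10] = (uint8_t)(n >> 8); out[11] = (uint8_t)n;
    memcpy(out + NTP_CTL_HDR_LEN, data, n);
    return NTP_CTL_HDR_LEN + n;
}
```

With the constructed data "nonce=abc123, frags=32, limit=256", ntp_check_mru_request() returns 0; with "nonce=abc123, frags=" (an empty value) it returns -5 instead of letting a NULL value reach the next function.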

SonicWALL provides protection against this threat via the following signatures:

  • 12506 EXPLOIT Network Time Protocol Daemon read_mru_list Denial of Service

Huge wave of Locky Ransomware spread via Javascript spam (Feb 19th, 2016)

The Dell Sonicwall Threats Research team has come across a new ransomware family called Locky. Ransomware is still on the rise and is showing no signs of stopping anytime soon. As predicted, the Dell Sonicwall Threats Research Team has seen an increase in new ransomware malware families and ransomware targeted at large corporations. It has even made recent headline news with the story of a US hospital having to pay $17,000 in bitcoins in order to recover critical files. Our analysts identified the malicious executable as being associated with ransomware as a service (RaaS). Threat actors can configure these types of executables to encrypt various files found on an infected system. The RaaS provider then takes a portion of the ransom paid by victims as payment. Ransomware is an increasingly lucrative business and the Locky variant is yet another malware family trying to cash in on a growing criminal market.

Infection Cycle:

The Trojan is spread via email spam using a JavaScript attachment. The scripts are polymorphic. Each copy [Detected as GAV: JS.Camelot.A (Trojan)] is uniquely obfuscated using words from the English dictionary:

The script downloads the Locky ransomware executable file and runs it:

The Locky Trojan executable file uses the following icon:

The Trojan makes the following DNS queries:

  • wblejsfob.pw
  • cgavqeodnop.it
  • kqlxtqptsmys.in
  • pvwinlrmwvccuo.eu
  • sso.anbtr.com

The Trojan adds the following files to the filesystem:

  • %USERPROFILE%\Cookies\_Locky_recover_instructions.txt
  • %USERPROFILE%\Desktop\_Locky_recover_instructions.bmp
  • %USERPROFILE%\Desktop\_Locky_recover_instructions.txt

The Trojan encrypts various user created files on the system and sends the encryption keys to a remote key storage server:

It then causes the following two messages to be displayed on the desktop:

The links above lead to a page hosted on the TOR anonymity network. The page instructs the user on how to make a payment in bitcoins to restore their files:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Locky.A (Trojan)
  • GAV: JS.Camelot.A (Trojan)

Why is Ransomware Still Around?

Ransomware is an advanced form of malware that attempts to get users to pay a fee or spoofed fine in order to regain access to their device or files.  The simplest version will place an image on one’s screen claiming the user downloaded illegal content or is using pirated software and will demand the payment of a fine or be arrested.  Other versions like Cryptowall or Cryptolocker will actually encrypt all the files on a computer and demand payment in trade for the key to decrypt the files… with some not delivering what they promised. First arriving on the scene in 2005 as an Eastern European threat, it grew into a global attack by the end of 2013.

To help put ransomware into perspective, look at the organizations that have already been hit by an attack.  Most people don’t report these types of things but others have.  The City of Detroit was hit with a ransom of $800K… and didn’t pay.  An entire hospital district was hit in nine different locations and had to pay out. Ransomware authors are seeing a payday and you can expect them to continue until it is no longer profitable.  They are sending their code in email, packaging it in files and also placing it on the internet hoping to lure people in with free content or to pull a bait and switch move that could cost a business dearly.

Security organizations have been working tirelessly to stop this attack by building in mechanisms to stop unauthorized encryption as well as creating signatures to stop known attacks for this group of malware. In the chart below you’ll see SonicWall next-generation firewalls blocked nearly 90 million ransomware attempts in May 2016 alone. These happy stats are the result of the hundreds of ransomware signatures actively stopping this attack. So after years of battling ransomware, why is it still an issue? With such a great rate of success from security vendors, why haven’t attackers given up the fight?

Despite our success, you have to keep in mind that signatures only work for the things we know about. We know all the various variants of Locky, Tescrypt, Crowti, and others, but they evolve and change to better evade the defenses of security technologies. The mission for a firewall vendor is to rapidly create new signatures for all of the ransomware variants before any new iterations can victimize businesses. SonicWALL has been doing this using a mix of people and technology, but now we have a new tool customers can use that can stop brand new ransomware versions (and all other malware variants), called SonicWall Capture ATP.

In my next blog, I’ll explain in greater detail how SonicWall Capture works. In the meantime, you might want to read our e-book, How ransomware can hold your business hostage.

Ransomware attack resulted to free train rides over the holiday weekend (Nov 30, 2016)

Over the holiday weekend, the San Francisco Municipal Transportation Agency became the victim of a ransomware attack. It locked up the Muni’s public transportation ticket machines, resulting in free rides on trains and city buses. It was reported that the ransomware demanded $73,000 in exchange for giving back Muni’s data, but the transportation agency avoided paying the ransom and was able to restore its systems.

According to reports, the ransomware extortion message was visible at multiple Muni train station booths that said “You Hacked, ALL Data Ecnrypted.” It also gave an email address (cryptom27@yandex.com) which was seen tied to a ransomware family known as HDDCryptor.

Like another ransomware called Petya, which we wrote about here, HDDCryptor is another variant that rewrites the computer’s master boot record (MBR) boot sectors and locks the victim out of their computer.

Infection Cycle:

Upon execution, this Trojan drops the following files in this location:

  • %SYSTEMROOT%\DC22\dcinst.exe – DiskCryptor component (non-malicious)
  • %SYSTEMROOT%\DC22\dcrypt.exe – DiskCryptor component (non-malicious)
  • %SYSTEMROOT%\DC22\dcrypt.sys – DiskCryptor component (non-malicious)
  • %SYSTEMROOT%\DC22\dcapi.dll – DiskCryptor component (non-malicious)
  • %SYSTEMROOT%\DC22\dccon.exe – DiskCryptor component (non-malicious)
  • %SYSTEMROOT%\DC22\netpass.exe – Network Password Recovery tool (non-malicious)
  • %SYSTEMROOT%\DC22\mount.exe [Detected as GAV: HDDCryptor.MB (Trojan)]

It registers a service named “DefragmentService.” It uses the Network Password Recovery utility from NirSoft to gather all shared drive information and saves that data into the file %SYSTEMROOT%\DC22\netpass.txt. It also uses the command “net use” to display all information about the computer’s shared resources and network connections. This data is then saved to %SYSTEMROOT%\DC22\netuse.txt. It also adds a new user account with the username “mythbusters” and password “123456” using the “net user” command.

Executing the netpass.exe file individually brings up the UI of this freeware.

It then spawns mount.exe to start hard drive encryption. Mount.exe uses the information in netuse.txt and netpass.txt to enumerate shared drives, mount on the drives and start the encryption.

The ransomware uses the open source encryption tool named DiskCryptor which supports AES, Twofish and Serpent encryption algorithms.

All the activities that this Trojan has executed are logged into a file as they happen: %SYSTEMROOT%\DC22\log_file.txt.

Because of the prevalence of these types of malware attacks, we urge our users to back up their files regularly.

SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: HDDCryptor.MB (Trojan)

Critical Business Threats: Ransomware and Employee Online Shopping

According to a recent PWC survey, 54 percent of respondents buy products online every month. And millions of employees shopped online yesterday with their work devices on business networks. The critical business threat: Will any of your business computers or networks get infected with malware when employees make personal online purchases?

We believe so, and our SonicWall Global Response Intelligent Defense (GRID) network research backs this up.

Good News: Chip Cards Are Working

Research gathered through the SonicWall GRID Network indicates that the new chip-and-sign credit cards and point of sale (POS) systems are more effective than legacy technologies in detecting and blocking breaches. After big data breaches at retailers like Target and Home Depot, many retailers upgraded to chip-based POS systems.

Whenever new malware is discovered, we create a software signature set that is automatically propagated to all of our customers’ firewalls, to help keep their systems safe from attack. In 2014, before the new chip cards and POS systems, our team released 14 new POS-related malware signature sets.

In 2015, this number decreased to nine new POS malware signature sets. And in 2016 to-date, after the broad adoption of chip-based cards and readers, we have only had to release a single new signature.

Bad News: SPAM Is Now a Huge Business Threat

As POS systems have become harder to hack, the bad guys are looking for more efficient ways to steal online. Falling back on the tried and true email-based phishing attacks, personal shopping phishing emails are now a real threat to your business systems and networks.

Our email security research team observes that SPAM email usually increases in volume significantly during Cyber Week, starting the week before Black Friday, then drops off after Cyber Monday. Our numbers show a dramatic 2x increase in SPAM this year from 2015. In the run-up to Thanksgiving and Black Friday we saw 110 percent growth, increasing to 143 percent growth through Cyber Monday.

One of our SPAM honeypots collected the following data for Cyber Week:

  • Average number of SPAM messages 2015: 33,725 a day
  • Average number of SPAM messages 2016: 82,888 a day

More Bad News: Ransomware Targets Businesses

Increasingly we are finding that if malware makes it into your business network, it will be ransomware. First released in 1989, ransomware can infect your system and lock out users from accessing devices or files. When the victim pays a ransom (usually electronic money or bitcoins) the device can be unlocked by the hackers. Needless to say, ransomware can put your business-critical data and systems at risk.

Network Security Must-Haves

Online shopping will only continue to grow, especially over holidays, so it’s important to be proactive to keep your business systems protected. Along with monitoring employee access and updating policies, here are some must-haves.

  • Ensure your firewall is next-generation with content filtering on, including encryption scanning and packet filters; your goal is to monitor and inspect all incoming data and stop ransomware
  • Consider a cloud-based protection service like our Capture Advanced Threat Protection Service; a good one will speed up your response time, leverage the power of multiple engines to stop zero-day attacks, and automate remediation
  • Manage network bandwidth to limit or stop streaming; streaming is one of the easiest ways to let malware in
  • We strongly recommend EV SSL certificates for every external business website
  • Vet your SSL certificates and sources, to ensure they are publicly rooted and aren’t bringing in malware from the dark web
  • Audit your SSL certificates regularly to ensure they are up to date
  • It goes without saying but back up your data regularly; if ransomware does infect your network you will need to quickly access business-critical data

Online Shopping Safety for Consumers

  • If you don’t have one yet, upgrade to a chip-based credit card
  • Always look for an EV SSL certified logo on sites you shop
  • Use mobile devices (tablets or phones) and shop with store apps from businesses you know and trust; these apps are vetted and tested
  • Avoid shopping on sites with a Windows-based laptop; Windows is the most targeted operating system (OS) for hackers
  • Remain on the site until you complete a transaction; don’t follow redirects
  • Stay current with the latest OS software updates on your devices so you have the latest security patches; always update from the trusted site of the software provider, not a third-party site or a pop up
  • Update your apps regularly, especially ones that you provide sensitive data to: credit card numbers, banking and health information
  • Create complex, hard-to-crack passwords and keep them in a secure place
  • Change your passwords often and keep them hidden, not on sticky notes on your computer

Cerber ransom payment doubles (Nov 23, 2016)

The Cerber Ransomware continues to spread and generate income for its operators. We have covered this Ransomware family in a previous SonicALERT back in August but it has since evolved and some details about its internal operations and presentation have changed. For example, a new information page is used and the ransom has now doubled in value from $500 to $1000 since August. This increase in price is a strong indicator of past success.

Infection Cycle:

The latest variant of this trojan uses the following icon:

The Trojan makes the following DNS requests:

  • vyohacxzoue32vvk.3sc3f8.bid
  • btc.blockr.io

The Trojan adds the following files to the filesystem:

  • %SYSTEMROOT%\README.hta (ransom information page)
  • %USERPROFILE%\Local Settings\Temp\README.hta (ransom information page)

It then encrypts various files on the filesystem and renames them to {10 random alphanumeric characters}.9d4b. It copies README.hta to every directory that contains the newly encrypted files.

It displays the following information on the desktop background:

The links lead to a website located on the Tor network:

The Trojan reports its infection to a remote C&C/key server:

It checks the status of the supplied bitcoin address that requires funding to verify payment:

Upon inspecting the transaction activity of the bitcoin address we can see that it is still generating income at the time of writing this alert. It has generated the equivalent of almost $21,000 for its operators so far. This is not the only bitcoin address used. We have observed other bitcoin addresses being used to pay the required ransom:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Cerber.HM (Trojan)