Take Control of Your Network During the Holiday Shopping Season

It’s the holiday season and that means we’re all busy with fun activities. Take online shopping for example. Many of us will do it between Black Friday and New Year’s, even for just a little while. Some of us do it at work. When employees spend time shopping online during work hours it presents challenges for any organization. Perhaps the three biggest challenges are network security, employee productivity and bandwidth consumption.

How popular is online shopping? Last year, data from the National Retail Federation (NRF) revealed that retail holiday buying increased 4.1% to just over $600 billion. Much of that shopping was done online. This year the NRF is forecasting retail sales of $630 billion, up 3.7% over 2014. According to an NRF survey almost half of all holiday shopping, whether it’s making a purchase or merely browsing, will again be done online this year. Let’s take a look at the impact this has on organizations and the steps you can take to overcome the challenges online shopping poses.

Network security

  • Malware – Employees who shop online at work inadvertently create opportunities for malicious attacks directed at your network and your organization. The most common threats are viruses, worms, Trojans and spyware.
  • Phishing – Phishing is an email fraud method in which the perpetrator sends out a legitimate-looking email in an attempt to gather personal and financial information from unsuspecting recipients.
  • Malicious advertising – Commonly referred to as “malvertising,” this threat uses online advertising to spread malware which can then capture information such as credit card and social security numbers from infected machines.

Employee productivity

  • The big drain – With workers bringing their own smartphones and tablets into the office, the line between work life and personal life is increasingly blurred as employees use these devices for personal activities such as online shopping during work hours. When they're shopping on company time they're not working, so productivity drops.

Bandwidth consumption

  • Disappearing bandwidth – With about half of your employees shopping online during the holidays, the bandwidth available to critical applications on your network is going to disappear. Therefore, it’s critical to prevent vital bandwidth from being consumed by non-productive web use.

While you can’t completely eliminate threats to your network, drops in productivity and misuse of valuable bandwidth, there are measures you can take that are well within the reach of your organization simply by practicing good digital hygiene. Here are five things your organization can do to reduce the risks of a successful attack while maintaining productivity levels and conserving bandwidth.

  1. Help employees learn how to avoid malvertising and recognize phishing emails. Be on the lookout for suspicious emails and links, especially those requesting sensitive information.
  2. Educate employees to use different passwords for every account. Establish policies for strong passwords such as guidelines regarding password length, the use of special characters and periodic expiration, and reduce the number of passwords through single sign-on.
  3. Because many attacks are based on known vulnerabilities in browsers including Internet Explorer, as well as in plug-ins and common apps, it’s critical to apply updates and patches promptly and reliably. They will contain fixes that can block exploits.
  4. Make sure you install an intrusion prevention system and gateway anti-malware technology on your network. They add important layers of protection by blocking Trojans, viruses, and other malware before they reach the company network. They can also detect and block communications between malware inside the network and the cybercriminal’s server on the outside.
  5. Take back control of your network by limiting the use of your bandwidth to business-related activities. There are several technologies available such as content and URL filtering that can be used to prevent employees from visiting websites dedicated to shopping and other non-productive topics. Also, application control provides the tools to restrict the use of applications such as social media to employees who have a business reason to use them.

SonicWall offers a complete range of industry-leading next-generation firewalls that secure your network from threats and give you the controls to keep employee productivity high and bandwidth focused on business-critical applications. To learn more about how these solutions can help you during the holiday shopping season and beyond, please visit our website.

Microsoft Security Bulletin Coverage (December 8, 2015)

Dell SonicWALL has analyzed and addressed Microsoft's security advisories released on December 8, 2015. The list of issues reported, along with Dell SonicWALL coverage information, is as follows:

MS15-124 Cumulative Security Update for Internet Explorer

  • CVE-2015-6083 Internet Explorer Memory Corruption Vulnerability
    IPS: 11316 “Internet Explorer Memory Corruption Vulnerability (MS15-124) 1”
  • CVE-2015-6134 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6135 Scripting Engine Information Disclosure Vulnerability
    IPS: 11317 “Microsoft Scripting Engine Information Disclosure Vulnerability (MS15-124)”
  • CVE-2015-6136 Scripting Engine Memory Corruption Vulnerability
    IPS: 11324 “Microsoft Scripting Engine Memory Corruption Vulnerability (MS15-124)”
  • CVE-2015-6138 Internet Explorer XSS Filter Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6139 Microsoft Browser Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6140 Microsoft Browser Memory Corruption Vulnerability
    IPS: 11325 “Microsoft Browser Memory Corruption Vulnerability (MS15-124) 1”
  • CVE-2015-6141 Internet Explorer Memory Corruption Vulnerability
    IPS: 7645 “HTTP Client Shellcode Exploit 88”
  • CVE-2015-6142 Microsoft Browser Memory Corruption Vulnerability
    IPS: 11326 “Microsoft Browser Memory Corruption Vulnerability (MS15-124) 2”
  • CVE-2015-6143 Internet Explorer Memory Corruption Vulnerability
    IPS: 11318 “Internet Explorer Memory Corruption Vulnerability (MS15-124) 3”
  • CVE-2015-6144 Microsoft Browser XSS Filter Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6145 Internet Explorer Memory Corruption Vulnerability
    IPS: 3930 “Internet Explorer Memory Corruption Vulnerability (MS15-124) 2”
  • CVE-2015-6146 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6147 Internet Explorer Memory Corruption Vulnerability
    IPS: 11319 “Internet Explorer Memory Corruption Vulnerability (MS15-124) 4”
  • CVE-2015-6148 Microsoft Browser Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6149 Internet Explorer Memory Corruption Vulnerability
    IPS: 7645 “HTTP Client Shellcode Exploit 88”
  • CVE-2015-6150 Internet Explorer Memory Corruption Vulnerability
    IPS: 11320 “Internet Explorer Memory Corruption Vulnerability (MS15-112) 1”
  • CVE-2015-6151 Microsoft Browser Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6152 Internet Explorer Memory Corruption Vulnerability
    IPS: 11321 “Internet Explorer Memory Corruption Vulnerability (MS15-124) 6”
  • CVE-2015-6153 Microsoft Browser Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6154 Microsoft Browser Memory Corruption Vulnerability
    GAV: “Malformed.html.TL.265”
  • CVE-2015-6155 Microsoft Browser Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6156 Internet Explorer Memory Corruption Vulnerability
    IPS: 11322 “Internet Explorer Memory Corruption Vulnerability (MS15-124) 7”
  • CVE-2015-6157 Internet Explorer Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6158 Microsoft Browser Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6159 Microsoft Browser Memory Corruption Vulnerability
    IPS: 11330 “Microsoft Browser Memory Corruption Vulnerability (MS15-124) 3”
  • CVE-2015-6160 Internet Explorer Memory Corruption Vulnerability
    IPS: 11323 “Internet Explorer Memory Corruption Vulnerability (MS15-124) 8”
  • CVE-2015-6161 Microsoft Browser ASLR Bypass
    There are no known exploits in the wild.
  • CVE-2015-6162 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.

MS15-125 Cumulative Security Update for Microsoft Edge

  • CVE-2015-6139 Microsoft Browser Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6140 Microsoft Browser Memory Corruption Vulnerability
    IPS: 11325 “Microsoft Browser Memory Corruption Vulnerability (MS15-124) 1”
  • CVE-2015-6142 Microsoft Browser Memory Corruption Vulnerability
    IPS: 11326 “Microsoft Browser Memory Corruption Vulnerability (MS15-124) 2”
  • CVE-2015-6148 Microsoft Browser Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6151 Microsoft Browser Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6153 Microsoft Browser Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6154 Microsoft Browser Memory Corruption Vulnerability
    GAV: “Malformed.html.TL.265”
  • CVE-2015-6155 Microsoft Browser Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6158 Microsoft Browser Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6159 Microsoft Browser Memory Corruption Vulnerability
    IPS: 11330 “Microsoft Browser Memory Corruption Vulnerability (MS15-124) 3”
  • CVE-2015-6168 Microsoft Edge Memory Corruption Vulnerability
    IPS: 11328 “Microsoft Edge Memory Corruption Vulnerability (MS15-125)”
  • CVE-2015-6169 Microsoft Edge Spoofing Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6170 Microsoft Edge Elevation of Privilege Vulnerability
    IPS: 11329 “Microsoft Edge Elevation of Privilege Vulnerability (MS15-125)”
  • CVE-2015-6176 Microsoft Edge XSS Filter Bypass Vulnerability
    There are no known exploits in the wild.

MS15-126 Cumulative Security Update for Jscript and VBScript to Address Remote Code Execution

  • CVE-2015-6135 Scripting Engine Information Disclosure Vulnerability
    IPS: 11317 “Microsoft Scripting Engine Information Disclosure Vulnerability (MS15-124)”
  • CVE-2015-6136 Scripting Engine Memory Corruption Vulnerability
    IPS: 11324 “Microsoft Scripting Engine Memory Corruption Vulnerability (MS15-124)”

MS15-127 Security Update for Microsoft Windows DNS to Address Remote Code Execution

  • CVE-2015-6125 Windows DNS Use After Free Vulnerability
    There are no known exploits in the wild.

MS15-128 Security Updates for Microsoft Graphics Component to Address Remote Code Execution

  • CVE-2015-6106 Graphics Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6107 Graphics Memory Corruption Vulnerability
    SPY: 4276 “Malformed-File doc.MP.30”
  • CVE-2015-6108 Graphics Memory Corruption Vulnerability
    There are no known exploits in the wild.

MS15-129 Security Update for Silverlight to Address Remote Code Execution

  • CVE-2015-6114 Microsoft Silverlight Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6165 Microsoft Silverlight Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6166 Microsoft Silverlight RCE Vulnerability
    There are no known exploits in the wild.

MS15-130 Security Update for Microsoft Uniscribe to Address Remote Code Execution

  • CVE-2015-6130 Windows Integer Underflow Vulnerability
    SPY: 3223 “Malformed-File ttf.MP.7”

MS15-131 Security Update for Microsoft Office to Address Remote Code Execution

  • CVE-2015-6040 Microsoft Office Memory Corruption Vulnerability
    SPY: 3226 “Malformed-File xls.MP.51”
  • CVE-2015-6118 Microsoft Office Memory Corruption Vulnerability
    SPY: 1007 “Malformed-File doc.MP.33”
  • CVE-2015-6122 Microsoft Office Memory Corruption Vulnerability
    SPY: 3224 “Malformed-File xls.MP.50”
  • CVE-2015-6124 Microsoft Office Memory Corruption Vulnerability
    SPY: 3225 “Malformed-File doc.MP.35”
  • CVE-2015-6172 Microsoft Office RCE Vulnerability
    SPY: 3863 “KeywordFind.B Installer”
  • CVE-2015-6177 Microsoft Office Memory Corruption Vulnerability
    SPY: 1008 “Malformed-File xls.MP.49”

MS15-132 Security Update for Microsoft Windows to Address Remote Code Execution

  • CVE-2015-6128 Windows library loading elevation of privilege vulnerability
    SPY: 1010 “Malformed-File doc.MP.34”
  • CVE-2015-6177 Windows library loading elevation of privilege vulnerability
    SPY: 1011 “Malformed-File ppsx.MP.1”
  • CVE-2015-6177 Windows library loading elevation of privilege vulnerability
    SPY: 2345 “Malformed-File ppt.MP.4”

MS15-133 Security Update for Windows PGM to Address Elevation of Privilege

  • CVE-2015-6126 Windows PGM UAF Elevation of Privilege Vulnerability
    There are no known exploits in the wild.

MS15-134 Security Update for Windows Media Center to Address Remote Code Execution

  • CVE-2015-6127 Windows Media Center Information Disclosure Vulnerability
    IPS: 11327 “Windows Media Center Information Disclosure Vulnerability”
  • CVE-2015-6131 Media Center Library parsing RCE vulnerability
    There are no known exploits in the wild.

MS15-135 Security Update for Windows Kernel-Mode Drivers to Address Elevation of Privilege

  • CVE-2015-6171 Windows Kernel Memory Elevation of Privilege Vulnerability
    This is a local vulnerability.
  • CVE-2015-6173 Windows Kernel Memory Elevation of Privilege Vulnerability
    This is a local vulnerability.
  • CVE-2015-6174 Windows Kernel Memory Elevation of Privilege Vulnerability
    This is a local vulnerability.
  • CVE-2015-6175 Windows Kernel Memory Elevation of Privilege Vulnerability
    This is a local vulnerability.

Holiday Shopping Season: Increased Online Shopping and Increased Malicious Email Threats (Dec 4, 2015)

In this SonicAlert we will briefly discuss the seasonal increase in online shopping, and some of the types of malicious email campaigns that are taking advantage of the flurry of online shopping at this time of the year.

The two charts below show the network traffic patterns for Amazon Web traffic (www.amazon.com) during the month of November for 2014 and 2015. In the charts you can see a slight increase on the day or two before Thanksgiving Day (Thursday, November 27, 2014, and Thursday, November 26, 2015). You can also see a huge spike on the corresponding Cyber Mondays, December 1st, 2014, and November 30th, 2015, respectively.

Amazon.com HTTP Traffic Hits for the days of November 2014

Amazon.com HTTP Traffic Hits for the days of November 2015

The increase in shopping at this time of year creates an opportunity for cyber criminals to take advantage of consumers looking for deals, as well as people who have ordered goods online and are expecting packages in the mail.

Phishing Emails

Phishing emails are emails that use social engineering to deceive users into believing that the email is coming from a legitimate source with whom the recipient has already established a relationship of trust. The email will try to entice the recipient to click on a link in the email which will take the user to a website that appears to be owned and operated by the trusted entity. The goal of the phishing scam is to acquire real login credentials and other personally identifying information (PII) like credit card numbers, Social Security numbers (SSNs), birth dates, etc., anything that will allow the thief to gain access to the user's online accounts, bank accounts, etc. Campaigns we have seen during past holiday seasons include fraudulent emails appearing to be from sites like Amazon.com, U.S.P.S., FedEx, and other companies involved in holiday commerce. A typical malicious email will be from an address like customer_service@amazon.com–0123-xyz.malicious-site.com and contain a message about a free gift card, an order confirmation request, or shipment tracking links. These links go to the attacker's domain, malicious-site.com, and not amazon.com.

Dell SonicWALL is providing protection from malicious emails with Email Security and Gateway Anti-Virus (GAV) solutions. Multiple GAV signatures have been created to protect customers. The following are some of the types of email attachments we are seeing, and the GAV signatures that are detecting them:

  • Subject: Added security to your debit card
    Filename: Verify.html
    Detection/Prevention: GAV: Phish.A_31 (Trojan)
  • Subject: DHL Delivery Parcel dispatch notification
    Filename: DHL Line Express tracking.html
    Detection/Prevention: GAV: Phish.A_28 (Trojan)
  • Subject: Payment Confirmation Swift
    Filename: Download_Payment-Copy.html.html
    Detection/Prevention: GAV: Phish.AL (Trojan)
  • Subject: Code:[******* **.****] Refund On Pending !
    Filename: Refund-Form.html
    Detection/Prevention: GAV: Phish.A_18 (Trojan)

Trojan Emails

Trojan emails are emails that carry malicious files as attachments. Trojan emails can come from trusted sources, like your friends or acquaintances (people from whom you have received incident-free emails in the past), or from unknown sources. These Trojan attachments appear to be legitimate documents and files, e.g. xls, doc, exe, js, html, but they contain malicious code (macros, exploit code, shellcode, process injection code, or other malware) that can take control of the unpatched program that opens them, or even take over your unpatched operating system (rootkits). The malicious code then goes on to replicate the attack campaign by getting control of your email accounts and spamming out malicious emails to your contacts in your name.

  • Subject: Track Your Shipment DHL Shipping Document DHL Shipment Notification
    Filename: DHL001895.exe
    Detection/Prevention: GAV: Injector.C_42 (Trojan)
  • Subject: Shipment Tender Notice SID **********
    Filename: 1454136866784532.exe
    Detection/Prevention: GAV: FileLocker.A_52 (Virus)
  • Subject: Invoices
    Filename: facture_37854634_181115.exe
    Detection/Prevention: GAV: Kryptik.D_33 (Trojan)
  • Subject: November Invoice INV-**** from Eye on Books
    Filename: Invoice INV-9771.xls
    Detection/Prevention: GAV: Downloader.AN_6 (Trojan)

How to Stay Safe

An important skill for staying safe online is knowing how to identify the fraudulent domain names used in malicious links in emails. Scammers will usually try to deceive end users by disguising the true second-level domain, prepending legitimate, familiar names to the beginning of hostnames. Appearing to come from a legitimate source, the malicious email will contain links to sites that host exploit code, in the hope that users have unpatched systems and vulnerable web browsers, with the goal of compromising the user's system. Other attack vectors come directly in email attachments: Word documents, executables, and other infected files.

Best practices for avoiding email scams

  • Never click on links in emails without thinking about it carefully.
  • Authenticate the sender: Is the sender truly who they say they are? Do I recognize and trust the sender?
  • Educate end users on how to hover over links in emails to identify the real domain name in the email from address, as well as in any links in the email body.
  • Ask whether there is any doubt about the authenticity of the domain name. Taking the example above, customer_service@amazon.com–0123-xyz.malicious-site.com, is the domain in the sender's email address, malicious-site.com, owned by Amazon or by someone else? (The easiest way to be sure is to go to amazon.com directly, log in, and take care of any notifications or required actions there, rather than clicking on links in emails.)
  • For users who are unable to identify domain names in links and email addresses, advise them never to click on a link sent in an email, but rather to open the site in a browser by typing the address manually in the address bar to ensure that they are going to the legitimate site.
  • Always report suspicious emails to your Security Administrator, or directly to the site being spoofed. If in doubt, ask before clicking.
  • Never open file attachments from unknown/untrusted sources.
  • Stay up-to-date with software patches for Operating Systems, web browsers and all other software on the computer.
  • Install and keep up-to-date host-based and network-based anti-virus (Gateway Anti-Virus) and intrusion detection systems.
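As an added example (not part of the original post, and not SonicWall code), the following Python applies the checks above to a constructed message: it extracts the registrable domain behind the sender address and behind each link, using the post's example address customer_service@amazon.com--0123-xyz.malicious-site.com (hyphens stand in for the dash as printed). The small public-suffix table is an assumption; a production check would consult the full Public Suffix List.

```python
"""Find the real domain behind an email sender and the links in its body.

Added example, not SonicWall code. It implements the check described above:
strip the familiar names prepended to a hostname and compare only the
registrable (second-level) domain with the brand's own domain.
"""
from typing import List, Tuple
from urllib.parse import urlsplit

# Simplified public-suffix table (an assumption for this example). A real
# check should consult the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.br", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """'amazon.com--0123-xyz.malicious-site.com' -> 'malicious-site.com'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def sender_domain(address: str) -> str:
    """Domain part of a sender address: everything after the last '@'."""
    return address.rsplit("@", 1)[-1].strip(" >").lower()


def link_host(url: str) -> str:
    """Hostname a link really connects to. urlsplit() treats anything before
    '@' as userinfo, so 'http://amazon.com@malicious-site.com' correctly
    yields the attacker host, not amazon.com."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def is_brand_domain(sender_or_url: str, brand_domain: str) -> bool:
    """True only when the registrable domain equals the brand's domain.
    A substring test for 'amazon.com' would pass the lookalike host."""
    is_address = "@" in sender_or_url and "://" not in sender_or_url
    host = sender_domain(sender_or_url) if is_address else link_host(sender_or_url)
    return registrable_domain(host) == registrable_domain(brand_domain)


def triage_message(sender: str, links: List[Tuple[str, str]],
                   brand_domain: str) -> List[str]:
    """Apply the two checks from the best practices: the sender's real
    domain, and the real host behind each link (what hovering reveals).
    links are (visible text, href) pairs."""
    findings = []
    if not is_brand_domain(sender, brand_domain):
        findings.append(f"sender is from {registrable_domain(sender_domain(sender))}, "
                        f"not {brand_domain}")
    for text, href in links:
        if not is_brand_domain(href, brand_domain):
            findings.append(f"link '{text}' goes to {registrable_domain(link_host(href))}, "
                            f"not {brand_domain}")
    return findings


# Constructed sample message using the post's example address; the links are
# made up for this example.
SAMPLE_SENDER = "customer_service@amazon.com--0123-xyz.malicious-site.com"
SAMPLE_LINKS = [
    ("Track your shipment", "http://www.amazon.com.malicious-site.com/track"),
    ("Claim your gift card", "http://amazon.com@malicious-site.com/gift"),
    ("Amazon.com home", "https://www.amazon.com/"),
]

if __name__ == "__main__":
    for finding in triage_message(SAMPLE_SENDER, SAMPLE_LINKS, "amazon.com"):
        print(finding)
```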

Data stealing trojan posing as a Text document (December 4, 2015)

The Dell SonicWall Threats Research team has received reports of a data stealing Trojan posing as a text document. Upon execution, the trojan downloads more malware onto the infected machine and also steals information from the system.

Infection Cycle:

The Trojan uses the following icon:

Figure 1: Trojan purports to be a Text document

It copies itself to the following location:

  • C:\WINDOWS\Temp\sample.exe – detected as GAV:MalAgent.H_4203 (Trojan)

The Trojan downloads 7qr.exe (legitimate software, but one that can be used in malicious campaigns).
The Trojan injects into Mozilla Firefox:

It opens a Firefox browser connecting to noticias.uol.com.br.

The malware contacts the following domains:

Once the 7z files are downloaded, the Trojan writes them to the C:\DOCUME~1\Admin\LOCALS~1\Temp folder and extracts them to C:\compu92 using 7qr.exe.
The downloaded 7z archive is encrypted; once extracted, it contains the following files:

The malware extracts Lb891b.cpl into the folder C:\compu92. This modifies the user account settings to give full access to modify the system.

Overall, this Trojan is capable of downloading additional malware onto the victim's machine. It can also send sensitive information out to a remote server. We urge our users to always be vigilant and cautious with any unsolicited attachments, especially if you are not certain of the source.

Dell SonicWALL Gateway AntiVirus and Intrusion Prevention provides protection against this threat with the following signatures:

  • GAV:MalAgent.H_4203 (Trojan)

Spam campaign roundup: The Thanksgiving Day Edition (Nov 25, 2015)

Savvy shoppers are in search of the best deals at this time of the year. Black Friday is the day after Thanksgiving Day in the United States and is regarded as the kickoff of the holiday shopping season that extends until Cyber Monday. Recently, this shopping extravaganza has been extended over a longer period, and retailers offer deep discounts even weeks ahead of Black Friday. This is a perfect opportunity for cyber criminals to lure consumers with unsolicited advertisements for products, which often lead to fraud, phishing and even malware.

Over the past week, the Dell SonicWALL threats research team has been following a steady growth in Black Friday and Thanksgiving related spam emails as seen below:

As the Thanksgiving weekend approaches, we have been receiving an increasing amount of holiday related spam emails. These emails have a common theme of trying to lure consumers to click on the links and provide their personal information in exchange for access to special offers and deep discounts. The following are some of the most common email subjects:

  • Let your Smartphone find your parked car, Thanksgiving special on Wednesday, November 25, 2015.
  • Get your 1K Black Friday Visa Gift Card!
  • [Thanksgiving Insane Discount Today] 1 Ink Saves You 85% on Printer Ink Today w/ $0 Shipping Right Now
  • Thanksgiving Sale Start! All Site Up 70% OFF Discount Now
  • Re: Amazon Prime wants to give you a Thanksgiving Reward
  • Claim your Walmart $50 Thanksgiving reward, No.13055738
  • Redeem your CVS Thanksgiving Points by 11/26/2015
  • Complete Listings of Black Friday Furniture Sales
  • re: Skip All Lines This Black Friday…
  • Cyber Monday Home Warranty Sale!
  • Amazon wants to give you a Cyber Monday Reward
  • reply: Your Personalized Black Friday Deals From Amzn Products Up To 95% Off?…

Some of the spam emails purport to be from retailers and they claim that the users received a gift card.

The links in the emails take users to a spam site that is part of the same affiliate marketing scheme we have seen in the past. Some of them claim to come from popular department stores promising gift cards or coupons; when clicked, they take you to a URL different from the real merchant's website but carrying the merchant's branding. They try to convince users to sign up for different offers while the scammers earn commissions for each successful subscription.

We urge our users to always be vigilant and cautious with any unsolicited email and to avoid providing any personal information, particularly if you are not certain of the source.

Dell SonicWALL Gateway Antivirus monitors and provides constant protection against such malicious threats.

The Evolution of Defense-in-Depth

This post was written by Dan Cole.

As enterprises continue to shore up their defenses in anticipation of the next breach, many security professionals understand that it's not a matter of if it happens, but when. And when it does, the question is how soon they will know, before the attack has completed its cycle.

To offset these upcoming threats, perimeter security experts have been doubling up on their defense solutions, layering security from the very edge of their perimeter (Firewalls, IPS, NGFW) to the deep core and asset point (end point software, application firewalls, etc.) of their IT infrastructure. This was done to not only prevent a breach, but to buy time for organizations to respond to such attacks. As I described in my earlier blog, Defense-in-Depth is very much like a “Castle” approach in building your IT security infrastructure.

But much like the castle illustrated here, building such defense mechanisms inadvertently creates chasms. Translated to the cyber realm, the chasms represent the response time between and during ongoing attacks.

Now consider the flip side of the coin: cyber warfare incorporates both offense and defense strategies. The offensive approach is structured and labeled by the military (as most things are) as the kill chain. Simply put, the kill chain from a military model perspective includes the following:

  • Target identification
  • Force dispatch to target
  • Decision and order to attack the target
  • Destruction of the target

By adapting this structured approach, Lockheed Martin coined the term Cyber Kill Chain: a model that is structured like Defense in Depth, yet takes the opposing approach of attacking an IT infrastructure. The perspective of the hacker, if you will.

These steps include but are not limited to the following:

  • Reconnaissance
  • Weaponization
  • Delivery
  • Exploitation
  • Installation
  • Command and Control
  • Actions on Objective

Today, attackers who have successfully penetrated classic Defense in Depth models have leveraged an adaptation of the Cyber Kill Chain. So what's the delta? What do IT experts need to incorporate into their defense strategy to help mitigate such advanced attack approaches?

Defense in Depth with Intelligence

As discussed earlier one of the biggest challenges with the classic defense in depth approach is the inadvertent chasms that are created. These chasms are essentially people, process, and product related.

In larger enterprises there are multiple IT departments, with responsibilities divided according to the assets each manages. Network engineers may not necessarily know or communicate with the security engineers. Although the aspiration is to ensure that the processes followed are global and relevant to all IT infrastructure touch points, in reality they are rarely followed. Lastly, products that are purchased and then deployed into the enterprise are usually incompatible with each other, resulting in differing log languages and management structures.

Although the people and process are valid challenges and problems that will need to be tackled, my responsibility as a product manager of the Network Security Products for SonicWall Security will be to ensure that the chasms of product compatibility with adjacent security technologies are closed. The initiatives launched with our Connected Security vision will help in understanding these challenges better, as we ourselves, being part of the SonicWall technology family, need to bring various disparate technologies together to build a solution that will work not only for our customers but for ourselves (at SonicWall).

One of the biggest challenges in minimizing this divide, and our approach to it, is building a security communication framework in which all of our products can communicate using a common language. With this ability we would be able to make our products and other devices within our customers' security infrastructure respond and alert intelligently, minimizing the intervals between the attack stages described in the Kill Chain model.

As we and our customers continue to shore up our security infrastructure for the next generation of cyberattacks, the existing Defense in Depth model will need to be adapted and upgraded with intelligence. With intelligence we will be helping our customers in addressing the chasms within their castle.

Increase Your Network Security and Control Through Segmentation

When you think about securing a network using a next-generation firewall, in most cases the thinking immediately goes to protecting the local area network (LAN) from the Internet. This may be a good way of thinking if you only have hard-wired desktop clients. However, what if the network includes servers that need inbound access from the Internet, or a wireless network? What steps can you take to protect a network that's a little more sophisticated?

Let's look at an example of a small network where the user has a few desktop clients connected to the physical LAN, wireless clients and a storage server. For this specific use case the network segmentation is set up in the following way: the LAN network has all of the desktop clients, a wireless LAN (WLAN) network has the wireless clients, and a demilitarized zone (DMZ) is where the storage server is connected.

From the LAN, clients are allowed to get to the Internet, but access to the other network segments is blocked. This includes the default policy to block all incoming access from the WAN or Internet.

Wireless users can get to the Internet but are blocked from accessing any of the other network segments. In order for wireless users to access other network segments they must authenticate to the firewall. Once authenticated, each wireless user can gain access to the other network segments as needed. This was done to increase security from the WLAN and prevent unauthorized access to the other network segments.

Finally, on the storage server segment, the default policy is to block access to all other network segments. This is done to ensure that if the storage server was to become compromised by a vulnerability to its software it would not allow a hacker gain access or malware to spread to other network segments on the LAN or WLAN. For WAN access, all traffic is blocked, although a specific set of ports is allowed to provide the ability to automatically update the software on the storage server.

Now you may look at this and think it is overkill for such a small network. However, having been in the security industry for the past 15 years and educated partners and customers on proper network design, I figured it would only benefit my own network security to implement a security design that limits access between network segments.

While I’m not saying that all networks need this level of complexity, it is a good idea to think about network segmentation and not put every connected device on a single segment just because it’s easy. Segmentation lets you control not only north-south traffic (to and from the Internet) but also east-west traffic between network segments.
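To make the north-south versus east-west distinction concrete, here is an added example (not from the original post and not SonicWall code) that models the four-zone policy described above as a first-match rule table with an implicit deny, and prints the effective zone-to-zone matrix. The zone names and the rules are taken from the description above; the update ports opened for the storage server (80 and 443) are an assumption, since the post only says that a specific set of ports is allowed.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Zones from the post. UPDATE_PORTS is an assumption: the post only says
# "a specific set of ports" is opened so the storage server can update itself.
ZONES = ("LAN", "WLAN", "DMZ", "WAN")
UPDATE_PORTS: FrozenSet[int] = frozenset({80, 443})


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    ports: Optional[FrozenSet[int]] = None  # None means any destination port
    require_auth: bool = False              # user must have authenticated to the firewall


# Allow rules only. Anything not matched falls through to the implicit deny, which
# covers WAN -> *, LAN -> WLAN/DMZ, DMZ -> LAN/WLAN and unauthenticated WLAN -> LAN/DMZ.
RULES = (
    Rule("LAN", "WAN"),
    Rule("WLAN", "WAN"),
    Rule("WLAN", "LAN", require_auth=True),
    Rule("WLAN", "DMZ", require_auth=True),
    Rule("DMZ", "WAN", ports=UPDATE_PORTS),
)


def matching_rule(src_zone: str, dst_zone: str, dst_port: int,
                  authenticated: bool = False) -> Optional[Rule]:
    """First-match lookup over RULES; returns the rule that permits the flow, or None."""
    for rule in RULES:
        if (rule.src, rule.dst) != (src_zone, dst_zone):
            continue
        if rule.ports is not None and dst_port not in rule.ports:
            continue
        if rule.require_auth and not authenticated:
            continue
        return rule
    return None


def evaluate(src_zone: str, dst_zone: str, dst_port: int,
             authenticated: bool = False) -> str:
    """Return 'allow' or 'deny' for an inter-zone flow (implicit deny when nothing matches)."""
    if src_zone not in ZONES or dst_zone not in ZONES:
        raise ValueError("unknown zone")
    if src_zone == dst_zone:
        raise ValueError("intra-zone traffic is outside this matrix")
    return "allow" if matching_rule(src_zone, dst_zone, dst_port, authenticated) else "deny"


def policy_matrix(dst_port: int = 443, authenticated: bool = False) -> dict:
    """Effective verdict for every (src, dst) zone pair on one destination port."""
    return {
        (src, dst): evaluate(src, dst, dst_port, authenticated)
        for src in ZONES for dst in ZONES if src != dst
    }


def print_matrix(dst_port: int = 443, authenticated: bool = False) -> None:
    """Render the matrix: rows are source zones, columns destination zones."""
    verdicts = policy_matrix(dst_port, authenticated)
    print(f"dst port {dst_port}, authenticated={authenticated}")
    print("src\\dst " + " ".join(f"{z:>5}" for z in ZONES))
    for src in ZONES:
        row = ["-" if src == dst else verdicts[(src, dst)] for dst in ZONES]
        print(f"{src:>7} " + " ".join(f"{v:>5}" for v in row))


if __name__ == "__main__":
    print_matrix(443)                       # unauthenticated web traffic
    print_matrix(445, authenticated=True)   # authenticated SMB from the WLAN
```

Running it prints one matrix for unauthenticated traffic on port 443 and one for authenticated traffic on port 445; only the WLAN row changes between them, which is the point of tying the east-west rules to user authentication rather than to the segment alone. The WAN row is all deny in both, and the DMZ row is allow only toward the WAN and only on the update ports.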

SonicWall NSA Next-Gen Firewall Series

With SonicWall firewalls you can create a wide variety of segments using physical or logical interfaces, or the internal wireless radio where available. Once an interface is defined, you assign it a zone classification such as LAN, DMZ, WLAN or a custom zone, and from there apply policies that control access between the segments and limit unauthorized access. For added security you can also require authentication. To learn more about how SonicWall next-generation firewalls can help secure your network, read the “Achieve Deeper Network Security and Control” white paper.

Is Your Firewall Scanning SSL-Encrypted Traffic?

If your firewall isn’t scanning SSL-encrypted traffic, then your network isn’t as safe as you think.

Some reports indicate that by the end of 2016 two-thirds of all traffic on the Internet will be encrypted. In fact, the 2015 SonicWall Security Annual Threat Report found a 109% increase in encrypted traffic between January 2014 and January 2015. Are you prepared? Most network administrators may not even know that a majority of the traffic moving in and out of their network is encrypted, and that this traffic can be a route for malware to enter the network or, worse, for known exploits to pass through undetected.

As we’ve seen this year, more sites are serving advertisements that are not hosted or controlled locally, and those ads are being used to spread malware to vulnerable endpoint systems. With more websites and search engines adopting encryption, users visiting legitimate websites or running legitimate searches may be more exposed to these attacks, because an edge security device that cannot decrypt the session cannot scan the payload and determine whether something harmful is embedded in it.

As the Internet landscape evolves, so do the security requirements. If you are using an older stateful packet inspection or UTM appliance that cannot decrypt SSL-encrypted traffic, your network and users could be exposed.

Here are some things network administrators should consider when choosing a product that will provide SSL decryption as part of the overall security feature set.

  • Does my current firewall have the ability to decrypt and scan SSL-encrypted traffic?
  • What is the performance penalty if I enable this on my current firewall solution?
  • Is the SSL decryption required for outgoing connections from endpoints only?
  • Are there requirements for server-side SSL decryption?
  • How flexible is the control over which sites (e.g. banking) are not subject to SSL decryption?
  • Do I have a way to distribute the certificates easily for all device and OS types?
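The first and fifth questions on that list can be answered from an endpoint: when the firewall is decrypting a session, the certificate the client sees is re-signed by the firewall’s own CA rather than by the site’s public CA. The following is an added example (not from the original post and not a SonicWall tool) that reads the issuer out of the dict Python’s ssl module returns from getpeercert() and compares what was observed with the decryption policy. The CA name, the exempt categories and the two sample certificate dicts are constructed for illustration.

```python
import socket
import ssl
from typing import Optional

# Assumed commonName of the firewall's DPI-SSL re-signing CA (constructed; substitute your own).
INTERCEPTION_CA_CN = "Example Corp DPI-SSL CA"

# Categories exempted from decryption, as the post suggests for sites such as banking.
DECRYPT_EXEMPT = frozenset({"banking", "healthcare"})


def issuer_cn(peercert: dict) -> Optional[str]:
    """Extract the issuer commonName from the dict returned by ssl.SSLSocket.getpeercert()."""
    for rdn in peercert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def is_intercepted(peercert: dict, interception_ca_cn: str = INTERCEPTION_CA_CN) -> bool:
    """True when the leaf certificate was re-signed by the firewall's CA, i.e. decryption is active."""
    return issuer_cn(peercert) == interception_ca_cn


def classify(peercert: dict, category: str, interception_ca_cn: str = INTERCEPTION_CA_CN) -> str:
    """Compare what the client actually saw with the decryption policy.

    'inspected'        - non-exempt site, firewall re-signed the certificate (expected)
    'not-inspected'    - non-exempt site reached without decryption (coverage gap)
    'exempt'           - exempt category, original CA certificate seen (expected)
    'policy-violation' - exempt category, yet the firewall decrypted it
    """
    intercepted = is_intercepted(peercert, interception_ca_cn)
    if category in DECRYPT_EXEMPT:
        return "policy-violation" if intercepted else "exempt"
    return "inspected" if intercepted else "not-inspected"


def fetch_peercert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live check from an endpoint behind the firewall (not used by the offline samples).

    The default context only succeeds if the endpoint trusts the firewall's CA;
    a verification error on a site you expect to be inspected means the CA was
    never distributed to this device.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed getpeercert()-shaped samples standing in for two observed connections.
SAMPLE_INTERCEPTED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", INTERCEPTION_CA_CN),)),
}
SAMPLE_DIRECT = {
    "subject": ((("commonName", "bank.example"),),),
    "issuer": ((("organizationName", "Public CA Inc"),),
               (("commonName", "Public CA Inc TLS CA"),)),
}

if __name__ == "__main__":
    print("www.example.com (news):", classify(SAMPLE_INTERCEPTED, "news"))
    print("bank.example (banking):", classify(SAMPLE_DIRECT, "banking"))
```

Run fetch_peercert() against a handful of sites in each category from a managed endpoint and feed the results to classify(); a 'not-inspected' result on a site you expected to be decrypted, or a 'policy-violation' on a banking site, is the finding. The check only works once the firewall’s CA is trusted on the endpoint, which is exactly why certificate distribution is on the list above.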

If SSL decryption is not part of your overall security strategy, it should be. With more and more encrypted data moving in and out of your network, the likelihood that you are exposed keeps growing. As part of the overall SonicWall security strategy, DPI-SSL is available on all next-generation firewall products, including the powerful and scalable SonicWall NSA Series appliances.


To learn more about the robust security offering from SonicWall, review the eBook “Achieve Deeper Network Security and Application Control”.

Abaddon POS malware targets PoS terminals

The Dell SonicWALL Threats Research team observed reports of a new POS malware family, detected as GAV: Abaddon.POS, actively spreading in the wild. Abaddon POS scrapes the memory of running processes to retrieve credit card data.

Infection Cycle:

MD5:

  • 5bf979f90307bac11d13be3031e4c6f9 Detected as GAV: Abaddon.POS (Trojan)

The Trojan adds a value under the following Run keys in the Windows registry to ensure persistence upon reboot:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    • "Chrome"="%Userprofile%\Malware.exe"

Abaddon POS retrieves a list of running processes and periodically scrapes the memory of those processes on the infected machine for credit card data.

To enumerate the processes whose memory it will search for card data, the malware uses API functions such as:

  • CreateToolhelp32Snapshot

  • Process32First

  • Process32Next

  • OpenProcess

Here is an example of scraping the memory by malware:
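As an added example (not from the original post and not the malware’s own code), the following Python reproduces the scrape-and-verify step on a buffer of process memory: it looks for Track 2 records and bare card-number candidates and keeps only those that pass the Luhn check, which is how a scraper separates real card numbers from other digit strings before exfiltration. Obtaining the buffer from a live process is what the enumeration APIs listed above lead up to; here the buffer is a constructed sample containing published test card numbers, and scan_dump() runs the same scan over a memory dump file, which is the forensic counterpart of the malware’s behaviour.

```python
import re
from typing import List, Optional, Set, Tuple

# Track 2 data as it sits in POS process memory: ;PAN=YYMM<service code><discretionary>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})\d*\?")
# Bare PAN candidates: 13-19 digits not bordered by other digits
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")

Hit = Tuple[str, str, Optional[str]]   # (source, pan, expiry YYMM or None)


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation: the 'verify' step a scraper runs before sending data out."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_buffer(buf: bytes) -> List[Hit]:
    """Return Luhn-valid card numbers found in a block of process memory."""
    hits: List[Hit] = []
    seen: Set[str] = set()
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(("track2", pan, (m.group(2) + m.group(3)).decode()))
            seen.add(pan)
    for m in PAN_RE.finditer(buf):
        pan = m.group(1).decode()
        if pan not in seen and luhn_ok(pan):   # skip PANs already taken from a track
            hits.append(("pan", pan, None))
            seen.add(pan)
    return hits


def scan_dump(path: str, chunk: int = 1 << 20, overlap: int = 64) -> List[Hit]:
    """Run the same scan over a memory dump file, overlapping chunks so a record split
    across a chunk boundary is not missed."""
    hits: List[Hit] = []
    seen: Set[str] = set()
    tail = b""
    with open(path, "rb") as f:
        while True:
            data = f.read(chunk)
            if not data:
                break
            for hit in scan_buffer(tail + data):
                if hit[1] not in seen:
                    seen.add(hit[1])
                    hits.append(hit)
            tail = data[-overlap:]
    return hits


# Constructed sample of what a POS process's memory might contain (test numbers, not real cards).
SAMPLE_MEMORY = (
    b"\x00\x00POSAPP v2.1\x00"
    b";4111111111111111=25121011234567890?\x00"   # track 2 record, valid PAN, expiry 25/12
    b"customer note: 5555555555554444 paid\x00"    # bare PAN, valid
    b"order id 4111111111111112\x00"               # fails Luhn, ignored
    b"phone 01234567890\x00"                       # too short to be a PAN
)

if __name__ == "__main__":
    for source, pan, expiry in scan_buffer(SAMPLE_MEMORY):
        print(source, pan, expiry)
```

The Luhn filter is what keeps the scraper’s output small enough to exfiltrate quietly: on the sample it discards the order number and the phone number and returns only the two valid cards, one of them with its expiry taken from the Track 2 record.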

The malware validates the card numbers it finds and then sends them, in encrypted form, to one of its C&C servers, such as the following addresses:

  • 91.234.34.44

  • 50.7.138.138

  • 149.154.64.167

  • 5.8.60.23

  • 176.114.0.165

Command and Control (C&C) Traffic

Abaddon POS performs C&C communication over port 20970.

The malware sends the stolen credit card data to its C&C server in the following format; here are some examples:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Abaddon.POS

  • GAV: Abaddon.POS_2

Here is a list of samples we identified:

  • 0c77886a3ea42b75fcd860d4d97e72c5

  • 1c02f2f3fa15cc6a472119389d25983e

  • 1c2a757c63ee418135e89cc8ef0d6e63

  • 2b3704e0acbcbc265d0d08502a9bf373

  • 3a7ac0c907b2c406ab480d4ed2f18161

  • 3f71031ce8ecb0f48847ccb8be86a5fe

  • 47e5c290f3f443cca027aa344cbf194f

  • 4b86cbb2e9f195bef3770d877206068d

  • 54f1cda856ae921846e27f6d7cc3d795

  • 6ee164908a94a881032d0649e2bd2505

  • 6f7fabeb9ce76a1d52dbf5a40cbc74e8

  • 77f124332a17b3ef6c0b6a799ad0c888

  • 7b7ffdd46d1f7ccea146fd9d5a2412ae

  • 7c69dc17977b3431ff15c1ae5927ed0d

  • 7eddbf17a3d1e398621194b0f22402a7

  • 885829081f91c6baf458166c3f42e281

  • 89a19ccb91977d8b1a020f580083d014

  • 8d6d7a7d77215370d733bda57ef029f4

  • 8df542e35225e0708cd2b3fe5e18ac79

  • 9320175f8af07503a2b2eb4d057bac07

  • 9b340ac013c052ffb2beb29d26009a24

  • a1d1ba04f3cb2cc6372b5986fadb1b9f

  • a3ea1a008619687bdfef08d2af83f548

  • a53d8212a47bf25eeca87c1e27042686

  • a7a666ab9548fd1f0a8eb8050d8ca483

  • a9cc6736e573ad9e77359062e88114e2

  • aaac35389c9be79c67c4f5c4c630e5d5

  • b3a057f55a8fa2aad5b8d212a42b4a88

  • bcf271e83c964eb1fd89e6f1a7b7a62f

  • c42f20e2a68b8829b52b8399b7b33bf2

  • d785592932323f6ddaa121bcdcbceba0

  • e08aeb0bfcbae33b851af9f8be413111

  • e92254f9ce7d6f45e907e77de146ef37

  • ec322598eec364a755b5aea70d2a2da8

  • 5bf979f90307bac11d13be3031e4c6f9

  • a168fef5d5a3851383946814f15d96a7

  • a55843235cd8e36c7e254c5c05662a5b

  • 1c19494385cb21b7e18252b5abd104f6

  • 2b58f7cb4df18509a743226064b30675

  • 752dcae6eb492263608a06489546098f

  • 976275965fcf19a98da824b1959500c1

  • 227e6b1f3e66f00a4fc683d4f39da904

  • 8ca1278e2821fd2dd19c28725f754577

  • ac03e0e9f70136adede78872e45f6182

  • 12cd4df2264624578919596371edee81

  • 317f9c57f7983e2608d5b2f00db954ff

  • f63e0a7ca8349e02342c502157ec485d

  • 0900582ba65c70a421b5d21d4ed21f16

  • 4b0db5398f02dae5315f0baff1475807

  • 703f492b2624899ec47b929f65265bbb

  • 5e33b1273b2e2d4cd0986b9873ab4bc4

  • d11c4a4f76b2bea502b80229a83c30bc

  • e50edb61e796c6ead88cac53719e2d00

  • dc1a975e20eca705c6c78dc24f1290b5

  • 6a6977ea317f0240a3dacc0753257518

  • 5e06563f6303eab10c3cd46f0fd5c2d6

  • 7ef654cdc7c2b54772400e26eb292caf

  • 946be7ddd511ff9f49b5073896346eab

NTP Daemon Vulnerabilities (Nov 19, 2015)

NTP is a protocol designed to synchronize the clocks of computers over a network. It uses a hierarchical, semi-layered system of time sources; each level of this hierarchy is termed a “stratum” and is assigned a number starting with zero at the top.

The NTP Project conducts research and development on NTP and produces the official reference implementation along with its documentation, through a largely volunteer effort. A few weeks ago, ntp-4.2.8p4 was released, fixing multiple vulnerabilities.

Dell SonicWALL has released several IPS signatures to detect and block exploitation attempts targeting the vulnerabilities.

  • Sid:11276 “NTP Daemon Arbitrary File Overwrite”, which addresses CVE-2015-7703
  • Description: If ntpd is configured to allow for remote configuration, and if the (possibly spoofed) source IP address is allowed to send remote configuration requests, and if the attacker knows the remote configuration password, it’s possible for an attacker to use the “pidfile” or “driftfile” directives to potentially overwrite other files.

  • Sid:11225 “NTP Daemon Assertion Failure DoS”, which addresses CVE-2015-7855
  • Description: If ntpd is fed a crafted mode 6 or mode 7 packet containing an unusually long data value where a network address is expected, the decodenetnum() function will abort with an assertion failure instead of simply returning a failure condition.

  • Sid:11240 “NTP Daemon Crypto-NAK Authentication Bypass 1” and
    Sid:11254 “NTP Daemon Crypto-NAK Authentication Bypass 2”, which address CVE-2015-7871
  • Description: Crypto-NAK packets can be used to cause ntpd to accept time from unauthenticated ephemeral symmetric peers by bypassing the authentication required to mobilize peer associations. This vulnerability appears to have been introduced in ntp-4.2.5p186 when the code handling mobilization of new passive symmetric associations was refactored.

The most critical of these is the crypto-NAK bug, because it allows an unauthenticated peer to become a time source even where authentication is configured. Administrators are urged to upgrade ntpd to 4.2.8p4 or later to protect their servers.
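To make the two most important bugs in that list concrete, here is an added example (not from the NTP Project’s code base and not SonicWall code) that models the relevant checks in Python: a classifier for the bytes after the NTP header that tells a crypto-NAK (a 4-byte all-zero MAC) from a real keyid-plus-digest MAC, a should_mobilize() decision with a vulnerable=True switch that reproduces the CVE-2015-7871 bypass as the post describes it, and a bounded decode_netnum() for mode 6 data that returns a failure instead of asserting, which is the fixed behaviour for CVE-2015-7855. The key table, the 64-character address bound and the packet builders are constructed assumptions, and extension fields are not modelled.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48            # fixed NTPv4 header; extension fields are not modelled here
MODE_SYMMETRIC_ACTIVE = 1
MODE_CONTROL = 6
MAX_ADDR_LEN = 64          # assumed bound on an address string, not ntpd's actual limit

# Constructed key table standing in for ntp.keys: key id -> MD5 key
KEYS = {1: b"example-md5-key"}


def mode_of(pkt: bytes) -> int:
    return pkt[0] & 0x07


def classify_mac(pkt: bytes) -> str:
    """Classify the trailer after the header: 'none', 'crypto-nak', 'mac' or 'malformed'."""
    trailer = pkt[HEADER_LEN:]
    if not trailer:
        return "none"
    if len(trailer) == 4:
        return "crypto-nak" if trailer == b"\x00\x00\x00\x00" else "malformed"
    if len(trailer) in (20, 24):          # keyid + MD5 (16) or SHA-1 (20) digest
        return "mac"
    return "malformed"


def mac_valid(pkt: bytes) -> bool:
    """Verify keyid||digest where digest = H(key || header), as ntpd computes it."""
    if classify_mac(pkt) != "mac":
        return False
    trailer = pkt[HEADER_LEN:]
    key = KEYS.get(struct.unpack("!I", trailer[:4])[0])
    if key is None:
        return False
    algo = hashlib.md5 if len(trailer) == 20 else hashlib.sha1
    return hmac.compare_digest(algo(key + pkt[:HEADER_LEN]).digest(), trailer[4:])


def should_mobilize(pkt: bytes, auth_required: bool, vulnerable: bool = False) -> bool:
    """May a symmetric-active packet mobilize a passive association?

    vulnerable=True reproduces the CVE-2015-7871 behaviour described above:
    a crypto-NAK is accepted in place of a valid MAC."""
    if len(pkt) < HEADER_LEN or mode_of(pkt) != MODE_SYMMETRIC_ACTIVE:
        return False
    if not auth_required:
        return True
    kind = classify_mac(pkt)
    if kind == "mac":
        return mac_valid(pkt)
    return kind == "crypto-nak" and vulnerable


def parse_control(pkt: bytes):
    """Parse a mode 6 control packet; returns (opcode, data) or None on malformed input."""
    if len(pkt) < 12 or mode_of(pkt) != MODE_CONTROL:
        return None
    opcode = pkt[1] & 0x1F
    _seq, _status, _assoc, _offset, count = struct.unpack("!HHHHH", pkt[2:12])
    data = pkt[12:12 + count]
    return (opcode, data) if len(data) == count else None


def decode_netnum(text: str):
    """Bounded stand-in for decodenetnum(): None for an over-long value instead of an assert."""
    return None if len(text) > MAX_ADDR_LEN else text


def control_addrs(pkt: bytes):
    """Collect addr=... values from a mode 6 packet; None marks a value the bound rejected."""
    parsed = parse_control(pkt)
    if parsed is None:
        return None
    out = []
    for item in parsed[1].decode("ascii", "replace").split(","):
        key, _, value = item.partition("=")
        if key.strip() == "addr":
            out.append(decode_netnum(value.strip()))
    return out


# Packet builders for the samples (constructed, not captured traffic).
def build_packet(mode: int, keyid=None, crypto_nak: bool = False) -> bytes:
    header = bytes([(4 << 3) | mode]) + bytes(HEADER_LEN - 1)   # LI=0, VN=4, timestamps zero
    if crypto_nak:
        return header + b"\x00" * 4
    if keyid is not None:
        return header + struct.pack("!I", keyid) + hashlib.md5(KEYS[keyid] + header).digest()
    return header


def build_control(data: bytes) -> bytes:
    head = bytes([(4 << 3) | MODE_CONTROL, 0x02])   # opcode 2 = read variables
    return head + struct.pack("!HHHHH", 1, 0, 0, 0, len(data)) + data
```

With auth_required=True, the fixed decision accepts only a packet whose MAC verifies under a configured key; the crypto-NAK packet is rejected, and the same packet is accepted only when the vulnerable switch is on. The mode 6 path shows the shape of the CVE-2015-7855 fix: an over-long address value is reported as a failed decode rather than crashing the daemon.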