Is Your Firewall Scanning SSL-Encrypted Traffic

If your firewall isn’t scanning SSL-encrypted traffic, then your network isn’t as safe as you think.

Some reports indicate that by the end of 2016 two-thirds of all traffic on the internet will be encrypted. In fact, the 2015 SonicWall Security Annual Threat Report found a 109% increase between January 2014 and January 2015. Are you prepared? Most network administrators may not even know that a majority of the traffic moving in and out of their network is encrypted, and that this traffic could be a source for malware to enter their network or, even worse, allow known intrusions to be exploited.

As we’ve seen this year, more sites are serving advertisements that are not hosted or controlled locally, and these are being used to spread malware, allowing attackers to exploit vulnerable end-point systems. With more websites and search engines leveraging encryption, it’s possible that users who are going to legitimate websites or doing legitimate searches are more exposed to these types of attacks, because the edge security device does not have the capability to decrypt, scan and determine whether something harmful is embedded in the encrypted payload.

As the Internet landscape continues to evolve, so too do the security requirements. If you’re using an older Stateful Packet Inspection or UTM appliance that does not have the ability to decrypt SSL-encrypted traffic, it could leave your network and users exposed.

Here are some things network administrators should consider when choosing a product that will support SSL decryption to be included as part of their overall security feature set.

  • Does my current firewall have the ability to decrypt and scan SSL-encrypted traffic?
  • What is the performance penalty if I enable this on my current firewall solution?
  • Is the SSL decryption required for outgoing connections from endpoints only?
  • Are there requirements for server-side SSL decryption?
  • How flexible is the control over which sites (e.g. banking) are not subject to SSL decryption?
  • Do I have a way to distribute the certificates easily for all device and OS types?

If SSL decryption is not something you have included as part of your overall security strategy, it should be. With more and more encrypted data moving in and out of your network, the possibility that you will be exposed is growing. As part of the overall SonicWall security strategy, DPI-SSL is a feature available on all next-generation firewall products including the powerful and scalable SonicWall NSA Series appliances.


To learn more about the robust security offering from SonicWall, review the following eBook: Achieve deeper network security and application control.

Abaddon POS malware targets PoS terminals

The Dell SonicWALL Threats Research team observed reports of a new POS malware family, detected as GAV: Abaddon.POS, actively spreading in the wild. Abaddon POS malware has capabilities such as scraping process memory to retrieve credit card data.

Infection Cycle:

MD5:

  • 5bf979f90307bac11d13be3031e4c6f9 Detected as GAV: Abaddon.POS (Trojan)

The Trojan adds the following keys to the Windows registry to ensure persistence upon reboot:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    • "Chrome" = "%Userprofile%\Malware.exe"

Abaddon POS retrieves a list of running processes and periodically scrapes the memory of those processes on the infected machine for credit card information.

The malware tries to enumerate credit card data from POS software using API functions such as:

  • CreateToolhelp32Snapshot

  • Process32First

  • Process32Next

  • OpenProcess

Here is an example of the malware scraping memory:

The malware tries to verify the credit card numbers and then sends this information in encrypted form to one of the given C&C servers, such as the following addresses:

  • 91.234.34.44

  • 50.7.138.138

  • 149.154.64.167

  • 5.8.60.23

  • 176.114.0.165

Command and Control (C&C) Traffic

Abaddon POS performs C&C communication over port 20970.

The malware sends the stolen credit card information to its C&C server in the following format; here are some examples:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Abaddon.POS

  • GAV: Abaddon.POS_2

Here is a list of samples we identified:


NTP Daemon Vulnerabilities (Nov 19, 2015)

NTP is a protocol designed to synchronize the clocks of computers over a network. The NTP Project produces a reference implementation of the NTP protocol and implementation documentation through a largely volunteer effort. NTP uses a hierarchical, semi-layered system of time sources. Each level of this hierarchy is termed a “stratum” and is assigned a number starting with zero at the top.

The NTP Project conducts Research and Development in NTP and produces the Official Reference Implementation of NTP along with the Implementation Documentation. A few weeks ago, ntp-4.2.8p4 was released which fixed multiple vulnerabilities.

Dell SonicWALL has released several IPS signatures to detect and block exploitation attempts targeting the vulnerabilities.

  • Sid:11276 “NTP Daemon Arbitrary File Overwrite”, which addresses CVE-2015-7703
  • Description: If ntpd is configured to allow for remote configuration, and if the (possibly spoofed) source IP address is allowed to send remote configuration requests, and if the attacker knows the remote configuration password, it’s possible for an attacker to use the “pidfile” or “driftfile” directives to potentially overwrite other files.

  • Sid:11225 “NTP Daemon Assertion Failure DoS”, which addresses CVE-2015-7855
  • Description: If ntpd is fed a crafted mode 6 or mode 7 packet containing an unusually long data value where a network address is expected, the decodenetnum() function will abort with an assertion failure instead of simply returning a failure condition.

  • Sid:11240 “NTP Daemon Crypto-NAK Authentication Bypass 1” and
    Sid:11254 “NTP Daemon Crypto-NAK Authentication Bypass 2”, which address CVE-2015-7871
  • Description: Crypto-NAK packets can be used to cause ntpd to accept time from unauthenticated ephemeral symmetric peers by bypassing the authentication required to mobilize peer associations. This vulnerability appears to have been introduced in ntp-4.2.5p186 when the code handling mobilization of new passive symmetric associations was refactored.

The most critical one in the above list is the crypto-NAK bug. Administrators are urged to upgrade ntpd to the latest version to protect their servers.

Six CyberSecurity Tips for the Holiday Season

The holiday shopping season is also a big season for cyber-criminals to breach high-traffic retailers. Forecasting from trends I have seen over the past 18 months, here are six security tips on how to protect your retail business. These often-overlooked recommendations are not limited to the holiday season, and you can implement them at any time:

1. Know what is connected to your network. Do you allow employees to use their personal devices to connect to your network? A favored penetration path is through unprotected devices that come onto the network. First off, insist that everyone has current antivirus software loaded on their devices. Moreover, use a firewall that knows what is on your network, can enforce which applications people can access, and provides a high level of granularity to restrict access to non-productive applications (or sub-applications, such as games on Facebook).

2. Update your software. During 2015, numerous security updates were pushed to customers of browsers, operating systems, plug-ins and applications. Often overlooked during the year, missed software updates are the easiest way for cyber-criminals to compromise your network, commonly through outdated applications. This drafty window into your business can be easily shut. Before the holiday season gets under way, have your PC users spend an hour at the end of the day updating software (it often requires a reboot) and make sure your apps (especially Java) are up to date. Encourage users to do this monthly, and insist on it quarterly.

3. Change your passwords. While you may not have been enforcing a change in passwords to access your network on a regular basis, it is a fast and easy way to close the door on insider-initiated breaches. Over the past year, employees have come and gone. Changing the password provides an opportunity to start out fresh. But now the problem becomes remembering the new password. One technique is to use a personally memorable passphrase that only you would know. If you feel you must write the password down, secure it in a locked drawer with limited access. You might be surprised how many make the dangerous mistake of writing it down on a sticky note placed on a computer.

4. Prepare for ransomware. Going by recent trends, there is an increasing chance that someone will get into your system, encrypt your data and bring your business to a halt unless you pay a ransom. Be ready. Make a backup daily (start today), and test regularly to make sure that you can easily recover your data off the network. If you do get hit, you then have a baseline to go back to, so you can keep your business going.

5. Secure your WiFi. WiFi can improve shopper experience and help retain customers. But do you know if your WiFi is secure? Is your wireless circuit set up to isolate your business traffic from your guest traffic? If not, consider turning off WiFi until it is secured. It is too easy to compromise a network through an insecure WiFi connection.

6. Isolate your POS. Speaking of isolation, make sure your POS system is isolated from the rest of your network traffic. That way, you close another door on cyber-thieves.

There is plenty more that can be done, but the holiday season may preclude additional immediate activities. My recommendation is to set a date after the holidays to review your security position and plan for improvements in 2016. Ask others who operate retail stores what they are doing. Or talk to a security specialist like those we have at SonicWall. They can help you build a roadmap to better security.

If you want to learn more about how to protect yourself from threats that have emerged as the internet grows, I encourage you to read our ebook: “How to prevent security breaches in your retail network.” It goes deeper into retail security and will help you to become savvier when you evaluate your security posture.

SonicWall Firewall As A Service Offers New GMS Infrastructure

Today, customers are looking for more security and insight into the traffic on their network, without the burden of managing it on their own. Increasingly, managed service providers (MSPs) are being asked to deliver network perimeter protection. Meeting this demand, SonicWall Firewall as a Service (FWaaS) now offers the SonicWall Global Management System (GMS) as a cloud-managed service. Three options of the Global Management System infrastructure solution are immediately available from SonicWall: Monitoring, Monitoring and Reporting, and Fully Managed. The undeniable benefit of all of these choices is that each lowers upfront costs through monthly subscription pricing. Customers also gain enterprise-level network security to defend against relentless global threats and malware attacks without having to worry about maintenance or support. These solutions simplify customer management and deployment of SonicWall products. These new offerings will be provided by Solutions Granted Inc. and Western NRG, Inc., our selected infrastructure providers.

SonicWall Security’s Firewall-as-a-Service bundle includes a SonicWall next-generation firewall appliance, Total Secure/Comprehensive Gateway Security Software (CGSS) and SonicWall Global Management System (GMS). What is new is that we are giving you more options on where and how to run SonicWall GMS, allowing you to rapidly deploy and centrally manage SonicWall next-gen firewalls. This highly effective system provides real-time monitoring and alerts, along with comprehensive policy and compliance reporting, in a solution that can easily be deployed as a hosted solution.

Option number one provides GMS infrastructure with monitoring. Option number two delivers more comprehensive security with both monitoring and reporting. With these two options the Managed Service Provider (MSP) runs GMS and is responsible for the workload, but uses the SonicWall GMS infrastructure. The value is eliminating the cost of the GMS infrastructure, paying a monthly price instead of an upfront cost and scaling over time to accommodate growth.

The third and most comprehensive option consists of a fully managed GMS instance and execution of the managed firewall service for the VAR/MSP. The value of this service is that a VAR can now participate without being an MSP. With this option you sell the service, but the delivery of that service is handled by the new SonicWall GMS managed services offerings. This expands your business as a VAR. These options all complement and extend SonicWall’s security products and services, while optimizing your business security, managing growth and easing administrative burdens.

We invite you to tune in for a live webcast on how the new offerings in the FWaaS partner program will help you increase your sales, on Thursday, Nov. 5, 2015 at 11 a.m. Pacific / 2 p.m. Eastern.

Meet us in person next week at the IT Nation 2015 conference, Nov. 11 – 13, 2015 at the Hyatt Regency in Orlando, where SonicWall Security Solutions experts will demonstrate SonicWall Firewall-as-a-Service (FWaaS) and SonicWall Global Management System.

Microsoft Security Bulletin Coverage (November 10, 2015)

Dell SonicWALL has analyzed and addressed Microsoft’s security advisories for November 10, 2015. A list of the issues reported, along with Dell SonicWALL coverage information, follows:

MS15-112 Cumulative Security Update for Internet Explorer

  • CVE-2015-2427 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6064 Microsoft Browser Memory Corruption Vulnerability
    IPS: 11260 “Internet Explorer Memory Corruption Vulnerability (MS15-112) 5”
  • CVE-2015-6065 Internet Explorer Memory Corruption Vulnerability
    IPS: 6041 “Internet Explorer Memory Corruption Vulnerability (MS10-071) 1”
  • CVE-2015-6066 Internet Explorer Memory Corruption Vulnerability
    IPS: 11261 “Internet Explorer Memory Corruption Vulnerability (MS15-112) 6”
  • CVE-2015-6068 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6069 Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6070 Internet Explorer Memory Corruption Vulnerability
    IPS: 11262 “Internet Explorer Memory Corruption Vulnerability (MS15-112) 7”
  • CVE-2015-6071 Internet Explorer Memory Corruption Vulnerability
    IPS: 11263 “Internet Explorer Memory Corruption Vulnerability (MS15-112) 8”
  • CVE-2015-6072 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6073 Microsoft Browser Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6074 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6075 Internet Explorer Memory Corruption Vulnerability
    IPS: 11264 “Internet Explorer Memory Corruption Vulnerability (MS15-112) 9”
  • CVE-2015-6076 Internet Explorer Memory Corruption Vulnerability
    IPS: 11265 “Internet Explorer Memory Corruption Vulnerability (MS15-112) 10”
  • CVE-2015-6077 Internet Explorer Memory Corruption Vulnerability
    IPS: 6395 “Client Application Shellcode Exploit 23”
  • CVE-2015-6078 Microsoft Browser Memory Corruption Vulnerability
    IPS: 11266 “Internet Explorer Memory Corruption Vulnerability (MS15-112) 11”
  • CVE-2015-6079 Internet Explorer Memory Corruption Vulnerability
    IPS: 11267 “Internet Explorer Memory Corruption Vulnerability (MS15-112) 12”
  • CVE-2015-6080 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6081 Internet Explorer Memory Corruption Vulnerability
    IPS: 11243 “Internet Explorer Memory Corruption Vulnerability (MS15-112) 1”
  • CVE-2015-6082 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6084 Internet Explorer Memory Corruption Vulnerability
    IPS: 11244 “Internet Explorer Memory Corruption Vulnerability (MS15-112) 2”
  • CVE-2015-6085 Internet Explorer Memory Corruption Vulnerability
    IPS: 11245 “Internet Explorer Memory Corruption Vulnerability (MS15-112) 3”
  • CVE-2015-6086 Internet Explorer Information Disclosure Vulnerability
    IPS: 11256 “Internet Explorer Information Disclosure Vulnerability (MS15-112) 1”
  • CVE-2015-6087 Internet Explorer Memory Corruption Vulnerability
    IPS: 11255 “Internet Explorer Memory Corruption Vulnerability (MS15-112) 4”
  • CVE-2015-6088 Microsoft Browser ASLR Bypass
    There are no known exploits in the wild.
  • CVE-2015-6089 Scripting Engine Memory Corruption Vulnerability
    IPS: 11257 “Scripting Engine Memory Corruption Vulnerability (MS15-112) 1”

MS15-113 Cumulative Security Update for Microsoft Edge

  • CVE-2015-6064 Microsoft Browser Memory Corruption Vulnerability
    IPS: 11260 “Internet Explorer Memory Corruption Vulnerability (MS15-112) 5”
  • CVE-2015-6073 Microsoft Browser Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6078 Microsoft Browser Memory Corruption Vulnerability
    IPS: 11266 “Internet Explorer Memory Corruption Vulnerability (MS15-112) 11”
  • CVE-2015-6088 Microsoft Browser ASLR Bypass
    There are no known exploits in the wild.

MS15-114 Security Update for Windows Journal to Address Remote Code Execution

  • CVE-2015-6097 Windows Journal Heap Overflow Vulnerability
    SPY: 3215 “Malformed-File jnt.MP.8”

MS15-115 Security Update for Microsoft Windows to Address Remote Code Execution

  • CVE-2015-6100 Windows Kernel Memory Elevation of Privilege Vulnerability
    This is a local vulnerability.
  • CVE-2015-6101 Windows Kernel Memory Elevation of Privilege Vulnerability
    This is a local vulnerability.
  • CVE-2015-6102 Windows Kernel Memory Information Disclosure Vulnerability
    This is a local vulnerability.
  • CVE-2015-6103 Windows Graphics Memory Remote Code Execution Vulnerability
    IPS: 3218 “HP Data Protector Remote Code Execution 3”
  • CVE-2015-6104 Windows Graphics Memory Remote Code Execution Vulnerability
    IPS: 3219 “Active WebCam — Remote Camera Request”
  • CVE-2015-6109 Windows Kernel Memory Information Disclosure Vulnerability
    This is a local vulnerability.
  • CVE-2015-6113 Windows Kernel Security Feature Bypass Vulnerability
    This is a local vulnerability.

MS15-116 Security Updates for Microsoft Office to Address Remote Code Execution

  • CVE-2015-2503 Microsoft Office Elevation of Privilege Vulnerability
    This is a local vulnerability.
  • CVE-2015-6038 Microsoft Office Memory Corruption Vulnerability
    IPS: 11258 “Malformed Excel Document 1”
  • CVE-2015-6091 Microsoft Office Memory Corruption Vulnerability
    SPY: 3213 “Malformed-File doc.MP.31”
  • CVE-2015-6092 Microsoft Office Memory Corruption Vulnerability
    SPY: 3214 “Malformed-File doc.MP.32”
  • CVE-2015-6093 Microsoft Office Memory Corruption Vulnerability
    SPY: 3216 “Malformed-File docx.MP.8”
  • CVE-2015-6094 Microsoft Office Memory Corruption Vulnerability
    SPY: 3217 “Malformed-File xlsb.MP.1”

MS15-117 Security Update for NDIS to Address Elevation of Privilege

  • CVE-2015-6098 Windows Kernel Memory Corruption Vulnerability
    This is a local vulnerability.

MS15-118 Security Update for .NET Framework to Address Elevation of Privilege

  • CVE-2015-6096 .NET Information Disclosure Vulnerability
    GAV “Malformed.svg.MP.1”
  • CVE-2015-6099 .NET Elevation of Privilege Vulnerability
    IPS “Cross-Site Scripting (XSS) Attack signatures”
  • CVE-2015-6115 .NET ASLR Bypass
    This is a local vulnerability.

MS15-119 Security Update for Winsock to Address Elevation of Privilege

  • CVE-2015-2478 Winsock Elevation of Privilege Vulnerability
    This is a local vulnerability.

MS15-120 Security Update for IPSec to Address Denial of Service

  • CVE-2015-6111 Windows IPSec Denial of Service Vulnerability
    There are no known exploits in the wild.

MS15-121 Security Update for Schannel to Address Spoofing

  • CVE-2015-6112 Schannel TLS Triple Handshake Vulnerability
    There are no known exploits in the wild.

MS15-122 Security Update for Kerberos to Address Security Feature Bypass

  • CVE-2015-6095 Windows Kerberos Security Feature Bypass
    There are no known exploits in the wild.

MS15-123 Security Update for Skype for Business and Microsoft Lync to Address Information Disclosure

  • CVE-2015-6061 Server Input Validation Security Feature Bypass Vulnerability
    There are no known exploits in the wild.

Active Android malware campaign steals Credit Card and Banking related information from infected devices (November 5, 2015)

The Dell SonicWALL Threats Research Team discovered a new Android campaign that aims at stealing credit card and banking related information from infected devices. Malicious apks (Android packages) that are part of this campaign use the official Google Play Store as a conduit to trick victims into entering their credit card information, which is then silently passed to the attacker. The malicious apks also monitor the activity of a few hardcoded apps and try to steal the login information, which is likewise passed to the attacker. Most of these targeted apps are financial in nature, which elevates the potency of this threat.

The malicious apps have additional functionality of remotely executing commands that are received via SMS messages as well as transferring device related data to the attackers. This further increases the amount of personal information that can be extracted from the victims.

Infection Cycle

During our analysis we observed many similarities between the malicious apks that are part of this campaign. The permissions requested by each apk during installation are identical:

  • Write Settings
  • Get Tasks
  • Access Network State
  • Internet
  • Send SMS
  • Vibrate
  • Wake Lock
  • Read Contacts
  • Change Component Enabled State
  • Read Phone State

Once installed, the malicious apk appears in the app drawer and requests device administrator privileges. Upon gaining these privileges the app vanishes from the app drawer but continues to function in the background. The image below illustrates this behavior for one particular apk from this campaign:

Then each malware starts capturing device related information and transmits this to its respective hardcoded server present in the code. The following information is sent as a POST request:

  • Device IMEI
  • Country
  • Android OS version
  • Device model
  • Applications installed – These are picked up from the /data/data folder of the device

Every malware in this campaign has a service named GPService running in the background. The sole objective of this service is to monitor the current activity running on the screen:

Stealing Credit Card information via Google Play

When the victim opens the Google Play Store, after a brief moment he sees a prompt asking for credit card information. Normally this prompt is displayed only when a user tries to buy a paid app, but in this case the victim sees it a few seconds after opening the Play Store. In reality the prompt comes from the malicious app, which detects via GPService that the Play Store has been opened. The image below shows that the credit card prompt is actually coming from the malicious app and not the Play Store, but for the victim the transition is seamless:

The fake prompt does not go away even if the victim clicks the Back button; it stays on the screen and becomes an annoyance. The Google Play Store app has seen many changes and updates since its inception, so to a layman a credit card prompt on the opening screen might appear to be one of the newer updates to the Play Store. A victim may enter his credit card information believing this, or simply to get rid of the prompt out of sheer annoyance. Once the credit card information is entered it is silently transmitted to the attacker’s server:

Stealing Banking credentials

We observed every apk in this campaign to target certain apps that involve credit card expenditures; the majority of these were mobile banking applications. Similar to its use of Google Play as a medium, the malicious apk monitors the activity of certain hardcoded apps:

Once the victim opens a targeted app (Commonwealth Bank app in this case) the malicious apk shows its own spoofed login screen:

The malicious app sticks with the basic Black and Yellow theme of the legitimate banking app but someone careful enough can spot differences between the two experiences.

We have a few additional observations regarding this campaign:

  • None of the apps we analyzed are currently present on the Official Google Play Store which is good
  • Apart from the package names, hardcoded server addresses and target apps, there is very little change in the code structure
  • We observed the following hardcoded applications that are targeted to be spoofed apart from Google Play:

  • The malicious apps are installed with the names and icons of famous apps to further add to their legitimacy
  • Based on Virustotal data these apps seem to be fairly new with the oldest one being a month and few weeks old:

  • Most of the malicious applications we analyzed were in English apart from one that was in French
  • The banking related component did not work correctly for some apps, this indicates that the campaign is still evolving and we can expect more modules to be added in future

Overall this campaign aims at extracting Credit Card and Banking data from its victims. It is not very widespread as of now but considering the number of targeted apps this campaign can gain momentum in the long run.

Dell SonicWALL provides protection against multiple versions of this threat via the following signatures:

  • GAV: AndroidOS.CStealer (Trojan)
  • GAV: AndroidOS.CStealer_2 (Trojan)
  • IPS: Credit Card Information Stealing Android App Traffic

Squid SSL-DoS

Squid is a popular open-source caching and forwarding proxy. It can be used in a variety of ways; one of its features is called ‘bump’. There is a denial-of-service (DoS) vulnerability in Squid’s ‘bump’ feature that occurs due to a failure to properly validate input. A specially crafted client or server ‘hello’ message can trigger this unauthenticated DoS vulnerability.

Squid provides an SSL-bump feature to allow man-in-the-middle SSL connections. The vulnerability is triggered when the ‘hello’ message carries an extension length greater than 32767. The variable that stores this length is an unsigned short, so when a number larger than 32767 is supplied the extension’s value decreases in size. This leads to an infinite loop, high CPU utilization and eventually a denial of service due to resource exhaustion.

Dell SonicWALL has the following signature that protects our customers from this attack:

  • IPS 11239 : Squid SSL-DoS
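The kind of length validation the advisory describes as missing, as an added example that is not Squid's own code: a Python parser for the extensions block of a TLS client or server ‘hello’ that checks every declared length against the bytes actually present (including the nested SNI lengths), so an oversized extension length is rejected up front instead of driving the parsing loop forever. The builder helpers and the sample hello are constructed for this demonstration.

```python
"""Bounds-checked parsing of a TLS hello's extensions block (added example)."""
import struct

EXT_SERVER_NAME = 0            # SNI extension type (RFC 6066)
NAME_TYPE_HOST_NAME = 0


class MalformedHello(ValueError):
    """Raised when a declared length does not fit the bytes present."""


def parse_extensions(ext_block):
    """Parse a TLS hello extensions block: 2-byte total length, then entries.

    Each entry is a 2-byte type, a 2-byte length and `length` bytes of data.
    The block is the last field of a hello, so its declared length must equal
    the number of bytes that follow. Returns a list of (type, data) tuples.
    """
    if len(ext_block) < 2:
        raise MalformedHello("extensions length field is truncated")
    (declared,) = struct.unpack("!H", ext_block[:2])
    body = ext_block[2:]
    if declared != len(body):
        raise MalformedHello(
            f"extensions length {declared} but {len(body)} bytes present")
    extensions = []
    pos = 0
    while pos < len(body):
        # pos grows by at least 4 per iteration, so the loop always ends.
        if len(body) - pos < 4:
            raise MalformedHello("extension header is truncated")
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if ext_len > len(body) - pos:
            raise MalformedHello(
                f"extension {ext_type} claims {ext_len} bytes, "
                f"only {len(body) - pos} remain")
        extensions.append((ext_type, body[pos:pos + ext_len]))
        pos += ext_len
    return extensions


def parse_sni(data):
    """Return the host_name from an SNI extension body, with the same checks."""
    if len(data) < 2:
        raise MalformedHello("SNI list length is truncated")
    (list_len,) = struct.unpack("!H", data[:2])
    if list_len != len(data) - 2:
        raise MalformedHello("SNI list length does not match data")
    pos = 2
    while pos < len(data):
        if len(data) - pos < 3:
            raise MalformedHello("SNI entry header is truncated")
        name_type = data[pos]
        (name_len,) = struct.unpack("!H", data[pos + 1:pos + 3])
        pos += 3
        if name_len > len(data) - pos:
            raise MalformedHello("SNI name length exceeds data")
        if name_type == NAME_TYPE_HOST_NAME:
            return data[pos:pos + name_len].decode("ascii")
        pos += name_len
    raise MalformedHello("no host_name entry in SNI extension")


def hello_server_name(ext_block):
    """Return the SNI host from an extensions block, or None if absent."""
    for ext_type, data in parse_extensions(ext_block):
        if ext_type == EXT_SERVER_NAME:
            return parse_sni(data)
    return None


def sni_extension(host):
    """Build a well-formed SNI extension body for `host`."""
    name = host.encode("ascii")
    entry = struct.pack("!BH", NAME_TYPE_HOST_NAME, len(name)) + name
    return struct.pack("!H", len(entry)) + entry


def build_extensions(entries, declared_len=None):
    """Serialise (type, data) entries into an extensions block.

    `declared_len` overrides the real total so a caller can construct a hello
    whose length field is inconsistent, like the crafted one in the advisory.
    """
    body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in entries)
    total = len(body) if declared_len is None else declared_len
    return struct.pack("!H", total) + body


if __name__ == "__main__":
    # Constructed samples: a normal block, then one declaring 65535 bytes.
    sni = sni_extension("example.com")
    print(hello_server_name(build_extensions([(EXT_SERVER_NAME, sni)])))
    try:
        hello_server_name(build_extensions([(EXT_SERVER_NAME, sni)], 0xFFFF))
    except MalformedHello as exc:
        print("rejected:", exc)
```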

Cryptowall 4.0 emerges with new features (Nov 6, 2015)

Ransomware which holds personal files on a victim’s device as hostage in exchange for a hefty fine has shown no signs of slowing down in the past few years. Cryptolocker started this trend that soon spawned threats that used the same modus operandi. One of the Cryptolocker splinter clones is CryptoWall that was first discovered in 2014 and continues to evolve with its latest version being 4.0.

Infection Cycle

Cryptowall 4.0 uses spam as its primary infection vector. The samples we received purported to be a resume, just like previous versions. It arrives as a JavaScript file which, when executed, downloads another malicious executable into the temp directory. It is highly likely that the distribution of Cryptowall will happen through exploit kits in the near future.

It then connects to different domains and sends encrypted data.

adrive62.com myshop.lk parsimaj.com 19bee88.com mabawamathare.org thegingod.com arvixeshared.com eurodir.ru abstractdns.com yahoosupportaustralia.com salamasisters.org lexcheep.com mycampusjuice.com flexiblepestsolutions.com royalsboostersgbball.com textmart.in alltimefacts.com shrisaisales.in frc-pr.com abelindia.com

It then encrypts the files in the victim’s machine and also drops a PNG file HELP_YOUR_FILES.PNG to all the directories where encrypted files are found.

It drops a copy of HELP_YOUR_FILES.PNG along with HELP_YOUR_FILES.TXT and HELP_YOUR_FILES.HTML in the Startup directory.

The infection cycle ends with displaying instructions on how to pay the ransom and decrypt the victim’s files.

The following are some of the changes we observed with the newest version of CryptoWall:

  • Ransom Note – It drops the instructions in different file formats (txt, png, html), whereas previously it only dropped an html file; the authors claimed that this was to provide victims with more avenues to read the instructions, because antivirus solutions are known to remove the html files. Also, this time the victim sees files named HELP_YOUR_FILES, whereas for Cryptowall 3.0 the files were named HELP_DECRYPT
  • File Encryption – It encrypts filenames along with its data

Below are some of the similarities with the previous versions:

  • Tor – The new version still utilizes Tor as a medium to point victims to ransom payment instructions
  • Infection mechanism – The infection vector remains the same across different versions of Cryptowall
  • Payment/Decryption Instruction – This version still provides URLs for victims to send payments to, accepts bitcoins, and demands that the payment be made within a specified time limit

Below are the URLs provided where the victim can complete the payment and receive the decryption key:

  • 3wzn5p2yiumh7akj.partnersinvestpayto.com
  • 3wzn5p2yiumh7akj.marketcryptopartners.com
  • 3wzn5p2yiumh7akj.forkinvestpay.com
  • 3wzn5p2yiumh7akj.effectwaytopay.com

Dell SonicWALL provides protection against this threat via the following signatures:

  • GAV: JSCript.Crypto.RES (Trojan)
  • GAV: CryptoWall.B (Trojan)
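The indicators in this write-up (the contact domains, the payment hostnames and the HELP_YOUR_FILES.* note filenames) lend themselves to a simple triage check. The following is an added example, not SonicWall's code or part of the original post: it matches DNS query log lines against the listed domains and walks a directory tree for the ransom-note filenames. The log line format, the sample log lines and the demo directory layout are constructed for the example; only the indicator values come from the text above.

```python
"""Triage helpers built from the CryptoWall 4.0 indicators listed above.

Added example (not SonicWall's code). Indicator values are taken from the
write-up; the log format, sample lines and demo directory tree are constructed.
"""
import os
import re
import tempfile

# Domains the sample contacts to send encrypted data (from the write-up).
CRYPTOWALL_C2_DOMAINS = {
    "adrive62.com", "myshop.lk", "parsimaj.com", "19bee88.com",
    "mabawamathare.org", "thegingod.com", "arvixeshared.com", "eurodir.ru",
    "abstractdns.com", "yahoosupportaustralia.com", "salamasisters.org",
    "lexcheep.com", "mycampusjuice.com", "flexiblepestsolutions.com",
    "royalsboostersgbball.com", "textmart.in", "alltimefacts.com",
    "shrisaisales.in", "frc-pr.com", "abelindia.com",
}

# Payment portal hostnames handed to the victim (from the write-up).
PAYMENT_HOSTS = {
    "3wzn5p2yiumh7akj.partnersinvestpayto.com",
    "3wzn5p2yiumh7akj.marketcryptopartners.com",
    "3wzn5p2yiumh7akj.forkinvestpay.com",
    "3wzn5p2yiumh7akj.effectwaytopay.com",
}

# Ransom-note filenames dropped next to encrypted files and in Startup.
RANSOM_NOTE_NAMES = {
    "HELP_YOUR_FILES.PNG", "HELP_YOUR_FILES.TXT", "HELP_YOUR_FILES.HTML",
}

# Constructed log format: "<timestamp> <client-ip> query <qname>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\d+\.\d+\.\d+\.\d+) query (?P<qname>\S+)$")


def normalize_host(qname):
    """Lower-case and drop a trailing dot so 'Foo.COM.' compares as 'foo.com'."""
    return qname.rstrip(".").lower()


def host_matches(host, indicators):
    """True if host equals an indicator or is a subdomain of one."""
    return any(host == ind or host.endswith("." + ind) for ind in indicators)


def scan_dns_log(lines):
    """Return (client, host, kind) tuples for queries hitting the indicator sets.

    kind is 'c2' for the contact domains and 'payment' for the payment portals.
    Lines that do not match the expected format are skipped, not raised on.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        host = normalize_host(m["qname"])
        if host_matches(host, CRYPTOWALL_C2_DOMAINS):
            hits.append((m["client"], host, "c2"))
        elif host_matches(host, PAYMENT_HOSTS):
            hits.append((m["client"], host, "payment"))
    return hits


def find_ransom_notes(root):
    """Walk root and return sorted paths whose basename is a known note name."""
    found = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if name.upper() in RANSOM_NOTE_NAMES:
                found.append(os.path.join(dirpath, name))
    return sorted(found)


# Constructed sample log: one benign query, two C2 hits, one payment hit,
# one malformed line. Not captured from a real network.
SAMPLE_DNS_LOG = [
    "2015-11-10T09:12:01Z 10.0.5.23 query www.example.org",
    "2015-11-10T09:12:07Z 10.0.5.23 query adrive62.com.",
    "2015-11-10T09:12:09Z 10.0.5.23 query www.myshop.lk",
    "2015-11-10T09:15:44Z 10.0.5.40 query 3wzn5p2yiumh7akj.forkinvestpay.com",
    "this line is not in the expected format",
]


def run_demo():
    """Build a constructed directory tree, scan it, return note paths relative to root."""
    layout = {
        "Documents/report.docx": b"not a note",
        "Documents/HELP_YOUR_FILES.PNG": b"constructed note",
        "Startup/HELP_YOUR_FILES.TXT": b"constructed note",
        "Startup/HELP_YOUR_FILES.HTML": b"constructed note",
        "Pictures/cat.jpg": b"not a note",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in layout.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return [os.path.relpath(p, root).replace(os.sep, "/")
                for p in find_ransom_notes(root)]


if __name__ == "__main__":
    for client, host, kind in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{client} -> {host} [{kind}]")
    for note in run_demo():
        print("ransom note:", note)
```

The subdomain match in host_matches matters because the contact list is given as bare domains while real queries often carry a www or other label in front; the case and trailing-dot normalization avoids missing a hit on a resolver that logs fully qualified names. A payment-host hit from an internal client is worth treating differently from a contact-domain hit: it indicates a user reading a ransom note, so files on that host have most likely already been encrypted.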

Retailers Are Jumping on the Wi-Fi Bandwagon

The other day I went clothes shopping at the mall with my 12-year-old son, an experience that’s usually painful for both of us. While he was deciding between “straight leg” and “skinny leg” pants I spent my time looking at the surrounding shops in the mall. Some were smaller, independently-owned stores while others were part of larger retail chains. They’re all selling something which means they all need to protect the data they receive from customer transactions.

While I don’t really understand the need for skinny leg pants, I do know that there are a ton of stores in the malls. The ones that are successful find ways to differentiate themselves from the competition. They also learn how to make doing business easier. The use of wireless is a good example. Free WiFi is a cool thing. I can keep up on email, surf the web and text my wife about my shopping experience right from the store without using up my valuable data plan. As a shopper, I like that.

From the store’s perspective, wireless serves multiple functions. For one, it’s a potential source of customer retention. According to an EarthLink Holdings Corp. study, 27.5 percent of retailers reported increased customer loyalty due to in-store WiFi. Having free WiFi available also makes it easier for customers to get product information and make purchases. In a press release late last year Gap, Inc. said, “Now, you can just take out your smartphone and shop straight from the fitting room, browse customer reviews or just jump online for fun. It’s now easier to access with free customer Wi-Fi.” What’s more, retail businesses that provide free WiFi also see an increase in customer foot traffic, time spent on premises and spending based on a 2014 Devicescape-commissioned survey by iGR. This is all good news for retailers who’ve jumped on the in-store WiFi bandwagon.

Providing free WiFi doesn’t come without some effort, however. Service providers are upping the bandwidth available to businesses and WiFi speeds have increased significantly thanks to 802.11ac, both of which make for a better user experience. That’s great, and it means wireless speed is often not an issue any longer. Securing the network from threats still is, though. Retailers who don’t deploy a network security solution such as a firewall to protect their WiFi (and wired) network face a number of potential risks, including stolen customer and company data, financial loss and damaged reputation. There have been plenty of examples in the news of major retailers who have experienced each of these. Were they hacked over a WiFi network? Probably not. However, it’s a very real possibility. In addition to providing essential protection from viruses, spyware, intrusions and other threats, firewalls enable retailers to separate, or segment, customer internet access from employee network access over the wireless network. This ensures that the retailer’s internal network is safe from any threats customers may have downloaded onto their personal WiFi devices. At the same time, employees have secure access to the internal resources they need.

In the end, after much deliberation, my son went with the skinny leg pants. I had a good in-store WiFi experience and the retailer made another sale knowing its network was safe from a wireless attack. The next time you’re at the shopping mall, check to see if you can find the store’s wireless access point. Odds are the shop is providing free WiFi to its customers. If you’re a retailer looking for information on a wireless network security solution, see the SonicWall TZ Series and SonicPoint Series.