Cyber Security News & Trends

This week, the Zombieland vulnerability leads to a patching frenzy, a global cybercrime gang is shutdown, and a GDPR update.

SonicWall Spotlight

Intel MDS ‘Zombieload’ Vulnerability Software Patch List for MSSPs – MSSPAlert

  • “Zombieload” is a recently discovered vulnerability open to side-channel attacks that affects all Intel processors manufactured since 2011. MSSPAlert quote SonicWall CEO Bill Conner on how it could be used to “pick locks” in highly secure data centers. SonicWall RTDMI technology can discover and block side channel attacks in real-time.

Creating a Culture of Resilience – New Statesman (UK)

  • The New Statesman uses the 2019 SonicWall Cyber Threat Report to review the threat landscape and, noting how cybersecurity is often “bolted onto products as an afterthought,” explains how and why a culture of cyber resilience will have to be built.

Cyber Security News

Russian Government Sites Leak Passport and Personal Data for 2.25 Million Users – ZDNet

  • An investigation into Russian government websites and user portals has found that over 2.25 million Russian citizens had their personal information, including insurance and passport details, left easily accessible online.

GDPR: Europe Counts 65,000 Data Breach Notifications so Far – BankInfoSecurity

  • European privacy authorities have received nearly 65,000 data breach notifications since the EU’s new privacy law went into full effect, with over $63 million in fines issued so far.

Rattled by Cyberattacks, Hospitals Push Device Makers to Improve Security – Wall Street Journal

  • Nervous U.S. hospitals are pressing medical-device makers to improve the cyberdefenses of internet-connected infusion pumps, biopsy imaging tables and other health-care products after being rattled by a rise in cyberattack reports in other hospitals.

Bluetooth Harvester Signals Hacking Group’s Growing Interest in Mobile – Ars Technica

  • ScarCruft, a Korean-speaking advanced persistent threat group, has launched a malware that steals Bluetooth-device information. It is likely that the malware is targeting intelligence and diplomatic agencies for political purposes.

Microsoft Warns Wormable Windows Bug Could Lead to Another WannaCry – Ars Technica

  • Microsoft is warning that the internet could see another exploit of the magnitude of WannaCry unless a high-severity vulnerability is patched. Such is the level of fear that patches for the no-longer supported Windows 2003 and XP have been issued. The vulnerability has not yet been exploited but, due to its low complexity, once the details are known an attack will likely be developed and launched very quickly.

Global Hackers Are Thwarted by FBI, Europe in $100 Million Heist – Bloomberg

  • U.S. and European law enforcement officials have dismantled a “highly specialized and international criminal network” in an operation that has been ongoing since 2016. The members of the group pooled their technical skills together online to craft and circulate malware that attempted to steal around $100 million from thousands of businesses.

Microsoft Office 365: Change These Settings or Risk Getting Hacked, Warns US Govt – ZDNet

  • The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has posted its advice for organizations using Microsoft Office 365. Its major request is that administrators at organizations turn on the many security features, like multi-factor authentication, that are not automatically enabled by default.

In Case You Missed It

Non-Standard Ports Are Under Cyberattack

If you like watching superhero movies, at some point you’ll hear characters talk about protecting their identities through anonymity. With the exception of Iron Man, hiding their true identities provides superheroes with a form of protection. Network security is similar in this respect.

‘Security through obscurity’ is a phrase that’s received both praise and criticism. If you drive your car on side streets instead of the freeway to avoid potential accidents, does that make you safer? Can you get to where you need to go as efficiently? It’s possible, but it doesn’t mean you can evade bad things forever.

Difference between standard and non-standard ports

Firewall ports are assigned by the Internet Assigned Numbers Authority (IANA) to serve specific purposes or services.

While there are over 40,000 registered ports, only a handful are commonly used. They are the ‘standard’ ports. For example, HTTP (web pages) uses port 80, HTTPS (websites that use encryption) uses port 443 and SMTP (email) uses port 25.

Firewalls configured to listen on these ports are available to receive traffic. Cybercriminals know this too, so most of their attacks target the commonly used ports. Of course, companies typically fortify these ports against threats.

In response to the barrage of attacks aimed at standard ports, some organizations have turned to using ‘non-standard’ ports for their services. A non-standard port is one that is used for a purpose other than its default assignment. Using port 8080 instead of port 80 for web traffic is one example.

This is the ‘security through obscurity’ strategy. While it may keep cybercriminals confused for a while, it’s not a long-term security solution. Also, it can make connecting to your web server more difficult for users because their browser is pre-configured to use port 80.

Attacks on non-standard ports

Data in the 2019 SonicWall Cyber Threat Report indicates that the number of attacks directed at non-standard ports has grown. In 2017, SonicWall found that over 17.7% of malware attacks came over non-standard ports.

In comparison, that number was 19.2% in 2018, an increase of 8.7 percent. December 2018 alone hit an even higher number at 23%.

How do I protect non-standard ports?

The best defense against cyberattacks targeting services across both standard and non-standard ports is to have a layered security strategy.

Using ‘security through obscurity’ is just one layer. Relying on it too heavily, however, won’t provide the level of security you need. It may help against port scans, but it won’t stop cyberattacks that are more focused.

You’ll also want to take some other actions, such as changing passwords frequently, using two-factor authentication, and applying patches and updates. And, you’ll want to use a firewall that can analyze specific artifacts instead of all traffic (i.e., proxy-based approach).

Cyber Security News & Trends

This week, SonicWall CEO Bill Conner is interviewed by SC Magazine, a Zero-Day vulnerability travelled around the world without ever being disclosed publicly, and Facebook are working to prevent election meddling in Europe.

SonicWall Spotlight

In Focus: SonicWall CEO Bill Conner – SC Magazine

  • SonicWall CEO Bill Conner joins Illena Armstrong of SC Magazine in an exclusive video interview. They discuss what companies are missing in the global cyber arms race, the non-traditional points of entry where the threats are emerging and what steps an organization can take to secure its infrastructure.

Cyber Security News

The Strange Journey of an NSA Zero-Day into Multiple Enemies’ Hands – Wired

  • Wired tell the story of an NSA-discovered zero-day vulnerability that made its way around the globe over several years; first intercepted by China, then stolen by hackers before being picked up by North Korea and Russia, all without being publicly disclosed.

Facebook Opens a Command Post to Thwart Election Meddling in Europe – New York Times

  • After the harsh criticism it faced following the 2016 US election Facebook has opened a “command post” in Ireland charged with preventing any meddling in the upcoming European election.

Hackers Steal Over $40 Million Worth of Bitcoin From One of the World’s Largest Cryptocurrency Exchanges – CNBC

  • Over $40 million worth of bitcoin has been stolen from Binance, one of the world’s largest cryptocurrency exchanges, in a “large scale security breach.” The well-organized attack managed to bypass the security checks and exited over 7,000 bitcoin, about 2% of total holdings.

Cybersecurity Jobs Abound. No Experience Required. – Wall Street Journal

  • Large tech companies are scrambling to hire hundreds of thousands of corporate hackers to defend their networks and data, pursuing workers without traditional four-year degrees or formal experience.

How to Close the Critical Cybersecurity Talent Gap – Dark Reading

  • “If we don’t change our ways, the gap will keep getting worse.” Dark Reading commentator Thomas Weithman calls for “outside-the-box thinking” to bridge the cybersecurity talent gap, suggesting introducing cybersecurity curriculum in K-12 courses and setting up programs to allow people in a similar industry to retrain.

Russian Cyberspies Are Using One Hell of a Clever Microsoft Exchange Backdoor – ZDNet

  • An email backdoor named LightNeuron that integrates directly with Microsoft Exchange is being called “one of the most complex backdoors ever spotted.” Despite being in use since 2014 it has avoided detection until very recently.

Amazon Hit by Extensive Fraud With Hackers Siphoning Merchant Funds – Bloomberg

  • A court filing has revealed that Amazon believes it was the victim of a “serious” online attack between May and October 2018. Hackers accessed around 100 seller accounts and funneled cash from loans or sales into their own bank accounts.

TRON Critical Security Flaw Could Break the Entire Blockchain – ZDNet

  • A critical vulnerability with a “high” severity rate has been found in the TRON network’s TRX cryptocurrency. If exploited the vulnerability could render the entire network unusable.

Without Strong Cybersecurity, Backdoors Will Remain Open – Silicon Republic

  • Former Europol Executive Director John O’Mahony is warning that not enough companies and individuals have “even adequate cybersecurity” in place to prevent bad actors exploiting backdoors in their networks.

In Case You Missed It

L’apocalisse del cryptojacking: La disfatta dei Quattro Cavalieri del cryptomining

Nonostante le fluttuazioni dei prezzi del bitcoin e delle altre criptovalute, il cryptojacking continua ad essere una grave minaccia – spesso sottovalutata – per le grandi aziende, le PMI ed il consumatore in genere.

Il tipo più subdolo di queste minacce è costituito dal cryptomining tramite browser, nel quale le forme più diffuse di malware cercano di trasformare i dispositivi in mining bot di criptovalute a tempo pieno denominato cryptojacker.

Per cercare di farvi capire in che cosa consiste questa minaccia, vi presento una sintesi dei miei classici insegnamenti sull’argomento, prendendomi la libertà di enfatizzare la situazione. Se ritenete che l’avanzata del cryptojacking sia stata un’apocalisse come credono alcuni di coloro che ne sono rimasti vittima, i Quattro Cavalieri costituiscono altrettante minacce per i vostri endpoint e le vostre aziende:

  • Cavallo bianco: L’energia consumata e sprecata
  • Cavallo rosso: La perdita di produttività dovuta alle risorse limitate
  • Cavallo nero: I danni che possono provocare al sistema
  • Cavallo verdastro: Implicazioni di sicurezza dovute alle vulnerabilità introdotte

Diversamente dal ransomware, che è pensato per essere visibile (per richiedere il pagamento), il lavoro del cryptojacker si svolge in modo invisibile dietro le quinte (anche se il diagramma delle prestazioni della CPU o la ventola del dispositivo possono indicare un’attività anomala).

Negli ultimi due anni gli autori di ransomware hanno cambiato marcia, nel senso di un maggiore ricorso al cryptojacking, poiché l’efficacia turbativa del ransomware e il ritorno sull’investimento diminuiscono man mano che lo stesso finisce sui canali di scansione pubblici come VirusTotal.

Come tutti coloro che gestiscono un’attività decisamente redditizia, i cibercriminali devono trovare sempre nuovi metodi per realizzare i loro obiettivi finanziari. Il cryptojacking viene utilizzato esattamente per tale scopo.

Ad aprile del 2018 SonicWall ha iniziato a tenere sotto controllo le tendenze del cryptojacking, soprattutto l’uso di Coinhive nel malware. Nel corso dell’anno abbiamo visto che il cryptojacking ha avuto alti e bassi. Durante tale periodo SonicWall ha registrato circa 60 milioni di attacchi di cryptojacking, di cui 13,1 milioni nel solo mese di settembre 2018. Come è stato pubblicato nel Rapporto SonicWall 2019 sulle ciberminacce, il volume degli attacchi è calato nell’ultimo trimestre del 2018.

Attacchi di cryptojacking a livello globale da aprile a settembre del 2018

L’attrattiva del cryptomining

Le operazioni di cryptomining sono diventate sempre più diffuse, tanto da rappresentare circa la metà dei consumi mondiali di energia elettrica. Nonostante le notevoli oscillazioni di prezzo, circa il 60% del costo delle attività legittime di mining dei bitcoin è costituito dalla bolletta energetica. In effetti, al momento della redazione di queste, il prezzo di un bitcoin è inferiore al costo delle sue legittime attività di mining.

Con simili costi e rischi zero rispetto a dover acquistare e mantenere le apparecchiature, i cibercriminali sono fortemente incentivati a generare criptovalute utilizzando risorse altrui. Infettare 10 macchine con un cryptominer può produrre guadagni netti fino a 100 dollari al giorno, per cui la sfida per i cryptojacker è triplice:

  1. Individuare gli obiettivi, vale a dire organizzazioni che dispongono di numerosi dispositivi sulla stessa rete, soprattutto scuole e università.
  2. Infettare il maggior numero di macchine possibile.
  3. Restare nascosti più a lungo possibile (diversamente dal ransomware, con modalità più simili al malware tradizionale).

I cryptojacker utilizzano tecniche simili a quelle del malware per intrufolarsi negli endpoint: download drive-by, campagne di phishing, sfruttamento delle vulnerabilità dei browser e plugin dei browser, per citarne solo qualcuno. E, ovviamente, fanno affidamento sull’anello debole della catena, le persone, sfruttando tecniche di social engineering.

Come si fa a sapere se si è vittime dei cryptominer?

I cryptominer sono interessati a sfruttare la potenza di elaborazione delle loro vittime ed i cryptojacker devono trovare il giusto equilibrio tra anonimato e profitti. Di quante risorse della vostra CPU si impossesseranno dipende dai loro obiettivi.

Se sottraggono meno potenza diventa più difficile per gli utenti ignari accorgersi di loro. Rubarne di più fa crescere i prodotti. In entrambi i casi le prestazioni ne risentono, ma se la soglia è abbastanza bassa potrebbe essere difficile distinguere tra un miner e un software legittimo.

Gli amministratori aziendali possono tenere conto dei processi sconosciuti nei loro ambienti, mentre gli utenti finali in Windows dovrebbero far girare un Sysinternals Process Explorer per vedere che cosa c’è in esecuzione. Per la stessa ragione gli utenti Linux e macOS dovrebbero tenere sotto controllo rispettivamente l’uso del System Monitor e dell’Activity Monitor.

Come difendersi dai cryptominer

Il primo passo per difendersi dai cryptominer consiste nel bloccare questo tipo di malware sul gateway, tramite firewall o email security (sicurezza perimetrale), che è uno dei metodi più efficaci per sventare le minacce note basate su file.

Poiché si tende a riutilizzare vecchio codice, un altro primo semplice passo consisteva anche nello stanare cryptojacker come Coinhive. Ma a febbraio del 2019, Coinhive ha reso noto pubblicamente che avrebbe cessato l’attività l’8 marzo. I responsabili hanno dichiarato che “non era più conveniente economicamente” continuare il servizio e che l’attività aveva fortemente risentito del crollo delle criptovalute.

Nonostante ciò, SonicWall prevede che vi saranno sempre nuove varianti e nuove tecniche di cryptojacking per colmare il vuoto. Il cryptojacking potrebbe ancora diventare uno dei metodi preferiti per i cibercriminali per il fatto di essere nascosto; i danni limitati e indiretti per le vittime ne diminuiscono la possibilità di essere scoperto e prolungano il tempo durante il quale gli attacchi andati a buon fine producono benefìci.

Se il ceppo del malware è sconosciuto (nuovo o aggiornato), è in grado di superare i filtri statici del perimetro di sicurezza. Se un file è sconosciuto, viene reindirizzato ad una sandbox per la verifica della sua natura.

L’ambiente sandbox Capture Advanced Threat Protection (ATP) multi-engine di SonicWall è stato progettato espressamente per identificare e bloccare malware evasivo in grado di ingannare un engine ma non gli altri.

Se un endpoint non si trova dietro a questa configurazione tipica (ad esempio, se sta effettuando il roaming all’aeroporto o in albergo), si deve installare un prodotto di sicurezza endpoint che comprende la funzione di rilevamento comportamentale.

I cryptominer possono agire nei browser o essere consegnati tramite attacchi senza file, per cui le soluzioni tradizionali preinstallate sui computer non sono in gradi di vederli.

Gli antivirus di tipo comportamentale come SonicWall Capture Client sono in grado di rilevare se il sistema intende effettuare il mining delle valute e quindi interrompere il funzionamento. Gli amministratori possono facilmente mettere in quarantena e cancellare il malware o, se si tratta di qualcosa in grado di danneggiare i file di sistema, riportare quest’ultimo all’ultima configurazione funzionante prima che venisse eseguito il malware.

Abbinando tutta una serie di difese perimetrali all’analisi comportamentale le organizzazioni possono contrastare le nuove forme di malware, indipendentemente da quelle che sono le loro tendenze o finalità.

Cryptojacking Apocalypse: Defeating the Four Horsemen of Cryptomining

Despite price fluctuations of bitcoin and other cryptocurrencies, cryptojacking remains a serious — and often hidden — threat to businesses, SMBs and everyday consumers.

And the most covert of these threats is cryptomining via the browser, where popular forms of malware attempt to turn your device into a full-time cryptocurrency mining bot called a cryptojacker.

To help you creatively understand this trend, let me summon my classical training and be a little hyperbolic. If you see the cryptojacking wave as an apocalypse like some of their victims do, the Four Horsemen would be the four threats to your endpoint or business:

  • The White Horse: The energy it consumes or wastes
  • The Red Horse: The loss to productivity due to limited resources
  • The Black Horse: The damage it can do to a system
  • The Pale Horse: Security implications due to created vulnerabilities

Unlike ransomware that wants to be found (to ask for payment), a cryptojacker’s job is to run invisibly in the background (although your CPU performance graph or device’s fan may indicate something is not normal).

Ransomware authors have switched gears over the past two years to use cryptojacking more, because a ransomware strain’s effectiveness and ROI diminish as soon as it ends up on public feeds like VirusTotal.

Like anyone else running a highly profitable business, cybercriminals need to constantly find new ways to fulfill their financial targets. Cryptojacking is being used to solve that challenge.

In April 2018, SonicWall started tracking cryptojacking trends, namely the use of Coinhive in malware. Over the course of the year, we saw cryptojacking ebb and flow. In that time, SonicWall recorded nearly 60 million cryptojacking attacks, with as many as 13.1 million in September 2018. As published in the 2019 SonicWall Cyber Threat Report, volume dipped across the final quarter of 2018.

Global Cryptojacking Attacks | April-September 2018

The lure of cryptomining

Cryptomining operations have become increasingly popular, now consuming almost half a percent of the world’s electricity consumption. Despite the wild swings in price, roughly 60% of the cost of legitimately mining bitcoin is the energy consumption. In fact, at the time of writing, the price of a bitcoin is worth less than the cost of mining it legitimately.

With such costs and zero risk as compared to buying and maintaining equipment, cybercriminals have strong incentives to generate cryptocurrency with someone else’s resources. Infecting 10 machines with a cryptominer could net up to $100/day, so the challenge for cryptojackers is three-fold:

  1. Find targets, namely organizations with a lot of devices on the same network, especially schools or universities.
  2. Infect as many machines as possible.
  3. Stay hidden for as long as possible (unlike ransomware and more akin to traditional malware).

Cryptojackers use similar techniques as malware to sneak on to an endpoint: drive-by downloads, phishing campaigns, in-browser vulnerabilities and browser plugins, to name a few. And, of course, they rely on the weakest link — the people — via social engineering techniques.

Am I infected by cryptominers?

Cryptominers are interested in your processing power and cryptojackers have to trade stealth against profit. How much of your CPU resources they take depends on their objectives.

Siphoning less power makes it harder for unsuspecting users to notice. Stealing more increases their profits. In either case, there will be a performance impact, but if the threshold is low enough it could be a challenge to distinguish the miner from legitimate software.

Enterprise administrators may look for unknown processes in their environment, and end users on Windows should spawn a Sysinternals Process Explorer to see what they are running. Linux and macOS users should investigate using System Monitor and Activity Monitor, respectively, for the same reason.

How to defend against cryptominers

The first step in defending against cryptominers is to stop this type of malware at the gateway, either through firewalls or email security (perimeter security), which is one of the best ways to scrub out known file-based threats.

Since people like to reuse old code, catching cryptojackers like Coinhive was also a simple first step. But in February 2019, Coinhive publicly announced it was ceasing operations March 8. The service stated that it wasn’t “economically viable anymore” and that the “crash” impacted the business severely.

Despite this news, SonicWall predicts there will still be a surge in new cryptojacking variants and techniques to fill the void. Cryptojacking could still become a favorite method for malicious actors because of its concealment; low and indirect damage to victims reduces chances of exposure and extends the valuable lifespan of a successful attack.

If the malware strain is unknown (new or updated), then it will bypass static filters in perimeter security. If a file is unknown, it will be routed to a sandbox to inspect the nature of the file.

The multi-engine SonicWall Capture Advanced Threat Protection (ATP) sandbox environment is designed to identify and stop evasive malware that may evade one engine but not the others.

If you have an endpoint not behind this typical set up (e.g., it’s roaming at the airport or hotel), you need to deploy an endpoint security product that includes behavioral detection.

Cryptominers can operate in the browser or be delivered through a fileless attack, so the legacy solutions you get free with a computer are blind to it.

A behavioral-based antivirus like SonicWall Capture Client would detect that the system wants to mine coins and then shut down the operation. An administrator can easily quarantine and delete the malware or, in the case of something that does damage to system files, roll the system back to the last known good state before the malware executed.

By combining a mixture of perimeter defenses and behavioral analysis, organizations can fight the newest forms of malware no matter what the trend or intent is.

Cyber Security News & Trends

This week, SonicWall CEO Bill Conner is interviewed by on Federal Tech Talk, the potential of a 5G future is considered, and more details emerge about the Citrix data breach.

SonicWall Spotlight

Federal Tech Talk’ Hosts SonicWall CEO Bill Conner to Examine Cybercriminal Strategies that Threaten Federal Agencies – SonicWall Blog

  • SonicWall CEO Bill Conner joins John Gilroy on Federal Tech Talk, a radio show and podcast on the Federal News Network. They discuss emerging cyber threats including attacks over non-standard ports, encrypted threats and malicious PDFs and Office files.

SonicWall Reports Dramatic Rise in Fraudulent PDF Files in Q1 2019 – Tech Observer (India)

  • With SonicWall Capture Labs researchers releasing details on the growth of fraudulent PDFs and Office files, SonicWall’s Debasish Mukherjee talks to Tech Observer about how Real-Time Deep Memory Inspection (RTDMI) can detect new malware almost instantly.

Cyber Security News

Cybersecurity: The Key Lessons of the Triton Malware Cyberattack You Need to Learn – ZDNet

  • The Triton malware attack of 2017 was unsuccessful but still managed to shut down industrial operations at a critical infrastructure firm in the Middle East. ZDNet explore how real-world physical security problems intersected with cyber security problems and allowed a cyberattack to go very far before being caught.

P2P Weakness Exposes Millions of IoT Devices – Krebs on Security

  • Peer-to-peer communications software iLnkP2P includes several critical security flaws that leaves millions of Webcams, baby monitors and more open to a cyberattack.

The Terrifying Potential of the 5G Network – The New Yorker

  • While some claim 5G technology will usher in a fourth industrial revolution, there’s a worry that such a huge change could have disastrous effects and policymakers may not be taking the cyber security concerns seriously enough.

“Denial of Service” Attack Caused Grid Cyber Disruption: DOE – E&E News

  • A “cyber event” interrupted power grid operations in the western United States on March 5 of this year. Initially details on what happened were scarce but it has now been confirmed that a denial-of-service (DDOS) attack occurred against an unnamed energy company.

Putin Signs Law to Isolate Russian Internet – Financial Times

  • Russian president Vladimir Putin signed a law that will allow the Kremlin to disconnect Russia from the global internet. Critics are casting it as an attempt to curb free speech or internal dissent within Russia, but the Kremlin says the law is a cyber security safeguard that would allow the Russian internet to continue running in the event of a hostile cyberattack on its infrastructure.

DC Metro Vulnerable to Cybersecurity Attacks, Says Inspector General – The Hill

  • The Washington D.C. Metro has vowed to hire experts to help with cyber security vulnerabilities present in its current systems.

Hackers Lurked in Citrix Systems for Six Months – ZDNet

  • The FBI has become involved in an ongoing investigation into an “intermittent” but long-lasting data breach at Citrix. Information on what data was accessed by hackers is not yet known but it is possible that the data stolen includes names, Social Security numbers, and financial information.

Financial Data for Multiple Companies Dumped Online in Failed Extortion Bid – Dark Reading

  • 516GBs of potentially sensitive stolen data was dumped online after German digital infrastructure service provider Citycopy refused to pay up in an attempted cyber-extortion attempt. The data dump has not been verified or fully examined yet, but the would-be extortionists claim it includes “financial and private information on all clients include VAG, Ericsson, Leica, MAN, Toshiba, UniCredit, and British Telecom (BT).”

Docker Hub Breach Hits 190,000 Accounts – SecurityWeek

  • Docker Hub, the world’s largest library and community for container images, suffered a data breach with 5% of users affected. Usernames and hashed passwords were accessible. Docker says the company breach has now been sealed and that they are working to ensure it cannot happen again.

In Case You Missed It

Dragonblood Vulnerability: Is your WiFi secure?

It’s Game of Thrones season! And anything to do with dragons reminds me of GoT. The Dragonblood vulnerability recently exposed weak security of the WPA3 standard. It was just a year ago that KRACK exposed weaknesses in the WPA2 standard. In response, a stronger successor to WPA2 was announced by the Wi-Fi Alliance: WPA3.

But, was this really a strong successor as it was perceived? Apparently, no.

WPA3 incorporated Simultaneous Authentication of Equals (SAE) handshake, which was a huge improvement over WPA2 as it prevents dictionary attacks. The family of SAE handshakes is referred to as Dragonfly. This handshake is susceptible to password-partitioning attacks, which resemble dictionary attacks and leverages side-channel leaks to recover network passwords.

According to the researchers Vanhoef and Ronen, who published the paper on this vulnerability, WPA3 is affected by serious design flaws that could have been avoided with feedback from industry experts about secure WiFi. Among these flaws is the fact that WPA3 failed to introduce any new protocols, rather it only instructs which existing protocols should be supported.

WPA3 background

WPA3 made enhancements over WPA2 using the latest security methods, disallowing outdated legacy protocols and implementing the use of Protected Management Frames (PMF). It was designed with two types of networks in mind: protection for home networks with WPA3-Personal and for enterprise networks with WPA3-Enterprise.

WPA3-Personal provides increased network password protection, while WPA3-Enterprise provides higher security protocols for enterprise networks. In WPA3-Personal networks, the SAE handshake is the replacement for Pre-Shared Key (PSK) in WPA2-Personal networks. WPA3 includes natural password selection, ease of use and forward secrecy.

What is the Dragonfly handshake?

WPA3-Personal mandates the support of SAE handshakes, which is a balanced Password Authentication Key Exchange where two endpoints (AP and AP, or AP and client) store passwords in clear text. The input for the SAE handshake is a pre-shared secret and the output is a high-entropy Pairwise Master Key. After this execution, a four-way handshake takes place to generate a Pairwise Transient Key.

6 ways Dragonblood affects your wireless network

  1. Denial of Service (DoS) attack. WPA3’s anti-clogging mechanism that is supposed to prevent DoS attacks does not prevent it. Hence, this can bring down access points and cause disruption on your networks.
  2. Downgrade attack. WPA3’s transition mode is susceptible to dictionary attacks. In this mode, a WPA3-capable access point can accept connections from both WPA2 and WPA3 client devices. If an attacker uses a man-in-the-middle attack to modify the beacons of a WPA3-capable access point to fool the client into thinking it is a WPA2 access point, during the four-way WPA2 handshake the client detects the anomaly and aborts the transmission. However, enough frames are sent during the handshake that the attacker can pull off a dictionary attack. In addition, the researchers also discovered “implementation-specific downgrade attacks when a client improperly auto-connects to a previously used WPA3-only network.”
  3. SAE group negotiation attack. Client devices can prioritize groups in SAE handshake according to 802.11 specifications. With SAE, when a client connects to an access point it includes the desired group in the commit frame and this process continues. “Unfortunately, there is no mechanism that detects if someone interfered with this process. This makes it trivial to force the client into using a different group: simply forge a commit frame that indicates the AP does not support the currently selected group.” This results in a downgrade attack. This method can also be used to perform upgrade attacks.
  4. Timing-based side-channel attacks. SAE handshake is susceptible to timing attacks that leak password information, which could later be used in password-partitioning attacks leading to the recovery of the victim’s password.
  5. Cache-based side-channel attacks. SAE is further susceptible to vulnerabilities in the implementation of its algorithms, which could be leveraged in password-partitioning attacks leading to the recovery of the victim’s password.
  6. EAP-PWD. Affects the Extensible Authentication Protocol (EAP) that is supported in WPA2 and WPA standards. The researchers also “discovered serious bugs in most products that implement EAP-pwd. These allow an adversary to impersonate any user, and thereby access the Wi-Fi network, without knowing the user’s password.”

How to protect against Dragonblood

The Dragonblood vulnerability can be fixed with software patches. While the Wi-Fi Alliance is communicating guidelines to vendors, ensure that your network is always patched with the latest security updates from wireless device manufacturers. In combination, use strong passwords on your networks.

Does the Dragonblood vulnerability affect SonicWave wireless access points?

No. This vulnerability does not affect SonicWall wireless access points. The SonicWave access points provide superior wireless security and a dedicated third radio for security scanning. Advanced security services like the Capture Advanced Threat Protection (ATP) sandbox and Content Filtering Service (CFS) can be performed by the APs, even when they are untethered from the firewalls. It gives you the ultimate flexibility to manage wireless from the cloud or via the firewalls — without compromising security.

‘Federal Tech Talk’ Hosts SonicWall CEO Bill Conner to Examine Cybercriminal Strategies that Threaten Federal Agencies

During a recent trip to Washington D.C., SonicWall CEO Bill Conner stopped by Federal News Networks studios to join John Gilroy on Federal Tech Talk.

The pair took to the airwaves (and podcast) to focus on emerging cyber threats that impact enterprises, SMBs and federal agencies alike. Atop the list were attacks over non-standard ports, encrypted threats and malicious PDFs and Office files.

“What’s alarming on this one, these new techniques are evading traditional security sandboxes,” Conner told Gilroy on the show.

In mid-April, SonicWall announced new threat data that highlights the growing volume of PDF fraud campaigns. In all of 2018, the SonicWall Capture Advanced Threat Protection (ATP) sandbox discovered more than 47,000 new attack variants in PDF files. In March 2019 alone, the sandbox found more than 73,000 PDF-based attacks.

“It’s incredibly aggressive in terms of the volume. It’s also very evasive,” said Conner on the broadcast. “If you click on that PDF, it might not hit you immediately. It might be delayed before it activates itself. The alarming piece in this city (Washington D.C) — for the Feds — is that it is emanating out of Russia.”

The compelling 40-minute segment, which is available via podcast, also explored the growing volume of IoT attacks, fileless malware and other evolving exploits.

“It’s a cyber arms race,” said Conner. “As many good guys as we have coding to block it and stop it, you’ve got an equal number of bad guys on the other side looking for architecture or feature holes trying to get around [security controls].”

About Federal Tech Talk

Federal Tech Talk looks at the world of high technology in the federal government. Host John Gilroy of The Oakmont Group speaks the language of federal CISOs, CIOs and CTOs, and gets into the specifics for government IT systems integrators. John covers the latest government initiatives and technology news for the federal IT manager and government contractor.

Cyber Security News & Trends

This week, SonicWall’s recent PDF and Office cyberattack findings back up investigative reporting, a “secure” WhatsApp replacement is anything but, and vulnerabilities in the Internet of Things continue to create headlines.

SonicWall Spotlight

The Growing Partnership Between Russia’s Government and Cybercriminals – 60 Minutes

  • In a new investigative report, CBS examines evidence of increasingly blurred lines between Russia intelligence agencies and the criminal exploits of notorious cybercriminals like Evgeniy Bogachev, better known as the hacker “slavik” and “lucky12345”. The report further supports SonicWall’s recent findings of escalating PDF and Office document-based attacks likely originating from Russia.

Cyber Threat Report: Over 10 Billion Attacks of Various Types Recorded in 2018 – Business Review

  • Business Review reflect on the figures from the 2019 SonicWall Cyber Threat Report and the recently revealed data on the rise of dangerous PDF files.

PDF: The Vehicle of Choice for Malware and Fraud – HelpNet Security

Cyber Security News

How Nest, Designed to Keep Intruders out of People’s Homes, Effectively Allowed Hackers to Get In – Washington Post

  • Internet connected devices, like Google’s Nest family, struggle striking the right balance between making devices very secure and making them easy to use. If too much friction is put in place for security reasons, then brands risks turning potential users off.

FBI: Cybercriminals Set New Record in 2018 by Causing More Than $2.7 Billion in Reported Losses – Washington Times

  • The FBI’s Internet Crime Complaint Center have released their annual report, detailing an almost doubling of financial losses caused by cybercrime in 2018.

Bug in French Government’s WhatsApp Replacement Let Anyone Join ÉLysée Chats – Ars Technica

  • A “secure” messaging app launched by the French government was hacked almost immediately upon release.

An Inside Look at How Credential Stuffing Operations Work – ZDNet

  • ZDNet dig deep into the world of cybercrime to explain how credential stuffing works, detailing both the tools and methods used, but also its place in the criminal economy.

Unauthorized Party Muscles Its Way Into Bodybuilding.Com’s Systems – SC Magazine

  • revealed that it suffered a data breach in February 2019 leaving exposed a trove of data, including the real names, email addresses, physical addresses and phone numbers. Stored financial information beyond partial card numbers was not exposed.

Hacker Finds He Can Remotely Kill Car Engines After Breaking Into GPS Tracking Apps – Motherboard

  • A hacker broke into the accounts of thousands of GPS trackers and claims that “with one touch, I can stop these vehicles engines.” He says that he has carried out this hack to raise awareness of the poor security on the GPS apps.

Cybersecurity: UK Could Build an Automatic National Defence System, Says GCHQ Chief – ZDNet

  • Following a recent UK cybersecurity survey suggesting that only 15% of people say they know how to protect themselves online, the head of the GCHQ in the UK has called for cybersecurity responsibility not to be dependent on individuals but shared by governments, ISPs and businesses.

In Case You Missed It

What to Look for in a CASB Solution

Virtually every organization across major verticals — K-12 and higher education, financial services, retail and hospitality, and government — is undertaking digital transformation endeavors. And this includes migrating applications and data to the cloud.

When organizations do choose to adopt cloud technologies, software-as-a-service (SaaS) is the most popular choice according to a Gartner forecast for public cloud adoption. This is evident in the number of SaaS applications a typical organization uses. According IDG, 73% of organizations have at least one application in the cloud and another 17% plan to do so in the next 12 months.

2018 Cloud Computing Survey

73% of organizations have at least one application in the cloud and another 17% plan to do so in the next 12 months.

The adoption of SaaS applications brings about new security challenges for IT teams and increases attack surfaces for cybercriminals. The main use case for SaaS security is data protection. How do you protect your corporate data when you no longer have full control of the infrastructure or lack visibility into who can access that data and from which device/location?

The need to address this challenge created a new market segment in 2011 called Cloud Access Security Brokers (CASBs) or Cloud Security Gateways (CSGs). The CASB market segment is one of the fastest growing in information security with Gartner estimating a growth rate of 46% CAGR from 2017 to 2022.

Today, cloud security is not just about limiting or securing access to cloud applications. Cloud security is a shared responsibility where the organization that consumes cloud services is responsible for protecting sensitive data within their SaaS tenants. In fact, according to Gartner, “Through 2022, at least 95% of cloud security failures will be the customer’s fault.”

What is CASB?

At a high level, CASB solutions typically deliver the following four functionalities:

  1. Visibility. Enable cloud discovery to shed light on cloud application usage and shadow IT activities.
  2. Data security. Secure the corporate data uploaded or hosted in the cloud by enabling data loss prevention (DLP) and monitor user activity.
  3. Threat protection. Identify anomalous user behavior and provide anti-malware and sandboxing capabilities to protect against threats in the cloud.
  4. Compliance. Empower organizations with auditing and reporting tools to demonstrate compliance, especially in regulated industries.

CASB: The evolution of cloud security

The early CASB solutions were geared toward large enterprises that were early adopters of cloud services. These solutions required sophisticated on-premise deployments that proxied all traffic (either forward or reverse proxy) to enforce inline policies for cloud usage.

This proxy-mode CASB approach is sometimes known to introduce latency and/or cause breakage in application functionality, creating a bad user experience. In fact, it’s why Microsoft recommends against using proxy-based solutions when securing Office 365.

The next generation of CASB solutions take advantage of the API-based architecture that SaaS platforms are built on. API-mode CASB is the only way to provide complete visibility into SaaS environments.

API-based CASBs are easy to deploy and provide the most coverage for SaaS security use cases across sanctioned IT, shadow IT, managed devices and unmanaged devices (BYOD).

On-Demand Webinar with Guest Michael Osterman

Need more security and control for your cloud applications? View this joint on-demand webinar, “Securing Your SaaS Landscape,” with Osterman Research principal analyst Michael Osterman, to explore the major concerns and issues organizations have with SaaS adoption, what to look for in a CASB solution and an overview of SonicWall Cloud App Security.

CASB protects Office 365 deployments

According to the Cybersecurity Insiders 2018 Cloud Security Report, the most popular SaaS app used by organizations of all sizes is Microsoft Office 365.

Many associate Office 365 to email because it’s the most used app within the Office 365 suite. So, when CISOs and IT directors begin migrating on-premise mailboxes to Exchange Online, the default response is to extend the incumbent Secure Email Gateway (SEG) or Mail Transfer Agent (MTA). This approach to secure cloud email creates two significant blind spots:

  1. Causing security gaps. Does not protect other apps within Office 365, so it becomes a point solution that is focused on securing only email.
  2. Missing internal threats. Does not scan internal Office 365 emails, which is becoming increasingly relevant in the current threat landscape with credential compromises and account takeovers.

To address these blind spots, you need to buy an add-on service (to scan internal email) from your email security provider (if they offer one) and deploy a CASB to protect the data residing in OneDrive and SharePoint Online. That’s one more point solution that IT directors need to add to their budget, and IT administrators need to deploy, get trained and manage.

Full-featured CASB solution: SonicWall Cloud App Security

When you view cloud email as a SaaS app, it makes sense that a CASB solution should protect data and provide visibility even if that data is in the form of email messages.

That’s why SonicWall Cloud App Security leverages APIs to directly integrate to SaaS platforms and combine both data security and email security to provide complete protection for SaaS in a single solution. The CASB solution can be implemented in minutes without the need for any on-premise appliances or software installations.