SonicWall’s Bob VanKirk, HoJin Kim & David Bankemper Earn 2022 CRN Channel Chief Recognition

SonicWall is thrilled to share that CRN has named three of its sales leaders to the 2022 Channel Chiefs list: Bob VanKirk, HoJin Kim and David Bankemper. CRN’s annual Channel Chiefs project identifies top IT channel vendor executives who continually demonstrate expertise, influence and innovation in channel leadership.

“CRN’s 2022 Channel Chiefs recognition is given exclusively to the foremost channel executives who consistently design, promote, and execute effective partner programs and strategies,” said Blaine Raddon, CEO of The Channel Company. “We’re thrilled to recognize the tireless work and unwavering commitment these honorees put into fostering outstanding business innovation and building strong partner programs to drive channel engagement and success.”

As Chief Revenue Officer for SonicWall, Bob VanKirk is responsible for driving top-line sales across SonicWall’s global distribution network and oversees the teams, strategy and execution related to SonicWall’s global partner success.

HoJin Kim, Vice President, Worldwide Channels for SonicWall, is responsible for driving the development of SonicWall’s global channel efforts. He leads the implementation of the company’s modern channel strategy to build a sustainable competitive advantage for SonicWall’s partners.

David Bankemper is the Senior Director, Channel Sales for SonicWall and has helped to guide continued investment in and adoption of SonicWall’s MSSP program. David is also responsible for ensuring that SonicWall’s channel partners have the products, tools, incentives and training to profitably deliver cost-effective solutions to their customers.

“It is an amazing feat to have three employees from the same organization recognized by CRN as Channel Chief honorees,” said SonicWall President and CEO Bill Conner. “SonicWall is proud to be a 100% channel company and having three people recognized speaks to the caliber of program SonicWall has built over its 30-year existence.”

The 2022 Channel Chiefs are prominent leaders who have influenced the IT channel with cutting-edge strategies, programs and partnerships. All honorees are selected by CRN’s editorial staff based on their dedication, industry prestige, and exceptional accomplishments as channel advocates. SonicWall has been consistently included in recent CRN awards including Executive of the Year, Women of the Channel and Channel Chief and Rising Female Stars.

CRN’s 2022 Channel Chiefs list will be featured in the February 2022 issue of CRN Magazine and online at www.CRN.com/ChannelChiefs.

Cybersecurity News & Trends – 02-04-22

There’s an extraordinarily strong turnout for SonicWall’s upcoming Boundless 2022 global virtual partner experience. SonicWall is also attracting attention for the recent launch of Gen 7 Next Generation Firewalls (NGFWs). In industry news, the US and Europe brace for cyber-attacks in the shadow of the Ukraine crisis, News Corp is hit by the “China Nexus,” a one-man attack team crashes North Korea’s internet, and the reported drop in breaches in 2020 “doesn’t reflect reality.”


SonicWall News

Strong Turnout for Boundless 2022 – The Global Virtual Partner Experience

SonicWall is seeing an extraordinarily strong registration turnout for its recently unveiled Boundless 2022, its virtual international marquee partner event. The annual event allows partners to hear first-hand about SonicWall’s technology vision and product investments, and to gain a deeper understanding of the company’s customer commitments from its executives. This year, the event will also feature appearances from a legendary celebrity duo. The event is scheduled for Feb. 23 & 24. Visit this page for registration.

DCC launches SonicWall Gen 7 firewall appliances – taking the fight against cyber attacks

ITWeb: Official SonicWall distributor Drive Control Corporation (DCC) has announced the immediate availability of the newest additions to the company’s high-performance firewall offering, the Generation 7 Network Security platform services (NSsp) and Network Security Appliance (NSa) series.

SonicWall Answers the Call with New NGFWs

ARN-IDG: The big news is that SonicWall recently launched 17 new Gen-7 NGFWs in less than 18 months. So, whether you’re a small business or a large enterprise, working from home or in the cloud, you’ll benefit from NGFWs that offer the security, control and visibility needed for an effective cybersecurity posture.

Industry News

Brace for Russian Cyber Attacks as Ukraine Crisis Continues

Reuters, CNN, New York Times: Britain’s National Cyber Security Centre (NCSC), part of the GCHQ eavesdropping intelligence agency, warned large organizations (enterprises, service providers) to bolster their cyber security resilience amid the deepening tensions over Ukraine. The consensus among cybersecurity advisors points to a long-term struggle between the established industrialized democracies and rising rivals such as China and Russia, in which the post-Cold War order of military, technological and economic dominance is to be thoroughly challenged. Some observers, including officials in the US and Europe, believe that the attackers who hit Ukrainian government websites earlier this month left the chilling warning “be afraid and expect the worst” as a message aimed at the West. According to CNN, the FBI has asked US businesses to report any uptick in Russian hacking threats, the latest effort to prepare for potential Russian cyberattacks on US organizations amid Russia’s troop buildup on Ukraine’s border. The New York Times reported that the US dispatched cybersecurity experts to NATO to prepare allies to deter, and perhaps disrupt, Russian cyberattacks on Ukraine, and to brace for the possibility that sanctions on Moscow could lead to a wave of retaliatory cyberattacks on Europe and the United States.

News Corp hit by cyberattack with suspected link to China

The Hill: News Corp. said Friday it was the victim of a cyberattack likely to benefit the Chinese government and that the intrusion targeted its businesses, including the New York Post, Dow Jones and others. The company detailed the scope of the attack in an email to employees and listed it on a filing with the Securities and Exchange Commission (SEC), where the company said a preliminary analysis pointed to a foreign government targeting one of its third-party, cloud-based systems. The cybersecurity firm Mandiant, investigating the attack, said that assessments point to a “China nexus.”

Oil terminals disrupted after European ports hit by cyberattack

Euronews: Port facilities in Belgium, Germany, and the Netherlands have been targeted by a large-scale cyberattack, authorities say. Officials say the hack began several days ago and has primarily disrupted operations at oil terminals, preventing tankers from delivering energy supplies. In addition, German judicial authorities say they have launched an investigation into suspected “extortion” of oil operators amid soaring energy prices. The cyberattack hit Hamburg — a significant port city in northern Germany — and at least six oil terminals in Belgium and the Netherlands.

How a US hacker took down North Korea’s internet in a revenge cyber-attack

WION: The blame for North Korea’s persistent internet failures does not lie with the United States Cyber Command or any other state-sponsored hacker organization. It was the work of an American man, who sat in his living room night after night, watching Alien movies and munching on spicy corn snacks — while working on a personal project. The project involved periodically walking over to his home office to check on the progress of the programs he was running to disrupt an entire country’s internet. North Korean spies hacked an independent hacker who goes by the handle P4x just over a year ago.

Apple says antitrust bills could cause ‘millions of Americans’ to suffer malware attacks

CNBC: Apple warned lawmakers on Tuesday that antitrust bills being considered in the Senate would increase the risk of security breaches for iPhone users. The reason, Apple explains, is that they may be forced to allow “sideloading” — a process where users can download apps outside the App Store. Apple’s pushback reflects growing concern from the iPhone maker about the American Innovation and Choice Online Act and the Open App Markets Act, both of which are scheduled to be considered this week.

Data breach numbers may not be declining, but reporting them is getting slower

TechRepublic: A study released by Flashpoint and Risk Based Security found two startling facts: its reported drop in the total number of breaches is likely erroneous, and the time it takes for an organization to report a breach has increased to the highest level since 2014. Much of what Flashpoint and RBS found was similar to other reports on the topic: healthcare was a leading target, ransomware is more popular than ever, and billions of records were stolen. One of the more interesting data points the report covers is its reported 5% drop in the total number of breaches between 2020 and 2021, which analysts say doesn’t reflect reality. In fact, as reported by the NASDAQ news division, the number of data breaches at corporations was up more than 68% in 2021, beating the previous record, set in 2017, by 23%, according to the 16th annual Data Breach Report conducted by the Identity Theft Resource Center located in El Cajon, CA.


In Case You Missed It

EmbedThis GoAhead Web Server CGI RCE

Overview:

  EmbedThis GoAhead is a popular, compact web server intended and optimized for embedded devices. Despite its small size, the server supports HTTP/1.1 and a CGI handler, among other features.

  An unrestricted file upload vulnerability has been reported in EmbedThis GoAhead Web Server. The vulnerability is due to improper validation of user form variables passed to the file upload filter.

  A remote, unauthenticated attacker could exploit this vulnerability by sending a malicious request to the server. Successful exploitation could lead to arbitrary code execution under the security context of the server process.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-42342.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 9.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C).

  Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 9.0 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  A remote code execution vulnerability exists in EmbedThis GoAhead. Variables supplied through the multipart/form-data content processing are added using websSetVar(), which does not prefix the variable name or set the arg value. Other areas of code use a wrapper function, addFormVars(), for this purpose. The function cgiHandler() attempts to blacklist certain variable names, but uses the strim() function with a null value for the set parameter, returning a null value and preventing any of the values included in the blacklist from matching. Without the arg value set, the variables are used as environment variables verbatim in the spawned process. This vulnerability is due to an incomplete fix for CVE-2017-17562.

  Exploitation of this vulnerability does not misuse the interface itself, which makes detecting illegitimate variables impossible in general. However, the CVE was opened for the specific exploitation path of using the LD_PRELOAD environment variable to point to a supplied shared object (ELF) file so that arbitrary code stored in its .init section runs. The object can be supplied either by sending it after the multipart/form-data content and referencing the CGI standard input through the proc directory or the dev directory, or by uploading it in a multipart/form-data payload and referencing the temporary filename. Other “LD_”-prefixed environment variables may also be used to affect CGI behaviour.

  Incomplete Fix CVE-2017-17562
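
  The following is an added example, not GoAhead’s code and not the vendor’s fix: it shows the shape of the mitigation the technical overview describes, exporting form variables into a CGI child’s environment only through an allow-list and a fixed prefix, and comparing blocked names against the raw variable name rather than a trimmed copy. The “CGI_” prefix, the 64-character limit and the blocked loader prefixes are assumptions chosen for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not GoAhead's code: export web form variables into a CGI
 * child's environment only through an allow-list and a fixed prefix, so a
 * request can never set a loader variable such as LD_PRELOAD directly.
 * The "CGI_" prefix, the 64-character limit and the blocked prefixes are
 * assumptions chosen for this illustration. */

#define CGI_PREFIX "CGI_"

/* Rejected outright, even though the prefix alone would defuse them:
 * names that steer the dynamic loader. Matched case-insensitively. */
static const char *const blocked_prefixes[] = { "LD_", "DYLD_", NULL };

static int ci_starts_with(const char *s, const char *prefix) {
    for (; *prefix; s++, prefix++)
        if (toupper((unsigned char)*s) != toupper((unsigned char)*prefix)) return 0;
    return 1;
}

/* Returns 1 and writes the environment name (prefix + form name) to out,
 * 0 if the form variable is rejected or out is too small. The check runs
 * on the raw name, not on a trimmed copy, so an empty or NULL "set"
 * argument can never make every comparison fail. */
int cgi_export_name(const char *form_var, char *out, size_t outlen) {
    size_t n = form_var ? strlen(form_var) : 0;
    if (n == 0 || n > 64) return 0;
    if (isdigit((unsigned char)form_var[0])) return 0;
    for (size_t k = 0; k < n; k++) {            /* only [A-Za-z0-9_]: no '=' or NUL games */
        unsigned char ch = (unsigned char)form_var[k];
        if (!(isalnum(ch) || ch == '_')) return 0;
    }
    for (size_t k = 0; blocked_prefixes[k]; k++)
        if (ci_starts_with(form_var, blocked_prefixes[k])) return 0;
    return snprintf(out, outlen, "%s%s", CGI_PREFIX, form_var) < (int)outlen;
}

/* Builds "CGI_name=value" entries for an execve()-style environment from
 * parallel name/value arrays. Rejected or oversized entries are dropped and
 * counted instead of being passed through. Returns the number written. */
size_t cgi_build_env(const char *const *names, const char *const *values, size_t n,
                     char envp[][256], size_t max_entries, size_t *dropped) {
    size_t written = 0;
    *dropped = 0;
    for (size_t k = 0; k < n; k++) {
        char name[80];
        if (written == max_entries || !cgi_export_name(names[k], name, sizeof name) ||
            snprintf(envp[written], 256, "%s=%s", name, values[k]) >= 256) {
            (*dropped)++;
            continue;
        }
        written++;
    }
    return written;
}

int main(void) {
    /* Constructed form variables, as a multipart/form-data parser would hand them over. */
    const char *names[]  = { "page", "LD_PRELOAD", "ld_library_path", "count", "bad name" };
    const char *values[] = { "1",    "ignored",    "ignored",         "2",     "ignored"  };
    char envp[8][256];
    size_t dropped;
    size_t written = cgi_build_env(names, values, 5, envp, 8, &dropped);
    for (size_t k = 0; k < written; k++) printf("export %s\n", envp[k]);
    printf("%zu exported, %zu dropped\n", written, dropped);
    return 0;
}
```

  The prefix alone already keeps a form variable from colliding with anything the loader or a shell reads; the explicit rejection of “LD_”/“DYLD_” names is defence in depth, and the character allow-list rules out names that would break the `name=value` environment format.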

Triggering the Problem:

  • The target must have a vulnerable version of the product installed and running.
  • The target product must have been compiled with the ME_GOAHEAD_UPLOAD and ME_GOAHEAD_CGI flags.
  • The target path must be configured to handle CGI requests.
  • The target must support loading ELF shared objects.
  • The target loader must honor the LD_PRELOAD environment variable.
  • The attacker must have network connectivity to the vulnerable application.

Triggering Conditions:

  The attacker sends a crafted HTTP POST request to the target server. The body contains the LD_PRELOAD variable and an embedded ELF shared object. The vulnerability is triggered when the target server processes the request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 6178 EmbedThis GoAhead File Upload Filter Remote Code Execution

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Applying the vendor-supplied patch to eliminate this vulnerability.
    • Filtering attack traffic using the signature above.
    • Compiling the software with either the ME_GOAHEAD_UPLOAD or ME_GOAHEAD_CGI flags disabled.
    • Removing all CGI binaries.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

Argos 2.0 ransomware threat actor gives up decryption key

The SonicWall threat research team has recently seen reports of ransomware called Argos 2.0. The ransomware works like most others, encrypting files and demanding payment in bitcoin for file recovery. However, reverse engineering the malware is trivial and the decryption key is easily obtainable. In addition, the attacker is also willing to give out the decryption key for no payment.

Infection Cycle:

Upon infection, @argosd3crypter.exe is spawned and can be seen running in the background:

Files on the system are encrypted.  After this, the following image is displayed on the screen:

The following files are dropped on to the system:

  • C:\Ransom.png (as seen above)
  • C:\@argosd3crypter.exe [Detected as: GAV: Argos.RSM (Trojan)]

The malware is written in C# and is trivial to decompile:

It has code that reports the infection to the attacker via Discord:

The core decryption function can be seen in the source:

The hardcoded decryption key can be easily seen in the decompiled code along with target directories:

Entering this key results in the following message:

We also contacted BigFrankND#4978 on Discord and were able to freely obtain the decryption key.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Argos.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Don’t Let Global Supply Chain Issues Impact Your Security

Switch to SonicWall and secure your environment today without supply chain delays.

Every so often, we get clear examples of why it pays to be prepared. But, as the pandemic continues to impact the global workforce, it also reveals how interconnected and fragile the global supply chain can be.

A recent survey found that 75% of companies have had negative or strongly negative impacts on their businesses due to disruption from the COVID-19 pandemic. Especially vulnerable and consequential in this tale has been the computer chip shortage and its effect on security vendors. Many firms do not have the product in their inventory to meet their customers’ demands. To remedy these problems, vendors are trying many approaches, ranging from delaying upgrades, upselling more expensive products and cutting functionality to outright ending the life of (EOL-ing) some products.

In the pantheon of cybersecurity, such delays can be catastrophic. As ransomware gangs roam global networks seemingly unopposed, shortages and supply disruptions impose a full range of unpleasant experiences on network managers, from uncertainty to total disruption of their network security expansion plans. The situation is increasingly problematic, as delays expose networks to unnecessary risk while attackers take advantage of known and fixable gaps in security. Network managers understand, but who can blame them for seeking out more reliable sources?

Not all Security Vendors Are Impacted Equally by Shortages

The fact is, not all security vendors are impacted at the same level. Some had the foresight to manage the situation, mitigating the risk and effect of global shortages and delays. At SonicWall, we got busy working diligently to minimize disruptions and maintain a robust product supply. At the earliest signs of shortages, we started working with our partners to strategically manage our supply positions. Collaborating diligently with our suppliers, we identified crucial parts and increased our supply in anticipation of a strong rebound. As a result, SonicWall is fulfilling 95% of orders within three days of receiving them.

Benjamin Franklin wrote, “By failing to prepare, you are preparing to fail.” We’ve taken that adage to heart by working closely with our suppliers to identify shortages in the supply chain and redesigned our solutions to take advantage of more readily available parts without sacrificing the quality or durability of our products. These preparatory efforts were well worth it, given the severity of the chip shortage that persists. Having successfully met global challenges in the supply chain allows us to respond to our customer needs more readily with the solutions they need.

The Rewards of Being Prepared

By being prepared, we acted on our customers’ behalf. The reward for all our work is a strong inventory of products, while many of our competitors struggle to fill theirs. If your current security vendor is giving you excuses and can’t offer you the solution you need in a timely manner, it is time to talk to SonicWall. We are ready to deliver the products you need and work with you to implement them now.

Contact Us for more information.

Cybersecurity News & Trends – 01-28-22

SonicWall hits industry news with the unveiling of the Boundless 2022 global virtual partner experience, hosted by a legendary celebrity duo – learn more. In general news, Microsoft discloses hackers are using device registration to attack enterprises, and they’re also going after your Instagram accounts. In addition, the talent gap in cybersecurity is widening, SBA announced $3 million in grants for small business cybersecurity development, and cybersecurity is broken (but Dark Reading has ideas how to fix it).


Industry News

Register Now for Boundless 2022 – The Global Virtual Partner Experience

Reinforcing its ongoing commitment to its partners and customers, SonicWall unveiled Boundless 2022, a virtual international marquee partner event, Feb. 23 & 24. Boundless 2022 will allow attending partners to hear first-hand about SonicWall’s technology vision and product investments and to gain a deeper understanding of the company’s customer commitment from SonicWall executives. It will also include an appearance from a legendary celebrity duo.

Hackers Using Device Registration Trick to Attack Enterprises with Lateral Phishing

The Hacker News: Microsoft has disclosed details of a large-scale, multi-phase phishing campaign that uses stolen credentials to register devices on a victim’s network to propagate spam emails further and widen the infection pool. The tech giant said the attacks manifested through accounts not secured using multi-factor authentication (MFA). Without MFA, attackers could take advantage of the target’s bring-your-own-device (BYOD) policy to introduce their own rogue devices using the pilfered credentials.

Hackers Hijacking Instagram Accounts Of Companies And Influencers, Demanding Ransom

ZDNet: Hackers are hijacking the Instagram accounts of companies and influencers with huge followings in a new phishing campaign identified by Secureworks. In October, the cybersecurity company said it discovered the effort, finding hackers taking over prominent accounts and demanding a ransom. The people behind the attack start by sending a message pretending to be Instagram, notifying Instagram users of a purported instance of copyright infringement. A link in the message takes victims to a website controlled by hackers. From there, the user is asked to enter their Instagram login information, giving the attackers full access to their accounts.

Cybersecurity Is Broken

Dark Reading: One significant development in the threat landscape is the corporatization of hacking. As with any burgeoning industry, hacking groups have brought more organization to their structure in order to scale up. Plus, malware has gotten “smarter,” variants proliferate, and attackers take advantage of the distributed workforce. But the biggest step toward better cybersecurity, say the authors, is to stop conceptualizing cybersecurity as a wall and to abandon the reactive approach of tamping down attacks. Instead, companies need a security stack, efficiently layered to disrupt as many attack methods as possible.

The Widening Cybersecurity Talent Gap

Forbes: Over the past few years, one issue has remained prevalent and will continue to be as we head into 2022: a cybersecurity workforce shortage and talent gap. This is becoming a more recognizable problem as companies come to grips with the reality of cyberattacks, crime and the havoc they’re bringing on their victims. But, unfortunately, these aren’t just big names covered by the media; they’re businesses next door that might’ve already become a statistic of cybercrime.

SBA Announces $3 Million in Grants for Small Business Development

Small Business Trends: The Small Business Administration (SBA) has announced $3 million in new funding for state governments to assist emerging small businesses in developing their cyber security infrastructure. The new funding will help create a safer cyber environment for small businesses by giving them the proper training and tools to help make them less prone to potentially crippling cyberattacks. The funding is part of the Cybersecurity for Small Business Pilot Program, offered through the Office of Entrepreneurial Development.

APTs Quiet Ahead of Beijing Games, But Financially Motivated Hackers Are Lurking

Cyberscoop: State-sponsored hacking groups have been uncharacteristically quiet leading up to the Olympics next month in Beijing. Researchers say there’s one big reason why: no one wants to get on the wrong side of China. Advanced persistent threat (APT) groups from Iran and Russia, while unlikely to attack China or the games, probably will use the event as a chance to spy on countries considered adversarial, researchers say. Potential avenues for surveillance include the unique mobile SIM cards offered to foreign athletes to avoid the Chinese firewall and the MY2022 Olympic Games app all attendees must install.

Hackers Steal $80 Million In Cryptocurrency From The Qubit Defi Platform

The Verge: Qubit Finance, a decentralized finance (Defi) platform, has become the latest victim of a high-value theft, with hackers stealing around $80 million in cryptocurrency on Thursday. The value of cryptocurrency stolen makes this the largest hack of 2022 so far. Qubit Finance acknowledged the hack in an incident report published through Medium. According to the report, the hack occurred at around 5 PM ET on the evening of January 27th. Qubit provides a service known as a “bridge” between different blockchains, effectively meaning that deposits made in one cryptocurrency can be withdrawn in another. For example, Qubit Finance operates a bridge between Ethereum and the Binance Smart Chain (BSC) network.

Despite Attacks, Companies Leave Vast Amounts of Sensitive Data Unprotected

ProPublica: Companies leave data exposed online with little or no security, says Pompompurin, a pseudonymous hacker who posted millions of stolen records. The hacker then cited the attacks on RaidForums, a discussion board popular with cybercriminals seeking personal data. Pompompurin told ProPublica that he often doesn’t need to do much hacking to get his hands on sensitive personal data. Many times, it’s left in cloud storage folders available to anyone with internet access. Pompompurin said he scans the web for such unguarded material and then leaks it on RaidForums “because I can and it’s fun.”

Ransomware Hackers Have a New Tactic: They Call You Directly

NBC News: Wayne didn’t know his son’s school district had been hacked — its files stolen and computers locked up and held for ransom — until last fall when the hackers started emailing him directly with garbled threats. “We hold control on the network several months, so we had a ton of time to carefully study, exfiltrate the data and prepare attack,” said one of the three emails he received. If his son’s district, the Allen Independent School District in the Dallas suburbs, didn’t pay up, all its files, including information on him and his son, “would be released in the dark market.” It was a credible threat. Ransomware hackers frequently leak files of organizations that don’t meet their demands and have littered the dark web with school children’s personal information.


In Case You Missed It

Oracle MySQL Server InnoDB Memcached Vulnerability

Overview:

  MySQL is a popular open-source implementation of a relational database that supports the Structured Query Language (SQL) for querying and updating stored data. Communication with the database occurs using the MySQL protocol. As with other database implementations, MySQL supports a number of database storage engines, with InnoDB as the default backend.

  A buffer overflow vulnerability has been reported in Oracle MySQL. The vulnerability exists in the InnoDB memcached plugin component.

  A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted packet to the vulnerable server. Successful exploitation will allow an attacker to execute arbitrary code in the context of the application.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-2429.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 6.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C).

  Base score is 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is low.
    • Impact of this vulnerability on data integrity is low.
    • Impact of this vulnerability on data availability is low.
  Temporal score is 6.4 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics
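
  The CVSS figures quoted in this advisory and in the GoAhead advisory above (base 10.0/temporal 9.0 and base 7.3/temporal 6.4) follow mechanically from their vector strings. The calculator below is an added example, not SonicWall’s or FIRST’s tooling: it implements the CVSS v3.1 base and temporal equations, including the specification’s Roundup rule, and parses the two vectors from the page. Environmental metrics are not handled.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not SonicWall's or FIRST's code): a CVSS v3.1 base and
 * temporal score calculator that reproduces the scores quoted in the
 * advisories from their vector strings. Deliberately avoids <math.h>. */

typedef struct { double base, temporal; } cvss_scores;

/* CVSS v3.1 "Roundup": round up to one decimal, using integer arithmetic
 * so that values like 8.93 do not suffer from floating point noise. */
static double cvss_roundup(double x) {
    long i = (long)(x * 100000.0 + 0.5);
    if (i % 10000 == 0) return i / 100000.0;
    return (double)(i / 10000 + 1) / 10.0;
}

static double pow15(double x) {            /* x^15 for the changed-scope impact term */
    double r = 1.0;
    for (int k = 0; k < 15; k++) r *= x;
    return r;
}

static double cia_weight(char v) {         /* C, I and A share one scale */
    return v == 'H' ? 0.56 : v == 'L' ? 0.22 : v == 'N' ? 0.0 : -1.0;
}

/* Parses e.g. "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C".
 * Returns 0 and fills out on success, -1 on a malformed or incomplete vector.
 * Temporal metrics default to "not defined" (weight 1.0) when absent. */
int cvss31_score(const char *vector, cvss_scores *out) {
    char buf[256];
    double av = -1, ac = -1, ui = -1, c = -1, i = -1, a = -1;
    double e = 1.0, rl = 1.0, rc = 1.0;
    char pr = 0, scope = 0;

    if (strlen(vector) >= sizeof buf) return -1;
    strcpy(buf, vector);
    for (char *tok = strtok(buf, "/"); tok; tok = strtok(NULL, "/")) {
        char *colon = strchr(tok, ':');
        if (!colon || colon[1] == '\0') return -1;
        *colon = '\0';
        char v = colon[1];
        if (!strcmp(tok, "CVSS"))    { if (strcmp(colon + 1, "3.1") && strcmp(colon + 1, "3.0")) return -1; }
        else if (!strcmp(tok, "AV")) av = v == 'N' ? 0.85 : v == 'A' ? 0.62 : v == 'L' ? 0.55 : v == 'P' ? 0.2 : -1;
        else if (!strcmp(tok, "AC")) ac = v == 'L' ? 0.77 : v == 'H' ? 0.44 : -1;
        else if (!strcmp(tok, "PR")) pr = v;             /* weight depends on scope */
        else if (!strcmp(tok, "UI")) ui = v == 'N' ? 0.85 : v == 'R' ? 0.62 : -1;
        else if (!strcmp(tok, "S"))  scope = v;
        else if (!strcmp(tok, "C"))  c = cia_weight(v);
        else if (!strcmp(tok, "I"))  i = cia_weight(v);
        else if (!strcmp(tok, "A"))  a = cia_weight(v);
        else if (!strcmp(tok, "E"))  e = v == 'F' ? 0.97 : v == 'P' ? 0.94 : v == 'U' ? 0.91 : 1.0;
        else if (!strcmp(tok, "RL")) rl = v == 'W' ? 0.97 : v == 'T' ? 0.96 : v == 'O' ? 0.95 : 1.0;
        else if (!strcmp(tok, "RC")) rc = v == 'R' ? 0.96 : v == 'U' ? 0.92 : 1.0;
        else return -1;
    }
    int changed = (scope == 'C');
    double prw = pr == 'N' ? 0.85 : pr == 'L' ? (changed ? 0.68 : 0.62)
               : pr == 'H' ? (changed ? 0.50 : 0.27) : -1;
    if (av < 0 || ac < 0 || prw < 0 || ui < 0 || c < 0 || i < 0 || a < 0 ||
        (scope != 'U' && scope != 'C'))
        return -1;

    double iss = 1.0 - (1.0 - c) * (1.0 - i) * (1.0 - a);
    double impact = changed ? 7.52 * (iss - 0.029) - 3.25 * pow15(iss - 0.02)
                            : 6.42 * iss;
    double expl = 8.22 * av * ac * prw * ui;
    double raw = changed ? 1.08 * (impact + expl) : impact + expl;
    out->base = impact <= 0 ? 0.0 : cvss_roundup(raw > 10.0 ? 10.0 : raw);
    out->temporal = cvss_roundup(out->base * e * rl * rc);
    return 0;
}

int main(void) {
    const char *vectors[] = {
        "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C",  /* GoAhead advisory */
        "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C",  /* MySQL advisory   */
    };
    for (size_t k = 0; k < 2; k++) {
        cvss_scores s;
        if (cvss31_score(vectors[k], &s) == 0)
            printf("%s\n  base %.1f  temporal %.1f\n", vectors[k], s.base, s.temporal);
    }
    return 0;
}
```

  The GoAhead vector illustrates why the changed-scope case matters: its raw score exceeds 10 after the 1.08 factor and is capped, while the MySQL vector with three Low impacts lands at 7.3 before the unproven-exploit temporal weight pulls it to 6.4.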

Technical Overview:

  A heap buffer overflow vulnerability exists in the MySQL InnoDB-memcached plugin when it handles an incoming get command. This is performed in the innodb_get() function. When there is “@@store_name” notation inside a get command, the vulnerable function executes the code branch that switches tables. In doing so, it retrieves the schema (db_schema) and table (db_table) information using the supplied store_name and builds the table_name with the following format string (depending on whether the platform is Windows):

  %s\%s

  or

  %s/%s

  For the above example, when the memcached server receives a get command such as “get @@aaa”, the table_name is built as “ts1\tab1”. This table_name is then copied into a heap buffer with a fixed size of 16384 bytes. If there are multiple “@@store_name” notations in one get command, all of the generated table_name strings are copied into this buffer in order. However, the vulnerable function fails to validate the total length of these table_name strings, which can overflow the heap buffer.

  Memcached Get Data
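
  As an added example (not MySQL source code), the snippet below shows the bounded version of the operation described above: it scans a get command for “@@store_name” switches, builds each “schema<sep>table” name with the same format string, and accumulates them in one fixed-size buffer with the total-length check the advisory says innodb_get() lacks. The store-to-schema/table mapping is a constructed stand-in for the plugin’s configuration; “ts1”/“tab1” are the names the advisory uses, “ts2”/“tab2” are invented.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not MySQL source: collects the "schema<sep>table" names for
 * every @@store_name switch in a memcached get command into one fixed-size
 * buffer, with the total-length check the advisory says innodb_get() lacked.
 * The store mapping below is constructed; the real plugin reads it from its
 * configuration tables. TABLE_NAME_BUF is the size the advisory quotes. */

#define TABLE_NAME_BUF 16384

typedef struct { const char *store, *schema, *table; } store_map;

static const store_map stores[] = {          /* constructed mapping */
    { "aaa", "ts1", "tab1" },
    { "bbb", "ts2", "tab2" },
};

static const store_map *lookup_store(const char *name, size_t len) {
    for (size_t k = 0; k < sizeof stores / sizeof stores[0]; k++)
        if (strlen(stores[k].store) == len && memcmp(stores[k].store, name, len) == 0)
            return &stores[k];
    return NULL;
}

/* Appends "schema<sep>table" plus its terminator at buf + *used.
 * Returns 0 on success, -1 when the name would not fit: this is the
 * check whose absence turns a long command into a heap overflow. */
static int append_table_name(char *buf, size_t bufsize, size_t *used,
                             const char *schema, const char *table, char sep) {
    int need = snprintf(NULL, 0, "%s%c%s", schema, sep, table);
    if (need < 0 || (size_t)need + 1 > bufsize - *used) return -1;
    snprintf(buf + *used, bufsize - *used, "%s%c%s", schema, sep, table);
    *used += (size_t)need + 1;
    return 0;
}

/* Scans a get command such as "get @@aaa @@bbb.key1" and collects every
 * table switch. Returns the number of switches, or -1 for an unknown store
 * or when the names would exceed bufsize. sep is '\\' on Windows, '/' elsewhere. */
int collect_table_names(const char *cmd, char *buf, size_t bufsize, size_t *used, char sep) {
    int count = 0;
    const char *p = cmd;
    *used = 0;
    while ((p = strstr(p, "@@")) != NULL) {
        p += 2;
        size_t len = strcspn(p, " .\r\n");        /* store name ends at space, '.', or EOL */
        const store_map *m = lookup_store(p, len);
        if (m == NULL) return -1;
        if (append_table_name(buf, bufsize, used, m->schema, m->table, sep) != 0) return -1;
        count++;
        p += len;
    }
    return count;
}

int main(void) {
    char names[TABLE_NAME_BUF];
    size_t used;
    int n = collect_table_names("get @@aaa @@bbb.key1", names, sizeof names, &used, '/');
    printf("%d table switches, %zu bytes used\n", n, used);
    for (size_t off = 0; n > 0 && off < used; off += strlen(names + off) + 1)
        printf("  %s\n", names + off);
    /* Same command against a deliberately tiny buffer: rejected instead of overflowing. */
    char tiny[12];
    printf("tiny buffer: %d\n", collect_table_names("get @@aaa @@bbb", tiny, sizeof tiny, &used, '/'));
    return 0;
}
```

  The important line is the comparison of the needed length against the remaining space before the copy; a command with enough “@@store_name” switches to exceed the buffer is refused as a whole rather than written past its end.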

Triggering the Problem:

  • The target host must have a vulnerable version of the affected product installed and running.
  • The target product must have the InnoDB-memcached plugin enabled.
  • The attacker must have the means to deliver crafted packets to the target service.

Triggering Conditions:

  The attacker sends a malicious Memcached get request to the target server. The vulnerability is triggered when the server processes the malicious request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • Memcache, over port 11211/TCP

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 3109 MySQL InnoDB Memcached Plugin DoS

Remediation Details:

  The following actions may be taken in order to mitigate or eliminate the risks associated with this vulnerability:
    • Limit access to the database to allow trusted users only.
    • Restrict remote connections to trusted hosts only.
    • Filter attack traffic using the signature above.
    • Upgrade the vulnerable product to a non-vulnerable version.
  The vendor, Oracle, has released the following advisory regarding this vulnerability:
  Vendor Advisory

Unpacking the U.S. Cybersecurity Executive Order

Amid the 2021 wave of frequent, high-profile ransomware attacks on U.S. organizations, the White House issued its “Executive Order on Improving the Nation’s Cybersecurity.” Section 3 of the order states:

“The federal government must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS) and Platform as a Service (PaaS); centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and invest in both technology and personnel to match these modernization goals.”

There are several important implications in this section that will have lasting impact on the cybersecurity industry as a whole.

Zero Trust Architecture

The Zero Trust cybersecurity model implements the elusive concept of “never trust, always verify.” While the concept has been around for longer than most practitioners realize, the recent uptick in cybercrime and the responding push by various security analysts and vendors has put the idea back in the spotlight.

The executive order directs government agencies to move towards a Zero Trust model, but the effects will be much further reaching. As government agencies rush to implement Zero Trust, enterprises working with these agencies are expected to follow suit to protect both the government and their own infrastructure. This will accelerate the already-in-progress shift to Zero Trust security.

Unfortunately, malicious actors don’t discriminate between federal agencies and the private sector. Whether your organization is a small business trying to get off the ground or an established one with millions of dollars’ worth of federal government contracts, it’s essential for it to follow the best practices and implement Zero Trust Network Access (ZTNA).

A Move Towards the Cloud

I remember when as-a-service cloud solutions were first introduced. Most vendors had two sets of offerings: one in the cloud and another in the form of an appliance for government agencies that were cloud averse. Those days are long gone: today many cloud providers have their own government-sanctioned, FedRAMP-authorized cloud solutions.

This executive order is asking the federal government to embrace and implement cloud XaaS solutions, be it SaaS, IaaS or PaaS. Due to federal regulations, government agencies were the last holdouts to cloud transformation, and this order is removing that hurdle.

Whether your organization is using public cloud services like AWS, Azure or Google Cloud, or is running its own private cloud, it is important to plan for and build security guardrails into your architecture from the beginning rather than bolting them on later.

Centralized Management

Note that the order asks for centralized and streamlined access to cybersecurity data for analytics. While cloud delivery is not directly mandated by the order, this points strongly toward cloud-delivered management services. After all, what better way to centralize and streamline access to a resource than by putting it in the cloud? However, there are pitfalls associated with this approach, and the next section covers the most important one.

IT Supply Chain: A Word of Caution

The recent pandemic has shown how interconnected the global supply chain really is. We are seeing delays and increased costs in everything from electronic chips to bicycle parts. Security admins should also consider the interdependencies of security in their IT supply chain.

Recent high-profile attacks like the one on SolarWinds reiterated the old adage that any system is only as strong as its weakest link. Many multinational enterprises were impacted simply because they were using SolarWinds’ technology. Malicious actors infiltrated SolarWinds’ supply chain and inserted a backdoor into its product. When customers downloaded the trojanized installation packages from SolarWinds, the backdoor gave the attackers access to those customers’ environments. This was a sophisticated attack: the attackers even randomized their code to bypass traditional scanners that look for known indicators of compromise (IOCs).

Unfortunately, one of the downsides of moving to the cloud is the dependency on other vendors’ infrastructure and security practices. This issue becomes even more relevant as the cloud infrastructure becomes more complex and interconnected.

Security admins would be wise to audit their partner infrastructure, especially XaaS providers, to ensure that they are not inadvertently integrating with a vulnerable environment.

Cybersecurity News & Trends – 01-21-22

In industry news, a new business survey explores why employees violate the cybersecurity policies designed to keep their businesses safe. Also, there’s a lot of reporting on how the US power grid has improved, but experts say it still needs stronger cybersecurity. In other news, the International Red Cross suffered a breach, Crypto.com says hackers stole more than $30 million in Bitcoin and Ethereum, cryptocurrency values take a sharp dive as Russia explores a complete ban on crypto mining and trading, and CISA is urging US organizations to prepare for data-wiping attacks similar to what hit Ukraine last week.


Industry News

Research: Why Employees Violate Cybersecurity Policies

Harvard Business Review: Many organizations have focused their security investments on technological solutions in the face of increasingly common (and costly) cyberattacks. However, as many consultants and experts know, attackers also rely on an insider (an employee or other member) knowingly or unknowingly letting a bad actor into secure areas. What is behind these acts that can tear down even the most advanced security solutions? HBR published a recent study suggesting that most intentional policy breaches stem not from a malicious desire to cause harm but from the perception that following the rules would impede employees’ ability to get their work done effectively. Under pressure to be productive, employees are more likely to violate security policies on days when they are more stressed. The study suggests that high stress levels reduce people’s tolerance for rules that seem to get in the way of doing their jobs. In light of these findings, the authors suggest how organizations should rethink their approach to cybersecurity and implement policies that address the underlying factors creating these vulnerabilities.

Biden’s Cybersecurity Policies Praised Despite the Persistence Of Ransomware

NBC News: From Russian cyberespionage to attacks on crucial supply chains, the Biden administration has had no shortage of cybersecurity challenges to face. While ransomware was a rapidly escalating problem before Biden took office, it became undeniable last year. Hackers, often operating with seeming impunity within Russia, extorted US hospitals and schools, a major oil pipeline company and the country’s largest beef distributor. Experts say a year later, the Biden administration has done a decent job with cybersecurity policy, filling crucial roles and hardening the country’s infrastructure cybersecurity. But they also warn that ransomware hackers will likely continue to target Americans and that Congress hasn’t helped the country’s security as much as it could.

US Power Grids Need Stronger Cybersecurity

Bloomberg: According to the country’s top energy regulator, the US power grids need to boost their cyber defenses to find hackers faster to keep them from gaining control over operations. According to a notice issued Thursday, the Federal Energy Regulatory Commission is proposing to develop standards to monitor devices or equipment on bulk power systems. The proposed standards would seek to find hackers lurking within networks instead of current efforts that use a perimeter defense that focuses on trying to keep attackers out of sensitive networks. A massive breach using software from Texas-based SolarWinds Corp. in 2020 is one example of how attackers can bypass such defenses through trusted vendors.

Indonesia C.Bank Says Ransomware Attack Did Not Impact Services

Reuters: Indonesia’s central bank said on Thursday that it had been attacked last month by ransomware, but the risk from the attack had been mitigated and did not affect its public services.

Albuquerque Public Schools (APS) Resolves Effect of Ransomware Attack

APS News: Albuquerque Public Schools confirmed that the cyberattack that forced a two-day cancellation of classes last week was a ransomware event in which an extortion demand was made. But APS officials are not saying what was demanded or whether they negotiated with the attackers.

International Red Cross: Supply Chain Data Breach Hit 500K People

InfoSecurity: The International Committee of the Red Cross (ICRC) has revealed a significant data breach that compromised the personal details of over 515,000 “highly vulnerable” victims. The data was stolen from a Swiss contractor that stores the information on behalf of the global humanitarian organization headquartered in Geneva.

Data Breach Customer Relations: What NOT To Do

InformationWeek: Some companies try to keep a data breach relatively quiet by following only the minimum legal requirements and hoping it will blow over. From experience, say experts, it’s much more likely to blow up than blow over. This article looks at some “bad behaviors” that managers may want to avoid.

Top 3 Small-Business Cyber Threats That Many Businesses Still Haven’t Heard Of

Inc Magazine: A study released Wednesday from the San Diego-based CyberCatch, a cybersecurity platform provider focusing on small and mid-size businesses, reveals that more than 30 percent of US small businesses have weak points that bad actors can exploit. Moreover, fraudsters tend to set their sights on small businesses since smaller companies usually have weaker security safeguards than those at larger companies. Some of the vulnerabilities that the survey named as “unknown” to small businesses include “spoofing,” “clickjacking,” and “sniffing.”

Crypto.Com Says Hackers Stole More Than $30 Million In Bitcoin And Ethereum

CBS News: The cryptocurrency exchange Crypto.com, known for its viral commercial starring Matt Damon as well as its recent $700 million deal to rename the Staples Center in Los Angeles as Crypto.com Arena, said the hackers managed to bypass its two-factor authentication system and withdraw the funds from 483 customer accounts, according to a statement the Singapore-based crypto exchange posted Thursday on its corporate blog.

Crypto-Exposed Stocks Sink Amid Bitcoin’s Decline, Broader Market Rout

CoinDesk: Stock declines come as the price of Bitcoin has dropped almost 11% in the past 24 hours, trading below $40,000 for the first time in months. Crypto watchers note that as Bitcoin in general is getting hammered, crypto miners are seeing their revenues fall sharply. They also point out the double whammy as Bloomberg and other outlets reported that Russia’s central bank is proposing a complete ban on crypto mining and trading.

CISA Urges US Orgs to Prepare For Data-Wiping Cyberattacks

Bleeping Computer: US organizations are getting another warning to strengthen their cybersecurity defenses. This time, CISA is concerned about recent data-wiping attacks that targeted Ukrainian government agencies and corporate entities. Several major entities suffered coordinated cyberattacks in which hackers defaced websites and distributed data-wiping malware that corrupted data and rendered Windows devices inoperable. Sources believe the attackers likely conducted the website defacements using a vulnerability in the OctoberCMS platform. Ukrainian authorities are also investigating what role Log4j vulnerabilities and stolen credentials may have played in the attacks. The message: patch, and keep a watchful eye on all activity.


In Case You Missed It

Traces of an Android malware yet again lead to a GitHub repository

The SonicWall Threats Research team identified yet another GitHub repository that might have been used to create and release an Android malware in the wild; this time it’s AndroRAT.

Specifics for the sample that was identified in the wild:

  • MD5: f1d83d43b21478c349f2ee515aef4271
  • Application Name: Google Service Framework
  • Package Name: com.IiIiIiIi.IiIiIiIiIiIiiIIIIiIiI


Using this repository, a malicious app can be configured with the following options:


We created a test app using this repository and compared the code of the two applications. The code looks identical:

The application identified was created with the following options as can be seen from the config class:


The application requests a number of permissions, several of which grant access to sensitive user information:

  • RECEIVE_BOOT_COMPLETED
  • WAKE_LOCK
  • CAMERA
  • READ_EXTERNAL_STORAGE
  • WRITE_EXTERNAL_STORAGE
  • READ_SMS
  • ACCESS_FINE_LOCATION
  • ACCESS_COARSE_LOCATION
  • READ_CALL_LOG
  • RECORD_AUDIO
  • SYSTEM_ALERT_WINDOW


This gives a taste of the components in this malware. The application contains a multitude of malicious functionalities and is capable of accepting commands from the attacker, some of which are listed below:

  • exit
  • camList
  • takepic
  • shell
  • getClipData
  • deviceInfo
  • help
  • clear
  • getSimDetails
  • getIP
  • vibrate
  • getSMS
  • getLocation
  • startAudio
  • stopAudio
  • startVideo
  • stopVideo
  • getCallLogs
  • getMACAddress

Commands are visible in the code as shown:


We configured a test AndroRAT sample to understand further how this malware works. Once the listener was configured and the malware executed on the infected device, we quickly received a shell over the incoming connection:


Commands can now be executed on the infected device:

For instance, running ‘deviceInfo’ gave us details of the infected device:


Overall, this threat is a potent spyware and Remote Access Tool (RAT). Though its feature set is limited, considerable personally identifiable information (PII) can be extracted from an infected device. The fact that this RAT is freely available on GitHub is a cause for concern.
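The traits documented above (the permission set, the distinctive command strings that survive in classes.dex, the package name built only from I/i characters so it looks like a legitimate identifier, the “Google Service Framework” label on a non-Google package, and the MD5 in the IOC list) can be turned into a quick triage check. The following Python script is an added example written for this page; it is not SonicWall’s code and is not taken from the repository. The manifest, string table and APK bytes it runs on are constructed to mirror the sample rather than extracted from it, and the overlap thresholds are assumptions that should be tuned against a benign corpus.

```python
import hashlib
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions requested by the AndroRAT sample described above.
ANDRORAT_PERMISSIONS = {
    "RECEIVE_BOOT_COMPLETED", "WAKE_LOCK", "CAMERA", "READ_EXTERNAL_STORAGE",
    "WRITE_EXTERNAL_STORAGE", "READ_SMS", "ACCESS_FINE_LOCATION",
    "ACCESS_COARSE_LOCATION", "READ_CALL_LOG", "RECORD_AUDIO",
    "SYSTEM_ALERT_WINDOW",
}

# Command vocabulary listed above. Generic words (exit, help, clear, shell)
# occur in plenty of benign code, so only the distinctive ones are scored.
ANDRORAT_COMMANDS = {
    "exit", "camList", "takepic", "shell", "getClipData", "deviceInfo", "help",
    "clear", "getSimDetails", "getIP", "vibrate", "getSMS", "getLocation",
    "startAudio", "stopAudio", "startVideo", "stopVideo", "getCallLogs",
    "getMACAddress",
}
DISTINCTIVE_COMMANDS = ANDRORAT_COMMANDS - {"exit", "help", "clear", "shell"}

# MD5 from the IOC list above.
KNOWN_MD5 = {"f1d83d43b21478c349f2ee515aef4271"}


def parse_manifest(manifest_xml: str) -> tuple[str, str, set[str]]:
    """Return (package, app label, short permission names) from a decoded
    AndroidManifest.xml, e.g. as produced by `apktool d`."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    label = app.get(ANDROID_NS + "label", "") if app is not None else ""
    perms = {
        node.get(ANDROID_NS + "name", "").rsplit(".", 1)[-1]
        for node in root.findall("uses-permission")
    }
    return package, label, perms


def has_homoglyph_segment(package: str) -> bool:
    """True if any package segment consists only of I/i/l, as in the
    sample's com.IiIiIiIi.IiIiIiIiIiIiiIIIIiIiI."""
    return any(seg and set(seg) <= set("Iil") for seg in package.split("."))


def triage(manifest_xml: str, dex_strings: list[str], apk_bytes: bytes) -> dict:
    """Score one APK against the AndroRAT traits documented above.
    Thresholds (0.7 / 0.5) are assumptions, not values from the analysis."""
    package, label, perms = parse_manifest(manifest_xml)
    md5 = hashlib.md5(apk_bytes).hexdigest()
    perm_overlap = len(perms & ANDRORAT_PERMISSIONS) / len(ANDRORAT_PERMISSIONS)
    cmd_overlap = len(DISTINCTIVE_COMMANDS & set(dex_strings)) / len(DISTINCTIVE_COMMANDS)
    findings = {
        "md5": md5,
        "known_ioc": md5 in KNOWN_MD5,
        "permission_overlap": perm_overlap,
        "command_overlap": cmd_overlap,
        "homoglyph_package": has_homoglyph_segment(package),
        # Label borrows Google's name while the package is not Google's.
        "impersonates_google": "google" in label.lower()
        and not package.startswith("com.google."),
    }
    if findings["known_ioc"]:
        findings["verdict"] = "malicious"          # hash match is conclusive
    elif perm_overlap >= 0.7 and cmd_overlap >= 0.5:
        findings["verdict"] = "likely AndroRAT"    # spyware permissions + C2 verbs
    elif findings["homoglyph_package"] or findings["impersonates_google"]:
        findings["verdict"] = "suspicious"         # packaging tricks only
    else:
        findings["verdict"] = "clean"
    return findings


# Constructed inputs (not the real sample): a manifest mirroring the package
# name, label and permissions reported above, and a string table of the kind
# `strings classes.dex` would yield.
SAMPLE_MANIFEST = (
    '<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
    'package="com.IiIiIiIi.IiIiIiIiIiIiiIIIIiIiI">'
    + "".join(f'<uses-permission android:name="android.permission.{p}"/>'
              for p in sorted(ANDRORAT_PERMISSIONS))
    + '<application android:label="Google Service Framework"/></manifest>'
)
SAMPLE_DEX_STRINGS = [
    "Ljava/lang/String;", "onCreate", "camList", "takepic", "getClipData",
    "deviceInfo", "getSimDetails", "getIP", "getSMS", "getLocation",
    "startAudio", "getCallLogs", "getMACAddress",
]
SAMPLE_APK_BYTES = b"constructed placeholder, not the real APK"

BENIGN_MANIFEST = (
    '<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
    'package="com.example.notes">'
    '<uses-permission android:name="android.permission.INTERNET"/>'
    '<application android:label="Notes"/></manifest>'
)

if __name__ == "__main__":
    print("sample:", triage(SAMPLE_MANIFEST, SAMPLE_DEX_STRINGS, SAMPLE_APK_BYTES))
    print("benign:", triage(BENIGN_MANIFEST, ["onCreate", "exit"], b"benign placeholder"))
```

Feed it the decoded AndroidManifest.xml from `apktool d` and the output of `strings classes.dex`. Only the hash match is conclusive; the permission and command overlaps are heuristics that will also light up on legitimate device-management or parental-control apps, which is why the script keeps the raw overlap ratios alongside the verdict instead of hiding them.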


SonicWall Capture Labs provides protection against this threat using the signature listed below:

  • AndroidOS.Androrat.PN


Indicators of Compromise:

  • f1d83d43b21478c349f2ee515aef4271