Cybersecurity News & Trends – 10-08-21

/0 Comments/in /by

It been a big news week as conversations about the Mid-Year Update to the 2021 SonicWall Cyber Threat Report, the Boundless Cybersecurity Model, and the 30th Anniversary filled up pages. SonicWall got a big boost from a story about a new ransom disclosure bill when the co-sponsoring senators (Warren and Ross) mentioned data from the Threat Report in their press releases. In industry news, MIT designs a cybersecurity fire drill, “urgently needed rules” fail to impress and Facebook is crystal clear: outage was not a hack.

SonicWall in the News

New Bill Would Require Ransom Disclosure Within 48 Hours

U.S. Senators Warren and Ross have introduced legislation requiring ransomware victims to report payments within 48 hours of the transaction. Warren and Ross cited figures from SonicWall’s Mid-Year Update to the 2021 SonicWall Cyber Threat Report noting that ransomware attacks rose 62% worldwide between 2019 and 2020 and 158% in North America.

 

Warren Drafts’ Ransom Disclosure Act’ as Ransomware Attacks Increase

Be In Crypto (USA): The legislation proposes that victims of ransomware attacks in the U.S. file an incident report within 48 hours of payment. The bill’s co-sponsors used data from the Mid-Year Update to the SonicWall 2021 Cyber Threat Report.

 

In The Face of More Lethal Attacks, A New Cyberdefense.

BYTE (Spain): The article notes that 2021 has already been a record year for cybercrime, and there is still a quarter to go. The article describes the cybercrime landscape by citing data from SonicWall’s Mid-Year Update to the 2021 SonicWall Cyber Threat Report.

 

Egnyte Expands Ransomware Protection and Adds Ransomware Recovery

ChannelProNetwork (Blog): Citing 304.7 million ransomware attacks in the first half of 2021 as reported by the Mid-Year Update to the 2021 SonicWall Cyber Threat Report. The author describes methods for recovery from ransomware attacks.

 

SonicWall Is Geared Up with the Boundless Cybersecurity Model to Address the New Business Normal

VARIndia (India): The article includes commentary from SonicWall’s Debasish Mukherjee, VP Regional Sales, APAC, about SonicWall’s role in helping companies and organizations transition. Debasish comments that the current era of the ‘anytime, anywhere business’ is forever changing the shape of the I.T. and business landscape.

 

5 Key Cybersecurity Trends to Know, for 2021

The Clinton Courier: The author describes significant trends for cybersecurity this year based on Mid-Year Update to the 2021 SonicWall Cyber Threat Report.

 

Celebrating 30 years, SONICWALL, the leader in CYBERSECURITY

TechFeedThai (Thailand): SonicWall Solution Provider Cybersecurity for SMBs and Large Enterprises Celebrates 30 years since its inception in August 1991. The story also announces an offer by a regional SonicWall product distributor to perform threat assessments for local businesses.

 

Why Email is Your Biggest Cybersecurity Threat

ACE IT (blog): According to SonicWall, email remains a primary way people share information, with over 320 emails sent per day. In addition, the blog notes that through the massive shift to work-from-home, email became “the most extensive channel for all forms of phishing and ransomware attacks.”

 

MSPs: Ransomware Is Your Wake-Up Call to Deliver Non-Negotiable and Comprehensive Security

MSP Insights: Noting that ransomware attacks are only becoming more prevalent, more dangerous, and more costly, the report cites ransomware attacks increased 158% in North America last year, from the Mid-Year Update to the 2021 SonicWall Cyber Threat Report.

 

Cybersecurity Report: Record 304.7 million Ransomware Attacks

vTechio Blog: Quoting SonicWall’s Mid-Year Update to the 2021 SonicWall Cyber Threat Report: the number of attacks eclipses 2020 global totals in just six months. With this data, the writers explain, it’s clear that cybercrime has reached a new and unsettling paradigm.

 

Cybersecurity – Attack and Defense Strategies

Packt: Promoting the Second Edition of a book, the publisher notes “32.7 million IoT attacks” from the Mid-Year Update to the 2021 SonicWall Cyber Threat Report as an example of the current threat landscape. They also note that malware leveraged during an IoT-related attack infects routers and can facilitate data theft.

Industry News

What Happened to Facebook, Instagram, & WhatsApp?

Krebbs on Security: Earlier this week, Facebook (with Instagram, WhatsApp) suffered a massive outage that lasted almost seven hours. While many news organizations speculated that attackers hacked Facebook, Krebbs Report suggested “something inside Facebook” triggered a company-wide revocation of vital digital records that point computers and other devices to Facebook’s assigned resources. Reportedly, during the early part of the outage, employees on-premises could not use passcodes and electronic I.D. badges. Krebbs also speculated that the company’s Border Gateway Protocol (BGP) was affected. The BGP is a chunk of code that Internet Service Providers worldwide share for routing traffic through the complex array of Internet Protocol addresses. On Wednesday, details about the outage appeared to confirm reporting from Krebbs. Also, in the face of rising concerns about cybersecurity, Facebook is crystal clear that the hours-long outage had nothing to do with hackers.

 

Cyberattack Fire Drills: Is Your Company Prepared?

Harvard Business Review: Preparing for the unexpected is much easier said than done. In the case of cyberattacks, many companies have vulnerabilities that they don’t know about. Many organizations can benefit from instituting fire drills and exercises that test a company’s response plan for a cybersecurity catastrophe. Drills can reveal gaps in security, response plans, and employees’ familiarity with their roles. Research for this article was supported by the Cybersecurity at MIT Sloan consortium and Boston Consulting Group.

 

Cybersecurity Budgets for Industrial Control Systems and Operational Tech Increasing

ZDNet: Nozomi Networks and the SANS Institute released a survey that revealed companies had invested more in cybersecurity to protect industrial control systems (ICS). Of 480 responses, 47% reported that their cybersecurity budgets increased over the past two years, 32% said there had been no change, and 15% said they had at least one cybersecurity event in the last 12 months. 

 

Senators Introduce Bill to Strengthen Federal Cybersecurity After Attacks

The Hill: A bipartisan bill was introduced in the U.S. Senate last Monday stipulating overhaul and improvement for federal cybersecurity policy. The legislation aims at the Federal Information Security Modernization Act, signed into law in 2014, and clarifies reporting requirements for federal agencies if hackers successfully target them.

 

New’ Urgently Needed’ Cybersecurity Rules for Pipelines Draw Mixed Reviews

Last July, the U.S. Transportation Security Administration issued “urgently needed” emergency rules to strengthen the cybersecurity of the nation’s most essential energy pipelines. The effort followed the Colonial Pipeline shut down earlier this year sparked massive fuel shortages and gasoline panic-buying. The regulations recognize that voluntary compliance is not working. However, according to industry officials and some analysts, TSA administrators wrote the new rules in such a way that implementing them could hamper pipeline reliability.

 

Why Today’s Cybersecurity Threats Are More Dangerous

With greater complexity and interdependence among networked digital systems, attackers have even more opportunities to conduct widespread damage. The report identifies unsecured Internet of Things (IoT) devices as the “big hairy monster under the bed” while noting that, in many cases, the barriers to cybercrime are low.

In Case You Missed It

 

The State of Cybersecurity Funding for State and Local Government

/0 Comments/in /by

Congress recognizes a national cybersecurity crisis. SonicWall has a plan to help state and local governments with proposals and procurement.

With dozens of high-profile cybersecurity attacks still fresh in everyone’s mind, U.S. Senate negotiators are hard at work to show taxpayers they can deliver a solution. The recent $1.2 trillion infrastructure proposal passed by the U.S. House of Representatives authorizes $2 billion in new cybersecurity programs, including a $1 billion grant program for cybersecurity initiatives especially set aside for state and local government.

The initiative is entirely understandable given the range and scope of threats facing Americans today. The ransomware attack last May on Colonial Pipeline offered a chilling view of one possible future. Policy-makers are anxious to avoid repeating an episode that triggered regional gasoline shortages and panic-buying that lasted several days.

However, the cyberattacks on business threw the covers off greater dangers that nearly all levels of government now face. In the widely cited and quoted Mid-Year Update to the 2021 SonicWall Cyber Threat Report, government agencies and departments experienced three times more attacks in the first half of 2021 than in all of 2020. By June of this year, federal, state and local governments saw 10 times more ransomware activity than business.

Congress Jumps into Cybersecurity

Given the magnitude of enormous threats from hacker gangs and state-sponsored teams, the move certainly made a lot of sense. But politics being politics, the proposal still must get through the House, where it faces a long road to approval.

Speaker of the House Nancy Pelosi and many members of the House have declared that they will vote on the measure after the Senate passes an even more ambitious $3.5 trillion social policy bill this fall. The process will likely place the infrastructure bill and the cybersecurity initiative on hold for months.

Before the infrastructure bill’s passing, the White House budget proposal for 2022 outlined $58.4 billion for IT funding, including $9.8 billion specified for cybersecurity initiatives for civilian agencies.

While the National Defense Authorization Act (NDAA) Conference Committee has not finalized defense-related budgeting for 2022, it does pick up from last year’s budget, which established the office of the National Cyber Director. In addition, it allows up to $6 billion in discretionary funding, which, according to some capitol observers, could find its way into state and local government IT projects, especially if the infrastructure bill stalls in Congress.

The American Rescue Plan

While the discussion about infrastructure captures all the attention, state and local governments have already started tapping into other funding sources to help shore up their cybersecurity. In March 2021, the American Rescue Plan Act (ARPA) was signed into law. Designed as a means to bridge funding gaps for state, local and tribal governments hammered by the COVID pandemic, the law provides $350 billion in total funding.

It is important to keep in mind that these funds do not come with specific guidelines. State and local government applicants may use this kind of funding for just about anything they want. For example, funds can be invested in water, sewer or their IT security infrastructure.

According to an assessment on ARPA funding by the Brookings Institute, “funding for state and local governments appears to be incredibly flexible, and therefore even more supportive of innovative recovery solutions.”

These funds will be disbursed over the next three years, with many state, municipal and county agencies applying the funds to bridge budget gaps caused by revenue shortfalls during COVID-19. Meanwhile, the anecdotes are filtering in, emphasizing the nightmare scenarios of a security breach because of outdated firewalls and software.

Some funding will go to IT security. But, of course, the question will be how much is enough for the interim until bigger and deeper funding resources are made available.

SonicWall Has a Plan

SonicWall has a long history of working with federal, state, local governments and agencies. SonicWall understands the complexities of the network and how each user in a department may require specific user access. The SonicWall Boundless Cybersecurity model provides the performance and security that allows each agency the elasticity needed in today’s new normal.

SonicWall also bring solutions for hyper-distributed networks, where everyone is remote, mobile, and potentially unsecure, along with the traditional campus cybersecurity network needs.

In addition, the Boundless Cybersecurity model offers seamless protection against the most evasive and crippling cyberattacks like ransomware, IoT, encrypted threats and malware.

SonicWall works closely with all parties to help decipher the often-complicated procurement rules and sort out funding guidelines. We’re out there, in the field, assisting city, county and state agencies; we can share best practices when it comes to assessing the procurement process, right down to grant-writing.

In addition, SonicWall works closely with government procurement, and IT teams to determine their risk profile and build out a security solution for their current and future needs.

We’ve learned a lot throughout the years; below are some best practices and unique considerations:

  1. Recognize and address your increased cybersecurity risks from all aspects of your network. SonicWall can help you uncover hidden dangers with high-level analytics and reporting.
  2. Create and maintain robust data policies and procedures. Network management and policy management tools are built into SonicWall Network Security Manager. NSM gives IT teams the power to govern centrally, meet compliance rules and regulations, and manage risks as they emerge.
  3. Seek automated real-time breach detection and prevention. SonicWall offers automated TLS inspection, patented Real-Time Deep Memory Inspection (RTDMI), Reassembly-Free Deep Packet Inspection (RFDPI) and Capture ATP cloud-based multi-engine sandboxing. Alternatively, we also provide Capture Security Appliance (CSA) on-premises advanced threat detection and Cloud App Security for Office 365 and G Suite applications.
  4. Plan a layered approach to cybersecurity. For example, SonicWall solutions offer ‘end-to-end’ layers of protection, detection and inspection. Our portfolio provides firewalls, switches, secure mobile access, Wi-Fi, email security, cloud application security, endpoint security and control — all orchestrated within a consolidated Network Security Manager through a single pane of glass.
  5. Get everyone on board. The best cybersecurity implementation starts with total buy-in from everyone in the organization. Your network security is strengthened when everyone complies with security measures and recognizes that their security depends on their actions and behavior.
  6. Demand the correct certifications from your vendors. SonicWall meets S. federal governmental certification and interoperability requirements, e.g., NIST, FIPS 140-2, CSfC, Common Criteria, DoDIN APL, USGv6 and NSA CNSA Suite B.

Our goal is to help governments dive into the work of protecting public assets and communities with Boundless Cybersecurity. For more information, visit www.sonicwall.com.

OpenLDAP slapd Integer Underflow Vulnerability

/in /by

Overview:

  OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol (LDAP) service. On a default installation, the OpenLDAP server uses TCP port 389 for communication. The OpenLDAP server has a modular architecture where the OpenLDAP server daemon, slapd, can be configured as a frontend, a backend or as an overlay. A frontend server typically listens on a TCP port and manages connections. Backend servers can either store the Directory data using one of various available engines (e.g. back-bdb for using BerkeleyDB, backldif for using LDIF text files), or act as a proxy server for other data storage systems (e.g. back-ldap for proxying to other LDAP servers, back-sql for talking to arbitrary SQL databases, back-passwd to use Unix system passwd and group data), or as a dynamic backend that generates data on the fly.

  A denial-of-service vulnerabilities has been reported in the slapd of OpenLDAP. The vulnerability is due to improper input validation in controls in LDAP search requests.

  A remote attacker can exploit the vulnerability by sending a crafted query to the target OpenLDAP server. Successful exploitation could cause integer underflow which leads to denial of service condition.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2020-36221, dated 2021-01-25.

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 4.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C).

  Base score is 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is none.
    • Impact of this vulnerability on data integrity is none.
    • Impact of this vulnerability on data availability is low.
  Temporal score is 4.8 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  An integer underflow vulnerability exists in the OpenLDAP daemon, slapd. When slapd receives an incoming SearchRequest message including a valuesReturnFilter control with attributeCertificateExactMatch assertion, it calls a function serialNumberAndIssuerSerialPretty() to normalize the string value in matchValue. Before the normalization, it will call a function serialNumberAndIssuerSerialCheck() to validate the syntax of the string. According to the implementation, a valid syntax of the string should be like follows:

  The order of the serialNumber and issuer does not matter for the validation. The validations include checking minimum length of the assertionValue or matchValue, the first and last characters are “{” and “}”, the existence of key words such as “issuer” and “serialNumber” etc. However, the validation of “{” and “}” logic is mistakenly implemented as follows:

  Therefore, if the assertionValue or matchValue only starts with “{” or ends with “}” will bypass the validation. Also, the vulnerable function has an internal variable of type “unsigned long” to record the remaining length of the assertionValue or matchValue for validation. During the process of the validation, the variable will be decreased until 0. Since the vulnerable function does not validate that the last character is “}”, it failed to decrement the variable correctly. When the last character of the assertionValue or matchValue is ‘”‘, there is a chance that the length variable will be decremented beyond zero which effectively translates to a large positive value for an unsigned long integer (integer underflow). Then, the variable will be used in a loop as the upper bound for the loop counter, leading to an out-of-bound read violation.

  Note that the filter part of a LDAP SearchRequest message can be used to reproduce this vulnerability too, since it also has an extensibleMatch field with the type of MatchingRuleAssertion. If the MatchingRuleId is set with OID “2.5.13.45”, the time string in the matchValue field will be parsed by the vulnerable function serialNumberAndIssuerSerialCheck() too.

  A remote attacker can exploit this vulnerability by sending a crafted SearchRequest message with a Filter that contains an crafted matchValue. Successful exploitation will result in the slapd process terminating abnormally.

Triggering the Problem:

  The server must have the vulnerable product installed and running.

  • The attacker must be able to send an LDAP SearchRequest to the target.

Triggering Conditions:

  The attacker sends a crafted SearchRequest. The server will processes this request, the vulnerability is triggered.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • LDAP, over port 389/TCP
    • LDAPS, over port 636/TCP

SonicWall’s, (IPS) Intrusion Prevention System, provides protection against this threat:

  • IPS: 2084 OpenLDAP slapd serialNumberAndIssuerCheck Integer Underflow 1

  • IPS: 2093 OpenLDAP slapd serialNumberAndIssuerCheck Integer Underflow 2

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Filtering attack traffic using the signatures above.
    • Allowing only trusted authenticated users to Bind to the server.
    • Applying the vendor provided patch.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

Cybersecurity News & Trends – 10-01-21

/2 Comments/in /by

SonicWall’s Mid-Year Update to the 2021 SonicWall Cyber Threat Report comes back into the news cycle, and Terry Greer-King, VP of EMEA Sales at SonicWall, describes how AI-powered cybersecurity is setting the pace as threats evolve in real-time. In industry news, China bans crypto trading in the latest sign of growing frustration with the crypto community, and more hackers turn to cryptojacking to expand their enterprises. Then, there’s an ongoing struggle to hire cybersecurity personnel for governments, Neiman-Marcus customer database is breached, $311 million awarded for IT and cybersecurity, and Yahoo builds a culture. And separately, October is Cybersecurity Awareness Month – #BeCyberSmart

SonicWall in the News

Cybersecurity – Attack and Defense Strategies

Packt: Promoting the Second Edition of a book, the publisher notes “32.7 million IoT attacks” from the Mid-Year Update to the 2021 SonicWall Cyber Threat Report as an example of the current threat landscape. They also note that malware leveraged during an IoT-related attack infects routers and can facilitate data theft.

 

Ransomware-as-a-Service: Handy Services for your Friendly Neighborhood Cybercriminals

OneLogin: Did you know that cybercriminals can pay for a service to spread and manage ransomware attacks? Well, they can. And, in fact, it is called Ransomware-as-a-Service (RaaS). According to the Mid-Year Update to the 2021 SonicWall Cyber Threat Report, 304.7 million ransomware attempted attacks in the first six months of 2021.

 

The Top Ransomware Threats Aren’t Who You Think

Threat Post: Move over REvil, Ragnar Locker, BlackMatter, Conti et al.: Three lesser-known gangs account for the vast majority of ransomware attacks in the US and globally. The report mentions the Mid-Year Update to the 2021 SonicWall Cyber Threat Report as the source for a list of emerging ransomware threats in the first half of 2021.

 

Cryptocurrencies and telecommuting: fertile ground for cybercrime

Digis MAK: Ransomware threats to supply chains have rapidly escalated the list of concerns for businesses and governments in the wake of the pandemic. The story cites the Mid-Year Update to the 2021 SonicWall Cyber Threat Report, mentioning that in the first six months of this year, the security firm SonicWall recorded a volume of 304 million attacks, a number never seen before.

 

AI-powered cyber-security leads the pack

TEISS (UK): Terry Greer-King at SonicWall describes how AI-powered cyber-security is setting the pace as threats evolve in real-time. With a record-breaking year for ransomware, AI-powered cybersecurity could come at no better time. Citing the Mid-Year Update to the 2021 SonicWall Cyber Threat Report, the story mentions that in the first half of 2021, ransomware attacks skyrocketed to 304.7 million, smashing 2020’s total number of attacks (304.6 million) in just six months — a 151% year-over-year increase.

 

Ransomware victims need to warn of attack? Who investigates? 

Play Crazy Game (Brazil): Cyberattacks reached a record in the first half of 2021 worldwide. Brazil is the 5th biggest threat target, citing 9 million attempted attacks from the Mid-Year Update to the 2021 SonicWall Cyber Threat Report.

Industry News

China’s Regulators Ban Crypto Trading and Mining, Sending Bitcoin Tumbling

Reuters: Late last week, a new headline reverberated through the global cryptocurrency community: China declared all cryptocurrency transactions illegal. As the story gained steam, Bitcoin (BTC) and other cryptocurrencies fell sharply in trading. However, they then quickly recovered even as Chinese brokers like Huobi Global ceased account registrations for new users from mainland China. But the story does not end there. The US Department of Treasury previously announced strict sanctions against cryptocurrency exchange SUEX to allow ransomware transactions. While the two actions do not appear to be coordinated, they reveal growing frustration among governments over the lack of centralized controls and rules for cryptocurrency trades. According to the Treasury Department, ransomware payments in 2020 topped $400 million worldwide, more than four times their level in 2019. Thanks to hackers, the world of cryptocurrency – which savors its independence from regulation – will feel increasing pressure to regulate or face more actions such as those witnessed by China and the US.

 

States at a disadvantage in the race to recruit cybersecurity pros

Associated Press: Hiring people with strong cybersecurity skills into government security programs is difficult when the best that some agencies can offer are unpaid internships as a part of their candidate recruitment programs. Employment agencies working in the field estimate that state and local governments need to fill 9,000 cybersecurity jobs, with the footnote that the actual need total is probably much higher. The Department of Homeland Security recently acknowledged 2,000 job vacancies in newly formed cybersecurity task forces. The story from AP notes that salaries from government agency positions are often significantly lower than what is offered in the private sector.

 

Why Cryptomining Malware Is a Harbinger of Future Attacks

Dark Reading: With cryptocurrency values soaring, more and more organized hackers are jumping into cryptojacking to increase cashflows. They still rely on the same methods of injecting malware into victims’ networks and computers, but the risk of getting caught is very low. Many cryptojackers rely on behavior: most of their victims usually do not notice the installation of their tiny payload of malware, let alone the CPU cycles that are siphoned off to engage cryptomining. In addition, the effort to maintain the hack is far less risky for the hacker than ransomware or other types of breaches. The opinion here conforms with different views – as cryptocurrency valuation rises, the number of cryptojackers will also rise.

 

Cybersecurity Breach Affects More Than 4 Million Neiman Marcus Customers

CBS Dallas: Neiman Marcus Group, based in Dallas, TX, said in a news release that a security breach exposed personal information from 4.6 million customers, including contact details, payment card numbers, gift card numbers, usernames and passwords.

 

Four agencies win $311M to Modernize IT, Cybersecurity

Federal News Network: The first tranche of cybersecurity modernization awards worth about $311 million was awarded to four agencies for six projects. Funding is from the $1 billion that Congress specified in the Technology Modernization Fund earlier this year.

 

How Yahoo Built a Culture of Cybersecurity

Harvard Business Review: Yahoo studied employee responses to simulations to better understand how to make them take cybersecurity seriously. To make meaningful change, managers should take three key steps:

  1. They must identify critical employee behaviors.
  2. Managers must measure behaviors transparently.
  3. Managers must use awareness to explain why something is important.

Telling your employees that they should do something isn’t enough to inspire meaningful change. Just ask anyone who has ever watched a cybersecurity awareness video. While the videos do a good job of instructing employees to be mindful of data security, the videos seldom lead to a wholesale change in behavior. This article relates closely with another from HBR: Cyberattacks are Inevitable. Is Your Company Prepared?

In Case You Missed It

 

AtomSilo hits large Brazilian company in $1M double extortion scheme

/in /by

The SonicWall Capture Labs threat research team has observed a continued increase in ransomware used in double extortion schemes.  The operators of ransomware known as AtomSilo have recently infiltrated a Brazilian pharmaceutical company.  The malware installed has encrypted their files and obtained 900GB of very sensitive scientific data and even immigration and contact information of its employees.  A $500,000 ransom is offered for 48 hours.  After this, the ransom is increased to $1M in Bitcoin.  Failure to pay will result in the sensitive data being released to the public.

 

Infection Cycle:

 

Upon infection of the ransomware component, files on the system are encrypted.  Each encrypted file is given a “.ATOMSILO” file extension.

After encryption, the following message is brought up on the infected machine’s desktop:

 

The following files are dropped on to the system:

  • README-FILE-{machine name}-{random 10 digit number}.hta (in directories with encrypted files)

 

The tOr web address (http://mhdehvkomeabau7gsetnsrhkfign4jgnx3wajth5yb5h6kvzbd72wlqd.onion) leads to the following page that is hosted by the operators:

 

The “LIST LEAK” button shows a company that is in the process of being extorted by the operators:

 

The “GO TO POST” button brings up a page that shows a summary of the data that has been obtained by the attackers:

 

This page is very long and contains samples of the sensitive data that has been obtained:

 

The leak also includes company financial data and employee contact information:

 

We reached out to the email address (arvato@atomsilo.com) provided in the ransom note and received the following response:

 

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: AtomSilo.A (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

 

 

SonicWall Continues to Rack Up Awards, CRN Recognizes Another Rising Channel Star

/0 Comments/in /by

SonicWall continues its collection of industry-recognized awards. The company’s director of solutions engineers, Wayne Wilkening, added to CRN’s 100 People You Don’t Know But Should for 2021. Every year, this CRN list honors the people working tirelessly behind the scenes to support not only their partners, but the broader channel ecosystem, as well.

“I’ve long since had a passion for security and networking fields, and SonicWall has given me the opportunity to immerse myself in both,” said Wilkening. “Taking this journey with our customers and loyal partners has allowed me to solve new problems every day while building lasting relationships across North America. It’s great to be recognized for what I love to do.”

Wilkening is a SonicWall staple, having been at the company for almost two decades. He plays a vital role in helping enable, manage and mentor his team of pre-sales channel and territory engineers across the United States and Canada.

“There are truly talented folks who make game-changing, creative and strategic decisions every day behind the scenes,” said Blaine Raddon, CEO of The Channel Company. “With the 100 People You Don’t Know But Should, we are excited to shine a light on this exceptional group and honor them for their remarkably important work on behalf of their partners and their contributions to the IT channel at large.”

The CRN editorial team compiles the list each year to bring well-deserved attention to the best and brightest who may not be as visible or well-known as some channel executives, but whose roles are just as important. The selections are based on feedback from leading solution providers and industry executives.

SonicWall, founder of the award-winning SecureFirst partner program and SonicWall University, is celebrating its 30-year anniversary in 2021. The company has grown to include more than 17,000 channel partners worldwide and provides them with more training, tools and rewards than ever before.

Cybersecurity News & Trends – 09-24-21

/0 Comments/in /by

SonicWall is in the news in Europe this week, with announcements about a support center in Romania and SonicWall’s country manager, Sergio Martinez, participating in regional discussions about cybersecurity. The FBI reportedly held onto a vital encryption key for three weeks before handing it to victims tops our industry news list. Plus, recent research reveals that multi-party breaches cause 26-times more damage than single-party breaches, SUEX is sanctioned, Biden and hackers debate “critical,” seven countries are being spoofed, and TinyTurla weighs in for big damage. 

SonicWall in the News

SonicWall to open customer support centre in Romania

  • Telecompaper (NL): US cyber-security specialist SonicWall is in the process of opening a technical support centre in Romania, writes local paper Ziarul Financiar citing SonicWall sales director for Southeast Europe, Cosmin Vilcu. According to the news outlet, the operation has already recruited staff and begun regional marketing activities.

European recovery funds: a good way to improve corporate cybersecurity

  • Dealer World (Spain): Sergio Martínez, our country manager, participated in a special issue about the European recovery funds: “The rain comes, the European rain in the form of millions. Millions that will allow many companies to improve deficit aspects to be more competitive. Will cybersecurity be one of them?

SonicWall continues to expand its offering to combat cyberattacks

  • Director TIC.es (Spain): In an interview with Sergio Martínez, SonicWall’s country manager, the publication discusses the layered security promoted by SonicWall based on a comprehensive portfolio of solutions. Martinez explains the latest developments in SonicWall’s offer, including its new generation of firewalls and solutions for secure access and protecting credentials.

IBM Launches New Lto-9 Tape Drives with More Density, Performance And Resiliency

  • TiBahia (Portugal): IBM is launching tape drives that give systems more resilience to cyberattack. Additionally, the company has repeatedly cited the Mid-Year Update to the 2021 SonicWall Cyber Threat Report as an example of the marketplace’s need for such products. In this release, they cite the Threat Report, noting ransomware is one of the costlier types of breaches, with an average cost of $4.62M per breach and one of the most common.

Industry News

FBI Held Back Ransomware Decryption Key from Businesses to Run Operation Targeting Hackers

  • Washington Post: After a devastating ransomware attack this summer, the FBI’s investigations uncovered the digital key needed to unlock maliciously encrypted computer systems. However, the FBI held onto the digital key for almost three weeks, knowing that the attack hobbled the computers of hundreds of businesses and institutions. According to the report, investigators discovered the digital key through access to servers operated by the Russia-based cybercrime gang behind the attack. Deploying the digital key immediately could have helped the victims, including schools and hospitals, avoid what analysts estimate was millions of dollars in recovery costs.

Multi-party breaches cause 26-times the financial damage of the worst single-party breach

  • ZDNet: The researchers found that when a ripple event triggers a loss of income, it can lead to losses of $36 million per event. RiskRecon, a Mastercard company, and the Cyentia Institute released a study on Tuesday showing that some multi-party data breaches cause 26-times the financial damage of the worst single-party breach. The researchers used Advisen Cyber Loss Database to investigate cybersecurity incidents since 2008. They report that nearly 900 multi-party breach incidents have been recorded in the database, with 147 newly uncovered “ripple incidents” across the entire data set, with 108 occurring within the last three years.

US Sanctions Crypto Exchange Accused of Catering to Ransomware Criminals

  • Wall Street Journal: The Biden administration blacklisted a Russian-owned cryptocurrency exchange – SUEX OTC – for allegedly helping launder ransomware payments. This is a genuinely unprecedented action meant to deter future cyber-extortion attacks by disrupting their primary means of profit. By targeting a digital currency platform, the Treasury Department is also renewing its warning to the private sector that businesses risk high penalties and fines for paying ransoms and – more importantly – that the Department is watching.

Biden Cybersecurity Leaders Back Incident Reporting Legislation As ‘Absolutely Critical’

  • Senior Biden administration officials are backing congressional efforts to enact new cyber incident reporting requirements for critical infrastructure operators and other companies, as well as other measures to entrench further the Cybersecurity and Infrastructure Security Agency (CISA) at the center of the civilian executive branch’s digital security apparatus. CISA Director Jen Easterly said that incident reporting is “absolutely critical” and called CISA’s “superpower” its ability to share cyberthreat information across agencies and critical infrastructure sectors.

After Biden Warning, Hackers Define ‘Critical’ as They See Fit

  • Bloomberg: After a furious run of ransomware attacks in the first half of the year, President Joe Biden in July warned his Russian counterpart, Vladimir Putin, that Russia-based hacking groups should steer clear of 16 critical sectors of the US economy. But if a recent attack on a grain cooperative in Iowa is any indication, apparently hackers will define what should be considered “critical.”

Alaskan health department still struggling to recover after ‘nation-state sponsored’ cyberattack

  • CNN: Alaska is still dealing with the fallout of a hack. Many of their systems are offline after foreign government-backed hackers breached the department in May, a spokesperson told CNN on Monday. As the department continued to warn Alaskans that hackers might have stolen their personal data, the department’s spokesperson declined to comment on which foreign government was behind the intrusions or their motives. However, Alaskan officials now say that hackers exploited a vulnerability in the health department’s website to access department data. The hackers may have accessed Alaskans’ Social Security numbers and health and financial information.

Republican Governors Association email server breached by state hackers

  •  Bleeping Computer: The Republican Governors Association (RGA) revealed in data breach notification letters sent last week that its servers were breached during an extensive Microsoft Exchange hacking campaign that hit organizations worldwide in March 2021. This attack follows a breach on Synnex back in July, a network management contractor for the Republican National Committee (RNC).

BlackMatter Ransomware Has Infected Marketron’s Marketing Services

  • Cyber Intel: The BlackMatter ransomware group targeted Marketron, a cloud-based revenue and traffic management tools supplier. The company has a customer base of over 6,000 and reportedly manages about $5 billion in advertising revenue per year. This was the second ransomware attack by BlackMatter in so many days. Another one involved a ransom of $5.9 million when this group attacked the NEW Cooperative United States Farmers organization.

Epik data breach impacts 15 million users, including non-customers

  • Ars Technica: Epik has now confirmed that an “unauthorized intrusion” did, in fact, occur into its systems. The announcement follows last week’s incident of hacktivist collective Anonymous leaking 180 GB of data stolen from online service provider Epik. To mock the company’s initial response to the data breach claims, Anonymous had altered Epik’s official knowledge base, as reported by Ars.

TinyTurla: New Malware by Russian Turla

  • Cyware: According to Cisco Talos, TinyTurla is a previously unknown malware backdoor from the Turla APT group, in use since at least 2020. The malware got the attention of researchers when it targeted Afghanistan before the Taliban’s recent takeover of the government. Now, it is suspected in recent attacks against the U.S., Germany, and other countries.

Ongoing Phishing Campaign Targets APAC, EMEA Governments

  •  Security Week: Government departments in at least seven countries in the Asia-Pacific (APAC) and Europe, the Middle East and Africa (EMEA) regions have been targeted in a phishing campaign that has been ongoing since spring 2020. The attacks appear to be focused on credential harvesting. During the first half of 2020, operators transferred the phishing domains used as part of the campaign to their current host. In addition, investigators have found at least 15 active “spoofing” pages, posing as various ministries within the targeted country’s governments, including energy, finance, and foreign affairs departments. The spoofed pages target Belarus, Georgia, Kyrgyzstan, Pakistan, Turkmenistan, Ukraine, and Uzbekistan. Other pages posed as the Pakistan Navy, the Main Intelligence Directorate of Ukraine, and the Mail.ru email service.

In Case You Missed It

Buffalo routers path traversal vulnerability

/in /by

SonicWall Capture Labs threat research team observed attacks exploiting vulnerability in Buffalo routers.

Buffalo company builds quality storage, networking, and other technology-related solutions. Their network attached storage (NAS) devices, many with scale-as-you-go options, are installed with pre-tested hard drives that eliminate the hassle of sourcing and testing drives, saving you time and money. Buffalo also builds Wireless Router which is a high speed, open source dual band solution, and is ideal for creating a high speed 11ac wireless home network. A path traversal vulnerability exists in web interface of certain firmware versions of these routers.

Vulnerability | CVE-2021-20090

A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder by manipulating variables that reference files with dot-dot-slash sequences. A path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote attackers to bypass authentication. Successful exploitation of this vulnerability could allow an attacker to access pages that would otherwise require authentication. An unauthenticated attacker could gain access to sensitive information, including valid request tokens, which could be used to make requests to alter router settings.

The vulnerability exists due to a list of folders which fall under a “bypass list” for authentication. One such folder is images . The exploit looks like this

The attacker is able to bypass authentication through path traversal. The attacker uses POST request to access and modify the configuration of the attacked device. The attacker then downloads and executes malicious script from attacker controlled server .

Following versions are vulnerable:

  • WSR-2533DHPL2 firmware version <= 1.02
  • WSR-2533DHP3 firmware version <= 1.24

The Vendor advisory is here.

SonicWall Capture Labs provides protection against this threat via following signatures:

      • IPS 15659:Buffalo Routers Configuration File Injection
      • GAV: Shell.LOL

Threat Graph

IoCs
212.192.241.87
054320be2622f7d62eb6d1b19ba119d0a81cb9336018d49d9f0647706442ae8f

Living in the Wild West of the IoT

/0 Comments/in /by

What started as a siloed technology called IoT (Internet of Things) has now evolved into a complete ecosystem for automation to make our everyday life simpler and more productive. The signs are everywhere as the adoption skyrockets. All industries are rushing headlong with smart “things” – smart cities, smart homes, smart cars, smart drones, and smart appliances.

By 2025, Statista forecasts that there will be more than 75 billion Internet of Things (IoT) connected IoT devices in use. This would be a nearly threefold increase from the IoT installed base in 2019. The original estimate from 2018 was 23 billion and 31 billion in 2020. See what I mean by “the trajectory goes up like a rocket?”.

IoT and its associated automation bring a very compelling value once you had tried it. My own experience is with the smart home side of things. However, the industrial and enterprise side of IoT are even more pervasive, and innovative. Thanks to the Artificial Intelligence technology that are often tightly coupled.

Let me give you an example of how home automation has simplified my life. I started with a smart thermostat that monitors peak usage cost, and a smart irrigation system that can auto-dial water usage based on the weather. But the most compelling value comes from the humblest smart switches that turn legacy home devices on and off based on preprogrammed parameters.

The race has driven the cost to $4 a pop. Who wouldn’t find it compelling?

Before long, I have a gang of 20 smart switches invaded my home. Is IoT really a blessing?

Well, it is indeed as long as you put safety precautions around it. Otherwise, it can be a curse. According to the SonicWall Threat Report, it is the second most common attack after ransomware.

What makes the IoT devices so vulnerable is the fact the lack of security foundation. Let’s take a look at the smart switch vendors. At $4 a pop, they must rely on open source and unhardened firmware. Once released, it will never patch even when a vulnerability is discovered. Bringing these IoT devices into your environment is like putting a Trojan horse!

The security issue is so dire and the specter of IoT attacks continuing to explode exponentially, many legislative bodies opted to consider legislation strengthening cybersecurity on these IoT devices during the first half of 2021, including UK, US, Australia.

Governments are now involved. Yes, these are not private entities that usually coax the adoption of security measures through standards or best practices. IoT is indeed the new Wild West.

Shouldn’t you also be prepared?

How to secure IoT devices connecting to my network?

So, what steps can you take to make sure all your IoT devices can connect securely to your organization’s network? Here are three questions you should address:

  1. Can my firewall decrypt and scan encrypted traffic for threats?
    The use of encryption is growing both for good and malicious purposes. More and more, we’re seeing cybercriminals hiding their malware and ransomware attacks in encrypted sessions, so you need to make sure your firewall can apply deep packet inspection (DPI) to HTTPS connections, such as DPI-SSL.
  2. Can my firewall support deep packet inspection across all my connected devices?
    Now think of all the encrypted web sessions each IoT device might have. You need to make sure your firewall can support all of them while securing each from advanced cyberattacks. Having only a high number of stateful packet inspection connections doesn’t cut it anymore. Today, it’s about supporting more deep packet inspection connections.
  3. Can my firewall enable secure high-speed wireless?
    OK, this one sounds simple. Everyone says they provide high-speed wireless. But are you sure? The latest wireless standard is 802.11ac Wave 2, which promises multi-gigabit Wi-Fi to support bandwidth-intensive apps. Access points with a physical connection to the firewall should have a port capable of supporting these faster speeds. So should the firewall. Using a 1-GbE port creates a bottleneck on the firewall, while 5-GbE and 10-GbE ports are overkill. Having a 2.5-GbE port makes for a good fit.

So, What’s Next?

VIEW ON-DEMAND WEBCAST

Cybersecurity News & Trends – 09-17-21

/0 Comments/in /by

While the Mid-Year Update to the 2021 SonicWall Cyber Threat Report continues to be recognized as an authoritative source of statistics, the company was also noted in an education piece and a product review for the SonicWall SWS12 switch. In industry news, discussions on launching security for commercial maritime, employees bypassing “inconvenient” security measures, the Nigerian aviation industry is grounded, cyberattackers hit with crypto-sanctions, and OMIGOD is getting more guidance.

SonicWall in the News

The weak points where hackers could hijack the supply chain — The Grocer (U.K.)

  • Like many businesses, the food system runs online – and, increasingly, many operations are from the homes of its workers. Consequently, the industry faces an increasing risk of cyberattack. This vertical market news outlet references the Mid-Year Update to the 2021 SonicWall Cyber Threat Report and SonicWall’s V.P. of Platform Architecture, Dmitriy Ayrapetov, to analyze increasing attacks on the U.K. food supply chain.

IT security for schools: New requirements. Limited resources. Unused funding — All About Security (DACH)

  • Schools have adopted more network mobility, but now they face greater cyberthreats. This report explores SonicWall solutions for schools. It outlines the challenges schools are confronted with in everyday life and how SonicWall can help.

Between blackboard and tablet: IT security in schools — All About Security (DACH)

  • To deliver safe classroom and distance learning experiences, schools need to secure wireless networks, cloud apps, and endpoints while stretching budgets through grants. This report also includes an invitation for readers to participate in an upcoming webinar for educators.

Why open source isn’t free: Support as a best practice — IBM (U.S.)

IoT: An Internet of Threats? — Maddyness (U.K.)

How Nonprofits Can Defend Against Ransomware Attacks — BizTech (U.S.)

Hybrid working: six steps to managing cybersecurity and data privacy risks — Raconteur (U.K.)

  • As pandemic restrictions are eased and staff head back to the office, many will want to continue working from home for part of the week, raising cybersecurity concerns for employers. According to the Mid-Year Update to the 2021 SonicWall Cyber Threat Report, there was a 65% year-on-year increase globally in ransomware attacks.

Using Power over Ethernet to Support Connected Devices — Ed Tech

  • The SonicWall SWS12 switch is mentioned to “handles [PoE management] by adding deep power management to the suite of standard networking configuration options.” This is a good thing. The switch can provide up to 130 watts of power spread across ten ports, and each port can supply up to 30 watts of power.

IBM ships new LTO 9 Tape Drives with greater density, performance, and resiliency — IBM (U.S.)

  • IBM is launching tape drives that give systems more resilience to cyberattack. Additionally, the company has repeatedly cited the Mid-Year Update to the 2021 SonicWall Cyber Threat Report as an example of the marketplace’s need for such products. In this release, they cite the Threat Report, noting ransomware is one of the costlier types of breaches, with an average cost of $4.62M per breach and one of the most common.

Industry News

We Cannot Afford to Wait to Bolster Maritime Cybersecurity — Nextgov

  • This article summarizes the reality of cloud-connected businesses and industries and the cyberthreats they face. With the increased dependence of offshore activities on cyber-enabled systems, the author points out that maritime operations need more secure cybersecurity infrastructure at sea.

New Cybersecurity Challenges as Workers Commonly Bypass Inconvenient Measures — CPO Magazine

  • Working from home blurs lines between personal spaces and corporate security. And this may be why, in a recent survey conducted by Hewlett-Packard’s Wolf Security Division, a surprising 30% of remote workers under the age of 24 who claim that they circumvent or ignore certain corporate security policies when they get in the way of getting work done.

How cyber resilience will reshape cybersecurity – TechRadar

  • Businesses are operating in a world with myriad cybersecurity risks, but many are caught underprepared because they have not developed cyber resilience despite the headlines. The question, therefore, is how do businesses recognize resilience in cybersecurity?

Cryptocurrency launchpad hit by $3 million supply chain attack – Ars Technica

  • SushiSwap’s chief technology officer says a software supply chain attack has hit the company’s MISO platform. The report goes on to point out that an “anonymous contractor” with the GitHub handle AristoK3 and access to the project’s code repository had pushed a malicious code commit that was distributed on the platform’s front end.

Cyberattacks against the aviation industry linked to Nigerian threat actor – ZDNet

  • The investigation began after a Microsoft tweet concerning AsyncRAT. Researchers revealed a lengthy campaign against the aviation sector, starting with an analysis of a Trojan by Microsoft. The operator of the campaign reportedly used email spoofing to pretend to be legitimate organizations in these industries.

U.S. to Target Crypto-Ransomware Payments With Sanctions – The Wall Street Journal

  • The Biden administration hopes to disrupt the digital finance infrastructure that facilitates ransomware cyberattacks, a national security threat traced to Russia. According to people familiar with the matter, sanctions are among an array of actions, making it harder for hackers to use digital currency to profit from ransomware attacks.

FTC warns health apps to notify consumers impacted by data breaches – The Hill

  • The Federal Trade Commission (FTC) voted 3-2 Wednesday that a decade-old rule on health data breaches applies to apps that handle sensitive health information, warning these companies to comply. In addition, the FTC’s new policy statement will clarify the agency’s 2009 Health Breach Notification Rule.

FBI and CISA warn of state hackers exploiting critical Zoho bug – Bleeping Computer

  • TODAY, the FBI, CISA, and the Coast Guard Cyber Command (CGCYBER) warned that state-backed advanced persistent threat (APT) groups are actively exploiting a critical flaw in a Zoho single sign-on and password management solution since early August 2021. Zoho’s customer list includes “three out of five Fortune 500 companies,” including Apple, Intel, Nike, PayPal, HBO, etc.

Mirai Botnet Starts Exploiting OMIGOD Flaw as Microsoft Issues More Guidance – Security Week

  • Microsoft on Thursday published additional guidance on addressing recently disclosed vulnerabilities in the Open Management Infrastructure (OMI) framework, along with new protections to resolve the bugs within affected Azure Virtual Machine (V.M.) management extensions.

Ransomware attackers targeted app developers with malicious Office docs, says Microsoft – ZDNet

  • Hackers linked to ransomware deployments used a recently discovered flaw to target application developers. Microsoft reports how it recently saw hackers exploiting a dangerous remote code execution vulnerability in Internet Explorer through rigged Office documents and targeted developers.

Customer Care Giant TTEC Hit By Ransomware – Krebs on Security

  • TTEC, a company used by some of the world’s largest brands to help manage customer support and sales online and over the phone, is dealing with disruptions from a network security incident resulting from a ransomware attack by Ragnar Locker an aggressive ransomware group.

Free REvil ransomware master decrypter released for past victims – Bleeping Computer

  • A free master decryptor for the REvil ransomware operation has been released, allowing all victims encrypted before the gang disappeared to recover their files for free. Bitdefender created the REvil master decryptor in collaboration with a law enforcement partner.

Email scammers posed as DOT officials in phishing messages focused on $1 trillion bill – Cyberscoop

  • Shortly after Congress took action on a $1 trillion infrastructure bill, hackers posing as U.S. Researchers say that Transportation Department officials offered fake project bid opportunities to seduce companies into handing over Microsoft credentials.

Ransomware encrypts South Africa’s entire Dept of Justice network – Bleeping Computer

  • The justice ministry of the South African government is working on restoring its operations after a recent ransomware attack encrypted all its systems, making all electronic services unavailable both internally and to the public.

In Case You Missed It