IoT Devices: If You Connect It, Protect It

7 “Smart” Steps to secure and protect your Home Network

A refrigerator that tells you there was a power outage — and whether it lasted long enough to spoil your food. Doorbells show you who’s at the door and allow you to communicate with them from across the country. Home medical devices that can collect data and transmit it directly to your doctor.

Present in countless applications, smart devices have revolutionized the way we live and work. Smart devices are a subset of a larger group of internet-connected products known as IoT (Internet of Things) devices. These devices can be controlled remotely, usually through a smartphone app or webpage, and send and receive data without human intervention.

In the 20 years since the term came into wide usage, the number and scope of IoT devices have grown tremendously. According to Security Today, from 2018 through 2020, IoT devices jumped from 7 billion to 31 billion, with 127 new IoT devices coming online each second.

By 2020, IoT technology is expected to be present in the designs of 95% of new electronics products. And over the next five years, the number of connected devices is forecasted to climb to 41.6 billion and generate a mind-boggling 79.4 ZB of data (for reference, the entirety of the World Wide Web, as it existed in 2009, was estimated to be less than a half a ZB.)

Smart devices introduce conveniences unthinkable a decade ago. But unfortunately, they also bring a new set of risks that could endanger your privacy and your data, your other devices, and even other connected networks.

For starters, there’s currently no standard for securing IoT devices — companies are free to put as much or as little security in their products as they want. Even when vulnerabilities are discovered, many devices are not updated because their cost is too low, or there is no way to update them. When updates are available, they often aren’t pushed out, or customers never hear about them. In all, IoT devices are open to wide exploitation.

However, there are several other risks related to the way people use these devices. Many users believe they don’t have the time or expertise to secure their IoT devices adequately — and that, because they’re not a large business or high-profile individual, they’re unlikely to be targeted.

But work statistics since COVID-19 have changed all that. According to Global Workplace Analytics, 25-30% of the American workforce now works from home. That means cybercriminals increasingly see remote employees’ home networks — especially poorly secured IoT devices that connect to them — as a back door to compromise corporate networks with lower chances of detection.

According to the mid-year update to the SonicWall 2021 Cyber Threat Report, cybercriminals have taken advantage of the increasingly distributed data landscapes. Not only have they increased the frequency of their attacks, but they’ve also expanded how they attack. As a result, ransomware attacks sharply rose to 304.6 million in 2020, up 62% over 2019. And the attacks increased to 226.3 million through May of 2021 — up 116% year-to-date over 2020.

While you can’t necessarily avoid being targeted, you can significantly decrease your odds of compromise by taking these 7 “smart” steps for better cybersecurity:

  1. Safeguard Your Router. By default, routers are accessible with a simple password like “admin” — or no password — and are easily accessible to cybercriminals. Another risk flag is when users do not change the default Wi-Fi network name (or SSID), thus revealing the brand of the router. All a would-be hacker has to do is search default settings. Ditching the default settings goes a long way toward increasing security.
  2. Stay Up to Date. Many devices offer the option to receive updates for firmware, vulnerability/bug fixes and more automatically. If this option is not enabled by default, turn it on. In cases where you must perform updates manually, make a note on your calendar to remind you to check for them regularly.
  3. Buy from the Best. Stick with companies known for prioritizing security in their offerings. These established brands are also more likely to push updates and patch vulnerabilities.
  4. Be Password Savvy. Password protection is significantly less effective when you use the same email and password combo for multiple accounts. If any of these accounts are breached, you’ve put your entire online existence at risk — and in the case of IoT devices connected to corporate networks, your company’s existence is at risk as well. With the advent of password managers, which assign a different password for each account and remember them for you, there’s no excuse to be lazy with credential hygiene.
  5. Leverage Two-Factor Authentication. With two-factor authentication (2FA), you’re offered the security of the traditional credential-based sign-in, plus an added layer of protection in the form of a code that is sent to a separate device and must be entered into the original app. With 2FA, even if the login credentials are compromised, the account won’t be accessible unless the attacker also has access to the secondary device.
  6. Divide and Conquer. Many popular routers provide a feature to create a secondary guest Wi-Fi access to your router. The guest Wi-Fi feature allows internet access without granting access to the full home network (and your computers, hard drives, etc.). Use Guest settings to isolate less-secure Wi-Fi connected smart home devices (and the malware that might infect them).
  7. Do I Need This? No matter how secure a smart device is, it can never match the safety and privacy of a non-internet-enabled device. Before purchasing a new smart device, ask yourself if the increased risk is worth adding convenience and features. If you’re likely to use the smart features only occasionally or not at all, opt for the non-smart device.

The network of connections created by the Internet of Things creates opportunities and challenges for individuals and businesses. SonicWall encourages everyone to be smart about smart devices and assume the responsibility of maintaining the health of their home network. Cybersecurity is everyone’s business. By being diligent, we can ensure the security of our home networks and anywhere else our connections may take us.

The Halfway Point: How Cybercrime Has Impacted Government in 2021

In August, the bipartisan U.S. Senate Committee on Homeland Security and Government Affairs released an update on the state of cybersecurity among federal agencies. The report, “Federal Cybersecurity: America’s Data Still at Risk,” noted that, even two years after a similar 2019 report revealed glaring cybersecurity shortcomings, there were still countless areas of concern.

Cybercriminals have always had an incentive to launch cyberattacks on the federal government, such as obtaining national secrets, disrupting a country’s operations at the highest possible level, and influencing politics. But now that they’ve been put on notice — twice — that launching a successful cyberattack might be far easier than they imagined, it’s no wonder we’ve seen attacks on federal, state and local governments rise at a pace far exceeding other industries.

Ransomware

As reported in the mid-year update to the 2021 SonicWall Cyber Threat Report, ransomware for the first half of 2021 increased an unprecedented 151% overall. But the increase in attacks for federal, state and local governments was actually much higher.

In the first half of 2020, there were 4.4 million attacks against government customers. During the same period in 2021, that number had risen to 44.6 million — a staggering 917% increase, the largest jump of any industry examined by SonicWall.

As if having government data encrypted wasn’t bad enough, many of these attacks employed a tactic known as double extortion in order to increase the likelihood the targets would pay. In such attacks, cybercriminals exfiltrate large quantities of data before encrypting files and issuing a ransom demand. Then, they use the threat of releasing this sensitive data as a sort of “insurance policy” in case the target has followed best practices such as keeping up-to-date backups, etc.

One such incident, in April 2021, targeted the Washington, D.C., police department. In this attack, the ransomware group threatened to share data about informants and other such sensitive information with local gangs if the department failed to pay the ransom demand.

A similar attack targeted the Illinois Attorney General’s Office. In February 2021, a state audit had warned the office that it lacked adequate cybersecurity protections. But the department failed to heed the recommendations, and two months later a ransomware group launched a double extortion attack, with some of the stolen data eventually posted online.

Cybercriminals have since evolved the malicious tactic to triple extortion, where payment is demanded from customers, partners and other third parties.

The number of ransomware attempts per customer remained far higher for government than for any other industry.

Cryptojacking

Very few cryptojacking incidents made the headlines in 2021. This is unsurprising for a couple of reasons: first of all, anyone targeting the federal government is likely to find much more profit in demanding ransom or stealing data than in mining cryptocurrency. Secondly, illegal mining’s impact on the government in 2021 hasn’t been nearly as newsworthy as government’s impact on mining. (In fact, bans on mining in China, Iran and elsewhere are largely cited as one of the reasons cryptocurrency prices fell from their record highs in April.)

Still, the numbers don’t lie, and according to SonicWall’s threat data for the first six months of 2021, the volume of attacks on federal, state and local governments isn’t just up — it’s way up.

Across all industries, the number of cryptojacking attacks in the first half of 2021 rose 23% year to date. But for government customers, cryptojacking attack volume rose a whopping 329%.

IoT Attacks

In August, CISA issued an advisory about a public report detailing vulnerabilities in multiple real-time operating systems (RTOS). Known as “BadAlloc,” the report details a number of vulnerabilities in IoT devices that affect “a variety of sectors for every aerospace, robotics [and] rail industrial control system,” according to Vincent Sritapan, Cyber Quality Service Management Office Chief at CISA.

Unfortunately, attacks on similar systems have already been occurring. In February, an attacker took control of the Oldsmar, Fla., water supply, increasing the amount of sodium hydroxide, or lye, in the water to 110 times normal levels.

SonicWall threat research data indicates that IoT attacks on federal, state and local governments are rising — but the good news is that they seem to be rising more slowly than attacks as a whole. While the number of IoT attacks recorded overall in the first half of 2021 rose 59% year over year, for government customers, attack volume rose only 17% — not good news, per se, but better than it could be considering this attack type’s potential for disruption.

While it’s too early to say what the second half of 2021 will hold for government customers, a lot of it will depend on how federal, state and local governments and agencies respond to warnings like the one issued in August. If we see renewed efforts among these organizations to adhere to cybersecurity best practices, some of these trends may begin to slow or even reverse.

Otherwise, we’re likely to see an increase in the sorts of attacks that have dominated headlines recently, as cybercriminals increasingly shift to targeting the biggest game of all.

In the meantime, you can access all of SonicWall’s first-half threat data — including location-specific information and data on other industries and threat types — by downloading the mid-year update to the 2021 SonicWall Cyber Threat Report.

Lockbit 2.0, the ransomware behind the Accenture breach

Lockbit ransomware has been around since 2019, but recently released an updated version called Lockbit 2.0. It is another ransomware-as-a-service (RaaS), a subscription-based model that allows partners to use a full-featured, already developed ransomware application ready to carry out an attack. On their website, the operators boast that version 2.0 has the fastest encryption as well as the fastest upload of stolen data among many other popular ransomware families, while highlighting the many features of this ransomware.

Recently, there were reports of targeted attacks, with Accenture being the latest prominent victim of this ransomware. Following non-payment, Lockbit has started leaking victims’ data to the public on its website.

Infection cycle:

Upon execution of the ransomware, it disables all running security programs and any other means that could permit system recovery. It spawns a cmd.exe process to run the following commands:

  • vssadmin delete shadows /all /quiet
  • wmic SHADOWCOPY /nointeractive
  • wmic shadowcopy delete
  • wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  • wbadmin DELETE SYSTEMSTATEBACKUP
  • wbadmin delete catalog -quiet
  • wevtutil cl system
  • wevtutil cl security
  • wevtutil cl application
  • bcdedit /set {default} recoveryenabled No

It then proceeds to encrypt the victim’s files. All encrypted files bear the lockbit icon and a .lockbit file extension.

It changes the wallpaper with instructions on how to recover the files as well as adding a text file in every directory where files have been encrypted.

On reboot, the victim can’t miss the ransom note, because the ransomware also adds a Run key in the registry that loads an .hta file carrying the same instructions on how to get the victim’s files back.

  • Key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Name: {2C5F9FCC-F266-43F6-BFD7-838DAE269E11}
  • Data: %Desktop%\Lockbit_Ransomware.hta

It then proceeds to delete itself, and no copy of the ransomware nor its components is left on the victim machine.
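The recovery-inhibition commands and the Run-key persistence described above are easy to spot in process-creation and registry telemetry. The following is an added example (not SonicWall code, and not part of the original post) that matches a constructed set of process events against those commands and flags the GUID-named Run value that launches an .hta; the event format and the sample parent process name are assumptions for illustration.

```python
import re

# Patterns for the recovery-inhibition commands listed in the infection cycle.
# Each is matched case-insensitively against a full process command line.
TACTICS = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\b", re.I)),
    ("backup_deletion", re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+(?:systemstatebackup|catalog)\b", re.I)),
    ("event_log_clearing", re.compile(r"\bwevtutil(?:\.exe)?\s+cl\s+\S+", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
]

# Persistence location named in the write-up, and the shape of the GUID value name it uses.
RUN_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
GUID_NAME = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)

# Constructed process-creation events (parent image, command line), in the order the
# write-up lists the commands. This is sample data, not real telemetry.
SAMPLE_EVENTS = [
    ("lockbit_sample.exe", "cmd.exe /c vssadmin delete shadows /all /quiet"),
    ("lockbit_sample.exe", "cmd.exe /c wmic SHADOWCOPY /nointeractive"),
    ("lockbit_sample.exe", "cmd.exe /c wmic shadowcopy delete"),
    ("lockbit_sample.exe", "cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest"),
    ("lockbit_sample.exe", "cmd.exe /c wbadmin delete catalog -quiet"),
    ("lockbit_sample.exe", "cmd.exe /c wevtutil cl security"),
    ("lockbit_sample.exe", "cmd.exe /c bcdedit /set {default} recoveryenabled No"),
    ("explorer.exe", "wevtutil qe System /c:5 /f:text"),  # benign log query; must not match
]


def classify(cmdline):
    """Return the tactic a command line belongs to, or None if it is not one of the listed commands."""
    for name, pattern in TACTICS:
        if pattern.search(cmdline):
            return name
    return None


def assess(events, threshold=2):
    """Score a host's events: two or more distinct recovery-inhibition tactics in the
    stream is treated as likely pre-encryption staging rather than routine admin work."""
    tactics = set()
    hits = []
    for parent, cmdline in events:
        tactic = classify(cmdline)
        if tactic:
            tactics.add(tactic)
            hits.append((parent, tactic, cmdline))
    verdict = "likely_ransomware_staging" if len(tactics) >= threshold else "no_finding"
    return {"tactics": sorted(tactics), "hits": hits, "verdict": verdict}


def run_key_is_suspicious(key, name, data):
    """Flag a Run value that launches an .hta file under a bare-GUID value name, as in the
    persistence entry above. Legitimate Run values normally use a product name and an .exe."""
    in_run_key = key.lower().endswith(r"\currentversion\run")
    launches_hta = data.strip().strip('"').lower().endswith(".hta")
    return in_run_key and launches_hta and bool(GUID_NAME.match(name))


if __name__ == "__main__":
    result = assess(SAMPLE_EVENTS)
    print(result["verdict"], result["tactics"])
    for parent, tactic, cmdline in result["hits"]:
        print(f"  {parent}: [{tactic}] {cmdline}")
    print(run_key_is_suspicious(RUN_KEY, "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}",
                                r"%Desktop%\Lockbit_Ransomware.hta"))
```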

On Lockbit’s website, there are quite a few victims whose data have already been leaked to the public while others still have some days left to submit payment before facing the same consequence.


SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Lockbit.RSM_2 (Trojan)
  • GAV: Lockbit.RSM_3 (Trojan)
  • GAV: Lockbit.RSM_4 (Trojan)

This threat is also detected by SonicWall Capture ATP with Real-Time Deep Memory Inspection (RTDMI) and the Capture Client endpoint solutions.

Cybersecurity News & Trends – 09-03-21

The Mid-Year Update to the 2021 SonicWall Cyber Threat Report continues to circulate through global news, and SonicWall rises to the status of an “admired brand.” In industry news, uncomfortable questions about U.S. cyber-intelligence methods, Autodesk’s admission, FIN7 hackers on the move, how Australia got hammered by hackers, and a Colorado man sues U.K. parents of hackers for a 3-year-old cryptocurrency hack.


SonicWall in the News

The Hybrid Workplace: The Next Frontier of Cyber Security — CPO Magazine

  • This story covers the aftermath of a REvil Kaseya attack. Thousands of business leaders are calculating their losses and cost of recovery, now dubbed the “worst ransomware attack on record.” The story cites the Mid-Year Update to the 2021 SonicWall Cyber Threat Report as a key source for the sharp rise of attacks via Microsoft Office documents that rose by 176% in 2020.

Ransomware threats explode in first-half 2021 — Frontier Enterprise

The Tech Industry Is Marching Ahead With These Admired Brands — Mybrandbook.com

  • A report that assesses the importance of “admired” brands in tech recounts SonicWall’s rise from a private company headquartered in Silicon Valley to a significant brand in cybersecurity with more than 1 million active security solutions trusted by more than 500,000 organizations in more than 215 countries.

Industry News

Hacker kids’ parents sued over $780k of stolen cryptocurrency — P.C. Gamer

  • In January of 2018, Colorado resident Andrew Schober was relieved of 16.4 bitcoin, worth around $780,000 in today’s market, by unknown hackers. Schober hired private investigators, who traced the hack to two UK-based computer science students who were minors at the time. He’s now suing the parents of the two he believes hacked his account and stole his cash.

SolarWinds hackers targeted Autodesk in latest confirmed fallout from cyber-espionage campaign — CyberScoop

  • The list of victims of the hackers (believed to be Russian) who breached a U.S. federal contractor keeps growing. The hackers, it is believed, collected intelligence from all over the federal government. Autodesk filed an SEC disclosure to its investors that the hackers compromised one of its servers.

Juniper Breach Mystery Starts to Clear With New Details on Hackers and U.S. Role — Bloomberg

  • Days before Christmas in 2015, Juniper Networks Inc. alerted users that it had been breached. Five years later, the hackers have not been publicly identified, and no victims from the hack have surfaced. This brings the uncomfortable question about the methods U.S. intelligence agencies use to monitor hackers.

FIN7 Hackers Using Windows 11 Themed Documents to Drop Javascript Backdoor — The Hacker News

  • Spear-phishing campaigns are leveraging weaponized Windows 11 Alpha-themed Word documents with Visual Basic macros. The macros inject malicious payloads, including a JavaScript implant that targets a U.S.-based point-of-sale (PoS) service provider.

How Hackers Hammered Australia After China Ties Turned Sour — Bloomberg

  • A few days after Prime Minister Scott Morrison called for an independent international probe into the origins of the coronavirus, Chinese bots swarmed onto Australian government networks. It was April 2020. Bloomberg brings the incident to light in this week’s article.

Regulators Tighten Scrutiny of Data Breach Disclosures — The Wall Street Journal

  • Lawyers warn that companies must pay closer attention to what they say after hackers strike, as regulators crack down on inaccurate disclosures and Congress debates mandatory reporting of cybersecurity breaches.

Biden administration establishes program to recruit tech professionals to serve in government — The Hill

  • The Biden administration announced it was establishing a program to recruit and train people to serve in digital positions within the federal government and address the COVID-19 pandemic and cybersecurity concerns.

Bangkok Airways hit by LockBit ransomware attack, loses lots of data after refusing to pay — The Register

  • Bangkok Airways has revealed it was the victim of a cyberattack from ransomware group LockBit on August 23, resulting in the publishing of stolen data.

LockFile Ransomware Uses Never-Before Seen Encryption to Avoid Detection — Threat Post

  • Researchers from Sophos discovered the emerging threat in July, which exploits the ProxyShell vulnerabilities in Microsoft Exchange servers to attack systems.

Initial Access Broker use, stolen account sales spike in cloud service cyberattacks — ZDNet

  • On Tuesday, Lacework published its 2021 Cloud Threat Report vol.2, outlining how today’s cybercriminals are attempting to cut out some of the legwork involved in campaigns against cloud service providers.

Cyberattackers are now quietly selling off their victim’s internet bandwidth — ZDNet

  • Another intrusion with a twist: attackers use “proxyware” to target their victim’s internet connection and generate illicit revenue.

Cybercriminal sells tool to hide malware in AMD, NVIDIA GPUs — Bleeping Computer

  • Cybercriminals are making strides towards malware attacks that execute code from the graphics processing unit (GPU) of a compromised system.

Boston Public Library discloses cyberattack, system-wide technical outage — Bleeping Computer

  • The Boston Public Library (BPL) has disclosed today that its network was hit by a cyberattack on Wednesday, leading to a system-wide technical outage.

U.S. Justice Department Introduces Cyber Fellowship Program — Security Week

  • The program will train selected attorneys on emerging national security and criminal cyber threats and how to fight them. The trainees will rotate through department components focused on cyber defense, such as the Criminal Division, the U.S. Attorneys’ Offices, and the National Security Division.

Researchers, cybersecurity agency urge action by Microsoft cloud database users — Reuters

  • On Saturday, researchers who discovered a massive flaw in the central databases stored in Microsoft Corp’s Azure cloud platform urged all users to change their digital access keys, not just the 3,300 the company notified this week.

Bangkok Airways apologizes for passport info breach as LockBit ransomware group threatens data leak — ZDNet

  • The company said that it discovered a “cybersecurity attack which resulted in unauthorized and unlawful access to its information system” on August 23.


Centreon hostGroupDependency.php SQL Injection Vulnerability

Overview:

  Centreon is an open source IT monitoring solution. The open source solution is the foundation for the Centreon EMS software suite, which offers additional licensed modules, and it includes integration tools for IT Operations Management production environments.

  An SQL Injection vulnerability has been reported in the Centreon Web Application. The vulnerability is due to incorrect input validation in hostGroupDependency.php.

  A remote, authenticated attacker could exploit this vulnerability by sending a maliciously crafted request to the server. A successful attack may result in arbitrary SQL command execution against the database on the target server.

CVE Reference:

  This vulnerability has not been assigned a Common Vulnerabilities and Exposures (CVE) identifier.

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C).

  Base score is 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is high.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.2 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  A user with admin privileges can manage the notification settings for a host group on the “Configuration”->”Notification”->”Host Groups” page in the Centreon web interface. When clicking a host group on the web page, a request will be submitted to the “/centreon/main.get.php” endpoint as shown in an example below:

  

  In the request above, the parameter “p” contains a topology_page number (e.g. 60408 in the above example) which is used by the Centreon application to locate the corresponding PHP file to handle this request. The mappings between a topology_page number and its corresponding PHP file are defined in insertTopology.sql. For the topology_page number 60408 in the “p” request parameter, the corresponding PHP file to handle this request is:

  

  The hostGroupDependency.php is relevant to the vulnerability in this report.

  An SQL injection vulnerability exists in the Centreon web application. The vulnerability is due to a lack of input validation on the dep_id request parameter in hostGroupDependency.php. When receiving a request submitted to the “main.get.php” endpoint, main.get.php checks the “p” request parameter value. If the value is 60408, it routes the request to hostGroupDependency.php. hostGroupDependency.php reads the dep_id request parameter value and then checks the “o” request parameter value. If the “o” parameter value is the character “c”, “w” or “a”, it calls formHostGroupDependency.php to process the request. formHostGroupDependency.php first checks whether the “o” parameter is “c” or “w” and, if so, constructs a SQL statement by appending the dep_id parameter value. It then executes the SQL statement to query the “dependency” table in the database.

  However, formHostGroupDependency.php does not sanitize the dep_id parameter before appending it to the SQL statement. A malicious user is therefore able to directly manipulate the Centreon database by embedding arbitrary SQL commands within the dep_id parameter in HTTP requests. For example, an attacker may utilize the “;” character (or its URL-encoded equivalent) in an HTTP request to terminate a SQL statement with a malicious create table command, as shown below:

  

  A remote, authenticated attacker could exploit this vulnerability by sending a maliciously crafted request to the server. A successful attack may result in arbitrary SQL command execution at the database on the target server, potentially leading to the execution of arbitrary code in the security context as root.
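To make the flaw concrete, here is an added example (not Centreon’s code, and not part of the original advisory) that reproduces the unvalidated-concatenation pattern against a constructed stand-in for the “dependency” table, shows the hardened form (type check plus bound parameter), and adds a request check of the kind an IPS or WAF rule for main.get.php would apply. The dep_name column, the sample rows, and the use of SQLite in place of Centreon’s database are assumptions for illustration.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

DEP_ID_OK = re.compile(r"[0-9]{1,10}")  # dep_id is a numeric primary key


def make_db():
    """Constructed stand-in for the dependency table with two sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE dependency (dep_id INTEGER PRIMARY KEY, dep_name TEXT NOT NULL);"
        "INSERT INTO dependency (dep_id, dep_name) VALUES (1, 'hg-dep-prod'), (2, 'hg-dep-lab');"
    )
    return conn


def load_dependency_unsafe(conn, dep_id):
    """The flaw as described: the request value is appended to the SQL text unchecked.
    sqlite3.execute refuses stacked statements, so this path shows the same missing
    validation through a tautology instead of a ';'-terminated statement."""
    sql = "SELECT dep_name FROM dependency WHERE dep_id = " + str(dep_id)
    return [row[0] for row in conn.execute(sql)]


def load_dependency_unsafe_stacked(conn, dep_id):
    """Same flaw on a connection that accepts stacked statements (executescript stands in
    for a multi-statement driver): text after ';' runs as an additional statement.
    Returns the table list afterwards so the side effect is observable."""
    conn.executescript("SELECT dep_name FROM dependency WHERE dep_id = " + str(dep_id))
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
    return [row[0] for row in rows]


def load_dependency_safe(conn, dep_id):
    """Hardened form: reject anything that is not a plain integer, then bind the value."""
    if not DEP_ID_OK.fullmatch(str(dep_id)):
        raise ValueError("dep_id must be a positive integer")
    rows = conn.execute("SELECT dep_name FROM dependency WHERE dep_id = ?", (int(dep_id),))
    return [row[0] for row in rows]


def suspicious_request(url):
    """Request-level check in the spirit of the IPS signature above: a main.get.php request
    routed to the host group dependency page (p=60408) whose dep_id is not purely numeric.
    parse_qs decodes percent-encoding, so '%3B' is inspected as ';'."""
    parts = urlsplit(url)
    if not parts.path.endswith("/main.get.php"):
        return False
    query = parse_qs(parts.query)
    if query.get("p", [""])[0] != "60408":
        return False
    dep_id = query.get("dep_id", [""])[0]
    return dep_id != "" and not DEP_ID_OK.fullmatch(dep_id)


if __name__ == "__main__":
    db = make_db()
    print("safe   :", load_dependency_safe(db, "1"))
    print("unsafe :", load_dependency_unsafe(db, "1 OR 1=1"))
    print("flagged:", suspicious_request("/centreon/main.get.php?p=60408&o=c&dep_id=1%3B+SELECT+1"))
```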

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The attacker must have network connectivity to the affected ports.
  • The attacker must authenticate to the target system.

Triggering Conditions:

  The attacker authenticates and then sends an HTTP request containing maliciously crafted parameters to the target server. The vulnerability is triggered when the request is processed by the target server.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP, over port 80/TCP
    • HTTPS, over port 443/TCP

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 15666 Centreon main.get.php SQL Injection
  • IPS: 15674 Centreon main.get.php SQL Injection 2

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Blocking the affected ports from external network access if they are not required.
    • Filtering traffic based on the signature above.
    • Upgrading the product to a non-vulnerable version.
  The vendor has released an advisory regarding this vulnerability:
  Vendor Advisory

Elevating SonicWall to the Cloud

If the cloud were human, it would say veni, vidi, vici!

One can argue whether “the cloud” is still just a buzzword … whether it’s real or just another person’s computer … whether it’s a journey or a destination. But regardless of our conclusions, the cloud has arrived, the cloud is in vogue, and the cloud is here to stay.

Cloud is enabling a fundamental technology shift that, in many ways, shakes up how we live both our digital and our physical lives. SonicWall believes the purpose of any technology is to solve problems, and the cloud is no different.

That’s why we’re leveraging cloud technology as much as possible. We’re using the cloud to make our customers more secure and, at the same time, we’re also building our portfolio to secure data in the cloud.

As you can see in the visual below, we already have many products and solutions that take advantage of the cloud. They not only use cloud-native components — they’re also delivered from the cloud. Capture ATP, our threat detection capture technology that includes patented Real-Time Deep Memory Inspection (RTDMI™), is delivered to all SonicWall security products via the cloud.

All our central management solutions, such as Network Security Manager (NSM), Wireless Network Manager (WNM), Capture Client (CC) Management Console, etc., use cloud-native architecture. They can scale to manage tens of thousands of individual units.

Our single-pane-of-glass management solution, SonicWall Capture Security Center (CSC), is entirely cloud-native and cloud-delivered. We expect CSC to become not only the visualization and reporting tool, but also the threat detection and response tool for SonicWall partners and customers (more on that in the future).

But our work isn’t limited to the use of cloud technology for development and delivery. In the last few years, SonicWall has introduced and updated solutions such as our virtual firewall (NSv) and Secure Mobile Access (SMA) to secure data and access in the cloud. We offer cloud-delivered Hosted Email Security (HES) that secures cloud email services such as Microsoft Office365 and Google GSuite.

We’ve also been developing new solutions specifically for the cloud, such as Cloud App Security (CAS) and Cloud Edge Secure Access, that help you secure your users and data in the cloud. Cloud Edge Secure Access represents our entry into the ZTNA/SASE world, which involves delivering multiple networking and security capabilities from the cloud.

While all solutions mentioned above are already available, we are currently working on future SonicWall product lines, which will be cloud-delivered and offer greater in-cloud security.

To learn more about SonicWall solutions designed to utilize or secure the cloud, visit our products page. This journey is going to be exciting. Stay tuned!

How Cybercrime Impacted Education in 2021

According to a report in The Journal, as of early August, more than 60% of parents were hesitant to send their children back to school this fall due to a large uptick in pediatric COVID-19 cases. As we have seen since, many of these fears were well-founded, as schools in Texas, Georgia, Florida, Tennessee and elsewhere have been forced to close almost as quickly as they opened due to widespread exposures, quarantines and staff shortages.

This unpredictable and ever-shifting education landscape has wreaked havoc on a back-to-school season that was once expected to herald a return to normalcy. But unfortunately for school leadership and IT administrators already dealing with a learning environment subject to change from day to day, this level of upheaval and uncertainty has historically been compounded by another crisis: cybercrime.

Toward the beginning of the pandemic, attacks on K-12 schools and higher education began rising as hackers realized that schools were frequently both overwhelmed and underprotected.

“K-12 institutions have limited resources to dedicate to network defense, leaving them vulnerable to cyberattacks,” the FBI warned in an alert sent in late June 2020.

It’s been more than a year since that initial report — enough time to collect the sort of data needed for an apples-to-apples comparison of 2020 and 2021. Unfortunately, as reported in the mid-year update to the 2021 SonicWall Cyber Threat Report, even as schools have reopened, any expected reprieve has remained elusive. Almost every type of cyberthreat against education has continued to rise drastically in the first half of 2021, painting a frightening picture of what might lie ahead as our K-12 and higher-education institutions face increasing challenges.

Ransomware

In April 2021, Broward County Public School District, one of the largest in the U.S., received a ransom demand of $40 million, the second-highest to date. To help ensure they received payment, the criminals threatened to publish student and employee data online — an increasingly popular tactic among cybercriminals known as “double extortion.”

But while this may be an extreme example, it represents a trend of increasingly audacious demands on schools. And as more schools show a willingness to pay at least something, the number of attacks has begun to rise even faster.

In the first half of 2020, SonicWall threat researchers recorded 1.4 million ransomware attacks on K-12 and higher education institutions. By the first half of 2021, this number had risen to 10.1 million — an increase of 615%.

As observed by SonicWall, education was the top vertical targeted by ransomware in three of the first six months of 2021.

IoT Attacks

When students and teachers made the shift to online learning in early 2020, they introduced millions of new devices to the network, widening the attack surface considerably.

Mirroring the trends we saw among organizations as a whole, IoT attacks rose over the course of 2020, as cybercriminals recognized an opportunity to access unprotected or inadequately protected networks.

While IoT attacks in general rose 59% in the first half of 2021 over the same time period in 2020, those in education saw an even larger jump, despite the fact that many students had returned to in-person classes. Among schools and colleges, IoT attacks rose 78% year-to-date — a gap we may see continue to widen if more students are sent home for remote learning.

Cryptojacking

In April 2021, Washington educational organizations discovered that they’d been hit by a cryptojacking attack dating back to at least February. Given what was happening in the crypto market at the time, the timing was unsurprising: Cryptojacking is largely tied to the price of cryptocurrency, and in early 2021, cryptocurrency was soaring to record highs.

But in late spring, amid warnings of increased tax enforcement on cryptocurrency earnings and news of mining bans in China and elsewhere, the prices of cryptocurrency — and cryptojacking — crashed hard.

For schools, which saw a mind-boggling 1,917% increase in the number of cryptojacking attacks in the first half of 2021 over the first half of 2020 (versus a 23% increase among organizations as a whole), this was welcome news. But with the prices of most cryptocurrencies continuing to rebound, it’s possible we could see a sustained rise, rather than a drop, once the data from the second half of 2021 is in.

In March 2021, the K-12 Security Information Exchange and the K-12 Cybersecurity Resource Center released a report stating, “The 2020 calendar year saw a record-breaking number of publicly-disclosed school cyber incidents,” with many of these incidents “resulting in school closures, millions of dollars of stolen taxpayer dollars, and student data breaches directly linked to identity theft and credit fraud.”

Unfortunately, as the data from the first half of 2021 shows, attacks on K-12 and higher education institutions have only risen since then. While government programs such as the CARES Act, ARP and more will certainly help, unless we see sustained investment in cybersecurity in the coming years, K-12 and higher education will likely continue to be targeted.

Celebrating Three Decades of Employee Excellence

When Sonic Systems entered the firewall market in 1996, the company had fewer than 40 employees. Today, the company we now know as SonicWall employs more than 1,600 people in 37 countries.

There are a number of unique benefits to choosing a career at SonicWall, including having the chance to work on the cutting edge of cybersecurity. But while a great cybersecurity portfolio can attract top talent, it takes good leadership and a great corporate culture to keep them.

As we interviewed our employees in celebration of our 30th anniversary, four factors repeatedly emerged as integral to SonicWall’s culture: Opportunity, Family, Diversity and Philanthropy.

Opportunity

“At SonicWall, each of our people can advance their careers through hands-on experience and constant learning while receiving highly competitive compensation and rewards,” SonicWall Chief Administrative Officer Matt Neiderman said.

Ruby W., a SonicWall sales engineer (SE), agreed, citing her willingness to learn as key to both her career development and her ability to continue providing higher levels of customer service.

“Learn as much as you can: Security is ever-changing and you have to change, learn and grow with it,” Ruby said. “Keep up with the changing technology and teach your customers — they will appreciate you and trust you even more.”

Ruby was one of several employees who appreciated that their roles offered opportunities to hone their craft among groups of like-minded individuals. Another was Graphic Designer Mike B., who joined SonicWall in 2019.

“My experience at SonicWall has helped me develop as a designer and improved my career as a whole,” Mike said. “The team is the most skilled and professional group of individuals. Everyone is positive and focused on improving the company’s performance.”

This positive, team-oriented philosophy provides an environment ideally suited for helping employees succeed.

“My favorite thing about SonicWall is that everyone is dedicated to our Boundless Cybersecurity mission. This shared vision results in an amazing collaborative environment where everyone can make an impact,” said Terri O., VP of Marketing.

Family

Even among newer employees, many reported that the tight-knit environment felt more like a family than a group of co-workers.

“We have a good mix of hard-edged accountability and a warm, fuzzy, family-like atmosphere in our company,” said Senior Technical Lead John L.

This view wasn’t limited to just one or two departments, however. Social Media Manager Jamie L. credited her coworkers with creating an environment conducive to both professional and personal growth.

“I have loved my experience at SonicWall. It feels like a big family,” Jamie said. “Everyone that I have come into contact with is kind and willing to help me further my knowledge and help me grow.”

While employees enjoy SonicWall’s close-knit atmosphere, they also expressed appreciation for family-friendly policies such as flexible hours and remote work.

“Over the years, we have watched not only employees grow, but also their families. We all work very hard, but it’s knowing that my SonicWall family is behind me every day that makes it all worthwhile,” Sarah C., VP of Human Resources, said.

This support extends far beyond the daily 9-5. Several employees said their SonicWall family had been there to celebrate things like weddings or the arrival of a new baby, and had also lent their support during life’s challenges.

“A huge standout for me was when my son was diagnosed with cancer,” Tiffany H., Sr. Manager, Inside Sales, said. “I came back to the office and everyone was wearing green (the color for lymphoma) to show me that they were there to support me and my family.”

Diversity

SonicWall employees may all be working together toward a shared goal, but their varied experiences mean that each person brings to bear their own unique contribution. SonicWall has long focused on fostering an inclusive and equitable environment, and this begins with the recruiting and hiring processes.

“We are committed to hiring people from diverse backgrounds and cultures and providing each member of our team meaningful opportunities to contribute to the success of the company,” Neiderman said.

As a result, there is no “typical SonicWall employee” — the company prides itself on both bringing together a diverse group of employees in each of its offices, and on celebrating the different beliefs and values of all its employees.

For decades, SonicWall employees and their families have enjoyed celebrating holidays from across the world, as well as participating in special events with music, food, games, costumes, contests and more.

Due to SonicWall’s global presence, some roles offer an opportunity to experience other cultures more directly.

“I have enjoyed the travel opportunities I have been afforded during my time here at SonicWall,” said Technical Support Sr. Advisor David W. “I’ve been to India and South Korea to complete training and to support major customer deployments. Most of all, I really enjoy learning about different cultures and working with people from diverse backgrounds.”

Sr. Test Principal Engineer Keith C. agreed. “I love SonicWall’s diversity and the opportunity to work with people from all over the world,” he said.

Philanthropy

Senior Director of Demand Generation Diane W. summed up SonicWall’s approach to giving as such: “SonicWall thinks globally and acts locally.”

SonicWall offers employees several opportunities throughout the year to help make their communities a better place. Each December, offices support a local charity with donations — for example, the SonicWall headquarters in Milpitas, Calif., donates to the Second Harvest of Silicon Valley, while the Dallas office supports the North Texas Food Bank.

But while many of our charitable endeavors are built around the idea of “helping out at home,” employees are always willing to answer the call when disaster strikes — regardless of where it occurs.

In spring 2021, for example, India experienced a massive wave of severe COVID-19 infections. During this time of widespread suffering and loss of life, SonicWall employees worldwide came together with donations to help ease the hardship of both fellow employees and the area as a whole.

… and in return, Loyalty

“Our decades of working with channel partners to deliver scalable security solutions means that we are big enough to deliver cutting-edge and cost-effective technology, but small enough to never forget the value of the people behind our success,” Neiderman said.

This is reflected in the number of SonicWall employees who choose to spend their career at SonicWall. Out of 1,600 employees, there are 130 who have been with the company for 10-15 years, 67 employees who have spent 16-20 years working for SonicWall, and 16 who have spent over a fifth of a century with us.

During our 30th anniversary celebration, SonicWall wants to take the opportunity to thank our employees for their hard work and their dedication, but most of all, for their loyalty: Whether it’s your second day or your 20th year, your continued efforts at helping safeguard the world’s networks from cybercrime have helped make SonicWall the company it is today, and your contributions will continue to drive improvements on every front over the next 30 years.

SonicWall NSsp 15700 vs. Fortinet FG 3600E

Choosing between two leading enterprise firewalls

Legacy cybersecurity solutions are no match for today’s hyper-distributed businesses. Safeguarding against modern threats requires stronger secure gateways capable of protecting a radically redefined perimeter. To stay ahead of the evolving threats, it’s time for security professionals to embrace modern Next-Generation Firewalls (NGFW).

The firewalls of today are vastly more agile, more capable, and more powerful than when the technology debuted 20 years ago. But not all firewalls are created equal — they come in different form factors, network interfaces and security packages. These packages may or may not include services such as IPS, application control, content filtering, anti-malware, DNS security and cloud management. To further complicate matters, there are enough firewall vendors in the market today that it can be difficult for the average customer to choose the right solution for their environment.

In March 2021, SonicWall commissioned Tolly Group to compare SonicWall NSa 2700 with the Fortinet FG 100F — and their report showed the NSa 2700 is a better choice for medium enterprises. Then, in July 2021, Tolly Group compared the price and performance of two firewalls designed for larger enterprises — SonicWall’s NSsp 15700 to the Fortinet FG 3600E. The two firewalls have a similar form factor and are comparable from a single appliance price point.

When choosing the right security solution, there are three key considerations: price, performance and protection. The ideal choice is the device that costs the least while providing similar performance and a comparable or better feature set than the alternative. Tolly used the published numbers and prices from both vendors to calculate the Total Cost of Ownership (TCO) for a 3-year, High-Availability appliance model with comparable security features. The full report is here. Here are a few of the key findings:

SonicWall’s three-year TCO is less than half that of Fortinet

This report compares SonicWall’s NSsp 15700 Total Secure Essential Edition with Fortinet FG-3600E Unified Threat Protection, both configured in HA mode. The SonicWall solution has a significantly lower TCO mainly because SonicWall does not require the purchase of a firewall license for the second unit. At $885,000, the Fortinet FG 3600E 3-year TCO is more than two times the $440,200 price of the SonicWall NSsp 15700 (see Figure 1).

SonicWall’s advertised threat prevention throughput is more than 2.5 times that of Fortinet

When looking at product data sheets, it’s not uncommon to be overwhelmed with multiple performance numbers. When evaluating a security appliance, you should look for performance numbers that will most closely replicate how you will use the solution in your environment. In the case of a firewall, that number is usually threat protection/prevention with most security features turned on.

While the two firewalls have similar form factor and price per appliance, SonicWall’s solution offers 80 Gbps threat prevention throughput, compared to Fortinet’s 30 Gbps.

SonicWall has a dramatically lower price-to-performance ratio

At the end of the day, what is most important to an organization is how much they have to spend to protect their environment while maximizing performance. For a firewall, that measure is commonly referred to as the price-to-performance ratio and is calculated by dividing the TCO by the relevant performance benchmark.

As detailed in Table 1, the cost of protecting each gigabit per second of network traffic for Fortinet ($29,500) is 5.5 times higher than SonicWall ($5,368).

Conclusion

Firewalls have different pricing, packages, performance, bells and whistles, which can make it difficult to choose between them. Given that a firewall purchase is a long-term investment, it is important to obtain and compare the three- to five-year total cost of ownership as opposed to just looking at list prices. It is clear that SonicWall firewalls, including both the NSa 2700 for medium enterprises and the NSsp 15700 for large enterprises, outperform comparable Fortinet firewalls at a lower total cost of ownership.

Nagios XI Configwizards Command Injection Vulnerability

Overview:

  Nagios is an open source host, service and network monitoring program. The product’s functionality is implemented through a number of server-side programs primarily written in PHP, with a backend database running MariaDB, a drop-in replacement for MySQL. The majority of these programs can be accessed only after successful authentication is performed with the underlying webserver. Nagios XI is a paid version of Nagios which offers greater functionality and performance than Nagios, such as enhanced dashboards, graphs and backend database support.

  A command injection vulnerability has been reported in Nagios XI. The vulnerability is due to insufficient input validation of the requests submitted to windowswmi.inc.php.

  A remote authenticated attacker can exploit this vulnerability by sending a crafted request to the server. Successful exploitation could result in arbitrary command execution with privileges of the web server on the target system.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-25296.

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 6.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C).

  Base score is 7.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is low.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is low.
    • Impact of this vulnerability on data integrity is low.
    • Impact of this vulnerability on data availability is low.
  Temporal score is 6.7 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  Nagios XI facilitates the management of the tasks that monitor new devices, services, and applications via the Configuration Wizards feature. Configuration Wizards include a set of modules which make it easy for end users to set up monitoring tasks for various services or hosts through a user-friendly interface, without needing to understand how Nagios XI works in the backend. Several of these modules are installed by default in a Nagios XI installation. The “Windows WMI” module is one of these default modules and is the one relevant to this report. The Configuration Wizards feature can be accessed via the Request-URI

    /url_root/config/monitoringwizard.php

  where url_root is the url root of the Nagios XI application.

  A command injection vulnerability exists in Nagios XI. When processing the requests submitted to the monitoringwizard.php endpoint, the monitoringwizard.php will check if the value of the wizard request parameter is “windowswmi”. If yes, it will call the function windowswmi_configwizard_func() in the windowswmi.inc.php to process the request. The windowswmi_configwizard_func() creates command-line strings which will invoke the program check_wmi_plus.pl to perform various monitoring tasks. The check_wmi_plus.pl provides several command-line arguments. One of them is the “forcetruncateoutput” argument, which limits the length of output printed by the check_wmi_plus.pl. The windowswmi_configwizard_func() will check if the plugin_output_len request parameter exists in the HTTP request. If yes, it will apply the plugin_output_len value to the construction of the check_wmi_plus.pl command-line string as its “forcetruncateoutput” argument, like the command-line string shown below:

    check_wmi_plus.pl ...... --forcetruncateoutput plugin_output_len

  where plugin_output_len is the value of the plugin_output_len request parameter.

  Then, windowswmi_configwizard_func() runs the constructed check_wmi_plus.pl command-line string using the PHP exec() function.

  However, windowswmi_configwizard_func() does not sanitize the plugin_output_len parameter value before applying it to the command-line string. An attacker can include command injection characters in the value of the plugin_output_len parameter which are then included in the constructed command line string. This allows for the execution of arbitrary commands on the underlying system when windowswmi_configwizard_func() calls PHP exec() to run the command-line string.

  A remote, authenticated attacker can exploit this vulnerability by sending a crafted request to the target server. Successful exploitation results in the execution of arbitrary commands as the apache user.
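  The construction pattern the overview describes, shown next to a hardened version that validates plugin_output_len before it reaches the command line. This is an added example, not Nagios XI’s own code: the function names, the fixed portion of the command line and the sample request values are assumptions.

```php
<?php
// Added example (hypothetical reconstruction, not the Nagios XI source).
// Both functions return the command-line string that would be handed to exec().

// Unsafe pattern: the request value is concatenated straight into the command
// line, so any shell metacharacters it carries become part of the command.
function build_check_wmi_command_unsafe(array $request): string
{
    // Fixed portion of the command line is assumed for illustration.
    $cmd = 'check_wmi_plus.pl -H ' . $request['ip_address'];
    if (isset($request['plugin_output_len'])) {
        $cmd .= ' --forcetruncateoutput ' . $request['plugin_output_len'];
    }
    return $cmd; // later: exec($cmd, $output, $rc);
}

// Hardened pattern: --forcetruncateoutput takes a byte count, so accept only a
// plain non-negative integer of sane size and reject everything else. The
// host is validated as an IP address and every argument is still quoted with
// escapeshellarg() as a second line of defence.
function build_check_wmi_command_safe(array $request): string
{
    $host = $request['ip_address'] ?? '';
    if (!is_string($host) || filter_var($host, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('ip_address must be a valid IP address');
    }
    $cmd = 'check_wmi_plus.pl -H ' . escapeshellarg($host);

    if (isset($request['plugin_output_len'])) {
        $len = $request['plugin_output_len'];
        // is_string() rejects array-valued parameters (plugin_output_len[]=...),
        // ctype_digit() rejects the empty string and any non-digit character.
        if (!is_string($len) || !ctype_digit($len) || strlen($len) > 6) {
            throw new InvalidArgumentException(
                'plugin_output_len must be a non-negative integer of at most 6 digits'
            );
        }
        $cmd .= ' --forcetruncateoutput ' . escapeshellarg($len);
    }
    return $cmd;
}

// Constructed sample requests (not captured traffic): a legitimate value and
// one that is not a plain integer.
$legit = ['ip_address' => '192.0.2.10', 'plugin_output_len' => '1024'];
$bad   = ['ip_address' => '192.0.2.10', 'plugin_output_len' => '1024;'];

echo build_check_wmi_command_unsafe($bad), "\n";   // metacharacter passes through
echo build_check_wmi_command_safe($legit), "\n";   // quoted, validated arguments
try {
    build_check_wmi_command_safe($bad);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

  Validation of the expected type is the primary control here; escapeshellarg() alone would still let an unexpected value reach check_wmi_plus.pl as an argument.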

Triggering the Problem:

    • The target system must have the vulnerable product installed and running.
    • The attacker must have network connectivity to the affected ports.
    • The attacker must authenticate to the target system.

Triggering Conditions:

  The attacker authenticates and then sends an HTTP request containing maliciously crafted parameters to the target server. The vulnerability is triggered when the server processes the request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP, over port 80/TCP
    • HTTPS, over port 443/TCP

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 15480 Nagios XI monitoringwizard.php Command Injection 1
  • IPS: 15668 Nagios XI monitoringwizard.php Command Injection 2

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Blocking the affected ports from external network access if they are not required.
    • Filtering traffic based on the signature above.
    • Upgrading the product to a non-vulnerable version.
  The vendor has released a patch (5.8.0) regarding this vulnerability:
  Vendor Advisory