Microsoft Security Bulletin Coverage for August 2021

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of August 2021. A list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2021-26432 Windows Services for NFS ONCRPC XDR Driver Remote Code Execution Vulnerability
IPS 2045: Windows NFS Remote Code Execution (CVE-2021-26432)

CVE-2021-34480 Scripting Engine Memory Corruption Vulnerability
IPS 2044: Scripting Engine Memory Corruption Vulnerability (CVE-2021-34480)

CVE-2021-34535 Remote Desktop Client Remote Code Execution Vulnerability
ASPY 207: Malformed-File exe.MP.197

CVE-2021-36948 Windows Update Medic Service Elevation of Privilege Vulnerability
ASPY 208: Malformed-File exe.MP.198

The following vulnerabilities do not have known exploits in the wild:
CVE-2021-26423 .NET Core and Visual Studio Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-26424 Windows TCP/IP Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-26425 Windows Event Tracing Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26426 Windows User Account Profile Picture Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26428 Azure Sphere Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-26429 Azure Sphere Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26430 Azure Sphere Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-26431 Windows Recovery Environment Agent Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26433 Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-33762 Azure CycleCloud Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34471 Microsoft Windows Defender Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34478 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34483 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34484 Windows User Profile Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34485 .NET Core and Visual Studio Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-34486 Windows Event Tracing Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34487 Windows Event Tracing Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34524 Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34530 Windows Graphics Component Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34532 ASP.NET Core and Visual Studio Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-34533 Windows Graphics Component Font Parsing Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34534 Windows MSHTML Platform Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34536 Storage Spaces Controller Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34537 Windows Bluetooth Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-36926 Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-36927 Windows Digital TV Tuner device registration application Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-36932 Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-36933 Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-36936 Windows Print Spooler Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-36937 Windows Media MPEG-4 Video Decoder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-36938 Windows Cryptographic Primitives Library Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-36940 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-36941 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-36942 Windows LSA Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-36943 Azure CycleCloud Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-36945 Windows 10 Update Assistant Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-36946 Microsoft Dynamics Business Central Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2021-36947 Windows Print Spooler Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-36949 Microsoft Azure Active Directory Connect Authentication Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-36950 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
There are no known exploits in the wild.

The Top 12 Cybersecurity Books – Recommendations from SonicWall Leadership and Employees

In celebration of National Book Lover’s Day, we polled SonicWall leadership and employees for the all-time standout cybersecurity books. Here’s what they recommend.

Cybercrime headlines have become a regular fixture in the daily news. As we connect to the internet for everything from work and school to social interactions, cybercriminals have taken advantage of a widening pool of potential targets.

According to the latest data in the Mid-Year Update to the 2021 SonicWall Cyber Threat Report, ransomware attacks were up 151% year to date through June 2021. In fact, SonicWall Capture Labs threat researchers recorded more ransomware attacks during the first half of 2021 than all over 2020.

As a result, cybersecurity has grown from a dedicated technology industry to a general interest topic. That’s why we’ve put together a list of cybersecurity books that everyone should — and can — read. From our employees’ responses, we’ve crafted a list of books that share wisdom gained from real-life experiences and threat research, all while providing a highly entertaining read.

  1. The Smartest Person in the Room
    2021, Christian Espinosa
    Christian Espinosa has poured his experience as an IT engineer and company CEO into this book with a fresh approach to cybersecurity. The book is detailed with business management insights and guidance for strategic planning. It is designed to help executives and managers solve the weakest link in cybersecurity: people. According to Espinosa, high intelligence and talent lose meaning when companies lack effective communication, intelligence and self-confidence, leaving organizations weak and vulnerable to exploitation. Espinosa outlines a seven-step methodology for turning a company’s greatest weakness into robust defense against the most common cyberthreats.
  2. Practical Cyber Security for Extremely Busy People
    2020, Daniel Farber Huang
    A guidebook written in concise, easily consumed sections designed to help individuals take actionable steps to protect themselves, their families and their careers from cyber threats and online exploitation. Learn how to prevent companies from tracking your online movements, secure your online bank accounts and prevent identity theft. This book makes personal cybersecurity less intimidating and more efficient for any internet user.
  3. Cybersecurity and Cyberwar: What Everyone Needs to Know
    2014, P.W. Singer, Allan Friedman
    New York Times best-selling author P. W. Singer and renowned security expert Allan Friedman give us a simple and informative resource for deciphering our ongoing problems with cybersecurity. The narrative is wrapped around several essential questions: how cybersecurity works, why it matters and what we can do to help it along. The narrative is well-illustrated, with excellent stories and anecdotes that offer important and entertaining points about major players in cybersecurity.
  4. Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon
    2015, by Kim Zetter
    Kim Zetter is an investigative journalist who is well-known for her coverage of cybersecurity and national security issues. While this book is a bit older, it builds a case for the identity of the creator of Stuxnet and how the malware was used to sabotage Iran’s nuclear production infrastructure. In addition, the book illustrates how the malware went on to trigger a new age of warfare and threat. Finally, Zetter goes beyond the history of hacking attacks and makes several predictions about new threats we face.
  5. Social Engineering: The Science of Human Hacking
    2018, Christopher Hadnagy
    Written by Christopher Hadnagy, an IT educator and entrepreneur, Social Engineering illustrates how ‘social’ hackers think. Hadnagy points out that it’s much easier to trick someone into sharing their passwords than to exert the brute force necessary to hack into a system. This book examines social hackers’ psychological tactics and tricks to steal identities, commit fraud, and gain access to even the largest and most well-protected enterprise computer systems.
  6. The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age
    2018, by David E. Sanger
    Written by New York Times national security correspondent David Sanger, The Perfect Weapon describes the confluence between cyberweapons and geopolitics. Sanger summarizes how hacking tools have transformed into cheap weapons utilized by democracies, despots, and terrorists alike and used virtually anonymously. Sanger reminds us that two American presidents — Bush and Obama — showed the world how it is done by launching the first massive state attack to destroy Iran’s nuclear centrifuges. Yet, ironically, America and its allies were badly unprepared when other state actors turned the very same weapons against them. This book should be on everyone’s list because it illustrates “the perils of technological revolution, where everyone is a target.”
  7. Cult of the Dead Cow
    2019, Joseph Menn
    Author Joseph Menn describes his life as a teenage member of a hacker’s ‘club’ with a weird name. Menn explains the group’s genesis, how they worked, a few of their exploits, and how they became the country’s oldest and most respected ethical hacking group. According to Menn, the group coined the word “hacktivism” to force large corporations to rethink security protocols and protections for personal data. As of the book’s publication, the group and its followers are still engaged in hacktivism against misinformation and promoting security measures that help make personal data safer.
  8. Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers
    2019, Andy Greenberg
    Author Andy Greenberg, a senior editor for WIRED magazine, writes a riveting narrative about a series of devastating cyberattacks that span three years (from 2014 to 2017) that started with utility companies in the U.S. and Europe and NATO administrative offices. The attacks resumed with a well-known deployment of malware known as NotPetya that paralyzed global corporations, railways, postal services, hospitals and did about $10 billion in damage. At the time, it was an unprecedented and the most destructive cyberattack the world had seen. Greenberg’s examination explores the realities of state-sponsored cyberattacks and still-relevant insights on the implications of a new type of global warfare.
  9. The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats
    2019, by Richard A. Clarke, Robert K. Knake
    The Fifth Domain is written by two former U.S. presidential cybersecurity officials, Richard Clarke and Robert Knake. The authors open by listing the four known domains of warfare —land, air, sea, and space — adding the fifth domain: cyberspace. Next, they offer detailed profiles of several high-profile attacks and the lessons learned. Finally, the deeper dive gives us technical details about system resiliency that corporations and organizations can adopt to keep them out of trouble.
  10. Cyber Warfare – Truths, Tactics & Strategies
    2020, Dr. Chase Cunningham, foreword by Gregory J. Touhill
    This book clearly and plainly defines strategies and tactics for cybersecurity. Written by retired chief U.S. Navy cryptologist and cyber forensic analyst Dr. Chase Cunningham, the book is a quick read and easily digestible despite some of the high-level technical narratives. Readers gain an understanding of the tactics that threat adversaries use in the modern distributed IT world. Dr. Cunningham also dives into emerging cybersecurity issues such as machine learning, artificial intelligence, and deep fakes.
  11. Tribe of Hackers: Security Leaders
    2020, Marcus J. Carey and Jennifer Jin
    This volume is one of four books under the “Tribe of Hackers” title, written for people who want to work and succeed in the expanding field of information security. One of the series’ best editions, the book focuses on leadership training specifically for cybersecurity in a collection of essays written by non-corporate global thinkers from the field. Published by Wiley, a publisher that specializes in nonfiction business instructionals, this book and its companion series are a great way to kick off a career or grow an existing one.
  12. Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker
    2012, Kevin Mitnick
    Ghost in the Wires is a thrilling true story of intrigue, suspense, and unbelievable escapes — and a portrait of a visionary who forced the authorities to rethink the way they pursued him, and forced companies to rethink the way they protect their most sensitive information.

Honorable Mention

It may not be a book about cybersecurity, but we cannot end this list without mentioning this upcoming release from Colonel Chris Hadfield.

Colonel Hadfield left a lasting impression on SonicWall employees globally when he kicked off the global Boundless 2020 virtual partner conference last August. Hadfield is set to release The Apollo Murders, a fictional account of three astronauts in a tiny spaceship, a quarter million miles from home, in October 2021. His debut thriller, The Apollo Murders is a high-stakes thriller unlike any other. Hadfield captures the fierce G-forces of launch, the frozen loneliness of space, and the fear of holding on to the outside of a spacecraft orbiting the Earth at 17,000 miles per hour as only someone who has experienced all of these things in real life can.

Cybersecurity News & Trends – 08-06-21

This week, the tectonic Mid-Year Update to the 2021 SonicWall Cyber Threat Report continued to reverberate in the press, while SonicWall President and CEO Bill Conner finds himself selected for two CRN leadership lists. In other news, hackers hit Microsoft and diplomats, a Joint Cyber Defense Collaborative goes active, U.S. Senators’ “horror show,” the U.S. State Department (and other agencies) get low scores for cybersecurity, and Swisslog’s “Swiss cheese” problem.


SonicWall in the News

How remote work raises the risks of cyberattacks — Axios

  • SonicWall’s Mid-Year Update to the 2021 Cyber Threat Report continues to feature prominently in the press. Axios noted that as the pandemic drove more of the American workforce into remote offices, cyberattacks increased. The story cited stats from the report: Between 2019 and 2020, ransomware cyberattacks rose 62% worldwide and 158% in North America.

How remote work raises the risk of cyber and ransomware attacks— Yahoo! News

  • SonicWall’s Mid-Year Update to the 2021 Cyber Threat Report also appeared in Yahoo! News. The story highlighted the mention of stats from the FBI that observed a 20% rise in cyberattacks between 2019 and 2020. Also, from the report, the collective cost of ransomware attacks reported to the bureau rose more than 200% in 2020 to roughly $29.1 million.

The Challengers Power List— Forbes India

  • SonicWall’s own Debasish Mukherjee, VP of Regional Sales, APAC, was featured in a discussion about how businesses have faced pandemic challenges head-on and helped their companies grow. Mukherjee goes into detail on how SonicWall bridges cybersecurity gaps for enterprises, governments, and SMBs.

The Top 25 I.T. Innovators Of 2021— CRN

  • Bill Conner, President and CEO of SonicWall, was named to CRN’s Top 25 Innovators of 2021 list for his work evolving SonicWall beyond the firewall to deliver security for the endpoint, email and cloud. He also helped develop Cloud Edge Secure Access to allow customers to control and protect network access to managed and unmanaged devices based on identity, location and device parameters.

The Top 100 Executives Of 2021— CRN

  • Bill Conner, President and CEO of SonicWall, also found himself on CRN’s Top 100 Executives for 2021. CRN honors leaders who are setting the pace for the rest of the I.T. industry.

Industry News

Microsoft Exchange Used to Hack Diplomats Before 2021 Breach— Bloomberg

  • Late last year, while investigating the hack of an Italian retailer, researchers at the Los Angeles-based cybersecurity company Resecurity stumbled across five gigabytes of stolen data squirreled away on a cloud storage platform. During the previous three and a half years, hackers stole the data from foreign ministries and energy companies by hacking their on-premises Microsoft Exchange servers.

U.S. Taps Amazon, Google, Microsoft, Others to Help Fight Ransomware, Cyber Threats— The Wall Street Journal

  • The U.S. launched the Joint Cyber Defense Collaborative and tapped Amazon, Google, Microsoft, and other companies to help combat ransomware and other cyberthreats. The creation of the joint initiative follows massive cyberattacks on critical U.S. infrastructure. “This will uniquely bring people together in peacetime so that we can plan for how we’re going to respond in wartime,” says Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency.

Senators highlight national security threats from China during rare public hearing— The Hill

  • The Senate Intelligence Committee held a rare public hearing earlier this week to stress the increased threats posed by mainland Chinese hackers to U.S. national security, U.S. companies, and intellectual property. One top senator described the situation as a “horror show.” According to the committee, the threats include Chinese cyberattacks against U.S. companies and critical organizations that resulted in the theft of billions of dollars in U.S. intellectual property.

A US official explains why the White House decided not to ban ransomware payments— The Hill

  • The Biden administration backed away from banning ransomware payments after meetings with the private sector and cybersecurity experts. According to reports, experts and business leaders helped shift that view following high-profile hacks against Colonial Pipeline, JBS, and Kaseya, a Florida-based IT firm.

New Hacking Group Shows Similarities to Gang That Attacked Colonial Pipeline— The Wall Street Journal

  • Cyberthreat investigators say that a new hacking group recently emerged with similar techniques used by a group that successfully hacked the Colonial Pipeline Co. earlier this year. The new group, named BlackMatter, has cryptocurrency wallets and ransomware strains similar to those used by the former group.

Ransomware Gangs and the Name Game Distraction — Krebs on Security

  • Brian Krebs takes a deep dive into notable ransom gang reinventions over the past five years. “Reinvention is a basic survival skill in the cybercrime business,” says Krebs. “Among the oldest tricks in the book is to fake one’s demise or retirement and invent a new identity.”

Energy group ERG reports minor disruptions after ransomware attack — Bleeping Computer

  • This week, ERG, an Italian energy company, reported that it experienced “only a few minor disruptions” to its information and communications technology infrastructure following a ransomware attack on its systems.

The State Department and 3 other U.S. agencies earn a D for cybersecurity — Ars Technica

  • Cybersecurity at eight federal agencies is so poor that four of them earned D grades, three got Cs, and only one received a B in a report issued Tuesday by a U.S. Senate Committee. This report comes two years after another damning cybersecurity report. Again, auditors find that little has improved.

Nearly 450K patients impacted by Orlando Family Physicians phishing attack— S.C. Magazine

  • Orlando Family Physicians (OFP) recently notified 447,426 patients that their data was potentially compromised during a successful phishing attack in April. The breach tally makes the OFP incident among the ten largest reported in U.S. health care this year.

Supply chain attacks are getting worse, and you are not ready for them— ZDNet

  • The European Union Agency for Cybersecurity (ENISA) analyzed 24 supply chain attacks and warned that current defenses against these threats are insufficient. The ENISA report focused on advanced persistent threat (APT) supply chain attacks, noting that while the coding was not very advanced, the planning and staging were complex.

White House cyber chief backs new federal bureau to track threats — The Hill

  • On Monday, National Cyber Director Chris Inglis made a case for establishing an office within the Department of Homeland Security (DHS) to track and analyze cybersecurity incidents to ensure that the country has an early warning system to understand attack vectors and targets.

FTC’s right-to-repair ruling is a small step for security researchers, giant leap for DIY hackers— Cyberscoop

  • The Federal Trade Commission recently voted unanimously to enforce rules against manufacturers who make it difficult for consumers to fix their own devices. Unfortunately, while a significant win for the “right-to-repair” movement for consumer advocates and owners of devices, this move is also a big win for hackers.

PwnedPiper vulns have potential to turn Swisslog’s PTS hospital products into “Swiss cheese,” says Armis — The Register

  • An investigation by security experts at Armis discovered severe vulnerabilities in Swisslog PTS hospital products used by 80% of U.S. hospitals. Security problems were so bad that analysts said that they had the potential to turn Swisslog’s products into “Swiss cheese.” Among the vulnerabilities that were uncovered: hardcoded passwords, unencrypted connections, and unauthenticated firmware updates. Patches have been released.

In Case You Missed It

Advantech R-SeeNet ping.php Command Injection Vulnerability

Overview:

  Advantech R-SeeNet is a monitoring application that runs on a server; its job is to collect information from the routers, store it, process it and present it to a network administrator. R-SeeNet consists of two parts: the R-SeeNet server and the R-SeeNet PHP web-based application. The R-SeeNet server is the non-visible part responsible for querying the routers and gathering information. It also stores the recorded information in a MySQL database. The R-SeeNet PHP web-based application is responsible for showing both individual statistics and the status of the whole network.

  A command injection vulnerability has been reported in Advantech R-SeeNet. The vulnerability is due to insufficient validation of the parameter in ping.php.

  A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted request to the target system. Successful exploitation could result in arbitrary command execution in the security context of the web server on the target server.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-21805.

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C).

  Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 9.4 (E:P/RL:U/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is unavailable.
    • The report confidence level of this vulnerability is confirmed.
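To show how the base and temporal numbers above follow from the listed metrics, here is an added PHP implementation of the CVSS v3.1 scoring formulas from the specification; it is not part of the advisory or of any vendor code. Applied to the vector above, it returns the base score 10.0 and the temporal score 9.4 listed there. The metric weights are the published v3.1 values; the function names are my own.

```php
<?php
// Added example: CVSS v3.1 base and temporal score calculation from the
// specification formulas. Not Advantech or SonicWall code.

const CVSS_WEIGHTS = [
    'AV' => ['N' => 0.85, 'A' => 0.62, 'L' => 0.55, 'P' => 0.2],
    'AC' => ['L' => 0.77, 'H' => 0.44],
    'UI' => ['N' => 0.85, 'R' => 0.62],
    'C'  => ['H' => 0.56, 'L' => 0.22, 'N' => 0.0],
    'I'  => ['H' => 0.56, 'L' => 0.22, 'N' => 0.0],
    'A'  => ['H' => 0.56, 'L' => 0.22, 'N' => 0.0],
    // Temporal metrics; 'X' (not defined) weighs 1.0.
    'E'  => ['X' => 1.0, 'H' => 1.0, 'F' => 0.97, 'P' => 0.94, 'U' => 0.91],
    'RL' => ['X' => 1.0, 'U' => 1.0, 'W' => 0.97, 'T' => 0.96, 'O' => 0.95],
    'RC' => ['X' => 1.0, 'C' => 1.0, 'R' => 0.96, 'U' => 0.92],
];

// The Privileges Required weight depends on whether Scope is changed.
function cvss_pr_weight(string $pr, bool $scopeChanged): float
{
    switch ($pr) {
        case 'N': return 0.85;
        case 'L': return $scopeChanged ? 0.68 : 0.62;
        case 'H': return $scopeChanged ? 0.50 : 0.27;
    }
    throw new InvalidArgumentException("unknown PR value: $pr");
}

// Roundup as defined in the v3.1 specification (Appendix A): round up to one
// decimal place using integer arithmetic to avoid floating-point artifacts.
function cvss_roundup(float $x): float
{
    $i = (int) round($x * 100000);
    if ($i % 10000 === 0) {
        return $i / 100000;
    }
    return (floor($i / 10000) + 1) / 10;
}

// Parse "CVSS:3.1/AV:N/AC:L/..." into a metric => value map.
function cvss_parse(string $vector): array
{
    $metrics = [];
    foreach (explode('/', $vector) as $part) {
        [$key, $value] = explode(':', $part, 2);
        $metrics[$key] = $value;
    }
    return $metrics;
}

// Returns [base, temporal]; temporal equals base when no temporal metrics are present.
function cvss31_scores(string $vector): array
{
    $m = cvss_parse($vector);
    $w = CVSS_WEIGHTS;
    $changed = ($m['S'] === 'C');

    // Impact Sub-Score, then Impact adjusted for Scope.
    $iss = 1 - (1 - $w['C'][$m['C']]) * (1 - $w['I'][$m['I']]) * (1 - $w['A'][$m['A']]);
    $impact = $changed
        ? 7.52 * ($iss - 0.029) - 3.25 * pow($iss - 0.02, 15)
        : 6.42 * $iss;
    $exploitability = 8.22 * $w['AV'][$m['AV']] * $w['AC'][$m['AC']]
        * cvss_pr_weight($m['PR'], $changed) * $w['UI'][$m['UI']];

    if ($impact <= 0) {
        $base = 0.0;
    } elseif ($changed) {
        $base = cvss_roundup(min(1.08 * ($impact + $exploitability), 10));
    } else {
        $base = cvss_roundup(min($impact + $exploitability, 10));
    }

    $temporal = cvss_roundup($base
        * $w['E'][$m['E'] ?? 'X'] * $w['RL'][$m['RL'] ?? 'X'] * $w['RC'][$m['RC'] ?? 'X']);
    return [$base, $temporal];
}

// The vector from the advisory above.
[$base, $temporal] = cvss31_scores('CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C');
printf("base %.1f, temporal %.1f\n", $base, $temporal);
```

The Scope-changed branch is what pushes this vector to the ceiling: impact plus exploitability comes to just under 10, and the 1.08 multiplier applied when scope changes takes it over, after which the score is clamped to 10.0. The temporal score then drops only by the proof-of-concept exploit maturity factor (0.94), since an unavailable remediation and confirmed report confidence both weigh 1.0.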

Technical Overview:

  R-SeeNet web application server can send ping packets to other devices and get their status when receiving a request to the “ping.php” endpoint as below:

  

  Where the hostname parameter value contains the IP address or host name of a remote device.

  A command injection vulnerability exists in Advantech R-SeeNet. When processing a request submitted to the ping.php endpoint, ping.php first checks whether it is running on a Windows platform. If not, it constructs a ping command-line string as below:

  ping -c 5 -s 64 -t 64 hostname

  where hostname is the value of the hostname request parameter. It then uses the PHP popen() function to execute the constructed ping command-line string and read its output.

  However, ping.php does not sanitize the hostname parameter before using it to construct the ping command-line string. An attacker can submit a malicious command embedded in the value of the hostname parameter to the target server. The malicious command is then appended to the constructed ping command-line string. This could allow for the execution of arbitrary commands on the underlying system when ping.php calls PHP popen() to run the ping command-line string.

  A remote, unauthenticated attacker can exploit the vulnerability by sending crafted requests to the server. Successful exploitation could result in arbitrary command execution with web server privileges on the target server.
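As an added example that is not part of the advisory or of Advantech's ping.php, the following PHP reconstructs, from the description above, the pattern of a ping command line built from the hostname parameter and handed to popen(), and places a hardened handler beside it. The function names, the request-handling shape and the sample inputs are assumptions; the defensive approach is the standard one for this bug class: allow-list the value, then never let it reach a shell.

```php
<?php
// Added example, not Advantech's code: the vulnerable construction described
// in the advisory (reconstructed from its text) next to a hardened handler.
// Function names and the request-handling shape are assumptions.

// --- Vulnerable pattern (as described above) -------------------------------
// The hostname request parameter is concatenated into a command line that
// popen() hands to /bin/sh, so shell metacharacters in the value become part
// of the command rather than part of the hostname.
function ping_vulnerable(string $hostname): string
{
    $cmd = 'ping -c 5 -s 64 -t 64 ' . $hostname;   // no validation, no quoting
    $fp = popen($cmd, 'r');
    if ($fp === false) {
        return '';
    }
    $out = stream_get_contents($fp);
    pclose($fp);
    return $out;
}

// --- Hardened version -------------------------------------------------------
// 1. Allow-list the value: an IP literal or an RFC 1123 hostname, nothing else.
function is_valid_ping_target(string $hostname): bool
{
    if (filter_var($hostname, FILTER_VALIDATE_IP) !== false) {
        return true;                                // IPv4 or IPv6 literal
    }
    if (strlen($hostname) > 253) {
        return false;
    }
    // Dot-separated labels of letters, digits and hyphens; no label may start
    // or end with a hyphen, which also rules out values that look like options.
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    return preg_match("/^{$label}(?:\\.{$label})*\\.?$/", $hostname) === 1;
}

// 2. Never let the value reach a shell: pass an argument array (PHP >= 7.4)
//    so proc_open() executes ping directly and the value is a single argv
//    entry whatever characters it contains. On older PHP, escapeshellarg()
//    is the fallback, but the allow-list above is still needed because
//    quoting alone does not stop a value such as "-f" from being parsed by
//    ping as an option.
function ping_hardened(string $hostname): ?string
{
    if (!is_valid_ping_target($hostname)) {
        return null;                                // caller answers 400 and logs the rejection
    }
    $argv = ['ping', '-c', '5', '-s', '64', '-t', '64', $hostname];
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// Constructed inputs showing what the allow-list accepts and rejects. The
// validator needs no network access, so this part runs anywhere.
$samples = ['192.0.2.10', 'router-1.example.net', '2001:db8::1',
            '192.0.2.10; echo injected', '$(hostname)', '-f'];
foreach ($samples as $value) {
    printf("%-28s %s\n", $value, is_valid_ping_target($value) ? 'accepted' : 'rejected');
}
```

The two fixes are complementary rather than alternatives: the argument array removes the shell, which is what turns `;`, `|`, backticks and `$(...)` into command boundaries, while the allow-list removes argument injection, which no quoting can prevent once an attacker controls the first character of a value placed after the options. The IPS signature listed further down covers the network side of the same problem; the application-level fix is what makes the endpoint safe regardless of which path a request arrives over.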

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The attacker must have network connectivity to the affected ports.

Triggering Conditions:

  The attacker sends an HTTP request containing maliciously crafted parameters to the target server. The vulnerability is triggered when the server processes the request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP, over port 80/TCP

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 15657 Advantech R-SeeNet ping.php Command Injection 1

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Blocking the affected ports from external network access if they are not required.
    • Filtering traffic based on the signature above.
  The vendor has not released any advisory regarding this vulnerability.

SonicWall Earns Another Perfect Score from ICSA Labs for Q2

Cybercrime has been on the rise for more than a year now — and lately, it seems to be picking up steam. As we detailed in the mid-year update to the 2021 SonicWall Cyber Threat Report, ransomware hit record highs in the first half of 2021, rising an unprecedented 151% year-to-date. Other forms of threat, such as cryptojacking and IoT malware attacks, have also continued to climb.

With cybercriminals growing in strength, number and sophistication, the real-world validation that comes with third-party certification is more important than ever. That’s why we’re pleased to announce that SonicWall Capture Advanced Threat Protection (ATP) received a 100% score from ICSA Labs for Q2 2021 — the second perfect score earned by SonicWall’s multi-engine cloud sandbox service in a row, and the sixth consecutive certification for Capture ATP overall.

Capture ATP uses patented Real-Time Deep Memory InspectionTM (RTDMI) technology to catch the most advanced and unknown malware faster than traditional behavior-based sandboxing methods — all with fewer false positives. The results of the most recent testing cycle are a testament to this effectiveness: Capture ATP detected 100% of new and little-known threats without issuing a single false positive.

During 33 days of comprehensive and continuous evaluation, SonicWall Capture ATP was subjected to 1,144 total test runs, which included 544 malicious samples — 216 of them four hours old or less.

Not only did Capture ATP identify all these malicious samples, it did not incorrectly flag any of the 600 innocuous apps that were also included in the test runs. According to the report, “On 33 of 33 days during the Q2 2021 test cycle, SonicWall Capture ATP was 100% effective.”

These results are just one indication of the potential found within Capture ATP’s machine-learning capabilities. Capture ATP’s RTDMI technology continually grows faster, more vigilant and more intelligent. According to SonicWall Capture Labs, each year since its introduction, RTDMI has identified significantly more threats than the previous year: in the first six months of 2021, it identified 54% more never-before-seen threats than it did the first half of 2020.

The full ICSA Labs report can be downloaded here. To learn more about SonicWall Capture ATP with RTDMI, visit our website.

What is ICSA Advanced Threat Defense Testing?

Standard ICSA Labs Advanced Threat Defense (ATD) testing evaluates vendor solutions designed to detect new threats that traditional security products miss. In testing, ICSA delivers malicious threats with the primary threat vectors that lead to enterprise breaches according to Verizon’s Data Breach Investigations Report. The test cycles evaluate how effectively vendor ATD solutions detect these unknown and little-known threats while minimizing false positives.

SonicWall President and CEO Bill Conner Recognized on CRN’s 2021 Top 100 Executives List

Olympic athletes are not the only ones being recognized for their hard work and commitment this summer. CRN has once again named SonicWall President and CEO Bill Conner to its 2021 Top 100 Executives list and honored him in the Top 25 IT Innovators of 2021 sub-category.

The annual list honors the passionate and hard-working technology executives who are supporting, growing and redefining the IT channel. These executives have demonstrated their commitment to the channel and proved themselves as exemplary leaders through their innovative channel-focused strategies and initiatives.

“The SonicWall channel is the heartbeat of our company that has propelled us forward for the last 30 years,” said Conner. “We have been 100% driven by the channel since our founding, and it is our mission to thank those partners by providing them with the technology, tools and support they need in order for them to achieve success and bypass their goals.”

CRN’s Top 100 Executives list acknowledges the tech visionaries who are blazing new trails within the larger IT space. It honors executives across four sub-categories: the 25 Most Influential Executives, Top 25 Channel Sales Leaders, Top 25 Innovators and Top 25 Disruptors, each with its own set of strengths that impact the IT channel.

“New technology trends, such as the shift to remote work, cloud computing, SaaS, and IoT, have forced companies to rapidly adapt to an IT landscape that gets more complex by the day,” said Blaine Raddon, CEO of The Channel Company. “However, with IT executives like those featured on our CRN 2021 Top 100 Executives list leading the charge, those same companies are better equipped to tackle modern IT challenges. These leaders have demonstrated an unceasing commitment to business growth and IT innovation, and I have no doubt they’ll continue to do so as new challenges arise.”

Founded in 1991, SonicWall first sought to onboard top resellers, VARs and system integrators that focused on providing high quality, affordable inter-networking solutions to small- to medium-sized businesses (SMB) and educational institutions. Today, SonicWall has grown to more than 17,000 channel partners worldwide.

SonicWall is credited for building the award-winning SecureFirst partner program in 2016 that grew 500% in one year as partners around the world were re-introduced to products and comprehensive offerings.

For more information on how to become a SonicWall partner visit, www.sonicwall.com/partners/become-a-partner.

3S Smart Software Solutions CoDeSys Vulnerability

Overview:

  3S Smart Software Solutions CoDeSys is an IEC 61131-compliant PLC program development environment for multiple programming languages. CoDeSys supports PLC devices from over 250 device manufacturers. The CoDeSys Gateway Server is a service which facilitates enumeration, programming and interaction over TCP with devices, which themselves do not feature network connectivity.

  A stack buffer overflow vulnerability exists in 3S Smart Software CoDeSys. The vulnerability is due to insufficient boundary checking when parsing requests and allows overflowing a stack buffer with an overly long string.

  A remote unauthenticated attacker could exploit this vulnerability by sending crafted requests to the vulnerable service on ports 1211/TCP and 1210/TCP. Successful exploitation could result in code execution with SYSTEM privileges. Unsuccessful attack attempts could cause the affected service to terminate abnormally, causing a denial of service (DoS) condition.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2012-4708.

Common Vulnerability Scoring System (CVSS):

  Base score is 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C), based on the following metrics:
    • Access vector is network.
    • Level of authentication required is none.
    • Impact of this vulnerability on data confidentiality is complete.
    • Impact of this vulnerability on data integrity is complete.
    • Impact of this vulnerability on data availability is complete.
  Temporal score is 7.4 (E:U/RL:OF/RC:C), based on the following metrics:
    • The exploitability level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  While the IEC 61131 specification is not publicly available, the general structure of the file-service requests (opcodes 0x04, 0x06 and 0x03F1) sent to the Gateway Server over TCP/1211 and TCP/1210 is as follows:

  All multi-byte integers are in little-endian byte order.

  An opcode 0x06 request, GS_PUT_File, can be used to upload a file to the base directory on a CoDeSys server. The contents of the file are sent in the FileContent field of an opcode 0x06 request. If the request names a Filename that already exists on the server, the contents of the existing file are replaced by the new contents sent within the request.

  A stack buffer overflow vulnerability exists in the 3S CoDeSys Gateway Server. The vulnerability is due to insufficient validation of the length of the Filename string within opcode 0x04, 0x06 and 0x03F1 requests. The vulnerable code appends the user-controlled Filename to the base directory string “C:\WINDOWS\Gateway Files” and then copies the whole path string into one of three fixed-size stack buffers. Depending on the opcode of the request, the vulnerable code uses a stack buffer with the following size:

    • 0x1c0 (448) bytes for the opcode 0x03F1.
    • 0x128 (296) bytes for the opcode 0x06.
    • 0x210 (528) bytes for the opcode 0x04.

  The vulnerable function uses 36 (0x24) bytes of the allocated space for other purposes. Providing an overly long Filename overflows the stack buffer, overwriting other data on the stack, including the return address and the SEH record.

  A remote, unauthenticated attacker can exploit this vulnerability by sending a malicious opcode 0x04, 0x06 or 0x03F1 request to a vulnerable server. Successful exploitation would allow the attacker to execute arbitrary code in the security context of the affected service, which is SYSTEM. If the attack fails, the service may terminate abnormally, leading to a denial-of-service condition.
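The path construction described above, as an added example in C that is not the vendor's code and not part of this advisory: the unchecked copy into a fixed stack buffer next to a length-validated version built from the per-opcode buffer sizes and the 36 reserved bytes listed. It assumes the request decoder has already extracted the opcode and a NUL-terminated Filename, and that a backslash separates the base directory from the Filename; the wire format itself is not reproduced here.

```c
#include <stdio.h>
#include <string.h>

/* Figures taken from the advisory: the three file-service opcodes, the stack
   buffer size the handler uses for each, the 36 bytes it reserves for other
   purposes, and the base directory the Filename is appended to. The trailing
   backslash separator is an assumption; the advisory does not show it. */
#define OP_FILE_04      0x04u
#define OP_GS_PUT_FILE  0x06u
#define OP_FILE_03F1    0x03F1u
#define RESERVED_BYTES  36u
static const char BASE_DIR[] = "C:\\WINDOWS\\Gateway Files\\";

enum gw_check { GW_NOT_FILE_OP = -1, GW_OK = 0, GW_OVERFLOW = 1 };

/* Stack buffer size used for the given opcode; 0 for non-file-service opcodes. */
size_t buffer_size_for_opcode(unsigned opcode)
{
    switch (opcode) {
    case OP_FILE_03F1:   return 0x1c0;   /* 448 bytes */
    case OP_GS_PUT_FILE: return 0x128;   /* 296 bytes */
    case OP_FILE_04:     return 0x210;   /* 528 bytes */
    default:             return 0;
    }
}

/* Longest Filename (bytes, excluding NUL) the path buffer can hold once the
   reserved bytes, the base directory and the terminating NUL are subtracted. */
size_t max_safe_filename_len(unsigned opcode)
{
    size_t bufsz = buffer_size_for_opcode(opcode);
    size_t fixed = RESERVED_BYTES + (sizeof BASE_DIR - 1) + 1;
    return bufsz > fixed ? bufsz - fixed : 0;
}

/* Classify a decoded request by opcode and Filename length: the check an IDS
   or a patched handler applies before any copy happens. */
enum gw_check check_filename_len(unsigned opcode, size_t filename_len)
{
    if (buffer_size_for_opcode(opcode) == 0)
        return GW_NOT_FILE_OP;
    return filename_len > max_safe_filename_len(opcode) ? GW_OVERFLOW : GW_OK;
}

/* Vulnerable pattern as the advisory describes it (illustrative reconstruction,
   not vendor code): base directory plus Filename copied into a fixed stack
   buffer with no length check. Shown for contrast only. */
void build_gateway_path_unchecked(const char *filename)
{
    char path[0x128 - RESERVED_BYTES];   /* what an opcode 0x06 frame leaves */
    strcpy(path, BASE_DIR);
    strcat(path, filename);              /* a long Filename runs past the buffer */
    (void)path;
}

/* Hardened form: reject before copying, then copy with an explicit bound. */
enum gw_check build_gateway_path_checked(unsigned opcode, const char *filename,
                                         char *out, size_t outlen)
{
    enum gw_check rc = check_filename_len(opcode, strlen(filename));
    if (rc != GW_OK)
        return rc;
    int n = snprintf(out, outlen, "%s%s", BASE_DIR, filename);
    if (n < 0 || (size_t)n >= outlen)
        return GW_OVERFLOW;              /* caller buffer too small: refuse, never truncate */
    return GW_OK;
}

int main(void)
{
    char out[0x210], longname[300];
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';   /* constructed 299-byte Filename */
    /* The same 299-byte name overflows the 0x06 frame but fits the 0x04 frame. */
    printf("0x06 \"plc.prg\": %d\n",
           build_gateway_path_checked(OP_GS_PUT_FILE, "plc.prg", out, sizeof out));
    printf("0x06 299 x 'A': %d\n",
           build_gateway_path_checked(OP_GS_PUT_FILE, longname, out, sizeof out));
    printf("0x04 299 x 'A': %d\n",
           build_gateway_path_checked(OP_FILE_04, longname, out, sizeof out));
    return 0;
}
```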

Triggering the Problem:

  • The target host must have the vulnerable version of the software installed and running.
  • The attacker must have network connectivity to the target server.

Triggering Conditions:

  An attacker connects to the server and sends a crafted request containing a malicious Filename to the target host. The vulnerability is triggered when the affected product parses the malicious request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • 3S Smart Software Solutions CoDeSys Gateway Server Protocol, over port 1210/TCP
    • 3S Smart Software Solutions CoDeSys Gateway Server Protocol, over port 1211/TCP

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 4888 CODESYS Gateway Server Buffer Overflow 1

Remediation Details:

  Listed below are a number of actions that may be taken in order to minimize or eliminate the risks:
    • Upgrade to a non-vulnerable version of the product.
    • Restrict network access to the vulnerable ports to trusted hosts only.
    • Filter attack traffic using the IPS signature above.
  The vendor has released a security patch that mitigates this vulnerability (requires customer login):
  Vendor Advisory

Cybersecurity News & Trends – 07-30-21

This week, the Mid-Year Update to the 2021 SonicWall Cyber Threat Report shook up a lot of people with the headline “304.7 million ransomware attacks eclipse 2020.” That’s a 151% increase, year-over-year. In other news, “Wipers” in the Middle East, Emma Willard, UC San Diego, rebranded hacker groups, fake Microsoft 11 installers, the sinister case of Plugwalkjoe, and flirty aerobics instructors.


SonicWall in the News

Record 304.7 Million Ransomware Attacks Eclipse 2020 Global Total in Just 6 Months SonicWall Press

  • Straight off the Mid-Year Update to the 2021 SonicWall Cyber Threat Report: high-profile attacks against established technology and infrastructure are now more prevalent than ever. Through the first half of 2021, SonicWall recorded global ransomware volume of 304.7 million, surpassing 2020’s full-year total (304.6 million) — a 151% year-to-date increase. If that doesn’t rock your boat, keep in mind that just about every business sector is targeted.

Over 300 million ransomware attacks recorded in first half of 2021, claims study Tech Digest

  • The cyberthreat quote of the week came from SonicWall President and CEO Bill Conner: “In a year driven by anxiety and uncertainty, cybercriminals have continued to accelerate attacks against innocent people and vulnerable institutions. This latest data shows that sophisticated threat actors are tirelessly adapting their tactics and embracing ransomware to reap financial gain and sow discord…”

Fresh data shows a 600% rise in education-related cybercrime FENews

  • This publication focused on data from SonicWall Capture Labs that shows a 615% rise in ransomware – just on education alone! Threat researchers also recorded alarming ransomware spikes across other key verticals, including government (917%), healthcare (594%) and retail (264%).

Record 304.7 Million Ransomware Attacks Eclipse 2020 Global Total in Just 6 Months IT Supply Chain

  • Data from the Mid-Year Update to the 2021 SonicWall Cyber Threat Report revealed that 2021 ransomware numbers “eclipse” all of 2020 global attacks.

SonicWall: Record 304.7 Million Ransomware Attacks Eclipse 2020 Global Total in Just 6 Months VM Blog

  • Writers here focused on the fact that data from the Mid-Year Update to the 2021 SonicWall Cyber Threat Report shows the sharp rise in the number of ransomware attacks was achieved in just 6 months.

SonicWall makes the move to Globalization Partners to help grow global team WhaTech

  • Noting SonicWall’s 30-year history, writers here point out a Globalization Partners solution to hire talent around the world.

Teleworking: how much risk is there for your Company security Dealer World

  • SonicWall’s Sergio Martínez participated in a special issue about teleworking and cybersecurity.

Industry News

Researchers Link Mysterious ‘MeteorExpress’ Wiper to Iranian Train Cyberattack Security Week

  • Security researchers at SentinelOne stumbled upon a hitherto unknown data-wiping malware that was part of a disruptive cyberattack against Iran’s train system earlier this month. “Wipers,” as they are euphemistically called, are the most destructive of all malware types. The genre logs most of its attacks in the Middle East, with the 2012 Shamoon attacks against Saudi Aramco being the most prominent example.

New York’s Emma Willard School suffers ransomware attack Edscoop

  • Following a 615% rise in ransomware targeting education this year, leaders at the prestigious Emma Willard School in Troy, NY are reeling from a recent cyberattack. They’re still identifying the extent of the attack but said that some employee Social Security numbers and financial information were stolen, according to a letter obtained by the Times-Union.

As Cyberattacks Surge, Security Start-Ups Reap the Rewards The New York Times

  • Responding to the severe uptick in cyberattacks, investors have poured $12.2 billion into cybersecurity companies so far this year, nearly $2 billion more than the total for all of 2020.

UC San Diego Health discloses data breach after phishing attack Bleeping Computer

  • UC San Diego Health, one of the nation’s highest-ranked hospitals and a leading academic medical school, disclosed that it discovered a data breach that compromised some employees’ email accounts and may have revealed personal information of patients, employees, and students. The breach occurred between December 2, 2020, and April 8, 2021, and was the result of a phishing attack.

Scammers are using fake Microsoft 11 installers to spread malware – Cyberscoop

  • Security firm Kaspersky issued warnings that hackers are circulating fake installers to people who are eager to get their hands on the Microsoft operating system update due this fall.

Cyber insurance rates fail to match catastrophe risk – Reuters

  • Rising prices of insurance against cyberattacks fail to take account of the potential catastrophic effects of a widespread attack, Chubb Ltd. CEO Evan Greenberg said on Wednesday. Chubb is a major underwriter for various insurance for business.

Justice Department officials urge Congress to pass ransomware notification law – The Hill

  • U.S. Justice Department officials came out in strong support of legislation requiring companies to report ransomware attacks and other severe data breaches to federal authorities. But DOJ also says that Congress should hold the brakes on banning ransomware payments.

PlugwalkJoe Does the Perp Walk – Krebs on Security

  • Brian Krebs takes a closer look at the “sinister criminal charges” in the indictment of Joseph O’Connor (aka “PlugwalkJoe”) that revealed a subculture where young men turned to sextortion, SIM swapping, and death threats to seize control of social media accounts.

Haron and BlackMatter are the latest groups to crash the ransomware party – Ars Technica

  • New groups – or rebranded old ones – are rising just as the number of high-severity ransomware attacks ratchets up.

FBI reveals top targeted vulnerabilities of the last two years – Bleeping Computer

  • Recommended read: A joint security advisory by cybersecurity agencies from the US, the UK, and Australia reveals the top 30 most targeted security vulnerabilities of the last two years.

Top FBI official advises Congress against banning ransomware payments – The Hill

  • Bryan Vorndran, the assistant director of the FBI’s Cyber Division advised members of the Senate Judiciary Committee against banning payments for ransomware attacks.

Praying Mantis Threat Group Targeting US Firms in Sophisticated Attacks – Dark Reading

  • Group’s advanced memory-resident attacks similar to those employed in sustained campaign against Australian companies and government last year, security vendor says.

In Case You Missed It

Latest Cyber Threat Intelligence Shows Ransomware Skyrocketing

2021 has already been a record-setting year for cybercrime — and it’s only halfway over. While high-profile attacks such as Colonial Pipeline and Kaseya continue making headlines, businesses of all sizes, across all industries, are noting an increase in cybercrime.

Part of this increase can be attributed to new ransomware techniques, soaring cryptocurrency prices and the continued rise in IoT devices. But a big factor continues to be today’s shifting and distributed IT landscape, which has proven a uniquely enticing environment for launching a variety of attacks.

“In a year driven by anxiety and uncertainty, cybercriminals have continued to accelerate attacks against innocent people and vulnerable institutions,” SonicWall President and CEO Bill Conner said in the official announcement. “The latest data shows that sophisticated threat actors are tirelessly adapting their tactics and embracing ransomware to reap financial gain and sow discord.”

This data, collected by SonicWall Capture Labs threat researchers over the first six months of 2021, is now available in the Mid-Year Update to the 2021 SonicWall Cyber Threat Report —  which arms organizations with actionable threat intelligence to safeguard workforces in today’s business reality. Here are some of the highlights:

Ransomware Continues its Record-Shattering Run

Ransomware was already high going into 2021, but it’s up significantly since then, with attacks increasing a staggering 151% over the first half of last year. April, May and June each saw levels high enough to hit all-time records, and attacks are showing no sign of slowing down. By June 30, SonicWall had recorded 304.7 million ransomware attacks globally — more than the 304.6 million we saw over the entire year of 2020.

RTDMI™ Reaches New Heights

The bad news: Cyberattacks are getting more effective. The good news: Defense methods are getting better too, and in the case of SonicWall’s patented Real-Time Deep Memory Inspection™ (RTDMI), they’re improving dramatically. Included with the Capture Advanced Threat Protection sandbox service, this technology discovered 185,945 never-before-seen malware variants in the first half of 2021, a 54% year-to-date increase. By leveraging machine learning, RTDMI has become highly effective at identifying new and advanced threats, contributing to a perfect score in the last two cycles of ICSA Advanced Threat Defense (ATD) testing.

IoT Attacks Jump 59%

With the number of IoT devices projected to rise from 13.8 billion today to 30.9 billion in 2025 — and with security standards remaining shockingly lax — cybercriminals are increasingly focusing on IoT attacks. In the first half of 2021, SonicWall threat researchers recorded 32.2 million IoT malware attempts, a jump of 59% year to date.

Cryptojacking Continues to Climb

Cryptojacking continues to defy reports of its demise: In the first six months of 2021, SonicWall saw 51.1 million cryptojacking attempts, a 23% year-to-date increase. This increase was particularly pronounced in Europe, where 248% more cryptojacking attempts were recorded in the first half of 2021 than the first six months of 2020.

Malware Falls by Nearly a Quarter

So far in 2021, malware has fallen 22% year to date, as the decline of “spray-and-pray” malware continues to impact overall volume. With the speed and magnitude of changes impacting the threat landscape — from the preferred methods of attack to who’s being targeted — it’s never been more important to stay updated on the risks of today … or prepare for the risks of tomorrow.

“With remote working still widespread, businesses continue to be highly exposed to risk, and criminals are acutely aware of uncertainty across the cyber landscape,” Conner said. “It’s crucial that organizations move toward a modern Boundless Cybersecurity approach to protect against both known and unknown threats, particularly when everyone is more remote, more mobile and less secure than ever.”


Cybersecurity News & Trends – 07-23-21

This week, the SonicWall Threat Report, Microsoft vs Chinese hackers, Israeli hack tools, a $10 million reward, and more zero-days than we really want to hear about. Also, railroad hacks in Iran and UK, indictments for Chinese hacking group, Apple’s “five-alarm fire,” and Microsoft’s battle against “homoglyphs.”


SonicWall in the News

IBM Adds Enhanced Data Protection to FlashSystem to Help Thwart Cyberattacks — AI-Thority

  • IBM cites data from SonicWall’s annual threat report in an announcement about enhancements to their FlashSystem data protection. One bit of data that got everyone’s attention: ransomware attacks rose to 304.6 million in 2020, up 62% over 2019, mainly due to the highly distributed workforces caused by the pandemic.

The rise of ransomware: the multibillion-pound hacking industry where no one is safe – The Metro

  • If cybercrime was a country, it would be the world’s third largest in terms of GDP, according to Cybersecurity Ventures. This year, the total cost to the global economy is predicted to top $6 trillion (£4 trillion). SonicWall’s 2021 Threat Report was also included: 304.5 million ransomware attacks in total in 2020 – up 62% over 2019 – and the deluge of attacks shows no signs of slowing down.

The three best ways to neutralize Ransomware attacks – TEK Deeps

  • The question of your company or organization facing a ransomware attack is not an “if” but rather “when.” Most likely, you may have already faced several. SonicWall’s annual threat report was part of this story too, citing through May of 2021, a reported 226.3 ransomware attacks, up 116% year to date over 2020.

Industry News

Tulsa warns of data breach after Conti ransomware leaks police citations — Bleeping Computer

  • The city of Tulsa, Okla., is warning residents that their personal data may have been exposed after a ransomware gang published police citations online.

Saudi Aramco data breach sees 1 TB stolen data for sale — Bleeping Computer

  • Attackers stole 1 TB of proprietary data belonging to Saudi Aramco and are selling it on the darknet. The Saudi Arabian Oil Company, better known as Saudi Aramco, is one of the world’s largest public petroleum and natural gas companies. The sales price of the data, albeit negotiable, is set at $5 million.

Details Emerge on Iranian Railroad Cyberattack — Security Week

  • More details about the cyberattack on Iran’s railroad system emerged over the weekend. On July 9, Iran International reported that a system-wide disruption of Iran’s railroads was probably due to a cyberattack, citing the Revolutionary Guard-backed FARS news agency. Now it appears that the attackers had penetrated the system at least a month earlier.

Northern’s ticket machines hit by ransomware cyberattack BBC

The US Formally Accuses China of Hacking Microsoft – The New York Times

  • To bolster the accusations, the Biden administration may organize a broad group of allies to condemn Beijing for global cyberattacks. However, most analysts believe that such an effort will probably stop short of taking concrete punitive steps against China.

The US indicts members of the Chinese-backed hacking group APT40 – Bleeping Computer

  • The US Department of Justice (DOJ) indicted four members of the Chinese state-sponsored hacking group known as APT40 for hacking various companies, universities, and government entities in the US and worldwide between 2011 and 2018.

$10 million rewards bolster White House anti-ransomware bid – Associated Press

  • The State Department will offer rewards up to $10 million for information leading to identifying anyone engaged in a foreign state-sanctioned malicious cyber activity, including ransomware attacks, against critical US infrastructure. In addition, a task force set up by the White House will coordinate efforts to stem the rise of ransomware.

Israeli Spyware Vendor’s Windows Zero-days Caught in the Wild Vice News

  • Cyber-sleuths from digital rights watchdog Citizen Lab recently released a study that reveals government hackers from several countries are using spyware made by Candiru, an Israel-based spyware vendor, to target victims all over the world. The spyware leverages two unknown Windows vulnerabilities for zero-day exploitation. As far as we know, this is the first time anyone has published an analysis of Candiru’s malware together with its targeted individuals.

Google: Annoying LinkedIn Networkers are Russian Hackers Spreading Zero-day – Vice News

  • As if we can’t get enough of zero-days, Google’s Threat Analysis Group published a new report that offers details about several hacking campaigns that leverage a series of zero-day exploits. A quick read shows that there are several reasons for the uptick in zero-day incidents. For one, the industry is getting better at detecting and disclosing attacks. For another, cyber-criminals are taking full advantage of vulnerabilities while they still can.

Fighting an emerging cybercrime trend Microsoft

  • Microsoft’s Digital Crimes Unit (DCU) recently secured another court order to take down malicious infrastructure used by cybercriminals. They filed the case to target the use of “homoglyph” (imposter) domains, used in an increasing number of attacks. A judge in the Eastern District of Virginia issued a court order requiring domain registrars to disable service on malicious domains used to impersonate Microsoft customers and commit fraud.

Law Firm for Ford, Pfizer, Exxon Discloses Ransomware Attack – Dark Reading

  • Campbell Conroy & O’Neil, a major law firm based in Boston, MA, reported an attack that compromised personal data, including Social Security numbers, passport numbers, and payment card data for some individuals. The firm discovered unusual activity on its network earlier this year. An investigation revealed its network was hit with ransomware and prompted Campbell to hire third-party forensics investigators to determine the information affected.

Apple’s iPhone has a “five-alarm fire” security problem with iMessage Business Insider

  • Apple’s iPhone isn’t as secure as Apple says it is, according to this report from Amnesty International. The quote that caught our eye: “Apple has a MAJOR blinking red five-alarm-fire problem with iMessage security,” said Bill Marczak, a senior research fellow at Citizen Lab. The threat is related to a tool called Pegasus, created by NSO Group.

Microsoft to acquire cybersecurity firm RiskIQ as cyberthreats mount CNN

  • Microsoft on Monday announced that it is buying cybersecurity firm RiskIQ to help companies better protect themselves from the unique risks created by remote work and relying on cloud computing amid “the increasing sophistication and frequency of cyberattacks.” RiskIQ’s software allows organizations to monitor their entire networks — including operations running on various cloud providers.

IT provider for real estate, finance, insurance downed by ransomware – The Register

  • Cloudstar, a Florida-based IT provider, announced that it suffered a “highly sophisticated ransomware attack” that forced it to take down the vast majority of its services. A critical flaw in a Cloudflare service said to be used by 12.7 percent of all websites could have been hijacked by a malicious user-controlled package to compromise a good number of web pages. The company said it was negotiating with the crooks that infected its computers.

In Case You Missed It