Posts

2019 SonicWall Cyber Threat Report: Unmasking Threats That Target Enterprises, Governments & SMBs

The launch of the annual SonicWall Cyber Threat Report always reminds us why we’re in this business.

Our engineers and threat researchers dedicate months to the project in order to shed light on how people, businesses and organizations online are affected by cybercrime.

What they found is telling. Across the board, cyberattacks are up. Criminals aren’t relenting. Hackers and nefarious groups are pushing attacks to greater levels of volume and sophistication. And the 2019 SonicWall Cyber Threat Report outlines how they’re doing it and at what scale.

To understand the fast-changing cyber arms race, download the complimentary 2019 SonicWall Cyber Threat Report. The unification, analysis and visualization of cyber threats will empower you and your organization to fight back with more authority, determination and veracity than ever before. So, let’s take a look at what’s included.

Malware Volume Still Climbing

In 2016, the industry witnessed a decline in malware volume. Since then, malware attacks have increased 33.4 percent. Globally, SonicWall recorded 10.52 billion malware attacks in 2018 — the most ever logged by the company.

UK, India Harden Against Ransomware

SonicWall Capture Lab threat researchers found that ransomware was up in just about every geographic region but two: the U.K. and India. The report outlines where ransomware volume shifted, and which regions were impacted most by the change.

Dangerous Memory Threats, Side-Channel Attacks Identified Early

The report explores how SonicWall Real-Time Deep Memory InspectionTM (RTDMI) mitigates dangerous side-channel attacks utilizing patent-pending technology. Side-channels are the fundamental vehicle used to exploit and exfiltrate data from processor vulnerabilities, such as Foreshadow, PortSmash, Meltdown, Spectre and Spoiler.

Malicious PDFs & Office Files Beating Legacy Security Controls

Cybercriminals are weaponizing PDFs and Office documents to help malware circumvent traditional firewalls and even some modern day network defenses. SonicWall reports how this change is affecting traditional malware delivery.

Attacks Against Non-Standard Ports

Ports 80 and 443 are standard ports for web traffic, so they are where many firewalls focus their protection. In response, cybercriminals are targeting a range of non-standard ports to ensure their payloads can be deployed undetected in a target environment. The problem? Organizations aren’t safeguarding this vector, leaving attacks unchecked.

IoT Attacks Escalating

There’s a deluge of Internet of Things (IOT) devices rushed to market without proper security controls. In fact, SonicWall found a 217.5 percent year-over-year increase in the number of IoT attacks.

Encrypted Attacks Growing Steady

The growth in encrypted traffic is coinciding with more attacks being cloaked by TLS/SSL encryption. More than 2.8 million attacks were encrypted in 2018, a 27 percent increase over 2017.

The Rise & Fall of Cryptojacking

In 2018, cryptojacking diminished nearly as fast is it appeared. SonicWall recorded tens of millions of cryptojacking attacks globally between April and December. The volume peaked in September, but has been on a steady decline since. Was cryptojacking a fad or is more on the way?

Global Phishing Volume Down, Attacks More Targeted

As businesses get better at blocking email attacks and ensuring employees can spot and delete suspicious emails, attackers are shifting tactics. They’re reducing overall attack volume and launching more targeted phishing campaigns. In 2018, SonicWall recorded 26 million phishing attacks worldwide, a 4.1 percent drop from 2017.

Advanced Endpoint Detection & Response (EDR) Comes to Capture Client 2.0

Endpoint protection has evolved well past simple antivirus (AV) monitoring. Today’s endpoints require consistent and proactive investigation and mitigation of suspicious files or behavior.

With the release of SonicWall Capture Client 2.0, organizations gain active control of endpoint health with advanced Endpoint Detection and Response (EDR) capabilities.

With EDR capabilities in place, SonicWall Capture Client empowers administrators to track threat origins and intended destinations, kill or quarantine as necessary, and “roll back” endpoints to a last-known good state in cases of infection or compromise.

Capture Client now also enables organizations to mitigate malware and clean endpoints without manually pulling them offline to conduct forensic analysis and/or reimage the device — as is typically required with legacy AV solutions.

Protect Endpoints from Employee Mishaps with Web Threat Protection

For years, SonicWall’s Content Filtering options have been used by schools, small and medium businesses, and enterprises to either block people from malicious web content (e.g., phishing sites) or productivity-killing sites (e.g., social media), as well as manage the bandwidth an application receives.

A portion of this technology, called Web Threat Protection, is now in Capture Client 2.0. This feature utilizes the Content Filtering Service to block access to millions of known malicious URLs, domains and IP addresses. This helps prevent phishing email attacks, malicious downloads (e.g., ransomware) or other online threats.

Web Threat Protection gives admins another layer of security and helps avoid the cleanup of infections and/or the need to “roll back” the PC to a last known healthy state.

Shrink Attack Surface Area with Endpoint Device Control

Did you know in a recent Google social experiment that 45 percent of “lost” USB keys were plugged into devices by the people who found them?

Dropping infected USB drives in a work area (e.g., coffee shop, company parking lot, lobby) has always been respected as a very effective attack on companies. In fact, many retail outlets have point-of-sale (POS) systems with exposed USB ports that make it easier to infect networks from many locations.

To better prevent infected devices like USBs from connecting to endpoints, Capture Client Device Control can lock out unknown or suspicious devices. Admins have the ability to block endpoint access to unknown devices until they are approved, or whitelist clean devices, like printers and removable storage, to narrow the threat plane.

Endpoint Protection Licensing Better for Partners, Customers

SonicWall has done more than just improve the stability and functionality of the client. We’ve also spent the past year working with a global network of partners and customers to create better business practices behind the client.

Due to increased demand, we are proud to announce that our competitive conversion SKUs will live as an indefinite program that certified SonicWall Partners can use. This will enable customers to get three years of coverage for the price of two when switching from a competitive product.

SonicWall is also doing away with pack SKUs that people formerly ordered (and still supported) in favor of banded SKUs coming in March 2019. These ordering bands allow a partner to order the exact number of licenses required, at the appropriate discount, for their volume. These bands start at five seats and offer eight sets of volume discounts that go up to 10,000 or more seats.

Tech Brief: Roll Back the Impact of Ransomware

Capture Client Advanced enables quick, automated recovery without having to manually restore from backups or create new system images. Download the full tech brief to explore how Capture Client rollback helps optimize business continuity, reduce financial impact and shorten the mean time to repair.

Bill Conner: How the UK Is Taking Malware Seriously

Bill Conner sat down with Information Age editor Nick Ismail to discuss global malware attack statistics, cross-border cybersecurity collaboration, the increasing need to inspect PDFs and Microsoft Office documents, and how all impact the dynamic U.K. political landscape.

Though malware attack data shows an increase in global attacks, the U.K. has experienced a decrease in these attacks following the WannaCry ransomware strain in previous years.

Conner sees this as a positive change for the U.K. and stated via Information Age, “you guys were all over it” following the WannaCry attack and “most of the vendors in the U.K. and their customers put solutions in place to protect against multiple family variants of ransomware.”

While this is a positive change for the U.K., there is still work to be done globally and Conner says regardless of the often divided political climate, “there’s a good foundation for cyber collaboration across borders.”

“Right now, we need to focus on those PDFs and Office (files), the things you run in your business every day, because they can be exploited for IP and monetary gain. And you can’t even see it.”

Bill Conner
SonicWall President & CEO

In addition to urging governments to look toward political collaboration to tighten cybersecurity globally, Conner explained the majority of this change will come through the dedication of law enforcement.

“Law enforcement sharing is better than political sharing at the moment,” Conner told Information Age. “Public institutions, private organizations and different governments have got to collaborate. But, above all, we’ve got to have dedicated cyber law enforcement.”

While a global cybersecurity strategy may be down the road, Conner says there are places to focus on now to best secure governments, enterprises and SMBs.

What does Conner recommend an organization focus their cybersecurity strategy on?

“What I’m telling governments and enterprises is to forget side-channel exploits for the moment,” he said. “Right now, we need to focus on those PDFs and Office (files), the things you run in your business every day.”

One of the ways to mitigate these specific malware threats requires advanced technology, like SonicWall Capture Advanced Threat Protection (ATP) with SonicWall Real-Time Deep Memory Inspection (RTDMI™), to inspect and mitigate attacks in memory.

Read the rest of Conner’s recommendations and predictions in his interview with Information Age.

2018 Holiday Cyber Threat Data: Final Analysis Shows Big Ransomware Spikes in US, UK

It’s no secret that consumers flock to online retailers during the holiday shopping season between Thanksgiving and the New Year.

Last month, SonicWall provided deep cyber threat data for the nine-day window that included Black Friday and Cyber Monday in the U.S. Over this specific period, SonicWall Capture Labs threat researchers found that SonicWall customers faced 91 million malware attacks (34 percent decrease over 2017) and 889,933 ransomware attacks (432 percent increase over 2017).

But cyberattacks are hardly static. And they definitely don’t cease once Cyber Monday comes and goes. For this reason, SonicWall collected and analyzed threat data from the full December holiday shopping season to complement its Cyber Week threat analysis.

In the U.S., ransomware and phishing volume more than doubled compared to 2017, while malware was slightly down. In December alone, SonicWall Capture Labs threat researchers recorded:

  • 2.7 million ransomware attacks (up 177 percent)
  • 276.4 million malware attacks (down 27 percent from 2017)
  • 797,607 phishing attacks (up 116 percent)

In the U.K., ransomware spiked four-fold while malware and phishing attacks were relatively flat. For December, SonicWall Capture Labs logged:

  • 527,734 ransomware attacks (up 432 percent)
  • 52.1 million malware attacks (down 2 percent from 2017
  • 30,740 phishing attacks (no increase over 2017)

SonicWall will soon publish additional global December cyber threat data across all attack types, including encrypted threats, intrusion attempts and web application attacks.

Real-Time Threat Intelligence with SonicWall Capture Security Center

SonicWall cyber threat intelligence is available in the SonicWall Capture Security Center, which provides a graphical view of the worldwide attacks over the last 24 hours, countries being attacked and geographic attack origins.

The SonicWall Capture Security Center provides actionable cyber threat intelligence to help organizations identify the types of attacks they need to be concerned about so they can design and test their security posture ensure their networks, data, applications and customers are properly protected.

Exclusive Video: SonicWall CEO Bill Conner & CTO John Gmuender

SonicWall President and CEO Bill Conner and CTO John Gmuender walk you through the current cyber threat landscape, explore the importance of automated real-time breach detection and prevention, and address how to mitigate today’s most modern cyberattacks.

5 Tips to Keep You Cybersecure During Holiday Travel

The holiday season is one of the busiest times of the year for travel, which means it’s also one of the most vulnerable times of the year for travelers’ belongings, including sensitive personal data.

Those looking forward to spending time away from the office and relaxing with friends and family are likely making plans to secure their belongings at home, but what about securing devices and data?

Year-to-date attack data through November 2018 shows an increase in attacks across nearly all forms of cybercrime, including increases in intrusion attempts, encrypted threats, and malware attacks.

Below are some simple ways to consider protecting your cyber assets and have peace of mind during a well-earned holiday break.

  1. Lock Devices Down
    While traveling, lock all your mobile devices (smartphones, laptops, and tablets) via fingerprint ID, facial recognition, or a PIN number. This will be the first line of defense against a security breach in the event that any of your devices have been momentarily misplaced or forgotten.
  2. Minimize Location Sharing
    We get it! You want to share the fun memories from your trip with your friends and family on social media. However, excessive sharing, especially sharing of location data, creates a security threat at home.If you’re sharing a photo on a boat or at the Eiffel Tower, it’s easy for a criminal to determine you’re not at home or in your hotel room, which leaves your personal property left behind vulnerable to theft of breach. If you must share location data, wait until after you have returned home to geotag that selfie from your trip.
  3. Bring Your Own Cords and Power Adapters
    Cyber criminals have the ability to install malware in public places such as airport kiosks and USB charging stations. If you are unable to find a secure area to charge your devices or you are unsure of the safety of the charging area, power your device down prior to plugging it in.
  4. Disable Auto-Connect
    Most phones have a setting that allows a device to automatically connect to saved or open Wi-Fi networks. This feature is convenient when used at home, but can leave your device vulnerable to threat actors accessing these features for man-in-the-middle attacks.Disable the auto-connect features on your devices and wipe saved network SSIDs from the device prior to your trip to avoid exploitation.
  5. Be Cautious of Public Wi-Fi
    Free Wi-Fi access can often be found at coffee shops and in hotel lobbies as a convenience to travelers, but unencrypted Wi-Fi networks should be avoided. Before you connect to a new Wi-Fi source, ask for information regarding the location’s protocol and if you must use a public Wi-Fi connection, be extra cautious.Use a VPN to log in to your work networks and avoid accessing personal accounts or sensitive data while connected to a public Wi-Fi source.

Cybercrime is Trending up During the Holiday Season

For the 2018 holiday shopping season, SonicWall Capture Labs threat researchers collected data over the nine-day Thanksgiving holiday shopping window and observed a staggering increase in cyberattacks, including a 432 percent increase in ransomware and a 45 percent increase in phishing attacks.

LIVE WORLDWIDE ATTACK MAP

Visit the SonicWall Security Center to see live data including attack trends, types, and volume across the world. Knowing what attacks are most likely to target your organization can help improve your security posture and provide actionable cyber threat intelligence.

3 Ways to Prevent Cryptominers from Stealing Your Processing Power

Visiting a website is no longer what it used to be.

Despite this hilarious Imgur post, there is a different trend you may not have noticed: cryptomining via the browser. Many news and procrastination (e.g., BuzzFeed) websites add dozens of trackers to monetize the experience.

However, some sites may also use your browser to mine cryptocurrencies (e.g., bitcoin, Ethereum or Monero) for their own financial gain. The mining stops once you leave, but there is a popular new form of malware that attempts to turn your device into a full-time cryptocurrency mining bot called a cryptojacker. Cryptojacking’s threat to your endpoint or business is based on three things:

  • The energy it consumes or wastes
  • The damage it can do to a system
  • The loss to productivity due to limited resources.

Unlike ransomware that wants to be found (to ask for payment), a cryptojacker’s job is to run invisibly in the background although your CPU performance graph or device’s fan may indicate something is not normal.

Despite our vigilance and knowledge of the warning signs, a report from the Ponemon Institute stated the average length of time for an organization to discover malware or a data breach in 2017 was 191 days.

Ransomware authors have switched gears over the past two years to use cryptojacking more, because a ransomware strain’s effectiveness and ROI diminish as soon as it ends up on public feeds like VirusTotal. Like anyone else running a highly profitable business, cybercriminals need to constantly find new ways to fulfill their financial targets. Cryptojacking may solve that.

For example, the Apple App Store briefly carried a version of a free app called ‘Calendar 2’ that mined Monero cryptocurrency while open. It reportedly made $2,000 in two days before it was pulled from the App Store.

The Lure of Cryptomining

Cryptomining operations have become increasingly popular, now consuming almost half a percent of the world’s electricity consumption. Despite the wild swings in price, roughly 60 percent of the cost of legitimately mining bitcoin is the energy consumption. In fact, at the time of writing, the price of a bitcoin is worth less than the cost of mining it legitimately.

With such costs and zero risk as compared to buying and maintaining equipment, cybercriminals have strong incentives to generate cryptocurrency with someone else’s resources. Infecting 10 machines with a cryptominer could net up to $100/day, so the challenge for cryptojackers is three-fold:

  1. Find targets, namely organizations with a lot of devices on the same network, especially schools or universities.
  2. Infect as many machines as possible.
  3. Unlike ransomware, and more akin to traditional malware, stay hidden for as long as possible.

Cryptojackers use similar techniques as malware to sneak on to an endpoint: drive-by downloads, phishing campaigns, in-browser vulnerabilities and browser plugins, to name a few. And, of course, they rely on the weakest link — the people — via social engineering techniques.

How to Know if You are Infected by Cryptominers

Cryptominers are interested in your processing power, and cryptojackers have to trade off stealth against profit. How much of your CPU resources they take depends on their objectives.

Siphoning less power makes it harder for unsuspecting users to notice. Stealing more increases their profits. In either case, there will be a performance impact, but if the threshold is low enough it could be a challenge to distinguish the miner from legitimate software.

Enterprise administrators may look for unknown processes in their environment, and end users on Windows should spawn a Sysinternals Process Explorer to see what they are running. Linux and macOS users should investigate using System Monitor and Activity Monitor, respectively, for the same reason.

How to Defend Against Cryptominers

The first step in defending against cryptominers is to stop this type of malware at the gateway, either through firewalls or email security (perimeter security), which is one of the best ways to scrub out known file-based threats. Since people like to reuse old code, catching cryptojackers like CoinHive can be a simple first step.

If the malware strain is unknown (new or updated), then it will bypass static filters in perimeter security. If a file is unknown, it will be routed to a sandbox to inspect the nature of the file.

In the case of SonicWall Capture ATP, the multi-engine sandbox environment is designed to identify and stop evasive malware that may evade one engine but not the others.

If you have an endpoint not behind this typical set up (e.g., it’s roaming at the airport or hotel), you need to deploy an endpoint security product that includes behavioral detection.

Cryptominers can operate in the browser or be delivered through a fileless attack, so the legacy solutions you get free with a computer are blind to it.

A behavioral-based antivirus like SonicWall Capture Client would detect that the system wants to mine coins and then shut down the operation. An administrator can easily quarantine and delete the malware or, in the case of something that does damage to system files, roll the system back to the last known good state before the malware executed.

By combining a mixture of perimeter defenses and behavioral analysis, organizations can fight the newest forms of malware no matter what the trend or intent is.

To learn more about how you can defend your organization from these threats I recommend reading this white paper, “Best Practices for Protection Against Phishing, Ransomware and Email Fraud.”

September 2018 Cyber Threat Data: Ransomware Threats Double Monthly, Encrypted Threats Still Growing

We’re into October and based on this year’s reports so far, the threat landscape is continuing to evolve and change as the global cyber arms race grows.

Phishing attacks continue to trend downwards, with September data showing the volume of attacks down 92 percent compared to the same time last year. The reasons for this decline are not 100 percent clear, but may be partly attributed to increased awareness as people are becoming more adept at identifying phony websites and sharing information about common scams.

While phishing is still a threat, particularly as the holiday season approaches, it appears that cyber criminals are continuing to favor attacks involving malware, ransomware, TLS/SSL encrypted attacks and intrusion attempts. SonicWall Capture Advanced Threat Protection sandbox, with Real-Time Deep Memory Inspection (RTDMITM), has discovered 27,680 new attack variants this year, further evidence that cyber criminals are pursuing more sophisticated and coordinated methods of attack.

Globally, the SonicWall Capture Threat Network, which includes more than 1 million sensors across the world, recorded the following 2018 year-to-date attack data through September 2018:

  • 8.5 billion malware attacks (54 percent increase from 2017)
  • 2.9 trillion intrusion attempts (49 percent increase)
  • 262.4 million ransomware attacks (108 percent increase)
  • 1.9 million encrypted threats (56 percent increase)

In September 2018 alone, the average SonicWall customer faced:

  • 1,662 malware attacks (24 percent decrease from July 2017)
  • 791,015 intrusion attempts (19 percent increase)
  • 56 ransomware attacks (99 percent increase)
  • 70.9 encrypted threats (61 percent decrease)
  • 10 phishing attacks each day (92 percent decrease)

 SonicWall Capture Security Center

SonicWall cyber threat intelligence is available in the SonicWall Security Center, which provides a graphical view of the worldwide attacks over the last 24 hours, countries being attacked and geographic attack origins. This view illustrates the pace and speed of the cyber arms race.

The resource provides actionable cyber threat intelligence to help organizations identify the types of attacks they need to be concerned about so they can design and test their security posture ensure their networks, data, applications and customers are properly protected.

Get the Mid-Year Update

Dive into the latest cybersecurity trends and threat intelligence from SonicWall Capture Labs. The mid-year update to the 2018 SonicWall Cyber Threat Report explores how quickly the cyber threat landscape has evolved in just a few months.