Posts

Cybersecurity News & Trends

This week, the U.S. government brought up cybersecurity legislation, while the U.S. judicial system handed down cybercriminal incarceration.


SonicWall Spotlight

Hackers used ransomware to take over parts of UC San Francisco’s network and extorted $1.14million in exchange for returning access to their files — Daily Mail

  • UC San Francisco hasn’t said what files were affected nor how the ransomware entered the system, but the FBI has opened an investigation into the incident.

Sonicwall Lands In Ireland, Expands Channel Partner Strategy — SonicWall Press Release

  • SonicWall today announced that it has appointed Tristan Bateup as country manager for Ireland.

UCSF pays $1 million ransom to recover medical school data from hackers — The Mercury News

  • The UCSF School of Medicine was the third targeted by cyberattacks in the past two months, but a spokesperson said the attack did not affect patient care or ongoing COVID-19 research.

Cybersecurity News

Russian Criminal Group Finds New Target: Americans Working at Home — The New York Times

  • A hacking group calling itself Evil Corp., indicted in December, has shown up in corporate networks with sophisticated ransomware. American officials worry election infrastructure could be next.

How COVID-19 changed Cyber Command’s ‘Cyber Flag’ exercise — Cyberscoop

  • This year, U.S. Cyber Command convened with allied countries for what appeared to be a straightforward simulation of an attack against a European airbase — but then a global pandemic changed all the rules.

Russian cybercriminal gets 9 years for online fraud website — The Washington Times

  • A Russian computer hacker who facilitated $20 million in credit card fraud and ran a sophisticated clearinghouse for international cybercriminals was sentenced Friday to nine years in prison.

Lawmakers introduce legislation to establish national cybersecurity director — The Hill

  • A bipartisan group of lawmakers has introduced legislation in the House that would establish a national cybersecurity director to lead government efforts on cybersecurity.

DDoS botnet coder gets 13 months in prison — ZDNet

  • Kenneth Schuchman, known as Nexus Zeta, created multiple DDoS botnets, including Satori, Okiru, Masuta, and Fbot/Tsunami.

An embattled group of leakers picks up the WikiLeaks mantle — Ars Technica

  • DDoSecrets was banned from Twitter after releasing what they claim is the largest-ever cache of hacked U.S. police data, a leak some say positions the group as the heir apparent of WikiLeaks’ early, idealistic mission.

Senators move to boost state and local cybersecurity as part of annual defense bill — The Hill

  • A group of Senate Democrats on Monday introduced as part of the annual National Defense Authorization Act (NDAA) a measure that would strengthen cybersecurity protections for states vulnerable to malicious cyberattacks.

U.S. FCC issues final orders declaring Huawei, ZTE national security threats — Reuters

  • The FCC has formally designated China’s Huawei Technologies Co and ZTE Corp as posing threats to national security, barring U.S. firms from tapping an $8.3 billion government fund to purchase equipment from the companies.

Schools Already Struggled With Cybersecurity. Then Came Covid-19 — Wired

  • A lack of dedicated funding and resources made it hard to keep data secure — and that was before classes moved almost entirely online.

Things that happen every four years: Olympic Games, presidential elections, and now new Mac ransomware — The Register

  • Known as EvilQuest, the brand-new strain of Mac ransomware was spotted spreading via Russian piracy and torrent sites.

DDoS Attacks Jump 542% from Q4 2019 to Q1 2020 — Dark Reading

  • The shift to remote work and heavy reliance on online services has driven an increase in attacks intended to overwhelm ISPs.

Tax software used by Chinese bank clients installs GoldenSpy backdoor — SC Magazine

  • A tax software program installed by business clients of an unidentified Chinese bank was trojanized with malware that installs a backdoor granting attackers system-level privileges, researchers warn.

In Case You Missed It

Cybersecurity News & Trends

This week, SonicWall launched its new SD-Branch capabilities and multi-gigabit SonicWall Switches, bringing cost-effective simplicity and centralized management to the hyperdistributed era.


SonicWall Spotlight

Sonicwall Advances Network Edge Security, Adds Multi-Gigabit Switch Series, Easy-To-Manage SD-Branch Capabilities — SonicWall Press Release

  • To simplify security deployment, management and visibility for organizations with growing branch footprints, SonicWall is introducing new secure SD-Branch capabilities and a complete line of new multi-gigabit switches to cost-effectively scale and manage remote or branch locations.

SonicWall Adds Multi-Gigabit Switches to SD-Branch Portfolio — DevOps.com

  • Dmitriy Ayrapetov, vice president of platform architecture for SonicWall, talks about the new SonicWall Switches and SD-Branch capabilities, and how they centralize management of remote offices.

Seven Factors To Consider When Evaluating Endpoint Protection Solutions — MSSP Alert

  • Attackers are getting craftier when infiltrating secure environments. SonicWall’s Vishnu Chandra Pandey offers several ways to know whether your endpoint protection solution will be able to keep up.

Boundless Cybersecurity for the New Work Reality — SC Magazine

  • With the widespread adoption of remote work, we’ve moved into a hyperdistributed IT landscape. SonicWall’s Terry Greer-King explains how Boundless Cybersecurity can help businesses survive this new business normal.

Cybersecurity News

Ransomware: Hackers took just three days to find this fake industrial network and fill it with malware — ZDNet

  • Researchers set up a tempting honeypot to monitor how cybercriminals would exploit it. Then it came under attack.

Fake Black Lives Matter voting campaign spreads Trickbot malware — Bleeping Computer

  • A phishing email campaign asking you to vote anonymously about Black Lives Matter is spreading the TrickBot information-stealing malware.

Rate of Ransomware Attacks in Healthcare Slows in H1 2020 — Dark Reading

  • A lower number of ransomware attacks on healthcare entities suggests many threat groups are indeed avoiding targeting them during the current pandemic. But the lull may be short-lived.

Encryption Utility Firm Accused of Bundling Malware Functions in Product — Threat Post

  • A legally registered Italian company is selling what it claims is a legitimate encryption utility, but the service it provides has been a common denominator in thousands of attacks over the past year.

Vulnerability in Plug-and-Play Protocol Puts Billions of Devices at Risk — Dark Reading

  • “CallStranger” flaw in UPnP allows attackers to launch DDoS attacks and scan internal ports, security researcher says.

Environmentalists Targeted Exxon Mobil. Then Hackers Targeted Them. — The New York Times

  • Federal prosecutors are investigating a global hacker-for-hire operation that sent phishing emails to environmental groups, along with thousands of individuals and hundreds of institutions around the world.

Valak malware gets new plugin to steal Outlook login credentials — Bleeping Computer

  • A new module discovered by researchers suggests the authors of the Valak information stealer are increasingly focusing on stealing email credentials.

Amid Pandemic and Upheaval, New Cyberthreats to the Presidential Election — The New York Times

  • Fear of the coronavirus is speeding up efforts to allow voting from home, but some of them pose security risks and may make it easier for Vladimir Putin or others to hack the vote.

NATO Condemns Cyberattacks Against COVID-19 Responders — Security Week

  • Over the past couple of months, there has been a surge in attacks targeting those who work in response to the pandemic, prompting NATO to publicly condemn the malicious cyber-activities directed against COVID-19 responders.

In Case You Missed It

Cybersecurity News & Trends

This week, cybersecurity news was thrust into the fray, with clashes between scammers and vigilante hackers, between conspiracy theorists and cell-phone towers, and between REvil and a number of high-profile celebrities.


SonicWall Spotlight

DeskFlix: SonicWall channel director on COVID-19 cybersecurity challenges — CRN UK

  • Mike Awford discusses the ways SonicWall has supported partners through the migration to remote working.

EasyJet Hack: Passenger Data Could be Sold on Dark Web After Major Cyber Attack, Experts Warn — The Independent

  • Based on similar attacks in the past, SonicWall’s VP EMEA Terry Greer-King discusses what could happen to customers’ data once it hits the Dark Web.

SonicWall Capture Labs Threat Research Teams Uncovers New Variant of Raccoon Stealer — CXO Today

  • SonicWall has reported a new variant of Raccoon stealer malware, version 1.5, which has been used in a malicious COVID-19 campaign.

Cybersecurity News

ShinyHunters Is a Hacking Group on a Data Breach Spree — Wired

  • In May, ShinyHunters began selling 200 million stolen records from over a dozen companies … and they claim this is just Stage 1.

Beware of phishing emails urging for a LogMeIn security update — Help-Net Security

  • The email appears to be legitimate correspondence from LogMeIn, including company logo, spoofed sender identity and a link that appears legitimate.

Vigilante hackers target scammers with ransomware, DDoS attacks — Bleeping Computer

  • A hacker has been taking justice into their own hands by targeting “scam” companies with ransomware and denial of service attacks.

Tech Chiefs Press Cloud Suppliers for Consistency on Security Data — The Wall Street Journal

  • Each cloud company offers its own process on cybersecurity and governance, creating added work for customers.

Cell-tower attacks by idiots who claim 5G spreads COVID-19 reportedly hit US — Ars Technica

  • Wireless telecom providers are being warned to boost security as 5G conspiracy theorists ramp up attacks on cell towers and telecommunications workers.

Microsoft warns of ‘massive’ phishing attack pushing legit RAT — Bleeping Computer

  • Microsoft is warning of an ongoing COVID-19 themed phishing campaign that spreads via malicious Excel attachments.

Supercomputers hacked across Europe to mine cryptocurrency — ZDNet

  • Multiple supercomputers across Europe have been shut down to investigate cryptocurrency mining malware infections.

Microsoft opens up coronavirus threat data to the public — Cyberscoop

  • Microsoft has announced plans to make threat intelligence it collected on COVID-19-related hacking campaigns public.

NetWalker adjusts ransomware operation to only target enterprise — Bleeping Computer

  • NetWalker ransomware group is moving away from phishing for malware distribution and has adopted a network-intrusion model focusing on huge businesses only.

REvil Ransomware found buyer for Trump data, now targeting Madonna — Bleeping Computer

  • After breaching a prominent law firm, the REvil ransomware group is holding the personal information of high-profile celebrities for ransom.

In Case You Missed It

Cybersecurity News & Trends

This week, hackers continued to capitalize on the COVID-19 pandemic, targeting the healthcare industry, oil companies and remote workers.


SonicWall Spotlight

Czech Cyber Officials Warn Of Serious Threat To Health Care Sector – Cyberscoop

  • Cybersecurity authorities in the Czech Republic have warned of an “extensive campaign of cyberattacks” on IT systems and health care facilities. At least one of the malicious files in the Czech advisory is part of a batch of code used in a remote access hacking tool, which SonicWall reported last month.

SonicWall Boundless Cybersecurity Platform for Remote Working – CRN

  • SonicWall’s new Boundless Cybersecurity model is designed to protect and mobilize large enterprises, small- and medium-sized businesses, and government agencies from the risks of a remote workforce.

2,000 Coronavirus Scammers Taken Offline in NCSC Phishing Crackdown – Experts Reaction –  Information Security Buzz

  • The UK’s National Cyber Security Centre, along with the City of London Police and several other government agencies, has launched a ‘Suspicious email reporting service’ for members of the public to alert the authorities to potential cyber-attacks.

Cybersecurity News

Hacking against corporations surges as workers take computers home – Reuters

  • Hackers are targeting remote workers, particularly in highly impacted areas where users’ confusion and anxiety makes them more susceptible to phishing.

FBI enlists internet domain registries in fight against coronavirus scams – Cyberscoop

  • Ongoing cooperation between the government and technology companies has resulted in the removal of hundreds of fraudulent websites that included “coronavirus,” “covid19” and related phrases in their names.

Creative Skype phishing campaign uses Google’s .app gTLD – Bleeping Computer

  • Attackers have deployed a phishing campaign against remote workers using Skype, luring them with emails that mimic notifications from the service.

Hackers Target Top Officials at World Health Organization – Bloomberg

  • The WHO’s security team has been the target of an increasing number of attempted cyber-attacks since mid-March. According to officials, WHO itself has not been hacked, but employee passwords have leaked through other websites.

Hackers Target Oil Companies as Prices Plunge – Wired

  • Espionage hackers have commenced a sophisticated spear-phishing campaign concentrated on U.S.-based energy companies. The goal: install a notorious trojan to siphon their most sensitive communications and data.

Virtual army rising up to protect healthcare groups from hackers – The Hill

  • A new network of white hat hackers—made up of more than 1,400 volunteers in 76 countries, from sectors including information security, telecommunications and law enforcement—has banded together under the name COVID-19 CTI League to help protect the healthcare industry. 

Apple iPhone May Be Vulnerable to Email Hack – The Wall Street Journal

  • Sophisticated hackers may be attacking Apple iPhones by exploiting a previously unknown flaw in the smartphone’s email software.

Customer complaint phishing pushes network hacking malware – Bleeping Computer

  • A new phishing campaign is targeting remote employees, using fake customer complaints to install a backdoor that will compromise the corporate network.

Hackers Can Exfiltrate Data From Air-Gapped Computers Via Fan Vibrations – Security Week

  • With the use of new malware and a smartphone, researcher Mordechai Guri was able to exfiltrate data from air-gapped computers using vibrations from the machines’ internal fans.

 


In Case You Missed It

Cybersecurity News & Trends

This week, SonicWall brings Boundless Cybersecurity to the remote workforce; Emotet, Ryuk and Trickbot deliver a 1-2-3 punch; and hackers use Apple for phishing bait.


SonicWall Spotlight

SonicWall Introduces Boundless Cyber Security Platform – Information Age

  • Boundless Cybersecurity aims to address a growing cybersecurity business gap and the complexity of securing remote workers compared to those working at company headquarters.

SonicWall: More Than 21,500 SecureFirst Partners Worldwide – MSSP Alert

  • SonicWall adds 1,100 SecureFirst partner in February and unveils a Boundless Cybersecurity model to protect mobile and remote workers against cyberthreats.

How to protect yourself against online COVID-19 scammers – Security Watch Info

  • As the COVID-19 pandemic continues to dominate the news cycle, cybercriminals are capitalizing on fear, stress and people’s desire for answers to gain access to personal information.

Cybersecurity News

North Korea hacking threatens U.S., other countries, international financial system: U.S. State Department – Reuters

  • The FBI joined the U.S. Departments of State, Treasury and Homeland Security in issuing an advisory about North Korean cyberthreats, warning the financial sector is particularly at risk.

Czechs Warn Hackers Are Preparing Cyber Attacks on Hospitals – Bloomberg

  • According to the Czech National Cyber and Information Security Agency, a campaign of cyberattacks on the country’s hospitals is expected in the coming days, Bloomberg reports.

The Pentagon Hasn’t Fixed Basic Cybersecurity Blind Spots – Wired

  • Five years ago, the Department of Defense set dozens of security hygiene goals. A new report finds that it has abandoned or lost track of most of them.

FBI warns of ongoing COVID-19 scams targeting govt, health care – Bleeping Computer

  • The U.S. Federal Bureau of Investigation has warned government agencies and health care organizations of ongoing BEC schemes exploiting the COVID-19 pandemic, as well as an overall increase in cryptocurrency and health care fraud scam activity targeting consumers.

The secret behind “unkillable” Android backdoor called xHelper has been revealed – Ars Technica

Emotet, Ryuk, TrickBot: ‘Loader-Ransomware-Banker Trifecta’ – Bank Info Security

  • The “loader-ransomware-banker” trifecta—Emotet, Ryuk and Trickbot—is stronger than the sum of its parts, causing millions of dollars in damages over the past few years.

Someone is passing around Valorant beta keys that are actually malware – Cyberscoop

  • Gamers hoping to access a closed beta for the video game Valorant are receiving keylogger software instead, as hackers attempt to capitalize on the hype surrounding the upcoming Riot Games release.

Apple Is Top Pick for Brand Phishing Attempts – Dark Reading

  • Have you received a suspicious-looking email purporting to be from Apple? You aren’t alone—10% of all brand phishing attempts in the first quarter of 2020 used the Apple brand in an attempt to deceive recipients.

In Case You Missed It

Cybersecurity News & Trends

This week, while remote workers and hospitals alike struggled to adjust to the new realities brought by the COVID-19 pandemic, hackers looked to exploit the upheaval for ill-gotten profit.


SonicWall Spotlight

There’s now COVID-19 malware that will wipe your PC and rewrite your MBR – ZDNet

  • Amidst the COVID-19 pandemic, some malware authors are releasing coronavirus-themed malware that destroys infected systems by either wiping files or rewriting a computer’s master boot record (MBR). The first of the MBR-rewriters was discovered by security researcher MalwareHunterTeam, as detailed in a report from SonicWall this week.

Cyber Security Threats Loom Large as Employees Work Remotely – The Week

  • According to SonicWall’s Capture Labs Threat Research Team, the risks of engaging with any coronavirus app—some of which purport to track infections or point to a vaccine—is very high, as hackers target newly minted remote workers in general, and those concerned about the virus in particular.

SonicWall Research Team Flags off 5 Top Cyberattacks in Times of COVID-19 Pandemic – CXO Today

  • The rise in employees working from home due to the COVID-19 pandemic is requiring that businesses provide employees secure access to remote infrastructure, networks and devices—and help safeguard against opportunistic cybercriminals preying on this new pool of remote workers.

Cybersecurity News

Marriott International Confirms Data Breach of Guest Information – Intelligent CISO

  • Terry Greer-King, VP EMEA at SonicWall, commented on the breach: “The Information Commissioner’s Office’s £99 million fine for Marriott in 2019 for a breach of GDPR was supposed to create much-needed reform on how the company processes and secures data. It appears that certain lessons are yet to be learned.”

Cyber Version of ‘Justice League’ Launches to Fight COVID-19 Related Hacks – Dark Reading

  • A group of cybersecurity experts from around the world—including from companies like Microsoft and Okta—have teamed to help organizations fight COVID-19-related hacking and phishing attacks, Dark Reading reports.

Hackers ‘Without Conscience’ Demand Ransom from Health Providers – Bloomberg

  • Bloomberg’s Ryan Gallagher reports on threats targeting the healthcare industry as healthcare providers deal with the massive influx of patients afflicted with COVID-19. Experts around the world are warning that hackers could keep doctors from vital patient data by encrypting records.

FBI warns Zoom, teleconference meetings vulnerable to hijacking – Cyberscoop

  • The warning comes after reports that Zoom—which is also under fire for leaking personal information to strangers and illegally selling user data to Facebook—isn’t securing communications as advertised.

Tech Giants Prepared for 2016-Style Meddling. But the Threat Has Changed. – The Wall Street Journal

  • The chairman of Huawei Technologies warned the U.S. to expect countermeasures from the Chinese government if it further restricts the technology giant’s access to suppliers, as the company’s profit last year grew at the slowest pace in three years.

Banking Malware Spreading via COVID-19 Relief Payment Phishing – Bleeping Computer

  • The Zeus Sphinx banking Trojan has recently resurfaced after a three years hiatus as part of a coronavirus-themed phishing campaign, one of many launched as hackers race to take advantage of the current pandemic.

FBI re-sends alert about supply chain attacks for the third time in three months – ZDNet

  • The FBI says a group state-sponsored hackers are now targeting the healthcare industry, which is currently grappling with the COVID-19 outbreak.

In Case You Missed It

Black Friday Cyberattacks: Businesses Face Surge of Malware, Ransomware on U.S. Shopping Holiday

Cyber Monday and Black Friday are the proverbial holiday shopping seasons for cybercriminals and their strategic cyberattacks, including malware, ransomware and phishing attacks. Eager online shoppers are hurried to fill holiday dreams — often at the detriment of cybersecurity best practices and common sense.

According to Adobe Analytics, consumers spent $7.4 billion online during this year’s Black Friday event, up $1.2 billion over 2018. Those numbers jumped for Cyber Monday, where retailers collected $9.4 billion in online sales on the frantic shopping holiday.

That kind of volume — in terms of both people and dollars — makes for a lucrative target for the modern cybercriminal. In 2018, SonicWall Capture Labs threat researchers discovered a spike in ransomware attacks during the Black Friday and Cyber Monday shopping events, as well as a 45% jump in phishing attacks.

Black Friday and Cyber Monday in 2019 resulted in much of the same. SonicWall Capture Labs threat researchers recorded* a double-digit malware spike (63%) in the U.S. between the eight-day holiday shopping window from Nov. 25 to Dec. 2.

  • 129.3 million malware attacks (63% increase over 2018)
  • 639,355 ransomware attacks (14% decrease over 2018)
  • 51% increase in phishing attacks on Black Friday (compared to the average day in 2019)

Cyber Monday attacks dips, Black Friday takes the hit

Cybercriminals weren’t waiting until Cyber Monday to launch their campaigns, either. In the U.S., both malware (130%) and ransomware attacks (69%) were up on Black Friday compared to 2018. This trend continued on Cyber Sunday with increases in malware (107%) and ransomware (9%).

Interestingly, ransomware attacks were down on Cyber Monday (-41%) and Small Business Saturday (-55%), resulting in an overall 14% decrease in U.S. ransomware attacks during the eight-day shopping window.

Malicious Android apps spotted during Black Friday

It’s no secret that much of holiday shopping is done on mobile apps. Busy online shoppers often leverage mobile apps that keep track of deals, provide discount coupons and offer the convenience of skipping long lines at shopping malls.

To diversify their attack strategies, cybercriminals and malware writers use this opportunity to spread malware under the guise of shopping and deal-related apps — particularly during this eight-day Thanksgiving holiday shopping window.

In the past few weeks alone, SonicWall Capture Labs threat researchers observed a number of malicious Android apps that use the shopping theme to trick users into downloading and installing these apps.

One of the more notable malicious apps is this Amazon Shopping Hack, which is tied to a range of survey scams that attempt to steal user data and sensitive information.

Name: Amazon Shopping Hack
Package: com.amazon.mShop.android.shopping.hack
SHA: fa87b95eead4d43b2ca4b6d8c945db082b4886b395b3c3731dee9b7c19344bfa

After execution, this app shows a human verification page to continue using this app. This “verification” essentially leads to survey-related scams that attempt to extract sensitive user information, such as email address, credit card details, address, etc.

One of the domains contacted by this app during execution is mobverify.com. A quick search about this domain revealed a number of other survey related pages:

The mobverify.com domain is associated with a number of malevolent apps, survey scam links and malicious executables. During analysis, we observed a GET request to mobverify.com, which downloads a json file containing a list of different survey scams:

For additional examples of malicious Android apps, please review the in-depth findings of the Capture Labs threat team: Malicious Android Apps Observed During Thanksgiving Season 2019.

Intelligence for this report was sourced from real-world data gathered by the SonicWall Capture Threat Network, which securely monitors and collects information from global devices and resources including more than 1 million security sensors in nearly 215 countries and territories.


* As a best practice, SonicWall routinely optimizes its methodologies for data collection, analysis and reporting. This includes improvements to data cleansing, changes in data sources and consolidation of threat feeds. Figures published in previous reports may have been adjusted across different time periods, regions or industries.

Cyber Security News & Trends

This week, SonicWall strengthens MSSP security offerings, cyberthreats to the upcoming census, and the end of decade lists begin.


SonicWall Spotlight

SonicWall Strengthens MSSP Security Offerings, Simplifies Account Management, Product Registration, Licensing Control. – SonicWall Press Release

553: Opening a Spin-off’s Liberated Growth Chapter – CFO Thought Leader podcast

  • How do you take a business unit, extract it, and set it up to be a running company on its own, all within one year? SonicWall CFO Ravi Chopra sits down with the CFO Thought Leader podcast and explains exactly how he did it with SonicWall. He also discusses his career path, his experiences in the dot com crash, and how he learns from his mentors.

Cybersecurity Should Be the Core Pillar of Any Modern Digital Hospital: Dmitriy Ayrapetov – The Economic Times of India

  • SonicWall’s Dmitriy Ayapetov is interviewed talking about the impact of cyberattacks on the health industry – with ransomware attacks growing and the rise of the Cloud and Internet of Things devices leading to potentially many new entry points for a cybercriminal, he stresses the need for greater cybersecurity awareness.

Cybersecurity News

Black Friday UK: Just One in 20 Discounts Are Genuine, Research Finds – The Guardian (UK)

  • Research by consumer group Which? Has found that the majority of Black Friday deals are sold at the same price or cheaper throughout the year. SonicWall figures on ransomware are also referred to, highlighting the increase in cyberattacks around the Black Friday period.

Special Report: 2020 U.S. Census Plagued by Hacking Threats, Cost Overruns – Reuters

  • An in-depth investigation into the upcoming 2020 US census has found that despite a major technology overhaul, fears of hacking attempts are running high and a lack of adequate training and understanding of cybersecurity risks internally is not helping.

Report Highlights Nation-State Cyberthreats Facing SMBs in 2020 – Tech Republic

  • A new survey of over 1000 cybersecurity officials working at SMBs has found that more than 60% of respondents intend to increase their cybersecurity budgets next year due to growing fears of cyberattacks from both at home and abroad, especially during the upcoming elections.

India Plans Security Audit of WhatsApp After Hacking Attempt – Reuters

  • The Indian government is pushing for a security audit of WhatsApp after revelations emerged last month that spyware inserted by surveillance groups allowed access to the phones of roughly 1400 users.

44 Million Microsoft Users Reused Passwords in the First Three Months of 2019 – ZDNet

  • Microsoft has completed an audit of their accounts and found that 44 million people are still using usernames and passwords that were leaked online in 2019. A forced password reset has been enacted to help solve the problem.

FBI Issues Smart TV Cybersecurity Warning – Infosecurity Magazine

  • The Federal Bureau of Investigation has issued a warning to holiday shoppers over the cyber-risks an unsecured smart TV might pose to a household. Default passwords should be changed, and a familiarization of all connection options is recommended at a bare minimum.
And Finally

A Decade of Malware: Top Botnets of the 2010s – ZDNet

  • It’s the end of a decade, and with it comes the lists! ZDNet round up some of the biggest, in both size and infamy, botnets that hit throughout the 2010s, including those old favorites, Emotet, Trickbot, and Dridex.

In Case You Missed It

Meeting a Russian Ransomware Cell

Ransomware is one of the most notorious and effective types of cyberattacks in the last decade. And I had the opportunity to go inside the minds that operate a real-world ransomware cell.

It starts with the young leader — nicknamed “Twig” — of a Russian ransomware cell. After two weeks of chatting through a secure channel, what I found was very interesting.

On social media, some cybersecurity firms like to portray him in black hoodies with leather gloves and a backdrop of matrix-style digits. They namedrop buzzwords like advanced-generation V attacks and other trumped up terms, which could be more fitting for nation-state attacks, but this isn’t the case with most hacking groups.

Carrying out successful ransomware attacks typically only requires a mixture of scripts, common vulnerabilities, brute-force efforts, bad IT policies at target organizations, and generations of frustration between eastern and western politics.

MINDHUNTER

On-Demand Webinar: My Two-Week Conversation with a Ransomware Cell

Join SonicWall security expert Brook Chelmo as he gives you an inside look into the human-side of a modern ransomware cell, their advice on how to stop them from infiltrating your organization, encrypting your endpoints, and spreading to other drives and segments of your network.

How does a ransomware attack work?

The number of organizations and verticals targeted each week, including the demands they make on the compromised device(s), are all private. Twig, however, is open to saying that their attack style is generally through spear-fishing and port-scanning for common vulnerabilities.

Twig’s favorite ports are “5900 and 5901 which are open and unpassworded.” Together, these two ports rank as the 19th most scanned port. These ports are used by virtual network computing (VNC) for desktop-sharing and remote-control application for Linux and Windows machines.

Over the years, several vulnerabilities related to these ports have allowed attackers to bypass authentication and gain access to the system. If Twig can get in, then your participation isn’t even required to activate the ransomware script (e.g., enable macros on a malicious Word document received in email). In fact, SonicWall research shows that anywhere between 17% and 20% of all malware attacks come through non-standard ports.

While Twigs scripts are pinging a range of IP addresses for vulnerabilities, he runs a PHP script alongside unnamed services that spam targets to gain remote access to their systems.

HILDACRYPT, for example, uses file extensions that are not normally scanned, such as .vbox, to evade inspection and detection by firewalls or email security services. Once access has been granted, he will log in after-hours and run a batch file through PsExec throughout the entire network to make it “go boom.”

Or, in less dramatic words, to “make Hilda run on the entire network.” It’s the same headache caused by the likes of WannaCry, NotPetya and SamSam ransomware strands, the infamous attack wave from three years ago. Since admins tend to have access to multiple drives — and sometimes read/write ability on endpoints via access manager roles — exploiting them is critical to mission success.

“If Twig can get in, then your participation isn’t even required to activate the ransomware script.”

Once systems are compromised, they don’t exfiltrate the files and sell the data like some do. They just set the demand and wait.

Initially, they asked victims to watch the Hilda series on Netflix (yes, really), join their Discord server for support, then pay the stated ransom amount in bitcoin (a popular way to couch the demand).

What can you do to stop ransomware attacks?

First of all, Twig says to “use proper passwords” for ransomware protection. He said many passwords are either written by the ‘crazy or the lazy.’ Most of them are too simple and are often guessed by his scripts. His favorite story was when he found a password to be two quotation marks. I guess the administrator thought it was too simple to guess. Well, he was wrong and had to pay for it.

Second, he said “write your programs in a real programing language.” He said that real programmers write in C or C++, and that Java or PHP is for the lazy and stupid (an opinion not shared by all professional programmers).

When he sees programs written in Java, he feels he is dealing with a non-qualified individual and, therefore, an easy target. It is also worth noting that some security professionals advise not to program in C when it comes to security.

Third, he casts shade on Americans and tech workers over the age of 35 either because of his belief in their lack of modern skills or energy to do the job properly. He says organizations should hire qualified people who can both code and understand security. If he was in charge of hiring at your company, and didn’t discriminate by age or nationality, he would hire people who hold qualifications in C or C++ and have the energy to follow security best practices.

Misconfigured firewalls leave doors open for ransomware attacks

Finally, Twig points out that misconfigured firewalls are his best friend. In fact, he has strong opinions for some firewall makers that enable him “to uninstall [the firewall] from the computer.” In the case of network firewalls, misconfigurations are easily done and can be one’s downfall. It happens more than you think.

In the case of endpoint firewalls, end-users should be under the principle of least privilege (POLP), which means they will have just enough rights to do their job and without the ability to modify their endpoints. In 2016, Microsoft reported that 94% of critical vulnerabilities can be mitigated by removing administrative rights from users.

Four ways SonicWall stops ransomware attacks

Stopping ransomware attacks isn’t always easy. A conversation with Twig makes that apparent. But he also highlights that if you follow best practices and implement security across different layers, ransomware attacks won’t be nearly as successful. Leverage the four key ways SonicWall helps organizations block ransomware attacks — automatically and in real time.

  • Deploy a firewall and keep security services active. Firewall vendors like SonicWall are now security platform providers that protect the traffic to and from branches (SD-WAN), and examine traffic through the firewall with gateway antivirus to stop known versions of malware. It’s also smart to leverage Intrusion Prevention Services (IPS) to identify known communication patterns within malware and stop what it wants to do, like travel laterally to other drives or networks. The combination of gateway security and IPS was critical in stopping WannaCry ransomware attacks for SonicWall customers on Day 1.
  • Block unknown ransomware with a sandbox. However, all of the updated versions of the strain that came after Version 1 were blocked automatically by the Capture Advanced Threat Protection (ATP) sandbox (if the other ransomware variants were found by a customer before SonicWall could create a definition/signature to block it on firewalls and email security).
  • Protect your inbox. To make it even more difficult to attack your network or users, use secure email solutions to block spoofed emails and examine attachments within all email to look for malware. Email is still highly effective at getting malware exploits onto your network.
  • Secure your endpoints. Finally, protect your endpoints with a next-generation anti-virus (NGAV) For example, Capture Client will help stop intrusions and ransomware attacks from initiating. Even if a ransomware strain did execute, Capture Client would give the administrator the ability to roll back the damage to a previously known clean state.

For the full story on my chats with Twig, I urge you to attend my upcoming webinar, “Mindhunter: My Two-Week Conversation with a Ransomware Cell.”

Cyber Security News & Trends

This week, SonicWall partners with Etisalat Digital and appears at GITEX Technology Week 2019. Meanwhile, several governmental level warnings about cyberthreats are issued, and the Magecart group chalks up another successful month.


SonicWall Spotlight

SonicWall, Etisalat Digital Partnership Delivers Network Security in Bundle Offer to SMBs – SonicWall Press Release

  • Etisalat Digital is now offering SonicWall technology in its ‘Business Quick Start’ SMB bundle that provides businesses with telco-grade network security devices and a zero-touch feature, making installation less than one hour. SonicWall and Etisalat celebrated this news with a ceremony at GITEX Tech Week.

SonicWall at GITEX Tech Week 2019 – Tahawultech.com

  • GITEX Technology Week, the biggest tech show in the Middle East, North Africa and South Asia, took place this week at the Dubai World Trade Centre. SonicWall showcased its networking and security solutions including our powerful Capture ATP with RTDMI technology. At the show, SonicWall’s Michael Berg was kept busy with interviews at outlets like Tahawultech and ChatterBoxPRE.

5 Steps to Deploy Fast, Secure WiFi in K-12 Schools – MSSPAlert

  • Schools and school districts connecting to the internet via Wi-Fi is par for the course in 2010; SonicWall’s Srudi Dineshan lists five ways K-12 schools can protect themselves from cyber threats.

Cybersecurity News

In the Last 10 Months, 140 Local Governments, Police Stations and Hospitals Have Been Held Hostage by Ransomware Attacks – CNN

  • With ransomware increasingly recognized as much more than a niche concern, CNN has created an accessible article with video and text intended to introduce the malware method and execution to a wider audience.

White-Hat Hacks Muhstik Ransomware Gang and Releases Decryption Keys – ZDNet

  • A frustrated hacker, annoyed after being caught by a successful ransomware attack, analyzed the ransomware software and successfully infiltrated the online database connected to the database. As a result, he has now released a free decryption method for anyone else caught by the same ransomware.

Copycat Coders Create ‘Vulnerable’ Apps – BBC News

  • A new study has found that developers who take shortcuts by copying and pasting code are leaving applications with security holes. Code chunks with no purpose have been found to be riddled with obsolete commands that could be taken advantage of by a hacker who recognized the programming.

EU Warns of 5G Cybersecurity Risks, Stops Short of Singling out China – Reuters

  • The European Union had issued a warning about the risk of increased cyberattacks by state-backed entities, especially with the advent of next-gen 5G mobile and Internet of Things objects.

NIST is Hunting for Tech to Secure the Energy Sector’s Network – NextGov

  • With the thoughts of a nationwide cyberattack on the power grid growing in people’s minds, the National Institute of Standards and Technology is seeking input from tech and cyber experts on how to secure the countless internet-connected devices that could be used as a way in to the network.
And Finally:

Magecart Attack on eCommerce Platform Hits Thousands of Online Shops – SecurityWeek

  • Everyone’s least favorite online card skimming group Magecart has continued its hacking spree with another successful campaign on online retailers. In the past month the group has been found to be active on over 3 thousand online stores, including the Sesame Street Live online store.

In Case You Missed It