Posts

Bill Conner: How the UK Is Taking Malware Seriously

Bill Conner sat down with Information Age editor Nick Ismail to discuss global malware attack statistics, cross-border cybersecurity collaboration, the increasing need to inspect PDFs and Microsoft Office documents, and how all impact the dynamic U.K. political landscape.

Though malware attack data shows an increase in global attacks, the U.K. has experienced a decrease in these attacks following the WannaCry ransomware strain in previous years.

Conner sees this as a positive change for the U.K. and stated via Information Age, “you guys were all over it” following the WannaCry attack and “most of the vendors in the U.K. and their customers put solutions in place to protect against multiple family variants of ransomware.”

While this is a positive change for the U.K., there is still work to be done globally and Conner says regardless of the often divided political climate, “there’s a good foundation for cyber collaboration across borders.”

“Right now, we need to focus on those PDFs and Office (files), the things you run in your business every day, because they can be exploited for IP and monetary gain. And you can’t even see it.”

Bill Conner
SonicWall President & CEO

In addition to urging governments to look toward political collaboration to tighten cybersecurity globally, Conner explained the majority of this change will come through the dedication of law enforcement.

“Law enforcement sharing is better than political sharing at the moment,” Conner told Information Age. “Public institutions, private organizations and different governments have got to collaborate. But, above all, we’ve got to have dedicated cyber law enforcement.”

While a global cybersecurity strategy may be down the road, Conner says there are places to focus on now to best secure governments, enterprises and SMBs.

What does Conner recommend an organization focus their cybersecurity strategy on?

“What I’m telling governments and enterprises is to forget side-channel exploits for the moment,” he said. “Right now, we need to focus on those PDFs and Office (files), the things you run in your business every day.”

One of the ways to mitigate these specific malware threats requires advanced technology, like SonicWall Capture Advanced Threat Protection (ATP) with SonicWall Real-Time Deep Memory Inspection (RTDMI™), to inspect and mitigate attacks in memory.

Read the rest of Conner’s recommendations and predictions in his interview with Information Age.

Capturing the World’s Latest Malware so You Can Fear Less

If anyone ever needs proof on how effective SonicWall Capture Labs is, look back to the WannaCry ransomware attack in May 2017, and just last week the NotPetya malware. In contrast to over 250,000 endpoints compromised in over 150 countries, SonicWall customers with active security subscriptions were largely unaffected.

Why were they unaffected?

Our customers were protected because SonicWall had identified and created signatures for all exploits of the SMB vulnerability, as well as early versions of WannaCry, weeks in advance. Any of our customers with active Gateway Anti-virus and Intrusion Prevention System (GAV/IPS) services received those signatures automatically, and thereby blocked this ransomware variant and the worm that spread it across the globe. This was possible because SonicWall Capture Labs gathers millions of samples of malware in order to protect our customers from the latest threats.

In 2016, SonicWall’s Capture Labs Threat Research processed over 60 million unique pieces of malware that were previously unknown to us.  This included versions of polymorphic malware, newly developed malicious code and zero-day attacks. The result of this work created countless signatures and other countermeasures that protected our customers from the latest attacks across our product portfolio.

So where does SonicWall get all of these malware samples?

With over 1 million sensors placed around the world, our Capture Labs Research Team receives the largest amount of data from real customer traffic. Our SonicWall Capture Advanced Threat Protection (ATP) Service is a network sandbox that runs suspicious code to find unknown malicious code. Business networks will encounter an average of 28 new, zero-day versions of malware over a calendar year, Capture ATP is designed specifically to prevent this.

In addition, SonicWall participate in numerous industry collaboration efforts such as the Microsoft MAPP program so our researchers receive new verified threats before the public. We also actively engage in numerous international threat research communities and freelance researchers so our in-house team possesses samples of uncommon attacks and vulnerabilities.

Read this eBook to learn how to protect against ransomware with a multi-layer threat elimination chain to stop known and discover unknown malicious code targeting your organization.

Don’t Be Fooled by the Calm After the WannaCry Chaos: Continuously Toughen Your Security

Some consider WannaCry to be the first-ever, self-propagating ransomware attack to wreak havoc across the globe. The chaos that followed is yet another harsh wake-up for many, in a situation far too familiar.  Only this time, the victims are new, the infection spreads more rapidly, the effects are far-reaching and the headlines are bigger.  I am sure you may be feeling overwhelmed with the ongoing news coverage of the EternalBlue exploit, WannaCry ransomware and Adylkuzz malware this past week.   Let us recap a few important observations to help us avoid a replay of history.

The WannaCry crisis was unlike any previous zero-day vulnerabilities and exploits that caused massive cyber-attacks in previous years. The major difference in this event is that there were early warning signs portending this sort of cyber-attacks through a series of leaks by the Shadow Broker, an unidentified hacking entity responsible for putting stolen U.S. National Security Agency (NSA) hacking secrets in the hands of nefarious actors, both foreign and domestic, looking to do us harm. Since the forthcoming threat was public knowledge and organization had ample time to mitigate the risk, why was WannaCry still able to achieve the level of success that it did? The reasons are quite simple and common with most organizations today.

1. Take care of the basics

Winston Churchill once remarked, “We live in the most thoughtless of ages. Every day headlines and short views.” Although the wisdom in these words was uttered many years ago, it seems as though we have yet to change our ways with respect to repeating poor cyber hygiene patterns. There are data security experts who have suggested that poor cyber-hygiene has caused as much as 80% of security incidents. Whether this figure is accurate or not, it is certain that the WannaCry and Adylkuzz attacks are the latest examples to support this statistic. Because of unpatched Microsoft’s Windows systems, victim organizations have allowed a broadly publicized and easily preventable exploit and ransomware to move into their environments simply because some of the most basic security measures were either not established or followed.

To avoid repeating this sort of mistake, organizations must understand that taking care of the basics means standing between being likely breached and likely avoiding one. Therefore, instituting a zero-tolerance policy to patch every system and device in the environment must never be an option. Putting in place auditable workflows and technology that can programmatically check and perform security updates without the need for manual intervention will help organizations move towards a more proactive defense posture.

2. Security staffing an unsolved problem

What we are seeing right now is a serious talent shortage in the security employment industry. Hiring good, affordable security professionals is a huge concern for many organizations across all industries. When organizations do not have adequate security staff or are unable to fill positions, they do not have the capacity necessary to proactively identify and remediate risk areas at the speed needed to avoid a security event like WannaCry. This common, unsolved problem manifests itself with most organizations, especially during major cyber events.

Many of the most significant issues organizations have in common today include the lack of understanding and visibility of:

  • What and where are the at-risk assets
  • Who and where are the at-risk users
  • What and where are the at-risk systems and devices
  • What are the risks and threats to focus on
  • What a proper security response plan looks like are

3. Lack the right tools in place

We have a situation today where exploit kits and ransomware are leveraging SSL/TLS encrypted traffic predominately for evading detection. A recent Ponemon Institute study reported that 62% of respondents say their organizations do not currently decrypt and inspect web traffic. However, the real concern is the fact that half of those respondents, who disclosed they were victims of a cyberattack in the preceding 12 months, claimed attacks leveraged SSL traffic to evade detection. So why is that?

The reasons provided in the same Ponemon study revealed that for those organizations that are not inspecting encrypted traffic:

  • 47% of the respondents said lack of enabling security tools was the top reason
  • 45% divulged that they do not have sufficient resources
  • 45% said they have overwhelming concerns about performance degradation.

Encrypted attacks threatening mobile devices, endpoint systems and data center resources and applications are on the rise. As we move towards an all-encrypted internet, organizations no longer have a choice whether to establish a security model that can decrypt and inspect encrypted traffic to stop hidden threats.

To learn more, here are two relevant informational pieces written by my colleagues on the WannaCry ransomware event that I highly recommend you to read. They offer additional perspectives and insights that can help you solve these security issues and be readily prepared for the next wave of cyber-attacks.

  1. WannaCry Ransomware Attack – It’s a Tragedy: What’s Next for Your Network? by Rob Krug, Solution Architect, Security
  2. SonicWall Protects Customers from the Latest Massive WannaCry Ransomware Attack by Brook Chelmo, Sr. Product Marketing Manager

When the chaos over WannaCry calms, the big question becomes, will you move on from this historic event with the lessons we’ve learned? Your answer is crucial since it will determine if the next major incident yields a more readied response from your organization.

Footnote: Ponemon Study,  Uncovering Hidden Threats within Encrypted Traffic, 2016

SonicWall Protects Customers from the Latest Massive WannaCry Ransomware Attack

Note: This blog was updated on Monday, May 15.

First, if you are a SonicWall customer and you are using our Gateway Anti-Virus, Intrusion Prevention service, and Capture Advanced Threat Protection then your SonicWall firewall has been protecting your network from WannaCry ransomware and the worm that spreads it since 17 April, 2017. Since the release of the first version of the code, we have identified several new variants and have released additional counter measures. We will continue to update this blog as our Capture Labs research team uncovers more information and as additional protection is automatically rolled out to our customers’ firewalls.

Here’s more:

The Attack

This massive ransomware attack became infamous by shutting down a number of hospitals in the UK’s National Health Service (NHS) system and thus preventing patients from receiving critical care. The attack hit over 100 countries across the world with an untold number of victims. WannaCry is a combination of a Trojan/ransomware and a worm that leverages an SMB file sharing protocol exploit named EternalBlue. The Shadow Brokers leaked EternalBlue in April 2017 as part of a bigger dump of NSA developed exploits. This exploit affects various versions of Microsoft Windows operating systems, including a number of versions that are in end-of-life status. Although Microsoft released a large number of patches on March 14 to address this vulnerability, the attack remains dangerous as many organizations have not applied the patch.

The first version of the worm/ransomware package had a kill switch that was accidently used to disable the worm feature which slowed its advance on Friday, 12 May 2017. However, new variants are appearing in the wild without this weakness. While the first version of the worm code can no longer spread the ransomware code, systems encrypted by WannaCry 1.0 will remain encrypted. Unfortunately, there is no known decryption method to recover files affected by WannaCry without paying cyber criminals (which is not advised).

Since Friday, 12 May 2017, SonicWall’s Capture Labs released six new signatures to block all known versions of WannaCry.  It is also worth noting that SonicWall security services on the firewall have built-in protections against the many components of this code, ranging from blocking contact with WannaCry Command and Control (C&C) servers to blocking attempts at exploitation of any unpatched SMB Microsoft vulnerabilities (such as EternalBlue).

WannaCry Ransomware

The Protection

SonicWall Capture Labs analyzed the EternalBlue attack in mid-April immediately after the Shadow Brokers file dump and rolled out protection for all SonicWall firewall customers well in advance of the first public attack.  All known versions of this exploit can be blocked from SonicWall protected networks via active next-generation firewall security services.

As a SonicWall customer, ensure that your next-generation firewall has an active Gateway Security subscription to receive automatic real-time protection from known ransomware attacks such as WannaCry. Gateway Security includes Gateway Anti-virus (GAV), Intrusion Prevention (IPS), Botnet Filtering, and Application Control. This set of technology has signatures against WannaCry (part of GAV), protections against vulnerabilities outlined in Microsoft’s security bulletin MS17-010 (part of IPS), and it blocks communication with the C&C servers where WannaCry’s payload comes from (part of botnet filtering).

Since SonicWall Email Security uses the same signatures/definitions as Gateway Security, we can effectively block the emails that deliver the initial route to infection. Ensure all email security services are also up to date to block malicious emails.  Since 65% of all ransomware attacks happen through phishing emails, this needs to be a major focus when giving security awareness training. Additionally, customers with SonicWall Content Filtering Service should activate it to block communication with malicious URLs and domains, which works in a similar way Botnet filtering disrupts C&C communication.

As a best practice always deploy Deep Packet Inspection of all SSL/TLS (DPI-SSL) traffic since more than 50% of malware is encrypted. This will enable your SonicWall security services to identify and block all known ransomware attacks. Enabling DPI-SSL also allows the firewall to examine and send unknown files to SonicWall Capture Advanced Threat Protection for multi-engine processing to discover and stop unknown ransomware variants.

View our webpage to learn more on how SonicWall protects against ransomware.

WannaCrypt Signatures

The most recent list of GAV/IPS signatures against EternalBlue and WannaCrypt as of 14 May 2017 at 11:45 AM PST

What’s Next

The party behind this attack has already released several variations of this attack for which we have established protections in place (see above). To ensure you are safe from newly developed updates and similar copycat attacks, first apply the Windows patch provided by Microsoft listed in the resources section.  Second, apply Capture Advanced Threat Protection (Capture ATP), SonicWall’s multi-engine network sandbox, to examine suspicious files coming into your network to discover and stop the latest threats just as we did with Cerber ransomware. Enable the service’s block until verdict feature to analyze all files at the gateway to eliminate malware before it can enter your network. Additionally, Capture Labs will continue to email customers Sonic Alerts on new threats.

Finally, phishing emails are the most common delivery mechanism for ransomware. It is possible that future variants of this ransomware will be delivered via emails. SonicWall’s email security solution uses Advanced Reputation Management (ARM) to inspect not only the sender IP but also the message content, embedded URLs and attachments. In addition, make sure you enable SPF, DKIM and DMARC advanced email authentication to identify and block spoofed emails and protect from spam and phishing attacks. For the best possible protection against such attacks, deploy SonicWall’s email security solution with Capture ATP service to inspect every email attachment in a multi-engine sandbox environment.

Apart from SonicWall security protections in place (listed above), as a best practice we recommend to disallow or block inbound SMB traffic (TCP 445, UDP ports 137-138, and TCP 139) and RDP traffic coming  from the internet on edge-facing Firewalls. If such access is required, implement secure remote access solutions like IPsec or SSL-VPN with proper authentication mechanisms in place.

Apply vulnerability patches on servers and PCs as recommended in Microsoft MS17-010 bulletin (listed above and below), disable SMBv1 communication (limit access via SMBv2/v3), as well as monitor for any suspicious activity on TCP 445.

Resources