Posts

Botnets Targeting Obsolete Software

Overview: This is not a disclosure of a new vulnerability in SonicWall software. Customers with the current SonicWall Global Management System (GMS) 8.2 and above have nothing to worry about. The reported vulnerability relates to an old version of GMS (8.1), which was replaced in December 2016. Customers with GMS 8.1 and earlier releases should patch, per SonicWall guidance, as they are running out-of-support software. Best practice is to deploy a SonicWall next-generation firewall (NGFW) or a web application firewall (WAF) in front of GMS and other web servers to protect against such attacks. Look for global third-party validation on protection effectiveness, such as the 2018 NSS Labs NGFW Group Test. After rigorous testing, SonicWall firewalls earned the NSS Labs coveted ‘Recommended’ rating five times.


On Sept. 9, Palo Alto Networks Unit 42 published a blog post highlighting a developing trend of botnets picking up publicly known CVE exploits and weaponizing them against enterprise infrastructure. This marks a change in the botnet authors’ tactics from targeting consumer-grade routers and IP cameras to searching for higher-profile enterprise targets to harness additional endpoints for DDoS attacks.

The first botnet, Mirai, targeted the Apache Struts vulnerability from early 2017, which affects web servers around the world. On March 6, 2017, SonicWall provided protection against the Apache Struts vulnerability with the Intrusion Prevention Service (IPS) on the NGFW line, rolling out protection to all firewalls with licensed IPS service.

The second botnet highlighted in the Palo Alto Networks post, Gafgyt, picked up the Metasploit code for an XML-RPC vulnerability for an obsolete version of SonicWall GMS (8.1) central management software, which was replaced by GMS 8.2 in December 2016.

The bottom line: the reported botnet attack is misguided and presents no threat to SonicWall GMS in production since December 2016.

Implementing Cybersecurity Best Practices

Current SonicWall GMS users are not at risk. However, there are broader lessons here for the industry and business owners:

  • Take End-of-Life and End-of-Support announcements seriously and update proactively. Out-of-support software becomes a security risk for critical systems and compromises an enterprise’s compliance and governance posture.
  • Security best practices dictate that you never expose a web server directly to the internet without an NGFW or WAF deployed in front.
  • A security layer between the internet and critical enterprise infrastructure, like web servers or centralized firewall management, provides the ability to virtually patch zero-day vulnerabilities and exploits while working out a sensible patching strategy. For example, a SonicWall NGFW with Intrusion Prevention or a SonicWall WAF can easily handle this task.

Using Third-Party Validation

The blog post does, however, underscore the rapidly-evolving nature of today’s threat landscape, evidenced by the mixing of malware and exploits to create new malware cocktails, and the need to use the latest and most effective security solutions to protect against them.

When selecting a product to protect your critical infrastructure, go beyond listening to vendor claims and look at globally recognized independent testing, such as the NSS Labs NGFW report, to validate security efficacy. Items that you should consider when selecting a security product for the modern threat landscape:

  1. NSS Labs specifically tests for protection on non-standard ports (not just 80/443, for example) because malware often uses non-standard ports to bypass traffic inspection. Products that lack inspection on non-standard ports are blind to many malware attacks, and are easily fooled into missing dangerous traffic and allowing malware and exploits to sail right through.

2018 NSS Labs NGFW Group Test Report — Evasion Resistance

2018 NSS Labs Next Generation Firewall Security Value Map™ (SVM)

  2. Evaluate your NGFW on security efficacy, and how it deals with malware cocktails, such as the recently exposed Intel-based, processor-level vulnerabilities like Spectre, Meltdown and Foreshadow.
  • SonicWall patented and patent-pending Real-Time Deep Memory Inspection (RTDMI™) technology is proven to catch chip/processor attacks through its unique approach to real-time memory inspection.
  • SonicWall RTDMI protection can also be applied to mitigate malicious PDFs, Microsoft Office documents and executables. The focus on PDF and Office document protection is especially important. Attacks are shifting into this delivery mechanism as browsers clamped down on Flash and Java content, drying up a fertile area of exploit and malware delivery. For example, RTDMI discovered more than 12,300 never-before-seen attack variants in the first half of 2018 alone.
  • The SonicWall Capture Client endpoint suite plugs into the RTDMI engine to offer the same protection for users that are outside a protected network.

The Bottom Line

The reported botnet attack is misguided and presents no threat to SonicWall GMS in production since December 2016.

New NIST Cybersecurity Policy Provides Guidance, Opportunities for SMBs

Small- and medium-sized businesses (SMBs) are often one of the segments most targeted by cybercriminals. Now, SMBs are backed by legislation signed by U.S. President Trump and unanimously supported by Congress.

On Aug. 14, President Trump signed into law the new NIST Small Business Cybersecurity Act. The new policy “requires the Commerce Department’s National Institute of Standards and Technology (NIST) to develop and disseminate resources for small businesses to help reduce their cybersecurity risks.”

The legislation was proposed by U.S. Senators Brian Schatz (D-Hawai‘i) and James Risch (R-Idaho). This new policy is a follow-on effort to the Cybersecurity Enhancement Act of 2014, which was the catalyst for the NIST Cybersecurity Framework.

“As businesses rely more and more on the internet to run efficiently and reach more customers, they will continue to be vulnerable to cyberattacks. But while big businesses have the resources to protect themselves, small businesses do not, and that’s exactly what makes them an easy target for hackers,” said Senator Schatz, lead Democrat on the Commerce Subcommittee on Communications, Technology, Innovation, and the Internet, in an official statement. “With this bill set to become law, small businesses will now have the tools to firm up their cybersecurity infrastructure and fight online attacks.”

Per the NIST Small Business Cybersecurity Act (S. 770), within the next year the acting director of NIST, collaborating with the leaders of appropriate federal agencies, must provide cybersecurity “guidelines, tools, best practices, standards, and methodologies” to SMBs that are:

  • Technology-neutral
  • Based on international standards to the extent possible
  • Able to vary with the nature and size of the implementing small business and the sensitivity of the data collected or stored on the information systems
  • Consistent with the national cybersecurity awareness and education program under the Cybersecurity Enhancement Act of 2014
  • Deployed in practical applications and proven via real-world use cases

The law follows the structure presented by U.S. Rep. Dan Webster (R-Florida) and passed by the House of Representatives. He originally presented the bill to the U.S. House Science, Space, and Technology Committee in March 2017.

SonicWall President and CEO Bill Conner also was instrumental in helping form the groundwork for U.S. cybersecurity laws. In 2009, Conner worked with U.S. Senator Jay Rockefeller (D-West Virginia) and other security-conscious leaders on the Cybersecurity Act of 2010 (S.773). And while the proposal was not enacted by Congress in March 2010, it served as a critical framework to today’s modern policies. Rockefeller was eventually the sponsor of the aforementioned Cybersecurity Enhancement Act of 2014 (S.1353), which became law in December 2014.

SMBs Highly Targeted by Cybercriminals, Threat Actors

According to a recent SMB study by ESG, 46 percent of SMB decision-makers said security incidents resulted in lost productivity in their small- or medium-sized business. Some 37 percent were affected by disruption of a business process or processes.

“Criminals target SMBs to extort money or steal valuable data, while nation states use small businesses as a beachhead for attacking connected partners,” wrote ESG senior principal analyst Jon Oltsik for CSO.

In fact, in July 2018 alone, the average SonicWall customer faced escalated volumes of ransomware attacks, encrypted threats and new malware variants.

  • 2,164 malware attacks (28 percent increase from July 2017)
  • 81 ransomware attacks (43 percent increase)
  • 143 encrypted threats
  • 13 phishing attacks each day
  • 1,413 new malware variants discovered by Capture Advanced Threat Protection (ATP) service with RTDMI each day

Leverage NIST Policy, Frameworks

While SMBs await guidance from the new NIST Small Business Cybersecurity Act, they can draw on the NIST Cybersecurity Framework, which helps organizations of all sizes apply best practices to better safeguard their networks, data and applications from cyberattacks.

At a high level, the framework is broken down into three components — Implementation Tiers, Framework Core and Profiles — that each include additional subcategories and objectives. Use these key NIST resources to familiarize your organization with the framework:

Applying Cybersecurity Designed for SMBs

The NIST framework provides a solid foundation to improve an SMB’s security posture. But the technology behind it is critically important to achieving a safe outcome. SonicWall, for instance, is the No. 2 cybersecurity vendor in the SMB space, according to Gartner’s Market Share: Unified Threat Management (SMB Multifunction Firewalls), Worldwide, 2017 report.

With more than 26 years of defending SMBs from cyberattacks, SonicWall has polished and refined cost-effective, end-to-end cybersecurity solutions. These solutions are tailored specifically for small- and medium-sized businesses and can be further customized to meet the needs of specific security or business objectives. A sound, end-to-end SMB cybersecurity strategy should include:

For example, the SonicWall TZ series of NGFWs is the perfect balance of performance, value and security efficacy for SMBs, and delivers access to the SonicWall Capture ATP sandbox services and Real-Time Deep Memory Inspection™. This integrated combination protects your organization from zero-day attacks, malicious PDFs and Microsoft Office files, and even chip-based Spectre, Foreshadow and Meltdown exploits.

For organizations that want to take it a step further, the SonicWall NSa series of firewall appliances was given a ‘Recommended’ rating by NSS Labs in a 2018 group test. SonicWall topped offerings from Barracuda Networks, Check Point, Cisco, Forcepoint, Palo Alto Networks, Sophos and WatchGuard in both security efficacy and total cost of ownership.

Contact SonicWall to build or enhance your cybersecurity posture for true end-to-end protection from today’s most malicious cyberattacks, online threats and even the latest Foreshadow exploits.

SonicWall solutions are available to SMBs through our vast channel of local security solution providers, many of which are SMBs themselves. In fact, many SonicWall SecureFirst Partners even provide security-as-a-service (SECaaS) offerings to ensure it’s easy and cost-effective for SMBs to protect their business from advanced cyberattacks.

Upgrade Your Firewall for Free

Are you a SonicWall customer who needs to stop the latest attacks? Take advantage of our ‘3 & Free’ program to get the latest in SonicWall next-generation firewall technology — for free. To upgrade, contact your dedicated SecureFirst Partner or begin your upgrade process via the button below.

IoT & Mobile Threats: What Does 2017 Tell Us About 2018?

“SPARTANS! Ready your breakfast and eat hearty. For tonight, WE DINE IN HELL!!”

Remember this passionate line by King Leonidas from the movie “300”? We are at the brink of another war — the modern cyber arms race. You need to gear up and be prepared for the thousands of malicious “arrows” that rain down on you.

This cyber arms race is aimed against governments, businesses and individuals alike, and it’s comprised of different types and forms of cyber attacks. These attacks grow more sophisticated each year, with over 12,500 new Common Vulnerabilities and Exposures (CVE) reported in 2017 — 78 percent of which were related to network attacks.

It’s critical that we learn from past experiences — successes and failures. So, what can 2017 teach us to be better prepared in 2018? Let’s first look at the hard data.

According to the 2018 SonicWall Cyber Threat Report, SonicWall Capture Labs detected 184 million ransomware attacks and a 101.2 percent increase in new ransomware variants from more than 1 million sensors across more than 200 countries. The increase in new variations signifies a shift in attack strategies.

In addition, SonicWall Capture Labs logged 9.32 billion malware attacks. Network attacks using encryption tactics are also on the rise. Without the ability to inspect such traffic, an average organization would have missed over 900 file-based attacks per year hidden by SSL/TLS encryption.

IoT attacks loom

Internet of Things (IoT) threats and memory attacks are also impending challenges that we face across wired and wireless solutions. According to Gartner, by 2020, IoT technology will be in 95 percent of electronics for new product designs.

Recently, Spiceworks performed a survey that found IoT devices to be the most vulnerable to Wi-Fi attacks. This makes IoT and chip processors the emerging battlegrounds. IoT was also a big target, as “smart” (pun intended) hardware is not updated regularly and is often physically located in unknown or hard-to-reach places, leading to memory attacks and vulnerabilities.

IoT ransomware attacks alone are on the rise and gain control of a device’s functionality. While many IoT devices may not hold any valuable data, there is a risk of owners or individuals being held to ransom for personal data. Gartner also predicts that, through 2022, half of all security budgets for IoT will go to fault remediation, recalls and safety failures rather than protection.

There are many smart devices and IoT devices in the market that connect over Wi-Fi, such as cameras, personal and TVs. Imagine an attack on your personal privacy and a hacker gaining control over your device. Distributed Denial of Service (DDoS) attacks remain a major threat to these devices. Each compromised device can send up to 30 million packets per second to the target, creating an IoT-powered botnet.

In fact, at one point in 2017, SonicWall Capture Labs was recording more than 62,000 IoT Reaper hits each day. Considering there could be an estimated 6 billion mobile devices in circulation by 2020, it wouldn’t be totally surprising if the next wave of ransomware targets mobile devices.

How to secure wired, wireless and mobile networks

It is critical to secure your network, both from a wireless and wired perspective. Total end-to-end security is the key to prevent such attacks from happening in the first place. To survive this cyber war, you can follow certain best practices to ensure your protection:

  • Layer security across your wired, wireless, mobile and cloud network
  • Deploy next-gen firewalls that can provide real-time intrusion detection and mitigation
  • Patch your firewalls and endpoint devices to the latest firmware
  • Secure your IoT devices to prevent device tampering and unauthorized access
  • Educate your employees on the best practices
  • Change default login and passwords across your devices

SonicWall solutions include next-generation firewalls, 802.11ac Wave 2 access points, secure mobile access appliances and the Capture Advanced Threat Protection (ATP) cloud sandbox service, all of which combine to provide an effective zero-day threat protection ecosystem.

To protect customers against the increasing dangers of zero-day threats, SonicWall’s cloud-based Capture ATP service detects and blocks advanced threats at the gateway until a verdict is returned. In addition, Capture ATP also monitors memory-based exploits via Real-Time Deep Memory Inspection™ (RTDMI). With innovative SonicWall solutions, rest assured your IoT and mobile devices are protected for the cyberwar.

Download the 2018 SonicWall Cyber Threat Report

The cyber arms race is a challenge we face together. And it’s the core reason we’re committed to passing our findings, intelligence, analysis and research to the global public via the SonicWall 2018 Cyber Threat Report.

RSA Conference 2018: SonicWall is Hot

Fresh off of April’s massive SonicWall Capture Cloud Platform launch, SonicWall has been featured in a pair of CRN articles highlighting the hottest products at RSA Conference 2018.

The SonicWall Capture Cloud Platform is lauded in CRN’s “10 Hot New Cloud Security Products Announced at RSA 2018” listing. CRN recaps the platform’s ability to integrate security, management, analytics and real-time threat intelligence across SonicWall’s portfolio of network, email, mobile and cloud security products.

Complementing that accolade, a pair of new SonicWall products were listed in the “20 Hot New Security Products Announced at RSA 2018” category. The new SonicWall NSv virtual firewall (slide 7) and SonicWall Capture Client (slide 12) endpoint protection were showcased.

SonicWall Capture Client is a unified endpoint offering with multiple protection capabilities. With a next-generation malware protection engine powered by SentinelOne, Capture Client delivers advanced threat protection techniques, such as machine learning and system rollback.

SonicWall Network Security virtual (NSv) firewalls protect all critical components of your private/public cloud environment from resource misuse attacks, cross-virtual-machine attacks, side-channel attacks and common network-based exploits and threats. They capture traffic between virtual machines (VMs) and networks for automated breach prevention, establish access control measures for data confidentiality and ensure VM safety and integrity.

Did WannaCry Perpetrators Ever Get Their Ransom?

Cyber criminals prefer to receive ransom in the cyber currency Bitcoin because it is supposedly anonymous. The truth is: “sort of.” Let’s take a closer look at how Bitcoins work, and how the WannaCry perpetrators, possibly the Lazarus Group, want to be paid.

Bitcoins are different from fiat currencies because, with Bitcoins, no actual coins or bills exist, not even digital ones. With a fiat currency like the dollar, money is represented by actual coins and bills that can be physically stored. Depending on how you pay, your transaction is not recorded or, more often, either recorded anonymously or via an account number, such as a credit card number.

In any case, the number of coins and bills, either in actual money that you have in your hand or what is recorded in your bank account, is decreased. With Bitcoins, you only have the transaction. Transactions are always public, and can be viewed by anyone. That is right: public, anyone. Anybody can see that money was paid from your account to that of WannaCry. What is different from fiat currencies, though, is that the actual ownership of an account is not necessarily known to anyone. It can be completely anonymous. This is a bit similar to a Swiss numbered account.

To summarize: the ownership of an account in Bitcoin may or may not be known to anyone, or may be generally public. The transaction, however, is always public. Bitcoin tracks transactions in so-called blocks that are linked in a blockchain. In order to find out how much money somebody has, a “wallet” application would have to browse through the entire blockchain and select out any transaction that involves the owner’s account number(s).

Different from fiat currencies, though, with Bitcoin, account numbers are free and one can have an endless amount of them. If somebody wants to be completely anonymous, they would use a new account number for every single transaction. Wallet or Account software would make it easy to keep track of them.
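As an added illustration (not part of the original post) of how a wallet derives a balance from the public ledger: the chain, transaction ids and addresses below are constructed placeholders, and the scan keeps the set of unspent outputs so that a watched address's funds being moved on to a fresh address is visible as a spend in the public trail.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SATOSHI = 100_000_000  # 1 BTC, so amounts stay exact integers


@dataclass
class TxOut:
    address: str
    amount_sat: int


@dataclass
class Tx:
    txid: str
    inputs: List[Tuple[str, int]]   # (previous txid, output index) being spent
    outputs: List[TxOut]


@dataclass
class Block:
    height: int
    txs: List[Tx] = field(default_factory=list)


def scan_chain(chain: List[Block], watched: set):
    """Walk every block, maintain the unspent-output (UTXO) set, and return
    (balances for the watched addresses, the public trail of their events)."""
    utxo: Dict[Tuple[str, int], TxOut] = {}
    trail = []
    for block in chain:
        for tx in block.txs:
            for ref in tx.inputs:
                spent = utxo.pop(ref)  # KeyError: unknown or already-spent output
                if spent.address in watched:
                    trail.append(("spend", block.height, tx.txid, spent.address, spent.amount_sat))
            for index, out in enumerate(tx.outputs):
                utxo[(tx.txid, index)] = out
                if out.address in watched:
                    trail.append(("receive", block.height, tx.txid, out.address, out.amount_sat))
    balances = {addr: 0 for addr in watched}
    for out in utxo.values():
        if out.address in watched:
            balances[out.address] += out.amount_sat
    return balances, trail


# Constructed placeholder chain: the addresses and txids are not real Bitcoin values.
RANSOM_ADDRESSES = {"addr_ransom_1", "addr_ransom_2", "addr_ransom_3"}
DEMO_CHAIN = [
    # a funding transaction with no inputs stands in for the coinbase that creates coins
    Block(0, [Tx("funding0", [], [TxOut("addr_victim", 1_250_000_000)])]),
    # two payments of 0.3 BTC to two of the fixed ransom addresses, change back to the payer
    Block(1, [Tx("victim_pay_1", [("funding0", 0)],
                 [TxOut("addr_ransom_1", 30_000_000), TxOut("addr_victim", 1_220_000_000)])]),
    Block(2, [Tx("victim_pay_2", [("victim_pay_1", 1)],
                 [TxOut("addr_ransom_2", 30_000_000), TxOut("addr_victim", 1_190_000_000)])]),
    # the first ransom payment is moved on to a fresh, unknown address (a mixer-style hop)
    Block(3, [Tx("cash_out", [("victim_pay_1", 0)], [TxOut("addr_fresh_unknown", 30_000_000)])]),
]

if __name__ == "__main__":
    balances, trail = scan_chain(DEMO_CHAIN, RANSOM_ADDRESSES)
    for addr, sat in sorted(balances.items()):
        print(f"{addr}: {sat / SATOSHI:.8f} BTC")
    for event in trail:
        print(event)
```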

WannaCry made use of only three hard-coded account numbers:

Why didn’t WannaCry use a new account number for every instance of WannaCrypt0r that was installed? The answer might be: because in order to get the money from a Bitcoin account, one has to first generate the account number/private key pair, AND be in possession of the private key. Without the private key, they could not get their money. If the private key were generated within WannaCrypt0r, it would need to be communicated reliably to a place where the hostage takers would have real-time access to it. That would give the perpetrators away. If the keys were generated somewhere in the cloud, the communication of private keys might be disguised in some layers of a Darknet labyrinth, but it would be easy to shut them down by taking the key servers, which would be easy to sniff out, offline. Also, using hundreds or thousands of account numbers would not necessarily make it significantly more difficult for security experts to track payments.

The bigger question is how the perpetrators can associate a payment with a specific instance of WannaCry. With a uniquely generated account number that might be easy. But there does not appear to be any way to link the two, other than manually via the Contact Us button in WannaCrypt0r. In fact, the function of the Check Payment button appears dubious at best. It is supposed to fetch the private key, but there is no public record of anybody ever having received it. The question is whether it actually works.

How would the perpetrators get the money after people paid ransom? Good question. Since transactions are public, we would know the account numbers to which the money is being transferred. In order to exchange the BTC into a fiat currency, the perpetrators would need to go to an exchange, and exchanges are more and more government regulated. While a small-scale thug might slip through, the likelihood that a group of Lazarus’ size would stay anonymous is small. The WannaCry perpetrators also could exchange their account numbers for different ones in so-called mixer services, as well as in account or wallet services. Again, a small-time thief might stay anonymous, but not when the NSA and every other state actor is after you.

In short, it is very possible that the WannaCry perpetrators never get their money. However, at the same time it is very possible that you never get the key either to recover your files. Even worse, your organization will be on the public record for having paid the extortionists, something which is not good publicity.

For so many reasons it is not a good idea to ever pay ransom, but specifically in the case of WannaCry it is practically pointless.

DPI-SSL: What Keeps You Up at Night? Protect More. Fear Less.

If you have been in this industry for more than a few years, you have probably heard the sales pitch, “What keeps you up at night?” It’s a typical sales tactic to elicit an emotional response to threats that seem to be out of your control. It’s designed to draw you out, start a conversation, and ultimately, prey on your fears.

We have enough security issues to concentrate on without having to prey on fears. That is one of the reasons I never liked this sales pitch. I have always felt it is better to address the challenges facing network security and do what we can to face those threats.

Growing up in Santa Cruz, California, I learned to swim in the ocean with some pretty scary waves. If you did not see a wave coming, you would get swamped by the wave. But if you faced the wave and dove under it, the threat was mitigated. If we do not see the threats in network security, we too can be swamped. For this same reason, we must look into encrypted packets to mitigate those threats. We cannot face what we do not see.

The SonicWall 2017 Annual Threat Report shows that over half the mechanisms delivering malware utilized encryption to mask the threats. The threat actors who create malware know that if they encrypt their payload, the odds of end-system infection are very high while the odds of intrusion detection are low. The extra effort to create an encrypted session rather than a standard, plain-text session is minimal. So, there is little extra work to create encrypted payloads while the reward is large.

In the last few months, there have been tests and claims from well-respected web browser vendors that security devices doing Deep Packet Inspection (DPI) of encrypted packets weaken security. Their testing showed that many security product vendors deploying ‘man in the middle’ tactics to decrypt and re-encrypt packets for inspection re-encrypted with a lower quality of encryption. This effectively did weaken security, and from this they drew the conclusion that security devices performing DPI-SSL weaken your protection.

This position is understandable; however, SonicWall takes this opportunity to actually increase security by hardening HTTPS encryption when weaker ciphers or invalid certificates are presented.

Workstations and end systems do a very good job of updating browsers, checking for revoked certificates and supporting strong encryption methods. But we often find the same is not true for hosted sites that contain many servers but have limited IT resources. Encryption methods get deprecated, but these servers often do not get updated, so older and outdated methods still turn up today in the server’s negotiation of a Transport Layer Security (TLS) session. The Secure Sockets Layer 1, 2 and 3 protocols are no longer recommended for sensitive data and should not be used.

The SonicWall next-generation firewall can detect when a server is presenting these weak encryption methods and block session initiation. Of course, there are times when this is not desirable. In that case, we also have the ability to let these connections establish. When I am confronted with incidents where TLS is not supported from a host that contains sensitive data, I have been successful in reaching out to that organization and letting them know they are not complying with Transport Layer best practices.
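As an added example (not from the original post or from SonicWall’s products) of the detection the paragraph describes, the Python below parses a TLS ServerHello record to recover the negotiated protocol version and cipher suite, then applies a hypothetical policy: block SSL 3.0, TLS 1.0 and TLS 1.1, and block cipher suites built on NULL, EXPORT, RC4, DES or MD5, unless the host is on an explicit exception list (the “let these connections establish” case). The cipher suite subset, the policy thresholds and the constructed ServerHello records are assumptions made for this example.

```python
import struct
from dataclasses import dataclass

# Wire versions. SSL 2.0 uses a different record layout, so it never parses
# here and is therefore rejected before any policy check.
VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

# A handful of IANA cipher suite codes, enough to exercise the policy (assumed subset).
CIPHER_SUITES = {
    0x0001: "TLS_RSA_WITH_NULL_MD5",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
}

# Hypothetical policy: anything older than TLS 1.2, or any suite built on a
# broken primitive, is blocked unless the host is on the exception list.
MIN_VERSION = 0x0303
WEAK_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5")


@dataclass
class ServerHello:
    version: int        # negotiated version; for TLS 1.3 taken from the extension
    cipher_suite: int


def parse_server_hello(record: bytes) -> ServerHello:
    """Extract the negotiated version and cipher suite from one TLS ServerHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello message")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 2 + 32 + 1:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                       # skip server_version and random
    pos += 1 + hello[pos]              # skip session_id
    if pos + 3 > len(hello):
        raise ValueError("truncated ServerHello")
    cipher_suite = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + 1                       # skip cipher_suite and compression_method
    if pos + 2 <= len(hello):          # optional extensions block
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_len, len(hello))
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            # supported_versions (0x002B): TLS 1.3 leaves 0x0303 in the legacy
            # version field and carries the real version here.
            if ext_type == 0x002B and ext_size == 2 and pos + 2 <= end:
                version = struct.unpack("!H", hello[pos:pos + 2])[0]
            pos += ext_size
    return ServerHello(version, cipher_suite)


def evaluate(hello: ServerHello, host: str = "", exceptions=frozenset()):
    """Return (decision, reasons); decision is 'allow', 'block' or 'allow-exception'."""
    reasons = []
    if hello.version < MIN_VERSION:
        reasons.append("deprecated protocol " + VERSION_NAMES.get(hello.version, hex(hello.version)))
    name = CIPHER_SUITES.get(hello.cipher_suite, f"unknown suite 0x{hello.cipher_suite:04x}")
    if any(marker in name for marker in WEAK_MARKERS):
        reasons.append("weak cipher suite " + name)
    if not reasons:
        return "allow", reasons
    return ("allow-exception" if host in exceptions else "block"), reasons


def build_server_hello(version: int, cipher_suite: int, supported_version=None) -> bytes:
    """Assemble a constructed ServerHello record (zero random, empty session id) for offline tests."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00"
    hello += struct.pack("!H", cipher_suite) + b"\x00"
    if supported_version is not None:
        ext = struct.pack("!HHH", 0x002B, 2, supported_version)
        hello += struct.pack("!H", len(ext)) + ext
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake


if __name__ == "__main__":
    # Constructed sample servers; "legacy-intranet" is on the exception list.
    samples = {
        "legacy-intranet": build_server_hello(0x0300, 0x0005),
        "modern": build_server_hello(0x0303, 0xC02F),
        "tls13": build_server_hello(0x0303, 0x1301, supported_version=0x0304),
    }
    for host, record in samples.items():
        print(host, evaluate(parse_server_hello(record), host, {"legacy-intranet"}))
```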

When networks are breached, sometimes the only time you find out is when the compromised devices “phone home.” In doing so they will use encryption. Trojans, malware and botnets leverage command and control centers for updates and orders. They use non-standard ports and are not typically web connections. SonicWall inspection is not dependent on port numbers or browsers; it covers all ports. Every packet in each direction is inspected, securing your network.

The next time someone comes into your office and asks you, “What keeps you up at night,” don’t fall into this fear trap. With SonicWall, sleep soundly. Protect More and Fear Less.

SonicWall Protects Customers from the Latest Massive WannaCry Ransomware Attack

Note: This blog was updated on Monday, May 15.

First, if you are a SonicWall customer and you are using our Gateway Anti-Virus, Intrusion Prevention service and Capture Advanced Threat Protection, then your SonicWall firewall has been protecting your network from WannaCry ransomware and the worm that spreads it since 17 April, 2017. Since the release of the first version of the code, we have identified several new variants and have released additional countermeasures. We will continue to update this blog as our Capture Labs research team uncovers more information and as additional protection is automatically rolled out to our customers’ firewalls.

Here’s more:

The Attack

This massive ransomware attack became infamous by shutting down a number of hospitals in the UK’s National Health Service (NHS) system and thus preventing patients from receiving critical care. The attack hit over 100 countries across the world with an untold number of victims. WannaCry is a combination of a Trojan/ransomware and a worm that leverages an SMB file sharing protocol exploit named EternalBlue. The Shadow Brokers leaked EternalBlue in April 2017 as part of a bigger dump of NSA-developed exploits. This exploit affects various versions of Microsoft Windows operating systems, including a number of versions that are in end-of-life status. Although Microsoft released a large number of patches on March 14 to address this vulnerability, the attack remains dangerous as many organizations have not applied the patch.

The first version of the worm/ransomware package had a kill switch that was accidentally used to disable the worm feature, which slowed its advance on Friday, 12 May 2017. However, new variants are appearing in the wild without this weakness. While the first version of the worm code can no longer spread the ransomware code, systems encrypted by WannaCry 1.0 will remain encrypted. Unfortunately, there is no known decryption method to recover files affected by WannaCry without paying cyber criminals (which is not advised).

Since Friday, 12 May 2017, SonicWall’s Capture Labs has released six new signatures to block all known versions of WannaCry. It is also worth noting that SonicWall security services on the firewall have built-in protections against the many components of this code, ranging from blocking contact with WannaCry Command and Control (C&C) servers to blocking attempts at exploitation of any unpatched SMB Microsoft vulnerabilities (such as EternalBlue).

WannaCry Ransomware

The Protection

SonicWall Capture Labs analyzed the EternalBlue attack in mid-April immediately after the Shadow Brokers file dump and rolled out protection for all SonicWall firewall customers well in advance of the first public attack.  All known versions of this exploit can be blocked from SonicWall protected networks via active next-generation firewall security services.

As a SonicWall customer, ensure that your next-generation firewall has an active Gateway Security subscription to receive automatic real-time protection from known ransomware attacks such as WannaCry. Gateway Security includes Gateway Anti-virus (GAV), Intrusion Prevention (IPS), Botnet Filtering, and Application Control. This set of technology has signatures against WannaCry (part of GAV), protections against vulnerabilities outlined in Microsoft’s security bulletin MS17-010 (part of IPS), and it blocks communication with the C&C servers where WannaCry’s payload comes from (part of botnet filtering).

Since SonicWall Email Security uses the same signatures/definitions as Gateway Security, we can effectively block the emails that deliver the initial route to infection. Ensure all email security services are also up to date to block malicious emails. Since 65% of all ransomware attacks happen through phishing emails, this needs to be a major focus when giving security awareness training. Additionally, customers with SonicWall Content Filtering Service should activate it to block communication with malicious URLs and domains, which works in a similar way to how Botnet Filtering disrupts C&C communication.

As a best practice always deploy Deep Packet Inspection of all SSL/TLS (DPI-SSL) traffic since more than 50% of malware is encrypted. This will enable your SonicWall security services to identify and block all known ransomware attacks. Enabling DPI-SSL also allows the firewall to examine and send unknown files to SonicWall Capture Advanced Threat Protection for multi-engine processing to discover and stop unknown ransomware variants.

View our webpage to learn more about how SonicWall protects against ransomware.

WannaCrypt Signatures

The most recent list of GAV/IPS signatures against EternalBlue and WannaCrypt as of 14 May 2017 at 11:45 AM PST

What’s Next

The party behind this attack has already released several variations of this attack for which we have established protections in place (see above). To ensure you are safe from newly developed updates and similar copycat attacks, first apply the Windows patch provided by Microsoft listed in the resources section. Second, apply Capture Advanced Threat Protection (Capture ATP), SonicWall’s multi-engine network sandbox, to examine suspicious files coming into your network to discover and stop the latest threats, just as we did with Cerber ransomware. Enable the service’s Block Until Verdict feature to analyze all files at the gateway to eliminate malware before it can enter your network. Additionally, Capture Labs will continue to email customers Sonic Alerts on new threats.

Finally, phishing emails are the most common delivery mechanism for ransomware. It is possible that future variants of this ransomware will be delivered via emails. SonicWall’s email security solution uses Advanced Reputation Management (ARM) to inspect not only the sender IP but also the message content, embedded URLs and attachments. In addition, make sure you enable SPF, DKIM and DMARC advanced email authentication to identify and block spoofed emails and protect against spam and phishing attacks. For the best possible protection against such attacks, deploy SonicWall’s email security solution with the Capture ATP service to inspect every email attachment in a multi-engine sandbox environment.
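Enabling SPF and DMARC only helps if the published records actually tell receivers to reject spoofed mail. The following is an added Python example, not SonicWall code, that audits constructed SPF and DMARC TXT records for an assumed domain (example.net) and reports settings that still let spoofed mail through; DKIM is left out because checking it needs a live signed message.

```python
# Constructed example DNS TXT records for an assumed domain (example.net); not real lookups.
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
STRONG_SPF = "v=spf1 ip4:192.0.2.10 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.net"
STRONG_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.net"

def parse_dmarc_tags(record):
    """Split a DMARC record ('tag=value; tag=value') into a dict, ignoring empty parts."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(record):
    """Return findings for an SPF record; an empty list means unlisted senders are rejected."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    last = terms[-1].lower()
    if last == "-all":
        return []
    if last == "~all":
        return ["SPF: ends in ~all (softfail), so spoofed mail is marked but not rejected"]
    return ["SPF: no -all mechanism, so unlisted senders are not rejected"]

def check_dmarc(record):
    """Return findings for a DMARC record; an empty list means receivers are told to enforce."""
    tags = parse_dmarc_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: no v=DMARC1 record"]
    findings = []
    policy = tags.get("p", "none")
    if policy not in ("quarantine", "reject"):
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if int(tags.get("pct", "100")) < 100:
        findings.append("DMARC: pct below 100 applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports are not collected")
    return findings

def audit_domain(spf_record, dmarc_record):
    """Combine both checks for one domain; an empty list is the enforcing configuration."""
    return check_spf(spf_record) + check_dmarc(dmarc_record)
```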

Apart from the SonicWall security protections in place (listed above), as a best practice we recommend disallowing or blocking inbound SMB traffic (TCP 445, UDP ports 137-138 and TCP 139) and RDP traffic coming from the internet on edge-facing firewalls. If such access is required, implement a secure remote access solution such as IPsec or SSL-VPN with proper authentication mechanisms in place.

Apply vulnerability patches on servers and PCs as recommended in the Microsoft MS17-010 bulletin (listed above and below), disable SMBv1 communication (allow access via SMBv2/v3 only), and monitor for any suspicious activity on TCP 445.
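The two recommendations above, blocking inbound SMB/RDP at the edge and monitoring TCP 445, can be checked against firewall connection logs. This is an added Python example, not SonicWall code; it runs over a constructed key=value log (the field names and the RFC 1918 definition of "internal" are assumptions) and reports allowed internet-to-watched-port connections plus external sources touching TCP 445 on several internal hosts.

```python
import ipaddress
from collections import defaultdict

# Services the post says to block inbound from the internet (SMB/NetBIOS) plus RDP.
WATCHED_PORTS = {
    ("tcp", 445): "SMB",
    ("tcp", 139): "NetBIOS-SSN",
    ("udp", 137): "NetBIOS-NS",
    ("udp", 138): "NetBIOS-DGM",
    ("tcp", 3389): "RDP",
}
# Assumption: RFC 1918 ranges are internal; any other source is treated as the internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed sample connection log (key=value fields); not real firewall output.
SAMPLE_LOG = """\
2017-05-14T10:01:02 src=203.0.113.7 dst=10.0.0.5 proto=tcp dport=445 action=allow
2017-05-14T10:01:03 src=203.0.113.7 dst=10.0.0.6 proto=tcp dport=445 action=allow
2017-05-14T10:01:04 src=203.0.113.7 dst=10.0.0.7 proto=tcp dport=445 action=drop
2017-05-14T10:02:00 src=10.0.0.12 dst=10.0.0.5 proto=tcp dport=445 action=allow
2017-05-14T10:03:10 src=198.51.100.9 dst=10.0.0.20 proto=tcp dport=3389 action=allow
2017-05-14T10:04:00 src=198.51.100.9 dst=10.0.0.20 proto=tcp dport=443 action=allow
2017-05-14T10:05:00 src=203.0.113.7 dst=10.0.0.8 proto=udp dport=137 action=allow
"""
def parse_line(line):
    """Split one log line into a dict; the timestamp is the first token, the rest are key=value."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    return {"src": fields["src"], "dst": fields["dst"], "proto": fields["proto"],
            "dport": int(fields["dport"]), "action": fields["action"]}
def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)
def find_exposed(log_text):
    """Allowed connections from the internet to a watched port: the edge rule is missing or bypassed."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        svc = WATCHED_PORTS.get((ev["proto"], ev["dport"]))
        if svc and ev["action"] == "allow" and is_external(ev["src"]):
            hits.append((ev["src"], ev["dst"], svc))
    return hits
def find_scanners(log_text, min_targets=3):
    """External sources touching TCP 445 on several internal hosts (allowed or dropped) look like worm or scan activity."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if (ev["proto"], ev["dport"]) == ("tcp", 445) and is_external(ev["src"]):
            targets[ev["src"]].add(ev["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}
```

Dropped connections are deliberately counted in find_scanners, since a source sweeping 445 across hosts is worth alerting on even when the firewall already blocks it.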

Resources

CeBIT 2017: Real-Time Breach Prevention with SonicWall, Your Partner in Cybersecurity

Join SonicWall at CeBIT 2017 on the 20-24th of March, in Hannover, Germany.

With “Experience the Digital Transformation” as this year’s theme, IT Security will be at the forefront of the visitors’ agenda, alongside other leading-edge technologies, such as artificial intelligence, humanoid robots and applications of virtual reality. But security can’t be an afterthought! It’s at the core of everything organizations do. Without it, they can’t grow, can’t move forward and can’t innovate. Without effective security, too often, organizations default to inaction, to not moving forward. And they will have no choice but to say NO to their digital transformation.

The explosion of advanced threats is rendering legacy network security solutions obsolete. Ransomware, zero-day threats, encrypted malware and other attacks expose organizations to breaches that threaten business viability and compliance requirements. This creates the need for a new breed of network security solutions that deliver more than just breach detection. Organizations require breach prevention capable of handling threats delivered by any vehicle including web and email, over encrypted or unencrypted traffic, across any network including wired and wireless, and for not only PCs but tablets, smartphones and IoT devices.

As an exhibitor in Hall 6, Stand E03, SonicWall with five of its German partners – Data_Sec, Tarador, Die Netz-Werker, Pallas and Synexus – will demonstrate cutting-edge network security solutions that enable our customers to stay ahead of cybercriminals in the continually evolving cyber arms race, allowing them to embrace their digital transformation whilst meeting their compliance requirements.

Speaking of which, the General Data Protection Regulation – GDPR – goes into effect in May 2018. It will affect companies of all sizes, in all regions and in all industries that hold EU citizens’ personal information. Victims of a data breach once the GDPR is in effect risk significant fines (up to 20 million euros or four percent of their global revenues) and a loss of reputation that could bring the business to its knees. So don’t put off early consideration of GDPR: the scale, complexity, cost and business criticality of GDPR mean that it will take most companies a long time to achieve full compliance. Start now if you haven’t done so.

SonicWall’s on-site presentations (we will have more than 45 exciting presentations), demos (including live hacking sessions) and experts will empower you and your organization to defend your networks against the numerous attacks targeting their weak spots. You will definitely want to see a demo of our award-winning multi-engine sandbox, SonicWall Capture ATP, which scans network traffic to prevent zero-day and advanced threats. We will show how we can block unknown files until Capture reaches a verdict, which is made possible by a highly effective multi-engine sandbox. Near real-time verdicts are rendered by our highly efficient GRID cloud threat network. Our next-gen firewalls also detect malware using SSL or TLS encryption to cloak malicious behavior, C&C communication and exfiltration.

Because email is a constant target for attacks, we will showcase our revolutionary technology for email security that now integrates with our award-winning Capture Advanced Threat Protection (ATP) Service. SonicWall’s Email Security solutions allow you to deploy a next-gen solution to protect email files, stop phishing and block ransomware. Don’t miss the opportunity to speak to our experts and learn how you can block spoofed email and zero-day attacks with our hosted service or our on-premises enterprise email security solutions.

Today’s ever-growing number of connected devices used by mobile workers and vendors requires organizations to rethink their needs for IoT security. SonicWall’s access security and network segmentation deliver the right level of access to your mobile workers and reduce the threat surface. Proper network segmentation is required for critical business apps and data to ensure better protection. With our Secure Mobile Access solutions, you can define granular access policies, enforce multi-factor authentication and monitor all activities for compliance.

Start securing your digital transformation with SonicWall, Stand E03 in Hall 6, where you will be able to experience first-hand how SonicWall next-gen firewalls, access security and email security offer the power to be competitive and fearless.

We are looking forward to seeing you soon. Bis bald, as they say in Germany!

Before you go, be sure to download our threat report.

Understand the Risks Online Shopping During Black Friday Poses to Your Network

As I was driving home the other day one of my children spotted a house with old Halloween decorations on it. With the holidays coming, it’s a good reminder of the potential impact they can have on an organization. Black Friday, Cyber Monday and the weekend in between kick off the unofficial holiday shopping season which goes until the end of the year. Add in Thanksgiving and we’re looking at a lengthy period of consumer shopping, much of which is done online.

Let’s take a look at some of the numbers to put this into perspective. According to the National Retail Federation (NRF), in 2015:

  • Holiday sales increased 3% to over $625B
  • Seven in 10 retailers reported an increase in their overall holiday sales revenue
  • 81% saw an increase in online sales
  • Mobile, including both phones and tablets, accounted for 30.4% of online sales
  • Black Friday had the highest sales revenue for 68% of retailers, regardless of channel, while Cyber Monday saw the highest online/mobile sales

The expectation for 2016 is similar – higher sales and an increase in the use of mobile devices for online shopping which is great news for retailers. Interestingly, despite the growth in mobile transactions, the NRF found that online purchases using desktops still brought in the highest transaction size during the 2015 holiday season. Either way, there continues to be a transition toward online purchasing even when consumers collect their items at the store.

In an earlier blog I touched on three potential impacts online shopping by employees during Black Friday and other holidays can have on organizations – loss of productivity, bandwidth consumption and network security. Let’s take a closer look at the effect it can have on security.

No matter the device they use – desktop computer, laptop, tablet or smartphone – anytime employees shop online at work over the corporate network it introduces risk. Inadvertently downloading malware from websites, even those that are known to be legitimate sites, is a very real danger. Hackers are continually finding new ways to develop more sophisticated versions of threats such as viruses, worms, and Trojans that can evade detection. One tactic they use to deliver these threats is phishing emails which lure recipients into clicking on a link in an email that appears to be legitimate. Once the employee complies, the malware is downloaded onto the device and it can spread throughout a network. Phishing emails are very popular during the holidays, often disguised as retailer promotions. According to a Prosper Insights & Analytics Post-Holiday Consumer Survey, 24% of respondents said they visited a website they shopped on last holiday season through an email promotion. Clearly hackers have learned that email promotions are popular with online shoppers.

Another threat you’re likely to hear more about during the holiday season is ransomware. This attack uses malware that denies access to data or systems unless the victim pays a ransom to the cybercriminal. Without access to files, data or entire systems most organizations can’t function. Some victims pay the ransom and if only a few systems are affected the cost can be manageable. But imagine the price if you have hundreds or even thousands of networked devices. It’s enough to put some organizations out of business.

Whether we like it or not, employees will use the devices available to them to shop online during Black Friday and other holidays. When they do it from the office or store, most likely they will use your organization’s network to connect to the Internet and this introduces risk. Fortunately there are steps every organization can take to secure their network and protect themselves and their customers from threats like phishing attacks and ransomware during the holiday online buying season. Deploying a SonicWall next-generation firewall with our Capture Advanced Threat Protection service stops unknown and zero-day threats before they can enter your network.

If you would like to learn more about the threats online shopping at work poses to security, bandwidth and productivity, download and read our executive brief, “How Black Friday puts your network at risk.”

Download Executive Brief

Infographic: 300 Companies Defend Their Data from Zero-Day Threats with SonicWall Capture

To understand how SonicWall Capture Advanced Threat Protection Service (ATP) protects the average company we looked at the data for 300 networks. SonicWall Capture ATP examines suspicious code and files to discover never-before-seen zero-day attacks. So, in one day, how many of these new variants did Capture find? See the infographic below to see what you could be up against without it. Read more about SonicWall Capture in my earlier blog: We are Sparta; the Battle to Defend Our Data From Invaders. Already a fan of SonicWall Capture? Share the infographic with your followers.

Infographic on zero-day threats