Posts

Catching Cerber Ransomware

Since the release of SonicWall Capture Advanced Threat Protection (Capture ATP) in August 2016 on SonicWall firewalls, we have seen a lot of unique behavior from authors of malicious code, namely ransomware.

Up until Christmas 2016, Locky received a lot of attention from security firms but then took a backseat during the holiday season. One thing I noticed around that time was that a ransomware variant called Cerber would actually be one of the more persistent pups in the litter.  I started seeing Cerber show up on Capture ATP’s daily reports and wanted to understand why we were still catching this on the sandbox instead of the firewall.

In short, we were catching this on the firewall because SonicWall’s Capture Labs research team was creating a large amount of signatures for Cerber, but what I was seeing were “updated” versions of Cerber being caught in the wild; as many as two versions a day.  This was done to get around Cerber signatures created to stop older versions of itself. To make things more interesting, these Cerber variants were utilizing seven different tactics to evade detection.

The image above is a snippet of a very long report that partly shows what Cerber wants to do. Did you notice the seven different evasion tactics?  Malware did not do this in the past; at least one that I remember fondly. In that past, the security industry was really trying to get the upper hand with the “explosive growth” of malicious code that was being authored and wanted to use virtual environments to run and test code.  About five years ago, the industry introduced the network sandbox to the market and it was a hit, because we now had a tool where we could run potentially malicious code in an isolated environment to see if we could white or blacklist it.

So, do you think that attackers folded up their laptops and found real jobs? Nope, they learned how to evade them, the real essence of what a hacker truly is. If you read third-party reports on network sandboxing, you will read skeptical and bearish reports about its effectiveness and ability to evade a sandbox at a medium difficulty. When you see the image above, you have to believe that the reports are real and Cerber’s evasion tactics rank up there with some of the best I have seen recently; truly an advanced persistent threat. So why am I able to show this to you? Although it is evading other sandboxes, it is not able to get past ours. But how?

In short, we leverage Capture ATP, a multi-engine sandbox that first runs suspicious code through a set of pre-filters that analyzes the code and compares it against a real-time list to see if anyone we collaborate with knows about it.  This step eliminates a lot of newly minted malware within milliseconds; almost at the same speed as lightning strikes the Earth.

After that, the code will go through a parallel set of engines that will help us determine what a new batch of code wants to do from the application, to the OS, to the software that resides on the hardware. We run it through real-time deep memory inspection, virtualized sandboxing, hypervisor level analysis and full-system emulation. Naturally, when we get to this point it does take a little time but it’s worth it.

Simple Tips for Network Sanity: Patch Tuesday, Exploit Wednesday and Uninstall Thursday

Today I’d like to talk a little bit about our partnership with Microsoft and patch management. In a previous life I was a network/sysadmin. A brief description of that role was “If it has a blinking light on it, I am responsible for it,” which meant on most days I felt like I was living in the middle of a sci-fi movie, surrounded by demanding technology.

When you live in a hair-on-fire environment like that, keeping up with Microsoft patches can be painful. You can set them to automatically download and install and you should be good, that is unless the patch breaks something or even worse – it breaks everything.

When you have business-critical applications that are legacy or just plain old, patching can break them. If that app in question is the bread and butter of the business, patching can bring down the entire company. On the other hand, not patching for known vulnerabilities can be just as bad, if not worse.

There is an old saying: Patch Tuesday, Exploit Wednesday, and Uninstall Thursday.  Microsoft normally releases patches on the second Tuesday of the month, so Exploit Wednesday is when the cyber criminals have analyzed the details from Tuesday and deliver code to exploit the systems that haven’t been updated. Uninstall Thursday is the day you finally figure out that it was the Tuesday patch that broke your mission-critical system and you need to uninstall it to get things back to normal.

To say it is a Catch-22 would be an understatement. How do you stop the insanity? We, SonicWall, have partnered with Microsoft in a program call MAPP. Microsoft gives us  advance knowledge of what will be patched prior to Tuesday so that we have signatures in place to protect our customers who just can’t patch on Tuesday.

Should you patch on Tuesday? Yes, you should absolutely patch on Tuesday or any other day Microsoft releases a patch. But if there are times you just can’t, we can help protect you until you can. Assisting with patches is one of the many little things we have been doing quietly in the background for years that most people are unaware of. Now you know we have you covered when you are stuck in this Catch-22. The biggest take away is that you should patch. I can’t stress that enough: patch, patch, patch! But if you can’t, know that we are already behind the scenes, helping to keep your network safe.

Visit SonicWall GRID Threat Network for MAPP bulletins.

For the Security Advisories for MAPP, you can click here.

Critical Business Threats: Ransomware and Employee Online Shopping

According to a recent PWC survey, 54 percent of respondents buy products online every month. And millions of employees shopped online yesterday with their work devices on business networks. The critical business threat: Will any of your business computers or networks get infected with malware when employees make personal online purchases?

We believe so, and our SonicWall Global Response Intelligent Defense (GRID) network research backs this up.

Good News: Chip Cards Are Working

Research gathered through the SonicWall GRID Network indicates that the new chip-and-sign credit cards and point of sale (POS) systems are more effective than legacy technologies in detecting and blocking breaches. After big data breaches at retailers like Target and Home Depot, many retailers upgraded to chip-based POS systems.

Whenever new malware is discovered, we create a software signature set that is automatically propagated to all of our customers’ firewalls, to help keep their systems safe from attack. In 2014, before the new chip cards and POS systems, our team released 14 new POS-related malware signature sets.

In 2015, this number decreased to nine new POS malware signature sets. And in 2016 to-date, after the broad adoption of chip-based cards and readers, we have only had to release a single new signature.

Bad News: SPAM Is Now a Huge Business Threat

As POS systems have become harder to hack, the bad guys are looking for more efficient ways to steal online. Falling back on the tried and true email-based phishing attacks, personal shopping phishing emails are now a real threat to your business systems and networks.

Our email security research team observes that SPAM email usually increases in volume significantly during Cyber Week, starting the week before Black Friday, then drops off after Cyber Monday. Our numbers show a dramatic 2x increase in SPAM this year from 2015. In the run-up to Thanksgiving and Black Friday we saw 110 percent growth, increasing to 143 percent growth through Cyber Monday.

One of our SPAM honeypots collected the following data for Cyber Week:

  • Average number of SPAM messages 2015: 33,725 a day
  • Average number of SPAM messages 2016: 82,888 a day

More Bad News: Ransomware Targets Businesses

Increasingly we are finding that if malware makes it into your business network, it will be ransomware. First released in 1989, ransomware can infect your system and lock out users from accessing devices or files. When the victim pays a ransom (usually electronic money or bitcoins) the device can be unlocked by the hackers. Needless to say, ransomware can put your business-critical data and systems at risk.

Network Security Must-Haves

Online shopping will only continue to grow, especially over holidays, so it’s important to be proactive to keep your business systems protected. Along with monitoring employee access and updating policies, here are some must-haves.

  • Ensure your firewall is next-generation with content filtering on, including encryption scanning and packet filters; your goal is to monitor and inspect all incoming data and stop ransomware
  • Consider a cloud-based protection service like our Capture Advanced Threat Protection Service; a good one will speed up your response time, leverage the power of multiple engines to stop zero-day attacks, and automate remediation
  • Manage network bandwidth to limit or stop streaming; streaming is one of the easiest ways to let malware in
  • We strongly recommend EV SSL certificates for every external business website
  • Vet your SSL certificates and sources, to ensure they are publicly rooted and aren’t bringing in malware from the dark web
  • Audit your SSL certificates regularly to ensure they are up to date
  • It goes without saying but back up your data regularly; if ransomware does infect your network you will need to quickly access business-critical data

Online Shopping Safety for Consumers

  • If you don’t have one yet, upgrade to a chip-based credit card
  • Always look for an EV SSL certified logo on sites you shop
  • Use mobile devices (tablets or phones) and shop with store apps from businesses you know and trust; these apps are vetted and tested
  • Avoid shopping on sites with a Windows-based laptop; Windows is the most targeted operating system (OS) for hackers
  • Remain on the site until you complete a transaction; don’t follow redirects
  • Stay current with the latest OS software updates on your devices so you have the latest security patches; always update from the trusted site of the software provider, not a third-party site or a pop up
  • Update your apps regularly, especially ones that you provide sensitive data to: credit card numbers, banking and health information
  • Create complex, hard-to-crack passwords and keep them in a secure place
  • Change your passwords often and keep them hidden ­– not on sticky notes on your computer