Posts

Catching Cerber Ransomware

Since the release of SonicWall Capture Advanced Threat Protection (Capture ATP) in August 2016 on SonicWall firewalls, we have seen a lot of unique behavior from authors of malicious code, namely ransomware.  Up until Christmas 2016, Locky received a lot of attention from security firms but then took a backseat during the holiday season.  One thing I noticed around that time was that a ransomware variant called Cerber would actually be one of the more persistent pups in the litter.  I started seeing Cerber show up on Capture ATP’s daily reports and wanted to understand why we were still catching this on the sandbox instead of the firewall.

In short, we were catching this on the firewall because our GRID network was creating a large amount of signatures for Cerber, but what I was seeing were “updated” versions of Cerber being caught in the wild; as many as two versions a day.  This was done to get around Cerber signatures created to stop older versions of itself. To make things more interesting, these Cerber variants were utilizing seven different tactics to evade detection.

The image above is a snippet of a very long report that partly shows what Cerber wants to do.  Did you notice the seven different evasion tactics?  Malware did not do this in the past; at least one that I remember fondly.  In that past, the security industry was really trying to get the upper hand with the “explosive growth” of malicious code that was being authored and wanted to use virtual environments to run and test code.  About five years ago, the industry introduced the network sandbox to the market and it was a hit, because we now had a tool where we could run potentially malicious code in an isolated environment to see if we could white or blacklist it.

So, do you think that hackers folded up their laptops and found real jobs?  Nope, they learned how to evade them, the real essence of what a hacker truly is.  If you read third-party reports on network sandboxing, you will read skeptical and bearish reports about its effectiveness and ability to evade a sandbox at a medium difficulty.  When you see the image above, you have to believe that the reports are real and Cerber’s evasion tactics rank up there with some of the best I have seen recently; truly an advanced persistent threat. So why am I able to show this to you?  Although it is evading other sandboxes, it is not able to get past ours.  But how?

In short, we leverage a multi-engine sandbox that first runs suspicious code through a set of pre-filters that analyzes the code and compares it against a real-time list to see if anyone we collaborate with knows about it.  This step eliminates a lot of newly minted malware within milliseconds; almost at the same speed as lightning strikes the Earth.

After that, the code will go through a parallel set of engines that will help us determine what a new batch of code wants to do from the application, to the OS, to the software that resides on the hardware.  We run it through virtualized sandboxing, hypervisor level analysis and full-system emulation.  Naturally, when we get to this point it does take a little time but it’s worth it.  Look at the image below. This is a screen shot that was actually taken by Capture ATP so we can see what your desktop would look like if you didn’t have this level of protection.

Simple Tips for Network Sanity: Patch Tuesday, Exploit Wednesday and Uninstall Thursday

Today I’d like to talk a little bit about our partnership with Microsoft and patch management. In a previous life I was a network/sysadmin. A brief description of that role was “If it has a blinking light on it, I am responsible for it,” which meant on most days I felt like I was living in the middle of a sci-fi movie, surrounded by demanding technology.

When you live in a hair-on-fire environment like that, keeping up with Microsoft patches can be painful. You can set them to automatically download and install and you should be good, that is unless the patch breaks something or even worse – it breaks everything.

When you have business-critical applications that are legacy or just plain old, patching can break them. If that app in question is the bread and butter of the business, patching can bring down the entire company. On the other hand, not patching for known vulnerabilities can be just as bad, if not worse.

There is an old saying: Patch Tuesday, Exploit Wednesday, and Uninstall Thursday.  Microsoft normally releases patches on the second Tuesday of the month, so Exploit Wednesday is when the cyber criminals have analyzed the details from Tuesday and deliver code to exploit the systems that haven’t been updated. Uninstall Thursday is the day you finally figure out that it was the Tuesday patch that broke your mission-critical system and you need to uninstall it to get things back to normal.

To say it is a Catch-22 would be an understatement. How do you stop the insanity? We, SonicWall, have partnered with Microsoft in a program call MAPP. Microsoft gives us  advance knowledge of what will be patched prior to Tuesday so that we have signatures in place to protect our customers who just can’t patch on Tuesday.

Should you patch on Tuesday? Yes, you should absolutely patch on Tuesday or any other day Microsoft releases a patch. But if there are times you just can’t, we can help protect you until you can. Assisting with patches is one of the many little things we have been doing quietly in the background for years that most people are unaware of. Now you know we have you covered when you are stuck in this Catch-22. The biggest take away is that you should patch. I can’t stress that enough: patch, patch, patch! But if you can’t, know that we are already behind the scenes, helping to keep your network safe.

Visit SonicWall GRID Threat Network for MAPP bulletins.

For the Security Advisories for MAPP, you can click here.

SonicWall Capture ATP Stands Up Against Malware Test

What would happen if you gathered five days of newly discovered malware and unleashed it upon an end-point protected by SonicWall?

I have been working with SonicWall firewalls for 10 years, and I was beta testing SonicWall Capture as part of my role here as an escalation engineer. Since we are big believers in drinking our own champagne, I was testing on my home network. I logged in and stared at it for days but it just did nothing. I was starting to get concerned. Did it just not work? Was there a bug? I was sure it was configured properly, but still – nothing. Then I realized I was not downloading anything malicious enough to trigger it. My wife does Facebook and the banking I hangout on sites like blog.sonicwall.com. The cat does hop on the keyboard at times but other than that, we’re not downloading much malware.

I hatched a plan to download as much malware as possible. I scoured the internet and found a python script that did exactly this. It was a bit broken and I had to hack it up a bit to make it work, but in no time I was downloading thousands of potential viruses at a time. Super excited, I logged back in and navigated to the Capture feature and found that it actually did something: it analyzed two files and tagged them as clean.

This was making me sad, so I started digging a little deeper. After combing through the logs, I determined that the vast majority of what I was trying to download was being caught by all the other security services. As an example, some of the files were hosted on known botnets so they were blocked by the botnet filter before they even had a chance to hit the Capture engine. I turned off all the security things and ran my script again.

Once again, I logged into Capture with my fingers crossed and lo and behold, this thing was lit up like a Christmas tree. “OK so now I know it works,” I thought to myself. Next, I dug around a little bit and once I was satisfied, I shut my script down. Every time I tested a new firmware version I fired up the script to verify that it worked and then shut it down again.

A few weeks ago I was running the script, putting SonicWall Capture Advanced Threat Protection (ATP) through a rigorous test and I showed a few people, who showed a few other people, who thought it would be a good idea to show it to you guys.  The result of that is this video with an awesome introduction by my buddy Brook Chelmo, SonicWall Capture’s senior product marketing manager. Brook is great at explaining all the bits and pieces that make this work. Just watch the video and you’ll see what I mean.

[embedyt] http://www.youtube.com/watch?v=vzSJtuLwiIA&width=600&height=400[/embedyt]

In order for us to get the maximum number of malicious files, we turned off several safety mechanisms (e.g. botnet filtering) on the SonicWall next-gen firewall management console and ran a python script that pulled potential malware from a number of sites. The results were outstanding, and we identified a number of pieces of malware that were previously unknown to us and that would not have been caught without SonicWall Capture ATP.

Learn how SonicWall Capture ATP Service eliminates malware through the technology chain from the internet to the end-point. This is a security service you can purchase for your SonicWall next-gen firewall. Although most of the potential malware was stopped by SonicWall Gateway Anti-Virus (because it was known to us), a handful of malicious code was discovered by the SonicWall Capture ATP network sandbox.  The video above dives into the reports generated for malware discovered in sandbox pre-filtering, as well as SonicWall Capture ATP’s multi-engine processing.

Critical Business Threats: Ransomware and Employee Online Shopping

According to a recent PWC survey, 54 percent of respondents buy products online every month. And millions of employees shopped online yesterday with their work devices on business networks. The critical business threat: Will any of your business computers or networks get infected with malware when employees make personal online purchases?

We believe so, and our SonicWall Global Response Intelligent Defense (GRID) network research backs this up.

Good News: Chip Cards Are Working

Research gathered through the SonicWall GRID Network indicates that the new chip-and-sign credit cards and point of sale (POS) systems are more effective than legacy technologies in detecting and blocking breaches. After big data breaches at retailers like Target and Home Depot, many retailers upgraded to chip-based POS systems.

Whenever new malware is discovered, we create a software signature set that is automatically propagated to all of our customers’ firewalls, to help keep their systems safe from attack. In 2014, before the new chip cards and POS systems, our team released 14 new POS-related malware signature sets.

In 2015, this number decreased to nine new POS malware signature sets. And in 2016 to-date, after the broad adoption of chip-based cards and readers, we have only had to release a single new signature.

Bad News: SPAM Is Now a Huge Business Threat

As POS systems have become harder to hack, the bad guys are looking for more efficient ways to steal online. Falling back on the tried and true email-based phishing attacks, personal shopping phishing emails are now a real threat to your business systems and networks.

Our email security research team observes that SPAM email usually increases in volume significantly during Cyber Week, starting the week before Black Friday, then drops off after Cyber Monday. Our numbers show a dramatic 2x increase in SPAM this year from 2015. In the run-up to Thanksgiving and Black Friday we saw 110 percent growth, increasing to 143 percent growth through Cyber Monday.

One of our SPAM honeypots collected the following data for Cyber Week:

  • Average number of SPAM messages 2015: 33,725 a day
  • Average number of SPAM messages 2016: 82,888 a day

More Bad News: Ransomware Targets Businesses

Increasingly we are finding that if malware makes it into your business network, it will be ransomware. First released in 1989, ransomware can infect your system and lock out users from accessing devices or files. When the victim pays a ransom (usually electronic money or bitcoins) the device can be unlocked by the hackers. Needless to say, ransomware can put your business-critical data and systems at risk.

Network Security Must-Haves

Online shopping will only continue to grow, especially over holidays, so it’s important to be proactive to keep your business systems protected. Along with monitoring employee access and updating policies, here are some must-haves.

  • Ensure your firewall is next-generation with content filtering on, including encryption scanning and packet filters; your goal is to monitor and inspect all incoming data and stop ransomware
  • Consider a cloud-based protection service like our Capture Advanced Threat Protection Service; a good one will speed up your response time, leverage the power of multiple engines to stop zero-day attacks, and automate remediation
  • Manage network bandwidth to limit or stop streaming; streaming is one of the easiest ways to let malware in
  • We strongly recommend EV SSL certificates for every external business website
  • Vet your SSL certificates and sources, to ensure they are publicly rooted and aren’t bringing in malware from the dark web
  • Audit your SSL certificates regularly to ensure they are up to date
  • It goes without saying but back up your data regularly; if ransomware does infect your network you will need to quickly access business-critical data

Online Shopping Safety for Consumers

  • If you don’t have one yet, upgrade to a chip-based credit card
  • Always look for an EV SSL certified logo on sites you shop
  • Use mobile devices (tablets or phones) and shop with store apps from businesses you know and trust; these apps are vetted and tested
  • Avoid shopping on sites with a Windows-based laptop; Windows is the most targeted operating system (OS) for hackers
  • Remain on the site until you complete a transaction; don’t follow redirects
  • Stay current with the latest OS software updates on your devices so you have the latest security patches; always update from the trusted site of the software provider, not a third-party site or a pop up
  • Update your apps regularly, especially ones that you provide sensitive data to: credit card numbers, banking and health information
  • Create complex, hard-to-crack passwords and keep them in a secure place
  • Change your passwords often and keep them hidden ­– not on sticky notes on your computer

Higher Education Makes Cybersecurity a High Priority – Are You Prepared?

Digital natives predominantly compose the student body at today’s education institutions, and technological advancements have created unprecedented opportunities for personalized learning. BYOD and other emerging technologies have allowed school districts, colleges, and universities to become more effective, inclusive, and collaborative.

With the proliferation of devices now on the network, however, IT administrators are now faced with the enormous task of empowering end-users to capitalize on the benefits of increased mobility and connectivity, while also ensuring the integrity of the organization’s network and data. In our current threat environment, it is more critical than ever that schools, colleges and universities develop an overarching, end-to-end security approach that aligns with the institution’s mission.

A recent SonicWall survey, conducted in partnership with the Center for Digital Education, targeted higher education IT professionals, including executives (CIO, CISO, VP of IT, etc.), IT Directors and network managers to assess the state of network security on college campuses. A key takeaway from the study, however unsurprising, is that 73 percent of respondents rank cybersecurity high or very high among their institution’s technology priorities.

Just as cybersecurity has become a priority across industry and government, higher education institutions are shining a brighter spotlight on security – and for good reason. While educational institutions rank their ability to detect and block cyber attacks relatively high, with 65 percent citing their abilities as good or excellent, only 17 percent indicate that they have not experienced a network breach/incident in the past year. This statistic is indicative of the fact that cyber threats are continuing to increase in both frequency and sophistication in every industry.

In response to the growing threat of data breaches, 77 percent of survey respondents indicate they expect to spend more on network security in the next 12 months and 63 percent expect to spend more on secure access to data and applications. This is an encouraging statistic, as it reflects increased awareness around the need to strengthen security and mitigate risk.

In our hyper-connected world, a strong security posture is a strategic investment for education at all levels. IT administrators and decision makers across the education industry need to address the continually growing role of technology on campus by implementing end-to-end security solutions that protect all data and endpoints, old and new. Holistic, end-to-end security that utilizes identity access management, next-gen firewalls, endpoint security and efficient patch management allows school districts, colleges and universities to confidently and securely offer the benefits of increased mobility and other IT advances to their faculty and students.

For more details from the survey, view the on-demand webcast “Network Security in Education: The changing landscape of campus data security.” In this November 2015 webinar, Larry Padgett of the School District of Palm Beach County reviews how his district – the 10th largest in the United States — is leveraging people, processes, and SonicWall next-generation firewalls to protect a network serving 189,000 students and staff in nearly 200 sites. SonicWall Security’s Ken Dang joins Larry in this Education Dive webinar.