Trendmicro : Phishing Attacks and Ransomware

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about schemes used in phishing and other email-based attacks. Also, learn how ransomware continues to make a significant impact in the threat landscape.

Read on:

New Report Finds 25% of Phishing Attacks Circumvent Office 365 Security

As email remains a common infection vector because of how easily it can be abused, attackers continue to take advantage of it by crafting threats that are persistent in nature and massive in number.

New Twist in the Stuxnet Story

What a newly discovered missing link to Stuxnet and the now-revived Flame cyber espionage malware add to the narrative of the epic cyber-physical attack.

Cybersecurity Proposal Pits Cyber Pros Against Campaign Finance Hawks

A Federal Election Commission proposal aims to help presidential and congressional campaigns steer clear of hacking operations by allowing nonprofits to provide cybersecurity free of charge.

New Sextortion Scheme Demands Payment in Bitcoin Cash

Trend Micro researchers uncovered a sextortion scheme targeting Italian-speaking users. Based on IP lookups of the spam emails’ senders, they appear to have been sent via the Gamut spam botnet.  

This Free Tool Lets You Test Your Hacker Defenses

Organizations will be able to test their ability to deter hackers and cyberattacks with a free new tool designed by experts at the UK’s National Cyber Security Centre to prepare them against online threats including malware, phishing and other malicious activities.

Ransomware Hits County Offices, Knocks The Weather Channel Offline

On April 18, the systems of The Weather Channel in Atlanta, Georgia, were infected by ransomware, disrupting the channel’s live broadcast for 90 minutes. 

Hacker Finds He Can Remotely Kill Car Engines After Breaking Into GPS Tracking Apps

A hacker broke into thousands of accounts belonging to users of two GPS tracker apps, giving him the ability to monitor the locations of tens of thousands of vehicles and even turn off the engines for some of them while they were in motion.

Uncovering CVE-2019-0232: A Remote Code Execution Vulnerability in Apache Tomcat

Trend Micro delves deeper into this vulnerability by expounding on what it is, how it can be exploited, and how it can be addressed. 

Hacker Dumps Thousands of Sensitive Mexican Embassy Documents Online

A hacker stole thousands of documents related to the inner workings of the Mexican embassy in Guatemala and posted them online.

Cybersecurity: UK Could Build an Automatic National Defense System, Says GCHQ Chief

The UK could one day create a national cyber-defense system built on sharing real-time cybersecurity information between intelligence agencies and business, the head of the UK’s Government Communications Headquarters said at CYBERUK 19.

Do you think the new hacker defenses tool will decrease the number of cyber-attacks targeted at organizations and public sectors? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

source:
https://blog.trendmicro.com/this-week-in-security-news-phishing-attacks-and-ransomware/

Trendmicro : Keep Your Smart Home Safe

Keep Your Smart Home Safe: Here’s What You Can Do Today to Secure Your Products

The Internet of Things (IoT) is transforming the way we live, work and play. You can find it in the fitness trackers you might be wearing to monitor step count and heart rate. Or the car you may be driving. But more than anywhere else, you’ll see IoT at home in an increasing array of gadgets: from voice-activated smart speakers to internet-connected baby monitors.

It’s estimated that 14.2 billion connected “things” like these are in use globally in 2019, which will rise to 25 billion in a couple of years’ time. There’s just one problem: if not properly secured, they could present hackers with new opportunities to sneak into your smart home through the cyber-front door.

So what are the risks—and how can you protect your home?

Governments take action

First, some good news: as consumers’ homes fill with ever-greater numbers of smart gadgets, governments are aware of the growing risks of cyber-attacks. In the US, California is leading the way with new legislation designed to force manufacturers to improve the security of their products. SB-327 introduces minimum requirements such as forcing each user to set a unique device password the first time they connect.

Following hot on the heels of the Golden State is the federal government. Introduced in March, the bipartisan Internet of Things (IoT) Cybersecurity Improvement Act of 2019 doesn’t cover all IoT makers, only ones which sell products to the government. However, it is hoped that the law will have a knock-on effect with the wider industry, encouraging other manufacturers to raise their standards.

But it’s not only the US that is making moves to safeguard IoT users. The UK in May introduced a proposed new law designed to force manufacturers to adhere to key security requirements, covering things like unique passwords and security updates. In addition, retailers will only be allowed to sell devices with a clear label telling consumers how secure they are.

While Trend Micro welcomes any government moves to make smart home gadgets more secure, the truth is that it will take a while for these laws to take effect—and even longer for them to have an impact on the firms designing and building our connected devices. The US federal proposal will require a separate standards body to hunker down and draw up its requirements first, which could take months. There’s also a risk that when new laws take effect, the hackers will simply move on to use new tactics not legislated for.

That’s why consumers must act now to secure their smart home. Below we list some of the key threats and how to take action.

What’s the problem?

The more smart gadgets there are in your home, the greater the number of potential targets for hackers. Devices could be hijacked if attackers manage to guess or crack the passwords protecting them, or exploit flaws in the underlying software (firmware) that runs them.

This is made easier because some devices don’t require a user to install a password; they simply run with an easy-to-guess factory default. Many manufacturers also don’t issue regular updates (patches) either, or if they do, it’s hard for users to find out about and install them. And unlike your laptop/desktop and mobile devices, these IoT endpoints are typically too small to install AV on, further exposing them.

Finally, it’s not just the devices themselves that are at risk, but also the complex, underlying automation systems that link them together behind the scenes. This complexity creates gaps that bad guys are adept at exploiting.

So, to simplify, there are three main threat vectors facing home networks:

1) Physical danger

Devices could be remotely controlled by attackers to surveil the family. For example, by hijacking feeds from smart security cameras, or other sensors around the house such as smart door and window locks, burglars could work out when the property is empty. They could even remotely unlock doors or windows, if these are internet-connected — for example by cloning the owner’s voice and playing commands via your home assistant.

Cases have been reported in the past of hackers remotely monitoring smart homes. In one incident, a baby monitor was hacked and used to broadcast threats to the parents; while more extensive hacks of home security cameras have had their video content streamed online.

2) Data loss and malware

These same devices are also a potential gateway into the home network, which could allow hackers to grab passwords for your key online accounts like banking and email. Any data they collect on you can be sold on the dark web and used for future identity fraud. The router is in many ways the digital gateway to your smart home — the place where all your internet traffic passes through. That makes it particularly vulnerable to these kinds of attack. As well as data theft, hackers could be looking to spread malware such as ransomware and banking trojans.

One major router threat spotted in 2018 was VPNFilter—information-stealing malware which infected at least half a million routers globally by exploiting vulnerabilities in the devices.

3) Hijacked devices become botnets

In another scenario, your smart home gadgets and router are hijacked and remotely controlled not to install ransomware or steal data from your family, but to use in attacks on others. Typically, they become part of a botnet of controlled machines which are programmed to do the bidding of the hackers. This could range from launching denial-of-service (DoS) attacks on businesses to illegally mining for crypto-currency.

The most famous example of this kind of attack came in 2016, when the Mirai campaign managed to hijack tens of thousands of IoT devices by scanning for any exposed to the internet and protected only with factory default passwords. In an infamous attack, it managed to take out a key online provider, resulting in outages at some of the biggest sites on the internet, including Twitter and Netflix.

What to do next

All that said, there are some simple steps you can take today to help reduce your exposure to IoT threats. It should begin with taking time out to understand how your devices work. Are they password protected? How are they updated? Are they running unnecessary services which may expose them to attackers? A bit of research before you buy and install them will also go a long way to keeping you safe.

Here are a few best practice tips to get you started:

  • Change factory default passwords to strong and unique credentials.
  • Switch on two-factor authentication for even more log-in protection, if offered.
  • Regularly check for firmware updates and apply them as soon as they’re available. This may require you to visit the manufacturer’s website from time to time.
  • Use WPA2 on your routers for encrypted Wi-Fi.
  • Disable UPnP and any remote management features.
  • Set up a guest network on your router, which will help protect your main network, its devices and data, from network worms and other malware inadvertently introduced by guests.
  • Protect your computers and smartphones with AV and only download legitimate smart home apps.

How Trend Micro can help

Trend Micro is here to offer you peace-of-mind when it comes to protecting your smart home. The first step is diagnostic: download our Housecall™ for Home Networks tool to check your network. It will run a comprehensive scan on all your smart home gadgets, highlighting any vulnerabilities and other risks, and providing helpful advice for keeping your network and devices secure.

Next up, install Trend Micro Home Network Security (HNS) for comprehensive protection on all your home devices. It blocks dangerous file downloads and malicious websites, protects your personal/financial data from theft, and will keep ransomware, phishing and other threats at bay. HNS provides instant threat notifications, lets you disconnect any unwanted devices from your network, and offers full control over your devices from your Android or iOS smartphone with the paired HNS monitoring app.

Watch our Trend Micro Home Network Security videos to find out more about how HNS helps protect your network.

Source:
https://blog.trendmicro.com/keep-your-smart-home-safe-heres-what-you-can-do-today-to-secure-your-products/

OpenDNS setup on iOS 11 devices

This Knowledge Base article will show you how to set up your iOS device to use OpenDNS.

Note:

These instructions only work for Wi-Fi connections because iOS does not allow you to change the DNS servers when connected to cellular networks. Also, the changes are network specific, so you'll need to change the DNS servers every time you connect to a new wireless network. The good news is that iOS remembers the settings, so you won't have to repeat these changes whenever you reconnect to a known network.

Also, this works the same on all iOS devices.

Changing your iOS device DNS settings:

  1. From the iOS device home screen, tap Settings.
  2. Tap Wi-Fi, ensure it is enabled and your wireless network is connected.
  3. Tap the (i) symbol next to your wireless network, as shown below.

    [Screenshot: iPad_1.png]

  4. The screen shown below appears. Tap the Configure DNS field.

    [Screenshot: iPad_2.png]

  5. Ensure Manual is selected and delete the current DNS servers by tapping the delete symbol next to each one.

    [Screenshot: iPad_3.png]

  6. Tap Add Server and enter the first OpenDNS resolver, 208.67.222.222. Repeat this step to add the second resolver, 208.67.220.220, as shown below.

  7. Tap Save to exit the menu.

    [Screenshot: iPad_4.png]

That's it! You've updated your iOS device DNS servers!


source:
https://support.opendns.com/hc/en-us/articles/228008947-IOS-11-Configuration-for-OpenDNS

Sonicwall Zero Touch Deployment Firewall

SonicWall® Zero-Touch
Deployment Guide
March 2019
SonicWall network security appliances are Zero-Touch enabled. Zero-Touch makes
it easy to register your unit and add it to SonicWall Capture Security Center or
SonicWall GMS On-Premise for management and reporting. This document
describes the Zero-Touch deployment process.
Topics:
• Deploying with Zero-Touch (CSC Management)
• Deploying with Zero-Touch (GMS On-Premise)
Deploying with Zero-Touch (CSC Management)
1) Register:
• Point your browser to https://cloud.sonicwall.com and log into your MySonicWall account or create an account.
• In Capture Security Center, click the mySonicWall tile to launch the MySonicWall Dashboard.
• Click the Add Product button to launch the QUICK REGISTER dialog and then type in the serial number of your SonicWall appliance. Click Confirm.
You can find the serial number and authentication code on the shipping box or appliance label.
• In the REGISTER A PRODUCT dialog, fill in the Friendly name and Authentication code, and select the Tenant Name. By default, all products are placed under SonicWall Products Tenant.
• Click Register.
2) Enable Zero-Touch and CSC Management and Reporting:
• MySonicWall recognizes your appliance model and displays the Zero Touch option. Enable Zero Touch and then click Register again. A success message is displayed to indicate Zero-Touch readiness.
• In MySonicWall, navigate to Product Management > My Products, select the appliance, and click the Try button to enable the license for CSC Management and Reporting (if not enabled already). A success message displays.
3) Connect and Power On:
• For a wireless appliance, connect the antennas.
• Connect the X1 interface to your WAN network.
NOTE: The appliance must be able to obtain an IP address via DHCP from the WAN connection or ISP modem. If you need to use a static IP address, refer to the Quick Start Guide for your appliance.
• Power on the unit.
CSC Management automatically acquires the unit (it can take up to 30 minutes for initial acquisition). Once the unit is acquired, you can begin management.
To view the status of your appliance:
• In MySonicWall, pull down the curtain for Capture Security Center.
• Using the same Tenant as you selected during registration, click the Management tile.
• Click the appliance serial number or friendly name under DEVICE MANAGER to display its status.
Getting the Latest Firmware for the Firewall
1. In Capture Security Center, click the mySonicWall tile.
2. Navigate to Resources & Support > My Downloads and select your product firmware from the Product Type drop-down menu.
3. Click the link for the firmware you want and save the file to a location on your computer.
4. Pull down the curtain for Capture Security Center.
5. Using the same Tenant as you selected during registration, click the Management tile.
6. In DEVICE MANAGER, click on the appliance in the left pane.
7. In the center pane, go to the Register/Upgrades > Firmware Upgrade page.
8. Click the Choose File button to select the firmware you just downloaded, then click Upgrade from Local File.
Deploying with Zero-Touch (GMS On-Premise)
PREREQUISITE: GMS 8.7 or higher is required. Be sure that your GMS system is Zero-Touch enabled. Refer to the knowledge base article at:
https://www.sonicwall.com/support/knowledge-base/?sol_id=190205183052590
1) Register:
• Log into your MySonicWall account or create an account at www.mysonicwall.com.
• Click the Add Product button to launch the QUICK REGISTER dialog and then type in the serial number of your SonicWall appliance. Click Confirm.
You can find the serial number and authentication code on the shipping box or appliance label.
• In the REGISTER A PRODUCT dialog, fill in the Friendly name and Authentication code, and select the Tenant Name. By default, all products are placed under SonicWall Products Tenant.
• Click Register.
2) Enable Zero-Touch:
• MySonicWall recognizes your appliance model and displays the Zero Touch option. Enable Zero Touch.
• Select the desired GMS Public IP from the GMS Server Public IP/FQDN drop-down list. The ZeroTouch Agent Public IP/FQDN field is populated with the associated IP address.
IMPORTANT: Verify that both of these IP addresses are the same as those you configured during the prerequisite process.
• Click Register.
3) Connect and Power On:
• For a wireless appliance, connect the antennas.
• Connect the X1 interface to your WAN network.
NOTE: The appliance must be able to obtain an IP address via DHCP from the WAN connection or ISP modem. If you need to use a static IP address, refer to the Quick Start Guide for your appliance.
• Power on the unit.
GMS automatically acquires the unit (it can take up to 30 minutes for initial acquisition). Once the unit is acquired, you can begin management.
To view the status of your appliance:
• Log into GMS and navigate to the FIREWALL view.
• Click on the appliance in the left pane to display the status.
Getting the Latest Firmware for the Firewall
1. In a web browser, navigate to www.mysonicwall.com.
2. Navigate to Resources & Support > My Downloads and select your product firmware from the Product Type drop-down menu.
3. Click the link for the firmware you want and save the file to a location on your computer.
4. In GMS, navigate to the FIREWALL view and click on the appliance in the left pane.
5. In the center pane, go to the Manage > Register/Upgrades > Firmware Upgrade page.
6. Click the Choose File button to select the firmware you just downloaded, then click Upgrade from Local File.
SonicWall Support
Technical support is available to customers who have purchased SonicWall products with a valid maintenance contract and to customers who have trial versions.
The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year. To access the Support Portal, go to https://www.sonicwall.com/support.
The Support Portal enables you to:
• View knowledge base articles and technical documentation
• View video tutorials
• Access MySonicWall
• Learn about SonicWall professional services
• Review SonicWall Support services and warranty information
• Register for training and certification
• Request technical support or customer service
To contact SonicWall Support, visit https://www.sonicwall.com/support/contact-support.
Source:
https://www.sonicwall.com/support/technical-documentation/zero-touch-deployment-guide.pdf

Attackers Use Legacy IMAP Protocol to Bypass Multifactor Authentication in Cloud Accounts, Leading to Internal Phishing and BEC


Threats to cloud-based applications have been growing, and passwords — the traditional method used to secure accounts — are often no longer enough to protect users from the dangers that they potentially face. The need for more comprehensive security in cloud-based applications has led to vendors offering multifactor authentication (MFA) as an integral feature of their products and services. By using MFA, users limit the risk that an attacker will gain control of their accounts by spreading authentication across multiple devices.

However, while MFA provides an additional layer of security for protecting account access, it’s not a fool-proof feature. For example, a recent study from Proofpoint examined brute-force attacks against user accounts in major cloud services. The attacks reportedly took advantage of legacy email protocols, phishing, and credential dumps to bypass MFA.

Notably, attackers were able to abuse legacy protocols — most commonly the IMAP authentication protocol — to bypass even multifactor authentication. The study noted that the IMAP protocol can be abused under certain situations, such as when users employ third-party email clients that do not have modern authentication support. IMAP abuse can also be performed in two other cases: when the targets do not implement application passwords, and when it is done against shared email accounts where IMAP is not blocked and/or MFA cannot be used. The report also said these attacks can often go undetected, since they look like isolated failed logins rather than external attempts. Threat actors use these accounts as entry points into the system, after which lateral movement is carried out via internal phishing and BEC to expand their reach within the organization.

The six-month study saw over 72 percent of cloud tenants being targeted at least once by attackers, while 40 percent had at least one compromised account within their system. Even more concerning, 15 out of every 10,000 active user accounts were successfully breached. Hijacked servers and routers were used as the main attack platforms, with the network devices gaining access to approximately one new tenant every 2.5 days during a 50-day period.

Roughly 60 percent of the tenants involved in the study that were using Microsoft Office 365 and G Suite were targeted with the password-spraying attacks via IMAP, and 25 percent fell victim to a successful breach.
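The reason these IMAP sprays look like ordinary failed logins is that each account sees only one or two failures, so per-account lockout rules never trigger; the correlation has to pivot on the source address instead. The following Python script is an added example, not code from the article, Proofpoint or Trend Micro: it runs that correlation over a few constructed authentication log lines (the line format, field names and IP addresses are assumptions made for this example), flags a source that fails over legacy IMAP against many distinct accounts within a short window, and then lists any account that later authenticated successfully over IMAP from that source, which is the foothold the article describes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the article). The line format and field
# names are assumptions for this example; the addresses come from the documentation ranges
# 203.0.113.0/24 and 198.51.100.0/24.
SAMPLE_LOG = """
2019-03-04T09:00:00 proto=IMAP src=203.0.113.9 user=alice@example.com result=failure
2019-03-04T09:00:07 proto=IMAP src=203.0.113.9 user=bob@example.com result=failure
2019-03-04T09:00:15 proto=IMAP src=203.0.113.9 user=carol@example.com result=failure
2019-03-04T09:00:22 proto=IMAP src=203.0.113.9 user=dave@example.com result=failure
2019-03-04T09:00:30 proto=IMAP src=203.0.113.9 user=erin@example.com result=failure
2019-03-04T09:00:38 proto=IMAP src=203.0.113.9 user=shared-finance@example.com result=success
2019-03-04T09:01:00 proto=IMAP src=203.0.113.9 user=frank@example.com result=failure
2019-03-04T09:05:00 proto=MODERN_AUTH src=198.51.100.4 user=alice@example.com result=failure
2019-03-04T09:05:20 proto=MODERN_AUTH src=198.51.100.4 user=alice@example.com result=success
2019-03-04T10:30:00 proto=IMAP src=198.51.100.77 user=grace@example.com result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped rather than aborting the pass."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def max_imap_failures_per_account(events):
    """Per-account view, i.e. what a lockout rule sees. In a spray every account fails
    only once or twice, so account-based thresholds never fire."""
    counts = defaultdict(int)
    for e in events:
        if e["proto"] == "IMAP" and e["result"] == "failure":
            counts[e["user"]] += 1
    return max(counts.values(), default=0)


def detect_spray(events, window=timedelta(minutes=30), min_distinct_users=5):
    """Source-based view: flag a source IP whose legacy-IMAP failures hit at least
    `min_distinct_users` distinct accounts inside any span of length `window`.
    Returns {src_ip: peak number of distinct accounts seen in one window}."""
    by_src = defaultdict(list)
    for e in events:
        if e["proto"] == "IMAP" and e["result"] == "failure":
            by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits within `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) >= min_distinct_users:
                alerts[src] = max(alerts.get(src, 0), len(users))
    return alerts


def imap_successes_from_sprayers(events, alerts):
    """Accounts that authenticated successfully over IMAP from a flagged source:
    the likely entry points for the internal phishing and BEC described above."""
    return sorted({e["user"] for e in events
                   if e["src"] in alerts and e["proto"] == "IMAP" and e["result"] == "success"})


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("max IMAP failures for any single account:", max_imap_failures_per_account(events))
    alerts = detect_spray(events)
    print("spraying sources:", alerts)
    print("accounts to review:", imap_successes_from_sprayers(events, alerts))
```

On the sample data the per-account view peaks at a single failure per mailbox, while the source view flags 203.0.113.9 with six distinct accounts in under a minute and points at the shared finance mailbox as the one to review. The window and account thresholds are tunable; in a real tenant the input would be the provider's sign-in log rather than this constructed string, and blocking legacy authentication outright removes the path entirely.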

As more companies across industries adopt cloud-based services, it’s expected that cybercriminals will go after accounts for cloud-based platforms. Once an account has been compromised, whether through hacking or brute force, the account could be used to communicate with executives and their staff. Internal BEC emails could trick the targets into transferring funds and personal or corporate data or downloading malicious files. Compromised email accounts, for example, had been found replying to email threads to deliver malware. These BEC attempts can be difficult to detect given that they come from legitimate (though compromised) email accounts.

A feature such as MFA is only one part of an effective multilayered security implementation. Organizations looking to boost their security can start with these best practices:

  • Passwords still have a role to play as a component of multifactor authentication. Ensure that users have passwords that are strong and regularly changed to stay protected from brute-force attacks. This could include using at least 12 characters with a mix of upper and lowercase letters, numbers, and special characters. Ask users to avoid common or easily guessable passwords, or passwords that contain obvious information such as names or birthdates.
  • Educate employees on how to identify phishing attacks. Common indicators that an email is a phishing attempt include suspicious-looking email addresses and the presence of misspellings and typographical errors.
  • Furthermore, attackers often try to make their phishing attempts as convincing as possible. Thus, users should avoid giving out personal and company information unless they are absolutely certain that the person or group they are communicating with is legitimate.
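The password guidance in the list above is easiest to enforce at the point where a user sets a password. The following Python checker is an added example, not code from the article or from any Trend Micro product: it applies the length and character-class rules stated above, rejects common passwords even when a user appends digits or symbols to them, and refuses passwords that embed the user's own name or birth year. The denylist is a constructed, deliberately short stand-in for the large breached-password corpus a real deployment would use.

```python
import re

# Constructed denylist for illustration only; a production check would consult a large
# breached-password corpus. Nothing here comes from the article.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "summer"}


def normalize(candidate):
    """Lower-case and strip the trailing digits/symbols users bolt onto a common word
    ("Password123!" -> "password") so trivial variants hit the denylist too."""
    return re.sub(r"[0-9!@#$%^&*]+$", "", candidate.lower())


def password_issues(candidate, user_attributes=()):
    """Return the list of policy violations for `candidate`; an empty list means it passes.
    `user_attributes` holds values that must not appear in the password (name, birth year, ...)."""
    issues = []
    if len(candidate) < 12:
        issues.append("shorter than 12 characters")
    for pattern, label in ((r"[a-z]", "lowercase letter"), (r"[A-Z]", "uppercase letter"),
                           (r"[0-9]", "digit"), (r"[^A-Za-z0-9]", "special character")):
        if not re.search(pattern, candidate):
            issues.append(f"missing a {label}")
    if normalize(candidate) in COMMON_PASSWORDS:
        issues.append("common password or a trivial variant of one")
    lowered = candidate.lower()
    for attr in user_attributes:
        attr_str = str(attr).lower()
        # ignore very short attributes, which would match almost anything
        if len(attr_str) >= 4 and attr_str in lowered:
            issues.append(f"contains personal information: {attr!r}")
    return issues


def is_acceptable(candidate, user_attributes=()):
    """Convenience wrapper for a set-password handler: True only when no rule is violated."""
    return not password_issues(candidate, user_attributes)


if __name__ == "__main__":
    profile = ("alice", "1985")  # constructed user attributes: first name and birth year
    for sample in ("Correct-Horse-Battery-9", "Password123!", "alice1985", "Welcome1!"):
        print(f"{sample!r}: {password_issues(sample, profile) or 'OK'}")
```

Returning the full list of violations rather than a bare boolean lets the application show the user every rule they missed in one round, which in practice reduces the number of near-miss passwords people settle on.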

Given that cybercriminals use compromised accounts and internal BEC emails, organizations should also consider the use of security solutions designed to combat the growing threat. Trend Micro’s existing BEC protection uses AI, including expert rules and machine learning to analyze email behavior and intention. The new and innovative Writing Style DNA technology goes further by using machine learning to recognize the DNA of an executive’s writing style based on past written emails. Designed for high-profile users who are prone to being spoofed, Writing Style DNA technology can detect forged emails when the writing style of an email does not match that of the supposed sender. The technology is used by Trend Micro™ Cloud App Security™ and ScanMail™ Suite for Microsoft® Exchange™ solutions to cross-match the email content’s writing style to the sender’s by taking into account the following criteria: capital letters, short words, punctuation marks, function words, word repeats, distinct words, sentence length, and blank lines, among 7,000 other writing characteristics.

Source
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/attackers-use-legacy-imap-protocol-to-bypass-multifactor-authentication-in-cloud-accounts-leading-to-internal-phishing-and-bec

Easier Wi-Fi Planning, Security and Management from the Cloud

Wi-Fi access is ubiquitous, but it’s not always easy to plan, deploy, secure and manage, especially for distributed businesses and enterprises.

SonicWall believes there’s an easier approach. Our product teams have revamped our Wi-Fi management solutions with innovation at its foundation. Top-of-mind during the entire process, our focus was on evolving our Wi-Fi technology in four key areas: security, performance, simplicity and intuitiveness.

On paper, those sound obvious. But we wanted to be sure the execution matched the vision — to remove all the complexity without impacting the end-user experience. The outcome of this effort is four new SonicWall wireless solutions:

  • SonicWall WiFi Cloud Manager
  • SonicWall SonicWave 200 Series Wireless Access Points
  • SonicWiFi Mobile App
  • SonicWall WiFi Planner

Intuitive wireless management for the next era

One of the constant nightmares for network admins is an unmanageable network. As your network expands, policies change and threats increase, it is often difficult to keep pace.

Discovering an outage only after it has happened — or malware after it has creeped into your network — is disastrous. SonicWall arms you with the right tool to gain insights into your network to keep pace with changing network requirements.

SonicWall WiFi Cloud Manager is an intuitive, scalable and centralized Wi-Fi network management system suitable for networks of any size. With simplified management, wireless analytics is richer and easily accessible from anywhere with an internet connection. The cloud-based management solution is designed to be user-friendly and resilient while simplifying access, control and troubleshooting capabilities.

With a fresh UI, WiFi Cloud Manager can be accessed via SonicWall Capture Security Center to deliver powerful features and simplified onboarding via the cloud from a single pane of glass. Centralized visibility and control over SonicWall’s wired and wireless networking hardware reduces complexity and the need for costly overlay management systems. It also can be deployed across multiple regions for greater network visibility into distributed enterprises.

For network admins on the go, SonicWall introduces the SonicWiFi mobile app to set up and monitor your network. Easily onboard your APs and set up mesh with this app. It is available on iOS and Android.

Advanced wireless security — with or without a firewall

Organizations, big and small, need secure wireless solutions for extending connectivity to employees, customers and guests. The new SonicWave 200 series wireless access points deliver enterprise-level performance and security with the range and reliability of 802.11ac Wave 2 technology at an affordable price.

Built on industry-leading next-gen security, these APs feature a dedicated third radio for security scanning. In fact, advanced security features like Content Filtering Service (CFS) and the Capture Advanced Threat Protection (ATP) sandbox service can be performed on the AP itself, enabling organizations to mitigate cyberattacks even where firewalls aren’t deployed.

SonicWave 200 access points are available in three options, including 231c for indoor, 231o for outdoor and 224w for wall-mount requirements.

Manage dozens or even thousands of SonicWave wireless access points from anywhere you have an internet connection via the cloud or through the firewalls, providing you ultimate flexibility.

The SonicWall WiFi Cloud Manager provides you a single-pane-of-glass view of your entire wireless network. SonicWave access points also support SonicWall Zero-Touch Deployment, which allows the access points to be automatically identified and registered. SonicWiFi mobile app also lets you set up, manage and keep track of your network.

SonicWave access points leverage mesh technology to negate complexity from wireless expansion, especially at remote or distributed locations. Mesh networks are easy to set up, effortless to expand, and require fewer cables and less manpower to deploy, reducing installation costs. The new push-and-snap mounting bracket further adds to the ease of installation.

Easily plan and deploy your wireless networks

IT administrators often hear complaints about unreliable Wi-Fi connectivity leading to poor user experiences. This is mostly because Wi-Fi networks are not designed correctly to begin with. AP placements could be wrong, there may be radio frequency barriers or there simply isn’t enough capacity and coverage.

SonicWall WiFi Planner is a simple, easy-to-use, advanced wireless site survey tool that enables you to optimally design and deploy a wireless network for enhanced wireless user experience.

This tool lets you customize your settings per your surroundings and requirements to obtain maximum coverage with the fewest number of access points. You can prevent interference in your deployment on a best-effort basis through auto-channel assignment.

With a cloud-based UI, you also have the flexibility to collaborate with global teams. It is ideal for new access point deployments or to ensure excellent coverage in your wireless network. Available at no added cost, SonicWall WiFi Planner is accessible through WiFi Cloud Manager.

Together, these products deliver a powerful wireless solution, paving the way for the next era of wireless security. Welcome to the future of wireless security.

Source
https://blog.sonicwall.com/en-us/2019/02/easier-wi-fi-planning-security-management-from-the-cloud/