The Worst Cyberattacks and Data Breaches of 2019

Put your email address into the have i been pwned? website and see what results you get. How secure do you feel? By 2020, it’s safe to assume that most people with an online presence have had at least some of their Personally Identifiable Information (PII) compromised in a data breach.

SonicWall has been tracking and reporting on major data breaches throughout 2019, and we’ve compiled a list not of the biggest cyberattacks and data breaches of 2019, but of the ones with the worst overall impact, giving us insight into where cyberattacks are heading in 2020.

Notable cyberattacks of 2019

Quest Diagnostics

Breaches that result in the loss of medical data can be damaging because highly personal information may be released, whether that data is the medical records themselves or identifiers such as Social Security numbers that could help a cybercriminal carry out identity theft or even blackmail. With this in mind, 2019 unfortunately set breach records in this category, with the biggest single breach likely being Quest Diagnostics, where 11.9 million patients were affected. Data taken included credit card numbers, medical information and personally identifiable data; lab results were not included, which is a small consolation.

Fortnite

The gaming industry is now bigger than both the entire music industry and Hollywood combined, making it a prime target for cybercriminals. It should come as no surprise then that cyberattackers would aim squarely for one of the biggest games on the planet.

In January 2019, a vulnerability found in Fortnite’s login system allowed hackers to impersonate real players, including viewing chat logs and other in-game details. More worryingly, the vulnerability allowed malicious users to purchase in-game currency using credit cards on file. This currency could then be siphoned off to other, legitimate, accounts — essentially money-laundering.

It is unclear how many accounts were affected, but considering there were over 80 million people logging in to Fortnite a week at the time the vulnerability was discovered, the number of players impacted is potentially huge. The vulnerability was quickly fixed but a class-action lawsuit was launched in August, the same month that a known exploit in Fortnite was used to install ransomware.

The Fortnite vulnerabilities serve as a warning to gamers and the wider gaming industry: you are a target.

US Customs and Border Protection

When U.S. Customs and Border Protection officials announced in June that a federal subcontractor had been hacked, 100,000 global travelers joined the ranks of people who have had their personal information and photos exposed. The hack included a large cache of images of car license plates, often including the face of the driver. The incident stands out as one of the more distinctive cyberattacks on U.S. public institutions in 2019, a year in which the most high-profile attacks were a rash of ransomware attacks on Texas local governments that disrupted services across more than 20 municipalities at once.

Capital One

Over 100 million Americans and 6 million Canadians were affected by the Capital One data breach, where the data taken stretched from 2019 all the way back to 2005. Names, addresses, ZIP codes/postal codes, phone numbers, email addresses, dates of birth and self-reported income were taken in most cases. In addition, 140,000 Social Security numbers, 80,000 linked bank account numbers and 1 million Canadian Social Insurance numbers were all stolen. One estimate of the damage to the financial giant put the cost of the data breach at more than $300 million.

Facebook

As one of the most ubiquitous and data-packed websites on the internet, Facebook is under constant scrutiny. In April and September of 2019, two privacy breaches were discovered that exposed the personal information of around 2 million Facebook users, including phone numbers and passwords. Neither of these events was related to a cyberattack, however; both were discovered by security researchers looking for vulnerabilities in the Facebook web architecture. In December, Facebook again made the headlines when security researcher Bob Diachenko discovered an exposed database containing names, phone numbers and Facebook IDs of more than 267 million Facebook users. In this case, the data had already been posted to a hacker forum for download before the internet service provider could take action and remove access.

Magecart

Magecart makes our list as one of the most widely distributed malware attacks of 2019. A recent count of active Magecart infections claims the malware is affecting over 18,000 website hosts, remarkable considering it is an infection that has been around in one form or another for nearly a decade. Magecart is a supply-chain attack that hijacks the checkout on e-commerce websites: attackers inject skimming JavaScript into the checkout page, often through a compromised third-party script the site already loads, and the script copies card and billing details to an attacker-controlled server as the customer types them in. Major breaches attributed to Magecart groups included British Airways, Ticketmaster UK, Newegg.com and even the Sesame Street store.
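Because a Magecart skimmer rides in on a script the page already loads, the practical defensive check is to find every third-party script on the checkout page that is not pinned with a Subresource Integrity (SRI) hash. The following Python script is an added example, not SonicWall's code or anything from the post above; the page markup, the script body and the first-party host shop.example.com are constructed assumptions.

```python
"""Audit a checkout page for external scripts that are not pinned with Subresource Integrity.

Added example, not SonicWall's code. A Magecart skimmer is JavaScript that runs in the
shopper's browser, typically injected into a script the checkout page already loads
from a third party. Pinning each external script with an integrity hash makes the
browser refuse a modified copy. The page markup and script body below are
constructed sample data; shop.example.com is an assumed first-party host.
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect the attributes of every <script> tag that has a src."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            attrs = dict(attrs)
            if attrs.get("src"):
                self.scripts.append(attrs)


def sri_hash(script_body, algo="sha384"):
    """Return the SRI token for a script body, e.g. 'sha384-<base64 digest>'."""
    digest = hashlib.new(algo, script_body).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def audit_scripts(html, first_party_host):
    """Return one finding per external script: where it comes from and whether it is pinned."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.scripts:
        src = attrs["src"]
        # A relative src (no hostname) is served by the shop itself.
        host = urlparse(src).hostname or first_party_host
        findings.append({
            "src": src,
            "third_party": host != first_party_host,
            "has_integrity": bool(attrs.get("integrity")),
        })
    return findings


def unpinned_third_party(html, first_party_host):
    """Scripts a skimmer could ride in on: third-party and not pinned with integrity."""
    return [f["src"] for f in audit_scripts(html, first_party_host)
            if f["third_party"] and not f["has_integrity"]]


# Constructed sample checkout page: one first-party script, one unpinned third-party
# analytics tag, one payment script pinned with SRI (placeholder digest).
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-analytics.net/tag.js"></script>
<script src="https://cdn.example-payments.com/checkout.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
</head><body></body></html>
"""

# Constructed script body for which a real SRI token is generated.
SAMPLE_SCRIPT = b"window.trackCheckout = function () {};\n"

if __name__ == "__main__":
    for src in unpinned_third_party(SAMPLE_HTML, "shop.example.com"):
        print("unpinned third-party script:", src)
    print("pin tag.js with integrity=", sri_hash(SAMPLE_SCRIPT))
```

Two caveats a practitioner should keep in mind: SRI only protects scripts you can re-pin on every vendor release, so a tag the vendor updates in place will simply stop loading, and a static audit of the HTML cannot see scripts that other scripts load at runtime. A Content-Security-Policy `script-src` allow-list and monitoring of the destinations that checkout pages post form data to are the complements to this check.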

Looking to 2020

As demonstrated throughout 2019, “cyberattack” and “data breach” are broad terms covering a huge range of activities, from poorly maintained databases found exposed online to well-oiled criminal enterprises selling their capabilities as a service. The data indicates that these events are not going to go away any time soon and cybersecurity needs to continue to be a top priority for businesses and organizations everywhere.

As 2020 starts and tensions between the U.S. and Iran have ratcheted up to a fever pitch, security researchers are highlighting the likelihood of cyberwarfare increasingly being used as an instrument of foreign policy. From disrupting elections to attacks on power grids and ransomware attacks targeting government agencies, cybersecurity is firmly establishing itself as the central concern for organizations everywhere.

SonicWall protects organizations from cyberattacks

The growing complexity of attack tactics and the increasing number of exposed surfaces mean that security professionals can no longer treat insider threats and traditional phishing attacks as the only primary attack vectors for data compromise. Every organization needs a layered, defense-in-depth approach, something SonicWall can help with through our automated real-time breach detection and prevention platform.

Some general best practices include:

  • Ensure your cybersecurity strategy is scaled across wired, wireless, cloud and mobile networks, where applicable
  • Leverage next-generation firewalls to mitigate advanced cyber threats
  • Layer cybersecurity controls with cloud sandboxing, such as SonicWall Capture ATP
  • Secure your data in the cloud and protect SaaS environments using SonicWall Cloud App Security
  • Deploy email security controls to help identify and block phishing attempts
  • Map network data to understand what’s most valuable

There’s no question that our list of the worst cyberattacks and data breaches of 2019 tells a dismal story of a rapidly expanding cyber threat landscape. However, by assessing your business’s cybersecurity strategy, ensuring you have a layered approach in place, and improving overall security behavior, it’s possible to protect your business from most data breaches.

 

Source :
https://blog.sonicwall.com/en-us/2020/01/worst-cyberattacks-and-data-breaches-of-2019/

Spear-Phishing Attacks Targeting Office 365 Users, SaaS Applications

Over the course of the last 15 years, cyber threats have gone from urban myths and corporate ghost stories to as mainstream as carjackings and burglaries. There isn’t a business owner of a small restaurant chain or a CEO of a Fortune 500 company who doesn’t think about the fallout of being breached.

I’m not here to tell you how the threats are getting more sophisticated, or how state-sponsored hacker groups are getting more and more funding; you already know that. But what I do want to share with you is something that I’m seeing daily: targeted threats that you may already have witnessed, fallen victim to, or know someone who has: spear-phishing.

Are you an Office 365 user? Do you have customers who are Office 365 users? Are you a managed security service provider (MSSP) that administers Office 365 for your clients? You probably need a solution that applies effective Office 365 security capabilities and controls.

With close to 200 million global users, Office 365 is a target — a big target. And spear-phishing attempts are good. Really good. Recently, Forbes ran a summary of the threat. Alarmingly, today’s most advanced spear-phishing attempts look like they come from your CFO, boss or trusted vendor. They carry credibility with the target and, many times, users take the bait. Money gets wired. Access to accounts is provided. Confidential information is exposed.

Traditional email security isn’t enough protection. Out-of-the-box, cloud-native security services aren’t enough protection. A lean, effective and modern Office 365 security or SaaS security solution is required.

How to stop spear-phishing attacks, advanced cyber threats

SonicWall Cloud App Security (CAS) combines advanced security for Office 365, G Suite and other top SaaS applications to protect users and data within cloud applications, including email, messaging, file sharing and file storage. This approach delivers advanced threat protection against targeted email threats like phishing attacks, business email compromise, zero-day threats, data loss and account takeovers.

CAS also seamlessly integrates with sanctioned SaaS applications using native APIs. This helps organizations deploy email security and CASB functionalities that are critical to protecting the SaaS landscape and ensure consistent policies across cloud applications being used.

Explore the five key reasons CAS may be able to protect your organization from spear-phishing and other advanced attacks.

  • CAS delivers next-gen security for Office 365, protecting email, data and user credentials from advanced threats (including advanced phishing) while ensuring compliance in the cloud
  • Monitor SaaS accounts for indicators of compromise (IOCs), such as data leakage, account takeover, business email compromise (BEC) and fraud attempts
  • Block malware propagation in malicious email attachments and files, whether they are at-rest or traversing a SaaS environment, internally or cloud-to-cloud
  • Prevent data breaches using machine learning and/or AI-based user profiling and behavior analytics for incident detections and automated responses
  • Use Shadow IT discovery to monitor cloud usage in real time, and set policies to block unsanctioned applications

In my over 10 years of observing various attacks and sitting in rooms with customers (not mine, fortunately) who have been breached, I can tell you that you don’t want it ever to be you or your customers. This threat is having more success than any I’ve seen, and these attacks are very recent.

For more information, contact a SonicWall cybersecurity expert or explore the CAS solution in detail.

 

Source :
https://blog.sonicwall.com/en-us/2020/01/spear-phishing-attacks-targeting-office-365-users-saas-applications/

Smarter Cybersecurity: How SecOps Can Simplify Security Management, Oversight & Real-Time Decision-Making

Organizations continue to be alarmed by how easily cybercriminals can circumvent security defenses as malware, ransomware, cryptojacking and phishing attacks make headline news.

In addition, security operations lack visibility and awareness of unsafe network and user activities, network traffic irregularities, and unusual data access and utilization. This exacerbates the situation and creates a dangerous condition where security teams are too late or unable to:

  • Respond to security alerts or incidents at the speed and accuracy they need
  • Conduct thorough and effective investigations
  • Find answers fast enough to take corrective actions

Through close engagements with our top channel partners and key customers, SonicWall learned and understood these challenges first-hand. And through that collaboration, SonicWall developed and introduced the SonicWall Capture Security Center and two powerful risk management tools — Analytics and Risk Meters — to help customers solve these difficult problems.

Govern, comply and manage risk

The Capture Security Center is grounded on three core objectives:

‘Govern Centrally’ focuses on improving operational efficiencies and reducing overhead, while ‘Compliance’ and ‘Risk Management’ concentrate on the business value. These core objectives are interdependent as each leverages a common set of information, processes and technologies that help SecOps establish and deliver a strong, federated security defense and response services at the core of their security program.

Work faster and smarter — with less effort

Capture Security Center is a cloud solution organizations use to avoid the operational overhead associated with software and hardware installation, upgrades and maintenance. This solution provides SecOps teams secure single sign-on (SSO) access to license, provision and manage their entire SonicWall security suite, including network, wireless, endpoint, email, mobile and cloud security products and services.

Think of it as a high-productivity tool that provides authorized users access to all available security services based on their role and access rules. The command console is accessible from any location and from any web-enabled PC. Once signed in, users are automatically granted access to everything, and are able to do everything securely, using one cloud app.

The different tiles (shown below) are exactly what you’ll see when you log in to your Capture Security Center account. Users can easily navigate between tenants presented on the left panel and, on the right panel, manage any licensed cloud services registered to that tenant.

Available in January 2020, Capture Security Center version 1.8 adds the capabilities for security teams described in the two sections that follow.

Study risks and threats in real time with real-world data

SonicWall Risk Meters is a threat monitoring and risk-rating tool we’ve integrated into the Capture Security Center. The tool is available to all SonicWall Capture Security Center customers at no additional cost.

Risk Meters, shown below, gives a direct line of sight into the cyberattacks affecting your security posture. Threat vectors are represented by colored arrows while threat types are shown as icons.

Clicking on an icon pops up an information panel that provides a detailed description of the threat. A tenant drop-down list allows you to view threat metrics at the tenant level. Visibility into the attacks targeting various defense layers helps guide your response to where immediate defensive actions are needed for a specific environment.

The first defense layer captures attacks blocked by the firewalls, the Capture Advanced Threat Protection (ATP) sandbox and the WAF.

The second defense layer reveals attacks targeting your SaaS applications and email environments.

The third defense layer shows threats attacking your users’ devices. The DEFCON and Shield Level ratings displayed at the top-right corner provide the computed risk scores based on existing defense layers. Scores are adjusted as you toggle to activate or deactivate available services.

Taking this a step further, Risk Meters gains several important improvements in Capture Security Center 1.8. A new control panel presents users with customization functionalities to run analysis on a variety of threat data.

This new feature allows “what-if” simulations at a more granular level, to see how the risk score changes when sub-components of a certain layer, or of multiple layers, are added or removed.

Up until this release, risk scores were calculated based solely on security services from SonicWall. To give a more accurate account of customer security environments, CSC now factors in all security controls when calculating the risk scores, including non-SonicWall services.

The Risk Meters Control Panel allows users to configure and weigh third-party security controls into the calculated risk scores. Users can now review trends of different threat types and then compare them against regional and global averages to help identify which threat vectors to focus on and where to prepare their defenses.

Transforming threat data into decisions, decisions into actions

In conjunction with Capture Security Center 1.8, SonicWall releases Analytics 2.5 to introduce a new user-based analytics and reporting function that helps security teams visualize and conduct investigations into users’ actions and application and data usage.

Security teams can monitor or drill down into the security data for more details about user network traffic, access and connections, which applications are being used and which websites are frequently visited.

Also, security teams can investigate attacks that target a certain group of users and bandwidth costs associated with resource utilization to determine if policy-tuning or added configurations are needed to reduce their risk profile or optimize network performance.


About the SonicWall Capture Security Center

Capture Security Center is a scalable cloud security management system that’s a built-in and ready-to-use component of your SonicWall product or service. It features single-sign-on and ‘single-pane-of-glass’ management. It integrates the functionality of the Capture Cloud Platform to deliver robust security management, analytics and real-time threat intelligence for your entire portfolio of network, email, endpoint, mobile and cloud security resources.

Capture Security Center delivers a valuable team resource to help organizations control assets and defend entire networks from cyberattacks. Unify and synchronize updates and support, monitor security risks and fulfill regulatory compliance — all with greater clarity, precision and speed.

Source :
https://blog.sonicwall.com/en-us/2019/12/smarter-cybersecurity-how-secops-can-simplify-security-management/

How to Protect Multi-Cloud Environments with a Virtual Firewall

Virtualization technology is powering a momentous revolution in today’s modern data centers and clouds, leading to designs that are commonly a mix of private, public and hybrid cloud computing environments.

International Data Corporation (IDC) research predicts that more than 90% of organizations will have some portion of their applications or infrastructure running in the cloud by the end of 2024.

As multi-cloud migration happens and organizations embrace technologies such as containers, network virtualization must expand to adequately secure highly dynamic environments ranging from public clouds to private clouds to data centers. Otherwise, organizations face the risks of visibility blind spots and control challenges.

To address this, organizations are implementing cloud security solutions that operate together and are easily managed. The benefits of cloud computing are well known and significant. However, so are the security challenges, exemplified by the many recent high-profile data breaches. Whether stored in a physical data center or in a public, private or hybrid cloud, your data is the hacker’s goal.

Securing the cloud introduces a range of challenges, including a lack of network traffic visibility, unpredictable security functionality and the struggle to keep pace with the rate of change commonly found in cloud computing environments. To be effective, organizations need a cloud security solution that:

  • Identifies and controls network traffic within the cloud based on identity, not the ports and protocols they may use.
  • Stops malware from gaining access to and moving laterally within the cloud.
  • Determines who should be allowed to use the applications, and grants access based on need and credentials.
  • Streamlines deployment and gets a new instance up and running with a click. You do not want to configure each virtual firewall, since that is time-consuming. Ideally, you have a pre-defined configuration pushed to the device and it is up and running.
  • Cost-effectively replaces expensive WAN connection technologies, such as MPLS, with secure SD-WAN.
  • Simplifies administration and minimizes the security policy delay as virtual machines (VM) are added, removed or moved within the cloud environment.

Securing the cloud with SonicWall NSv virtual firewalls

Recently, SonicWall announced a new firmware, SonicOS 6.5.4, on its virtual firewall platforms to provide feature parity with its hardware firewall platform.

SonicWall Network Security virtual (NSv) firewalls now support secure SD-WAN, Zero-Touch Deployment, DNS security, a RESTful API and many more features that help solve the aforementioned problems.

SonicWall NSv firewalls help security teams reduce different types of security risks and vulnerabilities, which can cause serious disruption to business-critical services and operations.

With full-featured security tools and services, including reassembly-free deep packet inspection (RFDPI), security controls and networking services equivalent to what a SonicWall physical firewall provides, NSv effectively shields all critical components of your private/public cloud environments.

NSv is easily deployed and provisioned in a multi-tenant virtual environment, typically between virtual networks (VN). This allows it to capture communications and data exchanges between VMs for automated breach prevention, while establishing stringent access control measures for data confidentiality and VM safety and integrity.

Security threats (such as cross-virtual-machine attacks, common network-based intrusions, and application and protocol vulnerabilities) are mitigated through SonicWall’s comprehensive suite of security services.

All VM traffic is subjected to multiple threat analysis engines, including intrusion prevention, gateway anti-virus and anti-spyware, cloud anti-virus, botnet filtering, application control and the Capture Advanced Threat Protection (ATP) multi-engine sandbox.

Source :
https://blog.sonicwall.com/en-us/2019/10/how-to-protect-multi-cloud-environments-with-a-virtual-firewall/

Mid-Year Update: 2019 SonicWall Cyber Threat Report

It’s almost cliché at this point, but the cyber arms race — and respective cybersecurity controls and technology — moves at an alarming pace.

For this reason, SonicWall Capture Labs threat researchers never stop investigating, analyzing and exploring new threat trends, tactics, strategies and attacks. They publish most of their findings — the data they can share publicly, anyway — in the annual SonicWall Cyber Threat Report.

But to ensure the industry and public are able to stay abreast of the quickly shifting threat landscape, the team offers a complementary mid-year update to the 2019 SonicWall Cyber Threat Report. Download the exclusive report to explore the stories, behaviors and trends that are shaping 2019 — as they are happening.

Malware volume dips in first half

In 2018, global malware volume hit a record-breaking 10.52 billion attacks, the most ever recorded by SonicWall Capture Labs threat researchers.

Fortunately, during the first six months of 2019, that trend slowed — at least somewhat. SonicWall recorded 4.8 billion* malware attacks, a 20% drop compared to the same time period last year.

Ransomware rising

Did you think ransomware was an outdated tactic? The latest 2019 data proves otherwise. Despite overall declines in malware volume, ransomware continues to pay dividends for cybercriminals.

All told, global ransomware volume reached 110.9 million for the first half of 2019, a 15% year-to-date increase. The exclusive mid-year update outlines which countries followed this trend and which were victimized by an increase in ransomware attacks.

Attacks against non-standard ports still a concern

As defined in the full 2019 SonicWall Cyber Threat Report, a ‘non-standard’ port means a service running on a port other than its default assignment, usually as defined by the IANA port numbers registry.

For the first half of 2019, 13% of all malware attacks came via non-standard ports, a slight dip due to below-normal activity in January (8%) and February (11%).
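The metric above depends on comparing the application a DPI engine identifies with the port it was seen on. The following Python script is an added example of that check, not SonicWall's code: the log format and the seven sample records are constructed, and the default-port table is a small subset of the IANA service-name and port registry.

```python
"""Flag connections whose identified application runs on a port other than its default.

Added example, not SonicWall's code. The line format, the sample records and the
default-port subset are constructed; a real deployment would take the application
label from the firewall's DPI engine and the defaults from the full IANA registry.
"""
import re

# Default ports for a handful of services (subset of the IANA registry).
DEFAULT_PORTS = {
    "http": {80},
    "https": {443},
    "ssh": {22},
    "smtp": {25, 587},
    "dns": {53},
    "rdp": {3389},
    "ftp": {21},
}

# Assumed log layout: timestamp, source, destination, destination port,
# DPI-identified application, and the security verdict for the flow.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+"
    r"dport=(?P<dport>\d+)\s+app=(?P<app>\S+)\s+verdict=(?P<verdict>\S+)$"
)


def parse_line(line):
    """Parse one record; return None for lines that do not match the assumed layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["app"] = rec["app"].lower()
    return rec


def is_non_standard(rec):
    """True when the application is known and is not on one of its default ports.

    An application the DPI engine could not identify has no default to compare
    against, so it is never classified as non-standard here.
    """
    defaults = DEFAULT_PORTS.get(rec["app"])
    return defaults is not None and rec["dport"] not in defaults


def summarize(lines):
    """Return (records on non-standard ports, share of malware verdicts on non-standard ports)."""
    records = [r for r in map(parse_line, lines) if r]
    flagged = [r for r in records if is_non_standard(r)]
    malware = [r for r in records if r["verdict"] == "malware"]
    non_standard_malware = [r for r in malware if is_non_standard(r)]
    share = len(non_standard_malware) / len(malware) if malware else 0.0
    return flagged, share


# Constructed sample records.
SAMPLE_LOG = """\
2019-03-04T10:00:01Z src=10.0.0.5 dst=203.0.113.9 dport=80 app=http verdict=clean
2019-03-04T10:00:02Z src=10.0.0.7 dst=203.0.113.9 dport=8080 app=http verdict=malware
2019-03-04T10:00:03Z src=10.0.0.9 dst=198.51.100.4 dport=443 app=https verdict=malware
2019-03-04T10:00:04Z src=10.0.0.9 dst=198.51.100.4 dport=2222 app=ssh verdict=clean
2019-03-04T10:00:05Z src=10.0.0.3 dst=198.51.100.8 dport=4444 app=http verdict=malware
2019-03-04T10:00:06Z src=10.0.0.3 dst=198.51.100.8 dport=9001 app=unknown verdict=clean
2019-03-04T10:00:07Z src=10.0.0.2 dst=203.0.113.2 dport=25 app=smtp verdict=malware
"""

if __name__ == "__main__":
    flagged, share = summarize(SAMPLE_LOG.splitlines())
    for rec in flagged:
        print(f"{rec['app']} on port {rec['dport']} -> {rec['dst']} ({rec['verdict']})")
    print(f"malware on non-standard ports: {share:.0%}")
```

The point of the example is the policy consequence: a firewall that decides what a flow is from its port number alone never inspects the HTTP session on port 4444 above, so the share it reports for non-standard ports is only as good as its application identification.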

Encrypted threats intensify

In 2018, SonicWall logged more than 2.8 million encrypted threats, which was already a 27% jump over the previous year. Through the first six months of 2019, SonicWall has registered a 76% year-to-date increase.

Machine learning, multi-engine sandboxes evolving to ‘must-have’ security

So far in 2019, the multi-engine SonicWall Capture Advanced Threat Protection (ATP) cloud sandbox has exposed 194,171 new malware variants — a pace of 1,078 new variant discoveries each day of the year.

IoT malware volume doubled YTD

The speed and ferocity in which IoT devices are being compromised to deliver malware payloads is alarming. In the first half of 2019, SonicWall Capture Labs threat researchers have already recorded 13.5 million IoT attacks, which outpaces the first two quarters of last year.

Bitcoin run keeping cryptojacking in play

Late 2018 data showed cryptojacking on the decline. But with the surging values of both bitcoin and Monero, cryptojacking rebounded in 2019. Cryptojacking volume hit 52.7 million for the first six months of the year.

How do cybercurrency prices influence cryptojacking volume? The exclusive mid-year update looks deeper into the numbers.

 

Source :
https://blog.sonicwall.com/en-us/2019/07/mid-year-update-2019-sonicwall-cyber-threat-report/

Windows Server 2008 End of Support: Are you Prepared?

On July 14th, 2015, Microsoft’s widely deployed Windows Server 2003 reached end of life after nearly 12 years of support. For millions of enterprise servers, this meant the end of security updates, leaving the door open to serious security risks. Now, we are fast approaching the end of life of another server operating system – Windows Server 2008 and Server 2008 R2, which will soon reach end of support on January 14, 2020.

Nevertheless, many enterprises still rely on Windows Server 2008 for core business functions such as Directory Server, File Server, DNS Server, and Email Server. Organizations depend on these workloads for critical business applications and to support their internal services like Active Directory, File Sharing, and hosting internal websites.

What does this mean for you?

End of support for an operating system like Windows Server 2008 introduces major challenges for organizations who are running their workloads on the platform. While a small number may be ready to fully migrate to a new system or to the cloud, the reality is that most organizations aren’t able to migrate this quickly due to time, budgetary, or technical constraints. Looking back at Windows Server 2003, even nine months after the official EOS, 42% of organizations indicated they would still be using Windows Server 2003 for 6 months or more, while the remaining 58% were still in the process of migrating off of Windows Server 2003 (Osterman Research, April 2016). The same is likely to occur with the Server 2008 EOS, meaning many critical applications will continue to reside on Windows Server 2008 for the next few years, despite the greatly increased security risks.

What are the risks?

The end of support means organizations must prepare to deal with missing security updates, compliance issues, defending against malware, as well as other non-security bugs. You will no longer receive patches for security issues, or notifications of new vulnerabilities affecting your systems. With the constant discovery of new vulnerabilities and exploits (around 1,450 vulnerabilities disclosed through the ZDI in 2018 alone), it’s all but guaranteed that we will see additions to the more than 1,300 vulnerabilities already faced by Windows Server 2008. The lack of notifications to help monitor and measure the risk associated with new vulnerabilities can leave a large security gap.

This was the case for many organizations in the wake of the 2017 global WannaCry ransomware attack, which affected over 230,000 systems worldwide by leveraging the EternalBlue exploit against SMBv1 in older Windows operating systems. While Microsoft had provided a patch for this (MS17-010), many weren’t able to apply it in time due to the difficulty involved in patching older systems.

What can security and IT teams do?

The most obvious solution is to migrate to a newer platform, whether that’s on-premises or using a cloud infrastructure-as-a-service offering such as AWS, Azure, or Google Cloud.

However, we know many organizations will either delay migration or leave a portion of their workloads running in a Windows Server 2008 environment for the foreseeable future. Hackers are aware of this behavior, and often view out-of-support servers as an easy target for attacks. Security teams need to assess the risk involved with leaving company data on those servers, and whether or not the data is secure by itself. If not, you need to ensure you have the right protection in place to detect and stop attacks and meet compliance on your Windows Server 2008 environment.

How can Trend Micro help?

Trend Micro Deep Security delivers powerful, automated protection that can be used to secure applications and workloads across new and end of support systems. Deep Security’s capabilities include host-based intrusion prevention, which will automatically shield workloads from new vulnerabilities, applying an immediate ‘virtual patch’ to secure the system until an official patch is rolled out – or in the case of EOS systems – for the foreseeable future.

Deep Security also helps monitor for system changes with real-time integrity monitoring and application control, and secures your workloads with anti-malware powered by the Trend Micro Smart Protection Network’s global threat intelligence. Deep Security’s broad platform and infrastructure support allows you to seamlessly deploy security across your physical, virtualized, cloud, and containerized workloads, protecting your end-of-life systems throughout and beyond your migration.

Learn how easy it is to deploy virtual patching to secure your enterprise and address patching issues.

 

Source :
https://blog.trendmicro.com/windows-server-2008-end-of-support-are-you-prepared/

Sonicwall : Cryptojacking Apocalypse – Defeating the Four Horsemen of Cryptomining

Despite price fluctuations of bitcoin and other cryptocurrencies, cryptojacking remains a serious — and often hidden — threat to businesses, SMBs and everyday consumers.

And the most covert of these threats is cryptomining via the browser, where popular forms of malware attempt to turn your device into a full-time cryptocurrency miner; the malware, and the operators behind it, are known as cryptojackers.

To help you creatively understand this trend, let me summon my classical training and be a little hyperbolic. If you see the cryptojacking wave as an apocalypse like some of their victims do, the Four Horsemen would be the four threats to your endpoint or business:

  • The White Horse: The energy it consumes or wastes
  • The Red Horse: The loss to productivity due to limited resources
  • The Black Horse: The damage it can do to a system
  • The Pale Horse: Security implications due to created vulnerabilities

Unlike ransomware that wants to be found (to ask for payment), a cryptojacker’s job is to run invisibly in the background (although your CPU performance graph or device’s fan may indicate something is not normal).

Ransomware authors have switched gears over the past two years to use cryptojacking more, because a ransomware strain’s effectiveness and ROI diminish as soon as it ends up on public feeds like VirusTotal.

Like anyone else running a highly profitable business, cybercriminals need to constantly find new ways to fulfill their financial targets. Cryptojacking is being used to solve that challenge.

In April 2018, SonicWall started tracking cryptojacking trends, namely the use of Coinhive in malware. Over the course of the year, we saw cryptojacking ebb and flow. In that time, SonicWall recorded nearly 60 million cryptojacking attacks, with as many as 13.1 million in September 2018. As published in the 2019 SonicWall Cyber Threat Report, volume dipped across the final quarter of 2018.

[Chart: Global Cryptojacking Attacks, April-September 2018]

The lure of cryptomining

Cryptomining operations have become increasingly popular and now consume almost half a percent of the world’s electricity. Despite the wild swings in price, roughly 60% of the cost of legitimately mining bitcoin is energy. In fact, at the time of writing, a bitcoin is worth less than the cost of mining it legitimately.

With such costs, and with none of the capital outlay or risk of buying and maintaining equipment, cybercriminals have strong incentives to generate cryptocurrency with someone else’s resources. Infecting 10 machines with a cryptominer could net up to $100/day, so the challenge for cryptojackers is three-fold:

  1. Find targets, namely organizations with a lot of devices on the same network, especially schools or universities.
  2. Infect as many machines as possible.
  3. Stay hidden for as long as possible (unlike ransomware and more akin to traditional malware).

Cryptojackers use the same techniques as other malware to sneak onto an endpoint: drive-by downloads, phishing campaigns, in-browser vulnerabilities and browser plugins, to name a few. And, of course, they rely on the weakest link, the people, via social engineering.

Am I infected by cryptominers?

Cryptominers are interested in your processing power and cryptojackers have to trade stealth against profit. How much of your CPU resources they take depends on their objectives.

Siphoning less power makes it harder for unsuspecting users to notice. Stealing more increases their profits. In either case, there will be a performance impact, but if the threshold is low enough it could be a challenge to distinguish the miner from legitimate software.

Enterprise administrators should look for unknown processes in their environment. End users on Windows can launch Sysinternals Process Explorer to see what is running; Linux and macOS users can do the same with System Monitor (or top) and Activity Monitor, respectively.
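One way to automate that check, as an added example that is not part of the SonicWall post: the Python script below parses a `ps` listing (a constructed sample is embedded; run it without arguments to scan the sample, or with `--live` to run `ps` on the current Linux or macOS host) and flags processes that carry well-known miner command-line indicators, talk to a port commonly used by mining pools, or burn CPU for a sustained period without being on an allow-list. The indicator list, pool ports, allow-list and thresholds are assumptions to tune, not facts from the post.

```python
"""Triage a process listing for likely cryptominers.

Added example, not SonicWall's code. Parses the output of
`ps -eo pid,pcpu,etime,user,comm,args` and flags processes that carry
known miner indicators or burn CPU for a long time without being on an
allow-list. The sample listing below is constructed, and the indicator
list, pool ports, allow-list and thresholds are assumptions to tune.
"""
import re
import subprocess
import sys
from dataclasses import dataclass

# Substrings commonly found in miner command lines (assumption: starter list).
MINER_INDICATORS = (
    "stratum+tcp://", "stratum+ssl://", "stratum2+tcp://", "--donate-level",
    "--coin=", "--algo=", "cryptonight", "xmrig", "minerd", "cpuminer", "kdevtmpfsi",
)
# Ports that public mining pools commonly listen on (assumption: common defaults).
POOL_PORT_RE = re.compile(r":(3333|4444|5555|7777|8888|14444)\b")
# Programs we expect to be CPU-heavy on this fleet (assumed allow-list).
ALLOWED_HEAVY = {"chrome", "firefox", "gcc", "clang", "ld", "python3", "ffmpeg"}
CPU_THRESHOLD = 50.0    # percent of one core
ETIME_THRESHOLD = 600   # seconds; ignore short bursts such as a compile or an encode

PS_COLUMNS = "pid,pcpu,etime,user,comm,args"

# Constructed sample: a miner masquerading as a kernel thread (kworkerd), a
# suspicious long-runner with no indicators (.cache) and legitimate heavy processes.
SAMPLE_PS = """\
  PID %CPU     ELAPSED USER     COMMAND COMMAND
    1  0.0  5-02:11:40 root     systemd /sbin/init
 2310  3.2    01:12:03 alice    chrome  /opt/google/chrome/chrome --type=renderer
 4477 97.6  2-14:05:19 alice    kworkerd /tmp/.X11-unix/kworkerd -o stratum+tcp://pool.example.net:3333 -u WALLET --donate-level=1
 4519 88.0       03:10 alice    ffmpeg  ffmpeg -i input.mkv -c:v libx264 out.mp4
 5102 12.0       45:00 bob      python3 python3 train.py
 6001 62.0  1-03:00:00 www-data .cache  /var/tmp/.cache -c config.json
"""


@dataclass
class Finding:
    pid: int
    comm: str
    cpu: float
    reasons: list


def parse_etime(etime: str) -> int:
    """Convert ps ELAPSED ([[dd-]hh:]mm:ss) to seconds."""
    days = 0
    if "-" in etime:
        d, etime = etime.split("-", 1)
        days = int(d)
    parts = [int(p) for p in etime.split(":")]
    while len(parts) < 3:
        parts.insert(0, 0)
    hours, minutes, seconds = parts
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def parse_ps(text: str):
    """Yield (pid, cpu, elapsed_seconds, user, comm, args) per process line."""
    for line in text.strip().splitlines()[1:]:   # first line is the header
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        pid, pcpu, etime, user, comm, args = fields
        yield int(pid), float(pcpu), parse_etime(etime), user, comm, args


def triage(ps_text: str) -> list:
    """Return a Finding for every process that looks like a miner."""
    findings = []
    for pid, cpu, secs, user, comm, args in parse_ps(ps_text):
        reasons = []
        hits = [ind for ind in MINER_INDICATORS if ind in args.lower()]
        if hits:
            reasons.append("miner indicator(s) in command line: " + ", ".join(hits))
        if POOL_PORT_RE.search(args):
            reasons.append("connects to a port commonly used by mining pools")
        if cpu >= CPU_THRESHOLD and secs >= ETIME_THRESHOLD and comm not in ALLOWED_HEAVY:
            reasons.append(f"{cpu:.0f}% CPU for {secs // 3600}h by non-allow-listed process (user {user})")
        if reasons:
            findings.append(Finding(pid, comm, cpu, reasons))
    return findings


def live_ps() -> str:
    """Run ps on this host (Linux/macOS)."""
    return subprocess.run(["ps", "-eo", PS_COLUMNS], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    listing = live_ps() if "--live" in sys.argv[1:] else SAMPLE_PS
    for f in triage(listing):
        print(f"PID {f.pid} ({f.comm}, {f.cpu:.1f}% CPU)")
        for r in f.reasons:
            print("   -", r)
```

The CPU heuristic is exactly the stealth trade-off described above: a miner throttled to 25% of one core never crosses the threshold, which is why the indicator and pool-port checks are there and why any process it does flag should also be checked for outbound connections (for example with `ss -tp` on Linux or the TCP/IP tab in Process Explorer on Windows) before deciding it is benign.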

How to defend against cryptominers

The first step in defending against cryptominers is to stop this type of malware at the gateway, either through firewalls or email security (perimeter security), which is one of the best ways to scrub out known file-based threats.

Since people like to reuse old code, catching known mining scripts like Coinhive’s was also a simple first step. But in February 2019, Coinhive publicly announced it was ceasing operations on March 8, 2019. The service stated that it wasn’t “economically viable anymore” and that the “crash” had impacted the business severely.

Despite this news, SonicWall predicts there will still be a surge in new cryptojacking variants and techniques to fill the void. Cryptojacking could still become a favorite method for malicious actors because of its concealment; low and indirect damage to victims reduces chances of exposure and extends the valuable lifespan of a successful attack.

If the malware strain is unknown (new or updated), it will bypass the static filters in perimeter security. An unknown file should therefore be routed to a sandbox so the nature of the file can be inspected.

The multi-engine SonicWall Capture Advanced Threat Protection (ATP) sandbox environment is designed to identify and stop evasive malware that may evade one engine but not the others.

If you have an endpoint that is not behind this typical setup (e.g., it’s roaming at an airport or hotel), you need to deploy an endpoint security product that includes behavioral detection.

Cryptominers can operate in the browser or be delivered through a fileless attack, so a legacy, signature-only antivirus that just scans files on disk can be blind to them.

A behavior-based antivirus like SonicWall Capture Client would detect that the system is trying to mine coins and shut the operation down. An administrator can then quarantine and delete the malware or, where system files were damaged, roll the system back to the last known good state before the malware executed.

By combining a mixture of perimeter defenses and behavioral analysis, organizations can fight the newest forms of malware no matter what the trend or intent is.
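The gateway-side idea above, stopping what is already known before it reaches the endpoint, extends from the file to the protocol the miner speaks, which is useful because the binary changes far more often than the pool protocol does. As an added example that is not from the SonicWall post, the Python below inspects plaintext TCP payloads for Stratum, the line-delimited JSON-RPC protocol miners use to talk to pools, in both its Bitcoin-style `mining.*` form and the Monero/XMRig `login`/`job` dialect. The flows are constructed samples; the method and agent lists are assumptions drawn from public protocol descriptions, to be extended from your own captures.

```python
"""Flag Stratum mining-protocol messages in captured TCP payloads.

Added example, not SonicWall's code. Miners talk to their pool over
Stratum, a line-delimited JSON-RPC protocol, so a gateway that sees the
plaintext can recognise the protocol even when the binary is unknown.
The flows below are constructed; the method and agent lists are
assumptions to extend from your own captures.
"""
import json
from dataclasses import dataclass

# Bitcoin-style Stratum v1 methods plus the Monero/XMRig dialect (assumed starter list).
STRATUM_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.submit", "mining.notify",
    "mining.set_difficulty", "mining.extranonce.subscribe",
    "login", "getjob", "submit", "keepalived", "job",
}
# User-agent strings miners send when logging in or subscribing (assumed starter list).
MINER_AGENTS = ("xmrig", "xmr-stak", "cpuminer", "minerd", "srbminer")

# Constructed flows: (direction string, raw TCP payload as the gateway would see it).
SAMPLE_FLOWS = [
    ("10.0.0.23:51234->198.51.100.7:3333",      # XMRig login to a Monero pool
     '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET.worker1","pass":"x","agent":"XMRig/5.11.1"}}\n'),
    ("198.51.100.7:3333->10.0.0.23:51234",      # pool answers with the first job
     '{"id":1,"jsonrpc":"2.0","result":{"id":"c9a6","job":{"blob":"0707e2a6","job_id":"1","target":"b88d0600"},"status":"OK"},"error":null}\n'),
    ("10.0.0.31:49876->203.0.113.9:80",         # ordinary HTTP, must not alert
     "GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("10.0.0.40:50000->192.0.2.15:3333",        # cpuminer, Bitcoin-style Stratum v1
     '{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.5.1"]}\n'
     '{"id": 2, "method": "mining.authorize", "params": ["user.rig1", "x"]}\n'),
    ("10.0.0.50:50010->10.0.0.9:8545",          # JSON-RPC that is not Stratum, must not alert
     '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":83}\n'),
]


@dataclass
class Alert:
    flow: str
    method: str
    detail: str


def _miner_agent(params):
    """Return the first param value that looks like a known miner user-agent."""
    if isinstance(params, dict):
        values = params.values()
    elif isinstance(params, list):
        values = params
    else:
        values = []
    for v in values:
        if isinstance(v, str) and any(a in v.lower() for a in MINER_AGENTS):
            return v
    return None


def classify_message(line: str):
    """Return (method, detail) if one line is a Stratum message, else None."""
    try:
        msg = json.loads(line)
    except ValueError:
        return None
    if not isinstance(msg, dict):
        return None
    method = msg.get("method")
    if isinstance(method, str) and method in STRATUM_METHODS:
        params = msg.get("params")
        agent = _miner_agent(params)
        if agent:
            return method, f"miner agent {agent}"
        if isinstance(params, dict) and "login" in params:
            return method, "pool login"
        return method, ""
    # Monero-dialect login response: the pool hands back a job blob to hash.
    result = msg.get("result")
    if isinstance(result, dict) and isinstance(result.get("job"), dict) and "blob" in result["job"]:
        return "login-response", "job blob issued by pool"
    return None


def scan_flows(flows) -> list:
    """Run classify_message over every line of every flow payload."""
    alerts = []
    for flow, payload in flows:
        for line in payload.splitlines():
            hit = classify_message(line.strip())
            if hit:
                alerts.append(Alert(flow, hit[0], hit[1]))
    return alerts


if __name__ == "__main__":
    for a in scan_flows(SAMPLE_FLOWS):
        print(f"{a.flow}  {a.method}  {a.detail}")
```

This only works where the gateway sees plaintext. A miner configured for stratum+ssl, or one that tunnels its pool traffic through a WebSocket proxy the way browser-based miners do, shows up as nothing more than a TLS session, and the remaining signals are the pool hostname in DNS or the TLS SNI and an odd destination port. That is where sandbox detonation earns its keep: an unknown sample that tries to open such a connection gives itself away by its behavior even if its bytes match nothing.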

Source:
https://blog.sonicwall.com/en-us/2019/05/cryptojacking-apocalypse-defeating-the-four-horsemen-of-cryptomining/

Sonicwall : 4 Ways the WhatsApp Exploit Could Use Employees to Infiltrate Your Network

The recent WhatsApp breach was very sophisticated and clever in the manner it was delivered. And that should be expected considering who was reported as being behind the zero-day attack against the popular messaging application.

But the attack against the WhatsApp app is not just a concern for its millions of global customers. There’s a very real and imminent threat to businesses and enterprises, too.

For example, let’s assume one of your employees has WhatsApp installed on their device and it is subsequently compromised via the latest WhatsApp exploit. In many situations, this employee will, at some point, connect their device to the corporate network.

This legitimate access could be via VPN, cloud applications (e.g., Office 365, Dropbox, etc.), corporate Wi-Fi or, my personal “favorite,” plugging the device into the USB port of a corporate laptop so the phone can charge. Understanding how and where users connect to the corporate network is critical.

In most cases, organizations can’t prevent personal BYOD phones from being compromised — particularly when outside the network perimeter. They can, however, protect the network from exploits delivered via the compromised phone. Here are the four most common ways the WhatsApp vulnerability could be leveraged to infiltrate a corporate network and, more importantly, how SonicWall can prevent it:

  1. Via VPN. If an employee connects to corporate over VPN, a SonicWall firewall, for example, would be the endpoint where they establish the VPN. Threat prevention (e.g., firewalls with Capture ATP) and access control (e.g., Secure Mobile Access) would prevent the WhatsApp breach from spreading any further than the compromised phone.
  2. Via Wi-Fi. In this scenario, next-generation firewalls and secure wireless access points should be in place to inspect all internal traffic and prevent the exploit from going further than the phone.
  3. Via compromised credentials. Because the WhatsApp exploit enabled attackers to steal credentials to cloud services and apps, organizations with Cloud Access Security Broker (CASB) solutions, like SonicWall Cloud App Security, would mitigate account takeovers (ATO), unauthorized access and any related data leakage.
  4. Via USB port. Users often forget that a powered USB port on their laptop is an entry point for attackers — even when doing something as innocent as charging a phone. A sound endpoint protection solution (see diagram), such as Capture Client, would monitor the connection to the laptop and inspect any malicious activity attempting to leverage the USB port to deliver malware payloads.