SonicWall Protects Customers from the Latest Massive WannaCry Ransomware Attack
First, if you are a SonicWall customer and you are using our Gateway Anti-Virus, Intrusion Prevention service, and Capture Advanced Threat Protection, then your SonicWall firewall has been protecting your network from WannaCry ransomware and the worm that spreads it since 17 April, 2017. Since the release of the first version of the code, we have identified several new variants and have released additional countermeasures. We will continue to update this blog as our Capture Labs research team uncovers more information and as additional protection is automatically rolled out to our customers’ firewalls.
This massive ransomware attack became infamous by shutting down a number of hospitals in the UK’s National Health Service (NHS) and thus preventing patients from receiving critical care. The attack hit over 100 countries with an untold number of victims. WannaCry combines a Trojan/ransomware payload with a worm that spreads it using EternalBlue, an exploit against the Windows SMB file-sharing protocol. The Shadow Brokers leaked EternalBlue in April 2017 as part of a larger dump of NSA-developed exploits. The underlying vulnerability affects many versions of Microsoft Windows, including several that are in end-of-life status. Although Microsoft patched it on March 14, 2017 (security bulletin MS17-010), the attack remains dangerous because many organizations have not applied the patch, and out-of-support versions had no patch available until Microsoft issued emergency updates for them after the outbreak began.
The first version of the worm/ransomware package contained a kill switch: the worm checked for a hard-coded domain before spreading, and when a researcher registered that domain the worm feature was, almost accidentally, disabled, which slowed its advance on Friday, 12 May 2017. However, new variants are appearing in the wild without this weakness. While the first version of the worm code can no longer spread the ransomware, systems already encrypted by WannaCry 1.0 remain encrypted. As of this writing there is no known method to recover files affected by WannaCry without paying the criminals (which is not advised); restoring from offline backups is the only reliable recovery path.
Since Friday, 12 May 2017, SonicWall’s Capture Labs has released six new signatures to block all known versions of WannaCry. It is also worth noting that SonicWall security services on the firewall have built-in protections against the many components of this code, ranging from blocking contact with WannaCry Command and Control (C&C) servers to blocking attempts to exploit unpatched Microsoft SMB vulnerabilities (such as the one EternalBlue targets).
SonicWall Capture Labs analyzed the EternalBlue attack in mid-April immediately after the Shadow Brokers file dump and rolled out protection for all SonicWall firewall customers well in advance of the first public attack. All known versions of this exploit can be blocked from SonicWall protected networks via active next-generation firewall security services.
As a SonicWall customer, ensure that your next-generation firewall has an active Gateway Security subscription to receive automatic real-time protection from known ransomware attacks such as WannaCry. Gateway Security includes Gateway Anti-Virus (GAV), Intrusion Prevention (IPS), Botnet Filtering, and Application Control. Together these services provide signatures against WannaCry itself (part of GAV), protections against the vulnerabilities outlined in Microsoft’s security bulletin MS17-010 (part of IPS), and blocking of communication with WannaCry’s C&C servers (part of Botnet Filtering).
Since SonicWall Email Security uses the same signatures/definitions as Gateway Security, it can block the emails that deliver the initial route to infection. Ensure all email security services are also up to date to block malicious emails. Since 65% of all ransomware attacks arrive through phishing emails, this needs to be a major focus of security awareness training. Additionally, customers with SonicWall Content Filtering Service should activate it to block communication with malicious URLs and domains, much as Botnet Filtering disrupts C&C communication.
As a best practice, always deploy Deep Packet Inspection of SSL/TLS (DPI-SSL) traffic, since more than 50% of malware is delivered over encrypted connections; without it, the firewall’s signatures cannot see payloads carried inside TLS sessions. DPI-SSL enables your SonicWall security services to identify and block known ransomware attacks, and it also allows the firewall to extract unknown files and send them to SonicWall Capture Advanced Threat Protection for multi-engine processing to discover and stop unknown ransomware variants.
The party behind this attack has already released several variations of this attack for which we have established protections in place (see above). To ensure you are safe from newly developed updates and similar copycat attacks, first apply the Windows patch provided by Microsoft listed in the resources section. Second, apply Capture Advanced Threat Protection (Capture ATP), SonicWall’s multi-engine network sandbox, to examine suspicious files coming into your network to discover and stop the latest threats just as we did with Cerber ransomware. Enable the service’s block until verdict feature to analyze all files at the gateway to eliminate malware before it can enter your network. Additionally, Capture Labs will continue to email customers Sonic Alerts on new threats.
Finally, phishing emails are the most common delivery mechanism for ransomware, and it is possible that future variants of this ransomware will be delivered via email. SonicWall’s email security solution uses Advanced Reputation Management (ARM) to inspect not only the sender IP but also the message content, embedded URLs and attachments. In addition, make sure you enable SPF, DKIM and DMARC email authentication to identify and block spoofed emails and protect against spam and phishing: SPF and DKIM authenticate the sending infrastructure, while DMARC ties those results to the visible From: address and tells receivers what to do (none, quarantine or reject) when the results do not align with it. For the best possible protection against such attacks, deploy SonicWall’s email security solution with the Capture ATP service to inspect every email attachment in a multi-engine sandbox environment.
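To make concrete what the SPF/DMARC recommendation above (and the Email Security recommendation earlier) actually enforces on a receiving mail server, here is an added example. It is not part of the original post and not code from SonicWall or Intermedia. It evaluates constructed messages against constructed SPF and DMARC TXT records; every domain, IP address and record below is made up (RFC 5737 documentation ranges), DKIM verification is not implemented and is taken as an input flag, and relaxed alignment is approximated with a suffix test rather than a public-suffix-list lookup.

```python
"""Offline SPF + DMARC evaluation over constructed DNS records (added example)."""
import ipaddress

# Constructed TXT records standing in for live DNS lookups (assumption: not real zones).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example.net -all",
    "_spf.mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "spoofer.example": "v=spf1 ip4:192.0.2.0/24 -all",   # attacker-controlled domain
}
DMARC_RECORDS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, records=SPF_RECORDS, depth=0):
    """Return the SPF result for client_ip sending MAIL FROM <domain>.

    Supports ip4/ip6, include and all. Mechanisms that need live DNS
    (a, mx, ptr, exists) are treated as non-matching in this offline model.
    """
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:                      # RFC 7208 limit on DNS-querying mechanisms
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        matched = False
        if name in ("ip4", "ip6"):
            # Version mismatch (IPv6 client vs ip4 network) simply does not match.
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif name == "include":
            matched = check_spf(value, client_ip, records, depth + 1) == "pass"
        elif name == "all":
            matched = True
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # no mechanism matched and no 'all'


def parse_dmarc(from_domain, records=DMARC_RECORDS):
    """Parse _dmarc.<domain> into a tag dict; None when no valid policy is published."""
    record = records.get("_dmarc." + from_domain)
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    tags.setdefault("aspf", "r")        # relaxed SPF alignment is the default
    return tags


def aligned(auth_domain, from_domain, mode):
    """SPF identifier alignment. Strict ('s') needs an exact match; relaxed ('r')
    also accepts a parent/subdomain relation (simplification: real relaxed mode
    compares organizational domains via the public suffix list)."""
    if mode == "s":
        return auth_domain == from_domain
    return (auth_domain == from_domain
            or auth_domain.endswith("." + from_domain)
            or from_domain.endswith("." + auth_domain))


def evaluate(header_from_domain, envelope_from_domain, client_ip, dkim_aligned_pass=False):
    """Return (spf_result, dmarc_result, disposition) for one message."""
    spf = check_spf(envelope_from_domain, client_ip)
    policy = parse_dmarc(header_from_domain)
    if policy is None:
        return spf, "none", "deliver"   # no DMARC policy: nothing to enforce
    spf_ok = spf == "pass" and aligned(envelope_from_domain, header_from_domain, policy["aspf"])
    dmarc = "pass" if (spf_ok or dkim_aligned_pass) else "fail"
    if dmarc == "pass":
        return spf, dmarc, "deliver"
    return spf, dmarc, {"reject": "reject", "quarantine": "quarantine"}.get(policy.get("p"), "deliver")


# Constructed messages: (label, From: header domain, envelope MAIL FROM domain, connecting IP)
MESSAGES = [
    ("legit",     "example.com", "example.com",     "203.0.113.25"),
    ("relay",     "example.com", "example.com",     "198.51.100.10"),  # via the included relay
    ("spoof-ip",  "example.com", "example.com",     "192.0.2.77"),
    ("spoof-env", "example.com", "spoofer.example", "192.0.2.77"),     # SPF passes, From: forged
]


def run_all():
    return {label: evaluate(hf, ef, ip) for label, hf, ef, ip in MESSAGES}


if __name__ == "__main__":
    for label, (spf, dmarc, action) in run_all().items():
        print(f"{label:10s} spf={spf:8s} dmarc={dmarc:5s} -> {action}")
```

The fourth message is the one worth studying: the attacker’s own domain publishes a valid SPF record, so SPF alone reports "pass", yet the visible From: address is the victim organization’s, the identifiers do not align, and the published p=reject policy causes the message to be rejected. Without DMARC, that message would be delivered.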
For more information or to schedule a free business security evaluation contact The Client Server @ 239.495.8702.
Email Attack Hits Google: What to Do if You Clicked
Google said it was investigating an email scam winding its way through inboxes across the country and had disabled the accounts responsible for the spam. The scheme emerged Wednesday afternoon, when spammers dispatched malicious email, appearing to come from people the recipients knew, beckoning them to click on what appeared to be a shared Google document. Recipients who clicked on the links were prompted to grant the sender’s app access to their Google contact lists and Google Drive. In the process, victims allowed spammers to raid their contact lists and send even more email. “We are investigating a phishing email that appears as Google Docs,” Google said in a statement posted on Twitter. “We encourage you to not click through and report as phishing within Gmail.” It is not clear who created the spam email or how many people it has affected. In a second statement, on Wednesday evening, Google said that it had disabled the accounts responsible for the spam, updated its systems to block it and was working on ways to prevent such an attack from recurring.
If you receive suspicious email, here are some tips:
1. Do not click, even when the email is from your mother.
Even when you receive links from trusted contacts, be careful what you click. Spammers, cybercriminals and, increasingly, nation-state spies are resorting to basic email attacks, known as spear phishing, which bait victims into clicking on links that download malicious software, or lure them into turning over their user names and passwords. A quarter of phishing attacks studied last year by Verizon were found to be nation-state spies trying to gain entry into their target’s inboxes, up from the 9 percent of attacks reported in 2016. In this case, the malicious emails all appeared to come from a contact, but were actually from the address “email@example.com” with recipients BCCed.
2. Turn on multifactor authentication.
Google and most other email, social media and banking services let you turn on multifactor authentication. Use it. When you log in from an unrecognized device, the service will also ask for a one-time code, texted to your phone or generated by an authenticator app. It is the most basic way to prevent hackers from breaking into your accounts with a stolen password. Note that an authenticator app or a hardware security key is stronger than SMS codes, which can be intercepted or redirected; note also that the Google Docs attack did not steal a password at all, but tricked victims into authorizing a third-party app, which multifactor authentication does not prevent.
3. Shut it down.
If you accidentally clicked on the Google phishing attack and gave spammers third-party access to your Google account, you can revoke their access by following these steps:
Go to https://myaccount.google.com/permissions
Revoke access for the app named “Google Docs” (the malicious app borrowed Google’s own product name; it will show access to your Contacts and Drive).
4. Change your passwords ... again.
If you’ve been phished, change your passwords to something you have never used before. Ideally, your passwords should be long and should not be words found in a dictionary: one of the first things attackers do with a stolen password database is run programs that try every word in the dictionary, plus common variations. Your email account is a particularly ripe target because your inbox is the key to resetting the passwords of, and potentially breaking into, dozens of other accounts. Make your password long and distinctive. Security specialists advise building mnemonic passwords from song lyrics, movie quotations or sayings; for example, the “The Godfather” quotation “Leave the gun. Take the cannoli,” becomes LtG,tTcannol1. Do not reuse this published example, and prefer a password manager that generates a unique random password for each site.
5. Report it.
Report any phishing attacks to Google by clicking the downward arrow at the top right of your inbox and selecting “Report Phishing.” Companies count on those reports to investigate such scams and stop them.
Posted on the New York Times, brought to you by The Client Server, Inc.
Update regarding WannaCry Ransomware Outbreak
Dear Valued Patrons,
We are following news reports today of a ransomware strain that has – so far – hit 74 countries around the globe. Intermedia systems and services are protected against this vulnerability, but you should be aware that your own systems may be at risk.
Intermedia recommends the following actions to our customers and partners:
Immediately apply Microsoft patch MS17-010 to all Windows systems, desktops and servers alike
Notify your users to be extra cautious right now – even clicking on a suspicious attachment could instigate a ransomware attack
Backup files with SecuriSync® now to allow quick recovery in the event you do fall victim to a ransomware attack
If you currently use SecuriSync, you can configure it to back up all your desktop files as well as Windows file servers. In the event of a ransomware attack, you will be able to roll back your files to an unencrypted state.
If you would like more information on how to get started with SecuriSync, or a free business security evaluation please contact The Client Server at 239.495.8702.
The Client Server
2017 Women in Technology Award Winner
Congratulations to Ms. Wendi Fowler, President and CEO of The Client Server, for winning the 2017 Women in Technology Award. #SWFRTP
Thank you Southwest Florida Regional Technology Partnership.
New Report Warns In-App Purchase Scams Are on the Rise

Apple prides itself on the App Store, pointing to its impressive and ever-growing number of titles and the even more impressive revenue stream for the company and its worldwide developer community. A new report, however, sheds light on a concerning trend among some nefarious app developers, whose titles appear to advertise must-have services for iPhone and iPad owners but are in reality fraudulent attempts to empty your wallet.
In his article titled How to Make $80,000 Per Month on the App Store, which was recently published by Medium, Johnny Lin describes how he uncovered a trend by which these developers have been able to create and publish ostensibly legitimate titles that promise useful services, but by exploiting the App Store’s inbuilt search algorithms, only seek to generate thousands of dollars in revenue at the expense of unwitting customers.
“I scrolled down the list in the Productivity category and saw apps from well-known companies like Dropbox, Evernote, and Microsoft,” Lin said. “But what’s this? The #10 Top Grossing Productivity app was an app called Mobile protection :Clean & Security VPN.” Noting the many inconsistencies in the app’s title, such as capitalization errors, a misplaced colon, and the conceptual nonsense of ‘Clean & Security VPN’, Lin went on to say he was almost certain the app was there because of a bug in the App Store’s ranking algorithms.
“So I checked Sensor Tower for an estimate of the app’s revenue which showed… $80,000 per month?? That couldn’t possibly be right. Now I was really curious,” Lin said. Wanting to know more about the app and why it was there, Lin downloaded and ran the title, at which point he says he was prompted to start a “free trial” of a so-called iOS virus scanner. Once he tapped the free trial offer, the familiar Touch ID authentication prompt followed, warning Lin that “You will pay $99.99 for a 7-day subscription starting Jun 9, 2017.” (Worth noting: because Apple sandboxes every third-party app, an iOS app cannot scan other apps or the system, so an iOS “virus scanner” cannot do what it claims, and Apple does not recommend anti-virus software for iOS.)
“It suddenly made a lot of sense how this app generates $80,000 a month,” Lin said, noting specifically how a $400 per month subscription would only require the app to scam 200 people each month to generate $960,000 per year in revenue, of which Apple would take a 30% cut ($288,000 per year) from just this one app.
Lin explained that while Apple’s app submission and approval process is particularly stringent, unscrupulous developers can still exploit App Store search ads, which have no comparable approval or filtering process. He dug deeper and found additional titles just like ‘Mobile protection :Clean & Security VPN’, suggesting a burgeoning trend of such apps appearing in the App Store’s Top Grossing lists.
By Troy Thompson
Published June 12, 2017
We are writing to inform all Microsoft® Office users of a new zero-day attack that installs malware onto fully patched systems running Microsoft's operating system via an Office vulnerability. We recommend refraining from sending or opening any Word documents via email. Microsoft Office has a feature called “Protected View” that is enabled by default; however, you should double check your settings to make sure that this feature is turned on.
If you open a Word document and an unexpected prompt pops up, that is a strong indicator that something is wrong. In addition to treating any Word document that arrives in an email as highly suspicious, we recommend that you consider the following:
- Warn your users and let them know of the heightened risk related to this attack right now, so they will be better prepared if they receive an email with one of these attachments.
- Consider sharing documents through SecuriSync® instead, which can mitigate the risk.
- Within your email filtering solution, such as Intermedia Email Protection, consider temporarily putting a policy in place to block Word documents, just until Microsoft releases the patch.
- If you manage your systems with Active Directory®, consider:
  - Temporarily enabling the Group Policy Object (GPO) that disallows editing of flagged files. Users will then get read-only Protected View for any document that Microsoft recognizes as unsafe.
  - Within Trust Center, enabling the GPO that uses File Block to block .rtf files, so they cannot be opened even in Protected View.
There is currently no patch for this bug; however, Microsoft is expected to release a fix in its next round of security updates tomorrow. Be on the lookout for communications from Microsoft on this matter.

Sincerely,
Ryan Barrett, VP of Security & Privacy, Intermedia
Copyright © The Client Server, Inc. All rights reserved