Showing posts with label Firewall.

SonicWall Breached via Zero-Day Flaw


SonicWall revealed on Friday night that highly sophisticated threat actors attacked its internal systems by exploiting a probable zero-day vulnerability in the company's secure remote access products.

The Milpitas, Calif.-based platform security vendor said the compromised NetExtender VPN client and the SMB-oriented Secure Mobile Access (SMA) 100 series products are used to give employees and customers remote access to internal resources. The SMA 1000 series is not susceptible to this attack and uses clients other than NetExtender, according to SonicWall.

SonicWall declined to answer questions about whether the attack on its internal systems was carried out by the same threat actor that, over an extended period, injected malicious code into the SolarWinds Orion network monitoring tool.

The company did note, however, that it has seen a “dramatic surge” in cyberattacks against firms that provide critical infrastructure and security controls to governments and businesses. The company said it is providing mitigation recommendations to its channel partners and customers. Multi-factor authentication should be enabled on all SonicWall SMA, firewall and MySonicWall accounts, according to SonicWall.

Products compromised in the SonicWall breach include the NetExtender VPN client version 10.x (released in 2020), used to connect to SMA 100 series appliances and SonicWall firewalls, as well as SonicWall's SMA version 10.x running on the SMA 200, SMA 210, SMA 400 and SMA 410 physical appliances and the SMA 500v virtual appliance. SonicWall partners and customers using the SMA 100 series should either use a firewall to permit SSL-VPN connections to the SMA appliance only from known/whitelisted IPs, or configure whitelist access directly on the SMA itself, according to the company.

For firewalls with SSL-VPN access using the compromised version of the NetExtender VPN client, partners and customers should either disable NetExtender access to the firewalls or restrict access to users and administrators through an allow list/whitelist of their public IPs, according to SonicWall.
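The two SonicWall recommendations above (only permit SSL-VPN connections from known/whitelisted IPs, and review who is actually reaching the appliance) can be checked and expressed in code. The following is an added example written for this page, not SonicWall's own code or configuration: it assumes a hypothetical connection-log format of "timestamp src dst dport action", a constructed allowlist of public IP ranges, and a Linux-based perimeter firewall in front of the appliance for which it renders nftables rule lines (the appliance address 192.0.2.10 and the log entries are constructed documentation-range values). It flags accepted SSL-VPN connections whose source is outside the allowlist and renders the allowlist as an accept-then-drop rule pair.

```python
import ipaddress
from dataclasses import dataclass

# Constructed allowlist of public IPs/CIDRs for users and administrators who
# are permitted to reach the SSL-VPN service (hypothetical values).
ALLOWLIST = [
    "203.0.113.0/24",   # branch office range (constructed)
    "198.51.100.7/32",  # administrator's static IP (constructed)
]

SSLVPN_PORT = 443
APPLIANCE_IP = "192.0.2.10"  # constructed address of the SSL-VPN appliance

# Constructed sample log lines: "timestamp src dst dport action".
SAMPLE_LOG = """\
2021-01-23T02:14:07Z 203.0.113.44 192.0.2.10 443 accept
2021-01-23T02:15:31Z 198.51.100.7 192.0.2.10 443 accept
2021-01-23T02:16:02Z 192.0.2.200 192.0.2.10 443 accept
2021-01-23T02:16:45Z 203.0.113.44 192.0.2.10 22 accept
2021-01-23T02:17:10Z 198.51.100.250 192.0.2.10 443 accept
"""


@dataclass
class Connection:
    ts: str
    src: ipaddress._BaseAddress
    dst: str
    dport: int
    action: str


def parse_log(text):
    """Parse the hypothetical log format into Connection records, skipping malformed lines."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, action = parts
        conns.append(Connection(ts, ipaddress.ip_address(src), dst, int(dport), action))
    return conns


def build_allowlist(entries):
    """Turn CIDR/host strings into network objects; strict=False tolerates host bits."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_allowed(ip, networks):
    """True if the source address falls inside any allowlisted network.
    A version mismatch (IPv6 address vs IPv4 network) simply yields False."""
    return any(ip in net for net in networks)


def find_violations(conns, networks, port=SSLVPN_PORT):
    """Accepted connections to the SSL-VPN port from sources outside the allowlist.
    Connections to other ports are out of scope for this check."""
    return [
        c for c in conns
        if c.dport == port and c.action == "accept" and not is_allowed(c.src, networks)
    ]


def nft_rules(entries, appliance_ip, port=SSLVPN_PORT):
    """Render the allowlist as two nftables rule lines for an existing filter
    chain (placement in a chain is assumed): accept listed sources, drop the rest.
    Single-host /32 entries are written as plain addresses."""
    sources = []
    for e in entries:
        net = ipaddress.ip_network(e, strict=False)
        sources.append(str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net))
    return [
        f"ip saddr {{ {', '.join(sources)} }} ip daddr {appliance_ip} tcp dport {port} accept",
        f"ip daddr {appliance_ip} tcp dport {port} drop",
    ]


if __name__ == "__main__":
    networks = build_allowlist(ALLOWLIST)
    for c in find_violations(parse_log(SAMPLE_LOG), networks):
        print(f"{c.ts} SSL-VPN connection from non-allowlisted source {c.src}")
    print("\n".join(nft_rules(ALLOWLIST, APPLIANCE_IP)))
```

The drop rule is deliberately emitted as a second line rather than folded into the first so that the order (accept the listed sources, then drop everything else to that port) is explicit when the lines are pasted into a chain; on the sample log the check reports the two accepted port-443 connections from 192.0.2.200 and 198.51.100.250, and ignores the port-22 entry.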

The networking device maker, whose products are commonly used to secure access to corporate networks, now becomes the fourth security vendor to disclose a security breach in recent months, after FireEye, Microsoft and Malwarebytes. All three of those companies were breached during the SolarWinds supply chain attack. CrowdStrike said it was also targeted in the SolarWinds hack, but the attack did not succeed.

City of Cornelia Witnessed Fourth Ransomware Attack


It seems the city of Cornelia has become all too used to the horrors of ransomware: on Saturday it suffered its fourth ransomware attack within the last two years, City Manager Donald Anderson said on Tuesday. Just after Christmas, on the morning of December 26, 2020, the city of Cornelia received a malware attack as its Christmas gift. Experts say this may not be the last incident, but part of a worsening trend the city may face in the near future.

Although the city spent almost $30,000 upgrading its firewall after the previous attack in September 2019 to better shield its systems, the hackers were still able to take over the administration's data system and knock it offline.

In a statement, the city manager said the city has “anticipated such situations in and out with abundance of caution” and has “taken down our network while we investigate the situation and restore our data.” Given its gravity, the situation is being monitored not only by state officials; outside experts have also stepped in to investigate.

According to Anderson, local services such as the emergency phone lines, garbage pickup and utility work are not disrupted and are functioning normally. Email services and the city hall phones are also operating normally. However, because the city's software data system is down, employees and residents are at a standstill: they can neither look up bill balances nor accept credit card payments for city services.

Although most city functions are unaffected by the attack, the operators behind the ransomware were still able to incapacitate the city of Cornelia's newly installed water treatment plant.

“According to them the business model of those behind the ransomware is typically NOT to profit off of selling the personal information of the city employees or our citizens on the internet – it is to extract a payment from the city,” Anderson added. Meanwhile, city officials declined to disclose any further information and asked residents for cooperation and support, urging them to stay patient and calm until the situation is resolved.

The Cowlitz County PUD falls prey to a cyber attack in the United States


According to an investigation published by the Wall Street Journal last week, the Cowlitz County PUD is among more than a dozen businesses that fell prey to a recent cyber attack in the United States. Alice Dietz, spokesperson for Cowlitz County PUD, confirmed on Wednesday that the company's firewall blocked the only malicious e-mail the attackers sent. "We have pride in our Cybersecurity staff. We remain to achieve effective cyber safety standards. This is a classic instance of how serious Cowlitz County PUD is for its security," said Dietz in a statement.


No customer complaints about the attacks have surfaced so far. The still-unidentified attackers tried to plant malware on business networks across America using fraudulent e-mails. When recipients open these phishing emails, the malware gains entry to the user's computer. The malware sent to the businesses is called "Lookback." It lets attackers seize control of targets' networks and steal data. Very few users at each business were targeted. The hackers researched the utility firms before launching the attack.

"We are unaware of the employee that was targeted nor do we know the contents of the emails," says Dietz. "Experts recognized a couple of times in July and August when attackers had sent phishing e-mails," reports the Washington Journal. Dietz further says that the company only received a mail in August, and that the malicious email was blocked by the company's firewall protection. "Our staff was not aware of 'Lookback'; it only surfaced when the FBI looked into the issue. However, the FBI research didn't find any malicious emails in the company's data system," Cowlitz County PUD GM Gary Huhta told the Washington Journal.

"The hackers forgot classifying data on victims shortly revealed on in a Hong Kong server," cyber-security experts told the Washington Journal. "The company's safety mode itself obstructs e-mails from abroad," Dietz told The Daily News. Businesses across the United States were attacked. "Another Washington business that was attacked was Klickitat County PUD," says the Washington Journal. The cyberattack was initially discovered by researchers at Proofpoint, a Silicon Valley cyber security firm.

Imperva Firewall Breached: Users' API Keys, SSL Certificates Exposed



Imperva, a leading security vendor, disclosed a security breach that exposed API keys, SSL certificates, hashed passwords and email addresses for a subset of its customers using the Cloud Web Application Firewall (WAF) product.

Previously known as Incapsula, the Cloud WAF inspects incoming requests to applications and blocks malicious activity.

The breach was reported to the California-based firm by a third party on August 20; the details of the disclosure have yet to be made public.

In conversation with Threatpost, Chris Morales, Head of Security Analytics at Vectra, said, “Losing SSL certificates and API access to an enterprise network is concerning. Secure web gateways, firewalls, intrusion detection and prevention systems, and data loss prevention (DLP) products all perform some form of SSL intercept and decryption to perform DPI.”

“While we often point to lack of maturity of security operations or misconfiguration of cloud systems as to why a company would miss an attack, it is even more unfortunate when a security vendor who builds a cloud security product is compromised that should have the skills and capabilities to detect and respond to cyberattacks,” he added.

Quoting CEO Chris Hylen: “We want to be very clear that this data exposure is limited to our Cloud WAF product… Elements of our Incapsula customer database through September 15, 2017, were exposed. These included: email addresses; hashed and salted passwords. And for a subset of the Incapsula customers through September 15, 2017: API keys and customer-provided SSL certificates.”

Reassuring users, he said, “We continue to investigate this incident around the clock and have stood up a global, cross-functional team.”

As a remedial measure, Imperva enforced password resets and 90-day password expiration for the product, which is a key component of the company's flagship application security solution.