Sophos 2020



Sophos Cloud Optix – See which of your Amazon Web Services and Microsoft Azure hosts are protected by Sophos, and check their security health, in Cloud Optix. Also, see XG Firewalls on AWS in the Cloud Optix network visualization. Sophos Cloud Optix is launching late December 2020.

Sophos has released the following detection signatures to address the critical SMB vulnerability (CVE-2020-0796) in our network firewall IPS products. Please note that Sophos may release additional detections for these or other vulnerabilities in the future. Signatures 2302022 and 2301958 are supported by all versions of the Sophos IPS products.

July 8, 2020 – According to The State of Cloud Security 2020, a global survey from next-generation cybersecurity leader Sophos, nearly three quarters (70%) of organizations experienced a public cloud security incident in the last year, including ransomware and other malware (50%), exposed data (29%), compromised accounts (25%), and cryptojacking (17%).

EMEA Sophos Central Academy 2020 - Attend 10+ sessions and you will be conferred a 'participation certificate' from Sophos Central Academy! - Monday, August 5, 2019 - Location TBD.

OXFORD, United Kingdom, April 21, 2021 (GLOBE NEWSWIRE) -- Sophos, a global leader in next-generation cybersecurity, today unveiled new XGS Series firewall appliances with unrivaled performance and advanced protection against cyberattacks. The new appliances feature industry-best Transport Layer Security (TLS) inspection, including native support for TLS 1.3, that is up to five times faster than other models available on the market today.

“Sophos Firewall XGS Series appliances represent the most significant hardware upgrade that we have ever released and introduce unmatched detection, protection and speed,” said Dan Schiappa, chief product officer at Sophos. “Security teams can no longer afford to overlook encrypted traffic for fear of breaking something or hurting performance – there’s too much at risk. We’ve completely redesigned the Sophos Firewall hardware to handle the modern encrypted internet. Security teams now have the ability to easily inspect encrypted traffic and shine light on what was once a black hole, and they can confidently do so without compromising on performance.”

Cybercriminals Increasingly Using TLS to Avoid Detection
Sophos today also published new research, “Nearly Half of Malware Now Use TLS to Conceal Communications,” identifying a surge in cybercriminals using TLS in their attacks. The increasingly popular tactic is used by adversaries to encrypt and encapsulate the content of malicious communications to avoid detection as they carry out attacks.

In fact, 45% of malware detected by Sophos from January through March 2021 used TLS to conceal malicious communications. That’s a staggering rise from the 23% Sophos reported in early 2020. Sophos has also seen an increase in the use of TLS to carry out ransomware attacks in the past year, particularly with manually-deployed ransomware. The majority of malicious TLS traffic that Sophos has detected includes initial-compromise malware, such as loaders, droppers and document-based installers like BazarLoader, GoDrop and ZLoader.

“TLS has undoubtably changed the privacy of internet communications for the better, but for all the good it’s done, it’s also made it much easier for attackers to download and install malicious modules and exfiltrate stolen data – right under the noses of IT security teams and most security technologies,” said Schiappa. “Attackers are taking advantage of TLS-protected web and cloud services for malware delivery and for command and control. Their initial compromise malware is simply the advance guard for major attacks, as they’re setting up camp for the heavy artillery that follows, like ransomware.”

Accelerating Threat Protection
Powered by Sophos Firewall’s Xstream architecture, XGS Series appliances deliver the industry’s best zero-day threat protection, identifying and stopping the most advanced known and potential threats – including ransomware. Protection is fueled by powerful threat intelligence, available only through SophosLabs Intelix and based on petabytes of SophosLabs threat data. Suspicious files are safely detonated in SophosLabs Intelix virtual environments as well as subjected to in-depth static analysis for additional detection coverage and intelligence gathering.

New Xstream flow processors within the appliances automatically accelerate trusted traffic, such as software as a service (SaaS), software-defined wide-area network (SD-WAN) and cloud applications, providing maximum headroom for traffic requiring TLS and deep packet inspection. This greatly reduces latency and improves overall performance for important business applications, particularly those using real-time data. The Xstream flow processors are software programmable, allowing Sophos to offload additional traffic in the future. The flexibility to enhance and adapt connectivity on the hardware itself further protects customers’ hardware investment.

Sophos provides unique and intuitive dashboard visibility of TLS traffic and inspection issues, and security administrators can add exceptions for problematic streams with one click. Performance is also optimized out of the box with an extensive set of rules that are updated and maintained by SophosLabs to exclude safe traffic from inspection.

Sophos Firewall XGS Series appliances and firmware are easily managed on the cloud-based Sophos Central platform alongside Sophos’ entire portfolio of next-generation cybersecurity solutions. Solutions share threat intelligence and automatically respond to security incidents through Sophos’ unique synchronized security approach. Integration with Sophos Managed Threat Response (MTR) further boosts protection with human analysis for 24/7 fully managed threat detection and response.

Availability
Sophos Firewall XGS Series desktop and most 1U rackmount appliances are available for immediate purchase exclusively through Sophos’ global channel of partners and managed service providers (MSPs). These models are ideally suited for small, medium and distributed organizations as an all-in-one network security solution with a strong price to performance ratio and diverse add-on connectivity options. Additional models designed for enterprise edge environments requiring maximum throughput for more complex network configurations will be available in the coming weeks. Simplified licensing includes bundled protection with enhanced support.

What Analysts and Channel Partners Say
“Firewall appliances are evolving to secure newer use cases, including cloud and the sudden shift to a growing remote workforce,” said Frank Dickson, program vice president at IDC. “The elegance of Sophos Firewall’s Xstream dual processor architecture approach is its ability to accelerate trusted traffic from so-called ‘elephant flows’— large media streams, VoIP traffic and even cloud applications — to then leverage the general purpose CPU to perform appropriate resource-intensive processes, such as deep packet inspection and TLS inspection. The result is an adaptable network appliance designed to provide protection while meeting changing and accelerating business demands across a variety of use cases.”

“The new XGS Series firewall appliances are screaming fast with rock solid, unbreakable stability. We captured an immediate increase in performance that doubled our throughput, which completely blew us away. Sophos Firewall has always been industry best, but the XGS Series appliances are revolutionary and beyond compare with cutting-edge innovation that’s years ahead of other offerings,” said Sam Heard, president at Data Integrity Services. “Sophos Firewall provides the protection our customers need as they increasingly move business critical applications to the cloud and adopt zero trust technologies. It’s a win-win for channel partners, who further benefit with tremendous growth opportunities to cross and up-sell across the entire suite of Sophos solutions and services.”

“Sophos is raising the bar and pushing the cybersecurity industry forward at warp speed with its new XGS Series appliances, which are nothing short of amazing,” said Karen Greer, CEO at Secure Content Technologies. “Appliance installation is incredibly simple, and within minutes I could hear our technician yelling through the wall, ‘wow, this is fast!’ Sophos Firewall is effortlessly managed on Sophos Central, making it exponentially easier to secure and manage diverse and complex customer environments. Knowing that Sophos Firewall automatically shares threat intelligence with other solutions on the platform through Sophos’ synchronized security heartbeat feature is game changing, giving us complete confidence and peace of mind that our customers are protected – even the most evasive threats don’t stand a chance at getting by.”

Additional Resources

  • Read the Naked Security article, “When Cryptography Attacks – How TLS Helps Malware to Hide in Plain Sight”
  • Watch the video, TLS Encryption Explained, to see how attackers are using TLS encryption to commit cybercrime
  • Learn how SystemBC and Agent Tesla use TLS
  • Learn how Sophos Firewall protects against Hafnium
  • Read Sophos’ 2021 Threat Report to learn more about cybersecurity trends
  • Read the latest security news and views on Sophos’ award-winning news website Naked Security and on Sophos News
  • Connect with Sophos on Twitter, LinkedIn, Facebook, Spiceworks, and YouTube

About Sophos
As a worldwide leader in next-generation cybersecurity, Sophos protects more than 400,000 organizations of all sizes in more than 150 countries from today’s most advanced cyber threats. Powered by SophosLabs – a global threat intelligence and data science team – Sophos’ cloud-native and AI-powered solutions secure endpoints (laptops, servers and mobile devices) and networks against evolving cyberattack techniques, including ransomware, malware, exploits, data exfiltration, active-adversary breaches, phishing, and more. Sophos Central, a cloud-native management platform, integrates Sophos’ entire portfolio of next-generation products, including the Intercept X endpoint solution and the XG next-generation firewall, into a single “synchronized security” system accessible through a set of APIs. Sophos has been driving a transition to next-generation cybersecurity, leveraging advanced capabilities in cloud, machine learning, APIs, automation, managed threat response, and more, to deliver enterprise-grade protection to any size organization. Sophos sells its products and services exclusively through a global channel of more than 53,000 partners and managed service providers (MSPs). Sophos also makes its innovative commercial technologies available to consumers via Sophos Home. The company is headquartered in Oxford, U.K. More information is available at www.sophos.com.

Contact Information:
Hanah Johnson: sophos@marchcomms.com

Photos accompanying this announcement are available at
https://www.globenewswire.com/NewsRoom/AttachmentNg/d584b28f-7216-48dd-a0ca-f93f49e1ed3b


The operators of Ryuk ransomware are at it again. After a long period of quiet, we identified a new spam campaign linked to the Ryuk actors—part of a new wave of attacks. And in late September, Sophos’ Managed Threat Response team assisted an organization in mitigating a Ryuk attack—providing insight into how the Ryuk actors’ tools, techniques and practices have evolved. The attack is part of a recent wave of Ryuk incidents tied to recent phishing campaigns.

First spotted in August of 2018, the Ryuk gang gained notoriety in 2019, demanding multi-million-dollar ransoms from companies, hospitals, and local governments. In the process, the operators of the ransomware pulled in over $61 million just in the US, according to figures from the Federal Bureau of Investigation. And that’s just what was reported—other estimates place Ryuk’s take in 2019 in the hundreds of millions of dollars.

Starting around the beginning of the worldwide COVID-19 pandemic, we saw a lull in Ryuk activity. There was speculation that the Ryuk actors had moved on to a rebranded version of the ransomware, called Conti. The campaign and attack we investigated was interesting both because it marked the return of Ryuk with some minor modifications, but also showed an evolution of the tools used to compromise targeted networks and deploy the ransomware.

The attack was also notable because of how quickly the attacks can move from initial compromise to ransomware deployment. Within three and a half hours of a target opening a phishing email attachment, attackers were already conducting network reconnaissance. Within a day, they had gained access to a domain controller, and were in the early stages of an attempt to deploy ransomware.

The attackers were persistent as well. As attempts to launch the attack failed, the Ryuk actors attempted multiple times over the next week to install new malware and ransomware, including renewed phishing attempts to re-establish a foothold. Before the attack had concluded, over 90 servers and other systems were involved in the attack, though ransomware was blocked from full execution.

Let the wrong one in

The attack began on the afternoon of Tuesday, September 22. Multiple employees of the targeted company had received highly targeted phishing emails:

From: Alex Collins [spoofed external email address]

To: [targeted individual]

Subject: Re: [target surname] about debit

Please call me back till 2 PM, i will be in [company name] office till 2 PM.

[Target surname], because of [company name]head office request #96-9/23 [linked to remote file], i will process additional 3,582 from your payroll account.

[Target first name], call me back when you will be available to confirm that all is correct.

Here is a copy of your statement in PDF[linked to remote file].

Alex Collins

[Company name] outsource specialist

The link, served up through the mail delivery service Sendgrid, redirected to a malicious document hosted on docs.google.com. The email was tagged with external sender warnings by the company’s mail software. And multiple instances of the malicious attachment were detected and blocked.

But one employee clicked on the link in the email that afternoon. The user opened the document and enabled its content, allowing the document to execute print_document.exe—a malicious executable identified as Buer Loader. Buer Loader is a modular malware-as-a-service downloader, introduced on underground forums for sale in August of 2019. It provides a web panel-managed malware distribution service; each downloader build sold for $350, with add-on modules and download address target changes billed separately.

In this case, upon execution, the Buer Loader malware dropped qoipozincyusury.exe, a Cobalt Strike “beacon,” along with other malware files. Cobalt Strike’s beacon, originally designed for attacker emulation and penetration testing, is a modular attack tool that can perform a wide range of tasks, providing access to operating system features and establishing a covert command and control channel within the compromised network.

Over the next hour and a half, additional Cobalt Strike beacons were detected on the initially compromised system. The attackers were then able to successfully establish a foothold on the targeted workstation for reconnaissance and to hunt for credentials.

A few hours later, the Ryuk actors’ reconnaissance of the network began. The following commands were run on the initially infected system:

  • C:\WINDOWS\system32\cmd.exe /C whoami /groups (accessing list of AD groups the local user is in)
  • C:\WINDOWS\system32\cmd.exe /C nltest /domain_trusts /all_trusts (returns a list of all trusted domains)
  • C:\WINDOWS\system32\cmd.exe /C net group "enterprise admins" /domain (returns a list of members of the "enterprise admins" group for the domain)
  • C:\WINDOWS\system32\net1 group "domain admins" /domain (the same, but a list of the group "domain admins")
  • C:\WINDOWS\system32\cmd.exe /C net localgroup administrators (returns a list of administrators for the local machine)
  • C:\WINDOWS\system32\cmd.exe /C ipconfig (returns the network configuration)
  • C:\WINDOWS\system32\cmd.exe /C nltest /dclist:[target company domain name] (returns names of the domain controllers for the company domain name)
  • C:\WINDOWS\system32\cmd.exe /C nltest /dclist:[target company name] (the same, but checking for domain controllers using the company name as the domain name)
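A burst of these discovery commands is easy to spot in process-creation telemetry once events are correlated per host. The detector below is an added example, not code from the Sophos write-up: it turns the command list above into rules and runs them over a constructed, simplified process-creation log (the log format, host names, parent process names, time window and threshold are all assumptions).

```python
"""Flag per-host bursts of the AD discovery commands seen in the Ryuk intrusion.

Constructed example. Log format, hosts, thresholds and window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed correlation window; tune per environment
MIN_DISTINCT = 3                # assumed: distinct discovery commands per host to alert

# Rules derived from the command list in the write-up, applied to lower-cased command lines.
DISCOVERY_RULES = [
    ("whoami_groups",      re.compile(r"\bwhoami(\.exe)?\s+/groups")),
    ("nltest_trusts",      re.compile(r"\bnltest(\.exe)?\s+/domain_trusts")),
    ("nltest_dclist",      re.compile(r"\bnltest(\.exe)?\s+/dclist:")),
    ("net_group_domain",   re.compile(r'\bnet1?(\.exe)?\s+group\s+"?(enterprise|domain) admins"?.*\s/domain\b')),
    ("net_localgroup_adm", re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+administrators")),
    ("ipconfig",           re.compile(r"\bipconfig(\.exe)?\b")),
]

# Assumed one-line-per-event format (Sysmon Event ID 1 style, flattened).
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) parent=(?P<parent>\S+) cmd=(?P<cmd>.*)$")

# Constructed sample log: WS-0142 mirrors the burst described above (parent process
# named after the beacon file from the write-up); WS-0077 is benign helpdesk activity.
SAMPLE_LOG = """\
2020-09-22T20:41:02Z host=WS-0142 user=CORP\\jdoe parent=qoipozincyusury.exe cmd=C:\\WINDOWS\\system32\\cmd.exe /C whoami /groups
2020-09-22T20:41:09Z host=WS-0142 user=CORP\\jdoe parent=qoipozincyusury.exe cmd=C:\\WINDOWS\\system32\\cmd.exe /C nltest /domain_trusts /all_trusts
2020-09-22T20:41:30Z host=WS-0142 user=CORP\\jdoe parent=qoipozincyusury.exe cmd=C:\\WINDOWS\\system32\\cmd.exe /C net group "enterprise admins" /domain
2020-09-22T20:41:31Z host=WS-0142 user=CORP\\jdoe parent=cmd.exe cmd=C:\\WINDOWS\\system32\\net1 group "domain admins" /domain
2020-09-22T20:42:05Z host=WS-0142 user=CORP\\jdoe parent=qoipozincyusury.exe cmd=C:\\WINDOWS\\system32\\cmd.exe /C ipconfig
2020-09-22T20:43:10Z host=WS-0142 user=CORP\\jdoe parent=qoipozincyusury.exe cmd=C:\\WINDOWS\\system32\\cmd.exe /C nltest /dclist:corp.example
2020-09-22T09:15:44Z host=WS-0077 user=CORP\\helpdesk parent=explorer.exe cmd=C:\\WINDOWS\\system32\\cmd.exe /C ipconfig /all
2020-09-22T09:16:01Z host=WS-0077 user=CORP\\helpdesk parent=explorer.exe cmd=C:\\WINDOWS\\system32\\cmd.exe /C whoami /groups
"""


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def classify(cmd):
    """Return the names of every discovery rule matched by one command line."""
    normalized = cmd.lower().replace("\u201c", '"').replace("\u201d", '"')
    return [name for name, rx in DISCOVERY_RULES if rx.search(normalized)]


def detect_discovery_bursts(lines):
    """Alert once per host when >= MIN_DISTINCT distinct discovery commands fall inside WINDOW."""
    per_host = defaultdict(list)
    for event in filter(None, map(parse_line, lines)):
        for name in classify(event["cmd"]):
            per_host[event["host"]].append((event["ts"], name, event["parent"], event["cmd"]))
    alerts = []
    for host, hits in per_host.items():
        hits.sort()
        for t0, _, _, _ in hits:
            window = [h for h in hits if t0 <= h[0] <= t0 + WINDOW]
            names = {h[1] for h in window}
            if len(names) >= MIN_DISTINCT:
                # Queries for privileged groups or domain controllers indicate targeting, not curiosity.
                severity = "high" if names & {"net_group_domain", "nltest_dclist"} else "medium"
                alerts.append({"host": host, "start": window[0][0], "severity": severity,
                               "rules": sorted(names), "parents": sorted({h[2] for h in window})})
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_discovery_bursts(SAMPLE_LOG.splitlines()):
        print(alert)
```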

Forward lateral

Using this data, by Wednesday morning the actors had obtained administrative credentials and had connected to a domain controller, where they performed a data dump of Active Directory details. This was most likely accomplished through the use of SharpHound, a Microsoft C#-based data “ingestor” tool for BloodHound (an open-source Active Directory analysis tool used to identify attack paths in AD environments). A data dump from the tool was written to a user directory for the compromised domain administrator account on the domain server itself.

Another Cobalt Strike executable was loaded and launched a few hours later. That was followed immediately by the installation of a Cobalt Strike service on the domain controller using the domain administrator credentials obtained earlier. The service was a chained Server Message Block listener, allowing Cobalt Strike commands to be passed to the server and other computers on the network. Using Windows Management Instrumentation (WMI), the attackers remotely executed a new Cobalt Strike beacon on the same server.

In short order, other malicious services were created on two other servers using the same admin credentials, using Windows Management Instrumentation from the initially compromised PC. One of the services configured was an encoded PowerShell command creating yet another Cobalt communications pipe.

The actors continued to perform reconnaissance activities from the initially infected desktop, executing commands trying to identify potential targets for further lateral movement. Many of these repeated previous commands. The nltest command was used in an attempt to retrieve data from domain controllers on other domains within the enterprise Active Directory tree. Other commands pinged specific servers, attempting to gain IP addresses. The actors also checked against all mapped network shares connected to the workstation and used WMI to check for active Remote Desktop sessions on another domain controller within the Active Directory tree.

Setting the trap

Late Wednesday afternoon—less than a day after the victim’s click on the phish—the Ryuk actors began preparations to launch their ransomware. Using the beachhead on the initially compromised PC, the attackers used RDP to connect to the domain controller with the admin credentials obtained the day before. A folder named C:\Perflogs\grub.info.test2 – Copy was dropped on the domain controller—a name consistent with a set of tools deployed in previous Ryuk attacks. A few hours later, the attackers ran an encoded PowerShell command that, accessing Active Directory data, generated a dump file called ALLWindows.csv, containing login, domain controller and operating system data for Windows computers on the network.

Next, the SystemBC malicious proxy was deployed on the domain controller. SystemBC is a SOCKS5 proxy used to conceal malware traffic that shares code and forensic markers with other malware from the Trickbot family. The malware installed itself (as itvs.exe), and created a scheduled job for the malware, using the old Windows task scheduler format in a file named itvs.job—in order to maintain persistence.

A PowerShell script loaded into the grub.info.test folder on the domain controller was executed next. This script, Get.DataInfo.ps1, scans the network and provides an output of which systems are active. It also checks which AV is running on each system.

The Ryuk actors used a number of methods to attempt to spread files to additional servers, including file shares, WMI, and Remote Desktop Protocol clipboard transfer. WMI was used to attempt to execute GetDataInfo.ps1 against yet another server.

Failure to launch

Thursday morning, the attackers spread and launched Ryuk. This version of Ryuk had no substantial changes from earlier versions we’ve seen in terms of core functionality, but Ryuk’s developers did add more obfuscation to the code to evade memory-based detections of the malware.

The organizational backup server was among the first targeted. When Ryuk was detected and stopped on the backup server, the attackers used the icacls command to modify access control, giving them full control of all the system folders on the server.

They then deployed GMER, a “rootkit detector” tool.

GMER is frequently used by ransomware actors to find and shut down hidden processes, and to shut down antivirus software protecting the server. The Ryuk attackers did this, and then they tried again. Ryuk ransomware was redeployed and re-launched three more times in short order, attempting to overwhelm remaining defenses on the backup server.

Ransom notes were dropped in the folders hosting the ransomware, but no files were encrypted.

In total, Ryuk was executed in attacks launched from over 40 compromised systems, but was repeatedly blocked by Sophos Intercept X. By noon on Thursday, the ransomware portion of the attack had been thwarted. But the attackers weren’t done trying—and weren’t off the network yet.

On Friday, defenders deployed a block across the domains affected by the attack for the SystemBC RAT. The next day, the attackers attempted to activate another SOCKS proxy on the still-compromised domain controller. And additional Ryuk deployments were detected over the following week—along with additional phishing attempts and attempts to deploy Cobalt Strike.

Lessons learned

The tactics exhibited by the Ryuk actors in this attack demonstrate a solid shift away from the malware that had been the basis of most Ryuk attacks last year (Emotet and Trickbot). The Ryuk gang shifted from one malware-as-a-service provider (Emotet) to another (Buer Loader), and has apparently replaced Trickbot with more hands-on-keyboard exploitation tools—Cobalt Strike, BloodHound, and GMER, among them—and built-in Windows scripting and administrative tools to move laterally within the network. And the attackers are quick to change tactics as opportunities to exploit local network infrastructure emerge—in another recent attack Sophos responded to this month, the Ryuk actors also used Windows Group Policy Objects deployed from the domain controller to spread ransomware. And other recent attacks have used another Trickbot-connected backdoor known as Bazar.

The variety of tools being used, including off-the-shelf and open-source attack tools, and the volume and speed of attacks is indicative of an evolution in the Ryuk gang’s operational skills. Cobalt Strike’s “offensive security” suite is a favorite tool of both state-sponsored and criminal actors, because of its relative ease of use and broad functionality, and its wide availability—“cracked” versions of the commercially-licensed software are readily purchased in underground forums. And the software provides actors with a ready-made toolkit for exploitation, lateral movement, and many of the other tasks required to steal data, escalate the compromise and launch ransomware attacks without requiring purpose-made malware.

While this attack happened quickly, the persistence of the attacks following the initial failure of Ryuk to encrypt data demonstrates that the Ryuk actors—like many ransomware attackers—are slow to unlatch their jaws, and can persist for long periods of time once they’ve moved laterally within the network and established additional backdoors. The attack also shows that Remote Desktop Protocol can be dangerous even when it is inside the firewall.

IOCs for this attack are posted on the SophosLabs GitHub here.

SophosLabs would like to acknowledge the contributions of Peter Mackenzie, Elida Leite, Syed Shahram and Bill Kearney of the MTR team, and Anand Aijan, Sivagnanam Gn, and Suraj Mundalik of SophosLabs to this report.