New beta adds IRM controls for DLP to help protect sensitive content in documents

What’s changing 

You can now automatically restrict the ability to download, print, and copy sensitive documents through data loss prevention (DLP) rules. These new DLP-driven information rights management (IRM) controls, currently available in beta, will make it more difficult for users to make copies of documents that might expose sensitive content. 

G Suite DLP rules already enabled admins to limit the sharing of documents directly. However, users could still make copies of a document by printing it, copying its content to unmanaged locations, or downloading it to physical media. These copies were not subject to the same sharing controls, increasing the risk of that content being exposed. 

Who’s impacted 

Admins and end users 

Why it’s important 

The new IRM controls will help ensure that only a single version of sensitive documents exists, and therefore that company DLP policies will help protect it. This could help reduce the potential for accidental or intentional exposure of sensitive content in documents. It also reduces the need for end-users to recognize and manually adjust the IRM settings for files, creating a more scalable and automated process to protect your organization’s content. 

Additional details 

Admin setting for IRM in the DLP rule creation workflow 

When you’re creating or editing a DLP rule, there will be a new option: “Beta: Disable download, print, and copy for commenters and viewers.” If selected, this will prevent downloading, printing, and copying of the document unless the user has editor or owner permissions. Note that this is only available as part of our new Drive DLP system. 

Admins can add IRM controls to DLP rules 

Users will see new notifications on affected files 

Document editors and owners will see a new note in the settings section of the sharing screen, as pictured below. Users with view or comment access will not be able to download, copy, or print the document—these options will be greyed out for them. Note that this only places limits on the “viewer” and “commenter” roles within Drive. 

Document owners and editors will see a new note when they try to share the document 

Document viewers and commenters will have print, download, and copy options greyed out 

Getting started 

  • Admins: This feature will be OFF by default and can be enabled as part of new and existing DLP rules. Visit the Help Center to learn more about how to create new DLP rules and see FAQs about the Drive DLP IRM beta. 
  • End users: There is no end user setting for this feature. 

Rollout pace 

  • This feature is available now for all users. 

Availability 

  • Available to G Suite Enterprise, G Suite Enterprise for Education, G Suite for Education, and G Suite Enterprise Essentials customers 
  • Not available to G Suite Basic, G Suite Business, and G Suite for Nonprofits, and G Suite Essentials customers 



Net Universe offers all Google devices with worldwide Delivery Services.
Send us an email to [email protected] for more information or visit https://www.netuniversecorp.com/google.
You can visit our Shop Online

 

Emotet’s return is the canary in the coal mine – Sophos News

In the past week, we’ve observed that one of the most prevalent, widely-distributed malware families in the world has reawakened after a prolonged absence. Emotet, the ubiquitous botnet that arrives in the guise of any of a thousand different bogus email messages, never really went away when it suddenly stopped appearing in our internal records and feeds of spam emails in February.

The sudden disappearance of the malware gave rise to a lot of rumors that the creators had been arrested, or contracted COVID-19, or simply had retired and planned to live the good life on the Black Sea coast. But these theories were squashed on July 17th, when we saw a new wave of Emotet attacks swing back into action.

Senior threat researcher and manager of the Abingdon, UK detection team, Richard Cohen, wrote this about its resurgence last week.

We’ve talked a lot about Emotet in the past, including showing its malware ecosystem, and providing a series of deep-dive 101s, not forgetting showing the authors venting their frustration at Sophos. But then in February 2020, Emotet ceased production – its botnets stopped activity, and the waves of spam campaigns went silent. This isn’t the first time it’s vanished off the radar, only to rise again months later – and that’s exactly what we saw again last Friday.

Unfortunately, Emotet is not merely a tool for thievery; the botnet also acts as a delivery mechanism for other malware, walking it through firewalls over the encrypted channels it creates and bypassing network-based defenses.

As a result, we’ve investigated many, many cases in which a large-scale ransomware infection began as the result of this simple but effective Trojan lying undetected for a period of time, before the infected computer was used as a staging area for a larger attack against the company or organization on whose network it insinuated itself.

Richard goes on to write:

Emotet’s fundamental MO hasn’t changed, as you can see from Microsoft Security Intelligence’s tweets. And the protection SophosLabs has been building against different stages of these attacks remains strong.

These defenses work remarkably well. In fact, they work so well that the malware’s creators added a small plaintext note to the source code letting us know just how much they appreciate Sophos’ efforts at combatting their infections.

Thanks, you too

Others appear to be getting into the fight as well. For a short period of time over the past weekend, some researchers observed that payloads being accessed by Emotet had been replaced with animated GIFs on the compromised, legitimate servers the threat actor prefers to use for hosting payloads. To be sure, it was an interesting play, but ultimately futile, since the Emotet gang can read the tea leaves and see when they aren’t getting the result they intended.

The most recent versions of Emotet’s malicious Office documents use Apple’s iOS as an excuse to convince you to enable scripted content. Don’t do it!

Regardless of the outcome, the Emotet gang has not changed the fundamental playbook they have followed for years. If you receive an email from an unknown source, or unexpectedly from a known source, with a Microsoft Office file attached, be extremely careful about opening it. In a related vein, if you receive an email that tells you to download such a file attachment in order to receive some sort of invoice or statement, be extremely suspicious.

In either case, check with the sender (if they are known to you) to ensure the file is legitimate before you open it. And if the document prompts you to enable advanced features like scripting, that’s a huge red flag you should not ignore.
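The advice above (treat Office attachments that ask for macros as hostile) can be enforced at the mail gateway before a user ever sees the "enable content" prompt. The script below is an added example, not Sophos code and not taken from the Emotet documents themselves: it classifies an attachment by inspecting the Office Open XML container for a VBA project part. The sample archives it builds are constructed for the test and contain no real macro code; the OLE2 and zip magic bytes and the `vbaProject` content type are standard values.

```python
"""Added example (not Sophos code): flag e-mail attachments that carry VBA macros.

Modern Office files (.docx/.docm/.xlsm ...) are zip archives; a VBA project is
stored as a part named vbaProject.bin and declared in [Content_Types].xml.
Legacy binary formats (.doc/.xls) are OLE2 compound files and need a full OLE
parser (e.g. oletools' olevba) to inspect, so they are routed to manual review.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"                           # Office Open XML container
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def classify_attachment(data: bytes) -> str:
    """Return 'macro', 'clean', 'legacy-review' or 'other' for one attachment."""
    if data.startswith(OLE2_MAGIC):
        return "legacy-review"      # cannot tell without an OLE parser; do not auto-allow
    if not data.startswith(ZIP_MAGIC):
        return "other"              # not an Office Open XML container
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            types_xml = zf.read("[Content_Types].xml") if "[Content_Types].xml" in names else b""
    except zipfile.BadZipFile:
        return "other"
    # Check both the part name and the declared content type, so a renamed part is still caught.
    has_vba_part = any(n.lower().endswith("vbaproject.bin") for n in names)
    if has_vba_part or VBA_CONTENT_TYPE in types_xml:
        return "macro"
    return "clean"


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-style archive for testing; not a real Emotet document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        if with_macro:
            ct += (b'<Override PartName="/word/vbaProject.bin" '
                   b'ContentType="application/vnd.ms-office.vbaProject"/>')
        ct += b"</Types>"
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)   # placeholder, no real VBA
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [("macro-doc", build_sample(True)), ("plain-doc", build_sample(False))]:
        print(label, "->", classify_attachment(blob))
```

A gateway policy built on this would quarantine `macro`, hold `legacy-review` for an OLE-aware scanner, and pass `clean`; file extension alone is not used, because a macro-bearing file can be renamed freely.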

Detection

Sophos products detect Emotet or its components or payloads under a number of malware definitions:

  • Mal/DocDl-K & Mal/DocDl-L on the initial document downloaders
  • AMSI/Exec-P on the behaviour of those downloaders
  • ML/PE-A from Deep Learning on the executable payloads
  • CXmal/Emotet-C on those payloads seen in their malicious context
  • HPmal/Emotet-D on the behaviour of those payloads
  • We also have Troj/Emotet-CJW for Friday’s wave of polymorphic payloads.


Set the default meeting length for Google Calendar events in your domain

What’s changing

We’re adding a new setting in the Admin console where you can define the default Calendar meeting length for users in your domain. Previously, the default of 60 minutes could only be changed from a user’s individual Calendar settings. Now, admins can set a new default length for all of their users.

Who’s impacted

Admins and end users

Why you’d use it

You can make your organization more efficient by selecting the default meeting length that makes the most sense for your employees’ time and room usage.

How to get started

Admins: This new setting’s default value will remain at the standard 60 minutes unless admins take action to change it. Default meeting lengths can be customized at the organizational unit (OU) or domain level. Visit the Help Center to learn more about setting the default duration for events in your organization.

Availability

  • Available to G Suite Business, G Suite Enterprise, G Suite Enterprise for Education and G Suite for Education customers
  • Not available to G Suite Essentials, G Suite Enterprise Essentials, G Suite Basic and G Suite for Nonprofits customers



 

Full-disk encryption is the first line of defense – Sophos News

Increased remote working makes it more important than ever to secure computers and the data on them. With the huge number of laptops that are lost, misplaced, or stolen every day, a crucial first line of defense for devices is full-disk encryption.

With full disk encryption rolled out, admins can ensure sensitive company data can’t be accessed, even if a device falls into the wrong hands. And while disk encryption has long been a vital component of device security, it has also frequently been associated with complexity and admin overhead. Setting up and maintaining servers, dealing with encryption keys, and helping users who’ve forgotten their credentials all takes time and effort.

Hassle-free encryption

With Sophos Central Device Encryption, we focus on making device encryption intuitive and hassle-free. There’s no server to install, and encryption is enabled in a handful of clicks. Sophos Central Device Encryption uses the same core agent as Intercept X, meaning existing Sophos customers have no additional agent to deploy and can start encrypting computers in mere minutes.

Under the hood, we leverage Windows BitLocker and macOS FileVault technology to do the heavy lifting when it comes to encrypting and decrypting data on the disk. With these technologies being integrated deeply into each operating system, performance and security are first-class.

Encryption Dashboard

Demonstrate compliance

As a part of compliance requirements, companies often need to verify which computers in the organization are encrypted. The cloud-based Sophos Central Admin console provides great visibility into device status, including which disks are encrypted and the last time a device checked in. The next version of Central Device Encryption adds a new Encryption Status report, further drilling down into device encryption status, making it even easier to help demonstrate compliance across the organization.

Fast recovery

An important consideration with disk encryption is how users will regain access to their devices if they forget their credentials. The Sophos Central Self-Service Portal lets users retrieve their own recovery keys without needing to contact the IT helpdesk. Users get back up and running faster, and IT teams have fewer tickets to deal with.

Device Encryption

Sophos Central Device Encryption

The shift towards remote working makes full disk encryption more important than ever. Sophos Central Device Encryption makes it a breeze to deploy and manage devices with full disk encryption. Head over to Sophos.com to find out more and to sign up for a free trial.


Zoho Campaigns meets Bigin: Getting more out of email marketing and CRM

Getting more out of email marketing and CRM

Two of the biggest challenges modern small businesses face are organizing and nurturing their contacts. Fortunately, there are software solutions for each of these problems. 

Zoho Campaigns, an email marketing software solution, lets you engage with your contacts through wide-reaching, automated email campaigns. However, how do you get the contact details into Campaigns in the first place?

This is where CRM (Customer Relationship Management) software comes into play. A good CRM solution lets you easily record visitor information in a database and track your interactions with them, so you know how likely they are to engage with your business on some level, whether that is simply downloading a how-to ebook or actually purchasing your goods or services.

If you’re already familiar with CRM, you’ll know that the downside of these services is that they often come with a price tag too large for small businesses.

That’s why Zoho CRM created Bigin, a lightweight—but still robust—CRM solution for small businesses to more easily manage customer relations.

Even better, we’re proud to announce that Campaigns now seamlessly integrates with Bigin, so you can both track contacts and send them personalized email campaigns with the least amount of effort.

To see how this integration can help your small business, let’s look at an example. Stacy owns a book store and meticulously maintains her contacts using her compact CRM, Bigin. Though she has a lot of contact information at her fingertips, she isn’t sure how to use it to increase her sales. When Jim, one of her vendors, arrives to deliver stationery to the store, she mentions her predicament. Jim recommends trying Campaigns, which he has been using to send automated, personalized emails to his own contacts. With this new integration, Stacy can easily transfer her Bigin contacts into Campaigns and quickly segment them so she sends the most relevant content to the right recipients, increasing the likelihood of a sale.

If you’re like Stacy and looking to extend your email relations with your contacts in CRM, this new integration makes life much simpler.

Zoho Campaigns integrates with Bigin by Zoho CRM

As a small business owner, whether you’re managing day-to-day customer-related activities or setting up email campaigns for better reach and brand recognition, connecting your CRM and email marketing tools can make a huge difference.

Zoho Campaigns’s integration with Bigin means all contacts in the latter can be synced to your Zoho Campaigns account to: 

  • Send contacts personalized and effective emails for further nurturing

  • Activate workflows that trigger responses specifically related to the actions of your email recipients.

  • Understand your contacts’ psyche and target them with the right content at the right time using automated workflows.

Based on your business needs, you can sync your contacts periodically or immediately from Bigin to your Zoho Campaigns account. By doing this, you can reach all your contacts via email and effectively build contact networks.

Moreover, if you also run a store with online services, like Stacy or Jim, you can connect it to your Zoho Campaigns account to send your ecommerce customers onboarding, nurturing, re-engagement, and customer retention emails. Integrating your Campaigns account with other Zoho applications such as Meeting and Backstage, and with third-party tools like Unbounce and Wistia, will further improve efficiency and productivity.

Best practices when integrating Zoho Campaigns with Bigin

Map fields to craft personalized emails

To create personalized emails, you’ll need contact data. When you set up the sync between your Bigin and Campaigns accounts, make sure you map the fields needed to send personalized emails—for example, email address, company details, and region.

Map fields to craft personalized emails

Send response data back to Bigin 

Once your emails are sent, Zoho Campaigns lets you identify contacts who have opened and clicked your emails in the reports section. Push this data back to Bigin so that your sales team can follow up with those contacts and improve the likelihood of conversion.

Send response data back to Bigin

There you go! There will be a phase II of this integration, and we’ll reach out again when that is ready. But before that, let us know your thoughts in the comments below. Also, for more information regarding the integration setup, click here.

Still have doubts? No worries—let us know in comments and we will get back to you!


Monitor and analyze data better with Custom Home Tabs

Dashboards are the best way to make sense of the recruitment data your company generates and turn it into actionable intelligence. Seeing streams of information interact and influence each other will help you visualize the bigger picture. A well-made dashboard will help you start your day methodically as you’ll be able to systematically track and manage your day-to-day tasks.

The Home Tab of Zoho Recruit gives you a quick glance at the progress of all your hiring activities. It contains components from different modules, such as Candidates, Job Openings, Interviews, and more. One look at the Home Tab components will tell you how your hiring initiatives are faring.

In addition to indicating the progress of your hiring activities, the Home Tab also serves as a great place to organize your day’s work as well as the work of your teams

Building a role-based Home Tab

Using Zoho Recruit’s highly customizable Home Tab, you can build role-based dashboards for your users. You can provide users with full visibility into the essential areas of your hiring process. Each role has different access permissions to your company’s hiring information, enabling users to stay focused on their part of the hiring process.

Coupled with a customizable dashboard, this lets you lay out data visually and provide your users with actionable insights.

A dashboard built for you

One of the most important things a hiring manager needs is visibility of the current hiring pipeline. This dashboard provides a detailed breakdown of what stages jobs are at, how many candidates are at each stage, and where your candidates are applying from.

Get a bird’s-eye view of your hiring process and track the progress of each job opening with Zoho Recruit’s Customizable Home Tab. Add dashboards, custom views, and special reports to your Home Tab, and make your hiring process a cut above the rest.

Components Used

Candidates by Source

The Candidates by Source component helps you understand where your best candidates are coming from. This provides you with valuable insights into how candidates are finding your jobs.

Candidate Pipeline Report

The Candidate Pipeline Report allows you to visualize your hiring process across time and know what stage of your recruitment pipeline your candidates are in. You can then plan your recruitment strategy accordingly.

Job Opening Status Report

The Job Opening Status Report details the progress that has been made on active job openings. This is done by grouping jobs by their status and comparing them with the number of associated candidates who also have that same status.

Open Job Openings View

The Open Job Openings view helps you stay updated with a list of open jobs and their details. Combined with the other components, this lets you view your progress and assign priorities.

Hiring Pipeline

The Hiring Pipeline component shows you how many candidates are distributed across each stage in your hiring pipeline for every active job.

This dashboard was built with a generic hiring process in mind. Now, think of how much more you’ll be able to add to this if you customized Zoho Recruit to fit your unique hiring process.

Get started today!

If you have any questions or comments, you can reach us at [email protected] or leave a comment below!


Sophos Firewall Manager SFM 17.1 MR4 Released – Release Notes & News – XG Firewall

Hi XG Community!

We’ve released Sophos Firewall Manager SFM 17.1 MR4. Initially, the firmware will be available by manual download from the Licensing Portal. We will gradually release the firmware via auto-update to customers.

  • NCCC-6178 [SFM] Export>Device List is generating empty file in SFM 17.0
  • NCCC-7654 [SFM] Web Filter logs port detail mismatch in XG Firewall and SFM Events Viewer> device logs
  • NCCC-8698 [SFM] SFM not respecting time zone when scheduling firmware update
  • NCCC-9493 [SFM] XXE + SSRF via CSRF bypass in SFM
  • NCCC-9997 [SFM] SFM pre-auth XXE vulnerability
  • NCCC-9913 [SFM-SCFM] Template forward compatibility status is ‘Not applicable’ for older version of SF 17.5 after releasing SF 17.5 MR10


ProLock ransomware gives you the first 8 kilobytes of decryption for free – Sophos News

As organizations were scrambling to deal with the lockdowns associated with the global COVID-19 pandemic, a new wave of ransomware attacks began. The ransomware, called ProLock, is a successor to PwndLocker, a ransomware strain that emerged late in 2019.

PwndLocker’s distribution was short-lived, primarily because it was discovered that the keys needed to decrypt files could be recovered from the malware itself without paying a ransom. The retooled ProLock ransomware, which emerged in March, had the opposite problem: in May, the Federal Bureau of Investigation issued an alert warning that victims who had paid the ransom demanded by ProLock’s operators received a faulty decryptor that corrupted files it “decrypted.”

The faulty decryptor may be connected to the unusual way in which ProLock encrypts files: it skips files smaller than 8,192 bytes, and starts encrypting larger files after the first 8,192 bytes. The result is files that are partially readable and partially encrypted.

Sophos initially encountered ProLock when it was caught by Intercept X’s CryptoGuard component on a customer network in mid-March. The malware uses a PowerShell-based dropper that extracts Windows executable code from an accompanying graphics file—or at least, a file with a graphics format extension. And all of its malicious activities are concealed within legitimate Windows processes.

According to the FBI “flash”, victims of ProLock have included healthcare organizations, government agencies, financial institutions, and retailers. Victims are directed to contact the ProLock operators through a Tor-based (.onion) web portal or a ProtonMail email address. Following the current trend in ransomware set by Maze, REvil, and other established extortion operations, the ProLock actors “instruct victims to pay the ransom in several days, threatening to release the victims’ data on social media and public websites,” the FBI reports.

Picking the locks

ProLock has gained access to  victims’ networks in several ways, with some leveraging third-party exploitation. In May, Oleg Skulkin, Senior Digital Forensics Analyst at Group-IB, told BleepingComputer that evidence he had uncovered showed some ProLock victims were infected through scripts executed by the QakBot banking trojan.

The FBI also cited Qakbot as one of ProLock’s means of initial access, as well as phishing emails and improperly configured Remote Desktop Protocol (RDP) servers, and remote access connections over RDP with stolen user credentials.  The earliest detection of ProLock by Sophos was on a customer’s compromised server, most likely through an exploit of a Remote Desktop Protocol connection.

The ProLock actors use their access to conduct some network reconnaissance, as well as to potentially steal data before launching their ransomware attack. They then use the stolen or compromised credentials, built-in Windows tools and scripts to propagate the ransomware across the network.

When the time came to release the ransomware, we found in the case we analyzed that four files were dropped onto targeted systems, downloaded from a remote server (IP addresses are in the Indicators of Compromise file posted to SophosLabs’ GitHub).

C:\ProgramData\WinMgr.bmp
C:\ProgramData\WinMgr.xml
C:\ProgramData\clean.bat
C:\ProgramData\run.bat

Chain of destruction

ProLock malware depends on Windows batch scripts, the Windows Task Scheduler (through the schtasks.exe command line utility) and PowerShell to launch its attack.

The ransomware chain is set off with the execution of run.bat, which creates a scheduled Windows task to execute clean.bat using the contents of WinMgr.xml to configure the task. When it is launched by the scheduler, clean.bat executes a base64-encoded PowerShell script that extracts the ProLock executable file encoded into the image file WinMgr.bmp, loads it into memory, and executes it—passing parameters that control the encryption. (When executed without the Powershell script, the executable runs—but doesn’t encrypt any files.)

A portion of the base64-encoded script embedded into “clean.bat.”
A portion of the decoded script that invokes the code from the file WinMgr.bmp
A screenshot of WinMgr.bmp, the “graphics file” that carries the barely-concealed ProLock malware payload. (Note the “noise” of steganography in the upper right hand corner.)

The usual suspects

One of the ProLock samples we examined hides some of its contents with a self-modifying section of code, which conceals text strings and other elements from analysis. As is common in malware development, the ProLock program is deliberately set not to allow debugging, to make it more difficult for researchers to run it in a controlled fashion.

ProLock descrambles a section of obfuscated code upon execution.
A before-and-after look at the ProLock binary’s self-modifying code.

The malware decodes the self-modifying section, imports DLLs and sets up the functions it will use. Then it launches a new thread and puts the first thread to sleep—an anti-analysis trick.

The malware traverses the registry looking for security policy settings that might cause trouble. For some reason, it switches some of Internet Explorer’s security policy settings, turning off the mapping of Universal Naming Convention paths to IE’s “Intranet” zone and turning on automatic intranet mapping. (The list of registry changes is included in the indicators of compromise file on SophosLabs’ Github here.) Then it starts  hunting for applications and services that might get in the way of total data destruction.

Using the Windows CreateToolhelp32Snapshot API, the malware takes a snapshot of all running processes and checks them against a list (published on SophosLabs’ GitHub), terminating the ones that match with Windows’ taskkill.exe utility (launched through a ShellExecuteA call). The processes include common desktop applications (including Microsoft Office applications), databases, the Firefox browser and Thunderbird mail client, and a number of security software components. Ransomware stops these processes to make sure no user files are held open with locks, so the malware can encrypt them without resistance.

Then, using Windows’ net.exe utility (net stop), the ransomware attempts to shut down a list of more than 150 services associated with enterprise applications, security software, and backups. (A full list of the processes and services targeted by the ransomware is posted on SophosLabs’ GitHub.) Again, the goal is to prevent anything from interfering when the encryption begins.

Next, to prevent local file recovery, ProLock deletes Volume Shadow Copy snapshots by running vssadmin.exe (the command-line administration tool for the Volume Shadow Copy Service) with the following arguments. The resize pair is a common follow-up to the delete: shrinking shadow storage below what any remaining snapshots occupy forces Windows to discard them, and setting it back to unbounded leaves no obviously broken configuration behind:

delete shadows /all /quiet
resize shadowstorage /for=c: /on=c: /maxsize=401MB
resize shadowstorage /for=c: /on=c: /maxsize=unbounded

All of this effort is extremely noisy, and processor intensive. And then the disk-intensive part begins.
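Because that sequence is so noisy, it is also a good detection opportunity. The script below is an added example, not part of the SophosLabs write-up: it scores process-creation events per host against the chain described above (batch files in C:\ProgramData, a scheduled task created from an XML file there, encoded PowerShell, taskkill, a burst of net stop commands, and the vssadmin shadow-copy commands). The pipe-separated event format, the rule weights, and the burst threshold are assumptions chosen for the example; the sample events are constructed to mirror the described chain and are not real telemetry from an incident.

```python
"""Added example (not SophosLabs code): score hosts for the ProLock pre-encryption chain."""
import re
from collections import defaultdict

# Constructed sample process-creation events (Sysmon event 1 style), not real telemetry.
# Fields: time|host|parent_image|image|command_line
SAMPLE_EVENTS = r"""
09:01:02|FS01|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd /c C:\ProgramData\run.bat
09:01:03|FS01|C:\Windows\System32\cmd.exe|C:\Windows\System32\schtasks.exe|schtasks /create /tn WinMgr /xml C:\ProgramData\WinMgr.xml
09:02:00|FS01|C:\Windows\System32\svchost.exe|C:\Windows\System32\cmd.exe|cmd /c C:\ProgramData\clean.bat
09:02:01|FS01|C:\Windows\System32\cmd.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -nop -w hidden -enc SQBFAFgA
09:02:05|FS01|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\taskkill.exe|taskkill /f /im outlook.exe
09:02:06|FS01|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\net.exe|net stop MSSQLSERVER /y
09:02:06|FS01|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\net.exe|net stop SQLWriter /y
09:02:07|FS01|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\net.exe|net stop VeeamBackupSvc /y
09:02:07|FS01|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\net.exe|net stop wuauserv /y
09:02:08|FS01|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\net.exe|net stop BITS /y
09:02:10|FS01|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\vssadmin.exe|vssadmin delete shadows /all /quiet
09:02:11|FS01|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\vssadmin.exe|vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
09:02:12|FS01|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\vssadmin.exe|vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
10:15:00|WS07|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell Get-Process
10:16:00|WS07|C:\Windows\System32\cmd.exe|C:\Windows\System32\net.exe|net stop Spooler
"""

# Single-event rules: (name, weight, regex applied to the lower-cased command line).
# Weights are assumptions for this example, not a Sophos scoring scheme.
RULES = [
    ("shadow-copy deletion", 5, re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows")),
    ("shadow-storage resize", 3, re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage")),
    ("scheduled task created from ProgramData XML", 3,
     re.compile(r"schtasks(\.exe)?\s+/create\b.*\s/xml\s+c:\\programdata\\")),
    ("batch file launched from ProgramData", 2, re.compile(r"c:\\programdata\\\S+\.bat\b")),
    ("encoded PowerShell command", 2, re.compile(r"powershell.*\s-(e|ec|enc|encodedcommand)\s")),
    ("forced process termination", 1, re.compile(r"taskkill(\.exe)?\s+/f\s+/im\s")),
]
NET_STOP = re.compile(r"\bnet1?(\.exe)?\s+stop\s")
NET_STOP_BURST = 5   # distinct services stopped on one host; assumed threshold


def parse_events(text: str) -> list:
    events = []
    for line in text.strip().splitlines():
        time, host, parent, image, cmd = line.split("|", 4)
        events.append({"time": time, "host": host, "parent": parent, "image": image, "cmd": cmd})
    return events


def analyze(text: str, burst_threshold: int = NET_STOP_BURST) -> dict:
    """Return {host: {"score": int, "findings": [rule names]}} for hosts with any hit."""
    hits = defaultdict(dict)        # host -> {rule name: weight}; one entry per distinct rule
    net_stops = defaultdict(set)    # host -> distinct 'net stop' command lines
    for ev in parse_events(text):
        cmd = ev["cmd"].lower()
        for name, weight, rx in RULES:
            if rx.search(cmd):
                hits[ev["host"]][name] = weight
        if NET_STOP.search(cmd):
            net_stops[ev["host"]].add(cmd)
    for host, stops in net_stops.items():
        if len(stops) >= burst_threshold:     # a single 'net stop' is routine; a burst is not
            hits[host]["service-stop burst"] = 4
    return {h: {"score": sum(r.values()), "findings": sorted(r)} for h, r in hits.items()}


def hosts_to_triage(text: str, min_score: int = 10) -> list:
    return sorted(h for h, r in analyze(text).items() if r["score"] >= min_score)


if __name__ == "__main__":
    for host, result in analyze(SAMPLE_EVENTS).items():
        print(host, result["score"], ", ".join(result["findings"]))
```

The single rules fire on plenty of legitimate administration, which is why the score is aggregated per host: a vssadmin delete on its own is worth a look, but vssadmin plus a service-stop burst plus a scheduled task from C:\ProgramData within minutes is the pattern that should page someone, and by the time it fires the encryption is seconds away, so the response has to be automated isolation, not a ticket.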

Semi-random mayhem

With all of the guards out of the way, the ransomware begins to check what media is mounted and traverses the directory structure of any local or network-mapped drives. It skips over executable files (including .php files for websites), and leaves applications intact. All of this malicious activity is executed through the powershell.exe process.

As it reads each file, it checks the length. If the file is under 8,192 bytes (0x2000 in hexadecimal), it skips the file. Otherwise, it begins encrypting the file, starting after the 8,192nd byte. After encrypting a file, the extension .prolock is appended to its file name (for example, a_very_large_text_file.txt becomes a_very_large_text_file.txt.prolock).

A file listing of a directory after ProLock, sorted by file size, shows files under 8 KB untouched.
A comparison of a file before (right) and after (left) ProLock encryption.
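That on-disk pattern is easy to verify and, for the responder, worth exploiting: the clear 8 KiB head carries the file's magic bytes and first lines, so you can still tell what a .prolock file was, and short log, CSV and configuration headers survive intact. The triage script below is an added example, not SophosLabs tooling. It walks a tree, measures byte entropy of the head and tail of each file, and classifies anything carrying the .prolock suffix as consistent or inconsistent with the described behaviour (a renamed file at or below 8,192 bytes, or one whose tail is not high-entropy, is flagged for manual inspection). The fixture it builds mimics only the on-disk pattern with random bytes; it is not ProLock's cipher, and the 7.0 bits/byte threshold is an assumption.

```python
"""Added example (not SophosLabs code): triage a tree for ProLock-style partial encryption."""
import math
import os
import tempfile

PROLOCK_SKIP = 0x2000        # 8,192 bytes left in the clear at the start of each file
PROLOCK_EXT = ".prolock"
HIGH_ENTROPY = 7.0           # bits/byte; assumed threshold for "looks encrypted"
MAGIC = [(b"%PDF", "pdf"), (b"PK\x03\x04", "zip/ooxml"),
         (b"\xd0\xcf\x11\xe0", "ole2"), (b"\x89PNG", "png")]


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def guess_type(head: bytes) -> str:
    """Identify the original format from the clear head, since the extension is preserved
    before .prolock but cannot be trusted."""
    for magic, label in MAGIC:
        if head.startswith(magic):
            return label
    try:
        head.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "unknown"


def salvage_head(path: str) -> bytes:
    """Return the unencrypted first 8 KiB of a .prolock file (headers, first lines)."""
    with open(path, "rb") as f:
        return f.read(PROLOCK_SKIP)


def triage_file(path: str) -> dict:
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        head = f.read(PROLOCK_SKIP)
        tail = f.read()
    info = {"size": size, "type": guess_type(head),
            "head_entropy": round(shannon_entropy(head), 2),
            "tail_entropy": round(shannon_entropy(tail), 2)}
    if not path.endswith(PROLOCK_EXT):
        info["status"] = "untouched-small" if size <= PROLOCK_SKIP else "untouched"
    elif size > PROLOCK_SKIP and info["tail_entropy"] >= HIGH_ENTROPY:
        info["status"] = "encrypted-partial"     # matches the described behaviour
    else:
        info["status"] = "inconsistent"          # renamed but not what ProLock would produce
    return info


def triage_tree(root: str) -> dict:
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            results[os.path.relpath(full, root)] = triage_file(full)
    return results


def make_sample_tree(root: str) -> list:
    """Constructed fixture: clear 8 KiB head, random tail, .prolock suffix. Not ProLock's cipher."""
    text = b"".join(b"line %05d of the quarterly report\n" % i for i in range(600))  # ~21 KB
    samples = {
        "small.txt": text[:100],
        "server.log": text,
        "report.txt.prolock": text[:PROLOCK_SKIP] + os.urandom(len(text) - PROLOCK_SKIP),
        "deck.pdf.prolock": b"%PDF-1.7\n" + text[:PROLOCK_SKIP - 9] + os.urandom(20000),
        "odd.docx.prolock": b"PK\x03\x04" + b"A" * 300,   # too small to have been touched
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return sorted(samples)


def demo() -> dict:
    """Build the fixture in a fresh temp directory and triage it."""
    root = tempfile.mkdtemp(prefix="prolock-triage-")
    make_sample_tree(root)
    return triage_tree(root)


if __name__ == "__main__":
    for name, info in sorted(demo().items()):
        print(f"{name:22} {info['status']:18} {info['type']:10} "
              f"head={info['head_entropy']} tail={info['tail_entropy']}")
```

Run against a real share after containment, the `type` column tells you what categories of data were hit, `salvage_head` recovers what ProLock left in the clear, and the `inconsistent` bucket is where a faulty decryptor's output or a second, different ransomware tends to show up.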

As the malware finishes the encryption of the contents of each folder, it writes a file to the folder named [HOW TO RECOVER FILES].TXT. This contains the ransom note.

When all the folders have been traversed, the ransomware sounds the system alert tone, and drops a ransom note on the desktop.

The ProLock ransom note. The text is hard-coded into the malware, so the site and victim “ID” would have to be changed at build time.

The ransom note itself is hard-coded into the ransomware as a text string—including the .onion website address and the victim’s “user ID”. In fact, across the ProLock samples we examined, the ransom notes were exactly the same, including the “user ID”—despite other differences in the code. Given that these samples came from separate sources, that would suggest that multiple ProLock victims were given the same “user ID,” which wouldn’t matter in any case because of the targeted way ProLock is deployed.

Triple indemnity

As with other targeted ransomware attacks, ProLock’s encryption of files should be considered just the final act in the attack. The attackers need to have gained administrative credentials to spread the malware, which means that they’ve had largely unfettered access to victims’ data. While we’ve seen no direct evidence thus far of data theft, the tools used to gain access by ProLock’s actors give them wide access to network resources and data. And it’s possible that other malware (such as QakBot) has also taken root—malware that ProLock would leave untouched.

Even if victims pay, there’s the chance (thanks to the broken decryptor) that data will be lost or made more expensive to recover. Bringing in the expertise of a ransomware response team may be required to recover.

There are several concrete steps that organizations can take to prevent these types of attacks. Protecting remote network access is key to stopping these types of targeted attacks, by putting RDP access behind a virtual private network and using multi-factor authentication for remote access. As with all ransomware threats, maintaining offline backups and malware protection for both desktops and servers also hardens defenses against attacks like ProLock. And up-to-date endpoint protection tools (such as Intercept X and CryptoGuard) can be effective in blunting attacks that get past other defenses, or at least minimizing the damage done by an intrusion.

Sophos now blocks variants of ProLock as Troj/Agent-BEKP and Troj/Ransom-FVU, through heuristic analysis by Sophos ML, and through CryptoGuard.

Acknowledgements

SophosLabs wishes to acknowledge the contributions of Hajnalka Kópé, Anand Aijan, Andrew Brandt, Rahul Dugar, and Gabor Szappanos.

Net Universe offers all Sophos devices and subscriptions, as well as consultancy services, with worldwide delivery.
Send us an email to [email protected] for more information or visit https://www.netuniversecorp.com/sophos.

Stop ProLock ransomware with three layers of protection from Intercept X – Sophos News

ProLock ransomware emerged on the threat scene in March, a retooled and rebranded version of PwndLocker.

As SophosLabs reveals in its detailed analysis, ProLock leaves the first eight kilobytes of each file unencrypted, but it can still cause significant business disruption and economic damage.

Protect against ProLock with Sophos Intercept X

Intercept X gives you multiple layers of protection against ProLock, keeping the data on your endpoints and servers safe:

  • CryptoGuard identifies and rolls back the unauthorized encryption of files. In fact, Sophos first detected ProLock when CryptoGuard caught it on a customer network
  • Deep learning identifies and blocks ProLock without signatures
  • Signatures block variants of ProLock either as Troj/Agent-BEKP or Malware/Generic-S

If you’re running Sophos Intercept X you can relax knowing that you are automatically protected against ProLock, as all three of the above features are enabled by default in our recommended settings.
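The "first eight kilobytes" detail matters for anyone building or tuning behavioural detection of the kind CryptoGuard performs: a file whose header is left intact still starts with its original magic bytes, so a check that only looks at the start of the file keeps reporting it as a valid document. The following is an added example, not Sophos code and not how CryptoGuard is implemented: it constructs PDF-like files, "encrypts" them ProLock-style (first 8192 bytes kept, the rest replaced with random bytes), shows that a magic-bytes check is fooled, and flags the process that rewrote several files to high-entropy content by measuring entropy past the untouched region. File contents, paths and PIDs are all constructed.

```python
import math
import os
from collections import Counter

# Bytes at the start of each file that the encryptor leaves untouched
# (per the analysis above, the first eight kilobytes come back "for free").
HEADER_SKIP = 8192


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, up to 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def make_pdf_like(size: int) -> bytes:
    """Constructed plaintext: a PDF magic header followed by repetitive text."""
    line = b"BT /F1 12 Tf 72 712 Td (quarterly report) Tj ET\n"
    return (b"%PDF-1.7\n" + line * (size // len(line) + 1))[:size]


def prolock_style_encrypt(data: bytes, skip: int = HEADER_SKIP) -> bytes:
    """Stand-in for the encryptor: keep the first `skip` bytes, replace the
    rest with random bytes (real cipher output is just as high-entropy)."""
    if len(data) <= skip:
        return data
    return data[:skip] + os.urandom(len(data) - skip)


def magic_still_valid(data: bytes) -> bool:
    """Naive 'is it still a PDF?' check. It keeps passing after encryption
    because the magic lives inside the untouched first 8 KB."""
    return data.startswith(b"%PDF")


def looks_encrypted(data: bytes, skip: int = HEADER_SKIP, threshold: float = 7.5) -> bool:
    """Measure entropy past the region an encryptor may leave intact."""
    tail = data[skip:] if len(data) > skip else data
    return shannon_entropy(tail) > threshold


def flag_processes(write_events, min_files: int = 3) -> set:
    """Given (pid, path, new_content) write events, return the PIDs that
    rewrote at least `min_files` files into high-entropy content."""
    hits = Counter(pid for pid, _path, content in write_events if looks_encrypted(content))
    return {pid for pid, n in hits.items() if n >= min_files}


# Constructed activity: one benign edit by an editor (pid 1001) and a
# ransomware-style rewrite of four files by pid 4242.
ORIGINALS = {f"/share/finance/q{i}.pdf": make_pdf_like(32768) for i in range(1, 5)}
EVENTS = [(1001, "/share/finance/q1.pdf", ORIGINALS["/share/finance/q1.pdf"] + b"% edited\n")]
EVENTS += [(4242, path, prolock_style_encrypt(data)) for path, data in ORIGINALS.items()]

if __name__ == "__main__":
    enc = prolock_style_encrypt(ORIGINALS["/share/finance/q1.pdf"])
    print("magic intact after encryption:", magic_still_valid(enc))
    print("tail entropy:", round(shannon_entropy(enc[HEADER_SKIP:]), 2))
    print("flagged PIDs:", flag_processes(EVENTS))
```

The practical lesson is in `looks_encrypted`: sample entropy from the body of the file, not only its header, and treat a process that rewrites many files that way as the signal, since a single high-entropy write (a legitimately compressed archive, say) proves nothing on its own.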

(If you’re not yet running Intercept X and want to give it a try, visit the web page to learn more and start a no-obligation free trial.)

To check that you have CryptoGuard and Deep Learning enabled:

  • Open your Sophos Central Admin console and select Endpoint Protection in the left-hand menu
  • Select Policies
  • Review the list of threat protection policies already created
  • Toggle the buttons to make any necessary changes
Review your threat protection policies to check protection capabilities are enabled.

Endpoint protection and firewall best practices to block ransomware

51% of IT managers surveyed for our recent State of Ransomware 2020 report said their organization was hit by ransomware last year, and that cybercriminals succeeded in encrypting data in 73% of incidents.

With stats like these it’s worth taking the time to ensure all your ransomware defenses are up-to-date.

The earliest detection of ProLock by Sophos was traced to a compromised server, most likely reached through exposed Remote Desktop Protocol (RDP) access.

Putting RDP access behind a virtual private network and using multi-factor authentication for remote access are just a couple of the best practices we recommend to reduce your ransomware risk.

For additional best practices, take a look at our guides Endpoint Protection Best Practices to Block Ransomware and Firewall Best Practices to Block Ransomware.


Making the most of XG Firewall v18 – Part 2 – Sophos News

Network traffic encryption levels continue to steadily increase. In the last year, the percentage of pages loaded over HTTPS as reported by Google has increased from 82% to 87% on the Windows platform. It’s even higher on Macs at 93%. At this rate, we are not far away from a 100% TLS-encrypted Internet.

In this second in a series of articles on making the most of the great new features in XG Firewall v18, we’re going to specifically focus on resources available to you in order to make the most of the new Xstream TLS 1.3 inspection solution in XG Firewall v18.

Xstream TLS inspection

In our last article, we covered the Xstream architecture and the new Xstream DPI engine in XG Firewall v18. The new TLS inspection solution is a key component of the new architecture and provides decryption for TLS/SSL-encrypted traffic with native support for the latest TLS 1.3 standard.

With most traffic flows transiting the firewall now encrypted, TLS inspection is absolutely critical to opening up this enormous blind spot to enable the firewall to do its job and inspect content coming into the network. As we will discuss in our next article in the series, the DPI engine can be extremely effective at identifying new zero-day variants of ransomware and other threats, but only if it’s able to inspect the traffic unencrypted.

How it works

Encrypted traffic flows destined to be examined by the new DPI engine are passed to the TLS inspection engine for decryption before being inspected. After inspection, the flow is re-encrypted and sent on to its destination. If you’re interested in learning more about how TLS encryption and inspection works, and why it’s important, I suggest reviewing these two great assets on the topic:

The new Xstream TLS inspection engine in XG Firewall v18 offers a number of compelling benefits that make it the ideal solution for today’s modern encrypted internet:

  • High performance, with high connection capacity
  • Unmatched visibility into encrypted traffic flows and surfacing errors
  • Easy tools to deal with errors and handle exceptions with just a few clicks
  • Support for TLS 1.3 without downgrading
  • Support for all modern cipher suites with robust certificate validation
  • Inspection of all traffic, being application and port agnostic
  • Powerful and flexible policy tools, enabling the perfect balance of performance, privacy, and protection

Getting started with TLS inspection

As we mentioned in the last article, taking advantage of the new TLS inspection engine in XG Firewall v18 is super easy. It essentially requires checking one box in your firewall to activate it and then creating a rule on the new SSL/TLS Inspection Rules tab as shown below.

For a quick five-minute overview of how to create your own SSL/TLS inspection rules, watch this short how-to video:

For a detailed explanation and step by step guide for creating SSL/TLS inspection rules and decryption profiles, check out the online documentation:

It is recommended that you start gradually with TLS inspection, on a limited sub-estate of your network or a few test systems. This will allow you to build your expertise with the new TLS inspection solution and explore the new rules, logging, reporting, and error-handling options.

Not all applications and servers work correctly behind TLS inspection: clients that pin their server’s certificate will reject the certificate the firewall re-signs, and services that require client certificates cannot be proxied at all. Watch the Control Center for errors and take advantage of the convenient built-in tools to exclude problematic sites or services. Your XG Firewall comes with two pre-packaged TLS inspection rules out of the box that make exclusions easy. By default, they exclude trusted domains known to be incompatible with TLS decryption, such as iCloud, some Microsoft domains, and others. You can customize these rules directly through the widget on the Control Center as issues arise, or by updating the exclusion rules themselves.
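During a staged rollout the useful question is which destinations fail often enough under inspection to deserve an exclusion, and which of those are already covered by an existing exclusion rule. The following is an added example, not Sophos code: it tallies per-SNI handshake outcomes from a constructed, hypothetical log format (XG Firewall’s real log fields are not reproduced here), applies an exclusion list with domain-suffix matching, and proposes new exclusions for destinations with enough inspected flows and a high failure rate. All hostnames and log lines are constructed.

```python
import re
from collections import defaultdict

# Hypothetical log line format for this example; XG Firewall's real log
# fields are not reproduced here.
LOG_RE = re.compile(r"sni=(?P<sni>\S+)\s+action=(?P<action>\S+)\s+result=(?P<result>\S+)")

# Exclusion entries as domain suffixes; "*.example.com" and "example.com"
# are treated the same and both cover subdomains.
EXCLUSIONS = ["icloud.com", "*.update.microsoft.com"]


def _lines(sni, action, result, n):
    """Constructed log lines: n events for one destination."""
    return [f"2020-05-12T10:00:{i:02d}Z sni={sni} action={action} result={result}" for i in range(n)]


LOG_LINES = (
    _lines("app.pinned-vendor.example", "inspect", "handshake_failure", 5)
    + _lines("app.pinned-vendor.example", "inspect", "ok", 1)
    + _lines("mail.example.org", "inspect", "ok", 8)
    + _lines("www.icloud.com", "bypass", "ok", 4)
    + _lines("cdn.icloud.com", "inspect", "handshake_failure", 6)
    + _lines("beta.example.net", "inspect", "cert_validation_error", 2)
)


def is_excluded(host: str, exclusions) -> bool:
    """Suffix match on DNS labels, so 'icloud.com' covers 'cdn.icloud.com'
    but 'microsoft.com' does not cover 'notmicrosoft.com'."""
    host = host.lower().rstrip(".")
    for entry in exclusions:
        suffix = entry.lower().lstrip("*.")
        if host == suffix or host.endswith("." + suffix):
            return True
    return False


def tally(lines) -> dict:
    """Per-SNI counts of inspected flows and of inspected flows that failed."""
    stats = defaultdict(lambda: {"inspected": 0, "failed": 0})
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["action"] != "inspect":
            continue
        stats[m["sni"]]["inspected"] += 1
        if m["result"] != "ok":
            stats[m["sni"]]["failed"] += 1
    return dict(stats)


def propose_exclusions(lines, exclusions, min_inspected: int = 5, max_failure_rate: float = 0.5):
    """Destinations whose inspected flows fail often enough to warrant an
    exclusion, skipping ones already covered and ones with too little data."""
    proposals = []
    for sni, s in sorted(tally(lines).items()):
        if s["inspected"] < min_inspected:
            continue
        rate = s["failed"] / s["inspected"]
        if rate >= max_failure_rate and not is_excluded(sni, exclusions):
            proposals.append((sni, s["inspected"], round(rate, 2)))
    return proposals


if __name__ == "__main__":
    for sni, count, rate in propose_exclusions(LOG_LINES, EXCLUSIONS):
        print(f"consider excluding {sni}: {count} inspected, {rate:.0%} failed")
```

Two design points carry over to real log data: `cdn.icloud.com` fails every handshake but is not proposed because an existing suffix entry already covers it (the fix there is the rule, not a new exclusion), and `beta.example.net` is skipped because two failures are not enough evidence to weaken inspection for a whole domain.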

The new widget on the Control Center provides at-a-glance insights into your encrypted traffic flows and any issues.
Drill down to identify the cause of issues and fix them with just a few clicks.

Once you’re comfortable with the DPI engine and TLS inspection, we recommend applying it more broadly across your network. When you’re ready for broader TLS inspection and wish to push the firewall’s CA certificate out to more systems, we recommend using the wizard built into the Microsoft Active Directory Group Policy Management tools to make this task quick and easy. Bear in mind that this makes the firewall’s signing CA a trust root on every managed endpoint, so its private key must be protected as carefully as any other root CA key.

As you roll out TLS inspection more broadly, carefully monitor your firewall system performance metrics to ensure your hardware is not a bottleneck. While the Xstream architecture in XG Firewall v18 offers tremendous performance gains for TLS inspection, going from inspecting 0% of encrypted traffic to 80-90% of your TLS traffic may have an impact on performance depending on your firewall’s normal load.

If your firewall could benefit from some extra headroom, consider a hardware refresh to a current higher-capacity model. Given how readily attackers use encrypted traffic to hide from inspection, leaving TLS traffic uninspected is a risk not worth taking.

Here’s a summary of the resources available to help you make the most of the new features in XG Firewall v18, including Xstream TLS inspection:
