Fortinet Secures and Simplifies Customer Migration to Oracle Cloud Infrastructure

Customer Perspectives

Organizations are increasingly migrating data and applications to and between public cloud environments. It’s difficult for these organizations to gain visibility and control of their security posture when they rely on disparate solutions that all take different approaches to security and offer different tools. It’s also hard for a strained security team to stay on top of isolated solutions that fail to integrate. 

Through its Dynamic Cloud Security offerings, Fortinet provides customers with solutions that provide centralized management and visibility across public cloud, private cloud, hybrid cloud and multi-cloud. Fortinet integrates with all leading cloud service providers to give customers advanced security to protect their public clouds. Among the cloud providers, Fortinet directly integrates with Oracle Cloud Infrastructure (OCI), delivering the broadest set of security use cases available for OCI.

The following customers selected Fortinet’s Dynamic Cloud Security to secure their OCI workloads or applications:

U.S. Public College Turns to Fortinet’s Dynamic Cloud Security Offerings for Seamless Integration

Located in a hot spot for natural disasters, a U.S. public college decided to migrate some of its key applications to the cloud, starting with its PeopleSoft enterprise resource planning (ERP) application suite. The college wanted to ensure that if its on-campus network was downed by a storm, it would still be able to support its tens of thousands of students, faculty and staff. Because the college began its cloud migration with PeopleSoft (an Oracle solution), it looked to Oracle Cloud Infrastructure (OCI) as a possible cloud service provider. When it came to securing its new deployment, this customer turned to Fortinet’s Dynamic Cloud Security offerings, which seamlessly integrate with OCI.

A rapid and highly successful proof-of-concept (POC) led to the selection of the FortiGate-VM next-generation firewall (NGFW) on OCI. The FortiGate-VM firewall also enabled the college’s IT team to segment the network into zones, effectively isolating its websites, applications, databases, and administrative domains. This was especially important, as numerous cyberattacks enter on-premises networks through internet-exposed interfaces in cloud environments. Segmentation prevents attacks from spreading, minimizing the risk to the rest of the college network.

Additionally, the college’s DevOps team has migrated its testing environment to OCI. The DevOps team is benefitting from OCI’s Shapes (templates that determine the number of CPUs, amount of memory, and other resources allocated to a newly created instance) as well as preconfigured Terraform templates for FortiGate NGFWs, simplifying the customer’s secure journey to OCI. They are saving staff hours every time they spin up a test environment, which they do about 12 times a year, leading to significant annual productivity gains. In addition, using templates reduces misconfigurations in the cloud, a potential source of firewall breaches.

Large Supermarket Chain Simplifies Migration to Oracle Cloud Infrastructure

A supermarket chain with more than 40 stores was using firewalls in tandem with older-generation equipment. This posed several problems, prompting the company to search for a cloud platform to host its servers. After the company’s IT team considered different options, it chose Fortinet’s Dynamic Cloud Security offerings, which it judged the best solution and which came with a strong recommendation from Oracle. Specifically, this customer deployed Fortinet’s FortiGate-VM in the Oracle Cloud environment.

As a result of Fortinet and OCI’s seamless integration, this customer was able to establish protection between servers, and created a secure communication channel from the cloud to the data center, allowing information to be exchanged more securely. The IT team instantly saw how Fortinet provided a single management panel with native visibility and control right inside the cloud. 

Working together with the customer and Oracle, Fortinet was able to help the customer migrate more than 40 database workloads securely to OCI. Overall, the company has been able to simplify its processes and boost network performance, while having confidence that its cloud environment isn’t vulnerable to threats.

Identity Management Provider Secures Crucial Cloud Environments

An identity management provider had recently transitioned to an OCI-based architecture to streamline IT operations, reduce costs, and improve organizational agility and scalability. It was then looking for a security solution to protect its workloads. The company selected Fortinet’s Dynamic Cloud Security offerings, including FortiGate-VM next-generation firewalls (NGFWs) in a virtual machine (VM) footprint and high-availability configuration, to secure traffic to and from the company’s OCI instance, as well as for internal network segmentation. One differentiator of Fortinet’s offerings was the broadly supported next-generation firewall and Security Management solutions, which run natively in OCI.

The identity management provider had used FortiGate NGFWs to protect its on-premises network for years, and it trusted the ability of Fortinet to secure its crucial cloud environments as well. The customer also recognized how Fortinet’s support of multi-cloud environments was beneficial for standardizing solutions across not only its OCI and on-premises environments, but also across other cloud services.

Fortinet Delivers Dynamic Cloud Security for Customers Using Oracle Cloud Infrastructure

Fortinet Dynamic Cloud Security solutions provide the necessary visibility and control across cloud infrastructures, enabling secure applications and connectivity from data center to cloud. Ultimately, Fortinet gives customers the confidence to deploy any application on any cloud infrastructure. 

Learn how Fortinet’s dynamic cloud security solutions provide increased visibility and control across cloud infrastructures, enabling secure applications and connectivity from data center to cloud. 

Read these customer case studies to see how Hillsborough Community College and WeLab implement Fortinet’s dynamic cloud security solutions for secure connectivity from data center to the cloud. 

As Fortinet partners, Net Universe offers all Fortinet devices and subscriptions with worldwide Delivery Services.
Send us an email to
[email protected] for more information or visit https://www.netuniversecorp.com/fortinet.
You can visit our Shop Online

A milestone for Managed Threat Response – Sophos News

It has been less than 11 months since the launch of Sophos Managed Threat Response, our 24/7 human-led threat hunting, detection, and response service.

Our performance in that time is proof that our strategy of fusing technology, people, and process to act as an extension of organizations’ security and IT teams is a winning one. And we’re just getting started.

It gives me immense pride to announce that we have just surpassed 1,000 customers defended by Sophos MTR, underlining the profound need for security expertise across all verticals, industries, and sectors.

Against the chaotic backdrop of social and economic pressures brought on by the pandemic, those in the IT profession have continued to achieve the seemingly impossible: do more with less, in isolation.

Supporting remote workforces to achieve their goals both effectively and safely is a monumental task. Before this pandemic, there was already a global shortage of skilled cybersecurity professionals: an estimated workforce gap of 4.07 million. Securing an organization has never been a trivial matter, and the current climate has only worsened the impact of this shortage.

As a leader in cybersecurity across endpoint, network, and cloud, we are incredibly fortunate. Where most organizations struggle to both hire and retain security professionals, we are resilient to these struggles due to the sheer scale at which we operate.

When our staff walk over to the (albeit now virtual) water cooler, they talk security with other security people. When they’re in need of guidance, they can talk directly with industry veterans and experts within MTR, SophosLabs, and across our whole organization.

When they’re looking for a new challenge, that challenge already exists within our various research, development, and service groups, as well as within the diversity of our customer landscape. It’s an environment that attracts and hones the best operators in the industry, and that provides a virtuous circle of optimizations between technology and those human operators.

It is an honor to be afforded the trust and responsibility to assist in defending so many organizations across the globe in such a short space of time. This is an important milestone for us, one that enables us to protect more customers than ever in an ever-more effective fashion. But our achievement to date is just the beginning.

– JL


XG Firewall 17.5 MR14-1 (17.5.14.714) Released – Release Notes & News – XG Firewall

Hi XG Community!

We’ve released a new build of XG Firewall 17.5 MR14-1 (17.5.14.714). Initially, the firmware will be available by manual download from the Licensing Portal. We will gradually release the firmware via auto-update to customers.

Please visit the following link for more information regarding the upgrade process: Sophos XG Firewall: How to upgrade the firmware.

Note: The upgrade from version 17.5 MR14-1 (17.5.14.714) to 18.0 will follow soon.

  • In the previous build of v17.5 MR14, we observed an issue with websites not working after the upgrade if admin has configured a policy to block or warn “Executable Files”. This new build resolves that specific issue.

Issues Resolved in 17.5 MR14-1 (17.5.14.714)

  • NC-62619 [Web] Some websites not working after upgrade to v17.5 MR14 if admin has configured a policy to block or warn “Executable Files”.

Issues Resolved in the older release of 17.5 MR14 (17.5.14.714)

  • Provides a CLI option to disable captcha authentication separately for the webadmin and user portal, either globally (including the WAN zone) or only on the VPN zone. Also resolves a captcha authentication issue for IPv6 on the LAN zone.
  • Provides updated Geoip mapping database
  • NC-59129 [Authentication] Authentication Failed due to SSL VPN (MAC BINDING) – Logging does not carry any information for the cause.
  • NC-51919 [Firewall] Appliance is getting auto rebooted with Kernel dumps intermittently
  • NC-52429 [Firewall] Web admin access lost for 10+ minutes after HA fail-over in case of DNAT policy configured with FQDN
  • NC-58339 [Firewall] Local ACL Exception rule doesn’t work if Any-Any drop firewall rule is created
  • NC-59063 [Firmware Management] Remove expired CAs from SFOS
  • NC-53173 [IPsec] Intermittent connection interruption to local XG IP after IPsec rekeying, when we have conflicting left and right subnets
  • NC-58091 [IPsec] Sporadically unable to connect SA’s on IKEv2 S2S Tunnel
  • NC-58983 [IPsec] Intermittently incorrect IKE_SA proposal combination is being sent by XG during IKE_SA rekeying.
  • NC-59440 [IPsec] IPsec tunnel not getting reinitiated after PPPoE reconnect
  • NC-59071 [IPsec] IPsec S2S VPN tunnels partially connected or gets disconnected (Charon shows dead status)
  • NC-46109 [RED] No proper forwarding if bridging 3 or more RED s2s tunnels on an XG
  • NC-60854 [RED] Red S2S tunnel static routes disappear on firmware update
  • NC-60162 [Reporting] Internal Server Error for Web admin or user portal on XEN virtual platform
  • NC-30728 [SSLVPN] Compression settings not applied for IPv4 and IPv6 (SSLVPN remote access). The configuration settings for the comp-lzo attribute are incorrect in the .ovpn file.
  • NC-59080 [SSLVPN] Performance improvements in SSLVPN (Site to Site)
  • NC-59626 [SSLVPN] SSLVPN in busy state : HA
  • NC-59970 [SSLVPN] All live-connected SSL VPN users get disconnected when the admin changes the group of one connected SSL VPN user
  • NC-58165 [Static Routing] Geoip db update
  • NC-59932 [UI Framework] Unable to login to user portal or web admin console using Internet Explorer 11
  • NC-61956 [UI Framework] WebAdmin Console/User Portal not accessible after 17.5 MR13 upgrade because of a space in the certificate name
  • NC-56821 [Up2Date Client] SSLVPN client downloads as a 0 KB file in HA
  • NC-50274 [Web] Unable to block .bat files
  • NC-50710 [Web] Username is not showing up in the captive portal when the user logged in while using custom HTML template


To manually install the upgrade, you can download the firmware from the Licensing Portal. Please refer to Sophos XG Firewall: How to upgrade the firmware.


Truth-in-advertising policy fails to curb fleeceware – Sophos News

In June, Google updated its developer policies, adding new directives to how apps must inform consumers about the true terms and cost of subscription-based apps licensed through the Android Play Store. These changes address some of the issues that characterize apps we refer to as fleeceware.

In previous coverage of fleeceware, we showed examples of app subscription sign-up pages that had been designed to make it hard to read the terms of the app subscription. The new Google-issued rules are designed to address some forms of deceptive marketing display copy, but they also have some loopholes that permit other behavior some might consider unscrupulous.

The new terms and conditions for developers who wish to distribute their app through the official Play Store require their publishers to comply with the following directives:

  • Describe which parts of an app require a subscription.
  • Users of the app must be allowed to unsubscribe without impediment.
  • Have full transparency with the subscription cost and the billing period.
  • Display the terms visually clearly, human readable in size and color.

As of the publication of this article, the policy has been in place for roughly two months. Of course, we were able to find some developers who hadn’t fully implemented the changes to their app that the platform required. Some of the app publishers subsequently released policy-compliant apps, but Google removed a few from the Play Store, too.

Some of the policy violations shown on these screens include: the absence of a dismiss button; billing details and terms are very small and printed on a very light font that makes it almost unreadable.

Fleeceware’s new tricks

Unfortunately, we’ve found a lot of apps that appear to violate these new policies. Here are a few different grifts:

Blind Sub

When we ran samples of these apps, many of them prompted the user to immediately start the subscription, using a button labeled ‘Try FOR Free’ or ‘Start Free’, before displaying the complete billing details or giving users a way to find out what they are before starting the subscription.

Call it a blind subscription: All you know is, you’ve signed up, but not for how long or how much. According to Google, “the offer emphasizes the free trial, and users may not understand that they will automatically be charged at the end of the trial.” Publishers aren’t allowed to do this anymore, but some still try.

Spam Sub

There are a few free trial versions of apps we tried recently that displayed the screens shown below, among others. This led down an interesting rabbit hole to something we’ll call a spam subscription. You sign up once, and find yourself subscribed to a bunch of different apps as the fleeceware apps advertise one another.

Users sometimes unknowingly subscribe to hundreds of dollars worth of app subscriptions by clicking buttons like these.

In one such instance (the Photo collage & Grid photo editor app above) the offer consists solely of the highly informative ‘Try For Free (3 days trial)’ and…nothing else. Neither billing details nor billing frequency were shown; only later might you find out it could cost you $200 a year.

Termoflauging

This fleeceware-adjacent policy violation is about the use of tricks to visually conceal the terms & conditions. While not exclusive to fleeceware, some apps that charge a subscription still display the costs or important terms literally in grey fonts on a white background, or using incredibly tiny fonts that virtually blend into the background of the subscription solicitation on a mobile device. In so doing, the publishers perform the letter, but not the spirit, of the rules – they display the full subscription details in a way that the eye trying to read it just naturally wants to glaze over.

On top of the visual impediments, in some cases the provided information is just misleading. But more often than not, it’s just shockingly accurate. The Montage app (below) displays the following terms on its solicitation page:

3 Days Free. Then $89.99/week. Cancel at anytime

This was the finest of fine print, in an almost imperceptible wisp of a font that almost looked like a horizontal line in the advertisement.

Price is still a problem

Unlike some fleeceware apps which blatantly violate Google policies, some apps have adapted to the changes. They have tweaked some buttons and the text used in their descriptions. But they still charge very high subscription prices, like the $89.99 per week app shown above, Montage.

By the way, the Montage app displays wallpapers, changing the phone background image to something new, for $360 a month. More car payment than subscription. How many grande lattes with an extra shot are you willing to buy someone else, per day, just so they can provide you with fresh new background images? Three? Six?

Google’s Play Store policies for subscription-based apps restrict a wide range of behavior, but one thing they don’t restrict is how much an app subscription can or should cost. There is an upper limit on how much apps can charge: in the United States, that number is $400, and in many countries the maximum is set in the local currency at a roughly equivalent value. But there’s a loophole. The rule doesn’t specify the duration of the subscription that can charge that maximum amount. Is it $400 a year, $400 a month, or $400 a week? Any developer can take advantage of this loophole to charge you hundreds of dollars per week.

As an aside, it was interesting to discover that, in eight countries, Google’s maximum allowable subscription charge was one or another form of “1337” – a number with geek-cred significance.

Apple changed its App Store review guidelines recently, adding additional restrictions that effectively ban apps that come with, in Apple’s words, irrationally high prices. In summary, Apple informs its developer audience:

And while pricing is up to you, we won’t distribute apps and in-app purchase items that are clear rip-offs. We’ll reject expensive apps that try to cheat users with irrationally high prices.

We have not come across any such policies for the Google Play Store. When we reported these high-priced apps to Google, a Google spokesperson told us “subscription costs are set at the discretion of the developer.”

Among the list of apps we reported to Google, the company declined to take action on all but a few, and in those cases, the apps changed how they display the free trial description and terms, removing the only violations. Publishers, at their discretion, may charge unconscionably high subscription prices so long as they abide by these anti-deceptive practices in their promotions.

We understand it’s difficult to provide a fixed price for an app service, but when the app is subjected to review, surely reviewers can easily separate a dodgy looking photo editor charging $90 per week from a reputable developer charging a fair price for an app with professional or premium features.

These screens come from different-but-oddly-similar wallpaper apps which all charge the oddly specific $89.99 per week. The publisher who has done this also tweaked the button text so it reads Start Subscribe, and the fine print text is the same, too (with hyphenation and spacing goofs): “3 Day-Free Trial,  then$89.99/week. Cancel at any time”

Netflix charges $16 per month for its premium service. These wallpaper apps cost the same as 22.5 Netflix subscriptions per month. The description may have some details in fine print, but vulnerable users like kids and the elderly are more susceptible to a grift like this, and more likely to lose some money.

Getting more aggressive

We’ve noticed some apps have moved the screen that solicits the user to sign up for a trial subscription to be triggered at different times, and unusually, not when the app first starts up. The delay may serve a role in ingratiating the app to the user.

Some apps require you to watch an ad, usually a video, before they allow access to some features. That’s fair enough, but we experienced glitchy behavior: the app would repeatedly display the subscription solicitation page when you tried to access any features at all, or if you tried to navigate away from watching an ad.

In the example below, several horoscope apps are trying to sign up subscriptions worth more than $70 per week – not when you press the subscribe button, but when you press the ‘back’ button on your phone. This app claims to have a ‘core technology’ that, somehow, leads to improved horoscope outcomes.

No matter how sophisticated the horoscope technology, charging users of a horoscope app in the range of $300 a month is unethical. Allowing these apps on the Play Store undermines the trust users feel towards the subscription model for apps as a whole.

Many legitimate developers use the subscription model to license their mobile apps. For a while, there were more fleeceware subscription apps in app stores than legitimate subscription apps, but that has been slowly changing. However, if the abuse of the subscription model continues unabated, it may cease to be a viable business model for legitimate developers to want to be involved in, because the user’s whole experience could be tainted by their interaction with fleeceware.

The consumer-friendly improvements made by both Apple and Google since we began reporting on fleeceware apps have been good, but there is still room for improvement. Both Google’s and Apple’s store platforms have control over the entire life cycle of the app, including subscription collection, payment processing and reconciliation. But these stores’ biggest problem right now seems to be the lack of control over pricing. A video editor or a horoscope charging hundreds of dollars for temporary access seems…irresponsible.

After the user uninstalls fleeceware apps, they get emailed information about unsubscribing from the subscription. Perhaps app stores could automatically unsubscribe the user from any recently uninstalled apps, instead of making the user do it manually.

Want to report fleeceware apps?

Have you spotted a fleeceware app on the Google Play Store or iOS App Store that you would like to report to us? Then please email our Labs team with a link to the fleeceware app.

Last but not least, be wary of apps that have short trials and high costs. If you want to unsubscribe from an app trial, please follow the instructions provided by Apple for iOS users or by Google for Android users.

Want to know more about fleeceware apps?

We will be talking about fleeceware apps in detail at the Virus Bulletin security conference this fall. The VB conference is virtual and is free to register this year, and includes other great talks from our industry friends.

Some of the fleeceware we found on the Play Store includes:

| Package name                                   | Subscription charge  | Revenue* |
|------------------------------------------------|----------------------|----------|
| com.photoconverter.fileconverter.jpegconverter | $249.99/€224.99/year | $8k      |
| com.recoverydeleted.recoveryphoto.photobackup  | $249.99/€224.99/year | $60k     |
| com.screenrecorder.gamerecorder.screenrecording| $249.99/€224.99/year | $10k     |
| com.photogridmixer.instagrid                   | $229.99/€219.99/year | $5k      |
| com.compressvideo.videoextractor               | $229.99/€219.99/year | $10k     |
| com.smartsearch.imagessearch                   | $229.99/€219.99/year | $30k     |
| com.emmcs.wallpapper                           | $89.99/week          | $20k     |
| com.wallpaper.work.application                 | $89.99/week          | $30k     |
| com.gametris.wallpaper.application             | $89.99/week          | $30k     |
| com.tell.shortvideo                            | $89.99/week          | $10k     |
| com.csxykk.fontmoji                            | $89.99/week          | $40k     |
| com.video.magician                             | $89.99/week          | $30k     |
| com.el2020xstar.xstar                          | $89.99/week          | $10k     |
| com.dev.palmistryastrology                     | $69.99/week          | $5k      |
| com.dev.furturescope                           | $69.99/week          | $90k     |
| com.fortunemirror                              | $69.99/week          | $20k     |
| com.itools.prankcallfreelite                   | $44.99/year          | $5k      |
| com.isocial.fakechat                           | $45.99/year          | $5k      |
| com.old.me                                     | $94.99/year          | $5k      |
| com.myreplica.celebritylikeme.pro              | $12.99/€10.99/week   | $5k      |
| com.nineteen.pokeradar                         | Pay per install      |          |
| com.pokemongo.ivgocalculator                   | Buggy app            |          |
| com.hy.gscanner                                | $79.99/year          | $5k      |



Sophos EDR achieves Amazon Linux 2 Ready designation – Sophos News

Intercept X for Server Advanced with EDR

Sophos is pleased to announce that it has achieved the Amazon Linux 2 Ready designation as part of the Amazon Web Services (AWS) Service Ready Program.

As organizations look to run cloud and enterprise applications on this new high-performance Amazon Linux environment, with Sophos they can rest assured that they’re protected against the security risks associated with an expanded attack surface.

That’s because Sophos Intercept X Advanced for Server with EDR now runs on Amazon Linux 2 and is fully supported for AWS customers. Users can identify security risks and shine light on otherwise dark areas in their cloud environments.

These dark areas can be a real challenge. According to Sophos’ recent State of Cloud Security 2020 report, nearly half of respondents (41%) admit that identifying and responding to security incidents is a top concern.

Sophos Intercept X Advanced for Server with EDR simplifies this task, giving organizations the power to ask and answer detailed IT operations and threat hunting questions across diverse cloud workload environments – including Amazon Elastic Compute Cloud (Amazon EC2), as well as Amazon Linux 2 virtual machine images for use on Kernel-based Virtual Machine (KVM), Microsoft Hyper-V, and VMware ESXi.

Sophos is dedicated to keeping organizations secure, helping them achieve their technology goals by leveraging the agility, breadth of services, and pace of innovation that AWS provides, and we are proud to achieve AWS Service Ready status.



Central Firewall Reporting Update – Release Notes & News – XG Firewall

Hi All,

Here are the release notes for the recent minor updates to Sophos Central Firewall Reporting.

Updates and Improvements

  • Central Firewall Reporting Advanced: Save Reports as Templates.  Central Firewall Reporting Advanced lets you save custom report templates.
    • First, configure a report with the columns and layout you want. Then save it in your template library for quick access whenever you need to run it.
  • Central Firewall Reporting Advanced: License transfer workflow enhancements make it easier to understand how to manage your CFR Advanced licenses.

Issues Resolved

  • CFR-811 [UI] Column width expand issue and table row line break while resizing the window
  • CFR-944 [UI] Unable to scroll through log view and the log viewer becomes blank after resizing the browser window
  • CFR-839 [Licensing] During transfer, devices list displays the last transferred device name instead of “Select a Device”
  • CFR-695 [Licensing] When a user double clicks on “Remove and delete all data” on licensing UI, 500 internal server error is triggered


Firewall Best Practices to Block Ransomware – Sophos News

Download the report today!

Ransomware continues to plague organizations, with over half of companies surveyed across 26 countries revealing that they were hit by ransomware in the last year.

Modern firewalls are highly effective at defending against ransomware attacks, but they need to be given the chance to do their job.

Our guide, Firewall Best Practices to Block Ransomware, explores how ransomware attacks work, how they can be stopped at the gateway, and best practices for configuring your firewall to optimize your protection.

Eight firewall best practices to block ransomware

To maximize the effectiveness of your anti-ransomware defenses, we recommend you:

  1. Start with the best protection, including a modern high-performance next-gen firewall with IPS, TLS inspection, zero-day sandboxing, and machine learning ransomware protection.
  2. Lock down RDP and other services with your firewall. Your firewall should be able to restrict access to VPN users and only allow sanctioned IP addresses.
  3. Reduce the surface area of attack as much as possible by thoroughly reviewing and revisiting all port-forwarding rules to eliminate any non-essential open ports. Where possible, use VPN to access resources on the internal network from outside rather than port-forwarding.
  4. Be sure to properly secure any open ports by applying suitable IPS protection to the rules governing that traffic.
  5. Enable TLS inspection with support for the latest TLS 1.3 standards on web traffic to ensure threats are not entering your network through encrypted traffic flows.
  6. Minimize the risk of lateral movement within the network by segmenting LANs into smaller, isolated zones or VLANs that are secured and connected together by the firewall. Be sure to apply suitable IPS policies to rules governing the traffic traversing these LAN segments to prevent exploits, worms, and bots from spreading between LAN segments.
  7. Automatically isolate infected systems. When an infection hits, it’s important that your IT security solution be able to quickly identify compromised systems and automatically isolate them until they can be cleaned up (such as with Sophos Synchronized Security).
  8. Use strong passwords and multi-factor authentication for your remote management and file sharing tools so that they’re not easily compromised by brute-force hacking tools.
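Practices 2, 3 and 4 above are checks you can run against a rule set rather than just read. The following audit script is an added example, not Sophos code: it walks a constructed, vendor-neutral JSON list of port-forwarding rules (the field names `dst_port`, `src`, `ips_policy` and `enabled` are assumptions, not XG Firewall's export format) and flags remote-management or file-sharing services forwarded from any source, any forward open to the whole internet, and any forward with no IPS policy attached.

```python
"""Audit port-forwarding (DNAT) rules against the best practices above.

Added example; not a Sophos tool. Rule shape is a constructed assumption:
  {"name": str, "dst_port": int, "proto": str, "src": [str, ...],
   "ips_policy": str | None, "enabled": bool}
"""
import ipaddress
import json

# Services that belong behind a VPN or a tight allow-list, never a wide-open
# forward. Practice 2 names RDP; the others are common peers (assumption).
HIGH_RISK_PORTS = {
    3389: "RDP",
    445: "SMB",
    22: "SSH",
    5985: "WinRM",
    5986: "WinRM-HTTPS",
}

# Constructed sample rule set; none of these addresses or names are real.
SAMPLE_RULES_JSON = """
[
  {"name": "rdp-to-fileserver", "dst_port": 3389, "proto": "tcp",
   "src": ["any"], "ips_policy": null, "enabled": true},
  {"name": "web-dmz", "dst_port": 443, "proto": "tcp",
   "src": ["any"], "ips_policy": "dmz-web", "enabled": true},
  {"name": "ssh-admin", "dst_port": 22, "proto": "tcp",
   "src": ["203.0.113.0/24"], "ips_policy": "admin", "enabled": true},
  {"name": "legacy-ftp", "dst_port": 21, "proto": "tcp",
   "src": ["any"], "ips_policy": null, "enabled": false},
  {"name": "smb-branch", "dst_port": 445, "proto": "tcp",
   "src": ["198.51.100.0/24"], "ips_policy": null, "enabled": true}
]
"""


def source_is_unrestricted(sources):
    """True if any source entry is 'any' or a /0 covering the whole address space."""
    for s in sources:
        if s.lower() == "any":
            return True
        try:
            net = ipaddress.ip_network(s, strict=False)
        except ValueError:
            continue  # named object or typo; not provably 'any', so not flagged here
        if net.prefixlen == 0:
            return True
    return False


def audit_rule(rule):
    """Return a list of human-readable findings for one rule (empty if clean)."""
    findings = []
    if not rule.get("enabled", True):
        return findings  # disabled rules expose nothing; still worth deleting (practice 3)
    port = rule["dst_port"]
    sources = rule.get("src", ["any"])
    unrestricted = source_is_unrestricted(sources)
    if port in HIGH_RISK_PORTS and unrestricted:
        findings.append(
            f"{HIGH_RISK_PORTS[port]} forwarded from any source; "
            "move it behind VPN or an allow-list (practice 2)"
        )
    elif unrestricted:
        findings.append("open to any source; confirm this port is essential (practice 3)")
    if not rule.get("ips_policy"):
        findings.append("no IPS policy attached to this forward (practice 4)")
    return findings


def audit_rules(rules_json):
    """Map rule name -> findings for every enabled rule that has at least one."""
    report = {}
    for rule in json.loads(rules_json):
        findings = audit_rule(rule)
        if findings:
            report[rule["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_rules(SAMPLE_RULES_JSON).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

On the sample set the clean SSH rule (allow-listed source, IPS attached) and the disabled FTP rule produce no findings, while the RDP forward is flagged twice.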

These best practices and more are covered in greater detail in our new Firewall Best Practices to Block Ransomware whitepaper.

Give your organization the best network protection with Sophos

Sophos XG Firewall gives you the best possible network protection against ransomware and other advanced threats, including cryptomining, bots, worms, hacks, breaches, and APTs.

  • Industry-leading IPS stops attackers using the latest network exploits to infect your organization
  • Deep learning technology identifies new and zero-day ransomware variants before they get on your network
  • Sophos Sandstorm analyzes suspicious files in a safe cloud environment

XG Firewall also provides a simple, elegant way to manage RDP access, as well as support for the latest TLS 1.3 standards.

Visit Sophos.com/Firewall today to learn more and try it yourself!

Net Universe offers all Sophos devices and subscriptions, as well as consulting services, with worldwide delivery.
Send us an email to [email protected] for more information or visit https://www.netuniversecorp.com/sophos.

The ransomware hunt that unearthed a historic banking trojan – Sophos News

Customer profile: A non-profit organization based in the USA, with approximately 1,000 devices.

The Sophos Managed Threat Response (MTR) team provides customers with swift, human-led responses to the nastiest threats and most sophisticated adversaries.

The hunt begins

This case started with an email from a brand-new MTR customer. The customer had just heard that a third-party vendor they work with had been hit by ransomware and was worried they might also be affected.

The MTR team immediately picked up their request, opened a new case, and initiated a threat hunt. Within 15 minutes they were highly confident that there was no ransomware in the customer’s environment.

But the team did find something suspicious. Very recently, a script had been detected and blocked by the customer’s Sophos endpoint protection software.

What was odd was that the script was written in JavaScript, a language normally run by web browsers to make sites interactive. This detection, however, did not come from a browser. It came from the command line.

And it was obfuscated: someone didn’t want it to be read by human eyes.

Diving deeper

We sent the script to SophosLabs, our threat research and intelligence team, to get a deeper analysis of this script and what it was trying to do. Within minutes, SophosLabs began sharing actionable intelligence:

  • The script was a downloader. It would have tried to fetch a malicious payload from a hard-coded URL. A search across network traffic data showed that the URL was never contacted.
  • The downloader script would have attempted to make a scheduled task.

While we couldn’t find any evidence of this task being created, we did find another suspicious-looking scheduled task that would run a different script.

This new script would attempt to find two files with the file extension .zzz and join them together into a .exe. It would then run this .exe, delete the scheduled task, delete the .zzz files, and finally delete the script.

This scheduled task was waiting to do its job but the files it was waiting for never appeared.
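The two artifacts in this hunt, a scheduled task whose action is a script host pointed at a file in a user profile, and a stager script that joins two staged parts, runs the result and then removes the task, the parts and itself, are both cheap to look for across a fleet. The code below is an added example of that hunt, not Sophos code and not the customer's actual artifacts: the task XML (in the format `schtasks /query /tn <name> /xml` exports) and the JScript stager are constructed for the example to reproduce the behaviour described above, and the indicator regexes are an assumed starting set rather than a complete signature.

```python
"""Hunt over exported scheduled tasks and the scripts they launch for the
staging pattern described above. The task XML and the JScript sample are
constructed for this example and are not the customer's actual artifacts.
"""
import re
import xml.etree.ElementTree as ET
from typing import List

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Interpreters that vendor-installed tasks rarely launch against a user-writable script.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}

# Locations any user can write to (assumed list; extend for your environment).
USER_WRITABLE = re.compile(
    r"(?i)(\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\"
    r"|\\programdata\\|\\windows\\temp\\|%(appdata|localappdata|temp|tmp|public)%)"
)
SCRIPT_FILE = re.compile(r"(?i)\.(js|jse|vbs|vbe|wsf|hta)\b")


def task_findings(task_xml: str) -> List[str]:
    """Inspect one exported task definition and return the indicators it trips."""
    root = ET.fromstring(task_xml)
    found = set()
    for action in root.findall(".//t:Actions/t:Exec", TASK_NS):
        command = (action.findtext("t:Command", default="", namespaces=TASK_NS) or "")
        command = command.strip().strip('"')
        args = action.findtext("t:Arguments", default="", namespaces=TASK_NS) or ""
        exe = command.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in SCRIPT_HOSTS:
            found.add("script-host action")
        if SCRIPT_FILE.search(args):
            found.add("script file argument")
        if USER_WRITABLE.search(command) or USER_WRITABLE.search(args):
            found.add("user-writable path")
    return sorted(found)


# Behaviours of the .zzz stager: join two parts, run the result, then remove
# the task, the parts and the script itself.
SCRIPT_INDICATORS = {
    "file-concatenation": re.compile(r"(?i)copy\s+/b\b|ADODB\.Stream"),
    "unusual-extension": re.compile(r"(?i)\.zzz\b"),
    "execute-built-file": re.compile(r"(?i)\.Run\(|ShellExecute\(|Start-Process"),
    "deletes-task": re.compile(r"(?i)schtasks(\.exe)?\s+/delete"),
    "self-delete": re.compile(r"(?i)DeleteFile\(\s*WScript\.ScriptFullName"),
}


def script_findings(script_text: str) -> List[str]:
    """Return the names of the stager behaviours present in a script body."""
    return sorted(name for name, rx in SCRIPT_INDICATORS.items() if rx.search(script_text))


# Constructed task definitions: one in the shape described in the hunt, one benign.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\wscript.exe</Command>
      <Arguments>//B //E:JScript "C:\Users\jdoe\AppData\Roaming\Microsoft\upd.js"</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>"C:\Program Files\ExampleVendor\updater.exe"</Command>
      <Arguments>/check /quiet</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed JScript reproducing the described stager logic (no real payload).
STAGER_JS = r"""var fso = new ActiveXObject("Scripting.FileSystemObject");
var sh = new ActiveXObject("WScript.Shell");
var d = sh.ExpandEnvironmentStrings("%APPDATA%") + "\\Microsoft\\";
var a = d + "p1.zzz", b = d + "p2.zzz", out = d + "svc.exe";
if (fso.FileExists(a) && fso.FileExists(b)) {
  sh.Run('cmd /c copy /b "' + a + '"+"' + b + '" "' + out + '"', 0, true);
  sh.Run('"' + out + '"', 0, false);
  sh.Run("schtasks /delete /tn upd /f", 0, true);
  fso.DeleteFile(a); fso.DeleteFile(b);
  fso.DeleteFile(WScript.ScriptFullName);
}"""

if __name__ == "__main__":
    print("suspicious task:", task_findings(SUSPICIOUS_TASK))
    print("benign task:    ", task_findings(BENIGN_TASK))
    print("stager script:  ", script_findings(STAGER_JS))
```

Note what the task check does not do: it does not judge the task by its name or schedule, only by what it executes and from where, which is the part an attacker has least freedom to change. The script check is deliberately behavioural as well; the obfuscation the MTR team saw would defeat string matching on the payload, but the stager still has to call the file system and shell objects to do its job.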

Situation resolved

The picture was clear: the suspect scripts and tasks belonged to a variant of the banking trojan and information stealer known as Qbot, and it had been running undetected on a device in the customer’s network for a very long time.

The criminals behind Qbot were trying to orchestrate the download of an update as two .zzz files in order to evade perimeter defenses, and then join them together once on the inside.

Unlucky for Qbot, we caught this process in the act.

As the customer had authorized Sophos to respond on their behalf, we cleaned up the Qbot infection, and informed the customer of what we had discovered.

The whole investigation, from the initial customer email to final clean up, took just 2 hours 6 minutes.

The customer was able to relax knowing that they hadn’t been affected by ransomware and that a historic banking malware had been fully removed.

And as this story shows, while ransomware is often the threat that is front of mind, it’s important to also be alert to the attacks that prefer to hide in the shadows.


Learn more

For more information on the Sophos MTR service visit our website or speak with a Sophos representative.

If you prefer to conduct your own threat hunts, Sophos EDR gives you the tools you need for advanced threat hunting and IT security operations hygiene. Start a 30-day no-obligation trial today.


Making the most of XG Firewall v18 – Part 5 – Sophos News

Anyone who’s tried to configure network address translation (NAT) rules knows how challenging this can be. But it doesn’t have to be.

Sophos XG Firewall includes an all-new powerful but intuitive NAT capability for source NAT (SNAT), destination NAT (DNAT), and other network translation tasks that actually makes NAT easy.

The new NAT rules are found on the Rules and policies screen.

There are a few different types of address translation tasks that are covered by the new NAT rules in XG Firewall v18:

  • Source network address translation (SNAT) rewrites the private source addresses of outbound connections to a public IP address, so that many internal hosts share one public address. This is what lets networks cope with the exhaustion of the IPv4 address space.
  • Destination network address translation (DNAT), or port forwarding, publishes a service located on the private network at a publicly reachable IP address. Port address translation (PAT) is a form of DNAT in which the destination port is also rewritten, so that several internal services behind a single public IP can be told apart by port number.
  • NAT hairpinning (also called NAT loopback or NAT reflection) combines SNAT and DNAT so that hosts inside the private network can reach a published service via its public IP address. Two-way communication then works through the public address from inside and outside alike, and DNS can hand out a single public record rather than a split-horizon pair.

NAT migration from previous versions

Those familiar with NAT in previous versions of XG Firewall will know that SNAT was bound to firewall rules and DNAT was combined with the WAF in business application rules. In XG Firewall v18, all NAT rules live together in the new NAT rules tab, giving much better visibility and a more intuitive, more powerful set of tools for building flexible NAT rules. Linked NAT and firewall rules are still supported for those who prefer that model, but we strongly encourage you to explore the new NAT rule scheme and the tools that come with it.

To maintain compatibility, upgrading to v18 from an earlier version creates several NAT rules automatically: one SNAT rule linked to each firewall rule that previously used masquerading (MASQ), and one DNAT rule for each business application rule.

Depending on how you used NAT before and how your firewall rules are structured, many of these SNAT rules for LAN to WAN traffic may now be redundant. The firewall cannot consolidate them automatically without risking a change in behaviour, but you can consolidate them manually.

NAT rules are evaluated top-down and the first match wins, so a linked rule is safe to delete only when a rule further down the list matches all of the traffic it covered and applies the same translation. Keep one catch-all rule at the bottom that does this, then delete the redundant linked rules above it. Use the new filter and sort options to list the linked NAT rules created during migration and work through them.
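Because NAT rules are matched top-down, "redundant" has a precise meaning: a rule can go only if every packet it would have matched is caught by a later rule that translates it the same way, and no intervening rule would grab part of that traffic and translate it differently. The following is an added example of that check, not Sophos code and not the XG Firewall's own logic; the rule records are a constructed, simplified model (source network, destination zone, service, translated source) of a post-upgrade rule list, and the "MASQ" and "Any" tokens are assumptions of the model. It deliberately errs on the side of keeping rules: a partial overlap with any later rule is treated as unsafe.

```python
"""Find post-upgrade linked SNAT rules that a later rule already covers.

The rule model and the sample rule list are constructed for this example;
they are a simplified stand-in for an exported NAT rule table.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

ANY = "Any"


@dataclass(frozen=True)
class SnatRule:
    name: str
    source: str             # original source network as CIDR; "0.0.0.0/0" for Any
    dst_zone: str           # "WAN", "DMZ", ... or ANY
    service: str            # "SMTP", "HTTP", ... or ANY
    translated_source: str  # "MASQ" (outbound interface address) or an explicit IP
    linked: bool = False    # created by the v18 migration and tied to a firewall rule


def _net(cidr: str):
    return ipaddress.ip_network(cidr, strict=False)


def _field_covers(outer: str, inner: str) -> bool:
    return outer == ANY or outer == inner


def _field_overlaps(a: str, b: str) -> bool:
    return a == ANY or b == ANY or a == b


def covers(outer: SnatRule, inner: SnatRule) -> bool:
    """True if every packet matching `inner` also matches `outer` (IPv4-only model)."""
    return (_net(inner.source).subnet_of(_net(outer.source))
            and _field_covers(outer.dst_zone, inner.dst_zone)
            and _field_covers(outer.service, inner.service))


def overlaps(a: SnatRule, b: SnatRule) -> bool:
    """True if some packet can match both rules."""
    return (_net(a.source).overlaps(_net(b.source))
            and _field_overlaps(a.dst_zone, b.dst_zone)
            and _field_overlaps(a.service, b.service))


def redundant_rules(rules: List[SnatRule]) -> List[str]:
    """Names of rules that can be deleted without changing any translation.

    Rules are evaluated top-down, first match wins. After deleting rule X, its
    traffic falls through to the first later rule that matches it. Deletion is
    safe only when that rule covers all of X's traffic and applies the same
    translation; a partial overlap or a different translation is unsafe, and
    the search stops at that first overlapping rule either way.
    """
    deletable = []
    for i, rule in enumerate(rules):
        for later in rules[i + 1:]:
            if not overlaps(rule, later):
                continue
            if covers(later, rule) and later.translated_source == rule.translated_source:
                deletable.append(rule.name)
            break
    return deletable


# Constructed post-migration rule list: four linked rules, one explicit-IP rule
# for an engineering server range, and the catch-all MASQ rule at the bottom.
SAMPLE_RULES = [
    SnatRule("LAN-Sales-to-WAN (linked)", "10.1.10.0/24", "WAN", ANY, "MASQ", linked=True),
    SnatRule("LAN-Eng-to-WAN (linked)", "10.1.20.0/24", "WAN", ANY, "MASQ", linked=True),
    SnatRule("Mail-out (linked)", "10.1.30.25/32", "WAN", "SMTP", "203.0.113.25", linked=True),
    SnatRule("Guest-to-WAN (linked)", "172.16.0.0/16", "WAN", ANY, "MASQ", linked=True),
    SnatRule("Eng-servers-fixed-IP", "10.1.20.0/23", "WAN", ANY, "203.0.113.10"),
    SnatRule("Default SNAT", "0.0.0.0/0", "WAN", ANY, "MASQ"),
]

if __name__ == "__main__":
    for name in redundant_rules(SAMPLE_RULES):
        print("safe to delete:", name)
```

On the sample list only the Sales and Guest rules are reported. The Engineering rule looks just as redundant at first glance, but the fixed-IP rule beneath it would capture that traffic after deletion and translate it to 203.0.113.10 instead of the interface address, so the check keeps it. The mail rule is kept because its explicit translated address differs from the catch-all, and with the bottom rule removed nothing is reported at all.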

Making the most of NAT in XG Firewall v18

The new NAT capabilities are both powerful and easy to use.  For example, creating a port forwarding or DNAT rule has never been easier, thanks to the new server access assistant wizard.

You just need to provide a few vital pieces of information such as the internal host, the services, and the external access criteria, and the wizard will take care of the rest, creating the necessary NAT rules for you.

To learn more about how to make the most of the new NAT rules in XG Firewall v18, watch this helpful how-to video, which is also conveniently linked right from the top of the NAT rules screen in the product.

Read the rest of the series

Here’s a summary of the resources available to help you make the most of the new features in XG Firewall v18, including the new zero-day threat protection capabilities:

If you’re new to Sophos XG Firewall, learn more about the great benefits and features XG Firewall can deliver to your network.
