Sophos Firewall Manager SFM 17.1 MR3 Released – Release Notes & News – XG Firewall

Hi XG Community!

We’ve released Sophos Firewall Manager SFM 17.1 MR3. Initially, the firmware will be available by manual download from the Licensing Portal. We will gradually release the firmware via auto-update to customers.

  • NCCC-9988 [SFM] SFM authentication bypass
  • NCCC-10011 [SFM] Unable to activate the SFM device

Net Universe offers all Sophos devices and subscriptions, as well as consultant services, with worldwide delivery services.
Send us an email to [email protected] for more information or visit https://www.netuniversecorp.com/sophos.

Intercept X gets 100% in SE Labs testing – Sophos News

We are thrilled to announce that Intercept X received a 100% total accuracy rating in the enterprise, SMB, and consumer protection tests by SE Labs.

Whether you are protecting your employees at work, or them and their families at home, you will get outstanding protection with Intercept X technology.

The world’s best endpoint protection

Intercept X is the strongest endpoint security on the market, delivering more advanced protection in one solution than anything else out there.

Deep learning AI excels at detecting and neutralizing threats that have never been seen before. Anti-ransomware protection blocks malicious encryption processes and returns affected files to safe, unencrypted states. Advanced defenses against fileless, memory-based attacks keep your organization safe against the latest obfuscated, script-based threats.

Intercept X also includes options for Endpoint Detection and Response (EDR), so you can perform detailed threat hunting and IT security operations hygiene across your endpoints and servers, and a managed service (MTR) that gives you access to a team of Sophos cybersecurity specialists that will hunt threats and take appropriate action on your behalf.

Constant innovation

Our team of cybersecurity experts are constantly enhancing the powerful features in Intercept X. This year alone we’ve incorporated:

  • AMSI protection – enhanced protection against fileless attacks, such as obfuscated PowerShell scripts
  • Intrusion Prevention System – protects devices against network-based attacks (currently in early access)
  • EFSGuard, CTFGuard, and more

Try Intercept X for free

Testing the powerful features in Intercept X couldn’t be more straightforward. Take a free 30-day trial, or if you’d like to learn more, head over to Sophos.com.

For a limited time, Sophos customers can add Sophos Home edition at no additional cost.

To view the detailed results from SE Labs: Enterprise | SMB | Consumer

 


Microsoft knocks out 114 vulnerabilities in May, 2020 Patch Tuesday – Sophos News

In what has become a tradition, the second Tuesday of every month Microsoft releases security updates to Windows and other products. This month’s release fixes a total of 114 vulnerabilities, among which 17 are classified as Critical, and 93 as Important.

A total of 28 potential remote code execution (RCE) vulnerabilities have been fixed in Windows web components (such as the Edge or Internet Explorer browsers, or the ChakraCore JavaScript engine), the Jet engine, and some Office components. Moreover, 56 local privilege escalation (LPE) bugs were also fixed, in the Windows kernel (mostly in Win32k, DirectX, or GDI) and also in some Windows services (such as Push Notification, Windows Error Reporting, and BITS).

As usual all the additional details can be found in the Security Update Guide Release Notes and users can download patches manually from the Microsoft Security Update Catalog.

Adobe usually times its updates to coincide with Microsoft’s, and this month’s release saw 21 bugs patched, all in Acrobat Reader. With a criticality set as “Important,” all the bugs fixed are classified as memory corruption vulnerabilities (null pointer, out-of-bounds read, use-after-free) which can potentially lead to code execution on the victim’s host simply by opening a PDF document.

SophosLabs has investigated some of the more interesting vulnerabilities Microsoft fixed this month. Here are some highlights.

Windows Graphic Components

CVE-2020-1054, CVE-2020-1143
CVE-2020-0915, CVE-2020-0916, CVE-2020-0963, CVE-2020-1141, CVE-2020-1142, CVE-2020-1145
CVE-2020-1135, CVE-2020-1153

The graphics layers of Windows span many complex technologies and therefore make up a huge attack surface; attackers frequently look at these subsystems for vulnerabilities. This month, Microsoft fixed a total of 10 vulnerabilities affecting these core components, with risks ranging from simple kernel information leaks up to local Elevation of Privilege (EoP).

One of the EoP vulnerabilities that stands out the most this month is CVE-2020-1054. This bug is an out-of-bounds write in the syscall win32k!NtDrawIconEx, which is responsible for drawing an icon into a specific handle to a device context (HDC). By its very nature, any unprivileged Win32 application can invoke this syscall, and could therefore potentially elevate to SYSTEM.

In any case, one must bear in mind that, in order to exploit these bugs, an attacker needs access to a Windows graphical session and the ability to execute code there.

Web Browser memory corruption

CVE-2020-1037, CVE-2020-1056, CVE-2020-1059, CVE-2020-1096, CVE-2020-1062, CVE-2020-1092, CVE-2020-1093

ChakraCore, the JavaScript engine that powers the Edge web browser, suffers from multiple memory corruption vulnerabilities.

If successfully exploited, these vulnerabilities could allow a remote attacker to execute code on the targeted host with the current user’s privileges simply by exposing a carefully crafted web page and either waiting for a victim to visit it, or forcing them to through XSS, CSRF, or open-redirect web vulnerabilities, or even through social engineering tricks.

Several vulnerabilities were also found in Internet Explorer 11 and the VBScript engine. These could also be exploited successfully, as they rely on old (in some cases unsupported) technologies and cannot benefit from the protections modern browsers offer users.

Windows Services

CVE-2020-1084, CVE-2020-1123, CVE-2020-1137, CVE-2020-1081

Windows services are a great avenue for bugs, particularly (but not only) filesystem bugs – most notably by abusing symbolic links and junctions. As the services require high privileges to run, successful exploitation of a Windows service usually results in privilege escalation.

This month, Microsoft issued fixes for Windows services such as:

  • Connected User Experiences and Telemetry Service
  • Background Intelligent Transfer Service (BITS)
  • Push Notifications
  • Printing

Several of these services had also been targeted, with vulnerabilities fixed in the April 2020 Patch Tuesday. Many more bugs in Windows services were fixed this month, any of which could potentially have resulted in EoP. However, the company provided us with no technical details.

Although no vulnerability was reported as exploited in the wild, many are rated as very likely to be exploited. The precautionary principle therefore dictates patching as soon as possible, which, regardless of any other layer of protection, is always the best remediation.

How is Sophos responding to these threats?

Here is a list of protections released by SophosLabs in response to this advisory, complementing any existing protection and the generic exploit mitigation capabilities in our products.

 

How long does it take to have Sophos detection in place?

We aim to add detection to critical issues based on the type and nature of the vulnerabilities as soon as possible. In many cases, existing detections will catch exploit attempts without the need for updates.

What if the vulnerability/0-day you’re looking for is not listed here?

If we haven’t released an update for a specific exploit, the most likely reason is that we did not receive the data that shows how the exploit works in the real world. As many of this month’s exploits were crafted in a lab and have not been seen in the wild, nobody has enough information (yet) about how criminals would, hypothetically, exploit any given vulnerability. If or when we receive information about real attacks, we will create new detections, as needed.


The state of ransomware 2020 – Sophos News

Stories of organizations crippled by ransomware regularly dominate the IT news headlines, and accounts of six- and seven-figure ransom demands are commonplace. But, do the news stories tell the full story?

To understand the reality behind the headlines, Sophos commissioned an independent survey of 5,000 IT managers across 26 countries. The findings provide brand new insight into what actually happens once ransomware hits. Be prepared to be surprised.

The 2020 ransomware reality

The survey provides fresh new insight into the experiences of organizations hit by ransomware, including:

  • Almost three quarters of ransomware attacks result in the data being encrypted.
    51% of organizations were hit by ransomware in the last year. The criminals succeeded in encrypting the data in 73% of these attacks.
  • 26% of victims whose data was encrypted got their data back by paying the ransom.
    A further 1% paid the ransom but didn’t get their data back. Overall, 95% of organizations that paid the ransom had their data restored.
  • 94% of organizations whose data was encrypted got it back.
    More than twice as many got it back via backups (56%) than by paying the ransom (26%).
  • Paying the ransom doubles the cost of dealing with a ransomware attack.
    The average cost to rectify the impacts of the most recent ransomware attack (considering downtime, people time, device cost, network cost, lost opportunity, ransom paid etc.) is US$732,520 for organizations that don’t pay the ransom, rising to US$1,448,458 for organizations that do pay.
  • Despite the headlines, the public sector is less affected by ransomware than the private.
    45% of public sector organizations were hit by ransomware last year, compared to a global average of 51%, and a high of 60% in the media, leisure, and entertainment industries.
  • One in five organizations has a major hole in their cybersecurity insurance.
    84% of respondents have cybersecurity insurance, but only 64% have insurance that covers ransomware.
  • Cybersecurity insurance pays the ransom.
    For those organizations that have insurance against ransomware, 94% of the time when the ransom is paid to get the data back, it’s the insurance company that pays.
  • Most successful ransomware attacks include data in the public cloud.
    59% of attacks where the data was encrypted involved data in the public cloud. While it’s likely that respondents took a broad interpretation of public cloud, including cloud-based services such as Google Drive and Dropbox and cloud backup such as Veeam, it’s clear that cybercriminals are targeting data wherever it is stored.

For the details behind these headlines, read The State of Ransomware 2020 report.

Sophos Intercept X: Protection against ransomware

Ransomware actors combine sophisticated attack techniques with hands-on hacking. Sophos Intercept X endpoint protection gives you the advanced protection technologies you need to disrupt the whole attack chain, including:

  • Encryption rollback. CryptoGuard technology blocks the unauthorized encryption of files and rolls them back to their safe state in seconds.
  • Exploit protection. Deny attackers by blocking the exploits and techniques used to distribute malware, steal credentials, and escape detection.
  • AI-powered threat protection. Artificial intelligence detects both known and unknown malware without relying on signatures.

Start an instant online demo to see how Intercept X works in a full environment. You’ll be up and running in less than a minute.


extorting victims for 1 year and counting – Sophos News

It’s been a year since the Maze ransomware gang began its rise to notoriety. Previously identified as “ChaCha ransomware” (a name taken from the stream cipher used by the malware to encrypt files), the Maze “brand” was first affixed to the ransomware in May of 2019.

Initial samples of Maze were tied to fake websites loaded with exploit kits. Since then, Maze has been delivered by multiple means: exploit kits, spam emails, and—as the group’s operations have become more targeted—Remote Desktop Protocol attacks and other network exploitation.

But aside from the gang’s adjustments in initial compromise approaches, the Maze group has risen in prominence largely because of its extortion tactics: following through on threats of public exposure by publishing “dumps” of victims’ stolen data, and offering victim data on cybercrime forums if no payment is made.

While Maze did not invent the data-theft/extortion racket, it was among the first ransomware operations to use data theft as a way of twisting the arms of victims to pay up. The Maze gang has made public exposure central to their “brand” identity, and actively seeks attention from press and researchers to promote their brand—and make it easy for victims who might hesitate to pay them to find out their reputation.

Stepping into the spotlight

Maze rose to greater attention in October of 2019, when the ransomware’s operators launched a massive spam campaign that masqueraded as messages from government agencies. One campaign sent messages claiming to be from Germany’s Bundeszentralamt für Steuern (Ministry of Finance), while another posed as a tax message from Italy’s Agenzia delle Entrate (Internal Revenue Service).

The Italian version of the attack claimed to be instructions to avoid being designated as tax cheats, with further details in the attached file VERDI.doc, described as an “interactive tool”, a ploy to trick the user into enabling Visual Basic for Applications (VBA) macros. When macros were enabled, the scripts within the document downloaded the Maze ransomware to the %TEMP% folder, and then executed it.

The fake email sent by Maze’s operators to Italian targets.
The attachment, VERDI.doc

Since then, Maze ransomware has gained notice largely from stealing and publishing victims’ data as a means to coerce payment. While threatening to expose victims’ data has long been part of ransomware operators’ playbook, Maze was among the first to follow through on such a threat in a public fashion—starting with the November 2019 exposure of data from Allied Universal.

Maze is not alone in adopting this tactic. REvil/Sodinokibi began releasing data at about the same time as Maze; the DoppelPaymer and Clop ransomware rings have followed suit, and LockBit has added threats of data exposure to its ransom note. But the Maze “team” was the first to go as far as to engage news media to draw attention to its victims, going as far as to include a “press release” on their website.

Fame and fortune

Maze’s operators seek attention in many ways, in an effort to spread their reputation and increase the likelihood that their “clients” (as they call their victims) pay quickly. Name recognition is important to them, even as they remain anonymous. One way they seek attention is through their provocation of security researchers.

The developers of Maze often drop the names of researchers into strings contained within ransomware binaries or the “packers” that deliver them. For instance, Maze’s authors frequently put researchers’ names in the filenames or file paths for the program database (.pdb) file generated during development.

References to the Twitter account of researcher Michael Gillespie, the antivirus company Emsisoft, and researcher Marcus Hutchins in the PDB path of one Maze binary sample, along with other meaningless strings.

The Maze authors have put names into the .pdb filename and path so frequently that it seems they may be running out of ideas about what to call them:

PDB path

Sometimes, the Maze authors leave provocative messages to researchers within strings in the code itself. Often these strings have no function, though occasionally they’re used as “kill switches” that shut down the malware’s execution.

 

The Maze team’s provocation of researchers extends into its presence in web forums. On one board, the Maze team uses the account name “Kremez”, after prominent ransomware researcher Vitali Kremez, to post links to dumps of data from companies that failed to pay.

A web board post by the Maze team, using the account name “Kremez.”

But the main platform used to promote the Maze brand is the Maze team’s websites—one specifically for its victims, and another to communicate with the world at large (and encourage victims publicly to pay up).

“Keeping the world safe”

The web panel for victims features the ring’s ironic slogan, “Maze team: Keeping the World safe.”

Victims arriving at the site after following the URL in the ransom note are asked to provide the file DECRYPT-FILES.txt dropped by the ransomware, which contains the identification number assigned to the victim.

Once they’ve identified themselves, victims can upload three files for decryption as proof that the Maze crew can truly restore their data. (Only image files are supported, so no real critical data can be recovered for free.)

The site also provides a chat window, so the victim can communicate with the Maze team’s customer support representatives, who are standing by to answer any questions and negotiate a payment.

Aside from the private web panel provided to victims, the Maze group also maintains a “news” site (hosted both on Tor and on the public Internet) that hosts samples of stolen data for companies that have recently been hit by the ransomware, as well as “full dumps” of data from some companies that failed to negotiate a payment.

The site’s main page is currently a “press release” dated April 17, 2020. It is really a message to victims, explaining all the bad things that will happen if they ignore Maze’s ransom demand and do not contact them about payment.

They assure “clients” that they honor their side of any agreement and delete stolen data, as their reputation is important to them to conduct business. And they claim to be ready to cut a deal for those hurt by the COVID-19 induced global economic downturn.

In the past, the Maze group has withdrawn data posted to its site due to extenuating circumstances, such as when the group backed off blackmail demands against the City of Pensacola following the shooting of two members of the US Navy at the naval air station there. And in March, the Maze team announced that it would stop attacks on medical organizations until the COVID-19 pandemic “stabilizes.”

In the most recent “press release” (dated April 17, 2020), the operators of Maze wrote:

We are living in the same reality as you are. That’s why we prefer to work under the arrangements and we are ready for compromise. But only with those partners who can understand what is reputation and what are the real consequences of private data loss.

Evasion and anti-analysis in the Maze main binary

Maze ransomware is mostly written in C++. However, it heavily uses pure assembly with control-flow obfuscation. This obfuscation includes:

  • Unconditional jumps built from combinations of conditional jump instructions, such as a jz (jump if zero) placed directly after a jnz (jump if not zero) to the same location;
  • Jumps into the middle of instructions;
  • Instructions that use strings within the .text section of the binary as a return address;
  • Hashed API names: the hash of each needed API name is compared with the hashes of a DLL’s exported function names, and the matching functions are then resolved dynamically with the usual LoadLibrary and GetProcAddress functions.

The Maze team is very proud of their main binary’s code obfuscation: in a message in the text of the malware’s binary, they challenged researchers to write an IDAPython script to deobfuscate it. On May 1, CrowdStrike’s Shaun Hurley published a report showing just such a deobfuscation in detail.
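As an added illustration of the first of those tricks (example code written for this page, not Sophos’ analysis tooling and not anything from the Maze binary or CrowdStrike’s script), the following Python scans raw 32-bit x86 bytes for an adjacent jnz/jz pair that shares a target and rewrites each pair as a plain short jmp followed by two NOPs, which is the patch an IDAPython deobfuscator would apply. The sample bytes, function names and constants are this example’s own. A byte-level sweep like this can misfire on bytes that belong to a longer instruction, which is why the real deobfuscation is done over disassembled instructions rather than raw bytes.

```python
# Added example (not Sophos' or the Maze authors' code): find the
# "jnz + jz to the same address" pattern in raw x86 bytes and patch it into
# a real unconditional jump.  SAMPLE is a constructed fragment.
from typing import List, Tuple

JZ_SHORT = 0x74    # jz / je  rel8
JNZ_SHORT = 0x75   # jnz / jne rel8
JMP_SHORT = 0xEB   # jmp rel8
NOP = 0x90


def _rel8(b: int) -> int:
    """Interpret one byte as a signed 8-bit displacement."""
    return b - 256 if b > 127 else b


def find_opaque_jump_pairs(code: bytes, base: int = 0) -> List[Tuple[int, int]]:
    """Return (offset, target) for every pair of adjacent short jz/jnz (in either
    order) that lands on the same address.  Exactly one of the two always
    branches, so the pair is an obfuscated unconditional jump to `target`.
    `base` is added to both values so they can be reported as virtual addresses."""
    hits: List[Tuple[int, int]] = []
    for i in range(len(code) - 3):
        if {code[i], code[i + 2]} != {JZ_SHORT, JNZ_SHORT}:
            continue                        # not a jz/jnz or jnz/jz pair
        first_target = i + 2 + _rel8(code[i + 1])
        second_target = i + 4 + _rel8(code[i + 3])
        if first_target == second_target:
            hits.append((base + i, base + first_target))
    return hits


def patch_opaque_jumps(code: bytes) -> bytes:
    """Rewrite each detected pair as `jmp short target` plus two NOPs.
    The first jump's displacement already reaches the shared target from the
    same offset, so it is reused unchanged for the new jmp.  Overlapping pairs
    are not expected in real code and are not handled specially."""
    patched = bytearray(code)
    for offset, _target in find_opaque_jump_pairs(code):
        patched[offset] = JMP_SHORT
        patched[offset + 2] = NOP
        patched[offset + 3] = NOP
    return bytes(patched)


# Constructed code fragment (not taken from a Maze sample):
#   0x00: xor eax, eax
#   0x02: jnz +3   -> 0x07
#   0x04: jz  +1   -> 0x07   (pair: execution always ends up at 0x07)
#   0x06: 0xCC     junk byte the pair always skips
#   0x07: nop      shared target
#   0x08: jz  +2   ordinary conditional jump with no partner
#   0x0A: nop, nop
#   0x0C: ret
SAMPLE = bytes([0x33, 0xC0, 0x75, 0x03, 0x74, 0x01, 0xCC,
                0x90, 0x74, 0x02, 0x90, 0x90, 0xC3])

if __name__ == "__main__":
    for off, tgt in find_opaque_jump_pairs(SAMPLE, base=0x401000):
        print(f"opaque jump pair at 0x{off:x} -> 0x{tgt:x}")
    print(patch_opaque_jumps(SAMPLE).hex())
```

Run on SAMPLE it reports one pair at offset 2 targeting offset 7, and the patched bytes begin `33 c0 eb 03 90 90`, after which a second pass finds nothing.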

Several of the Maze samples we’ve analyzed contain “kill” switches, which when triggered result in the malware not encrypting files. Many of these are there just to grab the attention of researchers, either to send some message or (as mentioned earlier) to name researchers that they know have been examining their code.

Researcher Vitali Kremez’s name is used here as a killswitch filename (C:\2433\kremez), along with a threatening message to another researcher in the binary text.
Another killswitch setting taunts a company that did not pay Maze’s ransom.

There are also some samples that can be run with more meaningful, functional switches, such as:

  • --nomutex, which allows multiple instances to run;
  • --logging, which turns on detailed console output, logging each file encrypted, the time required to do so, and some error messages;
  • --noshares, which turns off encryption of network shares;
  • --path, which specifies a folder to be encrypted.

Output from the Maze binary with the --logging switch passed at startup.

Aside from the obfuscation, the authors of the Maze main binary applied a number of anti-analysis techniques to the malware. It checks for a debugging environment in multiple ways. In addition to using the IsDebuggerPresent API and checking the PEB.BeingDebugged flag, the Maze main binary contains hardcoded hashes of the names of known analysis processes, including procmon.exe, procmon64.exe, x32dbg.exe, x64dbg.exe, ollydbg.exe, procexp.exe, and procexp64.exe. The code enumerates the running processes, checks their names against the hashed list, and terminates itself if any are detected.

Setting up shop and phoning home

The Maze binary creates persistence by adding itself to Windows’ autorun registry. And it uses a mutex to ensure that another instance of Maze doesn’t execute (unless it’s a sample that has been executed with the --nomutex switch).

As with most ransomware, it deletes shadow copies with the Windows Management Instrumentation command-line utility WMIC.exe. The binary also uses the WMI interface to query for antivirus information, executing the Windows Management Instrumentation Query Language (WQL) command “Select * from AntiVirusProduct” within the WMI namespace root\SecurityCenter2.
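The shadow-copy deletion and autorun persistence just described are behaviours a SOC can alert on without a Maze-specific signature. The following Python is an added example (not Sophos’ or the article’s code): two detection rules run over a handful of constructed events loosely shaped like Sysmon process-creation and registry-set records. The field names, the sample paths and the vssadmin variant of the shadow-copy rule are this example’s assumptions; the page itself names only WMIC.

```python
# Added example (not part of the Sophos article): detection rules for
# shadow-copy deletion via WMIC and for Run-key persistence that points at a
# user-writable path.  Events and field names are constructed for this demo.
import re
from typing import Dict, List

# Rule 1: shadow-copy deletion.  The article names WMIC; vssadmin is added
# here as a generalisation and is not mentioned on the page.
SHADOW_DELETE = re.compile(
    r"(wmic(\.exe)?\s+shadowcopy\s+delete|vssadmin(\.exe)?\s+delete\s+shadows)",
    re.IGNORECASE,
)
# Rule 2a: a value written under ...\CurrentVersion\Run or RunOnce ...
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Rule 2b: ... whose target lives somewhere an unprivileged user can write.
USER_WRITABLE = re.compile(
    r'^"?[A-Z]:\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\|'
    r'^"?[A-Z]:\\ProgramData\\|\\Temp\\',
    re.IGNORECASE,
)


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run both rules over the events and return one alert dict per hit."""
    alerts: List[Dict[str, str]] = []
    for ev in events:
        kind = ev.get("event")
        if kind == "process_create" and SHADOW_DELETE.search(ev.get("cmdline", "")):
            alerts.append({"rule": "shadow_copy_deletion", "ts": ev["ts"],
                           "image": ev["image"], "parent": ev.get("parent", ""),
                           "detail": ev["cmdline"]})
        elif (kind == "registry_set" and RUN_KEY.search(ev.get("key", ""))
              and USER_WRITABLE.search(ev.get("value", ""))):
            alerts.append({"rule": "run_key_persistence", "ts": ev["ts"],
                           "image": ev["image"],
                           "detail": f'{ev["key"]} = {ev["value"]}'})
    return alerts


# Constructed sample events: two that should alert, two benign look-alikes.
SAMPLE_EVENTS = [
    {"ts": "2020-05-14T10:01:02Z", "event": "process_create",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic shadowcopy delete",
     "parent": "C:\\Users\\alice\\AppData\\Local\\Temp\\sample.exe"},
    {"ts": "2020-05-14T10:01:03Z", "event": "registry_set",
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\sample.exe",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\sample",
     "value": "C:\\Users\\alice\\AppData\\Local\\Temp\\sample.exe"},
    {"ts": "2020-05-14T10:05:00Z", "event": "process_create",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic os get caption",          # benign inventory query
     "parent": "C:\\Windows\\explorer.exe"},
    {"ts": "2020-05-14T10:06:00Z", "event": "registry_set",
     "image": "C:\\Program Files\\Vendor\\setup.exe",
     "key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent",
     "value": "C:\\Program Files\\Vendor\\agent.exe"},  # installer, admin path
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["ts"], alert["rule"], alert["image"], "|", alert["detail"])
```

The persistence rule deliberately requires both conditions: Run-key writes from installers into Program Files are routine, while a Run value that points into a user’s Temp or AppData folder is rare in normal administration and is worth a ticket on its own.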

The ransomware collects information about the computer and its user, including information about the system drives, operating system version, default language setting, username, and computer name. As with some other ransomware, Maze will terminate without encrypting files if certain languages are detected (such as those used in Commonwealth of Independent States nations).

The malware also gathers information about the local network the target is connected to, by creating a null-session connection and enumerating network resources. It tries to determine the role of the current machine in the network in order to reuse that in the extortion: Maze varies the ransom amount depending on whether the target is a home computer, or a workstation or server on a corporate network.

This information is exfiltrated to the command-and-control server using a standard HTTP POST over port 80, connecting through Windows’ socket library, WS2_32.dll. The URI path is built up from a hard-coded list of strings.

The malware sends information including the username, drive information, drive free space, language, antivirus product present, and OS version back to the server.

Dear User, I’ve encrypted your files

Maze uses RSA and ChaCha20 stream cipher encryption to lock victims’ files. The malware generates an RSA key pair, which is in turn encrypted using the main RSA public key embedded in the malware. As it traverses the file system to encrypt files, it skips the following directories:

  • \Program Files
  • \Windows
  • \Games\
  • \Tor Browser\
  • \ProgramData\
  • \cache2\entries\
  • \Low\Content.IE5\
  • \User Data\Default\Cache\
  • \All Users
  • \IETldCache\
  • \Local Settings\
  • \AppData\Local
  • AhnLab
  • {0AFACED1-E828-11D1-9187-B532F1E9575D}

 

Maze also doesn’t encrypt .lnk, .exe, .sys, and .dll files, and specifically avoids the following files:

  • DECRYPT-FILES.txt (the file dropped with the victim’s ID code)
  • inf
  • ini
  • ini
  • dat
  • db
  • bak
  • dat.log
  • db
  • bin
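For incident responders scoping an infection, the exclusion rules above can be turned into a triage check. The following Python is an added example (not from the Sophos article) that applies the directory, filename and extension exclusions to a file listing and separates files Maze would have skipped from those it would have been willing to encrypt. Case-insensitive substring matching on the directory part is this example’s assumption about how the list is applied; the truncated filename entries (inf, ini, dat, ...) are left out because the page does not give their full names; the sample paths are constructed.

```python
# Added example (not the article's code): classify paths against the Maze
# exclusion list so responders can see which files were exposed to encryption.
# ntpath is used so Windows paths are parsed correctly on any platform.
import ntpath
from typing import Dict, List, Optional

# Directory fragments exactly as listed in the write-up (assumed to be matched
# as case-insensitive substrings of the directory part of the path).
SKIP_DIRS = [
    "\\Program Files", "\\Windows", "\\Games\\", "\\Tor Browser\\",
    "\\ProgramData\\", "\\cache2\\entries\\", "\\Low\\Content.IE5\\",
    "\\User Data\\Default\\Cache\\", "\\All Users", "\\IETldCache\\",
    "\\Local Settings\\", "\\AppData\\Local", "AhnLab",
    "{0AFACED1-E828-11D1-9187-B532F1E9575D}",
]
SKIP_EXTS = {".lnk", ".exe", ".sys", ".dll"}
SKIP_FILES = {"decrypt-files.txt"}       # the dropped ransom note / victim ID


def maze_skip_reason(path: str) -> Optional[str]:
    """Return why Maze's traversal would skip `path`, or None if the file
    would be a candidate for encryption."""
    # Trailing separator so entries like "\Games\" also match the last folder.
    directory = ntpath.dirname(path) + "\\"
    for needle in SKIP_DIRS:
        if needle.lower() in directory.lower():
            return f"dir:{needle}"
    name = ntpath.basename(path)
    if name.lower() in SKIP_FILES:
        return f"file:{name}"
    ext = ntpath.splitext(name)[1].lower()
    if ext in SKIP_EXTS:
        return f"ext:{ext}"
    return None


def triage(paths: List[str]) -> Dict[str, object]:
    """Split a file listing into exposed paths and skipped paths with reasons."""
    exposed: List[str] = []
    skipped: Dict[str, str] = {}
    for p in paths:
        reason = maze_skip_reason(p)
        if reason is None:
            exposed.append(p)
        else:
            skipped[p] = reason
    return {"exposed": exposed, "skipped": skipped}


# Constructed listing; note AppData\Roaming is NOT excluded while AppData\Local is.
SAMPLE_PATHS = [
    "C:\\Users\\alice\\Documents\\report.docx",
    "C:\\Windows\\System32\\drivers\\etc\\hosts",
    "C:\\Users\\alice\\Desktop\\DECRYPT-FILES.txt",
    "C:\\Users\\alice\\Desktop\\tool.exe",
    "C:\\Users\\alice\\AppData\\Local\\Temp\\notes.txt",
    "C:\\Users\\alice\\AppData\\Roaming\\app\\config.json",
    "D:\\Shares\\finance\\ledger.xlsx",
]

if __name__ == "__main__":
    result = triage(SAMPLE_PATHS)
    for p in result["exposed"]:
        print("EXPOSED ", p)
    for p, why in result["skipped"].items():
        print("skipped ", p, "(", why, ")")
```

The Roaming versus Local distinction is the kind of detail this check surfaces: per-user application data under AppData\Roaming (and anything on mapped network shares, given the --noshares switch is off by default) is fair game, while AppData\Local and the system directories are not.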
The ransom note, on the altered desktop.

At the end of the encryption, a desktop wallpaper .bmp is dropped—and a voice message is played:

“Alert! *User* Alert! Dear *User*, Your files have been encrypted…”

Both the wallpaper and the voice message are stored in text form within the binary. The background text is converted to a .bmp using the DrawTextW and GetDIBits APIs, dropped as 000.bmp, and set as the wallpaper. The voice message is created using the Microsoft Speech API with the default voice and default audio device. Just before playing the message, the malware calls the operating system’s Beep function to be sure of catching the victim’s attention.

In the latest version of the ransom note, the Maze crew leaves a “friendly” warning for the IT support staff of the victim organization:

 

IOCs

SHA256 filename
4acba1590552c9b2b82f5a786cedc8a12ca457e355c94f666efef99073827f89 love.dll
20ea5a9b5b2e47aa191132ac12c1d6dea6b58d7a0467ea53d48e96f8a79c6acd argfdg, arsgt35yy, maze.exe
3c2be967cbaaafecf8256167ba32d74435c621e566beb06a1ead9d33d7e62d64 Attack!.rar
7a84d10ac55622cdac25f52170459ae5b8181ee3fc345eb1b1dcbd958b344aa6 Ave Kim, Emperor.exe
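To make the IOC table actionable, the following Python is an added example (not Sophos’ code) that hashes files and matches them against the SHA256 indicators above, reporting a filename match separately as weaker evidence since names are trivial to change. The sample file contents are constructed; CONSTRUCTED_IOC is the hash of constructed bytes, added to the indicator set only so the demonstration produces a hash hit without real malware.

```python
# Added example (not from the article): match files against the Maze SHA256
# indicators published above.  Hash matches are strong evidence; filename-only
# matches are reported as weak.  Sample contents below are constructed.
import hashlib
import os
from typing import Dict, List, Optional, Set, Tuple

# SHA256 -> filename(s), exactly as given in the IOC table.
MAZE_IOCS: Dict[str, str] = {
    "4acba1590552c9b2b82f5a786cedc8a12ca457e355c94f666efef99073827f89": "love.dll",
    "20ea5a9b5b2e47aa191132ac12c1d6dea6b58d7a0467ea53d48e96f8a79c6acd": "argfdg, arsgt35yy, maze.exe",
    "3c2be967cbaaafecf8256167ba32d74435c621e566beb06a1ead9d33d7e62d64": "Attack!.rar",
    "7a84d10ac55622cdac25f52170459ae5b8181ee3fc345eb1b1dcbd958b344aa6": "Ave Kim, Emperor.exe",
}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def ioc_filenames(iocs: Dict[str, str]) -> Set[str]:
    """Lower-cased set of every filename mentioned in the IOC labels."""
    names: Set[str] = set()
    for label in iocs.values():
        names.update(n.strip().lower() for n in label.split(","))
    return names


def classify(path: str, digest: str, iocs: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """("hash", label) for a hash hit, ("filename", name) for a name-only hit, else None."""
    if digest in iocs:
        return ("hash", iocs[digest])
    basename = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if basename in ioc_filenames(iocs):
        return ("filename", basename)
    return None


def scan_bytes(files: Dict[str, bytes], iocs: Dict[str, str] = MAZE_IOCS) -> List[Dict[str, str]]:
    """Scan in-memory {path: content} pairs; handy for tests and for carved objects."""
    hits: List[Dict[str, str]] = []
    for path, data in files.items():
        digest = sha256_bytes(data)
        verdict = classify(path, digest, iocs)
        if verdict:
            hits.append({"path": path, "sha256": digest, "match": verdict[0], "ioc": verdict[1]})
    return hits


def scan_dir(root: str, iocs: Dict[str, str] = MAZE_IOCS) -> List[Dict[str, str]]:
    """Walk a directory tree on disk and apply the same classification."""
    hits: List[Dict[str, str]] = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue                     # unreadable or vanished; skip, don't abort
            verdict = classify(path, digest, iocs)
            if verdict:
                hits.append({"path": path, "sha256": digest, "match": verdict[0], "ioc": verdict[1]})
    return hits


# Constructed demo data: an IOC for bytes we control, so a hash hit is possible.
CONSTRUCTED_IOC = sha256_bytes(b"constructed test sample, not real malware")


def demo_iocs() -> Dict[str, str]:
    iocs = dict(MAZE_IOCS)
    iocs[CONSTRUCTED_IOC] = "constructed-sample.bin"
    return iocs


SAMPLE_FILES = {
    "share/finance/report.docx": b"quarterly numbers",
    "downloads/love.dll": b"benign bytes that merely carry an IOC filename",
    "temp/argfdg": b"constructed test sample, not real malware",
}

if __name__ == "__main__":
    for hit in scan_bytes(SAMPLE_FILES, demo_iocs()):
        print(hit["match"].upper(), hit["path"], hit["sha256"][:16], "->", hit["ioc"])
```

With the published indicators alone, the demo only yields filename matches (love.dll and argfdg), which is the point of reporting them separately: a name hit is a prompt to pull the file for analysis, whereas a hash hit is a confirmed artefact.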


Quickly and easily secure remote workers with YubiKeys through YubiEnterprise Delivery

In the current situation of social distancing, record percentages of employees working from home have added complexities to securing the workforce. In fact, many of our customers have expressed that the actual distribution of YubiKeys to remote, individual employees is a real challenge. To help fix this issue, we are excited to release our second YubiEnterprise Services offering today: YubiEnterprise Delivery. 

With YubiEnterprise Delivery, US and Canada-based organizations can ship YubiKeys directly to employees, partners, and contractors in more than 30 countries across the US, Canada, and Europe. Delivery requests can be entered online via the YubiEnterprise console individually, in bulk through a CSV file upload, or programmatically through an API. Leveraging the API option enables IT administrators to fully automate the distribution of keys as part of the user onboarding and allows for integration with in-house service catalogs like ServiceNow. 

While Yubico takes care of the shipping logistics and simplifies YubiKey distribution, enterprises can focus on what matters – securing the workforce. Whether your organization has experienced an uptick in remote workers, has scarce IT resources, or has hiring surges throughout the year, YubiEnterprise Delivery makes it easy to quickly distribute YubiKeys to employees no matter their location.

For Remote Workers

IT administrators can experience cost-effective, turnkey shipping and tracking capabilities, with YubiKey delivery directly to employees’ doorsteps.

For Limited IT Teams 

Typically, IT teams are stretched thin managing the many business-critical applications that keep an organization running. By simplifying delivery, distribution, and management of inventory, organizations can operate efficiently without hindering security or productivity. 

For Seasonal Hiring 

Managing security logistics and inventory has its challenges when hiring activities increase during specific times of the year. With the combination of YubiEnterprise Subscription and Delivery, Yubico customers have the flexibility to accommodate hiring surges and focus on the busy season ahead. 

With YubiEnterprise Subscription, organizations can seamlessly add users midterm to existing subscriptions. Benefits also include the ability to replace or upgrade 25% of your user subscription with new YubiKeys, which can be leveraged to accommodate employee churn, lost keys, or support an influx of seasonal workers. With these options, added users can quickly receive YubiKeys via YubiEnterprise Delivery. 



If you’re looking for an easy, flexible solution to improve your organization’s security landscape, let YubiEnterprise Services own the logistical difficulties. Work with your Yubico sales representative to set up your YubiEnterprise Delivery console with your YubiKey order today. 

For a limited time only, any qualifying Yubico customer that purchases a 3-year YubiEnterprise Subscription with prepayment before June 26, 2020 will be eligible for free YubiEnterprise Delivery shipments within the US and Canada until September 30, 2020.

For terms and conditions, as well as YubiEnterprise Delivery pricing details please visit our YubiEnterprise Services page

To learn more about the business advantages of YubiEnterprise Services, view the on-demand webinar, YubiEnterprise Services: Hardware Authenticators as a Service

Net Universe offers all Yubikeys with worldwide Delivery Services.
Send us an email to [email protected] for more information or visit https://www.netuniversecorp.com/yubikey.
You can visit our Shop Online

 

Five cybersecurity prescriptions for healthy healthcare in 2020 – Sophos News

In 2019 alone cyberattacks cost the healthcare industry $4 billion, making it the worst ever year for data breaches.

If healthcare organizations are to gain ground on modern cyber threats, they must follow certain key security strategies to build much needed cyber resilience.

Here are five security prescriptions to keep the industry healthy:

1. Embrace the zero trust security model

A recent report shows that in the healthcare sector more breaches are caused by internal than external threats. This can be attributed to human error, lapsed security oversight, or intentional abuse of privilege access to sensitive data and systems.

By implementing a zero trust approach, healthcare organizations can introduce granular controls on network traffic. This takes away the opportunity for modern attackers and internal rogue users to leverage attacks and gain access to sensitive personal health information (PHI) while remaining under the radar.

2. Improve cyber wellness against ransomware threats

Ransomware is a devastating weapon in the hands of cybercriminals targeting healthcare, accounting for over 70% of malware outbreaks in the sector.

Such attacks have brought healthcare operations to a grinding halt, paralyzed connected medical devices and systems, and encrypted healthcare records to render them inaccessible by caregivers.

Sophos not only provides industry-leading anti-ransomware security but also tracks ransomware development with rigorous research from SophosLabs. Sophos Intercept X with EDR, and Sophos XG Firewall work together to disrupt and stop advanced ransomware attacks.

3. Get around the skills shortage

Lack of personnel with the appropriate cybersecurity knowledge and expertise is one of the major challenges for healthcare service providers. This is especially a headache for those who don’t have a full-time, in-house security expert.

For healthcare organizations lacking cybersecurity resources Sophos offers the Managed Threat Response (MTR) service. The service provides effective monitoring and continuous risk assessment, as well as a 24/7 dedicated team of experts.

The service goes beyond alerts: it provides hands-on incident response, ensuring that risks are identified and contained and that corrective action is taken immediately.

4. Cover blind spots in your digital transformation efforts

Transacting information between patients, caregivers, insurance agencies, and other stakeholders should be seamless and secure. Software-defined wide area networking (SD-WAN), with its flexible architecture, has emerged as a new favorite among healthcare organizations for meeting these requirements.

It’s crucial to provide reliable and secure access to sensitive healthcare data at a time when many hospitals are adopting new technologies like network-connected medical devices, telehealth, and clinical systems such as picture archiving and communication systems (PACS).

Sophos, with its latest XG Firewall and SD-RED devices, makes it possible to achieve SD-WAN connectivity in line with your security and continuity goals.

5. Promote cyber awareness

Another major concern for healthcare organizations is the lack of cybersecurity education and poor data privacy awareness among employees.

Having the right cybersecurity culture is important to help reduce healthcare’s high susceptibility to a wide range of sophisticated cyberattacks.

Healthcare organizations should consider running regular awareness campaigns to make their employees, partners, and vendors more aware of the latest cybersecurity scams and phishing tactics, and thus be better prepared to take the right action when they encounter malware or phishing.

With Sophos Phish Threat, IT security teams can simulate security and compliance phishing attacks with just a few clicks and provide automated, on-the-spot training to healthcare employees as necessary.

Net Universe offers all Sophos devices and subscriptions, as well as consulting services, with worldwide delivery.
Send us an email to [email protected] for more information or visit https://www.netuniversecorp.com/sophos.

XG Firewall Hotfix “HF051220.1” Released – Release Notes & News – XG Firewall

Hi XG Community!

We’ve released XG Firewall hotfix “HF051220.1”.

Following the recent hotfixes that addressed the SQL injection vulnerability and forced a password reset on XG Firewall/SFOS (see KBA135412), hotfix HF051220.1 adds CLI options that let administrators adjust those changes according to the actions they have already taken:

1) You can now disable captcha for the webadmin and user portal when they are exposed on the VPN zone.

  • Captcha authentication serves as an extra security defense against scripted automated login attempts.
  • As an additional security measure, a Captcha has been added to the XG Firewall admin and user portals on the WAN and VPN zones. It is enabled for all devices running v17.x and v18.x, except for XG85/XG85w devices. Any Cyberoam device that has upgraded to the XG Firewall firmware will not implement Captcha.
  • This hotfix provides CLI configuration for the same: console> system captcha_authentication_VPN enable/disable/show
    • If the VPN is a site-to-site IPsec tunnel whose remote network is configured as “ANY”, you also need to add an IPsec route for the specific VPN host or network so that captcha can be turned off for it.
      • Example:
        1. console> system ipsec_route add host <50.50.50.1> tunnelname <mytunnel>
        2. console> system ipsec_route add net <10.10.10.0/255.255.255.0> tunnelname <mytunnel>

2) You can now turn off mandatory password reset pop-up

  • As an additional security measure related to vulnerability CVE-2020-12271, the password reset is shown only on an XG Firewall that was identified as impacted. For more information see KBA135412.
  • If you have already changed passwords since 2200 UTC on April 25, 2020, for the administrator and any users with administrator privilege, you may want to turn off this mandatory password reset.
  • This hotfix provides CLI configuration for the same: console> system mandatory_password_reset disable/show
  • All supported versions: v17.0, v17.1, v17.5 and v18 GA
  • Firmware version on XG Firewall webadmin control center will show “HF051220.1” appended. Example – “SFOS 18.0.0 GA-Build379.HF051220.1”

If you have disabled “Allow automatic installation of hotfixes”, please reference the following KBA for instructions on how to apply the required hotfix: https://community.sophos.com/kb/en-us/135415

Note: Customers managing XG Firewalls with either Sophos Firewall Manager (SFM) or Central Firewall Manager (CFM) need to verify each firewall has an active connection with firewall management to receive critical updates. These steps are not required for Sophos Central managed devices.
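
Because the hotfix only announces itself as a suffix on the firmware string shown in the control center, a fleet check comes down to parsing that string. The following Python script is an added example, not Sophos code or tooling: it audits a constructed inventory export of `hostname,firmware` lines, where the firmware value is the control-center string in the format quoted above. It treats the supported versions listed above (v17.0, v17.1, v17.5 and v18 GA) as major.minor branches, which is an assumption, and every hostname and every build number other than the quoted `Build379` is made up.

```python
"""Audit an exported XG Firewall inventory for hotfix HF051220.1.

Added example, not Sophos code. Assumes one "hostname,firmware" line per
firewall, where firmware is the control-center string in the form shown in
the hotfix notes, e.g. "SFOS 18.0.0 GA-Build379.HF051220.1".
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

HOTFIX = "HF051220.1"
# Branches the hotfix notes list as supported: v17.0, v17.1, v17.5 and v18 GA.
# Assumption: "v17.5" means any 17.5.x maintenance release.
SUPPORTED_BRANCHES = {(17, 0), (17, 1), (17, 5), (18, 0)}

# "SFOS <major>.<minor>.<patch> <release>-Build<build>" plus zero or more ".HFmmddyy.n"
VERSION_RE = re.compile(
    r"^SFOS\s+(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\s+"
    r"(?P<release>.+?)-Build\s?(?P<build>\d+)(?P<hotfixes>(?:\.HF\d+\.\d+)*)$"
)


@dataclass
class Firmware:
    major: int
    minor: int
    patch: int
    release: str
    build: int
    hotfixes: List[str] = field(default_factory=list)

    @property
    def branch(self) -> Tuple[int, int]:
        return (self.major, self.minor)


def parse_version(text: str) -> Optional[Firmware]:
    """Parse a control-center firmware string; None if it is not in the expected shape."""
    m = VERSION_RE.match(text.strip())
    if m is None:
        return None
    return Firmware(
        int(m["major"]), int(m["minor"]), int(m["patch"]), m["release"], int(m["build"]),
        re.findall(r"HF\d+\.\d+", m["hotfixes"]),
    )


@dataclass
class AuditResult:
    host: str
    firmware: str
    status: str  # "ok" | "missing" | "unsupported" | "unparsed"


def audit_line(host: str, firmware: str) -> AuditResult:
    fw = parse_version(firmware)
    if fw is None:
        return AuditResult(host, firmware, "unparsed")     # fix the export before trusting it
    if fw.branch not in SUPPORTED_BRANCHES:
        return AuditResult(host, firmware, "unsupported")  # no hotfix for this branch; plan an upgrade
    if HOTFIX in fw.hotfixes:
        return AuditResult(host, firmware, "ok")
    return AuditResult(host, firmware, "missing")          # check hotfix auto-install / SFM connectivity


def audit_inventory(csv_text: str) -> List[AuditResult]:
    """Audit every non-comment line of a "hostname,firmware" export."""
    results = []
    for line in csv_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, firmware = line.partition(",")
        results.append(audit_line(host.strip(), firmware.strip()))
    return results


def hosts_needing_action(csv_text: str) -> List[str]:
    return [r.host for r in audit_inventory(csv_text) if r.status != "ok"]


# Constructed sample export: hostnames are made up, and only Build379 on 18.0.0 GA
# is a value quoted in the hotfix notes.
SAMPLE_INVENTORY = """\
# hostname,firmware
fw-edge-01,SFOS 18.0.0 GA-Build379.HF051220.1
fw-edge-02,SFOS 18.0.0 GA-Build379
fw-branch-01,SFOS 17.5.12 MR-12-Build650.HF051220.1
fw-lab-01,SFOS 16.5.3 MR-3-Build100
fw-broken,unknown
"""

if __name__ == "__main__":
    for r in audit_inventory(SAMPLE_INVENTORY):
        print(f"{r.host:14} {r.status:12} {r.firmware}")
```

A "missing" result on a supported branch is the case the note above is about: confirm that automatic hotfix installation is enabled or that the firewall still has a live connection to SFM/CFM, then apply the hotfix manually per the KBA if it does not arrive.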

 

Stop ColdLock ransomware with Intercept X – Sophos News

A new ransomware variant dubbed “ColdLock” has emerged in Taiwan where it’s having a devastating effect on impacted organizations.

Fortunately, Sophos Intercept X gives the cold shoulder to ColdLock, blocking the attack before it can hold you hostage.

Stop ColdLock with Intercept X

ColdLock is a file-less attack. It runs from a PowerShell script that loads the ransomware code directly into memory and executes it there, without ever writing an executable file to disk.

Intercept X is packed with technologies that protect your organization from ColdLock and other ransomware variants:

  • Exploit protection stops the techniques used in file-less, malware-less, and exploit-based attacks.
  • CryptoGuard technology stops the unauthorized encryption of files by ransomware, rolling any impacted files back to their original state.
  • The deep learning engine uses cutting-edge machine learning to identify and block never-before-seen ransomware before it executes.
  • Credential theft protection stops privilege escalation, preventing attackers from moving laterally through your systems.

Plus, the built-in EDR tools give you detailed insight into what happened, so you can see where the threat got in, what it touched, and when it was blocked.
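
Since the attack described above runs from a PowerShell script that loads code into memory, the telemetry to hunt it in is PowerShell Script Block Logging (event 4104 in the Microsoft-Windows-PowerShell/Operational log), which records script content even when nothing touches disk. The script below is an added example, not Sophos code and not derived from ColdLock samples: it scores exported ScriptBlockText against indicators that are generic to in-memory PowerShell loaders and ransomware preparation, and it decodes any `-EncodedCommand` payload it finds so that the hidden layer is scored too. The page does not say which of these indicators ColdLock itself uses, the weights and alert threshold are assumptions to tune against your own baseline, and the sample script blocks are constructed.

```python
"""Score PowerShell script-block text for in-memory loader behaviour.

Added example, not Sophos code. Assumes Script Block Logging is on and the
ScriptBlockText of event 4104 records has been exported. Indicator weights
and the alert threshold are assumptions to tune against your own baseline;
the indicator list is generic and is not a ColdLock-specific signature.
"""
import base64
import re
from typing import Dict, List, Tuple

# -EncodedCommand (and its -e / -ec / -enc abbreviations) carries base64 of UTF-16LE.
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)

# (indicator name, compiled pattern, weight)
INDICATORS: List[Tuple[str, re.Pattern, int]] = [
    ("reflective_assembly_load",
     re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load\w*\(", re.I), 4),
    ("base64_decode", re.compile(r"FromBase64String\(", re.I), 2),
    ("invoke_expression", re.compile(r"\b(?:Invoke-Expression|IEX)\b", re.I), 2),
    ("encoded_command", ENC_RE, 3),
    ("download_to_memory",
     re.compile(r"\.Download(?:String|Data)\(|Invoke-WebRequest|\bIWR\b", re.I), 2),
    ("unmanaged_memory",
     re.compile(r"VirtualAlloc|WriteProcessMemory|Marshal\]::Copy", re.I), 3),
    ("amsi_tamper", re.compile(r"amsiInitFailed|AmsiScanBuffer", re.I), 5),
    ("shadow_copy_delete",
     re.compile(r"vssadmin\s+delete\s+shadows|Win32_ShadowCopy|wmic\s+shadowcopy\s+delete", re.I), 5),
]
THRESHOLD = 5  # assumption: one strong indicator, or two weaker ones, raises an alert


def decode_encoded_commands(text: str) -> List[str]:
    """Decode every -EncodedCommand payload in the text; skip anything that is not valid base64/UTF-16LE."""
    decoded = []
    for b64 in ENC_RE.findall(text):
        try:
            decoded.append(base64.b64decode(b64, validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue
    return decoded


def score_script_block(text: str) -> Tuple[int, List[str]]:
    """Return (total weight, names of indicators that matched) for one script block.

    The decoded content of any encoded command is scored as an extra layer, so a
    launcher that hides IEX or a download inside base64 still gets those hits.
    """
    weights = {name: w for name, _, w in INDICATORS}
    hits: List[str] = []
    for layer in [text] + decode_encoded_commands(text):
        for name, pattern, _ in INDICATORS:
            if name not in hits and pattern.search(layer):
                hits.append(name)
    return sum(weights[h] for h in hits), hits


def is_suspicious(text: str) -> bool:
    return score_script_block(text)[0] >= THRESHOLD


def triage(blocks: Dict[str, str]) -> Dict[str, Tuple[int, List[str]]]:
    """Score a batch keyed by ScriptBlockId and keep only the blocks over threshold."""
    return {k: score_script_block(v) for k, v in blocks.items() if is_suspicious(v)}


# Constructed sample script blocks (not real ColdLock code). The encoded launcher
# payload decodes to "IEX (New-Object", a truncated stub built for this example.
SAMPLES = {
    "benign_housekeeping": r"Get-ChildItem C:\Logs -Recurse | Where-Object { $_.Length -gt 10MB } | Remove-Item",
    "in_memory_loader": r"$b=[Convert]::FromBase64String($s);[System.Reflection.Assembly]::Load($b).EntryPoint.Invoke($null,$null)",
    "shadow_copy_wipe": r"vssadmin delete shadows /all /quiet",
    "encoded_launcher": r"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
}

if __name__ == "__main__":
    for name, (score, hits) in triage(SAMPLES).items():
        print(f"{name}: score={score} hits={hits}")
```

Event 4104 splits long scripts into several records that share a ScriptBlockId, so join the fragments by that ID before scoring; scoring each fragment alone can put the decode and the load in different records and miss the combination.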

See Intercept X in action

Try out the demo!

Log in to our fully populated demo environment to try Intercept X for yourself. No obligation, no waiting, no set up. Just a ready-to-go demo.

Sophos Mobile makes the 2020 CRN Mobile 100 List – Sophos News

The CRN Mobile 100 is the definitive list of the top mobile devices, security and device management, software, and mobile app development platform vendors in the market today.

We are delighted to announce that Sophos Mobile has been featured in the 25 coolest mobile device management and security products of the 2020 Mobile 100 list.

Bob Skelley, CEO of The Channel Company said of the recognition:

The vendors featured on CRN’s 2020 Mobile 100 list support companies with the mobility services and protection they need to compete in today’s market. On behalf of our entire team, I want to congratulate these elite companies for their commitment to bringing innovative and secure products to their customers.

The mobile and remote workforce has never been as critical as it is in 2020 – though not for the reasons one would have expected coming into the year. The arrival of the COVID-19 pandemic has led to a massive increase in remote workers and has put mobility-focused products front-and-centre for countless businesses.

With more people working remotely, the use of mobile devices for work has increased quite significantly. This brings several considerations for IT teams trying to balance security and productivity.

The container-only management capabilities in Sophos Mobile let you control corporate content in the Sophos Secure Email and Sophos Secure Workspace apps without requiring management of the mobile device itself. This is ideal for Bring Your Own Device (BYOD) scenarios when you need to protect and control business email and data without intruding on users’ privacy.

In other words, it is the perfect working from home solution!

According to a recent survey of 3,100 IT managers, 10% of all threats are discovered on mobile devices. Sophos Mobile includes Intercept X for Mobile, which protects devices against malware, network attacks and malicious web traffic. Intercept X for Mobile also includes easy-to-use security tools right at your fingertips, like the Authenticator, Password Safe, Secure QR Code Scanner, and Privacy Advisor.

Setup is as simple as downloading the app from your relevant app store and then enrolling your device via the ‘Corporate Management’ section. You can even use the app without corporate management for free to protect your personal mobile devices. Give it a go today!

See our Sophos Mobile Data Sheet and comprehensive Help Document for more information and general configuration steps for Sophos Mobile & Intercept X for Mobile.

 
