With ever increasing network congestion, having the tools to optimize your important business applications is becoming increasingly important.
In this third in a series of articles on making the most of the great new features in XG Firewall v18, we're going to focus on the tools available to you to optimize your important business application traffic using the new Xstream Network Flow FastPath and the new SD-WAN Policy Based Routing options.
Xstream FastPath Application Acceleration
In our last two articles, we covered the Xstream architecture and the new DPI engine as well as the new TLS Inspection in XG Firewall v18. The Network Flow FastPath is another key component of the new Xstream architecture and provides application acceleration for trusted traffic.
The Network Flow FastPath can direct trusted traffic that doesn't require security scanning into the fast lane through the system. This not only minimizes latency and accelerates that application traffic through the firewall, it also has the added benefit of not engaging the DPI engine and TLS inspection resources for traffic that doesn't require inspection.
This frees up those resources for traffic that actually needs it – creating added performance headroom in the process.
How it works
Initially, all traffic flows are processed by the Firewall stack and passed to the DPI engine for further identification. Once an application traffic flow is determined to be 'trusted', the Network Flow FastPath is directed to handle the packet flow directly and shuttle the packets through on the FastPath, bypassing the DPI engine.
Traffic can be accelerated onto the Network Flow FastPath in two ways:
- Automatically: If the application matches a Server Name Indication (SNI) from SophosLabs for traffic that is considered trustworthy and tamper proof such as video and audio streaming services (Netflix, Spotify, Pandora, etc.), secure updates fetched directly from within the application (from Microsoft, Apple, Adobe, Sophos, etc.) or VoIP and other streaming protocols (such as SIP, FIX, RDP, etc.)
- Policy: If there is a firewall rule associated with that specific application traffic that accelerates it onto the FastPath by not flagging it for security scanning.
You might be wondering, when would it make sense to accelerate application traffic on the FastPath, or in other words, what can be trusted? Traffic such as streaming media that is not active code-based is a perfect example of traffic that can be trusted.
Because the stream is reassembled for playback rather than executed, this traffic does not deliver files or active code to the client, which makes it an ideal candidate for FastPath acceleration. That includes the popular streaming services such as Netflix and Spotify, but also VoIP and collaboration applications such as Zoom, GoToMeeting, Skype for Business, Microsoft Teams calls, and others.
And of course, these communication and collaboration applications are among the most important in any business, which makes them ideal for FastPath acceleration.
Applications that enable users to download updates or files, are NOT good candidates for FastPath acceleration as files can obviously contain active code and be malicious. In general, in the interest of security, never create a FastPath rule for general web browsing or file sharing sites or applications.
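As an added example (not Sophos code, and not a description of how the XG DPI engine is implemented), the following Python parses the server_name extension out of a TLS ClientHello and applies a suffix allowlist the way the automatic FastPath selection described above does: a flow whose SNI is on the list goes to the fast lane, everything else (no SNI, unknown SNI, or not TLS at all) stays on the DPI path. `TRUSTED_SNI_SUFFIXES` is an assumed stand-in for the SophosLabs SNI list, and `build_client_hello()` only constructs test input.

```python
"""Added example: SNI-based FastPath eligibility for a TLS ClientHello.

Not Sophos code. TRUSTED_SNI_SUFFIXES is an assumed stand-in for the
SophosLabs list; build_client_hello() constructs test input only.
"""
import struct
from typing import Optional

# Assumed allowlist of media/VoIP domains (illustrative, not the real SophosLabs list).
TRUSTED_SNI_SUFFIXES = (
    "nflxvideo.net",   # Netflix media CDN
    "scdn.co",         # Spotify audio CDN
    "zoom.us",         # Zoom meetings
)


def parse_sni(record: bytes) -> Optional[str]:
    """Return the lower-cased server_name from a TLS record carrying a ClientHello,
    or None when the bytes are not a ClientHello or carry no SNI."""
    try:
        if record[0] != 0x16:                      # TLS record type: handshake
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                          # handshake type: ClientHello
            return None
        pos = 4 + 2 + 32                           # hs header(4) + version(2) + random(32)
        pos += 1 + hs[pos]                         # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hs[pos]                         # compression_methods
        ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            body = hs[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != 0x0000:                 # 0 = server_name extension
                continue
            list_len = struct.unpack("!H", body[:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                name_type = body[p]
                name_len = struct.unpack("!H", body[p + 1:p + 3])[0]
                name = body[p + 3:p + 3 + name_len]
                p += 3 + name_len
                if name_type == 0:                 # host_name
                    return name.decode("ascii").lower()
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def sni_is_trusted(sni: Optional[str], suffixes=TRUSTED_SNI_SUFFIXES) -> bool:
    """Match on label boundaries only: 'cdn.nflxvideo.net' matches,
    'nflxvideo.net.attacker.example' and 'notnflxvideo.net' do not."""
    if not sni:
        return False
    return any(sni == s or sni.endswith("." + s) for s in suffixes)


def classify_flow(first_bytes: bytes) -> str:
    """'fastpath' for a trusted SNI, 'dpi' for everything else."""
    return "fastpath" if sni_is_trusted(parse_sni(first_bytes)) else "dpi"


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Constructed minimal TLS 1.2-style ClientHello for testing (not a capture)."""
    ext = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        sni_body = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
        ext = struct.pack("!HH", 0, len(sni_body)) + sni_body
    body = (b"\x03\x03" + b"\x00" * 32          # version + random
            + b"\x00"                           # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite
            + b"\x01\x00"                       # null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for label, data in [("netflix cdn", build_client_hello("cdn.nflxvideo.net")),
                        ("lookalike", build_client_hello("nflxvideo.net.attacker.example")),
                        ("no sni", build_client_hello(None)),
                        ("plain http", b"GET / HTTP/1.1\r\nHost: example.com\r\n")]:
        print(f"{label:12} -> {classify_flow(data)}")
```

Two points the code makes explicit: the allowlist is matched on label boundaries, so a lookalike name that merely contains a trusted domain is not accelerated, and the decision key is a field the client itself supplies before any certificate is seen. That is why the automatic path is limited to a curated list of media and VoIP endpoints and why the advice below is to never write broad FastPath rules by hand.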
Firewall Rules in XG Firewall v18
Firewall rules in XG Firewall v18 are very similar in construction to those in previous releases, which keeps migrations simple. Sophos has also published a video with an in-depth look at firewall and NAT rule configuration in XG Firewall v18.
We will cover NAT rules in a future article in this series but today, let's review how to create a firewall rule to accelerate trusted traffic on the FastPath. It couldn't be more straightforward and intuitive: simply identify the destination application networks (FQDNs) or services…
Then select 'None' for Security Features and leave every security check box unselected. A rule with no security features attached tells the firewall that the flow needs no scanning, so it is accelerated on the FastPath rather than redirected through the DPI engine.
Finally, confirm that FastPath acceleration is enabled under Advanced threat > Advanced threat protection (it should be enabled by default). That's all there is to it.
Application SD-WAN Policy Based Routing
Another new and improved capability in XG Firewall v18 is SD-WAN Policy Based Routing (PBR). Just as you want your important business application's path through the firewall optimized and accelerated on the FastPath, you may also want to ensure your application's path to the cloud or a branch office is similarly optimized. That's where SD-WAN PBR comes in.
XG Firewall v18 adds user, group, and application-based traffic selection criteria to XG Firewall's SD-WAN routing configuration. This allows you to route important business application traffic out a preferred ISP WAN link or a branch office VPN connection while less important traffic utilizes a different route.
Sophos has also published a video overview of the new SD-WAN PBR capabilities in XG Firewall v18 for application optimization and SD-WAN routing.
Synchronized SD-WAN
XG Firewall v18 has evolved SD-WAN further with the introduction of Synchronized SD-WAN, a new Sophos Synchronized Security feature that offers additional benefits with SD-WAN application routing. Synchronized SD-WAN leverages the added clarity and reliability of application identification that comes with the sharing of Synchronized Application Control information between Sophos-managed endpoints and XG Firewall.
Because the endpoint reports which process owns each connection, Synchronized Application Control can identify applications that network signatures alone cannot, including evasive, encrypted, obscure, and custom applications, and these previously unidentified applications can now be added to SD-WAN routing policies. This provides a level of application routing control and reliability that firewalls without an endpoint link can't match.
Sophos has published further resources to help you make the most of the new features in XG Firewall v18, including application FastPath acceleration and SD-WAN Policy Routing.
If you're new to Sophos XG Firewall, learn more about the great benefits and features XG Firewall can deliver to your network.
A recent incident with a new Sophos Managed Threat Response (MTR) customer has raised questions about the Mount Locker ransomware group and the relationship it has with Astro Locker Team.
A ransomware detection for Mount Locker kicked the MTR team into gear and what they found was surprising. The first detection made it clear what the team was dealing with: rundll32 executing locker_64.dll – Mount Locker ransomware.
MTR moved quickly to stop the attack on unsecured devices and ensure the ransomware group was banished from the organization's network. Throughout the incident all evidence – from the tactics, techniques, and procedures (TTPs) used, to the files involved, and even the ransom note left behind – pointed to this being the work of the Mount Locker group.
However, something odd happened when the investigators followed the link included in the ransom note. Upon following the TOR link, MTR investigators were presented with a chat directly with the 'support' team for the ransomware who introduced themselves as the 'AstroLocker Team' and also the 'Astro Locker Team.'
Following up on this new lead, an MTR expert found the Astro Locker leak site and, while there was no listing there for the impacted organization of this case, other interesting links surfaced.
When comparing the Astro Locker leak site to the Mount Locker leak site, investigators noted that all five of the organizations listed on the Astro Locker site were also listed as victims on the Mount Locker site. Digging in further, the size of the data leaks on all five matched and shared some of the same links to the leaked data.
Looking at the matching links more closely, Sophos experts noticed one last connection: some of the leaked data linked on the Mount Locker site was being hosted on the Astro Locker onion site: http[:]//anewset****.onion
While it is unclear what the relationship is between Mount Locker and Astro Locker, defenders should consider both when dealing with a ransomware attack.
'In recent incidents where Sophos experts investigated and neutralized an active Mount Locker attack, we noticed various techniques that suggest these attackers are not as sophisticated as other ransomware groups like Ryuk, REvil and DoppelPaymer,' Peter Mackenzie, manager of Sophos' Rapid Response team said. 'It is possible that the Mount Locker group wants to rebrand themselves to create a new and more professional image, or it could be an attempt to kickstart a true ransomware-as-a-service program. Regardless, if any organizations become a victim of ‘Astro Locker' in the future, they should investigate the TTPs of both Mount Locker and Astro Locker.'
Ransomware relationships and branding
It is known that Ragnar Locker is affiliated with Mount Locker in some way but doesn't appear to be part of the Mount Locker ransomware-as-a-service (RaaS). Although Ragnar is the more skilled ransomware group and the two groups don't overlap in TTPs or malware, Mackenzie said it was possible there were 'back end' services being shared, including access to target networks.
The connection between Mount Locker and Astro Locker is clearer: both use the Mount Locker ransomware and the same ransom note, and they share TTPs such as using Windows services to execute commands and batch scripts, creating scheduled tasks named 'updater' and 'regsvr32', and hiding some of their files in the same location, C:\Users\Music.
Astro Locker:
- Service Name: PrpOJqmErkoJtAAg (random 16-character string)
- Service File Name: %COMSPEC% /C echo whoami ^> %SYSTEMDRIVE%\WINDOWS\Temp\FaUocMGJjmCAbJMr.txt > \WINDOWS\Temp\uxvbnnSkrkOMnsJg.bat & %COMSPEC% /C start %COMSPEC% /C
- Scheduled Task Name: updater
- Action: regsvr32.exe /i C:\Program Files\Google\Drive\wininit64.dll
Mount Locker:
- Service Name: xGGXJTFBQlzNTVTT
- Service File Name: %COMSPEC% /C echo whoami ^> %SYSTEMDRIVE%\WINDOWS\Temp\pkLneFsUyHywlUwZ.txt > \WINDOWS\Temp\sloKuaTCIYlTTPwM.bat & %COMSPEC% /C start %COMSPEC% /C \WINDOWS\Temp\sloKuaTCIYlTTPwM.bat
- Scheduled Task Name: updater
- Action: C:\Users\AppData\Local\Google\Chrome\User Data\FileTypePolicies\archs64.dll
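The two IOC sets above (Astro Locker and Mount Locker) share one shape: a service with a random 16-letter name whose ImagePath uses %COMSPEC% to write and launch a .bat, and a scheduled task named 'updater' that loads a DLL from a user or program directory, either through regsvr32 /i or as a bare DLL path. The following Python is an added hunting example, not Sophos code: it runs that logic over constructed records that mirror the page's IOCs plus two benign controls. The (event_id, name, command) layout is an assumption standing in for Windows System 7045 and Security 4698 fields; the benign control entries are made up for contrast.

```python
"""Added example: hunt for the service/scheduled-task pattern shared by the
Mount Locker and Astro Locker cases above. Not Sophos code. The record tuples
are constructed to mirror the IOCs on this page; the field layout
(event_id, name, command) is an assumption, not a Windows event schema.
"""
import math
import re
from collections import Counter

# Constructed records: System 7045 (service installed) and Security 4698
# (scheduled task created), reduced to (event_id, name, command).
RECORDS = [
    (7045, "PrpOJqmErkoJtAAg",
     r"%COMSPEC% /C echo whoami ^> %SYSTEMDRIVE%\WINDOWS\Temp\FaUocMGJjmCAbJMr.txt"
     r" > \WINDOWS\Temp\uxvbnnSkrkOMnsJg.bat & %COMSPEC% /C start %COMSPEC% /C"
     r" \WINDOWS\Temp\uxvbnnSkrkOMnsJg.bat"),
    (4698, "updater", r"regsvr32.exe /i C:\Program Files\Google\Drive\wininit64.dll"),
    (4698, "updater",
     r"C:\Users\AppData\Local\Google\Chrome\User Data\FileTypePolicies\archs64.dll"),
    # Benign controls (constructed, not real telemetry).
    (7045, "Sophos Endpoint Defense Service",
     r"C:\Program Files\Sophos\Endpoint Defense\SEDService.exe"),
    (4698, "OneDrive Standalone Update Task",
     r"%LOCALAPPDATA%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"),
]

RANDOM_SERVICE_NAME = re.compile(r"^[A-Za-z]{16}$")   # both cases: 16 mixed-case letters
SUSPICIOUS_TASK_NAMES = {"updater", "regsvr32"}       # task names seen in both cases
BATCH_DROPPER = re.compile(r"%COMSPEC%.*\becho\b.*>\s*\S+\.bat.*\bstart\b", re.I)
DLL_LOADER = re.compile(r"\b(regsvr32|rundll32)(\.exe)?\b", re.I)
DLL_PATH = re.compile(r'((?:[A-Za-z]:\\|%[A-Za-z_]+%\\)[^"]*?\.dll)', re.I)
SYSTEM_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def shannon_entropy(s: str) -> float:
    """Bits per character; random 16-letter names score well above dictionary words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_random_service_name(name: str) -> bool:
    """Heuristic only: 16 letters with high entropy. Corroborate with the ImagePath."""
    return bool(RANDOM_SERVICE_NAME.match(name)) and shannon_entropy(name) > 3.0


def dll_outside_system_dirs(command: str):
    """Return the first DLL path in the command unless it sits under System32/SysWOW64."""
    m = DLL_PATH.search(command)
    if m and not m.group(1).lower().startswith(SYSTEM_DLL_DIRS):
        return m.group(1)
    return None


def analyze(record):
    """Return the list of reasons a record matches the Mount/Astro Locker pattern."""
    event_id, name, command = record
    reasons = []
    if event_id == 7045:
        if looks_random_service_name(name):
            reasons.append("random 16-letter service name")
        if BATCH_DROPPER.search(command):
            reasons.append("service ImagePath writes a .bat via %COMSPEC% and starts it")
    elif event_id == 4698:
        if name.lower() in SUSPICIOUS_TASK_NAMES:
            reasons.append(f"task name '{name}' matches the cases above")
        dll = dll_outside_system_dirs(command)
        if dll and DLL_LOADER.search(command):
            reasons.append(f"regsvr32/rundll32 loads a DLL outside System32: {dll}")
        elif dll:
            reasons.append(f"task action is a bare DLL path outside System32: {dll}")
    return reasons


def hunt(records):
    """(event_id, name, reasons) for every record with at least one reason."""
    hits = []
    for record in records:
        reasons = analyze(record)
        if reasons:
            hits.append((record[0], record[1], reasons))
    return hits


if __name__ == "__main__":
    for event_id, name, reasons in hunt(RECORDS):
        print(f"[{event_id}] {name}: " + "; ".join(reasons))
```

Each hit carries more than one reason on purpose: a random service name or a regsvr32 task on its own is weak evidence, but a random-named service whose ImagePath drops and starts a batch file, followed by an 'updater' task loading a DLL from a Google Drive or Chrome profile folder, is the sequence both cases above show. When the same logic is pointed at real telemetry, the 7045 ImagePath and the 4698 task XML are the fields to feed it.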
'A few outside sources have noticed the connection between Mount Locker and Astro Locker and suggested it may be a close affiliate relationship. Mount Locker has been reported to be running a RaaS, but it has never been clear how many affiliates were in the program,' said Mackenzie. 'Astro Locker, as a significant branded group to be part of a Mount Locker RaaS, could imply Mount Locker is attempting to speed up a transition to becoming a RaaS, or it could even be that the Mount Locker group is using the Astro name to pretend they have a big new affiliate.
'Branding is a powerful force for ransomware groups,' Mackenzie added. 'Good branding can come from a single threat group being skilled at hitting high value targets and avoiding detection – such as DoppelPaymer – or by running a successful RaaS network – like Sodinokibi or Egregor. Powerful branding with ransomware groups can strike fear in targets and lead to a higher likelihood of payouts.
'Mount Locker has proven itself as a less sophisticated ransomware group, so a pivot to an affiliate program might be a way to create a new brand and move up the hierarchy of threat groups.'
IOCs
Mount Locker/Astro Locker ransomware, on its own, is unable to bypass the CryptoGuard feature of Sophos Intercept X. Sophos endpoint products may detect components under one or more of the following definitions: Troj/Ransom-GFR and Malware/Generic-S. Network protection products such as the Sophos XG Firewall can also block the malicious C2 addresses to prevent the malware from retrieving its payloads and completing the infection process.
IoCs relating to these threats can be found on the SophosLabs Github.
Special thanks to John Carlo Adriano, Colin Cowie, Blake Bowdoin, Jordon Carpenter, and Peter Mackenzie for their efforts in detecting, investigating, and responding to these threats.