RTF exploits in the wild

SonicWall Threat Research Lab is seeing a huge volume of RTF exploits with embedded OLE objects exploiting the Microsoft vulnerabilities CVE-2017-11882 and CVE-2017-0199. CVE-2017-11882 is caused by incorrect handling of embedded Equation Editor OLE objects in Office documents, and CVE-2017-0199 by incorrect parsing of embedded OLE2Link objects. Successful exploitation of either can lead to arbitrary code execution in the context of the host.

Infection cycle:

The attack starts with a phishing campaign sent to the target user, either with an attachment or with a link to a compromised website hosting the malicious document. The malicious document can be either a Word or a PDF file with an embedded Rich Text Format (.rtf) file. When the main document is opened, the embedded .rtf file, which actually exploits the vulnerabilities mentioned above, is extracted and executed. Once the .rtf file has finished exploiting the vulnerability, control returns to the attacker-specified address where the shellcode resides. The shellcode then downloads the payload from a remote server and executes it on the compromised machine. We see many variants of the final payload delivered through these exploits; upon execution they create a reverse shell and give the attacker control over the host.
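As an added example (not SonicWall's code, and not part of the original post), the following Python scanner shows how a defender can triage an RTF attachment for the two object types described above before it ever reaches Word. It hex-decodes every \objdata payload, reads the class name from the OLE 1.0 object header, and flags the Equation Editor class (Equation.3) and the OLE2Link class, plus the \objupdate control word that makes Word refresh a linked object on open. The fixture RTF documents built by make_rtf are constructed for the demonstration and carry no exploit content.

```python
from __future__ import annotations
import re
import struct

# Class names as they appear in the OLE 1.0 header inside \objdata.
SUSPICIOUS_CLASSES = {
    b"Equation.3": "Equation Editor object (CVE-2017-11882)",
    b"OLE2Link": "OLE2Link object (CVE-2017-0199)",
}

# \objdata is followed by hex-encoded object data; whitespace may appear between digits.
OBJDATA_RE = re.compile(rb"\\objdata\b\s*([0-9A-Fa-f\s]*)")
NON_HEX_RE = re.compile(rb"[^0-9A-Fa-f]")


def objdata_blobs(rtf: bytes) -> list[bytes]:
    """Hex-decode every \\objdata payload, in document order."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = NON_HEX_RE.sub(b"", m.group(1))
        if len(hexdata) % 2:          # tolerate a stray trailing nibble
            hexdata = hexdata[:-1]
        if hexdata:
            blobs.append(bytes.fromhex(hexdata.decode("ascii")))
    return blobs


def ole1_class_name(blob: bytes) -> bytes | None:
    """Read the class name from an OLE 1.0 object header: OLEVersion (4 bytes),
    FormatID (4 bytes; 1 = linked, 2 = embedded), then a length-prefixed,
    NUL-terminated ANSI class name."""
    if len(blob) < 12:
        return None
    _version, format_id, name_len = struct.unpack_from("<III", blob, 0)
    if format_id not in (1, 2) or not 0 < name_len <= 256:
        return None
    return blob[12:12 + name_len].rstrip(b"\x00") or None


def scan_rtf(rtf: bytes) -> dict:
    """Return the suspicious objects found plus an overall verdict."""
    findings = []
    for index, blob in enumerate(objdata_blobs(rtf)):
        cls = ole1_class_name(blob)
        # Match on the parsed header first, then on a raw substring so that a
        # mangled header still gets flagged.
        reasons = [label for needle, label in SUSPICIOUS_CLASSES.items()
                   if needle == cls or needle in blob]
        if reasons:
            findings.append({"object": index,
                             "class": cls.decode("ascii", "replace") if cls else None,
                             "reasons": reasons})
    auto_update = b"\\objupdate" in rtf   # object refreshed on open, no user click needed
    return {"findings": findings,
            "objupdate": auto_update,
            "suspicious": bool(findings) or auto_update}


def make_ole1_object(class_name: bytes, payload: bytes) -> bytes:
    """Constructed fixture: a minimal OLE 1.0 embedded-object header (OLEVersion,
    FormatID=2, class name, empty topic/item names, native data). No exploit content."""
    name = class_name + b"\x00"
    return (struct.pack("<III", 0x00000501, 2, len(name)) + name
            + struct.pack("<II", 0, 0)
            + struct.pack("<I", len(payload)) + payload)


def make_rtf(objects: list[bytes], auto_update: bool = False) -> bytes:
    """Constructed RTF wrapper around the given object blobs."""
    update = b"\\objupdate" if auto_update else b""
    body = b"".join(b"{\\object\\objemb" + update + b"{\\*\\objdata "
                    + blob.hex().encode("ascii") + b"}}" for blob in objects)
    return b"{\\rtf1\\ansi" + body + b"}"


if __name__ == "__main__":
    samples = [
        ("benign Package object", make_rtf([make_ole1_object(b"Package", b"hello")])),
        ("Equation.3 object", make_rtf([make_ole1_object(b"Equation.3", b"\x00" * 16)])),
        ("auto-updating OLE2Link", make_rtf([make_ole1_object(b"OLE2Link", b"")], auto_update=True)),
    ]
    for label, doc in samples:
        print(label, "->", scan_rtf(doc))
```

The hex regex only handles plain \objdata blocks; real samples often interleave control words or split the hex across groups to evade exactly this kind of check, so a production scanner should tokenize the RTF properly (the rtfobj tool from oletools does this) rather than rely on the simple pattern used here.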

 

Trend Graph:

The trend line below shows how this attack is being used in the wild today:

 

Prevalence Map:

This can be mitigated by keeping software up to date with all security patches. Enable Protected View for Office documents and do not allow editing of RTF files. Review carefully before editing or doing anything that requires Protected View to be disabled.

SonicWALL Threat Research Lab provides protection against this threat via the following signatures:

  • GAV: 23807  CVE2017-11882.BJ_2
  • SPY: 5164 Malformed-File pdf.MP.316

Xorist Ransomware Created From Free Construction Kit

The SonicWall Capture Labs Threats Research team has recently been tracking malware derived from ransomware construction kits. Xorist is one such ransomware: a kit is provided, and an attacker can configure various features such as the message text, the file extension of encrypted files, the encryption algorithm, the unlock password, etc. The attackers charge 0.8 BTC (around $4,953 USD at the time of writing) for file recovery.

Infection Cycle:

Upon infection, the Trojan encrypts files on the system and appends the following file extension to their filenames:

  • PAY_IN_MAXIM_24_HOURS_OR_ALL_YOUR_FILES_WILL_BE_PERMANENTLY_DELETED_PLEASE_BE_REZONABLE _you_have_only_1_single_chance_YOU_NEED_TO_PURCHASE_THE_DECRYPTOR_FROM_US_FAST_AND_URGENT

It places the following file in every directory containing encrypted files:

  • HOW TO DECRYPT FILES.txt

HOW TO DECRYPT FILES.txt contains the following message:

We were able to obtain a copy of the construction kit.  Ironically we also obtained a copy that was infected with the very same ransomware.  The user interface contains various customization options:

Configuration options include:

    • File extensions to target for encryption
    • File extension text to append to encrypted files
    • Decryption password
    • Wallpaper to show on desktop background
    • Icon for the malware executable file
    • Autorun at startup
    • Encryption algorithm to use (XOR/TEA)
    • Ransom note text
    • File recovery password attempts
    • UPX file packing

The bitcoin address (3KxEZKjS4ifAHhX2o1fq9tERkAshSgA4hg) appears to have collected some funds from prior victims:

We reached out to repair_data@scryptmail.com and received the following reply. Although 0.8 BTC is stated in the ransom note, the file recovery fee appears to be negotiable. The deadline, however, is tight:

Sonicwall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Xorist.RSM_3 (Trojan)
  • GAV: Xorist.RSM_4 (Trojan)
  • GAV: Xorist.EJ_4 (Trojan)

Cyber Security News & Trends – 06-22-18

Each week, SonicWall collects the cyber security industry’s most compelling, trending and important interviews, media and news stories — just for you.


SonicWall Spotlight

Cloud Encryption Market: Security to Remain Primary Factor for Adoption of Cloud Encryption — Tech You n Me

  • This article reviews the cloud encryption market and how key players like SonicWall are releasing innovative new products, like the company’s range of cloud security products that includes the SonicWall Cloud Analytics application for deep security data analysis and automated breach detection.

Sophos XG vs SonicWall NS: Top NGFWs Compared — eSecurity Planet

  • In an article detailing the strengths and weaknesses of top vendor next-generation firewalls (NGFWs), the SonicWall NSA is featured in comparison to the Sophos XG.

Cyber Security News

How a Few People Took Equifax to Small Claims Court Over Its Data Breach and Won — The New York Times

  • After 145 million Americans’ financial information was exposed last year, some of them won cases against the credit reporting agency in local courts.

Script Kiddie Goes From ‘Bitcoin Baron’ to ‘Lockup Lodger’ After DDoSing 911 Systems — The Register

  • Randall Charles Tucker was given a 20-month sentence Tuesday after pleading guilty earlier this year to one count of felony intentional damage to a protected computer. He had faced as many as 41 months.

New Phishing Scam Reels In Netflix Users To TLS-Certified Sites — Threat Post

  • Researchers are warning of a new Netflix phishing scam that leads victims to sites with valid Transport Layer Security (TLS) certificates.

Korean Cryptocurrency Exchange Bithumb Loses More Than $30 Million in Hack — The Wall Street Journal

  • Seoul-based bitcoin exchange Bithumb said Wednesday it had lost over $30 million as the result of being hacked, the second cyberattack in two weeks to hit a major South Korean cryptocurrency exchange as safety concerns hamper the industry and weigh on prices.

This New Windows Malware Wants to Add Your PC to a Botnet – or Worse — ZDNet

  • Dubbed Mylobot after a researcher’s pet dog, the origins of the malware and its delivery method are currently unknown, but it appears to have a connection to Locky ransomware – one of last year’s most prolific forms of malware.

China-Based Hackers Breached Satellite, Defense Firms: Study — The Hill

  • China-based hackers infiltrated satellite operators, defense contractors and telecommunications companies in the U.S. and southeast Asia, according to researchers at Symantec Corp.

In Case You Missed It

Should I Become an MSSP? 13 Considerations from MSP Expo

With the cyber security skills gap being a point of contention for closing in on five years now, the managed security services provider (MSSP) industry has responded in kind.

In fact, Gartner predicted that 40 percent of all managed security services contracts will be bundled with other security services and IT outsourcing projects by 2020.

But the fact is, not every IT vendor, distributor or value-added reseller (VAR) is cut out to be an MSSP. For each MSSP that truly adds value in protecting their customers, there are others that fall short of what the cyber security industry — and prospective customers — requires.

I recently attended the MSP Expo in Las Vegas, Nev., to participate on an engaging panel of cyber security experts, including Guy Cunningham, VP of Channel Sales and Alliances at EventTracker; Jonathan Morgan, Director of Security Operations and Development at Area 1 Security; and DV Dronamraju, Managing Director at InfoSecEnforcer.com.

While we were able to collectively field and discuss many of the day’s top questions, I felt it prudent to republish these topics to help a broader audience of existing and future MSSPs.

What should business customers be most concerned about relative to cybersecurity, and why?

It’s a rapidly changing threat landscape. For instance, we are seeing crypto-jacking this year as a new cyber threat. And while ransomware volume was somewhat down in 2017, new threat intelligence already shows a massive 299 percent year-to-date increase in 2018. So, the landscape continues to be agile and cybercriminals are diligent in seeking out new ways to impact organizations.

What can MSPs do to protect their customers from cyberattacks?

It’s important to consistently employ basic best practices: patching, updates, segmentation, etc. For MSP/MSSPs, the reality is that customers need help with this. So, developing services that take care of the basics is a great place to start. From there, you can scale your services and offerings to enhance their security postures.

Phishing is the root cause of data breaches and financial losses. How do anti-phishing solutions work?

They’re valuable in a variety of ways, but most email security solutions revolve around maturing the hygiene capabilities of corporate email platforms. Whether deployed on-premise or in the cloud, email security should automatically protect inboxes against links and attachments that are commonly used in phishing attacks.

More advanced offerings will use URL filtering and integrate with cloud sandboxes to protect against known and unknown malware attacks. So, I believe strongly that we need to work to get advanced email security solutions more widely adopted in the market. Hygiene solutions, which most people think of when they hear security, just aren’t good enough anymore.

What kind of margins do email security solutions offer for MSSPs?

While there are many variables in play here, an MSSP could expect a margin of 10-15 percent for an email security product, or 30-50 percent margins if you provide email security as a service.

Since more than 89 percent of breaches have a financial or espionage motive, how are companies supposed to protect their intellectual property?

At a basic level, organizations should map their data so they know what’s most valuable and requires the most security. Depending on what’s being protected, consider using industry compliance guidelines (e.g., PCI, HIPAA, GDPR, etc.) as a baseline, but understand that compliance does not equal automatic security.

From there, layered strategies should include everything from network security firewalls, endpoint protection, secure email and even protection for remote access workers.

What do Security Information and Event Management (SIEM) solutions do, and why are they important? Aren’t they expensive to buy and difficult to operate?

Anybody who has ever used a SIEM will tell you, much like many cyber security tools, it will depend on the investment — time, staff, technology and resources – you put into it.

At the core, SIEMs help organizations correlate event logs (e.g., endpoint protection,  threat intelligence, user information, etc.) to search for patterns based on defined rules. They then provide a correlated output that flags potential risks or threats. They are extremely powerful and give organizations the ability to tune and customize rules for their specific environment(s).

But you have to know what you’re doing. And you have to have strong security engineers to get the most out of a SIEM.

Operationally, some MSSPs leverage a centralized SIEM model (i.e., all customer data flows through a single SIEM), where other MSSPs rely on a decentralized model that leverages whatever SIEM each customer already has in place. In both MSSPs and enterprises, SIEMs are typically used by Tier 1 security operations center (SOC) analysts to monitor alerts and identify events in real time.
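To make the "correlate event logs against defined rules" idea concrete, here is an added example (not SonicWall's code, and not part of the original article) of the smallest useful correlation pass: two rules run over a handful of constructed SSH authentication lines. One rule enriches events against a (constructed) threat-intelligence indicator list; the other raises an alert when a source produces at least N failed logins inside a sliding window and then succeeds. The threshold and window arguments are exactly the knobs an analyst tunes per environment.

```python
from __future__ import annotations
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (RFC 5737 documentation addresses, not real data).
SAMPLE_LOGS = """\
2018-06-20T10:00:01Z auth sshd: Failed password for admin from 203.0.113.7
2018-06-20T10:00:03Z auth sshd: Failed password for admin from 203.0.113.7
2018-06-20T10:00:04Z auth sshd: Failed password for root from 203.0.113.7
2018-06-20T10:00:06Z auth sshd: Failed password for admin from 203.0.113.7
2018-06-20T10:00:07Z auth sshd: Failed password for admin from 203.0.113.7
2018-06-20T10:00:09Z auth sshd: Accepted password for admin from 203.0.113.7
2018-06-20T10:05:00Z auth sshd: Failed password for bob from 198.51.100.2
2018-06-20T10:30:00Z auth sshd: Accepted password for bob from 198.51.100.2
"""

# Constructed indicator list standing in for a threat-intelligence feed.
THREAT_INTEL = {"198.51.100.2"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth sshd: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$")


def parse_line(line: str) -> dict | None:
    """Normalize one raw line into an event, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "outcome": m["outcome"], "user": m["user"], "src": m["src"]}


def correlate(lines, threshold: int = 5,
              window: timedelta = timedelta(seconds=60)) -> list[dict]:
    """Run both rules over the lines in order and return the alerts raised."""
    alerts = []
    recent_failures = defaultdict(deque)   # src -> failure timestamps inside the window
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                       # unparsed lines are skipped here; a real SIEM would count them
        # Rule 1: enrichment against the indicator list, fires on any event.
        if ev["src"] in THREAT_INTEL:
            alerts.append({"rule": "threat_intel_match", "src": ev["src"],
                           "user": ev["user"], "ts": ev["ts"]})
        # Rule 2: sliding-window brute force followed by a success.
        q = recent_failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()                    # expire failures older than the window
        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
        elif len(q) >= threshold:
            alerts.append({"rule": "brute_force_then_success", "src": ev["src"],
                           "user": ev["user"], "failures": len(q), "ts": ev["ts"]})
            q.clear()                      # do not re-alert on the same burst
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS.splitlines()):
        print(alert)
```

On the sample data this yields one brute_force_then_success alert for 203.0.113.7 (five failures in eight seconds, then a successful admin login) and two threat_intel_match alerts for 198.51.100.2; raising the threshold to six suppresses the brute-force alert, which is the kind of tuning decision the text says every SIEM deployment ends up making.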

How can MSSPs use artificial intelligence and automation to detect threats, trigger alerts, troubleshoot and address security situations?

The reality is that building your own artificial intelligence (AI) capabilities is probably not realistic unless you are a very, very large MSSP. So, ideally, you want to rely on the AI already built into security products to help you identify and block cyberattacks to protect customers.

For example, SonicWall engineered very smart AI that we integrate into the real-time engines that power our Capture Advanced Threat Protection (ATP) sandbox capabilities. This can allow you to leverage AI without the overhead and complexity of building it yourself.  Then you can use an intelligent SIEM to help make sense of the logs and alerts.

Finding and/or developing cyber security talent can be a challenge. There seems to be a constant shortage of affordable, qualified cyber security practitioners. What do MSPs need in terms of technical, sales and support talent?

The key here is retaining the talent that you train. Companies like SonicWall provide entire platforms to train people — both internal staff and partners — on cyber security best practices, products and emerging threat trends. We call it SonicWall University. Our SecureFirst partners can leverage this platform to train their employees, significantly improving value for their customers. It’s best to consistently use engaging tools to train people and then build a culture that makes them want to stay.

How can MSPs provide enhanced security without adding complexity and overhead?

In a way, MSSPs are supposed to take away the complexity and overhead. We talk a lot today about getting the basics right and the transition from MSP to MSSP. Complex, enterprise-class MSSPs have lots of money, but if you are making the transition from MSP, start with taking the burden of the basics off the customer.

Make sure security devices are installed correctly, patched and have good policies. Make sure good endpoint security is deployed and managed. Provide useful reporting so customers know how well they’re doing. Removing the complexity from the customers is absolutely critical to success.

How does compliance figure in to being an MSSP?

This is massively important. A lot of mid-market MSSPs focus almost exclusively on a vertical. We see healthcare-focused MSSP or others targeting financial services (e.g., PCI). Compliance regulations drive need, so focusing on a vertical is definitely an option — particularly for MSSPs that can’t quite scale to solve all security challenges across an untold number of industries.

But especially if you are just starting in the MSSP space, trying to solve all compliance needs is a tough challenge. So, pick your spots when it comes to compliance.

How can MSSPs protect themselves from financial ruin and lost reputation if their customers do experience an outage or breach?

Good question. But the short answer is you have to indemnify yourself. And also have some level of insurance. And make sure your service-level agreements (SLA) make sense.

What kind of security guarantees/SLAs should an MSSP offer?

This is a very broad topic and also very dependent on the services being offered. The key for the market is that you are selling to match up the SLAs in a way you know you can hit. Take response times for rule changes, for example. You can’t promise you’ll have them done in 30 minutes, 24/7, if you don’t have people on staff around the clock.

How can MSSPs differentiate their security offerings in the marketplace?

We touched on this a bit with the challenge of removing complexity for the customer. Strive to make the entire experience transparent and frictionless.

One of my SonicWall colleagues, Conrad Bell, actually penned an outstanding strategy, “Inside the Modern MSSP,” for MSSP Alert. It outlines how proactive MSSPs are adopting bundled, end-to-end approaches for simplifying cyber security for their customers.


Become a SonicWall MSSP Partner

Are you interested in expanding your security offerings? SonicWall offers the dedicated SecureFirst MSSP Partner Program to help you expand your portfolio to include a full range of flexible managed security services built on SonicWall’s robust security platform.

The SonicWall SecureFirst MSSP program offers training, enablement, support and financial benefits designed to help SecureFirst Partners grow their managed security business.

Build your MSSP offerings by implementing SonicWall MSS blueprints, or work with SonicWall to create customized MSS offerings leveraging your existing managed services expertise.

Cyber Security News & Trends

Each week, SonicWall collects the cyber security industry’s most compelling, trending and important interviews, media and news stories — just for you.


SonicWall Spotlight

CEO Spotlight: Bill Conner, SonicWall — 1080 KRLD Radio

  • Bill Conner and David Johnson sit down and discuss SonicWall’s momentum, attack vectors threatening business and what’s happening in cybersecurity today on David’s CEO Spotlight radio segment.

Brightstar is the first SonicWall MSSP in India — CRN.in

  • The recent SonicWall and Brightstar India partnership news continues to garner coverage featuring the launch of Security as a Service (SeCaaS) in the region.

“Digital Infrastructure Is Critical In Transforming a City and Creating a Sustainable Smart Ecosystem” — BWSmart Cities

  • SonicWall’s Debasish Mukherjee, Country Manager India & SAARC, explains how crucial digital infrastructure is in transforming the cities of the future and how the role of new-age trends — like IoT, cloud and machine learning — drive the growth of the network security market.

Cyber Security News

Intel Chip Flaw: Math Unit May Spill Crypto Secrets to Apps – Modern Linux, Windows, BSDs Immune — The Register

  • A security flaw within Intel Core and Xeon processors can be potentially exploited to swipe sensitive data from the chips’ math processing units.

U.S. Warns World Cup Attendees of Russian Hacking Risks — The Washington Times

  • World Cup attendees risk having their personal data compromised by hackers, state-sponsored or otherwise, the head of the U.S. National Counterintelligence and Security Center warned ahead of the annual soccer tournament starting in Russia this week.

Luckymouse Threat Group Strikes National Data Center to Exploit Government Website — ZDNet

  • Researchers say the Chinese threat actors behind the campaign aimed to compromise government resources.

UK Watchdog Issues $330K Fine for Yahoo’s 2014 Data Breach — Tech Crunch

  • Another fallout from the massive Yahoo data breach that dates back to 2014: The UK’s data watchdog issued a £250,000 (about $334,000 USD) penalty for violations of the Data Protection Act 1998.

FBI Announces Arrest of 74 Email Fraudsters — ZDNet

  • Police have carried out a worldwide wave of arrests that have seen 74 people detained and over $16 million in purloined funds seized by suspected whalers or business email compromise (BEC) fraudsters.

Hackers Target Payment Transfer System at Chile’s Biggest Bank, ‘Take $10M’ — The Register

  • Banco de Chile has become the latest victim in a string of cyberattacks targeting the payment transfer systems of banks. Hackers reportedly used a variant of the complex KillDisk wiper malware to distract attention before targeting systems linked to the SWIFT inter-bank transfer network.

In Case You Missed It

How to Evaluate & Compare Antivirus Solutions

When evaluating a change in how you secure your network, you need to look beyond the upper-right quadrant.

It is easy to run to analyst graphs and pick a few cyber security solutions that etch closest to the top right. But is that the right path of exploration for your organization? Did these evaluations consider the factors most important to you and your security objectives?

Comparing endpoint protection platforms (EPP), commonly referred to as antivirus (AV) solutions, is no different. For example, SonicWall Capture Client features an antivirus engine (powered by SentinelOne) that scores very high in NSS Labs 2018 results. But there is always more to consider.

So, how do you decide who and what to evaluate? Outside of a good balance between detection versus false positives, organizations should consider:

  • Costs
  • Built-in synergies with other security services and appliances
  • Ability to stop cyberattacks before they execute
  • Inspection of encrypted traffic
  • Ease of remediation

To complement NSS Labs research, SonicWall is providing exclusive access to the Gartner paper, “Understand the Relative Importance of AV Testing in EPP Product Selection.” This resource will help guide your organization as you sift through the benefits, capabilities and performance of top endpoint protection and antivirus solutions.

Within the paper, Gartner breaks down the concepts of advanced endpoint protection into four core components:

  1. Prevention
  2. Detection
  3. Response
  4. Prediction

To learn more, download the full Gartner report, “Understand the Relative Importance of AV Testing in EPP Product Selection.”

Get the Complete Gartner Paper

Deciding on the endpoint solution that’s right for your organization is a complex undertaking. To help guide your path, download the exclusive Gartner paper, “Understand the Relative Importance of AV Testing in EPP Product Selection,” compliments of SonicWall.

Get the Report

May 2018: Cyberattack Volume Continues to Rise, Ransomware Attempts Jump 299 Percent

The very latest cyber threat intelligence for May 2018 shows increases in a number of attack areas, particularly when compared against 2017 cyber threat data. Through May 2018, SonicWall Capture Labs threat researchers have recorded:

Global Cyberattacks — May 2018

  • 2 million malware attacks (64 percent year-over-year increase)
  • 9 million ransomware attacks (78 percent year-over-year increase)
  • 238,828 encrypted threats (142 percent year-over-year increase)

Global Cyberattacks — Year to Date

  • 5 billion malware attacks (128 percent increase )
  • 2 million ransomware attacks (299 percent increase)
  • 2 million encrypted threats (283 percent increase)

To put these numbers in a more practical light, it’s helpful to break them down by customer. In May 2018 alone, the average SonicWall customer faced:

  • 2,302 malware attacks (56 percent year-over-year increase)
  • 62 ransomware attacks (69 percent year-over-year increase)
  • Almost 94 encrypted threats
  • Over 14 phishing attacks per day

With each passing month, cybercriminals continue to perpetrate cyberattacks at an ever-accelerating rate. It is interesting to note that although encrypted traffic is actually down slightly when compared with last year, encrypted threats have more than doubled. This points to cybercriminals who are more aware of the efficacy of encrypting their attacks.

In addition, phishing attacks have increased by almost 40 percent since last month. To better educate your end users and follow secure email best practices, use the phishing IQ test to increase their suspicions when opening emails, particularly from unknown senders.

As the cyber war continues between threat actors and security professionals, arming your organization with the latest cyber threat intelligence is critical to implementing or improving a sound security posture. As long as vulnerabilities exist, there are threat actors working to exploit them.

Find Threat Metrics When You Need Them

Would you like to keep up-to-date on threat metrics, security news and worldwide cyberattacks? The SonicWall Security Center has all of this and more.

VISIT THE SECURITY CENTER

Microsoft Security Bulletin Coverage for June 2018

SonicWall Capture Labs Threats Research Team has analyzed and addressed Microsoft’s security advisories for the month of June 2018. A list of the issues reported, along with SonicWall coverage information, is as follows:

  • CVE-2018-0871 Microsoft Edge Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0978 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0982 Windows Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-1036 NTFS Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-1040 Windows Code Integrity Module Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-8110 Microsoft Edge Memory Corruption Vulnerability
    IPS : 13373 Microsoft Edge Memory Corruption Vulnerability (JUN 18) 2
  • CVE-2018-8111 Microsoft Edge Memory Corruption Vulnerability
    IPS : 13374 Microsoft Edge Memory Corruption Vulnerability (JUN 18) 3
  • CVE-2018-8113 Internet Explorer Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-8121 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-8140 Cortana Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-8169 HIDParser Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-8175 WEBDAV Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-8201 Device Guard Code Integrity Policy Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-8205 Windows Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-8207 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-8208 Windows Desktop Bridge Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-8209 Windows Wireless Network Profile Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-8210 Windows Remote Code Execution Vulnerability
    ASPY : 5178 Malformed-File wim.MP.1
  • CVE-2018-8211 Device Guard Code Integrity Policy Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-8212 Device Guard Code Integrity Policy Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-8213 Windows Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-8214 Windows Desktop Bridge Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-8215 Device Guard Code Integrity Policy Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-8216 Device Guard Code Integrity Policy Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-8217 Device Guard Code Integrity Policy Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-8218 Windows Hyper-V Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-8219 Hypervisor Code Integrity Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-8221 Device Guard Code Integrity Policy Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-8224 Windows Kernel Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-8225 Windows DNSAPI Remote Code Execution Vulnerability
    IPS : 13378 Windows DNSAPI Remote Code Execution (JUN 18)
  • CVE-2018-8226 HTTP.sys Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-8227 Chakra Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-8229 Chakra Scripting Engine Memory Corruption Vulnerability
    IPS : 13377 Chakra Scripting Engine Memory Corruption Vulnerability (JUN 18) 1
  • CVE-2018-8231 HTTP Protocol Stack Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-8233 Win32k Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-8234 Microsoft Edge Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-8235 Microsoft Edge Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-8236 Microsoft Edge Memory Corruption Vulnerability
    IPS : 13371 Microsoft Edge Memory Corruption Vulnerability (JUN 18)
  • CVE-2018-8239 Windows GDI Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-8243 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-8244 Microsoft Outlook Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-8245 Microsoft Office Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-8246 Microsoft Excel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-8247 Microsoft Office Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-8248 Microsoft Excel Remote Code Execution Vulnerability
    ASPY : 5177 Malformed-File rtf.MP.25
  • CVE-2018-8249 Internet Explorer Memory Corruption Vulnerability
    IPS : 13372 Internet Explorer Memory Corruption Vulnerability (JUN 18) 1
  • CVE-2018-8251 Media Foundation Memory Corruption Vulnerability
    IPS : 13375 Microsoft Edge Memory Corruption Vulnerability (JUN 18) 4
  • CVE-2018-8252 Microsoft SharePoint Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-8254 Microsoft SharePoint Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-8267 Scripting Engine Memory Corruption Vulnerability
    IPS: 13376 Scripting Engine Memory Corruption Vulnerability (Jun 18) 1

Adobe Flash (APSB18-19) Coverage:

  • CVE-2018-4945 Arbitrary Code Execution
    ASPY : 5172 Malformed-File swf.MP.591
  • CVE-2018-5000 Information Disclosure
    ASPY : 5173 Malformed-File swf.MP.592
  • CVE-2018-5001 Information Disclosure
    ASPY : 5174 Malformed-File swf.MP.593
  • CVE-2018-5002 Arbitrary Code Execution
    ASPY : 5171 Malformed-File swf.MP.590

  • GAV : 16696 CVE-2018-5002
  • GAV : 16701 CVE-2018-5002_2

BitPaymer Ransomware actively spreading in the wild.

The SonicWall Capture Labs Threat Research Team has observed reports of a new variant family of BitPaymer ransomware [BitPaymer.RSM] actively spreading in the wild.

BitPaymer ransomware encrypts the victim’s files with a strong encryption algorithm until the victim pays a fee to get them back.

Contents of the dropper for BitPaymer ransomware

Infection Cycle:

The Ransomware adds the following files to the system:

  • Malware.exe
    • %Temp%\[Random].cmd
      • Executable commands
    • %AppData%\Roaming\[Random].bin
      • Executable dropper file
    • %App.path%\[File Name].readme_txt
      • Instructions for recovery

Once the computer is compromised, the ransomware copies its own executable into the %Appdata% folder and runs the following commands:

The ransomware encrypts all the files and appends the .Locked extension to each encrypted file’s filename.
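The file artifacts listed above (encrypted files ending in .Locked and the per-file readme_txt note) are what an incident responder has to work with first. As an added example (not SonicWall's code, and not part of the original post), the script below walks a directory tree offline, counts encrypted files and ransom notes per directory, and reports the oldest modification time among encrypted files as a rough marker for when encryption began, which can then be lined up against logon and process logs. The directory layout produced by build_fixture is constructed for the demonstration.

```python
import os
import tempfile
from datetime import datetime, timezone

# Artifact patterns taken from the infection cycle above.
ENCRYPTED_SUFFIX = ".Locked"
NOTE_SUFFIX = ".readme_txt"


def triage_tree(root: str) -> dict:
    """Summarize BitPaymer-style artifacts under `root`."""
    per_dir = {}
    earliest = None
    for dirpath, _subdirs, files in os.walk(root):
        encrypted = [f for f in files if f.endswith(ENCRYPTED_SUFFIX)]
        notes = [f for f in files if f.endswith(NOTE_SUFFIX)]
        if not encrypted and not notes:
            continue                           # untouched directory, nothing to report
        per_dir[os.path.relpath(dirpath, root)] = {
            "encrypted": len(encrypted), "notes": len(notes)}
        for name in encrypted:
            mtime = os.path.getmtime(os.path.join(dirpath, name))
            if earliest is None or mtime < earliest:
                earliest = mtime               # oldest encrypted file approximates onset
    return {
        "directories": per_dir,
        "total_encrypted": sum(d["encrypted"] for d in per_dir.values()),
        "total_notes": sum(d["notes"] for d in per_dir.values()),
        "onset": (datetime.fromtimestamp(earliest, timezone.utc).isoformat()
                  if earliest is not None else None),
    }


def build_fixture() -> str:
    """Constructed directory layout mimicking a hit: two encrypted documents
    with their notes, and one untouched directory."""
    root = tempfile.mkdtemp(prefix="bitpaymer_triage_")
    layout = {
        "docs/report.docx.Locked": b"\x00" * 64,
        "docs/report.docx.readme_txt": b"constructed ransom note text\n",
        "docs/budget.xlsx.Locked": b"\x00" * 64,
        "docs/budget.xlsx.readme_txt": b"constructed ransom note text\n",
        "pics/holiday.jpg": b"\xff\xd8\xff\xe0 not encrypted",
    }
    for rel, content in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    summary = triage_tree(build_fixture())
    for directory, counts in summary["directories"].items():
        print(f"{directory}: {counts['encrypted']} encrypted, {counts['notes']} notes")
    print("total encrypted:", summary["total_encrypted"], "onset:", summary["onset"])
```

Run it against a mounted image or a share rather than the live host where possible; the mtime-based onset is only an approximation, since the ransomware rewrites the file as it encrypts it, and it should be confirmed against the %Temp%\[Random].cmd and %AppData% artifacts listed above.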

After encrypting all personal documents, the ransomware shows the following web page containing a message reporting that the computer has been encrypted and to contact its developer for unlock instructions.

We have been monitoring varying hits over the past few days for the signature that blocks this threat:

Sonicwall Capture Labs provides protection against this threat via the following signature:

  • GAV: BitPaymer.RSM (Trojan)

"Double Kill", CVE-2018-8174

Vulnerability Info:

A zero-day exploit in the Microsoft VBScript engine, called “Double Kill”, was discovered around the middle of April. The remote code execution (RCE) vulnerability is a use-after-free (UAF) memory corruption bug. Weaponizing this exploit with arbitrary code could gain the attacker the same user rights as the current user. The vulnerability was assigned CVE-2018-8174.

 

Other Vulnerabilities Being Used:

CVE-2018-8174 isn’t the only Windows vulnerability being reported and used in the wild. Attackers are also exploiting Microsoft Office documents with the “OLE Autolink Object Exploit” (CVE-2017-0199, considered Stage 1) to send requests to remote servers for new payloads (Stage 2 packages). Once the victim receives Stage 1, the initial malicious Microsoft Word document contacts a remote server to pull down another file (Stage 2), served with a “Content-Type” of either “application/hta” or “text/scriptlet”, which uses the CVE-2018-8174 exploit to trigger the next stage of the infection chain. Let’s trace through the first stage together.

 

CVE-2017-0199 Walk-through:

Following Stage 1, b48ddad351dd16e4b24f3909c53c8901, the Microsoft Office (.rtf) document: the file leverages CVE-2017-0199. Let’s dump the nesting levels with our favorite .rtf application:

From the output above we can peer inside objects 311, 314, 317, 320, 321 and 322. Using a few basic YARA signatures to search for the strings (http & RTF_Object), we can check each object of interest. We see the following output:

Item 317 shows the following data:

Item 311 shows the following data:

When we peer inside one of the other items, say item 320, we see the following Unicode data. Directly above this Unicode data, at location 0x14C0, is what is considered to be the shellcode that executes the URL in this data. However, we will not cover the shellcode at this time.

The resulting GET request would look like:

We could follow this into Stage 2 next. As you can see from the technique used above, sometimes you have to fish around until you find the correct object that holds the web link and the shellcode. Below is an example script for Stage 2; it would normally also arrive with an HTTP header from the remote server:
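The "fishing around" step of the walk-through, finding which \objdata object carries the web link, is easy to automate. The following is an added example (not SonicWall's code, and not part of the original post) that does the walk-through's "http & RTF_Object" check in Python instead of YARA: each object payload is hex-decoded and searched for URLs stored both as plain ASCII and as UTF-16LE (the "Unicode data" shown for item 320), and every hit is reported with its object index and byte offset so it can be lined up with a hex dump. The RTF built by make_fixture is constructed for the demonstration, and example.invalid is a placeholder host, not an indicator from the sample.

```python
import re

OBJDATA_RE = re.compile(rb"\\objdata\b\s*([0-9A-Fa-f\s]*)")
NON_HEX_RE = re.compile(rb"[^0-9A-Fa-f]")
ASCII_URL_RE = re.compile(rb"https?://[\x21-\x7e]{4,}")
# UTF-16LE stores each ASCII character followed by a NUL byte.
UTF16_URL_RE = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00){4,}")


def objdata_blobs(rtf: bytes) -> list:
    """Hex-decode every \\objdata payload, in document order."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = NON_HEX_RE.sub(b"", m.group(1))
        if len(hexdata) % 2:
            hexdata = hexdata[:-1]
        if hexdata:
            blobs.append(bytes.fromhex(hexdata.decode("ascii")))
    return blobs


def find_urls(rtf: bytes) -> list:
    """Report every ASCII or UTF-16LE URL inside any embedded object."""
    hits = []
    for index, blob in enumerate(objdata_blobs(rtf)):
        for m in ASCII_URL_RE.finditer(blob):
            hits.append({"object": index, "offset": m.start(), "encoding": "ascii",
                         "url": m.group().decode("ascii")})
        for m in UTF16_URL_RE.finditer(blob):
            hits.append({"object": index, "offset": m.start(), "encoding": "utf-16le",
                         "url": m.group().decode("utf-16-le")})
    return hits


def make_fixture() -> bytes:
    """Constructed RTF with three objects: filler bytes, a UTF-16LE URL at
    offset 0x20, and an ASCII URL at offset 5. No exploit content."""
    stage2 = "http://example.invalid/stage2.hta"      # placeholder, not a real indicator
    objects = [
        b"\x01\x05\x00\x00" + b"\x00" * 60,
        b"\x00" * 0x20 + stage2.encode("utf-16-le") + b"\x00\x00",
        b"x" * 5 + b"https://example.invalid/update" + b"\x00",
    ]
    body = b"".join(b"{\\object{\\*\\objdata " + o.hex().encode("ascii") + b"}}"
                    for o in objects)
    return b"{\\rtf1" + body + b"}"


if __name__ == "__main__":
    for hit in find_urls(make_fixture()):
        print(f"object {hit['object']} @ 0x{hit['offset']:04X} ({hit['encoding']}): {hit['url']}")
```

Extracted URLs belong in the block list and proxy logs search, not in a browser; the UTF-16LE pattern is what catches the case the walk-through shows, where an ASCII-only string search on the raw object would come up empty.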

Exploit Kits Being Used:

With the “Double Kill” exploit weaponized and the code built into RIG EK, corporate organizations that haven’t patched CVE-2018-8174 will be vulnerable to the attackers’ delivery methods. Weaponized source code has also been seen in ThreadKit, an exploit builder that can be used to create weaponized Microsoft Office documents. It’s accessible to cybercriminals with little technical expertise (script kiddies). The Double Kill exploit option is said to be for sale at around $400 per download online. An exploit kit lures victims to a malicious website and infects them through the browser; this builder, by contrast, lets attackers create weaponized Microsoft Office documents that can be distributed however the attacker wants.

 

CVE-2018-8174 Walk-through:

The code below exploits the VBScript vulnerability by using the deprecated Class_Terminate() method. The code overrides Class_Terminate(), which is invoked while the object is being destroyed. Inside it, the method adds a reference that VBScriptClass::Release() fails to check, resulting in a use-after-free (UAF) when the added reference is accessed.

Note that page heap must be enabled in order to trigger the crash in a stable manner. We do this by running gflags.exe with the command (gflags /i iexplorer.exe +ust +hpa). Once the command has been executed, we can show the proof of concept below, which has been tested on Windows 7 inside iexplorer.exe:

 

Trend Graph:

The trend line below shows how this attack is being used in the wild today:

 

Updates and Micro-Patches:

The flaw exists in all versions of Windows; Microsoft already released a patch in May. Users are reporting that the Windows 7 updates are causing networking issues. Those network issues may cause some users to decide not to update their computers, which would leave them open to attack. On Tuesday, June 12th, Microsoft will release another patch, and there is a good chance that an update will be released for Windows 7 users.

 

Detection & Classification:

SonicWALL Threat Lab Research Team provides protection against this threat via the following signature:

  • IPS: 4601 HTTP Client Shellcode Exploit 1