Cyber Security News & Trends – 09-28-18

Each week, SonicWall collects the cyber security industry’s most compelling, trending and important interviews, media and news stories — just for you.


SonicWall Spotlight

SonicWall Firewalls Named A 2018 Gartner Peer Insights Customers’ Choice – SonicWall Blog

  • With 122 reviews and a 4.3 rating, SonicWall is recognized as a 2018 Gartner Peer Insights Customers’ Choice for Unified Threat Management, reflecting commitment to partners and customers in providing top-tier cyber security solutions, along with an exceptional customer experience to support it.

SonicWall NSa Series Wins Cybersecurity Breakthrough Award as Best Firewall Solution – SonicWall Blog

  • This recognition brings SonicWall to a total of 42 industry honors so far in 2018.

SonicWall CEO Bill Conner On Cybersecurity Trends CEOs Should Know – Chief Executive Magazine

  • SonicWall CEO Bill Conner talks about the cybersecurity trends that CEOs should be paying attention to in this profile by Chief Executive Magazine.

ChannelPro Weekly Podcast: Episode #089 – Mimeographs Are Extinct. Are You? – Channelpro Podcast

  • SonicWall TZ500 Wireless-AC Gen 6 Firewall is the tech pick of the week.

Cyber Security News

Uber Settles Data Breach Investigation for $148 Million – NYTimes

  • In 2016, not wanting to expose a leak, Uber paid big money to a hacker who had gained access to 600,000 drivers’ names and license numbers.

Pennsylvania Senate Democrats paid $700,000 to recover from ransomware attack – ZDNet

  • After falling victim to a ransomware attack, Pennsylvania Senate Democrats refused to pay the $30,000 ransom demand, opting instead to pay over $700,000 to Microsoft to rebuild its IT infrastructure.

President Trump Unveils America’s First Cybersecurity Strategy in 15 Years – The White House

  • The White House has announced a new National Cyber Strategy that they are calling the first Cybersecurity Strategy in 15 years.

Some Credential-Stuffing Botnets Don’t Care About Being Noticed Any More – The Register (UK)

  • The “low and slow” covert method of malicious logins previously employed has been replaced by some bots with pure volume; one US credit union saw almost 9,000 attempts per hour.

Qualcomm Accuses Apple of Stealing Its Secrets to Help Intel – Reuters

  • It’s a long-running patent drama, but Qualcomm has filed papers against Apple alleging that Apple used Qualcomm software and log files without permission to “improve the sub-par performance of Intel’s chipsets.”

In Case You Missed It

Most exploited vulnerabilities in this month

SonicWall Threat Research Lab has observed the following vulnerabilities being actively exploited since the beginning of this month. Below is the list of vulnerabilities, the vendor advisory for each, and the SonicWall signatures that protect against these exploits.

CVE-2017-11882 | Microsoft Office EQNEDT32 Stack Buffer Overflow

This is a stack buffer overflow vulnerability in Microsoft Office. The vulnerability is due to incorrect handling of embedded Equation Editor OLE objects in Office documents. A remote attacker could exploit this vulnerability by enticing a user to open a specially crafted file. Successful exploitation could lead to arbitrary code execution under the context of the currently logged on user.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882

GAV: 21982 Malformed.doc.MP.10
GAV: 4094 JScript.Doc_229

CVE-2017-0147 | Microsoft Windows SMB Server SMBv1 CVE-2017-0147 Information Disclosure

This is an information disclosure vulnerability in the SMBv1 component of Microsoft Windows SMB server. The vulnerability is due to improper handling of SMBv1 requests. A remote, unauthenticated attacker could exploit this vulnerability by sending crafted SMB messages to a target server. Successful exploitation could result in the disclosure of sensitive information from the target server.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0147

GAV Cloud ID: 55251134 WannaCrypt

CVE-2010-2568 | Microsoft Windows LNK File Code Execution

This vulnerability exists in Microsoft Windows and may allow execution of arbitrary code on the target machine. It is due to a design weakness in Windows Shell, which parses shortcuts incorrectly in such a way that malicious code may be executed when the crafted file is opened, either manually or automatically, with Windows Explorer. It is most likely to be exploited through removable drives containing malicious LNK files, especially on systems that have AutoPlay enabled.

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-046

IPS: 13508 LNK File HTTP Download 2

CVE-2017-8570 | Microsoft Office Remote Code Execution Vulnerability

This is a remote code execution vulnerability in Microsoft Office. The vulnerability is due to incorrect handling of embedded OLE objects in Office documents. A remote attacker could exploit this vulnerability by enticing a user to open a specially crafted file. Successful exploitation could lead to arbitrary code execution under the context of the currently logged on user. 

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8570

GAV: 32260 JScript.RTF_4

CVE-2013-3346 | Adobe Acrobat Reader ToolButton Use After Free

A use after free vulnerability exists in Adobe Acrobat and Reader. The vulnerability is due to an error in the handling of callback functions associated with ToolButton objects. A remote attacker can exploit this vulnerability by enticing the user to open a specially crafted file. Successful exploitation could result in arbitrary code execution in the context of the currently affected user.

http://www.adobe.com/support/security/bulletins/apsb13-15.html

IPS: 6207 HTTP Client Shellcode Exploit 42

CVE-2010-2883 | Adobe Acrobat and Reader CoolType.dll Stack Buffer Overflow

A code execution vulnerability exists in Adobe Acrobat and Reader. The vulnerability is due to a stack-based buffer overflow error within the CoolType.dll module when handling PDF files containing TTF fonts. Remote attackers could exploit this vulnerability by enticing target users to open a malicious PDF document. Successful exploitation would result in arbitrary code execution in the context of the logged on user.

http://www.adobe.com/support/security/advisories/apsa10-02.html

GAV: 43643 Malformed.pdf.MT.2

CVE-2015-1641 | Microsoft Office Component CVE-2015-1641 Use After Free

This is a remote code execution vulnerability in Microsoft Office. The vulnerability is due to improper manipulation of objects in memory while parsing specially crafted Office files. A remote attacker can exploit this vulnerability by enticing a user to open a maliciously crafted Office file. Successful exploitation could result in code execution in the context of the affected user.

https://technet.microsoft.com/en-us/library/security/ms15-033.aspx

GAV: 43643 Malformed.pdf.MT.2

CVE-2018-8174 | Microsoft Windows VBScript Engine CVE-2018-8174 Use After Free

A memory corruption vulnerability exists in the Microsoft Windows VBScript engine. The vulnerability is due to the way that the VBScript engine handles certain objects in memory.
A remote attacker can exploit this vulnerability by enticing a user to open a crafted web page using Internet Explorer or a crafted Microsoft Office document.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8174

IPS: 4604 HTTP Client Shellcode Exploit 1

CVE-2018-8120 | Win32k Elevation of Privilege Vulnerability

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. This affects Win32k, Windows, Windows Kernel, Windows Common Log File System Driver, DirectX Graphics Kernel and Windows Image. A local, authenticated attacker could exploit these vulnerabilities by running a maliciously crafted application on the target system. Successful exploitation allows the attacker to elevate their privileges to an administrative level on the target.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8120

GAV Cloud ID: 66194921 Btrojan Exploit

The risk posed by these vulnerabilities can be mitigated by upgrading to the latest non-vulnerable version.

LockBkdr ransomware spotted in the wild.

The SonicWall Capture Labs Threat Research Team observed reports of a new variant family of LockBkdr [LockCrypt.BKR] actively spreading in the wild.

LockBkdr encrypts the victim’s files with a strong encryption algorithm and holds them until the victim pays a fee to get them back.

Contents of the LockBkdr ransomware

Infection Cycle:

The Ransomware adds the following files to the system:

  • Malware.exe
    • %App.path%\ [File Name] .BDKR
    • C:\Windows\searchfiles.exe [ Copy of malware ]
    • %Userprofile%\Desktop\How To Restore Files.txt
      • Instruction for recovery

The Ransomware adds the following keys to the Windows registry to ensure persistence upon reboot:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Searchfiles
    • C:\Windows\searchfiles.exe

Once the computer is compromised, the Ransomware copies its own executable into the %Systemroot% folder and runs the following commands:

LockBkdr retrieves the list of running processes and terminates every process other than certain system processes, such as those in the following list:

The Ransomware encrypts all the files and appends the .BDKR extension onto each encrypted file’s filename.

After encrypting all personal documents the Ransomware shows the following webpage containing a message reporting that the computer has been encrypted and to contact its developer for unlock instructions.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: LockCrypt.BKR (Trojan)

SonicWall Firewalls Honored, Named A 2018 Gartner Peer Insights Customers’ Choice for Unified Threat Management (UTM), Worldwide

The SonicWall mission — defending organizations in a fast-moving cyber arms race — is only possible because of the commitment and loyalty of our partners and customers.

For what we believe is that reason, SonicWall is pleased to have been recognized as a 2018 Gartner Peer Insights Customers’ Choice for Unified Threat Management (UTM), Worldwide.

“The Gartner Peer Insights Customers’ Choice is a recognition of vendors in this market by verified end-user professionals, taking into account both the number of reviews and the overall user ratings,” Gartner said in the official announcement.

To ensure fair evaluation, Gartner maintains rigorous criteria for recognizing vendors with a high customer satisfaction rate. For this distinction, a vendor must have a minimum of 50 published reviews with an average overall rating of 4.2 stars or higher. SonicWall received 122 reviews and a 4.3 rating for Unified Threat Management firewalls as of September 24, 2018. Here are a few snippets from SonicWall reviews provided by real-world customers that contributed to the distinction:

  • “Predominantly, the system is fantastic for our business model and has fantastic capabilities to address site level security.” — Network & Security Manager, Finance
  • “Excellent firewall for a small to medium size business.” — System Administrator
  • “SonicWall is our go-to for security hardware products.” — Project Manager, Services Industry
  • “The ease of use is where the SonicWall OS stands out. As long as you’re familiar with firewall concepts, you’ll be up and running in no time with the TZ [firewall] series. Support is strong and knowledgeable. I felt very comfortable having them hands-on in our production firewall.” — Sr. Network Engineer, Services Industry

Peer Insights is an online platform of ratings and reviews of IT software and services that are written and read by IT professionals and technology decision-makers. The goal is to help IT leaders make more insightful purchase decisions and help technology providers improve their products by receiving objective, unbiased feedback from their customers. Gartner Peer Insights includes more than 70,000 verified reviews in more than 200 markets.

SonicWall Named ‘Challenger’ in Gartner Magic Quadrant for Unified Threat Management

Complementing the Peer Insights Customers’ Choice selection, SonicWall was also named a ‘Challenger’ in the 2018 Gartner Magic Quadrant for Unified Threat Management (SMB Multifunction Firewalls).

Supported by new products and capabilities, including Capture Security Center, Capture Client endpoint protection and SonicWall NSv virtual firewalls, SonicWall continues a consistent trajectory to the upper right. Gartner highlighted the SonicWall Capture Advanced Threat Protection (ATP) sandbox service, along with the innovative Real-Time Deep Memory Inspection (RTDMI™) technology, as a key market differentiator.

In support of the Peer Insights Customers’ Choice selection, the Gartner MQ found that “channel partners and surveyed customers demonstrate high satisfaction with hardware throughput, quality and ease of configuration.”

The Gartner Peer Insights Customers’ Choice logo is a trademark and service mark of Gartner, Inc., and/or its affiliates, and is used herein with permission. All rights reserved. Gartner Peer Insights Customers’ Choice constitute the subjective opinions of individual end-user reviews, ratings, and data applied against a documented methodology; they neither represent the views of, nor constitute an endorsement by, Gartner or its affiliates.

The Evolution of Next-Generation Antivirus for Stronger Malware Defense

Threat detection has evolved from static analysis to dynamic behavioral analysis that detects threatening behavior. Comprehensive layers of defense, properly placed within the network and on the endpoint, provide the best and most efficient detection and response capabilities to match today’s evolving threats.

For years, SonicWall offered endpoint protection utilizing traditional antivirus (AV) capabilities. It relied on what is known as static analysis. The word “static” is just like it sounds. Traditional antivirus used static lists of hashes, signatures, behavioral rules and heuristics to discover viruses, malware and potentially unwanted programs (PUPs). It scanned these static artifacts across the entire operating system and mounted filesystems for retroactive detection of malicious artifacts through scheduled scanning.

Traditional antivirus focuses on pre-process execution prevention. Meaning, all the scanning mechanisms are primarily designed to prevent the execution of malicious binaries. If we go back 20 years, this approach was very effective at blocking the majority of malware, and many antivirus companies capitalized on their execution prevention approaches.

As that technology waned, the provider we had for traditional antivirus discontinued their legacy antivirus solution and SonicWall sought new and more effective alternatives.

Traditional Defenses Fail to Match the Threat

In the past, attackers, determined to beat antivirus engines, focused much of their attention on hiding their activities. At first, the goal of the attacker was to package their executables into archive formats.

Some threat actors utilized multi-layer packaging (for example, placing an executable into a zip then placing the zip into another compression archive such as arj or rar formats). Traditional antivirus engines responded to this by leveraging file analysis and unpacking functions to scan binaries included within them.

Threat actors then figured out ways to leverage documents and spreadsheets, especially Microsoft Word or Excel, which allowed embedded macros which gave way to the “macro virus.”

Antivirus vendors had to become document macro experts, and Microsoft got wise and disabled macros by default in their documents (requiring user enablement). But cybercriminals didn’t stop there. They continued to evolve the way they used content to infect systems.

Fast forward to today. Threat actors now use so many varieties of techniques to hide themselves from static analysis engines that the sandbox detection engine became popular.

I often use an analogy to explain a malware sandbox. It’s akin to a petri dish in biology where a lab technician or doctor examines a germ in a dish and watches its growth and behavior using a microscope.

Behavioral Sandbox Analysis

Sandbox technologies allow for detection by monitoring malware behavior within virtual or emulated operating systems. The sandboxes run and extract malware behavior within these monitored operating systems to investigate their motives. As sandboxing became more prevalent, threat actors redesigned their malware to hide themselves through sandbox evasion techniques.

This led SonicWall to develop advanced real-time memory monitoring to detect malware designed to evade sandbox technology. Today, SonicWall uses a multitude of capabilities — coupled with patent-pending Real-Time Deep Memory Inspection (RTDMI™) — to identify and mitigate malware more effectively than competing solutions.

SonicWall Automated Real-Time Breach Prevention & Detection

The Endpoint Evolves, Shares Intelligence

Next comes the endpoint. As we know, most enterprises and small businesses are mobile today. Therefore, a comprehensive defense against malware and compliance must protect remote users and devices as they mobilize beyond an organization’s safe perimeter. This places an emphasis on combining both network security and endpoint security.

Years ago, I wrote research at Gartner about the gaps in the market. There was a critical need to bridge network, endpoint and other adjacent devices together into a shared intelligence and orchestrated fabric. I called it “Intelligence Aware Security Controls (IASC).”

The core concept of IASC is that an orchestration fabric must exist between different security technology controls. This ensures that each control is aware of a detection event and other shared telemetry so that every security control can take that information and automatically respond to threats that emerge across the fabric.

So, for example, a botnet threat detection at the edge of the network can inform firewalls that are deployed deeper in the datacenter to adjust policies according to the threat emerging in the environment.

As Tomer Weingarten, CEO of SentinelOne said, “Legacy antivirus is simply no match for today’s sophisticated file-based malware, which proliferates much faster than new signatures can be created.”

Limitations of Legacy Antivirus (AV) Technology

To better understand the difference between legacy antivirus (AV) and next-generation antivirus (NGAV), we should know the advantages and unique features of NGAV over legacy signature-based AV solutions. Below are four primary limitations of legacy offerings.

  • Frequent updates. Traditional AV solutions require frequent (i.e., daily or weekly) updates of their signature databases to protect against the latest threats. This approach doesn’t scale well. In 2017 alone, SonicWall collected more than 56 million unique malware samples.
  • Invasive disk scans. Traditional AV solutions recommend recurring disk scans to ensure threats did not get in. These recurring scans are a big source of frustration for end users, as productivity is impacted during lengthy scans.
  • Cloud dependency. Traditional AV solutions are reliant on cloud connectivity for best protection. Signature databases have grown so large that it is no longer possible to push the entire database to the device. So, they keep the vast majority of signatures in the cloud and only push the most prevalent signatures to the agent.
  • Remote risk. In cases where end-users work in cafés, airports, hotels and other commercial facilities, the Wi-Fi provider is supported by ad revenues and encourages users to download the host’s tools (i.e., adware) for free connectivity. These tools or the Wi-Fi access point can easily block access to the AV cloud, which poses a huge security risk.

Switching to Real-time, Behavior-focused Endpoint Protection

Considering these limitations, there is a need for a viable replacement for legacy AV solutions. For this reason, SonicWall partnered with SentinelOne to deliver a best-in-class NGAV and malware protection solution: SonicWall Capture Client.

SonicWall Capture Client is a unified endpoint offering with multiple protection capabilities. With a next-generation malware protection engine powered by SentinelOne, Capture Client applies advanced threat protection techniques, such as machine learning, network sandbox integration and system rollback. Capture Client uses automated intelligence to adapt and detect new strains of malware through advanced behavior analytics.

SonicWall Capture Client was a direct response to multiple market trends.

  • First, there has been a detection and response focus, which is why SentinelOne offers our customers the ability to detect and then select the response in workflows (along with a malware storyline).
  • Second, devices going mobile and outside the perimeter meant that backhauling traffic to a network device was not satisfying customers who wanted low latency network traffic for their mobile users (and, frankly, the extra bandwidth costs that go along with it).
  • Third, because of all the evasion techniques that attackers use, a real-time behavioral engine is preferred over a static analysis engine to detect advanced attacks.
  • Fourth, the Capture Client SentinelOne threat detection module’s deep file inspection engine sometimes detects low confidence or “suspicious” files or activities. In these low confidence scenarios, Capture Client engages the advanced sandbox analysis of RTDMI to deliver a much deeper analysis and verdict about the suspicious file/activity.

One crucial feature of the latest Capture Client solution is the ability to record all the behaviors of an attack and the processes involved on an endpoint into an attack storyline — essential for security operations detection, triage and response efforts.

By listening to the market and focusing on the four key points above, SonicWall delivered best-in-class protection for endpoints, and another important milestone in SonicWall’s mission to provide automated, real-time breach detection and prevention.

SonicWall Capture Client combines multiple technologies to provide the most efficient and effective defense against threat actors. The solution should be paired with a defense-in-depth security strategy across all the key layers of transport, including email, network and endpoints.

SonicWall NSa Series Wins Cybersecurity Breakthrough Award as Best Firewall Solution

The CyberSecurity Breakthrough Awards named the SonicWall NSa the best next-generation firewall solution of 2018. The CyberSecurity Breakthrough Awards is an independent organization that recognizes the top companies, technologies and products in the global information security market. SonicWall has won 42 industry honors so far in 2018.

This year alone, SonicWall introduced seven new next-generation NSa firewall models: NSa 3650, 4650, 5650, 6650, 9250, 9450 and 9650. The NSa series works in conjunction with the SonicWall Capture Cloud Platform as part of an end-to-end security solution that delivers integrated cloud-scale management to protect networks, email, endpoints, mobile and remote users.

CyberSecurity Breakthrough judges are experienced senior-level cybersecurity professionals who have personally worked within the information security space, including journalists, analysts and technology executives with experience in a range of information security positions and perspectives. From successful technology startups to veteran industry leaders, the panel of judges brings a balanced perspective of evaluation for the award nominations.

The judges have earned a reputation for fairness and credibility, and are committed to determining the breakthrough nominations for each award category, which includes:

In 2017, SonicWall was named the Cybersecurity Breakthrough Overall Cybersecurity Company of the Year. More than 2,000 nominations from over 12 different countries throughout the world competed for the honor.

How MSSPs & Artificial Intelligence Can Mitigate Zero-Day Threats

So, here’s the problem: unknown zero-day threats are just that — unknown. You have no way (besides historical experience) to predict the next vulnerability avenue that will be exploited. You, therefore, don’t know what will need patching or what extra security layer needs injecting. This ultimately leads to a forecast-costing dilemma as you cannot predict the man hours involved.

The other quandary faced when tackling complex targeted zero days is the skills gap. Staffing a security operations center (SOC) with highly skilled cybersecurity professionals comes at a cost and only becomes profitable with economies of scale that a large customer base brings.

Coupled with the shortage of skilled cybersecurity professionals in the open market, how can you get your SOC off the ground? Could artificial intelligence (AI) level the playing field?

Machine Learning Reality Check

Machine learning and behavioral analytics continue to grow and become synonymous with zero-day threat protection. Is this all hype or is it the new reality? The truth is, it is both.

There is a lot of hype, but for good reason: AI works. Big data is needed to see the behaviors and therein the anomalies or outright nefarious activities that human oversight would mostly fail to catch. Delivered as a layered security approach, AI is the only way to truly protect against modern cyber warfare, but not all AI is deterministic and herein lies the hidden cost to your bottom line.

AI-based analysis tools that provide forensics are very powerful, but the horse has bolted by the time they are used. This approach is akin to intrusion detection systems (IDS) versus intrusion prevention systems (IPS). The former are great for retrospective audits, but what is the cleanup cost? This usage of behavioral analysis AI solely for detection is not MSSP-friendly. What you need is automated, real-time breach detection and prevention. Prevention is key.

So, how do you create an effective prevention technology? You need security layers that filter the malware noise, so each can be more efficient at its detection and prevention function than the last. That means signature-based solutions are still necessary. In fact, they are as important as ever as one of the first layers of defense in your arsenal (content filtering comes in at the top spot).

By SonicWall metrics, the ever-growing bombardment of attacks the average network faces stands at 1,200-plus per day (check out the mid-year update to the 2018 SonicWall Cyber Threat Report for more details).

When you do the math, it’s easy to see that with millions of active firewalls, it’s not practical to perform deep analysis on every payload. For the best results, you must efficiently fingerprint and filter everything that has gone before.

Aren’t All Sandboxes Basically the Same?

Only by understanding the behavior of the application and watching what it’s attempting to do, can you uncover malicious intent and criminal action. The best environment to do this is a sandbox, but no SOC manpower in the world could accomplish this with humans at scale. In order to be effective, you must turn to AI.

AI understands the big data coming from behavioral analysis. It can adapt the discovery approach to uncover threats that try to hide and, once determined as malicious, can fingerprint the payload via signature, turning a zero day into a known threat. It is the speed of propagation of this new, known signature to the protection appliances participating in the mesh protection network that drives the efficiencies to discover more threats.

Also, it’s the size of the mesh network catchment area that gives you the largest overall service area of attacks, which helps your AI quickly learn from the largest sample data set.

Luckily, SonicWall has you covered on all these fronts. With more than 1 million sensors deployed across 215 territories and countries, SonicWall has one of the largest global footprints of active firewalls. Plus, the cloud-based, multi-engine SonicWall Capture Advanced Threat Protection (ATP) sandbox service discovers and stops unknown, zero-day attacks, such as ransomware, at the gateway with automated remediation.

Our recent introduction of the patent-pending Real-Time Deep Memory Inspection (RTDMI™) technology, which inspects memory in real time, can detect and prevent chip vulnerability attacks such as Spectre, Meltdown and Foreshadow. It’s included with every Capture ATP activation.

At SonicWall, the mantra of automated, real-time breach detection and prevention is fundamental to our security portfolio. It is how our partners drive predictable operational expenditures in the most challenging security environments. Only via connected solutions, utilizing shared intelligence, can you protect against all cyber threat vectors.


A version of this story originally appeared on MSSP Alert and was republished with permission.

Major attempt to exploit XML-RPC remote code injection vulnerability is observed

SonicWall Threat Research Lab has recently observed a huge spike in detections for the XML-RPC remote code injection: roughly 100,000 hits in the last few days attempting to exploit roughly 3,000 servers behind SonicWall firewalls. All of these attacks originate from the IP address 96.68.165.185 and target servers in different countries.

XML-RPC?

XML-RPC is a remote procedure call (RPC) protocol that uses XML to encode its calls and HTTP as a transport mechanism. It allows software running on different operating systems and in different environments to make procedure calls over the Internet. The term XML-RPC also refers to the use of XML for remote procedure calls in general. The PHP implementation is also known as PHPXMLRPC. WordPress, Drupal and many other open source content management systems support XML-RPC.

Vulnerability:

XML-RPC for PHP is affected by a remote code-injection vulnerability. PEAR XML_RPC version 1.3.0 and earlier, and PHP XMLRPC version 1.1 and earlier, are vulnerable to PHP remote code injection. The XML parser passes the data in XML elements to PHP eval() without sanitizing the user input. This lack of parameter filtering allows a remote attacker to execute arbitrary code in the context of the web server.

Exploit:

The attacker sends the XML data below in an HTTP POST to the vulnerable server. The XML element <name> contains the PHP command injection, and XML-RPC passes the XML elements to PHP eval() without validating the user input. Upon execution, the PHP command drops a malicious script into the tmp directory and modifies the file permissions to allow execution.

Fig: 1 XML data with PHP command injection

The uploaded malicious PHP file can be a backdoor. It allows the attacker to execute shell commands by sending a GET request to http:///evil.php?cmd=id.

Fig: 2 evil.php (PHP web shell)

XML-RPC is also widely used in brute force attacks to gain access to a website. If you don’t need XML-RPC, it’s wise to disable it. If you would like to continue using XML-RPC, add more security by enabling only the specific XML-RPC methods you need.
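As an added, defender-side example (not code from SonicWall or the original write-up), the following Python inspects XML-RPC POST bodies for the two abuses described above: PHP code smuggled into a <name> element on its way to eval(), and system.multicall requests stuffed with nested login calls for brute forcing. The sample requests are constructed; the threshold of 10 nested calls and the use of the WordPress method wp.getUsersBlogs in the brute-force sample are assumptions for the demonstration.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Largest body we are willing to parse; anything bigger is flagged instead of parsed
# (constructed limit, and a cheap guard against entity-expansion bombs).
MAX_BODY_BYTES = 64 * 1024

# XML-RPC method names are identifiers (letters, digits, '_', '.', ':' and '/'), and struct
# member names are normally identifier-like too. Quotes, ';', '$' or parentheses in either
# element are the tell-tale of PHP code on its way to eval().
SAFE_NAME_RE = re.compile(r"[A-Za-z0-9_.:/-]+")

# PHP functions an injected payload would use to drop a script and make it executable.
PHP_CALL_RE = re.compile(
    r"\b(eval|system|exec|shell_exec|passthru|popen|fopen|fwrite|file_put_contents"
    r"|chmod|base64_decode)\s*\(",
    re.IGNORECASE,
)

# Nested calls per system.multicall above which the request is treated as brute forcing
# (assumed threshold; tune to the application's legitimate multicall usage).
MULTICALL_THRESHOLD = 10


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)


def inspect_xmlrpc_body(body: str) -> Verdict:
    """Classify one XML-RPC request body; the reasons are returned so they can be logged."""
    reasons = []
    if len(body.encode("utf-8", "replace")) > MAX_BODY_BYTES:
        return Verdict(True, ["body exceeds size limit"])
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return Verdict(True, [f"malformed XML: {exc}"])
    if root.tag != "methodCall":
        return Verdict(True, [f"unexpected root element <{root.tag}>"])

    # Rule 1: every <methodName> and struct <name> must look like an identifier.
    for elem in root.iter():
        if elem.tag not in ("methodName", "name"):
            continue
        text = (elem.text or "").strip()
        if not SAFE_NAME_RE.fullmatch(text):
            reasons.append(f"non-identifier characters in <{elem.tag}>: {text[:40]!r}")
        if PHP_CALL_RE.search(text):
            reasons.append(f"PHP call inside <{elem.tag}>: {text[:40]!r}")

    # Rule 2: each nested call in system.multicall is a struct with a 'methodName' member,
    # so counting those members counts the login attempts packed into one request.
    if (root.findtext("methodName") or "").strip() == "system.multicall":
        nested = sum(1 for e in root.iter("name") if (e.text or "").strip() == "methodName")
        if nested > MULTICALL_THRESHOLD:
            reasons.append(f"system.multicall with {nested} nested calls")

    return Verdict(bool(reasons), reasons)


# Constructed sample requests (not captured traffic).
BENIGN_REQUEST = """<?xml version="1.0"?>
<methodCall>
  <methodName>system.listMethods</methodName>
  <params/>
</methodCall>"""

# Shape of the injection from the write-up: PHP code in <name>, which a vulnerable parser
# would splice into the string it hands to eval(). This constructed payload only runs 'id'.
INJECTED_REQUEST = """<?xml version="1.0"?>
<methodCall>
  <methodName>examples.getStateName</methodName>
  <params><param><value><struct>
    <member><name>'); system("id"); //</name><value><string>x</string></value></member>
  </struct></value></param></params>
</methodCall>"""


def build_multicall(calls: int) -> str:
    """Constructed system.multicall wrapping `calls` wp.getUsersBlogs login attempts."""
    one = (
        "<value><struct>"
        "<member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>"
        "<member><name>params</name><value><array><data>"
        "<value><string>admin</string></value><value><string>guess{i}</string></value>"
        "</data></array></value></member></struct></value>"
    )
    body = "".join(one.format(i=i) for i in range(calls))
    return (
        '<?xml version="1.0"?><methodCall><methodName>system.multicall</methodName>'
        f"<params><param><value><array><data>{body}</data></array></value></param></params>"
        "</methodCall>"
    )
```

Run the verdict over each request with inspect_xmlrpc_body(); the returned reasons are what you would write to the WAF or IPS log.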


SonicWall Threat Research Lab provides protection against this exploit with the following signatures:

  • IPS 8014 PEAR XML_RPC Remote Code Execution
  • IPS 13240 PHP XMLRPC Remote Code Execution
  • IPS 10497 WordPress XMLRPC DoS
  • IPS 10433 WordPress XMLRPC Ping Back
  • IPS 5220 Drupal core XML-RPC DoS 1
  • IPS 5506 Drupal core XML-RPC DoS 2
  • WAF 1685: XML-RPC Remote Code Injection

Trend Graph:

Below are the hits and the heat map that SonicWall has observed in the past few days for the IPS XML-RPC signature.

Fig: 3 Daily hits for IPS signature #8014

 

Fig: 4 Heat map for IPS signature #8014

 

Vigilante malware removes cryptominers from the infected device

SonicWall Capture Labs Threats Research Team observed an interesting Android malware that acts as an anti-hero. Upon infecting a mobile device, it checks for the presence of specific cryptominers and removes them from the device, saving the day … or does it?

The complete infection cycle can be summarized in two stages as below:

Stage I

Once the malware infects a device, it downloads the first stage of the attack payload from one of the following two sources (as of this writing):

  1. hxxp://188.209.52.142/w
  2. hxxp://188.209.52.142/c

This script performs the following tasks:

  1. Checks the architecture of the infected system and downloads the second stage of the attack using wget or curl
  2. Gives the second stage the appropriate permissions and executes it on the device
  3. Removes the downloaded second-stage file and uninstalls the app with package name com.ufo.miner, a miner similar to the ADB miner we blogged about in the past

Stage II

Apart from the miner mentioned above, the malware looks for the presence of other miners as well. It performs device forensics by:

  • Checking the memory mappings of a particular process via /proc/<pid>/maps
  • Checking folders on the device for specific files that are present when a cryptominer has infected a system:
    • /data/local/tmp/smi
    • /data/local/tmp/rig
    • /data/local/tmp/trinity


The malware creates a hidden file on the device named .HqMBksnBExR82Ja, with its contents simply being ’“”.

It deletes the ELF file (Linux executable) from disk once it has been executed:

Since the malware executes an ELF file (Linux executable), there is no easy way for the user to determine whether it is running on the device. As shown below, the code runs on the system under a long alphanumeric process name:

Even though the malware appears to clean the system of previously installed cryptominers, it does so without the user's permission, thereby violating the Android security model. It is likely that the malware is cleaning up the system to make room for something more potent and damaging that may surface in the near future. Regardless, apps that perform dangerous or suspicious actions in the background without informing the user cannot be trusted.

It is advisable to keep Android devices up to date with the latest security patches and to always ensure that Google Play Protect is running on the device, as it provides an added layer of security by periodically scanning the device for malicious threats.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: AndroidOS.Fbot.ST1 (Trojan)
  • GAV: AndroidOS.Fbot.ST2 (Trojan)
  • GAV: AndroidOS.Fbot.ST2_2 (Trojan)

Indicators Of Compromise (IOC):


Cyber Security News & Trends – 09-21-18



SonicWall Spotlight

Business Live – BBC

  • SonicWall CEO Bill Conner appears live discussing cybersecurity on the flagship BBC business program.

Security Success in 2018 and Beyond – Channelnomics

  • SonicWall is a winner in the 2018 Channelnomics Security Awards for the Best Security Partner Program.

SonicWall CEO rallies partners to fend off non-standard ports threat – Computer Weekly

  • At the PEAK 2018 event in London, SonicWall CEO Bill Conner takes time to talk to Computer Weekly about the growth in cyberattacks through non-standard ports and what SonicWall is doing to defeat them.

Cyber Security News

“Lawful intercept” Pegasus spyware found deployed in 45 countries – ZDNet

  • New research data shows that the malware, which can be found on both iOS and Android devices, has been deployed by governmental regimes worldwide.

The Cyberthreats That Most Worry Election Officials – The Wall Street Journal

  • States and counties are busy preparing for the upcoming elections with drills and simulations of potential cyberattacks. The Wall Street Journal documents some of the biggest cyberthreats and what is being done to prevent them.

Equifax IT staff had to rerun hackers’ database queries to work out what was nicked – The Register (UK)

  • An auditor’s report recently made public exposes in detail the number of avoidable missteps that led to the hack of Equifax from May to July 2017.

Hackers peddle thousands of air miles on the Dark Web for pocket money – ZDNet

  • Over on the Dark Web, cyberattackers are undercutting the market with cheap frequent flyer miles, including 100,000 British Airways air miles for sale for as little as $144.

New Defense cyber strategy gives military power on preventative cyberattacks – The Hill

  • The US cyber defense strategy is moving increasingly towards an aggressive stance, with attack being the best form of defense.

There’s a song about cybersecurity from the Chinese government – Abacus News

  • China celebrates Cybersecurity Week by releasing a patriotic song praising their digital defenses.

In Case You Missed It