Inside the Capital One Data Breach: What Went Wrong

In one of the biggest data breaches publicly disclosed, Capital One revealed that a hacker gained access to personal information from 106 million credit card applicants and customers in the United States and Canada.

Capital One’s breach disclosure comes after Equifax recently agreed to pay up to $700 million to federal and state agencies to settle litigation around a 2017 data breach that affected 147 million people.

“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” said Richard D. Fairbank, Chairman and CEO in a public statement. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”

According to Capital One, beyond the credit card application data, the individual also obtained portions of credit card customer data, including:

  • Customer status data (e.g., credit scores, credit limits, balances, payment history, contact information)
  • Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018

No bank account numbers or Social Security numbers were compromised, other than:

  • About 140,000 Social Security numbers of credit card customers
  • About 80,000 linked bank account numbers of our secured credit card customers

The intrusion allegedly occurred through a “misconfigured web application firewall that enabled access to the data.” Capital One immediately fixed the configuration vulnerability that the individual exploited and promptly began working with federal law enforcement.

“Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual,” said a statement from Capital One.

Capital One expects to spend between $100 million and $150 million on customer notifications, credit monitoring, technology costs and legal support associated with the breach in 2019 alone, according to CRN.

How can you prevent such a breach using SonicWall WAF?

The SonicWall web application firewall supports OWASP Top 10 and PCI DSS compliance, providing protection against malicious injection and cross-site scripting attacks, credit card and Social Security number theft, cookie tampering and cross-site request forgery.

SonicWall WAF offers Information Disclosure Protection, a data loss prevention technique that ensures sensitive information, such as credit card numbers and Social Security numbers, is not leaked. SonicWall WAF also provides strong authentication mechanisms (i.e., two-factor or multifactor authentication) and facilitates seamless configuration and deployment through an admin-friendly management API.
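As an added illustration of what an information-disclosure (DLP) check on outbound responses has to do, here is a small response filter written for this post; it is not SonicWall code and does not describe how SonicWall WAF is implemented. It scans an HTTP response body for Luhn-valid card numbers and SSN-shaped values, replaces a leaking response with a 403 and records only masked values for the audit log. The Luhn step matters: without it any 13 to 19 digit run, such as an order reference, would trip the filter. The sample body is constructed.

```python
import re
from typing import Dict, List, Tuple


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13-19 digits, optionally separated by single spaces or hyphens
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN shape AAA-GG-SSSS, excluding area/group/serial values that are never issued
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def find_sensitive(body: str) -> List[Tuple[str, str]]:
    """Return (kind, matched_text) for every card number or SSN found in the body."""
    findings = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append(("card", m.group()))
    for m in SSN_RE.finditer(body):
        findings.append(("ssn", m.group()))
    return findings


def mask(value: str) -> str:
    """Keep only the last four digits so the finding can be logged safely."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def filter_response(status: int, headers: Dict[str, str], body: str):
    """Pass a clean response through; replace one that leaks card/SSN data with a 403."""
    findings = find_sensitive(body)
    if not findings:
        return status, headers, body, []
    audit = [(kind, mask(text)) for kind, text in findings]   # what goes in the WAF log
    return 403, {"Content-Type": "text/plain"}, "Blocked: response contained sensitive data", audit


# Constructed sample: a profile page that echoes data it should never have shown
SAMPLE_BODY = (
    "<p>Card on file: 4111 1111 1111 1111</p>"
    "<p>SSN: 123-45-6789</p>"
    "<p>Order reference: 1234567890123</p>"
)

if __name__ == "__main__":
    print(filter_response(200, {"Content-Type": "text/html"}, SAMPLE_BODY))
```

The 13-digit order reference in the sample is deliberately left unflagged: it fails the Luhn check, which is what keeps a pattern-only rule from blocking ordinary numeric identifiers.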

To ensure your SonicWall is properly configured, please refer to our in-depth administration guide and the SonicWall WAF settings resource.

Black Hat USA 2019: SonicWall Heads to Vegas

Black Hat USA 2019 is almost here. And it wouldn’t be a cybersecurity event without the SonicWall crew in attendance.

Can you believe this “little” show is now in its 22nd year? Started in 1997, the Black Hat Briefings grew from a one-show enterprise in Las Vegas to a global event. Today, Black Hat Briefings and Trainings bring together the world’s top cybersecurity researchers, vendors, experts and trainers for annual events in the U.S., Europe and Asia.

This year, SonicWall will be live at Booth 1310. Join SonicWall’s Brook Chelmo, Srudi Dineshan, Rob Krug, Ed Gradek, Ken Dang and Bobby Cornwell to discuss the latest in cybersecurity, advanced threats, wireless security and more. The group will have a live demo every 30 minutes.

Their sessions will also dive into specific use cases around firewall management, shadow IT, endpoint protection, customized threat intelligence and cloud-based Wi-Fi management.

SonicWall at Black Hat USA 2019

Booth 1310

Aug. 7-8 | Mandalay Bay Convention Center

Where to register for Black Hat USA 2019

Once you’re at the Mandalay Bay Convention Center for Black Hat USA 2019, event registration will be located on Level 1 of the Bayside Foyer.

The best giveaways: socks, retro headphones and more

The SonicWall crew will be in the booth August 7-8 to help you reserve your spot for each of the sessions. They’ll also be ready to reward your participation with some of the best swag in Vegas, including the limited ‘SOC in Box’ giveaway and JLab Audio Rewind wireless retro headphones.

Black Hat resources

Before you head to Las Vegas, be sure to explore and review available resources to help plan for your trip. This is especially true for first-time attendees. The event has a lot going on and you don’t want to waste a full day just getting your bearings.

Wind River VxWorks and URGENT/11: Patch Now

Notice: SonicWall physical firewall appliances running certain versions of SonicOS use third-party TCP/IP code for remote management that contains the vulnerabilities named URGENT/11. At this time there is no indication that the discovered vulnerabilities are being exploited in the wild; however:

SonicWall STRONGLY advises customers to apply the SonicOS patch immediately. Patches are available for all recent SonicOS versions. Detailed instructions are provided in the Security Advisory.

SonicWall provides the patched versions of SonicOS at no charge, including for customers not currently covered by an active support contract. SonicWall also recommends updating to the latest SonicOS release (6.5.4.4), which provides firewall capabilities to help protect other devices vulnerable to URGENT/11.


Wind River VxWorks and URGENT/11 vulnerabilities

Security researchers at Armis have discovered and responsibly disclosed 11 vulnerabilities in the TCP/IP stack of Wind River’s VxWorks real-time operating system, which is used by millions of devices around the world, as well as in space, on Mars and in certain versions of SonicOS. The Wind River VxWorks TCP/IP stack, named IPNET, contains vulnerabilities that have been given the name “URGENT/11.” The one material vulnerability type that impacted SonicOS is addressed by the patch releases.

Unmanageable & un-patchable: The Wild West of IoT

Wind River VxWorks is a real-time operating system that is widely used in IoT and embedded applications, such as networking, telecom, automotive, medical, industrial, consumer electronics, aerospace and beyond.

While firewalls are charged with protecting perimeters of organizations, they are actively managed and monitored devices, frequently from a central location. For every firewall, there is a human who wakes up each morning with a question, “Is my firewall working? Is it up to date?” Within days of an update becoming available, these humans schedule a maintenance window and close the security gap.

However, for the overwhelming majority of other devices connected or exposed to the internet, there is no such human, and the number of these IoT devices is larger than that of firewalls by several orders of magnitude. It is this multitude of connected devices that are not actively managed or patched that poses an iceberg-like risk to the internet.

Vulnerabilities are eventually discovered for even the best software, and the security of the internet and the online ecosystem relies on the ability to roll out and deploy the fixes.

In the mid-year update to the 2019 SonicWall Cyber Threat Report, SonicWall Capture Labs threat researchers have already logged 13.5 million IoT attacks, which outpaces the first two quarters of 2018 by 54.6%.

This reality is taking hold in the minds not only of security practitioners, but also of government regulators, as the hundreds of millions of IoT devices are found to be vulnerable and remain unpatched.

This is one of the risky underbellies of the internet, led by the explosion of IoT devices, including consumer-grade devices that are frequently deployed at the edge of the internet and then forgotten for a decade. IoT’s broad reach should reverberate through several industries as a wakeup call.

‘Never stop patching’

The weaponization of published vulnerabilities against old software serves as an important reminder that customers should never procrastinate software updates, which are one of the most important steps you can take to secure your infrastructure against today’s rapidly-evolving threat landscape.

Do not ignore them or put them off. Patch now. And never stop patching.

Exim email servers are still under attack

An Exim remote command execution vulnerability has been exploited in the wild since June. This week, security researchers observed the Exim vulnerability (CVE-2019-10149) being exploited to install a new variant of the Watchbog Linux malware. After successful exploitation, Watchbog downloads and executes a cryptocurrency miner payload on the compromised server. According to a Shodan search run today, there are over 1.5 million unpatched Exim servers that are vulnerable to this attack. The SonicWall Capture Labs Threat Research team continues to observe attempts to exploit this vulnerability.

Exim
Exim is a mail transfer agent (MTA) used on Unix-like operating systems. It implements an SMTP server for incoming messages as well as an SMTP (Simple Mail Transfer Protocol) or LMTP (Local Mail Transfer Protocol) client for outgoing mail.
SMTP
SMTP is a connection-oriented, text-based protocol in which a mail sender communicates with a mail receiver by issuing command strings and supplying necessary data over a Transmission Control Protocol (TCP) connection. An SMTP session consists of commands originated by an SMTP client (the initiating agent) and corresponding responses from the SMTP server (the listening agent) so that the session is opened, and session parameters are exchanged.

An SMTP transaction consists of the following three command/reply sequences:

1. MAIL command, to identify the sender and establish the return address (bounce address).
2. RCPT command, to establish a recipient of the message. This command can be issued multiple times, one for each recipient.
3. DATA command, to give the mail data and finally the end of mail data indicator confirming the transaction.
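To make the three command/reply sequences concrete, here is a small SMTP server state machine driven by a scripted client, added for this post; it is not Exim code and models nothing of Exim beyond the basic transaction. The domain, mailbox list and client script are constructed. The server enforces the MAIL, RCPT, DATA ordering, handles the end-of-data indicator and dot-stuffing, and rejects a recipient whose local part is not a known mailbox, which is the kind of recipient check the rest of this post turns on.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

LOCAL_USERS = {"alice", "bob"}       # constructed mailbox list for the receiving server
LOCAL_DOMAIN = "example.test"        # constructed domain the server accepts mail for


@dataclass
class SmtpSession:
    """Server-side state for one SMTP session: MAIL -> RCPT* -> DATA -> '.'"""
    sender: Optional[str] = None
    recipients: List[str] = field(default_factory=list)
    in_data: bool = False
    data_lines: List[str] = field(default_factory=list)
    delivered: List[Tuple[Optional[str], List[str], str]] = field(default_factory=list)

    def handle(self, line: str) -> str:
        """Process one client line and return the server reply ('' while receiving data)."""
        if self.in_data:
            if line == ".":                       # end-of-data indicator closes the transaction
                self.in_data = False
                self.delivered.append((self.sender, list(self.recipients), "\n".join(self.data_lines)))
                self.sender, self.recipients, self.data_lines = None, [], []
                return "250 OK: queued"
            # dot-stuffing: the client doubles a leading '.', the server removes one
            self.data_lines.append(line[1:] if line.startswith(".") else line)
            return ""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {LOCAL_DOMAIN}"
        if verb == "MAIL":
            if not arg.upper().startswith("FROM:"):
                return "501 Syntax: MAIL FROM:<address>"
            self.sender = arg[5:].strip().strip("<>")   # '<>' (empty) is a valid bounce sender
            self.recipients = []
            return "250 OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 Need MAIL command first"
            if not arg.upper().startswith("TO:"):
                return "501 Syntax: RCPT TO:<address>"
            addr = arg[3:].strip().strip("<>")
            local, sep, domain = addr.rpartition("@")
            # recipient check: the local part must name a real mailbox on our domain
            if not sep or domain != LOCAL_DOMAIN or local not in LOCAL_USERS:
                return "550 No such user here"
            self.recipients.append(addr)
            return "250 OK"
        if verb == "DATA":
            if not self.recipients:
                return "503 Need RCPT command first"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Command unrecognized"


def run_transaction(server: SmtpSession, commands: List[str]) -> List[str]:
    """Drive the server with a scripted client and return the two-sided transcript."""
    transcript = []
    for cmd in commands:
        transcript.append("C: " + cmd)
        reply = server.handle(cmd)
        if reply:
            transcript.append("S: " + reply)
    return transcript


# Constructed client script: one transaction with a valid and an unknown recipient
SAMPLE_CLIENT = [
    "HELO client.test",
    "MAIL FROM:<sender@remote.test>",
    "RCPT TO:<alice@example.test>",
    "RCPT TO:<nobody@example.test>",
    "DATA",
    "Subject: hi",
    "",
    "hello",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    session = SmtpSession()
    print("\n".join(run_transaction(session, SAMPLE_CLIENT)))
```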

SMTP Mail Transaction:

CVE-2019-10149:

A command injection vulnerability has been reported in Exim. It is due to insufficient sanitization of recipient email addresses, whether the recipient is local or remote. In the vulnerable versions, the local part of the recipient address is passed as input to the expand_string() function without enough validation. A remote attacker can exploit this vulnerability by attempting to send an email to a crafted recipient on the target server. Successful exploitation results in the execution of arbitrary commands as the root user.


Fig: Snapshot of the code snippet 

Local Exploitation:
The expand_string() utility in the code shown above recognizes “${run{<command> <args>}}” in its input, and because new->address is the recipient of the mail being delivered, a local attacker can simply send mail to “${run{…}}@localhost” and execute arbitrary commands as root.


Remote Exploitation (Non-default configuration):
The exploitation method above does not work remotely, because Exim’s default configuration requires the local part of the recipient’s address (the part before the @ sign) to be the name of a local user when the request comes from a remote server.
In various non-default configurations, however, the vulnerability can be exploited remotely: if the “verify = recipient” ACL, which checks that the local part of the recipient’s address is the name of a local user, was removed by an administrator, or if Exim was configured to recognize special tags such as “+” in the recipient’s address, a remote attacker can simply use the local exploitation method, i.e. RCPT TO “local_user+${run{…}}@localhost” instead of local_user@localhost.


Remote Exploitation (Default Configuration):
The vulnerability report also describes a more elaborate method that allows remote exploitation in Exim’s default configuration. The attacker sets up a malicious mail server on a domain they control, places the malicious string expansion in the local part of the sender’s address, and sends a message with a valid recipient that is crafted to bounce back to the attacker-controlled server. To make the outgoing message from the Exim server fail, i.e. to set RECIP_FAIL_TIMEOUT, the attacker-controlled server sends a long SMTP response very slowly over a 7-day period and finally returns an error such as a 550 so that Exim “freezes” the outgoing message. On the next scheduled queue run, Exim attempts to deliver the bounce message again, but because the message is now older than the default permitted age for frozen messages, process_recipients is set to RECIP_FAIL_TIMEOUT, and the malicious string in the sender address is expanded by the expand_string() utility and executed as root.

Trend Chart:

The graph below shows how actively this vulnerability has been exploited.
Fig: IPS hits for the sig ID 14240 in the last 40 days
The majority of the exploit attempts come from the IP address “89.248.171.57”. Exim users have also reported online that they have been hacked by this attacker, who is still actively looking for vulnerable Exim servers.

Fix:

Exim versions 4.87 through 4.91 are vulnerable by default. This vulnerability is fixed in version 4.92.
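As an added defensive example covering two points above, the expansion syntax in an address's local part and the affected version range, the code below was written for this post and is neither SonicWall nor Exim code. It classifies an address by whether its local part contains an Exim string-expansion opener (and specifically the ${run{ item), scans constructed mainlog-style lines for both recipient and sender fields (the default-configuration method places the expansion in the sender address), and checks a version string against the 4.87 through 4.91 range. The log lines, hosts and message id are constructed.

```python
import re
from typing import List, Tuple

# Exim string-expansion openers; '${run{' is the item that executes a command
EXPANSION_RE = re.compile(r"\$\{")
RUN_RE = re.compile(r"\$\{\s*run\s*\{", re.IGNORECASE)


def local_part(address: str) -> str:
    """Local part = text before the last '@' (addresses may be wrapped in <>)."""
    addr = address.strip().strip("<>")
    local, sep, _domain = addr.rpartition("@")
    return local if sep else addr


def classify_address(address: str) -> str:
    """'run-expansion', 'expansion' or 'clean' depending on what the local part contains."""
    local = local_part(address)
    if RUN_RE.search(local):
        return "run-expansion"
    if EXPANSION_RE.search(local):
        return "expansion"
    return "clean"


# Address fields as they appear in mainlog-style lines: rejected-RCPT entries carry
# F=<sender> and RCPT <recipient>; message-arrival entries carry '<= sender'
SENDER_RE = re.compile(r"F=<([^>]*)>")
ARRIVAL_RE = re.compile(r"<= (\S+)")
RCPT_RE = re.compile(r"RCPT <([^>]*)>")


def scan_log(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, role, address, verdict) for every non-clean address in the log."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        for role, pat in (("sender", SENDER_RE), ("sender", ARRIVAL_RE), ("rcpt", RCPT_RE)):
            for m in pat.finditer(line):
                verdict = classify_address(m.group(1))
                if verdict != "clean":
                    hits.append((n, role, m.group(1), verdict))
    return hits


def exim_vulnerable(version: str) -> bool:
    """True for 4.87 through 4.91 (vulnerable by default per the advisory); 4.92 is fixed."""
    m = re.match(r"(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Exim version string: {version!r}")
    v = (int(m.group(1)), int(m.group(2)))
    return (4, 87) <= v < (4, 92)


# Constructed sample lines in the style of Exim's mainlog (not real traffic)
SAMPLE_LOG = """\
2019-07-30 10:01:02 H=(client) [198.51.100.7] F=<a@b.test> rejected RCPT <nobody@example.test>: Unrouteable address
2019-07-30 10:01:05 H=(client) [198.51.100.9] F=<a@b.test> rejected RCPT <${run{...}}@localhost>: Unrouteable address
2019-07-30 10:02:00 H=(client) [198.51.100.9] F=<a@b.test> rejected RCPT <alice+${...}@localhost>: Unrouteable address
2019-07-30 10:03:00 1hsample-0001-AB <= ${run{...}}@attacker.example H=(client) [198.51.100.9] for alice@example.test
"""

if __name__ == "__main__":
    for line_no, role, addr, verdict in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {role} {addr!r} -> {verdict}")
    for v in ("4.86", "4.87", "4.91", "4.92"):
        print(v, "vulnerable" if exim_vulnerable(v) else "not in affected range")
```

Flagging any `${` in a local part, not only `${run{`, is deliberate: a legitimate address never contains expansion syntax, so the broader match costs nothing and catches variants that hide the run item behind other expansion items.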

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

IPS: 14240 Exim deliver_message Remote Command Execution 1
IPS: 14241 Exim deliver_message Remote Command Execution 2
IPS: 14242 Exim deliver_message Remote Command Execution 3
IPS: 14243 Exim deliver_message Remote Command Execution 4

Metamorfo Banking Trojan spotted using Avast Utility

The SonicWall Capture Labs Threat Research Team has spotted Metamorfo malware, known to distribute banking Trojans, using a legitimate tool from Avast, a popular security product. The malware arrives as a seemingly harmless Adobe installer and, to evade detection, uses a renamed copy of the Avast memory dumping tool to load its malicious components.

Infection cycle:

The Trojan arrives as a Windows Installer database (MSI file).

It uses the following file properties, pretending to be an Adobe Acrobat Reader installer:


Upon execution, it displays a fake splash window that makes the victim believe that Adobe Reader is being installed.

This installer has embedded obfuscated JavaScript code that, when decoded, reveals its intention.

It downloads a fake image file with a PNG extension, which is in fact a ZIP archive containing additional components.

The archive is then unpacked into the %APPDATA% directory and contains the following files:

  • %APPDATA%/yDnKLM.exe – non-malicious renamed AVDump32.exe utility from Avast
  • %APPDATA%/yDnKLM.dmp – malicious file detected as GAV: Metamorfo.BZ_2 (Trojan)
  • %APPDATA%/dbghelp.dll – malicious file detected as GAV: Metamorfo.BZ_ (Trojan)
  • %APPDATA%/ssleay64.dll – malicious file detected as GAV: Metamorfo.BZ_3 (Trojan)
  • %APPDATA%/borlndmm.dll – non-malicious Borland Memory Manager library
  • %APPDATA%/libeay32.dll – non-malicious OpenSSL library
  • %APPDATA%/ssleay32.dll – non-malicious OpenSSL library

The installer then triggers a system reboot. After the reboot it launches the legitimate Avast executable, which loads the malicious dbghelp.dll library, and then launches another non-malicious program, Windows Media Player, to load the malicious .dmp file.
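The loading sequence above is DLL side-loading: a legitimate executable is dropped next to a DLL carrying a name it loads from its own directory, so the malicious copy wins. As an added example, not SonicWall code, the scan below walks a directory tree and reports executables outside the usual install roots that sit beside such a DLL; it builds a constructed copy of the file layout above (empty placeholder files, no malware) in a temporary directory and scans it. The hijackable DLL names beyond dbghelp.dll and the trusted-root list are assumptions made for the illustration.

```python
import os
import tempfile
from pathlib import Path
from typing import List, Tuple

# DLL names that programs commonly load by bare name from their own directory.
# dbghelp.dll is the one abused above; the other two are an assumed, illustrative
# addition and are not taken from the write-up.
HIJACKABLE_DLLS = {"dbghelp.dll", "version.dll", "wtsapi32.dll"}

# Path components under which a vendor utility is expected to live (assumption)
TRUSTED_ROOTS = {"Program Files", "Program Files (x86)", "Windows"}


def find_sideload_candidates(root: Path) -> List[Tuple[str, str]]:
    """Return (exe, dll) pairs: an .exe outside the trusted roots with a hijackable DLL beside it."""
    findings = []
    for d, _subdirs, files in os.walk(root):
        if TRUSTED_ROOTS & set(Path(d).parts):      # skip normal install locations
            continue
        by_lower = {f.lower(): f for f in files}
        exes = [f for f in files if f.lower().endswith(".exe")]
        dlls = [by_lower[n] for n in sorted(HIJACKABLE_DLLS) if n in by_lower]
        for exe in exes:
            for dll in dlls:
                findings.append((str(Path(d) / exe), str(Path(d) / dll)))
    return findings


def build_sample_tree(base: Path) -> None:
    """Constructed mimic of the drop described above: empty placeholder files only."""
    appdata = base / "Users" / "victim" / "AppData" / "Roaming"
    appdata.mkdir(parents=True)
    for name in ("yDnKLM.exe", "yDnKLM.dmp", "dbghelp.dll", "borlndmm.dll",
                 "libeay32.dll", "ssleay32.dll"):
        (appdata / name).touch()
    # a vendor install shipping its own dbghelp.dll is expected and must not be flagged
    legit = base / "Program Files" / "SomeTool"
    legit.mkdir(parents=True)
    (legit / "tool.exe").touch()
    (legit / "dbghelp.dll").touch()


def demo() -> List[Tuple[str, str]]:
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_sample_tree(base)
        return find_sideload_candidates(base)


if __name__ == "__main__":
    for exe, dll in demo():
        print(f"possible DLL side-loading: {exe} with {dll}")
```

On a real host the pair reported by this heuristic is a triage lead, not a verdict: confirming it means checking the DLL's hash and signature and, as in this case, whether the executable is a renamed copy of a known tool.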

The malicious files can steal user information by reading the computer name and keystrokes, connect to a remote server, submit files, simulate mouse clicks and execute commands.

During our analysis the malicious ssleay64.dll was not loaded.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Metamorfo.BZ_4 (Trojan)
  • GAV: Metamorfo.BZ_5 (Trojan)
  • GAV: Metamorfo.BZ_6 (Trojan)
  • GAV: Downloader.MSI (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Cyber Security News & Trends – 07-26-19

This week, SonicWall releases a mid-year update to the 2019 SonicWall Cyber Threat Report, hackers breach the FSB, and Johannesburg hit by ransomware.


SonicWall Spotlight

SonicWall 2019 Mid-Year Threat Report Shows Worldwide Malware Decrease of 20%, Rise in Ransomware-as-a-Service, IOT Attacks and Cryptojacking – SonicWall Press Release

  • SonicWall refreshes its data from the first months of 2019 for the Cyber Threat Report Mid-Year Update. The Cyber Threat Report provides insights into the cybersecurity industry’s top threats and trends; major findings include:
    • Ransomware volume up 15% globally year to date
    • Encrypted threats spike 76%
    • IoT malware attacks up 55%
    • Malware attacks across non-standard ports dip to 13%
    • With bitcoin value spiking, cryptojacking volume up 9%

SonicWall CEO on McAfee IPO Rumours and Symantec’s Possible Sale – CRN ChannelWeb

  • Channel Web interviews SonicWall CEO Bill Conner, discussing business and government reactions to changes in the cybersecurity industry, where the threat landscape “is getting very, very real.”

UK Ransomware Attacks Soar 195% – Malware Cocktails Proliferate – CBROnline


Cybersecurity News

NSA Launches Cybersecurity Directorate – NextGov

  • The National Security Agency has announced the launch of a new division aimed at defending the country’s national security infrastructure from digital attacks. The Cybersecurity Directorate will bring the agency’s foreign intelligence and cyber operations together under the same roof.

Hackers Breach FSB Contractor, Expose Tor Deanonymization Project and More – ZDNet

  • A contractor for the FSB, Russia’s national intelligence service, has been hacked with over 7.5 terabytes of data taken. Information exposed includes data on secret developments like a Tor deanonymization project and the ability to disconnect the Russian internet from the rest of the world.

Two Charged With Terrorism Over Bulgaria’s Biggest Data Breach: Lawyer – Reuters

  • Police raided the offices of cybersecurity firm Tad Group following last month’s cyberattack and data breach in which personal data for nearly every adult Bulgarian was stolen. Two workers have been charged with terrorism; both deny wrongdoing.

Louisiana Governor Declares State Emergency After Local Ransomware Outbreak – ZDNet

  • Following a series of cyberattacks on school districts Louisiana Governor John Bel Edwards declared a cybersecurity state of emergency. This is only the second time a state has declared a state of emergency over cybersecurity, the first being Colorado in February 2018.

Facebook to Pay $100 Million SEC Fine Over Cambridge Data Use – Bloomberg

  • Facebook has agreed to pay $100 million in a U.S. Securities and Exchange Commission settlement over the Cambridge Analytica scandal. In the settlement Facebook neither admits nor denies any wrongdoing.

Ransomware hits Johannesburg electricity supply – BBC

  • Johannesburg’s City Power has been the latest high-profile victim of a ransomware attack with more than a quarter of a million people affected. The City of Johannesburg says no customer data has been compromised.

And finally:

UK, EU Police Pilot Scheme to Give Wayward Teen Hackers White Hats – ZDNet

  • A new UK and EU scheme called “Hack_Right” is currently being trialled. The scheme is aimed at staging interventions for teenagers who are involved in hacking, encouraging them to change their behavior rather than punishing them with jail time or fines.

In Case You Missed It

Mid-Year Update: 2019 SonicWall Cyber Threat Report

It’s almost cliché at this point, but the cyber arms race — and respective cybersecurity controls and technology — moves at an alarming pace.

For this reason, SonicWall Capture Labs threat researchers never stop investigating, analyzing and exploring new threat trends, tactics, strategies and attacks. They publish most of their findings — the data they can share publicly, anyway — in the annual SonicWall Cyber Threat Report.

But to ensure the industry and public are able to stay abreast of the quickly shifting threat landscape, the team offers a complementary mid-year update to the 2019 SonicWall Cyber Threat Report. Download the exclusive report to explore the stories, behaviors and trends that are shaping 2019 — as they are happening.

Malware volume dips in first half

In 2018, global malware volume hit a record-breaking 10.52 billion attacks, the most ever recorded by SonicWall Capture Labs threat researchers.

Fortunately, during the first six months of 2019, that trend slowed — at least somewhat. SonicWall recorded 4.8 billion* malware attacks, a 20% drop compared to the same time period last year.

Ransomware rising

Did you think ransomware was an outdated tactic? The latest 2019 data proves otherwise. Despite overall declines in malware volume, ransomware continues to pay dividends for cybercriminals.

All told, global ransomware volume reached 110.9 million for the first half of 2019, a 15% year-to-date increase. The exclusive mid-year update outlines which countries followed this trend and which were victimized by an increase in ransomware attacks.

Attacks against non-standard ports still a concern

As defined in the full 2019 SonicWall Cyber Threat Report, a ‘non-standard’ port means a service running on a port other than its default assignment, usually as defined by the IANA port numbers registry.

For the first half of 2019, 13% of all malware attacks came via non-standard ports, a slight dip due to below-normal activity in January (8%) and February (11%).

Encrypted threats intensify

In 2018, SonicWall logged more than 2.8 million encrypted threats, which was already a 27% jump over the previous year. Through the first six months of 2019, SonicWall has registered a 76% year-to-date increase.

Machine learning, multi-engine sandboxes evolving to ‘must-have’ security

So far in 2019, the multi-engine SonicWall Capture Advanced Threat Protection (ATP) cloud sandbox has exposed 194,171 new malware variants — a pace of 1,078 new variant discoveries each day of the year.

IoT malware volume doubled YTD

The speed and ferocity with which IoT devices are being compromised to deliver malware payloads is alarming. In the first half of 2019, SonicWall Capture Labs threat researchers have already recorded 13.5 million IoT attacks, which outpaces the first two quarters of last year.

Bitcoin run keeping cryptojacking in play

Late 2018 data showed cryptojacking on the decline. But with the surging values of both bitcoin and Monero, cryptojacking rebounded in 2019. Cryptojacking volume hit 52.7 million for the first six months of the year.

How do cybercurrency prices influence cryptojacking volume? The exclusive mid-year update looks deeper into the numbers.

SkyStars ransomware, variant of BlackMoon banking trojan encrypts with no recovery note

The SonicWall Capture Labs Threat Research Team observed reports of a variant of the BlackMoon banking trojan called SkyStars. BlackMoon was originally designed to steal user credentials from various South Korean banking institutions. In addition to data theft, the authors later added ransomware capability. This SkyStars ransomware component seems to be in early development.

Infection Cycle:

The Trojan uses the following icon:


The trojan executable file contains the following metadata:


Upon execution, files are indiscriminately encrypted on the system. The malware does not appear to have a list of preferred file types. Encrypted files are given a .SKYSTARS extension. The malware does not display a ransom note, and no payment method for file recovery is presented to the victim.


After a period of 5 minutes, the following message box is displayed:


Analysis of the executable file reveals the following strings:


Like most ransomware, the trojan contains functionality to write a ransom note to a file and display it to the victim.  Although the code below is present in the malware it was not executed during our analysis:


During runtime analysis we were able to locate the function used to encrypt files. Reversing this function may be the only possible way to recover files:


The malware executable file contains strings that refer to BlackMoon, a known banking trojan.  This suggests that the malware is a variant of BlackMoon with added ransomware capability:


SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: SkyStars.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.


Ursnif – Spreading via malicious Office files

The SonicWall Capture Labs Threat Research Team identified a new wave of malicious Office files being used to distribute a banking Trojan belonging to the Ursnif family. MS Word files containing VBA macro code are used to download a text file whose lines are decrypted into a Portable Executable (PE) file.

The malicious Office file appears as shown below:


Fig-1: Office Word File

Infection Cycle:

Upon opening the malicious document, a message informs the user that the document is protected and asks them to click Enable Editing followed by Enable Content.

Once content is enabled, the malicious macro executes, shows a UserForm titled “loading” and launches Internet Explorer in the background to download the file pointed to by a URL stored in the Tag field of the UserForm. Once the download completes, the PE file belonging to the Ursnif family is decrypted from the downloaded data.

The hardcoded URL stored in the Tag field of the UserForm and the decryption routine are shown below:


Fig-2: Macro code in Office File

The downloaded text file is shown below:

Unlike other variants of Ursnif which we have observed in the past to be targeting victims from Italy, this variant does not have any country-specific restriction.

SonicWall Capture Labs provides protection against this threat via the following signatures:

GAV: MalAgent.U1 (Trojan)
GAV: MalAgent.U2 (Trojan)
GAV: MalAgent.U3 (Trojan)
GAV: MalAgent.U4 (Trojan)

Indicators of Compromise:

SHA 256 of Malicious Office documents

  • 055a79019b845a5ef31678f61e833baba3a1c3a523c9dcc469844e1c918fb4e4
  • f153fcc4ba561076d8888daef7aaf33d0e5db896bc10b34e88050cd58bf8f815
  • a1266f4e1fc41a0afd4e92f6d115225d08675ca51e4488f41737c92d1993ee62
  • 7274ab5123232de647243124c37bfe9f5933388a60466d747bdb0890c85a9d00
  • bfab47e4cc1646f73d7fc53a04434f4271e1cf1eefa194134ce9eefcf88a1835
  • 8f0b54655c755aded44b6a3ee7e242c8414d4422148a3121463ec7a3022fb106
  • 4812d242bda392ffa6b3a81c9246cf5ca8ea80f8168ac5ecb64c35f0232f9ccb
  • af37eab60a51b7e9328922ca10d2a09f0190e0d08cf88e5aa7b8d98e35a85fc1
  • 8b97586f552394b004151a7834c4badf30985c4ad8f34ea7bbc7711bbf951ec4
  • 675f02bcd6d4d7c46e7dad56601bec29f9fa6a94e084b2d5ac6446cd1d504cc7
  • f3daadac20beefe70c6c3168b79f403a6925b3d17e21bcda825d6481d8f4d310
  • 44508372cf497abfb7c879c8fead8429435a9dc002b2bbbc18e5c62de054e7c7
  • c2aec04535d95b6310a7be2df7856631f5804ba4fe1c1a4bcb7aeb5c3079018d

Network Connections:

  • http://195.1[removed]3.159/local_file.php
  • http://765hg56.m[removed]ergraff.com/gate.php
  • http://2t6u7r.m[removed]ye.com/gate.php
  • http://776fdf.m[removed]yenholm.com/gate.php

Payload SHA 256:

  • 6f4f4b2f1ef0493075d635beae94565cf6dc6437ce5a69e9ddaa9b5a7405a333

Payload Network connection:

  • http://api[.]fiho[.]at/index.htm
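Added example, not from the write-up and not SonicWall code, of the two triage checks a sandbox would run on the data the macro downloads and decodes: does the decoded blob carry a valid DOS/PE header, and does its SHA-256 appear in the payload IoC list above? The decryption routine itself is shown on the page only as an image, so the example starts from an already decoded blob, here a constructed header-only stub; the IoC hash is the payload SHA-256 listed above.

```python
import hashlib
import struct
from typing import Dict

# Payload SHA-256 listed in the indicators of compromise above
PAYLOAD_IOCS = {"6f4f4b2f1ef0493075d635beae94565cf6dc6437ce5a69e9ddaa9b5a7405a333"}


def looks_like_pe(data: bytes) -> bool:
    """DOS 'MZ' stub, e_lfanew at 0x3C pointing inside the buffer, and 'PE\\0\\0' there."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(decoded: bytes) -> Dict[str, object]:
    """What to record about a blob produced by the macro's decryption step."""
    digest = sha256_hex(decoded)
    return {"is_pe": looks_like_pe(decoded), "sha256": digest, "known_ioc": digest in PAYLOAD_IOCS}


def constructed_pe_stub() -> bytes:
    """Header-only bytes with a valid MZ/PE layout; not an executable, built to exercise the check."""
    buf = bytearray(0x80)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    buf[0x40:0x44] = b"PE\0\0"
    return bytes(buf)


if __name__ == "__main__":
    print(triage(constructed_pe_stub()))
    print(triage(b"just some text, not a program"))
```

A fresh download whose decoded form passes `looks_like_pe` but misses the IoC list is the usual case for a new wave of the same campaign, which is why the PE check, not the hash match, is the signal to act on.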


CVE-2019-0859 exploits active in the wild

The SonicWall Capture Labs Threat Research Team observed CVE-2019-0859 being actively exploited in the wild.

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

CVE-2019-0859 is a Use-After-Free vulnerability in the CreateWindowEx function. The exploit uses this vulnerability to elevate privilege and run shellcode.


The above code is used to execute arbitrary shellcode.

The injected shellcode payload (stored in $var_code) creates a named pipe. Any data read from the named pipe is executed directly as shellcode.

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

ASPY 5452: Malformed-File exe.MP.64

This threat is detected proactively by Capture ATP w/RTDMI.

Threat Graph:

IOC:

eea10d513ae0c33248484105355a25f80dc9b4f1cfd9e735e447a6f7fd52b569

9f9ea63ad90da73185ff84378844902bf5ce8af0f1b9c8895775697822652d4f

772392b04d05f4b219c20daafa9f2edf727f51ab09c9796e5cdfb4916432bb66

1dfc83d5bc38b88623d54103aa58a2c08b494bc0d0d1098e857dde87f0be0616