CVE-2020-17530: Apache struts vulnerability exploited in the wild

SonicWall Capture Labs Threat Research team has observed hackers actively targeting the recent remote code execution vulnerability in the Apache Struts framework.

This vulnerability is due to insufficient input validation, leading to a forced double OGNL evaluation when evaluating raw user input. A remote attacker could exploit this vulnerability by sending a crafted request to the target server. Successful exploitation will allow an attacker to execute arbitrary code with the privileges of the server.

Apache Struts:

Apache Struts is a modern Java framework that uses the Model, View, Controller (MVC) architecture for building enterprise-ready web applications.

Model – The central component, which manages the data, logic, and rules of the application.

View – Presents information to the user, sometimes allowing multiple views of the same information.

Controller – Accepts input and converts it to commands for the model or view.

Object-Graph Navigation Language (OGNL) is an open-source expression language for Java which, while using simpler expressions than the full range of those supported by the Java language, allows getting and setting properties as well as executing methods of Java classes.

OGNL uses Java reflection and inspection to address the Object Graph of the runtime application. This allows the program to change behavior based on the state of the object graph instead of relying on compile-time settings. It also allows changes to the object graph.

Due to its ability to create or change executable code, OGNL is capable of introducing critical security flaws to any framework that uses it.

Vulnerability | CVE-2020-17530 :

The OGNL context map is initialized with the mitigating controls that enforce the validations for accessing packages, classes, and their normally private or protected methods and fields. These controls are defined by an instance of the SecurityMemberAccess class. By leveraging introspection via a BeanMap instance, private properties of the SecurityMemberAccess instance can be accessed and modified. Most importantly, excludedClasses and excludedPackageNames, which hold the sets of excluded classes and package names respectively, can be cleared, effectively disabling every class and package access restriction.

An attacker is therefore able to completely disable all OGNL expression mitigation controls related to package and class access. Arbitrary code execution can then be realized by invoking suitable methods from previously disallowed classes, for example the Execute.exec() method from the freemarker.template.utility package.

Exploit:

SonicWall observed the below exploit request in which the BeanMap instance has been leveraged to access and modify the member access and set excludedClasses and excludedPackageNames to empty. One of the disallowed classes “Execute” from the “freemarker.template.utility” package that gives FreeMarker the ability to execute external commands is called to download and execute a malicious file.

Successful exploitation results in the execution of malicious payload “ssa” with the privileges of the server.

Trend Chart:

IPS hits for the signature “14514” in the last 40 days.

SonicWall Capture Labs Threat Research team protects against this exploit with the following signature:

IPS: 14514 Apache Struts OGNL Wildcard Remote Code Execution 8

Problem:

Some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.

Affected Products:

Apache Software Foundation Struts 2.0.0 through 2.5.25

Fix:

Avoid using forced OGNL evaluation on untrusted user input, and/or upgrade to Struts 2.5.26, which checks to ensure that expression evaluation won’t lead to the double evaluation.
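As an added example, not part of the SonicWall write-up, the following Python scans web-server access-log lines for the forced-evaluation markers and the member-access and FreeMarker names discussed above. The log layout and sample lines are constructed for the example, and decoding is repeated because probes of this kind are frequently percent-encoded more than once.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Indicators of a forced-OGNL-evaluation attempt against Struts (CVE-2020-17530):
# the %{...} / ${...} evaluation wrappers plus the member-access objects and the
# FreeMarker class named in the write-up. Token matching is case-insensitive.
FORCED_EVAL = re.compile(r"%\{|\$\{")
SUSPECT_TOKENS = (
    "securitymemberaccess",
    "excludedclasses",
    "excludedpackagenames",
    "beanmap",
    "freemarker.template.utility.execute",
)

# Combined-log-format access line (assumed layout for this example).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so multi-encoded input (%2525%257B -> %25%7B -> %{) is seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def score_request(target: str) -> list:
    """Return the (sorted) reasons a request target looks like an OGNL injection attempt."""
    reasons = set()
    parts = urlsplit(target)
    # parse_qsl decodes each value once; decode_fully handles any further layers.
    fields = [parts.path] + [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    for raw in fields:
        text = decode_fully(raw)
        if FORCED_EVAL.search(text):
            reasons.add("forced OGNL evaluation syntax")
        lowered = text.lower()
        for token in SUSPECT_TOKENS:
            if token in lowered:
                reasons.add("references " + token)
    return sorted(reasons)


def scan_log(log_text: str) -> list:
    """Return (source IP, request target, reasons) for every suspicious access-log line."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not a line in the expected layout
        reasons = score_request(match.group("target"))
        if reasons:
            findings.append((match.group("src"), match.group("target"), reasons))
    return findings


# Constructed sample: two probes (the second encoded twice) and two benign requests.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Dec/2020:10:01:02 +0000] "GET /index.action?id=%25%7Bexample.excludedClasses%7D HTTP/1.1" 200 512
198.51.100.7 - - [16/Dec/2020:10:01:05 +0000] "GET /index.action?id=42 HTTP/1.1" 200 2048
203.0.113.5 - - [16/Dec/2020:10:01:09 +0000] "GET /index.action?name=%2525%257Bx%257D HTTP/1.1" 200 512
198.51.100.7 - - [16/Dec/2020:10:01:12 +0000] "POST /login.action HTTP/1.1" 302 0
"""

if __name__ == "__main__":
    for src, target, reasons in scan_log(SAMPLE_LOG):
        print(src, target, "; ".join(reasons))
```

A hit on the %{ marker alone is a weaker signal than a hit on one of the member-access names, so in practice the two should be weighted differently before alerting.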

IOC (Attacker IPs):


Cybersecurity News & Trends – 12-18-20

This week, the massive SolarWinds breach made headlines around the world, but that doesn’t mean other hackers took a holiday.


SonicWall in the News

The 25 Hottest Edge Security Companies: 2020 Edge Computing 100 — CRN

  • SonicWall was recognized in CRN’s 2020 Edge Computing 100 list for its new SD-Branch and Cloud Edge Secure Access solutions.

Cyberattack ‘Leaves UK Infrastructure Exposed for Month’ — Newsweek

  • SonicWall President and CEO Bill Conner, who in recent years has advised the U.K. and U.S. governments on how best they can protect critical national assets from cybercrime, said the hackers appeared to be motivated by geopolitical control.

Cases of Cyber Ransomware Rising During COVID Pandemic — MSN

SonicWall Capture Labs Threat Research Team Warns of Egregor Ransomware Attacks — SME Channels

  • SonicWall Capture Labs Threat Research team warns that Egregor Ransomware attacks — which steal system information and banking and online account credentials, as well as deploy keyloggers and remote backdoors — will likely intensify.

SolarWinds Supply Chain Attack Led to FireEye, US Government Breaches — SDxCentral

  • Bill’s commentary on the U.S. Treasury hack was featured in an SDxCentral article about recent data breaches.

SonicWall Seeks The Bliss of The Predictable — ChannelPro Network

  • ChannelPro Network shared a feature on SonicWall’s SecureFirst Partner Program for its ChannelBeat column.

Industry News

SolarWinds Breach Potentially Gave Hackers ‘God Access’: Ex-White House Official — Newsweek

  • The SolarWinds breach potentially gave hackers “God access” or a “God door” to computer systems using the company’s Orion IT software, a former White House official has warned.

FireEye, Microsoft create kill switch for SolarWinds backdoor — Bleeping Computer

  • Microsoft, FireEye and GoDaddy have collaborated to create a kill switch for the SolarWinds Sunburst backdoor that forces the malware to terminate itself.

Little-Known SolarWinds Gets Scrutiny Over Hack, Stock Sales — Security Week

  • The revelation that elite cyber spies spent months exploiting SolarWinds’ software to peer into computer networks has put many of its high-profile customers on high alert — and it’s raising questions about whether company insiders knew of its security vulnerabilities as its biggest investors sold off stock.

Russia’s Hacking Frenzy Is a Reckoning — Wired

  • Despite years of warning, the U.S. still has no good answer for the sort of “supply chain” attack that has left Washington stunned.

Malicious Domain in SolarWinds Hack Turned into ‘Killswitch’ — Krebs on Security

  • A key malicious domain name used to control computer systems compromised via the months-long breach at SolarWinds was commandeered by security experts and used as a “killswitch” designed to turn the sprawling cybercrime operation against itself.

Schiff calls for ‘urgent’ work to defend nation in the wake of massive cyberattack — The Hill

  • House Intelligence Committee Chairman Adam Schiff, D-Calif., on Wednesday called on Congress to undertake “urgent work” to defend critical networks in the wake of a massive cyber espionage attack on the U.S. government.

FBI says DoppelPaymer ransomware gang is harassing victims who refuse to pay — ZDNet

  • FBI says the ransomware group has been calling victims and threatening to send individuals to their homes if they don’t pay the ransom.

“Evil mobile emulator farms” used to steal millions from US and EU banks — Ars Technica

  • Researchers from IBM Trusteer say they’ve uncovered a massive fraud operation that used a network of mobile device emulators to drain millions of dollars from online bank accounts in just days.

EU unveils revamp of cybersecurity rules days after hack — The Washington Times

  • The EU unveiled plans to revamp its dated cybersecurity rules, just days after data on a new coronavirus vaccine was unlawfully accessed in a hack attack on the European Medicines Agency.

45 million medical scans from hospitals all over the world left exposed online for anyone to view – some servers were laced with malware — The Register

  • CybelAngel, which sells a digital risk protection platform, reported not only was the sensitive personal information unsecured, but cybercriminals had also accessed those servers and poisoned them with apparent malware.

Microsoft: New malware can infect over 30K Windows PCs a day — Bleeping Computer

  • Microsoft has warned of an ongoing campaign pushing Adrozek, a new browser hijacking and credential-stealing malware which, at its peak, was able to take over more than 30,000 devices every day.

Massive Subway UK phishing attack is pushing TrickBot malware — Bleeping Computer

  • A massive phishing campaign pretending to be a Subway order confirmation has been spotted distributing the notorious TrickBot malware.

This new ransomware is growing in strength and could become a major threat warn researchers — ZDNet

  • The group behind MountLocker ransomware are “clearly just warming up,” researchers say.

In Case You Missed It

Mobef ransomware actively spreading in the wild

The SonicWall Capture Labs Threat Research team observed reports of a new variant family of Mobef ransomware actively spreading in the wild.

The Mobef ransomware encrypts the victim’s files with a strong encryption algorithm just for fun.

Infection Cycle:

The ransomware adds the following files to the system:

  • Malware.exe
    • %App.path%\IMPORTANT.README
    • %App.path%\SECRET.KEYFILE

Once the computer is compromised, the ransomware runs the following commands:

When Mobef is started, it creates and assigns a unique ID number to the victim, then scans all local drives for data files to encrypt.

When encrypting files it will use the AES encryption algorithm and only encrypt those files that match the following extensions:

mp3, mp4, jpe, jpg, kdc, mdb, mdf, mef, mrw, nef, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, rwl, srf, srw, wb2, wpd, wps, xlk, nrw, odb, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, xls, xlsb, xlsm, xlsx, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf.

Here is an example:

The ransomware encrypts all the files without changing their filename extension.

After encrypting all personal documents, the ransomware shows the following image containing a message reporting that the computer has been encrypted just for fun.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Mobef.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Massive Supply-Chain Attack Targets SolarWinds Orion Platform

As many as 300,000 businesses, organizations and government agencies could be at risk of compromise due to an attack exploiting vulnerabilities in SolarWinds’ Orion products. The threat actor behind the attack is believed to be APT29 (aka Cozy Bear), which primarily leverages a malware called SUNBURST to conduct a global supply-chain attack against the SolarWinds Orion platform, an enterprise-grade IT monitoring solution.

SolarWinds confirmed the attack and has been providing routine updates to the situation.

According to Reuters, sources say the breaches are connected to a broad campaign that also involved the recently disclosed hack on U.S. cybersecurity company FireEye, whose customers include both government and commercial entities.

On Dec. 13, the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) confirmed that malicious threat actors have been and are actively exploiting these vulnerabilities. Determining that the exploitation of SolarWinds products “poses an unacceptable risk,” CISA has issued an emergency directive instructing all federal agencies to disconnect affected devices immediately.

“Treat all hosts monitored by the SolarWinds Orion monitoring software as compromised by threat actors and assume that further persistence mechanisms have been deployed,” the directive stated.

Both SolarWinds and the CISA strongly suggest that organizations using SolarWinds Orion verify the version they’re running and upgrade immediately, if required.

According to SolarWinds, its federal customers include all branches of the U.S. military, the Pentagon, the State Department, the National Security Agency, the Department of Justice and the Office of the President of the United States.

But its customer list also includes more than 425 of the U.S. Fortune 500, the top 10 U.S. telecom companies and the top five U.S. accounting firms. SonicWall has confirmed it is not using a vulnerable SolarWinds Orion product and is not impacted by this threat.

What is SUNBURST?

FireEye says these attacks have already been observed worldwide, targeting government entities, technology companies, telecoms and consulting firms in North America, Europe, Asia and the Middle East — and it expects there are additional victims across other industries and countries.

The threat actor leverages a malware commonly called SUNBURST in what’s known as a manual supply-chain attack.

According to FireEye, the threat actor was able to hide malicious code in software updates provided to Orion customers, and through these trojanized updates, gain a foothold in the network through which to gain elevated credentials. Once the group has gained initial access, the company said, it uses various techniques to disguise their operations as they move laterally and exfiltrate data.

Which SolarWinds customers are impacted?

SolarWinds has asked impacted customers using Orion versions 2019.4 through 2020.2 HF1 to immediately upgrade to 2019.4 HF 6 or 2020.2.1 HF 1.

An additional hotfix release, 2020.2.1 HF2, anticipated to be made available on Dec. 15, will both replace the compromised component and provide several additional security enhancements. Please visit www.solarwinds.com/securityadvisory for more information about your Orion upgrade options.

SonicWall helps mitigate malicious activity against SolarWinds Orion

SonicWall Capture Labs threat researchers have investigated the vulnerability and published four Intrusion Prevention Signatures (IPS) that identify malicious activity against affected SolarWinds Orion versions, and two additional application notifications that detect and notify administrators if an organization has SolarWinds Orion deployed within its network. These signatures are applied automatically to SonicWall firewalls with active security subscriptions:

  • 15292: BACKDOOR SolarWinds Supply Chain Malware Activity 1
  • 15293: BACKDOOR SolarWinds Supply Chain Malware Activity 2
  • 15294: BACKDOOR SolarWinds Supply Chain Malware Activity 3
  • 15295: BACKDOOR SolarWinds Supply Chain Malware Activity 4
  • 15296: BUSINESS-APPS SolarWinds Orion (API Activity)
  • 2014: BUSINESS-APPS SolarWinds Orion (Update Activity)

SonicWall products and real-time security services can help organizations identify SUNBURST malware and other attacks against vulnerable SolarWinds Orion versions.

To verify you have the latest SonicWall IPS, please follow the steps in this knowledgebase (KB) article: https://www.sonicwall.com/support/knowledge-base/detailed-information-on-intrusion-prevention-signature-ips-signature-ids/170505742887527/

SolarWinds Orion Vulnerability

Updated January 15, 2021

The U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) have confirmed that malicious threat actors have been and are actively exploiting vulnerabilities in SolarWinds Orion products, specifically affected versions 2019.4 through 2020.2.1 HF1.

The threat actor primarily leverages a malware commonly known as SUNBURST to conduct a global supply-chain attack against the SolarWinds Orion platform. SolarWinds Orion is an enterprise-grade IT monitoring solution.

This malware was seen being distributed as part of SolarWinds Orion software updates from March 2020. As part of the software update, this malware comes in the form of a dynamic-link library (DLL) that was digitally signed by SolarWinds. Once loaded by the legitimate SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe, this malware is capable of transferring data, file execution, system profiling, rebooting and more.

Apart from being digitally signed, this malware employed other evasion tactics. These include using Teardrop, a memory-only dropper, to deploy a customized Cobalt Strike beacon. It also encoded strings such as domain names, user-agents, registry keys and others.

A few of the notable encoded strings are as follows:

  • 583da945-62af-10e8-4902-a8f205c72b2e -> the name of a named pipe which is used as a mutex to prevent multiple instances of the malware from running.
  • avsvmcloud[.]com -> one of the domain names this malware connects to.
  • SolarWindsOrionImprovementClient/3.0.0.382 -> the User-Agent field the malware uses during HTTP communication with the C&C server.

The Command & Control traffic is also difficult to detect, as it was designed to mimic legitimate SolarWinds API calls. Unlike other botnet malware, which connects to its C&C on a regular basis, SUNBURST only communicates with the malicious server once every 12 to 14 days.

SolarWinds has confirmed the attack and has asked impacted customers using Orion to immediately upgrade to 2019.4 HF 6 or 2020.2.1 HF 1. Please visit www.solarwinds.com/securityadvisory for more information about your Orion upgrade options.

Both SolarWinds and the CISA strongly suggest that organizations using SolarWinds Orion verify the version they’re running and upgrade immediately, if required.

SonicWall Capture Labs threat researchers have investigated the vulnerability and published multiple signatures in different categories that identify malicious activity against affected SolarWinds Orion versions. It includes application identification signatures that detect if an organization has SolarWinds Orion deployed within its network; malicious domain signatures; malicious IPs; malware such as Sunburst, Supernova and Teardrop. These signatures are applied automatically to SonicWall firewalls with active security subscriptions.

Application signatures – identify SolarWinds Orion applications:

  • 15296: BUSINESS-APPS SolarWinds Orion (API Activity)
  • 2014: BUSINESS-APPS SolarWinds Orion (Update Activity)

IPS signatures – identify malicious domains:

  • 15292: SolarWinds Supply Chain Malware Activity 1
  • 15293: SolarWinds Supply Chain Malware Activity 2
  • 15294: SolarWinds Supply Chain Malware Activity 3
  • 15295: SolarWinds Supply Chain Malware Activity 4
  • 15298: SolarWinds Supply Chain Malware Activity 5
  • 15299: SolarWinds Supply Chain Malware Activity 6
  • 15300: SolarWinds Supply Chain Malware Activity 7
  • 15301: SolarWinds Supply Chain Malware Activity 8
  • 15302: SolarWinds Supply Chain Malware Activity 9
  • 15303: SolarWinds Supply Chain Malware Activity 10
  • 15308: SolarWinds Supply Chain Malware Activity 11
  • 15309: SolarWinds Supply Chain Malware Activity 12
  • 15310: SolarWinds Supply Chain Malware Activity 13
  • 15311: SolarWinds Supply Chain Malware Activity 14
  • 15312: SolarWinds Supply Chain Malware Activity 15
  • 15313: SolarWinds Supply Chain Malware Activity 16
  • 15314: SolarWinds Supply Chain Malware Activity 17
  • 15315: SolarWinds Supply Chain Malware Activity 18
  • 15316: SolarWinds Supply Chain Malware Activity 19
  • 15317: SolarWinds Supply Chain Malware Activity 20

GAV signatures – identify malware: [Updated on Jan 14]

Sunburst – Backdoor malware that has been trojanized into multiple SolarWinds Orion update versions.

  • SunBurst.A (Trojan) IOC:d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600
  • SolarWinds.DL (Trojan), IOC:ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6
  • SunBurst.A_1 (Trojan), IOC:32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77
  • SunBurst.A_2 (Trojan), IOC:ad2fbf4add71f61173975989d1a18395afb8538ed889012b9d2e21c19e98bbd1
  • SunBurst.A_3 (Trojan), IOC:019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134

Supernova – a webshell planted in the code of the Orion network and application monitoring platform that enabled adversaries to run arbitrary code on machines running the trojanized versions of the software.

  • Injector.DN_35 (Trojan) IOC:c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71
  • Supernova.A_1 (Trojan), IOC:1c96021ac8cb52173e762f6b008fb4c6e5ef113e6baa4e2cf4848e88c61d9700

Teardrop – a memory-only dropper that runs as a service

  • Teardrop.B (Trojan), IOC:6e4050c6a2d2e5e49606d96dd2922da480f2e0c70082cc7e54449a7dc0d20f8d

Domain Blacklist: [Updated on Jan 15]

  • avsvmcloud.com
  • digitalcollege.org
  • freescanonline.com
  • deftsecurity.com
  • thedoccloud.com
  • virtualdataserver.com
  • incomeupdate.com
  • databasegalore.com
  • panhardware.com
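As an added example, not part of the advisory, the following Python checks proxy-log lines against the domain blacklist and the C&C User-Agent listed above. The log layout, client addresses and subdomain are constructed for the example; hosts are matched by suffix so that any subdomain of a listed domain is flagged too.

```python
import re

# Indicators taken from the advisory: the domain blacklist and the User-Agent
# SUNBURST presents during HTTP communication with its C&C server.
SUNBURST_DOMAINS = (
    "avsvmcloud.com", "digitalcollege.org", "freescanonline.com",
    "deftsecurity.com", "thedoccloud.com", "virtualdataserver.com",
    "incomeupdate.com", "databasegalore.com", "panhardware.com",
)
SUNBURST_USER_AGENT = "SolarWindsOrionImprovementClient/3.0.0.382"

# Assumed proxy-log layout for this example: timestamp, client IP, destination host, quoted User-Agent.
PROXY_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) "(?P<ua>[^"]*)"$')


def host_is_listed(host: str) -> bool:
    """True if host equals, or is a subdomain of, a blacklisted SUNBURST domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in SUNBURST_DOMAINS)


def classify(line: str):
    """Return (client IP, list of matched indicators) for one proxy-log line."""
    match = PROXY_RE.match(line)
    if not match:
        return None, []  # not a line in the expected layout
    hits = []
    if host_is_listed(match.group("host")):
        hits.append("blacklisted domain: " + match.group("host"))
    if match.group("ua") == SUNBURST_USER_AGENT:
        hits.append("SUNBURST User-Agent")
    return match.group("client"), hits


def scan_proxy_log(log_text: str) -> dict:
    """Map each client IP to the set of indicators it triggered anywhere in the log."""
    by_client = {}
    for line in log_text.splitlines():
        client, hits = classify(line)
        if hits:
            by_client.setdefault(client, set()).update(hits)
    return by_client


# Constructed sample: one client beaconing to a subdomain of a listed domain with the
# malicious User-Agent, one that only trips the User-Agent check, and benign traffic.
SAMPLE_PROXY_LOG = """\
2020-12-16T10:00:00Z 10.0.0.21 example-host.avsvmcloud.com "SolarWindsOrionImprovementClient/3.0.0.382"
2020-12-16T10:00:03Z 10.0.0.22 updates.example.net "SolarWindsOrionImprovementClient/3.0.0.382"
2020-12-16T10:00:07Z 10.0.0.23 www.example.org "Mozilla/5.0"
"""

if __name__ == "__main__":
    for client, hits in sorted(scan_proxy_log(SAMPLE_PROXY_LOG).items()):
        print(client, "; ".join(sorted(hits)))
```

Because SUNBURST beacons only once every 12 to 14 days, the scan should be run over retained history rather than the current day's log alone.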

SonicWall products and real-time security services can help organizations identify and mitigate SUNBURST malware and other attacks against vulnerable SolarWinds Orion versions.

To verify you have the latest SonicWall Intrusion Prevention Signatures (IPS), please follow the steps in this knowledgebase (KB) article: https://www.sonicwall.com/support/knowledge-base/detailed-information-on-intrusion-prevention-signature-ips-signature-ids/170505742887527/

Cybersecurity News & Trends – 12-11-20

This week, cybersecurity news moved to the federal level as nation-state hacking and international cybersecurity cooperation made headlines.


SonicWall in the News

SonicWall Wins Six Prestigious Awards In The 15th Annual Network Product Guide’s 2020 IT World Awards — SonicWall Press Release

  • SonicWall has swept six industry awards at the 15th Annual Network Product Guide’s 2020 IT World Awards, including the coveted Grand Trophy distinction for having exhibited overall excellence in diverse categories.

An Outside View of Cybersecurity ‘Inside the Beltway’ — Federal News Network

  • Federal News Network shared a podcast interview with SonicWall President and CEO Bill Conner on the persistent threats impacting the federal space and how ransomware and IoT will impact federal IT systems moving forward.

FDA Approval Is Not The Only Vaccine Challenge — Industry Week

  • Bill Conner explains how cybercriminals could impact the vaccine supply chain if a successful attack is to occur, and what organizations need to do to defend themselves.

Healthcare in Crisis: Diagnosing Cybersecurity Shortcomings in Unprecedented Times — Threatpost

  • The pandemic’s unprecedented impact on healthcare lay bare the gaping holes in the healthcare industry’s cybersecurity defenses — and security experts say the fallout will impact the healthcare industry well into 2021.

Industry News

Russian hackers hide Zebrocy malware in virtual disk images — Bleeping Computer

  • Russian-speaking hackers behind Zebrocy malware have changed their technique and are now packing the threats in virtual hard drives (VHD) to avoid detection.

Ransomware gangs are getting faster at encrypting networks. That will make them harder to stop — ZDNet

  • The window for finding attackers on your network before ransomware is deployed is getting much smaller.

Russia’s FireEye Hack Is a Statement—but Not a Catastrophe — Wired

  • The cybersecurity firm has acknowledged that it has itself been the victim of a breach — and that the attackers made off with some of its offensive tools.

Norwegian police implicate Fancy Bear in parliament hack, describe ‘brute forcing’ of email accounts — Cyberscoop

  • In their accusation of Russian involvement in an August cyberattack on Norwegian parliament, authorities have implicated the same notorious group accused of interfering in the 2016 U.S. election.

Critical Flaws in Millions of IoT Devices May Never Get Fixed — Wired

  • Amnesia:33 is the latest in a long line of vulnerabilities that affect countless embedded devices.

Credit card stealing malware bundles backdoor for easy reinstall — Bleeping Computer

  • An almost-impossible-to-remove malware, programmed to automatically activate on Black Friday, was deployed on multiple Magento-powered online stores.

The EU is making overtures about cybersecurity collaboration under Biden — Cyberscoop

  • European Union members convened in an effort to take stock of the U.S. presidential election and plan how to best jumpstart cooperation with the incoming Biden administration on matters including cybersecurity.

U.S. National Security Agency warns of Russian hacking against VMware products — Reuters

  • A new cybersecurity alert from the U.S. National Security Agency warns that Russian “state-sponsored” hackers are actively exploiting a software vulnerability in multiple products made by cloud computing company VMware Inc.

Iranian Hackers Access Unprotected ICS at Israeli Water Facility — Security Week

  • A group of Iranian hackers recently posted a video showing how they managed to access an industrial control system at a water facility in Israel.

Man Pleads Guilty to Role in Malware Protection Scam — Security Week

  • A man has pleaded guilty to his role in a computer protection services scam that cheated victims out of nearly $1 million by misleading them into believing that malware had been detected on their computers.

U.S. and Australia to develop shared cyberattack training platform — Bleeping Computer

  • The U.S. and Australia have signed a first-ever bilateral agreement that allows the U.S. Cyber Command and Australia’s Information Warfare Division to jointly develop and share a virtual cyber training platform.

Android apps with millions of downloads are vulnerable to serious attacks — Ars Technica

  • Android apps with hundreds of millions of downloads are vulnerable to attacks that allow malicious apps to steal contacts, login credentials, private messages and other sensitive information.

Home Offices Face Bigger Cyber Threat, Biden Top Economist Warns — Bloomberg

  • Brian Deese, chosen by Biden to lead the National Economic Council, said in an interview broadcast Wednesday, “The risk of operating from home offices in terms of cyberattacks is exponentially greater.”

In Case You Missed It

Breach of FireEye Offensive Tools

On December 8, 2020, the cybersecurity firm FireEye disclosed an incident that resulted in the theft of the offensive security tools (OSTs) used by its Red Team to test the security posture of its customers.

Some of these tools look like the well-known offensive framework Cobalt Strike. This is evident in the naming convention used by FireEye.

In response to the breach, FireEye has provided Red Team tool countermeasures, which are available on GitHub. These countermeasures include rules in multiple languages such as Snort, Yara, ClamAV, and HXIOC. Since none of these tools leverages a 0-day vulnerability, FireEye also provided a list of the CVEs used by these tools.

An important aspect of preventing the use of these red-teaming tools in your environment is to address the vulnerabilities they are known to exploit.

SonicWall Capture Labs Threat Research team provides protection against the list of CVEs shown above, as well as the Beacon tool used by the FireEye Red Team, with the following signatures:

IPS:14422 Pulse Connect Secure Information Disclosure
IPS:15143 Windows Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472) 1
IPS:15156 Windows Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472) 2
IPS:15158 Windows Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472) 3
IPS:15185 Windows Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472) 4
IPS:15081 Fortinet SSL VPN Web Portal Directory Traversal
IPS:13910 Adobe ColdFusion Arbitrary File Upload 1
IPS:14689 Microsoft SharePoint Remote Code Execution (FEB 19)
IPS:14225 Remote Desktop Services Remote Code Execution (MAY 19)
IPS:14725 Citrix NetScaler ADC/Gateway Directory Traversal 2
IPS:14886 ManageEngine Desktop Central Insecure Deserialization
IPS:14826 Microsoft Exchange Server Remote Code Execution (CVE-2020-0688)
IPS:14888 Microsoft Exchange Server Remote Code Execution (CVE-2020-0688) 2
IPS:14889 Microsoft Exchange Server Remote Code Execution (CVE-2020-0688) 3
IPS:14890 Microsoft Exchange Server Remote Code Execution (CVE-2020-0688) 4
IPS:11556 Win32k Elevation of Privilege (MS16-039) 2
IPS:2007 FireEye RUBEUS nonce 2 TCP
IPS:2009 FireEye RUBEUS nonce 2 UDP
IPS:15285 FireEye BEACON CSBundle USAToday Server
IPS:15286 FireEye RUBEUS Process
IPS:15287 FireEye GORAT Build ID
IPS:15288 FireEye BEACON CSBundle Original Stager

SonicWall Sweeps Six Industry Awards, Including Grand Trophy, at Network Product Guide 2020 IT World Awards

On the heels of a banner year, marked by the introduction of the Boundless Cybersecurity model and an unprecedented number of new product launches, SonicWall is pleased to announce it has won six prestigious awards in the 15th annual Network Product Guide’s 2020 IT World Awards event:

  • SonicWall GRAND TROPHY WINNER
  • Enterprise Network Firewalls: GOLD WINNER, NSsp 15700
  • Firewalls: SILVER WINNER, TZ570/670
  • Information Security and Risk Management: BRONZE WINNER, SonicWall Network Security Manager
  • Security Hardware: GOLD WINNER, SonicWall Capture Security appliance 1000
  • Unified or Integrated Security: GOLD WINNER, SonicOSX 7

Based on its demonstration of overall excellence in a range of categories, as well as the quality of its entry submissions and content, SonicWall was awarded the coveted Grand Trophy distinction. This excellence was reflected in the latest SonicWall releases, from SonicOSX 7 and the growing lineup of firewalls running it, to improvements in Network Security Manager (NSM) and the introduction of our brand-new Capture Security appliance (CSa) technology.

SonicOSX 7 took home the gold for its revolutionary architecture, which was designed to enable the latest features necessary for modern enterprises. These include Unified Policy, which combines Layer Three through Seven rules into a single rule base for an easier and more intuitive configuration, along with support for a true multi-instance architecture, which allows customers to provide tenants with dedicated resources to enable support for unique configurations and software versions.

The introduction of true multi-instance architecture is essential for our high-end Next-Generation Firewall (NGFW) line and helps distinguish it in the enterprise firewall market. This capability, as well as its comparative price/performance, port density and the availability of 100GbE ports are just some of the features that propelled the NSsp 15700 to the top, earning it a Gold award in Enterprise Network Firewalls category.

Our November product launch introduced a full Gen 7 TZ Series refresh — but only the TZ570 and TZ670 were ready to be judged by the submission deadline. With only two models in the line, the Gen 7 TZ line still won a Silver award for Firewalls.

(It’s worth noting that the NSa 2700 NGFW was also part of the November launch, and was released after the window for review. As the natural successor to the NSa 2650 — which was named “Best UTM” in early 2020 by SC Awards Magazine — we expect the NSa 2700 to start winning similar awards in the future.)

To complement our firewalls and help maintain compliance for those who can’t use Capture Advanced Threat Prevention (Capture ATP) for unknown malware detection, we created the CSa 1000, which uses the memory-based RTDMI engine and features an improved UI. Network Products Guide was able to review the benefits that the on-premises CSa 1000 brings to compliance-sensitive customers that need advanced threat detection technology, and they proudly awarded it the gold medal for security hardware.

As SonicWall introduced greater and stronger capabilities and a growing number of security options, our customers began requesting a way to improve firewall management across even the largest and most distributed enterprises. The SonicWall NSM 2.0 SaaS was designed to better control, manage and monitor tens of thousands of network security devices — including firewalls, managed switches and secure wireless access points — from anywhere via a simple cloud interface. Network Product Guide recognized SonicWall’s ability to effectively manage this ecosystem by awarding it the Bronze award for Information Security and Risk Management.

If you would like to talk with our team about these solution sets and how they can work together to build a better security ecosystem for you, email our team. In the meantime, if you’d like to see how SonicWall solutions are used in real life, I recommend reading our solution brief, “Securing Smart Cities Over Distributed Networks.”

An Android stealer with a multitude of spyware capabilities

The SonicWall Threats Research team came across an Android spyware that steals sensitive user information and sends it to the attacker. The app has a plethora of functionalities centered on stealing information from the device. However, a more concerning element of the malware is that all the stolen information is transmitted over an unencrypted HTTP channel.

Infection Cycle

Details of the sample analyzed:

  • MD5: 5c698417916ab2a9df1d577507be5725
  • App Name: 19금 틱톡 (19 gold tiktok)
  • Package Name: com.yjx.callservice

Upon installation the app is visible in the app drawer as follows:

Upon execution, the app starts communicating with the attacker using the hardcoded IP 116.193.152.176:7788. The communication happens over plain HTTP, which means any user information sent to the attacker travels over an unencrypted channel. One of the first things the app does is create a unique ID for the infected device; this ID is saved locally in the shared_prefs file and then sent to the attacker to report the initial infection. This is performed using a POST request to addNewUser, as shown below:

The malware then sends the following data from the infected device:

  • Contacts on the device are sent to addContactes (notice the spelling error):

  • Apps installed are sent to addAppes (another spelling mistake):

There are additional interesting API requests present in the code that highlight the features and capabilities of this malware:

  • addNewAccount
  • addNewCallloges
  • addNewLocation
  • addNewSmses
  • getAllBlackList
  • editUserMobileNetwork
  • findCall
  • getRealPhone
  • getAllIncoming
  • uploadFile
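The C2 traffic described above (plaintext HTTP to the hardcoded 116.193.152.176:7788 endpoint, and POSTs to the API names listed) lends itself to a simple network detection. The following is an added example, not code from the original analysis: it scans constructed proxy-log lines and reports both direct contact with the known C2 and the weaker signal of a client POSTing over plain HTTP to several of the malware's API names on some other host.

```python
import re
from typing import Dict, Optional

# Constructed proxy-log sample (not real traffic): client, method, URL.
SAMPLE_LOG = """\
10.0.0.21 POST http://116.193.152.176:7788/addNewUser
10.0.0.21 POST http://116.193.152.176:7788/addContactes
10.0.0.21 POST http://116.193.152.176:7788/addAppes
10.0.0.21 POST http://116.193.152.176:7788/addNewSmses
10.0.0.45 POST https://api.example.org/addNewUser
10.0.0.52 GET http://203.0.113.7/uploadFile
10.0.0.60 POST http://198.51.100.9/addNewSmses
10.0.0.60 POST http://198.51.100.9/addNewCallloges
"""

# Indicators from the analysis: hardcoded C2 endpoint and API names (misspellings kept).
C2_ENDPOINT = "116.193.152.176:7788"
API_PATHS = {
    "addNewUser", "addContactes", "addAppes", "addNewAccount",
    "addNewCallloges", "addNewLocation", "addNewSmses", "getAllBlackList",
    "editUserMobileNetwork", "findCall", "getRealPhone", "getAllIncoming",
    "uploadFile",
}
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(https?)://([^/\s]+)(/\S*)?$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into client, method, scheme, host[:port], path."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, method, scheme, host, path = m.groups()
    return {"client": client, "method": method, "scheme": scheme,
            "host": host, "path": (path or "/").lstrip("/")}


def scan(log_text: str, min_paths: int = 2) -> Dict[str, object]:
    """Strong signal: any contact with the known C2. Weaker signal: plaintext
    POSTs to >= min_paths of the malware's API names on another host."""
    c2_contacts: Dict[str, list] = {}
    plaintext_api: Dict[str, set] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["host"] == C2_ENDPOINT:
            c2_contacts.setdefault(rec["client"], []).append(rec["path"])
        elif (rec["scheme"] == "http" and rec["method"] == "POST"
              and rec["path"] in API_PATHS):
            plaintext_api.setdefault(rec["client"], set()).add(rec["path"])
    suspects = sorted(c for c, p in plaintext_api.items() if len(p) >= min_paths)
    return {"c2_contacts": c2_contacts, "suspected_variants": suspects}
```

The HTTPS request to a legitimate-looking API and the lone GET are deliberately left unflagged; requiring several distinct API names over plaintext keeps the weaker rule from firing on ordinary web traffic.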

Functionalities in the code

The malware is capable of communicating with the attacker over WebSocket. It can execute the following functionality based on the command code received via WebSocket:

  • take_photo

  • start_record

There are additional traces in the code which reveal more functionality of the malware. It is capable of the following:

  • Steal all the SMS on the device:

  • Steal the call logs from the device:

  • Steal all contacts:

  • Get all apps installed on the device; we saw this functionality being used via network communication earlier:

Additional investigation

  • A network graph of the attacker’s domain reveals two additional apps that communicate with it:

  • The two APKs related to this campaign have similar functionality. Below are their MD5s:
    • e8509b2a57423a1b4b2d8bcf33973974
    • b67d42100440dd6c03b56da2c71b5130

  • The hardcoded attacker’s domain opens a login page. As mentioned before, this happens over plain HTTP, so any sensitive information can be further snooped by a third party:

  • The following hardcoded information is present in the code:

Attacker server IP:

Gmail credentials:

QQ chat id:

Overall, this malware is geared towards stealing sensitive user information from an infected device. The log messages and text present in the code are Korean; additionally, the language used on the attacker’s server login page is Korean as well.

SonicWall Capture Labs provides protection against this threat with the following signature:

  • Banker.SP (Trojan)

Indicators of Compromise (IOCs):

  • 5c698417916ab2a9df1d577507be5725
  • e8509b2a57423a1b4b2d8bcf33973974
  • b67d42100440dd6c03b56da2c71b5130

Microsoft Security Bulletin Coverage for December 2020

The SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of December 2020. A list of the issues reported, along with SonicWall coverage information, is as follows:

CVE-2020-17096 Windows NTFS Remote Code Execution Vulnerability
ASPY 136: Malformed-File dll.MP.6

CVE-2020-17121 Microsoft SharePoint Remote Code Execution Vulnerability
ASPY 135: Malformed-File cab.MP.2

CVE-2020-17140 Windows SMB Information Disclosure Vulnerability
IPS 15284: Windows SMBv2 Information Disclosure (CVE-2020-17140)

CVE-2020-17144 Microsoft Exchange Remote Code Execution Vulnerability
ASPY 134: Malformed-File exe.MP.167

CVE-2020-17152 Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability
IPS 15283: Microsoft Dynamics 365 Remote Code Execution Vulnerability

CVE-2020-17158 Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability
IPS 15283: Microsoft Dynamics 365 Remote Code Execution Vulnerability

The following vulnerabilities have no known exploits in the wild:

  • CVE-2020-16958 Windows Backup Engine Elevation of Privilege Vulnerability
  • CVE-2020-16959 Windows Backup Engine Elevation of Privilege Vulnerability
  • CVE-2020-16960 Windows Backup Engine Elevation of Privilege Vulnerability
  • CVE-2020-16961 Windows Backup Engine Elevation of Privilege Vulnerability
  • CVE-2020-16962 Windows Backup Engine Elevation of Privilege Vulnerability
  • CVE-2020-16963 Windows Backup Engine Elevation of Privilege Vulnerability
  • CVE-2020-16964 Windows Backup Engine Elevation of Privilege Vulnerability
  • CVE-2020-16971 Azure SDK for Java Security Feature Bypass Vulnerability
  • CVE-2020-16996 Kerberos Security Feature Bypass Vulnerability
  • CVE-2020-17002 Azure SDK for C Security Feature Bypass Vulnerability
  • CVE-2020-17089 Microsoft SharePoint Elevation of Privilege Vulnerability
  • CVE-2020-17092 Windows Network Connections Service Elevation of Privilege Vulnerability
  • CVE-2020-17094 Windows Error Reporting Information Disclosure Vulnerability
  • CVE-2020-17095 Hyper-V Remote Code Execution Vulnerability
  • CVE-2020-17097 Windows Digital Media Receiver Elevation of Privilege Vulnerability
  • CVE-2020-17098 Windows GDI+ Information Disclosure Vulnerability
  • CVE-2020-17099 Windows Lock Screen Security Feature Bypass Vulnerability
  • CVE-2020-17103 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
  • CVE-2020-17115 Microsoft SharePoint Spoofing Vulnerability
  • CVE-2020-17117 Microsoft Exchange Remote Code Execution Vulnerability
  • CVE-2020-17118 Microsoft SharePoint Remote Code Execution Vulnerability
  • CVE-2020-17119 Microsoft Outlook Information Disclosure Vulnerability
  • CVE-2020-17120 Microsoft SharePoint Information Disclosure Vulnerability
  • CVE-2020-17122 Microsoft Excel Remote Code Execution Vulnerability
  • CVE-2020-17123 Microsoft Excel Remote Code Execution Vulnerability
  • CVE-2020-17124 Microsoft PowerPoint Remote Code Execution Vulnerability
  • CVE-2020-17125 Microsoft Excel Remote Code Execution Vulnerability
  • CVE-2020-17126 Microsoft Excel Information Disclosure Vulnerability
  • CVE-2020-17127 Microsoft Excel Remote Code Execution Vulnerability
  • CVE-2020-17128 Microsoft Excel Remote Code Execution Vulnerability
  • CVE-2020-17129 Microsoft Excel Remote Code Execution Vulnerability
  • CVE-2020-17130 Microsoft Excel Security Feature Bypass Vulnerability
  • CVE-2020-17131 Chakra Scripting Engine Memory Corruption Vulnerability
  • CVE-2020-17132 Microsoft Exchange Remote Code Execution Vulnerability
  • CVE-2020-17133 Microsoft Dynamics Business Central/NAV Information Disclosure
  • CVE-2020-17134 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
  • CVE-2020-17135 Azure DevOps Server Spoofing Vulnerability
  • CVE-2020-17136 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
  • CVE-2020-17137 DirectX Graphics Kernel Elevation of Privilege Vulnerability
  • CVE-2020-17138 Windows Error Reporting Information Disclosure Vulnerability
  • CVE-2020-17139 Windows Overlay Filter Security Feature Bypass Vulnerability
  • CVE-2020-17141 Microsoft Exchange Remote Code Execution Vulnerability
  • CVE-2020-17142 Microsoft Exchange Remote Code Execution Vulnerability
  • CVE-2020-17143 Microsoft Exchange Information Disclosure Vulnerability
  • CVE-2020-17145 Azure DevOps Server and Team Foundation Services Spoofing Vulnerability
  • CVE-2020-17147 Dynamics CRM Webclient Cross-site Scripting Vulnerability
  • CVE-2020-17148 Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability
  • CVE-2020-17150 Visual Studio Code Remote Code Execution Vulnerability
  • CVE-2020-17153 Microsoft Edge for Android Spoofing Vulnerability
  • CVE-2020-17156 Visual Studio Remote Code Execution Vulnerability
  • CVE-2020-17159 Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability
  • CVE-2020-17160 Azure Sphere Security Feature Bypass Vulnerability