Cybersecurity News & Trends – 02-26-21

This week, SonicWall was recognized as one of the coolest network security companies of 2021. Less cool: a huge spate of cyberattacks targeting the NSA, hospitals, universities, airlines, IT companies and even Apple’s new M1 silicon.


SonicWall in the News

The 20 Coolest Network Security Companies of 2021: The Security 100 — CRN

  • SonicWall was included on CRN’s list of the 20 Coolest Network Security Companies.

The Top 6 Enterprise VPNs To Use in 2021 — TechRepublic

  • SonicWall’s Global VPN Client is cited as one of the top VPNs for enterprises.

Experts Blast SMBs’ “Head In The Sand” Approach To Cyber Security — IT PRO

  • From failing to patch exposed VPNs to meeting ransom demands, businesses are playing a role in fueling the threat landscape.

Industry News

Hackers Tied to Russia’s GRU Targeted the US Grid for Years, Researchers Warn — Wired

  • A Sandworm-adjacent group has successfully breached U.S. critical infrastructure a handful of times, according to new findings from the security firm Dragos.

COVID pandemic causes spike in cyberattacks against hospitals, medical companies — ZDNet

  • IBM says attack rates have doubled against medical entities since the pandemic began.

After Russian Cyberattack, Looking for Answers and Debating Retaliation — The New York Times

  • Key senators and corporate executives warned that the “scope and scale” of the SolarWinds attack were unclear, and that the attack might still be ongoing.

LazyScripter hackers target airlines with remote access trojans — Bleeping Computer

  • Security researchers believe they uncovered activity belonging to a previously unidentified actor fitting the description of an advanced persistent threat (APT).

10K Targeted in Phishing Attacks Spoofing FedEx, DHL Express — Dark Reading

  • The two campaigns aimed to steal victims’ business email account credentials by posing as the shipping companies.

NASA and the FAA were also breached by the SolarWinds hackers — Bleeping Computer

  • NASA and the U.S. Federal Aviation Administration (FAA) have reportedly also been compromised by the nation-state hackers behind the SolarWinds supply-chain attack.

Ransomware: Sharp rise in attacks against universities as learning goes online — ZDNet

  • Higher education is struggling with ransomware attacks, with gangs seeing an easy target in institutions busy making the switch to remote operations.

Finnish IT Giant Hit with Ransomware Cyberattack — Threat Post

  • A major Finnish IT provider has been hit with ransomware, forcing the company to turn off some services and infrastructure while it takes recovery measures.

Chinese spyware code was copied from America’s NSA: researchers — The Wall Street Journal

  • Chinese spies used code first developed by the U.S. National Security Agency to support their hacking operations — another example of how malicious software developed by governments can boomerang against their creators.

Malware monsters target Apple’s M1 silicon with ‘Silver Sparrow’ — The Register

  • U.S. security consultancy Red Canary says it’s found macOS malware written specifically for the shiny new M1 silicon that Apple created to power its post-Intel Macs.

Global Accellion data breaches linked to Clop ransomware gang — Bleeping Computer

  • Financially motivated hacker groups combined multiple zero-day vulnerabilities and a new web shell to breach up to 100 companies using Accellion’s legacy File Transfer Appliance.

In Case You Missed It

Critical remote code execution flaw in VMware is being actively exploited

A critical remote code execution vulnerability has been reported in VMware’s vSphere/vCenter. The vulnerability is due to improper validation of paths in an uploaded tarball. A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted request to the target server. Successful exploitation can result in code execution in the context of the target process.

CVE-2021-21972:

vCenter Server is the centralized management utility for VMware and is used to manage virtual machines. The vulnerability is reported in the vRealize Operations (vROps) plugin that ships with the default installation of vCenter. This plugin allows unauthorized file upload and fails to validate the paths provided in the uploaded tarball. An unauthenticated, remote attacker could exploit this vulnerability by uploading a specially crafted file to a vulnerable vCenter Server endpoint that is publicly accessible over port 443. Successful exploitation would give an attacker unrestricted RCE privileges on the underlying operating system that hosts vCenter Server.

In most cases, vCenter is available only to users with access to internal networks. According to Shodan, however, more than 6000 vCenter servers are exposed online and vulnerable to attack.

Bad Packets observed mass scanning activity for CVE-2021-21972, searching for vulnerable vCenter servers.

According to the SANS Internet Storm Center, attack activity on port 443 has increased significantly over the last few days. Attackers are likely scanning for vulnerable vCenter servers.
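The defect the advisory describes is a missing path check on the members of an uploaded tarball. As an added example (not VMware's or SonicWall's code), this is the validation an upload handler should apply before extracting any archive; the destination path and the archive contents are constructed.

```python
"""Validate tar members before extraction (the check missing in CVE-2021-21972).

Added example for the vCenter write-up above, not VMware's or SonicWall's code.
The write-up says the plugin failed to validate the paths inside an uploaded
tarball; this is the validation an upload handler should perform, using only
Python's tarfile module, so no member can write outside the destination.
"""
import io
import os
import tarfile


class UnsafeTarMember(ValueError):
    """Raised when an archive member would land outside the destination."""


def _resolves_inside(dest: str, relative: str) -> bool:
    """True if dest/relative still lies within dest after '..' normalisation."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, relative))
    return target == dest_real or target.startswith(dest_real + os.sep)


def check_member(member: tarfile.TarInfo, dest: str) -> None:
    """Reject absolute paths, '..' traversal, escaping links and odd member types."""
    name = member.name
    if os.path.isabs(name) or name.startswith(("/", "\\")):
        raise UnsafeTarMember(f"absolute path: {name!r}")
    if not _resolves_inside(dest, name):
        raise UnsafeTarMember(f"path traversal: {name!r}")
    if member.issym() or member.islnk():
        # A link pointing outside dest lets a later member write through it.
        # Symlink targets are relative to the link's directory; hard-link
        # targets are archive paths relative to the archive root.
        if member.issym():
            target = os.path.join(os.path.dirname(name), member.linkname)
        else:
            target = member.linkname
        if os.path.isabs(member.linkname) or not _resolves_inside(dest, target):
            raise UnsafeTarMember(f"link escapes destination: {name!r} -> {member.linkname!r}")
    elif not (member.isfile() or member.isdir()):
        raise UnsafeTarMember(f"unsupported member type: {name!r}")


def member_verdict(member: tarfile.TarInfo, dest: str) -> str:
    """'ok' or the reason the member would be rejected."""
    try:
        check_member(member, dest)
        return "ok"
    except UnsafeTarMember as exc:
        return str(exc)


def audit_archive(data: bytes, dest: str = "/srv/uploads") -> str:
    """Validate every member of an in-memory tarball; 'ok' or the first rejection.

    Nothing is written: the whole archive is validated before any extraction,
    so a bad member near the end cannot follow a partial extract.
    """
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as archive:
        for member in archive.getmembers():
            verdict = member_verdict(member, dest)
            if verdict != "ok":
                return verdict
    return "ok"


def extract_upload(data: bytes, dest: str) -> list:
    """Extract only after audit_archive passed; returns the extracted names."""
    verdict = audit_archive(data, dest)
    if verdict != "ok":
        raise UnsafeTarMember(verdict)
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as archive:
        members = archive.getmembers()
        archive.extractall(dest, members=members)
        return [m.name for m in members]


def build_tar(entries: dict) -> bytes:
    """Build an in-memory tar from {name: bytes} (constructed test input only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as archive:
        for name, content in entries.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(content)
            archive.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def make_member(name: str, linkname: str = None) -> tarfile.TarInfo:
    """Construct a TarInfo: a regular file, or a symlink when linkname is given."""
    info = tarfile.TarInfo(name=name)
    if linkname is not None:
        info.type = tarfile.SYMTYPE
        info.linkname = linkname
    return info


if __name__ == "__main__":
    print(audit_archive(build_tar({"plugin/data.txt": b"hello"})))
    print(audit_archive(build_tar({"../../../../tmp/evil.txt": b"x"})))
```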

Fix:

The affected vCenter Server plugin for vROPs is available in all default installations.

Impacted product versions:

  • 7.0 prior to 7.0 U1c
  • 6.7 prior to 6.7 U3l
  • 6.5 prior to 6.5 U3n

Upgrade to one of the patched versions: 7.0 U1c, 6.7 U3l or 6.5 U3n. If upgrading is not feasible, follow the workaround in VMware KB82374 to disable the vulnerable plugin.

Find VMware security advisory here

SonicWall Capture Labs Threat Research team provides protection against this vulnerability with the following signatures.

IPS: 15403 VMware vCenter Server VMSA-2021-0002 Remote Code Execution (Linux)
IPS: 15404 VMware vCenter Server VMSA-2021-0002 Remote Code Execution (Windows)
IPS: 15406 VMware vCenter Server vropspluginui Access
IPS: 15408 VMware vCenter Server VMSA-2021-0002 Remote Code Execution 3
IPS: 15409 VMware vCenter Server VMSA-2021-0002 Remote Code Execution 4
IPS: 15410 VMware vCenter Server VMSA-2021-0002 Remote Code Execution 5
IPS: 15411 VMware vCenter Server VMSA-2021-0002 Remote Code Execution 6
IPS: 15412 VMware vCenter Server VMSA-2021-0002 Remote Code Execution 7

Parasite ransomware targeting French users actively spreading in the wild

The SonicWall Capture Labs Threat Research team observed reports of a new variant family of Parasite ransomware actively spreading in the wild.

The Parasite ransomware encrypts the victim’s files with a strong encryption algorithm until the victim pays a fee to get them back.

The ransomware targets French-speaking users and is designed for a very specific region.

Infection Cycle:

The ransomware adds the following files to the system:

  • Malware.exe
    • %App.path%\[Filename].Parasite

Once the computer is compromised, the ransomware runs the following commands:

When Parasite is started it will create and assign a unique ID number to the victim then scan all local drives for data files to encrypt.

When encrypting files it will use the AES encryption algorithm and only encrypt those files that match the following extensions:

txt, doc, docx, xls, xlsx, ppt, pptx, odt, jpeg, png, csv, sql, mdb, sln, php, asp, aspx, html, xml, psd, rar, wma, avi, wmv, d3dbsp, zip, sie, sum, ibank, qdf, gdb, tax, pkpass, bkp, qic, bkf, sidn, sidd, mddata, itl, itdb, icxs, hvpl, hplg, hkdb, mdbackup, syncdb, gho, cas, svg, map, wmo, itm, fos, mov, vdf, ztmp, sis, sid, ncf, menu, layout, dmp, blob, esm, vcf, vtf, dazip, fpk, mlx, iwd, vpk, tor, psk, rim, fsh, ntl, arch00, lvl, snx, cfr, vpp_pc, lrf, mcmeta, vfs0, mpqge, kdb, dba, rofl, hkx, bar, upk, das, iwi, litemod, asset, forge, ltx, bsa, apk, sav, lbf, slm, bik, epk, rgss3a, pak, big, wallet, wotreplay, xxx, desc, flv, css, pfx, wav, bin, conf, ico, jfif

The ransomware encrypts all the files and appends the [.Parasite] extension onto each encrypted file’s filename.

After encrypting all personal documents, the ransomware shows the following text file containing a message reporting that the computer has been encrypted and to contact its developer for unlock instructions.

The ransomware shows a different message for French-speaking targets:

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Parasite.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Cybersecurity News & Trends – 02-19-21

This week was a good one for the rule of law, as a number of cybercriminals involved in ransomware, phishing and cryptocurrency theft were brought to justice.


SonicWall in the News

2021 Channel Chiefs: Robert (Bob) VanKirk — CRN

  • Robert (Bob) VanKirk has been named one of CRN’s Channel Chiefs for 2021.

2021 Channel Chiefs: HoJin Kim — CRN

  • HoJin Kim has been named one of CRN’s Channel Chiefs for 2021.

2021 Channel Chiefs: David Bankemper — CRN

  • David Bankemper has been named one of CRN’s Channel Chiefs for 2021.

Industry News

North Korea Turning to Cryptocurrency Schemes in Global Heists, U.S. Says — The Wall Street Journal

  • The U.S. Justice Department has charged North Korean hackers in a wide-ranging scheme that includes attempts to steal $1.3 billion for Pyongyang.

Nigerian man sentenced 10 years for $11 million phishing scam — Cyberscoop

  • The sentence comes as the cost of email scams continues to rise, plaguing U.S. businesses.

Cred-stealing trojan harvests logins from Chromium browsers, Outlook and more, warns Cisco Talos — The Register

  • A credential-stealing trojan is capable of lifting your login details from the Chrome browser, Microsoft’s Outlook and instant messengers.

NIST hints at upgrades to its system for scoring a phish’s deceptiveness — SC Magazine

  • Officials from the National Institute of Standards and Technology (NIST) this week teased future improvements to its “Phish Scale,” which helps companies determine whether phishing emails are hard or easy for their employees to detect.

Egregor Arrests a Blow, but Ransomware Will Likely Bounce Back — Dark Reading

  • Similar to previous ransomware takedowns, this disruption to the ransomware-as-a-service model will likely be short-lived, security experts say.

SolarWinds attack hit 100 companies and took months of planning, says White House — ZDNet

  • The White House warns the SolarWinds attack was more than espionage, because the private sector targets could lead to follow-up attacks.

Senate Intel leader demands answers on Florida water treatment center breach — The Hill

  • Sen. Mark Warner (D-Va.) has demanded answers regarding the investigation into the recent attempt to breach and poison the water supply in a Florida city.

Rising healthcare breaches driven by hacking and unsecured servers — Bleeping Computer

  • 2020 was a bad year for healthcare organizations in the U.S., which had to deal with record-high cybersecurity incidents on the backdrop of the COVID-19 pandemic.

Bitcoin hits new record of $50,000 — BBC

  • The cryptocurrency, which was created by an unknown inventor, has risen about 72% this year.

270 addresses are responsible for 55% of all cryptocurrency money laundering — ZDNet

  • Most cryptocurrency money laundering is concentrated in a few online services, opening the door for law-enforcement actions.

Microsoft asks government to stay out of its cyber attack response in Australia — ZDNet

  • Government intervention would result in a “Fog of War,” further complicating any attempt to mitigate cyberattack response, the company said.

France’s cyber-agency says Centreon IT management software sabotaged by Russian Sandworm — The Register

  • Web hosts were infiltrated for up to three years in an attack that somewhat resembles the SolarWinds breach.

100+ Financial Services Firms Targeted in Ransom DDoS Attacks in 2020 — Dark Reading

  • Consumer banks, exchanges, payment firms and card-issuing companies around the globe were among those hit.

Microsoft: SolarWinds attack took more than 1,000 engineers to create — ZDNet

  • Microsoft reckons that the huge attack on security vendors and more took the combined power of at least 1,000 engineers to create.

In Case You Missed It

Discord services misused to host malware including Android bankers

Discord is a digital distribution platform geared towards building communities, but malware authors are misusing it as a medium to host malicious applications. These hosted applications can be accessed and downloaded even without a Discord account.

While investigating an Android banker, the SonicWall Capture Labs Research team observed that it was hosted on the Discord server cdn.discordapp.com. Further investigation revealed that this server was hosting, or communicating with, a large number of malicious applications at the time of writing. We observed the following types of malicious apps in connection with this server:

  • Android apks
  • Executables
  • Compressed RAR archives

Below is a VirusTotal graph for this observation:

We analyzed a few Android apps that share similar functionality and obfuscation measures designed to hide their true behaviour from automated security scanners.

In both cases, the main activity declared in the AndroidManifest.xml file is not present in the decompiled code of the app. This suggests that a separate dex file containing the decrypted code is most likely dropped on the system and invoked at runtime:

Upon execution, the apps request the Accessibility Service permission; until it is granted, the request screen keeps reappearing intermittently:

The malware contains obfuscated code that reveals little about its functionality:

However, when the malware runs on the device, it drops a .json file in the FOLDERNAME. The initial file header shows that this is in reality a .dex file:

Renaming the file and opening it in a .dex viewer such as Jadx shows readable code, with junk code mixed in among the legible code. We can finally see the main activity class specified in the manifest, which was previously unknown:

The malware is capable of accepting and executing the following commands:

  • grabbing_lockpattern
  • run_record_audio
  • run_socks5
  • update_inject
  • stop_socks5
  • rat_connect
  • change_url_connect
  • request_permission
  • clean_cache
  • change_url_recover
  • send_mailing_sms
  • run_admin_device
  • access_notifications
  • url
  • ussd
  • sms_mailing_phonebook
  • get_data_logs
  • get_all_permission
  • grabbing_google_authenticator2
  • notification
  • grabbing_pass_gmail
  • remove_app
  • remove_bot
  • send_sms
  • run_app
  • call_forward
  • patch_update

This malware is yet another example of the dangers of granting the Accessibility Service permission to an application. If the permission is not granted, malware may keep requesting it; this is a tell-tale sign that something is not right.

Android malware is only a small slice of the myriad malicious apps hosted on Discord. There have been conversations about malware being hosted on Discord for a while, but the issue still appears to persist.
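The dropped .json file in the analysis above was identified as DEX by its header, not its name. As an added example (not SonicWall's or the malware's code), the scanner below applies that same check to a directory, flagging any file whose first bytes carry the DEX magic but whose name does not end in .dex; the sample directory it builds is constructed.

```python
"""Spot DEX payloads hiding behind a harmless extension.

Added example for the Discord-hosted banker write-up above; not SonicWall's or
the malware's code. The dropped '.json' file was really a DEX file, which the
first bytes give away: every DEX file starts with the magic 'dex\\n', three
ASCII version digits and a NUL byte (e.g. 'dex\\n035\\0'). The sample
directory built below is constructed; the DEX bodies are dummy bytes.
"""
import os
import re
import tempfile

# DEX magic: "dex\n" + 3 digits + "\0" (Android file-format fact)
_DEX_MAGIC = re.compile(rb"^dex\n(\d{3})\x00")


def dex_version(header: bytes):
    """Return the DEX format version ('035', '039', ...) or None if not DEX."""
    m = _DEX_MAGIC.match(header[:8])
    return m.group(1).decode() if m else None


def classify(name: str, header: bytes) -> str:
    """Classify a file from its name and first bytes.

    'dex-disguised'  DEX magic under any non-.dex name (the .json case above)
    'dex'            DEX magic with a .dex name
    'other'          no DEX magic
    """
    if dex_version(header) is None:
        return "other"
    ext = os.path.splitext(name)[1].lower()
    return "dex" if ext == ".dex" else "dex-disguised"


def scan_dir(root: str) -> dict:
    """Walk root and map each file path to its classification."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                results[path] = classify(fn, fh.read(8))
    return results


def find_disguised_dex(root: str) -> list:
    """Sorted paths of DEX files that do not carry a .dex extension."""
    return sorted(p for p, c in scan_dir(root).items() if c == "dex-disguised")


def make_sample_dir() -> str:
    """Constructed app-data directory: real JSON, a DEX named .json, a real .dex."""
    root = tempfile.mkdtemp(prefix="appdata_")
    with open(os.path.join(root, "settings.json"), "wb") as fh:
        fh.write(b'{"theme": "dark"}')
    with open(os.path.join(root, "config.json"), "wb") as fh:
        fh.write(b"dex\n035\x00" + b"\x00" * 64)   # dummy body, not a payload
    with open(os.path.join(root, "classes.dex"), "wb") as fh:
        fh.write(b"dex\n039\x00" + b"\x00" * 64)
    return root


if __name__ == "__main__":
    for path in find_disguised_dex(make_sample_dir()):
        print("DEX payload under a data-file name:", path)
```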

 

SonicWall Capture Labs provides protection against this threat with the following signatures:

  • AndroidOS.Obfuscated.ST (Trojan)
  • AndroidOS.Banker.CM (Trojan)

Indicators of Compromise (IoCs):

  • e8a0b4aa368473a5a0d1183fb79e127b
  • 2e87bd0a77bfdf78ff50634b0ec1c7ae

Attackers actively targeting vulnerable Netgear DGN devices

The SonicWall Capture Labs threat research team observed attacks exploiting an old vulnerability in Netgear DGN devices. Netgear produces networking hardware for consumers, businesses and service providers. Netgear DGN devices are ADSL+ modem routers that give customers an easy and secure way to set up a wireless home network with fast Internet access over a high-speed digital subscriber line.

Netgear DGN1000 and DGN2200 devices are prone to a remote authentication-bypass vulnerability. Remote attackers can exploit this issue to bypass the authentication mechanism and execute commands within the context of affected devices with elevated privileges.

NETGEAR DGN Devices Remote Command Execution Vulnerability

Below are some examples of exploits seen in the wild.

The vulnerable device does not check authentication for URLs containing the “currentsetting.htm” substring, so the following URL can be accessed without authentication:

http://<vulnerable-device-ip>/setup.cgi?currentsetting.htm=1

The “setup.cgi” page can then be abused to execute arbitrary commands.

Let's take the following example:

The URL leverages the “syscmd” function of the “setup.cgi” script to execute arbitrary commands. The attacker connects to a malicious domain to download a malicious file, saves it in the tmp directory and executes it.
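As an added example (not SonicWall's IPS logic), the detection below flags both the unauthenticated currentsetting.htm probe and setup.cgi requests that carry syscmd, run over constructed web-server log lines. The exact parameter layout of real exploit requests is an assumption and is not reproduced; any syscmd in the decoded query string of a setup.cgi request is treated as a command-execution attempt.

```python
"""Flag probes of the Netgear DGN setup.cgi authentication bypass in web logs.

Added example for the Netgear DGN write-up above; it is not SonicWall's IPS
logic. It keys on the two facts the write-up gives: a URL containing
'currentsetting.htm' skips authentication, and setup.cgi exposes a 'syscmd'
function. The parameter layout of real exploit requests is not reproduced;
any 'syscmd' in the decoded query of a setup.cgi request counts as a
command-execution attempt. Log lines are constructed (documentation addresses).
"""
import re
from urllib.parse import unquote, urlsplit

# Common Log Format: host ident user [time] "METHOD path PROTO" status size
_CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str):
    """Return the CLF fields as a dict, or None for lines that do not parse."""
    m = _CLF.match(line)
    return m.groupdict() if m else None


def classify_request(path: str) -> str:
    """Classify one request path.

    'dgn-rce-attempt'  setup.cgi + currentsetting.htm marker + syscmd in query
    'dgn-auth-bypass'  currentsetting.htm marker used to reach a page unauthenticated
    'benign'           anything else
    """
    decoded = unquote(path).lower()          # defeat %-encoding of the marker
    if "currentsetting.htm" not in decoded:
        return "benign"
    parts = urlsplit(decoded)
    if parts.path.endswith("setup.cgi") and "syscmd" in parts.query:
        return "dgn-rce-attempt"
    return "dgn-auth-bypass"


def scan_log(lines) -> list:
    """Return (host, time, verdict, path) for every non-benign request, in order."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify_request(rec["path"])
        if verdict != "benign":
            hits.append((rec["host"], rec["time"], verdict, rec["path"]))
    return hits


def sources_by_verdict(hits) -> dict:
    """Aggregate hits into {verdict: sorted unique source hosts} for blocking/triage."""
    out = {}
    for host, _time, verdict, _path in hits:
        out.setdefault(verdict, set()).add(host)
    return {k: sorted(v) for k, v in out.items()}


# Constructed sample log: one clean request, a bare auth-bypass probe, a
# command-execution attempt, a normal login, and a %-encoded marker.
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Feb/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 1043',
    '198.51.100.7 - - [17/Feb/2021:10:02:15 +0000] '
    '"GET /setup.cgi?currentsetting.htm=1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [17/Feb/2021:10:02:16 +0000] '
    '"GET /setup.cgi?currentsetting.htm=1&syscmd=uname%20-a HTTP/1.1" 200 88',
    '203.0.113.5 - - [17/Feb/2021:10:03:00 +0000] "POST /login.cgi HTTP/1.1" 401 0',
    '203.0.113.5 - - [17/Feb/2021:10:03:30 +0000] '
    '"GET /setup.cgi?page=%63urrentsetting.htm HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
    print(sources_by_verdict(scan_log(SAMPLE_LOG)))
```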

The following versions are vulnerable:

  • NetGear DGN1000 running firmware prior to version 1.1.00.48
  • Netgear DGN2200 v1

This vulnerability is patched.

SonicWall Capture Labs provides protection against this threat via the following signature:

IPS 13034: NETGEAR DGN Devices Remote Command Execution

Threat Graph
Signature hits for IPS 13034 over the past week.

IoCs

A quick check on Shodan shows vulnerable devices.

A phishing campaign uses morse code to hide malicious URL

Obfuscation is a technique commonly used by malware authors to render their code unreadable, preventing easy interpretation of the program that might give clues to its intent or behaviour. This week, the SonicWall Capture Labs Research team analyzed a phishing email attachment that uses Morse code to hide malicious scripts and URLs within the file.

Infection Cycle

The malicious file comes as a spam email attachment pretending to be an invoice and uses the following filename:

  • <random>_invoice<random>.xlsx.html

It pretends to be an Excel spreadsheet. When opened, it displays a fake Office 365 session-timeout error message that requires the user to log in and type in their password. The login information is sent to a remote server, and the user is then redirected to a page with another fake error message.

This html file uses morse code to hide malicious URLs within the file.

It uses JavaScript to map alphanumeric characters to the dots and dashes of Morse code. The decoded value is a hex string, which in turn decodes to a nested script that loads another JavaScript file hosted on a remote server.
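As an added example (not the phishing kit's own JavaScript), the decoder below reverses the two layers just described on a constructed sample and pulls the loader URL out of the recovered script. Standard Morse is assumed; a kit that ships its own symbol table can be handled by passing that table in.

```python
"""Reverse the Morse-code obfuscation layers from the phishing write-up.

Added example, not the phishing kit's JavaScript. The write-up says the
attachment mapped characters to Morse dots and dashes, the decoded text was a
hex string, and the hex decoded to a nested script that loads a remote URL.
Standard Morse is assumed (a kit may ship its own table; pass it as `table`),
and the sample below is constructed around a placeholder URL.
"""
import re

MORSE = {
    ".-": "a", "-...": "b", "-.-.": "c", "-..": "d", ".": "e", "..-.": "f",
    "--.": "g", "....": "h", "..": "i", ".---": "j", "-.-": "k", ".-..": "l",
    "--": "m", "-.": "n", "---": "o", ".--.": "p", "--.-": "q", ".-.": "r",
    "...": "s", "-": "t", "..-": "u", "...-": "v", ".--": "w", "-..-": "x",
    "-.--": "y", "--..": "z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
}
REVERSE = {v: k for k, v in MORSE.items()}


def morse_decode(text: str, table: dict = MORSE) -> str:
    """Decode whitespace-separated Morse symbols; unknown symbols raise ValueError."""
    out = []
    for sym in text.split():
        if sym not in table:
            raise ValueError(f"unknown morse symbol {sym!r}")
        out.append(table[sym])
    return "".join(out)


def morse_encode(text: str, table: dict = REVERSE) -> str:
    """Encode lowercase alphanumerics; used only to build the constructed sample."""
    return " ".join(table[c] for c in text.lower())


def unpack_layers(morse_text: str, table: dict = MORSE) -> str:
    """Morse -> hex string -> ASCII payload, the two layers the write-up describes."""
    hex_str = morse_decode(morse_text, table)
    if len(hex_str) % 2 or not re.fullmatch(r"[0-9a-f]+", hex_str):
        raise ValueError("decoded layer is not an even-length hex string")
    return bytes.fromhex(hex_str).decode("ascii")


def extract_urls(script: str) -> list:
    """Pull http(s) URLs out of the recovered script for blocklisting and triage."""
    return re.findall(r"https?://[^\s'\"<>]+", script)


# Constructed sample: a loader tag hidden behind hex and then Morse.
HIDDEN_SCRIPT = '<script src="https://phish.example.invalid/loader.js"></script>'
SAMPLE_MORSE = morse_encode(HIDDEN_SCRIPT.encode("ascii").hex())

if __name__ == "__main__":
    recovered = unpack_layers(SAMPLE_MORSE)
    print(recovered)
    print(extract_urls(recovered))
```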

These two URLs are the main files for this phishing campaign. The first one loads a css file as shown below.

The second loads the main HTML page with the icons and images used and the fake session-timeout message prompting the user to log in. This HTML page reveals the remote server to which the stolen login information is sent once the user types in their credentials.

The remote server tanikawashuntaro dot com appears to be a compromised legitimate website.

We urge our users to always be vigilant and cautious with any unsolicited email and to avoid providing any personal information, particularly if you are not certain of the source.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Morse.PH (Trojan)

Three SonicWall Executives Named to Annual CRN 2021 Channel Chiefs List

Three SonicWall channel team leaders have been recognized as 2021 CRN Channel Chiefs. Bob VanKirk, HoJin Kim and David Bankemper made the annual list, with Kim ranking in the top 25. The prestigious list recognizes leading IT channel vendor executives who continually demonstrate outstanding leadership, influence, innovation and growth.

“CRN’s 2021 Channel Chiefs list includes the industry’s biggest channel evangelists, a group of individuals who work tirelessly on behalf of their partners and drive growth through the development of strong partner programs and innovative business strategies that help bring business-critical solutions to market,” said Blaine Raddon, CEO of The Channel Company. “The Channel Company is proud to recognize these channel influencers and looks forward to following their continued success.”

HoJin Kim, Vice President, Worldwide Channels for SonicWall, is responsible for driving the design, development and deployment of SonicWall’s global channel efforts. He leads the implementation of the company’s modern channel strategy to build a sustainable competitive advantage for both SonicWall and its partners.

“If the pandemic has taught us anything, it’s that things can change very quickly,” said SVP and Chief Revenue Officer Bob VanKirk, who is responsible for all SonicWall revenue streams and driving continued revenue growth. “What we’ve seen in our business, and with our partners, is that we’re both successful when we stay close to the relationships that matter most. That could be the relationships we have with our customers or our vendors. In 2021, that’s going to be even more important. The more we understand our customers’ business needs, the better we will be at using technology to address those needs and finding partners that can help us be successful.”

Prior to his current role, VanKirk was tasked with increasing top-line revenue across SonicWall’s global regions as SVP of Strategic Sales and was responsible for implementing direct customer touch across strategic accounts and key verticals such as the U.S. federal government, retail, state and local government, and education.

This year’s Channel Chief listing is the second for SonicWall Vice President of Channel Sales David Bankemper, who is an active member of the GTDC Advisory Council and the Channel Leadership Forum.

The 2021 Channel Chiefs are prominent leaders who have influenced the IT channel with cutting-edge strategies, programs and partnerships. All honorees are selected by CRN’s editorial staff based on their dedication, industry prestige, and exceptional accomplishments as channel advocates.

CRN’s 2021 Channel Chiefs list will be featured in the February 2021 issue of CRN Magazine and online at www.CRN.com/ChannelChiefs.

Microsoft Security Bulletin Coverage for February 2021

The SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of February 2021. A list of the issues reported, along with SonicWall coverage information, is as follows:

CVE-2021-1698 Windows Win32k Elevation of Privilege Vulnerability
ASPY 5907: Malformed-File exe.MP.131

CVE-2021-1732 Windows Win32k Elevation of Privilege Vulnerability
ASPY 149: Malformed-File exe.MP.170

CVE-2021-24072 Microsoft SharePoint Server Remote Code Execution Vulnerability
IPS 15383: Microsoft SharePoint Server Remote Code Execution (CVE-2021-24072)

CVE-2021-24074 Windows TCP/IP Remote Code Execution Vulnerability
IPS 15379: Windows TCP/IP Remote Code Execution (CVE-2021-24074)

CVE-2021-24078 Windows DNS Server Remote Code Execution Vulnerability
IPS 15380: Windows DNS Server Remote Code Execution (CVE-2021-24078)

CVE-2021-24086 Windows TCP/IP Denial of Service Vulnerability
IPS 15377: Windows TCP/IP DoS (CVE-2021-24086)

CVE-2021-24094 Windows TCP/IP Remote Code Execution Vulnerability
IPS 15378: Windows TCP/IP Remote Code Execution (CVE-2021-24094)

Adobe Coverage

CVE-2021-21017 Heap-based Buffer Overflow Vulnerability
ASPY 500: Malformed-File pdf.MP.428
CVE-2021-21037 Path Traversal Vulnerability
ASPY 501: Malformed-File pdf.MP.429
CVE-2021-21060 Improper Input Validation Vulnerability
ASPY 502: Malformed-File jpg.MP.18

The following vulnerabilities have no known exploits in the wild:
CVE-2021-1639 Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-1721 .NET Core and Visual Studio Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-1722 Windows Fax Service Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-1724 Microsoft Dynamics Business Central Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2021-1726 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-1727 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1728 System Center Operations Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1730 Microsoft Exchange Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-1731 PFX Encryption Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-1733 Sysinternals PsExec Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1734 Windows Remote Procedure Call Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-24066 Microsoft SharePoint Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-24067 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-24068 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-24069 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-24070 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-24071 Microsoft SharePoint Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-24073 Skype for Business and Lync Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-24075 Windows Network File System Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-24076 Microsoft Windows VMSwitch Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-24077 Windows Fax Service Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-24079 Windows Backup Engine Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-24080 Windows Trust Verification API Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-24081 Microsoft Windows Codecs Library Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-24082 Microsoft.PowerShell.Utility Module WDAC Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-24083 Windows Address Book Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-24084 Windows Mobile Device Management Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-24085 Microsoft Exchange Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-24087 Azure IoT CLI extension Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-24088 Windows Local Spooler Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-24091 Windows Camera Codec Pack Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-24092 Microsoft Defender Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-24093 Windows Graphics Component Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-24096 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-24098 Windows Console Driver Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-24099 Skype for Business and Lync Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-24100 Microsoft Edge for Android Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-24101 Microsoft Dataverse Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-24102 Windows Event Tracing Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-24103 Windows Event Tracing Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-24105 Package Managers Configurations Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-24106 Windows DirectX Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-24109 Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-24111 .NET Framework Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-24112 .NET Core for Linux Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-24114 Microsoft Teams iOS Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-25195 Windows PKU2U Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26700 Visual Studio Code npm-script Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-26701 .NET Core and Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.

Cukiesi, a Paradise ransomware variant demands over $50k for file retrieval

The SonicWall Capture Labs threat research team has observed reports of a variant of Paradise ransomware called Cukiesi. This ransomware family has been around since early 2018 and is reported to have originated from Russia. The ransom demand is quite steep at 1.5 BTC ($55k at the time of writing this alert), and it is speculated that it is aimed at large organisations rather than the average home PC user.

Infection Cycle:

Upon infection, files on the system are encrypted and have a “_cU_{<6 alphanumeric chars>}Cukiesi” extension appended to their filenames:

nooode.txt is dropped into all directories where files were encrypted. It contains the following ransom message:

We reached out to the email addresses provided in the ransom note and had the following conversation with the operator:

The protonmail address had been deactivated but we received a response from the tutanota.com email address:

The ransom amount appears to be negotiable but at the time of writing this alert we were unsuccessful:

We are still awaiting a reply.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Cukiesi.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.
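As an added example (not SonicWall's or the malware's code) serving both this Cukiesi write-up and the Parasite write-up above, the scanner below attributes renamed files to either family by the extension pattern each appends, lists the directories touched, and locates the nooode.txt note; the directory tree it builds is constructed.

```python
"""Scope a ransomware incident by the renamed-file patterns the write-ups describe.

Added example serving the Parasite and Cukiesi write-ups; not SonicWall's or
the malware's code. Parasite appends '.Parasite' to every encrypted file;
Cukiesi appends '_cU_{<6 alphanumerics>}Cukiesi' and drops nooode.txt into each
directory it touched. The scanner attributes renamed files to a family, lists
affected directories and locates ransom notes. The sample tree is constructed.
"""
import os
import re
import tempfile
from collections import Counter

FAMILIES = {
    "Parasite": re.compile(r"^(?P<orig>.+)\.Parasite$"),
    "Cukiesi": re.compile(r"^(?P<orig>.+)_cU_\{[A-Za-z0-9]{6}\}Cukiesi$"),
}
RANSOM_NOTES = {"nooode.txt": "Cukiesi"}


def attribute(filename: str):
    """(family, original_name) if the name matches a known pattern, else None."""
    for family, pattern in FAMILIES.items():
        m = pattern.match(filename)
        if m:
            return family, m.group("orig")
    return None


def scan_tree(root: str) -> dict:
    """Walk root; return per-family counts, affected directories and notes found."""
    counts = Counter()
    affected = set()
    notes = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn in RANSOM_NOTES:
                notes.append((os.path.join(dirpath, fn), RANSOM_NOTES[fn]))
                continue
            hit = attribute(fn)
            if hit:
                counts[hit[0]] += 1
                affected.add(dirpath)
    return {"counts": dict(counts), "dirs": sorted(affected), "notes": sorted(notes)}


def make_sample_tree() -> str:
    """Constructed tree mixing clean files with both families' artifacts."""
    root = tempfile.mkdtemp(prefix="ir_")
    docs = os.path.join(root, "docs")
    finance = os.path.join(root, "finance")
    os.makedirs(docs)
    os.makedirs(finance)
    for name in ("readme.txt", "report.docx.Parasite", "photo.jpeg.Parasite"):
        open(os.path.join(docs, name), "wb").close()
    for name in ("budget.xlsx_cU_{A1b2C3}Cukiesi", "nooode.txt", "notes.txt"):
        open(os.path.join(finance, name), "wb").close()
    return root


if __name__ == "__main__":
    report = scan_tree(make_sample_tree())
    print(report["counts"], len(report["dirs"]), "directories affected")
    for path, family in report["notes"]:
        print("ransom note", path, "->", family)
```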