Hafnium Uses Zero-Day Vulnerabilities Against Microsoft Exchange: What to Do Next

While the industry is still reeling from the impacts of the SolarWinds Orion supply-chain attack, another salvo has been launched at the already burnt-out response teams.

Researchers at DEVCORE discovered and reported vulnerabilities in on-premises Microsoft Exchange Server (affecting versions going back to Exchange Server 2010) that, when chained together, give an unauthenticated attacker remote code execution on the server.

If you have an on-prem Microsoft Exchange Server, patching it and ensuring that your system has not been compromised should be your absolute top priority.

“Microsoft has detected multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks,” Microsoft stated in a real-time blog used to communicate mitigation steps. “In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers, which enabled access to email accounts and allowed installation of additional malware to facilitate long-term access to victim environments.”

According to Microsoft, Hafnium exploited these vulnerabilities to gain initial access, then “deployed web shells on the compromised server. Web shells potentially allow attackers to steal data and perform additional malicious actions that lead to further compromise.”
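The "ensure your system has not been compromised" step deserves something concrete. As an added example (not code from the original post, from Microsoft or from SonicWall), the Python script below walks the IIS/Exchange web roots where post-exploitation web shells were dropped and reports every .aspx/.ashx/.asmx file that was modified after a cutoff date or contains web-shell-like constructs, with its SHA-256 so hits can be compared across servers. The default root paths are assumed standard-install locations, the content patterns are assumptions about what an ASP.NET web shell looks like rather than vendor signatures, and the file used to exercise it in testing is constructed.

```python
"""Triage: list .aspx/.ashx/.asmx files under IIS/Exchange web roots that were
modified after a cutoff or contain web-shell-like code."""
import hashlib
import os
import re
import sys
from datetime import datetime, timezone

# Standard-install locations where web shells were dropped on compromised
# Exchange hosts (assumed defaults; adjust to the install path on your server).
DEFAULT_ROOTS = [
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth",
    r"C:\inetpub\wwwroot\aspnet_client",
]
WEB_EXTENSIONS = (".aspx", ".ashx", ".asmx")

# Content heuristics (assumptions about typical ASP.NET web shells, not vendor
# signatures): code execution driven by attacker-controlled request input.
SHELL_PATTERNS = {
    "eval-of-request": re.compile(r"\beval\s*\(\s*Request\b", re.I),
    "unsafe-jscript": re.compile(r"Language\s*=\s*[\"']JScript[\"']", re.I),
    "process-start": re.compile(r"System\.Diagnostics\.Process|Process\.Start\s*\(", re.I),
    "cmd-exe": re.compile(r"\bcmd(\.exe)?\b[^\n]*?/c\b", re.I),
    "assembly-load": re.compile(r"Assembly\.Load\s*\(", re.I),
}


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large files do not need RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def inspect_file(path, since):
    """Return a finding dict for one file, or None if nothing looks off."""
    reasons = []
    mtime = datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)
    if mtime >= since:
        reasons.append("modified-after-cutoff")
    with open(path, "rb") as f:
        head = f.read(1 << 20).decode("utf-8", "replace")  # first 1 MiB is enough
    reasons += [name for name, pat in SHELL_PATTERNS.items() if pat.search(head)]
    if not reasons:
        return None
    return {"path": path, "mtime": mtime.isoformat(), "sha256": sha256_of(path),
            "reasons": reasons}


def scan_webroots(roots, since):
    """Walk each root (missing roots are skipped) and return findings sorted by path."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower().endswith(WEB_EXTENSIONS):
                    finding = inspect_file(os.path.join(dirpath, name), since)
                    if finding:
                        findings.append(finding)
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    # Usage: python exchange_webshell_triage.py 2021-02-26 [root ...]
    cutoff = datetime.fromisoformat(sys.argv[1]).replace(tzinfo=timezone.utc)
    for hit in scan_webroots(sys.argv[2:] or DEFAULT_ROOTS, cutoff):
        print(hit["sha256"], hit["mtime"], hit["path"], ",".join(hit["reasons"]))
```

Pick the cutoff earlier than the date the security update was installed, because the update itself rewrites files under these roots. A hit is a lead for incident response, not proof on its own, and a clean scan is not proof of no compromise: the same actors also created mailbox exports and additional accounts, so server-side logs and account audits still need review.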

How do I prevent Exchange Server attacks?

First, immediately patch your Exchange Server. Exchange Server 2010 is End of Life (EOL), but Microsoft released a “Defense in Depth” update for it as well.

To protect customers, SonicWall released four IPS signatures to defend against potential attacks that exploit the outlined vulnerabilities:

  • IPS: 15418 WEB-ATTACKS Microsoft Exchange Server Remote Code Execution (CVE-2021-26857)
  • IPS: 15419 WEB-ATTACKS Microsoft Exchange Server Remote Code Execution (CVE-2021-26855) 1
  • IPS: 15420 WEB-ATTACKS Microsoft Exchange Server Remote Code Execution (CVE-2021-26855) 2
  • IPS: 15421 WEB-ATTACKS Microsoft Exchange Server Remote Code Execution 1

To be effective, server-side DPI-SSL must be enabled for incoming traffic: the attacks arrive inside HTTPS, so the firewall cannot see them without decrypting. The following KB article provides step-by-step guidance on configuring DPI-SSL: How To Configure Server DPI-SSL.

You may also enable Geo-IP blocking on the firewall to restrict traffic to your geographic region only, but do not rely on this measure: attackers staging attacks from VPN or Tor exit nodes bypass geographic boundaries easily.

Who is Hafnium, and why are the Exchange Server vulnerabilities so critical?

While RCE vulnerabilities are always of top concern, what’s worse is that there’s an ongoing mass exploitation campaign underway, which may result in network persistence by attackers. The group behind the mass exploitation is dubbed Hafnium and is believed to be operating out of China.

The vulnerabilities are so concerning that government officials warned of the ramifications.

“This is a significant vulnerability that could have far-reaching impacts,” said U.S. White House Press Secretary Jen Psaki during a March 5 briefing. “First and foremost, this is an active threat. And as the National Security Advisor tweeted last night (below), everyone running these servers — government, private sector, academia — needs to act now to patch them … We are concerned that there are a large number of victims and are working with our partners to understand the scope of this.”

While the breach has impacted an estimated 60,000 victims worldwide so far, threat actors also appear to have found a way to automate the attack process, allowing them to target a massive number of victims in a very short period of time.

Fake Covid-19 vaccine-related information found spreading malware

As Covid-19 vaccinations happen across the country, cybercriminals are riding the wave again, using social-engineering lures that purport to be vaccine-related information to spread malware and steal user information. The SonicWall Capture Labs Research team has analyzed a malicious PDF fittingly named “Adenovirus vector.pdf”, which refers to one of the viral vectors used in some late-stage COVID-19 vaccine trials according to the CDC website.

Infection Cycle:

The file arrives as a PDF, most likely as a spam email attachment, using the following filename:

  • Adenovirus vector.pdf

Once opened, the victim is presented with a fake “I’m not a robot” CAPTCHA which, when clicked, redirects to a malicious website.

The first redirect leads to a seemingly unending chain of further redirects through a slew of ad websites, which eventually ask the victim to install a malicious browser extension called “Security Helper”.

The pages then scare the user into thinking the system is infected by displaying fake scan results purporting to come from well-known antivirus vendors such as McAfee and Norton, with links on how to “fix” the problem and purchase protection that lead to yet another dubious website.

  

These fake security pop-ups do not stop because the malicious websites were added to the browser’s notification “allow” list, which lets them keep pushing notifications after the tab is closed.

It comes as no surprise that cybercriminals take advantage of current events such as the pandemic and the vaccine rollout to spread malware. We therefore urge users to obtain vaccine-related information and services only from trusted websites or sources, and to exercise caution when downloading software from unfamiliar websites.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Malagent.N_107 (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Cybersecurity News & Trends – 03-12-21

This week saw breaches on more than two dozen U.K. schools and universities, thousands of security cameras, Microsoft Exchange servers, and even hacking forums themselves.


SonicWall in the News

Ryuk Ransomware Is Now More Dangerous Than Ever. Here’s Why — Toolbox

  • Ryuk, which has set organizations back by $150 million over the past three years, has acquired new capabilities that allow it to propagate across connected networks and systems, including those that are inactive or powered off.

Microsoft Cloud App Security Aims To Expand Your Defenses — TechTarget

  • Data center security tools have little control over the plethora of SaaS apps used in the enterprise. A Microsoft offering attempts to bridge that gap to ward off threats.

Industry News

UPDATE: Hackers Breach Thousands of Security Cameras, Exposing Tesla, Jails, Hospitals — Bloomberg

  • A group of hackers say they breached a massive trove of security camera data collected by Silicon Valley startup Verkada, Inc., gaining access to live feeds of 150,000 surveillance cameras inside hospitals, companies, police departments, prisons and schools.

Researchers Show First Side-Channel Attack Against Apple M1 Chips — Security Week

  • Researchers have demonstrated that attackers could launch browser-based side-channel attacks that do not require JavaScript, and they’ve tested the method on a wide range of platforms, including devices that use Apple’s new M1 chip.

It’s Open Season for Microsoft Exchange Server Hacks — Wired

  • A patch for the Exchange vulnerabilities China exploited has been released. Now criminal groups are going to reverse engineer it — if they haven’t already.

Dark Web Markets for Stolen Data See Banner Sales — Threat Post

  • Despite an explosion in the sheer amount of stolen data available on the Dark Web, the value of personal information is holding steady, according to the 2021 Dark Web price index from Privacy Affairs.

EU Sets 2030 Goals to Secure Tech Sovereignty From U.S., Asia — Bloomberg

  • The European Union outlined its digital goals for the next decade, including plans to develop and manufacture the world’s most advanced semiconductors by 2030 in an effort to reduce reliance on foreign companies.

A Basic Timeline of the Exchange Mass-Hack — Krebs on Security

  • Brian Krebs breaks down the Microsoft Exchange attack timeline.

GandCrab ransomware affiliate arrested for phishing attacks — Bleeping Computer

  • A suspected GandCrab ransomware operator was arrested in South Korea for using phishing emails to infect victims.

University of the Highlands and Islands shuts down campuses as it deals with ‘ongoing cyber incident’ — The Register

  • In a message to students and staff, the institution, which spans 13 locations across the northernmost part of the UK, warned that “most services” – including its Brightspace virtual learning environment – were affected.

A new type of supply-chain attack with serious consequences is flourishing — Ars Technica

  • New dependency confusion attacks take aim at Microsoft, Amazon, Slack, Lyft and Zillow.

Watchdog Warns of Weak Cybersecurity in DOD Weapons Contracts — Bloomberg

  • A government watchdog warned that the U.S. military has failed to adequately include cybersecurity provisions in contracts for acquiring weapons systems. … “Some contracts we reviewed had no cybersecurity requirements when they were awarded, with vague requirements added later.”

Cyberattack shuts down online learning at 15 UK schools — ZDNet

  • The cyberattack also took email, phone and website communication offline.

Three Top Russian Cybercrime Forums Hacked — Krebs on Security

  • Over the past few weeks, three of the longest running and most venerated Russian-language forums, which serve thousands of experienced cybercriminals, have been hacked. In two of the intrusions, the attackers made off with the forums’ user databases, including email and Internet addresses and hashed passwords.

Ongoing phishing attacks target US brokers with fake FINRA audits — Bleeping Computer

  • The U.S. Financial Industry Regulatory Authority (FINRA) has issued a regulatory notice warning U.S. brokerage firms and brokers of an ongoing phishing campaign using fake compliance audit alerts to harvest information.

Business Apps Spoofed in 45% of Impersonation Attacks — Dark Reading

  • Business-related applications like those from Microsoft, Zoom and DocuSign are most often impersonated in brand phishing attacks.

Three New Malware Strains Linked to SolarWinds Hackers — Security Week

  • The malware, named GoldMax, GoldFinder and Sibot, has been used to maintain persistence and for other “very specific” actions.

In Case You Missed It

Microsoft Security Bulletin Coverage for March 2021

The SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of March 2021. The issues reported, along with SonicWall coverage information, are as follows:

CVE-2021-24095 DirectX Elevation of Privilege Vulnerability
ASPY 5907: Malformed-File exe.MP.131

CVE-2021-26411 Internet Explorer Memory Corruption Vulnerability
IPS 15430: Internet Explorer Memory Corruption Vulnerability (CVE-2021-26411)

CVE-2021-26855 Microsoft Exchange Server Remote Code Execution Vulnerability
IPS 15420: Microsoft Exchange Server Remote Code Execution (CVE-2021-26855) 2

CVE-2021-26857 Microsoft Exchange Server Remote Code Execution Vulnerability
ASPY 158: Malformed-File xml.MP.4

CVE-2021-26863 Windows Win32k Elevation of Privilege Vulnerability
ASPY 160: Malformed-File exe.MP.171

CVE-2021-26868 Windows Graphics Component Elevation of Privilege Vulnerability
ASPY 161: Malformed-File exe.MP.172

CVE-2021-26877 Windows DNS Server Remote Code Execution Vulnerability
IPS 15434: Windows DNS Server Remote Code Execution (CVE-2021-26877)

CVE-2021-26897 Windows DNS Server Remote Code Execution Vulnerability
IPS 15435: Windows DNS Server Remote Code Execution (CVE-2021-26897)

CVE-2021-27076 Microsoft SharePoint Server Remote Code Execution Vulnerability
ASPY 162: Malformed-File exe.MP.173

CVE-2021-27077 Windows Win32k Elevation of Privilege Vulnerability
ASPY 163: Malformed-File ex.MP.174

CVE-2021-27065 Microsoft Exchange Server Remote Code Execution Vulnerability
IPS 15421: Microsoft Exchange Server Remote Code Execution 1

CVE-2021-27078 Microsoft Exchange Server Remote Code Execution Vulnerability
IPS 15421: Microsoft Exchange Server Remote Code Execution 1

The following vulnerabilities have no known exploits in the wild:
CVE-2021-1640 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1729 Windows Update Stack Setup Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-21300 Git for Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-24089 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-24090 Windows Error Reporting Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-24104 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-24107 Windows Event Tracing Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-24108 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-24110 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-26412 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-26854 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-26858 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-26859 Microsoft Power BI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-26860 Windows App-V Overlay Filter Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26861 Windows Graphics Component Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-26862 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26864 Windows Virtual Registry Provider Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26865 Windows Container Execution Agent Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26866 Windows Update Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26867 Windows Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-26869 Windows ActiveX Installer Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-26870 Windows Projected File System Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26871 Windows WalletService Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26872 Windows Event Tracing Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26873 Windows User Profile Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26874 Windows Overlay Filter Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26875 Windows Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26876 OpenType Font Parsing Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-26878 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26879 Windows NAT Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-26880 Storage Spaces Controller Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26881 Microsoft Windows Media Foundation Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-26882 Remote Access API Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26884 Windows Media Photo Codec Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-26885 Windows WalletService Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26886 User Profile Service Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-26887 Microsoft Windows Folder Redirection Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26889 Windows Update Stack Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26890 Application Virtualization Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-26891 Windows Container Execution Agent Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26892 Windows Extensible Firmware Interface Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-26893 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-26894 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-26895 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-26896 Windows DNS Server Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-26898 Windows Event Tracing Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26899 Windows UPnP Device Host Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26900 Windows Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26901 Windows Event Tracing Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26902 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27047 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27048 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27049 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27050 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27051 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27052 Microsoft SharePoint Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-27053 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27054 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27055 Microsoft Visio Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-27056 Microsoft PowerPoint Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27057 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27058 Microsoft Office ClickToRun Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27059 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27060 Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27061 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27062 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27063 Windows DNS Server Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-27066 Windows Admin Center Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-27070 Windows 10 Update Assistant Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-27074 Azure Sphere Unsigned Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27075 Azure Virtual Machine Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-27080 Azure Sphere Unsigned Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27081 Visual Studio Code ESLint Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27082 Quantum Development Kit for Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27083 Remote Development Extension for Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27084 Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27085 Internet Explorer Remote Code Execution Vulnerability
There are no known exploits in the wild.

8t_Dropper, RoyalRoad

Overview:

The SonicWall Capture Labs Threat Research Team recently found a new sample of 8t_Dropper, aka RoyalRoad. RoyalRoad is a tool shared by many targeted-attack groups believed to operate out of China. The sample analyzed below locates and extracts stored passwords by running SQL queries against the browser’s local credential database (Google Chrome, Firefox, Thunderbird).

Threat Actor(s) Involved: Hellsing, Ice Fog, Pirate Panda, RANCOR, TA428, Tick, Tonto Team, Karma Panda

MITRE ATT&CK Information:

ID: T1055 (Process Injection)
Sub-techniques: T1055.001, T1055.002, T1055.003, T1055.004, T1055.005, T1055.008, T1055.009, T1055.011, T1055.012, T1055.013, T1055.014
Tactics: Defense Evasion, Privilege Escalation
Platforms: Linux, Windows, macOS
Data Sources: API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Defense Bypassed: Anti-virus, Application control
CAPEC ID: CAPEC-640

Sample, Static Information:

Checking for a valid PE file: red highlights appear on any PE member that contains invalid data. This sample passes the check.

Entropy of sample:

First Stage, Dropper, Dynamic Information:

A list/table of the shellcode’s function calls, disassembled in IDA Pro:

The Call+5 trick (a call to the very next instruction, so the return address pushed on the stack gives the shellcode its own load address), used widely in malware, disassembled:

Shellcode function calls, disassembled in x32dbg:

Encrypted Buffer:

Decrypted Buffer:

Dropped DLL:

Encryption used in DLL:

NSS Info:

NSS Overview:

NSS Decompiled

SQL Functions Decompiled:

(SQL Query) – Thunderbird Password Captures:

(SQL Query) – Google Chrome Password Captures:

Supported Systems:

  • Windows 10
  • Windows 8.1
  • Windows 8.0
  • Windows 7
  • Windows Vista

SonicWall Gateway Anti-Virus (GAV) provides protection against this threat:

  • GAV: 8t_Dropper.A (Trojan)

Appendix:

Sample SHA256 Hash: 859443a72a9a9f53e3810efbddc79c68a243fcba0c52957c0a37846384477133

CRITICAL REMOTE CODE EXECUTION FLAWS IN MICROSOFT EXCHANGE ARE BEING ACTIVELY EXPLOITED

The SonicWall Capture Labs Threat Research team has received reports that threat actors are actively exploiting the following Microsoft Exchange vulnerabilities:

  • CVE-2021-26855
  • CVE-2021-26857
  • CVE-2021-26858
  • CVE-2021-27065

These vulnerabilities give attackers access to the email stored on the Exchange Servers, which could include sensitive or personal data.

Affected Products:

Microsoft Exchange Server 2013, 2016 and 2019 are affected by these vulnerabilities. Users should apply the updates as soon as possible.  Microsoft has also released a “Defense in Depth” update for Exchange Server 2010.

On March 2, 2021, SonicWall Capture Labs Threat Research team released the following signatures to protect against such attacks:

IPS: 15418 WEB-ATTACKS Microsoft Exchange Server Remote Code Execution (CVE-2021-26857)
IPS: 15419 WEB-ATTACKS Microsoft Exchange Server Remote Code Execution (CVE-2021-26855) 1
IPS: 15420 WEB-ATTACKS Microsoft Exchange Server Remote Code Execution (CVE-2021-26855) 2
IPS: 15421 WEB-ATTACKS Microsoft Exchange Server Remote Code Execution 1

It is also recommended that DPI-SSL be enabled.  The following articles describe how to configure DPI-SSL:
https://www.sonicwall.com/support/knowledge-base/how-can-i-configure-client-dpi-ssl/170505885674291/
https://www.sonicwall.com/support/knowledge-base/how-to-configure-server-dpi-ssl/170505900099021/

Lotus ransomware charges 1 BTC ($49K USD). Multi PC discount possible

The SonicWall Capture Labs threat research team has observed reports of a variant from the Crysis/Dharma ransomware family called Lotus.  The operators of this malware charge 1 BTC ($49K USD at the time of writing this alert) for file recovery.  However, the price appears to be negotiable after a conversation with the malware operator.

 

Infection Cycle:

 

Upon infection, the malware can be seen using the built-in mshta program to display the ransom message:

 

Files on the system are encrypted and the following extension is appended to their file names:

.id-E625BDD2.[paymei@cock.li].LOTUS

 

The following ransom message is displayed on the desktop:

 

The following files are dropped on to the system:

  • MANUAL.txt (in every directory containing encrypted files)
  • %APPDATA%\{original malware file name} [Detected as: GAV: Lotus.RSM (Trojan)]
  • %APPDATA%\Info.hta (contains message shown above)
  • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta (contains message shown above; the Startup location re-displays the note at every logon)

 

MANUAL.txt contains the following text:

 

We reached out to the supplied emails and had the following conversation with the ransomware operator:

 

The operator asks how many PCs we would like to recover, which leads us to believe the malware is aimed at larger organizations:

 

We check whether we can negotiate further if we have multiple infected PCs:

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Lotus.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Excel with misleading macrosheet name spreading Zloader

The SonicWall Capture Labs Threat Research team has been observing changes in the techniques used to distribute ZLoader via MS Excel files. It began around January 2020, when the first campaign using XLM (Excel 4.0) macros instead of the more common VBA macros was seen. Since then, we have observed significant improvements, such as the addition of evasion and sandbox-bypass techniques through XLM macros, as described in our previous blog.

This variant uses an OOXML-format Excel file. In OOXML-format Excel files, XLM macro sheets are usually stored inside the “macrosheets” folder, with sheets named either “Sheet<digit>.xml” or “intlsheet<digit>.xml”. This variant uses a completely different folder and file name for the macro sheet: the macro sheet and its folder are named “foto.png” and “bioxr” respectively, as shown in the image below:


Fig-1: XLM MacroSheet

Engines that look for macro sheets only inside the “macrosheets” folder may fail to identify these files as XLM macro files. Careful inspection of the “workbook.xml.rels” file shows that both the folder and the file name are misleading: the part is still related to the workbook as a macro sheet, as shown below:


Fig-2: workbook.xml.rels

Sample Analysis:

Upon opening the file, the user is shown instructions to enable macros, as shown below:


Fig-3: Excel File

The workbook contains two sheets, one of which is a hidden macro sheet. It has a defined name “Aut0_Open”, which triggers macro execution as soon as the file is opened. The font size in the sheet is set very small (“2”) to make the content hard to read.


Fig-4: hidden macro sheet

Upon execution of the XLM macro, a payload belonging to the Zloader family is downloaded and saved as C:\<random>\<random>\ServApi.exe.
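The folder-name evasion above and the hidden sheet with its auto-run name both disappear if the workbook is examined the way Excel itself resolves parts: by relationship type and content type, not by path. As an added example (not code from the original post), the Python below reads xl/_rels/workbook.xml.rels for relationships of the xlMacrosheet type, cross-checks [Content_Types].xml for the macrosheet content type, lists hidden sheets and auto-run defined names from xl/workbook.xml, and pulls the formulas out of whatever part the macro sheet turns out to be. The workbook it builds for demonstration is constructed to mirror the layout described above (bioxr/foto.png, a hidden sheet, an “Aut0_Open” name); it is not the real sample, and the lookalike-name regex is an assumption.

```python
"""Find Excel 4.0 (XLM) macro sheets in an OOXML workbook by relationship type and
content type instead of trusting the xl/macrosheets/ folder name."""
import io
import posixpath
import re
import xml.etree.ElementTree as ET
import zipfile

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
MAIN_NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
MACROSHEET_REL = "http://schemas.microsoft.com/office/2006/relationships/xlMacrosheet"
MACROSHEET_CT = "application/vnd.ms-excel.macrosheet+xml"
# Auto_Open/Auto_Close plus the zero-for-o lookalike seen in this sample (assumption).
AUTO_NAME = re.compile(r"^(_xlnm\.)?aut[o0]_(open|close)$", re.I)


def resolve(base_part, target):
    """Resolve a relationship Target (relative to base_part's folder) to a part name."""
    if target.startswith("/"):
        return target.lstrip("/")
    return posixpath.normpath(posixpath.join(posixpath.dirname(base_part), target))


def analyze_workbook(data):
    """Return macro-sheet indicators for an OOXML workbook given as bytes."""
    z = zipfile.ZipFile(io.BytesIO(data))
    names = set(z.namelist())
    r = {"macrosheets": [], "content_type_macrosheets": [], "hidden_sheets": [],
         "auto_names": [], "formulas": []}
    # 1. Relationship type: anything the workbook relates to as xlMacrosheet is a
    #    macro sheet, whatever folder or extension it was given.
    for rel in ET.fromstring(z.read("xl/_rels/workbook.xml.rels")).iter(REL_NS + "Relationship"):
        if rel.get("Type") == MACROSHEET_REL:
            r["macrosheets"].append(resolve("xl/workbook.xml", rel.get("Target", "")))
    # 2. Content type: [Content_Types].xml says the same thing independently.
    for ov in ET.fromstring(z.read("[Content_Types].xml")).iter(CT_NS + "Override"):
        if ov.get("ContentType") == MACROSHEET_CT:
            r["content_type_macrosheets"].append(ov.get("PartName", "").lstrip("/"))
    # 3. Workbook: hidden sheets and auto-run defined names.
    wb = ET.fromstring(z.read("xl/workbook.xml"))
    for sheet in wb.iter(MAIN_NS + "sheet"):
        if sheet.get("state") in ("hidden", "veryHidden"):
            r["hidden_sheets"].append(sheet.get("name"))
    for dn in wb.iter(MAIN_NS + "definedName"):
        if AUTO_NAME.match(dn.get("name", "")):
            r["auto_names"].append(dn.get("name"))
    # 4. Formulas inside each macro sheet part (namespace-agnostic <f> elements).
    for part in r["macrosheets"]:
        if part in names:
            r["formulas"] += [el.text for el in ET.fromstring(z.read(part)).iter()
                              if el.tag.endswith("}f") and el.text]
    r["suspicious"] = bool(r["macrosheets"] or r["content_type_macrosheets"])
    return r


def build_sample_workbook():
    """Constructed minimal workbook mirroring the layout described above; not the real sample."""
    content_types = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     '<Override PartName="/xl/workbook.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>'
                     '<Override PartName="/xl/worksheets/sheet1.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml"/>'
                     '<Override PartName="/xl/bioxr/foto.png" ContentType="application/vnd.ms-excel.macrosheet+xml"/></Types>')
    workbook = ('<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
                'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                '<sheets><sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
                '<sheet name="Macro1" sheetId="2" state="hidden" r:id="rId2"/></sheets>'
                '<definedNames><definedName name="Aut0_Open">Macro1!$A$1</definedName></definedNames></workbook>')
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet" Target="worksheets/sheet1.xml"/>'
            '<Relationship Id="rId2" Type="http://schemas.microsoft.com/office/2006/relationships/xlMacrosheet" Target="bioxr/foto.png"/></Relationships>')
    macrosheet = ('<xm:macrosheet xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" '
                  'xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"><sheetData>'
                  '<row r="1"><c r="A1"><f>EXEC("cmd /c echo constructed")</f></c></row></sheetData></xm:macrosheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/_rels/workbook.xml.rels", rels)
        z.writestr("xl/worksheets/sheet1.xml", '<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"/>')
        z.writestr("xl/bioxr/foto.png", macrosheet)  # the misleading folder and file name
    return buf.getvalue()


if __name__ == "__main__":
    print(analyze_workbook(build_sample_workbook()))
```

To run it against a real file, pass `open(path, "rb").read()` to `analyze_workbook`. Any xlMacrosheet relationship at all is worth a closer look, since Excel 4.0 macros are rare in legitimate modern documents; the auto-run name and hidden state are what turn it into the drive-by-on-open pattern described above.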

SonicWall Capture ATP protects against this threat as shown below:


Fig-5: Capture Report

 

Indicators of Compromise:

SHA256 of malicious Excel Files:

  • 12047db782ec585e6c577248607f504869d166077ee33a4d455a66370ea6f9b4
  • 189735e1fde7511cd9cedfb317f544971411691192c25ca36147998e492753d7
  • 18d1cc06d96c741e0c21c1ceea194f37ca5941264cc0a26d89cba8e09c132485
  • 18e6f2976642ca37a4e81358ea8da608b5d34a50b1954d0c3041e902ae23e192
  • 18f33627843309fdef93e7edc7c24c856912d19a9622c2647165247e1aa16386
  • 1a03a110254fe594cb08e5db44b5dd7d00ebedf5bf6944e2aff7807195b7bff6
  • 1b29453e458e36c8b8b17371d4cb254a7cea4f1b035dc2d308e75ca1829766f3
  • 20af190130ad3ac40a01df57341929d968616ef717bc9e691308ccaf4f41a683
  • 211eb2bbaf1e1dcadd3f10c6c77ff2243f8690b1cd9f9dd5218d48d1b4edd02e
  • 224b3303d4f32bc71fa3322d9385d004293459ed74885179178d04c880dbf6f8
  • 2335e54b766bf5dc2a9078b995a4878ff350aa39d83ef7eabe77433c5c26e998

Network Connection:

  • safedot[.]digital
    • Domain registered on 25-Feb-2021

Files:

  • C:\<random>\<random>\ServApi.exe

 

Cybersecurity News & Trends – 03-05-21

This week, Gab got breached, Ryuk got stronger, and AOL users got phished.


SonicWall in the News

2021 Cyber Security Global Excellence Awards Winners — Globee Business Awards

  • SonicWall swept the Globee Business Awards, bringing home the Grand Trophy, along with nine other gold, silver and bronze honors.

Ransomware Has Changed In A Very Dramatic Way In The Past Two Years: SonicWall CEO — ET Tech

  • Bill Conner discusses the rise of nation states as primary threat actors and how that changes the conversation around country of origin marketing of cybersecurity products.

SonicWall CEO Bill Conner on His Journey in the Digital and Cybersecurity Space — YourStory

  • Bill Conner details his three-decade journey in the tech and enterprise sector and his role in helping governments, municipalities and others with the security of the COVID-19 vaccine distribution process.

Industry News

Gab’s CTO Introduced a Critical Vulnerability to the Site — Wired

  • A review of the open-source code shows an account under the executive’s name made a mistake that could lead to the kind of breach reported this weekend.

Why Global Power Grids Are Still So Vulnerable to Cyber Attacks — Bloomberg

  • More than five years after massive cyberattacks left a quarter of a million Ukrainians without electricity, the world’s power grids have become even more vulnerable to hackers.

Wray hints at federal response to SolarWinds hack — The Hill

  • FBI Director Christopher Wray hinted at the planned federal response to what has become known as the SolarWinds attack, stressing that confronting foreign attacks in cyberspace would be a “long, hard slog.”

China’s new cyber tactic: targeting critical infrastructure — SC Magazine

  • A newly discovered threat group breached India’s power infrastructure, marking the first time a Chinese government-linked cyber actor has emerged as a significant threat against another nation’s critical infrastructure.

Bitcoin at ‘tipping point,’ Citi says as price surges — Reuters

  • Bitcoin rose nearly 7%, with Citi saying the most popular cryptocurrency was at a “tipping point” and could become the preferred currency for international trade.

Government watchdog finds federal cybersecurity has ‘regressed’ in recent years — The Hill

  • Federal cybersecurity has “regressed” since 2019 due to factors including the lack of centralized cyber leadership at the White House, the Government Accountability Office (GAO) said in a report released Tuesday.

Far-Right Platform Gab Has Been Hacked—Including Private Data — Wired

  • The transparency group DDoSecrets says it will make the 70 GB of passwords, private posts and more available to researchers, journalists and social scientists.

Google: Bad bots are on the attack, and your defence plan is probably wrong — ZDNet

  • Bot attacks are on the rise as businesses move online due to the pandemic.

Beware: AOL phishing email states your account will be closed — Bleeping Computer

  • An AOL mail phishing campaign is underway to steal users’ login name and password by warning recipients that their account is about to be closed.

Ryuk ransomware now self-spreads to other Windows LAN devices — Bleeping Computer

  • A new Ryuk ransomware variant with worm-like capabilities allowing it to spread to other devices on victims’ local networks has been discovered.

SolarWinds Hack Pits Microsoft Against Dell, IBM Over How Companies Store Data — The New York Times

  • Microsoft argues the cloud offers more protection; rivals point to firms’ need to hold and access their information on-premises.

Bitcoin set for worst week since March as riskier assets sold off — Reuters

  • Bitcoin was headed on Friday for its worst week since March as a rout in global bond markets sent yields flying and sparked a sell-off in riskier assets.

In Case You Missed It

SonicWall NSa 2700 vs. Fortinet FortiGate 100F

Which one is right for me?

Next-generation firewalls (NGFWs) are getting more powerful as vendors add more and more features to them. There’s no doubt that today’s NGFWs are far more sophisticated and capable than even those released just a few years ago. As vendors add new functions such as IPS, application control, content filtering, anti-malware, DNS security and cloud management, it has become harder for the average customer to find the right solution for their environment.

SonicWall commissioned Tolly Group to compare the price and performance of SonicWall’s recently released NSa 2700 with the Fortinet FG 100F. The two firewalls have similar form factors and are comparable in single-appliance price. Tolly used the published numbers and prices from both vendors to calculate the Total Cost of Ownership (TCO) for a 3-year, High-Availability deployment with comparable security features. The full report is here.

When calculating TCO, there are three key considerations: price, protection and performance. The ideal solution will cost least while providing equivalent or, ideally, better protection and functionality. Here are a few of the report’s key findings:

SonicWall’s 3-year TCO is less than two-thirds that of Fortinet

This report compares SonicWall’s NSa 2700 Total Secure Advanced Edition with Fortinet FG-100F Unified Threat Protection, both configured in HA mode. The SonicWall solution has a significantly lower 3-year TCO of $11,002, because SonicWall does not charge licensing for the second unit. This puts it well below Fortinet’s total cost of ownership of $16,520.

SonicWall’s advertised threat protection throughput is 3x that of Fortinet

When looking at product data sheets, it is not uncommon to be overwhelmed with multiple performance numbers. When evaluating a security appliance, you should look for performance numbers that will most closely replicate how you will use the solution in your environment. In the case of a firewall, that number is usually Threat Protection/Prevention when most security features are turned on.

While the two firewalls have similar form factors and price per appliance, SonicWall’s solution offers 3.0 Gbps of threat prevention throughput, compared to Fortinet’s 1 Gbps.

SonicWall has a dramatically lower cost per Gbps for threat protection

At the end of the day, what matters most to an organization is how much it has to spend to protect its environment. For a firewall, that measure is commonly referred to as the cost of threat prevention/protection and is calculated by dividing the TCO by the threat protection throughput.

SonicWall’s solution costs $3,667 for each Gbps of traffic it protects. Fortinet’s figure is $16,520 per Gbps, 4.5x the cost of SonicWall.

Conclusion

When evaluating any security solution, it is important to compare apples to apples. You should obtain and compare the total cost of ownership for 3 to 5 years as opposed to looking at list prices. It is also crucial to look at the right performance numbers, as opposed to just the highest number that vendors offer in their data sheets.