Malicious VBA macro uses CLSID to create Shell object

The SonicWall Capture Labs Threat Research Team has observed Snake Keylogger malware being distributed through malicious Word documents. The sample in distribution creates the WScript.Shell object by its CLSID rather than by its name, which is the form usually seen.

Infection Cycle

Upon opening the document, the user is shown instructions to enable content, as shown below:


Fig-1: Word Document

Shell Object creation:
This sample creates an instance of the WScript.Shell object using its CLSID. A CLSID is a globally unique identifier that identifies a COM class object.

CLSIDs that correspond to the Shell object:

  • {72C24DD5-D70A-438B-8A42-98424B88AFB8}
  • {F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}

The Shell object instance is used to execute the PowerShell command that downloads Snake Keylogger.


Fig-2: VBA Macro present in document
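As an added example (not code from the SonicWall write-up), the following Python function scans extracted VBA source for object creation through a CLSID moniker, which is what the macro above does instead of naming the object; the two CLSIDs listed above are mapped back to WScript.Shell. The sample macro is a constructed stand-in, not the analysed document's macro, and the command passed to .Run is deliberately omitted.

```python
import re

# The two CLSIDs listed in the write-up, mapped back to the COM class they stand for.
SHELL_CLSIDS = {
    "72C24DD5-D70A-438B-8A42-98424B88AFB8": "WScript.Shell",
    "F935DC22-1CF0-11D0-ADB9-00C04FD58A0B": "WScript.Shell",
}

# CreateObject / GetObject whose string argument carries a GUID in braces, e.g.
# CreateObject("new:{...}"). ProgID-based calls such as
# CreateObject("Scripting.FileSystemObject") do not match.
CLSID_CALL = re.compile(
    r'\b(?P<call>CreateObject|GetObject)\s*\(\s*"[^"]*'
    r'\{(?P<clsid>[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})\}[^"]*"',
    re.IGNORECASE,
)


def find_clsid_object_creation(vba_source):
    """Return one finding per CLSID-based object creation in the macro text.

    Each finding is (line_no, call, clsid, resolved_name); resolved_name is
    'unknown' for CLSIDs outside SHELL_CLSIDS so the analyst still sees them.
    """
    findings = []
    for line_no, line in enumerate(vba_source.splitlines(), start=1):
        for m in CLSID_CALL.finditer(line):
            clsid = m.group("clsid").upper()
            findings.append(
                (line_no, m.group("call"), clsid, SHELL_CLSIDS.get(clsid, "unknown"))
            )
    return findings


def is_suspicious(vba_source):
    """True when any object is created through a CLSID. A plain ProgID call is the
    normal, readable form, so going through a CLSID is worth an analyst's look."""
    return len(find_clsid_object_creation(vba_source)) > 0


# Constructed sample macro for the demonstration; it is not the macro from the
# analysed document. The ProgID-based FileSystemObject line must not be flagged.
SAMPLE_MACRO = """Sub AutoOpen()
    Dim fso As Object, sh As Object
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set sh = CreateObject("new:{72C24DD5-D70A-438B-8A42-98424B88AFB8}")
    sh.Run cmd, 0
End Sub"""

if __name__ == "__main__":
    for line_no, call, clsid, name in find_clsid_object_creation(SAMPLE_MACRO):
        print(f"line {line_no}: {call} via CLSID {{{clsid}}} -> {name}")
```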

The PowerShell command is carried in obfuscated form as the body text of the Word document:


Fig-3: Obfuscated PowerShell

The de-obfuscated PowerShell command shows that it carries an AMSI bypass technique for Windows 10 systems. The obfuscation conceals both the AMSI bypass and the next-stage malware download URLs used in the script, which become visible after de-obfuscation.


Fig-4: De-Obfuscated Powershell

The PowerShell code has embedded URLs from which the payload is downloaded. This sample uses the bit.ly URL-shortening service, and the target URL is “hxxp://qadir[.]tickfa[.]ir/ID3/0RIG0000000.jpg”. The payload, a Windows executable, is stored as “0RIG0000000.jpg” on the remote host and belongs to Snake Keylogger.

Payload Analysis:

The payload is a compiled .NET file; its basic information is shown below:


Fig-5: Details of PE file

The downloaded file contains an encrypted PE file in its resources, which is decrypted using AES in ECB mode and loaded into memory. The decryption key is the SHA-256 hash of hardcoded bytes present in the sample.


Fig-6: Decryption routine

Persistence:

The sample copies itself to the Startup folder as drivers.exe.

  • %appdata%\Microsoft\Windows\Start Menu\Programs\Startup\drivers.exe

SonicWall Capture ATP provides protection from this threat as shown below:


Fig-7: Capture ATP report

Indicators Of Compromise:

SHA256

  • 706f441b1e5b188f4373c6b680ea2c2b50ab81c2163bdaf690b3ec224581b8fb — Malicious Document File
  • 81b94fd7902d516f81fa99c090180e431b1e389e2ccd418fa2d0b3105d98fad9 — Downloaded Executable File

Network Connections:

  • bit[.]ly/2ZJ9xRc
  • qadir[.]tickfa[.]ir/ID3/0RIG0000000.jpg

Files:

  • %temp%\czxdpfb.exe
  • %appdata%\Microsoft\Windows\Start Menu\Programs\Startup\drivers.exe


Cybersecurity News & Trends – 04-16-21

This week utilities were under attack, as an Iran nuclear plant and a Kansas water facility both faced sabotage attempts.


SonicWall in the News

Internet of Things Malware Attacks Increase by 152% in North America in 2020, Other Continents also Witness a Significant Spike — Digital Information World

  • This article features data from SonicWall’s recent 2021 Cyber Threat Report, with a focus on the increase in IoT and malware attacks.

Video: 10 Minute IT Jams – SonicWall VP on the cybersecurity lessons learned from the last 12 months — Security Brief Asia

  • SonicWall’s vice president of regional sales – APAC, Debasish Mukherjee, discusses cybersecurity lessons learned from the pandemic.

Why some jobseekers have turned to cyber crime during the pandemic — ComputerWeekly

  • ComputerWeekly spoke with SonicWall EMEA Vice-President Terry Greer-King about cybercriminal activity during the pandemic.

‘Boundless Cybersecurity’: How SonicWall is helping to uncover unknown threats — Intelligent CISO

  • Intelligent CISO interviewed Osca St. Marthe, SonicWall’s executive director of sales engineering for EMEA, about the company’s boundless security model.

Remote Work Sparking Rise in Cybersecurity Threats, HTSA Told — Consumer Electronics Daily

  • SonicWall Solutions Architect Rick Meder was quoted in reference to the 2021 Cyber Threat Report.

Industry News

U.S. House committee approves blueprint for Big Tech crackdown — Reuters

  • The U.S. House of Representatives Judiciary Committee has formally approved a report accusing Big Tech companies of buying or crushing smaller firms, Rep. David Cicilline’s (D-R.I.) office said in a statement Thursday.

NSA, FBI, DHS expose Russian intelligence hacking tradecraft — Cyberscoop

  • The U.S. government warned the private sector that Russian government hackers are actively exploiting vulnerabilities to target U.S. companies and the defense industrial base.

NBA’s Houston Rockets Face Cyber-Attack by Ransomware Group — Bloomberg

  • The NBA’s Houston Rockets are investigating a cyberattack against their networks from a relatively new ransomware group claiming to have stolen internal business data.

IBM Uncovers More Attacks Against COVID-19 Vaccine Supply Chain — Bloomberg

  • A hacking campaign detected by IBM last year targeting organizations involved in the manufacturing, transportation and storage of COVID-19 vaccines is now thought to have targeted more than 40 companies in 14 countries.

Iran nuclear attack: Mystery surrounds nuclear sabotage at Natanz — BBC

  • Within hours of Iran proudly announcing the launch of its latest centrifuges at its site in Natanz, a power blackout damaged some of the machines.

Bitcoin hits record before landmark Coinbase listing on Nasdaq — Reuters

  • Bitcoin hit a record of $62,741 on Tuesday, extending its 2021 rally to new heights a day before the listing of Coinbase shares in the U.S.

100M More IoT Devices Are Exposed—and They Won’t Be the Last — Wired

  • The “Name: Wreck” flaws in TCP/IP are the latest in a series of vulnerabilities with global implications.

QBot malware is back replacing IcedID in malspam campaigns — Bleeping Computer

  • Malware distributors are rotating payloads once again, switching between trojans that in many cases serve as an intermediary stage in a longer infection chain.

Cybersecurity: Victims are spotting cyberattacks much more quickly – but there’s a catch — ZDNet

  • Cybercriminals are spending less time inside networks before they’re discovered. But that’s partly because when hackers deploy ransomware, they don’t stay hidden for long.

Small Kansas water utility system hacking highlights risks — The Washington Times

  • A former Kansas utility worker has been charged with remotely tampering with a public water system’s cleaning procedures, highlighting the difficulty smaller utilities face in protecting against hackers.

Biden budget request calls for major investments in cybersecurity, emerging technologies — The Hill

  • President Biden called for over $1.3 billion in cybersecurity funds, along with major investments in emerging technologies such as quantum computing and artificial intelligence, as part of his proposed budget request sent to Congress.

Financial industry preps for proposal that would require 36-hour breach notification — Cyberscoop

  • A proposal would mandate that financial firms report more kinds of cyber incidents to regulators within 36 hours.

Joker malware infects over 500,000 Huawei Android devices — Bleeping Computer

  • More than 500,000 Huawei users have downloaded from the company’s official Android store applications infected with Joker malware that subscribes to premium mobile services.

In Case You Missed It

Ransomware uses Discord for C2 communications

The SonicWall Capture Labs Research team has observed another ransomware being circulated in the wild recently. To maintain communications with the compromised system, this ransomware uses Discord’s built-in webhooks function. Discord is much more than just a text and voice communication platform geared towards gamers: it offers an open API through which one can create guilds (servers) and channels. A webhook is the easiest way to automate posting messages to a channel. It is basically a URL to which you send a message, which in turn is posted to a specified channel. Using a legitimate platform to send and receive communications disguises malicious network activity as valid traffic in an attempt to bypass security applications. That is why Discord has been favored by cybercriminals lately to aid in their malicious doings.

Infection Cycle:

This ransomware arrives as an executable using the following icon:

Upon execution, it drops the following files in the %temp% directory:

  • %temp%/*random*/*random*/aescrypt.exe – used for encrypting files
  • %temp%/*random*/*random*/DiscordSendWebhook.exe – used to send communication out
  • %temp%/*random*/*random*/1A1C.bat – the main script
  • %temp%/kill.bat – script to kill task manager

It then spawns cmd to run its scripts via the command prompt, letting everything happen in the background without the victim’s knowledge.

It creates a copy of itself and adds it to Startup. It then deletes all volume shadow copies so that the victim cannot restore files, or the entire system, after the ransomware encryption.

  • copy /b /y %0 "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup"
  • wmic shadowcopy delete
  • vssadmin delete shadows /all /quiet

It then sets the following system policies through the registry to ensure uninterrupted execution: disabling the Windows consent prompt before running a program, disabling the Ctrl+Alt+Del keys, disabling Task Manager and swapping the mouse buttons:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v "PromptOnSecureDesktop" /t REG_DWORD /d "0" /f
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d "0" /f
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v "EnableLUA" /t REG_DWORD /d "1" /f
  • HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64 > nul
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v "DisableTaskMgr" /t REG_DWORD /d "1" /f > nul
  • HKCU\Control Panel\Mouse /v SwapMouseButtons /t REG_SZ /d "1" /f > nul

It then uses the Discord webhook functionality to send a message to the following Discord guild.

It also kills all known web browsers that might be running on the system at the time.

Next, it adds two scheduled tasks to ensure that one instance of the malware runs every time a user logs on and another runs every 5 days.

Upon successful encryption of files, the malware sends another message via webhook to its Discord channel with the system info and IDs to help identify this victim’s machine.

Then it creates 100 ransom-note files, Pay2Decrypt1.txt through Pay2Decrypt100.txt, containing information on how to decrypt the files.

This ransomware appends .lck to all encrypted files. It even manages to encrypt its own aescrypt.exe and DiscordSendWebhook.exe.
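The following Python script is an added example, not part of the SonicWall write-up or of the malware: it runs a handful of detection rules for the behaviours described above (shadow-copy deletion, the DisableTaskMgr and Scancode Map registry edits, a batch script launched from %temp%, and a Discord webhook URL on a command line) over constructed Sysmon-style process-creation records. The record layout, the rule names, the thresholds and the webhook placeholder are this example's own assumptions.

```python
import re

# Constructed process-creation records (parent image, image, command line).
# Stand-ins for Sysmon Event ID 1 data, not logs from a real infection; the
# webhook id/token are placeholders and the temp sub-folder names are made up.
SAMPLE_EVENTS = [
    ("explorer.exe", "cmd.exe",
     r"cmd.exe /c C:\Users\victim\AppData\Local\Temp\k3f9\zq1x\1A1C.bat"),
    ("cmd.exe", "vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ("cmd.exe", "wmic.exe", "wmic shadowcopy delete"),
    ("cmd.exe", "reg.exe",
     r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System '
     r'/v "DisableTaskMgr" /t REG_DWORD /d "1" /f'),
    ("cmd.exe", "reg.exe",
     r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout" '
     r'/v "Scancode Map" /t REG_BINARY /d 00000000 /f /reg:64'),
    ("cmd.exe", "DiscordSendWebhook.exe",
     "DiscordSendWebhook.exe https://discord.com/api/webhooks/<id>/<token> encrypted"),
    ("explorer.exe", "notepad.exe", r"notepad.exe C:\Users\victim\notes.txt"),
]

# Each rule is a regex over the command line. The names are this example's own.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "taskmgr_disabled_via_policy": re.compile(r"Policies\\System\b.*DisableTaskMgr", re.I),
    "scancode_map_rewrite": re.compile(r"Keyboard Layout.*Scancode Map", re.I),
    "batch_script_from_temp": re.compile(r"\\Temp\\.*\.bat\b", re.I),
    "discord_webhook_in_cmdline": re.compile(r"discord(app)?\.com/api/webhooks/", re.I),
}


def match_rules(events):
    """Map each rule name to the indices of the events whose command line matches it.
    Rules with no hits are left out so the caller sees only what fired."""
    hits = {}
    for idx, (_parent, _image, cmdline) in enumerate(events):
        for name, pattern in RULES.items():
            if pattern.search(cmdline):
                hits.setdefault(name, []).append(idx)
    return hits


def assess(events):
    """Simple host verdict: shadow-copy deletion combined with at least one of the
    other behaviours is treated as likely ransomware; any single hit is suspicious.
    The thresholds are this example's choice, not a vendor's."""
    hits = match_rules(events)
    if "shadow_copy_deletion" in hits and len(hits) >= 2:
        return "likely ransomware"
    if hits:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    for name, idxs in sorted(match_rules(SAMPLE_EVENTS).items()):
        print(f"{name}: events {idxs}")
    print("verdict:", assess(SAMPLE_EVENTS))
```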

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Pay2Decrypt.RSM

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.


Understanding the Difference Between Azure Firewall Services and SonicWall NSv

The firewall market has always been full of options, with a number of vendors each offering a variety of models. This is truer today than ever, with cybersecurity companies now developing firewalls for the cloud — for example, the Microsoft Azure Firewall and the SonicWall NSv.

If you’re curious about the differences between the two, you’re not alone. To help shed some light, we’ve put together a short guide on which product is best in which situation, and why you’d pick one over the other.

Microsoft Azure Firewall

Before Azure Firewall, there were Azure Network Security Groups (NSGs). NSGs are often auto-generated when deploying a new compute resource. NSGs serve the same purpose as access lists on routers and switches, but they sit directly in front of critical resources. Unlike old-style access lists, NSGs are stateful filters: for convenience, rules only have to be written in the client-to-server direction. NSGs offer features similar to firewalls of the late 90s, sufficient for basic packet filtering.

The Azure Firewall itself is primarily a stateful packet filter. Packet filters, regardless of whether they’re stateful or stateless, have no visibility into the actual data stream that is transported over the network. They have become much less effective, as virtually everything on the Internet uses port 80 (HTTP) and 443 (HTTPS) today. They also miss application identification and decoding.

With the introduction of Azure Firewall, Microsoft appeared to monetize NSGs, but added only a small bit of new functionality — for example, rudimentary application-layer rules and Network Address Translation (NAT). Application-layer rules in Azure Firewall can ONLY filter web traffic by URL name, by looking into the application layer’s HTML header, and for encrypted traffic by doing a reverse name lookup.

This is, by firewall standards, less than a percent of what an NGFW like the SonicWall NSv can do. Deep packet inspection is one of the core requirements for gaining visibility into encrypted data. TLS 1.3 is only partially supported on Azure Firewall: the TLS tunnel from the client to the firewall is based on TLS 1.2.

The user can enable intrusion prevention services, but Microsoft does not provide many details on this service. Microsoft neither reveals the number of signatures supported, nor discloses how often these signatures are updated. There is no sandbox or in-memory analysis of zero-day threats.

Moreover, Network Address Translation normally allows for the mapping of any part of the source/destination IP and source/destination ports. Azure natively supports the one-to-one mapping of private IPs to public IPs. Beyond that, Azure Firewall only adds the mapping of destination ports, which has very limited use in reality because most services run over ports 80 and 443 and do not accept different ports. Other NAT combinations, often used to merge the networks of trade partners or corporate acquisitions, are not supported.

Managing and reporting tend to be problematic in the Azure Firewall. NSGs can generate traffic logs, but you need a third party to review them. This is mostly useful for debugging. Azure Firewall has a monitoring resource, but it only gives you an overview — meaning it’s not useful for audits or troubleshooting.

Managing Azure Firewall is very similar to managing NSG and must be done via typical Azure settings management. Once you set it, you cannot change it.

You may be used to the quirks of the Azure user interface, but imagine using it to manage a large rulebase with groups and nested objects, with the need to periodically clean it up while you grow it — for example, changing the names of objects. This is close to impossible with Azure Firewall. Plus, Azure Policy does not offer any structured policy elements, such as object-based rule creation or nested objects.

SonicWall NSv Series Virtual Firewall

SonicWall’s NSv Series virtual firewall provides all the security advantages of a physical firewall with the operational and economic benefits of virtualization — including system scalability and agility, speed of system provisioning, simple management and cost reduction.

Modern firewalls such as the NSv Series, also known as next-generation firewalls (NGFWs), offer application-layer filtering on top of stateful socket filtering. Instead of just filtering out some traffic going to TCP ports 80 or 443 — the two ports utilized by almost all internet traffic — you can filter on the actual traffic flowing over these ports and distinguish between legitimate traffic and malware.

NSv delivers full-featured security tools to shield all critical components of the private/public cloud environments from resource misuse attacks, cross-virtual-machine attacks, side-channel attacks, and common network-based exploits and threats. With infrastructure support for reliable distributed clustering and scaling, the SonicWall NSv Series ensures system resiliency, operational uptime, service delivery and availability, and conformance to regulatory requirements.

NSv is available for VMware ESXi, and also runs for lab use on VMware Workstation and VMware Fusion, Hyper-V, KVM, AWS and Azure. You will find the same features on the virtual and cloud versions as you find on the appliances, including Deep Packet Inspection (DPI) and Gateway Anti-Virus (GAV), with real-time cloud support and our award-winning, patented RTDMI™ in-memory scanner, which captures dormant malware and zero-day threats. NSv is rated by the independent NetSecOPEN as one of the most effective next-generation firewalls on the market.

General Features NSv Azure NSG Azure FW
Stateful packet filtering
Zone based security X
Protection of multiple networks X X
Socket based security X X X
CIDR and port range definitions X X X
Custom Protocol ID X
Address groups X X
Service groups X
Object Nesting X
FQDN X preview
Deny vs Discard X
Scalability X X
Flow logs IPFIX
Syslog
Inside VM
Azure storage Azure storage
Event Hub
Network Address Translation
Basic Static NAT X X X
Port Address Translation X X
Basic Dynamic Address Translation X X X
Surgical NAT combination X
Next-generation security services
App Control X
Gateway Anti Virus (GAV) X
Intrusion Detection and Prevention (IPS) X X (basic)
Anti Spyware X
Anti Spam X
Content Filtering X
URL filtering X X
Botnet X
Malicious URLs X
Geo Fencing X
Inspection of encrypted traffic X (SSL and SSH)
SSL Server offloading X
Sandboxing X
RTDMI and 0-day threats X
Networking Features
VPN X
OSPF and BGP X
SD-WAN X
Reporting
Log Analytics NSv NSM Third party Azure Monitor
Bandwidth logging IPFIX Syslog Inside VM Azure storage

In addition, the SonicWall NSv Series offers three major features that take NGFWs into the 21st century. SonicWall NSv has the ability to intercept, decode, inspect and re-encode encrypted traffic so that an intruder cannot evade the firewall altogether (DPI-SSL). It also features the ability not just to classify known traffic as good or malicious, but also to detonate and test unknown traffic in real time in a safe sandbox environment (Capture ATP). Finally, with RTDMI, it has the ability to analyze malicious software that lies undetected and dormant until some trigger activates it.

These three features cover a large percentage of today’s malware — malware for which traditional signature-based filters such as the Azure Firewall are not effective.

NSv can also terminate VPN tunnels, either to a physical office, vendor or work-from-home employee, or within the cloud. In addition, NSv is a fully functional security router. Besides standard dynamic routing protocols, it also offers smart routing according to traffic content and congestion.

As far as reporting and analytics go, NSv is the clear winner. In addition to a clean and easy-to-operate WebUI, SonicWall NSv offers highly scalable rule management, monitoring and analytics via the cloud-based SonicWall NSM, which manages hundreds or thousands of instances.

In short, Azure Firewall offers the sort of functionality you can find on a $100, big-box-purchased broadband router. It offers none of the many features that you find on an enterprise firewall — and for that matter, not a lot of valuable functionality over free NSGs.

Do yourself a favor: Save your organization some money and look at an actual cloud-based firewall. If you are familiar with managing enterprise firewalls, the SonicWall NSv is an instinctive choice for a cloud firewall.

Clear and Present Danger: Why Cybersecurity is More Critical than Ever

As the world began battling a once-in-a-century pandemic in 2020, global companies were caught grossly underprepared for what followed. With remote working and digital tech becoming the default, companies scrambled to adjust, which exposed severe technological vulnerabilities that threatened business continuity.

Cybersecurity has become one of the biggest challenges facing businesses around the world today. The pandemic has set into motion a wave of cybersecurity incidents, the ripples of which are still being felt a year into this so-called “new normal.” As outlined in the 2021 SonicWall Cyber Threat Report:

  • By March 2020, cyberattacks across the world doubled.
  • In June, mobile phishing increased by 37%.
  • During the same month, an unidentified European bank became the target of an 809 million packet-per-second DDoS attack — the largest to hit any network.
  • In July, the Twitter accounts of several high-profile individuals, including Joe Biden, Barack Obama, Bill Gates and Elon Musk, were hacked to scam Bitcoin from followers.
  • In September, cybercriminals threatened thousands of global organizations across a variety of industries with DDoS attacks unless they paid a ransom within six days.
  • December 2020 saw the infamous SolarWinds intrusion, which industry pundits say had the most significant impact of any cyberattack in American history.

The SonicWall Cyber Threat Report for 2021 also highlights key cybersecurity trends from 2020: While malware attacks went down by 43% (perhaps due to limited visibility as the global workforce worked remotely), this drop coincided with record or near-record highs in other forms of attack. For instance, ransomware increased by a staggering 63% over 2019, intrusion attempts increased by 20% compared to 2019 (year-over-year attacks in Europe quadrupled), and IoT malware skyrocketed by a whopping 66%.

Research by Bain & Company near the end of 2019 found that executives at several corporations overrate their cybersecurity effectiveness and lack the strategic capabilities essential for a robust posture, with only 25% of companies following cybersecurity best practices. Given these findings, the exponential increase in cyberattacks once COVID-19 hit should come as little surprise.

Asia, a Fertile Ground for Cybersecurity Breaches

Even before the novel coronavirus disrupted businesses, only a handful of organizations, particularly in Asia and India, had the robust cybersecurity capabilities required to combat growing attacks. The pandemic has inevitably expanded that risk many times over, given the shift in work patterns and operating models. The region is ripe for cybercriminals to thrive in (some reports suggest that Asia is 80% more likely to be targeted by hackers) due to poor cybersecurity awareness, growing cross-border data transfers, weak regulations and low cybersecurity investment.

Yet another report suggests that India witnessed the second-highest number of cyberattacks in Asia-Pacific in 2020 (second only to Japan), and accounted for 7% of all cyberattacks seen in the region.

And the data from the 2021 Cyber Threat Report supports these findings. For example, while Europe saw an average of 21% more encrypted attacks in 2020, in Asia, year-over-year totals increased by a mammoth 151%. Ransomware, too, saw a mind-boggling 455% spike in Asia.

Besides the lack of IT security-related awareness and limited budgets, the skill gap in the cybersecurity domain is another impediment faced by businesses in the region. And this gap continues to widen, with many cybersecurity experts constrained by the lack of career development and training offered to them and little strategic planning by organizations when it comes to cybersecurity.

The Road Ahead

Building a robust, viable cybersecurity system takes more than technology. It also demands long-term commitment and developing an array of strategic capabilities. While companies rolled out remote working security measures that included VPNs, endpoint protection and advanced authentication, they could not fully mitigate the inherent weaknesses in WFH models.

It is vital to continue ongoing measures such as continuously evaluating and adjusting technology standards, providing security awareness training to employees, and maintaining a security baseline for WFH. It is also essential for businesses to reassess and stay on top of their security capabilities as they modify operations for the post-pandemic world.

Over time, the cybersecurity business gap will continue to grow, threats will become more oblique, and skilled staff will be increasingly harder to find. It is vital for businesses to bridge the gap now, lest they fall victim to a cyberattack. Knowledge and business insights from assessing research and trends can alert you to the threats out there, but to become a truly robust and secure organization, cybersecurity should be a central pillar of your IT strategy supported by solutions that can identify and prevent sophisticated threats.

Microsoft Security Bulletin Coverage for April 2021

The SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of April 2021. A list of the issues reported, along with SonicWall coverage information, is as follows:

CVE-2021-28310 Win32k Elevation of Privilege Vulnerability
ASPY 173 Malformed-File exe.MP.175

CVE-2021-28324 Windows SMB Information Disclosure Vulnerability
ASPY 175 Malformed-File exe.MP.178

CVE-2021-28325 Windows SMB Information Disclosure Vulnerability
ASPY 176 Malformed-File exe.MP.179

CVE-2021-28442 Windows TCP/IP Information Disclosure Vulnerability
ASPY 174 Malformed-File exe.MP.177

The following vulnerabilities do not have known exploits in the wild:

CVE-2021-26413 Windows Installer Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-26415 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26416 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-26417 Windows Overlay Filter Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-27064 Visual Studio Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-27067 Azure DevOps Server and Team Foundation Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-27072 Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-27079 Windows Media Photo Codec Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-27086 Windows Services and Controller App Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-27088 Windows Event Tracing Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-27089 Microsoft Internet Messaging API Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27090 Windows Secure Kernel Mode Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-27091 RPC Endpoint Mapper Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-27092 Azure AD Web Sign-in Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-27093 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-27094 Windows Early Launch Antimalware Driver Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-27095 Windows Media Video Decoder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27096 NTFS Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-28309 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-28311 Windows Application Compatibility Cache Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-28312 Windows NTFS Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-28313 Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-28314 Windows Hyper-V Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-28315 Windows Media Video Decoder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28316 Windows WLAN AutoConfig Service Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-28317 Microsoft Windows Codecs Library Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-28318 Windows GDI+ Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-28319 Windows TCP/IP Driver Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-28320 Windows Resource Manager PSM Service Extension Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-28321 Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-28322 Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-28323 Windows DNS Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-28326 Windows AppX Deployment Server Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-28327 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28328 Windows DNS Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-28329 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28330 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28331 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28332 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28333 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28334 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28335 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28336 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28337 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28338 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28339 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28340 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28341 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28342 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28343 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28344 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28345 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28346 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28347 Windows Speech Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-28348 Windows GDI+ Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28349 Windows GDI+ Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28350 Windows GDI+ Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28351 Windows Speech Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-28352 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28353 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28354 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28355 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28356 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28357 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28358 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28434 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28435 Windows Event Tracing Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-28436 Windows Speech Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-28437 Windows Installer Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-28438 Windows Console Driver Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-28439 Windows TCP/IP Driver Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-28440 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-28441 Windows Hyper-V Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-28443 Windows Console Driver Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-28444 Windows Hyper-V Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-28445 Windows Network File System Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28446 Windows Portmapping Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-28447 Windows Early Launch Antimalware Driver Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-28448 Visual Studio Code Kubernetes Tools Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28449 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28450 Microsoft SharePoint Denial of Service Update
There are no known exploits in the wild.
CVE-2021-28451 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28452 Microsoft Outlook Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2021-28453 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28454 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28456 Microsoft Excel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-28457 Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28458 Azure ms-rest-nodeauth Library Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-28459 Azure DevOps Server and Team Foundation Services Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-28460 Azure Sphere Unsigned Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28464 VP9 Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28466 Raw Image Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28468 Raw Image Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28469 Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28470 Visual Studio Code GitHub Pull Requests and Issues Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28471 Remote Development Extension for Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28472 Visual Studio Code Maven for Java Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28473 Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28475 Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28477 Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28480 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28481 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28482 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28483 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.

Emotet and Trickbot: The Battle of the Botnets

Emotet began as a banking trojan in 2014 — but from this inauspicious start, it grew to become “the world’s most dangerous malware” according to Europol, and one of the Cybersecurity and Infrastructure Security Agency’s “most prevalent ongoing threats.”

The botnet earned its reputation in a number of ways.

  • It was strikingly common. By 2021, Emotet was involved in one-third of malware attacks.
  • It was resilient. The botnet was capable of spreading laterally once it had gotten access to just a small number of devices in a network.
  • It was targeted. One Emotet module collected a portion of each email in a victim’s inbox, enabling highly targeted phishing attempts capable of replying to and quoting legitimate emails.
  • It was automated. Once it gained control of a device, it distributed itself to the user’s contacts and attempted to brute force its way onto any other devices connected over the same network.

And in many cases, it was just the beginning. In the SonicWall 2021 Cyber Threat Report, we detailed the meteoric rise of Ryuk ransomware. While Ryuk is certainly formidable in its own right (see rapid growth in graph below), a key to its swift success was the leg up it received in the form of Emotet. Emotet was offered for hire to Ryuk operators, who used access already established by Emotet to deploy the ransomware upon networks of those deemed valuable targets.

To compare it to crime in the physical space, consider a group of burglars with plans to rob a bank. What would be easier: finding a way to break in themselves, or hiring someone on the inside to simply leave a door open?

The End of Emotet

But in the end, it was Emotet’s success and versatility that led to its downfall. In response to the rampant proliferation of the botnet, law-enforcement agencies from at least eight different countries formed a multinational organization with the goal of disrupting it and taking it down.

In January 2021, law enforcement and judicial authorities succeeded in gaining control of the servers used by Emotet. Then, they replaced the Emotet malware on these servers with a harmless file created by law enforcement. By preventing new devices from downloading the malware, the spread of Emotet to additional targets was halted.

While this disruption will likely prevent a number of infections — some costing more than a million dollars to mitigate — in the short term, the long-term impact remains much less clear.

As Fernando Ruiz, Europol’s European Cybercrime Centre head of operations, told ZDNet, “We expect it will have an impact because we’re removing one of the main droppers in the market. For sure there will be a gap that other criminals will try to fill, but for a bit of time, this will have a positive impact on cybersecurity.”

History Repeating

It’s possible that, in a best-case scenario, this disruption will eliminate Emotet for good, and have a long-term positive effect on the amount of malware going forward.

For an idea of how a worst-case scenario might play out, however, we only have to look back about six months — to none other than the rumored Emotet heir apparent, Trickbot.

Since its development in late 2016, the operators of Trickbot have successfully infected over a million devices globally. As with Emotet, there are a variety of factors that contribute to make Trickbot an oversized threat, including its ever-evolving modular capabilities, ability to infect IoT devices and its proficiency at stealing information.

But it was Trickbot’s potential to deploy ransomware or DDoS attacks in advance of the 2020 U.S. presidential election that presented the most pressing danger.

Hoping to prevent a large-scale disturbance in the democratic process, Microsoft obtained a court order allowing it to shut down Trickbot’s operations. In a joint effort with global telecommunications companies, Microsoft was able to disable Trickbot’s infrastructure, taking down new servers that Trickbot was attempting to use as replacements almost as soon as they went online. The actual operation itself took less than a week, and by October 18, 2020, the vast majority of Trickbot’s critical infrastructure had been disabled.

While the takedown was a success in terms of preventing election tampering, this respite wasn’t long-lived: By the time the U.S. Electoral College held its confirmation vote in December, Trickbot was already showing signs of a resurgence. A new version was spotted that included upgraded means of evading detection, along with other features. And in January, ZDNet reported a malware campaign that “has the hallmarks of previous Trickbot activity.”

Will Emotet take a similar path and come roaring back to life? We don’t know yet, but with so much money to be made, it certainly isn’t out of the realm of possibility.

In the meantime, the takedown of Emotet in early 2021 seems to be fueling the ongoing resurgence in Trickbot, which is rising to fill the void left behind.

Until both are gone for good, the best protection against botnets like Emotet and Trickbot is a sound and proven security posture, frequent software and firmware updates, and comprehensive cybersecurity awareness. The latter includes everyday vigilance and adherence to best practices, along with staying up to date on current trends in cybercrime.

For more on Ryuk, Emotet and other malware, download the 2021 SonicWall Cyber Threat Report.

SSRF, vRealize Operations Manager API

Overview:

  VMware vRealize Operations Manager delivers intelligent operations management with application-to-storage visibility across physical, virtual, and cloud infrastructures. CVE-2021-21975 is an unauthenticated server-side request forgery (SSRF) vulnerability in the VMware vRealize Operations Manager API. The vulnerability was privately reported to VMware. Patches and workarounds are available to address the vulnerability in the impacted VMware products listed below. VMware has evaluated this issue to be of ‘Important’ severity with a maximum CVSSv3 base score of 8.6.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-21975.

Common Vulnerability Scoring System (CVSS):

  Base 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C):
    • Access vector is NETWORK
    • Access complexity is LOW
    • Level of authentication required is NONE
    • Impact of this vulnerability on data confidentiality is COMPLETE
    • Impact of this vulnerability on data integrity is COMPLETE
    • Impact of this vulnerability on data availability is COMPLETE
  Temporal 7.8 (E:POC/RL:OF/RC:C):
    • The exploitability level of this vulnerability is PROOF OF CONCEPT
    • The remediation level of this vulnerability is OFFICIAL FIX
    • The report confidence level of this vulnerability is CONFIRMED

Attack Behavior & Chain Reaction:

  Performs a Server Side Request Forgery attack to steal administrative credentials.

Triggering the Vulnerability:

  One of the REST API URIs vRealize Operations Manager supports is “/casa/nodes/thumbprints”, which is accessible without authentication because of the following entry in the casa-security-context.xml file:
  <sec:http pattern="/nodes/thumbprints" security="none" />

  On the server end, a function called getNodesThumbprints() is called to handle API requests on the above URI. The HTTP payload for this request is an address array in JSON format, such as:
  ["127.0.0.1:443"]

  The vulnerability is due to a lack of sanitization of the incoming HTTP requests. When the server receives an HTTP POST request to the URI “/casa/nodes/thumbprints”, the vulnerable function getNodesThumbprints() takes the address array from the HTTP data payload and sends an HTTP request for the URI “/casa/node/thumbprint” to each of these addresses.

  If a URI path is included in an address value of the array, “/casa/node/thumbprint” is appended to that path before the request is sent. For example, if the following HTTP data payload is sent:
  ["test.com:443/test/"]

  Then the function getNodesThumbprints() will request the URI “/test/casa/node/thumbprint” from test.com:443. Consequently, attackers cannot fully control the URI of the forged requests. Note that in versions before VMware vRealize Operations Manager 8.3, the server sends the credentials of the “maintenanceAdmin” account in the Authorization header of this HTTP request.

  A remote attacker could exploit the vulnerability by sending a crafted request to target server. Successful exploitation could result in stealing of administrative credentials in some versions of VMware vRealize Operations Manager.
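The following added example (not VMware's code) models the address handling described above and adds the validation the endpoint lacked: each entry of the POST body is parsed as host[:port][/path], the outbound request the article describes is reconstructed for triage, and an entry is rejected when it carries a path or names a host outside an assumed allowlist of cluster nodes. The parsing rule is an assumption derived from the article's two sample payloads.

```python
"""Model of /casa/nodes/thumbprints address handling plus the missing
input validation. Added example; not VMware's implementation."""
import json
import re
from dataclasses import dataclass
from typing import List, Optional

THUMBPRINT_URI = "/casa/node/thumbprint"

# host[:port][/path]; a deliberately simple grammar (assumption, not
# VMware's parser). IPv6 literals are not handled.
_ADDR_RE = re.compile(r"^(?P<host>[^:/]+)(?::(?P<port>\d{1,5}))?(?P<path>/.*)?$")


@dataclass
class Outbound:
    host: str
    port: int
    uri: str


def model_forwarded_request(entry: str) -> Optional[Outbound]:
    """Reconstruct the request the vulnerable handler would send: any path
    present in the entry is kept and THUMBPRINT_URI is appended to it."""
    m = _ADDR_RE.match(entry)
    if not m:
        return None
    path = (m.group("path") or "").rstrip("/")
    port = int(m.group("port") or 443)  # default port is an assumption
    return Outbound(m.group("host"), port, path + THUMBPRINT_URI)


def validate_node_entry(entry: str, cluster_nodes: List[str]) -> List[str]:
    """Return the reasons an entry must be rejected (empty list = accepted).
    cluster_nodes is an allowlist of known node addresses that a hardened
    handler is assumed to have available."""
    reasons = []
    m = _ADDR_RE.match(entry)
    if not m:
        return ["unparseable address"]
    if m.group("path"):
        reasons.append("path component not allowed")
    host = m.group("host")
    if host not in cluster_nodes:
        reasons.append(f"host {host!r} is not a cluster node")
    port = m.group("port")
    if port is not None and not 1 <= int(port) <= 65535:
        reasons.append("port out of range")
    return reasons


def triage_payload(body: str, cluster_nodes: List[str]) -> List[dict]:
    """Triage one POST body: one record per entry with the modelled
    outbound request and the rejection reasons (useful when reviewing
    captured requests against the endpoint)."""
    try:
        entries = json.loads(body)
    except json.JSONDecodeError:
        return [{"entry": body, "outbound": None, "reasons": ["body is not JSON"]}]
    if not isinstance(entries, list):
        return [{"entry": body, "outbound": None, "reasons": ["body is not an array"]}]
    out = []
    for entry in entries:
        if not isinstance(entry, str):
            out.append({"entry": entry, "outbound": None,
                        "reasons": ["entry is not a string"]})
            continue
        out.append({"entry": entry,
                    "outbound": model_forwarded_request(entry),
                    "reasons": validate_node_entry(entry, cluster_nodes)})
    return out
```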

Post Data:

Affected products:

  vRealize Operations Manager
  • 7.0.0
  • 7.5.0
  • 8.0.0, 8.0.1
  • 8.1.0, 8.1.1
  • 8.2.0
  • 8.3.0
  VMware Cloud Foundation (vROps)
  • 3.x
  • 4.x
  vRealize Suite Lifecycle Manager (vROps)
  • 8.x

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 15487 VMware vRealize Operations Manager API SSRF

Remediation Details:

  • The file /usr/lib/vmware-casa/casa-webapp/logs/casa.log is of particular interest for tracking suspicious requests.
  • KB83210
  • KB83095
  • KB83094
  • KB83093
  • KB82367
  • KB83287


Appendix – Discovered By:

  Egor Dimitrenko of Positive Technologies reported this vulnerability.

Uniwinnicrypt ransomware charges over $550k for file recovery

The SonicWall Capture Labs threat research team has been tracking a ransomware family named Uniwinnicrypt. This malware is aimed at large corporations, and the operators charge over $550k USD in cryptocurrency (Monero and Bitcoin) for file recovery. A custom chat site hosted on the Tor network is provided by the operators for negotiations with their victims. However, conversations between the victims and operators are publicly accessible.


Infection cycle:


Upon infection, code is injected into grpconv.exe, iexpress.exe or write.exe. This injected code performs the encryption of files on the system:


The extension “.uniwinnicrypt” is appended to all encrypted files.


HOW_FIX_FILES.htm is dropped into every directory where files were encrypted. It contains the following message:


The Tor link leads to the following page:


After entering the requested information, the following existing conversation between a victim (not us) and the operator can be seen:


SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Uniwinnicrypt.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Cybersecurity News & Trends – 04-09-21

This week, educational institutions around the world found themselves the target of malware, as lawmakers faced pressure to increase protection for schools and universities.


SonicWall in the News

Keeping Tabs on IoT Security — Enterprise IT News

  • SonicWall Vice President of Regional Sales (APAC) Debasish Mukherjee was interviewed on the recent 2021 Cyber Threat Report.

Logically Buys MSSP Company, Sets Sights on $100M — TechTarget: SearchITChannel

  • This article mentions SonicWall’s strategic alliance with MSSP company Cerdant.

Industry News

European Institutions Were Targeted in a Cyberattack Last Week — Bloomberg

  • A spokesperson for the commission said that a number of EU bodies “experienced an IT security incident in their IT infrastructure.”

China Creates Its Own Digital Currency, a First for Major Economy — The Wall Street Journal

  • A cyber yuan stands to give Beijing power to track spending in real time. It also could soften the bite of U.S. sanctions.

US DoD Launches Vuln Disclosure Program for Contractor Networks — Security Week

  • The U.S. Department of Defense announced the launch of a new vulnerability disclosure program to identify vulnerabilities in Defense Industrial Base contractor networks.

Ransomware Hits TU Dublin and National College of Ireland — Bleeping Computer

  • The National College of Ireland is working on restoring IT services after being hit by a ransomware attack that forced the college to take IT systems offline.

FBI, CISA Warn Fortinet FortiOS Vulnerabilities Are Being Actively Exploited — ZDNet

  • APT groups are suspected of harnessing three bugs, two critical, for data exfiltration purposes.

University of California Victim of Ransomware Attack — The Hill

  • The university said in a statement that it — along with several other government agencies, private companies and other schools — has been involved in an attack involving Accellion, a secure file transfer company.

Malicious Cheats for Call of Duty: Warzone Are Circulating Online — Ars Technica

  • Activision said that a popular cheating site was circulating a fake cheat for “Call of Duty: Warzone” that contained a dropper, a type of backdoor that installs specific pieces of malware.

Malware Attack is Preventing Car Inspections in Eight U.S. States — Bleeping Computer

  • A malware attack on emissions testing company Applus Technologies is preventing vehicle inspections in Connecticut, Georgia, Idaho, Illinois, Massachusetts, Utah and Wisconsin.

As Ransomware Stalks the Manufacturing Sector, Victims Are Still Keeping Quiet — Cyberscoop

  • While competition from companies with cheap labor has long been an economic concern for U.S. manufacturers, cyberattacks have crept gradually into the equation.

Lawmakers Urge Education Department to Take Action to Defend Schools from Cyber Threats — The Washington Times

  • Representatives urged the Department of Education to prioritize protecting K-12 institutions from cyberattacks, which have shot up in the past year as classes moved increasingly online.

Feds Say Man Broke Into Public Water System and Shut Down Safety Processes — Ars Technica

  • The indictment underscores the potential for remote intrusions to have fatal consequences.

Ransomware Gang Wanted $40 Million in Florida Schools Cyberattack — Bleeping Computer

  • Fueled by large payments from victims, ransomware gangs have started to demand ridiculous ransoms from organizations that cannot afford them.

U.S. DOJ: Phishing Attacks Use Vaccine Surveys to Steal Personal Info — Bleeping Computer

  • The U.S. Department of Justice warned of phishing attacks using fake post-vaccine surveys to steal money or trick people into handing over their personal information.

In Case You Missed It