Resist the Lure of Amazon Spear Phishing

Let’s be real: Approximately everyone and their grandma buy things on Amazon. Amazon became the world’s largest retailer in 2019, and its branding is recognized around the globe. But this widespread popularity can bring with it other, less desirable consequences.

Due to its ubiquity, Amazon is one of the most mimicked companies in email phishing. Because so many people use Amazon, the hackers can create a phishing template and use it many times, simply substituting pertinent personal information based on the target. And since most potential targets will at least have an Amazon account, if not be current users, the odds that the phish will prompt action are much greater.

While these phishing attempts take many forms, in the example below, the attackers have spoofed an order confirmation from the Amazon website. The hope is that this confirmation will attract the target’s attention and raise alarm that someone has made an unauthorized purchase.

Despite being an imperfect attempt — the logo is wrong, plus there are grammatical errors — the hallmarks of spear phishing are still present. These attempts are more sophisticated (and thus more dangerous) than standard phishing attempts because the hackers have taken the time to learn about their target, and in turn use this information to craft more convincing lures. Here, the information being leveraged is a name and address, but in reality can be just about anything that could make the attempt seem more authentic.

In this case, the hackers have prompted the target to call a number and report unfamiliar transactions in multiple places on the email, even highlighting this call-to-action to make it pop. (Because this is only a portion of the full email, it is only visible once.)

Calling the number will connect the target with hackers, who will attempt to trick the caller into thinking they are from Amazon Support. If the ruse is successful, the hackers will try to get the victim to reveal personal credentials or other information that could be used to further exploit them.

As attacks like this continue to succeed, they will only get more plentiful. While it’s important that all employees know how to spot a phish, with these sorts of attacks becoming more sophisticated every day, this is no longer a reliable first line of defense.

By implementing solutions such as SonicWall Cloud App Security (CAS) or SonicWall Email Security, you can stop these sorts of attempts from reaching the inbox in the first place — and prevent the data theft, ransomware and more that can result from a successful spear phish. To learn more about how to harden your business against spear phishing attempts, contact us.

Already a Record-Breaking Year for Ransomware, 2021 May Just Be Warming Up

We live in a nation preoccupied with the setting of new records. But while many records are newsworthy, not all of this news is good news. Two examples that have recently made headlines: the mid-June heatwave that has shattered temperature records all over the American West, and the unprecedented wave of ransomware attacks currently torching networks … well, just about everywhere.

“Through May, SonicWall recorded 226.3 million ransomware attacks, a 116% year-to-date increase over 2020, indicating cybercriminals’ rapidly evolving and highly profitable attack tactics,” said SonicWall President and CEO Bill Conner. “In fact, May 2021 was victim to the highest number of ransomware attacks we have ever recorded.”

Increases in ransomware attacks were recorded even in countries that had already been struggling with comparatively large amounts of ransomware, such as the U.S. and the U.K., which saw ransomware attacks spike 149% and 69%, respectively.

Since the beginning of the year, it seems that 2020’s perfect storm for cybercrime in general, and ransomware in particular, has only grown in intensity. On the heels of its late 2020 performance, itself record-breaking, Bitcoin continued thundering on into 2021, reaching a new high in each of the first four months of this year.

Around the world, fortunes were being made on cryptocurrency. And ransomware, its barriers to entry lower than ever due to readily available hacking tools and platforms such as Discord, attracted an increasing number of cybercriminals looking for a quick, easy way to obtain the bitcoin that could make their fortunes.

Unfortunately, in this storm, victims are finding that lightning strikes the same place twice with frightening regularity. Companies eager to move past increasingly sophisticated and debilitating ransomware attacks, and often sheltered by high-dollar ransomware insurance policies, too often pay the ransom — only to be targeted again shortly after.

According to ZDNet, roughly eight in 10 organizations that paid ransom demands were subsequently attacked again, with nearly half of these victims saying they believe the second attack was perpetrated by the same criminals as the first.

And these criminals are continuing their shift toward soft targets, including hospitals, utilities, schools and government agencies. In early March, Broward County School District in Fort Lauderdale, Fla., set its own record when it received a $40 million ransom demand — the highest ever for an educational institution.

And in May, the Colonial Pipeline ransomware attack brought one of the nation’s largest fuel transportation networks to a standstill for nearly a week, leading to fuel shortages and panic buying.

“The bombardment of ransomware attacks is forcing organizations into a constant state of defense rather than an offensive stance,” Conner said. “And as the tidal wave of ransomware attacks continues to crush company after company, there is a lot of speculation on how to keep individual organizations safe, but no real consensus on how to move forward when it comes to combating ransomware as a whole.

“Law enforcement agencies and political figures continue to voice opinions that constantly contradict each other on how best to fight adversaries that know no boundaries, do not adhere to international laws and are far from the charitable operators they claim to be,” Conner said. “The volume of targeted attacks on government organizations and enterprises that impact civilians, countries and the global economy will not end without a change in approach.”

But many countries — particularly those that have been hardest hit by ransomware, such as the U.S. and the U.K. — are mobilizing to fight back. With ransomware attacks now elevated to a matter of national security, increased funding for fighting cybercrime and penalties at the national level for countries that harbor ransomware groups could finally begin to turn the tide.

To find out which areas have been most impacted by 2021’s record ransomware — and whether the current flood of ransomware will rise to set new records in June and beyond — stay tuned for the mid-year update to the 2021 SonicWall Cyber Threat Report, coming in July 2021.


Cybersecurity News & Trends

This week SonicWall announced that it had recorded a staggering 116% increase during the first five months of 2021 over the same period last year — with May notching more ransomware attacks than any other single month on record.


SonicWall in the News

Ransomware Attack Roiled Meat Giant JBS, Then Spilled Over to Farmers and Restaurants — The Wall Street Journal

  • During a recent supply chain attack, plants were closed, the prices of beef and pork climbed, and farmers sought new buyers for their livestock.

Mastercard Foundation gives $1.3 billion to boost vaccinations in Africa — PBS Newshour

  • The 2021 SonicWall Cyber Threat Report data was referenced in the PBS Newshour segment regarding the Mastercard Foundation’s donation to fund vaccinations in Africa.

World leaders target cyber threats — The Financial Times

  • The clean energy company Invenergy said it had been hacked but did not intend to pay any ransom after Russia-linked hacking group REvil threatened to leak embarrassing details about its billionaire chief executive.

Ransomware Gangs Say This Makes You a Target — SDx Central

  • Maor pointed to an RSA Conference session titled “Two Weeks With a Russian Ransomware Cell” by SonicWall Senior Product Strategist Brook Chelmo, in which Russian attackers gave Chelmo tips on how to avoid being attacked.

Why Is Ransomware on the Rise? — The Markup

  • “During the first five months of this year, the company tracked a 116 percent increase in ransomware attempts compared to the same period in 2020, and the 62.3 million attacks it detected this May were the most it has ever recorded in a single month,” said Dmitriy Ayrapetov, vice president of platform architecture for SonicWall.

Industry News

Digital ad industry accused of huge data breach — The BBC

  • The Irish Council for Civil Liberties is suing a branch of the Interactive Advertising Bureau (IAB) and others over what it describes as “the world’s largest data breach.”

Ukraine arrests Clop ransomware gang members, seizes servers — Bleeping Computer

  • Ukrainian law enforcement arrested cybercriminals associated with the Clop ransomware gang and shut down infrastructure used in attacks targeting victims worldwide since at least 2019.

‘That horse has left the barn’: Secret Service official says ransom payments have fueled hacking sprees — Cyberscoop

  • “We’re in this boat we’re in now because over the last several years, people have paid the ransom,” Stephen Nix, assistant to the Special Agent in Charge at the U.S. Secret Service, said.

Most firms face second ransomware attack after paying off first — ZDNet

  • Some 80% of businesses that choose to pay to regain access to their encrypted systems experience a subsequent ransomware attack, and 46% of those believe the second attack was instigated by the same attackers.

VPN Attacks Surged in First Quarter — Dark Reading 

  • Attacks against virtual private network products surged dramatically in the first quarter of 2021 as threat actors tried to take advantage of previously disclosed vulnerabilities that organizations had not patched.

Audi, Volkswagen data breach affects 3.3 million customers — Bleeping Computer

  • Audi and Volkswagen have suffered a data breach affecting 3.3 million customers after a vendor exposed unsecured data on the internet.

Burgeoning ransomware gang Avaddon appears to shut down, mysteriously — Cyberscoop

  • The operators left no explanation for why they might have done so, and they’re letting their remaining victims off the hook. Avaddon sent Bleeping Computer 2,934 decryption keys, after which the security firm Emsisoft produced a free, public decryption tool.

McDonald’s Hit by Data Breach — The Wall Street Journal 

  • The hack exposed some U.S. business information and customer data in South Korea and Taiwan, the company said.

Network security firm COO charged with medical center cyberattack — Bleeping Computer

  • The former chief operating officer of Securolytics, a network security company providing services for the health care industry, was charged with allegedly conducting a cyberattack.

EA source code stolen by hacker claiming to sell it online — Ars Technica

  • Game maker Electronic Arts is responding to the theft of gigabytes of private data by hackers who breached its internet-connected networks.

Justice Department, international law enforcement disrupt major marketplace for cybercriminals — Cyberscoop

  • DOJ worked with international law enforcement to take down an online marketplace, Slilpp, offering stolen login credentials.

A Mystery Malware Stole 26 Million Passwords From Windows PCs — Wired

  • The credentials were part of a trove containing 1.2 terabytes of sensitive data extracted between 2018 and 2020.

In Case You Missed It

Introducing the Updated SonicWall Network Security Administrator (SNSA) for SonicOS 7 Course — Jerry Avila
SonicWall’s Bill Conner Talks Ransomware on the Radio — Lindsey Lockhart
Infiltrate, Adapt, Repeat: A Look at Tomorrow’s Malware Landscape — Brook Chelmo
Join us for the 2021 SonicWall Partner Virtual Roadshow — David Bankemper
Capture Client 3.6 Launch Brings Key Features — Brook Chelmo

AndroidBot malware with obfuscation and multiple capabilities spreading in the wild

The SonicWall Threats Research team observed an AndroidBot malware sample that contains multiple obfuscation layers hiding its hardcoded URLs and malicious code. Like many Android malware families, this malware drops a dex file during execution, and that dex file is what contains the malicious code.

Sample details

At the time of writing this blog, this sample is hosted on the following link:

Infection Cycle

The app requests a number of permissions; a few of the riskier ones are listed below:

  • android.permission.CALL_PHONE
  • android.permission.CAPTURE_VIDEO_OUTPUT
  • android.permission.DISABLE_KEYGUARD
  • android.permission.READ_CONTACTS
  • android.permission.READ_SMS
  • android.permission.RECEIVE_BOOT_COMPLETED
  • android.permission.RECEIVE_SMS
  • android.permission.REORDER_TASKS
  • android.permission.REQUEST_DELETE_PACKAGES
  • android.permission.REQUEST_INSTALL_PACKAGES
  • android.permission.SEND_SMS
  • android.permission.SYSTEM_ALERT_WINDOW
  • android.permission.WRITE_EXTERNAL_STORAGE
  • android.permission.WRITE_SMS


Upon installation and execution, the application requests accessibility permissions. Once these are granted, the application gains the ability to execute its malicious components:


The main class listed in the AndroidManifest.xml file is not present in the decompiled codebase:


The malware drops a file, agAzJPYW.dex, during execution; this is the dex file that actually contains the malicious code:


This dropped dex file contains the main activity that is listed in the original AndroidManifest.xml file:
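As an added example (not SonicWall's tooling), a small triage script that, given an APK's AndroidManifest.xml and the set of class names recovered from decompilation, flags the risky permissions listed above, any declared accessibility service, and a launcher activity that is absent from the code, which is the dropped-dex indicator described above. The manifest, package name and class list are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Permissions the write-up above singles out as risky.
RISKY_PERMISSIONS = {
    "android.permission.CALL_PHONE",
    "android.permission.CAPTURE_VIDEO_OUTPUT",
    "android.permission.DISABLE_KEYGUARD",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.RECEIVE_SMS",
    "android.permission.REORDER_TASKS",
    "android.permission.REQUEST_DELETE_PACKAGES",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.SEND_SMS",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.WRITE_SMS",
}

# Constructed manifest for a hypothetical package (not the AndroidBot sample's).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bot">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
"""

# Constructed: class names recovered from the decompiled APK. The launcher
# activity named in the manifest is deliberately missing, as in the sample above.
SAMPLE_CLASSES = {"com.example.bot.Loader", "com.example.bot.AccService"}


def _resolve(package, name):
    """Manifest class names may be written relative to the package ('.Main')."""
    if name is None:
        return None
    return package + name if name.startswith(".") else name


def parse_manifest(xml_text):
    """Extract package, requested permissions, launcher activity and any
    service bound with the accessibility-service permission."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    permissions = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    launcher = None
    for activity in root.iter("activity"):
        for intent in activity.iter("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in intent.iter("action")}
            categories = {c.get(ANDROID_NS + "name") for c in intent.iter("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in categories):
                launcher = _resolve(package, activity.get(ANDROID_NS + "name"))
    accessibility_services = [
        _resolve(package, s.get(ANDROID_NS + "name"))
        for s in root.iter("service")
        if s.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERMISSION
    ]
    return {"package": package, "permissions": permissions,
            "launcher_activity": launcher,
            "accessibility_services": accessibility_services}


def triage(xml_text, decompiled_classes):
    """Return human-readable findings; an empty list means nothing flagged."""
    info = parse_manifest(xml_text)
    findings = []
    risky = sorted(info["permissions"] & RISKY_PERMISSIONS)
    if risky:
        findings.append("risky permissions: " + ", ".join(risky))
    if info["accessibility_services"]:
        findings.append("declares accessibility service(s): "
                        + ", ".join(info["accessibility_services"]))
    launcher = info["launcher_activity"]
    if launcher and launcher not in decompiled_classes:
        # The manifest names a class the decompiler never saw: it must be
        # loaded at runtime from a dropped dex, exactly the pattern above.
        findings.append(f"launcher activity {launcher} is absent from the "
                        "decompiled code; likely loaded from a dropped dex")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_MANIFEST, SAMPLE_CLASSES):
        print("-", finding)
```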


The malware obfuscates the strings present in the code, both to deter security researchers from analyzing it and to stop automated tools from identifying suspicious strings:


However, the decryption routine is also present in the code, so it can be reused to decode the strings:


Decoded string:


We identified several interesting bits when the strings were decoded:


Capabilities

This bot is capable of performing a series of malicious or dangerous actions on an infected device, including:

  • Show custom notifications
  • Screencast/screencapture
  • TeamViewer execution
  • Read, write and send messages
  • Extract information about running processes
  • Extract information about the device
  • Load URLs
  • Receive messages via Firebase Cloud Messaging (FCM)
  • Install and remove applications
  • Subscribe to premium messaging services
  • Check whether it is running in an emulator


Hardcoded URLs

The class BotConfigs contains an interesting string labelled Admin URL. After deobfuscation we obtained the string http://das37rwa5cyfkb7o.onion/api/mirrors. After working through a series of layers we ultimately reached a login page at newspotheres.xyz:


Based on the hardcoded URLs obtained from the code, we created a VirusTotal Graph, shown below:


SonicWall Capture Labs provides protection against this threat via the following signature:

  • AndroidOS.AndroidBot.DX


Indicators of Compromise (IOC):


We have blacklisted the following URLs:

  • https://newspotheres.xyz
  • https://babosiki.buzz
  • https://trustpoopin.xyz
  • https://trygotii.xyz
  • https://trytogoi.xyz


CHIYU Technology Devices CRLF injection vulnerability

CHIYU Technology is a leading manufacturer and marketer of multi-door access control systems for enterprise, small business and residential applications. The BF-430 is a universal serial device server that enables industrial serial devices such as PLCs, flow meters, gas meters, CNC machines and biometric identification card readers to be monitored from the network.
Similarly, the BF-450M is a universal serial device server that enables industrial serial devices such as access control, time attendance, PLC, CNC machines and flow meters to be monitored from the network. Moreover, it includes built-in I/O control, which lets users easily integrate it with other systems.

CRLF injection vulnerability
A CRLF injection vulnerability exists when an attacker can inject CRLF characters into a web application. A CRLF injection attack can be used to escalate to more damaging attacks such as cross-site scripting (XSS), page injection and web cache poisoning. The term CRLF refers to Carriage Return (ASCII 13, hex 0d) followed by Line Feed (ASCII 10, hex 0a). CR and LF are special characters that signify the end of line (EOL) in the Windows operating system, and the same CRLF sequence separates header lines in HTTP, which is why an injected CRLF lets an attacker start a new header or a response body. A CRLF injection attack occurs when a user manages to submit a CRLF into an application, most commonly by modifying an HTTP parameter or URL.

CVE-2021-31249
A CRLF injection vulnerability exists in BF-430, BF-431 and BF-450M TCP/IP Converter devices. It is due to a lack of validation of the redirect= parameter, which is accepted by multiple CGI components.

As can be seen in this example, CRLF is used to split the response and   is used to carry out a cross-site scripting attack. In this case, the CRLF injection vulnerability leads to an XSS attack.
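As an added example (not CHIYU firmware code; only the redirect= parameter name comes from the advisory, everything else is constructed), the unvalidated pattern beside a hardened one, plus the request-side check that a signature for this issue has to make:

```python
import re
from urllib.parse import unquote

# Any C0 control character or DEL; CR (0x0d) and LF (0x0a) are the ones
# that split a header line, but none of them belong in a redirect target.
CONTROL = re.compile(r"[\x00-\x1f\x7f]")


class BadRedirect(ValueError):
    """Raised by the hardened builder when the redirect target is rejected."""


def vulnerable_redirect(redirect_param):
    """Builds the raw HTTP response the way an unvalidated CGI would:
    the percent-decoded parameter is copied verbatim into Location."""
    return "HTTP/1.1 302 Found\r\nLocation: " + unquote(redirect_param) + "\r\n\r\n"


def safe_redirect(redirect_param):
    """Hardened builder: decode first (the CGI decodes before use), reject
    control characters, and accept only a same-site relative path so the
    header can be neither split nor pointed off-site."""
    value = unquote(redirect_param)
    if CONTROL.search(value):
        raise BadRedirect("control character in redirect target")
    if not value.startswith("/") or value.startswith("//"):
        raise BadRedirect("only same-site relative paths are allowed")
    return "HTTP/1.1 302 Found\r\nLocation: " + value + "\r\n\r\n"


def parse_headers(raw_response):
    """Splits a raw response into its header dictionary, as a client would;
    this is how an injected line shows up as a header of its own."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]  # drop the status line
    return dict(line.split(": ", 1) for line in lines if ": " in line)


def is_rejected(redirect_param):
    """True if the hardened builder refuses the value."""
    try:
        safe_redirect(redirect_param)
    except BadRedirect:
        return True
    return False


def request_has_crlf_injection(query_string):
    """Detection-side check over a request's query string: does any
    parameter value carry a literal or percent-encoded control character?"""
    for part in query_string.split("&"):
        _, _, value = part.partition("=")
        if CONTROL.search(unquote(value)):
            return True
    return False


# Constructed input: a benign target and one carrying an encoded CRLF that
# smuggles a harmless extra header (no script payload is needed to show it).
BENIGN = "/index.html"
INJECTED = "/index.html%0d%0aX-Injected:%201"

if __name__ == "__main__":
    print(parse_headers(vulnerable_redirect(INJECTED)))  # extra header appears
    print(is_rejected(INJECTED), is_rejected(BENIGN))    # True False
    print(request_has_crlf_injection("page=1&redirect=" + INJECTED))
```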

SonicWall Capture Labs provides protection against this threat via the following signature:

    • IPS 15592:CHIYU Technology Devices CRLF injection

A quick check on Shodan shows vulnerable devices.


Another ransomware, possibly belonging to the REvil ransomware group, seen actively spreading in the wild

The SonicWall Capture Labs Research team has been observing a massive increase in ransomware attacks, with increasingly targeted attacks hitting mostly critical infrastructure. With companies willing to pay millions in ransom to restore operations, the ransomware industry has never been more lucrative for cybercriminals. This week we observed a spike in detections for a somewhat small player in the ransomware world. We first spotted Prometheus ransomware in February and had not seen much activity until this week.

Interestingly, with REvil ransomware in the spotlight, having been blamed for many of the recent high-profile ransomware attacks, Prometheus ransomware claims to be from the same cybercriminal group. We have no proof that this is true, however.

Infection Cycle:

Upon execution, the first thing this ransomware does is find and remove Raccine, an open-source program that blocks ransomware from deleting a system's shadow copies, a very common ransomware behavior. It uses taskkill.exe to kill the Raccine executable, if present on the system, and deletes any Raccine-related registry values.

It then continues to kill other running processes using taskkill.exe, including Microsoft Office processes such as winword.exe, excel, mspub and visio, and SQL database processes such as sqlservice.exe, dbeng50.exe and mysqld.exe, among many others.

It also uses sc.exe to reconfigure certain system services, for example the “SQLwriter start” setting, which removes the ability to back up and restore SQL Server data through the Volume Shadow Copy Service.

To check network connectivity, it pings the loopback address 127.0.0.7.

It also executes netsh.exe to alter the firewall settings so that the infected system is discoverable within the network and file and printer sharing is allowed.

Once the target files have been encrypted, it displays an alert in the system tray and opens an .hta file with instructions on how to pay and retrieve files. The header of the instructions claims that Prometheus belongs to the well-known REvil ransomware group.


Another similar sample we analyzed appears to be a more fully featured program, with additional functionality such as running commands to check the ARP table, which could be used for ARP attacks.

It also runs a PowerShell command to delete all volume shadow copies.

It also attempts to configure and log in to the local router's admin page using additional dropped components.
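Added example, not SonicWall's detection logic: the behaviours described above turned into process-creation rules and correlated per parent process, run over constructed Sysmon-style log lines. The tab-separated log format, the rule names and the invoice.exe path are assumptions made for the example.

```python
import re

# One rule per behaviour described in the write-up above. Matching is on the
# child's command line; the correlation below is what turns single, individually
# noisy matches (a ping, a taskkill) into an alert.
RULES = [
    ("raccine_kill", re.compile(r"\btaskkill(\.exe)?\b.*raccine", re.I)),
    ("office_or_db_kill", re.compile(
        r"\btaskkill(\.exe)?\b.*?/im\s+"
        r"(winword|excel|mspub|visio|sqlservice|sqlservr|dbeng50|mysqld)", re.I)),
    ("sqlwriter_disabled", re.compile(
        r"\bsc(\.exe)?\s+config\s+sqlwriter\s+start=\s*disabled", re.I)),
    ("loopback_ping", re.compile(r"\bping(\.exe)?\s.*127\.0\.0\.7\b", re.I)),
    # "Network Discovery" and "File and Printer Sharing" are the Windows
    # firewall rule-group names netsh uses for the settings described above.
    ("firewall_discovery", re.compile(
        r"\bnetsh\b.*(network discovery|file and printer sharing)", re.I)),
]

# Constructed log: the first five lines are children of one hypothetical
# ransomware process; the last two are ordinary activity from explorer.exe.
SAMPLE_LOG = "\n".join([
    "ParentImage=C:\\Users\\u\\Downloads\\invoice.exe\tImage=C:\\Windows\\System32\\taskkill.exe"
    "\tCommandLine=taskkill /F /IM Raccine.exe",
    "ParentImage=C:\\Users\\u\\Downloads\\invoice.exe\tImage=C:\\Windows\\System32\\taskkill.exe"
    "\tCommandLine=taskkill /F /IM sqlservr.exe",
    "ParentImage=C:\\Users\\u\\Downloads\\invoice.exe\tImage=C:\\Windows\\System32\\sc.exe"
    "\tCommandLine=sc config SQLWriter start= disabled",
    "ParentImage=C:\\Users\\u\\Downloads\\invoice.exe\tImage=C:\\Windows\\System32\\PING.EXE"
    "\tCommandLine=ping 127.0.0.7",
    "ParentImage=C:\\Users\\u\\Downloads\\invoice.exe\tImage=C:\\Windows\\System32\\netsh.exe"
    "\tCommandLine=netsh advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes",
    "ParentImage=C:\\Windows\\explorer.exe\tImage=C:\\Windows\\System32\\PING.EXE"
    "\tCommandLine=ping 8.8.8.8",
    "ParentImage=C:\\Windows\\explorer.exe\tImage=C:\\Windows\\System32\\taskkill.exe"
    "\tCommandLine=taskkill /IM notepad.exe",
])


def parse_line(line):
    """Tab-separated key=value fields (assumed export format) into a dict."""
    fields = {}
    for item in line.rstrip("\n").split("\t"):
        key, _, value = item.partition("=")
        fields[key] = value
    return fields


def match_rules(command_line):
    """Names of every rule the command line triggers (usually zero or one)."""
    return [name for name, pattern in RULES if pattern.search(command_line)]


def correlate(lines, threshold=3):
    """Group rule hits by ParentImage and return only parents that triggered
    at least `threshold` distinct behaviours, mapped to the sorted rule names.
    A single taskkill or ping is routine; several of these from one parent
    within a short window is the Prometheus pattern described above."""
    hits = {}
    for line in lines:
        if not line.strip():
            continue
        event = parse_line(line)
        for name in match_rules(event.get("CommandLine", "")):
            hits.setdefault(event.get("ParentImage", "?"), set()).add(name)
    return {parent: sorted(names) for parent, names in hits.items()
            if len(names) >= threshold}


if __name__ == "__main__":
    for parent, names in correlate(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {parent}: {', '.join(names)}")
```

A real deployment would also bound the correlation by time window and host, which the constructed log does not carry.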

This newer version also provides additional ways to reach the ransomware authors outside of the Tor browser.

This suggests we will most likely see more from this ransomware group, because they have been continuously improving their program with more robust functionality to improve infection rates and possibly evade detection.

This week, we have noticed an uptick in detection for this particular ransomware.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Prometheus.RSM (Trojan)
  • GAV: Prometheus.RSM_1 (Trojan)
  • GAV: Prometheus.RSM_2 (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.


Cybersecurity News & Trends

This week governments in the U.S. and U.K. geared up to fight back against the growing threat of ransomware.


SonicWall in the News

NCSC updates schools ransomware guidance amid surge — Computer Weekly

  • The National Cyber Security Centre says it is dealing with a renewed surge of ransomware attacks targeting schools, colleges and universities.

Orange Business Services taps Ericsson for enterprise IoT security — Computer Weekly

  • According to the 2021 SonicWall Cyber Threat Report, malware attacks on IoT devices in 2020 jumped by 66% compared with 2019.

SonicWall Sheds Light On Ransomware Attacks As NCSC Announces Continued Rise — Information Security Buzz

  • Last week, NCSC announced it is investigating another increase in ransomware attacks against educational institutions in the UK.

Three Best Practices to Neutralize Ransomware Attacks — Dataversity

  • Since 2019, ransomware attacks have soared by 158% in North America and by 62% globally, according to the 2021 SonicWall Cyber Threat Report — which also stated that cybercriminals are using more sophisticated tactics to try to shut down companies in exchange for a data “ransom.”

Ransomware attacks on the UK education sector — Professional Security

  • “Ransomware attackers have identified universities’ vulnerabilities as providing something valuable as well as information that is readily exportable,” Terry Greer-King, VP EMEA of SonicWall, said. “Hackers can not only disable networks, but they can also thoroughly infiltrate the systems and … access an organization’s records, bypassing security altogether.”

Are you certain you are on the right side of defending against tomorrow’s APTs? — Everything Industrial

  • Ashley Lawrence, SonicWall Regional Sales Senior Manager for Sub-Saharan Africa, is featured for his views on Advanced Persistent Threats and how SonicWall’s RTDMI and Capture ATP can help protect businesses.

Industry News

Security researcher says attacks on Russian government have Chinese fingerprints – and typos, too — The Register

  • An advanced persistent threat that Russia found inside government systems seems to have come from a Chinese entity rather than a western group, security researchers say.

U.S. Senate passes sweeping bill to address China tech threat — Reuters

  • The U.S. Senate voted 68-32 to approve a sweeping package of legislation intended to boost the country’s ability to compete with Chinese technology.

Hacker Known as Max Is 55-Year-Old Woman From Russia, U.S. Says — Bloomberg

  • Witte appeared before a U.S. magistrate judge on June 4 for her arraignment, where she waived her rights to a detention hearing.

LinkedIn asks Supreme Court to review whether data scraping is prohibited hacking — The Washington Times

  • Social networking platform LinkedIn asked the Supreme Court to review whether the “scraping” of data from its website equates to illegal hacking under federal law.

JBS Hackers Took Data From Australia and Brazil, Researcher Says — Bloomberg

  • Security Scorecard found evidence that hackers took data from a JBS location in Brazil in April and May. The attackers began taking large amounts of data from the company’s network in March and continued until the hack was discovered late last month.

What Hackers Can Learn About You From Your Social-Media Profile — The Wall Street Journal

  • That post you ‘liked’ on Facebook? Your alma mater on LinkedIn? They are all clues that can make you — and your company — vulnerable.

Ransomware Struck Another Pipeline Firm—and 70GB of Data Leaked — Wired 

  • LineStar Integrity Services was hacked around the same time as Colonial Pipeline, and now radical transparency activists have brought the attack to light.

CISA Announces Vulnerability Disclosure Policy Platform — Security Week

  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) today announced that it has partnered with the crowdsourced cybersecurity community for the launch of its vulnerability disclosure policy (VDP) platform.

Ransomware attack hits House members’ web tool to communicate with voters — The Washington Times

  • Cybercriminals have attacked a web tool that members of the House of Representatives use to communicate with voters.

Insurer Chubb paid $65,000 to help a city unlock ransomware in 2018. A second hack was more expensive. — Cyberscoop

  • A city in California didn’t disclose a ransomware payment for more than two years after its insurer covered the cost, the city manager acknowledged amid yet another ransomware attack on the municipality.

First Known Malware Surfaces Targeting Windows Containers — Dark Reading 

  • Siloscape is designed to create a backdoor in Kubernetes clusters to run malicious containers.

Ransomware warning: There’s been another spike in attacks on schools and universities — ZDNet

  • NCSC alert says there’s been a rise in ransomware attacks targeting the education sector at a critical time in the academic calendar.

The cost of ransomware attacks worldwide will go beyond $265 billion in the next decade — ZDNet

  • Current estimates suggest that ransomware will cost us approximately $20 billion this year, a 57x jump from 2015.

U.S. officials up pressure on firms, foreign adversaries over cyberattacks — The Wall Street Journal

  • President Joe Biden is reportedly considering all options, including a military response, to counter the growing threat.

In Case You Missed It

Introducing the Updated SonicWall Network Security Administrator (SNSA) for SonicOS 7 Course

With plenty of customers now running SonicOS 7.0, SonicWall Global Enablement has updated the SonicWall Network Security Administrator (SNSA) course to show you how to take advantage of SonicWall’s most advanced security operating system yet.

The SNSA training curriculum is designed to teach students specific SonicWall network security technology. The course will provide students with the skills to successfully implement and configure SonicWall firewall appliances and security services.

Improvements included with the updated SNSA course:

  • Two days of instructor-led classroom training: 80% hands-on labs and 20% lecture
  • Four hours of online learning modules (recommended to be completed prior to the classroom portion)
  • Instruction and materials based on the recently released SonicOS 7 firmware

SonicWall Security Certification Courses

SonicWall offers other training and certification courses to support the needs of our partners, customers and employees. These include:

SonicWall Network Security Professional (SNSP) Course

Available to students who have achieved the SNSA certification, the SNSP course is designed to further enhance an individual’s network security technical skills.

In this two-day, instructor-led course, students will learn how to monitor, investigate, analyze and configure SonicWall NGFWs running SonicOS — as well as how to enable advanced functionality related to secure and remote connectivity, network optimization, and threat prevention.

Upon successfully completing the SNSP program, the students will be able to demonstrate SonicWall product expertise and the application skillsets required to mount a proactive, effective defense against current and evolving network and cybersecurity threats.

Successful completion of the SNSP curriculum qualifies the student to take the SNSP Certification Exam.

SonicWall Secure Mobile Access Administrator (SMAA) Course

The Secure Mobile Access Administrator (SMAA) eLearning training curriculum is designed around specific SonicWall SMA 1000 series appliances. Students will learn to provide secure, anywhere access to applications and resources for employees, business partners and other users.

Once the Secure Mobile Access Administrator eLearning course has been completed, students are eligible to take the Secure Mobile Access Administrator exam.

Microsoft Security Bulletin Coverage for June 2021

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of June 2021. A list of issues reported, along with SonicWall coverage information is as follows:

CVE-2021-31199 Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability
ASPY 192:Malformed-File exe.MP.187

CVE-2021-31201 Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability
ASPY 193:Malformed-File exe.MP.188

CVE-2021-31952 Windows Kernel-Mode Driver Elevation of Privilege Vulnerability
ASPY 187:Malformed-File exe.MP.183

CVE-2021-31954 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 194:Malformed-File exe.MP.189

CVE-2021-31955 Windows Kernel Information Disclosure Vulnerability
ASPY 189:Malformed-File exe.MP.185

CVE-2021-31956 Windows NTFS Elevation of Privilege Vulnerability
ASPY 188:Malformed-File exe.MP.184

CVE-2021-31959 Scripting Engine Memory Corruption Vulnerability
IPS 15594:Scripting Engine Memory Corruption Vulnerability (CVE-2021-31959)

CVE-2021-33739 Microsoft DWM Core Library Elevation of Privilege Vulnerability
ASPY 190:Malformed-File exe.MP.186

Adobe Coverage:
CVE-2021-28554 Acrobat Reader Arbitrary Code Execution Vulnerability
ASPY 191:Malformed-File pdf.MP.478

The following vulnerabilities do not have exploits in the wild:
CVE-2021-1675 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26414 Windows DCOM Server Security Feature Bypass
There are no known exploits in the wild.
CVE-2021-26420 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31938 Microsoft VsCode Kubernetes Tools Extension Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31939 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31940 Microsoft Office Graphics Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31941 Microsoft Office Graphics Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31942 3D Viewer Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31943 3D Viewer Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31944 3D Viewer Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-31945 Paint 3D Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31946 Paint 3D Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31948 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-31949 Microsoft Outlook Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31950 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-31951 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31953 Windows Filter Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31957 .NET Core and Visual Studio Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-31958 Windows NTLM Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31960 Windows Bind Filter Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-31962 Kerberos AppContainer Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-31963 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31964 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-31965 Microsoft SharePoint Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-31966 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31967 VP9 Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31968 Windows Remote Desktop Services Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-31969 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31970 Windows TCP/IP Driver Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-31971 Windows HTML Platform Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-31972 Event Tracing for Windows Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-31973 Windows GPSVC Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31974 Server for NFS Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-31975 Server for NFS Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-31976 Server for NFS Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-31977 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-31978 Microsoft Defender Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-31980 Microsoft Intune Management Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31983 Paint 3D Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31985 Microsoft Defender Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-33742 Windows MSHTML Platform Remote Code Execution Vulnerability
There are no known exploits in the wild.

VMware vCenter Server vSAN Health Check plug-in RCE Vulnerability

Overview:

Multiple vulnerabilities have been reported in the VMware vSphere Client (HTML5), affecting plug-ins shipped with VMware vCenter Server, including the vSAN Health Check plug-in. Among them, CVE-2021-21985 is a remote code execution vulnerability rated Critical (CVSSv3 base score 9.8).

CVE-2021-21985 is caused by a lack of input validation in the Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server whether or not vSAN is in use. An attacker with network access to port 443 on the vCenter Server can exploit this issue, without authentication, to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.

SonicWall's Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 15574 VMware vCenter Server vSAN Health Check plug-in Possible RCE Attempt 1
  • IPS: 15575 VMware vCenter Server vSAN Health Check plug-in Possible RCE Attempt 2
  • IPS: 15576 VMware vCenter Server vSAN Health Check plug-in Possible RCE Attempt 3

Note: vCenter is normally reached over TLS/HTTPS, so DPI-SSL (Server Deployment) must be enabled for the firewall to decrypt and inspect the request; without it, the firewall sees only the TLS handshake and these signatures cannot match real-world exploitation of this vulnerability.

SonicWall has detected the following attacks with the above signatures:

Remediation Details:

The risks posed by this vulnerability can be mitigated or eliminated by:

  • Disabling the affected plug-ins (including the vSAN Health Check plug-in) by following the workaround in the vendor advisory, as an interim measure until the update can be installed.
  • Applying the updated vCenter Server builds released by the vendor.
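
The first remediation bullet is easy to get wrong on a busy vCenter estate, so the following script audits (and can apply) the vendor workaround on a vCenter Server Appliance. It is an added example, not SonicWall's or VMware's code. It assumes, based on the vendor KB as published for CVE-2021-21985 and to be verified against the current KB before use, that the workaround file is /etc/vmware/vsphere-ui/compatibility-matrix.xml, that its root is <Matrix> with a <pluginsCompatibility> child, that a plug-in is disabled by an entry <PluginPackage id="..." status="incompatible"/>, and that the vSAN Health Check plug-in ID is com.vmware.vsphere.client.h5vsan. The sample XML embedded below is constructed for the demonstration.

```python
"""Audit and apply the vendor workaround that disables the vSAN Health Check
plug-in in the vSphere Client (HTML5) on a vCenter Server Appliance.

Added example (not SonicWall's or VMware's code).  Assumptions to verify
against the current VMware KB: file location, element names, and plug-in ID.
"""
import re
import sys
import xml.etree.ElementTree as ET

MATRIX_PATH = "/etc/vmware/vsphere-ui/compatibility-matrix.xml"  # assumed location

# Plug-in ID the vendor workaround marks "incompatible" for the vSAN Health
# Check plug-in (assumption: ID as quoted from the KB).  Append the other IDs
# the KB lists if you also want those plug-ins disabled.
WORKAROUND_PLUGINS = ("com.vmware.vsphere.client.h5vsan",)

# Constructed sample of the matrix file *before* the workaround is applied.
SAMPLE_BEFORE = """<?xml version="1.0" encoding="UTF-8"?>
<Matrix>
  <pluginsCompatibility>
    <!-- plug-ins listed here with status="incompatible" are not loaded -->
    <PluginPackage id="com.example.thirdparty" status="incompatible"/>
  </pluginsCompatibility>
</Matrix>
"""


def disabled_plugins(xml_text: str) -> set:
    """Return the plug-in IDs the matrix marks as incompatible (i.e. disabled)."""
    root = ET.fromstring(xml_text)
    return {
        pkg.get("id")
        for pkg in root.iter("PluginPackage")
        if pkg.get("id") and pkg.get("status", "").lower() == "incompatible"
    }


def still_enabled(xml_text: str, plugins=WORKAROUND_PLUGINS) -> list:
    """Plug-ins from the workaround list that are NOT yet disabled."""
    disabled = disabled_plugins(xml_text)
    return [p for p in plugins if p not in disabled]


def apply_workaround(xml_text: str, plugins=WORKAROUND_PLUGINS) -> str:
    """Insert the missing <PluginPackage/> entries just before
    </pluginsCompatibility>.  Plain text insertion rather than an ElementTree
    round trip, so the vendor's comments and layout in the real file survive."""
    missing = still_enabled(xml_text, plugins)
    if not missing:
        return xml_text
    entries = "".join(
        f'    <PluginPackage id="{p}" status="incompatible"/>\n' for p in missing
    )
    new_text, n = re.subn(
        r"\s*</pluginsCompatibility>",
        lambda _m: "\n" + entries + "  </pluginsCompatibility>",
        xml_text,
        count=1,
    )
    if n != 1:
        raise ValueError("no <pluginsCompatibility> section found; refusing to edit")
    ET.fromstring(new_text)  # still well-formed after the edit?
    return new_text


def main(argv):
    """Audit the file given on the command line (default: MATRIX_PATH);
    fall back to the embedded sample when the file is not present.
    Exit status 1 means the workaround is missing for at least one plug-in."""
    path = argv[1] if len(argv) > 1 else MATRIX_PATH
    try:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
    except OSError as exc:
        print(f"{path}: {exc}; auditing the embedded sample instead")
        text = SAMPLE_BEFORE
    missing = still_enabled(text)
    if missing:
        print("NOT mitigated, still enabled:", ", ".join(missing))
        print("patched file would be:\n" + apply_workaround(text))
        return 1
    print("workaround present for:", ", ".join(WORKAROUND_PLUGINS))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as root on the appliance (after backing up the matrix file) and restart the vsphere-ui service once the entries are in place; the audit is a stop-gap check only, since the vendor's update, not the workaround, is the actual fix.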

The vendor has released the following advisory regarding this vulnerability:

        Vendor Advisory: VMSA-2021-0010