Lockbit 2.0, the ransomware behind the Accenture breach

/in /by

Lockbit ransomware has been around since 2019 but recently released an updated version called Lockbit 2.0. It is another ransomware-as-a-service (RaaS) which is a subscription based model allowing partners to use a full-featured already developed ransomware app ready to carry an attack. On their website, they boast their 2.0 version as being the fastest encryption software as well as the fastest upload of stolen data amongst myriads of many other popular ransomwares, all while highlighting the many features of this ransomware.

Recently, there were reports of targeted attacks with Accenture being the latest prominent victim of this ransomware. For non-payment, Lockbit has started leaking their data on their website to the public.

Infection cycle:

Upon execution of the ransomware, it disables all running security programs and any other means that could permit system recovery. It spawns a cmd exe to run the following commands:

  • vssadmin delete shadows /all /quiet
  • wmic SHADOWCOPY /nointeractive
  •  wmic shadowcopy delete
  •  wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  •  wbadmin DELETE SYSTEMSTATEBACKUP
  •  wbadmin delete catalog -quiet
  •  wevtutil cl system
  •  wevtutil cl security
  •  wevtutil cl application
  •  bcdedit /set {default} recoveryenabled No

It then proceeds to encrypt the victim’s files. All encrypted files bear the lockbit icon and a .lockbit file extension.

It changes the wallpaper with instructions on how to recover the files as well as adding a text file in every directory where files have been encrypted.

On reboot, the victim can’t miss the ransom note because it also adds a run key in the registry which loads an hta file that has the same instructions on how to get the victim’s files back.

  • Key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Name: {2C5F9FCC-F266-43F6-BFD7-838DAE269E11}
  • Data: %Desktop%\Lockbit_Ransomware.hta

It then proceeds to delete itself and no copy of the ransomware nor its components is left in the victim machine.

On Lockbit’s website, there are quite a few victims whose data have already been leaked to the public while others still have some days left to submit payment before facing the same consequence.

 

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Lockbit.RSM_2 (Trojan)
  • GAV: Lockbit.RSM_3 (Trojan)
  • GAV: Lockbit.RSM_4 (Trojan)

This threat is also detected by SonicWall Capture ATP with Real-Time Deep Memory Inspection (RTDMI) and the Capture Client endpoint solutions.

Cybersecurity News & Trends

/0 Comments/in /by

The Mid-Year Update to the 2021 SonicWall Cyber Threat Report continues to circulate through global news, and SonicWall rises to the status of an “admired brand.” In industry news, uncomfortable questions about U.S. cyber-intelligence methods, Autodesk’s admission, FIN7 hackers on the move, how Australia got hammered by hackers, and a Colorado man sues U.K. parents of hackers for a 3-year-old cryptocurrency hack.

SonicWall in the News

The Hybrid Workplace: The Next Frontier of Cyber Security — CPO Magazine

  • This story covers the aftermath of a REvil Kaseya attack. Thousands of business leaders are calculating their losses and cost of recovery, now dubbed the “worst ransomware attack on record.” The story cites the Mid-Year Update to the 2021 SonicWall Cyber Threat Report as a key source for the sharp rise of attacks via Microsoft Office documents that rose by 176% in 2020.

Ransomware threats explode in first-half 2021 — Frontier Enterprise

The Tech Industry Is Marching Ahead With These Admired Brands — Mybrandbook.com

  • A report that assesses the importance of “admired” brands in tech recounts SonicWall’s origins as a private company headquartered in Silicon Valley to a significant brand in cybersecurity with more than 1 million active security solutions trusted by more than 500,000 organizations in more than 215 countries.

Industry News

Hacker kids’ parents sued over $780k of stolen cryptocurrency — P.C. Gamer

  • In January of 2018, Colorado resident Andrew Schober was relieved of 16.4 bitcoin, worth around $780,000 in today’s market, by unknown hackers. Schober hired private investigators to track down the hack to two UK-based computer science students then minors. He’s now suing the parents of the two he believes hacked his account and stole his cash.

SolarWinds hackers targeted Autodesk in latest confirmed fallout from cyber-espionage campaign — CyberScoop

  • The list of victims keeps growing of the hackers (believed to be Russian) who breached a U.S. federal contractor. The hackers, it is believed, collected intelligence from all over the federal government. Autodesk filed an SEC disclosure to its investors that the hackers compromised one of its servers.

Juniper Breach Mystery Starts to Clear With New Details on Hackers and U.S. Role — Bloomberg

  • Days before Christmas in 2015, Juniper Networks Inc. alerted users that it had been breached. Five years later, the hackers have not been publicly identified, and no victims from the hack have surfaced. This brings the uncomfortable question about the methods U.S. intelligence agencies use to monitor hackers.

FIN7 Hackers Using Windows 11 Themed Documents to Drop Javascript Backdoor — The Hacker News

  • Spear-phishing campaigns leveraging weaponized Windows 11 Alpha-themed Word documents with Visual Basic macros. The macros inject malicious payloads, including a JavaScript implant that attacks a U.S.-based point-of-sale (PoS) service provider.

How Hackers Hammered Australia After China Ties Turned Sour — Bloomberg

  • A few days after Prime Minister Scott Morrison called for an independent international probe into the origins of the coronavirus, Chinese bots swarmed onto Australian government networks. It was April 2020. Bloomberg brings the incident to light in this week’s article.  

Regulators Tighten Scrutiny of Data Breach Disclosures — The Wall Street Journal

  • Lawyers warn that companies must pay closer attention to what they say after hackers strike, as regulators crack down on inaccurate disclosures and Congress debates mandatory reporting of cybersecurity breaches.

Biden administration establishes program to recruit tech professionals to serve in government — The Hill

  • The Biden administration announced it was establishing a program to recruit and train people to serve in digital positions within the federal government and address the COVID-19 pandemic and cybersecurity concerns.

Bangkok Airways hit by LockBit ransomware attack, loses lots data after refusing to pay — The Register

  • Bangkok Airways has revealed it was the victim of a cyberattack from ransomware group LockBit on August 23, resulting in the publishing of stolen data.

LockFile Ransomware Uses Never-Before Seen Encryption to Avoid Detection — Threat Post 

  • Researchers from Sophos discovered the emerging threat in July, which exploits the ProxyShell vulnerabilities in Microsoft Exchange servers to attack systems.

Initial Access Broker use, stolen account sales spike in cloud service cyberattacks — ZDNet

  • On Tuesday, Lacework published its 2021 Cloud Threat Report vol.2, outlining how today’s cybercriminals are attempting to cut out some of the legwork involved in campaigns against cloud service providers.

Cyberattackers are now quietly selling off their victim’s internet bandwidth — ZDNet

  • Another intrusion with a twist: attackers use “proxyware” to target their victim’s internet connection and generate illicit revenue.

Cybercriminal sells tool to hide malware in AMD, NVIDIA GPUs — Bleeping Computer

  • Cybercriminals are making strides towards malware attacks that execute code from the graphics processing unit (GPU) of a compromised system.

Boston Public Library discloses cyberattack, system-wide technical outage — Bleeping Computer

  • The Boston Public Library (BPL) has disclosed today that its network was hit by a cyberattack on Wednesday, leading to a system-wide technical outage. 

U.S. Justice Department Introduces Cyber Fellowship Program — Security Week

  • The program will train selected attorneys on emerging national security and criminal cyber threats and how to fight them. The trainees will be rotating department components focused on cyber defense, such as the Criminal Division, the U.S. Attorneys’ Offices, and the National Security Division. 

Researchers, cybersecurity agency urge action by Microsoft cloud database users — Reuters

  • On Saturday, researchers who discovered a massive flaw in the central databases stored in Microsoft Corp’s Azure cloud platform urged all users to change their digital access keys, not just the 3,300 the company notified this week.

Bangkok Airways apologizes for passport info breach as LockBit ransomware group threatens data leak — ZDNet

  • The company said that it discovered a “cybersecurity attack which resulted in unauthorized and unlawful access to its information system” on August 23.

In Case You Missed It

Centreon hostGroupDependency.php SQL Injection Vulnerability

/in /by

Overview:

  Centreon is an open source IT monitoring solution. Centreon open source solution is the foundation for the Centreon EMS software suite which offers additional licensed modules. Centreon open source solution includes integration tools for IT Operations Management production environment.

  An SQL Injection vulnerability has been reported in the Centreon Web Application. The vulnerability is due to incorrect input validation in hostGroupDependency.php.

  A remote, authenticated attacker could exploit this vulnerability by sending a maliciously crafted request to the server. A successful attack may result in arbitrary SQL command execution against the database on the target server.

CVE Reference:

  This vulnerability has not been assigned a Common Vulnerabilities and Exposures (CVE) identifier.

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C).

  Base score is 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is high.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.2 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  A user with admin privileges can manage the notification settings for a host group on the “Configuration”->”Notification”->”Host Groups” page in the Centreon web interface. When clicking a host group on the web page, a request will be submitted to the “/centreon/main.get.php” endpoint as shown in an example below:

  

  In the request above, the parameter “p” contains a topology_page number (e.g. 60408 in the above example) which is used by Centreon application to locate the correspondent PHP file to handle this request. The mappings of a topology_page number and its correspondent PHP file is defined in the insertTopology.sql. For the topology_page number 60408 in the “p” request parameter, the corresponding PHP file to handle this request is:

  

  The hostGroupDependency.php is relevant to the vulnerability in this report.

  An SQL injection vulnerability exists in the Centreon web application. The vulnerability is due to a lack of input validation on the dep_id request parameter in the hostGroupDependency.php. When receiving a request submitted to “main.get.php” endpoint, the main.get.php will check the “p” request parameter value. If the value is 60408, it will route the request to hostGroupDependency.php. The hostGroupDependency.php will read the dep_id request parameter value and then check the “o” request parameter value. If “o” parameter value is the character “c”, “w” or “a”, it will call formHostGroupDependency.php to process this request. In formHostGroupDependency.php, it will first check if the “o” parameter is “c” or “w” and if yes, it will construct a SQL statement by appending the dep_id parameter value. Then, it will execute the SQL statement to query the “dependency” table in the database.

  However, the formHostGroupDependency.php does not sanitize the dep_id parameter before appending it to the SQL statement. A malicious user is therefore able to directly manipulate the Centreon database by embedding arbitrary SQL commands within the dep_id parameter in the HTTP requests. For example, an attacker may utilize the “;” character (or its URL-encoded equivalent) in a HTTP request to terminate a SQL statement with a malicious create table command, as shown below:

  

  A remote, authenticated attacker could exploit this vulnerability by sending a maliciously crafted request to the server. A successful attack may result in arbitrary SQL command execution at the database on the target server, potentially leading to the execution of arbitrary code in the security context as root.

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The attacker must have network connectivity to the affected ports.
  • The attacker must authenticate to the target system.

Triggering Conditions:

  The attacker authenticates and then sends an HTTP request containing maliciously crafted parameters to the target server. The vulnerability is triggered when the request is processed by the target server.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP, over port 80/TCP
    • HTTPS, over port 443/TCP

SonicWall’s, (IPS) Intrusion Prevention System, provides protection against this threat:

  • IPS: 15666 Centreon main.get.php SQL Injection
  • IPS: 15674 Centreon main.get.php SQL Injection 2

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Blocking the affected ports from external network access if they are not required.
    • Filtering traffic based on the signature above.
    • Upgrading the product to a non-vulnerable version.
  The vendor has released an advisory regarding this vulnerability:
  Vendor Advisory

Elevating SonicWall to the Cloud

/0 Comments/in /by

If the cloud were human, it would say veni, vidi, vici!

One can argue whether “the cloud” is still just a buzzword … whether it’s real or just another person’s computer … whether it’s a journey or a destination. But regardless of our conclusions, the cloud has arrived, the cloud is in vogue, and the cloud is here to stay.

Cloud is enabling a fundamental technology shift that, in many ways, shakes up how we live both our digital and our physical lives. SonicWall believes the purpose of any technology is to solve problems, and the cloud is no different.

That’s why we’re leveraging cloud technology as much as possible. We’re using the cloud to make our customers more secure and, at the same time, we’re also building our portfolio to secure data in the cloud.

As you can see in the visual below, we already have many products and solutions that take advantage of the cloud. They not only use cloud-native components — they’re also delivered from the cloud. Capture ATP, our threat detection capture technology that includes patented Real-Time Deep Memory Inspection (RTDMI™), is delivered to all SonicWall security products via the cloud.

All our central management solutions, such as Network Security Manager (NSM), Wireless Network Manager (WNM), Capture Client (CC) Management Console, etc., use cloud-native architecture. They can scale and manage tens and thousands of individual units.

Our single-pane-of-glass management solution, SonicWall Capture Security Center (CSC), is entirely cloud-native and cloud-delivered. We expect CSC to become not only the visualization and reporting tool, but also the threat detection and response tool for SonicWall partners and customers (more on that in the future).

But our work isn’t limited to the use of cloud technology for development and delivery. In the last few years, SonicWall has introduced and updated solutions such as our virtual firewall (NSv) and Secure Mobile Access (SMA) to secure data and access in the cloud. We offer cloud-delivered Hosted Email Security (HES) that secures the cloud email services such as Microsoft Office365 and Google GSuite.

We’ve also been developing new solutions specifically for the cloud, such as Cloud App Security (CAS) and Cloud Edge Secure Access, that help you secure your users and data in the cloud. Cloud Edge Secure Access represents our entry into the ZTNA/SASE world, which involves delivering multiple networking and security capabilities from the cloud.

While all solutions mentioned above are already available, we are currently working on future SonicWall product lines, which will be cloud-delivered and offer greater in-cloud security.

To learn more about SonicWall solutions designed to utilize or secure the cloud, visit our products page. This journey is going to be exciting. Stay tuned!

How Cybercrime Impacted Education in 2021

/0 Comments/in , /by

According to a report in The Journal, as of early August, more than 60% of parents were hesitant to send their children back to school this fall due to a large uptick in pediatric COVID-19 cases. As we have seen since, many of these fears were well-founded, as schools in Texas, Georgia, Florida, Tennessee and elsewhere have been forced to close almost as quickly as they opened due to widespread exposures, quarantines and staff shortages.

This unpredictable and ever-shifting education landscape has wreaked havoc on a back-to-school season that was once expected to herald a return to normalcy. But unfortunately for school leadership and IT administrators already dealing with a learning environment subject to change from day to day, this level of upheaval and uncertainty has historically been compounded by another crisis: cybercrime.

Toward the beginning of the pandemic, attacks on K-12 schools and higher education began rising as hackers realized that schools were frequently both overwhelmed and underprotected.

“K-12 institutions have limited resources to dedicate to network defense, leaving them vulnerable to cyberattacks,” the FBI warned in an alert sent in late June 2020.

It’s been more than a year since that initial report — enough time to collect the sort of data needed for an apples-to-apples comparison of 2020 and 2021. Unfortunately, as reported in the mid-year update to the 2021 SonicWall Cyber Threat Report, even as schools have reopened, any expected reprieve has remained elusive. Almost every type of cyberthreat against education has continued to rise drastically in the first half of 2021, painting a frightening picture of what might lie ahead as our K-12 and higher-education institutions face increasing challenges.

Ransomware

In April 2021, Broward County Public School District, one of the largest in the U.S., received a ransom demand of $40 million, the second-highest to date. To help ensure they received payment, the criminals threatened to publish student and employee data online — an increasingly popular tactic among cybercriminals known as “double extortion.”

But while this may be an extreme example, it represents a trend of increasingly audacious demands on schools. And as more schools show a willingness to pay at least something, the number of attacks has begun to rise even faster.

In the first half of 2020, SonicWall threat researchers recorded 1.4 million ransomware attacks on K-12 and higher education institutions. By the first half of 2021, this number had risen to 10.1 million — an increase of 615%.

As observed by SonicWall, education was top vertical targeted by ransomware in three of the first six months of 2021.

IoT Attacks

When students and teachers made the shift to online learning in early 2020, they introduced millions of new devices to the network, widening the attack surface considerably.

Mirroring the trends we saw among organizations as a whole, IoT attacks rose over the course of 2020, as cybercriminals recognized an opportunity to access unprotected or inadequately protected networks.

While IoT attacks in general rose 59% in the first half of 2021 over the same time period in 2020, those in education saw an even larger jump, despite the fact that many students had returned to in-person classes. Among schools and colleges, IoT attacks rose 78% year-to-date — a gap we may see continue to widen if more students are sent home for remote learning.

Cryptojacking

In April 2021, Washington educational organizations discovered that they’d been hit by a cryptojacking attack dating back to at least February. Given what was happening in the crypto market at the time, the timing was unsurprising: Cryptojacking is largely tied to the price of cryptocurrency, and in early 2021, cryptocurrency was soaring to record highs.

But in late spring, amid warnings of increased tax enforcement on cryptocurrency earnings and news of mining bans in China and elsewhere, the prices of cryptocurrency — and cryptojacking — crashed hard.

For schools, which saw a mind-boggling 1,917% increase in the number of cryptojacking attacks in the first half of 2021 over the first half of 2020 (versus a 23% increase among organizations as a whole), this was welcome news. But with the prices of most cryptocurrencies continuing to rebound, it’s possible we could see a sustained rise, rather than a drop, once the data from the second half of 2021 is in.

In March 2021, the K-12 Security Information Exchange and the K-12 Cybersecurity Resource Center released a report stating, “The 2020 calendar year saw a record-breaking number of publicly-disclosed school cyber incidents,” with many of these incidents “resulting in school closures, millions of dollars of stolen taxpayer dollars, and student data breaches directly linked to identity theft and credit fraud.”

Unfortunately, as the data from the first half of 2021 shows, attacks on K-12 and higher education institutions have only risen since then. While government programs such as the CARES Act, ARP and more will certainly help, unless we see sustained investment in cybersecurity in the coming years, K-12 and higher education will likely continue to be targeted.