Apache Log4j StrSubstitutor Vulnerability

Overview:

  Apache Log4j is a simple and flexible logging library for Java. With Log4j it is possible to enable logging at runtime without modifying the application binary. Apache Log4j is part of the Apache Logging project. The Log4j package is designed so that logging statements can remain in shipped code without incurring a heavy performance cost; logging behaviour is controlled by editing a configuration file, without touching the application binary.

  An uncontrolled recursion vulnerability has been reported in the StrSubstitutor class of Apache Log4j. This vulnerability is due to improper handling of logged messages when the logging configuration uses a non-default Pattern Layout with a Context Map Lookup, Map Lookup, or Structured Data Lookup.

  A remote attacker who can control an item in the Thread Context Map or a MapMessage or StructuredDataMessage can exploit this vulnerability by sending a specially crafted parameter to the target application. Successful exploitation could result in a denial-of-service condition due to a crash of the Log4j service.

  Vendor: Logging Apache

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-45105

  See: CVE-ID

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C).

  Base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is none.
    • Impact of this vulnerability on data integrity is none.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 6.5 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  NVD CVSS Metrics

Technical Overview:

  An uncontrolled recursion vulnerability has been reported in the StrSubstitutor class of Apache Log4j. This vulnerability is due to improper handling of logged messages when the logging configuration uses a non-default Pattern Layout with a Context Map Lookup, Map Lookup, or Structured Data Lookup. When a variable is included in a lookup string, it is resolved by calling the substitute() method of the class org.apache.logging.log4j.core.lookup.StrSubstitutor.

  Once the marker for the end of a variable is found, the substitute() method is called recursively with the variable to be substituted. The method checkCyclicSubstitution() is called with each variable substitution, to detect infinite substitution loops. This method maintains a list of previously encountered variables in a variable named priorVariables. After the variable is resolved using the resolveVariable() method, the substitute() function is called recursively with the resolved content, to resolve any variables included in the result. However, when a variable is detected in the resolved content, substitute() is called recursively without supplying the priorVariables variable. Therefore, if a variable resolves to a nested lookup containing the same variable, it won’t be detected by the checkCyclicSubstitution() method, resulting in uncontrolled recursion.

  A remote attacker who can control an item in the Thread Context Map or a MapMessage or StructuredDataMessage can exploit this vulnerability by setting the item to an appropriate lookup containing a nested reference to itself. For example, if the attacker can control the value of the apiversion Thread Context Map item, they could set its value to the following string:

  

  Successful exploitation could result in a StackOverflowError due to uncontrolled recursion, leading to a denial-of-service condition due to a crash of the Log4j service.

Triggering the Problem:

  • The target must be running a vulnerable version of the software.
  • Target needs a non-default Pattern Layout with a Context Map Lookup, Map Lookup, or Structured Data Lookup.
  • Target must accept untrusted input within the Thread Context Map, MapMessage, or StructuredDataMessage.
  • The attacker must have network connectivity to the vulnerable server.

Triggering Conditions:

  The attacker sends a maliciously crafted parameter to the vulnerable server. The server adds the parameter to a Thread Context Map, MapMessage, or StructuredDataMessage and logs a message. The vulnerability is triggered when the server parses the lookup included in the parameter.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS:15738 Apache Log4j Self-Referential Lookup DoS (CVE-2021-45105) 1

  • IPS:15739 Apache Log4j Self-Referential Lookup DoS (CVE-2021-45105) 2

  • IPS:15740 Apache Log4j Self-Referential Lookup DoS (CVE-2021-45105) 3

  • IPS:18663 Apache Log4j Self-Referential Lookup DoS (CVE-2021-45105) 4

  Please note that if your web service/server is accessible over HTTPS, then enabling Server DPI-SSL is necessary for the above signatures to detect exploits targeting this vulnerability.

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Applying the vendor-supplied patch.
    • Removing Context Map Lookups, Map Lookups, and Structured Data Lookups from the application’s Pattern Layout.
    • Detecting and blocking malicious traffic using the signatures above.
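  One way to audit a Log4j 2 XML configuration for the layouts named in the second item (an added example, not SonicWall’s or Apache’s code): it flags PatternLayout patterns that use the ctx:, map: or sd: lookup prefixes, which are Log4j 2’s own names for the Context Map, Map and Structured Data lookups, and rewrites plain ${ctx:key} lookups to the %X{key} conversion pattern, the vendor’s recommended substitute. The sample configuration and appender names are constructed for the demo.

```python
import re
import xml.etree.ElementTree as ET

# Lookup syntax is ${prefix:key}; the $${...} form defers evaluation to log time.
# Only the three lookup types named in the advisory are flagged. %X{key}, the
# default way to print a Thread Context value, is a conversion pattern, not a
# lookup, and is left alone.
RISKY_LOOKUP_RE = re.compile(r"\$\$?\{\s*(ctx|map|sd)\s*:[^}]*\}", re.IGNORECASE)
# ${ctx:key} / $${ctx:key} with a plain key can be rewritten to %X{key}.
CTX_LOOKUP_RE = re.compile(r"\$\$?\{\s*ctx\s*:\s*([A-Za-z0-9_.\-]+)\s*\}", re.IGNORECASE)


def find_risky_lookups(pattern: str) -> list:
    """Return every ctx:/map:/sd: lookup expression in one layout pattern."""
    return [m.group(0) for m in RISKY_LOOKUP_RE.finditer(pattern)]


def rewrite_ctx_lookups(pattern: str) -> str:
    """Replace Context Map lookups with the equivalent %X{key} conversion."""
    return CTX_LOOKUP_RE.sub(r"%X{\1}", pattern)


def layout_pattern(layout: ET.Element) -> str:
    """PatternLayout accepts the pattern as an attribute or as a nested <Pattern>."""
    return layout.get("pattern") or (layout.findtext("Pattern") or "")


def scan_config(xml_text: str) -> list:
    """Return (appender name, lookup) pairs for each PatternLayout using a risky lookup."""
    root = ET.fromstring(xml_text)
    findings = []
    for parent in root.iter():
        for layout in parent:
            if layout.tag != "PatternLayout":
                continue
            for hit in find_risky_lookups(layout_pattern(layout)):
                findings.append((parent.get("name", parent.tag), hit))
    return findings


# Constructed sample configuration: two layouts use lookups, one uses %X instead.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p $${ctx:apiversion} %m%n"/>
    </Console>
    <File name="Audit" fileName="audit.log">
      <PatternLayout>
        <Pattern>%d ${sd:type} %X{requestId} %m%n</Pattern>
      </PatternLayout>
    </File>
    <File name="Safe" fileName="app.log">
      <PatternLayout pattern="%d %X{apiversion} %m%n"/>
    </File>
  </Appenders>
</Configuration>
"""

if __name__ == "__main__":
    for appender, lookup in scan_config(SAMPLE_CONFIG):
        print(f"{appender}: {lookup} -> {rewrite_ctx_lookups(lookup)}")
```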
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

GitHub-hosted Android ransomware being misused in the wild

GitHub is a platform commonly used to host open-source projects, many of which are security focused. The SonicWall Threats Research team recently identified an Android ransomware that was hosted on GitHub as an educational project.

 

Initial Discovery

We identified an Android apk (MD5: 6dc068db642247295e96437d8aca60a0) as malicious and, upon inspecting its code, found some interesting breadcrumbs which led us to the GitHub repository that was the origin of this threat. A simple search for the package name of this threat – com.termuxhackers.id – led us to the following GitHub repository:

 

One of the repositories hosted here is SARA – Simple Android Ransomware Attack:

 

We identified a number of malicious apps on a number of platforms that were spawned using this codebase. Many of these apps masquerade as popular legitimate applications; a few are listed below:

We identified more than 200 apps that have been created using this codebase.

 

Creating the ransomware

While building the apk, this kit asks the user to enter an unlock code:

 

Once executed, a screen showing the user-entered text is overlaid on the display and the victim cannot use the phone. Strings present in strings.xml in the app resource folder are used on the ransom screen.

 

 

The unlock key is hardcoded in plaintext within the apk; it is supplied by the user during app creation:

 

We analyzed several malicious apks; one instance in particular stood out, where the ransom demand was 50 BTC:

 

Overall, this repository was created and distributed on GitHub for what appears to be educational purposes. However, we identified a high number of apps created using this repository with legitimate app icons and application names. Whether these were created as a prank, with malicious intentions or to legitimately learn how ransomware works is yet to be determined.

 

SonicWall Capture Labs provides protection against this threat using the signature listed below:

  • AndroidOS.Termux.RSM

 

Indicators of Compromise:

  • 00dc92f14326c7b0e87e877bfd12a7df
  • 6b9157e059da44f13843e682ac3bcba7
  • 6dc068db642247295e96437d8aca60a0

Spam Campaign Roundup: Christmas Holiday 2021 Edition

With Christmas weekend upon us and many people still looking for the best last-minute deals, we have noticed an increasing amount of holiday-related spam email. We have been monitoring the volume of spam received this month and noticed a trend where the amount received increases during the weekends. This is not surprising: consumers spend more time shopping online, so cybercriminals have become more aggressive and creative with their tactics.

The following are some of the common email subjects:

  • Don’t Wait! 80% off Christmas Sale
  • Christmas Sale Find the Perfect Gifts Now
  • Congratulations! You can get <insert merchant> $50 gift card!
  • Save up to 80% off on the perfect gift for everyone
  • Get a Drone as a gift
  • Ahoy! Christmas Special!
  • Hottest Christmas Gifts of 2021

Most of these emails purport to come from popular department stores and promise gift cards; the links, when clicked, lead to a URL different from the real merchant’s website. The consumer is then asked to enter personal information and to participate in a number of “offers” that often cost money in fees or subscriptions, with no guarantee of ever receiving the products, services or the free gift card at the end of the process.

One new tactic observed this year was the use of shortened URLs to mask the real address the link leads to, adding a layer of trickery to fool users into following links they otherwise wouldn’t click.

Another new trick this year was adding a captcha to determine whether the user is actually a human or a bot.

They now also add a countdown timer to increase urgency and drive victims to act.

Rewards are too good to be true.

In this example, the user is asked to pay a small shipping fee for the reward, which serves as a pretext for collecting their credit card information.

We urge our users to always be vigilant and cautious with any unsolicited email and to avoid providing any personal information, particularly if you are not certain of the source.

SonicWALL Capture Labs Gateway Antivirus and Email Security service constantly monitor and provide protection against such malicious spam and phishing threats.

 

Yealink Device Management Command Injection Vulnerability

The SonicWall Capture Labs threat research team observed attacks exploiting a vulnerability in Yealink devices.

Yealink’s powerful GUI-driven Yealink Device Management Platform delivers a comprehensive set of tools for implementing up to 5,000 Microsoft-certified Yealink Skype for Business IP phones. The platform solves the complexities of provisioning, management, call quality control and troubleshooting. The solution allows system-wide oversight and the ability to drill down into specific needs for various regions, user groups or even a particular device model.

Yealink Device Management Command Injection Vulnerability | CVE-2021-27561
A command injection vulnerability exists in Yealink Device Management. It allows command injection as root via the URI, without authentication.

The Yealink DM server does not filter user-provided data, which allows remote unauthenticated attackers to execute arbitrary commands.

In the above exploit, the attacker is able to bypass authentication and download and execute a malicious script from an attacker-controlled server.

The following versions are vulnerable:

  • Yealink Device Management (DM) 3.6.0.20

SonicWall Capture Labs provides protection against this threat via the following signature:

      • IPS 15456:Yealink DM Remote Code Execution

IoCs

  • 03f37a12673fd7ad01b744f84b61aad062a5b6eafbeb7aeac4a00ef28159ad80
  • 203.159.80.241

Threat Graph

Cybersecurity News & Trends

There’s a lot of industry news to report this week. First, the brief AWS outage felt almost like the one Amazon suffered earlier this month. Then there’s the Log4j vulnerability, which has the full attention of the entire cyber news community. Back to breaches and ransomware: the big HR firm Kronos was hit by ransomware that may affect paycheck and timecard processing for several weeks. Plus, the declaration that 2021 was the year cybersecurity became everyone’s business, and analysis of America’s answer to the Russians to stop cyberattacks.


Industry News

AWS Runs into IT Problems. Briefly This Time.

The Register (UK): Amazon Web Services gave everyone a scare earlier in the week as it once again suffered a partial IT breakdown, briefly taking down a chunk of the web with it. If you found you could not use your favorite website or app during that time, this may have been why. Many feared another full-on AWS outage, as we saw earlier this month. After some delay, Amazon posted that its US-West-2 region was experiencing connectivity problems, then the outage appeared to move to other regions. But only ten minutes after the initial report, Amazon said they had worked out the root cause of the loss of connectivity to the regions, made some fixes, and was expecting a fast recovery. Complete recovery was reported within 30 minutes from the first sign of trouble.

Why The Web Is Losing Sleep Over the Log4j Vulnerability.

The Federal (India): Security pros say it’s one of the worst computer vulnerabilities they’ve ever seen. Others report that state-backed Chinese and Iranian hackers and rogue cryptocurrency miners have already seized on it. The Department of Homeland Security is sounding a dire alarm, ordering federal agencies to urgently eliminate the bug because it’s so easily exploitable — and telling those with public-facing networks to put up firewalls if they can’t be sure. The affected software is small and often undocumented. Detected in an extensively used utility called Log4j developed by Apache Software, it is a logging utility used by millions of apps, enterprises and other vital software. Logging is what allows developers to view the activities of an app. The flaw lets internet-based attackers quickly seize control of everything from industrial control systems to web servers and consumer electronics. Simply identifying which systems use the utility is a challenge; it is often hidden under other software layers.

Kronos Hit with Ransomware, Warns Paychecks Delayed ‘Several Weeks’.

ZD Net: HR management platform Kronos has been hit with a ransomware attack. The company revealed that hackers may have accessed information from many of its high-profile customers. UKG, Kronos’ parent company, said the vital service will be out for “several weeks” and urged customers to “evaluate and implement alternative business continuity protocols related to the affected UKG solutions.” In a statement to ZDNet, UKG said it “recently became aware of a ransomware incident that has disrupted the Kronos Private Cloud,” which they said, “houses solutions used by a limited number of our customers.” In other reporting by NPR and CNN, Kronos admitted that the attack could impact employee paychecks and timesheet processing for weeks.

Cox Discloses Data Breach After Hacker Impersonates Support Agent.

Bleeping Computer: Cox Communications has disclosed a data breach after a hacker impersonated a support agent to gain access to customers’ personal information. The company is a digital cable provider and telecommunication company that provides internet, television, and phone services throughout several regions in the US. This week, customers began receiving letters in the mail disclosing that Cox Communications learned on October 11th, 2021, that “unknown person(s)” impersonated a Cox support agent to access customer information.

Gravatar “Breach” Exposes Data of 100+ Million Users.

Search Engine Journal: A security site emailed notices of a data breach affecting over 100 million users of Gravatar. Gravatar denies that it was hacked, but the security alert company, named “HaveIBeenPwned,” notified users that hackers leaked the profile information of 114 million Gravatar users. They also reported that the leak was characterized as a data breach.

2021 Was the Year Cybersecurity Became Everyone’s Business.

Axios: We do not have to go very far to find evidence that cybersecurity has gone center stage. Diplomats, presidents and premiers have devoted quite a lot of time lately to quickly drafted mutual cybersecurity arrangements. In addition, the J.P. Morgan International Council identified cybersecurity as the most significant threat facing businesses and government. Many advisors and experts say that it will be challenging to reach a point where we can proclaim a permanent “win” in the battle against malicious attacks. The worry this year was that the world was on the losing end. Earlier this year, it clearly felt like the attackers had the upper hand. The combination of cryptocurrency and ransomware proved to be especially difficult. For one thing, victims tended to want to pay up rather than take the risk of data loss and disruption of their business. The rise in cyberattacks also made complex foreign relations far more complicated as the boundaries of interests blurred rules of engagement. In contrast, there are clear lines when allies are physically attacked. But in cyberspace, the divisions are no longer binary. Cyberattacks are personal – some deal with very private information – but they also expose liabilities such as who is responsible for investigation and recovery, and who is on the hook for damages. These attacks also eroded the trust that people have in markets, governments, resources and even national power. The cyberattacks prey on our weakest points; they sow distrust in information while they create confusion and exacerbate anxiety.

Six Months Later: Biden’s Warning to Russia About Cyber Attacks.

Washington Post: Six months ago, President Biden warned Russian President Vladimir Putin in a face-to-face meeting that he must rein in criminal ransomware hackers operating on Russian territory or face consequences. Since then, though, most researchers indicate that there’s been no reduction in the overall pace of ransomware attacks from Russia. This point is also supported by the Cybersecurity and Infrastructure Security Agency (CISA). In that one proclamation, President Biden’s stern challenge to Russia was intended to punctuate international concern about attacks that have threatened gas and meat supplies and stoked global fear. But, six months later, is there any hope that behavior changed at all? Like everything else in these complicated times, the analysis depends on how you look at things. The US has launched several covert counter-cyber operations, and these alone may have been enough to taper the activities of some groups. The Justice Department recently clawed back more than $8 million in ransomware payments from hackers’ cryptocurrency accounts. DOJ was also successful in netting a few high-profile arrests and even caused one group to shut down their operations. The real and honest answer is that it’ll take much longer than we can see in six months. In the meantime, with better security technology and improved user behavior, there may be reason for hope in 2022.


In Case You Missed It

GarrantDecrypt ransomware operator charges $5000 for decryption. Price negotiable.

The SonicWall Capture Labs threat research team has been tracking ransomware known to some in the antivirus community as GarrantDecrypt. The current variant of this ransomware appeared in late November 2021. The malware is aimed at infecting casual PC users rather than large corporations. The ransom charge for file decryption is relatively cheap at $5000 in BTC. This is significantly lower than what we have seen with most ransomware, and the price can be negotiated down further with the operator.

 

Infection Cycle:

 

Upon infection, files on the system are encrypted. Each encrypted file is given a “.decrypt” extension. #file.decrypt#.txt is dropped into every directory containing encrypted files:

 

#file.decrypt#.txt contains the following message:

 

The malware disables various security policies on the system. This can be seen in the decompiled code:

 

Only the encryption routine is present in the malware. Decryption requires a separate program provided by the operator:

 

We reached out to file.decrypt@yahoo.com and had the following conversation with the operator who appears to be German:

 

 

After a brief negotiation, we were able to have the price reduced:

 

 

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: GarrantDecrypt.N (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

 

How SonicWall ZTNA protects against Log4j (Log4Shell)

The Log4j vulnerability likely affects millions of devices. But it (and vulnerabilities like it) can be stopped.

IMPORTANT: For the latest information regarding SonicWall products and Apache Log4j, please see PSIRT Advisory ID SNWLID-2021-0032, which will be continually updated. The SonicWall Product Security and Incident Response Team (PSIRT) is always researching and providing up-to-date information about the latest vulnerabilities.

Last week’s disclosure of the Apache Log4j (CVE-2021-44228) vulnerability put the internet on fire and set cybersecurity teams scrambling to provide a fix. The issue lies in Log4j, an open-source Apache logging framework that developers have been using for years to keep track of activities within an application. CVE-2021-44228 allows remote attackers, who actively scan the internet for systems affected by the vulnerability, to easily take control of vulnerable systems.

What is the Log4j vulnerability?

Log4j is a Java library broadly used in enterprise and web applications. The problem is that the Log4j framework is unrestrained and follows requests without any vetting or verifications. This “implicit trust” approach allows an attacker to conduct a completely unauthenticated remote code execution (RCE) by submitting a specially crafted request to the vulnerable system. An attacker needs to strategically send a malicious code string that eventually gets logged by Log4j version 2.0 or higher to allow them to take control.

To make matters worse, Log4j is not easy to patch in production systems. If something goes wrong, an organization’s logging capability could be compromised precisely when it’s needed most — to watch for attempted exploitation.

Most tech vendors, including Amazon Web Services, Microsoft, Google Cloud, IBM and Cisco, have reported that some of their services were vulnerable. These vendors and others have been quickly working to fix any issues, release software updates where applicable and advise customers on the next steps. SonicWall has also been working to provide necessary patches, investigate the impact and provide necessary updates to customers.

What is the scope of the impact for Log4j?

The discovery of this zero-day vulnerability has created a virtual earthquake because it affects anything that uses Java. Any servers that are exposed to the internet and run Java applications with the affected Log4j library are at risk.

Attempts to exploit this vulnerability are particularly hard to detect because any string that might get logged by Log4j could trigger the vulnerability — it could be anything from user-agent or system-generated strings to email subject lines.

The Microsoft Security Response Center has reported that most Log4Shell activities have been mass scanning and fingerprinting by hackers, probably for future attacks, as well as scanning by security companies and researchers. Other observed activities have included installing coin miners, running Cobalt Strike to enable credential theft and lateral movement, and exfiltrating data from the compromised systems.

How ZTNA adoption minimizes Log4j risk

SonicWall Cloud Edge is built on zero-trust architecture that enables access and network connectivity to internal and external resources. By combining Cloud Edge Zero Trust Network Architecture (ZTNA) and tightly defined policies, admins can ensure servers are not publicly exposed to the internet, but only to users who meet certain criteria and are allowed to pass through network firewall or Stateful FWaaS.

Using ZTNA and SDP architecture to protect and hide all of the underlying services from public access, we can mitigate the Log4Shell vulnerability by only passing activity logs within the internal network. SonicWall Cloud Edge ZTNA by default will not allow them to be sent outside the local network over a public internet connection.

SonicWall Cloud Edge significantly reduces the attack surface and potential damage to the internal network by allowing admins to precisely control and limit any traffic generated from inside or outside the network. By segmenting your cloud, on-prem or hybrid network with ZTNA, you can also contain the spread of malicious code or activity within your defined network perimeter.

AveMaria RAT is being delivered using ISO files

Threat actors are using low-profile file types to propagate malware because they are overlooked by many security products. One of them is the optical disc image (ISO image), which is treated as a trusted file type. ISO files are being abused by threat actors to deliver the payload to the victim’s machine without being detected. The SonicWall RTDMI ™ engine has recently detected a number of ISO files, delivered as email attachments, that execute the AveMaria RAT on the victim’s machine.

The malware also uses the .scr file extension and a long file name containing many special characters, which can work as an evasion technique against some security products:

 

The ISO contains a .NET executable which sleeps for 1.5 seconds nine times and then downloads binary data from a URL. The downloaded data is byte-reversed to produce a valid AveMaria Dynamic Link Library (DLL) file:

 

The AveMaria DLL is then executed by calling one of its exported functions:
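An added detection helper for the byte-reversed payload described above (not part of the original analysis): a Windows PE file begins with the DOS signature “MZ” and stores the offset of its “PE\0\0” signature at offset 0x3C, so reversing the whole file leaves “ZM” as the last two bytes, which a plain magic-byte scan of the download misses. The check below undoes the reversal and validates both signatures; the sample header it runs on is constructed for the demo, not real malware.

```python
import struct

PE_OFFSET_FIELD = 0x3C  # DOS header field e_lfanew: offset of the "PE\0\0" signature


def looks_like_pe(data: bytes) -> bool:
    """Return True if data starts with a consistent DOS header and PE signature."""
    if len(data) < PE_OFFSET_FIELD + 4 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, PE_OFFSET_FIELD)
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def is_reversed_pe(data: bytes) -> bool:
    """Return True if the blob is a PE file stored byte-reversed (ends in b'ZM')."""
    return data[-2:] == b"ZM" and looks_like_pe(data[::-1])


def classify(data: bytes) -> str:
    """Label a downloaded blob as a plain PE, a reversed PE, or unknown."""
    if looks_like_pe(data):
        return "pe"
    if is_reversed_pe(data):
        return "reversed-pe"
    return "unknown"


def build_sample_pe() -> bytes:
    """Construct a minimal stand-in PE header (constructed sample, not malware)."""
    e_lfanew = 0x80
    header = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", header, PE_OFFSET_FIELD, e_lfanew)
    header += b"PE\0\0" + b"\0" * 20  # COFF header placeholder
    return bytes(header)


if __name__ == "__main__":
    sample = build_sample_pe()
    print(classify(sample))          # pe
    print(classify(sample[::-1]))    # reversed-pe
    print(classify(b"hello world"))  # unknown
```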

AveMaria RAT

AveMaria malware behaves as an InfoStealer, KeyLogger and Remote Access Trojan (RAT). Based on the code, the malware also appears to modify Remote Desktop Services (termsrv.dll) to allow concurrent access by multiple users. The malware steals data from various applications installed on the victim’s machine, including Microsoft Outlook and Mozilla Thunderbird.

The malware copies RegAsm.exe into the %temp% directory and executes it in order to inject malicious code into the process:

 

List of web browsers targeted by the malware to steal stored credentials:

  • Microsoft Edge
  • UC Browser
  • QQ Browser
  • Opera
  • Blisk
  • Chromium
  • Brave
  • Vivaldi
  • Comodo Dragon
  • Torch
  • SlimJet
  • CentBrowser

 

At the time of analysis, only a few security vendors on popular threat intelligence sharing portals such as VirusTotal and ReversingLabs detected the ISO file, which indicates its uniqueness and evasiveness:

 

Evidence of the detection by RTDMI ™ engine can be seen below in the Capture ATP report for this file:

The Rise and Growth of Malware-as-a-Service

A deep dive into the minds of the hackers and their new and profitable business model.

Imagine you’re part of a group of hackers, and you spend hours upon hours coding the perfect malware package. Then, you and your team successfully hit a few companies with ransomware. Of course, once you collect your ransom, other groups would get their hands on your hard work and try to replicate your success — but your work is done.

But imagine if you could offer your hard work as a service to those other groups for a fee? You’ve now tipped into the world of malware-as-a-service (MaaS).

To understand the present malware crisis, we must get into the minds of the hackers who do the hard work of creating the tools of their trade. The first part of that journey is to recognize that malware is software and software is business. Some of it is brilliant, albeit misguided. And hack-as-a-service? Well, that’s just next-level genius.

The Proof is in the Numbers

As many of us have only just begun our education in cybersecurity, people are still reasonably astonished that hackers came up with a business model to support their “industry.” Why be surprised? After all, this is the same community that figured out how to hack our networks and devices and generate a global security crisis. And proof of their effectiveness is in the numbers.

Four months ago, SonicWall released its widely quoted Mid-Year Update on the 2021 SonicWall Cyber Threat Report with alarming news of the sharp rise in ransomware and other malicious attacks. Unfortunately, news from the third quarter was not much better: ransomware’s rise has not slowed.

Image that explains the rise of ransomware in Europe and North America

This year was already proving to be the most active year for ransomware on record. According to the latest data, activity continues to climb with no sign of slowing down. After posting a groundbreaking 188.9 million ransomware attacks in the second quarter, attacks continued and broke another record of 190.4 million in the third quarter. The total 495.1 million attacks represent a 148% increase over 2020, making 2021 the most costly and dangerous year on record.

MaaS Is a Demonstrative Business Model

Many corporate software products — Microsoft 365, Google Workspace, Salesforce, to name a few — are delivered to customers as a service; hence, software-as-a-service (SaaS). The business model puts creators on the development and maintenance side of the equation for customizable applications that manage all sorts of tasks.

The arrangement is a big help to organizations that do not have the software skills or the willingness to develop their own applications. Similarly, hacker groups with expertise can offer their malware-as-a-service (MaaS) to people who want to make money from hacking, which leads us to “ransomware-as-a-service.” Both labels are apt descriptions of the activities of well-known hacker gangs such as Circus Spider, Conti, DarkSide and REvil.

There are dozens of other groups that have franchised their skills to other gangs that have complementary expertise and capabilities in such areas as phishing, social engineering, encryption tools, server power, ransom collection — and they do it all under agreements to share revenues generated from their joint activities.

The fact we can call it a business model at all spells out how lethal the situation has become. With the ransomware crisis still raging on, wannabe attackers of all skill levels can now rise as major global cyberthreat gangs. Anyone with a grudge and enough time on their hands can chase after government agencies, major enterprise networks – and even smaller players like the average home office user.

MaaS As a Turnkey Threat Asset

In effect, MaaS is a turnkey threat. And within SonicWall’s latest threat data is another sign of what that could mean: a 73% increase in unique malware variants.

SonicWall used its patented RTDMI™ (Real-Time Deep Memory Inspection) technology embedded in its cloud-based Capture Advanced Threat Protection (ATP) sandbox service to uncover 307,516 never-before-seen malware variants during the first three quarters of 2021. This unsettling discovery means that cybercriminals are releasing an average of 1,126 new malware versions per day.


The rise in variants, coupled with the increase in activity, shows that the “hacker industry” has learned how to rapidly diversify the software it uses to attack networks and computers. The result is that businesses, governments and individuals will find it increasingly difficult to protect themselves. Clearly, the combination of security weaknesses demonstrated by previous attacks and the rise of MaaS/RaaS has created a whole new threat level.

Learning the New Threat Landscape

Considering how quickly the threat landscape has grown this year, network operators of all sizes are in a race against time to get ahead of the crisis with better cybersecurity. Therefore, effective vulnerability management is the essential core of everyone’s mission.

Here’s your invitation to find out what thought leaders in cybersecurity know about this emerging threat. Explore how cybercriminals are leveraging the software-as-a-service business model to establish a rapidly growing ‘hacker economy.’ This webcast will include insights on new trends, define the MaaS/RaaS business model, and explain what you can do to protect your business.

Presented by Simon Wikberg, SonicWall Cybersecurity Expert, the webcast will also dive into deep business data behind MaaS and known examples that have been uncovered.

Microsoft Security Bulletin Coverage for December 2021

The SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of December 2021. A list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2021-41333 Windows Print Spooler Elevation of Privilege Vulnerability
ASPY 272:Malformed-File exe.MP_221

CVE-2021-43207 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 274:Malformed-File exe.MP_223

CVE-2021-43226 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 276:Malformed-File exe.MP_225

CVE-2021-43233 Remote Desktop Client Remote Code Execution Vulnerability
ASPY 273:Malformed-File exe.MP_222

CVE-2021-43883 Windows Installer Elevation of Privilege Vulnerability
ASPY 275:Malformed-File exe.MP_224

The following vulnerabilities do not have exploits in the wild:
CVE-2021-40441 Windows Media Center Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-40452 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-40453 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-41360 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-41365 Microsoft Defender for IoT Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-42293 Microsoft Jet Red Database Engine and Access Connectivity Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42294 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-42295 Visual Basic for Applications Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-42309 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-42310 Microsoft Defender for IoT Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-42311 Microsoft Defender for IoT Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-42312 Microsoft Defender for IoT Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42313 Microsoft Defender for IoT Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-42314 Microsoft Defender for IoT Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-42315 Microsoft Defender for IoT Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-42320 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-43214 Web Media Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-43215 iSNS Server Memory Corruption Vulnerability Can Lead to Remote Code Execution
There are no known exploits in the wild.
CVE-2021-43216 Microsoft Local Security Authority Server (lsasrv) Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-43217 Windows Encrypting File System (EFS) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-43219 DirectX Graphics Kernel File Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-43222 Microsoft Message Queuing Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-43223 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-43224 Windows Common Log File System Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-43225 Bot Framework SDK Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-43227 Storage Spaces Controller Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-43228 SymCrypt Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-43229 Windows NTFS Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-43230 Windows NTFS Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-43231 Windows NTFS Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-43232 Windows Event Tracing Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-43234 Windows Fax Service Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-43235 Storage Spaces Controller Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-43236 Microsoft Message Queuing Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-43237 Windows Setup Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-43238 Windows Remote Access Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-43239 Windows Recovery Environment Agent Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-43240 NTFS Set Short Name Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-43242 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-43243 VP9 Video Extensions Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-43244 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-43245 Windows Digital TV Tuner Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-43246 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-43247 Windows TCP/IP Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-43248 Windows Digital Media Receiver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-43255 Microsoft Office Trust Center Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-43256 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-43875 Microsoft Office Graphics Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-43877 ASP.NET Core and Visual Studio Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-43880 Windows Mobile Device Management Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-43882 Microsoft Defender for IoT Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-43888 Microsoft Defender for IoT Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-43889 Microsoft Defender for IoT Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-43891 Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-43893 Windows Encrypting File System (EFS) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-43896 Microsoft PowerShell Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-43899 Microsoft 4K Wireless Display Adapter Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-43905 Microsoft Office app Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-43907 Visual Studio Code WSL Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.