10 Tips for a Safe and Happy Holiday

They’re not interested in peace on earth, a hippopotamus or their two front teeth. You won’t find them decking the halls, dashing through the snow or even up on the housetop. But that doesn’t mean cybercriminals aren’t out in force this time of year — and they’re relying on you being too wrapped up in your holiday preparations to see them coming.

They’re successful far too often: The last quarter of 2020 saw by far the most ransomware, with attacks in November reaching an all-time high in an already record-breaking year. If 2021 follows suit, this could be the worst holiday season for ransomware SonicWall has ever recorded — but fortunately, there are many things you can do to minimize your risk:

It’s the Most Wander-ful Time of the Year: Travel Tips

Roughly 63% of American adults plan to travel for the holidays this year — a nearly 40% jump over last year, and within 5% of 2019 levels. While it’s easy to become preoccupied by traffic jams, flight delays and severe weather, don’t forget that attackers love to leverage this sort of chaos. Follow these five travel best practices to keep cybercriminals grounded this holiday season.

1. Free Wi-Fi ≠ Risk-Free Wi-Fi

When you stop for a coffee during your layover, or stumble into a greasy spoon on hour nine of your road trip back home, you might be tempted to log on to the free Wi-Fi. But unless your organization has implemented zero-trust security, beware. Try bringing a novel and coloring books to keep everyone occupied on the road, and if you must connect, use a VPN to access employer networks and avoid logging in to your bank, email or other sensitive accounts. Because some devices may try to connect to these networks automatically, you may need to disable auto-connect to fully protect against man-in-the-middle and other attacks.

2. Put Your Devices on Lockdown

With border restrictions finally beginning to ease in countries such as Canada, Australia, India, South Korea and the United States, international travel is expected to be robust. In the U.S., roughly 2 million travelers are expected to pass through airports each day over the Christmas holiday. In crowds like this, it’s easy for a device to be misplaced, left behind or stolen. To limit the potential damage from smartphones, laptops, tablets, etc. falling into the wrong hands, ensure they’re protected with facial recognition, fingerprint ID or a PIN. (This doesn’t just protect against data theft; it can also help combat regular theft: One study found that locked devices were three times more likely to be returned to their owners.)

3. Don’t Let Criminals Track You

Nearly 43% of Americans and 42% of Brits feel more comfortable traveling this year — but this doesn’t mean they should be comfortable with everyone knowing they’re traveling. Any location data you share on social media can be tempting to those wanting to break into homes or hotel rooms — whether to steal and exfiltrate data, or steal gaming consoles, jewelry, medications or even gifts under the tree.

4. Use Only Your Own Cords/Power Adapters

In our mobile-dependent society, it’s no surprise that cybercriminals have learned how to install malware in airport kiosks, USB charging stations and more. And while that “forgotten” iPhone charging cable might look tempting when your device is running on empty, even those can harbor malware. If you can’t find a secure charging area, ensure your device is powered off before plugging it in.

‘Tis the Season for Giving: Online Safety Tips

Even if you’re not traveling this year, chances are you’re buying gifts. While supply-chain challenges, pandemic considerations and more have made for a unique holiday shopping season, it’s important to put safety first when shopping online. Here are six things to look out for:

1. Holiday Phishing Emails

Perhaps you’ve received an invite to the Jones’ holiday party, a gift card or coupon, or an email from HR with details of an unexpected holiday bonus. If there’s an attachment, exercise extreme caution: It may harbor malware.

2. Spoofed Websites

Unfortunately for your wallet, emails boasting huge discounts at popular retailers are likely bogus. Walmart isn’t offering 70% off, and nobody is selling PlayStations for $100, not even during the holidays. If you enter your info into one of these lookalike retail (or charity) sites, the only thing you’re likely to get is your credentials stolen.

3. Fake Shipping Invoices

You’ve finished your shopping, and your gifts are on their way! But now FedEx is emailing to say your packages may not arrive in time and referring you to updated tracking information. Or your retailer is sending you a shipping label for returns, or verifying your gifts are being sent … to a completely different address. Look closely before you click: These emails usually aren’t from who they say they are.

4. Counterfeit Apps

Is that really the Target app or just a lookalike? Better double-check before you download and enter your payment information. Apple’s App Store and Google Play have safeguards in place to stop counterfeit apps, but some still occasionally get through.

5. Gift Card Scams

These originally took the form of “You’ve won a free gift card! Click here to claim!” In recent years, however, they’ve become more targeted, and may appear to offer gift cards as a bonus from your employer or a holiday gift from a friend. The easiest way to avoid being scammed? If you weren’t expecting a gift card from someone, ask them about it.

6. Santa’s Little Helpers

There are many services designed to send your child a letter from Santa for a small fee. But many times, these so-called “Santas” are really cybercriminals attempting to get you to click on a link and enter your payment information. A recent variation has scammers offering kits designed to take the stress and mess out of your elf’s holiday shenanigans (just move your elf and call it good!).

While the holiday season offers more than its share of scams, many can be put on ice with a little extra due diligence. Keep these holiday best practices in mind, and have a safe and happy holiday!

Apache Log4j Remote Code Execution Vulnerability

Overview:

Apache Log4j is a Java-based logging utility that can be configured through a configuration file or through Java code. Apache Log4j provides many features, such as reliability, extensibility, support for multiple configuration formats (XML, JSON and YAML), excellent performance and more.

A JNDI Injection vulnerability has been reported in the JndiManager class of Apache Log4j. This vulnerability is due to improper handling of logged messages.

A remote, unauthenticated attacker who can control log message contents can exploit this vulnerability by sending a specially crafted parameter to the target application. Successful exploitation results in information disclosure or remote code execution.

CVE Reference:

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-44228.

Common Vulnerability Scoring System (CVSS):

The overall CVSS score is 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C).

Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:

  • Attack vector is network.
  • Attack complexity is low.
  • Privileges required is none.
  • User interaction is none.
  • Scope is changed.
  • Impact of this vulnerability on data confidentiality is high.
  • Impact of this vulnerability on data integrity is high.
  • Impact of this vulnerability on data availability is high.

Temporal score is 9.3 (E:F/RL:O/RC:C), based on the following metrics:

  • The exploit code maturity level of this vulnerability is functional.
  • The remediation level of this vulnerability is official fix.
  • The report confidence level of this vulnerability is confirmed.

Technical Overview:

The Java Naming and Directory Interface (JNDI) is a Java API for directory services that allows Java software clients to discover and look up data and resources (in the form of Java objects) by name. JNDI supports many services, including the Lightweight Directory Access Protocol (LDAP), the Domain Name System (DNS) and others. Apache Log4j supports performing many kinds of lookups, including JNDI lookups.

The JNDI lookup feature in vulnerable versions of Apache Log4j 2.x allows values to be substituted at arbitrary places in the Log4j configuration and log output. Log4j uses a special syntax of the form ${lookup_name:key}, where lookup_name is one of the supported lookups and key is the attribute to be evaluated. When an attacker includes the string ${ in a request and Log4j writes it into the log data, the lookup mechanism is invoked: it finds the text following ${ and attempts to replace it with the resolved value. For instance, ${env:COMPUTERNAME} becomes the actual computer name (e.g., TEST-PC), and ${env:AWS_ACCESS_KEY_ID} becomes the actual value of that AWS key.

JNDI lookups are enabled by default in the vulnerable versions of Log4j 2.x, and the inputs are not sanitized, which allows attackers to send maliciously crafted requests to any web server or application that uses Log4j. The application then responds with the evaluated strings.

The majority of attacks use the LDAP protocol, as in the publicly available proofs of concept, but attackers are also trying other protocols such as RMI, LDAPS, HTTP(S), DNS, IIOP, CORBA, NIS and NDS. Payloads are found in different sections of the HTTP request, such as the URI, query parameters, headers such as User-Agent and Referer, and the request body, because attackers want the payload logged by any path so that it is parsed by the vulnerable Log4j.

This vulnerability has become the most widely exploited in-the-wild vulnerability in recent times, and we are seeing a wide range of payload mutations as attackers try to evade the protection or detection in place, for example base64-encoded data. SonicWall has released multiple signatures to protect its customers.

Triggering the Problem:

  • The target must be running a vulnerable version of the software.
  • The attacker must have network connectivity to the vulnerable server.

Triggering Conditions:

The attacker sends a maliciously crafted parameter to the vulnerable server. The server logs the parameter using Log4j. The vulnerability is triggered when the server parses the JNDI lookup included in the log message.

SonicWall Capture Labs Threat Research is aware of the vulnerability in the Log4j Java-based logging library and has released the following IPS signatures to detect exploitation attempts related to CVE-2021-44228:

  • IPS: 2307 Apache Log4j2 JNDI Log Messages Remote Code Execution
  • IPS: 2067 Apache Log4j2 JNDI Log Messages Remote Code Execution LDAPS
  • IPS: 15732 Apache Log4j2 JNDI Log Messages Remote Code Execution NIS
  • IPS: 15733 Log4j2 JNDI Log Messages Remote Code Execution NDS
  • IPS: 15734 Apache Log4j2 JNDI Log Messages Remote Code Execution COBRA
  • IPS: 15735 Apache Log4j2 JNDI Log Messages Remote Code Execution RMI
  • IPS: 15736 Apache Log4j2 JNDI Log Messages Remote Code Execution IIOP
  • IPS: 15737 Apache Log4j2 JNDI Log Messages Remote Code Execution DNS 2
  • IPS: 2311 Apache Log4j2 JNDI Log Messages Remote Code Execution HTTP
  • IPS: 2315 Apache Log4j2 JNDI Log Messages Remote Code Execution DNS
  • IPS: 2328 Apache Log4j2 JNDI Log Messages Remote Code Execution HTTPS

Please note that if your web service/server is accessible over HTTPS, enabling Server DPI-SSL is necessary for the above signatures to detect exploits targeting this vulnerability.

SonicWall’s Web Application Firewall (WAF) provides protection against this threat:

  • WAF: 1116 Apache Log4j2 JNDI Log Messages Remote Code Execution

Remediation Details:

The risks posed by this vulnerability can be mitigated or eliminated by:

  • Enabling the IPS signatures listed above on SonicWall firewalls.
  • Enabling the WAF signature listed above.
  • Updating to a non-vulnerable version of the product or applying the vendor supplied patch.
  • Removing the JndiLookup class from the classpath.

The vendor has released the following advisory regarding this vulnerability:
Vendor Advisory

Cybersecurity News & Trends – 12-10-21

As the year winds down, SonicWall’s threat reports stand out as reliable sources for US and European news organizations wanting to show the scope of attacks this year. Industry News proves that the crisis continues, and IT managers worldwide are on alert. The International Monetary Fund (IMF) and ten countries conducted a simulated global attack on the global financial system (and the results were awful). In other news, a post-attack assessment reveals that the hackers saved the Irish Health System, Chinese hackers almost shut down power for three million Australians, and Lloyds of London quits cybersecurity insurance policies.


SonicWall in the News

Why Cybersecurity Must Be First

ARN Net (Australia): Why cybersecurity first should resonate with everyone is all over the news. Ransomware attacks rose to 304.6 million during the first six months of 2020, up 62% over 2019, according to our own widely quoted Mid-Year Update on the 2021 SonicWall Cyber Threat Report.

Retail’s Looming Holiday Threat: Ransomware

Politico: Part of a trend: Malware has long been a Black Friday and Cyber Monday concern. In 2019, security threat researchers at SonicWall estimated that cybergangs and individuals deployed 129.3 million malware attacks during the week of Thanksgiving, a 63 percent increase from the year before.

At EvCC, ‘The Wall’ Teaches Students How to Thwart Cybercrime

Herald NET: Everett college is the first in the nation to have a tool that can model cyber attacks aimed at vital infrastructure. During the first six months of 2021, there were more than 305 million attempted ransomware attacks compared to 306 million attempts in all of 2020, according to a mid-year 2021 SonicWall Cyber Threat report. Some three-quarters of those attempts targeted US organizations, the report said. “It’s gotten so bad that insurance companies are raising their rates on cyber liability coverage or dropping coverage altogether,” Hellyer said. “This sort of training is very important to our national and local security and economic interests.”

Do You Know Who is Responsible for Disaster Recovery in the Cloud?

MeriTalk: Ransomware is a disaster that isn’t rare. The 2021 SonicWall Cyber Threat Report found a 158% increase in ransomware attacks in North America in 2020. As a result, agencies that may have been slow to migrate to the cloud are now looking to the cloud as a cost-effective backup and disaster recovery solution to protect Federal systems against cyberattacks and data loss.

Ransomware Set To Break Records This Black Friday 2021

Information Security Buzz (Australia): Dmitriy Ayrapetov, Vice President Platform Architecture for SonicWall, offered expert commentary on cybercrime activity. He cited data from SonicWall’s recent threat reports, including 495 million global ransomware attacks logged this year to date, an increase of 148%.

12 Days of Phish-mas: A Festive Look at Phishing

Hashed Out: Experimenting with phishing examples using Microsoft products, the author received a fake request for a quote that contains a potentially malicious Microsoft Office file attachment. Office files, including Word docs and Excel spreadsheets, commonly spread malware and embedded phishing links via email. The author notes that SonicWall’s research shows that weaponized Microsoft Office files increased 67% in 2020.

Cybersecurity Terms & Definitions Integrators Should Know

CEPro: In the first six months of 2021, globally, the education sector saw a 615% spike in ransomware incidents compared to 151% across all industries, according to a study from SonicWall.

700M Attacks in 2021 and Counting: Can Businesses Fight the Ransomware Tsunami?

Toolbox: Asking whether businesses are not investing enough in technology or whether “organizational culture” is to blame, the writer expresses surprise at the enormous rise in breaches this year and cites SonicWall’s recently released Q3 Threat Report. From the scale of the attacks, we get a peek into how cybercriminals leverage ransomware as their weapon of choice to hit anyone.

SonicWall Applauded by Frost & Sullivan

Business Chief: SonicWall is recognized for delivering excellent and reliable cybersecurity tools to worldwide organizations. The publication also mentions that Frost & Sullivan recognized SonicWall’s industry-leading network firewall solutions that enhance organizational security, efficiency, and reliability.

The True Cost Of Rising Cyber Threats

Forbes: The actual cost of ignoring rising cyber threats and ‘being too late’ is not lost on today’s business leaders, and cybersecurity is annually rated as a top priority for company IT budgets. SonicWall predicted that by the end of 2021, the ransomware attack total would be near 714 million, a 134% year-on-year increase.

How to Cut Down on Data Breach Stress and Fatigue

Security Intelligence: If you’re tired of hearing the words ‘data breach’, you’re not alone. It’s looking like 2021 might end up becoming the year with the most ransomware attacks on record. In August, SonicWall reported that the global ransomware attack volume had increased 151% during the first six months compared to 2020.


Industry News

IMF, 10 Countries Simulate Cyberattack on Global Financial System

Reuters: The International Monetary Fund (IMF) along with the national banks from 10 countries simulated a major cyberattack on the global financial system. The program, called “Collective Strength,” was intended to increase global cooperation that could help minimize any potential damage to financial markets and banks. The simulated “war game,” as Israel’s Finance Ministry called it, was planned over the past year and evolved over ten days. The simulation ended with sensitive financial data emerging on the Dark Web and fake news reports that caused chaos in global markets and a run on banks. Participants in the initiative included treasury officials from Israel, the United States, the United Kingdom, the United Arab Emirates, Austria, Switzerland, Germany, Italy, the Netherlands and Thailand, as well as representatives from the International Monetary Fund, the World Bank and the Bank for International Settlements.

New Policy Gives Some Federal Agencies 24 Hours to Assess Major Cyberattacks

The Hill: A new policy recently rolled out by the White House gives certain federal agencies as little as 24 hours to assess the impact of a cyberattack and report the attack if it rises to a significant level of concern. According to a copy of the memo issued by the White House National Security Council (NSC), the policy applies to national security and intelligence agencies, including the FBI. The new policy gives agencies only 24 hours to report a cyberattack they assess as “a national security concern” to the White House.

The Irish Health System Was Saved By The Hackers

BBC: In March, someone working in the offices of the Irish Health Service Executive (HSE) opened a spreadsheet that had been sent to them by email two days earlier. The file was compromised with malware, and the gang behind it spent the next two months hacking their way through the networks and laying out data traps. There were multiple warning signs at work, but no investigation was launched, which meant IT managers missed a crucial opportunity to intervene. So, when the criminals unleashed their ransomware, the impact was devastatingly total. However, three months later, the attackers posted a link to a key so that the department managers could decrypt their files. The hackers gave no reasons, nor did they make any statements. Maybe the hackers had a change of heart; perhaps it was a test for something much worse. Nevertheless, this one act of mercy by the hackers allowed Irish health to embark on the road to recovery. According to an independent assessment report, without the decryption key, “it is unknown whether systems could have been recovered fully, or how long it would have taken to recover systems from back-ups, but it is highly likely that the recovery timeframe would have been considerably longer.”

Krebs: Cyberattacks Could Be Used To “Disrupt” Decision-Making

Axios: Former Cybersecurity and Infrastructure Security Agency Director Christopher Krebs told Axios at an event Thursday that America’s adversaries could use cyberattacks in the future to “disrupt” US decision-making. The big picture: Krebs, using China as an example, said that future cyber attacks could be part of “a larger, more complex approach by an adversary.” What he’s saying: “If things get hot in Taiwan, there’s a possibility that the Chinese government could use some sort of cyber capability to make us focus here rather than over there.”

Chinese Cyberattack Almost Shut Off Power for THREE MILLION Australians

Daily Mail: Chinese hackers came within minutes of shutting off power to three million Australian homes but were thwarted at the final hurdle. The Communist regime launched a ‘sustained’ ransomware attack on CS Energy’s two thermal coal plants in Queensland on November 27 – showing what Beijing could be capable of in a wartime scenario. There were panic stations within the energy firm as employees lost access to their emails and other critical internal data. IT specialists came up with a brilliant last-minute move to stop Beijing from gaining access by separating its corporate and operational computer systems. Once IT managers cut the network in half, hackers had no way of seizing control of the generators. Sources with knowledge of the hack attempt said the cyber-attackers were less than 30 minutes away from shutting down power.

Lloyd’s of London Calls it Quits for Cyber Insurance

CPO Magazine: Major insurance firm Lloyd’s of London has issued a bulletin indicating that its cyber insurance products will no longer cover the fallout of cyberattacks exchanged between nation-states. The insurer said last week that it would no longer cover damages from “cyber war” between countries and that this definition extends to operations that have a “major detrimental impact on the functioning of a state.” So, the looming question: if the cyber insurance firm no longer covers the fallout of digital war, do attacks on infrastructure count? Lloyd’s was quick to answer: No. The firm says that it no longer wants to deal in losses that result from “cyber war,” which the firm defines to include attacks that have a “major detrimental impact” on a state’s function, implying attacks on critical infrastructure.

The Top Data Breaches Of 2021

Security Magazine: A list of 2021’s top 10 data breaches and exposures and a few other noteworthy mentions. Particularly important is how the manufacturing and utilities sector was deeply impacted, with 48 compromises and a total of 48,294,629 victims. The healthcare sector followed, with 78 compromises resulting in more than 7 million victims. Other sectors that were hit resulted in 3.5 million victims, including financial services (1.6 million victims), government (1.4 million victims) and professional services (1.5 million victims). As SonicWall threat data has also shown, this is the year of the ransomware, and we still have four weeks to go!


In Case You Missed It

Zoho ManageEngine Arbitrary File Upload Vulnerability

Overview:

  ManageEngine ServiceDesk is an IT help desk platform that provides functionality to manage various aspects of an IT environment such as changes, incidents and assets, and also incorporates a standard ITIL framework. ManageEngine SupportCenter Plus is web-based customer support software that lets organizations effectively manage customer tickets, their account and contact information and their service contracts. The code and features of these two applications are extensively shared.

  An arbitrary file upload vulnerability has been reported in Zoho ManageEngine ServiceDesk Plus, ServiceDesk Plus MSP, and SupportCenter Plus. The vulnerability is due to an unspecified flaw related to the /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration.

  A remote attacker could exploit this vulnerability by sending crafted requests to the target server. Successful exploitation could allow the attacker to execute arbitrary code with privileges of SYSTEM.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-44077.

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.7 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.7 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  ManageEngine ServiceDesk/SupportCenter include features for configuring technician information. The IT help desk team comprises the help desk team manager, help desk agents, and technicians who handle the requests posted or raised by various requesters from different accounts. A user can add, edit or remove technicians in the application and also grant them the access privileges that suit their role and needs. A user can also view the list of technicians in a particular account and/or site by selecting the account from the Accounts combo box and the site from the Technicians for combo box. The feature relevant to understanding this vulnerability is importing technician information from a comma-separated (CSV) file into the application. Note that this is a legacy feature that is no longer available in either the unpatched (at least in the versions 11012 and 11012) or the patched version of the SupportCenter Plus application.

  This feature is accessible via the Apache Struts action ImportTechnicians defined in struts-config.xml, which is mapped to the request URL “/RestAPI/ImportTechnicians”. An unrestricted arbitrary file upload vulnerability exists in the ManageEngine ServiceDesk Plus, ServiceDesk Plus MSP and SupportCenter Plus products. The vulnerability is due to improper validation of the filename parameter.

  When a user sends a POST request to /RestAPI/ImportTechnicians with a Content-Type header of multipart/form-data, the execute method in the class com.adventnet.servicedesk.setup.action.ImportTechniciansAction is eventually called. The execute method uses the value of the filename attribute of the Content-Disposition header in the body of the request to write the contents of the file into the “\SupportCenterPlus\bin” or “\ServiceDesk\bin” directory (depending on the specific ManageEngine product).

  The uploaded file is not checked for the expected file extension which is “.csv”. Note that directory traversal is not possible as the Java classes org.apache.struts.upload.CommonsMultipartRequestHandler and org.apache.struts.upload.CommonsMultipartRequestHandler.CommonsFormFile from struts.core-1.3.11.jar are used by the application to remove from the filename parameter all characters before the last ‘/’ or ‘\’ character, before the vulnerable code in com.adventnet.servicedesk.setup.action.ImportTechniciansAction is reached.

  A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted request to the ImportTechnicians action to write or overwrite arbitrary files in the “\SupportCenterPlus\bin” or “\ServiceDesk\bin” directory (depending on the specific ManageEngine product). For instance, an attacker can overwrite the file jreCorrector.bat in this directory. This batch file is executed by the wrapper.exe executable during the startup of the product, and also during its shutdown. In addition, the ManageEngine ServiceDesk/SupportCenter products are by default started automatically as a Windows service during Windows startup (or after a Windows restart). Therefore, successful exploitation could result in arbitrary code execution with SYSTEM-level privileges.
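As an added example (not code from this advisory, SonicWall or ManageEngine), the following Python inspects a multipart POST to the ImportTechnicians action, applies the same basename trimming the text attributes to Struts, and flags any upload whose effective filename does not end in .csv; the request bytes are constructed samples and the host name is a placeholder.

```python
import re
from typing import Dict, List, Tuple

TARGET_PATH = "/RestAPI/ImportTechnicians"   # Struts action named in the advisory
ALLOWED_EXT = ".csv"                          # the only file type the importer expects

# filename="..." inside a multipart part's Content-Disposition header
_FILENAME = re.compile(
    r'Content-Disposition:\s*form-data;[^\r\n]*?filename="([^"\r\n]*)"', re.IGNORECASE)


def struts_basename(filename: str) -> str:
    """Keep only what follows the last '/' or '\\', mirroring the trimming the
    advisory attributes to Struts' CommonsMultipartRequestHandler: this is why
    directory traversal is not possible, but also why a .bat name survives."""
    cut = max(filename.rfind("/"), filename.rfind("\\"))
    return filename[cut + 1:]


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Minimal HTTP/1.1 request splitter: method, path (query dropped), headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target.split("?", 1)[0], headers, body


def inspect_upload(raw: bytes) -> List[Dict[str, str]]:
    """Return one finding per uploaded part of a multipart POST to the
    ImportTechnicians action whose effective filename is not a .csv."""
    method, path, headers, body = parse_request(raw)
    if method != "POST" or path != TARGET_PATH:
        return []
    if not headers.get("content-type", "").lower().startswith("multipart/form-data"):
        return []
    findings = []
    for match in _FILENAME.finditer(body.decode("latin-1")):
        supplied = match.group(1)
        effective = struts_basename(supplied)
        if not effective.lower().endswith(ALLOWED_EXT):
            findings.append({
                "supplied": supplied,
                "effective": effective,
                "reason": f"extension is not {ALLOWED_EXT}; file would land in the bin directory",
            })
    return findings


def sample_request(filename: str) -> bytes:
    """Constructed sample request (placeholder host, not captured traffic)."""
    return (
        b"POST /RestAPI/ImportTechnicians HTTP/1.1\r\n"
        b"Host: helpdesk.example.internal:8080\r\n"
        b"Content-Type: multipart/form-data; boundary=----sample\r\n"
        b"\r\n"
        b"------sample\r\n"
        b'Content-Disposition: form-data; name="file"; filename="' + filename.encode() + b'"\r\n'
        b"Content-Type: application/octet-stream\r\n"
        b"\r\n"
        b"name,email\r\n"
        b"------sample--\r\n"
    )


if __name__ == "__main__":
    for name in ("technicians.csv", "..\\..\\technicians.csv", "startup-task.bat"):
        print(name, "->", inspect_upload(sample_request(name)) or "ok")
```

The traversal-style name is reported as clean on purpose: after trimming it is still a .csv, which matches the advisory's point that the extension, not the path, is the unchecked part. Match the path case-insensitively and decode percent-encoding if your front end normalizes URLs.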

Triggering the Problem:

  • The target must be running a vulnerable version of the software.
  • The attacker must have network connectivity to the target server.

Triggering Conditions:

  The attacker sends a request to the vulnerable servlet on the target server. The vulnerability is triggered when the server processes the request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP, over port 8080/TCP

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 2302 ManageEngine Products ImportTechnicians Arbitrary File Creation

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Restricting access to the affected communication port to trusted hosts only.
    • Upgrading to a non-vulnerable version of the product when available.
    • Detecting and blocking malicious traffic using the signature above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory 1
  Vendor Advisory – ServiceDesk Plus MSP
  Vendor Advisory 2
  Vendor Advisory – ServiceDesk Plus
  Vendor Advisory 3

Feature rich Android banker masquerades as DHL parcel tracking app and uses Telegram API as a means of communication

The SonicWall Threats Research team observed Android malware masquerading as a DHL app. At the time of writing, this app is actively hosted on hxxp://dhl-getnextalert.duckdns.org and is downloaded as DHL.apk:

Application analysis

Android apk specifics:

The app requests a number of permissions, but some of them stand out when it comes to the privacy of a user:

  • CALL_PHONE
  • SHUTDOWN
  • WAKE_LOCK
  • RECEIVE_SMS
  • READ_SMS
  • SEND_SMS
  • REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
  • MODIFY_AUDIO_SETTINGS
  • READ_CONTACTS
  • WRITE_CALL_LOG
  • READ_CALL_LOG
  • WRITE_CONTACTS
  • REQUEST_DELETE_PACKAGES
  • RECEIVE_BOOT_COMPLETED
  • FOREGROUND_SERVICE

A vigilant user should take a step back and ask whether an app that claims to be a package delivery app like DHL needs permission to shut down a mobile device.

Once installed, the application requests accessibility permissions from the victim:

The malware shows the user a lengthy explanation of why the accessibility service should be granted:

Capabilities

This malware is well equipped to perform a number of operations, some of the capabilities include:

  • Dump SMS, call logs, contacts
  • Send SMS to all contacts (Can be used to spread to other devices)
  • Show a list of installed apps
  • Install and uninstall apps
  • Disable Google Play Protect
  • Open URL in browser
  • Forward SMS to Telegram Bot
  • Inject pages on the device (Can be used for phishing)
  • Read all notifications (Can be used to steal OTP)
  • Steal Google Authenticator codes
  • Steal Wifi password, credit card details
  • Hide app icon (Makes the malware stealthy)

Some of these capabilities are highlighted below:

  • The malware extracts and sends identifiers for the infected device, which include:
    • Brand
    • Model
    • Version
    • Serial

  • The malware can forward SMS messages received on the device to the attacker:

  • The malware can communicate with the attacker via Telegram:

  • The malware can steal Google Authenticator information:

  • The malware can monitor notifications displayed on the device. This trick can be used to steal OTP codes received by the victim:

Network Communication

Once the malware is executed on the device, it communicates with the attacker using Telegram. It reports the infection by announcing that a new device has installed the malware:

It then sends the details of the infected device:

One of the network exchanges sends a list of the commands that the malware supports:
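
Since the banker uses the Telegram Bot API both to report infections and to forward SMS, Bot API calls from a device that has no reason to run a bot are a usable network indicator. The Python below is an added example, not from the original post: it parses constructed proxy log lines in an assumed "<timestamp> <client> <verb> <url> <status>" layout (which presumes a TLS-inspecting proxy), recognises Bot API method calls, and summarises them per client while dropping the secret half of the bot token.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Telegram Bot API calls look like https://api.telegram.org/bot<bot_id>:<secret>/<method>.
BOT_API_PATH = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)$")

# Assumed proxy log layout: "<timestamp> <client_ip> <verb> <url> <status>".
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<verb>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

# Methods that push data to the operator's bot versus methods that fetch tasking.
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}
TASKING_METHODS = {"getUpdates"}


def parse_bot_api_call(url):
    """Return (bot_id, method) for a Telegram Bot API URL, or None for anything else.

    The secret half of the token is deliberately dropped so it never lands in a report.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname != "api.telegram.org":
        return None
    m = BOT_API_PATH.match(parts.path)
    if not m:
        return None
    return m.group("bot_id"), m.group("method")


def detect_bot_c2(log_lines, known_telegram_clients=frozenset()):
    """Summarise Bot API usage per client IP.

    Clients in known_telegram_clients (e.g. a host that legitimately runs a bot) are
    skipped. A client is marked c2_like when it pushes data to a bot, which is what
    the banker's infection report, device details and forwarded SMS look like on the wire.
    """
    per_client = defaultdict(lambda: {"bot_ids": set(), "exfil": 0, "tasking": 0, "other": 0})
    for line in log_lines:
        lm = LOG_LINE.match(line.strip())
        if not lm or lm.group("client") in known_telegram_clients:
            continue
        call = parse_bot_api_call(lm.group("url"))
        if call is None:
            continue
        bot_id, method = call
        rec = per_client[lm.group("client")]
        rec["bot_ids"].add(bot_id)
        if method in EXFIL_METHODS:
            rec["exfil"] += 1
        elif method in TASKING_METHODS:
            rec["tasking"] += 1
        else:
            rec["other"] += 1
    return {
        client: {**rec, "bot_ids": sorted(rec["bot_ids"]), "c2_like": rec["exfil"] > 0}
        for client, rec in per_client.items()
    }


# Constructed log lines; the bot token and chat id are placeholders, not real values.
SAMPLE_LOG = [
    "2021-12-03T10:00:01Z 10.0.0.12 POST https://api.telegram.org/bot1234567890:PLACEHOLDER_TOKEN/sendMessage?chat_id=111&text=New+device 200",
    "2021-12-03T10:00:02Z 10.0.0.12 POST https://api.telegram.org/bot1234567890:PLACEHOLDER_TOKEN/sendMessage?chat_id=111&text=brand%3DX 200",
    "2021-12-03T10:00:30Z 10.0.0.12 GET https://api.telegram.org/bot1234567890:PLACEHOLDER_TOKEN/getUpdates 200",
    "2021-12-03T10:00:31Z 10.0.0.7 GET https://www.dhl.com/en/tracking 200",
    "2021-12-03T10:00:32Z 10.0.0.7 GET https://api.telegram.org/ 404",
    "garbage line that does not match the layout",
]

if __name__ == "__main__":
    for client, summary in detect_bot_c2(SAMPLE_LOG).items():
        flag = "C2-LIKE" if summary["c2_like"] else "review"
        print(f"{client}: {flag} bots={summary['bot_ids']} exfil={summary['exfil']} tasking={summary['tasking']}")
```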

Network investigation

The domain name includes “dhl”, which indicates that it was created to spread DHL-themed malware. A VirusTotal graph gives more information about the connections between this domain and other malicious domains:

As the graph shows, a number of other malicious links hosted on duckdns.org use themes related to popular organizations. Some examples are listed below:

  • citi22bankonline.duckdns.org
  • jpmorgamrecovery.duckdns.org
  • citibank-security09.duckdns.org
  • kenzy-group87.duckdns.org
  • billoptusnet.duckdns.org
  • dhl-getnextalert.duckdns.org

A number of these domains have malicious ratings on VirusTotal.

Targets

The malware stores a large list of application names that it targets. We speculate that the malware detects the presence of these targeted apps and shows corresponding fake phishing pages for them, which can be used to steal login credentials, credit card information and other valuable data. The targeted apps fall into the following categories, listed with the number of targeted apps in each:

  • Cryptocurrency – 14
  • Social Media – 6
  • Mail – 8

The malware also targets a number of banks from different countries. Below is a list of countries and the number of targeted banks in each:

  • Australia – 17
  • Canada – 4
  • Germany – 14
  • Spain – 9
  • India – 11
  • Italy – 12
  • Netherlands – 5
  • Poland – 20
  • Russia – 22
  • Turkey – 18
  • United Kingdom – 12
  • United States – 23

Additional observations

The app contains misspelled identifiers such as Assablity, MainActivitryLoader and Reciever, which leads us to believe that it may have been created by non-English-speaking developers:

The directory structure, which is accessible on the server, contains interesting indicators:

  • A few files/directories have a last-modified date of 12/04/2021
  • One directory has a last-modified date of 08/07/2021, so we can assume the attackers have been working on this threat for at least the last 4 months

We found a hardcoded address at the location of the installed files on the infected device – hxxps://rikobot.xyz

In summary, this banking threat targets a large number of applications from multiple countries, is feature-rich with many capabilities under its belt, and communicates with the attackers via Telegram bots.

SonicWall Capture Labs provides protection against this threat using the signatures listed below:

  • AndroidOS.Telegram.BK
  • AndroidOS.Telegram.BK_1

Indicators of Compromise:

  • 6a729b0ac0fd14c2c5ee97018e61705e
  • 6a9f23b83c09d90d436163af3684c45d

Some of the targeted applications that are hardcoded in this malware are:

au.com.bankwest.mobile
au.com.cua.mb
au.com.ingdirect.android
au.com.mebank.banking
au.com.nab.mobile
au.com.suncorp.SuncorpBank
ch.protonmail.android
co.uk.Nationwide.Mobile
coinone.co.kr.official
com.abnamro.nl.mobile.payments
com.albarakaapp
com.anz.android.gomoney
com.aol.mobile.aolapp
com.att.myWireless
com.axis.mobile
com.bankinter.launcher
com.bankofbaroda.mconnect
com.bankofqueensland.boq
com.barclays.android.barclaysmobilebanking
com.bbva.netcash
com.bcu.bcu
com.bendigobank.mobile
com.binance.dev
com.bitfinex.mobileapp
com.btckorea.bithumb
com.btcturk.pro
com.chase.sig.android
com.cibc.android.mobi
com.citi.citimobile
com.citibank.mobile.au
com.clairmail.fth
com.coinbase.android
com.comarch.security.mobilebanking
com.csam.icici.bank.imobile
com.db.mm.norisbank
com.db.pwcc.dbmobile
com.ddengle.bts
com.denizbank.mobildeniz
com.dunamu.exchange
com.empik.empikapp
com.empik.empikfoto
com.facebook.orca
com.finansbank.mobile.cepsube
com.finanteq.finance.ca
com.firsttech.firsttech
com.fusion.ATMLocator
com.garanti.cepsubesi
com.getingroup.mobilebanking
com.google.android.gm
com.grppl.android.shell.BOS
com.grppl.android.shell.CMBlloydsTSB73
com.grppl.android.shell.halifax
com.idamob.tinkoff.android
com.idamobile.android.hcb
com.idbi.mpassbook
com.ifs.banking.fiid3364
com.ifs.banking.fiid8025
com.imb.banking2
com.imo.android.imoim
com.IndianBank.IndOASIS
com.infonow.bofa
com.infrasoft.uboi
com.ing.mobile
com.ingbanktr.ingmobil
com.instagram.android
com.konylabs.capitalone
com.korbit.exchange
com.kubi.kucoin
com.kutxabank.android
com.kuveytturk.mobil
com.latuabancaperandroid
com.lynxspa.bancopopolare
com.magiclick.odeabank
com.mail.mobile.android.mail
com.microsoft.office.outlook
com.mobikwik_new
com.mobile.banking.bnp
com.mobillium.papara
com.moneybookers.skrillpayments
com.moneybookers.skrillpayments.neteller
com.mycelium.wallet
com.navyfederal.android
com.openbank
com.oxigen.oxigenwallet
com.paxful.wallet
com.payeer
com.payoneer.android
com.paypal.android.p2pmobile
com.plunien.poloniex
com.Plus500
com.pnc.ecommerce.mobile
com.pozitron.iscep
com.rbc.mobile.android
com.rbs.mobile.android.natwest
com.rbs.mobile.android.rbs
com.rbs.mobile.android.ubn
com.regions.mobbanking
com.rsi
com.sbi.lotusintouch
com.sbi.SBIFreedomPlus
com.scotiabank.banking
com.snapchat.android
com.snapwork.hdfc
com.starfinanz.smob.android.sfinanzstatus
com.stripe.android.dashboard
com.suntrust.mobilebanking
com.targo_prod.bad
com.td
com.tdbank
com.teb
com.tecnocom.cajalaboral
com.tescobank.mobile
com.tmobtech.halkbank
com.touchin.perfectmoney
com.triodos.bankingnl
com.unicredit
com.unocoin.unocoinwallet
com.usaa.mobile.android.usaa
com.usbank.mobilebanking
com.vakifbank.mobile
com.vzw.hss.myverizon
com.wallet.crypto.trustapp
com.westernunion.android.mtapp
com.wf.wellsfargomobile
com.whatsapp
com.woodforest
com.yahoo.mobile.client.android.mail
com.ykb.android
com.ziraat.ziraatmobil
com.ziraatkatilim.mobilebanking
de.comdirect.android
de.commerzbanking.mobil
de.consorsbank
de.dkb.portalapp
de.fiduciagad.android.vrwallet
de.ingdiba.bankingapp
de.postbank.finanzassistent
de.santander.presentation
de.sdvrz.ihb.mobile.app
es.bancosantander.apps
es.cm.android
es.evobanco.bancamovil
es.lacaixa.mobile.android.newwapicon
eu.unicreditgroup.hvbapptan
finansbank.enpara
io.hotbit.shouy
it.bnl.apps.banking
it.bnl.apps.enterprise.bnlpay
it.bpc.proconl.mbplus
it.copergmps.rt.pf.android.sp.bmps
it.gruppocariparma.nowbanking
it.ingdirect.app
it.nogood.container
it.popso.SCRIGNOapp
kr.co.gopax
localbitcoin
logo.com.mbanking
modulbank.ru.app
nl.asnbank.asnbankieren
nl.snsbank.mobielbetalen
org.banksa.bank
org.bom.bank
org.stgeorge.bank
org.telegram.messenger
org.vystarcu.mobilebanking
org.westpac.bank
piuk.blockchain.android
pl.aliorbank.aib
pl.allegro
pl.bps.bankowoscmobilna
pl.bzwbk.bzwbk24
pl.bzwbk.ibiznes24
pl.ceneo
pl.com.rossmann.centauros
pl.ideabank.mobilebanking
pl.mbank
pl.millennium.corpApp
pl.orange.mojeorange
pl.pkobp.iko
pl.pkobp.ipkobiznes
posteitaliane.posteapp.apppostepay
ru.akbars.mobile
ru.alfabank.mobile.android
ru.alfabank.oavdo.amc
ru.avangard
ru.ftc.faktura.expressbank
ru.gazprombank.android.mobilebank.app
ru.mail.mailapp
ru.mkb.mobile
ru.mts.money
ru.mw
ru.ok.android
ru.raiffeisennews
ru.rosbank.android
ru.rshb.dbo
ru.sberbankmobile
ru.tutu.tutu_emp
ru.ucb.android
ru.vtb24.mobilebanking.android
ru.yandex.taxi
tr.com.hsbc.hsbcturkey
tr.com.sekerbilisim.mbank
uk.co.hsbc.hsbcukmobilebanking
uk.co.santander.santanderUK
uk.co.tsb.newmobilebank
us.hsbc.hsbcus
wit.android.bcpBankingApp.millenniumPL

Phishing campaigns make it easy to steal credentials

The SonicWall Capture Labs Threats Research team has been detecting an ongoing phishing campaign that deceives users by impersonating a genuine software platform and using its logo. Upon opening the PDF file, the user is shown an image with instructions on how to download a PDF invoice:

If the instructions in the PDF file are followed, a malicious URL is opened and the user is shown a genuine-looking webpage with options to select an email provider, such as Office365, in order to view the document:

Depending on the email provider chosen by the user, one of the following forms is displayed:

Upon entering credentials and clicking the log-in button, the user is shown an error saying “Incorrect username or password.”

However, in the background the malware author steals the credentials when the log-in button is clicked and sends them to a remote web server, using Cloudflare servers to stay anonymous, as shown below:

The PDF file is not detected by any vendor when checked on top threat intelligence sharing portals such as VirusTotal:

SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.

Indicators Of Compromise (IOC):

  • beb92babeedfc365857b1f8df2491de84c567e4fe090555cf9217a3075e1267e

A Record-Breaking Year for SonicWall’s Boundless Future

SonicWall experiences a fantastic year of accomplishments and growth – right in the middle of a global cybersecurity crisis!

Crisis often brings about growth in intuition, knowledge and skill. The cybersecurity industry has made tremendous strides over the past year amid record-breaking network breaches worldwide and a dramatic increase in cybercrime. But SonicWall in particular has proven itself more than equal to the challenges at hand, growing its product line, winning media recognition and earning third-party certifications and awards.

30 Years and More Boundless than Ever

2021 marked SonicWall’s 30th year as a major cybersecurity solutions provider. When the company — then called Sonic Systems — entered the firewall market, it had fewer than 40 employees. Today, the company serves more than 500,000 customers in more than 215 countries, including government agencies, organizations and enterprises.

During the year, SonicWall completed the rollout of a number of new solutions, including new NGFWs. These products represented the latest additions in the “Boundless” cybersecurity platform, designed to provide deployment choices to the customer while solving real-world use cases faced by SMBs, enterprises, governments and MSSPs.

SonicWall in the News

The Mid-Year Update to the SonicWall 2021 Cyber Threat Report, released in July, also made waves — and not just within the cybersecurity community. The update was cited in a number of news outlets, such as CNN and PBS News Hour. The Wall Street Journal drew on SonicWall’s threat data for a story about the record rise in ransomware and another about the arrest and extradition of a known criminal hacker. U.S. senators also used SonicWall threat data in their proposal for cybersecurity legislation.

As we noted recently in our weekly Cybersecurity News blog, these reports continue to be cited even months after their release, highlighting SonicWall’s role as an authority in cybersecurity research.

Certification with Flying Colors

During a year of unprecedented threats and attacks, SonicWall’s products have also earned their share of coverage, proving themselves more than capable of handling the increase in cybercriminal activity. Third-party evaluators conducted several tests during the year and found that SonicWall’s newly released NGFWs, combined with SonicWall protection software, are more efficient at keeping networks safe and stopping malware.

For example, in a recent Tolly Report, the SonicWall NSa 2700 showed a three-year total cost of ownership less than two-thirds of our nearest competitor’s model. In addition, the SonicWall NGFW was found to have three times the threat protection throughput and a “dramatically lower” cost per Gbps processed.

During testing by ICSA Labs, SonicWall TZ, NSa, NSsp and NSv firewalls flew through all testing certifications for enterprise firewalls and anti-malware protection. Additionally, SonicWall Capture Advanced Threat Protection (ATP) surpassed the lab’s Advanced Threat Defense testing regimen with a perfect score for the third time in a row.

Third-party testing also highlighted SonicWall’s patented RTDMI (Real-Time Deep Memory Inspection) technology, which can be found in our cloud-based ATP service. As reported in SonicWall threat reports, not only did RTDMI uncover 307,516 never-before-seen malware variants during the first three quarters of 2021, but the data also revealed that, during that time, cybercriminals released an average of 1,126 new malware versions per day. This sharp increase in variants has many security analysts worried about the rate at which cybercriminals have learned to diversify software and deploy new attacks.

An Award-Winning Year

SonicWall also racked up numerous awards during the year. For example, at the Globee 17th Annual 2021 Cybersecurity Global Excellence Awards, SonicWall received top honors from 10 technology categories, including advanced persistent threats, best security hardware, enterprise network firewalls and security management.

CRN recognized several SonicWall executives and managers in 2021, and it ultimately placed the company on its 2021 Edge Computing 100 list. This recognition is reserved for companies that excel in providing channel partners with the technology needed to build next-generation, intelligent edge cybersecurity solutions. Selection criteria include feedback from partner solution providers on the impact of cybersecurity companies, as well as these companies’ influence on the market and the types of technology and services they make available.

And to top it all off, Frost & Sullivan recently analyzed the global network firewall market and awarded SonicWall its 2021 Global Competitive Strategy Leadership Award for “Best Practices.”

Meeting the Boundless Future

The challenges from the past are where we accumulate our best understanding of where we must go in the future. However, the middle part between the past and the future is where we face our most significant challenges.

Today, even as the number of distributed workforces grows and hybrid cloud environments become a greater fixture in the network schema, SonicWall is helping businesses build around the blind spots found in conventional office-centric networks. If our year of accomplishment and growth is any indication, we’ve successfully embarked on a path that delivers more efficient and effective solutions.

Learn more about our shared boundless future, and let’s prosper together.

Cybersecurity News & Trends – 12-03-21

SonicWall’s widely quoted threat reports are still pulling in massive attention from the US and European news organizations, helped along by the Agence France-Presse (AFP). Several news outlets also noted SonicWall’s launch of the Gen7 NGFW products and winning the Frost & Sullivan’s 2021 Global Competitive Strategy Leadership Award. Meanwhile, in Industry News, the FBI netted international arrests by selling a “secure” communication app, damage from ‘Double-Extortion’ ransomware rises 935%, and civilians find themselves in the crossfire of a rising cyberwar between Iran and Israel.


SonicWall in the News

China’s Missile Turducken

Politico: In 2019, security threat researchers at SonicWall Capture Labs estimated that ransomware gangs deployed 129.3 million malware attacks during the week of Thanksgiving, a 63% increase from the year before.

700M Attacks in 2021 and Counting: Can Businesses Fight the Ransomware Tsunami?

Toolbox: Asking whether businesses are investing enough in technology or whether “organizational culture” is to blame, the writer expresses surprise at the enormous rise in breaches this year. They also cite SonicWall’s recently released Q3 Threat Report. From the scale of the attacks, we get a peek into how cybercriminals leverage ransomware as their weapon of choice to hit anyone.

SonicWall Applauded by Frost & Sullivan

Business Chief: SonicWall is recognized for delivering excellent and reliable cybersecurity tools to worldwide organizations. The publication also mentions that Frost & Sullivan recognized SonicWall’s industry-leading network firewall solutions that enhance organizational security, efficiency, and reliability.

The True Cost Of Rising Cyber Threats

Forbes: The actual cost of ignoring rising cyber threats and ‘being too late’ is not lost on today’s business leaders, and cybersecurity is annually rated as a top priority for company IT budgets. SonicWall predicted that by the end of 2021, the ransomware attack total would be near 714 million, a 134% year-on-year increase.

Frost & Sullivan recognizes SonicWall

Yahoo Finance: Based on its recent analysis of the network firewall market, Frost & Sullivan recognizes SonicWall with the Frost & Sullivan’s 2021 Global Competitive Strategy Leadership Award for redefining and leading the network market roadmap.

Did the Cybersecurity Stakes Get Even Higher in 2021?

Government Technology: In 2021, cybersecurity will get more serious. Already a growing threat, ransomware exploded, with attacks becoming more frequent and costly. The volume of ransomware attacks against US targets rose 185 percent year over year in the first half of 2021, according to Internet security solutions provider SonicWall.

SonicWall’s new firewall models protect enterprises from the most advanced cyberattacks

ITWire: SonicWall adds three new firewall models— NSa 5700, NSsp 10700, and NSsp 11700—to its Generation 7 cybersecurity evolution, touted to be the most extensive product launch in the company’s 30-year history.

How to Cut Down on Data Breach Stress and Fatigue

Security Intelligence: If you’re tired of hearing the words ‘data breach’, you’re not alone. It’s looking like 2021 might end up becoming the year with the most ransomware attacks on record. In August, SonicWall reported that the global ransomware attack volume had increased 151% during the first six months compared to 2020.

SonicWall’s new firewalls: Trimmed for throughput

Market Research Telecast: SonicWall adds three firewalls, the NSa 5700, NSsp 10700 and NSsp 11700, to its cybersecurity portfolio for MSSPs (Managed Security Service Providers). The design goal of the new products was primarily performance.

Act now to protect yourself against cybercrime, says former hacker Marshal Webb

Daily Record (UK): Cybercrime is a fast-growing threat to every organisation online. According to the 2021 SonicWall Cyber Threat Report, in the first half of this year, there were 304.7 million ransomware threats – a rise of more than 150% on the same time last year. Former hacker turned cybersecurity expert Marshal Webb is calling for organisations to protect themselves and their customers.

Cryptocrimes Proliferate: Ransomware, New Threat Campaigns

BankInfo Security: The cryptocurrency sector has witnessed ransomware incidents, malware campaigns and a cryptocurrency address-altering attack. SonicWall security researcher Dmitriy Ayrapetov said, “The new campaign is another example of how relentless cybercriminals are in their search for profit.”

Tech 2022 trends: Meatless meat, Web 3.0, Big Tech battles

AFP, Dunyan News (India): Cybersecurity company SonicWall wrote in late October: “With 495 million ransomware attacks logged by the company this year to date, 2021 will be the most costly and dangerous year on record.”

Trends for 2022: Big Tech battles

AFP, Manila Times (Philippines): The spike toward record ransomware attacks and data leaks in 2021 looks likely to spill over into the coming year. Cybersecurity company SonicWall wrote in late October: “With 495 million ransomware attacks logged by the company this year to date, 2021 will be the most costly and dangerous year on record.”

Tech 2022 trends: Web 3.0 and crypto, Big Tech battles

AFP, ET Telecom (India): After a year that made the terms like ‘work from home’ and metaverse instantly recognizable, cybersecurity company SonicWall reported that 495 million ransomware attacks were logged by the company this year. They said that “2021 will be the most costly and dangerous year on record.”


Industry News

How a Complicated Cybersecurity Story Got More Complicated

Slate: In one of the more unusual cybersecurity policing stories of the past year, the FBI announced in June that it had created its own company, called ANOM, to sell devices with a pre-installed encrypted messaging app to criminals. They marketed the ANOM app as providing end-to-end encrypted messaging, comparable to the security protections offered by services like Signal, WhatsApp, and iMessage. However, the messages were intercepted by law enforcement, which had designed the app for precisely that purpose. The effort’s success surprised even the FBI with more than 12,000 ANOM devices and services sold. The operation, named Operation Trojan Shield, led to the arrests of 800 people worldwide along with the seizure of contraband, 250 firearms, and more than $48 million.

Ransomware attack on Planned Parenthood steals data of 400,000 patients

Ars Technica: Hackers broke into a Planned Parenthood network and accessed medical records or sensitive data for more than 400,000 patients. The organization says that the intrusion and data theft were limited to Planned Parenthood’s Los Angeles chapter patients. Organization personnel first noticed the hack on October 17 and investigated.

‘Double-Extortion’ Ransomware Damage Skyrockets 935%

Threat Post: The ransomware business is booming, and researchers say that inadequate corporate security and a flourishing ransomware-as-a-service (RaaS) affiliate market are to blame. Access to compromised networks is cheap, thanks to a rise in the number of initial-access brokers, and RaaS tools can turn everyday petty crooks into full-blown cybercriminals in an afternoon for just a few bucks.

New Ransomware Variant Could Become Next Big Threat

Dark Reading: Yanluowang is one among numerous new ransomware variants that have surfaced this year. Just this week, Red Canary researchers reported observing a threat actor exploiting the ProxyShell set of vulnerabilities in Microsoft Exchange to deploy a new ransomware variant called BlackByte, which others, such as TrustWave’s SpiderLabs, have recently warned about as well.

Israel and Iran Broaden Cyberwar to Attack Civilian Targets

New York Times: Iranians couldn’t buy gas. Israelis found their intimate dating details posted online. As a result, the Iran-Israel shadow war is now hitting ordinary citizens. Millions of ordinary people in Iran and Israel recently found themselves caught up in the crossfire of a cyberwar between their countries. The escalation comes as American authorities have warned of Iranian attempts to hack hospitals’ computer networks and other critical infrastructure in the United States. As hopes fade for a diplomatic resurrection of the Iranian nuclear agreement, such attacks are only likely to increase.


In Case You Missed It

Microsoft Exchange Server HandleBackEndCalculationException Vulnerability

Overview:

  Microsoft Exchange Server is an ASP.NET implementation of an email and calendaring server and is capable of handling most standard Internet protocols as well as numerous proprietary Microsoft protocols and formats. Microsoft Exchange Server provides web access for users to various components such as Outlook Web Access and Autodiscover. Autodiscover is a component that allows clients to automatically discover the Exchange settings for the client without requiring users to know specific server addresses.

  A reflected cross-site scripting vulnerability has been reported in Microsoft Exchange Server. The vulnerability is due to insufficient sanitization of incoming request parameters reflected in exception messages returned by the server.

  A remote attacker can exploit this vulnerability by enticing a target user into clicking a malicious link. Successful exploitation could result in arbitrary script execution in the target user’s browser.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-41349.

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C).

  Base score is 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is required.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.6 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  When any Exchange module receives an HTTP request, it is eventually handled by the OnPostAuthorizeInternal() method of the ProxyModule class in Microsoft.Exchange.FrontEndHttpProxy.dll. In the case the request is not authenticated, the SelectHandlerForUnauthenticatedRequest() method is then called which checks the value of the HttpProxy.ProtocolType property to determine which module the request was received by and decide which specific ProxyRequestHandler class to instantiate in order to handle the request. In the case that the request is received by the Autodiscover module (i.e. the request-URI begins with “/autodiscover”) HttpProxy.ProtocolType is set to “Autodiscover” and as a result SelectHandlerForUnauthenticatedRequest() creates an AutodiscoverProxyRequestHandler object as the handler for the request.

  Once the handler is chosen, the Run() method of the ProxyRequestHandler object is called which applies the handler to the HttpContext object for the request with the RemapHandler() method. The request is then processed with the BeginProcessRequest() method which queues a call to the BeginCalculateTargetBackEnd() method in the thread pool. BeginCalculateTargetBackEnd() calls InternalBeginCalculateTargetBackEnd() which attempts to resolve the anchor mailbox location for the request. The resolution is performed by first calling TryDirectTargetCalculation(), which returns null because this is the default method behaviour and the method is not overridden by AutodiscoverRequestHandler or any of its parent classes. InternalBeginCalculateTargetBackEnd() then calls ResolveAnchorMailbox() which is overridden in AutodiscoverRequestHandler and its parent classes EwsAutodiscoverProxyRequestHandler and BEServerCookieProxyRequestHandler.

  AutodiscoverRequestHandler.ResolveAnchorMailbox() only handles autodiscover requests with a request-URI containing “/wssecurity/x509cert” and otherwise calls EwsAutodiscoverProxyRequestHandler.ResolveAnchorMailbox(). This method inspects the request-URI to see if it corresponds to a specific type of autodiscover request. If the request path ends with “/autodiscover.json” it is considered an “autodiscover V2 preview request” and if this is the case, an explicit logon address is retrieved from the Email HTTP query, form field, or cookie value. When attempting to retrieve the value from HTML form fields, the ValidateHttpValueCollection() method is called to validate the form fields. In turn, this method calls ValidateString() on each form field.

  Each field is checked by calling System.Web.Util.RequestValidator.IsValidRequestString(), which calls System.Web.CrossSiteScriptingValidation.IsDangerousString() with the form field value. This method considers the value dangerous if it contains either (1) '<' followed by a letter, '!', '/', or '?'; or (2) the sequence "&#". If the form field value is considered dangerous, the ValidateString() method throws an HttpRequestValidationException. This exception's message contains the form field name and its truncated value.

  If an HttpRequestValidationException exception is thrown, it is caught by the method BeginCalculateTargetBackEnd() and the exception is handled by HandleBackEndCalculationException(). This exception is eventually handled by the method HandleHttpException(), which returns the exception message as the HTTP response, without encoding the message contents.
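
As an added illustration (not code from the advisory or from Exchange), the Python below models the path described above: is_dangerous_string() follows the rule given for IsDangerousString(), the validation exception echoes the field name and value, and the vulnerable handler writes that message to the response unencoded while the fixed handler HTML-encodes it first. The exception wording and the truncation length are assumptions.

```python
import html

# Assumption: the real exception truncates the echoed value; the exact length is not given above.
TRUNCATE_AT = 16


def is_dangerous_string(value):
    """Mirror of the IsDangerousString() rule described above.

    Dangerous if '<' is followed by a letter, '!', '/' or '?', or if the value
    contains the sequence '&#'. Anything else passes, e.g. 'a < b'.
    """
    for i, ch in enumerate(value):
        if ch == "<" and i + 1 < len(value):
            nxt = value[i + 1]
            if nxt.isalpha() or nxt in "!/?":
                return True
        if ch == "&" and value[i:i + 2] == "&#":
            return True
    return False


class RequestValidationError(Exception):
    """Stands in for HttpRequestValidationException; wording modelled on ASP.NET's (assumption)."""

    def __init__(self, field, value):
        shown = value if len(value) <= TRUNCATE_AT else value[:TRUNCATE_AT] + "..."
        super().__init__(
            f'A potentially dangerous Request.Form value was detected from the client ({field}="{shown}").'
        )


def validate_form(form):
    """ValidateHttpValueCollection() analogue: raise on the first dangerous field."""
    for field, value in form.items():
        if is_dangerous_string(value):
            raise RequestValidationError(field, value)
    return form


def handle_request_vulnerable(form):
    """HandleHttpException() as described: the message becomes the body without encoding."""
    try:
        validate_form(form)
        return 200, "OK"
    except RequestValidationError as exc:
        return 400, str(exc)


def handle_request_fixed(form):
    """Same flow, but the message is HTML-encoded before it is written to the response,
    so the reflected field value can no longer be interpreted as markup."""
    try:
        validate_form(form)
        return 200, "OK"
    except RequestValidationError as exc:
        return 400, html.escape(str(exc))


if __name__ == "__main__":
    # A harmless tag is enough to show the difference; the value is constructed.
    probe = {"Email": "<b>demo"}
    print("vulnerable:", handle_request_vulnerable(probe))
    print("fixed:     ", handle_request_fixed(probe))
    print("clean:     ", handle_request_fixed({"Email": "user@example.com"}))
```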

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The attacker must be able to deliver a malicious URL to the target user.

Triggering Conditions:

  An attacker entices a user to open a page that redirects the user to a malicious URL. The vulnerability is triggered when the server parses the crafted request and returns a page containing injected JavaScript code to the target user’s browser.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTPS, over port 443/TCP

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 15711 Microsoft Exchange Server Spoofing Vulnerability (CVE-2021-41349)

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Applying the vendor supplied patch resolving the vulnerability.
    • Upgrading to a version unaffected by the vulnerability.
    • Detecting and filtering malicious traffic using the signature above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

WordPress websites plagued by fake ransomware

A number of WordPress websites have been infected with what appeared to be ransomware. The infected websites show a warning on their homepage saying the site has been encrypted and listing a bitcoin address to which payment should be sent to restore the site. Further analysis found that the warning was fake and was only meant to scare site owners into paying.

Infection details:

Infected websites show a warning on their homepage:

This warning turned out to be bogus: it is just a simple HTML page.

It also includes a simple script that adds a countdown timer to create a sense of urgency and make the warning more believable.

An infected directorist_base.php appears to be responsible for the bogus warning page, but nothing was actually encrypted.

directorist_base.php

Another file named “azz_encrypt.php” is referenced, but it cannot be found on the system. Given the filename, it is presumably meant to encrypt the system.

azz_encrypt.php

These compromised websites suffered no serious damage; the cybercriminals just wanted a quick buck from a simple hack. However, the fact that they were able to gain access and deploy this rather effortless scheme means they could have done far more damage with more sophisticated malware.

A quick Google search for the phrase “FOR RESTORE SEND 0.1 BITCOIN:” turns up quite a few websites infected with this malware. However, it appears that none of the owners were scared enough to pay, since the bitcoin address specified in the warning has not received any payment yet.

3BkiGYFh6QtjtNCPNNjGwszoqqCka2SDEc
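
To find further copies of this tampering on a hosted site, the following Python walks a WordPress document root and flags files carrying the indicators described above: the ransom phrase, the bitcoin address, a reference to azz_encrypt.php, or one of the two file names involved. It is an added example, not part of the original post, and the site it scans is a constructed temporary tree.

```python
import os
import re
import tempfile

# Indicators taken from the fake-ransomware page described above.
INDICATORS = {
    "ransom_phrase": re.compile(r"FOR RESTORE SEND 0\.1 BITCOIN:"),
    "btc_address": re.compile(r"3BkiGYFh6QtjtNCPNNjGwszoqqCka2SDEc"),
    "encrypt_stub_ref": re.compile(r"azz_encrypt\.php"),
}
# File names involved in the infection described above.
SUSPECT_FILENAMES = {"directorist_base.php", "azz_encrypt.php"}
SCAN_EXTENSIONS = (".php", ".html", ".htm", ".js")


def scan_site(root):
    """Walk a WordPress document root; return one finding per file matching any indicator."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            if not fn.endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
            if fn in SUSPECT_FILENAMES:
                hits.append("suspect_filename")
            if hits:
                findings.append({"path": os.path.relpath(path, root), "indicators": sorted(hits)})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_site(root):
    """Constructed WordPress-like tree: one tampered plugin file and one clean file."""
    plugin_dir = os.path.join(root, "wp-content", "plugins", "constructed-plugin")
    os.makedirs(plugin_dir, exist_ok=True)
    with open(os.path.join(plugin_dir, "directorist_base.php"), "w", encoding="utf-8") as fh:
        fh.write(
            "<?php\n"
            "// constructed sample of the bogus warning page, not the real file\n"
            "echo '<h1>SITE ENCRYPTED</h1>';\n"
            "echo 'FOR RESTORE SEND 0.1 BITCOIN: 3BkiGYFh6QtjtNCPNNjGwszoqqCka2SDEc';\n"
            "// include 'azz_encrypt.php';\n"
        )
    with open(os.path.join(root, "index.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php\n// clean front controller (constructed)\nrequire __DIR__ . '/wp-blog-header.php';\n")
    return root


def scan_sample_site():
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return scan_site(root)


if __name__ == "__main__":
    for finding in scan_sample_site():
        print(finding["path"], "->", ", ".join(finding["indicators"]))
```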

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV:FakeWP.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.