Cybersecurity News & Trends

Bringing you curated cybersecurity news and trends from leading news outlets and bloggers that monitor IT security worldwide.

The Mid-Year Update to the 2022 SonicWall Cyber Threat Report was released and ink was flying off the presses. Among the highlights were stories by the Financial Times, Axios and CoinDesk. We also got excellent coverage in Dubai and India.

Industry News is always extremely active. Tech Radar revealed that hackers are hijacking Microsoft servers to boost their proxies. According to The Verge, Microsoft is blocking macros on one of its older mainstay products by default. Hacker News reports that a critical Atlassian Confluence vulnerability is under active exploitation. According to Bank Info Security, phishing-as-a-service just turned into a cut-rate business deal. Tech Republic says new variants of “infostealer malware” target Facebook and LinkedIn business accounts to harvest sensitive data. CRN and Bleeping Computer suspect there’s more going on with the Entrust data breach than has been released. And finally, for our Big Read from Dark Reading, Hacker News and Bleeping Computer, we are witnessing the rise of container attacks.

Stay cautious. And remember that cybersecurity is everyone’s business. Be safe out there!

SonicWall News

What Is Cryptojacking, The Cyber Attack Carried Out by Crypto Miners?

IndianExpress, SonicWall News: ‘Cryptojacking’ attacks on computer systems have gone up by 30% to 66.7 million in the first half of 2022 compared to the first half of last year, according to a report by SonicWall, a US-based cybersecurity firm. “While volume increases were widespread, some business sectors were hit harder than others, such as the finance industry, which saw a rise of 269%,” the report said.

Record Number Of ‘Never-Before-Seen’ Malware Variants Discovered

IPT-Net (Dubai), SonicWall News: SonicWall’s patented Real-Time Deep Memory Inspection (RTDMI) technology identified 270,228 never-before-seen malware variants during the first half of 2022 — a 45% increase year-to-date. The first quarter of 2022 marked a record-high in never-before-seen malware discoveries (147,851), with March 2022 being the most ever on record (59,259).

A Seismic Shift in Cyber Arms Race

MenaFN (Dubai), SonicWall News: SonicWall, publisher of the world’s most quoted ransomware threat intelligence, today released the mid-year update to the 2022 SonicWall Cyber Threat Report. The newest report, researched and compiled by SonicWall Capture Labs, unveils an 11% increase in global malware, a 77% spike in IoT malware, a 132% rise in encrypted threats and a geographically driven shift in ransomware volume as geopolitical strife impacts cybercriminal activity.

IoT Malware Attack Volume Up 123% in Healthcare

Health IT Security, Threat Report: SonicWall’s newly released mid-year report saw a global decrease in traditional ransomware attacks, but researchers also observed a 123% increase in IoT malware attack volume in healthcare. “Cybercrime has been a global phenomenon for decades,” Bill Conner, president and CEO of SonicWall, stated in the report.

“But with geopolitical forces accelerating the reconfiguration of the world’s cyber frontlines, the true danger presented by threat actors is coming to the fore — particularly among those that once saw the smallest share of attacks.”

India’s Malware Hits Are Up By 34%, 2nd Highest Globally

The Hans India, SonicWall News, Bill Conner quoted: The newest report, researched and compiled by SonicWall Capture Labs, unveils an 11% increase in global malware, a 77% spike in IoT malware, a 132% rise in encrypted threats and a geographically driven shift in ransomware volume as geopolitical strife impacts cybercriminal activity. “In the cyber arms race, cybersecurity and geopolitics have always been inseparably linked, and in the last six months we have seen that play out across the cyber landscape,” said SonicWall President and CEO Bill Conner.

FT Cryptofinance: US Regulators Vie for Crypto Control

The Financial Times, Bill Conner quoted: “It’s still financial crime but it’s certainly not getting the attention from law enforcement,” SonicWall’s president Bill Conner told me, adding that cryptojacking is “every bit as serious as ransomware” and that “law enforcement has to start having a focus on it.”

‘Cryptojacking’ Targeting Retail, Financial Sector Skyrockets

CoinDesk TV, SonicWall News: The number of “cryptojacking” cases across the financial sector has risen by 269% in the first half of 2022, according to SonicWall. The cybersecurity firm’s report also shows cyberattacks targeting the finance industry are now five times higher than attacks on retail. SonicWall President Bill Conner joins “First Mover” with details on the report.

Everything You Need to Know About Crypto-Jacking as It Surges to Record High

Proactive Investors, SonicWall News: Global crypto-jacking volumes rose by US$66.7mln, compared with the first half of 2021, to its highest level on record, according to American cybersecurity company SonicWall.

Ransomware Attacks Decline Amid Crypto Downturn

Axios, Immanuel Chavoya Quote: “For ransomware, we’re seeing correlation that’s in line with crypto markets,” Immanuel Chavoya, threat detection and response strategist at SonicWall, tells Axios. “Someone has changed the locks on your house, and you have to pay a fee to get back in,” he said, describing a typical ransomware attack.

Cryptojacking On the Rise Despite Market Slump

Cryptopolitan, SonicWall News: Over the years, cryptojacking has been used as one of the few methods to mine illegal crypto from unsuspecting users. This is because the hackers chance upon back door access via hacking the computer to mine crypto. However, in the last few months, reports have claimed that cryptojacking has skyrocketed to new highs. In a new report that SonicWall uploaded, crimes associated with cryptojacking worldwide have touched $66.7 million in the first half of this year.

SonicWall Accelerates Next Phase of Growth While Continuing to Drive Record Performance

Sales Tech Series, SonicWall News: SonicWall announced a change in its executive leadership as President and Chief Executive Officer Bill Conner takes on the role of Executive Chairman of the SonicWall Board. Former Chief Revenue Officer Bob VanKirk has been promoted to President and CEO to lead next growth phase.

How AI Will Extend the Scale and Sophistication of Cybercrime

TechMonitor, Bill Conner Quote: In addition to these individual methods, cybercriminals are using AI to help automate and optimize their operations, says Bill Conner, CEO of cybersecurity provider SonicWall. Modern cybercriminal campaigns involve a cocktail of malware, ransomware-as-a-service delivered from the cloud, and AI-powered targeting. These complex attacks require AI for testing, automation and quality assurance, Conner explains. “Without the AI it wouldn’t be possible at that scale.”

Eyes In the Sky: How Governments Can Have Oversight Over Their Networks

GovInsider, SonicWall Mention: As the Covid-19 pandemic dramatically accelerated digital transformation among governments, they faced a significantly increased level of cyber-risk. In 2021, the number of ransomware attacks more than doubled from the number carried out in 2020, rising 105 per cent, according to a 2022 Cyber Threat Report by US cybersecurity company SonicWall.

Industry News

Hackers are Hijacking Microsoft Servers to Boost Proxies

TechRadar: Hackers are installing malware on Microsoft SQL servers to monetize the endpoints’ bandwidth. According to findings from Ahnlab and researchers at the South Korean firm ASEC, this type of malware, called proxyware, lets the attacker not only re-sell the bandwidth to other people but also access the victim’s email account. Hackers can also install another strain on vulnerable Microsoft SQL servers that threat actors use to steal corporate data. IT departments are advised to verify that only legitimate processes are consuming their bandwidth. Individuals tempted to earn money by installing proxyware on their own systems are also cautioned that they risk being abused by cybergangs and freelancers.

Microsoft Office Is Blocking Macros by Default

The Verge: There’s been some back and forth since Microsoft’s original announcement, but this week the company made it clear with an update to Microsoft Office that blocks Visual Basic for Applications (VBA) macros in downloaded documents. Microsoft had temporarily rolled back the precaution, which stops infected macros from running automatically. The new default setting is now rolling out, with updated wording that tells users and administrators what options they have when they try to open a file and it is blocked. The block applies when Windows, on the NTFS file system, marks a file as downloaded from the internet rather than from a network drive or a site that administrators have marked as safe. For now, Microsoft isn’t changing anything on other platforms such as Mac, Office on Android/iOS, or Office on the web.

Critical Atlassian Confluence Vulnerability Under Active Exploitation

Hacker News: Atlassian, which makes the Confluence team collaboration suite, has warned customers of a significant vulnerability in the ‘Questions For Confluence’ app, though not every company uses this capability. The vulnerability, tracked as CVE-2022-26138, concerns a hard-coded password in the app that a remote, unauthenticated attacker could exploit to gain unrestricted access to all pages in Confluence. In layperson’s terms, when companies migrate data to the Confluence Cloud the app creates an account in the users’ group with a hard-coded password, and that password is easy to find, letting anyone who has it view and edit non-restricted messages.

Phishing-as-a-Service Platform Offers Cut-Rate Prices

Bank Info Security: A rising cybercrime syndicate has decided it’s easier to sell phishing kits than to teach other cybercriminals to hook victims themselves, charging as little as $50 a month for a simple campaign. Calling themselves “Robin Banks,” the novel phishing-as-a-service platform targets financial institutions in Canada, the U.S., the U.K. and Australia. Researchers at IronNet say the site not only has email and text phishing kits aimed at Bank of America, CapitalOne, Citibank, Lloyds Bank and Wells Fargo, but also templates customers can use to phish the passwords of Google, Microsoft, T-Mobile and Netflix users. One example of a scam is a text message, purporting to be from a bank, alleging unusual activity on the recipient’s debit card; victims are asked to click a link to verify their identity. Hackers can sign up for the service for around $200 a month.

Infostealer Malware Targets Facebook Business Accounts to Capture Sensitive Data

TechRepublic: Facebook is often in the crosshairs of malware campaigns. A new attack analyzed by cybersecurity provider WithSecure Intelligence targets Facebook business users with the intent of stealing their sensitive data and taking over their accounts. Organizations that use Facebook’s Ads and Business platforms are being cautioned, according to researchers at WithSecure. The report says the hackers are targeting and phishing employees on LinkedIn who likely have high-level access to their company’s Facebook Business account. Those employees are tricked into downloading malware, which the hackers use to get into Facebook Business accounts. Victims may have managerial, digital marketing and HR titles. Employees need to be cautious about clicking attachments in LinkedIn messages. In addition, administrators need to watch their Facebook Business accounts closely for suspicious downloading activity.

Hackers Stole ‘Some Files’ During Recent Data Breach

CRN: Security vendor Entrust is confirming that hackers breached its network last month, accessing its systems used for internal operations and stealing some files. Minneapolis-based Entrust, which describes itself as a global leader in identities, payments, and data protection, was conspicuously quiet on Tuesday about what exactly was stolen during the June 18 breach. Entrust customers, which include governments and businesses, were told earlier this month. However, it isn’t known if only Entrust corporate data was stolen or if customer data was also involved in the data breach.

In a startling revelation for the Entrust breach, Bleeping Computer claims that a well-known ransomware gang is behind the attack and that they purchased compromised Entrust credentials and used them to breach their internal network. If Entrust does not pay the ransom demand, we will likely learn what ransomware operation was behind the attack and other details when the hackers publish the stolen data.

BIG READ: Rise of the Container Attacks

Multiple Sources: Dark Reading reports that hackers have sharply reduced the use of one of their favorite malware distribution tactics following Microsoft’s decision earlier this year to disable Office macros in documents downloaded from the internet. However, container files have risen to help cyber attackers get around the issue. This pivot is clear: In the months since Microsoft’s Oct. 21 announcement that it would disable macros by default, there’s been a 66% decline in threat actor use of VBA and XL4 macros, according to Proofpoint.

As evidence of the emerging tactic, Hacker News notes a flurry of previously unknown variants of the Qakbot malware that appear to be a Microsoft write file but can also arrive with multiple URLs and unusual file extensions (e.g., OCX, ooccxx, dat, gyp) to deliver the payload. Other methods adopted by the group include code obfuscation and new layers in the attack chain between initial compromise and execution. The malware also goes by several other names, including QBot, QuackBot and Pinkslipbot. It has been a recurring threat since late 2007, evolving from its early days as a banking trojan into a modular information stealer capable of deploying next-stage payloads.

Bleeping Computer says QakBot and its variants have been abusing a DLL hijacking flaw in Windows Calculator to infect computers, which also helps the malware evade detection by security software. When the Calculator executable is launched, it looks for a library by name in its own folder, finds the malicious DLL placed there under that name, and loads it instead of the legitimate one, infecting the computer. Victims fooled into clicking an infected attachment download a password-protected ZIP file that appears to be an Acrobat PDF document; the attackers supply the password in the lure. When opened, the package delivers the malware.

We’re constantly reminding managers and employees about the dangers of clicking unexpected attachments and links, whether they arrive by email or through social media. There are tools available now that can readily spot these kinds of attacks.

In Case You Missed It

CoinDesk TV Covers Cryptojacking with Bill Conner – Bret Fitzgerald

First-Half 2022 Threat Intelligence: Geopolitical Forces Rapidly Reshaping Cyber Frontlines – Amber Wolff

2022 CRN Rising Female Star – Bret Fitzgerald

Enhance Security and Control Access to Critical Assets with Network Segmentation – Ajay Uggirala

Three Keys to Modern Cyberdefense: Affordability, Availability, Efficacy – Amber Wolff

BEC Attacks: Can You Stop the Imposters in Your Inbox? – Ken Dang

SonicWall CEO Bill Conner Selected as SC Media Excellence Award Finalist – Bret Fitzgerald

Cybersecurity in the Fifth Industrial Revolution – Ray Wyman

What is Cryptojacking, and how does it affect your Cybersecurity? – Ray Wyman

Why Healthcare Must Do More (and Do Better) to Ensure Patient Safety – Ken Dang

SonicWall Recognizes Partners, Distributors for Outstanding Performance in 2021 – Terry Greer-King

Anti-Ransomware Day: What Can We Do to Prevent the Next WannaCry? – Amber Wolff

CRN Recognizes Three SonicWall Employees on 2022 Women of the Channel List – Bret Fitzgerald

Enjoy the Speed and Safety of TLS 1.3 Support – Amber Wolff

Four Cybersecurity Actions to Lock it All Down – Ray Wyman

Understanding the MITRE ATT&CK Framework and Evaluations – Part 2 – Suroop Chandran

Five Times Flawless: SonicWall Earns Its Fifth Perfect Score from ICSA Labs – Amber Wolff

NSv Virtual Firewall: Tested and Certified in AWS Public Cloud – Ajay Uggirala

How SonicWall’s Supply-Chain Strategies Are Slicing Wait Times – Amber Wolff

SonicWall SMA 1000 Series Earns Best-Of Enterprise VPNs Award from Expert Insights – Bret Fitzgerald

World Backup Day: Because Real Life Can Have Save Points Too – Amber Wolff

CoinDesk TV Covers Cryptojacking with Bill Conner

SonicWall’s mid-year update to its 2022 SonicWall Cyber Threat Report is creating some serious buzz – especially when it comes to cryptocurrency. The data reveals that global cryptojacking volumes increased by 66.7 million hits in the first half of 2022 – representing a 30% increase when compared to its 2021 levels over the same period.

In cryptojacking attacks, criminals use malware to gain access to computer networks. They then use the system’s computing power to mine cryptocurrencies like Bitcoin — a process that typically requires investing in costly state-of-the-art equipment and consumes vast amounts of electricity. The victim is often unaware of the intrusion.

Today, SonicWall CEO and President Bill Conner was interviewed by CoinDesk TV to discuss the meteoric rise of this criminal activity.

“We are seeing a major shift as cybercriminals are using cryptojacking as a means to an end,” explained Conner. “Bad guys are getting into servers, computers, and laptops to take over the compute engine and run in the background to mine for crypto. The financial sector has been hit the hardest over the last six months, and I don’t anticipate that to slow down any time soon.”

Cryptojacking cases across the financial sector rose 269% in the first half of 2022 – that’s five times higher than attacks on retail. SonicWall registered record growth in total cryptojacking volume, though it was unevenly distributed across 2022. In January this year, the metric stood at 18.4 million hits, a new all-time high surpassing previous record levels, taking the total Q1 attacks to 45.1 million.

As criminals continue to have success leveraging stolen compute power to mine for cryptocurrency, you can expect the problem to increase.

“I think as the economy gets a little shaky, you will see cryptojacking and other malicious cyber activities increase – especially the second half of the year,” said Conner. “It’s really important to segment your networks to protect your data and valuable business assets.”

To learn more about the trends of cryptojacking, ransomware, malware and other cyber threats download the mid-year update to the 2022 SonicWall Cyber Threat Report now.

Apache Spark CI Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  Apache Spark is a unified analytics engine for large-scale data processing. It provides high-level APIs in Java, Scala, Python and R, and an optimized engine that supports general execution graphs. It also supports a rich set of higher-level tools including Spark SQL for SQL and structured data processing, pandas API on Spark for pandas workloads, MLlib for machine learning, GraphX for graph processing, and Structured Streaming for incremental computation and stream processing.

  A command execution vulnerability has been reported in Apache Spark. The vulnerability is due to errors in parsing user requests when access control lists (ACLs) are enabled. Successful exploitation of this vulnerability can result in the execution of arbitrary commands.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-33891.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 9.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C).

  Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 9.0 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  The vulnerability is due to insufficient sanitization of the “doAs” parameter when processing incoming requests to the web UI. When a request is made to the web interface of an Apache Spark component, the function doFilter() is called to check whether the user is authorized to view the web UI. The function checks whether the “doAs” parameter is set and whether the user is authorized to impersonate another user. If both conditions are met, checkUIViewPermissions() is called, which in turn calls isUserInACL(). The “doAs” parameter and the “viewAcls” and “viewAclsGroups” settings contain the usernames and groups of users allowed to access the resources, as defined in the Spark configuration.

  The getCurrentUserGroups() function will build a bash command line to call the id command to get the user’s groups and then pass it to executeAndGetOutput() to execute it. However, the username from the “doAs” parameter is not sanitized before it is added to the command line allowing an attacker to inject their own malicious commands.

  A remote, unauthenticated attacker can exploit this vulnerability by sending a request containing a crafted “doAs” parameter to the web UI of any vulnerable component. Successful exploitation can result in arbitrary OS command injection under the security context of the user running the Spark component.
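  The root cause described above is a general pattern: an untrusted value is concatenated into a command line that a shell then parses. The following Python is an added example and not Spark's code (which is Scala); it models the flawed construction beside a hardened one. The vulnerable builder only returns the command string, so its shape can be inspected without running anything; the hardened version validates the username against an allow-list pattern and passes it as a separate argv element with no shell in between. The regex, the function names and the constructed doAs values are this example's assumptions.

```python
import re
import subprocess
from typing import List

# Characters a POSIX shell treats as syntax when they reach it unquoted.
# Listed here only to explain why the concatenating pattern is unsafe.
SHELL_METACHARACTERS = set(";|&`$()<>\n\"'\\")

# Assumed allow-list for POSIX-style usernames (an illustration, not Spark's rule).
SAFE_USERNAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def build_groups_command_vulnerable(username: str) -> str:
    """Model of the flawed pattern in the advisory: the untrusted doAs value is
    concatenated into text that a shell will later parse. The string is only
    returned here, never executed, so its shape can be inspected safely."""
    return "id -Gn " + username


def would_alter_shell_command(username: str) -> bool:
    """True when the username contains whitespace or a metacharacter, i.e. the
    concatenated command line no longer means 'look up this one user'."""
    return any(ch.isspace() or ch in SHELL_METACHARACTERS for ch in username)


def build_groups_argv_hardened(username: str) -> List[str]:
    """Hardened form: reject anything outside the allow-list, then pass the
    value as its own argv element. With no shell in between, metacharacters
    in a username would be plain bytes of an argument, not syntax."""
    if not SAFE_USERNAME.match(username):
        raise ValueError("doAs value rejected by allow-list: %r" % username)
    return ["id", "-Gn", username]


def get_unix_groups(username: str) -> List[str]:
    """Runs the hardened argv without a shell and returns the group names.
    An unknown user makes id exit non-zero with empty stdout, so an empty
    list comes back instead of an exception."""
    argv = build_groups_argv_hardened(username)
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    return result.stdout.split()


if __name__ == "__main__":
    crafted = "alice; echo injected"  # constructed, harmless stand-in for a crafted doAs value
    print(build_groups_command_vulnerable(crafted))  # a shell would read this as two commands
    print(would_alter_shell_command(crafted))        # True
    try:
        build_groups_argv_hardened(crafted)
    except ValueError as err:
        print("rejected:", err)
    print(get_unix_groups("root"))
```

  The two defences are independent and both are worth having: the argv form removes the shell from the path entirely, and the allow-list rejects values that have no business being a username before any process is spawned, which is also the point at which a request with an out-of-pattern doAs value can be logged for detection.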

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The target system must be running the web UI for one of the vulnerable components.
  • The web interface must be configured to use the ACL.
  • If the history server UI is targeted, the server must have data for at least one app ID.
  • “spark.ui.view.acls” and “spark.ui.view.acls.groups” in the configuration must not contain the wildcard value “*”.

Triggering Conditions:

  The attacker sends a request with a crafted “doAs” parameter to the target server. The vulnerability is triggered when the server processes the request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS


SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS:3083 Apache Spark UI Remote Command Execution 2

  • IPS:3084 Apache Spark UI Remote Command Execution 3

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Detecting and filtering malicious traffic using the signatures above.
    • Updating to a non-vulnerable version of the product.
    • Disabling ACLs for the web UI for any component if it is not in use.
    • Disabling the web UI for any component if it is not in use.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory
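  The preconditions listed under “Triggering the Problem” and the remediation steps above can be turned into a configuration check. The following Python is an added example, not SonicWall's or Apache's tooling: it parses a constructed spark-defaults.conf and reports whether the web UI is enabled, ACLs are on, and the view ACLs lack the wildcard “*”. The advisory names only spark.ui.view.acls and spark.ui.view.acls.groups; spark.ui.enabled (default true) and spark.acls.enable (default false) are Spark's own configuration keys used here to cover the other two conditions. The history-server app-data precondition is not something a config file can show and is not checked.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample spark-defaults.conf (not from any real deployment).
SAMPLE_CONF = """
# constructed example: ACL-protected web UI with explicit user and group lists
spark.ui.enabled            true
spark.acls.enable           true
spark.ui.view.acls          alice,bob
spark.ui.view.acls.groups   analysts
"""

# The first '=' (with optional blanks) or the first run of blanks separates key from value.
_SEPARATOR = re.compile(r"\s*=\s*|\s+")


def parse_spark_defaults(text: str) -> Dict[str, str]:
    """Parses 'key value' / 'key=value' lines of spark-defaults.conf, skipping
    blanks and comments; a repeated key keeps its last value."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = _SEPARATOR.split(line, maxsplit=1)
        key = parts[0]
        value = parts[1] if len(parts) > 1 else ""
        conf[key] = value.strip()
    return conf


def _csv(value: str) -> List[str]:
    return [item.strip() for item in value.split(",") if item.strip()]


def assess_ui_acl_exposure(conf: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Evaluates the advisory's preconditions: web UI served, ACLs enabled,
    and no wildcard '*' in either view ACL list. Returns (preconditions_met,
    findings) so the result can be acted on or logged."""
    findings: List[str] = []
    ui_enabled = conf.get("spark.ui.enabled", "true").strip().lower() == "true"
    acls_enabled = conf.get("spark.acls.enable", "false").strip().lower() == "true"
    wildcard = ("*" in _csv(conf.get("spark.ui.view.acls", ""))
                or "*" in _csv(conf.get("spark.ui.view.acls.groups", "")))
    if not ui_enabled:
        findings.append("spark.ui.enabled=false: the web UI is not served")
    if not acls_enabled:
        findings.append("spark.acls.enable is off: the ACL code path is not reached")
    if wildcard:
        findings.append("a view ACL contains '*': the advisory's precondition is not met")
    met = ui_enabled and acls_enabled and not wildcard
    if met:
        findings.append("all preconditions met: update Spark, or disable ACLs/UI where unused")
    return met, findings


if __name__ == "__main__":
    met, findings = assess_ui_acl_exposure(parse_spark_defaults(SAMPLE_CONF))
    print("preconditions met:", met)
    for line in findings:
        print(" -", line)
```

  A “not met” result is a reason the vulnerable path is unreachable under the current configuration, not a substitute for updating: a later change to the ACL settings would reopen it, so the version check remains the durable fix.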

First-Half 2022 Threat Intelligence: Geopolitical Forces Rapidly Reshaping Cyber Frontlines

Cybersecurity and geopolitics have always been inseparably linked, and in the past six months we’ve seen this increasingly play out across the threat landscape. Based on data from the mid-year update to the 2022 SonicWall Cyber Threat Report, the United States, the U.K. and other cybercrime hotspots are seeing decreases in cybercriminal activity, while many less-affected regions are seeing an uptick in threats.

“The international threat landscape is now seeing an active migration that is profoundly changing the challenges not only in Europe, but the United States as well,” said SonicWall expert on emerging threats Immanuel Chavoya. “Cybercriminals are working harder than ever to be ahead of the cybersecurity industry, and unlike many of the businesses they target, threat actors often have no shortage of skills, motivation, expertise and funding within their organizations.”

But it isn’t only the targets that are changing in the first half of 2022 — it’s the trends as well. Malware and ransomware have both reversed course, and for the first time in years we’re seeing increases in malware and decreases in ransomware. The threat data also revealed accelerations in certain trends, such as the spikes we’re seeing in IoT malware and other threat types. Here are some of the highlights:

Malware Makes a Comeback

After trending downward for several quarters, malware rose 11% worldwide during the first half of 2022. While a drop in ransomware helped temper this increase, a rise in cryptojacking and skyrocketing rates of IoT malware were more than enough to propel a double-digit increase.

Very few cyberthreat trends apply uniformly across the board, and the rise in malware is no exception. But the fact that places that usually see a lot of malware — such as the U.S., the U.K. and Germany — all saw decreases suggests that these global hotspots may be beginning to shift.

Ransomware Falls by Nearly a Quarter

Ransomware has risen dramatically over the past two years, but in the first half of 2022, global attack volume fell 23%. This long-awaited reversal seems largely a result of geopolitical factors, as ransomware groups in Russia struggle to keep up their previous pace amid the ongoing conflict with Ukraine.

Unfortunately, based on larger ongoing global trends, this reprieve isn’t expected to last.

“As bad actors diversify their tactics, and look to expand their attack vectors, we expect global ransomware volume to climb — not only in the next six months, but in the years to come,” said SonicWall President and CEO Bill Conner. “With so much turmoil in the geopolitical landscape, cybercrime is increasingly becoming more sophisticated and varying in the threats, tools, targets and locations.”

Ransomware is also shifting, however, resulting in some areas recording significantly different outcomes than usual. North America, which typically sees the bulk of ransomware attacks, experienced a 42% decrease in attack volume, while Europe recorded a 63% increase.

RTDMI Detections Rise Dramatically

In the first six months of 2022, SonicWall’s patented Real-Time Deep Memory Inspection™ (RTDMI) identified 270,228 never-before-seen malware variants — a 45% increase over the same period in 2021.

Included with the Capture Advanced Threat Protection sandbox service, this technology leverages machine learning to become highly effective at identifying new and advanced threats, and it continues to get better each year: Since it was introduced in early 2018, the number of new variants discovered by RTDMI has risen 2,079%.

IoT Malware Up 77%

With more IoT devices coming online than ever, it’s no surprise that opportunistic cybercriminals are increasingly flocking to IoT malware attacks. Since the beginning of the year, IoT malware volume has risen 77% to 57 million — more than at any point since SonicWall began tracking these attacks, and nearly as many as were recorded for the entire year of 2021.

Encrypted Threats Show Triple-Digit Increase

In the first half of 2022, encrypted threats spiked 132% over the same time period last year. This was based on an unusually high number of attacks in Q2 — attack volume rose so high in May that it became the second-highest month for encrypted threat volume SonicWall had ever seen.

Cybersecurity News & Trends

Curated cybersecurity news and trends from leading news outlets that monitor IT security and safety around the world.

SonicWall continues to move headlines with industry publications and general news outlets. More quotes from SonicWall’s President and CEO, Bill Conner and mentions from SonicWall’s ongoing threat reports.

The industry’s big hits this week mainly were focused on ransomware activity. From Dark Reading, CloudMensis emerged as a previously unknown macOS spyware that exfiltrates documents, keystrokes, and screen captures, among other things. Bleeping Computer reports that the Black Basta ransomware gang targeted the giant construction corporation Knauf Group. From the gamer publication Destructoid, Bandai Namco is the latest victim of the notorious ransomware group known as ALPHV, also BlackCat. Threat Post reports on the unusual hiring practices of the hacking group AIG. From Hacker News, Evilnum malware is being deployed to target cryptocurrency and commodities platforms. And from a gamer fan magazine, Kotaku, someone hacked the NeoPets platform, stole data for 69 million accounts and is selling it for Bitcoin.

Remember, cybersecurity is everyone’s business. Be safe out there!

SonicWall News

SonicWall Accelerates Next Phase of Growth While Continuing to Drive Record Performance

Sales Tech Series, SonicWall News: SonicWall announced a change in its executive leadership as President and Chief Executive Officer Bill Conner takes on the role of Executive Chairman of the SonicWall Board. Former Chief Revenue Officer Bob VanKirk has been promoted to President and CEO to lead next growth phase.

How AI Will Extend the Scale and Sophistication Of Cybercrime

TechMonitor, Bill Conner Quote: In addition to these individual methods, cybercriminals are using AI to help automate and optimize their operations, says Bill Conner, CEO of cybersecurity provider SonicWall. Modern cybercriminal campaigns involve a cocktail of malware, ransomware-as-a-service delivered from the cloud, and AI-powered targeting. These complex attacks require AI for testing, automation and quality assurance, Conner explains. “Without the AI it wouldn’t be possible at that scale.”

Eyes In the Sky: How Governments Can Have Oversight Over Their Networks

GovInsider, SonicWall Mention: As the Covid-19 pandemic dramatically accelerated digital transformation among governments, they faced a significantly increased level of cyber-risk. In 2021, the number of ransomware attacks more than doubled from the number carried out in 2020, rising 105 per cent, according to a 2022 Cyber Threat Report by US cybersecurity company SonicWall.

French MVNO Left Crippled by Ransomware Attack

Total Telecom, SonicWall News: The scale and severity of ransomware attacks in the telecoms industry and beyond has been rising steadily in recent years, with SonicWall recording 495 million ransomware incidents globally in 2021, a 148% increase on 2020.

Best VPN services for SMBs

TechRepublic, SonicWall News: While hardware platforms — including equipment from Cisco, Fortinet and SonicWall — are often used, software-only VPN services are growing in popularity due to their simplicity, flexibility and capacity to provide protection when users connect to third-party applications and resources outside the organization’s network. Here’s how five leading VPN services for SMBs stack up.

Cyber Defense: Bill Conner of SonicWall on the 5 Things Every American Business Leader Should Do to Shield Themselves from A Cyberattack

Authority Magazine, Bill Conner Q&A: As a part of this series, I had the pleasure of interviewing Bill Conner, President and CEO of SonicWall, one of the world’s most trusted network security companies. With a career spanning more than 30 years across high-tech industries — previously leading key divisions of AT&T and managing Nortel’s $9 billion acquisition of Bay Networks and CEO of Entrust — Bill Conner is a corporate turnaround expert and global leader in cybersecurity, data protection and network infrastructure.

Marriott Hotels Suffer Another Data Breach

Intelligent CIO, SonicWall Mention: Bill Conner, CEO and President at SonicWall, also a GCHQ and NCSC advisor, has stated the criticality of this trend: “The recent breach of Marriott International is a stark example of the tireless work cybercriminals undertake to steal personal information. Not only does the Marriott breach damage brand reputation, but it also puts customers in a vulnerable position when sensitive information is compromised like passport numbers, credit card details and more.”

34 top UK Vendor Leaders Outline Channel Priorities

CRN UK, SonicWall Mention: While ConnectWise (2,500), Cisco (2,000), Fujitsu (1,500), Adobe (1,400) and SonicWall (1,200) all work with over 1,000 UK partners, others have narrower UK channels, with Check Point, F5 Networks and Mitel all working with 400 or fewer partners.

Mystery Hacker Says 1 billion People Exposed In ‘Biggest Hack in History’

The Independent, Bill Conner Quote: “Organizations and government entities carry a responsibility to consumers and civilians alike to guard their most valuable information at all costs,” Bill Conner, CEO of cybersecurity firm SonicWall and adviser to GCHQ and Interpol, told The Independent.

Industry News

Cloud-Enabled macOS Spyware Blows onto the Scene

Dark Reading: A previously unknown macOS spyware has surfaced in a highly targeted campaign, which exfiltrates documents, keystrokes, screen captures, and more from Apple machines. Interestingly, it exclusively uses public cloud-storage services for housing payloads and command-and-control (C2) communications — an unusual design choice that makes it difficult to trace and analyze the threat.

Dubbed CloudMensis by the researchers at ESET who discovered it, the backdoor was developed in Objective-C. ESET’s analysis of the malware released this week shows that the cyberattackers behind the campaign gain code execution and privilege escalation using known vulnerabilities after the initial compromise. Then, they install a first-stage loader component that retrieves the actual spyware payload from a cloud storage provider. In the sample the firm analyzed, pCloud was used to store and deliver the second stage, but the malware also supports Dropbox and Yandex as cloud repositories.

Building Materials Giant Knauf Hit by Black Basta Ransomware Gang

Bleeping Computer: The Knauf Group has announced it has been the target of a cyberattack that has disrupted its business operations, forcing its global IT team to shut down all IT systems to isolate the incident.

The cyberattack took place on the night of June 29, and at the time of writing this, Knauf is still in forensic investigation, incident response, and remediation. Emails seen by BleepingComputer warned that email systems were shut down as part of the response to the attack, but that mobile phones and Microsoft Teams were still working for communication.

Knauf is a German-based multinational building and construction materials producer that holds approximately 81% of the world’s wallboard market. The firm operates 150 production sites worldwide and owns U.S.-based Knauf Insulation and USG Corporation. Notably, Knauf Insulation has also posted a notice about the cyberattack on its site, so that entity has been impacted too.

Bandai Namco Data Leaked Following Alleged Ransomware Attack

Destructoid: Bandai Namco is the latest victim of the notorious ransomware group known as ALPHV, also known as BlackCat. It is suspected that the developer/publisher behind brands such as Tekken, Elden Ring, Dragon Ball FighterZ, and Soulcalibur has had data about its future releases, DLC, and reveals leaked online in the wake of the attack. The malware source code monitor VX-underground discovered and reported the news.

While some of the information has surfaced online this morning, the full extent of the data obtained by the hacking group is unknown. It could contain the personal details of company employees, as well as source code for the company’s current and upcoming releases and potentially data about the users of Bandai Namco games. As for supposed leaked games, don’t believe everything you see floating around.

This attack is the latest in a series of massive data thefts that, in recent years, have ransacked the digital vaults of various big-name video game companies such as Capcom, EA, and, perhaps most famously, CD Projekt RED, the latter of which led to the release of the entire source code of the smash hit Cyberpunk 2077.

Hackers for Hire: Adversaries Employ ‘Cyber Mercenaries’

Threat Post: A for-hire cybercriminal group is feeling the talent drought in tech just like the rest of the sector and has resorted to recruiting so-called “cyber-mercenaries” to carry out specific illicit hacks as part of more extensive criminal campaigns.

Known as Atlas Intelligence Group (AIG) or Atlantis Cyber-Army, the cybergang has been spotted by security researchers recruiting independent black-hat hackers to execute specific aspects of its campaigns. AIG functions as a cyber-threats-as-a-service criminal enterprise. The threat group markets services that include data leaks, distributed denial of service (DDoS), remote desktop protocol (RDP) hijacking and additional network penetration services.

According to the report, AIG is unique in its outsourcing approach to committing cybercrimes. Organized threat groups tend to recruit individuals with specific capabilities that they can reuse, and incentivize them with profit sharing. For example, RaaS (ransomware-as-a-service) campaigns can involve multiple threat actors who get a cut of the stolen funds or digital assets. What makes AIG different is that it outsources specific aspects of an attack to mercenaries who have no further involvement in the attack.

Hackers Use Evilnum Malware to Target Cryptocurrency and Commodities Platforms

Hacker News: The advanced persistent threat (APT) actor tracked as Evilnum is again exhibiting renewed activity aimed at European financial and investment entities.

Evilnum is a backdoor that can be used for data theft or to load additional payloads. The malware includes multiple components to evade detection and modifies its infection path based on the antivirus software it identifies.

Targets include organizations with operations supporting foreign exchanges, cryptocurrency, and decentralized finance (DeFi). The latest spate of attacks is said to have commenced in late 2021. The findings also dovetail with a report from Zscaler last month that detailed low-volume targeted attack campaigns launched against companies in Europe and the UK.

Neopets Hacker Steals 69 Million Accounts, Tries To Sell Them For Bitcoin

Kotaku: A rogue hacker has reportedly stolen over 69 million Neopets accounts and is currently attempting to sell the information for roughly $92,000 in bitcoin. Neopets is a long-running virtual pet website where users can dress up their pets, play minigames, participate in a virtual economy, and socialize with other community members. While Neopets has existed since 1999, the website still has nearly 4 million visitors per month as of April this year.

The community fansite Jellyneo reported that the hacker could obtain “the complete data and source code” of the website, which means that all accounts’ emails and passwords are potentially compromised. Jellyneo claimed that email addresses, passwords, gender, IP addresses, countries, and birthdays were being sold on a “hacker website” for four bitcoin (about $92,072 based on current values). Although bitcoin is traceable, hackers prefer to use it for criminal activities because wallets don’t require identifying information and law enforcement can’t freeze the accounts. However, it was reported that Neopets is working with a forensics firm and law enforcement to investigate the breach.

In Case You Missed It

2022 CRN Rising Female Star – Bret Fitzgerald

Enhance Security and Control Access to Critical Assets with Network Segmentation – Ajay Uggirala

Three Keys to Modern Cyberdefense: Affordability, Availability, Efficacy – Amber Wolff

BEC Attacks: Can You Stop the Imposters in Your Inbox? – Ken Dang

SonicWall CEO Bill Conner Selected as SC Media Excellence Award Finalist – Bret Fitzgerald

Cybersecurity in the Fifth Industrial Revolution – Ray Wyman

What is Cryptojacking, and how does it affect your Cybersecurity? – Ray Wyman

Why Healthcare Must Do More (and Do Better) to Ensure Patient Safety – Ken Dang

SonicWall Recognizes Partners, Distributors for Outstanding Performance in 2021 – Terry Greer-King

Anti-Ransomware Day: What Can We Do to Prevent the Next WannaCry? – Amber Wolff

CRN Recognizes Three SonicWall Employees on 2022 Women of the Channel List – Bret Fitzgerald

Enjoy the Speed and Safety of TLS 1.3 Support – Amber Wolff

Four Cybersecurity Actions to Lock it All Down – Ray Wyman

Understanding the MITRE ATT&CK Framework and Evaluations – Part 2 – Suroop Chandran

Five Times Flawless: SonicWall Earns Its Fifth Perfect Score from ICSA Labs – Amber Wolff

NSv Virtual Firewall: Tested and Certified in AWS Public Cloud – Ajay Uggirala

How SonicWall’s Supply-Chain Strategies Are Slicing Wait Times – Amber Wolff

SonicWall SMA 1000 Series Earns Best-Of Enterprise VPNs Award from Expert Insights – Bret Fitzgerald

World Backup Day: Because Real Life Can Have Save Points Too – Amber Wolff

CRN Honors SonicWall With 5-Star Rating in 2022 Partner Program Guide – Bret Fitzgerald

Cyberattacks on Government Skyrocketed in 2021 – Amber Wolff

New Lilith ransomware in early development

The SonicWall Capture Labs threat research team has observed reports of the launch of a new ransomware family named Lilith. Lilith ransomware is written in C/C++ and targets 64-bit Windows machines. Encrypted files are marked with a “.lilith” extension. The sample we obtained indicates that it is in early development, as some features reported in the AV community were not present during our analysis.

Infection Cycle:

Upon running the executable, files on the system are encrypted.

Restore_Your_Files.txt contains the following message:

During our analysis, no data was leaked from the system.

The .onion link leads to the following Lilith home page:

This page appears to be a placeholder and does not contain any functionality yet.  It is speculated that this may become an extortion page that threatens to leak victim data.

The following programs are terminated if they are running:

Restore_Your_files.txt is dropped into each directory that contains encrypted files:

Each encrypted file is given a .lilith extension:

We reached out to the operators via the supplied tox ID in the ransom note but received no response.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Lilith.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Oracle MySQL NDB Cluster RCE

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  MySQL is a popular open-source implementation of a relational database that supports the Structured Query Language (SQL) for querying and updating stored data. Communication with the database occurs using the MySQL protocol. As with other database implementations, MySQL supports a number of database storage engines, such as the NDB storage engine.

  An index boundary error has been reported in Oracle MySQL. The vulnerability exists in the MySQL NDB Cluster component when handling GSN_CREATE_NODEGROUP_IMPL_REQ signals.

  A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted packet to the vulnerable server. Successful exploitation will allow an attacker to execute arbitrary code in the context of the application.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-21490.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.5 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  An index boundary error exists in Oracle NDB Cluster Data node. The vulnerability is due to improper validation when handling the incoming signals. More specifically, when the NDB Data node receives a GSN_CREATE_NODEGROUP_IMPL_REQ signal to the SUMA block, the function Suma::execCREATE_NODEGROUP_IMPL_REQ() is called to handle the signal. The vulnerable function will parse the signal data as the CreateNodegroupImplReq format:

  The values in the nodes array are used as indexes into an array of NDB node objects. However, this index value is not validated correctly. If the value is larger than or equal to MAX_NDB_NODES (145), the related memory operation will bypass the boundary of the object array and result in a memory corruption condition.

  A remote, unauthenticated attacker can send a malicious GSN_CREATE_NODEGROUP_IMPL_REQ signal to trigger the out-of-bounds read or write condition. Successful exploitation could allow an attacker to execute arbitrary code in the context of the application. A failed exploit attempt will result in a denial-of-service condition.
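  As an added example (not part of the advisory and not MySQL code), the following Python check parses a captured GSN_CREATE_NODEGROUP_IMPL_REQ payload and flags any node index of MAX_NDB_NODES or above, which is the bound the vulnerable handler fails to enforce. The six-word header layout, the big-endian 32-bit words and the build_signal helper are assumptions made for illustration, not taken from the NDB source.

```python
import struct

MAX_NDB_NODES = 145          # upper bound for node indexes, as stated in the advisory
HEADER_WORDS = 6             # assumed: number of header words before the nodes array
WORD = struct.Struct(">I")   # assumed: big-endian 32-bit signal words


class MalformedSignal(ValueError):
    """Raised when a payload cannot be split into whole 32-bit signal words."""


def parse_create_nodegroup_req(payload: bytes) -> dict:
    """Split a raw signal payload into its header words and the nodes array.

    The layout (six header words, then node indexes) is assumed for this
    illustration; the real CreateNodegroupImplReq layout lives in the NDB source.
    """
    if len(payload) % WORD.size or len(payload) < HEADER_WORDS * WORD.size:
        raise MalformedSignal("payload is not a whole number of 32-bit words")
    words = [WORD.unpack_from(payload, off)[0]
             for off in range(0, len(payload), WORD.size)]
    return {"header": words[:HEADER_WORDS], "nodes": words[HEADER_WORDS:]}


def out_of_range_nodes(nodes) -> list:
    """Return the node indexes that would reach past a MAX_NDB_NODES-sized array.

    This is exactly the bound the advisory says the handler does not check.
    """
    return [n for n in nodes if n >= MAX_NDB_NODES]


def inspect_signal(payload: bytes) -> dict:
    """Detection-side verdict for one captured signal payload."""
    req = parse_create_nodegroup_req(payload)
    bad = out_of_range_nodes(req["nodes"])
    return {"nodes": req["nodes"], "out_of_range": bad, "malicious": bool(bad)}


def build_signal(nodes, nodegroup_id=0) -> bytes:
    """Constructed helper that packs a signal in the assumed layout (tests only)."""
    header = [0x1001, 0x2002, 0, nodegroup_id, 0, 0]   # constructed header values
    return b"".join(WORD.pack(w) for w in header + list(nodes))


if __name__ == "__main__":
    print(inspect_signal(build_signal([1, 2, 3])))          # benign: all indexes < 145
    print(inspect_signal(build_signal([1, 145, 0xFFFF])))   # flagged: 145 and 65535
```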

Triggering the Problem:

  • The target host must have a vulnerable version of the affected product installed and running.
  • The attacker must have the means to deliver crafted packets to the target service.

Triggering Conditions:

  The attacker sends a GSN_CREATE_NODEGROUP_IMPL_REQ signal to the target server. The vulnerability is triggered when the server processes the malicious command.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • ndbd

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 2997 MySQL Cluster Data Node RCE 4

Remediation Details:

  The actions listed below may be taken in order to mitigate or eliminate the risks associated with this vulnerability:
    • Restrict remote connections to trusted hosts only.
    • Filter attack traffic using the signature above.
    • Upgrade the vulnerable product to a non-vulnerable version.
  The vendor released the following advisory regarding this vulnerability:
  Vendor Advisory

Known Trojan named AsyncRAT is now going fileless

Writing completely new malware is always harder than tweaking code that is already written and working. Threat actors reuse existing malware code, either by buying it on the dark web or by taking open-source code available on platforms like GitHub or Pastebin. They now focus on the delivery mechanism and infection chain, keeping a low profile and exposing as little malicious code as possible to traditional security products. Security software that inspects memory, however, is still able to spot the actual malicious behavior. SonicWall Real-Time Deep Memory Inspection (RTDMI) has detected a VBScript inside an archive which executes a web-hosted PowerShell script to deliver and execute fileless AsyncRAT on the victim’s machine. The source code of AsyncRAT is publicly available on GitHub.

VBScript

The VBScript is obfuscated using multiple string reverse and concatenate operations. It obtains the Windows Script Host shell object via CLSID “F935DC22-1CF0-11D0-ADB9-00C04FD58A0B” and uses it to execute a PowerShell script fetched from a Uniform Resource Locator (URL):

Instead of a “.ps1” extension, the URL hosting the PowerShell script ends in “.txt”, which makes the URL look less suspicious. The malware does not save the PowerShell script to the file system; it executes the script in memory instead:

PowerShell Script

The infection chain starts from the VBScript and involves PowerShell scripts, the task scheduler, a DLL loader and a batch file holding the PowerShell cmdlet, before finally executing AsyncRAT on the victim’s machine:

The web-hosted PowerShell script is highly obfuscated. It creates the malware directory “C:\ProgramData\HVLWIQDYCCPXWPCLXUYGXB” to save the intermediate files used in the infection chain, and sleeps for 3 seconds between tasks:

Intermediate files saved in the malware directory:

  • HVLWIQDYCCPXWPCLXUYGXB.ps1 (First stage PowerShell script)
  • HVLWIQDYCCPXWPCLXUYGXB.vbs (Obfuscated VBScript)
  • HVLWIQDYCCPXWPCLXUYGXB.bat (Batch file contains cmdlet)
  • STVEVBEQXPLHZJQTHEIGGV.ps1 (Final stage PowerShell script)

The web-hosted PowerShell script continues the infection chain by executing the first-stage PowerShell script, which schedules a task that runs the VBScript from the malware directory every 3 minutes:

The highly obfuscated VBScript obtains a Win32_Process object through Windows Management Instrumentation (WMI) to spawn a PowerShell process, which reads the cmdlet from the batch file and executes the final-stage PowerShell script:

The final-stage PowerShell script contains two encoded binaries: the DLL loader and AsyncRAT. The malware executes the DLL loader, passing the AsyncRAT binary as a byte array and the path “C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe” as arguments. The DLL loader then loads and executes AsyncRAT in the context of “jsc.exe”:

AsyncRAT

AsyncRAT is a well-known, advanced malware family whose source code is publicly available on GitHub. The threat actor has obfuscated the function names, disabled some features and customized the code slightly to their requirements:

The malware initializes its configuration components and creates the mutex “AsyncMutex_6SI8OkPnk” to guarantee that only a single instance executes at a time. The malware contains code to check for a virtual environment, create a persistence entry and gain elevated privileges, but that code is disabled in this variant by a flag value.

C&C Communication

The malware connects to its Command and Control (C&C) server “rock.dynip.org” at port number 222:

The malware sends the following information from the victim’s machine to the C&C server:

  • Packet type
  • Hardware ID
  • Username
  • Operating System info
  • Execution path
  • Version
  • Execution mode (Admin | User)
  • Active GUI window name
  • Antivirus
  • Executable time
  • Group

The malware receives the following commands from the C&C server:

  • ping
  • pong
  • plugin
  • savePlugin

ping

A ping command from the C&C server means no action is needed:

pong

The malware has registered a timer which keeps increasing the interval value. Once the malware receives pong command, the interval value is sent to the C&C server by setting the packet type to “pong”.

plugin

The malware receives the plugin command along with the plugin’s hash value. It checks whether the plugin is already installed on the victim’s machine by looking up the hash value under the registry key “HKEY_CURRENT_USER\Software”. If the plugin is already installed, the malware executes it in memory; otherwise it sends the plugin hash value back with the packet type set to “sendPlugin”:

savePlugin

The malware receives the “savePlugin” command along with the compressed plugin bytes and their hash value. It saves the compressed plugin bytes in the registry key “HKEY_CURRENT_USER\Software\6D8AD34F424F899EC2B0”, using the plugin’s hash as the value name. The plugin bytes are then decompressed and invoked by the malware:

The C&C server sends two plugins to the victim’s machine:

Plugin 1

Name: Miscellaneous

SHA256: c3f842cc2228aff03f109bd7e13cc233e2ac7a383b35fdae9171c80af6def354

Plugin 2

Name: RemoteDesktop

SHA256: 470e625ab097155fe562394a450f3830d7725d8032f00dd3fb16243a7cf62930

The archive file is not available on any of the popular threat intelligence sharing portals such as VirusTotal and ReversingLabs, which indicates its uniqueness and limited distribution:

Evidence of detection by RTDMI ™ engine can be seen below in the Capture ATP report for this file:

Malicious Embedded Office File inside PDF is delivering REMCOS RAT

The SonicWall Capture Labs Threat Research team has observed a malicious PDF file, arriving as an e-mail attachment and detected by the SonicWall RTDMI ™ engine, which delivers REMCOS RAT as the final payload.

Infection Cycle:

The PDF file has a malicious embedded DOC file, which is dropped to the %temp% folder and executed. The PDF file has an OpenAction entry that points to JavaScript embedded in the PDF, so the script runs as soon as the PDF is opened. The embedded DOC file is named “has been verified. However PDF, SVG, xlsx, .docx”.

JavaScript inside the PDF, which drops and executes the DOC file

The DOC file references an external URL that serves an RTF file. It loads the RTF file from “hxxps://shortener[.]vc/fSpur”, whose final redirected URL is “hxxp://45[.]85[.]190[.]156/receipt/290.doc”. This RTF file carries a CVE-2017-11882 exploit, which downloads a .NET executable to “C:\Users\Public\vbc.exe” and executes it.

External Frame Object Link in webSettings.xml.rels

The .NET executable ‘vbc.exe’ makes a copy of itself in %APPDATA% as ‘doc.exe’, creates a RUN registry entry for it named ‘wix’, and then executes doc.exe.

The .NET executable has a compressed .NET DLL in its ‘AppPropsLib.Documents.resources’ resource object, stored under the name ‘_22’. It decompresses the resource, loads the obfuscated DLL (internal name Periodicity.dll) in memory, and calls its second export with three string arguments: “5374617469634172726179496E69745479706553697A65”, “7157624F” and “AppPropsLib”. The first argument is “StaticArrayInitTypeSize” (passed in hex), the name of a Bitmap object present in the doc.exe resources; the second is the decryption key “qWbO” (passed in hex); and the third is the resource name in doc.exe.

Then Periodicity.dll loads the bitmap resource present in doc.exe and extracts ARGB values for all the pixels in an array. It then gets the encrypted data size from the first pixel ARGB value and copies the encrypted data into another array, then starts decrypting it using the key passed as an argument and the last byte of the encrypted data array.

Loading ARGB value of pixels in an array

Decrypting using the key passed in the argument

The decrypted data is yet another highly obfuscated .NET DLL whose internal name is Thookinieng.dll. This DLL has encrypted resources, one of which is REMCOS RAT. Its decrypted data contains some interesting strings:

Strings Used to check Sandbox or VM

Powershell command to add ExclusionPath for Defender

REMCOS keeps its configuration in a resource named ‘settings’. The very first byte gives the RC4 key size, followed by the RC4 key, which is in turn followed by the encrypted configuration:

The version of this REMCOS RAT payload is ‘v3.4.0 Pro’. It reads the key from the resource and decrypts the configuration data using the RC4 algorithm; the configuration contains the Command and Control (C&C) server’s IP address, port number, password, the REMCOS executable’s name, the key-logging filename, etc.:
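As an added example (not REMCOS code and not SonicWall tooling), the Python below decodes the settings layout just described: a key-length byte, the RC4 key, then the RC4-encrypted configuration. The sample resource is constructed here, and the field order and the “|” separator inside the decrypted configuration are assumptions for illustration, not REMCOS internals.

```python
def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (key scheduling, then keystream XOR).
    RC4 is symmetric, so one function both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def split_settings(resource: bytes) -> tuple:
    """Apply the layout described in the post: byte 0 is the RC4 key length,
    followed by the key, followed by the RC4-encrypted configuration."""
    if not resource:
        raise ValueError("empty settings resource")
    key_len = resource[0]
    if key_len == 0 or len(resource) < 1 + key_len:
        raise ValueError("key length byte does not fit inside the resource")
    key = resource[1:1 + key_len]
    return key, resource[1 + key_len:]


def decrypt_settings(resource: bytes) -> bytes:
    """Recover the plaintext configuration from a settings resource."""
    key, ciphertext = split_settings(resource)
    return rc4(key, ciphertext)


# Assumed field order for this illustration (the post lists these items
# without giving their order); the separator is likewise an assumption.
CONFIG_FIELDS = ["c2_host", "c2_port", "password", "exe_name", "keylog_file"]
SEPARATOR = b"|"


def parse_config(plaintext: bytes) -> dict:
    """Map decrypted fields onto names; any trailing fields are kept as 'extra'."""
    parts = plaintext.split(SEPARATOR)
    config = dict(zip(CONFIG_FIELDS, (p.decode("latin-1") for p in parts)))
    config["extra"] = [p.decode("latin-1") for p in parts[len(CONFIG_FIELDS):]]
    return config


def build_settings(key: bytes, fields: list) -> bytes:
    """Constructed helper that packs a resource in the described layout (tests only)."""
    return bytes([len(key)]) + key + rc4(key, SEPARATOR.join(fields))


# Constructed sample resource: an invented key and an invented configuration.
SAMPLE_RESOURCE = build_settings(
    b"k3y!", [b"c2.example.invalid", b"2404", b"pass", b"remcos.exe", b"logs.dat"])

if __name__ == "__main__":
    print(parse_config(decrypt_settings(SAMPLE_RESOURCE)))
```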

Malicious PDF hashes:


The file is detected by only a few security vendors on the popular threat intelligence sharing portal VirusTotal at the time of writing, which indicates its spreading potential:

Evidence of detection by RTDMI ™ engine can be seen below in the Capture ATP report for this file:

Android ransomware purports to be a free social media follower application

The SonicWall Capture Labs Threat Research team has observed many Android locker ransomware apps that ask the victim to communicate via social media platforms. There is no assurance of getting the key even after paying the ransom; the operators simply use these apps for monetary gain. Some of the applications pose as free social media follower apps but are ransomware, as shown below.

Figure 1: Ransomware App Icons

All of these malicious apps were recently submitted to malware sharing platforms like VirusTotal.

Figure 2: VirusTotal submission history

Infection Cycle:

Major permissions used in these apps are mentioned below:

  • SYSTEM_ALERT_WINDOW
  • RECEIVE_BOOT_COMPLETED
  • SET_WALLPAPER
  • READ_EXTERNAL_STORAGE
  • WRITE_EXTERNAL_STORAGE
  • READ_CONTACTS
  • READ_SMS
  • ACCESS_FINE_LOCATION
  • WAKE_LOCK
  • INTERNET
  • REQUEST_INSTALL_PACKAGE
  • CAMERA

The “SYSTEM_ALERT_WINDOW” permission is used to display overlay windows above all activity windows in order to show the ransom note.

After installation the app is not visible in the app drawer; to view the installed app’s information we need to go to Settings -> Apps.

Figure 3: Malicious app visible under settings

In the manifest file, “android.intent.category.LAUNCHER” is not set in MainActivity as shown below, which means that this application does not have a desktop startup icon.

Figure 4: Main activity launcher missing

Malicious application launches after “ACTION_BOOT_COMPLETED” system event which is fired once the Android system has completed the boot process, sets a lock screen with a ransom note and the user is not able to access the device.

Figure 5: Ransom note

On further investigation of the malicious code, each malicious file has a different ransom note and a different key, which is present in the code itself under the “password” field. No file on the device is actually encrypted; the device is only locked via the screen overlay.

Figure 6: Password and Ransom note present in code
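As an added example (not SonicWall’s analysis tooling), the Python below runs the manifest checks this post describes over a constructed, already-decoded AndroidManifest.xml: the overlay and boot-start permissions, a BOOT_COMPLETED receiver, and a MAIN activity with no LAUNCHER category. The sample manifest, its package name and the scoring threshold are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
MAIN_ACTION = "android.intent.action.MAIN"
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
# Permissions the post singles out: overlay for the lock screen, start on boot.
LOCKER_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}

# Constructed (already decoded) manifest mimicking the traits in the post.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freefollowers">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def _names(elements) -> set:
    """Collect the android:name attribute of each element."""
    return {e.get(ANDROID_NS + "name") for e in elements}


def analyze_manifest(xml_text: str) -> dict:
    """Return the locker-style traits found in a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    permissions = _names(root.iter("uses-permission"))
    # Intent filters that declare MAIN: the app's entry points.
    main_filters = [f for a in root.iter("activity")
                    for f in a.findall("intent-filter")
                    if MAIN_ACTION in _names(f.findall("action"))]
    has_launcher = any(LAUNCHER_CATEGORY in _names(f.findall("category"))
                       for f in main_filters)
    boot_receiver = any(BOOT_ACTION in _names(r.iter("action"))
                        for r in root.iter("receiver"))
    traits = {
        "locker_permissions": sorted(LOCKER_PERMISSIONS & permissions),
        # MAIN without LAUNCHER is what hides the app from the app drawer.
        "hidden_from_drawer": bool(main_filters) and not has_launcher,
        "starts_on_boot": boot_receiver,
    }
    score = (len(traits["locker_permissions"])
             + int(traits["hidden_from_drawer"]) + int(traits["starts_on_boot"]))
    traits["suspicious"] = score >= 3   # constructed threshold: three traits together
    return traits


if __name__ == "__main__":
    print(analyze_manifest(SAMPLE_MANIFEST))
```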

SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.

Indicators of Compromise (IOC):
