Cybersecurity News & Trends

Curated cybersecurity news and trends from the industry’s leading bloggers and news outlets.

For our big read last week, we covered the ongoing story about the ChromeLoader Malware. This week, we’re covering a possibly bigger story about spear phishing hackers who have also weaponized well-known and widely used open-source software. This story has contributions from Microsoft, ARS Technica, and Infosecurity Magazine. According to Hacker News, attackers hid malware in a Microsoft Windows logo to set off a cyberattack against governments in the Middle East. According to Krebs on Security and Bleeping Computer, two new and previously unknown Zero-Day flaws have cropped up in Exchange Server, and as of this moment, Microsoft does not have a fix ready to deploy. And if the thought of going into the weekend with weaponized open-sourced software was unsettling, how about deepfakes in your email or text messaging? According to TrendMicro (with a bit of help from DarkReading), hackers are ‘this close’ to using deepfake technology.

Meanwhile, you’ll notice in this week’s list of news that SonicWall is doing very well in the global news circuit with good hits in education, healthcare and retail.

Remember that cybersecurity is everyone’s business. Be safe out there!

SonicWall News

Why retail stores are more vulnerable than ever to cybercrime

IFSEC Global, SonicWall Threat Report Mention: Figures from SonicWall’s Biannual Report revealed that ecommerce and online retail businesses saw a 264% surge in the past 12 months in ransomware attacks alone. These kinds of statistics are extremely worrying for retail businesses, so it is unsurprising that websites and digital security are at the forefront of retailers’ minds.

These steps can help keep colleges from being easy targets for cyberattacks

HigherEd Dive, SonicWall Byline from Immanuel Chavoya, and SonicWall mention: A cybersecurity strategist outlines cultural and technical changes to help institutions stave off attacks like malware or business email compromise. Recent data from SonicWall revealed surging attacks across the board in the first half of the year, with the overall education industry seeing a 110% spike in IoT malware attacks and a 51% increase in ransomware — despite a global decline in ransomware attacks.

SonicWall’s Matt Brennan Talks New Leadership and Taking ‘Outside-In’ Approach

CRNtv, SonicWall Interview with Matt Brennan: With a New CEO and Matt Brennan taking on the role as channel chief at SonicWall, Brennan discusses some of the changes partners can expect from the new leadership and winning a CRN 2022 Annual Report Card Award.

The Soaring Threat Going Undetected

Blockchain Tribune, SonicWall Byline from Immanuel Chavoya: The popularity of cryptocurrencies has increased, not only in their overall market value but also in the number of people looking to digital currencies to generate totally independent revenue. While some do this through investing and selling cryptocurrency directly, others are turning to transaction processing (cryptomining) to turn a profit.

3 Cybersecurity Solutions Likely to Gain Traction In 2022 And Beyond

Cyber Defense Magazine, SonicWall Threat Report Mention: In June 2021, there were nearly 78.4 million ransomware attacks worldwide. This implies that about 9.7 ransomware attempts per consumer were made for every business day.

Why Retail Stores Are More Vulnerable Than Ever to Cybercrime

IFSEC Global, SonicWall Threat Report Mention: Figures from SonicWall’s Biannual Report revealed that ecommerce and online retail businesses saw a 264% surge in the past 12 months in ransomware attacks alone. These kinds of statistics are extremely worrying for retail businesses, so it is unsurprising that websites and digital security are at the forefront of retailers’ minds.

Elections, A Full Plate for Cybercrime in Brazil

Monitor (Brazil), SonicWall Threat Report Mention: According to a report by SonicWall, there were approximately 33 million attacks in the country, which places it in the fourth position among the countries that suffer the most from this type of crime, behind only the US, Germany and the United Kingdom.

SonicWall Threat Report Mid-Year Update Highlights Significant Threat Variance

IT Brief New Zealand, SonicWall Threat Report Mention: The cyber threat landscape is continuing to become increasingly diverse. With COVID-19 and many geopolitical crises occurring worldwide, threat actors are capitalizing on various cybersecurity gaps, and, as a result, enterprises and end users are often put at risk.

Defending Against Ransomware Attacks

Professional Security, SonicWall Threat Report Mention: In retail in particular, in the year from February 2021, the 2022 SonicWall Cyber Threat Report revealed that there was a 264pc increase in ransomware attacks on ecommerce and online retail businesses. Estimates suggest that over 40% of retail organizations suffered a ransomware attack.

Ransomware Roulette with Consumer Trust – The Link Between Loyalty and Attacks

Information Security Buzz, SonicWall Threat Report Mention: In retail in particular, in the year from February 2021, the 2022 SonicWall Cyber Threat Report revealed that there was a 264% increase in ransomware attacks on ecommerce and online retail businesses. Estimates suggest that over 40% of retail organizations suffered a ransomware attack.

Metaverse: An Emerging Market in Virtual Reality

TechSling, SonicWall Threat Report Mention: Cyber-attacks have targeted market participants, raising high sensitivity and security concerns. According to SonicWall, nearly 500 million cyber-attacks were reported through September 2021, with over 1700 attacks reported per organization.

Protecting Against Customizable Ransomware

CXO Today, Threat Report Mention: All sorts of Cybercrimes have grown tremendously in recent years. SonicWall’s Cyber Threat Report published in early 2022, details a sustained meteoric rise in ransomware with 623.3 million attacks globally with an exponential rise in all monitored threats, cyberattacks and malicious digital assaults including: ransomware, encrypted threats, IoT malware and cryptojacking.

The Best Defense Is a Good Defense

ComputerWeekly (Spain), SonicWall Byline: In cybersecurity, building the best possible defense also means incorporating some offensive strategies to gain intelligence about attackers and understand how they try to penetrate systems, says SonicWall.

SonicWall Boosts Wireless Play with Ultra-High-Speed Wi-Fi 6 Access Points

AIthority, Threat Report Mention: SonicWall announced the introduction of the new Wi-Fi 6 wireless security product line, which provides always-on, always-secure connectivity for complex, multi-device environments. Powered by Wi-Fi 6 technology, the new SonicWave 600 series wireless access points, coupled with Wireless Network Manager (WNM) 4.0, enable organizations to automatically secure wireless traffic while boosting performance and simplifying connectivity.

Uber’s Ex-Security Chief Faces Landmark Trial Over Data Breach That Hit 57m Users

The Guardian, Threat Report Mention: The trial will play out as reports of ransomware attacks continue to rise. In 2021, the US saw a more than 95% increase in ransomware attacks, according to the threat intelligence firm SonicWall. Many of those attackers have targeted healthcare facilities and schools. Hackers targeted the Los Angeles Unified School District (LAUSD), the second-largest school district in the US, with a cyber-attack over Labor Day weekend.

Public Transport Group Go-Ahead Hit by Cyber Attack

Financial Times, Threat Report Mention: There were 2.8bn known malware attacks in the first half of the year, up 11 percent, according to cyber security company SonicWall.

Kansas Most at Risk for Malware Attacks

Fox 4 News Kansas City, SonicWall News: SonicWall reports that malware dropped 4% year over year in 2021, with a total of 5.4 billion hits reported by the firm’s devices around the world. The company detected 2.9 billion malware hits on their US sensors in 2021. Florida saw the most malware hits with 625 million in 2021. The state didn’t appear on the latest list, indicating that these attacks can be successfully thwarted by technologies like antivirus software and firewalls.

Our Success Is Based on The Philosophy of Knowledge Building And Sharing

Digital Terminal (India), SonicWall News: Commenting on the increasing cyber incidents, Debasish Mukherjee, Vice President, Regional Sales APJ, SonicWall Inc said, “Across the globe, we saw that pandemic while stretched companies’ networks, accelerated their digital transformation, on the downside exposed them to more cybercrime. Cybersecurity has become much more important in today’s times than ever before. The global cyber security market is estimated to record a CAGR of 10.5% over the forecast period of 2022 to 2032.”

Industry News

Big Read: Spear Phishing Hackers Weaponizing Open-Source Software

Last week, we covered the ongoing woes from a persistent and malicious malware that assumes the disguise of a Chrome browser extension called ChromeLoader that was likely put into circulation by Russian ransomware gangs. This week, the focus is on open-source software that has been obviously and strategically weaponized by North Korean hackers for pretty much the same reason, and they appear to be very flexible about how they go about their attacks.

According to a report from ARS Technica, researchers believe hackers with connections to the North Korean government have been pushing a Trojanized version of the PuTTY networking utility to backdoor the network of organizations they want to watch. Researchers from security firm Mandiant said on Thursday that at least one customer it serves had an employee who installed the fake network utility by accident. The incident caused the employer to become infected with a backdoor tracked by researchers as Airdry.v2. A group Mandiant tracks transmitted the file as UNC4034. Compromised versions of other open-source software include well-known utilities such as KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording (and that list appears to be growing).

Another angle, according to Microsoft, has successfully compromised numerous organizations in acts of corporate espionage, data theft, financial gain and general network mayhem. For example, one group, named ZINC, deploys agents to connect with people over LinkedIn as job recruiters. Once a conversation is established, victims are asked to move away from LinkedIn and switch to WhatsApp, where the victim may receive files that contain malware. Victims include engineers and technical support staff at defense, aerospace, media and IT companies in the US, UK, and India.

ARS Technica reminds us that ZINC is Microsoft’s name for a threat actor group also known as Lazarus, best known for the devastating 2014 compromise of Sony Pictures Entertainment.

Infosecurity Magazine nails the story on the head by headlining the Zinc methodology as “spear phishing” with the added reliance on weaponized apps like PuTTY SSH. In addition, they included a statement from Google subsidiary, Mandiant: “This is likely one of several malware delivery techniques being employed by North Korean actors after a target has responded to a fabricated job lure.” The Mandiant advisory includes several technical indicators to help companies spot UNC4034-related activity. Its publication comes days after US authorities seized $30m in stolen cryptocurrency from North Korea.

Cyber Attacks Against Middle East Governments Hide Malware in Windows logo

The Hacker News: An espionage-focused threat actor has been observed using a steganographic trick to conceal a previously undocumented backdoor in a Windows logo in its attacks against Middle Eastern governments. Broadcom’s Symantec Threat Hunter Team attributed the updated tooling to a hacking group known as Witchetty(LookingFrog, and TA410). Intrusions involving TA410 – believed to share connections with a Chinese threat group known as APT10 (aka Cicada, Stone Panda, or TA429) – stand out with a modular implant called LookBack. Attacks that lead to the deployment of Stegmap then weaponize ProxyLogon and ProxyShell vulnerabilities in Exchange Server to drop the China Chopper web shell, that’s then used to carry out credential theft and lateral movement activities before launching the LookBack malware. All from clicking a logo.

Microsoft: Two New Zero-Day Flaws in Exchange Server

KrebsOnSecurity: Microsoft Corp. is investigating reports that attackers are exploiting two previously unknown vulnerabilities in Exchange Server, a technology many organizations rely on to send and receive email. Microsoft says it is expediting work on software patches to plug the security holes. In the meantime, it is urging a subset of Exchange customers to enable a setting that could help mitigate ongoing attacks. In customer guidance released Thursday, Microsoft is investigating two reported zero-day flaws affecting Microsoft Exchange Server 2013, 2016, and 2019. CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability that can enable an authenticated attacker to remotely trigger the second zero-day vulnerability — CVE-2022-41082 — which allows remote code execution (RCE) when PowerShell is accessible to the attacker. Bleeping Computer also reports on the same issues here and offers additional perspective on the vulnerabilities and CISA reporting.

Hackers are Ready to Deploy Deepfakes on Your Cybersecurity

TrendMicro, DarkReading: This story was second-place for our big read for the week, with deepfake technology is now poised to be a standard tool for malicious cybersecurity campaigns. For the average person, it isn’t easy to detect and mitigate deepfakes. That means cybercriminals have a considerable upside for deploying it as part of any ransomware campaign.

DarkReading’s reading on TrendMicro’s new study makes it easy to see that all the necessary elements for widespread use of deepfake technology exist today. Many of the basic components and expertise can be found in underground markets and open forums. In addition, the study shows that deepfake-enabled scams such as phishing and business email compromise (BEC) will rapidly change the nature of the threat landscape.

“From hypothetical and proof-of-concept threats, [deepfake-enabled attacks] have moved to the stage where non-mature criminals are capable of using such technologies,” says Vladimir Kropotov, a security researcher with Trend Micro and the principal author of a report on the topic that the security vendor released this week.

“We already see how deepfakes are integrated into attacks against financial institutions, scams, and attempts to impersonate politicians,” he says, adding that what’s scary is that many of these attacks use identities of real people — often scraped from content they post on social media networks.

One of the main takeaways from Trend Micro’s study is the ready availability of tools, images, and videos for generating deepfakes. The security vendor found, for example, that multiple forums, including GitHub, offer source code for developing deepfakes to anyone who wants it. Similarly, enough high-quality images and videos of ordinary individuals and public figures are available for bad actors to create millions of fake identities or impersonate politicians, business leaders, and other famous personalities.

In Case You Missed It

Seamless Security: How SonicWall Solutions Work Together to Safeguard Your Organization – Sarah Choi

SonicWall’s Nicola Scheibe Recognized by CRN as One of 2022’s 100 People You Don’t Know But Should – Bret Fitzgerald

SonicWall NSM 2.3.4 Uplevels Central Management Capabilities – Amber Wolff

Cybersecurity and the Metaverse: Virtual and Real Threats – Ray Wyman

Why 5G Needs to Start with Secure Network Access – Rishabh Parmar

Security Platform Vendors vs. Best-of-Breed Approach to Security Architecture – Rajesh Agnihotri

Why Organizations Should Adopt Wi-Fi 6 Now – David Stansfield

Vote for SonicWall in Computing Security Awards 2022 – Bret Fitzgerald

SonicWall Earns 2022 CRN Annual Report Card (ARC) Honor – Bret Fitzgerald

SonicWall Capture ATP Earns 100% ICSA Threat Detection Rating for Sixth Straight Quarter – Amber Wolff

Ten Cybersecurity Books for Your Late Summer Reading List – Amber Wolff

CoinDesk TV Covers Cryptojacking with Bill Conner – Bret Fitzgerald

First-Half 2022 Threat Intelligence: Geopolitical Forces Rapidly Reshaping Cyber Frontlines – Amber Wolff

2022 CRN Rising Female Star – Bret Fitzgerald

Enhance Security and Control Access to Critical Assets with Network Segmentation – Ajay Uggirala

Three Keys to Modern Cyberdefense: Affordability, Availability, Efficacy – Amber Wolff

BEC Attacks: Can You Stop the Imposters in Your Inbox? – Ken Dang

SonicWall CEO Bill Conner Selected as SC Media Excellence Award Finalist – Bret Fitzgerald

Cybersecurity in the Fifth Industrial Revolution – Ray Wyman

What is Cryptojacking, and how does it affect your Cybersecurity? – Ray Wyman

Why Healthcare Must Do More (and Do Better) to Ensure Patient Safety – Ken Dang

SonicWall Recognizes Partners, Distributors for Outstanding Performance in 2021 – Terry Greer-King

Anti-Ransomware Day: What Can We Do to Prevent the Next WannaCry? – Amber Wolff

mySCADA Command Injection Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  mySCADA professional tools are for developing and managing HMI (Human-Machine Interface)/SCADA (Supervisory Control and Data Acquisition) industrial processes. myPRO is one tool in mySCADA that is used to allow remote access to HMIs created in mySCADA projects. Users can develop mySCADA projects through myDESIGNER, and upload them to myPRO to allow remote users the ability to access the HMI over the network.

  A command injection vulnerability has been reported in mySCADA myPRO. The vulnerability is due to insufficient sanitization of user data used in commands.

  A remote, authenticated attacker could exploit this vulnerability by sending a crafted request to the target server. Successful exploitation could result in command execution in the security context of the root user.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-2234.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is low.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.6 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  By default, mySCADA contains an HMI project to help administer the server it’s located in “/opt/myscada/prj2”. mySCADA projects can use server-side Node.js scripts to read or write data from various sources such as the sever database or PLCs (Programmable Logic Controller). The server-side scripts can be interacted with by sending an HTTP POST request to the endpoint “/sss2”, with parameters passed in the HTTP body within a JSON object.

  When myPRO starts, it creates an Nginx reverse proxy with the configuration file “hmi.conf”. The configuration file includes the file “hmi.auth” containing the configuration for endpoints on the server. Requests made to the endpoint “/sss2” will be forwarded to “hxxp://127.0.0.1:8889” to a Node.js server. myPRO will start Node.js and run the file “/opt/mypro/prj2/Scripts/main.js”.

  The main.js file will then call myscada.init() that will call listen() to start the server on port 8889. When the Node.js server receives a user request, the body of the HTTP request will be passed to the function JSON.parse() to parse the request. The decoded body is then passed to the function dataFromViewScripts() to process it. When dataFromViewScripts() is called, the value of the JSON key “type” is compared to multiple strings to determine how the request should be processed. If the “type” key value is “deleteBackup”, the function will first call require() with the parameter “child_process” to include the function exec().

  Next, the function exec() is called with the string “/opt/myscada/bin/Backup -d” concatenated with the value of the “filename” key from the JSON from the user request. However, the value of the “filename” is not sanitized, allowing an attacker to inject arbitrary commands to the command-line before it is executed. If the value of the type key is “createBackup” or “restoreBackup”, the values of the “manualType” or “filename” keys will be added to a command-line and executed in a similar manner.

Triggering the Problem:

  • The attacker must have network access to the target server.
  • The target must be running a vulnerable version of the software.
  • The attacker must be able to authenticate to the server.

Triggering Conditions:

  The attacker sends a crafted request to the target sever. The vulnerability is triggered when the server attempts to process the crafted request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS

SonicWall’s, (IPS) Intrusion Prevention System, provides protection against this threat:

  • IPS: 3278 mySCADA myPRO Command Injection 1
  • IPS: 3280 mySCADA myPRO Command Injection 2
  • IPS: 3287 mySCADA myPRO Command Injection 3

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Updating the product to a non-vulnerable version.
    • Filtering attack traffic using the signatures above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

Seamless Security: How SonicWall Solutions Work Together to Safeguard Your Organization

Siloed solutions can’t keep up with modern cybersecurity needs. The future demands an integrated, holistic solution that maximizes security, visibility and agility.

No matter what security philosophy your organization adopts, it’s critical that individual solutions are working together to deliver layered protection and comprehensive visibility with control. In other words, to achieve a fortified security posture, a combination of hardware, software and network security components must be integrated intrinsically.

This blog series looks at different layers of SonicWall’s Boundless Cybersecurity, breaking down how each component is designed to seamlessly fit with the others for a tighter approach to deploying, managing and securing your environment.

Let’s start with the key benefits of leveraging a more holistic and intrinsic approach to securing your organization:

  1. End-to-end visibility and the ability to share intelligence across the unified security framework
  2. The contextual awareness needed to detect and remediate security risks with greater speed and accuracy
  3. The real-time and consolidated threat information that forms the basis of informed security policy decisions

While there are a number of benefits to choosing this approach, it’s important to note that it requires a security ecosystem that harnesses the power, agility and scalability of the cloud. That’s why SonicWall’s Capture Cloud Platform is the bedrock of Boundless Security — unifying and orchestrating cybersecurity across network, email, endpoint and cloud security offerings.

How SonicWall endpoint security and network security work seamlessly together

Now that we’ve outlined both the importance of a true integrated security posture and the key platform requirements, let’s take a quick look at how unified network and endpoint security work together.

In addition to protection-enhancing benefits like greater visibility and control, this approach also builds resistance by ensuring your endpoint security solution doesn’t leave you vulnerable to threats that infect your network.

Leveraging SonicWall next-generation firewalls (NGFW) together with Capture Client ensures endpoints and users are protected against threats and growing threat vectors. When integration is enabled, endpoints are detected on the network by the SonicWall enforcement service. Through this service, the firewall in turn checks the endpoints to make sure the Capture Client agent is deployed. If Capture Client is not installed, the endpoint’s access to the network is restricted.

This integration also enables sharing of user and device telemetry from the endpoints, enabling network threat alerts well as enforcement of deep packet inspection of encrypted traffic (DPI-SSL) by deploying trusted certificates to each endpoint.

How Capture Client, Capture Security Center and SonicWall NGFWs work together to ensure compliance and protect your network.

Key features when integrating SonicWall Capture Client and SonicWall Firewalls

Here are the key features that enable an integrated means of managing, monitoring and protecting your systems:

  • Endpoint Security Enforcement – Endpoints behind the firewall that do not have Capture Client running will not be able to access internet-based services via the firewall. Users of these endpoints will be prompted to download and install Capture Client via a Block page in their browser to regain connectivity to the internet.
  • User Visibility and Single Sign-On (SSO) – The IP addresses of endpoints behind the firewall are automatically mapped to the user logged into the endpoints at that time. This is used for user activity reporting, as well as single sign-on (SSO) to the firewall for user-based access policies.
  • Network Threat Alerts – Endpoints running Capture Client that trigger threat detections on the firewall by the GAV, IPS, App Control or Botnet engines will see a notification on their endpoint.
  • Enabling DPI-SSL – Certificate Provisioning can become a very cumbersome task and can hamper operational efficiency. With Capture Client Trusted Certificate Policies, administrators can enforce the installation of SSL certificates that will be used to inspect encrypted traffic to and from endpoints using the DPI-SSL feature.

These integrated features are only supported on Gen 7 firewalls and pre-Gen 7 firewalls running at least SonicOS 6.5.4, and will require some actions from the administrator. Check out this demo to see these features in action and learn how to set up and configure your SonicWall NGFW to integrate with SonicWall Capture Client.

Conclusion

There isn’t one single product or solution that provides an effective defense-in-depth strategy by itself. That’s why security and IT teams rely on multiple tools to ensure protection from threats and hackers. But managing multiple security solutions can be challenging and can result in silos — which can lead to gaps in your security posture.

To stay ahead and build resilience, your security tools have to be able to detect threats, respond efficiently and share information on emerging threats. These integrated tools autonomously detect threats and defend your network against new cyberattack methods.  Modern security tools share threat information collected and analyzed locally, allowing an endpoint security tool to communicate to network security tools about an identified threat and vice versa. By receiving and giving information about the new threat, tools can use shared data to create security policies to protect your system against identified threats.

To learn more about SonicWall Capture Client, visit our resource page for infographics, case studies, white papers, demos and more.

Clipboard Hijacker Dropped By STOP Ransomware

Recently we have seen multiple droppers dropping infostealers or banking trojans along with ransomware. Few weeks ago our researchers at SonicWall labs observed a clipbanker i.e. Clipboard Hijacker being dropped by djvu(STOP) ransomware.

Behaviour:
The Clipboard Hijacker malware was downloaded from URL hxxp://acacaca[.]org/files/1/build3[.]exe at path <Appdata>\Local\<UuId>\build3.exe. The dropped malware first uses dynamic API resolution to load APIs needed for further operations. It also makes sure that there is no other instance running by creating mutex “M5/610HP/STAGE2”. The name might implicate that this is the next stage of attack after ransomware execution.
It creates self copy at path <AppData>\Roaming\Microsoft\Network\mstsca[.]exe. This self copy is later executed using a scheduled task “Azure-Update-Task”. Task is scheduled to run every minute. The malware terminates itself after completing setting up scheduled task.

Fig 1. Scheduled Task

The mstsca[.]exe does the main clipboard hijacking activity. This again checks for mutex “M5/610HP/STAGE2” to confirm single instance is running at a time. The clipboard data is retrieved using GetClipboardData API. This data is then checked for string terminatore to check for separate strings in data.

Fig 2. String Check

Once found a string, length of string is calculated and cross-checked with the length of desired wallet address lengths.
After confirming desired length it checks for starting characters of the expected wallet addresses. In some cases few wallets have same length but these are differentiated based on initial characters. Below mentioned is the code snippet checking for bitcoin wallet address(Native SegWit addresses start with bc1q).

Fig 3. Bitcoin Wallet Check

This address from the retrieved clipboard is replaced by the address of same cryptocurrency already present in the binary. It continues to check for presence of other addresses till the clipboard data ends.
The replaced wallet addresses are copied to the current clipboard. The clipboard is cleared using EmptyClipboard and then the new data containing malware’s wallet addresses is copied to clipboard using SetClipboardData.

Fig 4. Clipboard Data Replace

After this, it sleeps for very short time and continues to check for clipboard data.

The malware has multiple wallet addresses of different wallets. One of the binance wallet from the list was mentioned in a magazin’s tweet(hxxps://twitter[.]com/westafricaweek/status/1471631329829834753). For this address, we have mentioned last one month’s amount received in below table.

Wallets:

Address

Wallet Amount Received($)

1My2QNmVqkvN5M13xk8DWftjwC9G1F2w8Z

bitcoin 1,224.97

3NLzE3tXwoagBrgFsjNNkPZfrESydTD8JP

bitcoin 0

bc1qx8vykfse9s9llguez9cuyjmy092yeqkesl2r5v

bitcoin

0

bnb136ns6lfw4zs5hg4n85vdthaad7hq5m4gtkgf23

binance 63,337,185
DBbgRYaKG993LFJKCWz73PZqveWsnwRmGc dogecoin

0

0xa6360e294DfCe4fE4Edf61b170c76770691aA111

ETH 918.67

LLiNjWA9h4LxVtDigLQ79xQdGiJYC4oHis

LitCoin

0

MBD2C8QV7RDrNtSDRe9B2iH5r7yH4iMcxk LitCoin

0.23

ltc1qa5lae8k7tzcw5lcjfvfs3n0nhf0z3cgrsz2dym

LitCoin 0
t1VQgJMcNsBHsDyu1tXmJZjDpgbm3ftmTGN Zcash

0

Ae2tdPwUPEZDqNhACJ3ZT5NdVjkNffGAwa4Mc9N95udKWYzt1VnFngLMnPE

Cardano 482.80

addr1qx4jwm700r2w6fneakg0r5pkg76vu7qkt6qv7zxza3qu3w9tyahu77x5a5n8nmvs78grv3a5eeupvh5qeuyv9mzpezuq60zykl

Cardano

6,683.23

Monero:
42UxohbdHGMYGPvW5Uep45Jt9Rj2WvTV958B5G5vHnawZhA4UwoD53Tafn6GRmcGdoSFUfCQN6Xm37LBZZ6qNBorFw3b6s2
89SPVUAPHDLSq5pRdf8Eo6SLnKRJ8BNSYYnvPL6iJxGP4FBCBmkeV3CTSLCbk6uydxRnub4gLH6TBRycxSAQN2m1KcnhrSZ

 

Although the malware has smaller functionality it may cause huge financial losses to victims. SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.

 

IOCs:
Stop Ransomware(parent file):
327224ab99915741b54b4e5b836ea8248cf2fe90d2113271422095cea8211d96

Clipboard Hijacker(dropped):
hxxp://acacaca[.]org/files/1/build3[.]exe
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0(build3.exe)

Microsoft Exchange Server zero day vulnerabilities

SonicWall Capture Labs Threat Research team is investigating following vulnerabilities in the Microsoft Exchange Server that are being exploited in the wild. First CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability and the second, identified as CVE-2022-41082 allows remote code execution (RCE).

Microsoft Exchange Server 2013, 2016, and 2019 are vulnerable to these attacks. CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. Authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities.

Microsoft has outlined some mitigations here

SonicWall Capture Labs provides protection against this threat via following signatures:

  • IPS 15499 :Microsoft Exchange Server SSRF (CVE-2022-41040)
  • IPS 15660 :autodiscover.json Access

In order to detect the exploitation of this vulnerability over HTTPS, server DPISSL needs to be enabled.
Please check for updates as we continue to monitor this threat.

PDF File is being used to spread AgentTesla

SonicWall Capture Labs Threat Research team has observed a PDF file getting detected by SonicWall Real Time Deep Memory Inspection (RTDMI), which comes as an e-mail attachment. The PDF file contains a link which downloads a malicious PowerPoint file, which then executes AgentTesla as the final payload on the victims machine. The threat actors are now more focused on delivery mechanism and infection chain, by keeping a low profile and very less exposure of malicious code to traditional security providers.

PDF File:

The PDF file contains a link to download the PPAM(PowerPoint File Add-in with macro) which is posted on “Mediafire file hosting service”. The PPAM file is downloaded with a genuine looking name as “invoice_4_812937_pdf.ppam”.

Fig : screenshot of PDF file

 

PPAM (PowerPoint) File:

The PowerPoint file has an embedded macro, The macro has an “Auto_Open” function which creates an instance of WScript.Shell object using CLSID {72C24DD5-D70A-438B-8A42-98424B88AFB8}. And using this Shell Object Mshta is executed to run the remote HTML file.

Fig: screenshot of macro

HTML File:

The HTML file contains an obfuscated JavaScript, which tries to kill “WinWord.exe” process and creates a scheduled task as ‘micsrssowfwWorsald’ which opens “http[:]//www[.]4kfgjfkg[.]blogspot[.]com/atom.xml” using Mshta. It also loads a remote hosted PowerShell script using  IRM(Invoke-RestMethod) and runs its using IEX(Invoke-Expression).

Fig: Deobfuscated HTML code

PowerShell Script:

The PowerShell script, creates a folder in ‘C:\ProgramData\’ as ‘MEMEMAN’ and drops 5 files in that folder as:

  • helloitsindian.vbs : First file to be executed which runs two files ‘JIGIJIGI.vbs’ and ‘JIGIJIGI.bat’ and also copies itself at same location.
  • JIGIJIGI.vbs : This VBS file creates two scheduled tasks as ‘Appligation’ which executes helloitsindian.vbs and ‘ChromiumPluginupdate’ which executes ‘ChromeExtentionUpdate.vbs’, both run  at an interval of 120 mins and 45 mins respectively, and then deletes itself.
  • ChromeExtentionUpdate.vbs : This VBS file checks whether it is executed with admin privileges, if not then again execute itself with admin privileges. The it runs ‘JIGIJIGI.bat’, also modify the registry entry ‘HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA’ as ‘0’ to disable Windows User Account Controls notification. Then deletes the ‘ChromiumPluginupdate’ scheduled task and deletes itself.
  • JIGIJIGI.bat : It just executes ‘GOLGAPORA.PS1’ using PowerShell with ‘-NoProfile -ExecutionPolicy Bypass -Command’ arguments.
  • GOLGAPORA.PS1 : This PowerShell script is responsible for transferring execution to the AgentTesla.

GOLGAPORA.PS1:

This PowerShell script first tries to kill “msbuild”, “CasPol”, “jsc”, “cmstp” and “mshta” processes. It has two hex encoded PE files, one is the test.exe(Loader File) and other one is the AgentTesla malware file.

It loads the test.exe($YIV4Z) hex bytes as assembly using ‘System.Reflection.Assembly’ and find TypeDef as ‘CALC.PAYSIAS’, then finds a method named as ‘Execute’ in this TypeDef. It invokes this method three times with two arguments, first argument is the path of a genuine exe(one of these jsc.exe, caspol.exe or Msbuild.exe) and second argument is the byte array of the AgentTesla PE file($WULC4). This method in test.exe, creates the process by the path given as first argument and using Process hollowing techniques replace the code with AgentTesla malware code passed as second argument.

This PowerShell script then runs two more PowerShell commands present is variables $OASI4 and $DEF. Which tries to bypass AMSI, disables script logging, disables AVProtection, add exclusions etc.

The AgentaTesla binary has File Description as ‘Web Browser Pass View’ and Company Name as ‘NirSoft’ to disguise itself as NirSoft password recovery Tool.

AgentTesla:

AgentTesla steals system sensitive information like keystrokes, login credentials used in browsers, collect various types of data likes cookies, clipboard data, system information and email clients used on infected machines. In our cases it connecting to the ftp server hosted at this IP address ‘107[.]182[.]129[.]168’ and posting the a HTML file which has the gathered information of the infected machine on this FTP server, the HTML file name format is PW_[UserName]-[DeivceName]_[Date&Time].html.

We got the credentials of the FTP server where it is keeping all the stolen information. Below is the screenshot of the files present at that server at the time of analysis.

 

Unavailability of the PDF file and AgentTesla PE file in popular threat intelligence sharing portals like the VirusTotal indicates its uniqueness and limited distribution:

Fig: ScreenShot of no presence of PDF file on VT

 

Fig: ScreenShot of no presence of AgentTesla file on VT

The Powerpoint file is on VT with very less AV’s detections.

Fig: Less AV’s detecting the PowerPoint File

SonicWall Real Time Deep Memory Inspection (RTDMI) is detecting the malicious PDF file, PowerPoint file, test.exe and the AgentTesla too.

Evidence of detection by RTDMI ™ engine can be seen below in the Capture ATP report for this file:

IOCs:

  • PDF files:
    • 025e30e26d9fa00704341845ab5e0dd097421f7ebb3a199aca7b4ca63e38dd0a
    • 11a410994a72dd8c425efb07eb010feab044da83cb8d9297fc58caac9234814e
    • 14a3cf9f5195ff0569e1aca332a678168e4033fd7bb9e2abf58d976091da487f
    • 1eb130b70d0ad9edd8d0c3aae85285e4f5a2b89cb2261270a53520c8e848a8ad
    • 20fffce237d00f8f2f18be97f0923d4539595d2770a3fbfd55612c1a3e6c5c49
    • 30120bc60edfd917684c9db65f0cce73a9200ae7b7e8a67ade47daf470f472fc
    • 347d7ff129922925586b4a85477c5d36653dbdac257f4b8ab3600eac1968e93c
    • 404b4dc973010fb5414e8c1de1ebc7ca26dad76e3ef8b39f86fdfb358983d5bf
    • 943bab7877f8f66d0cfd23d377bbe903cc33e8231d83610ff246cf49f2928e11
    • c73eaba24ac6046c98b3a53f533b779d412794b99a6c6b48b2bef0a7cf3e397b
    • fd2ca85f0eaa8150ab386190793d1f5a09f346b17daee7713c5ad5b5de0f7d25
  • PowerPoint Files:
    • 0a78f630b03cdcafaf8a056986ad208651d72ea1365a75f1c53202292b48dfc1
    • 470f45f8b3a5b7dd11f120a37bda0275d27df62c2080e5ce925804cd2f16fc0f
    • 4fd8e19204982c6a0b542d252e51a121bf5e380be79db4e6f52f4541eaac044d
    • b0cf8520a0a7185c96397e1cb36a49d6215fd8643a1790a95bd19dd123130fe2
    • c639cb71b586b5468a37ece7afc56c2b9653f15021a9ecc83e6428c744ac99b8
    • d581f15f3176e4f22c22a61f3506b50a715a4297876e9f250bf37f55880c45b6
    • f7353ec4f751d69464d3b51344e2283e8a5607eb5c2b66cbb5a6b0102a58f697
  • PowerPoint executing remote HTML file:
    • 18f7ee55aeeba4d8e780fa3f56bf48129dfa8fb224c715f83536c2dc7af3ac8b
  • PowerShell file HTML executes:
    • 741a149fbaa0c23f37423c56d0f32372c0b04415980e6e6ed5884e97dca70887
  • test.exe :
    • 39e67f25b0fa660db0541bf37e315fb4def772bd3b6d67991b64a5a85914477d
  • AgentTesla :
    • 91e2b07568642b001f91ce89b9cae0fb436dbc82ee0df28c00a756cd96ee94c4

SonicWall’s Nicola Scheibe Recognized by CRN as One of 2022’s 100 People You Don’t Know But Should

MILPITAS, Calif. — September 26, 2022 — SonicWall announced today that CRN, a brand of The Channel Company, has named Sr. Director, Global Field Marketing Nicola Scheibe, as one of the IT channel’s 100 People You Don’t Know But Should for 2022. This annual list honors the IT channel’s unsung heroes who work tirelessly to support channel partners, while rarely stepping into the spotlight.

CRN’s editorial team assembles this list every year based on feedback from solution providers and industry executives to identify behind-the-scenes channel players who help partners drive growth, innovation, and profit.

With her 15+ year experience in IT security, Scheibe is responsible for all direct field marketing activities, as well as any joint activities with partners and distributors across SonicWall’s global regions.

“Nicola is a perfect reflection of SonicWall’s commitment to our partner network, as she has built a strong channel team, managed the global roll-out of marketing campaigns to and through our channel partners and helped build SonicWall’s channel strategy,” said SonicWall Executive Vice President of Americas Channel Jason Carter “I am grateful to CRN for recognizing Nicola’s remarkable contributions. She has been an instrumental leader, and she has been integral in driving our channel expansion over the last several years.”

“We are thrilled to honor and recognize the extraordinary group included on this year’s 100 People You Don’t Know But Should list for their remarkable contributions to the channel and their partners,” said Blaine Raddon, CEO of The Channel Company. “There are many talented and creative individuals working behind the scenes every day that contribute to channel growth and make game-changing decisions that impact partner success.”

CRN’s 100 People You Don’t Know But Should spotlights some of the channel’s best and brightest people who may not be as visible as some channel chiefs or CEOs but are just as important to the partner community.

The 100 People You Don’t Know But Should will be featured in the October issue of CRN Magazine and can be found online at www.crn.com/100people.

Cybersecurity News & Trends

A curated collection of the top cybersecurity news and trends from leading bloggers and news outlets.

Our big cybersecurity read this week is a developing story over the ChromeLoader Malware that seems to be getting worse and worse, with contributions from Red Canary, Bleeping Computer, the Register, VMware, and Dark Reading. Please note that it’s a strongly recommended read for anyone using Google Chrome. Next is a big hack of the 2K gaming platform, which was apparently hit by hackers earlier this week. As reported by Engadget, the company was very quick to acknowledge the hack and is warning the public not to open any emails from its support department. Next, Dark Reading dug up evidence of the mysterious ‘Metador’ cyber-espionage group infecting multiple telecommunications company services, internet service providers, and universities in Africa and the Middle East. And saving the best for last, back to Dark Reading, was it an angry developer who worked for the hackers? We’ll probably never know, but whoever it was probably helped develop LockBit’s latest ransomware encryptor (LockBit 3.0) and then released the decoder to the public.

And you will notice that SonicWall continues to run the global circuit with new developments and more corporate mentions, and always on the front lines protecting your networks and properties.

Remember that cybersecurity is everyone’s business. Be safe out there!

SonicWall News

SonicWall’s Matt Brennan Talks New Leadership and Taking ‘Outside-In’ Approach

CRNtv, SonicWall Interview with Matt Brennan: With a New CEO and Matt Brennan taking on the role as channel chief at SonicWall, Brennan discusses some of the changes partners can expect from the new leadership and winning a CRN 2022 Annual Report Card Award.

The Soaring Threat Going Undetected

Blockchain Tribune, SonicWall Byline from Immanuel Chavoya: The popularity of cryptocurrencies has increased, not only in their overall market value but also in the number of people looking to digital currencies to generate totally independent revenue. While some do this through investing and selling cryptocurrency directly, others are turning to transaction processing (cryptomining) to turn a profit.

3 Cybersecurity Solutions Likely to Gain Traction In 2022 And Beyond

Cyber Defense Magazine, SonicWall Threat Report Mention: In June 2021, there were nearly 78.4 million ransomware attacks worldwide. This implies that about 9.7 ransomware attempts per consumer were made for every business day.

Why Retail Stores Are More Vulnerable Than Ever to Cybercrime

IFSEC Global, SonicWall Threat Report Mention: Figures from SonicWall’s Biannual Report revealed that ecommerce and online retail businesses saw a 264% surge in the past 12 months in ransomware attacks alone. These kinds of statistics are extremely worrying for retail businesses, so it is unsurprising that websites and digital security are at the forefront of retailers’ minds.

Elections, A Full Plate for Cybercrime in Brazil

Monitor (Brazil), SonicWall Threat Report Mention: According to a report by SonicWall, there were approximately 33 million attacks in the country, which places it in the fourth position among the countries that suffer the most from this type of crime, behind only the US, Germany and the United Kingdom.

SonicWall Threat Report Mid-Year Update Highlights Significant Threat Variance

IT Brief New Zealand, SonicWall Threat Report Mention: The cyber threat landscape is continuing to become increasingly diverse. With COVID-19 and many geopolitical crises occurring worldwide, threat actors are capitalizing on various cybersecurity gaps, and, as a result, enterprises and end users are often put at risk.

Defending Against Ransomware Attacks

Professional Security, SonicWall Threat Report Mention: In retail in particular, in the year from February 2021, the 2022 SonicWall Cyber Threat Report revealed that there was a 264pc increase in ransomware attacks on ecommerce and online retail businesses. Estimates suggest that over 40% of retail organizations suffered a ransomware attack.

Ransomware Roulette with Consumer Trust – The Link Between Loyalty and Attacks

Information Security Buzz, SonicWall Threat Report Mention: In retail in particular, in the year from February 2021, the 2022 SonicWall Cyber Threat Report revealed that there was a 264% increase in ransomware attacks on ecommerce and online retail businesses. Estimates suggest that over 40% of retail organizations suffered a ransomware attack.

Metaverse: An Emerging Market in Virtual Reality

TechSling, SonicWall Threat Report Mention: Cyber-attacks have targeted market participants, raising high sensitivity and security concerns. According to SonicWall, nearly 500 million cyber-attacks were reported through September 2021, with over 1700 attacks reported per organization.

Protecting Against Customizable Ransomware

CXO Today, Threat Report Mention: All sorts of Cybercrimes have grown tremendously in recent years. SonicWall’s Cyber Threat Report published in early 2022, details a sustained meteoric rise in ransomware with 623.3 million attacks globally with an exponential rise in all monitored threats, cyberattacks and malicious digital assaults including: ransomware, encrypted threats, IoT malware and cryptojacking.

The Best Defense Is a Good Defense

ComputerWeekly (Spain), SonicWall Byline: In cybersecurity, building the best possible defense also means incorporating some offensive strategies to gain intelligence about attackers and understand how they try to penetrate systems, says SonicWall.

SonicWall Boosts Wireless Play with Ultra-High-Speed Wi-Fi 6 Access Points

AIthority, Threat Report Mention: SonicWall announced the introduction of the new Wi-Fi 6 wireless security product line, which provides always-on, always-secure connectivity for complex, multi-device environments. Powered by Wi-Fi 6 technology, the new SonicWave 600 series wireless access points, coupled with Wireless Network Manager (WNM) 4.0, enable organizations to automatically secure wireless traffic while boosting performance and simplifying connectivity.

Uber’s Ex-Security Chief Faces Landmark Trial Over Data Breach That Hit 57m Users

The Guardian, Threat Report Mention: The trial will play out as reports of ransomware attacks continue to rise. In 2021, the US saw a more than 95% increase in ransomware attacks, according to the threat intelligence firm SonicWall. Many of those attackers have targeted healthcare facilities and schools. Hackers targeted the Los Angeles Unified School District (LAUSD), the second-largest school district in the US, with a cyber-attack over Labor Day weekend.

Public Transport Group Go-Ahead Hit by Cyber Attack

Financial Times, Threat Report Mention: There were 2.8bn known malware attacks in the first half of the year, up 11 percent, according to cyber security company SonicWall.

Kansas Most at Risk for Malware Attacks

Fox 4 News Kansas City, SonicWall News: SonicWall reports that malware dropped 4% year over year in 2021, with a total of 5.4 billion hits reported by the firm’s devices around the world. The company detected 2.9 billion malware hits on their US sensors in 2021. Florida saw the most malware hits with 625 million in 2021. The state didn’t appear on the latest list, indicating that these attacks can be successfully thwarted by technologies like antivirus software and firewalls.

Our Success Is Based on The Philosophy of Knowledge Building And Sharing

Digital Terminal (India), SonicWall News: Commenting on the increasing cyber incidents, Debasish Mukherjee, Vice President, Regional Sales APJ, SonicWall Inc said, “Across the globe, we saw that pandemic while stretched companies’ networks, accelerated their digital transformation, on the downside exposed them to more cybercrime. Cybersecurity has become much more important in today’s times than ever before. The global cyber security market is estimated to record a CAGR of 10.5% over the forecast period of 2022 to 2032.”

Industry News

Big Read: ChromeLoader Malware Headaches Spreading into Ransomware and More Pain

By now, you’ve heard (or should have heard) about the malware that’s been making the rounds in millions of desktops and laptops all over the world. It’s literally THAT kind of problem. ChromeLoader, a malicious Chrome browser extension, is classified as a pervasive hijacker. It modifies the browser settings to hijack search queries to popular engines such as Google, Yahoo!, and Bing. The malicious code can also use PowerShell to insert itself into the browser. We found a report from Red Canary about a malicious campaign to spread the ChromeLoader malware, which hijacks victims’ browsers. And it looks like it got worse from there.

Bleeping Computer reports that VMware and Microsoft are warning of an ongoing, widespread Chromeloader malware campaign that has evolved into a more dangerous threat, seen dropping malicious browser extensions, node-WebKit malware, and even ransomware in some cases. Chromeloader infections surged in Q1 2022, with warnings about advertising fraud. They’re reporting says that the malware infected Chrome with a malicious extension that redirected user traffic to advertising sites to perform click fraud and generate income for the threat actors.

The “worse part”? The Register reports that nasty variants of the software are now dropping in on Windows PCs and Macs, according to researchers at VMware’s Carbon Black Managed Detection and Response (MDR) team. The unit’s report this week about the rapidly growing number of more dangerous ChromeLoader variants dovetails with what other cybersecurity researchers have detected.

That development comes on the heels of a warning from Microsoft late last week, reported by Dark Reading, about a click-fraud campaign by a threat group called DEV-0796 and likely using an infected ChromeLoader to hit victims’ computers with malware. According to Dark Reading, the Windows port of ChromeLoader is typically delivered as ISO image files that victims are tricked into downloading.

2K Confirms Its Support Desk Was Hacked to Send Malware to Gamers

Engadget: Video game publisher 2K is warning the public not to open any emails from its support account after confirming it had been hacked. “Earlier today, we became aware that an unauthorized third party illegally accessed the credentials of one of our vendors to the help desk platform that 2K uses to provide support to our customers,” the official 2K Support Twitter account posted on Tuesday.

News of the security breach broke yesterday after Bleeping Computer shared screenshots of phishing emails sent to 2K customers. The emails took the form of unsolicited support tickets. Those who opened the message were subsequently sent a second email prompting them to download “the new 2K games launcher.” Putting the 107MB executable through VirusTotal and Any.RunBleeping Computer found it contained malware designed to steal any passwords its target may have stored on their browser.

2K recommends immediately changing any passwords stored in your browser, enabling two-factor authentication where possible, installing anti-virus software and checking that the forwarding settings on your email accounts haven’t been changed.

Researchers Uncover Mysterious ‘Metador’ Cyber-Espionage Group

Dark Reading: A new threat actor infected a telecommunications company in the Middle East and multiple Internet service providers and universities in the Middle East and Africa is responsible for two “extremely complex” malware platforms. Still, a lot about the group remains shrouded in mystery, according to current research.

SentintelLabs researchers shared their findings at LabsCon. They named the group Metador based on the phrase “I am meta” in the malicious code and the fact that server messages are often in Spanish. Although the group has appeared active since December 2020, it has flown under the radar for the past few years. Juan Andres Guerrero–Saade is the senior director at SentinelLabs. He said the team shared information about Metador with researchers from other security firms and government partners, but before this discovery, no one knew anything.

MetaMain, a backdoor, can log mouse and keyboard activity and take screenshots to exfiltrate files and data. Hackers can also use it for installing Mafalda. This highly modular framework gives attackers the ability to gather system and network information and other capabilities. Both MetaMain, as well as Mafalda work entirely in memory. They do not need to be installed on the hard drive.

LockBit Ransomware Builder Leaked Online By “Angry Developer”

Bleeping Computer: A new and interesting twist in the game of ransomware has been reported, and it’s probably not what you think. The LockBit ransomware operation has suffered a breach, and even that’s not what you think. An allegedly disgruntled hacker developer has apparently leaked the gang’s newest encryptor. Yes. We told you this was interesting.

Back in June, the LockBit ransomware operation released version 3.0 of their encryptor, codenamed LockBit Black, after testing it for two months. According to Bleeping Computer, the new version promised to ‘Make Ransomware Great Again,’ adding new anti-analysis features, a ransomware bug bounty program, and new extortion methods. All seemed fabulous for the crime gang, but then the gang itself suffered a breach when two people (or maybe the same person) leaked the LockBit 3.0 builder on Twitter. As the story goes, a newly created Twitter account called ‘Ali Qushji’ posted that team hacked LockBits servers and found a builder for the LockBit 3.0 ransomware encryptor.

In Case You Missed It

SonicWall NSM 2.3.4 Uplevels Central Management Capabilities – Amber Wolff

Cybersecurity and the Metaverse: Virtual and Real Threats – Ray Wyman

Why 5G Needs to Start with Secure Network Access – Rishabh Parmar

Security Platform Vendors vs. Best-of-Breed Approach to Security Architecture – Rajesh Agnihotri

Why Organizations Should Adopt Wi-Fi 6 Now – David Stansfield

Vote for SonicWall in Computing Security Awards 2022 – Bret Fitzgerald

SonicWall Earns 2022 CRN Annual Report Card (ARC) Honor – Bret Fitzgerald

SonicWall Capture ATP Earns 100% ICSA Threat Detection Rating for Sixth Straight Quarter – Amber Wolff

Ten Cybersecurity Books for Your Late Summer Reading List – Amber Wolff

CoinDesk TV Covers Cryptojacking with Bill Conner – Bret Fitzgerald

First-Half 2022 Threat Intelligence: Geopolitical Forces Rapidly Reshaping Cyber Frontlines – Amber Wolff

2022 CRN Rising Female Star – Bret Fitzgerald

Enhance Security and Control Access to Critical Assets with Network Segmentation – Ajay Uggirala

Three Keys to Modern Cyberdefense: Affordability, Availability, Efficacy – Amber Wolff

BEC Attacks: Can You Stop the Imposters in Your Inbox? – Ken Dang

SonicWall CEO Bill Conner Selected as SC Media Excellence Award Finalist – Bret Fitzgerald

Cybersecurity in the Fifth Industrial Revolution – Ray Wyman

What is Cryptojacking, and how does it affect your Cybersecurity? – Ray Wyman

Why Healthcare Must Do More (and Do Better) to Ensure Patient Safety – Ken Dang

SonicWall Recognizes Partners, Distributors for Outstanding Performance in 2021 – Terry Greer-King

Anti-Ransomware Day: What Can We Do to Prevent the Next WannaCry? – Amber Wolff

SonicWall NSM 2.3.4 Uplevels Central Management Capabilities

Today’s businesses must protect more, in more places, more quickly than ever before. As they do, they’re confronted by more attacks launched by more bad actors. Unfortunately, this acceleration never seems to reach the “supply” side of the equation — many organizations are struggling to get by on stagnant IT budgets, and the number of qualified cybersecurity professionals still isn’t keeping pace with the demand.

As your cybersecurity infrastructure expands, so do the challenges of managing it. To help organizations centralize and simplify firewall management in today’s increasingly complex threat landscape, SonicWall introduced Network Security Manager (NSM) in the latter half of 2020.

SonicWall NSM: Centralized Management. Elevated Security

SonicWall NSM is a scalable, cloud-native application designed to help organizations optimize, control and monitor hundreds of network security devices — including firewalls, managed switches and secure wireless access points — from anywhere via a simple interface. Available in both a cloud solution and an on-premises deployment, NSM offers complete, real-time visibility into your traffic and threats; the ability to synchronize consistent security policies across your environment; a full audit trail to ease compliance; and intuitive, self-guided workflows to uplevel and empower your admins.

SonicWall NSM 2.3.4: More Features, Less Complexity

With the release of NSM version 2.3.4, SonicWall is adding four new feature capabilities to an already highly robust and versatile management solution: Zero Touch 2.0, System Events for Gen 7 firewalls, tenant- and group-level custom reports, and CIDR-based search.

Zero Touch 2.0

The ability to onboard new firewalls from anywhere has been a major benefit of NSM since the beginning — but Zero Touch 2.0 both strengthens and enhances this capability. Zero Touch 2.0 is a new microservices-based architecture designed to further simplify the onboarding of firewalls. It increases the reliability of the connection between NSM and the firewalls in your ecosystem, providing a stable, high-performance connection that speeds firmware upgrades and configuration deployments via NSM.

While the move to Zero Touch 2.0 will require migration, users won’t need to do anything to take advantage of these new capabilities: the move will be done in phases by SonicWall. If you’re running one of the supported models (see below), watch your MySonicWall account — you’ll receive a notification in advance when your account is selected for an upgrade. Once the migration is complete, Zero Touch 2.0 will appear in the firewall inventory.

Zero Touch 2.0 allows you to onboard new firewalls from anywhere, saving time and travel costs

Zero Touch 2.0 is available for Gen 6 TZ/NSA/NSsp, Gen 7 TZ/NSA/NSsp and NSv deployments running Gen 6 versions 6.5.4.x or higher and Gen7 versions 7.0.1-5065 or higher.

System Events (Gen 7 Firewalls)

NSM maintains an event log for tracking potential security threats. With the release of NSM version 2.3.4, Gen 7 firewalls with NSM Advanced licenses can now view system event logs in NSM. This option can be accessed under Firewall -> Monitor -> System Events.

If you have uploaded to Gen 7, you can now track potential security threats in real time.

For compliance recordkeeping or to ease in investigations, admins can export the system events data in CSV format.

Users running SonicOS 7.0.1-5080 and higher will be able to take advantage of the new System Events feature.

Tenant- and Group-Level Custom Reports

NSM’s granular reporting capabilities already allowed users to schedule reporting, customize reports with any combination of traffic data, and access up to a year’s worth of recorded logs to aid in historical analysis, anomaly detection, discovery of security gaps and more. Now, with the release of NSM 2.3.4, users can create custom reports at the device group level or the tenant level as well.

The new Custom Reports feature adds functionality to the already robust NSM reporting capabilities.

Creating these custom reports is as easy as navigating to the Management view and selecting a device group under “Scope Selector.”

CIDR-Based Search

With the release of NSM 2.3.4, admins are now able to search multiple IPs within the Analytics data by using a CIDR. For example, all the subnets under the series 142.250 can be searched by entering 142.250.0.0/16 in the search box.

Smarter management tools are required for security teams to do their job effectively — and as attacks grow more sophisticated and security teams are increasingly stretched, these tools need to become even smarter over time. With NSM 2.3.4, SonicWall is upleveling its network management solution, giving businesses of all sizes new capabilities to ensure easier, more versatile and more comprehensive firewall management.

SonicWall NSM 2.3.4 for SaaS began rolling out in late August, and the on-premises version will be released in November 2022. To learn more about SonicWall NSM, click here.

Wavlink WN533A8 Cross-Site Scripting

Wavlink is a wireless network and comprehensive IT peripherals brand that serves countries around the world
Its product offerings include the Wavlink WN533A8, a wireless router with tri-band Wi-Fi technology that adds another independent stream of communication onto 5 GHz to increase network bandwidth.

Cross-Site Scripting
Cross-Site Scripting (XSS) attacks are a type of injection attack that occurs when malicious scripts are injected into otherwise benign and trusted websites. An attacker then uses a web application to send malicious code, generally in the form of a browser side script, to the end user.

XSS attacks abuse the dynamic way websites interact with the browsers. These attacks make it possible , for an attacker, to control the victim’s browser and their interaction with a given vulnerable website. Injection attacks display back content provided or controlled by a user, like an URL parameter or an input field. This opens the door to manipulation of the content.
When the website or application simply reflects back content maliciously manipulated by user it is called a reflected XSS attack. This reflection affects the way browsers displays the page , how they behave and process things.

Wavlink WN533A8 Cross-Site Scripting | CVE-2022-34048
Wavlink WN533A8 M33A8.V5030.190716 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the login_page parameter.
The application fails to validate and sanitize input leading to XSS. When a malicious code is passed to the vulnerable login_page , it is reflected back to the victim browser. Since the code comes from a “trusted” server, the browser then executes it .This could lead to disclosure of a user’s session cookie,which in turn could allow the attacker to hijack the user’s session and take over the account.

 

SonicWall Capture Labs provides protection against this threat via following signature:

  • IPS 1326:Wavlink WN533A8 Cross-Site Scripting

Threat Graph