Magniber ransomware seen distributed via ISO disc image files

This week, the SonicWall Capture Labs Research team analyzed a ransomware called Magniber. This ransomware has been around since 2017 as a successor to Cerber and, when we first covered it, targeted only a single country. It has since widened its targeting and has been delivered in many forms, from JavaScript to archive files and, more recently, Microsoft Software Installer (MSI) files and ISO images. What has not changed is that it still purports to be a software security update to lure victims into installing it.

Infection Cycle:

The ransomware installer arrives as a fake Windows update in the form of an optical disc image (ISO).

Within the ISO are two files, which may use the following filenames:

  • 5G offer.LNK
  • 5G-installer.MSI

The LNK file is a Windows shortcut that serves as a pointer to load the MSI file using msiexec.exe.

The Windows Installer file (MSI) uses the following file properties.

Once executed, it displays the following installation progress window. Note that the Knowledge Base article referenced (KB5023921) is nonexistent and completely made up.

Upon execution, the first thing it does is delete the Volume Shadow Copies via the following command; it then proceeds to encryption.

vssadmin.exe Delete Shadows /all /quiet

It changes the desktop background upon successful infection.

A readme.html placed in every directory containing encrypted files shows instructions on how to retrieve the victim’s files.
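The infection chain above (installer launched through msiexec.exe, then vssadmin.exe deleting every shadow copy) is what an endpoint telemetry rule should key on. The following is an added example, not SonicWall code; the event schema (pid, ppid, image, cmdline) is a simplified, assumed process-creation record, and the sample events are constructed.

```python
"""Flag Volume Shadow Copy deletion and rate it higher when the process
ancestry shows it was spawned from a Windows Installer run, the chain
described for the Magniber ISO/MSI lure.

Added example; the Event schema is an assumption, not a vendor log format."""
import re
from dataclasses import dataclass

# Matches "vssadmin.exe Delete Shadows /all /quiet" and case/spacing variants.
SHADOW_DELETE = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)


@dataclass
class Event:
    pid: int
    ppid: int
    image: str      # full path, e.g. C:\Windows\System32\vssadmin.exe
    cmdline: str


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Image basenames from pid up to the root, the process itself first."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(_basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def detect(events):
    """Return one finding per shadow-copy deletion, with its process chain."""
    findings = []
    for e in events:
        if _basename(e.image) != "vssadmin.exe" or not SHADOW_DELETE.search(e.cmdline):
            continue
        chain = ancestry(events, e.pid)
        # Deleting shadows is rarely legitimate; doing it from an installer
        # matches the ransomware chain on this page, so rate it critical.
        severity = "critical" if "msiexec.exe" in chain[1:] else "high"
        findings.append({"pid": e.pid, "severity": severity,
                         "chain": chain, "cmdline": e.cmdline})
    return findings


# Constructed sample telemetry: explorer -> msiexec (fake update MSI) -> vssadmin.
SAMPLE_EVENTS = [
    Event(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    Event(2010, 1000, r"C:\Windows\System32\msiexec.exe",
          r'msiexec.exe /i "E:\5G-installer.MSI"'),
    Event(2044, 2010, r"C:\Windows\System32\vssadmin.exe",
          "vssadmin.exe Delete Shadows /all /quiet"),
    Event(3001, 1000, r"C:\Windows\System32\vssadmin.exe",
          "vssadmin.exe list shadows"),   # benign: listing, not deleting
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["severity"], " <- ".join(f["chain"]), "|", f["cmdline"])
```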

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Magniber.RSM_1 (Trojan)
  • GAV: Magniber.RSM_2 (Trojan)
  • GAV: Magniber.RSM_3 (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Adobe ColdFusion Heap Buffer Overflow Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  Adobe ColdFusion is an application development platform by Adobe Systems. It is an IDE used to develop web applications and supports a full scripting language, ColdFusion Markup Language (CFML). Since ColdFusion MX 6.0, the server component runs within a Java Runtime Environment (JRE). The ColdFusion Administrator organizes information about all ColdFusion server database connections in a single location. ColdFusion ships with a number of drivers for connecting to multiple databases, among them the ODBC Socket.

  The ODBC Socket is the data source relevant to understanding this vulnerability. ODBC Socket is a type of database driver that allows applications to connect to a database using the Open Database Connectivity (ODBC) interface; instead of connecting directly to the database, the driver connects to a server that acts as a bridge between the application and the database. The “socket” receives the application’s requests, translates them into the appropriate format for the database, and sends the results back to the application. The use of a socket allows for greater flexibility and scalability, as the socket can be configured to connect to multiple databases, and it can also be used to add security features such as encryption and authentication.

  A heap-based and stack-based buffer overflow vulnerability exists in the Adobe ColdFusion ODBC Server component. This vulnerability is due to the lack of proper validation of user-supplied data, which can result in a buffer overflow.

  A remote, unauthenticated attacker could exploit this vulnerability by sending a maliciously crafted request to the target service. In the worst case, successful exploitation could result in arbitrary code execution with SYSTEM privileges.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-35711.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.7 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.7 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  A working understanding of the General Inter-ORB Protocol (GIOP) and the Internet Inter-ORB Protocol (IIOP) is needed before going further into a vulnerability that uses them. These protocols carry communication between objects in a distributed system and are based on the Common Object Request Broker Architecture (CORBA) standard. The message format and structure, the different message types that can be sent, and the network endpoint on which IIOP traffic is sent or received all matter for implementing and using these protocols correctly, and for routing the traffic to the right place.

  When the component receives the GIOP packet, it first calls the function swsoc.exe+0xcd070() to check that the Magic Bytes field is set to “GIOP”. Next, function swsoc.exe+0xcc620() is called, which checks that the ServiceContext and Principal fields are set to 0. This function also checks that Object Key is set to “IIOP:slx::” and Operation is set to “SSP”. Next, function swsoc.exe+0xd0160() is called, which checks an unknown field in the request body. The opcodes are then processed, one at a time, in a loop in the function swsoc.exe+0xcd910().

  In this loop, consider the vulnerable opcode 8. When this opcode is encountered, the C library function memmove() is called with the OpcodeDataSize field as its size parameter to move the bytes in the Data field into a heap buffer. By supplying an OpcodeDataSize value larger than 38, the heap buffer is overrun.
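The checks described above amount to a parse of a GIOP 1.0 Request followed by a length check that the component does not perform. The following is an added example, not SonicWall or Adobe code, of the parse from the inspection side: the GIOP header and Request header layouts are the CORBA 1.0 ones, while the layout of the opcode entries in the body (u32 opcode, u32 OpcodeDataSize, raw data) and the u32 width of the “unknown field” are assumptions, since the advisory leaves them undocumented; the limit 38 and the Object Key and Operation values are from the page, and the sample messages are constructed.

```python
"""Inspect a GIOP Request along the swsoc.exe check path and flag an opcode-8
OpcodeDataSize that would overrun the heap buffer (limit 38, per the page).

Added example. Opcode entry layout and the unknown field's width are ASSUMED."""
import struct

GIOP_MAGIC = b"GIOP"
EXPECTED_OBJECT_KEY = b"IIOP:slx::"
EXPECTED_OPERATION = b"SSP"
VULNERABLE_OPCODE = 8
MAX_OPCODE8_DATA = 38  # OpcodeDataSize above this overruns the heap buffer


class GiopError(ValueError):
    pass


class Reader:
    """Minimal CDR reader; alignment is relative to the start of the message."""

    def __init__(self, buf, big_endian=True):
        self.buf, self.pos = buf, 0
        self.fmt = ">I" if big_endian else "<I"

    def u8(self):
        if self.pos >= len(self.buf):
            raise GiopError("truncated u8")
        self.pos += 1
        return self.buf[self.pos - 1]

    def u32(self):
        self.pos += (-self.pos) % 4          # CDR 4-byte alignment
        if self.pos + 4 > len(self.buf):
            raise GiopError("truncated u32")
        (v,) = struct.unpack_from(self.fmt, self.buf, self.pos)
        self.pos += 4
        return v

    def octets(self):
        """sequence<octet>: u32 length then bytes; the length is bounds-checked."""
        n = self.u32()
        if n > len(self.buf) - self.pos:
            raise GiopError("declared length %d exceeds remaining bytes" % n)
        self.pos += n
        return self.buf[self.pos - n:self.pos]


def inspect_request(msg):
    """Classify one GIOP message: 'ok', 'malformed', 'not-ssp' or 'overflow'."""
    if len(msg) < 12 or msg[:4] != GIOP_MAGIC or msg[7] != 0:   # type 0 = Request
        return {"verdict": "malformed", "reason": "not a GIOP Request"}
    r = Reader(msg, big_endian=(msg[6] & 1) == 0)   # flags bit 0: byte order
    r.pos = 8
    if r.u32() != len(msg) - 12:
        return {"verdict": "malformed", "reason": "message_size mismatch"}
    try:
        svc_count = r.u32()                       # ServiceContext list length
        for _ in range(svc_count):
            r.u32(); r.octets()                   # context_id, context_data
        request_id = r.u32()
        r.u8()                                    # response_expected
        object_key = r.octets()
        operation = r.octets().rstrip(b"\0")      # CORBA string carries a NUL
        principal = r.octets()
        # The opcode loop is only reached on exactly this path (page checks).
        if svc_count or principal or object_key != EXPECTED_OBJECT_KEY \
                or operation != EXPECTED_OPERATION:
            return {"verdict": "not-ssp", "request_id": request_id}
        r.u32()                                   # "unknown field" (assumed u32)
        opcodes = []
        while r.pos < len(msg):
            opcode, size = r.u32(), r.u32()       # assumed entry layout
            if size > len(msg) - r.pos:
                return {"verdict": "malformed", "reason": "OpcodeDataSize exceeds message"}
            r.pos += size
            r.pos += (-r.pos) % 4                 # entries are 4-aligned (assumed)
            opcodes.append((opcode, size))
            if opcode == VULNERABLE_OPCODE and size > MAX_OPCODE8_DATA:
                return {"verdict": "overflow", "request_id": request_id,
                        "opcode": opcode, "size": size}
    except GiopError as exc:
        return {"verdict": "malformed", "reason": str(exc)}
    return {"verdict": "ok", "request_id": request_id, "opcodes": opcodes}


def build_ssp_request(opcodes, request_id=1, object_key=EXPECTED_OBJECT_KEY):
    """Constructed sample generator for the inspector (same assumed layout)."""
    def seq(b): return struct.pack(">I", len(b)) + b
    def pad(b): return b + b"\0" * ((-len(b)) % 4)
    body = struct.pack(">II", 0, request_id) + b"\x01"   # no ctx, id, response_expected
    body = pad(body) + pad(seq(object_key)) + pad(seq(EXPECTED_OPERATION + b"\0"))
    body += struct.pack(">I", 0)                          # empty principal
    body += struct.pack(">I", 0)                          # unknown field
    for opcode, data in opcodes:
        body += pad(struct.pack(">II", opcode, len(data)) + data)
    return GIOP_MAGIC + bytes([1, 0, 0, 0]) + struct.pack(">I", len(body)) + body
```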

Triggering the Problem:

  • The target host must have the vulnerable version of the software installed and running.
  • The attacker must have network connectivity to the target server.

Triggering Conditions:

  The attacker sends a crafted GIOP request message to the ODBC Server. The GIOP message contains an overly large OpcodeDataSize value.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • GIOP
    • IIOP
    • TCP

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 3466 Adobe ColdFusion GIOP Heap Buffer Overflow

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Filtering network traffic using the signature above.
    • Blocking the affected ports from external network access if they are not required.
    • Updating to a non-vulnerable version of the product by applying the vendor provided patch.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

Cybersecurity News & Trends

Curated cybersecurity news and trends from the industry’s leading bloggers and news outlets, for you from SonicWall.

We’re nearing the end of January, and SonicWall is still roaring into headlines. Read about the NSsp 15700’s “superpowers,” as described by the folks at iTWire, and see how CyberSecurityInsider breaks down some of our latest threat intelligence. Take a look at MedTechDive citing some of our data and see TechTarget’s piece on one of our partners.

This week has been busy for industry news. The FBI has taken down the ransomware gang known as Hive, and we have information from Dark Reading, Axios and Reuters. Security Week reports that German airports, banks and government have been hit with Killnet DDoS attacks. TechCrunch reports that backups have been stolen from a breach at LastPass. At Hacker News, we’re hearing about vulnerabilities in Samsung’s Galaxy app store on Android. Bleeping Computer is reporting that Microsoft OneNote attachments are the latest trend in email-based malware.

SonicWall News

2023 Predictions: Emerging Tech & Global Conflict Bring New Cyber Threats

CyberSecurityInsiders, SonicWall News: 2022 saw a shifting cybersecurity landscape as rising geopolitical conflicts brought new tactics, targets and goals for cybercrime. According to recent threat intelligence from SonicWall, global ransomware attempts declined 31% YoY as cybercriminals and nation-state actors opted for never-before-seen malware variants, IoT malware, and cryptojacking in attacks motivated by financial gain and state-sponsored hacktivism.

Cybersecurity ‘More Critical Than Ever’ In Era of Connected Care: BD

MedTechDive, SonicWall News: Ransomware attacks in which cybercriminals attempt to extort money declined by 23% overall during the first half of 2022 but increased 328% in healthcare, according to data from cybersecurity company SonicWall.

IT Services Industry Looks to Cyber, Cloud Consulting for Growth

TechTarget, SonicWall News: Logically’s MSSP offerings include extended detection and response, endpoint detection and response, and MDR; enterprise-level managed firewall services; and cybersecurity assessments, according to Skeens. The company runs a SOC. The company’s IT security technology partners include SonicWall.

The Sonicwall NSsp 15700 Brings Serious Network Protection Super Powers

iTWire, SonicWall News: iTWire really could go on and on; the list of features is almost endless. There is a database of applications for intelligent packet analysis, support for IoT devices, DNS protection and more. However, the best thing right now is to take it for a spin yourself. You can demo the SonicWall NSsp series firewalls online without any installation or commitment and see all the features and benefits in action.

Royal Mail ‘Cyber Incident’ Causes Widespread Disruption

Strategic Risk, SonicWall News: There were 623 million ransomware attacks globally in 2021 according to SonicWall, representing a 105% year-on-year increase. The UK saw a 228% surge and a 65% increase in never-before-seen malware.

8 Safety Solutions to Keep Your Business Secure

Business Info, SonicWall News: Network security devices are essential for any business. They establish a firewall that will protect internal networks from external threats, such as attacks from the internet. The SonicWall TZ270 uses patented Real-Time Deep Memory Inspection (RTDMI) to prevent cyber-attacks.

Safe Homes: Security Tech for Remote Workers

Silicon, SonicWall News: Speaking to Silicon UK, Rick Meder, VP of Strategic Partnerships and Platform Architecture at SonicWall, commented: “With most employees no longer within the protected perimeter of a traditional corporate network, the basic secure access tools in place for remote access workers have become quickly inadequate. The potential attack surface expands exponentially, oversight by security staff is met with extreme challenges, and policy complexity reaches levels like never before. Efforts to uphold an adequate security posture while maintaining workforce productivity quickly become overwhelming.”

Finally, Ransomware Victims Are Refusing to Pay Up

The Register, SonicWall News: SonicWall in October 2022 said that it saw a 31 percent drop in ransomware attacks in the first nine months of the year, but that also was coming off record numbers recorded in 2021. CEO Robert VanKirk at the time told The Register there was an “unstable cyberthreat landscape” fed by expanded attack surfaces, growing numbers of threats, and a tense geopolitical environment that included Russia’s attack on Ukraine. The CEO also noted that even though the numbers in 2022 were down, they were still higher than in any year but 2021.

Top 7 AI Trends to Watch Out for In 2023

Silicon, SonicWall News: Immanuel Chavoya, emerging threat expert at cybersecurity company SonicWall, believes new AI software will give threat actors the ability to quickly exploit vulnerabilities and reduce the technical expertise required “down to a five-year-old level.”

All You Need to Know About The ‘Godfather’ Malware Targeting This Country’s Financial System

AMB Crypto, SonicWall News: “The research titled “2022 SonicWall Cyber Threat Report” from cybersecurity company SonicWall claims that cryptojacking attacks have increased in the banking sector by 269% year-to-date. This figure is nearly five times higher than cyberattacks directed at the retail sector. According to the study from SonicWall, the total number of cryptojacking incidents increased by 30% to 66.7 million in the first half of 2022.”

An Evolving Landscape: Top 10 Cybersecurity Predictions For 2023

Silicon Republic, SonicWall News: “Spencer Starkey, channel sales EMEA VP for SonicWall, predicts that healthcare and education will be among the sectors most targeted by cyberattacks in 2023. The cybersecurity company claims the healthcare sector saw a 328% year-on-year increase in ransomware attacks last year.”

Royal Mail’s Export Service Hit with Major Cyber Incident And Is Experiencing ‘Severe Disruption’

City AM, SonicWall News: “Terry Greer-King, Head of EMEA at SonicWall, a cybersecurity firm, linked this cyber incident to declining cyber safety in the UK. Greene told City AM: “The cyber incident at the Royal Mail shows that the public sector, like all other industries, is still vulnerable to mass cyberattack. As legacy IT concerns become more apparent across the UK’s public sector, the state of its cybersecurity is still a main topic that must be addressed, especially after 2021 brought a 94% increase in malware on the global government sector. As a service that people and businesses alike depend on day-to-day, ensuring its digital infrastructure remains secure must be a top priority. To truly safeguard national public-sector cybersecurity, the government must take real concerted action now,” he added.

Industry News

Russia-backed Hacker Group Killnet Attacks German Infrastructure

After Germany agreed to send aid to Ukraine in the form of tanks, the Russia-backed cybercriminal gang known as Killnet attacked airports, banks and government offices in Germany with DDoS attacks. While the attack was instigated by Killnet, it is likely that more people took part in it. Killnet announced the attack on Wednesday following Germany’s announcement of sending aid to Ukraine. According to Security Week, Germany is on high alert for cybercriminal activity due to the geopolitical unrest in Europe.

FBI Hacks Hive Ransomware Gang

In perhaps the week’s biggest news, the U.S. government has busted the infamous Hive ransomware gang. The group has been extremely active since it first appeared in 2021. According to Dark Reading, the gang has been operating a ransomware-as-a-service (RaaS) platform. The gang does not discriminate, as they have attacked schools, infrastructure and businesses alike. According to the U.S. Department of Justice, they have been infiltrating Hive’s systems since July 2022 and have captured their decryption keys. According to Reuters, this move from the FBI may have saved victims up to $130 million. Government hackers were able to break into Hive’s networks and distribute their decryption keys to victims across the world. The government hackers warned the victims in advance so they could take precautions against Hive. Hive was one of the most notorious cybercriminal gangs in the world. They typically extorted international businesses and demanded huge cryptocurrency payments in return.

According to Axios, this move from the DoJ is one of the most significant moves the U.S. government has taken against a ransomware gang. Before now, the U.S. has been tight-lipped about its operations against cybercriminal gangs. In the wake of the attack on the Colonial Pipeline in 2021, ransomware has become a priority for the U.S. government. The FBI’s director, Christopher Wray, said the investigation into Hive is still ongoing. It’s unclear how large of a dent this will make in global ransomware attacks, but one thing is certain – it’s a good day to be fighting against cybercriminals.

GoTo Encrypted Backups Stolen in LastPass Breach

GoTo, the parent company of the popular password manager LastPass, has revealed that customers’ encrypted backup data was stolen during a recent breach. According to LastPass, the attackers used information that was stolen during an incident in August 2022. According to TechCrunch, the breach also impacted several of GoTo’s products, including its VPN tool, Hamachi. GoTo CEO Paddy Srinivasan said, “The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of multi-factor authentication settings, as well as some product settings and licensing information.” Srinivasan also said GoTo is advising impacted customers to reset passwords and MFA settings.

Samsung’s Galaxy App Store Security Flaws

NCC Group has discovered two security flaws in Samsung’s Galaxy app store on Android. The vulnerabilities could allow threat actors to direct users to bogus landing pages or even install malicious apps on the user’s device. Hacker News reports that Samsung has patched the vulnerability to stop unauthorized access. These vulnerabilities only affect users who are running Android 12 or any version before that. Users who are running Android 13 are unaffected.

Microsoft OneNote Attachments Now Being Used to Spread Malware

Threat actors are now able to infect remote access users with phishing malware using OneNote attachments, according to Bleeping Computer. In the past, attackers have been able to attach malicious Excel and Word files to emails, which ran macros on the infected computers to install malware. Microsoft has since disabled macros by default, which has forced threat actors to look elsewhere for getting malicious files from point A to point B. TrustWave SpiderLabs began warning users in December about OneNote files being used in this way. Fortunately, OneNote has been able to recognize these files and warn users not to open them. However, some users have ignored the warning and opened the malicious files anyway. The best way to protect yourself is to not open files from anyone you don’t know.

SonicWall Blog

Can You Catch All the Phish? Take Our New Phishing IQ Quiz and Find Out! – Ken Dang

Celebrating 2023 With Expanded “3 & Free” – Matt Brennan

‘3 & Free’ Promotion: How to Upgrade to a New SonicWall TZ Series NGFW for Free – Matt Brennan

The Art of Cyber War: Sun Tzu and Cybersecurity – Ray Wyman

Talking Boundless Cybersecurity at the Schoolscape IT 2022 Conference – Mohamed Abdallah

3 & Free: 1 Amazing Deal, 2 Exceptional Firewalls, 3 Years of Superior Threat Protection – Matt Brennan

SonicWall Wins CRN’s 2022 Tech Innovator Award in Enterprise Network Security – Bret Fitzgerald

SonicWall Included on the Acclaimed CRN Edge Computing 100 List for 2022 – Bret Fitzgerald

A New Era of Partnering to Win – Robert (Bob) VanKirk

Multiply Your Security with Multifactor Authentication – Amber Wolff

10 Reasons to Upgrade to the Latest SonicWall Gen 7 TZ Firewall – Sarah Choi

Cybersecurity News & Trends

Curated cybersecurity news and trends from the industry’s leading bloggers and news outlets, for you from SonicWall.

SonicWall continues to make waves in the news with its products and executives. Read Business Info’s safety solutions to keep your business secure and see what our VP of Strategic Partnerships and Platform Architecture, Rick Meder, had to say to Silicon. We also hear from our CEO, Bob VanKirk, and our emerging threat expert, Immanuel Chavoya.

In industry news, we’re taking a peek at newly discovered vulnerabilities, artificial intelligence and the open sea. Dark Reading reports that everyone’s favorite AI chatbot, ChatGPT, is dabbling in writing polymorphic malware. Over at Bleeping Computer, the word is that a vendor’s exposed database has caused trouble at Nissan. The good folks at Hacker News warn of a Linux vulnerability that has caught the attention of malicious actors. From Trend Micro, GitHub CodeSpaces has a port forwarding issue that’s allowing easy malware delivery. Security Weekly alerts us about a ransomware attack that affected 1,000 ships across the globe.

SonicWall News

Royal Mail ‘Cyber Incident’ Causes Widespread Disruption

Strategic Risk, SonicWall News: There were 623 million ransomware attacks globally in 2021 according to SonicWall, representing a 105% year on year increase. The UK saw a 228% surge and a 65% increase in never-seen-before malware.

8 Safety Solutions to Keep Your Business Secure

Business Info, SonicWall News: Network security devices are essential for any business. They establish a firewall that will protect internal networks from external threats, such as attacks from the internet. The SonicWall TZ270 uses Real-Time Deep Memory Inspection to prevent cyber-attacks.

Safe Homes: Security Tech for Remote Workers

Silicon, SonicWall News: Speaking to Silicon UK, Rick Meder, VP of Strategic Partnerships and Platform Architecture at SonicWall, commented: “With most employees no longer within the protected perimeter of a traditional corporate network, the basic secure access tools in place for remote access workers have become quickly inadequate. The potential attack surface expands exponentially, oversight by security staff is met with extreme challenges, and policy complexity reaches levels like never before. Efforts to uphold an adequate security posture while maintaining workforce productivity quickly become overwhelming.”

Finally, Ransomware Victims Are Refusing to Pay Up

The Register, SonicWall News: SonicWall in October 2022 said that it saw a 31 percent drop in ransomware attacks in the first nine months of the year, but that also was coming off record numbers recorded in 2021. CEO Robert VanKirk at the time told The Register there was an “unstable cyberthreat landscape” fed by expanded attack surfaces, growing numbers of threats, and a tense geopolitical environment that included Russia’s attack on Ukraine. The CEO also noted that even though the numbers in 2022 were down, they were still higher than in any year but 2021.

Top 7 AI Trends to Watch Out for in 2023

Silicon, SonicWall News: Immanuel Chavoya, emerging threat expert at cybersecurity company SonicWall, believes new AI software will give threat actors the ability to quickly exploit vulnerabilities and reduce the technical expertise required “down to a five-year-old level.”

All You Need to Know About The ‘Godfather’ Malware Targeting This Country’s Financial System

AMB Crypto, SonicWall News: “The research titled “2022 SonicWall Cyber Threat Report” from cybersecurity company SonicWall claims that cryptojacking attacks have increased in the banking sector by 269% year-to-date. This figure is nearly five times higher than cyberattacks directed at the retail sector. According to the study from SonicWall, the total number of crypto-jacking incidents increased by 30% to 66.7 million in the first half of 2022.”

An Evolving Landscape: Top 10 Cybersecurity Predictions For 2023

Silicon Republic, SonicWall News: “Spencer Starkey, channel sales EMEA VP for SonicWall, predicts that healthcare and education will be among the sectors most targeted by cyberattacks in 2023. The cybersecurity company claims the healthcare sector saw a 328pc year-on-year increase in ransomware attacks last year.”

Royal Mail’s Export Service Hit with Major Cyber Incident and Is Experiencing ‘Severe Disruption’

City AM, SonicWall News: “Terry Greer-King, Head of EMEA at SonicWall, a cybersecurity firm, linked this cyber incident to declining cyber safety in the UK. Greene told City AM: “The cyber incident at the Royal Mail shows that the public sector, like all other industries, is still vulnerable to mass cyber attack. As legacy IT concerns become more apparent across the UK’s public sector, the state of its cybersecurity is still a main topic that must be addressed, especially after 2021 brought a 94% increase in malware on the global government sector. As a service that people and businesses alike depend on day-to-day, ensuring its digital infrastructure remains secure must be a top priority. To truly safeguard national public-sector cybersecurity, the government must take real concerted action now,” he added.

Study Finds One in Four SMEs Hit by Ransomware Last Year

Technology Magazine, SonicWall News: “Today, cyberattacks continue to present an ever-changing threat to businesses across all sectors. NCC Group’s Annual Threat Monitor report, which indicated ransomware attacks almost doubled in 2021, rising 92.7% on the previous year, while research by SonicWall found that 66% of customers were more concerned about cyberattacks last year.”

Leading Cybersecurity Companies for The Food Industry

Just Food, SonicWall News: “Amongst the leading vendors of cybersecurity in food industry are Dragos, Eat IT Drink IT, NCR, Netskope, PDI Software, Preciate, Singtel, SonicWall, TitanHQ, VikingCloud, Auvesy-MDT, Cali Group, and Cardonet.”

Goodbye 2022, Hello 2023: Experts Weigh in With Channel Expectations

MicroScope, SonicWall News: “Matt Brennan, vice-president of North America channel sales at SonicWall, believes the effects of supply chain disruption will continue to have an impact on 2023: “Supply chain challenges have wreaked havoc across most industries around the world. IT has been affected across the board. Because of these challenges, brand loyalty will fade. [Customers] won’t hesitate to make purchases they can get now rather than wait for a specific brand product later – fulfillment is critical, regardless of how long customers have been brand loyal.” Brennan adds that this will lead to a shift in the market as customers learn that “staying brand loyal is not necessary to run their businesses successfully”.

Industry News

ChatGPT Trips the Alarm Over Polymorphic Malware

Researchers at Cyberark recently warned that OpenAI’s ChatGPT, an online chatbot that has been stirring up noise in the media recently, could be used to create polymorphic malware. Dark Reading reports that polymorphic malware is a highly advanced type of malware that actually contains no malicious code. That makes it exceedingly difficult to detect.

Cyberark also warned that the AI could be used to generate injection code. ChatGPT is free to use and has a simple user interface. This makes ChatGPT something that cybersecurity experts should be keeping in their peripheral vision. It may not be causing many problems just yet, but the potential for malicious use is most certainly there.

Exposed Database Leaks Personal Data Of 18,000 Nissan Customers

On Monday, Nissan began sending out notifications to customers that their data had been breached. Nissan said in the memo that they had received notification in June of 2022 that one of their third-party software developers had experienced a breach. Bleeping Computer reports that Nissan gave data to the vendor to develop and test software for them. The automaker placed the blame on the vendor’s database being poorly configured.

Nissan conducted an investigation and found that an unauthorized user likely had access to the data. NMAC numbers (Nissan finance account numbers), full names, and dates of birth were all included in the leak. Nissan noted that there was no evidence the data had been misused, but they did offer affected customers a one-year membership of Experian identity protection.

Hack Alert: Recently Patched Linux Tool Is the Newest Target Of Malicious Actors

A widely used Linux tool, Control Web Panel, is being actively exploited by malicious actors after a vulnerability was patched. The bug, listed as CVE-2022-44877, gave elevated privileges and allowed for unauthenticated remote code execution on some servers, according to Hacker News. All software versions before 0.9.8.1147 are impacted.

So far, exploitation of the bug has been minimal, with GreyNoise reporting four unique IP addresses attempting to abuse it. All frequent users of CWP are advised to apply the most up-to-date patches to avoid any issues.

Github CodeSpaces Vulnerability Causes Concerns About Easy Malware Delivery

GitHub CodeSpaces is a cloud-based integrated development environment that was fully released to the public in November 2022. A feature of this IDE that allows forwarded ports to be shared publicly could be exploited by malicious actors. It seems that these features could be used to create a malware file server with a legitimate GitHub account. GitHub would usually be alerted by a user using their tools in this way. Due to this vulnerability, a user could be serving malicious content directly under GitHub’s nose, and GitHub would be none the wiser.

Trend Micro reports that no abuse of this exploit has been witnessed thus far. The exploit was discovered during an internal security check on the platform.

Ransomware Attack on Ship Management Software Disrupts Servers On 1,000 Ships

A recognized maritime advisor, DNV, was the victim of a ransomware attack on its ShipManager system servers. The attack resulted in 1,000 ships being impacted globally. This attack comes a mere two weeks after the LockBit ransomware gang carried out an attack on Portugal’s Port of Lisbon. The European shipping industry has been the victim of multiple such attacks over the course of the past year.

On January 19th, DNV released a statement saying they are working to restore servers on the impacted ships. They made it clear that all of the impacted ships have maintained complete offline functionality throughout this ordeal.

Control Web Panel Remote Code Execution

Control Web Panel (CWP) is an advanced free and PRO web hosting panel that gives flexibility to effectively and efficiently manage your server and clients.
Control Web Panel 7 versions prior to 0.9.8.1147 suffer from an unauthenticated remote code execution vulnerability.

Remote Code Execution vulnerability
A remote code execution (RCE) vulnerability is a type of software vulnerability that allows an attacker to execute arbitrary code on a targeted system or device. This can be done by exploiting a flaw in the software or by injecting malicious code into the system via a network connection or other means. RCE vulnerabilities are considered to be particularly severe because they can allow an attacker to gain complete control over a targeted system or device.
Unauthenticated Remote Code Execution (RCE) is a type of vulnerability that allows an attacker to execute arbitrary code on a target system or device without the need for any authentication or authorization. This means that the attacker does not need to provide any valid credentials or have any previous access to the system in order to exploit the vulnerability.

Control Web Panel Remote Code Execution | CVE-2022-44877
Unauthenticated RCE exists in Control Web Panel.
login/index.php in Control Web Panel( or CentOS Web Panel) 7 before 0.9.8.1147 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter.

The following is an example of an exploit request:

Decoding the base64 blob gives us the following code:

The decoded code is a shell one-liner that runs a short Python script. The script opens a socket to an attacker-controlled IP address and port hardcoded in the script, then calls os.dup2 to redirect the process’s standard input, output and error to that socket. Finally, pty.spawn launches an interactive shell, in this case “sh”, whose input and output now travel over the socket: a classic reverse shell.
In the request itself, the value of the login parameter is $(echo <base64 blob> | base64 -d | bash). Because the vulnerable login/index.php passes this value into a shell command without sanitization, the shell evaluates the $(...) command substitution: echo prints the base64 text, base64 -d decodes it to the Python one-liner, and | bash executes it.
Overall, the attacker is using the injection to open a reverse shell to the IP address and port specified in the Python script.
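As an added example (not code from the original post or from the CWP project), here is a small Python detector that applies the description above to web-server access logs: it percent-decodes the login parameter of requests to /login/index.php, flags shell metacharacters such as $( and backticks, and, where the injected command follows the echo | base64 -d | bash staging pattern, decodes the base64 blob so an analyst can see the payload. The log lines, client IP addresses and the harmless base64 payload (it decodes to id) are constructed for this example.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not taken from the original page). The
# second request carries a percent-encoded $(...) command substitution in the
# login parameter, the pattern described for CVE-2022-44877; its base64 blob
# is a harmless stand-in that decodes to "id".
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jan/2023:10:01:02 +0000] "POST /login/index.php?login=admin HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Jan/2023:10:01:07 +0000] "POST /login/index.php?login=%24%28echo%20aWQ%3D%20%7C%20base64%20-d%20%7C%20bash%29 HTTP/1.1" 200 512',
    '10.0.0.7 - - [12/Jan/2023:10:02:11 +0000] "GET /index.php?login=%24%28id%29 HTTP/1.1" 200 2048',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Metacharacters that let a value escape a shell command it is interpolated into:
# $(...) and backticks (command substitution), ${...}, and the ; | & separators.
SHELL_META_RE = re.compile(r'\$\(|`|\$\{|[;|&\n]')
# The "echo <b64> | base64 -d | bash" staging idiom used by the exploit.
B64_STAGE_RE = re.compile(r'echo\s+([A-Za-z0-9+/=]+)\s*\|\s*base64\s+(?:-d|--decode)')


def inspect_request(target):
    """Return a finding for a request that injects shell syntax into the CWP
    login parameter, or None when the request looks benign.

    Matching is done on the percent-decoded value: an attacker sends "$(" as
    "%24%28", so a raw string match on the log line would miss it.
    """
    parts = urlsplit(target)
    if not parts.path.endswith('/login/index.php'):
        return None
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    for value in query.get('login', []):
        if not SHELL_META_RE.search(value):
            continue
        finding = {'param': 'login', 'injected': value, 'decoded_payload': None}
        staged = B64_STAGE_RE.search(value)
        if staged:
            try:
                finding['decoded_payload'] = base64.b64decode(
                    staged.group(1), validate=True).decode('utf-8', 'replace')
            except ValueError:
                pass  # not valid base64; keep only the raw injected value
        return finding
    return None


def scan_log(lines):
    """Return a list of (client_ip, finding) for every matching log line."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match is None:
            continue
        finding = inspect_request(match.group('target'))
        if finding is not None:
            findings.append((line.split(' ', 1)[0], finding))
    return findings


if __name__ == '__main__':
    for ip, finding in scan_log(SAMPLE_LOG):
        print(ip, finding['injected'], '->', finding['decoded_payload'])
```

The path check keeps the rule scoped to the vulnerable script so that a login field containing a stray semicolon elsewhere on the site does not fire it; loosen it if you also want to catch scanners probing other paths with the same payload.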

SonicWall Capture Labs provides protection against this threat via the following signature:

  • IPS 18864:Control Web Panel 7 RCE

Control Web Panel has patched this vulnerability; upgrade to version 0.9.8.1147 or later.

Cybersecurity News & Trends

Curated cybersecurity news and trends from the industry’s leading bloggers and news outlets, for you from SonicWall.

SonicWall is leading this news cycle with more company mentions and stories featuring executives and cybersecurity experts like Spencer Starkey, Senior Director, Regional Sales-EMEA, and Terry Greer-King, Vice President, EMEA and APJ Sales.

In industry news, we cover the full range of international hacks and highly developed phishing campaigns. The Record reports that a pro-Russian hacktivist group is going after NATO targets, with contributions from Sentinel Labs, Reuters and Cyberscoop. From CyberWire, an alert about phishers abusing Microsoft’s Dynamics 365 Customer Voice service. Bleeping Computer alerted us to credential-stuffing attacks on Norton LifeLock password manager accounts. Dark Reading reports that “sneaky” hackers are luring corporate workers with fake Zoom downloads, so please watch what you click. CSO Online reports on a developing story about a ransomware group actively exploiting the Citrix CVE-2022-27510 vulnerability. And The Hacker News warns that tainted VPN installers are spreading EyeSpy surveillanceware.

As always, watch the corners before you cross the road, and remember that cybersecurity is everyone’s business.

SonicWall News

All You Need to Know About The ‘Godfather’ Malware Targeting This Country’s Financial System

AMB Crypto, SonicWall News: “The research titled “2022 SonicWall Cyber Threat Report” from cybersecurity company SonicWall claims that cryptojacking attacks have increased in the banking sector by 269% year-to-date. This figure is nearly five times higher than cyberattacks directed at the retail sector. According to the study from SonicWall, the total number of crypto-jacking incidents increased by 30% to 66.7 million in the first half of 2022.”

An Evolving Landscape: Top 10 Cybersecurity Predictions For 2023

Silicon Republic, SonicWall News: “Spencer Starkey, channel sales EMEA VP for SonicWall, predicts that healthcare and education will be among the sectors most targeted by cyberattacks in 2023. The cybersecurity company claims the healthcare sector saw a 328pc year-on-year increase in ransomware attacks last year.”

Royal Mail’s Export Service Hit with Major Cyber Incident And Is Experiencing ‘Severe Disruption’

City AM, SonicWall News: “Terry Greer-King, Head of EMEA at SonicWall, a cybersecurity firm, linked this cyber incident to declining cyber safety in the UK. Greer-King told City AM: “The cyber incident at the Royal Mail shows that the public sector, like all other industries, is still vulnerable to mass cyber attack. As legacy IT concerns become more apparent across the UK’s public sector, the state of its cybersecurity is still a main topic that must be addressed, especially after 2021 brought a 94% increase in malware on the global government sector. As a service that people and businesses alike depend on day-to-day, ensuring its digital infrastructure remains secure must be a top priority. To truly safeguard national public-sector cybersecurity, the government must take real concerted action now,” he added.”

Study Finds One in Four SMEs Hit By Ransomware Last Year

Technology Magazine, SonicWall News: “Today, cyberattacks continue to present an ever-changing threat to businesses across all sectors. NCC Group’s Annual Threat Monitor report, which indicated ransomware attacks almost doubled in 2021, rising 92.7% on the previous year, while research by SonicWall found that 66% of customers were more concerned about cyberattacks last year.”

Leading Cybersecurity Companies for The Food Industry

Just Food, SonicWall News: “Amongst the leading vendors of cybersecurity in food industry are Dragos, Eat IT Drink IT, NCR, Netskope, PDI Software, Preciate, Singtel, SonicWall, TitanHQ, VikingCloud, Auvesy-MDT, Cali Group, and Cardonet.”

Goodbye 2022, Hello 2023: Experts Weigh in With Channel Expectations

MicroScope, SonicWall News: “Matt Brennan, vice-president of North America channel sales at SonicWall, believes the effects of supply chain disruption will continue to have an impact on 2023: “Supply chain challenges have wreaked havoc across most industries around the world. IT has been affected across the board. Because of these challenges, brand loyalty will fade. [Customers] won’t hesitate to make purchases they can get now rather than wait for a specific brand product later – fulfilment is critical, regardless of how long customers have been brand loyal.” Brennan adds that this will lead to a shift in the market as customers learn that “staying brand loyal is not necessary to run their businesses successfully”.

Tips for Health Systems on Managing Legacy Systems to Strengthen Security

HealthTech, SonicWall News: A lack of support from the manufacturer generally means a lack of security patches. As a result, devices running a legacy OS are easy targets for attackers — in fact, malware attacks on internet-connected devices spiked 123 percent in the first half of 2022, according to research from SonicWall.

Cybersecurity for Investors: Why Digital Defenses Require Good Governance

Yahoo! Finance, SonicWall News: Cyberattacks are very costly. In the first half of 2022, at least 2.8 billion malware attacks were recorded globally, an increase of 11% over the previous 12 months, according to cybersecurity company SonicWall.

Remote Monitoring, AI Research and Data at Risk: Healthcare Tech Predictions For 2023

BetaNews, SonicWall News: Healthcare could come under threat from geopolitical attacks, believes Immanuel Chavoya, threat detection and response strategist at SonicWall. “When it comes to protecting against threats of geopolitically motivated attacks, the present call to action is to be proactive, rather than reactive, to an assault. Attacks such as targeted malware or vulnerability exploitation could be used to inflict chaos on critical infrastructure such as healthcare, electric utilities, financial institutions, and oil and gas. These attacks tie up resources, cause financial damage, and send a signal. In 2023, organizations and governments will need to be prepared by ensuring that they don’t have any issues that could become low-hanging fruit for attacks and closely monitor their network activity for quick identification of and reaction to any attack.”

Future Tech Role of Partners

CRN (India), SonicWall News: Security threats are becoming increasingly sophisticated, and organizations are looking for proactive ways to secure their IT environments. Whether their environment is in the Cloud, on-premises or a hybrid, organizations look to managed security services providers (MSSPs) to provide the best-in-class security to protect their business and mitigate future risk.

SonicWall CEO: Partner Program Revamp on Tap for Early 2023

CRN, SonicWall News: “As other vendors are increasing their prices, we’re actually doing the opposite,” he said. “If a customer and a partner commit to buying three years of services—services that go with our solutions—what they end up getting is the firewall hardware at no charge. That translates to a double-digit price decrease savings.”

Industry News

Pro-Russian Hacktivists Go After NATO

A pro-Russian hacktivist group has been going after targets in NATO countries since the war against Ukraine started. The Record reports that the group NoName057(16) used Telegram and GitHub to launch distributed denial-of-service attacks against Ukraine and several NATO countries.

According to researchers at Sentinel Labs, the group targeted candidate websites in the 2023 Czech presidential election and businesses and organizations across Poland and Lithuania. According to Reuters, the group is also responsible for disrupting Denmark’s financial sector earlier this week.

The gang also used GitHub to host their distributed denial of service tools. Cyberscoop reports that GitHub disabled the group’s accounts this Tuesday. 

Hack Alert: Microsoft’s Dynamics 365 Customer Voice Service

Threat actors are developing new ways to attack companies that use Microsoft’s Dynamics 365 Customer Voice service.

According to CyberWire, the attackers abuse Customer Voice to send phishing messages that arrive as a legitimate-looking service notification. When the victim follows the link to view the document and logs in, the attackers harvest the credentials. In another variant, the user is enticed to click a link in the email to print a document. A simple defensive habit is to hover over a link to inspect the destination URL, and to check the actual sender address, before clicking anything in an email or text message.

Norton LifeLock Warns That Hackers Breached Password Manager Accounts

Bleeping Computer reports that Gen Digital, the company formed from NortonLifeLock (formerly Symantec Corporation), is sending customers data breach notifications about a credential-stuffing attack that successfully compromised Norton Password Manager accounts.

A sample of the letter was shared with the Office of the Vermont Attorney General. According to the company, its own systems were not breached; instead, an unauthorized third party logged in with username and password pairs that had been exposed in breaches of other platforms. Credential stuffing only succeeds against accounts whose password was reused elsewhere, which is why those customers are the ones at risk.

Sneaky Hackers Woo Corporate Workers With Fake Zoom Downloads

According to Dark Reading, a sneaky new info stealer is landing on user machines via website redirects from Google Ads that pose as download sites for popular remote-work software such as Zoom and AnyDesk.

Researchers at Cyble found that the threat actors behind the new malware, Rhadamanthys Stealer, which is sold on the dark web under a malware-as-a-service model, are using two delivery methods to spread their payload.

The researchers identified several phishing domains created to spread Rhadamanthys, most of which pose as legitimate installer links for the brands mentioned above. Malicious domains they identified include bluestacks-install[.]com, zoomus-install[.]com, install-zoom[.]com, install-anydesk[.]com and zoom-meetings-install[.]com.

Ransomware Group Actively Exploiting Citrix Vulnerability

A ransomware group known as Royal is believed to be actively exploiting a critical security flaw affecting Citrix systems, according to the cyber research team at cyber insurance provider At-Bay. Announced by Citrix on November 8, 2022, the vulnerability, identified as CVE-2022-27510, allows for the potential bypass of authentication measures on two Citrix products: the Application Delivery Controller (ADC) and Gateway.

There were no known instances of the vulnerability being exploited in the wild at the time of disclosure. However, as of the first week of 2023, At-Bay’s cyber researchers claimed new information suggests the Royal ransomware group is now actively exploiting it. Royal, considered one of the more sophisticated ransomware groups, emerged in January 2022 and was particularly active in the second half of last year.

Beware: Tainted VPNs Spreading EyeSpy Surveillanceware

Hackers know how we use VPN services to protect ourselves from… them. According to The Hacker News, threat actors have created trojanized VPN installers to deliver surveillanceware dubbed EyeSpy as part of a malware campaign that began in May 2022. The campaign uses “components of SecondEye – a legitimate monitoring application – to spy on users of 20Speed VPN, an Iranian-based VPN service, via trojanized installers,” Bitdefender said in its analysis.

A majority of the infections are said to originate in Iran, with smaller detections in Germany and the U.S., the Romanian cybersecurity firm added.

EyeSpy’s capabilities include taking screenshots, activating the microphone, logging keystrokes, gathering files and saved browser passwords, and remotely controlling the machine to run arbitrary commands.

SecondEye previously came under the radar in August 2022, when Blackpoint Cyber revealed the threat actors’ use of its spyware modules and infrastructure for data and payload storage.

GPcode ransomware leaves victims stranded

The SonicWall Capture Labs threat research team has been tracking a well-established ransomware family known as GPcode. GPcode is typically spread through email attachments or social engineering, such as disguising the malware as a legitimate software update. Once run on a victim’s machine, it encrypts files using strong cryptography, specifically RSA-1024 combined with AES-256, which makes recovering the files without the attacker’s private key infeasible. GPcode has been active since 2005 and was nicknamed the “$20 ransomware”. It is considered one of the first examples of ransomware and is still seen in the wild today. However, the GPcode authors do not have a track record of providing decryption keys after a ransom is paid, and in this case they are uncontactable.

Infection Cycle:

Upon infection, files on the system are encrypted. Each encrypted file is given a “.ENCODED” file extension. The following image is displayed on the desktop background:

The following message is displayed using Notepad:

During runtime, the malware writes ntfs_system.bat and executes it:

ntfs_system.bat contains the following script. It deletes the original malware executable and then, via del %0, the batch file itself, removing both artifacts from disk:

del "{malware file path}"
del %0

The malware can be seen writing the ransom note file to the desktop:

We tried reaching out to the email address provided in the ransom note, but the email bounced:

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Gpcode.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Can You Catch All the Phish? Take Our New Phishing IQ Quiz and Find Out!

Sometimes you realize it just a split-second too late. A wave of terror passes over you as you wonder, What did I just click? I think I’ve really messed up!

If this sounds familiar to you, don’t beat yourself up. Being duped by a good phishing scam can happen to the very best of us, and you’re joining millions of innocent victims worldwide who have done the same.

But it’s also important to take immediate action and to know what you need to do to avoid repeating the mistake. The human element contributes to 82% of breaches, according to the 2022 Verizon DBIR. Besides employing security technologies to prevent phishing attacks, companies must also take a hardline approach to educating people on how to spot phishing emails.

To help avoid email scammers continuing to get the better of us, SonicWall is thrilled to announce our new online Phishing Quiz. This quiz is designed to help educate users on how to recognize common signs of a phishing email. And because it’s interactive, it’s more engaging and informative than a simple email or handout would be.

Email is often the first attack vector.

Based on the lessons of past data breaches, successful attacks chain multiple tactics, techniques and procedures (TTPs) to compromise the user, and in those events email was the channel that delivered at least one of the following:

  1. The initial URL, in the form of a link to an exploit kit or phishing website
  2. The malicious attachment, in the form of a dropper or payload
  3. A pretexting message that becomes the starting point for a social engineering attack, manipulating users into giving up their credentials, sending money, disclosing sensitive data, etc.

Today, we’re seeing targeted phishing and pretexting attacks that are very well developed. The genuine appearance of these emails sent from stolen or fake identities can trick even the most security-conscious users. In addition, security practitioners we spoke with said they still see users clicking on phishing emails because they are unable to discern legitimate emails from fake ones.

Phishing tactics, techniques and procedures (TTP) are too clever.

As security vendors create new capabilities to protect users from phishing emails that bypass pre-delivery filters, attackers are equally devoted to creating more clever ways to reach the inbox. An example of these attacks is a low-volume, high-quality targeted phishing email that appears to come from Microsoft 365 or Gmail, as shown below.

Phishing emails are now more advanced. Attackers can replicate MFA screens to steal credentials.

This fake email renders professionally and is personalized for specific users, as opposed to the traditional high-volume spray-and-pray campaigns of the past. These attacks are sophisticated in both their ability to reach the inbox and the user experience on the back end. Each link brings up the login window of the second page of the account challenge, which pre-populates the user’s email address. It already knows who you are.

The phishing innovation curve is now happening post-delivery, as in the above example. Instead of putting the malicious URL directly in the email, phishers link to a redirect server that acts as a gateway: requests that appear to come from a security vendor’s scanner are sent to a benign site, while requests from the intended victims are forwarded to the phishing server.

The obfuscation methods developed over the years include identity deception, multiple redirections, URL splits, HTML tag manipulation, polymorphic malware, and dynamic obfuscated scripts, to name a few. We have seen skilled hackers combine numerous obfuscation techniques inside targeted phishing campaigns to hide the true intent of the target page, which is often a credential-harvesting page.

People are not perfect.

“Human beings are not creatures of logic; we are creatures of emotion. And we do not care what’s true. We care how it feels,” said Will Smith, a famous actor, rapper and perhaps even philosopher of our generation. These words have a deep connection to those who live and breathe cybersecurity. The notion that as long as human emotions can be manipulated, someone will likely make a bad mistake underscores one of many complex challenges for security practitioners to fix, but it cannot be addressed through technology alone. While phishing prevention technologies are necessary, it is also essential to establish a cybersecurity awareness program.

Raise employee awareness with the SonicWall Phishing Quiz.

Aside from advancing the artificial intelligence and machine learning inside its security tools, SonicWall’s investment in training people to resist deception is part of a larger effort to make users part of the solution rather than part of the problem.

The belief that security rests solely on security practitioners and their technologies is dangerous, because when a phishing email inevitably does reach the inbox, there is no further line of defense. Reducing this human risk factor requires a culture and mindset adjustment at both the corporate and the individual level, aimed at getting everyone consciously thinking about security and proactively involved as a stakeholder in the organization’s defense.

In a simple but effective way, the SonicWall Phishing Quiz encourages people to stay aware and exercise healthy suspicion when checking and responding to emails. The quiz lets you interactively examine a series of sample emails, including embedded links, to test your intuition and knowledge in distinguishing legit versus phishing emails.

The Phishing IQ Test evaluates your ability to identify fraudulent emails using real examples of common phishing attacks.

To measure your own ability to spot phishing emails, take the SonicWall Phishing Quiz today.

Microsoft Security Bulletin Coverage for January 2023

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of January 2023. A list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2023-21552 Windows GDI Elevation of Privilege Vulnerability
ASPY 392: Malicious-exe exe.MP_294

CVE-2023-21674 Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability
ASPY 393: Malicious-exe exe.MP_295

CVE-2023-21768 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
ASPY 396: Malicious-exe exe.MP_296

Adobe Coverage:
CVE-2023-21604 Acrobat Reader Buffer Overflow
ASPY 397: Malformed-File pdf.MP_563

CVE-2023-21605 Acrobat Reader Buffer Overflow
ASPY 398: Malformed-File pdf.MP_564

CVE-2023-21581 Acrobat Reader Out-of-bounds Read
ASPY 399: Malformed-File pdf.MP_565

The following vulnerabilities do not have known exploits in the wild:
CVE-2023-21524 Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21525 Windows Encrypting File System (EFS) Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21527 Windows iSCSI Service Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21531 Azure Service Fabric Container Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21532 Windows GDI Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21535 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21536 Event Tracing for Windows Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21537 Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21538 .NET Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21539 Windows Authentication Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21540 Windows Cryptographic Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21541 Windows Task Scheduler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21542 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21543 Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21546 Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21547 Internet Key Exchange (IKE) Protocol Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21548 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21549 Windows Workstation Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21550 Windows Cryptographic Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21551 Microsoft Cryptographic Services Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21555 Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21556 Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21557 Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21558 Windows Error Reporting Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21559 Windows Cryptographic Services Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21560 Windows Boot Manager Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-21561 Microsoft Cryptographic Services Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21563 BitLocker Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-21675 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21676 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21677 Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21678 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21679 Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21680 Windows Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21681 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21682 Windows Point-to-Point Protocol (PPP) Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21683 Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21724 Microsoft DWM Core Library Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21725 Microsoft Windows Defender Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21726 Windows Credential Manager User Interface Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21727 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21728 Windows Netlogon Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21729 Remote Procedure Call Runtime Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21730 Windows Cryptographic Services Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21732 Microsoft ODBC Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21733 Windows Bind Filter Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21734 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21735 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21736 Microsoft Office Visio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21737 Microsoft Office Visio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21738 Microsoft Office Visio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21739 Windows Bluetooth Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21741 Microsoft Office Visio Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21742 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21743 Microsoft SharePoint Server Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-21744 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21745 Microsoft Exchange Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-21746 Windows NTLM Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21747 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21748 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21749 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21750 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21752 Windows Backup Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21753 Event Tracing for Windows Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21754 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21755 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21757 Windows Layer 2 Tunneling Protocol (L2TP) Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21758 Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21759 Windows Smart Card Resource Management Server Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-21760 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21761 Microsoft Exchange Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21762 Microsoft Exchange Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-21763 Microsoft Exchange Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21764 Microsoft Exchange Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21765 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21766 Windows Overlay Filter Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21767 Windows Overlay Filter Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21771 Windows Local Session Manager (LSM) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21772 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21773 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21774 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21776 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21779 Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21780 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21781 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21782 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21783 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21784 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21785 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21786 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21787 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21788 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21789 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21790 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21791 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21792 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21793 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.

Celebrating 2023 With Expanded “3 & Free”

In December, we announced our limited-time “3 & Free” promotion on SonicWall TZ370 and TZ470 firewalls. While promotions that include a free firewall have always been popular, the response to our TZ promotion has been tremendous.

As a result, we’ve decided to celebrate the arrival of the new year by dramatically expanding the scope of our offer: Our 3 & Free pricing now applies to almost every TZ Series firewall that SonicWall carries.

3 & Free: What’s New for 2023

While we’ve added new models to the promotion, qualifying for an upgrade to the latest TZ Series firewall is as simple as ever. Through March 31, current SonicWall customers or those looking to swap out a competitor’s appliance can purchase three years of SonicWall’s Advanced Protection Service Suite (APSS), and they’ll receive a TZ appliance absolutely free. 

Protect your brand, customers and data while stopping advanced cyberattacks, filtering dangerous content and enjoying 24x7 support

The APSS suite offers all the tools you need to protect against today’s sophisticated malware, ransomware, encrypted threats, viruses, spyware, zero-day exploits and more. The comprehensive package includes:

  • Capture Advanced Threat Protection with RTDMI™
  • Gateway Anti-Virus
  • Anti-Spyware
  • Intrusion Prevention
  • Application Firewall Service
  • Content Filtering Services
  • Comprehensive Anti-Spam
  • NSM Essential with Management and 7-Day Reporting and 24×7 Firmware Support

In addition, you’ll get all the benefits of our latest operating system, SonicOS 7. Built from the ground up to be simpler, more capable and more flexible than any OS before it, SonicOS 7 features advanced security, simplified policy management, and critical networking and management capabilities — all designed to meet the needs of distributed enterprises with next-gen SD-Branches and small- to medium-sized businesses.

“3 & Free”: More than just TZ

Our TZ Series promo is just one of three 3 & Free promotions we’re running to ring in the new year: We also have great deals on NSa Series NGFWs and SonicWave Access Points.

NSa Series “3 & Free”

Despite its remarkable versatility, the entry-level TZ Series isn’t a fit for every use case: Some larger and more complex deployments call for a more robust appliance. That’s why we’re also offering a 3 & Free promotion on two of our most popular NSa Series firewalls.

Through Jan. 31, 2023, when you purchase an NSa 2700 or NSa 3700 High Availability appliance and three years of Advanced Protection Service Suite, you’ll also get the primary NSa 2700 or NSa 3700 NGFW and a stateful HA Upgrade Service License free.

This promotion is for every SonicWall upgrade that qualifies, regardless of whether you’re a current SonicWall customer or you’re making the switch from a competing product.

Learn more about the NSa Series 3 & Free promotion and what sets the NSa Series apart from its competitors.

SonicWave Access Points “3 & Free”

If you’re all set for firewalls, but your wireless connectivity could use an upgrade, we also have a promo for you.

SonicWall’s 600 Series SonicWave Wireless Access Points leverage 802.11ax — the most advanced technology available — to deliver superior performance in complex, multi-device environments. These access points offer enterprises ‘always on, always secure’ access point operations, all while simplifying the user experience.

Best of all, while supplies last, when you buy three SonicWave 621, SonicWave 641 or SonicWave 681 access points, you’ll get the fourth absolutely free. This offer applies to access points purchased individually as well as four-packs and eight-packs, allowing you to multiply your savings.