RunpeX Abuses Legitimate AntiMalware Driver

The SonicWall Capture Labs Research team has observed RunpeX abusing a vulnerable version of a kernel driver belonging to Zemana AntiMalware. RunpeX is a protector and malware injector based on the KoiVM .NET protector, and it is widely used to deliver malware families such as Remcos, Formbook, AgentTesla, Redline and Vidar. The legitimate driver dropped by RunpeX is used to kill or disable AV/EDR processes that are normally protected. This technique is known as Bring Your Own Vulnerable Driver (BYOVD) and has previously been employed by APT groups, AV/EDR killer tools and ransomware actors.

Layer 1:

The first-stage loader is a .NET application that contains the encrypted second-stage payload hardcoded in a byte array. This byte array is decrypted and executed using the Assembly.Load() method.

Figure 1: Byte array contains encrypted second-stage loader and InvokeMethod() function 


Before executing the second-stage payload, a function named “Do()” is called to bypass AMSI detection by patching the AmsiScanBuffer() function.

Figure 2: Function to bypass AMSI  

Layer 2:

The second-stage loader is the .NET RunpeX injector, protected with a customized KoiVM virtualizer. This payload is responsible for installing the Zemana AntiMalware driver.

Figure 3: Decompiled code of second-stage payload


To disable security solutions, the second-stage payload drops and installs the Zemana driver. The driver is written to the root of the C: drive as “Zemana.sys” and is signed by “Zemana Ltd.”

Figure 4: Driver is signed by “Zemana Ltd”


To install the driver on the system, RunpeX elevates privileges using the CMSTP UAC bypass technique. The following command is executed to achieve privilege escalation:

  • “c:\windows\system32\cmstp.exe /au C:\windows\temp\1brdhu0p.inf”

Figure 5: Privilege escalation and UAC bypass using cmstp.exe


The INF file used in this UAC bypass is similar to a publicly available INF file on GitHub.

Figure 6: Content of inf file


In the next step, a driver service named “Zemana” is created to load the driver.

Figure 7: Service named “Zemana” is created to load driver


It then retrieves a handle to the loaded driver using the CreateFileA() function:

Figure 8: Code snippet to retrieve driver handle


Using the handle obtained in the previous step, RunpeX sends IOCTL code 0x80002010 to register itself with the driver as a trusted process.

Figure 9: IOCTL used to add process in trusted list


Finally, RunpeX sends another IOCTL code, 0x80002048, to terminate a target process, passing the process PID as the parameter. Using this IOCTL, it terminates every process present in its configuration list.

Figure 10: IOCTL used to terminate security software processes


Driver IOCTL functionality

The figure below shows the IOCTL handler functions that are part of the installed driver:

Figure 11: Driver function to handle IOCTLs
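As an added defender-side example (not code from SonicWall or from the RunpeX sample), the following Python runs a small set of detection rules over constructed Sysmon-style events that mirror the chain described above: the cmstp.exe /au UAC bypass, the driver written to C:\Zemana.sys, the “Zemana” service, and the load of a driver signed by “Zemana Ltd.” The event field names follow Sysmon conventions, and the sample events are constructed rather than captured telemetry.

```python
import json
import ntpath

# Constructed Sysmon-style events in JSON-lines form (sample data, not real
# telemetry). Event IDs follow Sysmon conventions: 1 = process create,
# 11 = file create, 6 = driver load; 7045 is the System log's service-install
# event. Only the fields the rules below need are included.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmstp.exe",
     "CommandLine": r"c:\windows\system32\cmstp.exe /au C:\windows\temp\1brdhu0p.inf",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\stage1.exe"},
    {"EventID": 11, "Image": r"C:\Users\user\AppData\Local\Temp\stage1.exe",
     "TargetFilename": r"C:\Zemana.sys"},
    {"EventID": 7045, "ServiceName": "Zemana", "ImagePath": r"C:\Zemana.sys",
     "ServiceType": "kernel mode driver"},
    {"EventID": 6, "ImageLoaded": r"C:\Zemana.sys", "Signature": "Zemana Ltd.",
     "Signed": "true"},
    # Benign noise that the rules must not flag.
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signature": "Microsoft Windows", "Signed": "true"},
])

# Driver name and signer taken from this report. A production watchlist would be
# far larger (for example the Microsoft vulnerable driver blocklist); the rule
# logic stays the same.
WATCHED_DRIVER_NAMES = {"zemana.sys"}
WATCHED_SIGNERS = {"zemana ltd."}
DRIVERS_DIR = "\\windows\\system32\\drivers\\"
WINDOWS_INF_DIR = "\\windows\\inf\\"


def _basename(path):
    # ntpath handles Windows paths regardless of the host platform.
    return ntpath.basename(path).lower()


def rule_cmstp_uac_bypass(ev):
    """cmstp.exe /au with an .inf outside the Windows INF directory: the UAC bypass step."""
    if ev.get("EventID") != 1 or _basename(ev.get("Image", "")) != "cmstp.exe":
        return None
    cmd = ev.get("CommandLine", "").lower()
    if "/au" in cmd and ".inf" in cmd and WINDOWS_INF_DIR not in cmd:
        return "cmstp_uac_bypass"
    return None


def rule_driver_written_outside_drivers_dir(ev):
    """A .sys file created anywhere but the system drivers directory (here the C: root)."""
    if ev.get("EventID") != 11:
        return None
    target = ev.get("TargetFilename", "").lower()
    if target.endswith(".sys") and DRIVERS_DIR not in target:
        return "driver_dropped_outside_drivers_dir"
    return None


def rule_watched_driver_service(ev):
    """Service install whose image is a watched driver (the 'Zemana' service in this report)."""
    if ev.get("EventID") != 7045:
        return None
    if _basename(ev.get("ImagePath", "")) in WATCHED_DRIVER_NAMES:
        return "watched_driver_service_installed"
    return None


def rule_watched_driver_loaded(ev):
    """Kernel driver load matched by file name or by signer on the watchlist."""
    if ev.get("EventID") != 6:
        return None
    if (_basename(ev.get("ImageLoaded", "")) in WATCHED_DRIVER_NAMES
            or ev.get("Signature", "").lower() in WATCHED_SIGNERS):
        return "watched_driver_loaded"
    return None


RULES = (rule_cmstp_uac_bypass, rule_driver_written_outside_drivers_dir,
         rule_watched_driver_service, rule_watched_driver_loaded)


def scan_events(jsonl):
    """Return (rule_name, event) pairs for every event that matches a rule."""
    findings = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for rule in RULES:
            name = rule(ev)
            if name:
                findings.append((name, ev))
    return findings


def byovd_chain_present(findings):
    """True when the UAC bypass, the dropped driver and the driver load were all seen,
    i.e. the full chain from this report rather than one isolated indicator."""
    seen = {name for name, _ in findings}
    return {"cmstp_uac_bypass", "driver_dropped_outside_drivers_dir",
            "watched_driver_loaded"} <= seen


if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for name, ev in hits:
        print(f"{name}: event {ev['EventID']}")
    print("BYOVD chain observed:", byovd_chain_present(hits))
```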

Indicators Of Compromise (IOCs):

  • 2d3c9078e40a6dd286b36dbaaf1f0a367d22a0f9e30a2fc93d1d8ba5b9b97ce8 – Initial Payload (.Net Application)

SonicWall Capture Labs provides protection against this threat via the following signature:

  • Injector.RPX (Trojan)

Cybersecurity News & Trends – 08-11-2023

It’s the middle of August, and SonicWall is having another excellent month. Be sure to check out the Mid-Year 2023 Cyber Threat Report for the latest must-know data and trends in the cybersecurity space.

In industry news, Dark Reading covered the recent rise in ransomware’s victim count. Data Breach Today provided details on a dangerous data leak with the police in Northern Ireland. Bleeping Computer had the lowdown on Missouri’s Medicaid data breach. Hacker News reported on a massive exposure of U.K. voter data.

Remember to keep your passwords close and your eyes peeled – cybersecurity is everyone’s responsibility.

SonicWall News

SonicWall Promotes Michelle Ragusa-McBain To Global Channel Chief

CRN, SonicWall News: SonicWall has promoted Michelle Ragusa-McBain to head its sizable global partner organization, just months after hiring the channel veteran as its North America channel chief. Looking ahead, SonicWall is planning to roll out a “soft launch” of its revamped SecureFirst Partner Program in September, with a full global launch of the new program planned for February 2024, Ragusa-McBain told CRN.

SonicWall Promotes Cisco Vet to Global Channel Leader

Channel Futures, SonicWall News: SonicWall has promoted Michelle Ragusa-McBain to vice president and global channel leader. She joined SonicWall as vice president and North America channel leader in May. A key theme for SonicWall’s channel strategy is embracing an outside-in approach to crafting its strategy and executing with partners. What that means is we’re listening to our partners and customers more than ever before, rather than operating in a vacuum and telling you what you need.

Ransomware Attacks Skyrocket in Q2 2023

Infosecurity Magazine, SonicWall News: “Ransomware attacks surged by 74% in Q2 2023 compared to the first three months of the year, a new report has found.

The 2023 SonicWall Mid-Year Cyber Threat Report observed two “very unbalanced quarters” regarding the volume of ransomware attacks so far this year. SonicWall Capture Labs Threat Researchers recorded 51.2 million attacks in Q1 2023, representing the smallest number of attacks since Q4 2019.”

How Bitcoin Swings Helped Drive an Almost Nine-fold Surge in Cryptojacking attacks in Europe

DL News, SonicWall News: Cryptojacking attacks skyrocketed when Bitcoin prices fell, and could be the overture to something worse, according to SonicWall researchers. These attacks turn victims’ computers into unknowing crypto mining rigs. Bitcoin reached a $68,000 high in November 2021 before crashing down to as low as just above $16,000 in 2022. It currently hovers around $30,000.

Cryptojacking attacks surge 399% globally as threat actors diversify tactics

ITPro, SonicWall News: Security experts have issued a warning over a significant increase in cryptojacking attacks as threat actors seek to ‘diversify’ their tactics. The volume of cryptojacking attacks surged by 788% in Europe during the first half of the year, with attacks in North America also rising by 345%.

SonicWall: Ransomware Declines Further As Attackers ‘Pivot’ Their Tactics

CRN, SonicWall News: Ransomware continued to lose favor among malicious actors during the first half of 2023, but overall intrusions increased as some attackers switched focus to other types of threats, according to newly released SonicWall data. In the cybersecurity vendor’s report on the first six months of the year, ransomware attack volume dropped 41 percent from the same period a year earlier, the report released Wednesday shows.

Evolving Threats – Evolved Strategy

ITVoice, SonicWall News: The ever-evolving cybersecurity landscape is rapidly changing, and businesses must change with it. The massively expanding, distributed IT reality is creating an unprecedented explosion of exposure points for sophisticated cybercriminals and threat actors to exploit.

Britain’s Biggest Hospital Held To Ransom

Cyber Security Intelligence, SonicWall News: SonicWall expert Spencer Starkey said “The healthcare sector continues to be a prime target for malicious actors as evidenced by the recent attack on Barts Health NHS Trust. Not only does this attack risk the potential for exposed patient data, but any significant IT issue that halts patient care poses an immediate threat to life.”

Hackers claim breach is the ‘biggest ever’ in NHS history

Silicon Republic, SonicWall News: Spencer Starkey, vice-president of EMEA at cybersecurity company SonicWall, said that the healthcare sector continues to be a “prime target” for hackers globally. “Not only does this attack risk the potential for exposed patient data, but any significant IT issue that halts patient care poses an immediate threat to life,” said Starkey, referring to the Barts Health cyberattack. The ramifications of an attack on the healthcare sector can be disastrous and it’s important to place the utmost amount of time, money and efforts on securing it.

How to Reach Compliance with HIPAA

TrendMicro, SonicWall News: According to the 2022 SonicWall Cyber Threat Report, healthcare continued a large spike in malware in 2021, at 121%, while the largest jump in IoT malware attacks belonged to healthcare, which saw a 71% year-over-year increase. To shed light on the significance malware can carry, it’s important to look at how recent breaches could’ve been circumvented by abiding to the HIPAA rules and safeguards.

Why Attackers Love to Target IoT Devices

VentureBeat, SonicWall News: Malicious objects were blocked on more than 40% of OT systems. SonicWall Capture Labs threat researchers recorded 112.3 million instances of IoT malware in 2022, an 87% increase over 2021.

Industry News

Zero-day Exploits Cause Rise in Ransomware Victims

Between the first quarter of 2022 and the first quarter of 2023, ransomware’s victim count rose by 143%. As noted in the Mid-Year 2023 Cyber Threat Report, ransomware attacks as a whole are down. So why might the number of victims be up? The answer: zero-day exploits. Ransomware attackers are increasingly choosing to exploit zero-day vulnerabilities when choosing their next targets. The researchers found that threat actors are moving away from classic attack methods like phishing and moving straight to finding zero-day exploits, either on the gray market or through in-house development. The Cl0p ransomware gang may be the most notorious example of this. This year alone they’ve used zero-day exploits to break into multiple large companies with exploits on Fortra’s GoAnywhere software and MOVEit’s file transfer tool. Researchers also found that ransomware groups are moving away from encrypting the victim’s data and moving more toward exfiltrating the data. Gone are the days when a hacked company could find a way to decrypt its data, leaving the attackers in the dust – with the switch to exfiltration, victims can now either pay up or risk having their data sold on the Dark Web. These are concerning trends to see, especially when many expect ransomware attack numbers to rebound in the second half of 2023. Robust cybersecurity measures and good cyber hygiene practices are the best ways for organizations to protect themselves from attacks.

Serious Data Mishap Puts Police in Northern Ireland in Danger

The Police Service of Northern Ireland (PSNI) accidentally uploaded a spreadsheet containing the first initials, surnames and locations of all officers and staff on its website earlier this week. The PSNI blamed ‘human error’ for the mistake. The spreadsheet was live on the PSNI website for at least three hours on Tuesday afternoon. Fortunately, the spreadsheet did not include home addresses. PSNI had created the spreadsheet to comply with a freedom of information request, but it’s unclear how it ended up on the website for public view, although an investigation is underway. This situation has even higher stakes with the historical context of policing in Northern Ireland. Many of the officers and employees actually hide their employment – some even go so far as to hide it from their families. That means that although it didn’t include home addresses, even the names of employees can have serious consequences. In March, the British government sounded the alarm on terrorism in Northern Ireland following an assassination attempt on a police officer. The head of a cybersecurity firm in Dublin called this leak “the most serious breach” he has ever seen. The information exposed in this spreadsheet could be used not just by petty criminals, but by republican paramilitaries to commit acts of terror against officers. The breach could result in numerous members of the PSNI needing to relocate their homes and families.

Missouri Medicaid Data Exposed in IBM MOVEit Breach

Following the Cl0p ransomware gang’s MOVEit file transfer tool attacks, Missouri’s Department of Social Services (DSS) has announced that sensitive healthcare information from Missouri’s Medicaid program was exposed. The attack didn’t actually take place on Missouri’s DSS – it was against IBM, which provides data services to the DSS. IBM stated that they’ve been working with the DSS to minimize the damage from this incident. According to the DSS, the exposed information potentially includes names, department client numbers, dates of birth, benefit eligibility and medical claims information. According to Bleeping Computer, only two Social Security Numbers were included in the breach. The Missouri DSS recommended that all involved individuals freeze their credit to prevent fraud.

Voter Data of Over 40 million Exposed in UK Electoral Commission Breach

Voters in the United Kingdom should be wary as the U.K.’s Electoral Commission has announced that they’ve suffered a “complex” cyberattack. The commission identified the incident in October 2022 but noted that the attackers had access to the system since August 2021. With over a year of free rein inside the Commission’s systems, the threat actors had access to the voter data of 40 million people. The only excluded parties are those who registered anonymously or electors registered outside of the U.K. According to Hacker News, the data included names, email addresses, home addresses, phone numbers, personal images and more. As of now, the identity of the attackers is unknown. It’s also unclear why the Commission waited 10 months to disclose this attack. The Commission’s email server was also exposed, which puts anyone who was in contact with the Commission through email at risk. A security watchdog recommended that anyone who has been in contact with the Commission and anyone who registered to vote between 2014 and 2022 should keep a careful eye out for unauthorized use of their personal information.

SonicWall Blog

Why Should You Choose SonicWall’s NSsp Firewalls? – Tiju Cherian

Utilize APIs to Scale Your MySonicWall Operation – Chandan Kumar Singh

First-Half 2023 Threat Intelligence: Tracking Cybercriminals Into the Shadows – Amber Wolff

If It’s Easy, It’s TZ – Tiju Cherian

Sonic Boom: Getting to Know the New SonicWall – Michelle Ragusa-McBain

SonicWall’s Traci McCulley Orr Honored as a Talent100 Leader – Bret Fitzgerald

3 & Free Promotion: How to Upgrade to a Gen 7 NSsp Firewall for Free – Michelle Ragusa-McBain

Monthly Firewall Services Option for Simplicity and Scalability – Sorosh Faqiri

Monitoring and Controlling Internet Usage with Productivity Reports – Ashutosh Maheshwari

SonicWall NSM 2.3.5 Brings Enhanced Alerting Capabilities – Suriti Singh

Is Red/Blue Teaming Right for Your Network? – Stephan Kaiser

NSv Series and Microsoft Azure’s Government Cloud: Strengthening Cloud Security – Tiju Cherian

Four SonicWall Employees Featured on CRN’s 2023 Women of the Channel List – Bret Fitzgerald

NSv Series and AWS GovCloud: Facilitating Government’s Move to the Cloud – Tiju Cherian

Microsoft Security Bulletin Coverage for August 2023

The SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of August 2023. A list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2023-35359 Windows Kernel Elevation of Privilege Vulnerability
ASPY 467: Exploit-exe exe.MP_334

CVE-2023-35380 Windows Kernel Elevation of Privilege Vulnerability
ASPY 465: Exploit-exe exe.MP_332

CVE-2023-35382 Windows Kernel Elevation of Privilege Vulnerability
ASPY 466: Exploit-exe exe.MP_333

CVE-2023-35384 Windows HTML Platforms Security Feature Bypass Vulnerability
IPS 15908: Windows HTML Platforms Security Feature Bypass (CVE-2023-35384)

CVE-2023-35386 Windows Kernel Elevation of Privilege Vulnerability
ASPY 469: Exploit-exe exe.MP_336

CVE-2023-36900 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 470: Exploit-exe exe.MP_337

The following vulnerabilities do not have exploits in the wild:
CVE-2023-21709 Microsoft Exchange Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-29328 Microsoft Teams Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-29330 Microsoft Teams Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35368 Microsoft Exchange Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35371 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35372 Microsoft Office Visio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35376 Microsoft Message Queuing Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-35377 Microsoft Message Queuing Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-35378 Windows Projected File System Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-35379 Reliability Analysis Metrics Calculation Engine (RACEng) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-35381 Windows Fax Service Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35383 Microsoft Message Queuing Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-35385 Microsoft Message Queuing Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35387 Windows Bluetooth A2DP driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-35388 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35389 Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35390 .NET and Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35391 ASP.NET Core SignalR and Visual Studio Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-35393 Azure Apache Hive Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-35394 Azure HDInsight Jupyter Notebook Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-36865 Microsoft Office Visio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36866 Microsoft Office Visio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36869 Azure DevOps Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-36873 .NET Framework Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-36876 Reliability Analysis Metrics Calculation (RacTask) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-36877 Azure Apache Oozie Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-36881 Azure Apache Ambari Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-36882 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36889 Windows Group Policy Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-36890 Microsoft SharePoint Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-36891 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-36892 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-36893 Microsoft Outlook Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-36894 Microsoft SharePoint Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-36895 Microsoft Outlook Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36896 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36897 Visual Studio Tools for Office Runtime Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-36898 Tablet Windows User Interface Application Core Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36899 ASP.NET Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-36903 Windows System Assessment Tool Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-36904 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-36905 Windows Wireless Wide Area Network Service (WwanSvc) Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-36906 Windows Cryptographic Services Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-36907 Windows Cryptographic Services Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-36908 Windows Hyper-V Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-36909 Microsoft Message Queuing Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-36910 Microsoft Message Queuing Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36911 Microsoft Message Queuing Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36912 Microsoft Message Queuing Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-36913 Microsoft Message Queuing Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-36914 Windows Smart Card Resource Management Server Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-38154 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-38167 Microsoft Dynamics Business Central Elevation Of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-38169 Microsoft OLE DB Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-38170 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-38172 Microsoft Message Queuing Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-38175 Microsoft Windows Defender Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-38176 Azure Arc-Enabled Servers Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-38178 .NET Core and Visual Studio Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-38180 .NET and Visual Studio Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-38181 Microsoft Exchange Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-38182 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-38184 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-38185 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-38186 Windows Mobile Device Management Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-38188 Azure Apache Hadoop Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-38254 Microsoft Message Queuing Denial of Service Vulnerability
There are no known exploits in the wild.

Why Should You Choose SonicWall’s NSsp Firewalls?

SonicWall’s firewalls for small and medium-sized businesses have a huge following, and for good reason: With award-winning threat protection and industry-leading TCO, our TZ and NSa Series firewalls offer some of the best values on the market today.

But just because these solutions are great, that doesn’t mean they’re a great fit for every business. If you’re securing a large enterprise, your security needs — from the number of ports and connections, to depth and breadth of management capabilities — are likely to be much different than those of a typical SMB. Fortunately, SonicWall offers a NGFW purpose-built for securing these massive (and often, massively complex) environments.

What is the SonicWall NSsp firewall?

NSsp stands for Network Security Services Platform. The SonicWall NSsp is a next-generation firewall with high port density and multi-gig speed interfaces. Designed for large enterprise, higher education, government agencies and MSSPs, it can process several million connections, scanning for zero-day (with Capture ATP) and other advanced threats and eliminating them in real time without slowing performance.

Like our other hardware and virtual firewall models, SonicWall NSsp runs on the SonicOS operating system. SonicOS leverages its patented, single-pass, low-latency Reassembly-Free Deep Packet Inspection (RFDPI) and Real-Time Deep Memory Inspection (RTDMI™) technologies to deliver industry-validated high security effectiveness, SD-WAN, real-time visualization, high-speed virtual private networking (VPN) and other robust security features.

How SonicWall NSsp empowers MSSPs, universities, and federal and enterprise customers

As business evolves — and as managed and unmanaged devices, networks, cloud workloads, SaaS applications, users, internet speeds, and encrypted connections all continue to proliferate — a firewall solution that cannot support any one of these becomes a chokepoint. When this happens, your firewall can quickly go from offering peace of mind to becoming a point of fear in and of itself.

From the 10700 all the way to the multi-bladed 15700 model, the SonicWall NSsp firewalls were designed to handle even the largest and most complex environments. Our multi-bladed units feature a modular design that minimizes required space and power consumption, ensuring that this firewall offers the maximum performance while minimizing physical size.

The NSsp Series includes multiple 100G/40G/10G interfaces, which allow you to process several million simultaneous encrypted and unencrypted connections with unparalleled threat prevention technology. With 70% of all sessions today being encrypted, having a firewall that can process and examine this traffic without impacting the end-user experience is critical to both productivity and network security.

Day-to-day management, monitoring and reporting of network activities is handled through the SonicWall Network Security Manager (NSM). This management solution provides an intuitive dashboard for managing firewall operations and accessing historical reports — all from a single source. The NSsp’s simplified deployment and setup, along with its ease of management, enable organizations to lower their total cost of ownership and realize a high return on investment.

How the SonicWall NSsp firewall beats the competition

SonicWall is known for offering superb NGFWs at a lower TCO, and the NSsp is no different. As these devices are often used by enterprises with redundancy as one of their core requirements, SonicWall offers even greater savings versus other vendors when deploying in an HA (High-Availability) configuration. When purchasing your HA solution through SonicWall, there’s no cost for subscription/services on the secondary unit.

It is very important to compare the threat performance and the cost of the solution to calculate the actual TCO. You’re not really using a firewall unless you have turned on all the security services, so any meaningful evaluation requires that every service that would be operating during a normal day be on for testing. SonicWall also offers a report called Capture Threat Assessment (CTA 2.0) that can be used to evaluate the overall effectiveness of the solution. Below is a snippet from a CTA report’s executive summary page:

An image that shows a summary of the advantages of the NSsp firewall through SonicWall Network Security Manager (NSM).

A chart that illustrates the application highlights of the SonicWall NSsp.

We recently commissioned the Tolly Group to compare the SonicWall NSsp with a comparable Fortinet solution, and the NSsp came out on top. Read the Tolly Group’s report comparing NSsp firewalls with Fortinet’s solution.

Conclusion

When evaluating enterprise firewall vendors and the overall solution’s TCO, keep in mind the importance of threat performance with all the security services turned ON. SonicWall NSsp NGFW provides you the right combination of features and solutions, all with the performance your enterprise environment requires.

Netgear ProSAFE NMS300 SQLi Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  The Netgear ProSAFE Network Management System (NMS300) is a centralized and comprehensive management application designed for network administrators. It enables them to discover, monitor, configure, and report on SNMP-based enterprise-class network devices. The Netgear Network Management System NMS300 provides insights into network elements, including third-party devices, and its web-based user interface simplifies the process of monitoring and administering an entire network.

  An SQL injection vulnerability has been reported in Netgear ProSafe NMS300. This vulnerability arises due to improper input validation in the getNodesByTopologyMapSearch component.

  A remote, authenticated attacker could exploit this vulnerability by sending a specially crafted request to the target server. Successful exploitation of this vulnerability could result in SQL injection or, in the worst-case scenario, remote code execution in the context of the SYSTEM user.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-38099.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is low.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.6 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  When a user navigates to the device list through the topology map search feature, an HTTP GET request is dispatched to the Request-URI “/topology.do?method=getDeviceListByDim”. Upon receipt of this request, the function TopologyMapController.getDeviceByDim() is invoked. This function displays the values of all devices identified in the preceding search request. Multiple parameter values are saved into different variables, with the ‘exclude’ parameter being of particular relevance to this vulnerability. The value for the ‘exclude’ parameter is stored in the ‘exclude’ variable.

  Following this, the NodeInfoDao.getNodesTopologyMapSearch() method is invoked, passing the ‘exclude’ variable’s value into the ‘equips’ variable. This function is responsible for constructing and running the SQL query needed to fetch the specified device list. The corresponding SQL query is stored as a string in the ‘sql’ variable:
  
  If the ‘equips’ variable’s value is not empty, the string ” and nodeId not in (equips) ” is appended to the ‘sql’ variable’s value (where equips is replaced by the ‘equips’ variable’s value). The SQL query contained in the ‘sql’ variable is then executed, and the result of the query is returned.
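  To make the pattern in the overview concrete, here is an added example (written for this page, not NMS300 code) that reproduces the string-concatenation pattern the advisory describes against an in-memory SQLite table and places it beside a hardened version that validates the exclude list and binds each id as a parameter. The table name `nodes`, the columns other than `nodeId`, the sample rows and the function names are assumptions.

```python
import sqlite3
from typing import List, Tuple

# Constructed inventory standing in for the NMS300 node table. The table name,
# the columns other than nodeId and the rows are assumptions for this example.
SEED_ROWS: List[Tuple[int, str, str]] = [
    (1, "core-sw-01", "10.0.0.1"),
    (2, "edge-sw-02", "10.0.0.2"),
    (3, "ap-03", "10.0.0.3"),
    (4, "fw-04", "10.0.0.4"),
]


def open_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE nodes (nodeId INTEGER, name TEXT, ip TEXT)")
    conn.executemany("INSERT INTO nodes VALUES (?, ?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def get_nodes_vulnerable(conn: sqlite3.Connection, equips: str) -> List[Tuple]:
    """Reproduces the pattern the advisory describes: the raw value of the
    'exclude' parameter (here 'equips') is spliced into the query text, so
    the caller controls part of the SQL statement."""
    sql = "SELECT nodeId, name, ip FROM nodes WHERE 1=1"
    if equips:
        sql += " and nodeId not in (" + equips + ") "
    return conn.execute(sql).fetchall()


def parse_node_ids(equips: str) -> List[int]:
    """Hardened input handling: the parameter is treated as a comma-separated
    list of integer node ids, so anything else is rejected before it can
    reach the database."""
    ids: List[int] = []
    for part in equips.split(","):
        part = part.strip()
        if not part:
            continue
        if not part.isdigit():
            raise ValueError(f"invalid node id in exclude list: {part!r}")
        ids.append(int(part))
    return ids


def get_nodes_safe(conn: sqlite3.Connection, equips: str) -> List[Tuple]:
    """Same query, but the id list is validated and bound as parameters.
    'NOT IN (...)' needs one placeholder per value, which is why the
    placeholder string is built dynamically while the values are not."""
    ids = parse_node_ids(equips)
    sql = "SELECT nodeId, name, ip FROM nodes WHERE 1=1"
    params: List[int] = []
    if ids:
        sql += " and nodeId not in (" + ",".join("?" * len(ids)) + ")"
        params = ids
    return conn.execute(sql, params).fetchall()


def safe_rejects(conn: sqlite3.Connection, equips: str) -> bool:
    """True when the hardened path refuses the value instead of querying."""
    try:
        get_nodes_safe(conn, equips)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = open_db()
    # A well-formed exclude list behaves the same on both paths.
    print(get_nodes_vulnerable(db, "2,4"))
    print(get_nodes_safe(db, "2,4"))
    # A value that closes the IN list and appends a tautology is executed by
    # the vulnerable builder and refused by the hardened one.
    tampered = "0) or 1=1 --"
    print(len(get_nodes_vulnerable(db, tampered)), "rows from the vulnerable query")
    print("hardened path rejected it:", safe_rejects(db, tampered))
```

  The point of the hardened version is that the only part of the statement built from the request is the count of placeholders; the values themselves never become SQL text, which is also why an IPS signature on the request is a compensating control rather than a replacement for the vendor patch.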

Triggering the Problem:

  • The target must be running a vulnerable version of the software.
  • The attacker must have network access to the vulnerable software.
  • The attacker must have permission to view the device list via the Topology map search component.

Triggering Conditions:

  The vulnerability is triggered when the server receives and processes an HTTP request whose ‘exclude’ parameter carries an embedded SQL injection payload.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS
  What a successful GET Request might look like:
  

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 4001 NETGEAR ProSAFE NMS300 SQL Injection

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Applying the vendor-supplied patch to eliminate this vulnerability.
    • Filtering traffic based on the signature above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

Cybersecurity News & Trends – 08-04-2023

August is here, and today we’re celebrating National Chocolate Chip Cookie Day – you should consider doing the same. SonicWall has had a great week in the news following last week’s release of our Mid-Year Update to the 2023 Cyber Threat Report, as well as this week’s announcement of Michelle Ragusa-McBain’s promotion to SonicWall Global Channel Chief, which was covered by both CRN and Channel Futures.

In industry news, TechCrunch covered a Russian state-backed Microsoft Teams attack. Nextgov broke down the Biden administration’s new National Cyber Workforce and Education Strategy. Dark Reading provided details on Tesla jailbreaks that could put more drivers in the hot seat – literally. Bleeping Computer had the lowdown on Chinese hackers breaching air-gapped computers in Eastern Europe.

Remember to keep your passwords close and your eyes peeled: cybersecurity is everyone’s responsibility.

SonicWall News

SonicWall Promotes Michelle Ragusa-McBain To Global Channel Chief

CRN, SonicWall News: SonicWall has promoted Michelle Ragusa-McBain to head its sizable global partner organization, just months after hiring the channel veteran as its North America channel chief. Looking ahead, SonicWall is planning to roll out a “soft launch” of its revamped SecureFirst Partner Program in September, with a full global launch of the new program planned for February 2024, Ragusa-McBain told CRN.

SonicWall Promotes Cisco Vet to Global Channel Leader

Channel Futures, SonicWall News: SonicWall has promoted Michelle Ragusa-McBain to vice president and global channel leader. She joined SonicWall as vice president and North America channel leader in May. A key theme for SonicWall’s channel strategy is embracing an outside-in approach to crafting its strategy and executing with partners. What that means is we’re listening to our partners and customers more than ever before, rather than operating in a vacuum and telling you what you need.

Ransomware Attacks Skyrocket in Q2 2023

Infosecurity Magazine, SonicWall News: “Ransomware attacks surged by 74% in Q2 2023 compared to the first three months of the year, a new report has found.

The 2023 SonicWall Mid-Year Cyber Threat Report observed two “very unbalanced quarters” regarding the volume of ransomware attacks so far this year. SonicWall Capture Labs Threat Researchers recorded 51.2 million attacks in Q1 2023, representing the smallest number of attacks since Q4 2019.”

How Bitcoin Swings Helped Drive an Almost Nine-fold Surge in Cryptojacking attacks in Europe

DL News, SonicWall News: Cryptojacking attacks skyrocketed when Bitcoin prices fell, and could be the overture to something worse, according to SonicWall researchers. These attacks turn victims’ computers into unknowing crypto mining rigs. Bitcoin reached a $68,000 high in November 2021 before crashing down to as low as just above $16,000 in 2022. It currently hovers around $30,000.

Cryptojacking attacks surge 399% globally as threat actors diversify tactics

ITPro, SonicWall News: Security experts have issued a warning over a significant increase in cryptojacking attacks as threat actors seek to ‘diversify’ their tactics. The volume of cryptojacking attacks surged by 788% in Europe during the first half of the year, with attacks in North America also rising by 345%.

SonicWall: Ransomware Declines Further As Attackers ‘Pivot’ Their Tactics

CRN, SonicWall News: Ransomware continued to lose favor among malicious actors during the first half of 2023, but overall intrusions increased as some attackers switched focus to other types of threats, according to newly released SonicWall data. In the cybersecurity vendor’s report on the first six months of the year, ransomware attack volume dropped 41 percent from the same period a year earlier, the report released Wednesday shows.

Evolving Threats – Evolved Strategy

ITVoice, SonicWall News: The ever-evolving cybersecurity landscape is rapidly changing, and businesses must change with it. The massively expanding, distributed IT reality is creating an unprecedented explosion of exposure points for sophisticated cybercriminals and threat actors to exploit.

Britain’s Biggest Hospital Held To Ransom

Cyber Security Intelligence, SonicWall News: SonicWall expert Spencer Starkey said “The healthcare sector continues to be a prime target for malicious actors as evidenced by the recent attack on Barts Health NHS Trust. Not only does this attack risk the potential for exposed patient data, but any significant IT issue that halts patient care poses an immediate threat to life.”

Hackers claim breach is the ‘biggest ever’ in NHS history

Silicon Republic, SonicWall News: Spencer Starkey, vice-president of EMEA at cybersecurity company SonicWall, said that the healthcare sector continues to be a “prime target” for hackers globally. “Not only does this attack risk the potential for exposed patient data, but any significant IT issue that halts patient care poses an immediate threat to life,” said Starkey, referring to the Barts Health cyberattack. The ramifications of an attack on the healthcare sector can be disastrous and it’s important to place the utmost amount of time, money and efforts on securing it.

How to Reach Compliance with HIPAA

TrendMicro, SonicWall News: According to the 2022 SonicWall Cyber Threat Report, healthcare continued a large spike in malware in 2021, at 121%. While the largest jump in IoT malware attacks belonged to healthcare, which saw a 71% year-over-year increase. To shed light on the significance malware can carry, it’s important to look at how recent breaches could’ve been circumvented by abiding to the HIPAA rules and safeguards.

Why Attackers Love to Target IoT Devices

VentureBeat, SonicWall News: Malicious objects were blocked on more than 40% of OT systems. SonicWall Capture Labs threat researchers recorded 112.3 million instances of IoT malware in 2022, an 87% increase over 2021.

Industry News

US Cyber Workforce to Expand Under New White House Strategy

The new National Cyber Workforce and Education Strategy was released by the Biden administration this week. The plan centers around making cybersecurity education more affordable and accessible and also making cybersecurity concepts more of a focus in early childhood education. The plan was released by the Office of the National Cyber Director, which is currently occupied by Camille Stewart Gloster while Harry Coker Jr awaits confirmation. Stewart Gloster explained that the plan is upheld by four pillars – teach every American foundational cyber skills, strengthen and grow America’s cyber workforce, transform cyber education and strengthen the federal cyber workforce. Obviously, not every American will end up working in cybersecurity, but having those foundational skills will still be a huge benefit to the country as a whole. Demand for skilled cybersecurity workers is higher than ever currently. Under the Biden administration’s plan, some of the barriers to breaking into the cyber workforce will be lowered or broken down to allow more diverse workers and workers coming from lower-income backgrounds to get a foot in the door. This plan will not create changes overnight, but it’s a positive step forward in a world increasingly jostled by cyberattacks.

Russian Threat Actors Hack Government Agencies Using Microsoft Teams

A social-engineering attack from Russian state-sponsored hackers has left dozens of organizations across the globe feeling vulnerable, including some government agencies in the United States. The Russian hacker group ‘Cozy Bear’ posed as technical support staff on Microsoft Teams in order to steal user credentials and infiltrate organizations. The threat actors used already compromised Microsoft 365 accounts to make the phony accounts and sent messages to Teams users trying to get them to approve multi-factor authentication prompts. Once they got in, they then exfiltrated sensitive data. Microsoft didn’t name any of the organizations or agencies that fell victim to these attacks, but they did state that the targets indicated “specific espionage activities” from the hackers.

Researchers Have Figured Out How to Jailbreak Teslas

Where there is a feature locked behind a paywall, there are people who want to find a way to get past it, and Teslas are no different. Researchers have found that it’s possible to jailbreak a Tesla to unlock paywalled features like heated seats, faster acceleration and even faster internet speeds. The jailbreak can even unlock self-driving features that are against the law in certain parts of the world. The researchers were doctoral students from Technical University Berlin, and they’ll present their research at Black Hat USA next week. One of the students claimed that the attack they’ve discovered can be pulled off by anyone with an electrical engineering background, a soldering iron and around $100. Using the attack, the students were able to take it a step further and reverse-engineer the boot flow to extract a “vehicle-unique, hardware-bound RSA key” that is used to authenticate the car to Tesla’s network. It’s that key that can allow users to implement region-locked features like maps and self-driving. The researchers did note that this attack could also be used for more nefarious purposes such as stealing private data and personal information. The full scope of the attack should be unveiled at Black Hat USA in the session titled, “Jailbreaking an Electric Vehicle in 2023 or What It Means to Hotwire Tesla’s x86-Based Seat Heater.”

Air-gapped Devices in Eastern Europe Breached by New Malware

Industrial organizations in Eastern Europe have been under fire recently from a Chinese state-sponsored hacking group known as ‘Zirconium.’ Zirconium has been developing a new type of attack to steal data from air-gapped computers, which are typically responsible for critical functions and holding an organization’s most sensitive data. The attack works by using a complex system of implants and modules in stages to profile the systems, infect them, steal data and finally export data. The stolen files are actually archived using WinRAR and then uploaded to Dropbox. The entire attack took over a year, beginning in April 2022 and involving three separate stages. Bleeping Computer has a more in-depth analysis of exactly how the attack works from beginning to end.

SonicWall Blog

Utilize APIs to Scale Your MySonicWall Operation – Chandan Kumar Singh

First-Half 2023 Threat Intelligence: Tracking Cybercriminals Into the Shadows – Amber Wolff

If It’s Easy, It’s TZ – Tiju Cherian

Sonic Boom: Getting to Know the New SonicWall – Michelle Ragusa-McBain

SonicWall’s Traci McCulley Orr Honored as a Talent100 Leader – Bret Fitzgerald

3 & Free Promotion: How to Upgrade to a Gen 7 NSsp Firewall for Free – Michelle Ragusa-McBain

Monthly Firewall Services Option for Simplicity and Scalability – Sorosh Faqiri

Monitoring and Controlling Internet Usage with Productivity Reports – Ashutosh Maheshwari

SonicWall NSM 2.3.5 Brings Enhanced Alerting Capabilities – Suriti Singh

Is Red/Blue Teaming Right for Your Network? – Stephan Kaiser

NSv Series and Microsoft Azure’s Government Cloud: Strengthening Cloud Security – Tiju Cherian

Four SonicWall Employees Featured on CRN’s 2023 Women of the Channel List – Bret Fitzgerald

NSv Series and AWS GovCloud: Facilitating Government’s Move to the Cloud – Tiju Cherian

Utilize APIs to Scale Your MySonicWall Operation

At SonicWall, we strongly believe in simplifying technology and techniques for our partners and customers. We’re continuously putting forth the effort to make the jobs of our MSP and MSSP partners easier and more scalable. In the modern era, with our partners and customers using an increasing number of different technologies and products, it can be challenging to stay in sync and to integrate with various ecosystems.

We’ve been receiving requests from our partners to enable access to MySonicWall APIs without needing to log in to MySonicWall. We’re thrilled to announce that we’ve recently made our MySonicWall APIs publicly available to anyone with MySonicWall access  — and we believe this will revolutionize the way that our partners use our product.

Features & Functionality

The MySonicWall API (MSW API) feature has been designed to make our partners’ lives easier and their work more organized. With our new API functionality, our partners and customers can access our product’s features and functionalities programmatically. These integration capabilities will enable them to create custom workflows, push and pull data, and automate processes across multiple applications using our product as a tool. With this functionality, they can:

  • Create MSW API tokens for/by themselves
  • Use MSW API to generate tokens for different SonicWall products (i.e., NSM, etc.)
  • Create/manage MySonicWall users
  • Access MSSP monthly provisioning operations
  • Create/manage MySonicWall tenants
  • Create/manage SonicWall products
  • Get billing/license details
  • Get tenant and product details for audit and reporting purposes

But that’s not all — for more information about everything you can do with MSW APIs, along with sample use cases, check out the MySonicWall API User Guide.

User Interface

We have designed the API user interface to be clean, simple and intuitive. To generate an MSW API token, simply log in to MySonicWall, navigate to My Workspace -> User Groups -> User List, and click on “Generate My API Key.”

After clicking, a new dialog box will open. Enter the description, IP address (optional field), select the validity period and click on the Confirm button to create the API token. Make sure to copy and save the API token.

We are delighted to bring this innovative technology to our partners, and we’re confident that the MSW API feature will make our product more efficient, productive and easy to use.

Availability

The MSW API feature is available to MSSP monthly partners automatically and to our entire partner community on a by-request basis, and we are excited to get feedback from our users. This new functionality is part of our ongoing commitment to make our product more accessible to our customers, and we believe that it will significantly benefit them by enabling faster provisioning, reducing errors and improving productivity.

Our team has been working tirelessly on this new feature, and we are excited to share it with our customers. We’re confident that our API functionality will provide a new level of integration, setting the stage for limitless opportunities and possibilities. We’re continuously striving to make our products and technology more user-friendly and scalable while also working to make sure they seamlessly integrate with your ecosystem.

To get started with our API functionality, please head over to the Getting Started Knowledge Base article and follow the easy-to-use documentation or post your queries to the ‘Community’ page for further assistance.

Thank you for your continued support, and we can’t wait to see how you will use this new feature to improve your work and lives.

A new variant from Chaos Ransomware family surfaces

The SonicWall Capture Labs Research team has received a sample of a new variant from the Chaos Ransomware family. Chaos is a customizable ransomware builder that emerged in underground forums, falsely marketing itself as the .NET version of Ryuk.

The builder provides the following customizable options, which a cybercriminal can use to tailor the generated ransomware:

  • processName = “svchost.exe”;
  • sleepTextbox = 10;
  • spreadName = “surprise.exe”;
  • userDir = “C:\\Users\\”;
  • checkAdminPrivilage = true;
  • checkCopyRoaming = true;
  • checkdeleteBackupCatalog = true;
  • checkdeleteShadowCopies = true;
  • checkdisableRecoveryMode = true;
  • checkSleep = false;
  • checkSpread = true;
  • checkStartupFolder = true;
  • droppedMessageTextbox = “read_it.txt”;
  • encryptedFileExtension = “”;
  • encryptionAesRsa = true;
  • messages = new string[]; #Ransomware message content

Infection Cycle:

At the start of execution it checks its own filename and the location from which it is running.

If the process name and location are not %appdata%\\svchost.exe, it drops a copy of itself to %appdata%\\svchost.exe and launches it.

It then checks the “checkSleep” flag supplied at build time. If the value is False, it skips the sleepOutOfTempFolder() function. That function also checks the folder from which the sample is running; if the path does not match, it takes the “sleepTextbox” value, multiplies it by 1000 and passes the result to a thread sleep, pausing execution for that many milliseconds.

It then checks the checkStartupFolder flag and, if it is true, calls the addLinkToStartup() function.

This function creates a file named svchost.url containing the location of the dropped file and copies it into the user’s Startup folder so that the ransomware runs automatically at every system startup.

It has a hardcoded list of directories, and only files in those directories whose extensions appear in a hardcoded list of valid extensions are encrypted.

List of targeted file extensions

Before encrypting a file it checks that the extension is in the list of valid file extensions and that the filename is not the one supplied in droppedMessageTextbox at the time of building the ransomware.

droppedMessageTextbox holds the name of the file that contains the ransom message.
In our case the filename is “read_it.txt”.

Before encrypting a file it checks the file length.
If the file length is below 2,117,152 bytes, it encrypts the file using the EncryptFile method. If the size is bigger than
2,117,152 bytes, a random string of a random length between 200000000 and 300000000 bytes is generated and encoded using the randomEncode method.

It creates a 20-byte random password and converts it to a byte array using UTF-8 encoding.
The content of the file is then AES encrypted using that key.
It then encrypts the key generated earlier using RSA encryption.

The AES-encrypted content is then Base64 encoded.

It then concatenates the RSA-encrypted key and the Base64-encoded content and writes them to the file using the File.WriteAllText method.

Finally, the original file is moved to the same location with a random extension appended, generated by the RandomStringForExtension method.
It then drops “read_it.txt”, containing the ransom message, in that location.

Once encryption is done, it deletes shadow copies, disables Recovery Mode and deletes the backup catalog using the commands below.

“vssadmin delete shadows /all /quiet & wmic shadowcopy delete”
“bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no”
“wbadmin delete catalog -quiet”
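The three commands above are the most reliable host-level indicators in this chain, so here is an added detection example (written for this page, not SonicWall signature logic) that flags them in process-creation events and also flags an image named svchost.exe running outside System32, which matches the %appdata%\\svchost.exe drop location described earlier. The event records, their field names, the user name and the PIDs are constructed; the command lines reproduce the ones quoted in the analysis.

```python
import ntpath
import re
from typing import Dict, List, Pattern, Tuple

# Constructed process-creation events (field names and PIDs are assumptions,
# not taken from the analysed sample). The three command lines reproduce the
# commands quoted in the analysis; the image path follows the
# %appdata%\\svchost.exe drop location described above.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"pid": "4120", "image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "cmdline": "vssadmin delete shadows /all /quiet & wmic shadowcopy delete"},
    {"pid": "4121", "image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures "
                "& bcdedit /set {default} recoveryenabled no"},
    {"pid": "4122", "image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
    # Benign noise: the real service host and a read-only vssadmin query.
    {"pid": "0900", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"pid": "2210", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
]

# Each rule maps a command-line pattern to the recovery feature it removes.
RECOVERY_TAMPER_RULES: List[Tuple[str, Pattern[str]]] = [
    ("shadow_copies_deleted",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copies_deleted",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("recovery_mode_disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+"
                r"(?:bootstatuspolicy\s+ignoreallfailures|recoveryenabled\s+no)\b",
                re.I)),
    ("backup_catalog_deleted",
     re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I)),
]

LEGITIMATE_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def masquerades_as_svchost(image: str) -> bool:
    """svchost.exe belongs in System32/SysWOW64; the sample copies itself to
    %appdata%\\svchost.exe, so the same file name elsewhere is suspicious."""
    return (ntpath.basename(image).lower() == "svchost.exe"
            and ntpath.dirname(image).lower() not in LEGITIMATE_SVCHOST_DIRS)


def classify(event: Dict[str, str]) -> List[str]:
    """Return the ordered, de-duplicated list of findings for one event."""
    findings: List[str] = []
    for label, pattern in RECOVERY_TAMPER_RULES:
        if pattern.search(event["cmdline"]) and label not in findings:
            findings.append(label)
    if masquerades_as_svchost(event["image"]):
        findings.append("svchost_masquerade_outside_system32")
    return findings


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Keep only events with findings, in input order."""
    hits: List[Dict[str, object]] = []
    for event in events:
        findings = classify(event)
        if findings:
            hits.append({"pid": event["pid"], "image": event["image"],
                         "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["pid"], hit["image"], ", ".join(hit["findings"]))
```

The recovery-tampering commands are rare in legitimate administration and all three land within seconds of each other here, so alerting on any one of them, and escalating when the parent image also fails the svchost path check, gives a high-confidence signal before the ransom note appears.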

In order to spread, it loops through all available drives on the system; if a drive is not the C:\ drive and the spreadName file is not already present there, it copies the malware’s file to that drive under the specified spreadName.

This way the malware can potentially infect other machines whose drives are mapped onto the victim’s machine.

Once encryption is complete it displays the ransom message text.

It sets the wallpaper shown below.

SonicWall Capture Labs provides protection against this threat via the following signature:

GAV:MalAgent.RSM_99 (Ransomware)

Cybersecurity News & Trends – 07-27-2023

This week, SonicWall is celebrating the release of the mid-year update to the 2023 Cyber Threat Report. Infosecurity Magazine, CRN, DL News and ITPro have already pored through the report – be sure to give it a read for the latest threat intelligence and fresh insights into the current threat landscape.

In industry news, Dark Reading reported on new data showing that the cost of a data breach has increased and also detailed the Biden administration’s nomination for National Cyber Director. Bleeping Computer broke down a massive crypto heist pulled off by North Korea’s Lazarus group. TechCrunch provided details on a worm malware spreading through Call of Duty lobbies.

Remember to keep your passwords close and your eyes peeled – cybersecurity is everyone’s responsibility.

SonicWall News

Ransomware Attacks Skyrocket in Q2 2023

Infosecurity Magazine, SonicWall News: “Ransomware attacks surged by 74% in Q2 2023 compared to the first three months of the year, a new report has found.

The 2023 SonicWall Mid-Year Cyber Threat Report observed two “very unbalanced quarters” regarding the volume of ransomware attacks so far this year. SonicWall Capture Labs Threat Researchers recorded 51.2 million attacks in Q1 2023, representing the smallest number of attacks since Q4 2019.”

How Bitcoin Swings Helped Drive an Almost Nine-fold Surge in Cryptojacking attacks in Europe

DL News, SonicWall News: Cryptojacking attacks skyrocketed when Bitcoin prices fell, and could be the overture to something worse, according to SonicWall researchers. These attacks turn victims’ computers into unknowing crypto mining rigs. Bitcoin reached a $68,000 high in November 2021 before crashing down to as low as just above $16,000 in 2022. It currently hovers around $30,000.

Cryptojacking attacks surge 399% globally as threat actors diversify tactics

ITPro, SonicWall News: Security experts have issued a warning over a significant increase in cryptojacking attacks as threat actors seek to ‘diversify’ their tactics. The volume of cryptojacking attacks surged by 788% in Europe during the first half of the year, with attacks in North America also rising by 345%.

SonicWall: Ransomware Declines Further As Attackers ‘Pivot’ Their Tactics

CRN, SonicWall News: Ransomware continued to lose favor among malicious actors during the first half of 2023, but overall intrusions increased as some attackers switched focus to other types of threats, according to newly released SonicWall data. In the cybersecurity vendor’s report on the first six months of the year, ransomware attack volume dropped 41 percent from the same period a year earlier, the report released Wednesday shows.

Evolving Threats – Evolved Strategy

ITVoice, SonicWall News: The ever-evolving cybersecurity landscape is rapidly changing, and businesses must change with it. The massively expanding, distributed IT reality is creating an unprecedented explosion of exposure points for sophisticated cybercriminals and threat actors to exploit.

Britain’s Biggest Hospital Held To Ransom

Cyber Security Intelligence, SonicWall News: SonicWall expert Spencer Starkey said “The healthcare sector continues to be a prime target for malicious actors as evidenced by the recent attack on Barts Health NHS Trust. Not only does this attack risk the potential for exposed patient data, but any significant IT issue that halts patient care poses an immediate threat to life.”

Hackers claim breach is the ‘biggest ever’ in NHS history

Silicon Republic, SonicWall News: Spencer Starkey, vice-president of EMEA at cybersecurity company SonicWall, said that the healthcare sector continues to be a “prime target” for hackers globally. “Not only does this attack risk the potential for exposed patient data, but any significant IT issue that halts patient care poses an immediate threat to life,” said Starkey, referring to the Barts Health cyberattack. The ramifications of an attack on the healthcare sector can be disastrous and it’s important to place the utmost amount of time, money and efforts on securing it.

How to Reach Compliance with HIPAA

TrendMicro, SonicWall News: According to the 2022 SonicWall Cyber Threat Report, healthcare continued a large spike in malware in 2021, at 121%. While the largest jump in IoT malware attacks belonged to healthcare, which saw a 71% year-over-year increase. To shed light on the significance malware can carry, it’s important to look at how recent breaches could’ve been circumvented by abiding to the HIPAA rules and safeguards.

Why Attackers Love to Target IoT Devices

VentureBeat, SonicWall News: Malicious objects were blocked on more than 40% of OT systems. SonicWall Capture Labs threat researchers recorded 112.3 million instances of IoT malware in 2022, an 87% increase over 2021.

Changes in the Ransomware Threat to State and Local Governments

StateTech, SonicWall News: According to SonicWall’s 2023 Cyber Threat Report, ransomware has “been on a tear” for the past few years, growing 105 percent year over year in 2021. While the report found that attacks were down in 2022, ransomware targets still reported very large number of attacks compared to levels in 2018, 2019 and 2020.

Clop’s MOVEit ransom deadline expires

ComputerWeekly, SonicWall News: At the time of writing, no data had yet been published, and SonicWall EMEA vice-president Spencer Starkey urged victims to hold the line in the face of the gang’s threats and grandstanding.

As the clock ticks closer, businesses impacted by the MOVEit hack may be tempted to pay off the hackers and move on. While this appears as the fastest way to resolve this, in fact, it actually feeds the monster, encouraging more attacks, said Starkey. On the other hand, not paying might lead to potential data loss and the cost of restoring systems, but it also helps starve these criminal operations and may discourage future attacks. At this stage, the key is customer and employee communication. The companies impacted must always strive to keep those channels flowing both ways, to reassure those who may be affected that they are doing everything possible to recover from and resolve the incident.

Industry News

President Biden Nominates Former NSA Executive Director as National Cyber Director

After months of waiting, President Biden has announced his nomination to fill the position of National Cyber Director in former NSA executive director Harry Coker. The position has been vacant since Chris Inglis stepped down in February. With the recently released national cybersecurity strategy, the new director will have plenty to do once his nomination is confirmed. Coker is a veteran of the United States Navy and has also held positions in the Central Intelligence Agency previous to his time with the NSA. He was also a member of President Biden’s national security staff when Biden took office in 2021. This nomination comes barely two weeks after a group of cybersecurity organizations sent a strongly worded letter to the White House asking them to speedily nominate someone – a rare victory for all strongly-worded-letter enthusiasts. The nomination will now move through Congress for Coker to be confirmed.

North Korean Lazarus Hackers Connected to $60 million Crypto Theft

The notorious Lazarus gang from North Korea has been linked to a recent $60 million theft on the payment processing company Alphapo. The crypto payment platform is frequently used for things like gambling, e-commerce and other online purchases. Alphapo was attacked this past Sunday and the hacker gang drained people’s wallets of millions of dollars in cryptocurrency. A cryptochain investigator who goes by “ZackXBT” noticed that the attackers also stole $37 million of TRON and Bitcoin, which brought the total to a whopping $60 million. The Lazarus group has not publicly claimed the attack, but researchers noted that Lazarus tends to leave a very distinct fingerprint during attacks. According to Bleeping Computer, Lazarus has previously been linked to similar attacks such as a $35 million theft on Atomic Wallet, a $100 million attack on Harmony Horizon and a $617 million heist on Axie Infinity. They noted that a common tactic of Lazarus is to bait crypto firm employees with fake job offers that actually lead to infected links. Lazarus gains access to the company networks and then begins planning its thefts. Law enforcement agencies and blockchain analysis firms have not yet confirmed the group’s participation in this attack.

The Cost of a Data Breach Has Increased by 15%

According to a new report by IBM, the cost of a data breach has increased by 15% over the past three years skyrocketing to $4.45 million per breach for affected businesses. Despite this, 57% of businesses still seem inclined to simply pass the buck to consumers rather than invest in sturdier cybersecurity. Many consumers are facing the double whammy of businesses not caring enough to protect their data and then being charged more when these loosely secured organizations lose their information. IBM did find several ways organizations could better protect their data including investing more in security and being willing to involve law enforcement. The report stated that 37% of breached organizations refused to involve the authorities. It seems that these businesses want to attain consumer data without taking measures to ensure its security. Cybersecurity is incredibly accessible for businesses today with numerous free and paid tools to provide better protection. Breaches are still possible even with good security, but refusing to invest more in security after experiencing a costly incident like a data breach is simply bad business.

Malware Spreading Through Call of Duty Game Lobbies

Hackers have been wreaking havoc on players in an old Call of Duty game. Last month, a Steam user made a post alerting other players of Call of Duty: Modern Warfare 2 (2009) that threat actors were using “hacked lobbies” to spread malware. Another user analyzed the malware and noted that it appeared to be a worm. Activision, the developers of Call of Duty, posted a tweet vaguely acknowledging the malware letting players know that the servers will be going offline presumably for action to be taken. It’s unclear so far why the hackers are spreading malware through the game lobbies, but it’s clear that they’re exploiting one or more bugs in the game itself to accomplish this. The worm works by spreading from one infected player in a lobby to other players who don’t have adequate protection on their computers. Anybody who has been playing the game over the past few months should run an anti-virus software on their computer to see if they’ve been infected. Viruses spreading through games is not uncommon, but they typically spread through trojanized versions of the game installers. Malware spreading through actual game lobbies is not very common.

SonicWall Blog

First-Half 2023 Threat Intelligence: Tracking Cybercriminals Into the Shadows – Amber Wolff

If It’s Easy, It’s TZ – Tiju Cherian

Sonic Boom: Getting to Know the New SonicWall – Michelle Ragusa-McBain

SonicWall’s Traci McCulley Orr Honored as a Talent100 Leader – Bret Fitzgerald

3 & Free Promotion: How to Upgrade to a Gen 7 NSsp Firewall for Free – Michelle Ragusa-McBain

Monthly Firewall Services Option for Simplicity and Scalability – Sorosh Faqiri

Monitoring and Controlling Internet Usage with Productivity Reports – Ashutosh Maheshwari

SonicWall NSM 2.3.5 Brings Enhanced Alerting Capabilities – Suriti Singh

Is Red/Blue Teaming Right for Your Network? – Stephan Kaiser

NSv Series and Microsoft Azure’s Government Cloud: Strengthening Cloud Security – Tiju Cherian

Four SonicWall Employees Featured on CRN’s 2023 Women of the Channel List – Bret Fitzgerald

NSv Series and AWS GovCloud: Facilitating Government’s Move to the Cloud – Tiju Cherian

XWiki RCE Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  XWiki is recognized as a second-generation wiki platform, bringing together the conventional wiki functionality and the unique potential of an application development platform. It showcases a broad array of features typical of a wiki, such as advanced access rights and effective user management. Additionally, XWiki’s defining trait lies in its capacity to allow the creation of new applications, which can be developed directly on top of the platform.

  Recently, a significant vulnerability has been reported in XWiki that allows remote code execution. It stems from improper handling of documentTree macro parameters: because these parameters are not properly escaped, a security gap is created that leaves the platform exposed to external attack.

  A remote attacker can exploit the flaw by sending specially crafted requests to the server hosting XWiki. If the attack succeeds, the attacker gains the ability to execute code on that server.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-29509.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C).

  Base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.8 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  XWiki boasts a powerful scripting feature set, allowing users to create everything from simple to intricate web applications on an XWiki page (or view) layer. There is no need for users to compile code or deploy software components – instead, they can utilize scripting syntax alongside wiki markup directly within the content of an XWiki page.

  The platform supports a range of scripting languages, including Velocity, Groovy, and Python, all of which are enabled by default. XWiki incorporates the JSR-223 scripting platform, which facilitates the evaluation of script code. Additionally, XWiki provides a script macro that evaluates script code and is structured as follows:

  

  To declare script code for default enabled languages, users can directly use the language name:

  

  The standard XWiki flavor includes the “Flamingo Theme Application” extension. This allows users to customize site skins, and the extension has a macro “FlamingoThemesCode.WebHome”. This macro lists the sub-documents of any given document. When a page request is made with the GET parameter sheet set to “FlamingoThemesCode.WebHome”, the same macro is used to render the page. The parameter document:$doc.documentReference is set to the current page, and this value is passed to the documentTree macro, which in turn lists the sub-documents of the present page.

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The target user must have network connectivity to the affected ports.

Triggering Conditions:

  The attacker requests a malicious page using the FlamingoThemesCode.WebHome view. The vulnerability is triggered when the server processes the request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS

  Get Request:
  
  URL Decoded:
  

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 2062 XWiki Commons documentTree Remote Code Execution 1
  • IPS: 18914 XWiki Commons documentTree Remote Code Execution 2
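  Besides inline IPS signatures, defenders reviewing web server access logs can look for the request shape described under Triggering Conditions: a request for the FlamingoThemesCode.WebHome sheet whose decoded path or query contains a script-macro opener. The checker below is an added example, not SonicWall's or XWiki's code. It assumes XWiki 2.x wiki syntax, where macros are delimited as {{name}} ... {{/name}}, and the common Apache/nginx combined log format; the log lines are constructed for illustration, and the macro body in the flagged line is an inert placeholder.

```python
"""Access-log check for XWiki requests that target the
FlamingoThemesCode.WebHome sheet while carrying script-macro syntax.

Added example (not project code). Assumptions: XWiki 2.x macro syntax
{{name}} ... {{/name}}; combined log format; constructed sample lines.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Script macros XWiki enables by default, per the technical overview above.
SCRIPT_MACROS = ("script", "groovy", "velocity", "python")
MACRO_RE = re.compile(
    r"\{\{\s*(" + "|".join(SCRIPT_MACROS) + r")\b", re.IGNORECASE
)

# Minimal combined-log-format parser: we only need client IP and request target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)


def decode_target(text: str) -> str:
    """URL-decode repeatedly (bounded) so double encoding does not hide a macro."""
    prev, cur = None, text
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur


def is_suspicious(target: str) -> bool:
    """True when the request selects the FlamingoThemesCode.WebHome sheet and
    its decoded path or query contains a script-macro opener."""
    split = urlsplit(target)
    sheet = parse_qs(split.query).get("sheet", [])
    if "FlamingoThemesCode.WebHome" not in sheet:
        return False
    decoded = decode_target(split.path) + "?" + decode_target(split.query)
    return bool(MACRO_RE.search(decoded))


def scan_log(lines):
    """Return (client_ip, raw_target) for each suspicious request.

    Lines that do not parse as combined log format are skipped, not raised,
    so one malformed line does not abort a large log review.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if is_suspicious(m.group("target")):
            hits.append((m.group("ip"), m.group("target")))
    return hits


# Constructed sample lines (not real traffic, RFC 5737 documentation addresses).
# 1: legitimate theme page view.  2: encoded macro opener in the page path
# with the same sheet parameter.  3: unrelated page, no sheet parameter.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jul/2023:12:00:01 +0000] "GET /xwiki/bin/view/'
    'FlamingoThemes/Cerulean?sheet=FlamingoThemesCode.WebHome HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Jul/2023:12:00:09 +0000] "GET /xwiki/bin/view/'
    'Sandbox/%7B%7Bgroovy%7D%7Dplaceholder%7B%7B/groovy%7D%7D'
    '?sheet=FlamingoThemesCode.WebHome HTTP/1.1" 200 7330',
    '198.51.100.7 - - [10/Jul/2023:12:00:10 +0000] "GET /xwiki/bin/view/'
    'Main/WebHome HTTP/1.1" 200 4100',
]

if __name__ == "__main__":
    for ip, target in scan_log(SAMPLE_LOG):
        print(f"suspicious request from {ip}: {target}")
```

  A hit from this check is a review trigger, not proof of compromise: the server may already run a fixed version, or the request may have returned an error. Correlate the status code and the XWiki version before escalating.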

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Updating to a non-vulnerable version of the product.
    • Filtering attack traffic using the signatures above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory