Multiple Remote Code Execution Vulnerabilities in JumpServer

Overview

The SonicWall Capture Labs threat research team became aware of two remote code execution vulnerabilities in JumpServer, assessed their impact and developed mitigation measures. JumpServer is an open-source bastion host and operation and maintenance security audit system with a substantial user base in China. A bastion host (the name is borrowed from military fortification) is a hardened, special-purpose system that is intentionally exposed to a less trusted network and mediates access to the systems behind it, which is why its compromise is so consequential.

Identified as CVE-2024-29201 and CVE-2024-29202, the flaws allow a low-privileged user of JumpServer versions before 3.10.7 to execute arbitrary code as root inside the Celery container. Both carry a critical CVSS score of 9.9.

Technical Overview

CVE-2024-29201

This vulnerability arises from a flaw in the input validation that JumpServer applies to Ansible (an IT automation engine) playbooks. It allows a threat actor with a low-privileged user account to execute arbitrary code as root inside the container named 'jms_celery'.

JumpServer blocks a set of unsafe keywords to prevent users from running commands on the local host, rather than on the managed asset, through a playbook job, as seen in Figure 1 (left). The check is applied to the playbook text before it is parsed, so it can be circumvented by writing a keyword with the Unicode escape sequence of a character in place of the character itself, for instance '\u0064' instead of 'd': the YAML parser decodes the escape later, after the check has already passed. Figure 1 (right) shows a malicious template that exploits this by running the command specified in the 'shell' field. An attacker uses it to create a playbook, then creates and runs a job that executes the command.

Figure 1: The set of defined unsafe keywords (left) and the playbook template to bypass validation (right).
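The following is an added example, not JumpServer's code, that reproduces the class of bypass described above: a substring check over the raw playbook text versus a check that runs on the parsed document. The keyword list is an assumption chosen for the illustration, and the playbooks are constructed. JSON syntax is used so the example runs with the standard library alone; JSON is a subset of YAML and the \uXXXX escape decodes the same way inside a YAML double-quoted scalar, so yaml.safe_load can be passed as the loader for real playbooks.

```python
import json

# Keyword blocklist in the spirit of the raw-text check described above. The
# real JumpServer list is not reproduced here; these entries are assumptions
# made for the illustration.
UNSAFE_KEYS = {"delegate_to", "local_action"}
UNSAFE_PAIRS = {("connection", "local")}
UNSAFE_TEXT = ("delegate_to", "local_action", "connection: local")


def naive_text_check(playbook_text: str) -> bool:
    """The bypassable check: substring search over the raw playbook text."""
    return any(kw in playbook_text for kw in UNSAFE_TEXT)


def _walk(node):
    """Yield every (key, value) pair from every mapping in a parsed playbook."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield key, value
            yield from _walk(value)
    elif isinstance(node, list):
        for item in node:
            yield from _walk(item)


def structural_check(playbook_text: str, loader=json.loads) -> bool:
    """Parse first, then inspect the decoded keys and values.

    `loader` defaults to json.loads so this runs without extra packages; JSON is
    a subset of YAML, and \\uXXXX escapes decode the same way in YAML
    double-quoted scalars. Pass yaml.safe_load for real playbooks.
    """
    document = loader(playbook_text)
    for key, value in _walk(document):
        if not isinstance(key, str):
            continue
        if key in UNSAFE_KEYS:
            return True
        if isinstance(value, str) and (key, value.strip()) in UNSAFE_PAIRS:
            return True
    return False


# Constructed playbooks (JSON syntax, valid YAML). The third writes the 'd' of
# delegate_to as \u0064, so the raw-text check misses it while the parser does not.
BENIGN = r'[{"hosts": "web", "tasks": [{"shell": "uptime"}]}]'
OBVIOUS = r'[{"hosts": "web", "delegate_to": "localhost", "tasks": [{"shell": "id"}]}]'
EVASIVE = r'[{"hosts": "web", "\u0064elegate_to": "localhost", "tasks": [{"shell": "id"}]}]'

if __name__ == "__main__":
    for name, text in (("benign", BENIGN), ("obvious", OBVIOUS), ("evasive", EVASIVE)):
        print(f"{name:8s} text-check={naive_text_check(text)!s:5s} "
              f"parsed-check={structural_check(text)}")
```

The evasive playbook passes the text check and fails the parsed check, which is the whole point: any validation of a structured document has to run on the same decoded structure the consumer will act on, not on the bytes that precede it.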

CVE-2024-29202

This vulnerability allows a threat actor with a low-privileged user account to inject a malicious Jinja2 template into an Ansible playbook. When Ansible renders the template, arbitrary code executes within the 'jms_celery' container with root privileges. The malicious template seen in Figure 2 can be used to create a playbook job, which is then run to execute the desired command.

Figure 2: Malicious jinja2 template

Triggering the Vulnerability

Exploiting the vulnerabilities described above requires the attacker to meet the following prerequisites:

  • The attacker must have network access to the vulnerable system and a low-privileged user account on it.
  • The account must be authorized to access at least one valid asset.
  • A playbook is created from either of the templates above in the 'Job > Template > Playbook manage' section.
  • A playbook job is created in the 'Job > Job list' section using that playbook.
  • The job is run.

Exploitation

While the steps to trigger the vulnerabilities look involved, exploitation is straightforward. Because the Celery container runs as root, the threat actor gains access to the database and to sensitive information about all managed assets (hosts, devices, databases, cloud services, web applications and GPT assets). Given the central role of a jump host, this can lead to exposure and compromise of the private network behind it. Achieving remote code execution with these vulnerabilities is demonstrated in the video below.

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to these vulnerabilities, the following signatures have been released:

  • IPS: 19849 JumpServer Ansible Playbook Input Validation Bypass
  • IPS: 19850 JumpServer Ansible Playbook Jinja2 Template Injection

Remediation Recommendations

Given the pivotal position of a bastion host on a network, JumpServer users are strongly encouraged to upgrade their instances to the latest version (v3.10.7 or later). If an immediate upgrade is not possible, the 'Operation Center' feature can be disabled temporarily under System Settings > Features > Task Center.


The 2023 Threat Mindset Survey: SonicWall Customers Sound Off

Cybersecurity is a dynamic, constantly changing field, and threats lurk around every corner for those lacking the knowledge or tools to protect themselves. To get a better idea of customer sentiment and firsthand experience on issues from finances to phishing, SonicWall conducts the Threat Mindset Survey each year. In late 2023, we sent ten questions to over 16,000 SonicWall customers worldwide, and the results reveal not only the hurdles they’re currently facing, but also the challenges they anticipate in the future.

This blog presents a few of the key findings from the 2023 SonicWall Threat Mindset Survey, as well as key takeaways.

A Majority Are More Concerned About Cyberattacks

We asked customers if their level of concern about cyberattacks has increased, decreased or remained the same when compared to previous years, and 55% of them are more concerned than ever before. Given that the data in our 2024 Cyber Threat Report showed that malware, cryptojacking, intrusion attempts and more have continued to increase, they’re right to be worried about a cyberattack on their organization.

Figure 1: A majority of SonicWall customers are more concerned about a cyberattack on their organization when compared to previous years.

Ransomware Still the Primary Concern

Data from our 2024 SonicWall Cyber Threat Report showed that in 2023, ransomware attacks increased in both sophistication and ruthlessness. And while attacks decreased year-over-year, 2023 still had the third-highest ransomware volume of any year on record. Given the continued prevalence of ransomware, it’s no surprise that customers continued to be most concerned about a ransomware attempt on their organization.

Phishing and encrypted malware attacks aren’t far behind ransomware, however, with 76% and 64% of respondents respectively listing them as top concerns.

Figure 2: Ransomware is the most concerning attack type among most of our customers.

Concern Over Insider Threats Increases

We asked our customers which type of threat they think they're most likely to see at their organization. While the top answer was still financially motivated attacks, the number of people concerned about insider threats jumped 15% compared to last year. The reasons for this increase are outside the purview of our survey; however, recent headline-grabbing insider threat incidents, including an Air National Guardsman leaking sensitive data to a Minecraft Discord server, may have played some role.

Figure 3: Fear of an insider threat attack increased by 15% over the past year.

15% of Customers Rarely or Never Read Industry News

For many of us, consuming cybersecurity news is a key component of our job. If you aren’t up to date on the latest trends and attack patterns in your industry, how can you adequately tailor your defenses to combat them?

But despite 54% of our customers deeming it a requirement amid today’s constantly evolving threat landscape, 15% of our customers say they rarely or never consume industry news — up from 9% last year.

Figure 4: 15% of SonicWall customers rarely or never consume cybersecurity news.

Many Customers Still Need to Set a Patching Policy

Frighteningly, more than a quarter of SonicWall customers have no set policy for rolling out patches for critical vulnerabilities. With patching being one of the lowest cost and highest impact practices an organization can implement to stop cyberattacks, it’s important to have a set protocol for deploying patches in the case of widespread or highly exploited vulnerabilities. In fact, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA) have listed poor patch management as one of the top ten cybersecurity misconfigurations they see in organizations.

Figure 5: 27% of SonicWall customers have no official patching policy.

Headcount Comfort Up 6% from Last Year

At the beginning of 2023, there were a reported 750,000+ cybersecurity job openings in the United States alone, which means there’s obviously still a great need for talent in the cybersecurity space. The good news is that among SonicWall customers, headcount comfortability is up from last year.

Figure 6: The percentage of our customers with adequate headcount increased from 51% to 57% over the past year.

Security Budgets On the Rise

Last year, only 56% of respondents viewed their IT/cybersecurity budget as adequate, while 33% said the opposite. Fortunately, budgets appear to have increased for some: our most recent survey showed that 62% now consider their security budget adequate, and the percentage reporting the contrary decreased by 8%.

Figure 7: Budgets appear to be on the rise according to our 2023 Threat Mindset Survey.

Fewer Organizations Worried About Hiring, Vendor Vulnerabilities

Last year, 48% of respondents said staying current with vendor vulnerabilities was one of their biggest issues when it came to addressing growing cybersecurity demands. This year, that number shrank to 12%. Organizations also seem to be having less trouble hiring and training staff, with 26% rating that a top concern in our last survey and just 8% saying the same in the most recent survey. And while fewer respondents reported inadequate budgets, consistent with Figure 7, those who were plagued by budget issues ranked that concern higher this year than last year.

Figure 8: Keeping up with the changing security landscape remained the top issue for respondents.

In Their Own Words

We also asked customers two more open-ended questions. Here are some of the responses:

In your own words, how has the evolving cyber threat landscape impacted your organization’s ability to operate normally?

“It is becoming increasingly difficult to achieve an adequate level of protection. We have to invest more and more time and money to get proper protection.” – IT Specialist, Small Business Engineering Company

“The labor diverted from business initiatives to cybersecurity swells year over year. The threat landscape evolves too quickly, which demands I spend more of my time managing cybersecurity, which has an impact on business operations.” – Chief Information Officer, Management Company

“The evolving landscape is the new normal, so operating normally is more complex and full of security pitfalls than ever.” – IT Director, Educational Institution

In your own words, how has a proven cybersecurity product, solution or strategy positively impacted your organization’s ability to operate successfully?

“With SonicWall, we have peace of mind in securing our whole network against threats; it helps in focusing on real work.” – IT Professional, Small Business Professional Services Company

“We feel more secure about our posture and more confident in our ability to fend off attacks. Users are the weak link, and our strategy includes training for them.” – IT Director, County Government

“SonicWall simplifies a lot of tasks, provides great visibility, and allows for fairly good analysis and investigation.” – IT Professional, Consulting Company

That’s a Wrap

SonicWall’s 2023 Threat Mindset Survey offers great insights into industry trends and the top concerns of our customers. While there are plenty of positive trends in this data, many businesses are more concerned about cyberattacks than ever before. If you’re among the organizations looking to level up your cybersecurity posture, from increasing protection via a patching strategy to maximizing simplicity through the use of MDR, we’d love to speak with you!

Chaos Ransomware Operator Gives Up Decryption Tool for Free

Overview

The SonicWall Capture Labs threat research team has recently been tracking ransomware created with the Chaos ransomware builder. The builder appeared in June 2021 and has been used by many operators to infect victims and demand payment for file recovery. The sample we analyzed led us to a conversation with the operator, who freely handed over the decryptor program.

Infection Cycle

Upon initial infection, files on the system are encrypted and given a random filename extension made up of 4 alphanumeric characters:

Figure 1: Encrypted files

hahaha.txt is written to all directories containing encrypted files.  It contains the following message:

Figure 2: Ransom note

The code is written in .NET and is easy to decompile using an open-source decompiler.

The decompiled code shows a list of target directories:

Figure 3: Targeted directories

It contains a list of file extensions to target:

Figure 4: Targeted file extensions

It disables system recovery modes and deletes shadow copies and system backups:

Figure 5: Disabling system recovery

A base64-encoded image is embedded in the executable file:

Figure 6: Image base64 encoded

Figure 7: Converting image from base64

After base64 decoding, the following image is displayed on the desktop background:

Figure 8: Ransom desktop image

The ransom note states “pls write to discord kakoy_to_chel_ on discord”. We contacted the operator on Discord and had the following conversation:

Figure 9: Initial conversation with operator

decryptor-decrypter.zip contains the following files:

Figure 10: Contents of zip file

It contains the private key for decrypting files:

Figure 11: Private key for decryptor

We asked the operator why they created the malware, but their intentions remain unclear:

Figure 12: Conversation with operator continued

Figure 13: Asking the operator about their reason for creating the malware

The operator confirms that Chaos ransomware builder was used to create the malware:

Figure 14: The operator confirms the use of the Chaos Ransomware Builder

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Chaos.RSM(Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

 

Updated StrelaStealer Targeting European Countries

Overview

The SonicWall Capture Labs threat research team has observed an updated variant of StrelaStealer. StrelaStealer is an infostealer known for targeting Spanish-speaking users and for stealing email account credentials from Outlook and Thunderbird. It was first reported in the wild in early November 2022. The updated variant adds an obfuscation technique and anti-analysis techniques.

Technical Analysis

MD5: 1E37C3902284DD865C20220A9EF8B6A9

SHA256: F2D7CF39392D394D6CCD0F9372DB7D486D4CB2BB6C3BBFD0D8BFBB6117A5E211

The updated version arrives as a JavaScript file inside an archive attached to an email. The JavaScript drops a 64-bit executable into the %userprofile% folder and executes it. We have observed StrelaStealer delivered via JavaScript as both a 64-bit EXE and a DLL; this blog covers the 64-bit executable, which is a wrapper acting as a loader for the actual payload.

The data section of the main 64-bit executable holds an encryption key of 0x2714 bytes, followed immediately by the encoded payload of 0x1C600 bytes. A byte-wise XOR against the key decrypts the encoded PE file from the data section.

Figure 1:  Encryption key started from 0x10th offset in the data section

Figure 2:  Obfuscated Jumps

Figure 3: Graph view for obfuscated function

Figure 4: Another graph view of the obfuscated function

Figure 5:  PEB parsing code fragments inside the jump code block

This obfuscation is quite effective: the anti-analysis techniques delay execution, and the analyst has to hunt for the meaningful code fragments inside the jump blocks, which is tedious.

Along with the jump blocks and multiple loops, there are several dummy functions that do nothing useful and only waste the analyst's time.

Figure 6: Dummy functions inside nested Jumps

Figure 7: Dummy functions

Figure 8: XOR decryption to decrypt the encoded payload

Once the payload is decrypted, the loader reads an encoded API string array stored immediately after the encoded payload in the data section. The first DWORD is the size of the array; the encoded API names follow. The array is 0x52 bytes long, and the same key used for the payload decrypts it, with one difference: only 0x52 bytes of the key, starting at offset 4 of the key, are used.

Figure 9: Encoded API array

Figure 10: Malware calculates the start offset of the encoded API string and starts decrypting it

Figure 11: API array after an XOR decryption
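The following is an added example, not code from the sample or from SonicWall, that carves the two artifacts described above out of a raw data section using the offsets the post gives (key at 0x10, 0x2714 bytes; payload 0x1C600 bytes; a DWORD length then the API array, decoded with 0x52 bytes of key starting at key offset 4). The data section is constructed here so the carver can be exercised offline; that the key repeats cyclically over a payload longer than the key is an assumption of this example.

```python
import struct

# Layout of the loader's data section as described in the post: a 0x10-byte
# prefix, the 0x2714-byte key, the 0x1C600-byte encoded payload and then the
# encoded API array (a DWORD length followed by the encoded names).
KEY_OFFSET = 0x10
KEY_SIZE = 0x2714
PAYLOAD_SIZE = 0x1C600
API_KEY_OFFSET = 4      # the API array is decoded with key[4:4 + 0x52]
API_KEY_SIZE = 0x52


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Byte-wise XOR of data against key; the key repeats if data is longer.
    (Cyclic key reuse over the full payload is an assumption, since 0x1C600 > 0x2714.)"""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def carve_data_section(section: bytes):
    """Recover (key, decrypted payload, API names) from a raw data section."""
    key = section[KEY_OFFSET:KEY_OFFSET + KEY_SIZE]
    payload_start = KEY_OFFSET + KEY_SIZE
    payload = xor_with_key(section[payload_start:payload_start + PAYLOAD_SIZE], key)

    array_start = payload_start + PAYLOAD_SIZE
    (array_len,) = struct.unpack_from("<I", section, array_start)
    encoded_names = section[array_start + 4:array_start + 4 + array_len]
    api_key = key[API_KEY_OFFSET:API_KEY_OFFSET + API_KEY_SIZE]
    names = xor_with_key(encoded_names, api_key).split(b"\0")
    return key, payload, [n.decode("ascii") for n in names if n]


def build_sample_section(key: bytes, payload: bytes, api_names) -> bytes:
    """Construct a data section in the same layout (used only to test the carver)."""
    blob = b"".join(n.encode("ascii") + b"\0" for n in api_names).ljust(API_KEY_SIZE, b"\0")
    encoded_names = xor_with_key(blob, key[API_KEY_OFFSET:API_KEY_OFFSET + API_KEY_SIZE])
    return (b"\0" * KEY_OFFSET + key + xor_with_key(payload, key)
            + struct.pack("<I", len(encoded_names)) + encoded_names)


# Constructed sample: a deterministic key, a fake "PE" that merely starts with MZ,
# and the four API names the post says the loader resolves.
SAMPLE_KEY = bytes((i * 7 + 3) & 0xFF for i in range(KEY_SIZE))
SAMPLE_PAYLOAD = (b"MZ" + bytes(range(256)) * (PAYLOAD_SIZE // 256 + 1))[:PAYLOAD_SIZE]
SAMPLE_APIS = ["VirtualAlloc", "LoadLibraryA", "GetProcAddress", "MessageBoxTimeoutA"]
SAMPLE_SECTION = build_sample_section(SAMPLE_KEY, SAMPLE_PAYLOAD, SAMPLE_APIS)

if __name__ == "__main__":
    key, payload, apis = carve_data_section(SAMPLE_SECTION)
    print("payload starts with", payload[:2], "size", hex(len(payload)))
    print("APIs:", apis)
```

Against a real sample, replace SAMPLE_SECTION with the bytes of the .data section (for instance via pefile) and check that the decrypted payload begins with MZ and that the recovered names are the four APIs above; a wrong key offset or size shows up immediately as a garbled header.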

The loader then accesses the PEB and parses it to obtain the list of modules loaded in the process.

The following instruction sequence parses the PEB.

Figure 11B: Instructions

Here, InLoadOrderModuleList is a doubly linked list of the modules loaded in the process.

The malware walks InLoadOrderModuleList to find the image base of kernel32.dll, with the goal of resolving VirtualAlloc. It then parses the PE structure of kernel32.dll, reads the name of each exported function and compares it with the API names decrypted earlier from the 0x52-byte array. When a name matches, the malware reads the function's RVA from the export directory and adds it to the image base of kernel32.dll. Using this method it resolves four APIs dynamically: VirtualAlloc, LoadLibraryA, GetProcAddress and MessageBoxTimeoutA. Once the APIs are resolved, the malware shows an error message box and then continues execution.

Now, the malware calls VirtualAlloc to allocate memory in the process and begins its work as a loader:

  • It parses the PE header of the decrypted payload in the data section and reads each section header in turn.
  • To map the image according to its section alignment, it reads each section's virtual address, adds it to the base of the allocated region and copies the section data to that offset.
  • It does not copy the PE header into the mapped image; this is done deliberately to evade detection by AV products.
  • It processes the relocation section and applies fixups, since the image is loaded at a base address different from its preferred one.
  • It reads the payload's import table from the data section, resolves each imported API dynamically with LoadLibraryA and GetProcAddress, and writes the function pointers into the IAT of the mapped payload.
  • When the mapped image is ready, it reads the entry point RVA from the PE header in the data section, adds the base address of the mapped payload and transfers execution to it.

Figure 12: Configuration setting for the payload

The injected payload is a 64-bit executable. It calls the GetKeyboardLayout API and compares the low word of the return value (the language identifier) with values hardcoded in the binary. If the keyboard layout belongs to one of the following languages, the malware continues; otherwise it terminates.

Language   Location                  Language ID
German     Germany                   0x0407
Spanish    Spain (traditional sort)  0x040A
Spanish    Spain (modern sort)       0x0C0A
Catalan    Spain                     0x0403
Basque     Spain                     0x042D
Italian    Italy                     0x0410
Polish     Poland                    0x0415

Figure 13: Call to the “GetKeyboardLayout” API and check language identifiers

Next, the payload retrieves the computer name with the GetComputerNameA API and XOR-encrypts the first 4 bytes of the name with the key "MIR24", which is hardcoded in the binary. It creates a mutex named with this partially encrypted string; if the mutex already exists, the malware terminates.

Figure 14: Creating a Mutex and executing its core functionality to steal data from the infected machine

As Figure 14 shows, it then calls the function that steals confidential data from the infected machine.

We found two such functions. The first steals data from Mozilla Thunderbird, a free and open-source email client; the other steals data from Outlook.

  • It searches for the folder path C:\Users\<username>\AppData\Roaming\Thunderbird\Profiles\. All user data, such as messages, passwords and preferences, as well as changes made while using Thunderbird, is stored in this profile folder.
  • If the folder exists, it calls the FindFirstFileA and FindNextFileA APIs to search the subdirectories for two files: logins.json (saved accounts and passwords) and key4.db (the password database).
  • It reads both files and concatenates their contents, then starts network communication.
  • It connects to its server and sends an HTTP POST request with the user agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36" to exfiltrate the data to http[:]//45[.]9[.]74[.]12/server.php.
  • The server IP, 45[.]9[.]74[.]12, is hardcoded in the binary.
  • Before sending, the data is XOR-encrypted with the key "00ca8abe-6ab2-4b10-97c8-925934cf0423", which is also hardcoded in the binary.

Figure 15: Searches for the “logins.json” and “key4.db” files from the profile folder

Figure 16: StrelaStealer is expecting the response from its server
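The following is an added example, not code from the sample or from SonicWall, that models two host-side behaviours described above in a form an analyst can reuse: the keyboard-layout gate (low word of the HKL checked against the language IDs in the table) and a decoder for a captured POST body (XOR against the hardcoded key, then splitting the concatenated logins.json and key4.db at the SQLite file header). The captured body is constructed here; treating the C2 key as a repeating key over the whole body, and locating the file boundary by the SQLite magic, are assumptions of this example.

```python
import json

# Language IDs (low word of the HKL returned by GetKeyboardLayout) that the
# payload accepts, taken from the table above.
TARGET_LANGIDS = {0x0407, 0x040A, 0x0C0A, 0x0403, 0x042D, 0x0410, 0x0415}

# Hardcoded C2 XOR key from the post. Using it as a repeating key over the
# whole body is an assumption made here.
C2_KEY = b"00ca8abe-6ab2-4b10-97c8-925934cf0423"

SQLITE_MAGIC = b"SQLite format 3\0"   # first 16 bytes of every SQLite 3 file (key4.db)


def locale_allows_execution(hkl: int) -> bool:
    """Mirror the payload's gate: only the low 16 bits of the HKL (the language
    identifier) are compared; the high word carries the layout and is ignored."""
    return (hkl & 0xFFFF) in TARGET_LANGIDS


def xor_repeating(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_exfil_body(body: bytes, key: bytes = C2_KEY) -> dict:
    """Decrypt a captured POST body and split it back into the two Thunderbird
    files. The post says logins.json and key4.db are simply concatenated, so the
    boundary is found at the SQLite header that opens key4.db (an assumption)."""
    plain = xor_repeating(body, key)
    split = plain.find(SQLITE_MAGIC)
    if split == -1:
        return {"logins.json": plain, "key4.db": b""}
    return {"logins.json": plain[:split], "key4.db": plain[split:]}


def stolen_hostnames(body: bytes) -> list:
    """Convenience: the mail servers whose saved credentials were in the capture."""
    logins = json.loads(decode_exfil_body(body)["logins.json"])
    return [entry["hostname"] for entry in logins.get("logins", [])]


# Constructed capture: a minimal Thunderbird logins.json followed by a fake
# key4.db that only carries the SQLite header, encrypted the way the post describes.
SAMPLE_LOGINS = json.dumps({"logins": [{"hostname": "imap://mail.example.test",
                                        "encryptedUsername": "MDIE...",
                                        "encryptedPassword": "MFIE..."}]}).encode()
SAMPLE_KEY4 = SQLITE_MAGIC + bytes(range(64))
SAMPLE_BODY = xor_repeating(SAMPLE_LOGINS + SAMPLE_KEY4, C2_KEY)

if __name__ == "__main__":
    for hkl in (0x04070407, 0x04090409, 0xF0010410):
        print(hex(hkl), "runs" if locale_allows_execution(hkl) else "exits")
    parts = decode_exfil_body(SAMPLE_BODY)
    print("logins.json:", parts["logins.json"].decode())
    print("key4.db header:", parts["key4.db"][:16])
    print("targets:", stolen_hostnames(SAMPLE_BODY))
```

Note that the decoded logins.json still holds the credentials in Thunderbird's own encrypted form; key4.db is exfiltrated precisely because it contains the material needed to recover them, which is why the presence of both files in a single POST to the server above is a strong indicator on its own.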

We analysed the second function statically. It opens a Windows registry key, enumerates the values under it and looks for 'IMAP User', 'IMAP Server' and 'IMAP Password'.

'IMAP Password' holds the user's password in encrypted (DPAPI) form; the malware calls the Windows CryptUnprotectData API to decrypt it.

The following registry key is enumerated to steal Outlook data:

“SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\”

Figure 17: Outlook registry key would have been enumerated to steal data from the infected machine

Figure 18: Network communication with server

At the time of writing, the archive file was not present on any of the popular threat intelligence sharing portals such as VirusTotal.

Figure 19: File is not available on VirusTotal

This threat is detected by SonicWall Capture ATP with RTDMI. Evidence of detection by the RTDMI engine can be seen in the Capture ATP report for this file below.

Figure 20: Capture report

IOCs

Archive file
MD5: ca4797bf995c91864c8b290ebd4e1c7b
SHA256: 74f21472fed71aaccbd60b34615a8390725cbab6cb25bbc6a51bd723ff8bd01a

JavaScript (initial vector)
MD5: C235CE3765F9B1606BDA81E96B71C23B
SHA256: E083662C896C47064FD47411D47459BF4B1CB26847B5D26AEDD7F9D701CABD43

Main 64-bit executable
MD5: 1E37C3902284DD865C20220A9EF8B6A9
SHA256: F2D7CF39392D394D6CCD0F9372DB7D486D4CB2BB6C3BBFD0D8BFBB6117A5E211

Injected 64-bit payload
MD5: 95F51B48FB079ED4E5F3499D45B7F14E
SHA256: C02BB26582576261645271763A17DE925C2D90D430E723204BAEC82030DC889A

Server IP: 45[.]9[.]74[.]12

Backup Best Practices To Help You Get Back Up and Running

Each year on March 31, we celebrate World Backup Day as a reminder of how priceless our data is. Whether you’re a big tech company with thousands of terabytes of invaluable data, or a parent wanting to ensure the safety of precious memories like birthday parties, holidays and first days of school, World Backup Day is for everybody in this increasingly data-dependent world.  

What is a Backup? 

A backup is essentially a digital insurance policy for your data. A backup is a complete copy of your most important data stored separately from the main data. You can store this copy on a secondary storage device such as a spare hard drive or SSD, as well as in the cloud. Having a backup of your most important assets can keep you protected in the event of a disaster, such as a ransomware attack or hardware failure. If you don’t have a backup, all of your data is dependent on a single point of failure – whether that be the storage device your data lives on or the security of your system. Backing up this data offers a way to ensure this data lives on even in cases of natural disaster and other catastrophes.  

As Easy as 3-2-1 

Some organizations and individuals may already have a single backup of their data, either on a physical hard drive or in the cloud, but it’s actually best practice to do both. Many cyber hygiene experts believe that when it comes to backups, you should follow the 3-2-1 rule: 

  • Have three complete backups of your data at any given time 
  • Store two of these backups on physical media devices such as an extra hard drive or SSD 
  • Store one backup in the cloud  

If you follow the 3-2-1 rule, you’re going to be ahead of the curve when it comes to backup best practices. And if you’re frequently updating these backups, you can greatly reduce the potential harm that certain cyberattacks could do to your organization.  

Other Backup Best Practices 

Like with any form of cyber hygiene, it’s not as simple as just having multiple backups. The 3-2-1 rule is a great start, but there are several backup best practices you can follow to get the most benefits from your backups.  

  • Ensure your backups are up-to-date, and include all the data you would need to restore your systems in the case of a cyberattack or other emergency 
  • Store your physical backups in a safe location – preferably offsite 
  • Encrypt all of your backup data and make sure it can’t be tampered with 
  • Automate frequent backups, and test your backups regularly to ensure integrity 
  • Develop a backup restoration plan and practice it frequently so that when something does happen, you already know exactly what to do and how to do it 

Putting these backup hygiene best practices to work for you might make the difference between “starting from zero” and “backup hero” in no time. And when a threat actor tries to take your data hostage, you can rest easy knowing you have multiple current backups to get your systems operational and lessen the blow.  

Make Everyday World Backup Day 

While March 31 is the day of the year when backup hygiene and best practices will be the loudest, truthfully you should be treating every day like it’s World Backup Day. Cybercriminals, hardware failures, major bugs and other potential disasters can and do strike at any time of the year. Making frequent backups and rigorously practicing your backup emergency plans is a key responsibility in protecting your data. And if you fear that you’re going to forget all the great information in this blog, feel free to save it – and then create multiple backups of it. And then maybe a couple more! 

Progress Kemp LoadMaster Unauthenticated Command Injection Vulnerability

Overview

The SonicWall Capture Labs threat research team became aware of a noteworthy vulnerability, an unauthenticated command injection, in Progress Kemp LoadMaster, assessed its impact and developed mitigation measures. LoadMaster is an application delivery controller and load balancer from Kemp Technologies (now part of Progress) that can be deployed on hardware, in the cloud and as a virtual machine. Progress published an advisory stating that the vulnerability affects all LoadMaster releases after 7.2.48.1 and the LoadMaster Multi-Tenant (MT) VNFs. The vulnerability is identified as CVE-2024-1212 and was assigned a critical CVSS score of 9.8. Considering the sizeable user base, low attack complexity and publicly available exploit code, including a Metasploit module, LoadMaster users are strongly encouraged to upgrade their instances to the latest versions with the utmost priority.

Technical Overview

This vulnerability allows a threat actor to bypass the authentication mechanism and reach a command injection by sending a crafted request to the web server.

The conditions that led to exploitation of the vulnerability in the Progress Kemp LoadMaster load balancer were:

  • Bypassing disabled API restrictions: the REST API could be reached even when disabled, by crafting a specific request path and parameters. This let researchers reach functions that were supposed to be inaccessible with the API disabled.
  • Unauthenticated user input handling: the system did not validate or sanitize the REMOTE_USER and REMOTE_PASS environment variables, which are populated from the user-supplied Basic authentication header. This allowed the injection of arbitrary commands.
  • Command injection via system call: the unvalidated input was used to build a command string that was then passed to a system() call, executing arbitrary commands on the system.
  • Exploiting Basic authentication for command execution: by manipulating the base64-encoded authorization string sent in the HTTP header, an attacker can inject commands that the server executes, giving a direct path to command injection and system compromise.

Triggering the Vulnerability

The flaw lies in the processing of the "/access/" RESTful API interface of the LoadMaster.

Figure 1: LoadMaster CGI Bash Script

As seen in the code shared by Rhino Security Labs in Figure 1, user input to the "/access/" API is placed directly into a bash script, leading to the critical vulnerability tracked as CVE-2024-1212. User input must be validated and passed to commands as a separate argument, never interpolated into a shell command string, before it reaches any function.

Exploiting this unauthenticated command injection requires network access to the LoadMaster administrative web user interface. The publicly available exploit also shows that privilege escalation is possible once a shell is obtained.

An example request to trigger the vulnerability looks like http[:]//target-ip:port/access/set?param=enableapi&value=1, with the Authorization header carrying the command injection, as shown in Figure 2.

Figure 2: Triggering CVE-2024-1212 PoC packet capture

Notice that the command injection is base64 encoded. Decoded, the attacker sends ';echo '[S]'hostname;echo'[E]';':anything as the credentials, as shown in Figure 3.

Figure 3: Decoded-authorization-header
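The following is an added example, not LoadMaster's code and not the Rhino Security Labs exploit, that shows the mechanics described above from both sides: decoding the Basic Authorization header the way the server must, flagging credentials that carry shell metacharacters, and contrasting the flawed pattern (credentials spliced into a shell string) with a quoted form in which the same input arrives as one literal word. The request header is constructed, and 'echo' stands in for the real credential checker so the vulnerable branch is harmless to run.

```python
import base64
import re
import shlex
import subprocess

# Characters that let input escape a shell word; any of these in a credential
# is a strong signal for this CVE's exploitation pattern.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\r'\"\\]")


def parse_basic_auth(header_value: str):
    """Return (user, password) from an HTTP Basic Authorization header, or None."""
    scheme, _, encoded = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(encoded.strip(), validate=True)
    except ValueError:
        return None
    user, _, password = raw.decode("latin-1").partition(":")
    return user, password


def looks_like_injection(creds) -> bool:
    """Detection check for proxies/WAF logs: metacharacters in either field."""
    user, password = creds
    return bool(SHELL_META.search(user) or SHELL_META.search(password))


def run_vulnerable(user: str, password: str) -> str:
    """Hypothetical stand-in for the flawed CGI pattern: credentials are spliced
    into a shell command string, so a quote in the username ends the word."""
    cmd = f"echo user='{user}' pw='{password}'"
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True).stdout


def run_hardened(user: str, password: str) -> str:
    """Same action with each value shell-quoted, so it reaches the program as
    one literal argument. Better still is no shell at all: an argv list such as
    subprocess.run(["/path/to/checker", user, password])."""
    cmd = f"echo user={shlex.quote(user)} pw={shlex.quote(password)}"
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True).stdout


# Constructed request header in the shape of the public PoC: the username field
# closes the quote, runs a command and reopens the quote.
INJECTED_USER = "';echo INJECTED;'"
SAMPLE_HEADER = "Basic " + base64.b64encode(f"{INJECTED_USER}:anything".encode()).decode()

if __name__ == "__main__":
    creds = parse_basic_auth(SAMPLE_HEADER)
    print("decoded:", creds, "injection:", looks_like_injection(creds))
    print("vulnerable output:", run_vulnerable(*creds).splitlines())
    print("hardened output:  ", run_hardened(*creds).strip())
```

In the vulnerable branch the output contains INJECTED on its own line, because the shell executed it as a second command; in the hardened branch the whole username is echoed back verbatim, metacharacters included. The same decode-then-inspect step is what a network sensor has to do to see this attack at all, since the payload never appears in clear text on the wire.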

The default administrator account on a LoadMaster instance is the user "bal", as shown in Figure 4. Once a shell is obtained, an attacker can take full control of the system by manipulating sudo user entries via the management interface.

Figure 4: Default LoadMaster interface

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS 4362 – Progress Kemp LoadMaster Command Injection

Threat Graphs

SonicWall sensors have confirmed exploitation attempts of this vulnerability. The graph below indicates increased exploitation attempts over the last 6 days.

Figure 5: Threat graph

Remediation Recommendations

Considering the severe consequences of this vulnerability and the trend of unauthenticated attackers attempting to reach the LoadMaster management interface with the public exploit, users are strongly encouraged to upgrade their instances as described in the vendor advisory.


*Originally this article claimed we had confirmed active exploitation of this vulnerability. This was a mistake. We have confirmed exploitation attempts, and the article now reflects that.

Kicking Off Another Winning Year

The past year has been filled with wins here at SonicWall. We revamped our SecureFirst Partner Program, made important additions to the SonicWall family in Solutions Granted and Banyan, and triumphed in countless other ways. Perhaps most importantly, we continued to strive for excellence in all we do.

And this isn’t just us singing our own praises — plenty of others have taken note of all the great things happening at SonicWall, and our hard work has paid off. With that, we’re thrilled to announce the awards won by SonicWall and SonicWall leaders for an incredible job in 2023!

SonicWall Corporate Awards

Each year, the CRN Partner Program Guide is looked to by solution and service providers so they can determine which partner programs can provide them with not only the most robust product portfolios, but also the best incentives to help partners be successful. The most esteemed award a company can receive in this category is the 5-Star Award, and we’re happy to announce that SonicWall has been given the 5-Star Award in the 2024 CRN Partner Program Guide.

SonicWall was also named as a finalist in the SC Awards’ Best SME Security Solution category for our TZ Series next-generation firewalls (NGFWs). To cap things off, SonicWall was named to CRN’s 20 Coolest Network Security Companies of 2024 list.

CRN Channel Chiefs

Each year, CRN’s editorial staff names Channel Chiefs based on factors such as professional accomplishments, industry standing and sheer dedication to the channel partner community. This list is reserved for those leaders who are truly making an impact through excellent innovation and strategy in the channel. We’re over the moon to have three such individuals on our team here at SonicWall. Help us congratulate our CRN Channel Chiefs for 2024:

  • Jason Carter, Chief Revenue Officer
  • Michelle Ragusa-McBain, Global Channel Chief
  • Spencer Starkey, Vice President of Sales, EMEA

Michelle Ragusa-McBain

Along with being named a CRN Channel Chief, SonicWall’s Michelle Ragusa-McBain showed exactly why she’s our Global Channel Chief, earning enough awards to have a section of her own:

  • Channel Futures’ 2024 Circle of Excellence
  • Channel Futures’ 2024 Channel Influencer
  • CRN’s Woman of the Year Finalist
  • CRN’s Channel Madness Finalist

Way to go, Michelle!

Looking Ahead

Thank you to all SonicWall team members and partners for your contributions and incredible efforts this past year. Without you all, none of these awards would be possible. We hope to make 2024 even better than 2023, and we’re looking forward to continuing to celebrate our progress and one another!

Here’s to a great year ahead!

New Golang Trojan Installs Certificate for Comms Evasion

Overview

This week, the SonicWall Capture Labs threat research team analyzed a new Golang malware sample. It uses multiple geographic checks and publicly available packages to screenshot the system before installing a root certificate in the Windows registry for HTTPS communications with the C2. No malware family is currently affiliated with it, but the IP and URL addresses have been used by AgentTesla, GuLoader, PureLog Stealer and others.

Technical Analysis

The sample is detected as a Golang 64-bit executable with a WinAuth certificate. The timestamp has been tampered with, as it shows a creation date of December 31, 1969 (a zeroed Unix epoch timestamp rendered in a US time zone).

Figure 1: Sample detection with Detect It Easy

The certificate listed is issued from ‘RUNNINGWITHSCISSORS LTD’ but does not have an issuer signatory.

Figure 2: There is no signer, email or creation date with this certificate

Looking at the sample, one section included is non-standard, .symtab; this section is associated with ELF/Linux files and should not be on a Windows executable.

Figure 3: This is a Linux file-type section and would not be accessed by normal means

Because of the way Golang compiles binaries, the program had to have the gopcln table reconstructed in order to see the inner workings of the file.


Figure 4: Malware functions in cleartext

Once done, there are several items of note. Newly renamed functions list out the primary methods of . The strings show a pattern that looks to be used to send system information to the attacker – this is confirmed later. This pattern contains information for a system UUID, remote IP, username, hostname, Windows version, process ID, process name and architecture.

Figure 5: There is an ASCII pattern for information that may be sent to the attacker

Next, the packages reveal that the author is using public GitHub applications from the following repositories to generate and save screenshots:

Figure 6: These GitHub packages are public and are not malicious on their own

During runtime, the malware will start by querying main system information using process injection via VirtualAlloc and running WMIC. The following two commands are run first:

  • ‘SELECT UUID FROM Win32_ComputerSystemProduct’
  • C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Next, these registry keys are queried for the Windows version and hostname:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters

When attempting to control/open WMIC, the sample looked in the following locations, as well as trying to find a file with an unusual name:

  • C:\Users\user\Desktop
  • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\
  • C:\Windows
  • C:\Windows\system32
  • C:\Windows\Wbem\

Figure 7: Sample of locations WMIC is searched for along with an unusual file

Once WMIC has been launched, both the main executable and WMIC will load, or attempt to load, the following DLLs:

Apphelp.dll
Cryptbase.dll
Winmm.dll
Powrprof.dll
Umpdc.dll
Userenv.dll
Profapi.dll
Netapi32.dll
Wkscli.dll
Netutils.dll
Samcli.dll
Samlib.dll
Iphlpapi.dll
Dhcpcsvc6.dll
Dhcpcsvc.dll
Dnsapi.dll
Mswsock.dll
Rasadhlp.dll
Fwpuclnt.dll
Msasn1.dll
Cryptsp.dll
Rsaenh.dll
Gpapi.dll
Framedynos.dll
Sspicli.dll
Kernel.appcore.dll
Wbemcomm.dll
Msxml6.dll
Urlmon.dll
Iertutil.dll
Srvcli.dll
Uxtheme.dll
Vcruntime140.dll
Vcruntime140_1.dll
Amsi.dll
Vbscript.dll
sxs.dll

The majority of these were not used during testing, which means that they may be used after initial contact is made with the C2 for further data collection or additional malware utilities.

Figure 8: Sample listing of DLLs searched for by the trojan

When the sample reaches out on the network, it attempts to get an IP using ‘ip-api.com/json’ and to make initial contact with the C2 at ‘https://daily-mashriq[.]org/goyxdrkhjilchyigflztv’ using a ping.

Once those steps are complete, the malware installs a new root certificate by overwriting the data in the following registry key, using ‘CertGetCertificateChain’:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8

Figure 9: Previous data being overwritten by the new certificate

Although the main functions go into detail about screenshots, there are also API calls in memory for tracking other Windows events. These are monitored with SetWindowsHookExW and TrackMouseEvent. Screenshots are created using the GitHub packages previously mentioned.

Figures 10, 11: Code showing that the ‘kbinani’ package takes the screenshot, then ‘fogleman’ saves it.

A network connection to ‘daily-mashriq[.]org’ is then attempted, sending the previously identified system-information pattern encrypted with ChaCha20, using the User-Agent “AGCYRNRWWWFZZSWWFWDYDCVDN”:

Figure 12: Encoded information sent to the C2

However, after the initial message has attempted to POST, subsequent messages only include the UID and are sent every seven seconds.

Figure 13: Repeated POSTs only contain the UID

The following ports are also bound for listening: 49708-49711, 49720-49730, and 49733-49750.
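The beaconing behaviour described above (POSTs to the C2 domain with the hard-coded User-Agent, repeated every seven seconds) can be hunted for in proxy logs. The following Python is an added example, not code from the original analysis; the log format and the log lines are constructed, while the host and User-Agent values are those reported in the text.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log lines: timestamp, client, method, host, user-agent.
# The host, User-Agent and seven-second cadence match the behaviour described above.
SAMPLE_LOG = """\
2024-03-20T10:00:00 10.0.0.5 POST daily-mashriq.org AGCYRNRWWWFZZSWWFWDYDCVDN
2024-03-20T10:00:07 10.0.0.5 POST daily-mashriq.org AGCYRNRWWWFZZSWWFWDYDCVDN
2024-03-20T10:00:14 10.0.0.5 POST daily-mashriq.org AGCYRNRWWWFZZSWWFWDYDCVDN
2024-03-20T10:00:21 10.0.0.5 POST daily-mashriq.org AGCYRNRWWWFZZSWWFWDYDCVDN
2024-03-20T10:00:03 10.0.0.9 GET example.com Mozilla/5.0
2024-03-20T10:02:30 10.0.0.9 GET example.com Mozilla/5.0
"""

KNOWN_C2_HOSTS = {"daily-mashriq.org"}
KNOWN_C2_UA = {"AGCYRNRWWWFZZSWWFWDYDCVDN"}
BEACON_PERIOD = timedelta(seconds=7)   # cadence reported in the analysis
JITTER = timedelta(seconds=1)          # tolerance for logging/network delay


def parse_log(text):
    """Yield one dict per log line of the constructed format above."""
    for line in text.splitlines():
        ts, client, method, host, ua = line.split(" ", 4)
        yield {"ts": datetime.fromisoformat(ts), "client": client,
               "method": method, "host": host, "ua": ua}


def flag_indicators(events):
    """Entries matching the known C2 host or the hard-coded User-Agent."""
    return [e for e in events if e["host"] in KNOWN_C2_HOSTS or e["ua"] in KNOWN_C2_UA]


def find_beacons(events, min_hits=3):
    """(client, host) pairs POSTing at a steady ~7 s interval, independent of indicators."""
    by_pair = defaultdict(list)
    for e in events:
        if e["method"] == "POST":
            by_pair[(e["client"], e["host"])].append(e["ts"])
    beacons = []
    for pair, stamps in by_pair.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        regular = [g for g in gaps if abs(g - BEACON_PERIOD) <= JITTER]
        if len(regular) + 1 >= min_hits:
            beacons.append(pair)
    return beacons
```

The interval check is the part that survives a change of domain or User-Agent, so it is worth keeping even after the indicators are stale.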

As of this writing, it appears that the domain has been blocked by (CHECK THIS).

SonicWall Protections

SonicWall Capture Labs provides protection against this threat via the following signature:

  • MalAgent.Go.Trojan

IOCs

  • 8f4cf379ee2bef6b60fec792d36895dce3929bf26d0533fbb1fdb41988df7301
  • https://daily-mashriq.org/goyxdrkhjilchyigflztv
  • http://ip-api.com/json/

Unpatched PHP Deserialization Vulnerability in Artica Proxy

Overview

The SonicWall Capture Labs threat research team became aware of a deserialization vulnerability in the Artica Proxy appliance, assessed its impact and developed mitigation measures. Artica Proxy is a comprehensive proxy solution performing tasks such as web filtering and categorization, SSL inspection, and bandwidth management. The vendor reports having over 100K servers installed around the world.

Identified as CVE-2024-2054, the administrative web interface allows the deserialization of any PHP objects provided by users without authentication, thereby allowing code to be executed under the “www-data” user account, earning an expected score of 9.8. This affects version 4.50 and all previous versions. While there are no reports of active exploitation currently, a publicly available PoC is provided by the Korelogic research team, and the vendor has not issued a patch yet. As a result, it is strongly encouraged that organizations follow the steps in the mitigation section below. SonicWall customers are already protected through IPS signature 19786, released on March 18th.

Technical Overview

While unauthenticated, a user can make an HTTP POST request to the “/wizard/wiz.wizard.progress.php” endpoint. This endpoint may receive the “build-js” query parameter as seen in Figure 1.

Figure 1: wiz.wizard.progress.php lines 10-16

While processing the “build-js” user input, the script base64-decodes the value and then passes the decoded data to the PHP “unserialize” function, as seen in Figure 2.

Figure 2: wiz.wizard.progress.php build-js function

This is the root cause of the vulnerability, as an unauthenticated attacker can control the base64 encoded input which is then directly deserialized.

Triggering the Vulnerability

To trigger this vulnerability, an attacker must send an HTTP POST request to the Artica Proxy instance with the crafted “build-js” parameter set to a base64-encoded payload. Using the public PoC code as an example, this could be accomplished using the Linux “curl” command, as shown in Figure 3.

Figure 3: Triggering the vulnerability using curl

Exploitation

While triggering the vulnerable code path is simple, exploitation is slightly trickier. As with most deserialization attacks, execution is limited to what modules are installed on the system – in this case, PHP modules. An attacker must leverage these modules meaningfully to achieve the desired execution by deserializing serialized objects. When searching for a suitable object among the installed PHP modules, the “Net_DNS2_Cache_File” destructor within the “Net_DNS2” library stands out, as shown in Figure 4.

Figure 4: Net_DNS2_Cache_File destructor file write

When a “Net_DNS2_Cache_File” object is destroyed, it may write a file to disk. This means an attacker can leverage the creation and destruction of this object to write a file to the system. As PHP web shells are a common tool used by attackers, this is a likely choice for exploitation.

It is worth noting that the possibility of this destructor being leveraged by the attackers was reported in 2016 to the Net_DNS2 project on GitHub, tracked as issue 50.

Figure 5: GitHub Issue reporting vulnerable code

The Net_DNS2 project mitigated the issue several months later in 2016; however, Artica Proxy uses an outdated version of the library, as can be seen in the DNS2.inc file on the filesystem.

Figure 6: Net_DNS2 class version on Artica Proxy

To illustrate exploitation, Figure 7 shows a segment where an unauthenticated user manages to overwrite the existing “wiz.upload.php” file. The clip first displays the original “wiz.upload.php” file and then shows the file overwritten by a simple web shell after exploitation. This is achieved by using a “Net_DNS2_Cache_File” object to embed the web shell, allowing the execution of harmful PHP code under the “www-data” user account. The payload executes the “whoami” command, confirming the user.

Figure 7: Successful exploitation
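The root cause (base64-decoded “build-js” handed straight to unserialize) and the gadget class named above suggest a simple request-level check: decode the parameter the way the script does and flag any serialized PHP object in it. The following Python is an added example, not Artica or Korelogic code; the request bodies are constructed (the object carries a placeholder property, not the PoC's), and treating every object as suspicious assumes that legitimate use of the endpoint never sends one.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, quote

# Constructed POST bodies for the endpoint named above. The first carries a
# serialized Net_DNS2_Cache_File object (the class the text identifies; the
# property is a placeholder, not the public PoC), the second a plain string.
SAMPLE_BODIES = [
    "build-js=" + quote(base64.b64encode(
        b'O:19:"Net_DNS2_Cache_File":1:{s:4:"prop";s:11:"placeholder";}').decode()),
    "build-js=" + quote(base64.b64encode(b's:5:"hello";').decode()),
    "build-js=%%%notbase64",
]

# PHP object token in serialized form: O:<name length>:"<class name>":
PHP_OBJECT = re.compile(r'O:(\d+):"([^"]*)":')
KNOWN_GADGETS = {"Net_DNS2_Cache_File"}


def decode_build_js(body: str):
    """Bytes that wiz.wizard.progress.php would hand to unserialize(), or None."""
    value = parse_qs(body).get("build-js", [None])[0]
    if value is None:
        return None
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def php_object_classes(blob: bytes):
    """Class names of object tokens whose declared length matches the name."""
    text = blob.decode("latin-1")
    return [name for n, name in PHP_OBJECT.findall(text) if int(n) == len(name)]


def assess(body: str) -> dict:
    """Assumption: the endpoint never legitimately receives objects, so any is suspicious."""
    blob = decode_build_js(body)
    classes = php_object_classes(blob) if blob is not None else []
    return {"objects": classes,
            "known_gadget": any(c in KNOWN_GADGETS for c in classes),
            "suspicious": bool(classes)}
```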

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS: 19786 Artica Proxy PHP Deserialization

Remediation Recommendations

Unfortunately, no patch is currently available for this vulnerability. It is recommended to either remove the ‘usr/share/article-postfix/wizard’ directory (as it is not a critical component for the proxy to function properly) or move this directory outside of the web root folder. Doing so will make the vulnerable code inaccessible from the network, drastically reducing risk.


Lighter Ransomware Locks Users Out of System

Overview

This week, the SonicWall Capture Labs threat research team analyzed a ransomware calling itself Lighter Ransomware. Upon execution, it opens a window with a countdown timer instructing the victim to reach out immediately before the timer ends – or face greater consequences.

Infection Cycle

The malware arrives as a portable executable that, once executed, immediately displays this warning window.

Figure 1: Lighter ransomware window with countdown.

It lets the user know that they have been infected with ransomware and displays instructions on how to get their files back. Interestingly, this ransomware only asks for $100.

However, most common keyboard shortcuts are blocked, which renders the system unusable once this window is displayed.

Figure 2: Functionality showing keyboard shortcuts being blocked

Common system utilities such as Task Manager, cmd, msconfig, regedit and Process Explorer are blocked.

Figure 3: Functionality that kills taskmgr

Files are then encrypted in parallel using AES encryption, specifically the RijndaelManaged class, and the malware adds the .L0cked extension to every encrypted file.

Figure 4: AES encryption functionality using the RijndaelManaged class

Figure 5: Encrypted files with the .L0cked file extension

This ransomware targets files with the following file extensions seen in the screenshot below:

Figure 6: File extensions targeted by this ransomware

Unless the user forces a reboot, they will be unable to do most common tasks while the warning window is displayed.

SonicWall Protections

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Lighter.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and Capture Client endpoint solutions.