Cybersecurity News & Trends – 09-25-20

/0 Comments/in /by

This week, foreign hackers made headlines for targeting everything from COVID-19 research, to NASA, to the U.S. presidential election.

SonicWall in the News

Top 5 CyberSecurity Innovations and Why They’re Drawing In The Money — TechGenix

  • SonicWall’s product with Perimeter 81 was in included in article, as an innovation in the zero-trust sector.

ChannelPro Weekly Podcast: Episode #157 – The New M&A (Mongrels & Animals) — ChannelPro Weekly

  • In its weekly news podcast, ChannelPro Network discussed SonicWall’s 7th generation of security products.

Coronavirus Puts Security At The Heart Of The Agenda — MicroScope

  • Terry Greer-King, vice-president for EMEA at SonicWall, says the “mass shift” from working within the corporate perimeter to working from home has made everyone inherently less secure, ushering in an era of “boundless cyber security”

Making Work-From-Home Security Work — ChannelPro Network

  • In an article about how to successfully and securely work from home, SonicWall’s data on the increase in ransomware from the midyear update to the 2020 Cyber Threat Report is included to showcase the dangers of ransomware attacks.

Industry News

U.S. warns ‘foreign actors’ aim to sow doubts over mail-in voting — Reuters

  • U.S. federal law enforcement and cybersecurity agencies on Tuesday warned that “foreign actors” will likely try to discredit the November presidential election by taking advantage of the slow counting of mail-in ballots.

UK Govt Advisor Warns: Universities the Latest Frontier for Cybercriminals — IT Supply Chain

  • Students’ return to universities has coincided with a spate of attacks against academic institutions across the North of England, prompting the National Cyber Security Centre to issue a warning: Prepare for disruption as the term starts.

FBI Open China-Related Counterintelligence Case Every 10 Hours — SC Media

  • FBI Director Christopher Wray offered the House Homeland Security Committee some sobering news about China: the FBI opens a new China-related counterintelligence case roughly every 10 hours.

Ransomware gang targets Russian businesses in rare coordinated attacks — ZDNet

  • Group breaks an unofficial rule in the cybercrime underground not to target the former Soviet space.

Lessons from the ransomware death: Prioritize cyber emergency preparedness — SC Magazine

  • The death of a woman, at least in part due to a ransomware attack, has placed security teams on high alert.

“LokiBot,” the malware that steals your most sensitive data, is on the rise — Ars Technica

  • Officials are seeing a big uptick in infections coming from LokiBot, an open-source DIY malware package that’s openly sold or traded in underground forums. It steals passwords and cryptocurrency wallets, and can also download and install new malware.

The dark web won’t hide you anymore, police warn crooks — ZDNet

  • ‘Operation Disruptor’ involved agencies from nine countries and resulted in the seizure of over $6.5m in cash and cryptocurrencies, as criminals are warned law enforcement will track them down.

Healthcare lags behind in critical vulnerability management, banks hold their ground — ZDNet

  • New research sheds light on which industries are performing well when it comes to patching high-risk bugs.

Officials say NASA facing increased targeting by foreign and domestic hackers — The Hill

  • Top officials at NASA say the agency is facing increasing attempts by foreign hackers to target sensitive information as it works to improve its IT security during the COVID-19 pandemic.

FBI sounds alarm on rampant personal-data theft by China-backed hackers — The Washington Times

  • China is engaged in massive data mining in the U.S. and likely has stolen personal information on nearly half of the entire U.S. population, FBI Director Christopher Wray revealed.

Chinese and Russian hackers pose ‘very, very real threat’ to COVID-19 research: FBI Director Wray — The Washington Times

  • Foreign hackers searching for ways to steal coronavirus research remain a “very, very real cyber threat,” FBI Director Christopher A. Wray told the House Homeland Security Committee.

U.K. warns of surge in ransomware threats against education sector — Bleeping Computer

  • The U.K. National Cyber Security Centre has issued an alert about a surge in ransomware targeting educational institutions, urging them to follow new recommendations for mitigating attacks.

In Case You Missed It

Advanced Threats: Am I At Risk?

/0 Comments/in /by

In “The Art of War,” Sun Tzu said, “If you know the enemy and know yourself, you need not fear the result of a hundred battles … if you know neither the enemy nor yourself, you will succumb in every battle.”

While he couldn’t have foreseen the digital salvos of two thousand years hence, his words ring as true for today’s cybersecurity arms race as they did for ancient Chinese military strategy. And now that the COVID-19 pandemic has ushered in a future where everyone is remote, everyone is mobile and everyone is less secure, cybercriminals are redoubling their efforts and specifically targeting remote workers — making it more important than ever to know what you’re up against.

Unfortunately, when it comes to cybercrime, it’s often much harder to know who your enemy is, where they’re located, or what weaponry they’re bringing to bear. Worse, in some cases you may not know until much later that you’ve even been attacked at all. We’ve seen cyberthreats evolve from basic computer viruses to widespread and devastating attacks such as Stuxnet, WannaCry, NotPetya, Spectra and more. But exactly how advanced and prevalent are today’s attacks?

According to the midyear update to the 2020 SonicWall Cyber Threat Report, while the quantity of malware deployed overall is dropping, the malware that is going out is both more advanced and more targeted than ever before. The degree of sophistication displayed in some phishing and social engineering strategies proves that even if you don’t know your adversary, they certainly know you — and if they’re successful in fooling you, their weapons of choice are often capable of completely circumventing legacy cybersecurity solutions.

These sorts of threats will often obfuscate in front of security solutions, only to execute later when in memory — or worse, in the CPU and hardware where you are a tenant, perhaps in a service you have in the cloud where the hardware itself executes the code and steals your information.

And if you’re thinking only a handful of cybercriminals have access to this level of sophistication, think again.

So far in 2020, every month has seen a significant year-over-year increase in the number of malware variants found by SonicWall Capture ATP (Advanced Threat Protection) and RTDMI (Real-time Deep Memory Inspection) — combined, they represent a full 62 percent increase over 2019’s first-half totals. In the first six months of 2020, Capture ATP and RTDMI found 315,395 new malware variants, including threats that do not exhibit any malicious behavior and hide their weaponry via encryption.

During this time, there has also been a whopping 176 percent increase in the number of malicious Office files, including some that can evade signature based anti-malware engines and hinder sandbox debugging and analysis. These files look just like any other file you may receive through the course of your workday, but can lead to data exfiltration, ransomware infections and more.

With the time between an attack’s proof of concept and threat researchers spotting the attack in the wild narrowing to just hours — and with attackers developing ways to create hundreds of variations on an attack faster than they can be identified and patched — it’s tempting to concede defeat.

Fortunately, however, it’s still possible to thwart a majority of cyberthreats, if you deploy the correct countermeasures. Join SonicWall cybersecurity expert Simon Wikberg as he explores today’s biggest threats and why they succeed in our upcoming webinar, “A Step Ahead: Future-proofing Against Tomorrow’s Attacks.

He’ll tackle the “know yourself” side of the equation by offering ways to determine your risk and profile your existing cybersecurity strategy.

And by sharing data from the SonicWall 2020 Mid-Year Cyber Threat Report, he’ll also help you become better acquainted with your adversaries, by revealing the places cybercriminals are targeting, spotlighting the techniques they’re using, and offering clues as to what they may be doing next.

By learning their tactics, you’ll be better able to create a plan, deploy proper countermeasures, and significantly decrease your risk of compromise in the next hundred battles — and beyond.

Click here to register for the webinar.

SiteCloak Page Obfuscation Techniques Leading to Greater Number of Missed Phishing Attacks

/0 Comments/in /by

Ever since COVID-19 began closing offices and largely restricting people to their homes, cyber adversaries have been having a field day using the pandemic as a launchpad for phishing attacks. Organizations and individuals must be aware of the detective, preventive and protective measures required to safeguard their information assets against these attacks. We have seen a rise in the number of phishing attacks that bypass Office 365 due to the attackers’ use of obfuscation techniques on the credential harvesting website.

These SiteCloak methods bypass Microsoft’s real-time URL-filtering scanners by obfuscating the credential-harvesting page. This behavior is widespread, using a variety of techniques from multiple threat actors.

Attack Summary Overview:

Platform: Microsoft 365 Email

Email Security: Exchange Online Protection and Microsoft Advanced Threat Protection

Targets: All organizations, all sizes

Payload: Malicious Link

Technique: Obfuscation of Credential Harvesting Page

What is a SiteCloak attack?

To identify a malicious URL within an email, Microsoft will follow a link to scan the target page for potential malware or phishing behavior. To combat this, attackers are hiding the intent of the target page by using a variety of obfuscation techniques. This behavior is widespread and utilizes a variety of methods, some more sophisticated than others, borrowed from multiple threat actors. Most of these methods are capable of fooling Microsoft’s scanners.

In most cases, the target page turns out to be a credential harvesting site, but because these techniques are now in widespread use by several organizations, they are independent of the purpose of the page. If the user is not vigilant and provides their credentials, the user account is compromised.

Why are SiteCloak methods effective?

  • Concealed Page Intent: Microsoft URL filters are unable to determine the intent of an obfuscated page, so a malicious email is allowed to reach the user inbox.
  • Multiple Vulnerabilities: While categorized as a single method, attackers are using a variety of obfuscation techniques, meaning there is no single vulnerability to close. Even simple techniques are successful today, but while these are eventually caught, more advanced methods continue to remain effective.
  • Multiple Actors: Page obfuscation is now in use by multiple actors. The techniques are typical of email obfuscation, and many of them are old, so there is no direct link between a threat actor and their methodology.

What can you do?

  • Use a Password Manager: The best defense against most credential harvesting attacks is the use of a password manager. Most are free, and none can be fooled into entering a password into a malicious site, no matter how authentic it seems. You should never actually know your password.
  • Enable Multi-factor Authentication: MFA renders a username/password pair useless to an attacker.

Attack examples

These techniques are in use by a large number of threat organizations, so their methods vary widely.

  • Basic SiteCloak Obfuscation: ZeroFont
    In the simplest version of the attack, the credential harvesting page uses the same ZeroFont technique that was once a popular method to bypass Microsoft’s email scanners. Even old techniques can successfully fool the website scanner.
  • Advanced SiteCloak Obfuscation: JavaScript EncodingIn more advanced methods, the webpage is encoded using multiple layers of JavaScript obfuscation.
    The “unescaped” command is another JavaScript function that reads the ‘html_encoder_data’ to render the malicious web page.

    The rendered page is fairly advanced in that it does not ask the user to enter their email address, as it is encoded in the URL. It also asks for the password twice before redirecting the user to a real outlook.com page. Not only does this error-check the password for the attackers, but it also leaves the user the user with no hint that they entered their password on a fake site.

How SonicWall Can Help

SonicWall Cloud App Security can identify SiteCloak-obfuscated websites, because the web-rendering and scanning engines utilize the same indicators of attack discovered by the email-rendering and scanning filters. With CAS Protection enabled, the attacks are prevented from ever reaching your inbox, making email more secure and reliable.

To learn more about SonicWall Cloud App Security, click here.

Cybersecurity News & Trends – 09-18-20

/0 Comments/in /by

Between legislation to protect government IoT devices, developments in the TikTok saga and Supreme Court arguments, what’s happening at the federal level this week could have far-reaching implications for cybersecurity.

SonicWall in the News

Politics in the Technology World Order — Verdict Magazine
SonicWall President and CEO Bill Conner weighs in on the future of the U.S. data privacy landscape.

Perimeter 81 Looks To Take Firewall Appliances Out — Security Boulevard
SonicWall, an investor in Perimeter 81’s recent funding round, has partnered with the firm on its firewall-as-a-service software.

Sectigo to Be Acquired by GI Partners — Sectigo Press Release
In a comment about the acquisition, SonicWall President, CEO and Sectigo Board Chairman Bill Conner said, “The future is bright for Sectigo as the company builds on its impressive position as a digital identity and web security solutions leader.”

Industry News

This security awareness training email is actually a phishing scam — Bleeping Computer
A creative phishing campaign spoofs a well-known security company in an email pretending to be a reminder to complete security awareness training.

Oracle-TikTok Deal to Undergo U.S. Security Review — The Wall Street Journal
The Treasury Department said it would review an agreement for Oracle and others to revamp TikTok’s U.S. operations, with the aim of avoiding a ban of the popular video-sharing app.

House approves bill to secure internet-connected federal devices against cyber threats — The Hill
The Internet of Things (IoT) Cybersecurity Improvement Act, passed unanimously by the House, would require all internet-connected devices purchased by the federal government to comply with minimum security recommendations.

Hackers are getting more hands-on with their attacks. That’s not a good sign — ZDNet
Both nation-state-backed hackers and cybercriminals are trying to take advantage of the rise in remote working — and getting more sophisticated in their approach.

LockBit ransomware launches data leak site to double-extort victims — Bleeping Computer
The LockBit ransomware gang has launched a new data leak site to be used as part of their double extortion strategy to scare victims into paying a ransom.

Zerologon attack lets hackers take over enterprise networks — ZDNet
If you’re managing enterprise Windows servers, don’t skip on the August 2020 Patch.

Security researchers slam Voatz brief to the Supreme Court on anti-hacking law — Cyberscoop
The Supreme Court is about to take up a case with major implications for computer research — and a group of high-profile cybersecurity specialists doesn’t want mobile voting firm Voatz to have the last word.

Don’t pay the ransom, mate. Don’t even fix a price, say Australia’s cyber security bods — The Register
Over the past 12 months, the Australian Cyber Security Centre has observed real-world impacts of ransomware incidents, which have typically originated from a user executing a file received as part of a spearphishing campaign.

Russian Intelligence Hackers Are Back, Microsoft Warns, Aiming at Officials of Both Parties — The New York Times
China is also growing more adept at targeting campaign workers, with Beijing mostly aiming at Biden campaign officials.

Iran Says US Vote Hack Allegation ‘Absurd’ — Security Week
Tehran on Friday hit back at allegations by Microsoft that Iran-based hackers had targeted the U.S. presidential campaigns.

Treasury Dept. sanctions Russian, Ukrainian individuals for election interference — The Hill
The Treasury Department has added four Russian and Ukrainian individuals to its specially designated nationals list, citing attempts by the individuals to interfere in U.S. elections.

In Case You Missed It

Windows Netlogon Elevation of Privilege Vulnerability CVE-2020-1472

/in /by

An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a network device.
This vulnerability also called Zerologon has a CVSS score of 10.

Netlogon Remote Protocol

The Netlogon Remote Protocol is used for secure communication between machines in a domain and domain controllers (DCs) The communication is secured by using a shared session key computed between the client and the DC that is engaged in the secure communication. The session key is computed by using a preconfigured shared secret that is known to the client and the DC. The Microsoft Windows Netlogon Remote Protocol (MS-NRPC) is a core authentication component of Active Directory that provides authentication for user and computer accounts.

Vulnerability (CVE-2020-1472)

The vulnerability arises from a flaw in the cryptographic implementation of the Netlogon protocol, specifically in its usage of AES-CFB8 encryption. MS-NRPC uses an initialization vector (IV) of 0 (zero) in AES-CFB8 mode when authenticating computer accounts.Due to incorrect use of an AES mode of operation it is possible to spoof the identity of any computer account (including that of the DC itself) and set an empty password for that account in the domain.

The successful exploitation of the vulnerability will allow an attacker to

  • Impersonate any computer on the network,
  • Disable security features that protect the Netlogon process
  • Change a computer’s password associated with its Active Directory account.

Affected products

  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Server 2012
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012 R2
  • Windows Server 2012 R2 (Server Core installation)
  • Windows Server 2016
  • Windows Server 2016 (Server Core installation)
  • Windows Server 2019
  • Windows Server 2019 (Server Core installation)
  • Windows Server, version 1903 (Server Core installation)
  • Windows Server, version 1909 (Server Core installation)
  • Windows Server, version 2004 (Server Core installation)

Microsoft has patched this vulnerability and is urging to prioritize patching Domain Controllers, as this is likely the primary target.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • IPS 15143:Windows Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472)1
  • IPS 15156:Windows Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472) 2
  • IPS 15158:Windows Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472) 3

This spyware poses as a fake Android WhatsApp update app

/in /by

SonicWall Capture Labs threats researchers observed an interesting Android sample that passes itself as a WhatsApp Updater app. Anyone with basic security awareness will quickly point that there is no separate app to update WhatsApp as clearly stated on the WhatsApp FAQ. As expected this app simply uses WhatsApp as a disguise to hide its spyware capabilities.

 

Distribution mechanism

This fake updater app (at the time of writing this blog) is hosted on android-update[.]net/whatsapp-update.apk. Installation of apps from unknown sources is blocked by default on Android devices, as a result whenever an apk file is downloaded the user is shown a warning stating that it might be dangerous to install said app. This website tries to convince the user to ignore that warning and states that WhatsApp update is completely safe to install:

The site android-update.net has been deemed malicious on Virustotal

 

Dangerous Permissions

This app requests for a few permissions that can be risky in the wrong hands:

  • receive_boot_completed
  • read_contacts
  • access_fine_location
  • read_history_bookmarks
  • write_settings
  • system_alert_window
  • record_audio
  • send_sms
  • bind_accessibility_service
  • bind_device_admin

Infection Cycle

After installation and execution the app is prompt in requesting for device admin privileges. This alone should be a red flag as WhatsApp itself does not request device admin privileges:

If the permission is not granted immediately, the app keeps requesting for the permission until its granted. This tactic is aimed towards ruining the user experience and forcing the user into granting the permission.

 

Siphoning personal data

The app communicates with the server  – superwat.biz – and begins ex-filtrating sensitive user related information from the device and the network. We have listed a few of these exchanges:

The communication begins with a POST message to the folder settings which signifies the different options/switches under which the app (which now shows indications of being a spyware) will operate:

 

Some noteworthy switches:

  • line_call_record
  • whatsapp_call_record
  • stream_recording
  • spy_call

 

There was a POST message to the folder DeviceInfo which sent device related data:

 

There was a POST message to the folder Put with high sensitivity data  that included:

  • Device imei
  • Apps installed with their memory usage
  • GPS location data
  • Browser history that displayed webpages opened
  • Name and phone number of contacts present on the device
  • Wifi network access point names with their mac addresses

 

Few more interesting network messages:

  • POST /play/WS/RemoteCommands
  • GET /play/ws/update-check/?update=getversion&brand=gvd8
  • GET /play/ws/update-check/?asset=armeabi-v7a

 

We created a VirusTotal relations graph that represents all the parties that were contacted by the spyware app

 

Domain WHOIS details

We found the following artifacts about the server superwat.biz and android-update.net:

 

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: AndroidOS.Spy.PN (Trojan)

 

Indicators of Compromise (IOC)

Sample details

Cybersecurity News & Trends – 09-11-20

/0 Comments/in /by

This week, students are going back to school, cybersecurity is going into outer space, and Emotet is going through the roof.

SonicWall Spotlight

Cybersecurity for the post-COVID new normal of work — Managing the Future of Work podcast

  • SonicWall CEO Bill Conner discusses how COVID-19 and the 2020 election are creating unprecedented infrastructure challenges in cybersecurity, and how forces such as the cybersecurity business gap and the need for secure remote access will shape the cybersecurity landscape going forward.

Tackle the Growing Number of IoT Ransomware Threats — TechTarget – IoT Agenda

  • Ransomware attacks have increased 20% worldwide in the first half of the year and 105% in the U.S., according to SonicWall’s latest cyberthreat report.

Cybersecurity News

FBI: Thousands of orgs targeted by RDoS extortion campaign — Bleeping Computer

  • The FBI has warned U.S. companies that thousands of organizations around the world, from various industry sectors, have been threatened with DDoS attacks within six days unless they pay a Bitcoin ransom.

Inter: a ‘low bar’ kit for Magecart credit card skimmer attacks on e-commerce websites — ZDNet

  • Researchers say that any attacker with “a little cash to burn” can join the attack trend.

 Website Crashes and Cyberattacks Welcome Students Back to School — The New York Times

  • With many districts across the country opting for online learning, a range of technical issues marred the first day of classes.

Phishing adds overlay on official company page to steal logins — Bleeping Computer

  • A phishing campaign deployed recently at various businesses uses the company’s home page to disguise the attack and trick potential victims into providing login credentials.

Money from bank hacks rarely gets laundered through cryptocurrencies — ZDNet

  • Despite being considered a cybercrime haven, cryptocurrencies play a very small role in laundering funds obtained from bank hacks, the SWIFT financial organization said.

White House issues cybersecurity space policy — SpaceNews

  • Space Policy Directive 5 is the first comprehensive government policy on cybersecurity for satellites and related systems, and outlines best practices to protect space systems from hacking and other cyber threats.

U.S. Department of Defense discloses critical and high severity bugs — Bleeping Computer

  • The U.S. Department of Defense has disclosed details about four security vulnerabilities on its infrastructure. Two of them have a high severity rating, while the other two received a critical score.

France, Japan, New Zealand warn of sudden spike in Emotet attacks — ZDNet

  • Emotet activity has ramped up to new levels in September 2020, alarming some cybersecurity agencies.

In Case You Missed It

Overcoming Advanced Evasion of Malware Detection

/0 Comments/in /by

Malware evasion tactics are now fully present in the arsenal of threat actors. It’s essential that any threat detection technology remain hidden from malware to be able to effectively detect advanced attacks. Equally important, the technology must be able to detect malicious objects that don’t have signatures and to identify malicious capabilities — even if the malicious code hasn’t yet executed. SonicWall Capture Advanced Threat Protection (ATP) with Real-Time Deep Memory Inspection™ (RTDMI) technology offers an advanced layered defense to stay ahead of advanced evasive threats.

It’s this technology stack that SonicWall security services, clients and devices plug into for advanced malware detection and protection. From Next-Generation Firewall (NGFW), to Email Security, to Capture Client and more, Capture ATP is exposed to the latest evasive threats from around the globe, all day, every day.

Overview of SonicWall Capture ATP

To protect customers against the increasing dangers of zero-day threats, SonicWall Capture ATP Service detects and can block advanced threats at the gateway until verdict (on select devices and services). This service is the industry’s first advanced threat-detection offering that combines multilayer sandboxing, including full system emulation and virtualization techniques, to analyze suspicious code behavior that can block until verdict.

Because of the increased focus on developing evasion tactics for malware, it’s important to apply a multi-engine approach to analyzing suspicious code, especially to find and stop ransomware and credential theft.

SonicWall’s award-winning multi-engine sandbox platform efficiently discovers what code wants to do — from the application, to the OS, to the software that resides on the hardware. This approach includes the ability to analyze code within the memory of a system using RTDMI.

RTDMI was specifically designed to provide complete visibility into malware behavior that other technologies miss, while remaining hidden from the malware itself. Combined with the rest of the Capture ATP technology stack, it offers a uniquely isolated inspection environment that simulates an entire host, including the CPU, system memory and all input/output devices.

This approach to advanced malware detection allows SonicWall to observe all the malicious actions engineered into a piece of malware, without being visible to the malware. Detecting evasive tactics is essential and complements our ability to detect malicious network, memory, settings, and other malware actions and changes.

Common malware evasion tactics

One of the key characteristics of advanced malware is its level of stealth and ability to evade detection. In addition to defeating signature-based detection products and behavior-based detection tools, there are dozens of these evasion techniques advanced malware uses to avoid detection. The table below lists the basic categories of these tactics.

Evasion Tactic Tactic Description Tactic Result
Stalling Delays Tactic remains idle to defeat timer-based recognition Most legacy sandboxes can detect if malware calls the OS sleep function, but they can’t spot evasion if the malware performs the delay internally without calling the OS.
Action-Required Delays Tactic delays malicious activity pending a specific user action (e.g., click mouse, open or close a file or app). Conventional sandbox will not detect malware waiting on user action.
Intelligent Delays Tactic discovers sandbox and suspends all malicious activities. Malware waits until it has completed penetration of host or machine before injecting, modifying or downloading code; decrypting files; moving laterally across network; or connecting to C2 servers
Fragmentation Tactic splits malware into fragments, which only execute when reassembled by the targeted system. As legacy sandboxes typically evaluate fragments separately, each fragment appears harmless, thus evading detection.
Return-Oriented Programming (ROP) Evasion Tactic modifies the stack (memory addresses of code to be executed next), thus injecting functionality without altering the actual code. ROP evasions delegates the execution of its malicious code to other programs, instead of the malware program, thereby hiding it from conventional detection.
Rootkits A rootkit is an application (or set of applications) that hides malicious code in the lower OS layers. A conventional sandbox does not monitor what an OS does with calls from applications, so the malicious actions performed by a rootkit will generally go undetected.

Espionage, ransomware and other advanced threats are growing ever more sophisticated. The only way to defeat these types of malware is to implement tools that have been designed specifically to detect known evasion techniques, easily adapt to new ones and work with your existing security stack. SonicWall leverages and maximizes your existing investment in security systems, and with SonicWall Capture ATP with RTDMI, you’ll be ready to defeat today’s sophisticated threats. Click here to learn more.

Anubis infostealer wants your cryptocurrency wallet

/in /by

This week the Sonicwall Capture Labs research team analyzed an infostealing Trojan that is a mash up of another infostealer Trojan and a ransomware. This Trojan, is called Anubis but borrowed most of its code from another Trojan named Loki which is popularly sold in the underground market.

Infection Cycle

This Trojan uses the following icon:

Upon execution, it proceeds with perusing through the system and start stealing data, taking screenshots, etc. It then creates a random folder within the %temp% directory where it stores log files of stolen data.

This stolen data is then sent to a remote server.

During static analysis, it was noted that it had references to “Loki” within its strings as evidence of it borrowing code from this other infostealer Trojan. After all, Loki is a commodity malware commonly sold in underground sites.

This Trojan functions much like Loki and comes after the victim’s system information, browser data, credentials, credit card details and cryptocurrency wallets.

Coincidentally, during analysis we noticed references to ransomware functionality within its strings although this was not evident during runtime.

Apart from being sold underground, Lokibot has been known to be distributed via spam emails and Anubis, will highly be likely to be similarly distributed.

Always be vigilant and cautious when installing software programs particularly if you are not certain of the source.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Anubis.ST (Trojan)
  • GAV: VHDLocker.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Microsoft Security Bulletin Coverage for September 2020

/in /by

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of September 2020. A list of issues reported, along with SonicWall coverage information are as follows:

CVE-2020-0664 Active Directory Information Disclosure Vulnerability
IPS 15131:Microsoft Active Directory Information Disclosure Vulnerability (CVE-2020-0664)

CVE-2020-0856 Active Directory Information Disclosure Vulnerability
IPS 15132:Microsoft Active Directory Information Disclosure Vulnerability (CVE-2020-0856)

CVE-2020-0941 Win32k Information Disclosure Vulnerability
ASPY 5993:Malformed-File exe.MP.156

CVE-2020-1115 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 5994:Malformed-File exe.MP.157

CVE-2020-1152 Windows Win32k Elevation of Privilege Vulnerability
ASPY 5995:Malformed-File exe.MP.158

CVE-2020-1245 Win32k Elevation of Privilege Vulnerability
ASPY 5991:Malformed-File exe.MP.154

CVE-2020-1308 DirectX Elevation of Privilege Vulnerability
ASPY 5992:Malformed-File exe.MP.155

Following vulnerabilities do not have exploits in the wild :
CVE-2020-0648 Windows RSoP Service Application Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0718 Active Directory Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-0761 Active Directory Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-0766 Microsoft Store Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0782 Windows Cryptographic Catalog Services Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0790 Microsoft splwow64 Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0805 Projected Filesystem Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2020-0836 Windows DNS Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-0837 ADFS Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-0838 NTFS Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0839 Windows dnsrslvr.dll Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0870 Shell infrastructure component Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0875 Microsoft splwow64 Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0878 Microsoft Browser Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-0886 Windows Storage Services Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0890 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-0904 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-0908 Windows Text Service Module Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-0914 Windows State Repository Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0921 Microsoft Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0922 Microsoft COM for Windows Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-0928 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0951 Windows Defender Application Control Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2020-0989 Windows Mobile Device Management Diagnostics Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0997 Windows Camera Codec Pack Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-0998 Windows Graphics Component Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1012 WinINet API Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1013 Group Policy Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1030 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1031 Windows DHCP Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1033 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1034 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1038 Windows Routing Utilities Denial of Service
There are no known exploits in the wild.
CVE-2020-1039 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1044 SQL Server Reporting Services Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2020-1045 Microsoft ASP.NET Core Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2020-1052 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1053 DirectX Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1057 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1074 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1083 Microsoft Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1091 Windows Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1097 Windows Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1098 Windows Shell Infrastructure Component Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1119 Windows Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1122 Windows Language Pack Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1129 Microsoft Windows Codecs Library Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1130 Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1133 Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1146 Microsoft Store Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1159 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1169 Windows Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1172 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1180 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1193 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1198 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1200 Microsoft SharePoint Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1205 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-1210 Microsoft SharePoint Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1218 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1224 Microsoft Excel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1227 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1228 Windows DNS Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-1250 Win32k Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1252 Windows Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1256 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1285 GDI+ Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1303 Windows Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1319 Microsoft Windows Codecs Library Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1332 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1335 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1338 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1345 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1376 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1440 Microsoft SharePoint Server Tampering Vulnerability
There are no known exploits in the wild.
CVE-2020-1452 Microsoft SharePoint Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1453 Microsoft SharePoint Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1460 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1471 Windows CloudExperienceHost Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1482 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1491 Windows Function Discovery Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1506 Windows Start-Up Application Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1507 Microsoft COM for Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1508 Windows Media Audio Decoder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1514 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1523 Microsoft SharePoint Server Tampering Vulnerability
There are no known exploits in the wild.
CVE-2020-1532 Windows InstallService Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1559 Windows Storage Services Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1575 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1576 Microsoft SharePoint Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1589 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1590 Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1592 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1593 Windows Media Audio Decoder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1594 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1595 Microsoft SharePoint Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1596 TLS Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1598 Windows UPnP Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16851 OneDrive for Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16852 OneDrive for Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16853 OneDrive for Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16854 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-16855 Microsoft Office Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-16856 Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-16857 Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-16858 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2020-16859 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2020-16860 Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-16861 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2020-16862 Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-16864 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2020-16871 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2020-16872 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2020-16873 Xamarin.Forms Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-16874 Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-16875 Microsoft Exchange Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-16878 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2020-16879 Projected Filesystem Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-16881 Visual Studio JSON Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-16884 Internet Explorer Browser Helper Object (BHO) Memory Corruption Vulnerability
There are no known exploits in the wild.