CVE-2019-13345 Squid proxy cross-site scripting vulnerability

The cachemgr.cgi web module of Squid is vulnerable to cross-site scripting via the user_name or auth parameter (CVE-2019-13345).

Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently requested web pages.

A cross-site scripting vulnerability exists in Squid due to improper sanitation of the user_name and auth parameters within cachemgr.cgi. A remote, unauthenticated attacker could exploit this vulnerability by enticing a user to open a crafted link or a web page. Successful exploitation could result in execution of arbitrary script code under the security context of the target user’s browser.

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. An attacker can use XSS to send a malicious script to an unsuspecting user.

Reflected attacks are those where the injected script is reflected off the web server, as in the case of Squid cachemgr.cgi.

Fig: The request

Fig: The request is reflected back in the response

For illustration, the script here uses just alert('XSS'), but in real life an attacker can use malicious scripts that access cookies, session tokens or other sensitive information. The victim’s browser thinks the script came from a trusted source and will execute it.

Analyzing the patch for the vulnerability, we see that the user_name input is not sanitized before being used.
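To make the defect concrete, here is an added Python example (not Squid code, and not the cachemgr.cgi markup): a page that reflects a `user_name` query parameter unescaped, the same page with HTML escaping applied, and a black-box check that tells the two apart. The page template and the probe query string are constructed for illustration.

```python
import html
from urllib.parse import parse_qs

# Constructed stand-in for a CGI page that echoes a query parameter into its
# HTML. The real cachemgr.cgi markup is not reproduced here.
PAGE = "<html><body><p>Cache manager login for user: {user}</p></body></html>"


def get_param(query_string: str, name: str) -> str:
    """Return the first value of a query parameter, or '' if absent."""
    return parse_qs(query_string).get(name, [""])[0]


def render_vulnerable(query_string: str) -> str:
    """Reflects user_name into the page verbatim: the defect class the advisory describes."""
    return PAGE.format(user=get_param(query_string, "user_name"))


def render_fixed(query_string: str) -> str:
    """Escapes <, >, & and both quote characters before the value lands in HTML text."""
    return PAGE.format(user=html.escape(get_param(query_string, "user_name"), quote=True))


def reflects_unescaped(query_string: str, response: str) -> bool:
    """Black-box check a tester or a WAF can run: does any parameter value that
    contains HTML-significant characters appear in the response byte-for-byte?"""
    for values in parse_qs(query_string).values():
        for value in values:
            if any(ch in value for ch in "<>\"'") and value in response:
                return True
    return False


if __name__ == "__main__":
    # Constructed probe using the same harmless alert the post shows.
    probe = "user_name=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E&auth=x"
    for name, fn in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        body = fn(probe)
        print(f"{name}: reflects unescaped = {reflects_unescaped(probe, body)}")
```

The escaping belongs at the point where the value is written into HTML text; escaping on input would break legitimate user names and would miss the `auth` parameter the advisory also names.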

SonicWall Capture Labs Threat Research team provides protection against this vulnerability with the following signatures:

IPS 1369 : Cross-Site Scripting (XSS) Attack 1

IPS 4349 : Cross-Site Scripting (XSS) Attack 43

IPS 14308 : Cross-Site Scripting (XSS) Attack 60

IPS 14309 : Cross-Site Scripting (XSS) Attack 61

WAF 9008: Cross-site Scripting (XSS) Attack

Threat graph:

Cryptojacking in 2019: Cryptocurrency Value Keeping Attack Vector in Play

In the closing months of 2018, cryptojacking volume faded as prices for bitcoin and other cryptocurrencies fell.

Cryptocurrency markets are fast-moving, where quick bull runs (often caused by price manipulation) can cause dramatic price spikes. Bitcoin ($BTC) prices also drive the value of Monero ($XMR), which is the alt coin of choice for many cybercriminals since its transactions can’t be publicly tracked like bitcoin.

Halfway through 2019, bitcoin is surging again and is helping cryptojacking stay relevant as a lucrative option for cybercriminals. Cryptojacking volume hit 52.7 million registered attacks for the first six months of the year, as published in the mid-year update of the 2019 SonicWall Cyber Threat Report.

We can log hits and analyze signatures all day. But it still remains difficult to align cryptojacking attacks — and criminal intentions — with cryptocurrency value. For example, despite year-to-date highs for bitcoin prices in June (see graph below), the month showed the lowest cryptojacking volume of the year. A similar chart is available in the mid-year update that tracks attacks against Monero value.

Interestingly, Coinhive remains the top cryptojacking signature despite the service closing in March 2019. The top cryptojacking signature, Coinhive.JS_2, represented more than 33.7 million attacks between January and June 2019.

One reason for the high detection count is that compromised websites have not been cleaned since the infection, even though the Coinhive service no longer exists and the URL has been abandoned. This foundation, however, could potentially be used by malicious authors in the future.


If Coinhive never returns, it only means attackers will have to resort to another miner or develop one of their own. Monero is still the leading privacy-based coin, but others could find it more lucrative to mine other coins that have the option to shield transactions, like DASH, ZCash or Verge.

Ultimately, it doesn’t matter what they mine. It only matters how they mine and all forms of these illegal miners — present and future — damage systems and create security vulnerabilities.

Facebook Libra won’t be mined, but caution still required

When you talk about future cryptocurrencies, you have to mention the new entry from social media giant Facebook.

In June, Facebook announced its own cryptocurrency, Libra. Governed by the Libra Association, an independent, non-profit organization, Libra will theoretically give millions of global users instant access to cryptocurrency-based digital payments with almost no transaction fees and without the need for a traditional, centralized bank. This “easy access,” however, should come with caution, particularly with regards to security and privacy.

Because Libra will only be “minted” and released by the Libra Reserve, it can’t be mined like bitcoin or Monero. This likely means that Libra won’t be used in traditional cryptojacking attacks.

That said, if there’s money to be made, cybercriminals will find a way. Once Libra launches in 2020, SonicWall expects many of the early exploits to focus on social engineering and other online scams that will attempt to manipulate users into sending Libra (via the complementary Calibra digital wallet) on a number of supported applications, including Facebook, Facebook Messenger, WhatsApp, etc.

Specific details on how people can obtain and distribute Libra likely won’t surface before its 2020 debut, but plans are already in place to give away free Libra within marketing promotions.

Promotional campaigns are already promising free Libra, but intentions aren’t always clear. Users — especially those new to cryptocurrencies — will need to exercise extreme caution.


If people are allowed to transfer Libra between wallets, numerous scams or grey hat programs will appear at launch. These will either mass-complete promotions with the intent to consolidate and trade the currency for cash, or incentivize people to do the heavy lifting for them.

CVE-2019-11581 Atlassian Jira Unauthorized Template Injection Vulnerability

Jira is a proprietary issue tracking product developed by Atlassian that allows bug tracking and agile project management. It runs on a bundled Apache Tomcat application server and is accessible via HTTP on port 8080/TCP or HTTPS on port 8443/TCP.

Vulnerability Description: 
CVE-2019-11581 is a server-side template injection vulnerability in Jira Server and Data Center, in the “ContactAdministrators” and the “SendBulkMail” actions. For this issue to be exploitable at least one of the following conditions must be met:

  • an SMTP server has been configured in Jira and the Contact Administrators Form is enabled; or
  • an SMTP server has been configured in Jira and an attacker has “JIRA Administrators” access.

In the first case, where the Contact Administrators Form is enabled, attackers are able to exploit this issue without authentication. In the second case, attackers with “JIRA Administrators” access can exploit this issue. In either case, successful exploitation of this issue allows an attacker to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center.

Vulnerability Details:

The template injection vulnerabilities are due to insufficient sanitization of parameters used to build portions of the templates used to send outgoing emails. When constructing an email to send to administrators, the subject line is passed in directly as a template and is not sanitized, providing the opportunity for code execution. A remote unauthenticated attacker can exploit this vulnerability by submitting a crafted request to the Contact Administrators form. Similarly, a remote user with administrator access can exploit it by submitting a crafted request to the Send Bulk Mail functionality. Successful exploitation results in the execution of arbitrary code in the context of the Jira server.
Fig: Jira web page when Contact Administrators Form is enabled
Jira login page allows unauthorized users to contact administrators if “ContactAdministrators” Form is enabled. In the vulnerable versions, the input entered into the subject line is directly passed without proper sanitization, leading to arbitrary code execution.
Fig: Vulnerable Contact Form
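The root cause above is the user's subject line being treated as template source rather than as data. The following added Python example (not Jira or Atlassian code) shows that confusion with a constructed toy template engine that only resolves `${a.b}` lookups; Jira's real engine is Velocity, which also evaluates method calls, so there the same confusion yields code execution rather than the value leak shown here. The context values and the fixed template are assumptions made for the example.

```python
import re

# Toy template engine: ${a.b} is resolved against a context dict. It is a
# constructed stand-in for a real template language (Jira uses Velocity), not
# Jira code, and it only does lookups; a real engine also evaluates method
# calls, which is what turns this defect into code execution.
REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)*)\}")


def render(template: str, context: dict) -> str:
    """Substitute every ${path} in template with the value found in context."""
    def resolve(match):
        value = context
        for part in match.group(1).split("."):
            if isinstance(value, dict) and part in value:
                value = value[part]
            else:
                return match.group(0)  # unresolved: leave the text untouched
        return str(value)
    # re.sub never rescans substituted text, so values are not re-expanded.
    return REF.sub(resolve, template)


# Objects the mail-building code can reach while rendering (constructed values).
MAIL_CONTEXT = {
    "site": {"name": "Example Jira"},
    "admin": {"email": "admin@example.invalid", "apiToken": "TOKEN-PLACEHOLDER"},
}


def build_subject_vulnerable(user_subject: str) -> str:
    """Defect pattern from the advisory: the user-controlled subject *is* the template,
    so whatever the user types is parsed and resolved with the server's context."""
    return render(user_subject, MAIL_CONTEXT)


FIXED_TEMPLATE = "[${site.name}] Contact administrators: ${subject}"


def build_subject_fixed(user_subject: str) -> str:
    """Correct pattern: the template is a fixed string chosen by the developer, and
    the user's subject is data placed in the context, so it is never parsed."""
    return render(FIXED_TEMPLATE, {**MAIL_CONTEXT, "subject": user_subject})


if __name__ == "__main__":
    probe = "Need help ${admin.apiToken}"  # constructed: a lookup that should never resolve
    print("vulnerable:", build_subject_vulnerable(probe))
    print("fixed:     ", build_subject_fixed(probe))
```

The fix is structural rather than a blacklist: once user input only ever enters the engine as a context value, no amount of template syntax in the subject is interpreted.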

Mitigation
If you are unable to upgrade Jira immediately, then as a temporary workaround, you can:

  1. Disable the Contact Administrators Form
  2. Block access to the endpoint /secure/admin/SendBulkMail!default.jspa

Fix
Atlassian has released new versions of Jira Server and Jira Data Center to address this issue. Its advisory can be found here: https://confluence.atlassian.com/jira/jira-security-advisory-2019-07-10-973486595.html

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:
IPS: 14330 Atlassian JIRA Template Injection 1
IPS: 14331 Atlassian JIRA Template Injection 2
WAF: 1719 Atlassian JIRA Template Injection Code Execution
WAF: 1681 EXEC Statement (Possible SQL Injection)

Cyber Security News & Trends – 08-02-19

This week, SonicWall CEO Bill Conner is recognized with a Top Executive accolade from CRN; it’s a tough week for major global retailers impacted by data breaches; and there are cybersecurity concerns aboard the International Space Station.


SonicWall Spotlight

The Top 25 Enterprise IT Innovators Of 2019 – CRN

  • SonicWall CEO Bill Conner is listed as one of the 25 Most Innovative Executives, “always two steps ahead of the competition,” part of CRN’s Top 100 Executives Of 2019 list.

Ransomware Today: Everything You Need to Know to Protect Your Business – Infoblox Threattalk (podcast)

  • Infoblox’s podcast discusses the evolving rate of ransomware attacks and what organizations need to do to decrease the likelihood of a ransomware attack, referring to the 2019 SonicWall Cyber Threat Report data that ransomware attacks per customer have grown at a rate of 11% year on year.

Four Signs the U.S Government Is Becoming More Aggressive With Cybersecurity – Law.com

  • With the NSA launching the Cybersecurity Directorate in October, Law.com argues that we are entering an era of more aggressive cybersecurity, quoting SonicWall CEO Bill Conner on the need for the public and private sectors to share data.

Cybersecurity News

Hacker Threatened Shooting at Social Media Company, U.S. Says – Bloomberg

  • The Seattle woman accused of a massive hack of personal and financial data from Capital One Financial Corp. threatened to shoot up an unnamed California social media company, according to court records.

Data Breach Can Cost About $3.2 Million. So What Has Your Business Done to Protect Important Data? – The Philadelphia Inquirer

  • Two recent studies have found that over half of small and medium-sized companies are not prepared for a cyberattack, despite the cost of a data breach having risen 12% over the last five years and now averaging $3.92 million per business.

Cybersecurity Officials Warn State and Local Agencies (Again) to Fend off Ransomware – Ars Technica

  • As Louisiana was declaring a cybersecurity state of emergency, Baltimore was approving $10 million in spending to recover from its own nearly month-long ransomware related IT outage. Reacting to these and other incidents, several US government departments, CISA, MS-ISAC, NGA & NASCIO, have issued a joint statement for state, local, territorial and tribal government partners recommending immediate action to safeguard against ransomware attacks.

Sephora Data Breach Hits Southeast Asia and ANZ Customers – ZDNet

  • Some personal information such as first and last name, date of birth, gender, email address, and encrypted password, as well as data related to beauty preferences may have been exposed.

5 Experimental Cybersecurity Trends Your Business Needs to Know About – Tech Republic

  • Disinformation defense, open source security, zero-knowledge proofs, homomorphic encryption and blockchain security: five experimental cybersecurity trends that Tech Republic speculates are becoming more important.

New Mirai Botnet Lurks in the Tor Network to Stay Under the Radar – ZDNet

  • A new, Mirai based, Internet of Things botnet has been found hiding online, launching itself from the Tor network in an effort to prevent takedowns. While this is not the first time that malware has attempted to anonymize itself and become more difficult to combat by using Tor, some experts think this may be a “possible precedent” setting case.

And Finally

Cybersecurity test on ISS – Phys.org

  • Space, the cybersecurity frontier. Experiments are being carried out to improve cybersecurity on the International Space Station.

In Case You Missed It

Android scams related to the new viral trend – FaceApp

When an application or game becomes a viral sensation, malware writers are quick to leverage its popularity for spreading scams. We have seen this with Fortnite and Apex Legends in the past; now we are seeing it again with the new viral application, FaceApp.

SonicWall Capture Labs Threats Research team has observed a number of scams using the wildly popular FaceApp to lure innocent victims. Highlighted below are the different types of scams that we observed:

Verification and survey scams – Web

There are a number of websites which claim to provide the FaceApp Pro version for free. Upon clicking them, the user is redirected to fake survey/verification websites aiming to extract sensitive user information such as email and credit card details. Here are some examples of such websites (at the time of writing this blog):

  • h[xx]ps://appmolly.com/faceapp-pro
  • h[xx]p://tweakapps/club/index-4.html

It is interesting to note that when we changed index-4.html to index-3.html and index-5.html we saw similar pages for PUBG Mobile and Spotify Premium respectively. This indicates that scammers set up multiple pages for whatever is trending at the moment:

Verification and survey scams – Mobile

We observed a FaceApp-Pro apk (MD5: bb99a60d9f69a18b3d115d615c0e2fbd) that is part of a malware clone scam (more on this later in the blog). This app asks users to ‘verify their mobile device’ before they can use it:

The app then displays survey links that aim to extract credit-card and other sensitive details from users.

Malware writers often create a malicious app and make copies of it with different application names and icons to increase their chances of infecting users based on what is trending at the moment. Given its current popularity, the name FaceApp is being leveraged in multiple scams. We highlight a few such instances below.

 

Malware Clones – SMS Stealer

  • Package name: com.example.asus.myapplication

As visible below, there are a number of apps with the same name but different icons, FaceApp being one of them (Koodous link):

Upon inspection, this application turned out to be an SMS stealer which is dormant at the moment, since the server it tries to contact has been cleaned or shut down:

We also found a Telegram link in the code; it is possible that this application received commands via Telegram:

We found code related to reading and sending SMS messages from the infected device:

 

Malware Clones – Verification Scams

This application has already been highlighted previously when discussing the verification scam. Among other application names we saw the name FaceApp being used as part of this scam (Koodous link):

Malware Clones – Spyware

We observed a few malware apps with the FaceApp name and icon which are a little older but contain dangerous functionality. These apps do not have the same package names but can be grouped based on similar activity names:

  • Package name: ffo.bzgbuamnsxouu.huzckzj
  • Package name: fjfw.phlrugygex.jhkheqxciezscs

Among other permissions, these malware apps ask for a few sensitive permissions that can have a big impact on the user’s data and enable the attacker to spy on the victim:

  • read external storage
  • write external storage
  • get tasks
  • read contacts
  • read sms
  • send sms
  • receive sms
  • call phone
  • receive boot completed
  • get accounts
  • read contacts
  • read history bookmarks
  • call phone
  • write settings

This malware can execute a number of commands sent by the attacker, including:

  • sendsms – Sends an SMS from the device
  • getlastsms – Extracts the last SMS received on the device
  • sendflood – Sends a large number of SMS messages to a particular number
  • call – Calls a particular number
  • megalock – Locks the device with a custom password sent by the attacker

In order to execute a few of the commands mentioned above, the malware needs device administrator privileges. The following code shows the custom message the malware uses to trick users into granting that privilege:
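The permission set above, together with the device-administrator request, is a usable triage signal on its own. The added Python example below (not the malware's code and not SonicWall's) parses a constructed AndroidManifest.xml, groups the permissions the post lists, checks for a device-admin receiver and scores the result; the package names and the benign comparison manifest are placeholders.

```python
import xml.etree.ElementTree as ET

# Attributes such as android:name live in this namespace; ElementTree keys them
# in Clark notation, "{namespace}name".
A = "{http://schemas.android.com/apk/res/android}"

# The permissions the post lists, grouped by the capability they give an app.
RISK_GROUPS = {
    "sms_control": {"android.permission.READ_SMS", "android.permission.SEND_SMS",
                    "android.permission.RECEIVE_SMS"},
    "contacts_and_accounts": {"android.permission.READ_CONTACTS",
                              "android.permission.GET_ACCOUNTS"},
    "telephony": {"android.permission.CALL_PHONE"},
    "persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
}


def parse_manifest(xml_text: str) -> dict:
    """Pull the package name, requested permissions and device-admin receiver out of a manifest."""
    root = ET.fromstring(xml_text)
    perms = {el.get(A + "name") for el in root.iter("uses-permission")}
    # A DeviceAdminReceiver must be protected by BIND_DEVICE_ADMIN; its presence
    # means the app can ask for the device-administrator privilege the post mentions.
    device_admin = any(r.get(A + "permission") == "android.permission.BIND_DEVICE_ADMIN"
                       for r in root.iter("receiver"))
    return {"package": root.get("package"), "permissions": perms, "device_admin": device_admin}


def triage(manifest: dict) -> dict:
    """Report which risk groups the app touches and a simple count-based score."""
    findings = {}
    for group, members in RISK_GROUPS.items():
        hit = sorted(manifest["permissions"] & members)
        if hit:
            findings[group] = hit
    if manifest["device_admin"]:
        findings["device_admin_receiver"] = ["android.permission.BIND_DEVICE_ADMIN"]
    findings["score"] = sum(len(v) for v in findings.values())
    return findings


# Constructed manifests: a clone with the post's permission set, and a benign photo app.
CLONE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakefaceapp.placeholder">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.photofilter.placeholder">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for text in (CLONE_MANIFEST, BENIGN_MANIFEST):
        m = parse_manifest(text)
        print(m["package"], triage(m))
```

The score is deliberately crude; what matters for a photo-filter clone is the combination of the full SMS triple with a device-admin receiver, which a benign app of that kind never needs.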

As FaceApp continues to gain popularity, we expect to see more such scams surface in the near future. Staying vigilant and being careful about which applications are downloaded and installed on the device is one of the most effective ways to stay safe from such scams.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: AndroidOS.FakeFaceApp.BT
  • GAV: AndroidOS.FakeFaceApp.SM
  • GAV: AndroidOS.FakeFaceApp.MV

Indicators of compromise:

  • a86d054bae218db30523690add463355 – ffo.bzgbuamnsxouu.huzckzj
  • b888e34899e2572961e9a757066c0492 – com.example.asus.myapplication
  • bb99a60d9f69a18b3d115d615c0e2fbd – com.comunidadapk.fkapps

 

Inside the Capital One Data Breach: What Went Wrong

In one of the biggest data breaches publicly disclosed, Capital One revealed that a hacker gained access to personal information from 106 million credit card applicants and customers in the United States and Canada.

Capital One’s breach disclosure comes after Equifax recently agreed to pay up to $700 million to federal and state agencies to settle litigation around a 2017 data breach that affected 147 million people.

“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” said Richard D. Fairbank, Chairman and CEO in a public statement. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”

According to Capital One, beyond the credit card application data, the individual also obtained portions of credit card customer data, including:

  • Customer status data (e.g., credit scores, credit limits, balances, payment history, contact information)
  • Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018

No bank account numbers or Social Security numbers were compromised, other than:

  • About 140,000 Social Security numbers of credit card customers
  • About 80,000 linked bank account numbers of our secured credit card customers

The intrusion allegedly occurred through a “misconfigured web application firewall that enabled access to the data.” Capital One immediately fixed the configuration vulnerability that the individual exploited and promptly began working with federal law enforcement.

“Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual,” said a statement from Capital One.

Capital One expects to spend between $100 million and $150 million on customer notifications, credit monitoring, technology costs and legal support associated with the breach in 2019 alone, according to CRN.

How can you prevent such a breach using SonicWall WAF?

The SonicWall web application firewall supports OWASP Top 10 and PCI DSS compliance, providing protection against malicious injection and cross-site scripting attacks, credit card and Social Security number theft, cookie tampering and cross-site request forgery.

SonicWall WAF offers Information Disclosure Protection, a data loss prevention technique that ensures that sensitive information, such as credit card numbers and Social Security numbers, is not leaked. SonicWall WAF also provides strong authentication mechanisms (i.e., two-factor or multifactor authentication) and facilitates seamless configuration and deployment through an admin-friendly management API.
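As an added illustration of the information-disclosure protection described above (example code, not SonicWall WAF's implementation), the Python below scans an outbound response body for card numbers and Social Security numbers, uses the Luhn check to drop digit runs that merely look like card numbers, and redacts what it finds. The response body and its values are constructed.

```python
import re

# Candidate numbers: 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN shape with the never-issued area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(body: str) -> dict:
    """Return the card numbers (Luhn-valid only) and SSNs found in a response body."""
    cards = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            cards.append(m.group(0))
    return {"cards": cards, "ssns": SSN_RE.findall(body)}


def redact(body: str) -> str:
    """Mask every sensitive value, keeping the last four digits for support use."""
    def mask_card(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return "*" * (len(digits) - 4) + digits[-4:] if luhn_ok(digits) else m.group(0)
    body = CARD_RE.sub(mask_card, body)
    return SSN_RE.sub(lambda m: "***-**-" + m.group(0)[-4:], body)


def inspect_response(body: str) -> dict:
    """Policy decision a WAF would make on an outbound response: allow or redact."""
    found = find_sensitive(body)
    action = "allow" if not (found["cards"] or found["ssns"]) else "redact"
    return {"action": action, "found": found, "body": redact(body) if action == "redact" else body}


# Constructed response body: one Luhn-valid test card number, one SSN-shaped
# value, and an order reference that is digits but not a card number.
SAMPLE_BODY = ('{"applicant":"J. Doe","ssn":"123-45-6789",'
               '"card":"4111 1111 1111 1111","order_ref":"1234 5678 9012 3456"}')

if __name__ == "__main__":
    print(inspect_response(SAMPLE_BODY))
```

Without the Luhn step the order reference would be masked too, which is the kind of false positive that gets a DLP rule switched off; with it, only the genuine card number and the SSN are redacted.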

To ensure your SonicWall is properly configured, please refer to our in-depth administration guide and the SonicWall WAF settings resource.

Black Hat USA 2019: SonicWall Heads to Vegas

Black Hat USA 2019 is almost here. And it wouldn’t be a cybersecurity event without the SonicWall crew in attendance.

Can you believe this “little” show is now in its 22nd year? Started in 1997, the Black Hat Briefings grew from a one-show enterprise in Las Vegas to a global event. Today, Black Hat Briefings and Trainings bring together the world’s top cybersecurity researchers, vendors, experts and trainers for annual events in the U.S., Europe and Asia.

This year, SonicWall will be live at Booth 1310. Join SonicWall’s Brook Chelmo, Srudi Dineshan, Rob Krug, Ed Gradek, Ken Dang and Bobby Cornwell to discuss the latest in cybersecurity, advanced threats, wireless security and more. The group will have a live demo every 30 minutes.

Their sessions will also dive into specific use cases around firewall management, shadow IT, endpoint protection, customized threat intelligence and cloud-based Wi-Fi management.

SonicWall at Black Hat USA 2019

Booth 1310

Aug. 7-8 | Mandalay Bay Convention Center

Where to register for Black Hat USA 2019

Once you’re at the Mandalay Bay Convention Center for Black Hat USA 2019, event registration will be located on Level 1 of the Bayside Foyer.

The best giveaways: socks, retro headphones and more

The SonicWall crew will be in the booth August 7-8 to help you reserve your spot for each of the sessions. They’ll also be ready to reward your participation with some of the best swag in Vegas, including the limited ‘SOC in Box’ giveaway and JLab Audio Rewind wireless retro headphones.

Black Hat resources

Before you head to Las Vegas, be sure to explore and review available resources to help plan for your trip. This is especially true for first-time attendees. The event has a lot going on and you don’t want to waste a full day just getting your bearings.

Wind River VxWorks and URGENT/11: Patch Now

Notice: SonicWall physical firewall appliances running certain versions of SonicOS use third-party TCP/IP code for remote management that contains vulnerabilities named URGENT/11. At this time, there is no indication that the discovered vulnerabilities are being exploited in the wild; however:

SonicWall STRONGLY advises applying the SonicOS patch immediately. Patches are available for all recent SonicOS versions. Detailed instructions are provided in the Security Advisory.

SonicWall provides the patched versions of SonicOS at no charge, including for customers not currently covered by an active support contract. SonicWall also recommends updating to the latest SonicOS release (6.5.4.4), which provides firewall capabilities to help protect other devices vulnerable to URGENT/11.


Wind River VxWorks and URGENT/11 vulnerabilities

Security researchers at Armis have discovered and responsibly disclosed 11 vulnerabilities in the TCP/IP stack of Wind River’s VxWorks real-time operating system, which is utilized by millions of devices around the world, as well as in space, on Mars and in certain versions of SonicOS. The Wind River VxWorks TCP/IP stack, named IPNET, contains vulnerabilities that have been given the name “URGENT/11.” The one material vulnerability type that impacted SonicOS is addressed by the patch releases.

Unmanageable & un-patchable: The Wild West of IoT

Wind River VxWorks is a real-time operating system that is widely used in IoT and embedded applications, such as networking, telecom, automotive, medical, industrial, consumer electronics, aerospace and beyond.

While firewalls are charged with protecting perimeters of organizations, they are actively managed and monitored devices, frequently from a central location. For every firewall, there is a human who wakes up each morning with a question, “Is my firewall working? Is it up to date?” Within days of an update becoming available, these humans schedule a maintenance window and close the security gap.

However, for the overwhelming majority of other devices connected or exposed to the internet, there is no such human, and the number of these IoT devices is larger than that of firewalls by several orders of magnitude. It is this multitude of connected devices that are not actively managed or patched that poses an iceberg-like risk to the internet.

Vulnerabilities are eventually discovered for even the best software, and the security of the internet and the online ecosystem relies on the ability to roll out and deploy the fixes.

In the mid-year update to the 2019 SonicWall Cyber Threat Report, SonicWall Capture Labs threat researchers have already logged 13.5 million IoT attacks, which outpaces the first two quarters of 2018 by 54.6%.

This reality is taking hold in the minds not only of security practitioners, but also of government regulators, as the hundreds of millions of IoT devices are found to be vulnerable and remain unpatched.

This is one of the risky underbellies of the internet, led by the explosion of IoT devices, including consumer-grade devices that are frequently deployed at the edge of the internet and then forgotten for a decade. IoT’s broad reach should reverberate through several industries as a wakeup call.

‘Never stop patching’

The weaponization of published vulnerabilities against old software serves as an important reminder that customers should never procrastinate software updates, which are one of the most important steps you can take to secure your infrastructure against today’s rapidly-evolving threat landscape.

Do not ignore them or put them off. Patch now. And never stop patching.

Exim email servers are still under attack

The Exim remote command execution vulnerability has been exploited in the wild since June. This week, security researchers observed that the Exim vulnerability (CVE-2019-10149) is being exploited to install a new variant of the Watchbog Linux malware. After successful exploitation, Watchbog downloads and executes a cryptocurrency miner payload on the compromised server. According to a Shodan search run today, there are over 1.5 million unpatched Exim servers vulnerable to this attack. The SonicWall Capture Labs Threat Research team continues to observe attempts to exploit this vulnerability.

Exim
Exim is a mail transfer agent (MTA) used on Unix-like operating systems. It contains an SMTP server implementation for incoming messages, as well as an SMTP (Simple Mail Transfer Protocol) or LMTP (Local Mail Transfer Protocol) client for outgoing email.
SMTP
SMTP is a connection-oriented, text-based protocol in which a mail sender communicates with a mail receiver by issuing command strings and supplying necessary data over a Transmission Control Protocol (TCP) connection. An SMTP session consists of commands originated by an SMTP client (the initiating agent) and corresponding responses from the SMTP server (the listening agent) so that the session is opened, and session parameters are exchanged.

An SMTP transaction consists of the following three command/reply sequences:

1. MAIL command, to identify the sender, to establish the return address or bounce-address.
2. RCPT command, to establish a recipient of the message. This command can be issued multiple times, one for each recipient.
3. DATA command, to give the mail data and finally the end of mail data indicator confirming the transaction.

Fig: SMTP mail transaction

CVE-2019-10149:

A command injection vulnerability has been reported in Exim. It is due to insufficient sanitization of recipient email addresses, whether the recipient is local or remote. In the vulnerable versions, the local part of the recipient address is passed to the expand_string() function without adequate validation. A remote attacker can exploit this vulnerability by attempting to send an email to a crafted recipient on the target server. Successful exploitation results in the execution of arbitrary commands as the root user.

 

Fig: Snapshot of the code snippet 

Local Exploitation:
The expand_string() function in the code shown above recognizes “${run{<command> <args>}}” in its input, and because new->address is the recipient of the mail being delivered, a local attacker can simply send mail to “${run{…}}@localhost” and execute arbitrary commands as root.

 

Remote Exploitation (Non-default configuration):
The above exploitation method does not work remotely, because Exim’s default configuration requires the local part of the recipient’s address (the part that precedes the @ sign) to be the name of a local user when the request comes from a remote server.
In various non-default configurations, however, the vulnerability can be exploited remotely: for example, if the “verify = recipient” ACL, which checks that the local part of the recipient’s address is the name of a local user, was removed manually by an administrator, or if Exim was configured to recognize special tags like “+” in the recipient’s address. In those cases a remote attacker can simply use the local exploitation method, i.e. RCPT TO “local_user+${run{…}}@localhost” instead of local_user@localhost.

 

Remote Exploitation (Default Configuration):
The vulnerability report also describes a more elaborate method that allows remote exploitation in Exim’s default configuration. The attacker sets up a malicious email server on a domain they control, places the malicious string expansion in the local part of the sender’s address, and sends a message with a valid recipient that is crafted to bounce back to the attacker-controlled server. To make the outgoing message from the Exim server fail, i.e. to reach the RECIP_FAIL_TIMEOUT state, the attacker-controlled server sends a long SMTP response very slowly over a 7-day period and finally sends a response such as a 550 error, causing the outgoing message to be “frozen” by Exim. On the next scheduled queue run, Exim attempts to deliver the bounce message once again, but because the message is older than the default permitted age for frozen messages, process_recipients is set to RECIP_FAIL_TIMEOUT, and the malicious string in the sender address is expanded by expand_string() and executed as root.
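The added Python example below (not Exim code) ties the SMTP transaction described earlier to the address check that is missing in the vulnerable versions: a minimal server-side state machine processes HELO/MAIL/RCPT/DATA/QUIT from constructed client transcripts and rejects any sender or recipient whose local part contains Exim's `${` expansion syntax, covering the `user+tag` form from the non-default configuration and the sender-address form from the default-configuration method. The reply texts and host names are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Exim string-expansion syntax. A literal "${" has no place in a local part that
# a mail server is going to hand to an expansion routine.
EXPANSION = re.compile(r"\$\{")
ADDR_CMD = re.compile(r"^(MAIL FROM|RCPT TO):\s*<([^>]*)>\s*$", re.IGNORECASE)


def local_part(address: str) -> str:
    """Everything before the last '@'. A '+tag' suffix stays inside the local part,
    which is why the tagged non-default configuration is exposed as well."""
    return address.rsplit("@", 1)[0] if "@" in address else address


def address_is_safe(address: str) -> bool:
    return EXPANSION.search(local_part(address)) is None


@dataclass
class Session:
    sender: Optional[str] = None
    recipients: List[str] = field(default_factory=list)
    in_data: bool = False
    body: List[str] = field(default_factory=list)


def handle(session: Session, line: str) -> str:
    """Apply one client line to the session and return the server reply ('' while
    collecting message body lines, which get no per-line reply)."""
    if session.in_data:
        if line == ".":
            session.in_data = False
            return "250 OK: queued"
        session.body.append(line)
        return ""
    verb = line.split(" ", 1)[0].upper()
    m = ADDR_CMD.match(line)
    if verb in ("HELO", "EHLO"):
        return "250 mail.example.invalid"
    if m and m.group(1).upper() == "MAIL FROM":
        if not address_is_safe(m.group(2)):
            return "550 5.1.7 Sender address rejected"
        session.sender = m.group(2)
        return "250 OK"
    if m and m.group(1).upper() == "RCPT TO":
        if session.sender is None:
            return "503 Need MAIL command"
        if not address_is_safe(m.group(2)):
            return "550 5.1.3 Bad recipient address syntax"
        session.recipients.append(m.group(2))
        return "250 OK"
    if verb == "DATA":
        if not session.recipients:
            return "554 No valid recipients"
        session.in_data = True
        return "354 End data with <CR><LF>.<CR><LF>"
    if verb == "QUIT":
        return "221 Bye"
    return "500 Command not recognized"


def run_session(lines: List[str]) -> List[str]:
    """Feed a constructed client transcript through the server; return its replies."""
    session = Session()
    return [r for r in (handle(session, line) for line in lines) if r]


# Constructed transcripts. The second uses the placeholder form the post shows.
NORMAL = ["EHLO client.example.invalid", "MAIL FROM:<alice@example.invalid>",
          "RCPT TO:<bob@localhost>", "DATA", "Subject: hello", "", "hi bob", ".", "QUIT"]
HOSTILE = ["EHLO client.example.invalid", "MAIL FROM:<alice@example.invalid>",
           "RCPT TO:<${run{...}}@localhost>", "RCPT TO:<bob+${run{...}}@localhost>",
           "DATA", "QUIT"]

if __name__ == "__main__":
    for name, transcript in (("normal", NORMAL), ("hostile", HOSTILE)):
        print(name, run_session(transcript))
```

Rejecting at RCPT (and at MAIL for the bounce variant) keeps the string out of the queue altogether, which is the property the page's IPS signatures approximate on the wire; the patched Exim releases do the equivalent inside the delivery code.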

Trend Chart:

The graph below shows how actively this vulnerability has been exploited.
Fig: IPS hits for signature ID 14240 in the last 40 days
The majority of exploit attempts come from the IP address “89.248.171.57”. Exim users have also reported online that they have been hacked by this attacker, who is still actively looking for vulnerable Exim servers.

Fix:

Exim versions 4.87 through 4.91 are vulnerable by default. The vulnerability is fixed in version 4.92.

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

IPS: 14240 Exim deliver_message Remote Command Execution 1
IPS: 14241 Exim deliver_message Remote Command Execution 2
IPS: 14242 Exim deliver_message Remote Command Execution 3
IPS: 14243 Exim deliver_message Remote Command Execution 4

Metamorfo Banking Trojan spotted using Avast Utility

The SonicWall Capture Labs Threat Research Team has spotted Metamorfo malware, known to distribute banking Trojans, using a legitimate tool from Avast, a popular security product. The malware arrives as a seemingly harmless Adobe installer and, to evade detection, uses a renamed copy of the Avast memory dumping tool to load its malicious components.

Infection cycle:

The Trojan arrives as a Windows Installer database (MSI file).

It uses the following file properties, pretending to be an Adobe Acrobat Reader installer:

 

Upon execution, it displays a fake splash window that makes the victim believe that Adobe Reader is being installed.

This installer has embedded obfuscated JavaScript code that, when decoded, reveals its intent.

It downloads a fake image file with a PNG extension, which is in fact a ZIP archive containing additional components.

The archive is then unpacked into the %APPDATA% directory and contains the following files:

  • %APPDATA%/yDnKLM.exe – non-malicious renamed AVDump32.exe utility from Avast
  • %APPDATA%/yDnKLM.dmp – malicious file detected as GAV: Metamorfo.BZ_2 (Trojan)
  • %APPDATA%/dbghelp.dll – malicious file detected as GAV: Metamorfo.BZ_ (Trojan)
  • %APPDATA%/ssleay64.dll – malicious file detected as GAV: Metamorfo.BZ_3 (Trojan)
  • %APPDATA%/borlndmm.dll – non-malicious Borland Memory Manager library
  • %APPDATA%/libeay32.dll – non-malicious OpenSSL library
  • %APPDATA%/ssleay32.dll – non-malicious OpenSSL library

The installer then triggers a system reboot. After the reboot it launches the legitimate Avast file to load the malicious dbghelp.dll library, and subsequently uses another non-malicious program, Windows Media Player, to load the malicious .dmp file.
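The chain above (a renamed legitimate loader, then a DLL with a System32 name loaded from %APPDATA%) is what an endpoint telemetry rule can look for. The added Python example below (not SonicWall or Avast code) applies two such rules to constructed Sysmon-style process-create and image-load events; the OriginalFileName value for the renamed AVDump32.exe is an assumption about its version resource, and the user path is a placeholder.

```python
import json
from pathlib import PureWindowsPath

# DLL names that Windows ships in System32 and that the post names as the
# side-loaded component; extend with the OS DLLs you care about.
SYSTEM_DLLS = {"dbghelp.dll"}


def under_user_profile(path: str) -> bool:
    """True for paths a standard user can write to (AppData, Temp, Downloads)."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return any(p in parts for p in ("appdata", "temp", "downloads"))


def analyze(events) -> list:
    """Apply two rules to Sysmon-style events: a renamed binary (EventID 1 with an
    OriginalFileName that differs from the on-disk name) and a System32 DLL name
    loaded from a user-writable path (EventID 7)."""
    findings = []
    for e in events:
        image = PureWindowsPath(e.get("Image", ""))
        if e.get("EventID") == 1:
            original = e.get("OriginalFileName", "")
            if original and original.lower() != image.name.lower():
                findings.append({"rule": "renamed_binary", "image": str(image), "original": original})
        elif e.get("EventID") == 7:
            loaded = PureWindowsPath(e.get("ImageLoaded", ""))
            if loaded.name.lower() in SYSTEM_DLLS and under_user_profile(str(loaded)):
                findings.append({"rule": "system_dll_from_user_path", "image": str(image), "loaded": str(loaded)})
    return findings


def parse_events(text: str) -> list:
    """One JSON object per line, blank lines ignored."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


# Constructed events in the shape of Sysmon process-create (1) and image-load (7)
# records. The OriginalFileName value is an assumption about the renamed tool's
# version resource; the paths follow the post's %APPDATA% listing.
SAMPLE_EVENTS = r'''
{"EventID": 1, "Image": "C:\\Users\\user\\AppData\\Roaming\\yDnKLM.exe", "OriginalFileName": "AVDump32.exe"}
{"EventID": 7, "Image": "C:\\Users\\user\\AppData\\Roaming\\yDnKLM.exe", "ImageLoaded": "C:\\Users\\user\\AppData\\Roaming\\dbghelp.dll"}
{"EventID": 7, "Image": "C:\\Windows\\System32\\notepad.exe", "ImageLoaded": "C:\\Windows\\System32\\dbghelp.dll"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "OriginalFileName": "NOTEPAD.EXE"}
'''

if __name__ == "__main__":
    for finding in analyze(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

Neither rule depends on a hash of the malicious DLL, which is the point: the loader is a clean, signed Avast binary, so file reputation alone says nothing, while the name mismatch and the load path are visible on every host that ships this telemetry.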

The malicious files can steal user information by collecting the computer name and keystrokes, and can connect to a remote server, submit files, simulate mouse clicks and execute commands.

During our analysis the malicious ssleay64.dll was not loaded.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Metamorfo.BZ_4 (Trojan)
  • GAV: Metamorfo.BZ_5 (Trojan)
  • GAV: Metamorfo.BZ_6 (Trojan)
  • GAV: Downloader.MSI (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.