Samba spoolss Service DoS

Description
Samba is a free software re-implementation of the SMB/CIFS networking protocol, providing file and print services for various Microsoft Windows clients. A NULL pointer dereference Denial of Service vulnerability exists in the Samba print service for Samba Team Samba 4.0.0 to 4.4.x, 4.5.x to 4.5.16, 4.6.x to 4.6.14 and 4.7.x to 4.7.6, which may cause a remote Denial of Service.

When Samba's daemon, smbd, handles the print server name, three functions are called in turn: RpcEnumPrinterDrivers() -> _spoolss_EnumPrinterDrivers() -> canon_servername(). The RpcEnumPrinterDrivers request is forwarded to the _spoolss_EnumPrinterDrivers() function for handling.


Figure 1: pname in the request

Afterwards, canon_servername() is called to parse pName, the print server name. However, because _spoolss_EnumPrinterDrivers() fails to check whether this input variable is NULL, a NULL pointer dereference can occur and crash the service, as shown in Figure 2. An attacker could send such a request remotely and cause a Denial of Service on the remote service.


Figure 2: NULL reference that causes DoS

SonicWall Capture Labs Threat Research team has developed the following signature to identify and stop the attacks:

  • IPS 13280: Samba spoolss Service DoS


LockCrypt ransomware spotted in the wild

Description

The SonicWall Capture Labs Threat Research Team receives reports of new strains and versions of ransomware daily. This week we analyzed a ransomware sample called LockCrypt.

Infection Cycle:

Upon execution, it opens a window titled “crypt” showing its progress so far.

It sends some data to a remote server, which then responds with further encrypted communication.

It creates and executes a batch file that kills all running processes not in its whitelist.

This in turn disables running antivirus products and disrupts the Windows Security Center.

Encrypted files are given an encrypted file name along with a “.lock” file extension.

It also adds the ransom note text file in every directory where files were encrypted.

It adds the following registry entry to ensure that Notepad opens this text file upon reboot:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run unlock “c:\Windows\notepad.exe” c:\ReadMe.TxT

A message box also appears with a warning before the user can log on to Windows. The user must click OK in the message box to continue logging on.

This is done by adding LegalNoticeCaption and LegalNoticeText data in the registry.

But forget about rebooting and logging on to Windows; an infected computer is rendered useless upon reboot, since some system files were also encrypted by LockCrypt.

Because of the prevalence of these types of malware attacks, we urge our users to back up their files regularly.

SonicWALL Capture Labs provides protection against this threat with the following signature:

  • GAV: LockCrypt.RSM (Trojan)

Cyber Security News & Trends – 04-06-18

Each week, SonicWall collects the cyber security industry’s most compelling, trending and important interviews, media and news stories — just for you.


Special Section: 2018 SonicWall Cyber Threat Report

‘Malware-cocktail’ cyber attacks double in one year, shocking report warns — London Evening Standard

The News: The popular UK news publication highlights the shifting behavior of malware authors examined in the 2018 SonicWall Cyber Threat Report.

Quotable: SonicWall CEO Bill Conner described the attacks as a “cyber arms race affecting every government, business, organization and individual.”

Malware Attacks Up, Ransomware Attacks Down in 2017, SonicWall Reports — eWeek

The News: eWeek offers a slideshow that visually explores findings of this year’s SonicWall Cyber Threat Report.

Quotable: “There were a lot of mixed signals in the cyber security attack landscape in 2017 …”

Ransomware decreasing in quantity but increasing in potency — SecurityBrief

The News: SecurityBrief reporter Ashton Young outlines the increase in ransomware variants.

Quotable: “The risks to business, privacy and related data grow by the day — so much so that cybersecurity is outranking some of the more traditional business risks and concerns,” says SonicWall CEO Bill Conner.


Cyber Security News

A New Mirai-style Botnet is Targeting the Financial Sector — ZDNet

  • Three financial sector institutions have become the latest victims of distributed denial-of-service (DDoS) attacks in recent months in what looks like an attack by the IoTroop botnet known to target financial firms.

Cyberattack Shows Vulnerability of Gas Pipeline Network — The New York Times

  • Last week’s attack on four of the nation’s natural-gas pipeline operators that temporarily shut down computer communications with customers shines a light on the potential vulnerability of the nation’s energy system.

Iranian Hackers Breach Singapore Universities to Access Research Data — ZDNET

  • Believed to be part of last month’s attacks against global education institutions, the hackers breached 52 accounts across four Singapore universities, including NTU and NUS, to gain access to research articles.

Equifax Taps Mark Begor as CEO Following Cyber Attack That Exposed Data for 148M Consumers — USA Today

  • New Equifax CEO named. Mark Begor to lead the credit reporting giant’s bid to recover from a cyber breach that exposed the personal data of 148 million consumers.

20 suspect hackers arrested over online banking fraud — ZDNet

  • On March 28, a series of arrests took place across Europe. In total, the raids resulted in the arrest of nine individuals from Romania and 11 in Italy, all of whom are remanded in custody.

In Case You Missed It


Upcoming Events & Webinars

April 25
Webinar
11 A.M. PDT
Stop Fileless Malware with SonicWall Capture Client
Register Now

April 16-20
RSA Conference
San Francisco
Moscone Center
Booth 4115, North Hall

Hackers Attack Websites with Ransomware – April 2018

Description
SonicWALL Threat Research Labs recently received reports of attackers targeting websites with ransomware. Attackers upload malicious PHP files onto the websites. These PHP files allow the attacker to encrypt the website's files and then extort money from the site's owner.

Once uploaded, the attacker connects to the ransomware via a web browser, as follows:

The attacker can then submit a complex encryption key to encrypt the site's content. This results in:

The malware overwrites the .htaccess file with the following contents:

#Bug7sec Team
DirectoryIndex shor7cut.php
ErrorDocument 404 /shor7cut.php

This redirects the website to the file shor7cut.php.

In addition, the ransomware traverses the directory tree searching for files to encrypt. File contents are encrypted using PHP's mcrypt functions, and each file is then renamed with the .shor7cut extension.
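The two on-disk traces described above, the rewritten .htaccess and the .shor7cut-renamed files, are what a site owner or incident responder would look for first. The following scanner is an added example written for this page, not SonicWall's or the attacker's code; it builds a constructed sample docroot in a temporary directory (using the .htaccess contents quoted above) and reports both indicators.

```python
"""Locate traces of the website ransomware described above: an .htaccess that
routes the index and every 404 to one PHP file, and files renamed with the
.shor7cut extension. Added example; the sample site tree is constructed."""
import os
import tempfile

RANSOM_EXTENSION = ".shor7cut"   # extension named in the write-up


def parse_htaccess(text):
    """Return (DirectoryIndex target, ErrorDocument 404 target); None when absent."""
    index = None
    not_found = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0].lower() == "directoryindex" and len(parts) > 1:
            index = parts[1]
        elif parts[0].lower() == "errordocument" and len(parts) > 2 and parts[1] == "404":
            not_found = parts[2]
    return index, not_found


def htaccess_redirects_to_single_php(text):
    """True when both the index and the 404 handler point at the same .php file,
    the pattern used to put the ransomware's own page in front of the site."""
    index, not_found = parse_htaccess(text)
    if not index or not not_found:
        return False
    return index.lower().endswith(".php") and os.path.basename(not_found) == index


def scan_site(root):
    """Walk a document root and collect hijacked .htaccess files and renamed files."""
    findings = {"hijacked_htaccess": [], "encrypted_files": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == ".htaccess":
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if htaccess_redirects_to_single_php(fh.read()):
                        findings["hijacked_htaccess"].append(os.path.relpath(path, root))
            elif name.lower().endswith(RANSOM_EXTENSION):
                findings["encrypted_files"].append(os.path.relpath(path, root))
    return findings


def build_sample_site():
    """Constructed sample: a docroot after the attack. The top-level .htaccess
    carries the directives quoted in the write-up; a subdirectory keeps a benign one."""
    root = tempfile.mkdtemp(prefix="site_")
    files = {
        ".htaccess": "#Bug7sec Team\nDirectoryIndex shor7cut.php\nErrorDocument 404 /shor7cut.php\n",
        "shor7cut.php": "placeholder, not the real file",
        "index.php.shor7cut": "ciphertext placeholder",
        "images/logo.png.shor7cut": "ciphertext placeholder",
        "images/.htaccess": "Options -Indexes\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    print(scan_site(build_sample_site()))
```

Because the check requires both directives to point at the same PHP file, an ordinary .htaccess that only sets DirectoryIndex or only customises a 404 page is not flagged.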

Once the malware is done encrypting, it sends an email to the attacker containing the encryption key used:

Once the site owner pays the ransom, the attacker goes back to the ransomware PHP page and chooses the “DeInfection” option:

After the appropriate key is entered, the ransomware restores the files:

SonicWALL Threat Research Team has the following signatures to protect customers from this type of attack:

  • GAV 17970: Ronggolawe.RSM
  • WAF 1669: Ronggolawe.RSM



SonicWall at RSA Conference 2018

The annual trek to the wind-swept hills of San Francisco is a long-standing tradition for many cyber security vendors and the packs of security pros who descend on the bay en masse. Yes, it’s already time for RSA Conference 2018.

SonicWall at RSA
April 16-19
Booth 4115, North Hall
Moscone Center
San Francisco

Not a group to break convention, SonicWall will once again be present at the Moscone Center, April 16-19, to actively discuss today’s cyber security challenges and how cyber attacks impact businesses and organizations of all sizes.

We encourage you to visit us at Booth 4115 in the North Expo Hall to explore the latest in security trends, threat intelligence and powerful cyber security solutions that help protect organizations in a fast-moving cyber arms race.

The booth will also feature the new SonicWall Security Center. We’ll show cyber attacks as they happen and illustrate the importance of real-time cyber threat intelligence and how it should empower the modern cyber security strategy.

Featured Presentation — Tuesday, April 17

This year’s conference will be highlighted by a presentation from John Gordineer, SonicWall’s Director of Product Marketing. His cornerstone session, “The 2018 Threat Landscape: What We Learned in 2017 and What You Need to Know,” will go inside SonicWall Capture Labs telemetry data from millions of sensors around the globe to provide insight into the advances being made by both security professionals and cyber criminals.

Be sure to stop into the presentation on Tuesday, April 17, at 3 p.m. PDT, in the North Hall Briefing Center.

Fake bitcoin?

What would RSA Conference be without some sort of spectacle on the expo floor? Each day at Booth 4115 we’ll have exclusive demos (more on those later), giveaways and even a magician. Yes, a magician. And he’s magnificent.

As is custom, we’ll also have SonicWall swag like power banks, webcam covers, pens, notebooks and even fake bitcoin. They do exist.

Expo Hours

Moscone Center, North Expo Hall | Booth 4115

Monday, April 16 | 5 p.m. – 7 p.m.
Tuesday, April 17 | 10 a.m. – 6 p.m.
Wednesday, April 18 | 10 a.m. – 6 p.m.
Thursday, April 19 | 10 a.m. – 3 p.m.

All Times PDT

Need help finding us? Just head to the North Hall and look for our awe-inspiring orange and black creatures. You can’t miss ‘em.

Helpful resources

Attend RSA Conference 2018 for Free

Want to experience the sights and sounds of RSA Conference 2018 but are short on cash? Use guest promo code X8SSONIC for free admission to the expo — compliments of SonicWall.

Samba LDAP Server Privilege Escalation

Description
Samba is a free software re-implementation of the SMB/CIFS networking protocol, providing file and print services for various Microsoft Windows clients. It can integrate with a Microsoft Windows Server domain, either as a Domain Controller (DC) or as a domain member. As of version 4, it supports Active Directory and Microsoft Windows NT domains.

Active Directory is a directory service used by Microsoft systems on Windows domain networks, in which Samba can provide user authentication services as the Active Directory Domain Controller (AD DC). To store user privilege information, an object called nTSecurityDescriptor is used.

A vulnerability exists in Samba because it mistakenly allows an nTSecurityDescriptor object carrying a dangerous privilege, the Change Password extended right, to be assigned to the group “Everyone” (SID S-1-1-0), which includes all authenticated users:

 aces: struct security_ace // Security Access Control Element (DACL)
 type : SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT (5)
 flags : 0x00 (0)
 0: SEC_ACE_FLAG_OBJECT_INHERIT
 0: SEC_ACE_FLAG_CONTAINER_INHERIT
 0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
 0: SEC_ACE_FLAG_INHERIT_ONLY
 0: SEC_ACE_FLAG_INHERITED_ACE
 0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
 0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
 0: SEC_ACE_FLAG_FAILED_ACCESS
 size : 0x0028 (40)
 access_mask : 0x00000100 (256)
 object : union security_ace_object_ctr(case 5)
 object: struct security_ace_object
 flags : 0x00000001 (1)
 1: SEC_ACE_OBJECT_TYPE_PRESENT
 0: SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT
 type : union security_ace_object_type(case 1)
 type : ab721a53-1e2f-11d0-9819-00aa0040529b // GUID for Change Password Extended Right
 inherited_type : union security_ace_object_inherited_type(case 0)
 trustee : S-1-1-0 // SID = "Everyone", causing the vulnerability

An authenticated user could reset the password of arbitrary users, causing a remote privilege escalation. Because changing the password requires the old password, this vulnerability cannot be exploited by an unauthenticated user.
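The ACE dump above is the structure form of what an administrator more often sees as an SDDL string: the same ACE reads (OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD), where OA is an access-allowed object ACE, CR is the control-access right (access_mask 0x100), the GUID is the Change Password extended right from the dump, and WD is the SDDL alias for Everyone (S-1-1-0). The audit below is an added example, not Samba's code or a SonicWall tool: it parses a constructed DACL and flags ACEs that grant that extended right to Everyone or Authenticated Users. The sample DACL, its trustee aliases and the Reset Password GUID used as a negative case are assumptions for the example; only the Change Password GUID and the S-1-1-0 SID come from the advisory.

```python
"""Audit a DACL in SDDL form for ACEs granting the Change Password extended
right to broad trustees. Added example; the SDDL string is constructed."""
import re

CHANGE_PASSWORD_GUID = "ab721a53-1e2f-11d0-9819-00aa0040529b"  # from the advisory above
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100  # access_mask bit behind the "CR" right

# SDDL aliases of the well-known SIDs that should not hold the right on other users.
BROAD_TRUSTEES = {
    "WD": "S-1-1-0",   # Everyone
    "AU": "S-1-5-11",  # Authenticated Users
}

# Constructed sample descriptor. Only the third ACE is the problematic one;
# "PS" (Principal Self) is the normal holder of Change Password on a user object,
# and the last GUID (User-Force-Change-Password, "Reset Password") is a different right.
SAMPLE_SDDL = (
    "O:DAG:DAD:"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)"
    "(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)"
    "(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;DA)"
)


def parse_dacl_aces(sddl):
    """Split the DACL portion of an SDDL string into 6-field ACE tuples:
    (type, flags, rights, object_guid, inherited_object_guid, trustee)."""
    body = sddl.split("D:", 1)[1]
    body = body.split("S:", 1)[0]          # drop a trailing SACL if present
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", body):
        fields = ace.split(";")
        if len(fields) >= 6:
            aces.append(tuple(fields[:6]))
    return aces


def grants_control_access(rights):
    """True if the rights field carries the control-access (extended right) bit,
    whether written as two-letter codes or as a hex mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16) & ADS_RIGHT_DS_CONTROL_ACCESS != 0
    return "CR" in {rights[i:i + 2] for i in range(0, len(rights), 2)}


def trustee_is_broad(trustee):
    return trustee in BROAD_TRUSTEES or trustee in BROAD_TRUSTEES.values()


def find_broad_change_password_aces(sddl):
    """Return the ACEs that hand the Change Password right to Everyone/Authenticated Users."""
    hits = []
    for ace_type, flags, rights, obj_guid, _inh_guid, trustee in parse_dacl_aces(sddl):
        if ace_type != "OA":               # only allow-object ACEs carry an extended-right GUID
            continue
        if obj_guid.lower() != CHANGE_PASSWORD_GUID:
            continue
        if grants_control_access(rights) and trustee_is_broad(trustee):
            hits.append({"trustee": trustee,
                         "sid": BROAD_TRUSTEES.get(trustee, trustee),
                         "rights": rights, "flags": flags})
    return hits


if __name__ == "__main__":
    for hit in find_broad_change_password_aces(SAMPLE_SDDL):
        print("Change Password right granted to", hit["trustee"], hit["sid"])
```

The check deliberately ignores the Principal Self ACE, since a user changing their own password with the old one is the intended use of this right; what the advisory describes is the same right held by S-1-1-0.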

SonicWall Capture Labs Threat Research team has developed the following signature to identify and stop the attacks:

  • IPS 13274: Samba LDAP Server Privilege Escalation



SonicWall RTDMI engine discovers malicious MS Office file containing Java RAT in the wild

Description
SonicWall RTDMI engine, as part of the SonicWall Capture ATP service, identified in real time a new malicious Microsoft Office document file embedded with a Java RAT (Remote Access Trojan). Among its previously announced detection capabilities, the SonicWall RTDMI engine can look inside multiple layers of packaging and obfuscation to find well-entrenched malware components in real time and provide unparalleled detection capabilities. The absence of this malicious file from popular malware search portals (VirusTotal or ReversingLabs) indicates how fresh the sample is in the wild and the effectiveness of RTDMI. The figure below was taken when we started analysis of this threat and found no results on VirusTotal:

Fig-1 : Virustotal results for the malicious file

On opening the Office document, it advises the victim to open the embedded OLE package to view the fake invoice. This fake invoice is actually a malicious JAR (Java Archive) file:

Fig-2 : Microsoft Office file

Upon further analysis, SonicWall Capture Labs threat researchers determined that the malicious JAR file belongs to the notorious Java RAT family called Adwind. If the system has a Java runtime installed, opening this JAR file triggers its malicious behaviour. On execution, it drops a copy of itself into the %temp% folder, drops a VBScript file, downloads password recovery and other spying tools from the internet into the %temp% folder and executes them. It then modifies the Windows registry to disable the various antivirus and security software that are installed. It also disables System Restore through the registry.

A few of the registry modifications are listed below:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
    • “DisableConfig”=dword:00000001
    • “DisableSR”=dword:00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe
    • “debugger”=”svchost.exe”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FProtTray.exe
    • “debugger”=”svchost.exe”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FortiClient.exe
    • “debugger”=”svchost.exe”
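The registry changes listed here, together with the LockCrypt Run entry and logon legal notice described earlier on this page, are all visible in an exported .reg file from an affected host. The scanner below is an added example written for this page, not a SonicWall tool: it parses a constructed .reg export and flags a Run entry that launches Notepad on a text note, LegalNoticeCaption/LegalNoticeText values, the System Restore disable values, and any "debugger" value under Image File Execution Options (which redirects launches of the named program). The key path assumed for the legal notice values, HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, is the standard Windows location and is not stated on the page.

```python
"""Scan a Windows .reg export for the persistence and defense-evasion keys
discussed on this page (LockCrypt's Run entry and logon notice; Adwind's
System Restore and IFEO changes). Added example; the export is constructed."""
import re
from collections import defaultdict

# Constructed sample in .reg export syntax (backslashes are doubled in that format).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"unlock"="c:\\Windows\\notepad.exe c:\\ReadMe.TxT"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"LegalNoticeCaption"="CONSTRUCTED SAMPLE CAPTION"
"LegalNoticeText"="CONSTRUCTED SAMPLE TEXT"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableConfig"=dword:00000001
"DisableSR"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe]
"debugger"="svchost.exe"
'''

RUN_SUFFIX = "\\Microsoft\\Windows\\CurrentVersion\\Run"
POLICY_SYSTEM_SUFFIX = "\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"  # assumed location
SYSRESTORE_SUFFIX = "\\Policies\\Microsoft\\Windows NT\\SystemRestore"
IFEO_PREFIX = "\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\"


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for a .reg export; quoted strings
    are unescaped, other value kinds (dword:..., hex:...) are kept as written."""
    keys = defaultdict(dict)
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        key_match = re.match(r"^\[(.+)\]$", line)
        if key_match:
            current = key_match.group(1)
            continue
        value_match = re.match(r'^"([^"]+)"=(.*)$', line)
        if value_match and current is not None:
            name, raw = value_match.group(1), value_match.group(2)
            if raw.startswith('"') and raw.endswith('"'):
                raw = raw[1:-1].replace("\\\\", "\\")
            keys[current][name] = raw
    return keys


def audit_registry(keys):
    """Return (finding_kind, key_path, name, value) tuples for the indicators above."""
    findings = []
    for path, values in keys.items():
        lower = path.lower()
        if lower.endswith(RUN_SUFFIX.lower()):
            for name, cmd in values.items():
                # A Run entry whose job is to show a text note is ransomware behaviour.
                if re.search(r"notepad\.exe\b.*\.txt", cmd, re.IGNORECASE):
                    findings.append(("ransom_note_autorun", path, name, cmd))
        elif lower.endswith(POLICY_SYSTEM_SUFFIX.lower()):
            for name in ("LegalNoticeCaption", "LegalNoticeText"):
                if values.get(name):
                    findings.append(("logon_legal_notice", path, name, values[name]))
        elif lower.endswith(SYSRESTORE_SUFFIX.lower()):
            for name in ("DisableSR", "DisableConfig"):
                if values.get(name) == "dword:00000001":
                    findings.append(("system_restore_disabled", path, name, values[name]))
        elif IFEO_PREFIX.lower() in lower:
            # A Debugger value under IFEO makes Windows start that program instead.
            for name, target in values.items():
                if name.lower() == "debugger":
                    exe = path.rsplit("\\", 1)[-1]
                    findings.append(("ifeo_debugger_hijack", path, exe, target))
    return findings


if __name__ == "__main__":
    for finding in audit_registry(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(*finding)
```

A legitimate OneDrive Run entry in the same key is left alone, and a LegalNotice value is reported rather than judged, since some organisations set a logon banner deliberately.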


Indicators of Compromise:

  • e8a3e9178d871b89db608615f663f7b09d6bad78421c3e1ce95c6776ed4df239 : Malicious Document File
  • f1d0a8c11e4eed1165e9434c1dff914cf9c7baf5be1f528d026ee0f683f1ce26 : Malicious Java JRat File

Evidence of the detection by RTDMI engine can be seen below in the Capture ATP report for this file:

How to Use Threat Intelligence to Stop Cyber Attacks

To proactively protect networks and data in today’s fast-moving cyber arms race, organizations must be able to collect, analyze and apply threat intelligence to make smart and agile security decisions.

For some organizations, this is part of everyday life — even if it’s still increasingly difficult. For others, it’s just not possible based on company size, expertise, budget or any number of challenging factors.

SonicWall wants each and every organization to know what they’re up against. We’ve discussed the enhanced SonicWall Security Center, but it’s important for organizations to realize that it includes real-time Threat Meters that provide actionable cyber threat intelligence that may be leveraged to better protect their business.

The SonicWall Threat Meters offer a graphical view of the worldwide attacks over the last 24 hours, countries being attacked and geographic attack origins. This complimentary tool helps accurately illustrate the pace and speed of the cyber arms race.

Within the SonicWall Security Center, the highly interactive threat meters provide real-time threat intelligence about today’s most critical attack trends. This includes attack data about:

Knowing the cyber threats — in real time

But identifying the attacks isn’t the only value here. Understanding what’s at risk and what is being mitigated is unmistakably valuable for organizations of all types. For example, did you know that in February 2018 alone, the average SonicWall customer faced the following:

  • 2,510 malware attacks, a month-over-month increase of 138 percent
  • 45 ransomware attacks, a month-over-month increase of 122 percent
  • 169 encrypted cyber attacks, a month-over-month increase of 125 percent
  • 715 new attack variants per business day, a month-over-month increase of 43 percent
  • 11 phishing attacks per day

Security Center Malware Map

How to stop cyber attacks

Organizations should leverage this threat intelligence to implement a security strategy that delivers automated, real-time breach detection and protection. This can be achieved via an integrated suite of cyber security controls that include next-generation firewalls, cloud sandbox, email security, remote access solutions, SSL and TLS deep packet inspection, and security management and reporting capabilities.

SonicWall is ready to help you design and deploy a security strategy that matches the business objectives, size and budgets of your organization. Connect with a SonicWall security expert, or an authorized SonicWall partner, to get started.

See Real-Time Threat Intelligence

Did you know you can improve your security posture by knowing what attacks are most likely to target your organization? Visit the SonicWall Security Center to see the latest attack trends, types and volume across the world.

UselessDisk: A fake ransomware bootlocker

Description

The SonicWall Capture Labs Threat Research Team has come across a fake ransomware Trojan that functions as a bootlocker. It is named UselessDisk because of the debugging symbols and project name strings that the developer left in the executable file. Its aim is simple: render the system unbootable, pretend that files on the system have been encrypted, and ask for $300 USD in bitcoin for file recovery.

Infection Cycle:

Upon running the malware, it quickly reboots the machine and displays the following message:

Usually the process of encrypting files takes at least a few seconds, so we were suspicious when this malware claimed to have finished almost instantly. We doubted whether any encryption was taking place at all. Running the malware through a debugger and analysing its behavior confirmed this doubt.

The Trojan is, quite simply, a boot locker. Its first step is to acquire direct access to the physical drive by using the CreateFileA API to open “\\.\PHYSICALDRIVE0”. It also attempts to lock the volume for exclusive access to the drive by using the IO control code FSCTL_UNLOCK_VOLUME with the DeviceIoControl API call:

These calls only succeed if the Trojan is run with administrator privileges. If the above calls return successfully, the Trojan then calls WriteFile to overwrite the MBR (Master Boot Record):

This causes the above message to be shown on the screen at boot time and renders the operating system unbootable.

Once the MBR has been overwritten, the Trojan unlocks the volume then uses WinExec to run the shutdown command with arguments to reboot the system immediately:

There are no other file or encryption API functions present in the malware executable.
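Because this Trojan touches only the first sector of the disk, the defender-side check that catches it is an integrity comparison of the MBR against a baseline recorded when the machine was known good. The code below is an added example written for this page, not SonicWall's or the malware's code: it parses a 512-byte sector (bootstrap area, four partition entries, 0x55AA signature) and reports what changed between a baseline sector and the sector as read now. Both sectors are constructed in memory; nothing is read from a real disk, and the "tampered" sector only swaps the bootstrap bytes for a text placeholder to stand in for the locker's message.

```python
"""Parse an MBR sector and compare it with a known-good baseline. Added example;
both sectors are constructed in memory."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445: bootstrap code the BIOS executes
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def parse_mbr(sector):
    """Return bootstrap hash, non-empty partition entries and signature status."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * i
        # status, 3 CHS-start bytes, type, 3 CHS-end bytes, LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, offset)
        if ptype != 0:
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def mbr_tampered(current, baseline):
    """List the differences between the sector read now and the recorded baseline.
    An empty list means the MBR is unchanged."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    reasons = []
    if not cur["signature_ok"]:
        reasons.append("boot signature missing")
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        reasons.append("bootstrap code changed")
    if cur["partitions"] != base["partitions"]:
        reasons.append("partition table changed")
    return reasons


def build_baseline_mbr():
    """Constructed clean sector: stub boot code and one bootable NTFS-type partition."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xeb\x3c\x90"   # arbitrary stub bytes standing in for real boot code
    struct.pack_into("<B3xB3xII", sector, PARTITION_TABLE_OFFSET, 0x80, 0x07, 2048, 204800)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def build_tampered_mbr(baseline):
    """Constructed 'after' sector: bootstrap area replaced by a text placeholder,
    partition table and signature left intact, as a locker that only displays a
    message would leave them."""
    sector = bytearray(baseline)
    sector[:BOOT_CODE_SIZE] = b"CONSTRUCTED SAMPLE: files locked".ljust(BOOT_CODE_SIZE, b"\x00")
    return bytes(sector)


if __name__ == "__main__":
    base = build_baseline_mbr()
    print("clean:", mbr_tampered(base, base))
    print("tampered:", mbr_tampered(build_tampered_mbr(base), base))
```

Note that the tampered sector still carries a valid 0x55AA signature and an intact partition table, so a check that only validates the signature would pass it; the hash of the bootstrap area is what exposes the overwrite. On a live Windows host the current sector would be read from \\.\PHYSICALDRIVE0 with administrator rights, which is exactly the access the Trojan itself needs.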

The Trojan is unlikely to be lucrative. The bitcoin address (1GZCw453MzQr8V2VAgJpRmKBYRDUJ8kzco) has received no transactions yet at the time of writing this alert:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: UselessDisk.RSM (Trojan)



Phishing Emails: The Spear of the Cyber Attack

As we know, email is the most popular attack vector used by threat actors to carry out targeted cyber attacks. In fact, more than 90 percent of cyber attacks start with a phishing email campaign. It is the easiest way for a cyber criminal to enter a network and execute tactics to accomplish an objective — be it data exfiltration, delivering a malicious payload or phishing for credentials.

Using social engineering, the tactics of accomplishing these objectives are highly sophisticated and targeted. Email is a primary collaborative tool to share documents, such as PDFs and Microsoft Word files, and URLs that could be weaponized with malware. Logically, phishing has evolved with this user behavior.

How email attachments are weaponized

File attachments, such as Microsoft Word documents and Adobe PDFs, have the ability to include embedded URLs, macros and scripts. This makes it possible for these files to work as executable malware. These malicious file attachments are used as delivery vehicles for ransomware and other zero-day threats. Here are some of the most popular methods files can be weaponized:

Embedded macros and scripts that hide malicious payloads
First, attackers embed a macro that obfuscates malicious payloads in the document. They then use personal information gathered through social engineering to mislead the user into enabling the macro content to run and infect the victim’s computer. These exploits take advantage of software vulnerabilities and then launch the intended payload to infect the computer.

Embedded macros and scripts that download malware from external sites
Documents can also be embedded with scripts that call external Command & Control (C&C) servers or websites to download malware inconspicuously. Often, these downloaded payloads take the form of ransomware, trojans, infostealers or botnets that make your system part of the malicious networks that carry out attacks on behalf of cyber criminals.

Fake attachments and embedded links
In some cases, attackers send documents or fake attachments, such as a PDF or a Word file, with embedded URLs. After clicking on the URL, the victim is redirected to a sign-in page that looks and feels authentic. These sign-in pages are well crafted and designed to deceive even educated users. Unsuspecting victims often fall prey by entering their credentials into the sign-in page.

High-profile phishing attacks

Google, January 2017
This phishing scam targeting Google users was clever and deceiving. Victims received an email that seemed to come from a familiar contact. The email included a legitimate file attachment that looked like a PDF or Word document. But the attachment was, in fact, an image with an embedded URL. Victims who clicked the attachment for a preview were redirected to a well-designed Google sign-in page that looked authentic. The fake page prompted the victim to enter credentials that enabled the cyber criminals to compromise the user’s Google account.

DocuSign, May 2017
A company that provides digital document-signature services, DocuSign, was the victim of a targeted phishing campaign. Users received an email that appeared to come from DocuSign and included a “Review Document” link. Once the link was clicked, a weaponized Word document with an embedded malicious macro was downloaded. When the user enabled the content, the macro called a C&C server to stealthily download a malware payload onto the victim’s computer.

Netflix, November 2017
Toward the end of last year, Netflix made the headlines for all the wrong reasons. A successful and sophisticated phishing campaign targeted the streaming service’s subscribers. This attack did not include any file attachments. Instead, attackers crafted a personalized email informing subscribers that their account was suspended. They were asked to take action by clicking on a fake link that redirected them to a well-designed web page built to collect credentials and credit card information.

Pyeongchang Olympics, January 2018
The 2018 Winter Olympics in Pyeongchang, South Korea, was one of the first victims of 2018, hit by a deadly, targeted spear-phishing attack. Appearing to be sent by the National Counter-Terrorism Center (NCTC), the email included an attachment: a malicious Microsoft Word document with the original file name 농식품부, 평창 동계올림픽 대비 축산악취 방지대책 관련기관 회의 개최.doc (“Organized by Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics”). This spear-phishing campaign’s objective was to establish back doors into the networks once the victim opened the Microsoft Word document attachment.

How to stop phishing and other email attacks

Email security is no longer just about blocking mass spam and phishing campaigns. The above incidents indicate the evolution of how cyber criminals use email as a threat vector, and how they use the versatility of PDFs and Microsoft documents to their advantage.

These are advanced email threats that are carefully planned and highly targeted attacks. Traditional anti-spam and signature-based anti-malware simply cannot stop these attacks.

A multi-layered security approach provides the best defense against these email threats. The layers should include advanced threat protection features, such as sandbox analysis for email file attachments and embedded URLs, and email authentication technologies such as SPF, DKIM and DMARC.

It is also true that not all sandboxes offer equal protection. The cloud-based SonicWall Capture Advanced Threat Protection (ATP) service blocks the most evasive malware with its multi-engine approach.

Capture ATP now includes the recently announced, patent-pending Real-Time Deep Memory Inspection (RTDMI™) technology. RTDMI blocks malware that does not exhibit any malicious behavior or hides its weaponry via encryption.

By forcing malware to reveal its weaponry in memory, the RTDMI engine proactively blocks mass-market, zero-day threats and unknown malware utilizing real-time memory-based inspection techniques. This means, by design, RTDMI can sniff out malware obfuscated within PDF files and Microsoft Office documents by threat actors.

With high performance, fast scan times and block-until-verdict capability, Capture ATP offers comprehensive protection against advanced cyber threats.

To learn more about our analysis of the cyber arms race, and what you can expect in 2018, download a complimentary copy of the 2018 SonicWall Cyber Threat Report.

Download the 2018 SonicWall Cyber Threat Report

The cyber arms race is a challenge we face together. And it’s the core reason we’re committed to passing our findings, intelligence, analysis and research to the global public via the SonicWall 2018 Cyber Threat Report.