Microsoft Security Bulletin Coverage for January 2018

SonicWall has analyzed and addressed Microsoft’s security advisories for the month of January, 2018. A list of the issues reported, along with SonicWall coverage information, follows:

  • CVE-2018-0741 Microsoft Color Management Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0743 Windows Subsystem for Linux Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0744 Windows Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0745 Windows Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0746 Windows Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0747 Windows Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0748 Windows Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0749 SMB Server Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0750 Windows GDI Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0751 Windows Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0752 Windows Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0753 Windows IPSec Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0754 OpenType Font Driver Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0758 Scripting Engine Memory Corruption Vulnerability
    IPS:13155 Scripting Engine Memory Corruption Vulnerability (JAN 18) 1

  • CVE-2018-0762 Scripting Engine Memory Corruption Vulnerability
    IPS:13156 Scripting Engine Memory Corruption Vulnerability (JAN 18) 2

  • CVE-2018-0764 .NET and .NET Core Denial Of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0766 Microsoft Edge Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0767 Scripting Engine Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0768 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0769 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0770 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0772 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0773 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0774 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0775 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0776 Scripting Engine Memory Corruption Vulnerability
    IPS:13157 Scripting Engine Memory Corruption Vulnerability (JAN 18) 3

  • CVE-2018-0777 Scripting Engine Memory Corruption Vulnerability
    IPS:13158 Scripting Engine Memory Corruption Vulnerability (JAN 18) 4

  • CVE-2018-0778 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0780 Scripting Engine Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0781 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0784 ASP.NET Core Elevation Of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0785 ASP.NET Core Cross Site Request Forgery Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0786 .NET Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0787 ASP.NET Core Elevation Of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0788 OpenType Font Driver Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0789 Microsoft SharePoint Cross Site Scripting Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0790 Microsoft SharePoint Cross Site Scripting Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0791 Microsoft Outlook Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0792 Microsoft Word Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0793 Microsoft Outlook Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0794 Microsoft Word Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0795 Microsoft Office Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0796 Microsoft Excel Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0797 Microsoft Word Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0798 Microsoft Office Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0799 Microsoft Access Tampering Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0800 Scripting Engine Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0801 Microsoft Office Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0802 Microsoft Office Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0803 Microsoft Edge Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0804 Microsoft Word Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0805 Microsoft Word Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0806 Microsoft Word Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0807 Microsoft Word Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0808 ASP.NET Core Denial Of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0812 Microsoft Word Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0818 Scripting Engine Security Feature Bypass
    There are no known exploits in the wild.
  • CVE-2018-0819 Spoofing Vulnerability in Microsoft Office for MAC
    There are no known exploits in the wild.

Adobe vulnerabilities:

APSB18-01 Security updates for Adobe Flash Player:

  • CVE-2018-4871 Adobe Flash Player Information Disclosure Vulnerability
    SPY:5055 Malformed-File atf.MP.2

8 Cyber Security Predictions for 2018

In preparation for the upcoming publication of the 2018 Annual SonicWall Threat Report, we’re busy reviewing and analyzing data trends identified by SonicWall Capture Labs over the course of 2017.

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from more than 1 million sensors around the world, performs rigorous testing and evaluation, establishes reputation scores for email senders and content, and identifies new threats in real-time.

With the New Year, it’s appropriate to recap last year’s trends, and offer a few preliminary insights into noteworthy trends we expect to see in 2018.

Ransomware will persist, evolve

Ransomware will continue to be the malware of choice. It has never been easier to make your own ransomware. With the rise of ransomware-as-a-service, even the most novice developer can create their own ransomware. As long as cybercriminals see the potential to make enough in ransom to cover the costs of development, we will continue to see an increase in variants.

However, an increase in variants does not mean an increase in successful attacks, which we will explore in detail in the 2018 Annual Cyber Threat Report.

SSL, TLS encryption will hide more attacks

For the first time, Capture Labs will publish real metrics on the volume of attacks uncovered inside encrypted web traffic. At the same time, the percentage of organizations that have deployed deep-packet inspection of encrypted threats (DPI-SSL/TLS) remains alarmingly low.

In the year ahead, we expect there will be more encrypted traffic being served online, but unencrypted traffic will remain for most public services. More sophisticated malware using encrypted traffic will be seen in cyberattacks.

In response, we expect more organizations will enable traffic decryption and inspection methods into their network security infrastructure. This expanded deployment of DPI-SSL/TLS will rely in part on the success of solution providers reducing deployment complexity and cost to lower operating expense.

Cryptocurrency cybercrime expected to be on the rise

Due to the rapid rise in cryptocurrency valuations, more cryptocurrency mining and related cybercrime is expected in the near future. Attackers will be exploring more avenues to use victims’ CPUs for cryptocurrency mining, and cryptocurrency exchanges and mining operations will remain targets for cyber theft.

UPDATE: On Jan. 8, SonicWall Capture Labs discovered a new malware that leverages Android devices to maliciously mine for cryptocurrency.

IoT will grow as a threat vector

As more devices connect to the internet, we expect to see more compromises of IoT devices. DDoS attacks via compromised IoT devices will continue to be a main threat for IoT attacks. We also expect to see an increase in information and intellectual property theft leveraging IoT, as the capabilities of IoT devices have improved considerably, making IoT a richer target (e.g., video data, financial data, health data, etc.). The threat of botnets will also loom large with so many devices being publicly exposed and connected to one another, including infrastructure systems, home devices and vehicles.

Android is still a primary target on mobile devices

Android attacks are both increasing and evolving, such as with recently discovered malware. Earlier ransomware threats used to simply cover the entire screen with a custom message, but now more are completely encrypting the device — some even resetting the lock screen security PIN. Overlay malware is very stealthy. It shows an overlay on top of the screen with contents designed to steal victims’ data, such as user credentials or credit card data. We expect more of these attacks in 2018.

Apple is on the cybercrime radar

While rarely making headlines, Apple operating systems are not immune to attack. While the platform may see fewer attacks relative to other operating systems, it is still being targeted. We have seen increases in attacks on Apple platforms, including Apple TV. In the year ahead, macOS and iOS users may increasingly become victims of their own unwarranted complacency.

Adobe isn’t out of the woods

Adobe Flash vulnerability attacks will continue to decrease with wider implementation of HTML5. However, trends indicate an increase in attacks targeting other Adobe applications, such as Acrobat. There are signs that hackers will more widely leverage Adobe PDF files (as well as Microsoft Office file formats) in their attacks.

Defense-in-depth will continue to matter

Make no mistake: Layered defenses will continue to be important. While malware evolves, much of it often leverages traditional attack methods.

For example, WannaCry may be relatively new, but it leverages traditional exploit technology, making patching as important as ever. Traditional email-based threats, such as spear-phishing, will continue to become more sophisticated to evade human and security system detection. Cloud security will continue to grow in relevance, as more business data becomes stored in the data centers and both profit-driven cybercriminals and nation-states increasingly focus on theft of sensitive intellectual property.

Conclusion

When gazing into our crystal ball, we’re reminded that the only thing certain is change. Look for more detailed data in our soon-to-be-published 2018 SonicWall Annual Threat Report.

Sudden surge in Android miner malware observed

The SonicWall Threats Research team observed a sudden spike in Android apps with hidden crypto-miner functionality. Such apps masquerade as legitimate apps – such as games, music or video apps – but in the background they start mining cryptocurrency using the resources of the infected victim’s hardware.

Malicious Android apps with mining capability have existed for some time, but we saw a sudden surge in such apps on January 8, 2018. With the recent popularity of cryptocurrencies like Bitcoin, Ethereum and Ripple, the rise in such malware apps is not surprising.


Infection Cycle

The only permission requested by the app is Internet access. This is an extremely common permission used by most Android apps, so on the basis of permissions alone it is difficult to flag this app as malicious.

Crypto Mining

The cryptocurrency mining script resides in the Assets folder as engine.html. This script contains the functions to start and stop the mining:

The app starts a service – CoinHiveIntentService – which monitors, starts and stops the crypto-mining on the infected device.

Malware installer

One of the links displayed in the app after startup is a redirector to install more malicious apps:

As shown above, this site is already being flagged as malicious.

We observed a sharp rise in miner samples on January 8, 2018. The following are common among these samples:

  • The code structure
  • Certificate thumbprint/serial number
  • Miner service – CoinHiveIntentService
  • Hardcoded domain – hxxp://lp.androidapk.world/?appid=


Sonicwall Capture Labs provides protection against this threat with the following signatures:

  • GAV: AndroidOS.MoneroMiner.MNR (Trojan)
  • GAV: AndroidOS.CoinHack.MNR (Trojan)

A few of the Android samples that we observed as part of the surge:

  • com.gamehivecorp.kicktheboss2r.hack.apk
  • com.bennettracingsimulations.dirttrackin.hack
  • com.atari.mobile.rctc.hack
  • com.astragon.cs2014.hack
  • com.aspyr.swkotor.hack
  • com.and.games505.TerrariaPaid.hack
  • com.amazon.mShop.android.shopping.hack
  • com.activision.boz.hack
  • com.abtnprojects.ambatana.hack

Update 1

Once the miner app starts, the CPU usage on the device increases almost reaching 100% utilization. This app however did not heat up the phone similar to another mining app that we covered earlier.

Genasom Ransomware operator requests remote access for fix

The SonicWall Capture Labs Threat Research Team has conducted an experimental dialog similar to our previous PayDay ransomware SonicAlert. This time we look at a ransomware threat known as Genasom where the operators use email to communicate and negotiate payment with their victims. In this case the operator wanted direct access to the infected machine in order to “fix” the problem after which a small donation is requested (according to them).

 

Infection cycle:

The Trojan uses the following icon:

 

The Trojan drops the following files onto the system:

  • %APPDATA%\BC0DD974EC.exe [Detected as GAV: Genasom.RSM_2 (Trojan)]
  • _HELP_INSTRUCTION.TXT (in every directory containing encrypted files)

 

The Trojan adds the following keys to the registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 00FF0DD974EC {original run location}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run BC0DD974EC %APPDATA%\BC0DD974EC.exe

 

_HELP_INSTRUCTION.TXT contains the following text:

    Hello!
    Attention! All Your data was encrypted!
    For specific informartion, please send us an email with Your ID number:
    serverup@keemail.me
    serverup@protonmail.com
    serverup1@yandex.com
    serverup3@yandex.com
    ann.c@iname.com
    Please send email to all email addresses! We will help You as soon as possible!
    DECRYPT-ID-6f179b9f-7506-4075-beea-5791809b6c04 number
    IMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!

 

From here the victim is left with no choice but to contact the operators via email. The following is a short conversation we had with the operator:

 

We do not know what is behind this ‘good will’ scheme but would advise infected users never to take the bait. The operator will most likely cause more harm than good once granted access. This could range from installing further malware and snooping on other machines within the network to launching DDoS attacks from the infected machine.

 

Sounds too good to be true and probably is.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Genasom.RSM (Trojan)
  • GAV: Genasom.RSM_2 (Trojan)
  • GAV: Genasom.A_16 (Trojan)
  • GAV: Genasom.A_17 (Trojan)
  • GAV: Genasom.A_18 (Trojan)
  • GAV: Genasom.A_19 (Trojan)
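The two artifacts this post gives an incident responder, the Run-key persistence pair and the ransom note, are easy to triage automatically. The following Python is an added example (not SonicWall's tooling): it parses a reconstructed copy of _HELP_INSTRUCTION.TXT for the contact addresses and the DECRYPT-ID, and flags Run entries that follow the naming pattern seen above. The Run listing, the benign OneDrive entry and the "original run location" path are constructed; the suffix-matching rule is a heuristic derived only from the two value names the post lists.

```python
import re

# Constructed reproduction of the _HELP_INSTRUCTION.TXT text quoted in the post, one item per
# line (the page shows it run together).
SAMPLE_NOTE = """Hello!
Attention! All Your data was encrypted!
For specific informartion, please send us an email with Your ID number:
serverup@keemail.me
serverup@protonmail.com
serverup1@yandex.com
serverup3@yandex.com
ann.c@iname.com
Please send email to all email addresses! We will help You as soon as possible!
DECRYPT-ID-6f179b9f-7506-4075-beea-5791809b6c04 number
IMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!
"""

# Constructed HKCU\...\Run listing as (value name, data): the two entries the post describes
# plus a benign one. The "original run location" path is made up.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("00FF0DD974EC", r"C:\Users\victim\Downloads\invoice.exe"),
    ("BC0DD974EC", r"%APPDATA%\BC0DD974EC.exe"),
]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
DECRYPT_ID_RE = re.compile(r"DECRYPT-ID-([0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})")
HEX_NAME_RE = re.compile(r"^[0-9A-F]{10,12}$")
# Data pointing at a hex-named .exe dropped directly under %APPDATA%, as in the post.
APPDATA_DROP_RE = re.compile(r"^%APPDATA%\\([0-9A-F]{10,12})\.exe$", re.IGNORECASE)


def parse_ransom_note(text):
    """Extract the contact addresses and the victim's DECRYPT-ID for the incident record."""
    emails = sorted(set(EMAIL_RE.findall(text)))
    m = DECRYPT_ID_RE.search(text)
    return {"emails": emails, "decrypt_id": m.group(1) if m else None}


def flag_run_entries(entries):
    """Return the names of Run entries matching the Genasom persistence pattern.

    Heuristic built from the two names in the post: the dropped-file entry (a hex name whose
    data is %APPDATA%\\<same hex>.exe) plus any other hex-named entry sharing its last eight
    hex characters (the entry that records the original run location).
    """
    flagged, stems = [], []
    for name, data in entries:
        m = APPDATA_DROP_RE.match(data.strip())
        if m and m.group(1).upper() == name.upper():
            flagged.append(name)
            stems.append(name.upper()[-8:])
    for name, _ in entries:
        if name in flagged or not HEX_NAME_RE.match(name):
            continue
        if any(name.upper().endswith(s) for s in stems):
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    print(parse_ransom_note(SAMPLE_NOTE))
    print(flag_run_entries(SAMPLE_RUN_ENTRIES))
```

On a live host the Run listing would come from `reg query` output or a forensic registry parser; the functions only need the (name, data) pairs.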

How to Hide a Sandbox: The Art of Outfoxing Advanced Cyber Threats

Malware often incorporates advanced techniques to evade analysis and discovery by firewalls and sandboxes. When malware sees evidence that dynamic analysis is occurring, it can invoke different techniques to evade analysis, such as mimicking the behavior of harmless files that are typically ignored by threat detection systems.

Traditional sandboxing approaches that signal their own presence — for example, by instrumenting underlying virtual machines (VM) to intercept malicious function calls — make the analysis environment visible. This can trigger an action by malware to conceal itself.

Because of the increased focus by malware authors on developing evasion tactics, it is important to apply a multi-disciplinary approach to analyzing suspicious code, especially for detecting and analyzing ransomware and malware that attempt credential theft.

SonicWall’s award-winning Capture Advanced Threat Protection (ATP) multi-engine sandbox platform efficiently discovers what code wants to do from the application, to the OS, to the software that resides on the hardware. In fact, SonicWall formed a partnership with VMRay to leverage their agentless hypervisor-level analysis technology as one of the three powerful Capture ATP engines. The VMRay technology executes suspicious code, analyzes changes within the memory of a system to detect malicious activity, while resisting evasion tactics and maximizing zero-day threat detection.

How VMRay enhances Capture ATP

VMRay brings an agentless hypervisor-based approach to dynamic malware analysis. The hypervisor is the underlying computing platform that creates, runs and manages virtual machines on the underlying hardware. Most sandboxing solutions use a hypervisor as a launch pad for either the emulators or virtual machines that are hooked and monitored.

Figure 1 VMRay runs as part of the hypervisor on top of the host OS

VMRay takes a different approach to sandbox analysis by monitoring the activity of the target machine, entirely from the outside, using Virtual Machine Introspection (VMI). VMRay combines CPU hardware virtualization extensions with an innovative monitoring concept called Intermodular Transition Monitoring (ITM) to deliver agentless monitoring of VMs running a native OS without emulation or hooking (to avoid being detected by advanced malware). VMRay runs as part of the hypervisor on top of the host OS, which, in turn, is running on bare metal.

Because VMs in the sandbox aren’t instrumented, threats execute as they would in the wild, and the analysis is invisible — even to the most evasive strains of malware.

VMRay’s agentless hypervisor-based approach provides four key benefits to the SonicWall Capture ATP cloud service:

  • Resistance to evasive malware
  • Detailed analysis results
  • Extraction of IOCs
  • Real-time, high-volume detection

To learn more about these benefits in greater detail, read the Solution Brief: Five Best Practices for Advanced Threat Protection.

Meltdown and Spectre: The Intel chip vulnerability Introduction and Assessment

The vulnerability

Meltdown and Spectre are a series of critical vulnerabilities that lead to sensitive information disclosure from an operating system, caused by a fundamental design flaw in Intel’s processors.

On Jan 3, Google Project Zero disclosed the vulnerabilities, covered by Vulnerability Note VU#584653, “CPU hardware vulnerable to side-channel attacks”.

A PoC has already been published on GitHub.

How big is the threat?

A successful exploit of this vulnerability allows an attacker to access sensitive information inside protected memory regions. Such information may include passwords, emails and documents. This data is most likely to appear in plaintext in memory while being processed by the OS and applications, because OS-level memory isolation is usually considered trustworthy. This time, it broke.

There are two approaches of exploiting the vulnerabilities.

Meltdown – “User level attacks Kernel level”: A malicious, unprivileged user-level application could access OS kernel-mode memory due to a failed boundary check. Related vulnerability: CVE-2017-5754

Spectre – “User level attacks User level”: A malicious user-level application reads the memory of another running user-level application due to a bug in the CPU’s speculative execution feature. Related vulnerabilities: CVE-2017-5753, CVE-2017-5715

The attack surface exists on both the client side and the server side. Possible attack scenarios include attacking cloud-based shared hosting, attacking the client side with web-based JavaScript, and using the flaw as a supporting step in a memory corruption exploit to bypass kernel-level ASLR protection.

Besides the proof-of-concept code on GitHub, researchers have demonstrated leaking kernel memory.

One lucky thing is that attacks on this vulnerability would be “passive” and “read-only”, compared to an actively exploited RCE vulnerability.

Am I affected?

The answer is most likely to be Yes –

  • The chip vendors Intel, AMD and ARM are affected.
  • Windows, Linux (Android included) and macOS are affected
  • Cloud service vendors such as AWS and AliCloud are affected

Microsoft has also released a PowerShell script to detect whether a Windows system is affected here.
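The post points to Microsoft's PowerShell script for Windows. As an added example that is not from the post, here is the Linux-side equivalent in Python: it reads the sysfs interface that kernels carrying the mitigations expose (/sys/devices/system/cpu/vulnerabilities, present since kernel 4.15 and in distribution backports) and maps the three entries onto the CVEs named above. The sysfs path and the status line formats are the kernel's own; the verdict labels and the sample status dictionary are this example's.

```python
import os

# Directory that Linux kernels with the Meltdown/Spectre mitigations expose (4.15 and
# distribution backports); kernels that predate the fixes do not have it at all.
SYSFS_VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"

# sysfs entry -> CVE, as named in the post.
CVE_BY_ENTRY = {
    "meltdown": "CVE-2017-5754",
    "spectre_v1": "CVE-2017-5753",
    "spectre_v2": "CVE-2017-5715",
}


def read_status(vuln_dir=SYSFS_VULN_DIR):
    """Read the raw kernel status strings; returns {} when the interface is absent."""
    status = {}
    if not os.path.isdir(vuln_dir):
        return status
    for entry in CVE_BY_ENTRY:
        path = os.path.join(vuln_dir, entry)
        if os.path.isfile(path):
            with open(path, encoding="utf-8") as fh:
                status[entry] = fh.read().strip()
    return status


def classify(raw):
    """Collapse the kernel's free-text status line into one of four verdicts.

    Real lines look like 'Not affected', 'Vulnerable', 'Mitigation: PTI' or
    'Vulnerable: Minimal generic ASM retpoline'.
    """
    if raw is None:
        return "unknown"        # no entry: the kernel is too old to report, treat as unpatched
    if raw.startswith("Not affected"):
        return "not_affected"
    if raw.startswith("Mitigation:"):
        return "mitigated"
    if raw.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def assess(status):
    """Map each CVE from the post to a verdict, given the raw status dict."""
    return {cve: classify(status.get(entry)) for entry, cve in CVE_BY_ENTRY.items()}


def needs_action(status):
    """True when any of the three CVEs is not confirmed mitigated or not affected."""
    return any(v in ("vulnerable", "unknown") for v in assess(status).values())


if __name__ == "__main__":
    live = read_status()
    for cve, verdict in assess(live).items():
        print(cve, verdict)
    print("action needed:", needs_action(live))
```

Treating a missing entry as "unknown" rather than "clean" is deliberate: a kernel that cannot report on these CVEs is one that predates the fixes.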

How can I get protected?

Patching this vulnerability is more difficult than usual: it happens at the hardware level and affects multiple platforms, including various versions of mobile and IoT devices. The current patches on Linux and Windows incur a 5-30% performance hit on Intel products.

Please keep up to date with newly released patches and apply them when available, or confirm with your service provider that they have applied the latest patch. Big vendors are already giving feedback about their patching status:

  • VMware:
    https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html
  • AMD:
    https://www.amd.com/en/corporate/speculative-execution
  • Red Hat:
    https://access.redhat.com/security/vulnerabilities/speculativeexecution
  • Nvidia:
    https://forums.geforce.com/default/topic/1033210/nvidias-response-to-speculative-side-channels-cve-2017-5753-cve-2017-5715-and-cve-2017-5754/
  • Xen:
    https://xenbits.xen.org/xsa/advisory-254.html
  • ARM:
    https://developer.arm.com/support/security-update
  • Amazon:
    https://aws.amazon.com/de/security/security-bulletins/AWS-2018-013/
  • Mozilla:
    https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/

For SonicWall users:

Meltdown and Spectre are side-channel attacks at the memory level, which won’t leave logs like other exploits targeting specific services. The attacks and the malware carrying them can, however, still be detected and intercepted in network traffic.

The SonicWall Capture Labs Threat Research team keeps monitoring newly emerging exploits and malware for this vulnerability. The following signatures have already been developed to identify and stop the attacks:

  • GAV: Exploit.Spectre.A
  • IPS 13149: Suspicious Javascript Code (Speculative Execution)
  • WAF 1673: Suspicious Javascript Code (Speculative Execution)

Reference:

  • [1] Meltdown and Spectre https://meltdownattack.com/
  • [2] Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/
  • [3] Vulnerability Note VU#584653 https://www.kb.cert.org/vuls/id/584653
  • [4] Meltdown and Spectre analysis from Antiylab http://www.freebuf.com/vuls/159269.html
  • [5] We translated Intel’s crap attempt to spin its way out of CPU security bug PR nightmare http://www.theregister.co.uk/2018/01/04/intel_meltdown_spectre_bugs_the_registers_annotations/

EMC Data Protection Advisor authentication bypass vulnerability

EMC Data Protection Advisor is data protection management software that unifies and automates monitoring, analysis and reporting across on-premises and cloud backup and recovery environments.

An authentication bypass vulnerability exists in EMC Data Protection Advisor. The application ships with several hidden, hardcoded privileged accounts with default passwords:

 

User: Apollo System Test
Pass: [hidden]

User: emc.dpa.agent.logon
Pass: [hidden]

User: emc.dpa.metrics.logon
Pass: [hidden]

 

Those accounts can be used to log on via REST APIs on the GUI service listening on HTTP ports 9002/9004. An attacker could send a normal HTTP request with the hidden account credentials, potentially gaining admin privileges.

To launch such an attack, the attacker first base64-encodes the credential in the format [user]:[pass].

Then an HTTP request is sent with the encoded credential in the HTTP header:

We recommend that all administrators update EMC Data Protection Advisor with the latest patch as soon as possible. The SonicWall Capture Labs Threat Research team has developed the following signatures to identify and stop the attacks:

  • IPS 13192: EMC Data Protection Advisor Authentication Bypass 1
  • IPS 13193: EMC Data Protection Advisor Authentication Bypass 2
  • IPS 13194: EMC Data Protection Advisor Authentication Bypass 3
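Because the bypass rides on ordinary HTTP Basic authentication, the detection side is simple: decode the Authorization header and match the user name against the three account names the post lists (the passwords are redacted there, so only the user name is matched). The following Python is an added example, not SonicWall's signature logic: a parser for the header plus a verdict that uses the 9002/9004 GUI ports from the post as a confidence boost. The request path, host name and the "REDACTED" password in the constructed sample requests are placeholders, not DPA's real endpoint.

```python
import base64

# Account names the post lists as hardcoded in EMC Data Protection Advisor; passwords are
# redacted in the post, so detection keys on the user name alone.
HARDCODED_USERS = {"Apollo System Test", "emc.dpa.agent.logon", "emc.dpa.metrics.logon"}
# GUI service ports named in the post.
DPA_GUI_PORTS = {9002, 9004}


def parse_basic_auth(request_text):
    """Return (user, password) from an 'Authorization: Basic' header, or None.

    Works on a raw HTTP/1.1 request with CRLF line endings; the header name is matched
    case-insensitively as HTTP requires, and malformed base64 yields None.
    """
    head = request_text.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
        except ValueError:                       # binascii.Error is a ValueError subclass
            return None
        user, _, password = decoded.partition(":")
        return user, password
    return None


def inspect_request(request_text, dst_port):
    """Flag a request that presents one of the hardcoded DPA accounts."""
    creds = parse_basic_auth(request_text)
    user = creds[0] if creds else None
    hardcoded = user in HARDCODED_USERS
    on_dpa_port = dst_port in DPA_GUI_PORTS
    # Alert on the account alone; the port only raises severity, since the service may sit
    # behind a proxy on another port.
    return {
        "user": user,
        "hardcoded_account": hardcoded,
        "dpa_gui_port": on_dpa_port,
        "alert": hardcoded,
        "severity": "high" if hardcoded and on_dpa_port else ("medium" if hardcoded else "none"),
    }


def build_request(user, password, host, path="/placeholder-api/login"):
    """Constructed sample request; path and host are placeholders, not DPA's real endpoint."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Authorization: Basic {token}\r\nContent-Length: 0\r\n\r\n")


if __name__ == "__main__":
    req = build_request("emc.dpa.agent.logon", "REDACTED", "dpa.example.internal:9002")
    print(inspect_request(req, 9002))
```

A user name containing a colon is handled correctly because `partition` splits on the first colon only, which is how RFC 7617 defines the user-id/password boundary.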

Android mining trojan so aggressive it can break your device

As cryptocurrencies become more valuable, cybercriminals are upping their game to try to make a healthy profit out of their unwilling victims. This week, the SonicWall Capture Labs Threat Research Team received reports of a malicious Android app which turns your mobile device into a cryptocurrency mining slave.

Infection cycle:

The sample we have analyzed installed a fake security application called CM Security. It even uses the same icon as the legitimate version from Cheetah Mobile.

Upon installation it asks for admin privileges.

After being granted admin rights, the malicious app hides its icon from the main menu. It also makes it difficult for a standard user to uninstall the app, as the uninstall option is grayed out.

This app checks for the operating system build to verify whether it is being run on a virtual environment or an emulator. It checks for common emulators such as Android emulator kernel Goldfish, Genymotion and Droid4x.

With admin rights, this malware can now access the phone’s address book and send SMS messages, among many other capabilities.

This malware uses the wakelock mechanism to force the device to stay on while also using the keyguard service to let it lock and unlock the keyboard.

We found the following modules within the app which are related to displaying advertisements on the user’s device.

We also found modules on what appears to be how the compromised device will communicate back to a remote server and possibly how commands can be received and malicious tasks can then be carried out.

And lastly, we found this mining class within the app. This malware uses Coinhive, which is a JavaScript miner for the Monero blockchain.

It has been reported that with the aggressive mining efforts that this malware does, it puts the device under strain making it work at full load which then causes it to overheat and break the device.

Sonicwall Capture Labs provides protection against this threat with the following signature:

  • GAV: AndroidOS.Coinminer.JS (Trojan)
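The two Android miner posts above (the January 8 surge and the CM Security look-alike) between them name enough static indicators to triage a sample before it is ever run: the CoinHiveIntentService service, the assets/engine.html miner script, the hardcoded lp.androidapk.world domain, the Coinhive script, the Goldfish/Genymotion/Droid4x emulator checks, and the INTERNET, device-admin and SMS permissions. The following Python is an added example that is not SonicWall's detection code. It assumes the manifest has already been decoded to text (as apktool produces); a real APK stores it as binary XML. The sample APK it builds is constructed in memory, the package prefix on the service name is made up, and the classes.dex entry is a stand-in containing only the strings of interest.

```python
import io
import re
import zipfile

# Indicators drawn from the two posts: the miner service and its HTML asset, the hardcoded
# domain, the Coinhive script name, the emulator names the second sample checks for, and the
# permissions the posts describe (INTERNET for the first sample; device admin and SMS for the second).
INDICATORS = {
    "service_CoinHiveIntentService": re.compile(rb"CoinHiveIntentService"),
    "coinhive_script": re.compile(rb"coinhive", re.IGNORECASE),
    "domain_lp_androidapk_world": re.compile(rb"lp\.androidapk\.world"),
    "emulator_check": re.compile(rb"goldfish|genymotion|droid4x", re.IGNORECASE),
    "perm_INTERNET": re.compile(rb"android\.permission\.INTERNET"),
    "perm_BIND_DEVICE_ADMIN": re.compile(rb"android\.permission\.BIND_DEVICE_ADMIN"),
    "perm_SEND_SMS": re.compile(rb"android\.permission\.SEND_SMS"),
}
MINER_ASSET = "assets/engine.html"
# INTERNET is requested by most apps (as the first post notes), so it carries no weight;
# the miner-specific indicators carry double weight.
STRONG = {"service_CoinHiveIntentService", "coinhive_script",
          "domain_lp_androidapk_world", "asset_engine_html"}


def scan_apk(apk_bytes):
    """Return {indicator: [zip entries it was found in]} for an APK given as bytes."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if name == MINER_ASSET:
                hits.setdefault("asset_engine_html", []).append(name)
            for label, pattern in INDICATORS.items():
                if pattern.search(data):
                    hits.setdefault(label, []).append(name)
    return hits


def verdict(hits):
    """Weighted score over the indicator set; thresholds are this example's choice."""
    score = sum(2 if k in STRONG else 1 for k in hits if k != "perm_INTERNET")
    if score >= 3:
        return "likely_miner"
    return "suspicious" if score else "clean"


def build_sample_apk(miner=True):
    """Constructed stand-in for an APK (manifest as decoded text, not binary XML)."""
    perms = ["android.permission.INTERNET"]
    components = ""
    if miner:
        perms += ["android.permission.BIND_DEVICE_ADMIN", "android.permission.SEND_SMS"]
        # "com.example" prefix is made up; the class name is the one the post reports.
        components = '<service android:name="com.example.CoinHiveIntentService"/>'
    manifest = ("<manifest>"
                + "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
                + f"<application>{components}</application></manifest>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", manifest)
        if miner:
            zf.writestr(MINER_ASSET, "<html><script>/* CoinHive loader */</script></html>")
            # Stand-in for classes.dex: only the string-table content matters to the scan.
            zf.writestr("classes.dex",
                        b"goldfish\x00genymotion\x00droid4x\x00hxxp://lp.androidapk.world/?appid=\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for label, apk in (("miner", build_sample_apk()), ("benign", build_sample_apk(miner=False))):
        h = scan_apk(apk)
        print(label, verdict(h), sorted(h))
```

Against real samples, the dex scan is deliberately a raw byte search rather than a disassembly: the strings the posts name (service class, domain, emulator product names) survive obfuscation far more often than the code structure does.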

Cisco Prime Network Analysis Module Directory Traversal Vulnerability

Cisco Prime Network Analysis Module (NAM) is network management software that gives network administrators multifaceted visibility to help optimize network resources, troubleshoot performance issues, and deliver a consistent end-user experience.

A directory traversal vulnerability has been reported in the Cisco Prime Network Analysis Module. Because of an input validation bug when processing certain HTTP parameters, an attacker could send a crafted HTTP request to graph.php to gain access to any file or folder accessible to the web service, and even delete any file the web service has permission to delete.

The file graph.php in Cisco Prime Network Analysis Module is used for displaying graphic elements such as charts on the webpage. It contains a routine that reads local files inside /tmp; the name of the file in the /tmp directory is specified by the sfile parameter. However, graph.php lacks the necessary filtering on this parameter. When a request contains “../”, it can reach files outside the web folder, causing a directory traversal vulnerability. What makes things worse is that the same request also deletes the file. That means an unauthenticated attacker could cause considerable damage on the target server.

    // open file
    if(!file_exists($sfile) || !($f = fopen($sfile, "r"))) {
        error_log("Stat file not found: $sfile");
        exit;
    }

    // read file
    while(!feof($f) && strncmp(fgets($f, 2000), "| Interval ", 12)) // skip other stats
    {;}
    fgets($f, 2000);
    $j = 0;
    $bytes = array();
    while(!feof($f)) {
        $s = fgets($f, 2000);
        $s = substr($s , strrpos($s, "| "));
        $s = substr($s, 1, -2);
        $bytes[$j++] = (int)trim($s);
    }
    fclose($f);

    // only checks if the path starts with /tmp/, if so, delete the file.
    // no filter on the parameter
    if(strncmp($sfile, "/tmp/", 5)==0) unlink($sfile);
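The weakness is visible in the last line: strncmp on the raw parameter accepts any string that begins with /tmp/, including one whose “../” segments lead elsewhere. The following Python is an added example, not Cisco's code: the first function mirrors the prefix compare graph.php performs, the second canonicalizes the path before comparing, which is the fix a reviewer would ask for, and a guarded delete wraps the second. /tmp/ is the root from the snippet above; the file names are constructed.

```python
import os

TMP_ROOT = "/tmp/"


def prefix_check_only(sfile):
    """The test graph.php applies: a raw prefix compare, like strncmp($sfile, "/tmp/", 5).

    It accepts "/tmp/../etc/passwd" because that string really does start with "/tmp/".
    """
    return sfile.startswith(TMP_ROOT)


def is_safe_tmp_path(sfile, root=TMP_ROOT):
    """Hardened check: canonicalize, then require the real path to be a child of the real root.

    realpath() collapses ".." segments and follows symlinks, so "/tmp/../etc/passwd" becomes
    "/etc/passwd" and a symlink planted in /tmp that points outside is resolved before the
    comparison. The os.sep suffix stops "/tmpfoo/x" from passing as a child of "/tmp", and
    the root directory itself is rejected as well.
    """
    if not isinstance(sfile, str) or "\x00" in sfile:
        return False                      # embedded NUL: reject outright
    real_root = os.path.realpath(root)
    real = os.path.realpath(sfile)
    return real.startswith(real_root + os.sep)


def safe_unlink(sfile, root=TMP_ROOT):
    """Delete only after the hardened check; returns True if a file was removed."""
    if not is_safe_tmp_path(sfile, root):
        return False
    try:
        os.unlink(sfile)
        return True
    except FileNotFoundError:
        return False


if __name__ == "__main__":
    for candidate in ("/tmp/nam_stats.txt", "/tmp/../etc/passwd", "/tmpfoo/x", "/tmp/"):
        print(f"{candidate!r}: prefix={prefix_check_only(candidate)} "
              f"hardened={is_safe_tmp_path(candidate)}")
```

A second layer, not shown, is to drop the parameter entirely and look the file up by an identifier in a server-side table, so the client never supplies a path at all.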

SonicWall Capture Labs Threat Research team has developed the following signature to identify and stop the attacks:

  • IPS 13122: Cisco Prime Network Analysis Module graph sfile Directory Traversal

Home Automation Security: Is it too late?

In a casual conversation with my realtor friend, I learned that many upscale tract builders now include home automation to increase margin. We’ve come a long way since the X10 days.

Home automation is still a splintered industry. No end-to-end solutions exist. There are, of course, the commercial integrators targeting custom estates with project cost measured in the percentage of home values.

The value of these integrators is that these specialized vendors found various sub-systems that work well together. These solutions are often around for decades. The security works by virtue of being discrete systems interconnected via serial copper links, some with odd protocols like bit banging. These are easy to hack, but one needs physical access. We have not heard of many breaches for that reason.

Apple, Amazon Change the Game

But with Apple HomeKit and Amazon Echo, the world changed dramatically. From a vendor’s perspective, solutions such as HomeKit significantly decrease the complexity of a product. A HomeKit vendor only focuses on contributing a small part of a solution, which can be as small as a single light bulb. HomeKit brings it all together.

Some devices have built-in Ethernet or Wi-Fi interfaces, but many speak some proprietary wired or wireless protocols and use a small device called a “bridge” or a “hub” to translate to a central controller. I actually like the bridge approach. It brings many legacy players into the consumer arena with very solid solutions.

Echo and HomeKit are not the only controllers in town. There are many other products, from old dogs such as HomeSeer to new vendors like Wink, popping up each day. Some are already exiting. Any of these devices can be grouped into on-prem and cloud solutions.

Home automation: On-prem or in the cloud

On-prem controllers theoretically can be deployed with air-gap. They do not need internet access other than for optional remote access and software updates, and perhaps initial licensing. Cloud controllers need internet access to work. If you lose access to the internet, devices stop working.

Complexity doesn’t end there. Since vendors came up with bridges and hubs, it does not cost them much more to add out-of-the box siloed cloud access, giving consumers an instant plug-and-play experience without the need of a controller. Consumers appreciate the ease of deployment, but need an app for each island.

Geeks like me appreciate the APIs into these bridges, which provide the same benefits as systems that used to cost into the tens of thousands of dollars.

3 Best Practices for Home Automation Security

How do we secure all of this? Because of the diversity of systems around, I cannot give a flat response. Here are some basic tips:

  1. Unique emails and passwords. First, give anything with cloud access a very secure password registered to an email account that is not used for anything else and not generally known.
  2. Secure and segment Wi-Fi access. Secure the home network very thoroughly with a strong Wi-Fi password. Add an isolated guest network for devices outside the family. This goes, of course, with solid perimeter controls, such as gateway antivirus (GAV) and intrusion prevention systems (IPS).
  3. Implement network isolation. This can be challenging. Many systems need client devices — smart phones, bridges and controllers — to all be in the same broadcast domain. For instance, HomeKit uses an Apple TV as a remote access hub to HomeKit devices within the broadcast domain. Firewalls can still be deployed here, but in L2 bridged mode. Luckily, bridges typically use HTTPS, SSH, telnet and HTTP to communicate, in that order. Occasionally, you see some odd sockets. But, mostly, we can control them via SPI rules and apply IPS on common services. L2 segmentation is the key word here, such as Native Bridge support in SonicOS 6.5.

It will be very exciting to observe the consumer home automation industry mature — both from capabilities and security. You will hear more from us in the coming quarters as SonicWall takes a special interest in IoT.