Email Security with Continuity, Multi-tenancy

Email is vital to business communications and operations. However, as the volume of email increases, so too does the amount of ransomware, phishing, business email compromise (BEC), spoofing, spam and virus attacks.

What’s more, government regulations (e.g., PCI, HIPAA, GDPR, etc.) now hold your business accountable for protecting confidential data, ensuring it is not leaked and supporting the secure exchange of email that contains sensitive customer data or confidential information.

Deploying and maintaining an on-premises email security solution is CAPEX-intensive and creates administrative overhead. Organizations can benefit from replacing legacy solutions with an easy-to-use, affordable cloud-based security solution. This helps protect organizations from email-borne threats such as ransomware, zero-day attacks, spear-phishing and BEC, all while meeting email compliance and regulatory mandates.

The new SonicWall Email Security 9.1 solution now includes email continuity to minimize business impact during planned and unplanned outages to your email servers.

Hosted Email Security

SonicWall HES is a cloud-based, multi-tenant security service that protects against today’s advanced email threats.

SonicWall Hosted Email Security (HES) offers comprehensive cloud-based email protection to stop ransomware and other email-borne threats before they reach your network.

Email attachments are scanned by the SonicWall Capture Advanced Threat Protection (ATP) service, a multi-engine sandbox that automatically detects and prevents advanced threats from reaching your network. The solution blocks ransomware and zero-day threats in the cloud and ensures only safe emails are delivered to your inbox. Get the scalability you need with no upfront costs and predictable subscription rates.

SonicWall Email Security 9.1 firmware

With a focus on improving our email security solution to better protect and enable our customers' businesses, SonicWall is releasing a firmware update with security enhancements, an updated and modern UI, and the following features.

Why email continuity is important

Businesses are global, operate 24/7 and depend on email. Outages to email services have a significant impact on an organization's productivity and disrupt business.

Traditional approaches to email continuity — designed to ensure high availability with on-prem email deployments — have proven costly and ineffective. In many cases, this leaves organizations with continued outages.

Small- and medium-sized businesses (SMBs) can rarely justify the cost of building a highly redundant messaging infrastructure. Moving to cloud-based solutions enables organizations to lower costs and deliver better service, but outages are inevitable.

For example, Microsoft Office 365 claims a high degree of service availability (via their service-level agreements, or SLAs) at a global level, but when individual regions or businesses are involved, impact can be high. (For a helpful resource, outages to cloud service providers are recorded at downdector.com.)

Email continuity for SonicWall HES

SonicWall HES delivers simple, cost-effective protection against planned or unplanned downtime events, whether your email servers are on-premises, hybrid environments or in the cloud.

Email Continuity Infographic

Achieve 24/7 service availability with email continuity.

With SonicWall Continuity for Hosted Email Security,* ensure emails are always delivered and productivity is not impacted during planned and unplanned outages of on-prem email servers or a cloud provider, such as Office 365.

During outages, users can access a secure, browser-based Emergency Inbox to compose, read and respond to messages. Email spooling ensures no messages are lost when email servers are unavailable, and delivers them when the servers are up.

Managed service providers

When investigating an email security offering best suited for their customers, managed service providers (MSPs) should not only select the most comprehensive solution, but also one that enables them to differentiate.

By deploying SonicWall Email Security, MSPs can deliver a managed email security service with robust multi-tenancy support, customized environment configurability for Microsoft Office 365, and an advanced security platform. The solution’s MSP-friendly capabilities include:

  • Flexible deployment options
  • Enhanced multi‐tenancy
  • RESTful APIs
  • Easy integration with Microsoft Office 365
  • Customized branding
  • Comprehensive reporting and monitoring

For more details, explore our resources for Email Continuity, Multi-tenancy for MSPs, and SonicWall Hosted Email Security.

* Continuity for Hosted Email Security will be available as an add-on subscription beginning February 2018. For more details, visit mysonicwall.com or contact your preferred SonicWall partner.

Microsoft Security Bulletin Coverage for January 2018

SonicWall has analyzed and addressed Microsoft's security advisories for the month of January 2018. The issues reported, along with SonicWall coverage information, are as follows:

  • CVE-2018-0741 Microsoft Color Management Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0743 Windows Subsystem for Linux Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0744 Windows Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0745 Windows Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0746 Windows Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0747 Windows Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0748 Windows Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0749 SMB Server Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0750 Windows GDI Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0751 Windows Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0752 Windows Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0753 Windows IPSec Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0754 OpenType Font Driver Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0758 Scripting Engine Memory Corruption Vulnerability
    IPS:13155 Scripting Engine Memory Corruption Vulnerability (JAN 18) 1

  • CVE-2018-0762 Scripting Engine Memory Corruption Vulnerability
    IPS:13156 Scripting Engine Memory Corruption Vulnerability (JAN 18) 2

  • CVE-2018-0764 .NET and .NET Core Denial Of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0766 Microsoft Edge Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0767 Scripting Engine Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0768 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0769 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0770 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0772 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0773 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0774 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0775 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0776 Scripting Engine Memory Corruption Vulnerability
    IPS:13157 Scripting Engine Memory Corruption Vulnerability (JAN 18) 3

  • CVE-2018-0777 Scripting Engine Memory Corruption Vulnerability
    IPS:13158 Scripting Engine Memory Corruption Vulnerability (JAN 18) 4

  • CVE-2018-0778 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0780 Scripting Engine Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0781 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0784 ASP.NET Core Elevation Of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0785 ASP.NET Core Cross Site Request Forgery Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0786 .NET Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0787 ASP.NET Core Elevation Of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0788 OpenType Font Driver Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0789 Microsoft SharePoint Cross Site Scripting Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0790 Microsoft SharePoint Cross Site Scripting Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0791 Microsoft Outlook Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0792 Microsoft Word Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0793 Microsoft Outlook Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0794 Microsoft Word Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0795 Microsoft Office Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0796 Microsoft Excel Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0797 Microsoft Word Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0798 Microsoft Office Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0799 Microsoft Access Tampering Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0800 Scripting Engine Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0801 Microsoft Office Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0802 Microsoft Office Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0803 Microsoft Edge Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0804 Microsoft Word Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0805 Microsoft Word Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0806 Microsoft Word Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0807 Microsoft Word Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0808 ASP.NET Core Denial Of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0812 Microsoft Word Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2018-0818 Scripting Engine Security Feature Bypass
    There are no known exploits in the wild.
  • CVE-2018-0819 Spoofing Vulnerability in Microsoft Office for MAC
    There are no known exploits in the wild.

Adobe vulnerabilities:

APSB18-01 Security updates for Adobe Flash Player:

  • CVE-2018-4871 Adobe Flash Player Information Disclosure Vulnerability
    SPY:5055 Malformed-File atf.MP.2

8 Cyber Security Predictions for 2018

In preparation for the upcoming publication of the 2018 Annual SonicWall Threat Report, we’re busy reviewing and analyzing data trends identified by SonicWall Capture Labs over the course of 2017.

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from more than 1 million sensors around the world, performs rigorous testing and evaluation, establishes reputation scores for email senders and content, and identifies new threats in real-time.

With the New Year, it’s appropriate to recap last year’s trends, and offer a few preliminary insights into noteworthy trends we expect to see in 2018.

Ransomware will persist, evolve

Ransomware will continue to be the malware of choice. It has never been easier to make your own ransomware. With the rise of ransomware-as-a-service, even the most novice developer can create their own ransomware. As long as cybercriminals see the potential to make enough in ransom to cover the costs of development, we will continue to see an increase in variants.

However, an increase in variants does not mean an increase in successful attacks, which we will explore in detail in the 2018 Annual Cyber Threat Report.

SSL, TLS encryption will hide more attacks

For the first time, Capture Labs will publish real metrics on the volume of attacks uncovered inside encrypted web traffic. At the same time, the percentage of organizations that have deployed deep-packet inspection of encrypted threats (DPI-SSL/TLS) remains alarmingly low.

In the year ahead, we expect there will be more encrypted traffic being served online, but unencrypted traffic will remain for most public services. More sophisticated malware using encrypted traffic will be seen in cyberattacks.

In response, we expect more organizations will enable traffic decryption and inspection methods into their network security infrastructure. This expanded deployment of DPI-SSL/TLS will rely in part on the success of solution providers reducing deployment complexity and cost to lower operating expense.

Cryptocurrency cybercrime expected to be on the rise

Due to the rapid rise in cryptocurrency valuations, more cryptocurrency mining and related cybercrime is expected in the near future. Attackers will explore more avenues to use victims' CPUs for cryptocurrency mining, and cryptocurrency exchanges and mining operations will remain targets for cyber theft.

UPDATE: On Jan. 8, SonicWall Capture Labs discovered a new malware that leverages Android devices to maliciously mine for cryptocurrency.

IoT will grow as a threat vector

As more devices connect to the internet, we expect to see more compromises of IoT devices. DDoS attacks via compromised IoT devices will continue to be a main threat for IoT attacks. We also expect to see an increase in information and intellectual property theft leveraging IoT, as the capabilities of IoT devices have improved substantially, making IoT a richer target (e.g., video data, financial data, health data, etc.). The threat of botnets will also loom large with so many devices being publicly exposed and connected to one another, including infrastructure systems, home devices and vehicles.

Android is still a primary target on mobile devices

Android attacks are both increasing and evolving, such as with recently discovered malware. Earlier ransomware threats used to simply cover the entire screen with a custom message, but now more are completely encrypting the device — some even resetting the lock screen security PIN. Overlay malware is very stealthy: it shows an overlay on top of the screen with contents designed to steal victims' data, such as user credentials or credit card data. We expect more of these attacks in 2018.

Apple is on the cybercrime radar

While rarely making headlines, Apple operating systems are not immune to attack. While the platform may see fewer attacks relative to other operating systems, it is still being targeted. We have seen increases in attacks on Apple platforms, including Apple TV. In the year ahead, macOS and iOS users may increasingly become victims of their own unwarranted complacency.

Adobe isn’t out of the woods

Adobe Flash vulnerability attacks will continue to decrease with wider implementation of HTML5. However, trends indicate an increase in attacks targeting other Adobe applications, such as Acrobat. There are signs that hackers will more widely leverage Adobe PDF files (as well as Microsoft Office file formats) in their attacks.

Defense-in-depth will continue to matter

Make no mistake: Layered defenses will continue to be important. While malware evolves, much of it often leverages traditional attack methods.

For example, WannaCry may be relatively new, but it leverages traditional exploit technology, making patching as important as ever. Traditional email-based threats, such as spear-phishing, will continue to become more sophisticated to evade human and security system detection. Cloud security will continue to grow in relevance as more business data is stored in data centers and both profit-driven cybercriminals and nation-states increasingly focus on theft of sensitive intellectual property.

Conclusion

When gazing into our crystal ball, we’re reminded that the only thing certain is change. Look for more detailed data in our soon-to-be-published 2018 SonicWall Annual Threat Report.

Sudden surge in Android miner malware observed

The SonicWall Threats Research team observed a sudden spike in Android apps with hidden crypto miner functionality. Such apps masquerade as legitimate apps, such as games, music or video apps, but in the background they start mining cryptocurrency using the resources of the infected victim's hardware.

Malicious Android apps with mining capability have existed for some time, but we saw a sudden surge in such apps on January 8, 2018. With the recent popularity of cryptocurrencies like Bitcoin, Ethereum and Ripple, the rise in such malware apps is not surprising.


Infection Cycle

The only permission requested by the app is the ability to access the Internet. This is an extremely common permission used by most Android apps, so on the basis of permissions alone it is difficult to flag this app as malicious.

Crypto Mining

The cryptocurrency mining script resides in the Assets folder as engine.html. This script contains the functions to start and stop the mining:

The app starts a service – CoinHiveIntentService – which monitors, starts and stops the crypto-mining on the infected device.

Malware installer

One of the links displayed in the app after startup is a redirector that installs more malicious apps:

As shown above, this site is already being flagged as malicious.

We observed a sharp rise in miner samples on January 8, 2018. The following are common among these samples:

  • The code structure
  • Certificate thumbprint/serial number
  • Miner service – CoinHiveIntentService
  • Hardcoded domain – hxxp://lp.androidapk.world/?appid=
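Those four commonalities can be turned into a static triage check. The following is an added example (not SonicWall code or any of its signatures) that opens an APK as a ZIP archive and looks for the engine.html miner script, the CoinHiveIntentService class name and the hardcoded lp.androidapk.world domain; the APK it inspects is constructed in memory, and the miner script patterns are assumptions about what a CoinHive loader looks like.

```python
"""Static triage of an APK for the CoinHive miner indicators described above.

Added example, not SonicWall code. It inspects the APK as a ZIP archive for:
  * assets/engine.html carrying the CoinHive mining script
  * the CoinHiveIntentService class name inside classes.dex
  * the hardcoded distribution domain lp.androidapk.world
The sample APK below is constructed in memory so the script runs offline.
"""
import io
import re
import zipfile

# Indicators taken from the write-up above. classes.dex is a binary format,
# but class names and string constants are stored as plain text inside it,
# so a substring scan is enough for a first-pass triage.
SERVICE_INDICATOR = b"CoinHiveIntentService"
DOMAIN_INDICATOR = b"lp.androidapk.world"
ENGINE_ASSET = "assets/engine.html"
# Assumed loader patterns for the CoinHive browser miner (constructor call or script include).
MINER_PATTERN = re.compile(rb"CoinHive\.(Anonymous|User)\s*\(|coinhive\.min\.js", re.I)


def triage_apk(apk_bytes: bytes) -> dict:
    """Return which indicators were found in the APK plus a verdict."""
    findings = {
        "engine_html_miner": False,
        "coinhive_service": False,
        "hardcoded_domain": False,
    }
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = set(zf.namelist())
        if ENGINE_ASSET in names and MINER_PATTERN.search(zf.read(ENGINE_ASSET)):
            findings["engine_html_miner"] = True
        # Multidex APKs ship classes.dex, classes2.dex, ...; scan all of them.
        for name in names:
            if name.startswith("classes") and name.endswith(".dex"):
                dex = zf.read(name)
                if SERVICE_INDICATOR in dex:
                    findings["coinhive_service"] = True
                if DOMAIN_INDICATOR in dex:
                    findings["hardcoded_domain"] = True
    hits = sum(findings.values())
    # Two independent indicators are enough to flag; a single one is only suspicious.
    findings["verdict"] = "miner" if hits >= 2 else ("suspicious" if hits == 1 else "clean")
    return findings


def build_sample_apk(with_miner: bool) -> bytes:
    """Construct a minimal fake APK in memory (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")  # placeholder manifest
        if with_miner:
            zf.writestr(ENGINE_ASSET,
                        b"<script src='coinhive.min.js'></script>"
                        b"<script>var m=new CoinHive.Anonymous('SITEKEY');m.start();</script>")
            zf.writestr("classes.dex",
                        b"dex\n035\0Lcom/example/CoinHiveIntentService;\0"
                        b"https://lp.androidapk.world/?appid=\0")
        else:
            zf.writestr("classes.dex", b"dex\n035\0Lcom/example/MainActivity;\0")
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("miner", True), ("benign", False)):
        print(label, triage_apk(build_sample_apk(flag)))
```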


SonicWall Capture Labs provides protection against this threat with the following signatures:

  • GAV: AndroidOS.MoneroMiner.MNR (Trojan)
  • GAV: AndroidOS.CoinHack.MNR (Trojan)

A few of the Android samples that we observed as part of the surge:

  • com.gamehivecorp.kicktheboss2r.hack.apk
  • com.bennettracingsimulations.dirttrackin.hack
  • com.atari.mobile.rctc.hack
  • com.astragon.cs2014.hack
  • com.aspyr.swkotor.hack
  • com.and.games505.TerrariaPaid.hack
  • com.amazon.mShop.android.shopping.hack
  • com.activision.boz.hack
  • com.abtnprojects.ambatana.hack

Update 1

Once the miner app starts, the CPU usage on the device increases, almost reaching 100% utilization. Unlike another mining app that we covered earlier, however, this app did not heat up the phone.

Genasom Ransomware operator requests remote access for fix

The SonicWall Capture Labs Threat Research Team has conducted an experimental dialog similar to our previous PayDay ransomware SonicAlert. This time we look at a ransomware threat known as Genasom, where the operators use email to communicate and negotiate payment with their victims. In this case the operator wanted direct access to the infected machine in order to “fix” the problem, after which a small donation is requested (according to them).

Infection cycle:

The Trojan uses the following icon:

The Trojan drops the following files onto the system:

  • %APPDATA%\BC0DD974EC.exe [Detected as GAV: Genasom.RSM_2 (Trojan)]
  • _HELP_INSTRUCTION.TXT (in every directory containing encrypted files)

The Trojan adds the following keys to the registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 00FF0DD974EC {original run location}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run BC0DD974EC %APPDATA%\BC0DD974EC.exe

_HELP_INSTRUCTION.TXT contains the following text:

    Hello!
    Attention! All Your data was encrypted!
    For specific informartion, please send us an email with Your ID number:
    serverup@keemail.me
    serverup@protonmail.com
    serverup1@yandex.com
    serverup3@yandex.com
    ann.c@iname.com
    Please send email to all email addresses! We will help You as soon as possible!
    DECRYPT-ID-6f179b9f-7506-4075-beea-5791809b6c04 number
    IMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!

From here the victim is left with no choice but to contact the operators via email. The following is a short conversation we had with the operator:

We do not know what is behind this ‘good will’ scheme but would advise infected users never to take the bait. The operator will most likely cause more harm than good once granted access. This could range from installing further malware and snooping on other machines within the network to launching DDoS attacks from the infected machine.

Sounds too good to be true and probably is.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Genasom.RSM (Trojan)
  • GAV: Genasom.RSM_2 (Trojan)
  • GAV: Genasom.A_16 (Trojan)
  • GAV: Genasom.A_17 (Trojan)
  • GAV: Genasom.A_18 (Trojan)
  • GAV: Genasom.A_19 (Trojan)

How to Hide a Sandbox: The Art of Outfoxing Advanced Cyber Threats

Malware often incorporates advanced techniques to evade analysis and discovery by firewalls and sandboxes. When malware sees evidence that dynamic analysis is occurring, it can invoke different techniques to evade analysis, such as mimicking the behavior of harmless files that are typically ignored by threat detection systems.

Traditional sandboxing approaches that signal their own presence — for example, by instrumenting underlying virtual machines (VM) to intercept malicious function calls — make the analysis environment visible. This can trigger an action by malware to conceal itself.

Because of the increased focus by malware authors on developing evasion tactics, it is important to apply a multi-disciplinary approach to analyzing suspicious code, especially for detecting and analyzing ransomware and malware that attempt credential theft.

SonicWall’s award-winning Capture Advanced Threat Protection (ATP) multi-engine sandbox platform efficiently discovers what code wants to do from the application, to the OS, to the software that resides on the hardware. In fact, SonicWall formed a partnership with VMRay to leverage their agentless hypervisor-level analysis technology as one of the three powerful Capture ATP engines. The VMRay technology executes suspicious code, analyzes changes within the memory of a system to detect malicious activity, while resisting evasion tactics and maximizing zero-day threat detection.

How VMRay enhances Capture ATP

VMRay brings an agentless hypervisor-based approach to dynamic malware analysis. The hypervisor is the underlying computing platform that creates, runs and manages virtual machines on the underlying hardware. Most sandboxing solutions use a hypervisor as a launch pad for either the emulators or virtual machines that are hooked and monitored.

Figure 1 VMRay runs as part of the hypervisor on top of the host OS

VMRay takes a different approach to sandbox analysis by monitoring the activity of the target machine, entirely from the outside, using Virtual Machine Introspection (VMI). VMRay combines CPU hardware virtualization extensions with an innovative monitoring concept called Intermodular Transition Monitoring (ITM) to deliver agentless monitoring of VMs running a native OS without emulation or hooking (to avoid being detected by advanced malware). VMRay runs as part of the hypervisor on top of the host OS, which, in turn, is running on bare metal.

Because VMs in the sandbox aren’t instrumented, threats execute as they would in the wild, and the analysis is invisible — even to the most evasive strains of malware.

VMRay’s agentless hypervisor-based approach provides four key benefits to the SonicWall Capture ATP cloud service:

  • Resistance to evasive malware
  • Detailed analysis results
  • Extraction of IOCs
  • Real-time, high-volume detection

To learn more about these benefits in greater detail, read the Solution Brief: Five Best Practices for Advanced Threat Protection.

Meltdown and Spectre: The Intel chip vulnerability Introduction and Assessment

The vulnerability

Meltdown and Spectre are a series of critical vulnerabilities that lead to sensitive information disclosure from an operating system, caused by a fundamental design flaw in Intel's processors.

On Jan. 3, Google Project Zero disclosed the vulnerability, documented in Vulnerability Note VU#584653 “CPU hardware vulnerable to side-channel attacks”.

A PoC has already been published on GitHub.

How big is the threat?

A successful exploit of this vulnerability allows an attacker to access sensitive information inside protected memory regions. Such information may include passwords, emails and documents, which are most likely to appear in plaintext in memory while being processed by the OS and applications, because OS-level memory isolation has usually been considered trustworthy. This time, it broke.

There are two approaches to exploiting the vulnerabilities.

Meltdown – “user level attacks kernel level”: A malicious, unprivileged user-level application could access OS kernel-mode memory due to a failed boundary check. Related vulnerability: CVE-2017-5754

Spectre – “user level attacks user level”: A malicious user-level application reads the memory of another normally running user-level application due to a bug in the CPU's speculative execution feature. Related vulnerabilities: CVE-2017-5753, CVE-2017-5715

The attack surface exists on both the client side and the server side. Possible attack scenarios include attacking cloud-based shared hosting, attacking the client side with web-based JavaScript, and using the flaw as a supporting step in a memory corruption exploit to bypass kernel-level ASLR protection.

Besides the proof-of-concept code on GitHub, researchers have demonstrated leaking kernel memory.

One fortunate aspect is that attacks on this vulnerability are “passive” and “read-only”, compared to an actively exploited RCE vulnerability.

Am I affected?

The answer is most likely yes:

  • The chip vendors Intel, AMD and ARM are affected.
  • Windows, Linux (Android included) and macOS are affected.
  • Cloud service vendors such as AWS and AliCloud are affected.

Microsoft has also released a PowerShell script to detect whether a Windows system is affected here.
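For Linux hosts, the equivalent check reads the per-issue status files that patched kernels export under /sys/devices/system/cpu/vulnerabilities/. The parser below is an added example, not SonicWall code or Microsoft's script; the sample status strings are constructed to match the wording those files use.

```python
"""Check Linux mitigation status for Meltdown/Spectre via sysfs.

Added example, not SonicWall code. Linux kernels from 4.15 on expose one file
per issue under /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1,
spectre_v2). The parser also runs offline on the constructed samples below.
"""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
# sysfs file name -> CVE named in the write-up above.
ISSUES = {
    "meltdown": "CVE-2017-5754",
    "spectre_v1": "CVE-2017-5753",
    "spectre_v2": "CVE-2017-5715",
}


def classify(status_line: str) -> str:
    """Map one sysfs status line to not_affected / mitigated / vulnerable / unknown.

    Real lines look like "Not affected", "Mitigation: PTI", "Vulnerable", or
    "Vulnerable: Minimal generic ASM retpoline" (only partially mitigated).
    """
    s = status_line.strip()
    if s.lower().startswith("not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def assess(status_by_issue: dict) -> dict:
    """Summarize per-CVE status and whether the host still needs patching."""
    report = {}
    for issue, cve in ISSUES.items():
        # A missing file means the kernel predates the sysfs interface, so the
        # patch status cannot be verified from here: treat it as unknown.
        line = status_by_issue.get(issue)
        report[cve] = classify(line) if line is not None else "unknown"
    report["needs_patching"] = any(
        status in ("vulnerable", "unknown") for status in list(report.values())
    )
    return report


def read_sysfs(base: Path = SYSFS_DIR) -> dict:
    """Read the live sysfs files; returns an empty dict on hosts without them."""
    out = {}
    for issue in ISSUES:
        f = base / issue
        if f.is_file():
            out[issue] = f.read_text()
    return out


# Constructed samples, as a patched and an unpatched host would report them.
PATCHED_HOST = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Full generic retpoline\n",
}
UNPATCHED_HOST = {
    "meltdown": "Vulnerable\n",
    "spectre_v1": "Vulnerable\n",
    # partial-mitigation wording used by the early 2018 kernel patches
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
}

if __name__ == "__main__":
    live = read_sysfs()
    print("live host:", assess(live) if live else "sysfs interface not present")
    print("patched sample:", assess(PATCHED_HOST))
    print("unpatched sample:", assess(UNPATCHED_HOST))
```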

How can I get protected?

Patching this vulnerability is more difficult than usual: it happens at the hardware level and affects multiple platforms, including various versions of mobile and IoT devices. The current patches on Linux and Windows will incur a 5-30% performance hit on Intel products.

Please keep updated on the newly released patches and apply them when available, or confirm with your service provider that they have updated to the latest patch. Big vendors are already giving feedback about their patching status:

  • VMware:
    https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html
  • AMD:
    https://www.amd.com/en/corporate/speculative-execution
  • Red Hat:
    https://access.redhat.com/security/vulnerabilities/speculativeexecution
  • Nvidia:
    https://forums.geforce.com/default/topic/1033210/nvidias-response-to-speculative-side-channels-cve-2017-5753-cve-2017-5715-and-cve-2017-5754/
  • Xen:
    https://xenbits.xen.org/xsa/advisory-254.html
  • ARM:
    https://developer.arm.com/support/security-update
  • Amazon:
    https://aws.amazon.com/de/security/security-bulletins/AWS-2018-013/
  • Mozilla:
    https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/

For SonicWall users:

Meltdown and Spectre are side-channel attacks at the memory level, which won't leave logs like other exploits targeting specific services. However, the attacks and malware can still be detected and intercepted via network traffic.

The SonicWall Capture Labs Threat Research team is continuously monitoring newly emerging exploits and malware for this vulnerability. The following signatures have already been developed to identify and stop the attacks:

  • GAV: Exploit.Spectre.A
  • IPS 13149: Suspicious Javascript Code (Speculative Execution)
  • WAF 1673: Suspicious Javascript Code (Speculative Execution)

Reference:

  • [1] Meltdown and Spectre https://meltdownattack.com/
  • [2] Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/
  • [3] Vulnerability Note VU#584653 https://www.kb.cert.org/vuls/id/584653
  • [4] Meltdown and Spectre analysis from Antiylab http://www.freebuf.com/vuls/159269.html
  • [5] We translated Intel’s crap attempt to spin its way out of CPU security bug PR nightmare http://www.theregister.co.uk/2018/01/04/intel_meltdown_spectre_bugs_the_registers_annotations/

EMC Data Protection Advisor authentication bypass vulnerability

EMC Data Protection Advisor is data protection management software that unifies and automates monitoring, analysis and reporting across on-premises and cloud backup and recovery environments.

An authentication bypass vulnerability exists in EMC Data Protection Advisor. The application ships with several hidden, hardcoded privileged accounts with default passwords:

User: Apollo System Test
Pass: [hidden]

User: emc.dpa.agent.logon
Pass: [hidden]

User: emc.dpa.metrics.logon
Pass: [hidden]

Those accounts can be used to log on via the REST APIs of the GUI service listening on HTTP ports 9002/9004. An attacker could send normal HTTP requests with the hidden account credentials and gain potential admin privileges.

To launch such an attack, first encode the credential with base64 in this format: [user]:[pass].

Then send an HTTP request with the credentials in the HTTP header:

We recommend that all administrators update EMC Data Protection Advisor with the latest patch as soon as possible. The SonicWall Capture Labs Threat Research team has developed the following signatures to identify and stop the attacks:

  • IPS 13192: EMC Data Protection Advisor Authentication Bypass 1
  • IPS 13193: EMC Data Protection Advisor Authentication Bypass 2
  • IPS 13194: EMC Data Protection Advisor Authentication Bypass 3
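The inspection logic such a signature needs, as an added example that is not SonicWall's IPS code: decode the Basic Authorization header of a request to the DPA GUI ports and alert when the user part is one of the hidden account names. The sample requests, the placeholder REST path and the placeholder passwords are constructed.

```python
"""Detect logins with EMC DPA's hidden built-in accounts in HTTP traffic.

Added example, not SonicWall code and not the IPS signatures listed above.
A network detection has to find the HTTP Basic Authorization header,
base64-decode it into user:pass and flag the request when the user part is
one of the hidden account names. Because the GUI service speaks plain HTTP,
the credentials are visible on the wire, which is what makes this possible.
"""
import base64
import binascii

# Hidden account names from the write-up. Passwords are deliberately omitted:
# matching on the user name alone is sufficient and avoids shipping secrets.
HIDDEN_ACCOUNTS = {
    "Apollo System Test",
    "emc.dpa.agent.logon",
    "emc.dpa.metrics.logon",
}
DPA_GUI_PORTS = {9002, 9004}


def parse_basic_auth(raw_request: bytes):
    """Return (user, password) from a Basic Authorization header, else None."""
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if not sep or name.strip().lower() != b"authorization":
            continue
        scheme, _, token = value.strip().partition(b" ")
        if scheme.lower() != b"basic":
            return None
        try:
            decoded = base64.b64decode(token.strip(), validate=True)
        except (binascii.Error, ValueError):
            return None                            # malformed token, not Basic auth
        user, _, password = decoded.decode("utf-8", "replace").partition(":")
        return user, password
    return None


def inspect_request(raw_request: bytes, dst_port: int) -> dict:
    """Classify one request: alert when a hidden account is used against a GUI port."""
    creds = parse_basic_auth(raw_request)
    user = creds[0] if creds else None
    hit = user in HIDDEN_ACCOUNTS if user else False
    on_dpa_port = dst_port in DPA_GUI_PORTS
    return {
        "user": user,
        "dpa_port": on_dpa_port,
        "alert": hit and on_dpa_port,
        "reason": "hidden EMC DPA account used" if hit else None,
    }


def make_request(user: str, password: str) -> bytes:
    """Construct a sample request the way a client sends Basic auth (constructed data)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return (
        "GET /placeholder-rest-endpoint HTTP/1.1\r\n"   # endpoint path is a placeholder
        "Host: dpa.example.internal:9002\r\n"
        f"Authorization: Basic {token}\r\n"
        "\r\n"
    ).encode()


if __name__ == "__main__":
    print(inspect_request(make_request("emc.dpa.agent.logon", "PASSWORD_PLACEHOLDER"), 9002))
    print(inspect_request(make_request("alice", "PASSWORD_PLACEHOLDER"), 9002))
```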

Android mining trojan so aggressive it can break your device

As cryptocurrencies become more valuable, cybercriminals are upping their game to try to make a healthy profit from their unwilling victims. This week, the SonicWall Capture Labs Threat Research Team received reports of a malicious Android app which turns a mobile device into a cryptocurrency mining slave.

Infection cycle:

The sample we have analyzed installed a fake security application called CM Security. It even uses the same icon as the legitimate version from Cheetah Mobile.

Upon installation it asks for admin privileges.

After being granted admin rights, the malicious app hides its icon from the main menu. It also makes it difficult for a standard user to uninstall the app, as the option is grayed out.

This app checks the operating system build to verify whether it is being run in a virtual environment or an emulator. It checks for common emulators such as the Android emulator kernel Goldfish, Genymotion and Droid4x.

With admin rights, this malware now has access to the phone's address book and can send SMS messages, among many other capabilities.

This malware uses the wakelock mechanism to force the device to stay on, while also using the keyguard service to lock and unlock the keyboard.

We found the following modules within the app which are related to displaying advertisements on the user's device.

We also found modules that appear to handle how the compromised device communicates back to a remote server and possibly how commands are received and malicious tasks are carried out.

And lastly, we found this mining class within the app. This malware uses Coinhive, a JavaScript miner for the Monero blockchain.

It has been reported that with the aggressive mining efforts that this malware does, it puts the device under strain making it work at full load which then causes it to overheat and break the device.

SonicWall Capture Labs provides protection against this threat with the following signature:

  • GAV: AndroidOS.Coinminer.JS (Trojan)

Cisco Prime Network Analysis Module Directory Traversal Vulnerability

Cisco Prime Network Analysis Module (NAM) is network management software that provides network administrators with multifaceted visibility to help optimize network resources, troubleshoot performance issues, and deliver a consistent end-user experience.

A directory traversal vulnerability has been reported in the Cisco Prime Network Analysis Module. Because of an input validation bug when processing certain HTTP parameters, an attacker could send a crafted HTTP request to graph.php to gain access to any file or folder accessible to the web service, and even delete any file the web service has permission to delete.

The file graph.php in Cisco Prime Network Analysis Module is used for displaying graphic elements such as charts on the web page. It includes a routine that reads local files inside /tmp; the name of the file in the /tmp directory is specified by the sfile parameter. However, graph.php lacks the necessary filtering on this parameter. When the parameter contains “../”, it can reach files outside the web folder, causing a directory traversal vulnerability. What makes things worse is that the same request path also deletes the file. That means an unauthenticated attacker could cause considerable damage on the target server.

    // open file
    if(!file_exists($sfile) || !($f = fopen($sfile, "r"))) {
        error_log("Stat file not found: $sfile");
        exit;
    }

    // read file
    while(!feof($f) && strncmp(fgets($f, 2000), "| Interval ", 12)) // skip other stats
    {;}
    fgets($f, 2000);
    $j = 0;
    $bytes = array();
    while(!feof($f)) {
        $s = fgets($f, 2000);
        $s = substr($s , strrpos($s, "| "));
        $s = substr($s, 1, -2);
        $bytes[$j++] = (int)trim($s);
    }
    fclose($f);

    // only checks if the path starts with /tmp/, if so, delete the file.
    // no filter on the parameter
    if(strncmp($sfile, "/tmp/", 5)==0) unlink($sfile);

SonicWall Capture Labs Threat Research team has developed the following signature to identify and stop the attacks:

  • IPS 13122: Cisco Prime Network Analysis Module graph sfile Directory Traversal
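To show why the /tmp/ prefix test in graph.php is not a containment check, here is an added example (Python, not Cisco's code) that reproduces the prefix test beside a hardened version which resolves the path and requires it to stay inside the base directory; the sample directory and files it uses are constructed in a temporary location.

```python
"""The sfile check from graph.php, reproduced beside a hardened version.

Added example, not Cisco code. The original only tests that the string starts
with "/tmp/", so a parameter such as "/tmp/../etc/passwd" passes the test, is
read, and is then unlinked. The fixed version canonicalizes the path and
refuses anything whose resolved location is outside the base directory.
"""
import os
import shutil
import tempfile


def prefix_check_ok(sfile: str) -> bool:
    """Equivalent of strncmp($sfile, "/tmp/", 5) == 0: a pure string prefix test."""
    return sfile.startswith("/tmp/")


def resolve_inside(base_dir: str, sfile: str):
    """Return the canonical path if it lies inside base_dir, else None."""
    base = os.path.realpath(base_dir)        # follows symlinks and collapses ../
    target = os.path.realpath(sfile)
    # commonpath rejects both ../ escapes and sibling directories like /tmpfoo
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def read_stat_file_fixed(base_dir: str, sfile: str) -> str:
    """Hardened flow: only a regular file resolved inside base_dir is read and removed."""
    target = resolve_inside(base_dir, sfile)
    if target is None or not os.path.isfile(target):
        raise PermissionError(f"refusing path outside {base_dir}: {sfile!r}")
    with open(target, "r") as f:
        data = f.read()
    os.unlink(target)                        # the delete the original performs, now contained
    return data


def demo() -> dict:
    """Show the traversal string passing the prefix test but failing the fixed check."""
    base = tempfile.mkdtemp()                # constructed stand-in for the service's filesystem
    stat_dir = os.path.join(base, "tmp")     # plays the role of /tmp
    os.makedirs(stat_dir)
    secret = os.path.join(base, "secret.txt")  # a file outside the stat directory
    with open(secret, "w") as f:
        f.write("outside\n")
    traversal = os.path.join(stat_dir, "..", "secret.txt")
    results = {
        "prefix_check_passes_traversal": prefix_check_ok("/tmp/../etc/passwd"),
        "fixed_check_rejects_traversal": resolve_inside(stat_dir, traversal) is None,
        "fixed_check_rejects_sibling_dir": resolve_inside("/tmp", "/tmpfoo/x") is None,
    }
    try:
        read_stat_file_fixed(stat_dir, traversal)
        results["fixed_read_refused"] = False
    except PermissionError:
        results["fixed_read_refused"] = True
    results["secret_still_exists"] = os.path.exists(secret)
    shutil.rmtree(base)
    return results


if __name__ == "__main__":
    print(demo())
```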