Export-grade ciphers are still in use (Oct 7, 2016)

Since World War II, the U.S. government has regulated the export of cryptography on national security grounds. Export of cryptographic technology and devices from the United States was severely restricted by U.S. law until 1992 and then gradually eased until 2000. Export-grade cipher suites, which limit symmetric keys to 40 bits and RSA or Diffie-Hellman keys to 512 bits, were created in the 1990s to comply with those regulations. For backward compatibility, many web browsers and web servers continued to support these weak ciphers until recent years.

Last year, security researchers published papers revealing vulnerabilities in export-grade ciphers (you may have heard of the FREAK and Logjam attacks). Since then, browser and web server vendors have taken the necessary steps to drop support for export-grade ciphers.

A year after those disclosures, Dell SonicWALL still observes web traffic using export-grade ciphers. September 2016 statistics show hits on IPS sid:6366 "Client Hello with EXPORT Cipher Suites 1":

Export-grade ciphers are insecure: a man-in-the-middle can downgrade a connection to a 512-bit key that is cheap to break, then read or alter the traffic. Dell SonicWALL urges all customers to review their environment and patch or reconfigure the software that still offers these weak ciphers.
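To make the check behind a signature such as "Client Hello with EXPORT Cipher Suites" concrete, here is an added Python example (the editor's, not SonicWALL's IPS code) that parses a TLS ClientHello record and lists any export-grade cipher suites the client offered. The byte layout follows RFC 5246 and the suite IDs are those of RFC 2246 Appendix A.5; the two ClientHello messages are constructed inside the script so it runs offline.

```python
"""Flag TLS ClientHello messages that offer export-grade cipher suites.

Added example, not SonicWALL code. Record/handshake layout per RFC 5246;
export suite IDs per RFC 2246 Appendix A.5. The sample handshakes are
constructed below.
"""
import struct

# 40-bit RC4/RC2/DES40 suites with 512-bit RSA or DH key exchange.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}


def client_hello_cipher_suites(record: bytes) -> list[int]:
    """Return the cipher suite IDs offered in one TLS ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:          # content type: handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:              # handshake type: client_hello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                      # client_version + random
    sid_len = hello[pos]
    pos += 1 + sid_len                                # session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(hello):
        raise ValueError("bad cipher_suites length")
    suites = hello[pos:pos + cs_len]
    return [struct.unpack("!H", suites[i:i + 2])[0] for i in range(0, cs_len, 2)]


def export_suites_offered(record: bytes) -> list[str]:
    """Names of export-grade suites present in the ClientHello (empty if none)."""
    return [EXPORT_SUITES[s] for s in client_hello_cipher_suites(record)
            if s in EXPORT_SUITES]


def build_client_hello(suites, version=(3, 1)) -> bytes:
    """Build a minimal TLS 1.0 ClientHello record (constructed test input)."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (bytes(version) + b"\x11" * 32 + b"\x00"   # version, random, empty session_id
             + struct.pack("!H", len(cs)) + cs
             + b"\x01\x00")                             # one compression method: null
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + bytes(version) + struct.pack("!H", len(hs)) + hs


# Constructed samples: a legacy client still offering two export suites,
# and a modern client offering only ECDHE/AES suites.
LEGACY_HELLO = build_client_hello([0x002F, 0x0035, 0x0003, 0x0014, 0x000A])
MODERN_HELLO = build_client_hello([0xC02F, 0xC030, 0x002F, 0x0035])

if __name__ == "__main__":
    for name, rec in (("legacy", LEGACY_HELLO), ("modern", MODERN_HELLO)):
        print(name, export_suites_offered(rec) or "no export suites offered")
```

A client that offers these suites is a finding in itself (it points at unpatched software), but the downgrade attacks above also need a server that accepts them. To test a server, an OpenSSL build that still contains export ciphers can attempt a handshake with `openssl s_client -connect host:443 -cipher EXPORT`; OpenSSL 1.1.0 and later no longer ship export ciphers, so that command fails there regardless of the server.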

References:
https://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States

Shade Ransomware (Oct 7th, 2016)

The Dell SonicWALL Threats Research team has observed a ransomware Trojan that has existed for over a year and is still actively spreading in the wild. It spreads via malicious websites hosting exploit kits and via infected email attachments. It is believed to be Russian in origin and has spread mostly in Russia.

Infection Cycle:

The Trojan uses the following icon:

Below is a sample of DNS queries made by the Trojan:

      thepieur.com
      asifroep.com
      goudabuy.com
      drybloom.com
      guluchui.com
      91catdog.com
      jennywei.com
      heximdev.com
      niukouji.com
      getvakil.com
      votepies.com
      scan-van.com
      etest365.com
      cdxxszjy.com
      footypie.com

The Trojan adds the following values to the registry Run key so that its copies start at logon:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = %ALLUSERSPROFILE%\Application Data\Windows\csrss.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetworkSubsystem = %ALLUSERSPROFILE%\Application Data\Csrss\csrss.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CSRSS = %ALLUSERSPROFILE%\Application Data\Drivers\csrss.exe

The Trojan adds the following files to the filesystem:

  • %SYSTEMROOT%\README1.txt
  • %SYSTEMROOT%\README10.txt
  • %SYSTEMROOT%\README2.txt
  • %SYSTEMROOT%\README3.txt
  • %SYSTEMROOT%\README4.txt
  • %SYSTEMROOT%\README5.txt
  • %SYSTEMROOT%\README6.txt
  • %SYSTEMROOT%\README7.txt
  • %SYSTEMROOT%\README8.txt
  • %SYSTEMROOT%\README9.txt
  • %USERPROFILE%\Local Settings\Temp\4C7E0EC.exe [Detected as GAV: FileCryptor.LJR (Trojan)]
  • %USERPROFILE%\Local Settings\Temp\ADADBC6C.exe [Detected as GAV: FileCryptor.GAP (Trojan)]
  • %ALLUSERSPROFILE%\Application Data\Csrss\csrss.exe [Detected as GAV: FileCryptor.LJR (Trojan)]
  • %ALLUSERSPROFILE%\Application Data\Drivers\csrss.exe [Detected as GAV: FileCryptor.LJR (Trojan)]
  • %ALLUSERSPROFILE%\Application Data\Windows\csrss.exe [Detected as GAV: FileCryptor.LJR (Trojan)]
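All three autorun entries above launch a binary called csrss.exe from under Application Data, a name borrowed from the real Client Server Runtime Subsystem, which only ever runs from %SYSTEMROOT%\System32. The Python below is an added example by the editor, not SonicWALL tooling: it scans a dump of Run-key values (constructed here from the entries in this alert plus two benign ones) and flags any image that carries a core system-process name but lives outside System32. The environment-variable expansions and the set of protected names are assumptions for an XP/2003-era host layout, which is what the paths in this alert reflect.

```python
"""Flag autorun entries whose image masquerades as a Windows system process.

Added example, not SonicWALL tooling. The Run-key values are the ones listed
in the Shade alert; ENV and SYSTEM_PROCESS_NAMES are the editor's assumptions
for an XP/2003-era host.
"""
import ntpath
import re

# Core process names that malware borrows. On the hosts this alert describes,
# these binaries legitimately live only in %SYSTEMROOT%\System32.
SYSTEM_PROCESS_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe",
                        "winlogon.exe", "svchost.exe"}

# Assumed expansions for the variables used in the alert (XP layout).
ENV = {
    "SYSTEMROOT": r"C:\Windows",
    "ALLUSERSPROFILE": r"C:\Documents and Settings\All Users",
    "USERPROFILE": r"C:\Documents and Settings\Admin",
}
SYSTEM32 = ntpath.normcase(ntpath.join(ENV["SYSTEMROOT"], "System32"))


def expand(path: str) -> str:
    """Expand %VAR% references using the fixed ENV table above."""
    return re.sub(r"%(\w+)%",
                  lambda m: ENV.get(m.group(1).upper(), m.group(0)), path)


def image_path(command: str) -> str:
    """Extract the executable path from a Run-key command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = re.match(r"(.+?\.exe)(\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command


def is_masquerade(command: str) -> bool:
    """True if the image uses a system-process name from outside System32."""
    path = expand(image_path(command))
    head, name = ntpath.split(path)
    return (name.lower() in SYSTEM_PROCESS_NAMES
            and ntpath.normcase(head) != SYSTEM32)


def scan_run_keys(entries):
    """entries: iterable of (value_name, command). Returns the suspicious ones
    as (value_name, expanded image path)."""
    return [(name, expand(image_path(cmd)))
            for name, cmd in entries if is_masquerade(cmd)]


# Constructed Run-key dump: the three Shade values plus two benign entries.
RUN_KEY = [
    ("Client Server Runtime Subsystem",
     r"%ALLUSERSPROFILE%\Application Data\Windows\csrss.exe"),
    ("NetworkSubsystem", r"%ALLUSERSPROFILE%\Application Data\Csrss\csrss.exe"),
    ("CSRSS", r"%ALLUSERSPROFILE%\Application Data\Drivers\csrss.exe"),
    ("Sidebar", r'"C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun'),
    ("Netsvcs", r"%SYSTEMROOT%\System32\svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for value_name, path in scan_run_keys(RUN_KEY):
        print(f"SUSPICIOUS  {value_name!r:40} -> {path}")
```

The check is deliberately narrow: a matching name in the wrong directory. Legitimate software never installs a second csrss.exe, so there is little noise, and the same rule catches the other two Shade paths because the directory, not the specific path, is what is tested.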

The readme files contain the following message:

      All the important files on your computer were encrypted.
      To decrypt the files you should send the following code:
      0E7F1123D9BE734AF274|0
      to e-mail address Yvonne.Vancese1982@gmail.com .
      Then you will receive all necessary instructions.
      All the attempts of decryption by yourself will result only in irrevocable loss of your data.
      If you still want to try to decrypt them by yourself please make a backup at first because
      the decryption will become impossible in case of any changes inside the files.
      If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!),
      use the feedback form. You can do it by two ways:
      1) Download Tor Browser from here:
      https://www.torproject.org/download/download-easy.html.en
      Install it and type the following address into the address bar:
      http://cryptsen7fo43rr6.onion/
      Press Enter and then the page with feedback form will be loaded.
      2) Go to the one of the following addresses in any browser:
      http://cryptsen7fo43rr6.onion.to/
      http://cryptsen7fo43rr6.onion.cab/

The links had already been blocked at the time of writing.

After each DNS request it makes the following HTTP GET request to each host:

The C&C server is located on the Tor network, where all communication is encrypted. An RSA-3072 public key is requested from the server:

The Trojan then searches the filesystem for files with predefined extensions and encrypts them using the RSA-3072 public key. Each encrypted file is renamed to a name similar to the following, with a da_vinci_code extension:

  • WY4BA86OCcwPVkbdji2JiS888iAqO7jOnXtXvJtekBU=.0E7F1123D9BE734AF274.da_vinci_code

After encrypting these files it displays the following message on the desktop background:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

      GAV: Shade.A (Trojan)
      GAV: FileCryptor.LJR (Trojan)
      GAV: FileCryptor.GAP (Trojan)

HPE Network Automation RCE Vulnerability (Sept 30, 2016)

HPE Network Automation is a management tool for tracking, regulating and automating configuration and software changes across a distributed network. The software is built from Java components.

An arbitrary code execution vulnerability has been discovered in HPE Network Automation 9.1x, 9.2x, 10.0x before 10.00.02.01, and 10.1x before 10.11.00.01. A remote attacker can exploit it by sending a crafted serialized Java object that is deserialized through the Apache Commons Collections (ACC) library. Successful exploitation results in arbitrary code execution in the context of the HPE Network Automation service on the target server. HPE released a patch for this vulnerability on Sept 20, 2016.

The Dell SonicWALL threat research team has researched this vulnerability and released the following IPS signature:

  • IPS:11887 HPE Network Automation Insecure Deserialization

This vulnerability is tracked as CVE-2016-4385.

Vulnerability on Adobe Flash Player, Exploit in the Wild (Sep 23, 2016)

Adobe Flash Player is prone to a use-after-free vulnerability, CVE-2016-4228. It affects Adobe Flash Player before 18.0.0.366, 19.x through 22.0.0.209 on Windows and OS X, and before 11.2.202.632 on Linux. An attacker can exploit it remotely with a crafted SWF file, for example one embedded in an HTML page. A successful attack leads to arbitrary code execution with the privileges of the current process.

A proof-of-concept exploit is already in the wild (see reference). A detailed analysis follows.

The object class involved in this use-after-free is MovieClip, which is used to manipulate movie clips in ActionScript. The PoC uses the createEmptyMovieClip() function to create such an object.


Figure 1: Documented createEmptyMovieClip() function and its usage.

Next, a Rectangle property is added to the flash.geom package. Both its getter and its setter point at one function, which frees the previously created MovieClip object (mc) by calling removeMovieClip():

var mc = this.createEmptyMovieClip("mc", 1); // the MovieClip created earlier with createEmptyMovieClip()
var g = flash.geom;
g.addProperty("Rectangle", func, func);      // point both getter and setter to the same function

function func()
{
    trace("here");
    mc.removeMovieClip();                    // ... and in this function, the MovieClip object is freed
    ...                                      // fix heap
}

At this point the MovieClip object is not freed until the getter/setter is actually invoked. Invoking it normally decrements the object's reference count by one, the object is freed, and every reference to it is cleared as well, so no use-after-free occurs.

However, there is an undocumented function that can invoke the getter/setter while keeping a reference to the MovieClip object alive: ASnative(). ASnative returns the native handler or property of an ActionScript function, selected by its two numeric parameters:

var f = ASnative(900,405);

The PoC then accesses the stale MovieClip reference, triggering the use-after-free.

The break-down of the PoC is shown in the figure below:

Figure 4: The PoC exploit

Dell SonicWALL Threat Research Team has researched this vulnerability and released following signatures to protect their customers:

  • SPY:1024
  • SPY:1371

Reference: https://bugs.chromium.org/p/project-zero/issues/detail?id=842

Bosnian Ransomware spreading in the wild (September 23, 2016)

The Dell SonicWALL Threats Research team has received reports of a new ransomware Trojan that encrypts the victim's files and leaves an email address to contact in order to unlock them.

Infection cycle:

The Trojan poses as a PDF document:

The Trojan copies itself, posing as Trend Micro software, to the following location:

C:\Users\Admin\TrendMicro

The Trojan encrypts all of the victim's documents and pictures.

It stores a 16-byte key used for the encryption in the file key.pkm.

The file sound.wav contains the ransom message.

It displays the following ransom message (in Bosnian):

This translates to :

All of your files on your computer are locked and it is impossible to break the encryption. It is impossible to break the CryptoLocker. If you want the files back, pick up the mail.

The ransom for all your files and permanent protection from similar invasions is only 50 euros. Answer the mail.

When a random key is entered, it displays the following message and deletes the files:

We urge our users to always be vigilant and cautious with any unsolicited attachments, especially when you are not certain of the source.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Spyeye.Y (Trojan)

We are Sparta; The Battle to Defend our Data from Invaders

With a background in security and ancient history, I love to draw parallels between the famed battles of old and the network security struggles of the modern world. To understand those struggles you have to look at the data. Since our customers started using the SonicWall Capture Advanced Threat Protection (ATP) Service we have a clearer view of where attacks come from and how often they happen. To get a manageable sample size I narrowed this down to 300 companies; one for each Spartan at the battle of Thermopylae.

In that legendary battle a small force of 300 Spartans, together with a few thousand other Greek soldiers, defended their homeland against an invading force more than ten times their size. Every day, companies are pitted in a similar conflict against those who want to penetrate their network defenses and reach their data. Outnumbered by an onslaught of newly authored malware, companies need help keeping their data secure in the face of ransomware and other zero-day attacks. In the technology world, one of SonicWall's Spartans is Capture ATP, a multi-engine, cloud-based isolated environment in which suspicious code, files and executables are examined.

The service reached general availability in August 2016 and the metadata has been coming in. One of the biggest questions our partners and customers ask is how much data is sent to the cloud and how fast the service is. In short, cloud-based analysis is fast; to show what that means, let's look at one day's data from 300 customers in their own "Battle of Thermopylae" to stay secure.

In one day, a pool of 300 average customers can expect (numbers rounded for readability):

  • 28,800 files will not be known to the firewall and will be sent to Capture for further analysis.
  • 10,700 of those will already be known to the Capture service, or be duplicates, and won't need further processing. The verdict is returned to the firewall and the file is blocked or released per policy.
  • 18,100 will be unique and will go through pre-filtering before sandbox analysis.
  • 15,450 of these will be identified as good and allowed into the network.
  • 130 will be fairly new malware already known to the Capture pre-filter but not yet to the firewall's static filters at the time of the scan (those signatures follow shortly).
  • The remaining 2,520 (+/- 15%) will be labeled suspicious and sent to the Capture ATP sandboxes for analysis. Most will turn out to be good; their hashes are recorded in the Capture database so they need not be analyzed again.
  • On this day, six were found to be never-before-seen malware (44 were found in the previous seven days, with a daily high of 10 and a low of 1).
  • These six were a mixture of Trojans, ransomware (Locky) and other malware.
  • In near real time, the hashes of the six newly discovered malicious files were submitted to the Capture database, so all other Capture ATP subscribers are immediately protected from follow-on attacks. The files were also sent to the SonicWall GRID team to analyze and to create signatures for the GAV and IPS databases within 48 hours.
  • Two seconds was the median processing time per file.
  • 83% of files received a verdict in under five seconds.
  • The total amount of data sent to the cloud for all 300 was less than 9.8 GB, about 32.6 MB per organization; the equivalent of watching a 10-minute YouTube video.
  • To put the plight of the 300 in perspective: at this rate they will see roughly 2,450 new malware variants in a year, more than eight per network.

It stands to reason that SonicWall Capture ATP's multi-engine environment gives customers a powerful and fast tool to stop the most advanced persistent threats before they reach an organization's infrastructure. To learn how you can leverage SonicWall Capture, read this technical brief on delivering deeper network security. Remember, together we are Sparta!


Microsoft Security Bulletin Coverage (Sept 13, 2016)

Dell SonicWALL has analyzed and addressed Microsoft's security advisories released on Sept 13, 2016. The issues reported, along with Dell SonicWALL coverage information, are as follows:

MS16-104 Cumulative Security Update for Internet Explorer

  • CVE-2016-3247 Microsoft Browser Memory Corruption Vulnerability
    IPS:11854 "Microsoft Browser Memory Corruption Vulnerability (MS16-104)"
  • CVE-2016-3291 Microsoft Browser Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-3292 Internet Explorer Memory Corruption Vulnerability
    GAV "MalAgent.H_4622"
  • CVE-2016-3295 Microsoft Browser Memory Corruption Vulnerability
    IPS:11855 "Microsoft Browser Memory Corruption Vulnerability (MS16-104) 1"
  • CVE-2016-3297 Microsoft Browser Memory Corruption Vulnerability
    IPS:11856 "Microsoft Browser Memory Corruption Vulnerability (MS16-104) 2"
  • CVE-2016-3324 Internet Explorer Memory Corruption Vulnerability
    IPS:11788 "Suspicious Obfuscated JavaScript Code 38"
  • CVE-2016-3325 Microsoft Browser Information Disclosure Vulnerability
    IPS:11858 "Microsoft Browser Information Disclosure Vulnerability (MS16-104) 1"
  • CVE-2016-3351 Microsoft Browser Information Disclosure Vulnerability
    SPY:1184 "Malformed-File html.MP.64_2"
  • CVE-2016-3353 Internet Explorer Security Feature Bypass
    There are no known exploits in the wild.
  • CVE-2016-3375 Scripting Engine Memory Corruption Vulnerability
    SPY:1173 "Malformed-File html.MP.63"

MS16-105 Cumulative Security Update for Microsoft Edge

  • CVE-2016-3247 Microsoft Browser Memory Corruption Vulnerability
    IPS:11854 "Microsoft Browser Memory Corruption Vulnerability (MS16-104)"
  • CVE-2016-3291 Microsoft Browser Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-3294 Microsoft Edge Memory Corruption Vulnerability
    IPS:11850 "Microsoft Edge Memory Corruption Vulnerability (MS16-105)"
  • CVE-2016-3295 Microsoft Browser Memory Corruption Vulnerability
    IPS:11855 "Microsoft Browser Memory Corruption Vulnerability (MS16-104) 1"
  • CVE-2016-3297 Microsoft Browser Memory Corruption Vulnerability
    IPS:11856 "Microsoft Browser Memory Corruption Vulnerability (MS16-104) 2"
  • CVE-2016-3325 Microsoft Browser Information Disclosure Vulnerability
    IPS:11858 "Microsoft Browser Information Disclosure Vulnerability (MS16-104) 1"
  • CVE-2016-3330 Microsoft Edge Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-3350 Microsoft Edge Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-3351 Microsoft Browser Information Disclosure Vulnerability
    SPY:1184 "Malformed-File html.MP.64_2"
  • CVE-2016-3370 PDF Library Information Disclosure Vulnerability
    SPY:1121 "Malformed-File pdf.MP.174_3"
  • CVE-2016-3374 Microsoft Edge Information Disclosure Vulnerability
    SPY:1150 "Malformed-File pdf.MP.175_2"
  • CVE-2016-3377 Scripting Engine Memory Corruption Vulnerability
    IPS:11853 "Scripting Engine Memory Corruption Vulnerability (MS16-105)"

MS16-106 Security Update for Microsoft Graphics Component

  • CVE-2016-3348 Win32k Elevation of Privilege Vulnerability
    SPY:1122 "Malformed-File exe.MP.22"
  • CVE-2016-3349 Win32k Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-3354 GDI Information Disclosure Vulnerability
    SPY:1284 "Malformed-File py.MP.1_2"
  • CVE-2016-3355 GDI Elevation of Privilege Vulnerability
    SPY:1159 "Malformed-File exe.MP.23"
  • CVE-2016-3356 GDI Remote Code Execution Vulnerability
    There are no known exploits in the wild.

MS16-107 Security Update for Microsoft Office

  • CVE-2016-0137 Microsoft APP-V Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-0141 Microsoft Information Disclosure Vulnerability
    This is a local vulnerability.
  • CVE-2016-3357 Microsoft Office Memory Corruption Vulnerability
    SPY:1128 "Malformed-File ppt.MP.5"
  • CVE-2016-3358 Microsoft Office Memory Corruption Vulnerability
    SPY:1162 "Malformed-File xlsb.MP.4"
  • CVE-2016-3359 Microsoft Office Memory Corruption Vulnerability
    SPY:1195 "Malformed-File xlsb.MP.5"
  • CVE-2016-3360 Microsoft Office Memory Corruption Vulnerability
    SPY:1199 "Malformed-File ppt.MP.6"
  • CVE-2016-3361 Microsoft Office Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-3362 Microsoft Office Memory Corruption Vulnerability
    SPY:4964 "Malformed-File xlsb.MP.6"
  • CVE-2016-3363 Microsoft Office Memory Corruption Vulnerability
    SPY:1206 "Malformed-File xls.MP.53"
  • CVE-2016-3364 Microsoft Office Memory Corruption Vulnerability
    SPY:1217 "Malformed-File docx.MP.10"
  • CVE-2016-3365 Microsoft Office Memory Corruption Vulnerability
    SPY:1123 "Malformed-File xlsb.MP.2"
  • CVE-2016-3366 Microsoft Office Spoofing Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-3381 Microsoft Office Memory Corruption Vulnerability
    SPY:1139 "Malformed-File xlsb.MP.3"

MS16-108 Security Update for Microsoft Exchange Server

  • CVE-2016-0138 Microsoft Exchange Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-3378 Microsoft Exchange Open Redirect Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-3379 Microsoft Exchange Elevation of Privilege Vulnerability
    There are no known exploits in the wild.

MS16-109 Security Update for Silverlight

  • CVE-2016-3367 Silverlight Memory Corruption Vulnerability
    There are no known exploits in the wild.

MS16-110 Security Update for Microsoft Windows

  • CVE-2016-3346 Windows Permissions Enforcement Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-3352 Microsoft Information Disclosure Vulnerability
    IPS:11851 "Microsoft NTLM Information Disclosure (MS16-110) 1"
  • CVE-2016-3368 Windows Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-3369 Windows Denial of Service Vulnerability
    There are no known exploits in the wild.

MS16-111 Security Update for Windows Kernel

  • CVE-2016-3305 Windows Session Object Elevation of Privilege Vulnerability
    SPY:1228 "Malformed-File exe.MP.24"
  • CVE-2016-3306 Windows Session Object Elevation of Privilege Vulnerability
    SPY:1261 "Malformed-File exe.MP.25"
  • CVE-2016-3371 Windows Kernel Elevation of Privilege Vulnerability
    SPY:1262 "Malformed-File exe.MP.26"
  • CVE-2016-3372 Windows Kernel API GUID Collision Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-3373 Windows Elevation of Privilege Vulnerability
    There are no known exploits in the wild.

MS16-091 Security Update for .NET Framework

  • CVE-2016-3255 .NET Information Disclosure Vulnerability
    There are no known exploits in the wild.

MS16-112 Security Update for Windows Lock Screen

  • CVE-2016-3302 Windows Lock Screen Elevation of Privilege Vulnerability
    There are no known exploits in the wild.

MS16-113 Security Update for Windows Secure Kernel Mode

  • CVE-2016-3344 Windows Secure Kernel Mode Information Disclosure Vulnerability
    There are no known exploits in the wild.

MS16-114 Security Update for Windows SMBv1 Server

  • CVE-2016-3345 Windows SMB Authenticated Remote Code Execution Vulnerability
    There are no known exploits in the wild.

MS16-115 Security Update for Microsoft Windows PDF Library

  • CVE-2016-3370 PDF Library Information Disclosure Vulnerability
    SPY:1121 "Malformed-File pdf.MP.174_3"
  • CVE-2016-3374 Microsoft Edge Information Disclosure Vulnerability
    SPY:1150 "Malformed-File pdf.MP.175_2"

MS16-116 Security Update in OLE Automation for VBScript Scripting Engine

  • CVE-2016-3375 Scripting Engine Memory Corruption Vulnerability
    SPY:1173 "Malformed-File html.MP.63"

Unlock92 Ransomware V2.0 seen in the wild (Sep 9, 2016)

The Dell SonicWALL Threat Research team has received reports of yet another ransomware. Unlock92 was first seen barely two months ago, and security researchers were quick to find flaws in its implementation and release a decryption tool to help victims restore their files. The criminals immediately caught on and released a new version in which files are encrypted under a randomly generated RSA-2048 key.

Infection Cycle:

Unlock92 arrives as a seemingly harmless Microsoft Office file and may use the following icons:

Figure 1: Unlock92 purports to be a harmless Word document or Excel spreadsheet

Upon execution, it spawns the corresponding legitimate MS Office executable to launch that application:

Figure 2: Unlock92 launches the legitimate MS Excel program

Figure 3: Unlock92 launches the legitimate MS Word program

Also seen in Figure 3 above is Unlock92 spawning cmd.exe. It runs the net view command to enumerate the domains, computers and shared resources reachable from the victim's machine.

Figure 4: Unlock92 runs the net view command

Upon successful infection, Unlock92 encrypts the victim's files and adds a ".blocked" extension to them.

Figure 5: Example of encrypted files in a victim’s machine

It also drops a copy of the instruction file and a keyvalue.bin file into every directory on the system, as seen in Figure 5 above. The private key is encrypted with an RSA-2048 public key and saved as keyvalue.bin. Both files are also added to the Startup folder so they launch automatically when Windows starts, and they are pinned to the Start and Programs menus so the victim cannot miss them.

Figure 6: Instruction file and keyvalue.bin files pinned to Start/Program menus

The instruction file whose file name translates to “!!!!!!!! How to recover files !!!!!!!” reads:

"Your files are encrypted with RSA- 2048 algorithm cryptographically . If you want to recover them, send one of the encrypted files and keyvalue.bin file to the e-mail address: unlock92@india.com If you do not receive a reply within 24 hours, then download the TOR browser from www.torproject.com and visit the following website: hxxp://ezxxxxxxxxxxxxxx.onion - the most current email address will be listed there. It is not possible to visit this website without a TOR browser. Attempts to self-recover files may irreversibly damage them!"

Because of the prevalence of these types of malware attacks, we urge our users to back up their files regularly.

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: Unlock92.A (Trojan)

Command Injection vulnerabilities in FreePBX Framework

FreePBX is an open-source, web-based administrative tool for controlling and managing Asterisk, a software implementation of a telephone Private Branch eXchange (PBX). It supports various IP telephony protocols for connecting telephone services together, including the public switched telephone network.

Due to improper handling of user-uploaded filenames, a command injection vulnerability exists in the Recordings module of FreePBX. After receiving a file from the user, the convert() function of the Media\Media class is called, which in turn calls the convert() function of Media\Driver\Drivers\SoxShell to convert the file. The SoxShell class uses the Process component of a third-party library, Symfony, to run the sox command in a sub-process. Because the filename from the user is not validated beforehand, a crafted filename carrying shell metacharacters and an injected command is executed in that sub-process. A remote attacker can exploit this by embedding commands in the filename. Successful exploitation leads to arbitrary command execution in the security context of the unprivileged asterisk user.
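The flaw described above is the classic pattern of dropping an attacker-controlled filename into a shell command line. The Python below is an added example by the editor, not FreePBX or Symfony code: it reproduces the bug and the fix side by side, using printf as a harmless stand-in for sox so that it runs offline on any POSIX system. The allowlist pattern for upload names is an assumption about what a recordings module should accept.

```python
"""Shell command injection through a filename, and its fix.

Added example, not FreePBX code. 'printf' stands in for 'sox' so the demo
is harmless and runs offline; UPLOAD_NAME is an assumed allowlist for
recording uploads.
"""
import re
import subprocess

# Assumed policy: short alphanumeric base name, one known audio extension.
UPLOAD_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(wav|mp3|ogg)$")


def convert_vulnerable(filename: str) -> str:
    """The bug: interpolate the user-supplied name into a shell string."""
    cmd = f"printf '%s\\n' {filename}"        # stands in for: sox <file> out.wav
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def validate_upload_name(filename: str) -> str:
    """Reject anything outside the allowlist before it reaches a command."""
    if not UPLOAD_NAME.fullmatch(filename):
        raise ValueError(f"rejected upload name: {filename!r}")
    return filename


def accepts(filename: str) -> bool:
    """True if the hardened path would process this name at all."""
    return UPLOAD_NAME.fullmatch(filename) is not None


def convert_hardened(filename: str) -> str:
    """The fix: validate, then pass the name as one argv element, no shell."""
    name = validate_upload_name(filename)
    return subprocess.run(["printf", "%s\n", name],
                          capture_output=True, text=True).stdout


# Constructed inputs: a benign recording name and an injected one.
BENIGN = "greeting_01.wav"
MALICIOUS = "x.wav; echo INJECTED"

if __name__ == "__main__":
    print("vulnerable:", repr(convert_vulnerable(MALICIOUS)))   # second command runs
    print("hardened  :", repr(convert_hardened(BENIGN)))
    try:
        convert_hardened(MALICIOUS)
    except ValueError as exc:
        print("hardened  :", exc)
```

The vulnerable path lets `x.wav; echo INJECTED` run a second command because the whole string is handed to /bin/sh. Passing the name as a single argv element already defeats shell metacharacters, but the allowlist still matters: without it a name such as `--help` would be parsed by the converter as an option, and a name containing path separators could point outside the upload directory.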

A separate SQL injection vulnerability exists in FreePBX due to improper sanitization of the display HTTP parameter passed to config.php. On a request for /admin/config.php, modulefunctions.class.php builds an SQL query from the value of the display parameter, and the query is then executed by DB.class.php. Because the parameter is not verified, an attacker can send a crafted HTTP request whose display value carries SQL commands against the FreePBX database, asterisk. Successful exploitation executes the injected SQL statement on the server, which can alter back-end data and eventually lead to arbitrary code execution with the privileges of the mysql user.
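For the display parameter, the same contrast between concatenation and parameter binding applies. The following Python is an added example, not FreePBX code: it uses an in-memory SQLite table as a stand-in for the MySQL asterisk database, builds the lookup once by string formatting and once with a bound parameter, and shows what a crafted display value does to each. The table and column names are invented for the demo.

```python
"""SQL injection via an unbound request parameter, and the bound fix.

Added example, not FreePBX code. SQLite stands in for MySQL; the 'modules'
table and its columns are invented for the demo.
"""
import sqlite3


def demo_db() -> sqlite3.Connection:
    """Constructed stand-in for the FreePBX 'asterisk' database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE modules (modulename TEXT, version TEXT, enabled INTEGER)")
    conn.executemany("INSERT INTO modules VALUES (?, ?, ?)", [
        ("core", "13.0.1", 1),
        ("recordings", "13.0.5", 1),
        ("backup", "13.0.2", 0),          # disabled: should never be returned
    ])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, display: str) -> list[str]:
    """The bug: the request parameter is spliced straight into the SQL text."""
    sql = (f"SELECT modulename FROM modules "
           f"WHERE modulename = '{display}' AND enabled = 1")
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, display: str) -> list[str]:
    """The fix: the parameter travels as data, never as SQL syntax."""
    sql = "SELECT modulename FROM modules WHERE modulename = ? AND enabled = 1"
    return [row[0] for row in conn.execute(sql, (display,))]


# Constructed attacker input: closes the string, forces the WHERE clause true,
# and comments out the 'enabled = 1' restriction.
INJECTED_DISPLAY = "x' OR 1=1 --"

if __name__ == "__main__":
    conn = demo_db()
    print("vulnerable   :", lookup_vulnerable(conn, INJECTED_DISPLAY))
    print("parameterized:", lookup_parameterized(conn, INJECTED_DISPLAY))
    print("legit lookup :", lookup_parameterized(conn, "core"))
```

SQLite's execute() refuses stacked statements, so this demo shows only the read-side bypass (the disabled module appears in the result); the alert's data-alteration scenario builds on the same injection point against MySQL. Binding the parameter removes both.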

Dell SonicWALL has researched these vulnerabilities. The following signatures have been created to protect our customers:

  • IPS: 11848 FreePBX Framework Remote Command Execution
  • IPS: 11843 FreePBX Framework SQL Injection

RanSerKD ransomware uses Imgur to store infection data (Sept 2nd, 2016)

Ransomware continues its steady upward trend, and almost daily a new ransomware family or variant appears on the internet. The RanSerKD family is fairly recent and is one of the rare families that uses large hosting sites such as Dropbox or, in this case, Imgur as part of its infection cycle.

Infection Cycle:

The Trojan uses the following icon:

The Trojan reports infection over UDP to a variety of IP addresses in the 37.x.x.x block:

It also uses an image album hosted on imgur.com to keep track of infections:

The files uploaded to Imgur carry valid PNG headers so that Imgur's servers accept them; the remainder of each file holds information about the infected system and the files that were encrypted:
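Imgur accepts the upload because the file begins as a structurally valid PNG; the Trojan's data rides behind the image. The Python below is the editor's added example, not SonicWALL code: it walks the PNG chunk list (8-byte signature, then length/type/data/CRC chunks) up to IEND, verifies each CRC, and returns whatever follows. The 1x1 image and the appended "infection record" are constructed here so that it runs offline.

```python
"""Detect data appended behind a valid PNG, as RanSerKD does with its uploads.

Added example, not SonicWALL tooling. Chunk layout per the PNG specification.
The image and the trailing payload are constructed below.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack("!I", len(data)) + ctype + data + struct.pack("!I", crc)


def minimal_png() -> bytes:
    """A valid 1x1 8-bit grayscale PNG (constructed sample)."""
    ihdr = struct.pack("!IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # w, h, depth, colour, comp, filter, interlace
    idat = zlib.compress(b"\x00\x00")                     # filter byte + one pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def parse_png(blob: bytes):
    """Return (chunk_types, trailing_bytes); raise on a malformed header or chunk."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, types = len(PNG_SIG), []
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack("!I4s", blob[pos:pos + 8])
        end = pos + 12 + length
        if end > len(blob):
            raise ValueError(f"truncated chunk {ctype!r}")
        data = blob[pos + 8:end - 4]
        crc = struct.unpack("!I", blob[end - 4:end])[0]
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in chunk {ctype!r}")
        types.append(ctype.decode("ascii"))
        pos = end
        if ctype == b"IEND":                 # decoders stop here; anything after is foreign
            break
    return types, blob[pos:]


def hidden_payload(blob: bytes) -> bytes:
    """Bytes following IEND (empty for a clean image)."""
    return parse_png(blob)[1]


CLEAN = minimal_png()
PAYLOAD = b"host=WIN-TEST|id=aV26PK|files=412|ext=.cry"   # constructed stand-in for the report
POLYGLOT = CLEAN + PAYLOAD

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("polyglot", POLYGLOT)):
        types, tail = parse_png(blob)
        print(label, types, f"{len(tail)} trailing bytes", tail[:32])
```

Trailing bytes after IEND are a strong signal because image libraries stop decoding at IEND and never write past it. The parser also returns the chunk types, so unexpected private or ancillary chunks (another place to hide data inside an otherwise valid image) can be flagged by the same walk.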

The Trojan adds the following files to the filesystem:

  • %USERPROFILE%\Local Settings\Temp\OyowVgCc.exe [Detected as GAV: RanSerKD (Trojan)]
  • %USERPROFILE%\Local Settings\Temp\uoislYbV.html
  • %USERPROFILE%\Recent\!Recovery_aV26PK.html.lnk
  • %USERPROFILE%\Recent\!Recovery_aV26PK.txt.lnk
  • %USERPROFILE%\Start Menu\Programs\Startup\FKsDUFe5.lnk

The Trojan encrypts various files on the system and appends “.cry” to their filenames. After encrypting files and deleting desktop icons the following files are dropped onto the desktop:

They contain the following message:

The message refers to a link hosted on the Tor anonymity network. The page provides instructions on how to pay to retrieve the encrypted files:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: RanSerKD (Trojan)