High-Risk Path Traversal in SolarWinds Serv-U

Overview

The SonicWall Capture Labs threat research team became aware of a path traversal vulnerability in SolarWinds Serv-U, assessed its impact and developed mitigation measures. Serv-U is a managed file transfer server that provides secure file transfer and control inside and outside an organization. Identified as CVE-2024-28995, the vulnerability allows an unauthenticated threat actor to read local files remotely on SolarWinds Serv-U 15.4.2 HF 1 and earlier versions, earning a high CVSS score of 8.6. Because of multiple reports of in-the-wild exploitation, users are strongly encouraged to upgrade their instances to the latest fixed version, SolarWinds Serv-U 15.4.2 HF 2, as stated by the vendor in its advisory.

Technical Overview

This vulnerability arises from a flaw in the input validation performed while building the local path of a requested file in the BuildLocalPath method. It allows remote threat actors to supply a maliciously crafted InternalDir parameter in the request and traverse to any path on the affected system. The attacker can then name any file using the InternalFile parameter to read it.

The diff of the affected function provided by Rapid7 shows that the patch introduced a check that rejects the path traversal sequence when it is present in the parameter, as seen in Figure 1. This makes it highly likely that this function is the root cause of the issue.

Figure 1: Checks introduced in the affected function, source: rapid7

Additionally, as seen in Figure 2, the affected function is called to process the crucial user-supplied inputs InternalDir and InternalFile, and their values are then used to retrieve a file. An arbitrary file can therefore be read by sending a crafted request.

Figure 2: Affected function processing user inputs, source: rapid7

Exploitation

To trigger and exploit this vulnerability, an attacker must send a request with a crafted value in the InternalDir parameter, as seen in Figure 3. Successful exploitation gives the remote threat actor access to sensitive files and information on the server, as demonstrated by reading the win.ini file in the example. This vulnerability has a high impact on data confidentiality and does not require user interaction.

Figure 3: Exploit in action
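As an added example (not code from the original post or from SolarWinds), the following Python scans web-server access-log lines for traversal sequences in the InternalDir and InternalFile parameters, percent-decoding repeatedly so that plain, encoded and double-encoded variants are all caught. The log layout, client addresses and request lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log sample (not from the original post). Assumed layout:
# "<client> <METHOD> <path?query> <status>". Lines 2-5 imitate traversal attempts
# against the InternalDir / InternalFile parameters named in the advisory.
SAMPLE_LOG = r"""
203.0.113.7 GET /?InternalDir=/Client/Common/&InternalFile=Login.htm 200
203.0.113.9 GET /?InternalDir=/../../../../windows/&InternalFile=win.ini 200
203.0.113.9 GET /?InternalDir=%2F..%5C..%5C..%5Cwindows%5C&InternalFile=win.ini 200
203.0.113.9 GET /?InternalDir=%252e%252e%255c%252e%252e%255cwindows&InternalFile=win.ini 200
198.51.100.4 GET /?InternalDir=/Client/Common/&InternalFile=..\..\windows\win.ini 200
198.51.100.5 GET /?InternalDir=/Client/Common/&InternalFile=Style.css 200
"""

# Parameters the advisory identifies as reaching BuildLocalPath.
WATCHED_PARAMS = ("internaldir", "internalfile")

# A ".." path component delimited by either separator style (or the string edge),
# so "file..txt" is not a hit but "/../" and "..\" are.
DOTDOT = re.compile(r"(^|[\\/])\.\.($|[\\/])")


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded payloads (%252e -> %2e -> .) collapse."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value: str) -> bool:
    """True when the decoded parameter value contains a '..' path component."""
    return DOTDOT.search(fully_decode(value)) is not None


def parse_line(line: str):
    """Split one log line into (client, method, [(param, value), ...], status)."""
    client, method, target, status = line.split()
    # parse_qsl already performs one round of percent-decoding on names and values.
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    return client, method, params, status


def find_traversal_attempts(log_text: str):
    """Return (client, parameter, decoded value) for each request carrying traversal."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, _method, params, _status = parse_line(line)
        for name, value in params:
            if name.lower() in WATCHED_PARAMS and has_traversal(value):
                hits.append((client, name, fully_decode(value)))
    return hits


if __name__ == "__main__":
    for client, name, value in find_traversal_attempts(SAMPLE_LOG):
        print(f"{client}: traversal in {name} -> {value}")
```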

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS: 4454 SolarWinds Serv-U Path Traversal 2
  • IPS: 20138 SolarWinds Serv-U Path Traversal 3

Threat Graph

The SonicWall sensor data shows a significant number of exploit attempts, considering the software’s popularity.

Remediation Recommendations

Considering the widespread user base of SolarWinds products and the underlying risk of sensitive data exposure, users are strongly encouraged to upgrade their instances to the latest versions, as mentioned in the vendor advisory.

Relevant Links

Not If, But When: The Need for a SOC and Introducing the SonicWall European SOC

When you think about cyber threats or attacks, what comes to mind? It’s easy to associate cyberattacks with large enterprises since those are the attacks that frequently make the news. But small- and medium-sized businesses (SMBs) aren’t immune – in fact, they are often more attractive targets for threat actors because of their size and perceived lack of security. SMBs are also often targeted because they are part of the supply chain of a larger organization, or they can be collateral damage in software supply chain attacks.

Many SMBs turn to managed service providers (MSPs) to manage their IT and cybersecurity needs. These MSPs deploy numerous common security tools to the benefit of their customers, including firewalls, next-generation antivirus, endpoint detection and response (EDR), and others. All of these tools generate alerts; sometimes these alerts are urgent signs of a security problem, but they can also be false positives, and it can be hard to determine which alerts need immediate attention. Additionally, these alerts come at all hours of the day and night. If an MSP doesn’t have the staff to monitor and respond to alerts 24/7, what started as an annoying security alert could turn into a major cyber incident, as the delay in response gave the threat actor free dwell time.

What’s an MSP to do to keep their SMB clients secure? That’s where partnering with a 24/7 SOC provider to offer Managed Detection and Response (MDR), Cloud Detection and Response (CDR), and Network Detection and Response (NDR) can help.

A 24/7 SOC Makes All the Difference

Most MSPs don’t have a SOC of their own. Even if they have one or two security engineers, the bulk of the team is focused on broader IT needs and may not have the specific cybersecurity expertise to recognize the alerts that need response, and the security engineers simply can’t monitor everything around the clock. Adding the power of a 24/7 SOC through managed security services offerings like SonicWall’s helps eliminate alert fatigue while also ensuring critical security alerts are addressed promptly, thus minimizing any damage.

While it may be easy to think that a SOC monitoring and responding to cyber threats at all hours is something only the biggest multinational enterprises need, as noted above, SMBs are targets themselves. Even more concerning: 60% of small businesses affected by a cyberattack go out of business within six months. The constant monitoring and quick response of a SOC is an essential piece of the security puzzle for SMBs and can quite literally be business-saving.

The SonicWall SOC: Now Available in Europe!

At SonicWall, we’ve made a commitment to constantly listen and learn from our MSP partners. We’ve taken an outside-in approach to our product and service development, and we are committed to walking with our MSP partners throughout their journeys. That’s why, as a result of listening to our partners in Europe, we’re excited to announce the launch of our European Security Operations Center!

Our European SOC will power all our managed security services offerings for our European partners. Our SOC analysts are based in Ireland and Germany, and the product data centers also reside there, helping to ensure our MSP partners stay compliant with GDPR without having to fill out a million forms. The European SOC functions the same way our North American SOC does; as our MSP partner, you’ll be the hero to your clients, and we’ll stand behind you to keep you and your clients secure. The SOC can also provide service across the entire attack surface, including the endpoint, cloud and perimeter.

Ready to learn more? You can get started with SonicWall’s MDR with a free 30-day proof of concept! Reach out to your account manager or contact us to learn more.

New Orcinius Trojan Uses VBA Stomping to Mask Infection

Overview

This week, the SonicWall Capture Labs threat research team investigated a sample of Orcinius malware. This is a multi-stage trojan that uses Dropbox and Google Docs to download second-stage payloads and stay updated. It contains an obfuscated VBA macro that hooks into Windows to monitor running windows and keystrokes and creates persistence using registry keys.

Infection Cycle

The initial infection method is an Excel spreadsheet, in this case, “CALENDARIO AZZORTI.xls”.

Figure 1: Initial file detection

The file appears to be an Italian calendar with three worksheets that discuss billing cycles in various cities.

Figure 2: One of the visible sheets seen when opened

The file has a VBA macro that has been modified with a technique called ‘VBA stomping’, in which the original source code is destroyed, leaving only the compiled p-code. This means that viewing the macro within the document will show either nothing or a harmless version of the code, which runs when the file is opened (and closed), as the Olevba output shows.

Figure 3: Olevba tool output showing some of the malicious functionality

At runtime, the macro performs the following actions:

  • Check registry keys and write a new key to hide warnings
    • “HKCU\Software\Microsoft\Office\Excel\Security\VBAWarnings”
    • “HKCU\Software\Microsoft\Office\Word\Security\VBAWarnings”
  • Enumerate windows currently running using EnumThreadWindows
  • Set up persistence by writing a key to HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
  • Reach out to both of the encoded URLs and attempt to download using WScript.Shell
  • Use SetWindowsHookEx to monitor keyboard input
  • Create a number of randomized timers for activation and download attempts
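As an added example that is not part of the original post, the following Python flags two of the registry behaviours listed above (VBAWarnings forced to 1 and a write under Excel\Resiliency\StartupItems) in Sysmon-style registry events. The event layout, image paths and SID are constructed for illustration.

```python
import re

# Constructed Sysmon-style registry events (not from the original post). Assumed field
# layout: "<EventID>|<Image>|<TargetObject>|<Details>", where EventID 13 = value set
# and EventID 12 = key created/deleted.
SAMPLE_EVENTS = r"""
13|C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Office\Excel\Security\VBAWarnings|DWORD (0x00000001)
13|C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Office\Word\Security\VBAWarnings|DWORD (0x00000001)
13|C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems\ZZZ|Binary Data
13|C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Office\16.0\Excel\Options\DefaultPath|C:\Users\user\Documents
13|C:\Windows\explorer.exe|HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden|DWORD (0x00000002)
12|C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Office\Excel\Security|
"""

# The VBAWarnings values named in the post; 1 means "Enable all macros", so no warning bar.
VBA_WARNINGS = re.compile(
    r"\\Software\\Microsoft\\Office\\(Excel|Word)\\Security\\VBAWarnings$", re.IGNORECASE)
# Resiliency\StartupItems under any Office version (the sample writes to 14.0).
STARTUP_ITEMS = re.compile(
    r"\\Software\\Microsoft\\Office\\\d+\.\d+\\Excel\\Resiliency\\StartupItems\\", re.IGNORECASE)
DWORD_VALUE = re.compile(r"DWORD \((0x[0-9A-Fa-f]+)\)")


def classify(event_id: str, image: str, target: str, details: str):
    """Map one registry event to (tactic, description), or None if it is unrelated."""
    if event_id != "13":                       # only value-set events carry the written data
        return None
    m = VBA_WARNINGS.search(target)
    if m:
        dword = DWORD_VALUE.search(details)
        if dword and int(dword.group(1), 16) == 1:
            return ("defense_evasion", f"{m.group(1)} VBAWarnings set to 1 (enable all macros)")
        return None
    if STARTUP_ITEMS.search(target):
        writer = image.rsplit("\\", 1)[-1]
        return ("persistence", f"Excel Resiliency\\StartupItems entry written by {writer}")
    return None


def scan(events: str):
    """Return the alerts raised over a block of pipe-delimited events."""
    alerts = []
    for line in events.splitlines():
        if not line.strip():
            continue
        event_id, image, target, details = line.split("|", 3)
        hit = classify(event_id, image, target, details)
        if hit:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for tactic, description in scan(SAMPLE_EVENTS):
        print(f"[{tactic}] {description}")
```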

Figure 4: Enumerating running windows

Figure 5: Setting a hook for keyboard monitoring

Figure 6: URLs and Synaptics references

There are also references to ‘Synaptics.exe’ and ‘cache1.exe’. This sample and the listed URLs have been associated with Remcos, AgentTesla, Neshta, HTMLDropper and other families that masquerade as ‘Synaptics.exe’, and can be found on VirusTotal. During analysis, the pages at both addresses were unavailable.

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this malware, the following signatures have been released:

  • Orcinius

IOCs

28dd92363338b539aeec00df283e20666ad1bdee90d78c6376f615a0b9481f97

URLs

www-env.dropbox-dns[.]com

hxxps://docs.google[.]com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

hxxps://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

A Deep Dive Into DarkME Rat Malware

DarkMe RAT steals information from victims’ machines and responds to various commands received from its Command and Control (C&C) server. A spike in DarkMe RAT distribution was observed in February 2024, when the hacking group Water Hydra exploited the zero-day CVE-2024-21412. The SonicWall threat research team recently analyzed a variant of the DarkMe RAT malware. Execution of DarkMe RAT starts from a Windows Shortcut File (LNK), which uses a Microsoft Installer File and COM DLL registration to evade detection by security software.

Windows Shortcut File

The Windows Shortcut File (LNK) displays an image related to a stock trading graph to distract the user while a malicious batch script from a URL is executed in the background. The batch script is responsible for downloading and executing the malicious Microsoft Installer File (MSI). MSI files are not commonly used by malware authors and thus arouse less suspicion from security software.

Figure 1: Content of Windows Shortcut File

Figure 2: Image displayed to the user

A URL-hosted batch script downloads the MSI file into the %temp% folder and starts its execution.

Figure 3: Content of batch script

The LNK file, along with the MSI file, is hosted on a WebDAV share by the threat actor.

Figure 4: Content of attacker-hosted server

Microsoft Installer File

Windows Installer (msiexec.exe) extracts files from “oxc.msi” and starts executing the DLL file “AFWIKFNMUI9430.ocx” using rundll32 by calling the exported function “RunDllEntryPointW.” The infection chain then runs several further executables to load and execute the encrypted DarkMe RAT binary “Video01.mp4.”

Figure 5: Files extracted from MSI file

First Executable (AFWIKFNMUI9430.ocx)

The malware copies the extracted files from the directory “%temp%” to “%appdata%\WMProjectFiles” and imports registry entries from “info.txt” using the Registry Console Tool (reg.exe). The “info.txt” file contains registry entries that register the COM DLL “soundtrack.ocx” with CLSID “AAE802DB-FB67-4407-A175-61223EFF30D4.” The registered COM DLL is then executed by rundll32 with that CLSID in a Single-Threaded Apartment (STA), using the following command line: “rundll32.exe” /sta {AAE802DB-FB67-4407-A175-61223EFF30D4}

Figure 6: Content of registry file

Second Executable (soundtrack.ocx)

The malware copies a legitimate executable from “%appdata%\WMProjectFiles\Sound.mp3” to “%appdata%\ProductConfigurations\WINDBVERS.EXE,” which is the target process for hollowing with the DarkMe RAT binary. It then decrypts “%appdata%\WMProjectFiles\WMFile01.tmp” into the DLL “C:\Users\Public\Libraries\WMFile01.dll.” The file is decrypted with a single-byte XOR operation, except for the first few bytes of the MZ header, which are left as they are. The malware then invokes the decrypted DLL through its exported function “VBDLLDEMO.”

Third Executable (WMFile01.dll)

The DLL file decrypts the final payload (Video01.mp4) using the same logic that decrypted WMFile01.dll. The malware creates a suspended process from the legitimate file “%appdata%\ProductConfigurations\WINDBVERS.EXE” and resumes its execution after loading the DarkMe RAT code into it using process hollowing.

DarkME RAT

The Visual Basic compiled DarkMe RAT executable is highly obfuscated to make analysis of the file more difficult. While debugging, the malware makes the analyst go through the obfuscation code inside each module or function call.

Obfuscation

The malware code is padded with large blocks of garbage code, each preceded by an unconditional jump over it to the next piece of executable code. The jump target may be a genuine malware instruction or yet another block of obfuscation.

Figure 7: Obfuscated code

An IDA Python script can be used to simplify the obfuscated code, making it easier to debug. The Python script searches for obfuscated code and replaces it with a single jump instruction to the actual malware code.

Figure 8: IDA Python script to remove obfuscation

String Encoding

The malware keeps its strings encoded and decodes them before use. Strings are stored as their hex values, sometimes with a single round of hex encoding and sometimes with two.

Figure 9: Strings decryption

Single Instance Execution

The malware checks for the window name “MS-Office network” using the API FindWindowA and terminates its execution if the window name is found. If the malware instance is not already running, the malware creates a window named “MS-Office network” and continues executing the malicious code.

Data Exfiltration

The malware collects various information from the victim’s machine, including the country name, details of the installed antivirus product, the computer name, the username and the active window name. To retrieve the country information, the malware calls the API GetLocaleInfoA with the arguments “LOCALE_SISO3166CTRYNAME” and “LOCALE_SENGLISHCOUNTRYNAME,” which return values such as “US” and “United States” respectively.

Figure 10: English name of the country

Figure 11: ISO-based name of the country

The malware retrieves the computer name and username information from the environment variables.

Figure 12: Gets computer name and username

The malware gets the installed antivirus information using Windows Management Instrumentation (WMI) queries. All the strings related to WMI queries are kept encrypted and are decrypted by adding 0x0A to each byte of the encrypted string.

Figure 13: Decryption logic for WMI-related queries

The malware executes the query “SELECT * FROM AntivirusProduct” to retrieve the installed antivirus details.

Figure 14: Code to retrieve AV information

The malware gets the active window name using the APIs GetForegroundWindow and GetWindowTextA. The information can be used by threat actors at the C&C server to identify the debugging environment. For example, if the malware is being debugged using the IDA debugger, threat actors will receive the active window name as “IDA” and can avoid further communication with the targeted machine.

Network Communication

The RC4 encrypted C2 address (AA1EC8EE260AEB1B34081CA091FD29F6240C4F) is decrypted using the RC4 key “noway123!$$#@35@!” to get the C2 address “unfawjelesst322.com.” The malware gets the IP address for the decrypted C2 host using the API gethostbyname and uses socket APIs for communicating with the C2 server.

Figure 15: C2 information
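The decoding routines described above (strings recovered by adding 0x0A to each byte, hex-encoded strings with one or two rounds, the single-byte XOR payload decryption that skips the MZ header, and the RC4-protected C2 address), as an added Python example that is neither the post's nor the malware's own code. The RC4 blob and key are the values quoted in the post; the XOR key byte, the header length and the sample strings are assumptions for demonstration.

```python
# Values quoted in the post: the RC4-encrypted C2 blob and its key.
C2_RC4_HEX = "AA1EC8EE260AEB1B34081CA091FD29F6240C4F"
C2_RC4_KEY = b"noway123!$$#@35@!"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). The cipher is symmetric, so one routine encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation, XORed into the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_c2(hex_blob: str = C2_RC4_HEX, key: bytes = C2_RC4_KEY) -> bytes:
    """Recover the C2 host name; the post reports unfawjelesst322.com for these inputs."""
    return rc4(key, bytes.fromhex(hex_blob))


def decode_wmi_string(encoded: bytes) -> str:
    """WMI query strings are stored with 0x0A subtracted from each byte; add it back."""
    return bytes((b + 0x0A) & 0xFF for b in encoded).decode("latin-1")


def encode_wmi_string(plain: str) -> bytes:
    """Inverse of decode_wmi_string, used here only to build test material."""
    return bytes((b - 0x0A) & 0xFF for b in plain.encode("latin-1"))


def decode_hex_string(encoded: str, rounds: int = 1) -> str:
    """Strings stored as hex digits, sometimes hex-encoded twice (rounds=2)."""
    text = encoded
    for _ in range(rounds):
        text = bytes.fromhex(text).decode("latin-1")
    return text


def xor_payload(blob: bytes, key: int, header_len: int = 2) -> bytes:
    """Single-byte XOR over the file body, leaving the first header_len bytes of the
    MZ header untouched. The key byte and exact header length are not given in the
    post, so both are parameters (assumed values for demonstration)."""
    head, body = blob[:header_len], blob[header_len:]
    return head + bytes(b ^ key for b in body)


if __name__ == "__main__":
    print(decrypt_c2())
    print(decode_wmi_string(encode_wmi_string("SELECT * FROM AntivirusProduct")))
```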

The malware collects and sends system information to the C2 server using the send API from DLL ws2_32.dll. The stolen information is separated using the delimiter “0xA9.”

Figure 16: Stolen Information

Asynchronous Commands from C2

The malware creates a window using the API CreateWindowExA for the “STATIC” class with the window name “SOCKET_WINDOW” and registers a callback function with the API SetWindowLongA. The callback function is responsible for receiving data from the C2 server using the recv API from DLL “wsock32.dll.” The malware registers the window “SOCKET_WINDOW” to receive network events for the socket connected to the C2 server using message number “401.”

Figure 17: Register window to get socket event

When the callback function for the window “SOCKET_WINDOW” receives message number “401,” it receives a command from the C2 server using the API recv from wsock32.dll.

Figure 18: Window callback function to receive commands from C2

The malware supports the following commands from the C2 server:

  • STRFLS
  • STRFL2
  • 300100
  • SHLEXE
  • RNMFIL
  • DELDEL
  • DIRMAP
  • DELMAP
  • SEITUS
  • SEITUD
  • ZIPALO
  • FRIKAT
  • COPALO
  • PASALO

Persistence Entry

The malware registers the COM DLL “%appdata%\WMProjectFiles\soundtrack.ocx” and creates a persistence entry by adding a registry value under “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run” that executes the COM DLL.

Figure 19: Registers COM DLL

Figure 20: Makes persistence entry

Only a few security providers were detecting the LNK file at the time of analysis on popular threat intelligence sharing portals such as VirusTotal and ReversingLabs, indicating its uniqueness and evasiveness:

Figure 21: LNK Detections on VirusTotal

Evidence of detection by the RTDMI™ engine can be seen below in the Capture ATP report for this file.

Figure 22: Capture report

Boost Your Business: SonicWall’s Service Provider Program Expands with New Products and Exclusive Offers

Organizations increasingly rely on security service providers to fill the gaps and face threats, exposure points, and personnel needs that are growing at a pace their budgets and actual headcount can’t keep up with. By implementing improvements focusing on simplicity and efficiency, organizations can better prepare themselves for the future. 

SonicWall has leveraged its nearly three decades in the channel industry to create a Service Provider partner program focused on delivering simplicity and efficiency to help our service provider partners meet the unprecedented demand for their knowledge and expertise. We are extending the program to more SonicWall products like Switches and Access Points to strengthen our SD-branch solution for service providers. 

The monthly program extension to Switch and Access Point users delivers superior cloud management and CapEx reduction for all partners in the Service Provider program. With this launch, we will provide service providers with access to the hardware at a special service provider-friendly price that will be exciting and cost-effective for your organization. Special pricing is available for all SonicWall Switches and SonicWave 600 Series Access Points starting July 1st, 2024. In addition, as an inaugural offer, customers who register the product in MySonicWall before October 1st, 2024, will receive 90 days of free services for the highest product bundle and 24/7 support.

We aim to help service providers increase profitability by combining our expanding threat intelligence solutions with flexible pricing options. By adding program enhancements such as simplified operations, automated provisioning and billing, unified visibility and security management, and pre-defined threat analytics, reporting, and workflows, we’re offering service providers the opportunity to meet goals more efficiently than ever. 

Go to the FAQ page to learn more about this promotional offer. Visit our Secure Access product pages to learn more about Switches, Access Points, and Wireless Network Managers.  

Are you a partner looking to enroll in our Service Provider Program? Find out more about the monthly billing program here. Customers looking to procure Switches and Access Points on monthly billing and take advantage of the new promotional offer should contact their SonicWall partner or our sales team.

StrelaStealer Resurgence: Tracking a JavaScript-Driven Credential Stealer Targeting Europe

The SonicWall Capture Labs threat research team has been tracking StrelaStealer for a long time. Recently, in the third week of June, we observed a huge spike in JavaScript spreading StrelaStealer. StrelaStealer specifically steals Outlook and Thunderbird email credentials. The infection chain looks like previous versions of StrelaStealer except major checks have been added to avoid infecting systems in Russia. We are continuing to observe its target regions limited to Poland, Spain, Italy and Germany.

The initial infection vector is an obfuscated JavaScript file delivered to the victim inside an archive attached to an email. The JavaScript file drops a copy of itself under “C:\Users\<Username>” with a random name such as “needlereportcreepy.bat”. The .bat file is then executed to check the operating system language and exclude Russian users from infection by the stealer. If the OSLanguage code is not “1049” (Russian), a base64-encoded PE file is dropped in the same directory with a random name (here, duckquixoticextra-small) and no extension. This base64 data is then decoded into a DLL with another random name (here, bellpeeleight.ico), which is executed using regsvr32.exe.

Figure 1: Checks for OSLanguage

The DLL has highly obfuscated code – the same as what we have observed in recent StrelaStealer binaries. This loader DLL then decrypts the actual PE file from its data section and injects it into the current process.

All the necessary APIs needed for stealer functionality are loaded dynamically. The stealer first checks for the keyboard layout of the system using the GetKeyboardLayout() API.

Figure 2: Checks GetKeyboardLayout

It checks for multiple language codes, including 0x0C0A (Spanish-Spain), 0x042D (Basque-Spain), 0x0415 (Polish-Poland), 0x0403 (Catalan-Spain), 0x040A (Spanish-Spain), 0x0410 (Italian-Italy) and 0x0407 (German-Germany), to determine the geolocation of the system.

The main stealing functionality starts with the Mozilla Thunderbird email client. It checks for the presence of logins.json and key4.db in the directory “C:\Users\Jay\AppData\Roaming\Thunderbird\Profiles\”. If found, the data is sent to http://45.9.74[.]176/.

Next, it checks for the presence of the registry key “SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\”. The information about email accounts is stored in subfolders under this key. All of this information is retrieved by enumerating the registry key. The information is then sent to the same IP address.

More information about StrelaStealer can be found in our previous blog.

IOCs

SHA256:

IPs

45.9.74[.]176

SonicProtect: Ultimate Security and Investment Protection for Your Business

As a firewall user, you’re likely no stranger to the headaches of price hikes, inflation and the tedious task of planning annual operation costs.

Picture this: you’ve bought an extended warranty for an old appliance like a refrigerator. When it’s time to upgrade, you’re left wondering about the remainder of your warranty. Now, imagine you could “roll over” that warranty to your new appliance. Sounds great, right? With SonicWall, you can.

SonicProtect Subscription: Superior Threat and Investment Protection

In July, we’re launching our SonicProtect Subscription to all of our firewall customers. Think of it like an extended warranty with a rollover feature. It lets you protect your investment in security services, gives you maximum flexibility, cuts costs, and ensures you get the top-notch security features of our latest firewalls without sacrificing your warranty.

SonicProtect Subscription will deliver superior threat protection and investment protection for all generations of SonicWall firewalls with a single security service subscription.

A SonicProtect Subscription provides the highest tier of security services available on any hardware or virtual firewall platform generation. For example, SonicProtect offers the Advanced Gateway Security Suite (AGSS) for Gen5 and Gen6/6.5 firewall platforms and the Advanced Protection Security Suite (APSS) for Gen7 firewall platforms.

Within the subscription period, the remainder of the security services carry over from one generation of firewalls to the next. For example, SonicProtect for the TZ400 family products will offer AGSS for TZ400 hardware, and when the customer upgrades to a TZ470, the remainder of the subscription can be applied to the TZ470 with APSS.

Advantages to Customers

Why is this beneficial to customers?

  • With 3-year and 5-year terms, SonicProtect subscriptions offer price protection on multi-year security services.
  • Customers also benefit from discounted multi-year service subscription fees and the ability to avoid any premiums on subscriptions similar to those on newer generation platforms.
  • It also offers the ability to predict OpEx spending related to security services.
  • This program entitles our customers to the highest tier of security services available on a given platform, including our patented Real-Time Deep Memory Inspection (RTDMI™) and patented single-pass, low-latency, Reassembly-Free Deep Packet Inspection (RFDPI) engines.

Embrace Flexibility and Simplicity

The SonicProtect subscription is yet another initiative from SonicWall that continues our track record of pioneering flexible consumption models. SonicProtect now gets added to our already-robust portfolio of other programs providing license portability, including a pay-as-you-go (PAYG) licensing model in cloud marketplaces, a credit-based consumption model with FlexSpend, a customer loyalty program that allows customers to refresh to our latest offerings and migrate existing licenses, and monthly billing options for MSPs and MSSPs.

In addition to offering innovative consumption models, we are also heavily invested in providing greater simplicity. At RSA 2024, we demoed SonicPlatform and were awarded a spot in CRN’s “20 Coolest Cybersecurity Products at RSA ‘24.”

SonicPlatform is an innovative cybersecurity platform designed specifically for our customers, Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs). It unifies all SonicWall products under a singular, integrated interface and represents a significant stride toward a more integrated, efficient and secure management ecosystem for SonicWall’s diverse product suite. SonicPlatform not only streamlines management tasks; it also fosters deep integration, enabling the sharing of contextual information across all enforcement points within the product family and with third-party vendors.

Ready to Upgrade?

SonicWall firewalls deliver the platform advantage with SonicPlatform and investment protection with SonicProtect.

If you’d like to leverage a SonicProtect subscription for your SonicWall firewalls, contact your SonicWall partner or us here. Learn more about SonicProtect Subscription.

Windows PHP Servers in CGI Mode Vulnerable to Exploitation (CVE-2024-4577)

Overview 

The SonicWall Capture Labs threat research team became aware of an exploited-in-the-wild information disclosure vulnerability affecting the Windows-based PHP servers used in CGI mode. Identified as CVE-2024-4577 and given a CVSSv3 score of 9.8, the vulnerability is more severe than it initially appears. Labeled as an argument injection vulnerability and categorized as CWE-78 – Improper Neutralization of Special Elements used in an OS Command – this vulnerability allows an attacker to read/modify/execute any file on the system, take control and compromise affected servers. 

A proof of concept is publicly available on GitHub. The Windows machines running affected versions (PHP 8.3 < 8.3.8, PHP 8.2 < 8.2.20, PHP 8.1 < 8.1.29 or end-of-life) of PHP with specific locales in PHP-CGI mode on XAMPP installations are vulnerable. Although XAMPP is popular mainly for dev environments, up to 250k exposed Apache servers are running PHP on Windows, according to Shodan. PHP has released a patch, and it is advisable to update it immediately.  

Technical Overview  

This vulnerability allows threat actors to bypass the protections of PHP's CGI mode by sending a crafted POST request to a vulnerable PHP server running a Japanese or Chinese locale.

PHP is a server scripting language, and a powerful tool for making dynamic and interactive web pages. It is extremely popular and is used in over 75% of all websites where the server-side programming language is known.  

The vulnerability stems from the Best-Fit feature of encoding conversion in the Windows operating system, which maps the byte 0xAD to 0x2D. In other words, %AD is decoded to a “soft hyphen,” which is then turned into a real hyphen before PHP sees it. The PHP developers overlooked this behaviour, so unauthenticated actors can bypass the protection added for CVE-2012-1823 by using specific characters in the query. The PHP CGI module may then interpret those hyphens as PHP command-line options, allowing a malicious user to pass options to the PHP binary, run arbitrary PHP code on the server and compromise PHP sites.

XAMPP users can be exploited directly when the Action directive maps HTTP requests to the PHP-CGI executable in the Apache HTTP Server, as shown in Figure 1.

Figure 1: PHP-CGI Function 

Figure 2: httpd-xampp.conf 

Default XAMPP installations are also vulnerable through a second route, because the PHP directory is exposed via the ScriptAlias directive:

ScriptAlias /php-cgi/ "C:/xampp/php/"

Triggering the Vulnerability 

Before execution, there are a few basic vulnerability checks.  

  • Primarily, the operating system should be Windows. 
  • For CVE-2024-4577 to affect the PHP server, the lines related to the PHP-CGI function in httpd-xampp.conf must be enabled, as shown in Figures 1 and 2.
  • The vulnerable PHP servers should be set to either Japanese or Chinese (Simplified or Traditional) locales. This setting can be performed as shown in Figure 3.

An example POST request to trigger the vulnerability would look like: 

http[:]//target-ip:port/?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input 

This allows an attacker to inject command-line options into PHP when it runs in a CGI-based or default XAMPP setup. Malicious code can be supplied through “php://input” and executed by using the “auto_prepend_file” option (resolved through “include_path”). The “auto_append_file” option is also accepted by vulnerable PHP servers.
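As an added example (not code from the original post), the following Python models the CGI argument rule and the Best-Fit mapping to show why the request above turns into php-cgi options, and uses that model to flag such requests in a URL list. The host, port and the other sample requests are constructed; only the third request reuses the shape shown in the post.

```python
from urllib.parse import unquote_to_bytes, urlsplit

# Bytes that Windows Best-Fit conversion maps to ASCII '-' (0x2D) in the affected
# locales. The post names 0xAD (soft hyphen); kept as a set so further mappings can be
# added once confirmed.
BEST_FIT_TO_HYPHEN = {0xAD}


def best_fit(arg: bytes) -> bytes:
    """Apply the Best-Fit mapping the post describes: 0xAD -> 0x2D, all else unchanged."""
    return bytes(0x2D if b in BEST_FIT_TO_HYPHEN else b for b in arg)


def cgi_argv(query: str) -> list:
    """RFC 3875 'search string' rule: a query with no unencoded '=' is split on '+'
    and handed to the CGI program as command-line arguments."""
    if "=" in query:
        return []
    return [unquote_to_bytes(part) for part in query.split("+") if part]


def injected_options(url: str) -> list:
    """Return (option, reason) for each argv entry that becomes a php-cgi option.
    'best-fit' marks the CVE-2024-4577 pattern (the option exists only after conversion);
    'plain' marks the older CVE-2012-1823 pattern of a literal leading '-'."""
    findings = []
    for arg in cgi_argv(urlsplit(url).query):
        mapped = best_fit(arg)
        if not mapped.startswith(b"-"):
            continue
        reason = "plain" if arg.startswith(b"-") else "best-fit"
        findings.append((mapped.decode("latin-1"), reason))
    return findings


# Constructed requests for demonstration (placeholder host and port).
SAMPLE_REQUESTS = [
    "http://203.0.113.10:8080/index.php?page=home",
    "http://203.0.113.10:8080/php-cgi/php-cgi.exe?hello+world",
    "http://203.0.113.10:8080/?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input",
    "http://203.0.113.10:8080/?-d+allow_url_include%3d1",
]


def scan_requests(urls) -> dict:
    """Map each URL to the php-cgi options it would inject (empty list = nothing found)."""
    return {url: injected_options(url) for url in urls}


if __name__ == "__main__":
    for url, found in scan_requests(SAMPLE_REQUESTS).items():
        print(("FLAG " if found else "ok   ") + url, found)
```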

Exploiting the Vulnerability 

The necessary and sufficient condition to exploit the issue is a crafted POST request to a vulnerable Apache server with the PHP-CGI function enabled. An attacker only needs to be able to reach the instance remotely, whether over the internet or a local network. A working PoC with a crafted POST query aids in exploiting this vulnerability.

Leveraging the publicly available PoC, a demonstration of exploitation can be seen in Figure 4. 

Figure 3: Control Panel 

Figure 4: CVE-2024-4577 Exploitation 

Of the roughly 250k Apache servers running PHP on Windows that are exposed on the internet according to Shodan, multiple events were observed in which attackers leveraged this vulnerability to upload malware in the second week of June 2024. According to Imperva's analysis, the malware activity was part of a "TellYouThePass" ransomware campaign. The ransomware appears to alter the service into an open directory, encrypt files and drop ransom notes (with filenames including READ_ME9.html, READ_ME10.html and READ_ME11.html).

There are around 1,000 compromised hosts online as of June 13, primarily in China, likely because Windows systems with Chinese or Japanese locales are inherently vulnerable due to their default XAMPP configuration. 

SonicWall Protections 

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released: 

  • IPS: 4451 – PHP CGI Argument Injection. 

Remediation Recommendations 

Considering the severe consequences of this vulnerability and the trend of threat actors leveraging the exploit in the wild, users are strongly encouraged to upgrade their instances to PHP's new releases, 8.3.8, 8.2.20 and 8.1.29, which address the vulnerability.


What is Content Filtering and Why Do Organizations Need It on the Endpoint?

While Hollywood has depicted cyberattacks as being conducted by a single, shadowy hacker sitting in a dark room and breaking into lucrative networks without needing to interact with any users on the network, in reality, over 90% of cyber attacks require some sort of user interaction. This sobering statistic alludes to the reality that often, user behavior and even the simplest user actions can have severe consequences that call for the attention of both network and security administrators to prevent and mitigate. In addition, with more endpoints than ever that are off-network, administrators require effective tools that prevent access to content that could pose a risk to users on each endpoint and organizations need tools that can reduce their attack surfaces in an increasingly off-network world. While content filtering has long been one of the integral tools that addresses both concerns, content filtering specifically on the endpoint is a necessary consideration in the face of today’s distributed workforce.

What is Content Filtering?

Content filtering is a software tool that allows the restriction or control of content a user is able to access across the web. This can allow the implementation of a company’s policies regarding web usage through hardware or on the company network. Content filtering addresses a primary security concern of organizations: how to control behavior on a certain endpoint, the internet or a network.

Content filters can use a variety of techniques and systems that are tied to other security tools like firewalls and can assist in blocking or allowing access to certain webpages. Because of this capability, a multitude of other benefits can be realized by enforcing certain policies through content filtering. On top of that, content filtering on the endpoint can provide protection regardless of the user's network or location.

Why is Content Filtering Important on the Endpoint?

With the explosion of endpoints that are off-network due to hybrid and remote workforce trends, the best way for content filtering tools to help organizations reduce risk is by enforcing policies on the endpoint rather than through traditional means such as firewalls on the on-prem network. On the endpoint specifically, content filtering can block cyber-attack intrusion methods such as malware delivered via URLs, drive-by downloads, compromised legitimate websites and much more. Oftentimes, the benefit of tools like content filtering is to protect users from themselves. Unfettered access to the internet can easily leave users especially vulnerable to common phishing and malware attacks.

Take the example of common social engineering and fraud phishing attacks in which users are led to click through to a spoofed website. Attacks like this can lead to stolen credentials, unknowingly downloaded malware files or worse. During the height of the COVID-19 pandemic in 2020, both the government and the private sector experienced an increased risk from COVID-related phishing emails and spoofed sites, which led to a 220% increase in phishing incidents. Falsely dressed up as legitimate governmental websites or charitable donation requests, these malicious websites and emails were used as vehicles for credential harvesting, malware delivery and more. Although there have continued to be plenty of high-profile attacks on large enterprises in recent years, SMBs have become a common target for cybercriminals and stand to lose the most, with many affected SMBs being bankrupted by cyberattacks. In today's threat landscape, content filtering is a critical line of defense that reduces the risks to an organization's cyber environment.

Use Cases for Content Filtering

While we started by highlighting the security needs and benefits of using content filtering tools, there are a variety of relevant use cases for content filtering beyond security:

  1. Increased Productivity: With seemingly endless demands on our shortening attention spans, many corners of the internet can become notorious productivity sinks. To counteract this, organizations can use content filtering to contribute to productivity by eliminating access to certain pages like social media, streaming or online shopping sites.
  2. Improved Network Performance: As non-work-related internet usage is restricted, the network’s bandwidth usage is alleviated, and organizations can experience faster connections with more efficiency.
  3. Compliance to Public Sector Regulations: For organizations such as educational institutions, state and local governments that have compliance and safety policies that need to be enforced, content filtering can keep employees from visiting known spam sites or students from accessing adult content – all of which can protect an organization against legal liabilities.

Finding the Right Content Filtering Tool for Your Organization

Content filtering has become an essential part of any administrator’s toolbox across today’s modern business landscape. Regardless of the vertical or size, the right content filtering tool should keep your organization productive, compliant and safe by enforcing proactive policies through content filtering.

SonicWall is a cybersecurity forerunner with more than 30 years of expertise and is committed to providing services and solutions that meet partners where they’re at. As part of this ethos, SonicWall Capture Client packages the best of enterprise-grade protection at the endpoint with other powerful and integral features like content filtering – which is often at an additional cost from separate vendors. Together, Capture Client is an endpoint solution that is cost-effective, consolidates tools and is a key component to a layered cyber protection and threat prevention strategy. While Capture Client’s dual engine is well-equipped to protect endpoints from all types of advanced threats, organizations need to take part in their own risk mitigation. They can do this by narrowing their attack surface and using Capture Client’s content filtering capabilities to altogether block access to inappropriate and malicious content.

To discover a truly unified dual-engine endpoint security solution and find out more about its content filtering capabilities, start a free trial or speak to our team today.

The Lifecycle of a Threat: The Inner Workings of the Security Operations Center

In a world where cyber criminals target businesses both large and small with ever-changing tactics and techniques, heroes emerge: Managed Service Providers (MSPs). They may not wear capes, but every day, MSPs provide crucial security and IT support to their customers. However, with new threats appearing almost daily, it can be impossible for the average MSP to keep up, especially as threat actors tend to take action well outside of normal working hours, including weekends, holidays and the middle of the night.

Having a Security Operations Center (SOC) is a crucial step for MSPs to defend their clients at all hours of the day and night, but building a SOC yourself can cost upwards of $1 million and come with many staffing and compliance headaches. For many MSPs, partnering to get a SOC is the way to go, such as partnering with SonicWall and our Managed Security Services team.

SonicWall’s SOC is defending our MSP partners and their clients day and night from shadowy cybercriminals. Here’s how they do it.

The Trifecta of the SOC: People, Process, Technology

Any effective SOC is a combination of three things: people, process and technology. While it’s easy to focus only on security tools like endpoint detection or antivirus software, it’s crucial that those tools are configured properly and that effective processes are in place to ensure the SOC is running efficiently.

That’s why the people are the most important element of the SOC: they are cyber experts who stay on top of the latest cyber threats and new techniques being used by threat actors. They also apply that knowledge and experience to the configuration of security tools. They can quickly determine which alerts are relevant and recognize patterns in the alerts that security tools throw, allowing them to spot and stop attacks at very early stages, minimizing damage for your clients. While security tools and software are important, it’s the people who bring the true value to a SOC.

Preparation is Everything

Arguably the most important part of the incident response cycle is the preparation before a cyber event takes place. Taking the time to ensure that all security tools have the latest updates, all endpoints have the correct tools installed, and that tools are using the latest security rules can make the difference between an annoying minor alert and a full security incident.

SonicWall’s SOC works with our partners to ensure that their environments are as prepared and protected as possible before a threat actor ever takes action. When new partners start out with SonicWall Managed Security Services, the SOC team conducts a white-glove onboarding process to ensure security tools are installed and configured properly. After that, the team performs configuration audits twice monthly and provides a report card to partners that includes any necessary actions needed to be optimally secure.

Minor, Major and Critical Alerts

The SonicWall Security Operations Center monitors for alerts and abnormal behavior 24 hours a day to protect our MSP partners and their clients from cyber threats. When alerts come in from security tools, a SOC analyst conducts an investigation. The SOC’s rules and technology configurations automatically classify alerts as minor, major or critical, and the SOC analyst can then upgrade or downgrade the alert as needed based on what they find in their investigation.

  • Minor Alerts are used for situations where abnormal activities have been identified in the environment, such as files being quarantined in unusual folders. There’s no evidence of anything else happening; something’s just weird. These alerts can be false positives. If further investigation or action is recommended, the SOC analyst will email you.
    If we were to think of the SOC as firefighters, in a Minor Alert, the SOC smells smoke but finds no evidence of a fire.
  • Major Alerts are used when there is confidence of malicious or suspicious activity in the environment. Often, this is activity that was stopped by security tools, such as quarantined malware, but further investigation is warranted to ensure the full threat has been addressed. In the event of a Major Alert, the SonicWall SOC will contact you by email with recommended next steps.
    To use our firefighter analogy, in Major Alerts the SOC smells smoke and the smoke detector is going off, but there is no evidence of an active fire.
  • Critical Alerts are used when there is high confidence of an active compromise happening. These alerts are when the SOC takes immediate action to mitigate the threat to keep any damage as minimal as possible, such as isolating an endpoint, pulling a server offline or deactivating a potentially compromised user account. Taking these immediate actions in response to a critical threat helps reduce attacker dwell time and keeps the attack from spreading across the network.
    In our firefighter comparison, this is the time the SOC sees active flames and works quickly to put them out to keep them from spreading and causing more damage.

When a Critical Alert happens, the SonicWall SOC team will call you on the phone every fifteen minutes for the first hour, and then every hour after that. Don’t worry – if you don’t answer, the SOC team won’t wait. The threat will still be addressed and we’ll fill you in once we’re able to connect.

Once the threat is contained, the SOC analyst will create a report that documents the incident, including what specifically happened, the scope of the incident, the actions they took to mitigate the threat, and any other areas of impact you may need to be aware of. They will also make recommendations for your next steps toward full remediation.

SonicWall’s Security Operations Center stands ready to defend all our MSP partners and their end clients, and we’ve made getting the around-the-clock protection of a SOC easier than ever. Our Managed Security Services are available with no annual contracts or long-term commitments and with no minimums. We partner with you and scale with you as your business scales – whether up or down.

Ready to get started? Contact us today to learn how you can get started with Managed Detection and Response (MDR) with a free 30-day proof of concept!