HermeticWiper data wiping malware targeting Ukrainian organizations

/in /by

The SonicWall Capture Labs Threat Research team has analyzed a sample which is widely believed to be targeting Ukrainian organizations.

The malware sample is digitally signed issued under the company name ‘Hermetica Digital Ltd’. There is a possibility that the attacker might have used a shell company to issue this digital certificate.

At the start and in due course of the execution it looks for the following privileges:

  • SeShutdownPrivilege
  • SeBackupPrivilege
  • SeLoadDriverPrivilege

The malware sample then identifies the operating system architecture and depending upon that loads the relevant driver.

If the malware is running on x64bit system it uses Wow64DisableWow64FsRedirection windows API to disable file system redirection so that the sample can copy the driver file in the %system32%\Drivers folder.

This malware’s resource section contains EaseUS Partition Manager drivers.
These are legitimate drivers associated with EaseUS Partition Master application which is a free partition software. These driver files are compressed by the Lempel-Ziv algorithm.

The malware enumerates the registry key SYSTEM\CurrentControlSet\Control\CrashControl and sets the value of CrashDumpEnabled form 2 (default value) to 0 so that Windows does not record any information in the memory dump file.

The malware drops the driver file in the %System%\Drivers folder and using SeLoadDriverPrivilege loads the driver.

It then uses the CreateServiceW and StartServiceW to load the driver as a Service.

The malware establishes connection with service control manager using OpenSCManager API and using OpenServiceW and ChangeServiceConfigW, it disables the VSS service (Volume Shadow Copy Service). This service is used to back up the application data.

The malware enumerates the physical drives starting from 0-100 and for each physical Drive \\.\EPMNTDRV\ device is called for a device number.

The EaseUS partition manager driver epmntdrv.sys is then used to access physical drives directly as well as getting partition information through specific IOCTLs.

The malware corrupts the first 512 bytes, the Master Boot Record (MBR) for every Physical Drive. It then waits for all sleeping threads to complete before initiating a reboot. And once the system is rebooted the missing OS prompt is displayed leaving the system unusable.

SonicWall RTDMI engine – part of Capture ATP – has a proactive 0-day protection against this malware.

 

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: HermeticWiper.A (Trojan)
  • GAV: HermeticWiper.A_1 (Trojan)

Capture Client 3.7: Rapid Threat Hunting with Deep Visibility and Storylines

/0 Comments/in , /by

As a threat hunter, your main mission is to understand the behavior of your endpoints and to capture abnormal behavior with rapid mitigation actions. You need the ability to, with a single click, search your fleet for indicators such as those mapped by the MITRE ATT&CK framework. You also need the ability to automate threat hunts for known attacks according to your own criteria.

With SonicWall Capture Client’s new Storylines capability, you can do all this and more, faster than ever before. Let’s take a look.

What is a Storyline?

Capture Client’s Deep Visibility offers rapid threat hunting capabilities thanks to SentinelOne’s patented Storylines technology. Each autonomous agent builds a model of its endpoint infrastructure and real-time running behavior.

The Storyline ID is an ID given to a group of related events in this model. When you find an abnormal event that seems relevant, use the Storyline ID to quickly find all related processes, files, threads, events and other data with a single query.

With Storylines, Deep Visibility returns full, contextualized data — including context, relationships and activities — allowing you to swiftly understand the root cause behind a threat with one search.

Image describing a query

The Storylines are continuously updated in real time as new telemetry data is ingested, providing a full picture of activity on an endpoint over time. This allows greater visibility, enables easy threat hunting and saves time.

Deep Visibility Comes with Ease of Use

Threat hunting in the Management console’s graphical user interface is powerful and intuitive. The Deep Visibility query language is based on a user-friendly SQL subset common on many other tools.

The interface assists in building the correct syntax by providing completion suggestions and a one-click command palette. This saves time and spares threat hunters — even those unfamiliar with the syntax — the pain of remembering how to construct queries.

A visual indicator shows whether the syntax is valid or not, eliminating time spent waiting for a bad query to return an error.

For example, users can search for a common “Living off the Land” technique by running a query across a 12-month period to return every process that added a net user:

Image describing common technique

(We also provide a great cheatsheet to rapidly power up your team’s threat hunting capabilities here.)

Use Case: Responding to Incidents

Suppose you’ve seen a report of a new Indicator of Compromise (IOC) in your threat intel feeds. Has your organization been exposed to it? With Storylines, you can quickly find out with a simple query across your environment. Here’s how:

In the Console’s Forensics view, copy the hash of the detection. In the Visibility view, begin typing in the query search field and select the appropriate hash algorithm from the command palette. Select or type =, then paste the hash to complete the query.

Image describing visibility view

The results will show all endpoints that ever had the file installed. Constructing powerful, threat hunting queries is that simple, even for members of your team with little to no experience with SQL-style syntax.

Deep Visibility = Fast Results

Forget about using query time to grab a cup of coffee: Deep Visibility returns results lightning fast. And thanks to its Streaming mode, you can preview the results of subqueries before the complete query is done.

Deep Visibility query results show detailed information from all your endpoints, displaying attributes like path, Process ID, True Context ID and much more.

With Deep Visibility, you can consume the data earlier, filter the data more easily, pivot for new drill-down queries, and understand the overall story much more quickly than with other EDR products.

Quicker Query of MITRE Behavioral Indicators

Deep Visibility makes hunting for MITRE ATT&CK TTPs fast and painless. It’s as easy as entering the MITRE ID.

For example, you could search your entire fleet for any process or event with behavioral characteristics of process injection with one simple query:

IndicatorDescription Contains “T1055”

There’s no need to form separate queries for different platforms. With Deep Visibility, a single query will return results from all your endpoints regardless of whether they are running Windows, Linux or macOS.

Image describing all results

Stay Ahead with Automated Hunts

Deep Visibility is designed to lighten the load on your team in every way, including giving you tools such as Watchlist, which allows you to set up and run custom threat hunting searches on your own schedule.

Creating a Watchlist is simplicity itself. In the Visibility view of the Management console, run your query. Then, click “Save new set,” choose a name for the Watchlist, and choose who should be notified. That’s it. The threat hunt will run across your environment at the specified timing interval and the recipients will receive alerts of all results.

With Storyline Automated Response (STAR) Custom Rules, you can save Deep Visibility queries or define new ones, let the queries run periodically and get notifications when a query returns results. This helps ensure your organization is secure regardless of whether you or your team are on duty.

Deep Insight at Every Level

Deep Visibility is built for granularity, allowing you to drill down on any piece of information from a query result.

Each column shows an alphabetical, filterable list of the matching items. Expanding the cell displays details; for most of these details, you can open a submenu and drill down even further. Or just use the selected details to run a new query.

Conclusion

As detailed in the 2022 SonicWall Cyber Threat Report, attacks of all types are on the rise. So it’s never been more important to proactively hunt for threats and find suspicious behaviors in its early stages — or to ensure your SOC has the tools to be as agile and efficient as possible.

SentinelOne’s Deep Visibility capabilities are available with Capture Client Premier. Click here for a free trial of Capture Client to see how Deep Visibility’s ease of use, speed and context can greatly improve your mean-time-to-detection and free up your analysts’ time.

Cybersecurity News & Trends – 02-18-22

/0 Comments/in /by

Lots of big news today. SonicWall’s upcoming Boundless 2022 global virtual event continues to rack up record registrations. See the video here and visit this page to register. Then there’s the release of the 2022 SonicWall Cyber Threat Report, which had the best first-day launch in its history. Attention garnered by the annual report toppled all previous company records. In industry news, turmoil in Ukraine ratchets up cyber threat fears, Iranians targeting VMWare, hackers targeting US defense contractors, hackers breaking into Microsoft Teams, and much more.

SonicWall News

There’s A Huge Surge In Hackers Holding Data For Ransom

Fortune Magazine: Governments worldwide saw a 1,885% increase in ransomware attacks, and the health care industry faced a 755% increase in those attacks in 2021, according to the 2022 Cyber Threat Report released Thursday by SonicWall, an internet cybersecurity company. According to the report, ransomware also rose 104% in North America, just under the 105% average increase worldwide.

Britain Should Never Seek A ‘Special Relationship’ With The EU, Says Lord Frost

The Telegraph (UK): UK ransomware climbed by 227 percent last year, the just-published SonicWall Threat Report also shows, while attempted cyberattacks also reached a record high.

SonicWall CEO On Ransomware: Every Good Vendor Was Hit In Past 2 Years

The Register: Public and private sectors are under attack as malware evolution accelerates. SonicWall’s annual cyber-threat report shows ransomware-spreading miscreants are making hay and getting quicker at doing so.

Why The Cloud Is A No-Brainer For Startups

Maddyness (UK): The global spike in ransomware due to the pandemic is alarming; according to the SonicWall Cyber Threat Report, there has been a 62% increase in ransomware globally.

Report Finds IoT Malware Attacks Targeting Routers On The Rise

CEPro: Research by SonicWall finds that ransomware attacks more than doubled last year, but IoT malware threats and cybersecurity attacks also continued to climb, hitting 60.1 million such attacks in 2021, the highest number ever recorded by the company in a single year.

Ransomware Attacks Surged 2X In 2021, SonicWall Reports

Venture Beat: new data released today by cybersecurity vendor SonicWall reveals that the total number of ransomware attacks more than doubled in 2021 — jumping 105% during the year compared to 2020.

SonicWall: Ransomware Attacks Increased 105% In 2021

TechTarget: According to researchers at SonicWall, who said in its annual threat report that ransomware attacks have grown by an eye-watering 105% over the last year, with 20 attacks being attempted every second.

Cybercriminals Target Retail With 264% Surge in Attacks

Charged Retail Tech News (UK): Cybercriminals have targeted the retail sector over the past 12 months, with a 264% surge in ransomware attacks on eCommerce and online retail businesses.

Over 620 million Ransomware Attacks Detected in 2021

InfoSecurity: According to SonicWall, corporate IT teams were faced with a triple-digit (105%) growth in ransomware attacks last year to over 623 million.

Threat Actor Adds New Marlin Backdoor to Its Arsenal

InfoRisk (UK): The massive amount of malware strains that cybercriminals can leverage today enables them to “concoct new cocktails capable of thwarting both past and present security systems,” Bill Conner, CEO and president of cybersecurity firm SonicWall, says.

Crypto Crime: UK’ Crypto Jacking’ Attacks Jump 564 Percent in One Year

City AM (UK): Global ransomware attacks doubled to 623m incidents in 2021, with some 91.7m crypto-jacking incidents taking place, up by almost a fifth compared to the previous year, according to a new report from cyber security company SonicWall.

Ransomware Attacks More Than Doubled Last Year

ZDNet: According to an analysis by cybersecurity researchers at SonicWall, the volume of attempted ransomware attacks targeting their customers rose by 105% in 2021 to a total of 623.3 million attempted incidents throughout the year.

Ransomware Data Leaks Saw Major Surge In 2021

ITProPortal: A separate report from SonicWall said that, for the first three quarters of 2021, attempted ransomware attacks grew 148 percent, year-on-year. At the same time, the average ransom demand rose 36 percent to $6.1 million.

Report: Pretty Much Every Type Of Cyberattack Increased In 2021

Planet Storyline: SonicWall’s 2022 Cyber Threat Report has come to some alarming, but likely unsurprising, conclusions: Pretty much every category of cyberattack increased in volume throughout 2021.

Ransomware Attacks Surged 2X In 2021, SonicWall Reports

TECHIO: In the latest indicator of just how severe the ransomware problem became last year, new data released today by cybersecurity vendor SonicWall reveals that the total number of ransomware attacks more than doubled in 2021 – jumping 105% during the year compared to 2020.

Cyberattacks Increased In 2021

TechRepublic: The only category to decrease was malware attacks, but SonicWall said in its report that even that number was deceptive.

Ransomware Attacks Increase 105% In 2021, SonicWall Report Finds

TechDecisions: SonicWall’s Cyber Threat Report reveals that ransomware volume has exploded over the last two years, rising 232% since 2019.

Breaking Comments On Red Cross Cyber Attack

Information Security Buzz: It’s been confirmed the Red Cross cyber attack was the work of nation-state actors. SonicWall’s latest report, released today, confirms this is not a standalone development, revealing a +1885% and +755% of ransomware attacks on the global government and healthcare sectors, respectively.

Ransomware Attacks Are Rising at An Unprecedented Rate

HotHardware: The ransomware threat is rising at an alarming rate, and a new report by SonicWall fleshes out the picture. 2020 alone saw 304 million ransomware attacks. As if that wasn’t enough, the doubling of ransomware attacks in 2021 over 2020 amounts to a total of 623 million ransomware attacks globally in 2021. Together, these two years represent a 232% rise in the volume of ransomware attacks since 2019.

SonicWall Research: Hackers Attempted 623M Ransomware Attacks in 2021

MSSP Alert: Nearly all monitored threats, cyberattacks and malicious digital assaults increased in 2021, according to the 2022 SonicWall Cyber Threat Report.

Healthcare Sector Saw The Largest Increase In IoT Malware Attacks In 2021

SCMagazine: The healthcare sector saw the largest increase in target IoT malware attacks in 2021, according to the latest annual SonicWall Cyber Threat Report. Compiled from data collected from 1.1 million global sources, researchers saw a 71% increase in IoT malware against healthcare clients.

105% Increase Seen in Global Ransomware Attacks, Reports SonicWall

ReadITQuik: The 2022 SonicWall Cyber Threat Report is now out, announced SonicWall. The report identified a 167% year-over-year increase in encrypted threats, a 6% volume rise in IoT malware, totaling 60.1 million hits by year’s end, as well as a ransomware volume rise of 232% since 2019.

SonicWall Releases New Cyber Threat Report 2022

Infopoint Security (De): SonicWall today released their annual Cyber ​​Threat Report for 2022. As the bi-annual report shows, ransomware attacks have increased significantly, with 623.3 million attacks worldwide.

Alarming Rise in Ransomware And Malicious Cyberattacks, With Threats Doubling In 2021

AAS (De): Over 623 million ransomware attacks worldwide – a whopping 105% increase + ransomware attacks up 232% since 2019 + ransomware up a whopping 98% in US and UK respectively.

Industry News

US Companies Warned to Prepare for Russian Cyber Attacks

Defense One: US companies, particularly in the defense industry, should be prepared for an increase in cyberattacks aimed at stealing data or disrupting operations due to new aggressive Russian activity aimed at Ukraine, a top Department of Justice official said on Thursday. The remarks come one day after a recent alert from the FBI, National Security Agency, and the Cybersecurity and Infrastructure Security Agency, or CISA, warning that Russian hackers had hit defense contractors and were likely to continue their attempts.

Ukraine Cyberattack Is Largest of Its Kind In Country’s History, Says Official

CNN: A high-volume cyberattack that temporarily blocked access to the websites of Ukrainian defense agencies and banks on Tuesday was “the largest [such attack] in the history of Ukraine,” according to a government minister. Speaking at a press conference Wednesday, Ukrainian Minister of Digital Transformation of Ukraine Mykhailo Fedorov added that it is too early to tell who was responsible for the attack. However, officials said the distributed denial of service (DDoS) attack — which bombarded Ukrainian websites with phony traffic — was coordinated and well planned.

Iranian Hackers Targeting VMware Horizon Log4j Flaws to Deploy Ransomware

The Hacker News: A “potentially destructive actor” aligned with the government of Iran is actively exploiting the well-known Log4j vulnerability to infect unpatched VMware Horizon servers with ransomware. Cybersecurity firm SentinelOne dubbed the group “TunnelVision” owing to their heavy reliance on tunneling tools, with overlaps in tactics observed to that of a broader group tracked under the moniker Phosphorus as well as Charming Kitten and Nemesis Kitten.

Russian Hackers Have Targeted Defense Contractors to Steal Sensitive Data

Gizmodo: US Intelligence authorities say that a multi-year hacking campaign has resulted in sensitive IT information being stolen from Pentagon-linked defense contractors and subcontractors. According to the report, the goal is to steal sensitive data and information using spear phishing, brute force attacks, credential harvesting, and other typical intrusion techniques. The purpose of the hacking campaigns appears to have been to acquire “sensitive information” about things like US weapons and missile development, intelligence, surveillance, and reconnaissance capabilities, vehicle and aircraft design, and command, control, and communications systems, officials said.

Hackers Circulate Malware by Breaking Into Microsoft Teams Meetings

PC Magazine: Hackers have been spotted infiltrating Microsoft Teams meetings to circulate malware to unsuspecting users. Last month, email security provider Avanan noticed the attacks, which involve hackers dropping malicious executable files on Microsoft Teams through in-session chats. “Avanan has seen thousands of these attacks per month,” the company warned in a Thursday report. The hackers are likely infiltrating Microsoft Teams after first compromising an email account belonging to an employee. The email account can then be used to access Teams meetings at their company. Also reported by Bleeping Computer, if you are one of the 270 million people who use Microsoft Teams every day, it may be time to make sure your account is locked down. Part of the onus here does fall on Microsoft, too. Teams isn’t precisely feature-rich when it comes to security and scanning files for malicious content. The ability for guests and other temporary users to share files also poses a security risk, though that isn’t necessarily how the hackers spread this particular malware.

In Case You Missed It

Functionality rich Android malware identified in the wild

/in /by

SonicWall Threats Research Team  received reports of an Android malware in the wild that was hosted on an active domain. This malware appears to be a Remote Access Trojan that has a number of capabilities.

 

Application Specifics

 

App Execution

Installing the application, the icon is visible without any application name:

 

The AndroidManifest.xml file can be used to identify how the application starts the execution flow. In this application the main activity is listed as – com.depart.buddy.lz. However looking at the code, this class is not visible in the list of classes:

 

This indicates that most likely a new dex file might be dropped during execution and this file will contain the class pointed as the main activity. Once executed, a file named kreaslX.json is dropped in the folder below:

 

Renaming the .json file to .zip and opening it in a disassembler shows us the missing class files:

 

The file shared preferences file settings.xml can be viewed as the configuration file for this application. A number of capabilities of this malware are listed in this file:

 

Notable capabilities include:

  • Log SMS messages on the device
  • Log applications installed on the device
  • Log contacts
  • Request for Admin privileges
  • Lock device
  • Start TeamViewer application
  • Switch the sound off
  • Kill an application
  • Keylogger functionality
  • Turn PlayProtect off

Network Investigation

The application is hosted on hxxps://www.kisa.link/PMmG. VirusTotal graph shows multiple malicious indicators connected with this domain:

 

A hardcoded admin panel IP was identified in the shared_preferences.xml fille – hxxp://helalolsundayiogli.co.vu. VirusTotal graph for this domain shows multiple apk files connected to this domain:

 

Overall this application appears to be part of a larger campaign which is being propagated via the links mentioned. The nature of this application is that of a Remote Access Trojan which is capable of accepting commands and executing the in-built functionality.

 

Sonicwall Capture Labs provides protection against this threat using the signature listed below:

  • AndroidOS.Spy.SM

 

Indicators of Compromise:

  • bfdd4663a096b21a1d2b7c993bb0aecd
  • 2dc70002c841181ee1e832381f8429ab

 

Realtek Jungle SDK remote code execution

/in /by

Realtek currently manufactures and sells a variety of microchips globally. Realtek chipsets are found in many embedded devices in the IoT space. Realtek offers total HomeKit solutions with Ameba (RTL8711 series) and iCOM (RTL8196/8188 series) that can be easily implemented into various IoT platform designs, e.g. smart plug, smart home appliances, home security systems, and smart sensor/lighting devices.RTL8xxx SoCs provide wireless capabilities and the SDK exposes services over the network.

CVE-2021-35395
Realtek Jungle SDK version v2.x up to v3.4.14B provides an HTTP web server exposing a management interface that can be used to configure the access point.There are two versions of of this management interface namely one based on Go-Ahead named webs and another based on Boa named boa. Arbitrary command execution in formSysCmd via the sysCmd parameter exists in this SDK. Successful exploitation of this vulnerability allows remote attackers to gain arbitrary code execution on the device.

The HTTP web server ‘boa’ is also vulnerable to multiple buffer overflows due to unsafe copies of some overly long parameters submitted in the form, such as

  • unsafe copy of ‘submit-url’ parameter in formRebootCheck/formWsc/formWlanMultipleAP
  • unsafe copy of ‘peerPin’ parameter in formWsc

  • unsafe copy of ‘ifname’ parameter in formWlSiteSurvey

  •  unsafe copy of ‘hostname’ parameter in formStaticDHCP


The root cause of the above vulnerabilities is insufficient validation of the  buffer size and unsafe calls to sprintf/strcpy. An attacker can exploit these vulnerabilities by crafting arguments in a specific request. Successful exploitation could lead  server crash and denial of service.
Realtek has patched these vulnerabilities.

SonicWall Capture Labs provides protection against this threat via following IPS signatures:

  • 18646:Realtek Jungle SDK Remote Code Execution 2
  • 18645 Realtek Jungle SDK Remote Code Execution 1
  • 18649 Realtek Jungle SDK HTTP Server Buffer Overflow 5
  • 18648 Realtek Jungle SDK HTTP Server Buffer Overflow 4
  • 18647 Realtek Jungle SDK HTTP Server Buffer Overflow 3
    • 18644 Realtek Jungle SDK HTTP Server Command Injection
  • 18643 Realtek Jungle SDK HTTP Server Buffer Overflow 2
  • 18642 Realtek Jungle SDK HTTP Server Buffer Overflow

Threat Graph

2021 Threat Intelligence Shows Attacks Rising Across the Board

/0 Comments/in /by

While the world continued to grapple with the challenges of 2020 — such as the ongoing COVID-19 pandemic and the shift to remote work — cybercriminals were building on what they learned that year to become more adaptable and formidable in 2021.

But as cybercriminals followed the moves of an ever-changing world, SonicWall Capture Labs threat researchers followed the movement of cybercriminals, recording where they attacked, who they targeted and what sorts of new techniques they developed. By compiling these findings into the 2022 SonicWall Cyber Threat Report, we’re offering organizations the actionable threat intelligence they need to combat the rising tide of cybercrime.

“It’s imperative to understand the skill set of bad actors to ultimately thwart their increasingly sophisticated and targeted attacks,” SonicWall President and CEO Bill Conner said. “The 2022 SonicWall Cyber Threat Report shines a spotlight on the growing plague of ransomware and other attempts of digital extortion.”

Here are a few of the key findings from the report:

Ransomware

In 2021, SonicWall Capture Labs Threat Researchers recorded 623.2 million ransomware attempts globally, an increase of 105% year over year. This increase was fueled by large volumes of Ryuk, SamSam and Cerber attacks, which together made up 62% of the total ransomware volume.

While the growth in ransomware was unusually aggressive, so were many of the techniques ransomware gangs used to separate legitimate organizations from their money. Double extortion continued to grow in 2021, and terrifying new triple extortion techniques began taking hold as well. Supply-chain attacks and attacks on vital infrastructure also increased, putting pressure on lawmaking bodies around the world to unify against ransomware’s growing threats.

Malware

As attacks of nearly every type have grown over the past couple of years, we’ve been able to count on one silver lining: “Well, at least malware volume is down.” A look at the data for 2021, however, shows signs that this sustained fall may soon be coming to an end.

While malware was still down 4% year-over-year, this is the smallest percentage drop we’ve seen in some time, with a rebound in the second half almost completely erasing the 22% drop recorded for the first half. Moreover, malware didn’t fall everywhere: the UK and India saw increases of 48% and 41% respectively.

Log4j Exploits

From Dec. 11, 2021, through Jan. 31, 2022, SonicWall Capture Labs Threat Researchers logged 142.2 million Log4j exploit attempts — an average of 2.7 million attempts each day. The data shows threat actors pivoting to attack these vulnerabilities at an alarming rate, with large numbers of attempts continuing to this day.

(As a reminder, SonicWall has released a number of signatures to help protect customers against Log4j exploit attempts — if you haven’t yet patched your organization’s internal systems against these vulnerabilities, we strongly urge you to do so.)

Capture ATP and RTDMI

In 2021, SonicWall Capture Advanced Threat Protection (ATP) with Real-Time Deep Memory Inspection (RTDMI)™ became the only solution in ICSA Labs Advanced Threat Defense (ATD) certification history to earn four straight perfect scores, all without a single false positive.

SonicWall’s data on the evolution of Capture ATP and RTDMI shed some light on how we accomplished this feat. In 2021, RTDMI identified 442,151 never-before-seen malware variants, an increase of 65% year over year and an average of 1,221 per day.

Cryptojacking

Given 2021’s record-high cryptocurrency prices, not even mining crackdowns and increased federal scrutiny were enough to keep cryptojacking down. SonicWall Capture Labs threat researchers recorded a 19% year-over-year increase in cryptojacking, amounting to an average of 338 attempts per customer network.

Break Free with SonicWall Boundless 2022

/0 Comments/in , /by

SonicWall is proud to announce Boundless 2022, a worldwide virtual event, Feb. 23 & 24, connecting SonicWall partners with our elite innovators, experts, leaders and special guests. Join us for our largest partner event of the year, offering access to executives, global thinkers in cybersecurity, partner-focused content and the very latest updates on our technology vision.

With cyber threats of almost all types on the rise, the work of cybersecurity professionals has never been more important and potentially more rewarding. Threat vectors have widened so much that the daily battle of keeping our hybrid networks safe now includes securing infinite endpoints buried within multi-variable environments.

We’ve never lost sight of the fact that our partners are on the frontlines doing this hard work every day. Boundless 2022 is SonicWall’s opportunity to huddle with our partners and engage our mutual futures.

We’ve learned a lot, and it’s time to share.

Boundless 2022: A Virtual, Multi-Lingual Experience

Created and produced exclusively for SonicWall partners, we offer unparalleled content, insight, and expert analysis to help you succeed in 2022 and beyond. This year, we are running three regional events to ensure that partners can attend sessions in their time zone. Presentations will be available in multiple languages including English, Portuguese, Spanish, French, German and Italian.

Boundless 2022 offers:

  • Engaging and Informative Keynotes
  • Special Celebrity Guests Penn & Teller
  • Executive Leadership Sessions
  • Threat Landscape Update
  • Product Innovation Insights
  • Regional Partner Breakouts

Hosted by Celebrity Guests Penn & Teller

Boundless 2022’s entertainment comes from the renowned magic team, Penn & Teller, which complements the theme of our partner-focused event.

The legendary magicians have made a long career cutting the magic rulebook in half (they’ve also burned it, boiled it, made it vanish several times). They surprised audiences with their comedy and shocked the performing community with their fun and unabashed approach to presenting, while revealing secrets of stage magic as part of the entertainment.

Similarly, SonicWall seeks to empower its partners to break away from constrained security methodology toward unbound techniques with faster and more cost-effective technology. And like Penn & Teller, we’re removing the shroud of mystery and offering detailed and frank discussions from cybersecurity thought-leaders and SonicWall executives.

PLUS Penn & Teller ask that attendees bring along a deck of cards to the live virtual event so that they may participate in a live magic trick.

Join Us in Your Time Zone and in Your Language

Boundless 2022 registration is now open. Visit the Boundless 2022 website to reserve your virtual seat today!

To learn more about SonicWall and Boundless 2022, please visit www.Boundless2022.com.

Cybersecurity News & Trends – 02-11-22

/0 Comments/in /by

SonicWall’s Boundless 2022 global virtual partner event, scheduled for Feb. 23 & 24, is experiencing record registration. See the promotional video HERE and visit this page to register. In general news, the Feds arrest a New York couple for trying to launder $3.5 billion in cryptocurrency and the email that we all received from Equifax (and since deleted) was not a hoax. In other news, Georgia voter registration data is breached, a Nintendo Switch hacker gets more than 3 years in prison and a $14 million bill, and ModifiedElephant has been planting fake digital evidence that gets activists and dissidents arrested.

SonicWall News

Record Registrations for Boundless 2022 Global Virtual Partner Experience

SonicWall is generating a record registration for the Boundless 2022 Virtual Partner Conference. Created exclusively for SonicWall partners, the event will offer unparalleled content, insight, and expert analysis. Presentations will be offered for three time zone schedules and in six partner languages: English, Spanish, French, German, French and Italian. See the promotional video here. This year, the event will feature an appearance from a renowned magic team, Penn & Teller. The event is scheduled for Feb. 23 & 24. Visit this page to register.

Industry News

Feds Arrest a New York Couple and Seize $3.6 Billion In Stolen Cryptocurrency

CNN: A New York couple has been arrested and charged with conspiring to launder $4.5 billion in stolen cryptocurrency funds. Law enforcement officials have seized $3.6 billion of those funds in what US Deputy Attorney General Lisa Monaco called “the department’s largest financial seizure ever.” Ilya Lichtenstein, 34, and his wife, Heather Morgan, 31, are accused of laundering money taken in a massive hack of cryptocurrency exchange Bitfinex in 2016.

Vodafone Portugal Hit by Hackers, Says No Client Data Breach

Reuters: Vodafone’s Portuguese unit said on Tuesday a hacker attack overnight had disrupted its services but assured its customers that their data had not been compromised because of the incident, which is under investigation. Vodafone Portugal reported that its system faced technical problems on Monday evening, with thousands of customers saying they could not make calls or access the internet on their phones or computers. It later discovered the technical issues were caused by what it described as a “deliberate and malicious” cyber attack.

No, that email from Equifax was not a scam.

Washington Post: As part of a settlement package for a massive data breach in 2017, just about everyone is entitled to free credit monitoring for four years. Equifax announced a massive breach had exposed the personal information of approximately 147 million people. At the time, the company said hackers exploited a “website application vulnerability.” People’s names, Social Security numbers, birth dates, addresses — and in some instances driver’s license numbers, credit card numbers and other personal information — were compromised, putting millions of folks at risk of identity theft and other fraudulent activity. In a 2019 complaint, the Federal Trade Commission alleged that Equifax had failed to patch its network after being alerted to the security vulnerability. Equifax, without admitting guilt, agreed that year to a settlement with the FTC, the Consumer Financial Protection Bureau and 50 states and territories. Part of that settlement was providing credit monitoring. But, given the damage the breach caused facilitating the vast number of phishing messages everyone has been receiving since the breach, and the resulting cadence of breaches and ransomware cases, the settlement, say critics, doesn’t go far enough.

Amazon Closes Exposed Flexbooker Bucket After December Data Breach

ZDNet: Digital scheduling platform FlexBooker has been accused of exposing the sensitive data of millions of customers, according to security researchers at vpnMentor. The researchers said the Ohio-based tech company used an AWS S3 bucket to store data but did not implement any security measures, leaving the contents totally exposed and easily accessible to anyone with a web browser. The 19 million exposed files included full names, email addresses, phone numbers and appointment details.

Data Breach Exposes Georgia Voters’ Registration Information

The Hill: Voting software company EasyVote Solutions said Tuesday that it experienced a data breach on Jan. 31, resulting in some Georgia voters’ registration information being shared on the internet. No Social Security numbers or driver’s license numbers were shared online. However, hackers collected public information such as names, addresses, races and birthdates and shared it online. EasyVote offers services that simplify the check-in process for voters in many Georgia counties, including Fulton, Oconee and Paulding.

Switch Hacker Given +3-year Sentence and Owes Nintendo $14.5M

GeekWire: One member of the Team Xecuter hacker group has been sentenced to 40 months behind bars and a $14.5 million bill for his role in his group’s creation and sale of tools used to pirate video games for the Nintendo Switch. The hacker, Gary W. “GaryOPA” Bowser, was initially indicted in Seattle in August 2020 alongside Max “MAXiMiLiEN” Louarn and Yuanning Chen. Bowser shares his name with the traditional antagonist of the Super Mario Bros. game and current Nintendo of America president Doug Bowser but they are not related. The hackers created modification devices and specialized hardware for use with various video game consoles to modify and occasionally “jailbreak” them. The group had been active in the game modification space since at least 2013, producing mod tools for Nintendo systems including the original PlayStation, Xbox, and Xbox 360.

FBI Issues Alert for LockBit 2.0 Ransomware Group, Enlist Public for Help

SC Media: Because security professionals needed something else to keep them occupied, the LockBit ransomware campaign is back for round two. This is another ransomware campaign run in the as-a-Service pattern — RaaS. LockBit 2 has caught enough attention that the FBI has published a FLASH message about it. The alert also seeks to enlist the public’s help for information like boundary logs showing communications with foreign IP addresses, sample ransom notes, contacts with threat actors, Bitcoin wallet information, decryptor files and samples of encrypted files.

Researchers Found Zimbra Zero-Day XSS Vulnerability Under Attack

LatestHackingNews (LHN): Researchers from Volexity shared their findings of the active exploitation of Zimbra zero-day. They observed that the threat actors exploit the flaw in spear-phishing campaigns. Upon analyzing one such phishing email, they noticed the attempt to exploit an XSS zero-day bug in the Zimbra email platform. Zimbra is an open-source web email platform frequently used to substitute for Microsoft Exchange which makes it a lucrative target for threat actors. In the malicious campaign that Veloxity spotted, the attackers executed the attack in two phases. In the first phase, the attackers aim at assessing the success rate of the phishing attack. At this point, the attackers merely wish to observe whether the target user opens the phishing email or not. Then, in the second phase, the attackers change the phishing email’s design to make it more appealing for the target user to open.

Hackers Planted Fake Digital Evidence on Devices of Indian Activists and Lawyers

Hacker News and Washington Post: A previously unknown hacking group has been linked to targeted attacks against human rights activists, human rights defenders, academics, and lawyers across India to plant “incriminating digital evidence.” Cybersecurity firm SentinelOne attributed the intrusions to a group it tracks as “ModifiedElephant,” an elusive threat actor that’s been operational since at least 2012, whose activity aligns sharply with Indian state interests. According to reports, the primary goal of ModifiedElephant is to facilitate long-term surveillance of targeted individuals, ultimately leading to the delivery of “evidence” on the victims’ compromised systems to frame and incarcerate vulnerable opponents. As reported by Washington Post, an Indian activist charged with terrorism was previously targeted by hackers linked to prominent cyber espionage attacks and may have planted fake digital evidence on his devices. The report was based on an investigation conducted by SentinelOne, which helped shed light on what amounted to a concerted, nearly decade-long effort to surveil a group of dissidents. It also offers new clues about the connections between groups that cybersecurity experts have observed targeting foreign adversaries and domestic critics.

In Case You Missed It

Ransomware asking victims to subscribe to a YouTube channel

/in /by

The SonicWall Capture Labs Threat Research team has come across a ransomware with a bizaare demand in exchange for decryption. This ransomware calls itself “Black Eye” but instead of demanding for cryptocurrency as payment, it requires the victim to subscribe to a YouTube channel and to comment on the videos on the said channel.

Infection cycle:

Upon execution, this ransomware creates a copy of itself in the following directory:

  • %AppData%\Roaming\BLACK EYE RANSOMWARE.exe

It then spawns the copy and begins encrypting the files in the victim machine. It adds 4 random characters to all encrypted files.

It also adds a text file in all the directories named “readme_it.txt” which is then opened in notepad upon successful infection.

This is a poorly written ransom note with a lot of grammatical and spelling errors.

To get their files back, victims are asked to subscribe to a YouTube channel. The owner of the said channel appears to have had an interest on ransomware ever since and has been posting videos about ransomware.

It also changes the desktop wallpaper to this photo.

And to maintain persistence, it adds a copy of the ransom note in the %Startup% directory along with the link to the “Black Eye Ransomware” executable which will both run upon system reboot.

It is unclear if the malware author has actually successfully infected victims who agreed to subscribe to his Youtube channel. But when we first analyzed this malware, that channel had 60+ subscribers and this week it has grown to 73.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Black.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Microsoft Security Bulletin Coverage for February 2022

/in /by

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of February 2022. A list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2022-21989 Windows Kernel Elevation of Privilege Vulnerability
IPS 2457:Windows Kernel Elevation of Privilege Vulnerability (CVE-2022-21989)

CVE-2022-21994 Windows DWM Core Library Elevation of Privilege Vulnerability
ASPY 293:Malformed-File exe.MP_234

CVE-2022-21996 Win32k Elevation of Privilege Vulnerability
ASPY 294:Malformed-File exe.MP_235

CVE-2022-22000 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 295:Malformed-File exe.MP_236

CVE-2022-22715 Named Pipe File System Elevation of Privilege Vulnerability
ASPY 296:Malformed-File exe.MP_237

CVE-2022-22718 Windows Print Spooler Elevation of Privilege Vulnerability
ASPY 297:Malformed-File exe.MP_238

The following vulnerabilities do not have exploits in the wild :
CVE-2022-21844 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21926 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21927 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21957 Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21965 Microsoft Teams Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-21968 Microsoft SharePoint Server Security Feature BypassVulnerability
There are no known exploits in the wild.
CVE-2022-21971 Windows Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21974 Roaming Security Rights Management Services Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21981 Windows Common Log File System Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21984 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21985 Windows Remote Access Connection Manager Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-21986 .NET Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-21987 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2022-21988 Microsoft Office Visio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21991 Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21992 Windows Mobile Device Management Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21993 Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-21995 Windows Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21997 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21998 Windows Common Log File System Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-21999 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-22001 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-22002 Windows User Account Profile Picture Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-22003 Microsoft Office Graphics Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-22004 Microsoft Office ClickToRun Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-22005 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-22709 VP9 Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-22710 Windows Common Log File System Driver Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-22712 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-22716 Microsoft Excel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-22717 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-23252 Microsoft Office Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-23254 Microsoft Power BI Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-23255 Microsoft OneDrive for Android Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2022-23256 Azure Data Explorer Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2022-23261 Microsoft Edge (Chromium-based) Tampering Vulnerability
There are no known exploits in the wild.
CVE-2022-23262 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-23263 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-23269 Microsoft Dynamics GP Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2022-23271 Microsoft Dynamics GP Elevation Of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-23272 Microsoft Dynamics GP Elevation Of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-23273 Microsoft Dynamics GP Elevation Of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-23274 Microsoft Dynamics GP Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-23276 SQL Server for Linux Containers Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-23280 Microsoft Outlook for Mac Security Feature Bypass Vulnerability
There are no known exploits in the wild.