Posts

Top CVE's exploited in the wild

/in /by

SonicWALL Capture Labs Threat Research team observed the below vulnerabilities most exploited by hackers in the year 2019.

  • BlueKeep (CVE-2019-0708)
  • SharePoint Server (CVE-2019-0604)
  • Win32k (CVE-2019-0859)
  • ThinkPhp (CVE not assigned)
  • Atlassian Confluence (CVE-2019-3396)
  • Drupal (CVE-2019-6340)
  • Oracle WebLogic (CVE-2019-2725)
  • Exim Server (CVE-2019-10149)
  • Microsoft GDI (CVE-2019-0903)
  • Webmin Server (CVE-2019-15107)

BlueKeep (CVE-2019-0708)

A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka ‘Remote Desktop Services Remote Code Execution Vulnerability’.

Affected Products: Windows 7, Windows XP, Windows Server 2008 and  Windows Server 2003.

Reference: https://securitynews.sonicwall.com/xmlpost/rdp-vulnerability-cve-2019-0708/

 

SharePoint Server (CVE-2019-0604)

An insecure deserialization vulnerability has been reported in Microsoft SharePoint Server. This vulnerability is due to insufficient validation user-supplied data to EntityInstanceIdEncoder.

Affected Products
Microsoft SharePoint Enterprise Server 2016
Microsoft SharePoint Foundation 2010 & 2013
Microsoft SharePoint Server 2010, 2013 & 2019

Reference: https://securitynews.sonicwall.com/xmlpost/microsoft-sharepoint-server-flaw-cve-2019-0604-is-actively-being-exploited/

 

Win32k (CVE-2019-0859)

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka ‘Win32k Elevation of Privilege Vulnerability’.

Affected Products
Microsoft Windows 7, 8.1, 10 & Rt 8.1
Microsoft Windows Server 2008, 2012, 2016 & 2019

Reference: https://securitynews.sonicwall.com/xmlpost/cve-2019-0859-exploits-active-in-the-wild/

 

ThinkPhp (CVE not assigned)

A command execution vulnerability exists in ThinkPHP CMS. The vulnerability is due to improper validation of the URL parameters in App.php.

Reference: https://securitynews.sonicwall.com/xmlpost/thinkphp-remote-code-execution-rce-bug-is-actively-being-exploited/

 

Atlassian Confluence (CVE-2019-3396)

A server side template injection vulnerability has been reported in Atlassian Confluence Server. This vulnerability is due to improper validation of the _template JSON parameter.

Affected Products:

Atlassian Confluence Server 6.14.x prior to 6.14.2
Atlassian Confluence Server 6.13.x prior to 6.13.3
Atlassian Confluence Server 6.12.x prior to 6.12.3
Atlassian Confluence Server 6.6.x prior to 6.6.12

 

Drupal (CVE-2019-6340)

A remote code execution vulnerability has been reported in the web services components of Drupal Core. The vulnerability is due to improper sanitization of data for certain Field Types from non-form sources prior to deserialization.

Affected Products:

Drupal Drupal 8.5.x prior to 8.5.11
Drupal Drupal 8.6.x prior to 8.6.10
Drupal Drupal 7.x

Oracle WebLogic (CVE-2019-2725)

An insecure deserialization vulnerability has been reported in Oracle Weblogic. This vulnerability is due to insufficient validation of XML data within the body of HTTP POST requests.

Affected Products

Oracle WebLogic Server 12.1.3.0.0
Oracle WebLogic Server 10.3.6.0.0

Reference: https://securitynews.sonicwall.com/xmlpost/oracle-weblogic-vulnerability-actively-being-exploited-in-the-wild/

 

Exim Server (CVE-2019-10149)

A remote command execution injection vulnerability has been reported in Exim server. This vulnerability is due to insufficient handling of recipient address in the deliver_message() function.

Affected Products: Exim versions 4.87 to 4.91

Reference: https://securitynews.sonicwall.com/xmlpost/exim-email-servers-are-still-under-attack/

 

Microsoft GDI (CVE-2019-0903)

A remote code execution vulnerability has been reported in the GDI component of Microsoft Windows. The vulnerability is due to the way that GDI handles objects in memory.

Affected Products:

Microsoft Windows 7, 8.1, 10
Microsoft Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019

Webmin Server (CVE-2019-15107)

A command injection vulnerability has been reported in Webmin. The vulnerability is due to improper validation of user supplied input within password_change.cgi.

Affected Products: Webmin prior to 1.930

Reference: https://securitynews.sonicwall.com/xmlpost/hackers-continue-to-mount-attacks-on-webmin-servers/

 

Sodinokibi ransomware uses Oracle WebLogic exploit to infect servers

/in /by

The SonicWall Capture Labs Threat Research Team have observed reports of Sodinokibi, ransomware that exploits a deserialization vulnerability in Oracle WebLogic servers (CVE-2019-2725) as its primary infection vector. The exploit has also been used by other attackers to install crypto miners, info stealers and botnets. The attackers charge $1500 USD in Bitcoin for file decryption if the ransom is paid within 7 days. If the ransom is not paid within this period it doubles to $3000 USD.

Infection Cycle:

The trojan uses the following icon:

Upon infection, the following text and background is displayed on the desktop:

It makes the following DNS query:

  • breathebettertolivebetter.com

It creates the following files:

  • 0vhra-readme.txt (copied to every directory containing encrypted files)
  • 2cb12ec9.lock (0 bytes. copied to every directory containing encrypted files)

It adds the following keys to the registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\recfg rnd_ext “.2cb12ec9”
  • HKEY_LOCAL_MACHINE\SOFTWARE\recfg pk_key (encryption key related hex values)
  • HKEY_LOCAL_MACHINE\SOFTWARE\recfg sk_key (encryption key related hex values)
  • HKEY_LOCAL_MACHINE\SOFTWARE\recfg 0_key (encryption key related hex values)
  • HKEY_LOCAL_MACHINE\SOFTWARE\recfg stat (encryption key related hex values)

It executes the following command to disable startup repair and remove Windows shadow copies:

It encrypts files on the system and gives each file an extension consisting of a random alphanumeric string.  In this case “2cb12ec9.

0vhra-readme.txt contains the following message:

The following link is provided in the message:

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B3EC8BB678B73C19

 

It is a webpage that is located on the tOR network:

Pressing “SUBMIT” or opening the second link (http://decryptor.top/B3EC8BB678B73C19) leads to the following page:

SonicWALL Capture Labs provides protection against this threat via the following signatures:

  • GAV: Sodinokibi.RSM_4 (Trojan)
  • GAV: Sodinokibi.RSM_3 (Trojan)
  • GAV: Sodinokibi.RSM_2 (Trojan)
  • GAV: Sodinokibi.RSM (Trojan)
  • GAV: Sodinokibi.FN (Trojan)
  • IPS: 14180 Oracle Weblogic 10.3.6.0.0/12.1.3.0.0 Remote Code Execution 1
  • IPS: 14181 Oracle Weblogic 10.3.6.0.0/12.1.3.0.0 Remote Code Execution 2
  • IPS: 14186 Oracle WebLogic Server Insecure Deserialization 9
  • IPS: 14187 Oracle WebLogic Server Insecure Deserialization 8
  • WAF: 1706 Oracle Weblogic 10.3.6.0.0/12.1.3.0.0 Remote Code Execution

Also, this threat is detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Oracle WebLogic Vulnerability actively being exploited in the wild

/in /by

An insecure deserialization vulnerability has been reported in Oracle WebLogic server. This vulnerability is due to insufficient validation of XML data within the body of HTTP POST requests. A remote attacker can exploit this vulnerability without authentication. Successful exploitation can result in arbitrary code execution under the context of the affected server.

Oracle WebLogic is one of the widely used Java application servers. It helps building and deploying distributed enterprise Java EE applications.

Serialization is the process of translating application data such as objects into a binary format that can be stored and reused by the same application or transmitted over the network to be used by another application.

Deserialization is the reverse of that process that takes data structured from some format, and rebuilding it into an object. By running deserialization, we should be able to fully reconstruct the serialized object.

Insecure Deserialization is a vulnerability which occurs when user input data is not sanitized or validated properly . This untrusted user data can be used to abuse the logic of an application, inflict a denial of service (DoS) attack, or even execute arbitrary remote code execution upon it being deserialized. Hence attackers craft the serialized data and the attack depends on what the application code does with the data.

CVE-2019-2725:

An insecure deserialization vulnerability has been reported in Oracle WebLogic server. User input is validated to ensure that tags that result in arbitrary method and constructor calls are blacklisted. The <class> tag is not correctly blacklisted. This allows the attacker to initiate any class with arbitrary constructor arguments. Attackers leverage this to achieve arbitrary code execution, by initiating a class object which accepts a byte array as a constructor argument. Upon initialization, the crafted malicious serialized byte array gets deserialized causing arbitrary remote code execution.

Exploit:

The below POST request to Oracle WebLogic server contains a shell code to download and execute a malicious payload on the vulnerable server.

POST / _Async / AsyncResponseService Http / 1.1
Host:x.x.x.x :7001

Fix:

Oracle has released an out-of-band patch that fixes the vulnerability. Please find the vendor advisory regarding this vulnerability: https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

IPS: 14180 Oracle Weblogic 10.3.6.0.0/12.1.3.0.0 Remote Code Execution 1
IPS: 14181 Oracle Weblogic 10.3.6.0.0/12.1.3.0.0 Remote Code Execution 2
IPS: 14186 Oracle WebLogic Server Insecure Deserialization 9
IPS: 14187 Oracle WebLogic Server Insecure Deserialization 8
WAF: 1706 Oracle Weblogic 10.3.6.0.0/12.1.3.0.0 Remote Code Execution

Threat Graph: