Critical CVEs of the year 2020

CVE-2020-1472 Zerologon – A vulnerability in the cryptography of Microsoft’s Netlogon process that allows an attack against Microsoft Active Directory domain controllers, making it possible for a hacker to impersonate any computer, including the root domain controller.

Ref: https://securitynews.sonicwall.com/xmlpost/windows-netlogon-elevation-of-privilege-vulnerability-cve-2020-1472/

CVE-2020-0796 SMBGhost – A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka ‘Windows SMBv3 Client/Server Remote Code Execution Vulnerability’.

Ref: https://securitynews.sonicwall.com/xmlpost/windows-smbv3-remote-code-execution-vulnerability-cve-2020-0796/

CVE-2020-1350 SIGRed – A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests, aka ‘Windows DNS Server Remote Code Execution’ Vulnerability.

Ref: https://securitynews.sonicwall.com/xmlpost/windows-dns-server-remote-code-execution-vulnerability-cve-2020-1350/

CVE-2020-0601 Curveball – A vulnerability that affects the certificate verification function in the Crypt32.dll module provided by Microsoft.

Ref: https://securitynews.sonicwall.com/xmlpost/windows-cryptoapi-spoofing-vulnerability-cve-2020-0601/

CVE-2020-5902 – A critical vulnerability in the F5 BIG-IP Traffic Management User Interface (TMUI), also known as the Configuration Utility.

Ref: https://securitynews.sonicwall.com/xmlpost/cve-2020-5902-hackers-actively-exploit-critical-vulnerability-in-f5-big-ip/

CVE-2020-14882 – A critical and easily exploitable remote code execution vulnerability (CVE-2020-14882) in Oracle WebLogic Server.

Ref: https://securitynews.sonicwall.com/xmlpost/cve-2020-14882-oracle-weblogic-remote-code-execution-vulnerability-exploited-in-the-wild/

CVE-2020-0688 Microsoft Exchange Memory Corruption Vulnerability – A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory.

Ref: https://securitynews.sonicwall.com/xmlpost/hackers-are-actively-trying-to-exploit-vulnerable-microsoft-exchange-servers/

CVE-2020-25213 – A vulnerability in WordPress File Manager (wp-file-manager) plugin versions prior to 6.9 that allows remote attackers to upload and execute arbitrary PHP code.

Ref: https://securitynews.sonicwall.com/xmlpost/cve-2020-25213-wordpress-plugin-wp-file-manager-actively-being-exploited-in-the-wild/

Breach of FireEye Offensive Tools

On December 8, 2020, cyber security firm FireEye disclosed an incident that resulted in the theft of the offensive security tools (OSTs) used by its Red Team to test the security posture of its customers.

Some of these tools resemble the well-known offensive framework Cobalt Strike. This is evident in the naming convention used by FireEye.

In response to the breach, FireEye has published Red Team tool countermeasures on GitHub. These countermeasures include rules in multiple formats such as Snort, Yara, ClamAV and HXIOC. Since none of these tools leverages a 0-day vulnerability, FireEye also provided a list of the CVEs the tools exploit.

An important step in preventing the use of these red teaming tools in your environment is to patch the vulnerabilities they are known to exploit.

SonicWall Capture Labs Threat Research team provides protection against the list of CVEs shown above, as well as the Beacon tool used by the FireEye Red Team, with the following signatures:

IPS:14422 Pulse Connect Secure Information Disclosure
IPS:15143 Windows Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472) 1
IPS:15156 Windows Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472) 2
IPS:15158 Windows Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472) 3
IPS:15185 Windows Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472) 4
IPS:15081 Fortinet SSL VPN Web Portal Directory Traversal
IPS:13910 Adobe ColdFusion Arbitrary File Upload 1
IPS:14689 Microsoft SharePoint Remote Code Execution (FEB 19)
IPS:14225 Remote Desktop Services Remote Code Execution (MAY 19)
IPS:14725 Citrix NetScaler ADC/Gateway Directory Traversal 2
IPS:14886 ManageEngine Desktop Central Insecure Deserialization
IPS:14826 Microsoft Exchange Server Remote Code Execution (CVE-2020-0688)
IPS:14888 Microsoft Exchange Server Remote Code Execution (CVE-2020-0688) 2
IPS:14889 Microsoft Exchange Server Remote Code Execution (CVE-2020-0688) 3
IPS:14890 Microsoft Exchange Server Remote Code Execution (CVE-2020-0688) 4
IPS:11556 Win32k Elevation of Privilege (MS16-039) 2
IPS:2007 FireEye RUBEUS nonce 2 TCP
IPS:2009 FireEye RUBEUS nonce 2 UDP
IPS:15285 FireEye BEACON CSBundle USAToday Server
IPS:15286 FireEye RUBEUS Process
IPS:15287 FireEye GORAT Build ID
IPS:15288 FireEye BEACON CSBundle Original Stager

Egregor Ransomware

Overview:

SonicWall Capture Labs Threat Research Team recently found a new sample and activity for Egregor ransomware. The Egregor sample below is a library (DLL), i.e. a module containing code and data that can be used by more than one program at the same time. The library is highly obfuscated and encrypted using the Salsa20 and ChaCha stream ciphers and RSA encryption, which makes it difficult to analyze from a reverse engineering and debugging point of view.

The library exports functions that are meant to be called from other stages of the infection chain. The export function parameters usually accept the key or password used to unlock, deobfuscate and decrypt the code sections. Once the sample has finished unwinding, it releases the payload hidden inside. The key and/or password is normally unique or specific to each sample, and is always located somewhere inside the sample; it is up to the researcher to locate it.

To debug the library directly, bypassing the distribution methods listed below, it can be loaded with the following command:
regsvr32.exe path_to_dll DllRegisterServer param1 param2

Egregor releases stolen data on its website, Egregor News, to increase the pressure on the victim to pay the ransom. Egregor News is used to post the names and domains of Egregor victims, along with the victims' data sets.

Distribution Methods & Tactics:

  • Cobalt Strike
  • RDP Exploit
  • Phishing
  • CVE-2020-0688
  • CVE-2018-8174
  • CVE-2018-4878
  • CVE-2018-15982
  • QBot
  • Ursnif
  • icedID

RaaS News Website:

Stage 1, Static Information:

ChaCha / Salsa20 Initial State Information:

Stage 1 uses an implementation of ChaCha (2008)/Salsa20 (2005) as its main encryption. The "nothing-up-my-sleeve number" used to pinpoint ChaCha or Salsa20 is "expand 32-byte k"; this string is the algorithm constant. When this constant is present, the implementation is considered a 256-bit one (a 32-byte key). The constant can be seen below:

The key used for unlocking stage 1:
"Elon Musk 2024! To The Future!!!" and "SpaceX!!"
The words are filtered, parsed and rearranged for parts of the ChaCha decryption stage.
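To make the state layout concrete, here is an added reference implementation of ChaCha20 in its original 2008 form (editor's example, not code from the Egregor sample or from SonicWall): the 16-byte constant fills the first four state words, the 32-byte key the next eight, then a 64-bit block counter and the 8-byte nonce. It assumes the post's two strings are used directly as key and nonce; the real sample, as the post notes, rearranges them, so this shows what an analyst should expect to recognize, not the sample's exact routine.

```python
import struct

SIGMA = b"expand 32-byte k"  # the constant the post uses to fingerprint ChaCha/Salsa20
KEY = b"Elon Musk 2024! To The Future!!!"  # 32 bytes, the stage-1 key string from the post
NONCE = b"SpaceX!!"  # 8 bytes, the post's second string, assumed here to be the nonce
MASK = 0xFFFFFFFF


def _rotl32(v, n):
    return ((v << n) & MASK) | (v >> (32 - n))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl32(s[b] ^ s[c], 7)


def initial_state(key, nonce, counter=0):
    """Original (2008) ChaCha layout as 16 little-endian words:
    4 constant words | 8 key words | 2 counter words (64-bit) | 2 nonce words (8-byte nonce)."""
    if len(key) != 32 or len(nonce) != 8:
        raise ValueError("ChaCha20 (2008 layout) needs a 32-byte key and an 8-byte nonce")
    return (list(struct.unpack("<4I", SIGMA))
            + list(struct.unpack("<8I", key))
            + [counter & MASK, (counter >> 32) & MASK]
            + list(struct.unpack("<2I", nonce)))


def chacha20_block(key, nonce, counter):
    """One 64-byte keystream block: 20 rounds (10 column/diagonal double rounds), then feed-forward."""
    state = initial_state(key, nonce, counter)
    w = state[:]
    for _ in range(10):
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK for x, y in zip(w, state)])


def chacha20_xor(key, nonce, data, counter=0):
    """Encrypt or decrypt (same operation): XOR data with successive keystream blocks."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, nonce, counter + i // 64)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], ks))
    return bytes(out)


def find_sigma(blob):
    """Offset of the 'expand 32-byte k' constant in a blob, or -1: the string an analyst
    searches for to spot a ChaCha/Salsa20 state setup in an unpacked sample."""
    return blob.find(SIGMA)


if __name__ == "__main__":
    for i, word in enumerate(initial_state(KEY, NONCE)):
        print(f"state[{i:2}] = 0x{word:08x}")
    # Constructed stand-in for an encrypted stage-2 blob; the round trip shows the keystream is symmetric.
    blob = chacha20_xor(KEY, NONCE, b"constructed stage-2 payload")
    assert chacha20_xor(KEY, NONCE, blob) == b"constructed stage-2 payload"
```

The all-zero key/nonce keystream matches the published ChaCha20 test vector, which is the quickest way to confirm a reimplementation before trusting it against a sample.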

Stage 1, Dynamic Information:

Start of Encrypted Data

End of Encrypted Data

The size of the encrypted data: 0x4EAAD (322,221 in decimal).

After Decryption:

String Artifacts:

Two of the parameters shown in the picture above are --del and --dubisteinmutterficker.
dubisteinmutterficker is German for "you're a mother fucker."
We also see references to Elon Musk and SpaceX.

2nd Stage, Commands the Payload Will Accept:

Egregor's payload accepts several command line arguments, including:

  • --fast: limits the size of files selected for encryption.
  • --full: encrypts the full victim system (including local and network drives).
  • --multiproc: enables multi-process support.
  • --nomimikatz: Mimikatz is an open source toolkit.
  • --nonet: does not encrypt network drives.
  • --path: specific folder to encrypt.
  • --target: target file extension for encryption.
  • --append: file extension to append to encrypted files.
  • --norename: does not rename the files it encrypts.
  • --greetings: prepends the given name to the ransom note, presumably to address the victim directly.
  • --samba: Samba provides shared access to files, printers and serial ports between nodes.
  • --killrdp: Remote Desktop Protocol (RDP).

The most commonly used option is --full.

Supported Systems:

  • Windows 10
  • Windows 8.1
  • Windows 8.0
  • Windows 7
  • Windows Vista

SonicWall Gateway Anti-Virus (GAV) provides protection against this threat:

  • GAV: Egregor.RSM (Trojan)

Appendix:

Sample SHA256 Hash: 38b155b6546db882189cc79bcac0b0284d3f858e0feb1e5dbc24b22f78cdfb68

Hackers are actively trying to exploit vulnerable Microsoft Exchange Servers

SonicWall Capture Labs Threat Research team observes attackers actively probing for vulnerable Microsoft Exchange servers.

Vulnerability | CVE-2020-0688:

A remote code execution vulnerability has been reported in Microsoft Exchange Server. The weakness is due to the server failing to generate unique keys at installation time. Microsoft Exchange Server does not randomly generate a key for each installation; instead, all installations of Microsoft Exchange Server include the same validationKey and decryptionKey values in web.config. Knowledge of the static key allows an authenticated attacker with a mailbox to trick the server into deserializing maliciously crafted data.

Exploitation:

  • Exchange User Account Takeover:

This is a crucial step in leveraging the vulnerability, as compromising an Exchange user account allows an attacker to take over the vulnerable Microsoft Exchange Server. As a result, attackers try to locate exposed, vulnerable Outlook Web Application instances using search engines such as Shodan, and then try to authenticate through credential stuffing. In this stage, attackers take sets of credentials that have been leaked through data breaches or other means and attempt to use them to log in to an Exchange account.

  • Retrieve Session Information:  

External users who connect to Outlook on the web (OWA) also have access to the ECP, where they can reach their own options page. ECP (Exchange Control Panel) is the web-based management console in Exchange Server. After an Exchange user account has been taken over, the attackers log in to the Exchange Control Panel, i.e. "https://<ServerFQDN>/ecp", to retrieve ViewStateGenerator and ViewStateUserKey from the authenticated session.

The ValidationKey is already known to attackers, as vulnerable versions of Exchange Server use the same static key "CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF" as validationKey and SHA1 as the validation algorithm.

  1. ViewStateGenerator – retrieved from the authenticated session.
  2. ViewStateUserKey – retrieved from the authenticated session.
  3. ValidationKey – static for vulnerable servers.
  4. ValidationAlg – known for vulnerable servers.

  • Generate ViewState Payload:

The next step is to create a ViewState payload. Many ASP.NET websites use ViewState to exchange the state of the controls on a page between the client and the server in order to achieve statefulness. ViewState, a base64-encoded serialized parameter, is posted back from the client to the server within the body of the page via a hidden parameter called __VIEWSTATE. This parameter is deserialized on the server side to retrieve the data. With all the retrieved information, attackers create a ViewState payload using .NET exploit tools such as the one shown below.

ysoserial.exe -p ViewState -g TextFormattingRunProperties -c <malicious code> --validationalg="SHA1" --validationkey=<Validationkey> --generator=<ViewStateGenerator> --viewstateuserkey=<ViewStateUserKey> --isdebug --islegacy

  • Remote Code Execution:

After successfully generating the ViewState payload, attackers perform remote code execution by submitting the following URL to the vulnerable Exchange server.

https://<ServerFQDN>/ecp/default.aspx?__VIEWSTATEGENERATOR=<ViewStateGenerator>&__VIEWSTATE=<CraftedViewStatePayload>
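Two defender-side checks that follow from the steps above, added here as example code (not SonicWall's signatures or tooling): one parses a web.config and flags a machineKey that still carries the static validationKey quoted in this post, the other parses constructed IIS W3C log lines and flags GET requests to /ecp/default.aspx that carry __VIEWSTATE and __VIEWSTATEGENERATOR in the query string, the shape of the request shown above. The log lines, the generator value and the decryptionKey placeholder are constructed; Exchange's real decryptionKey is not quoted in this post.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Static validationKey that vulnerable Exchange builds shipped with (value from the post).
STATIC_VALIDATION_KEY = "CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF"

# Constructed web.config fragment; decryptionKey is a placeholder, not Exchange's real value.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY" validation="SHA1" />
  </system.web>
</configuration>
"""

# Constructed IIS W3C log excerpt: an OWA login, a normal ECP page load, then a GET
# to /ecp/default.aspx carrying ViewState in the query string, as in the URL above.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2020-02-26 10:01:02 GET /owa/ - - 192.0.2.10 200
2020-02-26 10:01:09 POST /owa/auth.owa - - 192.0.2.10 302
2020-02-26 10:02:15 GET /ecp/default.aspx - contoso\\alice 192.0.2.10 200
2020-02-26 10:03:40 GET /ecp/default.aspx __VIEWSTATEGENERATOR=CONSTRUCTEDGEN&__VIEWSTATE=CONSTRUCTED_BASE64_BLOB contoso\\alice 192.0.2.10 500
"""


def check_machine_key(web_config_xml):
    """Return findings for every <machineKey> element in a web.config string."""
    findings = []
    for mk in ET.fromstring(web_config_xml).iter("machineKey"):
        if mk.get("validationKey", "").upper() == STATIC_VALIDATION_KEY:
            findings.append("validationKey is the static CVE-2020-0688 key; patch and rotate keys")
        if mk.get("validation", "").upper() == "SHA1":
            findings.append("validation algorithm is SHA1, matching the vulnerable default")
    return findings


def parse_iis_w3c(text):
    """Parse W3C extended log text into one dict per request, keyed by the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows


def suspicious_ecp_requests(rows):
    """Flag /ecp/default.aspx hits with ViewState in the query string (it normally travels
    in the POST body); returns (client ip, user, status) tuples for triage."""
    hits = []
    for r in rows:
        if r.get("cs-uri-stem", "").lower() != "/ecp/default.aspx":
            continue
        q = parse_qs(r.get("cs-uri-query", ""))  # "-" (no query) parses to {}
        if "__VIEWSTATE" in q and "__VIEWSTATEGENERATOR" in q:
            hits.append((r["c-ip"], r.get("cs-username", "-"), r.get("sc-status", "-")))
    return hits


if __name__ == "__main__":
    for f in check_machine_key(SAMPLE_WEB_CONFIG):
        print("web.config:", f)
    for ip, user, status in suspicious_ecp_requests(parse_iis_w3c(SAMPLE_LOG)):
        print(f"suspicious ECP ViewState request from {ip} as {user} (HTTP {status})")
```

A patched server still answers such a request, so the log check is about spotting attempts, while the web.config check tells you whether the key was actually rotated.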

Patch:

Find the vendor advisory here

Microsoft patched this vulnerability in February 2020 by randomizing the cryptographic keys at install time.

SonicWALL Capture Labs Threat Research team provides protection against this threat with the following signatures:

IPS: 14826 Microsoft Exchange Server Remote Code Execution (CVE-2020-0688)

IPS: 14825 /ecp/default.aspx Access (INFO)

IOCs (Indicators of Compromise):

Below are some of the IP addresses that SonicWall firewalls blocked.


Microsoft Security Bulletin Coverage for Feb 2020

SonicWall Capture Labs Threat Research Team has analyzed and addressed Microsoft's security advisories for the month of February 2020. The list of issues reported, along with SonicWall coverage information, is as follows:
CVE-2020-0618 Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-0655 Remote Desktop Services Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-0657 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 5885:Malformed-File exe.MP.118
CVE-2020-0658 Windows Common Log File System Driver Information Disclosure Vulnerability
ASPY 5885:Malformed-File exe.MP.118
CVE-2020-0659 Windows Data Sharing Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0660 Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-0661 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-0662 Windows Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-0663 Microsoft Edge Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0665 Active Directory Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0666 Windows Search Indexer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0667 Windows Search Indexer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0668 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0669 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0670 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0671 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0672 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0673 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-0674 Scripting Engine Memory Corruption Vulnerability
ASPY 14745:HTTP Client Shellcode Exploit 114
CVE-2020-0675 Windows Key Isolation Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0676 Windows Key Isolation Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0677 Windows Key Isolation Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0678 Windows Error Reporting Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0679 Windows Function Discovery Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0680 Windows Function Discovery Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0681 Remote Desktop Client Remote Code Execution Vulnerability
IPS 14793:Remote Desktop Client Remote Code Execution Vulnerability (CVE-2020-0681)
CVE-2020-0682 Windows Function Discovery Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0683 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0685 Windows COM Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0686 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0688 Microsoft Exchange Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-0689 Microsoft Secure Boot Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2020-0691 Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0692 Microsoft Exchange Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0693 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-0694 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-0695 Microsoft Office Online Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-0696 Microsoft Outlook Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2020-0697 Microsoft Office Tampering Vulnerability
There are no known exploits in the wild.
CVE-2020-0698 Windows Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0701 Windows Client License Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0702 Surface Hub Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2020-0703 Windows Backup Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0704 Windows Wireless Network Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0705 Windows Network Driver Interface Specification (NDIS) Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0706 Microsoft Browser Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0707 Windows IME Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0708 Windows Imaging Library Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-0709 DirectX Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0710 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-0711 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-0712 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-0713 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-0714 DirectX Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0715 Windows Graphics Component Elevation of Privilege Vulnerability
ASPY 5889:Malformed-File exe.MP.122
CVE-2020-0716 Win32k Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0717 Win32k Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0719 Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0720 Win32k Elevation of Privilege Vulnerability
ASPY 5890:Malformed-File exe.MP.123
CVE-2020-0721 Win32k Elevation of Privilege Vulnerability
ASPY 5891:Malformed-File exe.MP.124
CVE-2020-0722 Win32k Elevation of Privilege Vulnerability
ASPY 5892:Malformed-File exe.MP.125
CVE-2020-0723 Win32k Elevation of Privilege Vulnerability
ASPY 5893:Malformed-File exe.MP.126
CVE-2020-0724 Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0725 Win32k Elevation of Privilege Vulnerability
ASPY 5888:Malformed-File exe.MP.121
CVE-2020-0726 Win32k Elevation of Privilege Vulnerability
ASPY 5888:Malformed-File exe.MP.121
CVE-2020-0727 Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0728 Windows Modules Installer Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0729 LNK Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-0730 Windows User Profile Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0731 Win32k Elevation of Privilege Vulnerability
ASPY 5887:Malformed-File exe.MP.120
CVE-2020-0732 DirectX Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0733 Windows Malicious Software Removal Tool Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0734 Remote Desktop Client Remote Code Execution Vulnerability
ASPY 5884:Malformed-File exe.MP.117
CVE-2020-0735 Windows Search Indexer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0736 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0737 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0738 Media Foundation Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-0739 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0740 Connected Devices Platform Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0741 Connected Devices Platform Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0742 Connected Devices Platform Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0743 Connected Devices Platform Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0744 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0745 Windows Graphics Component Elevation of Privilege Vulnerability
ASPY 5886:Malformed-File exe.MP.119
CVE-2020-0746 Microsoft Graphics Components Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0747 Windows Data Sharing Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0748 Windows Key Isolation Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0749 Connected Devices Platform Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0750 Connected Devices Platform Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0751 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-0752 Windows Search Indexer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0753 Windows Error Reporting Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0754 Windows Error Reporting Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0755 Windows Key Isolation Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0756 Windows Key Isolation Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0757 Windows SSH Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0759 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-0767 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-0792 Windows Graphics Component Elevation of Privilege Vulnerability
There are no known exploits in the wild.