Posts

Microsoft Security Bulletin Coverage for February 2023

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of February 2023. A list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2023-21529 Microsoft Exchange Server Remote Code Execution Vulnerability
IPS 3520: Microsoft Exchange Server Remote Code Execution (CVE-2023-21529)

CVE-2023-21688 NT OS Kernel Elevation of Privilege Vulnerability
ASPY 403: Malicious-exe exe.MP_297

CVE-2023-21689 Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability
ASPY 404: Malicious-exe exe.MP_298

CVE-2023-21690 Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability
ASPY 405: Malicious-exe exe.MP_299

CVE-2023-21692 Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability
ASPY 406: Malicious-exe exe.MP_300

CVE-2023-21706 Microsoft Exchange Server Remote Code Execution Vulnerability
IPS 15834: Microsoft Exchange Server Remote Code Execution (CVE-2023-21706)

CVE-2023-21715 Microsoft Office Security Feature Bypass Vulnerability
ASPY 410: Malformed-File pub.MP.6

CVE-2023-21812 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 409: Malicious-exe exe.MP_303

CVE-2023-21823 Windows Graphics Component Elevation of Privilege Vulnerability
ASPY 408: Malicious-exe exe.MP_302

CVE-2023-23376 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 407: Malicious-exe exe.MP_301

The following vulnerabilities do not have exploits in the wild:
CVE-2023-21528 Microsoft SQL Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21553 Azure DevOps Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21564 Azure DevOps Server Cross-Site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2023-21566 Visual Studio Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21567 Visual Studio Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21568 Microsoft SQL Server Integration Service (VS extension) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21570 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2023-21571 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2023-21572 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2023-21573 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2023-21684 Microsoft PostScript Printer Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21685 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21686 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21687 HTTP.sys Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21691 Microsoft Protected Extensible Authentication Protocol (PEAP) Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21693 Microsoft PostScript Printer Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21694 Windows Fax Service Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21695 Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21697 Windows Internet Storage Name Service (iSNS) Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21699 Windows Internet Storage Name Service (iSNS) Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21700 Windows iSCSI Discovery Service Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21701 Microsoft Protected Extensible Authentication Protocol (PEAP) Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21702 Windows iSCSI Service Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21703 Azure Data Box Gateway Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21704 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21705 Microsoft SQL Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21707 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21710 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21713 Microsoft SQL Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21714 Microsoft Office Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21716 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21717 Microsoft SharePoint Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21718 Microsoft SQL ODBC Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21721 Microsoft OneNote Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-21722 .NET Framework Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21777 Azure App Service on Azure Stack Hub Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21778 Microsoft Dynamics Unified Service Desk Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21797 Microsoft ODBC Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21798 Microsoft ODBC Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21799 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21800 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21801 Microsoft PostScript Printer Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21802 Windows Media Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21803 Windows iSCSI Discovery Service Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21804 Windows Graphics Component Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21805 Windows MSHTML Platform Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21806 Power BI Report Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-21807 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2023-21808 .NET and Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21809 Microsoft Defender for Endpoint Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-21811 Windows iSCSI Service Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21813 Windows Secure Channel Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21815 Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21816 Windows Active Directory Domain Services API Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21817 Windows Kerberos Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21818 Windows Secure Channel Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21819 Windows Secure Channel Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21820 Windows Distributed File System (DFS) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21822 Windows Graphics Component Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-23377 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-23378 Print 3D Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-23379 Microsoft Defender for IoT Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-23381 Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-23382 Azure Machine Learning Compute Instance Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-23390 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.

Microsoft OneNote files are widely used to deliver malware payloads

There is a never-ending race between threat actors and security software. Malware authors constantly look for techniques that get past active security defenses and gain access to the victim's machine, and one such technique is to switch among low-profile file types to carry the malicious payload. Malware authors are now using OneNote files, which were rarely used for malicious purposes in the past. For the last few weeks, SonicWall RTDMI has been detecting a spike of malicious OneNote files being delivered to victims' machines as email attachments. The SonicWall threat research team has observed OneNote files delivering AgentTesla, AsyncRAT and QakBot malware. Threat actors attach HTML Application (HTA) files, batch files and Portable Executable (PE) files to OneNote pages and hide the attached files behind an image. The image displays a message luring the victim to click on it; the click lands on the hidden attachment and triggers the malware execution:
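The attachments described above are carried inside the OneNote file as FileDataStoreObject structures ([MS-ONESTORE] 2.6.13): a 16-byte header GUID, an 8-byte little-endian length, 12 bytes of unused/reserved space, then the raw file bytes. The following added example (not code from the original post or from SonicWall) carves every such object out of a .one file and classifies it by content, which is what an analyst wants before the attachment is ever double-clicked. The sample document it scans is constructed inline, and the content classifier is a simple heuristic of my own, not a signature.

```python
"""Carve embedded attachments (FileDataStoreObject) out of a OneNote file."""
import struct
import uuid
from dataclasses import dataclass

# guidHeader of a FileDataStoreObject, stored on disk in little-endian GUID layout.
FILE_DATA_STORE_GUID = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
HEADER_LEN = 16 + 8 + 4 + 8  # guidHeader + cbLength + unused + reserved


@dataclass
class Attachment:
    offset: int   # where the object header starts in the file
    size: int     # cbLength, the declared length of the embedded file
    kind: str     # heuristic content type
    data: bytes


def classify(data: bytes) -> str:
    """Content-based type guess; the attachment's file name/extension is not trusted."""
    head = data[:512].lower()
    if data[:2] == b"MZ":
        return "pe"
    if b"<script" in head or b"<hta:application" in head:
        return "hta"
    if head.lstrip().startswith(b"@echo off") or b"powershell" in head:
        return "batch"
    return "unknown"


def extract_attachments(blob: bytes) -> list[Attachment]:
    """Scan for every FileDataStoreObject header and return the embedded files."""
    found = []
    pos = blob.find(FILE_DATA_STORE_GUID)
    while pos != -1:
        if pos + HEADER_LEN > len(blob):
            break                                   # truncated header at end of file
        (size,) = struct.unpack_from("<Q", blob, pos + 16)
        start = pos + HEADER_LEN
        data = blob[start:start + size]
        if len(data) == size:                       # skip objects whose data is cut off
            found.append(Attachment(pos, size, classify(data), data))
        pos = blob.find(FILE_DATA_STORE_GUID, start + size)
    return found


def build_sample_onenote() -> bytes:
    """Constructed test input (not a real document): three attachments between filler bytes."""
    hta = b'<html><hta:application id="x"/><script>/* constructed */</script></html>'
    bat = b"@echo off\r\nstart /min powershell -w hidden -c <constructed>\r\n"
    pe = b"MZ" + b"\0" * 62 + b"PE\0\0" + b"\0" * 16

    def obj(payload: bytes) -> bytes:
        return FILE_DATA_STORE_GUID + struct.pack("<Q", len(payload)) + b"\0" * 12 + payload

    return b"X" * 64 + obj(hta) + b"Y" * 32 + obj(bat) + b"Z" * 16 + obj(pe) + b"W" * 8


if __name__ == "__main__":
    for att in extract_attachments(build_sample_onenote()):
        print(f"offset={att.offset:#x} size={att.size} kind={att.kind}")
```

Run it against a suspicious .one file by replacing `build_sample_onenote()` with the file's bytes; any `hta`, `batch` or `pe` result is a strong reason to detonate the page in a sandbox rather than on a workstation. The same header GUID is what most YARA rules for malicious OneNote files key on.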

Case 1 (Payload: AgentTesla)

The threat actor attaches a malicious HTML Application (HTA) file to the OneNote page and duplicates the attachment references to widen the area the user can click to open the attachment. The attachments are hidden by overlapping two images: the first is a blurred image, which is in turn overlapped by another image asking the user to “View Document”. Once the user clicks on the image, it triggers execution of the hidden HTA file:

The HTA file launches two PowerShell instances: one displays an image fetched from the web and the other downloads and executes the AgentTesla malware on the victim’s machine:

A blurred HSBC document fetched from the web is displayed to mislead the user while the malicious activity runs in the background:

The second PowerShell instance runs the downloaded executable in the background. That executable in turn runs a VBScript file and injects the AgentTesla payload into RegSvcs.exe, which exfiltrates the user’s data to a Telegram-hosted Command and Control (C2) server at h[t][t]ps://api.telegram.org/bot5729374237:AAEdSD-W5rWlJyyU5nwVKvjLxJBT1jTdKRY/:

Case 2 (Payload: AsyncRAT)

The threat actor attaches an obfuscated batch file to the OneNote page. The batch attachment is hidden behind an image asking the user to “Click to view document”. The page also contains a background image displaying the text DHL WORLDWIDE EXPRESS, so that the file looks like a delivery document:

The obfuscated batch file drops a copy of the PowerShell executable into the OneNote temp folder under the name “invoice.bat.exe” and uses that dropped executable to run a PowerShell script:

The PowerShell script reads data from the batch file and decrypts it. The decrypted data is decompressed to obtain the AsyncRAT executable, which is then executed:

AsyncRAT is a widely known malware family whose source code is available on GitHub:

In one AsyncRAT-delivering variant, we have seen the OneNote page carrying an executable attachment that in turn drops a batch file to continue execution, resulting in AsyncRAT running on the victim’s machine:

Case 3 (Payload: QakBot)

The threat actor attaches a batch command file to the OneNote page. The attached file is hidden behind an image asking the user to “Open”. The OneNote page also contains an image displaying the text “This document contains attachments from the cloud, to receive them, double click “open””:

The batch command file runs a PowerShell cmdlet that drops another batch file to C:\Users\Public\aSUNY81.cmd and executes it with two arguments:

The dropped script downloads the QakBot payload from the URL h[t][t]ps://famille2point0.com/oghHO/01.png, which is supplied as the second argument. The QakBot Dynamic Link Library (DLL) is then executed by calling its export function Wind:

QakBot injects its malicious payload into iexplorer.exe using process injection. The QakBot binary uses the traditional injection method: it opens iexplorer.exe in suspended mode using the CreateProcess API, allocates memory in iexplorer.exe and writes the payload data into it. After injecting code, most malware redirects the Instruction Pointer (EIP) to the injected code using the SetThreadContext API; QakBot instead modifies the bytes at EIP so that they jump to the injected code:
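All three cases share the same observable on the endpoint: OneNote spawns a script host or shell, or a renamed copy of PowerShell runs out of OneNote's temp folder. The following added example (my own detection logic, not code from the original post or from SonicWall) checks those signals over process-creation events modelled on Sysmon Event ID 1 fields. The events are constructed telemetry, not captures from the samples above, and the `\Temp\OneNote\` path marker used for the third signal is an assumption about where OneNote extracts an opened attachment.

```python
"""Hunt the OneNote-to-script-host execution chains in process-creation telemetry."""
from dataclasses import dataclass
import ntpath

SCRIPT_HOSTS = {
    "mshta.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
    "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe",
}
# PE OriginalFileName values of the PowerShell hosts; survives renaming the file on disk.
POWERSHELL_ORIGINAL_NAMES = {"powershell.exe", "pwsh.dll"}
ONENOTE_TEMP_MARKER = "\\temp\\onenote\\"   # assumption: OneNote's attachment extraction path


@dataclass
class ProcEvent:            # subset of Sysmon Event ID 1 fields
    image: str
    parent_image: str
    command_line: str
    original_file_name: str = ""


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def check_event(ev: ProcEvent) -> list[str]:
    """Return the signals that fire for one process-creation event."""
    findings = []
    image, parent = _name(ev.image), _name(ev.parent_image)
    # Signal 1 (Cases 1 and 3): OneNote itself launching a script host or shell.
    if parent == "onenote.exe" and image in SCRIPT_HOSTS:
        findings.append(f"onenote.exe spawned {image}")
    # Signal 2 (Case 2): a PowerShell binary running under a different file name.
    if (ev.original_file_name.lower() in POWERSHELL_ORIGINAL_NAMES
            and image not in {"powershell.exe", "pwsh.exe"}):
        findings.append(f"renamed PowerShell host: {image}")
    # Signal 3: a script host handed a file that OneNote just extracted.
    if image in SCRIPT_HOSTS and ONENOTE_TEMP_MARKER in ev.command_line.lower():
        findings.append(f"{image} launched an attachment extracted by OneNote")
    return findings


def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> findings, only for events that fired at least one signal."""
    return {i: f for i, ev in enumerate(events) if (f := check_event(ev))}


ONENOTE = r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE"
EXTRACT = r"C:\Users\victim\AppData\Local\Temp\OneNote\16.0\Exported\{GUID}\NT\0"
SAMPLE_EVENTS = [   # constructed telemetry
    ProcEvent(r"C:\Windows\System32\mshta.exe", ONENOTE,
              f'mshta.exe "{EXTRACT}\\Open.hta"', "MSHTA.EXE"),
    ProcEvent(r"C:\Users\victim\AppData\Local\Temp\OneNote\16.0\invoice.bat.exe",
              r"C:\Windows\System32\cmd.exe",
              r'"C:\Users\victim\AppData\Local\Temp\OneNote\16.0\invoice.bat.exe" -w hidden -c <script>',
              "PowerShell.EXE"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", ONENOTE,
              f'cmd.exe /c "{EXTRACT}\\Open.cmd"', "Cmd.Exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe", "powershell.exe -NoProfile", "PowerShell.EXE"),  # benign
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, hits)
```

Signal 2 is the durable one: an EDR that exposes `OriginalFileName` catches Case 2 no matter what the attacker names the dropped copy, whereas signal 3 depends on the assumed extraction path and should be tuned to what OneNote actually writes in your environment.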

 

IOCs

SHA256 OneNote files:

8fc8a2b79cb0c0f8113993056e682cd9b56140781cad6bfeabfeac8e6df543e1

1d27ed598f1eab480f067c8920d8f9cd7f7da8b1833d0f58f75d2e2944589210

0a001cf1fd5f6d6994a1635f87493723ba6c6299b67fdf1569c341c87b8aeda1

 

SHA256 PE files:

b75aad495d0bff2f1b5a2b89a8df42a9257f1f01394c859f3ad2bb40d91607d3

a18402d77acd4d9c8b9ae637ffb8ef44b566c777902bb95d81a8cb6c23fec9e7

53a1cbccdb9988dca39ce32963a951b4f8b9d843db57c288195e1cd160bd7f17

 

 

The archive file is not available on any of the popular threat intelligence sharing portals, such as VirusTotal and ReversingLabs, which indicates its uniqueness and limited distribution:

Evidence of detection by the RTDMI ™ engine can be seen below in the Capture ATP report for this file:

LockBit 3.0 'Black' targets large corps. Operator demands $9M for decryption

LockBit 3.0, also known as LockBit Black, is a ransomware family that operates under the Ransomware-as-a-Service (RaaS) model, where the creators collaborate with affiliates who may not have the resources to create and deploy attacks. The LockBit ransomware family is known for its public presence: it announced its services in July 2022 and even offered a bug bounty program and money to individuals who got the LockBit logo tattooed on their bodies. Despite the public attention, LockBit continues to be one of the most prevalent strains of ransomware, and in September 2022 the builder for the ransomware was leaked and made available for download on GitHub. During our analysis, we were able to engage in a direct conversation with the attacker, who revealed a staggering $9M demand for file decryption.


Infection Cycle:

 

Upon infection, files on the system are encrypted. Each encrypted file is given a “.NegNiNNop” file extension. File names are also obfuscated, e.g. 4sk2dwe.NegNiNNoP. After encryption, the following message is displayed on the desktop background:


The following files are added to the system:

  • C:\ProgramData\NegNiNNoP.bmp [seen above]
  • C:\ProgramData\NegNiNNoP.ico
  • C:\Users\NegNiNNoP.README.txt
  • C:\Users\All Users\NegNiNNoP.bmp
  • C:\Users\All Users\NegNiNNoP.ico
  • C:\Users\{user}\NegNiNNoP.README.txt

 

The following registry key is added:

  • HKEY_CLASSES_ROOT\NegNiNNoP\DefaultIcon @ “C:\ProgramData\NegNiNNoP.ico”

 

NegNiNNoP.ico contains the following image:

 

A file called NegNiNNop.README.txt is written to the desktop and to all folders where files were encrypted. It contains the following message:


A Tor address is provided in the message and brings the victim to the following pages:


The operators take pride in their work and display a list of victims on their site. This list contains organizations from around the world:


In addition to requiring payment for data retrieval, the operators double down and threaten to leak sensitive data to the public if the ransom is not paid in time. This double extortion method adds pressure on the victim in an effort to force them to pay the ransom. Leaked sensitive data is publicly available on the site for all to see:


During our analysis, no data was exfiltrated from the system.

 

On the victim page, a “support” chat box is presented. This enables direct communication with the attackers. Ransomware operators usually use this to negotiate with their victims and to apply additional pressure:

We had the following live conversation with an operator, revealing a $9M decryption fee:

The link took us to the following pages. However, the files referenced were not from our network:


This appears to be a bug on their end:

 

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: LockBit3.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Linux Kernel ksmbd Integer Underflow Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  KSMBD stands for Kernel-based SMB Direct. It’s a Linux kernel module that provides the implementation of the SMBv3 protocol, allowing the Linux kernel to act as a server for SMB (Server Message Block) clients. SMB is a protocol used for sharing files, printers, and other resources between computers in a network.

  SMBv3 is the latest version of the protocol and provides several new features and improvements over previous versions, including better security features such as encryption, improved performance, and better support for large files and high-availability scenarios.

  KSMBD enables the Linux kernel to directly handle SMB requests, eliminating the need for a user-space daemon to translate the requests into kernel calls. This results in improved performance and lower overhead compared to traditional SMB implementations that rely on user-space daemons.

  A denial of service vulnerability has been reported in the Linux kernel. It is due to an integer underflow in the ksmbd_decode_ntlmssp_auth_blob function.

  A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted request to the target server. Successfully exploiting this vulnerability could result in denial of service.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-0210.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 6.7 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C).

  Base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is none.
    • Impact of this vulnerability on data integrity is none.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 6.7 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  NTLMSSP is a proprietary authentication protocol used in Microsoft Windows. It involves the exchange of a series of messages between the client and the server to establish the authenticity of the client. The messages are encoded using the ASN.1 (Abstract Syntax Notation One) standard and serialized using the DER (Distinguished Encoding Rules) format. Understanding the details of NTLMSSP authentication, as well as the encoding and serialization formats used, is important for understanding this vulnerability.

  An integer underflow exists in the ksmbd kernel module when handling SMB2 SESSION_SETUP messages. Specifically, the flaw is due to missing message validation when processing NTLMSSP authentication messages. The vulnerable function ksmbd_decode_ntlmssp_auth_blob() is responsible for handling the NTLMSSP_AUTH message. It reads the Length of the NTLM Response field and stores it in a local variable nt_len. It then passes nt_len – CIFS_ENCPWD_SIZE (16) as the blen argument of ksmbd_auth_ntlmv2(). ksmbd_auth_ntlmv2() allocates a kernel buffer of size blen + CIFS_CRYPTO_KEY_SIZE (8) and performs two memory copies into it, of CIFS_CRYPTO_KEY_SIZE and blen bytes respectively.

  However, the vulnerable function does not check whether nt_len is smaller than CIFS_ENCPWD_SIZE (16). A positive value under 16 results in an integer underflow. For the memory allocation to succeed, the value needs to be in the range 8-15. For example, if nt_len is 12, blen becomes -4 and the allocation size is 4; the subsequent memory copies of 8 and 0xFFFFFFFC (-4) bytes both overflow the buffer.
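The arithmetic above is easiest to see with the numbers worked through. The following added example (my own model, not ksmbd's code or SonicWall's) reads the NtChallengeResponse length out of a constructed NTLMSSP AUTHENTICATE header, reproduces the unpatched size computation with 32-bit unsigned wrap-around, and places the missing bounds check beside it. The field layout (Len/MaxLen/Offset descriptors, NtChallengeResponse descriptor at byte 20) is the NTLMSSP message format; the constants CIFS_ENCPWD_SIZE and CIFS_CRYPTO_KEY_SIZE are the values quoted in the description above.

```python
"""Model the nt_len / blen arithmetic behind CVE-2023-0210 and the check that prevents it."""
import struct

CIFS_ENCPWD_SIZE = 16       # fixed prefix subtracted from nt_len
CIFS_CRYPTO_KEY_SIZE = 8    # added back when the kernel buffer is allocated
U32 = 0xFFFFFFFF
NTLMSSP_SIGNATURE = b"NTLMSSP\0"
NTLMSSP_AUTH = 3
# Signature (8) + MessageType (4) + LmChallengeResponseFields (8) precede the
# NtChallengeResponseFields descriptor: Len u16, MaxLen u16, BufferOffset u32.
NT_RESPONSE_FIELDS_OFFSET = 8 + 4 + 8


def nt_response_len(blob: bytes) -> int:
    """Read nt_len the way the decoder does: the Len field of NtChallengeResponse."""
    if blob[:8] != NTLMSSP_SIGNATURE or struct.unpack_from("<I", blob, 8)[0] != NTLMSSP_AUTH:
        raise ValueError("not an NTLMSSP AUTHENTICATE message")
    (length,) = struct.unpack_from("<H", blob, NT_RESPONSE_FIELDS_OFFSET)
    return length


def vulnerable_sizes(nt_len: int) -> dict:
    """What the unpatched code computes when blen is an unsigned 32-bit value."""
    blen = (nt_len - CIFS_ENCPWD_SIZE) & U32            # wraps for nt_len < 16
    alloc = (blen + CIFS_CRYPTO_KEY_SIZE) & U32          # wraps back to a tiny allocation
    return {
        "blen": blen,
        "alloc": alloc,
        "copies": (CIFS_CRYPTO_KEY_SIZE, blen),
        "overflow": CIFS_CRYPTO_KEY_SIZE + blen > alloc,  # copies exceed the buffer
    }


def check_nt_len(nt_len: int) -> bool:
    """The missing validation: the response must at least cover the fixed prefix."""
    return nt_len >= CIFS_ENCPWD_SIZE


def safe_blen(nt_len: int) -> int:
    """Hardened computation: validate before subtracting, so blen can never wrap."""
    if not check_nt_len(nt_len):
        raise ValueError(f"NtChallengeResponse length {nt_len} < CIFS_ENCPWD_SIZE")
    return nt_len - CIFS_ENCPWD_SIZE


def build_auth_message(nt_len: int) -> bytes:
    """Constructed AUTHENTICATE header (test input): only the NtChallengeResponse Len is set."""
    msg = bytearray(NTLMSSP_SIGNATURE + struct.pack("<I", NTLMSSP_AUTH) + b"\0" * 52)
    struct.pack_into("<HHI", msg, NT_RESPONSE_FIELDS_OFFSET, nt_len, nt_len, 88)
    return bytes(msg)


if __name__ == "__main__":
    for n in (12, 40):
        print(n, vulnerable_sizes(nt_response_len(build_auth_message(n))))
```

For nt_len = 12 the model reproduces the description exactly: blen wraps to 0xFFFFFFFC, the allocation size wraps to 4, and the 8-byte copy alone already exceeds the buffer. A well-formed NTLMv2 response (nt_len = 40, say) gives blen 24, an allocation of 32 and copies that fit. The protocol-level check in `check_nt_len` is the kind of pre-condition a fuzzer harness or IDS parser should assert on before any subtraction.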

Triggering the Problem:

  • The vulnerable system must be listening on the vulnerable SMB port, and accept incoming connections.
  • The attacker must have connectivity to the target system.
  • The attacker must know a valid SMB user name on the target system.

Triggering Conditions:

  The attacker connects to the target ksmbd server. The vulnerability is triggered when the attacker sends a crafted SMB2 SESSION_SETUP request with a crafted Security Blob field.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • SMB/CIFS

  

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 3510 Linux Kernel ksmbd DoS 1

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Configuring the vulnerable product to allow access from trusted clients only.
    • Updating to a non-vulnerable version of the product.
    • Filtering attack traffic using the signature above.
  The vendor has released the following commit regarding this vulnerability:
  Vendor Advisory

Berbew Backdoor Spotted In The Wild

This week, the SonicWall Capture Labs Research team analyzed a sample of Berbew, a trojan that has been used in connection with Download.Ject and FormBook to steal user passwords for banking and other financial institutions. Berbew acts as both an infostealer and a proxy, allowing command and control (C2) activity or routing of additional malware.

Analysis

Berbew has previously been reported as a second-stage payload, deployed once the first stage has infiltrated a target and used an exploit; Download.Ject targeted Microsoft IIS services, while FormBook is transmitted via phishing email attachments. Static analysis shows that the file is 56kb in size with a timestamp set in the year 2036.

 

 Figure 1: Future creation date

 

There are a variety of additional red flags in the file’s sections, each of which has a random alphanumeric name. Two of the sections are also self-modifying, a method malware can use to change its own code. The second section (.E9Mdns0) also makes use of virtualized code, a protective measure against analysis, but it is empty before runtime, meaning that data will be inserted at runtime. The last item to note is that the entry point is set within section ‘.neYm’; this is atypical, because the entry point is generally in the first section of a program.

 

Figure 2: Items to note, 1) section names, 2) self-modifying sections, 3) virtualized code, 4) entry-point address

 

The strings give some additional context about what the program can do. WININET.DLL is a networking library, and the strings suggest the program reads from URL entries. It can read, write and search through registry entries using the ‘Reg’ values, as well as obtain security settings on the system.

 

Figure 3: Berbew program strings

 

At runtime, the executable drops 934 files within ‘C:\Windows\SYSWOW64’ and executes between 23 and 25 of them in sequence. Of the files dropped, 467 are duplicates of the main executable, with the other half being DLL files. They follow a naming scheme of six alphabetic characters followed by 32.exe, or eight alphabetic characters (this applies to both the .EXE and .DLL files). A hook is set up for capturing data using ‘DirectDrawCreateEx’, which allows keyboard, mouse, clipboard, and screen activity to be saved.

 

Figure 4: Runtime sequence of dropped executables

 

In addition, there are also registry keys written for persistence:
– HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Web Event Logger
– HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
– HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

These are triggered on restart to load one of the dropped DLL files and relaunch the program. The dropped DLL files are all identical to each other and only 7kb in size.

Figure 5: Detection of dropped DLL

 

When a financial website is opened, or during regular use, the system displays prompts to change passwords. This information is then relayed to one of the URLs found in memory; however, no connections are made before data has been collected.

SonicWall Capture Labs provides protection against this threat via the following signature:

GAV: Berbew.F (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

 

IOCs

Sample 1
MD5: 7350C5C9F3020FB201AD2184453DBBAC
SHA1: C68E9514A58D803C65647191153F35BD742A7463
SHA256: BCC12EEF62B196293032ECB05804510474A276B9A12DD70248F55EFFD405474C
Size: 56kb

Sample 2
MD5: FE1AE2707A3D86E7EF8B921A77D571EB
SHA1: 01F484BA1B4B28555FD8DD959A428C94A652443D
SHA256: 73AE10E87168EA0F543C0CFE23B1BA71726AC597E52F06075432EFE30FDED843
Size: 7kb

Registry Keys

– HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Web Event Logger
– HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
– HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

URLs

hxxp://adult-empire[.]com/index.php
hxxp://color-bank[.]ru/index.php
hxxp://crutop.nu
hxxp://crutop.nu/index.htm
hxxp://crutop.nu/index.php
hxxp://crutop.nuAWM
hxxp://crutop[.]ru/index.htm
hxxp://crutop[.]ru/index.php
hxxp://cvv[.]ru/index.htm
hxxp://cvv[.]ru/index.php
hxxp://devx.nm[.]ru/index.php
hxxp://fethard.biz/index.htm
hxxp://fethard.biz/index.php
hxxp://gaz-prom[.]ru/index.htm
hxxp://hackers.lv/index.php
hxxp://kadet[.]ru/index.htm
hxxp://kavkaz[.]ru/index.htm
hxxp://kidos-bank[.]ru/index.htm
hxxp://konfiskat.org/index.htm
hxxp://ldark.nm[.]ru/index.htm
hxxp://master-x
hxxp://parex-bank[.]ru/index.htm
hxxp://promo[.]ru/index.htm
hxxp://ros-neftbank[.]ru/index.php
hxxp://trojan[.]ru/index.php
hxxp://virus-list.com/index.php
hxxp://www.redline[.]ru/index.php

Zoho ManageEngine SAML Response RCE Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  ManageEngine is a subsidiary of Zoho Corporation that provides IT management software for businesses. The company offers a range of products for network, systems, applications, security, and service desk management. ManageEngine’s solutions aim to help organizations simplify and automate their IT operations, allowing them to focus on their core business objectives.

  Apache Santuario is an open-source implementation of the XML Security specifications. It provides a library for securing XML documents, including signing and encryption, and offers a secure and stable XML security solution. Santuario is used by various software projects, including the Apache Axis2 Web services engine, to secure their XML communications. It is a part of the Apache Software Foundation and is governed by its open-source community.

  A remote code execution vulnerability has been reported in multiple Zoho ManageEngine products. The vulnerability is due to an outdated version of Apache Santuario in the impacted products allowing an attacker to execute XSLT in SAML response messages.

  A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted request to the target server. Successful exploitation could result in arbitrary code execution under the security context of SYSTEM.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-47966.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C).

  Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 9.3 (E:F/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is functional.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  Before understanding this vulnerability it’s important to research the key technologies below:

    1. SAML SSO (Security Assertion Markup Language Single Sign-On)
    2. SAML 2.0
    3. XSLT (eXtensible Stylesheet Language Transformations)
    4. Apache Xalan

  SAML SSO is a protocol that allows users to authenticate to multiple web applications using a single set of credentials. This technology provides a secure and convenient way for users to access multiple web applications with a single login, which is managed by a central identity provider. SAML SSO eliminates the need for users to remember and manage multiple sets of login credentials, which can improve the user experience and reduce the risk of password-related security breaches.

  SAML 2.0 is the latest version of the SAML standard and includes a number of improvements over SAML 1.1, making it the dominant standard for SSO. SAML 2.0 provides greater security, improved encryption and signing, and a more flexible data format, making it well-suited to a wide range of use cases. This technology is widely adopted by organizations of all sizes and is supported by a large number of identity providers and service providers.

  XSLT is a language used to transform XML (eXtensible Markup Language) documents into other formats. XSLT is used to define a set of rules for transforming the structure and content of an XML document into a different format that can be more easily displayed or processed. This technology is commonly used in conjunction with XML to create dynamic, data-driven websites, generate reports, and transform XML data into other formats for data exchange between systems. XSLT provides a powerful way to manipulate and display XML data, making it an essential tool for many XML-based applications.

  Apache Xalan is an open-source implementation of the XSLT and XML Path Language (XPath) standards. It provides a library for transforming XML documents into other formats, such as HTML, plain text, or XML with a different structure. Apache Xalan is written in Java and is part of the Apache XML Project, which is maintained by the Apache Software Foundation. This technology is widely used in a variety of applications for transforming and processing XML data, including for generating reports, transforming data for data exchange between systems, and creating dynamic, data-driven websites. Apache Xalan provides a high-performance, flexible, and easy-to-use solution for transforming XML data.

  The vulnerability is due to the server processing user-supplied XSLT transformations received in SAML responses. When an identity provider authenticates a user through SAML SSO on Key Manager Plus, it sends a request to the “/saml2” endpoint on the server, which is processed by the function service().

  Before a transformation is executed, the function checkSecureValidation() is called. This function checks whether secureValidation in the Transform object is set to “true” and whether the “Algorithm” attribute of the “Transform” XML element is set to “http://www.w3.org/TR/1999/REC-xslt-19991116”, the identifier of an XSLT transformation. If both are true, the function throws an exception, as XSLT transformations are forbidden when secureValidation is enabled. If checkSecureValidation() does not throw an exception, the functions t.performTransform() and transformSpi.enginePerformTransform() are called to execute the transform.

  The function enginePerformTransform() executes the XSLT transformation. It calls selectNode() to find the stylesheet XML element containing the transformation, then TransformerFactory.newInstance() to create a TransformerFactory object. setFeature() is called on the TransformerFactory with the parameters “http://javax.xml.XMLConstants/feature/secure-processing” and Boolean.TRUE to enable secure processing in Apache Xalan, where the XSLT will be executed. transform() is then called to execute the XSLT in the Transform element. However, the version of Apache Xalan included in the impacted version of Key Manager Plus is vulnerable to CVE-2014-0107. That vulnerability allows an attacker to bypass some of the restrictions that secure processing imposes on a TransformerFactory object by using certain attributes, such as “content-handler”, that can load arbitrary classes, possibly leading to arbitrary code execution.

  As secureValidation in the included version of Apache Santuario is set to false by default, and secure processing can be bypassed in the included version of Apache Xalan, an attacker can send a crafted SAML response to the target containing an XML “Transform” element that carries an arbitrary XSLT transformation.
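  The check below is an added example, not Key Manager Plus, Santuario or SonicWall code. It applies the rule that checkSecureValidation() enforces when secureValidation is on to an incoming SAML response in Python, before the document reaches any signature library: a ds:Transform whose Algorithm is the XSLT URI is rejected, as are unknown algorithms and an embedded xsl:stylesheet. The allowed-transform list and both SAML samples are constructed for the example.

```python
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
XSL_NS = "http://www.w3.org/1999/XSL/Transform"
# Algorithm URI that checkSecureValidation() refuses when secureValidation is enabled.
XSLT_TRANSFORM = "http://www.w3.org/TR/1999/REC-xslt-19991116"
# Transforms a signed SAML response legitimately needs (assumed allow-list); anything else is refused.
ALLOWED_TRANSFORMS = {
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
}


def find_forbidden_transforms(saml_response_xml: str) -> list:
    """Return the reasons a response must be rejected before signature processing.

    Each ds:Transform is checked the way the write-up describes for
    checkSecureValidation(): an Algorithm equal to the XSLT URI is refused.
    Unknown algorithms and an embedded xsl:stylesheet are refused as well, so a
    transform that omits or misspells the Algorithm attribute cannot slip through.
    """
    root = ET.fromstring(saml_response_xml)
    problems = []
    for transform in root.iter(f"{{{DSIG_NS}}}Transform"):
        algorithm = transform.get("Algorithm", "")
        if algorithm == XSLT_TRANSFORM:
            problems.append("XSLT transform in ds:Transform")
        elif algorithm not in ALLOWED_TRANSFORMS:
            problems.append(f"unexpected transform algorithm {algorithm!r}")
        if any(child.tag.startswith(f"{{{XSL_NS}}}") for child in transform):
            problems.append("xsl:stylesheet embedded in ds:Transform")
    return problems


# Constructed sample: the transforms a normal signed SAML response carries.
BENIGN_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="{DSIG_NS}"><ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1">
    <ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </ds:Transforms></ds:Reference></ds:SignedInfo></ds:Signature></samlp:Response>"""

# Constructed sample: a ds:Transform that asks the verifier to run a stylesheet.
XSLT_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="{DSIG_NS}" xmlns:xsl="{XSL_NS}"><ds:Signature><ds:SignedInfo>
    <ds:Reference URI="#_a1"><ds:Transforms>
      <ds:Transform Algorithm="{XSLT_TRANSFORM}">
        <xsl:stylesheet version="1.0"><xsl:template match="/"/></xsl:stylesheet>
      </ds:Transform>
    </ds:Transforms></ds:Reference></ds:SignedInfo></ds:Signature></samlp:Response>"""

if __name__ == "__main__":
    print("benign:", find_forbidden_transforms(BENIGN_RESPONSE))  # []
    print("xslt:  ", find_forbidden_transforms(XSLT_RESPONSE))
```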

Triggering the Problem:

  • The attacker must have network access to the target server.
  • The target must be running a vulnerable version of the software.
  • The target server must have SAML SSO enabled.

Triggering Conditions:

  The attacker sends a crafted SAML response to the target server. The vulnerability is triggered when the server validates the response and executes XSLT in a transformation in the XML.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTPS
    • HTTP

  Attacker Transform Payload, Executes Calc.:

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 3481 ManageEngine products xmlsec Remote Code Execution 1
  • IPS: 3491 ManageEngine products xmlsec Remote Code Execution 2
  • IPS: 18881 ManageEngine products xmlsec Remote Code Execution 3

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Upgrading the product to a non-vulnerable version.
    • Filtering traffic based on the signatures above.
    • Disabling SAML SSO if not needed.
    • Blocking the affected ports from external network access if they’re not required.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

Magniber ransomware seen distributed via ISO disc image files

This week, the SonicWall Capture Labs Research team analyzed a ransomware called Magniber. This ransomware has been around since 2017 as a successor to Cerber and only targeted a specific country when we first covered it in the past. It has since widened its targeting and adopted many forms, from JavaScript to archive files and, more recently, Microsoft Software Installer (MSI) files and ISO images. What has not changed is that it still purports to be a software security update to lure victims into installing it.

Infection Cycle:

The ransomware installer arrives as a fake Windows update in the form of an optical disc image (ISO).

Within the ISO are two files, which have been seen using the following filenames:

  • 5G offer.LNK
  • 5G-installer.MSI

The LNK file is a Windows shortcut file that serves as a pointer to load the MSI file using msiexec.exe.

The Windows Installer file (MSI) uses the following file properties.

Once executed, it displays the following installation progress window. Note that the Knowledge Base article (KB5023921) it references does not exist.

Upon execution, it first deletes the Volume Shadow Copies with the following command and then proceeds to encryption.

vssadmin.exe Delete Shadows /all /quiet

It changes the desktop background upon successful infection.

A readme.html file present in every directory that contains encrypted files shows instructions on how to retrieve the victim’s files.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Magniber.RSM_1 (Trojan)
  • GAV: Magniber.RSM_2 (Trojan)
  • GAV: Magniber.RSM_3 (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Adobe ColdFusion Heap Buffer Overflow Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  Adobe ColdFusion is an application development platform by Adobe Systems. It is an IDE used to develop web applications and supports a full scripting language, ColdFusion Markup Language (CFML). Since ColdFusion MX 6.0, the server component has run within a Java Runtime Environment (JRE). The ColdFusion Administrator organizes information about all ColdFusion server database connections in a single location. ColdFusion supplies a number of drivers for connecting to multiple databases, among them the ODBC Socket.

  The ODBC Socket is the data source relevant to understanding this vulnerability. ODBC Socket is a type of database driver that allows applications to connect to a database using the Open Database Connectivity (ODBC) interface, but instead of connecting directly to the database, the driver connects to a server that acts as a bridge between the application and the database. The “socket” receives the application’s requests, translates them into the appropriate format for the database, and sends the results back to the application. The use of a socket allows for greater flexibility and scalability, as the socket can be configured to connect to multiple databases and can also be used to add security features such as encryption and authentication.

  A heap-based and stack-based buffer overflow vulnerability exists in the Adobe ColdFusion ODBC Server component. The vulnerability is due to the lack of proper validation of user-supplied data, which can result in a buffer overflow.

  A remote, unauthenticated attacker could exploit this vulnerability by sending a maliciously crafted request to the target service. In the worst case, successful exploitation could result in arbitrary code execution with SYSTEM privileges.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-35711.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.7 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.7 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  It is important to understand the General Inter-ORB Protocol (GIOP) and the Internet Inter-ORB Protocol (IIOP) before looking at a vulnerability that uses them. Both are defined by the Common Object Request Broker Architecture (CORBA) standard and are used for communication between objects in a distributed system. Following how this vulnerability is triggered requires knowing the message format and structure, the different message types that can be sent, and the network endpoint on which IIOP traffic is sent or received.

  When the component receives a GIOP packet, it first calls the function at swsoc.exe+0xcd070 to check that the Magic Bytes field is set to “GIOP”. Next, the function at swsoc.exe+0xcc620 is called, which checks that the ServiceContext and Principal fields are set to 0; it also checks that the Object Key is set to “IIOP:slx::” and the Operation is set to “SSP”. Next, the function at swsoc.exe+0xd0160 is called, which checks an unknown field in the request body. The opcodes are then processed one at a time in a loop in the function at swsoc.exe+0xcd910.

  Within this loop, opcode 8 is the vulnerable case. When it is encountered, the C library function memmove() is called with the OpcodeDataSize field as the size parameter to copy the bytes in the Data field into a heap buffer. Supplying an OpcodeDataSize value larger than 38 overruns this heap buffer.
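  As an added example (not ColdFusion, swsoc.exe or SonicWall code), the Python below parses the standard 12-byte GIOP header and then walks the opcode records of a request body, applying the bounds check the vulnerable memmove() lacks: each OpcodeDataSize is compared with the bytes actually present, and opcode 8 is additionally held to the 38-byte buffer named above. The record layout (one opcode byte, a 4-byte OpcodeDataSize, then Data) is an assumption, the request-header fields checked by swsoc.exe are not modelled, and the sample messages are constructed.

```python
import struct

GIOP_MAGIC = b"GIOP"
VULNERABLE_OPCODE = 8
HEAP_BUFFER_SIZE = 38  # destination buffer size named in the write-up


def parse_giop_header(msg: bytes) -> dict:
    """Decode the standard 12-byte GIOP header and check that the declared size matches."""
    if len(msg) < 12 or msg[:4] != GIOP_MAGIC:
        raise ValueError("not a GIOP message")
    major, minor, flags, msg_type = struct.unpack_from("BBBB", msg, 4)
    endian = "<" if flags & 0x01 else ">"  # flags bit 0: little-endian body
    (size,) = struct.unpack_from(endian + "I", msg, 8)
    if size != len(msg) - 12:
        raise ValueError(f"declared size {size} != body length {len(msg) - 12}")
    return {"version": (major, minor), "type": msg_type, "endian": endian, "body": msg[12:]}


def check_opcodes(body: bytes, endian: str = "<") -> list:
    """Walk the opcode records in a request body and return a reason for each unsafe one.

    Assumed record layout (the write-up does not give one): one opcode byte, a
    4-byte OpcodeDataSize, then that many bytes of Data. Each size is checked
    against the bytes actually present, and opcode 8 is additionally held to the
    38-byte buffer that memmove() copies into.
    """
    findings, pos = [], 0
    while pos < len(body):
        if pos + 5 > len(body):
            findings.append(f"truncated record header at offset {pos}")
            break
        opcode = body[pos]
        (data_size,) = struct.unpack_from(endian + "I", body, pos + 1)
        pos += 5
        if data_size > len(body) - pos:
            findings.append(f"opcode {opcode}: OpcodeDataSize {data_size} exceeds remaining bytes")
            break
        if opcode == VULNERABLE_OPCODE and data_size > HEAP_BUFFER_SIZE:
            findings.append(f"opcode 8: OpcodeDataSize {data_size} > {HEAP_BUFFER_SIZE}-byte buffer")
        pos += data_size
    return findings


def record(opcode: int, data: bytes) -> bytes:
    """Encode one record in the assumed layout (for the constructed samples only)."""
    return bytes([opcode]) + struct.pack("<I", len(data)) + data


def giop_request(body: bytes) -> bytes:
    """Wrap a body in a GIOP 1.0 little-endian Request header (message type 0)."""
    return GIOP_MAGIC + bytes([1, 0, 0x01, 0]) + struct.pack("<I", len(body)) + body


# Constructed samples; the request-header fields the write-up checks are not modelled.
SAFE_MSG = giop_request(record(1, b"\x00" * 4) + record(VULNERABLE_OPCODE, b"A" * 38))
OVERSIZED_MSG = giop_request(record(1, b"\x00" * 4) + record(VULNERABLE_OPCODE, b"A" * 64))
```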

Triggering the Problem:

  • The target host must have the vulnerable version of the software installed and running.
  • The attacker must have network connectivity to the target server.

Triggering Conditions:

  The attacker sends a crafted GIOP request message to the ODBC Server. The GIOP message contains an overly large OpcodeDataSize value.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • GIOP
    • IIOP
    • TCP

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 3466 Adobe ColdFusion GIOP Heap Buffer Overflow

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Filtering network traffic using the signature above.
    • Blocking the affected ports from external network access if they are not required.
    • Updating to a non-vulnerable version of the product by applying the vendor provided patch.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

Control Web Panel Remote Code Execution

Control Web Panel (CWP) is an advanced free and PRO web hosting panel that gives administrators the flexibility to manage their servers and clients effectively and efficiently.
Control Web Panel 7 versions prior to 0.9.8.1147 suffer from an unauthenticated remote code execution vulnerability.

Remote Code Execution vulnerability
A remote code execution (RCE) vulnerability is a type of software vulnerability that allows an attacker to execute arbitrary code on a targeted system or device. This can be done by exploiting a flaw in the software or by injecting malicious code into the system via a network connection or other means. RCE vulnerabilities are considered to be particularly severe because they can allow an attacker to gain complete control over a targeted system or device.
Unauthenticated Remote Code Execution (RCE) is a type of vulnerability that allows an attacker to execute arbitrary code on a target system or device without the need for any authentication or authorization. This means that the attacker does not need to provide any valid credentials or have any previous access to the system in order to exploit the vulnerability.

Control Web Panel Remote Code Execution | CVE-2022-44877
Unauthenticated RCE exists in Control Web Panel.
login/index.php in Control Web Panel (or CentOS Web Panel) 7 before 0.9.8.1147 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter.

The following is an example of the exploit:

Decoding the base64 gives the following code:

The code is a command line that runs a Python script that creates a socket connection to an attacker-controlled IP address and port specified within the script. Once the connection is established, the script uses the os.dup2() function to redirect its standard input, output and error to the socket. This allows the script to run a shell command, in this case “sh”, and receive input, output and error through the socket connection. The pty.spawn() function is then used to spawn the shell process.
The fragment “login=$(echo” sets the login parameter to the output of a command substitution: “echo” emits the base64-encoded Python script, its output is piped to “base64 -d”, which decodes the text, and the decoded output is in turn piped to “bash”, which executes it.
Overall, the attacker is trying to open a reverse shell connection to the IP address and port specified in the Python script.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • IPS 18864: Control Web Panel 7 RCE

Control Web Panel has patched this vulnerability.

GPcode ransomware leaves victims stranded

The SonicWall Capture Labs threat research team has been tracking a well-established ransomware family known as GPcode. GPcode ransomware is typically spread through email attachments or social engineering techniques, such as disguising the malware as a legitimate software update. Once the malware runs on a victim’s machine, it encrypts files using strong encryption, specifically RSA-1024 and AES-256, which makes it impossible to decrypt the files without the decryption key. GPcode has been active since 2005 and was nicknamed the “$20 ransomware”. It is considered one of the first examples of ransomware and is still seen in the wild today. However, GPcode’s authors do not have a track record of providing decryption keys after a ransom is paid, and in this case they are uncontactable.

Infection Cycle:

Upon infection, files on the system are encrypted. Each encrypted file is given a “.ENCODED” file extension. The following image is displayed on the desktop background:

The following message is displayed using Notepad:

During runtime, the malware writes ntfs_system.bat and executes it:

ntfs_system.bat contains the following script. This is used to delete the original malware file:

del "{malware file path}"
del %0

The malware can be seen writing the ransom note file to the desktop:

We tried reaching out to the email address provided in the ransom note but the email bounced:

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Gpcode.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.