Posts

Microsoft Security Bulletin Coverage for January 2022

/in /by

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of January 2022. A list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2022-21881 Windows Kernel Elevation of Privilege Vulnerability
ASPY  285 Malformed-File exe.MP_228

CVE-2022-21882 Win32k Elevation of Privilege Vulnerability
ASPY  286 Malformed-File exe.MP_229

CVE-2022-21887 Win32k Elevation of Privilege Vulnerability
ASPY  287 Malformed-File exe.MP_230

CVE-2022-21897 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY  288 Malformed-File exe.MP_231

CVE-2022-21907 HTTP Protocol Stack Remote Code Execution Vulnerability
IPS 8535 Server Application Code Execution 28

CVE-2022-21908 Windows Installer Elevation of Privilege Vulnerability
ASPY 289 Malformed-File dll.MP_7

CVE-2022-21916 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 280:Malformed-File exe.MP_226

CVE-2022-21919 Windows User Profile Service Elevation of Privilege Vulnerability
ASPY 281:Malformed-File exe.MP_227

Adobe Coverage
CVE-2021-45067 Acrobat Reader Buffer Overflow Vulnerability
ASPY 282:Malformed-File pdf.MP_520

CVE-2021-44714 Acrobat Reader Security feature bypass
ASPY 283:Malformed-File pdf.MP_521

CVE-2021-44707 Acrobat Reader Buffer Overflow Vulnerability
ASPY 284:Malformed-File pdf.MP_522

The following vulnerabilities do not have exploits in the wild :
CVE-2021-22947 Open Source Curl Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-36976 Libarchive Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21833 Virtual Machine IDE Drive Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21834 Windows User-mode Driver Framework Reflector Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21835 Microsoft Cryptographic Services Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21836 Windows Certificate Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2022-21837 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21838 Windows Cleanup Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21839 Windows Event Tracing Discretionary Access Control List Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-21840 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21841 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21842 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21843 Windows IKE Extension Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-21846 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21847 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-21848 Windows IKE Extension Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-21849 Windows IKE Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21850 Remote Desktop Client Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21851 Remote Desktop Client Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21852 Windows DWM Core Library Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21855 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21857 Active Directory Domain Services Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21858 Windows Bind Filter Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21859 Windows Accounts Control Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21860 Windows AppContracts API Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21861 Task Flow Data Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21862 Windows Application Model Core API Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21863 Windows StateRepository API Server file Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21864 Windows UI Immersive Server API Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21865 Connected Devices Platform Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21866 Windows System Launcher Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21867 Windows Push Notifications Apps Elevation Of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21868 Windows Devices Human Interface Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21869 Clipboard User Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21870 Tablet Windows User Interface Application Core Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21871 Microsoft Diagnostics Hub Standard Collector Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21872 Windows Event Tracing Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21873 Tile Data Repository Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21874 Windows Security Center API Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21875 Windows Storage Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21876 Win32k Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-21877 Storage Spaces Controller Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-21878 Windows Geolocation Service Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21879 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21880 Windows GDI+ Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-21883 Windows IKE Extension Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-21884 Local Security Authority Subsystem Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21885 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21888 Windows Modern Execution Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21889 Windows IKE Extension Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-21890 Windows IKE Extension Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-21891 Microsoft Dynamics 365 (on-premises) Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2022-21892 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21893 Remote Desktop Protocol Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21894 Secure Boot Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2022-21895 Windows User Profile Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21896 Windows DWM Core Library Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21898 DirectX Graphics Kernel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21899 Windows Extensible Firmware Interface Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2022-21900 Windows Hyper-V Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2022-21901 Windows Hyper-V Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21902 Windows DWM Core Library Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21903 Windows GDI Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21904 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-21905 Windows Hyper-V Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2022-21906 Windows Defender Application Control Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2022-21910 Microsoft Cluster Port Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21911 .NET Framework Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-21912 DirectX Graphics Kernel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21913 Local Security Authority (Domain Policy) Remote Protocol Security Feature Bypass
There are no known exploits in the wild.
CVE-2022-21914 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21915 Windows GDI+ Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-21917 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21918 DirectX Graphics Kernel File Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-21920 Windows Kerberos Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21921 Windows Defender Credential Guard Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2022-21922 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21924 Workstation Service Remote Protocol Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2022-21925 Windows BackupKey Remote Protocol Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2022-21928 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21929 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21930 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21931 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21932 Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2022-21954 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21958 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21959 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21960 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21961 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21962 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21963 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21964 Remote Desktop Licensing Diagnoser Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-21969 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21970 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
There are no known exploits in the wild.

GitLab Community and Enterprise Edition Vulnerability

/in /by

Overview:

  GitLab is web-based Git repository manager that includes additional features to handle all stages of the DevOps lifecycle including continuous integration and delivery, issue tracking, monitoring, and integration with many other applications. GitLab is built on several technologies including Ruby, Rails, Go, and Redis and is available as a free Community Edition or a paid Enterprise Edition.

  A stored cross-site scripting vulnerability has been reported in the Community edition and Enterprise edition of GitLab. The vulnerability is due to insufficient input sanitization of ipynb files.

  A remote, authenticated attacker can exploit these vulnerabilities with crafted requests to the target server. Successful exploitation could result in arbitrary script execution in the target user’s browser.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-39906.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 6.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C).

  Base score is 7.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is low.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is low.
    • Impact of this vulnerability on data integrity is low.
    • Impact of this vulnerability on data availability is low.
  Temporal score is 6.7 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  A stored cross-site scripting vulnerability exists in GitLab. The vulnerability is due to insufficient Jupyter notebook rendering sanitization. The HTML output of a command can contain SVG data with a use element referencing a GitLab icons SVG file on the GitLab server. The attribute sanitization does not normalize the path. The path to a valid SVG file can be used with a relative path to a crafted SVG appended that passes the sanitization check in isUrlAllowed(). The crafted SVG must be hosted in a repository on the same GitLab host.

  In the crafted SVG file, a foreignObject element can be used to inject arbitrary HTML after GitLab sanitization is performed. The SVG specification mentions that a referenced SVG XML should be cloned for use element processing, without an exclusion for foreignObject elements. However, the only browser engine that honours the cloning of foreignObject elements is Gecko. As a result, this XSS can only be triggered on Firefox browsers. The SVG Working Group has discussed removing foreignObject from the elements to clone from use referenced SVG files, but this is not yet written into the specification.

  A remote, authenticated attacker can exploit this vulnerability by creating crafted SVG and IPYNB files on the target server. Successful exploitation results in arbitrary script execution in the target user’s browser.

  Scalable Vector Graphics (SVG) 2, 5.6.1. The use-element shadow tree
  SVG Working Group GitHub repository, and Issue

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The attacker must have network connectivity to the affected ports.
  • The attacker must have authorized access to a user with permissions to create files in a project.

Triggering Conditions:

  The attacker will authenticate to the target system. Once authenticated, the attacker will create a malicious SVG and IPYNB file.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS

SonicWall’s, (IPS) Intrusion Prevention System, provides protection against this threat:

  • IPS: 705 GitLab ipynb Stored XSS 1

  • IPS: 18693 GitLab ipynb Stored XSS 2

  Please note that if your web service/server is accessible over HTTPS, then enabling of Server DPI-SSL is necessary for the above signature to detect exploits targeting this vulnerability.

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Updating the product by obtaining a new revision or applying the vendor supplied patch.
    • Filtering attack traffic using the signatures above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

Open source stealer malware, Mercurial, for "educational purposes" spotted in the wild

/in /by

The SonicWall Capture Labs threat research team has come across data theft malware derived from the Mercurial password stealer family.  This malware is open source and readily available on github for “educational purposes only”.  Because it is open source, it can be easily customized and deployed with little programming expertise necessary.  The malware is written in C# and is trivial to decompile.

 

Infection Cycle:

 

Upon infection, the malware copies itself to %APPDATA\Local\Temp\.  It also adds itself to the registry so that it is started after each reboot:

 

It scans the system for browser profile information:

 

In addition to searching for browser data, it also searches for Minecraft launch profile files and Discord Level DB files:

 

It contains a very basic level of antidebugging:

 

Any information that is gathered from the system is sent via an HTTP POST request to the operator:

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Blitzed.N (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Apache Log4j StrSubstitutor Vulnerability

/in /by

Overview:

  Apache Log4j is a logging library for Java. Log4j is a simple and flexible logging framework. With Log4j it is possible to enable logging at runtime without modifying the application binary. Apache Log4j is part of a project which is known as Apache Logging. The Log4j package is designed so that the logging statements can remain in shipped code without incurring a heavy performance cost. Logging behaviour can be controlled by editing a configuration file, without touching the application binary.

  An uncontrolled recursion vulnerability has been reported in the StrSubstitutor class of Apache Log4j. This vulnerability is due to improper handling of logged messages when the logging configuration uses a non-default Pattern Layout with a Context Map Lookup, Map Lookup, or Structured Data Lookup.

  A remote attacker who can control an item in the Thread Context Map or a MapMessage or StructuredDataMessage can exploit this vulnerability by sending a specially crafted parameter to the target application. Successful exploitation could result in a denial-of-service condition due to a crash of the Log4j service.

  Vendor: Logging Apache

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-45105

  See: CVE-ID

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C).

  Base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is none.
    • Impact of this vulnerability on data integrity is none.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 6.5 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  NVD CVSS Metrics

Technical Overview:

  An uncontrolled recursion vulnerability has been reported in the StrSubstitutor class of Apache Log4j. This vulnerability is due to improper handling of logged messages when the logging configuration uses a non-default Pattern Layout with a Context Map Lookup, Map Lookup, or Structured Data Lookup. When a variable is included in a lookup string, it is resolved by calling the substitute() method of the class org.apache.logging.log4j.core.lookup.StrSubstitutor.

  Once the marker for the end of a variable is found, the substitute() method is called recursively with the variable to be substituted. The method checkCyclicSubstitution() is called with each variable substitution, to detect infinite substitution loops. This method maintains a list of previously encountered variables in a variable named priorVariables. After the variable is resolved using the resolveVariable() method, the substitute() function is called recursively with the resolved content, to resolve any variables included in the result. However, when a variable is detected in the resolved content, substitute() is called recursively without supplying the priorVariables variable. Therefore, if a variable resolves to a nested lookup containing the same variable, it won’t be detected by the checkCyclicSubstitution() method, resulting in uncontrolled recursion.

  A remote attacker who can control an item in the Thread Context Map or a MapMessage or StructuredDataMessage can exploit this vulnerability by setting the item to an appropriate lookup containing a nested reference to itself. For example, if the attacker can control the value of the apiversion Thread Context Map item, they could set its value to the following string:

  

  Successful exploitation could result in a StackOverflowError due to uncontrolled recursion, leading to a denial of service condition due to a crash of the Log4j service.

Triggering the Problem:

  • The target must be running a vulnerable version of the software.
  • Target needs a non-default Pattern Layout with a Context Map Lookup, Map Lookup, or Structured Data Lookup.
  • Target must accept untrusted input within the Thread Context Map, MapMessage, or StructuredDataMessage.
  • The attacker must have network connectivity to the vulnerable server.

Triggering Conditions:

  The attacker sends a maliciously crafted parameter to the vulnerable server. The server adds the parameter to a Thread Context Map, MapMessage, or StructuredDataMessage and logs a message. The vulnerability is triggered when the server parses the lookup included in the parameter.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS

SonicWall’s, (IPS) Intrusion Prevention System, provides protection against this threat:

  • IPS:15738 Apache Log4j Self-Referential Lookup DoS (CVE-2021-45105) 1

  • IPS:15739 Apache Log4j Self-Referential Lookup DoS (CVE-2021-45105) 2

  • IPS:15740 Apache Log4j Self-Referential Lookup DoS (CVE-2021-45105) 3

  • IPS:18663 Apache Log4j Self-Referential Lookup DoS (CVE-2021-45105) 4

  Please note that if your web service/server is accessible over HTTPS, then enabling of Server DPI-SSL is necessary for the above signature to detect exploits targeting this vulnerability.

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Applying the vendor supplied patch.
    • Remove Context Map Lookups, Map Lookups, and Structured Data Lookups from the Apps Pattern Layout.
    • Detecting and blocking malicious traffic using the signature above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

Github hosted Android ransomware being misused in the wild

/in /by

Github is a platform which is commonly used to host open-source projects, many such projects are security focused. SonicWall Threats Research team recently identified an Android ransomware that was found to be hosted on Github as an educational project.

 

Initial Discovery

We identified an Android apk (MD5: 6dc068db642247295e96437d8aca60a0) as malicious and upon inspecting its code found some interesting breadcrumbs which led us to the Github repository which was the origin for this treat. A simple search for the package name for this threat – com.termuxhackers.id – led us to the following Github repository:

 

One of the repositories hosted here is SARA – Simple Android Ransomware Attack:

 

We identified a number of malicious apps on a number of platforms that were spawned using this codebase. A number of these apps are masquerading as popular legitimate applications, few are listed below:

We identified more than 200 apps that have been created using this codebase.

 

Creating the ransomware

While building the apk, this kit asks the user to enter an unlock code:

 

Once executed, a screen with user entered text is overlayed on the screen and the victim cannot use the phone. Strings present in the strings.xml in the app resource folders are used on the ransom screen.

 

 

The unlock key is hardcoded in plaintext within the apk. The unlock key is added by the user during the app creation:

 

We analyzed a bunch of malicious apks, one instance in particular stood out where the ransom demand was 50BTC:

 

Overall this repository was created and distributed on Github for what appears to be educational purposes. However we identified a high number of apps created using this repository with legitimate app icons and application names. Whether this was created as a prank, with malicious intentions or to legitimately learn how ransomware works is yet to be determined.

 

Sonicwall Capture Labs provides protection against this threat using the signature listed below:

  • AndroidOS.Termux.RSM

 

Indicators of Compromise:

  • 00dc92f14326c7b0e87e877bfd12a7df
  • 6b9157e059da44f13843e682ac3bcba7
  • 6dc068db642247295e96437d8aca60a0

Spam Campaign Roundup: Christmas Holiday 2021 Edition

/in /by

With Christmas weekend upon us and many are still looking for the best last-minute deals, we noticed we are receiving an increasing amount of holiday related spam emails. We have been monitoring the amount of spam emails received this month and we noticed a trend where the amount received increases during the weekends.  Not surprising since consumers are spending more time shopping online so cybercriminals have become more aggressive and creative with their tactics.

The following are some of the common email subjects:

  • Don’t Wait! 80% off Christmas Sale
  • Christmas Sale Find the Perfect Gifts Now
  • Congratulations! You can get <insert merchant> $50 gift card!
  • Save up to 80% off on the perfect gift for everyone
  • Get a Drone as a gift
  • Ahoy! Christmas Special!
  • Hottest Christmas Gifts of 2021

Most of these emails are purporting to come from popular department stores promising gift cards, that when clicked would take you to a URL different from the real merchant’s website. The consumer will then be asked to enter their personal information and to participate in a number of “offers” often costing money in fees or subscriptions without the guarantee of ever receiving the products and services or the free gift card at the end of the process.

Some new tactic observed this year was the use of shortened URL masking the real website address where the link would take you. Adding a layer of trickery, to fool users into following links they otherwise wouldn’t click.

Another new trick this year, was adding a captcha to determine whether the user is actually human or bot.

They now also add a countdown timer to increase urgency and drive victims to act.

Rewards are too good to be true.

In this example, the user is asked to pay for a small amount to ship the reward in exchange for their credit card information.

We urge our users to always be vigilant and cautious with any unsolicited email and to avoid providing any personal information, particularly if you are not certain of the source.

SonicWALL Capture Labs Gateway Antivirus and Email Security service constantly monitor and provide protection against such malicious spam and phishing threats.

 

Yealink Device Management Command Injection Vulnerability

/in /by

SonicWall Capture Labs threat research team observed attacks exploiting vulnerability in Yealink devices.

Yealink’s powerful GUI-driven Yealink Device Management Platform delivers a comprehensive set of tools for implementing up to 5,000 Microsoft-certified Yealink Skype for Business IP phones. The platform solves the complexities of provisioning, management, call quality control and troubleshooting. The solution allows system-wide oversight and the ability to drill down into specific needs for various regions, user groups or even a particular device model.

Yealink Device Management Command Injection Vulnerability | CVE-2021-27561
A command injection vulnerability exists in Yealink Device Management. It  allows command injection as root via the  URI, without authentication.

Yealink DM server does not filter the user provided data which allows remote unauthenticated attackers to execute arbitrary commands.

In the above exploit, the attacker is able to bypass authentication and download and execute malicious script from the attacker controlled server .

Following versions are vulnerable:

  • Yealink Device Management (DM) 3.6.0.20

SonicWall Capture Labs provides protection against this threat via following signatures:

      • IPS 15456:Yealink DM Remote Code Execution

IoCs

  • 03f37a12673fd7ad01b744f84b61aad062a5b6eafbeb7aeac4a00ef28159ad80
  • 203.159.80.241

Threat Graph

GarrantDecrypt ransomware operator charges $5000 for decryption. Price negotiable.

/in /by

The SonicWall Capture Labs threat research team has been tracking ransomware, known to some in the antivirus community as GarrantDecrypt.  The current variant of this ransomware appeared in late November 2021.  The malware is aimed at infecting casual PC users rather than large corporations.  The ransom charge for file decryption is relatively cheap at $5000 in BTC.  This is significantly lower than what we have seen with most ransomware and the price can be negotiated down further with the operator.

 

Infection Cycle:

 

Upon infection, files on the system are encrypted.  Each encrypted file is given a “.decrypt” extension.  #file.decrypt#.txt is dropped into every directory containing encrypted files:

 

#file.decrypt#.txt contains the following message:

 

The malware disables various security policies on the system.  This can be seen in the decompiled code:

 

Only the encryption routine is present in the malware.  Decryption requires a seperate program provided by the operator:

 

We reached out to file.decrypt@yahoo.com and had the following conversation with the operator who appears to be German:

 

 

After a brief negotiation, we were able to have the price reduced:

 

 

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: GarrantDecrypt.N (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

 

AveMaria RAT is being delivered using ISO files

/in /by

Threat actors are using low profile file type to propagate malware as they are overlooked by many security software. One of them is optical disk image (ISO image), which is treated as a trusted file type. ISO files are being abused by threat actors to deliver the payload to the victim’s machine, without being detected. SonicWall RTDMI ™ engine has recently detected a bunch of ISO files which execute AveMaria RAT on victim’s machine, are being delivered as an email attachment.

The malware also uses file extension (.scr) and long file name including many special characters, which can also work as an evasion technique for a few security software:

 

The ISO contains a .NET executable which performs 1.5 seconds sleep operation 9 times then downloads binary data from an URL. The download data is being reversed to create a valid AveMaria Dynamic Link Library (DLL) file:

 

AveMaria DLL now being executed by calling one of its exported function:

AveMaria RAT

AveMaria malware behaves as InfoStealer, KeyLogger and Remote Access Trojan (RAT).  By analyzing the code, it seems the malware is also working on modifying Remote Desktop Services (termsrv.dll) to allow concurrent access by multiple users. The malware steals data from various installed apps from the victim’s machine including Microsoft Outlook and Mozilla Thunderbird.

The malware copies RegAsm.exe into %temp% directory and execute it to inject malicious code into the process:

 

List of web browsers targeted by the malware to steal stored credentials:

  • Microsoft Edge
  • UC Browser
  • QQ Browser
  • Opera
  • Blisk
  • Chromium
  • Brave
  • Vivaldi
  • Comodo Dragon
  • Torch
  • SlimJet
  • CentBrowser

 

Only a few security providers are detecting the ISO file at the time of analysis in popular threat intelligence sharing portals like the VirusTotal and the ReversingLabs indicates its uniqueness and evasiveness:

 

Evidence of the detection by RTDMI ™ engine can be seen below in the Capture ATP report for this file:

Microsoft Security Bulletin Coverage for December 2021

/in /by

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of December 2021. A list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2021-41333 Windows Print Spooler Elevation of Privilege Vulnerability
ASPY 272:Malformed-File exe.MP_221

CVE-2021-43207 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 274:Malformed-File exe.MP_223

CVE-2021-43226 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 276:Malformed-File exe.MP_225

CVE-2021-43233 Remote Desktop Client Remote Code Execution Vulnerability
ASPY 273:Malformed-File exe.MP_222

CVE-2021-43883 Windows Installer Elevation of Privilege Vulnerability
ASPY 275:Malformed-File exe.MP_224

The following vulnerabilities do not have exploits in the wild :
CVE-2021-40441 Windows Media Center Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-40452 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-40453 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-41360 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-41365 Microsoft Defender for IoT Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-42293 Microsoft Jet Red Database Engine and Access Connectivity Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42294 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-42295 Visual Basic for Applications Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-42309 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-42310 Microsoft Defender for IoT Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-42311 Microsoft Defender for IoT Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-42312 Microsoft Defender for IOT Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42313 Microsoft Defender for IoT Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-42314 Microsoft Defender for IoT Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-42315 Microsoft Defender for IoT Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-42320 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-43214 Web Media Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-43215 iSNS Server Memory Corruption Vulnerability Can Lead to Remote Code Execution
There are no known exploits in the wild.
CVE-2021-43216 Microsoft Local Security Authority Server (lsasrv) Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-43217 Windows Encrypting File System (EFS) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-43219 DirectX Graphics Kernel File Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-43222 Microsoft Message Queuing Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-43223 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-43224 Windows Common Log File System Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-43225 Bot Framework SDK Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-43227 Storage Spaces Controller Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-43228 SymCrypt Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-43229 Windows NTFS Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-43230 Windows NTFS Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-43231 Windows NTFS Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-43232 Windows Event Tracing Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-43234 Windows Fax Service Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-43235 Storage Spaces Controller Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-43236 Microsoft Message Queuing Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-43237 Windows Setup Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-43238 Windows Remote Access Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-43239 Windows Recovery Environment Agent Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-43240 NTFS Set Short Name Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-43242 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-43243 VP9 Video Extensions Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-43244 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-43245 Windows Digital TV Tuner Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-43246 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-43247 Windows TCP/IP Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-43248 Windows Digital Media Receiver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-43255 Microsoft Office Trust Center Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-43256 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-43875 Microsoft Office Graphics Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-43877 ASP.NET Core and Visual Studio Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-43880 Windows Mobile Device Management Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-43882 Microsoft Defender for IoT Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-43888 Microsoft Defender for IoT Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-43889 Microsoft Defender for IoT Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-43891 Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-43893 Windows Encrypting File System (EFS) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-43896 Microsoft PowerShell Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-43899 Microsoft 4K Wireless Display Adapter Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-43905 Microsoft Office app Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-43907 Visual Studio Code WSL Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.