Microsoft Security Bulletin Coverage for August 2021

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of August 2021. A list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2021-26432 Windows Services for NFS ONCRPC XDR Driver Remote Code Execution Vulnerability
IPS 2045: Windows NFS Remote Code Execution (CVE-2021-26432)

CVE-2021-34480 Scripting Engine Memory Corruption Vulnerability
IPS 2044: Scripting Engine Memory Corruption Vulnerability (CVE-2021-34480)

CVE-2021-34535 Remote Desktop Client Remote Code Execution Vulnerability
ASPY 207: Malformed-File exe.MP.197

CVE-2021-36948 Windows Update Medic Service Elevation of Privilege Vulnerability
ASPY 208: Malformed-File exe.MP.198

The following vulnerabilities do not have exploits in the wild:
CVE-2021-26423 .NET Core and Visual Studio Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-26424 Windows TCP/IP Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-26425 Windows Event Tracing Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26426 Windows User Account Profile Picture Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26428 Azure Sphere Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-26429 Azure Sphere Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26430 Azure Sphere Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-26431 Windows Recovery Environment Agent Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26433 Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-33762 Azure CycleCloud Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34471 Microsoft Windows Defender Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34478 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34483 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34484 Windows User Profile Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34485 .NET Core and Visual Studio Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-34486 Windows Event Tracing Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34487 Windows Event Tracing Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34524 Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34530 Windows Graphics Component Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34532 ASP.NET Core and Visual Studio Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-34533 Windows Graphics Component Font Parsing Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34534 Windows MSHTML Platform Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34536 Storage Spaces Controller Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34537 Windows Bluetooth Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-36926 Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-36927 Windows Digital TV Tuner device registration application Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-36932 Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-36933 Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-36936 Windows Print Spooler Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-36937 Windows Media MPEG-4 Video Decoder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-36938 Windows Cryptographic Primitives Library Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-36940 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-36941 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-36942 Windows LSA Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-36943 Azure CycleCloud Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-36945 Windows 10 Update Assistant Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-36946 Microsoft Dynamics Business Central Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2021-36947 Windows Print Spooler Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-36949 Microsoft Azure Active Directory Connect Authentication Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-36950 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
There are no known exploits in the wild.

Advantech R-SeeNet ping.php Command Injection Vulnerability

Overview:

  Advantech R-SeeNet is a monitoring application that runs on a server and collects information from routers, stores it, processes it and presents it to a network administrator. R-SeeNet consists of two parts: the R-SeeNet server and the R-SeeNet PHP web-based application. The R-SeeNet server is the non-visible part responsible for querying the routers and gathering information; it also stores the recorded information in a MySQL database. The R-SeeNet PHP web-based application is responsible for showing both individual statistics and the status of the whole network.

  A command injection vulnerability has been reported in Advantech R-SeeNet. The vulnerability is due to insufficient validation of the hostname parameter in ping.php.

  A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted request to the target system. Successful exploitation could result in arbitrary command execution in the security context of the web server on the target server.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-21805.

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C).

  Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 9.4 (E:P/RL:U/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is unavailable.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  The R-SeeNet web application server can send ping packets to other devices and report their status when it receives a request to the "ping.php" endpoint whose hostname parameter value contains the IP address or host name of a remote device.

  A command injection vulnerability exists in Advantech R-SeeNet. When processing a request submitted to the ping.php endpoint, ping.php first checks whether it is running on a Windows platform. If not, it constructs a ping command-line string as below:

  ping -c 5 -s 64 -t 64 hostname

  Where hostname is the value of the hostname request parameter. It then uses the PHP popen() function to execute the constructed ping command-line string and read its output.

  However, ping.php does not sanitize the hostname parameter before using it to construct the ping command-line string. An attacker can submit a malicious command embedded in the value of the hostname parameter to the target server; the malicious command is then appended to the constructed ping command-line string. This allows the execution of arbitrary commands on the underlying system when ping.php calls PHP popen() to run the ping command-line string.

  A remote, unauthenticated attacker can exploit the vulnerability by sending crafted requests to the server. Successful exploitation could result in arbitrary command execution with web server privileges on the target server.
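As an added example (not R-SeeNet's own code, which is PHP and is not shown on this page), the following Python sketches the hardened handling the description implies: an allow-list check on the hostname value, the ping command built as an argument list instead of a shell string, and a log check that flags ping.php requests whose hostname parameter fails that allow-list. The hostname parameter name and the ping options are taken from the page; the request lines, the endpoint path and the function names are constructed.

```python
import ipaddress
import re
import subprocess
from urllib.parse import parse_qs, urlsplit

# RFC 1123 host name: dot-separated labels of letters, digits and hyphens.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")


def is_valid_target(value: str) -> bool:
    """Allow-list check: accept only an IP literal or an RFC 1123 host name.

    Anything else (spaces, quotes, ';', '|', '&', '$', backticks, ...) is
    rejected outright, so shell metacharacters never reach command building."""
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return _HOSTNAME_RE.fullmatch(value) is not None


def build_ping_command(hostname: str) -> list:
    """Return the page's 'ping -c 5 -s 64 -t 64 hostname' as an argv list.

    Passing a list to subprocess (no shell) is the Python analogue of fixing
    the popen() call: the host name is a single argument and cannot append a
    second command.  In PHP the equivalent is validating the value and then
    wrapping it with escapeshellarg() before building the command string."""
    if not is_valid_target(hostname):
        raise ValueError(f"rejected hostname value: {hostname!r}")
    return ["ping", "-c", "5", "-s", "64", "-t", "64", hostname]


def run_ping(hostname: str) -> str:
    """Run the validated ping command without a shell and return its output."""
    argv = build_ping_command(hostname)
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout


def suspicious_ping_requests(request_lines):
    """Detection side: flag ping.php requests whose hostname value fails the
    allow-list.  Each line is 'METHOD /path?query' (access-log style)."""
    hits = []
    for line in request_lines:
        _method, _, target = line.partition(" ")
        parts = urlsplit(target)
        if not parts.path.lower().endswith("/ping.php"):
            continue
        for value in parse_qs(parts.query).get("hostname", []):
            if not is_valid_target(value):
                hits.append((target, value))
    return hits


# Constructed sample requests (not from the page); the path is a placeholder.
SAMPLE_REQUESTS = [
    "GET /ping.php?hostname=192.0.2.10",
    "GET /ping.php?hostname=router1.example.net",
    "GET /ping.php?hostname=192.0.2.10%3Btrue",   # ';' smuggled in the value
    "GET /index.php?hostname=192.0.2.10%3Btrue",  # not the ping endpoint
]

if __name__ == "__main__":
    for target, value in suspicious_ping_requests(SAMPLE_REQUESTS):
        print(f"flagged {target}: hostname={value!r}")
```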

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The attacker must have network connectivity to the affected ports.

Triggering Conditions:

  The attacker sends an HTTP request containing maliciously crafted parameters to the target server. The vulnerability is triggered when the server processes the request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP, over port 80/TCP

SonicWall's Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 15657 Advantech R-SeeNet ping.php Command Injection 1

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Blocking the affected ports from external network access if they are not required.
    • Filtering traffic based on the signature above.
  The vendor has not released any advisory regarding this vulnerability.

3S Smart Software Solutions CoDeSys Vulnerability

Overview:

  3S Smart Software Solutions CoDeSys is an IEC 61131-compliant PLC program development environment for multiple programming languages. CoDeSys supports PLC devices from over 250 device manufacturers. The CoDeSys Gateway Server is a service which facilitates enumeration, programming and interaction over TCP with devices, which themselves do not feature network connectivity.

  A stack buffer overflow vulnerability exists in 3S Smart Software CoDeSys. The vulnerability is due to insufficient boundary checking when parsing requests and allows overflowing a stack buffer with an overly long string.

  A remote unauthenticated attacker could exploit this vulnerability by sending crafted requests to the vulnerable service on ports 1211/TCP and 1210/TCP. Successful exploitation could result in code execution with SYSTEM privileges. Unsuccessful attack attempts could cause the affected service to terminate abnormally, causing a denial of service (DoS) condition.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2012-4708.

Common Vulnerability Scoring System (CVSS):

  Base score is 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C), based on the following metrics:
    • Access vector is network.
    • Access complexity is low.
    • Level of authentication required is none.
    • Impact of this vulnerability on data confidentiality is complete.
    • Impact of this vulnerability on data integrity is complete.
    • Impact of this vulnerability on data availability is complete.
  Temporal score is 7.4 (E:U/RL:OF/RC:C), based on the following metrics:
    • The exploitability level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  While the IEC 61131 specification is not publicly available, the file service related requests (opcodes 0x04, 0x06 and 0x03F1) sent to the Gateway Server over ports TCP/1211 and TCP/1210 have the following general structure:

  All multi-byte integers are in little-endian byte order.

  An opcode 0x06 request, GS_PUT_File, can be used to upload a file to the base directory on a CoDeSys server. The contents of the file are sent in the FileContent field of an opcode 0x06 request. If the request is for a Filename that already exists on the server, the contents of the existing file are replaced by the new contents sent within the request.

  A stack buffer overflow vulnerability exists in the 3S CoDeSys Gateway Server. The vulnerability is due to insufficient validation of the length of the Filename string within opcode 0x04, 0x06 and 0x03F1 requests. The vulnerable code appends the user-controlled Filename to the base directory string "C:\WINDOWS\Gateway Files" and then copies the whole path string into one of three fixed-size stack buffers. Depending on the opcode of the request, the vulnerable code uses a stack buffer of the following size:

    • 0x1c0 (448) bytes for the opcode 0x03F1.
    • 0x128 (296) bytes for the opcode 0x06.
    • 0x210 (528) bytes for the opcode 0x04.

  The vulnerable function uses 36 (0x24) bytes of the allocated space for other purposes. Providing an overly long Filename overflows the stack buffer, overwriting other data on the stack, including the return address and the SEH.

  A remote, unauthenticated attacker can exploit this vulnerability by sending a malicious opcode 0x04, 0x06 or 0x03F1 request to a vulnerable server. Successful exploitation would allow the attacker to execute arbitrary code in the security context of the affected service, which is SYSTEM. If the attack fails, the service may terminate abnormally, leading to a denial-of-service condition.

Triggering the Problem:

  • The target host must have the vulnerable version of the software installed and running.
  • The attacker must have network connectivity to the target server.

Triggering Conditions:

  An attacker connects to the server and sends a crafted request containing a malicious Filename to the target host. The vulnerability is triggered when the affected product parses the malicious request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • 3S Smart Software Solutions CoDeSys Gateway Server Protocol, over port 1210/TCP
    • 3S Smart Software Solutions CoDeSys Gateway Server Protocol, over port 1211/TCP

SonicWall's Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 4888 CODESYS Gateway Server Buffer Overflow 1

Remediation Details:

  Listed below are a number of actions that may be taken in order to minimize or eliminate the risks:
    • Upgrade to a non-vulnerable version of the product.
    • Restrict network access to the vulnerable ports to trusted hosts only.
    • Filter attack traffic using the IPS signature above.
  The vendor has released a security patch that mitigates this vulnerability (requires customer login):
  Vendor Advisory

Rise of Android malware masquerading under Covid-related themes

Malware writers often use trending topics to disguise their malicious creations. Ever since early 2020, the Covid-19 pandemic has given malware writers and scammers fuel to use Covid-related themes to hide malicious applications. The SonicWall Threats Research team has been observing Covid-related Android malware since mid-2020. This blog highlights how Android malware trends have corresponded with the rise in Covid-related mortality rates in different parts of the world.

The graph below shows Covid-related deaths in different parts of the world between April 2020 and July 2021; peaks were visible in the following months:

  • March, 2020
  • August-September, 2020
  • November-December, 2020
  • January, 2021
  • May-June, 2021

Covid related Android malware trends – 2020

  • Keywords – Coronavirus, Covid

The graph below shows malicious Android apps whose application name and package name contain the keywords Coronavirus and Covid. This graph has a few peaks that coincide with those in the graph of Covid-related deaths seen worldwide.

 

  • Keywords – Temperature, Meeting

Working from home became common practice for much of the workforce around the world, and online meeting apps became very popular as a result. Correspondingly, we see the number of malicious Android apps with names related to online meetings rise during a few months that coincide with peaks in Covid-related infections.

During the first peak in March, high body temperature was one of the main symptoms of Covid infection; as a result, malicious apps that claim to check body temperature also became popular among malware writers. The peak in the number of fake temperature-related malicious Android apps coincides with the first graph of Covid-related infections.

 

Covid related Android malware trends – 2021

  • Keywords – Vaccination

Vaccinations started in the early months of 2021 all over the world and slowly ramped up as time progressed. Shortly afterwards, as anticipated, we started seeing vaccination-themed malicious Android apps.

 

Covid related Government Apps

Countries all around the world developed apps on multiple platforms to monitor and trace people who became infected during the pandemic. Unsurprisingly, malware writers used this opportunity to disguise malicious apps using the names of legitimate government applications. Below are malicious counterparts of legitimate government apps:

 

Among the government Covid-related apps, Aarogya Setu from India was the one masqueraded the most. We have seen malicious apps passed off as Aarogya Setu apps in both 2020 and 2021:

 

It is safe to say that Covid has been a very lucrative topic for malware writers, who have used this label to hide their malicious creations. While the pandemic is far from over, Covid-related malware is expected to keep rising as time passes.

SonicWall Capture Labs provides protection against multiple threats associated with Covid-related Android malware; some of the signatures are listed below:

  • AndroidOS.Cerberus.COVID
  • AndroidOS.Cerberus.COVID_2
  • AndroidOS.HiddenAd.COVID
  • AndroidOS.CoronaTracker.BNK
  • AndroidOS.Corona.IR
  • AndroidOS.Corona.IR_3
  • AndroidOS.CoronaVirus.Spy
  • AndroidOS.Banker.COVID_2
  • AndroidOS.CoronaTracker.RSM

 


Cisco ASA Cross Site Scripting Vulnerability

Cisco Adaptive Security Appliance XSS is being exploited in the wild.

The Cisco ASA Family of security devices protects corporate networks and data centers of all sizes. Cisco Adaptive Security Appliance (ASA) Software is the core operating system for the Cisco ASA Family. It delivers enterprise-class firewall capabilities for ASA devices in an array of form factors – standalone appliances, blades, and virtual appliances – for any distributed network environment. ASA Software also integrates with other critical security technologies to deliver comprehensive solutions that meet continuously evolving security needs.

A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web services interface of an affected device.

The vulnerability is due to insufficient validation of user-supplied input by the web services interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or to access sensitive, browser-based information.

Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user.

XSS attacks abuse the dynamic way websites interact with browsers. They make it possible for an attacker to control the victim's browser and the victim's interaction with a given vulnerable website. When a flawed application displays back content provided or controlled by a user, such as a URL parameter or an input field, it opens the door to manipulation of that content.

Cisco Adaptive Security Appliance XSS | CVE-2020-3580

When a website or application simply reflects back content maliciously manipulated by the user, this is called a reflected XSS attack. The reflected content affects the way the browser displays the page and how it processes content and behaves.

To exploit the Cisco ASA vulnerability, the attacker abuses the onload event of an svg tag. Since the interface does not properly sanitize the input, the injected event handler code (for example an alert() call) is reflected back to the user and executed in the browser.

Authentication is not needed to exploit this vulnerability. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or to access sensitive, browser-based information such as the user's session cookie, allowing the attacker to hijack the user's session and take over the account. A successful exploit could also lead to the disclosure of end-user files, installation of Trojan horse programs, redirection of the user to another page or site, or modification of the presentation of content.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • IPS 15614: Cisco Adaptive Security Appliance XSS

The following versions are vulnerable:

  • Earlier than 9.61
  • 9.61
  • 9.71
  • 9.8
  • 9.9
  • 9.101
  • 9.12
  • 9.13
  • 9.14
  • 9.15

Cisco has patched this vulnerability.

Threat Graph

Metamorfo Banking Malware Abusing Nvidia Executable

The SonicWall Threats Research team has observed a highly obfuscated batch (BAT) file inside an archive that is downloaded to the victim's machine. The BAT file executes a PowerShell script that downloads an archive file containing the Metamorfo banking malware. The archive also contains other genuine files, including the NVIDIA Smart Maximise Helper Host executable, which the malware abuses to load the Metamorfo banking trojan through Dynamic Link Library (DLL) search order hijacking.

 

BATCH SCRIPT:

The batch script creates the folder C:\ProgramData\Adobe-Fireworks-_<randombytes>, if it does not already exist, and executes the PowerShell script to download the archive file:

PowerShell Script:

The PowerShell script downloads an archive file from the Uniform Resource Locator (URL) "h[t][t]ps://diasdegloria.s3.sa-east-1.amazonaws.com/voolivre-gelopanama-v1.artcos-78.docx" to C:\ProgramData\Adobe-Fireworks-_<randombytes>\Adobe-Fireworks-_<randombytes>.zip; however, the URL is updated frequently by the malware author.

The archive contains the Metamorfo banking trojan NvSmartMax.dll and a number of genuine files, including the NVIDIA Smart Maximise Helper Host executable, libeay32.dll, ssleay32.dll and others. The PowerShell script executes the NVIDIA Smart Maximise Helper Host executable, which loads the Metamorfo banking trojan NvSmartMax.dll from the current working directory.

Metamorfo Execution:

The malware uses the common technique of DLL injection to inject itself into the Internet Explorer executable. The DLL injection technique involves the following API sequence:

  • CreateProcessW: creates an Internet Explorer process in suspended mode.
  • VirtualAllocEx: allocates 1000 bytes in the newly created Internet Explorer process.
  • WriteProcessMemory: writes the NvSmartMax.dll path to the allocated memory.
  • CreateRemoteThread: calls the API with the address of LoadLibraryW as the thread start routine, passing the address of the written NvSmartMax.dll path as the parameter.

 

Registry modifications:

The malware makes the following persistence entry:

The malware also makes a few other entries under HKEY_CURRENT_USER\Control Panel, which appears to be the malware's configuration storage location, as it also looks for the HKCU\Control Panel\newprogram registry value:

 

File modifications:

The malware looks for the following files on the victim's machine:

  • C:\ProgramData\Adobe-Fireworks-_66c\Adobe-Fireworks-_66c.cab
  • C:\ProgramData\Adobe-Fireworks-_66c\mreb.xml
  • C:\ProgramData\Adobe-Fireworks-_66c\mreboot
  • C:\mreboot
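As an added example (not SonicWall's or the malware's code), the Python below checks Sysmon-style events for the behaviours described above: a process or DLL running from the Adobe-Fireworks-_ staging folder, a remote thread in Internet Explorer starting at LoadLibraryW, a write to HKCU\Control Panel\newprogram, and creation of the marker files listed. The Sysmon event IDs and field names are real, but the log lines are constructed in a simplified key=value form, and the NVIDIA helper executable's file name is a placeholder because the page does not give it.

```python
import re

# Staging folder the batch script creates; the random suffix varies per sample.
STAGING_DIR_RE = re.compile(r"^C:\\ProgramData\\Adobe-Fireworks-_[^\\]+\\", re.IGNORECASE)
# Sysmon renders HKCU as HKU\<SID>; accept both spellings.
NEWPROGRAM_RE = re.compile(r"^(?:HKCU|HKU\\[^\\]+)\\Control Panel\\newprogram$", re.IGNORECASE)


def parse_event(line: str) -> dict:
    """Parse one 'Key=Value|Key=Value' line into a dict (first '=' splits)."""
    event = {}
    for field in line.split("|"):
        key, sep, value = field.partition("=")
        if sep:
            event[key.strip()] = value.strip()
    return event


def classify(event: dict):
    """Return a reason string if the event matches a Metamorfo behaviour, else None."""
    eid = event.get("EventID")
    # Sysmon 1: process creation from the staging folder (the abused NVIDIA host).
    if eid == "1" and STAGING_DIR_RE.match(event.get("Image", "")):
        return "process started from Adobe-Fireworks-_ staging folder"
    # Sysmon 7: NvSmartMax.dll resolved from the working directory, not an install path.
    loaded = event.get("ImageLoaded", "")
    if eid == "7" and loaded.lower().endswith("\\nvsmartmax.dll") and STAGING_DIR_RE.match(loaded):
        return "NvSmartMax.dll loaded from staging folder (DLL search order hijack)"
    # Sysmon 8: CreateRemoteThread into iexplore.exe with LoadLibraryW as start routine.
    if (eid == "8" and event.get("TargetImage", "").lower().endswith("\\iexplore.exe")
            and event.get("StartFunction") == "LoadLibraryW"):
        return "remote thread in Internet Explorer starting at LoadLibraryW (DLL injection)"
    # Sysmon 13: registry value set under Control Panel used as configuration storage.
    if eid == "13" and NEWPROGRAM_RE.match(event.get("TargetObject", "")):
        return "write to HKCU\\Control Panel\\newprogram (malware configuration value)"
    # Sysmon 11: marker files in the staging folder or C:\mreboot.
    target_file = event.get("TargetFilename", "")
    if eid == "11" and (STAGING_DIR_RE.match(target_file) or target_file.lower() == "c:\\mreboot"):
        return "Metamorfo marker file created"
    return None


def scan(lines):
    """Return (EventID, reason) for every event that matches a rule."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reason = classify(event)
        if reason:
            hits.append((event.get("EventID"), reason))
    return hits


# Constructed sample events (not real telemetry).  The helper executable's
# file name is a placeholder; the page only calls it the NVIDIA Smart
# Maximise Helper Host.
SAMPLE_EVENTS = [
    r"EventID=1|Image=C:\ProgramData\Adobe-Fireworks-_66c\NvidiaHelperHost_PLACEHOLDER.exe",
    r"EventID=7|Image=C:\ProgramData\Adobe-Fireworks-_66c\NvidiaHelperHost_PLACEHOLDER.exe|ImageLoaded=C:\ProgramData\Adobe-Fireworks-_66c\NvSmartMax.dll",
    r"EventID=8|SourceImage=C:\ProgramData\Adobe-Fireworks-_66c\NvidiaHelperHost_PLACEHOLDER.exe|TargetImage=C:\Program Files\Internet Explorer\iexplore.exe|StartFunction=LoadLibraryW",
    r"EventID=13|TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Control Panel\newprogram",
    r"EventID=11|TargetFilename=C:\ProgramData\Adobe-Fireworks-_66c\mreb.xml",
    r"EventID=11|TargetFilename=C:\mreboot",
    # benign noise that must not match
    r"EventID=1|Image=C:\Windows\System32\notepad.exe",
    r"EventID=13|TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Control Panel\Desktop\WallPaper",
    r"EventID=11|TargetFilename=C:\Users\alice\Documents\notes.txt",
]

if __name__ == "__main__":
    for eid, reason in scan(SAMPLE_EVENTS):
        print(f"event {eid}: {reason}")
```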

 

The Metamorfo banking trojan primarily targets citizens of Brazil or Portugal. It initially abused an AVAST executable but has recently started abusing the NVIDIA executable. The SonicWall threat research team is continuously monitoring the distribution of the Metamorfo banking trojan.

 

The unavailability of the archive file in any of the popular threat intelligence sharing portals, such as VirusTotal and ReversingLabs, indicates its uniqueness and limited distribution:

 

Evidence of detection by the RTDMI™ engine can be seen below in the Capture ATP report for this file:

Microsoft Security Bulletin Coverage for July 2021

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft's security advisories for the month of July 2021. A list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2021-31979 Windows Kernel Elevation of Privilege Vulnerability
ASPY 197: Malformed-File exe.MP.195

CVE-2021-33771 Windows Kernel Elevation of Privilege Vulnerability
ASPY 198: Malformed-File exe.MP.196

CVE-2021-34448 Scripting Engine Memory Corruption Vulnerability
IPS 15631: Scripting Engine Memory Corruption Vulnerability (CVE-2021-34448)

CVE-2021-34449 Win32k Elevation of Privilege Vulnerability
ASPY 185: Malformed-File exe.MP.184

CVE-2021-34467 Microsoft SharePoint Server Remote Code Execution Vulnerability
IPS 15630: Microsoft SharePoint Server Remote Code Execution (CVE-2021-34467)

CVE-2021-34473 Microsoft Exchange Server Remote Code Execution Vulnerability
IPS 15632: Microsoft Exchange Server Remote Code Execution (CVE-2021-34473)

CVE-2021-34527 Windows Print Spooler Remote Code Execution Vulnerability
IPS 15622: Print Spooler AddPrinterDriverEx Request

Adobe Coverage:
CVE-2021-28640 Acrobat Reader Use After Free
ASPY 195: Malformed-File pdf.MP.476

CVE-2021-28635 Acrobat Reader Use After Free
ASPY 196: Malformed-File pdf.MP.477

The following vulnerabilities do not have exploits in the wild:
CVE-2021-31183 Windows TCP/IP Driver Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-31196 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31206 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31947 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31961 Windows InstallService Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31984 Power BI Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-33740 Windows Media Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-33743 Windows Projected File System Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-33744 Windows Secure Kernel Mode Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-33745 Windows DNS Server Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-33746 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-33749 Windows DNS Snap-in Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-33750 Windows DNS Snap-in Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-33751 Storage Spaces Controller Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-33752 Windows DNS Snap-in Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-33753 Microsoft Bing Search Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-33754 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-33755 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-33756 Windows DNS Snap-in Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-33757 Windows Security Account Manager Remote Protocol Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-33758 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-33759 Windows Desktop Bridge Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-33760 Media Foundation Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-33761 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-33763 Windows Remote Access Connection Manager Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-33764 Windows Key Distribution Center Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-33765 Windows Installer Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-33766 Microsoft Exchange Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-33767 Open Enclave SDK Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-33768 Microsoft Exchange Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-33772 Windows TCP/IP Driver Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-33773 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-33774 Windows Event Tracing Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-33775 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-33776 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-33777 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-33778 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-33779 Windows ADFS Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-33780 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-33781 Active Directory Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-33782 Windows Authenticode Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-33783 Windows SMB Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-33784 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-33785 Windows AF_UNIX Socket Provider Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-33786 Windows LSA Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-33788 Windows LSA Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-34438 Windows Font Driver Host Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34439 Microsoft Windows Media Foundation Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34440 GDI+ Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-34441 Microsoft Windows Media Foundation Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34442 Windows DNS Server Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-34444 Windows DNS Server Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-34445 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34446 Windows HTML Platform Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-34447 Windows MSHTML Platform Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34450 Windows Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34451 Microsoft Office Online Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-34452 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34454 Windows Remote Access Connection Manager Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-34455 Windows File History Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34456 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34457 Windows Remote Access Connection Manager Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-34458 Windows Kernel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34459 Windows AppContainer Elevation Of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34460 Storage Spaces Controller Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34461 Windows Container Isolation FS Filter Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34462 Windows AppX Deployment Extensions Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34464 Microsoft Defender Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34466 Windows Hello Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-34468 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34469 Microsoft Office Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-34470 Microsoft Exchange Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34474 Dynamics Business Central Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34476 Bowser.sys Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-34477 Visual Studio Code .NET Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34479 Microsoft Visual Studio Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-34488 Windows Console Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34489 DirectWrite Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34490 Windows TCP/IP Driver Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-34491 Win32k Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-34492 Windows Certificate Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-34493 Windows Partition Management Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34494 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34496 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-34497 Windows MSHTML Platform Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34498 Windows GDI Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34499 Windows DNS Server Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-34500 Windows Kernel Memory Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-34501 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34503 Microsoft Windows Media Foundation Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34504 Windows Address Book Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34507 Windows Remote Assistance Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-34508 Windows Kernel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34509 Storage Spaces Controller Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-34510 Storage Spaces Controller Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34511 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34512 Storage Spaces Controller Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34513 Storage Spaces Controller Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34514 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34516 Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34517 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-34518 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34519 Microsoft SharePoint Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-34520 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34521 Raw Image Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34522 Microsoft Defender Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34523 Microsoft Exchange Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34525 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34528 Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34529 Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.

Spammers piggybacking on the Kaseya server exploit

The recent Kaseya VSA server exploit incident has given cybercriminals an opportunity to distribute fake Kaseya update programs. An unsuspecting user is tricked into downloading a program that appears to come from Kaseya but in fact runs malware.

Infection Cycle:

This Trojan arrives via a spam campaign. A user might receive an email similar to this screenshot below:

It purports to come from Kaseya’s “response team” and offers a download link to a tool described as a “critical fix” for the recently reported issue. The link text makes the tool appear to be hosted on the legitimate Kaseya.com website, but clicking it leads to a different URL. Discord has been a popular choice for hosting malicious payloads lately.
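
The gap between what the link text shows and where the href really points is the detail worth checking mechanically. The following is an added example, not code from the original post: it parses an email body for anchors whose visible text names one domain while the href points at another. The sample HTML, its URLs and the Discord attachment path are constructed for the example, and the registered-domain logic is a deliberate simplification (last two labels) that would need a public-suffix list to handle domains such as co.uk.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None      # href of the <a> currently open, else None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; bare 'host/path' text is treated as http://host/path."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def registered_domain(host):
    """Simplification (assumption): the last two labels, e.g. www.kaseya.com -> kaseya.com."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def mismatched_links(html_body):
    """Return (visible_text, real_host) for links whose text shows a URL or hostname
    belonging to a different registered domain than the one the href points to."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        looks_like_url = "." in text and " " not in text   # plain words make no claim about a host
        if not looks_like_url:
            continue
        shown, real = host_of(text), host_of(href)
        if shown and real and registered_domain(shown) != registered_domain(real):
            findings.append((text, real))
    return findings


# Constructed sample lure in the style of the campaign described above (not the real email)
SAMPLE_EMAIL = """
<p>Kaseya response team: a critical fix for the reported VSA issue is now available.</p>
<p>Download: <a href="https://cdn.discordapp.com/attachments/0/0/fix.exe">https://www.kaseya.com/critical-fix</a></p>
<p>Support: <a href="https://helpdesk.kaseya.com/">helpdesk.kaseya.com</a></p>
<p><a href="https://www.kaseya.com/">Kaseya website</a></p>
"""

if __name__ == "__main__":
    for shown, real in mismatched_links(SAMPLE_EMAIL):
        print(f"link text claims {shown!r} but resolves to host {real!r}")
```

Only the first link is reported: its text claims kaseya.com while the href host is under discordapp.com. The support link is not flagged because text and href share a registered domain, and the last link is skipped because plain words do not assert a destination.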

The malware uses a legitimate-sounding filename, but this particular sample has the following file properties:

Upon execution, the malware goes through the registry and appears to be scoping the system, looking through system policies and services. Many of the keys it queries are very specific and were not present on our test system.

It then goes on to download another file.

It then intermittently keeps connecting to a remote server.

Since there is no official fix from Kaseya yet, some users might fall for this in an attempt to protect their networks from becoming the target of a possible attack. Kaseya has issued a statement reminding customers not to click on any link unless they are certain of its source.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Malagent.FT (Trojan)

This threat is also detected by SonicWall Capture ATP with Real-Time Deep Memory Inspection (RTDMI) and the Capture Client endpoint solutions.

Oracle Endeca Server RCE Vulnerability

Overview:

  Oracle Endeca Server is a hybrid search-analytical database. It organizes complex and varied data from disparate source systems into a flexible data model that reduces the need for upfront modeling. Oracle Endeca Server is designed for discovery. Through its flexible data model, columnar storage, and in-memory analytics, it unifies search, navigation, and analytics to deliver fast answers on structured and unstructured data.

  A command execution vulnerability exists in Oracle Endeca Server. The vulnerability is due to the controlSoapBinding web service exposing the createDataStore method, which contains a flaw that allows the injection of arbitrary commands.

  A remote, unauthenticated attacker could exploit this vulnerability by sending a specially crafted request to the affected server. Successful exploitation could result in arbitrary command execution with elevated privileges.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2013-3763.

Common Vulnerability Scoring System (CVSS):

  Base score is 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C), based on the following metrics:
    • Access vector is network.
    • Access complexity is low.
    • Level of authentication required is none.
    • Impact of this vulnerability on data confidentiality is complete.
    • Impact of this vulnerability on data integrity is complete.
    • Impact of this vulnerability on data availability is complete.
  Temporal score is 8.3 (E:F/RL:OF/RC:C), based on the following metrics:
    • The exploitability level of this vulnerability is functional.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  Oracle Endeca Server uses commands to manage the database. The command-line interface executes commands in a remote system by sending a SOAP request. SOAP (Simple Object Access Protocol) is a specification for exchanging information with web services. Messages are sent over HTTP using a POST request using XML (eXtensible Markup Language) to structure the data.

  A typical request sent to the SOAP interface will have the following structure:

  A command execution vulnerability exists in Oracle Endeca Server. The vulnerability is due to insufficient validation of SOAP requests sent to the target server. When the vulnerable web application, endeca-server-7.4.war, receives a createDataStore request from the user, it uses the value of the dataStoreConfig element as the parameters to pass to external commands. Inside dataStoreConfig there may be a dataFiles element; if it is absent, the server uses the value of the name element to build a dataFiles variable. The web application then uses this variable to build an external command line.

  The parameters are not sanitized before they are used. If the value of name or dataFiles includes a double quote character (") (which may be entity-encoded as &quot;, &#34; or &#x22;), the vulnerable program interprets the double quote as the terminator of the quoted string and treats the rest of the parameter as a continuation of the command line. If the remaining string contains characters that serve as command separators on the target operating system (such as ampersand “&”, pipe “|”, backtick “`”, a dollar-parenthesis sequence “$(” or a semicolon “;”), it is possible to inject a shell command and execute it on the target system.

  By crafting a malicious request, a remote, unauthenticated attacker can exploit this vulnerability to execute arbitrary commands on the affected system. The executed commands run in the security context of SYSTEM.
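
  To make the trigger condition concrete, the following is an added example (not Oracle's code and not the IPS signature) that inspects a createDataStore SOAP request the way a filter in front of port 7770/TCP might: it extracts the name and dataFiles values, falls back from a missing dataFiles to name as described above, and flags any value in which a double quote is followed by one of the separators listed above. The envelope layout and the control namespace URI in the sample messages are constructed for the example; entity-encoded quotes are decoded by the XML parser, which gives the same view the server gets.

```python
import xml.etree.ElementTree as ET

# Separators named in the text above; any one after a closing quote can start a new command
SHELL_SEPARATORS = ("&", "|", "`", "$(", ";")


def local_name(tag):
    """'{urn:example}createDataStore' -> 'createDataStore' (namespace-agnostic matching)."""
    return tag.rsplit("}", 1)[-1]


def datastore_params(soap_xml):
    """Return {'name': ..., 'dataFiles': ...} from the first createDataStore element.
    ElementTree decodes &quot; / &#34; / &#x22; to a literal double quote, as the server would."""
    root = ET.fromstring(soap_xml)
    params = {}
    for element in root.iter():
        if local_name(element.tag) != "createDataStore":
            continue
        for child in element.iter():
            if local_name(child.tag) in ("name", "dataFiles"):
                params[local_name(child.tag)] = child.text or ""
        break
    return params


def injection_suspect(value):
    """True when a double quote closes the quoted argument and the remainder carries a separator."""
    if '"' not in value:
        return False
    remainder = value.split('"', 1)[1]
    return any(sep in remainder for sep in SHELL_SEPARATORS)


def inspect_request(soap_xml):
    """Names of the parameters that would reach the command line with an injected command."""
    params = datastore_params(soap_xml)
    if "dataFiles" not in params and "name" in params:
        params["dataFiles"] = params["name"]      # the fallback described in the text
    return sorted(key for key, value in params.items() if injection_suspect(value))


def _envelope(config_body):
    # Constructed envelope; 'urn:example:endeca-control' stands in for the real control namespace
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"'
        ' xmlns:ctl="urn:example:endeca-control"><soapenv:Body>'
        '<ctl:createDataStore><ctl:dataStoreConfig>' + config_body +
        '</ctl:dataStoreConfig></ctl:createDataStore></soapenv:Body></soapenv:Envelope>'
    )


BENIGN = _envelope("<ctl:name>sales_2021</ctl:name>")
# Quote encoded as &quot;, '&' encoded as &amp; so the XML stays well-formed
INJECT_VIA_NAME = _envelope("<ctl:name>x&quot; &amp; whoami &amp; &quot;</ctl:name>")
# Explicit dataFiles with numeric entities for the quote and ';' as the separator
INJECT_VIA_DATAFILES = _envelope(
    "<ctl:name>sales_2021</ctl:name>"
    "<ctl:dataFiles>C:\\data\\in.csv&#x22;; hostname; &#34;</ctl:dataFiles>"
)

if __name__ == "__main__":
    for label, msg in (("benign", BENIGN), ("name", INJECT_VIA_NAME), ("dataFiles", INJECT_VIA_DATAFILES)):
        print(label, "->", inspect_request(msg) or "clean")
```

  A request with a tainted name is reported under both names, because the server copies name into dataFiles when the latter is missing; a request that supplies its own dataFiles is judged on each value separately.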

Triggering the Problem:

  • The target host must have the vulnerable product installed.
  • The attacker must have network connectivity to the Oracle Endeca Server.

Triggering Conditions:

  The attacker sends a malicious request to the affected service on the vulnerable system. The crafted request to the createDataStore function contains a malicious name or dataFiles tag value. The vulnerability is triggered upon processing the malicious request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • SOAP/HTTP, over port 7770/TCP

SonicWall’s, (IPS) Intrusion Prevention System, provides protection against this threat:

  • IPS: 4691 Oracle Endeca Server Remote Command Execution 2

Remediation Details:

  Listed below are several actions, which may be taken in order to minimize or eliminate the risks posed:
    • Limit network connectivity to the affected communication service to trusted users only.
    • Detect and filter malicious traffic using the signature provided above.
    • Apply the vendor-provided patch to eliminate the vulnerability.
  The vendor, Oracle, has issued a security advisory to address this vulnerability:
  Vendor Advisory

Kaseya VSA server exploitation and another supply chain ransomware attack

The SonicWall Capture Labs threat research team has analyzed the ransomware that is spreading using the exploitation of the Kaseya standalone on-premises VSA server and the subsequent supply-chain attacks.

The attack starts with exploitation of the Kaseya server. The ransomware dropper (agent.crt), encoded in base64, is uploaded to the Kaseya VSA server using the file upload functionality. In addition, the attacker uploads userFilterTableRpt.asp to the victim server, which likely allows it to take advantage of additional vulnerabilities on the VSA server in order to issue the hotfix procedure. Once the server (standalone version) is exploited, the attacker issues a hotfix update to the agent that transfers the ransomware from the server to all managed endpoint agents. The file is decoded as agent.exe and executed. The sample belongs to the REvil/Sodinokibi ransomware family.

 

Infection Cycle:

The sample agent.exe is the ransomware dropper. Its purpose is to drop the following files, which are stored in its resource section, and execute them. The location where the files are dropped depends on the privileges of the user running it.

  1. mpsvc.dll (stored in the resource named ‘MODLIS’ )
  2. MsMpEng.exe (stored in the resource named ‘SOFTIS’ )


Fig-1: Dropper retrieving files from Resource

agent.exe executes ‘MsMpEng.exe’ using the CreateProcess API as shown in the above image. MsMpEng.exe is a clean file related to Microsoft Security Essentials. It imports a DLL named ‘mpsvc.dll’, and the threat actor gives the malicious DLL dropped by agent.exe that same name. Because the application’s own directory is searched before the system directories in the DLL search order, the malicious mpsvc.dll in the current folder is the one loaded into memory by MsMpEng.exe (DLL side-loading).


Fig-2: Import table of MsMpEng.exe

MsMpEng.exe loads mpsvc.dll and calls the function ‘ServiceCrtMain’, which is exported by the DLL, as shown below:


Fig-3: MsMpEng.exe calling ServiceCrtMain

Once the execution control is transferred to mpsvc.dll, it does the following:

  • Creates a Mutex
    • \BaseNamedObjects\422BE415-4098-BB75-3BD9-3E62EE8E8423
  • Encrypts the files and changes the extension to a random name
    • “filename.doc” is renamed to  “filename.doc.6t0s1w”
  • Adds a ransom note in every folder; the note is named after the extension appended to the encrypted files
    • “6t0s1w-readme.txt”
  • There is a configuration file embedded in the DLL, which contains:
    • Folders that are excluded during the ransomware encryption routine
      • program files, appdata, mozilla, application data, google, windows.old, programdata, system volume information, program files (x86), boot, tor browser, windows, intel, perflogs, msocache
    • Files that are excluded during the ransomware encryption process:
      • ntldr, thumbs.db, bootsect.bak, autorun.inf, ntuser.dat.log, iconcache.db, bootfont.bin, ntuser.dat, ntuser.ini, desktop.ini
    • File extensions that are excluded from the encryption process
      • ps1, ldf, lock, theme, msi, sys, wpx, cpl, adv, msc, scr, bat, key, ico, dll, hta, deskthemepack, nomedia, msu, rtp, msp, idx, ani, 386, diagcfg, bin, mod, ics, com, hlp, spl, nls, cab, exe, diagpkg, icl, ocx, rom, prf, themepack, msstyles, lnk, icns, mpa, drv, cur, diagcab, cmd, shs
    • Terminates the following processes if running:
      • encsvc, powerpnt, ocssd, steam, isqlplussvc, outlook, sql, ocomm, agntsvc, mspub, onenote, winword, thebat, excel, mydesktopqos, ocautoupds, thunderbird, synctime, infopath, mydesktopservice, firefox, oracle, sqbcoreservice, dbeng50, tbirdconfig, msaccess, visio, dbsnmp, wordpad, xfssvccon
    • The following services are stopped if running:
      • veeam, memtas, sql, backup, vss, sophos, svc$, mepocs

On completion of the encryption routine, the following ransom note is displayed to the victim.


Fig-4:Ransomware notes

If the sample has administrator privileges, it also encrypts the Master Boot Record (MBR).


Fig-5: System with infected MBR

During its operation the ransomware stores all generated public/private keys and the random file extension (appended to encrypted files) under the “SOFTWARE\BlackLivesMatter” registry key. The malware can use this information later.

Fig-6: Registry Key Created – Software/BlackLivesMatter

The malware checks the default UI language of the user and of the system using GetUserDefaultUILanguage and GetSystemDefaultUILanguage.

If either matches one of the languages on its built-in list, it stops further execution.

Fig-7: Language check

It creates a mutex using the CreateMutexW API so that only one instance runs.

If a second instance of the malware is started, it shows the error “ERR0R D0UBLE RUN!”.

Fig-8: Mutex Created

The files are encrypted using the Salsa20 algorithm.

Fig-9: Salsa20 algorithm
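
Salsa20 is a stream cipher: each 64-byte block of keystream is the Salsa20 hash of a state built from the key, an 8-byte nonce, a 64-bit block counter and fixed constants, and the file content is XORed with that keystream. The following is an added reference implementation of Salsa20/20 in Python; it is not the malware's code, and since this post does not describe how REvil derives its per-file keys, the key and nonce below are constructed constants. The quarterround values checked at the end are the worked examples from the Salsa20 specification.

```python
import struct

MASK32 = 0xFFFFFFFF
SIGMA = struct.unpack("<4I", b"expand 32-byte k")   # constants for a 256-bit key


def rotl32(value, bits):
    return ((value << bits) & MASK32) | (value >> (32 - bits))


def quarterround(y0, y1, y2, y3):
    """The Salsa20 quarterround on four 32-bit words."""
    y1 ^= rotl32((y0 + y3) & MASK32, 7)
    y2 ^= rotl32((y1 + y0) & MASK32, 9)
    y3 ^= rotl32((y2 + y1) & MASK32, 13)
    y0 ^= rotl32((y3 + y2) & MASK32, 18)
    return y0, y1, y2, y3


def salsa20_hash(state, rounds=20):
    """Salsa20 core: `rounds` alternating column/row rounds, then add the input state back."""
    x = list(state)
    for _ in range(rounds // 2):
        x[0], x[4], x[8], x[12] = quarterround(x[0], x[4], x[8], x[12])      # column round
        x[5], x[9], x[13], x[1] = quarterround(x[5], x[9], x[13], x[1])
        x[10], x[14], x[2], x[6] = quarterround(x[10], x[14], x[2], x[6])
        x[15], x[3], x[7], x[11] = quarterround(x[15], x[3], x[7], x[11])
        x[0], x[1], x[2], x[3] = quarterround(x[0], x[1], x[2], x[3])        # row round
        x[5], x[6], x[7], x[4] = quarterround(x[5], x[6], x[7], x[4])
        x[10], x[11], x[8], x[9] = quarterround(x[10], x[11], x[8], x[9])
        x[15], x[12], x[13], x[14] = quarterround(x[15], x[12], x[13], x[14])
    return struct.pack("<16I", *((a + b) & MASK32 for a, b in zip(x, state)))


def keystream_block(key, nonce, counter):
    """64 bytes of keystream for block `counter` under a 32-byte key and 8-byte nonce."""
    if len(key) != 32 or len(nonce) != 8:
        raise ValueError("Salsa20 needs a 32-byte key and an 8-byte nonce")
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    c = struct.unpack("<2I", struct.pack("<Q", counter))
    state = [SIGMA[0], k[0], k[1], k[2], k[3],
             SIGMA[1], n[0], n[1], c[0], c[1],
             SIGMA[2], k[4], k[5], k[6], k[7], SIGMA[3]]
    return salsa20_hash(state)


def salsa20_xor(key, nonce, data):
    """Encrypt or decrypt (the operation is its own inverse) by XOR with the keystream."""
    out = bytearray()
    for offset in range(0, len(data), 64):
        block = keystream_block(key, nonce, offset // 64)
        out.extend(a ^ b for a, b in zip(data[offset:offset + 64], block))
    return bytes(out)


# Constructed key and nonce for the demonstration only (not how the malware derives them)
DEMO_KEY = bytes(range(32))
DEMO_NONCE = b"\x00" * 7 + b"\x01"


def demo_roundtrip(plaintext=b"Quarterly report contents, a little over 64 bytes of ordinary document text."):
    ciphertext = salsa20_xor(DEMO_KEY, DEMO_NONCE, plaintext)
    recovered = salsa20_xor(DEMO_KEY, DEMO_NONCE, ciphertext)
    # Without the exact key and nonce nothing comes back, which is the leverage behind the ransom
    wrong_key = salsa20_xor(bytes(32), DEMO_NONCE, ciphertext)
    return ciphertext != plaintext, recovered == plaintext, wrong_key == plaintext


if __name__ == "__main__":
    print("changed, recovered, recovered-with-wrong-key:", demo_roundtrip())
```

The keystream never depends on the plaintext, so the same key and nonce pair must not be reused across files; a ransomware family that stores per-file material in the registry, as described above, is keeping exactly the state needed to reverse this XOR.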

 

This threat can be detected via the following methods:

  • GAV: MalAgent.VSA (Trojan)
  • GAV: Filecoder.N (Trojan)
  • IPS: [2041] Kaseya VSA Server userFilterTableRpt Request

This threat can also be detected by SonicWall Capture ATP with Real-Time Deep Memory Inspection (RTDMI) and the Capture Client endpoint solutions.

SonicWall Capture Labs continues to monitor this threat and will provide further information as it becomes available.

Indicators Of Compromise (IOC):

Files:

  • 561cffbaba71a6e8cc1cdceda990ead4 (agent.exe)
  • a47cf00aedf769d60d58bfe00c0b5421 (mpsvc.dll)
  • 95f0a946cd6881dd5953e6db4dfb0cb9 (agent.crt)

Registry:

  • HKLM\SOFTWARE\BlackLivesMatter\
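
A responder working from the indicators above usually wants a quick sweep rather than a bare hash list. The following added example (not SonicWall's or Kaseya's tooling) walks a directory tree and reports three things described in this post: files whose MD5 matches the IOC list, ransom notes named <ext>-readme.txt, and sibling files carrying that same appended extension. The extension pattern (5 to 10 lowercase alphanumerics) is an assumption generalized from the 6-character example above; checking HKCU as well as HKLM for the SOFTWARE\BlackLivesMatter key is likewise an assumption, and that check only runs on Windows. The sample tree is constructed in a temporary directory so the script runs anywhere.

```python
import hashlib
import os
import re
import sys
import tempfile

# MD5 indicators from the IOC list above
IOC_MD5 = {
    "561cffbaba71a6e8cc1cdceda990ead4": "agent.exe",
    "a47cf00aedf769d60d58bfe00c0b5421": "mpsvc.dll",
    "95f0a946cd6881dd5953e6db4dfb0cb9": "agent.crt",
}

# Ransom note "<ext>-readme.txt"; the 5-10 character range is an assumption, the post shows 6
NOTE_RE = re.compile(r"^([0-9a-z]{5,10})-readme\.txt$", re.IGNORECASE)


def md5_file(path):
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root):
    """Walk `root`; return IOC hash hits, ransom notes, and files carrying a note's extension."""
    hits = {"ioc_hashes": [], "ransom_notes": [], "encrypted_files": []}
    for dirpath, _dirs, files in os.walk(root):
        # The note in a folder tells us which random extension was used there
        exts = {m.group(1).lower() for m in map(NOTE_RE.match, files) if m}
        for name in files:
            path = os.path.join(dirpath, name)
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if NOTE_RE.match(name):
                hits["ransom_notes"].append(path)
            elif ext in exts:
                hits["encrypted_files"].append(path)
            try:
                digest = md5_file(path)
            except OSError:
                continue          # unreadable or vanished file; keep walking
            if digest in IOC_MD5:
                hits["ioc_hashes"].append((path, IOC_MD5[digest]))
    return hits


def registry_ioc_present():
    """Windows only: True/False for a SOFTWARE\\BlackLivesMatter key, None elsewhere.
    HKCU is checked too on the assumption that a non-admin run writes there."""
    if sys.platform != "win32":
        return None
    import winreg
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            winreg.CloseKey(winreg.OpenKey(hive, r"SOFTWARE\BlackLivesMatter"))
            return True
        except OSError:
            continue
    return False


def build_sample_tree(base):
    """Constructed sample: a folder after encryption with a note, two encrypted files, one untouched."""
    victim = os.path.join(base, "Documents")
    os.makedirs(victim)
    for name in ("budget.xlsx.6t0s1w", "notes.doc.6t0s1w", "6t0s1w-readme.txt", "clean.txt"):
        with open(os.path.join(victim, name), "wb") as handle:
            handle.write(b"constructed sample content\n")
    return victim


def demo():
    """Scan the constructed tree and return basenames only, so the result is path-independent."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        hits = scan_tree(tmp)
    return {
        "ioc_hashes": [name for _path, name in hits["ioc_hashes"]],
        "ransom_notes": sorted(os.path.basename(p) for p in hits["ransom_notes"]),
        "encrypted_files": sorted(os.path.basename(p) for p in hits["encrypted_files"]),
    }


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else None
    print(scan_tree(root) if root else demo())
    print("registry IOC present:", registry_ioc_present())
```

Run it with a path to sweep a real share; run it with no arguments to see the constructed sample. Hash matching alone misses a renamed or recompiled dropper, which is why the note-plus-extension correlation is included: it keys on the behaviour described above rather than on a specific binary.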

References:

  1. Incident Overview & Technical Details – Kaseya
  2. Important Notice July 6th, 2021 – Kaseya