Runsomeaware ransomware as a service actively spreading in the wild

The SonicWall Capture Labs Threat Research team observed reports of a new variant family of Runsomeaware RaaS actively spreading in the wild. Ransomware as a service (RaaS) is a subscription-based or free model that enables affiliates to use already-developed ransomware tools to execute ransomware attacks; hackers earn a percentage of each successful ransom payment. RaaS is an adoption of the Software as a Service (SaaS) business model.

Runsomeaware encrypts the victim’s files with a strong encryption algorithm.

Runsomeaware is a multi-component RaaS family, and its proof of concept (POC) has been released in the wild by its developers.

Infection Cycle:

The ransomware adds the following files to the system:

  • Malware.exe
    • %App.path%\[Filename].graysuit

Once the computer is compromised, the ransomware runs the following commands:

When Runsomeaware is started, it will create and assign a unique ID number to the victim, then scan all local drives for data files to encrypt.

When encrypting files, it will use the AES encryption algorithm and encrypt all files except those with the following extensions:

The ransomware encrypts all the files and appends the [.graysuit] extension onto each encrypted file’s filename.

The hackers are active on a Discord channel and have released a few tutorials on YouTube and GitHub.

Recently, Discord has become a handy mechanism for cybercriminals: it is used to serve up malware to victims in the form of a link that looks trustworthy. In some cases, hackers have integrated Discord into their malware for C&C of their code running on infected machines, and even to steal data from victims.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Runsomeaware.A (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Laravel Ignition Remote Code Execution Vulnerability

Ignition versions prior to 2.5.2, as used in Laravel and other products, allow unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents and file_put_contents. This is exploitable on sites using debug mode with Laravel versions prior to 8.4.2.

Ignition is a beautiful and customizable error page for Laravel applications running on Laravel 5.5 and newer. It is the default error page for all Laravel 6 applications. It also allows you to publicly share your errors on Flare. If configured with a valid Flare API key, errors in production applications will be tracked, and you’ll get notified when they happen. It can hook into the framework to display the uncompiled view path and your Blade view. It has various features such as the app, user, context and debug tabs. It not only displays the error but also suggests a solution.

Vulnerability | CVE-2021-3129

Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code. This is exploitable on sites using debug mode with Laravel before 8.4.2.

The vulnerability lies in the way the file_get_contents function is used in Ignition’s MakeViewVariableOptionalSolution.php module. The file_get_contents call does not check the path, and an attacker can abuse this weakness to view and write code of the attacker’s choice at a path the attacker specifies.

This vulnerability has been patched. When we look at the patched code, we see that the path is now checked before file_get_contents is called.

 

Threat graph:

 

SonicWall Capture Labs provides protection against this threat via following signatures:

    • IPS 15444: Laravel Ignition Insecure Deserialization 1
    • IPS 15445: Laravel Ignition Insecure Deserialization 2

Malicious VBA macro uses CLSID to create Shell object

The SonicWall Capture Labs Threat Research Team has observed that Snake Keylogger malware is being distributed using malicious Word documents. The sample in distribution uses a CLSID to create the WScript.Shell object rather than the object name that is usually seen.

Infection Cycle

Upon opening the document, the user is displayed instructions to enable content as shown below:


Fig-1: Word Document

Shell Object creation:
This sample creates an instance of the WScript.Shell object using a CLSID. A CLSID is a globally unique identifier that identifies a COM class object.

CLSIDs that correspond to the Shell object:

  • {72C24DD5-D70A-438B-8A42-98424B88AFB8}
  • {F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}

The Shell object instance is used to execute the PowerShell command that downloads Snake Keylogger.


Fig-2: VBA Macro present in document

The PowerShell command is stored in obfuscated form as the content of the Word document:


Fig-3: Obfuscated PowerShell

The de-obfuscated PowerShell command shows that it includes an AMSI bypass technique for Windows 10 systems. The obfuscation conceals both the AMSI bypass and the next-stage malware download URLs used in the script, as seen after de-obfuscation:


Fig-4: De-Obfuscated Powershell

The PowerShell code has embedded URLs from which the payload is downloaded. This sample uses the bit.ly URL shortening service, and the target URL is “hxxp://qadir[.]tickfa[.]ir/ID3/0RIG0000000.jpg”. The payload, a Windows executable, is stored as “0RIG0000000.jpg” on the remote host and belongs to Snake Keylogger.
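The following Python check, added here and not part of the original analysis, detects the CLSID-based WScript.Shell instantiation described above in extracted VBA source. It resolves the two CLSIDs listed in the post back to WScript.Shell and pairs that with a Run/Exec call whose command comes from the document body; the VBA fragments are constructed for this example, and the `new:` moniker syntax for creating an object by CLSID is an assumption.

```python
import re

# Known CLSIDs for WScript.Shell, as listed above.
WSCRIPT_SHELL_CLSIDS = {
    "72C24DD5-D70A-438B-8A42-98424B88AFB8": "WScript.Shell",
    "F935DC22-1CF0-11D0-ADB9-00C04FD58A0B": "WScript.Shell",
}

# GetObject("new:{CLSID}") / CreateObject("new:{CLSID}"): object creation by class id
# via the 'new' moniker (assumed syntax), with or without the surrounding braces.
CLSID_MONIKER_RE = re.compile(
    r'(?:GetObject|CreateObject)\s*\(\s*"new:\{?'
    r'([0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})\}?"\s*\)',
    re.I,
)
# CreateObject("ProgID"): the usual, easily recognised form.
PROGID_RE = re.compile(r'CreateObject\s*\(\s*"([A-Za-z0-9.]+)"\s*\)', re.I)
RUN_RE = re.compile(r"\.(?:Run|Exec)\b", re.I)
DOC_TEXT_RE = re.compile(r"ActiveDocument\.(?:Content|Range)", re.I)

# Constructed VBA fragments modelled on the behaviour described above (not the sample's code).
SAMPLE_VBA = '''
Sub AutoOpen()
    Dim sh As Object
    Set sh = GetObject("new:{72C24DD5-D70A-438B-8A42-98424B88AFB8}")
    sh.Run ActiveDocument.Content.Text, 0
End Sub
'''
BENIGN_VBA = '''
Sub SaveReport()
    Dim fso As Object
    Set fso = CreateObject("Scripting.FileSystemObject")
    fso.CreateTextFile("report.txt").WriteLine "done"
End Sub
'''


def find_object_creations(vba: str):
    """Return [(line_no, method, resolved_name)] for each COM object instantiation."""
    hits = []
    for n, line in enumerate(vba.splitlines(), 1):
        for m in CLSID_MONIKER_RE.finditer(line):
            clsid = m.group(1).upper()
            hits.append((n, "clsid", WSCRIPT_SHELL_CLSIDS.get(clsid, "unknown:" + clsid)))
        for m in PROGID_RE.finditer(line):
            hits.append((n, "progid", m.group(1)))
    return hits


def assess(vba: str) -> dict:
    """Flag the pattern from this sample: WScript.Shell created by CLSID, then Run/Exec,
    with the command taken from the document body rather than the macro text."""
    creations = find_object_creations(vba)
    shell_via_clsid = any(h[1] == "clsid" and h[2] == "WScript.Shell" for h in creations)
    executes = RUN_RE.search(vba) is not None
    return {
        "object_creations": creations,
        "shell_via_clsid": shell_via_clsid,
        "executes_command": executes,
        "payload_from_document_text": DOC_TEXT_RE.search(vba) is not None,
        "suspicious": shell_via_clsid and executes,
    }


if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        print(name, assess(src))
```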

Payload Analysis:

The payload is a compiled .NET file, and its basic information is shown below:


Fig-5: Details of PE file

The downloaded file contains an encrypted PE file in its resources, which is decrypted using AES in ECB mode and loaded into memory. The decryption key is the SHA-256 hash of hardcoded bytes present in the sample.


Fig-6: Decryption routine

Persistence:

The sample copies itself to the Startup folder as drivers.exe.

  • %appdata%\Microsoft\Windows\Start Menu\Programs\Startup\drivers.exe

SonicWall Capture ATP provides protection from this threat as shown below:


Fig-7: Capture ATP report

Indicators Of Compromise:

SHA256

  • 706f441b1e5b188f4373c6b680ea2c2b50ab81c2163bdaf690b3ec224581b8fb — Malicious Document File
  • 81b94fd7902d516f81fa99c090180e431b1e389e2ccd418fa2d0b3105d98fad9 — Downloaded Executable File

Network Connections:

  • bit[.]ly/2ZJ9xRc
  • qadir[.]tickfa[.]ir/ID3/0RIG0000000.jpg

Files:

  • %temp%\czxdpfb.exe
  • %appdata%\Microsoft\Windows\Start Menu\Programs\Startup\drivers.exe

 

Ransomware uses Discord for C2 communications

The SonicWall Capture Labs Research team has observed another ransomware being circulated in the wild recently. To maintain communications with the compromised system, this ransomware uses Discord’s built-in webhooks function. Discord is much more than just a text and voice communication platform geared towards gamers; it offers an open API through which one can create guilds (servers) and channels. A webhook is the easiest way to automate posting messages to a channel: it is basically a URL to which you send a message, which in turn posts that message to a specified channel. Sending and receiving communications through a legitimate platform disguises the malicious network activity as valid traffic in an attempt to bypass security applications, which is why Discord has been favored by cybercriminals lately.

Infection Cycle:

This ransomware arrives as an executable using the following icon:

Upon execution, it drops the following files in the %temp% directory:

  • %temp%/*random*/*random*/aescrypt.exe – used for encrypting files
  • %temp%/*random*/*random*/DiscordSendWebhook.exe – used to send communication out
  • %temp%/*random*/*random*/1A1C.bat – the main script
  • %temp%/kill.bat – script to kill task manager

It then spawns cmd to run the scripts via the command prompt, letting everything happen in the background without the victim’s knowledge.

It creates a copy of itself and adds it to Startup. It then deletes all volume shadow copies to ensure that the victim will not be able to restore files and the entire system after the ransomware encryption.

  • copy /b /y %0 “%appdata%\Microsoft\Windows\Start Menu\Programs\Startup”
  • wmic shadowcopy delete
  • vssadmin delete shadows /all /quiet

It then sets the following system policies through the registry to ensure uninterrupted execution: disabling the Windows prompt for consent before running a program, disabling the Ctrl+Alt+Del keys, disabling Task Manager and swapping the mouse buttons:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v “PromptOnSecureDesktop” /t REG_DWORD /d “0” /f
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v “ConsentPromptBehaviorAdmin” /t REG_DWORD /d “0” /f
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v “EnableLUA” /t REG_DWORD /d “1” /f
  • HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout /v “Scancode Map” /t REG_BINARY /d “00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000” /f /reg:64 > nul
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v “DisableTaskMgr” /t REG_DWORD /d “1” /f > nul
  • HKCU\Control Panel\Mouse /v SwapMouseButtons /t REG_SZ /d “1” /f > nul

It then uses the Discord webhook functionality to send a message to the following Discord guild:

It then also kills all known web browsers that might be currently running on the system.

Next, it adds two scheduled tasks to ensure that one instance of the malware runs every time a user logs on and another runs every 5 days.

Upon successful encryption of files, the malware sends another message via webhook to its Discord channel with the system info and IDs to help identify this victim’s machine.

Then, it creates 100 ransom note files, Pay2Decrypt1.txt through Pay2Decrypt100.txt, with information on how to decrypt the files.

This ransomware appends .lck to all encrypted files. It even manages to encrypt its own aescrypt.exe and DiscordSendWebhook.exe.
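As an added example (not code from the original post), the following Python rules flag the defence-evasion steps described above in process command-line telemetry: shadow copy deletion, the copy into the Startup folder, and the registry policy writes that disable the UAC prompts, Task Manager, the keyboard scancode map and the mouse buttons. The sample command lines are constructed for this example, and the log source (for instance Sysmon process creation events) is an assumption.

```python
from __future__ import annotations
import re

# Constructed sample process command lines (not telemetry from the original post),
# modelled on the commands listed above, plus benign lines that must not be flagged.
SAMPLE_CMDLINES = [
    r'cmd.exe /c copy /b /y C:\Users\v\AppData\Local\Temp\ab12\cd34\1A1C.bat "C:\Users\v\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"',
    r'wmic shadowcopy delete',
    r'vssadmin delete shadows /all /quiet',
    r'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v "PromptOnSecureDesktop" /t REG_DWORD /d "0" /f',
    r'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d "0" /f',
    r'reg add HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout /v "Scancode Map" /t REG_BINARY /d "0000000000000000170000000000380000" /f /reg:64',
    r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v "DisableTaskMgr" /t REG_DWORD /d "1" /f',
    r'reg add HKCU\Control Panel\Mouse /v SwapMouseButtons /t REG_SZ /d "1" /f',
    r'vssadmin list shadows',                                            # benign: read-only
    r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v "DisableTaskMgr" /t REG_DWORD /d "0" /f',  # benign: re-enables
]

# Plain command-line patterns, matched case-insensitively.
COMMAND_RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("startup_folder_copy", re.compile(r"\bcopy\b.*\\Start Menu\\Programs\\Startup\b", re.I)),
]

# 'reg add <key> /v <name> [/t <type>] /d <data>' with optional quoting of name and data.
REG_ADD_RE = re.compile(
    r'\breg(?:\.exe)?\s+add\s+(?P<key>.+?)\s+/v\s+"?(?P<name>[^"/]+?)"?\s+'
    r'(?:/t\s+\S+\s+)?/d\s+"?(?P<data>[^"\s]+)"?',
    re.I,
)

# Value name (lower-case) -> (data that indicates tampering, finding label).
# None for the data means any write to that value is reported.
POLICY_RULES = {
    "promptonsecuredesktop": ("0", "uac_secure_desktop_disabled"),
    "consentpromptbehavioradmin": ("0", "uac_consent_prompt_disabled"),
    "disabletaskmgr": ("1", "task_manager_disabled"),
    "swapmousebuttons": ("1", "mouse_buttons_swapped"),
    "scancode map": (None, "keyboard_scancode_remap"),
}


def analyze_cmdline(cmdline: str) -> list[str]:
    """Return the finding labels triggered by one process command line."""
    findings: list[str] = []
    for label, pattern in COMMAND_RULES:
        if pattern.search(cmdline) and label not in findings:
            findings.append(label)
    m = REG_ADD_RE.search(cmdline)
    if m:
        rule = POLICY_RULES.get(m.group("name").strip().lower())
        if rule and (rule[0] is None or rule[0] == m.group("data")):
            findings.append(rule[1])
    return findings


def scan(cmdlines: list[str]) -> dict[int, list[str]]:
    """Map the index of each flagged command line to its findings; clean lines are omitted."""
    result = {}
    for i, cmdline in enumerate(cmdlines):
        findings = analyze_cmdline(cmdline)
        if findings:
            result[i] = findings
    return result


def tamper_score(cmdlines: list[str]) -> int:
    """Number of distinct findings across the lines; several together match this sample's chain."""
    return len({f for findings in scan(cmdlines).values() for f in findings})


if __name__ == "__main__":
    for i, findings in scan(SAMPLE_CMDLINES).items():
        print(f"[{i}] {', '.join(findings)}: {SAMPLE_CMDLINES[i][:70]}")
    print("distinct tamper findings:", tamper_score(SAMPLE_CMDLINES))
```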

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Pay2Decrypt.RSM

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

 

Microsoft Security Bulletin Coverage for April 2021

The SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of April 2021. A list of the issues reported, along with SonicWall coverage information, is as follows:

CVE-2021-28310 Win32k Elevation of Privilege Vulnerability
ASPY 173 Malformed-File exe.MP.175

CVE-2021-28324 Windows SMB Information Disclosure Vulnerability
ASPY 175 Malformed-File exe.MP.178

CVE-2021-28325 Windows SMB Information Disclosure Vulnerability
ASPY 176 Malformed-File exe.MP.179

CVE-2021-28442 Windows TCP/IP Information Disclosure Vulnerability
ASPY 174 Malformed-File exe.MP.177

The following vulnerabilities do not have known exploits in the wild:

CVE-2021-26413 Windows Installer Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-26415 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26416 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-26417 Windows Overlay Filter Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-27064 Visual Studio Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-27067 Azure DevOps Server and Team Foundation Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-27072 Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-27079 Windows Media Photo Codec Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-27086 Windows Services and Controller App Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-27088 Windows Event Tracing Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-27089 Microsoft Internet Messaging API Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27090 Windows Secure Kernel Mode Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-27091 RPC Endpoint Mapper Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-27092 Azure AD Web Sign-in Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-27093 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-27094 Windows Early Launch Antimalware Driver Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-27095 Windows Media Video Decoder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27096 NTFS Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-28309 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-28311 Windows Application Compatibility Cache Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-28312 Windows NTFS Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-28313 Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-28314 Windows Hyper-V Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-28315 Windows Media Video Decoder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28316 Windows WLAN AutoConfig Service Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-28317 Microsoft Windows Codecs Library Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-28318 Windows GDI+ Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-28319 Windows TCP/IP Driver Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-28320 Windows Resource Manager PSM Service Extension Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-28321 Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-28322 Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-28323 Windows DNS Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-28326 Windows AppX Deployment Server Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-28327 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28328 Windows DNS Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-28329 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28330 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28331 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28332 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28333 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28334 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28335 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28336 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28337 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28338 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28339 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28340 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28341 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28342 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28343 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28344 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28345 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28346 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28347 Windows Speech Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-28348 Windows GDI+ Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28349 Windows GDI+ Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28350 Windows GDI+ Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28351 Windows Speech Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-28352 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28353 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28354 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28355 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28356 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28357 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28358 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28434 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28435 Windows Event Tracing Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-28436 Windows Speech Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-28437 Windows Installer Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-28438 Windows Console Driver Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-28439 Windows TCP/IP Driver Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-28440 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-28441 Windows Hyper-V Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-28443 Windows Console Driver Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-28444 Windows Hyper-V Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-28445 Windows Network File System Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28446 Windows Portmapping Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-28447 Windows Early Launch Antimalware Driver Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-28448 Visual Studio Code Kubernetes Tools Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28449 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28450 Microsoft SharePoint Denial of Service Update
There are no known exploits in the wild.
CVE-2021-28451 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28452 Microsoft Outlook Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2021-28453 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28454 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28456 Microsoft Excel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-28457 Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28458 Azure ms-rest-nodeauth Library Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-28459 Azure DevOps Server and Team Foundation Services Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-28460 Azure Sphere Unsigned Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28464 VP9 Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28466 Raw Image Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28468 Raw Image Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28469 Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28470 Visual Studio Code GitHub Pull Requests and Issues Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28471 Remote Development Extension for Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28472 Visual Studio Code Maven for Java Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28473 Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28475 Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28477 Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28480 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28481 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28482 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28483 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.

SSRF, vRealize Operations Manager API

Overview:

  VMware vRealize Operations Manager delivers intelligent operations management with application-to-storage visibility across physical, virtual, and cloud infrastructures. CVE-2021-21975 is an unauthenticated server-side request forgery (SSRF) vulnerability in the VMware vRealize Operations API. The vulnerability was privately reported to VMware. Patches and workarounds are available to address the vulnerability in the impacted VMware products listed below. VMware has evaluated this issue to be of ‘Important’ severity with a maximum CVSSv3 base score of 8.6.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-21975.

Common Vulnerability Scoring System (CVSS):

  Base 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C):
    • Access vector is NETWORK
    • Access complexity is LOW
    • Level of authentication required is NONE
    • Impact of this vulnerability on data confidentiality is COMPLETE
    • Impact of this vulnerability on data integrity is COMPLETE
    • Impact of this vulnerability on data availability is COMPLETE
  Temporal 7.8 (E:POC/RL:OF/RC:C):
    • The exploitability level of this vulnerability is PROOF OF CONCEPT
    • The remediation level of this vulnerability is OFFICIAL FIX
    • The report confidence level of this vulnerability is CONFIRMED

Attack Behavior & Chain Reaction:

  Performs a server-side request forgery attack to steal administrative credentials.

Triggering the Vulnerability:

  One of the REST API URIs vRealize Operations Manager supports is “/casa/nodes/thumbprints”, which is accessible without authentication due to the following configuration in the casa-security-context.xml file:
  <sec:http pattern="/nodes/thumbprints" security='none'/>

  On the server end, a function called getNodesThumbprints() is called to handle API requests on the above URI. The HTTP payload for this request is an address array in JSON format, such as:
  ["127.0.0.1:443"]

  The vulnerability is due to a lack of sanitization of the incoming HTTP requests. When the server receives an HTTP POST request to the URI “/casa/nodes/thumbprints”, the vulnerable function getNodesThumbprints() takes the address array from the HTTP data payload and sends an HTTP request for the URI “/casa/node/thumbprint” to each of these addresses.

  If a URI path is provided in an address value of the array, then “/casa/node/thumbprint” is appended to that path in the request that is sent. For example, if the following HTTP data payload is sent:
  ["test.com:443/test/"]

  Then the function getNodesThumbprints() will request the URI “/test/casa/node/thumbprint” from test.com:443. Therefore, the attackers cannot fully control the URI of the forged requests. Note that for versions before VMware vRealize Operations Manager 8.3, the server will send the credentials of the “maintenanceAdmin” account in the Authorization header of the HTTP request.

  A remote attacker could exploit the vulnerability by sending a crafted request to the target server. Successful exploitation could result in the theft of administrative credentials in some versions of VMware vRealize Operations Manager.
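As an added illustration (not VMware’s code), the Python below first models the unsanitised address handling described above, showing how "test.com:443/test/" turns into a request for "/test/casa/node/thumbprint", and then shows the strict host:port validation against a cluster allow-list that such an endpoint needs. The function names, the allow-list mechanism and the sample addresses are assumptions made for this example.

```python
from __future__ import annotations
import ipaddress
import json
import re
from urllib.parse import urlsplit

THUMBPRINT_PATH = "/casa/node/thumbprint"

# RFC 1123 style hostname check (labels of letters, digits and hyphens).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$",
    re.I,
)


def build_thumbprint_request(address: str) -> tuple[str, str]:
    """Model of the unsanitised handling described above (hypothetical reconstruction):
    the address is taken as-is, so any path it carries is kept and THUMBPRINT_PATH is
    appended to it. Returns (network location, request path)."""
    parts = urlsplit("//" + address)
    return parts.netloc, parts.path.rstrip("/") + THUMBPRINT_PATH


def parse_node_address(address, allowed_hosts: set[str]) -> tuple[str, int]:
    """Strict validation that accepts only 'host:port' for a known cluster member.
    Raises ValueError for paths, schemes, userinfo, bad ports or unknown hosts.
    (Bracketed IPv6 literals are deliberately out of scope here.)"""
    if not isinstance(address, str) or any(c in address for c in "/?#@\\ "):
        raise ValueError("address must be host:port with no path, query, userinfo or scheme")
    host, sep, port_text = address.rpartition(":")
    if not sep or not port_text.isdigit():
        raise ValueError("missing or non-numeric port")
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        if not HOSTNAME_RE.match(host):
            raise ValueError("invalid host") from None
    # Allow-list of cluster node addresses: assumed to come from the node's own
    # cluster configuration; the set of strings here stands in for that lookup.
    if host.lower() not in {h.lower() for h in allowed_hosts}:
        raise ValueError("host is not a member of this cluster")
    return host, port


def validate_payload(body: str, allowed_hosts: set[str]) -> list[tuple[str, int]]:
    """Validate the JSON address array from the POST body; any bad entry rejects it all."""
    data = json.loads(body)
    if not isinstance(data, list) or not data:
        raise ValueError("payload must be a non-empty JSON array of addresses")
    return [parse_node_address(entry, allowed_hosts) for entry in data]


def is_rejected(body: str, allowed_hosts: set[str]) -> bool:
    """True when validate_payload refuses the body (json errors are ValueErrors too)."""
    try:
        validate_payload(body, allowed_hosts)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    cluster = {"127.0.0.1", "vrops-node-2.example.internal"}   # constructed allow-list
    for addr in ("127.0.0.1:443", "test.com:443/test/"):
        print("unsanitised:", addr, "->", build_thumbprint_request(addr))
    print("hardened accepts:", validate_payload('["127.0.0.1:443"]', cluster))
    print("hardened rejects path:", is_rejected('["test.com:443/test/"]', cluster))
```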

Post Data:

Affected products:

  vRealize Operations Manager
  • 7.0.0
  • 7.5.0
  • 8.0.0, 8.0.1
  • 8.1.0, 8.1.1
  • 8.2.0
  • 8.3.0
  VMware Cloud Foundation (vROps)
  • 3.x
  • 4.x
  vRealize Suite Lifecycle Manager (vROps)
  • 8.x

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 15487 VMware vRealize Operations Manager API SSRF

Remediation Details:

  • The file /usr/lib/vmware-casa/casa-webapp/logs/casa.log is of particular interest for tracking suspicious requests.
  • KB83210
  • KB83095
  • KB83094
  • KB83093
  • KB82367
  • KB83287


Appendix – Discovered By:

  Egor Dimitrenko of Positive Technologies reported this vulnerability.

Uniwinnicrypt ransomware charges over $550k for file recovery

The SonicWall Capture Labs threat research team has been tracking a ransomware family named Uniwinnicrypt. This malware is aimed at large corporations, and the operators charge over $550k USD in cryptocurrency (Monero and Bitcoin) for file recovery. A custom chat site hosted on the Tor network is provided by the operators for negotiations with their victims. However, conversations between the victims and operators are publicly accessible.

 

Infection cycle:

 

Upon infection, code is injected into grpconv.exe, iexpress.exe or write.exe.  This code performs the encryption of files on the system:

 

The extension “.uniwinnicrypt” is appended to all encrypted files.

 

HOW_FIX_FILES.htm is dropped into all directories where files were encrypted.  It contains the following message:

 

The Tor link leads to the following page:

 

After entering the requested information, the following existing conversation between a victim (not us) and the operator can be seen:

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Uniwinnicrypt.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

March 2021 OpenSSL Vulnerability

Overview:

  A denial of service vulnerability has been reported in the OpenSSL library. An OpenSSL TLS server may crash if a remote attacker sends a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello) but includes a signature_algorithms_cert extension, then a NULL pointer dereference will result, leading to a crash and a denial of service. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-3449, dated 2021-03-17.

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C).

  Base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is none.
    • Impact of this vulnerability on data integrity is none.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 6.5 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  The primary goal of the Secure Sockets Layer (SSL) protocol is to provide privacy and reliability between two communicating applications, and the primary goal of the Transport Layer Security (TLS) protocol is to provide a secure channel between two communicating peers. Both are cryptographic protocols that provide authentication, confidentiality and data integrity for communication over TCP/IP networks. They rely on cryptographic algorithms such as symmetric key ciphers, cryptographically secure hash functions, and asymmetric cryptography (also known as public-key cryptography), which uses a pair of related keys, one public and one private, to encrypt and decrypt a message and protect it from unauthorized access or use. These protocols enable hosts to communicate securely over insecure networks.

Triggering the Problem:

  • The target must have a vulnerable version of the product running, with TLS 1.2 enabled.
  • The target application must have TLS renegotiation enabled.
  • The attacker must have network connectivity to the vulnerable application.

Triggering Conditions:

  The attacker sends a TLS 1.2 ClientHello handshake message containing a non-empty signature_algorithms extension, then renegotiates with a ClientHello that has an empty signature_algorithms extension but a non-empty signature_algorithms_cert extension. The vulnerability is triggered when the server processes the new ClientHello message.
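The following Python, added here and not taken from the original advisory or from OpenSSL, builds minimal TLS 1.2 ClientHello records as constructed test input and implements the detection check behind the triggering condition above: the renegotiation ClientHello lacks the signature_algorithms entries that the initial ClientHello carried (extension absent or empty) but presents signature_algorithms_cert. It assumes the two records come, in order, from the same connection; the extension type numbers 13 and 50 are the IANA-registered values.

```python
import struct

# IANA extension type numbers referenced by the advisory above.
SIGNATURE_ALGORITHMS = 13
SIGNATURE_ALGORITHMS_CERT = 50

# Two-entry SignatureSchemeList: length prefix + rsa_pkcs1_sha256, rsa_pkcs1_sha384.
SIG_LIST = b"\x00\x04\x04\x01\x05\x01"


def build_client_hello(extensions):
    """Assemble a minimal TLS 1.2 ClientHello record from (ext_type, ext_data) pairs.
    Constructed test input with an all-zero random and a fixed cipher suite list."""
    body = b"\x03\x03" + bytes(32)                      # client_version, random
    body += b"\x00"                                     # empty session_id
    suites = b"\xc0\x2f\x00\x9c"
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                 # one compression method: null
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello_extensions(record: bytes):
    """Return {ext_type: ext_data} for a ClientHello record, or None for anything else
    (non-handshake records, other handshake types, truncated data)."""
    try:
        if record[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) != rec_len or hs[0] != 0x01:
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                    # skip client_version and random
        pos += 1 + body[pos]                            # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                            # compression_methods
        exts = {}
        if pos == len(body):
            return exts                                 # no extensions block at all
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            exts[ext_type] = body[pos:pos + ext_len]
            pos += ext_len
        return exts
    except (IndexError, struct.error):
        return None


def has_entries(exts, ext_type) -> bool:
    """An extension counts as present only if its list carries at least one entry
    (more than the two-byte list length), so an empty extension is treated as missing."""
    data = exts.get(ext_type)
    return data is not None and len(data) > 2


def is_cve_2021_3449_pattern(initial_record: bytes, renegotiation_record: bytes) -> bool:
    """Detection check for the triggering condition: the renegotiation ClientHello lacks
    the signature_algorithms entries the initial ClientHello carried, yet presents a
    signature_algorithms_cert extension. Assumes both records are from one connection."""
    first = parse_client_hello_extensions(initial_record)
    second = parse_client_hello_extensions(renegotiation_record)
    if first is None or second is None:
        return False
    return (has_entries(first, SIGNATURE_ALGORITHMS)
            and not has_entries(second, SIGNATURE_ALGORITHMS)
            and has_entries(second, SIGNATURE_ALGORITHMS_CERT))


# Constructed records for the cases the advisory distinguishes.
INITIAL_HELLO = build_client_hello([(SIGNATURE_ALGORITHMS, SIG_LIST)])
RENEG_HELLO_SUSPECT = build_client_hello([(SIGNATURE_ALGORITHMS_CERT, SIG_LIST)])
RENEG_HELLO_BENIGN = build_client_hello([(SIGNATURE_ALGORITHMS, SIG_LIST),
                                         (SIGNATURE_ALGORITHMS_CERT, SIG_LIST)])

if __name__ == "__main__":
    print("suspect renegotiation:", is_cve_2021_3449_pattern(INITIAL_HELLO, RENEG_HELLO_SUSPECT))
    print("benign renegotiation:", is_cve_2021_3449_pattern(INITIAL_HELLO, RENEG_HELLO_BENIGN))
```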

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • TLS
    • HTTPS, over ports 443/TCP, 8443/TCP
    • SMTP, over ports 25/TCP, 587/TCP

Patched Software:

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 15483 “Client Renegotiation within Short Period”

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Upgrading to the patched releases to eliminate the vulnerability.
    • Disabling TLS 1.2 version in OpenSSL.
    • Disabling renegotiation if it is not needed.
  The vendor has released the following advisory regarding this vulnerability:
  OpenSSL News Advisory

Appendix – Discovered By:

  This issue was reported to OpenSSL on 18th March 2021 by Benjamin Kaduk from Akamai and was discovered by Xiang Ding and others at Akamai. The fix was developed by Tomáš Mráz.

China’s “Winnti” Spyder Module

Overview:

SonicWall’s Capture Labs Threat Research Team recently captured and evaluated a new malicious sample, termed Spyder, from China’s “Winnti” hacking group. This backdoor is written in C++ and designed to run on 64-bit Windows. The module is used for targeted attacks on information storage systems: collecting information about compromised devices, executing malicious payloads, coordinating script execution, and C&C server communication. The module is loaded by the MSDTC system service using the well-known DLL hijacking method. The function names in the module’s export table mirror the exported functions of the apphelp.dll system library.

Static Information & Error Checking Information:

Dynamic Information:

Dll Main inside x64 debug:

Encrypted PE File in memory:

Call to Shellcode see RAX:

Dll Main inside Encrypted PE File:

Network Artifacts:

Get Request:

Possible domains in the wild:


Supported Systems:

  • Windows 10
  • Windows 8.1
  • Windows 8.0
  • Windows 7
  • Windows Vista

SonicWall Gateway Anti-Virus (GAV) provides protection against this threat:

  • GAV: Spyder.DN (Trojan)

Appendix:

Sample SHA-1 Hash: 41777d592dd91e7fb2a1561aff018c452eb32c28

Hog ransomware decrypts victims who join their Discord server spreading in the wild

The SonicWall Capture Labs Threat Research team observed reports of a new variant family of Hog ransomware actively spreading in the wild.

The Hog ransomware encrypts the victim’s files with a strong encryption algorithm and only decrypts them if the victim joins the developer’s Discord server.

Infection Cycle:

The ransomware adds the following files to the system:

  • Malware.exe
    • %App.path%\[Filename].Hog

Once the computer is compromised, the ransomware runs the following commands:

When Hog is started, it will create and assign a unique ID number to the victim, then scan all local drives for data files to encrypt.

When encrypting files, it will use the AES encryption algorithm and encrypt all files except those with the following extensions:

.exe .dll .ini .scr .sys .vmx .vmdk

The ransomware encrypts all the files and appends the [.Hog] extension onto each encrypted file’s filename.

 

If the victim has joined the Discord server, the ransomware will decrypt the victim’s files using a static key embedded in the ransomware.

After encrypting all personal documents, the ransomware shows the following page, containing a message reporting that the computer has been encrypted and explaining how to unlock the files.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: HogRansom.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.