
Critical remote code execution flaw in VMware is being actively exploited

A critical remote code execution vulnerability has been reported in VMware’s vSphere/vCenter. The vulnerability is due to improper validation of paths in an uploaded tarball. A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted request to the target server. Successful exploitation can result in code execution in the context of the target process.

CVE-2021-21972:

vCenter Server is the centralized management utility for VMware and is used to manage virtual machines.  The vulnerability is reported in the vRealize Operations (vrop) plugin that comes with the default installation of vCenter. This plugin allows unauthorized file upload and fails to validate the paths provided in the uploaded tarball. An unauthenticated, remote attacker could exploit this vulnerability by uploading a specially crafted file to a vulnerable vCenter Server endpoint that is publicly accessible over port 443. Successful exploitation of this vulnerability would result in an attacker gaining unrestricted RCE privileges on the underlying operating system that hosts vCenter Server.
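The missing check, as an added example that is neither VMware's nor SonicWall's code: an upload handler should audit every member path of a tar archive against the extraction directory before extracting, rejecting absolute names, `..` traversal and links that resolve outside it. The destination directory and the archives below are constructed for the demonstration.

```python
"""Audit an uploaded tarball for path traversal before extracting it (added example)."""
from __future__ import annotations

import io
import os
import tarfile


def _resolves_inside(dest_real: str, path: str) -> bool:
    """True when `path` stays under dest_real after normalising '..' and symlinks."""
    target = os.path.realpath(path)
    return os.path.commonpath([dest_real, target]) == dest_real


def unsafe_members(tar: tarfile.TarFile, dest: str) -> list[tuple[str, str]]:
    """Return (member name, reason) for every member that must not be extracted under dest."""
    dest_real = os.path.realpath(dest)
    problems: list[tuple[str, str]] = []
    for m in tar.getmembers():
        if m.name.startswith(("/", "\\")):
            problems.append((m.name, "absolute path"))
        elif not _resolves_inside(dest_real, os.path.join(dest_real, m.name)):
            problems.append((m.name, "path escapes destination"))
        elif m.issym() or m.islnk():
            # The link itself lands inside dest, but its target is attacker-controlled.
            if m.issym():
                base = os.path.dirname(os.path.join(dest_real, m.name))
                link = os.path.join(base, m.linkname)          # symlinks are relative to their own dir
            else:
                link = os.path.join(dest_real, m.linkname)     # hard links are relative to archive root
            if not _resolves_inside(dest_real, link):
                problems.append((m.name, "link target escapes destination"))
        elif not (m.isfile() or m.isdir()):
            problems.append((m.name, "device or fifo entry"))
    return problems


def audit_tarball(data: bytes, dest: str) -> list[tuple[str, str]]:
    """Audit an in-memory archive without extracting anything."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        return unsafe_members(tar, dest)


def upload_accepted(data: bytes, dest: str) -> bool:
    """Gate for an upload handler: True only when the audit finds nothing."""
    return not audit_tarball(data, dest)


def safe_extract(data: bytes, dest: str) -> int:
    """Extract only a clean archive; returns the member count, raises ValueError otherwise."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        problems = unsafe_members(tar, dest)
        if problems:
            raise ValueError(f"rejected upload: {problems}")
        tar.extractall(dest)
        return len(tar.getmembers())


def build_tar(entries) -> bytes:
    """Build a constructed in-memory tarball from (name, data or None, symlink target or None)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data, linkname in entries:
            ti = tarfile.TarInfo(name)
            if linkname is not None:
                ti.type = tarfile.SYMTYPE
                ti.linkname = linkname
                tar.addfile(ti)
            else:
                payload = data or b""
                ti.size = len(payload)
                tar.addfile(ti, io.BytesIO(payload))
    return buf.getvalue()


DEST = "/srv/plugin-upload"  # constructed destination; it need not exist for the audit

# Constructed archives: one benign, three that a vulnerable extractor would write outside DEST.
BENIGN = build_tar([("plugin/manifest.json", b"{}", None), ("plugin/lib/a.txt", b"x", None)])
TRAVERSAL = build_tar([("../../outside.txt", b"constructed", None)])
ABSOLUTE = build_tar([("/etc/passwd", b"", None)])
SYMLINK_OUT = build_tar([("plugin/etc", None, "/etc")])

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("traversal", TRAVERSAL),
                        ("absolute", ABSOLUTE), ("symlink", SYMLINK_OUT)):
        print(f"{label:10} {audit_tarball(blob, DEST)}")
```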

In most cases, vCenter is available only to users with access to internal networks. According to Shodan, however, more than 6000 vCenter servers are exposed online and vulnerable to attack.

Bad Packets observed mass scanning activity for CVE-2021-21972, searching for vulnerable vCenter servers.

According to the SANS Internet Storm Center, attack activity on port 443 has increased significantly over the last few days. Attackers are likely scanning for vulnerable vCenter servers.

 

Fix:

The affected vCenter Server plugin for vROPs is available in all default installations.

Impacted product versions:

  • 7.0 prior to 7.0 U1c
  • 6.7 prior to 6.7 U3l
  • 6.5 prior to 6.5 U3n

Upgrade to one of the patched versions: 7.0 U1c, 6.7 U3l or 6.5 U3n. If upgrading is not feasible, follow the workarounds in KB82374 to disable the vulnerable plugin.

Find the VMware security advisory here.

SonicWall Capture Labs Threat Research team provides protection against this vulnerability with the following signatures.

IPS: 15403 VMware vCenter Server VMSA-2021-0002 Remote Code Execution (Linux)
IPS: 15404 VMware vCenter Server VMSA-2021-0002 Remote Code Execution (Windows)
IPS: 15406 VMware vCenter Server vropspluginui Access
IPS: 15408 VMware vCenter Server VMSA-2021-0002 Remote Code Execution 3
IPS: 15409 VMware vCenter Server VMSA-2021-0002 Remote Code Execution 4
IPS: 15410 VMware vCenter Server VMSA-2021-0002 Remote Code Execution 5
IPS: 15411 VMware vCenter Server VMSA-2021-0002 Remote Code Execution 6
IPS: 15412 VMware vCenter Server VMSA-2021-0002 Remote Code Execution 7

Parasite ransomware targeting French users actively spreading in the wild

The SonicWall Capture Labs Threat Research team observed reports of a new variant family of Parasite ransomware actively spreading in the wild.

The Parasite ransomware encrypts the victim’s files with a strong encryption algorithm until the victim pays a fee to get them back.

The ransomware targets French-speaking users and is designed for a very specific region.

Infection Cycle:

The ransomware adds the following files to the system:

  • Malware.exe
    • %App.path%\[Filename].Parasite

Once the computer is compromised, the ransomware runs the following commands:

When Parasite is started it will create and assign a unique ID number to the victim then scan all local drives for data files to encrypt.

When encrypting files it will use the AES encryption algorithm and only encrypt those files that match the following extensions:

txt, doc, docx, xls, xlsx, ppt, pptx, odt, jpeg, png, csv, sql, mdb, sln, php, asp, aspx, html, xml, psd, rar, wma, avi, wmv, d3dbsp, zip, sie, sum, ibank, qdf, gdb, tax, pkpass, bkp, qic, bkf, sidn, sidd, mddata, itl, itdb, icxs, hvpl, hplg, hkdb, mdbackup, syncdb, gho, cas, svg, map, wmo, itm, fos, mov, vdf, ztmp, sis, sid, ncf, menu, layout, dmp, blob, esm, vcf, vtf, dazip, fpk, mlx, iwd, vpk, tor, psk, rim, fsh, ntl, arch00, lvl, snx, cfr, vpp_pc, lrf, mcmeta, vfs0, mpqge, kdb, dba, rofl, hkx, bar, upk, das, iwi, litemod, asset, forge, ltx, bsa, apk, sav, lbf, slm, bik, epk, rgss3a, pak, big, wallet, wotreplay, xxx, desc, flv, css, pfx, wav, bin, conf, ico, jfif

The ransomware encrypts all the files and appends the [.Parasite] extension onto each encrypted file’s filename.

After encrypting all personal documents, the ransomware shows the following text file containing a message reporting that the computer has been encrypted and to contact its developer for unlock instructions.

The ransomware shows a different message to French-speaking targets:

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Parasite.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Discord services misused to host malware including Android bankers

Discord is a digital distribution platform geared towards building communities. Malware authors, however, are misusing it as a medium to host malicious applications, and these hosted applications can be accessed and downloaded even without a Discord account.

While investigating an Android banker, the SonicWall Capture Labs Research team observed that it was hosted on the Discord server cdn.discordapp.com. Further investigation revealed that this server was hosting, or communicating with, a large number of malicious applications at the time of writing. We observed the following types of malicious apps in connection with this server:

  • Android apks
  • Executables
  • Compressed RAR archives

Below is a Virustotal Graph for this observation:

 

 

We analyzed a few Android apps that share similar functionality and obfuscation measures designed to hide their true functionality from automated security scanners.

In both cases, the main activity named in the AndroidManifest.xml file is not present in the decompiled code of the app. This indicates that a separate dex file containing the decrypted code is most likely dropped on the system and invoked at runtime:

 

Upon execution, the apps request Accessibility Service access; until the permission is granted, the request screen keeps reappearing intermittently:

 

The malware contains obfuscated code, not providing much information about its functionality:

 

However, when the malware runs on the device, it drops a .json file in the FOLDERNAME. In reality this is a .dex file, as its initial file header shows:

 

After renaming the file and opening it in a .dex viewer such as Jadx, readable code appears alongside junk code. The main activity class specified in the manifest, previously missing, is now visible:
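Checking the header instead of trusting the extension, as an added example that is not code from the original post: a triage helper that parses the fixed header of the Android DEX format and reports version, Adler-32 checksum validity and class count for a file named `.json`. The dropped file below is a constructed header-only DEX, not the sample's bytes.

```python
"""Recognise DEX bytecode hiding behind another extension (added triage example)."""
import struct
import zlib

DEX_MAGIC = b"dex\n"   # followed by a 3-digit version and a NUL byte, e.g. b"035\x00"
HEADER_SIZE = 0x70      # the DEX header is always 112 bytes


def inspect_dex(data: bytes):
    """Parse the fixed DEX header; return key fields, or None if `data` is not a DEX."""
    if len(data) < HEADER_SIZE or data[:4] != DEX_MAGIC or data[7] != 0:
        return None
    version = data[4:7]
    if not version.isdigit():
        return None
    (checksum,) = struct.unpack_from("<I", data, 8)
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    (class_defs_size,) = struct.unpack_from("<I", data, 96)
    return {
        "version": version.decode(),
        "file_size": file_size,
        # Little-endian files carry 0x12345678 here; a different header_size is also a red flag.
        "header_ok": header_size == HEADER_SIZE and endian_tag == 0x12345678,
        "class_defs": class_defs_size,
        # The checksum is Adler-32 over everything after the checksum field itself,
        # so a truncated or patched dump fails this even though the magic is intact.
        "checksum_ok": (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum,
    }


def triage(filename: str, data: bytes) -> str:
    """One-line verdict: does the content match what the extension claims?"""
    info = inspect_dex(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if info is None:
        return "not-dex"
    if ext == "dex":
        return f"dex v{info['version']}"
    return f"dex v{info['version']} disguised as .{ext or '(none)'}"


def make_sample_dex(class_defs: int = 3) -> bytes:
    """Constructed header-only DEX (no real classes) used to exercise the checks."""
    hdr = bytearray(HEADER_SIZE)
    hdr[0:8] = b"dex\n035\x00"
    struct.pack_into("<III", hdr, 32, HEADER_SIZE, HEADER_SIZE, 0x12345678)
    struct.pack_into("<I", hdr, 96, class_defs)
    struct.pack_into("<I", hdr, 8, zlib.adler32(bytes(hdr[12:])) & 0xFFFFFFFF)
    return bytes(hdr)


SAMPLE_DROPPED_FILE = make_sample_dex()   # stands in for the dropped ".json" file

if __name__ == "__main__":
    print(triage("config.json", SAMPLE_DROPPED_FILE))
    print(triage("config.json", b'{"config": true}'))
    print(inspect_dex(SAMPLE_DROPPED_FILE))
```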

 

The malware is capable of accepting and executing the following commands:

  • grabbing_lockpattern
  • run_record_audio
  • run_socks5
  • update_inject
  • stop_socks5
  • rat_connect
  • change_url_connect
  • request_permission
  • clean_cache
  • change_url_recover
  • send_mailing_sms
  • run_admin_device
  • access_notifications
  • url
  • ussd
  • sms_mailing_phonebook
  • get_data_logs
  • get_all_permission
  • grabbing_google_authenticator2
  • notification
  • grabbing_pass_gmail
  • remove_app
  • remove_bot
  • send_sms
  • run_app
  • call_forward
  • patch_update

This malware is yet another good example of the dangers of granting Accessibility Service access to an application. If the permission is not granted, malware may keep requesting it; repeated requests are a tell-tale sign that something is not right.

Android malware occupies a small slice among the myriad malicious apps hosted on Discord. There have been conversations about malware being hosted on Discord for a while but the issue still appears to persist.

 

SonicWall Capture Labs provides protection against this threat with the following signatures:

  • AndroidOS.Obfuscated.ST (Trojan)
  • AndroidOS.Banker.CM (Trojan)

 

Indicators of Compromise (IOCs):

  • e8a0b4aa368473a5a0d1183fb79e127b
  • 2e87bd0a77bfdf78ff50634b0ec1c7ae

Attackers actively targeting vulnerable Netgear DGN devices

SonicWall Capture Labs threat research team observed attacks exploiting an old vulnerability in Netgear DGN devices. Netgear produces networking hardware for consumers, businesses, and service providers. Netgear DGN devices are ADSL+ modem routers that provide customers with an easy and secure way to set up a wireless home network with fast Internet access over a high-speed digital subscriber line.

Netgear DGN1000 and DGN2200 devices are prone to a remote authentication-bypass vulnerability. Remote attackers can exploit this issue to bypass the authentication mechanism and execute commands within the context of affected devices with elevated privileges.

NETGEAR DGN Devices Remote Command Execution Vulnerability

Below are some examples of exploits seen in the wild.

The vulnerable device doesn’t check authentication for URLs containing the “currentsetting.htm” substring, so the following URL can be accessed without authentication.

http://<vulnerable-device-ip>/setup.cgi?currentsetting.htm=1

The “setup.cgi” page can then be abused to execute arbitrary commands.

Let's take the following example.

The URL leverages the "syscmd" function of the "setup.cgi" script to execute arbitrary commands. The attacker connects to a malicious domain to download a malicious file, saves it in the tmp directory and executes it.
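The two indicators in the text turned into detection logic, as an added example that is not SonicWall's IPS signature: a scanner over web-server access-log lines that flags setup.cgi requests carrying the unauthenticated "currentsetting.htm" marker, and escalates when "syscmd" also appears in the query. The log lines are constructed with documentation IP ranges, and the parameter names after the marker are invented for the sample.

```python
"""Flag Netgear DGN setup.cgi authentication-bypass traffic in access logs (added example)."""
import re
from urllib.parse import unquote, urlsplit

# Combined-log-format line: client, identity, user, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_request(target: str):
    """Map one request target to None, 'auth-bypass-probe' or 'command-execution-attempt'.

    Both indicators come from the advisory text: the "currentsetting.htm" substring
    that skips authentication on setup.cgi, and setup.cgi's "syscmd" function.
    """
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/setup.cgi"):
        return None
    query = unquote(parts.query).lower()   # decode %-escapes so encoded variants still match
    if "currentsetting.htm" not in query:
        return None
    return "command-execution-attempt" if "syscmd" in query else "auth-bypass-probe"


def scan_log(lines):
    """Return (client ip, verdict, target) for every flagged request, in log order."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a parseable access-log line
        verdict = classify_request(m["target"])
        if verdict:
            hits.append((m["ip"], verdict, m["target"]))
    return hits


# Constructed access-log lines. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges;
# the "action"/"arg" parameter names are invented for the sample and vary in real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Feb/2021:10:01:15 +0000] "GET /setup.cgi?currentsetting.htm=1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [22/Feb/2021:10:01:16 +0000] "GET /setup.cgi?currentsetting.htm=1&action=syscmd&arg=%5BREDACTED%5D HTTP/1.1" 200 88',
    '198.51.100.3 - - [22/Feb/2021:10:02:00 +0000] "GET /setup.cgi?page=status HTTP/1.1" 401 0',
    '198.51.100.4 - - [22/Feb/2021:10:02:30 +0000] "GET /index.htm HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, verdict, target in scan_log(SAMPLE_LOG):
        print(f"{ip:16} {verdict:26} {target}")
```

An authenticated setup.cgi request without the marker (third line) and a request for an unrelated page (fourth line) produce no hit, so the scanner is quiet on normal administration traffic.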

The following versions are vulnerable:

  • NetGear DGN1000 running firmware prior to version 1.1.00.48
  • Netgear DGN2200 v1

This vulnerability is patched.

SonicWall Capture Labs provides protection against this threat via the following signature:

IPS 13034: NETGEAR DGN Devices Remote Command Execution

Threat Graph
Signature hits for 13034 for past week.

 

IoCs

A quick check on Shodan shows vulnerable devices:

A phishing campaign uses morse code to hide malicious URL

Obfuscation is a technique commonly used by malware authors to render their code unreadable and prevent easy interpretation of a program that might give clues about their intent or behavior. This week, the SonicWall Capture Labs Research team analyzed a phishing email attachment that uses Morse code to hide malicious scripts and URLs within the file.

Infection Cycle

The malicious file comes as a spam email attachment pretending to be an invoice and uses the following filename:

  • <random>_invoice<random>.xlsx.html

It pretends to be an Excel spreadsheet. When opened, it displays a fake Office 365 session timeout error message that requires the user to log in and type in their password. This login information is sent to a remote server and the user is then redirected to a page with another fake error message.

This HTML file uses Morse code to hide malicious URLs within the file.

It uses JavaScript to map alphanumeric characters to the dots and dashes of Morse code. The decoded value is a hex string, which further decodes to another nested script that loads a JavaScript file hosted on a remote server.

These two URLs are the main files for this phishing campaign. The first one loads a css file as shown below.

The second loads the main HTML page with the icons, images and fake session timeout message prompting the user to log in. This HTML page reveals the remote server to which stolen credentials are sent once the user types in their login information.
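The decoding chain described above, as an added analyst-side example that is not the attachment's own script: Morse tokens to hex digits, hex to the nested script, then URL extraction from the result. The mapping table is standard International Morse for 0-9 and a-f and the samples are constructed; a real attachment may use a custom table, which is why unknown tokens raise instead of being skipped.

```python
"""Decode a Morse-to-hex-to-script obfuscation layer (added example)."""
import re

# International Morse for the sixteen hex digits; a real sample may substitute its own table.
MORSE = {
    ".-": "a", "-...": "b", "-.-.": "c", "-..": "d", ".": "e", "..-.": "f",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
}
HEX_TO_MORSE = {v: k for k, v in MORSE.items()}
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def morse_to_text(encoded: str, table=MORSE) -> str:
    """Translate whitespace-separated Morse tokens; fail loudly on a token the table lacks."""
    out = []
    for token in encoded.split():
        if token not in table:
            raise ValueError(f"unknown Morse token {token!r}; the sample may use a custom table")
        out.append(table[token])
    return "".join(out)


def decode_layers(encoded: str, table=MORSE) -> str:
    """Morse -> hex string -> the nested script it encodes."""
    hex_string = morse_to_text(encoded, table)
    if len(hex_string) % 2 or not re.fullmatch(r"[0-9a-f]+", hex_string):
        raise ValueError("Morse layer did not decode to a hex string")
    return bytes.fromhex(hex_string).decode("utf-8", errors="replace")


def extract_urls(script: str) -> list:
    """Pull the remote-loader URLs out of a decoded script for blocking and hunting."""
    return URL_RE.findall(script)


def text_to_morse_hex(text: str) -> str:
    """Encoder used only to build constructed samples (the inverse of decode_layers)."""
    return " ".join(HEX_TO_MORSE[ch] for ch in text.encode("utf-8").hex())


# Constructed sample, written out by hand: Morse of hex "6c6f67696e2e68746d6c", i.e. "login.html".
SAMPLE = "-.... -.-. -.... ..-. -.... --... -.... ----. -.... . ..--- . -.... ---.. --... ....- -.... -.. -.... -.-."

# Constructed loader stub with a reserved, non-resolving hostname standing in for the remote server.
SAMPLE_LOADER = '<script src="https://example.invalid/s.js"></script>'

if __name__ == "__main__":
    print(decode_layers(SAMPLE))
    nested = decode_layers(text_to_morse_hex(SAMPLE_LOADER))
    print(nested, extract_urls(nested))
```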

The remote server tanikawashuntaro dot com appears to be a compromised legitimate website.

We urge our users to always be vigilant and cautious with any unsolicited email and to avoid providing any personal information, particularly if you are not certain of the source.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Morse.PH (Trojan)

Microsoft Security Bulletin Coverage for February 2021

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of February 2021. A list of issues reported, along with SonicWall coverage information are as follows:

CVE-2021-1698 Windows Win32k Elevation of Privilege Vulnerability
ASPY 5907:Malformed-File exe.MP.131

CVE-2021-1732 Windows Win32k Elevation of Privilege Vulnerability
ASPY 149:Malformed-File exe.MP.170

CVE-2021-24072 Microsoft SharePoint Server Remote Code Execution Vulnerability
IPS 15383:Microsoft SharePoint Server Remote Code Execution (CVE-2021-24072)

CVE-2021-24074 Windows TCP/IP Remote Code Execution Vulnerability
IPS 15379:Windows TCP/IP Remote Code Execution (CVE-2021-24074)

CVE-2021-24078 Windows DNS Server Remote Code Execution Vulnerability
IPS 15380:Windows DNS Server Remote Code Execution (CVE-2021-24078)

CVE-2021-24086 Windows TCP/IP Denial of Service Vulnerability
IPS 15377:Windows TCP/IP DoS (CVE-2021-24086)

CVE-2021-24094 Windows TCP/IP Remote Code Execution Vulnerability
IPS 15378:Windows TCP/IP Remote Code Execution (CVE-2021-24094)

Adobe Coverage

CVE-2021-21017 Heap-based Buffer Overflow Vulnerability
ASPY 500:Malformed-File pdf.MP.428

CVE-2021-21037 Path Traversal Vulnerability
ASPY 501:Malformed-File pdf.MP.429

CVE-2021-21060 Improper Input Validation Vulnerability
ASPY 502:Malformed-File jpg.MP.18

The following vulnerabilities do not have known exploits in the wild:
CVE-2021-1639 Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-1721 .NET Core and Visual Studio Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-1722 Windows Fax Service Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-1724 Microsoft Dynamics Business Central Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2021-1726 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-1727 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1728 System Center Operations Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1730 Microsoft Exchange Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-1731 PFX Encryption Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-1733 Sysinternals PsExec Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1734 Windows Remote Procedure Call Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-24066 Microsoft SharePoint Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-24067 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-24068 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-24069 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-24070 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-24071 Microsoft SharePoint Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-24073 Skype for Business and Lync Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-24075 Windows Network File System Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-24076 Microsoft Windows VMSwitch Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-24077 Windows Fax Service Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-24079 Windows Backup Engine Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-24080 Windows Trust Verification API Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-24081 Microsoft Windows Codecs Library Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-24082 Microsoft.PowerShell.Utility Module WDAC Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-24083 Windows Address Book Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-24084 Windows Mobile Device Management Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-24085 Microsoft Exchange Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-24087 Azure IoT CLI extension Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-24088 Windows Local Spooler Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-24091 Windows Camera Codec Pack Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-24092 Microsoft Defender Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-24093 Windows Graphics Component Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-24096 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-24098 Windows Console Driver Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-24099 Skype for Business and Lync Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-24100 Microsoft Edge for Android Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-24101 Microsoft Dataverse Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-24102 Windows Event Tracing Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-24103 Windows Event Tracing Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-24105 Package Managers Configurations Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-24106 Windows DirectX Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-24109 Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-24111 .NET Framework Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-24112 .NET Core for Linux Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-24114 Microsoft Teams iOS Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-25195 Windows PKU2U Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26700 Visual Studio Code npm-script Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-26701 .NET Core and Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.

Cukiesi, a Paradise ransomware variant demands over $50k for file retrieval

The SonicWall Capture Labs threat research team has observed reports of a variant of Paradise ransomware called Cukiesi.  This ransomware family has been around since early 2018 and is reported to have originated from Russia.  The ransom demand is quite steep at 1.5 BTC ($55k at the time of writing this alert) and it is speculated that it is aimed at large organisations rather than the average home PC user.

 

Infection Cycle:

 

Upon infection, files on the system are encrypted and given a “_cU_{<6 alphanumeric char>}Cukiesi” extension to their filenames:

 

nooode.txt is dropped into all directories where files were encrypted.  It contains the following ransom message:

 

We reached out to the email addresses provided in the ransom note and had the following conversation with the operator:

 

The protonmail address had been deactivated but we received a response from the tutanota.com email address:

 

The ransom amount appears to be negotiable but at the time of writing this alert we were unsuccessful:

 

We are still awaiting a reply.

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Cukiesi.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Babuk ransomware actively spreading in the wild

The SonicWall Capture Labs Threat Research team observed reports of a new variant family of Babuk ransomware actively spreading in the wild.

The Babuk ransomware encrypts the victim’s files with a strong encryption algorithm until the victim pays a fee to get them back.

Infection Cycle:

The ransomware adds the following files to the system:

  • Malware.exe
    • %App.path%\How To Restore Your Files.txt
    • %App.path%\[__NIST_K571__]

Once the computer is compromised, the ransomware runs the following commands:

When Babuk is started it will create and assign a unique ID number to the victim then scan all local drives for data files to encrypt.

When encrypting files it will use the AES encryption algorithm and only encrypt those files that match the following extensions:

jpe, jpg, kdc, mdb, mdf, nef, crt, crw, dbf, dcr, der, dng, doc, docm, docx, xls, xlsb, xlsm, xlsx, pef, pem, pfx, ppt, pptm, pptx, psd, raf, raw, rtf.

The ransomware encrypts all the files and appends the [__NIST_K571__] extension onto each encrypted file's filename.

After encrypting all personal documents, the ransomware shows the following text file containing a message reporting that the computer has been encrypted and to contact its developer (website) for unlock instructions.

Screenshots from the ransomware website:

We have been monitoring varying hits over the past few days for the signature that blocks this threat:

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Blackheart.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Microsoft Security Bulletin Coverage for January 2021

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of January 2021. A list of issues reported, along with SonicWall coverage information are as follows:

CVE-2021-1647 Microsoft Defender Remote Code Execution Vulnerability
IPS 15356:Microsoft Defender Remote Code Execution Vulnerability (CVE-2021-1647)
ASPY 146:Malformed-File exe.MP.168

CVE-2021-1707 Microsoft SharePoint Server Remote Code Execution Vulnerability
ASPY 145:Malformed-File xml.MP.3

CVE-2021-1709 Windows Win32k Elevation of Privilege Vulnerability
ASPY 147:Malformed-File exe.MP.169

The following vulnerabilities do not have known exploits in the wild:
CVE-2020-26870 Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-1636 Microsoft SQL Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1637 Windows DNS Query Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-1638 Windows Bluetooth Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-1641 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-1642 Windows AppX Deployment Extensions Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1643 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-1644 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-1645 Windows Docker Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-1646 Windows WLAN Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1648 Microsoft splwow64 Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1649 Active Template Library Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1650 Windows Runtime C++ Template Library Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1651 Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1652 Windows CSC Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1653 Windows CSC Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1654 Windows CSC Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1655 Windows CSC Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1656 TPM Device Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-1657 Windows Fax Compose Form Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-1658 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-1659 Windows CSC Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1660 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-1661 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1662 Windows Event Tracing Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1663 Windows Projected File System FS Filter Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-1664 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-1665 GDI+ Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-1666 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-1667 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-1668 Microsoft DTV-DVD Video Decoder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-1669 Windows Remote Desktop Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-1670 Windows Projected File System FS Filter Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-1671 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-1672 Windows Projected File System FS Filter Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-1673 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-1674 Windows Remote Desktop Protocol Core Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-1676 Windows NT Lan Manager Datagram Receiver Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-1677 Azure Active Directory Pod Identity Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-1678 NTLM Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-1679 Windows CryptoAPI Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-1680 Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1681 Windows WalletService Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1682 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1683 Windows Bluetooth Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-1684 Windows Bluetooth Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-1685 Windows AppX Deployment Extensions Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1686 Windows WalletService Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1687 Windows WalletService Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1688 Windows CSC Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1689 Windows Multipoint Management Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1690 Windows WalletService Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1691 Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-1692 Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-1693 Windows CSC Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1694 Windows Update Stack Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1695 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1696 Windows Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-1697 Windows InstallService Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1699 Windows (modem.sys) Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-1700 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-1701 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-1702 Windows Remote Procedure Call Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1703 Windows Event Logging Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1704 Windows Hyper-V Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1705 Microsoft Edge (HTML-based) Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2021-1706 Windows LUAFV Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1708 Windows GDI+ Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-1710 Microsoft Windows Media Foundation Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-1711 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-1712 Microsoft SharePoint Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1713 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-1714 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-1715 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-1716 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-1717 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-1718 Microsoft SharePoint Server Tampering Vulnerability
There are no known exploits in the wild.
CVE-2021-1719 Microsoft SharePoint Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1723 .NET Core and Visual Studio Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-1725 Bot Framework SDK Information Disclosure Vulnerability
There are no known exploits in the wild.

Turla Variant GoldenSky

Overview:

SonicWall Capture Labs Threat Research Team recently found a new sample and activity for a Turla variant called GoldenSky. Turla has gone by many names since 2014, including: Turla, Snake, Venomous Bear, VENOMOUS Bear, Group 88, Waterbug, WRAITH, Turla Team, Uroburos, Pfinet, TAG_0530, KRYPTON, Hippo Team, Pacifier APT, Popeye, SIG23, Iron Hunter, MAKERSMARK.

Turla is known for targeting government organizations, military and diplomatic targets using a complex collection of malware and interesting command-and-control (C2) implementations.

Common tools include remote-access trojans (RATs) such as Kazuar and Carbon, and remote procedure call (RPC)-based backdoors such as HyperStack. These tools often include several layers of obfuscation and defense-evasion techniques.

The RATs transmit the command-execution results and exfiltrate data from the victim’s network, while the RPC-based backdoors including HyperStack use the RPC protocol to perform lateral movement, issue and receive commands on other machines within the local network.

The upgrades seen in the campaign largely revolved around creating built-in redundancies for remote communication.

Sample Static Information:

Encryption Signatures:

Dynamic Information:

Inter-process communication (IPC):

The Pipe OpenMode:
PIPE_ACCESS_DUPLEX: the pipe is bi-directional; both server and client processes can read from and write to the pipe.

The Pipe nMaxInstances is set to:
PIPE_UNLIMITED_INSTANCES (255), which is misleading: you can only have a total of 256 pipe instances.

The number of bytes for the Pipe (Input & Output) buffer are set for 0xF000 or 61,440 Bytes.

Reading and Writing to the Pipe:

Pipe Name:

INI File:

Turla’s variant name came from the .ini file that is created and read upon execution:

Pipe Registry Key Settings:

Other related thread information:

NET Resources:

Local network IPC Share:

Supported Systems:

  • Windows 10
  • Windows 8.1
  • Windows 8.0
  • Windows 7
  • Windows Vista

SonicWall Gateway Anti-Virus (GAV) provides protection against this threat:

  • GAV: Goldensky.D (Trojan)

Appendix:

Sample SHA256 Hash: 48dced47372853658202b286920bb4fd0ab16de7c5d5b736eac84eee023d569f