Fake Cyberpunk 2077 Android apps are on the move

The action role-playing video game Cyberpunk 2077 was one of the most anticipated games of recent times, and after multiple delays it was finally released in December 2020. Even though the game had bugs and issues at launch, it gained massive popularity and a large following during the initial release window. This attracted the attention of gamers and non-gamers alike; unsurprisingly, malware writers and scammers also started taking advantage of this popularity.

Fake download sources

Even though this game is not natively available on mobile devices like Android and iPhone, there are multiple sources that advertise Cyberpunk’s availability on these devices:

  • A number of websites host downloadable files with the name Cyberpunk, but they request “verification” before the download can start. This verification usually leads to online “survey scam” websites that are after the user’s personal information:

  • There are a number of YouTube videos that claim to show how to download and play Cyberpunk on mobile devices. Most of these videos direct users to websites that in turn lead to the verification scams highlighted above; some of the websites lead to Android apps:

Different types of apps

We observed a number of different types of fake Cyberpunk-named apps for Android; a few of them are listed below:

Verification apps

These apps contain Cyberpunk game-related asset files such as icons and menu videos. The menu and intro videos are played when the app runs, making it look authentic to the user. But once the video has been displayed, the user is forwarded to verification/online survey links.

  • MD5: 0766e628c6e6cf2048a6f6d007db4343
  • Package name: com.codwarzone.neta
  • Application name: Cyberpunk 2077

While not inherently malicious, these apps direct users to sites that serve online survey scams. These scams try to extract sensitive user information and further misuse it by selling it to data brokers or using it for phishing, spam or identity theft.

Ransomware

This app is ransomware that uses the popularity of Cyberpunk to infect victims and demand a ransom in the form of Bitcoin.

  • MD5: cbd92757051490316de527a02ac17947
  • Package name: com.codwarzone.neta
  • Application name: Cyberpunk 2077 Mobile (Beta)

The ransom message is hardcoded in the code:

This malware appends the extension “.coderCrypt” to the end of the files it encrypts.

The ransomware demands that the ransom be sent to the Bitcoin wallet address 336Fvf8fRrpySwq8gsaWdf7gfuGm5FQi8K. Below is the recent activity on this address:

Malware creators are yet again using the popularity of a game to spread their malicious creations. Right now Cyberpunk 2077 is not available natively for mobile devices; it can, however, be played on mobile through game streaming services such as Stadia. So any video or post that claims to show how to install this game on a mobile device is likely fake.

SonicWall Capture Labs provides protection against this threat with the following signatures:

  • AndroidOS.CodeWare.RSM (Trojan)
  • AndroidOS.Injector.VF (Trojan)

Indicators of Compromise (IOCs):

  • cbd92757051490316de527a02ac17947
  • 0766e628c6e6cf2048a6f6d007db4343

Critical CVEs of the year 2020

CVE-2020-1472 Zerologon – A vulnerability in the cryptography of Microsoft’s Netlogon process that allows an attack against Microsoft Active Directory domain controllers, making it possible for a hacker to impersonate any computer, including the root domain controller.

Ref: https://securitynews.sonicwall.com/xmlpost/windows-netlogon-elevation-of-privilege-vulnerability-cve-2020-1472/

CVE-2020-0796 SMBGhost – A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka ‘Windows SMBv3 Client/Server Remote Code Execution Vulnerability’.

Ref: https://securitynews.sonicwall.com/xmlpost/windows-smbv3-remote-code-execution-vulnerability-cve-2020-0796/

CVE-2020-1350 SIGRed – A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests, aka ‘Windows DNS Server Remote Code Execution Vulnerability’.

Ref: https://securitynews.sonicwall.com/xmlpost/windows-dns-server-remote-code-execution-vulnerability-cve-2020-1350/

CVE-2020-0601 Curveball – A vulnerability that affects the certificate verification function in the Crypt32.dll module provided by Microsoft.

Ref: https://securitynews.sonicwall.com/xmlpost/windows-cryptoapi-spoofing-vulnerability-cve-2020-0601/

CVE-2020-5902 – A critical vulnerability in the F5 BIG-IP Traffic Management User Interface (TMUI), also known as the Configuration Utility.

Ref: https://securitynews.sonicwall.com/xmlpost/cve-2020-5902-hackers-actively-exploit-critical-vulnerability-in-f5-big-ip/

CVE-2020-14882 – A critical and easily exploitable remote code execution vulnerability in Oracle WebLogic Server.

Ref: https://securitynews.sonicwall.com/xmlpost/cve-2020-14882-oracle-weblogic-remote-code-execution-vulnerability-exploited-in-the-wild/

CVE-2020-0688 Microsoft Exchange Memory Corruption Vulnerability – A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory.

Ref: https://securitynews.sonicwall.com/xmlpost/hackers-are-actively-trying-to-exploit-vulnerable-microsoft-exchange-servers/

CVE-2020-25213 – A vulnerability in WordPress File Manager (wp-file-manager) plugin versions prior to 6.9 that allows remote attackers to upload and execute arbitrary PHP code.

Ref: https://securitynews.sonicwall.com/xmlpost/cve-2020-25213-wordpress-plugin-wp-file-manager-actively-being-exploited-in-the-wild/

CVE-2020-17530: Apache Struts vulnerability exploited in the wild

SonicWall Capture Labs Threat Research team has observed hackers actively targeting the recent remote code execution vulnerability in the Apache Struts framework.

This vulnerability is due to insufficient input validation, leading to a forced double OGNL evaluation when evaluating raw user input. A remote attacker could exploit this vulnerability by sending a crafted request to the target server. Successful exploitation will allow an attacker to execute arbitrary code with the privileges of the server.

Apache Struts:

Apache Struts is a modern Java framework that uses the Model-View-Controller (MVC) architecture for building enterprise-ready web applications.

Model – The central component, which manages the data, logic, and rules of the application.

View – Presents information to the user, sometimes allowing multiple views of the same information.

Controller – Accepts input and converts it to commands for the model or view.

Object-Graph Navigation Language (OGNL) is an open-source expression language for Java which, while using simpler expressions than the full range supported by the Java language, allows getting and setting properties as well as executing methods of Java classes.

OGNL uses Java reflection and inspection to address the Object Graph of the runtime application. This allows the program to change behavior based on the state of the object graph instead of relying on compile-time settings. It also allows changes to the object graph.

Due to its ability to create or change executable code, OGNL is capable of introducing critical security flaws to any framework that uses it.

Vulnerability | CVE-2020-17530:

The OGNL context map is initialized with mitigating controls that enforce validation for access to packages, classes, and their normally private or protected methods and fields. These controls are defined by an instance of the SecurityMemberAccess class. By leveraging introspection via the BeanMap instance, private properties of the SecurityMemberAccess instance can be accessed and modified. Most importantly, excludedClasses and excludedPackageNames, which hold the set of excluded classes and package names respectively, can be cleared, effectively disabling every class and package access restriction.

An attacker is therefore able to completely disable all OGNL expression mitigation controls related to package and class access. Arbitrary code execution can then be achieved by invoking suitable methods from previously disallowed classes, for example the Execute.exec() method from the freemarker.template.utility package.

Exploit:

SonicWall observed the below exploit request in which the BeanMap instance has been leveraged to access and modify the member access and set excludedClasses and excludedPackageNames to empty. One of the disallowed classes “Execute” from the “freemarker.template.utility” package that gives FreeMarker the ability to execute external commands is called to download and execute a malicious file.

Successful exploitation results in the execution of malicious payload “ssa” with the privileges of the server.

Trend Chart:

IPS hits for the signature “14514” in the last 40 days.

SonicWall Capture Labs Threat Research team protects against this exploit with the following signature:

IPS: 14514 Apache Struts OGNL Wildcard Remote Code Execution 8

Problem:

Some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to remote code execution and security degradation.

Affected Products:

Apache Software Foundation Struts 2.0.0 through 2.5.25

Fix:

Avoid using forced OGNL evaluation on untrusted user input, and/or upgrade to Struts 2.5.26, which checks to ensure that expression evaluation won’t lead to the double evaluation.
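
A defender-side hunt for the request pattern described in this advisory, as an added example (it is not SonicWall's signature 14514 or any Struts project code): it parses combined-format access-log lines, fully percent-decodes each request, and flags the tokens named above, forced %{...} evaluation, the excludedClasses/excludedPackageNames fields, and freemarker.template.utility.Execute. The log format, IP addresses and sample lines are constructed for this example.

```python
"""Hunt for CVE-2020-17530-style forced-OGNL requests in web-server access logs.

Added example; this is not SonicWall's IPS signature logic. The advisory above
describes requests that force %{...} evaluation, reach the excludedClasses /
excludedPackageNames fields of SecurityMemberAccess, and then call
freemarker.template.utility.Execute. Those tokens are searched for in the
fully percent-decoded request line of each log entry.
"""
import re
from urllib.parse import unquote

# Indicators taken from the advisory text, keyed by what each one means.
INDICATORS = {
    "forced_ognl": re.compile(r"%\{"),
    "member_access_tamper": re.compile(r"excluded(?:Classes|PackageNames)"),
    "freemarker_execute": re.compile(r"freemarker\.template\.utility\.Execute"),
}
# A bare %{ can appear in odd but benign URLs; these two are the strong signals.
STRONG = {"member_access_tamper", "freemarker_execute"}

# Combined log format (constructed): client, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def decode_fully(s: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded); double encoding hides %{ from naive filters."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def scan_line(line: str):
    """Return a finding dict for one log line, or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_fully(m.group("req"))
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    if not hits:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": m.group("status"),
        "indicators": hits,
        "severity": "high" if STRONG.intersection(hits) else "low",
    }


def scan_log(text: str) -> list:
    """Scan a whole log and return the findings in file order."""
    return [f for f in (scan_line(line) for line in text.splitlines()) if f]


# Constructed sample log: one benign request, one double-encoded %{ probe,
# and two requests carrying the strong indicators. None of them is a working exploit.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Dec/2020:10:01:00 +0000] "POST /login.action HTTP/1.1" 302 0
203.0.113.10 - - [12/Dec/2020:10:02:11 +0000] "GET /index.action?id=%2525%257Btest%257D HTTP/1.1" 200 512
203.0.113.10 - - [12/Dec/2020:10:02:12 +0000] "GET /index.action?id=%25%7B%23x.excludedClasses%7D HTTP/1.1" 200 512
203.0.113.10 - - [12/Dec/2020:10:02:13 +0000] "GET /index.action?id=%25%7Bfreemarker.template.utility.Execute%7D HTTP/1.1" 500 0
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A bare %{ is a weak signal on its own; alert on the member-access and Execute tokens and review the rest of the session from the same client.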

IOC (Attacker IPs):


Mobef ransomware actively spreading in the wild

The SonicWall Capture Labs Threat Research team observed reports of a new variant family of Mobef ransomware actively spreading in the wild.

The Mobef ransomware encrypts the victim’s files with a strong encryption algorithm, claiming it does so “just for fun”.

Infection Cycle:

The ransomware adds the following files to the system:

  • Malware.exe
    • %App.path%\IMPORTANT.README
    • %App.path%\SECRET.KEYFILE

Once the computer is compromised, the ransomware runs the following commands:

When Mobef is started it will create and assign a unique ID number to the victim, then scan all local drives for data files to encrypt.

When encrypting files it uses the AES encryption algorithm and only encrypts files that match the following extensions:

mp3, mp4, jpe, jpg, kdc, mdb, mdf, mef, mrw, nef, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, rwl, srf, srw, wb2, wpd, wps, xlk, nrw, odb, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, xls, xlsb, xlsm, xlsx, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf.

Here is an example:

The ransomware encrypts all the files without changing their filename or extension.

After encrypting all personal documents, the ransomware shows the following image, containing a message reporting that the computer has been encrypted just for fun.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Mobef.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

SolarWinds Orion Vulnerability

Updated January 15, 2021

The U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) have confirmed that malicious threat actors have been and are actively exploiting vulnerabilities in SolarWinds Orion products, specifically affected versions 2019.4 through 2020.2.1 HF1.

The threat actor primarily leverages malware commonly known as SUNBURST to conduct a global supply-chain attack against the SolarWinds Orion platform. SolarWinds Orion is an enterprise-grade IT monitoring solution.

This malware was seen being distributed as part of SolarWinds Orion software updates from March 2020. As part of the software update, the malware comes in the form of a dynamic-link library (DLL) that was digitally signed by SolarWinds. Once loaded by the legitimate SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe, the malware is capable of transferring data, executing files, profiling the system, rebooting and more.

Apart from being digitally signed, this malware employed other evasion tactics. These include using Teardrop, a memory-only dropper, to deploy a customized Cobalt Strike beacon. It also encoded strings such as domain names, user-agents, registry keys and others.

A few of the notable encoded strings are as follows:

  • 583da945-62af-10e8-4902-a8f205c72b2e -> the name of a named pipe that is used as a mutex to prevent multiple instances of the malware from running.
  • avsvmcloud[.]com -> one of the domain names this malware connects to.
  • SolarWindsOrionImprovementClient/3.0.0.382 -> the User-Agent field the malware uses during HTTP communication with the C&C server.

The Command & Control traffic is also difficult to detect, as it was designed to mimic legitimate SolarWinds API calls. Unlike other botnet malware, which connects to its C&C on a regular basis, SUNBURST only communicates with the malicious server once every 12 to 14 days.

SolarWinds has confirmed the attack and has asked impacted customers using Orion to immediately upgrade to 2019.4 HF 6 or 2020.2.1 HF 1. Please visit www.solarwinds.com/securityadvisory for more information about your Orion upgrade options.

Both SolarWinds and CISA strongly suggest that organizations using SolarWinds Orion verify the version they’re running and upgrade immediately, if required.

SonicWall Capture Labs threat researchers have investigated the vulnerability and published multiple signatures in different categories that identify malicious activity against affected SolarWinds Orion versions. These include application identification signatures that detect whether an organization has SolarWinds Orion deployed within its network, malicious domain signatures, malicious IPs, and malware such as Sunburst, Supernova and Teardrop. These signatures are applied automatically to SonicWall firewalls with active security subscriptions.

Application signatures – identify SolarWinds Orion applications:

  • 15296: BUSINESS-APPS SolarWinds Orion (API Activity)
  • 2014: BUSINESS-APPS SolarWinds Orion (Update Activity)

IPS signatures – identify malicious domains:

  • 15292: SolarWinds Supply Chain Malware Activity 1
  • 15293: SolarWinds Supply Chain Malware Activity 2
  • 15294: SolarWinds Supply Chain Malware Activity 3
  • 15295: SolarWinds Supply Chain Malware Activity 4
  • 15298: SolarWinds Supply Chain Malware Activity 5
  • 15299: SolarWinds Supply Chain Malware Activity 6
  • 15300: SolarWinds Supply Chain Malware Activity 7
  • 15301: SolarWinds Supply Chain Malware Activity 8
  • 15302: SolarWinds Supply Chain Malware Activity 9
  • 15303: SolarWinds Supply Chain Malware Activity 10
  • 15308: SolarWinds Supply Chain Malware Activity 11
  • 15309: SolarWinds Supply Chain Malware Activity 12
  • 15310: SolarWinds Supply Chain Malware Activity 13
  • 15311: SolarWinds Supply Chain Malware Activity 14
  • 15312: SolarWinds Supply Chain Malware Activity 15
  • 15313: SolarWinds Supply Chain Malware Activity 16
  • 15314: SolarWinds Supply Chain Malware Activity 17
  • 15315: SolarWinds Supply Chain Malware Activity 18
  • 15316: SolarWinds Supply Chain Malware Activity 19
  • 15317: SolarWinds Supply Chain Malware Activity 20

GAV signatures – identify malware: [Updated on Jan 14]

Sunburst – Backdoor malware that has been trojanized into multiple SolarWinds Orion update versions.

  • SunBurst.A (Trojan) IOC:d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600
  • SolarWinds.DL (Trojan), IOC:ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6
  • SunBurst.A_1 (Trojan), IOC:32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77
  • SunBurst.A_2 (Trojan), IOC:ad2fbf4add71f61173975989d1a18395afb8538ed889012b9d2e21c19e98bbd1
  • SunBurst.A_3 (Trojan), IOC:019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134

Supernova – a webshell planted in the code of the Orion network and application monitoring platform that enabled adversaries to run arbitrary code on machines running the trojanized versions of the software.

  • Injector.DN_35 (Trojan) IOC:c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71
  • Supernova.A_1 (Trojan), IOC:1c96021ac8cb52173e762f6b008fb4c6e5ef113e6baa4e2cf4848e88c61d9700

Teardrop – a memory-only dropper that runs as a service.

  • Teardrop.B (Trojan), IOC:6e4050c6a2d2e5e49606d96dd2922da480f2e0c70082cc7e54449a7dc0d20f8d

Domain Blacklist: [Updated on Jan 15]

  • avsvmcloud.com
  • digitalcollege.org
  • freescanonline.com
  • deftsecurity.com
  • thedoccloud.com
  • virtualdataserver.com
  • incomeupdate.com
  • databasegalore.com
  • panhardware.com

SonicWall products and real-time security services can help organizations identify and mitigate SUNBURST malware and other attacks against vulnerable SolarWinds Orion versions.

To verify you have the latest SonicWall Intrusion Prevention Signatures (IPS), please follow the steps in this knowledgebase (KB) article: https://www.sonicwall.com/support/knowledge-base/detailed-information-on-intrusion-prevention-signature-ips-signature-ids/170505742887527/

Breach of FireEye Offensive Tools

On December 8, 2020, the cyber security firm FireEye disclosed an incident that resulted in the theft of the offensive security tools (OSTs) used by its Red Team to test the security posture of its customers.

Some of these tools resemble the well-known offensive framework Cobalt Strike. This is evident in the naming convention used by FireEye:

In response to the breach, FireEye has provided Red Team tool countermeasures, which are available on GitHub. These countermeasures include rules in multiple languages such as Snort, Yara, ClamAV, and HXIOC. Since none of these tools leverage 0-day vulnerabilities, FireEye also provided a list of the CVEs used by these tools.

An important aspect of preventing the use of these red-teaming tools in your environment is to address the vulnerabilities they are known to exploit.

SonicWall Capture Labs Threat Research team provides protection against the list of CVEs shown above, as well as the Beacon tool used by the FireEye Red Team, with the following signatures:

IPS:14422 Pulse Connect Secure Information Disclosure
IPS:15143 Windows Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472) 1
IPS:15156 Windows Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472) 2
IPS:15158 Windows Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472) 3
IPS:15185 Windows Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472) 4
IPS:15081 Fortinet SSL VPN Web Portal Directory Traversal
IPS:13910 Adobe ColdFusion Arbitrary File Upload 1
IPS:14689 Microsoft SharePoint Remote Code Execution (FEB 19)
IPS:14225 Remote Desktop Services Remote Code Execution (MAY 19)
IPS:14725 Citrix NetScaler ADC/Gateway Directory Traversal 2
IPS:14886 ManageEngine Desktop Central Insecure Deserialization
IPS:14826 Microsoft Exchange Server Remote Code Execution (CVE-2020-0688)
IPS:14888 Microsoft Exchange Server Remote Code Execution (CVE-2020-0688) 2
IPS:14889 Microsoft Exchange Server Remote Code Execution (CVE-2020-0688) 3
IPS:14890 Microsoft Exchange Server Remote Code Execution (CVE-2020-0688) 4
IPS:11556 Win32k Elevation of Privilege (MS16-039) 2
IPS:2007 FireEye RUBEUS nonce 2 TCP
IPS:2009 FireEye RUBEUS nonce 2 UDP
IPS:15285 FireEye BEACON CSBundle USAToday Server
IPS:15286 FireEye RUBEUS Process
IPS:15287 FireEye GORAT Build ID
IPS:15288 FireEye BEACON CSBundle Original Stager

An Android stealer with a multitude of spyware capabilities

SonicWall Threats Research team came across an Android spyware that steals sensitive user information and sends it to the attacker. The app has a plethora of functions centered on stealing information from the device. A more concerning element of the malware, however, is that all the stolen information is transmitted over an unencrypted HTTP channel.

Infection Cycle

Details of the sample analyzed:

  • MD5: 5c698417916ab2a9df1d577507be5725
  • App Name: 19금 틱톡 (19 gold tiktok)
  • Package Name: com.yjx.callservice

Upon installation the app is visible in the app drawer as follows:

Upon execution the app starts communicating with the attacker using the hardcoded IP 116.193.152.176:7788. The communication happens over HTTP, which means that any user information sent to the attacker travels over an unencrypted channel. One of the first things the app does is create a unique ID for the infected device; this ID is saved locally in the shared_prefs file and then shared with the attacker to report the initial infection. This is performed using a POST request to addNewUser, as shown below:

The malware then sends the following data from the infected device:

  • Contacts on the device are sent to addContactes (notice the spelling error):

  • Apps installed are sent to addAppes (another spelling mistake):

There are additional interesting API requests present in the code that highlight the features and capabilities of this malware:

  • addNewAccount
  • addNewCallloges
  • addNewLocation
  • addNewSmses
  • getAllBlackList
  • editUserMobileNetwork
  • findCall
  • getRealPhone
  • getAllIncoming
  • uploadFile

Functionalities in the code

The malware is capable of communicating with the attacker using WebSocket. It can execute the following functions based on the command code received via WebSocket:

  • take_photo

  • start_record

There are additional traces in the code which reveal more functionality of the malware. It is capable of the following:

  • Steal all the SMS on the device:

  • Steal the call logs from the device:

  • Steal all contacts:

  • Get all apps installed on the device; we saw this functionality being used via network communication earlier:

Additional investigation

  • A network graph of the attacker’s domain reveals two additional apps that communicate with it:

  • The two APKs related to this campaign have similar functionality. Below are their MD5s:
    • e8509b2a57423a1b4b2d8bcf33973974
    • b67d42100440dd6c03b56da2c71b5130

  • The attacker’s hardcoded domain opens a login page. As mentioned before, this happens over HTTP, so any sensitive information can also be intercepted by a third party:

  • The following hardcoded information is present in the code:

Attacker server IP:

Gmail credentials:

QQ chat id:

Overall this malware is geared towards stealing sensitive user information from an infected device. The log messages and text present in the code are in Korean; additionally, the language used on the attacker’s server login page is Korean as well.

SonicWall Capture Labs provides protection against this threat with the following signature:

  • Banker.SP (Trojan)

Indicators of Compromise (IOCs):

  • 5c698417916ab2a9df1d577507be5725
  • e8509b2a57423a1b4b2d8bcf33973974
  • b67d42100440dd6c03b56da2c71b5130

Microsoft Security Bulletin Coverage for December 2020

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of December 2020. A list of the issues reported, along with SonicWall coverage information, is as follows:

CVE-2020-17096 Windows NTFS Remote Code Execution Vulnerability
ASPY 136:Malformed-File dll.MP.6

CVE-2020-17121 Microsoft SharePoint Remote Code Execution Vulnerability
ASPY 135:Malformed-File cab.MP.2

CVE-2020-17140 Windows SMB Information Disclosure Vulnerability
IPS 15284 Windows SMBv2 Information Disclosure (CVE-2020-17140)

CVE-2020-17144 Microsoft Exchange Remote Code Execution Vulnerability
ASPY 134:Malformed-File exe.MP.167

CVE-2020-17152 Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability
IPS 15283:Microsoft Dynamics 365 Remote Code Execution Vulnerability

CVE-2020-17158 Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability
IPS 15283:Microsoft Dynamics 365 Remote Code Execution Vulnerability

The following vulnerabilities have no known exploits in the wild:
CVE-2020-16958 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16959 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16960 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16961 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16962 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16963 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16964 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16971 Azure SDK for Java Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2020-16996 Kerberos Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2020-17002 Azure SDK for C Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2020-17089 Microsoft SharePoint Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17092 Windows Network Connections Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17094 Windows Error Reporting Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-17095 Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17097 Windows Digital Media Receiver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17098 Windows GDI+ Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-17099 Windows Lock Screen Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2020-17103 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17115 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-17117 Microsoft Exchange Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17118 Microsoft SharePoint Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17119 Microsoft Outlook Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-17120 Microsoft SharePoint Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-17122 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17123 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17124 Microsoft PowerPoint Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17125 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17126 Microsoft Excel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-17127 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17128 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17129 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17130 Microsoft Excel Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2020-17131 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-17132 Microsoft Exchange Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17133 Microsoft Dynamics Business Central/NAV Information Disclosure
There are no known exploits in the wild.
CVE-2020-17134 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17135 Azure DevOps Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-17136 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17137 DirectX Graphics Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17138 Windows Error Reporting Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-17139 Windows Overlay Filter Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2020-17141 Microsoft Exchange Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17142 Microsoft Exchange Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17143 Microsoft Exchange Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-17145 Azure DevOps Server and Team Foundation Services Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-17147 Dynamics CRM Webclient Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2020-17148 Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17150 Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17153 Microsoft Edge for Android Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-17156 Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17159 Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17160 Azure Sphere Security Feature Bypass Vulnerability
There are no known exploits in the wild.

Egregor Ransomware

Overview:

SonicWall Capture Labs Threat Research Team recently found a new sample and activity for Egregor Ransomware. The Egregor sample below is a library (DLL) that contains code and data that can be used by more than one program at the same time. The library is highly obfuscated and encrypted using the Salsa20 and ChaCha stream ciphers and RSA encryption. This makes the sample difficult to analyze from a reverse-engineering and debugging point of view.

The library contains export functions that are required to be called from other stages of the infection chain. The export function parameters usually accept the key or password used to unlock, deobfuscate and decrypt the code sections. Once the sample has finished unwinding, it releases the payload hidden inside. The key and/or password is normally unique to each sample and is always located somewhere inside it; it is up to the researcher to find it.

The command that can be used to load the library directly for debugging, bypassing the distribution methods listed below:
regsvr32.exe path_to_dll DllRegisterServer param1 param2

Egregor releases stolen data on its website (egregornews) to increase pressure on the victim to pay the ransom. Egregor News is used to post the names and domains of Egregor victims along with their stolen data sets.

Distribution Methods & Tactics:

  • Cobalt Strike
  • RDP Exploit
  • Phishing
  • CVE-2020-0688
  • CVE-2018-8174
  • CVE-2018-4878
  • CVE-2018-15982
  • QBot
  • Ursnif
  • IcedID

RaaS News Website:

Stage 1, Static Information:

ChaCha / Salsa20 Initial State Information:

Stage 1 uses an implementation of ChaCha (2008)/Salsa20 (2005) as its main encryption. The “nothing-up-my-sleeve number” that pinpoints ChaCha or Salsa20 is the algorithm constant “expand 32-byte k”; when this constant is present, the implementation is considered a 256-bit one. The 32-byte constant can be seen below:

The key used for unlocking stage 1:
“Elon Musk 2024! To The Future!!!” and “SpaceX!!”
The words are filtered, parsed and rearranged for parts of the ChaCha decryption stage.
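As an added illustration (not code from the Egregor sample or from SonicWall), the pure-Python ChaCha20 below shows why “expand 32-byte k” pinpoints a 256-bit ChaCha/Salsa20 implementation: the constant forms the first four words of the initial state, followed by the 32-byte key, the counter and the 8-byte nonce in the original 2008 layout, and a triage helper reports which key-size constant a blob contains. The two strings quoted above are used as key and nonce only because their lengths fit exactly; the sample’s actual filtering and rearrangement of them is not reproduced, so that pairing is an assumption.

```python
import struct

SIGMA_256 = b"expand 32-byte k"  # "nothing-up-my-sleeve" constant for a 256-bit key
SIGMA_128 = b"expand 16-byte k"  # the 128-bit-key variant uses this constant instead
MASK = 0xFFFFFFFF

# Constructed key/nonce: the page's two strings are exactly 32 and 8 bytes, matching the
# original ChaCha sizes. The real sample rearranges them first, so verbatim use is an assumption.
KEY = b"Elon Musk 2024! To The Future!!!"
NONCE = b"SpaceX!!"

def identify_constant(blob):
    """Triage helper: report which ChaCha/Salsa20 key-size constant a byte blob contains."""
    if SIGMA_256 in blob:
        return "256-bit"
    if SIGMA_128 in blob:
        return "128-bit"
    return None

def initial_state(key, nonce, counter=0):
    """Original ChaCha (2008) layout: 4 constant words, 8 key words, 64-bit counter, 64-bit nonce."""
    assert len(key) == 32 and len(nonce) == 8
    return (list(struct.unpack("<4I", SIGMA_256)) + list(struct.unpack("<8I", key))
            + [counter & MASK, (counter >> 32) & MASK] + list(struct.unpack("<2I", nonce)))

def _rotl(v, c):
    return ((v << c) & MASK) | (v >> (32 - c))

def _quarter_round(x, a, b, c, d):
    x[a] = (x[a] + x[b]) & MASK; x[d] = _rotl(x[d] ^ x[a], 16)
    x[c] = (x[c] + x[d]) & MASK; x[b] = _rotl(x[b] ^ x[c], 12)
    x[a] = (x[a] + x[b]) & MASK; x[d] = _rotl(x[d] ^ x[a], 8)
    x[c] = (x[c] + x[d]) & MASK; x[b] = _rotl(x[b] ^ x[c], 7)

def chacha20_block(state):
    """20 rounds (10 column + diagonal double rounds), then add the input state back in."""
    x = list(state)
    for _ in range(10):
        for a, b, c, d in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                           (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _quarter_round(x, a, b, c, d)
    return struct.pack("<16I", *[(s + t) & MASK for s, t in zip(x, state)])

def chacha20_xor(key, nonce, data, counter=0):
    """Encryption and decryption are the same XOR against the keystream."""
    out = bytearray()
    for i in range(0, len(data), 64):
        keystream = chacha20_block(initial_state(key, nonce, counter + i // 64))
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], keystream))
    return bytes(out)
```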

Stage 1, Dynamic Information:

Start of Encrypted Data

End of Encrypted Data

The size of the encrypted data: 0x4EAAD (322,221 decimal).

After Decryption:

String Artifacts:

Two of the parameters shown in the picture above are --del and --dubisteinmutterficker.
dubisteinmutterficker is German for “you’re a mother fucker.”
We also see references to Elon Musk and SpaceX.

2nd Stage, Commands Payload Will Accept:

Egregor’s payload can accept several command line arguments, including:

  • --fast: limits the file size for encryption.
  • --full: performs encryption of the full victim system (including local and network drives).
  • --multiproc: multi-process support.
  • --nomimikatz: refers to Mimikatz, an open source toolkit.
  • --nonet: does not encrypt network drives.
  • --path: specific folder to encrypt.
  • --target: target extension for encryption.
  • --append: file extension to append to encrypted files.
  • --norename: does not rename the files it encrypts.
  • --greetings: prepends the name to the ransom note, presumably to directly address the victim.
  • --samba: provides shared access to files, printers, and serial ports between nodes.
  • --killrdp: relates to Remote Desktop Protocol (RDP).

The most commonly used argument is --full.
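Added example (not from the page’s author or the Egregor sample): a small Python triage routine over constructed process-creation events. It flags the payload switches listed above when they appear on a command line where regsvr32.exe or rundll32.exe invokes DllRegisterServer (the export named in the debugging command earlier), or when either stage-1 string artifact (--del, --dubisteinmutterficker) is present; the pipe-delimited event format, host names and paths are constructed for the demonstration.

```python
# Switches the page lists for the stage-2 payload
EGREGOR_SWITCHES = {"--fast", "--full", "--multiproc", "--nomimikatz", "--nonet", "--path",
                    "--target", "--append", "--norename", "--greetings", "--samba", "--killrdp"}
# String artifacts recovered from the decrypted stage 1
STAGE1_MARKERS = ("--del", "--dubisteinmutterficker")
# Native loaders that call a DLL export by name; the export comes from the debugging command above
DLL_LOADERS = ("regsvr32.exe", "rundll32.exe")
EXPORT_NAME = "dllregisterserver"

# Constructed process-creation events (not real telemetry): timestamp|host|image path|command line
SAMPLE_EVENTS = [
    r"2020-12-09T10:01:02|WS01|C:\Windows\System32\regsvr32.exe|regsvr32.exe C:\Users\Public\x.dll DllRegisterServer --full --nomimikatz",
    r"2020-12-09T10:02:11|WS02|C:\Windows\System32\regsvr32.exe|regsvr32.exe /s C:\Program Files\Vendor\comp.dll",
    r"2020-12-09T10:03:45|WS03|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Windows\Temp\b.dll,DllRegisterServer --dubisteinmutterficker",
    r"2020-12-09T10:04:00|WS04|C:\Tools\backup.exe|backup.exe --full --path D:\data",
]

def assess(cmdline):
    """Return the reasons a command line looks like an Egregor payload launch (empty list if none)."""
    lowered = cmdline.lower()
    tokens = lowered.split()
    # accept both "--path dir" and "--path=dir" forms when matching the switch name
    switches = sorted({t.split("=", 1)[0] for t in tokens if t.split("=", 1)[0] in EGREGOR_SWITCHES})
    markers = [m for m in STAGE1_MARKERS if m in tokens]
    image = tokens[0].rsplit("\\", 1)[-1] if tokens else ""
    loader_export = image in DLL_LOADERS and EXPORT_NAME in lowered
    reasons = []
    if markers:
        reasons.append("stage-1 string artifact on command line: " + ", ".join(markers))
    if loader_export and switches:
        reasons.append(f"{image} invoking DllRegisterServer with payload switch(es) {', '.join(switches)}")
    elif len(switches) >= 3:
        # generic-looking switches alone are weak evidence, so require several before flagging
        reasons.append("three or more payload switches: " + ", ".join(switches))
    return reasons

def scan_events(events):
    """Parse pipe-delimited events and return [(host, reasons)] for those that trigger."""
    hits = []
    for line in events:
        _ts, host, _image, cmdline = line.split("|", 3)
        reasons = assess(cmdline)
        if reasons:
            hits.append((host, reasons))
    return hits

if __name__ == "__main__":
    for host, reasons in scan_events(SAMPLE_EVENTS):
        print(host, "->", "; ".join(reasons))
```

The WS04 event shows the deliberate false-positive guard: a non-loader binary with only two of the generic-looking switches is not flagged.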

Supported Systems:

  • Windows 10
  • Windows 8.1
  • Windows 8.0
  • Windows 7
  • Windows Vista

SonicWall Gateway Anti-Virus (GAV) provides protection against this threat:

  • GAV: Egregor.RSM (Trojan)

Appendix:

Sample SHA256 Hash: 38b155b6546db882189cc79bcac0b0284d3f858e0feb1e5dbc24b22f78cdfb68

Beware of fraud apps leveraging Google Play Store for distribution

SonicWall Capture Labs threat research team has been regularly sharing information about the malware threats plaguing Android devices. SonicWall has tracked down another finance-based malicious app. Until recently the app was distributed via the Google Play Store; it has now been removed from the Play Store after we reported it to the concerned team.

The app targets Indian Android phone consumers and is portrayed as an app that assists in obtaining a loan. Its high installation count (0.1-0.5 million) indicates that many users might have fallen prey to this fraud app. A similar fraud app has been noticed in the Google Play Store, and the concerned team has already been notified of it.


At present, the fraudulent app isn’t detected by any AV vendor, as seen on the popular threat intelligence sharing portal VirusTotal.


The app promised to provide easy loans to customers and appeared genuine by providing information about loan EMI and interest in its description.

Post installation, it showed a list of required permissions. Interestingly, the app prompted the user to grant the permissions by describing why each one is required. The app then instructed the user to complete 3 steps to get a loan.


In the first step, called “Submit info”, personal, work and bank related information is collected from the user. There is no validation of the account details the user is asked to enter, as shown below:


In the second step, the user’s credit limit is supposedly computed from the information provided in step one. The user is then asked to pay 399 INR as a security deposit before the loan request can be processed further. Various payment options such as net banking, UPI and debit/credit card are offered, and a countdown timer is started to rush the user into making the payment.


SonicWall Capture Labs provides protection against this threat with the following signatures:

  • FraudApp.B (Trojan)
  • FraudApp.C (Trojan)


Indicators of Compromise (IOCs):

  • 2dd16df38421e8ba98e52bbc4fab81145a672775b72bf676f19b6c55a209cb1c
  • 0317c1270d57ffc57dda791f3786de34205055d6e42a1e2f30216971b790867