Posts

Windows Netlogon Elevation of Privilege Vulnerability CVE-2020-1472

An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a network device.
This vulnerability, also called Zerologon, has a CVSS score of 10.

Netlogon Remote Protocol

The Netlogon Remote Protocol is used for secure communication between machines in a domain and domain controllers (DCs). The communication is secured using a shared session key computed between the client and the DC engaged in the secure communication. The session key is computed from a preconfigured shared secret known to both the client and the DC. The Microsoft Windows Netlogon Remote Protocol (MS-NRPC) is a core authentication component of Active Directory that provides authentication for user and computer accounts.

Vulnerability (CVE-2020-1472)

The vulnerability arises from a flaw in the cryptographic implementation of the Netlogon protocol, specifically in its use of AES-CFB8 encryption. MS-NRPC uses an initialization vector (IV) of 0 (zero) in AES-CFB8 mode when authenticating computer accounts. Due to this incorrect use of an AES mode of operation, it is possible to spoof the identity of any computer account (including that of the DC itself) and set an empty password for that account in the domain.
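To make the AES-CFB8 point concrete, here is an added Go example (not SonicWall's or Microsoft's code) that implements CFB8 over the standard library's AES and checks what a fixed all-zero IV does: with an all-zero plaintext, the ciphertext is also all zeros exactly when the first byte of AES(key, 0^16) is zero, which holds for about 1 key in 256. The function names and the 8-byte plaintext (the size of a Netlogon credential) are this example's choices.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"errors"
	"fmt"
)

const blockSize = aes.BlockSize // 16 bytes

// cfb8Encrypt implements AES-CFB8: each plaintext byte is XORed with the first
// byte of AES(key, register) and the resulting ciphertext byte is shifted into
// the register. MS-NRPC uses this construction with the IV fixed at 16 zero bytes.
func cfb8Encrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != blockSize {
		return nil, errors.New("iv must be exactly one AES block")
	}
	reg := make([]byte, blockSize)
	copy(reg, iv)
	ks := make([]byte, blockSize)
	out := make([]byte, len(plaintext))
	for i, p := range plaintext {
		block.Encrypt(ks, reg)
		out[i] = p ^ ks[0]
		copy(reg, reg[1:])        // shift the register left by one byte
		reg[blockSize-1] = out[i] // and feed the ciphertext byte back in
	}
	return out, nil
}

// collapsesUnderZeroIV reports whether eight zero plaintext bytes encrypt to
// eight zero ciphertext bytes under key with an all-zero IV. The register
// starts at zero, so if the first keystream byte is zero the first ciphertext
// byte is zero too, the register stays all-zero, and every later byte repeats
// the same result. Over random keys that is a 1-in-256 event.
func collapsesUnderZeroIV(key []byte) (bool, error) {
	zeros := make([]byte, 8) // eight bytes, the size of a Netlogon credential
	ct, err := cfb8Encrypt(key, make([]byte, blockSize), zeros)
	if err != nil {
		return false, err
	}
	return bytes.Equal(ct, zeros), nil
}

// firstKeystreamByteIsZero is the independent predicate the collapse reduces
// to; it lets the reasoning above be checked rather than taken on trust.
func firstKeystreamByteIsZero(key []byte) (bool, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return false, err
	}
	ks := make([]byte, blockSize)
	block.Encrypt(ks, make([]byte, blockSize))
	return ks[0] == 0, nil
}

// findCollapsingKey draws random AES-128 keys until one collapses and returns
// it with the number of draws; about 256 are expected. A Netlogon session key
// is as likely as any other key to be one of these, which is the 1-in-256
// weakness behind Zerologon.
func findCollapsingKey(maxDraws int) ([]byte, int, error) {
	for n := 1; n <= maxDraws; n++ {
		key := make([]byte, 16)
		if _, err := rand.Read(key); err != nil {
			return nil, 0, err
		}
		ok, err := collapsesUnderZeroIV(key)
		if err != nil {
			return nil, 0, err
		}
		if ok {
			return key, n, nil
		}
	}
	return nil, maxDraws, errors.New("no collapsing key found")
}

func main() {
	key, n, err := findCollapsingKey(1 << 16)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Printf("collapsing key after %d draws: %x\n", n, key)
	// With a non-zero IV the register never starts at zero, so the same key
	// no longer yields an all-zero ciphertext: the flaw is the fixed IV, not AES.
	iv := bytes.Repeat([]byte{0x5a}, blockSize) // constructed, fixed for the demo
	ct, _ := cfb8Encrypt(key, iv, make([]byte, 8))
	fmt.Printf("same key, non-zero IV: %x\n", ct)
}
```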

Successful exploitation of the vulnerability allows an attacker to:

  • Impersonate any computer on the network
  • Disable security features that protect the Netlogon process
  • Change a computer’s password associated with its Active Directory account

Affected products

  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Server 2012
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012 R2
  • Windows Server 2012 R2 (Server Core installation)
  • Windows Server 2016
  • Windows Server 2016 (Server Core installation)
  • Windows Server 2019
  • Windows Server 2019 (Server Core installation)
  • Windows Server, version 1903 (Server Core installation)
  • Windows Server, version 1909 (Server Core installation)
  • Windows Server, version 2004 (Server Core installation)

Microsoft has patched this vulnerability and is urging customers to prioritize patching Domain Controllers, as they are the likely primary target.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • IPS 15143: Windows Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472) 1
  • IPS 15156: Windows Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472) 2
  • IPS 15158: Windows Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472) 3

This spyware poses as a fake Android WhatsApp update app

SonicWall Capture Labs threat researchers observed an interesting Android sample that passes itself off as a WhatsApp Updater app. Anyone with basic security awareness will quickly point out that there is no separate app to update WhatsApp, as clearly stated in the WhatsApp FAQ. As expected, this app simply uses WhatsApp as a disguise to hide its spyware capabilities.

 

Distribution mechanism

This fake updater app (at the time of writing this blog) is hosted on android-update[.]net/whatsapp-update.apk. Installation of apps from unknown sources is blocked by default on Android devices; as a result, whenever an apk file is downloaded the user is shown a warning stating that it might be dangerous to install the app. This website tries to convince the user to ignore that warning and states that the WhatsApp update is completely safe to install:

The site android-update.net has been deemed malicious on VirusTotal.

 

Dangerous Permissions

This app requests a few permissions that can be risky in the wrong hands:

  • receive_boot_completed
  • read_contacts
  • access_fine_location
  • read_history_bookmarks
  • write_settings
  • system_alert_window
  • record_audio
  • send_sms
  • bind_accessibility_service
  • bind_device_admin

Infection Cycle

After installation and execution, the app promptly requests device admin privileges. This alone should be a red flag, as WhatsApp itself does not request device admin privileges:

If the permission is not granted immediately, the app keeps requesting it until it is granted. This tactic is aimed at wearing down the user and forcing them into granting the permission.

 

Siphoning personal data

The app communicates with the server superwat.biz and begins exfiltrating sensitive user-related information from the device and the network. We have listed a few of these exchanges:

The communication begins with a POST message to the settings folder, which carries the different options/switches under which the app (which by now shows clear signs of being spyware) will operate:

 

Some noteworthy switches:

  • line_call_record
  • whatsapp_call_record
  • stream_recording
  • spy_call

 

There was a POST message to the folder DeviceInfo which sent device-related data:

 

There was a POST message to the folder Put with highly sensitive data that included:

  • Device IMEI
  • Installed apps with their memory usage
  • GPS location data
  • Browser history showing the web pages opened
  • Names and phone numbers of the contacts present on the device
  • Wi-Fi access point names with their MAC addresses

 

A few more interesting network messages:

  • POST /play/WS/RemoteCommands
  • GET /play/ws/update-check/?update=getversion&brand=gvd8
  • GET /play/ws/update-check/?asset=armeabi-v7a

 

We created a VirusTotal relations graph that represents all the parties contacted by the spyware app:

 

Domain WHOIS details

We found the following artifacts about the server superwat.biz and android-update.net:

 

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: AndroidOS.Spy.PN (Trojan)

 

Indicators of Compromise (IOC)

Sample details

Anubis infostealer wants your cryptocurrency wallet

This week the SonicWall Capture Labs research team analyzed an infostealing Trojan that is a mash-up of another infostealer Trojan and a ransomware. This Trojan is called Anubis but borrowed most of its code from another Trojan named Loki, which is popularly sold on the underground market.

Infection Cycle

This Trojan uses the following icon:

Upon execution, it proceeds to scan the system and starts stealing data, taking screenshots and so on. It then creates a random folder within the %temp% directory where it stores log files of stolen data.

This stolen data is then sent to a remote server.

During static analysis, it was noted that it had references to “Loki” within its strings as evidence of it borrowing code from this other infostealer Trojan. After all, Loki is a commodity malware commonly sold in underground sites.

This Trojan functions much like Loki and comes after the victim’s system information, browser data, credentials, credit card details and cryptocurrency wallets.

Interestingly, during analysis we noticed references to ransomware functionality within its strings, although this was not evident during runtime.

Apart from being sold underground, Lokibot has been known to be distributed via spam emails, and Anubis is highly likely to be distributed in the same way.

Always be vigilant and cautious when installing software programs particularly if you are not certain of the source.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Anubis.ST (Trojan)
  • GAV: VHDLocker.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Microsoft Security Bulletin Coverage for September 2020

The SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of September 2020. A list of the issues reported, along with SonicWall coverage information, is as follows:

CVE-2020-0664 Active Directory Information Disclosure Vulnerability
IPS 15131: Microsoft Active Directory Information Disclosure Vulnerability (CVE-2020-0664)

CVE-2020-0856 Active Directory Information Disclosure Vulnerability
IPS 15132: Microsoft Active Directory Information Disclosure Vulnerability (CVE-2020-0856)

CVE-2020-0941 Win32k Information Disclosure Vulnerability
ASPY 5993: Malformed-File exe.MP.156

CVE-2020-1115 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 5994: Malformed-File exe.MP.157

CVE-2020-1152 Windows Win32k Elevation of Privilege Vulnerability
ASPY 5995: Malformed-File exe.MP.158

CVE-2020-1245 Win32k Elevation of Privilege Vulnerability
ASPY 5991: Malformed-File exe.MP.154

CVE-2020-1308 DirectX Elevation of Privilege Vulnerability
ASPY 5992: Malformed-File exe.MP.155

The following vulnerabilities do not have known exploits in the wild:
CVE-2020-0648 Windows RSoP Service Application Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0718 Active Directory Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-0761 Active Directory Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-0766 Microsoft Store Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0782 Windows Cryptographic Catalog Services Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0790 Microsoft splwow64 Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0805 Projected Filesystem Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2020-0836 Windows DNS Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-0837 ADFS Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-0838 NTFS Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0839 Windows dnsrslvr.dll Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0870 Shell infrastructure component Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0875 Microsoft splwow64 Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0878 Microsoft Browser Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-0886 Windows Storage Services Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-0890 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-0904 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-0908 Windows Text Service Module Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-0914 Windows State Repository Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0921 Microsoft Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0922 Microsoft COM for Windows Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-0928 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0951 Windows Defender Application Control Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2020-0989 Windows Mobile Device Management Diagnostics Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-0997 Windows Camera Codec Pack Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-0998 Windows Graphics Component Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1012 WinINet API Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1013 Group Policy Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1030 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1031 Windows DHCP Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1033 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1034 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1038 Windows Routing Utilities Denial of Service
There are no known exploits in the wild.
CVE-2020-1039 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1044 SQL Server Reporting Services Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2020-1045 Microsoft ASP.NET Core Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2020-1052 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1053 DirectX Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1057 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1074 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1083 Microsoft Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1091 Windows Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1097 Windows Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1098 Windows Shell Infrastructure Component Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1119 Windows Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1122 Windows Language Pack Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1129 Microsoft Windows Codecs Library Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1130 Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1133 Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1146 Microsoft Store Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1159 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1169 Windows Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1172 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1180 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1193 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1198 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1200 Microsoft SharePoint Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1205 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-1210 Microsoft SharePoint Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1218 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1224 Microsoft Excel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1227 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1228 Windows DNS Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-1250 Win32k Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1252 Windows Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1256 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1285 GDI+ Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1303 Windows Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1319 Microsoft Windows Codecs Library Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1332 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1335 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1338 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1345 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1376 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1440 Microsoft SharePoint Server Tampering Vulnerability
There are no known exploits in the wild.
CVE-2020-1452 Microsoft SharePoint Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1453 Microsoft SharePoint Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1460 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1471 Windows CloudExperienceHost Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1482 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1491 Windows Function Discovery Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1506 Windows Start-Up Application Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1507 Microsoft COM for Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1508 Windows Media Audio Decoder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1514 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1523 Microsoft SharePoint Server Tampering Vulnerability
There are no known exploits in the wild.
CVE-2020-1532 Windows InstallService Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1559 Windows Storage Services Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1575 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1576 Microsoft SharePoint Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1589 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1590 Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1592 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1593 Windows Media Audio Decoder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1594 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1595 Microsoft SharePoint Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1596 TLS Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1598 Windows UPnP Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16851 OneDrive for Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16852 OneDrive for Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16853 OneDrive for Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16854 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-16855 Microsoft Office Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-16856 Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-16857 Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-16858 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2020-16859 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2020-16860 Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-16861 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2020-16862 Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-16864 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2020-16871 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2020-16872 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2020-16873 Xamarin.Forms Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-16874 Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-16875 Microsoft Exchange Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-16878 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2020-16879 Projected Filesystem Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-16881 Visual Studio JSON Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-16884 Internet Explorer Browser Helper Object (BHO) Memory Corruption Vulnerability
There are no known exploits in the wild.

ECCENTRIC BANDWAGON, DPRK

Overview:

SonicWall Capture Labs Threat Research Team recently found a new sample and activity for:
ECCENTRIC BANDWAGON, DPRK.

The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. North Korea, officially named the Democratic People’s Republic of Korea (DPRK), is a country in East Asia constituting the northern part of the Korean Peninsula. North Korean group definitions are known to have significant overlap, and the name Lazarus Group is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea.

ECCENTRIC BANDWAGON is one of the new Remote Access Trojans (RATs) created by HIDDEN COBRA.

These remote tools are believed to be used in highly targeted attacks against financial, engineering, government and non-governmental organisations.

All ECCENTRIC BANDWAGON variants consist of a primary DLL file that, when executed, uses three separate files for screenshots, system logs and key logs. Some variants encrypt these files using RC4, while others include basic clean-up functionality that attempts to remove the log files once ECCENTRIC BANDWAGON has finished executing.

Sample, Static Information:

Dynamic Information:

Key-logging Artifacts:

Clipboard Capture:

Directory Removal and Clean-up:

Strings Set 01:

Strings Set 02:

Supported Systems:

  • Windows 10
  • Windows 8.1
  • Windows 8.0
  • Windows 7
  • Windows Vista

SonicWall Gateway Anti-Virus (GAV) provides protection against this threat:

  • GAV: EccentricBandwagon.N (Trojan)

Appendix:

Sample SHA256 Hash: c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec

Jackpot ransomware actively spreading in the wild

The SonicWall Capture Labs threat research team observed reports of a new variant family of Jackpot ransomware [Jackpot.RSM] actively spreading in the wild.

The Jackpot ransomware encrypts the victim’s files with a strong encryption algorithm and demands a fee from the victim to get them back.

Infection Cycle:

The ransomware adds the following files to the system:

  • Malware.exe
    • %App.path%\[Name].Coin (encrypted file)
    • %App.path%\payment request.txt (recovery instructions)

Once the computer is compromised, the ransomware runs the following commands:

The ransomware encrypts all the files and appends the Coin extension onto each encrypted file’s filename.

After encrypting all personal documents, the ransomware shows the following picture containing a message reporting that the computer has been encrypted and to contact its developer for unlock instructions.

SonicWall Capture Labs threat research team provides protection against this threat via the following signature:

  • GAV: JACKPOT.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Darkside ransomware targets large corporations. Charges up to $2M.

The SonicWall Capture Labs threat research team has observed a new family of ransomware called Darkside. The operators of this ransomware primarily target large corporations. Recently, a Canadian land developer and home builder, Brookfield Residential, was hit with Darkside ransomware. In this case, the operators have not just encrypted data, but have stolen it and threatened to publish the company’s data online if it does not pay up. Darkside has been around since early August and its operators have been launching multiple customized attacks against known high-revenue companies. The operators charge between $200,000 and $2M for file decryption. It has been reported that the operators have already obtained over $1M since the start of their campaign.

 

Infection Cycle:

 

When running the malware the following User Account Control dialog is shown:

 

Files on the system are encrypted and given an “ehre.eb2e8d90” extension. A file named README.eb2e8d90.TXT is copied into all directories containing encrypted files.

 

README.eb2e8d90.TXT contains the following message:

 

As the malware is aimed at large corporations, the message states that over 100GB of data has been uploaded to the operators. However, we did not observe any data being uploaded during our analysis.

 

The link provided in the ransom message leads to the following page hosted on a Tor server:

 

Upon entering the key provided in the message, the following page is displayed:

 

$2 million in cryptocurrency is demanded for file decryption. It is interesting to note that in addition to Bitcoin, Monero is offered as a valid payment method. Compared to Bitcoin, Monero is used significantly less by ransomware operators. However, one of Monero’s key features is its untraceability. We expect to see an increase in malware operators using cryptocurrencies of this nature.

 

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Darkside.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Advantech WebAccess NMS Arbitrary File Upload Vulnerability is being exploited

Advantech WebAccess/NMS is a web browser-based software package for network management systems (NMS). It is designed around the SNMP and ICMP communication standards for managing all Ethernet-enabled Advantech products and third-party devices. NMS gives users an easy-to-use platform to monitor and manage networks remotely. The Advantech WebAccess/NMS platform runs on top of the Apache web server.

Vulnerability | CVE-2020-10621

One of the services provided by Advantech WebAccess NMS enables users to upload a config file to the server and then instructs devices to restore their configuration with this uploaded config file. The service is requested via an HTTP request which places the uploaded file and several parameters in the format of multipart/form-data. The request is handled in the class ConfigRestoreAction via the following Request-URI:

/SCMS/web/access/ConfigRestoreAction.action

An arbitrary file upload vulnerability exists in Advantech WebAccess NMS. It is due to the lack of sanitization of the “cfgfile” parameter in the ConfigRestoreAction class. When a request is submitted to the “ConfigRestoreAction.action” endpoint, the execute() method of the ConfigRestoreAction class is called to handle it. The input parameter “cfgfile” is not sanitized before it is used to build the destination file path inside the application installation directory. The destination file path can therefore point to any location on the NMS server, which leads to an arbitrary file upload condition.

In the request below, the attacker posts an HTTP request with a malicious file and crafted parameters to the vulnerable server.

POST /SCMS/web/access/ConfigRestoreAction.action?cfgfile=<crafted input> HTTP/1.1

A remote, unauthenticated attacker can exploit this vulnerability by submitting a crafted request to the target server. Successful exploitation could lead to arbitrary file upload and, in the worst case, code execution under the security context of the system.
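As an added example (not Advantech's code or SonicWall's), the Go function below is a hypothetical stand-in for the check ConfigRestoreAction lacked: it confines the client-supplied cfgfile value to a plain file name inside an assumed restore directory and rejects both Unix- and Windows-style traversal before any destination path is built. The directory path, the .cfg requirement and all sample inputs are this example's assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafeCfgfile is returned for any cfgfile value that could escape the
// restore directory or is not a configuration backup at all.
var ErrUnsafeCfgfile = errors.New("cfgfile: name rejected")

// restorePath is a hypothetical Go stand-in for the check ConfigRestoreAction
// lacked: the client-supplied cfgfile value may only map to a plain file name
// directly inside restoreDir, and the decision is made before any file is
// created. Everything else is rejected.
func restorePath(restoreDir, cfgfile string) (string, error) {
	// A backup file name never legitimately contains a path separator or a NUL.
	// Both separators are checked by hand because path/filepath on a Linux
	// build does not treat '\' as a separator, while the Windows host the NMS
	// typically runs on does.
	if cfgfile == "" || strings.ContainsAny(cfgfile, "/\\\x00") {
		return "", ErrUnsafeCfgfile
	}
	if cfgfile == "." || cfgfile == ".." || cfgfile != filepath.Clean(cfgfile) {
		return "", ErrUnsafeCfgfile
	}
	// Assumed for this example: restore uploads are always .cfg files.
	if !strings.HasSuffix(strings.ToLower(cfgfile), ".cfg") {
		return "", ErrUnsafeCfgfile
	}
	base, err := filepath.Abs(restoreDir)
	if err != nil {
		return "", err
	}
	dest := filepath.Join(base, cfgfile)
	// Defence in depth: the joined path must still be a direct child of base.
	if filepath.Dir(dest) != base {
		return "", ErrUnsafeCfgfile
	}
	return dest, nil
}

// sample pairs a constructed cfgfile value with the verdict the check must give.
type sample struct {
	cfgfile string
	allowed bool
}

// samples are constructed inputs for this example: one legitimate name and
// the shapes of input a reviewer would expect the check to reject.
var samples = []sample{
	{"switch01.cfg", true},
	{"../../some/other/dir/x.cfg", false}, // Unix-style traversal
	{`..\..\some\other\dir\x.cfg`, false}, // Windows-style traversal
	{"/abs/path/x.cfg", false},            // absolute path
	{"x.txt", false},                      // wrong file type
	{"..", false},
	{"", false},
}

// evaluate runs every sample through restorePath and reports how many verdicts
// matched expectations, so the example checks itself.
func evaluate(restoreDir string) (matched, total int) {
	for _, s := range samples {
		_, err := restorePath(restoreDir, s.cfgfile)
		if (err == nil) == s.allowed {
			matched++
		}
		total++
	}
	return matched, total
}

func main() {
	const dir = "/opt/webaccess-nms/restore" // assumed location, not Advantech's
	for _, s := range samples {
		dest, err := restorePath(dir, s.cfgfile)
		if err != nil {
			fmt.Printf("%-32q rejected: %v\n", s.cfgfile, err)
			continue
		}
		fmt.Printf("%-32q -> %s\n", s.cfgfile, dest)
	}
	m, n := evaluate(dir)
	fmt.Printf("%d of %d verdicts as expected\n", m, n)
}
```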

Trend Chart:

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

  • IPS 15119: Advantech WebAccess ConfigRestoreAction Arbitrary File Upload

Affected Products:

Advantech WebAccess/NMS versions prior to 3.0.2 are affected by this vulnerability.

 

Android spyware abusing app icons for Amazon, Netflix and other popular apps

Mobile applications have made our lives easy: be it entertainment, social media, e-commerce or banking, an app is available for everything. Malware authors misuse popular app names to victimize users.

The SonicWall Capture Labs threat research team has been observing spyware using the icons of popular Android apps with millions of downloads. Icons of some popular apps being abused by spyware:

 

(Original vs fake app icon)

 

Upon clicking the app icon, a pop-up with the message “App isn’t installed” is displayed, suggesting to the user that the app did not install, while the app icon is hidden from the app drawer.

 

A config file is created which indicates that the app tried to establish a connection with the remote host “193.161.193.99”.

 

The spyware is capable of:

  • Hiding its icon from the app drawer
  • Reading contacts and call logs
  • Reading SMS
  • Reading geolocation data
  • Detecting the Internet connection type
  • Fetching the installed application list and updates
  • Recording audio
  • Checking whether the device is rooted
  • Making phone calls

Technical Details:

The app hides its icon, making it difficult for the user to identify the app responsible for the spying activity:

 

Reads the contact list, along with other details such as saved email IDs obtained via MIME types, and the call log:

 

(Victim’s call log)

 

Reads SMS every time the user receives a new SMS with “android.provider.Telephony.SMS_RECEIVED”:

 

It accesses the victim’s geo-location data:

 

Checks the victim’s Internet connection type, Wi-Fi or mobile data (2G/3G/4G), based on the return value of “getNetworkType”:

 

It fetches installed application information from the victim’s device:

 

Captures audio with multiple recording options supported on the device:

 

Capable of making a phone call to a specified number:

 

SonicWall Capture Labs provides protection against this threat with the following signature:

  • AndroidOS.SpyNote.SD

 

Indicators of Compromise (IOCs):


Citrix ADC and Gateway Authorization Bypass Vulnerability

Citrix ADC is an application delivery and load balancing solution that provides a high-quality user experience for web, traditional, and cloud-native applications – regardless of where they are hosted. It also provides web application acceleration as well as a Gateway functionality. Citrix ADC and Gateway are accessed primarily via HTTPS on port 443/TCP.
Vulnerability (CVE-2020-8193)

An authorization bypass vulnerability exists in Citrix Application Delivery Controller and Gateway. The vulnerability allows remote users to obtain a valid session ID for the Web UI without authentication. A remote, unauthenticated attacker could exploit the vulnerability by sending crafted requests to the target server. Successful exploitation results in authentication bypass.

The NetScaler IP (NSIP) address is the IP address used to access the NetScaler appliance for management purposes over HTTP (port 80). To keep unauthenticated users out of the NSIP administrative Web UI, the Admin UI requires the remote user to log in using an HTTP POST request.

After the remote user authenticates, the server generates a session ID in a cookie for the administrative session. Due to a design flaw, this vulnerability can be triggered by posting to the report() function.

Based on the value specified in the parameter type, the report() function calls the respective private functions inside the pcidss.php script. Due to the implementation flaw, the report function only checks for the presence of “loginchallengeresponse” among the parameters of the POST request. This allows authentication to be bypassed: the attacker obtains a valid session ID which can later be used to gain direct access to the device.

Impact

A quick check on Shodan reveals hundreds of vulnerable systems.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • IPS 15098:Citrix Products Authorization Bypass 1
  • IPS 15099:Citrix Products Authorization Bypass 2

Threat Graph

Vulnerable Products

Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18, and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7.

Citrix has patched this vulnerability and the fix is available here.