
Snoopdog ransomware charges 36K in BTC for recovery. 20% discount negotiable

The SonicWall Capture Labs threat research team has been tracking ransomware that encrypts files and gives them a “.snoopdog” filename extension. The operator charges 1 BTC for file retrieval. However, as with most ransomware today, the price is negotiable and a discount may be offered to the victim.

Infection Cycle:

Upon execution, the malware encrypts files on the system. Each file is given a “.snoopdog” extension to indicate that it has been encrypted.

The following files are dropped onto the infected system:

  • %APPDATA%\Roaming\noputana.exe (copy of original malware) [detected as: GAV: Snoopdog.RSM (Trojan)]
  • %APPDATA%\Roaming\userkey.dat
  • !DECRYPT_FILES.txt (dropped in all dirs where files were encrypted)

The following keys are added to the registry:

  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HelloAV “%APPDATA%\Roaming\noputana.exe”
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WelcomeBack “%APPDATA%\Roaming\!DECRYPT_FILES.txt”
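The two Run-key values above are the family’s persistence mechanism, and a Run-key dump is the quickest place to spot it on a host. The following Python is an added example, not code from the SonicWall write-up: it parses the output format of reg query for the HKCU Run key and flags entries that match the value names above or that follow the same shape (an executable launched from %APPDATA%, or a text file auto-opened at logon). The sample dump, including the benign OneDrive line, is constructed.

```python
"""Flag ransomware-style persistence in a Run-key dump.

Added example, not part of the SonicWall write-up: it parses the text that
'reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' prints and
flags entries that look like the Snoopdog persistence described above. The
sample dump, including the OneDrive entry, is constructed for this example.
"""
import re

# reg.exe prints each value as three whitespace-separated columns:
#     <name>    <type>    <data>
_REG_LINE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.+?)\s*$")

# Value names the write-up attributes to this family.
KNOWN_BAD_NAMES = {"HelloAV", "WelcomeBack"}

# Constructed dump in reg.exe's output layout.
SAMPLE_DUMP = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    HelloAV    REG_SZ    "%APPDATA%\Roaming\noputana.exe"
    WelcomeBack    REG_SZ    "%APPDATA%\Roaming\!DECRYPT_FILES.txt"
"""


def parse_run_key_dump(text):
    """Return (name, data) tuples for every value in a reg.exe dump."""
    entries = []
    for line in text.splitlines():
        m = _REG_LINE.match(line)
        if m and m.group("name") != "(Default)":
            entries.append((m.group("name"), m.group("data").strip('"')))
    return entries


def suspicious_run_entries(entries):
    """Return (name, data, reason) for every entry worth a closer look."""
    findings = []
    for name, data in entries:
        lowered = data.lower()
        if name in KNOWN_BAD_NAMES:
            findings.append((name, data, "value name matches Snoopdog persistence"))
        elif "%appdata%" in lowered and lowered.endswith(".exe"):
            findings.append((name, data, "executable launched from %APPDATA%"))
        elif lowered.endswith((".txt", ".hta")):
            findings.append((name, data, "document auto-opened at logon (ransom note pattern)"))
    return findings


if __name__ == "__main__":
    for name, data, reason in suspicious_run_entries(parse_run_key_dump(SAMPLE_DUMP)):
        print(f"{name:<12} {reason}: {data}")
```

Matching on the value names alone would miss a renamed sample, which is why the second and third checks key on the shape of the entry rather than on the name.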

 

!DECRYPT_FILES.txt contains the following message:

userkey.dat contains the following data:

1WOD64X5CWPMX8

The following applications are killed if found to be running:

msftesql.exe vmware-vmx.exe vmware-authd.exe sqlagent.exe sqlbrowser.exe sqlservr.exe
sqlwriter.exe oracle.exe ocssd.exe dbsnmp.exe synctime.exe mydesktopqos.exe
agntsvc.exe isqlplussvc.exe xfssvccon.exe mydesktopservice.exe ocautoupds.exe
agntsvc.exe agntsvc.exe agntsvc.exe encsvc.exe firefoxconfig.exe tbirdconfig.exe
ocomm.exe mysqld.exe mysqld-nt.exe mysqld-opt.exe dbeng50.exe sqbcoreservice.exe
excel.exe infopath.exe msaccess.exe mspub.exe onenote.exe outlook.exe powerpnt.exe
steam.exe thebat.exe thebat64.exe thunderbird.exe visio.exe winword.exe wordpad.exe
taskmgr.exe

The Tor link leads to the following page:

A Telegram link (http://t.me/SENDMYiDbot) is provided for communication with the malware operators. We had the following conversation with the operator:

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Snoopdog.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Advantech iView Remote Command Injection

Overview:

  The Advantech iView application enables network managers to configure, update, manage and monitor B+B SmartWorx solutions from a central location. It is Simple Network Management Protocol-based element management software provided free of charge with all intelligent FTTx, Optical Access and Media Conversion solutions. It is designed as a web-based application, with the main program functionality residing on a web server and all user access through a web browser.

  A remote command execution vulnerability has been reported in Advantech iView. The vulnerability is due to improper input sanitization. A remote user could exploit the vulnerability by sending a crafted request to the server.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-32930.

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.5 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  Advantech iView is a Java-based servlet application and requires a Java servlet container such as Apache Tomcat to be installed on the web server. iView stores program information in a database and requires a relational database management system such as MySQL to be installed on the web server. Before using any features of iView, a user needs to authenticate with the system. Advantech iView allows users to create zero-touch provisioning (ZTP) configuration files for B&B Electronics devices that support the related functionality. The ZTP Configuration menu section displays the ZTP Configuration dialog, which can be accessed from the “Tools” menu. The ZTP-related services are handled by either the NetworkServlet or the CommandServlet endpoint. The URL mappings for these servlets are found in the web.xml file:

  A command injection vulnerability exists in Advantech iView. The vulnerability is due to a lack of proper input validation for shell command injection characters in the HTTP request parameter fwfilename. When the application receives an HTTP request with the Request-URI set to either “/iView3/CommandServlet” or “/iView3/NetworkServlet”, and the request parameter ztp_config_name is set to the associated action, the doPost() method of the Java class NetworkServlet is called. The NetworkServlet class checks the page_action_type parameter and invokes the associated function based on the task. For example, when upgrading the ProView component, the application receives the page_action_type parameter as “runProViewUpgrade”, and in that case the runProViewUpgrade() method is invoked to perform the upgrade operation. The vulnerable function accepts two more parameters in the HTTP request: device_id and filename.

  In the implementation of the runProViewUpgrade() method, the vulnerable code first extracts the ipaddress and strDeviceModel from the database using the supplied device_id. If the device_id cannot be found in the database, the function returns with an error. The function then builds a list of strings for the “command” parameter of the Java ProcessBuilder class in order to execute the CMD program. The value supplied in the fwfilename field is used to build one of the command arguments. However, the runProViewUpgrade() method does not sanitize the fwfilename parameter value for command injection characters before using it to build the command-line string. An attacker can include command injection characters in the value of the fwfilename parameter, which are then used to construct the command-line list. This allows arbitrary commands to be executed on the underlying system when the start() method of the ProcessBuilder class executes the constructed command list.
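To make the defect concrete, here is an added Python example (not Advantech’s code) of the vulnerable shape the write-up describes next to the hardened one: a request parameter spliced into a single command string that CMD re-parses, versus an allowlist check followed by an argv list executed without a shell. upgrade.bat, the argument order and the function names are assumptions.

```python
"""Vulnerable and hardened handling of a firmware-file name that ends up on a
command line.

Added example in Python, not Advantech's code: it mirrors the pattern the
write-up describes for runProViewUpgrade() (a request parameter spliced into
a command executed via CMD) next to the fix a code review would ask for.
upgrade.bat, the argument order and the function names are assumptions.
"""
import re
import subprocess

# Allowlist for fwfilename: a plain base name of letters, digits, '.', '_', '-'.
# Anything else (path separators, quotes, '&', '|', ';', '%', whitespace) is refused.
_SAFE_FWFILENAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def is_safe_fwfilename(value):
    """Allowlist check; '..' is rejected as well so the name cannot traverse."""
    return bool(_SAFE_FWFILENAME.match(value)) and ".." not in value


def build_command_unsafe(ipaddress, fwfilename):
    """The vulnerable shape: the parameter is concatenated into one string that
    CMD will re-parse, so metacharacters in fwfilename become new commands.
    Returned for inspection only; never executed here."""
    return f"cmd /c upgrade.bat {ipaddress} {fwfilename}"


def build_command(ipaddress, fwfilename):
    """Hardened shape: validate first, then pass an argv list with no shell."""
    if not is_safe_fwfilename(fwfilename):
        raise ValueError("fwfilename contains characters outside the allowlist")
    # Each list element is exactly one argument; nothing is re-parsed by a shell.
    return ["upgrade.bat", ipaddress, fwfilename]


def upgrade_allowed(ipaddress, fwfilename):
    """Convenience wrapper: True if the request would be accepted."""
    try:
        build_command(ipaddress, fwfilename)
        return True
    except ValueError:
        return False


def run_upgrade(ipaddress, fwfilename, runner=subprocess.run):
    """Launch the upgrade with shell=False. 'runner' is injectable so callers
    can observe the argv without spawning anything."""
    argv = build_command(ipaddress, fwfilename)
    return runner(argv, shell=False, check=False)


if __name__ == "__main__":
    for candidate in ("fw_v1.2.3.bin", "fw.bin; whoami", "..\\fw.bin"):
        verdict = "accepted" if upgrade_allowed("10.0.0.5", candidate) else "rejected"
        print(f"{candidate!r}: {verdict}")
        print("  unsafe command line would be:", build_command_unsafe("10.0.0.5", candidate))
```

The allowlist is deliberately narrow: a firmware file name has no legitimate need for quotes, separators or whitespace, so refusing everything outside the pattern is simpler and safer than trying to escape the characters CMD treats specially.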

Triggering the Problem:

  • The target system must have the vulnerable product installed and enabled.
  • The attacker must have network connectivity to the affected ports.
  • The attacker must know a valid device ID in the target application.

Triggering Conditions:

  The attacker sends a crafted HTTP request to the vulnerable server with malicious parameters. The vulnerability is triggered when the affected software processes the request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP, over port 8080/TCP

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS:15599 “Advantech iView Command Injection”

Remediation Details:

  Listed below are actions that may be taken in order to mitigate the risks associated with this vulnerability:
    • Restrict access to the affected communication port to trusted hosts only.
    • Upgrade the product with a new patched version.
    • Detect and block malicious traffic with IPS:15599.
  The vendor, Advantech, has released a new version of the product:
  Vendor Advisory

AndroidBot malware with obfuscation and multiple capabilities spreading in the wild

The SonicWall Threats Research team observed an AndroidBot malware sample that contains multiple obfuscation layers, which hide the hardcoded URLs and malicious code. Like a number of Android malware families, this malware drops a dex file during execution that contains the malicious code.

Sample details

At the time of writing this blog, this sample is hosted on the following link:

Infection Cycle

The app requests a number of permissions; a few of the risky ones are listed below:

  • android.permission.CALL_PHONE
  • android.permission.CAPTURE_VIDEO_OUTPUT
  • android.permission.DISABLE_KEYGUARD
  • android.permission.READ_CONTACTS
  • android.permission.READ_SMS
  • android.permission.RECEIVE_BOOT_COMPLETED
  • android.permission.RECEIVE_SMS
  • android.permission.REORDER_TASKS
  • android.permission.REQUEST_DELETE_PACKAGES
  • android.permission.REQUEST_INSTALL_PACKAGES
  • android.permission.SEND_SMS
  • android.permission.SYSTEM_ALERT_WINDOW
  • android.permission.WRITE_EXTERNAL_STORAGE
  • android.permission.WRITE_SMS

Upon installation and execution, the application requests accessibility permissions; once granted, the application gains the ability to execute its malicious components:

The main class listed in the Manifest.xml file is not present in the decompiled codebase:

The malware drops a file, agAzJPYW.dex, during execution, which is the dex file that contains the malicious code:

This dex file contains the main activity listed in the original manifest.xml file:

The malware obfuscates the strings present in the code to deter security researchers from analyzing it and to keep automated tools from identifying suspicious strings:

However, the decryption routine is also present in the code and can be used to decode the strings:

Decoded string:

We identified several interesting bits when the strings were decoded:


Capabilities

This bot is capable of performing a series of malicious/dangerous actions on an infected device, including:

  • Show custom notifications
  • Screencast/screen capture
  • TeamViewer execution
  • Read, write and send messages
  • Extract information about running processes
  • Extract information about the device
  • Load URLs
  • Receive messages via Firebase Cloud Messaging (FCM)
  • Install and remove applications
  • Subscribe to premium messaging services
  • Check if an emulator is present

Hardcoded URLs

The class BotConfigs contained an interesting string titled Admin URL. Upon deobfuscation we obtained the string http://das37rwa5cyfkb7o.onion/api/mirrors. After a series of layers we ultimately reached a login page at newspotheres.xyz:

Based on the hardcoded URLs found in the code we created a VirusTotal Graph, shown below:

SonicWall Capture Labs provides protection against this threat via the following signature:

  • AndroidOS.AndroidBot.DX

Indicators of Compromise (IOC):

We have blacklisted the following URLs:

  • https://newspotheres.xyz
  • https://babosiki.buzz
  • https://trustpoopin.xyz
  • https://trygotii.xyz
  • https://trytogoi.xyz

 

CHIYU Technology Devices CRLF injection vulnerability

CHIYU Technology is a leading access control manufacturer and marketer of multi-door access control systems for enterprise, small business and residential applications. The BF-430 is a universal serial device server that enables industrial serial devices, such as PLCs, flow meters, gas meters, CNC machines and biometric identification card readers, to be monitored from the network.
Similarly, the BF-450M is a universal serial device server that enables industrial serial devices, such as access control, time attendance, PLC, CNC machines and flow meters, to be monitored from the network. Moreover, it includes built-in I/O control, which lets users easily integrate with other systems through this special design.

CRLF injection vulnerability
A CRLF injection vulnerability exists if an attacker can inject CRLF characters into a web application. A CRLF injection attack can be used to escalate to more damaging attacks such as cross-site scripting (XSS), page injection and web cache poisoning. The term CRLF refers to Carriage Return (ASCII 13, hex 0d) followed by Line Feed (ASCII 10, hex 0a). CR and LF are special characters used to signify the end of line (EOL) in the Windows operating system. A CRLF injection attack occurs when a user manages to submit a CRLF into an application, most commonly by modifying an HTTP parameter or URL.

CVE-2021-31249
A CRLF injection vulnerability exists in the BF-430, BF-431 and BF-450M TCP/IP Converter devices, due to a lack of validation on the redirect= parameter available on multiple CGI components.

As can be seen in this example,   i.e. CRLF is used to split and   is used to carry out a cross-site scripting attack. In this case the CRLF injection vulnerability leads to an XSS attack.
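The following Python is an added example, not CHIYU firmware code, of the check the redirect= parameter is missing: the value is percent-decoded to a fixed point, rejected if it contains CR, LF or any other control character, and accepted only as a same-site path. The same function then doubles as a detection over constructed access-log lines, including a double-encoded attempt; the CGI path and the request lines are constructed.

```python
"""Reject CRLF (HTTP response-splitting) payloads in a redirect parameter.

Added example, not CHIYU firmware code: it shows why a raw 'redirect=' value
must never be copied into a Location header, and the checks that stop it.
The CGI path and the request lines below are constructed for the example.
"""
import re
from urllib.parse import unquote

# Control characters that must never reach a header value: CR, LF, NUL and friends.
_HEADER_CTRL = re.compile(r"[\x00-\x1f\x7f]")


def decode_param(raw):
    """Percent-decode until stable, so a double-encoded %250d%250a is caught too."""
    value, prev = raw, None
    for _ in range(3):                 # bounded: three rounds is plenty
        if value == prev:
            break
        prev, value = value, unquote(value)
    return value


def is_safe_redirect(raw):
    """True only for a same-site path that contains no control characters."""
    value = decode_param(raw)
    if _HEADER_CTRL.search(value):
        return False                   # would split the header block
    # A relative path only; '//host' and 'scheme:' forms are refused as well.
    return value.startswith("/") and not value.startswith("//")


def build_location_header(raw):
    """Return the Location header line for a validated redirect, else None."""
    if not is_safe_redirect(raw):
        return None
    return "Location: " + decode_param(raw)


# Constructed request lines in the shape a CGI access log would record.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/login.cgi?redirect=/status.htm HTTP/1.1",
    "GET /cgi-bin/login.cgi?redirect=/status.htm%0d%0aX-Injected:%20yes HTTP/1.1",
    "GET /cgi-bin/login.cgi?redirect=%252fstatus%250d%250a HTTP/1.1",
]


def flag_crlf_attempts(request_lines):
    """Detection view: return the lines whose redirect= value fails validation."""
    flagged = []
    for line in request_lines:
        m = re.search(r"[?&]redirect=([^\s&]*)", line)
        if m and not is_safe_redirect(m.group(1)):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print("FLAG " if line in flag_crlf_attempts([line]) else "ok   ", line)
```

Decoding to a fixed point matters because a device that decodes once and then writes the header would pass a single-encoded check on the raw value while still emitting the raw CR/LF bytes; validating the fully decoded value closes that gap.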

SonicWall Capture Labs provides protection against this threat via following signatures:

    • IPS 15592: CHIYU Technology Devices CRLF injection

A quick check on Shodan shows vulnerable devices.

Another ransomware possibly belonging to the REvil ransomware group seen actively spreading in the wild

The SonicWall Capture Labs Research team has been observing a massive increase in ransomware attacks, with increasingly targeted attacks hitting mostly critical infrastructure. With companies willing to pay millions in ransom payments to restore operations, the ransomware business has never been more lucrative for cybercriminals. This week we observed a spike in detections for a somewhat small player in the ransomware world: we first spotted Prometheus ransomware in February and had not seen much activity until this week.

Interestingly, with REvil ransomware in the spotlight, having been credited with many of the high-profile ransomware attacks lately, Prometheus ransomware claims to be from the same cybercriminal group. We have no proof that this is true, however.

Infection Cycle:

Upon execution, the first thing this ransomware does is find and remove Raccine, an open-source program that blocks ransomware from deleting the shadow copies of a system’s data, a very common ransomware behavior. It uses taskkill.exe to kill the Raccine executable if it happens to be present on the system, and deletes any Raccine-related registry values.

It then continues to kill other running processes using taskkill.exe, including Microsoft Office processes such as winword.exe, excel, mspub and visio, and SQL database-related processes such as sqlservice.exe, dbeng50.exe and mysqld.exe, among many others.

It also uses sc.exe to reconfigure certain system services, for example “SQLwriter start”, disabling the ability to back up and restore SQL Server data through the Volume Shadow Copy Service.

To ensure network connectivity it pings the loopback address 127.0.0.7.

It also executes netsh.exe to alter the firewall settings so that the infected system is discoverable within the network and file and printer sharing is allowed.

Once the target files have been encrypted, it displays an alert in the system tray and opens an HTA file with instructions on how to pay and retrieve the files. The header of the instructions states that Prometheus belongs to the well-known REvil ransomware group.
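The process-level behaviours listed above (taskkill.exe against Raccine and Office/SQL processes, sc.exe against SQLWriter, netsh.exe firewall changes, a PowerShell shadow-copy deletion) are what an endpoint telemetry rule set would key on. The Python below is an added example, not SonicWall’s detection content: a handful of rules run over constructed Sysmon-style process-creation records, with a host flagged only when several distinct behaviours occur together. The record layout, rule names, registry path and sample lines are assumptions.

```python
"""Match process-creation events against the behaviours described above.

Added example, not SonicWall detection content: a small rule set applied to
constructed Sysmon-style (Event ID 1) records. The record layout
'Image=<path>|CommandLine=<cmd>', the rule names, the registry path and the
sample lines are all assumptions made for this example.
"""
import re

# (rule name, regex the Image must match, regex the CommandLine must match);
# all matching is case-insensitive.
RULES = [
    ("raccine_termination", r"\\taskkill\.exe$", r"raccine"),
    ("raccine_registry_removal", r"\\reg\.exe$", r"\bdelete\b.*raccine"),
    ("office_or_db_process_kill", r"\\taskkill\.exe$",
     r"/im\s+(winword|excel|mspub|visio|sqlservr|dbeng50|mysqld)"),
    ("sqlwriter_service_disabled", r"\\sc\.exe$", r"config\s+sqlwriter\s+start=\s*disabled"),
    ("firewall_discovery_opened", r"\\netsh\.exe$",
     r"advfirewall\b.*(network discovery|file and printer sharing)"),
    ("shadow_copy_deletion", r"\\powershell\.exe$", r"win32_shadowcopy.*\.delete\("),
]


def parse_event(line):
    """Parse the constructed 'Image=<path>|CommandLine=<cmd>' layout.

    Only the first '|CommandLine=' is split on, so pipes inside the command
    line itself survive intact."""
    image, _, cmdline = line.partition("|CommandLine=")
    if image.startswith("Image="):
        image = image[len("Image="):]
    return {"Image": image, "CommandLine": cmdline}


def match_rules(event):
    """Return the names of every rule the event satisfies."""
    image, cmdline = event.get("Image", ""), event.get("CommandLine", "")
    return [name for name, image_re, cmd_re in RULES
            if re.search(image_re, image, re.I) and re.search(cmd_re, cmdline, re.I)]


def score_host(lines, threshold=3):
    """Collect distinct rule hits across one host's events and flag at threshold.

    Any single behaviour (an admin killing Excel, a service reconfiguration) is
    noisy on its own; several of them in one session is the ransomware pattern."""
    seen = set()
    for line in lines:
        seen.update(match_rules(parse_event(line)))
    return sorted(seen), len(seen) >= threshold


# Constructed records; the Raccine registry path is a placeholder.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\taskkill.exe|CommandLine=taskkill /F /IM Raccine.exe",
    r"Image=C:\Windows\System32\reg.exe|CommandLine=reg delete HKLM\SOFTWARE\Raccine /f",
    r"Image=C:\Windows\System32\taskkill.exe|CommandLine=taskkill /F /IM winword.exe",
    r"Image=C:\Windows\System32\sc.exe|CommandLine=sc config SQLWriter start= disabled",
    r'Image=C:\Windows\System32\netsh.exe|CommandLine=netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes',
    r"Image=C:\Windows\System32\PING.EXE|CommandLine=ping 127.0.0.7 -n 3",
]


if __name__ == "__main__":
    hits, flagged = score_host(SAMPLE_EVENTS)
    print("rules hit:", ", ".join(hits))
    print("host flagged:", flagged)
```

The threshold is the useful part: each rule alone would fire on legitimate administration, but the combination of a Raccine kill, a service reconfiguration and a firewall change within one host’s session is the sequence the write-up describes, and that is what raises the alert.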

 

Another similar sample that we analyzed appears to be a more fully featured program, with additional functionality such as running commands to inspect the ARP table, which could be used for ARP attacks. It also runs a PowerShell command to delete all volume shadow copies, and tries to configure and log in to the local router admin page using additional dropped components.

This newer version also provides additional ways to reach the ransomware authors outside of the Tor browser.

This goes to show that we will most likely see more from this ransomware group, as they have been continuously improving their program with more robust functionality to improve infection rates and possibly evade detection.

This week, we have noticed an uptick in detection for this particular ransomware.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Prometheus.RSM (Trojan)
  • GAV: Prometheus.RSM_1 (Trojan)
  • GAV: Prometheus.RSM_2 (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Microsoft Security Bulletin Coverage for June 2021

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of June 2021. A list of issues reported, along with SonicWall coverage information is as follows:

CVE-2021-31199 Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability
ASPY 192:Malformed-File exe.MP.187

CVE-2021-31201 Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability
ASPY 193:Malformed-File exe.MP.188

CVE-2021-31952 Windows Kernel-Mode Driver Elevation of Privilege Vulnerability
ASPY 187:Malformed-File exe.MP.183

CVE-2021-31954 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 194:Malformed-File exe.MP.189

CVE-2021-31955 Windows Kernel Information Disclosure Vulnerability
ASPY 189:Malformed-File exe.MP.185

CVE-2021-31956 Windows NTFS Elevation of Privilege Vulnerability
ASPY 188:Malformed-File exe.MP.184

CVE-2021-31959 Scripting Engine Memory Corruption Vulnerability
IPS 15594:Scripting Engine Memory Corruption Vulnerability (CVE-2021-31959)

CVE-2021-33739 Microsoft DWM Core Library Elevation of Privilege Vulnerability
ASPY 190:Malformed-File exe.MP.186

Adobe Coverage:
CVE-2021-28554 Acrobat Reader Arbitrary Code Execution Vulnerability
ASPY 191:Malformed-File pdf.MP.478

The following vulnerabilities do not have exploits in the wild:
CVE-2021-1675 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26414 Windows DCOM Server Security Feature Bypass
There are no known exploits in the wild.
CVE-2021-26420 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31938 Microsoft VsCode Kubernetes Tools Extension Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31939 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31940 Microsoft Office Graphics Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31941 Microsoft Office Graphics Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31942 3D Viewer Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31943 3D Viewer Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31944 3D Viewer Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-31945 Paint 3D Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31946 Paint 3D Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31948 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-31949 Microsoft Outlook Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31950 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-31951 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31953 Windows Filter Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31957 .NET Core and Visual Studio Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-31958 Windows NTLM Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31960 Windows Bind Filter Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-31962 Kerberos AppContainer Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-31963 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31964 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-31965 Microsoft SharePoint Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-31966 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31967 VP9 Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31968 Windows Remote Desktop Services Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-31969 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31970 Windows TCP/IP Driver Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-31971 Windows HTML Platform Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-31972 Event Tracing for Windows Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-31973 Windows GPSVC Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31974 Server for NFS Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-31975 Server for NFS Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-31976 Server for NFS Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-31977 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-31978 Microsoft Defender Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-31980 Microsoft Intune Management Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31983 Paint 3D Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31985 Microsoft Defender Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-33742 Windows MSHTML Platform Remote Code Execution Vulnerability
There are no known exploits in the wild.

VMware vCenter Server vSAN Health Check plug-in RCE Vulnerability

Overview:

Multiple vulnerabilities have been discovered and reported in the VMware vSphere Client (HTML5), specifically in VMware vCenter Server vSAN Health Check plug-in product. Among these vulnerabilities, CVE-2021-21985 is a remote code execution vulnerability rated as Critical.

CVE-2021-21985 is caused by invalid input checking in the Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 15574 VMware vCenter Server vSAN Health Check plug-in Possible RCE Attempt 1
  • IPS: 15575 VMware vCenter Server vSAN Health Check plug-in Possible RCE Attempt 2
  • IPS: 15576 VMware vCenter Server vSAN Health Check plug-in Possible RCE Attempt 3

Note: since vCenter is most likely accessed over TLS/HTTPS, DPI-SSL (server deployment) has to be enabled for these signatures to cover all cases of real-world exploitation of this vulnerability.

SonicWall has detected the following attacks with the above signatures:

Remediation Details:

The risks posed by this vulnerability can be mitigated or eliminated by:

  • Reconfiguring the plug-in settings according to the vendor advisory.
  • Applying the updates from the vendor.

The vendor has released the following advisory regarding this vulnerability:

        Vendor Advisory

Cybersecurity News & Trends – 06-04-2021

This week Cozy Bear meddled in politics, REvil disrupted the global meat supply and schools fortified their defenses.


SonicWall in the News

Radio Interview with SonicWall President and CEO Bill Conner — KRLD 
SonicWall President and CEO Bill Conner discusses who is responsible for rising attacks on enterprises, governments and SMBs worldwide — and what’s to be done.

SonicWall, The Conference of Italian University Rectors to Collaborate on Cybersecurity Training, Research and Digital Innovation — FE News
SonicWall today announced its partnership with the Conference of Italian University Rectors (CRUI) to promote and enable mutual collaboration in research, development, transformation and digital innovation activities.


Industry News

Meat giant JBS now fully operational after ransomware attack — Bleeping Computer
JBS, the world’s largest beef producer, has confirmed that all its global facilities are fully operational and operate at normal capacity after the REvil ransomware attack that hit its systems last weekend.

Why One Hack on One Firm Can Shake Global Meat Supply — Bloomberg
In the last three years, a fire, a pandemic and now a cyberattack have disrupted the U.S. meat industry. Here’s how one hack impacts the global economy.

U.S. schools land IBM grants to protect themselves against ransomware — ZDNet
All U.S. K-12 public school districts were eligible to apply for the grants, designed to help school officials “proactively prepare for and respond to cyberattacks.”

U.S. seizes two domains used in cyberattacks that mimicked USAID communications — Reuters
The U.S. Justice Department said it had seized two Internet domains used in spear-phishing attacks mimicking email communications from the U.S. Agency for International Development.

Cyber-Insurance Fuels Ransomware Payment Surge — Threat Post 
Companies relying on their cyber-insurance policies to pay off ransomware groups are being blamed for a recent uptick in ransomware attacks.

New breach from hackers behind SolarWinds ‘mostly unsuccessful,’ Microsoft says — The Washington Times 
Microsoft said the latest hack was largely unsuccessful, meaning Microsoft has not discovered a significant number of compromised organizations.

Swedish Health Agency shuts down SmiNet after hacking attempts — ZDNet
The Swedish Public Health Agency shut down SmiNet, the country’s infectious diseases database, after it was targeted in several hacking attempts.

Kenyan Arrested in Qatar First Targeted By Phishing Attack — Bloomberg
A Kenyan security guard writing compelling, anonymous accounts of being a low-paid worker there found himself targeted by a phishing attack that could have revealed his location just before his arrest, analysts say.

New Russian hacks spark calls for tougher Biden actions — The Hill
Officials are calling for harsher measures against Russia following reports that SolarWinds hackers were continuing to launch cyberattacks against U.S. government agencies and other organizations.

Interpol intercepts $83 million fighting financial cybercrime — Bleeping Computer
The International Criminal Police Organisation has intercepted $83 million belonging to victims of online financial crime from being transferred to the accounts of their attackers.

This Android trojan malware is using fake apps to infect smartphones, steal bank details — ZDNet
TeaBot malware tells victims they need to click a link because their phone is damaged with a virus  — then infects them via the link.

Pulse Secure VPN hacking also hit transportation, telecom firms, FireEye says — Cyberscoop
The U.S. government has also been affected.

Hong Kong recorded phishing surge in 2020 as scum sought to cash in on viral worries — The Register 
Criminals tried to exploit Hong Kong residents’ COVID-related anxiety, according to new security data released yesterday.

UF Health Florida hospitals back to pen and paper after cyberattack — Bleeping Computer
UF Health Central Florida has suffered a reported ransomware attack that forced two hospitals to shut down portions of their IT network.

Fujifilm confirms ransomware attack disrupted business operations — Bleeping Computer
Today, Japanese multinational conglomerate Fujifilm officially confirmed that they had suffered a ransomware attack earlier this week that disrupted business operations.

Cozy Bear revisits one of its greatest hits, researchers say: election skulduggery — Cyberscoop
The recent spearphishing campaign uses an election fraud document as a lure. The emails purport to be from the U.S. Agency for International Development, and have targeted government agencies, research institutions and nongovernmental organizations.


In Case You Missed It

SonicWall’s Bill Conner Talks Ransomware on the Radio — Lindsey Lockhart
Infiltrate, Adapt, Repeat: A Look at Tomorrow’s Malware Landscape — Brook Chelmo
Join us for the 2021 SonicWall Partner Virtual Roadshow — David Bankemper
Capture Client 3.6 Launch Brings Key Features — Brook Chelmo
Using Client VPN with Your Firewall for WFH: a Setup for Disaster? — Jean-Pier Talbot

Microsoft Visual Studio RCE Vulnerability

Overview:

  Microsoft Visual Studio is an integrated development environment (IDE) from Microsoft. It can be used to develop console and graphical user interface (GUI) applications along with web sites, web applications, and web services. This is achieved in combination with native and managed code for all platforms supported by Microsoft Windows, Windows Mobile, Windows CE, .NET Framework, .NET Compact Framework and Microsoft Silverlight.

  The IDE supports a wide variety of programming languages and technologies, either built in or as extensions. Built-in languages include C, C++, C++/CLI, Visual Basic .NET, C#, F#, JavaScript, TypeScript, XML, XSLT, HTML and CSS. Support for other languages such as Python, Ruby, Node.js and M, among others, is also available via extensions.

  A remote code execution vulnerability has been reported in the Python interpreter services, a component of the Python language support extension for Microsoft Visual Studio. The vulnerability is due to a design weakness. The Python language interpreter “python.exe” may be provided in a Python project workspace. The embedded interpreter will be executed when the project is opened, without confirmation from the user.

  A remote, unauthenticated attacker can exploit this vulnerability by enticing a user to open a malicious Python project/workspace. The workspace contains a crafted “python.exe” file in a subdirectory. Successful exploitation results in code execution in the context of the Microsoft Visual Studio IDE.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-27068.

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is required.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.3 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  Upon opening a workspace/folder containing python source files, the workspace initialization procedure begins at the method InitializeCurrentContext in PythonWorkspaceContextProvder.cs. This procedure involves discovering Python interpreters within the workspace. The Python interpreter, in a Windows OS environment is the binary file “python.exe”. The initialization process requires the interpreter in other to retrieve interpreter information. The method FindInterpretersInSubFolders in WorkspaceInterpreterFactoryProvider.cs invokes the method CreateEnvironmentInfo for each interpreter path discovered within the workspace. The method CreateEnvironmentInfo is also defined in WorkspaceInterpreterFactoryProvider.cs and will in turn invoke the method PrefixFromSysPrefix defined in the same class file, on the discovered path. The method PrefixFromSysPrefix will build and execute the following template command line:

  (full path to interpreter within workspace) -c "import sys; print(sys.prefix)"

  The method CreateEnvironmentInfo made no attempt to validate the integrity of the discovered Python interpreter. Therefore, an attacker can craft a Python workspace such that an included python.exe is in fact a malicious binary, which will be executed automatically when the crafted workspace is opened within Visual Studio.

  A remote, unauthenticated attacker can exploit this vulnerability by enticing a user to open a malicious Python project/workspace. The workspace contains a crafted “python.exe” file in a subdirectory. Successful exploitation results in code execution in the context of Microsoft Visual Studio.

Triggering the Problem:

  • A vulnerable version of Microsoft Visual Studio is installed.
  • The attacker must be able to deliver a malicious Python project to the target user.

Triggering Conditions:

  The attacker creates a malicious Python project for Microsoft Visual Studio and delivers it to the target user. The Python project contains a maliciously crafted python.exe file within a subdirectory. The vulnerability is triggered when this project is processed by a vulnerable version of Microsoft Visual Studio.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP, over port 80/TCP
    • HTTPS, over port 443/TCP
    • SSH, over port 22/TCP
    • FTP, over port 21/TCP
    • SMB/CIFS, over ports 139/TCP, 445/TCP

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS 15579: Microsoft Visual Studio Remote Code Execution (CVE-2021-27068)

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Not cloning and opening untrusted Python projects within Visual Studio.
    • Upgrading to a non-vulnerable version of Visual Studio.
    • Filtering malicious traffic.
  The vendor, Microsoft, has released the following advisory regarding this vulnerability:
  Vendor Advisory

NETGEAR ProSAFE NMS MFileUploadController Vulnerability

Overview:

  Netgear ProSAFE Network Management System NMS300 is a centralized and comprehensive management application for network administrators that enables them to discover, monitor, configure, and report on SNMP-based enterprise-class network devices. The Netgear Network Management System NMS300 delivers insights into the network, including third-party devices, and its web-based user interface makes it easier to monitor and administer an entire network.

  This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26. Authentication is not required to exploit this vulnerability. The specific flaw exists within the MFileUploadController class. The issue results from the lack of proper validation of a user-supplied path, prior to use in file operations. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-27274.

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is low.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.6 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Attack Packet Overview:

  The Content-Type header line contains the following:

    • “multipart/form-data” – The body consists of multiple parts, each separated by the boundary string.
    • “boundary=” – The string (or sequence of characters) that separates the parts.

  The Content-Disposition header line contains the following:

    • “form-data”
    • “name=” – Name of the form element being returned.
    • “filename=” – Suggested file name to use if the part is detached and stored as a separate file.

  

Technical Overview:

  A user with the “observer” privilege can manage MIB config files via the “mib browser” page in the NMS300 web interface. To upload a MIB config file, a request to the Request-URI “/lib-1.0/external/flash/MfileUpload.do” is sent to the server.

  The MIB file content is transferred in a multipart/form-data part within the HTTP message body, and the filename parameter within the Content-Disposition header specifies the name of the file. The uploaded file will be saved into the following directory:

  /Install_Dir/apache-tomcat-6.0.33/webapps/ROOT/type_dir/sub_dir/filename/

  Here “Install_Dir” is the directory where NMS300 is installed, and “filename” is the filename parameter within the Content-Disposition header of the multipart/form-data part. The “type_dir” and “sub_dir” are derived by mapping the values of the type and sub request parameters to sub-directory names. This mapping is specified in the file “resource.properties”, which has the following contents:

  

  For example, if the type parameter value is “mib”, the “type_dir” is “WEB-INF/mibs/Customized/”; if the sub parameter value is “4”, the “sub_dir” is “Switch/”. Therefore, the nms300_mibpath for the uploaded MIB file in the above example is:

  /Install_Dir/apache-tomcat-6.0.33/webapps/ROOT/WEB-INF/mibs/Customized/Switch/a.mib

  If the type and sub parameters are omitted or contain an empty value, the application assigns the string “null” to “type_dir” and the empty string “” to “sub_dir”. Therefore, the nms300_mibpath for the uploaded MIB file will be a string such as:

  /Install_Dir/apache-tomcat-6.0.33/webapps/ROOT/nulla.mib

  An unrestricted file upload vulnerability exists in the NETGEAR Management System NMS300. The vulnerability is due to a failure to validate the file type of the uploaded file. When the server receives an HTTP POST request whose Request-URI contains “/lib-1.0/external/flash/MfileUpload.do”, the method uploadFile() in the MFileUploadController class is executed. This method retrieves the values of the type, sub, and filename parameters from the request and uses them to build the nms300_mibpath for the uploaded MIB file. The uploadFile() method then writes the uploaded file content to the nms300_mibpath and calls the parseNewMIB() method of the MibLoader class to parse the uploaded MIB file. If the uploaded file is not in the format of a MIB config file, parseNewMIB() will throw an exception, causing uploadFile() to delete the uploaded MIB file.

  However, uploadFile() does not sanitize the filename parameter for dangerous file extension types, nor does it validate the type and sub parameters. If the type and sub parameters are omitted or contain an empty value, an attacker can upload a malicious JSP file with a filename parameter such as “poc.jsp”, and the file will be saved at an nms300_mibpath as below:

  /Install_Dir/apache-tomcat-6.0.33/webapps/ROOT/nullpoc.jsp

  Because uploadFile() will delete the uploaded file if it is not a MIB config file, the attacker must get past this check. The attacker can achieve this by embedding the malicious JSP code inside the comment lines of a normal MIB config file, as shown in the example below:

  

  Here each comment line starts with “--” and the JSP code follows. This allows the uploaded JSP file to remain on the server without being deleted. Because files under the directory “/Install_Dir/apache-tomcat-6.0.33/webapps/ROOT/” can be accessed remotely via HTTP requests without any restriction, the attacker can then submit a subsequent request with a URL such as:

  hxxp://server-ip:8080/nullpoc.jsp

  and get the uploaded JSP file executed on the target server, which can cause arbitrary code execution.
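The path construction described above, and the checks uploadFile() lacks, as an added example (not NETGEAR's code). The directory mapping is a constructed stand-in for resource.properties containing only the two entries the advisory quotes, and the allowed-extension list is an assumption.

```python
import posixpath

# Added example, not NETGEAR's code. The mapping below is a constructed stand-in
# for resource.properties: only the two entries the advisory quotes are included
# ("mib" -> WEB-INF/mibs/Customized/, "4" -> Switch/); other values are unknown.
WEBROOT = "/Install_Dir/apache-tomcat-6.0.33/webapps/ROOT/"
TYPE_DIRS = {"mib": "WEB-INF/mibs/Customized/"}
SUB_DIRS = {"4": "Switch/"}
ALLOWED_EXT = (".mib",)  # assumption: only MIB text files belong in that tree


def vulnerable_mib_path(params: dict) -> str:
    """nms300_mibpath as the advisory describes uploadFile() building it: an
    omitted or empty type becomes the literal "null", an omitted or empty sub
    becomes "", and the filename is appended with no extension or separator
    check. Unmapped non-empty values are assumed to fall back the same way."""
    type_dir = TYPE_DIRS.get(params.get("type") or "", "null")
    sub_dir = SUB_DIRS.get(params.get("sub") or "", "")
    return WEBROOT + type_dir + sub_dir + params.get("filename", "")


def hardened_mib_path(params: dict):
    """Same inputs with the checks uploadFile() lacked. Returns (path, None)
    when the upload may proceed, otherwise (None, reason)."""
    type_dir = TYPE_DIRS.get(params.get("type", ""))
    sub_dir = SUB_DIRS.get(params.get("sub", ""))
    if type_dir is None or sub_dir is None:
        return None, "type/sub do not map to a configured directory"
    name = params.get("filename", "")
    # reject empty names, dot entries and anything carrying a directory component
    if name in ("", ".", "..") or name != posixpath.basename(name.replace("\\", "/")):
        return None, "filename must be a bare file name"
    if not name.lower().endswith(ALLOWED_EXT):
        return None, "file extension not allowed"
    mib_root = posixpath.join(WEBROOT, "WEB-INF/mibs/Customized") + "/"
    full = posixpath.normpath(posixpath.join(WEBROOT, type_dir, sub_dir, name))
    # belt and braces: the normalised path must still sit inside the MIB tree
    if not full.startswith(mib_root):
        return None, "resolved path escapes the MIB directory"
    return full, None
```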

  Note that, beginning with NMS300 version 1.5.0.14, authentication is required to access the URI “/lib-1.0/external/flash/MfileUpload.do”. Therefore, in general, an attacker must authenticate to the server to exploit this vulnerability. An unauthenticated attack is only possible against servers older than version 1.5.0.14.

  A remote attacker could exploit the vulnerability by sending crafted HTTP requests to the target server. Successful exploitation would result in the code execution under the security context of SYSTEM.

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The attacker must have network connectivity to the affected ports.
  • The attacker must authenticate to the target system.

Triggering Conditions:

  The attacker authenticates and then sends an HTTP request containing crafted parameters to upload a malicious file to the target server. The vulnerability is triggered when the server processes the request.
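A detection-side counterpart to the Attack Packet Overview, as an added example (not SonicWall's signature): it parses one raw HTTP request for the MfileUpload.do upload and flags a multipart filename that is not a .mib, or an upload sent without the type/sub parameters. The form field name “Filedata” and the assumption that type/sub may arrive in the query string or as form fields are placeholders, not taken from the advisory.

```python
from email.parser import BytesParser
from email.policy import default
from urllib.parse import parse_qs, urlsplit

# Added detection example, not SonicWall's signature. Flags a POST to the
# MfileUpload.do URI whose file part is not a .mib, or that omits the type/sub
# parameters so the file would land at ROOT/null<filename>.
# Assumption: type/sub may be sent as query-string or form-data fields.
UPLOAD_URI = "/lib-1.0/external/flash/MfileUpload.do"
ALLOWED_EXT = (".mib",)


def inspect_upload_request(raw: bytes) -> list:
    """Return a list of findings; an empty list means nothing was flagged."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    method, target, _ = request_line.decode("latin-1").split(" ", 2)
    url = urlsplit(target)
    if method != "POST" or url.path != UPLOAD_URI:
        return []
    # reuse the MIME parser: request headers + body form a valid multipart message
    msg = BytesParser(policy=default).parsebytes(headers + b"\r\n\r\n" + body)
    fields = {k: v[0] for k, v in parse_qs(url.query).items()}
    findings, saw_file = [], False
    for part in msg.iter_parts():
        name = part.get_param("name", header="content-disposition") or ""
        fname = part.get_filename()
        if fname is None:
            fields[name] = part.get_content().strip()  # plain form field
            continue
        saw_file = True
        if "/" in fname or "\\" in fname:
            findings.append(f"part {name!r}: filename {fname!r} contains a path separator")
        if not fname.lower().endswith(ALLOWED_EXT):
            findings.append(f"part {name!r}: filename {fname!r} is not a MIB file")
    if saw_file and (not fields.get("type") or not fields.get("sub")):
        findings.append("type/sub missing or empty: file would land at ROOT/null<filename>")
    return findings


# Constructed sample requests (not captured traffic); "Filedata" is a placeholder
# field name, since the advisory does not give the real one.
MALICIOUS_SAMPLE = (
    b"POST /lib-1.0/external/flash/MfileUpload.do HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=XYZ\r\n\r\n"
    b"--XYZ\r\n"
    b'Content-Disposition: form-data; name="Filedata"; filename="poc.jsp"\r\n\r\n'
    b"placeholder MIB text\r\n"
    b"--XYZ--\r\n"
)
BENIGN_SAMPLE = MALICIOUS_SAMPLE.replace(b"poc.jsp", b"a.mib").replace(
    b"MfileUpload.do", b"MfileUpload.do?type=mib&sub=4")
```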

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP, over port 8080/TCP

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS 15572: NETGEAR ProSAFE MFileUploadController Arbitrary File Creation

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Blocking the affected ports from external network access if they are not required.
    • Upgrading the product to a non-vulnerable version.
  The vendor has released the following advisory regarding this vulnerability:
    Vendor Advisory