Eaton's Intelligent Power Manager (IPM) Vulnerability

Overview:

  Eaton’s Intelligent Power Manager (IPM) software provides the tools needed to monitor and manage power devices in your physical or virtual environment, keeping devices up and running during a power or environmental event. This software solution ensures system uptime and data integrity by enabling remote monitoring, managing and controlling of devices on the network.

  An arbitrary file deletion vulnerability has been reported in Eaton Intelligent Power Manager and Eaton Intelligent Power Protector. The vulnerability is due to missing input validation in meta_driver_srv.js. A remote, unauthenticated attacker could exploit this vulnerability by sending a maliciously crafted packet. Successful exploitation could allow attackers to delete arbitrary files on the target system.

  The main program mc2 contains compressed JavaScript code which is relevant for understanding this vulnerability. The web interface can be accessed over HTTP or HTTPS on ports 4679 and 4680, respectively.

CVE Reference:

  Assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-23279

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.7 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is none.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.7 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  An arbitrary file deletion vulnerability exists in Eaton Intelligent Power Manager. The vulnerability is due to a missing authentication check and missing input validation in the HTTP requests sent to the “/server/meta_driver_srv.js” endpoint. When a user sends an HTTP request to this endpoint, the code in meta_driver_srv.js parses the JSON data in the data request parameter.

  The code maintains the driverList data structure in the MetaDriverManager JavaScript object, which collects all driver IDs currently known to the application; these can be found in the “configs/drivers/” directory. Each file in this directory contains information about one driver ID, and the file name is of the form “X.drv”, where X is the driver ID.

  After parsing the JSON data in the data request parameter, the code checks whether each driver ID in the driverList data structure is present in the JSON data. If it is not present, the code deletes the file in the “configs/drivers” directory whose name matches the driver ID that was absent from the JSON data. The deletion is done by a call to the function deleteDriver() in the MetaDriverManager JavaScript file. Afterwards, the code adds the data for each driver ID found in the JSON data that is not present in the driverList data structure. Namely, it creates the new “.drv” file in the “configs/drivers” directory with the JSON data provided in the request.

  The problem with this code is that it uses the driver ID keys in the provided JSON data to delete or create a “.drv” file in the “configs/drivers” directory without checking the driver ID key for directory traversal characters. Therefore, an attacker can send requests in which the driver ID key in the JSON data contains directory traversal characters.

Note that the attacker has to send two requests:

  • In the first request, the attacker sends a malicious request containing a driver ID that is a path to the file that is to be deleted. While processing this first request, the code overwrites that file with the data provided in the data request parameter. However, the overwritten content is in JSON format and not fully controlled by the attacker.

  • The attacker then sends a second request in which the driver ID added while the first request was processed is omitted, thereby triggering the code that deletes that file. By sending these two requests, the attacker can delete any file on the target system by employing directory traversal characters and the null character (%00). The null character is also needed to remove the trailing “.drv” extension from the maliciously crafted path.

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The attacker must have network connectivity to the affected ports.

Triggering Conditions:

  The attacker sends a malicious HTTP request to overwrite the contents of the file and then sends the second request to delete the same file. The vulnerability is triggered when the affected software processes the second request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP, over port 4679/TCP
    • HTTPS, over port 4680/TCP

Attack Request:

Attack Response:

Patched Software:

  Eaton has patched these security issues and released new versions of the affected software. The latest versions can be downloaded from the locations below:
    • Eaton IPM v1.69 – Download | IPM | Eaton
    • Eaton IPP v1.68 – Download software | Power management | Eaton

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 15540 Eaton Intelligent Power Manager Arbitrary File Deletion

Vendor Advisory:

Cybersecurity News & Trends – 04-30-21

This week, attacks by cybercriminals in Russia and China made headlines — and the U.S. government is mobilizing to fight back.


SonicWall in the News

‘A Perfect Score’: SonicWall Capture ATP Aces Latest ICSA Lab Test, Finds More ‘Never-Before-Seen’ Malware Than Ever — Company Press Release

  • SonicWall Capture Advanced Threat Protection (ATP) sandbox service with Real-Time Deep Memory Inspection™ (RTDMI) received a perfect score in the latest ICSA Labs Advanced Threat Defense test for Q1 2021.

Industry News

Here’s what Russia’s SVR spy agency does when it breaks into your network, says U.S. CISA infosec agency — The Register

  • Following attribution of the SolarWinds supply chain attack to Russia’s APT29/Cozy Bear, the U.S. CISA infosec agency has published a list of the spies’ known tactics.

Ransomware crooks threaten to ID informants if cops don’t pay up — Ars Technica

  • Ransomware operators have delivered a stunning ultimatum to Washington, D.C.’s Metropolitan Police Department: pay them $50 million, or they’ll leak the identities of confidential informants to street gangs.

Navy SEALs to Shift From Counterterrorism to Global Threats — Security Week

  • U.S. Navy SEALs are undergoing a major transition to improve leadership and expand their commando capabilities to battle threats from global powers like China and Russia.

Cyberspies target military organizations with new Nebulae backdoor — Bleeping Computer

  • A Chinese-speaking threat actor has deployed a new backdoor in multiple cyber-espionage operations, spanning roughly two years and targeting military organizations from Southeast Asia.

Suspected Chinese hackers are breaking into nearby military targets — Cyberscoop

  • The suspected PLA hackers are back in action.

Microsoft Weighs Revamping Flaw Disclosures After Suspected Leak — Bloomberg

  • Microsoft Corp. may revise a program that shares coding flaws in its products with other companies after a sprawling cyberattack against thousands of Microsoft Exchange email clients.

U.S. warns of Russian state hackers still targeting U.S., foreign orgs — Bleeping Computer

  • The FBI, the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency warned of continued attacks by Russian-backed APT 29 hacking group against U.S. and foreign organizations.

Law enforcement delivers final blow to Emotet — Cyberscoop

  • Law-enforcement officials are sending a specially crafted file to infected machines.

Selling of Mobile Phone Data Presents Security Risk for U.S. Armed Forces — The Wall Street Journal

  • Apps show troop movements buried in data available for purchase: a “major risk to national security.”

Ransomware’s perfect target: Why one industry needs to improve cybersecurity, before it’s too late — ZDNet

  • Dependencies on just-in-time supply chains and sometimes out-of-date technology make shipping and logistics an ever-more-tempting target for cybercriminals.

Apple’s ransomware mess is the future of online extortion — Ars Technica

  • Hackers want $50 million in exchange for not releasing schematics they stole from an Apple supplier.

China could ‘control the global operating system’ of tech, warns UK spy chief — ZDNet

  • The head of the UK’s intelligence service warns that the West must be prepared to face a world where technology is developed and controlled by states with “illiberal values.”

New cryptomining malware builds an army of Windows, Linux bots — Bleeping Computer

  • A recently discovered cryptomining botnet is actively scanning for vulnerable Windows and Linux enterprise servers and infecting them with Monero (XMRig) miner and self-spreader malware payloads.

ToxicEye: Trojan abuses Telegram platform to steal your data — ZDNet

  • This recently discovered RAT is using bots to propagate across Telegram channels.

In Case You Missed It

cURL new addition to LOLBins

The SonicWall Capture Labs Threat Research Team has observed a new Microsoft Excel sample which uses curl.exe to download the AVE Maria Remote Admin Tool. This sample launches curl.exe using an XLM macro.

cURL is a command-line tool for getting or sending data, including files, using URL syntax. cURL is included by default in Windows 10 build 17063 or later.

Any country where French is spoken or is the official language may be the target of this campaign, given that the sheet name is “Feuil1”, which means “Sheet1” in French.

Analysis:

Upon opening the file, the user is displayed instructions to enable content as shown below:

Fig-1: Excel File

If the user enables macros, the following code is executed:

Fig-2: Macro Sheet

The downloaded file remains under analysis, and initial investigations show that it belongs to the “AVE-Maria RAT” family.

File properties indicate that the sample was created on 20-Sep-2020 and modified on 27-Apr-2021 8:14 pm (UTC) as shown below.

Fig-3: Sample properties

SonicWall Capture ATP detected the sample as soon as it was first observed in the wild (27-Apr-2021 9:01:05 GMT), as is evident from the sample properties and the Capture Detection Report:

Fig-4: Capture Report

 

Indicators of Compromise:

SHA256:

  • 2e07eafbfb9f4700dbb3983d59d45939eb80f99807aee1c85e955d6f67991794 {Excel File}
  • 5bdc77c84e5ae4fd2c48746ad421b04fb8af9dca2b4d0e9e38906b777f976577 {Excel File}
  • 27b2fd40a9bf3ea07a45437c743cf9fdba97565231e4ae3ea90adf897e26b663 {Executable File}

Network Activity:

  • akmestarhfc[.]in/public/smartpc[.]exe
  • http://bitcoincoin[.]xyz/payment/xls[.]exe

Cybersecurity News & Trends – 04-23-21

This week hackers ramped up attacks on office workers, with malicious emails impersonating Slack, BaseCamp and Bloomberg Industry Group.


SonicWall in the News

The 8 Best Wireless Routers for Business in 2021 — Solutions Review

  • SonicWall SOHO 250 was included on Solutions Review’s (alphabetically organized) list of the top wireless routers of 2021.

Higher the Factors, Stronger the Security — Security MEA

  • Mohamed Abdallah, SonicWall regional director for MEA, explores the importance of multi-factor authentication.

Saudi GDP Can Spike Automation — Khaleej Times

  • Mohamed Abdallah, SonicWall regional director for MEA, discusses digital transformation initiatives in Saudi Arabia and the need for intelligent automation deployments.

Industry News

Apple Targeted in $50 Million Ransomware Hack of Supplier Quanta — Bloomberg

  • The REvil ransomware group is threatening Apple after one of its key MacBook suppliers, Quanta, allegedly refused to pay a $50 million ransom.

Hackers pose as Bloomberg employees in email scam — Cyberscoop

  • The ruse seeks to capitalize on the influence of Bloomberg Industry Group, whose analysis major corporations use to track markets.

Japan says Chinese military likely behind cyberattacks — The Washington Times

  • Tokyo police are investigating cyberattacks on about 200 Japanese companies and research organizations, including the country’s space agency, by a hacking group believed to be linked to the Chinese military.

US takes steps to protect electric system from cyberattacks — The Washington Times

  • The initiative encourages power plants and electric utilities to improve their ability to identify cyber threats, including implementing technologies to spot and respond to intrusions in real time.

Fake Microsoft Store, Spotify sites spread info-stealing malware — Bleeping Computer

  • Sites that impersonate the Microsoft Store, Spotify, and an online document converter are using malware to steal credit cards and passwords saved in web browsers.

Millions of web surfers are being targeted by a single malvertising group — Ars Technica

  • Hackers have compromised more than 120 ad servers over the past year in an ongoing campaign that displays malicious advertisements on sites that seem completely benign.

Discord Nitro gift codes now demanded as ransomware payments — Bleeping Computer

  • A new ransomware calling itself “NitroRansomware” encrypts victims’ files and then demands a Discord Nitro gift code in exchange for decryption.

Ryuk ransomware operation updates hacking techniques — Bleeping Computer

  • Recent attacks from Ryuk ransomware operators show that the actors have a new preference when it comes to gaining initial access to the victim network.

BazarLoader Malware Abuses Slack, BaseCamp Cloud — Threat Post

  • The BazarLoader malware’s email messages leverage worker trust in collaboration tools like Slack and BaseCamp to get them to click links containing malware payloads.

Did Someone at the Commerce Dept. Find a SolarWinds Backdoor in Aug. 2020? — Krebs on Security

  • On Aug. 13, 2020, someone uploaded a suspected malicious file to VirusTotal, a service that scans submitted files against more than five dozen antivirus and security products. Last month, Microsoft and FireEye identified that file as a newly discovered fourth malware backdoor used in the sprawling SolarWinds supply-chain hack.

Cyberattack on UK university knocks out online learning, Teams and Zoom — ZDNet

  • The attack cancelled all live online teaching for the rest of the week.

How the Kremlin Provides a Safe Harbor for Ransomware — Security Week

  • Ransomware is crippling local governments, hospitals, school districts and businesses by scrambling their data files until they pay up — and law enforcement has been largely powerless to stop it.

Swinburne University confirms over 5,000 individuals affected in data breach — ZDNet

  • The university confirmed the personal information included in the breach contained names, email addresses and phone numbers of staff, students and external parties.

HackBoss malware poses as hacker tools on Telegram to steal digital coins — Bleeping Computer

  • The authors of a cryptocurrency-stealing malware are distributing it over Telegram to aspiring cybercriminals under the guise of free malicious applications.

In Case You Missed It

Android banking trojan targets more than 450 apps

The SonicWall Capture Labs Threats Research team has yet again observed malicious Android banking trojans that target a large number of financial apps. This time the malicious app is spreading by masquerading as the Austrian PayLife bank app.

 

Sample Details:

 

Infection Cycle

Upon installation the application appears in the app drawer as follows:

Once executed, the application icon disappears from the app drawer, giving the victim the impression that the application is no longer present on the device. Next, it requests the Accessibility service permission from the victim:

 

Upon checking the AndroidManifest.xml file for the main activity, we see an entry for an activity that is not visible in the source code:

However, on running the application on the device, a few files are dropped in the folder app_DynamicOptDex. The sample we analyzed dropped the following interesting files:

  • AWrQyH.dex
  • AWrQyH.json

 

Within the .json file, which is in reality a .dex file, we find the classes containing the malicious code, including the main activity that was not visible earlier:

 

The malware is capable of accepting and executing the following commands:

  • Send_SMS
  • Flood_SMS
  • Download_SMS
  • Spam_on_contacts
  • Change_SMS_Manager
  • Run_App
  • StartKeyLogs
  • StopKeyLogs
  • StartPush
  • StopPush
  • Hide_Screen_Lock
  • Unlock_Hide_Screen
  • Admin
  • Profile
  • Start_clean_Push
  • Stop_clean_Push

 

Based on the commands and functionality, it appears that this malware is capable of carrying out a number of dangerous actions from the infected device:

  • Critical SMS related actions
  • Capture victim keystrokes
  • Send SMS messages to contacts; this may include the ability to spread the infection to people in the contact list

 

The malware we analyzed communicates with a hardcoded server – autolycus.ug

 

During our analysis the malware communicated with the server by sending encrypted data to gate.php. However, we did not receive any communication back from the server:

 

We observed the following VirusTotal graph for this domain:

 

The source code for this app contains a list of apps that are monitored by this malware; this list of around 455 apps consists mostly of financial apps. A few of these targeted apps are listed below, and the complete list can be obtained here:

  1. ar.com.santander.rio.mbanking
  2. at.volksbank.volksbankmobile
  3. au.com.bankwest.mobile
  4. com.bancomer.mbanking
  5. com.bankaustria.android.olb
  6. com.bankofqueensland.boq
  7. com.bbva.mobile.pt
  8. com.CredemMobile
  9. com.db.pbc.DBPay
  10. com.desjardins.mobile

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: AndroidOS.Banker.AL (Trojan)

 

Indicators of compromise (IOCs):

  • 670e49e6cdb47f8e6121fc706b2c6886
  • 6fb48c0121f446c3010867f02e0b53ee
  • e030c8ba233ea0b3b50daafbe54605a6

Runsomeaware ransomware as a service actively spreading in the wild

The SonicWall Capture Labs Threat Research team observed reports of a new variant family of the Runsomeaware RaaS actively spreading in the wild. Ransomware as a service (RaaS) is a subscription-based or free model that enables affiliates to use already-developed ransomware tools to execute ransomware attacks; the hackers earn a percentage of each successful ransom payment. Ransomware as a Service (RaaS) is an adaptation of the Software as a Service (SaaS) business model.

Runsomeaware encrypts the victim’s files with a strong encryption algorithm.

Runsomeaware is a multi-component RaaS family, and its PoC has been released in the wild by its developers.

Infection Cycle:

The ransomware adds the following files to the system:

  • Malware.exe
    • %App.path%\[Filename].graysuit

Once the computer is compromised, the ransomware runs the following commands:

When Runsomeaware is started it will create and assign a unique ID number to the victim then scan all local drives for data files to encrypt.

When encrypting files, it uses the AES encryption algorithm and encrypts all files except those with the following extensions:

The ransomware encrypts all the files and appends the [.graysuit] extension onto each encrypted file’s filename.

The hackers are active on a Discord Channel and they have released few tutorials on YouTube and GitHub.

Recently Discord has become a handy mechanism for cybercriminals. It is being used to serve up malware to victims in the form of a link that looks trustworthy. In some cases, hackers have integrated Discord into their malware for C&C of their code running on infected machines, and even to steal data from victims.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Runsomeaware.A (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Laravel Ignition Remote Code Execution Vulnerability

Ignition versions prior to 2.5.2, as used in Laravel and other products, allow unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents and file_put_contents. This is exploitable on sites using debug mode with Laravel versions prior to 8.4.2.

Ignition is a beautiful and customizable error page for Laravel applications running on Laravel 5.5 and newer. It is the default error page for all Laravel 6 applications. It also allows you to publicly share your errors on Flare. If configured with a valid Flare API key, errors in production applications are tracked and you get notified when they happen. It hooks into the framework to display the uncompiled view path and your Blade view. It has various features such as the app, user, context and debug tabs. It not only displays the error but also suggests a solution.

Vulnerability | CVE-2021-3129

Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code. This is exploitable on sites using debug mode with Laravel before 8.4.2.

The vulnerability lies in the way the file_get_contents function is used in the module MakeViewVariableOptionalSolution.php of Ignition. The path passed to file_get_contents is not checked, and an attacker can abuse this weakness to view and write code of the attacker’s choice at a path the attacker specifies.

This vulnerability has been patched. In the patched code, the path is checked before file_get_contents is called.

 

Threat graph:

 

SonicWall Capture Labs provides protection against this threat via the following signatures:

    • IPS 15444: Laravel Ignition Insecure Deserialization 1
    • IPS 15445: Laravel Ignition Insecure Deserialization 2

Malicious VBA macro uses CLSID to create Shell object

The SonicWall Capture Labs Threat Research Team has observed that Snake KeyLogger malware is being distributed using malicious Word documents. The sample in distribution uses a CLSID for WScript.Shell object creation rather than the object name, which is what is usually seen.

Infection Cycle

Upon opening the document, the user is displayed instructions to enable content as shown below:


Fig-1: Word Document

Shell Object creation:
This sample creates an instance of WScript.Shell object using CLSID. A CLSID is a globally unique identifier that identifies a COM class object.

CLSIDs that correspond to the Shell object:

  • {72C24DD5-D70A-438B-8A42-98424B88AFB8}
  • {F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}

The Shell object instance is used to execute the PowerShell command that downloads Snake Keylogger.


Fig-2: VBA Macro present in document

The PowerShell command is transferred in obfuscated form as the content of the Word document:


Fig-3: Obfuscated PowerShell

The de-obfuscated PowerShell command shows an AMSI bypass technique for Windows 10 systems. The obfuscation is used to conceal the AMSI bypass and the next-stage malware download URLs used in the script, as seen after de-obfuscation:


Fig-4: De-Obfuscated Powershell

The PowerShell code has embedded URLs from which the payload is downloaded. This sample uses the bit.ly URL shortening service, and the target URL is “hxxp://qadir[.]tickfa[.]ir/ID3/0RIG0000000.jpg”. The payload, a Windows executable stored as “0RIG0000000.jpg” on the remote host, belongs to SnakeKeylogger.

Payload Analysis:

The payload is a compiled .NET file, and its basic information is shown below:


Fig-5: Details of PE file

The downloaded file contains an encrypted PE file in its resources, which is decrypted using AES in ECB mode and loaded into memory. The decryption key is the SHA256 of hardcoded bytes present in the sample.


Fig-6: Decryption routine

Persistence:

The sample copies itself to the Startup folder as drivers.exe.

  • %appdata%\Microsoft\Windows\Start Menu\Programs\Startup\drivers.exe

SonicWall Capture ATP provides protection from this threat as shown below:


Fig-7: Capture ATP report

Indicators Of Compromise:

SHA256

  • 706f441b1e5b188f4373c6b680ea2c2b50ab81c2163bdaf690b3ec224581b8fb — Malicious Document File
  • 81b94fd7902d516f81fa99c090180e431b1e389e2ccd418fa2d0b3105d98fad9 — Downloaded Executable File

Network Connections:

  • bit[.]ly/2ZJ9xRc
  • qadir[.]tickfa[.]ir/ID3/0RIG0000000.jpg

Files:

  • %temp%\czxdpfb.exe
  • %appdata%\Microsoft\Windows\Start Menu\Programs\Startup\drivers.exe

 

Cybersecurity News & Trends – 04-16-21

This week utilities were under attack, as an Iran nuclear plant and a Kansas water facility both faced sabotage attempts.


SonicWall in the News

Internet of Things Malware Attacks Increase by 152% in North America in 2020, Other Continents also Witness a Significant Spike — Digital Information World

  • This article features data from SonicWall’s recent 2021 Cyber Threat Report, with a focus on the increase in IoT and malware attacks.

Video: 10 Minute IT Jams – SonicWall VP on the cybersecurity lessons learned from the last 12 months — Security Brief Asia

  • SonicWall’s vice president of regional sales – APAC, Debasish Mukherjee, discusses cybersecurity lessons learned from the pandemic.

Why some jobseekers have turned to cyber crime during the pandemic — ComputerWeekly

  • ComputerWeekly spoke with SonicWall EMEA Vice-President Terry Greer-King about cybercriminal activity during the pandemic.

‘Boundless Cybersecurity’: How SonicWall is helping to uncover unknown threats — Intelligent CISO

  • Intelligent CISO interviewed Osca St. Marthe, SonicWall’s executive director of sales engineering for EMEA, about the company’s boundless security model.

Remote Work Sparking Rise in Cybersecurity Threats, HTSA Told — Consumer Electronics Daily

  • SonicWall Solutions Architect Rick Meder was quoted in reference to the 2021 Cyber Threat Report.

Industry News

U.S. House committee approves blueprint for Big Tech crackdown — Reuters

  • The U.S. House of Representatives Judiciary Committee has formally approved a report accusing Big Tech companies of buying or crushing smaller firms, Rep. David Cicilline’s (D-R.I.) office said in a statement Thursday.

NSA, FBI, DHS expose Russian intelligence hacking tradecraft — Cyberscoop

  • The U.S. government warned the private sector that Russian government hackers are actively exploiting vulnerabilities to target U.S. companies and the defense industrial base.

NBA’s Houston Rockets Face Cyber-Attack by Ransomware Group — Bloomberg

  • The NBA’s Houston Rockets are investigating a cyberattack against their networks from a relatively new ransomware group claiming to have stolen internal business data.

IBM Uncovers More Attacks Against COVID-19 Vaccine Supply Chain — Bloomberg

  • A hacking campaign detected by IBM last year targeting organizations involved in the manufacturing, transportation and storage of COVID-19 vaccines is now thought to have targeted more than 40 companies in 14 countries.

Iran nuclear attack: Mystery surrounds nuclear sabotage at Natanz — BBC

  • Within hours of Iran proudly announcing the launch of its latest centrifuges at its site in Natanz, a power blackout damaged some of the machines.

Bitcoin hits record before landmark Coinbase listing on Nasdaq — Reuters

  • Bitcoin hit a record of $62,741 on Tuesday, extending its 2021 rally to new heights a day before the listing of Coinbase shares in the U.S.

100M More IoT Devices Are Exposed—and They Won’t Be the Last — Wired

  • The “Name: Wreck” flaws in TCP/IP are the latest in a series of vulnerabilities with global implications.

QBot malware is back replacing IcedID in malspam campaigns — Bleeping Computer

  • Malware distributors are rotating payloads once again, switching between trojans that in many cases serve as an intermediary stage in a longer infection chain.

Cybersecurity: Victims are spotting cyberattacks much more quickly – but there’s a catch — ZDNet

  • Cybercriminals are spending less time inside networks before they’re discovered. But that’s partly because when hackers deploy ransomware, they don’t stay hidden for long.

Small Kansas water utility system hacking highlights risks — The Washington Times

  • A former Kansas utility worker has been charged with remotely tampering with a public water system’s cleaning procedures, highlighting the difficulty smaller utilities face in protecting against hackers.

Biden budget request calls for major investments in cybersecurity, emerging technologies — The Hill

  • President Biden called for over $1.3 billion in cybersecurity funds, along with major investments in emerging technologies such as quantum computing and artificial intelligence, as part of his proposed budget request sent to Congress.

Financial industry preps for proposal that would require 36-hour breach notification — Cyberscoop

  • A proposal would mandate that financial firms report more kinds of cyber incidents to regulators within 36 hours.

Joker malware infects over 500,000 Huawei Android devices — Bleeping Computer

  • More than 500,000 Huawei users have downloaded from the company’s official Android store applications infected with Joker malware that subscribes to premium mobile services.

In Case You Missed It

Ransomware uses Discord for C2 communications

The SonicWall Capture Labs Research team has observed another ransomware being circulated in the wild recently. To maintain communications with the compromised system, this ransomware uses Discord’s built-in webhook function. Discord is much more than a text and voice communication platform geared towards gamers: it offers an open API through which one can create guilds (servers) and channels. A webhook is the easiest way to automate posting messages to a channel; it is basically a URL to which you send a message, which is then posted to a specified channel. Using a legitimate platform to send and receive communications disguises malicious network activity as valid traffic in an attempt to bypass security applications, which is why Discord has lately been favored by cybercriminals to aid in their malicious doings.

Infection Cycle:

This ransomware arrives as an executable using the following icon:

Upon execution, it drops the following files in the %temp% directory:

  • %temp%/*random*/*random*/aescrypt.exe – used for encrypting files
  • %temp%/*random*/*random*/DiscordSendWebhook.exe – used to send communication out
  • %temp%/*random*/*random*/1A1C.bat – the main script
  • %temp%/kill.bat – script to kill task manager

It then spawns cmd to run scripts via the command prompt and lets everything happen in the background without the victim’s knowledge.

It creates a copy of itself and adds it to Startup. It then deletes all volume shadow copies to ensure that the victim will not be able to restore files and the entire system after the ransomware encryption.

  • copy /b /y %0 “%appdata%\Microsoft\Windows\Start Menu\Programs\Startup”
  • wmic shadowcopy delete
  • vssadmin delete shadows /all /quiet

It then sets the following system policies through the registry to ensure uninterrupted execution: disabling the Windows prompt for consent before running a program, disabling the Ctrl+Alt+Del keys, disabling Task Manager and swapping the mouse buttons:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v “PromptOnSecureDesktop” /t REG_DWORD /d “0” /f
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v “ConsentPromptBehaviorAdmin” /t REG_DWORD /d “0” /f
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v “EnableLUA” /t REG_DWORD /d “1” /f
  • HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout /v “Scancode Map” /t REG_BINARY /d “00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000” /f /reg:64 > nul
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v “DisableTaskMgr” /t REG_DWORD /d “1” /f > nul
  • HKCU\Control Panel\Mouse /v SwapMouseButtons /t REG_SZ /d “1” /f > nul

It then uses the Discord webhook functionality to send a message to the following Discord guild:

It then also kills all known web browsers that might be currently running on the system.

Next, it adds two scheduled tasks to ensure that one instance of malware runs every time a user logs on and another every 5 days.

Upon successful encryption of files, the malware sends another message via webhook to its Discord channel with the system info and IDs to help identify this victim’s machine.

Then, it creates 100 copies of Pay2Decrypt1-100.txt files with the information of how to decrypt the files.

This ransomware appends .lck to all encrypted files. It even manages to encrypt its own aescrypt.exe and DiscordSendWebhook.exe.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Pay2Decrypt.RSM

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.