Posts

Cukiesi, a Paradise ransomware variant demands over $50k for file retrieval

The SonicWall Capture Labs threat research team has observed reports of a variant of Paradise ransomware called Cukiesi. This ransomware family has been around since early 2018 and is reported to have originated in Russia. The ransom demand is steep at 1.5 BTC ($55k at the time of writing this alert), and it is speculated that the campaign is aimed at large organisations rather than the average home PC user.

Infection Cycle:

 

Upon infection, files on the system are encrypted and a “_cU_{<6 alphanumeric char>}Cukiesi” extension is appended to their filenames:

nooode.txt is dropped into all directories where files were encrypted.  It contains the following ransom message:

 

We reached out to the email addresses provided in the ransom note and had the following conversation with the operator:

 

The protonmail address had been deactivated but we received a response from the tutanota.com email address:

 

The ransom amount appears to be negotiable but at the time of writing this alert we were unsuccessful:

 

We are still awaiting a reply.

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Cukiesi.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Cybersecurity News & Trends – 01-15-21

This week, the U.S. cyber czar gets new powers, a video game giant gets breached, and Robinhood gets sued.


SonicWall in the News

Defending Against SolarWinds Attacks: What Can Be Done? — TechTarget: SearchSecurity

  • Dmitriy’s zero-trust commentary was included in this article on how zero-trust and behavioral monitoring can be useful against nation-state attacks like the SolarWinds attack.

Cybersecurity Sales: Do You Have What It Takes to Succeed — Help Net Security

  • An interview with Terry Geer-King on his career growth was shared on Help Net Security.

Industry News

CISA Warns Organizations About Attacks on Cloud Services — Security Week

  • In light of successful cyberattacks targeting organizations’ cloud services, the U.S. Cybersecurity and Infrastructure Security Agency has published a series of recommendations on how businesses can improve their cloud security.

Scam-as-a-Service operation made more than $6.5 million in 2020 — ZDNet

  • The “Classiscam” operation is made up of around 40 groups operating in the U.S. and across several European countries.

Iranian cyberspies behind major Christmas SMS spear-phishing campaign — ZDNet

  • Iranian hackers managed to successfully hide URLs to phishing sites behind legitimate google.com links.

Hackers’ Attack on Email Security Company Raises New Red Flags — The New York Times

  • A breach at email security provider Mimecast underscores that Russia-linked hackers appear to have targeted victims along multiple avenues of attack.

Data Breach at ‘Resident Evil’ Gaming Company Widens — Threat Post

  • Capcom, the game developer behind Resident Evil, Street Fighter and Dark Stalkers, now says its recent attack compromised the personal data of up to 400,000 gamers.

Hacker sells Aurora Cannabis files stolen in Christmas cyberattack — Bleeping Computer

  • A hacker is selling data stolen from cannabis giant Aurora Cannabis after breaching their systems on Christmas.

State Department sets up new bureau for cybersecurity and emerging technologies — The Hill

  • The new Bureau of Cyberspace Security and Emerging Technologies (CSET) will help lead diplomatic efforts in cyberspace, including working to prevent cyber conflicts with potentially adversarial nations.

Ryuk gang estimated to have made more than $150 million from ransomware attacks — ZDNet

  • Most of the Ryuk gang’s “earnings” are being cashed out through accounts at crypto-exchanges Binance and Huobi.

Sealed U.S. Court Records Exposed in SolarWinds Breach — Krebs on Security

  • The ongoing SolarWinds breach may have jeopardized the privacy of countless sealed court documents on file with the U.S. federal court system, according to a memo.

Cyber czar to draw on new powers from defense bill — The Hill

  • New authorities from the recently enacted defense bill are expected to help the U.S. government in its response to the SolarWinds hack believed to be perpetrated by Russia.

Robinhood Hacking Victim Sues Trading Platform Over Security — Bloomberg

  • Siddharth Mehta said in a complaint provided by his lawyer that his account was looted of “tens of thousands of dollars” in July.

In Case You Missed It

Babuk ransomware actively spreading in the wild

The SonicWall Capture Labs Threat Research team observed reports of a new variant of the Babuk ransomware family actively spreading in the wild.

The Babuk ransomware encrypts the victim’s files with a strong encryption algorithm until the victim pays a fee to get them back.

Infection Cycle:

The ransomware adds the following files to the system:

  • Malware.exe
    • %App.path%\ How To Restore Your Files.txt
    • %App.path%\ [__NIST_K571__]

Once the computer is compromised, the ransomware runs the following commands:

When Babuk is started, it creates and assigns a unique ID number to the victim, then scans all local drives for data files to encrypt.

When encrypting files it will use the AES encryption algorithm and only encrypt those files that match the following extensions:

jpe, jpg, kdc, mdb, mdf, nef, crt, crw, dbf, dcr, der, dng, doc, docm, docx, xls, xlsb, xlsm, xlsx, pef, pem, pfx, ppt, pptm, pptx, psd, raf, raw, rtf.

The ransomware encrypts all the files and appends the [__NIST_K571__] extension onto each encrypted file’s filename.

After encrypting all personal documents, the ransomware displays the following text file, which reports that the computer has been encrypted and directs the victim to contact its developer (via a website) for unlock instructions.
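To make the file-system artifacts from the two ransomware write-ups above concrete (the Cukiesi extension and its nooode.txt note, and the Babuk [__NIST_K571__] extension and its How To Restore Your Files.txt note), here is an added example of a scan that flags them on a directory tree. This is illustrative code written for this page, not SonicWall's tooling; it assumes the braces in the Cukiesi extension are literal characters in the filename, and it builds a constructed sample tree to run against.

```python
import os
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Indicators taken from the two write-ups above. The Cukiesi pattern assumes
# the braces are literal characters around the six-character ID (assumption).
CUKIESI_EXT = re.compile(r"_cU_\{[A-Za-z0-9]{6}\}Cukiesi$")
BABUK_EXT = "[__NIST_K571__]"
RANSOM_NOTES = {
    "nooode.txt": "Cukiesi",
    "How To Restore Your Files.txt": "Babuk",
}


def classify(name: str):
    """Return (family, kind) if the file name matches a known artifact, else None."""
    if name in RANSOM_NOTES:
        return RANSOM_NOTES[name], "ransom note"
    if CUKIESI_EXT.search(name):
        return "Cukiesi", "encrypted file"
    if name.endswith(BABUK_EXT):
        return "Babuk", "encrypted file"
    return None


def scan_tree(root: Path):
    """Walk a directory tree and list every artifact as (relative path, family, kind)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            hit = classify(name)
            if hit:
                rel = str((Path(dirpath) / name).relative_to(root))
                findings.append((rel, hit[0], hit[1]))
    return sorted(findings)


def summarize(findings):
    """Count artifacts per family and kind, e.g. {"Babuk": {"encrypted file": 1, ...}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for _path, family, kind in findings:
        counts[family][kind] += 1
    return {family: dict(kinds) for family, kinds in counts.items()}


def build_sample_tree(root: Path) -> None:
    """Create a constructed tree that mimics a partially encrypted host (sample data)."""
    (root / "docs").mkdir()
    (root / "docs" / "report.docx._cU_{a1B2c3}Cukiesi").write_bytes(b"\x00" * 16)
    (root / "docs" / "nooode.txt").write_text("constructed ransom note placeholder")
    (root / "pics").mkdir()
    (root / "pics" / ("photo.jpg" + BABUK_EXT)).write_bytes(b"\x00" * 16)
    (root / "pics" / "How To Restore Your Files.txt").write_text("constructed ransom note placeholder")
    (root / "clean").mkdir()
    (root / "clean" / "notes.txt").write_text("untouched file")


def run_demo():
    """Build the sample tree in a temp dir, scan it, and return (findings, summary)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        findings = scan_tree(root)
    return findings, summarize(findings)


if __name__ == "__main__":
    for path, family, kind in run_demo()[0]:
        print(f"{family:8} {kind:15} {path}")
```

Running the scan on a real host would point it at the drive roots; a ransom note found in a directory that contains no renamed files is still worth reporting, since the note is dropped into every directory the encryptor visited.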

Screenshots from the ransomware website:

We have been monitoring varying hits over the past few days for the signature that blocks this threat:

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Blackheart.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Microsoft Security Bulletin Coverage for January 2021

The SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of January 2021. A list of the issues reported, along with SonicWall coverage information, is as follows:

CVE-2021-1647 Microsoft Defender Remote Code Execution Vulnerability
IPS 15356: Microsoft Defender Remote Code Execution Vulnerability (CVE-2021-1647)
ASPY 146: Malformed-File exe.MP.168

CVE-2021-1707 Microsoft SharePoint Server Remote Code Execution Vulnerability
ASPY 145: Malformed-File xml.MP.3

CVE-2021-1709 Windows Win32k Elevation of Privilege Vulnerability
ASPY 147: Malformed-File exe.MP.169

The following vulnerabilities have no known exploits in the wild:
CVE-2020-26870 Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-1636 Microsoft SQL Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1637 Windows DNS Query Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-1638 Windows Bluetooth Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-1641 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-1642 Windows AppX Deployment Extensions Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1643 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-1644 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-1645 Windows Docker Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-1646 Windows WLAN Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1648 Microsoft splwow64 Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1649 Active Template Library Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1650 Windows Runtime C++ Template Library Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1651 Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1652 Windows CSC Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1653 Windows CSC Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1654 Windows CSC Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1655 Windows CSC Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1656 TPM Device Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-1657 Windows Fax Compose Form Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-1658 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-1659 Windows CSC Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1660 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-1661 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1662 Windows Event Tracing Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1663 Windows Projected File System FS Filter Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-1664 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-1665 GDI+ Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-1666 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-1667 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-1668 Microsoft DTV-DVD Video Decoder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-1669 Windows Remote Desktop Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-1670 Windows Projected File System FS Filter Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-1671 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-1672 Windows Projected File System FS Filter Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-1673 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-1674 Windows Remote Desktop Protocol Core Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-1676 Windows NT Lan Manager Datagram Receiver Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-1677 Azure Active Directory Pod Identity Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-1678 NTLM Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-1679 Windows CryptoAPI Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-1680 Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1681 Windows WalletService Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1682 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1683 Windows Bluetooth Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-1684 Windows Bluetooth Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-1685 Windows AppX Deployment Extensions Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1686 Windows WalletService Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1687 Windows WalletService Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1688 Windows CSC Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1689 Windows Multipoint Management Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1690 Windows WalletService Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1691 Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-1692 Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-1693 Windows CSC Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1694 Windows Update Stack Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1695 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1696 Windows Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-1697 Windows InstallService Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1699 Windows (modem.sys) Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-1700 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-1701 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-1702 Windows Remote Procedure Call Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1703 Windows Event Logging Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1704 Windows Hyper-V Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1705 Microsoft Edge (HTML-based) Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2021-1706 Windows LUAFV Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1708 Windows GDI+ Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-1710 Microsoft Windows Media Foundation Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-1711 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-1712 Microsoft SharePoint Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1713 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-1714 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-1715 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-1716 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-1717 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-1718 Microsoft SharePoint Server Tampering Vulnerability
There are no known exploits in the wild.
CVE-2021-1719 Microsoft SharePoint Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-1723 .NET Core and Visual Studio Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-1725 Bot Framework SDK Information Disclosure Vulnerability
There are no known exploits in the wild.

Turla Variant GoldenSky

Overview:

The SonicWall Capture Labs Threat Research Team recently found a new sample and activity for a Turla variant called GoldenSky. Turla has been tracked under many names since 2014, including: Turla, Snake, Venomous Bear, VENOMOUS Bear, Group 88, Waterbug, WRAITH, Turla Team, Uroburos, Pfinet, TAG_0530, KRYPTON, Hippo Team, Pacifier APT, Popeye, SIG23, Iron Hunter, MAKERSMARK.

Turla is known for targeting government organizations, military and diplomatic targets using a complex collection of malware and interesting command-and-control (C2) implementations.

Common tools include remote-access trojans (RATs), [Kazuar and Carbon] and HyperStack remote procedure call (RPC)-based backdoors. These tools often include several layers of obfuscation and defense-evasion techniques.

The RATs transmit command-execution results and exfiltrate data from the victim’s network, while the RPC-based backdoors, including HyperStack, use the RPC protocol to perform lateral movement and to issue and receive commands on other machines within the local network.

The upgrades seen in the campaign largely revolved around creating built-in redundancies for remote communication.

Sample Static Information:

Encryption Signatures:

Dynamic Information:

Inter-process communication (IPC):

The pipe open mode:
PIPE_ACCESS_DUPLEX: the pipe is bi-directional; both server and client processes can read from and write to the pipe.

The pipe's nMaxInstances is set to:
PIPE_UNLIMITED_INSTANCES (255), which is misleading, since you can only have a total of 256 pipe instances.

The pipe's input and output buffer sizes are set to 0xF000, or 61,440 bytes.

Reading and Writing to the Pipe:

Pipe Name:

INI File:

Turla’s variant name came from the .ini file that is created and read upon execution:

Pipe Registry Key Settings:

Other related thread information:

NET Resources:

Local network IPC Share:

Supported Systems:

  • Windows 10
  • Windows 8.1
  • Windows 8.0
  • Windows 7
  • Windows Vista

SonicWall Gateway Anti-Virus (GAV) provides protection against this threat:

  • GAV: Goldensky.D (Trojan)

Appendix:

Sample SHA256 Hash: 48dced47372853658202b286920bb4fd0ab16de7c5d5b736eac84eee023d569f

Cybersecurity News & Trends – 01-08-21

This week, the massive SolarWinds breach made headlines around the world, but that doesn’t mean other hackers took a holiday.


SonicWall in the News

Zero Trust Against Nation-State Attacks: Expert Explains Why it is Vital — Information Security Buzz

  • The fallout of the SolarWinds breach continues to reverberate across the industry, and the conversation is shifting to how to mitigate and defend against the next attack on this scale. Dmitriy Ayrapetov weighs in.

Reasons To Believe — Or Not Believe — in IoT — IoT Agenda

  • Data from SonicWall’s Threat Report on the increase in IoT attacks was included in an article on the benefits and challenges of IoT.

AI and ML: Is it a boon or bane for cyber security? — VAR India

  • SonicWall VP of Regional Sales Debasish Mukherjee talks about BYOD and the number of malicious attacks and cyber frauds across the globe due to the pandemic.

Industry News

North Korean hackers launch RokRat Trojan in campaigns against the South — ZDNet

  • A VBA self-decoding technique is being used to hide the malware on impacted systems.

Widely Used Software Company May Be Entry Point for Huge U.S. Hacking — The New York Times

  • Russian hackers may have piggybacked on a tool developed by JetBrains, which is based in the Czech Republic, to gain access to federal government and private sector systems in the United States.

Babuk Locker is the first new enterprise ransomware of 2021 — Bleeping Computer

  • It’s a new year, and with it comes a new ransomware. This one is called Babuk Locker, and it targets corporate victims in human-operated attacks.


Cyberattacks on Healthcare Spike 45% Since November — Threat Post

  • The relentless rise in COVID-19 cases is battering already-frayed healthcare systems — and ransomware criminals are taking the opportunity to strike.

Top admiral: SolarWinds computer hack didn’t harm U.S.-based nukes — The Washington Times

  • America’s nuclear arsenal wasn’t compromised by a recent cyberattack targeting computer networks used by government agencies and private companies, the Navy admiral at the helm of the U.S. Strategic Command said.

Severe SolarWinds Hacking: 250 Organizations Affected? — Bank Info Security

  • Investigators are finding that the campaign appears to have compromised more than the 50 organizations originally suspected—and a Russian-linked hacking group may be responsible.

This malware uses a crafty new technique to establish the location of victims — Tech Radar 

  • A newly discovered form of malware grabs and queries the MAC address of the wireless router, enabling it to geo-locate its victim’s machine more accurately.

Cross-platform ElectroRAT malware drains cryptocurrency wallets — Bleeping Computer

  • Security researchers have discovered a new remote access trojan (RAT) used to empty the cryptocurrency wallets of thousands of Windows, Linux, and macOS users.

Major Gaming Companies Hit with Ransomware Linked to APT27 — Threat Post 

  • A recent slew of related ransomware attacks on top videogame companies has been associated with the notorious Chinese-linked APT27 threat group, suggesting that the advanced persistent threat (APT) is shifting its historically espionage-centered tactics to adopt ransomware, a new report says.

2021 Cybersecurity Trends: Bigger Budgets, Endpoint Emphasis and Cloud — Cybersecurity Trends

  • Insider threats are redefined in 2021, the work-from-home trend will continue to define the threat landscape, and mobile endpoints become the attack vector of choice, according to 2021 forecasts.

Be warned: COVID-19 vaccine scams are now appearing online, over text, and by email — ZDNet

  • With millions of us waiting for our place in the vaccine queue, criminals are already trying to cash in.

In Case You Missed It

Fake Cyberpunk 2077 Android apps are on the move

The action role-playing video game Cyberpunk 2077 has been one of the most awaited games in recent times, and after multiple delays the game was finally released in December 2020. Even though the game had bugs and issues at launch, it garnered massive popularity and a large following during the initial release window. This attracted the attention of gamers and non-gamers alike; unsurprisingly, malware writers and scammers also started taking advantage of this popularity.

Fake download sources

Even though this game is not natively available on mobile devices like Android and iPhone, there are multiple sources that advertise Cyberpunk’s availability on these devices:

  • A number of websites host downloadable files with the name Cyberpunk, but they request “verification” before the download can start. This verification usually leads to online “survey scam” websites that are after the user's personal information:

  • There are a number of YouTube videos that claim to show how to download and play Cyberpunk on mobile devices. Most of these videos direct users to websites that further lead to verification scams as highlighted above; some of the websites lead to Android apps:

Different types of apps

We observed a number of different types of fake Cyberpunk-named apps for Android; a few of them are listed below:

Verification apps

These apps contain Cyberpunk game-related asset files like icons and menu videos. The menu and intro videos are played once the app runs, making the app look authentic to the user. But once the video has been displayed, the user is forwarded to verification/online survey links.

  • MD5: 0766e628c6e6cf2048a6f6d007db4343
  • Package name: com.codwarzone.neta
  • Application name: Cyberpunk 2077

 

While not inherently malicious, these apps direct the users to sites that serve online survey scams. These scams try to extract sensitive user information and further misuse this information by selling it to data brokers, using it for phishing/spam/identity theft.

 

Ransomware

This app is a ransomware that uses the popularity of Cyberpunk to infect victims and demand ransom in the form of Bitcoin.

  • MD5: cbd92757051490316de527a02ac17947
  • Package name: com.codwarzone.neta
  • Application name: Cyberpunk 2077 Mobile (Beta)

The ransom message is hardcoded in the code:

 

This malware appends the extension “.coderCrypt” to the end of files.

 

The ransomware demands ransom to be sent to the Bitcoin wallet address 336Fvf8fRrpySwq8gsaWdf7gfuGm5FQi8K. Below is the recent activity on this address:

 

Malware creators are yet again using the popularity of a game to spread their malicious creations. Right now Cyberpunk 2077 is not available natively for mobile devices; it can, however, be played on mobile through game streaming services such as Stadia. So any video or post that claims to show how to install this game on a mobile device is likely a fake.

SonicWall Capture Labs provides protection against this threat with the following signatures:

  • AndroidOS.CodeWare.RSM (Trojan)
  • AndroidOS.Injector.VF (Trojan)

 

Indicators of Compromise (IOCs):

  • cbd92757051490316de527a02ac17947
  • 0766e628c6e6cf2048a6f6d007db4343

Critical CVE's of the year 2020

CVE-2020-1472 Zerologon – A vulnerability in the cryptography of Microsoft’s Netlogon process that allows an attack against Microsoft Active Directory domain controllers, making it possible for a hacker to impersonate any computer, including the root domain controller.

Ref: https://securitynews.sonicwall.com/xmlpost/windows-netlogon-elevation-of-privilege-vulnerability-cve-2020-1472/

CVE-2020-0796 SMBGhost – A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka ‘Windows SMBv3 Client/Server Remote Code Execution Vulnerability’.

Ref: https://securitynews.sonicwall.com/xmlpost/windows-smbv3-remote-code-execution-vulnerability-cve-2020-0796/

CVE-2020-1350 SIGRed – A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests, aka ‘Windows DNS Server Remote Code Execution’ Vulnerability.

Ref: https://securitynews.sonicwall.com/xmlpost/windows-dns-server-remote-code-execution-vulnerability-cve-2020-1350/

CVE-2020-0601 Curveball – A vulnerability that affects the certificate verification function in the Crypt32.dll module provided by Microsoft.

Ref: https://securitynews.sonicwall.com/xmlpost/windows-cryptoapi-spoofing-vulnerability-cve-2020-0601/

CVE-2020-5902 – A critical vulnerability in the F5 BIG-IP Traffic Management User Interface (TMUI), also known as the Configuration Utility.

Ref: https://securitynews.sonicwall.com/xmlpost/cve-2020-5902-hackers-actively-exploit-critical-vulnerability-in-f5-big-ip/

CVE-2020-14882 – A critical and easily exploitable remote code execution vulnerability (CVE-2020-14882) in Oracle WebLogic Server.

Ref: https://securitynews.sonicwall.com/xmlpost/cve-2020-14882-oracle-weblogic-remote-code-execution-vulnerability-exploited-in-the-wild/

CVE-2020-0688 Microsoft Exchange Memory Corruption Vulnerability – A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory.

Ref: https://securitynews.sonicwall.com/xmlpost/hackers-are-actively-trying-to-exploit-vulnerable-microsoft-exchange-servers/

CVE-2020-25213 – A vulnerability in WordPress File Manager (wp-file-manager) plugin versions prior to 6.9 that allows remote attackers to upload and execute arbitrary PHP code.

Ref: https://securitynews.sonicwall.com/xmlpost/cve-2020-25213-wordpress-plugin-wp-file-manager-actively-being-exploited-in-the-wild/

CVE-2020-17530: Apache struts vulnerability exploited in the wild

SonicWall Capture Labs Threat Research team has observed hackers actively targeting the recent remote code execution vulnerability in the Apache Struts framework.

This vulnerability is due to insufficient input validation, leading to a forced double OGNL evaluation when evaluating raw user input. A remote attacker could exploit this vulnerability by sending a crafted request to the target server. Successful exploitation will allow an attacker to execute arbitrary code with the privileges of the server.

Apache Struts:

Apache Struts is a modern Java framework that uses the Model-View-Controller (MVC) architecture for building enterprise-ready web applications.

Model – The central component, which manages the data, logic, and rules of the application.

View – Presents information to the user, sometimes allowing multiple views of the same information.

Controller – Accepts input and converts it to commands for the model or view.

 

Object-Graph Navigation Language (OGNL) is an open-source expression language for Java which, while using simpler expressions than the full range of those supported by the Java language, allows getting and setting properties as well as executing methods of Java classes.

OGNL uses Java reflection and inspection to address the Object Graph of the runtime application. This allows the program to change behavior based on the state of the object graph instead of relying on compile-time settings. It also allows changes to the object graph.

Due to its ability to create or change executable code, OGNL is capable of introducing critical security flaws to any framework that uses it.

Vulnerability (CVE-2020-17530):

The OGNL context map is initialized with the mitigating controls that enforce the validations for accessing packages, classes, and their normally private or protected methods and fields. These controls are defined by an instance of the SecurityMemberAccess class. By leveraging introspection via the BeanMap instance, private properties of the SecurityMemberAccess instance can be accessed and modified. Most importantly, excludedClasses and excludedPackageNames, which contain the set of excluded classes and package names respectively, can be cleared, effectively disabling every class and package access restriction.

An attacker is therefore able to completely disable all OGNL expression mitigation controls related to package and class access. Arbitrary code execution can then be realized by invoking suitable methods from previously disallowed classes, for example the Execute.exec() method from the freemarker.template.utility package.

Exploit:

SonicWall observed the below exploit request in which the BeanMap instance has been leveraged to access and modify the member access and set excludedClasses and excludedPackageNames to empty. One of the disallowed classes “Execute” from the “freemarker.template.utility” package that gives FreeMarker the ability to execute external commands is called to download and execute a malicious file.

Successful exploitation results in the execution of malicious payload “ssa” with the privileges of the server.
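As an added example (not SonicWall's IPS signature 14514, nor code from the Struts project), the following log-side triage shows how a defender might flag request lines carrying the indicators named above: forced OGNL evaluation (%{...}), BeanMap/SecurityMemberAccess introspection, clearing of excludedClasses/excludedPackageNames, and a reference to freemarker.template.utility.Execute. The sample request lines are constructed and deliberately fragmentary; the decoding loop exists because these tokens commonly arrive URL-encoded more than once.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Tokens from the CVE-2020-17530 write-up above. This is a hypothetical
# log-triage helper written for this page, not SonicWall's IPS logic.
INDICATORS = {
    "forced_ognl": re.compile(r"%\{"),
    "member_access": re.compile(r"BeanMap|SecurityMemberAccess|_memberAccess"),
    "restriction_clear": re.compile(r"excludedClasses|excludedPackageNames"),
    "command_exec": re.compile(r"freemarker\.template\.utility\.Execute"),
}


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated URL-encoding so double-encoded tokens are still visible."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_indicators(request_line: str):
    """Return the names of all indicators present in the decoded request line."""
    decoded = fully_decode(request_line)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(decoded))


def verdict(request_line: str) -> str:
    """Escalate on restriction-clearing or Execute references; review bare forced OGNL."""
    hits = find_indicators(request_line)
    if "restriction_clear" in hits or "command_exec" in hits:
        return "block"
    if hits:
        return "review"
    return "allow"


def triage(lines):
    """Count verdicts over a batch of request lines."""
    return dict(Counter(verdict(line) for line in lines))


# Constructed sample request lines (not captured traffic). The last one keeps
# only the indicator tokens with everything else elided, so it is not a payload.
SAMPLE_REQUESTS = [
    "GET /static/app.css HTTP/1.1",
    "POST /login.action?user=alice HTTP/1.1",
    "GET /index.action?id=%25%7B123%7D HTTP/1.1",
    "GET /index.action?id=%25%7B(BeanMap)...excludedClasses.clear()..."
    "excludedPackageNames.clear()...freemarker.template.utility.Execute...%7D HTTP/1.1",
]


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(f"{verdict(line):6} {find_indicators(line)} {line}")
```

The "review" tier matters in practice: a bare %{...} in a parameter is often a scanner probe rather than a full chain, and it is the earliest signal that someone is testing whether forced evaluation is reachable.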

Trend Chart:

IPS hits for the signature “14514” in the last 40 days.

SonicWall Capture Labs Threat Research team protects against this exploit with the following signature:

IPS: 14514 Apache Struts OGNL Wildcard Remote Code Execution 8

Problem:

Some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.

Affected Products:

Apache Software Foundation Struts 2.0.0 through 2.5.25

Fix:

Avoid using forced OGNL evaluation on untrusted user input, and/or upgrade to Struts 2.5.26, which checks to ensure that expression evaluation won’t lead to the double evaluation.

IOC (Attacker IPs):

45.146.164.15
67.202.216.194
209.141.33.226
183.57.18.186
167.98.184.6
34.227.121.223
65.124.187.154
107.152.127.190
74.120.44.66
70.98.52.141
144.121.77.34
162.43.198.100
24.173.20.130
192.0.100.121
203.199.72.210
70.102.106.66
34.205.208.125
52.17.98.131
64.19.77.134
205.250.171.58
207.99.76.20
208.105.178.30
64.39.99.230
184.71.110.118
64.39.99.197
64.39.99.246
54.88.149.100
69.193.159.2
204.141.21.156
61.160.215.21
50.239.218.222
71.164.82.98
64.141.27.66
68.118.118.226
128.177.30.162
107.130.178.41
209.141.61.233
64.39.111.60
138.197.142.180
62.8.108.89
64.139.53.114
38.140.141.210
10.100.6.180
24.103.47.50
91.216.32.25
216.235.247.146
50.202.87.195
196.46.54.18
64.39.99.70
64.39.99.13
64.39.99.74
172.30.131.7
64.39.108.132
64.39.99.58
216.171.185.30
64.39.99.69
64.39.99.213
192.168.21.220
64.39.99.252
64.39.99.65
64.39.99.251
198.46.104.42
64.39.108.51
209.53.168.82
64.39.99.61
64.39.99.93
154.59.121.145
207.207.37.172
64.39.99.247
50.235.254.58
64.39.99.233
74.62.85.138
64.39.99.226
187.44.110.185
64.39.99.243
64.39.108.47
64.39.99.210
204.186.244.226
64.39.99.94
23.30.178.61
64.39.108.38
203.71.63.9
64.39.99.92
154.59.121.144
81.82.218.18
96.66.66.65
64.39.99.112
64.39.99.17
64.39.99.235
64.39.99.52
167.98.182.132
64.39.99.64
64.39.99.231
64.39.108.129
192.248.233.26
91.216.32.24
172.31.48.102
118.163.176.200
204.14.69.210
161.11.129.109
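The following triage script is an added example written for this advisory; it is not SonicWall's IPS signature logic and not Struts project code. It shows how a defender can flag requests that carry the forced OGNL evaluation syntax the Problem section describes (%{...}), raise the confidence when a request also contains the sandbox-tampering markers named in the exploit description (excludedClasses, excludedPackageNames, BeanMap, SecurityMemberAccess, freemarker.template.utility.Execute), and cross-check the client address against the IOC list above. The log-line format, the ${...} pattern and the sample requests are assumptions constructed for the example; the IOC subset is taken from the list above, and the script separates out the RFC 1918 entries in that list, which cannot be a remote attacker's public source address.

```python
"""Triage helper for Struts OGNL forced-evaluation attempts in web access logs.

Added example for this advisory; not SonicWall's IPS signature logic and not
Struts project code. Flags URL parameters (and path segments) carrying forced
OGNL evaluation syntax, raises confidence when the sandbox-tampering markers
named in the advisory are present, and checks the client IP against the IOC
list, marking private (RFC 1918 etc.) entries that cannot be a remote source.
"""
import ipaddress
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Markers named in the advisory; any of them inside a forced-evaluation
# request is treated as high confidence.
SANDBOX_TAMPER_TOKENS = (
    "excludedClasses",
    "excludedPackageNames",
    "SecurityMemberAccess",
    "BeanMap",
    "freemarker.template.utility.Execute",
)
# %{...} is the forced-evaluation syntax the advisory describes; matching
# ${...} as well is an assumption, since Struts tags accept that form too.
FORCED_EVAL = re.compile(r"[%$]\{")

# Subset of the advisory's IOC list, used here as sample data.
IOC_IPS = {"45.146.164.15", "209.141.33.226", "10.100.6.180", "172.30.131.7"}

# Assumed log format: '<client_ip> "<METHOD> <target> HTTP/<ver>"'.
LOG_LINE = re.compile(r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"$')


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo up to max_rounds of percent-encoding; payloads are often double-encoded."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_target(target: str) -> str:
    """Return 'high', 'medium' or 'none' for one request target (path?query)."""
    split = urlsplit(target)
    # parse_qsl already strips one encoding layer; fully_decode handles the rest.
    candidates = [fully_decode(split.path)]
    candidates += [fully_decode(v) for _, v in parse_qsl(split.query, keep_blank_values=True)]
    forced = any(FORCED_EVAL.search(c) for c in candidates)
    if not forced:
        return "none"
    tampering = any(tok in c for c in candidates for tok in SANDBOX_TAMPER_TOKENS)
    return "high" if tampering else "medium"


def ioc_status(client_ip: str) -> str:
    """'match' if listed and publicly routable; 'private-match' if listed but a
    private/loopback/link-local address (an internal scanner or NAT artefact,
    not the remote attacker); otherwise 'no-match'."""
    if client_ip not in IOC_IPS:
        return "no-match"
    return "private-match" if ipaddress.ip_address(client_ip).is_private else "match"


def triage(line: str) -> dict:
    """Parse one access-log line (assumed format) and combine both checks."""
    m = LOG_LINE.match(line)
    if not m:
        return {"verdict": "unparsed", "ioc": "no-match"}
    return {"verdict": classify_target(m["target"]), "ioc": ioc_status(m["ip"])}


# Constructed sample lines. The OGNL fragments are deliberately incomplete and
# only carry the markers the advisory names; the third line is double-encoded.
SAMPLE_LOG = [
    '198.51.100.7 "GET /app/list.action?page=2&sort=name HTTP/1.1"',
    '45.146.164.15 "GET /app/list.action?id=%25%7B%28%23m.excludedClasses%3D%7B%7D%29%7D HTTP/1.1"',
    '10.100.6.180 "GET /app/search.action?q=%2525%257Bname%257D HTTP/1.1"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(triage(line), line)
```

A "medium" verdict alone (forced-evaluation syntax without the tampering markers) is worth reviewing but is not proof of an attack, since some applications legitimately carry `%{` or `${` in parameters; the "high" verdict, or any verdict paired with a public IOC match, is what should page an analyst. The private-address entries in the IOC list are best treated as local scanner or proxy artefacts rather than blocked at the perimeter.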

Cybersecurity News & Trends – 12-18-20

This week, the massive SolarWinds breach made headlines around the world, but that doesn’t mean other hackers took a holiday.


SonicWall in the News

The 25 Hottest Edge Security Companies: 2020 Edge Computing 100 — CRN

  • SonicWall was recognized in CRN’s 2020 Edge Computing 100 list for its new SD-Branch and Cloud Edge Secure Access solutions.

Cyberattack ‘Leaves UK Infrastructure Exposed for Month’ — Newsweek

  • SonicWall President and CEO Bill Conner, who in recent years has advised the U.K. and U.S. governments on how best they can protect critical national assets from cybercrime, said the hackers appeared to be motivated by geopolitical control.

Cases of Cyber Ransomware Rising During COVID Pandemic — MSN

SonicWall Capture Labs Threat Research Team Warns of Egregor Ransomware Attacks — SME Channels

  • SonicWall Capture Labs Threat Research team warns that Egregor Ransomware attacks — which steal system information and banking and online account credentials, as well as deploy keyloggers and remote backdoors — will likely intensify.

SolarWinds Supply Chain Attack Led to FireEye, US Government Breaches — SDxCentral

  • Bill’s commentary on the U.S. Treasury hack was featured in an SDxCentral article about recent data breaches.

SonicWall Seeks The Bliss of The Predictable — ChannelPro Network

  • ChannelPro Network shared a feature on SonicWall’s SecureFirst Partner Program for its ChannelBeat column.

Industry News

SolarWinds Breach Potentially Gave Hackers ‘God Access’: Ex-White House Official — Newsweek

  • The SolarWinds breach potentially gave hackers “God access” or a “God door” to computer systems using the company’s Orion IT software, a former White House official has warned.

FireEye, Microsoft create kill switch for SolarWinds backdoor — Bleeping Computer

  • Microsoft, FireEye and GoDaddy have collaborated to create a kill switch for the SolarWinds Sunburst backdoor that forces the malware to terminate itself.

Little-Known SolarWinds Gets Scrutiny Over Hack, Stock Sales — Security Week

  • The revelation that elite cyber spies spent months exploiting SolarWinds’ software to peer into computer networks has put many of its high-profile customers on high alert — and it’s raising questions about whether company insiders knew of its security vulnerabilities as its biggest investors sold off stock.

Russia’s Hacking Frenzy Is a Reckoning — Wired

  • Despite years of warning, the U.S. still has no good answer for the sort of “supply chain” attack that has left Washington stunned.

Malicious Domain in SolarWinds Hack Turned into ‘Killswitch’ — Krebs on Security

  • A key malicious domain name used to control computer systems compromised via the months-long breach at SolarWinds was commandeered by security experts and used as a “killswitch” designed to turn the sprawling cybercrime operation against itself.

Schiff calls for ‘urgent’ work to defend nation in the wake of massive cyberattack — The Hill

  • House Intelligence Committee Chairman Adam Schiff, D-Calif., on Wednesday called on Congress to undertake “urgent work” to defend critical networks in the wake of a massive cyber espionage attack on the U.S. government.

FBI says DoppelPaymer ransomware gang is harassing victims who refuse to pay — ZDNet

  • FBI says the ransomware group has been calling victims and threatening to send individuals to their homes if they don’t pay the ransom.

“Evil mobile emulator farms” used to steal millions from US and EU banks — Ars Technica

  • Researchers from IBM Trusteer say they’ve uncovered a massive fraud operation that used a network of mobile device emulators to drain millions of dollars from online bank accounts in just days.

EU unveils revamp of cybersecurity rules days after hack — The Washington Times

  • The EU unveiled plans to revamp its dated cybersecurity rules, just days after data on a new coronavirus vaccine was unlawfully accessed in a hack attack on the European Medicines Agency.

45 million medical scans from hospitals all over the world left exposed online for anyone to view – some servers were laced with malware — The Register

  • CybelAngel, which sells a digital risk protection platform, reported not only was the sensitive personal information unsecured, but cybercriminals had also accessed those servers and poisoned them with apparent malware.

Microsoft: New malware can infect over 30K Windows PCs a day — Bleeping Computer

  • Microsoft has warned of an ongoing campaign pushing Adrozek, a new browser hijacking and credential-stealing malware which, at its peak, was able to take over more than 30,000 devices every day.

Massive Subway UK phishing attack is pushing TrickBot malware — Bleeping Computer

  • A massive phishing campaign pretending to be a Subway order confirmation has been spotted distributing the notorious TrickBot malware.

This new ransomware is growing in strength and could become a major threat warn researchers — ZDNet

  • The group behind MountLocker ransomware are “clearly just warming up,” researchers say.

In Case You Missed It