Posts

Cybersecurity News & Trends – 08-21-20

/0 Comments/in /by

This week, U.S. national security was at the forefront, with authorities working to secure voting systems ahead of the November elections, FBI and CISA issuing warnings about Linux malware and the U.S. Army detailing North Korea’s cyberattack strategies.

SonicWall Spotlight

Interview: Bill Conner, President and CEO, SonicWall — Infosecurity

  • With remote working likely to be far more common going forward, businesses are considering what they should do to adequately secure themselves.

How to Negotiate with Cyber Terrorists During a Pandemic — Bloomberg (United Kingdom)

  • According to SonicWall’s mid-year Cyber Threat Report, the number of ransomware attacks climbed 20% in the first half of the year, to a total of 121.4 million.
    *Syndicated on Yahoo! Finance UK, Washington Post and The Star

D&H Expands Hosted Security Offerings for MSPs, SMBs — Channelnomics

  • D&H Distributing is giving MSPs and SMBend customers access to SonicWall’s security solutions through a subscription model that removes upfront costs and offers predictable monthly payments.

Cybersecurity News

Taiwan says China behind cyberattacks on government agencies, emails — Reuters

  • Taiwan said hacking groups linked to the Chinese government had attacked at least 10 government agencies and some 6,000 government email accounts to steal important data.

FritzFrog malware attacks Linux servers over SSH to mine Monero — Bleeping Computer

  • A sophisticated botnet campaign named FritzFrog has been discovered breaching SSH servers around the world.

Ongoing Campaign Uses HTML Smuggling for Malware Delivery — Security Week

  • Referred to as Duri, the campaign attempts to evade network security solutions, including proxies and sandboxes, to deliver malicious code.

IRS Granted Tens of Thousands of Devices Network Access Without Proper Authentication — Nextgov

  • Most devices accessing the Internal Revenue Service’s internal network using wireless connections and virtual private networks weren’t authenticated, according to an audit.

U.S. Army Report Describes North Korea’s Cyber Warfare Capabilities — Security Week

  • A 332-page report, titled “North Korean Tactics,” details North Korean forces and their actions, with one chapter focusing on electronic intelligence warfare.

How a new federal policy for telling election officials about cyber-intrusions got put to use — Cyberscoop

  • An unidentified hacker reportedly spoofed the email account of a voting-equipment vendor and sent a phishing email to a local election official in Missouri.

NSA and FBI warn that new Linux malware threatens national security — Ars Technica

  • The FBI and NSA have issued a joint warning that Russian state hackers are using a previously unknown piece of Linux malware to infiltrate sensitive networks, steal confidential information, and execute malicious commands.

CISA Warns of Phishing Emails Delivering KONNI Malware — Security Week

  • The Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert providing information on attacks delivering the KONNI remote access Trojan (RAT).

CactusPete hackers go on European rampage with Bisonal backdoor upgrade — ZDNet

  • The APT is attacking banks and military organizations throughout Eastern Europe.

Lawmakers introduce bill to help election officials address cyber vulnerabilities — The Hill

  • Reps. John Katko (R-N.Y.) and Kathleen Rice (D-N.Y.) introduced legislation to provide election officials with enhanced cybersecurity resources, as authorities ramp up warnings of foreign interference in the upcoming U.S. elections.

In Case You Missed It

Citrix ADC and Gateway Authorization Bypass Vulnerability

/in /by

Citrix ADC is an application delivery and load balancing solution that provides a high-quality user experience for web, traditional, and cloud-native applications – regardless of where they are hosted. It also provides web application acceleration as well as a Gateway functionality. Citrix ADC and Gateway are accessed primarily via HTTPS on port 443/TCP.
Vulnerability(CVE-2020-8193)
An authorization bypass vulnerability exists in Citrix Application Delivery Controller and Gateway. The
vulnerability can let remote users to get a valid session ID on Web UI without authentication. A remote, unauthenticated attacker could exploit the vulnerability by sending crafted requests to the target server.
Successful exploitation can result in authentication bypass.

The NetScaler IP (NSIP) address is the IP address which is used to access the NetScaler appliance for management purpose over HTTP (port 80). To restrict the NSIP administrative Web UI from unauthenticated users, the Admin UI needs the remote user to login by using HTTP POST request.

After the remote users authenticate themselves, the server will generate a sessionID in the cookie for the
administrative session. An authorization bypass vulnerability exists in Citrix Application Delivery Controller and Gateway.Due to the design flaw this vulnerability can be triggered by posting to the report() function .

Based on the value specified in parameter type, the function report() will call the respective private functions
inside pcidss.php script. Due to the implementation flaw, the report function only checks the presence of “loginchallengeresponse” in the parameters of the POST request. This allows for authentication bypass and the attacker can get a valid session id which can later be used to gain direct access to the device.
Impact
A quick check on shodan reveals hundreds of vulnerable systems

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • IPS 15098:Citrix Products Authorization Bypass 1
  • IPS 15099:Citrix Products Authorization Bypass 2

Threat Graph

Vulnerable Products

Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7

Citrix has patched this vulnerability and the fix is available here.

Fake TikTok Beta steals TikTok, Facebook and Instagram credentials

/in /by

The popular social media app TikTok is getting banned in a number of countries. Fraudsters are using this opportunity to spread fake TikTok apps in an effort to infect and scam more victims. SonicWall Capture Labs threats research team identified one such fake TikTok app that tries to steal victim’s credentials of TikTok account by showing a fake login page.

Infection Cycle

  • Md5: 7bece16d84f38e36b531e4b22f298205
  • Package Name: insta.tiktok.in
  • Application Name: TikTok Beta

Upon installation and execution, we see a custom TikTok login page:

 

The fonts, colors and overall appearance of the login screen raises suspicion of a phishing/fake page.

On entering the credentials a 404 Page Not Found error is shown which further raises suspicion as popular apps handle such error conditions in a more professional and elegant way.

 

However if a victim as reached this far, his account is already compromised as the entered credentials are sent to the attacker’s server account-[redacted].000webhostapp.com as shown below:

 

Intelligence gathering

After further investigation of the domain we found the following links under Tik Tok Beta directory:

  • Tik Tok Beta.html – Login screen
  • Database420.txt – Stolen victim credentials as shown below:

 

 

We found similar directories for Facebook and Instagram on the same domain as well with a similar page – Database420.txt – for stolen credentials, indicating that authors behind this malware have multiple popular target apps in mind:

 

Phishing pages are a common medium in stealing sensitive user information. This app uses the popularity of TikTok to steal victim’s credentials. Someone with a keen sense of observation will easily spot the phishing page but as evident from one of the pages obtained on the server, few people were duped into entering their legitimate credentials.

One of the best way to safeguard against such threats is to install apps only from the Google Play Store and follow proper security practices.

SonicWall Capture Labs provides protection against this threat with the following signature:

  • Stealer.CR (Trojan)

 

Appendix

Fake login pages for TikTok, Facebook and Instagram:

 

 

Voidcrypt ransomware actively spreading in the wild

/in /by

The SonicWall Capture Labs threat research team observed reports of a new variant family of VoidCrypt ransomware [VoidCrypt.RSM] actively spreading in the wild.

The VoidCrypt ransomware encrypts the victim’s files with a strong encryption algorithm until the victim pays a fee to get them back.

Infection Cycle:

The ransomware adds the following files to the system:

  • Malware.exe
    •    %App.path%\ [Name]. < .Void >
    •    %App.path%\ Dycription.info.HTA > recovery instruction

Once the computer is compromised, the ransomware runs the following commands:

The ransomware encrypts all the files and appends the [Void] extension onto each encrypted file’s filename.

After encrypting all personal documents, the ransomware shows the following picture containing a message reporting that the computer has been encrypted and to contact its developer for unlock instructions.

 

We have been monitoring varying hits over the past few days for the signature that blocks this threat:

SonicWall Capture Labs threat research team provides protection against this threat via the following signatures:

  • GAV: VOIDCRYPT.RSM (Trojan)

 

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Cybersecurity News & Trends – 08-14-20

/0 Comments/in /by

This week marks one of the biggest launches in SonicWall history, bringing with it a comprehensive set of new solutions designed to increase security, simplify management and meet the challenges of today’s cybersecurity reality.

SonicWall Spotlight

SonicWall’s Biggest Launch To-Date Delivers Future-Proof Security, Remotely — CRN TV

  • CRN’s video discusses SonicWall CEO Bill Conner’s leadership and showcases the importance of SonicWall to the channel and the industry overall.

SonicWall Leads SMB Market To Resolve Stretched Security Budgets And Risks For Newly Extended Remote Workforces — Source Security

  • SonicWall is introducing new zero-touch enabled, multi-gigabit SonicWall TZ firewalls with SD-Branch capabilities, along with a redesigned cloud-native management console.

SonicWall Refreshes High End Both Enterprise and SMB Firewalls — ChannelBuzz

  • ChannelBuzz highlights the new versions of SonicWall’s firewalls and includes commentary from Bill Conner on the importance of the launch.

SonicWall Sounds Off On Next-Gen Security Line Up  — SDxCentral

  • SDxCentral explains how SonicWall’s Gen 7 offerings expand the company’s enterprise capabilities and strengthen its current portfolio of products.

SonicWall Ships High-Speed Firewalls for SMB and Branch Office Environments — The ChannelPro Network

  • In a feature on SonicWall’s Gen 7 launch, the ChannelPro Network discusses SonicWall’s new firewall appliances.

Cybersecurity News

Israel Says It Thwarted Cyber Attack Targeting Defense Industry — Bloomberg

  • Israel has announced it foiled a cyberattack targeting its defense industry by a shadowy group that the U.S. has linked to North Korea. .

Agent Tesla Spyware Adds Fresh Tricks to Its Arsenal — Threat Post

  • The RAT is surging in 2020, becoming more prevalent than even the infamous TrickBot or Emotet malware.

Trump Moves on China Apps May Create New Internet ‘Firewall’ — Security Week

  • A Trump administration ban on apps such as TikTok and WeChat risks fragmenting an already fragile global internet and creating an American version of China’s “Great Firewall.

Avaddon ransomware launches data leak site to extort victims — Bleeping Computer

  • The Avaddon ransomware operators’ site will be used to publish the stolen data of victims who do not pay a ransom demand.

Hacked government, college sites push malware via fake hacking tools — Bleeping Computer

  • A large scale hacking campaign appears to offer articles on hacking social network accounts, but instead delivers malware and scams.

UN reports sharp increase in cybercrime during pandemic — The Washington Times

  • A 350% increase in phishing websites was reported in Q1 2020, many targeting hospitals and health care systems responding to the COVID-19 pandemic

Magecart group uses homoglyph attacks to fool you into visiting malicious websites — ZDNet

  • A new campaign is utilizing the Inter kit and favicons to hide skimming activities.

Maryland officials warn gun dealers about phishing scams — The Washington Times

  • Authorities in Maryland have issued an advisory about an apparent email phishing scam targeting firearms dealers in the state.

In Case You Missed It

Microsoft Security Bulletin Coverage for August 2020

/in /by

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of August 2020. A list of issues reported, along with SonicWall coverage information are as follows:

CVE-2020-1380 Scripting Engine Memory Corruption Vulnerability
IPS 15107:Scripting Engine Memory Corruption Vulnerability (CVE-2020-1380)
IPS 15109:Scripting Engine Memory Corruption Vulnerability (CVE-2020-1380)2

CVE-2020-1464 Windows Spoofing Vulnerability
ASPY 5983:Malformed-File msi.MP.1

CVE-2020-1472 Netlogon Elevation of Privilege Vulnerability
IPS 15143:Windows Netlogon Elevation of Privilege Vulnerability(CVE-2020-1472)

CVE-2020-1480 Windows GDI Elevation of Privilege Vulnerability
IPS 2282:BAD-FILES: Suspicious Executable File Download 9

CVE-2020-1529 Windows GDI Elevation of Privilege Vulnerability
ASPY 5982:Malformed-File exe.MP.150

CVE-2020-1566 Windows Kernel Elevation of Privilege Vulnerability
ASPY 5452:Malformed-File exe.MP.64

CVE-2020-1567 MSHTML Engine Remote Code Execution Vulnerability
IPS 15105:MSHTML Engine Remote Code Execution (CVE-2020-1567)

CVE-2020-1570 Scripting Engine Memory Corruption Vulnerability
IPS 15106:Scripting Engine Memory Corruption Vulnerability (CVE-2020-1570)

CVE-2020-1578 Windows Kernel Information Disclosure Vulnerability
ASPY 5981:Malformed-File exe.MP.152

CVE-2020-1584 Windows dnsrslvr.dll Elevation of Privilege Vulnerability
ASPY 5980:Malformed-File exe.MP.151

CVE-2020-1587 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
ASPY 5979:Malformed-File exe.MP.153

Adobe Coverage:

CVE-2020-9697 Acrobat Reader Disclosure of Sensitive Data
ASPY 5984:Malformed-File pdf.MP.334

CVE-2020-9693 Acrobat Reader Arbitrary Code Execution
ASPY 5985:Malformed-File pdf.MP.335

Following vulnerabilities do not have exploits in the wild :

CVE-2020-0604 Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1046 .NET Framework Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1337 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1339 Windows Media Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1377 Windows Registry Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1378 Windows Registry Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1379 Media Foundation Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1383 Windows RRAS Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1417 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1455 Microsoft SQL Server Management Studio Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-1459 Windows ARM Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1466 Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-1467 Windows Hard Link Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1470 Windows Work Folders Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2020-1473 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1474 Windows Image Acquisition Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1475 Windows Server Resource Management Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1476 ASP.NET and .NET Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1477 Media Foundation Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1478 Media Foundation Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1479 DirectX Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1483 Microsoft Outlook Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1484 Windows Work Folders Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1485 Windows Image Acquisition Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1486 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1487 Media Foundation Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1488 Windows AppX Deployment Extensions Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1489 Windows CSC Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1490 Windows Storage Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1492 Media Foundation Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1493 Microsoft Outlook Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1494 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1495 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1496 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1497 Microsoft Excel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1498 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1499 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-1500 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-1501 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-1502 Microsoft Word Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1503 Microsoft Word Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1504 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1505 Microsoft SharePoint Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1509 Local Security Authority Subsystem Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1510 Win32k Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1511 Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1512 Windows State Repository Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1513 Windows CSC Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1515 Windows Telephony Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1516 Windows Work Folders Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1517 Windows File Server Resource Management Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1518 Windows File Server Resource Management Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1519 Windows UPnP Device Host Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1520 Windows Font Driver Host Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1521 Windows Speech Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1522 Windows Speech Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1524 Windows Speech Shell Components Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1525 Media Foundation Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1526 Windows Network Connection Broker Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1527 Windows Custom Protocol Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1528 Windows Radio Manager API Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1530 Windows Remote Access Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1531 Windows Accounts Control Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1533 Windows WalletService Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1534 Windows Backup Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1535 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1536 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1537 Windows Remote Access Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1538 Windows UPnP Device Host Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1539 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1540 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1541 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1542 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1543 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1544 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1545 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1546 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1547 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1548 Windows WaasMedic Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1549 Windows CDP User Components Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1550 Windows CDP User Components Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1551 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1552 Windows Work Folder Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1553 Windows Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1554 Media Foundation Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1555 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1556 Windows WalletService Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1557 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1558 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1560 Microsoft Windows Codecs Library Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1561 Microsoft Graphics Components Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1562 Microsoft Graphics Components Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1563 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1564 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1565 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1568 Microsoft Edge PDF Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1569 Microsoft Edge Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1571 Windows Setup Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1573 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1574 Microsoft Windows Codecs Library Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1577 DirectWrite Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1579 Windows Function Discovery SSDP Provider Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1580 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1581 Microsoft Office Click-to-Run Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1582 Microsoft Access Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1583 Microsoft Word Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1585 Microsoft Windows Codecs Library Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1591 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2020-1597 ASP.NET Core Denial of Service Vulnerability
There are no known exploits in the wild.

Cybersecurity News & Trends – 08-07-20

/0 Comments/in /by

This week, hackers dominated the headlines. But from financial firms, to voting machines, to entire countries, many are beginning to mount a stronger defense.

SonicWall Spotlight

AT&T Cybersecurity: Do Secure VPNs, Don’t Pay Ransoms — SDxCentral

  • The author notes that, per SonicWall’s mid-year update to the 2020 Cyber Threat Report, there was a 20% jump in ransomware globally in the first half of 2020 compared to mid-year 2019, including a staggering 109% spike in the U.S.

3 Tips For Improving Your Cybersecurity Program This School Year — EdTech Magazine

  • As schools prepare to reopen, EdTech Magazine offers three ways districts can improve their cybersecurity programs.

Covid-19 pandemic: Russian hackers target UK, US and Canadian research — Pharmaceutical Technology

  • Security services in the UK, US and Canada have determined that Russian cyber hacking group APT29 has attempted to illicitly access Covid-19 research. SonicWall CEO Bill Conner discusses how state-sponsored espionage groups are targeting medical data.

Cybersecurity News

Insecure satellite Internet is threatening ship and plane safety — Ars Technica

  • At the Black Hat security conference, researcher James Pavur presented findings that show that satellite-based Internet is putting millions at risk despite safeguards implemented by providers.

How the US Can Prevent the Next ‘Cyber 9/11’ — Wired

  • In an interview with WIRED, former national intelligence official Sue Gordon discusses Russian election interference and other digital threats to democracy.

U.S. Government Launches Cyber Career Path Tool — Security Week

  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week announced the launch of a free tool designed to help users identify and navigate a potential career path.

U.S. coronavirus fraud losses near $100 million as COVID scams double — Reuters

  • U.S. losses from coronavirus-related fraud and identity theft have reached nearly $100 million, while complaints of COVID-19 scams have at least doubled in most states.

Financial Firms’ Cybersecurity Spending Jumps 15%, Survey Finds — Bloomberg

  • Big banks and other financial firms are spending 15% more this year to defend computer networks from cyber criminals, and the pandemic and work-from-home arrangements are probably spurring further increases.

Hackers Get Green Light to Test U.S. Voting Systems — The Wall Street Journal

  • Election Systems & Software, the top U.S. seller of voting-machine technology, is calling a truce in its feud with computer security researchers over the ways they probe for vulnerabilities of the company’s systems.

Hackers can abuse Microsoft Teams updater to install malware — Bleeping Computer

  • Microsoft Teams can still double as a Living off the Land binary (LoLBin) and help attackers retrieve and execute malware from a remote location.

Robots Running the Industrial World Are Open to Cyber Attacks — Bloomberg

  • According to a new report titled “Rogue Automation,” some robots have flaws that could make them vulnerable to advanced hackers, who could steal data or alter a robot’s movements remotely.

Interpol Warns of ‘Alarming’ Cybercrime Rate During Pandemic — Security Week

  • Global police body Interpol has warned of an “alarming” rate of cybercrime during the coronavirus pandemic.

CISA, DOD, FBI expose new versions of Chinese malware strain named Taidoor — ZDNet

  • U.S. government agencies say the Taidoor remote access trojan (RAT) has been used as far back as 2008.

Exclusive: China-backed hackers ‘targeted COVID-19 vaccine firm Moderna’ — Reuters

  • Chinese government-linked hackers targeted biotech company Moderna Inc., a U.S.-based coronavirus vaccine research developer, this year in a bid to steal data, according to a U.S. security official.

Hackers Are Targeting the Remote Workers Who Keep Your Lights On — Bloomberg

  • With many of the people who help keep the grid running now working from home, cyberattacks targeting the power sector have surged.

Hackers Broke Into Real News Sites to Plant Fake Stories — Wired

  • A disinformation operation broke into the content management systems of Eastern European media outlets in a campaign to spread misinformation about NATO.

In Case You Missed It

Chinese Remote Access Trojan Taidoor

/in /by

Overview:

SonicWall Capture Labs Threat Research Team recently observed activity for the Chinese Remote Access Trojan Taidoor. Taidoor is composed of two stages, the loader and RAT module. The loader starts the service and decrypts the second file. The loader uses its export function “MyStart” for the initial infection. The function will allocate memory space for a new file called “svchost.dll”.

Before the new file is called it will have to go through a series of routines to decrypt the contents of the file. The DLL uses RC4 encryption, the key is actually rebuilt using the following sting: “ar1zyAXt7d6556sAsvchUQc2”. Once filtered, the RC4 key will be: “ar1z7d6556sAyAXtUQc2”.

The RC4 algorithm is also used to decrypt the import names and other related strings.

DLL Loader Layer, Static Information:

Checking binary static information… (Not Corrupted)…

PDB:

Exports:

DllMain:

RC4 Prefiltered Key:

Dynamic Information:

Looking inside “MyStart” Export Routine:

Creating the RAT module:

Once the svchost dll is allocated in memory it will cycle the exports and located the “Start” export routine in the new dll.

Calling the call routine to start the Remote Access Trojan module:

Network Artifacts:

Command and Control Information:

  • cnaweb.mrslove.com
  • 210.68.69.82

Supported Systems:

  • Windows 10
  • Windows 8.1
  • Windows 8.0
  • Windows 7
  • Windows Vista

SonicWall, (GAV) Gateway Anti-Virus, provides protection against this threat:

  • GAV: Taidoor.LD

Appendix:

Sample SHA256 Hash: 4a0688baf9661d3737ee82f8992a0a665732c91704f28688f643115648c107d4

Fake Chinese Word Processing App installs an Infostealer Trojan

/in /by

The Sonicwall Capture Labs Research team has come across a Chinese word processor that comes packaged with an infostealer. This word processor comes as a Nullsoft installer and appears to be a legitimate notepad or Word application alternative.

Infection Cycle:

This Trojan comes as an NSIS installer and uses the following icon:

Upon execution, it guides the user through a typical software installation prompts and then launches the word processing app window.

However, upon further inspection, it appears that it launched the word processing app alongside another copy of AllRoundPad.exe.

Simultaneously, several connections to remote servers were made.

This Trojan has accessed personal information including browsing history, user IP, location among others. It also attempts to access and modify the system’s internet settings.

It creates .tmp files in the %temp% directory with information gathered regarding the victim’s machine. These are then later sent out to a remote server.

This installation comes with an uninstaller. However using the uninstaller only removes the word processing app and leaves behind a copy of the Trojan in the %temp% directory which is responsible for all the malicious behaviors observed.

We urge our users to only use official and reputable websites as their source of software programs. Always be vigilant and cautious when installing software applications particularly if you are not certain of the source.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Chindo.AB_4 (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

 

 

CVE-2020-5902: Hackers actively exploit critical Vulnerability in F5 BIG-IP

/in /by

BIG-IP

F5’s BIG-IP is a product family comprises software, hardware, and virtual appliances designed around application availability, access control, and security solutions. BIG-IP software products run on top of F5’s Traffic Management Operation System® (TMOS), designed specifically to inspect network and application traffic and make real-time decisions based on the configurations given. BIG-IP Configuration Utility is a Web GUI for F5 users to set up the BIG-IP product and to make additional changes.

Vulnerability | CVE-2020-5902

BIG-IP Web GUI is accessible over HTTPS on port 443/TCP via the following URL: https://<BIG-IP server>/tmui/login.jsp

A directory traversal vulnerability exists in the F5 BIG-IP product family. This is due to insufficient validation of the URI within the HTTP requests. By using a semicolon in URI, a remote attacker can bypass the access control policy set up on Apache and forward the malicious URI to the Tomcat backend server. When Tomcat normalizes the URI, any string followed by a semicolon will be ignored. The root cause of the vulnerability is how Apache and Tomcat parse the URL differently, allowing users to bypass the authentication and invoke JSP modules. Successful exploitation allows unauthenticated remote attackers to access the internal java binaries on the vulnerable server.

The following internal JSP files are wildly used to compromise:

/tmui/tmui/locallb/workspace/tmshCmd.jsp
/tmui/tmui/locallb/workspace/fileRead.jsp
/tmui/tmui/locallb/workspace/fileWrite.jsp

Exploit:

We observe the below http exploit requests targeting F5 BIG-IP servers vulnerable to CVE-2020-5902.

Impact:

A quick search on Shodan reveals more than 6000 BIG-IP servers exposed publicly over the internet. Over 2000 of those servers seem vulnerable to CVE-2020-5902.

Trend Chart:

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

IPS: 15070 F5 BIG-IP TMUI Remote Command Execution

Affected Products:

BIG-IP versions 11.6.1 – 11.6.5, 12.1.0 – 12.1.5,  13.1.0 – 13.1.3, 14.1.0 – 14.1.2, 15.1.0 and 15.0.0 – 15.0.1 are affected by this vulnerability.

Find vendor advisory here

IOC:

Attacker IP’s:

195.54.160.115
207.180.201.51
222.172.157.32
172.31.48.102
222.172.229.58
182.245.198.246
172.105.149.194
27.115.124.75
27.115.124.10
111.206.250.198
27.115.124.74
182.245.199.208
111.206.250.235
111.206.250.230
64.39.99.67
157.43.37.216
49.206.2.81
111.206.250.236
111.206.250.229
115.236.45.236
115.238.89.37
111.206.250.197
27.115.124.9
180.169.87.53
61.166.216.165