The sprawling SolarWinds cyberattack which came to light last December was known for its sophistication in the breadth of tactics used to infiltrate and persist in the target infrastructure, so much so that Microsoft went on to call the threat actor behind the campaign “skillful and methodic operators who follow operations security (OpSec) best practices to minimize traces, stay under the radar, and avoid detection.”

As further proof of this, new research published today shows that the threat actor carefully planned each stage of the operation to “avoid creating the type of patterns that make tracking them simple,” thus deliberately making forensic analysis difficult.

By analyzing telemetry data associated with previously published indicators of compromise, RiskIQ said it identified an additional set of 18 servers with high confidence that likely communicated with the targeted, secondary Cobalt Strike payloads delivered via the TEARDROP and RAINDROP malware, representing a 56% jump in the attacker’s known command-and-control footprint.

The “hidden patterns” were uncovered through an analysis of the SSL certificates used by the group.
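As an added illustration of what pivoting on certificate attributes looks like (example code written for this page, not RiskIQ's method or data), the following Python expands a seed of known-bad servers through shared certificate fingerprints and shared subject/issuer pairs over a constructed set of passive-TLS observations. The IP addresses, fingerprints, and names are invented, and the fan-out cutoff that skips widely shared CDN certificates is an assumption about how to keep the pivot from sweeping in unrelated tenants.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CertObservation:
    """One passive-TLS observation: which server IP presented which certificate."""
    ip: str
    fingerprint: str   # SHA-1 of the certificate (shortened here for readability)
    subject_cn: str
    issuer: str


# Constructed sample data for illustration only; none of these are real SolarWinds IOCs.
OBSERVATIONS = [
    # The seed (known C2) presents a self-provisioned cert and, separately, a CDN cert.
    CertObservation("203.0.113.10", "f1", "updates.example-cdn.test", "Sectigo"),
    CertObservation("203.0.113.10", "cdn0", "*.cdn.example-host.test", "DigiCert"),
    # Same certificate file deployed on a second server: strong operator link.
    CertObservation("203.0.113.11", "f1", "updates.example-cdn.test", "Sectigo"),
    CertObservation("203.0.113.11", "f3", "stats.example-srv.test", "Sectigo"),
    # Different certificate, but same subject CN from the same issuer: weaker link.
    CertObservation("203.0.113.12", "f2", "updates.example-cdn.test", "Sectigo"),
    # Second hop: shares f3 with 203.0.113.11 only.
    CertObservation("203.0.113.13", "f3", "stats.example-srv.test", "Sectigo"),
] + [
    # Many unrelated tenants behind the same CDN certificate: must not be pivoted on.
    CertObservation(f"198.51.100.{i}", "cdn0", "*.cdn.example-host.test", "DigiCert")
    for i in range(1, 8)
]


def pivot_on_certificates(observations, seed_ips, max_hops=2, max_fanout=5):
    """Expand a seed set of known-bad IPs hop by hop through shared certificate
    attributes. Returns {new_ip: (linking_key, ip_it_was_reached_from)}.

    A key seen on more than max_fanout hosts is treated as shared hosting / CDN
    infrastructure and skipped, because pivoting on it would pull in innocent tenants.
    """
    by_fingerprint = defaultdict(set)
    by_subject = defaultdict(set)
    certs_of = defaultdict(list)
    for o in observations:
        by_fingerprint[o.fingerprint].add(o.ip)
        by_subject[(o.issuer, o.subject_cn)].add(o.ip)
        certs_of[o.ip].append(o)

    known = set(seed_ips)
    evidence = {}
    frontier = set(seed_ips)
    for _ in range(max_hops):
        next_frontier = set()
        for ip in sorted(frontier):
            for o in certs_of.get(ip, ()):
                links = (
                    (("fingerprint", o.fingerprint), by_fingerprint[o.fingerprint]),
                    (("subject", o.issuer, o.subject_cn), by_subject[(o.issuer, o.subject_cn)]),
                )
                for key, hosts in links:
                    if len(hosts) > max_fanout:
                        continue  # too widely shared to be attributable to one operator
                    for other in hosts:
                        if other not in known:
                            known.add(other)
                            evidence[other] = (key, ip)
                            next_frontier.add(other)
        frontier = next_frontier
        if not frontier:
            break
    return evidence


if __name__ == "__main__":
    for ip, (key, via) in pivot_on_certificates(OBSERVATIONS, {"203.0.113.10"}).items():
        print(f"{ip}  linked via {key} from {via}")
```

The fingerprint link is the strong one (the same certificate file deployed on two hosts); the subject/issuer link is weaker, and in practice second-hop results are leads to confirm against other telemetry rather than confirmed indicators.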

The development comes a week after the U.S. intelligence agencies formally attributed the supply chain hack to the Russian Foreign Intelligence Service (SVR). The compromise of the SolarWinds software supply chain is said to have given APT29 (aka Cozy Bear or The Dukes) the ability to remotely spy or potentially disrupt more than 16,000 computer systems worldwide, according to the U.S. government.

The intrusion set is tracked by the cybersecurity community under various monikers, including UNC2452 (FireEye), Nobelium (Microsoft), SolarStorm (Unit 42), StellarParticle (CrowdStrike), and Dark Halo (Volexity), because the tactics, techniques, and procedures (TTPs) observed in the campaign differ from those of known attacker profiles, APT29 included.

“Researchers or products attuned to detecting known APT29 activity would fail to recognize the campaign as it was happening,” said Kevin Livelli, RiskIQ’s director of threat intelligence. “They would have an equally hard time following the trail of the campaign once they discovered it, which is why we knew so little about the later stages of the SolarWinds campaign.”

Earlier this year, the Windows maker noted how the attackers went to great lengths to keep the initial backdoor (SUNBURST, aka Solorigate) and the post-compromise implants (TEARDROP and RAINDROP) as separate as possible so as to hinder efforts to spot their malicious activity. The separation meant that if the Cobalt Strike implants were discovered on a victim network, the discovery would not lead back to the compromised SolarWinds binary or to the supply chain attack that deployed them in the first place.

But according to RiskIQ, this is not the only step the APT29 actor took to cover its tracks, which included —

  • Purchasing domains via third-party resellers and at domain auctions under varying names to obscure ownership information, and buying up, over a span of several years, expired domains previously owned by legitimate organizations.
  • Hosting the first-stage attack infrastructure (SUNBURST) entirely in the U.S., the second-stage (TEARDROP and RAINDROP) primarily within the U.S., and the third-stage (GOLDMAX, aka SUNSHUTTLE) mainly in foreign countries.
  • Designing the attack code such that no two pieces of malware deployed in successive stages of the infection chain looked alike, and
  • Engineering the first-stage SUNBURST backdoor to wait roughly two weeks before beaconing to its command-and-control (C2) servers, and to beacon with random jitter thereafter, likely in an attempt to outlive the typical retention period of event logs on most host-based Endpoint Detection and Response (EDR) platforms.
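The last point is worth turning into a check. The Python below, an added example that is not part of the RiskIQ research and does not model SUNBURST's actual timing, runs over constructed proxy-log lines and flags destinations that a machine contacts at a regular-but-jittered interval, using the coefficient of variation of the inter-arrival times. The log format, host names, and thresholds are assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed proxy-log line shape: "<ISO-8601 UTC> host=<source> dst=<destination>"
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) dst=(?P<dst>\S+)$")


def _make_lines(host, dst, start, gaps_s):
    """Build constructed log lines: one connection at start, then one after each gap."""
    t = start
    lines = [f"{t.isoformat().replace('+00:00', 'Z')} host={host} dst={dst}"]
    for g in gaps_s:
        t += timedelta(seconds=g)
        lines.append(f"{t.isoformat().replace('+00:00', 'Z')} host={host} dst={dst}")
    return lines


T0 = datetime(2021, 4, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    # Implant: roughly hourly check-ins with random jitter (constructed, not SUNBURST traffic).
    _make_lines("WS-01", "cdn-updates.example.test", T0, [3600, 3790, 3450, 3610, 3920, 3300, 3650])
    # Human browsing: bursty, with no stable period.
    + _make_lines("WS-02", "news.example.test", T0, [5, 900, 30, 4000, 10, 2500])
)


def parse_line(line):
    """Return (timestamp, host, dst) or None for a line that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["host"], m["dst"]


def find_beacons(lines, min_events=6, max_cv=0.5):
    """Return {(host, dst): stats} for connection series whose inter-arrival times are
    regular enough to look machine-driven even with jitter: coefficient of variation
    (stdev / mean) at or below max_cv. Human traffic typically scores well above 1."""
    series = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, host, dst = parsed
            series[(host, dst)].append(ts)

    hits = {}
    for key, stamps in series.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits[key] = {
                "n": len(stamps),
                "mean_s": mean,
                "cv": cv,
                "span_days": (stamps[-1] - stamps[0]).total_seconds() / 86400,
            }
    return hits


if __name__ == "__main__":
    for (host, dst), stats in find_beacons(SAMPLE_LOG).items():
        print(f"{host} -> {dst}: {stats['n']} events, mean {stats['mean_s']:.0f}s, cv {stats['cv']:.3f}")
```

The detection only works over the window of logs you actually hold: an implant that waits two weeks before its first beacon is invisible to a host that retains a week of events, which is the point the bullet makes. Centralized proxy and DNS logs with retention longer than the longest dormancy you expect are the practical mitigation.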

“Identifying a threat actor’s attack infrastructure footprint typically involves correlating IPs and domains with known campaigns to detect patterns,” Livelli said.

“However, our analysis shows the group took extensive measures to throw researchers off their trail,” he added.

Password Reset

The IT service desk carries out many labor-intensive tasks every day, and few are as tedious and costly as resetting passwords.

Modern IT service desks spend a significant amount of time both unlocking and resetting passwords for end-users. This issue has been exacerbated by the COVID-19 pandemic.

Causes of account lockouts and password resets

End-user password policies, such as those enforced by Microsoft Active Directory Domain Services (AD DS), typically define a maximum password age: the length of time an end-user can keep their current password before they are required to change it.

While newer guidance from NIST (SP 800-63B) recommends against the long-held practice of periodic forced password changes, the practice is still a common, and often mandatory, control under other compliance standards and industry certifications such as PCI DSS and HITRUST.

When the password age is reached, the user must change their password, usually when prompted at the next login to their workstation. That prompt sets off a predictable chain of events: many end-users put off changing their password even when they are notified ahead of time.

Users also have mobile devices that store the account password, for example for email. If the user does not update every device after changing the password, those devices keep retrying the old credential, exceed the bad-password threshold, and lock the account. This adds to the confusion, because the end-user is typing the correct password on their workstation.
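Working out when a given account's password will expire is a routine service desk task, and the Active Directory attribute encodings trip people up. The following Python is an added example (not from Specops or Microsoft) that converts pwdLastSet and maxPwdAge, honors the DONT_EXPIRE_PASSWD flag and the must-change-at-next-logon sentinel, and classifies a constructed list of users. The user records and the domain policy are invented, and the seven-day warning window is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Active Directory stores pwdLastSet as a Windows FILETIME: 100-nanosecond ticks since
# 1601-01-01 UTC. maxPwdAge on the domain object is a NEGATIVE tick count (90 days is
# -77760000000000), and the special value below means "passwords never expire".
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_DAY = 864_000_000_000               # 10,000,000 ticks per second * 86,400 s
NEVER_EXPIRES_MAX_PWD_AGE = -0x8000000000000000
UF_DONT_EXPIRE_PASSWD = 0x10000               # userAccountControl flag on the user object
UF_NORMAL_ACCOUNT = 0x200

DOMAIN_MAX_PWD_AGE = -90 * TICKS_PER_DAY      # constructed domain policy: 90-day maximum age
NOW = datetime(2021, 5, 25, tzinfo=timezone.utc)   # constructed "current time" for the demo


def filetime_to_datetime(ticks):
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def filetime_at(year, month, day):
    """Helper for building constructed pwdLastSet values at midnight UTC."""
    return datetime_to_filetime(datetime(year, month, day, tzinfo=timezone.utc))


# Constructed user records shaped like the attributes an LDAP query returns; not real accounts.
USERS = [
    {"sAMAccountName": "alice",      "pwdLastSet": filetime_at(2021, 3, 1), "userAccountControl": UF_NORMAL_ACCOUNT},
    {"sAMAccountName": "bob",        "pwdLastSet": filetime_at(2021, 1, 1), "userAccountControl": UF_NORMAL_ACCOUNT},
    {"sAMAccountName": "carol",      "pwdLastSet": 0,                       "userAccountControl": UF_NORMAL_ACCOUNT},
    {"sAMAccountName": "dave",       "pwdLastSet": filetime_at(2021, 5, 1), "userAccountControl": UF_NORMAL_ACCOUNT},
    {"sAMAccountName": "svc-backup", "pwdLastSet": filetime_at(2019, 1, 1),
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD},
]


def password_expiry(pwd_last_set, max_pwd_age, user_account_control):
    """Return the UTC datetime at which the password expires, EPOCH_1601 if the user
    must change it at next logon (pwdLastSet == 0), or None if it never expires."""
    if user_account_control & UF_DONT_EXPIRE_PASSWD:
        return None
    if max_pwd_age in (0, NEVER_EXPIRES_MAX_PWD_AGE):
        return None
    if pwd_last_set == 0:
        return EPOCH_1601
    return filetime_to_datetime(pwd_last_set) + timedelta(microseconds=(-max_pwd_age) // 10)


def classify(users, max_pwd_age, now, warn_days=7):
    """Map sAMAccountName -> 'never' | 'expired' | 'expiring' | 'ok'."""
    result = {}
    for u in users:
        exp = password_expiry(u["pwdLastSet"], max_pwd_age, u["userAccountControl"])
        if exp is None:
            status = "never"
        else:
            days_left = (exp - now).total_seconds() / 86400
            if days_left < 0:
                status = "expired"
            elif days_left <= warn_days:
                status = "expiring"
            else:
                status = "ok"
        result[u["sAMAccountName"]] = status
    return result


if __name__ == "__main__":
    for name, status in classify(USERS, DOMAIN_MAX_PWD_AGE, NOW).items():
        print(f"{name:12s} {status}")
```

A fine-grained password policy (PSO) applied to a user overrides the domain maxPwdAge, so in a real query read msDS-ResultantPSO for the user before applying the domain value; that lookup is left out here.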

What are the costs of account lockouts and password resets?

It might seem like a simple password reset is a trivial matter with no real cost to the business, but the data shows otherwise. A study by the Gartner Group found that between 20% and 50% of all service desk calls were for password resets, and Forrester Research estimates that the average help desk labor cost of a single password reset can be upwards of $70.

You may wonder, how is this possible?

First, an organization that follows best-practice security processes (as it should) must verify the identity of the user requesting a password change before the change is made. The reason is that an attacker may use social engineering to persuade the service desk to reset a legitimate user's password, which hands the attacker valid credentials and can lead to a compromise of the environment. Verifying end-user identity by manual means is time-consuming.

Next, businesses may still be using interconnected legacy systems that require manually changing passwords in multiple places rather than a single change flowing across the environment seamlessly. The manual process required for the helpdesk team to ensure a password is changed correctly may be labor-intensive.

It can require the helpdesk team to log in and use many different tools for changing a password in multiple systems for a single user account. Finally, the end-user may be “dead in the water” waiting on the IT service desk to assist with unlocking a locked user account or resetting a password. The time spent where an end-user is locked out and unable to perform their work duties in itself will result in impacted business processes and will ultimately cost the business.

What tools reduce the cost of account lockouts and password resets?

Organizations looking to reduce the cost of account lockouts and password resets can significantly benefit from Self-Service Password Reset (SSPR) tools. Much as the name implies, an SSPR solution allows end-users to unlock their account and reset their passwords using a self-service workflow.

End-users have to enroll, or be enrolled by system admins ahead of time, in the SSPR solution. The user-led enrollment process lets the end-user configure the multi-factor verification methods that will later be used to prove their identity before a self-service action is allowed. It may include pairing an authenticator app such as Google Authenticator, mobile verification by text message or phone call, or other means. If led by the admin, this can require pre-filling the required verifier information in users' Active Directory profiles.

Once the end-user enrolls/is enrolled in the solution, they can visit a web portal to begin the workflows to unlock their account or reset their password. They can do this without any involvement or intervention from the IT helpdesk. As you can imagine, this can reap tremendous benefits in terms of offloading the workflow from the service desk and allowing the end-user to take care of triaging their account issues.

SSPR solutions are only as good as the number of end-users who are enrolled. A good SSPR solution allows administrators to have the tools needed to onboard users programmatically. This capability includes pre-enrolling users, which doesn’t require effort from admins or end-users as the system would rely on existing Active Directory identifier data to enable users to use authentication methods that rely on that data. When this option is present in SSPR solutions, it can dramatically increase the adoption of the SSPR solution across the board.

Lowering password reset costs with Specops uReset SSPR

An effective SSPR solution provides the tools and capabilities needed for businesses to quickly give end-users easy enrollment capabilities and perform self-service account workflows. Specops uReset is a robust Self-Service Password Reset solution that effectively allows companies to eliminate password reset calls to their IT helpdesk.

It provides the following capabilities:

  • Enables users to reset their Active Directory passwords securely
  • Users can use any device and can reset their password from anywhere
  • Enrollment enforcement
  • Users can initiate the password reset process from a browser, mobile device, or right from the Windows logon screen
  • It allows companies to implement a series of multi-factor authentication requirements that align with the business cybersecurity policies
  • It includes geo-blocking
  • Administrators have access to PowerShell scripts to quickly onboard users into uReset.

Specops uReset self-service workflow

When users are locked out of their account or have forgotten their password, the Specops web portal allows them to unlock their account quickly.

Specops uReset allows quickly unlocking accounts and resetting passwords

The end-user is asked to verify their identity using the first of the configured multi-factor verification methods.

Mobile Code verification in Specops uReset

The user is then prompted for the second configured form of multi-factor authentication. As the screenshot below shows, Specops accumulates a required number of “stars” across the configured authentication mechanisms; here three stars are needed for verification, but the number is configurable and can span multiple verification methods.

A second form of multi-factor authentication is needed for identity verification

The end-user enters the code from Google authenticator.

Entering the code from Google authenticator

Specops uReset mandatory enrollment

Specops provides effective tools to enforce end-user enrollment into Specops uReset. One of those tools is the Enrollment reminder mode. Organizations can implement mandatory enrollment using the option Start unclosable fullscreen browser.

With an unclosable browser window, end-users cannot defer enrollment and must complete it in uReset. The setting can then be assigned to all users via an Active Directory Group Policy Object.

Setting the enrollment reminder mode with Specops

Wrapping Up

Account unlock and password reset activities are incredibly costly to IT helpdesk operations. According to researchers, these activities can add up to over $70 per password reset. Self-Service Password Reset (SSPR) solutions provide the means to allow end-users to perform these activities themselves without involvement from the service desk.

Specops uReset is a robust SSPR solution providing the tools needed for organizations to effectively implement self-service capabilities for end-users to triage their account lockouts and password resets without helpdesk involvement.

It offers robust capabilities, including easy onboarding, configurable multi-factor authentication, enrollment enforcement, geo-blocking, and many other capabilities.

Learn more about Specops uReset here.

Adversaries are increasingly abusing Telegram as a “command-and-control” system to distribute malware into organizations that could then be used to capture sensitive information from targeted systems.

“Even when Telegram is not installed or being used, the system allows hackers to send malicious commands and operations remotely via the instant messaging app,” said researchers from cybersecurity firm Check Point, who have identified no fewer than 130 attacks over the past three months that make use of a new multi-functional remote access trojan (RAT) called “ToxicEye.”

The use of Telegram for facilitating malicious activities is not new. In September 2019, an information stealer dubbed Masad Stealer was found to plunder information and cryptocurrency wallet data from infected computers using Telegram as an exfiltration channel. Then last year, Magecart groups embraced the same tactic to send stolen payment details from compromised websites back to the attackers.

The strategy pays off in a number of ways. Telegram is not blocked by enterprise antivirus engines, and the messaging app lets attackers remain anonymous, since registration requires only a mobile number, while giving them access to infected devices from virtually any location in the world.

The latest campaign spotted by Check Point is no different. Spread via phishing emails carrying a malicious Windows executable, ToxicEye uses Telegram to communicate with its command-and-control (C2) server and upload data to it. The malware also supports a range of capabilities that allow it to steal data, transfer and delete files, terminate processes, deploy a keylogger, hijack the computer's microphone and camera to record audio and video, and even encrypt files for a ransom.

Specifically, the attack chain begins with the attacker creating a Telegram bot, which is embedded in the RAT's configuration file before the RAT is compiled into an executable (e.g., “paypal checker by saint.exe”). This .EXE file is then embedded in a decoy Word document (“solution.doc”) that, when opened, downloads and runs the Telegram RAT (“C:\Users\ToxicEye\rat.exe”).
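As an added example (written for this page, not Check Point's detection logic), the Python below scans constructed proxy events, each joined to the process that made the request, for Telegram Bot API calls from processes that are not approved to use it. The regular expression only approximates the shape of a bot token as it appears in the URL, the allowlist is illustrative, and the rat.exe path is the one Check Point reported above; every other host, path, and token is invented.

```python
import re
from collections import namedtuple

# Approximate shape of a Bot API request: numeric bot id, colon, opaque secret, then the
# method name. Assumption about the URL layout, not a documented grammar.
BOT_URL_RE = re.compile(
    r"^https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})/(?P<method>[A-Za-z]+)"
)

# (host, process) pairs approved to use the Bot API, e.g. an alerting script. Illustrative.
ALLOWLIST = {("SRV-MON", r"C:\Python39\python.exe")}

Event = namedtuple("Event", "ts host process url")

# Constructed telemetry: proxy log joined with the originating process. Tokens are fake.
SAMPLE_EVENTS = [
    Event("2021-04-20T10:00:03Z", "WS-07", r"C:\Users\ToxicEye\rat.exe",
          "https://api.telegram.org/bot123456789:AAHexampleexampleexampleexampleexa/getUpdates?offset=1"),
    Event("2021-04-20T10:00:09Z", "WS-07", r"C:\Users\ToxicEye\rat.exe",
          "https://api.telegram.org/bot123456789:AAHexampleexampleexampleexampleexa/sendDocument"),
    Event("2021-04-20T10:01:00Z", "SRV-MON", r"C:\Python39\python.exe",
          "https://api.telegram.org/bot987654321:BBGexampleexampleexampleexampleexb/sendMessage"),
    Event("2021-04-20T10:02:00Z", "WS-02", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          "https://web.telegram.org/k/"),
    Event("2021-04-20T10:03:30Z", "WS-09", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "https://api.telegram.org/bot555555555:CCJexampleexampleexampleexampleexc/sendMessage"),
]


def find_bot_api_c2(events, allowlist=ALLOWLIST):
    """Flag processes talking to the Telegram Bot API that are not on the allowlist.
    The token secret is an attacker credential and is deliberately not returned; the
    numeric bot id is enough to group hits and to report the bot to Telegram."""
    hits = []
    for e in events:
        m = BOT_URL_RE.match(e.url)
        if not m or (e.host, e.process) in allowlist:
            continue
        hits.append({"ts": e.ts, "host": e.host, "process": e.process,
                     "bot_id": m["bot_id"], "method": m["method"]})
    return hits


def hosts_per_bot(hits):
    """Group flagged hosts by bot id: one bot id on many hosts is one campaign."""
    groups = {}
    for h in hits:
        groups.setdefault(h["bot_id"], set()).add(h["host"])
    return groups


if __name__ == "__main__":
    for h in find_bot_api_c2(SAMPLE_EVENTS):
        print(f"{h['ts']} {h['host']} {h['process']} bot={h['bot_id']} {h['method']}")
```

Note what this does not catch: the Telegram desktop and web clients speak MTProto rather than the Bot API, so ordinary user traffic is not flagged, and a RAT that routes its Telegram traffic through a browser process would need a different control. If the organization has no business use for the Bot API, blocking api.telegram.org at the proxy is simpler than any detection.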

“We have discovered a growing trend where malware authors are using the Telegram platform as an out-of-the-box command-and-control system for malware distribution into organizations,” Check Point R&D Group Manager Idan Sharabi said. “We believe attackers are leveraging the fact that Telegram is used and allowed in almost all organizations, utilizing this system to perform cyber attacks, which can bypass security restrictions.”

Facebook on Wednesday said it took steps to dismantle malicious activities perpetrated by two state-sponsored hacking groups operating out of Palestine that abused its platform to distribute malware.

The social media giant attributed the attacks to a network connected to the Preventive Security Service (PSS), the security apparatus of the State of Palestine, and another threat actor known as Arid Viper (aka Desert Falcon and APT-C-23), the latter of which is alleged to be connected to the cyber arm of Hamas.

The two digital espionage campaigns, active in 2019 and 2020, targeted a range of devices and platforms, including Android, iOS, and Windows, with the PSS cluster going primarily after domestic audiences in Palestine. The other set of attacks went after users in the Palestinian territories and Syria and, to a lesser extent, Turkey, Iraq, Lebanon, and Libya.

Both the groups appear to have leveraged the platform as a springboard to launch a variety of social engineering attacks in an attempt to lure people into clicking on malicious links and installing malware on their devices. To disrupt the adversary operations, Facebook said it took down their accounts, blocked domains associated with their activity, and alerted users it suspects were singled out by these groups to help them secure their accounts.

Android Spyware in Benign-Looking Chat Apps

PSS is said to have used custom-built Android malware that was disguised as secure chat applications to stealthily capture device metadata, capture keystrokes, and upload the data to Firebase. In addition, the group deployed another Android malware called SpyNote that came with the ability to monitor calls and remotely access the compromised phones.

This group used fake and compromised accounts to create fictitious personas, often posing as young women, and also as supporters of Hamas, Fatah, various military groups, journalists, and activists with an aim to build relationships with the targets and guide them toward phishing pages and other malicious websites.

“This persistent threat actor focused on a wide range of targets, including journalists, people opposing the Fatah-led government, human rights activists and military groups including the Syrian opposition and Iraqi military,” Facebook researchers leading the cyber espionage investigations said.

A Sophisticated Espionage Campaign

Arid Viper, on the other hand, was observed incorporating a new custom iOS surveillanceware dubbed “Phenakite” in their targeted campaigns, which Facebook noted was capable of stealing sensitive user data from iPhones without jailbreaking the devices prior to the compromise. Phenakite was delivered to users in the form of a fully functional but trojanized chat application named MagicSmile hosted on a third-party Chinese app development site that would surreptitiously run in the background and grab data stored on the phone without the user’s knowledge.

The group also maintained a huge infrastructure comprising 179 domains that were used to host malware or acted as command-and-control (C2) servers.

“Lure content and known victims suggest the target demographic is individuals associated with pro-Fatah groups, Palestinian government organizations, military and security personnel, and student groups within Palestine,” the researchers added.

Facebook suspects Arid Viper used the iOS malware in only a handful of cases, suggesting a highly targeted operation. At the same time, the Hamas-linked hackers maintained an evolving set of Android spyware apps that claimed to offer dating, networking, and regional banking services in the Middle East, and also disguised the malware as fake updates for legitimate apps such as WhatsApp.

Once installed, the malware urged victims to disable Google Play Protect and give the app device admin permissions, using the entrenched access to record calls, capture photos, audio, video, or screenshots, intercept messages, track device location, retrieve contacts, call logs, and calendar details, and even notification information from messaging apps such as WhatsApp, Instagram, Imo, Viber, and Skype.

To add a layer of indirection, the malware then contacted a number of attacker-controlled sites, which in turn supplied the implant with the address of the C2 server used for data exfiltration.

“Arid Viper recently expanded their offensive toolkit to include iOS malware that we believe is being deployed in targeted attacks against pro-Fatah groups and individuals,” Facebook researchers said. “As the technological sophistication of Arid Viper can be considered to be low to medium, this expansion in capability should signal to defenders that other low-tier adversaries may already possess, or can quickly develop, similar tooling.”

Today there are plenty of cybersecurity tools on the market. It is now more important than ever that the tools you decide to use work well together. If they don’t, you will not get the complete picture, and you won’t be able to analyze the entire system from a holistic perspective.

This means that you won’t be able to do the right mitigations to improve your security posture. Here are examples of two tools that work very well together and how they will help you to get a holistic view of your cybersecurity posture.

Debricked – Use Open Source Securely

How is Open Source a Security Risk?

Open source is not a security risk per se; it’s more secure than proprietary software in many ways! With the code being publicly available, it’s a lot easier for the surrounding community to identify vulnerabilities, and fixes can be done quickly.

What you do need to keep in mind, though, is that vulnerabilities in open source are publicly disclosed and visible to anyone who looks. If an attacker wants to find a vulnerability in your system built on open source, they probably don't need to put in much effort: it's all out there, open for everyone to see.

How does open-source security work?

The most common aspect of open-source security is, as explained above, vulnerabilities. But according to Debricked, there are three main areas to keep in mind: vulnerabilities, licenses, and health.

The main problem that affects all three areas is the fact that the intake of packages usually isn’t preceded by a lot of research. Developers typically don’t have time to worry about bringing new vulnerabilities or non-compliant licenses into the codebase.

Debricked’s tool solves this problem, allowing developers to spend less time on security and more time on doing what they’re there to do – write code. This is done by identifying vulnerabilities and non-compliant packages, suggesting solutions, and finally preventing new ones from being imported.

How can my open-source security be improved when using Debricked’s tool?

As stated above, it enables you to get more control while letting go at the same time: you get a better overview of vulnerabilities and licenses while spending less time and energy on manual security work.

Innovative features

Debricked likes to focus on two main things:

First and foremost, data quality. Debricked uses an array of sources, not just the traditional ones, to build its vulnerability database. The tool is based on machine learning, which helps it find new vulnerabilities faster and more accurately than a human could. As of right now, Debricked reports a precision of over 90% in most of the languages it supports, and it is constantly looking for new ways to improve.

The latest addition to the offering, so new that it is not yet available in the tool, is what Debricked calls Open Source Health. OSH is a way of quantitatively measuring the well-being of open source projects. It gives data on a series of aspects, such as security (how quickly does the project disclose vulnerabilities?), community health (are the core maintainers still active?), and popularity (how many commits have been made in the past year, and is the number decreasing?), among many others. It minimizes the time needed to research a package before importing it and makes it easier to make informed decisions.

securiCAD by foreseeti – Continuously Manage Your Security Risk Posture with Attack Simulations

securiCAD by foreseeti is a leading tool for managing your cybersecurity risk posture. It enables users to get a holistic, in-depth view of that posture, triage and prioritize the risks, and identify and prioritize the mitigation actions with the best risk-reducing effect. This is done through award-winning automated threat modeling and attack simulations.

The simulations can be run continuously in your cloud or on-prem environment – providing your security and DevOps teams with continuous risk insights and proactive mitigation action advice. And as the simulations are conducted on digital twins/models of your environments, you do not interfere with your live environment and can test different what-if scenarios and mitigations at no risk in the model.

The science behind the product is based on decades of research at the KTH Royal Institute of Technology in Stockholm. securiCAD simplifies keeping control over your environment: it helps prevent breaches by analyzing your configurations, letting you detect misconfigurations and potential lateral movement paths, and prioritize vulnerabilities.

The securiCAD Concept


Generate Model:

The digital twin model can be created automatically by importing data via the securiCAD APIs. In cloud environments such as AWS and Azure, you simply import the cloud configuration data; if you have vulnerability scan data, you can import that into the model as well. The digital twin of your environment is then generated automatically.

The logic is the same in on-prem environments. You can also build a model manually, which is how threat modeling is done at the design stage, before anything is deployed. After providing securiCAD with the model data, you define the high-value assets and choose the attacker profile.

Simulate attacks:

One of the best things about the simulation step is that it runs on a digital twin model of your environment, so no test will in any way affect your live environment. After you have set the parameters, the tool automatically simulates thousands of attacks against the digital twin. The simulated attacker tries all possible attack steps and attempts to reach and compromise every part of the infrastructure.

Manage Risk Exposure – Find, prioritize and mitigate:

Each simulation results in a report with detailed information, including:

  • Visualization of your environment
  • Risk Exposure for all the high-value assets combined.
  • Critical Paths for attackers to reach your high-value assets.
  • Chokepoints in your architecture: assets through which attacks on consequential attack steps converge in the model.
  • Threat Summary with ranked threats and descriptions.
  • Suggested Mitigations to lower your risk exposure.

Combining the Tools

Data from Debricked

Since the most common aspect of open-source security is vulnerabilities, it is important you get the right data and can base your decisions on what risks you should mitigate. That is why if you have any open source-based code in your project, you should include Debricked’s vulnerability database when analyzing your environment.

Predictive Attack Simulations from securiCAD by foreseeti

securiCAD supports data from third parties such as Debricked. This lets you gather all the data in one place, and since prioritization is done automatically, it is an effective use of your resources. Environments can be hard to visualize; securiCAD makes this easy, since all concepts, services, and configurations are represented in the digital twin, and if you combine it with, for example, Debricked's tool, you can also visualize the dependencies.

The Holistic View

It isn’t always the vulnerability with the highest severity that is the most dangerous one. It can often be the combination of several vulnerabilities that can be devastating. While Debricked provides the vulnerability data, securiCAD will analyze the architecture from a proactive and holistic point of view.

With the complete picture, you will find the weak spots in your environments – the critical paths for attackers to reach your high-value assets – and get insights into what you need to do to mitigate risks. Continuously, at scale, over time.
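To make the "highest severity is not always the most dangerous" point concrete, here is an added Python example, written for this page and not an implementation of securiCAD's simulation engine or of Debricked's data, that builds a small constructed attack graph, enumerates paths to a high-value asset, finds the chokepoint, and ranks fixes by how many paths they cut rather than by CVSS alone. All asset names, weaknesses, and scores are invented.

```python
from collections import Counter

# Constructed model: asset -> list of (next_asset, weakness, cvss). Illustrative only.
MODEL = {
    "internet":    [("web-app", "deserialization bug in an open-source library", 7.5),
                    ("vpn", "single-factor VPN login", 5.0)],
    "web-app":     [("app-server", "SSRF to internal API", 6.5)],
    "vpn":         [("app-server", "flat network, SMB reachable", 6.0)],
    "app-server":  [("customer-db", "database credentials in config file", 7.0)],
    "build-box":   [("legacy-box", "unauthenticated RCE", 9.8)],  # highest CVSS, reachable from nowhere
    "legacy-box":  [],
    "customer-db": [],
}


def reachable(model, start):
    """Every asset the attacker can get to from start."""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(nxt for nxt, _, _ in model.get(node, []))
    return seen


def attack_paths(model, start, target):
    """All simple paths from start to target, by depth-first search."""
    paths = []

    def walk(node, path):
        if node == target:
            paths.append(path)
            return
        for nxt, _, _ in model.get(node, []):
            if nxt not in path:
                walk(nxt, path + [nxt])

    walk(start, [start])
    return paths


def chokepoints(paths, start, target):
    """Intermediate assets that every attack path passes through."""
    if not paths:
        return set()
    common = set(paths[0]).intersection(*map(set, paths[1:]))
    return common - {start, target}


def rank_mitigations(model, paths):
    """Edges ordered by how many attack paths fixing them would cut, then by CVSS.
    Returns [((src, dst), paths_cut, cvss), ...]."""
    counts = Counter()
    for p in paths:
        for a, b in zip(p, p[1:]):
            counts[(a, b)] += 1

    def cvss(edge):
        return next(score for nxt, _, score in model[edge[0]] if nxt == edge[1])

    return sorted(((edge, n, cvss(edge)) for edge, n in counts.items()),
                  key=lambda t: (-t[1], -t[2]))


if __name__ == "__main__":
    paths = attack_paths(MODEL, "internet", "customer-db")
    print("paths:", paths)
    print("chokepoints:", chokepoints(paths, "internet", "customer-db"))
    for edge, n, score in rank_mitigations(MODEL, paths):
        print(f"{edge[0]} -> {edge[1]}: cuts {n} path(s), CVSS {score}")
```

In this model the 9.8 on legacy-box ranks nowhere because no path reaches it, while the 7.0 credentials-in-config weakness on app-server sits on every path and is the fix to make first; that ordering is what a pure CVSS sort would invert.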

Prominent Apple supplier Quanta on Wednesday said it suffered a ransomware attack from the REvil ransomware group, which is now demanding the iPhone maker pay a ransom of $50 million to prevent leaking sensitive files on the dark web.

In a post shared on its deep web “Happy Blog” portal, the threat actor said it came into possession of schematics of the U.S. company’s products such as MacBooks and Apple Watch by infiltrating the network of the Taiwanese manufacturer, claiming it’s making a ransom demand to Apple after Quanta expressed no interest in paying to recover the stolen blueprints.

“Our team is negotiating the sale of large quantities of confidential drawings and gigabytes of personal data with several major brands,” the REvil operators said. “We recommend that Apple buy back the available data by May 1.”

Since it was first detected in June 2019, REvil (aka Sodinokibi or Sodin) has emerged as one of the most prolific ransomware-as-a-service (RaaS) groups, and was among the earliest to adopt the so-called “double extortion” technique that other groups have since emulated to maximize their chances of making a profit.

The strategy seeks to pressure victim companies into paying up mainly by publishing a handful of files stolen from their extortion targets prior to encrypting them and threatening to release more data unless and until the ransom demand is met.

The main actor associated with advertising and promoting REvil on Russian-language cybercrime forums is called Unknown, aka UNKN. The ransomware is also operated as an affiliate service, wherein threat actors are recruited to spread the malware by breaching corporate network victims, while the core developers take charge of maintaining the malware and payment infrastructure. Affiliates typically receive 60% to 70% of the ransom payment.

Ransomware operators netted more than $350 million in 2020, a 311% jump from the previous year, according to blockchain analysis company Chainalysis.

The latest development also marks a new twist in the double extortion game, in which a ransomware cartel has gone after a victim’s customer following an unsuccessful attempt to negotiate ransom with the primary victim.

We have reached out to Quanta for comment, and we will update the story if we hear back.

However, in a statement shared with Bloomberg, the company said it worked with external IT experts in response to “cyber attacks on a small number of Quanta servers,” adding “there’s no material impact on the company’s business operation.”

Google on Tuesday released an update for Chrome web browser for Windows, Mac, and Linux, with a total of seven security fixes, including one flaw for which it says an exploit exists in the wild.

Tracked as CVE-2021-21224, the flaw is a type confusion vulnerability in the open-source V8 JavaScript engine that was reported to the company by security researcher Jose Martinez on April 5.

According to security researcher Lei Cao, the bug (Chromium issue 1195777) is triggered during integer data type conversion, resulting in an out-of-bounds condition that could be used to obtain an arbitrary memory read/write primitive.

“Google is aware of reports that exploits for CVE-2021-21224 exist in the wild,” Chrome’s Technical Program Manager Srinivas Sista said in a blog post.

The update comes after proof-of-concept (PoC) code exploiting the flaw, published by a researcher named “frust,” emerged on April 14. The PoC took advantage of the fact that the issue had already been fixed in the V8 source code but the patch had not yet been integrated into the Chromium codebase and shipped in the browsers that rely on it, such as Chrome, Microsoft Edge, Brave, Vivaldi, and Opera.

The one-week patch gap meant the browsers were vulnerable to attacks until the patches posted in the open-source code repository were released as a stable update.

It’s worth noting that Google halved the median “patch gap” from 33 days in Chrome 76 to 15 days in Chrome 78, which was released in October 2019, thereby pushing severe security fixes every two weeks.

The latest set of fixes also arrives close on the heels of an update the search giant rolled out last week with patches for two security vulnerabilities, CVE-2021-21206 and CVE-2021-21220, the latter of which was demonstrated at the Pwn2Own 2021 hacking contest earlier this month.

Chrome 90.0.4430.85 is expected to roll out in the coming days. Users can update to the latest version by heading to Settings > Help > About Google Chrome to mitigate the risk associated with the flaws.

SonicWall has addressed three critical security vulnerabilities in its hosted and on-premises email security (ES) product that are being actively exploited in the wild.

Tracked as CVE-2021-20021 and CVE-2021-20022, the flaws were discovered and reported to the company by FireEye’s Mandiant subsidiary on March 26, 2021, after the cybersecurity firm detected post-exploitation web shell activity on an internet-accessible system within a customer’s environment that had SonicWall’s Email Security (ES) application running on a Windows Server 2012 installation. A third flaw (CVE-2021-20023) identified by FireEye was disclosed to SonicWall on April 6, 2021.

FireEye is tracking the malicious activity under the moniker UNC2682.


“These vulnerabilities were executed in conjunction to obtain administrative access and code execution on a SonicWall ES device,” researchers Josh Fleischer, Chris DiGiamo, and Alex Pennino said.

“The adversary leveraged these vulnerabilities, with intimate knowledge of the SonicWall application, to install a backdoor, access files and emails, and move laterally into the victim organization’s network.”

A brief summary of the three flaws is below –

  • CVE-2021-20021 (CVSS score: 9.4) – Allows an attacker to create an administrative account by sending a crafted HTTP request to the remote host
  • CVE-2021-20022 (CVSS score: 6.7) – Allows a post-authenticated attacker to upload an arbitrary file to the remote host, and
  • CVE-2021-20023 (CVSS score: 6.7) – A directory traversal flaw that allows a post-authenticated attacker to read an arbitrary file on the remote host.

The administrative access not only enabled the attacker to exploit CVE-2021-20023 to read configuration files, including those containing information about existing accounts as well as Active Directory credentials, but also to abuse CVE-2021-20022 to upload a ZIP archive containing a JSP-based web shell called BEHINDER that’s capable of accepting encrypted command-and-control (C2) communications.


“With the addition of a web shell to the server, the adversary had unrestricted access to the command prompt, with the inherited permissions of the NT AUTHORITY\SYSTEM account,” FireEye said, adding the attacker then used “living off the land” (LotL) techniques to harvest credentials, move laterally across the network, and even “compress a subdirectory [that] contains daily archives of emails processed by SonicWall ES.”

In the incident observed by the firm, the threat actor is said to have escalated their attack by conducting an internal reconnaissance activity, albeit briefly, prior to being isolated and removed from the environment, thus foiling their mission. The true motive behind the intrusion remains unclear.

SonicWall users are advised to upgrade to the 10.0.9.6173 Hotfix for Windows and the 10.0.9.6177 Hotfix for hardware and ESXi virtual appliances. The SonicWall Hosted Email Security product was automatically patched on April 19, and hence no additional action is required.


Researchers have uncovered a new set of fraudulent Android apps in the Google Play store that were found to hijack SMS message notifications for carrying out billing fraud.

The apps in question primarily targeted users in Southwest Asia and the Arabian Peninsula, attracting a total of 700,000 downloads before they were discovered and removed from the platform.

The findings were reported independently by cybersecurity firms Trend Micro and McAfee.


“Posing as photo editors, wallpapers, puzzles, keyboard skins, and other camera-related apps, the malware embedded in these fraudulent apps hijacks SMS message notifications and then makes unauthorized purchases,” researchers from McAfee said in a Monday write-up.

The fraudulent apps belong to the so-called “Joker” (aka Bread) malware, which has been found to repeatedly sneak past Google Play defenses over the past four years, resulting in Google removing no fewer than 1,700 infected apps from the Play Store as of early 2020. McAfee, however, is tracking the threat under a separate moniker named “Etinu.”

The malware is notorious for perpetrating billing fraud and its spyware capabilities, including stealing SMS messages, contact lists, and device information. The malware authors typically employ a technique called versioning, which refers to uploading a clean version of the app to the Play Store to build trust among users and then sneakily adding malicious code at a later stage via app updates, in a bid to slip through the app review process.

The additional code injected serves as the first-stage payload, which masquerades as seemingly innocuous .PNG files and establishes a connection with a command-and-control (C2) server to retrieve a secret key that’s used to decrypt the file into a loader. This interim payload then loads the encrypted second payload, which is ultimately decrypted to install the malware.
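One triage check a defender can run on a suspect APK, given that the staged payload hides behind a .PNG extension, is to flag packaged files named *.png that lack the PNG file signature and measure their entropy (encrypted blobs sit near 8 bits per byte). This is an added example, not code from McAfee or Trend Micro; the function names and the constructed sample APK are hypothetical.

```python
import io
import math
import zipfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # eight-byte signature every real PNG starts with


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the input; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_fake_pngs(apk_bytes: bytes, entropy_threshold: float = 7.5) -> list:
    """Hypothetical triage helper: list entries named *.png inside an APK (a ZIP)
    whose contents do not begin with the PNG signature, with an entropy score."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if not info.filename.lower().endswith(".png"):
                continue
            data = apk.read(info.filename)
            if data.startswith(PNG_MAGIC):
                continue  # genuine image header, not interesting here
            ent = shannon_entropy(data)
            findings.append({
                "name": info.filename,
                "size": len(data),
                "entropy": round(ent, 2),
                "high_entropy": ent >= entropy_threshold,
            })
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample APK: one real PNG header, one .png that is really
    an opaque blob (every byte value appears equally often, so entropy is 8.0)."""
    blob = bytes((i * 7919 + 13) % 256 for i in range(4096))  # simulated encrypted stage
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("res/drawable/icon.png", PNG_MAGIC + b"\x00" * 64)
        z.writestr("assets/cache/img_01.png", blob)
        z.writestr("AndroidManifest.xml", b"<manifest/>")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in find_fake_pngs(build_sample_apk()):
        print(finding)
```

A hit is only a lead, since some legitimate apps also store non-image data under image extensions; the entropy score helps rank which entries to inspect first.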

McAfee’s investigation of the C2 servers revealed users’ personal information, including carrier, phone number, SMS messages, IP address, country, and network status, along with auto-renewing subscriptions.


The list of nine apps is below –

  • Keyboard Wallpaper (com.studio.keypaper2021)
  • PIP Photo Maker (com.pip.editor.camera)
  • 2021 Wallpaper and Keyboard (org.my.favorites.up.keypaper)
  • Barber Prank Hair Dryer, Clipper and Scissors (com.super.color.hairdryer)
  • Picture Editor (com.ce1ab3.app.photo.editor)
  • PIP Camera (com.hit.camera.pip)
  • Keyboard Wallpaper (com.daynight.keyboard.wallpaper)
  • Pop Ringtones for Android (com.super.star.ringtones)
  • Cool Girl Wallpaper/SubscribeSDK (cool.girly.wallpaper)

Users who have downloaded the apps are urged to check for any unauthorized transactions, while also taking steps to watch out for suspicious permissions requested by apps and carefully scrutinizing apps before they are installed on their devices.

“Judging by how Joker operators repeatedly ensure the malware’s persistence in Google Play even after being caught numerous times, most probably there are ways [the operators] are profiting from this scheme,” Trend Micro researchers said.