Cyber Security Weekly Briefing June 19-25

ElevenPaths    25 June, 2021

SonicWall fixes a critical vulnerability that had been partially fixed

In October last year, SonicWall fixed a critical buffer overflow vulnerability in SonicOS, tracked as CVE-2020-5135, which affected more than 800,000 SonicWall VPN devices. This flaw allowed unauthenticated attackers to remotely execute code on the affected device or cause a denial of service by sending specially crafted HTTP requests to the firewall. However, security researcher Craig Young now reveals that this patch left a memory information exposure flaw uncorrected. That flaw has been identified as CVE-2021-20019 and was not fixed until the most recent release of SonicOS.

More info: https://www.tripwire.com/state-of-security/featured/analyzing-sonicwalls-unsuccessful-fix-for-cve-2020-5135/

Zyxel alerts its customers of attacks against their devices

Zyxel has alerted customers via email about a series of attacks targeting the VPN systems, firewalls and load balancers that the company offers and that have remote management or SSL VPN enabled. Specifically, these attacks are said to target USG, ZyWALL, USG FLEX, ATP and VPN series network devices running the on-premises ZLD firmware. According to Zyxel, the attacker tries to access the device via the WAN and, if successful, attempts to bypass authentication and establish a VPN connection through an SSL tunnel with an unknown user account (e.g. “zyxel_slIvpn”, “zyxel_ts”, “zyxel_vpn_test”) to manipulate the device’s configuration. At this stage, it is not known whether the entry vector for these attacks is an old vulnerability present in unpatched devices or a new 0-day vulnerability. Nevertheless, Zyxel has shared a number of mitigation measures against this threat.

All the details: https://therecord.media/zyxel-says-a-threat-actor-is-targeting-its-enterprise-firewall-and-vpn-devices/

Matanbuchus: new Malware-as-a-Service

Researchers at Palo Alto Networks' Unit 42 have published details of a new Malware-as-a-Service (MaaS) called Matanbuchus Loader. This MaaS was first spotted in February this year on underground forums linked to the BelialDemon threat actor, who set a price of $2500 for its acquisition. The initial distribution vector for the artifact is an Excel document with malicious macros, which execute a file downloaded from an external domain. Matanbuchus has multiple capabilities, such as running .exe or .dll files in memory, leveraging the schtasks.exe scheduled task service for persistence, running PowerShell commands and using system executables to load DLL libraries. Palo Alto Networks has identified several organisations affected by this malware in the US and Belgium.

Learn more: https://unit42.paloaltonetworks.com/matanbuchus-malware-as-a-service/

DarkRadiation: New ransomware targeting GNU/Linux systems with worm-like functionality

Trend Micro researchers have analysed a recently discovered ransomware, named DarkRadiation, that targets GNU/Linux systems. It is implemented entirely in Bash, and most of its components target Red Hat and CentOS distributions and, to a lesser extent, Debian-based distributions. This ransomware uses the Telegram API for communication with the C&C server and has worm-like functionality via the SSH protocol. To evade detection it makes use of the open source obfuscation tool “node-bash-obfuscate”, with which the attackers obtain zero detections in VirusTotal. Researchers have observed that this ransomware is in continuous development, with multiple versions belonging to different campaigns.

More details: https://www.trendmicro.com/en_us/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html
