Vulnerability in SonicWall Network Security Manager
SonicWall has released security patches to fix a vulnerability affecting on-premises versions of the Network Security Manager (NSM) multi-user firewall management solution. Classified as CVE-2021-20026 with a CVSS score of 8.8, this flaw could be exploited without user interaction, although, as a mitigating factor, the attacker must already be authenticated on the system. It affects NSM 2.2.0-R10-H1 and earlier, but not the already fixed NSM versions 2.2.1-R6 and 2.2.1-R6 (Enhanced). In addition, the vulnerability only affects on-premises deployments of NSM; SaaS versions are unaffected. While the company has not indicated that there is any immediate danger of attackers exploiting this vulnerability, SonicWall is urging customers to remediate the flaw immediately.
Analysis of the malware used by threat actor Nobelium
Microsoft has published an analysis of the artefacts used in the initial stage of the USAID impersonation campaign by threat actor Nobelium, also known as APT29, which was behind the SolarWinds supply chain attack. There are four new malware families that have been identified:
- EnvyScout: allows the theft of NTLM credentials from Windows accounts and places a malicious ISO image on the compromised device. This malware has also been identified in a phishing campaign against the Belgian Embassy.
- Boombox: executable included in the ISO that acts as a downloader, fetching the encrypted malicious artefacts from Dropbox. It is also capable of collecting information about the Windows domain and forwarding it to a remote server in encrypted form.
- NativeZone: DLL that acts as a loader and starts automatically when a user logs on to Windows in order to launch CertPKIProvider.dll (VaporRage).
- VaporRage: DLL that has shellcode download and execution capabilities from C2 servers and with which attackers perform various malicious activities, including the installation of Cobalt Strike beacons.
Active exploitation of a 0-day vulnerability in the Fancy Product Designer plugin
An active exploitation campaign of a 0-day vulnerability has been detected in the WordPress Fancy Product Designer plugin, which is currently present on more than 17,000 websites and allows the display of products to be customised in WordPress, WooCommerce and Shopify. This is an unauthenticated remote code execution and arbitrary file upload vulnerability. It has been identified as CVE-2021-24370 (CVSSv3 score of 9.8) and affects version 4.6.8 and earlier of the plugin on the WordPress, WooCommerce and Shopify platforms. However, the researchers state that the attacks are likely to be blocked on Shopify, which enforces stricter access controls. Complete uninstallation of the plugin is recommended until a patch is available, as it is sometimes possible to exploit this vulnerability even when the plugin is disabled.
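Because the item above notes that a merely disabled copy of the plugin can still be exploitable, an inventory check has to look at what is installed on disk rather than at which plugins are active. The script below is an added example, not code from the original bulletin or from the plugin's vendor: it walks a WordPress plugins directory, reads the standard plugin header of each plugin's main PHP file, and reports any copy of Fancy Product Designer whose declared version is 4.6.8 or earlier. The plugin directory names, header contents and version numbers in the sample tree are constructed for the example; the real plugin's slug is not taken from the bulletin, so the check matches on the "Plugin Name" header instead.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample plugin headers in the WordPress plugin header format.
# Directory names and version strings are made up for this example.
SAMPLE_PLUGINS = {
    "fancy-product-designer/fancy-product-designer.php": (
        "<?php\n/*\nPlugin Name: Fancy Product Designer\nVersion: 4.6.8\n*/\n"
    ),
    "some-other-plugin/some-other-plugin.php": (
        "<?php\n/**\n * Plugin Name: Some Other Plugin\n * Version: 4.1.9\n */\n"
    ),
}

# Matches "Plugin Name:" and "Version:" header lines, with or without a
# leading "*" from a docblock comment.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)

# Highest version the bulletin reports as affected (CVE-2021-24370).
LAST_AFFECTED_VERSION = "4.6.8"


def parse_plugin_header(text):
    """Return the first Plugin Name / Version values found in a plugin file."""
    fields = {}
    for key, value in HEADER_RE.findall(text):
        fields.setdefault(key, value)
    return fields


def version_tuple(version):
    """Turn '4.6.8' into (4, 6, 8) so versions compare numerically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected(version, last_affected=LAST_AFFECTED_VERSION):
    """Affected means version <= 4.6.8, per the bulletin's 'and earlier'."""
    return version_tuple(version) <= version_tuple(last_affected)


def scan_plugins(plugins_dir):
    """Report every installed Fancy Product Designer copy, active or not.

    Activation state lives in the WordPress database (the active_plugins
    option), not on disk; this check deliberately ignores it because a
    disabled copy may still be reachable according to the report.
    """
    findings = []
    for plugin_dir in sorted(Path(plugins_dir).iterdir()):
        if not plugin_dir.is_dir():
            continue
        for php_file in plugin_dir.glob("*.php"):
            header = parse_plugin_header(php_file.read_text(errors="replace"))
            if header.get("Plugin Name", "").lower() != "fancy product designer":
                continue
            version = header.get("Version", "0")
            findings.append({
                "path": str(php_file),
                "version": version,
                "affected": is_affected(version),
            })
    return findings


def build_sample_tree():
    """Write the constructed sample plugins to a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="wp-plugins-"))
    for rel_path, content in SAMPLE_PLUGINS.items():
        target = root / rel_path
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return root


if __name__ == "__main__":
    for finding in scan_plugins(build_sample_tree()):
        state = "AFFECTED" if finding["affected"] else "patched"
        print(f"{state}: {finding['path']} (version {finding['version']})")
```

On a real host, point `scan_plugins` at `wp-content/plugins`; any finding with `affected` set to True is a copy that should be removed entirely, since deactivating it is not sufficient according to the report.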
Distribution of Teabot and Flubot via malicious apps and websites
Since December 2020, several attacks against Android devices with the Teabot and Flubot malware families have been reported. Recently, Bitdefender researchers have identified a new wave of apps that distribute these banking trojans by trying to impersonate the top-rated legitimate apps in the Android store. For its part, Teabot has the ability to carry out overlay attacks through Android’s accessibility services, intercept messages, perform various keylogging activities, steal Google authentication codes and even take full remote control of affected devices. So far, it is targeting several well-known banking institutions such as Bankia, BBVA, Banco Santander or ING Spain, among others. On the other hand, Flubot has had a significant impact in Germany, Spain, Italy and the United Kingdom. The entry vector for this banking trojan continues to be SMS messages that try to impersonate parcel delivery companies such as DHL, FedEx or Correos. Flubot has the ability to steal bank details, contacts, SMS and other private data. It is also capable of executing other available commands, including sending SMS with content provided by the C2 server.
Epsilon Red: new ransomware exploiting Microsoft Exchange ProxyLogon vulnerabilities
Sophos researchers have discovered a new ransomware, named Epsilon Red, after investigating an attack on an unidentified major US hospitality company. According to the researchers, the entry vector used by the threat actors was the exploitation of the ProxyLogon vulnerabilities in the company's Microsoft Exchange servers, which had not been patched. After the initial compromise, the attackers gain access via RDP and use Windows Management Instrumentation (WMI) to execute software and PowerShell scripts, ultimately deploying the Epsilon Red ransomware. As for the characteristics of this new malware, it is written in Golang and is accompanied by several PowerShell scripts with functionalities such as killing processes on the victim's devices and disabling security solutions, among others. Although the origin of this threat is unknown and the name, along with the use of this tool, are unique to this attacker, the ransom note is very similar to that of the REvil ransomware.
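The intrusion chain described above (RDP access, then WMI used to launch PowerShell) leaves a recognisable footprint in Windows telemetry: an interactive remote logon (Security event 4624 with logon type 10) followed on the same host by powershell.exe whose parent process is WmiPrvSE.exe, the WMI provider host. The script below is an added example, not code from the original report or from Sophos: it parses a simplified key=value export of such events and correlates the two signals within a time window. The log format, hostnames, usernames, IP addresses and command lines are constructed for the example and do not come from the incident.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: a simplified key=value export of Security
# 4624 logon events and process-creation events that carry the parent image.
# Hostnames, users, addresses and command lines are invented.
SAMPLE_LOG = r"""
2021-05-28T02:10:05 host=FS01 event=4624 logon_type=10 user=CORP\svc-backup src_ip=10.0.9.44
2021-05-28T02:14:32 host=FS01 event=process parent=C:\Windows\System32\wbem\WmiPrvSE.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -ExecutionPolicy Bypass -File C:\Temp\stage.ps1"
2021-05-28T03:05:00 host=WS17 event=process parent=C:\Windows\explorer.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell Get-Date"
2021-05-28T04:00:00 host=APP02 event=process parent=C:\Windows\System32\wbem\WmiPrvSE.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -Command Get-Process"
"""

# key=value pairs; values containing spaces are double-quoted.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one log line into a dict with a datetime under 'ts'."""
    ts_str, rest = line.split(" ", 1)
    event = {"ts": datetime.fromisoformat(ts_str)}
    for key, quoted, bare in KV_RE.findall(rest):
        event[key] = quoted if quoted else bare
    return event


def parse_log(raw):
    return [parse_line(line) for line in raw.splitlines() if line.strip()]


def is_rdp_logon(event):
    """Security 4624 with logon type 10 = RemoteInteractive (RDP)."""
    return event.get("event") == "4624" and event.get("logon_type") == "10"


def is_wmi_spawned_powershell(event):
    """powershell.exe whose parent is the WMI provider host."""
    return (
        event.get("event") == "process"
        and event.get("parent", "").lower().endswith("\\wmiprvse.exe")
        and event.get("image", "").lower().endswith("\\powershell.exe")
    )


def correlate(events, window=timedelta(hours=1)):
    """Return (host, logon, process) triples where WMI-spawned PowerShell
    follows an RDP logon on the same host within `window`."""
    rdp_by_host = defaultdict(list)
    for event in events:
        if is_rdp_logon(event):
            rdp_by_host[event["host"]].append(event)

    hits = []
    for event in events:
        if not is_wmi_spawned_powershell(event):
            continue
        for logon in rdp_by_host[event["host"]]:
            if timedelta(0) <= event["ts"] - logon["ts"] <= window:
                hits.append((event["host"], logon, event))
                break
    return hits


def analyse(raw_log):
    """Summarise both the weaker single-event signal and the correlated one."""
    events = parse_log(raw_log)
    return {
        "wmi_powershell_hosts": sorted(
            {e["host"] for e in events if is_wmi_spawned_powershell(e)}
        ),
        "rdp_then_wmi_powershell_hosts": sorted(
            {host for host, _, _ in correlate(events)}
        ),
    }


if __name__ == "__main__":
    summary = analyse(SAMPLE_LOG)
    print("WMI-spawned PowerShell seen on:", summary["wmi_powershell_hosts"])
    print("Preceded by RDP logon on:", summary["rdp_then_wmi_powershell_hosts"])
```

WMI-launched PowerShell on its own is common in managed environments (APP02 in the sample), so the correlated finding (FS01, where it follows a remote interactive logon) is the one worth paging on; the single-event signal is better kept as a hunting query.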