SonicWall has analyzed and addressed Microsoft's security advisories for the month of February 2018. A list of the issues reported, along with SonicWall coverage information, is as follows:
The SonicWall Threats Research team has received reports of yet another Android crypto-miner spreading in the wild. Reports suggest this malware has worm-like propagation capabilities, making it more dangerous than the usual crypto-miners, which are rising in number.
We have identified a number of different components belonging to this threat; we will continue to update this post with more information as the picture becomes clearer.
This week, the SonicWall Capture Labs Threat Research Team has seen a Java-based trojan delivered via malicious spam. These unsolicited emails look much like those of other malspam campaigns, disguised as important messages containing links to download official documents. The sample we analyzed, however, came with a link to download a fake UPS shipping label creator.
This trojan may use the following variations of filenames:
- DHL delivery.jar
The Sonicwall Capture Labs Threats Research team have come across a variant of the DesuCrypt ransomware called InsaneCrypt. This variant uses RC4 encryption and encrypts files immediately upon execution. Unlike earlier ransomware, there are no threatening countdown timers and ransom payments amounts immediately presented to the victim. Instead, as is the growing trend with most ransomware today, the victim must communicate with the operator via email for further instructions.
A null pointer dereference vulnerability exists in PHP's exif extension module, which can cause a denial of service on the server side. An attacker can exploit this vulnerability by sending a crafted JPEG or TIFF file to a web application that parses image metadata with this module.
The vulnerability is caused by a null pointer dereference while PHP parses the EXIF section of an image file. When handling the EXIF section, the PHP module passes the data through a series of encoding converter functions.
EMC Data Protection Advisor is data protection management software that unifies and automates monitoring, analysis and reporting across on-premises and cloud backup and recovery environments.
An authentication bypass vulnerability exists in EMC Data Protection Advisor. The application ships with several hidden, hardcoded privileged accounts with default passwords, including:
User: Apollo System Test
These accounts can be used to log on via the REST APIs of the GUI service, which listens on HTTP ports 9002 and 9004. An attacker can send ordinary HTTP requests carrying the hidden account credentials and potentially gain admin privileges.
To launch such an attack, first encode the credentials with base64 in the format [user]:[pass].
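As an added illustration (this is not code from the original post, from EMC or from SonicWall), the following Python does two things: it builds the HTTP Basic `Authorization` value from `[user]:[pass]` exactly as the step above describes, and, for the defensive side, it decodes Basic credentials found in access-log lines from the GUI service ports (9002/9004) and flags any request that authenticates as the hidden account named above. The log line format, the request paths and the password strings are assumptions made for this example; the real hardcoded password is deliberately not reproduced here.

```python
import base64
import re
from typing import Dict, List, Optional, Tuple

# Hidden account name as reported for EMC Data Protection Advisor. Only the
# name shown in the advisory text is listed; others are not reproduced here.
HIDDEN_ACCOUNTS = {"Apollo System Test"}

# Ports on which the DPA GUI service listens, per the advisory text.
DPA_GUI_PORTS = {9002, 9004}


def basic_auth_header(user: str, password: str) -> str:
    """Build the HTTP Basic Authorization value: base64 of "[user]:[pass]"."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_auth(header_value: str) -> Optional[Tuple[str, str]]:
    """Reverse of basic_auth_header. Returns (user, password), or None when the
    value is not a well-formed Basic credential (wrong scheme, bad base64,
    no ':' separator)."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


# Constructed (hypothetical) access-log format for the DPA GUI service.
# The paths and passwords below are placeholders, not real DPA values.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) dport=(?P<dport>\d+) method=(?P<method>\S+) '
    r'path=(?P<path>\S+) auth="(?P<auth>[^"]*)"$'
)

LOG_LINES = [
    '2018-02-20T10:15:02Z src=10.0.0.5 dport=9002 method=GET path=/dpa-api/nodes '
    f'auth="{basic_auth_header("dpaadmin", "S3cret!")}"',
    '2018-02-20T10:15:09Z src=198.51.100.7 dport=9004 method=GET path=/dpa-api/nodes '
    f'auth="{basic_auth_header("Apollo System Test", "example-password")}"',
    '2018-02-20T10:15:11Z src=10.0.0.9 dport=443 method=GET path=/ auth="-"',
    '2018-02-20T10:15:20Z src=198.51.100.7 dport=9002 method=POST path=/dpa-api/users '
    f'auth="{basic_auth_header("Apollo System Test", "example-password")}"',
]


def find_hidden_account_logins(lines: List[str]) -> List[Dict[str, object]]:
    """Scan log lines for requests to the GUI service ports that authenticate
    as one of the hidden accounts. Lines that do not parse, hit other ports,
    or carry no usable Basic credential are skipped."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        dport = int(m["dport"])
        if dport not in DPA_GUI_PORTS:
            continue
        creds = decode_basic_auth(m["auth"])
        if creds is None:
            continue
        user, _password = creds  # never log the password itself
        if user in HIDDEN_ACCOUNTS:
            hits.append({
                "ts": m["ts"], "src": m["src"], "dport": dport,
                "method": m["method"], "path": m["path"], "user": user,
            })
    return hits


if __name__ == "__main__":
    for hit in find_hidden_account_logins(LOG_LINES):
        print(f"{hit['ts']} hidden account '{hit['user']}' used from {hit['src']} "
              f"on port {hit['dport']}: {hit['method']} {hit['path']}")
```

Because the credential rides in a standard Basic header, any reverse proxy or WAF in front of ports 9002/9004 can apply the same decode-and-match check before the request reaches the application; the detector above only needs the account name, not the password, so it can be deployed without handling the hardcoded secret at all.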