The SonicWall Capture Labs Threat Research Team observed a new POS malware Called UDPOS [UDPOS.A].
UDPOS is a newly-discovered malware that preys upon credit card payment systems. UDPoS uses DNS tunneling to exfiltrate the data from the system.
Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks. In operation since before 1985, NTP is one of the oldest Internet protocols in current use. NTP ships with a native command-line utility, ntpq, for querying and monitoring NTP servers.
A stack overflow vulnerability is reported in ntpq. Because the request parse function decodearr() failed to validate the size of request parameters, an attacker could overwrite the stack content with controllable content. A successful attack could lead to an arbitrary code execution on the target server with the privilege of the service application.
Because of the cryptocurrency market’s significant growth in the past couple of years, everyone wants a piece of that pie. Ransomware is still the most popular way for cybercriminals to generate that cryptocurrency income, but these days it seems that everything from personal computers to mobile devices and servers is being targeted as a possible host for secretly mining cryptocurrency. This week the SonicWall Capture Labs Threat Research Team has received reports of a malware sample that purports to be an image file but drops a cryptominer for Linux.
SonicWall has analyzed and addressed Microsoft’s security advisories for the month of March 2018. A list of the issues reported, along with SonicWall coverage information, is as follows:
The SonicWall Capture Labs Threat Research Team has come across Bosnian ransomware pretending to be from the Croatian Financial Agency (FINA). It is reported to arrive in the form of an email and demands an astronomical 200,000 Euros in bitcoin for decryption.
Asterisk is a software implementation of a telephone private branch exchange (PBX). It allows telephones interfaced with a variety of hardware technologies to make calls to one another, and to connect to telephony services, such as the public switched telephone network (PSTN) and voice over Internet Protocol (VoIP) services.
A memory corruption vulnerability has been reported in Asterisk. Due to improper handling of the SUBSCRIBE request in the Session Initiation Protocol (SIP) implementation, a buffer overflow can be triggered inside the service process memory space. An attacker could send a specially crafted SUBSCRIBE request and cause a Denial-of-Service or even remote code execution on the target server with the privilege of the service process.
SIP is a request-response based application layer protocol. The memory corruption vulnerability is triggered when the Asterisk SIP service parses the SUBSCRIBE request’s header. During this process, a sequence of C functions is called:
Oracle Remote Diagnostics Agent (RDA) is a command-line diagnostic tool that provides a suite of data collection and diagnostic scripts that aid in the analysis and support of Oracle products. RDA is installed by default for Oracle Fusion Middleware and Weblogic Server.
A command injection vulnerability exists in RDA. The web service class OsUtils does not properly filter an HTTP parameter, which results in a command injection vulnerability. An attacker could send a specially crafted HTTP POST request and execute arbitrary commands on the target server with the privilege of the web service.
In order to execute scanning commands for Oracle products, RDA implements the scanning applications as native applications and invokes them via web control panels. There is a set of pre-defined command templates inside several XML configuration files, such as oracle_database.xml, oracle_dbmachine.xml and oracle_si_supercluster.xml. For instance:
The SonicWall Capture Labs Threat Research Team observed a new malware family called OlympicDestroyer [OlympicDestroyer.A].
The Winter Olympics this year are being held in Pyeongchang, South Korea, and the OlympicDestroyer malware was designed to knock computers offline by deleting critical system files, which renders the machines useless. This malware was used in an attack on the opening ceremony of the Pyeongchang Winter Games.