Month: April 2020

For the April edition of Patch Tuesday, Microsoft repaired a total of 110 security vulnerabilities across their product line. Included in this count are 37 remote code execution bugs, and 33 elevation of privilege bugs. The company rated eighteen of the vulnerabilities “Critical.”

This release’s most notable item is the follow-up to last month’s announcement, “Cybercriminals are exploiting two unpatched zero-day flaws affecting all supported versions of Windows“. At the time, the company advised a workaround for mitigating the risk. Today, the fix for the two vulnerabilities went live.

Here are the patch highlights:

Adobe Font Manager Library Remote Code Execution

CVE-2020-0938, CVE-2020-1020

Two font vulnerabilities are present in the handling of the old and obsolete Type 1 (PostScript) font standard that makes use of file extensions .PFB and .PFM.

If an attacker is able to manipulate an unpatched Windows system into handling and displaying a malicious Type 1 font file (crafted by the attacker), the bugs could be exploited to compromise the system.

On Windows versions prior to Windows 10, the code responsible for handling fonts is running in high-privileged kernel mode. This makes the impact much more severe on older editions, such as (the now unsupported) Windows 7, or Windows 8.1 – the bugs can be used to perform an elevation of privilege attack, in addition to remote code execution.

Thankfully, on Windows 10 systems the same code has been moved to be running in a low-privileged, sandboxed user mode process. This hardening measure limits the bugs’ usefulness for elevation of privilege attacks. However, they still expose the system to a remote code execution scenario.

Normally, an attacker can take advantage of a font vulnerability to achieve remote code execution by enticing a victim to open a web page or document that has the malicious font embedded in them.

In the case of web pages, the “CSS Web fonts” feature can be used for embedding. Office documents and PDF documents also have support for embedding fonts in them.

Fortunately, due to the Type 1 font standard falling from favor, and being replaced by the newer TrueType and OpenType standards, many software do not support the embedding of Type 1 fonts. This is true for example in web browsers and Office software, so it can be said that the remote code execution attack scope for Type 1 bugs is somewhat limited in comparison to bugs affecting TrueType fonts.

Windows Elevation of Privilege Vulnerabilities

Elevation of Privilege (EoP) vulnerabilities could permit an attacker with limited access to a Windows system to gain more control over it, typically allowing for “escaping” a low integrity or sandboxed process by exploiting such a vulnerability, and subsequently gaining unlimited permissions to the system.

This month’s EoP bugs affect an assortment of Windows components, among them: Win32k (Graphics), Push Notification Service, DirectX, and amusingly enough, two of the bugs were discovered in Windows Defender – the built-in anti-malware component of Windows.

SharePoint Remote Code Execution Vulnerability

CVE-2020-0920, CVE-2020-0929, CVE-2020-0931, CVE-2020-0932, CVE-2020-0971, CVE-2020-0974

Out of a total of 20(!) different bugs affecting SharePoint, 6 are classified Remote Code Execution.

SharePoint is a web-based collaborative platform. It is almost always used by organizations, not individuals. There wasn’t any detailed technical information about any of the bugs that were found, so it’s unclear whether these bugs affect users of SharePoint Server or SharePoint Online (or both).

However from the sheer amount of fixes being deployed for this product, it’s safe to assume the bugs as a whole constitute a high risk of compromise, and therefore this month’s patch is definitely not something to disregard if you use SharePoint.

Sophos detection guidance

Sophos has released following detection to address the following vulnerabilities. Please note that this is not an exhaustive list of protection measures Sophos has implemented, and that additional vulnerabilities and corresponding detection may be released in the future.

Unscrupulous marketers and cyber-criminals have seized upon concerns over the emergence of the COVID-19 global pandemic as bait for spam, phishing attacks and malware. In recent weeks, the use of “coronavirus” and “COVID-19” in domain names, potentially unwanted email messages, and phishing and malware delivery schemes has skyrocketed. As of April 14, Sophos has identified over 1,700 malicious domains using “corona” or “covid” in their names, of which 1,200 are currently active.

We’re continuing to work to identify, detect and block these threats. We’re also engaging with the security community to help defend more broadly against the surge in COVID-19 related threats. Joshua Saxe, Sophos’ chief scientist, has launched a Slack channel for open collaboration on taking on pandemic-themed threats. [Update, April 20: The Slack channel now has over 3,400 members from security firms, as well as private and government organizations.]

We’re also publishing indicators of compromise we discover for related threats in a public GitHub. In this report, we’ll examine some of the trends we’re seeing in pandemic-themed spam and scams. The data we present here is just a portion of what we’ve seen so far, and we continue to assess intelligence data as it becomes available.

The surge of spam

The spam we found to be carrying an installer for Trickbot malware earlier this month was just one example of how spammers and criminals are using hunger for information about the pandemic to lure in their targets.

While COVID-19 emerged as a crisis in China in December, references to the virus in spam and phishing emails only really began to emerge in January—and like the virus itself, they grew exponentially. By early March, COVID-19 and Coronavirus already represented a significant percentage of the spam traffic we measured.

Spam campaigns detected by Sophos included:

• A sextortion scheme threatening to infect the target’s family with COVID-19 if they didn’t pay.
• A scam purporting to be a fundraising plea from the World Health Organization, asking for donations in Bitcoin to fund COVID-19 research.
• Messages purportedly from WHO, but carrying documents with dropper malware.
• Marketing for “emergency supplies,” including filter masks.
• A sales pitch for a $37 video download, purporting to offer insider information from a “military source” on how to survive Coronavirus
• [Update, March 27) We’re continuing to see new COVID-19 related extortion scams. Here’s another we’ve detected and blocked:

Building spamming and phishing infrastructure

COVID-19 has left a huge mark on the Internet’s namespace over the past two months. Certificate transparency log data from the major certificate authorities has shown a significant rise in the number of SSL certificates registered for sites using “corona” or “covid” in their names.

To get a sense of how big that change has been, we looked at  log data over the past six months for new certificates issued for hostnames with “corona” or “covid-19” in them. To establish a baseline from before the outbreak became global news, we looked at the same period a year ago (September 2018 to March 2019) for comparison.

Before January, most certificates that contained “corona” referred to a locality, service or legitimate brand name. These accounted for an average of 288 certificates activated per month.  References to “covid” did not exist in any certificate registrations we could find record of prior to 2020, and the only domain that really stands out belongs to Arizona-based A/V accessory manufacturer COVID, which owns the .com domain.

The pandemic changed the equation. Starting in January of 2020, there was an exponential rise in new certificates carrying these terms, nearly doubling from the norm to 558 for that month, and then nearly doubling again in February to 868. In the first two-thirds of March, over  6,086 new  certificates bearing host names with “covid” and “corona” were issued—nearly a 20-time increase over the year before.

Over 65% of these new domains were programmatically registered for free through Let’s Encrypt, and another 5% used Cloudflare as a Certificate Authority (Cloudflare provides free SSL for sites that use its content delivery network).

By no means are all of these malicious, but many are suspicious—particularly since they include an abundance of sites that were bulk-configured using site templates, domains configured through low-cost registrars or subdomains configured on potentially compromised domains.

One host serving as home for a number of “covid-19” related web addresses—associated with a service that offers free websites and low cost domain name registration—had 11,322 domain names associated with it. Those domains appear to have been programmatically created and registered for certificates, as they follow the same naming pattern {covid-19[additional search keyword].com).

The raw number of domain names we’ve observed being registered that are related to the COVID-19 pandemic is even larger. On March 20, the peak day (so far), people registered 3011 new domains that contained the text “covid” or “corona,” in the four largest top-level domains (TLDs) we monitor (.com, .us. .org, and .info). Since February 8, we’ve observed 42,578 (as of midnight, March 24) newly-registered covid or corona domain names.

While some of these domains may have been registered for benign or even beneficial purposes, many are simply parked, while others are displaying basic, mostly empty website content as placeholders for some promised future content. Part of the collaboration on the Slack channels and with our partners at the Cyber Threat Alliance involves sorting out the useful and legitimate sites that may have been registered by legitimate health authorities from the dark humor, spammy, or actively malicious ones. It’s hard to know the intent of a domain registrant when there’s no content in—just for one weird example, there’s coronavirusshaquilleoneal[.]com.

Sophos has identified over 60 domains as actively malicious, though some of those domains have gone dark since we first detected them. The following specific sites have been linked to malware downloads, and are potential network indicators of compromise, but they are likely just the tip of the iceberg as far as malicious domains go:

corona-masr21.com
netflixcovid19s.com
chasecovid19v.com
chasecovid19t.com
chasecovid19s.com
corona-masr2.com
chase7-covid.com
masry-corona51.com
corona-virusapps.com
coronavirus-realtime.com
covid-19-gov.claims
corona-virus-map.net
corona-map-data.com
coronavirus-apps.com
childcarecorona.com
impots-covid19.com
corona-apps.com
coronaviruscovid19-information.com
coronations.usa.cc

[Update, March 27] One domain we’ve investigated, covid19hacks[.]com, is acting as a redirector gateway to a series of deceptive and potentially malicious download sites, including fake software update pages:

These pages are the end of a trail of forwarding HTTPS pages, on domains including:

covid19hacks.com
yourbig-prizenow2.life
mobile-app-market-here1.life
best.prizedea2040.info

[Update, 4/08]

One of the most prevalent scams related to COVID-19 are sites offering supplies or medicine to prevent or fight infections.  Several are picking up on the promotion by some of Hydroxycloroquine and Azithromycin as drugs to help fight COVID-19 infections.

.Some of these sites forward to overseas pharmaceutical sites or to web stores offering filter masks; others have skeletal WordPress installations that appear to be placeholders for future phishing or spam sites. One offers a $9 book on how to create a “do-it-yourself vaccine” for coronavirus.

curecorona.co
zithromaxcovid19.com
jesse.hydroxychloroquinecovid-19cure.com
www.hydroxychloroquine-coronavirus.com
coronacurethon.org 
diyvaccinecurecoronavirus.com
covidrx.ca
covidizerx.pl
corona-vaccine-info.com
corona-virus-vaccine.com

Others we’ve found are simply registered and parked, in the hope of selling them as part of the coronavirus “gold rush.”

The following sites were registered and park through reg.ru, a Russian domain registry, and may be potential pharmacy scam sites in the future:

covid-pharma.net
covid-pharma.net 
covid-pharma.net 
covid-pharma.org
covid-pharma.ru

Malware abusing anxiety over COVID

We’ve identified multiple malware families and potentially unwanted applications thus far communicating with COVID-19 related domains in some way. There are also ransomware that reference coronavirus in the ransom notes.

For example, three different versions of the DownloadGuide adware PUA  were detected connecting to domains containing “COVID” or “Corona”. These may have been advertisements pushed to the adware randomly.

Additionally, a group of malicious files used the web host coronavirusstatus[.]space to host payloads or as a C2 server. They include:

• An AutoIT dropper script, which we identify as Troj/AutoIt-CYW.
• Corona.exe  and isoburn.exe, both of which which we identify as Troj/PWS-CJJ and Troj/Steal-JZ.
• Corona-virus-Map.com.exe (which we identify as Troj/MSIL-NZP).
• The file aut6C13.tmp (which we identify as Troj/PWS-CJJ malware).

In addition to communicating with the host, this malware group also connects to the Telegram encrypted communications API server.

These and additional IOCs will be added to our GitHub repository.

And it was inevitable that someone would eventually create a ransomware and call it Coronavirus.

Acknowledgments

SophosLabs wishes to acknowledge the efforts of Richard Cohen, Brett Cove, Krisztián Diriczi, Fraser Howard, Tamás Kocsír, and Chet Wisniewski to track down various threats, and the efforts of the Cyber Threat Alliance and the community of threat researchers on the COVID-19 Cyber Threat Coalition Slack channel for sharing a wide range of attack data with the wider community of security researchers and SOC analysts.

We’ve released XG Firewall v18 MR1.

Enhancements

• Supports new SD-RED 20 and SD-RED 60 devices.
• XG Firewall web console now shows granular reasons for firmware upload failure
• Plus, more than 45 issues resolved in this release (refer Issues Resolved section below)
• With the tremendous need for VPN connectivity in this challenging time, we have put together some important information here for you to achieve your networking needs:
  1. To configure VPN Remote Access on your Sophos XG Firewall. Check out this useful Community post!
  2. To substitute XG for RED devices via Light-Touch deployment from Sophos Central. Check out this useful Community post!

Note: Upgrade from SF 17.5 MR11 to v18.0 MR1 is now supported.

More on XG Firewall v18

Please refer XG Firewall v18 highlights for more details on all-new Xstream Architecture delivering extreme new levels of visibility, protection and performance. Also, check out our XG Firewall v18 playlist on YouTube to find out what’s new in XG Firewall v18!

Get it now!

As usual, this firmware update is no charge for all licensed XG Firewall customers. The firmware will be rolled-out automatically to all systems over the coming weeks but you can access the firmware anytime to do a manual update through Licensing Portal. You can refer this article for more information on How to upgrade the firmware.

For fresh installations, we will update this post with installer download links soon.

Things to know before upgrading

Issues Resolved

• NC-30903 [Authentication] STAS configuration is editable via GUI on AUX machine
• NC-50703 [Authentication] Access server restarted with coredump using STAS and Chrome SSO
• NC-50716 [Authentication] Cannot import LDAP server via XMLAPI if client cert is “None”
• NC-54689 [Authentication] Support download certificate for iOS 13 and above
• NC-55277 [Authentication] Service “Chromebook SSO” is missing on Zone page
• NC-51660 [Backup-Restore] Restore failed using a backup of XG135 on SG230 appliance
• NC-55015 [Bridge] Wifi zone is not displayed while creating bridge
• NC-55356 [Bridge] TCP connection fails for VLAN on bridge with HA Active-Active when source_client IP address is odd
• NC-52616 [Certificates] Add support for uploading of CRLs in DER format
• NC-55739 [Certificates] EC certificate shows up as “RSA” in SSLx CA cert dropdowns
• NC-55305 [CM (Zero Touch)] System don’t restart on changing time zone while configured through ZeroTouch
• NC-55617 [CM (Zero Touch)] Getting wrong error message in log viewer after ZeroTouch process
• NC-55909 [Core Utils] Unable to see application object page on SFM
• NC-30452 [CSC] Dynamic interface addresses not showing on Aux after failover
• NC-54233 [CSC] EpollWorker coredump
• NC-55386 [Dynamic Routing (PIM)] PIM-SM import fails with LAG as dependent entity
• NC-55625 [Dynamic Routing (PIM)] In HA with multicast interface, routes are not getting updated in the Aux routing table
• NC-55461 [Email] After adding/edit FQDN host with smarthost, it is not displayed on the list until refresh the page
• NC-58898 [Email] Potential RCE through heap overflow in awarrensmtp (CVE-2020-11503)
• NC-55635 [Firewall] Display filter for forwarded is not working properly on packet capture page
• NC-55657 [Firewall] HA backup restore fails when port name is different in backup and appliance
• NC-55884 [Firewall] IPS policy id and appfilter id not displaying in firewall allow log in logviewer
• NC-55943 [Firewall] Failed to resume existing connection after removal of heartbeat from firewall configuration
• NC-57084 [Firewall] Custom DMZ not listed in dedicated link HA configuration
• NC-44938 [Firmware Management, UX] Web UI does not surface reasons for firmware upload failure
• NC-55756 [Gateway Management] Gateway isn’t deleted from SFM UI after deleting it from SFM
• NC-55552 [HA] WWAN interface showing in HA monitoring ports
• NC-55281 [Import-Export Framework] Full configuration import fails when using third party certificate for webadmin setting
• NC-55171 [Interface Management] VLAN Interface IP is not assigned via DHCP when gateway name uses some special characters
• NC-55442 [Interface Management] DNS name lookup showing incorrect message
• NC-55462 [Interface Management] Import fails on configuring Alias over VLAN
• NC-55659 [Interface Management] Invalid gateway IP and network IP configured using API for IPv6
• NC-56733 [Interface Management] Patch PPPd (CVE-2020-8597)
• NC-51776 [IPS Engine] Edit IPS custom rule protocol doesn’t work after creation
• NC-51558 [IPsec] Add warning message before deleting xfrm ipsec tunnel
• NC-55309 [Logging] Local acl rule not created through log viewer for IPv4 and IPv6
• NC-50413 [Logging Framework] Gateway up event log for PPPoE interface not always shown in logviewer
• NC-55346 [Logging Framework] Clear All for “Content filtering” does not clear SSL/TLS filter option
• NC-56831 [Policy Routing] SIP traffic sometimes not working with SDWAN policy route
• NC-46009 [SecurityHeartbeat] Spontaneous reconnects of many endpoints
• NC-51562 [SecurityHeartbeat] Heartbeat service not started after HA failover
• NC-52225 [Synchronized App Control] SAC page loading issues as the list of apps increases
• NC-54078 [UI Framework] Internet Explorer UI issue on certain rules and policies pages
• NC-56821 [Up2Date Client] SSL VPN downloading with the 0KB
• NC-54007 [Web] File type block messages sometimes contain mimetype rather than file type

Making the most of your new XG Firewall features

Free Online Training

• Available for free for all XG Firewall customers, our delta training program will help you make the most of the new features in XG Firewall v18.
• This online program walks you through the key enhancements since v17.5 and takes about 90 minutes to complete.

Customer Resources and How-To Videos

• Also be sure to visit the Customer Resource Center for the latest How-To Videos and links to documentation, the community forums, training and other resources.

Take advantage of Partner and Sophos Professional Services

• To augment your local Sophos partner’s services, we offer services to help you getting up and running and make the most of your XG Firewall, including the latest capabilities in v18.
• While Sophos Professional Services can help with any task, here are the most common services they provide:
  • XG Firewall deployment and setup
  • XG Firewall v18 DPI, FastPath and SSL Engine Optimization
  • XG Firewall Health Checks

Here are some direct links to helpful resources:

New to XG Firewall?

If you’re new to XG Firewall, see how it provides the world’s best network visibility, protection and response on the new XG Firewall website.