A Trojan SDK snuck past Google Play protections to infest 101 Android applications, bent on exfiltrating infected device data.
Researchers Unveil GuLoader Malware’s Latest Anti-Analysis Techniques
Threat hunters have unmasked the latest tricks adopted by a malware strain called GuLoader in an effort to make analysis more challenging.
"While GuLoader’s core functionality hasn’t changed drastically over the past few years, these constant updates in their obfuscation techniques make analyzing GuLoader a time-consuming and resource-intensive process," Elastic Security Labs
The Hacker News
FTC sues H&R Block over deceptive ‘free’ online filing ads
The U.S. Federal Trade Commission (FTC) sued tax preparation giant H&R Block over the company’s deceptive “free” online filing advertising and for pressuring people into overpaying for its services. […]
BleepingComputer
178,000+ Publicly Exposed SonicWall Firewalls Vulnerable to RCE Attacks
Because SonicWall firewalls are so widely deployed in organizations, attackers find them appealing targets when looking to breach networks.
By exploiting security holes in SonicWall firewalls, malicious actors can gain unauthorized access to confidential data, make it easier for outsiders to infiltrate networks, and launch several kinds of cyberattacks.
Cybersecurity researchers at Bishop Fox recently found 178,000 vulnerable SonicWall firewalls that could be exploited by threat actors in the wild.
Sonicwall Firewall Vulnerable to RCE Attacks
SonicWall NGFW series 6 and 7 face unauthenticated DoS vulnerabilities (CVE-2022-22274, CVE-2023-0656) that potentially allow remote code execution.
No in-the-wild exploitation has been reported, but a PoC for CVE-2023-0656 is public. BinaryEdge data shows that 76% of exposed SonicWall firewalls (178,637 of 233,984) are vulnerable.
The impact of a widespread attack could be severe: by default SonicOS restarts after a crash, but three crashes put the device into maintenance mode.
Cybersecurity analysts analyzed CVE-2022-22274 using Ghidra and BinDiff to compare versions of the sonicosv binary, and leveraged watchTowr Labs’ analysis and Praetorian’s decryption tool to make the research efficient.
They also identified the key code changes in the HTTP request handling functions between NSv firmware versions 6.5.4.4-44v-21-1452 and 6.5.4.4-44v-21-1519.
In the vulnerable code, two __snprintf_chk() calls are made in sequence, and the return value of the first is used to compute the arguments of the second.
The patched version converts a variable from signed to unsigned, adds bounds checks, and tightens the input/output checks around the second call.
The __snprintf_chk() return value was the crux: the SonicWall developers assumed it equaled the number of characters written, overlooking the discrepancy documented for snprintf(), whose return value is the length the full output would have had even when the output was truncated.
The problem is that maxlen is a size_t: subtracting the first call’s return value from 1024 wraps around when that return value exceeds 1024. The second call is then told it may write an enormous amount of data into a small 1024-byte buffer, and because maxlen is the maximum 64-bit unsigned integer value, the overflow protection is bypassed.
This suggests the developers wrote their code against snprintf() with compile-time overflow protection enabled, which the compiler turned into __snprintf_chk() calls; the mismatch between the two results in the length argument (strlen) being set to the maximum value.
The patched firmware adds a check between the two snprintf() calls, ensuring the first call’s return value is below 1024, which restores the buffer overflow protection.
If the check fails, the second call is skipped and request handling terminates, without modifying the original calls themselves.
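The chained-call pattern described above, as an added illustration written for this page and not SonicWall’s, Bishop Fox’s or watchTowr’s code: the function names, format strings and the “Request-URI”/“Host” fields are assumptions for the demonstration; only the 1024-byte buffer size is taken from the article. The first function returns the “remaining space” that the flawed size_t arithmetic would hand to a second call when the first call’s return value exceeds the buffer (it never writes past the buffer itself), and the hardened function shows the check the patch describes: validate the first return value against the buffer before deriving the second call’s bound, and abandon the request if it fails.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 1024

/* Stand-in for the first of the two chained formatting calls. It returns the
 * "remaining space" that the flawed arithmetic would hand to the second call.
 * Nothing is written past the buffer here: snprintf stays within BUF_SIZE, so
 * the function is safe to run; the returned size is the point. */
size_t remaining_after_first_call(const char *uri)
{
    char buf[BUF_SIZE];
    /* snprintf returns the length the whole string WOULD have had, not the
     * number of bytes actually stored, so ret can exceed BUF_SIZE whenever the
     * output is truncated. */
    int ret = snprintf(buf, sizeof buf, "Request-URI: %s\r\n", uri);
    /* Flawed assumption: ret == bytes written, so this can never go negative.
     * With ret > BUF_SIZE the unsigned subtraction wraps to a huge value. */
    size_t maxlen = (size_t)BUF_SIZE - (size_t)ret;
    return maxlen;
}

/* Hardened version of the same two-call sequence: check the first call's
 * return value against the buffer before deriving the second call's bound, and
 * stop handling the request on failure (the behaviour the article attributes
 * to the patched firmware). */
bool build_request_checked(const char *uri, const char *host,
                           char *out, size_t out_len)
{
    int ret = snprintf(out, out_len, "Request-URI: %s\r\n", uri);
    if (ret < 0 || (size_t)ret >= out_len) {
        out[0] = '\0';
        return false;            /* truncated: skip the second call entirely */
    }
    size_t used = (size_t)ret;   /* guaranteed < out_len, so no wrap below */
    int ret2 = snprintf(out + used, out_len - used, "Host: %s\r\n", host);
    if (ret2 < 0 || (size_t)ret2 >= out_len - used) {
        out[0] = '\0';
        return false;
    }
    return true;
}

/* Constructed test input: a URI made of n 'A' characters (hypothetical, not a
 * real request). Capped so this helper never overruns its own buffer. */
static const char *constructed_uri(size_t n)
{
    static char uri[4096];
    if (n >= sizeof uri)
        n = sizeof uri - 1;
    memset(uri, 'A', n);
    uri[n] = '\0';
    return uri;
}

size_t remaining_for_uri_length(size_t n)
{
    return remaining_after_first_call(constructed_uri(n));
}

bool checked_for_uri_length(size_t n)
{
    char out[BUF_SIZE];
    /* "fw.example" is a constructed host name for the demonstration. */
    return build_request_checked(constructed_uri(n), "fw.example", out, sizeof out);
}

int main(void)
{
    printf("11-byte URI:   remaining=%zu, checked=%s\n",
           remaining_for_uri_length(11), checked_for_uri_length(11) ? "ok" : "rejected");
    printf("2000-byte URI: remaining=%zu (wrapped), checked=%s\n",
           remaining_for_uri_length(2000), checked_for_uri_length(2000) ? "ok" : "rejected");
    return 0;
}
```

With an 11-byte URI the first call uses 26 bytes and the flawed arithmetic reports 998 remaining, which is correct; with a 2000-byte URI the call returns 2015, and 1024 minus 2015 as a size_t wraps to a value far larger than the buffer, which is exactly the bound a second call would be given. The checked version rejects both the 2000-byte case and the case where the first line fits but the second would not, rather than ever deriving a bound from an unvalidated return value.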
CVE-2022-22274 and CVE-2023-0656 are the same underlying vulnerability reachable via distinct URI paths, and either could be exploited to crash vulnerable devices.
Researchers urged users to check deployed SonicWall NGFW devices for the vulnerability and, if a vulnerable device is found, to take the following two steps immediately:
1. Remove the web management interface from public access.
2. Upgrade old firmware to the latest available version.
At the moment, identifying a target’s firmware and hardware versions is a hurdle for attackers, as the exploit needs to be customized to them.
No method of remotely fingerprinting SonicWall firewalls is known, which makes the likelihood of RCE low. However, the researchers strongly recommend securing devices to avoid potential DoS attacks.
The post 178,000+ Publicly Exposed SonicWall Firewalls Vulnerable to RCE Attacks appeared first on Cyber Security News.