SecurityWeek: SonicWall Patches Critical Vulnerabilities in GMS, Analytics Products https://www.securityweek.com/sonicwall-patches-critical-vulnerabilities-in-gms-analytics-products/ #Vulnerabilities #SonicWall

SonicWall a corrigé 15 vulnérabilités dont 4 failles critiques dans plusieurs de ses produits https://www.it-connect.fr/sonicwall-a-corrige-15-vulnerabilites-dont-4-failles-critiques-dans-plusieurs-de-ses-produits/ #SonicWall #Sécurité

SecurityAffairs: SonicWall urges organizations to fix critical flaws in GMS/Analytics products https://securityaffairs.com/148411/security/sonicwall-critical-flaws-gms-analytics.html #informationsecuritynews #ITInformationSecurity #PierluigiPaganini #SecurityAffairs #BreakingNews #SecurityNews #hackingnews #SonicWall #Security #Hacking

15 bug di sicurezza critici risolti da SonicWall sul Global Management System (GMS)

#SonicWall ha riportato recentemente di correggere molteplici #vulnerabilità critiche che incidono sulla gestione del Global Management System (#GMS) e nell’#Analytics dell’#azienda.

#redhotcyber #online #it #web #ai #hacking #privacy #cybersecurity #cybercrime #intelligence #intelligenzaartificiale #informationsecurity #ethicalhacking #dataprotection #cybersecurityawareness #cybersecuritytraining #cybersecuritynews #infosecurity

https://www.redhotcyber.com/post/15-bug-di-sicurezza-critici-risolti-da-sonicwall-sul-global-management-system-gms/

SonicWall Security und Bugfix-Updates für Firewalls
SonicOS 6.5.4.12 für

SuperMassive 9600
SuperMassive 9400
SuperMassive 9200
NSa 9650
NSa 9450
NSa 9250
NSa 6650
NSA 6600
TZ600 / TZ600P
TZ500 / TZ500 Wireless
TZ400 / TZ400 Wireless
TZ350 / TZ350 Wireless

Security-Fixes (u. a.):
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0005
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0003
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0003

#sonicwall #security

I dispositivi di SonicWall vengono attaccati da malware che sopravvive anche dopo il riavvio

Secondo #Mandiant gli hacker cinesi stanno attaccando i dispositivi #SonicWall Secure Mobile Access (#SMA) vulnerabili e li stanno infettando con #malware che ruba le credenziali che può sopravvivere anche dopo un aggiornamento del #firmware.

I #ricercatori di Mandiant e il team SonicWall #PSIRT ritengono che dietro questi attacchi ci sia il gruppo di hacking cinese #UNC4540.

#redhotcyber #informationsecurity #ethicalhacking #dataprotection #hacking #cybersecurity #cybercrime #cybersecurityawareness #cybersecuritytraining #cybersecuritynews #privacy #infosecurity

https://www.redhotcyber.com/post/i-dispositivi-di-sonicwall-vengono-attaccati-da-malware-che-sopravvive-anche-dopo-il-riavvio/

Happy Monday folks, I hope you had a restful weekend and managed to take a breather from all things cyber! Time to get back into it though, so let me give you hand - catch up on the week’s infosec news with the latest issue of our newsletter:

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-09e?sd=pf

#Emotet are back and are using…OneNote lures? ISO disk images? Malvertising? Nah – they’re sticking with tier tried and true TTPs – their Red Dawn maldoc template from last year; macro-enabled documents as lures, and null-byte padding to evade automated scanners.

We’ve highlighted a report on the Xenomorph #Android Banking Trojan, which added support for targeting accounts of over 400 banks; automated bypassing of MFA-protected app logins, and a Session Token stealer module. With capabilities like these becoming the norm, is it time to take a closer look at the threat Mobile Malware could pose to enterprise networks?

North Korean hackers have demonstrated yet again that they’re tracking and integrating the latest techniques, and investing in malware development. A recent campaign saw eight new pieces of malware distributed throughout the kill chain, leveraging #Microsoft #InTune to deliver payloads and an in-memory dropper to abuse the #BYOVD technique and evade EDR solutions.

A joint investigation by #Mandiant and #SonicWall has unearthed a two-year campaign by Chinese actors, enabled through exploitation of unpatched SMA100 appliances and delivery of tailored payloads. A critical vulnerability reported by #Fortinet this week helps reinforce the point that perimeter devices need to be patched with urgency, as it’s a well-documented target for Chinese-affiliated actors.

#HiatusRAT is a novel malware targeting #DrayTek routers, sniffing network traffic and proxying C2 traffic to forward-deployed implants. TTPs employed in recent #BatLoader and #Qakbot campaigns are also worth taking note of, as is #GoBruteforcer, a new malware family targeting specific web server applications to brute force logins and deploy an IRC bot for C2.

Those in Vulnerability Management should take particular note of the #Veeam vulnerability, which appears trivial to exploit and actually delivers plaintext credentials to the attacker. CISA have also taken note of nearly 40k exploit attempts of a 2 year old code-exec-as-root vulnerability in the #VMWare Cloud Foundation product in the last two months, so make sure you’re patched against it.

#Redteam members have some excellent reading to look forward to, looking at HTTP request smuggling to harvest AD credentials and persisting with a MitM Exchange server, as well as a detailed post that examines #CobaltStrike’s reflective loading capability;

The #blueteam has some great tradecraft tips from @inversecos on #Azure DFIR, as well as tools to help scan websites for malicious objects, and to combat the new #Stealc #infostealer and well-established Raccoon Stealer.

Catch all this and much more in this week's newsletter:

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-09e?sd=pf

#infosec #cyber #news #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #newsletter #hacking #security #technology #hacker #vulnerability #vulnerabilities #malware #ransomware #dfir #soc #threatintel #threatintelligence #DarkWeb #mdm #dprk #FortiOS #FortiProxy

This week's #infosec newsletter issue is out! Have a look at it. It includes, but not only:

• CISA warns of actively exploited #Plex bug after #LastPass breach
• Brazil seizing #FlipperZero shipments to prevent use in crime
• #IBM X-Force on defining the #CobaltStrike Reflective Loader
• Security researchers targeted with new #malware via job offers on #LinkedIn
• Alleged NetWire RAT Operator Arrested in Croatia as FBI Seizes Website
• Xenomorph #Android malware now steals data from 400 banks
• #GitHub makes 2FA mandatory next week for active developers
• The #Akuvox E11 door phone/intercom is riddled with security holes
• Custom Chinese Malware Found on #SonicWall Appliance
• Building Great OT Incident Response Tabletop Exercises, by @hacks4pancakes
• Warning: Don't Let #Google Manage Your #Passwords
• #Fortinet warns of new critical unauthenticated RCE #vulnerability
• #Veeam fixes bug that lets hackers breach #backup infrastructure
• AI-Powered '#BlackMamba' Keylogging Attack Evades Modern #EDR Security
• Hard-coded secrets up 67% as secrets sprawl threatens software supply chain
• #Emotet malware attacks return after three-month break

.. And many more. Subscribe to receive it directly in your inbox every Sunday!

#cybersecurity #security #newsletter

https://0x58.substack.com/p/my-shared-links-week-102023

Threat actors with a connection to the Chinese government are infecting a widely used security appliance from #SonicWall with #malware that remains active even after the device receives firmware updates.

#China #InfoSec #SecureMobileAccess100
https://arstechnica.com/information-technology/2023/03/malware-infecting-widely-used-security-appliance-survives-firmware-updates/

#Malware infecting widely used #security appliance survives #firmware updates

Threat actors with a connection to the #Chinese government are infecting a widely used security appliance from #SonicWall with malware that remains active even after the device receives firmware updates, researchers said.
#China

https://arstechnica.com/?p=1923115

Suspected Chinese Campaign to Persist on SonicWall Devices, Highlights Importance of Monitoring Edge Devices

Mandiant, working in partnership with SonicWall Product Security and Incident Response Team (PSIRT), has identified a suspected Chinese campaign that involves maintaining long term persistence by running malware on an unpatched SonicWall Secure Mobile Access (SMA) appliance. The malware has functionality to steal user credentials, provide shell access, and persist through firmware upgrades. Mandiant currently tracks this actor as UNC4540.

Malware
Analysis of a compromised device revealed a collection of files that give the attacker a highly privileged and available access to the appliance. The malware consists of a series of bash scripts and a single ELF binary identified as a TinyShell variant. The overall behavior of the suite of malicious bash scripts shows a detailed understanding of the appliance and is well tailored to the system to provide stability and persistence. #malware #security #cybersecurity #sonicwall #firmware #networksecurity #infosec #informationsecurity

https://www.mandiant.com/resources/blog/suspected-chinese-persist-sonicwall

Malware infecting widely used security appliance survives firmware updates - Enlarge (credit: Getty Images)

Threat actors with a connection... - https://arstechnica.com/?p=1923115 #sonicwall #malware #biz⁢ #sma100

Ars Technica: Malware infecting widely used security appliance survives firmware updates https://arstechnica.com/?p=1923115 #Tech #arstechnica #IT #Technology #sonicwall #malware #Biz&IT #sma100

#SonicWall SMA appliance infected by a custom #malware allegedly developed by Chinese hackers
https://securityaffairs.com/143273/hacking/sonicwall-sma-custom-malware.html
#securityaffairs #hacking #malware

Mandiant, working in partnership with SonicWall Product Security and Incident Response Team (PSIRT), has identified a suspected Chinese campaign that involves maintaining long term persistence by running malware on an unpatched SonicWall Secure Mobile Access (SMA) appliance. The malware has functionality to steal user credentials, provide shell access, and persist through firmware upgrades. Mandiant currently tracks this actor as UNC4540.

A Pattern of Chinese Network Device Compromises

Developing malware for a managed appliance is often no trivial task. Vendors typically do not enable direct access to the Operating System or filesystem for users, instead offering administrators a graphical UI or limited Command Line Interface (CLI) with guardrails preventing anyone from accidentally breaking the system. Because of this lack of access, attackers require a fair amount of resource and effort to develop exploits and malware for managed devices.

In recent years Chinese attackers have deployed multiple zero-day exploits and malware for a variety of internet facing network appliances as a route to full enterprise intrusion, and the instance reported here is part of a recent pattern that Mandiant expects to continue in the near term. For further information, see Mandiant blog post: Suspected Chinese Threat Actors Exploiting FortiOS Vulnerability (CVE-2022-42475). In particular the section "China Continues to Focus on Network Devices" summarizes some of Mandiant’s recent findings. #malware #security #mandiant #sonicwall #cybersecurity #networksecurity #apt

https://www.mandiant.com/resources/blog/suspected-chinese-persist-sonicwall

#SonicWall firewall vulnerability #security

https://borncity.com/win/2023/03/05/critical-vulnerability-cve-2023-0656-in-sonicwall-firewalls/

Sonicwall Firewalls - kritische Sicherheislücke - CVSS: 7.5 (High)

Affected Product(s)
Product(s): Gen 7 TZ, NSa and NSsp firewalls; Gen 6.5 NSv virtual firewalls

Impacted Version(s): 7.0.1-5095 and earlier; 7.0.1-5083 and earlier; 6.5.4.4-44v-21-1551 and earlier

Fixed Version(s): 7.0.1-5111

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0004

#sonicwall #

Has anyone else had a Sonicwall randomly corrupt it's own firmware and reset to setup / recovery mode?

Nothing in logs and after a restore from the last but one config it's up and running again.

The DC it's in was working on one side of the UPS but don't think that should do anything. Nothing else on the same power was affected.

#sonicwall #systemsengineering #networks

Updating: Read the commentary thread by @GossiTheDog that begins at
https://infosec.exchange/@GossiTheDog@cyberplace.social/109603106559818167'

#CottSystems #ransomware #patch #infosec #cybersecurity #DataBreach #DataProtection #ProxyNotShell #OWA #SonicWall

Round 2 of Discoveries:

Relevant hashtags: #Sonicwall #networking #sysadmin #office365 #ExchangeOnline #infosecurity #Linux #networkengineer #vmware

Discovery 7: When I first started, the Asset Management Inventory was a locally hosted Excel sheet on a shared/network drive.

To note, there were over 4000 manageable assets on that inventory. It was shared between all IT Staff.

I set up a Snipe-IT Instance locally hosted and never looked back. I still have nightmares about the time spent using that accursed Excel sheet.