CYBERSECURITY NEWS V. 26.01 – Public exploit for SAP SolMan vulnerability, Dovecat malware


hexway cybersecurity blog brings you the latest news about attacks and data breaches, emerging malware, and vendor security updates

News FYI

SonicWall Hacked Through 0-Day Vulnerability In Its VPN Products

SonicWall, a security hardware manufacturer, has issued an urgent notice revealing that attackers infiltrated its internal systems through a zero-day vulnerability in its VPN products.

The attackers exploited a previously unknown vulnerability in the Secure Mobile Access (SMA) VPN device and NetExtender VPN client to carry out a sophisticated attack on SonicWall's internal systems.

The vulnerability affects the following products:

  • NetExtender VPN client version 10.x (released in 2020) used for connecting to SMA 100 series appliances and SonicWall firewalls;
  • Secure Mobile Access (SMA) version 10.x running on SMA 200, SMA 210, SMA 400, SMA 410 physical appliances, and the SMA 500v virtual appliance.

Users of the affected products are strongly advised to enable two-factor authentication, restrict SSL VPN connections to SMA installations to only known whitelisted IP addresses, and disable access to firewalls through NetExtender.

SonicWall did not disclose any details of the vulnerability.

Public exploit for obtaining superuser rights in SAP SolMan

An exploit for a critical SAP SolMan vulnerability was published on GitHub this month. SAP SolMan (Solution Manager) is a lifecycle management platform supporting all SAP solutions.

The exploit is fully functional and targets CVE-2020-6207, a missing authentication check in SAP Solution Manager (User Experience Monitoring) version 7.2. By exploiting the vulnerability, an attacker can compromise all SMDAgents connected to SAP Solution Manager. A successful attack could impact an organization's security posture, exposing critical data, SAP applications, and business processes.

By gaining control over SAP SolMan, an attacker could shut down systems, access sensitive data, delete data, and assign superuser privileges to any new or existing user.

According to Onapsis: "The release of a public exploit significantly increases the chance of an attack attempt since it also expands potential attackers not only to SAP-experts or professionals but also to script-kiddies or less-experienced attackers that can now leverage public tools instead of creating their own."

QNAP warns users about new crypto miner

QNAP has warned NAS owners about the new Dovecat malware that infects devices to mine bitcoins.

The malware spreads by connecting to QNAP NAS systems, targeting devices that are reachable from the Internet and poorly protected with weak passwords. QNAP issued the warning after receiving reports from users about two unknown processes, dovecat and dedpma, which run nonstop and consume a lot of memory. Devices running these processes should be considered compromised.

The company advises users to update QTS and Malware Remover, use strong, unique passwords, enable the firewall, and disable SSH, Telnet, and any other unnecessary applications and services.

Attackers use Windows RDP servers to amplify DDoS attacks

Netscout noticed that attackers are using Windows RDP systems to amplify DDoS attacks. The attackers target Windows servers with RDP enabled on UDP port 3389.

Cybercriminals send malformed UDP packets with a spoofed source address to RDP servers, which reflect much larger responses toward the DDoS target, flooding it with unwanted traffic. According to Netscout, the amplification ratio is 85.9:1, which is high, surpassed only by Jenkins (100), DNS (179), WS-Discovery (300-500), NTP (550), and Memcached (50,000) servers.

According to experts, the use of RDP to amplify attacks is already becoming widespread. Netscout has found over 14,000 RDP servers listening on UDP port 3389.
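As an added example (not code from the hexway post or from Netscout), the following script shows how a defender could spot RDP reflection in flow records: it pairs the small spoofed requests sent toward UDP/3389 with the much larger responses coming back from that port and flags any victim whose response-to-request byte ratio is far above normal. The flow records and the alarm threshold are constructed for illustration; the constructed byte sizes were chosen to reproduce the 85.9:1 ratio reported in the article.

```python
"""Flag likely RDP (UDP/3389) reflection traffic in flow records.

Added example; not from the hexway post or Netscout. The flow records
and the alarm threshold below are constructed for illustration.
"""
from collections import defaultdict

RDP_UDP_PORT = 3389
# Assumed alarm threshold: a UDP/3389 response stream carrying ten times
# more bytes than the matching requests is being used as an amplifier.
ALARM_RATIO = 10.0

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes)
SAMPLE_FLOWS = [
    # small spoofed "requests" that appear to come from the victim address
    ("203.0.113.10", 40001, "198.51.100.5", 3389, "udp", 120),
    ("203.0.113.10", 40002, "198.51.100.6", 3389, "udp", 120),
    # reflected responses back to the victim (10308 / 120 = 85.9:1)
    ("198.51.100.5", 3389, "203.0.113.10", 40001, "udp", 10308),
    ("198.51.100.6", 3389, "203.0.113.10", 40002, "udp", 10308),
    # a normal TCP RDP session; must not be flagged
    ("198.51.100.7", 3389, "192.0.2.20", 50123, "tcp", 5000),
    ("192.0.2.20", 50123, "198.51.100.7", 3389, "tcp", 4000),
]


def rdp_reflection_report(flows, alarm_ratio=ALARM_RATIO):
    """Return {victim_ip: {"reflectors": set, "sent_bytes": int,
    "received_bytes": int, "ratio": float}} for victims receiving
    amplified UDP/3389 traffic."""
    sent = defaultdict(int)  # (victim, reflector) -> bytes sent to udp/3389
    recv = defaultdict(int)  # (victim, reflector) -> bytes received from udp/3389
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue  # RDP reflection abuses the UDP listener only
        if dport == RDP_UDP_PORT:
            sent[(src, dst)] += nbytes
        elif sport == RDP_UDP_PORT:
            recv[(dst, src)] += nbytes

    report = {}
    for (victim, reflector), rbytes in recv.items():
        sbytes = sent.get((victim, reflector), 0)
        ratio = rbytes / sbytes if sbytes else float("inf")
        if ratio < alarm_ratio:
            continue
        entry = report.setdefault(
            victim, {"reflectors": set(), "sent_bytes": 0, "received_bytes": 0}
        )
        entry["reflectors"].add(reflector)
        entry["sent_bytes"] += sbytes
        entry["received_bytes"] += rbytes

    for entry in report.values():
        s = entry["sent_bytes"]
        entry["ratio"] = entry["received_bytes"] / s if s else float("inf")
    return report


if __name__ == "__main__":
    for victim, info in rdp_reflection_report(SAMPLE_FLOWS).items():
        print(f"{victim}: {len(info['reflectors'])} reflector(s), "
              f"amplification {info['ratio']:.1f}:1")
```

The same logic applies to the other reflectors named in the article by changing the port and threshold; a victim's own flow records will show the request side as spoofed traffic it never actually sent, which is why the report keys on the address receiving the responses rather than on the reflector.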
