Zyxel Threat Intelligence (Release Date: 2021-11-17)

zyxel_Lin Posts: 26  Zyxel Employee
edited November 2021 in Security Highlight

According to the NTT Monthly Threat Report for August 2021, ransomware has exploded over the past couple of years. We are likely facing at least 300% growth in ransomware incidents and payouts over the past two years.

Zyxel keeps its malware detection up to date. This article focuses on Cerber ransomware. Parts 2 and 3 are included in the November Monthly Threat Report and cover the Intrusion Detection and Application Patrol updates. You can find more details, history, and signature information in the Zyxel Encyclopedia.

Part 1 Virus/Malware Spotlight

Highlight (partial)

Name: Gen.Heur.MSIL.Androm

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded from malicious sites.

This backdoor starts the following process:

•  "%Windows%\System32\msiexec.exe"

(Note: %Windows% is the Windows folder, which is usually C:\Windows on all Windows operating system versions.)

This backdoor drops the following file in the Windows user Startup folder so that it executes automatically at every system startup:

•  %User Startup%\v1v1vPk.exe

(Note: %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, C:\Documents and Settings\{User name}\Start Menu\Programs\Startup on Windows 2003(32-bit), XP and 2000(32-bit), or C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit), 10(64-bit).)
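A defender-side check for the persistence mechanism described above, added here as an example and not taken from the Zyxel post: it enumerates every Startup folder for executable content (flagging the v1v1vPk.exe indicator by name) and lists running msiexec.exe instances with their parent process. It assumes Windows Vista or later (Startup under each profile's AppData\Roaming path) and an elevated session so all profiles are readable.

```powershell
# Added example, not from the Zyxel post: audit Startup folders for unexpected
# executables such as the v1v1vPk.exe dropper named in the bulletin, and list
# running msiexec.exe instances with their parent process. Assumes Windows
# Vista or later and an elevated PowerShell session.

$StartupRel = 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
$KnownBad   = @('v1v1vPk.exe')   # indicator from the bulletin; add your own names
$RiskyExt   = @('.exe', '.dll', '.scr', '.vbs', '.js', '.ps1', '.bat', '.cmd', '.hta')

# Per-user Startup folders plus the machine-wide one under ProgramData.
$folders = @(Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')
$folders += Get-ChildItem -Path 'C:\Users' -Directory |
            ForEach-Object { Join-Path $_.FullName $StartupRel }

$findings = foreach ($folder in $folders) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }
    # -Force includes hidden files, which droppers sometimes mark as such.
    foreach ($item in Get-ChildItem -LiteralPath $folder -File -Force) {
        $reason = $null
        if ($KnownBad -contains $item.Name) {
            $reason = 'known indicator from bulletin'
        } elseif ($RiskyExt -contains $item.Extension.ToLower()) {
            $reason = 'executable content in Startup folder'
        }
        if ($reason) {
            [PSCustomObject]@{
                Path    = $item.FullName
                Reason  = $reason
                Created = $item.CreationTime
                # SHA-256 lets you cross-check the file against AV or sandbox verdicts.
                SHA256  = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

"== Startup folder findings =="
$findings | Format-Table -AutoSize

# msiexec.exe whose parent is neither the Windows Installer service nor an
# interactive installer deserves a closer look.
"== Running msiexec.exe instances =="
Get-CimInstance Win32_Process -Filter "Name = 'msiexec.exe'" | ForEach-Object {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
    [PSCustomObject]@{
        PID         = $_.ProcessId
        Parent      = if ($parent) { $parent.Name } else { '<exited>' }
        CommandLine = $_.CommandLine
    }
} | Format-Table -AutoSize
```

Any hit in the Startup folder table should be quarantined and its hash checked against your anti-malware verdicts rather than deleted outright, so the sample remains available for analysis.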


Name: Trojan.Ransom.Cerber

What Is Cerber Ransomware?

Ransom.Cerber is a type of malware that first appeared in 2016. What sets Cerber apart from other types of ransomware is that it is distributed under a "ransomware-as-a-service" (RaaS) model.

Malware developers offer their ransomware to other criminals, who pay the developers a commission for its use. Ransom.Cerber encrypts users' data and demands a ransom to decrypt it; there are currently no free decryption tools available. Once your files have been taken hostage, the only way to regain access to them is to pay.

How does Cerber ransomware work?

Ransom.Cerber is distributed as an infected attachment to a phishing email or as a Trojan bundled with a software download from infected websites. Its encryption scheme uses an RSA-2048 key together with AES-256 encryption in CBC mode. Cerber encrypts all of your files, including documents, images, audio, video, and even data storage files.

How to prevent Cerber Ransomware?

Zyxel security appliances provide comprehensive protection with actively patched and monitored measures:

• Email Security stops malicious email
• URL Threat Filter prevents users from opening unsafe/malicious links (from email)
• IDP detects and stops ransomware attempts to contact its C&C server
• Anti-Malware prevents users from downloading malware-infected files
• SecuReporter shows which kinds of attacks have been detected

Part 2 Intrusion Detection

Highlight

CVE-2020-0688

Base Score: 8.8 (High)

A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka 'Microsoft Exchange Memory Corruption Vulnerability'. (NIST)

CVE-2020-1687

Base Score: 7.2 (High)

A remote code execution vulnerability exists in Microsoft Exchange server due to improper validation of cmdlet arguments. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the System user, aka 'Microsoft Exchange Server Remote Code Execution Vulnerability'. (NIST)

Part 3 Application Patrol

New applications have been added. The set of updated applications differs by model. See the Zyxel Encyclopedia for more information.


To make managing the licenses for your devices easier, the Marketplace is now open so you can buy licenses conveniently and securely.

These are the three major benefits for you as a customer when using the Marketplace:

  • Get immediate license renewal
  • Avoid purchasing incorrect license(s) thanks to our filtered product listing
  • Review your device and license status online