What's new around the internet


Src | Date (GMT) | Title | Description | Tags | Stories | Notes
Fortinet | 2021-12-20 06:10:10 | New Log4j Vulnerability (CVE-2021-45046) Results in Denial of Service (direct link)

UPDATE December 17 2021: The Apache Software Foundation has changed the impact from Denial of Service to Remote Code Execution and has upgraded the CVSS score from 3.7 to 9.0; this Threat Signal has been updated accordingly, along with the protection information.

What is the Vulnerability? (Updated on December 17th)
This is a new vulnerability (CVE-2021-45046) discovered in Log4j, the same utility for which a critical vulnerability known as Log4Shell (CVE-2021-44228) was announced last week. Successfully exploiting this new vulnerability would result in an information leak and remote code execution (RCE) in some environments and local code execution in all environments. Initially, CVE-2021-45046 was identified as a Denial of Service vulnerability and given a CVSS score of 3.7; the score was upgraded to 9.0 once it was shown that remote code execution and an information leak could be achieved through successful exploitation. Apache provides the following updated description in their advisory of December 16th:

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments; remote code execution has been demonstrated on macOS but no other tested environments.

FortiGuard Labs previously released a Threat Signal for CVE-2021-44228 (Log4Shell). See the Appendix for a link to "Apache Log4J Remote Code Execution Vulnerability (CVE-2021-44228)".

What Versions of Log4j are Affected?
All versions from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0.

Has Apache Released a Fix for CVE-2021-45046?
Yes. In response to the issue, Apache Log4j 2.16.0 was released for Java 8 and up and 2.12.2 for Java 7.

What is the Status of Coverage? (Updated on December 17th)
FortiGuard Labs provides the following AV coverage against CVE-2021-45046: Apache.Log4j.Error.Log.Remote.Code.Execution

Any Suggested Mitigation?
Apache provides the following mitigation in their advisory:
Log4j 1.x mitigation: Log4j 1.x is not impacted by this vulnerability.
Log4j 2.x mitigation: Implement one of the mitigation techniques below.
- Java 8 (or later) users should upgrade to release 2.16.0.
- Users requiring Java 7 should upgrade to release 2.12.2 when it becomes available (work in progress, expected to be available soon).
- Otherwise, remove the JndiLookup class from the classpath:
  zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.

Tags: Vulnerability Threat
Fortinet | 2021-12-15 16:45:13 | Newly Patched Windows Vulnerability (CVE-2021-43890) Being Exploited to Deliver Malware (direct link)

FortiGuard Labs is aware of a report that a newly patched Windows vulnerability (CVE-2021-43890) is being exploited in the wild to deliver malware such as Emotet, TrickBot and BazaLoader. Exploiting CVE-2021-43890 allows an attacker to create a malicious package file that looks like a legitimate application. The vulnerability was patched as part of Microsoft's Patch Tuesday in December 2021.

Why is this Significant?
This is significant because CVE-2021-43890 was abused as a zero-day to deliver Emotet, TrickBot and BazaLoader. These malware families typically deploy additional malware, including ransomware, to a compromised machine.

What is CVE-2021-43890?
CVE-2021-43890 is a Windows AppX Installer spoofing vulnerability that allows an attacker to pass off a malicious package as legitimate software. For example, an attacker can abuse CVE-2021-43890 to create a fake malicious package that carries the icon of legitimate software, a valid certificate that marks the package as a Trusted App, and fraudulent publisher information. Together these increase the chance of convincing the victim to run the file.
[Image: "Windows AppX Installer abuse to install Emotet", courtesy of BleepingComputer]
Microsoft rates this vulnerability as Important.

Has the Vendor Released a Fix for the Vulnerability?
Yes, Microsoft released a fix on December 14th, 2021, as part of the December Patch Tuesday.

What is the Status of Coverage?
There is not yet sufficient information available for FortiGuard Labs to develop IPS protection for CVE-2021-43890.
FortiGuard Labs provides the following AV coverage against malware that abuses CVE-2021-43890: W32/GenCBL.BHP!tr, W32/Kryptik.HNMX!tr

Tags: Ransomware Malware Vulnerability
Fortinet | 2021-12-13 09:00:42 | Apache Log4J Remote Code Execution Vulnerability (CVE-2021-44228) (direct link)

FortiGuard Labs is aware of a remote code execution vulnerability in Apache Log4j. Log4j is a Java-based logging and audit framework within Apache. Apache Log4j2 2.14.1 and below are susceptible to a remote code execution vulnerability that a remote attacker can leverage to take full control of a vulnerable machine. This vulnerability is also known as Log4Shell and has been assigned CVE-2021-44228. FortiGuard Labs will be monitoring this issue for any further developments.

What are the Technical Details?
In Apache Log4j2 versions 2.14.1 and below, the Java Naming and Directory Interface (JNDI) features do not protect against attacker-controlled LDAP and other JNDI-related endpoints. A remote code execution vulnerability exists where attacker-controlled log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

What Versions of Software are Affected?
Apache Log4J versions 2.0-beta9 to 2.14.1 are affected.

Is there a Patch or Security Update Available?
Yes, moving to version 2.15.0 mitigates this issue. Further mitigation steps are available from Apache as well. Please refer to "Apache Log4j Security Vulnerabilities" in the APPENDIX for details.

What is the CVSS Score?
10 (CRITICAL)

What Exactly is Apache Log4j?
According to Apache: Log4j is a tool to help the programmer output log statements to a variety of output targets. In case of problems with an application, it is helpful to enable logging so that the problem can be located. With log4j it is possible to enable logging at runtime without modifying the application binary. The log4j package is designed so that log statements can remain in shipped code without incurring a high performance cost. It follows that the speed of logging (or rather not logging) is capital. At the same time, log output can be so voluminous that it quickly becomes overwhelming. One of the distinctive features of log4j is the notion of hierarchical loggers. Using loggers it is possible to selectively control which log statements are output at arbitrary granularity.

What is the Status of Protections?
FortiGuard Labs has IPS coverage in place for this issue (version 19.215): Apache.Log4j.Error.Log.Remote.Code.Execution
While we urge customers to patch vulnerable systems as soon as possible, FortiEDR monitors and protects against payloads delivered by exploitation of the vulnerability. The picture below demonstrates blocking of a PowerShell payload used as part of CVE-2021-44228 exploitation:
[Image: FortiEDR blocking a PowerShell payload delivered through CVE-2021-44228 exploitation]
Detection of exploitable systems is possible via FortiEDR threat hunting by searching for the loading of vulnerable log4j versions. This is an example of a vulnerable log4j library being loaded by an Apache Tomcat server:
[Image: FortiEDR threat hunting view of a vulnerable log4j library loaded by Apache Tomcat]

Any Suggested Mitigation?
According to Apache, the following specific mitigation steps are available: In releases >=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to "true". For releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the JndiLookup class from the classpath:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
FortiGuard Labs recommends that organizations affected by CVE-2021-44228 update to version 2.15.0 immediately. Apache also recommends that users running versions 1.0 or lower install version 2.0 or higher, as Log4j 1.0 reached end of life in August 2015 and no longer receives security updates. Binary patches are never provided and must be compiled.
For further details, refer to "Apache Log4j Security Vulnerabilities" in the APPENDIX. If this is not possible, various countermeasures, such as isolating public-facing machines behind a firewall or VPN, are recommended.

Tags: Tool Vulnerability Threat ★★★★★
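The two Log4j entries above (CVE-2021-44228 and CVE-2021-45046) give the affected log4j-core version ranges and, as a fallback, deleting JndiLookup.class from the jar. The scanner below is an added example, not Fortinet's or Apache's code: it reads the log4j-core version from the Maven pom.properties a jar ships, checks whether JndiLookup.class is still present, and maps the result onto the advisories' affected and fixed versions. The sample jar it builds for testing is constructed, not a real log4j artefact.

```python
import io
import re
import zipfile

# Class whose deletion from log4j-core is the advisories' fallback mitigation.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def version_key(v):
    """Sortable key; a pre-release tag (2.0-beta9) sorts before the final 2.0."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z0-9]+))?$", v or "")
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1, pre or "")

def classify(version):
    """Advisory ranges: 2.0-beta9..2.14.1 both CVEs, up to 2.15.0 only
    CVE-2021-45046; 2.16.0 (Java 8+) and 2.12.2 (Java 7) are the fixes."""
    k = version_key(version)
    if k is None:
        return "unknown version"
    if k >= version_key("2.16.0") or k == version_key("2.12.2"):
        return "fixed"
    if version_key("2.0-beta9") <= k <= version_key("2.14.1"):
        return "affected: CVE-2021-44228, CVE-2021-45046"
    if version_key("2.14.1") < k <= version_key("2.15.0"):
        return "affected: CVE-2021-45046"
    return "not affected"

def inspect_jar(data):
    """Return (version or None, has_jndi_lookup) for the bytes of a jar file."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        version = None
        if POM_PROPS in names:
            for line in z.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        return version, JNDI_CLASS in names

def assess(version, has_jndi_lookup):
    """A jar with JndiLookup stripped counts as mitigated whatever its version."""
    if not has_jndi_lookup:
        return "mitigated: JndiLookup.class removed"
    return classify(version)

def build_sample_jar(version, with_jndi=True):
    """Constructed test jar (not a real log4j artefact) so the scan runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            z.writestr(JNDI_CLASS, b"placeholder")  # stand-in bytes, not bytecode
    return buf.getvalue()
```

To inventory a host, read each .jar found on disk and pass its bytes to inspect_jar and assess; a jar that reports "fixed" or "mitigated" is consistent with the advisories, anything else needs the upgrade or class removal above.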
Fortinet | 2021-12-06 22:36:49 | Joint CyberSecurity Advisory on Attacks Exploiting Zoho ManageEngine ServiceDesk Plus Vulnerability (CVE-2021-44077) (direct link)

FortiGuard Labs is aware of a recent joint advisory released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) on APT actors actively exploiting a critical vulnerability in Zoho ManageEngine ServiceDesk Plus. Successfully exploiting the vulnerability (CVE-2021-44077) enables an attacker to compromise administrator credentials, propagate through the compromised network, and conduct cyber espionage.

Why is this Significant?
This is significant because the advisory was released in response to observed active exploitation of the vulnerability. Zoho, the vendor of ManageEngine ServiceDesk Plus, states in their advisory that "we are noticing exploits of this vulnerability, and we strongly urge all customers using ServiceDesk Plus (all editions) with versions 11305 and below to update to the latest version immediately".

What Product and Versions are Vulnerable?
The vulnerable product is ServiceDesk Plus, all editions. Vulnerable versions are all versions up to, and including, version 11305.

What are the Technical Details of the Vulnerability?
Not much information is currently available on the vulnerability, other than that it is related to /RestAPI URLs in a servlet and to ImportTechnicians in the Struts configuration.

What CVE Number and Severity are Assigned to the Vulnerability?
The vulnerability is assigned CVE-2021-44077 and is rated critical, with a CVSS score of 9.8.

Which Industries are Targeted?
According to the advisory, Critical Infrastructure Sector industries, including the healthcare, financial services, electronics and IT consulting industries, are targeted by threat actors.

What Malicious Activities Conducted by the Threat Actors were Observed?
CISA provided the following tactics, techniques and procedures (TTPs) for the observed activities:
- Writing webshells to disk for initial persistence
- Obfuscating and deobfuscating/decoding files or information
- Conducting further operations to dump user credentials
- Living off the land by only using signed Windows binaries for follow-on actions
- Adding/deleting user accounts as needed
- Stealing copies of the Active Directory database (NTDS.dit) or registry hives
- Using Windows Management Instrumentation (WMI) for remote execution
- Deleting files to remove indicators from the host
- Discovering domain accounts with the net Windows command
- Using Windows utilities to collect and archive files for exfiltration
- Using custom symmetric encryption for command and control (C2)

Has the Vendor Patched the Vulnerability?
Yes, Zoho released a patch on September 16, 2021.

Has the Vendor Released an Advisory?
Yes, the vendor released an advisory on September 16, 2021. An additional advisory was released on November 22, 2021. Links are in the Appendix.

What is the Status of Coverage?
FortiGuard Labs provides the following AV coverage against available files that were used in the attack: Java/Webshell.AD!tr, W64/Agent.BG!tr.pws, W32/Agent.CY!tr, Trojan.Win32.Agentb.kpbc, HEUR:Trojan-Dropper.Win32.Agentb.gen, HEUR:Backdoor.Multi.MalGO.a, Backdoor.Java.JSP.au, Trojan.Win64.Agentb.azo, Trojan.Win32.Agentb.kpbd, Trojan.Win64.Agentb.azp
As for CVE-2021-44077, there is not sufficient information available for FortiGuard Labs to develop IPS protection. FortiGuard Labs will investigate protection once such information becomes available and will update this Threat Signal accordingly.

Tags: Vulnerability Threat ★★★★★
Fortinet | 2021-11-23 17:18:27 | New Proof of Concept for CVE-2021-42321 Released (Microsoft Exchange Remote Code Execution Vulnerability) (direct link)

FortiGuard Labs is aware of a new proof of concept that leverages CVE-2021-42321, a Microsoft Exchange Server remote code execution vulnerability. The proof of concept, released by security researcher @jannggg on Twitter, exploits a post-authentication remote code execution vulnerability. Patches for CVE-2021-42321 were released by Microsoft on November 9th, and the vulnerability is rated as IMPORTANT.

What is the CVSS Score?
This vulnerability has a CVSS Base Score of 8.8.

Does the Attacker Need to be Authenticated?
Yes. The attacker needs to be authenticated to the Microsoft Exchange Server.

What Versions of Software are Affected?
Microsoft has released security updates for the following versions of Microsoft Exchange:
- Exchange Server 2013
- Exchange Server 2016
- Exchange Server 2019

Is this Being Exploited In the Wild?
Yes, Microsoft states that exploitation is limited to targeted attacks.

Has the Vendor Issued a Patch?
Yes, Microsoft issued a patch on November 9th. For further information on the vulnerability, including a link to the available patches, please refer to the "Released: November 2021 Exchange Server Security Updates" link in the APPENDIX.

Any Suggested Mitigation?
As there have been reports of exploitation in the wild, and proof of concept code is now available, it is imperative that patches are applied to affected systems as soon as possible. Also, to determine which machines may be behind on updates with respect to this latest patch, Microsoft has made available a PowerShell script that helps inventory potentially vulnerable machines on the network. Please refer to "Exchange Server Health Checker" in the APPENDIX for this script.

What is the Status of Coverage?
Coverage is being investigated at this time for feasibility. This Threat Signal will be updated once further information is available.

Tags: Vulnerability Threat
Fortinet | 2021-11-19 10:21:31 | Memento Group Exploited CVE-2021-21972, Hid Five Months to Deploy Ransomware (direct link)

FortiGuard Labs is aware of a report that a new adversary carried out an attack using a Python-based ransomware called "Memento." The Memento attackers are reported to have taken advantage of a remote code execution vulnerability in a VMware vCenter Server plugin (CVE-2021-21972) as an initial attack vector. The group started to exploit the vulnerability in April, then stayed in the network until they deployed ransomware to the victim's network upon completion of their data exfiltration.

Why is this Significant?
This is significant because the attacker was able to stay in the victim's network for more than 5 months after gaining initial access by exploiting CVE-2021-21972. Because of the severity of the vulnerability, CISA released an alert on February 24th, 2021 urging admins to apply the patch as soon as possible.

What is CVE-2021-21972?
CVE-2021-21972 is a remote code execution vulnerability in a VMware vCenter Server plugin. The vulnerability is due to improper handling of request parameters in the vulnerable application. A remote attacker could exploit it by uploading a specially crafted file to the targeted server. Successful exploitation could lead to arbitrary code execution on the affected system. CVE-2021-21972 has a CVSS (Common Vulnerability Scoring System) score of 9.8 and affects the following products:
- vCenter Server 7.0 prior to 7.0 U1c
- vCenter Server 6.7 prior to 6.7 U3l
- vCenter Server 6.5 prior to 6.5 U3n
For more details, see the Appendix for a link to the VMware advisory "VMSA-2021-0002".

Has the Vendor Released a Patch for CVE-2021-21972?
Yes, VMware released a patch for CVE-2021-21972 in February 2021.

What are the Details of the Attack Carried Out by the Memento Group?
According to security vendor Sophos, the attacker gained access to the victim's network in April 2021 by exploiting CVE-2021-21972. In May, the attacker deployed the wmiexec remote shell tool and the secretsdump hash dumping tool to a Windows server. Wmiexec is a tool that allows the attacker to remotely execute commands through WMI (Windows Management Instrumentation). Secretsdump is a tool that allows the attacker to extract credential material from the Security Account Manager (SAM) database. The attacker then downloaded a command-line version of WinRAR and two RAR archives containing various hacking tools used for reconnaissance and credential theft to the compromised server. After that, the adversary used RDP (Remote Desktop Protocol) over SSH to spread further within the network. In late October, after staying low for 5 months, the attacker collected files from the compromised machines and archived them with WinRAR for data exfiltration. The attacker then deployed the initial variant of the Memento ransomware to the victim's network, but the file encryption process was blocked by anti-ransomware protection. The attacker then switched ransom tactics, putting the victim's files into password-protected archive files instead of encrypting them.

What is Memento Ransomware?
Memento is a Python-based ransomware used by the Memento group. The first Memento variant simply encrypts files on the compromised machine. The second variant does not involve file encryption; it collects files from the compromised machine and puts them into password-protected archives.

What is the Status of Coverage?
FortiGuard Labs provides the following AV coverage for the available samples used in the attack: W32/KeyLogger.EH!tr.spy, PossibleThreat.PALLASNET.H, Riskware/Miner, Riskware/Impacket, Riskware/Mimikatz, Riskware/Secretdmp
FortiGuard Labs provides the following IPS coverage for CVE-2021-21972: VMware.vCenter.vROps.Directory.Traversal

Other Workarounds?
VMware provided a workaround for CVE-2021-21972. See the Appendix for a link to "Workaround Instructions for CVE-2021-21972 and CVE-2021-21973 on VMware vCenter Server (82374)".

Tags: Ransomware Tool Vulnerability Guideline
Last update at: 2024-07-06 20:08:23