What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2022-06-03 18:50:53 | New Confluence Vulnerability (CVE-2022-26134) Exploited in the Wild (lien direct) | FortiGuard Labs is aware of a new vulnerability in Confluence Server and Data Center (CVE-2022-26134) which was reportedly exploited as a zero-day in the wild. Rated critical, successful exploitation of the vulnerability allows an unauthenticated remote attacker to execute arbitrary code on the compromised server. The vulnerability affects all supported versions of unpatched Confluence Server and Data Center.Why is this Significant?This is significant because Confluence Server and Data Center (CVE-2022-26134) was reportedly exploited as a 0-day in the wild. The vulnerability is an OGNL injection vulnerability that allows an unauthenticated remote attacker to execute arbitrary code on the compromised server.Confluence is a widely-used team workspace and collaboration tool developed by Atlassian. It is used to help teams collaborate and share knowledge via a content management system and is used by many large scale enterprise and organizations worldwide. This vulnerability does not have a CVSS score at the moment, but the ease of exploitation via an unauthenticated session and combined with remote code execution is a cause for concern.What versions of Confluence Server and Data Center are Affected by CVE-2022-26134?The advisory released by Atlassian states that the following versions are affected:All supported versions of Confluence Server and Data CenterConfluence Server and Data Center versions after 1.3.0What Malware was Deployed to the Compromised Server?It was reported that China Chopper has been deployed on to compromised servers. China Chopper is a tiny webshell that provides a remote attacker backdoor access to a compromised system.Has the Vendor Released an Advisory for CVE-2022-26134?Yes. See the Appendix for a link to "Confluence Security Advisory 2022-06-02".Has the Vendor Released a Patch?Yes, Atlassian has released a patch on June 3rd, 2022.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against the China Chopper webshell that was reportedly deployed on known compromised Confluence servers:Java/Websh.D!trAll known network IOC's associated with attacks leveraging CVE-2022-26134 are blocked by the FortiGuard WebFiltering Client.FortiGuard Labs is currently investigating for additional coverage against CVE-2022-26134. This Threat Signal will be updated when additional information becomes available.Any Suggested Mitigation?The advisory includes mitigation information. See the Appendix for a link to "Confluence Security Advisory 2022-06-02". | Malware Tool Vulnerability Threat | ||
|
2022-06-03 09:50:26 | Active Exploitation of WSO2 Vulnerability (CVE-2022-29464) Delivers Malware (lien direct) | FortiGuard Labs is aware that a WSO2 vulnerability (CVE-2022-29464) that was patched in February 2022 and was disclosed in April is still being actively exploited in the field. CVE-2022-29464 is an unrestricted arbitrary file upload, and remote code execution vulnerability that allows unauthenticated and remote attackers to execute arbitrary code in the vulnerable WSO2 products. Why is this Significant?This is significant because despite the fact CVE-2022-29464 was patched in February and was disclosed in April, the vulnerability is still being actively exploited. This means that attacks that leverage CVE-2022-29464 have some level of success rate even now. With the vulnerability being actively exploited and a Proof-of-Concept (POC) code became publicly available in late April. users and administrators should review the WSO2's advisory and apply the patch or necessary workaround.Also, CVE-2022-29464 is included in the CISA's Known Exploited Vulnerabilities Catalog, which lists vulnerabilities that US federal agencies are required to patch their information systems within specific timeframes and deadlines.What is CVE-2022-29464?CVE-2022-29464 is a vulnerability in multiple WSO2 products that allows unauthenticated and remote attackers to execute arbitrary code on the affected systems. The vulnerability is rated Critical and has a CVSS Score of 9.8. The advisory has the following products as vulnerable:WSO2 API Manager 2.2.0, up to 4.0.0WSO2 Identity Server 5.2.0, up to 5.11.0 WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, 5.6.0WSO2 Identity Server as Key Manager 5.3.0, up to 5.11.0WSO2 Enterprise Integrator 6.2.0, up to 6.6.0WSO2 Open Banking AM 1.4.0, up to 2.0.0 WSO2 Open Banking KM 1.4.0, up to 2.0.0What Malware were Deployed after Successful Exploitation of CVE-2022-29464?Cobalt Strike, backdoor, cryptocoin miner and hacktool are reported to have been deployed to the compromised systems.Has the Vendor Released an Advisory?Yes. See the Appendix for a link to "Security Advisory WSO2-2021-1738".Has the Vendor Released a Patch for CVE-2022-29464?Yes. According to the WSO's advisory, WSO2 released temporary mitigations in January 2022 and released permanent fixes for all the supported product versions in February.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against files associated with CVE-2022-29464:W64/Agent.CY!trELF/Agent.AR!trELF/BitCoinMiner.HF!trJava/Agent.AUJ!trJava/Webshell.E!trJava/Webshell.0CC4!trRiskware/Generic.H2Malicious_Behavior.SBFortiGuard Labs provides the following IPS coverage against CVE-2022-29464:WSO2.fileupload.Arbitrary.File.Upload (default action is set to pass)Known network IOCs for CVE-2022-29464 are blocked by the WebFiltering client. | Malware Vulnerability | ||
|
2022-06-03 09:37:18 | Ransomware Roundup - 2022/06/02 (lien direct) | FortiGuard Labs is aware of a number of new ransomware strains for the week of May 30th, 2022. It is imperative to raise awareness about new ransomware strains as infections can cause severe damage to organizations. This week's Ransomware Roundup Threat Signal covers Hive ransomware, Bright Black Ransomware and Karakurt Data Extortion Group, and Fortinet protections against them.What is Hive Ransomware?Hive ransomware is a Ransomware-as-a-Service (RaaS) that was first observed in June 2021. This ransomware is highlighted in this Threat Signal as Costa Rica's public health system was reportedly compromised by the ransomware.As a RaaS, the Hive ransomware group consists of two types of groups: ransomware operator (developer) and affiliates. The former develops Hive ransomware, provides support for its affiliates, operates ransom payment site as well as a date leak site called "HiveLeaks" on Tor. The latter carries out actual attacks that infect victims, exfiltrate data from victims, and deploy Hive ransomware onto the compromised machine. An apparent underground forum post that recruited Hive ransomware conspirators promised 80% cut for the affiliates. Hive ransomware is the main arsenal that is deployed to the compromised machine to encrypt files. Before the file encryption takes place, data is stolen from the victim and shadow copies are deleted, which makes file recovery awfully difficult. Typical files encrypted by Hive ransomware have a .hive extension. Other reported file extensions include .aumcc, .sncip, .accuj and .qxycv. According to a report published by Group-IB, "the data encryption is often carried out during non-working hours or at the weekend" in an attempt to encrypt as many files as possible without being noticed.Typical ransom note left behind by Hive ransomware below:Your network has been breached and all data is encrypted.To decrypt all the data you will need to purchase our decryption software.Please contact our sales department at: xxxx://[removed].onion/ Login: [removed] Password: [removed] Follow the guidelines below to avoid losing your data: - Do not shutdown or reboot your computers, unmount external storages. - Do not try to decrypt data using third party software. It may cause irreversible damage. - Don't fool yourself. Encryption has perfect secrecy and it's impossible to decrypt without knowing the key. - Do not modify, rename or delete *.key.hive files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to authorities. The negotiation process will be terminated immediately and the key will be erased. - Do not reject to purchase. Your sensitive data will be publicly disclosed at xxxx://[removed]onion/ The group employs a double extortion technique which victims are asked to make a ransom payment in order to recover encrypted files as well as to prevent the stolen data from being published to "HiveLeaks". Some victims reportedly received phone calls from Hive threat actors. The victim will receive a decryption tool upon the completion of payment, however, there was a chatter that suggests the decryption tool did not work as advertised in some cases and made virtual machines unbootable due to the tool corrupting the MBR (Master Boot Record).Initial attack vectors include phishing emails with malicious attachment, attacking vulnerable RDP servers, and the use of compromised VPN credentials. Purchasing network access from initial access brokers is a possibility as well.Hive ransomware reportedly victimized companies across wide range of industries such as (but not restricted to) real estate, IT and manufacturing. Some RaaS have a policy to exclude governmental educational and military organizations, health care, and critical infrastructures such as gas pipelines and power plants. Hive ransomware does not appear to have such policy as its victims include health care and government organizations. In August, 2021, the Federal Bureau of Investigation (FBI) released a flash alert on Hive ransomware.See the Appendix for | Ransomware Malware Tool Threat | ||
|
2022-05-31 10:18:52 | Follina: 0-day Windows MSDT Vulnerability (CVE-2022-30190) Exploited In The Wild (lien direct) | FortiGuard Labs is aware that a 0-day vulnerability in Microsoft Support Diagnostic Tool is being exploited in the wild. The first sample that exploits the vulnerability appeared on VirusTotal on April 12th, 2022. Assigned CVE-2022-30190, successful exploitation allows an attacker to run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user's rights.Why is the Significant?This is significant because the vulnerability is a 0-day vulnerability in Microsoft Support Diagnostic Tool that allows remote code execution and is being exploited in the wild.What is CVE-2022-30190?The vulnerability is a remote code execution vulnerability that was named "Follina" by a security researcher Kevin Beaumont. The name "Follina" was derived from the 0-day code referencing "0438", which is the area code of Follina, Italy. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application such as Word. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user's rights.A malicious Word file that is widely discussed online abuses the remote template feature in Microsoft Word and retrieves a remote HTML file. The retrieved HTML file uses the "ms-msdt" MSProtocol URI scheme load and execute the PowerShell payload. Note that ms-msdt refers to "Microsoft Support Diagnostic Tool", which a legitimate Microsoft tool collects and sends system information back to the Microsoft for problem diagnostic.What is concerning is that the vulnerability reportedly can be exploited if even if macros, one of the most prevalent ways to deliver malware via Microsoft Office files, are disabled. Also, if the document file is changed to RTF form, even previewing the document the vulnerability in Windows Explorer can trigged the exploit.How Widespread is this?While the attack that leverages the vulnerability does not appear to be widespread, however more attacks are expected as Proof-of-Concept code is available and a patch has not yet been released. Does the Vulnerability Have CVE Number?CVE-2022-30190 has been assigned to the vulnerability.Has Microsoft Released an Advisory?Yes. See the Appendix for a link to " Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability".Has Microsoft Released a Patch?No, Microsoft has not released a patch yet.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against the known sample that are associated with CVE-2022-30190:MSWord/Agent.2E52!tr.dldrKnown network IOCs for CVE-2022-30190 are blocked by the WebFiltering client.FortiGuard Labs is currently investigating for additional coverage against CVE-2022-30190. This Threat Signal will be updated when additional information becomes available.Any Suggested Mitigation?Microsoft released an official blog on CVE-2022-30190 that includes mitigation information. See the Appendix for a link to "Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability". | Malware Tool Vulnerability Threat | ★★ | |
|
2022-05-26 21:52:30 | Ransomware Roundup - 2022/05/26 (lien direct) | FortiGuard Labs became aware of a number of new Ransomware strains for the week of May 23rd, 2022. It is imperative to raise awareness about new ransomware as infections can cause severe damage to the affected machines and organizations. This Threat Signal covers Yashma ransomware, GoodWill ransomware and Horsemagyar ransomware along with Fortinet protections against them.What is Yashma Ransomware?Yashma ransomware is a new and is generated through Yashma ransomware builder. It is claimed as the sixth version of Chaos ransomware builder. Reportedly, compared to the fifth version, Yashma ransomware builder now supports the "forbidden country" option which attackers can choose not to run the generated ransomware based on the victim's location. The new builder also enables the ransomware to stop a wide variety of services running on the compromised machine such as anti-malware solutions, and Remote Desktop and Backup services. Additionally, it is important to note that from the fifth version of Chaos ransomware builder, the crafted ransomware can successfully encrypt files larger than 2,117,152 bytes and no longer corrupts them.A known sample of Yashma ransomware has the following ransom note:All of your files have been encrypted with Yashma ransomwareYour computer was infected with a ransomware. Your files have been encrypted and you won'tbe able to decrypt them without our help.What can I do to get my files back?You can buy our specialdecryption software, this software will allow you to recover all of your data and remove theransomware from your computer.The price for the software is $1,500. Payment can be made in Bitcoin only.How do I pay, where do I get Bitcoin?Purchasing Bitcoin varies from country to country, you are best advised to do a quick google searchyourself to find out how to buy Bitcoin.Many of our customers have reported these sites to be fast and reliable:Coinmama - hxxps://www[.]coinmama[.]com Bitpanda - hxxps://www[.]bitpanda[.]comPayment informationAmount: 0.1473766 BTCBitcoin Address: [removed] At the time of this writing, the attacker's bitcoin wallet has no transactions.FortiGuard Labs previously released several blogs on Chaos ransomware. See the Appendix for links to "Chaos Ransomware Variant Sides with Russia" and "Chaos Ransomware Variant in Fake Minecraft Alt List Brings Destruction to Japanese Gamers".What is the Status of Coverage for Yashma ransomware?FortiGuard Labs provides the following AV coverage against a known sample of Yashma ransomware:MSIL/Filecoder.APU!tr.ransomWhat is GoodWill Ransomware?GoodWill ransomware was recently discovered, however it appears to have been first observed in March 2022. The ransomware encrypts files on the compromised machine and adds a ".gdwill" file extension to the affected files.Unlike other ransomware that demands ransom to recover the encrypted files, GoodWill asks the victim to do three good deeds. Firstly, the victim must provide clothes and blankets to needy people on the street. Secondly, the victim must feed dinner to five children at a pizza or fried chicken joint. Lastly, the victim must visit a local hospital and provide financial assistance to those in need. After finishing each deed, proof must be provided to the attacker, and a decryption tool and video instruction will be provided to the victim after completing all the deeds.What is the Status of Coverage for GoodWill ransomware?FortiGuard Labs provides the following AV coverage against GoodWill ransomware:MSIL/Filecoder.AGR!tr.ransomWhat is Horsemagyar Ransomware?Horsemagyar ransomware is a new variant of Sojusz ransomware that was recently discovered. It encrypts files on the compromised machine and adds ".[10 digit ID number].spanielearslook.likeoldboobs" file extension to the encrypted files. The ransomware leaves a ransom note as Horse.txt. The first sighting of Sojusz ransomware goes back to February, 2022 and it added a ".[10 digit ID number].[attacker's email address].bec" extension to the files it encrypted.Example of ransom note left behind by Horsemagyar ransomware is below:: | Ransomware Tool Threat | ||
|
2022-05-24 13:32:10 | Cobalt Strike Delivered Through Fake Proof-of-Concept Code (lien direct) | FortiGuard Labs is aware of a report that a Cobalt Strike beacon was attempted to be delivered through a couple of fake Proof-of-Concept (POC) codes hosted on GitHub. The files pretend to be POCs for CVE-2022-26809 and CVE-2022-24500. They have already been removed from GitHub.Why is this Significant?This is significant because the attack targeted researchers, pen testers and infosec teams in organizations to deliver Cobalt Strike beacons, which will most likely be used to deliver malware such as ransomware.What is CVE-2022-26809?CVE-2022-26809 is a remote procedure call runtime remote code execution vulnerability that affects wide variety of Windows OS that includes Windows 7, 8, 10, 11, Windows Server 2008, 2012, 2016, 2019 and 2022. Assigned a CVSS score of 9.8, successfully exploiting the vulnerability allows an attacker to execute remote code with high privileges on a vulnerable system, leading to a full compromise. The vulnerability was patched as part of Patch Tuesday April 2022.FortiGuard Labs previously released Threat Signal on CVE-2022-26809. See the Appendix for a link to "Microsoft Released Advisory on a Critical Remote Code Execution Vulnerability in RPC (CVE-2022-26809)".What is CVE-2022-24500?CVE-2022-24500 is a Windows SMB remote code execution vulnerability that affects Windows 7, 8, 10, 11 and Windows Server 2008, 2012, 2019 and 2022. The vulnerability has a CVSS score of 8.8, and was patched as part of Patch Tuesday April 2022.The Microsoft advisory states that "For vulnerability to be exploited, a user would need to access a malicious SMB server to retrieve some data as part of an OS API call. This vulnerability requires that a user with an affected version of Windows access a malicious server. An attacker would have to host a specially crafted server share or website. An attacker would have no way to force users to visit this specially crafted server share or website, but would have to convince them to visit the server share or website, typically by way of an enticement in an email or chat message".What is Status of Coverage?FortiGuard Labs detect the fake POCs with the following AV coverage:PossibleThreatAll network IOC's are blocked by the WebFiltering client. | Malware Vulnerability Threat Guideline | ||
|
2022-05-24 13:31:49 | New ArguePatch Variant Attacks Ukraine (lien direct) | FortiGuard Labs is aware of a report that a new variant of ArguePatch malware was used in an attack against Ukraine. This ArguePatch variant includes a feature to set up a schedules task in order to perform a specific action at a specified time.Why is this Significant?This is significant because the new variant of ArguePatch malware now has a feature to perform a specific action at a specified time without setting up a scheduled task. This provides more stealthiness to the malware which allows it to stay under the radar until it actually starts to carry out a next stage action.What is ArguePatch?ArguePatch is a loader malware that was previously used in campaigns against Ukraine which involve CaddyWiper and Industroyer2. The malware is a patched version of a legitimate component of Hex-Rays IDA Pro software.FortiGuard Labs previously released Threat Signals on CaddyWiper and Industroyer2. See the Appendix for links to "Additional Wiper Malware Deployed in Ukraine #CaddyWiper" and "Industroyer2 Discovered Attacking Critical Ukrainian Verticals".What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against known variants of ArguePatch:W32/Agent.AECG!trW32/PossibleThreat | Malware Threat | ||
|
2022-05-24 13:31:05 | CISA Warns VMware Vulnerabilities Exploited in the Wild Leading to Full System Compromise (lien direct) | FortiGuard Labs is aware that the Cybersecurity and Infrastructure Security Agency (CISA) CISA released an advisory on recently patched VMware vulnerabilities (CVE-2022-22954 and CVE-2022-22960) being exploited separately and in combination, allowing threat actors to gain full control of the compromised system. Both vulnerabilities affect VMware Workspace ONE Access, Identity Manager, and vRealize Automation and were patched on April 6th, 2022. The advisory also states that CISA expects threat actors to develop exploits for newly patched VMware vulnerabilities (CVE-2022-22972 and CVE-2022-22973) quickly.Why is this Significant?This is significant because the advisory that CISA released on CVE-2022-22954 and CVE-2022-22960 was prompted by an actual incident which one large organization was compromised by an unidentified threat actor on or around April 12, 2022. According to the advisory, the threat actor "leveraged CVE-2022-22954 to execute an arbitrary shell command as a VMware user. The actor then exploited CVE-2022-22960 to escalate the user's privileges to root. With root access, the actor could wipe logs, escalate permissions, and move laterally to other systems". The advisory also warns that exploits for another VMware vulnerabilities (CVE-2022-22972 and CVE-2022-22973) will be developed soon. As such, the patches for the four vulnerabilities or workarounds should be applied as soon as possible.What is CVE-2022-22954, CVE-2022-22960, CVE-2022-22972 and CVE-2022-22973?CVE-2022-22954 is a vulnerability in VMware Workspace ONE Access, Identity Manager, and vRealize Automation, which an attacker with network access can trigger a server-side template injection that may result in remote code execution. The vulnerability has the CVSSv3 base score of 9.8 and is rated critical.FortiGuard Labs previously released Threat Signal on CVE-2022-22954. See Appendix for a link to "Newly Patched VMware Vulnerability (CVE-2022-22954) Being Exploited in the Wild".CVE-2022-22960 is a Local Privilege Escalation (LPE) vulnerability in VMware Workspace ONE Access, Identity Manager, and vRealize Automation. As LPE, attacker is required to have local access can escalate privileges to 'root'. The vulnerability has the CVSSv3 base score of 7.8 and is rated important.CVE-2022-22972 is an authentication bypass vulnerability that affects VMware Workspace ONE Access, Identity Manager and vRealize Automation. As LPE, exploitation happens locally as such an attacker is required to have access to the victim's machine to elevate privileges. The vulnerability has the CVSSv3 base score of 9.8 and is rated critical.CVE-2022-22973 is a Local Privilege Escalation (LPE) vulnerability that affects VMware Workspace ONE Access, Identity Manager and vRealize Automation. As LPE, attacker is required to have local access can escalate privileges to 'root'. The vulnerability has the CVSSv3 base score of 7.8 and is rated important.Has the Vendor Released Advisories?Yes, VMware released advisories for all four vulnerabilities. See the Appendix for links to "VMSA-2022-0011.1" and "VMSA-2022-0014".Has the Vendor Released Patches for the Vulnerabilities?VMware released patches for CVE-2022-22954 and CVE-2022-22960 on April 6th, 2022. Patches for CVE-2022-22972 and CVE-2022-22973 were released on May 18th, 2022. What is the Status of Coverage?FortiGuard Labs has released the following IPS signature for CVE-2022-22954:VMware.Workspace.ONE.Access.Catalog.Remote.Code.ExecutionA network IOC for CVE-2022-22954 called out in the CISA advisory is blocked by the WebFiltering client.CVE-2022-22960, CVE-2022-22972, CVE-2022-22973 were privately disclosed as such there currently is no available Proof-of-Concept code. FortiGuard Labs is monitoring the situation closely and will update this Threat Signal when protection becomes available.Any Suggested Mitigation?VMware has provided mitigations for CVE-2022-22954, CVE-2022-22960, CVE-2022-22972. See the Appendix for links to "KB88098" for CVE-2022-22954 and CVE-2022-22960, and "KB88433" for CVE-2022-22972. | Vulnerability Threat | ||
|
2022-05-24 13:29:37 | Meet BlackByte Ransomware (lien direct) | FortiGuard Labs is aware of a relatively new ransomware family "BlackByte" is in the wild, infecting organizations around the globe. BlackByte was first observed as early as July 2021. In February 2022, the Federal Bureau of Investigation (FBI) and the U.S. Secret Service (USSS) issued a joint advisory that "multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors (government facilities, financial, and food & agriculture) were targeted by BlackByte ransomware affiliates. In common with other ransomware, BlackByte encrypts and steals files on the compromised machines, and demands ransom from the victim to recover the files and not to leak the stolen information to the public.Why is this Significant?This is significant as the BlackByte ransomware family reportedly compromised organizations around the globe including multiple US and foreign businesses and US critical infrastructure sectors. Also, ProxyShell, an exploit attack chain involving three vulnerabilities in Microsoft Exchange Server, widely used in enterprise email application, were reported to have been used as an infection vector. Microsoft issued patches for ProxyShell in May and July 2021. BlackByte ransomware infection may indicate that some organizations have not yet applied those fixes or workaround.FortiGuard Labs previously published multiple Threat Signals on ProxyShell. See the Appendix section for links to New Threat Actor Leverages ProxyShell Exploit to Serve RansomwareVulnerable Microsoft Exchange Servers Actively Scanned for ProxyShellBrand New LockFile Ransomware Distributed Through ProxyShell and PetitPotamWhat is BlackByte?BlackByte is a ransomware-as-a-service (RaaS), which runs a business of leasing necessary ransomware services to its affiliates. Such ransomware services including developing ransomware, creating and maintaining necessary infrastructures (i.e., ransom payment portal), ransom negotiation with victims as well as provides support service to the affiliates. Attacks are typically carried out by BlackByte affiliates, who rent and use those services. Once a victim is compromised and ransom is paid, BlackByte developers take a portion of the ransom as a service fee.How does the Attack Work?Typically attacks that deliver ransomware arrive in emails, however the join advisory reported that BlackByte threat actors, in some case, exploited known Microsoft Exchange Server vulnerabilities including ProxyShell to gain access to the victim's network. Once the attacker gains a foothold in the victim's network, the attacker deploys tools such as oft-abused Cobalt Strike to move laterally across the network and escalate privileges before exfiltrating and encrypting files. Some BlackByte ransomware variants may have worm functionality, which allows itself to self-propagate through the victim's network.Files that are encrypted by BlackByte ransomware typically have a ".blackbyte" file extension.BlackByte ransomware reportedly avoids encrypting files if the ransomware detects compromised systems that use Russian and ex-USSR languages.What is ProxyShell?ProxyShell is a name for a Microsoft Exchange Server exploit chain (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) that allows an attacker to bypass ACL controls, elevate privileges and execute remote code on the compromised system.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against currently available Indicator-of-Compromises (IOCs) associated with BlackByte ransomware:RTF/BlackByte.DC56!tr.ransomW64/BlackByte.DC56!tr.ransomW32/Agent.CH!trW32/CobaltStrike.NV!trJS/Agent.49CC!trW32/PossibleThreatFortiGuard Labs provides the following IPS coverage against three vulnerabilities that are leveraged in ProxyShell:MS.Exchange.Server.CVE-2021-34473.Remote.Code.Execution (CVE-2021-34473)MS.Exchange.Server.Common.Access.Token.Privilege.Elevation (CVE-2021-34523)MS.Exchange.MailboxExportRequest.Arbitrary.File.Write (CVE-2021-31207)FortiEDR detects and blocks ProxyShell attacks out of the box without any prior knowledge | Ransomware Tool Threat | ||
|
2022-05-24 13:23:37 | Nerbian RAT Leverages COVID-19 and WHO Themed Emails to Spread (lien direct) | FortiGuard Labs is aware that a new Remote Access Trojan (RAT) called Nerbian RAT was delivered to the targets via COVID-19 and World Health Organization (WHO) themed emails. Nerbian RAT is written in the Go programming language and performs keylogging and screen capture on the compromised machine.Why is this Significant?This is significant because Nerbrian RAT was delivered through emails that leverages COVID-19 and World Health Organization (WHO) themed lures that are still effective today to COVID themed to compel unsuspecting victims to open malicious attachments. The RAT is also capable of stealing sensitive information from the compromised machine through keylogging and screen capture.What is Nerbian RAT?Nerbian RAT is a Remote Access Trojan and is written in the Go programming language. The malware was delivered to the target through COVID-19 and WHO themed emails such as the following:The attached document file contains malicious macros, which downloads a dropper file after macros are enabled. The dropper performs anti-reversing and anti-VM checks before launching Nerbian RAT. The malware has an encrypted configuration file containing information such which Command and Control (C2) servers to connect to and connection intervals, how many times the RAT tries to transfer files and C2 backup domains.The malware performs typical RAT activities such as keylogging and screen capture.How Widespread is the Malware?The malware was reportedly to have been observed in Italy, Spain, and the United Kingdom. What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against known samples of Nerbian RAT and associated files:VBA/Agent.XSQ!tr.dldrBAT/NerbianRAT.D!trMalicious_Behavior.SBRiskware/ApplicationW32/PossibleThreatPossibleThreat.PALLAS.HAll network IOC's are blocked by the WebFiltering client. | Malware | ||
|
2022-05-12 23:53:15 | Destructive Onyx ransomware in the wild (lien direct) | FortiGuard Labs is aware that a new ransomware "Onyx" is in the wild. The ransomware was first discovered in late April, 2022. The malware appears to be based on Chaos ransomware and overwrites files bigger than 2MB, making file recovery very difficult. What is this Significant?This is significant because the threat actor opted to have Onyx ransomware overwrite files bigger than 2MB on the compromised machine rather than encrypting them. Although the threat actor promises to decrypt the affected files after ransom payment is made, recovery of the overwritten files will be difficult.What does Onyx Ransomware do?The ransomware overwrites files bigger than 2MB on the compromised machine, encrypts files smaller than 2MB, and adds file extension ".ampkcz" to them. It also collects sensitive information such as credentials from the affected machine. It then displays the following ransom message and demands ransom from the victim in order to recover the affected files:"All of your files are currently encrypted by ONYX strain.As you already know, all of your data has been encrypted by our software.It cannot be recovered by any means without contacting our team directly.DON'T TRY TO RECOVER your data by yourselves. Any attempt to recover your data (including the usage of the additional recovery software) can damage your files. However,if you want to try - we recommend choosing the data of the lowest value.DON'T TRY TO IGNORE us. We've downloaded a pack of your internal data and are ready to publish it on our news website if you do not respond.So it will be better for both sides if you contact us as soon as possible.DON'T TRY TO CONTACT feds or any recovery companies.We have our informants in these structures, so any of your complaints will be immediately directed to us.So if you will hire any recovery company for negotiations or send requests to the FBI, we will consider this as a hostile intent and initiate the publication of whole compromised data immediately.To prove that we REALLY CAN get your data back - we offer you to decrypt two random files completely free of charge.You can contact our team directly for further instructions through our website :TOR VERSION :(you should download and install TOR browser first https://torproject.org)http://[Removed}].onionLogin: [Removed]Password: [Removed]YOU SHOULD BE AWARE!We will speak only with an authorized person. It can be the CEO, top management, etc.In case you are not such a person - DON'T CONTACT US! Your decisions and action can result in serious harm to your company!Inform your supervisors and stay calm!"What is the Status of Coverage?FortiGuard Labs provides the following AV detection for known Onyx ransomware samples:MSIL/Filecoder.F9C3!tr.ransom | Ransomware Malware Threat | ★★ | |
|
2022-05-10 21:09:32 | F5 BIG-IP Remote Command Execution Vulnerability (CVE-2022-1388) (lien direct) | FortiGuard Labs is aware of a new remote command execution vulnerability affecting F5 BIG-IP clients. Exploiting this vulnerability will allow an attacker to completely take over an affected device. What are the Technical Details of this Vulnerability?According to the F5 security advisory, this vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only.Because this vulnerability does not require any sophistication to exploit, and the fact that in-the-wild exploitation are reported to have been observed and proof-of-concept (PoC) codes are publicly available, it is highly recommended that organizations affected by this latest vulnerability apply all patches immediately.What Versions Are Affected?Reported versions affected by CVE-2022-1388 are:BIG-IP versions 16.1.2 through 13.1.0 (versions under 13.1.0 are affected but will not be fixed)How Serious of an Issue is This?HIGH. CVE-2022-1388 has a CVSS score of 9.8. US-CERT (CISA) has also issued an alert for this issue. For further information, please refer to F5 Releases Security Advisories Addressing Multiple Vulnerabilities in the APPENDIX.How Widespread is this Attack?Global. Malicious scans by attackers are currently underway looking for vulnerable unpatched appliances, regardless of location. Proof-of-concept codes (POC) are available and the vulnerability is reported to have been actively exploited in the wild.What is the Status of Coverage?Customers running current (IPS) definitions are protected by:F5.BIG-IP.iControl.REST.Authentication.BypassFortiGuard Labs is continuously monitoring this vulnerability and we will update this Threat Signal once more information becomes available.Are There Any Reports of Nation State Activity Actively Exploiting CVE-2022-1388?Yes, the vulnerability is reported to have been actively exploited in the wild.Any Other Suggested Mitigation?According to F5, it is recommended to apply all available patches from the May 2022 update immediately. If patching is not possible at this time, F5 recommends blocking all access to the iControl REST interface of your BIG-IP system through self IP addresses. Mitigation details can be found in the article titled - "K23605346: BIG-IP iControl REST vulnerability CVE-2022-1388" in the APPENDIX section.The potential for damage to daily operations, reputation, and unwanted release of data, the disruption of business operations, etc. is apparent, and because of this it is important to keep all AV and IPS signatures up to date. It is also important to ensure that all known vendor vulnerabilities within an organization are addressed once available, and updated on a regular basis to protect against attackers establishing a foothold within a network. | Vulnerability Threat Patching | ★★★ | |
|
2022-05-03 19:33:22 | New Ransomware "Black Basta" in the Wild (lien direct) | FortiGuard Labs is aware of a new ransomware variant called "Black Basta" discovered in the wild. The ransomware employs a double-extortion tactic in which it encrypts files and exfiltrates confidential information from the victim, then demands a ransom for decrypting the affected files and threatens to publicize the exfiltrated data if a ransom is not paid.Black Basta ransomware is reported to have victimized several organizations in multiple countries.Why is this Significant?This is significant because Black Basta is a new ransomware that is reported to have victimized several organizations in multiple countries.What is Black Basta ransomware?Black Basta is a new ransomware that demands ransom from the victim for decrypting victim's files it encrypted and not to release the stolen data to the public.Black Basta ransomware deletes shadow copies from the compromised machine, which prevents the victim from being able to recover any files that have been encrypted. The ransomware also replaces the desktop wallpaper with an image with a black background that has the following ransom message:Your network is encrypted by the Black Basta group.Instructions in the filereadme.txt.The ransomware then will then restart the compromised machine in safe mode with the Windows Fax service running. After the reboot, the service launches the ransomware in order to start encrypting files. Files that are encrypted by Black Basta ransomware have ".basta" file extension and also have the ransomware's own file icon. Readme.txt, also dropped by the ransomware, contains a ransom note to instruct the victim to use a specific TOR address to contact the attacker.What does the Windows Fax service have to do with this? Is it Vulnerable?The Windows Fax Service is not vulnerable. The Windows Fax service is attacked to maintain persistence and in this variant of Black Basta, it is hijacking an existing service name (in this case Windows Fax), deleting it, and spawning a new service with the same name.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against known samples of Black Basta ransomware: W32/Filecoder.OKW!tr W32/Kryptik.HPHI!trW32/Filecoder.OKT!trW32/Filecoder.OKW!tr.ransomW32/Filecoder.OKT!tr.ransomW32/Malicious_Behavior.VEX | Ransomware | ||
|
2022-04-21 17:16:05 | CVE-2022-22718 on CISA\'s Known Exploited Vulnerabilities Catalog (lien direct) | FortiGuard Labs is aware that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2022-22718 to the Known Exploited Vulnerabilities Catalog. CVE-2022-24481 is a local privilege escalation vulnerability in the Windows Print Spooler and affects multiple versions of Windows OS. Microsoft issued a patch for the vulnerability as part of the February 2022 Patch Tuesday updates.Why is this Significant?This is significant because CISA's Known Exploited Vulnerabilities Catalog lists vulnerabilities that are known to be exploited in the wild. Although Microsoft rated CVE-2022-22718 as "Exploitation More Likely" in their advisory, the vulnerability is now on the active exploitation list as such the patch for CVE-2022-22718 should be applied as soon as possible.What is CVE-2022-22718?CVE-2022-22718 is a local privilege escalation vulnerability in the Windows Print Spooler and affects multiple versions of Windows OS. Successfully exploiting the vulnerability allows a local attacker to elevate privileges. CVE-2022-22718 has a CVSS score of 7.8. Has Microsoft Released an Advisory for CVE-2022-22718?Yes, Microsoft released an advisory on February 8, 2022. See the Appendix for a link to "Windows Print Spooler Elevation of Privilege Vulnerability - CVE-2022-22718".Has Microsoft Released a Patch for CVE-2022-22718?Yes, Microsoft released a patch as part of the February 2022 Patch Tuesday (February 8th, 2022).What is the Status of Coverage?FortiGuard Labs has the following IPS signature against CVE-2022-22718:MS.Windows.Print.Spooler.CVE-2022-22718.Privilege.Elevation | Vulnerability | ||
|
2022-04-15 10:35:40 | Microsoft Released Advisory on a Critical Remote Code Execution Vulnerability in RPC (CVE-2022-26809) (lien direct) | FortiGuard Labs is aware that Microsoft released a patch and advisory for a critical remote code execution vulnerability in Remote Procedure Call Runtime Library as part of the April Patch Tuesday. Assigned CVE-2022-26809 and a CVSS score of 9.8, successfully exploiting the vulnerability allows an attacker to execute remote code with high privileges on a vulnerable system, leading to a full compromise.Why is this Significant?This is significant because CVE-2022-26809 is rated by Microsoft as "critical" and "Exploitation More Likely" because of its impacts on all supported Windows products and due to the trivial nature of the vulnerability. Because of the potential impact that the vulnerability has, Microsoft released security updates for Windows 7, which reached end-of-life in January 2020. Also, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory urging users and administrators to apply the patch or apply the recommended mitigations.What is CVE-2022-26809?CVE-2022-26809 is a critical remote code execution vulnerability in Remote Procedure Call Runtime Library. The Microsoft advisory states "To exploit this vulnerability, an attacker would need to send a specially crafted RPC call to an RPC host. This could result in remote code execution on the server side with the same permissions as the RPC service," which allows the attacker to take control of an affected system.Is CVE-2022-26809 being Exploited in the Wild?At the time of this writing, the vulnerability is not reported nor observed to have been exploited in the wild.Has Microsoft Released a Patch for CVE-2022-26809?Yes, Microsoft released a patch on April 12th, 2022 as part of the April MS Tuesday. Due to the potential impact the vulnerability has, Microsoft also released security updates for Windows 7, which is no longer supported.What is the Status of Coverage?FortiGuard Labs has released the following IPS signature in version 20.297:MS.Windows.RPC.CVE-2022-26809.Remote.Code.Execution (default action is set to pass)What Mitigation Steps are Available?Microsoft has provided the following mitigation steps in the advisory:Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:1. Block TCP port 445 at the enterprise perimeter firewallTCP port 445 is used to initiate a connection with the affected component. Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. This can help protect networks from attacks that originate outside the enterprise perimeter. Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks. However, systems could still be vulnerable to attacks from within their enterprise perimeter.2. Follow Microsoft guidelines to secure SMB trafficFor the Microsoft guidelines on how to secure SMB traffic, see the Appendix for a link to "Secure SMB Traffic in Windows Server". | Vulnerability Guideline | ||
|
2022-04-14 19:54:44 | Incomplete Fix for Apache Struts 2 Vulnerability (CVE-2021-31805) Amended (lien direct) | FortiGuard Labs is aware that the Apache Software Foundation disclosed and released a fix for a potential remote code execution vulnerability (CVE-2021-31805 OGNL Injection vulnerability ) that affects Apache Struts 2 on April 12th, 2022. Apache has acknowledged in an advisory that the fix was issued because the first patch released in 2020 did not fully remediate the issue. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also released an advisory on April 12th, 2022, warning users and administrators to review the security advisory "S2-062" issued by Apache and upgrade to the latest released version as soon as possible. Why is this Significant?This is significant because Apache Struts is widely used and successfully exploiting CVE-2021-31805 could result in an attacker gaining control of a vulnerable system. Because of the potential impact, CISA released an advisory urging users and administrators to review the security advisory "S2-062" issued by Apache and upgrade to the latest released version as soon as possible.On the side note, an older Struts 2 OGNL Injection vulnerability (CVE-2017-5638) was exploited in the wild that resulted in a massive data breach of credit reporting agency Equifax in 2017.What is Apache Struts 2?Apache Struts 2 is an open-source web application framework for developing Java web applications that extends the Java Servlet API to assist, encourage, and promote developers to adopt a model-view-controller (MVC) architecture.What is CVE-2021-31805?CVE-2021-31805 is an OGNL injection vulnerability in Struts 2 that enables an attacker to perform remote code execution on a vulnerable system. The vulnerability was originally assigned CVE-2020-17530, however CVE-2021-31805 was newly assigned to the vulnerability as some security researchers found a workaround for the original patch released in 2020.The vulnerability is described as "some of the tag's attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation."What Versions of Apache Struts are Vulnerable to CVE-2021-31805?Struts 2.0.0 - Struts 2.5.29 are vulnerable.Struts 2.0.0 and 2.5.29 were released in 2006 and 2022 respectively. Has the Vendor Released a Patch for CVE-2021-31805?Yes, Apache released a fixed version (2.5.30) of Apache Struts 2 on April 12th, 2022.Users and administrators are advised to upgrade to Struts 2.5.30 or greater as soon as possible.Has the Vendor Released an Advisory?Yes, Apache released an advisory on April 12th, 2022. See the Appendix for a link to "Security Bulletin: S2-062".What is the Status of Coverage?FortiGuard Labs provides the following IPS coverage for CVE-2020-17530, which applies for CVE-2021-31805:Apache.Struts.OGNL.BeanMap.Remote.Code.Execution | Data Breach Vulnerability Guideline | Equifax Equifax | |
|
2022-04-14 16:36:20 | Newly Patched VMware Vulnerability (CVE-2022-22954) Being Exploited in the Wild (lien direct) | FortiGuard Labs is aware that VMware has confirmed a recently patched critical vulnerability in VMware Workspace ONE Access and Identity Manager (CVE-2022-22954) has been exploited in the wild. Also, a Proof-of-Concept (PoC) code has already been made available to the public. An attacker with network access can trigger a server-side template injection that may result in remote code execution.Why is this Significant?This is significant because of the critical remote code execution vulnerability affecting Workspace ONE Access and VMware Identity Manager (vIDM) that are widely used. Since VMware has acknowledged in-the-wild exploitation of CVE-2022-22954 and a POC is available to the public, attacks that leverage the vulnerability will likely increase.What is CVE-2022-22954?CVE-2022-22954 is a vulnerability in Workspace ONE Access and VMware Identity Manager (vIDM), which an attacker with network access can trigger a server-side template injection that may result in remote code execution. The vulnerability has the CVSSv3 base score of 9.8 and is rated critical.Is the Vulnerability Exploited in the Wild?VMware has confirmed that exploitation of CVE-2022-22954 has occurred in the wild.Has the Vendor Released Security Advisories for CVE-2022-22954?Yes, VMware released a security advisory for the vulnerability on April 6th, 2022. See the Appendix for a link to "VMSA-2022-0011".The advisory was updated further on April 13th, 2022 for the confirmation of the in-the-wild exploitation. Has the Vendor Released a Patch for CVE-2022-22954?Yes, VMware released a patch on April 6th, 2022 as part of its security advisory. See the Appendix for a link to "VMSA-2022-0011". What is the Status of Coverage?FortiGuard Labs has released the following IPS signature for CVE-2022-22954 in version 20.297:VMware.Workspace.ONE.Access.Catalog.Remote.Code.Execution (default action is set to pass)What Mitigation Steps are Available?VMware has released a KB article that includes the workaround. See the Appendix for a link to "HW-154129 - Workaround instructions to address CVE-2022-22954, CVE-2022-22955, CVE-2022-22956, CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960 in Workspace ONE Access Appliance (VMware Identity Manager) (88098)". | Vulnerability | ★★★ | |
|
2022-04-13 17:50:35 | Microsoft Patch Tuesday 0-day Escalation of Privilege Vulnerability (CVE-2022-24521) (lien direct) | Microsoft has released over 117 security fixes for this month's April 2022 release. Besides the usual security fixes, there were two zero days of note and they are:CVE-2022-26904: This known zero-day flaw impacts the Windows User Profile Service. This is an EoP vulnerability. However, exploitation has not been seen in the wild and requires a race condition to successfully exploit. This has a CVSS score of 7.0.CVE-2022-24521: This bug is another EoP issue found in the Windows Common Log File System (CLFS) Driver. This bug has been reported by Microsoft as being actively exploited in the wild. This vulnerability was reported by the NSA and Crowdstrike to Microsoft after being observed to have been used in active attacks. This has a CVSS score of 7.8.On a side note, another CLFS vulnerability (CVE-2022-24481) was disclosed but it was not reported to be a zero day.Why is this Significant?This is significant as CVE-2022-24521 was exploited as a 0-day in the wild. Exploiting CVE-2022-24521 provides elevated privileges to an attacker, and as such the security bug was likely leveraged in conjunction with an unspecified code execution vulnerability.How Widespread is the Attack that Leverages CVE-2022-24521?At this time, there is no information available as to how widespread the attack is. However, since the vulnerability was publicly disclosed, attacks that leverage CVE-2022-24521 may increase.Is there Any Other Vulnerability in the April Patch Tuesday that Requires Attention?Microsoft also released a patch for another escalation of privilege vulnerability (CVE-2022-24481). While the vulnerability was not reported nor observed to have been exploited in the wild, the Microsoft advisory states that exploitation is likely to occur. As such a patch for CVE-2022-24481 should also be applied as soon as possible. It is important to note that this CVE was not a zero day.Has Microsoft Released Security Advisories for CVE-2022-24521 and CVE-2022-24481?Yes, Microsoft has issued advisories for both vulnerabilities. See the Appendix for a link to "CVE-2022-24521: Windows Common Log File System Driver Elevation of Privilege Vulnerability" and "CVE-2022-24481: Windows Common Log File System Driver Elevation of Privilege Vulnerability".Has Microsoft Released a Patch for CVE-2022-24521 and CVE-2022-24481?Yes, Microsoft has released a patch for both vulnerabilities on April 12nd, 2022 as part of regular MS Tuesday for the month.What is the Status of Coverage?FortiGuard Labs has released the following IPS signature for CVE-2022-24521 in version 20.295:MS.Windows.CVE-2022-24521.Privilege.Elevation (default action is set to pass)FortiGuard Labs has released the following IPS signature for CVE-2022-24481 in version 20.295:MS.Windows.CVE-2022-24481.Privilege.Elevation (default action is set to pass) | Vulnerability | ||
|
2022-04-13 10:45:17 | Industroyer2 Discovered Attacking Critical Ukrainian Verticals (lien direct) | FortiGuard Labs is aware of new reports of Industroyer2, the successor to the Industroyer malware. First discovered in 2016, Industroyer was attributed to energy grid attacks in Kiev, Ukraine. The attack resulted in a loss of electricity for over an hour and was attributed to the Russian government (Sandworm). The latest discovery of Industroyer2 was discovered by researchers at ESET (who also discovered Industroyer in 2015).Industroyer is an Industrial Control System (ICS) specific malware that is modular and was discovered to have capabilities to control electrical substations and circuit breakers. It uses industrial communication protocols and techniques to conduct its operations via a global industry standard used by many critical infrastructure verticals.This latest variant of Industroyer2 was seen targeting ICS devices within electrical substations and then trying to erase any evidence of its attack by running CaddyWiper malware along with other Linux and Solaris (UNIX) wipers. It is currently unknown at this time how the threat actors were able to compromise and obtain initial access before entering into the ICS network. For further details on CaddyWiper, please see our Threat Signal here. This is a current news event, further details will be published when available.What are the Technical Details of this Attack?Industroyer2 is a Windows executable file and was executed via a scheduled task on April 8th. According to the analysis, it was compiled on March 23rd which suggests that the threat actors (Sandworm) behind this attack had planned it for over two weeks. Industroyer2 communicates over the IEC 60870-5-104 protocol, which is used by ICS/SCADA devices to communicate. This variant is different from the original Industroyer, which supported multiple ICS protocols.Caddywiper was deployed via a group policy object (GPO) to likely thwart any forensic recovery and analysis. It was found on machines that contained Industroyer2 installations. Other malware (ORCSHRED, SOLOSHRED, AWFULSHRED) found in these campaigns were destructive Linux and Solaris (UNIX) versions that acted as a worm and wiper and were deployed via shell scripts.What Operating Systems are Affected?Windows, Linux and Solaris systems are affected.What is the Severity of this Attack?Medium. This is limited specifically to targeted attacks.What is the Status of Coverage?FortiGuard Labs has the following (AV) signatures in place for publicly available samples as:W32/Agent.AECG!trData/KillDisk.NDA!trAll network IOC's are blocked by the WebFiltering client. | Malware Threat | ||
|
2022-04-05 10:07:30 | Borat RAT: New RAT with Ransomware Capability (lien direct) | FortiGuard Labs is aware of a report that a new Remote Access Trojan (RAT) called "Borat" is sold in underground forums. The RAT provides not only typical RAT capabilities such as keylogging, audio and webcam recording, and browser credential stealing to cybercriminals, but also offers file encryption and decryption capability as well as creating a ransom note on the victim's machine.Why is this Significant?This is significant because Borat RAT not only enables cybercriminals to perform typical RAT activities but also provides ransomware capabilities as well.What Functionalities Does Borat RAT Provide?Borat RAT allows an attacker to perform the following activities:KeyloggingRansomware activities such as encrypting and decrypting files as well as creating a ransom note on the victim's machineDistributed Denial of Service (DDoS)Audio and webcam recordingRemote desktopReverse proxySteals device infoProcess hollowingCredential stealingDiscord token stealingPlay audioSwap mouse buttonsHold mouseShow and hide the Desktop and the taskbarEnable and disable webcam lightHang systemTurn off the monitorDisplay blank screen What is the Status of Coverage?FortiGuard Labs provides the following AV coverage for Borat RAT:MSIL/Agent.CFQ!trMSIL/Keylogger.DUS!trMalicious_Behavior.SB | Ransomware | ||
|
2022-04-01 14:09:48 | AcidRain Wiper Suspected in Satellite Broadband Outage in Europe (lien direct) | FortiGuard Labs is aware a report that a new wiper malware was deployed and destroyed data on modems and routers for KA-SAT satellite broadband services, resulting in service outages across Europe on February 24th, 2022. The service interruption also caused the disconnection of remote access to 5,800 wind turbines in Europe. According to security vendor SentinelOne, AcidRain wiper shares similarities with a VPNFilter stage 3 destructive plugin. The Federal Bureau of Investigation (FBI) and Department of Justice disrupted the VPNFilter botnet by seizing a domain that was part of the Command-and-Control (C2) infrastructure. The Russian-connected the Sofacy threat actor (also known as APT28, Sednit, Pawn Storm, Fancy Bear, and Tsar) is believed to have operated the VPNFilter botnet. Why is this Significant?This is significant not only because a new wiper malware was used in the attack but also because the attack caused service interruption for satellite broadband services in Europe, including Ukraine, and 5,800 wind turbines in Europe were knocked offline.Also, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI released a joint advisory on March 17th, 2022, warning of cyberattacks on U.S. and international satellite communication (SATCOM) networks. What Happened?According to the statement released by Viasat, a provider of KA-SAT satellite broadband services, the attack occurred in two phases.1. On February 24th, 2022, "malicious traffic were detected emanating from several SurfBeam2 and SurfBeam 2+ modems and/or associated customer premise equipment (CPE) physically located within Ukraine and serviced by one of the KA-SAT consumer-oriented network partitions. This targeted denial of service attack made it difficult for many modems to remain online." 2. Then, the company started to observe a gradual decline of the connected modems. Subsequently, a large number of additional modems across much of Europe exited the network and they did not re-enter to the network. The statement continues as saying that the attacker gained remote access to the trusted management segment of the KA-SAT network through a misconfigured VPN appliance. The threat actor moved laterally through the network and ultimately sent "legitimate, targeted management commands on a large number of residential modems simultaneously. Specifically, these destructive commands overwrote key data in flash memory on the modems, rendering the modems unable to access the network, but not permanently unusable."The belief is that "these destructive commands" refer to AcidRain wiper malware.What is VPNFilter malware?VPNFilter is a IoT malware that was first reported in mid-2018 and targeted home and Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices. The malware is not only capable of performing data exfiltration but also rendering devices completely inoperable.FortiGuard Labs published a research blog series on VPNFilter malware in 2018. See the Appendix for a link to "VPNFilter Malware - Critical Update" and "VPNFilter Update - New Attack Modules Documented".What is the threat actor Sofacy?Sofacy is a threat actor who is believed to operate for Russian interests. The threat actor has been in operation since at least 2007 and targets a wide range of sectors including government, military and security organizations.One of the most infamous activities carried out by the Sofacy group is their alleged involvement in hacking "networks and endpoints associated with the U.S. election" in 2016, in which the FBI the US Department of Homeland Security (DHS) released a join advisory on December 29th, 2016.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against AcidRain wiper malware believed to have been used in the attack:ELF/AcidRain.A!tr | Malware Threat | VPNFilter VPNFilter APT 28 | |
|
2022-03-31 09:58:02 | SpringShell (Spring4Shell) : New Unpatched RCE Vulnerability in Spring Core Framework (lien direct) | FortiGuard Labs is aware that an alleged Proof-of-Concept (POC) code for a new Remote Code Execution (RCE) vulnerability in Spring Core, part of the popular web open-source framework for Java called "Spring," was made available to the public (the POC was later removed). Dubbed SpringShell (Spring4Shell), CVE-2022-22965 has been assigned to the vulnerability and an emergency fix was released on March 31st, 2022.Why is this Significant?This is significant because Spring Core is part of Spring Framework, one of the most popular JAVA frameworks used in the field and is very popular for enterprise applications. As such, wide exploitation of the vulnerability can impact users globally if the security update is not applied.What is the Vulnerability Detail?An insecure de-serialization exists in Spring Core Framework. The vulnerability is due to insufficient validation of user supplied inputs and could lead to remote code execution.The official advisory reads "A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it".Has the Vendor Released an Advisory?An advisory has been published by both Spring and VMware, who supports Spring. See the Appendix for a link to "Spring Framework RCE, Early Announcement" and "CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+".What Versions of Spring Core are Vulnerable?The official advisory states that the following prerequisites for the exploit:JDK 9 or higherApache Tomcat as the Servlet containerPackaged as a traditional WAR (in contrast to a Spring Boot executable jar)spring-webmvc or spring-webflux dependencySpring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versionsHas a CVE been Assigned to the Vulnerability?CVE-2022-22965 has been assigned to the vulnerability.There is a lot of online chatter about SpringShell being related to CVE-2022-22963 or CVE-2022-27772, but that is not the case.CVE-2022-22963 is a vulnerability in Spring Cloud and was patched on March 29, 2022.CVE-2022-27772 is a vulnerability in Spring Boot that allows temporary directory hijacking.Has the Vendor Released a Patch?Yes, the fix was released on March 31, 2022 for the following versions of Spring Framework:5.3.185.2.20What is the Status of Coverage?FortiGuard Labs provides the following AV coverage based on available SpringShell POCs:Python/SpingShell.A!exploitFortiGuard Labs is currently investigating for IPS coverage. This Threat Signal will be updated when coverage becomes available. | Vulnerability Threat Guideline | ||
|
2022-03-25 14:41:37 | Another Wiper Malware Targeted Enterprises in Ukraine #DoubleZero (lien direct) | FortiGuard Labs is aware that enterprises in Ukraine were targeted by another wiper malware. Dubbed "DoubleZero," the malware was distributed in a zip archive and destroys the compromised machine by overwriting files and deleting registry keys.Why is this Significant?This is significant because DoubleZero is the latest wiper malware used in the current Russia-Ukraine war and aims to destroy machines belonging to enterprises in Ukraine.FortiGuard Labs previous published multiple Threat Signals on other wiper malware that targeted Ukraine. See the Appendix for links to "Additional Wiper Malware Deployed in Ukraine #CaddyWiper," "New Wiper Malware Discovered Targeting Ukrainian Interests" and "Wiper Malware Hit Ukrainian Organizations."How Widespread is the Malware?At this time, there is no report that DoubleZero affected organizations outside of Ukraine.How does DoubleZero Work?DoubleZero was distributed in several ZIP archives, one of which is called "Virus ... extremely dangerous !!!. Zip." Once DoubleZero runs, it overwrites or uses API calls to zero out non-system files system files before moving on to overwrite critical system files and registry keys.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against the files involved in the attack:MSIL/DZeroWiper.CK!tr | Malware Threat | ||
|
2022-03-23 00:30:55 | GIMMICK Implant Used by StormCloud APT Targeting Users in Asia (lien direct) | FortiGuard Labs is aware of a new variant of the GIMMICK malware that is targeting Asian users. Discovered by researchers at Volexity, the GIMMICK implant has been attributed to the StormCloud APT group. According to the report, GIMMICK variants for macOS and Windows environments were seen. It also has been observed to be using File based command and control, specifically Google Cloud. GIMMICK has been attributed to nation state actors operating out of China. What is GIMMICK?GIMMICK is an implant that is similar to a remote access trojan (RAT) that allows the attacker to perform various instructions on the victim machine to further lateral movement. What makes this different from a RAT is that it is asynchronous in nature, moves in predefined pattern and does not really rely on an attacker to control. Once the implant is run, it follows a set of steps to further lateral movement and stores all information in a set of directories. Once these steps are completed, the exfiltrated data will be automatically uploaded to a predefined C2 server hosted on Google Drive. This allows for the implant to go undetected as traffic to Google Drive would be considered clean and not malicious traffic. What Operating Systems are Affected?MacOS and Windows platforms. Is GIMMICK Attributed to any other Groups?No. GIMMICK appears to be attributed to StormCloud only. What is the Status of Coverage?FortiGuard Labs has AV coverage in place as:Customers running the latest definitions are protected by the following (AV) signature:OSX/Gimmick.A!tr | Malware | ||
|
2022-03-23 00:26:45 | Joint CyberSecurity Advisory Alert on AvosLocker Ransomware (lien direct) | FortiGuard Labs is aware that a joint advisory on AvosLocker malware was recently issued by the Federal Bureau of Investigation (FBI) and the US Department of Treasury. AvosLocker is a Ransomware-as-a-Service (RaaS) that has targeted organizations across multiple critical infrastructure sectors in the United States. The targeted sectors include financial services, critical manufacturing, and government facilities organizations. Other AvosLocker victims are in multiple countries throughout the world. Why is this Significant?This is significant because the joint advisory indicates that organizations across multiple critical infrastructure sectors in the United States were targeted by AvosLocker ransomware. The advisory calls out vulnerabilities that the ransomware group exploited, which companies need to consider patching as soon as possible.What is AvosLocker?AvosLocker ransomware targets Windows and Linux systems and was first observed in late June 2021. As Ransomware-as-a-Service, AvosLocker is advertised on a number of Dark Web communities, recruiting affiliates (partners) and access brokers. After breaking into a target and locating accessible files on the victim network, AvosLocker exfiltrates data, encrypts the files with AES-256, and leaves a ransom note "GET_YOUR_FILES_BACK.txt". Some of the known file extensions that AvosLocker adds to the files it encrypted are ".avos", ".avos2", and ".avoslinux".On top of leaving a ransom note to have the victim pay in order to recover their encrypted files and to not have their stolen information disclosed to the public, some AvosLocker victims were reported to have received phone calls from an AvosLocker attacker. The calls threatened the victim to go to the payment site for negotiation. Some victims also received an additional threat that the attacker would launch Distributed Denial-of-Service (DDoS) attacks against them. AvosLocker's leak site is called "press release" where the victims are listed along with a description about them.How Widespread is AvosLocker Ransomware?The advisory indicates that AvosLocker's known victims are "in the United States, Syria, Saudi Arabia, Germany, Spain, Belgium, Turkey, United Arab Emirates, United Kingdom, Canada, China, and Taiwan".What Vulnerabilities are Exploited by AvosLocker?The advisory states that "multiple victims have reported on premise Microsoft Exchange Server vulnerabilities as the likely intrusion vector". Those vulnerabilities include CVE-2021-26855 and ProxyShell, which is an exploit attack chain involving three Microsoft exchange vulnerabilities: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207. Also, a path traversal vulnerability in the FortiOS SSL-VPN web portal was reported to have been exploited by the AvosLocker group.FortiGuard Labs previously posted a Threat Signal on ProxyShell. See the Appendix for a link to "Vulnerable Microsoft Exchange Servers Actively Scanned for ProxyShell" and FortiGuard Labs released a patch for CVE-2018-13379 in May 2019. For additional information, see the Appendix for a link to "Malicious Actor Discloses FortiGate SSL-VPN Credentials", and "The Art of War (and Patch Management)" for the importance of patch management.What Tools is AvosLocker Known to Utilize?The advisory references the following tools:Cobalt StrikeEncoded PowerShell scriptsPuTTY Secure Copy client tool "pscp.exe"RcloneAnyDeskScannerAdvanced IP ScannerWinLister What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against known samples of AvosLocker ransomware:W32/Cryptor.OHU!tr.ransomW32/Filecoder.OHU!tr.ransomELF/Encoder.A811!tr.ransomLinux/Filecoder_AvosLocker.A!trPossibleThreatFortiGuard Labs provides the following AV coverage against ProxyShell:MSIL/proxyshell.A!trMSIL/proxyshell.B!trFortiGuard Labs provides the following IPS coverage against CVE-2021-26855, ProxyShell, and CVE-2018-13379:MS.Exchange.Server.ProxyRequestHandler.Remote.Code.Execution (CVE-2021-26855)MS.Exchange.Server.CVE-2021-34473.Remote.Code.Execution (CVE-2021-34473)MS.Exchange.Server.Common.Access.Token.Privil | Ransomware Malware Tool Vulnerability Threat Patching | ★★ | |
|
2022-03-18 13:39:21 | New Rootkit Used by UNC2891 for ATM Money Heist (lien direct) | FortiGuard Labs is aware of a report that a threat actor known as UNC2891 used a previously unknown rootkit to capture banking card and PIN verification data from compromised ATM switch servers. The captured data was used to perform fraudulent transactions. Dubbed Caketap, the rootkit allows the threat actor to hide network connections, processes, and files, and install several hooks into system functions to receive commands and configurations from the attacker's remote server.Why is this Significant?This is significant because the previously unknown Caketap rootkit deployed by the threat actor for Oracle Solaris systems provides stealth for the attacker's activities and the data it steals can be used for unauthorized financial transactions. The attacks carried out by UNC2891 are financially motivated and could cause great financial damage to the targeted financial institutions. What is Caketap?Caketap is a kernel module rootkit used by UNC2891 on Oracle Solaris systems. The rootkit is used to hide network connections, processes, and files, and install several hooks into system functions to receive commands and configurations from the attacker's remote server.The rootkit is capable of intercepting certain messages sent for the Payment Hardware Security Module (HSM) in order to disable proper banking card verification and return a valid response to approve fraudulent banking cards. It also examines PIN verification messages. If PIN verification messages are not for a fraudulent banking card, then Caketap does not disrupt valid verification but saves the messages. If Caketap detects PIN verification messages for fraudulent banking cards, it replays the previously saved valid messages for PIN verification bypass.Thales, an HSM vendor, describes the Payment Hardware Security Module (HSM) as "a hardened, tamper-resistant hardware device that is used primarily by the retail banking industry to provide high levels of protection for cryptographic keys and customer PINs used during the issuance of magnetic stripe and EMV chip cards (and their mobile application equivalents) and the subsequent processing of credit and debit card payment transactions".What is UNC2891?UNC2891 is a threat actor whose main motivation is reportedly for financial gain and has been active for several years. The threat actor is known to not only have extensive knowledge on Oracle Solaris systems, but also Linux and Unix systems.What Other Tools does UNC2891 Use?The following tools are reported to have been used by the threat actor:SLAPSTICK - the Pluggable Authentication Module (PAM) based backdoorCustom version of TINYSHELL - backdoorSTEELHOUND - in-memory dropperSTEELCORGI - in-memory dropperSUN4ME - toolkits that contains tools to spy on network, host enumeration, exploit known vulnerabilities and wipe logsWINGHOOK - keylogger for Linux and Unix systemsWINGCRACK - utility that is used to decode and display the information collected by WINGHOOKBINBASH - ELF utility that executes a shell after the group ID and user ID are set to either "root" or specified valuesWIPERIGHT - ELF utility for Linux and Unix systems and is used to clear specific logsMIGLOGCLEANER - ELF utility for Linux and Unix systems that is used to wipe logs or remove certain strings from logsWhat is the Status of Coverage?FotriGuard Labs provide the following AV coverage:Linux/Agent.T!tr | Threat | ||
|
2022-03-17 18:07:18 | LokiLocker Ransomware with Built-in Wiper Functionality (lien direct) | FortiGuard Labs is aware of a report that LokiLocker ransomware is equipped with built-in wiper functionality. The ransomware targets the Windows OS and is capable of erasing all non-system files and overwriting the Master Boot Record (MBR) if the victim opts not to pay the ransom, leaving the compromised machine unusable. According to the report, most victims of LokiLocker ransomware are in Eastern Europe and Asia.Why is this Significant?This is significant because LokiLocker ransomware has built-in wiper functionality which can overwrite the MBR and delete all non-system files on the compromised machine if the victim does not pay ransom in a set time frame. Successfully overwriting the MBR will leave the machine unusable.What is LokiLocker Ransomware?LokiLocker is a .NET ransomware that has been active since as early as August 2021. The ransomware encrypts files on the compromised machines and demands ransom from the victim to recover the encrypted files. The ransomware adds a ".Loki" file extension to the files it encrypted. It also leaves a ransom note in a Restore-My-Files.txt file. The malware is protected with NETGuard, an open-source tool for protecting .NET applications, as well as KoiVM, a virtualizing protector for .NET applications.LokiLocker has a built-in configuration file, which contains information such as the attacker's email address, campaign or affiliate name, Command-and-Control (C2) server address and wiper timeout. Wiper timeout is set to 30 days by default. The value tells the ransomware to wait 30 days before deleting non-system files and overwriting the Master Boot Record (MBR) of the compromised machine. The configuration also has execution options which controls what actions the ransomware should or should not carry out on the compromised machine. The execution options include not wiping the system and the MBR, not encrypting the C Drive and not scanning for and encrypting network shares. The wiping option is set to false by default, however the option can be modified by the attacker.How is LokiLocker Ransomware Distributed?While the current infection vector is unknown, early LokiLocker variants were distributed through Trojanized brute-checker hacking tools. According to the public report, most victims of LokiLocker ransomware are in Eastern Europe and Asia. Fortinet's telemetry indicates the C2 domain was accessed the most from India, followed by Canada, Chile and Turkey.What is the Status of Coverage?FortiGuard Labs provide the following AV coverage:W32/DelShad.GRG!tr.ransomW32/DelShad.GSE!tr.ransomW32/DelShad.GUJ!tr.ransomW32/Filecoder.AKJ!trW32/Generic.AC.171!trW32/PossibleThreatW32/Ramnit.AMSIL/Filecoder.AKJ!trMSIL/Filecoder.AKJ!tr.ransomMSIL/Filecoder_LokiLocker.D!trMSIL/Filecoder.4AF0!tr.ransomMSIL/Filecoder.64CF!tr.ransomPossibleThreatAll known network IOC's are blocked by the FortiGuard WebFiltering client. | Ransomware Malware Tool | ||
|
2022-03-16 15:04:14 | Joint CyberSecurity Advisory Alert on Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and âPrintNightmareâ Vulnerability (AA22-074A) (lien direct) | FortiGuard Labs is aware of a recent report issued by the U.S. Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) that Russian state-sponsored cyber actors have gained network access to a non-governmental organization (NGO) through exploitation of default Multi-Factor Authentication (MFA) protocols and the "PrintNightmare" vulnerability (CVE-2021-34527). The attack resulted in data exfiltration from cloud and email accounts of the target organization.Why is this Significant?This is significant because the advisory describes how a target organization was compromised by Russian state-sponsored cyber actors. The advisory also provides mitigations.How did the Attack Occur?The advisory provides the following attack sequence:"Russian state-sponsored cyber actors gained initial access to the victim organization via compromised credentials and enrolling a new device in the organization's Duo MFA. The actors gained the credentials via brute-force password guessing attack, allowing them access to a victim account with a simple, predictable password. The victim account had been un-enrolled from Duo due to a long period of inactivity but was not disabled in the Active Directory. As Duo's default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network.Using the compromised account, Russian state-sponsored cyber actors performed privilege escalation via exploitation of the "PrintNightmare" vulnerability (CVE-2021-34527) to obtain administrator privileges. The actors also modified a domain controller file, c:\windows\system32\drivers\etc\ hosts, redirecting Duo MFA calls to localhost instead of the Duo server. This change prevented the MFA service from contacting its server to validate MFA login-this effectively disabled MFA for active domain accounts because the default policy of Duo for Windows is to "Fail open" if the MFA server is unreachable. Note: "fail open" can happen to any MFA implementation and is not exclusive to Duo.After effectively disabling MFA, Russian state-sponsored cyber actors were able to successfully authenticate to the victim's virtual private network (VPN) as non-administrator users and make Remote Desktop Protocol (RDP) connections to Windows domain controllers. The actors ran commands to obtain credentials for additional domain accounts; then using the method described in the previous paragraph, changed the MFA configuration file and bypassed MFA for these newly compromised accounts. The actors leveraged mostly internal Windows utilities already present within the victim network to perform this activity. Using these compromised accounts without MFA enforced, Russian state-sponsored cyber actors were able to move laterally to the victim's cloud storage and email accounts and access desired content."What is the "PrintNightmare" vulnerability (CVE-2021-34527)?The "PrintNightmare" vulnerability" was a critical vulnerability affecting Microsoft Windows Print Spooler. Microsoft released an out-of-bound advisory for the vulnerability on July 6th, 2021.Has Microsoft Released a Patch for the "PrintNightmare" vulnerability (CVE-2021-34527)?Yes, Microsoft released an out-of-bound patch for the "PrintNightmare" vulnerability in July, 2021.Due to its severity, Microsoft made the patches available for unsupported OS such as Windows 7 and Windows Server 2012.Successful exploitation of the vulnerability allows an attack to run arbitrary code with SYSTEM privileges.FortiGuard Labs released an Outbreak Alert and Threat Signal for PrintNightmare. See the Appendix for a link to "Fortinet Outbreak Alert: Microsoft PrintNightmare" and "#PrintNightmare Zero Day Remote Code Execution Vulnerability".What is the Status of Coverage?FortiGuard Labs has IPS coverage in place for the "PrintNightmare" vulnerability (CVE-2021-34527):MS.Windows.Print.Spooler.AddPrinterDriver.Privilege.EscalationAll known network IOC\ | Vulnerability Threat Patching | ||
|
2022-03-15 13:20:59 | (Déjà vu) Additional Wiper Malware Deployed in Ukraine #CaddyWiper (lien direct) | FortiGuard Labs is aware of new wiper malware observed in the wild attacking Ukrainian interests. The wiper was found by security researchers today at ESET. The wiper is dubbed CaddyWiper. Preliminary analysis reveals that the wiper malware erases user data and partition information from attached drives. According to the tweet, CaddyWiper does not share any code with HermeticWiper or IsaacWiper or any known malware families.This is a breaking news event. More information will be added when relevant updates are available.For further reference about Ukrainian wiper attacks please reference our Threat Signal from January and February. Also, please refer to our recent blog that encompasses the recent escalation in Ukraine, along with salient advice about patch management and why it is important, especially in today's political climate.Is this the Work of Nobelium/APT29?At this time, there is not enough information to correlate this to Nobelium/APT29 or nation state activity. Was this Sample Signed?No. Unlike the HermeticWiper sample related to Ukrainian attacks, this sample is unsigned.Why is Malware Signed?Malware is often signed by threat actors as a pretense to evade AV or any other security software. Signed malware allows threat actors to evade and effectively bypass detection, guaranteeing a higher success rate. What is the Status of Coverage?FortiGuard Labs has AV coverage in place for publicly available samples as:W32/CaddyWiper.NCX!tr | Malware Threat | APT 29 | |
|
2022-03-10 23:39:03 | APT41 Compromised Six U.S. State Government Networks (lien direct) | FortiGuard Labs is aware of a report that threat actor APT41 compromised at least six networks belonging to U.S. state governments between May 2021 and February 2022. To gain a foothold into the victim's network, the threat actor used a number of different attack vectors: exploiting vulnerable Internet facing web applications and directory traversal vulnerabilities, performing SQL injection, and conducting de-serialization attacks. The intent of APT41 appears to be reconnaissance, though how the stolen information is to be used has not yet been determined.Why is this Significant? This is significant because at least six U.S. state government systems were broken into and data exfiltration was performed by APT41 as recent as February 2022 In addition, a zero-day vulnerability in the USAHerds application (CVE-2021-44207) as well as Log4j (CVE-2021-44228), among others, were exploited in the attacksWhat's the Detail of the Attack?APT41 performed several different ways to break into the targeted networks.In one case, the group exploited a SQL injection vulnerability in a Internet-facing web application. In another case, a then previously unknown vulnerability (CVE-2021-44207) in USAHerds, which is a web application used by agriculture officials to manage animal disease control and prevention, livestock identification and movement. Also, APT41 reportedly started to exploit the infamous Log4j vulnerability (CVE-2021-44228) within hours of Proof-of-Concept (PoC) code becoming available. Patches for both vulnerabilities are available. Once successful in breaking into the victim's network, the threat actor performed reconnaissance and credential harvesting activities. What is APT41?APT41 is a threat actor who has been active since at least 2012. Also known as TA415, Double Dragon, Barium, GREF and WickedPanda, the group reportedly performs Chinese state-sponsored espionage activities. APT41 targets organizations in multiple countries across a wide range of industries, such as telecommunications, industrial and engineering and think tanks. In 2020, five alleged members of the group were charged by the U.S. Justice Department for hacking more than 100 companies in the United States.What are the Tools Used by APT41?APT41 is known to use the following tools:ASPXSpy - web shell backdoorBITSAdmin - PowerShell cmdlets for creating and managing file transfers.BLACKCOFFEE - backdoor that disguise its communications as benign traffic to legitimate websites certutil - command-line utility tool used for manipulating certification authority (CA) data and components.China Chopper - web shell backdoor that allows attacker to have remote access to an enterprise networkCobalt Strike - a commercial penetration testing tool, which allows users to perform a wide range of activitiesDerusbi - DLL backdoorEmpire - PowerShell post-exploitation agent, which provides a wide range of attack activities to usersgh0st RAT - Remote Access Trojan (RAT)MESSAGETAP - data mining malware Mimikatz - open-source credential dumpernjRAT - Remote Access Trojan (RAT)PlugX - Remote Access Trojan (RAT)PowerSploit - open-source, offensive security framework which allows users to perform a wide range of activitiesROCKBOOT - BootkitShadowPad - backdoorWinnti for Linux - Remote Access Trojan (RAT) for LinuxZxShell - Remote Access Trojan (RAT)Badpotato - open-source tool that allows elevate user rights towards System rightsDustPan - shellcode loader. aka StealthVectorDEADEYE - downloaderLOWKEY - backdoorKeyplug - backdoorWhat are Other Vulnerabilities Known to be Exploited by APT41?APT41 exploited the following, but not restricted to, these vulnerabilities in the past:CVE-2020-10189 (ManageEngine Desktop Central remote code execution vulnerability)CVE-2019-19781 (Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance)CVE-2019-3396 (Atlassian Confluence Widget Connector Macro Velocity Template Injection)CVE-2017-11882 (Microsoft Office Memory Corruption Vulnerability)CVE-2017-0199 (Microsoft Office/WordPad Remote Code Execut | Malware Tool Vulnerability Threat Guideline | APT 41 APT 15 APT 15 | |
|
2022-03-09 18:47:38 | FBI Releases Updated Indicators of Compromise for RagnarLocker Ransomware (lien direct) | FortiGuard Labs is aware that the U.S. Federal Bureau of Investigation (FBI) released the updated indicators of compromise (IOCs) for RagnarLocker (Ragnar_Locker) Ransomware on March 8th, 2022. The report states "As of January 2022, the FBI has identified at least 52 entities across 10 critical infrastructure sectors affected by RagnarLocker ransomware, including entities in the critical manufacturing, energy, financial services, government, and information technology sectors."The first sighting of the ransomware goes back to at least February, 2020. RagnarLocker ransomware employs triple extortion tactics: it demands ransom after encrypting files, threatens to publicize stolen data and to stop DDoS (Distributed Denial of Service) attack against the victim.Why is this Significant?This is significant because the FBI is aware that more than 50 organizations across 10 critical infrastructure sectors were affected by RagnarLocker ransomware. The fact the FBI has made additional IOCs available to the public insinuates that RagnarLocker will continue to be active and will likely produce more victims.What is RagnarLocker Ransomware?The first report of RagnarLocker (Ragnar_Locker) ransomware dates back to as early as February 2020.Just like any other ransomware, RagnarLocker encrypts files on the compromised machine and steals valuable data. It also deletes all Volume Shadow Copies, which prevents recovery of the encrypted files. Although there are some exceptions, files encrypted by RagnarLocker ransomware generally have a file extension that starts with .ragnar_ or ragn@r_ followed by random characters.On top of usual ransom demand to decrypt the files it encrypted, the ransomware threatens to publicize the data it stole from the victim if the ransom demand is not met. The RagnarLocker threat actors also adds pressure to the victim to pay the ransom by performing DDoS (Distributed Denial of Service) attack against the victim.One notable thing about this ransomware is that it has code to check the location of the computer before encryption process starts. If the computer belongs Russia, Azerbaijan, Armenia, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Tajikistan, Turkmenistan, Uzbekistan and Ukraine, the ransomware terminates itself. What are the Mitigations for RagnarLocker Ransomware?The following are the mitigations recommended by FBI:Back-up critical data offline.Ensure copies of critical data are in the cloud or on an external hard drive or storage device. This information should not be accessible from the compromised network.Secure your back-ups and ensure data is not accessible for modification or deletion from the system where the data resides.Use multi-factor authentication with strong passwords, including for remote access services.Keep computers, devices, and applications patched and up-to-date.Monitor cyber threat reporting regarding the publication of compromised VPN login credentials and change passwords and settings.Consider adding an email banner to emails received from outside your organization.Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.Audit user accounts with administrative privileges and configure access controls with least privilege in mind.Implement network segmentation.What is the Status of Coverage?FortiGuard Labs provide the following AV coverage against RagnarLocker ransomware:Linux/Filecoder_RagnarLocker.A!trW32/RagnarLocker.43B7!tr.ransomW32/Filecoder_RagnarLocker.A!trW32/RagnarLocker.A!tr.ransomW32/RagnarLocker.C!trW32/RagnarLocker.B!tr.ransomW32/RagnarLocker.4C9D!tr.ransomW32/Filecoder_RagnarLocker.A!tr.ransomW32/RagnarLocker.C!tr.ransomW32/Filecoder_RagnarLocker.C!trW32/Filecoder.94BA!tr.ransomW32/Filecoder.OAH!tr.ransomAll network IOCs are blocked by the WebFiltering client. | Ransomware Threat | ||
|
2022-03-09 18:28:40 | MicroBackdoor Used in Attacks Against Ukraine Organizations (lien direct) | FortiGuard Labs is aware of a report from CERT-UA that Ukrainian organizations are under cyberattacks that aim to install a publicly available backdoor named "MicroBackdoor." The cyberattacks are attributed to APT group "UAC-0051", also known as unc1151, who has reportedly acted for Belarusian government's interests in the past.Why is this Significant?This is significant because, according to CERT-UA, Ukraine organizations were attacked by an APT group whose past activities are said to be aligned with Belarusian government's interests.What's the Detail of the Attack?Unfortunately, the initial attack vector is unknown. What's known is that the victims received "dovidka.zip", which contains "dovidka.chm". The CHM file contains two files. An image.jpg is an image file used as a decoy. Another file is file.htm, which creates "ignit.vbs". The VBS file decodes three files: "core.dll," "desktop.ini" and "Windows Prefetch.lnk." The LNK file launches the INI file using wscript.exe. Then, the INI file runs the DLL using regasm.exe. The core.dll is a .NET loader that decodes and executes MicroBackdoor on the compromised machine.What is MicroBackdoor?MicroBackdoor is a publicly available backdoor that receives commands from a Command and Control (C2) server and performs various activities.According to the description on the MicroBackdoor repository"Micro Backdoor client supports 32-bit and 64-bit versions of Windows XP, Vista, 7, 8, 8.1, 10, Server 2003, Server 2003 R2, Server 2008, Server 2008 R2, Server 2012, Server 2012 R2, Server 2016 and Server 2019 of any editions, languages and service packs."What is the Status of Coverage?FortiGuard Labs provide the following AV coverage against available files involved in the attack:PossibleThreat.PALLAS.HVBS/Agent.OVE!trLNK/Agent.7AB4!trAll network IOCs are blocked by the WebFiltering client. | |||
|
2022-03-07 14:34:22 | RuRAT Malware Used in Spear-phishing Attacks Against US media Organizations (lien direct) | FortiGuard Labs is aware of a report that RuRAT malware was distributed in the recent spear-phishing attack against media organizations in the United States. While the tactic used in this attack is not sophisticated, the installed RuRAT malware provides the attacker a foothold into the victim's network where confidential information will be collected for further activities.Why is this Significant?This is significant because media organizations in the United States are reported to have been targeted in the spear-phishing attack. RuRAT payload provides the attacker an opportunity to collect confidential information from the compromised machine and perform lateral movement in the victim's network. Not connected in any way to this attack, TV broadcasters in South Korea were affected by a wiper malware served through a malicious backdoor program in 2013 in which their operations were significantly disrupted. How does the Attack Work?According to the report by Cluster25, the victims received an email with a link. The email has the following content:"Hello, we are a group of venture capitalists investing in promising projects. We saw your website and were astounded by your product. We want to discuss the opportunity to invest or buy a part of the share in your project. Please get in touch with us by phone or in Vuxner chat. Your agent is Philip Bennett. His username in Vuxner is philipbennett Make sure you contact us ASAP because we are not usually so generous with our offers. Thank you in advance!"Upon clicking the link, the victim is redirected to a Web page where the victim is instructed to click a link to download and install a software Vuxner chat. The downloaded file is an installer for Vuxner Trillian not Vuxner chat. After the victim completes the installation and exits the installer, another remote file, turns out to be an installer for RuRAT, is downloaded and installed onto the victim's machine. What is RuRAT?RuRAT, the first report of which goes back to at least October 2020, is a Remote Access Trojan (RAT) that provides an attacker a remote access to the compromised machine. Functionalities of RuRAT include:- Listening for incoming communications- Taking screenshots- Keylogging- Recording AudioWhat is the Status of Coverage?FortiGuard Labs provides the following AV coverage for files involved in this attack: W32/IndigoRose.AP!tr.dldrW32/RemoteUtilities.W!trW32/Agent.9EE5!trAll network IOCs are blocked by the WebFiltering client. | Malware | ||
|
2022-03-01 09:16:53 | Remote Utilities Software Distributed in Ukraine via Fake Evacuation Plan Email (lien direct) | FortiGuard Labs is aware that a copy of Remote Manipulator System (RMS) was submitted from Ukraine to VirusTotal on February 28th, 2022. The RMS is a legitimate remote administration tool that allows a user to remotely control another computer. The file name is in Ukrainian and is "Evacuation Plan (approved by the SSU on 28.02.2022 by Order No. 009363677833).exe" in translation to English. The SSU likely stands for the Security Service of Ukraine. Why is this Significant?This is significant because given its file name, the country where the file was submitted to VirusTotal and the current situation in Ukraine, the file may have been distributed to Ukrainians.What does the File Do?The file silently installs a copy of legitimate Remote Utilities software to the compromised machine. The software allows a remote user to control the compromised machine.Based on the telemetry FortiGuard Labs collected, there is one IP address in Ukraine that connected to the remote IP that likely belongs to the attacker. How was the File Distributed to the Targets?Most likely via links in email.CERT-UA published a warning today that "the representatives of the Center for Combating Disinformation began to receive requests for information from the mail of the Ukrainian Security Service. Such notifications are fake and are a cyberattack". The email below is reported have been used in the attack.Machine translation:Email subject: Evacuation plan from: SBU (Urgent) -28.02.2022 day off: 534161WARNING! This is an external sheet: do not click on the links or open a tab if you do not trust the editor.Report a suspicious list to ib@gng.com.ua.Security Service of UkraineGood afternoon, you need to have acquainted with the electronic evacuation plan until 01.03.2022, to give data on the number of employees, fill in the document in accordance with Form 198\00-22SBU-98.To ensure confidentiality of the transferred data, the password: 2267903645 is set on the deposit.See the document on:hxxps://mega.nz/file/[reducted]Mirror 2: hxxps://files.dp.ua/en/[reducted]Mirror 3: hxxps://dropmefiles.com/[reducted]While the remote files were not available at the time of the investigation, the email and "Evacuation Plan (approved by the SSU on 28.02.2022 by Order No. 009363677833).exe" are likely connected based on the email content and the file name. Can the File Attributed to a Particular Threat Actor?It's possible that a threat actor distributed the file to target Ukraine. However, while the Remote Utilities software is silently installed on the compromised machine, it displays an icon in Windows's taskbar. Since most threat actors aim to hide their activities, this is potentially an act of novice attacker who tries to take advantage of the current situation in Ukraine.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against the files involved in this attack:Riskware/RemoteAdmin_RemoteUtilities | Tool Threat | ||
|
2022-03-01 09:15:01 | Kernel Level Rat "Daxin" Discovered (lien direct) | FortiGuard Labs is aware of a newly discovered backdoor dubbed Daxin. Discovered by Symantec, this backdoor allows an attacker to gather and perform various command and control actions and data exfiltration on victim machines. Because of our partnership with the Cyber Threat Alliance, we were provided with IOCs to create Fortinet protections in advance so that it would be ready for today's announcement.What separates this backdoor from many others is that Daxin is a Windows kernel level driver, also referred to as rootkits. Kernel level rootkits operate at ring 0, which allows them to operate at the highest privileges of the operating system with impunity. What makes this threat dangerous and very effective is that it is able to leverage existing services and utilize them to perform whatever is needed without raising any suspicion by network administrators and or endpoint security software. Daxin does not contain any unique capabilities from other backdoors; however, besides its ability to run at kernel level, Daxin can also intercept TCP/IP connections in real time for further evasion. Further communications noted were the use of a custom TCP/IP stack to communicate in multiple nodes on highly secured networks.This backdoor has been attributed to state sponsored threat actors of China where targets are organizations that are of interest to the Chinese government.What Operating Systems Were Targeted?Windows operating systems.What is the Likelihood of Exploitation?Low. This is due to the attacks observed being focused on the specific interests by the threat actors behind Daxin, and not as part of a widespread attack.Is this Limited to Targeted Attacks?Yes, all attacks observed were limited to state sponsored targets. This included governmental organizations of interest, telecommunications, transportation, and manufacturing sectors as well.What is the Status of Coverage?Customers running the latest AV definitions are protected by the following signatures:W32/Agent.FF56!tr.bdrW32/Backdoor.DAXIN!trW32/PossibleThreatW64/Agent.FF56!tr.bdrW64/Backdoor.DAXIN!trW64/Agent.QWHWSZ!trMalicious_Behavior.SBW32/Exforel.B!tr.bdrDx.BG3D!trW64/Agent.WT!trW32/PossibleThreat | Threat | ||
|
2022-02-27 22:30:37 | Previously Unseen Backdoor Bvp47 Potentially Victimized Global Targets (lien direct) | FortiGuard Labs is aware of a report by Pangu Lab that a new Linux backdoor malware that reportedly belongs to the Equation group was used to potentially compromise more than 200 organizations across over 40 countries around the globe. The Equation group is regarded as one of the most highly skilled threat actors, which some speculate have close connections with National Security Agency (NSA). The threat actor is also reported have been tied to the Stuxnet malware that was used in 2010 cyber attack on a nuclear centrifuge facility in Iran.Why is this Significant?Bvp47 is a previously undiscovered backdoor malware that was reportedly used in cyber attacks carried out by the Equation group. According to the report and information available in the documents that presumably leaked from the Equation group, over 200 organizations spread across more than 40 countries may have been infected with the Bvp47 malware.The Bvp47 file called out in the report was first submitted to VirusTotal in late 2013, which indicates that Bvp47 was used and undiscovered for close to a decade.How was the Connection between the Bvp47 malware and the Equation Group Established?Pangu Lab concluded that Bvp47 belongs to the Equation group because one of the folders included in the documents leaked by the Shadow Brokers in 2017 contained a RSA private key required by Bvp47 for its command execution and other operations.What is the Shadow Brokers?The Shadow Brokers is a threat actor who claimed to have stolen highly classified information from the Equation group in 2016. The stolen information includes zero-day exploits, operation manuals and description of tools used by the Equation group. The Shadow Brokers then attempted to sell the information to the highest bidder. After no one purchased the information, The threat actor released the information to the public after the auction attempt failed.One of the most famous exploits included in the leaked documents is EternalBlue. Within a few weeks of the leak, EternalBlue was incorporated in Wannacry ransomware which caused global panic in 2017.What are the Characteristics of Bvp47?Bvp is a Linux backdoor that performs actions upon receiving commands from Command and Control (C2) servers.Because the Bvp47 framework is incorporated with components such as "dewdrops" and "solutionchar_agents" that are included in the Shadow Brokers leaks, the backdoor is for mainstream Linux distributions, FreeBSD, Solaris as well as JunOS,.Bvp47 also runs various environment checks. If the requirements are not met, the malware deletes itself.What is the Status of Coverage?FortiGuard Labs provide the following AV coverage against Bvp47:ELF/Agent.16DC!tr | Ransomware Malware Threat | Wannacry Wannacry | |
|
2022-02-27 20:18:23 | F5 Releases August 2021 Security Advisory Including Critical CVE-2021-23031 (lien direct) | FortiGuard Labs is aware that F5 released a security advisory on August 24th about vulnerabilities affecting multiple versions of BIG-IP and BIG-IQ. The US Cybersecurity and Infrastructure Security Agency (CISA) published an advisory the next day urging the customers to apply the fixes or put necessary mitigations in place. Of the 13 vulnerabilities that are rated high by the vendor, CVE-2021-23031 is given the highest CVSS score of 8.8 out of 10 and affects BIG-IP Advanced WAF and Application Security Manager (ASM). When abused, the vulnerability allows "an authenticated attacker with access to the Configuration utility can execute arbitrary system commands, create or delete files, and/or disable services," which may result in the attack gaining complete control of the system. However, the CVSS score and rating jumps to 9.9 and Critical, respectively, when the products are running in Appliance mode. As Appliance mode is described as " designed to meet the needs of customers in especially sensitive sectors", CVE-2021-23031 requires additional attention and care.When Did the Vendor Post the Advisory?The vendor released the advisory on August 24th, 2021.What is the Breakdown of the Advisory?The advisory has 13 high vulnerabilities, 15 medium vulnerabilities, 1 low vulnerability and 6 security exposures affecting multiple versions of BIG-IP and BIG-IQ. However, high rating for CVE-2021-23031 is elevated to critical when the affected products are running in Appliance mode.For more details, see the Appendix for a link to "K50974556: Overview of F5 vulnerabilities (August 2021)"What is the Result of Successful Exploitation of CVE-2021-23031?Successful exploitation allows "an authenticated attacker with access to the Configuration utility can execute arbitrary system commands, create or delete files, and/or disable services." In the worst case scenario, the vulnerability enables the attack to take complete control of the system.What are the Technical Details of CVE-2021-23031?The advisory does not offer much technical details, nor why there are two separate ratings for the vulnerability other than the 9.9 rating applies to "the limited number of customers using Appliance mode."For more details, see the Appendix for a link to "K41351250: BIG-IP Advanced WAF and BIG-IP ASM vulnerability CVE-2021-23031"What is Appliance Mode?The following is provided by F5 in regard with Appliance mode:BIG-IP systems have the option of running in Appliance mode. Appliance mode is designed to meet the needs of customers in especially sensitive sectors by limiting the BIG-IP system administrative access to match that of a typical network appliance and not a multi-user UNIX device.For more details, see the Appendix for a link to "K12815: Overview of Appliance mode".How Does That Affect Overall Severity of CVE-2021-23031?Combining the facts that the vulnerability allows an authenticated attacker to take complete control of the system, the CVSS score is 9.9 when the affected products are running in Appliance mode. Since Appliance mode is designed especially for sensitive sectors, the actual severity could be even higher.What Products Are Vulnerable to CVE-2021-23031?BIG-IP Advanced Web Application Firewall (WAF) and Application Security Manager (ASM) are vulnerable to CVE-2021-23031.Which Versions of WAF and ASM Are Vulnerable to CVE-2021-23031?The following versions are listed as vulnerable per F5:16.0.0 - 16.0.115.1.0 - 15.1.214.1.0 - 14.1.413.1.0 - 13.1.312.1.0 - 12.1.511.6.1 - 11.6.5Is the Vulnerability Exploited in the Wild?At the time of this writing, FortiGuard Labs is not aware of the vulnerability being exploited in the wild.FortiGuard Labs will continue to monitor the situation and provide updates as they become available.Is There Any Mitigation for CVE-2021-23031?According to the advisory, "the only mitigation is to remove access (to the Configuration utility) for users who are not completely trusted".Has the Vendor Released Patches for the Vulnerabilities in their August 2021 Advisory?Yes, the vendor has released patches for all vulnerabil | Vulnerability | ||
|
2022-02-27 20:17:01 | ProxyToken (CVE-2021-33766): Authentication Bypass in Microsoft Exchange Server (lien direct) | UPDATE 9/17 - An IPS signature has been released in definitions (18.160) as "MS.Exchange.Server.SecurityToken.Authentication.Bypass"FortiGuard Labs is aware of a new disclosure dubbed PROXYTOKEN, which is an authentication bypass in Microsoft Exchange server. The vulnerability was reported by security researcher Le Xuan Tuyen of the Zero Day Initiative (ZDI) in March 2021, and patched by Microsoft in the July 2021 release.Assigned CVE-2021-33766, this vulnerability allows an unauthenticated attacker to configure actions on mailboxes belonging to arbitrary users on the mail server. An example of this usage allows the threat actor to forward all emails addressed to an arbitrary user and forward them to an attacker controlled account.What are the Technical Details of this Vulnerability?Microsoft Exchange server creates two reference sites in IIS, one listening on port 80 HTTP and the other port 443 HTTPS. These pages are known as the Exchange Front End, and the Exchange Back End runs on port 81 HTTP and port 444 for HTTPS respectively. The front end is essentially a proxy to the back end. When forms require authentication, pages are served via /owa/auth/logon/aspx. Essentially, the issue lies when an Exchange specific feature called "Delegated Authentication" is deployed, the front end is unable to perform authentication on its own and passes each request directly to the back end and ultimately relies on the back end to determine if the incoming request is properly authenticated.Is there a Patch Available?Yes. Microsoft has released patches for this in the July 2021 release.What is the Status of Coverage?Customers running the latest definitions are protected by the following IPS signature:MS.Exchange.Server.SecurityToken.Authentication.BypassWhat Products are Affected?Microsoft Exchange Server 2019, 2016, 2013 are affected.Any Other Suggested Mitigation?Disconnect vulnerable Exchange servers from the internet until a patch can be applied.Due to the ease of disruption and potential for damage to daily operations, reputation, and unwanted release of personally identifiable information (PII), etc., it is important to keep all AV and IPS signatures up to date. It is also important to ensure that all known vendor vulnerabilities within an organization are addressed, and updated to protect against attackers establishing a foothold within a network. | Vulnerability Threat | ||
|
2022-02-23 18:34:00 | New Wiper Malware Discovered Targeting Ukrainian Interests (lien direct) | FortiGuard Labs is aware of new wiper malware observed in the wild attacking Ukrainian interests. The wiper was found by security researchers today at ESET. Various estimates from both outfits reveal that the malware wiper has been installed on several hundreds of machines within the Ukraine. Cursory analysis reveals that wiper malware contains a valid signed certificate that belongs to an entity called "Hermetica Digital" based in Cyprus. This is a breaking news event. More information will be added when relevant updates are available. For further reference about Ukrainian wiper attacks please reference our Threat Signal from January. Also, please refer to our most recent blog that encompasses the recent escalation in Ukraine, along with salient advice about patch management and why it is important, especially in today's political climate. Is this the Work of Nobelium/APT29?At this time, there is not enough information to correlate this to Nobelium/APT29 or nation state activity. Are there Other Samples Observed Using the Same Certificate?No. Cursory analysis at this time highlights that the Hermetica Digital certificate used by this malware sample is the only one that we are aware of at this time. Was the Certificate Stolen?Unknown at this time. As this is a breaking news event, information is sparse. Why is the Malware Signed?Malware is often signed by threat actors as a pretence to evade AV or any other security software. Signed malware allows for threat actors to evade and effectively bypass detection and guaranteeing a higher success rate. What is the Status of Coverage?FortiGuard Labs has AV coverage in place for publicly available samples as:W32/KillDisk.NCV!tr | Malware Threat | APT 29 | |
|
2022-02-16 16:54:16 | Active Exploitation Against Adobe Commerce and Magento Through CVE-2022-24086 (lien direct) | FortiGuard Labs is aware of reports that Magento Open Source and Adobe Commerce are actively being targeted and exploited through CVE-2022-24086. This vulnerability can lead to remote code execution (RCE) on an exploited server which means an attacker will be able to execute arbitrary commands remotely. The vulnerability is rated as Critical by Adobe and has CVSS score of 9.8 out of 10.Why is this Significant?Since Magento and Adobe Commerce are very popular E-commerce platform across the globe, this can potentially impact a high number of online shoppers. Moreover, the attack complexity needed to carry out a successful attack has been deemed relatively low/easy and no extra privileges/permissions are required to execute this attack. A successful attack can result in the total loss of confidentiality, integrity and availability of the information and resources stored in the exploited server.In addition, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2022-24086 to the Known Exploited Vulnerabilities to Catalog, which lists vulnerabilities that "are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise." What is CVE-2022-24086?Adobe classifies CVE-2022-24086 as a vulnerability that stems from "improper input validation." Without properly sanitizing input from a user, the input can be modified so that it executes arbitrary commands on the exploited server.What Versions of Adobe Commerce and Magento are Prone to CVE-2022-24086?The vulnerability exists for Adobe Commerce 2.4.3-p1 and earlier versions, as well as 2.3.7-p2 and earlier versions. For Adobe Commerce 2.3.3 and below, this vulnerability does not exist. The vulnerability exists for both Adobe Commerce and Magento Open Source versions 2.3.3-p1 to 2.3.7-p2 and from 2.4.0 to 2.4.3-p1.Is the Vulnerability Exploited in the Wild?FortiGuard Labs has been made aware of exploits being used in the wild for this vulnerabilityHas the Vendor Released a Fix?Yes. Adobe has released patches for all versions from 2.3.3-p1 to 2.3.7-p2 and from 2.4.0 to 2.4.3-p1.What is the Status of Coverage?Proof-of-Concept (POC) code is not available at the time of this writing and as such, no coverage is available.FortiGuard Labs is actively looking for additional information and will update this Threat Signal when protection becomes available. | Vulnerability Threat Guideline | ||
|
2022-02-07 10:51:16 | ACTINIUM - Targeting Interests in the Ukraine (lien direct) | FortiGuard Labs is aware of various campaigns targeting Ukraine by threat actors known as ACTINIUM/Gamaredon/DEV-0157. ACTINIUM's modus operandi targets various verticals to conduct cyber espionage, including but not limited to governmental, NGO, law enforcement and nonprofit organizations. This latest campaign targeting Ukraine was observed by security analysts at Microsoft. Observed TTPs of ACTINIUM include spearphishing emails using specially crafted Microsoft Word documents that contain malicious macros. Other observed tactics use image files in the emails that are very tiny in scale and report back to the hosting server so that the attacker can check to see if the email was viewed or not. Of course, this depends on whether the recipient chooses to download images or not.Previous analysis on Gamaredon (another name for ACTINIUM) conducted by FortiGuard Labs can be found here. FortiGuard Labs also documented attacks against Ukraine here.What are the Technical Details of the Attack?ACTINIUM uses multiple stage processes that contain payloads that download and execute further additional payloads. Observed staging techniques contain highly obfuscated VBScripts, PowerShells, self-extracting archives, LNK files, etc. To remain persistent, ACTINIUM relies on scheduled tasks. To evade detection and analysis, the usage of randomly generated dictionary words from a predefined word list were used to assign subdomains, scheduled tasks and file names to further confuse analysts. Other observations seen are the usage of DNS records that are frequently changed and contain unique domain names using multiple IP addresses attributed to them.Three malware families were documented in the report, and they are:PowerPunch - Downloader and droppers using PowerShellPterodo - Malware that uses various hashing algorithms and on-demand schemes for decrypting data while freeing allocated heaps space to evade detection and thwart analysis. The malware is evolving, with the usage of various strings to POST content using forged user agents and various commands and scheduled tasks.QuietSieve - These are heavily obfuscated .NET binaries that act primarily as an infostealer.Who/What is Behind this Attack?According to Microsoft, this latest attack is attributed to the Russian FSB. This is per previous reports by the Ukrainian government linking Gamaredon actors to the FSB.Is this a Widespread Attack?No. According to Microsoft, attacks are limited to targeted attacks in the Ukraine.What is the Status of Coverage?Fortinet customers running the latest definitions are protected by the following AV signatures:MSIL/Pterodo.JJ!trMSIL/Pterodo_AGen.B!trMSIL/Pterodo.JK!trMSIL/Pterodo.JF!trMSIL/Pterodo.JI!trPossibleThreatW32/PossibleThreatVBS/SAgent!trW32/APosT.AUC!trW32/Pterodo.AWR!trW32/APosT!trW32/APosT.AWN!trVBA/Amphitryon.1918!trW32/Pterodo.AVL!trW32/Pterodo.AUZ!trW32/Pterodo.ASQ!trW32/GenKryptik.FGHO!trRiskware/PterodoW32/Pterodo.APR!trW32/Pterodo.AQB!trAll network IOC's are blocked by the WebFiltering client.Any Other Suggested Mitigation?As ACTINIUM uses spearphishing techniques as an entry point, organizations are encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spearphishing attacks. They also need to encourage employees to never open attachments from someone they don't know, and to always treat emails from unrecognized/untrusted senders with caution. Since it has been reported that various phishing and spearphishing attacks have been delivered via social engineering distribution mechanisms, it is crucial that end users within an organization be made aware of the various types of attacks being delivered. This can be accomplished through regular training sessions and impromptu tests using predetermined templates by an organizations' internal security department. Simple user awareness training on how to spot emails with malicious attachments or links could also help prevent initial access into the network.Due to the ease of disruption and potential for damage to daily operations, reputation, | Malware Threat | ||
|
2022-02-03 16:21:02 | Sugar Ransomware in the Wild (lien direct) | FortiGuard Labs is aware that a new ransomware called "Sugar" is in the wild. Reportedly, Sugar ransomware targets consumers rather than enterprises. The first sample of Sugar ransomware appears to have been discovered in the wild in early November. Sugar ransomware encrypts files on the compromised machine and appends ".emcoded01" file extension to them. Victims are asked to pay ransom to recover the encrypted files.What is Sugar Ransomware?Sugar is a ransomware that is written in Delphi and appeared in the wild in November 2021 at the latest. Once run, Sugar ransomware encrypts files on the compromised machine and appends ".encoded01" file extension to them. The malware then displays a ransom note that asks the victim to visit the attacker's TOR page to pay the ransom in order to recover the encrypted files. The attacker offers to decrypt up to five files to prove that the encrypted files can be recovered upon ransom is paid.The ransom note displayed by Sugar ransomware looks similar to that of REvil ransomware. Also, the TOR site used by Sugar ransomware has close resemblance with that of Cl0p ransomware. However, there is no evidence to suggest that the Sugar ransomware group is associated with REvil and Cl0p threat actors.How Widespread is Sugar Ransomware?Based on the telemetry data collected by FortiGuard Labs, Sugar ransomware infections likely occurred in Canada, Thailand, the United States, Israel and Lithuania.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against Sugar ransomware:W32/Filecoder.OJD!tr.ransomW32/PossibleThreat | Ransomware Malware Threat | ||
|
2022-02-02 02:49:45 | Proof-of-Concept Code Now Available for an Exploited Windows Local Privilege Escalation Vulnerability (lien direct) | FortiGuard Labs is aware that a Proof-of-Concept (POC) code for a newly patched Windows vulnerability (CVE-2022-21882) that is reported to have been exploited in the wild was released to a publicly available online repository. CVE-2022-21882 is a local privilege (LPE) escalation vulnerability which allows a local, authenticated attacker to gain elevated local system or administrator privileges through a vulnerability in the Win32k.sys driver. The vulnerability is rated as Important by Microsoft and has CVSS score of 7.0.Why is this Significant?This is significant because now that the POC for CVE-2022-21882 has become available to the public attacks leveraging the vulnerability will likely increase. Because CVE-2022-21882 is a local privilege escalation the vulnerability will be used by an attacker that already has access to the network or will be chained with other vulnerabilities.What is CVE-2022-21882?CVE-2022-21882 is a local privilege (LPE) escalation vulnerability which allows a local, authenticated attacker to gain elevated local system or administrator privileges through a vulnerability in the Win32k.sys driver.Is the Vulnerability Exploited in the Wild?According to the Microsoft advisory, the vulnerability is being exploited in the wild.Has Microsoft Released an Advisory for CVE-2022-21882?Yes. See the Appendix for a link to the advisory.Has Microsoft Released a fix for CVE-2022-21882?Yes. Microsoft has released a patch as part of regular MS Tuesday on January 11th, 2022.What is the Status of Coverage?FortiGuard Labs provide the following IPS coverage for CVE-2022-21882:MS.Windows.Win32k.CVE-2022-21882.Privilege.ElevationFortiGuard Labs has released the following AV coverage based on the available POC:W64/Agent.A93E!exploit.CVE202221882 | Vulnerability | ||
|
2022-01-28 10:28:18 | BotenaGo Malware Targets Multiple IoT Devices (lien direct) | FortiGuard Labs is aware of a report that source code of BotenaGo malware was recently made available on GitHub. BotenaGo is a malware written in Golang and is reportedly capable of exploiting more than 30 vulnerabilities in various IoT devices such as routers, modems, and NAS devices, and varies the delivered payload depending on the device it successfully exploited.Why is this Significant?This is significant because the source code of BotenaGo malware is available on a publicly available repository and with the report that BotenaGo is capable of exploiting more than 30 vulnerabilities, an uptick of its activities is expected.What is BotenaGo Malware?BotenaGo is an IoT (Internet fo Things) malware written in Golang and may become a new arsenal used by Mirai attackers.The malware is reportedly capable of exploiting more than 30 vulnerabilities in various IoT devices (a list of those vulnerabilities is contained in the Alien Labs blog linked in the Appendix). After the targeted device is successfully exploited, the malware executes remote shell commands that download a payload that varies depending on the device it successfully compromised. BotenaGo also sets up a backdoor on the compromised machine and awaits remote commands from the attacker on ports 19412 and 31412. It can also set a listener to system IO (terminal) user input and get remote commands through it.What Vulnerabilities are Exploited by BotenaGo?Some of the known vulnerabilities exploited by BotenaGo are below:CVE-2013-3307: Linksys X3000 1.0.03 build 001CVE-2013-5223: D-Link DSL-2760U Gateway (Rev. E1)CVE-2014-2321: ZTE modemsCVE-2015-2051: D-Link routersCVE-2016-11021: D-Link routersCVE-2016-1555: Netgear devicesCVE-2016-6277: Netgear devicesCVE-2017-18362: ConnectWise pluginCVE-2017-18368: Zyxel routers and NAS devicesCVE-2017-6077: Netgear devicesCVE-2017-6334: Netgear devicesCVE-2018-10088: XiongMai uc-httpd 1.0.0CVE-2018-10561: Dasan GPON home routersCVE-2018-10562: Dasan GPON home routersCVE-2019-19824: Realtek SDK based routersCVE-2020-10173: VR-3033 routerCVE-2020-10987: Tenda productsCVE-2020-8515: Vigor routersCVE-2020-8958: Guangzhou 1 GE ONUCVE-2020-9054: Zyxel routers and NAS devicesCVE-2020-9377: D-Link routers What is the Status of Coverage?FortiGuard Labs provide the following AV coverage against available BotenaGo malware samples:Linux/Botenago.A!trPossibleThreatFortiGuard Labs provides the following IPS coverage against exploit attempts made by BotenaGo:ZTE.Router.Web_shell_cmd.Remote.Command.Execution (CVE-2014-2321)D-Link.Devices.HNAP.SOAPAction-Header.Command.Execution (CVE-2015-2051)Netgear.macAddress.Remote.Command.Execution (CVE-2016-1555)NETGEAR.WebServer.Module.Command.Injection (CVE-2016-6277)TrueOnline.ZyXEL.P660HN.V1.Unauthenticated.Command.Injection (CVE-2017-18368)NETGEAR.ping_IPAddr.HTTP.Post.Command.Injection (CVE-2017-6077)NETGEAR.DGN.DnsLookUp.Remote.Command.Injection (CVE-2017-6334)XiongMai.uc-httpd.Buffer.Overflow (CVE-2018-10088)Dasan.GPON.Remote.Code.Execution (CVE-2018-10561, Dasan.GPON.Remote.Code.Execution)Comtrend.VR-3033.Remote.Command.Injection (CVE-2020-10173)Tenda.AC15.AC1900.Authenticated.Remote.Command.Injection (CVE-2020-10987)DrayTek.Vigor.Router.Web.Management.Page.Command.Injection (CVE-2020-8515)ZyXEL.NAS.Pre-authentication.OS.Command.Injection (CVE-2020-9054)All network IOCs are blocked by the WebFiltering client.FortiGuard Labs is currently investigating for additional coverage. This Threat Signal will be updated when new protection becomes available. | Malware Threat | ||
|
2022-01-26 21:58:14 | Critical VMware vCenter Server vulnerability (CVE-2021-22005) being exploited in the wild (lien direct) | FortiGuard Labs is aware that VMware disclosed a critical vulnerability (CVE-2021-22005) on September 21st, 2021 that affects vCenter Server versions 6.7 and 7.0. A malicious attacker with network access to port 443 on vCenter Server can exploit the vulnerability and can execute code on vCenter Server upon successful exploitation. The VMware advisory was updated on September 24th that the vulnerability is being exploited in the wild. In addition, exploit code is publicly available.Why is this Significant?VMware has one of the highest market shares in the server virtualization market so the vulnerability can have widespread affect. Also, some public reports indicate that CVE-2021-22005 is being exploited in the wild. With exploit code being publicly available, more attackers are expected to leverage the security bug. Because of the potential impact the vulnerability has in the field, CISA released an advisory on September 24th, 2021.What are the Details of the Vulnerability?Details of the vulnerability have not been disclosed by VMware.Has VMware Released an Advisory for CVE-2021-22005?Yes, the vendor released a cumulative advisory on September 21st, 2021. See the Appendix for a link to VMSA-2021-0020.1. The vendor also released a supplemental blog post and an advisory. See the Appendix to a link to "VMSA-2021-0020: What You Need to Know" and "VMSA-2021-0020: Questions & Answers".Has the Vendor Released a Patch?Yes. VMware released a patch on September 21st, 2021.Any Mitigation and or Workarounds?VMware provided workarounds in a blog. See the Appendix to a link to "Workaround Instructions for CVE-2021-22005 (85717)".What is The Status of Coverage?FortiGuard Labs is investigating for IPS protection. This Threat Signal will be updated with protection information as it becomes available. | Vulnerability Threat | ||
|
2022-01-26 21:56:08 | Multiple Agency Announcement on APT Actors Exploiting Zoho ManageEngine ADSelfService Plus (AA21-259A) (lien direct) | On September 16th, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and United States Coast Guard Cyber Command (CGCYBER) released a new joint advisory titled - Alert (AA21-259A) APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus. Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to a REST API authentication bypass, which ultimately allows for remote code execution. The vulnerability has been assigned CVE-2021-40539.What Are the Technical Details of the Vulnerability?An authentication bypass vulnerability exists in Zoho ManageEngine ADSelfService Plus version 6113 and prior. Remote code execution is possible via affected REST API URL(s) that could allow for remote code execution. Successful exploitation of the vulnerability allows an attacker to place webshells within the victim environment. Once inside the victim environment, an adversary can conduct the following - Lateral movement, compromising administrator credentials, post exploitation, and exfiltrating registry hives and Active Directory files from a domain controller.Is this Being Exploited in the Wild?Yes. According to US-CERT, this is limited to targeted attacks by a sophisticated unnamed APT group.What Verticals are Being Targeted?According to the US-CERT alert, the following list of verticals have been observed to be targeted - academic institutions, defense contractors, and critical infrastructure entities in multiple industry sectors including transportation, IT, manufacturing, communications, logistics, and finance. What is the CVSS score?9.8 CRITICALHas the Vendor Issued a Patch?Yes, patches were released on September 6th, 2021 by the vendor. Please refer to the APPENDIX "ADSelfService Plus 6114 Security Fix Release" for details.What is the Status of Coverage? FortiGuard Labs provides the following IPS signature for CVE-2021-40539:Zoho.ManageEngine.ADSelfService.Plus.Authentication.BypassAny Mitigation and or Workarounds?It is strongly recommended to update to ADSelfService Plus build 6114. This update is located on the vendor homepage "ADSelfService Plus 6114 Security Fix Release" within the APPENDIX. It is also highly suggested to keep all affected devices from being publicly accessible or being placed behind a physical security appliance/firewall, such as a FortiGate. For further mitigation and workarounds, please refer to the US-CERT Alert and the Zoho Advisory in the APPENDIX. | Vulnerability | ||
|
2022-01-17 20:32:11 | Wiper malware hit Ukrainian organizations (lien direct) | FortiGuard Labs is aware of a report that multiple organizations in the Ukraine were impacted by destructive malware. The malware looks to be some kind of ransomware at first glance; however, it does not have the telltale signs of ransomware. It overwrites the victim's Master Boot Record (MBR) and files with specific file extensions without any recovery mechanism, which are enough to classify the malware as a destructive wiper malware.Why is this Significant?This is significant because the attack involves a wiper malware that destroys the victim's MBR and certain files without any recovery mechanism.How Widespread is the Attack?At this point, the attack only affected multiple unnamed organizations in Ukraine.What the Details of the Attack?Initial attack vector has not yet been identified.This attack involves three malware.The first malware overwrites the victim's Master Boot Record (MBR) which makes Windows OS unbootable and leaves a ransom note that reads below:Your hard drive has been corrupted.In case you want to recover all hard drivesof your organization,You should pay us $10k via bitcoin wallet1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv and send message viatox ID 8BEDC411012A33BA34F49130D0F186993C6A32DAD8976F6A5D82C1ED23054C057ECED5496F65with your organization name.We will contact you to give further instructions.The second malware simply downloads a wiper malware hosted on a Discord channel and executes it.The wiper malware searches for and overwrites files with the following file extensions on the victim's machine:.3DM .3DS .7Z .ACCDB .AI .ARC .ASC .ASM .ASP .ASPX .BACKUP .BAK .BAT .BMP .BRD .BZ .BZ2 .CGM .CLASS .CMD .CONFIG .CPP .CRT .CS .CSR .CSV .DB .DBF .DCH .DER .DIF .DIP .DJVU.SH .DOC .DOCB .DOCM .DOCX .DOT .DOTM .DOTX .DWG .EDB .EML .FRM .GIF .GO .GZ .HDD .HTM .HTML .HWP .IBD .INC .INI .ISO .JAR .JAVA .JPEG .JPG .JS .JSP .KDBX .KEY .LAY .LAY6 .LDF .LOG .MAX .MDB .MDF .MML .MSG .MYD .MYI .NEF .NVRAM .ODB .ODG .ODP .ODS .ODT .OGG .ONETOC2 .OST .OTG .OTP .OTS .OTT .P12 .PAQ .PAS .PDF .PEM .PFX .PHP .PHP3 .PHP4 .PHP5 .PHP6 .PHP7 .PHPS .PHTML .PL .PNG .POT .POTM .POTX .PPAM .PPK .PPS .PPSM .PPSX .PPT .PPTM .PPTX .PS1 .PSD .PST .PY .RAR .RAW .RB .RTF .SAV .SCH .SHTML .SLDM .SLDX .SLK .SLN .SNT .SQ3 .SQL .SQLITE3 .SQLITEDB .STC .STD .STI .STW .SUO .SVG .SXC .SXD .SXI .SXM .SXW .TAR .TBK .TGZ .TIF .TIFF .TXT .UOP .UOT .VB .VBS .VCD .VDI .VHD .VMDK .VMEM .VMSD .VMSN .VMSS .VMTM .VMTX .VMX .VMXF .VSD .VSDX .VSWP .WAR .WB2 .WK1 .WKS .XHTML .XLC .XLM .XLS .XLSB .XLSM .XLSX .XLT .XLTM .XLTX .XLW .YML .ZIPIt also changes the file extension of the affected file to a random four-byte extension.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against the malware involved:W32/KillMBR.NGI!trMSIL/Agent.FP!tr.dldrThe following AV coverage is available for the wiper malware that has not yet been confirmed: MSIL/Agent.VVH!trFortiGuard Labs is currently investigating the last file to confirm the destructive capability of the wiper malware. This blog will be updated when additional information becomes available. | Ransomware Malware | ||
|
2022-01-12 18:27:37 | Wormable Windows Vulnerability (CVE-2022-21907) Patched by Microsoft (lien direct) | FortiGuard Labs is aware that a total of 96 vulnerabilities were patched by Microsoft on January 11th, 2022 as part of regular MS Patch Tuesday. In those vulnerabilities, CVE-2022-21907 (HTTP Protocol Stack Remote Code Execution Vulnerability) is one of the nine vulnerabilities that are rated critical. In the advisory, Microsoft warned that CVE-2022-21907 is wormable and "recommends prioritizing the patching of affected servers".Why is this Significant?This is significant because CVE-2022-21907 is considered wormable as such malware can exploit the vulnerability to self-propagate without any user interaction nor elevated privilege. CVE-2022-21907 targets the HTTP trailer support feature that is enabled by default in various Windows 10 and 11 versions, as well as Windows Server 2022. The vulnerability also has a CVSS score of 9.8 (max score 10).What is CVE-2022-21907?CVE-2022-21907 is a remote code execution vulnerability in HTTP protocol stack (http.sys). HTTP.sys is a legitimate Windows component that is responsible for parsing HTTP requests. An unauthenticated attacker could craft and send a malicous packet to an affected server utilizing the HTTP Protocol Stack (http.sys) to process packets, which leads to remote code execution.Which Versions of Windows are Vulnerable?Per the Microsoft advisory, the following Windows versions are vulnerable:Windows Server 2019Windows Server 2022Windows 10Windows 11Note that the HTTP trailer support feature is inactive by default in Windows Server 2019 and Windows 10 version 1809. As such, they are not vulnerable unless the feature is enabled.Is the Vulnerability Exploited in the Wild?FortiGuard Labs is not aware of CVE-2022-21907 being exploited in the wild at the time of this writing.Has the Vendor Released a Fix?Yes. Microsoft released a fix for CVE-2022-21907 on January 11th, 2022 as part of regular Patch Tuesday.What is the Status of Coverage?FortiGuard Labs is currently investigating protection and will update this Threat Signal once coverage information becomes available.Any Mitigation?Microsoft provided the following mitigation in the advisory:In Windows Server 2019 and Windows 10 version 1809, the the HTTP Trailer Support feature that contains the vulnerability is not active by default. The following registry key must be configured to introduce the vulnerable condition:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\"EnableTrailerSupport"=dword:00000001This mitigation does not apply to the other affected versions. | Malware Vulnerability Threat Patching Guideline | ||
|
2022-01-07 18:18:27 | Remote Code Execution in H2 Console JNDI - (CVE-2021-42392) (lien direct) | FortiGuard Labs is aware of newly discovered vulnerability in H2 Database software. The vulnerability is an unauthenticated remote code execution in the H2 database console and similar to Log4j, it is JNDI-based and has an exploit vector similar to it. This vulnerability has been assigned CVE-2021-42392 and was found by security researchers at JFrog. What is H2 Database?H2 is a relational database management system written in Java and is open source. It can be embedded in Java applications or run in client-server mode and data does not need to be stored on disk. What are the Technical Details?In a nutshell, the vector is similar to Log4Shell, where several code paths in the H2 database framework pass unfiltered attacker controlled URLs to the javax.naming.Context.lookup function, which allows for remote codebase loading (remote code execution). The H2 database contains a web based console which listens for connections at http://localhost:8082. The console will contain parameters that are passed by JdbcUtils.getConnection and a malicious URL controlled by the attacker.This vulnerability affects systems with H2 console installed. The vulnerability does not affect machines with H2 database installed in standalone mode. The vulnerability (by default) looks for connections from localhost, or a non remote connection. However, this vulnerability can be modified to listen for remote connections, therefore allowing susceptibility to remote code execution attacks. How Severe is This? Is it Similar to Log4j?According to the report, this is not believed to be as severe as Log4j, because of several factors. The first factor requires H2 console to be present on the system as both the console and database are able to operate independently of each other. Second, the default configuration of accepting connections from localhost must be edited to listen for external connections, which means that default installations are safe to begin with. What is the CVSS score?At this time, details are not available. What Mitigation Steps are Available?FortiGuard Labs recommends that users of H2 database software upgrade to version 2.0.206 immediately. If this is not possible, placing a vulnerable instance behind a firewall or removing access from the public facing internet is suggested. For further details on mitigation, please refer to the JFrog blog "The JNDI Strikes Back - Unauthenticated RCE in H2 Database Console" located in the APPENDIX. What is the Status of Coverage?FortiGuard Labs is currently assessing an IPS signature to address CVE-2021-42392. This Threat Signal will be updated once a relevant update is available. | Vulnerability Threat | ||
|
2021-12-28 19:12:16 | Log4j 2.17.1 Released for CVE-2021-44832 (lien direct) | FortiGuard Labs is aware of a newly disclosed remote code execution vulnerability affecting Log4j. Assigned CVE-2021-44832, this vulnerability allows for a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code.There has been confusion on Twitter as to whether this is actually a remote code execution (RCE) or arbitrary code execution (ACE) vulnerability. Researcher Yaniv Naziry (@YNizry) initially stated today that a new RCE vulnerability related to Log4j is to be announced, and later retracted their initial statement confirming that it is indeed arbitrary code execution and not remote code execution. Compounding matters, Apache classifies CVE-2021-44832 as a remote code execution vulnerability. In the writeup for CVE-2021-44832, Apache states that the attacker needs permission to "modify the logging configuration file" to successfully exploit this vulnerability which is not indicative of an RCE. CVE-2021-44832 is fixed in Log4j 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6).What is Arbitary Code Execution and Remote Code Execution?Arbitrary code execution (ACE) results from a flaw in software or hardware that allows for an attacker to target a specific machine or process to run code of their choice. Remote Code Execution (RCE) allows for an attacker to arbitrarily execute code remotely on a wide area network, such as the Internet.What Versions of Log4J are Affected?All versions from 2.0-alpha7 to 2.17.0, excluding 2.3.2 and 2.12.4.What is the CVSS Score?6.6 (MODERATE) What is the Status of Coverage?Analysis on this new vulnerability is underway to determine coverage feasibility. We will update this threat signal when updates are available.What Mitigation is Suggested?According to Apache, the following Mitigation is available:Log4j 1.x mitigationLog4j 1.x is not impacted by this vulnerability.Log4j 2.x mitigationUpgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 and later).In prior releases confirm that if the JDBC Appender is being used it is not configured to use any protocol other than Java. Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability. Also note that Apache Log4j is the only Logging Services subproject affected by this vulnerability. Other projects like Log4net and Log4cxx are not impacted by this. | Vulnerability Threat |
To see everything:
Our RSS (filtrered)
