What's new around the internet


Src | Date (GMT) | Title | Description | Tags | Stories | Notes
Fortinet | 2021-12-27 17:29:05 | Meet Rook Ransomware (direct link)

FortiGuard Labs is aware of a recently reported ransomware, "Rook". According to a publicly available report, Rook appears to be based on the leaked Babuk ransomware source code. One of Rook's victims is a financial institution in Kazakhstan, from which the ransomware gang stole more than 1,000 GB of data.

Why is this Significant?
This is significant because Rook is one of the recent ransomware gangs that joined the already crowded ransomware landscape. The ransomware reportedly infected a financial institution in Kazakhstan and stole more than 1,000 GB of data.

What is Rook Ransomware?
Rook ransomware is reported to be based on the leaked Babuk source code and was first discovered in the wild at the end of November 2021. Files encrypted by Rook ransomware typically have the ".rook" file extension; however, the earlier version of Rook is said to use the ".tower" file extension instead. The ransomware leaves a ransom note in HowToRestoreYourFiles.txt, in which the victim is instructed to contact the Rook gang either by accessing Rook's Tor web site or by emailing the threat actor. The ransom note warns the victim that the private key needed to decrypt the encrypted files will be destroyed if a security vendor or law enforcement agency joins the negotiation.

How is Rook Ransomware Delivered?
Rook ransomware is reported to have been delivered via Cobalt Strike or untrustworthy torrent downloads.

What is the Status of Coverage?
FortiGuard Labs provides the following AV coverage against Rook ransomware:
W32/Filecoder_Sodinokibi.A!tr.ransom

Tags: Threat Ransomware
Fortinet | 2021-12-27 17:28:38 | Mortar Loader: New tool for Process Hollowing written in Pascal (direct link)

Mortar Loader is a new process hollowing tool that can be leveraged by threat actors. Process hollowing is a well-known evasion technique used by adversaries to defeat detection and prevention by security products. Mortar Loader is implemented as an open-source tool for red teamers in the Pascal programming language. A loader is malicious code or a program used to load the actual payload on the infected machine.

What is Process Hollowing?
Process hollowing is a method of executing arbitrary code in the address space of a separate live process. It is commonly performed by creating a process in a suspended state and then unmapping its memory, which can then be replaced with malicious code. Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses.

How does Mortar Loader work?
Mortar has two components: the payload encryptor and the loader itself. The encryptor runs on the attacker's machine to prepare the selected PE payload. It encrypts the payload with the Blowfish symmetric encryption algorithm and encodes the ciphertext with base64. The loader uses memory stream objects to reverse these operations, decoding and decrypting the payload using a hardcoded key. It can be compiled as a standalone executable or a DLL. The plaintext payload is executed using the vanilla process hollowing technique without being written to a file on disk.

What is the Status of Coverage?
FortiEDR detects and blocks payloads executed by Mortar Loader out of the box, as it detects process hollowing from the operating system's perspective. Depending on the enabled set of policies, FortiEDR can block the creation of such malicious processes (pre-execution) or malicious operations performed by the payload (post-infection).

Tags: Threat Tool
Fortinet | 2021-12-20 19:11:01 | Mirai Malware that Allegedly Propagates Using Log4Shell Spotted in the Wild (direct link)

FortiGuard Labs is aware of a new Mirai Linux variant that spreads using CVE-2021-44228 (Log4Shell). This is possibly the first Mirai variant to incorporate Log4Shell exploit code since the vulnerability came to light on December 9th 2021. This sample was discovered by security researcher @1ZRR4H on Twitter.

How does this Mirai Variant Work? Is this a Worm?
The Mirai variant exploits CVE-2021-44228 and CVE-2017-17215 (Huawei HG532 Remote Code Execution). If the exploit is successful, the targeted machine is redirected to an LDAP server that passes the next-stage payload (which varies) to the victim machine. Furthermore, chatter on OSINT channels has discussed whether or not this is a "worm." Our findings reveal that, like a worm, it has the capability to propagate. What makes it not a worm in the traditional sense is that all instructions are under the control of the botmaster and it relies on an external resource for propagation. The botmaster can also start and stop various actions, unlike a worm. Our analysis concludes that this Mirai variant is equipped with Log4Shell exploit code and Huawei HG532 exploit code and does not classify as a worm.

What is Mirai Malware?
Mirai malware is Linux IoT malware that makes infected machines join a zombie network used for Distributed Denial of Service (DDoS) attacks. The first report of Mirai goes back to at least August 2016. Since the source code of Mirai was leaked publicly, there have been numerous threat actors and campaigns incorporating Mirai and related variants in the wild. FortiGuard Labs previously published several blogs on Mirai IoT malware. Please refer to the APPENDIX for links to related blogs.

Why is this Significant?
This sample was reported to be one of the first worm-like samples exploiting Log4Shell. However, our analysis has concluded that this specific sample does not qualify as, and cannot be classified as, a worm.

What is the Status of Coverage?
FortiGuard Labs provides the following AV coverage against this Mirai malware variant:
ELF/Mirai.VI!tr
FortiGuard Labs provides the following IPS coverage against CVE-2017-17215:
Huawei.HG532.Remote.Code.Execution
For FortiEDR, all known samples have been added to our cloud intelligence and will be blocked if executed. All network IOCs are blocked by the WebFiltering client.

Tags: Threat Malware Vulnerability
Fortinet | 2021-12-20 18:43:04 | Log4j 2.17.0 Released In Response to New Log4j Vulnerability (CVE-2021-45105) (direct link)

FortiGuard Labs is aware that the Apache Software Foundation released Log4j version 2.17.0 on December 18th 2021 in response to a new Log4j vulnerability (CVE-2021-45105). This is the third Log4j version Apache has released since December 10th 2021. CVE-2021-45105 is identified as a Denial of Service (DoS) vulnerability.

Why is this Significant?
This is significant because CVE-2021-45105 is the latest vulnerability in Log4j revealed by Apache. Log4j version 2.17.0 marks the third update made by Apache since December 10th in response to a series of Log4j vulnerabilities, two of which were rated critical.

What is CVE-2021-45105?
Apache describes CVE-2021-45105 as follows: "Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack". A CVSS score of 7.5 and a severity of high were assigned to the vulnerability.

What Versions of Log4j are Vulnerable?
All Log4j versions from 2.0-beta9 to 2.16.0.

Has the Vendor Released an Advisory for CVE-2021-45105?
Yes, Apache released an advisory for CVE-2021-45105 on December 18th. See the Appendix for a link to "Fixed in Log4j 2.17.0 (Java 8)".

Has the Vendor Released a Fix for CVE-2021-45105?
Yes, Log4j version 2.17.0 was released on December 18th 2021 to fix the issue.

What is the Status of Coverage?
Based on the available Proof-of-Concept code, exploit attempts are detected by the IPS signature "Apache.Log4j.Error.Log.Remote.Code.Execution".

Any Suggested Mitigation?
Apache provided the following mitigation information:
Log4j 1.x mitigation: Log4j 1.x is not impacted by this vulnerability.
Log4j 2.x mitigation: Implement one of the following mitigation techniques:
- Java 8 (or later) users should upgrade to release 2.17.0.
- Alternatively, this can be mitigated in configuration: in PatternLayout in the logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC).
- Otherwise, in the configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application, such as HTTP headers or user input.
Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability. Also note that Apache Log4j is the only Logging Services subproject affected by this vulnerability. Other projects like Log4net and Log4cxx are not impacted.

Tags: Vulnerability
Fortinet | 2021-12-20 06:10:10 | New Log4j Vulnerability (CVE-2021-45046) Results in Denial of Service (direct link)

UPDATE December 17 2021: The Apache Software Foundation has changed the impact from Denial of Service to Remote Code Execution and has raised the CVSS score from 3.7 to 9.0; this Threat Signal has been updated accordingly, along with the protection information.

What is the Vulnerability? (Updated on December 17th)
This is a new vulnerability (CVE-2021-45046) discovered in Log4j, the same utility for which a critical vulnerability known as Log4Shell (CVE-2021-44228) was announced last week. Successfully exploiting this new vulnerability would result in an information leak and remote code execution (RCE) in some environments and local code execution in all environments. Initially, CVE-2021-45046 was identified as a Denial of Service vulnerability and given a CVSS score of 3.7; however, the score was raised to 9.0 because remote code execution and an information leak could be achieved as a result of successful exploitation. Apache provides the following updated description in their advisory of December 16th: "It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments; remote code execution has been demonstrated on macOS but no other tested environments." FortiGuard Labs previously released a Threat Signal for CVE-2021-44228 (Log4Shell). See the Appendix for a link to "Apache Log4J Remote Code Execution Vulnerability (CVE-2021-44228)".

What Versions of Log4j are Affected?
All versions from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0.

Has Apache Released a Fix for CVE-2021-45046?
Yes. In response to the issue, Apache Log4j 2.16.0 was released for Java 8 and up, and 2.12.2 for Java 7.

What is the Status of Coverage? (Updated on December 17th)
FortiGuard Labs provides the following AV coverage against CVE-2021-45046:
Apache.Log4j.Error.Log.Remote.Code.Execution

Any Suggested Mitigation?
Apache provides the following mitigation in their advisory:
Log4j 1.x mitigation: Log4j 1.x is not impacted by this vulnerability.
Log4j 2.x mitigation: Implement one of the mitigation techniques below.
- Java 8 (or later) users should upgrade to release 2.16.0.
- Users requiring Java 7 should upgrade to release 2.12.2 when it becomes available (work in progress, expected to be available soon).
- Otherwise, remove the JndiLookup class from the classpath:
  zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.

Tags: Threat Vulnerability
Fortinet | 2021-12-15 16:45:13 | Newly Patched Windows Vulnerability (CVE-2021-43890) Being Exploited to Deliver Malware (direct link)

FortiGuard Labs is aware of a report that a newly patched Windows vulnerability (CVE-2021-43890) is being exploited in the wild to deliver malware such as Emotet, TrickBot and BazarLoader. Exploiting CVE-2021-43890 allows an attacker to create a malicious package file that looks like a legitimate application. The vulnerability was patched as part of Microsoft's December 2021 Patch Tuesday.

Why is this Significant?
This is significant because CVE-2021-43890 was abused as a zero-day to deliver Emotet, TrickBot and BazarLoader. These malware families typically deploy additional malware, including ransomware, to a compromised machine.

What is CVE-2021-43890?
CVE-2021-43890 is a Windows AppX Installer Spoofing Vulnerability that allows an attacker to spoof a malicious package as legitimate software. For example, an attacker can abuse CVE-2021-43890 to create a fake malicious package that has the icon of legitimate software, a valid certificate that marks the package as a Trusted App, and fraudulent publisher information. These pieces increase the chance of convincing the victim to run the file.
[Image: "Windows AppX Installer abuse to install Emotet", courtesy of BleepingComputer]
Microsoft rates this vulnerability as important.

Has the Vendor Released a Fix for the Vulnerability?
Yes, Microsoft released a fix on December 14th, 2021, as part of the December Patch Tuesday.

What is the Status of Coverage?
There is not yet sufficient information available to enable FortiGuard Labs to develop IPS protection for CVE-2021-43890. FortiGuard Labs provides the following AV coverage against malware that abuses CVE-2021-43890:
W32/GenCBL.BHP!tr
W32/Kryptik.HNMX!tr

Tags: Ransomware Malware Vulnerability
Fortinet | 2021-12-15 14:16:25 | Meet Blackcat: New Ransomware Written in Rust on the Block (direct link)

FortiGuard Labs is aware of reports that a new ransomware called Blackcat, also known as ALPHV, was spotted in the wild. Blackcat is yet another ransomware-as-a-service (RaaS) that recruits affiliates for corporate intrusions, encrypting files on the victim's network and stealing confidential files from it in order to extort a ransom. The ransomware could be the first malware written in the Rust programming language.

Why is this Significant?
This is significant because Blackcat (ALPHV) is a new ransomware that has reportedly claimed victims already. Because it is a RaaS, it recruits affiliates, some of whom may already have access to corporate networks. Also, this ransomware could be the first malware written in the Rust programming language.

What is Blackcat (ALPHV) Ransomware?
According to BleepingComputer, Blackcat ransomware was recently advertised on Russian-speaking hacking forums. The ransomware "is entirely command-line driven, human-operated, and highly configurable, with the ability to use different encryption routines, spread between computers, kill virtual machines and ESXi VMs, and automatically wipe ESXi snapshots to prevent recovery". Before encrypting files on the compromised machine, the ransomware terminates processes and Windows services to ensure that targeted files are not locked. It also steals files from the affected machine. The attacker then demands a ransom in Bitcoin or Monero from the victim for file decryption and for not releasing the stolen files to the public. Reportedly, the attacker also demands a ransom for not launching Distributed Denial of Service (DDoS) attacks against the victim. The infection vector for Blackcat ransomware varies from affiliate to affiliate. Typically, the ransomware is deployed by other malware delivered via email, through the exploitation of vulnerabilities, or via unsecured Remote Desktop Protocol (RDP) connections.

What is Rust?
Rust is a programming language that was developed at Mozilla as an alternative to C/C++. Rust is designed with safety and efficient resource management in mind: it offers the functionality of C and the resource management of Java without the inherent memory-safety risks of the former and the performance issues of the latter. In February 2021, the Rust Foundation was founded as a non-profit organization whose primary focus is "to steward the Rust programming language and ecosystem, with a unique focus on supporting the set of maintainers that govern and develop the project".

What is the Status of Coverage?
FortiGuard Labs provides the following AV coverage against Blackcat (ALPHV) ransomware:
W32/Filecoder.OJP!tr
W32/PossibleThreat

Tags: Ransomware Malware
Fortinet | 2021-12-13 09:00:42 | Apache Log4J Remote Code Execution Vulnerability (CVE-2021-44228) (direct link)

FortiGuard Labs is aware of a remote code execution vulnerability in Apache Log4j. Log4j is a Java-based logging and audit framework within Apache. Apache Log4j2 2.14.1 and below are susceptible to a remote code execution vulnerability which a remote attacker can leverage to take full control of a vulnerable machine. This vulnerability is also known as Log4Shell and has been assigned CVE-2021-44228. FortiGuard Labs will be monitoring this issue for any further developments.

What are the Technical Details?
In Apache Log4j2 versions 2.14.1 and below, the Java Naming and Directory Interface (JNDI) features do not protect against attacker-controlled LDAP and other JNDI-related endpoints. A remote code execution vulnerability exists where attacker-controlled log messages or log message parameters are able to execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

What Versions of Software are Affected?
Apache Log4J versions 2.0-beta9 to 2.14.1 are affected.

Is there a Patch or Security Update Available?
Yes, moving to version 2.15.0 mitigates this issue. Further mitigation steps are available from Apache as well. Please refer to "Apache Log4j Security Vulnerabilities" in the APPENDIX for details.

What is the CVSS Score?
10 (CRITICAL)

What Exactly is Apache Log4j?
According to Apache: "Log4j is a tool to help the programmer output log statements to a variety of output targets. In case of problems with an application, it is helpful to enable logging so that the problem can be located. With log4j it is possible to enable logging at runtime without modifying the application binary. The log4j package is designed so that log statements can remain in shipped code without incurring a high performance cost. It follows that the speed of logging (or rather not logging) is capital. At the same time, log output can be so voluminous that it quickly becomes overwhelming. One of the distinctive features of log4j is the notion of hierarchical loggers. Using loggers it is possible to selectively control which log statements are output at arbitrary granularity."

What is the Status of Protections?
FortiGuard Labs has IPS coverage in place for this issue (as of version 19.215):
Apache.Log4j.Error.Log.Remote.Code.Execution
While we urge customers to patch vulnerable systems as soon as possible, FortiEDR monitors and protects against payloads delivered through exploitation of the vulnerability. The picture below demonstrates the blocking of a PowerShell payload used as part of CVE-2021-44228 exploitation. Detection of exploitable systems is also possible via FortiEDR threat hunting by searching for the loading of vulnerable log4j versions; an example of a vulnerable log4j library being loaded by an Apache Tomcat server is shown as well.

Any Suggested Mitigation?
According to Apache, the following specific mitigation steps are available:
- In releases >=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to "true".
- For releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the JndiLookup class from the classpath:
  zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
FortiGuard Labs recommends that organizations affected by CVE-2021-44228 update to version 2.15.0 immediately. Apache also recommends that users running versions 1.0 or lower install version 2.0 or higher, as Log4j 1.0 reached end of life in August 2015 and no longer receives security updates. Binary patches are never provided and must be compiled. For further details, refer to "Apache Log4j Security Vulnerabilities" in the APPENDIX. If this is not possible, countermeasures such as isolating public-facing machines behind a firewall or VPN are recommended.

Tags: Threat Tool Vulnerability | Notes: ★★★★★
Fortinet | 2021-12-07 15:08:56 | NICKEL - Targeting Organizations Across Europe, North America, and South America (direct link)

FortiGuard Labs is aware of reports relating to NICKEL, a state-sponsored group targeting varying interests in Europe, North America and South America. NICKEL is a state-sponsored group operating out of China that targets governmental organizations, diplomatic groups and non-governmental organizations in 29 countries. NICKEL's modus operandi is the use of exploits against unpatched systems and their unpatched services. Observed exploits used by NICKEL included the exploitation of services such as Microsoft Exchange, Microsoft SharePoint, and Pulse Secure VPN. Microsoft filed pleadings with the United States District Court of Eastern Virginia on December 2nd to seize control of servers used by NICKEL.

What are the Technical Details?
NICKEL malware variants use Internet Explorer COM interfaces to receive instructions from predefined command and control (C2) servers. The malware connects to the web-based C2 servers to check for a specific string located on these servers. Once confirmed, the malware decodes a Base64-encoded blob that loads shellcode for further exploitation. NICKEL malware is capable of capturing system information such as the IP address, OS version, system language, computer name and username of the currently signed-in user. It also contains backdoor functionality to execute commands and to upload and download files. NICKEL then uses the stolen and compromised credentials of the targeted victim to log in to Microsoft 365 accounts via browser logins and exfiltrate victim emails for further damage.

What Other Names is NICKEL Known As?
According to Microsoft, NICKEL is also known as APT15, APT25, and Ke3Chang.

Is this Limited to Targeted Attacks?
Yes. Attacks are limited to varying targets in specific countries and verticals.

What Countries were Targeted?
Argentina, Barbados, Bosnia and Herzegovina, Brazil, Bulgaria, Chile, Colombia, Croatia, Czech Republic, Dominican Republic, Ecuador, El Salvador, France, Guatemala, Honduras, Hungary, Italy, Jamaica, Mali, Mexico, Montenegro, Panama, Peru, Portugal, Switzerland, Trinidad and Tobago, United Kingdom, United States of America, and Venezuela.

What is the Status of Protections?
FortiGuard Labs provides the following AV coverage against malware used in this campaign:
W32/Staser.COFE!tr
W32/Staser.CBQX!tr
W32/NetE.VH!tr
W32/BackDoor.U!tr
All network IOCs are blocked by the FortiGuard WebFiltering client.

Any Other Suggested Mitigation?
Because it has been reported that NICKEL obtains access via unpatched and vulnerable systems, it is important to ensure that all known vendor vulnerabilities are addressed and updated to prevent attackers from gaining a foothold within a network. Attackers are well aware of the difficulty of patching; if it is determined that patching is not feasible at this time, an assessment should be conducted to determine risk. Organizations are also encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spear-phishing attacks. They also need to encourage employees never to open attachments from someone they don't know, and to always treat emails from unrecognized/untrusted senders with caution. Since it has been reported that various phishing and spear-phishing attacks have been delivered via social engineering distribution mechanisms, it is crucial that end users within an organization be made aware of the various types of attacks being delivered. This can be accomplished through regular training sessions and impromptu tests using predetermined templates by an organization's internal security department. Simple user awareness training on how to spot emails with malicious attachments or links could also help prevent initial access into the network.

Tags: Malware Guideline Patching | Stories: APT 15 APT 25 | Notes: ★★★★
Fortinet | 2021-12-06 22:36:49 | Joint CyberSecurity Advisory on Attacks Exploiting Zoho ManageEngine ServiceDesk Plus Vulnerability (CVE-2021-44077) (direct link)

FortiGuard Labs is aware of a recent joint advisory released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) on APT actors actively exploiting a critical vulnerability in Zoho ManageEngine ServiceDesk Plus. Successfully exploiting the vulnerability (CVE-2021-44077) enables an attacker to compromise administrator credentials, propagate through the compromised network, and conduct cyber espionage.

Why is this Significant?
This is significant because the advisory was released in response to observed active exploitation of the vulnerability. Zoho, the vendor of ManageEngine ServiceDesk Plus, states in their advisory that "we are noticing exploits of this vulnerability, and we strongly urge all customers using ServiceDesk Plus (all editions) with versions 11305 and below to update to the latest version immediately".

What Product and Versions are Vulnerable?
The vulnerable product is all editions of ServiceDesk Plus. Vulnerable versions are all versions up to, and including, version 11305.

What are the Technical Details of the Vulnerability?
Not much information is currently available on the vulnerability other than that it is related to /RestAPI URLs in a servlet, and to ImportTechnicians in the Struts configuration.

What CVE Number and Severity are Assigned to the Vulnerability?
The vulnerability is assigned CVE-2021-44077 and is rated critical with a CVSS score of 9.8.

Which Industries are Targeted?
According to the advisory, Critical Infrastructure Sector industries, including the healthcare, financial services, electronics and IT consulting industries, are targeted by threat actors.

What Malicious Activities Conducted by the Threat Actors were Observed?
CISA provided the following tactics, techniques and procedures (TTPs) for the observed activities:
- Writing webshells to disk for initial persistence
- Obfuscating and deobfuscating/decoding files or information
- Conducting further operations to dump user credentials
- Living off the land by only using signed Windows binaries for follow-on actions
- Adding/deleting user accounts as needed
- Stealing copies of the Active Directory database (NTDS.dit) or registry hives
- Using Windows Management Instrumentation (WMI) for remote execution
- Deleting files to remove indicators from the host
- Discovering domain accounts with the net Windows command
- Using Windows utilities to collect and archive files for exfiltration
- Using custom symmetric encryption for command and control (C2)

Has the Vendor Patched the Vulnerability?
Yes, Zoho released a patch on September 16, 2021.

Has the Vendor Released an Advisory?
Yes, the vendor released an advisory on September 16, 2021. An additional advisory was released on November 22, 2021. Links are in the Appendix.

What is the Status of Coverage?
FortiGuard Labs provides the following AV coverage against available files that were used in the attack:
Java/Webshell.AD!tr
W64/Agent.BG!tr.pws
W32/Agent.CY!tr
Trojan.Win32.Agentb.kpbc
HEUR:Trojan-Dropper.Win32.Agentb.gen
HEUR:Backdoor.Multi.MalGO.a
Backdoor.Java.JSP.au
Trojan.Win64.Agentb.azo
Trojan.Win32.Agentb.kpbd
Trojan.Win64.Agentb.azp
As for CVE-2021-44077, there is not sufficient information available for FortiGuard Labs to develop IPS protection. FortiGuard Labs will investigate protection once such information becomes available and will update this Threat Signal with protection.

Tags: Threat Vulnerability | Notes: ★★★★★
Fortinet | 2021-12-02 14:48:08 | Yanluowang Ransomware Used By a Threat Actor Previously Linked to Thieflock Ransomware (direct link)

FortiGuard Labs is aware of a report that Yanluowang ransomware was recently used by a threat actor who previously employed Thieflock ransomware. According to Symantec, the threat actor focuses on organizations across multiple sectors in the United States. Yanluowang ransomware was first reported in October 2021. Yanluowang attackers demand a ransom from the victims and tell them not to contact law enforcement or ransomware negotiation firms. If they do, the attackers threaten the victim with distributed denial of service (DDoS) attacks as well as phone calls to alert the victim's business partners.

Why is this Significant?
This is significant because the attacker, who mainly targets U.S. corporations, appears to have switched their arsenal from Thieflock ransomware to Yanluowang ransomware. Because of this, companies in the United States need to pay extra attention to the tactics, techniques, and procedures (TTPs) that this attacker uses.

What TTPs is the Attacker Known to Use?
According to the report, the attacker uses the following tools:
- GrabFF: A tool to dump passwords from Firefox
- GrabChrome: A tool to dump passwords from Chrome
- BrowserPassView: A tool to dump passwords from web browsers such as Internet Explorer, Chrome, Safari, Firefox, and Opera
- KeeThief: A PowerShell script to copy the master key from KeePass
- Customized versions of Secretsdump: Security Account Manager (SAM) credential-dumping tools
- FileGrab: A tool to capture newly created files in Windows file systems
- Cobalt Strike Beacon: A tool that allows the attacker to perform command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement
- ProxifierPE: A tool to proxy connections back to the attacker's Command and Control (C&C) server
- ConnectWise: Remote desktop software that provides remote access to the attacker
- AdFind: A command-line Active Directory query tool
- SoftPerfect Network Scanner: A tool to discover hostnames and network services
- BazarLoader: A backdoor program that is used to deploy additional malware and steal confidential information from the compromised machine. The attacker typically downloads BazarLoader using PowerShell.
The initial attack vector is unclear, so suspicious emails must be handled with caution and patches for the products and software used in the company must be applied.

What is Yanluowang Ransomware?
Yanluowang ransomware is reported to perform the following actions:
- Terminates all hypervisor virtual machines (VMs) running on the compromised machine
- Terminates processes, such as SQL and the back-up solution Veeam, that are listed in processes.txt
- Encrypts files on the victim's machine and appends the .yanluowang extension to them
- Drops a ransom note
In the ransom note, the Yanluowang attacker asks the victim to follow their rules, including not contacting law enforcement or ransomware negotiation companies; otherwise the attacker will launch distributed denial of service (DDoS) attacks against the victim and will make phone calls to the victim's employees and business partners.

What is the Status of Protection?
FortiGuard Labs provides the following AV coverage against Yanluowang ransomware:
W32/Ylwransom.A!tr.ransom
All network IOCs are blocked by the WebFiltering client.

Tags: Threat Ransomware Malware Tool | Notes: ★★
Fortinet.webp 2021-11-30 11:26:16 New Variant of Phobos Ransomware Hitting the Wild (direct link)
FortiGuard Labs is aware that a new variant of Phobos ransomware is hitting the wild. Phobos ransomware is thought to have a close relationship to the CrySIS and Dharma ransomware families. Phobos ransomware encrypts files with predetermined file extensions and deletes shadow copies and the backup catalog to prevent easy restoration of the files.

Why is this Significant?
This is significant because Phobos is an older ransomware that has been around since at least late 2017 and has been updated several times since. The newly observed variant is proof that Phobos is still actively developed and used.

What is Phobos Ransomware?
Phobos is a ransomware that is thought to be closely related to the CrySIS and Dharma ransomware families and generally targets small to medium-sized businesses. There is little that is notable about the ransomware itself: it encrypts files with predetermined file extensions and deletes shadow copies and the backup catalog to prevent easy restoration of the files.

This particular Phobos ransomware variant adds the "[(removed)@imap.cc].XIII.XIII" file extension to the files it encrypts and demands a ransom to decrypt the affected files.

How does Phobos Ransomware Arrive?
Phobos ransomware is delivered either via malicious attachments in emails or through vulnerable Remote Desktop Protocol (RDP) connections.

What is the Status of Coverage?
FortiGuard Labs provides AV coverage against this new variant of Phobos ransomware as W32/Generic.AP.34AB98!tr.

FortiGuard Labs provides the following AV protection against other known variants of Phobos ransomware:
W32/Phobos.A!tr.ransom
W32/Phobos.B!tr
W32/Filecoder_Phobos.A!tr
W32/Filecoder_Phobos.A!tr.ransom
W32/Filecoder_Phobos.B!tr
W32/Phobos.B!tr.ransom
W32/Phobos.C!tr
W32/Phobos.C!tr.ransom
W32/Filecoder_Phobos.E!tr.ransom
W32/Phobos.E!tr.ransom
W32/Phobos.F!tr.ransom
W32/Filecoder_Phobos.C!tr
W32/Phobos.HGAF!tr.ransom
W32/Phobos.B828!tr.ransom
W32/Phobos.B936!tr.ransom
W32/Filecoder_Phobos.E!tr
W32/Phobos.3257!tr.ransom
W32/Phobos.8B03!tr.ransom
W32/Filecoder_Phobos.C!tr.ransom
W32/PhobosRansom.190E!tr.ransom
Riskware/Filecoder_Phobos

Any Other Suggested Mitigation?
Due to the ease of disruption and the potential for damage to daily operations, reputation, and unwanted release of personally identifiable information (PII), it is important to keep all AV and IPS signatures up to date. It is also important to ensure that all known vendor vulnerabilities within an organization are addressed and patched, to protect against attackers establishing a foothold within a network.

Organizations are also encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spearphishing attacks. They also need to encourage employees to never open attachments from someone they don't know, and to always treat emails from unrecognized/untrusted senders with caution.

Since it has been reported that various phishing and spearphishing attacks have been delivered via social engineering distribution mechanisms, it is crucial that end users within an organization be made aware of the various types of attacks being delivered. This can be accomplished through regular training sessions and impromptu tests using predetermined templates by an organization's internal security department. Simple user awareness training on how to spot emails with malicious attachments or links could also help prevent initial access into the network.

Ransomware ★★★★★
Fortinet.webp 2021-11-30 11:24:48 Recent APT37 Activity and Chinotto, a Multi Platform Infostealer (direct link)
FortiGuard Labs is aware of reports of recent activity from APT37. APT37 is a nation-state threat actor attributed to North Korea. The latest discovery by researchers at Kaspersky Labs has revealed a sophisticated, targeted attack that utilizes stolen credentials from Facebook and email accounts belonging to an associate of the targeted victim.

The victim was socially engineered and compelled into opening RAR-compressed attachments, purporting to be from the trusted sender, that contained a malicious Word document. The Word document is multi-stage in design and uses a malicious macro to initiate the first stage. The first stage detects the presence of AV software and, if AV is not present, initiates the second stage, a shellcode that downloads the final third-stage payload. Ultimately, after several months of dwelling undetected on the infected system, the backdoor downloads the multiplatform infostealer "Chinotto." Windows variants were sent via spearphishing emails and Android variants were sent via smishing texts.

What Operating Systems are Affected?
Chinotto targets Windows and Android based operating systems.

Is This Limited to Targeted Attacks?
Yes.

How Serious of an Issue is This?
Medium.

What is APT37?
APT37 (also known as GROUP123 and Scarcruft), attributed to North Korean threat actors, has been in operation for several years. During that time, APT37 has been attributed to the Adobe Flash zero-day attack (CVE-2018-4878) that targeted researchers based in South Korea who were performing research on North Korea. APT37 focuses on various organizations with an interest in North Korea. APT37 is well known for exploiting vulnerabilities in the Hangul Word Processor (HWP), which is commonly used in South Korea, especially by those in the government sector.

Analysis suggests that this is a very detailed and sophisticated threat actor with an arsenal of malware and exploits at their disposal that targets various verticals and organizations with specially crafted campaigns. Other vectors observed besides the Adobe and Hangul vulnerabilities were Microsoft vulnerabilities as well, specifically CVE-2017-0199 (Microsoft Office UAC bypass) and CVE-2015-2545 (Microsoft Office Encapsulated PostScript (EPS)). For further details on the exploitation of HWP documents and campaigns previously analyzed, please refer to our blog here.

What is the Status of Coverage?
FortiGuard Labs has AV coverage in place for publicly available samples as:
VBA/Agent.AAK!tr
W32/PossibleThreat
VBA/Agent.AF3C!tr
W32/Agent.ACDD!tr
PossibleThreat.MU
PossibleThreat.PALLAS.H
W32/FRS.VSNTGF20!tr
W32/Bsymem.MSJ!tr

All network IOCs are blocked by the WebFiltering client.

Any Other Suggested Mitigation?
Due to the ease of disruption and the potential for damage to daily operations, reputation, and unwanted release of personally identifiable information (PII), it is important to keep all AV and IPS signatures up to date. It is also important to ensure that all known vendor vulnerabilities are addressed and patched, to protect against attackers gaining a foothold within a network. Attackers are well aware of the difficulty of patching, and if it is determined that patching is not feasible at this time, an assessment should be conducted to determine risk.

Also, as this campaign was delivered via spearphishing and smishing, organizations are encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spearphishing/smishing attacks. They also need to encourage employees to never open attachments from someone they don't know, and to always treat emails from unrecognized/untrusted senders with caution.

Since it has been reported that various phishing/spearphishing/smishing attacks have been delivered via social engineering distribution mechanisms, it is crucial that end users within an organization be made aware of the various types of attacks being delivered. This can be accomplished through regular training sessions and impromptu tests using predetermined templates by an organization's internal security department. Si

Threat Malware Cloud Patching APT 37
Fortinet.webp 2021-11-23 17:18:27 New Proof of Concept for CVE-2021-42321 Released (Microsoft Exchange Remote Code Execution Vulnerability) (direct link)
FortiGuard Labs is aware of a new proof of concept that leverages CVE-2021-42321, a Microsoft Exchange Server remote code execution vulnerability. The proof of concept, released by security researcher @jannggg on Twitter, targets a post-authentication remote code execution vulnerability. Patches for CVE-2021-42321 were released by Microsoft on November 9th, and the vulnerability is rated as IMPORTANT.

What is the CVSS Score?
This vulnerability has a CVSS Base Score of 8.8.

Does the Attacker Need to be Authenticated?
Yes. The attacker needs to be authenticated to the Microsoft Exchange Server.

What Versions of Software are Affected?
Microsoft has released security updates for the following versions of Microsoft Exchange:
Exchange Server 2013
Exchange Server 2016
Exchange Server 2019

Is this Being Exploited In the Wild?
Yes. Microsoft states that exploitation is limited to targeted attacks.

Has the Vendor Issued a Patch?
Yes, Microsoft issued a patch on November 9th. For further information on the vulnerability, including a link to the available patches, please refer to the "Released: November 2021 Exchange Server Security Updates" link in the APPENDIX.

Any Suggested Mitigation?
As there have been reports of exploitation in the wild, and proof of concept code is now available, it is imperative that patches are applied to affected systems as soon as possible. Also, to determine which machines may be behind on updates with respect to this latest patch, Microsoft has made available a PowerShell script that helps inventory potentially vulnerable machines on the network. Please refer to the "Exchange Server Health Checker" in the APPENDIX for this script.

What is the Status of Coverage?
Coverage is being investigated at this time for feasibility. This threat signal will be updated once further information is available.

Threat Vulnerability
Fortinet.webp 2021-11-19 10:21:31 Memento Group Exploited CVE-2021-21972, Hid Five Months to Deploy Ransomware (direct link)
FortiGuard Labs is aware of a report that a new adversary carried out an attack using a Python-based ransomware called "Memento." The Memento attackers are reported to have taken advantage of a remote code execution vulnerability in a VMware vCenter Server plugin (CVE-2021-21972) as an initial attack vector. The group started to exploit the vulnerability in April, then stayed in the network until they deployed ransomware to the victim's network upon completion of their data exfiltration.

Why is this Significant?
This is significant because the attacker was able to stay in the victim's network for more than 5 months after gaining initial access by exploiting CVE-2021-21972. Because of the severity of the vulnerability, CISA released an alert on February 24th, 2021 urging admins to apply the patch as soon as possible.

What is CVE-2021-21972?
CVE-2021-21972 is a remote code execution vulnerability in a VMware vCenter Server plugin. The vulnerability is due to improper handling of request parameters in the vulnerable application. A remote attacker could exploit this vulnerability by uploading a specially crafted file to the targeted server. Successful exploitation could lead to arbitrary code execution on the affected system. CVE-2021-21972 has a CVSS (Common Vulnerability Scoring System) score of 9.8 and affects the following products:
vCenter Server 7.0 prior to 7.0 U1c
vCenter Server 6.7 prior to 6.7 U3l
vCenter Server 6.5 prior to 6.5 U3n
For more details, see the Appendix for a link to the VMware advisory "VMSA-2021-0002".

Has the Vendor Released a Patch for CVE-2021-21972?
Yes, VMware released a patch for CVE-2021-21972 in February 2021.

What are the Details of the Attack Carried Out by the Memento Group?
According to security vendor Sophos, the attacker gained access to the victim's network in April 2021 by exploiting CVE-2021-21972. In May, the attacker deployed the wmiexec remote shell tool and the secretsdump hash dumping tool to a Windows server. Wmiexec is a tool that allows the attacker to remotely execute commands through WMI (Windows Management Instrumentation). Secretsdump is a tool that allows the attacker to extract credential material from the Security Account Manager (SAM) database. The attacker then downloaded a command-line version of WinRAR and two RAR archives containing various hacking tools used for reconnaissance and credential theft to the compromised server. After that, the adversary used RDP (Remote Desktop Protocol) over SSH to spread further within the network. In late October, after successfully staying low for 5 months, the attacker collected files from the compromised machines and put them in an archive file using WinRAR for data exfiltration. Then the attacker deployed the initial variant of the Memento ransomware to the victim's network, but the file encryption process was blocked by anti-ransomware protection. The attacker then switched ransom tactics, putting the victim's files into password-protected archive files instead of encrypting them.

What is Memento Ransomware?
Memento is a Python-based ransomware used by the Memento group. The first Memento variant simply encrypts files on the compromised machine. The second variant does not involve file encryption; it collects files from the compromised machine and puts them into password-protected archive files.

What is the Status of Coverage?
FortiGuard Labs provides the following AV coverage for the available samples used in the attack:
W32/KeyLogger.EH!tr.spy
PossibleThreat.PALLASNET.H
Riskware/Miner
Riskware/Impacket
Riskware/Mimikatz
Riskware/Secretdmp

FortiGuard Labs provides the following IPS coverage for CVE-2021-21972:
VMware.vCenter.vROps.Directory.Traversal

Any Other Workaround?
VMware provided a workaround for CVE-2021-21972. See the Appendix for a link to "Workaround Instructions for CVE-2021-21972 and CVE-2021-21973 on VMware vCenter Server (82374)".

Ransomware Guideline Tool Vulnerability
Fortinet.webp 2021-11-16 13:16:47 BlackMatter Uses New Custom Data Exfiltration Tool (direct link)
FortiGuard Labs is aware that a BlackMatter ransomware affiliate has started to use a new custom data exfiltration tool called "Exmatter". The tool is used to steal specific file types from predetermined directories and upload them to an attacker-controlled server. This happens before the ransomware is deployed to the victim's network.

Why is this Significant?
This is significant because Exmatter appears to target specific file types which the attacker considers valuable, so that it can steal them as quickly as possible. That allows the attacker to spend less time on the network before deploying the BlackMatter ransomware.

What File Types is Exmatter Designed to Steal?
According to security vendor Symantec, files with the following extensions on the compromised machine are targeted by Exmatter: .doc, .docx, .xls, .xlsx, .pdf, .msg, .png, .ppt, .pptx, .sda, .sdm, .sdw, .csv, .xlsm, .zip, .json, .config, .ts, .cs, .js, .asp, .pst

Are There Multiple Versions of Exmatter?
According to the security vendor, at least four versions of Exmatter were used by a BlackMatter affiliate. Newer versions include additional file extensions to steal, as well as specific strings in file names that Exmatter excludes from the exfiltration targets. One directory target was shortened so that Exmatter can search more files for exfiltration. Also, the SFTP server details used for uploading the stolen data were updated, with WebDAV serving as a backup in case the SFTP transmission did not work.

What is the Significance of the Updates Made to Exmatter?
It is significant because the attacker used lessons learned from previous victims' networks to update Exmatter, making data exfiltration more efficient and effective against future victims.

What does FortiGuard Labs Know About BlackMatter Ransomware?
BlackMatter ransomware is a fairly new Ransomware-as-a-Service (RaaS) that was discovered in late July 2021. The group posted ads on hacking forums recruiting affiliates and asking to buy access to compromised corporate networks in order to deploy ransomware. FortiGuard Labs has previously released two Threat Signals on BlackMatter ransomware. See the Appendix for links to the Threat Signals "Meet BlackMatter: Yet Another RaaS in the Wild" and "Joint CyberSecurity Advisory on BlackMatter Ransomware (AA21-291A)."

What is the Status of Coverage?
FortiGuard Labs provides the following AV coverage against Exmatter:
MSIL/Agent.7AAD!tr
W32/Crypt!tr
PossibleThreat

All network IOCs related to this threat are blocked by the FortiGuard WebFiltering Client.

Threat Ransomware Tool
Last update at: 2024-05-30 05:08:28