What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2022-11-15 18:55:38 | Path Traversal Vulnerability (CVE-2022-0902) in ABB Flow Computer and Remote Controllers (lien direct) | FortiGuard Labs is aware a path-traversal vulnerability (CVE-2022-0902) that affects ABB Totalflow flow computers and remote controllers widely used by oil and gas utility companies. Successfully exploiting the vulnerability allows an attacker to inject and execute arbitrary code. The vulnerability is a path-traversal vulnerability in ABB Totalflow flow computers and remote controllers.Why is this Significant?This is significant because the new vulnerability (CVE-2022-0902) affects ABB TotalFlow flow computers and remote controllers widely used by oil and gas utility companies. ABB TotalFlow is used to calculate oil and gas volume and flow rates and is also used for billing and other purposes.By successfully exploiting the vulnerability, an attacker may be able to hinder affected oil and gas companies' abilities to correctly measure oil and gas flow, which may lead to safety issues and interruption of business.What is CVE-2022-0902?CVE-2022-0902 is a path-traversal vulnerability (CVE-2022-0902) in ABB TotalFlow flow computers and remote controllers. The vulnerability allows an attacker to gain access to restricted directories in ABB flow computers leading to arbitrary code execution in an affected system node.CVE-2022-0902 has a CVSS score of 8.1.What Products are Affected by the Vulnerability?According to the advisory issued by ABB, the following products are affected by the vulnerability:• RMC-100• RMC100L ITE• XIO• XFCG5• XRCG5• uFLOG5• UDCAll versions of the products without the latest update are vulnerable to CVE-2022-0902.Is CVE-2022-0902 being Exploited in the Wild?FortiGuard Labs is not aware that CVE-2022-0902 is exploited in the wild.Has the Vendor Released an Advisory?Yes. Please see the Appendix for a link to "ABB Flow Computer and Remote Controllers Path Traversal Vulnerability in Totalflow TCP protocol can lead to root access CVE ID: CVE-2022-0902".Has the Vendor Released a Patch?Yes, the vendor released a firmware update.What is the Status of Protection?FortiGuard Labs is currently investigating protection for CVE-2022-0902. We will update this Threat Signal when protection becomes available.Any Suggested Mitigation?The advisory issued by ABB includes mitigation and workarounds information. See the Appendix for a link to "ABB Flow Computer and Remote Controllers Path Traversal Vulnerability in Totalflow TCP protocol can lead to root access CVE ID: CVE-2022-0902". | Threat Guideline Vulnerability | ||
|
2022-11-14 21:30:35 | Emotet Distributed Through U.S. Election Themed Link Files (lien direct) | FortiGuard Labs has discovered that Emotet was recently delivered through an archive file that has a file name targeting those interested in the U.S. midterm elections. The archive file is "US midterm elections The six races that could decide the US Senate.zip" that has a link file with the same name, which leads to Emotet.Why is this Significant?This is significant because Emotet is trying to leverage the interest of the U.S. midterm elections for infection. While FortiGuard Labs has not observed the infection vector, the file name "US midterm elections The six races that could decide the US Senate.zip" was likely distributed via emails. "The six races" likely refers to Arizona, Georgia, Michigan, Nevada, Pennsylvania, and Wisconsin where Democrats and Republican are expected to have close race in the elections, which gives better chance that recipients will open the archive contents. Emotets' modus operandi includes distribution via malicious spam campaigns and thread hijacking of emails.What's in "US midterm elections The six races that could decide the US Senate.zip"?The zip file contains a link file named "US midterm elections The six races that could decide the US Senate.lnk". When the link file is executed, it drops a further script in %tmp% that will attempt to cycle through several URLs to download a Emotet DLL.The downloaded Emotet connects to C2 server and will likely deliver additional malware.FortiGuard Labs discovered that the same script is present in other link files "New York Election news and updates....lnk" and "Amazon warns of slower sales as economy weakens.lnk" that were submitted to VirusTotal at the end of October and beginning of November respectively.What is the Status of Protection?FortiGuard Labs provides the following AV signatures for the archive and link file involved in the attack:• LNK/Agent.AMY!tr.dldr• PossibleThreat.PALLAS.HC2 address is blocked by FortiGuard Webfiltering Client. | Spam Guideline | ||
|
2022-10-14 01:23:24 | RCE Vulnerability in Zimbra Collaboration Suite (CVE-2022-41352) Being Exploited in the Wild (lien direct) | FortiGuard Labs is aware of reports that a vulnerability affecting Zimbra Collaboration Suite (CVE-2022-41352) is a newly reported zero-day and is being exploited in the wild. CVE-2022-41352 is a Remote Code Execution (RCE) vulnerability that allows an attacker to perform remote code execution on vulnerable servers.Why is this Significant?This is significant because CVE-2022-41352 is a remote code execution vulnerability which is a zero-day and is actively being exploited in the wild.Zimbra Collaboration, formerly known as Zimbra Collaboration Suite, is a cloud-based email, calendaring, and groupware solution developed by Synacor and is widely used worldwide. According to its Web site, Zimbra is used in more than 140 countries and over 1,000 government and financial institutions.What is CVE-2022-41352?The vulnerability exists due to Amavis' (Zimbra's Anti-virus engine) usage of "cpio" to extract archives in emails and scan contents. By leveraging the vulnerability, an attacker can gain improper access to any other Zimbra user accounts, which can lead to remote code execution.What is the CVSS Score?CVE-2022-41352 has a CVSS rating of 9.8. Zimbra rates the vulnerability as "major".How Widespread is this?While we do not know how widespread this is, the first report of this vulnerability being exploited has been reported to be around the beginning of September 2022.What Versions of Zimbra Collaboration Suite are Vulnerable to CVE-2022-41352?Zimbra Collaboration Suite version 8.8.15 and 9.0 are vulnerable.Has the Vendor Released a Patch for CVE-2022-41352?Yes, the vendor released a patch on October 10, 2022.What is the Status of Protection?FortiGuard Labs released the following IPS signature for CVE-2022-41352:Zimbra.Collaboration.Suite.cpio.Remote.Code.Execution (default action is set to "pass")Any Suggested Mitigation?As mitigation, Zimbra recommends installing the pax package, an utility for creating and extracting archive files, to Zimbra servers. For details, please refer to the Appendix for a link to "Security Update - make sure to install pax/spax". | Guideline Vulnerability | ||
|
2022-08-19 16:25:45 | Joint CyberSecurity Advisory on Vulnerabilities in Zimbra Collaboration (CISA-MS-ISAC) (lien direct) | On August 16th, a joint cybersecurity advisory was issued by the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) on vulnerabilities in Zimbra Collaboration that is actively leveraged in the field by threat actors. The advisory covers five CVEs: CVE-2022-24682, CVE-2022-27924, CVE-2022-27925, CVE-2022-37042, and CVE-2022-30333.Why is this Significant?This is significant because the vulnerabilities in Zimbra Collaboration Suite called out in the advisory (CVE-2022-24682, CVE-2022-27924, CVE-2022-27925, CVE-2022-37042, and CVE-2022-30333) are leveraged in real attacks by threat actors, and as such relevant patches should be applied as soon as possible.Zimbra Collaboration, formerly known as Zimbra Collaboration Suite, is a cloud-based email, calendaring, and groupware solution developed by Synacor and is widely used worldwide. According to its Web site, Zimbra is used in more than 140 countries and over 1,000 government and financial institutions.How Widespread are the Attacks Leveraging the Vulnerabilities?While there is no information available as to how widespread the attacks are, wide adoption of Zimbra Collaboration is a high exploitation target for any threat actor.What are the Vulnerabilities Exploited in the Field?The advisory states a total of five vulnerabilities are exploited in the wild.CVE-2022-24682CVE-2022-24682 is a cross-site scripting (XSS) vulnerability in Zimbra Webmail. The vulnerability affects all versions of Zimbra 8.8.15 and was exploited as a zero-day. Remote attackers can leverage the vulnerability to run an arbitrary web script within the session of the connected Zimbra user.CVE-2022-27924CVE-2022-27924 is a memcache command injection vulnerability that impacts Zimbra Collaboration 8.8.15 and 9.0. Successful exploitation allows a remote attacker to steal email login credentials in plain text from Zimbra Collaboration without any user interaction.CVE-2022-27925CVE-2022-27925 is an arbitrary file upload vulnerability that affects Zimbra Collaboration 8.8.15 and 9.0. By leveraging the vulnerability, an authenticated remote attacker can upload arbitrary files to an arbitrary location on the vulnerable system. The advisory states that CVE-2022-27925 was observed to have been exploited in conjunction with CVE-2022-37042.CVE-2022-37042CVE-2022-37042 is an authentication bypass vulnerability that impacts Zimbra Collaboration 8.8.15 and 9.0. Successful exploitation allows an unauthenticated attacker to upload arbitrary files to an arbitrary location on the vulnerable system and leads to remote code execution. The advisory states that CVE-2022-37042 was observed to have been exploited in conjunction with CVE-2022-27925.CVE-2022-30333CVE-2022-30333 is a path traversal vulnerability that affects Linux and Unix versions of RARLAB UnRAR before version 6.12. Successfully exploiting the vulnerability allows an attacker to drop files to an arbitrary location on a vulnerable system during the unpacking operation.Has the Vendor Released a Patch?Yes. A patch is available for all vulnerabilities. For more details, see the Appendix for a link to "Zimbra Collaboration - Security Vulnerability Advisories" and "RARLAB".What is the Status of Coverage?FortiGuard Labs has the following IPS coverage in place against the exploitation of the vulnerabilities:Zimbra.Collaboration.Calendar.Reflected.XSS (CVE-2022-24682)Zimbra.Collaboration.Mboximport.Unrestricted.File.Upload (CVE-2022-27925 and CVE-2022-37042)FortiGuard Labs is investigating coverage for CVE-2022-27924 and CVE-2022-30333, and will update this threat signal once any relevant updates are available. | Threat Guideline Vulnerability | ★★ | |
|
2022-07-24 22:00:19 | H0lyGh0st Ransomware Used to Target SMBs (lien direct) | FortiGuard Labs is aware of a report that H0lyGh0st ransomware was primarily used against "small-to-midsized businesses, including manufacturing organizations, banks, schools, and event and meeting planning companies". Microsoft attributed the ransomware to a North Korean hacking group. After the victim's networks are infiltrated, the threat actor then exfiltrates information which then deploys H0lyGh0st ransomware that encrypts files.Why is this Significant?This is significant as H0lyGh0st ransomware is a newly reported ransomware that was deployed to compromised small-to-midsized businesses by an alleged North Korean hacking group in newly discovered attacks.What is H0lyGh0st Ransomware?H0lyGh0st is a ransomware which encrypts files on a compromised machine for financial gain. After the victim's networks are compromised, the threat actor will exfiltrate information from the victim's machine. Then, H0lyGhst ransomware is deployed and encrypts files. The ransomware adds a ".h0lyenc" file extension to the affected files and leaves a ransom note in FOR_DECRYPT.html.The html file includes ransom message below:Please Read this text to decrypt all files encrypted.We have uploaded all files to cloud. Url: [redacted]Don't worry, you can return all of your files immediately if you pay.If you want to restore all of your files, Send mail to [redacted] with your Id. Your ID is [redacted]Or install tor browser and contact us with your id or [redacted] (If all of pcs in your company are encrypted).Our site : "A link to H0lyGh0st Onion site"After you pay, We will send unlocker with decryption keyAttention1. Do not rename encrypted files.2. Do not try to decrypt your data using third party software, it may cause permanent data loss.3. Decryption of your files with the help of third parties may cause increase price.4. Antivirus may block our unlocker, So disable antivirus first and execute unlocker with decryption key.According to the report, the ransom amount ranges from 1.2 to 5 Bitcoins, which amounts to 26,000 to 110,000 US dollars based on the exchange rate as of this publishing.What are the Initial Attack Vectors?While initial attack vectors have not been identified, CVE-2022-26352 is called out as a potential vulnerability that was exploited to break into target networks. CVE-2022-26352 is a critical arbitrary file upload vulnerability in dotCMS. A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted request to the target server. Successfully exploiting this vulnerability could result in arbitrary file be saved in target server and lead to remote code execution.Has the Vendor Released a Fix for CVE-2022-26352?Yes, a patch is available. For more information, see the Appendix for a link to "SI-62: Multipart File Directory Traversal can lead to remote execution".What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against known samples of H0lyGh0st ransomware:W64/Filecoder.788A!tr.ransomW32/Filecoder.AX!trW64/Agent.ACR!trW32/PossibleThreatMalicious_Behavior.SBFortiGuard Labs provides the following IPS coverage for CVE-2022-26352:DotCMS.API.Content.Arbitrary.File.Upload (default action is set to pass)Known network IOCs for H0lyGh0st ransomware are blocked by the WebFiltering client. | Threat Ransomware Guideline Vulnerability | ||
|
2022-06-09 17:30:25 | Qakbot Delivered Through CVE-2022-30190 (Follina) (lien direct) | FortiGuard Labs is aware of a report that CVE-2022-30190 is exploited in the wild to deliver Qakbot malware. Currently, a patch is not available for CVE-2022-30190. Also known as Qbot and Pinkslipbot, Qakbot started off as a banking malware. In recent years, Qakbot was seen as a delivery vehicle for other malware, which often results in a compromised machine being infected with ransomware.Why is this Significant?This is significant because CVE-2022-30190 is a Windows vulnerability that has no available patch and is being abused in the field. The current attack campaign delivers Qakbot to victim's machine. While final payload has not been identified nor reported, often Qakbot infection leads to ransomware deployed to the compromised machine. A publicly available report suggests Black Basta ransomware was deployed through Qakbot.What is CVE-2022-30190?CVE-20022-30190, also known as Follina, is a vulnerability in Microsoft Support Diagnostic Tool, which uccessful exploitation allows an attacker to run arbitrary code with the privileges of the calling application. FortiGuard Labs previously released Outbreal Alert and Threat Signal on CVE-2022-30190. See the Appendix for links to "MSDT Follina" and "Follina: 0-day Windows MSDT Vulnerability (CVE-2022-30190) Exploited In The Wild".How does the Current Qakbot Campaign Work?Reportedly, malicious emails arrive with an HTML attachment. Opening the HTML attachment downloads and saves a .zip file that an inner IMG file inside. The IMG file contains a DLL, a Word document, and a .LNK file. The DLL is a Qakbot variant which the link file will execute. Alternatively, the Word file will download and execute a remote HTML file, which has a script to abuse CVE-2022-30190, which then download and execute a Qakbot variant. What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against available samples associated with the current Qakbot campaign that abuses CVE-2022-30190:W32/Qbot.DM!trMSOffice/CVE_2021_40444.A!tr LNK/Agent.BD!trHTML/CVE_2022_30190.A!trRegarding IPS coverage, the following signature will detect the retrieval of remote HTML files that contain the MSDT command:MS.Office.MSHTML.Remote.Code.Execution.Known network IOCs for CVE-2022-30190 are blocked by the WebFiltering client.FortiEDR will provide protection from exploitation of this vulnerability and subsequent post-exploitation activity. See the Appendix for a link to "Technical Tip: How FortiEDR protects against CVE-2022-30190 'Follina' Microsoft Office protocol vulnerability" for more information.Th FortiGuard Content Disarm and Reconstruction (CDR) service can detect the attack in real-time and prevent it by disarming the "oleobject" data from Microsoft Office files. | Threat Ransomware Guideline Vulnerability | ||
|
2022-05-24 13:32:10 | Cobalt Strike Delivered Through Fake Proof-of-Concept Code (lien direct) | FortiGuard Labs is aware of a report that a Cobalt Strike beacon was attempted to be delivered through a couple of fake Proof-of-Concept (POC) codes hosted on GitHub. The files pretend to be POCs for CVE-2022-26809 and CVE-2022-24500. They have already been removed from GitHub.Why is this Significant?This is significant because the attack targeted researchers, pen testers and infosec teams in organizations to deliver Cobalt Strike beacons, which will most likely be used to deliver malware such as ransomware.What is CVE-2022-26809?CVE-2022-26809 is a remote procedure call runtime remote code execution vulnerability that affects wide variety of Windows OS that includes Windows 7, 8, 10, 11, Windows Server 2008, 2012, 2016, 2019 and 2022. Assigned a CVSS score of 9.8, successfully exploiting the vulnerability allows an attacker to execute remote code with high privileges on a vulnerable system, leading to a full compromise. The vulnerability was patched as part of Patch Tuesday April 2022.FortiGuard Labs previously released Threat Signal on CVE-2022-26809. See the Appendix for a link to "Microsoft Released Advisory on a Critical Remote Code Execution Vulnerability in RPC (CVE-2022-26809)".What is CVE-2022-24500?CVE-2022-24500 is a Windows SMB remote code execution vulnerability that affects Windows 7, 8, 10, 11 and Windows Server 2008, 2012, 2019 and 2022. The vulnerability has a CVSS score of 8.8, and was patched as part of Patch Tuesday April 2022.The Microsoft advisory states that "For vulnerability to be exploited, a user would need to access a malicious SMB server to retrieve some data as part of an OS API call. This vulnerability requires that a user with an affected version of Windows access a malicious server. An attacker would have to host a specially crafted server share or website. An attacker would have no way to force users to visit this specially crafted server share or website, but would have to convince them to visit the server share or website, typically by way of an enticement in an email or chat message".What is Status of Coverage?FortiGuard Labs detect the fake POCs with the following AV coverage:PossibleThreatAll network IOC's are blocked by the WebFiltering client. | Threat Malware Guideline Vulnerability | ||
|
2022-04-15 10:35:40 | Microsoft Released Advisory on a Critical Remote Code Execution Vulnerability in RPC (CVE-2022-26809) (lien direct) | FortiGuard Labs is aware that Microsoft released a patch and advisory for a critical remote code execution vulnerability in Remote Procedure Call Runtime Library as part of the April Patch Tuesday. Assigned CVE-2022-26809 and a CVSS score of 9.8, successfully exploiting the vulnerability allows an attacker to execute remote code with high privileges on a vulnerable system, leading to a full compromise.Why is this Significant?This is significant because CVE-2022-26809 is rated by Microsoft as "critical" and "Exploitation More Likely" because of its impacts on all supported Windows products and due to the trivial nature of the vulnerability. Because of the potential impact that the vulnerability has, Microsoft released security updates for Windows 7, which reached end-of-life in January 2020. Also, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory urging users and administrators to apply the patch or apply the recommended mitigations.What is CVE-2022-26809?CVE-2022-26809 is a critical remote code execution vulnerability in Remote Procedure Call Runtime Library. The Microsoft advisory states "To exploit this vulnerability, an attacker would need to send a specially crafted RPC call to an RPC host. This could result in remote code execution on the server side with the same permissions as the RPC service," which allows the attacker to take control of an affected system.Is CVE-2022-26809 being Exploited in the Wild?At the time of this writing, the vulnerability is not reported nor observed to have been exploited in the wild.Has Microsoft Released a Patch for CVE-2022-26809?Yes, Microsoft released a patch on April 12th, 2022 as part of the April MS Tuesday. Due to the potential impact the vulnerability has, Microsoft also released security updates for Windows 7, which is no longer supported.What is the Status of Coverage?FortiGuard Labs has released the following IPS signature in version 20.297:MS.Windows.RPC.CVE-2022-26809.Remote.Code.Execution (default action is set to pass)What Mitigation Steps are Available?Microsoft has provided the following mitigation steps in the advisory:Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:1. Block TCP port 445 at the enterprise perimeter firewallTCP port 445 is used to initiate a connection with the affected component. Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. This can help protect networks from attacks that originate outside the enterprise perimeter. Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks. However, systems could still be vulnerable to attacks from within their enterprise perimeter.2. Follow Microsoft guidelines to secure SMB trafficFor the Microsoft guidelines on how to secure SMB traffic, see the Appendix for a link to "Secure SMB Traffic in Windows Server". | Guideline Vulnerability | ||
|
2022-04-14 19:54:44 | Incomplete Fix for Apache Struts 2 Vulnerability (CVE-2021-31805) Amended (lien direct) | FortiGuard Labs is aware that the Apache Software Foundation disclosed and released a fix for a potential remote code execution vulnerability (CVE-2021-31805 OGNL Injection vulnerability ) that affects Apache Struts 2 on April 12th, 2022. Apache has acknowledged in an advisory that the fix was issued because the first patch released in 2020 did not fully remediate the issue. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also released an advisory on April 12th, 2022, warning users and administrators to review the security advisory "S2-062" issued by Apache and upgrade to the latest released version as soon as possible. Why is this Significant?This is significant because Apache Struts is widely used and successfully exploiting CVE-2021-31805 could result in an attacker gaining control of a vulnerable system. Because of the potential impact, CISA released an advisory urging users and administrators to review the security advisory "S2-062" issued by Apache and upgrade to the latest released version as soon as possible.On the side note, an older Struts 2 OGNL Injection vulnerability (CVE-2017-5638) was exploited in the wild that resulted in a massive data breach of credit reporting agency Equifax in 2017.What is Apache Struts 2?Apache Struts 2 is an open-source web application framework for developing Java web applications that extends the Java Servlet API to assist, encourage, and promote developers to adopt a model-view-controller (MVC) architecture.What is CVE-2021-31805?CVE-2021-31805 is an OGNL injection vulnerability in Struts 2 that enables an attacker to perform remote code execution on a vulnerable system. The vulnerability was originally assigned CVE-2020-17530, however CVE-2021-31805 was newly assigned to the vulnerability as some security researchers found a workaround for the original patch released in 2020.The vulnerability is described as "some of the tag's attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation."What Versions of Apache Struts are Vulnerable to CVE-2021-31805?Struts 2.0.0 - Struts 2.5.29 are vulnerable.Struts 2.0.0 and 2.5.29 were released in 2006 and 2022 respectively. Has the Vendor Released a Patch for CVE-2021-31805?Yes, Apache released a fixed version (2.5.30) of Apache Struts 2 on April 12th, 2022.Users and administrators are advised to upgrade to Struts 2.5.30 or greater as soon as possible.Has the Vendor Released an Advisory?Yes, Apache released an advisory on April 12th, 2022. See the Appendix for a link to "Security Bulletin: S2-062".What is the Status of Coverage?FortiGuard Labs provides the following IPS coverage for CVE-2020-17530, which applies for CVE-2021-31805:Apache.Struts.OGNL.BeanMap.Remote.Code.Execution | Data Breach Guideline Vulnerability | Equifax Equifax | |
|
2022-03-31 09:58:02 | SpringShell (Spring4Shell) : New Unpatched RCE Vulnerability in Spring Core Framework (lien direct) | FortiGuard Labs is aware that an alleged Proof-of-Concept (POC) code for a new Remote Code Execution (RCE) vulnerability in Spring Core, part of the popular web open-source framework for Java called "Spring," was made available to the public (the POC was later removed). Dubbed SpringShell (Spring4Shell), CVE-2022-22965 has been assigned to the vulnerability and an emergency fix was released on March 31st, 2022.Why is this Significant?This is significant because Spring Core is part of Spring Framework, one of the most popular JAVA frameworks used in the field and is very popular for enterprise applications. As such, wide exploitation of the vulnerability can impact users globally if the security update is not applied.What is the Vulnerability Detail?An insecure de-serialization exists in Spring Core Framework. The vulnerability is due to insufficient validation of user supplied inputs and could lead to remote code execution.The official advisory reads "A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it".Has the Vendor Released an Advisory?An advisory has been published by both Spring and VMware, who supports Spring. See the Appendix for a link to "Spring Framework RCE, Early Announcement" and "CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+".What Versions of Spring Core are Vulnerable?The official advisory states that the following prerequisites for the exploit:JDK 9 or higherApache Tomcat as the Servlet containerPackaged as a traditional WAR (in contrast to a Spring Boot executable jar)spring-webmvc or spring-webflux dependencySpring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versionsHas a CVE been Assigned to the Vulnerability?CVE-2022-22965 has been assigned to the vulnerability.There is a lot of online chatter about SpringShell being related to CVE-2022-22963 or CVE-2022-27772, but that is not the case.CVE-2022-22963 is a vulnerability in Spring Cloud and was patched on March 29, 2022.CVE-2022-27772 is a vulnerability in Spring Boot that allows temporary directory hijacking.Has the Vendor Released a Patch?Yes, the fix was released on March 31, 2022 for the following versions of Spring Framework:5.3.185.2.20What is the Status of Coverage?FortiGuard Labs provides the following AV coverage based on available SpringShell POCs:Python/SpingShell.A!exploitFortiGuard Labs is currently investigating for IPS coverage. This Threat Signal will be updated when coverage becomes available. | Threat Guideline Vulnerability | ||
|
2022-03-10 23:39:03 | APT41 Compromised Six U.S. State Government Networks (lien direct) | FortiGuard Labs is aware of a report that threat actor APT41 compromised at least six networks belonging to U.S. state governments between May 2021 and February 2022. To gain a foothold into the victim's network, the threat actor used a number of different attack vectors: exploiting vulnerable Internet facing web applications and directory traversal vulnerabilities, performing SQL injection, and conducting de-serialization attacks. The intent of APT41 appears to be reconnaissance, though how the stolen information is to be used has not yet been determined.Why is this Significant? This is significant because at least six U.S. state government systems were broken into and data exfiltration was performed by APT41 as recent as February 2022 In addition, a zero-day vulnerability in the USAHerds application (CVE-2021-44207) as well as Log4j (CVE-2021-44228), among others, were exploited in the attacksWhat's the Detail of the Attack?APT41 performed several different ways to break into the targeted networks.In one case, the group exploited a SQL injection vulnerability in a Internet-facing web application. In another case, a then previously unknown vulnerability (CVE-2021-44207) in USAHerds, which is a web application used by agriculture officials to manage animal disease control and prevention, livestock identification and movement. Also, APT41 reportedly started to exploit the infamous Log4j vulnerability (CVE-2021-44228) within hours of Proof-of-Concept (PoC) code becoming available. Patches for both vulnerabilities are available. Once successful in breaking into the victim's network, the threat actor performed reconnaissance and credential harvesting activities. What is APT41?APT41 is a threat actor who has been active since at least 2012. Also known as TA415, Double Dragon, Barium, GREF and WickedPanda, the group reportedly performs Chinese state-sponsored espionage activities. APT41 targets organizations in multiple countries across a wide range of industries, such as telecommunications, industrial and engineering and think tanks. In 2020, five alleged members of the group were charged by the U.S. Justice Department for hacking more than 100 companies in the United States.What are the Tools Used by APT41?APT41 is known to use the following tools:ASPXSpy - web shell backdoorBITSAdmin - PowerShell cmdlets for creating and managing file transfers.BLACKCOFFEE - backdoor that disguise its communications as benign traffic to legitimate websites certutil - command-line utility tool used for manipulating certification authority (CA) data and components.China Chopper - web shell backdoor that allows attacker to have remote access to an enterprise networkCobalt Strike - a commercial penetration testing tool, which allows users to perform a wide range of activitiesDerusbi - DLL backdoorEmpire - PowerShell post-exploitation agent, which provides a wide range of attack activities to usersgh0st RAT - Remote Access Trojan (RAT)MESSAGETAP - data mining malware Mimikatz - open-source credential dumpernjRAT - Remote Access Trojan (RAT)PlugX - Remote Access Trojan (RAT)PowerSploit - open-source, offensive security framework which allows users to perform a wide range of activitiesROCKBOOT - BootkitShadowPad - backdoorWinnti for Linux - Remote Access Trojan (RAT) for LinuxZxShell - Remote Access Trojan (RAT)Badpotato - open-source tool that allows elevate user rights towards System rightsDustPan - shellcode loader. aka StealthVectorDEADEYE - downloaderLOWKEY - backdoorKeyplug - backdoorWhat are Other Vulnerabilities Known to be Exploited by APT41?APT41 exploited the following, but not restricted to, these vulnerabilities in the past:CVE-2020-10189 (ManageEngine Desktop Central remote code execution vulnerability)CVE-2019-19781 (Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance)CVE-2019-3396 (Atlassian Confluence Widget Connector Macro Velocity Template Injection)CVE-2017-11882 (Microsoft Office Memory Corruption Vulnerability)CVE-2017-0199 (Microsoft Office/WordPad Remote Code Execut | Threat Malware Guideline Tool Vulnerability | APT 41 APT 15 APT 15 | |
|
2022-02-16 16:54:16 | Active Exploitation Against Adobe Commerce and Magento Through CVE-2022-24086 (lien direct) | FortiGuard Labs is aware of reports that Magento Open Source and Adobe Commerce are actively being targeted and exploited through CVE-2022-24086. This vulnerability can lead to remote code execution (RCE) on an exploited server which means an attacker will be able to execute arbitrary commands remotely. The vulnerability is rated as Critical by Adobe and has CVSS score of 9.8 out of 10.Why is this Significant?Since Magento and Adobe Commerce are very popular E-commerce platform across the globe, this can potentially impact a high number of online shoppers. Moreover, the attack complexity needed to carry out a successful attack has been deemed relatively low/easy and no extra privileges/permissions are required to execute this attack. A successful attack can result in the total loss of confidentiality, integrity and availability of the information and resources stored in the exploited server.In addition, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2022-24086 to the Known Exploited Vulnerabilities to Catalog, which lists vulnerabilities that "are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise." What is CVE-2022-24086?Adobe classifies CVE-2022-24086 as a vulnerability that stems from "improper input validation." Without properly sanitizing input from a user, the input can be modified so that it executes arbitrary commands on the exploited server.What Versions of Adobe Commerce and Magento are Prone to CVE-2022-24086?The vulnerability exists for Adobe Commerce 2.4.3-p1 and earlier versions, as well as 2.3.7-p2 and earlier versions. For Adobe Commerce 2.3.3 and below, this vulnerability does not exist. The vulnerability exists for both Adobe Commerce and Magento Open Source versions 2.3.3-p1 to 2.3.7-p2 and from 2.4.0 to 2.4.3-p1.Is the Vulnerability Exploited in the Wild?FortiGuard Labs has been made aware of exploits being used in the wild for this vulnerabilityHas the Vendor Released a Fix?Yes. Adobe has released patches for all versions from 2.3.3-p1 to 2.3.7-p2 and from 2.4.0 to 2.4.3-p1.What is the Status of Coverage?Proof-of-Concept (POC) code is not available at the time of this writing and as such, no coverage is available.FortiGuard Labs is actively looking for additional information and will update this Threat Signal when protection becomes available. | Threat Guideline Vulnerability | ||
|
2022-01-12 18:27:37 | Wormable Windows Vulnerability (CVE-2022-21907) Patched by Microsoft (lien direct) | FortiGuard Labs is aware that a total of 96 vulnerabilities were patched by Microsoft on January 11th, 2022 as part of regular MS Patch Tuesday. In those vulnerabilities, CVE-2022-21907 (HTTP Protocol Stack Remote Code Execution Vulnerability) is one of the nine vulnerabilities that are rated critical. In the advisory, Microsoft warned that CVE-2022-21907 is wormable and "recommends prioritizing the patching of affected servers".Why is this Significant?This is significant because CVE-2022-21907 is considered wormable as such malware can exploit the vulnerability to self-propagate without any user interaction nor elevated privilege. CVE-2022-21907 targets the HTTP trailer support feature that is enabled by default in various Windows 10 and 11 versions, as well as Windows Server 2022. The vulnerability also has a CVSS score of 9.8 (max score 10).What is CVE-2022-21907?CVE-2022-21907 is a remote code execution vulnerability in HTTP protocol stack (http.sys). HTTP.sys is a legitimate Windows component that is responsible for parsing HTTP requests. An unauthenticated attacker could craft and send a malicous packet to an affected server utilizing the HTTP Protocol Stack (http.sys) to process packets, which leads to remote code execution.Which Versions of Windows are Vulnerable?Per the Microsoft advisory, the following Windows versions are vulnerable:Windows Server 2019Windows Server 2022Windows 10Windows 11Note that the HTTP trailer support feature is inactive by default in Windows Server 2019 and Windows 10 version 1809. As such, they are not vulnerable unless the feature is enabled.Is the Vulnerability Exploited in the Wild?FortiGuard Labs is not aware of CVE-2022-21907 being exploited in the wild at the time of this writing.Has the Vendor Released a Fix?Yes. Microsoft released a fix for CVE-2022-21907 on January 11th, 2022 as part of regular Patch Tuesday.What is the Status of Coverage?FortiGuard Labs is currently investigating protection and will update this Threat Signal once coverage information becomes available.Any Mitigation?Microsoft provided the following mitigation in the advisory:In Windows Server 2019 and Windows 10 version 1809, the the HTTP Trailer Support feature that contains the vulnerability is not active by default. The following registry key must be configured to introduce the vulnerable condition:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\"EnableTrailerSupport"=dword:00000001This mitigation does not apply to the other affected versions. | Threat Malware Guideline Patching Vulnerability | ||
|
2021-12-07 15:08:56 | NICKEL - Targeting Organizations Across Europe, North America, and South America (lien direct) | FortiGuard Labs is aware of reports relating to NICKEL, a state sponsored group targeting varying interests in Europe, North and South America. NICKEL is a state sponsored group operating out of China and is targeting governmental organizations, diplomatic groups and non governmental organizations in 29 countries.NICKELs' modus operandi is the usage of exploits on unpached systems to compromise vulnerable systems and their unpatched services. Observed exploits used by NICKEL included the exploitation of services such as Microsoft Exchange, Microsoft SharePoint, and Pulse Secure VPN. Microsoft filed pleadings with the United States District Court of Eastern Virginia on December 2nd to seize control of servers used by NICKEL.What are the Technical Details?NICKEL malware variants use Internet Explorer COM interfaces to receive instructions from predefined command and control (C2) servers. The malware will then connect to the web-based C2 servers to check for a specific string located on these servers. Once confirmed, the malware will decode a Base64 encoded blob that will load shellcode for further exploitation.NICKEL malware is capable of capturing system information such as the IP address, OS version, system language, computer name and username of the current signed in user. It also contains backdoor functionality to execute commands and to upload and download files. NICKEL then uses the stolen and compromised credentials of the targeted victim to login to Microsoft 365 accounts via browser logins to exfiltrate victim emails for further damage.What Other Names is NICKEL Known As?According to Microsoft - NICKEL is also known as APT15, APT25, and Ke3Chang.Is this Limited to Targeted Attacks?Yes. Attacks are limited to varying targets in specific countries and verticals.What Countries were Targeted?They are:Argentina, Barbados, Bosnia and Herzegovina, Brazil, Bulgaria, Chile, Colombia, Croatia, Czech Republic, Dominican Republic, Ecuador, El Salvador, France, Guatemala, Honduras, Hungary, Italy, Jamaica, Mali, Mexico, Montenegro, Panama, Peru, Portugal, Switzerland, Trinidad and Tobago, United Kingdom, United States of America, and Venezuela.What is the Status of Protections?FortiGuard Labs provides the following AV coverage used in this campaign as:W32/Staser.COFE!trW32/Staser.CBQX!trW32/NetE.VH!trW32/BackDoor.U!trAll network IOC's are blocked by the FortiGuard WebFiltering client.Any Other Suggested Mitigation?Because it has been reported that NICKEL obtains access via unpatched and vulnerable systems, It is important to ensure that all known vendor vulnerabilities are addressed and updated to protect from attackers having a foothold within a network. Attackers are well aware of the difficulty of patching and if it is determined that patching is not feasible at this time, an assessment should be conducted to determine risk.Also - organizations are encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spear phishing attacks. They also need to encourage employees to never open attachments from someone they don't know, and to always treat emails from unrecognized/untrusted senders with caution. Since it has been reported that various phishing and spear phishing attacks have been delivered via social engineering distribution mechanisms, it is crucial that end users within an organization be made aware of the various types of attacks being delivered. This can be accomplished through regular training sessions and impromptu tests using predetermined templates by an organizations' internal security department. Simple user awareness training on how to spot emails with malicious attachments or links could also help prevent initial access into the network. | Malware Guideline Patching | APT 15 APT 25 | ★★★★ |
|
2021-11-19 10:21:31 | Memento Group Exploited CVE-2021-21972, Hid Five Months to Deploy Ransomware (lien direct) | FortiGuard Labs is aware of a report that a new adversary carried out an attack using a Python-based ransomware called "Memento." The Memento attackers are reported to have taken advantage of a remote code execution vulnerability in a VMWare vCenter Server plugin (CVE-2021-21972) as a initial attack vector. The group started to exploit the vulnerability in April, then stayed in the network until they deployed ransomware to the victim's network upon completion of their data exfiltration. Why is this Significant?This is significant because the attacker was able to stay in the victim's network for more than 5 months after they gained initial access to the network by exploiting CVE-2021-21972. Because of the severity of the vulnerability, CISA released an alert on February 24th, 2021 to urge admins to apply the patch as soon as possible. What is CVE-2021-21972?CVE-2021-21972 is a remote code execution vulnerability in a VMWare vCenter Server plugin. This vulnerability is due to improper handling of the request parameters in the vulnerable application. A remote attacker could exploit this vulnerability by uploading a specially crafted file to the targeted server. Successful exploitation of this vulnerability could lead to arbitrary code execution on the affected system. CVE-2021-21972 has a CVSS (Common Vulnerability Scoring System) score of 9.8 and affects the following products:vCenter Server 7.0 prior to 7.0 U1cvCenter Server 6.7 prior to 6.7 U3lvCenter Server 6.5 prior to 6.5 U3n For more details, see the Appendix for a link to the VMware advisory "VMSA-2021-0002". Has the Vendor Released a Patch for CVE-2021-21972?Yes, VMWare released a patch for CVE-2021-21972 in February 2021. What's the Details of the Attack Carried Out by Memento Group?According to security vendor Sophos, the attacker gained access to the victim's network in April 2021 by exploiting the vulnerability CVE-2021-21972. In May, the attacker deployed the wmiexec remote shell tool and the secretsdump hash dumping tool to a Windows server. Wmiexec is a tool that allows the attacker to remotely execute commands through WMI (Windows Management Instrumentation). Secretsdump is a tool that allows the attacker to extract credential material from the Security Account Manager (SAM) database. The attacker then downloaded a command-line version of the WinRAR and two RAR archives containing various hacking tools used for reconnaissance and credential theft to the compromised server. After that, the adversary used RDP (Remote Desktop Protocol) over SSH to further spread within the network. In late October, after successfully staying low for 5 months, the attacker collected files from the compromised machines and put them in an archive file using WinRAR for data exfiltration. Then the attacker deployed the initial variant of the Memento ransomware to the victim's network, but the file encryption process was blocked due to the anti-ransomware protection. The attack then switched its ransom tactic by putting the victim's files into password-protected archive files instead of encrypting them. What is Memento Ransomware?Memento is a Python-based ransomware used by the Memento group. The first Memento variant simply encrypts files in the compromised machine. The second variant does not involve file encryption. It collects files from the compromised machine and puts them into password-protected files. What is the Status of Coverage?FortiGuard Labs provides the following AV coverage for the available samples used in the attack:W32/KeyLogger.EH!tr.spyPossibleThreat.PALLASNET.HRiskware/MinerRiskware/ImpacketRiskware/MimikatzRiskware/Secretdmp FortiGuard Labs provides the following IPS coverage for CVE-2021-21972?VMware.vCenter.vROps.Directory.Traversal Other Workaround? VMWare provided workaround for CVE-2021-21972. See Appendix for a link to "Workaround Instructions for CVE-2021-21972 and CVE-2021-21973 on VMware vCenter Server (82374)". | Ransomware Guideline Tool Vulnerability |
1
We have: 15 articles.
We have: 15 articles.
To see everything:
Our RSS (filtrered)
