What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2022-11-30 16:30:12 | Aurora Infostealer Sold on Darknet and Telegram (lien direct) | FortiGuard Labs is aware of a report that a new infostealer named "Aurora" is being offered for sale on the darkweb and Telegram. The infostealer was allegedly developed by a threat actor who previously developed the Aurora botnet. Aurora infostealer is capable of stealing data from compromised machines as well as downloading and executing remote files.Why is this Significant?This is significant because Aurora is a new Malware-as-a-Service (MaaS) infostealer reportedly advertised in darknet and telegram sites. Aurora not only steals information from compromised machines but also deploys additional malware. According to outside reports, several active threat actors are using Aurora infostealer. What is Aurora Infostealer?Aurora is a Go-based infostealer that targets web browsers, cryptocurrency related browser extensions, cryptocurrency wallets in compromised machines for data exfiltration. Aurora is also capable of downloading and executing remote files, which can be used for deployment of additional malware.The reported infection vector is luring users to install fake software promoted in bogus cryptocurrency and free software web sites. What is the Status of Protection?FortiGuard Labs provide the following AV signatures against known Aurora infostealer samples:W32/Agent.IE!trW32/PossibleThreatReported network IOCs associated with Aurora infostealer are blocked by the Webfiltering client. | Threat | ★★ | |
|
2022-11-21 22:09:06 | Alert (AA22-321A): #StopRansomware: Hive Ransomware (lien direct) | FortiGuard Labs is aware of that the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) released a joint advisory for Hive ransomware as part of their #StopRansomware effort. Hive ransomware is a Ransomware-as-a-Service (RaaS) consisting of developers and affiliates. It attempts to steal data, encrypt files on victims' machines, and demand ransom recover affected files and prevent stolen data from being published to their data leak site, called "HiveLeaks," on the DarkWeb.Why is this Significant?This is significant because Hive is a Ransomware-as-a-Service (RaaS) that, according to the advisory, has victimized more than 1,300 enterprises globally and extorted 100 million US dollars. The group has been active since June 2021 and did not only target private enterprises but also essential industries such as government organizations and healthcare services. What is Hive Ransomware?Hive is a Ransomware-as-a-Service (RaaS) consisting of two groups: developers and affiliates. Hive developers create, maintain, and update Hive ransomware and infrastructures such date leak site named "HiveLeaks" and negotiant site. Hive affiliates are responsible for finding and infecting victims, exfiltrating files, and deploying Hive ransomware to the victims' network.The latest Hive ransomware iterations are written in the Rust programing language. Older variants are written in Go.Reported initial infection vectors include emails, exploiting vulnerabilities such as CVE-2020-12812, CVE-2021-31207, CVE-2021-34473 and CVE-2021-34523.Hive ransomware encrypts files on victims' machines and typically appends a ".hive" file extension to the affected files. It also drops a ransom note named "HOW_TO_DECRYPT.txt", which instructs victims to visit a negotiation site on TOR.The advisory states that Hive ransomware is known to victimize organizations that were previously infected with Hive ransomware and recovered without paying ransom.What is the Status of Protection?FortiGuard Labs provides the following AV signatures for recent Hive ransomware samples that we collected:W32/Filecoder_Hive.A!tr.ransomW32/Filecoder_Hive.B!tr.ransomW32/Hive.4a4e!tr.ransomW32/Hive.B0FF!tr.ransomW32/Hive.d10e!tr.ransomW32/Hive.FD38!tr.ransomW64/Filecoder.AW!tr.ransomW64/Filecoder_Hive.A!tr.ransomW64/Filecoder_Hive.B!tr.ransomW64/Hive.31ec!tr.ransomW64/Hive.6bcb!tr.ransomW64/Hive.71de!tr.ransomW64/Hive.7cec!tr.ransomW64/Hive.933c!tr.ransomW64/Hive.A!trW64/Hive.B0FF!tr.ransomW64/Hive.c2e4!tr.ransomW64/Hive.e550!tr.ransomW64/Hive.ea51!tr.ransomW32/Filecoder.507F!tr.ransomW32/Agent.0b0f!tr.ransomW32/Agent.32a5!tr.ransomW32/Agent.65e3!tr.ransomW32/Agent.69ce!tr.ransomW32/Agent.6d49!tr.ransomW32/Agent.7c49!tr.ransomW64/Agent.U!trAll network IOCs on the advisory are blocked by Webfiltering.FortiGuard Labs provides the following IPS signatures for the vulnerabilities reportedly exploited as initial infection vector by Hive threat actors:MS.Exchange.MailboxExportRequest.Arbitrary.File.Write (CVE-2021-31207)MS.Exchange.Server.Autodiscover.Remote.Code.Execution (CVE-2021-34473)MS.Exchange.Server.Common.Access.Token.Privilege.Elevation (CVE-2021-34523) | Ransomware Threat | ★★★ | |
|
2022-11-21 22:06:09 | Joint CyberSecurity Advisory on a U.S. Federal Agency Breached by Iranian Threat Actors (lien direct) | FortiGuard Labs is aware of a joint advisory (AA22-320A) issued by Cybersecurity and Infrastructure security Agency (CISA) and the Federal Bureau of Investigation (FBI) on November 16, 2022. The advisory is related to an Iranian government-sponsored campaign where threat actors breached an unnamed U.S. federal agency and deployed a crypto miner and a hacktool to the compromised network.Why is this Significant?This is significant because threat actors backed by the Iranian government compromised a U.S. federal agency and deployed XMRig (crypto miner) and Mimikatz (a post-exploit tool used for credential harvesting).In February 2022, Iranian threat actors reportedly compromised a federal government agency by exploiting CVE-2021-44228, also known as Log4Shell, in an unpatched VMware Horizon server. This signifies the importance of timely patching of vulnerable systems.How did the Attack Occur?The initial infection vector was exploitation of CVE-2021-44228 (Log4Shell) in a vulnerable VMware Horizon server. Once the attacker got a foot in the door to the victim's network, the attacker downloaded and installed XMRig (mining software for Monero cyrptocurrency) after excluding the victim's C:\ drive from scanning by Windows Defender. The attacker leveraged RDP to move laterally to other systems on the victim's network, deployed PsExec (a free Microsoft tool execute processes on other systems) and Mimikatz (an open-source tool for credential harvesting) and implanted Ngrok (a dual use tunneling tool). Also, the attacker accessed the domain controller and retrieved a list of machines that belong to the domain furthering compromise.What is CVE-2021-44228 (Log4Shell)?CVE-2021-44228 is a remote code execution vulnerability in the popular Java-based logging utility Log4j2. The vulnerability was disclosed to the public by Apache in early December, however Proof-of-Concept (PoC) code for CVE-2021-44228 was believed to be available earlier.FortiGuard Labs previously released Outbreak Alert and Threat Signal for CVE-2022-44228. See the Appendix for a link to "Outbreak Alert: Apache Log4j2 Vulnerability" and "Apache Log4J Remote Code Execution Vulnerability (CVE-2021-44228)".What is the Status of Coverage? FortiGuard Labs detects the malicious files in the advisory that are available with the following AV signatures:Riskware/CoinMinerPossibleThreatAll reported network IOCs in the advisory are blocked by Webfiltering.FortiGuard Labs has IPS coverage in place for CVE-2021-44228 (Log4Shell):Apache.Log4j.Error.Log.Remote.Code.Execution | Tool Vulnerability Threat Patching | ★★★ | |
|
2022-11-21 22:02:17 | APT Billbug Victimized Asian Certification Authority and Government Agencies (lien direct) | FortiGuard Labs is aware of a report that APT group "Billbug" compromised a certificate authority (CA) as well as multiple government and defense organizations in Asia. Also known as Lotus Blossom and Thrip, the APT group reportedly has been active since 2009 and uses custom backdoor malware "Hannotog" and "Sagerunex" as well as available tools in compromised machines.Why is this Significant?This is significant because Billbug APT threat actor group targeted a certificate authority (CA). Should digital certificates be compromised, the attacker could use them to sign malware for detection evasion by security solutions and eavesdrop on HTTPS communications.Also, the reports indicate that multiple organizations in government and defense sectors in Asia were compromised by Billbug APT. What is Billbug APT?Billbug, Lotus Blossom and Thrip, is a threat actor that has been reportedly active since at last 2009 and has interests in U.S. organizations as well as government, defense, and communications organizations in Southeast Asia. Their primary motive is thought to be information espionage.Billbug APT employs living-off-the-land techniques and uses custom malware. The tools that were reportedly used by Billbug APT are the following:Hannotog backdoorSagerunex backdoorAdFindCertutilLogMeInMimikatzNBTscanPingPort ScannerPowerShellPsExecRouteTracertWinmailWinRARWinSCPWhat is the Status of Coverage?FortiGuard Labs detects the files in the report with the following AV signatures:W32/Agent.QTP!trW32/Elsentric.J!trW32/Generic.A!trW32/PossibleThreatW64/Agentb.F!trW64/Agent.LF!trW64/Elsentric.E!trW64/Elsentric.G!trMalicious_Behavior.SBPossibleThreat.PALLAS.HRiskware/Kryptik | Malware Threat | ★★★★ | |
|
2022-11-15 18:55:38 | Path Traversal Vulnerability (CVE-2022-0902) in ABB Flow Computer and Remote Controllers (lien direct) | FortiGuard Labs is aware a path-traversal vulnerability (CVE-2022-0902) that affects ABB Totalflow flow computers and remote controllers widely used by oil and gas utility companies. Successfully exploiting the vulnerability allows an attacker to inject and execute arbitrary code. The vulnerability is a path-traversal vulnerability in ABB Totalflow flow computers and remote controllers.Why is this Significant?This is significant because the new vulnerability (CVE-2022-0902) affects ABB TotalFlow flow computers and remote controllers widely used by oil and gas utility companies. ABB TotalFlow is used to calculate oil and gas volume and flow rates and is also used for billing and other purposes.By successfully exploiting the vulnerability, an attacker may be able to hinder affected oil and gas companies' abilities to correctly measure oil and gas flow, which may lead to safety issues and interruption of business.What is CVE-2022-0902?CVE-2022-0902 is a path-traversal vulnerability (CVE-2022-0902) in ABB TotalFlow flow computers and remote controllers. The vulnerability allows an attacker to gain access to restricted directories in ABB flow computers leading to arbitrary code execution in an affected system node.CVE-2022-0902 has a CVSS score of 8.1.What Products are Affected by the Vulnerability?According to the advisory issued by ABB, the following products are affected by the vulnerability:• RMC-100• RMC100L ITE• XIO• XFCG5• XRCG5• uFLOG5• UDCAll versions of the products without the latest update are vulnerable to CVE-2022-0902.Is CVE-2022-0902 being Exploited in the Wild?FortiGuard Labs is not aware that CVE-2022-0902 is exploited in the wild.Has the Vendor Released an Advisory?Yes. Please see the Appendix for a link to "ABB Flow Computer and Remote Controllers Path Traversal Vulnerability in Totalflow TCP protocol can lead to root access CVE ID: CVE-2022-0902".Has the Vendor Released a Patch?Yes, the vendor released a firmware update.What is the Status of Protection?FortiGuard Labs is currently investigating protection for CVE-2022-0902. We will update this Threat Signal when protection becomes available.Any Suggested Mitigation?The advisory issued by ABB includes mitigation and workarounds information. See the Appendix for a link to "ABB Flow Computer and Remote Controllers Path Traversal Vulnerability in Totalflow TCP protocol can lead to root access CVE ID: CVE-2022-0902". | Vulnerability Threat Guideline | ||
|
2022-11-02 11:17:06 | Azov "Ransomware" Wiper (lien direct) | FortiGuard Labs is aware of a new ransomware variant called "Azov". Reason why this ransomware variant is in quotations is because although it has the hallmarks of ransomware, it is considered a data wiper. This is because there is no way to recover the encrypted data and/or get in touch with the threat actors.After encryption, the note left behind to the victim, "RESTORE_FILES.txt," references well known OSINT researchers on Twitter. The note falsely reports that victims should get in touch with said researchers to request keys for decryption:#####!Azov ransomware!Hello, my name is hasherezade.I am the polish security expert.To recover your files contact us in twitter:@hasherezade@VK_Intel@demonslay335@malwrhunterteam@LawrenceAbrams@bleepincomputer[Why did you do this to my files?]I had to do this to bring your attention to the problem.Do not be so ignorant as we were ignoring Crimea seizure for years.The reason the west doesn't help enough Ukraine.Their only help is weapons, but no movements towards the peace!Stop the war, go to the streets!Since when that Z-army will be near to my Polska country.The only outcome is nuclear war.Change the future now!Help Ukraine, come to the streets!We want our children to live in the peaceful world.--------------------------------------------------Biden doesn't want help Ukraine.You people of United States, come to the streets, make revolution!Keep America great!Germany plays against their own people!Du! Ein mann aus Deutschland, komm doch, komm raus!Das ist aber eine Katastrophe, was Biden zu ihnen gemacht hat.Wie war das schoen, wenn Merkel war da?---------------------------------------------------#TaiwanIsChina#####How is Azov Being Distributed?Reports are that Azov is being dropped by SmokeLoader. Further reports as well reveal that Azov is being distributed on various pirated software, etc. sites as well.So if Files are Encrypted, why is this Referred to as a Wiper?This is because files are not recoverable and there are no instructions or contact information provided to the victim. Essentially files are rendered inoperable because there are no known decryption keys available.Is Decryption Possible?There are no known decryption keys or tools available at this time.What is the Status of Coverage?FortGuard Labs has AV coverage in place for Azov as:W64/AzovWiper.BVMK!tr.ransomW64/Generik.BVMK!tr.ransom | Ransomware Threat | ||
|
2022-11-01 16:54:25 | OpenSSL Release (3.0.7) (lien direct) | Today, the OpenSSL Project released a new version of OpenSSL (v3.0.7). Last week's early announcement indicated at first this was a CRITICAL vulnerability and included a fix for it. There was various chatter that this recent disclosure could be potentially similar to HEARTBLEED , but after today's announcement the issue was downgraded from CRITICAL to HIGH.Two vulnerabilities were disclosed, both are X.509 Email Address Buffer Overflows, and are vulnerable to denial of service attacks and the other, remote code execution.Why is this Significant?This is significant because the critical vulnerability exists in OpenSSL which is a widely adopted cryptographical toolkit used to achieve secure communications over the internet. Past critical vulnerabilities in OpenSSL resulted in remote code execution and information leaks, where the highest profile disclosure was HeartBleed back in 2014. What are the Details of the Critical Vulnerability in OpenSSL?Disclosed today by OpenSSL are two vulnerabilities:CVE-2022-3602 - X.509 Email Address 4-byte Buffer Overflow A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution.CVE-2022-3786 - X.509 Email Address Variable Length Buffer Overflow A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the `.' character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service).Are there Reports of Exploitation in the Wild?According to OpenSSL, no.What is the CVE Assignment for the Vulnerability?CVE-2022-3602 and CVE-2022-3786 have been assigned to these vulnerabilities.What is the CVSS score?According to OpenSSL, they do not provide CVSS scores.What is the Status of Protection?There is no information available to allow FortiGuard Labs to investigate protection. We are monitoring the situation closely and will update this Threat Signal when protection information becomes available. For further information on products affected by this latest disclosure, please reference the OpenSSL3 critical vulnerability from Fortinet PSIRT in the Appendix section.Any Recommended Mitigation?OpenSSL suggests users operating TLS servers may consider disabling TLS client authentication, if it is being used, until fixes are applied. FortiGuard Labs highly recommends organizations utilizing OpenSSL update OpenSSL to version 3.0.7. | Vulnerability Threat | ||
|
2022-10-19 18:12:29 | Newly Disclosed Vulnerability in Apache Commons Text Alllows for RCE (CVE-2022-42889) (lien direct) | FortiGuard Labs is aware of reports of a recent vulnerability in Apache Commons, which allows for remote code execution. Assigned, CVE-2022-42889, Apache Commons Text prior to 1.10.0 allows remote code execution (RCE) when applied to untrusted input due to insecure interpolation defaults.What are the Details of this Vulnerability?According to Apache, version 1.5 and 1.9 of Apache Commons are affected. Apache Commons suffers from default Lookup instance where included interpolators could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers.Applications using the defalts in versions 1.5 and 1.9 may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the default interpolators.Have there been Reports of Exploitation in the Wild?No. There have been no instances reported in the wild according to Apache. This is likely due to unique niche setups and the specific parameters required to successfully exploit this vulnerability.What is the CVSS Score?9.8 CRITICALThere are Reports that this is Similar to Log4Shell, hence the Designation #Text4Shell. Along with the CVSS Score of 9.8 is there Reason for Concern?Reports of this issue appear to be minimal, with no evidence at this time of active exploitation or wide install base similar to the Log4Shell event. This is due to the niche usage of Apache Commons and specific parameters that must be passed to successfully leverage this vulnerability. A small subset of open source programs have been observed using the parameters but those that are do not accept user defined parameters, which should limit the amount of exploitation attempts.Any Recommended Mitigation?It is suggested to upgrade to Apache Commons Text 1.10.0 as soon as time permits. If this is not possible, it is suggested that all internet facing sites running vulnerable versions of Apache Commons Text are put behind a firewall or removed from the public facing internet.What is the Status of AV/IPS Coverage?IPS signature development is currently being investigated and this Threat Signal will be updated when relevant information is available. | Vulnerability Threat | ||
|
2022-10-07 15:32:01 | CISA Advisory on Vulnerabilities Actively Exploited By Threat Actors Supported by China (lien direct) | On October 6, 2022, the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI) released a joint advisory that has a list of the most exploited vulnerabilities since 2020 by threat actors sponsored by China. The list includes 20 vulnerabilities across 13 vendors that were used against the U.S. and its allies.Why is this Significant?This is significant because the list contains vulnerabilities that are known to be exploited by Chinese threat actors. Patches and workarounds should be applied to the vulnerabilities as soon as possible.What Vulnerabilities are on the List?The list includes the following vulnerabilities:CVE-2022-26134: Atlassian Confluence Remote Code Execution Vulnerability via OGNL InjectionCVE-2022-24112: APISIX Admin API default access token Remote Code Execution VulnerabilityCVE-2022-1388: F5 BIG-IP iControl REST Authentication Bypass VulnerabilityCVE-2021-44228: Apache Log4j Error Log Remote Code Execution VulnerabilityCVE-2021-42237: Sitecore XP Insecure Deserialization Remote Code Execution VulnerabilityCVE-2021-41773: Apache HTTP Server Path Traversal VulnerabilityCVE-2021-40539: Zoho ManageEngine ADSelfService Plus RESTAPI Authentication Bypass VulnerabilityCVE-2021-36260: Hikvision Product SDK WebLanguage Tag Command Injection VulnerabilityCVE-2021-27065: Microsoft Exchange Server CVE-2021-27065 Remote Code Execution VulnerabilityCVE-2021-26858: Microsoft Exchange Server CVE-2021-26858 Remote Code Execution VulnerabilityCVE-2021-26857: Microsoft Exchange Server CVE-2021-26857 Remote Code Execution VulnerabilityCVE-2021-26855: Microsoft Exchange Server ProxyRequestHandler Remote Code Execution VulnerabilityCVE-2021-26084: Atlassian Confluence CVE-2021-26084 Remote Code Execution VulnerabilityCVE-2021-22205: GitLab Community and Enterprise Edition Remote Command Execution VulnerabilityCVE-2021-22005: VMware vCenter Analytics Service Arbitrary File Upload VulnerabilityCVE-2021-20090: Buffalo WSR2533DHP Arbitrary Directory Traversal VulnerabilityCVE-2021-1497: Cisco HyperFlex HX Auth Handling Remote Command Execution VulnerabilityCVE-2020-5902: F5 BIG-IP Traffic Management User Interface Directory Traversal VulnerabilityCVE-2019-19781: Citrix ADC and Gateway Directory Traversal VulnerabilityCVE-2019-11510: Pulse Secure SSL VPN HTML5 Information DisclosureWhat is the Status of Protection?FortiGuard Labs has the following IPS protection in place for the vulnerabilities listed in the CISA advisory:Atlassian.Confluence.OGNL.Remote.Code.Execution (CVE-2022-26134)APISIX.Admin.API.default.token.Remote.Code.Execution (CVE-2022-24112)F5.BIG-IP.iControl.REST.Authentication.Bypass (CVE-2022-1388)Apache.Log4j.Error.Log.Remote.Code.Execution (CVE-2021-44228)Sitecore.XP.Insecure.Deserialization.Remote.Code.Execution (CVE-2021-42237)Apache.HTTP.Server.cgi-bin.Path.Traversal (CVE-2021-41773)Zoho.ManageEngine.ADSelfService.Plus.Authentication.Bypass (CVE-2021-40539)Hikvision.Product.SDK.WebLanguage.Tag.Command.Injection (CVE-2021-36260)MS.Exchange.Server.CVE-2021-27065.Remote.Code.Execution (CVE-2021-27065)MS.Exchange.Server.CVE-2021-26858.Remote.Code.Execution (CVE-2021-26858)MS.Exchange.Server.UM.Core.Remote.Code.Execution (CVE-2021-26857)MS.Exchange.Server.ProxyRequestHandler.Remote.Code.Execution (CVE-2021-26855)Atlassian.Confluence.CVE-2021-26084.Remote.Code.Execution (CVE-2021-26084)GitLab.Community.and.Enterprise.Edition.Command.Injection (CVE-2021-22205)VMware.vCenter.Server.Analytics.Arbitrary.File.Upload (CVE-2021-22005)Arcadyan.Routers.images.Path.Authentication.Bypass (CVE-2021-20090)Cisco.HyperFlex.HX.Auth.Handling.Command.Injection (CVE-2021-1497)F5.BIG.IP.Traffic.Management.User.Interface.Directory.Traversal (CVE-2020-5902)Citrix.Application.Delivery.Controller.VPNs.Directory.Traversal (CVE-2019-19781)Pulse.Secure.SSL.VPN.HTML5.Information.Disclosure (CVE-2019-11510) | Vulnerability Threat | ||
|
2022-10-02 22:04:17 | Vulnerable Microsoft Exchange Servers Actively Scanned for ProxyShell (lien direct) | FortiGuard Labs is aware of a report that Microsoft Exchange servers are actively being scanned to determine which ones are prone to ProxyShell. ProxyShell is an exploit attack chain involving three Microsoft exchange vulnerabilities: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207. When used in chain on a vulnerable Microsoft Exchange server, the attack allows the attacker to remotely run malicious code on the targeted system as a result. Microsoft patched all three vulnerabilities as part of Microsoft Patch Tuesday in April and May 2021.When was the Issue Disclosed?Security researcher Orange Tsai presented ProxyShell at the recent BlackHat, DefFon and the Pwn2Own contest.Were CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207 Disclosed as Part of the ProxyShell presentation?No, Microsoft disclosed CVE-2021-31207 in May and CVE-2021-34473 and CVE-2021-34523 in July as part of Patch Tuesday.How Significant is ProxyShell?MEDIUM-HIGH. While ProxyShell allows remote code execution on the compromised machine, patches are available for all three vulnerabilities, which lower the severity. According to security researcher Kevin Beaumont in relation to CVE-2021-34473, "about 50% of internet exposed boxes aren't patched yet," which somewhat raises severity.What is the Workflow of ProxyShell?In simple workflow, the attacker first exploits CVE-2021-34473 (Microsoft Exchange Server Remote Code Execution Vulnerability) on the vulnerable Microsoft Exchange server to gain Exchange backend access. Then CVE-2021-34523 (Microsoft Exchange Server Elevation of Privilege Vulnerability) is used to gain admin privilege, then CVE-2021-31207 (Microsoft Exchange Server Security Feature Bypass Vulnerability) is used to perform remote code execution.Has Microsoft released a patch for the vulnerabilities?Yes. Microsoft released a patch for CVE-2021-31207 in May.While CVE-2021-34473 and CVE-2021-34523 were disclosed in July 2021, Microsoft released a patch in April 2021 without disclosing them.Has any Malware been Deployed as a Result of the ProxyShell Exploit Attack Chain?FortiGuard Labs is not aware of any malware being deployed to the affected servers. However, earlier in the year, DearCry ransomware was delivered to the machines that were compromised using another Microsoft Exchange server exploit chain "ProxyLogon". As such, ransomware payload off ProxyShell is always a possibility. FortiGuard Labs is closely monitoring the situation and will update this Threat Signal when actual payload becomes available.What is the Status of Coverage?FortiGuard Labs provides the following IPS coverage against CVE-2021-34473:MS.Exchange.Server.Autodiscover.Remote.Code.ExecutionFortiEDR detects and blocks ProxyShell attacks out of the box without any prior knowledge or special configuration beforehand. Currently, there is not enough information available for us to develop protection for CVE-2021-31207 and CVE-2021-34523. FortiGuard Labs is closely monitoring the situation and will update this Threat Signal when additional coverage becomes available.Any Other Suggested Mitigation?Disconnect vulnerable Exchange servers from the internet until a patch can be applied.Due to the ease of disruption and potential for damage to daily operations, reputation, and unwanted release of personally identifiable information (PII), etc., it is important to keep all AV and IPS signatures up to date. It is also important to ensure that all known vendor vulnerabilities within an organization are addressed, and updated to protect against attackers establishing a foothold within a network. | Ransomware Malware Threat | ||
|
2022-10-02 22:03:46 | Brand New LockFile Ransomware Distributed Through ProxyShell and PetitPotam (lien direct) | FortiGuard Labs is aware of reports that previously unseen ransomware "LockFile" is being distributed using ProxyShell and PetitPotam. The attacker gains a foothold into the victim's network using ProxyShell, then uses PetitPotam to gain access to the domain controller which then enables them to deploy the LockFile ransomware onto the network.What is The Issue?A new ransomware dubbed LockFile is being distributed using ProxyShell and PetitPotam, which Microsoft recently released fixes for. Proof-of-Concept code for ProxyShell is publicly available as such attacks are getting increasingly popular.How does the Attack Work?The attacker gains a foothold into the victim's network using ProxyShell, then uses PetitPotam to gain access to the domain controller, which then enables the release of the LockFile ransomware onto the network.What is ProxyShell and PetitPotam?ProxyShell is a name for a Microsoft Exchange exploit chain (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) that allows the attacker to bypass ACL controls, elevate privileges and execute remote code on the compromised system.PetitPotam (CVE-2021-36942) is a NTLM (NT LAN Manager) relay attack that allows the attacker to take control of a Windows domain with the Active Directory Certificate Service (AD CS) running.FortiGuard Labs previously posted Threat Signals on ProxyShell and PetitPotam. See the Appendix for the links to the relevant Threat Signals.Are the Patches Available for ProxyShell and PetitPotam?Three vulnerabilities that consists ProxyShell are already patched as the following: CVE-2021-34473 and CVE-2021-34523: Microsoft released a patch as part of April 2021 MS Tuesday.CVE-2021-31207: Microsoft released a patch as part of May 2021 MS Tuesday.CVE-2021-36942 is dubbed PetitPotam and is patched by Microsoft as part of August 2021 MS Tuesday.Microsoft has also provided mitigation for PetitPotam. See the Appendix for a link to "KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services".What is LockFile ransomware?LockFile is a previously unseen ransomware that first appeared in late July, 2021.Just like any other ransomware, LockFile encrypts files on the compromised system, asks the victim to access the attacker's onion site and demands ransom in order to recover the encrypted files.What is the Status of Coverage?FortiGuard Labs have the following AV coverage against the attack:W64/KillProc.M!trW32/Agent.QH!exploitW32/PetitPotam.A!exploitRiskware/KernelDrUtil.ERiskware/KDUFortiGuard Labs have the following IPS coverage against ProxyShell and PetitPotam:MS.Exchange.Server.Autodiscover.Remote.Code.ExecutionMS.Windows.Server.NTLM.Relay.Spoofing (initial action is set to "pass")FortiEDR detects and blocks Proxyshell attacks out of the box without any prior knowledge or special configuration beforehand. All known network IOC's are blocked by the FortiGuard WebFiltering Client.Any Other Suggested Mitigation?Due to the ease of disruption and potential for damage to daily operations, reputation, and unwanted release of personally identifiable information (PII), etc., it is important to keep all AV and IPS signatures up to date. It is also important to ensure that all known vendor vulnerabilities within an organization are addressed, and updated to protect against attackers establishing a foothold within a network. | Ransomware Threat | ||
|
2022-10-02 22:02:34 | New Threat Actor Leverages ProxyShell Exploit to Serve Ransomware (lien direct) | FortiGuard Labs is aware of a report that a new threat actor, "Tortillas," is leveraging the ProxyShell exploit to deliver ransomware. Based on the traits, the ransomware served by tortillas appears to be a Babuk ransomware variant. ProxyShell consists of three Microsoft Exchange vulnerabilities (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) used in a chain that enables the attacker to remotely run malicious code on the targeted system as a result. The security flaws were patched by Microsoft in April and May 2021. Why is this Significant?This is significant because a previously undocumented threat actor "tortillas" is now taking advantage of the Proxyshell exploit chain to deliver a ransomware. While Microsoft released a fix for all three vulnerabilities used in ProxyShell in April and May 2021, more and more threat actors have since adopted ProxyShell in their attacks. In late August of this year, Lockfile ransomware was delivered through the ProxyShell and PetitPotam vulnerabilities. In September, the Conti ransomware gang reportedly added ProxyShell to their modus operandi.FortiGuard Labs previously released two Threat Signals associated with ProxyShell. See the Appendix for a link to "Vulnerable Microsoft Exchange Servers Actively Scanned for ProxyShell" and "Brand New LockFile Ransomware Distributed Through ProxyShell and PetitPotam."What is the Ransomware that is Deployed by Tortillas in this Attack?The deployed ransomware appears to be a Babuk ransomware variant based on traits. For example, this particular ransomware adds .babyk file extension, typical of Babuk ransomware, to the files it encrypts. FortiGuard Labs also observed that this malware shares similar mutexes to Babuk.The Babuk variant also steals data as part of a double extortion tactic. Upon encrypting the files and stealing data from the compromised machine, the Babuk variant instructs the victim to pay US $10,000 worth of Monero cryptocurrency to the attacker's wallet address for file decryption and for not releasing the stolen data to the public.What is the Tortillas Threat Actor?Tortillas appears to be a new threat actor whose activities have not been previously documented. FortiGuard Labs will monitor the threat actor and provide updates if any significant activities are observed.Has Microsoft Released a Patch for ProxyShell?Yes. Microsoft released a patch for CVE-2021-31207 in May. While CVE-2021-34473 and CVE-2021-34523 were disclosed in July 2021, Microsoft released a patch in April 2021 without disclosing them.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage for the Babuk variant sample used in this attack:MSIL/Agent.JBV!trFortiGuard Labs provide the following IPS coverage for this attack:MS.Exchange.Server.Autodiscover.Remote.Code.ExecutionMS.Exchange.MailboxExportRequest.Arbitrary.File.WriteMS.Exchange.Server.Common.Access.Token.Privilege.ElevationFortiEDR detects and blocks ProxyShell attacks out of the box without any prior knowledge or special configuration beforehand.All known network IOC's related to this threat are blocked by the FortiGuard WebFiltering Client. | Ransomware Malware Threat | ||
|
2022-09-29 20:51:28 | Possible New Microsoft Exchange RCE 0-day Being Exploited in the Wild (lien direct) | Note: This is a breaking news event. All information and updates related to this event will be updated once relevant information is available. FortiGuard Labs is aware of reports that an unpatched Microsoft Exchange vulnerability is being exploited in the wild. It is a Remote Command Execution (RCE) vulnerability, as such successful exploitation could allow an attacker to execute remote commands on affected Microsoft Exchange servers. At the time of this writing, patches and CVE assignments are not available. Also, Microsoft has not commented or confirmed that this is a zero day vulnerability.Why is this Significant?This is significant because this is likely a new unpatched Remote Command Execution (RCE vulnerability). Successful exploitation could allow an attacker to execute remote commands on affected Microsoft Exchange servers. Microsoft Exchange is widely used in Enterprise and an unpatched vulnerability poses a serious threat to many organizations worldwide.When was the Vulnerability Discovered?On September 28, 2022, GTSC (security vendor) published a blog on an unpatched Microsoft Exchange vulnerability which was leveraged in an attack against an unnamed critical infrastructure. Has Microsoft Released a Patch for the Vulnerability?At the time of this writing (September 29, 2022), Microsoft has not released a patch for the vulnerability.Has the Vendor Released an Advisory for the Vulnerability?No, Microsoft has not released an advisory at the time of this writing (September 29, 2022). Microsoft has yet to confirm that this is a new zero-day or vulnerability.What is the Status of Coverage?FortiGuard Labs is closely monitoring the situation and will update this Threat Signal once protections are available. All network IOCs on the GTSC blog are blocked by the WebFiltering client.What Mitigation Steps are Available?GTSC provided potential detection and mitigation information in their blog. Note that those detection and mitigation have not been verified by FortiGuard Labs. For additional information, see the Appendix for a link to "WARNING: NEW ATTACK CAMPAIGN UTILIZED A NEW 0-DAY RCE VULNERABILITY ON MICROSOFT EXCHANGE SERVER". | Vulnerability Threat | ||
|
2022-09-28 18:22:41 | BlackCat Uses Updated Infostealer Tools with File Corruption Capability (lien direct) | FortiGuard Labs is aware of a report the infamous BlackCat ransomware group has updated their infostealer tools. Dubbed Exmatter and Eamfo, the former is a data exfiltration tool which a newer version has a code for file corruption and the latter is a credential lifter for Veeam, which is backup software.Why is this Significant?This is significant because Blackcat is one of the active Ransomware-as-a-Service (RaaS) providers and their newly updated data exfiltration tool "Exmatter" is now capable of making processed files unusable.What is BlackCat?BlackCat, (also known as ALPHV and Noberus), is a relatively new Ransomware-as-a-Service (RaaS) and a ransomware variant with the same name. As a RaaS provider, it develops and offers various tools including ransomware, and recruits affiliates for corporate intrusions, encrypting files on the victim's network and stealing confidential files from it for financial gain. BlackCat ransomware is written in the Rust programming language.FortiGuard Labs previously released Threat Signal on Blackcat. See the Appendix for a link to "Meet Blackcat: New Ransomware Written in Rust on the Block". What is Exmatter?According to security vendor Symantec, Exmatter is a data exfiltration tool that was previously used by a BlackMatter ransomware affiliate. The tool is designed to steal various Microsoft Office files (Word, Excel and PowerPoint) as well as image, email and archive files. It supports FTP, SFTP and WebDav for file transfer of exfiltrated information. The newer version has code to corrupt files.What is Eamfo?Eamfo is a tool to steal credentials from Veeam backup software.What is the Status of Protection?FortiGuard Labs detects reported Exmatter and Eamfo tools with the following AV signatures:MSIL/Agent.DRB!trMSIL/Agent.DRB!tr.spyMSIL/Agent.7AAD!trW32/Crypt!trW32/PossibleThreatPossibleThreatPossibleThreat.PALLAS.HFortiGuard Labs has the following AV protection in place for known BlackCat ransomware:W32/Filecoder_BlackCat.A!tr.ransomW32/Ransom_Win32_BLACKCAT.YNCHH!tr.ransomW32/Ransom_Win32_BLACKCAT.YXCDU!tr.ransomW32/BlackCat.26B0!tr | Ransomware Tool Threat | ||
|
2022-09-22 14:21:04 | Joint CyberSecurity Alert (AA22-264A) Iranian Threat Actors Targeting Albania (lien direct) | The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) today released a joint Cybersecurity Advisory that highlights recent campaigns targeting the Government of Albania in July and September of this year.Attacks have been attributed to threat actors named "HomeLand Justice" and their modus operandi appears to be disruption (rendering services offline) and destruction (wiping of disk drives and ransomware style encryption). It was observed that the threat actors also maintained persistence for over a year before these attacks were carried out. Other observed attacks were the exfiltration of data such as email, credentials and lateral movement. The attacks have been attributed to the government of Iran.What are the Technical Details of this Attack?Per the Joint Advisory, the threat actors used CVE-2019-0604, which is a vulnerability in Microsoft SharePoint (public facing) to obtain initial access. The threat actor used several webshells to establish and maintain persistence. Persistence and lateral movement were then established after compromise for several months before campaign activity began.Other observations were the usage of Remote Desktop Protocol (RDP), Server Message Block (SMB) and File Transfer Protocol (FTP) to maintain access. Once this was established, the attackers then moved on and compromised the targets Microsoft Exchange servers (further details are unknown) to create a rogue Exchange account to allow for further privilege escalation via the addition of an Organization Management role. Exfiltration and compromise of the Exchange server occurred over 6-8 months where roughly 20GB of data was exfiltrated. The attackers also leveraged VPN access, using compromised accounts, where Advanced port scanner, Mimikatz and LSASS tools were used. To cap off the campaign, the threat actors finally used a file cryptor via the victim's print server via RDP which would then propagate the file cryptor internally. This targeted specific file extensions, and after encryption, leaving a note behind. Furthering damage and adding insult to injury, hours after encryption took place, the threat actor will kick off another final devastating attack. The wiping of targeted disk drives.Is this Attack Widespread?No. Attacks are targeted and limited in scope.Any Suggested Mitigation?Due to the complexity and sophistication of the attack, FortiGuard Labs recommends that all AV and IPS signatures, (including but not limited to) the update and patching of all known vulnerabilities within an environment are addressed as soon as possible. Also, providing awareness and situational training for personnel to identify potential social engineering attacks via spearphishing, SMShing, and other social engineering attacks that could allow an adversary to establish initial access into a targeted environment is recommended.What is the Status of Coverage?For publically available samples, customers running the latest AV definitions are protected by the following signatures:BAT/BATRUNGOXML.VSNW0CI22!trW32/Filecoder.OLZ!tr.ransomW32/GenCBL.BUN!trW32/PossibleThreatRiskware/Disabler.B | Ransomware Vulnerability Threat Patching | ||
|
2022-09-08 19:21:11 | New Conti Ransomware Campaign Observed in the Wild (lien direct) | FortiGuard Labs has observed a new wave of ransomware threats belonging to the Conti malware family, active in Mexico. These variants appear to target the latest Linux and ESX systems and enable the attacker to encrypt files on the victim's machine and guest virtual machines. The variants are all dynamically linked 64-bit ELF samples written in C.A similar sample to the ones in this campaign was documented previously by Trellix.Why is this Significant?This is significant because the newly observed campaign was launched by the Conti ransomware group who are known for taking encrypted files and stolen information belonging to countless companies from varying sectors hostage for profits. The group announced it plans to retaliate against western targets after the Russian invasion into Ukraine adding a political motivation on top of financial gain.This new campaign seems to be similar to the previous campaigns however, some of the samples involved have much lower detection rates at the time of this writing.What Does the Malware Do?Conti ransomware variants used in the new campaign performs activities identical to the previous ones; it encrypts files on the compromised machine and adds a ".conti" file extension to them after the threat actor exfiltrates information from victim's network. It will then demand a ransom payment from the victim in order to recover the affected files and to prevent stolen information from being released to the public.It leaves a ransom note that reads:All of your files are currently encrypted by CONTI strain. If you don't know who we are - just "Google it".As you already know, all of your data has been encrypted by our software. It cannot be recovered by any means without contacting our team directly.DONT'T TRY TO RECOVER your data by yourselves. Any attempt to recover your data (including the usage of the additional recovery software) can damage your files. However, if you want to try - we recommend choosing the data of the lowest value.DON'T TRY TO IGNORE us. We've downloaded a pack of your internal data and are ready to publich it on our news website if you do not respond. So it will be better for both sides if you contact us as soon as possible.DON'T TRY TO CONTACT feds or any recovery companies.We have our informants in these as a hostile intent and initiate the publication of whole compromised data immediatly.To prove that we REALLY CAN get your data back - we offer you to decrypt two random files completely free of charge.You can contact our team directly for further instructions through our website :TOR VERSION :(you should download and install TOR browser first https://torproject.org)http://[Removed].onion/-YOU SHOULD BE AWAREWe will speak only with an authorized person. It can be the CEO, top management, etc.In case you are not such a person - DON'T CONTACT USYour decisions and action can result in serious harm to your companyInform your supervisors and stay calmThe malware can also be run on ESX environments and has the ability to shut down and encrypt the associated virtual machines.The malware has a detailed helper dialog. This provides another indication for the fact Conti group consists of many people.What is the Status of Coverage?FortiGuard Labs provides the following AV signatures for the Conti ransomware samples observed in the new campaign:Linux/Filecoder_Conti.083E!tr.ransomLinux/Filecoder_Conti.0B97!tr.ransomLinux/Filecoder_Conti.14E3!tr.ransomLinux/Filecoder_Conti.3233!tr.ransomLinux/Filecoder_Conti.3691!tr.ransomLinux/Filecoder_Conti.3FA2!tr.ransomLinux/Filecoder_Conti.5DE1!tr.ransomLinux/Filecoder_Conti.638B!tr.ransomLinux/Filecoder_Conti.65AB!tr.ransomLinux/Filecoder_Conti.919D!tr.ransomLinux/Filecoder_Conti.BDC5!tr.ransomLinux/Filecoder_Conti.C2F5!tr.ransomLinux/Filecoder_Conti.C3D1!tr.ransomLinux/Filecoder_Babyk.H!trPossibleThreatFortiEDR blocks the Conti samples pre-execution. | Ransomware Malware Threat | ||
|
2022-09-08 19:12:07 | New Shikitega Malware Targets Linux Machines (lien direct) | FortiGuard Labs is aware of a new report of a new malware for Linux observed in the wild. Dubbed Shikitega, its attack flow involves multiple modules that are downloaded from a Command and Control (C2) server. Each module has its own purpose and is responsible for downloading and executing the next module. The goal of Shikitega is to deploy XMRig cryptominer, taking control of the compromised Linux machine. Why is this Significant?This is significant because Shikitega is a new Linux malware that is designed to take a full control of a compromised machine. It uses variety of attack arsenals: "Shikata Ga Nai" ("it cannot be helped" in Japanese) polymorphic shellcode encoder to evade detection from AV products, exploits for a couple of vulnerabilities for privilege escalation, a Metasploit meterpreter called "Mettle" that enables the attacker to perform a wide range of malicious activities on the infected machine, and XMRig cryptominer for mining Monero. What is Shikitega Malware?Shikitega is a malware that is designed to run on Linux machines and consists of small modules.The Shikitega's infection chain starts with a single dropper containing a payload obfuscated by "Shikata Ga Nai" polymorphic encoder. Once the payload is decrypted and executed, it does not only download the next module from its C2 server but also downloads another dropper module and run them. One new module is a Metasploit meterpreter called "Mettle" that allows the attacker to perform malicious activities on the infected machine such as taking a control of webcams and executing shell commands. The other module is also encoded using "Shikata Ga Nai" and is responsible for downloading another module and executing it with root privileges by exploiting two vulnerabilities (CVE-2021-4034 and CVE-2021-3493). The next module is XMrig, which is a legitimate but oft-abused cryptominer for Monero cryptocurrency. What Vulnerabilities does Shikitega Exploit?Shikitega exploits CVE-2021-4034 and CVE-2021-3493 for privilege escalation. CVE-2021-4034 is a vulnerability in the polkit packages that provide a component for controlling system-wide privileges. This component provides a uniform and organized way for non-privileged processes to communicate with privileged ones. Successful exploitation of the vulnerability an attacker with local network access to gain elevated privileges. The vulnerability has a CVSS score of 7.8 and is included in CISA's Known Exploited Vulnerabilities Catalog.CVE-2021-3493 is a flaw in the Linux kernel which the overlayfs stacking file system did not properly validate the application of file system capabilities with respect to user namespaces. Successful exploitation of the vulnerability an attacker with local network access to gain elevated privileges. The vulnerability has a CVSS score of 7.4.Are Patches Available for CVE-2021-4034 and CVE-2021-3493?Yes, both vulnerabilities have been fixed.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against available samples:PossibleThreatLinux/CVE_2021_3493.A!trLinux/CVE_2021_4034.G!trFortiGuard Labs is currently investigating additional coverage for CVE-2021-4034 and CVE-2021-3493. This Threat Signal will be updated when update becomes available. | Malware Vulnerability Threat | ||
|
2022-09-07 23:23:10 | Joint CyberSecurity Advisory on Vice Society (AA22-249A) (lien direct) | On September 6th, a joint cybersecurity advisory was issued by the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) on Vice Society ransomware group that has been active since the middle of 2021 and targets multiple industry sectors including education, healthcare, and government. The threat actor uses double extortion tactics, which victims are threatened for permanently losing encrypted files and leaking stolen data to the public should ransom payment is not made.Why is this Significant?This is significant because alleged Vice Society victims listed on the data leak site includes organizations in education, healthcare, and government sector, which are often exempted by other major ransomware groups. Of the last ten victims (as of September 7, 2022), more than half of them are in education and healthcare sectors.Once the threat actor sets foot into the victim's network, it laterally moves around the network, exfiltrates valuable information, and deploys ransomware which encrypts files on the compromised machine. The stolen data will be made available to the public, which may cause damage to the reputation of the affected companies.What is Vice Society Ransomware Group?Vice Society is a ransomware group that has been active since at least the middle of 2021 and targets both Windows and Linux systems. What's unique about this ransomware group is that it deploys third-party ransomware to its victims instead of developing its own ransomware. Such ransomware reportedly includes HelloKitty, FiveHands and Zeppelin ransomware.Below is a typical ransom note left behind by the Vice Society threat actor:As the ransom note states, deployed ransomware encrypts files on the compromised machines. Before the ransomware was pushed by the threat actor, it propagates through the victim's network using tools such as SystemBC, PowerShell Empire, and Cobalt Strike, and exfiltrate confidential information. The ransom note also provides a few contact email addresses. The threat actor puts additional pressure onto the victim by stating that stolen information will be released to the public if the victim does not email the attacker within seven days. The threat actor operates its own leak site where the threat actor lists victims and releases stolen data. The alleged victims are in many countries around the globe that include but not restricted to Argentina, Australia, Australia, Beirut, Brazil, Canada, Columbia, France, French Guiana, Germany, Greece, Indonesia, India, Italy, Kuwait, Malaysia, Netherland, New Zealand, Poland, Saudi Arabia, Singapore, Spain Sweden, Switzerland Thailand, and United Kingdom, United States.Top page of Vice Society leak siteA reported infection vector used by the Vice Society ransomware group is exploitation of vulnerabilities (CVE-2021-1675 and CVE-2021-34527) that affect Microsoft Windows Print Spooler. CVE-2021-34527 is also known as PrintNightmare, which FortiGuard Labs previously released Outbreak Alert and Threat Signal on. For more information PrintNightmare, see the Appendix for a link to "Microsoft PrintNightmare" and "#PrintNightmare Zero Day Remote Code Execution Vulnerability".Microsoft released a patch for CVE-2021-1675 and CVE-2021-34527 in June and July 2021 respectively.What is the Status of Coverage?FortiGuard Labs provides the following AV signatures against known ransomware samples used by Vice Society threat actor:W32/Buran.H!tr.ransomW32/Filecoder.OJI!trELF/Filecoder.8BB5!tr.ransomW32/Generic.AC.171!trFortiGuard Labs has the following IPS coverage in place for the "PrintNightmare" vulnerability (CVE-2021-34527) as well as CVE-2021-1675:MS.Windows.Print.Spooler.AddPrinterDriver.Privilege.EscalationAll network IOCs are blocked by the WebFiltering client. | Ransomware Vulnerability Threat | ||
|
2022-08-22 20:09:54 | Widespread Redlnk Malware Hides Its Code In .NET Metadata (lien direct) | FortiGuard Labs has found an active and widespread attack campaign that distributes a malware it dubs "RedInk", using the RegAsm.exe LOLBIN for execution and sandbox Evasion. The attack is carried out in three stages, in which the final stage, acting as both Remote Access Trojan (RAT) and botnet component, is installed on the victim's machine. What is this Significant?This is significant because FortiGuard Labs observed widespread distribution of Redlnk malware in an ongoing campaign. The final payload observed is a Remote Access Trojan (RAT) that enables a remote attacker to take control of the victim's machine.How Widespread is the Campaign?We have observed more than 3,600 unique samples of the first stage, with new samples being constantly served to evade detection from security solutions. FortiGuard Labs observed Redlnk malware distributed to Canada, Australia, the UK, and Japan. How does the Attack Work?While the initial infection vector has not been found, FortiGuard Labs observed the first stage malware were downloaded from the internet.The campaign's first stage is a 6 KB small .NET loader, manipulated to be able to run properly only using Regasm.exe. Some of the samples of the first stage found (from 3600 in total) hide part of the crucial malicious logic inside the metadata of the file: By using this way, the base64 encoded data isn't part of the .NET strings of the file and enables the attacker to partially evade detection.The aforementioned samples are compiling the following code at runtime (decoded from the "AssemblyDescription" base64) in order to download the next payload: The next stage we observed, called "loader.dll" by the attackers, is mainly used to kill the previous stage and load the next stage, encrypted, using a randomly generated AES key, from the server. The third stage, called "client.core" is a fully fledged malicious toolkit, functioning as both RAT and botnet component, able to install VNC on the victim to enable remote control of the computer by the attacker. Why Can only Regasm.exe Run the Redlnk Malware?RedInk doesn't have a standard DLL entry point, but rather a "ComUnregisterFunction", which rundll does not call, but RegAsm (T1218.009) does. This technique is useful both for sandbox evasion (T1497) and to bypass application control (UAC - T1548.002). What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against the malware samples used in the campaign:• MSIL/Cerbu.CA89!tr• MSIL/Dropper.E5B0!tr• MSIL/GenericKDZ.5CA8!tr• MSIL/Tedy.1448!tr• W32/Dloader.X!tr• W32/PossibleThreat• MSIL/Asbit.C!trAll network IOCs associated with this attack are blocked by the WebFiltering client.FortiEDR blocks the first stage of RedInk upon the initiation of a network connection: FortiEDR Threat Hunting customers can additionally query for it using the following query:Source.Process.Name:Regasm.exe AND Source.Process.CommandLine:*.txt* | Malware Threat | ||
|
2022-08-19 16:26:25 | SEABORGIUM APT Group Targets NATO Members and European Countries (lien direct) | FortiGuard Labs is aware of a report published by Microsoft of a threat actor named "SEABORGIUM", which the vendor attributed to Russia, that targeted organizations in NATO member countries as well as in Northern and Eastern Europe for espionage. Also referred as Callisto, TA446 and COLDRIVER, the threat actor has been active since 2015 and reportedly used a spyware developed by infamous HackingTeam in their earlier campaigns.Why is this Significant?This is significant because the "SEABORGIUM" threat actor has been active since 2015 and reportedly targeted various industries including defense contractors, think tanks, Non-Governmental Organizations (NGOs) and Intergovernmental Organizations (IGOs) in NATO member countries as well as other European countries for espionage.What is SEABORGIUM APT Group?SEABORGIUM is a threat actor that has reportedly targeted organizations that are associated with foreign and security policy making in Europe for at least seven years. Countries of interest include NATO partner nations as well as countries in Northern, Southern and Eastern Europe. The Microsoft blog indicates that the APT group targeted Ukraine's public sector prior to the ongoing Russo-Ukrainian war.The SEABORGIUM APT threat actor is also known as Callisto Group (Callisto), COLDRIVER, TA446, and is potentially related to Gamaredon Group.Infection tactics of SEABORGIUM include credential phishing attacks, sending a Word doc attachment with malware embedded or malicious macros, and sending emails with themes that the target is likely interested in; also establishing relationships on Social Networking Service (SNS), all presumably for email credential theft. The stolen credentials allow the threat actor to gain access to the victim's mailbox and exfiltrate information. The attacker also is believed to set up email rules in the victim's mailboxes that automatically forward incoming messages to the attacker's email address for data gathering.In earlier campaigns, the SEABORGIUM APT group is believed to have used the Scout implant from Galileo, one of the Remote Control Systems (RCS) developed by the infamous Italy based HackingTeam. The Scout agent sends victim's machine information and screen captures to the attacker's infrastructure.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage for the samples believed to be related with the SEABORGIUM APT group:W32/Agent.AAAI!trW32/Agent.AACX!trW32/Trojan.I!trPDF/Agent.A9BA!trVBA/Agent.ADO!trAll network IOCs associated with this attack are blocked by the WebFiltering client. | Malware Threat | ★★★ | |
|
2022-08-19 16:25:45 | Joint CyberSecurity Advisory on Vulnerabilities in Zimbra Collaboration (CISA-MS-ISAC) (lien direct) | On August 16th, a joint cybersecurity advisory was issued by the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) on vulnerabilities in Zimbra Collaboration that is actively leveraged in the field by threat actors. The advisory covers five CVEs: CVE-2022-24682, CVE-2022-27924, CVE-2022-27925, CVE-2022-37042, and CVE-2022-30333.Why is this Significant?This is significant because the vulnerabilities in Zimbra Collaboration Suite called out in the advisory (CVE-2022-24682, CVE-2022-27924, CVE-2022-27925, CVE-2022-37042, and CVE-2022-30333) are leveraged in real attacks by threat actors, and as such relevant patches should be applied as soon as possible.Zimbra Collaboration, formerly known as Zimbra Collaboration Suite, is a cloud-based email, calendaring, and groupware solution developed by Synacor and is widely used worldwide. According to its Web site, Zimbra is used in more than 140 countries and over 1,000 government and financial institutions.How Widespread are the Attacks Leveraging the Vulnerabilities?While there is no information available as to how widespread the attacks are, wide adoption of Zimbra Collaboration is a high exploitation target for any threat actor.What are the Vulnerabilities Exploited in the Field?The advisory states a total of five vulnerabilities are exploited in the wild.CVE-2022-24682CVE-2022-24682 is a cross-site scripting (XSS) vulnerability in Zimbra Webmail. The vulnerability affects all versions of Zimbra 8.8.15 and was exploited as a zero-day. Remote attackers can leverage the vulnerability to run an arbitrary web script within the session of the connected Zimbra user.CVE-2022-27924CVE-2022-27924 is a memcache command injection vulnerability that impacts Zimbra Collaboration 8.8.15 and 9.0. Successful exploitation allows a remote attacker to steal email login credentials in plain text from Zimbra Collaboration without any user interaction.CVE-2022-27925CVE-2022-27925 is an arbitrary file upload vulnerability that affects Zimbra Collaboration 8.8.15 and 9.0. By leveraging the vulnerability, an authenticated remote attacker can upload arbitrary files to an arbitrary location on the vulnerable system. The advisory states that CVE-2022-27925 was observed to have been exploited in conjunction with CVE-2022-37042.CVE-2022-37042CVE-2022-37042 is an authentication bypass vulnerability that impacts Zimbra Collaboration 8.8.15 and 9.0. Successful exploitation allows an unauthenticated attacker to upload arbitrary files to an arbitrary location on the vulnerable system and leads to remote code execution. The advisory states that CVE-2022-37042 was observed to have been exploited in conjunction with CVE-2022-27925.CVE-2022-30333CVE-2022-30333 is a path traversal vulnerability that affects Linux and Unix versions of RARLAB UnRAR before version 6.12. Successfully exploiting the vulnerability allows an attacker to drop files to an arbitrary location on a vulnerable system during the unpacking operation.Has the Vendor Released a Patch?Yes. A patch is available for all vulnerabilities. For more details, see the Appendix for a link to "Zimbra Collaboration - Security Vulnerability Advisories" and "RARLAB".What is the Status of Coverage?FortiGuard Labs has the following IPS coverage in place against the exploitation of the vulnerabilities:Zimbra.Collaboration.Calendar.Reflected.XSS (CVE-2022-24682)Zimbra.Collaboration.Mboximport.Unrestricted.File.Upload (CVE-2022-27925 and CVE-2022-37042)FortiGuard Labs is investigating coverage for CVE-2022-27924 and CVE-2022-30333, and will update this threat signal once any relevant updates are available. | Vulnerability Threat Guideline | ★★ | |
|
2022-08-19 16:24:48 | Joint Cybersecurity Advisory on Zeppelin Ransomware (AA22-223A) (lien direct) | On August 11, 2022, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on Zeppelin ransomware. The alert provides insight into the tactics, techniques, and procedures (TTPs) along with indicators of compromise used by Zeppelin threat actors. Zeppelin has been operating since 2019 and has targeted organizations across multiple industries as well as critical infrastructure sectors.What is Zeppelin ransomware?Zeppelin is a Delphi-based ransomware and is run as a Ransomware-as-a-Service (RaaS). First reports of Zeppelin ransomware goes back as far as December 2019. Some reports suggest that Zeppelin ransomware originates from the Vegaslocker and Buran strains.According to the CISA advisory, Zeppelin ransomware's infection vectors include RDP exploitation, leveraging vulnerabilities in popular FireWall products and phishing emails. Once a threat actor compromises the victim's network, it steals sensitive information from the victim before starting the file encryption process. Zeppelin ransomware typically adds a ".zeppelin" file extension to the affected files, however other files extensions used were observed. After files are encrypted, the victim is presented with a ransom note that is typically named "!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT" containing attacker's contact information (email, Jabber, ICQ or Telegram) as well as a ransom message. Zeppelin victims are threatened that encrypted files will not be recovered, and stolen information will be released to the public if the ransom is not paid.Ransom note from a recent Zeppelin ransomware sampleThe advisory also states that threat actors ran Zeppelin ransomware more than once on the compromised network in some cases, which resulted in multiple decryption keys being required for file decryption.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against known Zeppelin ransomware variants:W32/Zeppelin.FBFD!tr.ransomW32/Buran.H!tr.ransomW32/Agent.H!tr.ransomW32/Filecoder_Buran.J!tr.ransomW32/Kryptik.GOGY!trW32/Kryptik.HIMG!trW32/Kryptik.HJEK!trW32/Generic.AC.171!trW64/Agent.EQ!trW32/Neshta.EW32/CoinMiner.NBX!trW32/PossibleThreatRiskware/Application | Ransomware Threat | ★★ | |
|
2022-08-10 11:45:56 | Microsoft Patch Tuesday Fixed 0-day Arbitrary Code Execution Vulnerability (CVE-2022-34713) (lien direct) | Microsoft has released 141 security fixes for this month's August 2022 release. Besides the usual security fixes, there was a zero-day of note:CVE-2022-34713: This is a vulnerability in Microsoft Support Diagnostic Tool (MSDT). Microsoft confirmed in their advisory that the vulnerability was exploited in the wild as a zero-day. CVE-2022-34713 is an arbitrary code execution (ACE) vulnerability, which requires user interaction. As such an user need to open a specifically crafted file or visit a specially designed Web site to be exploited. This has a CVSS score of 7.8 and is rated important.Why is this Significant?This is significant as Microsoft observed CVE-2022-34713 was exploited as a 0-day in the wild. Because the exploitation requires user interaction, an attacker likely uses social engineering to get users to open a specifically crafted file or visit a specially designed Web site for exploitation.How Widespread is the Attack that Leverages CVE-2022-34713?At this time, there is no information available as to how widespread the attack is. However, since the vulnerability was publicly disclosed, attacks that leverage CVE-2022-34713 may increase.Also, a similar vulnerability in MSDT (CVE-2022-30190, also known as Follina) that was patched in June 2022 by Microsoft is widely exploited in the wild. This is another indicator that likelihood of CVE-2022-34713 exploitation will likely increase.FortiGuard Labs previously released a Threat Signal for CVE-2022-30190 (Follina). See the Appendix for a link to "Follina: 0-day Windows MSDT Vulnerability (CVE-2022-30190) Exploited In The Wild".Is there Any Other Vulnerability in the August Patch Tuesday that Requires Attention?Microsoft also released a patch for another vulnerability in MSDT (CVE-2022-35743). While the vulnerability was not reported nor observed to have been exploited in the wild, the Microsoft advisory states that exploitation is likely to occur. As such a patch for CVE-2022-35743 should also be applied as soon as possible. This has a CVSS score of 7.8 and is rated important.Has Microsoft Released Security Advisories for CVE-2022-34713?Yes, Microsoft has issued an advisory for the vulnerability. See the Appendix for a link to "CVE-2022-34713: Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability".Has Microsoft Released a Patch for CVE-2022-34713?Yes, Microsoft has released a patch for CVE-2022-34713 on August 9th, 2022 as part of regular MS Tuesday for the month.What is the Status of Coverage?FortiGuard Labs is investigating coverage, and will update this threat signal once any relevant updates are available. | Tool Vulnerability Threat | ||
|
2022-08-10 11:45:31 | New Ransomware "Roadsweep" Used Against Albania (lien direct) | FortiGuard Labs is aware of a report that Roadsweep ransomware was used against the Albanian government. Other malware Chimneysweep backdoor and ZeroCleare wiper malware were potentially used in the attack.Why is this Significant?This is significant because a new ransomware was reportedly used against the Albanian government, a member of the North Atlantic Treaty Organization (NATO). A security vendor Mandiant, with moderate confidence, attributed the attack to an unknown threat actor who supports Iran.The attack potentially involved Chimneysweep backdoor and ZeroCleare wiper malware. The former provides backdoor access to the attacker and the latter enables the threat actor to overwrite specified files, making the affected files unrecoverable.An alleged threat actor claimed responsibility for the attack on web site and telegram channel and released information supposedly belonging to the victims in Albanian government organizations on them.What is Roadsweep Malware?Roadseep is a new ransomware that encrypts files that do not have a ".exe", ".dll", ".sys", ".lnk" and ".lckon" file extension on a compromised machine and adds a ".lck" file extension to them. It drops a ransom note that contains a politically inclined message and asks the victim to make a phone call to the attacker in order to decrypt the affected files. The ransom note also includes private recovery keys. What is Chimneysweep Malware?Chimneysweep is a malware that provides the attacker a backdoor access to a compromised machine. The malware connects to its C2 server and enables the remote attacker to execute commands. Such commands include capturing screenshots, downloading and executing files, downloading and installing plugins and collecting information from the compromised machine.According to Manidant, Chimneysweeper was dropped along with non-malicious Microsoft Office files or a video file by a digitally signed Self-Extracting cab file.What is ZeroCleare Malware?ZeroCleare is a destructive malware that was previously used against Middle Eastern energy companies in mid-2019. ZeroCleare is known to abuse a legitimate third-party driver for data wiping activity and is believed to have some semblance with another wiper malware "Shamoon". According to Mandiant, a new ZeroCleare variant is capable of wiping drives specified by the attacker as opposed only wiping the system drive. That was not seen in the previous variant.This year, FortiGuard Labs published a blog on history of wiper malware that includes ZeroCleare. See the Appendix for a link to "An Overview of the Increasing Wiper Malware Threat".What is the Status of Coverage?FortiGuard Labs detect known Ransomsweep samples with the following AV signatures:W32/Filecoder.OLZ!tr.ransomW32/Filecoder.OLZ!trFortiGuard Labs provide the following AV signatures against Chimneysweep malware:W32/Chimneysweep.A!trW32/Agent.PEI!tr.spyW32/Agent.PTQ!tr.spyW32/Generic.AC.3F197DW32/PossibleThreatPossibleThreat.MU FortiGuard Labs provide the following AV signatures against ZeroCleare malware:W32/Trojan_Win64_ZEROCLEARE.SMAW32/Trojan_Win64_ZEROCLEARE.SMBW32/Agent.XACVYS!trW32/Distrack!trW32/PossibleThreatAll network IOCs are blocked by the WebFiltering client. | Ransomware Malware Threat | ||
|
2022-08-05 09:19:20 | Newly Identified Green Stone Malware Leveraging Malicious Macros in Global Campaign (lien direct) | FortiGuard Labs is aware of a campaign targeting Iranian interests, specifically in the energy sector. Dubbed Green Stone, this malware is delivered through Microsoft Excel spreadsheets containing malicious macros. The Green Stone malware is obfuscated in Base64, where the macro code contains instructions to unpack Green Stone into a temporary directory where it is then executed.What is Green Stone?Green Stone is classified as an infostealer, is persistent and will steal information from the affected machine. It will look for specific registry entries in \Microsoft\Internet Explorer\TypedURLs to look for websites that the targeted machine recently visited. Besides containing basic infostealer functionality, Green Stone also connects to Telegram to send C2 traffic through, which is likely a way to evade detection.The threat has the ability to collect information about the victim machine, take screenshots and send it to a predetermined URI. Green Stone can do the following:Scan directory hierarchiesDelete files and folders Run commandsLocate filesRename files and directoriesCopy filesand UnzipBased on our data, connections to the C2 server reveal the United States accounts for 30 percent, Brazil 15 percent and Argentina, Korea and Germany accounting for less than 2 percent of connections to the 185.162.235[.]184 IP address of the attacker. Who is Behind Green Stone?There is not enough information at this time to determine attribution.Any Other Suggested Mitigation?As it has been observed that Green Stone threat actors have used malicious Microsoft Office files, likely through social engineering and phishing techniques, it is recommended to never enable macro based documents, especially from a sender that is not recognized.Due to the ease of disruption and damage to daily operations, reputation, and unwanted release of personally identifiable information (PII), etc. it is important to keep all AV and IPS signatures up to date.It is also important to ensure that all known vendor vulnerabilities are addressed, and updated to protect from attackers having a foothold within a network. Attackers are well aware of the difficulty of patching and if it is determined that patching is not feasible at this time, an assessment should be conducted to determine risk.Also - organizations are encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spear phishing attacks. They also need to encourage employees to never open attachments from someone they don't know, and to always treat emails from unrecognized/untrusted senders with caution. Since it has been reported that various phishing and spear phishing attacks have been delivered via social engineering distribution mechanisms, it is crucial that end users within an organization be made aware of the various types of attacks being delivered. This can be accomplished through regular training sessions and impromptu tests using predetermined templates by an organizations' internal security department. Simple user awareness training on how to spot emails with malicious attachments or links could also help prevent initial access into the network.What is the Status of Coverage?Fortinet customers running the latest definitions are protected by the following (AV) signatures:WM/Agent!tr (Malicious Macro)W32/Agent.665F!tr (Green Stone)All network IOC's are blocked by the WebFiltering Client. | Malware Threat Patching | ||
|
2022-08-04 10:03:24 | Meet Woody the New Remote Access Trojan (lien direct) | FortiGuard Labs is aware of a report that a new Remote Access Trojan (RAT) called "Woody" has been lurking in the wild for the past year. Reported initial infection vectors include email attachments as well as Microsoft Word documents that leverage the recently patched Follina vulnerability (CVE-2022-30190). Once a victim is infected, Woody RAT collects and sends specific information to its Command-and-Control (C2) server and performs various activities based on the remote commands it receives.Why is this Significant?This is significant because Woody RAT reportedly was used in real world attacks over the past year, yet the malware came to light only recently. Initial infection vectors include leveraging the infamous Follina vulnerability (CVE-2022-30190) in which a patch was released on June 2022 and has been used in various attacks.What is Woody RAT?Woody is a Remote Access Trojan (RAT) that performs activities according to the remote commands it receives from its C2 server.Reported initial infection vectors include email attachments and usage of Microsoft Word that leverages the Follina vulnerability (CVE-2022-30190). In the former case, email attachments are ZIP files containing a Woody RAT executable file, which victims need to run manually to start infection process. In the latter case, victims receive weaponized Microsoft Word files which abuse the MSDT URI scheme to download and run Woody RAT. For reference, FortiGuard Labs previously released an Outbreak Alert and Threat Signal on CVE-2022-30190. See the Appendix for links to "MSDT Follina" and "Follina: 0-day Windows MSDT Vulnerability (CVE-2022-30190) Exploited in The Wild".Once Woody RAT compromises a victim's machine, it collects information such as OS, computer name and installed Anti-virus solutions and sends data to its C2 server. The RAT is capable of performing various activities on a compromised machine that include uploading and download files, listing up directories and capturing screenshots upon receiving remote commands.Has the Vendor Released a Patch for the Follina vulnerability (CVE-2022-30190) Used by Woody RAT?Yes. Microsoft released a patch as part of regular June 2022 MS Tuesday patch release.What is the Status of Coverage?FortiGuard Labs detects known Woody RAT and associated samples with the following AV signatures:W32/WoodyRAT.A!trMSOffice/Agent.AAP!trW64/Agent.OS!trW64/Reflo.WD!trMalicious_Behavior.SBPossibleThreat.PALLAS.HW32/PossibleThreatIn relation with CVE-2022-30190, the following signature will detect the retrieval of remote HTML files that contain the MSDT command:MS.Office.MSHTML.Remote.Code.Execution.All network IOCs associated with this attack are blocked by the WebFiltering client. | Malware Vulnerability Threat | ||
|
2022-07-24 22:00:19 | H0lyGh0st Ransomware Used to Target SMBs (lien direct) | FortiGuard Labs is aware of a report that H0lyGh0st ransomware was primarily used against "small-to-midsized businesses, including manufacturing organizations, banks, schools, and event and meeting planning companies". Microsoft attributed the ransomware to a North Korean hacking group. After the victim's networks are infiltrated, the threat actor then exfiltrates information which then deploys H0lyGh0st ransomware that encrypts files.Why is this Significant?This is significant as H0lyGh0st ransomware is a newly reported ransomware that was deployed to compromised small-to-midsized businesses by an alleged North Korean hacking group in newly discovered attacks.What is H0lyGh0st Ransomware?H0lyGh0st is a ransomware which encrypts files on a compromised machine for financial gain. After the victim's networks are compromised, the threat actor will exfiltrate information from the victim's machine. Then, H0lyGhst ransomware is deployed and encrypts files. The ransomware adds a ".h0lyenc" file extension to the affected files and leaves a ransom note in FOR_DECRYPT.html.The html file includes ransom message below:Please Read this text to decrypt all files encrypted.We have uploaded all files to cloud. Url: [redacted]Don't worry, you can return all of your files immediately if you pay.If you want to restore all of your files, Send mail to [redacted] with your Id. Your ID is [redacted]Or install tor browser and contact us with your id or [redacted] (If all of pcs in your company are encrypted).Our site : "A link to H0lyGh0st Onion site"After you pay, We will send unlocker with decryption keyAttention1. Do not rename encrypted files.2. Do not try to decrypt your data using third party software, it may cause permanent data loss.3. Decryption of your files with the help of third parties may cause increase price.4. Antivirus may block our unlocker, So disable antivirus first and execute unlocker with decryption key.According to the report, the ransom amount ranges from 1.2 to 5 Bitcoins, which amounts to 26,000 to 110,000 US dollars based on the exchange rate as of this publishing.What are the Initial Attack Vectors?While initial attack vectors have not been identified, CVE-2022-26352 is called out as a potential vulnerability that was exploited to break into target networks. CVE-2022-26352 is a critical arbitrary file upload vulnerability in dotCMS. A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted request to the target server. Successfully exploiting this vulnerability could result in arbitrary file be saved in target server and lead to remote code execution.Has the Vendor Released a Fix for CVE-2022-26352?Yes, a patch is available. For more information, see the Appendix for a link to "SI-62: Multipart File Directory Traversal can lead to remote execution".What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against known samples of H0lyGh0st ransomware:W64/Filecoder.788A!tr.ransomW32/Filecoder.AX!trW64/Agent.ACR!trW32/PossibleThreatMalicious_Behavior.SBFortiGuard Labs provides the following IPS coverage for CVE-2022-26352:DotCMS.API.Content.Arbitrary.File.Upload (default action is set to pass)Known network IOCs for H0lyGh0st ransomware are blocked by the WebFiltering client. | Ransomware Vulnerability Threat Guideline | ||
|
2022-07-07 08:14:35 | North Korean State-Sponsored Threat Actors Deploying "MAUI" Ransomware (lien direct) | Today, the United States Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Agency (CISA) and the Department of Treasury released a joint Cybersecurity Advisory on Maui Ransomware, which is attributed to state sponsored activity by the government of North Korea. The Joint CSA provides detailed insight on the various TTPs used by the threat actors behind Maui, which has targeted the Health and Public Health Sector.How Serious of an Issue is This?High. As ransomware activity causes downtime, theft of confidential and personally identifiable information (PII) and other significant impact to operations, it is important to ensure that various security measures are in place, like being up to date with patching vulnerable machines/infrastructure. Also, ensuring employees are trained and up to date on various social engineering attempts and tactics used by threat actors will be a first line of defense against such attacks.What is Maui Ransomware?Maui ransomware is unique in a way that it requires manual execution to start the encryption routine. Maui also features a CLI (command line interface) that is used by the threat actor to target specific files to encrypt. Maui also has the ability to identify previously encrypted files due to customer headers containing the original path of the file.Who are HIDDEN COBRA/LAZARUS/APT38/BeagleBoyz?HIDDEN COBRA also known as Lazarus/APT38/BeagleBoyz has been atributed to the government of North Korea. Also, they have been linked to multiple high-profile, financially-motivated attacks in various parts of the world - some of which have caused massive infrastructure disruptions. Notable attacks include the 2014 attack on a major entertainment company and a 2016 Bangladeshi financial institution heist that almost netted nearly $1 Billion (USD) for the attackers. Had it not been for a misspelling in an instruction that caused a bank to flag and block thirty transactions, HIDDEN COBRA would have pulled off a heist unlike any other. Although HIDDEN COBRA failed in their attempt, they were still able to net around 81 million dollars in total.The most recent notable attack attributed to HIDDEN COBRA was the Wannacry Ransomware attack, which resulted in massive disruption and damage worldwide to numerous organizations, especially those in manufacturing. Various estimates of the impact were in the hundreds of millions of dollars, with some estimates claiming billions. Other verticals which this group has targeted include critical infrastructures, entertainment, finance, healthcare, and telecommunication sectors across multiple countries.Who are the BeagleBoyz?The BeagleBoyz group is a newly identified group that is a subset of activity by the threat actors known as HIDDEN COBRA/LAZARUS/APT 38 and has been observed committing financial crimes, specifically cryptocurrency related thefts. Further information about the BeagleBoyz can be found here.What Operating Systems are Affected?Windows based operating systems are affected.What is the Status of Coverage?Fortinet customers running the latest definitions are protected against Maui with the following (AV) signatures:W32/Ransom_Win32_MAUICRYPT.YACC5W32/Agent.C5C2!trW32/PossibleThreatAnything Else to Note?Victims of ransomware are cautioned against paying ransoms by such organizations as CISA, NCSC, the FBI, and HHS. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities which could potentially be illegal according to a U.S. Department of Treasury's Office of Foreign Assets Control (OFAC) advisory. | Ransomware Threat Patching Medical | Wannacry Wannacry APT 38 | |
|
2022-06-24 00:25:56 | Ransomware Roundup – 2022/06/23 (lien direct) | FortiGuard Labs has become aware of several ransomware strains that caught the public's attention for the week of June 20th, 2022. It is imperative to raise awareness about ransomware variants because infections can cause severe damage to organizations. This week's Ransomware Roundup Threat Signal covers eCh0raix, DeadLocker and Kawaii ransomware along with the Fortinet protections against them.What is eCh0raix Ransomware?eCh0raix, also known as QNAPCrypt and Qlocker, is a ransomware that has been in the field since 2019, and targets QNAP and Synology Network-Attached-Storage (NAS) devices. It encrypts files on those devices and adds a file extension such as ".encrypt" or ".muhstik", and leaves a ransom note in "README_FOR_DECRYPT.txt". Some eCh0raix's ransom notes reportedly have a ".txtt" extension rather than ".txt", which is considered as misspelling by the attacker. eCh0raix threat actors are known to typically ask for small amount of ransom ($1000 ~ $3000) in Bitcoin through a Onion site for file decryption.eCh0raix ransomware's ransom noteIn May 2021, QNAP released an advisory warning QNAP users of eCh0raix ransomware targeting QNAP devices using weak passwords or outdated QTS firmware. QNAP again issued an advisory in June 2021 that eCh0raix ransomware was observed to have exploited several QNAP vulnerabilities in Photo Station (CVE-2019-7192, CVE-2019-7193, CVE-2019-7194, CVE-2019-7195). Those vulnerabilities were patched in late 2019. In mid-2021, a report surfaced that a vulnerability in Hybrid Backup Sync (HBS3) was exploited by eCh0raix ransomware. Assigned CVE-2021-28799, the vulnerability allows remote attackers to log in to vulnerable QNAP devices and install the ransomware. QNAP issued a patch for CVE-2021-28799 in April 2021.The advisory for eCh0raix ransomware issued by QNAP recommends the following actions to prevent eCh0raix infection:Use stronger passwords for your administrator accounts.Enable IP Access Protection to protect accounts from brute force attacks.Avoid using default port numbers 443 and 8080.Update QTS to the latest version.Update all installed applications to their latest versions.Some variants of eCh0raix ransomware allegedly target Synology NAS devices, however the attack vector has not been identified.What is the Status of Coverage?Fortinet provides the following AV coverage against known eCh0raix ransomware samples:ELF/eCh0raix.A!trELF/Filecoder_ECh0raix.A!trELF/Filecoder_ECh0raix.C!trLinux/Filecoder_ECh0raix.D!trLinux/Filecoder_ECh0raix.D!trELF/Cryptor.74B2!tr.ransomFortiGuard Labs provides the following IPS coverage against known vulnerabilities that were used to install eCh0raix ransomware to unpatched QNAP devices:QNAP.NAS.HBS.3.Authentication.Bypass (CVE-2021-28799)QNAP.Photo.Station.Authentication.Bypass (CVE-2019-7192, CVE-2019-7194, CVE-2019-7195)QNAP.QTS.Remote.Code.Injection (CVE-2019-7193)What is DeadLocker Ransomware?DeadLocker is a ransomware that was recently discovered and appears to target Turkey. The ransomware encrypts files on victim's machine and adds ".deadlocked" to the affected files. It replaces desktop wallpaper and displays a ransom message in Turkish that demands the victim to purchase one year of Nitro service (most likely refers to Discord Nitro) or pay $650 US to decrypt the files. At the time of this writing, Discord Nitro costs $99 US annually. The attacker claims that the ransom amount will be reduced to $325 if a ransom is paid within 72 hours. Wallpaper of DeadLockerRansom message displayed by DeadLocker ransomwareRansom message in English translation:Oh no!!!! All your files are locked by DeadLocker 1-) What can I do?You can't do much, you need a special password to open the files. 2-) How can I get my files back?You need to send 1 year of nitro or $650, if you pay within 72 hours it will be reduced to $325 3 - ) Where will I pay?You can contact [reducted] and get the address to send the nitro or $650Encrypted Files:[List of encrypted files]What is the Status of Coverage?Fortinet provides the following AV coverage against DeadLocker | Ransomware Vulnerability Threat | ||
|
2022-06-16 21:35:48 | Ransomware Roundup – 2022/06/16 (lien direct) | FortiGuard Labs has become aware of several ransomware strains that caught the public's attention for the week of June 13th, 2022. It is imperative to raise awareness about ransomware variants because infections can cause severe damage to organizations. This week's Ransomware Roundup Threat Signal covers Nyx, Solidbit, RobbinHood and HelloXD ransomware along with the Fortinet protections against them.What is Nyx ransomware?Nyx is a double-extortion ransomware that was recently discovered. It steals data from the victim and encrypts files on the compromised machine and then demands a ransom from the victim in exchange for file recovery and not leaking the stolen information to the public. It leaves a ransom note in a file called READ_ME.txt that includes the victim's unique ID, the attacker's contact email address as well as secondary email address which the victim should use in case the attacker did not respond within 48 hours of the first email being sent to the attacker. Nyx ransomware's ransom noteThe ransomware adds the following file extension to the files it encrypts:[victim's unique ID].[the attacker's primary contact email].NYX Files encrypted by Nyx ransomwareWhat is the Status of Coverage?FortiGuard Labs provides the following AV coverage against Nyx ransomware:W32/Filecoder.NHQ!tr.ransomWhat is Solidbit ransomware?Solidbit is a ransomware that encrypts files on the compromised machine and demands a ransom from the victim for file recovery. Solidbit ransomware's lock screenSolidbit ransomware drops a ransom note in a file named RESTORE-MY-FILES.txt, which includes Solidbit's own TOR site where the victim is asked to visit to contact the attacker along with the decryption ID. Solidbit ransomware's ransom noteThe TOR site offers free decryption of a file (up to a maximum file size of 1MB) to prove that decryption works properly. The Solidbit threat actor also provides chat support for victims. Solibit ransomware's TOR siteWhat is the Status of Coverage?FortiGuard Labs provides the following AV coverage against Solidbit ransomware:MSIL/Filecoder.APU!tr.ransomWhat is RobbinHood ransomware?RobbinHood is a ransomware has been in the wild since at least 2019. This ransomware is covered in this week's ransomware roundup given a report recently surfaced that it was responsible for infecting an auto parts manufacture in February, 2022 which resulted in shutdown of the factories.Written in Golang, RobbinHood is a simple ransomware that encrypts files on the compromised machine and demands ransom for decrypting the affected files. A typical ransom note left behind by RobbinHood ransomware has the attacker's bitcoin address and asks the victim to pay the ransom within 3 to 4 days depending on the ransomware variant. The attacker warns that the ransom amount increases by $10,000 each day if the payment is not made during the specified window. However, some RobbinHood ransom notes state that the victim's keys will be removed after 10 days. This makes file recovery impossible in order to add pressure to the victim to pay the ransom. Also, the attacker asks the victim not to contact law enforcement or security vendors.Known file extensions that RobbinHood ransomware adds to encrypted files include ".enc_robbin_hood" and ".rbhd".It also deletes shadow copies, which makes file recovery difficult.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against RobbinHood ransomware:W32/Robin.AB!tr.ransomW32/Robin.A!trW32/RobbinHood.A!tr.ransomW32/RobbinHood.A!trW32/Ransom_Win32_ROBBINHOOD.SMW32/Filecoder_RobbinHood.D!tr.ransomW32/Filecoder_RobbinHood.D!trW32/Filecoder_RobbinHood.C!trW32/Filecoder_RobbinHood.B!tr.ransomW32/Filecoder_RobbinHood.B!trW32/Filecoder_RobbinHood.A!trWhat is HelloXD ransomware?HelloXD is a ransomware that targets both Windows and Linux systems. The ransomware has been in the field since at least November 2021 and typically comes with a logo having a red face with horns. HelloXD ransomware logoIn order to inhibit file recovery, it deletes shadow copies before encryptin | Ransomware Threat | ||
|
2022-06-14 19:12:22 | Syslogk: Linux Rootkit with Hidden Backdoor Payload (lien direct) | FortiGuard Labs is aware of a report that a new rootkit for Linux that appears to be still in development was discovered. Namaed "Syslogk", the rootkit is based on Adore-Ng, an old open-source kernel rootkit for Linux. Syslogk is hides directories containing malicious files and does not load the hidden Rekoobe backdoor malware until specifically-crafted magic packets are received.Why is this Significant?This is significant because "Syslogk" is a Linux rootkit that is in development as such it may be used in real attacks in near future. The rootkit contains a new variant of Rekoobe backdoor that will be launched only upon receiving specifically crafted magic packets from the threat actor.What is Syslogk?Syslogk is a Linux rootkit that is reportedly based on an old open-source Linux kernel rootkit called "Adore-Ng".Syslogk rootkit is installed as kernel modules in the affected system and intercepts legitimate Linux commands in order to hide its files, folders, or processes. It can hide directories containing the malicious files dropped on the compromised machine, hides processes and network traffic, and remotely starts or stop payloads on demand. The rootkit is also capable of inspecting all TCP traffic. The rootkit also loads hidden Rekoobe backdoor only when it receives specifically-crafted magic packets from the threat actor.What is Rekoobe?Rekoobe is a Linux backdoor that is reportedly based on TinySHell, an open-source Unix backdoor. Rekoobe refers to its Command-and Control (C2) server and performs malicious activities based on remote commands it receives.What is the Status of Coverage?FortiGuard Labs provides the following coverage against Syslogk rootkit:Linux/Rootkit_Agent.BY!trFortiGuard Labs provides the following coverage against Rekoobe backdoor:Linux/Rekoobe.BLinux/Rekoobe.B!trLinux/Rekoobe.B!tr.bdrLinux/Rekoobe.D!trLinux/Rekoobe.F!trLinux/Rekoobe.N!trLinux/Agnt.A!trLinux/Agent.B!trLinux/Agent.BX!tr.bdrLinux/Agent.DL!trLinux/Agent.JO!trLinux/Agent.LF!trW32/Rekoobe.F!trW32/Multi.MIBSUN!tr.bdrELF/Rosta.487B.fam!tr.bdrAdware/AgentAdware/RekoobePossibleThreat | Malware Threat | ||
|
2022-06-14 19:07:50 | Active Exploitation of Confluence vulnerability (CVE-2022-26134) (lien direct) | FortiGuard Labs is aware that an unauthenticated remote code execution vulnerability in Confluence (CVE-2022-26134) continues to be exploited to deploy malware in the field. Deployed malware reportedly includes Cerber2021 ransomware, Hezb, coinminers and Dark.IoT. The vulnerability was patched on June 3rd, 2022. Why is this Significant?This is significant because CVE-2022-26134 is a newly patched Confluence vulnerability that continues to be exploited in the field and various malware were deployed to the affected systems upon successful exploitation.What is CVE-2022-26134?CVE-2022-26134 is a critical vulnerability affects Confluence Server and Data Center which the latest patch has not yet been applied. The vulnerability relates to an Object-Graph Navigation Language (OGNL) injection that could allow an unauthenticated user to execute arbitrary code on the compromised system.Atlassian released a fix on June 3rd, 2022.FortiGuard Labs previously published a Threat Signal on the subject. See the Appendix for a link to "New Confluence Vulnerability (CVE-2022-26134) Exploited in the Wild".What Malware were Deployed to the Compromised Servers?Malware such as Cerber2021 ransomware, Dark.IoT and coinminers such as Kinsing and XMRig miner are known to be deployed to the affected servers.What is the Status of Coverage?FortiGuard Labs detects the malicious samples that were known to be deployed through CVE-2022-21634 with the following AV signatures:W32/Filecoder.1104!tr.ransomELF/BitCoinMiner.HF!trELF/Mirai.A!trLinux/Agent.PZ!trLinux/CVE_2021_4034.G!trRiskware/CoinMinerAdware/MinerFortiGuard Labs released the following IPS signature against CVE-2022-26134 in version 21.331:Atlassian.Confluence.OGNL.Remote.Code.ExecutionInitially, the signature's default action was set to "pass", however the action was changed to "drop" from version 21.333. | Malware Vulnerability Threat | ||
|
2022-06-13 12:40:35 | PingPull RAT Activity Observed in New in the Wild Attacks (GALLIUM APT) (lien direct) | FortiGuard Labs is aware of a newly discovered in-the-wild remote access tool (RAT) used by GALLIUM APT, called PingPull. GALLIUM has targeted telecommunication, financial and governmental verticals, specifically in Africa, Europe and Southeast Asia in the past.GALLIUM was first detailed by CyberReason and Microsoft in 2019 in an operation targeting telecom providers stealing call detail records (CDR) that contain transactional information of SMS messages, sent and received phone calls, timestamps and other records. GALLIUM uses various off the shelf tools, and modified open source tools and malware to attack organizations for various campaigns. PingPull was observed by Palo Alto Networks in this latest campaign. Usage of the China Chopper webshell is commonly associated with this APT group as well.Powered by the CTABecause of our partnership in the Cyber Threat Alliance alongside other trusted partner organizations, Fortinet customers were protected in advance of this announcement.What is PingPull?PingPull is a remote access trojan (RAT). What makes PingPull novel is the usage of ICMP (Internet Control Message Protocol) which is not a typical TCP/UDP packet, that allows the threat actor to evade detection as it is not often monitored for anomalous activity. PingPull can also leverage HTTPS and TCP as well for further evasion. PingPull has been observed to install itself as a service for persistence. Besides containing typical RAT functionality, PingPull allows for a reverse shell further adding insult to injury. Previous RATs used by GALLIUM were modified versions of Poison Ivy and Gh0st Rat.Who is GALLIUM?GALLIUM is an APT group attributed to the Chinese government. The modus operandi of this group is to use various off the shelf tools to eventually compromise an organization via the utilization of stolen certificates to ultimately perform lateral movement within. Due to non-standardized APT naming conventions, GALLIUM is also known as Operation Soft Cell (CyberReason).What is the Status of Coverage?FortiGuard customers are protected against PingPull RAT by the following (AV) signatures:W32/PossibleThreatW64/Agent.BGA!trAll known URIs are blocked by the WebFiltering Client. | Malware Tool Threat | ||
|
2022-06-09 18:46:13 | Ransomware Roundup – 2022/06/09 (lien direct) | FortiGuard Labs has become aware of several ransomware that caught public attention for the week of June 6th, 2022. It is imperative to raise awareness about ransomware variants because infections can cause severe damage to organizations. This week's Ransomware Roundup Threat Signal covers YourCyanide, LockBit, WhiteCat, and DeadBolt ransomware along with the Fortinet protections against them.What is YourCyanide ransomware?YourCyanide ransomware is a CMD-based ransomware variant still under development and abuses PasteBin, Discord, Telegram and Google services. The ransomware belongs to GonnaCope ransomware family that was discovered in April 2022.YourCyanide ransomware reportedly arrives as an LNK (Link) file that contains a PowerShell script that downloads and runs a malicious file from Discord. The downloaded file then drops and executes a CMD file. The CMD file downloads another CMD file from Pastebin, which performs several activities that include:Checks for usernames for which the ransomware avoids infection.Drops a Batch file that continues to open the Blank Screen Saver fileChecks for specific services and security applications which the ransomware tries to terminateSwaps the mouse buttonDisables TaskManagerRanames files in Desktop, Documents, Music, Pictures, Videos, and Downloads folders. Renamed files have a ".cyn" file extensionCreates two VBS files that send the ransomware as an email attachment Copies itself to D, E, F, G, and H drivers as well as UserProfile folderDrops a ransom note to DesktopDownloads a remote CMD file from DiscordThe CMD file downloaded from Discord steals access token from applications including Chrome, Discord, and Microsoft Edge, and collects information such as installed applications, and machine information from the compromised machine. The collected information will be then sent to a Telegram chat bot.It also reportedly downloads an executable file from Google Docs and executes it. The remote executable file is no longer accessible, however the file is likely used to steal credentials from various Web browsers.Screenshot of YourCyanide's ransom noteWhat is the Status of Coverage?FortiGuard Labs provides the following AV coverage against available samples associated with YourCyanide ransomware:BAT/Agent.QU!tr.dldrBAT/Agent.C20D!trLNK/Agent.AG!tr.dldrLNK/Agent.3D7B!tr.dldrPossibleThreatWhat is LockBit ransomware?LockBit is a ransomware that encrypts files in victims' machines and exfiltrate data. It then demands ransom in exchange for decrypting the affected files and not releasing the stolen data to the public. LockBit functions as Ransomware-as-a-Service (RaaS) that has been active for years and provides Lockbit ransomware, operates data leaks and ransom payment sites, and offers ransom negotiation service to its affiliate. Affiliates of LockBit typically earn approximately 70-80% of earnings, while the LockBit operators earn the rest.LockBit ransomware recently came to light again this week because Evil Corp reportedly switched their ransomware to LockBit in order to avoid sanctions imposed by the U.S. government. Evil Corp is a threat actor group that is known to have developed and use Dridex banking malware for financial gain. Dridex was also used to deliver another malware such as ransomware to victims' machines. Alleged ransomware that were previously associated with Evil Corp includes Bitpaymer, Doppelpaymer, Wastedlocker and Hades. FortiGuard Labs previously released a Threat Signal on LockBit. See the Appendix for a link to "LockBit 2.0 Ransomware as a Service (RaaS) Incorporates Enhanced Delivery Mechanism via Group Policy".What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against recent Lockbit ransomware samples:W32/LockBit.29EA!tr.ransomW32/Generic.AC.171!trMSIL/Generic.EBMY!trW32/Filecoder.NXQ!tr.ransomW32/Filecoder.OAN!tr.ransomWhat is WhiteCat ransomware?WhiteCat is a new Chaos ransomware variant. It checks for "forbidden country" by looking at the current input language/keyboard. If the current inpur/keyboard is set to "az-Latn- | Ransomware Malware Vulnerability Threat | ||
|
2022-06-09 17:30:25 | Qakbot Delivered Through CVE-2022-30190 (Follina) (lien direct) | FortiGuard Labs is aware of a report that CVE-2022-30190 is exploited in the wild to deliver Qakbot malware. Currently, a patch is not available for CVE-2022-30190. Also known as Qbot and Pinkslipbot, Qakbot started off as a banking malware. In recent years, Qakbot was seen as a delivery vehicle for other malware, which often results in a compromised machine being infected with ransomware.Why is this Significant?This is significant because CVE-2022-30190 is a Windows vulnerability that has no available patch and is being abused in the field. The current attack campaign delivers Qakbot to victim's machine. While final payload has not been identified nor reported, often Qakbot infection leads to ransomware deployed to the compromised machine. A publicly available report suggests Black Basta ransomware was deployed through Qakbot.What is CVE-2022-30190?CVE-20022-30190, also known as Follina, is a vulnerability in Microsoft Support Diagnostic Tool, which uccessful exploitation allows an attacker to run arbitrary code with the privileges of the calling application. FortiGuard Labs previously released Outbreal Alert and Threat Signal on CVE-2022-30190. See the Appendix for links to "MSDT Follina" and "Follina: 0-day Windows MSDT Vulnerability (CVE-2022-30190) Exploited In The Wild".How does the Current Qakbot Campaign Work?Reportedly, malicious emails arrive with an HTML attachment. Opening the HTML attachment downloads and saves a .zip file that an inner IMG file inside. The IMG file contains a DLL, a Word document, and a .LNK file. The DLL is a Qakbot variant which the link file will execute. Alternatively, the Word file will download and execute a remote HTML file, which has a script to abuse CVE-2022-30190, which then download and execute a Qakbot variant. What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against available samples associated with the current Qakbot campaign that abuses CVE-2022-30190:W32/Qbot.DM!trMSOffice/CVE_2021_40444.A!tr LNK/Agent.BD!trHTML/CVE_2022_30190.A!trRegarding IPS coverage, the following signature will detect the retrieval of remote HTML files that contain the MSDT command:MS.Office.MSHTML.Remote.Code.Execution.Known network IOCs for CVE-2022-30190 are blocked by the WebFiltering client.FortiEDR will provide protection from exploitation of this vulnerability and subsequent post-exploitation activity. See the Appendix for a link to "Technical Tip: How FortiEDR protects against CVE-2022-30190 'Follina' Microsoft Office protocol vulnerability" for more information.Th FortiGuard Content Disarm and Reconstruction (CDR) service can detect the attack in real-time and prevent it by disarming the "oleobject" data from Microsoft Office files. | Ransomware Vulnerability Threat Guideline | ||
|
2022-06-03 18:50:53 | New Confluence Vulnerability (CVE-2022-26134) Exploited in the Wild (lien direct) | FortiGuard Labs is aware of a new vulnerability in Confluence Server and Data Center (CVE-2022-26134) which was reportedly exploited as a zero-day in the wild. Rated critical, successful exploitation of the vulnerability allows an unauthenticated remote attacker to execute arbitrary code on the compromised server. The vulnerability affects all supported versions of unpatched Confluence Server and Data Center.Why is this Significant?This is significant because Confluence Server and Data Center (CVE-2022-26134) was reportedly exploited as a 0-day in the wild. The vulnerability is an OGNL injection vulnerability that allows an unauthenticated remote attacker to execute arbitrary code on the compromised server.Confluence is a widely-used team workspace and collaboration tool developed by Atlassian. It is used to help teams collaborate and share knowledge via a content management system and is used by many large scale enterprise and organizations worldwide. This vulnerability does not have a CVSS score at the moment, but the ease of exploitation via an unauthenticated session and combined with remote code execution is a cause for concern.What versions of Confluence Server and Data Center are Affected by CVE-2022-26134?The advisory released by Atlassian states that the following versions are affected:All supported versions of Confluence Server and Data CenterConfluence Server and Data Center versions after 1.3.0What Malware was Deployed to the Compromised Server?It was reported that China Chopper has been deployed on to compromised servers. China Chopper is a tiny webshell that provides a remote attacker backdoor access to a compromised system.Has the Vendor Released an Advisory for CVE-2022-26134?Yes. See the Appendix for a link to "Confluence Security Advisory 2022-06-02".Has the Vendor Released a Patch?Yes, Atlassian has released a patch on June 3rd, 2022.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against the China Chopper webshell that was reportedly deployed on known compromised Confluence servers:Java/Websh.D!trAll known network IOC's associated with attacks leveraging CVE-2022-26134 are blocked by the FortiGuard WebFiltering Client.FortiGuard Labs is currently investigating for additional coverage against CVE-2022-26134. This Threat Signal will be updated when additional information becomes available.Any Suggested Mitigation?The advisory includes mitigation information. See the Appendix for a link to "Confluence Security Advisory 2022-06-02". | Malware Tool Vulnerability Threat | ||
|
2022-06-03 09:37:18 | Ransomware Roundup - 2022/06/02 (lien direct) | FortiGuard Labs is aware of a number of new ransomware strains for the week of May 30th, 2022. It is imperative to raise awareness about new ransomware strains as infections can cause severe damage to organizations. This week's Ransomware Roundup Threat Signal covers Hive ransomware, Bright Black Ransomware and Karakurt Data Extortion Group, and Fortinet protections against them.What is Hive Ransomware?Hive ransomware is a Ransomware-as-a-Service (RaaS) that was first observed in June 2021. This ransomware is highlighted in this Threat Signal as Costa Rica's public health system was reportedly compromised by the ransomware.As a RaaS, the Hive ransomware group consists of two types of groups: ransomware operator (developer) and affiliates. The former develops Hive ransomware, provides support for its affiliates, operates ransom payment site as well as a date leak site called "HiveLeaks" on Tor. The latter carries out actual attacks that infect victims, exfiltrate data from victims, and deploy Hive ransomware onto the compromised machine. An apparent underground forum post that recruited Hive ransomware conspirators promised 80% cut for the affiliates. Hive ransomware is the main arsenal that is deployed to the compromised machine to encrypt files. Before the file encryption takes place, data is stolen from the victim and shadow copies are deleted, which makes file recovery awfully difficult. Typical files encrypted by Hive ransomware have a .hive extension. Other reported file extensions include .aumcc, .sncip, .accuj and .qxycv. According to a report published by Group-IB, "the data encryption is often carried out during non-working hours or at the weekend" in an attempt to encrypt as many files as possible without being noticed.Typical ransom note left behind by Hive ransomware below:Your network has been breached and all data is encrypted.To decrypt all the data you will need to purchase our decryption software.Please contact our sales department at: xxxx://[removed].onion/ Login: [removed] Password: [removed] Follow the guidelines below to avoid losing your data: - Do not shutdown or reboot your computers, unmount external storages. - Do not try to decrypt data using third party software. It may cause irreversible damage. - Don't fool yourself. Encryption has perfect secrecy and it's impossible to decrypt without knowing the key. - Do not modify, rename or delete *.key.hive files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to authorities. The negotiation process will be terminated immediately and the key will be erased. - Do not reject to purchase. Your sensitive data will be publicly disclosed at xxxx://[removed]onion/ The group employs a double extortion technique which victims are asked to make a ransom payment in order to recover encrypted files as well as to prevent the stolen data from being published to "HiveLeaks". Some victims reportedly received phone calls from Hive threat actors. The victim will receive a decryption tool upon the completion of payment, however, there was a chatter that suggests the decryption tool did not work as advertised in some cases and made virtual machines unbootable due to the tool corrupting the MBR (Master Boot Record).Initial attack vectors include phishing emails with malicious attachment, attacking vulnerable RDP servers, and the use of compromised VPN credentials. Purchasing network access from initial access brokers is a possibility as well.Hive ransomware reportedly victimized companies across wide range of industries such as (but not restricted to) real estate, IT and manufacturing. Some RaaS have a policy to exclude governmental educational and military organizations, health care, and critical infrastructures such as gas pipelines and power plants. Hive ransomware does not appear to have such policy as its victims include health care and government organizations. In August, 2021, the Federal Bureau of Investigation (FBI) released a flash alert on Hive ransomware.See the Appendix for | Ransomware Malware Tool Threat | ||
|
2022-05-31 10:18:52 | Follina: 0-day Windows MSDT Vulnerability (CVE-2022-30190) Exploited In The Wild (lien direct) | FortiGuard Labs is aware that a 0-day vulnerability in Microsoft Support Diagnostic Tool is being exploited in the wild. The first sample that exploits the vulnerability appeared on VirusTotal on April 12th, 2022. Assigned CVE-2022-30190, successful exploitation allows an attacker to run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user's rights.Why is the Significant?This is significant because the vulnerability is a 0-day vulnerability in Microsoft Support Diagnostic Tool that allows remote code execution and is being exploited in the wild.What is CVE-2022-30190?The vulnerability is a remote code execution vulnerability that was named "Follina" by a security researcher Kevin Beaumont. The name "Follina" was derived from the 0-day code referencing "0438", which is the area code of Follina, Italy. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application such as Word. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user's rights.A malicious Word file that is widely discussed online abuses the remote template feature in Microsoft Word and retrieves a remote HTML file. The retrieved HTML file uses the "ms-msdt" MSProtocol URI scheme load and execute the PowerShell payload. Note that ms-msdt refers to "Microsoft Support Diagnostic Tool", which a legitimate Microsoft tool collects and sends system information back to the Microsoft for problem diagnostic.What is concerning is that the vulnerability reportedly can be exploited if even if macros, one of the most prevalent ways to deliver malware via Microsoft Office files, are disabled. Also, if the document file is changed to RTF form, even previewing the document the vulnerability in Windows Explorer can trigged the exploit.How Widespread is this?While the attack that leverages the vulnerability does not appear to be widespread, however more attacks are expected as Proof-of-Concept code is available and a patch has not yet been released. Does the Vulnerability Have CVE Number?CVE-2022-30190 has been assigned to the vulnerability.Has Microsoft Released an Advisory?Yes. See the Appendix for a link to " Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability".Has Microsoft Released a Patch?No, Microsoft has not released a patch yet.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against the known sample that are associated with CVE-2022-30190:MSWord/Agent.2E52!tr.dldrKnown network IOCs for CVE-2022-30190 are blocked by the WebFiltering client.FortiGuard Labs is currently investigating for additional coverage against CVE-2022-30190. This Threat Signal will be updated when additional information becomes available.Any Suggested Mitigation?Microsoft released an official blog on CVE-2022-30190 that includes mitigation information. See the Appendix for a link to "Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability". | Malware Tool Vulnerability Threat | ★★ | |
|
2022-05-26 21:52:30 | Ransomware Roundup - 2022/05/26 (lien direct) | FortiGuard Labs became aware of a number of new Ransomware strains for the week of May 23rd, 2022. It is imperative to raise awareness about new ransomware as infections can cause severe damage to the affected machines and organizations. This Threat Signal covers Yashma ransomware, GoodWill ransomware and Horsemagyar ransomware along with Fortinet protections against them.What is Yashma Ransomware?Yashma ransomware is a new and is generated through Yashma ransomware builder. It is claimed as the sixth version of Chaos ransomware builder. Reportedly, compared to the fifth version, Yashma ransomware builder now supports the "forbidden country" option which attackers can choose not to run the generated ransomware based on the victim's location. The new builder also enables the ransomware to stop a wide variety of services running on the compromised machine such as anti-malware solutions, and Remote Desktop and Backup services. Additionally, it is important to note that from the fifth version of Chaos ransomware builder, the crafted ransomware can successfully encrypt files larger than 2,117,152 bytes and no longer corrupts them.A known sample of Yashma ransomware has the following ransom note:All of your files have been encrypted with Yashma ransomwareYour computer was infected with a ransomware. Your files have been encrypted and you won'tbe able to decrypt them without our help.What can I do to get my files back?You can buy our specialdecryption software, this software will allow you to recover all of your data and remove theransomware from your computer.The price for the software is $1,500. Payment can be made in Bitcoin only.How do I pay, where do I get Bitcoin?Purchasing Bitcoin varies from country to country, you are best advised to do a quick google searchyourself to find out how to buy Bitcoin.Many of our customers have reported these sites to be fast and reliable:Coinmama - hxxps://www[.]coinmama[.]com Bitpanda - hxxps://www[.]bitpanda[.]comPayment informationAmount: 0.1473766 BTCBitcoin Address: [removed] At the time of this writing, the attacker's bitcoin wallet has no transactions.FortiGuard Labs previously released several blogs on Chaos ransomware. See the Appendix for links to "Chaos Ransomware Variant Sides with Russia" and "Chaos Ransomware Variant in Fake Minecraft Alt List Brings Destruction to Japanese Gamers".What is the Status of Coverage for Yashma ransomware?FortiGuard Labs provides the following AV coverage against a known sample of Yashma ransomware:MSIL/Filecoder.APU!tr.ransomWhat is GoodWill Ransomware?GoodWill ransomware was recently discovered, however it appears to have been first observed in March 2022. The ransomware encrypts files on the compromised machine and adds a ".gdwill" file extension to the affected files.Unlike other ransomware that demands ransom to recover the encrypted files, GoodWill asks the victim to do three good deeds. Firstly, the victim must provide clothes and blankets to needy people on the street. Secondly, the victim must feed dinner to five children at a pizza or fried chicken joint. Lastly, the victim must visit a local hospital and provide financial assistance to those in need. After finishing each deed, proof must be provided to the attacker, and a decryption tool and video instruction will be provided to the victim after completing all the deeds.What is the Status of Coverage for GoodWill ransomware?FortiGuard Labs provides the following AV coverage against GoodWill ransomware:MSIL/Filecoder.AGR!tr.ransomWhat is Horsemagyar Ransomware?Horsemagyar ransomware is a new variant of Sojusz ransomware that was recently discovered. It encrypts files on the compromised machine and adds ".[10 digit ID number].spanielearslook.likeoldboobs" file extension to the encrypted files. The ransomware leaves a ransom note as Horse.txt. The first sighting of Sojusz ransomware goes back to February, 2022 and it added a ".[10 digit ID number].[attacker's email address].bec" extension to the files it encrypted.Example of ransom note left behind by Horsemagyar ransomware is below:: | Ransomware Tool Threat | ||
|
2022-05-24 13:32:10 | Cobalt Strike Delivered Through Fake Proof-of-Concept Code (lien direct) | FortiGuard Labs is aware of a report that a Cobalt Strike beacon was attempted to be delivered through a couple of fake Proof-of-Concept (POC) codes hosted on GitHub. The files pretend to be POCs for CVE-2022-26809 and CVE-2022-24500. They have already been removed from GitHub.Why is this Significant?This is significant because the attack targeted researchers, pen testers and infosec teams in organizations to deliver Cobalt Strike beacons, which will most likely be used to deliver malware such as ransomware.What is CVE-2022-26809?CVE-2022-26809 is a remote procedure call runtime remote code execution vulnerability that affects wide variety of Windows OS that includes Windows 7, 8, 10, 11, Windows Server 2008, 2012, 2016, 2019 and 2022. Assigned a CVSS score of 9.8, successfully exploiting the vulnerability allows an attacker to execute remote code with high privileges on a vulnerable system, leading to a full compromise. The vulnerability was patched as part of Patch Tuesday April 2022.FortiGuard Labs previously released Threat Signal on CVE-2022-26809. See the Appendix for a link to "Microsoft Released Advisory on a Critical Remote Code Execution Vulnerability in RPC (CVE-2022-26809)".What is CVE-2022-24500?CVE-2022-24500 is a Windows SMB remote code execution vulnerability that affects Windows 7, 8, 10, 11 and Windows Server 2008, 2012, 2019 and 2022. The vulnerability has a CVSS score of 8.8, and was patched as part of Patch Tuesday April 2022.The Microsoft advisory states that "For vulnerability to be exploited, a user would need to access a malicious SMB server to retrieve some data as part of an OS API call. This vulnerability requires that a user with an affected version of Windows access a malicious server. An attacker would have to host a specially crafted server share or website. An attacker would have no way to force users to visit this specially crafted server share or website, but would have to convince them to visit the server share or website, typically by way of an enticement in an email or chat message".What is Status of Coverage?FortiGuard Labs detect the fake POCs with the following AV coverage:PossibleThreatAll network IOC's are blocked by the WebFiltering client. | Malware Vulnerability Threat Guideline | ||
|
2022-05-24 13:31:49 | New ArguePatch Variant Attacks Ukraine (lien direct) | FortiGuard Labs is aware of a report that a new variant of ArguePatch malware was used in an attack against Ukraine. This ArguePatch variant includes a feature to set up a schedules task in order to perform a specific action at a specified time.Why is this Significant?This is significant because the new variant of ArguePatch malware now has a feature to perform a specific action at a specified time without setting up a scheduled task. This provides more stealthiness to the malware which allows it to stay under the radar until it actually starts to carry out a next stage action.What is ArguePatch?ArguePatch is a loader malware that was previously used in campaigns against Ukraine which involve CaddyWiper and Industroyer2. The malware is a patched version of a legitimate component of Hex-Rays IDA Pro software.FortiGuard Labs previously released Threat Signals on CaddyWiper and Industroyer2. See the Appendix for links to "Additional Wiper Malware Deployed in Ukraine #CaddyWiper" and "Industroyer2 Discovered Attacking Critical Ukrainian Verticals".What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against known variants of ArguePatch:W32/Agent.AECG!trW32/PossibleThreat | Malware Threat | ||
|
2022-05-24 13:31:05 | CISA Warns VMware Vulnerabilities Exploited in the Wild Leading to Full System Compromise (lien direct) | FortiGuard Labs is aware that the Cybersecurity and Infrastructure Security Agency (CISA) CISA released an advisory on recently patched VMware vulnerabilities (CVE-2022-22954 and CVE-2022-22960) being exploited separately and in combination, allowing threat actors to gain full control of the compromised system. Both vulnerabilities affect VMware Workspace ONE Access, Identity Manager, and vRealize Automation and were patched on April 6th, 2022. The advisory also states that CISA expects threat actors to develop exploits for newly patched VMware vulnerabilities (CVE-2022-22972 and CVE-2022-22973) quickly.Why is this Significant?This is significant because the advisory that CISA released on CVE-2022-22954 and CVE-2022-22960 was prompted by an actual incident which one large organization was compromised by an unidentified threat actor on or around April 12, 2022. According to the advisory, the threat actor "leveraged CVE-2022-22954 to execute an arbitrary shell command as a VMware user. The actor then exploited CVE-2022-22960 to escalate the user's privileges to root. With root access, the actor could wipe logs, escalate permissions, and move laterally to other systems". The advisory also warns that exploits for another VMware vulnerabilities (CVE-2022-22972 and CVE-2022-22973) will be developed soon. As such, the patches for the four vulnerabilities or workarounds should be applied as soon as possible.What is CVE-2022-22954, CVE-2022-22960, CVE-2022-22972 and CVE-2022-22973?CVE-2022-22954 is a vulnerability in VMware Workspace ONE Access, Identity Manager, and vRealize Automation, which an attacker with network access can trigger a server-side template injection that may result in remote code execution. The vulnerability has the CVSSv3 base score of 9.8 and is rated critical.FortiGuard Labs previously released Threat Signal on CVE-2022-22954. See Appendix for a link to "Newly Patched VMware Vulnerability (CVE-2022-22954) Being Exploited in the Wild".CVE-2022-22960 is a Local Privilege Escalation (LPE) vulnerability in VMware Workspace ONE Access, Identity Manager, and vRealize Automation. As LPE, attacker is required to have local access can escalate privileges to 'root'. The vulnerability has the CVSSv3 base score of 7.8 and is rated important.CVE-2022-22972 is an authentication bypass vulnerability that affects VMware Workspace ONE Access, Identity Manager and vRealize Automation. As LPE, exploitation happens locally as such an attacker is required to have access to the victim's machine to elevate privileges. The vulnerability has the CVSSv3 base score of 9.8 and is rated critical.CVE-2022-22973 is a Local Privilege Escalation (LPE) vulnerability that affects VMware Workspace ONE Access, Identity Manager and vRealize Automation. As LPE, attacker is required to have local access can escalate privileges to 'root'. The vulnerability has the CVSSv3 base score of 7.8 and is rated important.Has the Vendor Released Advisories?Yes, VMware released advisories for all four vulnerabilities. See the Appendix for links to "VMSA-2022-0011.1" and "VMSA-2022-0014".Has the Vendor Released Patches for the Vulnerabilities?VMware released patches for CVE-2022-22954 and CVE-2022-22960 on April 6th, 2022. Patches for CVE-2022-22972 and CVE-2022-22973 were released on May 18th, 2022. What is the Status of Coverage?FortiGuard Labs has released the following IPS signature for CVE-2022-22954:VMware.Workspace.ONE.Access.Catalog.Remote.Code.ExecutionA network IOC for CVE-2022-22954 called out in the CISA advisory is blocked by the WebFiltering client.CVE-2022-22960, CVE-2022-22972, CVE-2022-22973 were privately disclosed as such there currently is no available Proof-of-Concept code. FortiGuard Labs is monitoring the situation closely and will update this Threat Signal when protection becomes available.Any Suggested Mitigation?VMware has provided mitigations for CVE-2022-22954, CVE-2022-22960, CVE-2022-22972. See the Appendix for links to "KB88098" for CVE-2022-22954 and CVE-2022-22960, and "KB88433" for CVE-2022-22972. | Vulnerability Threat | ||
|
2022-05-24 13:29:37 | Meet BlackByte Ransomware (lien direct) | FortiGuard Labs is aware of a relatively new ransomware family "BlackByte" is in the wild, infecting organizations around the globe. BlackByte was first observed as early as July 2021. In February 2022, the Federal Bureau of Investigation (FBI) and the U.S. Secret Service (USSS) issued a joint advisory that "multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors (government facilities, financial, and food & agriculture) were targeted by BlackByte ransomware affiliates. In common with other ransomware, BlackByte encrypts and steals files on the compromised machines, and demands ransom from the victim to recover the files and not to leak the stolen information to the public.Why is this Significant?This is significant as the BlackByte ransomware family reportedly compromised organizations around the globe including multiple US and foreign businesses and US critical infrastructure sectors. Also, ProxyShell, an exploit attack chain involving three vulnerabilities in Microsoft Exchange Server, widely used in enterprise email application, were reported to have been used as an infection vector. Microsoft issued patches for ProxyShell in May and July 2021. BlackByte ransomware infection may indicate that some organizations have not yet applied those fixes or workaround.FortiGuard Labs previously published multiple Threat Signals on ProxyShell. See the Appendix section for links to New Threat Actor Leverages ProxyShell Exploit to Serve RansomwareVulnerable Microsoft Exchange Servers Actively Scanned for ProxyShellBrand New LockFile Ransomware Distributed Through ProxyShell and PetitPotamWhat is BlackByte?BlackByte is a ransomware-as-a-service (RaaS), which runs a business of leasing necessary ransomware services to its affiliates. Such ransomware services including developing ransomware, creating and maintaining necessary infrastructures (i.e., ransom payment portal), ransom negotiation with victims as well as provides support service to the affiliates. Attacks are typically carried out by BlackByte affiliates, who rent and use those services. Once a victim is compromised and ransom is paid, BlackByte developers take a portion of the ransom as a service fee.How does the Attack Work?Typically attacks that deliver ransomware arrive in emails, however the join advisory reported that BlackByte threat actors, in some case, exploited known Microsoft Exchange Server vulnerabilities including ProxyShell to gain access to the victim's network. Once the attacker gains a foothold in the victim's network, the attacker deploys tools such as oft-abused Cobalt Strike to move laterally across the network and escalate privileges before exfiltrating and encrypting files. Some BlackByte ransomware variants may have worm functionality, which allows itself to self-propagate through the victim's network.Files that are encrypted by BlackByte ransomware typically have a ".blackbyte" file extension.BlackByte ransomware reportedly avoids encrypting files if the ransomware detects compromised systems that use Russian and ex-USSR languages.What is ProxyShell?ProxyShell is a name for a Microsoft Exchange Server exploit chain (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) that allows an attacker to bypass ACL controls, elevate privileges and execute remote code on the compromised system.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against currently available Indicator-of-Compromises (IOCs) associated with BlackByte ransomware:RTF/BlackByte.DC56!tr.ransomW64/BlackByte.DC56!tr.ransomW32/Agent.CH!trW32/CobaltStrike.NV!trJS/Agent.49CC!trW32/PossibleThreatFortiGuard Labs provides the following IPS coverage against three vulnerabilities that are leveraged in ProxyShell:MS.Exchange.Server.CVE-2021-34473.Remote.Code.Execution (CVE-2021-34473)MS.Exchange.Server.Common.Access.Token.Privilege.Elevation (CVE-2021-34523)MS.Exchange.MailboxExportRequest.Arbitrary.File.Write (CVE-2021-31207)FortiEDR detects and blocks ProxyShell attacks out of the box without any prior knowledge | Ransomware Tool Threat | ||
|
2022-05-12 23:53:15 | Destructive Onyx ransomware in the wild (lien direct) | FortiGuard Labs is aware that a new ransomware "Onyx" is in the wild. The ransomware was first discovered in late April, 2022. The malware appears to be based on Chaos ransomware and overwrites files bigger than 2MB, making file recovery very difficult. What is this Significant?This is significant because the threat actor opted to have Onyx ransomware overwrite files bigger than 2MB on the compromised machine rather than encrypting them. Although the threat actor promises to decrypt the affected files after ransom payment is made, recovery of the overwritten files will be difficult.What does Onyx Ransomware do?The ransomware overwrites files bigger than 2MB on the compromised machine, encrypts files smaller than 2MB, and adds file extension ".ampkcz" to them. It also collects sensitive information such as credentials from the affected machine. It then displays the following ransom message and demands ransom from the victim in order to recover the affected files:"All of your files are currently encrypted by ONYX strain.As you already know, all of your data has been encrypted by our software.It cannot be recovered by any means without contacting our team directly.DON'T TRY TO RECOVER your data by yourselves. Any attempt to recover your data (including the usage of the additional recovery software) can damage your files. However,if you want to try - we recommend choosing the data of the lowest value.DON'T TRY TO IGNORE us. We've downloaded a pack of your internal data and are ready to publish it on our news website if you do not respond.So it will be better for both sides if you contact us as soon as possible.DON'T TRY TO CONTACT feds or any recovery companies.We have our informants in these structures, so any of your complaints will be immediately directed to us.So if you will hire any recovery company for negotiations or send requests to the FBI, we will consider this as a hostile intent and initiate the publication of whole compromised data immediately.To prove that we REALLY CAN get your data back - we offer you to decrypt two random files completely free of charge.You can contact our team directly for further instructions through our website :TOR VERSION :(you should download and install TOR browser first https://torproject.org)http://[Removed}].onionLogin: [Removed]Password: [Removed]YOU SHOULD BE AWARE!We will speak only with an authorized person. It can be the CEO, top management, etc.In case you are not such a person - DON'T CONTACT US! Your decisions and action can result in serious harm to your company!Inform your supervisors and stay calm!"What is the Status of Coverage?FortiGuard Labs provides the following AV detection for known Onyx ransomware samples:MSIL/Filecoder.F9C3!tr.ransom | Ransomware Malware Threat | ★★ | |
|
2022-05-10 21:09:32 | F5 BIG-IP Remote Command Execution Vulnerability (CVE-2022-1388) (lien direct) | FortiGuard Labs is aware of a new remote command execution vulnerability affecting F5 BIG-IP clients. Exploiting this vulnerability will allow an attacker to completely take over an affected device. What are the Technical Details of this Vulnerability?According to the F5 security advisory, this vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only.Because this vulnerability does not require any sophistication to exploit, and the fact that in-the-wild exploitation are reported to have been observed and proof-of-concept (PoC) codes are publicly available, it is highly recommended that organizations affected by this latest vulnerability apply all patches immediately.What Versions Are Affected?Reported versions affected by CVE-2022-1388 are:BIG-IP versions 16.1.2 through 13.1.0 (versions under 13.1.0 are affected but will not be fixed)How Serious of an Issue is This?HIGH. CVE-2022-1388 has a CVSS score of 9.8. US-CERT (CISA) has also issued an alert for this issue. For further information, please refer to F5 Releases Security Advisories Addressing Multiple Vulnerabilities in the APPENDIX.How Widespread is this Attack?Global. Malicious scans by attackers are currently underway looking for vulnerable unpatched appliances, regardless of location. Proof-of-concept codes (POC) are available and the vulnerability is reported to have been actively exploited in the wild.What is the Status of Coverage?Customers running current (IPS) definitions are protected by:F5.BIG-IP.iControl.REST.Authentication.BypassFortiGuard Labs is continuously monitoring this vulnerability and we will update this Threat Signal once more information becomes available.Are There Any Reports of Nation State Activity Actively Exploiting CVE-2022-1388?Yes, the vulnerability is reported to have been actively exploited in the wild.Any Other Suggested Mitigation?According to F5, it is recommended to apply all available patches from the May 2022 update immediately. If patching is not possible at this time, F5 recommends blocking all access to the iControl REST interface of your BIG-IP system through self IP addresses. Mitigation details can be found in the article titled - "K23605346: BIG-IP iControl REST vulnerability CVE-2022-1388" in the APPENDIX section.The potential for damage to daily operations, reputation, and unwanted release of data, the disruption of business operations, etc. is apparent, and because of this it is important to keep all AV and IPS signatures up to date. It is also important to ensure that all known vendor vulnerabilities within an organization are addressed once available, and updated on a regular basis to protect against attackers establishing a foothold within a network. | Vulnerability Threat Patching | ★★★ | |
|
2022-04-13 10:45:17 | Industroyer2 Discovered Attacking Critical Ukrainian Verticals (lien direct) | FortiGuard Labs is aware of new reports of Industroyer2, the successor to the Industroyer malware. First discovered in 2016, Industroyer was attributed to energy grid attacks in Kiev, Ukraine. The attack resulted in a loss of electricity for over an hour and was attributed to the Russian government (Sandworm). The latest discovery of Industroyer2 was discovered by researchers at ESET (who also discovered Industroyer in 2015).Industroyer is an Industrial Control System (ICS) specific malware that is modular and was discovered to have capabilities to control electrical substations and circuit breakers. It uses industrial communication protocols and techniques to conduct its operations via a global industry standard used by many critical infrastructure verticals.This latest variant of Industroyer2 was seen targeting ICS devices within electrical substations and then trying to erase any evidence of its attack by running CaddyWiper malware along with other Linux and Solaris (UNIX) wipers. It is currently unknown at this time how the threat actors were able to compromise and obtain initial access before entering into the ICS network. For further details on CaddyWiper, please see our Threat Signal here. This is a current news event, further details will be published when available.What are the Technical Details of this Attack?Industroyer2 is a Windows executable file and was executed via a scheduled task on April 8th. According to the analysis, it was compiled on March 23rd which suggests that the threat actors (Sandworm) behind this attack had planned it for over two weeks. Industroyer2 communicates over the IEC 60870-5-104 protocol, which is used by ICS/SCADA devices to communicate. This variant is different from the original Industroyer, which supported multiple ICS protocols.Caddywiper was deployed via a group policy object (GPO) to likely thwart any forensic recovery and analysis. It was found on machines that contained Industroyer2 installations. Other malware (ORCSHRED, SOLOSHRED, AWFULSHRED) found in these campaigns were destructive Linux and Solaris (UNIX) versions that acted as a worm and wiper and were deployed via shell scripts.What Operating Systems are Affected?Windows, Linux and Solaris systems are affected.What is the Severity of this Attack?Medium. This is limited specifically to targeted attacks.What is the Status of Coverage?FortiGuard Labs has the following (AV) signatures in place for publicly available samples as:W32/Agent.AECG!trData/KillDisk.NDA!trAll network IOC's are blocked by the WebFiltering client. | Malware Threat | ||
|
2022-04-01 14:09:48 | AcidRain Wiper Suspected in Satellite Broadband Outage in Europe (lien direct) | FortiGuard Labs is aware a report that a new wiper malware was deployed and destroyed data on modems and routers for KA-SAT satellite broadband services, resulting in service outages across Europe on February 24th, 2022. The service interruption also caused the disconnection of remote access to 5,800 wind turbines in Europe. According to security vendor SentinelOne, AcidRain wiper shares similarities with a VPNFilter stage 3 destructive plugin. The Federal Bureau of Investigation (FBI) and Department of Justice disrupted the VPNFilter botnet by seizing a domain that was part of the Command-and-Control (C2) infrastructure. The Russian-connected the Sofacy threat actor (also known as APT28, Sednit, Pawn Storm, Fancy Bear, and Tsar) is believed to have operated the VPNFilter botnet. Why is this Significant?This is significant not only because a new wiper malware was used in the attack but also because the attack caused service interruption for satellite broadband services in Europe, including Ukraine, and 5,800 wind turbines in Europe were knocked offline.Also, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI released a joint advisory on March 17th, 2022, warning of cyberattacks on U.S. and international satellite communication (SATCOM) networks. What Happened?According to the statement released by Viasat, a provider of KA-SAT satellite broadband services, the attack occurred in two phases.1. On February 24th, 2022, "malicious traffic were detected emanating from several SurfBeam2 and SurfBeam 2+ modems and/or associated customer premise equipment (CPE) physically located within Ukraine and serviced by one of the KA-SAT consumer-oriented network partitions. This targeted denial of service attack made it difficult for many modems to remain online." 2. Then, the company started to observe a gradual decline of the connected modems. Subsequently, a large number of additional modems across much of Europe exited the network and they did not re-enter to the network. The statement continues as saying that the attacker gained remote access to the trusted management segment of the KA-SAT network through a misconfigured VPN appliance. The threat actor moved laterally through the network and ultimately sent "legitimate, targeted management commands on a large number of residential modems simultaneously. Specifically, these destructive commands overwrote key data in flash memory on the modems, rendering the modems unable to access the network, but not permanently unusable."The belief is that "these destructive commands" refer to AcidRain wiper malware.What is VPNFilter malware?VPNFilter is a IoT malware that was first reported in mid-2018 and targeted home and Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices. The malware is not only capable of performing data exfiltration but also rendering devices completely inoperable.FortiGuard Labs published a research blog series on VPNFilter malware in 2018. See the Appendix for a link to "VPNFilter Malware - Critical Update" and "VPNFilter Update - New Attack Modules Documented".What is the threat actor Sofacy?Sofacy is a threat actor who is believed to operate for Russian interests. The threat actor has been in operation since at least 2007 and targets a wide range of sectors including government, military and security organizations.One of the most infamous activities carried out by the Sofacy group is their alleged involvement in hacking "networks and endpoints associated with the U.S. election" in 2016, in which the FBI the US Department of Homeland Security (DHS) released a join advisory on December 29th, 2016.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against AcidRain wiper malware believed to have been used in the attack:ELF/AcidRain.A!tr | Malware Threat | VPNFilter VPNFilter APT 28 | |
|
2022-03-31 09:58:02 | SpringShell (Spring4Shell) : New Unpatched RCE Vulnerability in Spring Core Framework (lien direct) | FortiGuard Labs is aware that an alleged Proof-of-Concept (POC) code for a new Remote Code Execution (RCE) vulnerability in Spring Core, part of the popular web open-source framework for Java called "Spring," was made available to the public (the POC was later removed). Dubbed SpringShell (Spring4Shell), CVE-2022-22965 has been assigned to the vulnerability and an emergency fix was released on March 31st, 2022.Why is this Significant?This is significant because Spring Core is part of Spring Framework, one of the most popular JAVA frameworks used in the field and is very popular for enterprise applications. As such, wide exploitation of the vulnerability can impact users globally if the security update is not applied.What is the Vulnerability Detail?An insecure de-serialization exists in Spring Core Framework. The vulnerability is due to insufficient validation of user supplied inputs and could lead to remote code execution.The official advisory reads "A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it".Has the Vendor Released an Advisory?An advisory has been published by both Spring and VMware, who supports Spring. See the Appendix for a link to "Spring Framework RCE, Early Announcement" and "CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+".What Versions of Spring Core are Vulnerable?The official advisory states that the following prerequisites for the exploit:JDK 9 or higherApache Tomcat as the Servlet containerPackaged as a traditional WAR (in contrast to a Spring Boot executable jar)spring-webmvc or spring-webflux dependencySpring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versionsHas a CVE been Assigned to the Vulnerability?CVE-2022-22965 has been assigned to the vulnerability.There is a lot of online chatter about SpringShell being related to CVE-2022-22963 or CVE-2022-27772, but that is not the case.CVE-2022-22963 is a vulnerability in Spring Cloud and was patched on March 29, 2022.CVE-2022-27772 is a vulnerability in Spring Boot that allows temporary directory hijacking.Has the Vendor Released a Patch?Yes, the fix was released on March 31, 2022 for the following versions of Spring Framework:5.3.185.2.20What is the Status of Coverage?FortiGuard Labs provides the following AV coverage based on available SpringShell POCs:Python/SpingShell.A!exploitFortiGuard Labs is currently investigating for IPS coverage. This Threat Signal will be updated when coverage becomes available. | Vulnerability Threat Guideline | ||
|
2022-03-25 14:41:37 | Another Wiper Malware Targeted Enterprises in Ukraine #DoubleZero (lien direct) | FortiGuard Labs is aware that enterprises in Ukraine were targeted by another wiper malware. Dubbed "DoubleZero," the malware was distributed in a zip archive and destroys the compromised machine by overwriting files and deleting registry keys.Why is this Significant?This is significant because DoubleZero is the latest wiper malware used in the current Russia-Ukraine war and aims to destroy machines belonging to enterprises in Ukraine.FortiGuard Labs previous published multiple Threat Signals on other wiper malware that targeted Ukraine. See the Appendix for links to "Additional Wiper Malware Deployed in Ukraine #CaddyWiper," "New Wiper Malware Discovered Targeting Ukrainian Interests" and "Wiper Malware Hit Ukrainian Organizations."How Widespread is the Malware?At this time, there is no report that DoubleZero affected organizations outside of Ukraine.How does DoubleZero Work?DoubleZero was distributed in several ZIP archives, one of which is called "Virus ... extremely dangerous !!!. Zip." Once DoubleZero runs, it overwrites or uses API calls to zero out non-system files system files before moving on to overwrite critical system files and registry keys.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against the files involved in the attack:MSIL/DZeroWiper.CK!tr | Malware Threat | ||
|
2022-03-23 00:26:45 | Joint CyberSecurity Advisory Alert on AvosLocker Ransomware (lien direct) | FortiGuard Labs is aware that a joint advisory on AvosLocker malware was recently issued by the Federal Bureau of Investigation (FBI) and the US Department of Treasury. AvosLocker is a Ransomware-as-a-Service (RaaS) that has targeted organizations across multiple critical infrastructure sectors in the United States. The targeted sectors include financial services, critical manufacturing, and government facilities organizations. Other AvosLocker victims are in multiple countries throughout the world. Why is this Significant?This is significant because the joint advisory indicates that organizations across multiple critical infrastructure sectors in the United States were targeted by AvosLocker ransomware. The advisory calls out vulnerabilities that the ransomware group exploited, which companies need to consider patching as soon as possible.What is AvosLocker?AvosLocker ransomware targets Windows and Linux systems and was first observed in late June 2021. As Ransomware-as-a-Service, AvosLocker is advertised on a number of Dark Web communities, recruiting affiliates (partners) and access brokers. After breaking into a target and locating accessible files on the victim network, AvosLocker exfiltrates data, encrypts the files with AES-256, and leaves a ransom note "GET_YOUR_FILES_BACK.txt". Some of the known file extensions that AvosLocker adds to the files it encrypted are ".avos", ".avos2", and ".avoslinux".On top of leaving a ransom note to have the victim pay in order to recover their encrypted files and to not have their stolen information disclosed to the public, some AvosLocker victims were reported to have received phone calls from an AvosLocker attacker. The calls threatened the victim to go to the payment site for negotiation. Some victims also received an additional threat that the attacker would launch Distributed Denial-of-Service (DDoS) attacks against them. AvosLocker's leak site is called "press release" where the victims are listed along with a description about them.How Widespread is AvosLocker Ransomware?The advisory indicates that AvosLocker's known victims are "in the United States, Syria, Saudi Arabia, Germany, Spain, Belgium, Turkey, United Arab Emirates, United Kingdom, Canada, China, and Taiwan".What Vulnerabilities are Exploited by AvosLocker?The advisory states that "multiple victims have reported on premise Microsoft Exchange Server vulnerabilities as the likely intrusion vector". Those vulnerabilities include CVE-2021-26855 and ProxyShell, which is an exploit attack chain involving three Microsoft exchange vulnerabilities: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207. Also, a path traversal vulnerability in the FortiOS SSL-VPN web portal was reported to have been exploited by the AvosLocker group.FortiGuard Labs previously posted a Threat Signal on ProxyShell. See the Appendix for a link to "Vulnerable Microsoft Exchange Servers Actively Scanned for ProxyShell" and FortiGuard Labs released a patch for CVE-2018-13379 in May 2019. For additional information, see the Appendix for a link to "Malicious Actor Discloses FortiGate SSL-VPN Credentials", and "The Art of War (and Patch Management)" for the importance of patch management.What Tools is AvosLocker Known to Utilize?The advisory references the following tools:Cobalt StrikeEncoded PowerShell scriptsPuTTY Secure Copy client tool "pscp.exe"RcloneAnyDeskScannerAdvanced IP ScannerWinLister What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against known samples of AvosLocker ransomware:W32/Cryptor.OHU!tr.ransomW32/Filecoder.OHU!tr.ransomELF/Encoder.A811!tr.ransomLinux/Filecoder_AvosLocker.A!trPossibleThreatFortiGuard Labs provides the following AV coverage against ProxyShell:MSIL/proxyshell.A!trMSIL/proxyshell.B!trFortiGuard Labs provides the following IPS coverage against CVE-2021-26855, ProxyShell, and CVE-2018-13379:MS.Exchange.Server.ProxyRequestHandler.Remote.Code.Execution (CVE-2021-26855)MS.Exchange.Server.CVE-2021-34473.Remote.Code.Execution (CVE-2021-34473)MS.Exchange.Server.Common.Access.Token.Privil | Ransomware Malware Tool Vulnerability Threat Patching | ★★ |
To see everything:
Our RSS (filtrered)
