FortiGuard Labs is aware that the U.S. Federal Bureau of Investigation (FBI) released the updated indicators of compromise (IOCs) for RagnarLocker (Ragnar_Locker) Ransomware on March 8th, 2022. The report states “As of January 2022, the FBI has identified at least 52 entities across 10 critical infrastructure sectors affected by RagnarLocker ransomware, including entities in the critical manufacturing, energy, financial services, government, and information technology sectors.”The first sighting of the ransomware goes back to at least February, 2020. RagnarLocker ransomware employs triple extortion tactics: it demands ransom after encrypting files, threatens to publicize stolen data and to stop DDoS (Distributed Denial of Service) attack against the victim.Why is this Significant?This is significant because the FBI is aware that more than 50 organizations across 10 critical infrastructure sectors were affected by RagnarLocker ransomware. The fact the FBI has made additional IOCs available to the public insinuates that RagnarLocker will continue to be active and will likely produce more victims.What is RagnarLocker Ransomware?The first report of RagnarLocker (Ragnar_Locker) ransomware dates back to as early as February 2020.Just like any other ransomware, RagnarLocker encrypts files on the compromised machine and steals valuable data. It also deletes all Volume Shadow Copies, which prevents recovery of the encrypted files. Although there are some exceptions, files encrypted by RagnarLocker ransomware generally have a file extension that starts with .ragnar_ or ragn@r_ followed by random characters.On top of usual ransom demand to decrypt the files it encrypted, the ransomware threatens to publicize the data it stole from the victim if the ransom demand is not met. The RagnarLocker threat actors also adds pressure to the victim to pay the ransom by performing DDoS (Distributed Denial of Service) attack against the victim.One notable thing about this ransomware is that it has code to check the location of the computer before encryption process starts. If the computer belongs Russia, Azerbaijan, Armenia, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Tajikistan, Turkmenistan, Uzbekistan and Ukraine, the ransomware terminates itself. What are the Mitigations for RagnarLocker Ransomware?The following are the mitigations recommended by FBI:Back-up critical data offline.Ensure copies of critical data are in the cloud or on an external hard drive or storage device. This information should not be accessible from the compromised network.Secure your back-ups and ensure data is not accessible for modification or deletion from the system where the data resides.Use multi-factor authentication with strong passwords, including for remote access services.Keep computers, devices, and applications patched and up-to-date.Monitor cyber threat reporting regarding the publication of compromised VPN login credentials and change passwords and settings.Consider adding an email banner to emails received from outside your organization.Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.Audit user accounts with administrative privileges and configure access controls with least privilege in mind.Implement network segmentation.What is the Status of Coverage?FortiGuard Labs provide the following AV coverage against RagnarLocker ransomware:Linux/Filecoder_RagnarLocker.A!trW32/RagnarLocker.43B7!tr.ransomW32/Filecoder_RagnarLocker.A!trW32/RagnarLocker.A!tr.ransomW32/RagnarLocker.C!trW32/RagnarLocker.B!tr.ransomW32/RagnarLocker.4C9D!tr.ransomW32/Filecoder_RagnarLocker.A!tr.ransomW32/RagnarLocker.C!tr.ransomW32/Filecoder_RagnarLocker.C!trW32/Filecoder.94BA!tr.ransomW32/Filecoder.OAH!tr.ransomAll network IOCs are blocked by the WebFiltering client.

Read More

FortiGuard Labs is aware of a report from CERT-UA that Ukrainian organizations are under cyberattacks that aim to install a publicly available backdoor named “MicroBackdoor.” The cyberattacks are attributed to APT group “UAC-0051”, also known as unc1151, who has reportedly acted for Belarusian government’s interests in the past.Why is this Significant?This is significant because, according to CERT-UA, Ukraine organizations were attacked by an APT group whose past activities are said to be aligned with Belarusian government’s interests.What’s the Detail of the Attack?Unfortunately, the initial attack vector is unknown. What’s known is that the victims received “dovidka.zip”, which contains “dovidka.chm”. The CHM file contains two files. An image.jpg is an image file used as a decoy. Another file is file.htm, which creates “ignit.vbs”. The VBS file decodes three files: “core.dll,” “desktop.ini” and “Windows Prefetch.lnk.” The LNK file launches the INI file using wscript.exe. Then, the INI file runs the DLL using regasm.exe. The core.dll is a .NET loader that decodes and executes MicroBackdoor on the compromised machine.What is MicroBackdoor?MicroBackdoor is a publicly available backdoor that receives commands from a Command and Control (C2) server and performs various activities.According to the description on the MicroBackdoor repository”Micro Backdoor client supports 32-bit and 64-bit versions of Windows XP, Vista, 7, 8, 8.1, 10, Server 2003, Server 2003 R2, Server 2008, Server 2008 R2, Server 2012, Server 2012 R2, Server 2016 and Server 2019 of any editions, languages and service packs.”What is the Status of Coverage?FortiGuard Labs provide the following AV coverage against available files involved in the attack:PossibleThreat.PALLAS.HVBS/Agent.OVE!trLNK/Agent.7AB4!trAll network IOCs are blocked by the WebFiltering client.

Read More

Jeremy Mousset discovered two XML parsing vulnerabilities in the Tryton
application platform, which may result in information disclosure or
denial of service.

Read More

Jeremy Mousset discovered two XML parsing vulnerabilities in the Tryton
application platform, which may result in information disclosure or
denial of service.

Read More