Ransomware Roundup – 2022/05/26

Read Time:4 Minute, 57 Second

FortiGuard Labs became aware of a number of new Ransomware strains for the week of May 23rd, 2022. It is imperative to raise awareness about new ransomware as infections can cause severe damage to the affected machines and organizations. This Threat Signal covers Yashma ransomware, GoodWill ransomware and Horsemagyar ransomware along with Fortinet protections against them.What is Yashma Ransomware?Yashma ransomware is a new and is generated through Yashma ransomware builder. It is claimed as the sixth version of Chaos ransomware builder. Reportedly, compared to the fifth version, Yashma ransomware builder now supports the “forbidden country” option which attackers can choose not to run the generated ransomware based on the victim’s location. The new builder also enables the ransomware to stop a wide variety of services running on the compromised machine such as anti-malware solutions, and Remote Desktop and Backup services. Additionally, it is important to note that from the fifth version of Chaos ransomware builder, the crafted ransomware can successfully encrypt files larger than 2,117,152 bytes and no longer corrupts them.A known sample of Yashma ransomware has the following ransom note:All of your files have been encrypted with Yashma ransomwareYour computer was infected with a ransomware. Your files have been encrypted and you won’tbe able to decrypt them without our help.What can I do to get my files back?You can buy our specialdecryption software, this software will allow you to recover all of your data and remove theransomware from your computer.The price for the software is $1,500. Payment can be made in Bitcoin only.How do I pay, where do I get Bitcoin?Purchasing Bitcoin varies from country to country, you are best advised to do a quick google searchyourself to find out how to buy Bitcoin.Many of our customers have reported these sites to be fast and reliable:Coinmama – hxxps://www[.]coinmama[.]com Bitpanda – hxxps://www[.]bitpanda[.]comPayment informationAmount: 0.1473766 BTCBitcoin Address: [removed] At the time of this writing, the attacker’s bitcoin wallet has no transactions.FortiGuard Labs previously released several blogs on Chaos ransomware. See the Appendix for links to “Chaos Ransomware Variant Sides with Russia” and “Chaos Ransomware Variant in Fake Minecraft Alt List Brings Destruction to Japanese Gamers”.What is the Status of Coverage for Yashma ransomware?FortiGuard Labs provides the following AV coverage against a known sample of Yashma ransomware:MSIL/Filecoder.APU!tr.ransomWhat is GoodWill Ransomware?GoodWill ransomware was recently discovered, however it appears to have been first observed in March 2022. The ransomware encrypts files on the compromised machine and adds a “.gdwill” file extension to the affected files.Unlike other ransomware that demands ransom to recover the encrypted files, GoodWill asks the victim to do three good deeds. Firstly, the victim must provide clothes and blankets to needy people on the street. Secondly, the victim must feed dinner to five children at a pizza or fried chicken joint. Lastly, the victim must visit a local hospital and provide financial assistance to those in need. After finishing each deed, proof must be provided to the attacker, and a decryption tool and video instruction will be provided to the victim after completing all the deeds.What is the Status of Coverage for GoodWill ransomware?FortiGuard Labs provides the following AV coverage against GoodWill ransomware:MSIL/Filecoder.AGR!tr.ransomWhat is Horsemagyar Ransomware?Horsemagyar ransomware is a new variant of Sojusz ransomware that was recently discovered. It encrypts files on the compromised machine and adds “.[10 digit ID number].spanielearslook.likeoldboobs” file extension to the encrypted files. The ransomware leaves a ransom note as Horse.txt. The first sighting of Sojusz ransomware goes back to February, 2022 and it added a “.[10 digit ID number].[attacker’s email address].bec” extension to the files it encrypted.Example of ransom note left behind by Horsemagyar ransomware is below:::: Hello my dear friend :::Unfortunately for you, a major IT security weakness left you open to attack, your files have been encryptedIf you want to restore them,write to our skype – [removed] DECRYPTIONAlso you can write ICQ live chat which works 24/7 @[removed]Install ICQ software on your PC https://icq[.]com/windows/ or on your mobile phone search in Appstore / Google market ICQWrite to our ICQ @HORSEMAGYAR https://icq[.]im/[removed]If we not reply in 6 hours you can write to our mail but use it only if previous methods not working – [removed]@onionmail.orgAttention!* Do not rename encrypted files.* Do not try to decrypt your data using third party software, it may cause permanent data loss.* We are always ready to cooperate and find the best way to solve your problem.* The faster you write, the more favorable the conditions will be for you.* Our company values its reputation. We give all guarantees of your files decryption,such as test decryption some of themWe respect your time and waiting for respond from your sidetell your MachineID: MAHINE_ID and LaunchID: LAUNCH__IDSensitive data on your system was DOWNLOADED.If you DON’T WANT your sensitive data to be PUBLISHED you have to act quickly.Data includes:- Employees personal data, CVs, DL, SSN.- Complete network map including credentials for local and remote services.- Private financial information including: clients data, bills, budgets, annual reports, bank statements.- Manufacturing documents including: datagrams, schemas, drawings in solidworks format- And more…What is the Status of Coverage against Horsemagyar Ransomware?FortiGuard Labs provides the following AV coverage against Horsemagyar ransomware:W32/Filecoder.NSF!tr.ransomAnything Else to Note?Victims of ransomware are cautioned against paying ransoms by such organizations as CISA, NCSC, the FBI, and HHS. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities which could potentially be illegal according to a U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) advisory.

Read More

CWE

Read Time:1 Minute, 11 Second

CWE (Common Weakness Enumeration) is a list of common types of hardware and software defects that have security implications. The CWE list can be used as a framework to describe and communicate such vulnerabilities in terms of CWEs.

The goal is to support all those methods (including automatic ones) to control and prevent software errors. It can be used at the development stage, during the Code Review activity, and later on during the penetration test activity to classify and communicate the vulnerability type to developers. The system is at version 4.7 and contains over 600 categories of weaknesses and vulnerabilities

The CWE Top 25 Most Dangerous Software Weakness List is a list of the most common programming errors that can lead to software vulnerabilities. Vulnerabilities present in the CWE Top 25 are usually easy to detect and exploit. For example, the CWE-79 is related to Cross-Site Scripting while the CWE-89 to SQL Injection. A similar project is Top Ten Owasp (Open Web Application Security Project). Compared to the CWE Top 25, the Top Ten OWASP focuses solely on vulnerabilities of web applications.
The CWE Most Important Hardware Weakness List serves the same purpose, but it focuses on hardware defects.

Please check our post about Vulnerability Analysis to learn more about CWE usage.

Please find a list of all the CWE below or use the search box above to find a specific CWE.

  • CWE-775 – Missing Release of File Descriptor or Handle after Effective Lifetime

    Description The software does not release a file descriptor or handle after its effective lifetime has ended, i.e., after the file descriptor/handle is no longer needed. When a file descriptor or handle is not released after use (typically by explicitly closing it), attackers can cause a denial of service by consuming all available file descriptors/handles,…

  • CWE-776 – Improper Restriction of Recursive Entity References in DTDs (‘XML Entity Expansion’)

    Description The software uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities. If the DTD contains a large number of nested or recursive entities, this can lead to explosive growth of data when parsed, causing…

  • CWE-777 – Regular Expression without Anchors

    Description The software uses a regular expression to perform neutralization, but the regular expression is not anchored and may allow malicious or malformed data to slip through. When performing tasks such as validating against a set of allowed inputs (allowlist), data is examined and possibly modified to ensure that it is well-formed and adheres to…

  • CWE-778 – Insufficient Logging

    Description When a security-critical event occurs, the software either does not record the event or omits important details about the event when logging it. When security-critical events are not logged properly, such as a failed login attempt, this can make malicious behavior more difficult to detect and may hinder forensic analysis after an attack succeeds.…

  • CWE-779 – Logging of Excessive Data

    Description The software logs too much information, making log files hard to process and possibly hindering recovery efforts or forensic analysis after an attack. While logging is a good practice in general, and very high levels of logging are appropriate for debugging stages of development, too much logging in a production environment might hinder a…

  • CWE-78 – Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

    Description The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. Modes of Introduction: – Architecture and Design Likelihood of Exploit: High  …

  • CWE-780 – Use of RSA Algorithm without OAEP

    Description The software uses the RSA algorithm but does not incorporate Optimal Asymmetric Encryption Padding (OAEP), which might weaken the encryption. Padding schemes are often used with cryptographic algorithms to make the plaintext less predictable and complicate attack efforts. The OAEP scheme is often used with RSA to nullify the impact of predictable common text.…

  • CWE-781 – Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code

    Description The software defines an IOCTL that uses METHOD_NEITHER for I/O, but it does not validate or incorrectly validates the addresses that are provided. When an IOCTL uses the METHOD_NEITHER option for I/O control, it is the responsibility of the IOCTL to validate the addresses that have been supplied to it. If validation is missing…

  • CWE-782 – Exposed IOCTL with Insufficient Access Control

    Description The software implements an IOCTL with functionality that should be restricted, but it does not properly enforce access control for the IOCTL. Modes of Introduction: – Architecture and Design Likelihood of Exploit:   Related Weaknesses CWE-749 CWE-781   Consequences Integrity, Availability, Confidentiality: Attackers can invoke any functionality that the IOCTL offers. Depending on the…

  • CWE-783 – Operator Precedence Logic Error

    Description The program uses an expression in which operator precedence causes incorrect logic to be used. While often just a bug, operator precedence logic errors can have serious consequences if they are used in security-critical code, such as making an authentication decision. Modes of Introduction: – Implementation Likelihood of Exploit: Low   Related Weaknesses CWE-670…

  • CWE-784 – Reliance on Cookies without Validation and Integrity Checking in a Security Decision

    Description The application uses a protection mechanism that relies on the existence or values of a cookie, but it does not properly ensure that the cookie is valid for the associated user. Attackers can easily modify cookies, within the browser or by implementing the client-side code outside of the browser. Attackers can bypass protection mechanisms…

  • CWE-785 – Use of Path Manipulation Function without Maximum-sized Buffer

    Description The software invokes a function for normalizing paths or file names, but it provides an output buffer that is smaller than the maximum possible size, such as PATH_MAX. Passing an inadequately-sized output buffer to a path manipulation function can result in a buffer overflow. Such functions include realpath(), readlink(), PathAppend(), and others. Windows provides…

  • CWE-732 – Incorrect Permission Assignment for Critical Resource

    Description The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. When a resource is given a permissions setting that provides access to a wider range of actors than required, it could lead to the exposure of sensitive information, or the modification…

  • CWE-733 – Compiler Optimization Removal or Modification of Security-critical Code

    Description The developer builds a security-critical protection mechanism into the software, but the compiler optimizes the program such that the mechanism is removed or modified. Modes of Introduction: Likelihood of Exploit:   Related Weaknesses CWE-1038   Consequences Access Control, Other: Bypass Protection Mechanism, Other   Potential Mitigations CVE References   CVE-2008-1685 C compiler optimization, as…

  • CWE-74 – Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’)

    Description The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. Software has certain assumptions about what constitutes…

  • CWE-749 – Exposed Dangerous Method or Function

    Description The software provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted. Modes of Introduction: – Architecture and Design Likelihood of Exploit: Low   Related Weaknesses CWE-664 CWE-691   Consequences Integrity, Confidentiality, Availability, Access Control, Other:…

  • CWE-75 – Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)

    Description The software does not adequately filter user-controlled input for special elements with control implications. Modes of Introduction: – Architecture and Design Likelihood of Exploit:   Related Weaknesses CWE-74   Consequences Integrity, Confidentiality, Availability: Modify Application Data, Execute Unauthorized Code or Commands   Potential Mitigations Phase: Requirements Effectiveness: Description:  Programming languages and supporting technologies might…

  • CWE-754 – Improper Check for Unusual or Exceptional Conditions

    Description The software does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the software. Many functions will return some value about the success of their actions. This will alert the program whether or not to handle any errors caused by…

  • CWE-755 – Improper Handling of Exceptional Conditions

    Description The software does not handle or incorrectly handles an exceptional condition. Modes of Introduction: – Implementation Likelihood of Exploit: Medium   Related Weaknesses CWE-703   Consequences Other: Other   Potential Mitigations CVE References   CVE-2021-3011 virtual interrupt controller in a virtualization product allows crash of host by writing a certain invalid value to a…

  • CWE-756 – Missing Custom Error Page

    Description The software does not return custom error pages to the user, possibly exposing sensitive information. Modes of Introduction: Likelihood of Exploit:   Related Weaknesses CWE-755 CWE-209   Consequences Confidentiality: Read Application Data Attackers can leverage the additional information provided by a default error page to mount attacks targeted on the framework, database, or other…

  • CWE-757 – Selection of Less-Secure Algorithm During Negotiation (‘Algorithm Downgrade’)

    Description A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties. When a security mechanism can be forced to downgrade to…

  • CWE-758 – Reliance on Undefined, Unspecified, or Implementation-Defined Behavior

    Description The software uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity. This can lead to resultant weaknesses when the required properties change, such as when the software is ported to a different platform or if an interaction…

  • CWE-759 – Use of a One-Way Hash without a Salt

    Description The software uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the software does not also use a salt as part of the input. In cryptography, salt refers to some random addition of data to an input before hashing to make dictionary attacks more difficult.…

  • CWE-76 – Improper Neutralization of Equivalent Special Elements

    Description The software properly neutralizes certain special elements, but it improperly neutralizes equivalent special elements. The software may have a fixed list of special characters it believes is complete. However, there may be alternate encodings, or representations that also have the same meaning. For example, the software may filter out a leading slash (/) to…

  • CWE-760 – Use of a One-Way Hash with a Predictable Salt

    Description The software uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the software uses a predictable salt as part of the input. In cryptography, salt refers to some random addition of data to an input before hashing to make dictionary attacks more difficult. Modes of…

  • CWE-761 – Free of Pointer not at Start of Buffer

    Description The application calls free() on a pointer to a memory resource that was allocated on the heap, but the pointer is not at the start of the buffer. Modes of Introduction: – Implementation Likelihood of Exploit:   Related Weaknesses CWE-763 CWE-404   Consequences Integrity, Availability, Confidentiality: Modify Memory, DoS: Crash, Exit, or Restart, Execute…

  • CWE-762 – Mismatched Memory Management Routines

    Description The application attempts to return a memory resource to the system, but it calls a release function that is not compatible with the function that was originally used to allocate that resource. Modes of Introduction: – Implementation Likelihood of Exploit: Low   Related Weaknesses CWE-763 CWE-404   Consequences Integrity, Availability, Confidentiality: Modify Memory, DoS:…

  • CWE-763 – Release of Invalid Pointer or Reference

    Description The application attempts to return a memory resource to the system, but calls the wrong release function or calls the appropriate release function incorrectly. Modes of Introduction: – Implementation Likelihood of Exploit:   Related Weaknesses CWE-404 CWE-404 CWE-404   Consequences Integrity, Availability, Confidentiality: Modify Memory, DoS: Crash, Exit, or Restart, Execute Unauthorized Code or…

  • CWE-764 – Multiple Locks of a Critical Resource

    Description The software locks a critical resource more times than intended, leading to an unexpected state in the system. When software is operating in a concurrent environment and repeatedly locks a critical resource, the consequences will vary based on the type of lock, the lock’s implementation, and the resource being protected. In some situations such…

  • CWE-765 – Multiple Unlocks of a Critical Resource

    Description The software unlocks a critical resource more times than intended, leading to an unexpected state in the system. When software is operating in a concurrent environment and repeatedly unlocks a critical resource, the consequences will vary based on the type of lock, the lock’s implementation, and the resource being protected. In some situations such…

  • CWE-766 – Critical Data Element Declared Public

    Description The software declares a critical variable, field, or member to be public when intended security policy requires it to be private. Modes of Introduction: – Architecture and Design Likelihood of Exploit:   Related Weaknesses CWE-1061   Consequences Integrity, Confidentiality: Read Application Data, Modify Application Data Making a critical variable public allows anyone with access…

  • CWE-767 – Access to Critical Private Variable via Public Method

    Description The software defines a public method that reads or modifies a private variable. If an attacker modifies the variable to contain unexpected values, this could violate assumptions from other parts of the code. Additionally, if an attacker can read the private variable, it may expose sensitive information or make it easier to launch further…

  • CWE-690 – Unchecked Return Value to NULL Pointer Dereference

    Description The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference. While unchecked return value weaknesses are not limited to returns of NULL pointers (see the examples in CWE-252), functions often return NULL to…

  • CWE-691 – Insufficient Control Flow Management

    Description The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways. Modes of Introduction: – Architecture and Design Likelihood of Exploit:   Related Weaknesses   Consequences Other: Alter Execution Logic   Potential Mitigations CVE References  

  • CWE-692 – Incomplete Denylist to Cross-Site Scripting

    Description The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed. While XSS might seem simple to prevent, web browsers vary so widely in how they parse web pages, that a denylist cannot keep track of all the variations. The “XSS Cheat Sheet”…

  • CWE-693 – Protection Mechanism Failure

    Description The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. This weakness covers three distinct situations. A “missing” protection mechanism occurs when the application does not define any mechanism against a certain class of attack. An “insufficient” protection mechanism might provide some defenses…

  • CWE-694 – Use of Multiple Resources with Duplicate Identifier

    Description The software uses multiple resources that can have the same identifier, in a context in which unique identifiers are required. If the software assumes that each resource has a unique identifier, the software could operate on the wrong resource if attackers can cause multiple resources to be associated with the same identifier. Modes of…

  • CWE-695 – Use of Low-Level Functionality

    Description The software uses low-level functionality that is explicitly prohibited by the framework or specification under which the software is supposed to operate. The use of low-level functionality can violate the specification in unexpected ways that effectively disable built-in protection mechanisms, introduce exploitable inconsistencies, or otherwise expose the functionality to attack. Modes of Introduction: –…

  • CWE-696 – Incorrect Behavior Order

    Description The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways which may produce resultant weaknesses. Modes of Introduction: – Architecture and Design Likelihood of Exploit:   Related Weaknesses CWE-691   Consequences Integrity: Alter Execution Logic   Potential Mitigations CVE References   CVE-2019-9805 Chain: Creation of the packet…

  • CWE-697 – Incorrect Comparison

    Description The software compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses. Modes of Introduction: – Implementation Likelihood of Exploit:   Related Weaknesses   Consequences Other: Varies by Context   Potential Mitigations CVE References   CVE-2016-10003 Proxy performs incorrect comparison of request headers, leading to infoleak

  • CWE-698 – Execution After Redirect (EAR)

    Description The web application sends a redirect to another location, but instead of exiting, it executes additional code. Modes of Introduction: – Implementation Likelihood of Exploit:   Related Weaknesses CWE-705 CWE-670   Consequences Other, Confidentiality, Integrity, Availability: Alter Execution Logic, Execute Unauthorized Code or Commands This weakness could affect the control flow of the application…

  • CWE-7 – J2EE Misconfiguration: Missing Custom Error Page

    Description The default error page of a web application should not display sensitive information about the software system. Modes of Introduction: – Architecture and Design Likelihood of Exploit:   Related Weaknesses CWE-756   Consequences Confidentiality: Read Application Data A stack trace might show the attacker a malformed SQL query string, the type of database being…

  • CWE-703 – Improper Check or Handling of Exceptional Conditions

    Description The software does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the software. Modes of Introduction: – Architecture and Design Likelihood of Exploit:   Related Weaknesses   Consequences Confidentiality, Availability, Integrity: Read Application Data, DoS: Crash, Exit, or Restart, Unexpected State   Potential Mitigations CVE References  

  • CWE-704 – Incorrect Type Conversion or Cast

    Description The software does not correctly convert an object, resource, or structure from one type to a different type. Modes of Introduction: – Architecture and Design Likelihood of Exploit:   Related Weaknesses CWE-664   Consequences Other: Other   Potential Mitigations CVE References  

  • CWE-705 – Incorrect Control Flow Scoping

    Description The software does not properly return control flow to the proper location after it has completed a task or detected an unusual condition. Modes of Introduction: – Architecture and Design Likelihood of Exploit:   Related Weaknesses CWE-691   Consequences Other: Alter Execution Logic, Other   Potential Mitigations CVE References   CVE-2014-1266 chain: incorrect “goto”…

  • CWE-706 – Use of Incorrectly-Resolved Name or Reference

    Description The software uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere. Modes of Introduction: – Architecture and Design Likelihood of Exploit:   Related Weaknesses CWE-664 CWE-99   Consequences Confidentiality, Integrity: Read Application Data, Modify Application Data   Potential Mitigations…

  • CWE-707 – Improper Neutralization

    Description The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component. Modes of Introduction: – Architecture and Design Likelihood of Exploit:   Related Weaknesses   Consequences Other: Other   Potential…

  • CWE-708 – Incorrect Ownership Assignment

    Description The software assigns an owner to a resource, but the owner is outside of the intended control sphere. This may allow the resource to be manipulated by actors outside of the intended control sphere. Modes of Introduction: – Architecture and Design Likelihood of Exploit:   Related Weaknesses CWE-282 CWE-345   Consequences Confidentiality, Integrity: Read…

  • CWE-71 – DEPRECATED: Apple ‘.DS_Store’

    Description This entry has been deprecated as it represents a specific observed example of a UNIX Hard Link weakness type rather than its own individual weakness type. Please refer to CWE-62. Modes of Introduction: Likelihood of Exploit:   Related Weaknesses   Consequences   Potential Mitigations CVE References  

  • CWE-710 – Improper Adherence to Coding Standards

    Description The software does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities. Modes of Introduction: – Architecture and Design Likelihood of Exploit:   Related Weaknesses   Consequences Other: Other   Potential Mitigations Phase: Implementation Effectiveness: Description:  Document and closely follow coding standards.…

  • CWE-72 – Improper Handling of Apple HFS+ Alternate Data Stream Path

    Description The software does not properly handle special paths that may identify the data or resource fork of a file on the HFS+ file system. If the software chooses actions to take based on the file name, then if an attacker provides the data or resource fork, the software may take unexpected actions. Further, if…

  • CWE-73 – External Control of File Name or Path

    Description The software allows user input to control or influence paths or file names that are used in filesystem operations. Modes of Introduction: – Architecture and Design Likelihood of Exploit: High   Related Weaknesses CWE-642 CWE-610 CWE-20 CWE-22 CWE-41 CWE-98 CWE-434 CWE-59   Consequences Integrity, Confidentiality: Read Files or Directories, Modify Files or Directories The…

USN-5450-1: Subversion vulnerabilities

Read Time:21 Second

Evgeny Kotkov discovered that subversion servers did not properly follow
path-based authorization rules in certain cases. An attacker could
potentially use this issue to retrieve information about private paths.
(CVE-2021-28544)

Thomas Weißschuh discovered that subversion servers did not properly handle
memory in certain configurations. A remote attacker could potentially use
this issue to cause a denial of service or other unspecified impact.
(CVE-2022-24070)

Read More

New Linux-based ransomware targets VMware servers

Read Time:45 Second

Researchers at Trend Micro have discovered some new Linux-based ransomware that’s being used to attack VMware ESXi servers, a bare-metal hypervisor for creating and running several virtual machines (VMs) that share the same hard drive storage. Called Cheerscrypt, the bad app is following in the footsteps of other ransomware programs—such as LockBit, Hive and RansomEXX—that have found ESXi an efficient way to infect many computers at once with malicious payloads.

Roger Grimes, a defense evangelist with security awareness training provider KnowBe4, explains that most of the world’s organizations operate using VMware virtual machines. “It makes the job of ransomware attackers far easier because they can encrypt one server—the VMware server—and then encrypt every guest VM it contains. One compromise and encryption command can easily encrypt dozens to hundreds of other virtually run computers all at once.”

To read this article in full, please click here

Read More

Rapidly evolving IoT malware EnemyBot now targeting Content Management System servers and Android devices

Read Time:11 Minute, 41 Second

Executive summary

AT&T Alien Labs™ has been tracking a new IoT botnet dubbed “EnemyBot”, which is believed to be distributed by threat actor Keksec. During our investigations, Alien Labs has discovered that EnemyBot is expanding its capabilities, exploiting recently identified vulnerabilities (2022), and now targeting IoT devices, web servers, Android devices and content management system (CMS) servers. In addition, the malware base source code can now be found online on Github, making it widely accessible.

Key takeaways:

EnemyBot’s base source code can be found on Github, making it available to anyone who wants to leverage the malware in their attacks.
The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities.
Services such as VMware Workspace ONE, Adobe ColdFusion, WordPress, PHP Scriptcase and more are being targeted as well as IoT and Android devices.
The threat group behind EnemyBot, Keksec, is well-resourced and has the ability to update and add new capabilities to its arsenal of malware on a daily basis (see below for more detail on Keksec)

Background

First discovered by Securonix in March 2022 and later detailed in an in-depth analysis by Fortinet, EnemyBot is a new malware distributed by the threat actor “Keksec” targeting Linux machines and IoT devices.

According to the malware Github’s repository, EnemyBot derives its source code from multiple botnets to a powerful and more adjustable malware. The original botnet code that EnemyBot is using includes: Mirai, Qbot, and Zbot. In addition, the malware includes custom development (see figure 1).

Figure 1. EnemyBot page on Github.

The Keksec threat group is reported to have formed back in 2016 by a number of experienced botnet actors. In November 2021, researchers from Qihoo 360 described in detail the threat actor’s activity in a presentation, attributing to the Keksec the development of botnets for different platforms including Windows and Linux:

Linux based botnets: Tsunami and Gafgyt
Windows based botnets: DarkIRC, DarkHTTP
Dual systems: Necro (developed in Python)

Source code analysis

The developer of the Github page on EnemyBot self describes as a “full time malware dev,” that is also available for contract work. The individual states their workplace as “Kek security,” implying a potential relationship with the broader Keksec group (see figure 2).

Figure 2. EnemyBot developer description.

The malware repository on Github contains four main sections:

cc7.py

This module is a Python script file that downloads all dependencies and compiles the malware into different OS architectures including x86, ARM, macOS, OpenBSD, PowerPC, MIPS, and more (see figure 3)

Figure 3. Compiling malware source code to macOS executable.

Once compilation is complete, the script then creates a batch file ‘update.sh’ which is used by the bot as a downloader that is then delivered to any identified vulnerable targets to spread the malware.

Figure 4. Generated `update.sh` file to spread EnemyBot on different architectures.

enemy.c

This is the main bot source code. Though it is missing the main exploitation function, it includes all other functionality of the malware and the attacks the bot supports by mixing the various botnet source codes as mentioned above (Mirai, Qbot, and Zbot) — mainly Mirai and Qbot (see figure 5).

 

Figure 5. EnemyBot source code.

hide.c

This module is compiled and manually executed to encode / decode the malware’s strings by the attacker to hide strings in binary. For that, the malware is using a simple swap table, in which each char is replaced with a corresponding char in the table (see in figure 6).

Figure 6. String decode.

servertor.c

Figure 7 shows the command-and-control component (C&C) botnet controller. C&C will be executed on a dedicated machine that is controlled by the attacker. It can control and send commands to infected machines. (figure 7)

Figure 7. C&C component.

New variant analysis

Most of EnemyBot functionality relates to the malware’s spreading capabilities, as well as its ability to scan public-facing assets and look for vulnerable devices. However, the malware also has DDoS capabilities and can receive commands to download and execute new code (modules) from its operators that give the malware more functionality.

In new variants of EnemyBot, the malware added a webscan function containing a total of 24 exploits to attack vulnerabilities of different devices and web servers (see figure 8).

Figure 8. EnemyBot calls for a new function “webscan_xywz”.

To perform these functions, the malware randomly scans IP addresses and when it gets a response via SYN/ACK, EnemyBot then scans for vulnerabilities on the remote server by executing multiple exploits.

The first exploit is for the Log4j vulnerability discovered last year as CVE-2021-44228 and CVE-2021-45046:

Figure 9. Exploiting the Log4J vulnerability.

The malware also can adopt new vulnerabilities within days of those vulnerabilities being discovered. Some examples are Razer Sila (April 2022) which was published without a CVE (see figure 10) and a remote code execution (RCE) vulnerability impacting VMWare Workspace ONE with CVE-2022-22954 the same month (see figure 11).

Figure 10. Exploiting vulnerability in Razar Sila.

Figure 11. Exploiting vulnerability in VMWare Workspace ONE.

EnemyBot has also begun targeting content management systems (e.g. WordPress) by searching for vulnerabilities in various plugins, such as “Video Synchro PDF” (see figure 12).

Figure 12. EnemyBot targeting WordPress servers.

In the example shown in figure 12, notice that the malware elevates a local file inclusion (LFI) vulnerability into a RCE by injecting malicious code into the ‘/proc/self/environ’. This method is not new and was described in 2009. The malware uses LFI to call ‘environ’ and passes the shell command in the user agent http header.

Another example of how the malware uses this method is shown in figure 13. In this example the malware is exploiting a vulnerability in DBltek GoIP.

Figure 13. Executing shell command through LFI vulnerability in DBltek.

After infection, EnemyBot will wait for further commands from its C&C. However, in parallel it will also further propogate by scanning for additional vulnerable devices. Alien Labs has listed below the commands the bot can receive from its C&C (accurate as of the publishing of this article). 

In case an Android device is connected through USB, or Android emulator running on the machine, EnemyBot will try to infect it by executing shell command. (figure 14)

Figure 14. EnemyBot “adb_infect” function to attack Android devices.

Command

Action

SH

Execute shell command

PING

Ping to server, wait for command

LDSERVER

Change loader server for payload.

TCPON

Turn on sniffer.

RSHELL

Create a reverse shell on an infected machine.

TCPOFF

Turn off sniffer.

UDP

Start UDP flood attack.

TCP

Start TCP flood attack.

HTTP

Start HTTP flood attack.

HOLD

Start TCP connection flooder.

TLS

Start TLS attack, start handshake without closing the socket.

STD

Start non spoofed UDP flooder.

DNS

Start DNS flooder.

SCANNER ON | OFF

Start/Stop scanner – scan and infect vulnerable devices.

OVH

Start DDos attack on OVH.

BLACKNURSE

Start ICMP flooder.

STOP

Stop ongoing attacks. kill child processes

ARK

Start targeted attack on ARK: Survivor Evolved video game server.

ADNS

Receive targets list from C&C and start DNS attack.

ASSDP

Start SSDP flood attack.

We have also listed the current vulnerabilities EnemyBot uses. As mentioned, some of them have not been assigned a CVE yet. (As of the publishing of this article.)

CVE Number

Affected devices

CVE-2021-44228, CVE-2021-45046

Log4J RCE

CVE-2022-1388

F5 BIG IP RCE

No CVE (vulnerability published on 2022-02)

Adobe ColdFusion 11 RCE

CVE-2020-7961

Liferay Portal – Java Unmarshalling via JSONWS RCE

No CVE (vulnerability published on 2022-04)

PHP Scriptcase 9.7 RCE

CVE-2021-4039

Zyxel NWA-1100-NH Command injection

No CVE (vulnerability published on 2022-04)

Razar Sila – Command injection

CVE-2022-22947

Spring Cloud Gateway – Code injection vulnerability

CVE-2022-22954

VMWare Workspace One RCE

CVE-2021-36356, CVE-2021-35064

Kramer VIAware RCE

No CVE (vulnerability published on 2022-03)

WordPress Video Synchro PDF plugin LFI

No CVE (vulnerability published on 2022-02)

Dbltek GoIP LFI

No CVE(vulnerability published on 2022-03)

WordPress Cab Fare Calculator plugin LFI

No CVE(vulnerability published on 2022-03)

Archeevo 5.0 LFI

CVE-2018-16763

Fuel CMS 1.4.1 RCE

CVE-2020-5902

F5 BigIP RCE

No CVE (vulnerability published on 2019)

ThinkPHP 5.X RCE

No CVE (vulnerability published on 2017)

Netgear DGN1000 1.1.00.48 ‘Setup.cgi’ RCE

CVE-2022-25075

TOTOLink A3000RU command injection vulnerability

CVE-2015-2051

D-Link devices – HNAP SOAPAction – Header command injection vulnerability

CVE-2014-9118

ZHOME < S3.0.501 RCE

CVE-2017-18368

Zyxel P660HN – unauthenticated command injection

CVE-2020-17456

Seowon SLR 120 router RCE

CVE-2018-10823

D-Link DWR command injection in various models

Recommended actions

Maintain minimal exposure to the Internet on Linux servers and IoT devices and use a properly configured firewall.
Enable automatic updates to ensure your software has the latest security updates.
Monitor network traffic, outbound port scans, and unreasonable bandwidth usage.

Conclusion

Keksec’s EnemyBot appears to be just starting to spread, however due to the authors’ rapid updates, this botnet has the potential to become a major threat for IoT devices and web servers. The malware can quickly adopt one-day vulnerabilities (within days of a published proof of concept). This indicates that the Keksec group is well resourced and that the group has developed the malware to take advantage of vulnerabilities before they are patched, thus increasing the speed and scale at which it can spread.

Detection methods

The following associated detection methods are in use by Alien Labs. They can be used by readers to tune or deploy detections in their own environments or for aiding additional research.

SURICATA IDS SIGNATURES

Log4j sids: 2018202, 2018203, 2034647, 2034648, 2034649, 2034650, 2034651, 2034652, 2034653, 2034654, 2034655, 2034656, 2034657, 2034658, 2034659, 2034660, 2034661, 2034662, 2034663, 2034664, 2034665, 2034666, 2034667, 2034668, 2034671, 2034672, 2034673, 2034674, 2034676, 2034699, 2034700, 2034701, 2034702, 2034703, 2034706, 2034707, 2034708, 2034709, 2034710, 2034711, 2034712, 2034713, 2034714, 2034715, 2034716, 2034717, 2034723, 2034743, 2034744, 2034747, 2034748, 2034749, 2034750, 2034751, 2034755, 2034757, 2034758, 2034759, 2034760, 2034761, 2034762, 2034763, 2034764, 2034765, 2034766, 2034767, 2034768, 2034781, 2034782, 2034783, 2034784, 2034785, 2034786, 2034787, 2034788, 2034789, 2034790, 2034791, 2034792, 2034793, 2034794, 2034795, 2034796, 2034797, 2034798, 2034799, 2034800, 2034801, 2034802, 2034803, 2034804, 2034805, 2034806, 2034807, 2034808, 2034809, 2034810, 2034811, 2034819, 2034820, 2034831, 2034834, 2034835, 2034836, 2034839, 2034886, 2034887, 2034888, 2034889, 2034890, 2838340, 2847596, 4002714, 4002715

4001913: AV EXPLOIT LifeRay RCE (CVE-2020-7961)

4001943: AV EXPLOIT Liferay Portal Java Unmarshalling RCE (CVE-2020-7961)

4002589: AV EXPLOIT LifeRay Remote Code Execution – update-column (CVE-2020-7961)

2031318: ET CURRENT_EVENTS 401TRG Liferay RCE (CVE-2020-7961)

2031592: ET WEB_SPECIFIC_APPS Liferay Unauthenticated RCE via JSONWS Inbound (CVE-2020-7961)

2035955: ET EXPLOIT Razer Sila Router – Command Injection Attempt Inbound (No CVE)

2035956: ET EXPLOIT Razer Sila Router – LFI Attempt Inbound (No CVE)

2035380: ET EXPLOIT VMware Spring Cloud Gateway Code Injection (CVE-2022-2294) (set)

2035381: ET EXPLOIT VMware Spring Cloud Gateway Code Injection (CVE-2022-2294)

2035876: ET EXPLOIT VMWare Server-side Template Injection RCE (CVE-2022-22954)

2035875: ET EXPLOIT VMWare Server-side Template Injection RCE (CVE-2022-22954)

2035874: ET EXPLOIT VMWare Server-side Template Injection RCE (CVE-2022-22954)

2036416: ET EXPLOIT Possible VMware Workspace ONE Access RCE via Server-Side Template Injection Inbound (CVE-2022-22954)

4002364: AV EXPLOIT Fuel CMS RCE (CVE-2018-16763)

2030469: ET EXPLOIT F5 TMUI RCE vulnerability CVE-2020-5902 Attempt M1

2030483: ET EXPLOIT F5 TMUI RCE vulnerability CVE-2020-5902 Attempt M2

2836503: ETPRO EXPLOIT Attempted THINKPHP < 5.2.x RCE Inbound

2836504: ETPRO EXPLOIT Attempted THINKPHP < 5.2.x RCE Outbound

2836633: ETPRO EXPLOIT BlackSquid Failed ThinkPHP Payload Inbound

2026731: ET WEB_SERVER ThinkPHP RCE Exploitation Attempt

2024916: ET EXPLOIT Netgear DGN Remote Command Execution

2029215: ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound

2034576: ET EXPLOIT Netgear DGN Remote Code Execution

2035746: ET EXPLOIT Totolink – Command Injection Attempt Inbound (CVE-2022-25075)

4001488: AV TROJAN Mirai Outbound Exploit Scan, D-Link HNAP RCE (CVE-2015-2051)

2034491: ET EXPLOIT D-Link HNAP SOAPAction Command Injection (CVE-2015-2051)

4000095: AV EXPLOIT Unauthenticated Command Injection (ZyXEL P660HN-T v1)

4002327: AV TROJAN Mirai faulty Zyxel exploit attempt

2027092: ET EXPLOIT Possible ZyXEL P660HN-T v1 RCE

4002226: AV EXPLOIT Seowon Router RCE (CVE-2020-17456)

2035950: ET EXPLOIT SEOWON INTECH SLC-130/SLR-120S RCE Inbound M1 (CVE-2020-17456)

2035951: ET EXPLOIT SEOWON INTECH SLC-130/SLR-120S RCE Inbound M2 (CVE-2020-17456)

2035953: ET EXPLOIT D-Link DWR Command Injection Inbound (CVE-2018-10823)

 

AGENT SIGNATURES

Java Process Spawning Scripting Process

 

Java Process Spawning WMIC

Java Process Spawning Scripting Process via Commandline (For Jenkins servers)

Suspicious process executed by Jenkins Groovy scripts (For Jenkins servers)

Suspicious command executed by a Java listening process (For Linux servers)

Associated indicators (IOCs)

The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the OTX Pulse. Please note, the pulse may include other activities related but out of the scope of the report.

TYPE

INDICATOR

DESCRIPTION

IP ADDRESS

80.94.92[.]38

Malware C&C

SHA256

7c0fe3841af72d55b55bc248167665da5a9036c972acb9a9ac0a7a21db016cc6

Malware hash

SHA256

2abf6060c8a61d7379adfb8218b56003765c1a1e701b346556ca5d53068892a5

Malware hash

SHA256

7785efeeb495ab10414e1f7e4850d248eddce6be91738d515e8b90d344ed820d

Malware hash

SHA256

8e711f38a80a396bd4dacef1dc9ff6c8e32b9b6d37075cea2bbef6973deb9e68

Malware hash

SHA256

31a9c513a5292912720a4bcc6bd4918fc7afcd4a0b60ef9822f5c7bd861c19b8

Malware hash

SHA256

139e1b14d3062881849eb2dcfe10b96ee3acdbd1387de82e73da7d3d921ed806

Malware hash

SHA256

4bd6e530db1c7ed7610398efa249f9c236d7863b40606d779519ac4ccb89767f

Malware hash

SHA256

7a2a5da50e87bb413375ecf12b0be71aea4e21120c0c2447d678ef73c88b3ba0

Malware hash

SHA256

ab203b50226f252c6b3ce2dd57b16c3a22033cd62a42076d09c9b104f67a3bc9

Malware hash

SHA256

70674c30ed3cf8fc1f8a2b9ecc2e15022f55ab9634d70ea3ba5e2e96cc1e00a0

Malware hash

SHA256

f4f9252eac23bbadcbd3cf1d1cada375cb839020ccb0a4e1c49c86a07ce40e1e

Malware hash

SHA256

6a7242683122a3d4507bb0f0b6e7abf8acef4b5ab8ecf11c4b0ebdbded83e7aa

Malware hash

SHA256

b63e841ded736bca23097e91f1f04d44a3f3fdd98878e9ef2a015a09950775c8

Malware hash

SHA256

4869c3d443bae76b20758f297eb3110e316396e17d95511483b99df5e7689fa0

Malware hash

SHA256

cdf2c0c68b5f8f20af448142fd89f5980c9570033fe2e9793a15fdfdadac1281

Malware hash

 

Mapped to MITRE ATT&CK

The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:

TA0001: Initial Access:

T1190: Exploit Public-Facing Application

TA0008: Lateral Movement:

T1210: Exploitation of Remote Services
T1021: Remote Services

TA0011: Command and Control

T1132: Data Encoding
T1001: Data Obfuscation
T1030: Proxy:

003: Multi-hop Proxy

Read More

CVE-2021-28509

Read Time:19 Second

This advisory documents the impact of an internally found vulnerability in Arista EOS state streaming telemetry agent TerminAttr and OpenConfig transport protocols. The impact of this vulnerability is that, in certain conditions, TerminAttr might leak MACsec sensitive data in clear text in CVP to other authorized users, which could cause MACsec traffic to be decrypted or modified by other authorized users on the device.

Read More

CVE-2021-28508

Read Time:19 Second

This advisory documents the impact of an internally found vulnerability in Arista EOS state streaming telemetry agent TerminAttr and OpenConfig transport protocols. The impact of this vulnerability is that, in certain conditions, TerminAttr might leak IPsec sensitive data in clear text in CVP to other authorized users, which could cause IPsec traffic to be decrypted or modified by other authorized users on the device.

Read More

CWE-69 – Improper Handling of Windows ::DATA Alternate Data Stream

Read Time:1 Minute, 12 Second

Description

The software does not properly prevent access to, or detect usage of, alternate data streams (ADS).

An attacker can use an ADS to hide information about a file (e.g. size, the name of the process) from a system or file browser tools such as Windows Explorer and ‘dir’ at the command line utility. Alternately, the attacker might be able to bypass intended access restrictions for the associated data fork.

Alternate data streams (ADS) were first implemented in the Windows NT operating system to provide compatibility between NTFS and the Macintosh Hierarchical File System (HFS). In HFS, data and resource forks are used to store information about a file. The data fork provides information about the contents of the file while the resource fork stores metadata such as file type.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-66

 

Consequences

Access Control, Non-Repudiation, Other: Bypass Protection Mechanism, Hide Activities, Other

 

Potential Mitigations

Phase: Testing

Description: 

Software tools are capable of finding ADSs on your system.

Phase: Implementation

Description: 

Ensure that the source code correctly parses the filename to read or write to the correct stream.

CVE References

  • CVE-1999-0278
    • In IIS, remote attackers can obtain source code for ASP files by appending “::$DATA” to the URL.
  • CVE-2000-0927
    • Product does not properly record file sizes if they are stored in alternative data streams, which allows users to bypass quota restrictions.

CWE-689 – Permission Race Condition During Resource Copy

Read Time:43 Second

Description

The product, while copying or cloning a resource, does not set the resource’s permissions or access control until the copy is complete, leaving the resource exposed to other spheres while the copy is taking place.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-362
CWE-362
CWE-732

 

Consequences

Confidentiality, Integrity: Read Application Data, Modify Application Data

 

Potential Mitigations

CVE References

  • CVE-2002-0760
    • Archive extractor decompresses files with world-readable permissions, then later sets permissions to what the archive specified.
  • CVE-2005-2174
    • Product inserts a new object into database before setting the object’s permissions, introducing a race condition.
  • CVE-2006-5214
    • Error file has weak permissions before a chmod is performed.
  • CVE-2003-0265
    • Database product creates files world-writable before initializing the setuid bits, leading to modification of executables.