A Vulnerability in Atlassian Confluence Server and Data Center Could Allow for Remote Code Execution

A vulnerability has been discovered in Atlassian Confluence Server and Data Center, which could allow for remote code execution. Confluence is a wiki tool used to help teams collaborate and share knowledge efficiently. Successful exploitation of this vulnerability could allow for remote code execution within the context of the service account used to run the Confluence Server or Data Center service. Depending on the privileges associated with the service account, an attacker could view, change, or delete data. If the service account has been configured to have fewer rights on the system, exploitation of this vulnerability could have less impact than if it was configured with administrative rights.

Active Exploitation of WSO2 Vulnerability (CVE-2022-29464) Delivers Malware

FortiGuard Labs is aware that a WSO2 vulnerability (CVE-2022-29464) that was patched in February 2022 and disclosed in April is still being actively exploited in the field. CVE-2022-29464 is an unrestricted arbitrary file upload and remote code execution vulnerability that allows unauthenticated, remote attackers to execute arbitrary code on vulnerable WSO2 products.

Why is this Significant?

This is significant because, despite the fact that CVE-2022-29464 was patched in February and disclosed in April, the vulnerability is still being actively exploited. This means that attacks leveraging CVE-2022-29464 still have some rate of success even now. With the vulnerability being actively exploited and Proof-of-Concept (POC) code having become publicly available in late April, users and administrators should review WSO2’s advisory and apply the patch or the necessary workaround. CVE-2022-29464 is also included in CISA’s Known Exploited Vulnerabilities Catalog, which lists vulnerabilities that US federal agencies are required to patch on their information systems within specific timeframes and deadlines.

What is CVE-2022-29464?

CVE-2022-29464 is a vulnerability in multiple WSO2 products that allows unauthenticated, remote attackers to execute arbitrary code on the affected systems. The vulnerability is rated Critical and has a CVSS score of 9.8. The advisory lists the following products as vulnerable:

WSO2 API Manager 2.2.0 up to 4.0.0
WSO2 Identity Server 5.2.0 up to 5.11.0
WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, 5.6.0
WSO2 Identity Server as Key Manager 5.3.0 up to 5.11.0
WSO2 Enterprise Integrator 6.2.0 up to 6.6.0
WSO2 Open Banking AM 1.4.0 up to 2.0.0
WSO2 Open Banking KM 1.4.0 up to 2.0.0

What Malware were Deployed after Successful Exploitation of CVE-2022-29464?

Cobalt Strike, a backdoor, a cryptocoin miner and a hacktool are reported to have been deployed to the compromised systems.

Has the Vendor Released an Advisory?

Yes. See the Appendix for a link to “Security Advisory WSO2-2021-1738”.

Has the Vendor Released a Patch for CVE-2022-29464?

Yes. According to WSO2’s advisory, WSO2 released temporary mitigations in January 2022 and released permanent fixes for all supported product versions in February.

What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage against files associated with CVE-2022-29464:

W64/Agent.CY!tr
ELF/Agent.AR!tr
ELF/BitCoinMiner.HF!tr
Java/Agent.AUJ!tr
Java/Webshell.E!tr
Java/Webshell.0CC4!tr
Riskware/Generic.H2
Malicious_Behavior.SB

FortiGuard Labs provides the following IPS coverage against CVE-2022-29464:

WSO2.fileupload.Arbitrary.File.Upload (default action is set to pass)

Known network IOCs for CVE-2022-29464 are blocked by the WebFiltering client.

CVE-2022-26134: Zero-Day Vulnerability in Atlassian Confluence Server and Data Center Exploited in the Wild

A critical vulnerability in Atlassian Confluence Server and Data Center has been exploited in the wild by multiple threat actors. Organizations should review and implement mitigation guidance until a patch becomes available.

Background

On June 2, Atlassian published an advisory for CVE-2022-26134, a critical zero-day remote code execution vulnerability in Confluence Server and Data Center.

Frequently Asked Questions

What is Atlassian Confluence Server and Data Center?
Confluence is web-based software used for workspace collaboration. It can be deployed on-prem or as part of Atlassian Cloud.

What is CVE-2022-26134?
CVE-2022-26134 is a remote code execution vulnerability in Atlassian Confluence Server and Data Center.

How severe is this vulnerability?
CVE-2022-26134 was given a critical rating by Atlassian. At this time, there is no entry for this CVE in the National Vulnerability Database, so it has not been assigned an official CVSSv3 score. However, based on Atlassian’s severity level ratings, a critical rating corresponds to a CVSSv3 score between 9.0 and 10.0.

How can an attacker exploit this vulnerability?
At the time of publication, specific details regarding how this vulnerability could be exploited were not made public. However, based on past vulnerabilities in Confluence, an attacker could exploit this flaw by sending a specially crafted request to a vulnerable Confluence Server or Data Center instance that is publicly accessible over the internet. Successful exploitation would allow an attacker to execute code remotely, which could result in full system takeover.

Has this vulnerability been exploited?
Yes, according to Atlassian’s advisory, there is known exploitation of this vulnerability against Confluence Server version 7.18.0.

Is 7.18.0 the only affected version?
No, Atlassian has since confirmed that all supported versions of Confluence Server and Data Center are affected.

We use Confluence as part of Atlassian Cloud. Are we affected?
No, Atlassian says that if you access Confluence through an atlassian.net domain, your site is not vulnerable and there is currently no evidence that Cloud sites have been targeted.

Is a patch available?
At the time of publication, a patch is not available for this vulnerability. However, Atlassian recently updated its advisory stating that a fix would be released by the end of day on June 3. This blog post will be updated once the fix is available.

What can organizations do to protect against this vulnerability?
Atlassian has provided temporary workaround instructions for customers based on their Confluence versions. They both require shutting down Confluence temporarily while applying the mitigations. For more information, please refer to the specific guidance from the Atlassian advisory:

For Confluence 7.15.0 – 7.18.0
For Confluence 7.0.0 – Confluence 7.14.2

How was this vulnerability discovered?
It has been credited to Volexity, which published a blog post about the vulnerability. According to the blog post, Volexity discovered exploitation of this vulnerability over the Memorial Day weekend during an incident response investigation.

Are there any indicators of compromise available?
Yes, Volexity shared a number of network indicators and indicators of compromise, including hunting rules to help defenders identify possible exploitation.

Do we know who is exploiting this flaw?
Volexity believes this vulnerability is being exploited by “multiple threat actors” that appear to be based out of China.

Is there a proof-of-concept (PoC) available for this vulnerability?
At the time this blog post was published, there was no PoC exploit publicly available for this vulnerability.

Does Tenable have any product coverage for this vulnerability?
While there is currently no patch available for this vulnerability, Tenable is investigating product coverage and will provide an update once we have more information to share. In the meantime, we advise organizations to review the recommended mitigation guidance from Atlassian.

Identifying affected systems

A list of Tenable plugins covering CVE-2022-26134 can be found here. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.

Get more information

Atlassian Security Advisory for CVE-2022-26134
Volexity Blog Post for Zero-Day Exploitation of CVE-2022-26134

Ransomware Roundup – 2022/06/02

FortiGuard Labs is aware of a number of new ransomware strains for the week of May 30th, 2022. It is imperative to raise awareness about new ransomware strains, as infections can cause severe damage to organizations. This week’s Ransomware Roundup Threat Signal covers Hive ransomware, Bright Black ransomware and the Karakurt Data Extortion Group, and Fortinet protections against them.

What is Hive Ransomware?

Hive ransomware is a Ransomware-as-a-Service (RaaS) that was first observed in June 2021. It is highlighted in this Threat Signal because Costa Rica’s public health system was reportedly compromised by the ransomware.

As a RaaS, the Hive ransomware group consists of two types of participants: the ransomware operator (developer) and affiliates. The former develops Hive ransomware, provides support for its affiliates, and operates the ransom payment site as well as a data leak site called “HiveLeaks” on Tor. The latter carry out the actual attacks that infect victims, exfiltrate data from them, and deploy Hive ransomware onto the compromised machines. An apparent underground forum post recruiting Hive ransomware conspirators promised the affiliates an 80% cut.

Hive ransomware is the main payload deployed to the compromised machine to encrypt files. Before file encryption takes place, data is stolen from the victim and shadow copies are deleted, which makes file recovery very difficult. Files encrypted by Hive ransomware typically have a .hive extension. Other reported file extensions include .aumcc, .sncip, .accuj and .qxycv. According to a report published by Group-IB, “the data encryption is often carried out during non-working hours or at the weekend” in an attempt to encrypt as many files as possible without being noticed.

A typical ransom note left behind by Hive ransomware:

Your network has been breached and all data is encrypted.
To decrypt all the data you will need to purchase our decryption software.
Please contact our sales department at: xxxx://[removed].onion/
Login: [removed]
Password: [removed]
Follow the guidelines below to avoid losing your data:
– Do not shutdown or reboot your computers, unmount external storages.
– Do not try to decrypt data using third party software. It may cause irreversible damage.
– Don’t fool yourself. Encryption has perfect secrecy and it’s impossible to decrypt without knowing the key.
– Do not modify, rename or delete *.key.hive files. Your data will be undecryptable.
– Do not modify or rename encrypted files. You will lose them.
– Do not report to authorities. The negotiation process will be terminated immediately and the key will be erased.
– Do not reject to purchase. Your sensitive data will be publicly disclosed at xxxx://[removed]onion/

The group employs a double extortion technique in which victims are asked to make a ransom payment both to recover encrypted files and to prevent the stolen data from being published on “HiveLeaks”. Some victims reportedly received phone calls from Hive threat actors. The victim receives a decryption tool upon completion of payment; however, there is chatter suggesting that the decryption tool did not work as advertised in some cases and made virtual machines unbootable because the tool corrupted the MBR (Master Boot Record).

Initial attack vectors include phishing emails with malicious attachments, attacks on vulnerable RDP servers, and the use of compromised VPN credentials. Purchasing network access from initial access brokers is a possibility as well.

Hive ransomware has reportedly victimized companies across a wide range of industries, such as (but not restricted to) real estate, IT and manufacturing. Some RaaS operations have a policy of excluding governmental, educational and military organizations, health care, and critical infrastructure such as gas pipelines and power plants. Hive ransomware does not appear to have such a policy, as its victims include health care and government organizations. In August 2021, the Federal Bureau of Investigation (FBI) released a flash alert on Hive ransomware. See the Appendix for a link to “Indicators of Compromise Associated with Hive Ransomware” for the advisory.

What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage against Hive ransomware:

W64/Hive.A!tr
W32/Ransom.HIVE!tr
ELF/Hive.B!tr
Linux/Hive.B!tr
W64/Filecoder_Hive.A!tr.ransom
W32/Filecoder_Hive.A!tr
BSD/Filecoder_Hive.A!tr
W32/Filecoder_Hive_AGen.A!tr
Linux/Filecoder_Hive.E!tr
Linux/Filecoder_Hive.C!tr
Linux/Filecoder_Hive.D!tr
Linux/Filecoder_Hive.F!tr
W32/Filecoder_Hive_AGen.A!tr
W64/Filecoder_Hive_AGen.A!tr
W32/Filecoder_Hive_AGen.A!tr.ransom
W64/Filecoder_Hive_AGen.A!tr.ransom
W32/Ransom_Win64_HIVE.YXBKMZ
W64/Filecoder_Hive.A!tr.ransom
W32/Ransom_Win64_HIVE.NIVSBHU!tr
W32/Ransom_Win64_HIVE.BYFUSKH!tr
W32/Ransom_Win64_HIVE.YXBKOZ
W32/Ransom_Win64_HIVE.YXBKLZ
W32/Ransom_Win64_HIVE.YXBKOZ
W32/Ransom_Win64_HIVE.YXBKBZ
W32/Ransom_Win64_HIVE.YXBKBZ
W32/Hive.B0FF!tr.ransom
W32/Hive.B0FF!tr.ransom
W32/Ransom_Win64_HIVE.LIVMOBG!tr
JS/MinerCoinHiveInURLDecode.D43A!tr
W64/Hive.B0FF!tr.ransom
W32/Ransom_Win64_HIVE.CQCRPWJ!tr
W32/Ransom_Win64_HIVE.YXBJ2Z
W32/Ransom_HiveCrypt.R06BC0DDM22

FortiEDR provides protection from new ransomware variants such as Hive straight out of the box.

What is Bright Black Ransomware?

Bright Black ransomware is a new ransomware that displays a ransom note in ransnote.html. The ransom note claims that files on the compromised machine were encrypted using AES-256 encryption and asks the victim to contact the malware author via Discord in order to recover the affected files. However, analysis performed by FortiGuard Labs revealed that Bright Black ransomware does NOT encrypt any files. In an attempt to fool the victim into paying the ransom, it prepends “x” to the file extension of the targeted files. For example, the ransomware changes the .png file extension to .xpng. It also drops a decryptor tool. When the tool is run, the decryptor asks for a code and reiterates that the victim needs to DM the author to get the code. That is another attempt to make the victim believe that the files were encrypted.

[Figure: Bright Black ransomware’s ransom note]
[Figure: Dropped Bright Black decryptor]

What is the Status of Coverage against Bright Black ransomware?

FortiGuard Labs provides the following AV coverage:

BAT/Renamer.AU!tr

What is the Karakurt Data Extortion Group?

The Karakurt data extortion group is a threat actor that threatens to publicly release data it stole from a compromised machine unless the victim pays a ransom in Bitcoin. The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), and the Financial Crimes Enforcement Network (FinCEN) released a joint advisory on the Karakurt threat actor on June 1st, 2022. Please see the Appendix for a link to “Alert (AA22-152A): Karakurt Data Extortion Group” for the advisory.

According to the advisory, there are no reports of the threat actor encrypting any files as part of its attacks. Known ransom demands range from $25,000 to $13,000,000, and the threat actor typically demands that the ransom be paid within a week of first contact with the victim. The criminal group employs aggressive tactics to get the victim to pay the ransom: the group has reportedly contacted not only the victim’s employees but also business partners and clients via emails and phone calls. The advisory also indicates that, once the ransom was paid, the threat actor provided a brief statement on how the victim was compromised.

What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage for the available samples on the IOC list:

Riskware/Kryptik

Anything Else to Note?

Victims of ransomware are cautioned against paying ransoms by organizations such as CISA, NCSC, the FBI, and HHS. Payment does not guarantee that files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities, which could potentially be illegal according to a U.S. Department of the Treasury Office of Foreign Assets Control (OFAC) advisory.

SSO explained: Single sign-on definition, examples, and terminology

What is SSO?

Single sign-on (SSO) is a centralized session and user authentication service in which one set of login credentials can be used to access multiple applications. Its beauty is in its simplicity; the service authenticates you on one designated platform, enabling you to then use a variety of services without having to log in and out each time.

In the most common arrangement, the identity provider and service provider establish a trust relationship by exchanging digital certificates and metadata, and communicate with one another via open standards such as Security Assertion Markup Language (SAML), OAuth, or OpenID. 

vim-8.2.5052-1.fc35

FEDORA-2022-bb2daad935

Packages in this update:

vim-8.2.5052-1.fc35

Update description:

Security fixes for CVE-2022-1886, CVE-2022-1942

Security fixes for CVE-2022-1851, CVE-2022-1898, CVE-2022-1897, CVE-2022-1927

webkit2gtk3-2.36.3-1.fc35

FEDORA-2022-c05acca28d

Packages in this update:

webkit2gtk3-2.36.3-1.fc35

Update description:

Update to 2.36.3:

Support capturing already encoded video streams, which takes advantage of encoding done in hardware by devices which support this feature.
Avoid using experimental GStreamer elements for video demuxing.
Avoid using the legacy GStreamer VA-API decoding plug-ins, which often cause rendering issues and are not much maintained. Their usage can be re-enabled setting WEBKIT_GST_ENABLE_LEGACY_VAAPI=1 in the environment.
Fix playback of YouTube streams which use dynamic ad insertion.
Fix display capture with Pipewire.
Fix several crashes and rendering issues.

webkit2gtk3-2.36.3-1.fc36

FEDORA-2022-e883576e1c

Packages in this update:

webkit2gtk3-2.36.3-1.fc36

Update description:

Update to 2.36.3:

Support capturing already encoded video streams, which takes advantage of encoding done in hardware by devices which support this feature.
Avoid using experimental GStreamer elements for video demuxing.
Avoid using the legacy GStreamer VA-API decoding plug-ins, which often cause rendering issues and are not much maintained. Their usage can be re-enabled setting WEBKIT_GST_ENABLE_LEGACY_VAAPI=1 in the environment.
Fix playback of YouTube streams which use dynamic ad insertion.
Fix display capture with Pipewire.
Fix several crashes and rendering issues.