Cuba Ransomware Advisory Released by FBI and CISA

FortiGuard Labs is aware that the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on Cuba ransomware as part of their #StopRansomware effort. The advisory states that the number of organizations in the United States victimized by Cuba ransomware has increased since December 2021.

Why is this Significant?

This is significant because Cuba ransomware has reportedly victimized over 100 organizations across multiple industries, including, but not limited to, infrastructure in the U.S., since December 2021 and has extorted large sums of money from the victims.

What is Cuba Ransomware?

Cuba is a ransomware strain that has been around since at least 2019 and has reportedly victimized more than 100 organizations globally. According to the advisory, infection vectors used by the Cuba threat actors include email, use of stolen credentials, RDP (Remote Desktop Protocol) session hijacking, and exploitation of vulnerabilities such as CVE-2022-24521 and CVE-2020-1472. Hancitor malware was also reportedly observed deploying Cuba ransomware after victims’ networks were breached.

Once Cuba ransomware is deployed, it encrypts files on compromised machines, appends a “.cuba” file extension to the affected files, and drops a ransom note named “!! READ ME !!.txt”. The primary contact channel is Tox (a peer-to-peer instant messaging protocol). An alternative e-mail address is typically included in the ransom notes.

FortiGuard Labs previously released a ransomware roundup blog on Cuba ransomware on August 18, 2022.
See the Appendix for a link to “Alert (AA22-335A) #StopRansomware: Cuba Ransomware (CISA)”.

What is the Status of Protection?

FortiGuard Labs provides the following AV signatures for Cuba ransomware:

W32/Agent.FEDD!tr
W32/Filecoder.OAE!tr
W32/Filecoder.OAE!tr.ransom
W32/Filecoder.OHL!tr
W32/GenKryptik.EMOA!tr
W32/Injector.EQGY!tr
W32/Kryptik.HFMU!tr
W32/Kryptik.HGXH!tr
W32/PossibleThreat

Some of the available files listed in the IOC section of the CISA advisory are detected by the following AV signatures:

W32/Agent.ADBQ!tr
W64/Agent.CP!tr.dldr
W32/GenKryptik.FSCS!tr
W32/PossibleThreat
PossibleThreat
PossibleThreat.PALLAS.H

FortiGuard Labs provides the following IPS coverage for the vulnerabilities reportedly leveraged by Cuba ransomware threat actors:

MS.Windows.CVE-2022-24521.Privilege.Elevation (CVE-2022-24521)
MS.Windows.Server.Netlogon.Elevation.of.Privilege (CVE-2020-1472)

FortiEDR protects customers from Cuba ransomware. See the Appendix for a link to “Threat Coverage: How FortiEDR protects against Cuba ransomware”.
Daily Archives: December 2, 2022
Heliconia Exploit Framework In the Wild
FortiGuard Labs is aware of a report that a new exploit framework dubbed “Heliconia” was discovered. Heliconia consists of three components designed to exploit vulnerabilities in Chrome, Firefox and Windows Defender to deliver payloads. According to outside reports, the exploit framework may have a connection with a commercial spyware vendor.

Why is this Significant?

This is significant because the new exploit framework “Heliconia” is designed to exploit security holes in Chrome, Firefox and Windows Defender and deliver payloads. Google’s Threat Analysis Group (TAG) believes “Heliconia” may have a connection with a commercial security solution vendor and that the vulnerabilities may have been exploited as 0-days.

What are the Three Components of Heliconia?

Heliconia consists of the following three components:

Heliconia Noise is designed to exploit a renderer vulnerability in Chrome. It also references a remotely hosted sandbox escape shellcode and installs an agent. While a CVE number has not been assigned to the renderer vulnerability, Google states that the vulnerability affects Chrome versions 90.0.4430.72 to 91.0.4472.106 and was patched in August 2021.

Heliconia Soft is designed to serve a PDF file containing an exploit for a Windows Defender vulnerability (CVE-2021-42298).

Heliconia Files is designed to exploit vulnerabilities in both the Windows and Linux versions of Firefox in a chain. It first exploits CVE-2022-26485, followed by an unnamed sandbox escape and payload delivery.

Have the Vendors Released a Patch for the Vulnerabilities?

Patches are available for the reported vulnerabilities.

How Widespread is this?

While we do not know how widespread this is, CVE-2022-26485 was reportedly exploited by the Heliconia exploit framework as early as 2019.
What is the Status of Protection?

FortiGuard Labs provides the following IPS signature for CVE-2021-42298:

MS.Defender.MpEngine.Remote.Code.Execution

FortiGuard Labs is currently investigating CVE-2022-26485 for coverage. This Threat Signal will be updated when protection becomes available.
CVE-2019-16802
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
CVE-2019-16801
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
CVE-2019-16800
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
CVE-2019-16799
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
CVE-2019-16798
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
CVE-2019-16797
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
CVE-2019-16796
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
CVE-2019-16795
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.