FortiGuard Labs is aware of a report that the “Cluster B” group who is an alleged affiliate to the Iranian threat actor “Cobalt Mirage” deployed Drokbk malware to victims’ machines. Drokbk uses Github to retrieve a Command-and-Control (C2) server location. According to the report, the Cluster B threat actor was observed to have used Drokbk in an attack against a U.S. government network in early 2022.Why is this Significant?This is significant because Drokbk malware was reportedly deployed to a compromised U.S. government networks in early 2022. Security vendor Secureworks attributed Drokbk to the “Cluster B” group who is an affiliate to an alleged Iranian threat actor “Cobalt Mirage”.What is Drokbk Malware?Drokbk is a .NET malware which prime functionality is to execute remote commands served from its Command-and-Control (C2) servers. The malware is designed to retrieve C2 locations from publicly available services such as Github.According to Secureworks, Drokbk was deployed to a U.S. government network in early February 2022 compromised by leveraging Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046).FortiGuard Labs previously released Outbreak Alert and Threat Signal for Log4j vulnerabilities. See the Appendix for a link to “Outbreak Alert: Apache Log4j2 Vulnerability” and “Apache Log4J Remote Code Execution Vulnerability (CVE-2021-44228)”.What is the Status of Coverage?FortiGuard Labs detect available samples in the report with the following AV signatures:MSIL/Agent.3606!trW64/MaliceyElie.84DB!trW32/PossibleThreatPossibleThreatFortiGuard Labs has IPS coverage in place for CVE-2021-44228 and CVE-2021-45046:Apache.Log4j.Error.Log.Remote.Code.ExecutionAll network IOCs in the report are blocked by Webfiltering.

Read More

FortiGuard Labs is aware of a report that a new wiper malware “Fantasy” that was deployed by potentially leveraging an unidentified software commonly used in the diamond industry. The report states that Fantasy wiper victims were observed in South Africa, Israel, and Hong Kong. The wiper malware reportedly targets over 300 file extensions for files to overwrite and delete.Why is this Significant?This is significant because Fantasy is a new wiper malware that overwrites and deletes files on compromised machines and have victimized multiple organizations. Fantasy wiper is believed to have been deployed to the victims’ machines through update mechanism of an unidentified software commonly used in the diamond industry, which classifies the attack as a supply-chain attack.What is Fantasy Wiper?Fantasy wiper is a destructive malware that overwrites and deletes files on compromised machines. Fantasy wiper was reportedly executed using a batch file dropped by another malware named “Sandals”. Sandals malware leverages credentials and hostnames collected by the threat actor prior to the deployment of Sandals and Fantasy for lateral movement in victim’s network.Fantasy wiper also deletes Windows event logs, all files in system drive and file system cache memory and overwrites the Master Boot Record (MBR).Who is behind the Fantasy Wiper Attack?The attack was attributed to the Agrius threat actor group. Agrius’ activities are believed to be align with Iran’s interests. Apostle and Deadwood wiper are previously linked to the Agrius group.What is the Status of Coverage?FortiGuard Labs detects Fantasy wiper with the following AV signature:MSIL/KillDisk.I!trOther relevant samples used in the reported attack are detected with the following AV signatures:BAT/Agent.NRG!trMSIL/Agent.F871!trRiskware/HackToolRiskware/LsassDumper

Read More

FortiGuard Labs is aware of a report that a new malware named “Redigo” was observed to have been installed on Redis honeypot servers vulnerable to CVE-2022-0543. The compromised Redis servers are likely used to perform Distributed Denial of Service (DDoS) attacks and cryptomining.Why is this Significant?This is significant because Redigo was installed on vulnerable Redis servers. Redis is an in-memory key-value store that can act as a high-performance database and cache server. Compromised servers are in control by remote attackers and are likely used for malicious activities.Created by Google, the Go programming language is platform independent and can run on various operating systems. Once considered novel, Golang malware is on the rise. FortiGuard Labs has recently published Zerobot, a new IoT botnet written in Golang.What is Redigo Malware?Redigo is a new Golang-based malware that was found to be installed on Redis servers vulnerable to CVE-2022-0543. Compromised Redis servers will be connected to malicious Command-and-Control (C2) servers that are likely used for DDoS attacks and cryptomining.What is CVE-2022-0543?CVE-2022-0543 is a vulnerability in Redis Debian packages disclosed in February 2022. Successful exploitation of the vulnerability allows remote attackers to execute arbitrary code on vulnerable Redis servers. CVE-2022-0543 has a CVSS score of 10.0.Is a Patch Available for CVE-2022-0543?Yes, a patch is available.What is the Status of Coverage?FortiGuard Labs provides the following AV signatures for Redigo:Linux/Redis.A!trPossibleThreatThe reported C2 server is blocked by Webfiltering.FortiGuard Labs provides the following IPS signature for CVE-2022-0543:Redis.Lua.Sandbox.Remote.Code.Execution

Read More

FEDORA-EPEL-2022-4cd9e0dc82

Packages in this update:

mujs-1.3.2-1.el9

Update description:

This version corrects some CVEs

Read More

A vulnerability classified as problematic was found in pacparser up to 1.3.x. Affected by this vulnerability is the function pacparser_find_proxy of the file src/pacparser.c. The manipulation of the argument url leads to buffer overflow. Attacking locally is a requirement. Upgrading to version 1.4.0 is able to address this issue. The name of the patch is 853e8f45607cb07b877ffd270c63dbcdd5201ad9. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-215443.

Read More