Daily Archives: February 7, 2023
MKS Instruments falls victim to ransomware attack
Semiconductor equipment maker MKS Instruments is investigating a ransomware event that occurred on February 3 and impacted its production-related systems, the company said in a filing with the US Securities and Exchange Commission.
MKS Instruments is an Andover, Massachusetts-based provider of subsystems for semiconductor manufacturing, wafer level packaging, package substrate and printed circuit boards.
An email sent to MKS Instruments seeking more information about the attack remained unanswered, and the company’s website continued to be inaccessible at the time of writing, with an error notification that read, “Unfortunately, www.mks.com is experiencing an unscheduled outage. Please check back again at a later time.”
tigervnc-1.13.0-1.fc36
FEDORA-2023-c41e8f24bb
Packages in this update:
tigervnc-1.13.0-1.fc36
Update description:
Tigervnc 1.13.0 update, which carries the fix for CVE-2023-0494. Xvnc is built from xorg-x11-server code, so the X server's DeepCopyPointerClasses use-after-free affects the VNC server as well.
CVE-2023-0494 tigervnc: xorg-x11-server: DeepCopyPointerClasses use-after-free leads to privilege elevation
tigervnc-1.13.0-1.fc37
FEDORA-2023-4d443bd03f
Packages in this update:
tigervnc-1.13.0-1.fc37
Update description:
Tigervnc 1.13.0 update, which carries the fix for CVE-2023-0494. Xvnc is built from xorg-x11-server code, so the X server's DeepCopyPointerClasses use-after-free affects the VNC server as well.
CVE-2023-0494 tigervnc: xorg-x11-server: DeepCopyPointerClasses use-after-free leads to privilege elevation
Multiple Vulnerabilities in Google Android OS Could Allow for Privilege Escalation
Multiple vulnerabilities have been discovered in Google Android OS, the most severe of which could allow for privilege escalation. Android is an operating system developed by Google for mobile devices, including, but not limited to, smartphones, tablets, and watches. Depending on the privileges associated with the exploited component, an attacker who successfully exploits the most severe of these vulnerabilities could install programs; view, change, or delete data; or create new accounts with full rights.
ESXiArgs Ransomware Globally Targets Unpatched ESXi Servers Worldwide
FortiGuard Labs is aware of reports that ESXi servers around the globe that are vulnerable to the VMware ESXi OpenSLP heap overflow (CVE-2021-21974) are being exploited through OpenSLP (TCP port 427) to deliver a new ransomware, “ESXiArgs”. The ransomware encrypts files on affected ESXi servers and demands a ransom for decryption.

Why is this Significant?
This is significant because a new ransomware, “ESXiArgs”, is being deployed to ESXi servers that are still exposed to CVE-2021-21974. The ransomware encrypts files with pre-specified extensions and demands a ransom from victims for decryption. A patch for CVE-2021-21974 was released almost two years ago, so only hosts that were never patched, or that still expose the OpenSLP service, are affected, which limits the impact and severity of this incident.

What is ESXiArgs Ransomware?
ESXiArgs is a new ransomware that encrypts files on ESXi servers. According to OSINT, it targets files with the “.vmdk”, “.vmx”, “.vmxf”, “.vmsd”, “.vmsn”, “.vswp”, “.vmss”, “.nvram”, and “.vmem” extensions, that is, the virtual disk, configuration, snapshot, swap and memory files that make up a virtual machine. The ransomware reportedly creates an “args” file containing metadata for each file it encrypts. Data exfiltration has not been reported. ESXiArgs is said to be related to another ransomware, “Nevada”; however, we have not been able to verify that claim.

What is CVE-2021-21974 (VMware ESXi OpenSLP HeapOverflow vulnerability)?
CVE-2021-21974 is a heap overflow vulnerability in OpenSLP that affects VMware ESXi versions 7.0, 6.7 and 6.5. The vulnerability is due to an improper boundary check in the application. A remote, unauthenticated attacker who can reach port 427 on the host can exploit it by sending a crafted request to the target server and execute arbitrary code with the privileges of the OpenSLP service. The vulnerability has a CVSSv3 base score of 8.8 and is rated Important by VMware.

Has the Vendor Released a Patch for CVE-2021-21974?
Yes, VMware released a patch for CVE-2021-21974 on February 23rd, 2021 (VMSA-2021-0002).

What is the Status of Protection?
FortiGuard Labs provides protection against this latest attack with the following AV signatures:
• ELF/Filecoder.85D3!tr.ransom
• Linux/Agent.SR!tr
• Python/Agent.937D!tr
FortiGuard Labs has the following IPS signature in place for CVE-2021-21974 (VMware ESXi OpenSLP HeapOverflow vulnerability):
• VMware.ESXi.OpenSLP.Heap.Buffer.Overflow
New HeadCrab Malware Targets Redis Servers
FortiGuard Labs is aware of a report that a new malware, “HeadCrab”, has been deployed to over 1,000 Redis servers around the globe for crypto-mining. The HeadCrab threat actor reportedly targets internet-facing Redis servers that do not require authentication.

Why is this Significant?
This is significant because “HeadCrab” malware was discovered on over 1,000 compromised Redis servers around the globe. While the main purpose of HeadCrab appears to be crypto-mining, an attacker who controls a Redis server can perform other malicious activities and deploy further malware to it. As such, Redis servers exposed to the internet without authentication need to be either taken offline or have authentication enabled.

What is HeadCrab malware?
HeadCrab is a malware deployed to internet-facing Redis servers that do not require authentication. Once the HeadCrab threat actor finds and compromises a vulnerable Redis server, the compromised server is synchronized with the attacker’s master Redis server, which serves the HeadCrab malware. Redis replication is configured with a single SLAVEOF/REPLICAOF command, so on an unauthenticated instance this takeover requires no exploit, only the ability to reach the port. HeadCrab receives commands from the attacker’s master Redis server and acts on them. While the threat actor reportedly used HeadCrab to mine Monero, it could be used for other malicious activities such as exfiltrating information, and the threat actor can serve other malware and perform further malicious actions on compromised Redis servers.

What is the Status of Protection?
FortiGuard Labs detects known HeadCrab malware samples with the following AV signatures:
• ELF/Miner.AF76!tr
• ELF/Agent.D9F0!tr
• ELF/Agent.E2A0!tr
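A configuration audit for the weaknesses the HeadCrab report describes, as an added example in POSIX shell (not from the FortiGuard report or the Redis project): audit_redis_conf reads a redis.conf and flags a missing requirepass, protected-mode turned off, a bind on all interfaces, and the SLAVEOF/REPLICAOF commands left enabled, which are the commands an attacker uses to point a server at their own master. It also flags MODULE and CONFIG left enabled; that goes beyond the report, since those are the usual follow-on paths for loading code and writing files on an unauthenticated Redis. The two sample configurations are constructed for this example and the password value is a placeholder. On Redis 6 and later an ACL file is the preferred way to restrict commands, but rename-command is still honoured and is what this audit greps for.

```shell
#!/bin/sh
# Added example, not from the FortiGuard report or the Redis project.

# Constructed sample: the kind of exposed, unauthenticated instance HeadCrab targets.
weak_redis_conf() {
    cat <<'EOF'
bind 0.0.0.0
protected-mode no
port 6379
# requirepass foobared
EOF
}

# Constructed sample: the same instance hardened. The requirepass value is a
# placeholder for a long random secret.
hardened_redis_conf() {
    cat <<'EOF'
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass CHANGE-ME-to-a-long-random-secret
# Commands the HeadCrab takeover relies on (replication from an attacker master):
rename-command SLAVEOF ""
rename-command REPLICAOF ""
# Added hardening beyond the report: no module loading, no config/file writes.
rename-command MODULE ""
rename-command CONFIG ""
EOF
}

# True if redis.conf $2 has an uncommented line starting with regex $1.
has_directive() {
    grep -Eiq "^[[:space:]]*$1" "$2"
}

# Print one line per weakness found in redis.conf $1; return 1 if any were found.
audit_redis_conf() {
    conf=$1
    n=0
    if ! has_directive 'requirepass[[:space:]]+[^[:space:]]' "$conf"; then
        printf '%s\n' "no requirepass: anyone who can reach the port can issue commands"
        n=$((n + 1))
    fi
    if has_directive 'protected-mode[[:space:]]+no' "$conf"; then
        printf '%s\n' "protected-mode no: remote clients accepted without auth"
        n=$((n + 1))
    fi
    if ! has_directive 'bind[[:space:]]+' "$conf" ||
       has_directive 'bind[[:space:]].*(0\.0\.0\.0|\*)' "$conf"; then
        printf '%s\n' "bind missing or on all interfaces: port reachable from the network"
        n=$((n + 1))
    fi
    for cmd in SLAVEOF REPLICAOF MODULE CONFIG; do
        if ! has_directive "rename-command[[:space:]]+$cmd[[:space:]]+\"\"" "$conf"; then
            printf '%s\n' "$cmd still enabled: add rename-command $cmd \"\" or deny it via ACL"
            n=$((n + 1))
        fi
    done
    [ "$n" -eq 0 ]
}

# Usage: audit_redis_conf /etc/redis/redis.conf
```

Note that protected-mode only refuses remote clients when no bind address and no password are set, so it is a backstop, not a substitute for requirepass; the audit treats an explicit “protected-mode no” as a finding in its own right because it removes even that backstop.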
ZDI-23-095: Microsoft Azure Machine Learning Service Cleartext Storage of Credentials Information Disclosure Vulnerability
This vulnerability allows remote attackers to disclose sensitive information on Microsoft Azure. Authentication is required to exploit this vulnerability.
ZDI-23-096: Microsoft Azure Machine Learning Service Cleartext Storage of Credentials Information Disclosure Vulnerability
This vulnerability allows remote attackers to disclose sensitive information on Microsoft Azure. Authentication is required to exploit this vulnerability.
ZDI-23-097: Microsoft Azure Machine Learning Service JWT Cleartext Storage of Credentials Information Disclosure Vulnerability
This vulnerability allows remote attackers to disclose sensitive information on Microsoft Azure. Authentication is required to exploit this vulnerability.