FortiGuard Labs is aware of a report that a new wiper malware was used to in recent attacks targeting Ukraine. Dubbed SwiftSlicer, the wiper malware overwrites files in specified directories in the affected machines and deletes shadow copies to prevent file recovery.Why is this Significant?This is significant because SwiftSlicer is a new destructive malware used in real attacks. SwiftSlicer overwrites files in attacker specified folders and deletes shadow copies, which makes file recovery difficult.What is SwiftSlicer?SwiftSlicer is a wiper malware that is written in Go-language. The malware is designed to overwrite non-system drives as well as files under %CSIDL_SYSTEM%drivers and %CSIDL_SYSTEM_DRIVE%WindowsNTDS. It also leverages the Windows Management Instrumentation Command-line (WMIC) tool to delete shadow copies.Other vendors have attributed SwiftSlicer to Sandworm Team who is believed to be a Russian threat actor responsible for destructive attacks such as NotPetya and Olympic Destroyer and cyber-attacks against the Ukrainian electrical grid in 2015 and 2016.How Widespread is SwiftSlicer?As of this writing, there is no report that indicates SwiftSlicer was used to target non-Ukrainian organizations.What is the Status of Protection?FortiGuard Labs provides the following AV signature for SwiftSlicer:W32/Malicious_Behavior.VEX
VMware published patches last week for four vulnerabilities in its vRealize Log Insight product that, if combined, could allow attackers to take over the log collection and analytics platform. This week, a proof-of-concept exploit chain has been released by security researchers, along with detailed explanations for each vulnerability, meaning in-the-wild attacks could soon follow.
“Gaining access to the Log Insight host provides some interesting possibilities to an attacker, depending on the type of applications that are integrated with it,” researchers with penetration testing firm Horizon3.ai said in their analysis of the flaws. “Often logs ingested may contain sensitive data from other services and may allow an attack to gather session tokens, API keys, and PII. Those keys and sessions may allow the attacker to pivot to other systems and further compromise the environment.”
It was discovered that LibTIFF incorrectly handled certain malformed
images. If a user or automated system were tricked into opening a
specially crafted image, a remote attacker could crash the application,
leading to a denial of service, or possibly execute arbitrary code with
user privileges. This issue was only fixed in Ubuntu 14.04 ESM.
(CVE-2019-14973, CVE-2019-17546, CVE-2020-35523, CVE-2020-35524,
CVE-2022-3970)
It was discovered that LibTIFF was incorrectly acessing a data structure
when processing data with the tiffcrop tool, which could lead to a heap
buffer overflow. An attacker could possibly use this issue to cause a
denial of service or execute arbitrary code. (CVE-2022-48281)
UK banking group TSB is calling on social networks and dating apps to better protect their users from fake profiles, following an alarming spike in romance fraud.
Read more in my article on the Tripwire State of Security blog.
