AndroxGh0st Malware Actively Used in the Wild


FortiGuard Labs is aware that AndroxGh0st malware is actively used in the field to target .env files from the Laravel web application framework. These files contain confidential information such as credentials for high-profile services including AWS, O365, SendGrid, and Twilio.

Why is this Significant?

This is significant because AndroxGh0st malware is actively used in the field to target Laravel .env files that contain sensitive information such as credentials for AWS, O365, SendGrid, and Twilio. FortiGuard Labs observes in-the-wild AndroxGh0st attempts against more than 40,000 Fortinet devices a day.

What is AndroxGh0st Malware?

AndroxGh0st is a Python malware designed to search for and extract .env files from Laravel applications. AndroxGh0st supports numerous functions to abuse SMTP, such as scanning for and exploiting exposed credentials and APIs, and web shell deployment.

What is the Status of Protection?

FortiGuard Labs has the following AV signatures in place for known AndroxGh0st malware samples:

Python/AndroxGhost.A!tr
Python/AndroxGhost.HACK!tr
PHP/AndroxGhost.AZZA!tr
W32/AndroxGhost.HACK!tr
W32/AndroxGhost.BEAE!tr
MSIL/AndroxGhost.HACK!tr

FortiGuard Labs has the following IPS signature in place for AndroxGh0st:

AndroxGh0st.Malware
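The targeting of Laravel .env files described above is something a web server operator can look for in their own access logs. The following is an added example, not FortiGuard's code and not from the advisory; it assumes that the probes arrive as plain HTTP requests for .env paths (the page does not spell out the delivery mechanism), and the log lines it scans are constructed samples in the common combined log format. It counts .env requests per client address and separately flags any request the server answered with a 2xx status, since that is the case where the file may actually have been exposed and credentials should be rotated.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [17/Mar/2023:10:01:02 +0000] "GET /.env HTTP/1.1" 404 162 "-" "python-requests/2.28.1"
203.0.113.10 - - [17/Mar/2023:10:01:03 +0000] "GET /laravel/.env HTTP/1.1" 404 162 "-" "python-requests/2.28.1"
203.0.113.10 - - [17/Mar/2023:10:01:04 +0000] "POST / HTTP/1.1" 200 512 "-" "python-requests/2.28.1"
198.51.100.7 - - [17/Mar/2023:10:02:15 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Mar/2023:10:02:16 +0000] "GET /css/app.css HTTP/1.1" 200 800 "-" "Mozilla/5.0"
192.0.2.44 - - [17/Mar/2023:10:05:00 +0000] "GET /.env.bak HTTP/1.1" 200 1337 "-" "curl/7.81.0"
"""

# Combined log format: client, identd, user, [timestamp], "METHOD path PROTO", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A request for ".env" at any depth, including backup/variant copies such as
# ".env.bak" or ".env.production" (hypothetical variants chosen for this example).
ENV_PATH_RE = re.compile(r'(^|/)\.env(\.[A-Za-z0-9_-]+)?$')


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_env_probe(path):
    """True if the requested path (query string ignored) targets a .env file."""
    return bool(ENV_PATH_RE.search(path.split('?', 1)[0]))


def scan_access_log(text):
    """Return (probes_per_ip, successful_hits).

    probes_per_ip: Counter of .env requests keyed by client address.
    successful_hits: list of (ip, path, status) where the server answered 2xx,
    i.e. the file content was very likely served and its secrets must be rotated.
    """
    probes = Counter()
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec or not is_env_probe(rec['path']):
            continue
        probes[rec['ip']] += 1
        if rec['status'].startswith('2'):
            hits.append((rec['ip'], rec['path'], rec['status']))
    return probes, hits


if __name__ == "__main__":
    per_ip, exposed = scan_access_log(SAMPLE_LOG)
    for ip, n in per_ip.most_common():
        print(f"{ip}: {n} .env probe(s)")
    for ip, path, status in exposed:
        print(f"ALERT: {ip} fetched {path} with status {status}; rotate the secrets in that file")
```

On a real deployment, the same logic runs over the web server's access log (for example with `scan_access_log(open(path).read())`), and a non-empty `successful_hits` list is the signal to treat the AWS, O365, SendGrid and Twilio credentials in that file as compromised; a web server rule that denies requests for dot-files closes the exposure itself.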


#StopRansomware: LockBit 3.0 (AA23-075A)


On March 16th, 2023, CISA, FBI and MS-ISAC released a joint advisory on LockBit 3.0 ransomware as part of the #StopRansomware effort. LockBit 3.0, also known as LockBit Black, operates as a Ransomware-as-a-Service (RaaS) and employs a double-extortion tactic to get victims to pay ransom.

Why is this Significant?

This is significant because organizations hit by ransomware are likely to suffer from, but not limited to, operational downtime, damaged reputation, heavy cost in time and manpower due to recovery effort, and exposure of stolen data. AA23-075A is the latest #StopRansomware joint advisory released by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing & Analysis Center (MS-ISAC); it provides observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against LockBit 3.0 ransomware.

What is LockBit 3.0?

LockBit 3.0, released in mid-2022, is a ransomware variant that succeeds LockBit and LockBit 2.0. The ransomware operates as Ransomware-as-a-Service (RaaS) and employs a double-extortion tactic: victims are pressured to pay the ransom both to recover affected files and to keep stolen information from being leaked to the public.

As ransomware, LockBit 3.0 encrypts files on compromised machines. Prior to the file encryption routine, attackers exfiltrate information using custom and dual-use tools such as Stealbit and rclone, and publicly available file sharing services. The ransomware also drops a ransom note labeled [Ransomware ID].README.txt. Furthermore, LockBit 3.0 deletes shadow copies to prevent file recovery and replaces the desktop wallpaper with its own. The ransomware stops its operation if a compromised machine's language setting is set to one of a predefined list of languages such as Russian, Armenian, Belarusian, Georgian and Ukrainian.

Example of LockBit 3.0 ransomware's ransom note

What is the Status of Protection?

FortiGuard Labs has the following AV signatures in place for LockBit 3.0 samples known to us:

W32/Lockbit.K!tr.ransom
W32/Filecoder_Lockbit.H!tr
W32/BlackMatter.D!tr
W32/BlackMatter.E!tr.ransom
W32/BlackMatter.K!tr.ransom
W32/BlackMatter.O!tr.ransom
W32/Filecoder_BlackMatter.D!tr
W32/Filecoder_BlackMatter.D!tr.ransom
W32/Filecoder_BlackMatter.E!tr
W32/Filecoder_BlackMatter.E!tr.ransom
W32/AZG!tr.ransom
NSIS/Injector.AOW!tr
W32/PossibleThreat


ForgeRock, Secret Double Octopus offer passwordless authentication for enterprises


ForgeRock is adding a new passwordless authentication capability, called Enterprise Connect Passwordless, to its flagship Identity Platform product to help eliminate the need for user passwords in large organizations.

ForgeRock has partnered with Israel-based Secret Double Octopus to offer the new feature set, designed to allow companies to integrate passwordless technology into enterprise IT infrastructure and provide end users with a unified login approach to all their applications.

“While ForgeRock already offers passwordless authentication for mobile and web applications, the new Enterprise Connect Passwordless authentication extends passwordless capabilities to common enterprise infrastructure like workstations, databases, servers, and VPNs,” said Peter Barker, ForgeRock’s chief product officer.



USN-5904-2: SoX regression


USN-5904-1 fixed vulnerabilities in SoX. It was discovered that the fix for
CVE-2021-33844 was incomplete. This update fixes the problem.

Original advisory details:

Helmut Grohne discovered that SoX incorrectly handled certain inputs. If a
user or an automated system were tricked into opening a specially crafted
input file, a remote attacker could possibly use this issue to cause a
denial of service. This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM,
and Ubuntu 18.04 LTS. (CVE-2019-13590)

Helmut Grohne discovered that SoX incorrectly handled certain inputs. If a
user or an automated system were tricked into opening a specially crafted
input file, a remote attacker could possibly use this issue to cause a
denial of service. (CVE-2021-23159, CVE-2021-23172, CVE-2021-23210,
CVE-2021-33844, CVE-2021-3643, CVE-2021-40426, CVE-2022-31650, and
CVE-2022-31651)


USN-5806-3: Ruby vulnerability


USN-5806-1 fixed vulnerabilities in Ruby. This update fixes the problem
for Ubuntu 20.04 LTS.

Original advisory details:

Hiroshi Tokumaru discovered that Ruby did not properly handle certain
user input for applications which generate HTTP responses using the cgi gem.
An attacker could possibly use this issue to maliciously modify the
response a user would receive from a vulnerable application.
