libsignal-protocol-c-2.3.3-8.fc37

FEDORA-2023-6cfe134db6

Packages in this update:

libsignal-protocol-c-2.3.3-8.fc37

Update description:

Backport a fix for CVE-2022-48468 for protobuf-c, which is bundled in libsignal-protocol-c.

https://github.com/protobuf-c/protobuf-c/commit/ec3d900001a13ccdaa8aef996b34c61159c76217
https://github.com/protobuf-c/protobuf-c/issues/499
https://github.com/protobuf-c/protobuf-c/pull/513
https://github.com/protobuf-c/protobuf-c/releases/tag/v1.4.1

libsignal-protocol-c-2.3.3-8.el9

FEDORA-EPEL-2023-85fa59ae88

Packages in this update:

libsignal-protocol-c-2.3.3-8.el9

Update description:

Backport a fix for CVE-2022-48468 for protobuf-c, which is bundled in libsignal-protocol-c.

https://github.com/protobuf-c/protobuf-c/commit/ec3d900001a13ccdaa8aef996b34c61159c76217
https://github.com/protobuf-c/protobuf-c/issues/499
https://github.com/protobuf-c/protobuf-c/pull/513
https://github.com/protobuf-c/protobuf-c/releases/tag/v1.4.1

libsignal-protocol-c-2.3.3-9.fc38

FEDORA-2023-4e094d5297

Packages in this update:

libsignal-protocol-c-2.3.3-9.fc38

Update description:

Backport a fix for CVE-2022-48468 for protobuf-c, which is bundled in libsignal-protocol-c.

https://github.com/protobuf-c/protobuf-c/commit/ec3d900001a13ccdaa8aef996b34c61159c76217
https://github.com/protobuf-c/protobuf-c/issues/499
https://github.com/protobuf-c/protobuf-c/pull/513
https://github.com/protobuf-c/protobuf-c/releases/tag/v1.4.1

A Vulnerability in Novi Survey Could Allow for Arbitrary Code Execution

A vulnerability has been discovered in Novi Survey which could allow for arbitrary code execution. Successful exploitation of this vulnerability could allow remote attackers to execute arbitrary code on the server in the context of the service account on affected installations of Novi Survey. Depending on the privileges associated with the service account, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Increase in BlackCat Ransomware Activity Observed

FortiGuard Labs is aware of a spate of recent BlackCat ransomware attacks targeting numerous entities in the past few weeks. This threat signal, along with our previous Threat Signals [1,2] on BlackCat, is intended to provide some perspective on this group and its Ransomware as a Service model, along with its known tactics, techniques and procedures (TTPs), as well as the protections available from FortiGuard Labs for known samples.

What is BlackCat?

BlackCat, also known as AlphaV, is one of the more popular ransomware variants of 2023, second only to LockBit, which holds the top spot. It is a ransomware-as-a-service (RaaS) operation that targets both Windows and Linux platforms. BlackCat is believed to be a rehash of DarkMatter, which attacked Colonial Pipeline in 2021 in a highly publicized attack. Besides encrypting files for ransom, the group exfiltrates data and uses blackmail techniques, including the disclosure of sensitive and personally identifiable information (PII), to create additional pressure on the victim for payment. In addition to the damage already done by an affiliate, BlackCat affiliates have been observed using triple extortion tactics. Triple extortion differs from double extortion in that it adds another component of stress on top of the typical encryption of files and threats to publish stolen data to the Internet: the threat actors (affiliates) pressure victims with further techniques (such as, but not limited to, DDoS and contacting the victim’s business associates) to push for payment.

What Sectors Are Targeted?

From our FortiRecon service, we can see that Manufacturing (8%) tops the list of targets of BlackCat/AlphaV, followed by a close second and third, Business Services (7%) and Law Firms & Legal Services (5%) respectively.

What Countries Are Being Targeted?

From our FortiRecon service, we can see that the United States (37%) tops the list of targets of BlackCat/AlphaV.
Followed by a distant second and third are Canada (7%) and Australia (3%). The United States, Canada and Australia topping the list is unsurprising, given that various reports from other cybersecurity vendors have shown the same targeted regions.

What Language is BlackCat Written in?

Rust.

When did BlackCat First Appear?

It was first seen in November of 2021.

Why is BlackCat Successful?

It has a high payout and a customizable set of features for its affiliates. It uses a “wall of shame” website to blackmail victims and promote its attacks. BlackCat is also popular because various reports have stated that the group pays affiliates at least 80-90 percent of the ransomware payout.

What is the RaaS model?

The Ransomware as a Service (RaaS) model consists of the ransomware developer and the affiliate. Affiliates are typically recruited and are typically hired professionals in the cybercrime space. They are recruited to perform the various steps needed to compromise and gain access to a targeted network and ultimately deploy the ransomware. They work with the ransomware developer to secure payment (the developer provides the decryption key after payment is made), and ultimately the affiliate receives a significant portion of the ransom (anywhere from 70-90 percent). This is a symbiotic relationship: it pairs a party that may not be proficient in development (the affiliate) with one that may lack knowledge of brute forcing, pen testing, exploitation of vulnerabilities, lateral movement, etc. (the ransomware developer). Another key factor in this relationship is that the developer can focus on improving the ransomware while the hired affiliate does the hard, dirty work. We have seen this with GandCrab in the past, where various improvements and evasions of AV and other security products were implemented across releases.
RaaS services have all the attributes of a well-run enterprise that rivals many organizations, but obviously an illegal one.

Any Suggested Mitigation?

To ensure the security of your organization and prevent unauthorized access by a threat actor, there are several best practices recommended by FortiGuard Labs. Start by regularly reviewing domain controllers, servers, workstations, and Active Directory for new accounts. Back up all data frequently and keep backup copies offline. Check Task Scheduler for unrecognized tasks and random processes, and check all logs for unexpected shutdowns. Implement network segmentation and define the steps of a recovery plan if one is not already available. Install updates and patches as soon as they become available. Use multifactor authentication and change passwords regularly. Disable unused remote access ports and monitor logs for potential malicious activity. Audit user accounts routinely and frequently, and audit user accounts with administrative privileges in particular. Finally, keep all antivirus and anti-malware software updated in a timely manner.

What is the Status of Coverage?

The FortiGuard Labs FortiEDR solution has a comprehensive knowledge base article that highlights detection and mitigation coverage for BlackCat/AlphaV along with post-execution behavior.
Please refer to Threat Coverage: How FortiEDR protects against BlackCat (ALPHV) ransomware for further details.

FortiGuard Labs has the following (AV) signatures in place for associated BlackCat ransomware samples:

ELF/Encoder.46B8!tr.ransom, ELF/Encoder.5BD0!tr.ransom, Linux/Filecoder_BlackCat.A!tr, Linux/Filecoder_BlackCat.G!tr, Linux/Filecoder_BlackCat.K!tr, PossibleThreat, PowerShell/Agent.GU!tr, W32/Agent.1164!tr, W32/BlackCat.26B0!tr, W32/BlackCat.A!tr.ransom, W32/BlackCat.BF43!tr.ransom, W32/Expiro.NDG, W32/Filecoder.5F85!tr.ransom, W32/Filecoder.A!tr.ransom, W32/Filecoder.OMZ!tr.ransom, W32/Filecoder_BlackCat.A!tr.ransom, W32/GenericKD.47303031!tr, W32/GenKryptik.CNLN!tr, W32/Nitol.AB!tr, W32/PossibleThreat, W32/Ransom.BLACKCAT!tr, W64/Filecoder.GG!tr

MITRE ATT&CK

Each row below gives the Technique ID, the Technique Description, and the Observed Activity.

TA0002 – Execution

T1059.001 – Command and Scripting Interpreter: cmd.exe – BlackCat ransomware uses cmd.exe commands to delete the volume shadow copies.
T1047 – Windows Management Instrumentation – BlackCat ransomware uses the command “wmic.exe Shadowcopy Delete” to access the WMI service to identify and delete volume shadow copies.

TA0007 – Discovery

T1083 – File and Directory Discovery – BlackCat ransomware searches directories and the files inside them for encryption.
T1018 – Remote System Discovery – BlackCat ransomware searches for network IP addresses by checking ARP table entries.

TA0008 – Lateral Movement

T1210 – Exploitation of Remote Services – BlackCat ransomware tries to connect to other endpoints, identified by scraping ARP table entries on compromised endpoints, through NetBIOS services on port 137.
TA0005 – Defense Evasion

T1112 – Modify Registry – BlackCat ransomware modifies registry values under “Control Panel\Desktop” to display ransom notes after reboot.
T1562.001 – Impair Defenses: Disable or Modify Tools – BlackCat ransomware terminates processes on affected endpoints before starting the encryption process. The processes/services killed by the malware are: “mepocs”, “memtas”, “veeam”, “svc$”, “backup”, “sql”, “vss”, “msexchange”, “sql$”, “mysql”, “mysql$”, “sophos”, “MSExchange”, “MSExchange$”, “WSBExchange”, “PDVFSService”, “BackupExecVSSProvider”, “BackupExecAgentAccelerator”, “BackupExecAgentBrowser”, “BackupExecDiveciMediaService”, “BackupExecJobEngine”, “BackupExecManagementService”, “BackupExecRPCService”, “GxBlr”, “GxVss”, “GxClMgrS”, “GxCVD”, “GxCIMgr”, “GXMMM”, “GxVssHWProv”, “GxFWD”, “SAPService”, “SAP”, “SAP$”, “SAPD$”, “SAPHostControl”, “SAPHostExec”, “QBCFMonitorService”, “QBDBMgrN”, “QBIDPService”, “AcronisAgent”, “VeeamNFSSvc”, “VeeamDeploymentService”, “VeeamTransportSvc”, “MVArmor”, “MVarmor64”, “VSNAPVSS”, “AcrSch2Svc”

TA0040 – Impact

T1486 – Data Encrypted for Impact – BlackCat ransomware encrypts files on the infected system.
T1490 – Inhibit System Recovery – BlackCat ransomware tries to delete the shadow copies by executing the “wmic.exe Shadowcopy Delete” command and the vssadmin command through cmd.exe.
T1489 – Service Stop – BlackCat ransomware disables services to allow the encryption process to more effectively encrypt key files on affected endpoints. The list of processes/services killed by the malware is the same as the one given under T1562.001 above.
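As an added example (not FortiGuard's code), the following Python checks constructed process-creation records against the shadow-copy deletion commands (T1047, T1490) and the service-stop targets (T1489, T1562.001) from the ATT&CK rows above; the record layout, the kill-list subset and the sample lines are assumptions made for the example.

```python
import re

# Subset of the services the page lists as terminated by BlackCat before encryption.
BLACKCAT_KILL_LIST = {
    "mepocs", "memtas", "veeam", "svc$", "backup", "sql", "vss", "msexchange",
    "sql$", "mysql", "mysql$", "sophos", "wsbexchange", "pdvfsservice",
    "backupexecvssprovider", "acronisagent", "veeamnfssvc", "vsnapvss", "acrsch2svc",
}

# Shadow-copy deletion commands named in the T1047 / T1490 rows.
SHADOW_COPY_DELETE = re.compile(
    r"wmic(?:\.exe)?\s+shadowcopy\s+delete|vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)

# Service-stop commands (net stop / sc stop) relevant to T1489 and T1562.001.
SERVICE_STOP = re.compile(r'\b(?:net|sc)(?:\.exe)?\s+stop\s+"?([\w$]+)"?', re.I)

def classify(cmdline: str) -> list:
    """Return the ATT&CK technique IDs from the page that a command line matches."""
    hits = []
    if SHADOW_COPY_DELETE.search(cmdline):
        hits.append("T1490")
        if re.search(r"\bwmic\b", cmdline, re.I):
            hits.append("T1047")  # shadow copies removed through the WMI service
    m = SERVICE_STOP.search(cmdline)
    if m and m.group(1).lower() in BLACKCAT_KILL_LIST:
        hits.append("T1489")
    return hits

def scan_log(lines):
    """Return (record_no, technique_ids) for every record that matches a rule."""
    findings = []
    for n, line in enumerate(lines, 1):
        hits = classify(line)
        if hits:
            findings.append((n, hits))
    return findings

# Constructed process-creation records (not real telemetry); the field layout is hypothetical.
SAMPLE_LOG = [
    r"ProcessCreate Parent=explorer.exe Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c dir",
    r"ProcessCreate Parent=enc.exe Image=C:\Windows\System32\wbem\wmic.exe CommandLine=wmic.exe Shadowcopy Delete",
    r"ProcessCreate Parent=enc.exe Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c vssadmin delete shadows /all /quiet",
    r'ProcessCreate Parent=enc.exe Image=C:\Windows\System32\net.exe CommandLine=net stop "VeeamNFSSvc" /y',
    r"ProcessCreate Parent=services.exe Image=C:\Windows\System32\net.exe CommandLine=net stop Spooler",
]

if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG):
        print(f"record {n}: {', '.join(hits)}")
```

Only records 2, 3 and 4 match; the benign `net stop Spooler` does not, because the service name is not on the page's kill list.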

ThinkPHP RCE Vulnerabilities (CVE-2019-9082, CVE-2018-20062) Actively Exploited in the Wild

FortiGuard Labs is observing active exploitation of several ThinkPHP remote code execution vulnerabilities (CVE-2019-9082 and CVE-2018-20062). Successful exploitation of the vulnerabilities could allow a remote attacker to execute arbitrary code on the affected system. Both vulnerabilities are on CISA’s Known Exploited Vulnerabilities (KEV) catalog.

Why is this Significant?

This is significant because active exploitation of CVE-2019-9082 and CVE-2018-20062 is being observed. Also, Proof-of-Concept (PoC) code is publicly available for both vulnerabilities, and they are on CISA’s Known Exploited Vulnerabilities (KEV) catalog. As such, patches should be applied as soon as possible.

What is CVE-2019-9082?

CVE-2019-9082 is a PHP injection vulnerability that affects ThinkPHP prior to version 3.2.4. Successful exploitation could allow a remote attacker to execute arbitrary code on the affected system. The vulnerability has a CVSS base score of 8.8.

What is CVE-2018-20062?

CVE-2018-20062 is a PHP injection vulnerability that affects ThinkPHP prior to version 5.0.23. Successful exploitation could allow a remote attacker to execute arbitrary code on the affected system. The vulnerability has a CVSS base score of 9.8.

Is a Patch Available for CVE-2019-9082 and CVE-2018-20062?

Yes, a patch is available for both CVE-2019-9082 and CVE-2018-20062.

What is the Status of Protection?

FortiGuard Labs has the following IPS signature in place for CVE-2019-9082 and CVE-2018-20062:

ThinkPHP.Controller.Parameter.Remote.Code.Execution

Russian cyber spy group APT28 backdoors Cisco routers via SNMP

APT28, the hacking arm of Russia’s GRU military intelligence agency, has been backdooring Cisco routers by exploiting a remote code execution vulnerability in the Cisco IOS implementation of the Simple Network Management Protocol (SNMP), according to a statement by Western security agencies. The malware deployed on compromised routers patches the router’s authentication mechanism so that it always accepts any password for any local user.

“In 2021, APT28 used infrastructure to masquerade simple network management protocol (SNMP) access into Cisco routers worldwide,” the UK National Cyber Security Centre (NCSC) said in a joint advisory with the US National Security Agency (NSA), the US Cybersecurity and Infrastructure Security Agency (CISA), and the US Federal Bureau of Investigation (FBI). “This included a small number based in Europe, US government institutions, and approximately 250 Ukrainian victims.”

BrandPost: The status quo for DNS security isn’t working

The Domain Name System (DNS) is often referred to as the phone book of the internet. DNS translates web addresses, which people use, into IP addresses, which machines use. But DNS was not designed with security in mind. And even though companies have invested incredible amounts of money into their security stack (and even though they’ve had since the 1980s to figure this out), DNS traffic often goes unmonitored.

This has only worsened with the adoption of encrypted DNS, known as DNS-over-HTTPS (DoH). Since its introduction in late 2018, DoH has grown from a personal privacy feature that most IT teams blocked outright, to an encouraged enterprise privacy and security function. While DoH protects traffic in transit, it also leaves organizations with little to no visibility over what’s happening with their DNS queries.
