CVE-2015-20108

xml_security.rb in the ruby-saml gem before 1.0.0 for Ruby allows XPath injection and code execution because prepared statements are not used.

Alleged Russian CosmicEnergy Malware Potentially Affects Power Grids in Europe and Asia

FortiGuard Labs is aware of a report that a new malware, "CosmicEnergy", designed to disrupt electric power systems was discovered. CosmicEnergy was specifically crafted to target IEC-104-compliant Remote Terminal Units (RTUs) used to control power transmission and distribution in Europe and Asia.

Why is this Significant?

This is significant because the new malware "CosmicEnergy" is capable of interacting with the devices responsible for managing power grids, leading to potential power outages. Reportedly, potentially affected devices are primarily located in Europe, the Middle East and Asia.

What is CosmicEnergy?

CosmicEnergy is a new malware that is designed to disrupt devices used for managing power grids. Reportedly, the malware may have been developed as a red team tool by a Russian cyber security company for power disruption drills.

CosmicEnergy consists of two components: PIEHOP, designed to access an MSSQL server within the victim's network and upload files to the server, and LIGHTWORK, which is capable of sending commands via the IEC-104 protocol to the connected Remote Terminal Units (RTUs).

Note that to successfully carry out an attack using CosmicEnergy, attackers are required to have various credentials beforehand, such as logins and IP addresses of the target MSSQL server, which considerably raises the attack hurdle.

How Widespread is CosmicEnergy?

FortiGuard Labs is not aware of any reports of CosmicEnergy used in the wild.

What is the Status of Coverage?

FortiGuard Labs has the following AV signatures in place for the PIEHOP installer and LIGHTWORK samples called out in the report:

W32/Agent.HOP!tr
W32/Agent.ORK!tr

Blacktail Threat Actor Exploits PaperCut Vulnerability (CVE-2023-27350) to Distribute Buhti Ransomware

FortiGuard Labs is aware of a report that the Blacktail threat actor exploited the recently patched PaperCut vulnerability (CVE-2023-27350) to distribute the Windows version of Buhti ransomware. The IBM Aspera Faspex code execution vulnerability (CVE-2022-47986) is also reportedly being exploited by the same threat actor.

Why is this Significant?

This is significant because the Blacktail threat actor reportedly exploited the recently patched PaperCut vulnerability to deploy the Windows version of Buhti ransomware. As such, the patch should be applied as soon as possible.

What is Buhti Ransomware?

Buhti is a ransomware variant that was first spotted in February 2023 and is designed to encrypt files on compromised machines. Blacktail, the threat actor behind the Buhti ransomware, is believed to use a unique data exfiltration tool to steal various files prior to ransomware deployment. The group demands a ransom from victims for file decryption and to stop the stolen files from being made available to the public.

Blacktail reportedly exploited the PaperCut MF/NG Improper Access Control vulnerability (CVE-2023-27350) to distribute the Windows version of Buhti ransomware, which is believed to be based on leaked Lockbit 3.0 ransomware code. Another Buhti variant supports Linux platforms and is based on the leaked Babuk ransomware code.

Another report indicates that the Blacktail group also exploited the IBM Aspera Faspex code execution vulnerability (CVE-2022-47986).

What is the PaperCut Vulnerability (CVE-2023-27350)?

CVE-2023-27350 is an authentication bypass vulnerability in PaperCut NG due to improper access control in the vulnerable application. An unauthenticated, remote attacker may be able to exploit this via a crafted request. Successful exploitation could lead to arbitrary code execution within the security context of the affected system.

CISA added CVE-2023-27350 to the Known Exploited Vulnerabilities catalog on April 21st, 2023.

FortiGuard Labs published an Outbreak Alert for the PaperCut vulnerability. Please see the Appendix for a link to "Outbreak Alert: PaperCut MF/NG Improper Access Control Vulnerability".

What is the IBM Aspera Faspex code execution vulnerability (CVE-2022-47986)?

CVE-2022-47986 is a code execution vulnerability in IBM Aspera Faspex stemming from improper handling of user requests. A remote attacker could exploit this vulnerability by sending a crafted message to the target system. Successfully exploiting this vulnerability could result in remote code execution.

CISA added CVE-2022-47986 to the Known Exploited Vulnerabilities catalog on February 21st, 2023.

FortiGuard Labs published an Outbreak Alert for the IBM Aspera Faspex code execution vulnerability. Please see the Appendix for a link to "Outbreak Alert: IBM Aspera Faspex Code Execution Vulnerability".

What is the Status of Protection?

FortiGuard Labs has the following AV signatures in place for the known Buhti ransomware samples:

Linux/Filecoder.BQ!tr
W32/Lockbit.K!tr.ransom

FortiGuard Labs has the following IPS signatures in place for CVE-2023-27350 and CVE-2022-47986 respectively:

PaperCut.NG.SetupCompleted.Authentication.Bypass
IBM.Aspera.Faspex.CVE-2022-47986.Remote.Code.Execution