Multiple vulnerabilities have been discovered in VMware vRealize Network Insight (vRNI), the most severe of which could result in arbitrary code execution. VMware vRealize Network Insight (vRNI) is an IT management platform which enables visibility, optimization and management of an organization’s physical, virtual and cloud infrastructure. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Multiple vulnerabilities have been discovered in Mozilla Firefox, Firefox Extended Support Release (ESR) and Mozilla Thunderbird, the most severe of which could allow for arbitrary code execution.
Mozilla Firefox is a web browser used to access the Internet.
Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations.
Mozilla Thunderbird is an email client.
Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
On December 11th, 2022, FortiGuard Labs observed a significant spike in IPS signature “TP-Link.Tapo.C200.IP.Camera.Command.Injection”. The IPS signature is for CVE-2021-4045 and detects an attack to exploit a Command Injection vulnerability in TP-Link Tapo C200 IP Camera. Successful exploitation of the vulnerability allows remote attackers to gain control of vulnerable devices.Why is this Significant?This is significant due to the detection spike in our IPS signature, which indicates attackers are attempting to exploit TP-Link Tapo C200 IP Camera devices vulnerable to CVE-2021-4045. Also, proof-of-concept (PoC) code for CVE-2021-4045 is readily available. As such, firmware updates need to be applied to the vulnerable devices as soon as possible.What is CVE-2021-4045?CVE-2021-4045 is a Command Injection vulnerability in TP-Link Tapo C200 IP Camera. Successful exploitation of the vulnerability allows remote attackers to gain control of vulnerable devices. CVE-2021-4045 impacts Tapo C200 version 1.15 and below and has a CVSS score of 9.8. How Widespread is the Attack?Based on the telemetry collected by FortiGuard Labs last 24 hours, 24.55% of the detected exploit attempts came from unidentified countries, followed by Japan (22.48%) and the United States (13.95%).Top 10 Countries where “TP-Link.Tapo.C200.IP.Camera.Command.Injection” was Detected last 24 hours
Country
Percentage
Unknown
24.55%
Japan
22.48%
United States
13.95%
Italy
5.43%
Austria
3.88%
Switzerland
2.84%
Netherlands
2.58%
Germany
2.33%
Belgium
2.07%
Canada
2.07%
Has the Vendor Released a Patch for CVE-2021-4045?Yes, the vendor released firmware with a fix.
FortiGuard Labs is aware of a report that the “Cluster B” group who is an alleged affiliate to the Iranian threat actor “Cobalt Mirage” deployed Drokbk malware to victims’ machines. Drokbk uses Github to retrieve a Command-and-Control (C2) server location. According to the report, the Cluster B threat actor was observed to have used Drokbk in an attack against a U.S. government network in early 2022.Why is this Significant?This is significant because Drokbk malware was reportedly deployed to a compromised U.S. government networks in early 2022. Security vendor Secureworks attributed Drokbk to the “Cluster B” group who is an affiliate to an alleged Iranian threat actor “Cobalt Mirage”.What is Drokbk Malware?Drokbk is a .NET malware which prime functionality is to execute remote commands served from its Command-and-Control (C2) servers. The malware is designed to retrieve C2 locations from publicly available services such as Github.According to Secureworks, Drokbk was deployed to a U.S. government network in early February 2022 compromised by leveraging Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046).FortiGuard Labs previously released Outbreak Alert and Threat Signal for Log4j vulnerabilities. See the Appendix for a link to “Outbreak Alert: Apache Log4j2 Vulnerability” and “Apache Log4J Remote Code Execution Vulnerability (CVE-2021-44228)”.What is the Status of Coverage?FortiGuard Labs detect available samples in the report with the following AV signatures:MSIL/Agent.3606!trW64/MaliceyElie.84DB!trW32/PossibleThreatPossibleThreatFortiGuard Labs has IPS coverage in place for CVE-2021-44228 and CVE-2021-45046:Apache.Log4j.Error.Log.Remote.Code.ExecutionAll network IOCs in the report are blocked by Webfiltering.
FortiGuard Labs is aware of a report that a new wiper malware “Fantasy” that was deployed by potentially leveraging an unidentified software commonly used in the diamond industry. The report states that Fantasy wiper victims were observed in South Africa, Israel, and Hong Kong. The wiper malware reportedly targets over 300 file extensions for files to overwrite and delete.Why is this Significant?This is significant because Fantasy is a new wiper malware that overwrites and deletes files on compromised machines and have victimized multiple organizations. Fantasy wiper is believed to have been deployed to the victims’ machines through update mechanism of an unidentified software commonly used in the diamond industry, which classifies the attack as a supply-chain attack.What is Fantasy Wiper?Fantasy wiper is a destructive malware that overwrites and deletes files on compromised machines. Fantasy wiper was reportedly executed using a batch file dropped by another malware named “Sandals”. Sandals malware leverages credentials and hostnames collected by the threat actor prior to the deployment of Sandals and Fantasy for lateral movement in victim’s network.Fantasy wiper also deletes Windows event logs, all files in system drive and file system cache memory and overwrites the Master Boot Record (MBR).Who is behind the Fantasy Wiper Attack?The attack was attributed to the Agrius threat actor group. Agrius’ activities are believed to be align with Iran’s interests. Apostle and Deadwood wiper are previously linked to the Agrius group.What is the Status of Coverage?FortiGuard Labs detects Fantasy wiper with the following AV signature:MSIL/KillDisk.I!trOther relevant samples used in the reported attack are detected with the following AV signatures:BAT/Agent.NRG!trMSIL/Agent.F871!trRiskware/HackToolRiskware/LsassDumper
FortiGuard Labs is aware of a report that a new malware named “Redigo” was observed to have been installed on Redis honeypot servers vulnerable to CVE-2022-0543. The compromised Redis servers are likely used to perform Distributed Denial of Service (DDoS) attacks and cryptomining.Why is this Significant?This is significant because Redigo was installed on vulnerable Redis servers. Redis is an in-memory key-value store that can act as a high-performance database and cache server. Compromised servers are in control by remote attackers and are likely used for malicious activities.Created by Google, the Go programming language is platform independent and can run on various operating systems. Once considered novel, Golang malware is on the rise. FortiGuard Labs has recently published Zerobot, a new IoT botnet written in Golang.What is Redigo Malware?Redigo is a new Golang-based malware that was found to be installed on Redis servers vulnerable to CVE-2022-0543. Compromised Redis servers will be connected to malicious Command-and-Control (C2) servers that are likely used for DDoS attacks and cryptomining.What is CVE-2022-0543?CVE-2022-0543 is a vulnerability in Redis Debian packages disclosed in February 2022. Successful exploitation of the vulnerability allows remote attackers to execute arbitrary code on vulnerable Redis servers. CVE-2022-0543 has a CVSS score of 10.0.Is a Patch Available for CVE-2022-0543?Yes, a patch is available.What is the Status of Coverage?FortiGuard Labs provides the following AV signatures for Redigo:Linux/Redis.A!trPossibleThreatThe reported C2 server is blocked by Webfiltering.FortiGuard Labs provides the following IPS signature for CVE-2022-0543:Redis.Lua.Sandbox.Remote.Code.Execution
A vulnerability classified as problematic was found in pacparser up to 1.3.x. Affected by this vulnerability is the function pacparser_find_proxy of the file src/pacparser.c. The manipulation of the argument url leads to buffer overflow. Attacking locally is a requirement. Upgrading to version 1.4.0 is able to address this issue. The name of the patch is 853e8f45607cb07b877ffd270c63dbcdd5201ad9. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-215443.
