Category Archives: Advisories

New Wiper Malware “Fantasy” Used in Supply-Chain Attack

FortiGuard Labs is aware of a report that a new wiper malware, “Fantasy”, was deployed by potentially leveraging an unidentified software product commonly used in the diamond industry. The report states that Fantasy wiper victims were observed in South Africa, Israel, and Hong Kong. The wiper malware reportedly targets over 300 file extensions for files to overwrite and delete.

Why is this Significant?

This is significant because Fantasy is a new wiper malware that overwrites and deletes files on compromised machines and has victimized multiple organizations. Fantasy wiper is believed to have been deployed to the victims’ machines through the update mechanism of an unidentified software product commonly used in the diamond industry, which classifies the attack as a supply-chain attack.

What is Fantasy Wiper?

Fantasy wiper is a destructive malware that overwrites and deletes files on compromised machines. Fantasy wiper was reportedly executed using a batch file dropped by another malware named “Sandals”. The Sandals malware uses credentials and hostnames collected by the threat actor prior to the deployment of Sandals and Fantasy to move laterally in the victim’s network. Fantasy wiper also deletes Windows event logs, all files on the system drive and the file system cache memory, and overwrites the Master Boot Record (MBR).

Who is behind the Fantasy Wiper Attack?

The attack was attributed to the Agrius threat actor group. Agrius’ activities are believed to align with Iran’s interests. The Apostle and Deadwood wipers were previously linked to the Agrius group.

What is the Status of Coverage?

FortiGuard Labs detects Fantasy wiper with the following AV signature:

MSIL/KillDisk.I!tr

Other relevant samples used in the reported attack are detected with the following AV signatures:

BAT/Agent.NRG!tr
MSIL/Agent.F871!tr
Riskware/HackTool
Riskware/LsassDumper

New Redigo Malware Targets Vulnerable Redis Servers

FortiGuard Labs is aware of a report that a new malware named “Redigo” was observed to have been installed on Redis honeypot servers vulnerable to CVE-2022-0543. The compromised Redis servers are likely used to perform Distributed Denial of Service (DDoS) attacks and cryptomining.

Why is this Significant?

This is significant because Redigo was installed on vulnerable Redis servers. Redis is an in-memory key-value store that can act as a high-performance database and cache server. Compromised servers are under the control of remote attackers and are likely used for malicious activities.

Created by Google, the Go programming language is platform independent and can run on various operating systems. Once considered novel, Golang malware is on the rise. FortiGuard Labs has recently published a report on Zerobot, a new IoT botnet written in Golang.

What is Redigo Malware?

Redigo is a new Golang-based malware that was found to be installed on Redis servers vulnerable to CVE-2022-0543. Compromised Redis servers connect to malicious Command-and-Control (C2) servers that are likely used for DDoS attacks and cryptomining.

What is CVE-2022-0543?

CVE-2022-0543 is a vulnerability in Redis Debian packages disclosed in February 2022. Successful exploitation of the vulnerability allows remote attackers to execute arbitrary code on vulnerable Redis servers. CVE-2022-0543 has a CVSS score of 10.0.

Is a Patch Available for CVE-2022-0543?

Yes, a patch is available.

What is the Status of Coverage?

FortiGuard Labs provides the following AV signatures for Redigo:

Linux/Redis.A!tr
PossibleThreat

The reported C2 server is blocked by Webfiltering.

FortiGuard Labs provides the following IPS signature for CVE-2022-0543:

Redis.Lua.Sandbox.Remote.Code.Execution

CVE-2019-25078

A vulnerability classified as problematic was found in pacparser up to 1.3.x. Affected by this vulnerability is the function pacparser_find_proxy of the file src/pacparser.c. The manipulation of the argument url leads to a buffer overflow. Attacking locally is a requirement. Upgrading to version 1.4.0 addresses this issue. The name of the patch is 853e8f45607cb07b877ffd270c63dbcdd5201ad9. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-215443.

CVE-2021-0934

In findAllDeAccounts of AccountsDb.java, there is a possible denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Product: Android
Versions: Android-10 Android-11 Android-12 Android-12L Android-13
Android ID: A-169762606

protobuf-3.19.6-1.fc37

FEDORA-2022-25f35ed634

Packages in this update:

protobuf-3.19.6-1.fc37

Update description:

Selected notes from packaging changes and improvements:

3.19.6 fixes CVE-2022-3171
3.19.5 fixes CVE-2022-1941
License updated to SPDX
Unnecessary dependency on python3-six removed
Python extension is now the compiled C++ version, improving performance
All subpackages now have the license file or depend on something that does
The -vim subpackage now depends on vim-filesystem, no longer on vim-enhanced
Added a man page for protoc

See PR for more details.

USN-5777-1: Pillow vulnerabilities

It was discovered that Pillow incorrectly handled the deletion of temporary
files when using a temporary directory that contains spaces. An attacker could
possibly use this issue to delete arbitrary files. This issue only affected
Ubuntu 20.04 LTS. (CVE-2022-24303)

It was discovered that Pillow incorrectly handled the decompression of highly
compressed GIF data. An attacker could possibly use this issue to cause Pillow
to crash, resulting in a denial of service. (CVE-2022-45198)

USN-5776-1: containerd vulnerabilities

It was discovered that containerd incorrectly handled memory
when receiving certain faulty Exec or ExecSync commands. A remote
attacker could possibly use this issue to cause a denial of service
or crash containerd. (CVE-2022-23471, CVE-2022-31030)

It was discovered that containerd incorrectly set up inheritable file
capabilities. An attacker could possibly use this issue to escalate
privileges inside a container. This issue only affected Ubuntu 18.04 LTS,
Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-24769)

It was discovered that containerd incorrectly handled access to encrypted
container images when using the imgcrypt library. A remote attacker could
possibly use this issue to access encrypted images from other users.
This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and
Ubuntu 22.04 LTS. (CVE-2022-24778)

A Vulnerability in Fortinet’s FortiOS Could Allow for Arbitrary Code Execution

A vulnerability has been discovered in Fortinet’s FortiOS which could allow for arbitrary code execution. FortiOS is Fortinet’s proprietary operating system, which is used across multiple product lines. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
