FortiGuard Labs is aware of a report that the “Cluster B” group who is an alleged affiliate to the Iranian threat actor “Cobalt Mirage” deployed Drokbk malware to victims’ machines. Drokbk uses Github to retrieve a Command-and-Control (C2) server location. According to the report, the Cluster B threat actor was observed to have used Drokbk in an attack against a U.S. government network in early 2022.Why is this Significant?This is significant because Drokbk malware was reportedly deployed to a compromised U.S. government networks in early 2022. Security vendor Secureworks attributed Drokbk to the “Cluster B” group who is an affiliate to an alleged Iranian threat actor “Cobalt Mirage”.What is Drokbk Malware?Drokbk is a .NET malware which prime functionality is to execute remote commands served from its Command-and-Control (C2) servers. The malware is designed to retrieve C2 locations from publicly available services such as Github.According to Secureworks, Drokbk was deployed to a U.S. government network in early February 2022 compromised by leveraging Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046).FortiGuard Labs previously released Outbreak Alert and Threat Signal for Log4j vulnerabilities. See the Appendix for a link to “Outbreak Alert: Apache Log4j2 Vulnerability” and “Apache Log4J Remote Code Execution Vulnerability (CVE-2021-44228)”.What is the Status of Coverage?FortiGuard Labs detect available samples in the report with the following AV signatures:MSIL/Agent.3606!trW64/MaliceyElie.84DB!trW32/PossibleThreatPossibleThreatFortiGuard Labs has IPS coverage in place for CVE-2021-44228 and CVE-2021-45046:Apache.Log4j.Error.Log.Remote.Code.ExecutionAll network IOCs in the report are blocked by Webfiltering.
FortiGuard Labs is aware of a report that a new wiper malware “Fantasy” that was deployed by potentially leveraging an unidentified software commonly used in the diamond industry. The report states that Fantasy wiper victims were observed in South Africa, Israel, and Hong Kong. The wiper malware reportedly targets over 300 file extensions for files to overwrite and delete.Why is this Significant?This is significant because Fantasy is a new wiper malware that overwrites and deletes files on compromised machines and have victimized multiple organizations. Fantasy wiper is believed to have been deployed to the victims’ machines through update mechanism of an unidentified software commonly used in the diamond industry, which classifies the attack as a supply-chain attack.What is Fantasy Wiper?Fantasy wiper is a destructive malware that overwrites and deletes files on compromised machines. Fantasy wiper was reportedly executed using a batch file dropped by another malware named “Sandals”. Sandals malware leverages credentials and hostnames collected by the threat actor prior to the deployment of Sandals and Fantasy for lateral movement in victim’s network.Fantasy wiper also deletes Windows event logs, all files in system drive and file system cache memory and overwrites the Master Boot Record (MBR).Who is behind the Fantasy Wiper Attack?The attack was attributed to the Agrius threat actor group. Agrius’ activities are believed to be align with Iran’s interests. Apostle and Deadwood wiper are previously linked to the Agrius group.What is the Status of Coverage?FortiGuard Labs detects Fantasy wiper with the following AV signature:MSIL/KillDisk.I!trOther relevant samples used in the reported attack are detected with the following AV signatures:BAT/Agent.NRG!trMSIL/Agent.F871!trRiskware/HackToolRiskware/LsassDumper
FortiGuard Labs is aware of a report that a new malware named “Redigo” was observed to have been installed on Redis honeypot servers vulnerable to CVE-2022-0543. The compromised Redis servers are likely used to perform Distributed Denial of Service (DDoS) attacks and cryptomining.Why is this Significant?This is significant because Redigo was installed on vulnerable Redis servers. Redis is an in-memory key-value store that can act as a high-performance database and cache server. Compromised servers are in control by remote attackers and are likely used for malicious activities.Created by Google, the Go programming language is platform independent and can run on various operating systems. Once considered novel, Golang malware is on the rise. FortiGuard Labs has recently published Zerobot, a new IoT botnet written in Golang.What is Redigo Malware?Redigo is a new Golang-based malware that was found to be installed on Redis servers vulnerable to CVE-2022-0543. Compromised Redis servers will be connected to malicious Command-and-Control (C2) servers that are likely used for DDoS attacks and cryptomining.What is CVE-2022-0543?CVE-2022-0543 is a vulnerability in Redis Debian packages disclosed in February 2022. Successful exploitation of the vulnerability allows remote attackers to execute arbitrary code on vulnerable Redis servers. CVE-2022-0543 has a CVSS score of 10.0.Is a Patch Available for CVE-2022-0543?Yes, a patch is available.What is the Status of Coverage?FortiGuard Labs provides the following AV signatures for Redigo:Linux/Redis.A!trPossibleThreatThe reported C2 server is blocked by Webfiltering.FortiGuard Labs provides the following IPS signature for CVE-2022-0543:Redis.Lua.Sandbox.Remote.Code.Execution
A vulnerability classified as problematic was found in pacparser up to 1.3.x. Affected by this vulnerability is the function pacparser_find_proxy of the file src/pacparser.c. The manipulation of the argument url leads to buffer overflow. Attacking locally is a requirement. Upgrading to version 1.4.0 is able to address this issue. The name of the patch is 853e8f45607cb07b877ffd270c63dbcdd5201ad9. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-215443.
In findAllDeAccounts of AccountsDb.java, there is a possible denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12L Android-13Android ID: A-169762606
Selected notes from packaging changes and improvements:
3.19.6 fixes CVE-2022-3171
3.19.5 fixes CVE-2022-1941
License updated to SPDX
Unnecessary dependency on python3-six removed
Python extension is now the compiled C++ version, improving performance
All subpackages now have the license file or depend on something that does
The -vim subpackage now depends on vim-filesystem, no longer on vim-enhanced
Added a man page for protoc
EXEMSI MSI Wrapper Versions prior to 10.0.50 and at least since version 6.0.91 will introduce a local privilege escalation vulnerability in installers it creates.
It was discovered that Pillow incorrectly handled the deletion of temporary
files when using a temporary directory that contains spaces. An attacker could
possibly use this issue to delete arbitrary files. This issue only affected
Ubuntu 20.04 LTS. (CVE-2022-24303)
It was discovered that Pillow incorrectly handled the decompression of highly
compressed GIF data. An attacker could possibly use this issue to cause Pillow
to crash, resulting in a denial of service. (CVE-2022-45198)
It was discovered that containerd incorrectly handled memory
when receiving certain faulty Exec or ExecSync commands. A remote
attacker could possibly use this issue to cause a denial of service
or crash containerd. (CVE-2022-23471, CVE-2022-31030)
It was discovered that containerd incorrectly set up inheritable file
capabilities. An attacker could possibly use this issue to escalate
privileges inside a container. This issue only affected Ubuntu 18.04 LTS,
Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-24769)
It was discovered that containerd incorrectly handled access to encrypted
container images when using imgcrypt library. A remote attacker could
possibly use this issue to access encrypted images from other users.
This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and
Ubuntu 22.04 LTS. (CVE-2022-24778)
