FortiGuard Labs is aware of a report that a new ransomware “Somnia” was observed in attacks against Ukraine. Somnia ransomware was deployed as a final payload in multiple staged attacks involving a fake IP scanner, Vidar stealer, and Cobalt Strike. The attack was attributed to FRwL (aka Z-Team, UAC-0118).Why is this Significant?This is significant because Somnia is the latest ransomware that reportedly targets Ukrainian interests. Other ransomware variants that previously targeted Ukraine include are but not restricted to Prestige, AcidRain, DoubleZero, CaddyWiper, IssacWiper, HermeticWiper, and WhisperGate.How was Somnia Ransomware Distributed?Somnia ransomware was reportedly distributed in an attack chain that goes through multiple stages. First, the attacker creates a fake Advanced IP Scanner Web site in an attempt to trick Ukrainian organizations into downloading and installing Vidar stealer disguised as “Advanced IP Scanner” installer. Once a victim’s machine is compromised by Vidar stealer, it tries to steal Telegram’s session data, which is then used to compromise VPN connections giving the attacker access to the victim’s network. Cobalt Strike was seen deployed to the compromised network. Reportedly Rсlone, Anydesk, and Ngrok were observed for data exfiltration. Finally, Somnia ransomware deployed to encrypt files on the compromised machines.What is Somnia Ransomware?Somnia is a ransomware that encrypts files on compromised machines. According to CERT-UA, there are two different types of Somnia ransomware; the one uses 3DES algorithm for file encryption and the other uses the AES algorithm. The affected files have a “.somnia” file extension.Somnia ransomware targets and encrypts files with the following extensions:File extensions targeted by Somnia ransomware (screenshot taken from a CERT-UA report)Since Somnia ransomware does not drop any ransom note and attacker’s contact information, victims will likely will not be able to decrypt the encrypted files.What is the Status of Protection?While Somnia ransomware samples are not publicly available, FortiGuard Labs detect the fake Advanced IP Scanner used as initial infection vector with the following AV signature:• W32/PossibleThreatReported network IOCs are blocked by Webfiltering.
Category Archives: Advisories
Emotet Distributed Through U.S. Election Themed Link Files
FortiGuard Labs has discovered that Emotet was recently delivered through an archive file that has a file name targeting those interested in the U.S. midterm elections. The archive file is “US midterm elections The six races that could decide the US Senate.zip” that has a link file with the same name, which leads to Emotet.Why is this Significant?This is significant because Emotet is trying to leverage the interest of the U.S. midterm elections for infection. While FortiGuard Labs has not observed the infection vector, the file name “US midterm elections The six races that could decide the US Senate.zip” was likely distributed via emails. “The six races” likely refers to Arizona, Georgia, Michigan, Nevada, Pennsylvania, and Wisconsin where Democrats and Republican are expected to have close race in the elections, which gives better chance that recipients will open the archive contents. Emotets’ modus operandi includes distribution via malicious spam campaigns and thread hijacking of emails.What’s in “US midterm elections The six races that could decide the US Senate.zip”?The zip file contains a link file named “US midterm elections The six races that could decide the US Senate.lnk”. When the link file is executed, it drops a further script in %tmp% that will attempt to cycle through several URLs to download a Emotet DLL.The downloaded Emotet connects to C2 server and will likely deliver additional malware.FortiGuard Labs discovered that the same script is present in other link files “New York Election news and updates….lnk” and “Amazon warns of slower sales as economy weakens.lnk” that were submitted to VirusTotal at the end of October and beginning of November respectively.What is the Status of Protection?FortiGuard Labs provides the following AV signatures for the archive and link file involved in the attack:• LNK/Agent.AMY!tr.dldr• PossibleThreat.PALLAS.HC2 address is blocked by FortiGuard Webfiltering Client.
USN-5722-1: nginx vulnerabilities
It was discovered that nginx incorrectly handled certain memory operations in
the ngx_http_mp4_module module. A local attacker could possibly use this issue
with a specially crafted mp4 file to cause nginx to crash, stop responding, or
access arbitrary memory. (CVE-2022-41741, CVE-2022-41742)
python3.7-3.7.15-2.fc35
FEDORA-2022-760d1eac9b
Packages in this update:
python3.7-3.7.15-2.fc35
Update description:
Security fix for CVE-2022-37454
DSA-5279 wordpress – security update
Several vulnerabilities were discovered in WordPress, a web blogging
tool. They allowed remote attackers to perform SQL injection, create
open redirects, bypass authorization access, or perform Cross-Site
Request Forgery (CSRF) or Cross-Site Scripting (XSS) attacks.
DSA-5280 grub2 – security update
Several issues were found in GRUB2’s font handling code, which could
result in crashes and potentially execution of arbitrary code. These
could lead to by-pass of UEFI Secure Boot on affected systems.
DSA-5281 nginx – security update
It was discovered that parsing errors in the mp4 module of Nginx, a
high-performance web and reverse proxy server, could result in denial
of service, memory disclosure or potentially the execution of arbitrary
code when processing a malformed mp4 file.
python3.8-3.8.15-2.fc35
FEDORA-2022-7798bf3aa3
Packages in this update:
python3.8-3.8.15-2.fc35
Update description:
Security fix for CVE-2022-37454
python3.7-3.7.15-2.fc37
FEDORA-2022-4f547d1cc6
Packages in this update:
python3.7-3.7.15-2.fc37
Update description:
Security fix for CVE-2022-37454
python3.7-3.7.15-2.fc38
FEDORA-2022-792bd23738
Packages in this update:
python3.7-3.7.15-2.fc38
Update description:
Automatic update for python3.7-3.7.15-2.fc38.
Changelog
* Mon Nov 14 2022 Miro Hrončok <mhroncok@redhat.com> – 3.7.15-2
– CVE-2022-37454: Fix buffer overflows in _sha3 module
Related: rhbz#2140200