Category Archives: Advisories

Azov “Ransomware” Wiper

Read Time:1 Minute, 57 Second

FortiGuard Labs is aware of a new ransomware variant called “Azov”. Reason why this ransomware variant is in quotations is because although it has the hallmarks of ransomware, it is considered a data wiper. This is because there is no way to recover the encrypted data and/or get in touch with the threat actors.After encryption, the note left behind to the victim, “RESTORE_FILES.txt,” references well known OSINT researchers on Twitter. The note falsely reports that victims should get in touch with said researchers to request keys for decryption:#####!Azov ransomware!Hello, my name is hasherezade.I am the polish security expert.To recover your files contact us in twitter:@hasherezade@VK_Intel@demonslay335@malwrhunterteam@LawrenceAbrams@bleepincomputer[Why did you do this to my files?]I had to do this to bring your attention to the problem.Do not be so ignorant as we were ignoring Crimea seizure for years.The reason the west doesn’t help enough Ukraine.Their only help is weapons, but no movements towards the peace!Stop the war, go to the streets!Since when that Z-army will be near to my Polska country.The only outcome is nuclear war.Change the future now!Help Ukraine, come to the streets!We want our children to live in the peaceful world.————————————————–Biden doesn’t want help Ukraine.You people of United States, come to the streets, make revolution!Keep America great!Germany plays against their own people!Du! Ein mann aus Deutschland, komm doch, komm raus!Das ist aber eine Katastrophe, was Biden zu ihnen gemacht hat.Wie war das schoen, wenn Merkel war da?—————————————————#TaiwanIsChina#####How is Azov Being Distributed?Reports are that Azov is being dropped by SmokeLoader. Further reports as well reveal that Azov is being distributed on various pirated software, etc. sites as well.So if Files are Encrypted, why is this Referred to as a Wiper?This is because files are not recoverable and there are no instructions or contact information provided to the victim. Essentially files are rendered inoperable because there are no known decryption keys available.Is Decryption Possible?There are no known decryption keys or tools available at this time.What is the Status of Coverage?FortGuard Labs has AV coverage in place for Azov as:W64/AzovWiper.BVMK!tr.ransomW64/Generik.BVMK!tr.ransom

Read More

flatpak-runtime-f36-3620221025180145.2 flatpak-sdk-f36-3620221025180145.2

Read Time:33 Second

FEDORA-FLATPAK-2022-8109f715d7

Packages in this update:

flatpak-runtime-f36-3620221025180145.2
flatpak-sdk-f36-3620221025180145.2

Update description:

Security fixes for openssl CVE-2022-3602 and CVE-2022-3786

Add google-noto-sans-mono-vf-fonts to runtime

See https://github.com/fedora-silverblue/issue-tracker/issues/299

As with the recent addition of the serif fonts, this is necessary for flatpaks to show monospace fonts correctly in some cases. We believe fontconfig should manage to fall back correctly to a different font in these cases, but currently it does not, so it makes sense to add the Fedora default font to the runtime as a mitigation.

Read More

OpenSSL Release (3.0.7)

Read Time:2 Minute, 30 Second

Today, the OpenSSL Project released a new version of OpenSSL (v3.0.7). Last week’s early announcement indicated at first this was a CRITICAL vulnerability and included a fix for it. There was various chatter that this recent disclosure could be potentially similar to HEARTBLEED , but after today’s announcement the issue was downgraded from CRITICAL to HIGH.Two vulnerabilities were disclosed, both are X.509 Email Address Buffer Overflows, and are vulnerable to denial of service attacks and the other, remote code execution.Why is this Significant?This is significant because the critical vulnerability exists in OpenSSL which is a widely adopted cryptographical toolkit used to achieve secure communications over the internet. Past critical vulnerabilities in OpenSSL resulted in remote code execution and information leaks, where the highest profile disclosure was HeartBleed back in 2014. What are the Details of the Critical Vulnerability in OpenSSL?Disclosed today by OpenSSL are two vulnerabilities:CVE-2022-3602 – X.509 Email Address 4-byte Buffer Overflow A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution.CVE-2022-3786 – X.509 Email Address Variable Length Buffer Overflow A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the `.’ character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service).Are there Reports of Exploitation in the Wild?According to OpenSSL, no.What is the CVE Assignment for the Vulnerability?CVE-2022-3602 and CVE-2022-3786 have been assigned to these vulnerabilities.What is the CVSS score?According to OpenSSL, they do not provide CVSS scores.What is the Status of Protection?There is no information available to allow FortiGuard Labs to investigate protection. We are monitoring the situation closely and will update this Threat Signal when protection information becomes available. For further information on products affected by this latest disclosure, please reference the OpenSSL3 critical vulnerability from Fortinet PSIRT in the Appendix section.Any Recommended Mitigation?OpenSSL suggests users operating TLS servers may consider disabling TLS client authentication, if it is being used, until fixes are applied. FortiGuard Labs highly recommends organizations utilizing OpenSSL update OpenSSL to version 3.0.7.

Read More