Category Archives: Advisories

CISA Advisory on Vulnerabilities Actively Exploited By Threat Actors Supported by China

Read Time:2 Minute, 43 Second

On October 6, 2022, the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI) released a joint advisory that has a list of the most exploited vulnerabilities since 2020 by threat actors sponsored by China. The list includes 20 vulnerabilities across 13 vendors that were used against the U.S. and its allies.Why is this Significant?This is significant because the list contains vulnerabilities that are known to be exploited by Chinese threat actors. Patches and workarounds should be applied to the vulnerabilities as soon as possible.What Vulnerabilities are on the List?The list includes the following vulnerabilities:CVE-2022-26134: Atlassian Confluence Remote Code Execution Vulnerability via OGNL InjectionCVE-2022-24112: APISIX Admin API default access token Remote Code Execution VulnerabilityCVE-2022-1388: F5 BIG-IP iControl REST Authentication Bypass VulnerabilityCVE-2021-44228: Apache Log4j Error Log Remote Code Execution VulnerabilityCVE-2021-42237: Sitecore XP Insecure Deserialization Remote Code Execution VulnerabilityCVE-2021-41773: Apache HTTP Server Path Traversal VulnerabilityCVE-2021-40539: Zoho ManageEngine ADSelfService Plus RESTAPI Authentication Bypass VulnerabilityCVE-2021-36260: Hikvision Product SDK WebLanguage Tag Command Injection VulnerabilityCVE-2021-27065: Microsoft Exchange Server CVE-2021-27065 Remote Code Execution VulnerabilityCVE-2021-26858: Microsoft Exchange Server CVE-2021-26858 Remote Code Execution VulnerabilityCVE-2021-26857: Microsoft Exchange Server CVE-2021-26857 Remote Code Execution VulnerabilityCVE-2021-26855: Microsoft Exchange Server ProxyRequestHandler Remote Code Execution VulnerabilityCVE-2021-26084: Atlassian Confluence CVE-2021-26084 Remote Code Execution VulnerabilityCVE-2021-22205: GitLab Community and Enterprise Edition Remote Command Execution VulnerabilityCVE-2021-22005: VMware vCenter Analytics Service Arbitrary File Upload VulnerabilityCVE-2021-20090: Buffalo WSR2533DHP Arbitrary Directory Traversal VulnerabilityCVE-2021-1497: Cisco HyperFlex HX Auth Handling Remote Command Execution VulnerabilityCVE-2020-5902: F5 BIG-IP Traffic Management User Interface Directory Traversal VulnerabilityCVE-2019-19781: Citrix ADC and Gateway Directory Traversal VulnerabilityCVE-2019-11510: Pulse Secure SSL VPN HTML5 Information DisclosureWhat is the Status of Protection?FortiGuard Labs has the following IPS protection in place for the vulnerabilities listed in the CISA advisory:Atlassian.Confluence.OGNL.Remote.Code.Execution (CVE-2022-26134)APISIX.Admin.API.default.token.Remote.Code.Execution (CVE-2022-24112)F5.BIG-IP.iControl.REST.Authentication.Bypass (CVE-2022-1388)Apache.Log4j.Error.Log.Remote.Code.Execution (CVE-2021-44228)Sitecore.XP.Insecure.Deserialization.Remote.Code.Execution (CVE-2021-42237)Apache.HTTP.Server.cgi-bin.Path.Traversal (CVE-2021-41773)Zoho.ManageEngine.ADSelfService.Plus.Authentication.Bypass (CVE-2021-40539)Hikvision.Product.SDK.WebLanguage.Tag.Command.Injection (CVE-2021-36260)MS.Exchange.Server.CVE-2021-27065.Remote.Code.Execution (CVE-2021-27065)MS.Exchange.Server.CVE-2021-26858.Remote.Code.Execution (CVE-2021-26858)MS.Exchange.Server.UM.Core.Remote.Code.Execution (CVE-2021-26857)MS.Exchange.Server.ProxyRequestHandler.Remote.Code.Execution (CVE-2021-26855)Atlassian.Confluence.CVE-2021-26084.Remote.Code.Execution (CVE-2021-26084)GitLab.Community.and.Enterprise.Edition.Command.Injection (CVE-2021-22205)VMware.vCenter.Server.Analytics.Arbitrary.File.Upload (CVE-2021-22005)Arcadyan.Routers.images.Path.Authentication.Bypass (CVE-2021-20090)Cisco.HyperFlex.HX.Auth.Handling.Command.Injection (CVE-2021-1497)F5.BIG.IP.Traffic.Management.User.Interface.Directory.Traversal (CVE-2020-5902)Citrix.Application.Delivery.Controller.VPNs.Directory.Traversal (CVE-2019-19781)Pulse.Secure.SSL.VPN.HTML5.Information.Disclosure (CVE-2019-11510)

Read More

LilithBot Sold as Malware-as-a-Service (MaaS)

Read Time:1 Minute, 10 Second

FortiGuard Labs is aware of a report that the LilithBot malware is being sold as Malware-as-a-Service (MaaS) by a group called “Eternity”. LilithBot is a multi-functional malware that can act as infostealer, cryptominer and clipper. The Eternity group is said to sell other malware types such as ransomware.Why is this Significant?This is significant as LilithBot is multi-functional and is sold as Malware-as-a-Service. This means that LilithBot provides various buyers the instant ability to control infected machines for malicious purposes.What is LilithBot ?LilithBot is a malware variant that is being sold by the Eternity group and has built-in functionalities that contain the following:Infostealer that collects pictures and information from browsers. It also uploads collected information to its C2 servers.Cryptominer that mines Monero (XMR) cryptocurrency.Clipper that monitors a user’s clipboard and replaces user’s crypto addresses with the attacker’s addresses.What is the Eternity Group?According to reports, Eternity is a cybercriminal group that sells various malware including LilithBot and ransomware as a combined Malware-as-a-Service on Tor. Bitcoins and various altcoins such as Monero and Ethereum are reportedly accepted as payment for usage.What is the Status of Protection?FortiGuard Labs provides the following AV coverage for LilithBot malware:MSIL/Agent.AES!tr.spyW64/GenKryptik.FQTL!trW32/PossibleThreatAll reported network IOCs are blocked by the WebFiltering client.

Read More

CISA Adds CVE-2022-36804 to the Known Exploited Vulnerabilities Catalog

Read Time:1 Minute, 53 Second

FortiGuard Labs is aware that the Cybersecurity & Infrastructure Security Agency (CISA) recently added CVE-2022-36804 (Atlassian Bitbucket Server and Data Center Command Injection Vulnerability) to their Known Exploited Vulnerabilities catalog. The catalog list vulnerabilities that are being actively exploited in the wild and require federal agencies to apply patches by the due date. Successfully exploiting CVE-2022-36804 allows an attacker to execute arbitrary commands.Why is this Significant?This is significant because the vulnerability is in widely used Bitbucket Server and Data Center and is being actively exploited in the wild. Successful exploitation allows a remote attacker to execute arbitrary commands.The vulnerability is rated Critical by Atlassian, has a CVSS score of 9.9, and attack complexity is listed as low.What is Bitbucket?Bitbucket is a widely used repository management and collaboration tool that provides a code storage location for developers and enables them to manage, track and control their code.When was CVE-2022-36804 Discovered?The vulnerability was disclosed by Atlassian on August 24, 2022.What is CVE-2022-36804?CVE-2022-36804 is a critical command injection vulnerability that affects Atlassian’s Bitbucket Server and Data Center. Successful exploitation of the vulnerability allows an attacker that has access to a publicly repository or has read access to a private repository to run arbitrary commands.What Version of Bitbucket Server and Datacenter does the Vulnerability Affect?The vulnerability affects the following versions of Bitbucket Server and Datacenter:7.6 prior to 7.6.177.17.0 prior to 7.17.107.21 prior to 7.21.48.0 prior to 8.0.38.1 prior to 8.1.38.2 prior to 8.2.28.3 prior to 8.3.1Has the Vendor Released an Advisory?Yes, Atlassian released an advisory on August 24, 2022.Has the Vendor Released a Patch for CVE-2022-36804?Yes, Atlassian released fixed versions on August 21, 2022.What is the Status of Protection?FortiGuard Labs has the following IPS protection in place for CVE-2022-36804:Atlassian.Bitbucket.Server.CVE-2022-36804.Command.InjectionAny Suggested Mitigation?Atlassian provided the mitigation information in the advisory. For details, see the Appendix for a link to “Bitbucket Server and Data Center Advisory 2022-08-24”.

Read More

USN-5663-1: Thunderbird vulnerabilities

Read Time:56 Second

Multiple security issues were discovered in Thunderbird. If a user were
tricked into opening a specially crafted website in a browsing context, an
attacker could potentially exploit these to cause a denial of service,
spoof the mouse pointer position, obtain sensitive information, spoof the
contents of the addressbar, bypass security restrictions, or execute
arbitrary code. (CVE-2022-2505, CVE-2022-36318, CVE-2022-36319,
CVE-2022-38472, CVE-2022-38473, CVE-2022-38476 CVE-2022-38477,
CVE-2022-38478)

Multiple security issues were discovered in Thunderbird. An attacker could
potentially exploit these in order to determine when a user opens a
specially crafted message. (CVE-2022-3032, CVE-2022-3034)

It was discovered that Thunderbird did not correctly handle HTML messages
that contain a meta tag in some circumstances. If a user were tricked into
replying to a specially crafted message, an attacker could potentially
exploit this to obtain sensitive information. (CVE-2022-3033)

A security issue was discovered with the Matrix SDK in Thunderbird. An
attacker sharing a room with a user could potentially exploit this to
cause a denial of service. (CVE-2022-36059)

Read More

CVE-2021-40162

Read Time:12 Second

A maliciously crafted TIF, PICT, TGA, or RLC files in Autodesk Image Processing component may be forced to read beyond allocated boundaries when parsing the TIFF, PICT, TGA, or RLC files. This vulnerability may be exploited to execute arbitrary code.

Read More

CVE-2021-40165

Read Time:12 Second

A maliciously crafted TIFF, PICT, TGA, or RLC file in Autodesk Image Processing component may be used to write beyond the allocated buffer while parsing TIFF, PICT, TGA, or RLC files. This vulnerability may be exploited to execute arbitrary code.

Read More

CVE-2021-40166

Read Time:12 Second

A maliciously crafted PNG file in Autodesk Image Processing component may be used to attempt to free an object that has already been freed while parsing them. This vulnerability may be exploited by attackers to execute arbitrary code.

Read More