FortiGuard Labs is aware of a report that a new threat actor, “Tortillas,” is leveraging the ProxyShell exploit to deliver ransomware. Based on the traits, the ransomware served by tortillas appears to be a Babuk ransomware variant. ProxyShell consists of three Microsoft Exchange vulnerabilities (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) used in a chain that enables the attacker to remotely run malicious code on the targeted system as a result. The security flaws were patched by Microsoft in April and May 2021. Why is this Significant?This is significant because a previously undocumented threat actor “tortillas” is now taking advantage of the Proxyshell exploit chain to deliver a ransomware. While Microsoft released a fix for all three vulnerabilities used in ProxyShell in April and May 2021, more and more threat actors have since adopted ProxyShell in their attacks. In late August of this year, Lockfile ransomware was delivered through the ProxyShell and PetitPotam vulnerabilities. In September, the Conti ransomware gang reportedly added ProxyShell to their modus operandi.FortiGuard Labs previously released two Threat Signals associated with ProxyShell. See the Appendix for a link to “Vulnerable Microsoft Exchange Servers Actively Scanned for ProxyShell” and “Brand New LockFile Ransomware Distributed Through ProxyShell and PetitPotam.”What is the Ransomware that is Deployed by Tortillas in this Attack?The deployed ransomware appears to be a Babuk ransomware variant based on traits. For example, this particular ransomware adds .babyk file extension, typical of Babuk ransomware, to the files it encrypts. FortiGuard Labs also observed that this malware shares similar mutexes to Babuk.The Babuk variant also steals data as part of a double extortion tactic. Upon encrypting the files and stealing data from the compromised machine, the Babuk variant instructs the victim to pay US $10,000 worth of Monero cryptocurrency to the attacker’s wallet address for file decryption and for not releasing the stolen data to the public.What is the Tortillas Threat Actor?Tortillas appears to be a new threat actor whose activities have not been previously documented. FortiGuard Labs will monitor the threat actor and provide updates if any significant activities are observed.Has Microsoft Released a Patch for ProxyShell?Yes. Microsoft released a patch for CVE-2021-31207 in May. While CVE-2021-34473 and CVE-2021-34523 were disclosed in July 2021, Microsoft released a patch in April 2021 without disclosing them.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage for the Babuk variant sample used in this attack:MSIL/Agent.JBV!trFortiGuard Labs provide the following IPS coverage for this attack:MS.Exchange.Server.Autodiscover.Remote.Code.ExecutionMS.Exchange.MailboxExportRequest.Arbitrary.File.WriteMS.Exchange.Server.Common.Access.Token.Privilege.ElevationFortiEDR detects and blocks ProxyShell attacks out of the box without any prior knowledge or special configuration beforehand.All known network IOC’s related to this threat are blocked by the FortiGuard WebFiltering Client.
This vulnerability allows remote attackers to escalate privileges on affected installations of Centreon. Authentication is required to exploit this vulnerability.
Note that besides the ordinary builds for the current Fedora and EPEL branches, there is an additional distro-independed build available at https://buc.fedorapeople.org/seamonkey . So if you have friends who use other Linux distro, but that distro does not provide SeaMonkey yet, you can recommend it for them.
Note that besides the ordinary builds for the current Fedora and EPEL branches, there is an additional distro-independed build available at https://buc.fedorapeople.org/seamonkey . So if you have friends who use other Linux distro, but that distro does not provide SeaMonkey yet, you can recommend it for them.
Note that besides the ordinary builds for the current Fedora and EPEL branches, there is an additional distro-independed build available at https://buc.fedorapeople.org/seamonkey . So if you have friends who use other Linux distro, but that distro does not provide SeaMonkey yet, you can recommend it for them.
Note that besides the ordinary builds for the current Fedora and EPEL branches, there is an additional distro-independed build available at https://buc.fedorapeople.org/seamonkey . So if you have friends who use other Linux distro, but that distro does not provide SeaMonkey yet, you can recommend it for them.
Note that besides the ordinary builds for the current Fedora and EPEL branches, there is an additional distro-independed build available at https://buc.fedorapeople.org/seamonkey . So if you have friends who use other Linux distro, but that distro does not provide SeaMonkey yet, you can recommend it for them.
Multiple security issues were discovered in Chromium, which could result
in the execution of arbitrary code, denial of service or information
disclosure.
[Sec] Possible crash when playing manipulated IT / MPTM files with a T00 command.
MTM: In MultiTracker, setting speed and tempo are mutually exclusive commands. Still, some MultiTracker modules were made to be played with external players such as DMP, so they actually rely on “standard” speed / tempo behaviour. Decide which behaviour to use by checking of speed and tempo commands are found on the same row.
MTM: Ignore sample loops if the loop end is <= 2.
Echo DMO: Migrate left and right delay values in modules made with OpenMPT versions between 1.27.01.00 and 1.30.05.00 to the correct interpretation.
FLAC: Update to v1.4.1 (2022-09-22).
[Sec] Possible crash when playing manipulated IT / MPTM files with a T00 command.
MTM: In MultiTracker, setting speed and tempo are mutually exclusive commands. Still, some MultiTracker modules were made to be played with external players such as DMP, so they actually rely on “standard” speed / tempo behaviour. Decide which behaviour to use by checking of speed and tempo commands are found on the same row.
MTM: Ignore sample loops if the loop end is <= 2.
Echo DMO: Migrate left and right delay values in modules made with OpenMPT versions between 1.27.01.00 and 1.30.05.00 to the correct interpretation.
FLAC: Update to v1.4.1 (2022-09-22).
