FEDORA-2022-b197d64471
Packages in this update:
bind-9.16.33-1.fc35
bind-dyndb-ldap-11.9-16.fc35
Update description:
Upstream release notes
bind-9.16.33-1.fc35
bind-dyndb-ldap-11.9-16.fc35
Upstream release notes
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) today released a joint Cybersecurity Advisory that highlights recent campaigns targeting the Government of Albania in July and September of this year.Attacks have been attributed to threat actors named “HomeLand Justice” and their modus operandi appears to be disruption (rendering services offline) and destruction (wiping of disk drives and ransomware style encryption). It was observed that the threat actors also maintained persistence for over a year before these attacks were carried out. Other observed attacks were the exfiltration of data such as email, credentials and lateral movement. The attacks have been attributed to the government of Iran.What are the Technical Details of this Attack?Per the Joint Advisory, the threat actors used CVE-2019-0604, which is a vulnerability in Microsoft SharePoint (public facing) to obtain initial access. The threat actor used several webshells to establish and maintain persistence. Persistence and lateral movement were then established after compromise for several months before campaign activity began.Other observations were the usage of Remote Desktop Protocol (RDP), Server Message Block (SMB) and File Transfer Protocol (FTP) to maintain access. Once this was established, the attackers then moved on and compromised the targets Microsoft Exchange servers (further details are unknown) to create a rogue Exchange account to allow for further privilege escalation via the addition of an Organization Management role. Exfiltration and compromise of the Exchange server occurred over 6-8 months where roughly 20GB of data was exfiltrated. The attackers also leveraged VPN access, using compromised accounts, where Advanced port scanner, Mimikatz and LSASS tools were used. To cap off the campaign, the threat actors finally used a file cryptor via the victim’s print server via RDP which would then propagate the file cryptor internally. This targeted specific file extensions, and after encryption, leaving a note behind. Furthering damage and adding insult to injury, hours after encryption took place, the threat actor will kick off another final devastating attack. The wiping of targeted disk drives.Is this Attack Widespread?No. Attacks are targeted and limited in scope.Any Suggested Mitigation?Due to the complexity and sophistication of the attack, FortiGuard Labs recommends that all AV and IPS signatures, (including but not limited to) the update and patching of all known vulnerabilities within an environment are addressed as soon as possible. Also, providing awareness and situational training for personnel to identify potential social engineering attacks via spearphishing, SMShing, and other social engineering attacks that could allow an adversary to establish initial access into a targeted environment is recommended.What is the Status of Coverage?For publically available samples, customers running the latest AV definitions are protected by the following signatures:BAT/BATRUNGOXML.VSNW0CI22!trW32/Filecoder.OLZ!tr.ransomW32/GenCBL.BUN!trW32/PossibleThreatRiskware/Disabler.B
User input included in error response, which could be used in a phishing attack.
python3.6-3.6.15-5.fc35
Fix for CVE-2021-28861
python3.6-3.6.15-11.fc36
Fix for CVE-2021-28861
python3.6-3.6.15-12.fc37
Fix for CVE-2021-28861
The SCCM plugin for GLPI is a plugin to synchronize computers from SCCM (version 1802) to GLPI. In versions prior to 2.3.0, the Configuration page is publicly accessible in read-only mode. This issue is patched in version 2.3.0. No known workarounds exist.
bind-9.16.33-1.fc36
bind-dyndb-ldap-11.9-20.fc36
Upstream release notes
bind-9.18.7-1.fc37
bind-dyndb-ldap-11.10-6.fc37
Upstream release notes
grafana-9.0.9-1.fc37
update to 9.0.9 tagged upstream community sources, see CHANGELOG
resolve CVE-2022-35957 grafana: Escalation from admin to server admin when auth proxy is used (rhbz#2128565)