On August 11, 2022, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on Zeppelin ransomware. The alert provides insight into the tactics, techniques, and procedures (TTPs) along with indicators of compromise used by Zeppelin threat actors. Zeppelin has been operating since 2019 and has targeted organizations across multiple industries as well as critical infrastructure sectors.What is Zeppelin ransomware?Zeppelin is a Delphi-based ransomware and is run as a Ransomware-as-a-Service (RaaS). First reports of Zeppelin ransomware goes back as far as December 2019. Some reports suggest that Zeppelin ransomware originates from the Vegaslocker and Buran strains.According to the CISA advisory, Zeppelin ransomware’s infection vectors include RDP exploitation, leveraging vulnerabilities in popular FireWall products and phishing emails. Once a threat actor compromises the victim’s network, it steals sensitive information from the victim before starting the file encryption process. Zeppelin ransomware typically adds a “.zeppelin” file extension to the affected files, however other files extensions used were observed. After files are encrypted, the victim is presented with a ransom note that is typically named “!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT” containing attacker’s contact information (email, Jabber, ICQ or Telegram) as well as a ransom message. Zeppelin victims are threatened that encrypted files will not be recovered, and stolen information will be released to the public if the ransom is not paid.Ransom note from a recent Zeppelin ransomware sampleThe advisory also states that threat actors ran Zeppelin ransomware more than once on the compromised network in some cases, which resulted in multiple decryption keys being required for file decryption.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against known Zeppelin ransomware variants:W32/Zeppelin.FBFD!tr.ransomW32/Buran.H!tr.ransomW32/Agent.H!tr.ransomW32/Filecoder_Buran.J!tr.ransomW32/Kryptik.GOGY!trW32/Kryptik.HIMG!trW32/Kryptik.HJEK!trW32/Generic.AC.171!trW64/Agent.EQ!trW32/Neshta.EW32/CoinMiner.NBX!trW32/PossibleThreatRiskware/Application
A heap-based buffer over write vulnerability was found in GhostScript’s lp8000_print_page() function in gdevlp8k.c file. An attacker could trick a user to open a crafted PDF file, triggering the heap buffer overflow that could lead to memory corruption or a denial of service.
An off-by-one overflow flaw was found in radare2 due to mismatched array length in core_java.c. This could allow an attacker to cause a crash, and perform a denail of service attack.
A double free issue was discovered in radare2 in cmd_info.c:cmd_info(). Successful exploitation could lead to modification of unexpected memory locations and potentially causing a crash.
A segmentation fault was discovered in radare2 with adf command. In libr/core/cmd_anal.c, when command “adf” has no or wrong argument, anal_fcn_data (core, input + 1) –> RAnalFunction *fcn = r_anal_get_fcn_in (core->anal, core->offset, -1); returns null pointer for fcn causing segmentation fault later in ensure_fcn_range (fcn).
Posted by Apple Product Security via Fulldisclosure on Aug 19
APPLE-SA-2022-08-18-1 Safari 15.6.1
Safari 15.6.1 addresses the following issues.
Information about the security content is also available at https://support.apple.com/HT213414.
WebKit
Available for: macOS Big Sur and macOS Catalina
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Apple is aware of a report that this issue
may have been actively exploited.
Description: An out-of-bounds write issue was…
Posted by Apple Product Security via Fulldisclosure on Aug 19
APPLE-SA-2022-08-17-1 iOS 15.6.1 and iPadOS 15.6.1
iOS 15.6.1 and iPadOS 15.6.1 addresses the following issues.
Information about the security content is also available at https://support.apple.com/HT213412.
Kernel
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: An application may be able to execute arbitrary code with…
Posted by Apple Product Security via Fulldisclosure on Aug 19
APPLE-SA-2022-08-17-2 macOS Monterey 12.5.1
macOS Monterey 12.5.1 addresses the following issues.
Information about the security content is also available at https://support.apple.com/HT213413.
Kernel
Available for: macOS Monterey
Impact: An application may be able to execute arbitrary code with
kernel privileges. Apple is aware of a report that this issue may
have been actively exploited.
Description: An out-of-bounds write issue was addressed…
