Category Archives: Advisories

[CVE-2021-40150] Reolink E1 Zoom Camera <= 3.0.0.716 Unauthenticated Web Server Configuration Disclosure

Read Time:25 Second

Posted by Julien Ahrens (RCE Security) on Jun 03

RCE Security Advisory
https://www.rcesecurity.com

1. ADVISORY INFORMATION
=======================
Product: Reolink E1 Zoom Camera
Vendor URL: https://reolink.com/product/e1-zoom/
Type: Exposure of Sensitive Information to an Unauthorized Actor [CWE-200]
Date found: 2021-08-26
Date published: 2022-06-01
CVSSv3 Score: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVE: CVE-2021-40150

2. CREDITS
==========…

Read More

[CVE-2021-40149] Reolink E1 Zoom Camera <= 3.0.0.716 Unauthenticated Private Key Disclosure

Read Time:25 Second

Posted by Julien Ahrens (RCE Security) on Jun 03

RCE Security Advisory
https://www.rcesecurity.com

1. ADVISORY INFORMATION
=======================
Product: Reolink E1 Zoom Camera
Vendor URL: https://reolink.com/product/e1-zoom/
Type: Exposure of Sensitive Information to an Unauthorized Actor [CWE-200]
Date found: 2021-08-26
Date published: 2022-06-01
CVSSv3 Score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVE: CVE-2021-40149

2. CREDITS
==========…

Read More

A Vulnerability in Atlassian Confluence Server and Data Center Could Allow for Remote Code Execution

Read Time:33 Second

A vulnerability has been discovered in Atlassian Confluence Server and Data Center, which could allow for remote code execution. Confluence is a wiki tool used to help teams collaborate and share knowledge efficiently. Successful exploitation of this vulnerability could allow for remote code execution within the context of the service account used to run the Confluence Server or Data Center service. Depending on the privileges associated with the service account, an attacker could view, change, or delete data. If the service account has been configured to have fewer rights on the system, exploitation of this vulnerability could have less impact than if it was configured with administrative rights.

Read More

Active Exploitation of WSO2 Vulnerability (CVE-2022-29464) Delivers Malware

Read Time:2 Minute, 19 Second

FortiGuard Labs is aware that a WSO2 vulnerability (CVE-2022-29464) that was patched in February 2022 and was disclosed in April is still being actively exploited in the field. CVE-2022-29464 is an unrestricted arbitrary file upload, and remote code execution vulnerability that allows unauthenticated and remote attackers to execute arbitrary code in the vulnerable WSO2 products. Why is this Significant?This is significant because despite the fact CVE-2022-29464 was patched in February and was disclosed in April, the vulnerability is still being actively exploited. This means that attacks that leverage CVE-2022-29464 have some level of success rate even now. With the vulnerability being actively exploited and a Proof-of-Concept (POC) code became publicly available in late April. users and administrators should review the WSO2’s advisory and apply the patch or necessary workaround.Also, CVE-2022-29464 is included in the CISA’s Known Exploited Vulnerabilities Catalog, which lists vulnerabilities that US federal agencies are required to patch their information systems within specific timeframes and deadlines.What is CVE-2022-29464?CVE-2022-29464 is a vulnerability in multiple WSO2 products that allows unauthenticated and remote attackers to execute arbitrary code on the affected systems. The vulnerability is rated Critical and has a CVSS Score of 9.8. The advisory has the following products as vulnerable:WSO2 API Manager 2.2.0, up to 4.0.0WSO2 Identity Server 5.2.0, up to 5.11.0 WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, 5.6.0WSO2 Identity Server as Key Manager 5.3.0, up to 5.11.0WSO2 Enterprise Integrator 6.2.0, up to 6.6.0WSO2 Open Banking AM 1.4.0, up to 2.0.0 WSO2 Open Banking KM 1.4.0, up to 2.0.0What Malware were Deployed after Successful Exploitation of CVE-2022-29464?Cobalt Strike, backdoor, cryptocoin miner and hacktool are reported to have been deployed to the compromised systems.Has the Vendor Released an Advisory?Yes. See the Appendix for a link to “Security Advisory WSO2-2021-1738”.Has the Vendor Released a Patch for CVE-2022-29464?Yes. According to the WSO’s advisory, WSO2 released temporary mitigations in January 2022 and released permanent fixes for all the supported product versions in February.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against files associated with CVE-2022-29464:W64/Agent.CY!trELF/Agent.AR!trELF/BitCoinMiner.HF!trJava/Agent.AUJ!trJava/Webshell.E!trJava/Webshell.0CC4!trRiskware/Generic.H2Malicious_Behavior.SBFortiGuard Labs provides the following IPS coverage against CVE-2022-29464:WSO2.fileupload.Arbitrary.File.Upload (default action is set to pass)Known network IOCs for CVE-2022-29464 are blocked by the WebFiltering client.

Read More

Ransomware Roundup – 2022/06/02

Read Time:6 Minute, 27 Second

FortiGuard Labs is aware of a number of new ransomware strains for the week of May 30th, 2022. It is imperative to raise awareness about new ransomware strains as infections can cause severe damage to organizations. This week’s Ransomware Roundup Threat Signal covers Hive ransomware, Bright Black Ransomware and Karakurt Data Extortion Group, and Fortinet protections against them.What is Hive Ransomware?Hive ransomware is a Ransomware-as-a-Service (RaaS) that was first observed in June 2021. This ransomware is highlighted in this Threat Signal as Costa Rica’s public health system was reportedly compromised by the ransomware.As a RaaS, the Hive ransomware group consists of two types of groups: ransomware operator (developer) and affiliates. The former develops Hive ransomware, provides support for its affiliates, operates ransom payment site as well as a date leak site called “HiveLeaks” on Tor. The latter carries out actual attacks that infect victims, exfiltrate data from victims, and deploy Hive ransomware onto the compromised machine. An apparent underground forum post that recruited Hive ransomware conspirators promised 80% cut for the affiliates. Hive ransomware is the main arsenal that is deployed to the compromised machine to encrypt files. Before the file encryption takes place, data is stolen from the victim and shadow copies are deleted, which makes file recovery awfully difficult. Typical files encrypted by Hive ransomware have a .hive extension. Other reported file extensions include .aumcc, .sncip, .accuj and .qxycv. According to a report published by Group-IB, “the data encryption is often carried out during non-working hours or at the weekend” in an attempt to encrypt as many files as possible without being noticed.Typical ransom note left behind by Hive ransomware below:Your network has been breached and all data is encrypted.To decrypt all the data you will need to purchase our decryption software.Please contact our sales department at: xxxx://[removed].onion/ Login: [removed] Password: [removed] Follow the guidelines below to avoid losing your data: – Do not shutdown or reboot your computers, unmount external storages. – Do not try to decrypt data using third party software. It may cause irreversible damage. – Don’t fool yourself. Encryption has perfect secrecy and it’s impossible to decrypt without knowing the key. – Do not modify, rename or delete *.key.hive files. Your data will be undecryptable. – Do not modify or rename encrypted files. You will lose them. – Do not report to authorities. The negotiation process will be terminated immediately and the key will be erased. – Do not reject to purchase. Your sensitive data will be publicly disclosed at xxxx://[removed]onion/ The group employs a double extortion technique which victims are asked to make a ransom payment in order to recover encrypted files as well as to prevent the stolen data from being published to “HiveLeaks”. Some victims reportedly received phone calls from Hive threat actors. The victim will receive a decryption tool upon the completion of payment, however, there was a chatter that suggests the decryption tool did not work as advertised in some cases and made virtual machines unbootable due to the tool corrupting the MBR (Master Boot Record).Initial attack vectors include phishing emails with malicious attachment, attacking vulnerable RDP servers, and the use of compromised VPN credentials. Purchasing network access from initial access brokers is a possibility as well.Hive ransomware reportedly victimized companies across wide range of industries such as (but not restricted to) real estate, IT and manufacturing. Some RaaS have a policy to exclude governmental educational and military organizations, health care, and critical infrastructures such as gas pipelines and power plants. Hive ransomware does not appear to have such policy as its victims include health care and government organizations. In August, 2021, the Federal Bureau of Investigation (FBI) released a flash alert on Hive ransomware.See the Appendix for a link to “Indicators of Compromise Associated with Hive Ransomware” for the advisory.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against Hive ransomware:W64/Hive.A!trW32/Ransom.HIVE!trELF/Hive.B!trLinux/Hive.B!trW64/Filecoder_Hive.A!tr.ransomW32/Filecoder_Hive.A!trBSD/Filecoder_Hive.A!trW32/Filecoder_Hive_AGen.A!trLinux/Filecoder_Hive.E!trLinux/Filecoder_Hive.C!trLinux/Filecoder_Hive.D!trLinux/Filecoder_Hive.F!trW32/Filecoder_Hive_AGen.A!trW64/Filecoder_Hive_AGen.A!trW32/Filecoder_Hive_AGen.A!tr.ransomW64/Filecoder_Hive_AGen.A!tr.ransomW32/Ransom_Win64_HIVE.YXBKMZW64/Filecoder_Hive.A!tr.ransomW32/Ransom_Win64_HIVE.NIVSBHU!trW32/Ransom_Win64_HIVE.BYFUSKH!trW32/Ransom_Win64_HIVE.YXBKOZW32/Ransom_Win64_HIVE.YXBKLZW32/Ransom_Win64_HIVE.YXBKOZW32/Ransom_Win64_HIVE.YXBKBZW32/Ransom_Win64_HIVE.YXBKBZW32/Hive.B0FF!tr.ransomW32/Hive.B0FF!tr.ransomW32/Ransom_Win64_HIVE.LIVMOBG!trJS/MinerCoinHiveInURLDecode.D43A!trW64/Hive.B0FF!tr.ransomW32/Ransom_Win64_HIVE.CQCRPWJ!trW32/Ransom_Win64_HIVE.YXBJ2ZW32/Ransom_HiveCrypt.R06BC0DDM22FortiEDR provides protection from new ransomware variants such as Hive straight out of the box.What is Bright Black Ransomware?Black Bright ransomware is a new ransomware that displays a ransom note in ransnote.html. The ransom note claims files on the compromised machine were encrypted using AES-256 encryption and asks the victim to contact the malware author via Discord in order to recover the affected files. However, analysis performed by FortiGuard Labs revealed that Bright Black ransomware does NOT encrypt any files. In an attempt to fool the victim to pay the ransomware, it prepends “x” to the file extension of the targeted files. For example, the ransomware changes the .png file extension to .xpng. It also drops a decryptor tool. When the tool is ran, the decryptor asks for the code and reiterates the victim needs to DM the author to get the code. That is another attempt to make the victim believe that the files were encrypted. Bright Black ransomware’s ransom note Dropped Bright Black decryptorWhat is the Status of Coverage against Bright Black ransomware?FortiGuard Labs provides the following AV coverage:BAT/Renamer.AU!trWhat is the Karakurt Data Extortion Group?The Karakurt data extortion group is a threat actor who threatens the victim to pay ransom in Bitcoin for not releasing the data it stole from a compromised machine to the public. The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), and the Financial Crimes Enforcement Network (FinCEN) released a joint advisory on the Karakurt threat actor on June 1st, 2022.Please see the Appendix for a link to “Alert (AA22-152A): Karakurt Data Extortion Group” for the advisory.According to the advisory, there is no report that the threat actor encrypted any files as part of the attack. Known ransom demands range from $25,000 to $13,000,000, and typically the threat actor demands the ransom be paid within a week of first contact with the victim. The criminal group employs an aggressive tactic to get the victim to pay the ransom; the group reportedly contacted not only victim’s employees but also business partners, and clients via emails and phone calls. The advisory also indicates that, upon ransom was paid, the threat actor provided a brief statement on how the victim was compromised.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage on the available samples on the IOC list:Riskware/KryptikAnything Else to Note?Victims of ransomware are cautioned against paying ransoms by such organizations as CISA, NCSC, the FBI, and HHS. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities which could potentially be illegal according to a U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) advisory.

Read More

vim-8.2.5052-1.fc35

Read Time:12 Second

FEDORA-2022-bb2daad935

Packages in this update:

vim-8.2.5052-1.fc35

Update description:

Security fixes for CVE-2022-1886, CVE-2022-1942

Security fixes for CVE-2022-1851, CVE-2022-1898, CVE-2022-1897, CVE-2022-1927

Read More

webkit2gtk3-2.36.3-1.fc35

Read Time:32 Second

FEDORA-2022-c05acca28d

Packages in this update:

webkit2gtk3-2.36.3-1.fc35

Update description:

Update to 2.36.3:

Support capturing already encoded video streams, which takes advantage of encoding done in hardware by devices which support this feature.
Avoid using experimental GStreamer elements for video demuxing.
Avoid using the legacy GStreamer VA-API decoding plug-ins, which often cause rendering issues and are not much maintained. Their usage can be re-enabled setting WEBKIT_GST_ENABLE_LEGACY_VAAPI=1 in the environment.
Fix playback of YouTube streams which use dynamic ad insertion.
Fix display capture with Pipewire.
Fix several crashes and rendering issues.

Read More

webkit2gtk3-2.36.3-1.fc36

Read Time:32 Second

FEDORA-2022-e883576e1c

Packages in this update:

webkit2gtk3-2.36.3-1.fc36

Update description:

Update to 2.36.3:

Support capturing already encoded video streams, which takes advantage of encoding done in hardware by devices which support this feature.
Avoid using experimental GStreamer elements for video demuxing.
Avoid using the legacy GStreamer VA-API decoding plug-ins, which often cause rendering issues and are not much maintained. Their usage can be re-enabled setting WEBKIT_GST_ENABLE_LEGACY_VAAPI=1 in the environment.
Fix playback of YouTube streams which use dynamic ad insertion.
Fix display capture with Pipewire.
Fix several crashes and rendering issues.

Read More