Category Archives: Advisories

Syslogk: Linux Rootkit with Hidden Backdoor Payload

Read Time:1 Minute, 41 Second

FortiGuard Labs is aware of a report that a new rootkit for Linux that appears to be still in development was discovered. Namaed “Syslogk”, the rootkit is based on Adore-Ng, an old open-source kernel rootkit for Linux. Syslogk is hides directories containing malicious files and does not load the hidden Rekoobe backdoor malware until specifically-crafted magic packets are received.Why is this Significant?This is significant because “Syslogk” is a Linux rootkit that is in development as such it may be used in real attacks in near future. The rootkit contains a new variant of Rekoobe backdoor that will be launched only upon receiving specifically crafted magic packets from the threat actor.What is Syslogk?Syslogk is a Linux rootkit that is reportedly based on an old open-source Linux kernel rootkit called “Adore-Ng”.Syslogk rootkit is installed as kernel modules in the affected system and intercepts legitimate Linux commands in order to hide its files, folders, or processes. It can hide directories containing the malicious files dropped on the compromised machine, hides processes and network traffic, and remotely starts or stop payloads on demand. The rootkit is also capable of inspecting all TCP traffic. The rootkit also loads hidden Rekoobe backdoor only when it receives specifically-crafted magic packets from the threat actor.What is Rekoobe?Rekoobe is a Linux backdoor that is reportedly based on TinySHell, an open-source Unix backdoor. Rekoobe refers to its Command-and Control (C2) server and performs malicious activities based on remote commands it receives.What is the Status of Coverage?FortiGuard Labs provides the following coverage against Syslogk rootkit:Linux/Rootkit_Agent.BY!trFortiGuard Labs provides the following coverage against Rekoobe backdoor:Linux/Rekoobe.BLinux/Rekoobe.B!trLinux/Rekoobe.B!tr.bdrLinux/Rekoobe.D!trLinux/Rekoobe.F!trLinux/Rekoobe.N!trLinux/Agnt.A!trLinux/Agent.B!trLinux/Agent.BX!tr.bdrLinux/Agent.DL!trLinux/Agent.JO!trLinux/Agent.LF!trW32/Rekoobe.F!trW32/Multi.MIBSUN!tr.bdrELF/Rosta.487B.fam!tr.bdrAdware/AgentAdware/RekoobePossibleThreat

Read More

Active Exploitation of Confluence vulnerability (CVE-2022-26134)

Read Time:1 Minute, 27 Second

FortiGuard Labs is aware that an unauthenticated remote code execution vulnerability in Confluence (CVE-2022-26134) continues to be exploited to deploy malware in the field. Deployed malware reportedly includes Cerber2021 ransomware, Hezb, coinminers and Dark.IoT. The vulnerability was patched on June 3rd, 2022. Why is this Significant?This is significant because CVE-2022-26134 is a newly patched Confluence vulnerability that continues to be exploited in the field and various malware were deployed to the affected systems upon successful exploitation.What is CVE-2022-26134?CVE-2022-26134 is a critical vulnerability affects Confluence Server and Data Center which the latest patch has not yet been applied. The vulnerability relates to an Object-Graph Navigation Language (OGNL) injection that could allow an unauthenticated user to execute arbitrary code on the compromised system.Atlassian released a fix on June 3rd, 2022.FortiGuard Labs previously published a Threat Signal on the subject. See the Appendix for a link to “New Confluence Vulnerability (CVE-2022-26134) Exploited in the Wild”.What Malware were Deployed to the Compromised Servers?Malware such as Cerber2021 ransomware, Dark.IoT and coinminers such as Kinsing and XMRig miner are known to be deployed to the affected servers.What is the Status of Coverage?FortiGuard Labs detects the malicious samples that were known to be deployed through CVE-2022-21634 with the following AV signatures:W32/Filecoder.1104!tr.ransomELF/BitCoinMiner.HF!trELF/Mirai.A!trLinux/Agent.PZ!trLinux/CVE_2021_4034.G!trRiskware/CoinMinerAdware/MinerFortiGuard Labs released the following IPS signature against CVE-2022-26134 in version 21.331:Atlassian.Confluence.OGNL.Remote.Code.ExecutionInitially, the signature’s default action was set to “pass”, however the action was changed to “drop” from version 21.333.

Read More

USN-5478-1: util-linux vulnerability

Read Time:14 Second

Christian Moch and Michael Gruhn discovered that the libblkid library
of util-linux did not properly manage memory under certain
circumstances. A local attacker could possibly use this issue
to cause denial of service by consuming all memory through
a specially crafted MSDOS partition table.

Read More

SEC Consult SA-20220614-0 :: Reflected Cross Site Scripting in SIEMENS-SINEMA Remote Connect

Read Time:18 Second

Posted by SEC Consult Vulnerability Lab, Research via Fulldisclosure on Jun 14

SEC Consult Vulnerability Lab Security Advisory < 20220614-0 >
=======================================================================
title: Reflected Cross Site Scripting
product: SIEMENS-SINEMA Remote Connect
vulnerable version: <=V3.0.1.0-01.01.00.02
fixed version: V3.1.0
CVE number: CVE-2022-29034
impact: medium
homepage: https://siemens.com

Read More

ghex-42.3-1.fc36

Read Time:18 Second

FEDORA-2022-23adf3d425

Packages in this update:

ghex-42.3-1.fc36

Update description:

Update to 42.3

main: Hotfix to workaround gtk #4880 (affects Save As dialogs on X11
primarily)
config: Add GNOME 42+ compatibility for dark mode, and fetch dark settings
from portal if possible
widget: Properly update highlights upon resize
find-replace: Remove spurious g_object_ref() call

Read More