FortiGuard Labs has become aware of several ransomware strains that caught the public’s attention for the week of June 20th, 2022. It is imperative to raise awareness about ransomware variants because infections can cause severe damage to organizations. This week’s Ransomware Roundup Threat Signal covers eCh0raix, DeadLocker and Kawaii ransomware along with the Fortinet protections against them.What is eCh0raix Ransomware?eCh0raix, also known as QNAPCrypt and Qlocker, is a ransomware that has been in the field since 2019, and targets QNAP and Synology Network-Attached-Storage (NAS) devices. It encrypts files on those devices and adds a file extension such as “.encrypt” or “.muhstik”, and leaves a ransom note in “README_FOR_DECRYPT.txt”. Some eCh0raix’s ransom notes reportedly have a “.txtt” extension rather than “.txt”, which is considered as misspelling by the attacker. eCh0raix threat actors are known to typically ask for small amount of ransom ($1000 ~ $3000) in Bitcoin through a Onion site for file decryption.eCh0raix ransomware’s ransom noteIn May 2021, QNAP released an advisory warning QNAP users of eCh0raix ransomware targeting QNAP devices using weak passwords or outdated QTS firmware. QNAP again issued an advisory in June 2021 that eCh0raix ransomware was observed to have exploited several QNAP vulnerabilities in Photo Station (CVE-2019-7192, CVE-2019-7193, CVE-2019-7194, CVE-2019-7195). Those vulnerabilities were patched in late 2019. In mid-2021, a report surfaced that a vulnerability in Hybrid Backup Sync (HBS3) was exploited by eCh0raix ransomware. Assigned CVE-2021-28799, the vulnerability allows remote attackers to log in to vulnerable QNAP devices and install the ransomware. QNAP issued a patch for CVE-2021-28799 in April 2021.The advisory for eCh0raix ransomware issued by QNAP recommends the following actions to prevent eCh0raix infection:Use stronger passwords for your administrator accounts.Enable IP Access Protection to protect accounts from brute force attacks.Avoid using default port numbers 443 and 8080.Update QTS to the latest version.Update all installed applications to their latest versions.Some variants of eCh0raix ransomware allegedly target Synology NAS devices, however the attack vector has not been identified.What is the Status of Coverage?Fortinet provides the following AV coverage against known eCh0raix ransomware samples:ELF/eCh0raix.A!trELF/Filecoder_ECh0raix.A!trELF/Filecoder_ECh0raix.C!trLinux/Filecoder_ECh0raix.D!trLinux/Filecoder_ECh0raix.D!trELF/Cryptor.74B2!tr.ransomFortiGuard Labs provides the following IPS coverage against known vulnerabilities that were used to install eCh0raix ransomware to unpatched QNAP devices:QNAP.NAS.HBS.3.Authentication.Bypass (CVE-2021-28799)QNAP.Photo.Station.Authentication.Bypass (CVE-2019-7192, CVE-2019-7194, CVE-2019-7195)QNAP.QTS.Remote.Code.Injection (CVE-2019-7193)What is DeadLocker Ransomware?DeadLocker is a ransomware that was recently discovered and appears to target Turkey. The ransomware encrypts files on victim’s machine and adds “.deadlocked” to the affected files. It replaces desktop wallpaper and displays a ransom message in Turkish that demands the victim to purchase one year of Nitro service (most likely refers to Discord Nitro) or pay $650 US to decrypt the files. At the time of this writing, Discord Nitro costs $99 US annually. The attacker claims that the ransom amount will be reduced to $325 if a ransom is paid within 72 hours. Wallpaper of DeadLockerRansom message displayed by DeadLocker ransomwareRansom message in English translation:Oh no!!!! All your files are locked by DeadLocker 1-) What can I do?You can’t do much, you need a special password to open the files. 2-) How can I get my files back?You need to send 1 year of nitro or $650, if you pay within 72 hours it will be reduced to $325 3 – ) Where will I pay?You can contact [reducted] and get the address to send the nitro or $650Encrypted Files:[List of encrypted files]What is the Status of Coverage?Fortinet provides the following AV coverage against DeadLocker ransomware:MSIL/Locker.AFL!trWhat is Kawaii Ransomware?Kawaii is a new ransomware that claims to have encrypted files on the victim’s machine and demands $300 US worth of Bitcoin to decrypt them. Victims of Kawaii ransomware are given only 10 hours to pay a ransom, which is a probable attempt to add extra pressure to the victims. Once a ransom is paid, victims are asked to contact the attacker through email to obtain a decryption key.Kawaii ransomware’s ransom noteWhat is the Status of Coverage?Fortinet provides the following AV coverage against Kawaii ransomwareMSIL/HiddenTears.F0EE!tr.ransomAnything Else to Note?Victims of ransomware are cautioned against paying ransoms by such organizations as CISA, NCSC, the FBI, and HHS. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities which could potentially be illegal according to a U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) advisory.
Category Archives: Advisories
CVE-2017-20093
A vulnerability, which was classified as problematic, was found in Download Manager Plugin 2.8.99. Affected is an unknown function. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely.
CVE-2017-20094
A vulnerability, which was classified as problematic, has been found in NewStatPress Plugin 1.2.4. This issue affects some unknown processing. The manipulation leads to basic cross site scripting (Persistent). The attack may be initiated remotely. Upgrading to version 1.2.5 is able to address this issue. It is recommended to upgrade the affected component.
CVE-2017-20095
A vulnerability classified as critical was found in Simple Ads Manager Plugin. This vulnerability affects unknown code. The manipulation leads to code injection. The attack can be initiated remotely.
CVE-2017-20096
A vulnerability classified as problematic has been found in WP-SpamFree Anti-Spam Plugin 2.1.1.4. This affects an unknown part. The manipulation leads to basic cross site scripting. It is possible to initiate the attack remotely.
CVE-2017-20092
A vulnerability classified as problematic was found in Google Analytics Dashboard Plugin 2.1.1. Affected by this vulnerability is an unknown functionality. The manipulation leads to basic cross site scripting. The attack can be launched remotely.
ZDI-22-872: DevExpress SafeBinaryFormatter Deserialization of Untrusted Data Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of DevExpress. Authentication is required to exploit this vulnerability.
python-twisted-22.4.0-1.fc37
FEDORA-2022-dc6dc2cfd3
Packages in this update:
python-twisted-22.4.0-1.fc37
Update description:
Automatic update for python-twisted-22.4.0-1.fc37.
Changelog
* Thu Jun 23 2022 Robert-André Mauchin <zebob.m@gmail.com> 22.4.0-1
– Update to 22.4.0 Close: rhbz#2046562 rhbz#2073115 rhbz#2060972
rhbz#2059508
USN-5492-1: Vim vulnerability
It was discovered that Vim incorrectly handled memory when opening and
searching the contents of certain files. If an attacker could trick a user
into opening a specially crafted file, it could cause Vim to crash.
USN-5487-3: Apache HTTP Server regression
USN-5487-1 fixed several vulnerabilities in Apache HTTP Server.
Unfortunately it caused regressions. USN-5487-2 reverted the
patches that caused the regression in Ubuntu 14.04 ESM for further
investigation. This update re-adds the security fixes for Ubuntu
14.04 ESM and fixes two different regressions: one affecting mod_proxy
only in Ubuntu 14.04 ESM and another in mod_sed affecting also Ubuntu 16.04 ESM
and Ubuntu 18.04 LTS.
We apologize for the inconvenience.
Original advisory details:
It was discovered that Apache HTTP Server mod_proxy_ajp incorrectly handled
certain crafted request. A remote attacker could possibly use this issue to
perform an HTTP Request Smuggling attack. (CVE-2022-26377)
It was discovered that Apache HTTP Server incorrectly handled certain
request. An attacker could possibly use this issue to cause a denial
of service. (CVE-2022-28614)
It was discovered that Apache HTTP Server incorrectly handled certain request.
An attacker could possibly use this issue to cause a crash or expose
sensitive information. (CVE-2022-28615)
It was discovered that Apache HTTP Server incorrectly handled certain request.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2022-29404)
It was discovered that Apache HTTP Server incorrectly handled certain
request. An attacker could possibly use this issue to cause a crash.
(CVE-2022-30522)
It was discovered that Apache HTTP Server incorrectly handled certain request.
An attacker could possibly use this issue to execute arbitrary code or cause
a crash. (CVE-2022-30556)
It was discovered that Apache HTTP Server incorrectly handled certain request.
An attacker could possibly use this issue to bypass IP based authentication.
(CVE-2022-31813)