Category Archives: Advisories

Qakbot Delivered Through CVE-2022-30190 (Follina)


FortiGuard Labs is aware of a report that CVE-2022-30190 is being exploited in the wild to deliver Qakbot malware. Currently, a patch is not available for CVE-2022-30190. Also known as Qbot and Pinkslipbot, Qakbot started off as banking malware. In recent years, Qakbot has been seen as a delivery vehicle for other malware, which often results in a compromised machine being infected with ransomware.

Why is this Significant?

This is significant because CVE-2022-30190 is a Windows vulnerability that has no available patch and is being abused in the field. The current attack campaign delivers Qakbot to the victim’s machine. While the final payload has not been identified or reported, a Qakbot infection often leads to ransomware being deployed on the compromised machine. A publicly available report suggests Black Basta ransomware was deployed through Qakbot.

What is CVE-2022-30190?

CVE-2022-30190, also known as Follina, is a vulnerability in the Microsoft Support Diagnostic Tool (MSDT); successful exploitation allows an attacker to run arbitrary code with the privileges of the calling application. FortiGuard Labs previously released an Outbreak Alert and a Threat Signal on CVE-2022-30190. See the Appendix for links to “MSDT Follina” and “Follina: 0-day Windows MSDT Vulnerability (CVE-2022-30190) Exploited In The Wild”.

How does the Current Qakbot Campaign Work?

Reportedly, malicious emails arrive with an HTML attachment. Opening the HTML attachment downloads and saves a .zip file that has an IMG file inside. The IMG file contains a DLL, a Word document, and a .LNK file. The DLL is a Qakbot variant, which the .LNK file executes. Alternatively, the Word file downloads and executes a remote HTML file that contains a script abusing CVE-2022-30190, which then downloads and executes a Qakbot variant.

What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage against available samples associated with the current Qakbot campaign that abuses CVE-2022-30190:

W32/Qbot.DM!tr
MSOffice/CVE_2021_40444.A!tr
LNK/Agent.BD!tr
HTML/CVE_2022_30190.A!tr

Regarding IPS coverage, the following signature detects the retrieval of remote HTML files that contain the MSDT command:

MS.Office.MSHTML.Remote.Code.Execution

Known network IOCs for CVE-2022-30190 are blocked by the WebFiltering client.

FortiEDR provides protection from exploitation of this vulnerability and subsequent post-exploitation activity. See the Appendix for a link to “Technical Tip: How FortiEDR protects against CVE-2022-30190 ‘Follina’ Microsoft Office protocol vulnerability” for more information.

The FortiGuard Content Disarm and Reconstruction (CDR) service can detect the attack in real time and prevent it by disarming the “oleobject” data from Microsoft Office files.


CVE-2017-20021


A vulnerability, which was classified as critical, was found in Solare Solar-Log 2.8.4-56/3.5.2-85. This affects an unknown part of the component File Upload. The manipulation leads to privilege escalation. It is possible to initiate the attack remotely. Upgrading to version 3.5.3-86 addresses this issue. It is recommended to upgrade the affected component.


CVE-2017-20022


A vulnerability has been found in Solare Solar-Log 2.8.4-56/3.5.2-85 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to information disclosure. The attack can be initiated remotely. Upgrading to version 3.5.3-86 addresses this issue. It is recommended to upgrade the affected component.


CVE-2017-20023


A vulnerability was found in Solare Solar-Log 2.8.4-56/3.5.2-85 and classified as critical. This issue affects some unknown processing of the component Network Config. The manipulation leads to privilege escalation. The attack may be initiated remotely. Upgrading to version 3.5.3-86 addresses this issue. It is recommended to upgrade the affected component.


CVE-2017-20024


A vulnerability was found in Solare Solar-Log 2.8.4-56/3.5.2-85. It has been classified as problematic. Affected is an unknown function. The manipulation leads to denial of service. It is possible to launch the attack remotely. Upgrading to version 3.5.3-86 addresses this issue. It is recommended to upgrade the affected component.


CVE-2017-20025


A vulnerability was found in Solare Solar-Log 2.8.4-56/3.5.2-85. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component Flash Memory. The manipulation leads to privilege escalation. The attack can be launched remotely. Upgrading to version 3.5.3-86 addresses this issue. It is recommended to upgrade the affected component.


CVE-2017-20026


A vulnerability has been found in HumHub up to 1.0.1 and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross site scripting (Reflected). The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.1.1 addresses this issue. It is recommended to upgrade the affected component.


CVE-2017-20018


A vulnerability was found in XAMPP 7.1.1-0-VC14. It has been classified as problematic. Affected is an unknown function of the component Installer. The manipulation leads to privilege escalation. It is possible to launch the attack remotely.


CVE-2017-20019


A vulnerability classified as problematic was found in Solare Solar-Log 2.8.4-56/3.5.2-85. Affected by this vulnerability is an unknown functionality of the component Config Handler. The manipulation leads to information disclosure. The attack can be launched remotely. Upgrading to version 3.5.3-86 addresses this issue. It is recommended to upgrade the affected component.
