FortiGuard Labs is aware of a report that a new rootkit for Linux that appears to be still in development was discovered. Namaed “Syslogk”, the rootkit is based on Adore-Ng, an old open-source kernel rootkit for Linux. Syslogk is hides directories containing malicious files and does not load the hidden Rekoobe backdoor malware until specifically-crafted magic packets are received.Why is this Significant?This is significant because “Syslogk” is a Linux rootkit that is in development as such it may be used in real attacks in near future. The rootkit contains a new variant of Rekoobe backdoor that will be launched only upon receiving specifically crafted magic packets from the threat actor.What is Syslogk?Syslogk is a Linux rootkit that is reportedly based on an old open-source Linux kernel rootkit called “Adore-Ng”.Syslogk rootkit is installed as kernel modules in the affected system and intercepts legitimate Linux commands in order to hide its files, folders, or processes. It can hide directories containing the malicious files dropped on the compromised machine, hides processes and network traffic, and remotely starts or stop payloads on demand. The rootkit is also capable of inspecting all TCP traffic. The rootkit also loads hidden Rekoobe backdoor only when it receives specifically-crafted magic packets from the threat actor.What is Rekoobe?Rekoobe is a Linux backdoor that is reportedly based on TinySHell, an open-source Unix backdoor. Rekoobe refers to its Command-and Control (C2) server and performs malicious activities based on remote commands it receives.What is the Status of Coverage?FortiGuard Labs provides the following coverage against Syslogk rootkit:Linux/Rootkit_Agent.BY!trFortiGuard Labs provides the following coverage against Rekoobe backdoor:Linux/Rekoobe.BLinux/Rekoobe.B!trLinux/Rekoobe.B!tr.bdrLinux/Rekoobe.D!trLinux/Rekoobe.F!trLinux/Rekoobe.N!trLinux/Agnt.A!trLinux/Agent.B!trLinux/Agent.BX!tr.bdrLinux/Agent.DL!trLinux/Agent.JO!trLinux/Agent.LF!trW32/Rekoobe.F!trW32/Multi.MIBSUN!tr.bdrELF/Rosta.487B.fam!tr.bdrAdware/AgentAdware/RekoobePossibleThreat
Category Archives: Advisories
Active Exploitation of Confluence vulnerability (CVE-2022-26134)
FortiGuard Labs is aware that an unauthenticated remote code execution vulnerability in Confluence (CVE-2022-26134) continues to be exploited to deploy malware in the field. Deployed malware reportedly includes Cerber2021 ransomware, Hezb, coinminers and Dark.IoT. The vulnerability was patched on June 3rd, 2022. Why is this Significant?This is significant because CVE-2022-26134 is a newly patched Confluence vulnerability that continues to be exploited in the field and various malware were deployed to the affected systems upon successful exploitation.What is CVE-2022-26134?CVE-2022-26134 is a critical vulnerability affects Confluence Server and Data Center which the latest patch has not yet been applied. The vulnerability relates to an Object-Graph Navigation Language (OGNL) injection that could allow an unauthenticated user to execute arbitrary code on the compromised system.Atlassian released a fix on June 3rd, 2022.FortiGuard Labs previously published a Threat Signal on the subject. See the Appendix for a link to “New Confluence Vulnerability (CVE-2022-26134) Exploited in the Wild”.What Malware were Deployed to the Compromised Servers?Malware such as Cerber2021 ransomware, Dark.IoT and coinminers such as Kinsing and XMRig miner are known to be deployed to the affected servers.What is the Status of Coverage?FortiGuard Labs detects the malicious samples that were known to be deployed through CVE-2022-21634 with the following AV signatures:W32/Filecoder.1104!tr.ransomELF/BitCoinMiner.HF!trELF/Mirai.A!trLinux/Agent.PZ!trLinux/CVE_2021_4034.G!trRiskware/CoinMinerAdware/MinerFortiGuard Labs released the following IPS signature against CVE-2022-26134 in version 21.331:Atlassian.Confluence.OGNL.Remote.Code.ExecutionInitially, the signature’s default action was set to “pass”, however the action was changed to “drop” from version 21.333.
USN-5478-1: util-linux vulnerability
Christian Moch and Michael Gruhn discovered that the libblkid library
of util-linux did not properly manage memory under certain
circumstances. A local attacker could possibly use this issue
to cause denial of service by consuming all memory through
a specially crafted MSDOS partition table.
SEC Consult SA-20220614-0 :: Reflected Cross Site Scripting in SIEMENS-SINEMA Remote Connect
Posted by SEC Consult Vulnerability Lab, Research via Fulldisclosure on Jun 14
SEC Consult Vulnerability Lab Security Advisory < 20220614-0 >
=======================================================================
title: Reflected Cross Site Scripting
product: SIEMENS-SINEMA Remote Connect
vulnerable version: <=V3.0.1.0-01.01.00.02
fixed version: V3.1.0
CVE number: CVE-2022-29034
impact: medium
homepage: https://siemens.com…
ghex-42.3-1.fc36
FEDORA-2022-23adf3d425
Packages in this update:
ghex-42.3-1.fc36
Update description:
Update to 42.3
main: Hotfix to workaround gtk #4880 (affects Save As dialogs on X11
primarily)
config: Add GNOME 42+ compatibility for dark mode, and fetch dark settings
from portal if possible
widget: Properly update highlights upon resize
find-replace: Remove spurious g_object_ref() call
USN-5477-1: ncurses vulnerabilities
Hosein Askari discovered that ncurses was incorrectly performing
memory management operations when dealing with long filenames while
writing structures into the file system. An attacker could possibly
use this issue to cause a denial of service or execute arbitrary
code. (CVE-2017-16879)
Chung-Yi Lin discovered that ncurses was incorrectly handling access
to invalid memory areas when parsing terminfo or termcap entries where
the use-name had invalid syntax. An attacker could possibly use this
issue to cause a denial of service. (CVE-2018-19211)
It was discovered that ncurses was incorrectly performing bounds
checks when processing invalid hashcodes. An attacker could possibly
use this issue to cause a denial of service or to expose sensitive
information. (CVE-2019-17594)
It was discovered that ncurses was incorrectly handling
end-of-string characters when processing terminfo and termcap files.
An attacker could possibly use this issue to cause a denial of
service or to expose sensitive information. (CVE-2019-17595)
It was discovered that ncurses was incorrectly handling
end-of-string characters when converting between termcap and
terminfo formats. An attacker could possibly use this issue to cause
a denial of service or execute arbitrary code. (CVE-2021-39537)
It was discovered that ncurses was incorrectly performing bounds
checks when dealing with corrupt terminfo data while reading a
terminfo file. An attacker could possibly use this issue to cause a
denial of service or to expose sensitive information.
(CVE-2022-29458)
vim-8.2.5085-1.fc35
FEDORA-2022-c302c5f62d
Packages in this update:
vim-8.2.5085-1.fc35
Update description:
The newest upstream commit
Security fix for CVE-2022-2000
golang-github-emicklei-restful-3.8.0-1.fc35
FEDORA-2022-589a0ad690
Packages in this update:
golang-github-emicklei-restful-3.8.0-1.fc35
Update description:
Update to 3.8.0. Fixes rhbz#1948196.
Mitigate CVE-2022-1996.
golang-github-emicklei-restful-3.8.0-1.fc36
FEDORA-2022-185697ef56
Packages in this update:
golang-github-emicklei-restful-3.8.0-1.fc36
Update description:
Update to 3.8.0. Fixes rhbz#1948196.
Mitigate CVE-2022-1996.
oniguruma-6.8.2-2.el7
FEDORA-EPEL-2022-a9236c0113
Packages in this update:
oniguruma-6.8.2-2.el7
Update description:
Backport fix for CVE-2019-13225 from RHEL8.