FortiGuard Labs is aware of a number of new ransomware strains for the week of May 30th, 2022. It is imperative to raise awareness about new ransomware strains as infections can cause severe damage to organizations. This week’s Ransomware Roundup Threat Signal covers Hive ransomware, Bright Black ransomware and the Karakurt data extortion group, and Fortinet protections against them.

What is Hive Ransomware?

Hive ransomware is a Ransomware-as-a-Service (RaaS) that was first observed in June 2021. It is highlighted in this Threat Signal because Costa Rica’s public health system was reportedly compromised by it.

As a RaaS, the Hive operation consists of two kinds of participants: the ransomware operator (developer) and affiliates. The former develops Hive ransomware, provides support to its affiliates, and operates the ransom payment site as well as a data leak site called “HiveLeaks” on Tor. The latter carry out the actual attacks: they infect victims, exfiltrate data, and deploy Hive ransomware onto compromised machines. An apparent underground forum post recruiting Hive affiliates promised them an 80% cut.

Hive ransomware is the main payload deployed to compromised machines to encrypt files. Before file encryption takes place, data is stolen from the victim and shadow copies are deleted, which makes file recovery very difficult. Files encrypted by Hive ransomware typically have a .hive extension. Other reported file extensions include .aumcc, .sncip, .accuj and .qxycv. According to a report published by Group-IB, “the data encryption is often carried out during non-working hours or at the weekend” in an attempt to encrypt as many files as possible without being noticed.

A typical ransom note left behind by Hive ransomware:

Your network has been breached and all data is encrypted.
To decrypt all the data you will need to purchase our decryption software.
Please contact our sales department at: xxxx://[removed].onion/
Login: [removed]
Password: [removed]
Follow the guidelines below to avoid losing your data:
– Do not shutdown or reboot your computers, unmount external storages.
– Do not try to decrypt data using third party software. It may cause irreversible damage.
– Don’t fool yourself. Encryption has perfect secrecy and it’s impossible to decrypt without knowing the key.
– Do not modify, rename or delete *.key.hive files. Your data will be undecryptable.
– Do not modify or rename encrypted files. You will lose them.
– Do not report to authorities. The negotiation process will be terminated immediately and the key will be erased.
– Do not reject to purchase. Your sensitive data will be publicly disclosed at xxxx://[removed]onion/

The group employs a double extortion technique in which victims are asked to pay a ransom both to recover encrypted files and to prevent the stolen data from being published on “HiveLeaks”. Some victims reportedly received phone calls from Hive threat actors. The victim receives a decryption tool upon completion of payment; however, there has been chatter suggesting that in some cases the decryption tool did not work as advertised and made virtual machines unbootable by corrupting the MBR (Master Boot Record).

Initial attack vectors include phishing emails with malicious attachments, attacks on vulnerable RDP servers, and the use of compromised VPN credentials. Purchasing network access from initial access brokers is a possibility as well.

Hive ransomware has reportedly victimized companies across a wide range of industries, including (but not restricted to) real estate, IT and manufacturing. Some RaaS operations have a policy of excluding governmental, educational and military organizations, health care, and critical infrastructure such as gas pipelines and power plants. Hive does not appear to have such a policy, as its victims include health care and government organizations. In August 2021, the Federal Bureau of Investigation (FBI) released a flash alert on Hive ransomware. See the Appendix for a link to the advisory, “Indicators of Compromise Associated with Hive Ransomware”.

What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage against Hive ransomware:

W64/Hive.A!tr
W32/Ransom.HIVE!tr
ELF/Hive.B!tr
Linux/Hive.B!tr
W64/Filecoder_Hive.A!tr.ransom
W32/Filecoder_Hive.A!tr
BSD/Filecoder_Hive.A!tr
W32/Filecoder_Hive_AGen.A!tr
Linux/Filecoder_Hive.E!tr
Linux/Filecoder_Hive.C!tr
Linux/Filecoder_Hive.D!tr
Linux/Filecoder_Hive.F!tr
W64/Filecoder_Hive_AGen.A!tr
W32/Filecoder_Hive_AGen.A!tr.ransom
W64/Filecoder_Hive_AGen.A!tr.ransom
W32/Ransom_Win64_HIVE.YXBKMZ
W32/Ransom_Win64_HIVE.NIVSBHU!tr
W32/Ransom_Win64_HIVE.BYFUSKH!tr
W32/Ransom_Win64_HIVE.YXBKOZ
W32/Ransom_Win64_HIVE.YXBKLZ
W32/Ransom_Win64_HIVE.YXBKBZ
W32/Hive.B0FF!tr.ransom
W32/Ransom_Win64_HIVE.LIVMOBG!tr
JS/MinerCoinHiveInURLDecode.D43A!tr
W64/Hive.B0FF!tr.ransom
W32/Ransom_Win64_HIVE.CQCRPWJ!tr
W32/Ransom_Win64_HIVE.YXBJ2Z
W32/Ransom_HiveCrypt.R06BC0DDM22

FortiEDR provides protection from new ransomware variants such as Hive straight out of the box.

What is Bright Black Ransomware?

Bright Black ransomware is a new ransomware that displays a ransom note in ransnote.html. The ransom note claims that files on the compromised machine were encrypted using AES-256 and asks the victim to contact the malware author via Discord in order to recover the affected files. However, analysis performed by FortiGuard Labs revealed that Bright Black ransomware does NOT encrypt any files. In an attempt to fool the victim into paying the ransom, it prepends “x” to the file extension of the targeted files; for example, it changes the .png file extension to .xpng. It also drops a decryptor tool. When the tool is run, it asks for a code and reiterates that the victim needs to DM the author to get the code. That is another attempt to make the victim believe the files were encrypted.

[Figure: Bright Black ransomware’s ransom note]
[Figure: Dropped Bright Black decryptor]

What is the Status of Coverage against Bright Black Ransomware?

FortiGuard Labs provides the following AV coverage:

BAT/Renamer.AU!tr

What is the Karakurt Data Extortion Group?

The Karakurt data extortion group is a threat actor that steals data from compromised machines and threatens to release it publicly unless the victim pays a ransom in Bitcoin. The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), and the Financial Crimes Enforcement Network (FinCEN) released a joint advisory on the Karakurt threat actor on June 1st, 2022. Please see the Appendix for a link to the advisory, “Alert (AA22-152A): Karakurt Data Extortion Group”.

According to the advisory, there is no report of the threat actor encrypting any files as part of its attacks. Known ransom demands range from $25,000 to $13,000,000, and the threat actor typically demands that the ransom be paid within a week of first contact with the victim. The criminal group employs aggressive tactics to get the victim to pay: it has reportedly contacted not only the victim’s employees but also business partners and clients, via emails and phone calls. The advisory also indicates that, once the ransom was paid, the threat actor provided a brief statement on how the victim was compromised.

What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage on the available samples on the IOC list:

Riskware/Kryptik

Anything Else to Note?

Victims of ransomware are cautioned against paying ransoms by organizations such as CISA, NCSC, the FBI, and HHS. Payment does not guarantee that files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities; paying could also potentially be illegal according to a U.S. Department of the Treasury Office of Foreign Assets Control (OFAC) advisory.
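The Bright Black section above describes a rename-only "encryption" (.png becomes .xpng, content untouched). Before any decryptor is bought or run, an incident responder wants to confirm whether the files are actually encrypted and, if not, reverse the rename safely. The following Python triage script is an added example written for this page; it is not FortiGuard's code or anything recovered from Bright Black. The magic-byte table, the entropy threshold and the sample files it builds in a temporary directory are all constructed assumptions.

```python
"""Triage a suspected fake-encryption rename such as the Bright Black
behaviour described above (.png -> .xpng, content untouched).
Added example, not FortiGuard or Bright Black code; sample files are
constructed in a temporary directory."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List, Optional

# Magic bytes for a few common formats. A genuinely encrypted file would not
# keep these. (Assumption: which formats to check is our choice, not the page's.)
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
    ".zip": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff",
}
ENTROPY_THRESHOLD = 7.5  # bits/byte; ciphertext sits near 8.0 (assumption)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext or compressed data, lower for plain content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def original_suffix(path: Path) -> Optional[str]:
    """Undo the rename: '.xpng' -> '.png'. None if the suffix is not 'x' + something.
    Caveat: legitimate suffixes starting with 'x' (.xml, .xls) collide with this
    pattern; cross-check against a pre-incident file inventory where possible."""
    s = path.suffix
    return "." + s[2:] if len(s) > 2 and s.startswith(".x") else None


def looks_encrypted(path: Path, orig_suffix: str) -> bool:
    """True when the header no longer matches the expected magic (if known)
    or the leading bytes look random."""
    head = path.read_bytes()[:4096]
    magic = MAGIC.get(orig_suffix)
    if magic is not None:
        return not head.startswith(magic)
    return shannon_entropy(head) > ENTROPY_THRESHOLD


def triage(directory: Path) -> Dict[str, List[str]]:
    """Classify each 'x'-suffixed file as renamed_only or encrypted; others are skipped."""
    result: Dict[str, List[str]] = {"renamed_only": [], "encrypted": [], "skipped": []}
    for p in sorted(directory.iterdir()):
        if not p.is_file():
            continue
        orig = original_suffix(p)
        if orig is None:
            result["skipped"].append(p.name)
        elif looks_encrypted(p, orig):
            result["encrypted"].append(p.name)
        else:
            result["renamed_only"].append(p.name)
    return result


def restore_names(directory: Path) -> List[str]:
    """Rename only the files triage judged intact; never overwrite an existing file
    and never touch files that appear to be genuinely encrypted."""
    restored = []
    for name in triage(directory)["renamed_only"]:
        p = directory / name
        target = p.with_suffix(original_suffix(p))
        if target.exists():
            continue
        p.rename(target)
        restored.append(target.name)
    return restored


def build_sample_dir() -> Path:
    """Constructed sample: a renamed PNG, a renamed text file, a random-byte .xbin
    standing in for a truly encrypted file, and the ransom note itself."""
    d = Path(tempfile.mkdtemp(prefix="brightblack_"))
    (d / "photo.xpng").write_bytes(MAGIC[".png"] + b"\x00" * 64)
    (d / "notes.xtxt").write_text("quarterly report draft\n" * 20)
    (d / "vault.xbin").write_bytes(os.urandom(4096))
    (d / "ransnote.html").write_text("<p>Your files are encrypted</p>")
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    print(triage(sample))
    print("restored:", restore_names(sample))
```

Run it against a copy of the affected share, never the original: the script classifies each "x"-suffixed file by checking known magic bytes first and falling back to byte entropy, restores only the files that are demonstrably intact, and leaves anything that looks like real ciphertext (or would overwrite an existing file) for manual review. The same two checks expose most "scareware" renamers regardless of the exact suffix scheme they use.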
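The Hive section above makes two operationally useful points: shadow copies are deleted before encryption starts, and the encryption stage tends to run during non-working hours or at the weekend. Together they give a detection with a narrow window between "recovery destroyed" and "files encrypted". The Python below is an added example for this page, not FortiGuard's detection logic: the command-line patterns, the working-hours window and the pipe-delimited process-creation log lines are all constructed assumptions, and the log format is simplified relative to any real EDR or Sysmon export.

```python
"""Flag shadow-copy destruction in process-creation telemetry and weight it by
time of day, the pre-encryption pattern the Hive section above describes.
Added example, not FortiGuard code. Log lines use a constructed
'timestamp|host|user|image|command line' format."""
import re
from datetime import datetime
from typing import Dict, List

# Command lines commonly used to destroy Volume Shadow Copies or recovery data.
# The page only says shadow copies are deleted; this pattern list is ours (assumption).
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"vssadmin(?:\.exe)?\s+resize\s+shadowstorage.*?/maxsize=", re.I),
    re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy", re.I),            # WMI route from PowerShell
    re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"bcdedit(?:\.exe)?.*?recoveryenabled\s+no", re.I),
]

WORK_START, WORK_END = 8, 18  # local working hours, Mon-Fri (assumption)


def parse_line(line: str) -> Dict[str, object]:
    # maxsplit=4 keeps '|' characters inside the command line (PowerShell pipelines).
    ts, host, user, image, cmdline = line.rstrip("\n").split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "image": image, "cmdline": cmdline}


def is_off_hours(ts: datetime) -> bool:
    """Weekend, or outside WORK_START..WORK_END on a weekday."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.hour < WORK_END)


def matches_shadow_delete(cmdline: str) -> bool:
    return any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS)


def detect(lines: List[str]) -> List[Dict[str, object]]:
    """Return one alert per matching event; off-hours matches are rated critical
    because that is when the encryption stage is reported to run."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if not matches_shadow_delete(ev["cmdline"]):
            continue
        alerts.append({
            "ts": ev["ts"].isoformat(),
            "host": ev["host"],
            "user": ev["user"],
            "cmdline": ev["cmdline"],
            "severity": "critical" if is_off_hours(ev["ts"]) else "high",
        })
    return alerts


# Constructed sample telemetry. 2022-05-28 is a Saturday; the WS22 events fall
# inside working hours and include a benign 'vssadmin list shadows'.
SAMPLE_LOG = """\
2022-05-28T02:14:07|FS01|CORP\\svc_backup|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2022-05-28T02:14:09|FS01|CORP\\svc_backup|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete
2022-05-30T10:05:41|WS22|CORP\\jdoe|C:\\Windows\\System32\\notepad.exe|notepad.exe C:\\Users\\jdoe\\todo.txt
2022-05-30T10:06:02|WS22|CORP\\jdoe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows
2022-05-31T22:41:13|FS02|CORP\\admin|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -nop -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object {$_.Delete()}"
"""


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The rule deliberately ignores read-only commands such as `vssadmin list shadows` and rates a match during the weekend or at night as critical rather than high; on a file server that is exactly the moment to isolate the host, because the page's description puts the encryption run minutes to hours after this step. Tune the working-hours window per site and expect legitimate backup agents to trip the `resize shadowstorage` pattern, which is why the user and image fields are carried into the alert.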
Category Archives: Advisories
vim-8.2.5052-1.fc35
FEDORA-2022-bb2daad935
Packages in this update:
vim-8.2.5052-1.fc35
Update description:
Security fixes for CVE-2022-1886, CVE-2022-1942
Security fixes for CVE-2022-1851, CVE-2022-1898, CVE-2022-1897, CVE-2022-1927
firefox-101.0-1.fc36
FEDORA-2022-080ea50338
Packages in this update:
firefox-101.0-1.fc36
Update description:
New upstream update (101.0)
Fixed missing popups in some scenarios on Wayland (https://bugzilla.mozilla.org/show_bug.cgi?id=1771104)
webkit2gtk3-2.36.3-1.fc35
FEDORA-2022-c05acca28d
Packages in this update:
webkit2gtk3-2.36.3-1.fc35
Update description:
Update to 2.36.3:
Support capturing already encoded video streams, which takes advantage of encoding done in hardware by devices which support this feature.
Avoid using experimental GStreamer elements for video demuxing.
Avoid using the legacy GStreamer VA-API decoding plug-ins, which often cause rendering issues and are not much maintained. Their usage can be re-enabled setting WEBKIT_GST_ENABLE_LEGACY_VAAPI=1 in the environment.
Fix playback of YouTube streams which use dynamic ad insertion.
Fix display capture with Pipewire.
Fix several crashes and rendering issues.
webkit2gtk3-2.36.3-1.fc36
FEDORA-2022-e883576e1c
Packages in this update:
webkit2gtk3-2.36.3-1.fc36
Update description:
Update to 2.36.3:
Support capturing already encoded video streams, which takes advantage of encoding done in hardware by devices which support this feature.
Avoid using experimental GStreamer elements for video demuxing.
Avoid using the legacy GStreamer VA-API decoding plug-ins, which often cause rendering issues and are not much maintained. Their usage can be re-enabled setting WEBKIT_GST_ENABLE_LEGACY_VAAPI=1 in the environment.
Fix playback of YouTube streams which use dynamic ad insertion.
Fix display capture with Pipewire.
Fix several crashes and rendering issues.
DSA-5157 cifs-utils – security update
Jeffrey Bencteux reported two vulnerabilities in cifs-utils, the Common
Internet File System utilities, which can result in escalation of
privileges (CVE-2022-27239) or an information leak (CVE-2022-29869).
USN-5459-1: cifs-utils vulnerabilities
Aurélien Aptel discovered that cifs-utils invoked a shell when requesting a
password. In certain environments, a local attacker could possibly use this
issue to escalate privileges. This issue only affected Ubuntu 18.04 LTS and
Ubuntu 20.04 LTS. (CVE-2020-14342)
It was discovered that cifs-utils incorrectly used host credentials when
mounting a krb5 CIFS file system from within a container. An attacker
inside a container could possibly use this issue to obtain access to
sensitive information. This issue only affected Ubuntu 18.04 LTS and Ubuntu
20.04 LTS. (CVE-2021-20208)
It was discovered that cifs-utils incorrectly handled certain command-line
arguments. A local attacker could possibly use this issue to obtain root
privileges. (CVE-2022-27239)
It was discovered that cifs-utils incorrectly handled verbose logging. A
local attacker could possibly use this issue to obtain sensitive
information. (CVE-2022-29869)
buildah-1.23.4-1.fc35
FEDORA-2022-396c568c5e
Packages in this update:
buildah-1.23.4-1.fc35
Update description:
bump to v1.23.4, security fix for CVE-2022-21698
Add missing container networking dependencies (#2081834)
CVE-2021-26633
SQL injection and Local File Inclusion (LFI) vulnerabilities in MaxBoard can cause information leakage and privilege escalation. These vulnerabilities can be exploited by manipulating a variable with a desired value and inserting an arbitrary file.
CVE-2021-26634
SQL injection and file upload attacks are possible due to insufficient validation of input values in some parameters and variables of the files comprising MaxBoard, which may lead to arbitrary code execution or privilege escalation. Attackers can use these vulnerabilities to perform attacks such as stealing server management rights using a web shell.