FortiGuard Labs is aware of a new ransomware variant called “Black Basta” discovered in the wild. The ransomware employs a double-extortion tactic in which it encrypts files and exfiltrates confidential information from the victim, then demands a ransom for decrypting the affected files and threatens to publicize the exfiltrated data if a ransom is not paid.Black Basta ransomware is reported to have victimized several organizations in multiple countries.Why is this Significant?This is significant because Black Basta is a new ransomware that is reported to have victimized several organizations in multiple countries.What is Black Basta ransomware?Black Basta is a new ransomware that demands ransom from the victim for decrypting victim’s files it encrypted and not to release the stolen data to the public.Black Basta ransomware deletes shadow copies from the compromised machine, which prevents the victim from being able to recover any files that have been encrypted. The ransomware also replaces the desktop wallpaper with an image with a black background that has the following ransom message:Your network is encrypted by the Black Basta group.Instructions in the filereadme.txt.The ransomware then will then restart the compromised machine in safe mode with the Windows Fax service running. After the reboot, the service launches the ransomware in order to start encrypting files. Files that are encrypted by Black Basta ransomware have “.basta” file extension and also have the ransomware’s own file icon. Readme.txt, also dropped by the ransomware, contains a ransom note to instruct the victim to use a specific TOR address to contact the attacker.What does the Windows Fax service have to do with this? Is it Vulnerable?The Windows Fax Service is not vulnerable. The Windows Fax service is attacked to maintain persistence and in this variant of Black Basta, it is hijacking an existing service name (in this case Windows Fax), deleting it, and spawning a new service with the same name.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against known samples of Black Basta ransomware: W32/Filecoder.OKW!tr W32/Kryptik.HPHI!trW32/Filecoder.OKT!trW32/Filecoder.OKW!tr.ransomW32/Filecoder.OKT!tr.ransomW32/Malicious_Behavior.VEX
For compatibility with modern sites the default version of Firefox for the User-Agent string has now been set to 78.0 . The value can be changed in Preferences–>Advanced–>HTTP Networking .
Note that besides the ordinary builds for the current Fedora and EPEL branches, there is an additional distro-independed build available at https://buc.fedorapeople.org/seamonkey . So if you have friends who use other Linux distro, but that distro does not provide SeaMonkey yet, you can recommend it for them.
For compatibility with modern sites the default version of Firefox for the User-Agent string has now been set to 78.0 . The value can be changed in Preferences–>Advanced–>HTTP Networking .
Note that besides the ordinary builds for the current Fedora and EPEL branches, there is an additional distro-independed build available at https://buc.fedorapeople.org/seamonkey . So if you have friends who use other Linux distro, but that distro does not provide SeaMonkey yet, you can recommend it for them.
For compatibility with modern sites the default version of Firefox for the User-Agent string has now been set to 78.0 . The value can be changed in Preferences–>Advanced–>HTTP Networking .
Note that besides the ordinary builds for the current Fedora and EPEL branches, there is an additional distro-independed build available at https://buc.fedorapeople.org/seamonkey . So if you have friends who use other Linux distro, but that distro does not provide SeaMonkey yet, you can recommend it for them.
For compatibility with modern sites the default version of Firefox for the User-Agent string has now been set to 78.0 . The value can be changed in Preferences–>Advanced–>HTTP Networking .
Note that besides the ordinary builds for the current Fedora and EPEL branches, there is an additional distro-independed build available at https://buc.fedorapeople.org/seamonkey . So if you have friends who use other Linux distro, but that distro does not provide SeaMonkey yet, you can recommend it for them.
For compatibility with modern sites the default version of Firefox for the User-Agent string has now been set to 78.0 . The value can be changed in Preferences–>Advanced–>HTTP Networking .
Note that besides the ordinary builds for the current Fedora and EPEL branches, there is an additional distro-independed build available at https://buc.fedorapeople.org/seamonkey . So if you have friends who use other Linux distro, but that distro does not provide SeaMonkey yet, you can recommend it for them.
Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code, information disclosure or spoofing.
NXP MQX Versions 5.1 and prior are vulnerable to integer overflow in mem_alloc, _lwmem_alloc and _partition functions. This unverified memory assignment can lead to arbitrary memory allocation, resulting in unexpected behavior such as a crash or a remote code injection/execution.
David Bouman discovered that the netfilter subsystem in the Linux kernel
did not properly validate passed user register indices. A local attacker
could use this to cause a denial of service or possibly execute arbitrary
code. (CVE-2022-1015)
David Bouman discovered that the netfilter subsystem in the Linux kernel
did not initialize memory in some situations. A local attacker could use
this to expose sensitive information (kernel memory). (CVE-2022-1016)
It was discovered that the ST21NFCA NFC driver in the Linux kernel did not
properly validate the size of certain data in EVT_TRANSACTION events. A
physically proximate attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2022-26490)
IBM Maximo Asset Management 7.6.1.1 and 7.6.1.2 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. By sending a specially crafted HTTP request, a remote attacker could exploit this vulnerability to inject HTTP HOST header, which will allow the attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 205680.
