Threat: Backdoor.Win32.NetSpy.10
Vulnerability: Unauthenticated Remote Command Execution
Description: The malware listens on TCP port 7306. Attackers who can reach
infected hosts can run commands made available by the backdoor. Sending
commands using Ncat…
Threat: Backdoor.Win32.NetCat32.10
Vulnerability: Unauthenticated Remote Command Execution
Description: The malware listens on TCP port 6666. Attackers who can reach
infected systems can run commands made available by the backdoor using
TELNET.
Family:…
Threat: HackTool.Win32.IpcScan.c
Vulnerability: Local Stack Buffer Overflow
Description: Loading a specially crafted PE file will cause a stack buffer
overflow overwriting the ECX and EIP registers.
Family: IpcScan
Type: PE32
MD5:…
Threat: Backdoor.Win32.Psychward.03.a
Vulnerability: Weak Hardcoded Password
Description: The malware listens on TCP port 69. The password “tyme” is
weak and stored in plaintext within the executable.
Family: Psychward
Type: PE32
MD5:…
Threat: Backdoor.Win32.Prorat.cwx
Vulnerability: Insecure Permissions
Description: The malware writes a “.EXE” file with insecure permissions to
the C: drive, granting change (C) permissions to the Authenticated Users group.
Standard users can rename…
Threat: Backdoor.Win32.MotivFTP.12
Vulnerability: Authentication Bypass
Description: The malware listens on TCP port 21. Third-party attackers who
can reach infected systems can log on using any username/password
combination. Intruders may then upload…
FortiGuard Labs is aware that the Apache Software Foundation disclosed and released a fix for a potential remote code execution vulnerability (CVE-2021-31805, an OGNL injection vulnerability) that affects Apache Struts 2 on April 12th, 2022. Apache has acknowledged in an advisory that the fix was issued because the first patch released in 2020 did not fully remediate the issue. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also released an advisory on April 12th, 2022, warning users and administrators to review the security advisory “S2-062” issued by Apache and upgrade to the latest released version as soon as possible.

Why is this Significant?
This is significant because Apache Struts is widely used and successfully exploiting CVE-2021-31805 could result in an attacker gaining control of a vulnerable system. Because of the potential impact, CISA released an advisory urging users and administrators to review the security advisory “S2-062” issued by Apache and upgrade to the latest released version as soon as possible.
On a side note, an older Struts 2 OGNL injection vulnerability (CVE-2017-5638) was exploited in the wild and resulted in the massive data breach of credit reporting agency Equifax in 2017.

What is Apache Struts 2?
Apache Struts 2 is an open-source web application framework for developing Java web applications. It extends the Java Servlet API to assist, encourage, and promote developers to adopt a model-view-controller (MVC) architecture.

What is CVE-2021-31805?
CVE-2021-31805 is an OGNL injection vulnerability in Struts 2 that enables an attacker to perform remote code execution on a vulnerable system.
The vulnerability was originally assigned CVE-2020-17530; however, CVE-2021-31805 was newly assigned to the vulnerability after security researchers found a workaround for the original patch released in 2020.
The vulnerability is described as follows: “some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{…} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.”

What Versions of Apache Struts are Vulnerable to CVE-2021-31805?
Struts 2.0.0 – Struts 2.5.29 are vulnerable. Struts 2.0.0 and 2.5.29 were released in 2006 and 2022 respectively.

Has the Vendor Released a Patch for CVE-2021-31805?
Yes, Apache released a fixed version (2.5.30) of Apache Struts 2 on April 12th, 2022. Users and administrators are advised to upgrade to Struts 2.5.30 or greater as soon as possible.

Has the Vendor Released an Advisory?
Yes, Apache released an advisory on April 12th, 2022. See the Appendix for a link to “Security Bulletin: S2-062”.

What is the Status of Coverage?
FortiGuard Labs provides the following IPS coverage for CVE-2020-17530, which also applies to CVE-2021-31805:
Apache.Struts.OGNL.BeanMap.Remote.Code.Execution
A vulnerability has been discovered in Apache Struts which could allow for remote code execution. Apache Struts is an open source framework used for building Java web applications. Successful exploitation of this vulnerability could allow for remote code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
A vulnerability has been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Google Chrome is a web browser used to access the Internet. Successful exploitation of the most severe of these could allow an attacker to execute arbitrary code in the context of the browser. Depending on the privileges associated with the application, an attacker could view, change, or delete data. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it were configured with administrative rights.
FortiGuard Labs is aware that VMware has confirmed that a recently patched critical vulnerability in VMware Workspace ONE Access and Identity Manager (CVE-2022-22954) has been exploited in the wild. Proof-of-Concept (PoC) code has also already been made available to the public. An attacker with network access can trigger a server-side template injection that may result in remote code execution.

Why is this Significant?
This is significant because it is a critical remote code execution vulnerability affecting Workspace ONE Access and VMware Identity Manager (vIDM), which are widely used. Since VMware has acknowledged in-the-wild exploitation of CVE-2022-22954 and a PoC is available to the public, attacks that leverage the vulnerability will likely increase.

What is CVE-2022-22954?
CVE-2022-22954 is a vulnerability in Workspace ONE Access and VMware Identity Manager (vIDM) in which an attacker with network access can trigger a server-side template injection that may result in remote code execution. The vulnerability has a CVSSv3 base score of 9.8 and is rated critical.

Is the Vulnerability Exploited in the Wild?
VMware has confirmed that exploitation of CVE-2022-22954 has occurred in the wild.

Has the Vendor Released Security Advisories for CVE-2022-22954?
Yes, VMware released a security advisory for the vulnerability on April 6th, 2022. See the Appendix for a link to “VMSA-2022-0011”. The advisory was further updated on April 13th, 2022 to confirm the in-the-wild exploitation.

Has the Vendor Released a Patch for CVE-2022-22954?
Yes, VMware released a patch on April 6th, 2022 as part of its security advisory. See the Appendix for a link to “VMSA-2022-0011”.

What is the Status of Coverage?
FortiGuard Labs has released the following IPS signature for CVE-2022-22954 in version 20.297:
VMware.Workspace.ONE.Access.Catalog.Remote.Code.Execution (default action is set to pass)

What Mitigation Steps are Available?
VMware has released a KB article that includes the workaround.
See the Appendix for a link to “HW-154129 – Workaround instructions to address CVE-2022-22954, CVE-2022-22955, CVE-2022-22956, CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960 in Workspace ONE Access Appliance (VMware Identity Manager) (88098)”.