Category Archives: Advisories

Industroyer2 Discovered Attacking Critical Ukrainian Verticals

Read Time:1 Minute, 59 Second

FortiGuard Labs is aware of new reports of Industroyer2, the successor to the Industroyer malware. First discovered in 2016, Industroyer was attributed to energy grid attacks in Kiev, Ukraine. The attack resulted in a loss of electricity for over an hour and was attributed to the Russian government (Sandworm). The latest discovery of Industroyer2 was discovered by researchers at ESET (who also discovered Industroyer in 2015).Industroyer is an Industrial Control System (ICS) specific malware that is modular and was discovered to have capabilities to control electrical substations and circuit breakers. It uses industrial communication protocols and techniques to conduct its operations via a global industry standard used by many critical infrastructure verticals.This latest variant of Industroyer2 was seen targeting ICS devices within electrical substations and then trying to erase any evidence of its attack by running CaddyWiper malware along with other Linux and Solaris (UNIX) wipers. It is currently unknown at this time how the threat actors were able to compromise and obtain initial access before entering into the ICS network. For further details on CaddyWiper, please see our Threat Signal here. This is a current news event, further details will be published when available.What are the Technical Details of this Attack?Industroyer2 is a Windows executable file and was executed via a scheduled task on April 8th. According to the analysis, it was compiled on March 23rd which suggests that the threat actors (Sandworm) behind this attack had planned it for over two weeks. Industroyer2 communicates over the IEC 60870-5-104 protocol, which is used by ICS/SCADA devices to communicate. This variant is different from the original Industroyer, which supported multiple ICS protocols.Caddywiper was deployed via a group policy object (GPO) to likely thwart any forensic recovery and analysis. It was found on machines that contained Industroyer2 installations. Other malware (ORCSHRED, SOLOSHRED, AWFULSHRED) found in these campaigns were destructive Linux and Solaris (UNIX) versions that acted as a worm and wiper and were deployed via shell scripts.What Operating Systems are Affected?Windows, Linux and Solaris systems are affected.What is the Severity of this Attack?Medium. This is limited specifically to targeted attacks.What is the Status of Coverage?FortiGuard Labs has the following (AV) signatures in place for publicly available samples as:W32/Agent.AECG!trData/KillDisk.NDA!trAll network IOC’s are blocked by the WebFiltering client.

Read More

CVE-2019-6834

Read Time:17 Second

A CWE-502: Deserialization of Untrusted Data vulnerability exists which could allow an attacker to execute arbitrary code on the targeted system with SYSTEM privileges when placing a malicious user to be authenticated for this vulnerability to be successfully exploited. Affected Product: Schneider Electric Software Update (SESU) SUT Service component (V2.1.1 to V2.3.0)

Read More

CVE-2021-22794

Read Time:10 Second

A CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability exists that could cause remote code execution. Affected Product: StruxureWare Data Center Expert (V7.8.1 and prior)

Read More

CVE-2021-22795

Read Time:12 Second

A CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) vulnerability exists that could cause remote code execution when performed over the network. Affected Product: StruxureWare Data Center Expert (V7.8.1 and prior)

Read More

CVE-2021-22797

Read Time:24 Second

A CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal) vulnerability exists that could cause malicious script to be deployed in an unauthorized location and may result in code execution on the engineering workstation when a malicious project file is loaded in the engineering software. Affected Product: EcoStruxure Control Expert (V15.0 SP1 and prior, including former Unity Pro), EcoStruxure Process Expert (2020 and prior, including former HDCS), SCADAPack RemoteConnect for x70 (All versions)

Read More

CVE-2015-20107

Read Time:15 Second

In Python (aka CPython) through 3.10.4, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments).

Read More

USN-5378-4: Gzip vulnerability

Read Time:18 Second

USN-5378-1 fixed a vulnerability in Gzip. This update provides
the corresponding update for Ubuntu 14.04 ESM and 16.04 ESM.

Original advisory details:

Cleemy Desu Wayo discovered that Gzip incorrectly handled certain
filenames. If a user or automated system were tricked into performing zgrep
operations with specially crafted filenames, a remote attacker could
overwrite arbitrary files.

Read More

USN-5378-3: XZ Utils vulnerability

Read Time:18 Second

USN-5378-2 fixed a vulnerability in XZ Utils. This update provides
the corresponding update for Ubuntu 14.04 ESM and 16.04 ESM.

Original advisory details:

Cleemy Desu Wayo discovered that Gzip incorrectly handled certain
filenames. If a user or automated system were tricked into performing zgrep
operations with specially crafted filenames, a remote attacker could
overwrite arbitrary files.

Read More