Category Archives: Advisories

USN-5335-1: ImageMagick vulnerabilities

Read Time:1 Minute, 11 Second

It was discovered that ImageMagick incorrectly handled certain values
when processing XPM image data or large images. If a user or automated
system using ImageMagick were tricked into opening a specially crafted
image, an attacker could exploit this to cause a denial of service or
possibly execute code with the privileges of the user invoking the program.
(CVE-2020-19667, CVE-2017-13144)

Suhwan Song discovered that ImageMagick incorrectly handled memory
when processing PNG,PALM,MIFF image data. If a user or automated system
using ImageMagick were tricked into opening a specially crafted image,
an attacker could exploit this to cause a denial of service or possibly
execute code with the privileges of the user invoking the program.
(CVE-2020-25664, CVE-2020-25665, CVE-2020-25674, CVE-2020-27753)

Suhwan Song discovered that ImageMagick incorrectly handled certain values
when processing image data. If a user or automated system using
ImageMagick were tricked into opening a specially crafted image, an
attacker could exploit this to cause a denial of service.
(CVE-2020-25676, CVE-2020-27750, CVE-2020-27760, CVE-2020-27762,
CVE-2020-27766, CVE-2020-27770)

Zhang Xiaohui discovered that ImageMagick incorrectly handled certain values
when processing image data. If a user or automated system using
ImageMagick were tricked into opening a specially crafted image, an
attacker could exploit this to cause a denial of service.
(CVE-2021-20176, CVE-2021-20241, CVE-2021-20243)

Read More

CVE-2021-22571

Read Time:11 Second

A local attacker could read files from some other users’ SA360 reports stored in the /tmp folder during staging process before the files are loaded in BigQuery. We recommend upgrading to version 1.0.3 or above.

Read More

LokiLocker Ransomware with Built-in Wiper Functionality

Read Time:2 Minute, 17 Second

FortiGuard Labs is aware of a report that LokiLocker ransomware is equipped with built-in wiper functionality. The ransomware targets the Windows OS and is capable of erasing all non-system files and overwriting the Master Boot Record (MBR) if the victim opts not to pay the ransom, leaving the compromised machine unusable. According to the report, most victims of LokiLocker ransomware are in Eastern Europe and Asia.Why is this Significant?This is significant because LokiLocker ransomware has built-in wiper functionality which can overwrite the MBR and delete all non-system files on the compromised machine if the victim does not pay ransom in a set time frame. Successfully overwriting the MBR will leave the machine unusable.What is LokiLocker Ransomware?LokiLocker is a .NET ransomware that has been active since as early as August 2021. The ransomware encrypts files on the compromised machines and demands ransom from the victim to recover the encrypted files. The ransomware adds a “.Loki” file extension to the files it encrypted. It also leaves a ransom note in a Restore-My-Files.txt file. The malware is protected with NETGuard, an open-source tool for protecting .NET applications, as well as KoiVM, a virtualizing protector for .NET applications.LokiLocker has a built-in configuration file, which contains information such as the attacker’s email address, campaign or affiliate name, Command-and-Control (C2) server address and wiper timeout. Wiper timeout is set to 30 days by default. The value tells the ransomware to wait 30 days before deleting non-system files and overwriting the Master Boot Record (MBR) of the compromised machine. The configuration also has execution options which controls what actions the ransomware should or should not carry out on the compromised machine. The execution options include not wiping the system and the MBR, not encrypting the C Drive and not scanning for and encrypting network shares. The wiping option is set to false by default, however the option can be modified by the attacker.How is LokiLocker Ransomware Distributed?While the current infection vector is unknown, early LokiLocker variants were distributed through Trojanized brute-checker hacking tools. According to the public report, most victims of LokiLocker ransomware are in Eastern Europe and Asia. Fortinet’s telemetry indicates the C2 domain was accessed the most from India, followed by Canada, Chile and Turkey.What is the Status of Coverage?FortiGuard Labs provide the following AV coverage:W32/DelShad.GRG!tr.ransomW32/DelShad.GSE!tr.ransomW32/DelShad.GUJ!tr.ransomW32/Filecoder.AKJ!trW32/Generic.AC.171!trW32/PossibleThreatW32/Ramnit.AMSIL/Filecoder.AKJ!trMSIL/Filecoder.AKJ!tr.ransomMSIL/Filecoder_LokiLocker.D!trMSIL/Filecoder.4AF0!tr.ransomMSIL/Filecoder.64CF!tr.ransomPossibleThreatAll known network IOC’s are blocked by the FortiGuard WebFiltering client.

Read More