FortiGuard Labs is aware that a new ransomware called “Sugar” is in the wild. Reportedly, Sugar ransomware targets consumers rather than enterprises. The first sample of Sugar ransomware appears to have been discovered in the wild in early November. Sugar ransomware encrypts files on the compromised machine and appends “.emcoded01” file extension to them. Victims are asked to pay ransom to recover the encrypted files.What is Sugar Ransomware?Sugar is a ransomware that is written in Delphi and appeared in the wild in November 2021 at the latest. Once run, Sugar ransomware encrypts files on the compromised machine and appends “.encoded01” file extension to them. The malware then displays a ransom note that asks the victim to visit the attacker’s TOR page to pay the ransom in order to recover the encrypted files. The attacker offers to decrypt up to five files to prove that the encrypted files can be recovered upon ransom is paid.The ransom note displayed by Sugar ransomware looks similar to that of REvil ransomware. Also, the TOR site used by Sugar ransomware has close resemblance with that of Cl0p ransomware. However, there is no evidence to suggest that the Sugar ransomware group is associated with REvil and Cl0p threat actors.How Widespread is Sugar Ransomware?Based on the telemetry data collected by FortiGuard Labs, Sugar ransomware infections likely occurred in Canada, Thailand, the United States, Israel and Lithuania.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against Sugar ransomware:W32/Filecoder.OJD!tr.ransomW32/PossibleThreat
FortiGuard Labs is aware that a Proof-of-Concept (POC) code for a newly patched Windows vulnerability (CVE-2022-21882) that is reported to have been exploited in the wild was released to a publicly available online repository. CVE-2022-21882 is a local privilege (LPE) escalation vulnerability which allows a local, authenticated attacker to gain elevated local system or administrator privileges through a vulnerability in the Win32k.sys driver. The vulnerability is rated as Important by Microsoft and has CVSS score of 7.0.Why is this Significant?This is significant because now that the POC for CVE-2022-21882 has become available to the public attacks leveraging the vulnerability will likely increase. Because CVE-2022-21882 is a local privilege escalation the vulnerability will be used by an attacker that already has access to the network or will be chained with other vulnerabilities.What is CVE-2022-21882?CVE-2022-21882 is a local privilege (LPE) escalation vulnerability which allows a local, authenticated attacker to gain elevated local system or administrator privileges through a vulnerability in the Win32k.sys driver.Is the Vulnerability Exploited in the Wild?According to the Microsoft advisory, the vulnerability is being exploited in the wild.Has Microsoft Released an Advisory for CVE-2022-21882?Yes. See the Appendix for a link to the advisory.Has Microsoft Released a fix for CVE-2022-21882?Yes. Microsoft has released a patch as part of regular MS Tuesday on January 11th, 2022.What is the Status of Coverage?FortiGuard Labs provide the following IPS coverage for CVE-2022-21882:MS.Windows.Win32k.CVE-2022-21882.Privilege.ElevationFortiGuard Labs has released the following AV coverage based on the available POC:W64/Agent.A93E!exploit.CVE202221882
FortiGuard Labs is aware of a report that source code of BotenaGo malware was recently made available on GitHub. BotenaGo is a malware written in Golang and is reportedly capable of exploiting more than 30 vulnerabilities in various IoT devices such as routers, modems, and NAS devices, and varies the delivered payload depending on the device it successfully exploited.Why is this Significant?This is significant because the source code of BotenaGo malware is available on a publicly available repository and with the report that BotenaGo is capable of exploiting more than 30 vulnerabilities, an uptick of its activities is expected.What is BotenaGo Malware?BotenaGo is an IoT (Internet fo Things) malware written in Golang and may become a new arsenal used by Mirai attackers.The malware is reportedly capable of exploiting more than 30 vulnerabilities in various IoT devices (a list of those vulnerabilities is contained in the Alien Labs blog linked in the Appendix). After the targeted device is successfully exploited, the malware executes remote shell commands that download a payload that varies depending on the device it successfully compromised. BotenaGo also sets up a backdoor on the compromised machine and awaits remote commands from the attacker on ports 19412 and 31412. It can also set a listener to system IO (terminal) user input and get remote commands through it.What Vulnerabilities are Exploited by BotenaGo?Some of the known vulnerabilities exploited by BotenaGo are below:CVE-2013-3307: Linksys X3000 1.0.03 build 001CVE-2013-5223: D-Link DSL-2760U Gateway (Rev. E1)CVE-2014-2321: ZTE modemsCVE-2015-2051: D-Link routersCVE-2016-11021: D-Link routersCVE-2016-1555: Netgear devicesCVE-2016-6277: Netgear devicesCVE-2017-18362: ConnectWise pluginCVE-2017-18368: Zyxel routers and NAS devicesCVE-2017-6077: Netgear devicesCVE-2017-6334: Netgear devicesCVE-2018-10088: XiongMai uc-httpd 1.0.0CVE-2018-10561: Dasan GPON home routersCVE-2018-10562: Dasan GPON home routersCVE-2019-19824: Realtek SDK based routersCVE-2020-10173: VR-3033 routerCVE-2020-10987: Tenda productsCVE-2020-8515: Vigor routersCVE-2020-8958: Guangzhou 1 GE ONUCVE-2020-9054: Zyxel routers and NAS devicesCVE-2020-9377: D-Link routers What is the Status of Coverage?FortiGuard Labs provide the following AV coverage against available BotenaGo malware samples:Linux/Botenago.A!trPossibleThreatFortiGuard Labs provides the following IPS coverage against exploit attempts made by BotenaGo:ZTE.Router.Web_shell_cmd.Remote.Command.Execution (CVE-2014-2321)D-Link.Devices.HNAP.SOAPAction-Header.Command.Execution (CVE-2015-2051)Netgear.macAddress.Remote.Command.Execution (CVE-2016-1555)NETGEAR.WebServer.Module.Command.Injection (CVE-2016-6277)TrueOnline.ZyXEL.P660HN.V1.Unauthenticated.Command.Injection (CVE-2017-18368)NETGEAR.ping_IPAddr.HTTP.Post.Command.Injection (CVE-2017-6077)NETGEAR.DGN.DnsLookUp.Remote.Command.Injection (CVE-2017-6334)XiongMai.uc-httpd.Buffer.Overflow (CVE-2018-10088)Dasan.GPON.Remote.Code.Execution (CVE-2018-10561, Dasan.GPON.Remote.Code.Execution)Comtrend.VR-3033.Remote.Command.Injection (CVE-2020-10173)Tenda.AC15.AC1900.Authenticated.Remote.Command.Injection (CVE-2020-10987)DrayTek.Vigor.Router.Web.Management.Page.Command.Injection (CVE-2020-8515)ZyXEL.NAS.Pre-authentication.OS.Command.Injection (CVE-2020-9054)All network IOCs are blocked by the WebFiltering client.FortiGuard Labs is currently investigating for additional coverage. This Threat Signal will be updated when new protection becomes available.
Update 1/11 – “What is the Status of Coverage” section updatedFortiGuard Labs is aware of newly discovered vulnerability in H2 Database software. The vulnerability is an unauthenticated remote code execution in the H2 database console and similar to Log4j, it is JNDI-based and has an exploit vector similar to it. This vulnerability has been assigned CVE-2021-42392 and was found by security researchers at JFrog. What is H2 Database?H2 is a relational database management system written in Java and is open source. It can be embedded in Java applications or run in client-server mode and data does not need to be stored on disk. What are the Technical Details?In a nutshell, the vector is similar to Log4Shell, where several code paths in the H2 database framework pass unfiltered attacker controlled URLs to the javax.naming.Context.lookup function, which allows for remote codebase loading (remote code execution). The H2 database contains a web based console which listens for connections at http://localhost:8082. The console will contain parameters that are passed by JdbcUtils.getConnection and a malicious URL controlled by the attacker.This vulnerability affects systems with H2 console installed. The vulnerability does not affect machines with H2 database installed in standalone mode. The vulnerability (by default) looks for connections from localhost, or a non remote connection. However, this vulnerability can be modified to listen for remote connections, therefore allowing susceptibility to remote code execution attacks. How Severe is This? Is it Similar to Log4j?According to the report, this is not believed to be as severe as Log4j, because of several factors. The first factor requires H2 console to be present on the system as both the console and database are able to operate independently of each other. Second, the default configuration of accepting connections from localhost must be edited to listen for external connections, which means that default installations are safe to begin with. What is the CVSS score?At this time, details are not available. What Mitigation Steps are Available?FortiGuard Labs recommends that users of H2 database software upgrade to version 2.0.206 immediately. If this is not possible, placing a vulnerable instance behind a firewall or removing access from the public facing internet is suggested. For further details on mitigation, please refer to the JFrog blog “The JNDI Strikes Back – Unauthenticated RCE in H2 Database Console” located in the APPENDIX. What is the Status of Coverage?Customers running the latest IPS definitions (19.237) are protected against exploitation of CVE-2021-42392 with the following signature:H2.Database.Console.JNDI.Remote.Code.Execution
UPDATE January 13 2022: Protection section has been updated with a IPS signature information.FortiGuard Labs is aware that a total of 96 vulnerabilities were patched by Microsoft on January 11th, 2022 as part of regular MS Patch Tuesday. In those vulnerabilities, CVE-2022-21907 (HTTP Protocol Stack Remote Code Execution Vulnerability) is one of the nine vulnerabilities that are rated critical. In the advisory, Microsoft warned that CVE-2022-21907 is wormable and “recommends prioritizing the patching of affected servers”.Why is this Significant?This is significant because CVE-2022-21907 is considered wormable as such malware can exploit the vulnerability to self-propagate without any user interaction nor elevated privilege. CVE-2022-21907 targets the HTTP trailer support feature that is enabled by default in various Windows 10 and 11 versions, as well as Windows Server 2022. The vulnerability also has a CVSS score of 9.8 (max score 10).What is CVE-2022-21907?CVE-2022-21907 is a remote code execution vulnerability in HTTP protocol stack (http.sys). HTTP.sys is a legitimate Windows component that is responsible for parsing HTTP requests. An unauthenticated attacker could craft and send a malicous packet to an affected server utilizing the HTTP Protocol Stack (http.sys) to process packets, which leads to remote code execution.Which Versions of Windows are Vulnerable?Per the Microsoft advisory, the following Windows versions are vulnerable:Windows Server 2019Windows Server 2022Windows 10Windows 11Note that the HTTP trailer support feature is inactive by default in Windows Server 2019 and Windows 10 version 1809. As such, they are not vulnerable unless the feature is enabled.Is the Vulnerability Exploited in the Wild?FortiGuard Labs is not aware of CVE-2022-21907 being exploited in the wild at the time of this writing.Has the Vendor Released a Fix?Yes. Microsoft released a fix for CVE-2022-21907 on January 11th, 2022 as part of regular Patch Tuesday.What is the Status of Coverage? (Updated January 13 2022)FortiGuard Labs has released the following IPS signature in version 19.241:MS.Windows.HTTP.Protocol.Stack.CVE-2022-21907.Code.Execution (default action is set to pass)Any Mitigation?Microsoft provided the following mitigation in the advisory:In Windows Server 2019 and Windows 10 version 1809, the the HTTP Trailer Support feature that contains the vulnerability is not active by default. The following registry key must be configured to introduce the vulnerable condition:HKEY_LOCAL_MACHINESystemCurrentControlSetServicesHTTPParameters”EnableTrailerSupport”=dword:00000001This mitigation does not apply to the other affected versions.
Multiple security issues were discovered in Chromium, which could result
in the execution of arbitrary code, denial of service or information
disclosure.
Multiple vulnerabilities have been discovered in Cisco Products, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow an unauthenticated, remote attacker to execute code on the affected systems. Depending on the privileges associated with the targeted user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users configured to have fewer privileges on the system could be less impacted than those who operate with elevated privileges.
Several vulnerabilities have been discovered in the interpreter for
the Ruby language and the Rubygems included, which may result
in information disclosure or denial of service.
Several vulnerabilities have been discovered in the interpreter for the
Ruby language and the Rubygems included, which may result in
XML roundtrip attacks, the execution of arbitrary code, information
disclosure, StartTLS stripping in IMAP or denial of service.
Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Google Chrome is a web browser used to access the Internet. Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser. Depending on the privileges associated with the application, an attacker could view, change, or delete data. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.