FortiGuard Labs is aware of reports that several organizations worldwide downloaded and installed trojanized versions of X_Trader software, which is believed to be the infection vector of the 3CX breach. Some of the reported victims are in critical infrastructure sectors in the United States and Europe. The malicious installers deployed the Veiledsignal backdoor to targeted machines.

Why is this Significant?

This is significant because several unnamed organizations worldwide, including some in critical infrastructure sectors, downloaded and installed malicious versions of the X_Trader software, which is believed to be the attack vector used in the recent 3CX incident. The infection allowed the alleged attacker, Lazarus, the infamous North Korean threat actor, to gain backdoor access to affected organizations through the deployed Veiledsignal malware.

X_Trader software is a trading platform developed by Trading Technologies.

How did the Attack Occur?

Reports indicate that the trojanized X_Trader installers were hosted on the official Trading Technologies Web site, which appears to have been compromised in early 2022. CVE-2022-0609 (Use After Free Vulnerability in Google Chrome) was reportedly leveraged in the compromise. The malicious installers are digitally signed with a Trading Technologies signing certificate, so a valid signature alone does not distinguish them from legitimate installers. There is no indication that the installers were actively distributed; rather, they had to be manually downloaded and installed.

Once an installer is executed, it copies the legitimate X_Trader executable and drops two malicious DLLs that are then sideloaded by that executable. One DLL acts as a loader for the other, which contains the Veiledsignal backdoor payload. The Veiledsignal backdoor injects a module into the Chrome, Firefox, or Edge web browser, which connects to the attacker's C2 (Command-and-Control) server for commands.

What is the Status of Protection?

FortiGuard Labs has the following AV signatures in place for the known available trojanized X_Trader installers:

Riskware/NukeSped
W32/Sphone_XC3.Q!tr

FortiGuard Labs has the following AV signatures in place for other known available files used in the attack:

W64/NukeSped.PB!tr
Riskware/NukeSped
W64/BURNTCIGAR.84DB!tr
W64/ShellcodeRunner.KZ!tr
W32/Kryptik.F5ED!tr
W32/Shellcode.RDI!tr
W64/Agent.203F!tr
W32/PossibleThreat

The C2 of the Veiledsignal backdoor is blocked by Webfiltering.

FortiGuard Labs has the following IPS signature in place for CVE-2022-0609:

Google.Chrome.UpdateAnimationTiming.Use.After.Free
Category Archives: Advisories
USN-6052-1: Linux kernel vulnerability
It was discovered that the Traffic-Control Index (TCINDEX) implementation
in the Linux kernel did not properly perform filter deactivation in some
situations. A local attacker could possibly use this to gain elevated
privileges. Please note that with the fix for this CVE, kernel support for
the TCINDEX classifier has been removed.
USN-6051-1: Linux kernel vulnerabilities
It was discovered that the Traffic-Control Index (TCINDEX) implementation
in the Linux kernel did not properly perform filter deactivation in some
situations. A local attacker could possibly use this to gain elevated
privileges. Please note that with the fix for this CVE, kernel support for
the TCINDEX classifier has been removed. (CVE-2023-1829)
It was discovered that a race condition existed in the io_uring subsystem
in the Linux kernel, leading to a use-after-free vulnerability. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2023-1872)
USN-6050-1: Git vulnerabilities
It was discovered that Git incorrectly handled certain commands.
An attacker could possibly use this issue to overwrite some paths.
(CVE-2023-25652)
Maxime Escourbiac and Yassine BENGANA discovered that Git incorrectly
handled some gettext machinery. An attacker could possibly use this issue
to allow the malicious placement of crafted messages. (CVE-2023-25815)
André Baptista and Vítor Pinho discovered that Git incorrectly handled
certain configurations. An attacker could possibly use this issue
to perform arbitrary configuration injection. (CVE-2023-29007)
CVE-2018-25085
A vulnerability classified as problematic was found in Responsive Menus 7.x-1.x-dev on Drupal. Affected by this vulnerability is the function responsive_menus_admin_form_submit of the file responsive_menus.module of the component Configuration Setting Handler. The manipulation leads to cross-site scripting. The attack can be launched remotely. Upgrading to version 7.x-1.7 addresses this issue. The name of the patch is 3c554b31d32a367188f44d44857b061eac949fb8. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-227755.
ZDI-23-499: (Pwn2Own) NETGEAR RAX30 soap_serverd Stack-based Buffer Overflow Authentication Bypass Vulnerability
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR RAX30 routers. Authentication is not required to exploit this vulnerability.
ZDI-23-498: (Pwn2Own) NETGEAR RAX30 libcms_cli Command Injection Remote Code Execution Vulnerability
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR RAX30 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.
ZDI-23-497: (Pwn2Own) NETGEAR RAX30 GetInfo Missing Authentication Information Disclosure Vulnerability
This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of NETGEAR RAX30 routers. Authentication is not required to exploit this vulnerability.
ZDI-23-496: NETGEAR RAX30 lighttpd Misconfiguration Remote Code Execution Vulnerability
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR RAX30 routers. Authentication is not required to exploit this vulnerability.
ZDI-23-495: NETGEAR RAX30 rex_cgi JSON Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR RAX30 routers. Authentication is required to exploit this vulnerability.