FortiGuard Labs is aware of a report that a new variant of ArguePatch malware was used in an attack against Ukraine. This ArguePatch variant includes a feature to set up a schedules task in order to perform a specific action at a specified time.Why is this Significant?This is significant because the new variant of ArguePatch malware now has a feature to perform a specific action at a specified time without setting up a scheduled task. This provides more stealthiness to the malware which allows it to stay under the radar until it actually starts to carry out a next stage action.What is ArguePatch?ArguePatch is a loader malware that was previously used in campaigns against Ukraine which involve CaddyWiper and Industroyer2. The malware is a patched version of a legitimate component of Hex-Rays IDA Pro software.FortiGuard Labs previously released Threat Signals on CaddyWiper and Industroyer2. See the Appendix for links to “Additional Wiper Malware Deployed in Ukraine #CaddyWiper” and “Industroyer2 Discovered Attacking Critical Ukrainian Verticals”.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against known variants of ArguePatch:W32/Agent.AECG!trW32/PossibleThreat

Read More

Kyle Zeng discovered that the Network Queuing and Scheduling subsystem of
the Linux kernel did not properly perform reference counting in some
situations, leading to a use-after-free vulnerability. A local attacker
could use this to cause a denial of service (system crash) or execute
arbitrary code.

Read More

FortiGuard Labs is aware that the Cybersecurity and Infrastructure Security Agency (CISA) CISA released an advisory on recently patched VMware vulnerabilities (CVE-2022-22954 and CVE-2022-22960) being exploited separately and in combination, allowing threat actors to gain full control of the compromised system. Both vulnerabilities affect VMware Workspace ONE Access, Identity Manager, and vRealize Automation and were patched on April 6th, 2022. The advisory also states that CISA expects threat actors to develop exploits for newly patched VMware vulnerabilities (CVE-2022-22972 and CVE-2022-22973) quickly.Why is this Significant?This is significant because the advisory that CISA released on CVE-2022-22954 and CVE-2022-22960 was prompted by an actual incident which one large organization was compromised by an unidentified threat actor on or around April 12, 2022. According to the advisory, the threat actor “leveraged CVE-2022-22954 to execute an arbitrary shell command as a VMware user. The actor then exploited CVE-2022-22960 to escalate the user’s privileges to root. With root access, the actor could wipe logs, escalate permissions, and move laterally to other systems”. The advisory also warns that exploits for another VMware vulnerabilities (CVE-2022-22972 and CVE-2022-22973) will be developed soon. As such, the patches for the four vulnerabilities or workarounds should be applied as soon as possible.What is CVE-2022-22954, CVE-2022-22960, CVE-2022-22972 and CVE-2022-22973?CVE-2022-22954 is a vulnerability in VMware Workspace ONE Access, Identity Manager, and vRealize Automation, which an attacker with network access can trigger a server-side template injection that may result in remote code execution. The vulnerability has the CVSSv3 base score of 9.8 and is rated critical.FortiGuard Labs previously released Threat Signal on CVE-2022-22954. See Appendix for a link to “Newly Patched VMware Vulnerability (CVE-2022-22954) Being Exploited in the Wild”.CVE-2022-22960 is a Local Privilege Escalation (LPE) vulnerability in VMware Workspace ONE Access, Identity Manager, and vRealize Automation. As LPE, attacker is required to have local access can escalate privileges to ‘root’. The vulnerability has the CVSSv3 base score of 7.8 and is rated important.CVE-2022-22972 is an authentication bypass vulnerability that affects VMware Workspace ONE Access, Identity Manager and vRealize Automation. As LPE, exploitation happens locally as such an attacker is required to have access to the victim’s machine to elevate privileges. The vulnerability has the CVSSv3 base score of 9.8 and is rated critical.CVE-2022-22973 is a Local Privilege Escalation (LPE) vulnerability that affects VMware Workspace ONE Access, Identity Manager and vRealize Automation. As LPE, attacker is required to have local access can escalate privileges to ‘root’. The vulnerability has the CVSSv3 base score of 7.8 and is rated important.Has the Vendor Released Advisories?Yes, VMware released advisories for all four vulnerabilities. See the Appendix for links to “VMSA-2022-0011.1” and “VMSA-2022-0014”.Has the Vendor Released Patches for the Vulnerabilities?VMware released patches for CVE-2022-22954 and CVE-2022-22960 on April 6th, 2022. Patches for CVE-2022-22972 and CVE-2022-22973 were released on May 18th, 2022. What is the Status of Coverage?FortiGuard Labs has released the following IPS signature for CVE-2022-22954:VMware.Workspace.ONE.Access.Catalog.Remote.Code.ExecutionA network IOC for CVE-2022-22954 called out in the CISA advisory is blocked by the WebFiltering client.CVE-2022-22960, CVE-2022-22972, CVE-2022-22973 were privately disclosed as such there currently is no available Proof-of-Concept code. FortiGuard Labs is monitoring the situation closely and will update this Threat Signal when protection becomes available.Any Suggested Mitigation?VMware has provided mitigations for CVE-2022-22954, CVE-2022-22960, CVE-2022-22972. See the Appendix for links to “KB88098” for CVE-2022-22954 and CVE-2022-22960, and “KB88433” for CVE-2022-22972.

Read More

FortiGuard Labs is aware of a relatively new ransomware family “BlackByte” is in the wild, infecting organizations around the globe. BlackByte was first observed as early as July 2021. In February 2022, the Federal Bureau of Investigation (FBI) and the U.S. Secret Service (USSS) issued a joint advisory that “multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors (government facilities, financial, and food & agriculture) were targeted by BlackByte ransomware affiliates. In common with other ransomware, BlackByte encrypts and steals files on the compromised machines, and demands ransom from the victim to recover the files and not to leak the stolen information to the public.Why is this Significant?This is significant as the BlackByte ransomware family reportedly compromised organizations around the globe including multiple US and foreign businesses and US critical infrastructure sectors. Also, ProxyShell, an exploit attack chain involving three vulnerabilities in Microsoft Exchange Server, widely used in enterprise email application, were reported to have been used as an infection vector. Microsoft issued patches for ProxyShell in May and July 2021. BlackByte ransomware infection may indicate that some organizations have not yet applied those fixes or workaround.FortiGuard Labs previously published multiple Threat Signals on ProxyShell. See the Appendix section for links to New Threat Actor Leverages ProxyShell Exploit to Serve RansomwareVulnerable Microsoft Exchange Servers Actively Scanned for ProxyShellBrand New LockFile Ransomware Distributed Through ProxyShell and PetitPotamWhat is BlackByte?BlackByte is a ransomware-as-a-service (RaaS), which runs a business of leasing necessary ransomware services to its affiliates. Such ransomware services including developing ransomware, creating and maintaining necessary infrastructures (i.e., ransom payment portal), ransom negotiation with victims as well as provides support service to the affiliates. Attacks are typically carried out by BlackByte affiliates, who rent and use those services. Once a victim is compromised and ransom is paid, BlackByte developers take a portion of the ransom as a service fee.How does the Attack Work?Typically attacks that deliver ransomware arrive in emails, however the join advisory reported that BlackByte threat actors, in some case, exploited known Microsoft Exchange Server vulnerabilities including ProxyShell to gain access to the victim’s network. Once the attacker gains a foothold in the victim’s network, the attacker deploys tools such as oft-abused Cobalt Strike to move laterally across the network and escalate privileges before exfiltrating and encrypting files. Some BlackByte ransomware variants may have worm functionality, which allows itself to self-propagate through the victim’s network.Files that are encrypted by BlackByte ransomware typically have a “.blackbyte” file extension.BlackByte ransomware reportedly avoids encrypting files if the ransomware detects compromised systems that use Russian and ex-USSR languages.What is ProxyShell?ProxyShell is a name for a Microsoft Exchange Server exploit chain (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) that allows an attacker to bypass ACL controls, elevate privileges and execute remote code on the compromised system.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against currently available Indicator-of-Compromises (IOCs) associated with BlackByte ransomware:RTF/BlackByte.DC56!tr.ransomW64/BlackByte.DC56!tr.ransomW32/Agent.CH!trW32/CobaltStrike.NV!trJS/Agent.49CC!trW32/PossibleThreatFortiGuard Labs provides the following IPS coverage against three vulnerabilities that are leveraged in ProxyShell:MS.Exchange.Server.CVE-2021-34473.Remote.Code.Execution (CVE-2021-34473)MS.Exchange.Server.Common.Access.Token.Privilege.Elevation (CVE-2021-34523)MS.Exchange.MailboxExportRequest.Arbitrary.File.Write (CVE-2021-31207)FortiEDR detects and blocks ProxyShell attacks out of the box without any prior knowledge or special configuration beforehand.Any Other Suggested Mitigation?Due to the ease of disruption and potential for damage to daily operations, reputation, and unwanted release of personally identifiable information (PII), etc., it is important to keep all AV and IPS signatures up to date. It is also important to ensure that all known vendor vulnerabilities within an organization are addressed and updated to protect against attackers establishing a foothold within a network.Also – organizations are encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spearphishing attacks. They also need to encourage employees to never open attachments from someone they don’t know, and to always treat emails from unrecognized/untrusted senders with caution. Since it has been reported that various phishing and spearphishing attacks have been delivered via social engineering distribution mechanisms, it is crucial that end users within an organization be made aware of the various types of attacks being delivered. This can be accomplished through regular training sessions and impromptu tests using predetermined templates by an organizations’ internal security department. Simple user awareness training on how to spot emails with malicious attachments or links could also help prevent initial access into the network.Disconnect vulnerable Exchange servers from the internet until a patch can be applied.

Read More

FortiGuard Labs is aware that a new Remote Access Trojan (RAT) called Nerbian RAT was delivered to the targets via COVID-19 and World Health Organization (WHO) themed emails. Nerbian RAT is written in the Go programming language and performs keylogging and screen capture on the compromised machine.Why is this Significant?This is significant because Nerbrian RAT was delivered through emails that leverages COVID-19 and World Health Organization (WHO) themed lures that are still effective today to COVID themed to compel unsuspecting victims to open malicious attachments. The RAT is also capable of stealing sensitive information from the compromised machine through keylogging and screen capture.What is Nerbian RAT?Nerbian RAT is a Remote Access Trojan and is written in the Go programming language. The malware was delivered to the target through COVID-19 and WHO themed emails such as the following:The attached document file contains malicious macros, which downloads a dropper file after macros are enabled. The dropper performs anti-reversing and anti-VM checks before launching Nerbian RAT. The malware has an encrypted configuration file containing information such which Command and Control (C2) servers to connect to and connection intervals, how many times the RAT tries to transfer files and C2 backup domains.The malware performs typical RAT activities such as keylogging and screen capture.How Widespread is the Malware?The malware was reportedly to have been observed in Italy, Spain, and the United Kingdom. What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against known samples of Nerbian RAT and associated files:VBA/Agent.XSQ!tr.dldrBAT/NerbianRAT.D!trMalicious_Behavior.SBRiskware/ApplicationW32/PossibleThreatPossibleThreat.PALLAS.HAll network IOC’s are blocked by the WebFiltering client.

Read More

Kyle Zeng discovered that the Network Queuing and Scheduling subsystem of
the Linux kernel did not properly perform reference counting in some
situations, leading to a use-after-free vulnerability. A local attacker
could use this to cause a denial of service (system crash) or execute
arbitrary code. (CVE-2022-29581)

Bing-Jhong Billy Jheng discovered that the io_uring subsystem in the Linux
kernel contained in integer overflow. A local attacker could use this to
cause a denial of service (system crash) or execute arbitrary code.
(CVE-2022-1116)

Jann Horn discovered that the Linux kernel did not properly enforce seccomp
restrictions in some situations. A local attacker could use this to bypass
intended seccomp sandbox restrictions. (CVE-2022-30594)

Read More

Kyle Zeng discovered that the Network Queuing and Scheduling subsystem of
the Linux kernel did not properly perform reference counting in some
situations, leading to a use-after-free vulnerability. A local attacker
could use this to cause a denial of service (system crash) or execute
arbitrary code. (CVE-2022-29581)

Jann Horn discovered that the Linux kernel did not properly enforce seccomp
restrictions in some situations. A local attacker could use this to bypass
intended seccomp sandbox restrictions. (CVE-2022-30594)

Read More

The AGG Software Web Server version 4.0.40.1014 and prior is vulnerable to cross-site scripting, which may allow an attacker to remotely execute arbitrary code.

Read More