Q3 Cyber Threat Report: The Ransomware Ecosystem is Increasingly Distributed
Ransomware attacks remained high in Q3 2024 thanks to the RansomHub, PLAY, and LockBit 3.0 ransomware gangs. Check out the full cyber report for more info.
Fortinet released an advisory detailing a critical security flaw (CVE-2023-25610) in their FortiOS and FortiProxy administrative interface. The vulnerability allows for an unauthenticated attacker to execute arbitrary code or commands. Corvus has observed similar vulnerabilities lead to ransomware incidents. Security patches have been released and should be applied as soon as possible.
Attackers can execute arbitrary code or commands against unpatched devices, gaining a foothold into the network. From there the attacker would be able to conduct further exploitation and potentially move around the network. Impacted organizations should apply a security patch immediately.
FortiOS version 7.4.0 or above
FortiOS version 7.2.4 or above
FortiOS version 7.0.10 or above
FortiOS version 6.4.12 or above
FortiOS version 6.2.13 or above
FortiProxy version 7.2.3 or above
FortiProxy version 7.0.9 or above
FortiProxy version 2.0.12 or above
FortiOS-6K7K version 7.0.10 or above
FortiOS-6K7K version 6.4.12 or above
FortiOS-6K7K version 6.2.13 or above
a. Disable HTTP/HTTPS administrative interface
OR
Limit IP addresses that can reach the administrative interface:
config firewall address
edit "my_allowed_addresses"
set subnet <MY IP> <MY SUBNET>
end
b. Then create an Address Group:
config firewall addrgrp
edit "MGMT_IPs"
set member "my_allowed_addresses"
end
c. Create the Local in Policy to restrict access only to the predefined group on management interface (here: port1):
config firewall local-in-policy
edit 1
set intf port1
set srcaddr "MGMT_IPs"
set dstaddr "all"
set action accept
set service HTTPS HTTP
set schedule "always"
set status enable
next
edit 2
set intf "any"
set srcaddr "all"
set dstaddr "all"
set action deny
set service HTTPS HTTP
set schedule "always"
set status enable
end
d. If using non default ports, create appropriate service object for GUI administrative access:
config firewall service custom
edit GUI_HTTPS
set tcp-portrange <admin-sport>
next
edit GUI_HTTP
set tcp-portrange <admin-port>
end
Use these objects instead of "HTTPS HTTP "in the local-in policy 1 and 2 below.
When using an HA reserved management interface, the local in policy needs to be configured slightly differently - please see: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-a-local-in-policy-on-a-HA/ta-p/222005
Please contact Fortinet customer support for assistance.
_________________________________
Adobe released an advisory detailing critical security flaws (CVE-2023-26359 & CVE-2023-26360) in their ColdFusion product, often used for web application development and delivery. The vulnerabilities allow for an unauthenticated attacker to execute arbitrary code or commands. Adobe reports at least one of the flaws is being actively exploited. Security patches have been released and should be applied as soon as possible.
Update Number: Update 15 and earlier versions
Platform: All
Update Number: Update 5 and earlier versions
Platform: All
Attackers can execute arbitrary code or commands against unpatched devices, gaining a foothold into the network. From there the attacker would be able to conduct further exploitation and potentially move around the network.
_________________________________
A threat actor compromised the 3CX VoIP DesktopApp resulting in malicious code being installed in the legitimate software. The app is now being used in supply chain attacks. Cyber security firms have attributed the attacks to state-sponsored threat actors, noting that the malicious activity affects both Windows and Mac environments.
We encourage your organization to take the following steps to mitigate against potential attack:
We always recommend advanced EDR solutions enriched by active threat intelligence and proactive monitoring to stay on top of advanced threats like supply chain attacks.
We recommend blocking the following domains used by the backdoor:
akamaicontainer[.]com
akamaitechcloudservices[.]com
azuredeploystore[.]com
azureonlinecloud[.]com
azureonlinestorage[.]com
convieneonline[.]com
dunamistrd[.]com
glcloudservice.[.]
journalide[.]org
msedgepackageinfo[.]com
msstorageazure[.]com
msstorageboxes[.]com
officeaddons[.]com
officestoragebox[.]com
pbxcloudeservices[.]com
pbxphonenetwork[.]com
pbxsources[.]com
qwepoi123098[.]com
sbmsa[.]wiki
sourceslabs[.]com
Soyoungjun[.]com
visualstudiofactory[.]com
zacharryblogs[.]com
Compromised MSI: aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868
ffmpeg.dll: 7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896
d3dcompiler_47.dll: 11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03
_________________________________
The apparent financial instability of several banking institutions, most prominently Silicon Valley Bank, has led many organizations to change their banking relationships. This means in the coming days there will be an unusually large volume of communication about banking information between organizations and their customers, vendors and partners.
Any communication about sending or receiving payments carries risk: claims for fraudulent funds transfers (FFTs) are already the most frequent type experienced by Corvus customers. Since threat actors know that many organizations will be sending and receiving requests to change payment instructions, they will be poised to take advantage. In fact, Corvus has observed a large number of new website domain registrations with names that mimic bank login pages for use in phishing campaigns.
We encourage your organization to take the following steps to mitigate against potential attacks:
If there is no policy, or one is lacking detail, review this Corvus article for more information: Securing Funds Transfers (Out-of-Band Authentication and Other Considerations). The following practices are recommended to be included in your process:
_________________________________
On February 3rd, 2023, reports emerged showing an extensive ransomware campaign targeting publicly exposed VMware ESXi servers. Researchers believe that the threat actors responsible are exploiting a two-year-old vulnerability, CVE-2021-21974. However, the specific vulnerability is not yet confirmed. VMware has publicly stated there is no evidence of a Zero-Day vulnerability, believing the flaw to be an old one for which some organizations remain unpatched. At the latest reporting, approximately 3,800 servers have been ransomed, roughly 300 of which are in the United States.
Early samples of the campaign, ESXiArgs, were only encrypting configuration files and leaving data relatively intact. This made recovery possible without paying the ransom for a decryptor. Later samples of the ransomware have evolved, making recovery more difficult. The impact and possibility of recovery will need to be evaluated.
Based on Corvus Threat Intel data, nearly one-quarter of ransomware groups have leveraged ESXi servers as part of their attacks. This campaign is unique because threat actors are using ESXi servers as the point of entry into the network and systematically searching for publicly exposed vulnerable targets from the outset.
If you’ve ever heard of a “Virtual Machine” or “VM” this is essentially a computer within a computer. You can run a Windows operating system and have a separate VM running Linux. In order to function, this mini-computer needs to share resources with the primary operating system or other VMs. Each VM needs to have RAM, CPU, and storage resources to function but needs a way to know how to share these.
To properly manage the VM and share resources, there is something called a hypervisor to distribute these. ESXi is a hypervisor. It is essentially software that sits on a physical server and manages the resources to ensure the VMs under its jurisdiction can function properly.
Since hypervisors manage numerous VMs, they are an attractive target for ransomware actors. Attacking a single ESXi can disable all of the virtual machines underneath. Those virtual resources may have contained valuable data or housed applications or other infrastructure rendered unusable until recovery. This makes life for a threat actor much easier since they don’t have to discover and attack each virtual resource individually, instead one target can multiply their efforts.
In terms of market share for virtualization, the numbers may differ slightly depending on the firm doing the analysis. However, VMware is one of the top providers with ESXi specifically making up around 6%. It’s unclear whether these analyses rely on externally visible products or whether the methodology includes a way to track the internal assets of companies.
If you use ESXi at your organization, make sure it’s configured not to be publicly accessible from the internet. Threat actors continually scan for targets as part of this campaign, so don’t be one of them. Also, ensure your ESXi, vCenter, and other virtualization components are patched and up-to-date.
Resources
ESXiArgs Ransomware Virtual Machine Recovery Guidance (CISA)
Exploit Vector Analysis of Emerging ‘ESXiArgs’ Ransomware (GreyNoise)
ESXiArgs Ransomware Hits Over 3,800 Servers as Hackers Continue Improving Malware (SecurityWeek)
How to secure your VMware ESXi hosts against ransomware (Truesec)
_________________________________
On February 1, 2023, Atlassian issued a security advisory for a critical vulnerability. The flaw, CVE-2023-22501, affects Jira Service Management Server and Data Center commonly used for collaboration and development. The vulnerability allows an attacker to impersonate another user and gain access to a Jira Service Management instance. Atlassian has released a security update and this should be installed as soon as possible.
An attacker could gain access to signup tokens sent to users with accounts that have never been logged into. This is possible in certain configurations when write access to a User Directory and outgoing email are enabled on a Jira Service Management instance.
Bot accounts are particularly susceptible to this vulnerability and could be targeted since their behavior often meets the criteria an attacker would need to acquire signup tokens. Corvus has observed similar vulnerabilities lead to data theft and extortion as well as ransomware attacks.
Note: Atlassian Cloud sites are not affected. If your Jira site is accessed via an atlassian.net domain, it is hosted by Atlassian and you are not affected by the vulnerability.
For Server: <Jira_Home>/plugins/installed-plugins
For Data Center: <Jira_Shared>/plugins/installed-plugins
Resources
_________________________________
Fortinet released an advisory detailing a critical security flaw (CVE-2021-42756) in their web application firewall (WAF), FortiWeb products. The vulnerability allows for an unauthenticated attacker to execute arbitrary code or commands. Corvus has observed similar vulnerabilities lead to ransomware incidents. Security patches have been released and should be applied as soon as possible.
Attackers can execute arbitrary code or commands against unpatched devices, gaining a foothold into the network. From there the attacker would be able to conduct further exploitation and potentially move around the network. Impacted organizations should apply a security patch immediately.
Resources
_________________________________
A critical security flaw has been discovered in CentOS Control Web Panel 7 (CWP), a common interface for web hosting. The security flaw (CVE-2022-44877) allows a remote, unauthenticated attacker to perform arbitrary code execution. Attackers are actively exploiting this vulnerability. A security patch has been released and should be applied as soon as possible.
Attackers can exploit this vulnerability to gain full control over unpatched systems. Corvus has observed similar vulnerabilities lead to ransomware events.
Resources
_________________________________
A critical security flaw has been discovered in numerous Zoho ManageEngine products, often used in IT management and IT security. The flaw (CVE-2022-47966) allows a remote, unauthenticated attacker to perform arbitrary code execution on systems running the vulnerable software. Zoho reports that for exploitation to be successful, SAML SSO must currently be enabled in the ManageEngine setup or have been enabled in the past.
Threat actors are actively exploiting this vulnerability. Zoho has released security patches and these should be applied immediately. Regardless of SAML configuration, applying security patches is recommended.
Attackers can exploit this vulnerability to gain full control over unpatched systems. Corvus has observed similar vulnerabilities lead to ransomware events.
The following table includes the impacted products and versions as well as the corresponding security patch.
Product Name |
Impacted Version(s) |
Fixed Version(s) |
Applicable if SAML Currently Active |
Applicable if SAML Active in the Past |
Access Manager Plus* |
4307 and below |
X |
||
Active Directory 360** |
4309 and below |
X |
||
ADAudit Plus** |
7080 and below |
X |
||
ADManager Plus** |
7161 and below |
X |
||
ADSelfService Plus** |
6210 and below |
X |
||
Analytics Plus* |
5140 and below |
X |
||
Application Control Plus* |
10.1.2220.17 and below |
X |
||
Asset Explorer** |
6982 and below |
X |
||
Browser Security Plus* |
11.1.2238.5 and below |
X |
||
Device Control Plus* |
10.1.2220.17 and below |
X |
||
Endpoint Central* |
10.1.2228.10 and below |
X |
||
Endpoint Central MSP* |
10.1.2228.10 and below |
X |
||
Endpoint DLP* |
10.1.2137.5 and below |
X |
||
Key Manager Plus* |
6400 and below |
X |
||
OS Deployer* |
1.1.2243.0 and below |
X |
||
PAM 360* |
5712 and below |
X |
||
Password Manager Pro* |
12123 and below |
X |
||
Patch Manager Plus* |
10.1.2220.17 and below |
X |
||
Remote Access Plus* |
10.1.2228.10 and below |
X |
||
Remote Monitoring and Management (RMM)* |
10.1.40 and below |
X |
||
ServiceDesk Plus** |
14003 and below |
X |
||
ServiceDesk Plus MSP** |
13000 and below |
X |
||
SupportCenter Plus** |
11017 to 11025 |
X |
||
Vulnerability Manager Plus* |
10.1.2220.17 and below |
X |
Resources
https://www.manageengine.com/security/advisory/CVE/cve-2022-47966.html
https://thehackernews.com/2023/02/experts-sound-alarm-over-growing.html
_________________________________
On January 17, 2023, security researchers in collaboration with GitLab announced the discovery of critical security flaws. Git is an open-source tool often used by software developers and engineers for version control as they collaborate on code changes. The flaws (CVE-2022-23521 & CVE-2022-41903) may allow a remote, unauthenticated attacker to perform arbitrary code execution on systems running vulnerable versions of Git.
Attackers may be able to exploit these vulnerabilities to gain full control over unpatched systems. Corvus has observed similar vulnerabilities lead to ransomware events.
Impacted Version(s): <=2.39.0(2)
Fixed Version(s): >=2.39.1
Impacted Version(s): <= v2.30.6, v2.31.5, v2.32.4, v2.33.5, v2.34.5, v2.35.5, v2.36.3, v2.37.4, v2.38.2, v2.39.0
Fixed Version(s): >= v2.30.7, v2.31.6, v2.32.5, v2.33.6, v2.34.6, v2.35.6, v2.36.4, v2.37.5, v2.38.3, v2.39.1
The method to do this will vary depending on your operating system and package manager. See here for a general guide.
One commonly used product is GitLab, which already released patches for both the GitLab Community and GitLab Enterprise editions.
Resources