Please see Security Advisories for the week ending March 11, 2021
- FBI Releases Indicators of Compromise for RagnarLocker Ransomware
- Security Advisory on Conti Ransomware
- Palo Alto Networks Security Advisories – March 2022
- CISA Releases Security Advisory on PTC Axeda Agent and Desktop Server
- CISA Adds 11 Known Exploited Vulnerabilities to Catalog
- Mozilla Releases Security Updates for Multiple Products
- Microsoft Releases March 2022 Security Updates
- SAP Releases March 2022 Security Updates
________________________________
FBI Releases Indicators of Compromise for RagnarLocker Ransomware
Situation
The Federal Bureau of Investigation (FBI) has released a Flash report detailing indicators of compromise (IOCs) associated with ransomware attacks by RagnarLocker, a group of ransomware actors targeting critical infrastructure sectors.
Problem
RagnarLocker uses VMProtect, UPX, and custom packing algorithms and deploys within an attacker-controlled custom Windows XP virtual machine on the target's site. It uses the Windows API GetLocaleInfoW to identify the locale of the infected machine; if the machine is in certain locations, the process terminates. RagnarLocker then identifies all attached hard drives using the Windows APIs CreateFileW, DeviceIoControl, GetLogicalDrives, and SetVolumeMountPointA. The malware then attempts to silently delete all Volume Shadow Copies, preventing user recovery of encrypted files. Lastly, RagnarLocker encrypts all available files of interest. Instead of choosing which files to encrypt, RagnarLocker chooses which folders it will not encrypt.
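The Flash report states that RagnarLocker silently deletes all Volume Shadow Copies before encrypting, but it does not say which command it uses. The following detection script is an added example, not part of the FBI report: it scans process-creation log lines for shadow-copy deletion command lines. The log format, the sample events, and the specific command patterns (vssadmin, WMIC and a WMI call from PowerShell, which are commonly observed ways of deleting shadow copies) are my assumptions for this example.

```python
"""
Added example (not from the FBI Flash report): flag process-creation events
whose command line deletes Volume Shadow Copies. The command patterns are an
assumption; the report only says the copies are silently deleted.
"""
import re
from typing import Dict, List

# Constructed sample events: "<timestamp>\t<host>\t<user>\t<image>\t<command line>"
SAMPLE_EVENTS = [
    "2022-03-07T10:01:02Z\tWS01\tjdoe\tC:\\Windows\\System32\\vssadmin.exe\tvssadmin list shadows",
    "2022-03-07T10:05:44Z\tWS01\tjdoe\tC:\\Windows\\System32\\vssadmin.exe\tvssadmin delete shadows /all /quiet",
    "2022-03-07T10:05:45Z\tWS01\tjdoe\tC:\\Windows\\System32\\wbem\\WMIC.exe\twmic shadowcopy delete",
    "2022-03-07T10:05:46Z\tWS01\tjdoe\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\t"
    "powershell -c \"Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }\"",
    "2022-03-07T10:07:00Z\tWS02\tsvc_backup\tC:\\Windows\\System32\\vssadmin.exe\tvssadmin resize shadowstorage /for=C: /on=C: /maxsize=10%",
    "2022-03-07T10:09:00Z\tWS02\tadmin\tC:\\Windows\\System32\\notepad.exe\tnotepad readme.txt",
]

# Assumed shadow-copy deletion patterns (case-insensitive, whitespace-tolerant).
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I),
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one tab-separated event into its fields; the command line may
    itself contain spaces, so split at most four times."""
    ts, host, user, image, cmdline = line.split("\t", 4)
    return {"ts": ts, "host": host, "user": user, "image": image, "cmdline": cmdline}


def is_shadow_copy_deletion(cmdline: str) -> bool:
    """True when the command line matches any deletion pattern."""
    return any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS)


def find_shadow_copy_deletions(lines: List[str]) -> List[Dict[str, str]]:
    """Return the events that should raise an alert, tagged with the rule name.
    Listing or resizing shadow storage is left alone here to avoid false
    positives on routine administration."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_shadow_copy_deletion(event["cmdline"]):
            event["rule"] = "shadow_copy_deletion"
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in find_shadow_copy_deletions(SAMPLE_EVENTS):
        print(f"ALERT {hit['ts']} {hit['host']} {hit['user']}: {hit['cmdline']}")
```

On the constructed sample the script alerts on the three deletion events and ignores the listing, resize and notepad events. In a real deployment the same logic would sit on Sysmon Event ID 1 or Windows Security 4688 command-line auditing, where an alert on shadow-copy deletion is a strong signal that encryption is about to start.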
Implication
Upon successfully deploying its ransomware, RagnarLocker will attempt to delete all Volume Shadow Copies, encrypt all available files of interest, and leave ransom notes demanding payment.
Need
It is recommended to review the FBI's IOC Flash report and apply the recommended mitigations.
FBI IOC Flash report (PDF):
https://www.ic3.gov/Media/News/2022/220307.pdf
________________________________
Security Advisory on Conti Ransomware
Situation
CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the United States Secret Service (USSS) have re-released an advisory on Conti ransomware.
Problem
Conti cyber threat actors remain active!
Conti ransomware attacks against U.S. and international organizations have risen to more than 1,000 cases.
Implication
Businesses compromised with ransomware risk a lapse in business continuity and potentially unrecoverable data loss.
Need
CISA, the FBI, NSA, and the USSS encourage organizations to review AA21-265A: Conti Ransomware, which includes new indicators of compromise.
For more information, see Shields Up and StopRansomware.gov for ways to respond to disruptive cyber activity.
CISA Conti Ransomware Update:
https://content.govdelivery.com/accounts/USDHSCISA/bulletins/30e2188
________________________________
Palo Alto Networks Security Advisories – March 2022
Situation
Palo Alto Networks has published two new security advisories addressing issues found in PAN-OS.
Problem
The more severe of these issues is the use of a weak cryptographic algorithm for stored password hashes in Palo Alto Networks' PAN-OS software (CVE-2022-0022). This leaves both administrator and local user accounts susceptible to password cracking attacks. The second advisory covers the impact of the Samba vulnerability (CVE-2021-44142) on PAN-OS. Palo Alto Networks has concluded that although PAN-OS does contain Samba packages, it does not run a Samba server; therefore PAN-OS is not susceptible to CVE-2021-44142.
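The advisory does not disclose which algorithm PAN-OS used, so the following is an added, generic illustration of the security-relevant point rather than Palo Alto Networks' code: an unsalted, single-round hash stands in for the weak scheme, beside a salted, iterated PBKDF2-HMAC-SHA256 scheme as the hardened form. The storage format, the iteration count and the helper names are my choices for this example.

```python
"""
Added example (not PAN-OS code): weak versus hardened stored-password hashing.
Unsalted fast hashes let an attacker precompute or crack once and reuse the
result across accounts, and each guess costs one cheap hash; a per-record
salt plus a slow KDF removes the reuse and multiplies the cost per guess.
"""
import base64
import hashlib
import hmac
import os
from typing import Callable, Optional

PBKDF2_ITERATIONS = 600_000  # assumption: cost parameter, tune to your CPU budget
SALT_BYTES = 16


def weak_store(password: str) -> str:
    """Weak scheme (for contrast): unsalted, single-round MD5.
    Identical passwords yield identical stored values."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def weak_verify(password: str, stored: str) -> bool:
    return hmac.compare_digest(weak_store(password), stored)


def strong_store(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened scheme: random per-record salt and PBKDF2-HMAC-SHA256 with a
    high iteration count. Stored as 'pbkdf2_sha256$iterations$salt$hash'
    (a format chosen for this example) so the parameters travel with the hash."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def strong_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_b64, hash_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(candidate, expected)


def same_password_same_hash(store_fn: Callable[[str], str], password: str) -> bool:
    """Do two accounts sharing a password get the same stored value?
    True for the unsalted scheme, False for the salted one."""
    return store_fn(password) == store_fn(password)


if __name__ == "__main__":
    print("unsalted MD5 collides across accounts:", same_password_same_hash(weak_store, "hunter2"))
    print("salted PBKDF2 collides across accounts:", same_password_same_hash(strong_store, "hunter2"))
    record = strong_store("hunter2")
    print("verify correct password:", strong_verify("hunter2", record))
    print("verify wrong password:  ", strong_verify("hunter3", record))
```

The contrast is the point of the advisory: with the weak scheme every guess costs one hash and a cracked value is reusable across all accounts with that password, whereas with the hardened scheme each guess costs PBKDF2_ITERATIONS hash computations and must be repeated per account because of the salt.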
Implication
If an attacker were to obtain the account password hashes, they could perform a password cracking attack and gain access to those accounts.
Need
Palo Alto encourages users and administrators to review the advisories and follow the recommended guidelines.
PAN-OS CVE-2022-0022: Weak Cryptographic Algorithm for Stored Password Hashes Advisory:
https://security.paloaltonetworks.com/CVE-2022-0022
Informational: Impact of the Samba Vulnerability CVE-2021-44142 on PAN-OS Advisory:
https://security.paloaltonetworks.com/CVE-2021-44142
________________________________
CISA Releases Security Advisory on PTC Axeda Agent and Desktop Server
Situation
CISA has released an Industrial Control Systems Advisory (ICSA) regarding vulnerabilities found in the PTC Axeda agent and Axeda Desktop Server.
Problem
These vulnerabilities include Use of Hard-coded Credentials, Missing Authentication for Critical Function, Exposure of Sensitive Information to an Unauthorized Actor, Path Traversal, and Improper Check or Handling of Exceptional Conditions.
Implication
Successful exploitation of some of these vulnerabilities could allow remote code execution, reading or changing the configuration, file system read access, log information access, or a denial-of-service condition.
Need
CISA encourages users and administrators to review the Industrial Control Systems Advisory for technical details and mitigations.
Industrial Control Systems Advisory (ICSA):
https://www.cisa.gov/uscert/ics/advisories/icsa-22-067-01
________________________________
CISA Adds 11 Known Exploited Vulnerabilities to Catalog
Situation
CISA has added 11 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, affecting Mozilla Firefox, VMware, Pulse Connect Secure, Atlassian, NETGEAR, and Adobe products.
Problem
CISA has evidence that threat actors are actively exploiting the 11 vulnerabilities listed in the table below.
| CVE ID | Vulnerability Name | Due Date |
| --- | --- | --- |
| CVE-2022-26486 | Mozilla Firefox Use-After-Free Vulnerability | 3/21/2022 |
| CVE-2022-26485 | Mozilla Firefox Use-After-Free Vulnerability | 3/21/2022 |
| CVE-2021-21973 | VMware vCenter Server and Cloud Foundation Server Side Request Forgery (SSRF) Vulnerability | 3/21/2022 |
| CVE-2020-8218 | Pulse Connect Secure Code Injection Vulnerability | 9/7/2022 |
| CVE-2019-11581 | Atlassian Jira Server and Data Center Server-Side Template Injection Vulnerability | 9/7/2022 |
| CVE-2017-6077 | NETGEAR DGN2200 Remote Code Execution Vulnerability | 9/7/2022 |
| CVE-2016-6277 | NETGEAR Multiple Routers Remote Code Execution Vulnerability | 9/7/2022 |
| CVE-2013-0631 | Adobe ColdFusion Information Disclosure Vulnerability | 9/7/2022 |
| CVE-2013-0629 | Adobe ColdFusion Directory Traversal Vulnerability | 9/7/2022 |
| CVE-2013-0625 | Adobe ColdFusion Authentication Bypass Vulnerability | 9/7/2022 |
| CVE-2009-3960 | Adobe BlazeDS Information Disclosure Vulnerability | 9/7/2022 |
Implication
These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.
Need
Reduce your exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of your vulnerability management practice.
Note: CISA will continue to add vulnerabilities to the Catalog that meet the specified criteria.
CISA Bulletin:
https://content.govdelivery.com/accounts/USDHSCISA/bulletins/30dcc35
Known Exploited Vulnerabilities Catalog:
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
________________________________
Mozilla Releases Security Updates for Multiple Products
Situation
Mozilla has released security updates to address security vulnerabilities; the fixed versions are Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, and Focus 97.3.0.
Problem
Mozilla has released fixes for two flaws, one in the removal of XSLT parameters during processing and one in the WebGPU IPC framework, either of which could have led to an exploitable use-after-free.
Implication
There were reports of attacks in the wild abusing the XSLT parameter and WebGPU IPC framework use-after-free vulnerabilities, through which attackers could gain access.
Need
CISA encourages users and administrators to review the Mozilla security advisory MFSA 2022-09 and apply the necessary updates.
For a brief overview: https://www.cisa.gov/uscert/ncas/current-activity/2022/03/07/mozilla-releases-security-updates-multiple-products
For a more technical overview:
https://www.mozilla.org/en-US/security/advisories/mfsa2022-09/
________________________________
Microsoft Releases March 2022 Security Updates
Situation
Microsoft has released updates to address multiple vulnerabilities in Microsoft software including Windows 10, Windows 11, Windows Server 2016, Windows Defender, and more.
Problem
Vulnerabilities include remote code execution (RCE), privilege escalation, heap buffer overflow, and more.
Implication
A remote attacker could exploit some of these vulnerabilities to take control of an affected system.
Need
Apply the necessary updates to Windows products.
For more info: https://msrc.microsoft.com/update-guide/
________________________________
SAP Releases March 2022 Security Updates
Situation
SAP has released security updates to address vulnerabilities affecting multiple products including SAP NetWeaver, SAP Content Server, and SAP Web Dispatcher.
Problem
SAP has patched major vulnerabilities, including RCE associated with Log4j, missing authentication checks, directory traversal, and more.
Implication
An attacker could exploit these to take control of an affected system.
Need
Apply the latest updates for SAP products.
For more info: https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10