Please see Security Advisories for the week ending March 11, 2021
- FBI Releases Indicators of Compromise for RagnarLocker Ransomware
- Security Advisory on Conti Ransomware
- Palo Alto Networks Security Advisories – March 2022
- CISA Releases Security Advisory on PTC Axeda Agent and Desktop Server
- CISA Adds 11 Known Exploited Vulnerabilities to Catalog
- Mozilla Releases Security Updates for Multiple Products
- Microsoft Releases March 2022 Security Updates
- SAP Releases March 2022 Security Updates
FBI Releases Indicators of Compromise for RagnarLocker Ransomware
The Federal Bureau of Investigation (FBI) has released a Flash report detailing indicators of compromise (IOCs) associated with ransomware attacks by RagnarLocker, a group of ransomware actors targeting critical infrastructure sectors.
RagnarLocker uses VMProtect, UPX, and custom packing algorithms and deploys within an attacker's custom Windows XP virtual machine on a target's site. It uses the Windows API GetLocaleInfoW to identify the location of the infected machine; if the machine is in certain locations, the process terminates. RagnarLocker then identifies all attached hard drives using the Windows APIs CreateFileW, DeviceIoControl, GetLogicalDrives, and SetVolumeMountPointA. The malware then attempts to silently delete all Volume Shadow Copies, preventing user recovery of encrypted files. Lastly, RagnarLocker encrypts all available files of interest. Instead of choosing which files to encrypt, RagnarLocker chooses which folders it will not encrypt.
Once the RagnarLocker actors have successfully deployed their ransomware, it attempts to delete all Volume Shadow Copies, encrypts all available files of interest, and leaves ransom notes demanding payment.
It is recommended to review the FBI's IOC Flash report and apply the recommended mitigations.
FBI’s IOCs Flash report (PDF):
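The Volume Shadow Copy deletion step described above is one of the most reliable detection points for this family of ransomware, because it has to happen before encryption and it leaves a process-creation event behind. The following is an added example (not code from the FBI report or from RagnarLocker) that runs simple command-line detection logic over constructed Sysmon-style process-creation events. The command-line patterns are the ones commonly used in public detection content; the FBI report summarised here does not list the exact commands RagnarLocker issues, so treating them as the full set is an assumption. Severity is raised when the parent process lives outside the Windows directory, which is how a dropped payload in a user-writable path typically appears.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws-01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet",
     "parent": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"host": "ws-01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "srv-02", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "srv-02", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }",
     "parent": r"C:\Windows\explorer.exe"},
    {"host": "ws-03", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt",
     "parent": r"C:\Windows\explorer.exe"},
]

# Command-line patterns for Volume Shadow Copy deletion, as commonly used in
# public detection rules. Assumption: the FBI report does not list the exact
# commands RagnarLocker issues, so this set is illustrative, not exhaustive.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.IGNORECASE),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.IGNORECASE),
    re.compile(r"Win32_ShadowCopy.*\.Delete\(\)", re.IGNORECASE),
]

SYSTEM_DIR_PREFIX = "c:\\windows\\"


def is_shadow_copy_deletion(cmdline):
    """True when the command line matches a known shadow-copy deletion pattern."""
    return any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS)


def detect(events):
    """Return one alert per matching event. Severity is 'critical' when the
    parent process is outside the Windows directory (e.g. a user temp path),
    'high' when the parent is a system binary such as cmd.exe or explorer.exe."""
    alerts = []
    for e in events:
        if not is_shadow_copy_deletion(e["cmdline"]):
            continue
        parent_in_system_dir = e["parent"].lower().startswith(SYSTEM_DIR_PREFIX)
        alerts.append({
            "host": e["host"],
            "cmdline": e["cmdline"],
            "parent": e["parent"],
            "severity": "high" if parent_in_system_dir else "critical",
            "technique": "T1490 Inhibit System Recovery",  # MITRE ATT&CK
        })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['host']}: {a['cmdline']} (parent: {a['parent']})")
```

Run against the constructed events, the "list shadows" query on ws-01 is correctly ignored, the deletion launched from the Temp-path executable is flagged critical, and the two server-side deletions are flagged high. In production the same logic would sit in a SIEM rule keyed on process-creation telemetry, with an allow-list for backup agents that legitimately manage shadow copies.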
Security Advisory on Conti Ransomware
CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the United States Secret Service (USSS) have re-released an advisory on Conti ransomware.
Conti cyber threat actors remain active!
Conti ransomware attacks against U.S. and international organizations have risen to more than 1,000 cases.
Businesses compromised with ransomware risk a lapse in business continuity and potentially unrecoverable data loss.
CISA, the FBI, NSA, and the USSS encourage organizations to review AA21-265A: Conti Ransomware, which includes new indicators of compromise.
For more information, see Shields Up and StopRansomware.gov for ways to respond against disruptive cyber activity.
CISA Conti Ransomware Update:
Palo Alto Networks Security Advisories – March 2022
Palo Alto Networks has published two new security advisories addressing issues found in the PAN-OS.
The more severe of the two issues is the use of a weak cryptographic algorithm for stored password hashes in Palo Alto Networks' PAN-OS software (CVE-2022-0022), which leaves both administrator and local user accounts susceptible to password cracking attacks. The second advisory covers the impact of the Samba vulnerability (CVE-2021-44142) on PAN-OS software. Palo Alto Networks has concluded that although PAN-OS does contain Samba packages, it does not run a Samba server; therefore PAN-OS software is not susceptible to CVE-2021-44142.
If an attacker were to obtain the account password hashes, they could perform a password cracking attack and gain access to those accounts.
Palo Alto encourages users and administrators to review the advisories and follow the recommended guidelines.
PAN-OS CVE-2022-0022: Weak Cryptographic Algorithm for Stored Password Hashes Advisory:
Informational: Impact of the Samba Vulnerability CVE-2021-44142 on PAN-OS Advisory:
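The CVE-2022-0022 advisory turns on how stored password hashes are computed: a fast, unsalted digest lets anyone who obtains the hash database attack every account at once, while a salted, iterated scheme forces per-account work. The following is an added, generic illustration (not Palo Alto Networks code, and the advisory does not state which algorithm PAN-OS used, so the unsalted MD5 "weak" scheme is an assumed stand-in) of a weak store beside a hardened one, including the verification and legacy-hash upgrade check a practitioner would want.

```python
import hashlib
import hmac
import os
from typing import Optional

# Generic illustration of weak versus hardened password storage; not PAN-OS code.
# Assumption: a single unsalted MD5 round stands in for "weak algorithm".


def weak_hash(password: str) -> str:
    """Fast, unsalted digest: equal passwords give equal hashes, so precomputed
    tables and GPU brute force apply directly to the whole hash database."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


PBKDF2_ALGO = "pbkdf2_sha256"
PBKDF2_ITERATIONS = 600_000   # current OWASP guidance for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def strong_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256, serialised with its parameters so the
    verifier can re-derive it and the iteration count can be raised later."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ALGO}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Constant-time check of a password against a stored strong_hash() string.
    Malformed or legacy-format strings never verify."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != PBKDF2_ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_upgrade(stored: str) -> bool:
    """Flag legacy (non-PBKDF2) hashes and PBKDF2 hashes below the current
    iteration count, so they can be re-hashed at the user's next successful login."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != PBKDF2_ALGO:
        return True
    return int(parts[1]) < PBKDF2_ITERATIONS


if __name__ == "__main__":
    legacy = weak_hash("correct horse")
    modern = strong_hash("correct horse")
    print("legacy needs upgrade:", needs_upgrade(legacy))
    print("modern verifies:", verify("correct horse", modern))
```

The point of `needs_upgrade` is the migration path: a product that has shipped with a weak scheme cannot recompute hashes it does not have the plaintext for, so the fix is to re-hash each account at its next login and to expire accounts that never log in again.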
CISA Releases Security Advisory on PTC Axeda Agent and Desktop Server
CISA has released an Industrial Control Systems Advisory (ICSA) regarding vulnerabilities found in the PTC Axeda agent and Axeda Desktop Server.
These vulnerabilities include Use of Hard-coded Credentials, Missing Authentication for Critical Function, Exposure of Sensitive Information to an Unauthorized Actor, Path Traversal, and Improper Check or Handling of Exceptional Conditions.
Successful exploitation of some of these vulnerabilities could allow remote code execution, reading or changing the configuration, file system read access, log information access, or a denial-of-service condition.
CISA encourages users and administrators to review the Industrial Control Systems Advisory for technical details and mitigations.
Industrial Control Systems Advisory (ICSA):
CISA Adds 11 Known Exploited Vulnerabilities to Catalog
CISA has added 11 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, affecting products from Mozilla (Firefox), VMware, Pulse Connect Secure, Atlassian, NETGEAR, and Adobe.
CISA has evidence that threat actors are actively exploiting the 11 vulnerabilities listed in the table below.
| CVE ID | Vulnerability Name | Due Date |
|---|---|---|
| CVE-2022-26486 | Mozilla Firefox Use-After-Free Vulnerability | 3/21/2022 |
| CVE-2022-26485 | Mozilla Firefox Use-After-Free Vulnerability | 3/21/2022 |
| CVE-2021-21973 | VMware vCenter Server and Cloud Foundation Server Side Request Forgery (SSRF) Vulnerability | 3/21/2022 |
| CVE-2020-8218 | Pulse Connect Secure Code Injection Vulnerability | 9/7/2022 |
| CVE-2019-11581 | Atlassian Jira Server and Data Center Server-Side Template Injection Vulnerability | 9/7/2022 |
| CVE-2017-6077 | NETGEAR DGN2200 Remote Code Execution Vulnerability | 9/7/2022 |
| CVE-2016-6277 | NETGEAR Multiple Routers Remote Code Execution Vulnerability | 9/7/2022 |
| CVE-2013-0631 | Adobe ColdFusion Information Disclosure Vulnerability | 9/7/2022 |
| CVE-2013-0629 | Adobe ColdFusion Directory Traversal Vulnerability | 9/7/2022 |
| CVE-2013-0625 | Adobe ColdFusion Authentication Bypass Vulnerability | 9/7/2022 |
| CVE-2009-3960 | Adobe BlazeDS Information Disclosure Vulnerability | 9/7/2022 |
These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.
Reduce your exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of your vulnerability management practice.
Note: CISA will continue to add vulnerabilities to the Catalog that meet the specified criteria.
Known Exploited Vulnerabilities Catalog:
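"Prioritizing timely remediation of Catalog vulnerabilities" in practice means joining scanner findings against the catalog and sorting by due date. The following is an added example (not CISA's code or tooling) that does exactly that: it loads a catalog excerpt, matches it against a constructed inventory of open CVEs per host, and classifies each match as overdue, urgent or scheduled relative to a reference date. The catalog excerpt uses the field names of CISA's published KEV JSON feed (`cveID`, `vulnerabilityName`, `dueDate`), which is an assumption about that feed's shape; the values are a subset of the 11 entries listed above, and the inventory entries, the 14-day urgency window and the placeholder CVE ID are all constructed.

```python
import json
from datetime import date

# Constructed catalog excerpt modelled on the field names of CISA's KEV JSON feed
# (assumption: cveID, vulnerabilityName, dueDate as YYYY-MM-DD). Values are a
# subset of the 11 entries in the advisory above.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2022-26486", "vulnerabilityName": "Mozilla Firefox Use-After-Free Vulnerability", "dueDate": "2022-03-21"},
    {"cveID": "CVE-2022-26485", "vulnerabilityName": "Mozilla Firefox Use-After-Free Vulnerability", "dueDate": "2022-03-21"},
    {"cveID": "CVE-2021-21973", "vulnerabilityName": "VMware vCenter Server and Cloud Foundation Server Side Request Forgery (SSRF) Vulnerability", "dueDate": "2022-03-21"},
    {"cveID": "CVE-2020-8218", "vulnerabilityName": "Pulse Connect Secure Code Injection Vulnerability", "dueDate": "2022-09-07"},
    {"cveID": "CVE-2019-11581", "vulnerabilityName": "Atlassian Jira Server and Data Center Server-Side Template Injection Vulnerability", "dueDate": "2022-09-07"},
    {"cveID": "CVE-2013-0631", "vulnerabilityName": "Adobe ColdFusion Information Disclosure Vulnerability", "dueDate": "2022-09-07"},
]})

# Constructed scanner output: open CVEs per host. The last entry uses an obviously
# fake placeholder ID to show how findings outside the catalog are handled.
INVENTORY = [
    {"host": "ws-01", "cve": "CVE-2022-26485"},
    {"host": "vc-01", "cve": "CVE-2021-21973"},
    {"host": "cf-01", "cve": "CVE-2013-0631"},
    {"host": "ws-02", "cve": "CVE-0000-PLACEHOLDER"},
]

URGENT_WINDOW_DAYS = 14   # constructed policy value: due within two weeks is "urgent"
STATUS_ORDER = {"overdue": 0, "urgent": 1, "scheduled": 2}


def load_kev(text):
    """Parse the catalog JSON into {cve_id: {"name": ..., "due": date}}."""
    data = json.loads(text)
    return {v["cveID"]: {"name": v["vulnerabilityName"],
                         "due": date.fromisoformat(v["dueDate"])}
            for v in data["vulnerabilities"]}


def classify(due, today):
    days_left = (due - today).days
    if days_left < 0:
        return "overdue"
    if days_left <= URGENT_WINDOW_DAYS:
        return "urgent"
    return "scheduled"


def prioritize(inventory, kev, today):
    """Join scanner findings with the catalog and sort by status, due date, host.
    Findings not in the catalog are left to normal vulnerability management."""
    findings = []
    for item in inventory:
        entry = kev.get(item["cve"])
        if entry is None:
            continue
        findings.append({
            "host": item["host"], "cve": item["cve"], "name": entry["name"],
            "due": entry["due"], "days_left": (entry["due"] - today).days,
            "status": classify(entry["due"], today),
        })
    findings.sort(key=lambda f: (STATUS_ORDER[f["status"]], f["due"], f["host"]))
    return findings


def triage(today_iso, inventory=INVENTORY, kev_text=KEV_JSON):
    """Convenience entry point: reference date as an ISO string."""
    return prioritize(inventory, load_kev(kev_text), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for f in triage("2022-03-11"):
        print(f"{f['status']:9} {f['host']:6} {f['cve']:15} due {f['due']} ({f['days_left']:+d} days)")
```

With the reference date set to the week of this advisory, the two entries due 3/21/2022 come out as urgent and the ColdFusion entry as scheduled; re-run after the due date and the same two entries become overdue, which is the signal a remediation tracker should escalate on.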
Mozilla Releases Security Updates for Multiple Products
Mozilla has released security updates to address security vulnerabilities in Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, and Focus 97.3.0.
The fixes address two use-after-free flaws that could be exploitable: one triggered by removing XSLT parameters during processing, and one in the WebGPU IPC framework.
Mozilla has reports of attacks in the wild abusing both the XSLT parameter and the WebGPU IPC framework use-after-free flaws.
CISA encourages users and administrators to review the Mozilla security advisory MFSA 2022-09 and apply the necessary updates.
For a brief overview: https://www.cisa.gov/uscert/ncas/current-activity/2022/03/07/mozilla-releases-security-updates-multiple-products
For a more technical overview:
Microsoft Releases March 2022 Security Updates
Microsoft has released updates to address multiple vulnerabilities in Microsoft software including Windows 10, Windows 11, Windows Server 2016, Windows Defender, and more.
Vulnerabilities include RCE, privilege escalation, heap buffer overflow, and more.
A remote attacker could exploit some of these vulnerabilities to take control of an affected system.
Apply the necessary updates to Windows products.
For more info: https://msrc.microsoft.com/update-guide/
SAP Releases March 2022 Security Updates
SAP has released security updates to address vulnerabilities affecting multiple products including SAP NetWeaver, SAP Content Server, and SAP Web Dispatcher.
SAP has patched major vulnerabilities such as RCE associated with Log4j, missing authentication checks, directory traversal, and more.
An attacker could exploit these to take control of an affected system.
Apply the latest updates for SAP products.
For more info: https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10