FortiGuard Outbreak Alert: Mallox Ransomware
| Field | Details |
|---|---|
| Description | FortiGuard Labs has observed the following CVEs being exploited to deploy Mallox Ransomware. CVE-2019-1068 is a remote code execution vulnerability in Microsoft SQL Server: an authenticated attacker submits a specially crafted query to a vulnerable Microsoft SQL Server to achieve RCE. CVE-2020-0618 is a remote code execution vulnerability in Microsoft SQL Server Reporting Services: an authenticated attacker submits a specially crafted page request to a vulnerable Microsoft SQL Server Reporting Services instance to achieve RCE. |
| CVE ID | CVE-2019-1068 (https://nvd.nist.gov/vuln/detail/CVE-2019-1068), CVE-2020-0618 (https://nvd.nist.gov/vuln/detail/CVE-2020-0618) |
| NDR Cloud Detection Rule | FortiNDR Cloud v2024.10+ |
| Playbook | N/A |
| Threat Hunting | FortiNDR Cloud users can use the following IOCs from Fortinet to hunt for “Mallox Ransomware” related activities. All IOCs listed above have been added to Threat Intelligence Intel. |
| Suricata Coverage | Customers can create custom investigations/detections using the Suricata signature below: 2029476 -> ET EXPLOIT Possible Microsoft SQL RCE Attempt (CVE-2020-0618) |
| Other Fortinet Product | For more details regarding mitigating the vulnerability by utilizing Fortinet products, please refer to |