FortiNDRCloud
SaaS-based NDR solution providing 365 days of data retention, along with a Technical Success Manager
kcheung
Staff
Article Id 357853
Description

FortiGuard Labs have observed the following CVEs being exploited to deploy Mallox Ransomware:

CVE-2019-1068 is a remote code execution vulnerability in Microsoft SQL Server: an authenticated attacker submits a specially crafted query to a vulnerable Microsoft SQL Server instance to achieve RCE.

CVE-2020-0618 is a remote code execution vulnerability in Microsoft SQL Server Reporting Services: an authenticated attacker submits a specially crafted page request to a vulnerable Microsoft SQL Server Reporting Services instance to achieve RCE.
CVE ID

CVE-2019-1068 (https://nvd.nist.gov/vuln/detail/CVE-2019-1068)

CVE-2020-0618 (https://nvd.nist.gov/vuln/detail/CVE-2020-0618)

NDR Cloud Detection Rule

FortiNDR Cloud v2024.10+

Detection Rule Name | Category | Primary MITRE ID
FortiGuard Outbreak Alert: Microsoft SQL Server Remote Code Execution Attempt - CVE-2019-1068 | Attack:Exploitation | T1190 - Exploit Public-Facing Application
FortiGuard Outbreak Alert: Microsoft SQL Server Reporting Services RCE Attempt - CVE-2020-0618 | Attack:Exploitation | T1190 - Exploit Public-Facing Application

Playbook

N/A
Threat Hunting

FortiNDR Cloud users can use the IOCs published by Fortinet at the source below to hunt for Mallox Ransomware related activity.
IOC source: https://www.fortiguard.com/outbreak-ioc?tag=mallox%20ransomware

All IOCs from this source have been added to Threat Intelligence.

Suricata Coverage

Customers can create custom investigations and detections using the Suricata signature below:

2029476 -> ET EXPLOIT Possible Microsoft SQL RCE Attempt (CVE-2020-0618)
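As an added example (not part of the article and not a FortiNDR Cloud export format), the following Python triages Suricata eve.json alert lines for SID 2029476, drops non-alert and malformed records, and tags each hit with the detection rule name and primary MITRE ID from the table above; the eve.json lines and the SID-to-rule mapping are constructed assumptions for this example.

```python
import json
from collections import Counter

# SID 2029476 from the Suricata Coverage section, mapped to the article's
# detection-rule name and primary MITRE ID (the mapping is this example's
# assumption, not a FortiNDR Cloud export format).
WATCHED_SIDS = {
    2029476: {
        "cve": "CVE-2020-0618",
        "rule": "FortiGuard Outbreak Alert: Microsoft SQL Server Reporting Services RCE Attempt - CVE-2020-0618",
        "mitre": "T1190 - Exploit Public-Facing Application",
    },
}

# Constructed sample eve.json lines (documentation address ranges only).
SAMPLE_EVE = """\
{"timestamp":"2024-11-01T10:00:00.000000+0000","event_type":"alert","src_ip":"203.0.113.10","src_port":51234,"dest_ip":"192.0.2.25","dest_port":80,"proto":"TCP","alert":{"signature_id":2029476,"rev":2,"signature":"ET EXPLOIT Possible Microsoft SQL RCE Attempt (CVE-2020-0618)","severity":1}}
{"timestamp":"2024-11-01T10:00:01.000000+0000","event_type":"flow","src_ip":"198.51.100.7","dest_ip":"192.0.2.25","proto":"TCP"}
{"timestamp":"2024-11-01T10:00:02.000000+0000","event_type":"alert","src_ip":"203.0.113.10","src_port":51240,"dest_ip":"192.0.2.25","dest_port":80,"proto":"TCP","alert":{"signature_id":2029476,"rev":2,"signature":"ET EXPLOIT Possible Microsoft SQL RCE Attempt (CVE-2020-0618)","severity":1}}
{"timestamp":"2024-11-01T10:00:03.000000+0000","event_type":"alert","src_ip":"198.51.100.7","src_port":40000,"dest_ip":"192.0.2.25","dest_port":443,"proto":"TCP","alert":{"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","severity":1}}
{this line is deliberately malformed to exercise the error path
"""

def triage(eve_text):
    """Return (hits, per_source): hits are alert records enriched with the
    article's rule name and MITRE ID; per_source counts hits per (src, dst)."""
    hits = []
    for line in eve_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines rather than abort the hunt
        if ev.get("event_type") != "alert":
            continue  # flows, DNS, HTTP records etc. carry no signature
        sid = ev.get("alert", {}).get("signature_id")
        meta = WATCHED_SIDS.get(sid)
        if meta is None:
            continue  # not one of the signatures the article calls out
        hits.append({"timestamp": ev["timestamp"], "src_ip": ev["src_ip"],
                     "dest_ip": ev["dest_ip"], "dest_port": ev.get("dest_port"),
                     "sid": sid, **meta})
    per_source = Counter((h["src_ip"], h["dest_ip"]) for h in hits)
    return hits, per_source

if __name__ == "__main__":
    hits, per_source = triage(SAMPLE_EVE)
    for (src, dst), n in per_source.most_common():
        print(f"{src} -> {dst}: {n} x {hits[0]['rule']} [{hits[0]['mitre']}]")
```

Point `triage` at the contents of a real eve.json to get the same per-source summary for the signature the article references.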

Other Fortinet Products

For more details on mitigating these vulnerabilities with Fortinet products, refer to the FortiGuard outbreak alert:
https://www.fortiguard.com/outbreak-alert/mallox-ransomware
