FortiNDRCloud
kcheung (Staff)
Article Id 348599
Description

FortiGuard Labs has observed the following vulnerabilities being exploited, as outlined in the CISA advisory on Russian military cyber actors.

CVE-2020-1472, also known as “Zerologon”, is an elevation of privilege vulnerability that allows attackers to establish a vulnerable Netlogon session with a Domain Controller and gain administrative privileges.

CVE-2021-3156 is a heap-based buffer overflow vulnerability in sudo (Linux) that allows attackers to gain root privileges on a vulnerable host.

The following versions of Sudo are affected:

  • All legacy versions from 1.8.2 to 1.8.31p2
  • All stable versions from 1.9.0 to 1.9.5p1


CVE-2021-26084 is an OGNL injection vulnerability in Confluence Server and Data Center which allows attackers to execute arbitrary code.

The following versions are affected:

  • Version < 6.13.23
  • 6.14.0 ≤ Version < 7.4.11
  • 7.5.0 ≤ Version < 7.11.6
  • 7.12.0 ≤ Version < 7.12.5


CVE-2022-26134 is an OGNL injection vulnerability in Confluence Server and Data Center which allows attackers to execute arbitrary code.

The following versions are affected:

  • 1.3.0 ≤ Version < 7.4.17
  • 7.13.0 ≤ Version < 7.13.7
  • 7.14.0 ≤ Version < 7.14.3
  • 7.15.0 ≤ Version < 7.15.2
  • 7.16.0 ≤ Version < 7.16.4
  • 7.17.0 ≤ Version < 7.17.4
  • 7.18.0 ≤ Version < 7.18.1
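The affected-version lists for sudo (CVE-2021-3156) and Confluence (CVE-2021-26084, CVE-2022-26134) above are easy to misread by hand, especially sudo's "p" patch suffix and the mix of inclusive and exclusive bounds. The following checker is an added example (not Fortinet's code) that encodes exactly the ranges listed in this article and reports which of those CVEs a given product version falls into; the `AFFECTED` dictionary, the function names and the version grammar (`major.minor.patch` with an optional `pN` suffix) are this example's own assumptions.

```python
import re
from typing import List, Tuple

# Ranges transcribed from the article: sudo ranges are inclusive at both ends,
# Confluence ranges are lower-inclusive and upper-exclusive (the "<" in the lists).
# Each entry is (low, high, high_is_inclusive). "0" stands for "any version below".
AFFECTED = {
    "sudo": {
        "CVE-2021-3156": [("1.8.2", "1.8.31p2", True), ("1.9.0", "1.9.5p1", True)],
    },
    "confluence": {
        "CVE-2021-26084": [("0", "6.13.23", False), ("6.14.0", "7.4.11", False),
                           ("7.5.0", "7.11.6", False), ("7.12.0", "7.12.5", False)],
        "CVE-2022-26134": [("1.3.0", "7.4.17", False), ("7.13.0", "7.13.7", False),
                           ("7.14.0", "7.14.3", False), ("7.15.0", "7.15.2", False),
                           ("7.16.0", "7.16.4", False), ("7.17.0", "7.17.4", False),
                           ("7.18.0", "7.18.1", False)],
    },
}

# major.minor.patch with an optional sudo-style "pN" suffix, e.g. 1.8.31p2
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:p(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a version string into a fixed-width tuple so Python compares it correctly."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def in_range(version: str, low: str, high: str, high_inclusive: bool) -> bool:
    v, lo, hi = parse_version(version), parse_version(low), parse_version(high)
    return lo <= v and (v <= hi if high_inclusive else v < hi)


def affected_cves(product: str, version: str) -> List[str]:
    """Return the article's CVEs whose affected ranges contain this product version."""
    hits = []
    for cve, ranges in AFFECTED.get(product, {}).items():
        if any(in_range(version, lo, hi, inc) for lo, hi, inc in ranges):
            hits.append(cve)
    return hits


if __name__ == "__main__":
    for product, version in [("sudo", "1.9.5p1"), ("sudo", "1.9.5p2"),
                             ("confluence", "7.13.6"), ("confluence", "7.4.10")]:
        print(product, version, affected_cves(product, version) or "not affected")
```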


CVE-2022-26138 is a hard-coded credential vulnerability in Confluence Server and Data Center.

The Atlassian Questions For Confluence app creates a user account with a hardcoded username and password.

This allows attackers who know the hardcoded password to log in to Confluence and access all content accessible to users in the confluence-users group.

The following versions contain the fix:

  • Update the Questions for Confluence app to a fixed version: 2.7.x >= 2.7.38, or versions >= 3.0.5


CVE-2022-3236 is a code injection vulnerability in the User Portal and Webadmin of Sophos Firewall that allows attackers to perform remote code execution.

The following versions are affected:

  • ≤ v19.0 MR1 (19.0.1)

CVE-2021-33044 and CVE-2021-33045 are authentication bypass vulnerabilities in Dahua products, triggered during the login process. Dahua is a company that specializes in video surveillance equipment.

Refer to the following links for affected versions:

For more information on the Russian Cyber Espionage Attack, refer to the following advisory published by CISA:

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a

CVE ID

CVE-2020-1472 (https://nvd.nist.gov/vuln/detail/CVE-2020-1472)

CVE-2021-3156 (https://nvd.nist.gov/vuln/detail/CVE-2021-3156)

CVE-2021-26084 (https://nvd.nist.gov/vuln/detail/CVE-2021-26084)

CVE-2022-26134 (https://nvd.nist.gov/vuln/detail/CVE-2022-26134)

CVE-2022-26138 (https://nvd.nist.gov/vuln/detail/CVE-2022-26138)

CVE-2022-3236 (https://nvd.nist.gov/vuln/detail/CVE-2022-3236)

CVE-2021-33044 (https://nvd.nist.gov/vuln/detail/CVE-2021-33044)

CVE-2021-33045 (https://nvd.nist.gov/vuln/detail/CVE-2021-33045)

NDR Cloud Detection Rule

FortiNDR Cloud v2024.9+

| Detection Rule Name | Category | Primary MITRE ID |
| --- | --- | --- |
| Netlogon Elevation of Privilege - CVE-2020-1472 | Attack: Exploitation | T1190 - Exploit Public-Facing Application |
| Sudo Heap overflow CVE-2021-3156 | Attack: Exploitation | T1548 - Abuse Elevation Control Mechanism |
| Atlassian Confluence OGNL Injection RCE - CVE-2021-26084 | Attack: Exploitation | T1190 - Exploit Public-Facing Application |
| Atlassian Confluence OGNL Injection - CVE-2022-26134 | Attack: Exploitation | T1190 - Exploit Public-Facing Application |
| Atlassian Confluence Questions add-on Hardcoded credentials - CVE-2022-26138 | Attack: Exploitation | T1190 - Exploit Public-Facing Application |
| Sophos Firewall User Portal and Webadmin Code Injection - CVE-2022-3236 | Attack: Exploitation | T1190 - Exploit Public-Facing Application |
| Dahua NVR HTTP Authentication Bypass - CVE-2021-33044/CVE-2021-33045 | Attack: Exploitation | T1190 - Exploit Public-Facing Application |

Playbook

N/A

Threat Hunting

FortiNDR Cloud users can use the following IOCs from Fortinet to hunt for “Russian Cyber Espionage Attack” related activities.
IOC source: https://www.fortiguard.com/outbreak-ioc?tag=russian%20cyber%20espionage

All IOCs listed above have been added to Threat Intelligence Intel.

Suricata Coverage

Customers can create custom investigations/detections using the Suricata signatures below:

2030871 -> ET EXPLOIT Possible Zerologon NetrServerAuthenticate with 0x00 Client Credentials (CVE-2020-1472)

2030888 -> ET INFO [401TRG] RPCNetlogon UUID (CVE-2020-1472) (Set)

2030870 -> ET EXPLOIT Possible Zerologon Phase 1/3 - NetrServerReqChallenge with 0x00 Client Challenge (CVE-2020-1472)

2035259 -> ET EXPLOIT Zerologon Phase 2/3 - NetrServerAuthenticate2 Request with 0x00 Client Challenge and Sign and Seal Disabled (CVE-2020-1472) M2

2035263 -> ET EXPLOIT Zerologon Phase 3/3 - NetrLogonSamLogonWithFlags Request with 0x00 Client Credentials (CVE-2020-1472)

2035258 -> ET EXPLOIT Zerologon Phase 2/3 - NetrServerAuthenticate2 Request with 0x00 Client Challenge and Sign and Seal Disabled (CVE-2020-1472) M1

2035260 -> ET EXPLOIT Zerologon Phase 2/3 - NetrServerAuthenticate3 Request with 0x00 Client Challenge and Sign and Seal Disabled (CVE-2020-1472) M1

2035261 -> ET EXPLOIT Zerologon Phase 2/3 - NetrServerAuthenticate3 Request with 0x00 Client Challenge and Sign and Seal Disabled (CVE-2020-1472) M2

2035262 -> ET EXPLOIT Zerologon Phase 3/3 - Malicious NetrServerPasswordSet2 (CVE-2020-1472)
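The Zerologon signatures above are phased (Phase 1/3 through 3/3 in their messages), so a single alert is weak evidence while all three phases from one source against one Domain Controller is strong evidence. The following correlator is an added example (not Fortinet's or Suricata's code) that reads Suricata eve.json alert records, maps the SIDs listed in this article to the phase named in each rule's message, and reports source/destination pairs that completed the whole chain; the `ZEROLOGON_PHASE` grouping, the function names and the eve.json sample lines are this example's own assumptions, and the sample records are constructed, not captured traffic.

```python
import json
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# SIDs from the article, keyed to the phase named in each signature's message.
# 2030871 and 2030888 carry no phase and are left out of the chain logic.
ZEROLOGON_PHASE = {
    2030870: 1,                                          # NetrServerReqChallenge
    2035258: 2, 2035259: 2, 2035260: 2, 2035261: 2,      # NetrServerAuthenticate2/3
    2035262: 3, 2035263: 3,                              # NetrServerPasswordSet2 / SamLogonWithFlags
}

# Constructed eve.json records (one JSON object per line); alert fields other
# than signature_id are omitted for brevity. 10.0.5.23 completes all phases,
# 10.0.7.8 only trips phase 1, and one non-alert flow record must be skipped.
SAMPLE_EVE = """\
{"timestamp":"2024-09-05T10:00:01Z","event_type":"alert","src_ip":"10.0.5.23","dest_ip":"10.0.1.10","dest_port":445,"alert":{"signature_id":2030888}}
{"timestamp":"2024-09-05T10:00:02Z","event_type":"alert","src_ip":"10.0.5.23","dest_ip":"10.0.1.10","dest_port":445,"alert":{"signature_id":2030870}}
{"timestamp":"2024-09-05T10:00:02Z","event_type":"flow","src_ip":"10.0.5.23","dest_ip":"10.0.1.10","dest_port":445}
{"timestamp":"2024-09-05T10:00:03Z","event_type":"alert","src_ip":"10.0.5.23","dest_ip":"10.0.1.10","dest_port":445,"alert":{"signature_id":2035260}}
{"timestamp":"2024-09-05T10:00:04Z","event_type":"alert","src_ip":"10.0.5.23","dest_ip":"10.0.1.10","dest_port":445,"alert":{"signature_id":2035262}}
{"timestamp":"2024-09-05T10:02:00Z","event_type":"alert","src_ip":"10.0.7.8","dest_ip":"10.0.1.10","dest_port":445,"alert":{"signature_id":2030870}}
"""

Pair = Tuple[str, str]


def correlate_zerologon(eve_lines: Iterable[str]) -> Dict[Pair, List[int]]:
    """Map each (src_ip, dest_ip) pair to the sorted Zerologon phases its alerts covered."""
    phases = defaultdict(set)
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":      # eve.json mixes flow/dns/etc. with alerts
            continue
        sid = rec["alert"]["signature_id"]
        if sid in ZEROLOGON_PHASE:
            phases[(rec["src_ip"], rec["dest_ip"])].add(ZEROLOGON_PHASE[sid])
    return {pair: sorted(seen) for pair, seen in phases.items()}


def full_chain_pairs(eve_lines: Iterable[str]) -> List[Pair]:
    """Pairs where phases 1, 2 and 3 all fired: the strongest exploitation evidence."""
    return [pair for pair, seen in correlate_zerologon(eve_lines).items() if seen == [1, 2, 3]]


if __name__ == "__main__":
    for pair, seen in correlate_zerologon(SAMPLE_EVE.splitlines()).items():
        print(f"{pair[0]} -> {pair[1]}: phases {seen}")
    print("full chains:", full_chain_pairs(SAMPLE_EVE.splitlines()))
```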

Other Fortinet Products

For more details regarding mitigating the vulnerability by utilizing Fortinet products, please refer to
https://www.fortiguard.com/outbreak-alert/russian-cyber-espionage
