Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Fortinet Proof-of-Concept Released - Update or Mitigate Now!

Horizon3 researchers have released proof-of-concept code for one of two vulnerabilities disclosed by Fortinet last month. CVE-2022-39952 is an "external control of file name or path" vulnerability (CWE-73) in FortiNAC web server which can allow an unauthenticated attacker to upload files to arbitrary locations on the target system, and thereby achieve remote code execution with root privileges. It therefore merited a CVSS score of 9.2

The affected products are:

• FortiNAC version 9.4.0
  
• FortiNAC version 9.2.0 through 9.2.5
  
• FortiNAC version 9.1.0 through 9.1.7
  
• FortiNAC 8.8 all versions
  
• FortiNAC 8.7 all versions
  
• FortiNAC 8.6 all versions
  
• FortiNAC 8.5 all versions
  
• FortiNAC 8.3 all versions
  

and there is no mitigation other than upgrading to the next version (9.4.1, 9.2.6, 9.1.8 or 7.2.0 or above).

The Horizon3 researchers simply compared a vulnerable version with a fixed version, and found that a .jsp (Java Servlet Pages) file had been removed, and perusal of that file and a related shell script quickly gave them the exploit. The technique they used was to create a cron job which executes every minute, creating a reverse shell back to the attacker. Once this was put into a ZIP file and uploaded, within a minute they had a reverse shell as root.

Now the Horizon3 code is up on GitHub, it will quickly be adapted and used in the wild. The time to update is now - or at least, remove that vulnerable .jsp page!

Hanley, Zach, Fortinet FortiNAC CVE-2022-39952 Deep-Dive and IOCs, blog post, 21 February 2023. Available online at https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/.

New InfoStealer Gains Popularity Rapidly

A malware developer going by the name of Plymouth on Russian-speaking forums has released a new infostealer called Stealc, which he claims to have developed from features of the earlier Vidar, Raccoon, Mars and Redline stealers. As a result, Stealc is very polished and highly functional, making it attractive to cybercriminals.

Researchers at SEKOIA.IO first encountered Stealc in January 2023, and during early February they were able to monitor some of its C2 communications - similar to Vidar and Raccoon - and discover several dozen samples of Stealc in the wild, along with over 40 of its C2 servers, indicating that it did, in fact, achieve rapid popularity.

SEKOIA.IO's technical analysis provides detailed insights into this new stealer. By default, Stealc will extract sensitive information from most web browsers, browser extensions for cryptocurrency wallets, desktop crypto wallets and many other applications including email clients and instant messaging. However, Stealc is highly configurable, tailoring its data collection to customer needs. It also has a more general file grabber which can be customised, based on rules, as well as loader capabilities for more advanced exploitation.

SEKOIA.IO's very detailed blog post details their analysis process, as well as what they found. It also provides MITRE ATT&CK TTP's, IOC's and YARA rules.

Threat & Detection Research Team, Stealc: a copycat of Vidar and Raccoon infostealers gaining in popularity – Part 1, blog post, 20 February 2023. Available online at https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.