Security News – Week 51

Agenda Ransomware’s New Rust Variant Targets Critical Sectors

A new variant of Agenda Ransomware, developed with the Rust programming language, has been detected to be used in campaigns targeting critical sectors. Agenda has become one of the ransomware that adopts the cross-platform programming language, making it easy to adapt to different systems such as Windows and Linux with the new variant. Agenda, attributed to an operator named Qilin, is linked to a series of attacks targeting manufacturing and IT industries in different countries. The Agenda Ransomware family, which is still under development, has recently been observed to target critical sectors such as the healthcare and education industries.

Agenda’s new Rust variant, like the Royal ransomware, uses a partial encryption (also known as intermittent encryption) technique by configuring the parameters used to determine the percentage of file content to be encrypted. This method allows faster encryption and avoids detections based on malware read/write file operations. In addition, unlike older Agenda versions, the new variant can terminate the Windows AppInfo process and disable the User Account Control (UAC) feature, which helps prevent the execution of the malware with administrative rights.

Recently, it has been observed that the threat actors behind Ransomware software have started to migrate the ransomware codes to the Rust language. The Rust language is becoming more common among threat actors as it is more difficult to analyze and has a lower detection rate by antivirus engines.

In this context, it is recommended to consider the following security practices to avoid being exposed to targeted attacks that can be carried out using advanced malware.

  • E-mails, attachments, and links from unknown parties should not be respected,
  • Do not download files, programs, or applications from illegal and suspicious-looking sources,
  • Institution/organization personnel should be made aware of target-oriented social engineering/phishing attacks,
  • Network traffic should be continuously monitored for the possibility of malicious attempts and abnormal network behavior,
  • Comprehensive security solutions should be used,
  • Critical files/systems should be backed up regularly,

IoC findings related to the campaign should be blocked from the security solutions in use.

Critical RCE Alert in Foxit PDF Reader and PDF Editor

Foxit has released updates that fix a remote code execution (RCE) vulnerability affecting the PDF Reader and PDF Editor products. The vulnerability affects the Windows operating system and is found in Foxit PDF Reader 12.0.2.12465 and earlier and Foxit PhantomPDF-10.1.7.37777 and earlier.

The details of the detected security vulnerability are as follows;

The vulnerability, tracked as CVE-2022-28672, allows remote threat actors to run arbitrary code on affected installations of Foxit PDF Reader. Exploiting this vulnerability requires user interaction.

The related vulnerability has been fixed in Foxit PDF Reader 12.1 and Foxit PDF Editor 12.1. In this context, in order not to be the target of attacks that can be carried out using the said vulnerability, PDF Reader users are recommended to apply the updates that fix the vulnerability immediately.

Multiple Vulnerabilities Detected in Nessus Network Monitor

Multiple security vulnerabilities have been identified in Nessus Network Monitor due to third-party components that could allow threat actors to perform remote code execution (RCE) and Denial of Service attacks on affected installations.

The details of the critical vulnerabilities identified are as follows;

  • The security vulnerability, tracked as CVE-2022-24785, is due to an input validation error in the npm version of Moment.js. A remote threat actor can access files on the system by sending a specially crafted HTTP request. (Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates.)
  • The security vulnerability, tracked as CVE-2021-23369, is due to incorrect login validation. A remote threat actor can run arbitrary code on the target system through a specially crafted request.

Tenable has released Nessus Network Monitor version 6.2.0, which fixes the vulnerabilities. Nessus Network Monitor 6.2.0 updates moment.js to version 2.29.4 and Handlebars to version 4.7.7 to fix identified security vulnerabilities. In this context, it is recommended to immediately upgrade to the current version published in order not to be the target of attacks that can be carried out using vulnerabilities.

Share This: