Response Guide

Guide to Prevent Execution of Excel 4.0 Macro Malware – Microsoft Office 365 Product

Excel 4.0 macro (XLM) malware is an attack method that uses Microsoft Office Excel files, and it has become established as the next document malware flow after VBA (Visual Basic for Applications). Excel 4.0 macro malware uses the ‘macro sheet’ feature in Excel, in which each cell of the sheet holds a function that is executed as part of a flow. Excel 4.0 macro malware has been the most actively used technique in recent malware distribution via MS Office files. The developer…

[Announcement] New Log4j Vulnerability (CVE-2021-45105) – Log4j 2.17.0

CVE-2021-45105, an additional vulnerability affecting Log4j 2.16.0, was disclosed on December 18th, 2021 (CVSS 7.5). 1. Vulnerable Versions: Log4j 2.0-beta9 to 2.16.0. 2. Vulnerability Exploitation Technique: exploitation is possible when an application that uses Log4j has the layout pattern and Thread Context features enabled. The following shows the vulnerable environment and the technique for exploiting it. 1) Vulnerable Environment [Settings] The application's layout pattern performs Thread Context lookups [Part of log4j2.properties settings] appender.console.type =…

[Notice] Log4j Core Affected by Apache Log4j Vulnerability CVE-2021-44228

AhnLab recommends applying security updates for the Apache Log4j vulnerability. An immediate update is required for CVE-2021-44228, the most critical of the vulnerabilities (CVSS 10.0). Users are advised to check whether the systems they operate contain vulnerable Log4j Core libraries. The list below shows the files for each Log4j Core version that are affected by CVE-2021-44228. The hash for each version may differ if the Log4j source code was built manually in the individual…

[Alert] Apache Log4j 2 Vulnerability, Update Recommended

The Apache Log4j 2 vulnerability (CVE-2021-44228) was revealed on Twitter and GitHub alongside a POC on December 10th, 2021. It is a remote code execution (RCE) vulnerability in the Log4j software: the address of a remote Java object can be included in a log message and the object is then loaded and run on the vulnerable server. Alibaba’s cloud security team first reported the vulnerability to the Apache Software Foundation on November 24th, 2021, and the first patch was distributed on December 6th, 2021. Patches continue to be released,…

Magniber Ransomware Decryption Tool with Random Vector Recovery Feature

AhnLab’s new Magniber decryption tool is a GUI redesign of the existing tool and now supports recovery of files that previously could not be repaired because of a variable vector found since April 8. However, recovery is limited to cases where an encrypted/decrypted file pair exists along with the extension and key information. The tool is designed to show the key and vector information once the encryption extension is entered. Key and vector information for each extension is managed in a database file named ‘magniber.db’ inside the decryption tool; it was continuously updated until it expired in October 2019. Files cannot be recovered if no key and vector information appears after the extension is entered…