https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw
CTI Team Leader in FortiEDR @fortinet
Keybase: imp0rtp3
New IPs & some attribution clues related to the TA exploiting #CVE_2022_42475:
#JA3:
bf2b95ac267823f6588b2436bc537b26
FG x64: https://virustotal.com/gui/file/0184e3d3dd8f4778d192d07e2caf44211141a570d45bb47a87894c68ebebeabb/details
Linux x64: https://virustotal.com/gui/file/23f2536aec6a4977a504312ff5863468ba2900fece735acd775d0ae455b4cd4d
Old Windows: https://www.virustotal.com/gui/file/61aae0e18c41ec4f610676680d26f6c6e1d4d5aa4e5092e40915fe806b679cd4
TA was less careful with the Windows samples - left us some clues:
- GBK (Chinese) encoding of the computer info (later changed to utf-8)
- UTC+8 compile time string inside sample (exactly 8 hours ahead of PE compile time)
Advisory of #CVE_2022_42475 (FortiOS SSL-VPN RCE) updated with additional IPs of the threat actor exploiting it:
@eevee Found a new rebranded #Conti #Ransomware Linux & ESXi that surfaced on VT with the name #Monti.
Almost identical to previous versions of Conti.
Added cmdline arguments --detach, --size, --file (latter unused).
We wrote about the previous campaign in September (YARA included):
https://www.fortiguard.com/threat-signal-report/4736/new-conti-ransomware-campaign-observed-in-the-wild-1
Wall of Shame seems to be in the testing phase.
Victim is invited to a chatroom, but not given any credentials.
IoCs:
sha256 - edfe81babf50c2506853fd8375f1be0b7bebbefb2e5e9a33eff95ec23e867de1
hxxp://mblogci3rudehaagbryjznltdp33ojwzkq6hn2pckvjq33rycmzczpid[.]onion
hxxp://monti5o7lvyrpyk26lqofnfvajtyqruwatlfaazgm3zskt3xiktudwid[.]onion/chat/c7c5b8b0703950c40e6614bf957f94c1