Cyber Security Week in Review: February 9, 2024

 


Fortinet warns of new FortiOS and FortiSIEM bugs, one of which is likely exploited in the wild

Fortinet has warned of a critical out-of-bounds write vulnerability (CVE-2024-21762) in FortiOS SSL VPN that “is potentially being exploited in the wild,” without disclosing further details on the exploitation. The flaw allows an unauthenticated remote attacker to execute arbitrary code or commands via specially crafted requests. Fortinet's only listed workaround is to disable SSL VPN entirely; disabling web mode alone is not a valid workaround. The vulnerability affects the following versions:

  • FortiOS 7.4 (versions 7.4.0 through 7.4.2) - Upgrade to 7.4.3 or above

  • FortiOS 7.2 (versions 7.2.0 through 7.2.6) - Upgrade to 7.2.7 or above

  • FortiOS 7.0 (versions 7.0.0 through 7.0.13) - Upgrade to 7.0.14 or above

  • FortiOS 6.4 (versions 6.4.0 through 6.4.14) - Upgrade to 6.4.15 or above

  • FortiOS 6.2 (versions 6.2.0 through 6.2.15) - Upgrade to 6.2.16 or above

  • FortiOS 6.0 (all versions) - Migrate to a fixed release

FortiOS 7.6 is not impacted.

Additionally, Fortinet disclosed and patched several vulnerabilities (CVE-2024-23108, CVE-2024-23109, CVE-2023-34992) in the FortiSIEM supervisor that allow a remote, unauthenticated attacker to execute unauthorized commands via crafted API requests; the first two are variants of the earlier CVE-2023-34992.

The company has also released an analysis of the exploitation of known N-Day Fortinet vulnerabilities, including CVE-2022-42475 and CVE-2023-27997 exploited as zero-days by a slew of China-linked threat actors, namely Volt Typhoon, APT15, and APT31.

New Ivanti auth bypass flaw affects Connect Secure and ZTA Gateways

Ivanti disclosed yet another high-severity flaw (CVE-2024-22024), an XML external entity (XXE) vulnerability in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure and ZTA gateways, which allows a remote attacker to access restricted resources without authentication. It affects Ivanti Connect Secure versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1, Ivanti Policy Secure version 22.5R1.1 and ZTA version 22.6R1.3. While there is no evidence that the flaw has been exploited in the wild, users are urged to apply patches as soon as possible.

It’s worth noting that a recently disclosed critical server-side request forgery (SSRF) vulnerability affecting Ivanti Connect Secure and Ivanti Policy Secure, designated as CVE-2024-21893, has become a target for mass exploitation by numerous attackers.

According to reports from the threat monitoring service Shadowserver, the exploitation volume of CVE-2024-21893 far exceeds that of other recently addressed Ivanti vulnerabilities. The organization said it has observed 170 distinct IP addresses attempting to exploit the flaw.

A high-severity Shim bootloader vulnerability affects Linux distros

The maintainers of Shim, the bootloader most Linux distributions use to support UEFI Secure Boot, have released version 15.8 to address six security vulnerabilities. The most serious (CVE-2023-40547, rated high severity) lies in Shim's HTTP boot support, which trusts attacker-controlled values when parsing an HTTP response: a malicious response yields a fully controlled out-of-bounds write and, from there, complete system compromise before the operating system has even loaded.

Note: the flaw is only reachable during the early boot phase, and only when the system boots over HTTP. To exploit it, an attacker must either sit on the network path (MitM) or control the boot server.
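As an added illustration of the bug class, not Shim's own source: hypothetical loader code that copies an HTTP boot response into a fixed buffer using the server-supplied Content-Length, beside a hardened version that validates that length before writing. The function names, the 64-byte buffer and the two sample responses are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative HTTP boot response handling. Hypothetical code written for
 * this page, not Shim's source; names and sizes are assumptions. */

#define IMAGE_CAP 64  /* fixed-size buffer the loader reserves for the body */

/* Locate the body and parse "Content-Length: N" from a NUL-terminated response.
 * Returns 1 on success, 0 if the header block or the length is missing. */
static int parse_response(const char *resp, uint64_t *content_len,
                          const char **body)
{
    const char *hdr_end = strstr(resp, "\r\n\r\n");
    if (hdr_end == NULL)
        return 0;
    const char *cl = strstr(resp, "Content-Length:");
    if (cl == NULL || cl > hdr_end)
        return 0;
    const char *num = cl + strlen("Content-Length:");
    char *endp = NULL;
    *content_len = strtoull(num, &endp, 10);
    if (endp == num)
        return 0;
    *body = hdr_end + 4;
    return 1;
}

/* Vulnerable pattern: the server-supplied length drives the copy directly, so
 * a Content-Length larger than IMAGE_CAP writes past the end of the buffer
 * (and a length larger than the data received reads past the response). */
size_t copy_body_unchecked(const char *resp, unsigned char *out)
{
    uint64_t n;
    const char *body;
    if (!parse_response(resp, &n, &body))
        return 0;
    memcpy(out, body, (size_t)n);
    return (size_t)n;
}

/* Hardened pattern: validate the attacker-influenced length against both the
 * destination capacity and the bytes actually received before any write.
 * Returns the number of bytes copied, or -1 when the response is rejected. */
long copy_body_checked(const char *resp, unsigned char *out, size_t out_cap)
{
    uint64_t n;
    const char *body;
    if (!parse_response(resp, &n, &body))
        return -1;
    size_t received = strlen(body);
    if (n > out_cap || n > received)
        return -1;
    memcpy(out, body, (size_t)n);
    return (long)n;
}

/* Constructed sample responses, not captures from a real boot server. */
const char *const BENIGN_RESP =
    "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello";
const char *const MALICIOUS_RESP =
    "HTTP/1.1 200 OK\r\nContent-Length: 4096\r\n\r\nhello";

/* Runs both responses through the hardened path. Returns 1 when the benign
 * body is accepted intact and the oversized length is rejected. */
int hardened_path_ok(void)
{
    unsigned char buf[IMAGE_CAP];
    memset(buf, 0, sizeof buf);
    if (copy_body_checked(BENIGN_RESP, buf, sizeof buf) != 5)
        return 0;
    if (memcmp(buf, "hello", 5) != 0)
        return 0;
    return copy_body_checked(MALICIOUS_RESP, buf, sizeof buf) == -1;
}

int main(void)
{
    unsigned char buf[IMAGE_CAP];
    printf("unchecked copy of benign response: %zu bytes\n",
           copy_body_unchecked(BENIGN_RESP, buf));
    printf("hardened path behaves correctly: %s\n",
           hardened_path_ok() ? "yes" : "no");
    /* copy_body_unchecked(MALICIOUS_RESP, buf) would write 4096 bytes into a
     * 64-byte buffer: the out-of-bounds write the advisory describes. */
    return 0;
}
```

The unchecked copy behaves identically on a well-formed response, which is why this class of bug survives functional testing; only an adversarial length exposes it. Note that patching Shim is not enough on its own: older, vulnerable Shim binaries remain signed, so they stay bootable until they are revoked (via the UEFI dbx or SBAT) on each machine.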

Chinese hackers caught spying on the Dutch defense network

The Dutch Military Intelligence and Security Service (MIVD) disclosed that a China-linked threat actor compromised an internal computer network at the Dutch Ministry of Defense last year and deployed sophisticated malware for cyberespionage purposes.

The agency said the malware was found on a standalone network used for unclassified research and development (R&D); because that network was segmented from the ministry's other systems, the intrusion caused no damage to the wider defense network. The attackers exploited a vulnerability (CVE-2022-42475) in Fortinet FortiOS devices to plant a backdoor named 'Coathanger', which MIVD says survives reboots and firmware upgrades.

Nearly half of known zero-day exploits linked to commercial spyware, Google says

Google's Threat Analysis Group (TAG) released a report on the growing threat posed by commercial surveillance vendors (CSVs) and their use of zero-day exploits against Android and iOS devices. According to Google TAG, CSVs account for half of all known zero-day exploits targeting Google products and devices within the Android ecosystem: of the 72 in-the-wild zero-day exploits discovered since mid-2014, 35 have been attributed to commercial spyware vendors.

On Monday, the US authorities announced a new policy aimed at targeting individuals involved in the misuse of commercial spyware worldwide. This new policy empowers the imposition of visa restrictions on those found complicit in the misuse of commercial spyware.

Russian hackers target the Ukrainian military with new Subtle-Paws PowerShell backdoor

The Securonix Threat Research team uncovered a sophisticated cyber-espionage campaign targeting Ukraine that leverages a novel PowerShell backdoor. The ongoing campaign, believed to be linked to the Shuckworm group (also tracked as Gamaredon), employs stealthy tactics to evade detection and primarily targets Ukrainian military personnel.

North Korean Kimsuky APT targets South Korea with novel Troll Stealer malware

A North Korean nation-state threat actor known as Kimsuky launched a new campaign against South Korea, which involves a novel Go-based information-stealing malware dubbed ‘Troll Stealer.’ The malware masquerades as an installation file for security software and is capable of extracting various sensitive data including SSH, FileZilla, and browser credentials, as well as system information and screen captures from infected devices.

Chinese state-backed hackers have been hiding in US critical infrastructure for over five years

Chinese government-backed hackers have infiltrated critical infrastructure networks within the United States for at least the past five years with the goal of launching disruptive or destructive cyberattacks, a joint advisory from CISA, the FBI and NSA said. The agencies warn that the threat actors are strategically positioning themselves within IT networks, ready to execute attacks in the event of a major crisis or conflict with the United States.

Islamic non-profit targeted with new Zardoor backdoor

Cisco Talos released a report shedding light on a recently discovered cyber espionage campaign that has been ongoing since at least March 2021. The campaign targets an Islamic non-profit organization, leveraging backdoors associated with a previously unreported malware strain dubbed “Zardoor.”

The attack is believed to be the work of an advanced threat actor based on the use of the custom backdoor Zardoor, adaptation of reverse proxy tools, and successful evasion of detection over an extended period. Throughout the operation, the adversary relied on living-off-the-land binaries (LoLBins) to deploy backdoors, establish command and control (C2) infrastructure, and maintain persistence within the compromised environment.

Iran accelerates cyber ops against Israel, Microsoft says

Microsoft published a report on Iranian government-aligned cyberattacks carried out since the Hamas-Israel war started on October 7, 2023. According to the report, operations conducted by hacker groups associated with the Islamic Revolutionary Guard Corps initially appeared disorganized and rushed, suggesting little to no coordination with Hamas.

Despite this, they have managed to achieve increasing success. Microsoft says that Iran's cyber operations escalated from nine groups active in Israel during the first week of the conflict to 14 groups within two weeks. The report also highlights a significant increase in cyber-enabled influence operations, with occurrences rising from approximately one operation every other month in 2021 to eleven in October 2023 alone.

US sanctions Iranian military hackers for targeting water utilities

The US Treasury Department imposed sanctions on six Iranian military hackers, accusing them of carrying out cyberattacks against American water companies. The six sanctioned individuals are named as Hamid Reza Lashgarian, the head of the Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC) and a commander in the IRGC-Qods Force, Mahdi Lashgarian, Hamid Homayunfal, Milad Mansuri, Mohammad Bagher Shirinkar, and Reza Mohammad Amin Saberian, who are senior officials of the IRGC-CEC.

In addition, the US authorities sanctioned two Egyptian IT experts for providing cybersecurity support and training to the terrorist organization ISIS, including the use of cryptocurrency and supporting the group’s recruitment and propaganda.

Hackers compromised the IRGC front company Sahara Thunder, which sells weapons to Russia

A group of hackers known as PRANA Network claim to have hacked the email servers of the Iranian company Sahara Thunder linked to the Islamic Revolutionary Guard Corps (IRGC), which facilitates the illegal sale of weapons from Iran to Russia.

The hackers said they extracted nearly 10 GB of files from the company, including contracts detailing multi-million-dollar arms deals, evidence of payments made in gold bars, blueprints for unmanned aerial vehicles (UAVs), and details on Generation Trading FZE, an intermediary based in the United Arab Emirates (UAE), and on Alabuga in Russia. The leaked files also included bank account details and factory layouts.

New Ov3r_Stealer is being distributed via job postings on Facebook

A recently discovered malware called Ov3r_Stealer is making its way through deceptive job postings on Facebook, with the goal of pilfering both account logins and cryptocurrency holdings.

These bogus job listings typically promise managerial roles and redirect users to a Discord link, where a PowerShell script is employed to fetch the malware from a GitHub repository. While the tactics and techniques to drop the malware and the code itself are not unique, the malware campaign is still posing a risk given Facebook’s popularity, Trustwave researchers cautioned.

AnyDesk revokes passwords and certs after security breach

German remote desktop software maker AnyDesk disclosed a security breach that impacted its production systems. Following the incident, the company revoked all security-related certificates, and affected systems have been remediated or replaced where necessary. While AnyDesk did not say whether any data was stolen, researchers at Resecurity spotted multiple threat actors selling compromised AnyDesk credentials on cybercriminal forums: over 18,000 sets of credentials were offered for sale on the dark web, believed to have been obtained through info-stealer infections rather than the breach itself.

Fake LastPass password manager app steals personal data

LastPass has alerted customers about a deceptive app discovered on the Apple App Store. This fraudulent app masquerades as the authentic LastPass application, aiming to pilfer personal data. Dubbed “LassPass Password Manager,” the app lists Parvati Patel as the developer.

US authorities offer up to $15M for info on the Hive ransomware gang

The US Department of State has announced a reward of up to $10 million for information leading to the identification and/or location of key figures of the Hive ransomware group. An additional reward of up to $5 million has been offered for info leading to the arrest and/or conviction of people participating in Hive ransomware activity.

Data breaches at two French healthcare payment service providers impact half the population of France

Two French healthcare payment service providers, Viamedis and Almerys, have recently suffered data breaches, affecting more than 33 million individuals in the country.

The French data protection authority (CNIL) has officially confirmed both breaches. The compromised data includes sensitive information such as social security numbers, civil status details, dates of birth, health insurer names, and policy coverage details for both policyholders and their family members. Banking information, medical data, health reimbursements, postal addresses, telephone numbers and email addresses were not affected.

Cybercriminals unleash sophisticated DeFi Savings scams

Pig-butchering scammers have adopted a “cybercrime-as-a-service” model, selling ready-made pig-butchering kits on the dark web and expanding into new markets worldwide, a new report from cybersecurity firm Sophos revealed. The latest evolution of these schemes, known as “DeFi Savings,” pairs legitimate cryptocurrency wallet apps with malicious smart contracts, so victims never install a malicious app and mobile device defenses are never triggered.

Trio charged in SIM-swap attacks linked to $400 million FTX hack

Three individuals have been charged by the US authorities for orchestrating a series of SIM-swap attacks linked to the $400 million hack of FTX, one of the largest digital currency exchange platforms, in 2022. The exchange was hacked mere hours after it filed for bankruptcy. The alleged SIM-swap robbers have been identified as Robert Powell (aka R, R$, EISwapo1), Carter Rohn (aka Carti, Panslayer), and Emily Hernandez (aka Em).

Security researcher accused of scamming $2.5 million out of Apple

Noah Roskin-Frazee, a security researcher who previously reported vulnerabilities to big tech companies like Apple, is now facing charges for allegedly orchestrating a scheme to defraud the Cupertino-based company.

Court records reveal that Roskin-Frazee and his accomplice, Keith Latteri, accessed the target company’s systems through a third-party contractor and fraudulently obtained $2.5 million worth of gift cards and $100,000 worth of electronics. They reportedly sold these stolen items to third parties, profiting from their illicit activities and causing significant financial losses to both Apple and its contracted customer support business.

While the indictment doesn’t name the victim, the description of the affected company suggests that it is Apple.

Hackers can manipulate live conversations using AI

IBM security researchers have demonstrated how hackers can exploit generative artificial intelligence (Gen AI) and deep fake audio technology to hijack and manipulate live conversations.

The researchers devised a method they dubbed “audio-jacking,” which allows threat actors to intercept a speaker's audio and seamlessly replace snippets of authentic voice with deep fake replicas. Unlike traditional deep fake methods that create entirely fabricated voices, this technique operates in real-time, dynamically modifying the conversation based on context.
