All the latest Cybersecurity news in the media FortiGuard Labs | FortiGuard Center - Threat Signal Report

What is the vulnerability?A use-after-free vulnerability tagged as CVE-2023-49606 exists in Tinyproxy, a lightweight open-source HTTP proxy daemon. The threat actor may trigger this memory corruption and execute arbitrary code by sending a specially crafted HTTP header that triggers the reuse of previously freed memory. That can lead to remote code execution. As of May 3, 2024, Censys observed over 90,000 hosts running Tinyproxy service exposed in the Internet where 57% of which are potentially vulnerable to this CVE-2023-49606.What is the recommended Mitigation?FortiGuard Labs is not aware of any patches released by the vendor as of this report. To mitigate the risk, users are advised to make sure that Tinyproxy service is not exposed to the internet.What FortiGuard Coverage is available?FortiGuard Labs is currently investigating relevant protections and will update the threat signal as they are released. FortiGuard Incident Response team can be engaged to help with any suspected compromise.

lightweight open-source proxy daemon Tinyproxy vulnerability tagged

What is the vulnerability?A critical vulnerability has been discovered in GitLab, a DevOps platform for managing software development lifecycle. A successful exploitation of the vulnerability may allow an attacker to take control of the GitLab administrator account without user interaction. CVE-2023-7028 has been given a maximum CVSS score of 10. CISA added the vulnerability on May 1st to its Known Exploited Vulnerabilities (KEV) Catalog, What is the recommended Mitigation?GitLab users are advised to update their instances to a patched version and enable two factor authentication (2FA) which will deny malicious actors access to compromised accounts.What FortiGuard Coverage is available?FortiGuard Labs has an existing Web Application Security signature "GitLab.Password.Reset.Account.Takeover" released on Jan 16 to detect and block any attack attempts targeting the Authentication Bypass Vulnerability in GitLab (CVE-2023-7028) and has Endpoint Vulnerability signature ID "5551" to detect vulnerable versions of installed GitLab software.

DevOps platform Reset Vulnerability

Join the Be.Cyber community! On the program: news and tools monitoring, mutual aid and knowledge sharing, event organization (workshops, CTF resolution), ... And it's all in good fun!

What is the vulnerability?The CVE-2023-32315 is a path traversal vulnerability that affects all Openfire versions since version 3.1.0. Successful exploitation of this vulnerability can allow attackers to bypass authentication and gain access to sections of the restricted Openfire Admin Console. CISA recently added CVE-2023-32315 to the Known Exploited Vulnerabilities catalog, which means that the vulnerability has been observed to be exploited in the wild. What is the recommended Mitigation?The vendor released Openfire version 4.6.8 and 4.7.5 that contains a fix in mid 2023. More information could be found here: https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvmWhat FortiGuard Coverage is available?FortiGuard Labs has an existing "Openfire.setup.CVE-2023-32315.Authentication.Bypass" IPS signature released since August 2023.

Openfire Path Realtime Openfire

What is the vulnerability? A zero-day security vulnerability has been uncovered in an enterprise file-transfer software CrushFTP. The vulnerability tagged as CVE-2024-4040 is actively being exploited in targeted attacks and has also been added to the CISA Known Exploited Vulnerabilities (KEV) list. The vulnerability allows unauthenticated remote attackers to read files from the file system outside of the VFS Sandbox, gain administrative access, and perform remote code execution on the server.What is the vendor Mitigation? According to the vendor advisory, CrushFTP versions prior to 10.7.1 and 11.1.0 are vulnerable to CVE-2024-4040 and being advised to immediately apply the patch. What FortiGuard Coverage is available? Endpoint vulnerability service is available to help detect vulnerable endpoints running the CrushFTP server application. FortiGuard Labs is further investigating for additional coverages.

Escape Vulnerability VFS Sandbox zero-day security

What is the Attack? Cisco issued an advisory on 24th April, regarding its Adaptive Security Appliances, multifunctional devices combining firewall, VPN, and other security functions. It reported that these appliances had become the focus of state-sponsored espionage, with attackers exploiting two previously unknown vulnerabilities to infiltrate government entities worldwide. In this campaign, two backdoors were deployed: "Line Runner" and "Line Dancer." These backdoors operated in tandem to execute various malicious activities on the target systems, encompassing configuration alterations, reconnaissance, capturing/exfiltrating network traffic, and potentially facilitating lateral movement. What is the recommended Mitigation? According to Cisco's advisory, the initial attack vector remains unidentified, two vulnerabilities (CVE-2024-20353 and CVE-2024-20359) have been pinpointed. Customers are strongly urged to adhere to the instructions outlined in the security advisories provided. https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_attacks_event_response What FortiGuard Coverage is available? FortiGuard Labs has blocked all the known Indicators of compromise (IoCs) related to this campaign as listed on Cisco's advisory and is currently investigating for further protections. Meanwhile, FortiGuard Labs recommends users apply patches as provided by Cisco's Product Security Incident Response Team (PSIRT).

ArcaneDoor Attack

What is the Akira Ransomware Attack? The Akira ransomware attack has actively and widely impacting businesses. According to CISA advisory, the ransomware group has impacted over 250 organizations and claimed approximately million (USD) in ransomware proceeds. The ransomware group gains initial access via either less-secured VPN or Cisco vulnerabilities. Once the network is compromised, the threat actor is able to target a system and encrypt files with .akira extension. What is the recommended Mitigation? Review attack surfaces and ensure that all systems are kept up-to-date with the latest patches. Also, maintain general awareness and training about the risk of phishing and social engineering attacks in the organization. What FortiGuard Coverage is available? FortiGuard Labs has existing AV signatures (i.e. W64/Akira.C!tr.ransom) to block all the known malware variants used by Ransomware group and has blocked related IoCs via Web filtering service.

What is the vulnerability/attack? A critical unauthenticated remote code injection vulnerability in the PAN-OS GlobalProtect Gateway was discovered. This vulnerability tracked under CVE-2024-3400 has a CVSS rating of 10.0. The GlobalProtect Gateway provides security solution for roaming users by extending the same next-generation firewall-based policies. According to the vendor advisory, active exploitation is on-going. What is the recommended Mitigation? The vendor has released a threat prevention signature and is currently developing a hotfix releases of PAN-OS. What FortiGuard Coverage is available? As the situation is still developing; the FortiGuard team will update the threat signal and provide more information on related protections as they are released. FortiGuard Incident Response team can be engaged to help with any suspected compromise.

GlobalProtect Gateway PAN-OS Critical

What is the vulnerability/attack? A malicious code was discovered embedded in the XZ Utils which is a data compression software included in major Linux distributions. This vulnerability tracked under CVE-2024-3094 is a result of a supply chain attack on the versions 5.6.0 and 5.6.1 of the related tools and libraries. A security researcher found the malicious code when he experienced an unexpected behavior which led to further investigation and discovery of the vulnerability. What is the recommended Mitigation? CISA has advised XZ Utils users to downgrade to an older version of the utility immediately (i.e., any version before 5.6.0) and update their installations and packages according to distribution maintainer directions. Major Linux distributions and package maintainers have published guidance on updating. Please see the link and refer to individual distribution and package advisories for the latest information and remediation guidance. What FortiGuard Coverage is available? The situation is still developing; the FortiGuard team will update the threat signal and provide more information on related protections as they are released. FortiGuard Incident Response team can be engaged to help with any suspected compromise.

What is the vulnerability? Cyber threat actors are actively targeting Linear eMerge E3-Series to exploit a 5-year-old critical vulnerability. The vulnerability tracked as CVE-2019-7256 is a command injection flaw that could allow an attacker to cause remote code execution and full access to the system. The Nice Linear eMerge E3-Series is a popular access control system used in various commercial and industrial environments worldwide which underscores the importance of the potential widespread impact of this vulnerability. What is the recommended Mitigation? Nice has released a security bulletin that advises users to apply the latest firmware to mitigate the risk and recommends defensive measures to minimize the risk of exploitation. https://linear-solutions.com/wp-content/uploads/Service-Bulletin-for-Telephone-Entry-Products-04-12-2023.pdf What FortiGuard Coverage is available? FortiGuard Labs has an existing IPS signature "Linear.eMerge.E3.Unrestricted.File.Upload" to block any attack attempts targeting the vulnerability and has an OT virtual patch available for auto-patching. Fortinet customers remain protected by the vulnerability; however, it is recommended to apply firmware patches released by the vendor to mitigate any risks.

eMerge Command Linear eMerge

What is the Kimsuky Malware Attack? Kimsuky, officially known as the Kim Suky Group, is a cyber-espionage group linked to North Korea. The group has been active since at least 2012 and is primarily focused on gathering intelligence targeting South Korean government entities. According to a recent observation by Rapid7, the group launched an attack leveraging weaponized Microsoft Office documents, ISO files, Windows shortcut (LNK), and CHM files, or Compiled HTML Help files. What is the recommended Mitigation? Maintain general awareness and training about the risk of phishing and social engineering attacks in the organization. And, ensuring that all systems and software are kept up-to-date with the latest patches. What FortiGuard Coverage is available? FortiGuard Labs has existing AV signatures to block all the known malware variants used by Kimsuky group and has blocked related IoCs via Web filtering service. AI-based Behavior detection engine by FortiGuard can detect and block unknown variants of the malware and other sophisticated threats.

Kim Suky Kimsuky Malware

What is the Vulnerability? Cyber threat actors are actively targeting Jenkins which is a Java-based open-source automation server widely used by application developers. The critical vulnerability tracked as CVE-2024-23897 could enable remote code execution (RCE) potentially leading to unauthorized access and data compromise. Exploiting this vulnerability allows attackers to read any files on the Jenkins controller file system.FortiRecon ACI service has observed active and recent discussions in the Dark Web. Also, a Proof of Concept (PoC) exploit has been made publicly available which makes this vulnerability crucial for continuous monitoring and more exploitation activities. What is the Vendor Solution? Jenkins released a security advisory on January 24, 2024 about this vulnerability. [ Link ] What FortiGuard Coverage is available? FortiGuard Labs has provided protection via the IPS signature "Jenkins.LTS.Command.Line.Interface.Arbitrary.File.Read" which was released in early February to detect and block any attack attempts targeting the vulnerability (CVE-2024-23897). FortiGuard Labs advises organizations to apply the latest Jenkins security updates and patches.