Tag Archive for: Fortinet

Cyber threats are evolving at breakneck speed, but the fundamental weaknesses attackers exploit remain strikingly unchanged. So far in 2025, many analysts have published landscape reviews of 2024 and outlooks for 2025. The cost of cyber breaches is ticking upwards, but overall, cyber breach root-causes have not changed. Phishing [T1566] and exploiting known software vulnerabilities [T1190] continue to top the list. Another key observation is that attackers are weaponizing public information faster, converting CVE (Common Vulnerabilities and Exposures) disclosures into viable exploit code within days or even hours. Once inside a victim’s network, they are executing precision second-stage objectives faster too, deploying ransomware within minutes.

In this month’s edition of the Greenbone Threat Report, we will briefly review the disclosed chats of the Black Basta ransomware group and highlight Greenbone’s coverage of their now exposed techniques. We will also review a report from Greynoise about mass exploitation attacks, a new actively exploited vulnerability in Zimbra Collaboration Suite and new threats to edge networking devices.

The Era of Tectonic Technology

If security crises are like earthquakes, then the global tech ecosystem is the underlying tectonic plates. The global technology ecosystem would be best represented as the Paleozoic Era of geological history. Rapid innovation and competitive market forces are pushing and pulling at the fabric of IT security like the colliding supercontinents of Pangea, with continuous earthquakes forcing constant continental shift.

Entirely new paradigms of computing such as generative AI and quantum computing are creating advantages and risks; volcanoes of value and unstable ground. Global governments and tech giants are wrestling for access to citizens’ sensitive personal data, adding gravity. These struggles have significant implications for privacy, security and how society will evolve. Here are some of the major forces destabilizing IT security today:

  • Rapidly evolving technologies are driving innovation, forcing technical change.
  • Organizations are both forced to change as technologies and standards are deprecated and motivated to change to remain competitive.
  • Fierce market competition has accelerated product development and release cycles.
  • Strategic planned obsolescence has been normalized as a business strategy for reaping financial gain.
  • Pervasive lack of accountability for software vendors has led to prioritization of performance over “security-first” design principles.
  • Nation-states weaponize technology for Cyber Warfare, Information Warfare and Electronic Warfare.

Due to these forces, well-resourced and well-organized cyber criminals find a virtually unlimited number of security gaps to exploit. The Paleozoic Era lasted 300 million years. Hopefully, we won’t have to wait that long for product vendors to show accountability and employ secure design principles [1][2][3] to prevent so-called “unforgivable” vulnerabilities of negligence [4][5]. The takeaway is that organizations need to develop technical agility and efficient patch management programs. Continuous prioritized vulnerability management is a must.

Black Basta Tactics Revealed: Greenbone Has Coverage

Leaked internal chat logs belonging to the Black Basta ransomware group have provided insight into the group’s tactics and inner workings. The logs were leaked by an individual using the alias “ExploitWhispers” who claimed the release was in response to Black Basta’s controversial targeting of Russian banks, allegedly creating internal conflicts within the group. Since its emergence in April 2022, Black Basta has reportedly amassed over $100 million in ransom payments from more than 300 victims worldwide. The 62 CVEs referenced in the leaked documents reveal the group’s tactics for exploiting known vulnerabilities. Of these 62, Greenbone maintains detection tests for 61, covering 98% of the CVEs.

The Greynoise 2025 Mass Exploitation Report

Mass exploitation attacks are fully automated network attacks against services that are accessible via the internet. This month, Greynoise published a comprehensive report summarizing the mass exploitation landscape, including the top CVEs attacked by the largest botnets (by unique IPs), the most exploited product vendors and the top CVEs that are both included in CISA’s (Cybersecurity and Infrastructure Security Agency) KEV (Known Exploited Vulnerabilities) catalog and exploited by botnets. The Greenbone Enterprise Feed has detection tests for 86% of all CVEs (86 total) referenced in the report. When considering only CVEs issued in 2020 or later (66 total), our Enterprise Feed has 90% detection coverage.

Additional findings include:

  • 60% of CVEs exploited in mass exploitation attacks were published in 2020 or later.
  • Attackers are exploiting vulnerabilities within hours of disclosure.
  • 28% of vulnerabilities in CISA KEV are exploited by ransomware threat actors.

Zimbra Collaboration Suite

CVE-2023-34192 (CVSS 9.0) is a high-severity Cross-Site Scripting (XSS) vulnerability in Zimbra Collaboration Suite (ZCS) version 8.8.15. The flaw allows authenticated remote attackers to execute arbitrary code via crafted scripts targeting the `/h/autoSaveDraft` function. CISA added CVE-2023-34192 to its KEV catalog, indicating that it has been actively exploited in real-world attacks. Proof-of-concept (PoC) exploit code is publicly available, allowing low-skilled attackers to join the fray. CVE-2023-34192 has held a very high EPSS since its disclosure in 2023. For defenders leveraging EPSS for remediation prioritization, this indicates a high priority to patch.

Zimbra Collaboration Suite (ZCS) is an open-source office productivity platform that integrates email, calendar, contacts, tasks and collaboration tools but holds a niche market share of less than 1% of all email and messaging platforms.

Living on the Edge: New Critical Networking Device Flaws

In our monthly threat report we have been tracking the persistent threat to edge network devices. Earlier this month, we reported on a perfect security storm affecting end-of-life (EOL) Zyxel routers and firewalls. In this section we will review new security risks that fall into the “edge networking” category. Greenbone has detection capabilities for all CVEs discussed below.

Chinese Hackers Exploit Palo Alto’s PAN-OS for Ransomware

CVE-2024-0012 (CVSS 9.8), a vulnerability in Palo Alto PAN-OS disclosed last November, is considered one of the most exploited vulnerabilities of 2024. The CVE is also reportedly being used by Chinese state-backed threat actors for ransomware attacks. Another new flaw affecting PAN-OS, CVE-2025-0108 (CVSS 9.1), was just disclosed this month and immediately tagged as actively exploited by CISA. CVE-2025-0108 is an authentication bypass in the management web-interface and can be chained together with CVE-2024-9474 (CVSS 7.2), a separate privilege escalation vulnerability to gain unauthenticated root control over an unpatched PAN-OS device.

SonicWall Patches a Critical Actively Exploited CVE in SonicOS

CVE-2024-53704, a critical severity vulnerability in SonicWall devices, has been recently added to CISA’s KEV list. Astoundingly, CISA lists 8 SonicWall CVEs that are known to be actively exploited in ransomware attacks. CVE-2024-53704 (CVSS 9.8) is an Improper Authentication vulnerability [CWE-287] in the SSLVPN authentication mechanism of SonicWall’s SonicOS versions 7.1.1-7058 and older, 7.1.2-7019, and 8.0.0-8035. It allows remote attackers to bypass authentication and hijack active SSL VPN sessions, potentially gaining unauthorized network access. A full technical analysis is available from BishopFox. An advisory from SonicWall also names additional high severity CVEs in SonicOS that have been patched along with CVE-2024-53704.

Sophos’ CyberoamOS and EOL XG Firewalls Actively Exploited

Sophos, which acquired Cyberoam in 2014, has issued an alert and patch for CVE-2020-29574. CyberoamOS is part of Sophos’ product ecosystem. Aside from this CVE, Sophos XG Firewall, soon to be EOL, is also the subject of an active exploitation alert.

  • CVE-2020-29574 (CVSS 9.8): A critical SQL injection [CWE-89] vulnerability identified in the WebAdmin interface of CyberoamOS versions up to December 4, 2020. This flaw allows unauthenticated attackers to remotely execute arbitrary SQL statements, potentially gaining complete administrative access to the device. A hotfix patch has been issued, which also extends to some affected end-of-life (EOL) products.
  • CVE-2020-15069 (CVSS 9.8) is a critical Buffer Overflow vulnerability in Sophos XG Firewall versions 17.x through v17.5 MR12, allowing unauthenticated RCE via the HTTP/S Bookmarks feature for clientless access. This vulnerability, published in 2020, is now being actively exploited and has been added to CISA KEV, indicating heightened risk. Sophos released an advisory in 2020 when the vulnerability was disclosed, along with a hotfix for affected firewalls. The XG Series hardware appliances are scheduled to reach end-of-life (EOL) on March 31, 2025.

PrivEsc and Auth Bypasses in Fortinet FortiOS and FortiProxy

Fortinet disclosed two critical vulnerabilities, both affecting FortiOS and FortiProxy. The Canadian Centre for Cyber Security and the Belgian Centre for Cybersecurity have issued advisories. Fortinet acknowledges active exploitation of CVE-2024-55591 and has released official guidance that includes details on affected versions and recommended updates.

  • CVE-2024-55591 (CVSS 9.8): An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS allows a remote attacker to gain super-admin privileges via crafted requests to the Node.js websocket module. Multiple PoC exploits are available [1][2], increasing the risk of exploitation by low-skilled attackers.
  • CVE-2024-40591 (CVSS 8.8): Allows an authenticated administrator with Security Fabric permissions to escalate their privileges to super-admin by connecting the targeted FortiGate device to a malicious upstream FortiGate under their control.

Cisco Flaws Implicated as Initial Access Vectors in Telecom Hacks

In the past few months, China’s Salt Typhoon espionage group has routinely exploited at least two critical vulnerabilities in Cisco IOS XE devices to gain persistent access to telecommunications networks. Victims include an Italian ISP, a South African telecom, a large Thai telecom, and twelve universities worldwide including UCLA, Indonesia’s Universitas Negeri Malang and Mexico’s UNAM among others. Previously, Salt Typhoon had compromised at least nine U.S. telecoms, including Verizon, AT&T and Lumen Technologies. U.S. authorities claim Salt Typhoon’s goal is surveilling high-profile individuals, political figures and officials related to Chinese political interests.

CVEs exploited by Salt Typhoon include:

  • CVE-2023-20198 (CVSS 10): A privilege escalation flaw in Cisco IOS XE’s web interface. Used for initial access, allowing attackers to create an admin account.
  • CVE-2023-20273 (CVSS 7.2): Another privilege escalation flaw, used after gaining admin access to escalate privileges to root and establish a GRE (Generic Routing Encapsulation) tunnel for persistence.

Also, two other CVEs in Cisco products entered the radar in February 2025:

  • CVE-2023-20118 (CVSS 7.2): A command injection vulnerability in the web-based management interface of Cisco Small Business Routers allows authenticated, remote attackers to execute arbitrary commands with root-level privileges by sending crafted HTTP requests. CISA added CVE-2023-20118 to its KEV catalog, indicating evidence of active exploitation.
  • CVE-2023-20026 (CVSS 7.2): A command injection vulnerability in the web-based management interface of Cisco Small Business Routers RV042 Series allows authenticated, remote attackers with valid administrative credentials to execute arbitrary commands on the device. The flaw is due to improper validation of user input within incoming HTTP packets. While CVE-2023-20026 is not known to be exploited in any active campaigns, Cisco’s Product Security Incident Response Team (PSIRT) is aware that PoC exploit code for this vulnerability exists.

Ivanti Patches Four Critical Flaws

Four critical vulnerabilities were identified, affecting Ivanti Connect Secure (ICS), Policy Secure (IPS), and Cloud Services Application (CSA). No reports of active attacks in the wild or PoC exploits have emerged yet. Ivanti advises users to promptly update to the newest versions to address these critical vulnerabilities.

Here is a brief technical summary:

  • CVE-2025-22467 (CVSS 8.8): Attackers with credentials can achieve remote code execution (RCE) due to a stack-based buffer overflow [CWE-121] flaw in ICS versions prior to 22.7R2.6.
  • CVE-2024-38657 (CVSS 9.1): Attackers with credentials can write arbitrary files due to an external control of file name vulnerability in ICS versions before 22.7R2.4 and IPS versions before 22.7R1.3.
  • CVE-2024-10644 (CVSS 9.1): A code injection flaw in ICS (pre-22.7R2.4) and IPS (pre-22.7R1.3) allows arbitrary RCE to authenticated administrators.
  • CVE-2024-47908 (CVSS 7.2): An operating system command injection vulnerability [CWE-78] in CSA’s admin web console (versions before 5.0.5) allows arbitrary RCE to authenticated administrators.

Summary

This month’s Threat Report highlights key cybersecurity developments, including the evolving tactics of ransomware groups like Black Basta and the pervasive critical threat to edge network devices. With the support of AI tools, attackers are exploiting vulnerabilities faster, sometimes within hours of disclosure. Organizations must remain vigilant by adopting proactive security measures, continuously updating their defenses and leveraging threat intelligence to stay ahead of emerging threats.

This year, many large organizations around the world will be forced to reckon with the root-cause of cyber intrusions. Many known vulnerabilities are an open gateway to restricted network resources. Our first Threat Report of 2025 reviews some disastrous breaches from 2024 and then dives into some pressing cybersecurity vulnerabilities from this past month.

However, to be clear, the vulnerabilities discussed here merely scratch the surface. In January 2025, over 4,000 new CVEs (Common Vulnerabilities and Exposures) were published; 22 with the maximum CVSS score of 10, and 375 rated critical severity. The deluge of critical severity flaws in edge networking devices has not abated. Newly attacked flaws in products from global tech giants like Microsoft, Apple, Cisco, Fortinet, Palo Alto Networks, Ivanti, Oracle and others have been appended to CISA’s (Cybersecurity and Infrastructure Security Agency) Known Exploited Vulnerabilities (KEV) catalog.

Software Supply Chain: the User’s Responsibility

We are all running software we didn’t design ourselves. This places a huge emphasis on trust. Where trust is uncertain – whether due to fears of poor diligence, malice or human error – cybersecurity responsibility still rests on the end-user. Risk assurances depend heavily on technical knowledge and collective effort. Defenders need to remember these facts in 2025.

When supply chain security fails, ask why! Did the software vendor provide the required tools to take control of your own security outcomes? Is your IT security team executing diligent vulnerability discovery and remediation? Are your resources segmented with strong access controls? Have employees been trained to identify phishing attacks? Are other reasonable cybersecurity measures in place? Organizations need to mature their ransomware-readiness, implement regular vulnerability assessments and prioritized patch management. And they should verify reliable backup strategies can meet recovery targets and prioritize other fundamental security controls to protect sensitive data and prevent downtime.

Fortune Favors the Prepared

Assessing 2024, the UK’s NCSC (National Cyber Security Centre) annual review painted a grim picture: significant cyberattacks had increased three times compared to 2023. For a bird’s-eye view, CSIS (The Center for Strategic and International Studies) has posted an extensive list of the most significant cyber incidents of 2024. The landscape has been shaped by the Russia-Ukraine conflict and an accelerated shift from globalization to adversarialism.

Check Point Research found that 96% of all vulnerabilities exploited in 2024 were over a year old. These are positive findings for proactive defenders. Entities conducting vulnerability management will fare much better against targeted ransomware and mass exploitation attacks. One thing is clear: proactive cybersecurity reduces the cost of a breach.

Let’s review two of the most significant breaches from 2024:

  • The Change Healthcare Breach: Overall in 2024, breaches of healthcare entities were down from 2023’s record-setting year. However, the ransomware attack against Change Healthcare set a new record for the number of affected individuals at 190 million, with total costs so far reaching 2.457 billion US dollars. The State of Nebraska has now filed a lawsuit against Change Healthcare for operating outdated IT systems that failed to meet enterprise security standards. According to IBM, breaches in the healthcare industry are the most costly, averaging 9.77 million US dollars in 2024.
  • Typhoon Teams Breach 9 US Telecoms: The “Typhoon” suffix is used by Microsoft’s threat actor naming convention for groups with Chinese origins. The Chinese state-sponsored adversary known as Salt Typhoon infiltrated the networks of at least nine major U.S. telecommunications companies, accessing users’ call and text metadata and audio recordings of high-profile government officials. Volt Typhoon breached Singapore Telecommunications (SingTel) and other telecom operators globally. The “Typhoons” exploited vulnerabilities in outdated network devices, including unpatched Microsoft Exchange Server, Cisco routers, Fortinet and Sophos firewalls and Ivanti VPN appliances. Greenbone is able to detect all known software vulnerabilities associated with Salt Typhoon and Volt Typhoon attacks [1][2].

UK May Ban Ransomware Payments in Public Sector

The UK government’s framework to combat ransomware has proposed a ban on ransom payments by public sector entities and critical infrastructure operators, in hopes of deterring cyber criminals from targeting them in the first place. However, a new report from The National Audit Office (NAO), the UK’s independent public spending watchdog, says the “cyber threat to UK government is severe and advancing quickly”.

The FBI, CISA and NSA all advise against paying ransoms. After all, paying a ransom does not guarantee the recovery of encrypted data or prevent the public release of stolen data, and may even encourage further extortion. On the flip side, IBM’s security think-tank acknowledges that many SME organizations could not fiscally survive the downtime imposed by ransomware. While both sides make points here, could enriching cyber criminals while failing to shore up local talent result in a positive outcome?

Vulnerability in SonicWall SMA 1000 Actively Exploited

Microsoft Threat Intelligence has uncovered active exploitation of SonicWall SMA 1000 gateways via CVE-2025-23006 (CVSS 9.8 Critical). The flaw is caused by improper handling of untrusted data during deserialization [CWE-502]. It could allow an unauthenticated attacker with access to the internal Appliance Management Console (AMC) or Central Management Console (CMC) interface to execute arbitrary OS commands. SonicWall has released hotfix version 12.4.3-02854 to address the flaw.

While no publicly available exploit code has been identified, numerous government agencies have issued alerts including Germany’s BSI CERT-Bund, Canadian Center for Cybersecurity, CISA, and the UK’s NHS (National Health Service). Greenbone is able to detect SonicWall systems impacted by CVE-2025-23006 by remotely checking the version identified from the service banner.

CVE-2024-44243 for Persistent Rootkit in macOS

January 2025 was a firestorm month for Apple security. Microsoft Threat Intelligence has found time to security test macOS, discovering a vulnerability that could allow installed apps to modify the OS System Integrity Protection (SIP). According to Microsoft, this could allow attackers to install rootkits, persistent malware and bypass Transparency, Consent and Control (TCC) which grants granular access permissions to applications on a per-folder basis. While active exploitation has not been reported, Microsoft has released technical details on their findings.

As January closed, a batch of 88 new CVEs, 17 of them with critical severity CVSS scores, was published affecting the full spectrum of Apple products. One of these, CVE-2025-24085, was observed in active attacks and added to CISA’s KEV catalog. On top of these, dual speculative execution vulnerabilities in Apple’s M-series chips dubbed SLAP and FLOP were disclosed but have not yet been assigned CVEs. For SLAP, researchers leveraged chip flaws to exploit Safari WebKit’s heap allocation techniques and manipulated JavaScript string metadata to enable out-of-bounds speculative reads, allowing them to extract sensitive DOM content from other open website tabs. For FLOP, researchers demonstrated that sensitive data can be stolen from Safari and Google Chrome, bypassing JavaScript type checking in Safari WebKit and Chrome’s Site Isolation via WebAssembly.

Furthermore, five high severity vulnerabilities were also published affecting Microsoft Office for macOS, each potentially granting Remote Code Execution (RCE) to an attacker. Affected products include Microsoft Word (CVE-2025-21363), Excel (CVE-2025-21354 and CVE-2025-21362) and OneNote (CVE-2025-21402) for macOS. While no technical details about these vulnerabilities are yet available, all have high CVSS ratings and users should update as soon as possible.

The Greenbone Enterprise Feed includes detection for missing macOS security updates and many other CVEs affecting applications for macOS including the five newly disclosed CVEs in Microsoft Office for Mac.

6 CVEs in Rsync Allow Both Server and Client Takeover

The combination of two newly discovered vulnerabilities may allow the execution of arbitrary code on vulnerable rsyncd servers while having only anonymous read access. CVE-2024-12084, a heap buffer overflow, and CVE-2024-12085, an information leak flaw, are the culprits. Public mirrors using rsyncd represent the highest risk since they inherently lack access control.

The researchers also found that a weaponized rsync server can read and write arbitrary files on connected clients. This can allow theft of sensitive information and potentially execution of malicious code by modifying executable files.

Here is a summary of the new flaws ordered by CVSS severity:

Collectively, these flaws present serious risk of RCE, data exfiltration and installing persistent malware on both rsyncd servers and unsuspecting clients. Users must update to the patched version, thoroughly look for any Indicators of Compromise (IoC) on any systems that have used rsync, and potentially redeploy file sharing infrastructure. Greenbone is able to detect all known vulnerabilities in rsync and non-compliance with critical security updates.

CVE-2025-0411: 7-Zip Offers MotW Bypass

On January 25, 2025, CVE-2025-0411 (CVSS 7.5 High) was published affecting the 7-Zip archiver. The flaw allows bypassing the Windows security feature Mark of the Web (MotW) via specially crafted archive files. MotW tags files downloaded from the internet with a Zone.Identifier alternate data stream (ADS), so that Windows warns when they originate from an untrusted source. However, 7-Zip versions before 24.09 do not pass the MotW flag to files within nested archives. Exploiting CVE-2025-0411 to gain control of a victim’s system requires human interaction. Targets must open a trojanized archive and then further execute a malicious file contained within.

Interestingly, research from Cofense found government websites around the world have been leveraged for credential phishing, malware delivery and command-and-control (C2) operations via CVE-2024-25608, a Liferay digital platform vulnerability. This flaw allows attackers to redirect users from trusted .gov URLs to malicious phishing sites. Combining redirection from a trusted .gov domain with the 7-Zip flaw has significant potential for stealthy malware distribution.

Considering the risks, users should manually upgrade to version 24.09, which has been available since late 2024. As discussed in the introduction above, software supply chain security often lies in a grey zone; we all depend on software beyond our control. Notably, prior to the publication of CVE-2025-0411, 7-Zip had not alerted users to a security flaw. Furthermore, although 7-Zip is open-source, the product’s GitHub account does not reveal many details or contact information for responsible disclosure.

In addition, the CVE has triggered DFN-CERT and BSI CERT-Bund advisories [1][2]. Greenbone is able to detect the presence of vulnerable versions of 7-Zip.

Summary

This edition of our monthly Threat Report reviewed major breaches from 2024 and newly discovered critical vulnerabilities in January 2025. The software supply chain presents elevated risk to all organizations large and small from both open-source and closed-source products. However, open-source software offers transparency and the opportunity for stakeholders to engage proactively in their own security outcomes, either collectively or independently. While cybersecurity costs are significant, advancing technical capabilities will increasingly be a determinant factor in both enterprise and national security. Fortune favors the prepared.

October was European Cyber Security Month (ECSM) and International Cybersecurity Awareness Month, with the latter’s theme being “Secure Our World”. It’s safe to say that instilling best practices for online safety in individuals, businesses and critical infrastructure is mission critical in 2024. At Greenbone, in addition to our Enterprise vulnerability management products, we are happy to make enterprise grade IT security tools more accessible via our free Community Edition, Community Portal and vibrant Community Forum to discuss development, features and get support.

Our core message to cybersecurity decision makers is clear: To patch or not to patch isn’t a question. How to identify vulnerabilities and misconfigurations before an attacker can exploit them is. Being proactive is imperative; once identified, vulnerabilities must be prioritized and fixed. While alerts to active exploitation can support prioritization, waiting to act is unacceptable in high risk scenarios. Key performance indicators can help security teams and executive decision makers track progress quantitatively and highlight areas that need improvement.

In this month’s Threat Tracking blog post, we will review this year’s ransomware landscape including the root causes of ransomware attacks and replay some of the top cyber threats that emerged in October 2024.

International Efforts to Combat Ransomware Continue

The International Counter Ransomware Initiative (CRI), consisting of 68 countries and organizations (notably lacking Russia and China), convened in Washington, D.C., to improve ransomware resilience globally. The CRI aims to reduce global ransomware payments, improve incident reporting frameworks, strengthen partnerships with the cyber insurance industry to lessen the impact of ransomware incidents, and enhance resilience by establishing standards and best practices for both preventing and recovering from ransomware attacks.

Microsoft’s Digital Defense Report 2024 found the rate of attacks has increased so far in 2024, yet fewer breaches are reaching the encryption phase. The result is fewer victims paying ransom overall. Findings from Coveware, Kaseya, and the Chainalysis blockchain monitoring firm also affirm lower rates of payout. Still, ransomware gangs are seeing record profits; more than 459 million US dollars were extorted during the first half of 2024. This year also saw a new single incident high, a 75 million US dollar extortion payout, amid a trend towards “big game hunting” – targeting large firms rather than small and medium sized enterprises (SMEs).

What Is the Root Cause of Ransomware?

How are ransomware attacks succeeding in the first place? Root cause analyses can help: A 2024 Statista survey of organizations worldwide reports exploited software vulnerabilities are the leading root cause of successful ransomware attacks, implicated in 32% of successful attacks. The same survey ranked credential compromise the second-most common cause and malicious email (malspam and phishing attacks) third. Security experts from Symantec claim that exploitation of known vulnerabilities in public facing applications has become the primary initial access vector in ransomware attacks. Likewise, KnowBe4, a security awareness provider, ranked social engineering and unpatched software as the top root causes of ransomware.

These findings bring us back to our core message and highlight the importance of Greenbone’s industry leading core competency: helping defenders identify vulnerabilities lurking in their IT infrastructure so they can fix and close exploitable security gaps.

FortiJump: an Actively Exploited CVE in FortiManager

In late October 2024, Fortinet alerted its customers to a critical severity RCE vulnerability in FortiManager, the company’s flagship network security management solution. Dubbed “FortiJump” and tracked as CVE-2024-47575 (CVSS 9.8), the vulnerability is classified as “Missing Authentication for Critical Function” [CWE-306] in FortiManager’s fgfm daemon. Google’s Mandiant has retroactively searched logs and confirmed this vulnerability has been actively exploited since June 2024 and describes the situation as a mass exploitation scenario.

Another actively exploited vulnerability in Fortinet products, CVE-2024-23113 (CVSS 9.8) was also added to CISA’s KEV catalog during October. This time the culprit is an externally-controlled format string in FortiOS that could allow an attacker to execute unauthorized commands via specially crafted packets.

Greenbone is able to detect devices vulnerable to FortiJump, FortiOS devices susceptible to CVE-2024-23113 [1][2][3], and over 600 other flaws in Fortinet products.

Iranian Cyber Actors Serving Ransomware Threats

The FBI, CISA, NSA and other US and international security agencies issued a joint advisory warning of an ongoing Iranian-backed campaign targeting critical infrastructure networks particularly in healthcare, government, IT, engineering and energy sectors. Associated threat groups are attributed with ransomware attacks that primarily gain initial access by exploiting public facing services [T1190] such as VPNs. Other techniques used in the campaign include brute force attacks [T1110], password spraying [T1110.003], and MFA fatigue attacks.

The campaign is associated with exploitation of the following CVEs:

Greenbone can detect all CVEs referenced in the campaign advisories, providing defenders with visibility and the opportunity to mitigate risk. Furthermore, while not tracked as a CVE, preventing brute force and password spraying attacks is cybersecurity 101. While many authentication services do not natively offer brute force protection, add-on security products can be configured to impose a lockout time after repeated login failures. Greenbone can attest compliance with CIS security controls for Microsoft RDP including those that prevent brute-force and password spraying login attacks.
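The paragraph above recommends lockouts after repeated login failures and notes that brute force and password spraying look different on the wire: brute force hammers one account from one source, spraying tries many accounts with few attempts each. The following is an added example, not code from the original post or from Greenbone, that runs both detections over a handful of constructed, simplified sshd-style log lines (the log format, the IP addresses, the user names and the thresholds are all assumptions chosen for the example):

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a simplified sshd-like format (not real logs).
# 203.0.113.7 hammers one account (brute force); 198.51.100.9 tries one
# password against five different accounts (spraying); 192.0.2.44 is a user
# who mistyped once and then logged in.
SAMPLE_LOG = """\
2024-10-12T09:00:01 Failed password for alice from 203.0.113.7
2024-10-12T09:00:02 Failed password for alice from 203.0.113.7
2024-10-12T09:00:03 Failed password for alice from 203.0.113.7
2024-10-12T09:00:04 Failed password for alice from 203.0.113.7
2024-10-12T09:00:05 Failed password for alice from 203.0.113.7
2024-10-12T09:00:06 Failed password for alice from 203.0.113.7
2024-10-12T09:01:00 Failed password for bob from 198.51.100.9
2024-10-12T09:01:05 Failed password for carol from 198.51.100.9
2024-10-12T09:01:10 Failed password for dave from 198.51.100.9
2024-10-12T09:01:15 Failed password for erin from 198.51.100.9
2024-10-12T09:01:20 Failed password for frank from 198.51.100.9
2024-10-12T09:05:00 Failed password for bob from 192.0.2.44
2024-10-12T09:05:30 Accepted password for bob from 192.0.2.44
"""

LINE_RE = re.compile(r"^(\S+) (Failed|Accepted) password for (\S+) from (\S+)$")

def parse_failures(log_text):
    """Yield (timestamp, user, ip) for every failed login line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(2) == "Failed":
            yield datetime.fromisoformat(m.group(1)), m.group(3), m.group(4)

def max_in_window(times, window):
    """Largest number of events that fall inside any window-sized interval."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def max_distinct_users_in_window(events, window):
    """Largest number of distinct target users inside any window-sized interval."""
    events = sorted(events)  # (timestamp, user)
    counts, best, start = Counter(), 0, 0
    for t, user in events:
        counts[user] += 1
        while t - events[start][0] > window:
            old_user = events[start][1]
            counts[old_user] -= 1
            if counts[old_user] == 0:
                del counts[old_user]
            start += 1
        best = max(best, len(counts))
    return best

def analyze(log_text, window=timedelta(minutes=10),
            lockout_threshold=5, spray_threshold=5):
    """Return brute-force (ip, user, attempts) and spraying (ip, users) findings.

    The thresholds mirror a lockout policy: lockout_threshold failures against
    one account from one source, or spray_threshold distinct accounts from one
    source, inside the window. Both numbers are example values, not a standard.
    """
    per_target = defaultdict(list)   # (ip, user) -> [timestamps]
    per_source = defaultdict(list)   # ip -> [(timestamp, user)]
    for t, user, ip in parse_failures(log_text):
        per_target[(ip, user)].append(t)
        per_source[ip].append((t, user))

    brute_force = []
    for (ip, user), times in per_target.items():
        n = max_in_window(times, window)
        if n >= lockout_threshold:
            brute_force.append((ip, user, n))

    spraying = []
    for ip, events in per_source.items():
        n = max_distinct_users_in_window(events, window)
        if n >= spray_threshold:
            spraying.append((ip, n))

    return {"brute_force": brute_force, "spraying": spraying}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The sliding window matters for both rules: a fixed per-day count would lock out a legitimate user who fat-fingers a password a few times a week, while a spraying actor that spreads one attempt per account over hours stays under any single-account threshold and is only visible when failures are grouped by source and counted by distinct target.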

Finally, according to Annex I, Part I (2)(d) of the EU’s Cyber Resilience Act (CRA), products with digital elements must “ensure protection from unauthorized access by appropriate control mechanisms”, including systems for authentication, identity and access management, and should also report any instances of unauthorized access. This implies that going forward the EU will eventually require all products to have built-in brute force protection rather than relying on third-party rate limiting tools such as fail2ban for Linux.
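The lockout described above, as an added example that is not part of the original post: a sliding-window policy that locks an account after repeated failures, plus a per-source counter, because a per-account threshold alone never fires during password spraying, where each account sees only one or two failures. The thresholds, window lengths and the login events are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    """Sliding-window lockout keyed on the account and on the source address."""
    window_s: float = 300.0     # failures older than this are forgotten (assumed)
    lockout_s: float = 900.0    # how long a lock lasts (assumed)
    per_account: int = 5        # brute force: many failures against one account
    per_source: int = 20        # spraying: few failures each across many accounts
    _fails: dict = field(default_factory=dict)   # key -> deque of failure times
    _locked: dict = field(default_factory=dict)  # key -> time the lock expires

    def _record(self, key, now, limit):
        q = self._fails.setdefault(key, deque())
        q.append(now)
        while q and now - q[0] > self.window_s:   # drop failures outside the window
            q.popleft()
        if len(q) >= limit:
            self._locked[key] = now + self.lockout_s
            q.clear()

    def is_locked(self, key, now) -> bool:
        return self._locked.get(key, 0) > now

    def attempt(self, user, src_ip, ok, now) -> str:
        """Returns 'locked', 'allowed' or 'failed' for one login attempt.
        A lock blocks the attempt even when the supplied password is correct."""
        if self.is_locked(("user", user), now) or self.is_locked(("src", src_ip), now):
            return "locked"
        if ok:
            return "allowed"
        self._record(("user", user), now, self.per_account)
        self._record(("src", src_ip), now, self.per_source)
        return "failed"


def replay(policy, events):
    """Feed (time, user, src_ip, ok) events through the policy; returns the decisions."""
    return [policy.attempt(u, s, ok, t) for (t, u, s, ok) in events]


# Constructed events: six failures against one account, then one failure per account
# from a single address across 25 accounts (a spray). Only the source counter catches
# the second pattern; every individual account stays under the per-account limit.
BRUTE_FORCE = [(t, "alice", "203.0.113.5", False) for t in range(6)]
SPRAY = [(100 + i, f"user{i}", "198.51.100.7", False) for i in range(25)]
```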

Unencrypted Cookies in F5 BIG-IP LTM Actively Exploited

CISA has observed that cyber threat actors are exploiting unencrypted persistent cookies on F5 BIG-IP Local Traffic Manager (LTM) systems. Once stolen, the cookies are used to identify other internal network devices, which can further allow passive detection of vulnerabilities within a network. Like most web applications, BIG-IP passes an HTTP cookie between the client and server to track user sessions. The cookie, by default, is named BIGipServer<pool_name> and its value contains the encoded IP address and port of the destination server.

F5 BIG-IP is a network traffic management suite and LTM is the core module that provides load balancing and traffic distribution across servers. CISA advises organizations to ensure persistent cookies are encrypted. F5 offers guidance for setting up cookie encryption and a diagnostic tool, BIG-IP iHealth, to detect unencrypted cookie persistence profiles.

While active exploitation increases the threat to organizations that have not remediated this weakness, the vulnerability has been known since early 2018. Greenbone has included detection for this weakness since January 2018, allowing users to identify and close the security gap presented by unencrypted cookies in F5 BIG-IP LTM since its disclosure.
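A check for the weakness described above, as an added example that is not Greenbone's or F5's own code: it scans Set-Cookie headers for BIGipServer cookies whose value still has the plaintext layout (IP address as a little-endian 32-bit integer, port as a little-endian 16-bit integer, then ".0000") and decodes it to show what the cookie exposes. An encrypted persistence cookie is an opaque blob and does not match. The header samples are constructed.

```python
from __future__ import annotations
import re
import struct
from typing import Optional

# Plaintext persistence value: "<ip as LE uint32>.<port as LE uint16>.0000"
PLAIN_VALUE = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")


def decode_plain_value(value: str) -> Optional[tuple[str, int]]:
    """Decode an unencrypted BIGipServer value into (ip, port), or None if the
    value is not in the plaintext layout (which is what an encrypted cookie looks like)."""
    m = PLAIN_VALUE.match(value)
    if not m:
        return None
    ip_int, port_int = int(m.group(1)), int(m.group(2))
    if ip_int > 0xFFFFFFFF or port_int > 0xFFFF:
        return None
    ip = ".".join(str(b) for b in struct.pack("<I", ip_int))      # byte order reversal
    port = struct.unpack(">H", struct.pack("<H", port_int))[0]     # swap the two port bytes
    return ip, port


def audit_set_cookie_headers(headers: list[str]) -> list[dict]:
    """Flag Set-Cookie headers that carry an unencrypted BIG-IP persistence cookie."""
    findings = []
    for h in headers:
        if h.lower().startswith("set-cookie:"):
            h = h[len("set-cookie:"):]
        name, _, rest = h.partition("=")
        name = name.strip()
        if not name.startswith("BIGipServer"):
            continue
        value = rest.split(";", 1)[0].strip()
        decoded = decode_plain_value(value)
        if decoded:
            findings.append({"cookie": name, "pool": name[len("BIGipServer"):], "backend": decoded})
    return findings


# Constructed samples: one plaintext persistence cookie, one opaque (encrypted-style)
# value and one unrelated cookie. Only the first should be reported.
SAMPLE_HEADERS = [
    "Set-Cookie: BIGipServerweb_pool=1677787402.36895.0000; path=/",
    "Set-Cookie: BIGipServerapp_pool=!zR3kQ9pLmN2vXwYbT8cK0; path=/",
    "Set-Cookie: sessionid=d41d8cd98f00b204; HttpOnly; Secure",
]
```

The plaintext sample decodes to 10.1.1.100:8080, which is exactly the internal host and port the cookie leaks to anyone who can read it.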

New High Risk Vulnerabilities in Palo Alto Expedition

Several new high-risk vulnerabilities have been disclosed in Palo Alto’s Expedition, a migration tool designed to streamline the transition from third-party security configurations to Palo Alto’s PAN-OS. While not observed in active campaigns yet, two of the nine total CVEs assigned to Palo Alto in October were rated with EPSS scores in the top 98th percentile. EPSS (Exploit Prediction Scoring System) is a machine learning prediction model that estimates the likelihood of a CVE being exploited in the wild within the 30 days following the prediction.

Here is a brief technical description of each CVE:

  • CVE-2024-9463 (CVSS 7.5, EPSS 91.34%): An OS command injection vulnerability in Palo Alto’s Expedition allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations and device API keys of PAN-OS firewalls.
  • CVE-2024-9465 (CVSS 9.1, EPSS 73.86%): An SQL injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to reveal sensitive database contents, such as password hashes, usernames, device configurations and device API keys. Once this information has been obtained, attackers can create and read arbitrary files on affected systems.

Four Critical CVEs in Mozilla Firefox: One Actively Exploited

As mentioned before on our Threat Tracking blog, browser security is critical for preventing initial access, especially on workstation devices. In October 2024, seven new critical severity and 19 other less critical vulnerabilities were disclosed in Mozilla Firefox < 131.0 and Thunderbird < 131.0.1. One of these, CVE-2024-9680, was observed being actively exploited against Tor network users and was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. Greenbone includes vulnerability tests to identify all affected Mozilla products.

The seven new critical severity disclosures are:

  • CVE-2024-9680 (CVSS 9.8): Attackers achieved unauthorized RCE in the content process by exploiting a Use-After-Free in Animation timelines. CVE-2024-9680 is being exploited in the wild.
  • CVE-2024-10468 (CVSS 9.8): Potential race conditions in IndexedDB allow memory corruption, leading to a potentially exploitable crash.
  • CVE-2024-9392 (CVSS 9.8): A compromised content process enables arbitrary loading of cross-origin pages.
  • CVE-2024-10467, CVE-2024-9401 and CVE-2024-9402 (CVSS 9.8): Memory safety bugs present in Firefox showed evidence of memory corruption. Security researchers presume that with enough effort some of these could have been exploited to run arbitrary code.
  • CVE-2024-10004 (CVSS 9.1): Opening an external link to an HTTP website when Firefox iOS was previously closed and had an HTTPS tab open could result in the padlock icon showing an HTTPS indicator incorrectly.

Summary

Our monthly Threat Tracking blog covers major cybersecurity trends and high-risk threats. Key insights for October 2024 include expanded efforts to counter ransomware internationally and the role proactive vulnerability management plays in preventing successful ransomware attacks. Other highlights include Fortinet and Palo Alto vulnerabilities actively exploited and updates on an Iranian-backed cyber attack campaign targeting public-facing services of critical infrastructure sector entities. Additionally, F5 BIG-IP LTM’s unencrypted cookie vulnerability, exploited for reconnaissance, and four new Mozilla Firefox vulnerabilities, one actively weaponized, underscore the need for vigilance.

Greenbone facilitates identification and remediation of these vulnerabilities and more, helping organizations enhance resilience against evolving cyber threats. Prioritizing rapid detection and timely patching remains crucial for mitigating risk.

For several years in a row, the Californian manufacturer Fortinet has been in the public focus due to serious security problems. Known for its secure firewall, VPN and intrusion detection devices, the cyber security expert was again forced to announce several highly critical security vulnerabilities in February 2024.

Staying informed and applying patches promptly is what companies need to proactively protect themselves against such attacks. Products such as Greenbone’s Enterprise Appliances play a central role in this and are meant to help admins. All the vulnerabilities mentioned in this blog post are covered by tests from the Greenbone Enterprise Feed: active procedures check whether the exploit is possible, and versioning tests will deliver results about the success of patch management.

87,000 passwords: Fortinet wins “Vulnerability of the Year 2022”

In 2019, CVE-2018-13379 (CVSS 9.8) allowed over 87,000 passwords for the Fortinet VPN to be read from the devices. In the following years, this vulnerability was exploited so successfully that in 2022 it was awarded the dubious title of “most exploited vulnerability of 2022”. The US authorities reacted and urged all of their clients to be more aware of the problem: the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) all warned that many customers did not apply patches promptly. Again, lack of foresight turned out to be one of the main reasons. Patching, the agencies said, would have prevented many of the successful attacks.

2023: Unwanted guests in critical networks

What makes matters worse is that Fortinet devices are mostly used in security-critical areas. Unpatched and equipped with serious vulnerabilities, such devices have become the focus of attackers in recent years, especially state actors. In 2023, for example, Chinese hacker groups successfully infiltrated Dutch military networks via a vulnerability in the FortiOS SSL VPN from December 2022 that had actually already been patched for a while (CVE-2022-42475, CVSS 9.3).

Even though the network was only used for research and development according to the Military Intelligence and Security Service (MIVD), the attacks published at the beginning of February made it clear how easy it is for attackers to penetrate even highly protected networks. Worse still, the corresponding backdoor “Coathanger” allows attackers to gain permanent access to devices once they have been hacked, all thanks to CVE-2022-42475, which allows the execution of arbitrary code.

February 2024: Warnings of further vulnerabilities, maximum severity

Unfortunately, the story does not end here: Fortinet also had to admit another serious vulnerability at the beginning of February 2024: CVE-2024-21762 (CVSS score: 9.6) allows unauthorized attackers to execute arbitrary code via specially crafted requests. A long list of versions of the Fortinet operating system FortiOS and FortiProxy are affected. The manufacturer advises upgrading or deactivating the SSL VPN and warns of both the severity of the vulnerability and the fact that it is already being massively exploited by attackers.

Fortinet seemed to have some organizational issues, too. CVE-2024-23108 and CVE-2024-23109, published just a few days later, sounded just as bad: they also allow unauthenticated attackers to execute arbitrary code. However, these CVEs have to be taken with a grain of salt: the fact that two CVEs from the same manufacturer received a 10.0 on the threat severity scale on the same day is probably unique and raised some experts’ eyebrows. Apart from that, the confusing communication from the vendor did little to build or maintain trust, much like the strange story of toothbrush-based attacks told by a Fortinet employee, which reached the mass media at the same time.

Fatal combination – vulnerability management can help

As always, Fortinet published patches promptly, but customers also have to install them. Again, the combination of serious security vulnerabilities, lack of awareness and the absence of patches showed its full impact: only a few days later the US government pushed out another advisory from CISA, NSA and FBI about Volt Typhoon, a Chinese state hacker group. The US government had evidence that these attackers had been nesting permanently in the critical infrastructure of US authorities for many years via such vulnerabilities – the associated risks should not be underestimated, according to the warning.

The security by design required there also includes the constant monitoring of one’s own servers, computers and installations with vulnerability tests such as those of Greenbone Enterprise Appliances. Those who constantly monitor their networks (not just Fortinet devices) with the vulnerability tests of a modern vulnerability scanner can inform their administrators as quickly as possible if known CVEs in an infrastructure are waiting for patches, reducing the attack surface.