This Month in Cybersecurity - January Edition

Zero-Day Exploit to Hijack Firewalls Warned of by Fortinet

A serious security flaw has been discovered in FortiOS and FortiProxy, affecting several versions of Fortinet's firewall software. This vulnerability, known as CVE-2024-55591, allows hackers to bypass authentication and gain remote access with super-admin privileges. Attackers are exploiting this flaw to create unauthorized admin accounts, alter firewall settings, and establish hidden connections to company networks through SSL VPNs.

Cybersecurity firm Arctic Wolf reported that these attacks have been ongoing since mid-November 2024, with hackers targeting firewalls that are exposed to the internet. Once inside, the attackers create fake user accounts, change firewall rules, and use those accounts to tunnel into internal systems. Fortinet has advised organizations to immediately restrict management access or disable the administrative interfaces to prevent further exploitation.

The attackers' activities follow a clear pattern, starting with vulnerability scanning and progressing through reconnaissance, system modifications, and lateral movement within networks. Fortinet has acknowledged the issue and released security patches to address the flaw. Companies using affected versions are urged to apply these updates and monitor their systems for signs of unauthorized access.


Microsoft to Litigate Cybercriminals Using AI

Microsoft is taking legal action against cybercriminals who are using generative AI (GenAI) tools to create harmful content. The company has filed a lawsuit in Virginia, highlighting how some criminals bypass security measures to exploit AI services for malicious purposes. Despite Microsoft's efforts to develop secure AI products, these cybercriminals continue to find ways to misuse the technology, and Microsoft is determined to stop the weaponization of its AI systems.

In the legal filings, Microsoft revealed that a foreign-based group had been using stolen customer credentials to gain unauthorized access to generative AI services. They manipulated these tools to produce harmful content and sold this access to other criminals. Microsoft has since revoked the group’s access and strengthened security measures to prevent such misuse in the future. The company also encourages organizations and governments to adopt safeguards against the risks posed by AI-generated threats.


Additional BeyondTrust Exploit Added to CISA’s KEV List

The US Cybersecurity and Infrastructure Security Agency (CISA) is urging federal agencies to patch a second vulnerability in BeyondTrust's remote access tools, as it has been actively exploited by cybercriminals. This flaw, tracked as CVE-2024-12686, is a medium-severity issue that allows attackers with administrative privileges to upload malicious files and execute harmful commands on the system. It was discovered during an investigation into a breach that affected a limited number of BeyondTrust's customers, including a US Treasury Department instance.

The breach, which was linked to Chinese hackers known as Silk Typhoon, was disclosed on December 31. The hackers used a compromised API key to access remote services and target several organizations, including the US Treasury. In early December, BeyondTrust had already identified a critical vulnerability, CVE-2024-12356, which was also being exploited. CISA had added this first flaw to its list of known exploited vulnerabilities in mid-December.

CISA is now requiring federal agencies to identify and patch affected BeyondTrust systems by February 3, 2024, as part of its Binding Operational Directive (BOD) 22-01. Although this directive applies specifically to federal agencies, CISA advises all organizations to review its list of vulnerabilities and prioritize patching or removing affected products. The breach reportedly targeted sensitive areas within the Treasury, including departments handling foreign investments and sanctions.


Defensible Strategies

Learn from those who have been attacked

AWS Keys Being Abused in Ransomware Attacks

A cybersecurity attack has been discovered where a hacker, known as Codefinger, uses stolen AWS credentials to encrypt data stored in Amazon S3 buckets and then demands a ransom to release the encryption keys. The hacker takes advantage of AWS's encryption feature, Server-Side Encryption with Customer Provided Keys (SSE-C), which means only the attacker holds the key necessary to decrypt the data. This attack doesn't exploit any vulnerabilities in AWS itself but relies on gaining access to a customer's account credentials.

The hacker searches for AWS keys with permissions to read and write data in S3 buckets. Once they find these keys, they use them to encrypt files using a locally generated AES-256 encryption key, which AWS processes but does not store. Because AWS only logs a hashed version of the key (an HMAC), it is impossible to reconstruct or recover the original encryption key, leaving the encrypted data inaccessible without the attacker's key.

To pressure the victim, the hacker places a ransom note in the affected directories and threatens to delete the files within seven days using AWS's Object Lifecycle Management API. Organizations can reduce the risk of such attacks by carefully configuring permissions and limiting who can apply SSE-C encryption to sensitive data in their S3 buckets.
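The two defensive angles the paragraph above points at, detecting SSE-C re-encryption and short lifecycle expirations in CloudTrail and denying SSE-C uploads by bucket policy, as an added example that is not part of the original newsletter. It assumes CloudTrail S3 data events report customer-key encryption as additionalEventData.SSEApplied == "SSE_C" and that lifecycle changes appear as PutBucketLifecycle management events; the records below are constructed for this example and the access key IDs are placeholders.

```python
import json
from collections import defaultdict

# Condition key AWS evaluates for SSE-C requests (the customer-algorithm header).
SSEC_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"

# Constructed CloudTrail-style records, trimmed to the fields this example uses.
SAMPLE_EVENTS = [
    {"eventName": "PutObject", "userIdentity": {"accessKeyId": "AKIAEXAMPLE1"},
     "requestParameters": {"bucketName": "finance-reports", "key": "q3.xlsx"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},          # normal write
    {"eventName": "CopyObject", "userIdentity": {"accessKeyId": "AKIAEXAMPLE2"},
     "requestParameters": {"bucketName": "finance-reports", "key": "q3.xlsx"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},            # object re-encrypted in place
    {"eventName": "PutObject", "userIdentity": {"accessKeyId": "AKIAEXAMPLE2"},
     "requestParameters": {"bucketName": "finance-reports", "key": "README.txt"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},            # ransom note dropped
    {"eventName": "PutBucketLifecycle", "userIdentity": {"accessKeyId": "AKIAEXAMPLE2"},
     "requestParameters": {"bucketName": "finance-reports",
                           "LifecycleConfiguration": {"Rule": {
                               "Status": "Enabled", "Expiration": {"Days": 7}}}}},
]


def find_ssec_writes(events):
    """Group SSE-C object writes by access key and bucket.

    Returns {access_key_id: {bucket: [object keys]}} so a responder can see
    which credential re-encrypted which data.
    """
    hits = defaultdict(lambda: defaultdict(list))
    for ev in events:
        if ev.get("eventName") not in ("PutObject", "CopyObject"):
            continue
        if ev.get("additionalEventData", {}).get("SSEApplied") != "SSE_C":
            continue
        params = ev.get("requestParameters", {})
        key_id = ev.get("userIdentity", {}).get("accessKeyId", "unknown")
        hits[key_id][params.get("bucketName")].append(params.get("key"))
    return {k: dict(v) for k, v in hits.items()}


def find_short_expirations(events, max_days=7):
    """Return (bucket, days) for enabled lifecycle rules expiring objects within max_days."""
    found = []
    for ev in events:
        if ev.get("eventName") != "PutBucketLifecycle":
            continue
        params = ev.get("requestParameters", {})
        rules = params.get("LifecycleConfiguration", {}).get("Rule", [])
        if isinstance(rules, dict):      # a single rule is serialized as an object
            rules = [rules]
        for rule in rules:
            days = rule.get("Expiration", {}).get("Days")
            if rule.get("Status") == "Enabled" and days is not None and days <= max_days:
                found.append((params.get("bucketName"), days))
    return found


def ssec_deny_statement(bucket):
    """Bucket-policy statement that refuses any upload carrying an SSE-C header.

    "Null": false means "the condition key IS present", so only SSE-C requests
    are denied; SSE-S3 and SSE-KMS uploads are unaffected.
    """
    return {
        "Sid": "DenySSECUploads",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"Null": {SSEC_KEY: "false"}},
    }


if __name__ == "__main__":
    print(json.dumps(find_ssec_writes(SAMPLE_EVENTS), indent=2))
    print(find_short_expirations(SAMPLE_EVENTS))
    print(json.dumps(ssec_deny_statement("finance-reports"), indent=2))
```

The deny statement also blocks CopyObject into the bucket with SSE-C, because a copy needs s3:PutObject on its destination.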


Potential Ban for Ransomware Payout Debated by UK Government

The UK government is considering a total ban on ransomware payments across the public sector as part of a consultation aimed at reducing the growing threat of ransomware attacks. This move would extend the current policy, which prevents central government departments from paying ransoms, to include hospitals, schools, local authorities, and critical national infrastructure. The consultation, running from January 14 to April 8, will explore three proposals, with the first suggesting a full payment ban for public sector organizations and mandatory reporting of incidents to help law enforcement.

A second, more restrictive proposal would create a "ransomware payment prevention regime," where public sector organizations would need government approval before paying a ransom. The third, less aggressive option, would introduce a mandatory reporting law for ransomware incidents to provide better data for cybercrime investigations without banning payments. The government aims to disrupt financially motivated criminals by cutting off their financial sources and improving incident reporting and response.

While some experts support a ransom payment ban to disrupt cybercriminals, others warn that it could have unintended consequences, such as victims seeking alternative ways to pay ransoms or avoiding law enforcement. Despite these concerns, the UK’s National Cyber Security Centre (NCSC) supports the consultation, emphasizing the importance of strengthening defenses against ransomware and continuing operations after an attack. The debate around these proposals will continue, as cybersecurity threats in the UK continue to rise.

Cyber Defense Institute is now Orion Secure!

We are very excited to share some exciting news we’ve been working on for a while: as of December 30, Cyber Defense Institute will officially transition to a new name, Orion Secure. While our name and visual identity may be changing, we want to assure you that what you know and love about our personalized services remains exactly the same.

Why We Are Making This Change:

Over time, our work and relationships with customers like you have grown beyond what we originally envisioned. With this growth, we felt it was important to have a name that better represents our mission, our evolving capabilities, and the value we strive to bring to you.

Why Orion Secure?

In Greek mythology, Orion was a mighty hunter who stood out among the stars - a symbol of vigilance and strength. In much the same way, we are dedicated to vigilantly safeguarding your digital realm. By adopting this constellation-inspired name, we aim to reinforce our mission: to stand watch over your cybersecurity needs, just as Orion shines brightly in the night sky.

What Will Remain the Same:

  • Your Experience: Every project, conversation, and interaction will continue to receive the same dedicated support you’ve come to rely on.

  • Our Team: You’ll still work with the same skilled, caring professionals who understand your unique needs and goals.

  • Our Values: The core values that guide our day-to-day operations—integrity, transparency, and a customer-first approach—are not changing.

  • Legal Structure: The company remains the same legal entity. This name change does not signify a change in corporate structure, ownership, acquisition, merger or sale. We continue to operate independently, just as we always have.

What to Expect Next:

  • Updated Branding: Our new name, Orion Secure, and logo will begin appearing on our website, email addresses, and other materials. You will see us transition to the domain orion-secure.com.

  • Smooth Transition: Because we remain the same team and offer the same services, you will not experience any changes or disruptions. Apart from our updated name and branding, your day-to-day interactions with us will stay exactly as they have been—smooth and reliable.

We’re thrilled about this new chapter and grateful for your continued trust and support. If you have any questions about the transition, feel free to respond to this email or reach out through our usual contact channels.

Thank you for being a valued member of our community.

This Month in Cybersecurity - December Edition

SonicWall SSL VPN Firewalls Exposed to Critical Flaws

Over 25,000 SonicWall SSLVPN devices are vulnerable to serious security flaws, according to a recent analysis by cybersecurity firm Bishop Fox. These devices, used to provide secure remote access for businesses, are exposed to the internet and are targeted by attackers, including ransomware groups. Many of the vulnerable devices are running outdated or unsupported firmware, with around 20,000 using software versions that the company no longer supports.

Bishop Fox used internet scanning tools to identify over 430,000 SonicWall devices exposed online, meaning attackers can easily access them and search for weaknesses. Some of the devices are running older Series 4 and 5 firmware, which have reached the end of life and are no longer receiving security updates. Many other devices are using unsupported versions of Series 6 firmware, leaving them open to known exploits.

While improvements have been made since earlier in the year, with fewer vulnerable devices, over 119,000 devices are still at risk. The majority of these are running Series 7 firmware but have not been updated to fix critical security flaws. The findings show that many organizations are slow to patch their devices, leaving them exposed to potential attacks.


CISA Updates KEV with Microsoft and Adobe Flaws

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. One is in Microsoft Windows Kernel-Mode Driver (CVE-2024-35250), which can allow attackers to gain high-level system privileges with low effort, making it a serious risk for Windows users. The second is in Adobe ColdFusion (CVE-2024-20767), where an attacker can gain unauthorized access to files, particularly if the admin panel is exposed. Both vulnerabilities have high severity ratings, with scores of 7.8 and 7.4, respectively.

CISA has ordered federal agencies to address these vulnerabilities by early 2025 to prevent potential exploitation. While there have been no reports of active ransomware attacks using these specific flaws, CISA’s guidance is also directed at private organizations, urging them to review and fix any vulnerabilities listed in the catalog. This ongoing effort is part of a broader initiative to strengthen cybersecurity across U.S. infrastructure.


Okta Support Warns of Increased Phishing Attacks

Okta, a major provider of identity and authentication solutions, has warned organizations about a rise in phishing attacks impersonating its support team. These attacks aim to steal Okta credentials, which can allow cybercriminals to access sensitive systems. Okta's own security team, as well as its customers, are frequently targeted by bad actors due to the widespread use of Okta across many large enterprises.

The company has advised users to be vigilant for support-related phishing emails or calls, stressing that legitimate Okta support staff will never ask for passwords or multi-factor authentication (MFA) tokens. Okta has provided customers with a list of legitimate contact details and tips for spotting suspicious messages, such as unusual email addresses, urgent language, and misspelled content. The evolving tactics of these phishing attacks, enhanced by AI tools like ChatGPT, have made it harder to detect traditional phishing signs.

This warning comes after Okta faced a major data breach last year, which compromised information about its customer support system users, underscoring the importance of vigilance against such social engineering attacks.


Defensible Strategies

Learn from those who have been attacked

Large Data Breach Impacts Texas Tech University

Texas Tech University has announced that a ransomware attack on its Health Sciences Center and Health Sciences Center El Paso compromised the personal information of over 1.4 million individuals. The cyberattack, which occurred between September 17 and September 29, 2024, resulted in the theft of sensitive data, including names, addresses, Social Security numbers, health insurance details, medical diagnoses, and financial account information. The attack was discovered when the university experienced disruptions to its systems and applications.

While the university has not explicitly confirmed the use of ransomware, the Interlock ransomware group has claimed responsibility, stating they stole around 2.5 terabytes of data, including patient records and medical research. Interlock is known for targeting organizations in healthcare and other sectors using double-extortion tactics, where they encrypt data and demand ransom while also threatening to release it. The university is offering free credit monitoring to affected individuals and has reported the breach to the U.S. Department of Health and Human Services.

This breach is not the only cyberattack targeting Texas Tech University. Earlier in July, another ransomware group, Meow, claimed to have stolen sensitive data from the university, including emails and passwords, and was attempting to sell this information. Despite these ongoing attacks, Texas Tech University is working to secure its systems and assist those affected by the breaches.


Google Calendar Invites Abused in Phishing Campaign

A new phishing campaign has been spreading rapidly, using Google Calendar invites to trick users into revealing sensitive information. Attackers spoof Google Calendar notifications, making them appear as legitimate invites from trusted sources. Initially, the phishing attempts included malicious .ics files, but to avoid detection by email security systems, the attackers have now embedded links to Google Drawings and Google Forms. The aim of the attack is to steal user credentials and defraud victims through financial scams, such as credit card fraud or unauthorized transactions.

The campaign targets a massive user base, as Google Calendar is used by over 500 million people worldwide. Researchers have observed over 4,000 phishing emails over a four-week period, with fake invites referencing about 300 well-known brands to make them seem more authentic. Once users click on a disguised link, they are directed to a fraudulent page that mimics a cryptocurrency or bitcoin support site, where they are prompted to enter personal and payment details.

To protect against these types of attacks, experts recommend enabling Google's "known senders" setting in Google Calendar, which alerts users when they receive invites from unfamiliar sources. Additionally, businesses should use advanced email security tools, such as attachment scanning and URL checks, and encourage employees to use multifactor authentication (MFA) and be aware of sophisticated phishing tactics. These steps can help reduce the risk of falling victim to these types of financial scams.

As always, if you have any questions or would like to take a look at phishing training, please reach out to us!

This Month in Cybersecurity - November Edition

Progress Kemp LoadMaster and VMware Under Exploitation

Two major security vulnerabilities, now patched, are being actively exploited by cybercriminals. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned about a critical flaw (CVE-2024-1212) in the Progress Kemp LoadMaster, a device used for load balancing. This vulnerability allows attackers to remotely execute commands on the system through its management interface, potentially giving them full access. Although it was patched in February 2024, CISA has now added it to its list of actively exploited vulnerabilities, urging quick remediation, especially by government agencies.

In addition, security issues have been identified in VMware's vCenter Server. Two flaws (CVE-2024-38812 and CVE-2024-38813) were revealed, one allowing remote code execution and the other enabling attackers to gain higher privileges on the system. These vulnerabilities were initially fixed in September 2024, but VMware had to release additional patches after realizing the first ones didn't fully resolve the problems. Both issues are now being targeted in real-world attacks, with cybercriminals exploiting them for malicious purposes.


Updates to Security Coming to Microsoft in 2025

Last summer, a flaw in a CrowdStrike security update caused major disruptions, damaging millions of PCs and servers worldwide. The incident exposed serious weaknesses in Windows' architecture, as fixing the problem required manual intervention on every affected device. In response, Microsoft announced new security measures designed to prevent similar issues in the future. These include new Safe Deployment Practices that ensure security updates are tested and deployed gradually, rather than all at once, allowing vendors to detect and fix problems before they cause widespread damage.

Microsoft is also introducing a feature called Quick Machine Recovery, which will help IT teams fix machines stuck in reboot loops due to faulty updates or drivers, without needing physical access to the devices. This feature, available for testing in early 2025, will allow remote fixes through Windows Update. Additionally, Microsoft is making a major change to allow security products to operate in user mode instead of kernel mode, improving security at a foundational level, though this change won’t be widely available until 2025 or later.

For Windows 11, Microsoft is rolling out new features to enhance security, such as preventing malware by limiting which apps can run. The new Smart App Control feature will block unknown and potentially harmful apps from running on personal PCs and will also stop scripts, including PowerShell, used by malware. This feature will be on by default for consumers and can be managed by IT teams in business environments. These updates aim to address key security vulnerabilities and make it harder for malware to exploit administrative privileges on user systems.


Malicious QR Codes Delivered by Mail

Cybercriminals have come up with a new way to spread malware by sending physical letters with malicious QR codes. In Switzerland, letters disguised as coming from the Swiss Federal Office of Meteorology encourage recipients to scan a QR code, claiming it will install a weather app on their Android smartphones. However, the QR code actually links to a malicious app called Coper, which can steal sensitive information from over 380 apps, including banking apps, and give hackers remote access to the device to spy on users.

This kind of attack is unusual because it uses the postal system, which is more costly compared to digital methods, but it can be effective since people are less suspicious of physical mail. Many people are also used to scanning QR codes in everyday situations without double-checking if the link is safe. The Swiss National Cyber Security Centre (NCSC) is warning recipients not to scan the QR code and to report any suspicious letters. Those who have already downloaded the malicious app are advised to reset their phones and change any compromised login details.


Defensible Strategies

Learn from those who have been attacked

Ford Launches Investigation of Potential Breach

Ford is investigating a claim by hackers who allege they stole customer information from the company. The hackers, known as IntelBroker and EnergyWeaponUser, posted on a cybercrime forum on November 17, claiming to have stolen 44,000 records, which include names, addresses, and details about product purchases. However, a sample of the stolen data released by the hackers shows mostly public information, such as car dealership addresses from around the world, rather than sensitive customer details. It’s unclear if the hackers have access to more sensitive data.

Ford confirmed that it is investigating the breach but has not yet confirmed the specifics of the stolen data. While IntelBroker is known for leaking data from high-profile companies, some of their previous claims have been exaggerated, and many victims have downplayed the extent of the breaches. Ford has not indicated whether any personal customer data has been compromised in this case.


Spotify Playlists Being Used as a Tool for Malicious Agents

Cybercriminals are abusing Spotify playlists and podcasts to promote pirated software, game cheat codes, and spam links, taking advantage of the platform's visibility on search engines like Google. By embedding targeted keywords such as "crack" or "warez" in playlist names and podcast descriptions, they boost the search engine rankings of their shady websites, making them more likely to appear in search results when people look for free software downloads. This tactic allows them to drive traffic to websites that often contain malware, scams, or unwanted programs hidden in "cracked" software.

One example of this scam involved a playlist titled "Sony Vegas Pro 13 Crack," which linked to dubious sites offering "free" software. While users might download the software they expect, they are often unknowingly putting their devices at risk, as these pirated versions can contain viruses or lead to scam websites. The real danger comes from the malware and deceptive ads often bundled with such pirated downloads. Spotify has removed the specific playlist and podcast after it was reported, but this type of abuse highlights the growing issue of spam and scam tactics on popular platforms like Spotify.