This Month in Cybersecurity - January Edition

Fortinet Warns of Zero-Day Exploited to Hijack Firewalls

A serious security flaw has been discovered in FortiOS and FortiProxy, affecting several versions of Fortinet's firewall software. This vulnerability, known as CVE-2024-55591, allows hackers to bypass authentication and gain remote access with super-admin privileges. Attackers are exploiting this flaw to create unauthorized admin accounts, alter firewall settings, and establish hidden connections to company networks through SSL VPNs.

Cybersecurity firm Arctic Wolf reported that these attacks have been ongoing since mid-November 2024, with hackers targeting firewalls that are exposed to the internet. Once inside, the attackers create fake user accounts, change firewall rules, and use those accounts to tunnel into internal systems. Fortinet has advised organizations to immediately restrict management access or disable the administrative interfaces to prevent further exploitation.

The attackers' activities follow a clear pattern, starting with vulnerability scanning and progressing through reconnaissance, system modifications, and lateral movement within networks. Fortinet has acknowledged the issue and released security patches to address the flaw. Companies using affected versions are urged to apply these updates and monitor their systems for signs of unauthorized access.


Microsoft to Sue Cybercriminals Abusing Its AI Services

Microsoft is taking legal action against cybercriminals who are using generative AI (GenAI) tools to create harmful content. The company has filed a lawsuit in Virginia, highlighting how some criminals bypass security measures to exploit AI services for malicious purposes. Despite Microsoft's efforts to develop secure AI products, these cybercriminals continue to find ways to misuse the technology, and Microsoft is determined to stop the weaponization of its AI systems.

In the legal filings, Microsoft revealed that a foreign-based group had been using stolen customer credentials to gain unauthorized access to generative AI services. They manipulated these tools to produce harmful content and sold this access to other criminals. Microsoft has since revoked the group’s access and strengthened security measures to prevent such misuse in the future. The company also encourages organizations and governments to adopt safeguards against the risks posed by AI-generated threats.


Additional BeyondTrust Exploit Added to CISA’s KEV List

The US Cybersecurity and Infrastructure Security Agency (CISA) is urging federal agencies to patch a second vulnerability in BeyondTrust's remote access tools, as it has been actively exploited by cybercriminals. This flaw, tracked as CVE-2024-12686, is a medium-severity issue that allows attackers with administrative privileges to upload malicious files and execute harmful commands on the system. It was discovered during an investigation into a breach that affected a limited number of BeyondTrust's customers, including a US Treasury Department instance.

The breach, which was linked to Chinese hackers known as Silk Typhoon, was disclosed on December 31. The hackers used a compromised API key to access remote services and target several organizations, including the US Treasury. In early December, BeyondTrust had already identified a critical vulnerability, CVE-2024-12356, which was also being exploited. CISA had added this first flaw to its list of known exploited vulnerabilities in mid-December.

CISA is now requiring federal agencies to identify and patch affected BeyondTrust systems by February 3, 2024, as part of its Binding Operational Directive (BOD) 22-01. Although this directive applies specifically to federal agencies, CISA advises all organizations to review its list of vulnerabilities and prioritize patching or removing affected products. The breach reportedly targeted sensitive areas within the Treasury, including departments handling foreign investments and sanctions.


Defensible Strategies

Learn from those who have been attacked

AWS Keys Being Abused in Ransomware Attacks

A ransomware campaign has been discovered in which an attacker known as Codefinger uses stolen AWS credentials to encrypt data stored in Amazon S3 buckets and then demands a ransom for the decryption keys. The attacker abuses an AWS encryption feature, Server-Side Encryption with Customer-Provided Keys (SSE-C), so that only the attacker holds the key needed to decrypt the data. The attack does not exploit any vulnerability in AWS itself; it relies on obtaining a customer's account credentials.

The attacker searches for AWS keys with permissions to read and write data in S3 buckets. Once such keys are found, they are used to encrypt objects with a locally generated AES-256 key, which AWS applies to the operation but does not store. Because AWS logs only an HMAC of the key, the original encryption key cannot be reconstructed or recovered, leaving the encrypted data inaccessible without the attacker's key.

To pressure the victim, the attacker places a ransom note in the affected directories and threatens to delete the files within seven days using AWS's Object Lifecycle Management API. Organizations can reduce the risk of such attacks by carefully configuring permissions and limiting who can apply SSE-C encryption to sensitive data in their S3 buckets.
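As an added example (not from the newsletter or AWS), the following builds an S3 bucket policy that denies object writes carrying SSE-C headers, using the documented `s3:x-amz-server-side-encryption-customer-algorithm` condition key, and checks it against constructed sample requests; the small evaluator is a simplified model written for this example, not AWS's real policy engine.

```python
import json

# S3 condition key AWS exposes for the SSE-C algorithm request header
SSE_C_ALGO_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"
SSE_C_ALGO_HEADER = "x-amz-server-side-encryption-customer-algorithm"


def sse_c_deny_policy(bucket: str) -> dict:
    """Bucket policy refusing any object write that carries an SSE-C header.
    A Null condition set to "false" matches when the key IS present, so the
    Deny fires only for SSE-C uploads; plain, SSE-S3 and SSE-KMS writes pass."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyCustomerProvidedKeyEncryption",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"Null": {SSE_C_ALGO_KEY: "false"}},
        }],
    }


def put_object_denied(policy: dict, headers: dict) -> bool:
    """Simplified model of policy evaluation (written for this example, not
    AWS's engine): True if a PutObject with these headers hits a Deny."""
    header_present = SSE_C_ALGO_HEADER in {k.lower() for k in headers}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        null_cond = stmt.get("Condition", {}).get("Null", {})
        if SSE_C_ALGO_KEY not in null_cond:
            return True  # unconditional Deny on PutObject
        # Null "true" matches when the key is absent, "false" when it is present
        if (null_cond[SSE_C_ALGO_KEY] == "false") == header_present:
            return True
    return False


# Constructed sample requests; the SSE-C header values are placeholders, not real keys
SAMPLE_REQUESTS = {
    "plain": {"Content-Type": "application/octet-stream"},
    "sse_kms": {"x-amz-server-side-encryption": "aws:kms"},
    "sse_c": {SSE_C_ALGO_HEADER: "AES256",
              "x-amz-server-side-encryption-customer-key": "<base64-key-placeholder>",
              "x-amz-server-side-encryption-customer-key-MD5": "<md5-placeholder>"},
}


def evaluate_all(bucket: str = "example-bucket") -> dict:
    """Map each sample request name to whether the policy would deny it."""
    policy = sse_c_deny_policy(bucket)
    return {name: put_object_denied(policy, h) for name, h in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    print(json.dumps(sse_c_deny_policy("example-bucket"), indent=2))
    print(evaluate_all())  # {'plain': False, 'sse_kms': False, 'sse_c': True}
```

Apply the generated document with `put-bucket-policy`; uploads that already use SSE-S3 or SSE-KMS are unaffected, while any write presenting a customer-provided key is refused.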


UK Government Debates Potential Ban on Ransomware Payouts

The UK government is considering a total ban on ransomware payments across the public sector as part of a consultation aimed at reducing the growing threat of ransomware attacks. This move would extend the current policy, which prevents central government departments from paying ransoms, to include hospitals, schools, local authorities, and critical national infrastructure. The consultation, running from January 14 to April 8, will explore three proposals, with the first suggesting a full payment ban for public sector organizations and mandatory reporting of incidents to help law enforcement.

A second, more restrictive proposal would create a "ransomware payment prevention regime," under which public sector organizations would need government approval before paying a ransom. The third, less aggressive option would introduce a mandatory reporting law for ransomware incidents to provide better data for cybercrime investigations without banning payments. The government aims to disrupt financially motivated criminals by cutting off their funding and improving incident reporting and response.

While some experts support a ransom payment ban to disrupt cybercriminals, others warn that it could have unintended consequences, such as victims seeking alternative ways to pay ransoms or avoiding law enforcement. Despite these concerns, the UK’s National Cyber Security Centre (NCSC) supports the consultation, emphasizing the importance of strengthening defenses against ransomware and continuing operations after an attack. The debate around these proposals will continue, as cybersecurity threats in the UK continue to rise.