25 October 2024

Cyber Security Week in Review: October 25, 2024

A new Fortinet FortiManager RCE flaw exploited in zero-day attacks

A critical vulnerability in Fortinet's FortiManager, tracked as CVE-2024-47575 and dubbed “FortiJump,” has been actively exploited in zero-day attacks since June 2024. The vulnerability stems from missing authentication in the FortiManager fgfmd daemon and allows a remote, unauthenticated attacker to execute arbitrary commands via malicious requests.

Mandiant said that a threat actor, tracked as UNC5820, has been actively exploiting FortiManager devices since June 27, 2024. UNC5820 was able to stage and exfiltrate detailed configuration data of FortiGate devices managed by compromised FortiManager servers.

The configuration data includes critical details such as users’ information and their FortiOS256-hashed passwords, which could enable UNC5820 to compromise FortiManager devices further, move laterally to the managed Fortinet devices, and potentially infiltrate broader enterprise environments.

Currently, there is no evidence to suggest that the threat actor has leveraged the stolen configuration data to compromise the enterprise environment beyond FortiManager devices.

Additionally, Google’s Threat Analysis Group (TAG) has warned that a zero-day flaw (CVE-2024-44068) in Samsung’s mobile processors has been exploited as part of an exploit chain for arbitrary code execution.

Also, VMware has issued a new patch for CVE-2024-38812, a critical remote code execution (RCE) vulnerability affecting VMware vCenter Server. The flaw, which stems from a boundary error within the implementation of vCenter's DCE/RPC protocol, was not fully resolved in the first patch released in September 2024, leading VMware to release additional fixes in October.

In other news, the US Cybersecurity and Infrastructure Security Agency (CISA) has recently added CVE-2024-9537, a critical security vulnerability recently discovered in the ScienceLogic SL1 Portal (formerly EM7), to its Known Exploited Vulnerabilities (KEV) Catalog, indicating exploitation in the wild. Additionally, CISA has flagged as actively exploited a Microsoft SharePoint deserialization vulnerability (CVE-2024-38094), which allows remote code execution.

In the meantime, Cisco issued patches addressing a slew of vulnerabilities in its Adaptive Security Appliance (ASA), Secure Firewall Management Center (FMC), and Firepower Threat Defense (FTD) products. One of the bugs, CVE-2024-20481, was exploited in a large-scale brute-force campaign observed in April 2024, which has also targeted VPN and SSH services on Check Point, Fortinet, SonicWall, MikroTik, DrayTek, and Ubiquiti products. The vulnerability affects the Remote Access VPN (RAVPN) service in ASA and FTD and could enable remote, unauthenticated attackers to trigger a denial-of-service (DoS) condition.

Amazon seizes domains used by the Russia-linked APT29 threat actor

Amazon said it seized internet domains exploited by APT29, a cyber-espionage group attributed to Russia's Foreign Intelligence Service (SVR), after Ukraine's CERT team shared information on the attacks.

In this case, APT29 conducted a phishing campaign aimed at stealing credentials from organizations tied to the government, military, and enterprise sectors, mainly among Russia's adversaries. The group targeted a large number of recipients, using phishing emails written in Ukrainian. Some of the malicious domains resembled AWS URLs, though Amazon and AWS credentials were not the targets. Instead, APT29 aimed to capture Windows credentials via Microsoft Remote Desktop.

The US offers up to $10M for info about Iranian hackers

The US authorities are offering a $10 million reward for information on four alleged members of the Iranian hacking group Shahid Hemmat, reportedly tied to Iran's Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC). The four suspects—Manuchehr Akbari, Amir Hosein Hoseini, Mohammad Hosein Moradi, and Mohammad Reza Rafatinezhad—are accused of launching cyberattacks against US critical infrastructure. Two of them, Akbari and Moradi, have been linked to known Iranian APT groups such as Tortoiseshell and Crimson Sandstorm. Reports claim that these individuals work for a private company named Dadeh Afzar Arman (DAA).

CERT-UA warns of phishing attack targeting Ukrainian orgs

The Ukrainian Governmental Computer Emergency Response Team (CERT-UA) has warned of a new wave of phishing attacks, tracked as UAC-0218. Malicious emails with subjects like "invoice" and "details" contain links to RAR archives hosted on a platform that appears to be eDisk. The archives include two password-protected lure documents and a VBS script designed to steal information from the victim's computer.

A separate phishing campaign has been targeting government bodies, key industrial enterprises, and military formations in Ukraine. The emails, masked as official communications related to “integration” with Amazon and Microsoft services, and promoting Zero Trust Architecture (ZTA) initiatives, have been part of a broader cyberattack campaign tracked under the identifier UAC-0215.

Russian cyber spies target Georgia’s government and critical infrastructure

For over three years, Russian intelligence agencies reportedly infiltrated Georgia’s government and key companies in an extensive espionage operation, gaining access to sensitive information and means to potentially disrupt critical infrastructure. In addition to espionage, Moscow gained the capability to sabotage Georgia’s power and communications networks, which could be deployed if the government pursued policies against Russian interests. The operations included compromising IT systems at Georgia’s national railway, infiltrating energy companies, and gaining access to confidential emails of senior officials at the Foreign Ministry.

A separate report from the Institute for Strategic Dialogue (ISD) details how Russian state-affiliated media outlets and social media accounts have been using hurricanes Milton and Helene to foster discontent within the US, undermine trust in disaster relief efforts, and reduce public support for Ukraine. The response to the hurricanes has been depicted as neglectful, with claims that resources were directed to Ukraine at the expense of domestic needs. This disinformation spread unchecked on platforms like X, highlighting ongoing moderation challenges. Notably, the Russian state-affiliated news agency RIA Novosti shared AI-generated images on Telegram falsely depicting Disney World in Florida as devastated by Hurricane Milton, a narrative originating from a minor X account.

Cisco confirms a security incident after hacker offers to sell data

Cisco confirmed it had information stolen after reports emerged that some of its data was offered for sale on a popular cybercrime forum. The seller, a hacker known as “IntelBroker,” posted about a “Cisco breach” on October 14, claiming to have obtained a wide range of sensitive data. Following an internal investigation, Cisco said that its systems had not been breached. The company said that the stolen data originated from a public-facing DevHub environment, a resource center that hosts software code, scripts, and other materials intended for customer use.

Microsoft admits it lost weeks of security logs due to operational bug

Microsoft has confirmed that more than two weeks' worth of security logs were missing from some of its cloud products. The company said the issue was caused by a bug in one of its internal monitoring agents that, between September 2 and September 19, 2024, led to failed uploads of log data to the company's logging platform. The issue primarily impacted logs from Microsoft Entra, Sentinel, Defender for Cloud, and Purview.

Malicious npm packages attempt to steal Ethereum private keys

Researchers at Phylum uncovered a malicious campaign targeting developers' Ethereum wallets through npm packages. The packages aim to exfiltrate sensitive Ethereum private keys and gain unauthorized SSH access to victims' machines by inserting the attacker's public key into the root user’s authorized_keys file.
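The persistence mechanism described above, appending a foreign public key to root's `authorized_keys`, is easy to catch if the file is audited against a known-good baseline. The script below is an added example written for this digest, not code from Phylum or from the campaign; it parses `authorized_keys` entries (including an options prefix such as `command="..."`), computes the same SHA256 fingerprint that `ssh-keygen -lf` prints, and reports any key whose fingerprint is not in the baseline. The sample file, the key blobs (well-formed ssh-ed25519 wire format built from placeholder bytes, not real keys) and the `root@build` comment are all constructed for the demonstration.

```python
"""Audit root's authorized_keys against a baseline of known-good key fingerprints."""
import base64
import hashlib
import struct
from dataclasses import dataclass

KEY_TYPES = {
    "ssh-rsa", "ssh-ed25519", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


@dataclass
class AuthorizedKey:
    line_no: int
    options: str       # e.g. 'command="/usr/local/bin/backup",no-pty', or '' when absent
    key_type: str
    fingerprint: str   # "SHA256:..." in the format ssh-keygen -lf prints
    comment: str


def fingerprint(blob_b64: str) -> str:
    """SHA256 over the decoded key blob, base64-encoded without padding (OpenSSH style)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list[AuthorizedKey]:
    keys = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # The first recognised key-type token marks the key; anything before it is the options prefix.
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(fields):
            raise ValueError(f"line {n}: not a valid authorized_keys entry")
        keys.append(AuthorizedKey(
            line_no=n,
            options=" ".join(fields[:idx]),
            key_type=fields[idx],
            fingerprint=fingerprint(fields[idx + 1]),
            comment=" ".join(fields[idx + 2:]),
        ))
    return keys


def audit(text: str, baseline: set[str]) -> list[AuthorizedKey]:
    """Return every entry whose fingerprint is not in the approved baseline."""
    return [k for k in parse_authorized_keys(text) if k.fingerprint not in baseline]


# --- constructed sample data (placeholder bytes, not real keys) ---
def constructed_ed25519_blob(raw32: bytes) -> str:
    """Build a syntactically valid ssh-ed25519 blob (RFC 8709 wire format) from 32 placeholder bytes."""
    assert len(raw32) == 32
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw32
    return base64.b64encode(blob).decode()


ADMIN_BLOB = constructed_ed25519_blob(b"\x01" * 32)
BACKUP_BLOB = constructed_ed25519_blob(b"\x02" * 32)
UNKNOWN_BLOB = constructed_ed25519_blob(b"\x03" * 32)

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# root's authorized_keys (constructed sample)",
    f"ssh-ed25519 {ADMIN_BLOB} admin@bastion",
    f'command="/usr/local/bin/backup",no-pty ssh-ed25519 {BACKUP_BLOB} backup@nas',
    f"ssh-ed25519 {UNKNOWN_BLOB} root@build",   # entry appended by a malicious package (constructed)
])

# The baseline would normally come from configuration management; here it is the two known keys.
BASELINE = {fingerprint(ADMIN_BLOB), fingerprint(BACKUP_BLOB)}


def audit_sample() -> list[AuthorizedKey]:
    return audit(SAMPLE_AUTHORIZED_KEYS, BASELINE)


if __name__ == "__main__":
    for k in audit_sample():
        print(f"line {k.line_no}: unexpected {k.key_type} key {k.fingerprint} ({k.comment})")
```

Run against a real host by reading `/root/.ssh/authorized_keys` and supplying the fingerprints your provisioning system expects; an unexpected entry is worth treating as an incident rather than just deleting, since the package that wrote it may have exfiltrated other secrets as well.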

Bumblebee malware resurfaces following major law enforcement takedown

Two notorious malware families, Bumblebee and Latrodectus, have reemerged in phishing campaigns following Operation Endgame, a major law enforcement operation in May 2024 that targeted malware droppers including IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and Trickbot. According to past reports, Bumblebee has been used by at least three cybercriminal groups associated with ransomware actors. Gangs using Bumblebee have in the past used the BazarLoader and IcedID loaders, which are linked to the high-profile ransomware groups Conti and Diavol.

A new report from Cisco Talos looks into the new malware family WarmCookie/BadSpace, which has been actively disseminated since April 2024 through malspam and malvertising campaigns. WarmCookie enables persistent access to compromised networks and acts as an initial payload, frequently facilitating the delivery of other malware, including CSharp-Streamer-RAT and Cobalt Strike.

New Spectre bypass impacts Intel and AMD CPUs

Researchers from ETH Zurich disclosed details about a new Spectre variant that bypasses existing security mechanisms, affecting recent Intel and AMD processors running Linux. The new bypass is a cross-process Spectre attack that undermines Address Space Layout Randomization (ASLR) and can leak sensitive data, such as the root password hash, from a Set User ID (suid) process on modern Intel CPUs. It compromises key defenses implemented to guard against Spectre-like vulnerabilities.

New Deceptive Delight technique tricks gen-AI into embedding hateful or harmful info

Palo Alto Networks discovered a new AI jailbreak technique called Deceptive Delight, designed to bypass content restrictions in generative AI models by embedding sensitive topics within benign narratives. The technique requires a minimum of two interactions and involves initially prompting the AI chatbot to draw logical connections between various events, some of which include restricted topics, followed by a request to elaborate on the individual events, thus bypassing safeguards.

Four security companies hit with fines over SolarWinds disclosures

The US Securities and Exchange Commission (SEC) has charged four tech companies with making misleading disclosures about the 2019 SolarWinds data breach. The companies, Check Point, Mimecast, Unisys, and Avaya, were victims of the large-scale cyberattack but failed to properly disclose the extent of the breach and its risks in their public filings. Collectively, the four firms will pay over $6.9 million in penalties.

LinkedIn fined €310 million for EU privacy laws violation

The Irish Data Protection Commission has issued a record €310 million ($335 million) fine to LinkedIn for breaching GDPR regulations. The social media platform was found to have conducted behavioral analyses on users' personal data to fuel targeted advertising, violating EU privacy laws.
