10.17.22

Corvus Threat Intel

Fortinet Vulnerability Exploited, Alchimist Malware, & Phishing Targets Election Workers

Fortinet vulnerability exploited in the wild, malicious program Alchimist targets all systems (yes, macOS, too!) and election workers face phishing attempts.

Fortinet Critical Vulnerability Has PoC and is Being Exploited

Last week we reported on a critical Fortinet vulnerability (CVE-2022-40684). This vulnerability allows a remote attacker to bypass authentication and perform operations on the administrative interface of certain Fortinet devices. This week, security researchers released proof-of-concept (PoC) exploit code even as threat intel vendors released details on attackers scanning for targets with this vulnerability. A security patch is available and affected organizations should apply it as soon as possible. For organizations unable to update, Fortinet recommends blocking attacks by limiting the IP addresses that can reach the administrative interface using a local-in-policy. Fortinet has confirmed that this vulnerability is being exploited in the wild and CISA has added the vulnerability to the Known Exploited Vulnerabilities (KEV) catalog.
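As an added example (not code from Corvus or Fortinet), the Python check below reads a FortiOS configuration backup and reports which administrative web services are still reachable from any source despite a local-in-policy. The sample config, the names `port1` and `MGMT_IPs`, and the rule-evaluation semantics stated in the comments are assumptions made for illustration.

```python
import re

# Constructed, trimmed excerpt of a FortiOS backup; port1/MGMT_IPs are placeholders.
SAMPLE = """\
config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "MGMT_IPs"
        set action accept
        set service "HTTPS" "HTTP"
    next
    edit 2
        set intf "any"
        set srcaddr "all"
        set action deny
        set service "HTTPS" "HTTP"
    next
end
"""

def parse_policies(text):
    """Return local-in policies in file order as {setting: [values]} dicts."""
    block = re.search(r"^config firewall local-in-policy\n(.*?)^end$", text, re.S | re.M)
    policies = []
    for line in (block.group(1).splitlines() if block else []):
        tok = [t.strip('"') for t in line.split()]
        if tok[:1] == ["edit"]:
            policies.append({"id": tok[1:]})
        elif tok[:1] == ["set"] and policies:
            policies[-1][tok[1]] = tok[2:]
    return policies

def unrestricted_services(policies, services=("HTTPS", "HTTP")):
    """Admin services not covered by a deny-from-all rule on interface "any"."""
    # Assumed semantics: top-down, first match wins; an omitted action means
    # deny and an omitted status means enable (defaults left out of backups).
    # Rules limited to named sources cannot open the GUI to everyone: skip them.
    live = [p for p in policies if p.get("status") != ["disable"] and "all" in p.get("srcaddr", [])]
    exposed = []
    for svc in services:
        for p in (q for q in live if svc in q.get("service", [])):
            if p.get("action", ["deny"]) == ["deny"] and "any" in p.get("intf", []):
                break  # deny-from-all on every interface: covered
            if p.get("action") == ["accept"]:
                exposed.append(svc)  # accept-from-all is reached first
                break
        else:
            exposed.append(svc)  # no rule denies it
    return exposed
```

An empty result for `unrestricted_services(parse_policies(SAMPLE))` means both services end in a deny-from-all rule; a deny scoped to a single interface is deliberately not counted as coverage.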

Why This Matters

This was already a critical authentication bypass vulnerability, but the presence of exploit code as well as confirmation that attackers are scanning for this vulnerability make the situation more dire. If you are an affected organization, the need to patch is crucial.


“Alchimist” Malware Can Infect Windows, macOS, and Linux

If you haven’t already heard, macOS can in fact be infected with malware. Researchers uncovered a new malicious program called “Alchimist” that attackers are using to target Windows, macOS, and Linux systems. The program supports building customizable features depending on the operating system it’s used against and generating code specific to that operating system. Alchimist boasts other features: the ability to download other malware like the Insekt Remote Access Trojan (RAT), command and control capabilities that remotely beacon back to attacker systems, and customizability for the malware operators.

Why This Matters

Regardless of the operating system your organization uses, good security practices are a must. Strong endpoint detection and response solutions work on a variety of operating systems and give visibility into the behavior of individual computers and devices on your network. In addition, having someone behind the keyboard to watch for suspicious activity is a must, whether that’s your internal security team or a managed detection service.


Election Workers Hit with Phishing and Malicious Emails

Trellix security researchers have identified a surge in malicious email activity targeting election workers. This uptick, they report, coincides with the primaries in particular states like Arizona and Pennsylvania. Some of these campaigns rely on old tricks, such as a fraudulent password expiration alert. The alert claims that the user’s password has expired and will automatically log the user out to generate a new password unless the user visits a link and confirms their credentials. In reality, attackers control the linked page and can harvest any entered user information. Another more sinister tactic Trellix reports is attackers compromising an email account and using an existing email thread to target additional victims. This more readily tricks victims because they recognize the sender and even the email conversation but don’t know that the sender’s account has been compromised. Hackers can then use these hijacked threads to trick other users into visiting links or downloading malicious software.

Why This Matters

While Trellix’s findings are interesting, the tactics being used to send malicious emails to election workers present wider lessons for the rest of us. Social engineering remains a top vector for hackers, so staying vigilant is important. In a layered approach, organizations should conduct regular phishing training, use email protection solutions, and deploy EDR across the organization.


This blog post and its contents are intended for general guidance and informational purposes only. This blog post is under no circumstances intended to be used or considered as specific insurance or information security advice.
