10.11.22

Corvus Threat Intel

Fortinet Vulnerability, Teenage Blackmailer, & China-State Sponsored Hackers

Fortinet announces a critical vulnerability, an Australian teen extorts victims of a corporate data leak, and U.S. agencies announce top vulnerabilities exploited by China state-sponsored hackers.

Fortinet Warns of Critical Authentication Bypass Vulnerability

Fortinet has detailed a critical vulnerability affecting FortiOS, the FortiProxy web proxy, and FortiSwitchManager. The vulnerability allows a remote attacker to bypass authentication and perform operations on the administrative interface. Fortinet has released updates that should be installed immediately if you are running any of the following vulnerable versions:

  • FortiOS version 7.2.0 through 7.2.1
  • FortiOS version 7.0.0 through 7.0.6
  • FortiProxy version 7.2.0
  • FortiProxy version 7.0.0 through 7.0.6
  • FortiSwitchManager version 7.2.0
  • FortiSwitchManager version 7.0.0

For organizations unable to update, Fortinet recommends limiting the IP addresses that can reach the administrative interface using a local-in policy. Fortinet has confirmed that this vulnerability is being exploited in the wild.
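As an added example (not from the Corvus post or from Fortinet), a small Python triage helper that checks a constructed device inventory against the affected version ranges listed above and reports which hosts still need the update or the local-in policy workaround; the product names as keys, the inventory records, and the hostnames are assumptions for the example.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Affected ranges exactly as listed in the post; both ends are inclusive.
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "FortiOS": [("7.2.0", "7.2.1"), ("7.0.0", "7.0.6")],
    "FortiProxy": [("7.2.0", "7.2.0"), ("7.0.0", "7.0.6")],
    "FortiSwitchManager": [("7.2.0", "7.2.0"), ("7.0.0", "7.0.0")],
}


def parse_version(text: str) -> Version:
    """Turn '7.0.6', 'v7.0.6' or '7.0.6 build0000' into a comparable (7, 0, 6)."""
    core = text.strip().lstrip("vV").split()[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_affected(product: str, version: str) -> bool:
    """True when product/version sits inside any listed range.

    Products or branches not in the list (e.g. FortiOS 6.4.x) return False:
    the post names only the ranges above, so nothing else is assumed vulnerable.
    """
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED.get(product, []))


def triage(inventory: List[Dict[str, str]]) -> List[str]:
    """Return hostnames that need the update (or the local-in policy workaround)."""
    return [d["host"] for d in inventory if is_affected(d["product"], d["version"])]


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    {"host": "fw-edge-01", "product": "FortiOS", "version": "v7.0.6 build0000"},
    {"host": "fw-edge-02", "product": "FortiOS", "version": "7.0.7"},
    {"host": "proxy-01", "product": "FortiProxy", "version": "7.2.0"},
    {"host": "proxy-02", "product": "FortiProxy", "version": "7.2.1"},
    {"host": "fsm-01", "product": "FortiSwitchManager", "version": "7.0.0"},
    {"host": "fw-legacy", "product": "FortiOS", "version": "6.4.9"},
]

if __name__ == "__main__":
    print("Needs patch or workaround:", triage(SAMPLE_INVENTORY))
```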

Why This Matters

Authentication bypass vulnerabilities are particularly high priority, especially on devices such as VPNs and firewalls. An authentication bypass nullifies basic security controls such as passwords and MFA, and gives an attacker free rein to conduct further exploitation. Fortunately, security patches have been released and should be applied as soon as possible.

Teenager in Australia uses Leaked Optus Data for Extortion

Australian police arrested a 19-year-old this week for extorting victims of a large corporate data leak. The situation started back in September when Optus, an Australian telecom company, was compromised by unknown attackers. The hackers stole and publicly leaked data on millions of Optus customers. This leak included names, birthdates, phone numbers, driver’s license numbers, and even Medicare numbers. Following the leak, the Australian teen (who is not believed to have been responsible for the initial Optus hack) allegedly found the leaked data and began blackmailing individual victims through SMS messages. This arrest comes as part of Operation Guardian, in which the Australian Federal Police have stepped in to investigate and protect victims of the data leak.

Why This Matters

Data theft is a pernicious threat and this story highlights one reason why. Stolen data can be used against innocent people, like those in this case who were individually extorted. It’s important for organizations to remember cyber posture extends beyond the organization itself to the customers, employees, and partners whose data should be protected.

U.S. Government Agencies Release Top List of Vulnerabilities Used by China State-Sponsored Hackers

In a joint publication, CISA, the NSA, and the FBI released a list of the top vulnerabilities exploited by China state-sponsored hackers. The list includes a few well-publicized vulnerabilities like Log4j and ProxyShell, but also several that received far less media attention. It is also notable that only 3 of the 20 vulnerabilities were discovered in 2022; the rest date from 2019 to 2021. The recommended mitigation measures are no surprise: update and patch systems as soon as possible. In addition, the agencies recommend using phishing-resistant MFA and implementing a Zero Trust security model. See the official publication for additional details and recommendations.


Why This Matters

Even if you don’t think your organization should be worried about state-sponsored activity, less selective threat actors are just one step behind. More advanced and well-equipped state-sponsored groups often pave the way for lower tiers of cybercriminals.

For instance, the China state-sponsored group Hafnium was the first to exploit the Microsoft Exchange ProxyLogon vulnerabilities. Shortly thereafter, the same vulnerabilities were adopted by ransomware actors.

This list highlights the importance of a regular patching cadence. While zero-days get all the media buzz, older vulnerabilities remain productive for threat actors because exploit code is readily available and many systems are still unpatched.


This blog post and its contents are intended for general guidance and informational purposes only. This blog post is under no circumstances intended to be used or considered as specific insurance or information security advice.